[ Bokacio @ 13.09.2009. 20:22 ] @
Hello,

I'm struggling with some unknown virus that doesn't let antivirus programs like Kaspersky and AVG, or the ZoneAlarm firewall, start at all.

It also keeps removing my rights to start regedit and Task Manager. I restored those rights and killed almost all the tasks, but it still removes them.

I don't know whether it's the internet connection, but it won't even open the page www.pandasecurity.com ?!?

Is there any help against this virus/trojan/worm?

I'm thinking of reinstalling the whole system, but it might help me with the transfer and backup if I clean the current system first.

Regards and thanks
[ magna86 @ 13.09.2009. 20:32 ] @
To start, read the pinned topic "Upustva za koriscenje programa: HijackThis / ComboFix" (Instructions for using HijackThis / ComboFix) and post a HijackThis log according to those instructions


[ icobh @ 13.09.2009. 20:37 ] @
Hmm. Have you tried killing Explorer? I think your Explorer has pulled in some malicious plugin, or it's infected...
[ Bokacio @ 13.09.2009. 20:48 ] @
Here's the report from HijackThis:

Quote:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:43:04 PM, on 9/13/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16876)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\HPQ\IAM\bin\asghost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Win\lsass.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\inetsrv\DavCData.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\klwtblfs.exe
C:\WINDOWS\system32\taskmgr.exe
C:\DOCUME~1\Bojan\LOCALS~1\Temp\hpash.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Downloads\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\ievkbd.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.15642\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O2 - BHO: HP Credential Manager for ProtectTools - {DF21F1DB-80C6-11D3-9483-B03D0EC10000} - C:\Program Files\HPQ\IAM\Bin\ItIeAddIN.dll
O2 - BHO: link filter bho - {E33CF602-D945-461A-83F0-819F76A199F8} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\klwtbbho.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [run32] C:\Win\lsass.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Bluetooth.lnk = ?
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: &Virtual keyboard - {4248FE82-7FCB-46AC-B270-339F08212110} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\klwtbbho.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: URLs c&heck - {CCF151D8-D089-449F-A5A4-D9909053F20F} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\klwtbbho.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd.dll,C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd3.dll
O20 - Winlogon Notify: OneCard - C:\Program Files\HPQ\IAM\Bin\AsWlnPkg.dll
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)

--
End of file - 5882 bytes


I hope it helps.

PS. I'll try killing Explorer and then try to start Task Manager with CTRL+ALT+DEL
[ Boris @ 13.09.2009. 20:48 ] @
Or try starting some of that from Safe Mode...??
[ icobh @ 13.09.2009. 20:53 ] @
Suspicious:

Code:
C:\Win\lsass.exe
C:\DOCUME~1\Bojan\LOCALS~1\Temp\hpash.exe

O4 - HKLM\..\Run: [run32] C:\Win\lsass.exe


Try to delete/fix that somehow
[ Boris @ 13.09.2009. 20:56 ] @
Try to clean that up and then run the scan again:


C:\DOCUME~1\Bojan\LOCALS~1\Temp\hpash.exe
C:\Win\lsass.exe
O4 - HKLM\..\Run: [run32] C:\Win\lsass.exe

You'll probably have a bit of hassle there, because this hpash.exe probably brings C:\Win\lsass.exe back to life when you delete it... Or maybe not :D
[ kristi1 @ 13.09.2009. 21:06 ] @
@Bokacio wait for magna to handle it, don't fiddle with anything.
[ Bokacio @ 13.09.2009. 21:09 ] @
Just to note that Safe Mode doesn't work for me. Whether that's the virus's doing, I'm not sure.

I'm now trying to find hpash but it's nowhere to be found (looked in C:\DOCUME~1\Bojan\LOCALS~1\Temp\hpash.exe)

It's still blocking Task Manager and Regedit. lsass appeared as a system process and won't let me End Task it.

I managed to start Malwarebytes and it supposedly found lsass, but the virus seems to still be running, because every few seconds it locks access to Task Manager and Regedit.
[ kristi1 @ 13.09.2009. 21:28 ] @
Download ComboFix to the Desktop http://download.bleepingcomputer.com/sUBs/ComboFix.exe
Turn off Kaspersky
Run ComboFix from the desktop, and click Yes or OK on every question
When it finishes scanning, attach the log you get.
[ Bokacio @ 13.09.2009. 22:21 ] @
I'll have to run ComboFix again, it froze at stage_50.

I should also note that I can't open some AV sites while the virus is active.
[ icobh @ 13.09.2009. 22:31 ] @
Download the Avira Rescue CD ISO image, burn it to a CD, boot the computer from that CD and clean the PC. That's the easiest way for you.
[ Milos911 @ 13.09.2009. 22:53 ] @
Quote:
lsass appeared as a system process and won't let me End Task it.

It didn't appear, it was always there. It is a system process, but it lives in the windows\?? folder, not in Win. The one in Win is the virus.
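The point made just above, that lsass.exe is legitimate only in the Windows system directory, is the classic name-masquerading check. The following is an added Python example (not from the thread, HijackThis or ComboFix) that scans a HijackThis-style log for that pattern and for the other indicators the thread points at: executables running from Temp, O7 policy restrictions, and O23 services whose image path does not resolve. The list of system binary names, the set of system directories, and the sample log (constructed from lines quoted earlier in the thread) are assumptions of the example.

```python
"""Triage a HijackThis-style log for defender-relevant indicators.
Added example; SAMPLE_LOG below is constructed from lines quoted in the thread."""
import re
from pathlib import PureWindowsPath

# Assumption: a small set of binaries that belong in the Windows system directories.
SYSTEM_BINARIES = {"lsass.exe", "smss.exe", "csrss.exe", "winlogon.exe",
                   "services.exe", "svchost.exe", "spoolsv.exe", "explorer.exe"}
# Assumption: where those binaries legitimately live on a default XP install.
SYSTEM_DIRS = {"c:\\windows", "c:\\windows\\system32"}
TEMP_MARKERS = ("\\temp\\", "\\locals~1\\temp\\")

O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O7_RE = re.compile(r"^O7 - (?P<key>.+?), (?P<value>\w+)=(?P<data>\d+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<svc>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
# First executable in a Run command: either a quoted path or a bare path ending in .exe
PATH_RE = re.compile(r'^"(?P<quoted>[^"]+)"|^(?P<bare>.+?\.exe)\b', re.IGNORECASE)


def classify_path(path_str):
    """Return the reasons a file path looks suspicious (empty list = nothing notable)."""
    p = PureWindowsPath(path_str.strip('"'))
    name, parent = p.name.lower(), str(p.parent).lower()
    reasons = []
    if name in SYSTEM_BINARIES and parent not in SYSTEM_DIRS:
        reasons.append(f"system binary name '{p.name}' outside system directory ({p.parent})")
    if any(marker in parent + "\\" for marker in TEMP_MARKERS):
        reasons.append(f"executable running from a Temp directory ({p.parent})")
    return reasons


def first_path(cmd):
    """Extract the executable from an O4 Run command line such as '"x.exe" /flag'."""
    m = PATH_RE.match(cmd)
    return (m.group("quoted") or m.group("bare")) if m else cmd


def triage(log_text):
    """Walk the log and return a list of {'line', 'reason'} findings."""
    findings, in_procs = [], False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.lower().startswith("running processes:"):
            in_procs = True
            continue
        if in_procs:                      # section runs until the first blank line
            if not line:
                in_procs = False
                continue
            findings += [{"line": line, "reason": r} for r in classify_path(line)]
            continue
        m = O4_RE.match(line)
        if m:
            findings += [{"line": line, "reason": r} for r in classify_path(first_path(m.group("cmd")))]
            continue
        m = O7_RE.match(line)
        if m and m.group("data") != "0":
            findings.append({"line": line,
                             "reason": f"policy restriction {m.group('value')}={m.group('data')} locks an admin tool"})
            continue
        m = O23_RE.match(line)
        if m and "(file missing)" in m.group("path"):
            # An unquoted service path containing spaces is displayed this way too,
            # so confirm the real ImagePath before treating the entry as malicious.
            findings.append({"line": line, "reason": "service image path does not resolve; verify the real ImagePath"})
    return findings


# Constructed sample: a subset of the log quoted in the thread.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Win\lsass.exe
C:\DOCUME~1\Bojan\LOCALS~1\Temp\hpash.exe
C:\Program Files\Skype\Phone\Skype.exe

O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [run32] C:\Win\lsass.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['reason']}\n    {f['line']}")
```

Run as-is it reports five findings: C:\Win\lsass.exe twice (as a running process and as the `run32` Run entry), the Temp-resident hpash.exe, the DisableRegedit policy, and the unresolved MySQL service path, while the genuine system processes and Skype pass silently.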
[ Bokacio @ 13.09.2009. 23:58 ] @
Thanks for the replies,

The problem is that this Win folder doesn't exist, so I can't find that duplicate lsass.exe. It looks like some sophisticated virus. I'd like to get rid of it before I start a fresh install. Even after ComboFix, this virus is still in memory.

Here's the ComboFix report:

Quote:

ComboFix 09-09-13.04 - Bojan 09/13/2009 23:25.2.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.408 [GMT 2:00]
Running from: c:\documents and settings\Bojan\Desktop\ComboFix.exe
AV: Kaspersky Anti-Virus *On-access scanning disabled* (Outdated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Bojan\Application Data\EurekaLog
c:\windows\Installer\WinRMSrv.msi
c:\windows\system32\Cache

.
((((((((((((((((((((((((( Files Created from 2009-08-13 to 2009-09-13 )))))))))))))))))))))))))))))))
.

2009-09-13 20:30 . 2009-09-13 20:30 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-09-13 20:30 . 2009-09-13 20:30 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-09-13 20:30 . 2009-09-13 20:30 -------- d-----w- c:\documents and settings\Bojan\Application Data\SUPERAntiSpyware.com
2009-09-13 20:30 . 2009-09-13 20:30 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-09-13 16:42 . 2009-09-13 16:42 -------- d-----w- c:\documents and settings\Bojan\Application Data\Malwarebytes
2009-09-13 16:41 . 2009-09-10 12:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-13 16:41 . 2009-09-13 16:42 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-13 16:41 . 2009-09-13 16:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-09-13 16:41 . 2009-09-10 12:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-13 16:17 . 2009-09-13 16:17 105395 ----a-w- c:\windows\system32\drivers\klin.dat
2009-09-13 16:17 . 2009-09-13 16:17 94643 ----a-w- c:\windows\system32\drivers\klick.dat
2009-09-13 16:15 . 2009-09-13 16:15 -------- d-----w- c:\program files\Kaspersky Lab
2009-09-13 16:15 . 2009-09-13 16:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab
2009-09-13 15:55 . 2009-09-13 15:55 -------- d-----w- c:\documents and settings\Bojan\Application Data\AVG8
2009-09-13 15:54 . 2009-09-13 15:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2009-09-13 14:42 . 2009-09-13 14:42 -------- d--h--w- c:\windows\system32\GroupPolicy
2009-09-11 20:44 . 2009-09-11 20:44 -------- d-----w- c:\documents and settings\All Users\Application Data\{BBD31133-40F8-4B57-9BA6-DB76C03D153B}
2009-09-09 21:33 . 2009-09-09 21:33 -------- d-----w- c:\program files\iPod
2009-09-09 21:33 . 2009-09-09 21:34 -------- d-----w- c:\program files\iTunes
2009-09-09 19:13 . 2009-09-09 19:15 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-09-09 13:57 . 2009-09-13 19:46 -------- d-----r- C:\Win
2009-09-06 12:29 . 2009-09-06 12:29 -------- d-----w- c:\documents and settings\Bojan\Application Data\TuneUp Software
2009-09-06 12:28 . 2009-09-06 12:28 -------- d-----w- c:\documents and settings\All Users\Application Data\TuneUp Software
2009-09-06 12:27 . 2009-09-06 12:27 -------- d-sh--w- c:\documents and settings\All Users\Application Data\{55A29068-F2CE-456C-9148-C869879E2357}
2009-08-29 22:43 . 2009-08-29 22:43 -------- d-----w- c:\documents and settings\Bojan\Local Settings\Application Data\RagdollSoft
2009-08-29 22:42 . 2009-08-29 22:43 -------- d-----w- c:\program files\Rubber Ninjas Demo
2009-08-28 03:17 . 2009-08-28 03:17 -------- d-----w- c:\program files\Scs4b5t
2009-08-27 03:16 . 2009-08-27 03:16 -------- d-----w- c:\program files\Psygnosis
2009-08-27 03:04 . 2009-08-27 03:04 -------- d-----w- c:\documents and settings\All Users\Application Data\DAEMON Tools Pro
2009-08-27 03:04 . 2009-08-27 03:05 -------- d-----w- c:\program files\DAEMON Tools Pro
2009-08-27 02:54 . 2009-08-27 02:54 722416 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-08-27 02:54 . 2009-08-27 02:54 -------- d-----w- c:\documents and settings\Bojan\Application Data\DAEMON Tools Pro
2009-08-19 22:49 . 2009-08-19 22:49 -------- d-----w- c:\documents and settings\Bojan\Local Settings\Application Data\PunkBuster
2009-08-19 22:32 . 2009-09-13 16:51 -------- d-----w- c:\documents and settings\Bojan\Application Data\id Software
2009-08-19 20:29 . 2009-08-19 20:29 -------- d-----w- c:\program files\Zone Labs
2009-08-19 19:24 . 2009-08-19 19:24 437365 ----a-w- c:\temp\maindemo.zip
2009-08-19 19:23 . 2009-08-19 19:23 211329 ----a-w- c:\temp\inspector_demo.zip
2009-08-19 19:23 . 2009-08-19 19:23 215439 ----a-w- c:\temp\nextgrid_demo2.zip
2009-08-19 19:23 . 2009-08-19 19:23 286464 ----a-w- c:\temp\nextgrid_demo.zip
2009-08-18 22:02 . 2009-08-27 15:38 -------- d-----w- c:\documents and settings\Bojan\Local Settings\Application Data\MediaMonkey
2009-08-18 22:02 . 2009-08-27 15:38 -------- d-----w- c:\program files\MediaMonkey
2009-08-15 00:10 . 2009-08-15 00:10 -------- d-----w- c:\windows\Downloaded Installations

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-13 22:16 . 2008-05-11 10:36 -------- d-----w- c:\documents and settings\Bojan\Application Data\Skype
2009-09-13 17:15 . 2009-06-08 17:38 -------- d-----w- c:\documents and settings\LocalService\Application Data\VMware
2009-09-13 17:15 . 2009-06-08 17:24 -------- d-----w- c:\documents and settings\All Users\Application Data\VMware
2009-09-13 16:11 . 2009-06-08 17:43 -------- d-----w- c:\documents and settings\Bojan\Application Data\VMware
2009-09-13 16:10 . 2008-05-07 20:09 -------- d-----w- c:\program files\Common Files\Logitech
2009-09-13 15:21 . 2008-12-29 21:54 -------- d-----w- c:\program files\Common Files\Logishrd
2009-09-13 15:21 . 2008-04-02 14:35 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-09-13 15:02 . 2008-05-11 10:38 -------- d-----w- c:\documents and settings\Bojan\Application Data\skypePM
2009-09-13 15:00 . 2009-06-08 17:28 -------- d-----w- c:\documents and settings\NetworkService\Application Data\VMware
2009-09-11 16:05 . 2008-08-25 09:39 -------- d-----w- c:\documents and settings\Bojan\Application Data\uTorrent
2009-09-10 01:12 . 2008-06-24 13:32 -------- d-----w- c:\program files\Microsoft Silverlight
2009-09-09 21:35 . 2008-04-08 09:57 -------- d-----w- c:\documents and settings\Bojan\Application Data\Apple Computer
2009-09-09 21:33 . 2008-04-08 09:55 -------- d-----w- c:\program files\Common Files\Apple
2009-09-09 21:32 . 2009-02-07 17:06 -------- d-----w- c:\program files\QuickTime
2009-09-09 21:04 . 2008-04-03 11:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-09-09 19:10 . 2008-09-12 17:44 -------- d-----w- c:\program files\Bonjour
2009-09-01 00:36 . 2008-12-14 19:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Embarcadero
2009-08-19 20:29 . 2008-04-02 16:57 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2009-08-14 21:14 . 2009-08-14 21:13 -------- d-----w- c:\program files\Windows Media Connect 2
2009-08-14 21:05 . 2008-04-02 16:02 -------- d-----w- c:\program files\Windows Media Connect
2009-08-09 15:39 . 2009-05-08 13:05 18 ----a-w- c:\windows\popcinfot.dat
2009-08-09 15:39 . 2009-05-08 13:23 14 ----a-w- c:\windows\popcinfo.dat
2009-08-05 13:31 . 2008-05-29 17:40 4608 ----a-w- c:\windows\system32\bbchlp.dll
2009-08-05 13:31 . 2008-05-29 17:40 4096 ----a-w- c:\windows\system32\drivers\bbcap.sys
2009-08-05 13:31 . 2008-05-29 17:40 30720 ----a-w- c:\windows\system32\bbcap.dll
2009-08-05 09:11 . 2006-02-28 12:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-27 20:14 . 2008-04-03 16:03 -------- d-----w- c:\program files\Common Files\Adobe
2009-07-27 20:11 . 2009-07-27 20:11 -------- d-----w- c:\program files\Adobe Media Player
2009-07-26 19:19 . 2009-07-26 19:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Blueberry
2009-07-26 19:18 . 2009-07-26 19:18 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{6B71DDD0-B12C-4427-A1DE-A57327178878}
2009-07-26 19:18 . 2009-07-26 19:18 -------- d-----w- c:\program files\Common Files\Blueberry Software
2009-07-26 19:18 . 2009-07-26 19:18 -------- d-----w- c:\program files\Blueberry Software
2009-07-26 19:17 . 2008-05-29 17:41 -------- d-----w- c:\documents and settings\Bojan\Application Data\Blueberry
2009-07-25 18:46 . 2009-07-25 18:41 -------- d-----w- c:\program files\Quake III Arena
2009-07-25 18:42 . 2009-07-25 18:42 -------- d-----w- c:\program files\Mplayer
2009-07-19 14:37 . 2009-07-19 14:37 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_LHidFilt_01005.Wdf
2009-07-17 18:55 . 2006-02-28 12:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-13 21:43 . 2006-02-28 12:00 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-03 13:48 . 2009-07-03 13:48 219664 ----a-w- c:\windows\system32\klogon.dll
2009-07-03 13:45 . 2009-07-03 13:45 27507 ----a-w- c:\windows\system32\drivers\klopp.dat
2009-06-29 16:12 . 2006-02-28 12:00 827392 ----a-w- c:\windows\system32\wininet.dll
2009-06-29 16:12 . 2006-02-28 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-06-29 16:12 . 2006-02-28 12:00 17408 ------w- c:\windows\system32\corpol.dll
2009-06-28 12:46 . 2008-04-02 17:03 60408 ----a-w- c:\documents and settings\Bojan\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-25 18:36 . 2006-02-28 12:00 95744 ----a-w- c:\windows\system32\mqsec.dll
2009-06-25 18:36 . 2006-02-28 12:00 661504 ----a-w- c:\windows\system32\mqqm.dll
2009-06-25 18:36 . 2006-02-28 12:00 517120 ----a-w- c:\windows\system32\mqsnap.dll
2009-06-25 18:36 . 2006-02-28 12:00 48640 ----a-w- c:\windows\system32\mqupgrd.dll
2009-06-25 18:36 . 2006-02-28 12:00 471552 ----a-w- c:\windows\system32\mqutil.dll
2009-06-25 18:36 . 2006-02-28 12:00 47104 ----a-w- c:\windows\system32\mqdscli.dll
2009-06-25 18:36 . 2006-02-28 12:00 225280 ----a-w- c:\windows\system32\mqoa.dll
2009-06-25 18:36 . 2006-02-28 12:00 186880 ----a-w- c:\windows\system32\mqtrig.dll
2009-06-25 18:36 . 2006-02-28 12:00 177152 ----a-w- c:\windows\system32\mqrt.dll
2009-06-25 18:36 . 2006-02-28 12:00 16896 ----a-w- c:\windows\system32\mqise.dll
2009-06-25 18:36 . 2006-02-28 12:00 138240 ----a-w- c:\windows\system32\mqad.dll
2009-06-25 18:36 . 2006-02-28 12:00 123392 ----a-w- c:\windows\system32\mqrtdep.dll
2009-06-25 08:17 . 2006-02-28 12:00 729600 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:17 . 2006-02-28 12:00 59392 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:17 . 2006-02-28 12:00 56320 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:17 . 2006-02-28 12:00 301568 ----a-w- c:\windows\system32\kerberos.dll
2009-06-25 08:17 . 2006-02-28 12:00 168448 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:17 . 2006-02-28 12:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-22 11:49 . 2006-02-28 12:00 19968 ----a-w- c:\windows\system32\mqbkup.exe
2009-06-22 11:49 . 2006-02-28 12:00 117248 ----a-w- c:\windows\system32\mqtgsvc.exe
2009-06-22 11:49 . 2006-02-28 12:00 4608 ----a-w- c:\windows\system32\mqsvc.exe
2009-06-22 11:48 . 2006-02-28 12:00 91776 ----a-w- c:\windows\system32\drivers\mqac.sys
2009-06-22 11:35 . 2006-02-28 12:00 92544 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-06-21 18:48 . 2009-06-21 18:48 51760 ---ha-w- c:\windows\system32\mlfcache.dat
2009-06-19 21:03 . 2009-06-19 20:56 78884 ----a-w- c:\windows\hpfins05.dat
2009-06-16 14:55 . 2006-02-28 12:00 82432 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:55 . 2006-02-28 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-04-16 24264488]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-04-10 39408]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-09-04 1994480]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2006-02-28 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-11-10 839769]
"PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2007-08-07 274432]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1385808]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-4-3 187392]
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-2-15 663613]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)
"DisableRegistryTools"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 13:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OneCard]
2005-07-25 18:41 40960 ----a-w- c:\program files\HPQ\IAM\Bin\AsWlnPkg.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IfxWlxEN]
2005-08-19 13:52 389120 ----a-w- c:\windows\system32\IfxWlxEN.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli AsWlnPkg

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^DVD Check.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\DVD Check.lnk
backup=c:\windows\pss\DVD Check.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Bojan^Start Menu^Programs^Startup^MagicDisc.lnk]
path=c:\documents and settings\Bojan\Start Menu\Programs\Startup\MagicDisc.lnk
backup=c:\windows\pss\MagicDisc.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Bojan^Start Menu^Programs^Startup^Product Registration.lnk]
path=c:\documents and settings\Bojan\Start Menu\Programs\Startup\Product Registration.lnk
backup=c:\windows\pss\Product Registration.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Bojan^Start Menu^Programs^Startup^santa.bat]
path=c:\documents and settings\Bojan\Start Menu\Programs\Startup\santa.bat
backup=c:\windows\pss\santa.batStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Bojan^Start Menu^Programs^Startup^WingsStart.lnk]
path=c:\documents and settings\Bojan\Start Menu\Programs\Startup\WingsStart.lnk
backup=c:\windows\pss\WingsStart.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"PnkBstrA"=2 (0x2)
"mi-raysat_3dsmax2010_32"=2 (0x2)
"LightScribeService"=2 (0x2)
"WMPNetworkSvc"=2 (0x2)
"VMware NAT Service"=2 (0x2)
"vmount2"=2 (0x2)
"VMnetDHCP"=2 (0x2)
"VMAuthdService"=2 (0x2)
"ufad-ws60"=3 (0x3)
"Pml Driver HPZ12"=2 (0x2)
"PersonalSecureDriveService"=2 (0x2)
"ose"=3 (0x3)
"odserv"=3 (0x3)
"MDM"=2 (0x2)
"Macromedia Licensing Service"=3 (0x3)
"iPod Service"=3 (0x3)
"IFXTCS"=2 (0x2)
"IFXSpMgtSrv"=2 (0x2)
"idsvc"=3 (0x3)
"hpqwmiex"=2 (0x2)
"gusvc"=3 (0x3)
"FLEXnet Licensing Service"=3 (0x3)
"Bonjour Service"=2 (0x2)
"BlackfishSQL"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"UacDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\totalcmd\\TOTALCMD.EXE"=
"c:\\Program Files\\Autodesk\\Backburner\\monitor.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\manager.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\server.exe"=
"c:\\Program Files\\Autodesk\\3ds Max 2010\\3dsmax.exe"=
"c:\\Program Files\\Autodesk\\3ds Max 2010\\mentalray\\satellite\\raysat_3dsmax2010_32server.exe"=
"c:\\Program Files\\Autodesk\\3ds Max 2010\\mentalray\\satellite\\raysat_3dsmax2010_32.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\iTunes\\iTunesHelper.exe"=
"c:\\Program Files\\InterVideo\\DVD Check\\DVDCheck.exe"=
"c:\\WINDOWS\\system32\\netsh.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\QuickTime\\QTTask.exe"=
"c:\\Program Files\\VMware\\VMware Workstation\\hqtray.exe"=
"c:\\Program Files\\ATI Technologies\\ATI.ACE\\cli.exe"=
"c:\\Program Files\\Analog Devices\\SoundMAX\\Smax4.exe"=
"c:\\Program Files\\ProtectTools\\Embedded Security Software\\PSDrt.exe"=
"c:\\Programs\\Process\\procexp.exe"=
"c:\\Program Files\\Analog Devices\\Core\\smax4pnp.exe"=
"c:\\Program Files\\HPQ\\HP ProtectTools Security Manager\\PTServs.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"=
"c:\\WINDOWS\\system32\\taskmgr.exe"=
"c:\\Program Files\\PowerISO\\PWRISOVM.EXE"=
"c:\\Program Files\\Google\\GoogleToolbarNotifier\\GoogleToolbarNotifier.exe"=
"c:\\Program Files\\Outlook Express\\msimn.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [12/15/2008 8:41 PM 33808]
R1 PersonalSecureDrive;PersonalSecureDrive;c:\windows\system32\drivers\psd.sys [10/25/2005 8:10 PM 35488]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [9/4/2009 2:50 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [9/4/2009 2:49 PM 74480]
R2 ASChannel;Local Communication Channel;c:\windows\System32\svchost.exe -k Cognizance [2/28/2006 2:00 PM 14336]
R3 abp470n5;abp470n5;\??\c:\windows\system32\drivers\nlomog.sys --> c:\windows\system32\drivers\nlomog.sys [?]
R3 bbcap;bbcap;c:\windows\system32\drivers\bbcap.sys [5/29/2008 7:40 PM 4096]
R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [4/2/2008 4:46 PM 87936]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [6/10/2005 3:26 PM 35968]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [5/13/2009 5:46 PM 31760]
R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [5/16/2009 8:59 PM 19472]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [9/4/2009 2:50 PM 7408]
S3 iadusb;MT882;c:\windows\system32\drivers\glauiad.sys [5/1/2009 11:58 PM 30336]
S4 BlackfishSQL;BlackfishSQL;c:\program files\CodeGear\RAD Studio\6.0\bin\BSQLServer.exe [8/29/2008 9:00 PM 65536]
S4 mi-raysat_3dsmax2010_32;mental ray 3.7 Satellite for Autodesk 3ds Max 2010 32-bit 32-bit;c:\program files\Autodesk\3ds Max 2010\mentalray\satellite\raysat_3dsmax2010_32server.exe [3/12/2009 5:36 PM 86016]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [9/23/2005 7:01 AM 2799808]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Cognizance REG_MULTI_SZ ASChannel
.
Contents of the 'Scheduled Tasks' folder

2009-09-07 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 10:34]

2009-09-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-682003330-73586283-1801674531-1003Core.job
- c:\documents and settings\Bojan\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-01-04 20:27]

2009-09-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-682003330-73586283-1801674531-1003UA.job
- c:\documents and settings\Bojan\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-01-04 20:27]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: Download with GetRight - c:\program files\GetRight\GRdownload.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Open with GetRight Browser - c:\program files\GetRight\GRbrowse.htm
IE: Send To &Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
FF - ProfilePath - c:\documents and settings\Bojan\Application Data\Mozilla\Firefox\Profiles\uyzmc3lw.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - component: c:\program files\Mozilla Firefox\extensions\[email protected]\components\KavLinkFilter.dll
FF - plugin: c:\documents and settings\Bojan\Local Settings\Application Data\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-14 00:33
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\system32\drivers\nlomog.sys 5669 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\MySQL]
"ImagePath"="\"c:\program files\MySQL\MySQL Server 4.1\bin\mysqld-nt\" --defaults-file=\"c:\program files\MySQL\MySQL Server 4.1\my.ini\" MySQL"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-682003330-73586283-1801674531-1003\Software\SecuROM\License information*]
"datasecu"=hex:58,a1,1c,56,28,3e,69,da,dd,cc,bd,36,50,f7,60,7f,02,00,dc,94,de,
57,2a,7e,cc,a9,30,41,ae,ca,b6,a9,50,a8,ca,e1,8f,55,84,ad,4a,7e,44,f0,e1,6d,\
"rkeysecu"=hex:29,23,be,84,e1,6c,d6,ae,52,90,49,f1,f1,bb,e9,eb
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(972)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll
c:\program files\HPQ\IAM\Bin\AsWlnPkg.dll
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
c:\windows\system32\IfxWlxEN.dll

- - - - - - - > 'lsass.exe'(1028)
c:\program files\HPQ\IAM\bin\AsWlnPkg.dll

- - - - - - - > 'explorer.exe'(1432)
c:\windows\system32\WININET.dll
c:\program files\HPQ\IAM\Bin\SFSShell.dll
c:\program files\HPQ\IAM\bin\ItMsg.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\btncopy.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\scardsvr.exe
c:\windows\system32\dllhost.exe
c:\program files\HPQ\IAM\Bin\asghost.exe
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\windows\system32\inetsrv\inetinfo.exe
c:\program files\Skype\Plugin Manager\skypePM.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\inetsrv\davcdata.exe
.
**************************************************************************
.
Completion time: 2009-09-13 0:43 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-13 22:43

Pre-Run: 18,916,556,800 bytes free
Post-Run: 19,329,462,272 bytes free

356 --- E O F --- 2009-09-09 21:10
[ Bokacio @ 14.09.2009. 00:00 ] @
I should add that a Win folder appeared in TC and that it contained the file 1.exe. I deleted it, but the virus is still active in memory :(

Let me write again what happens while the virus is active:
- I can't start the AV
- I can't get to AV sites for online scanning
- regedit/task manager don't work
- a keylogger is probably running, because I've noticed slowdowns while typing.

uh :(

[This message was edited by Bokacio on 14.09.2009. at 01:14 GMT+1]
[ Catch 22 @ 14.09.2009. 01:18 ] @
It seems one good piece of advice you got here slipped past you?

Or maybe you also need a link for where to download it?

Avira AntiVir Rescue System

PS
Another option for deleting that C:\Win folder and its entire contents is to boot some Live CD (Linux, or Hiren's Mini XP) and clean the vermin off your hard disk from there... The latest version, Hiren's 10.0, also includes some tools for cleaning out vermin:
- Kaspersky Virus Removal Tool 7.0.0.290 (2908)
- Malwarebytes' Anti-Malware 1.40 (2908)
- RootkitRevealer 1.7.1
- SmitFraudFix 2.423
- ComboFix (2908)
... and a few more...
[ Bokacio @ 14.09.2009. 01:46 ] @
Thanks for the advice,

I'm downloading the Avira Rescue CD right now and will try something.

My biggest problem is that the virus literally shuts down almost all the well-known virus/trojan/worm removal programs. I suspect the virus has also destroyed Safe Mode, because I can no longer get into it. I still haven't managed to find WHICH filename belongs to that virus, and I've killed almost everything.
[ .LoG @ 14.09.2009. 02:21 ] @
c:\windows\system32\drivers\nlomog.sys

It looks like you have a rootkit; try removing it with Gmer, www.gmer.net
[ kristi1 @ 14.09.2009. 06:25 ] @
Download the file attached to this message and unpack it to the desktop.
Turn off the AV.
With the left mouse button, drag the script onto the ComboFix icon

When it finishes, post a new log

Run HJT and tick the following line

O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

Click Fix checked

edit. your "fleska" is most likely infected too.

[This message was edited by kristi1 on 14.09.2009. at 12:14 GMT+1]
[ andre2000 @ 14.09.2009. 09:42 ] @
For situations like this, when the computer is infected to the bone, I use Kaspersky Rescue Disk. It works with the help of BartPE, boots from a live CD, and cleans everything; I don't have to arm-wrestle viruses that block my antimalware tools.
[ Horvat @ 14.09.2009. 12:56 ] @
you didn't see the Win directory because you very probably went through Explorer, where showing hidden and system files isn't turned on, while in Total Commander it is

you didn't say, did you end up deleting that exe from the temp directory?
[ Bokacio @ 14.09.2009. 14:33 ] @
Hello,

Thanks everyone for the replies, and sorry for the delay; I slept a bit longer because of last night's wrestling with the virus :)

GMER - found nothing important, i.e. it didn't print anything in red.
Avira Rescue CD - It ran all night and found the viruses W32/Sality.Y and TR/CRYPT.ZPACK.GEN

@kristi1: I'll try now. PS. what is a "fleska"? :)
@andre2000: Where can I download that AV, i.e. how do I burn it?
@horvat: The folder wasn't visible from TC either, it just suddenly appeared (!?)
[ Bokacio @ 14.09.2009. 15:22 ] @
Here's the new ComboFix report

Quote:

ComboFix 09-09-13.05 - Bojan 09/14/2009 15:37.3.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.259 [GMT 2:00]
Running from: c:\documents and settings\Bojan\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Bojan\Desktop\CFScript.txt
AV: Kaspersky Anti-Virus *On-access scanning disabled* (Outdated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_abp470n5
-------\Service_abp470n5


((((((((((((((((((((((((( Files Created from 2009-08-14 to 2009-09-14 )))))))))))))))))))))))))))))))
.

2009-09-14 00:33 . 2009-09-14 00:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-09-14 00:33 . 2009-09-14 00:33 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-09-13 23:24 . 2008-12-11 06:38 159600 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2009-09-13 23:24 . 2009-04-03 08:18 130936 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-09-13 23:24 . 2008-12-18 09:16 73840 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2009-09-13 23:23 . 2009-09-13 23:26 -------- d-----w- c:\program files\Common Files\PC Tools
2009-09-13 23:23 . 2008-12-10 09:36 64392 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2009-09-13 23:23 . 2009-09-13 23:38 -------- d-----w- c:\program files\Spyware Doctor
2009-09-13 23:23 . 2009-09-13 23:23 -------- d-----w- c:\documents and settings\Bojan\Application Data\PC Tools
2009-09-13 23:23 . 2009-09-13 23:23 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2009-09-13 23:17 . 2009-09-13 23:17 -------- d-----w- c:\documents and settings\Bojan\Application Data\Uniblue
2009-09-13 23:17 . 2009-09-13 23:17 -------- d-----w- c:\program files\Uniblue
2009-09-13 20:30 . 2009-09-13 20:30 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-09-13 20:30 . 2009-09-13 23:02 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-09-13 20:30 . 2009-09-13 20:30 -------- d-----w- c:\documents and settings\Bojan\Application Data\SUPERAntiSpyware.com
2009-09-13 20:30 . 2009-09-13 20:30 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-09-13 16:42 . 2009-09-13 16:42 -------- d-----w- c:\documents and settings\Bojan\Application Data\Malwarebytes
2009-09-13 16:41 . 2009-09-10 12:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-13 16:41 . 2009-09-13 16:42 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-13 16:41 . 2009-09-13 16:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-09-13 16:41 . 2009-09-10 12:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-13 16:17 . 2009-09-13 16:17 105395 ----a-w- c:\windows\system32\drivers\klin.dat
2009-09-13 16:17 . 2009-09-13 16:17 94643 ----a-w- c:\windows\system32\drivers\klick.dat
2009-09-13 16:15 . 2009-09-13 16:15 -------- d-----w- c:\program files\Kaspersky Lab
2009-09-13 16:15 . 2009-09-13 16:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab
2009-09-13 15:55 . 2009-09-13 15:55 -------- d-----w- c:\documents and settings\Bojan\Application Data\AVG8
2009-09-13 15:54 . 2009-09-13 15:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2009-09-13 14:42 . 2009-09-13 14:42 -------- d--h--w- c:\windows\system32\GroupPolicy
2009-09-11 20:44 . 2009-09-11 20:44 -------- d-----w- c:\documents and settings\All Users\Application Data\{BBD31133-40F8-4B57-9BA6-DB76C03D153B}
2009-09-09 21:33 . 2009-09-09 21:33 -------- d-----w- c:\program files\iPod
2009-09-09 21:33 . 2009-09-09 21:34 -------- d-----w- c:\program files\iTunes
2009-09-09 19:13 . 2009-09-09 19:15 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-09-06 12:29 . 2009-09-06 12:29 -------- d-----w- c:\documents and settings\Bojan\Application Data\TuneUp Software
2009-09-06 12:28 . 2009-09-06 12:28 -------- d-----w- c:\documents and settings\All Users\Application Data\TuneUp Software
2009-09-06 12:27 . 2009-09-06 12:27 -------- d-sh--w- c:\documents and settings\All Users\Application Data\{55A29068-F2CE-456C-9148-C869879E2357}
2009-08-29 22:43 . 2009-08-29 22:43 -------- d-----w- c:\documents and settings\Bojan\Local Settings\Application Data\RagdollSoft
2009-08-29 22:42 . 2009-08-29 22:43 -------- d-----w- c:\program files\Rubber Ninjas Demo
2009-08-28 03:17 . 2009-08-28 03:17 -------- d-----w- c:\program files\Scs4b5t
2009-08-27 03:16 . 2009-08-27 03:16 -------- d-----w- c:\program files\Psygnosis
2009-08-27 03:04 . 2009-08-27 03:04 -------- d-----w- c:\documents and settings\All Users\Application Data\DAEMON Tools Pro
2009-08-27 03:04 . 2009-08-27 03:05 -------- d-----w- c:\program files\DAEMON Tools Pro
2009-08-27 02:54 . 2009-08-27 02:54 722416 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-08-27 02:54 . 2009-08-27 02:54 -------- d-----w- c:\documents and settings\Bojan\Application Data\DAEMON Tools Pro
2009-08-19 22:49 . 2009-08-19 22:49 -------- d-----w- c:\documents and settings\Bojan\Local Settings\Application Data\PunkBuster
2009-08-19 22:32 . 2009-09-13 16:51 -------- d-----w- c:\documents and settings\Bojan\Application Data\id Software
2009-08-19 20:29 . 2009-08-19 20:29 -------- d-----w- c:\program files\Zone Labs
2009-08-19 19:24 . 2009-08-19 19:24 437365 ----a-w- c:\temp\maindemo.zip
2009-08-19 19:23 . 2009-08-19 19:23 211329 ----a-w- c:\temp\inspector_demo.zip
2009-08-19 19:23 . 2009-08-19 19:23 215439 ----a-w- c:\temp\nextgrid_demo2.zip
2009-08-19 19:23 . 2009-08-19 19:23 286464 ----a-w- c:\temp\nextgrid_demo.zip
2009-08-18 22:02 . 2009-08-27 15:38 -------- d-----w- c:\documents and settings\Bojan\Local Settings\Application Data\MediaMonkey
2009-08-18 22:02 . 2009-08-27 15:38 -------- d-----w- c:\program files\MediaMonkey

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-14 14:07 . 2008-05-11 10:38 -------- d-----w- c:\documents and settings\Bojan\Application Data\skypePM
2009-09-14 00:43 . 2008-05-11 10:36 -------- d-----w- c:\documents and settings\Bojan\Application Data\Skype
2009-09-14 00:23 . 2008-09-12 14:56 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-09-13 17:15 . 2009-06-08 17:38 -------- d-----w- c:\documents and settings\LocalService\Application Data\VMware
2009-09-13 17:15 . 2009-06-08 17:24 -------- d-----w- c:\documents and settings\All Users\Application Data\VMware
2009-09-13 16:11 . 2009-06-08 17:43 -------- d-----w- c:\documents and settings\Bojan\Application Data\VMware
2009-09-13 16:10 . 2008-05-07 20:09 -------- d-----w- c:\program files\Common Files\Logitech
2009-09-13 15:21 . 2008-12-29 21:54 -------- d-----w- c:\program files\Common Files\Logishrd
2009-09-13 15:21 . 2008-04-02 14:35 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-09-13 15:00 . 2009-06-08 17:28 -------- d-----w- c:\documents and settings\NetworkService\Application Data\VMware
2009-09-11 16:05 . 2008-08-25 09:39 -------- d-----w- c:\documents and settings\Bojan\Application Data\uTorrent
2009-09-10 01:12 . 2008-06-24 13:32 -------- d-----w- c:\program files\Microsoft Silverlight
2009-09-09 21:35 . 2008-04-08 09:57 -------- d-----w- c:\documents and settings\Bojan\Application Data\Apple Computer
2009-09-09 21:33 . 2008-04-08 09:55 -------- d-----w- c:\program files\Common Files\Apple
2009-09-09 21:32 . 2009-02-07 17:06 -------- d-----w- c:\program files\QuickTime
2009-09-09 21:04 . 2008-04-03 11:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-09-09 19:10 . 2008-09-12 17:44 -------- d-----w- c:\program files\Bonjour
2009-09-01 00:36 . 2008-12-14 19:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Embarcadero
2009-08-19 20:29 . 2008-04-02 16:57 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2009-08-14 21:14 . 2009-08-14 21:13 -------- d-----w- c:\program files\Windows Media Connect 2
2009-08-14 21:05 . 2008-04-02 16:02 -------- d-----w- c:\program files\Windows Media Connect
2009-08-09 15:39 . 2009-05-08 13:05 18 ----a-w- c:\windows\popcinfot.dat
2009-08-09 15:39 . 2009-05-08 13:23 14 ----a-w- c:\windows\popcinfo.dat
2009-08-05 13:31 . 2008-05-29 17:40 4608 ----a-w- c:\windows\system32\bbchlp.dll
2009-08-05 13:31 . 2008-05-29 17:40 4096 ----a-w- c:\windows\system32\drivers\bbcap.sys
2009-08-05 13:31 . 2008-05-29 17:40 30720 ----a-w- c:\windows\system32\bbcap.dll
2009-08-05 09:11 . 2006-02-28 12:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-27 20:14 . 2008-04-03 16:03 -------- d-----w- c:\program files\Common Files\Adobe
2009-07-27 20:11 . 2009-07-27 20:11 -------- d-----w- c:\program files\Adobe Media Player
2009-07-26 19:19 . 2009-07-26 19:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Blueberry
2009-07-26 19:18 . 2009-07-26 19:18 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{6B71DDD0-B12C-4427-A1DE-A57327178878}
2009-07-26 19:18 . 2009-07-26 19:18 -------- d-----w- c:\program files\Common Files\Blueberry Software
2009-07-26 19:18 . 2009-07-26 19:18 -------- d-----w- c:\program files\Blueberry Software
2009-07-26 19:17 . 2008-05-29 17:41 -------- d-----w- c:\documents and settings\Bojan\Application Data\Blueberry
2009-07-25 18:46 . 2009-07-25 18:41 -------- d-----w- c:\program files\Quake III Arena
2009-07-25 18:42 . 2009-07-25 18:42 -------- d-----w- c:\program files\Mplayer
2009-07-19 14:37 . 2009-07-19 14:37 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_LHidFilt_01005.Wdf
2009-07-17 18:55 . 2006-02-28 12:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-13 21:43 . 2006-02-28 12:00 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-03 13:48 . 2009-07-03 13:48 219664 ----a-w- c:\windows\system32\klogon.dll
2009-07-03 13:45 . 2009-07-03 13:45 27507 ----a-w- c:\windows\system32\drivers\klopp.dat
2009-06-29 16:12 . 2006-02-28 12:00 827392 ------w- c:\windows\system32\wininet.dll
2009-06-29 16:12 . 2006-02-28 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-06-29 16:12 . 2006-02-28 12:00 17408 ------w- c:\windows\system32\corpol.dll
2009-06-28 12:46 . 2008-04-02 17:03 60408 ----a-w- c:\documents and settings\Bojan\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-25 18:36 . 2006-02-28 12:00 95744 ----a-w- c:\windows\system32\mqsec.dll
2009-06-25 18:36 . 2006-02-28 12:00 661504 ----a-w- c:\windows\system32\mqqm.dll
2009-06-25 18:36 . 2006-02-28 12:00 517120 ----a-w- c:\windows\system32\mqsnap.dll
2009-06-25 18:36 . 2006-02-28 12:00 48640 ----a-w- c:\windows\system32\mqupgrd.dll
2009-06-25 18:36 . 2006-02-28 12:00 471552 ----a-w- c:\windows\system32\mqutil.dll
2009-06-25 18:36 . 2006-02-28 12:00 47104 ----a-w- c:\windows\system32\mqdscli.dll
2009-06-25 18:36 . 2006-02-28 12:00 225280 ----a-w- c:\windows\system32\mqoa.dll
2009-06-25 18:36 . 2006-02-28 12:00 186880 ----a-w- c:\windows\system32\mqtrig.dll
2009-06-25 18:36 . 2006-02-28 12:00 177152 ----a-w- c:\windows\system32\mqrt.dll
2009-06-25 18:36 . 2006-02-28 12:00 16896 ----a-w- c:\windows\system32\mqise.dll
2009-06-25 18:36 . 2006-02-28 12:00 138240 ----a-w- c:\windows\system32\mqad.dll
2009-06-25 18:36 . 2006-02-28 12:00 123392 ----a-w- c:\windows\system32\mqrtdep.dll
2009-06-25 08:17 . 2006-02-28 12:00 729600 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:17 . 2006-02-28 12:00 59392 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:17 . 2006-02-28 12:00 56320 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:17 . 2006-02-28 12:00 301568 ----a-w- c:\windows\system32\kerberos.dll
2009-06-25 08:17 . 2006-02-28 12:00 168448 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:17 . 2006-02-28 12:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-22 11:49 . 2006-02-28 12:00 19968 ----a-w- c:\windows\system32\mqbkup.exe
2009-06-22 11:49 . 2006-02-28 12:00 117248 ----a-w- c:\windows\system32\mqtgsvc.exe
2009-06-22 11:49 . 2006-02-28 12:00 4608 ----a-w- c:\windows\system32\mqsvc.exe
2009-06-22 11:48 . 2006-02-28 12:00 91776 ----a-w- c:\windows\system32\drivers\mqac.sys
2009-06-22 11:35 . 2006-02-28 12:00 92544 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-06-21 18:48 . 2009-06-21 18:48 51760 ---ha-w- c:\windows\system32\mlfcache.dat
2009-06-19 21:03 . 2009-06-19 20:56 78884 ----a-w- c:\windows\hpfins05.dat
2009-06-16 14:55 . 2006-02-28 12:00 82432 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:55 . 2006-02-28 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-09-13_22.33.37 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-04-09 17:34 . 2009-09-14 14:08 231113 c:\windows\system32\inetsrv\MetaBase.bin
- 2008-04-09 17:34 . 2009-09-13 22:34 231113 c:\windows\system32\inetsrv\MetaBase.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-04-16 24264488]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-04-10 39408]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-09-04 2068208]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-11-10 839769]
"PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2007-08-07 274432]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1385808]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-4-3 187392]
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-2-15 663613]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)
"DisableRegistryTools"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 13:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OneCard]
2005-07-25 18:41 40960 ----a-w- c:\program files\HPQ\IAM\Bin\AsWlnPkg.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IfxWlxEN]
2005-08-19 13:52 389120 ----a-w- c:\windows\system32\IfxWlxEN.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli AsWlnPkg

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^DVD Check.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\DVD Check.lnk
backup=c:\windows\pss\DVD Check.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Bojan^Start Menu^Programs^Startup^MagicDisc.lnk]
path=c:\documents and settings\Bojan\Start Menu\Programs\Startup\MagicDisc.lnk
backup=c:\windows\pss\MagicDisc.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Bojan^Start Menu^Programs^Startup^Product Registration.lnk]
path=c:\documents and settings\Bojan\Start Menu\Programs\Startup\Product Registration.lnk
backup=c:\windows\pss\Product Registration.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Bojan^Start Menu^Programs^Startup^santa.bat]
path=c:\documents and settings\Bojan\Start Menu\Programs\Startup\santa.bat
backup=c:\windows\pss\santa.batStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Bojan^Start Menu^Programs^Startup^WingsStart.lnk]
path=c:\documents and settings\Bojan\Start Menu\Programs\Startup\WingsStart.lnk
backup=c:\windows\pss\WingsStart.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"PnkBstrA"=2 (0x2)
"mi-raysat_3dsmax2010_32"=2 (0x2)
"LightScribeService"=2 (0x2)
"WMPNetworkSvc"=2 (0x2)
"VMware NAT Service"=2 (0x2)
"vmount2"=2 (0x2)
"VMnetDHCP"=2 (0x2)
"VMAuthdService"=2 (0x2)
"ufad-ws60"=3 (0x3)
"Pml Driver HPZ12"=2 (0x2)
"PersonalSecureDriveService"=2 (0x2)
"ose"=3 (0x3)
"odserv"=3 (0x3)
"MDM"=2 (0x2)
"Macromedia Licensing Service"=3 (0x3)
"iPod Service"=3 (0x3)
"IFXTCS"=2 (0x2)
"IFXSpMgtSrv"=2 (0x2)
"idsvc"=3 (0x3)
"hpqwmiex"=2 (0x2)
"gusvc"=3 (0x3)
"FLEXnet Licensing Service"=3 (0x3)
"Bonjour Service"=2 (0x2)
"BlackfishSQL"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"UacDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"UacDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\totalcmd\\TOTALCMD.EXE"=
"c:\\Program Files\\Autodesk\\Backburner\\monitor.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\manager.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\server.exe"=
"c:\\Program Files\\Autodesk\\3ds Max 2010\\3dsmax.exe"=
"c:\\Program Files\\Autodesk\\3ds Max 2010\\mentalray\\satellite\\raysat_3dsmax2010_32server.exe"=
"c:\\Program Files\\Autodesk\\3ds Max 2010\\mentalray\\satellite\\raysat_3dsmax2010_32.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\iTunes\\iTunesHelper.exe"=
"c:\\Program Files\\InterVideo\\DVD Check\\DVDCheck.exe"=
"c:\\WINDOWS\\system32\\netsh.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\QuickTime\\QTTask.exe"=
"c:\\Program Files\\VMware\\VMware Workstation\\hqtray.exe"=
"c:\\Program Files\\ATI Technologies\\ATI.ACE\\cli.exe"=
"c:\\Program Files\\Analog Devices\\SoundMAX\\Smax4.exe"=
"c:\\Program Files\\ProtectTools\\Embedded Security Software\\PSDrt.exe"=
"c:\\Programs\\Process\\procexp.exe"=
"c:\\Program Files\\Analog Devices\\Core\\smax4pnp.exe"=
"c:\\Program Files\\HPQ\\HP ProtectTools Security Manager\\PTServs.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"=
"c:\\WINDOWS\\system32\\taskmgr.exe"=
"c:\\Program Files\\PowerISO\\PWRISOVM.EXE"=
"c:\\Program Files\\Google\\GoogleToolbarNotifier\\GoogleToolbarNotifier.exe"=
"c:\\Program Files\\Outlook Express\\msimn.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Kaspersky Lab\\Kaspersky Anti-Virus 2010\\klwtblfs.exe"=
"c:\\WINDOWS\\system32\\CF28155.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [12/15/2008 8:41 PM 33808]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [9/14/2009 1:24 AM 130936]
R1 PersonalSecureDrive;PersonalSecureDrive;c:\windows\system32\drivers\psd.sys [10/25/2005 8:10 PM 35488]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [9/4/2009 2:50 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [9/4/2009 2:49 PM 74480]
R2 ASChannel;Local Communication Channel;c:\windows\System32\svchost.exe -k Cognizance [2/28/2006 2:00 PM 14336]
R3 bbcap;bbcap;c:\windows\system32\drivers\bbcap.sys [5/29/2008 7:40 PM 4096]
R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [4/2/2008 4:46 PM 87936]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [6/10/2005 3:26 PM 35968]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [5/13/2009 5:46 PM 31760]
R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [5/16/2009 8:59 PM 19472]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [9/4/2009 2:50 PM 7408]
S3 iadusb;MT882;c:\windows\system32\drivers\glauiad.sys [5/1/2009 11:58 PM 30336]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [9/14/2009 1:23 AM 348752]
S4 BlackfishSQL;BlackfishSQL;c:\program files\CodeGear\RAD Studio\6.0\bin\BSQLServer.exe [8/29/2008 9:00 PM 65536]
S4 mi-raysat_3dsmax2010_32;mental ray 3.7 Satellite for Autodesk 3ds Max 2010 32-bit 32-bit;c:\program files\Autodesk\3ds Max 2010\mentalray\satellite\raysat_3dsmax2010_32server.exe [3/12/2009 5:36 PM 86016]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [9/23/2005 7:01 AM 2799808]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - ABP470N5

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Cognizance REG_MULTI_SZ ASChannel
.
Contents of the 'Scheduled Tasks' folder

2009-09-07 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 10:34]

2009-09-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-682003330-73586283-1801674531-1003Core.job
- c:\documents and settings\Bojan\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-01-04 20:27]

2009-09-14 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-682003330-73586283-1801674531-1003UA.job
- c:\documents and settings\Bojan\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-01-04 20:27]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: Download with GetRight - c:\program files\GetRight\GRdownload.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Open with GetRight Browser - c:\program files\GetRight\GRbrowse.htm
IE: Send To &Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
FF - ProfilePath - c:\documents and settings\Bojan\Application Data\Mozilla\Firefox\Profiles\uyzmc3lw.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - component: c:\program files\Mozilla Firefox\extensions\[email protected]\components\KavLinkFilter.dll
FF - plugin: c:\documents and settings\Bojan\Local Settings\Application Data\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-14 16:08
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\MySQL]
"ImagePath"="\"c:\program files\MySQL\MySQL Server 4.1\bin\mysqld-nt\" --defaults-file=\"c:\program files\MySQL\MySQL Server 4.1\my.ini\" MySQL"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-682003330-73586283-1801674531-1003\Software\SecuROM\License information*]
"datasecu"=hex:58,a1,1c,56,28,3e,69,da,dd,cc,bd,36,50,f7,60,7f,02,00,dc,94,de,
57,2a,7e,cc,a9,30,41,ae,ca,b6,a9,50,a8,ca,e1,8f,55,84,ad,4a,7e,44,f0,e1,6d,\
"rkeysecu"=hex:29,23,be,84,e1,6c,d6,ae,52,90,49,f1,f1,bb,e9,eb
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1120)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll
c:\program files\HPQ\IAM\Bin\AsWlnPkg.dll
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
c:\windows\system32\IfxWlxEN.dll

- - - - - - - > 'lsass.exe'(1176)
c:\program files\HPQ\IAM\bin\AsWlnPkg.dll

- - - - - - - > 'explorer.exe'(2412)
c:\windows\system32\WININET.dll
c:\program files\HPQ\IAM\Bin\SFSShell.dll
c:\program files\HPQ\IAM\bin\ItMsg.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\btncopy.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\scardsvr.exe
c:\windows\system32\dllhost.exe
c:\program files\HPQ\IAM\Bin\asghost.exe
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\windows\system32\inetsrv\inetinfo.exe
c:\program files\Skype\Plugin Manager\skypePM.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\inetsrv\davcdata.exe
.
**************************************************************************
.
Completion time: 2009-09-14 16:16 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-14 14:16
ComboFix2.txt 2009-09-13 22:43

Pre-Run: 19,748,868,096 bytes free
Post-Run: 19,558,744,064 bytes free

382 --- E O F --- 2009-09-09 21:10


Thanks once again.
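The log above still carries `"DisableTaskMgr"= 1`, `"DisableRegistryTools"= 1`, the Security Center override/notify values and `"EnableFirewall"= 0`, which is exactly the tampering the thread is fighting. As an added example (not from the thread, ComboFix or HijackThis), here is a small Python checker that parses the REGEDIT4 "Reg Loading Points" section of such a log and flags those values; the sample lines and the rule list are constructed for this illustration and mirror the layout of the posted log.

```python
"""Flag tool-disabling policy values in the REGEDIT4 section of a ComboFix log.

Added example, not part of the thread or of ComboFix. The sample below is
constructed to mirror the layout of the log posted above.
"""
import re
from typing import Dict, List, Tuple, Union

# Constructed sample: the kinds of lines ComboFix prints under "Reg Loading Points".
SAMPLE_LOG = r"""REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-04-16 24264488]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)
"DisableRegistryTools"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

# Constructed clean counterpart: same keys, values as a healthy XP box would show them.
CLEAN_LOG = r"""REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-04-16 24264488]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000000

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 1 (0x1)
"""

KEY_RE = re.compile(r"^\[(.+)\]\s*$")
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')

# Each rule: (fragment of the lower-cased key path, lower-cased value name,
#             value that means tampering, description). Constructed rule set.
RULES: List[Tuple[str, str, int, str]] = [
    (r"\policies\system", "disabletaskmgr", 1, "Task Manager disabled by policy"),
    (r"\policies\system", "disableregistrytools", 1, "Registry editor disabled by policy"),
    (r"\security center", "antivirusoverride", 1, "Security Center told to ignore AV state"),
    (r"\security center", "firewalloverride", 1, "Security Center told to ignore firewall state"),
    (r"\security center", "antivirusdisablenotify", 1, "AV warnings suppressed"),
    (r"\security center", "firewalldisablenotify", 1, "Firewall warnings suppressed"),
    (r"\security center\monitoring", "disablemonitoring", 1, "Security Center monitoring of an AV product disabled"),
    (r"\firewallpolicy\standardprofile", "enablefirewall", 0, "Windows Firewall disabled"),
]


def parse_value(raw: str) -> Union[int, str]:
    """Normalise the value spellings ComboFix uses: 'dword:00000001', '1 (0x1)', or a quoted string."""
    raw = raw.strip()
    m = re.fullmatch(r"dword:([0-9a-fA-F]{1,8})", raw)
    if m:
        return int(m.group(1), 16)
    m = re.fullmatch(r"(\d+)\s*\(0x[0-9a-fA-F]+\)", raw)
    if m:
        return int(m.group(1))
    return raw  # Run entries and other strings are kept verbatim


def parse_reg_section(text: str) -> Dict[str, Dict[str, Union[int, str]]]:
    """Map each lower-cased key path to its {lower-cased value name: value} entries."""
    keys: Dict[str, Dict[str, Union[int, str]]] = {}
    current = None
    for line in text.splitlines():
        km = KEY_RE.match(line.rstrip())
        if km:
            current = km.group(1).lower()
            keys.setdefault(current, {})
            continue
        vm = VALUE_RE.match(line.rstrip())
        if vm and current is not None:
            keys[current][vm.group(1).lower()] = parse_value(vm.group(2))
    return keys


def find_tampering(text: str) -> List[str]:
    """Return one line per matched rule, e.g. 'Windows Firewall disabled: [hklm\\...] enablefirewall=0'."""
    findings = []
    for key, values in parse_reg_section(text).items():
        for fragment, name, bad, meaning in RULES:
            if fragment in key and values.get(name) == bad:
                findings.append(f"{meaning}: [{key}] {name}={bad}")
    return sorted(findings)


if __name__ == "__main__":
    for finding in find_tampering(SAMPLE_LOG):
        print(finding)
    print(f"{len(find_tampering(CLEAN_LOG))} findings in the clean sample")
```

Running it against the pasted section of a real log (instead of SAMPLE_LOG) gives a quick list of which of these policy values still need to be reset after the scan.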
[ kristi1 @ 14.09.2009. 16:26 ] @
Tell me what the situation is.
A "fleska" is a USB drive, i.e. a stick.
[ Bokacio @ 14.09.2009. 16:56 ] @
Situacija je i dalje ista. I dalje ne mogu da ugasim taj virus koji je u memoriji i koji mi gasi AV i ne dozvoljava sa odem na AV sajtove.

Imam USB HDD na koji sam presnimio vazne stvari, pa me zanima kako da nakon re-instalacije i formatiranja glavnog HDD-a, da slucajno se ne zarazim opet sa virusa koji je "prebegao" na USB HDD.

Hvala jos jednom
[ Dashkes @ 14.09.2009. 17:11 ] @
Download the program Dr.Web CureIt!.

• After downloading, restart the computer into Safe Mode (while the computer is booting, keep pressing F8, and when the menu appears choose Safe Mode).
• When Safe Mode has loaded, run Dr.Web CureIt!.
• When it starts, choose Start. It will automatically begin scanning the computer. Let it scan (that is the Express Scan).
• When it finishes scanning, choose the complete scan - Complete scan - and on the right-hand side press the Start Scanning button (it looks like a Play button).
I must warn you that the complete scan can take several hours!

Post the CureIt! log (pack it into a ".rar" archive and upload it), which is located in C:\Documents and Settings\USERNAME\DoctorWeb\

P.S. You can also try right away, after downloading, to run Dr.Web CureIt! in normal mode and see whether the Express Scan finds the virus and removes it.
[ Bokacio @ 14.09.2009. 17:22 ] @
Quote:
Dashkes: Download the program Dr.Web CureIt!.

• After downloading, restart the computer into Safe Mode (while the computer is booting, keep pressing F8, and when the menu appears choose Safe Mode).
• When Safe Mode has loaded, run Dr.Web CureIt!.
• When it starts, choose Start. It will automatically begin scanning the computer. Let it scan (that is the Express Scan).
• When it finishes scanning, choose the complete scan - Complete scan - and on the right-hand side press the Start Scanning button (it looks like a Play button).
I must warn you that the complete scan can take several hours!

Post the CureIt! log (pack it into a ".rar" archive and upload it), which is located in C:\Documents and Settings\USERNAME\DoctorWeb\

P.S. You can also try right away, after downloading, to run Dr.Web CureIt! in normal mode and see whether the Express Scan finds the virus and removes it.


Thanks,

I'll try that one too, but I can't get into Safe Mode because the virus has broken it.

PS. For some reason I can't download CureIt from your site. It looks like the virus has blocked that too.
[ silvestro @ 14.09.2009. 17:28 ] @
Find the file hosts in c:\windows\system32\drivers\etc\, open it with Notepad, delete everything in it and save the changes. Then you'll be able to get onto the AV sites...
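An added example, not from silvestro or anyone else in this thread, of doing the hosts-file check described above programmatically: it parses hosts-file text and flags any AV vendor hostname that has been mapped anywhere, plus any non-standard name pinned to a loopback address. The sample hosts content, the vendor list and the helper names are constructed for illustration.

```python
import ipaddress

# Names that legitimately sit on a loopback address in a stock hosts file.
LEGIT_LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost", "ip6-localhost",
                        "ip6-loopback", "ip6-localnet", "ip6-mcastprefix", "ip6-allnodes", "ip6-allrouters"}
# AV vendor domains mentioned in the thread (constructed list; extend as needed).
AV_DOMAINS = {"pandasecurity.com", "bitdefender.com", "kaspersky.com", "avast.com",
              "free-av.com", "freedrweb.com", "f-secure.com", "drweb.com"}

# Constructed sample: a stock XP hosts file with two hijacked entries added.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1       www.pandasecurity.com     # vendor site pinned to loopback
0.0.0.0         download.bitdefender.com
10.0.0.5        intranet.example          # harmless local override
"""

def _is_av_host(hostname):
    host = hostname.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in AV_DOMAINS)

def parse_hosts(text):
    """Yield (line_no, ip_text, [hostnames]) for each entry; '#' comments are stripped."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        parts = raw.split("#", 1)[0].split()
        if len(parts) >= 2:
            yield line_no, parts[0], parts[1:]

def suspicious_hosts_entries(text):
    """Return (line_no, ip_text, hostname, reason) tuples for entries worth reviewing."""
    findings = []
    for line_no, ip_text, names in parse_hosts(text):
        try:
            is_loopback = ipaddress.ip_address(ip_text).is_loopback
        except ValueError:          # malformed address: still check the names
            is_loopback = False
        for name in names:
            if _is_av_host(name):   # any mapping of a vendor host is a red flag
                findings.append((line_no, ip_text, name, "AV vendor hostname redirected"))
            elif is_loopback and name.lower() not in LEGIT_LOOPBACK_NAMES:
                findings.append((line_no, ip_text, name, "non-standard name pinned to loopback"))
    return findings

def check_hosts_file(path=r"c:\windows\system32\drivers\etc\hosts"):
    """Run the check against the live hosts file (default: the path named in the thread)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return suspicious_hosts_entries(fh.read())
```

A clean file like the one Bokacio reports (only the localhost lines) yields no findings, which is the expected result when the block is caused by something other than the hosts file.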
[ Bokacio @ 14.09.2009. 17:41 ] @
Quote:
silvestro: Find the file hosts in c:\windows\system32\drivers\etc\, open it with Notepad, delete everything in it and save the changes. Then you'll be able to get onto the AV sites...


Unfortunately that doesn't help either; the hosts file only has "localhost" in it.
[ Dashkes @ 14.09.2009. 17:46 ] @
Can you download the following programs - http://www.bdtools.net/download/dcleaner.zip - Win32.HLLW.Shadow.based (Conficker)
and
http://www.softpedia.com/get/Antivirus/Win32-Sality-Remover.shtml - Win32.HLLP.Sector (Sality)?
Try to clean the computer with them and then try to download Dr.Web CureIt!

[This message was edited by Dashkes on 14.09.2009. at 19:08 GMT+1]
[ drvlada75 @ 14.09.2009. 18:00 ] @
You mentioned that you're infected with the Sality virus. You also mention the number.exe virus... I recently had some experience with those viruses. I assume that practically all your .exe files are infected, while entering Safe Mode is prevented by a blue screen. The only antivirus that managed to deal with it and DISINFECT the files was Bit Defender. They have a rescue disk; it's worth trying:
http://download.bitdefender.co...rRescueCD_v2.0.0_3_08_2009.iso
However, I strongly advise you to pull out the hard disk, install Bit Defender on another computer and then clean it there. Kaspersky and Avast will find the viruses but will also delete the .exe files. One more thing. After I had cleaned the computer and rebooted it, I unplugged the network cable and installed Comodo Firewall. The computer had a static address. An attacker from the internet immediately started attacking. The interesting thing is that the attacker was on the same Serbian ISP as the computer. It all ended with the firewall log file being sent to the ISP, which blocked the attacker in the shortest possible time.
There, I've shared one experience and a solution to a similar problem.
[ kristi1 @ 14.09.2009. 18:02 ] @
I'm afraid you've caught Sality Legacy_abp470n5. It has already been discussed how that virus is cleaned.
drvlada75 beat me to it

The best solution is Format C, installing one of the better AVs and a complete scan; everything else may or may not work. There's a high probability that Windows won't boot. So if you want to get rid of that virus, the fastest and best way is what I suggested. That means AV before drivers, then scan. Your whole computer is infected, meaning all partitions.

[This message was edited by kristi1 on 14.09.2009. at 19:13 GMT+1]
[ Bokacio @ 14.09.2009. 18:17 ] @
Quote:
drvlada75: You mentioned that you're infected with the Sality virus. You also mention the number.exe virus... I recently had some experience with those viruses. I assume that practically all your .exe files are infected, while entering Safe Mode is prevented by a blue screen. The only antivirus that managed to deal with it and DISINFECT the files was Bit Defender. They have a rescue disk; it's worth trying:
http://download.bitdefender.co...rRescueCD_v2.0.0_3_08_2009.iso
However, I strongly advise you to pull out the hard disk, install Bit Defender on another computer and then clean it there. Kaspersky and Avast will find the viruses but will also delete the .exe files. One more thing. After I had cleaned the computer and rebooted it, I unplugged the network cable and installed Comodo Firewall. The computer had a static address. An attacker from the internet immediately started attacking. The interesting thing is that the attacker was on the same Serbian ISP as the computer. It all ended with the firewall log file being sent to the ISP, which blocked the attacker in the shortest possible time.
There, I've shared one experience and a solution to a similar problem.


Thanks for the reply,

Unfortunately it won't open the bitdefender.com site either :(

All of this is happening to me on a laptop with an internal disk and one more external USB disk.

I moved the data and some installers onto that USB disk, but I'm afraid that after the format and running the installers the computer will catch the viruses again. Is the smartest thing, after installing Windows, to download bit-defender immediately and then scan that external disk?
[ Dashkes @ 14.09.2009. 18:19 ] @
Did you perhaps manage to download the programs from this topic and run them - http://www.elitesecurity.org/p2387602 ?
[ Bokacio @ 14.09.2009. 18:29 ] @
Quote:
Dashkes: Did you perhaps manage to download the programs from this topic and run them - http://www.elitesecurity.org/p2387602 ?


dcleaner won't start (!?) while Virus remover is running right now (though it still isn't finding anything)
[ kristi1 @ 14.09.2009. 18:33 ] @
Quote:
All of this is happening to me on a laptop with an internal disk and one more external USB disk.


Very possibly you transferred it from there too; be sure to connect it and do a complete scan. Especially if you carried it around and plugged it into other computers.
Only an antivirus can remove Sality, no other program; feel free to stop the scan.
[ Dashkes @ 14.09.2009. 18:37 ] @
Quote:
kristi1: Very possibly you transferred it from there too; be sure to connect it and do a complete scan. Especially if you carried it around and plugged it into other computers.
Only an antivirus can remove Sality, no other program; feel free to stop the scan.


kristi1, did you see which program that is? Short description of the program - A useful tool for deleting the Win32/Sality virus from your computer.
[ Bokacio @ 14.09.2009. 18:42 ] @
Quote:
kristi1: I'm afraid you've caught Sality Legacy_abp470n5. It has already been discussed how that virus is cleaned.
drvlada75 beat me to it :)

The best solution is Format C, installing one of the better AVs and a complete scan; everything else may or may not work. There's a high probability that Windows won't boot. So if you want to get rid of that virus, the fastest and best way is what I suggested. That means AV before drivers, then scan. Your whole computer is infected, meaning all partitions.

[This message was edited by kristi1 on 14.09.2009. at 19:13 GMT+1]


I'll do that now, God help me :)

Thanks
[ drvlada75 @ 14.09.2009. 18:43 ] @
Uh, I don't know how important the data on the disk is to you and whether it's worth downloading some Linux distribution, burning it, booting it, and then downloading and burning the rescue disk from there.
Dashkes, I tried that program... unfortunately it couldn't do anything with my variant of the Sality virus.
I must mention that the computer had the Windows 2000 operating system.
[ Dashkes @ 14.09.2009. 18:48 ] @
And Dr.Web CureIt!?
[ drvlada75 @ 14.09.2009. 18:59 ] @
Well no, I didn't try Dr.Web CureIt... I pulled out the HD and scanned it in a computer with Bit Defender, because I noticed that it disinfects it very successfully. At work I have a legal version of Bit Defender Antivirus.
[ kristi1 @ 14.09.2009. 19:35 ] @
kristi1, did you see which program that is? Short description of the program - A useful tool for deleting the Win32/Sality virus from your computer.

I know that program and I tried it in a VM; CureIt removes Sality, and so does Avast, I tried that.
The thing is that this virus has spread so much lately, in several variants; earlier you could catch it via some removable media, and now it has also appeared on certain websites.
[ jovanmal @ 14.09.2009. 19:37 ] @
@Bokacio

Why don't you try the Bit Defender Rescue CD, as drvlada75 told you?

[ kristi1 @ 14.09.2009. 19:44 ] @
http://www.free-av.com/en/tool...ira_antivir_rescue_system.html
http://download.bitdefender.com/rescue_cd/
http://www.freedrweb.com/livecd/
http://ftp.kaspersky.com/devbuilds/RescueDisk/
http://www.f-secure.com/linux-weblog/2008/06/

A few live CD solutions

In my opinion the best solution is a format and then DrWeb
[ Horvat @ 14.09.2009. 20:55 ] @
format Windows, be SURE to load some AV, and ONLY THEN connect the USB hard drive and scan it [they're suggesting Bit Defender here, which doesn't delete exe files but cleans them of the virus, so try that one if the exe files matter to you]
[ Bokacio @ 15.09.2009. 00:06 ] @
I formatted the disk, installed Windows and then Avast right away.

As soon as I connected the USB HDD it immediately reported that it had found the virus, and I was able to delete it.

Unfortunately the AV destroyed some of my exe files, but I'll get them again or keep them on a DVD.

Thanks everyone; I hope that now that Avast is in memory the virus won't get into RAM and start wreaking havoc again.

I'm still puzzled how it managed to stay in memory despite my shutting down almost all the processes (?!)
[ jovanmal @ 15.09.2009. 06:59 ] @
I have very bad experiences with Avast. If you want something free, I think Avira is better - anything is better than Avast.
[ drvlada75 @ 15.09.2009. 07:14 ] @
Did you format the whole disk or only the C partition? The virus is still waiting, ready to attack from the other partitions. Sality is nasty... in countless new variants
[ AmoK @ 15.09.2009. 09:11 ] @
That nasty malware infected explorer.exe, winlogon.exe and a bunch of other files.
I solved your problem by copying over several of these important system files from a Linux Live CD.

The first thing I look at is \system32\drivers\, and I delete all the newest files that have no Description.

The smartest thing is to set it up carefully so that only the basic drivers and services load, and to clean everything slowly in Safe Mode.
HirenBoot CD 9.9 has Mini Windows XP. A very useful thing, because a lot of tools for cleaning out the vermin can be run from it.
[ Bokacio @ 15.09.2009. 13:50 ] @
Hi,

I formatted the C disk (the internal disk in the laptop), while my backup was on the USB HDD. There are infected files on that USB HDD, but Avast prevents all of them from starting (it's enough for me to open the folder and a window appears offering to delete the virus).

[ deri3891 @ 15.09.2009. 18:00 ] @
First of all, let me say I'm sorry I didn't read your post earlier; I think I would have saved you a lot of effort :( . As for that problem with the virus, you managed to pick up Conficker, alias Downadup, alias Kido (one of the main characteristics of Conficker's presence is that it blocks access to AV vendors' pages, as well as the AV program's own update). I cleaned it off an HP laptop that was running AVAST (which admittedly had a virus database about 2-3 months out of date, but all in all it let it through), and with AVAST itself I couldn't solve the problem (another minus for this AV). Since AVAST couldn't update the virus database after several attempts, I began to suspect Conficker. If anyone suspects they're infected with this virus, here: http://www.confickerworkinggro...infection_test/cfeyechart.html they can do a simple test for Conficker (with the caveat that the relevance of the test is questionable, because the test itself was intended for the original version of Conficker that appeared, and since then there have been 2 or 3 "mutations" of the original version). Also, here: http://www.enigmasoftware.com/products/conficker-removal-tool/ a removal tool can be downloaded, with the note that after running the tool it is necessary to reboot the system several times.
[ Bokacio @ 15.09.2009. 19:59 ] @
Quote:
deri3891: First of all, let me say I'm sorry I didn't read your post earlier; I think I would have saved you a lot of effort :( . As for that problem with the virus, you managed to pick up Conficker, alias Downadup, alias Kido (one of the main characteristics of Conficker's presence is that it blocks access to AV vendors' pages, as well as the AV program's own update). I cleaned it off an HP laptop that was running AVAST (which admittedly had a virus database about 2-3 months out of date, but all in all it let it through), and with AVAST itself I couldn't solve the problem (another minus for this AV). Since AVAST couldn't update the virus database after several attempts, I began to suspect Conficker. If anyone suspects they're infected with this virus, here: http://www.confickerworkinggro...infection_test/cfeyechart.html they can do a simple test for Conficker (with the caveat that the relevance of the test is questionable, because the test itself was intended for the original version of Conficker that appeared, and since then there have been 2 or 3 "mutations" of the original version). Also, here: http://www.enigmasoftware.com/products/conficker-removal-tool/ a removal tool can be downloaded, with the note that after running the tool it is necessary to reboot the system several times.


Thanks, I'll keep this in mind if, God forbid, it happens again.

Regards!