Pogledaj u log ekranu Nod-a ... šta konkretno briše.

Da li lokacija ispred ima IP adresu, tj. vidi da ne dolazi sa drugog računara u mreži.

evo šta piše:
Time Module Object Name Threat Action User Information
21.10.2009 17:53:38 AMON file C:\DOCUME~1\SEFPRO~1\LOCALS~1\Temp\ctv41734.exe Win32/TrojanDownloader.Unruy.AA trojan quarantined - deleted VPC-DM\sef proizvodnje Event occurred on a new file created by the application: C:\Program Files\Compaq\SetRefresh\SetRefresh.exe. The file was moved to quarantine. You may close this window.
21.10.2009 17:34:36 AMON file C:\DOCUME~1\SEFPRO~1\LOCALS~1\Temp\ctv40810.exe Win32/TrojanDownloader.Unruy.AA trojan quarantined - deleted VPC-DM\sef proizvodnje Event occurred on a new file created by the application: C:\Program Files\Compaq\SetRefresh\SetRefresh.exe. The file was moved to quarantine. You may close this window.
21.10.2009 17:21:19 AMON file C:\DOCUME~1\SEFPRO~1\LOCALS~1\Temp\ctv39885.exe Win32/TrojanDownloader.Unruy.AA trojan quarantined - deleted VPC-DM\sef proizvodnje Event occurred on a new file created by the application: C:\Program Files\Compaq\SetRefresh\SetRefresh.exe. The file was moved to quarantine. You may close this window.
21.10.2009 17:05:02 AMON file C:\DOCUME~1\SEFPRO~1\LOCALS~1\Temp\ctv38961.exe Win32/TrojanDownloader.Unruy.AA trojan quarantined - deleted VPC-DM\sef proizvodnje Event occurred on a new file created by the application: C:\Program Files\Compaq\SetRefresh\SetRefresh.exe. The file was moved to quarantine. You may close this window.
21.10.2009 16:50:32 AMON file C:\DOCUME~1\SEFPRO~1\LOCALS~1\Temp\ctv38038.exe Win32/TrojanDownloader.Unruy.AA trojan quarantined - deleted VPC-DM\sef proizvodnje Event occurred on a new file created by the application: C:\Program Files\Compaq\SetRefresh\SetRefresh.exe. The file was moved to quarantine. You may close this window.
21.10.2009 16:50:29 AMON file C:\DOCUME~1\SEFPRO~1\LOCALS~1\Temp\ctv37115.exe Win32/TrojanDownloader.Unruy.AA trojan quarantined - deleted VPC-DM\sef proizvodnje Event occurred on a new file created by the application: C:\Program Files\Compaq\SetRefresh\SetRefresh.exe. The file was moved to quarantine. You may close this window.
21.10.2009 16:23:38 AMON file C:\DOCUME~1\SEFPRO~1\LOCALS~1\Temp\ctv36193.exe Win32/TrojanDownloader.Unruy.AA trojan quarantined - deleted VPC-DM\sef proizvodnje Event occurred on a new file created by the application: C:\Program Files\Compaq\SetRefresh\SetRefresh.exe. The file was moved to quarantine. You may close this window.
20.10.2009 17:14:50 AMON file C:\DOCUME~1\SEFPRO~1\LOCALS~1\Temp\rjfhadkz.exe Win32/TrojanDropper.Agent.NNE trojan quarantined - deleted Event occurred on a new file created by the application: C:\Documents and Settings\sef proizvodnje\My Documents\Downloads\Keygen.Scanitto.1.16.0.0 (1).exe. The file was moved to quarantine. You may close this window.
20.10.2009 17:11:16 AMON file C:\DOCUME~1\SEFPRO~1\LOCALS~1\Temp\bbjcozzc.exe a variant of Win32/Kryptik.WJ trojan quarantined - deleted Event occurred on a new file created by the application: C:\Documents and Settings\sef proizvodnje\My Documents\Downloads\Keygen.Scanitto.1.16.0.0 (1).exe. The file was moved to quarantine. You may close this window.
20.10.2009 17:11:02 AMON file C:\DOCUME~1\SEFPRO~1\LOCALS~1\Temp\evgsaukr.exe a variant of Win32/Kryptik.AWP trojan quarantined - deleted Event occurred on a new file created by the application: C:\Documents and Settings\sef proizvodnje\My Documents\Downloads\Keygen.Scanitto.1.16.0.0 (1).exe. The file was moved to quarantine. You may close this window.
20.10.2009 17:10:19 IMON file http://stopicot.ultrxxxxa.com/pzdcbl/ll.exe a variant of Win32/Kryptik.AWP trojan VPC-DM\sef proizvodnje
20.10.2009 17:09:10 IMON file http://medianetxxxx.com/Serial.Scanitto.1.16.0.0.45042.exe a variant of Win32/Kryptik.AWQ trojan VPC-DM\sef proizvodnje



i nadalje sve tako.uvek je iza onog ctv drugi broj.šta dalje?

_{[Ovu poruku je menjao Dashkes dana 23.10.2009. u 00:28 GMT+1]}

Skini DDS Program na Desktop
http://download.bleepingcomputer.com/sUBs/dds.scr

Dvoklikom pokreni dds.scr

Kad zavrsi, DDS ce otvoriti dva loga:
1. DDS.txt
2. Attach.txt


Kopiraj mi DDS.txt

evo šta kaže:
DDS (Ver_09-10-13.01) - NTFSx86
Run by sef proizvodnje at 6:42:09,31 on pet 23.10.2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1250.381.1033.18.759.271 [GMT 2:00]

AV: ESET NOD32 antivirus system 2.70 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Common Files\Protexis\License Service\PSIService.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Compaq\SetRefresh\SetRefresh.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\ClocX\ClocX .exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\Samsung\Samsung SCX-4x21 Series\PSU\Scan2pc .exe
C:\WINDOWS\NCLAUNCH .exe
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
C:\Documents and Settings\sef proizvodnje\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://go.compaq.com/1Q00CDT/0409/bl8.asp
uInternet Settings,ProxyServer = 192.168.80.10:8080
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: myBabylon English Toolbar: {b2e293ee-fd7e-4c71-a714-5f4750d8d7b7} - c:\program files\mybabylon_english\tbmyB0.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.3.4501.1418\swg.dll
BHO: myBabylon English Toolbar: {b2e293ee-fd7e-4c71-a714-5f4750d8d7b7} - c:\program files\mybabylon_english\tbmyB0.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
TB: myBabylon English Toolbar: {b2e293ee-fd7e-4c71-a714-5f4750d8d7b7} - c:\program files\mybabylon_english\tbmyB0.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Google Update] "c:\documents and settings\sef proizvodnje\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [NCLaunch] c:\windows\NCLAUNCH.EXe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [AlcoholAutomount] "c:\program files\alcohol soft\alcohol 120\axcmd.exe" /automount
mRun: [SetRefresh] c:\program files\compaq\setrefresh\SetRefresh.exe
mRun: [ClocX] c:\program files\clocx\ClocX.exe
mRun: [nod32kui] "c:\program files\eset\nod32kui.exe" /WAITSERVICE
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [WHITNEY_S2P] c:\program files\samsung\samsung scx-4x21 series\psu\Scan2pc.exe
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
dRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
StartupFolder: c:\docume~1\sefpro~1\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Open in new background tab - c:\program files\windows live toolbar\components\en-us\msntabres.dll.mui/229?b34629e0ae824782a5c6cde136a71638
IE: Open in new foreground tab - c:\program files\windows live toolbar\components\en-us\msntabres.dll.mui/230?b34629e0ae824782a5c6cde136a71638
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501}
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
LSP: imon.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: {599C0F30-3E75-4233-85A3-584FAC958C16} = 195.178.32.2,212.200.13.13
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll

============= SERVICES / DRIVERS ===============

R1 nod32drv;nod32drv;c:\windows\system32\drivers\nod32drv.sys [2007-5-18 15424]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2009-3-20 55152]
R2 SeaPort;SeaPort;c:\program files\microsoft\search enhancement pack\seaport\SeaPort.exe [2009-5-19 240512]
S2 MCUSBPM3;Microchip MPLAB PM3 Firmware Client Driver (PM3W2K.SYS);c:\windows\system32\drivers\PM3w2k.sys [2004-3-22 12447]
S3 fsssvc;Windows Live Family Safety;c:\program files\windows live\family safety\fsssvc.exe [2009-2-6 533360]
S3 mpr_freader;MPR FileReader Driver;\??\c:\docume~1\sefpro~1\locals~1\temp\rarsfx0\mpr_freader.sys --> c:\docume~1\sefpro~1\locals~1\temp\rarsfx0\mpr_freader.sys [?]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-6 34064]

=============== Created Last 30 ================

2009-10-21 06:15 30,208 a------- c:\documents and settings\sef proizvodnje\rundll32.exe bthprops .exe
2009-10-20 17:10 10 a------- c:\windows\system32\kr_done1
2009-10-03 06:18 195,440 -------- c:\windows\system32\MpSigStub.exe

==================== Find3M ====================

2009-10-23 06:18 30,208 a------- c:\windows\nclaunch.exe
2009-09-14 19:13 2,568 a--sh--- c:\windows\system32\KGyGaAvL.sys
2009-09-11 16:18 136,192 a------- c:\windows\system32\msv1_0.dll
2009-09-11 16:18 136,192 -------- c:\windows\system32\dllcache\msv1_0.dll
2009-09-04 23:03 58,880 a------- c:\windows\system32\msasn1.dll
2009-09-04 23:03 58,880 -------- c:\windows\system32\dllcache\msasn1.dll
2009-08-28 12:28 70,656 -------- c:\windows\system32\dllcache\ie4uinit.exe
2009-08-28 12:28 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2009-08-27 07:18 634,648 -------- c:\windows\system32\dllcache\iexplore.exe
2009-08-27 07:18 161,792 -------- c:\windows\system32\dllcache\ieakui.dll
2009-08-26 10:00 247,326 a------- c:\windows\system32\strmdll.dll
2009-08-26 10:00 247,326 -------- c:\windows\system32\dllcache\strmdll.dll
2009-08-17 23:33 1,193,832 a------- c:\windows\system32\FM20.DLL
2009-08-13 17:16 512,000 -------- c:\windows\system32\dllcache\jscript.dll
2009-08-05 11:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-08-05 11:01 204,800 -------- c:\windows\system32\dllcache\mswebdvd.dll
2009-08-04 20:44 2,189,184 -------- c:\windows\system32\dllcache\ntoskrnl.exe
2009-08-04 17:13 2,145,280 a------- c:\windows\system32\ntoskrnl.exe
2009-08-04 17:13 2,145,280 -------- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-08-04 16:20 2,023,936 a------- c:\windows\system32\ntkrnlpa.exe
2009-08-04 16:20 2,023,936 -------- c:\windows\system32\dllcache\ntkrpamp.exe
2009-08-04 16:20 2,066,048 -------- c:\windows\system32\dllcache\ntkrnlpa.exe
2008-03-14 12:54 32 a------- c:\docume~1\alluse~1\applic~1\ezsid.dat
2007-04-21 14:05 8 ---shr-- c:\windows\system32\BB642112CA.sys
2009-04-01 08:46 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009040120090402\index.dat

============= FINISH: 6:42:46,59 ===============

Skini ovaj program http://swandog46.geekstogo.com/avenger2/download.php
Raspakuj ga u folder
Dvoklikom pokreni avenger.exe
Iskopiraj ovaj tekst u beli prozor programa



Zatim klikni Execute pa dva puta Yes.
Kompjuter ce se restartovati, mozda dva puta.
Postavi log fajl C:\avenger.txt

završio sam sve kao što si mi reko ,dva puta se restartovao,kad sam se ulogovao pojavio se donji text,i dok sam ga ja pogledao opet mi je nod prijavio da je otkrio virus:
//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows XP (build 2600, Service Pack 3)
Fri Oct 23 14:44:10 2009

14:44:10: Error: Invalid script. A valid script must begin with a command directive.
Aborting execution!


//////////////////////////////////////////


Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Error: could not open file "c:\docume~1\sefpro~1\locals~1\temp\rarsfx0\mpr_freader.sys"
Deletion of file "c:\docume~1\sefpro~1\locals~1\temp\rarsfx0\mpr_freader.sys" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
--> bad path / the parent directory does not exist

File "c:\windows\system32\kr_done1" deleted successfully.
Driver "mpr_freader" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

Ok ajde ovako cemo da ga sklonimo.

http://download.bleepingcomputer.com/sUBs/ComboFix.exe Skini na desktop
Iskljuci Antivirus
Pokreni ga dvoklikom sa desktopa
Odgovori potvrdno za sve sto te pita
Na kraju skeniranja izbacice ti log koji ces mi kopirati ovde.

Šta dalje? da li je sada uklonjen napokon?

ComboFix 09-10-22.01 - sef proizvodnje 23.10.2009 16:29.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1250.381.1033.18.759.267 [GMT 2:00]
Running from: c:\documents and settings\sef proizvodnje\Desktop\ComboFix.exe
AV: ESET NOD32 antivirus system 2.70 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\~WRD0005.tmp
c:\documents and settings\sef proizvodnje\rundll32.exe bthprops .exe
c:\recycler\S-1-5-21-674801537-3840082271-3752609986-500
c:\windows\nclaunch .exe
c:\windows\system32\_000006_.tmp.dll
c:\windows\system32\comrepl.exe
c:\windows\system32\ctfmon .exe
c:\windows\system32\setup.ini

.
((((((((((((((((((((((((( Files Created from 2009-09-23 to 2009-10-23 )))))))))))))))))))))))))))))))
.

2009-10-14 14:43 . 2009-10-14 14:43 -------- d-----w- c:\documents and settings\sef proizvodnje\Local Settings\Application Data\PCHealth
2009-10-03 04:18 . 2009-10-01 08:29 195440 ------w- c:\windows\system32\MpSigStub.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-23 12:47 . 2004-12-14 10:39 -------- d-----w- c:\program files\ClocX
2009-10-23 12:47 . 2009-02-13 09:46 30208 ----a-w- c:\windows\nclaunch.exe
2009-10-23 08:36 . 2008-11-26 10:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-10-21 16:32 . 2009-01-20 07:50 -------- d-----w- c:\program files\TuneUp Utilities 2009
2009-10-14 06:06 . 2008-12-03 09:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-09-14 17:16 . 2008-12-31 10:55 -------- d-----w- c:\documents and settings\sef proizvodnje\Application Data\MSN6
2009-09-14 17:13 . 2007-04-21 12:05 2568 --sha-w- c:\windows\system32\KGyGaAvL.sys
2009-09-11 14:18 . 2003-03-31 02:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-10 04:46 . 2009-03-20 07:29 -------- d-----w- c:\program files\Microsoft Silverlight
2009-09-06 10:20 . 2007-04-26 10:17 -------- d-----w- c:\documents and settings\sef proizvodnje\Application Data\Skype
2009-09-06 08:37 . 2008-03-14 10:54 -------- d-----w- c:\documents and settings\sef proizvodnje\Application Data\skypePM
2009-09-04 21:03 . 2003-03-31 02:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 07:36 . 2004-12-07 14:37 832512 ----a-w- c:\windows\system32\wininet.dll
2009-08-29 07:36 . 2004-08-04 07:56 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-08-29 07:36 . 2003-03-31 02:00 17408 ------w- c:\windows\system32\corpol.dll
2009-08-26 10:44 . 2009-08-26 10:44 -------- d-----w- c:\program files\Readiris
2009-08-26 10:44 . 2004-10-29 23:02 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-08-26 08:00 . 2003-03-31 02:00 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-17 21:33 . 2009-08-17 21:33 1193832 ----a-w- c:\windows\system32\FM20.DLL
2009-08-05 09:01 . 2002-12-12 07:14 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-04 15:13 . 2003-03-31 02:00 2145280 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-08-04 14:20 . 2003-03-31 02:00 2023936 ----a-w- c:\windows\system32\ntkrnlpa.exe
2007-04-21 12:05 . 2007-04-21 12:05 8 --sh--r- c:\windows\system32\BB642112CA.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{b2e293ee-fd7e-4c71-a714-5f4750d8d7b7}"= "c:\program files\myBabylon_English\tbmyB0.dll" [2009-04-01 1883672]

[HKEY_CLASSES_ROOT\clsid\{b2e293ee-fd7e-4c71-a714-5f4750d8d7b7}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b2e293ee-fd7e-4c71-a714-5f4750d8d7b7}]
2009-04-01 05:35 1883672 ----a-w- c:\program files\myBabylon_English\tbmyB0.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{b2e293ee-fd7e-4c71-a714-5f4750d8d7b7}"= "c:\program files\myBabylon_English\tbmyB0.dll" [2009-04-01 1883672]

[HKEY_CLASSES_ROOT\clsid\{b2e293ee-fd7e-4c71-a714-5f4750d8d7b7}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{B2E293EE-FD7E-4C71-A714-5F4750D8D7B7}"= "c:\program files\myBabylon_English\tbmyB0.dll" [2009-04-01 1883672]

[HKEY_CLASSES_ROOT\clsid\{b2e293ee-fd7e-4c71-a714-5f4750d8d7b7}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\sef proizvodnje\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-11-26 133104]
"NCLaunch"="c:\windows\NCLAUNCH.EXe" [2009-10-23 30208]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-06 68856]
"AlcoholAutomount"="c:\program files\Alcohol Soft\Alcohol 120\axcmd.exe" [2009-06-01 4608]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"SetRefresh"="c:\program files\Compaq\SetRefresh\SetRefresh.exe" [2009-10-20 30208]
"ClocX"="c:\program files\ClocX\ClocX.exe" [2009-10-23 30208]
"nod32kui"="c:\program files\Eset\nod32kui.exe" [2007-05-18 949376]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2009-10-03 39792]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-03 866584]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2005-02-16 221184]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-07 98304]
"WHITNEY_S2P"="c:\program files\Samsung\Samsung SCX-4x21 Series\PSU\Scan2pc.exe" [2009-10-23 30208]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"BluetoothAuthenticationAgent"="bthprops.cpl" - c:\windows\system32\bthprops.cpl [2008-04-14 110592]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

c:\documents and settings\sef proizvodnje\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-7 101440]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=c:\windows\system32\ctfmon.exe
"swg"=c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
"Google Update"="c:\documents and settings\sef proizvodnje\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"BluetoothAuthenticationAgent"=rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
"ISUSPM Startup"=c:\progra~1\common~1\instal~1\update~1\isuspm.exe -startup
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" -start
"HotKeysCmds"=c:\windows\System32\hkcmd.exe
"TomcatStartup"=c:\program files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
"StatusClient"=c:\program files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
"IgfxTray"=c:\windows\System32\igfxtray.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Hewlett-Packard\\Toolbox2.0\\Javasoft\\JRE\\1.3.1\\bin\\javaw.exe"=
"c:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\helpctr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R1 nod32drv;nod32drv;c:\windows\system32\drivers\nod32drv.sys [18.5.2007 13:36 15424]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [20.3.2009 9:28 55152]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [3.11.2006 19:19 13592]
S2 MCUSBPM3;Microchip MPLAB PM3 Firmware Client Driver (PM3W2K.SYS);c:\windows\system32\drivers\PM3w2k.sys [22.3.2004 2:45 12447]
S3 fsssvc;Windows Live Family Safety;c:\program files\Windows Live\Family Safety\fsssvc.exe [6.2.2009 19:08 533360]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [6.11.2007 22:22 34064]
.
Contents of the 'Scheduled Tasks' folder

2009-10-23 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-07-16 07:36]

2009-10-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2241337480-236900093-1425797982-1006Core.job
- c:\documents and settings\sef proizvodnje\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-11-26 07:24]

2009-10-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2241337480-236900093-1425797982-1006UA.job
- c:\documents and settings\sef proizvodnje\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-11-26 07:24]

2009-10-23 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 17:20]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://go.compaq.com/1Q00CDT/0409/bl8.asp
uInternet Settings,ProxyServer = 192.168.80.10:8080
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Open in new background tab - c:\program files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/229?b34629e0ae824782a5c6cde136a71638
IE: Open in new foreground tab - c:\program files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/230?b34629e0ae824782a5c6cde136a71638
LSP: imon.dll
TCP: {599C0F30-3E75-4233-85A3-584FAC958C16} = 195.178.32.2,212.200.13.13
.
- - - - ORPHANS REMOVED - - - -

AddRemove-_{63218538-4A69-497F-8455-904261B0E9E4} - c:\program files\Corel\CorelDRAW Graphics Suite 13\Programs\MSILauncher {63218538-4A69-497F-8455-904261B0E9E4}



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-23 16:35
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(908)
c:\windows\system32\imon.dll
.
Completion time: 2009-10-23 16:37
ComboFix-quarantined-files.txt 2009-10-23 14:37

Pre-Run: 35.703.853.056 bytes free
Post-Run: 36.430.077.952 bytes free

- - End Of File - - 37C1F0A51E5F2AC9357E7A8F912A0269

sve je isto...

Imas li izvestaj sta ti to pronalazi nod, ili uslikaj pa postavi da vidim.

Slikao,još kad bi mi reko kako da dodam sliku u ovoj poruci?
Ako pomaže piše sledeće:
Alert details
File:
C:\DOCUME-1\SEFPRO-1\LOCALS-1\Temp\ctv6623.exe
Threat:
Win32/TrojanDownloader.Unruy.AAtrojan
Comment:
Event occured on a new file created by application>C:\Program Files\Compaq\SetRefresh\SetRefresh.exe.The file was moved to quarantine.You may close this window.

Ajde isključi System restore, pa obriši sadžaj TEMP foldera,
C:\Windows\Temp i ovaj što se spominje najviše ... idi Start-Run pa učukaj pa pobriši sve to što ima
Isprazni Recycle Bin pa skeniraj sa Malwarebytes i kasnije sa NOD-om

opet isto.sve sam uradio kao sto si reko i dok sam skenirao nod-om 3 puta se uključio alarm da je pronašao virus.Malverbytes nisam koristio i nemam ga(valjda).Šta dalje činiti?

Preuzmite program Dr.Web CureIt!.

• Posle preuzimanja restartujte racunar u Safe Mode-u (dok se pali racunar pritiskajte F8 pa kada se pojavi meni odaberite Safe Mode).
• Kada se ucita Safe Mode pokrenite Dr.Web CureIt!.
• Kad se upali odaberite Start. On ce automatski poceti da skenira racunar. Pustiti da skenira (to je Express Scan).
• Kada zavrsi sa skeniranjem odaberite kompletno skeniranje - Complete scan i sa desne strane pritisnite dugme Start Scanning (izgleda kao Play dugme).

Pokazite log (zapakujte u ".rar" arhivu i upload-ujte) CureIt!-a koji se nalazi u C:\Documents and Settings\USERNAME\DoctorWeb\

Pa prilično sam uveren da bi on baš rešio problem.

Pre nego odradis ovo deinstaliraj combofix.
Start > run > Combofix /u > enter.

Koliko sam video na stranim forumima, problem resavaju i Dr.Web, i ComboFix, i MBAM i SuperAntiSyware, ali svi samo iz SafeMode-a...

Malo mi je čudno da se posle brisanja javlja na C:\DOCUME-1\SEFPRO-1\LOCALS-1\Temp\ ovoj lokaciji

Dakle, uključi opciju Show hidden Files i idi direkt na C:\Documents and Settings\Tvoj User Name\Local Settings\Temp i obriši sve unutar njega
Kraća opcija je Start>Run pa %temp% pa Enter

Posle toga isprazni recycle bin i skeniraj sa malwarebytes,

Sve to možeš odraditi i u Safe modu ... svakako da je bolje.

Ali pazi ovo:



I to se u prvom logu lepo pojavljuje ta lokacija, kasnije je nema posle brisanja drajvera. Najverovatnije je nesto petljao u medjuvremenu. Posle deinstalacije CF-a automatski ce mu resetovati system restore, tako da je moguce da vise nece prijavljivati trojanca.



Sa Combofixom se ne radi iz safe mode, jedino ako bas ne moze da se pokrene iz normal mode, u ekstremnim slucajevima, takodje ista je situacija i sa mbam-om. Ne znam koje si forume gledao, ja sam na jednom video da covek cak izmislja komande, znaci uzas. Jedino relevantni forumi su clanovi ASAP udruzenja (Alliance of Security Analysis Professionals), gde postoje striktna pravila.

Skenirao sam sa Dr.Web CureIT-om.Pronašao je 4 trojanca i obrisao ih:
Prvi:
object:VideoDownloader.exe
path:C:\Program Files\EasyVideoDownloader
status:Trojan.PWS.Gamania.19200
Drugi:
object:2LHCXPCA.NQF
path:C:\ProgramFiles\Eset\Infected
status:Trojan.Proxy.3109
Treci:
object:NPJRKYDA.NQF
path:C:\ProgramFiles\Eset\Infected
status:Trojan.Packed.166
Cetvrti:
object:AOO46520.exe
path:C:\SystemVolumeInformation\-restore...
status:Trojan.PWS.Gamania.19200


Kad je završio sa skeniranjem restartovao sam računar i pokrenuo ga u normal modu i ponovo je prijavio viruse.Inače sada kada motam film unazad možda sam i obrisao nešto što nisam trebao.Sećam se da su u folderu C:\Program Files\Compaq\Set Refresh bila dva fila SetRefresh.exe i ja sam onda iz sada već ne znam kojih razloga pokušao da ih obrišem.Tom prilikom jedan sam uspeo da obrišem a za drugi mi je javio da ne može da se obriše i on i sada stoji tamo.Da nisam možda tada zeznuo stvar?

Skenirao sam sa Dr.Web CureIT-om.Pronašao je 4 trojanca i obrisao ih:
Prvi:
object:VideoDownloader.exe
path:C:\Program Files\EasyVideoDownloader
status:Trojan.PWS.Gamania.19200
Drugi:
object:2LHCXPCA.NQF
path:C:\ProgramFiles\Eset\Infected
status:Trojan.Proxy.3109
Treci:
object:NPJRKYDA.NQF
path:C:\ProgramFiles\Eset\Infected
status:Trojan.Packed.166
Cetvrti:
object:AOO46520.exe
path:C:\SystemVolumeInformation\-restore...
status:Trojan.PWS.Gamania.19200


Kad je završio sa skeniranjem restartovao sam računar i pokrenuo ga u normal modu i ponovo je prijavio viruse.Inače sada kada motam film unazad možda sam i obrisao nešto što nisam trebao.Sećam se da su u folderu C:\Program Files\Compaq\Set Refresh bila dva fila SetRefresh.exe i ja sam onda iz sada već ne znam kojih razloga pokušao da ih obrišem.Tom prilikom jedan sam uspeo da obrišem a za drugi mi je javio da ne može da se obriše i on i sada stoji tamo.Da nisam možda tada zeznuo stvar?

Probaj sa bootabilnim BitDefender rescue diskom:

http://download.bitdefender.co...rRescueCD_v2.0.0_3_08_2009.iso

Bas me zanima da li ce ti nesto pronaci i pomoci.

Ovo ti je karantin u koji NOD32 smesta sumnjive fajlove. Sasvim je normalno da prilikom skeniranja jednim AV programom on pronadje malware u karantinu nekog drugog AV programa.


Sad me bas zanima na koga se odnosi:




Da li je NOD32 ponovo prijavio, Dr.Web ili ko? I gde ih je prijavio? Da nije sada NOD32 pronasao nesto u DR.Web-ovom karantinu?


E da:



Iskljuci System Restore i ocisti ga, i tako ces se verovatno resiti ovog cetvrtog sa spiska:

Kllikni desnim dugmetom misa na My Computer, odaberi Properties, pronadji karticu System Restore, i stikliraj kucicu "Turn off System Restore on all drives". Iskoristi Windowsovu Disk Cleanup alatku - kliknes na Start, (All) Programs > Accessories > System Tools > Disk Cleanup, odaberes C: disk, odes na More Options jezicak, i u odeljku System Restore kliknes na Clean Up dugme.

Posle ciscenja ponovo ukljuci System Restore (ista procedura kao sa pocetka prethodnog pasusa, samo sad treba isprazniti, odnosno odstiklirati kucicu "Turn off System Restore on all drives").

Uspeo sam nekako.Hvala svima koji su mi nesebično pomogli da se rešim napasti.

evo ja se baš registrirao isključivo da ti pomognem jer i ja sam imao sve do sad isti problem,malo je kasno sad al napisat ću za druge koji će možda trebati pomoć oko riješavanja ove napasti.

ovako sam riješio:

The easiest and safest way to do this is:

* Go to Start > Programs > Accessories > System Tools and click "System Restore".
* Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
* Then go to Start > Run and type: Cleanmgr
* Click "OK".
* Click the "More Options" Tab.
* Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.

ovim postupkom virus mi se više nije javljao,da samo napomenem da ni SDFix,ni ComboFix ni Malwarebytes nisu riješili problem!
pozdrav