[ Aleksandar Maletic @ 02.12.2009. 23:39 ] @
Guys, here is another task for you... until now I haven't been in a situation where I had to ask for help, I've only been collecting the good advice... At a friend's I noticed that when the system boots, after Windows loads, a blue screen just flashes and the computer restarts... Safe mode is impossible to use... These are all clear symptoms of a trojan, because I had a similar situation recently and my dad's colleague saved my computer from a reinstall using Avast's boot CD... However, I personally don't have any boot CD, and I urgently need one... I'm asking for a link to download some good free boot CD and instructions on how to do it... Thanks in advance...
[ Goran Mijailovic @ 03.12.2009. 00:02 ] @
http://www.techmixer.com/free-...irus-rescue-cds-download-list/
[ Aleksandar Maletic @ 03.12.2009. 00:27 ] @
What can I say other than a big thank you for the express help!!! I'll try with Avira, I hope that's a smart choice...
[ milanbrainbug @ 05.12.2009. 10:41 ] @
If I may piggyback on this topic: I burned the Kaspersky and Avira rescue CDs but I have a problem when booting. With Kaspersky it throws "cannot load linux kernel" and everything stops there... With Avira, when I pick that resolution it tries something, some message just flashes at the top of the screen that I don't have time to read, and it "sort of" turns the monitor off and nothing happens; I have to restart the computer. I have some nasty virus and I don't know how to get rid of it. Does anyone know what I could do about this???
[ kristi1 @ 05.12.2009. 10:43 ] @
Let's see what's going on, follow these instructions:

Download the DDS program http://download.bleepingcomputer.com/sUBs/dds.scr
Double-click DDS to run it
Wait a bit, it will produce two logs
Attach the DDS.txt log for me
[ milanbrainbug @ 05.12.2009. 11:43 ] @

DDS (Ver_09-12-01.01) - NTFSx86
Run by milan at 12:38:06.54 on Sat 12/05/2009
Internet Explorer: 8.0.6001.18372 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.305 [GMT 1:00]

AV: COMODO Antivirus *On-access scanning enabled* (Updated) {043803A5-4F86-4ef7-AFC5-F6E02A79969B}
FW: COMODO Firewall *enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\DU Meter\DUMeterSvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
c:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\Program Files\LClock\LClock.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\DU Meter\DUMeter.exe
C:\Documents and Settings\milan\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\milan\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\milan\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\milan\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\milan\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\milan\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Digsby\lib\digsby-app.exe
C:\DOCUME~1\milan\LOCALS~1\Temp\Rar$EX00.719\procexp.exe
C:\Documents and Settings\milan\Local Settings\Application Data\Google\Update\1.2.183.13\GoogleCrashHandler.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
C:\Program Files\DAP\DAP.EXE
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\Documents and Settings\milan\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
uSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
mSearch Page = hxxp://searchbox.digsby.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
mSearchAssistant = hxxp://searchbox.digsby.com/ie
mWinlogon: SfcDisable=-99 (0xffffff9d)
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {ECDEE021-0D17-467F-A1FF-C7A115230949} - No File
TB: {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - No File
uRun: [DU Meter] c:\program files\du meter\DUMeter.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [LClock] c:\program files\lclock\LClock.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [COMODO Internet Security] "c:\program files\comodo\comodo internet security\cfp.exe" -h
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
dRunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
dRunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32
mPolicies-system: EnableLUA = 0 (0x0)
dPolicies-system: DisableTaskMgr = 1 (0x1)
dPolicies-system: DisableRegistryTools = 1 (0x1)
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: {BFFD36EB-35F3-4E7C-81FD-B0E545DCA425} = 10.10.2.69,10.10.2.79
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Name-Space Handler: ftp\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - c:\progra~1\dap\dapie.dll
Name-Space Handler: http\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - c:\progra~1\dap\dapie.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
AppInit_DLLs:
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - No File
mASetup: {D58F39FF-953E-4F45-898F-59F243B9A523} - RUNDLL32 advpack.dll,LaunchINFSection Sidebar.inf,Register

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\milan\applic~1\mozilla\firefox\profiles\54pyq3di.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\documents and settings\milan\application data\mozilla\firefox\profiles\54pyq3di.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\bdqscan.dll
FF - component: c:\program files\dap\dapfirefox\components\DAPFireFox.dll
FF - plugin: c:\documents and settings\milan\application data\mozilla\firefox\profiles\54pyq3di.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
FF - plugin: c:\documents and settings\milan\application data\mozilla\plugins\npoctoshape.dll
FF - plugin: c:\documents and settings\milan\local settings\application data\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\documents and settings\milan\local settings\application data\octoshape\octoshape streaming services\octoprogram-l03-nms0810164_sua_900\npoctoshape.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\google\update\1.2.141.5\npGoogleOneClick7.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: capability.policy.policynames - localfilelinks); user_pref(capability.policy.localfilelinks.sites, hxxp://s3.travian.rs http://s2.travian.rs); user_pref(capability.policy.localfilelinks.checkloaduri.enabled, allAccessc:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [2009-12-2 110992]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2009-12-2 24336]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-4-28 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-4-28 74480]
R2 cmdAgent;COMODO Internet Security Helper Service;c:\program files\comodo\comodo internet security\cmdagent.exe [2009-12-2 700152]
R2 DUMeterSvc;DU Meter Service;c:\program files\du meter\DUMeterSvc.exe [2008-8-18 1382672]
R2 StarWindServiceAE;StarWind AE Service;c:\program files\alcohol soft\alcohol 120\starwind\StarWindServiceAE.exe [2007-5-28 275968]
R3 aic32p;aic32p;\??\c:\windows\system32\drivers\uolnnn.sys --> c:\windows\system32\drivers\uolnnn.sys [?]
S3 GarenaPEngine;GarenaPEngine;\??\c:\docume~1\milan\locals~1\temp\hzz3e7.tmp --> c:\docume~1\milan\locals~1\temp\HZZ3E7.tmp [?]
S3 MTK;Media Technology Kernel Driver;c:\windows\system32\drivers\MTK.SYS [2009-6-6 15670]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-4-28 7408]
S3 SetupNTGLM7X;SetupNTGLM7X;\??\e:\ntglm7x.sys --> e:\NTGLM7X.sys [?]
S3 SIVDRIVER;SIV Kernel Driver;c:\windows\system32\drivers\SIVX32.sys [2009-4-1 49632]
S4 gupdate1c9a989fa518a12;Google Update Service (gupdate1c9a989fa518a12);c:\program files\google\update\GoogleUpdate.exe [2009-3-20 133104]
S4 MSSQL$SONY_MEDIAMGR2;SQL Server (SONY_MEDIAMGR2);c:\program files\microsoft sql server\mssql.1\mssql\binn\sqlservr.exe [2007-2-10 29247856]

=============== Created Last 30 ================

2009-12-03 23:49:47 0 d-----w- c:\docume~1\milan\applic~1\QuickScan
2009-12-02 22:11:56 48 ----a-w- c:\windows\wininit.ini
2009-12-02 09:55:01 0 d-----w- c:\docume~1\alluse~1\applic~1\Comodo
2009-12-02 09:54:59 24336 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
2009-12-02 09:54:59 155384 ----a-w- c:\windows\system32\guard32.dll
2009-12-02 09:54:59 110992 ----a-w- c:\windows\system32\drivers\cmdguard.sys
2009-11-30 22:20:52 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-30 22:19:26 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-30 22:18:59 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-26 18:31:37 153 ----a-w- c:\windows\cavscan.INI
2009-11-26 13:47:27 0 d-----w- c:\windows\Logs
2009-11-24 18:27:47 146 ----a-w- c:\windows\Video To Audio Converter.ini
2009-11-24 18:27:07 0 d-----w- C:\temp
2009-11-24 18:25:34 9 ----a-w- c:\windows\system32\Video To Audio Converter0902.dat

==================== Find3M ====================

2009-11-24 17:48:38 72192 ----a-w- c:\windows\system32\dumprep.exe
2009-10-25 17:53:24 272 ----a-w- c:\windows\system32\drivers\sfi.dat
2009-10-24 22:35:33 253688 ----a-w- c:\windows\system32\cssdll32.dll
2009-10-11 03:17:27 411368 ----a-w- c:\windows\system32\deploytk.dll
2008-08-18 17:16:24 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008081820080819\index.dat

============= FINISH: 12:38:48.73 ===============
[ kristi1 @ 05.12.2009. 12:17 ] @
Disable Comodo IS, both the FW and the AV
Download the following program to the desktop http://download.bleepingcomputer.com/sUBs/ComboFix.exe
Run it from the Desktop by double-clicking
Accept everything it asks for, Yes / OK
When it finishes scanning it will produce a log in Notepad, which you will copy here.
[ milanbrainbug @ 05.12.2009. 12:26 ] @
I run it and it says I'm missing regedit and that I should copy it from another machine, and then it quits :S
[ kristi1 @ 05.12.2009. 12:36 ] @
Download this program, run it, update it at the start and run a Quick scan (delete everything it finds)

http://download.cnet.com/3001-...6d27fdcbc&part=dl-10804572

Attach the log for me when it finishes.
[ milanbrainbug @ 05.12.2009. 12:40 ] @
I have MBAM, I've scanned several times, but okay, let me try again
[ milanbrainbug @ 05.12.2009. 12:52 ] @
Malwarebytes' Anti-Malware 1.41
Database version: 2775
Windows 5.1.2600 Service Pack 3

12/5/2009 1:51:47 PM
mbam-log-2009-12-05 (13-51-47).txt

Scan type: Quick Scan
Objects scanned: 94347
Time elapsed: 10 minute(s), 16 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
[ kristi1 @ 05.12.2009. 12:54 ] @
Try it this way, the malware has blocked regedit on you

Start \ Run \ cmd \ paste this

reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 0 /f

Enter.

After this, try to run ComboFix.
[ kristi1 @ 05.12.2009. 13:06 ] @
Ugh, brother, there's no help here, I just had a closer look: you have Sality, CF can't do anything here.
You can try with this live CD http://www.freedrweb.com/livecd/?lng=en
Or with the CureIt version from Safe Mode http://www.freedrweb.com/cureit/

But there is a possibility, depending on how damaged the system is, that after cleaning and disinfection you won't be able to boot the system. Now decide for yourself. The best option is to format C:, and on no account open D: or any other partition. Install the motherboard drivers from the disc, download some AV, say Avast, it removes this file infector, and run a scan of the complete hard disk with it before the system comes up. That is my recommendation.
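A way to pull the same indicators out of the DDS log above mechanically, as an added example that is not part of this thread or of DDS itself: it flags the lockout policies (DisableTaskMgr, DisableRegistryTools), drivers whose image file is missing or sits in a Temp directory, the SfcDisable setting and dangling "No File" registrations, and it builds the `reg add ... /d 0 /f` commands for the policy lines. The hive mapping of the u/m/d prefixes (HKCU, HKLM, HKU\.DEFAULT) and the extra DisableCMD entry are my assumptions; the sample log lines are constructed from the log posted above. It surfaces symptoms for a human to look at; it does not identify Sality or any other family.

```python
"""Heuristic triage of a DDS log (added example, not part of DDS or the thread).

Parses the "Pseudo HJT Report" policy lines and the "SERVICES / DRIVERS" lines,
flags the items a first look at the log above would stop on, and emits the
registry commands that undo the lockout policies.
"""
import re

# Constructed sample lines in the shape of the DDS output posted above.
SAMPLE_LOG = r"""
mWinlogon: SfcDisable=-99 (0xffffff9d)
TB: {ECDEE021-0D17-467F-A1FF-C7A115230949} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mPolicies-system: EnableLUA = 0 (0x0)
dPolicies-system: DisableTaskMgr = 1 (0x1)
dPolicies-system: DisableRegistryTools = 1 (0x1)
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [2009-12-2 110992]
R3 aic32p;aic32p;\??\c:\windows\system32\drivers\uolnnn.sys --> c:\windows\system32\drivers\uolnnn.sys [?]
S3 GarenaPEngine;GarenaPEngine;\??\c:\docume~1\milan\locals~1\temp\hzz3e7.tmp --> c:\docume~1\milan\locals~1\temp\HZZ3E7.tmp [?]
S3 MTK;Media Technology Kernel Driver;c:\windows\system32\drivers\MTK.SYS [2009-6-6 15670]
"""

POLICY_RE = re.compile(r"^([umd])Policies-(\w+):\s*(\w+)\s*=\s*(-?\d+)")
# state  name ; description ; image path [date size]  or  [?] when the file is missing
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.*?)\s+(\[[^\]]*\])$")
NO_FILE_RE = re.compile(r"^(TB|BHO|SEH|SSODL):.*-\s*No File$")

# Policies that lock the user out of cleanup tools. The first two appear in the
# log above; DisableCMD is the same family (assumption: worth watching as well).
LOCKOUT_POLICIES = {"DisableTaskMgr", "DisableRegistryTools", "DisableCMD"}

# Assumption about the DDS prefix convention: u = current user, m = machine,
# d = default user hive.
HIVES = {"u": r"HKCU", "m": r"HKLM", "d": r"HKU\.DEFAULT"}


def parse_policy(line):
    """Return {hive, section, name, value} for a uPolicies/mPolicies/dPolicies line."""
    m = POLICY_RE.match(line)
    if not m:
        return None
    prefix, section, name, value = m.groups()
    return {"hive": HIVES[prefix], "section": section, "name": name, "value": int(value)}


def parse_service(line):
    """Return {state, name, image, missing} for an R*/S* service or driver line."""
    m = SERVICE_RE.match(line)
    if not m:
        return None
    state, name, _desc, image, tail = m.groups()
    # DDS renders a resolved image path as "\??\a --> b"; keep the resolved one.
    image = image.split("-->")[-1].strip()
    return {"state": state, "name": name.strip(), "image": image, "missing": tail == "[?]"}


def triage(log_text):
    """Return (severity, line, reason) tuples for lines worth a human look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        pol = parse_policy(line)
        if pol:
            if pol["name"] in LOCKOUT_POLICIES and pol["value"] == 1:
                findings.append(("high", line, f"{pol['name']} lockout in {pol['hive']}"))
            continue
        svc = parse_service(line)
        if svc:
            low = svc["image"].lower()
            if re.search(r"\\temp\\", low) or low.endswith(".tmp"):
                findings.append(("high", line, "driver/service image in a Temp directory"))
            elif svc["missing"]:
                findings.append(("medium", line, "image file not found at scan time"))
            continue
        if line.startswith("mWinlogon:") and "SfcDisable=-99" in line:
            findings.append(("medium", line,
                             "Windows File Protection disabled (often nLite, still removes a safeguard)"))
        elif NO_FILE_RE.match(line):
            findings.append(("low", line, "dangling registration, no file on disk"))
    return findings


def policy_reset_commands(log_text):
    """Build the reg.exe commands that clear every lockout policy found in the log."""
    cmds = []
    for raw in log_text.splitlines():
        pol = parse_policy(raw.strip())
        if pol and pol["name"] in LOCKOUT_POLICIES and pol["value"] == 1:
            key = rf"{pol['hive']}\Software\Microsoft\Windows\CurrentVersion\Policies\{pol['section'].capitalize()}"
            cmds.append(f'reg add "{key}" /v {pol["name"]} /t REG_DWORD /d 0 /f')
    return cmds


if __name__ == "__main__":
    for severity, line, reason in triage(SAMPLE_LOG):
        print(f"[{severity:6}] {reason}\n         {line}")
    print("\nCommands to unlock the tools:")
    for cmd in policy_reset_commands(SAMPLE_LOG):
        print("  " + cmd)
```

Run it against a real DDS.txt by reading the file into `triage()` instead of `SAMPLE_LOG`; the "medium" and "low" findings are normal on many machines (nLite sets SfcDisable, uninstalled toolbars leave "No File" entries), so read them as pointers, not verdicts.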
[ milanbrainbug @ 05.12.2009. 13:32 ] @
What do you mean, don't open D:? When I wipe the system and then bring it back up? It won't let me go to the links you gave me :) I'll try with Hiren's Boot CD, and if it does something, fine, and if not, a wipe is inevitable. It's a pain to wipe the system when I know how much stuff I have on it :S Thanks for your time ;)
[ kristi1 @ 05.12.2009. 13:54 ] @
Your entire computer is infected, all partitions; if after wiping the system you open any partition before scanning it with the AV, you've wasted your effort. There is already a thread about this file infector, we've discussed it, I can't be bothered to look for the link.
Now look, the scan can take several hours, and there is a high probability that after cleaning you won't be able to start Windows (if system files are infected), so it's not worth it; I'm telling you the best and safest option is the one I suggested.
[ Aleksandar Maletic @ 05.12.2009. 15:30 ] @
People on the forum moan and complain so much about Sality and Virut, and I kicked it out with Eset Smart Security 4 like an ordinary little worm... :))) After that I scanned with Malwarebytes and with two rescue CDs (Avira and DrWeb) and nothing, a totally clean system... :)))

off-topic removed

[This message was edited by Dashkes on 05.12.2009. at 16:58 GMT+1]
[ Machiavelli... @ 05.12.2009. 19:51 ] @
"Guys, here is another task for you... until now I haven't been in a situation where I had to ask for help, I've only been collecting the good advice... At a friend's I noticed that when the system boots, after Windows loads, a blue screen just flashes and the computer restarts... Safe mode is impossible to use..."

First, it doesn't necessarily mean it's any virus or trojan. In that situation I would first suspect the memory, the power supply or the hard disk, and only then viruses. It's possible that some virus has messed up a system file, but why is a reinstall a problem, you don't lose any data! Just get to safe mode and then scan.

Do you get any diagnostic "beep", and how many? Check the manufacturer's manual, it may tell you a lot.
[ stonex @ 06.12.2009. 00:04 ] @
It's bad sectors on the hard disk, what viruses.
[ Aleksandar Maletic @ 06.12.2009. 11:28 ] @
Guys, explain this a bit... check the hard disk, etc., but how do I get to safe mode in a situation like this? It's none of that, neither the memory nor the voltage, it's my friend's hard disk, I took it to my place and it's the same... and I cleaned it with the rescue CD and it's the same, I removed 4 trojans with DrWeb...
[ Aleksandar Maletic @ 06.12.2009. 11:32 ] @
It's not hard for me, I can change Windows in 30 min, i.e. a Repair... but again, if something can be done this way, why complicate things for no reason...

[This message was edited by Goran Mijailovic on 06.12.2009. at 12:54 GMT+1]
[ Aleksandar Maletic @ 06.12.2009. 11:40 ] @
Whoaaaa, it doesn't even respond to the Windows CD!!! It loads the boot and when I want to format C:/ it refuses... this is the first time this has happened to me... The hard disk is a Western Digital 250 GB, bought three months ago...
[ stonex @ 06.12.2009. 16:43 ] @
I told you: hard disk, bad sectors.
[ Machiavelli... @ 08.12.2009. 19:55 ] @
How did you take it to your place and it's the same? Am I to understand that you took his hard disk, connected it as master in your computer and expected to achieve something?!?!?!

If you can already carry that disk around, bring it home, connect it as a secondary IDE, SCSI or whatever it is, and just scan it for viruses and bad sectors, and that's it. You'll see whether the disk is the problem at all.

The blue screen and restart that are your symptoms are mostly not of software origin. I told you, I suspect hardware. But first do what I already told you and we'll see. Which tool to use, no idea, google a bit, download some good disk scanning tool from a torrent, let it finish properly, read the report, and that's it.