[ satrospenzi @ 06.08.2011. 23:19 ] @
Hello everyone,

Operating system: Windows XP Professional

It all started with downloading games over uTorrent. I noticed the first sign of trouble when I tried to install Windows Live Messenger: when I started the installer it was aborted with the message "not a valid Win32 application". The computer itself was behaving oddly; I could tell it wasn't running the way it usually does. Then one problem followed another. I couldn't open regedit from Run, and I couldn't open drives C: and D:, where the same thing happened as with Windows Live Messenger: whenever I tried to open either of those two drives it said "not a valid Win32 application". On top of that, when I right-clicked one of the drives, some of the items/actions weren't written normally; instead I had, for example, "AuToplaY" or "exPloRe".

I decided to format the disk, but it seems to me the problem is still there: the antivirus no longer finds any viruses, but AVG PC TuneUp finds a million errors in the registry and in system files, and I still feel the computer isn't running the way it should. I also still can't start the Windows Live Messenger installer; it says the same "not a valid Win32 application". I can open the drives now, and those abnormal "AuToplaY" or "exPloRe" entries are gone.
[ satrospenzi @ 06.08.2011. 23:20 ] @
I forgot to write that before formatting, when I ran a scan, the antivirus found many files infected with the Sality virus.
[ Goran Mijailovic @ 07.08.2011. 00:27 ] @
Here you have everything you need

http://support.kaspersky.com/faq/?qid=208279889

First download http://support.kaspersky.com/downloads/utils/salitykiller.zip
and then http://support.kaspersky.com/downloads/utils/sality_regkeys.zip

First unpack and run salitykiller.exe as administrator, then unpack sality_regkeys.zip and run Disable_autorun.reg and SafeBootWinXP.reg
Restart and run salitykiller.exe as administrator once more
[ valjan @ 07.08.2011. 00:29 ] @
Sality will infect literally every exe file you run while the computer is infected, so if you kept even one of them when formatting, there is a high probability that you're infected again. Also, some Sality variants can settle in the disk's MBR, which isn't changed by formatting, so you may still be infected from that side too. The proper procedure would be to save everything that matters to you, but forget about exe files; download all the installers again once you've finished cleaning, format the disk, boot the Recovery Console from the Win XP installation CD and run FIXMBR, then install everything again. If you need more detailed instructions, just say so.

Preporučujem ti da sad odradiš skeniranje specijalizovanim alatom poput DrWeb CureIt! ili Vipre Rescue, koji su pravljeni za skeniranje teško zaraženih sistema i imaju dobru samozaštitu, tako da bi trebali dovoljno dugo da prežive pored Salityja i daju ti upotrebljiv izveštaj.
[ Aleksandar Maletic @ 07.08.2011. 00:29 ] @
The cleaning procedure in your case wouldn't be successful, so we'll start with a more effective method. Format the hard disk; if you have several partitions, after installing Windows do not, under any circumstances, enter any partition other than the system one. As soon as the system boots, install an antivirus (in this case I recommend Kaspersky), update it and scan the other partitions without entering them. Once you've cleaned those partitions, scan the entire hard disk again just in case, to be safe. If you use USB sticks, do not plug them in during the procedure. We'll deal with those later. Do what's listed first, then report what happens afterwards. Regards.
[ satrospenzi @ 07.08.2011. 08:29 ] @
OK, first of all, thanks everyone for the suggestions. I tried and did everything: the Kaspersky Sality Killer (which found nothing on the computer), then I formatted the disk, ran the Recovery Console and did FIXMBR; I also installed an antivirus right after booting the system and scanned everything, but it found nothing. However, I still can't start the Windows Live Messenger installer, and considering the computer is literally empty, since there's nothing on either C: or D:, it still seems somehow "sluggish" to me.
[ kristi1 @ 07.08.2011. 08:41 ] @
http://explore.live.com/windows-live-family-safety-xp

Download it from here, choose your language.

Did you format both partitions or not? Which AV did you use for the scan and how, from the running Windows or from Safe Mode?
Drivers, did you install them, and where did you download them from?

[This message was edited by kristi1 on 07.08.2011 at 09:52 GMT+1]
[ satrospenzi @ 07.08.2011. 08:50 ] @
This one I can download, thank you.

I'd like to check the state of the system somehow, and the hard disks for instance. I'm a layman, not skilled in these things, and I'm wondering whether a virus can damage the HD, and whether there's any way to check and repair it?
[ kristi1 @ 07.08.2011. 08:55 ] @
A virus can't damage the HDD. You can check the HDD with the following tool.

Download MHDD http://files.hddguru.com/index...ip&directory=Software&

Unpack it and burn it as an ISO
Insert the disc and boot from it
When the files have loaded, choose option 1
When the menu appears, select the disk you are going to scan
Type scan and press Enter
In the next menu press F4
The scan will start
If more than 3 entries appear in the X UNC section, your disk is damaged
[ Aleksandar Maletic @ 07.08.2011. 10:00 ] @
valjan, Goran and I were writing our messages at the same time. It came out as if we were arguing over who gets to go first. While you're doing what @kristi1 suggested, in the meantime start downloading the Dr.Web Live CD; when you've downloaded it, burn it to a CD (it's actually an .iso file). Put it in the drive, restart Windows and run a scan. Clean the entire hard disk, don't improvise. Report what you did.

Dr.Web Live CD: www.freedrweb.com/livecd/
[ Goran Mijailovic @ 07.08.2011. 15:08 ] @
If you suspect you have a virus, then you probably do :D It's quite possible that it's in Windows itself, or in the drivers, the antivirus, i.e. in anything that isn't on optical media. So anything that is on the hard disk or on a flash drive could have been, and probably was, infected by the virus. Also, if you didn't wipe the D partition there's a chance something survived. The full solution is installing Windows from a safe disc and then downloading an AV from the internet, from the vendor's site. Deleting all partitions and a full format goes without saying; I'd also play around a little and let some Linux create the partitions on that computer and only then bring back the NTFS file system, but don't listen to me on that one ;0)

[This message was edited by Goran Mijailovic on 07.08.2011 at 18:03 GMT+1]
[ radulence84 @ 07.08.2011. 18:21 ] @
My question isn't about the topic itself, but it's very closely related to it, so I'd rather not open a new one.
Two weeks ago NOD32, and later Avast, reported a virus in my MBR.
I didn't run FIXMBR from the installation CD.
I used Hiren's Boot CD and, with Partition Magic, deleted the partitions, formatted the drive and created new partitions.
Before the format I used the MBRWork program from that disc, reset the MBR to "zero" and installed the "standard" MBR code.
Did I achieve the same effect as FIXMBR, since it hasn't reported the virus since?
cheers
[ Aleksandar Maletic @ 07.08.2011. 18:50 ] @
Yes, the effect is the same.
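
A way to check for yourself what the first sector of the disk now holds, rather than inferring it from the antivirus going quiet, which is what valjan's FIXMBR advice and radulence84's MBRWork question both come down to. This is an added example, not code from the thread or from any of the tools named in it. The sectors it checks are constructed inline; the known-good bootstrap hash is an assumption that in practice you would take from a machine straight after FIXMBR, and reading \\.\PhysicalDrive0 needs an administrator shell.

```python
import hashlib
import struct

SECTOR = 512
BOOTSTRAP_LEN = 446        # x86 boot code occupies bytes 0..445
PT_OFFSET = 446            # four 16-byte partition entries follow it
SIGNATURE = b"\x55\xAA"    # bytes 510..511 of every valid MBR
# Error strings carried by the stock Microsoft MBR code; their absence is only a weak hint,
# since a bootkit can keep them while replacing the code around them.
STOCK_STRINGS = (b"Invalid partition table",
                 b"Error loading operating system",
                 b"Missing operating system")


def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte sector into bootstrap hash, used partition entries and signature check."""
    if len(sector) != SECTOR:
        raise ValueError("an MBR is exactly 512 bytes")
    partitions = []
    for slot in range(4):
        entry = sector[PT_OFFSET + 16 * slot: PT_OFFSET + 16 * (slot + 1)]
        # layout: status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sector count(4)
        status, ptype, lba_start, count = struct.unpack("<B3xB3xII", entry)
        if ptype != 0:                       # type 0x00 marks an unused slot
            partitions.append({"slot": slot, "active": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": count})
    return {"bootstrap_sha256": hashlib.sha256(sector[:BOOTSTRAP_LEN]).hexdigest(),
            "partitions": partitions,
            "signature_ok": sector[510:512] == SIGNATURE}


def check_mbr(sector: bytes, known_good_sha256: str = None) -> list:
    """Return findings as strings; an empty list means the sector looks like a plain, standard MBR."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    active = [p for p in info["partitions"] if p["active"]]
    if len(active) != 1:
        findings.append(f"{len(active)} partitions flagged active, expected exactly 1")
    spans = sorted((p["lba_start"], p["lba_start"] + p["sectors"]) for p in info["partitions"])
    if any(nxt[0] < cur[1] for cur, nxt in zip(spans, spans[1:])):
        findings.append("partition entries overlap")
    if known_good_sha256 and info["bootstrap_sha256"] != known_good_sha256:
        findings.append("bootstrap code differs from the known-good copy")
    if not any(s in sector[:BOOTSTRAP_LEN] for s in STOCK_STRINGS):
        findings.append("none of the stock MBR error strings present in the boot code")
    return findings


def read_mbr(device: str = r"\\.\PhysicalDrive0") -> bytes:
    """Read the first sector of a raw disk (administrator shell on Windows; on Linux use e.g. /dev/sda)."""
    with open(device, "rb") as disk:
        return disk.read(SECTOR)


def build_sample_mbr(bootstrap: bytes, entries: list) -> bytes:
    """Assemble a constructed test sector from boot code and (status, type, lba_start, sectors) tuples."""
    code = bootstrap.ljust(BOOTSTRAP_LEN, b"\x00")[:BOOTSTRAP_LEN]
    table = b"".join(struct.pack("<B3xB3xII", *e) for e in entries).ljust(64, b"\x00")
    return code + table + SIGNATURE


# Constructed samples. The "clean" boot code is only a stand-in for the 446 bytes FIXMBR writes:
# it opens like the stock code (xor ax,ax / mov ss,ax / mov sp,7C00h) and carries its strings.
CLEAN_MBR = build_sample_mbr(
    b"\x33\xC0\x8E\xD0\xBC\x00\x7C" + b"".join(s + b"\x00" for s in STOCK_STRINGS),
    [(0x80, 0x07, 63, 40_000_000), (0x00, 0x07, 40_000_063, 40_000_000)])
# Assumption: in real use this hash comes from a machine right after FIXMBR, not from the sample.
KNOWN_GOOD = parse_mbr(CLEAN_MBR)["bootstrap_sha256"]
# Constructed: boot code replaced by a spin loop, strings gone, both partitions marked active.
TAMPERED_MBR = build_sample_mbr(b"\xEB\xFE" * 100,
                                [(0x80, 0x07, 63, 40_000_000), (0x80, 0x07, 40_000_063, 40_000_000)])

if __name__ == "__main__":
    for name, sector in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        print(name, check_mbr(sector, KNOWN_GOOD) or "no findings")
```

The hash comparison is the check that matters; the stock-string test is deliberately weak, and the partition table checks only catch the crude tampering (two active entries, overlapping ranges) that breaks booting rather than hides. Whether you ran FIXMBR or MBRWork, a sector that passes against a hash taken from a known-clean XP install is the same outcome either way.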
[ satrospenzi @ 09.08.2011. 03:31 ] @
I don't know what to do anymore; I mean, I did everything suggested here, formatted again, but now even stranger things are happening. I'm attaching a picture where you can see, to say the least, strange behaviour from some processes. For example, Firefox is at about 70,000 K right when I start it, while now, after 2 minutes of use, it has reached 120,000 K, and CPU usage varies between 8 and 16%. I don't know what's going on, help me guys :)
[ satrospenzi @ 09.08.2011. 03:36 ] @
Yes, I forgot to write: after a certain time the computer simply freezes, I can't open Task Manager at all, and I have to restart it manually.
[ satrospenzi @ 09.08.2011. 03:39 ] @
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 4:38:02, on 9.8.2011
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2012\avp.exe
C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\Process Lasso\processlasso.exe
C:\Program Files\Process Lasso\processgovernor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2012\klwtblfs.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2012\avp.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\WINDOWS\system32\msiexec.exe
C:\32788R22FWJFW\cmd.cfxxe
C:\32788R22FWJFW\CSCRIPT.cfxxe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
c:\program files\logitech\logitech webcam software\lu\lulnchr.exe
C:\32788R22FWJFW\PEV.exe
c:\program files\logitech\logitech webcam software\lu\LogitechUpdate.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bigseekpro.com/burn...4-BE0E-45C8-A163-889E1A7D9C61}
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bigseekpro.com/burn...4-BE0E-45C8-A163-889E1A7D9C61}
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://dts.search-results.com/...stemid=421&q={searchTerms}
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2012\ievkbd.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Searchqu Toolbar - {99079a25-328f-4bd4-be04-00955acaa0a7} - C:\PROGRA~1\WI9130~1\Datamngr\ToolBar\searchqudtx.dll (file missing)
O2 - BHO: link filter bho - {E33CF602-D945-461A-83F0-819F76A199F8} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2012\klwtbbho.dll
O3 - Toolbar: Searchqu Toolbar - {99079a25-328f-4bd4-be04-00955acaa0a7} - C:\PROGRA~1\WI9130~1\Datamngr\ToolBar\searchqudtx.dll (file missing)
O4 - HKLM\..\Run: [HDAudDeck] C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe 1
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2012\avp.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe" /hide
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit -login
O4 - HKLM\..\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nView\nwiz.exe /installquiet
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [ProcessLassoManagementConsole] "C:\Program Files\Process Lasso\processlasso.exe"
O4 - HKLM\..\Run: [ProcessGovernor] "C:\Program Files\Process Lasso\processgovernor.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-583907252-343818398-839522115-1004\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'UpdatusUser')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2012\ie_banner_deny.htm
O9 - Extra button: &Virtual Keyboard - {4248FE82-7FCB-46AC-B270-339F08212110} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2012\ievkbd.dll
O9 - Extra button: URLs c&heck - {CCF151D8-D089-449F-A5A4-D9909053F20F} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2012\klwtbbho.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Kaspersky Anti-Virus Service (AVP) - Kaspersky Lab ZAO - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2012\avp.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: NMSAccess - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: NVIDIA Update Service Daemon (nvUpdatusService) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe
O23 - Service: Performance Logs and Alerts (SysmonLog) - Unknown owner - C:\WINDOWS\system32\smlogsvc.exe (file missing)

--
End of file - 6246 bytes
[ satrospenzi @ 09.08.2011. 04:27 ] @
CPU usage jumps abnormally, from around 10% it goes to 60, 70, and then when it reaches the maximum the computer bugs out and freezes, and I have to restart it manually.
[ Goran Mijailovic @ 09.08.2011. 05:55 ] @
Quote:
C:\32788R22FWJFW\PEV.exe

Did you install ComboFix?

Quote:
C:\Program Files\Process Lasso\processlasso.exe

And this one fiddles with the processor too:
Quote:
System Tray access to the Management Console (GUI) for Process Lasso from Bitsum Technologies - "a unique new technology that will improve your PC's responsiveness and stability during periods of high CPU load" which "intelligently adjusts the priorities of running programs so that badly behaved processes won't negatively impact the responsiveness of your PC"

All sorts of exotic stuff on your freshly installed computer, like this one for example:
O2 - BHO: Searchqu Toolbar - {99079a25-328f-4bd4-be04-00955acaa0a7} - C:\PROGRA~1\WI9130~1\Datamngr\ToolBar\searchqudtx.dll
Here's what MS Answers says about that Searchqu Toolbar you have installed: http://answers.microsoft.com/e...d5-b745-4c8f-878a-f936ad49e87b

[This message was edited by Goran Mijailovic on 09.08.2011 at 07:10 GMT+1]
[ kristi1 @ 09.08.2011. 08:44 ] @
Bandoo; with that s**t he installed Searchqu.

Give me that CF log so I can have a look; it's in the root of C:\ as ComboFix.txt
[ satrospenzi @ 09.08.2011. 11:30 ] @
ComboFix 11-08-08.03 - Neko 09.08.2011 4:42:25.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1250.387.1033.18.2047.1443 [GMT 2:00]
Running from: C:\Documents and Settings\Neko\Desktop\ComboFix.exe
AV: Kaspersky Internet Security *Enabled/Updated* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kaspersky Internet Security *Enabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll


((((((((((((((((((((((((( Files Created from 2011-07-09 to 2011-08-09 )))))))))))))))))))))))))))))))


2011-08-09 04:13:09 . 2011-08-09 04:18:36 16607084544 ----a-w- C:\bst35.tmp
2011-08-08 01:21:11 . 2011-08-08 01:21:11 -------- d-----w- C:\NVIDIA
2011-08-07 07:03:44 . 2011-08-09 02:37:11 -------- d-----r- C:\Program Files
2011-08-07 07:00:03 . 2011-08-08 00:02:36 -------- d-----w- C:\Documents and Settings
.


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2011-05-25 06:09:21 . 2011-05-21 04:01:00 61440 ----a-w- C:\WINDOWS\system32\OpenCL.dll
2011-05-25 06:09:21 . 2011-05-21 04:01:00 2808936 ----a-w- C:\WINDOWS\system32\nvcuvid.dll
2011-05-25 06:09:21 . 2011-05-21 04:01:00 2082408 ----a-w- C:\WINDOWS\system32\nvcuvenc.dll
2011-05-25 06:09:21 . 2011-05-21 04:01:00 16068608 ----a-w- C:\WINDOWS\system32\nvoglnt.dll
2011-05-25 06:09:20 . 2011-05-21 04:01:00 5332992 ----a-w- C:\WINDOWS\system32\nvcuda.dll
2011-05-25 06:09:20 . 2011-05-21 04:01:00 13004800 ----a-w- C:\WINDOWS\system32\nvcompiler.dll
2011-05-21 04:01:00 . 2011-05-21 04:01:00 899688 ----a-w- C:\WINDOWS\system32\nvdispco3220150.dll
2011-05-21 04:01:00 . 2011-05-21 04:01:00 865896 ----a-w- C:\WINDOWS\system32\nvgenco322090.dll
2011-05-21 04:01:00 . 2011-05-21 04:01:00 2328576 ----a-w- C:\WINDOWS\system32\nvapi.dll
2011-07-08 07:42:06 . 2011-08-08 23:02:02 142296 ----a-w- C:\Program Files\mozilla firefox\components\browsercomps.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" [2010-04-16 20:12:38 3872080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HDAudDeck"="C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe" [2008-05-14 11:16:28 29831168]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2012\avp.exe" [2011-04-24 21:15:02 202296]
"LogitechQuickCamRibbon"="C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe" [2009-10-14 11:36:56 2793304]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2011-05-25 06:09:22 13895272]
"NvMediaCenter"="NvMCTray.dll" [2011-05-25 06:09:23 111208]
"nwiz"="C:\Program Files\NVIDIA Corporation\nView\nwiz.exe" [2011-05-04 22:02:42 1632360]
"ProcessLassoManagementConsole"="C:\Program Files\Process Lasso\processlasso.exe" [2011-08-03 05:00:26 604176]
"ProcessGovernor"="C:\Program Files\Process Lasso\processgovernor.exe" [2011-08-03 05:00:26 329232]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 14:00:00 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\NVIDIA Corporation\\NVIDIA Updatus\\daemonu.exe"=

R1 kl2;kl2;C:\WINDOWS\system32\drivers\kl2.sys [4.3.2011 13:23:20 11352]
R2 nvUpdatusService;NVIDIA Update Service Daemon;C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [8.8.2011 2:02:34 2214504]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\drivers\klim5.sys [10.3.2011 18:34:46 34608]
R3 klmouflt;Kaspersky Lab KLMOUFLT;C:\WINDOWS\system32\drivers\klmouflt.sys [2.11.2009 20:27:24 19472]
R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;C:\WINDOWS\system32\drivers\viahduaa.sys [7.8.2011 7:24:49 238080]


------- Supplementary Scan -------

uStart Page = hxxp://www.bigseekpro.com/burn4free/{3D079E04-BE0E-45C8-A163-889E1A7D9C61}
mStart Page = hxxp://www.bigseekpro.com/burn4free/{3D079E04-BE0E-45C8-A163-889E1A7D9C61}
uSearchAssistant = hxxp://dts.search-results.com/sr?src=ieb&appid=0&systemid=421&q={searchTerms}
TCP: DhcpNameServer = 77.77.192.10 77.78.192.10 94.140.66.194
FF - ProfilePath - C:\Documents and Settings\Neko\Application Data\Mozilla\Firefox\Profiles\nbjngv6s.default\
FF - prefs.js: browser.search.selectedEngine - Search Results
FF - prefs.js: browser.startup.homepage - about:home
FF - prefs.js: keyword.URL - hxxp://dts.search-results.com/sr?src=ffb&appid=0&systemid=421&q=
FF - user.js: network.http.max-connections-per-server - 6
FF - user.js: network.http.max-persistent-connections-per-server - 3

- - - - ORPHANS REMOVED - - - -

Toolbar-10 - (no file)


[ kristi1 @ 09.08.2011. 11:48 ] @
Delete the ComboFix icon, download the new version, restart, then run one more scan and copy the log.


http://download.bleepingcomputer.com/sUBs/ComboFix.exe
[ Vodomar @ 09.08.2011. 11:54 ] @
http://deletemalware.blogspot....-searchqu-uninstall-guide.html

Completely disable KIS and repeat the ComboFix scan
[ satrospenzi @ 09.08.2011. 12:08 ] @
ComboFix 11-08-08.03 - Neko 09.08.2011 13:01:28.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1250.387.1033.18.2047.1532 [GMT 2:00]
Running from: C:\Documents and Settings\Neko\Desktop\ComboFix.exe
AV: Kaspersky Internet Security *Disabled/Updated* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kaspersky Internet Security *Disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll

---- Previous Run -------

C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll


((((((((((((((((((((((((( Files Created from 2011-07-09 to 2011-08-09 )))))))))))))))))))))))))))))))


2011-08-09 04:13:09 . 2011-08-09 04:18:36 16607084544 ----a-w- C:\bst35.tmp
2011-08-08 01:21:11 . 2011-08-08 01:21:11 -------- d-----w- C:\NVIDIA
2011-08-07 07:03:44 . 2011-08-09 10:39:36 -------- d-----r- C:\Program Files
2011-08-07 07:00:03 . 2011-08-08 00:02:36 -------- d-----w- C:\Documents and Settings
.


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2011-05-25 06:09:21 . 2011-05-21 04:01:00 61440 ----a-w- C:\WINDOWS\system32\OpenCL.dll
2011-05-25 06:09:21 . 2011-05-21 04:01:00 2808936 ----a-w- C:\WINDOWS\system32\nvcuvid.dll
2011-05-25 06:09:21 . 2011-05-21 04:01:00 2082408 ----a-w- C:\WINDOWS\system32\nvcuvenc.dll
2011-05-25 06:09:21 . 2011-05-21 04:01:00 16068608 ----a-w- C:\WINDOWS\system32\nvoglnt.dll
2011-05-25 06:09:20 . 2011-05-21 04:01:00 5332992 ----a-w- C:\WINDOWS\system32\nvcuda.dll
2011-05-25 06:09:20 . 2011-05-21 04:01:00 13004800 ----a-w- C:\WINDOWS\system32\nvcompiler.dll
2011-05-21 04:01:00 . 2011-05-21 04:01:00 899688 ----a-w- C:\WINDOWS\system32\nvdispco3220150.dll
2011-05-21 04:01:00 . 2011-05-21 04:01:00 865896 ----a-w- C:\WINDOWS\system32\nvgenco322090.dll
2011-05-21 04:01:00 . 2011-05-21 04:01:00 2328576 ----a-w- C:\WINDOWS\system32\nvapi.dll
2011-07-08 07:42:06 . 2011-08-08 23:02:02 142296 ----a-w- C:\Program Files\mozilla firefox\components\browsercomps.dll


((((((((((((((((((((((((((((( SnapShot@2011-08-09_02.45.27 )))))))))))))))))))))))))))))))))))))))))

+ 2011-08-09 10:39:39 . 2011-07-06 17:52:42 41272 C:\WINDOWS\system32\drivers\mbamswissarmy.sys
+ 2011-08-09 10:39:36 . 2011-07-06 17:52:42 22712 C:\WINDOWS\system32\drivers\mbam.sys
+ 2011-08-09 10:23:56 . 2011-08-09 10:23:56 81920 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Fra#\3cd9646ed330cc4fbd64d00c61c6a62e\Microsoft.Build.Framework.ni.dll
+ 2011-08-09 10:23:54 . 2011-08-09 10:23:54 15360 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\dfsvc\9f2287b949ba5849bfbcab13a206a104\dfsvc.ni.exe
+ 2011-08-09 10:23:47 . 2011-08-09 10:23:47 26624 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Accessibility\01dcd7520dd2b14dae19a884eb531ef6\Accessibility.ni.dll
+ 2011-08-09 10:24:17 . 2011-08-09 10:24:17 237568 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Web.RegularE#\0ceef84329c61945b841f4b18e526ed0\System.Web.RegularExpressions.ni.dll
+ 2011-08-09 10:24:06 . 2011-08-09 10:24:06 684032 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Transactions\e073bd404183b74eb7a3e7c75e2bb155\System.Transactions.ni.dll
+ 2011-08-09 10:24:05 . 2011-08-09 10:24:05 729088 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Security\131abcc1b7ef054ba4900954c99351fa\System.Security.ni.dll
+ 2011-08-09 10:24:04 . 2011-08-09 10:24:04 294912 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.EnterpriseSe#\67299ff82a8c594eb7f7f4b49a24f9f6\System.EnterpriseServices.Wrapper.dll
+ 2011-08-09 10:24:04 . 2011-08-09 10:24:04 659456 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.EnterpriseSe#\67299ff82a8c594eb7f7f4b49a24f9f6\System.EnterpriseServices.ni.dll
+ 2011-08-09 10:24:03 . 2011-08-09 10:24:03 512000 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.DirectorySer#\1cef3403b2c306429e2ede5d89f5c751\System.DirectoryServices.Protocols.ni.dll
+ 2011-08-09 10:24:01 . 2011-08-09 10:24:01 962560 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Configuration\2d1716ce324e654f845b87019511d23d\System.Configuration.ni.dll
+ 2011-08-09 10:23:58 . 2011-08-09 10:23:58 163840 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Uti#\6a3a0fa314d3cb4fbb12b65e47a30b6a\Microsoft.Build.Utilities.ni.dll
+ 2011-08-09 10:23:55 . 2011-08-09 10:23:55 880640 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Eng#\4342b35c9082454c82deb6cafa8cc0cf\Microsoft.Build.Engine.ni.dll
+ 2011-08-09 10:23:54 . 2011-08-09 10:23:54 237568 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\CustomMarshalers\2223d72fc83d574d81fea35f889e6c73\CustomMarshalers.ni.dll
+ 2011-08-09 10:23:54 . 2011-08-09 10:23:54 860160 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\AspNetMMCExt\01f346446ebfaa44adf4e69c3bc779bd\AspNetMMCExt.ni.dll
+ 2011-08-09 10:23:52 . 2011-08-09 10:23:52 8093696 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System\0a34f3e8a117b4468631280ff816cec0\System.ni.dll
+ 2011-08-09 10:24:18 . 2011-08-09 10:24:18 1945600 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Web.Services\dc40b2fd974c3a49acb8e7a290fa9b7c\System.Web.Services.ni.dll
+ 2011-08-09 10:24:16 . 2011-08-09 10:24:16 2310144 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Web.Mobile\383575a6979c924c95622f503c9beb52\System.Web.Mobile.ni.dll
+ 2011-08-09 10:24:20 . 2011-08-09 10:24:20 1626112 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Drawing\258bc5bc6094464c86d2af3a3c7a6c8d\System.Drawing.ni.dll
+ 2011-08-09 10:24:03 . 2011-08-09 10:24:03 1220608 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.DirectorySer#\da5660486615bc4d87dd62f4ad5aeb88\System.DirectoryServices.ni.dll
+ 2011-08-09 10:24:02 . 2011-08-09 10:24:02 1712128 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Deployment\32912d4fb8057a4b9b435d47c888ba64\System.Deployment.ni.dll
+ 2011-08-09 10:24:00 . 2011-08-09 10:24:00 1724416 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\e9070e68480ef940b97ff2e2eb319340\Microsoft.VisualBasic.ni.dll
+ 2011-08-09 10:23:57 . 2011-08-09 10:23:57 1691648 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Tas#\44caefde55b7dd4588c4170d584bda27\Microsoft.Build.Tasks.ni.dll
+ 2011-08-09 10:24:14 . 2011-08-09 10:24:14 11808768 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Web\420864627c189242b8be400d4ee76de2\System.Web.ni.dll

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" [2010-04-16 20:12:38 3872080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HDAudDeck"="C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe" [2008-05-14 11:16:28 29831168]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2012\avp.exe" [2011-04-24 21:15:02 202296]
"LogitechQuickCamRibbon"="C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe" [2009-10-14 11:36:56 2793304]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2011-05-25 06:09:22 13895272]
"NvMediaCenter"="NvMCTray.dll" [2011-05-25 06:09:23 111208]
"nwiz"="C:\Program Files\NVIDIA Corporation\nView\nwiz.exe" [2011-05-04 22:02:42 1632360]
"ProcessLassoManagementConsole"="C:\Program Files\Process Lasso\processlasso.exe" [2011-08-03 05:00:26 604176]
"ProcessGovernor"="C:\Program Files\Process Lasso\processgovernor.exe" [2011-08-03 05:00:26 329232]
"Malwarebytes' Anti-Malware"="C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-07-06 17:52:38 449584]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 14:00:00 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\NVIDIA Corporation\\NVIDIA Updatus\\daemonu.exe"=

R1 kl2;kl2;C:\WINDOWS\system32\drivers\kl2.sys [4.3.2011 13:23:20 11352]
R2 MBAMService;MBAMService;C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe [9.8.2011 12:39:39 366640]
R2 nvUpdatusService;NVIDIA Update Service Daemon;C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [8.8.2011 2:02:34 2214504]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\drivers\klim5.sys [10.3.2011 18:34:46 34608]
R3 klmouflt;Kaspersky Lab KLMOUFLT;C:\WINDOWS\system32\drivers\klmouflt.sys [2.11.2009 20:27:24 19472]
R3 MBAMProtector;MBAMProtector;C:\WINDOWS\system32\drivers\mbam.sys [9.8.2011 12:39:36 22712]
R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;C:\WINDOWS\system32\drivers\viahduaa.sys [7.8.2011 7:24:49 238080]


------- Supplementary Scan -------

uStart Page = hxxp://www.bigseekpro.com/burn4free/{3D079E04-BE0E-45C8-A163-889E1A7D9C61}
mStart Page = hxxp://www.bigseekpro.com/burn4free/{3D079E04-BE0E-45C8-A163-889E1A7D9C61}
TCP: DhcpNameServer = 77.77.192.10 77.78.192.10 94.140.66.194
FF - ProfilePath - C:\Documents and Settings\Neko\Application Data\Mozilla\Firefox\Profiles\nbjngv6s.default\
FF - prefs.js: browser.search.selectedEngine - Search Results
FF - prefs.js: browser.startup.homepage - about:home
FF - prefs.js: keyword.URL - hxxp://dts.search-results.com/sr?src=ffb&appid=0&systemid=421&q=
FF - user.js: network.http.max-connections-per-server - 6
FF - user.js: network.http.max-persistent-connections-per-server - 3

- - - - ORPHANS REMOVED - - - -

Toolbar-10 - (no file)
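
The two ComboFix logs above and the HijackThis log before them contain the hooks the other posters pointed at: the bigseekpro/search-results start page and search provider, the orphaned Searchqu BHO and toolbar, the Windows Firewall policy switched off, and a process running from a random-looking folder in the root of C:. What follows is an added triage script, not from the thread nor from HijackThis or ComboFix, that applies those checks to log lines. The sample lines are copied from the logs above; the allowlisted homepage hosts are an assumption to tune per environment.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Assumption: hosts this machine's browser start page / search provider may legitimately point to.
ALLOWED_HOSTS = {"www.msn.com", "www.google.com", "go.microsoft.com"}
# Top-level folders where a running executable is unremarkable on XP.
EXPECTED_ROOT_DIRS = {"windows", "program files", "documents and settings"}

URL_SETTING = re.compile(
    r"(Start Page|SearchAssistant|keyword\.URL|browser\.startup\.homepage)\s*[=-]\s*(?P<url>\S+)")


def _host(url: str) -> str:
    """Host part of a URL, accepting the hxxp:// defanging ComboFix uses."""
    return urlparse(url.replace("hxxp", "http", 1)).netloc.lower()


def triage_line(line: str):
    """Return (severity, rule, line) when a log line deserves attention, else None."""
    line = line.strip()
    if not line:
        return None
    # 1. IE start page / search assistant / Firefox keyword.URL pointing somewhere unexpected
    m = URL_SETTING.search(line)
    if m:
        host = _host(m.group("url"))
        return ("high", "browser-hijack", line) if host and host not in ALLOWED_HOSTS else None
    # 2. BHO / toolbar registrations whose DLL is gone: leftovers of a half-removed toolbar
    if line.startswith(("O2 -", "O3 -")) and "(file missing)" in line:
        return ("medium", "orphaned-browser-extension", line)
    # 3. Windows Firewall switched off in the standard profile policy
    if re.match(r'^"EnableFirewall"\s*=\s*0\b', line):
        return ("high", "firewall-disabled", line)
    # 4. Security Center told not to monitor the AV. AV suites set this themselves, so it is a lead only.
    if re.match(r'^"DisableMonitoring"\s*=\s*dword:0*1$', line):
        return ("low", "security-center-monitoring-off", line)
    # 5. A running executable sitting directly under an unusual top-level folder
    parts = line.split("\\")
    if len(parts) == 3 and re.fullmatch(r"[A-Za-z]:", parts[0]) \
            and parts[1].lower() not in EXPECTED_ROOT_DIRS:
        return ("medium", "exe-in-odd-root-dir", line)
    return None


def triage(log_text: str) -> list:
    """Run every line of a pasted log through triage_line and keep the hits."""
    return [f for f in map(triage_line, log_text.splitlines()) if f]


def summarise(findings: list) -> dict:
    """Count findings per severity so a long log can be read at a glance."""
    return dict(Counter(sev for sev, _, _ in findings))


# Constructed sample: lines copied from the HijackThis and ComboFix logs above, plus clean ones.
SAMPLE_LOG = r"""
C:\WINDOWS\system32\svchost.exe
C:\32788R22FWJFW\PEV.exe
uStart Page = hxxp://www.bigseekpro.com/burn4free/{3D079E04-BE0E-45C8-A163-889E1A7D9C61}
uSearchAssistant = hxxp://dts.search-results.com/sr?src=ieb&appid=0&systemid=421&q={searchTerms}
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Searchqu Toolbar - {99079a25-328f-4bd4-be04-00955acaa0a7} - C:\PROGRA~1\WI9130~1\Datamngr\ToolBar\searchqudtx.dll (file missing)
O3 - Toolbar: Searchqu Toolbar - {99079a25-328f-4bd4-be04-00955acaa0a7} - C:\PROGRA~1\WI9130~1\Datamngr\ToolBar\searchqudtx.dll (file missing)
"EnableFirewall"= 0 (0x0)
"DisableMonitoring"=dword:00000001
FF - prefs.js: keyword.URL - hxxp://dts.search-results.com/sr?src=ffb&appid=0&systemid=421&q=
FF - prefs.js: browser.startup.homepage - about:home
"""

if __name__ == "__main__":
    for severity, rule, text in triage(SAMPLE_LOG):
        print(f"[{severity:6}] {rule:32} {text}")
```

The random-folder rule flags C:\32788R22FWJFW\PEV.exe, which Goran identified as ComboFix's own working directory, and the DisableMonitoring rule fires on a key that AV suites commonly set themselves; both are leads for a human to confirm, which is why the script attaches a severity to each finding instead of returning a verdict.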


[ kristi1 @ 09.08.2011. 12:31 ] @
Open Notepad and copy the text below:

Code:

Snapshot::

DDS::
uStart Page = hxxp://www.bigseekpro.com/burn4free/{3D079E04-BE0E-45C8-A163-889E1A7D9C61}
mStart Page = hxxp://www.bigseekpro.com/burn4free/{3D079E04-BE0E-45C8-A163-889E1A7D9C61}

FileLook::
C:\bst35.tmp

Click File\Save As and save the text as CFScript on the desktop

Follow the instructions from the picture and drag CFScript.txt onto the ComboFix.exe icon
That will start ComboFix
When it finishes, a log will appear (C:\ComboFix.txt)
Post the ComboFix log for review.
[ satrospenzi @ 09.08.2011. 12:40 ] @
Now I only had ComboFix running and CPU usage went up to 90%. I don't get what it is, but the System Idle Process CPU is around 95.

ComboFix 11-08-08.03 - Neko 09.08.2011 13:34:35.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1250.387.1033.18.2047.1469 [GMT 2:00]
Running from: C:\Documents and Settings\Neko\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Neko\Desktop\CFScript.txt


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


---- Previous Run -------

C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll


((((((((((((((((((((((((( Files Created from 2011-07-09 to 2011-08-09 )))))))))))))))))))))))))))))))


2011-08-09 04:13:09 . 2011-08-09 04:18:36 16607084544 ----a-w- C:\bst35.tmp
2011-08-08 01:21:11 . 2011-08-08 01:21:11 -------- d-----w- C:\NVIDIA
2011-08-07 07:03:44 . 2011-08-09 11:10:38 -------- d-----r- C:\Program Files
2011-08-07 07:00:03 . 2011-08-08 00:02:36 -------- d-----w- C:\Documents and Settings
.


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2011-05-25 06:09:21 . 2011-05-21 04:01:00 61440 ----a-w- C:\WINDOWS\system32\OpenCL.dll
2011-05-25 06:09:21 . 2011-05-21 04:01:00 2808936 ----a-w- C:\WINDOWS\system32\nvcuvid.dll
2011-05-25 06:09:21 . 2011-05-21 04:01:00 2082408 ----a-w- C:\WINDOWS\system32\nvcuvenc.dll
2011-05-25 06:09:21 . 2011-05-21 04:01:00 16068608 ----a-w- C:\WINDOWS\system32\nvoglnt.dll
2011-05-25 06:09:20 . 2011-05-21 04:01:00 5332992 ----a-w- C:\WINDOWS\system32\nvcuda.dll
2011-05-25 06:09:20 . 2011-05-21 04:01:00 13004800 ----a-w- C:\WINDOWS\system32\nvcompiler.dll
2011-05-21 04:01:00 . 2011-05-21 04:01:00 899688 ----a-w- C:\WINDOWS\system32\nvdispco3220150.dll
2011-05-21 04:01:00 . 2011-05-21 04:01:00 865896 ----a-w- C:\WINDOWS\system32\nvgenco322090.dll
2011-05-21 04:01:00 . 2011-05-21 04:01:00 2328576 ----a-w- C:\WINDOWS\system32\nvapi.dll
2011-07-08 07:42:06 . 2011-08-08 23:02:02 142296 ----a-w- C:\Program Files\mozilla firefox\components\browsercomps.dll


((((((((((((((((((((((((((((( SnapShot@2011-08-09_02.45.27 )))))))))))))))))))))))))))))))))))))))))

+ 2011-08-09 11:09:53 . 2011-03-11 10:43:54 29763 C:\WINDOWS\LastGood\system32\DRIVERS\klopp.dat
+ 2011-08-09 11:09:55 . 2009-11-02 18:27:24 19472 C:\WINDOWS\LastGood\system32\DRIVERS\klmouflt.sys
+ 2011-08-09 11:09:56 . 2011-03-10 16:34:46 34608 C:\WINDOWS\LastGood\system32\DRIVERS\klim5.sys
+ 2011-08-09 11:09:54 . 2011-03-04 11:23:20 11352 C:\WINDOWS\LastGood\system32\DRIVERS\kl2.sys
+ 2011-08-09 10:23:56 . 2011-08-09 10:23:56 81920 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Fra#\3cd9646ed330cc4fbd64d00c61c6a62e\Microsoft.Build.Framework.ni.dll
+ 2011-08-09 10:23:54 . 2011-08-09 10:23:54 15360 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\dfsvc\9f2287b949ba5849bfbcab13a206a104\dfsvc.ni.exe
+ 2011-08-09 10:23:47 . 2011-08-09 10:23:47 26624 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Accessibility\01dcd7520dd2b14dae19a884eb531ef6\Accessibility.ni.dll
+ 2011-08-09 11:09:55 . 2011-08-07 06:17:47 565552 C:\WINDOWS\LastGood\system32\DRIVERS\klif.sys
+ 2011-08-09 11:09:53 . 2011-03-04 11:23:14 133208 C:\WINDOWS\LastGood\system32\DRIVERS\kl1.sys
+ 2011-08-09 10:24:17 . 2011-08-09 10:24:17 237568 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Web.RegularE#\0ceef84329c61945b841f4b18e526ed0\System.Web.RegularExpressions.ni.dll
+ 2011-08-09 10:24:06 . 2011-08-09 10:24:06 684032 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Transactions\e073bd404183b74eb7a3e7c75e2bb155\System.Transactions.ni.dll
+ 2011-08-09 10:24:05 . 2011-08-09 10:24:05 729088 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Security\131abcc1b7ef054ba4900954c99351fa\System.Security.ni.dll
+ 2011-08-09 10:24:04 . 2011-08-09 10:24:04 294912 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.EnterpriseSe#\67299ff82a8c594eb7f7f4b49a24f9f6\System.EnterpriseServices.Wrapper.dll
+ 2011-08-09 10:24:04 . 2011-08-09 10:24:04 659456 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.EnterpriseSe#\67299ff82a8c594eb7f7f4b49a24f9f6\System.EnterpriseServices.ni.dll
+ 2011-08-09 10:24:03 . 2011-08-09 10:24:03 512000 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.DirectorySer#\1cef3403b2c306429e2ede5d89f5c751\System.DirectoryServices.Protocols.ni.dll
+ 2011-08-09 10:24:01 . 2011-08-09 10:24:01 962560 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Configuration\2d1716ce324e654f845b87019511d23d\System.Configuration.ni.dll
+ 2011-08-09 10:23:58 . 2011-08-09 10:23:58 163840 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Uti#\6a3a0fa314d3cb4fbb12b65e47a30b6a\Microsoft.Build.Utilities.ni.dll
+ 2011-08-09 10:23:55 . 2011-08-09 10:23:55 880640 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Eng#\4342b35c9082454c82deb6cafa8cc0cf\Microsoft.Build.Engine.ni.dll
+ 2011-08-09 10:23:54 . 2011-08-09 10:23:54 237568 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\CustomMarshalers\2223d72fc83d574d81fea35f889e6c73\CustomMarshalers.ni.dll
+ 2011-08-09 10:23:54 . 2011-08-09 10:23:54 860160 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\AspNetMMCExt\01f346446ebfaa44adf4e69c3bc779bd\AspNetMMCExt.ni.dll
+ 2011-08-09 10:23:52 . 2011-08-09 10:23:52 8093696 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System\0a34f3e8a117b4468631280ff816cec0\System.ni.dll
+ 2011-08-09 10:24:18 . 2011-08-09 10:24:18 1945600 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Web.Services\dc40b2fd974c3a49acb8e7a290fa9b7c\System.Web.Services.ni.dll
+ 2011-08-09 10:24:16 . 2011-08-09 10:24:16 2310144 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Web.Mobile\383575a6979c924c95622f503c9beb52\System.Web.Mobile.ni.dll
+ 2011-08-09 10:24:20 . 2011-08-09 10:24:20 1626112 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Drawing\258bc5bc6094464c86d2af3a3c7a6c8d\System.Drawing.ni.dll
+ 2011-08-09 10:24:03 . 2011-08-09 10:24:03 1220608 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.DirectorySer#\da5660486615bc4d87dd62f4ad5aeb88\System.DirectoryServices.ni.dll
+ 2011-08-09 10:24:02 . 2011-08-09 10:24:02 1712128 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Deployment\32912d4fb8057a4b9b435d47c888ba64\System.Deployment.ni.dll
+ 2011-08-09 10:24:00 . 2011-08-09 10:24:00 1724416 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\e9070e68480ef940b97ff2e2eb319340\Microsoft.VisualBasic.ni.dll
+ 2011-08-09 10:23:57 . 2011-08-09 10:23:57 1691648 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Tas#\44caefde55b7dd4588c4170d584bda27\Microsoft.Build.Tasks.ni.dll
+ 2011-08-09 10:24:14 . 2011-08-09 10:24:14 11808768 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Web\420864627c189242b8be400d4ee76de2\System.Web.ni.dll

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" [2010-04-16 20:12:38 3872080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HDAudDeck"="C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe" [2008-05-14 11:16:28 29831168]
"LogitechQuickCamRibbon"="C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe" [2009-10-14 11:36:56 2793304]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2011-05-25 06:09:22 13895272]
"NvMediaCenter"="NvMCTray.dll" [2011-05-25 06:09:23 111208]
"nwiz"="C:\Program Files\NVIDIA Corporation\nView\nwiz.exe" [2011-05-04 22:02:42 1632360]
"ProcessLassoManagementConsole"="C:\Program Files\Process Lasso\processlasso.exe" [2011-08-03 05:00:26 604176]
"ProcessGovernor"="C:\Program Files\Process Lasso\processgovernor.exe" [2011-08-03 05:00:26 329232]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 14:00:00 15360]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\NVIDIA Corporation\\NVIDIA Updatus\\daemonu.exe"=

R2 nvUpdatusService;NVIDIA Update Service Daemon;C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [8.8.2011 2:02:34 2214504]
R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;C:\WINDOWS\system32\drivers\viahduaa.sys [7.8.2011 7:24:49 238080]
R4 kl2;kl2;C:\WINDOWS\system32\DRIVERS\kl2.sys --> C:\WINDOWS\system32\DRIVERS\kl2.sys [?]
R4 klmouflt;Kaspersky Lab KLMOUFLT;C:\WINDOWS\system32\DRIVERS\klmouflt.sys --> C:\WINDOWS\system32\DRIVERS\klmouflt.sys [?]
R4 MBAMProtector;MBAMProtector;\??\C:\WINDOWS\system32\drivers\mbam.sys --> C:\WINDOWS\system32\drivers\mbam.sys [?]


------- Supplementary Scan -------

TCP: DhcpNameServer = 77.77.192.10 77.78.192.10 94.140.66.194
FF - ProfilePath - C:\Documents and Settings\Neko\Application Data\Mozilla\Firefox\Profiles\nbjngv6s.default\
FF - prefs.js: browser.search.selectedEngine - Search Results
FF - prefs.js: browser.startup.homepage - about:home
FF - prefs.js: keyword.URL - hxxp://dts.search-results.com/sr?src=ffb&appid=0&systemid=421&q=
FF - user.js: network.http.max-connections-per-server - 6
FF - user.js: network.http.max-persistent-connections-per-server - 3

- - - - ORPHANS REMOVED - - - -

Toolbar-10 - (no file)
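An added example, written for this page and not code from any poster or from the ComboFix tool itself: a small Python triage of the autostart-related lines of a ComboFix log like the one above. It parses the Run-key entries, the R/S service lines, the start-page lines and the orphan list, and flags the patterns worth a second look: a bare file name with no directory (resolved through the Windows search order), a binary under Temp or a user profile, a service whose file ComboFix could not find (the "[?]" marker, which is what the leftover Kaspersky driver entries above show), a changed browser start page and orphaned entries. The sample input is built from lines in the log above plus one constructed "Updater" line that is not from the poster's machine, added only to show what a real hit looks like; the WRITABLE_HINTS list and the two severity levels are this example's own choices.

```python
import re
from dataclasses import dataclass

# Constructed sample: an excerpt modelled on the ComboFix output posted above.
# The "Updater" line is invented for this example; it is NOT from the poster's log.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" [2010-04-16 20:12:38 3872080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2011-05-25 06:09:22 13895272]
"NvMediaCenter"="NvMCTray.dll" [2011-05-25 06:09:23 111208]
"Updater"="C:\Documents and Settings\Neko\Local Settings\Temp\svch0st.exe" [2011-08-09 04:13:09 61440]

R2 nvUpdatusService;NVIDIA Update Service Daemon;C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [8.8.2011 2:02:34 2214504]
R4 kl2;kl2;C:\WINDOWS\system32\DRIVERS\kl2.sys --> C:\WINDOWS\system32\DRIVERS\kl2.sys [?]

uStart Page = hxxp://www.bigseekpro.com/burn4free/{3D079E04-BE0E-45C8-A163-889E1A7D9C61}
mStart Page = hxxp://www.bigseekpro.com/burn4free/{3D079E04-BE0E-45C8-A163-889E1A7D9C61}

Toolbar-10 - (no file)
"""


@dataclass
class Finding:
    kind: str    # run | service | startpage | orphan
    name: str
    level: str   # "suspicious" (act on it) or "verify" (look, then decide)
    detail: str


RUN_ENTRY_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)"(?:\s+\[(?P<meta>[^\]]*)\])?$')
SERVICE_RE = re.compile(
    r'^(?P<state>[RS]\d)\s+(?P<svc>[^;]+);(?P<display>[^;]*);'
    r'(?P<path>.+?)(?:\s+-->\s+(?P<resolved>.+?))?\s+\[(?P<meta>[^\]]*)\]$')
STARTPAGE_RE = re.compile(r'^(?P<scope>[um])Start Page = (?P<url>\S+)$')
ORPHAN_RE = re.compile(r'^(?P<name>\S.*?) - \(no file\)$')
HOST_RE = re.compile(r'^hxxps?://(?P<host>[^/]+)', re.IGNORECASE)  # ComboFix writes http as hxxp

# Locations a legitimate autostart binary should not live in (lower-case substrings).
# This list is the example's own heuristic, not something ComboFix defines.
WRITABLE_HINTS = ('\\temp\\', '\\local settings\\', '\\application data\\', '\\recycler\\')


def _path_findings(kind, name, path):
    low = path.lower()
    if '\\' not in path:
        # Bare file name: Windows resolves it through the search order, so a copy
        # dropped earlier in that order would be loaded instead of the real one.
        yield Finding(kind, name, 'verify',
                      'unqualified path %r, confirm it is the copy in system32' % path)
    elif any(h in low for h in WRITABLE_HINTS):
        yield Finding(kind, name, 'suspicious', 'runs from a user-writable location: ' + path)
    elif re.match(r'^[a-z]:\\[^\\]+$', low):
        yield Finding(kind, name, 'suspicious', 'runs from a drive root: ' + path)


def triage(log_text):
    """Return Findings for the autostart-related lines of a ComboFix log."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = RUN_ENTRY_RE.match(line)
        if m:
            findings.extend(_path_findings('run', m['name'], m['path']))
            continue
        m = SERVICE_RE.match(line)
        if m:
            if m['meta'].strip() == '?':
                # ComboFix prints [?] when it cannot stat the binary: a stale
                # registration (as with leftover AV drivers) or a hidden file.
                findings.append(Finding('service', m['svc'], 'verify',
                                        'registered as %s but file not found: %s'
                                        % (m['state'], m['path'])))
            else:
                findings.extend(_path_findings('service', m['svc'], m['path']))
            continue
        m = STARTPAGE_RE.match(line)
        if m:
            host = HOST_RE.match(m['url'])
            findings.append(Finding('startpage', m['scope'] + 'Start Page', 'verify',
                                    'start page set to ' + (host['host'] if host else m['url'])))
            continue
        m = ORPHAN_RE.match(line)
        if m:
            findings.append(Finding('orphan', m['name'], 'verify',
                                    'registry entry whose file is gone (half-removed toolbar/BHO)'))
    return findings


def report(log_text):
    """Findings as printable lines, 'suspicious' ones first."""
    order = {'suspicious': 0, 'verify': 1}
    rows = sorted(triage(log_text), key=lambda f: order[f.level])
    return ['[%s] %s %s: %s' % (f.level, f.kind, f.name, f.detail) for f in rows]


if __name__ == '__main__':
    for row in report(SAMPLE_LOG):
        print(row)
```

Run against the real log the only "suspicious" line never fires; what comes out is the "verify" list (the NvMCTray.dll entry, the stale kl2/klmouflt/mbam registrations, the bigseekpro start page and the Toolbar-10 orphan), which matches the thread's conclusion that the machine is clean but carries leftovers from the earlier fiddling.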


[ Vodomar @ 09.08.2011. 13:23 ] @
This looks clean to me. System Idle at 95 is OK. That .tmp file on the C partition is suspicious, but that doesn't necessarily mean an infected process created it. It's not clear to me how you picked up this toolbar if it was a clean install? Tell us everything you did once the new system came up.
[ satrospenzi @ 09.08.2011. 13:28 ] @
I picked up the toolbar later, along with the installation of some CD burning program, but I removed it just as quickly. The problem existed long before that toolbar and I don't think the problem is in it :) When I set up the system I installed Kaspersky Antivirus, scanned, and nothing was found, all clean. But before formatting I didn't have this business with processes and the computer lagging, and now I do. Everything seems clean, and by everything I've done it is, but it looks like there's a problem, and not a small one, given how strangely the computer behaves. Now, figuring out that problem is beyond me; I simply don't know what to do.
[ Vodomar @ 09.08.2011. 13:35 ] @
Try this, although I too have the impression this is more about the installation than about malware. Turn off KIS before the scan.

http://www.eset.com/us/online-scanner
[ satrospenzi @ 09.08.2011. 13:37 ] @
DrWeb, AVG, Avast, AVG PC Tune up, CCleaner, Spy&Destroy I think?...
[ satrospenzi @ 09.08.2011. 13:39 ] @
I don't know, maybe this XP isn't any good either...
[ Vodomar @ 09.08.2011. 13:43 ] @
Well, I make a habit of scanning the installation CD with 2-3 antiviruses before installing the system, even when it comes from Digital River :D
[ satrospenzi @ 09.08.2011. 14:06 ] @
Eset didn't find anything either.

A tragicomedy...
[ Vodomar @ 09.08.2011. 14:26 ] @
Then I think we should go with a corrupted installation.
Where did you download the driver from?

I would repeat ccleaner, sfc /scannow,
go into safe mode, check the disks for errors and then defragment, then see whether you still have problems.
For any more detailed analysis you'd have to call someone to look at it.
I would also uninstall all programs and download them exclusively from the official site. xpburner doesn't come with that toolbar.
cnet, softpedia, filehippo are safe places to download from,
and of course drivers must be downloaded only from the manufacturer's site; in the case of an integrated graphics card, go to the motherboard manufacturer's site and get the drivers from there.
A good tutorial for drivers: http://software.benchmark.rs/h...ja_drajvera_za_grafichke_karte

[This message was edited by Vodomar on 09.08.2011. at 15:43 GMT+1]

[This message was edited by Vodomar on 09.08.2011. at 15:50 GMT+1]
[ valjan @ 09.08.2011. 14:28 ] @
Quote:
satrospenzi: I don't know, maybe this XP isn't any good either...


When I started working at my previous company, my predecessor gave me an XP installation CD and said it was a copy of the Volume Licensing installation he had used on almost all the computers in the company. After I had installed a dozen or so systems from that CD, I decided to slipstream SP3 to shorten the total installation time, copied everything from the CD to my hard drive, and there it was, a trojan (the moment I started copying the files, the AV popped up with a warning). The installation was from who knows where, he had inherited it from his predecessor, and he didn't understand it too well because he was a programmer, not an admin; if I hadn't accidentally run into the trojan I would probably have installed it on another ten systems. Since then I check everything I install, even if it has all the official holograms on it... BTW, do you download a fresh copy of Kaspersky every time after formatting the drive? Maybe it is the carrier, if you always use the same one...
[ Aleksandar Maletic @ 09.08.2011. 14:53 ] @
@satrospenzi,
Insert the Windows XP installation disc and scan it with a previously updated Kaspersky Antivirus. Report whether there were any detections.
[ Vodomar @ 09.08.2011. 15:04 ] @
Yes, you can never be too careful.

There's a chance you have a rootkit, but someone really deep into that subject would have to help you there, or you do a scan and send it to the author for analysis.
I would do a scan with gmer and with mbr.exe (on the same page). DON'T DELETE ANYTHING!!!
But again, I suspect the installation more.


Try this too, and again don't delete anything:
http://www.sophos.com

[This message was edited by Vodomar on 09.08.2011. at 16:27 GMT+1]

[This message was edited by Vodomar on 09.08.2011. at 20:41 GMT+1]
[ kristi1 @ 09.08.2011. 17:27 ] @
@satrospenzi

You didn't copy the script correctly, though it doesn't matter that much, because your computer is clean; there isn't an M of malware on it.
You probably copied "Code" as well, whatever, something you didn't do properly.

Type Combofix /Uninstall in Run and confirm the uninstallation of Combofix.

Why the computer behaves strangely I don't know, but I do know it isn't malware.

16607084544 ----a-w- C:\bst35.tmp

This can't be malicious, it's a huge file; what it comes from I don't know.


I would suggest you set up the system again, install only the drivers and a few basic programs, and watch the situation.

If it lags, test the components one by one.
[ satrospenzi @ 09.08.2011. 18:36 ] @
gmer found some hidden processes, but I can't delete them directly in it. What's strange to me is that it's explorer.exe.

Library C:\Program (*** hidden *** ) @ C:\WINDOWS\Explorer.EXE [336] 0x6C330000
Library C:\Program (*** hidden *** ) @ C:\Program Files\Mozilla Firefox\firefox.exe [3736] 0x02A00000
Library C:\Program (*** hidden *** ) @ C:\Program Files\Mozilla Firefox\firefox.exe [3736] 0x6BC50000
Library C:\Program (*** hidden *** ) @ C:\Program Files\Mozilla Firefox\firefox.exe [3736] 0x6DB90000
Library C:\Program (*** hidden *** ) @ C:\Program Files\Mozilla Firefox\firefox.exe [3736] 0x6A920000
Library C:\Program (*** hidden *** ) @ C:\Program Files\Mozilla Firefox\firefox.exe [3736] 0x6BBD0000
Library C:\Program (*** hidden *** ) @ C:\Program Files\Mozilla Firefox\firefox.exe [3736] 0x09500000
[ kristi1 @ 09.08.2011. 18:43 ] @
I saw that you had been fiddling between HJT and Combofix, that you had been deleting things, that you uninstalled that toolbar, so I said run CF once more to see the "official" state, and I wrote you that it's clean.

Leave Gmer alone and don't fiddle. The same goes for Combofix: don't run it again on your own, because it's not a program for the general public, it's not something to mess around with.
[ satrospenzi @ 09.08.2011. 18:47 ] @
OK. I formatted once more; now I have literally nothing on the computer except the basic drivers and the antivirus. It hasn't lagged yet, but I'm curious how high CPU usage normally goes; mine seems to go up to around 50% now.
[ Vodomar @ 09.08.2011. 18:59 ] @
I didn't say to delete anything with gmer! The only thing you can do is send your findings to the author for analysis! His mail is on the site. Just that. Otherwise you can freely say goodbye to XP, because working with a rootkit requires specialists, and I somewhat doubt you can find them here. And deleting on your own is simply stupid.
[ Aleksandar Maletic @ 09.08.2011. 19:48 ] @
Download and install System Explorer.
Check which process is using the most resources. Right-click it, then File Check. Choose one of the two popular links (Virustotal, Jotti) and send it for scanning.
Also, in the middle you have the System Explorer Security Check option; click it and wait for the program to assess whether any process is risky or not.
[ Aleksandar Maletic @ 09.08.2011. 19:57 ] @
Also, for the future, as a preventive measure.

1.) Use verified operating systems and antiviruses (either free or licensed, never cracked!)

2.) You need to disable automatic playback of devices, that is, turn off AutoPlay.
Click Start, then Run.
Enter the following text in the field: gpedit.msc
Confirm with Enter.
Follow this path:
Computer Configuration>Administrative Templates>Windows Components>AutoPlay Policies>Turn off AutoPlay
Choose "Turn off AutoPlay on All drives".
Tick Enabled and confirm with Ok.
Exit the Local Group Policy Editor.

3.) To protect USB memory devices, use MCShield.
It doesn't conflict with the antivirus; it's a very light and useful program.
Download MCShield and install it.
Every time a USB memory device is inserted, the program will briefly scan it.
After the scan finishes, a notice "Disk appears clean" will appear, or a log with information if malware is present.

4.) Keep as few programs on the computer as possible, and avoid toolbars.

5.) Shorten the list of programs that start with the system (the Startup list) as much as possible.
Click Start, then Run.
Enter the following text in the field: msconfig
Choose the Startup tab and untick the unneeded applications.
Leave items such as the antivirus, firewall and drivers ticked, and disable the rest.
Confirm the changes with Ok.
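An added example, not from the thread, showing what step 2 actually changes under the hood. Enabling "Turn off AutoPlay" for all drives writes the NoDriveTypeAutoRun value (0xFF) under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer. The script below builds and decodes that bitmask, so you can see which drive types a given value still leaves open (the XP default 0x91 still honours autorun.inf on removable, fixed and CD-ROM drives, which is exactly the USB vector worms like Sality use), produces the equivalent .reg file for machines where gpedit is unavailable, and reads the value back out of a regedit export so the setting can be verified afterwards. Two caveats worth knowing: on Windows XP the policy lives under Administrative Templates > System > Turn off Autoplay (the Windows Components > AutoPlay Policies folder named above is where Vista and later put it), and XP builds without the update described in Microsoft KB967715 do not honour this value for USB devices, so install that update before relying on the policy. The bit table follows the documented meaning of the value; the function names and the constants' names are this example's own.

```python
import re

# NoDriveTypeAutoRun: bit n disables AutoRun for drives whose GetDriveType()
# returns n (DRIVE_UNKNOWN=0 ... DRIVE_RAMDISK=6); 0x80 covers drives whose
# type cannot be determined. Names below are this example's own labels.
DRIVE_BITS = {
    'unknown': 0x01,
    'no_root_dir': 0x02,
    'removable': 0x04,   # USB sticks: the autorun.inf vector
    'fixed': 0x08,
    'remote': 0x10,
    'cdrom': 0x20,
    'ramdisk': 0x40,
    'undetermined': 0x80,
}
XP_DEFAULT = 0x91    # value a fresh XP install uses when no policy is set
DISABLE_ALL = 0xFF   # what "Turn off AutoPlay on All drives" writes
POLICY_KEY = r'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'


def mask_for(*drive_types):
    """Mask that disables AutoRun on exactly the named drive types."""
    mask = 0
    for t in drive_types:
        mask |= DRIVE_BITS[t]
    return mask


def still_allowed(mask):
    """Drive types on which autorun.inf is still honoured under this mask."""
    return [name for name, bit in DRIVE_BITS.items() if not mask & bit]


def reg_file(mask=DISABLE_ALL):
    """Text of a .reg file (importable with regedit) that sets the machine-wide policy."""
    return ('Windows Registry Editor Version 5.00\r\n\r\n'
            '[%s]\r\n"NoDriveTypeAutoRun"=dword:%08x\r\n' % (POLICY_KEY, mask))


def parse_reg_value(reg_text):
    """Read NoDriveTypeAutoRun back out of .reg text, e.g. a regedit export of the
    live policy key taken after the gpedit step, to confirm the setting took."""
    m = re.search(r'"NoDriveTypeAutoRun"=dword:([0-9a-fA-F]{1,8})', reg_text)
    return int(m.group(1), 16) if m else None


if __name__ == '__main__':
    print('XP default 0x%02x still allows autorun on: %s'
          % (XP_DEFAULT, ', '.join(still_allowed(XP_DEFAULT))))
    print(reg_file())
```

To verify on the machine, export the Policies\Explorer key with regedit (File > Export), feed the file to parse_reg_value, and check that still_allowed() of the result is empty; a value of 0x91 or None means the policy was never applied.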



[ Goran Mijailovic @ 10.08.2011. 23:34 ] @
I've been meaning to ask for a while: was the Kaspersky that was on the system cracked?!
[ valjan @ 11.08.2011. 00:03 ] @
Quote:
Goran Mijailovic: I've been meaning to ask for a while: was the Kaspersky that was on the system cracked?!


I already asked, but in a roundabout way, so he most likely didn't understand me... It was one of the first things installed, and it somehow stuck out to me that that could be the cause...
[ satrospenzi @ 11.08.2011. 12:36 ] @
Valjan, I forgot to answer you, and now Goran too: anyway, I didn't crack Kaspersky, I downloaded that trial version, 30 days...