Virus blocks internet


[ Views: 14861 | Replies: 49 ]


kristi1 (member no. 151211, posts: 2012)
Re: Virus blocks internet, 02.01.2009 at 16:26
Open Notepad and copy the text below into it:
Click File\Save as and save the text as CFScript on the desktop.

Code:

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e86b5a62-4be3-11dc-9914-0018f3ea3f39}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{059d64d4-d379-11dd-803b-0018f3ea3f39}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{08a941f0-6634-11dd-bf14-0018f3ea3f39}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3a9a04b8-4bea-11dc-9917-0018f3ea3f39}]

Follow the instructions in the picture and drag CFScript.txt onto the ComboFix.exe icon.
That will start ComboFix automatically; the system may restart (that is normal).
When it finishes, a log will appear (C:\ComboFix.txt).
Post the ComboFix log as well as a fresh HijackThis log.


[This message was edited by Goran Mijailovic on 03.01.2009 at 00:11 GMT+1]
 
Aleksandar Đokić (member no. 13478, posts: 4793)
Re: Virus blocks internet, 02.01.2009 at 16:45
Why bother when there are things like this: http://www.softpedia.com/get/Tweak/Network-Tweak/WinSockFix.shtml
 
kristi1 (member no. 151211, posts: 2012)
Re: Virus blocks internet, 02.01.2009 at 16:51
If you had read the whole thread you would have seen that we already did the reset with WinsockFix.
 
rime1 (member no. 206869, posts: 31)
Re: Virus blocks internet, 02.01.2009 at 16:54
It didn't want to delete them, so I had to do it manually.

"J" - 2009-01-02 17:38:38 Service Pack 3
ComboFix 07-05.27.BV - Running from: "C:\Documents and Settings\J\"
Command switches used :: ""C:\Documents and Settings\J\Desktop\CFScript.txt""


((((((((((((((((((((((((((((((( Files Created from 2008-12-02 to 2009-01-02 ))))))))))))))))))))))))))))))))))


2009-01-02 16:21 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Avg8
2009-01-02 12:33 <DIR> d-------- C:\Program Files\AVG
2009-01-02 11:32 268,648 --a------ C:\WINDOWS\system32\mucltui.dll
2009-01-01 21:25 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2009-01-01 13:57 <DIR> d-------- C:\DOCUME~1\J\APPLIC~1\Thinstall
2008-12-31 17:08 38,496 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-12-31 17:08 15,504 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-12-31 16:45 49,152 --a------ C:\WINDOWS\nircmd.exe
2008-12-31 12:44 208,744 --a------ C:\WINDOWS\system32\muweb.dll
2008-12-30 19:34 <DIR> d-------- C:\Program Files\ChromePortable
2008-12-30 18:51 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google Updater
2008-12-29 19:08 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Applications
2008-12-28 20:04 <DIR> d-------- C:\Program Files\Eidos Interactive
2008-12-25 18:11 <DIR> d-------- C:\Documents and Settings\J\Tracing
2008-12-25 18:11 <DIR> d-------- C:\DOCUME~1\J\Tracing
2008-12-25 17:56 <DIR> d-------- C:\Program Files\Microsoft Office Outlook Connector
2008-12-25 17:51 <DIR> d-------- C:\Program Files\Windows Live SkyDrive
2008-12-25 17:24 <DIR> d-------- C:\Program Files\Common Files\Windows Live
2008-12-24 19:02 <DIR> d-------- C:\Games
2008-12-18 13:13 <DIR> d-------- C:\WINDOWS\ie8updates
2008-12-16 17:36 <DIR> d-------- C:\Program Files\Voice Changer 4.0 Diamond
2008-12-14 14:34 1,700,352 --a------ C:\WINDOWS\system32\gdiplus.dll
2008-12-11 18:16 16,252,928 --a------ C:\Documents and Settings\J\ntuser.dat
2008-12-11 18:16 16,252,928 --a------ C:\DOCUME~1\J\ntuser.dat
2008-12-08 15:41 <DIR> d-------- C:\Program Files\Microsoft Games for Windows - LIVE
2008-12-08 15:04 <DIR> d-------- C:\Program Files\Rockstar Games
2008-12-07 21:34 <DIR> d-------- C:\Program Files\RapidCheck
2008-12-02 22:37 49,480 --a------ C:\WINDOWS\system32\sirenacm.dll
2008-12-02 20:15 <DIR> d-------- C:\Program Files\titca
2008-12-02 17:05 <DIR> d-------- C:\Program Files\Uniblue
2008-12-02 16:49 <DIR> d-------- C:\DOCUME~1\J\APPLIC~1\Uniblue


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2009-01-01 19:09:04 -------- d-----w C:\Program Files\wLite
2009-01-01 19:05:31 -------- d-----w C:\DOCUME~1\J\APPLIC~1\Google
2009-01-01 12:55:27 -------- d-----w C:\DOCUME~1\J\APPLIC~1\Spy Emergency
2008-12-31 15:33:05 -------- d-----w C:\Program Files\Skype
2008-12-30 17:51:51 -------- d-----w C:\Program Files\Google
2008-12-30 16:18:27 -------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-12-29 18:19:33 -------- d-----w C:\Program Files\Microsoft Games
2008-12-25 16:54:34 -------- d-----w C:\Program Files\Windows Live
2008-12-24 16:42:07 -------- d-----w C:\Program Files\Illusion
2008-12-24 16:38:36 -------- d-----w C:\Program Files\DNA
2008-12-20 16:29:39 -------- d-----w C:\Program Files\PuppetMaster
2008-12-11 13:39:27 -------- d-----w C:\Program Files\Latinski Recnik 1.1
2008-12-08 14:06:05 -------- d--h--w C:\Program Files\InstallShield Installation Information
2008-12-04 13:56:11 410,984 ----a-w C:\WINDOWS\system32\deploytk.dll
2008-12-01 14:26:37 -------- d-----w C:\Program Files\SystemRequirementsLab
2008-11-28 15:51:09 -------- d-----w C:\Program Files\Siber Systems
2008-11-24 15:22:37 10 ----a-w C:\WINDOWS\popcinfo.dat
2008-11-23 14:18:22 -------- d-----w C:\Program Files\Njegos »Gorski vijenac«
2008-11-22 20:30:24 -------- d-----w C:\Program Files\mIRC
2008-11-22 17:30:16 -------- d-----w C:\DOCUME~1\J\APPLIC~1\SystemRequirementsLab
2008-11-21 19:56:01 107,888 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2008-11-15 18:20:52 -------- d-----w C:\DOCUME~1\J\APPLIC~1\PC Suite
2008-11-14 13:03:46 -------- d-----w C:\DOCUME~1\J\APPLIC~1\Skype
2008-11-14 13:00:33 -------- d-----w C:\DOCUME~1\J\APPLIC~1\skypePM
2008-11-12 13:20:35 -------- d-----w C:\Program Files\Mafia-WinterEdition
2008-11-12 12:44:54 -------- d-----w C:\Program Files\MSXML 4.0
2008-11-08 14:11:21 -------- d-----w C:\Program Files\Common Files\Skype
2008-10-23 12:36:14 286,720 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-10-22 04:29:02 14,303,392 ----a-w C:\WINDOWS\system32\xlive.dll
2008-10-22 04:29:02 13,643,936 ----a-w C:\WINDOWS\system32\xlivefnt.dll
2008-10-16 13:13:40 202,776 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-10-16 13:13:40 1,809,944 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-10-16 13:12:22 323,608 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-10-16 13:12:20 561,688 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-10-16 13:09:44 92,696 ----a-w C:\WINDOWS\system32\cdm.dll
2008-10-16 13:09:44 51,224 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-10-16 13:09:44 43,544 ----a-w C:\WINDOWS\system32\wups2.dll
2008-10-16 13:08:58 34,328 ----a-w C:\WINDOWS\system32\wups.dll
2008-10-13 18:05:29 356,352 ----a-w C:\WINDOWS\eSellerateEngine.dll
2008-10-10 03:52:38 452,440 ----a-w C:\WINDOWS\system32\d3dx10_40.dll
2008-10-10 03:52:38 4,379,984 ----a-w C:\WINDOWS\system32\D3DX9_40.dll
2008-10-10 03:52:38 2,036,576 ----a-w C:\WINDOWS\system32\D3DCompiler_40.dll
2008-10-03 10:02:42 247,326 ----a-w C:\WINDOWS\system32\strmdll.dll
2008-08-02 23:14:27 5,852 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{3049C3E9-B461-4BC5-8870-4C09146192CA}=C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll [2008-08-18 13:30]
{72853161-30C5-4D22-B7F9-0BBC1D38A37E}=C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll [2007-08-24 07:01]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre6\bin\ssv.dll [2008-12-04 14:56]
{9030D464-4C02-4ABF-8ECC-5164760863C6}=C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2008-11-18 13:47]
{AA58ED58-01DD-4d91-8333-CF10577473F7}=C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll [2008-12-30 18:42]
{C84D72FE-E17D-4195-BB24-76C02E2E7C4E}=C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll [2008-12-30 18:42]
{DBC80044-A445-435b-BC74-9C25C1C588A9}=C:\Program Files\Java\jre6\bin\jp2ssv.dll [2008-12-04 14:56]
{E7E6F031-17CE-4C07-BC86-EABFE594F69C}=C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2008-12-04 14:56]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 01:12]
"msnmsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2008-12-02 22:41]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"LinkResolveIgnoreLinkInfo"=0 (0x0)
"NoResolveSearch"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoLowDiskSpaceChecks"=1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{B5A7F190-DDA6-4420-B3BA-52453494E6CD}"="C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll" [2007-08-24 07:01]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"="C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-26 21:19]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dimsntfy]
%SystemRoot%\System32\dimsntfy.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages msv1_0 C:\WINDOWS\system32\mlJDtrPg

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\aawservice]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Media Key.lnk]
backup=C:\WINDOWS\pss\Media Key.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
backup=C:\WINDOWS\pss\Windows Search.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\^.rnd]
path=\.rnd

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\^default.pls]
path=\default.pls

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\^ntuser.dat]
path=\ntuser.dat

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\^ntuser.dat.LOG]
path=\ntuser.dat.LOG

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\^ntuser.ini]
path=\ntuser.ini

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\90208]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\9c147f9a]
rundll32.exe "C:\WINDOWS\system32\rdftlkap.dll",b

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AntamediaBandwidth]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BigDogPath323Domino]
C:\WINDOWS\Domino.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BigDogPath323VMSnap]
C:\WINDOWS\VMSnap23.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent DNA]
"C:\Program Files\DNA\btdna.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Caffe-Server]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FreeCall]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
"C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
%systemroot%\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
"C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Nokia.PCSync]
"C:\Program Files\Nokia\Nokia PC Suite 7\PCSync2.exe" /NoDialog

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OrderReminder]
C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PC Suite Tray]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RamBooster]
C:\Program Files\RamBooster 2.0\Rambooster.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RapidCheck]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
"C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RGSC]
C:\Program Files\Rockstar Games\Rockstar Games Social Club\RGSCLauncher.exe /silent

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoftickPPP]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpyEmergency]
"C:\Program Files\NETGATE\Spy Emergency 2008\SpyEmergency.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ThePrivacyGuard]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue RegistryBooster 2]
C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMUAgent.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs BthServ
eapsvcs eaphost
dot3svc dot3svc

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*
napagent


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{059d64d4-d379-11dd-803b-0018f3ea3f39}]
AutoRun\command- H:\RECYCLER\S-1-6-21-2434476501-1644491937-600003330-1213\Rgmen.exe
open\command- H:\RECYCLER\S-1-6-21-2434476501-1644491937-600003330-1213\Rgmen.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{08a941f0-6634-11dd-bf14-0018f3ea3f39}]
Auto\command- H:\Start.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Start.exe
explore\Command- H:\gg.exe 0e
open\Command- H:\gg.exe 0o

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{220dba5a-71ea-11dd-bf54-0018f3ea3f39}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe killVBS.vbs

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3a9a04b8-4bea-11dc-9917-0018f3ea3f39}]
Auto\command- G:\RavMonE.exe e
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RavMonE.exe e

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ce3ecb5c-6857-11dc-9995-0018f3ea3f39}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe killVBS.vbs

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e86b5a62-4be3-11dc-9914-0018f3ea3f39}]
Auto\command- RavMonE.exe e
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RavMonE.exe e


Contents of the 'Scheduled Tasks' folder
2009-01-02 15:55:23 C:\WINDOWS\tasks\User_Feed_Synchronization-{132907F2-D634-4C67-9942-44DF435096B5}.job

********************************************************************

catchme 0.3.692 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-02 17:43:50
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

disk error: C:\WINDOWS\

please note that you need administrator rights to perform deep scan

********************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet005\Services\JavaQuickStarterService]
"ImagePath"="\"C:\Program Files\Java\jre6\bin\jqs.exe\" -service -config \"C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf\""

[HKEY_LOCAL_MACHINE\system\ControlSet005\Services\BTHPORT\Parameters\Services\{00001000-0000-1000-8000-00805f9b34fb}]


[HKEY_LOCAL_MACHINE\system\ControlSet005\Services\TDSSserv.sys]
"imagepath"="\systemroot\system32\drivers\TDSSpqlt.sys"

Completion time: 2009-01-02 17:45:28
C:\ComboFix-quarantined-files.txt ... 2009-01-02 17:44
C:\ComboFix2.txt ... 2009-01-02 13:57
C:\ComboFix3.txt ... 2009-01-02 13:48

--- E O F ---


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:54:32, on 2.1.2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18241)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\iolo\common\lib\ioloServiceManager.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\WINDOWS\system32\PSIService.exe
C:\Program Files\Thoosje Vista Sidebar\Thoosje Sidebar.exe
C:\Program Files\NETGATE\Spy Emergency 2008\SpyEmergencySrv.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\titca\titca\titca.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.rs/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - Startup: Thoosje Sidebar.lnk = C:\Program Files\Thoosje Vista Sidebar\Thoosje Sidebar.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: DAGP - Unknown owner - C:\DOCUME~1\J\LOCALS~1\Temp\DAGP.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: GWIZPWKDY - Unknown owner - C:\DOCUME~1\J\LOCALS~1\Temp\GWIZPWKDY.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iolo FileInfoList Service (ioloFileInfoList) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: iolo Product Update Service (ioloProductUpdate) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: iolo System Service (ioloSystemService) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: KJYXJSM - Unknown owner - C:\DOCUME~1\J\LOCALS~1\Temp\KJYXJSM.exe (file missing)
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Spy Emergency Engine Service (SpyEmrgSrv) - NETGATE Technologies s.r.o. - C:\Program Files\NETGATE\Spy Emergency 2008\SpyEmergencySrv.exe
O23 - Service: TZZ - Unknown owner - C:\DOCUME~1\J\LOCALS~1\Temp\TZZ.exe (file missing)

--
End of file - 6653 bytes
 
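The two logs above are the kind of output a helper reads by eye, checking the same few places each time. As an added example, not from this thread and not part of ComboFix or HijackThis, here is a small Python triage script that codifies the checks applied in this thread: Explorer MountPoints2 handlers that launch an executable from the root of a removable drive or from a RECYCLER folder (or carry an autorun.inf shellexecute handler), an extra package in the LSA Authentication Packages list, a service key named like a driver file, and HijackThis O23 services whose binary is missing or lives in a Temp folder. The sample input is constructed from lines of the logs posted above; the rule names and the reason strings are my own.

```python
import re

# Constructed sample input: lines copied from the ComboFix and HijackThis logs
# posted in this thread, trimmed to the sections the triage rules look at.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages msv1_0 C:\WINDOWS\system32\mlJDtrPg

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{059d64d4-d379-11dd-803b-0018f3ea3f39}]
AutoRun\command- H:\RECYCLER\S-1-6-21-2434476501-1644491937-600003330-1213\Rgmen.exe
open\command- H:\RECYCLER\S-1-6-21-2434476501-1644491937-600003330-1213\Rgmen.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3a9a04b8-4bea-11dc-9917-0018f3ea3f39}]
Auto\command- G:\RavMonE.exe e
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RavMonE.exe e

[HKEY_LOCAL_MACHINE\system\ControlSet005\Services\TDSSserv.sys]
"imagepath"="\systemroot\system32\drivers\TDSSpqlt.sys"

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: GWIZPWKDY - Unknown owner - C:\DOCUME~1\J\LOCALS~1\Temp\GWIZPWKDY.exe (file missing)
O23 - Service: TZZ - Unknown owner - C:\DOCUME~1\J\LOCALS~1\Temp\TZZ.exe (file missing)
"""

# "<verb>\command- <command line>" as ComboFix prints MountPoints2 handlers.
MOUNTPOINT_CMD = re.compile(r"^(\w+)\\command-\s*(.+)$", re.I)
# An .exe sitting directly in the root of a drive other than C:.
DRIVE_ROOT_EXE = re.compile(r"^[D-Z]:\\[^\\\s]+\.exe(\s|$)", re.I)
# HijackThis O23 line: name - owner - image path.
SERVICE_LINE = re.compile(r"^O23 - Service: (.+?) - (.+?) - (.+)$")


def check_mountpoint_command(verb, cmd):
    """Return a reason if a MountPoints2 handler looks like USB-worm residue, else None."""
    if re.search(r"\\RECYCLER\\", cmd, re.I):
        return "executable launched from a RECYCLER folder"
    if DRIVE_ROOT_EXE.match(cmd):
        return "executable launched from the root of a removable drive"
    if "ShellExec_RunDLL" in cmd:
        return "autorun.inf shellexecute handler left behind by a removable drive"
    return None


def check_service(name, owner, path):
    """Reasons an O23 service entry deserves a look; empty list means nothing odd."""
    reasons = []
    if "(file missing)" in path:
        reasons.append("binary no longer present")
    if re.search(r"\\Temp\\", path, re.I):
        reasons.append("binary lives in a Temp folder")
    if reasons and owner == "Unknown owner":
        reasons.append("no vendor in version info")
    return reasons


def triage(text):
    """Walk the log once and return (kind, where, reason) tuples."""
    findings = []
    key = ""  # registry key of the section we are currently inside
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        svc = SERVICE_LINE.match(line)
        if svc:
            name, owner, path = svc.groups()
            reasons = check_service(name, owner, path)
            if reasons:
                findings.append(("service", name, "; ".join(reasons)))
            continue
        low = key.lower()
        if "\\mountpoints2\\" in low:
            m = MOUNTPOINT_CMD.match(line)
            if m:
                reason = check_mountpoint_command(*m.groups())
                if reason:
                    findings.append(("mountpoints2", key.rsplit("\\", 1)[-1], reason))
        elif low.endswith("\\control\\lsa") and line.lower().startswith("authentication packages"):
            # Windows ships msv1_0 here; anything extra gets loaded into LSASS.
            extra = [p for p in line.split()[2:] if p.lower() != "msv1_0"]
            if extra:
                findings.append(("lsa", "Authentication Packages",
                                 "extra package(s): " + ", ".join(extra)))
        elif "\\services\\" in low and low.endswith(".sys") and line.lower().startswith('"imagepath"'):
            # Services are normally keyed by a service name, not by a file name.
            image = line.split("=", 1)[1].strip('"')
            findings.append(("service", key.rsplit("\\", 1)[-1],
                             "service key named like a driver file: " + image))
    return findings


if __name__ == "__main__":
    for kind, where, reason in triage(SAMPLE_LOG):
        print(f"[{kind}] {where}: {reason}")
```

On the sample above the script reports eight findings: the four removable-drive handlers, the extra LSA package, the TDSSserv.sys key, and the two Temp-folder services, while the Google Updater service passes. The rules are deliberately narrow; their job is to order a long log for a human, not to decide on their own.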

kristi1 (member no. 151211, posts: 2012)
Re: Virus blocks internet, 02.01.2009 at 17:16
How did you delete them manually? They're back again as if we had done nothing. Tell me whether you downloaded the new ComboFix or are working with the old version.
This CF log is completely identical to the previous one, which can't possibly be the case if you did what I wrote.
In the HJT log some services have appeared that weren't in the previous log, so we'll try to delete them with HJT.

GWIZPWKDY
KJYXJSM
TZZ

Run HijackThis, "Do a system scan only". Click Config, then Misc Tools, and then click the "Delete an NT service.." button.
When it opens, enter the service name and click OK. The names are listed above.
 
rime1 (member no. 206869, posts: 31)
Re: Virus blocks internet, 02.01.2009 at 17:24
I don't know which version it is, because I didn't download it from their site since it won't let me, and I also had to rename it to Bokabom.exe for it to run (the icon is different too, it shows an X).

[This message was edited by rime1 on 02.01.2009 at 19:09 GMT+1]
 
rime1 (member no. 206869, posts: 31)
Re: Virus blocks internet, 02.01.2009 at 18:09
I deleted these two: GWIZPWKDY, TZZ
and this one, KJYXJSM, I disabled via services.msc because it says it isn't in the registry.
 
rime1 (member no. 206869, posts: 31)
Re: Virus blocks internet, 02.01.2009 at 18:31
It looks like there's no solution for me except reinstalling the system. Thanks everyone for the effort, especially you @kristi1.
@magna86 yes, that's what I said, maybe they have a solution, but...
 
kristi1 (member no. 151211, posts: 2012)
Re: Virus blocks internet, 02.01.2009 at 19:17
I don't know what to tell you. I was willing, but the problem is that we can't run a single tool, and it's also a question which version that CF is; every run of that tool requires the newest version. The hosts file is OK, so it's not that, and no idea comes to mind right now.
Do this as well: Start/ run Combofix/ u, then OK
and wait for ComboFix to uninstall, and clean the temp files with Registry disk Cleaner.
 
rime1 (member no. 206869, posts: 31)
Re: Virus blocks internet, 02.01.2009 at 19:46
Start/ run Combofix/ u, it won't start.
 
kristi1 (member no. 151211, posts: 2012)
Re: Virus blocks internet, 02.01.2009 at 19:54
If you wrote it like that, it's not right; you have to leave a space between combofix and /, like this: Combofix /u
It was my mistake, I didn't notice.

Download these two programs and clean up the computer a bit; get the free versions: http://www.wisecleaner.com/download.html
 
rime1 (member no. 206869, posts: 31)
Re: Virus blocks internet, 02.01.2009 at 20:11
Finally: the svchost.exe process. When I kill it I get internet access in Google Chrome, which has been blocked ever since I got this virus, but when I kill it, that 1-minute countdown to a system restart starts.

Note: svchost.exe is a process registered as a backdoor vulnerability which may be installed for malicious purposes by an attacker allowing access to your computer from remote locations, stealing passwords, Internet banking and personal data. If unaccounted for, this process should be removed immediately.

Note: svchost.exe is a process which is registered as a trojan. This Trojan allows attackers to access your computer from remote locations, stealing passwords, Internet banking and personal data. This process is a security risk and should be removed from your system.

Note: svchost.exe is a process belonging to Microsoft Service Host Process. This could also be a stealth monitoring software that sits in the background and tracks all activities such as keyboard input (including websites visited, passwords etc.) This information can be sent to third parties through email or ftp uploads. If you did not intentionally install this program make sure you remove it to protect your privacy.
 
rime1 (member no. 206869, posts: 31)
Re: Virus blocks internet, 02.01.2009 at 20:31
Here are the locations of the 6 svchost.exe files:
Code:
C:\WINDOWS\$NtServicePackUninstall$\svchost.exe
C:\WINDOWS\Prefetch\SVCHOST.EXE-3530F672.pf
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\ServicePackFiles\i386\svchost.exe
C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe.config
 
kristi1 (member no. 151211, posts: 2012)
Re: Virus blocks internet, 02.01.2009 at 20:48
C:\WINDOWS\Prefetch\SVCHOST.EXE-3530F672.pf

You can delete this one; don't delete the rest.
 
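The list of six hits for "svchost" above, and the reply that only the Prefetch entry may go, are a question of where Windows XP itself keeps copies of svchost.exe and what a real service host looks like when it runs. As an added example (not from the thread, not a ComboFix or HijackThis feature), the following Python script labels each on-disk hit against the known copy locations and then checks a process listing for instances that only borrowed the name: a real service host is the system32 copy, is started by services.exe, runs as SYSTEM, LOCAL SERVICE or NETWORK SERVICE, and carries a `-k <group>` argument. The six paths are copied from the post above; the process listing is a constructed, hypothetical sample (PIDs, parent, user and command lines are invented for illustration, including one impostor).

```python
import ntpath

# Where a Windows XP installation legitimately keeps a copy of svchost.exe:
# the live service host, the service-pack file cache and the SP uninstall backup.
KNOWN_SVCHOST_COPIES = {
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\servicepackfiles\i386\svchost.exe",
    r"c:\windows\$ntservicepackuninstall$\svchost.exe",
}

# Accounts the Service Control Manager uses for service host instances.
SERVICE_ACCOUNTS = {"system", "local service", "network service"}

# The six paths listed in the post above.
SAMPLE_PATHS = [
    r"C:\WINDOWS\$NtServicePackUninstall$\svchost.exe",
    r"C:\WINDOWS\Prefetch\SVCHOST.EXE-3530F672.pf",
    r"C:\WINDOWS\system32\svchost.exe",
    r"C:\WINDOWS\ServicePackFiles\i386\svchost.exe",
    r"C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe",
    r"C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe.config",
]

# Constructed process listing (hypothetical values, not taken from the thread):
# three normal service hosts and one impostor that only copied the name.
SAMPLE_PROCESSES = [
    {"pid": 1044, "path": r"C:\WINDOWS\system32\svchost.exe",
     "parent": r"C:\WINDOWS\system32\services.exe", "user": "SYSTEM",
     "cmdline": r"C:\WINDOWS\system32\svchost.exe -k netsvcs"},
    {"pid": 1108, "path": r"C:\WINDOWS\system32\svchost.exe",
     "parent": r"C:\WINDOWS\system32\services.exe", "user": "NETWORK SERVICE",
     "cmdline": r"C:\WINDOWS\system32\svchost.exe -k rpcss"},
    {"pid": 1212, "path": r"C:\WINDOWS\system32\svchost.exe",
     "parent": r"C:\WINDOWS\system32\services.exe", "user": "LOCAL SERVICE",
     "cmdline": r"C:\WINDOWS\system32\svchost.exe -k LocalService"},
    {"pid": 3320, "path": r"C:\WINDOWS\svchost.exe",
     "parent": r"C:\WINDOWS\explorer.exe", "user": "J",
     "cmdline": r"C:\WINDOWS\svchost.exe"},
]


def classify_path(path):
    """Label one on-disk hit for 'svchost'."""
    low = path.lower()
    name = ntpath.basename(low)
    if name.endswith(".pf"):
        return "prefetch"      # execution trace written by the OS, not code
    if name != "svchost.exe":
        return "other"         # e.g. SMSvcHost.exe, a different .NET binary
    if low in KNOWN_SVCHOST_COPIES:
        return "expected"      # a copy Windows itself keeps there
    return "unexpected"        # svchost.exe outside its known locations


def process_anomalies(proc):
    """Return the reasons a running 'svchost.exe' does not look like a real one."""
    reasons = []
    if proc["path"].lower() != r"c:\windows\system32\svchost.exe":
        reasons.append("image is not the system32 copy")
    if ntpath.basename(proc["parent"]).lower() != "services.exe":
        reasons.append("parent is not services.exe (the Service Control Manager)")
    if proc["user"].lower() not in SERVICE_ACCOUNTS:
        reasons.append("runs as an interactive user instead of a service account")
    if " -k " not in proc["cmdline"].lower():
        reasons.append("no -k service-group argument")
    return reasons


def audit(paths, processes):
    """Summarise disk hits and running instances in one report."""
    return {
        "paths": {p: classify_path(p) for p in paths},
        "suspect_pids": {p["pid"]: process_anomalies(p)
                         for p in processes if process_anomalies(p)},
    }


if __name__ == "__main__":
    report = audit(SAMPLE_PATHS, SAMPLE_PROCESSES)
    for path, label in report["paths"].items():
        print(f"{label:10} {path}")
    for pid, reasons in report["suspect_pids"].items():
        print(f"pid {pid}: " + "; ".join(reasons))
```

Run on the sample, the three real copies come back "expected", the .pf file "prefetch", the two SMSvcHost entries "other", and only the invented PID 3320 is flagged, on all four counts. The point of the process check is the one this thread runs into: killing a genuine service host by name takes the RPC service down with it, which is exactly what produces the one-minute restart countdown described above (`shutdown -a` cancels it); who started the process and as which account tells you far more than the file name does.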

rime1 (member no. 206869, posts: 31)
Re: Virus blocks internet, 02.01.2009 at 21:06
I deleted all of these except this one and the one in system32, but it still gets started from somewhere. When I kill all the svchost.exe processes it will connect to the internet, but two remain, one with the username NETWORK SERVICE and the other SYSTEM, and it restarts my computer.
 
Goran Mijailovic (member no. 12684, posts: 6907)
Re: Virus blocks internet, 02.01.2009 at 23:16
Quote:
catchme 0.3.692 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-02 17:43:50
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

disk error: C:\WINDOWS\

please note that you need administrator rights to perform deep scan


Hm, a rootkit? Maybe..

Try scanning with Blacklight, I'll attach it to this message.

***
Unfortunately I had to rar it to be able to upload it, because of the file size.



[This message was edited by Goran Mijailovic on 03.01.2009 at 00:48 GMT+1]
Attached files
 
rime1 (member no. 206869, posts: 31)
Re: Virus blocks internet, 03.01.2009 at 15:27
It didn't find anything.
 
magna86, Anti Malware Fighter (member no. 189287, posts: 557)
Re: Virus blocks internet, 03.01.2009 at 15:33
Does your internet work from Safe Mode with Networking?
Go on, try it.
 
rime1 (member no. 206869, posts: 31)
Re: Virus blocks internet, 03.01.2009 at 20:03
It won't, because the virus starts in safe mode too, together with svchost.
 
kristi1 (member no. 151211, posts: 2012)
Re: Virus blocks internet, 03.01.2009 at 20:28
http://rapidshare.com/files/179470820/E-S.zip.html

Go ahead and download ComboFix from here, disable the AV and run it, then post the log so I can take one more look. That log seemed strange to me.
 
Odgovor na temu
