
I have a problem with some virus


iselmic (Ivan Nikolic, Nis), 07.04.2009 at 20:43:
OK, here's the thing: a virus gets into my computer, through a USB stick or through I don't know what, and starts messing things up. Everything works normally, it just launches I don't know how many .exe files, and they are hidden files. No antivirus has managed to find them, and when I go to Show hidden files, that option doesn't work... it's constantly set to hidden.
www.gps-srbija.co.cc: everything for your GPS device
 

Nemanja Živanović, 07.04.2009 at 21:07:
Hi Ivan,
To start, download the program HijackThis.

When you have downloaded it, rename the file to anything, e.g. blabla.exe. Run it and click "Do a system scan and save a logfile". Copy that log file here so we can take a look.

Note: If the instructions aren't entirely clear, see this link.
 

iselmic (Ivan Nikolic, Nis), 08.04.2009 at 10:21:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:19:40 AM, on 4/8/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBUE.EXE
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Adobe\Adobe Photoshop CS2\Photoshop.exe
C:\DOCUME~1\FOTOSE~1\LOCALS~1\Temp\Adobelm_Cleanup.0001
C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
C:\DOCUME~1\FOTOSE~1\LOCALS~1\Temp\Adobelm_Cleanup.0001
C:\Documents and Settings\Foto SELMA\Local Settings\Temporary Internet Files\Content.IE5\Y4W97RTS\HiJackThis[1].exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\gg.exe
O4 - HKCU\..\Run: [EPSON Stylus Photo 1400 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBUE.EXE /FU "C:\WINDOWS\TEMP\E_S8F.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [EPSON A3] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBUE.EXE /FU "C:\DOCUME~1\FOTOSE~1\LOCALS~1\Temp\E_S3E.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - HKCU\..\Run: [13CFG914-K641-26SF-N31P] C:\RECYCLER\S-1-5-21-0243336031-4052116379-881863308-0950\vsse33.exe
O4 - HKCU\..\Run: [12CFG914-K641-26SF-N32P] C:\RECYCLER\S-1-5-21-0243336031-4052116379-881863308-0851\vse432.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

--
End of file - 4760 bytes

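Reading the O4 lines of the log above by eye, three entries stand out: a Run value named ctfmon.exe that actually launches C:\WINDOWS\gg.exe, and two values with machine-looking names whose targets sit under C:\RECYCLER. The Python below is an added example, not code from the thread or from HijackThis: it parses O4 Run lines and flags exactly those three patterns (value name impersonating a different executable, a target under RECYCLER, a random-looking value name). The sample lines are copied from the log; the regular expressions and heuristics are the example's own.

```python
# Flag suspicious O4 (Run key) entries in a HijackThis log.
# Added example: the parser and heuristics are this example's own, not HijackThis code.
import re

# Constructed sample: O4 lines copied from the HijackThis log posted in the thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\gg.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - HKCU\..\Run: [13CFG914-K641-26SF-N31P] C:\RECYCLER\S-1-5-21-0243336031-4052116379-881863308-0950\vsse33.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
"""

# "O4 - HKLM\..\Run: [value name] command line"; Startup-folder O4 lines have another shape.
O4_RUN_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
# Value names like 13CFG914-K641-26SF-N31P: four uppercase alphanumeric groups, 8-4-4-4.
RANDOM_NAME_RE = re.compile(r"^[A-Z0-9]{8}-[A-Z0-9]{4}-[A-Z0-9]{4}-[A-Z0-9]{4}$")


def executable_path(cmd):
    """Strip arguments from a Run command line, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    return cmd.split(" ", 1)[0]


def triage_o4(log_text):
    """Return [(value_name, executable, reasons)] per Run entry; reasons is empty when clean."""
    rows = []
    for line in log_text.splitlines():
        m = O4_RUN_RE.match(line)
        if not m:
            continue
        name, exe = m.group("name"), executable_path(m.group("cmd"))
        basename = exe.rsplit("\\", 1)[-1].lower()
        reasons = []
        # A value name that is itself an .exe name but launches a different binary
        # (ctfmon.exe -> gg.exe) is a classic impersonation trick.
        if name.lower().endswith(".exe") and name.lower() != basename:
            reasons.append("value name %s impersonates another program, target is %s" % (name, basename))
        # Nothing legitimate autostarts from the Recycle Bin tree.
        if "\\recycler\\" in exe.lower():
            reasons.append("target lives under RECYCLER")
        if RANDOM_NAME_RE.match(name):
            reasons.append("machine-generated value name")
        rows.append((name, exe, reasons))
    return rows


def suspicious(log_text):
    """Only the Run entries that tripped at least one heuristic."""
    return [row for row in triage_o4(log_text) if row[2]]


if __name__ == "__main__":
    for name, exe, reasons in suspicious(SAMPLE_LOG):
        print("[%s] %s\n    %s" % (name, exe, "; ".join(reasons)))
```

Run against the sample, the script reports the ctfmon.exe/gg.exe entry and the RECYCLER entry (which trips two heuristics) and stays quiet about the ESET, Realtek and ActiveSync lines. The heuristics are deliberately narrow; they are a first-pass filter for reading a log, not a replacement for checking each target on disk.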

Nemanja Živanović, 08.04.2009 at 10:54:
First turn off all the protection you have:

Start ESET Smart Security as follows:
Start → All Programs → ESET → ESET Smart Security

• When the program's main window opens, click the Setup option on the left side of the window;
• Choose the Antivirus and Antispyware option and click Temporarily disable Antivirus and Antispyware protection.
• At the next question click Yes.

Download ComboFix to the Desktop. Start it and don't touch the program window while it scans. Follow the instructions the program gives you. When the scanning process finishes, a report will appear, which you will copy here. If you accidentally close the report, it is located at C:\ComboFix.txt.

Note: I won't be free to look at your report until about 20:00 this evening, so I'd ask you to wait until then and not touch anything on the computer (don't run antivirus scans and don't install any programs).
 

iselmic (Ivan Nikolic, Nis), 08.04.2009 at 11:33:
I DID AS YOU WROTE AND THIS IS MY LOG:

ComboFix 09-04-04.01 - Foto SELMA 2009-04-08 12:25:30.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2047.1470 [GMT 2:00]
Running from: c:\documents and settings\Foto SELMA\Desktop\ComboFix.exe
AV: ESET Smart Security 3.0 *On-access scanning disabled* (Updated)
FW: ESET Personal firewall *enabled*
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\autorun.inf
c:\recycler\S-1-5-21-1482476501-1644491937-682003330-1013
c:\recycler\S-1-5-21-1482476501-1644491937-682003330-1013\Desktop.ini
c:\recycler\S-1-5-21-1482476501-1644491937-682003330-1013\winse32.exe
c:\windows\hosts
c:\windows\system32\Config.ini
D:\Autorun.inf
G:\autorun.inf
K:\autorun.inf

.
((((((((((((((((((((((((( Files Created from 2009-03-08 to 2009-04-08 )))))))))))))))))))))))))))))))
.

2009-04-08 12:20 . 2009-04-08 12:23 30,660 --a------ c:\documents and settings\Foto SELMA\mscupdate.exe
2009-04-08 12:10 . 2009-04-08 12:22 22,484 --a------ c:\documents and settings\Foto SELMA\apow32.exe
2009-04-08 11:45 . 2009-04-08 11:45 27,083 --a------ c:\documents and settings\Foto SELMA\msesrv.exe
2009-04-08 11:41 . 2009-04-08 11:41 24,017 --a------ c:\documents and settings\Foto SELMA\msmp3.exe
2009-04-07 20:25 . 2009-04-08 11:40 28,616 --a------ c:\documents and settings\Foto SELMA\opti.exe
2009-04-07 18:56 . 2009-04-07 18:56 245,636 --ah----- c:\windows\system32\mlfcache.dat
2009-04-07 18:53 . 2008-11-20 21:19 9,200 --------- c:\windows\system32\drivers\cdralw2k.sys
2009-04-07 18:53 . 2008-11-20 21:19 9,072 --------- c:\windows\system32\drivers\cdr4_xp.sys
2009-04-07 18:52 . 2009-04-07 18:52 <DIR> d-------- c:\windows\system32\IOSUBSYS
2009-04-07 18:52 . 2009-04-07 18:52 <DIR> d-------- c:\program files\Google
2009-04-07 13:52 . 2009-04-07 13:52 17,829 --a------ c:\windows\system32\drivers\hosts
2009-04-07 11:27 . 2009-04-08 11:40 8,176 --a------ c:\documents and settings\Foto SELMA\plt32.exe
2009-04-06 11:32 . 2009-04-06 11:32 <DIR> d---s---- c:\documents and settings\Foto SELMA\UserData
2009-04-06 11:15 . 2007-08-29 21:41 36,864 -ra------ c:\windows\system32\drivers\l151x86.sys
2009-04-06 11:10 . 2009-04-06 11:10 16,620 --a------ c:\windows\Ascd_tmp.ini
2009-04-06 09:27 . 2009-04-06 09:27 <DIR> d-------- c:\documents and settings\Foto SELMA\Application Data\ACD Systems
2009-04-03 19:50 . 2009-04-03 19:50 <DIR> d-------- c:\documents and settings\Foto SELMA\Application Data\EPSON
2009-04-03 19:44 . 2003-12-12 09:30 855,542 -ra------ c:\windows\system32\drivers\mosuport.sys
2009-04-03 19:44 . 2003-12-12 11:38 270,336 -ra------ c:\windows\system32\MosUsbSerial.exe
2009-04-03 19:44 . 2003-12-12 11:23 237,568 -ra------ c:\windows\system32\MosUSBParallel.exe
2009-04-03 19:44 . 2003-12-12 11:35 65,536 -ra------ c:\windows\system32\MosUSBSerPropPage.dll
2009-04-03 19:44 . 2003-12-12 11:30 65,536 -ra------ c:\windows\system32\MosUSBParPropPage.dll
2009-04-03 19:44 . 2003-12-12 09:12 28,672 -ra------ c:\windows\system32\dbgmsgcfg.dll
2009-04-03 19:30 . 2003-12-12 09:12 305,344 -ra------ c:\windows\system32\monitor.exe
2009-04-03 19:30 . 2003-12-12 09:25 249,856 -ra------ c:\windows\system32\MosUnst.exe
2009-04-03 19:30 . 2004-09-28 06:46 245,760 -ra------ c:\windows\system32\MosUSer.exe
2009-04-03 19:30 . 2004-09-28 06:46 229,376 -ra------ c:\windows\system32\MosUPar.exe
2009-04-03 19:30 . 2006-05-05 00:26 144,756 -ra------ c:\windows\system32\mosUsbSr.sys
2009-04-03 19:30 . 2004-09-28 06:47 140,407 -ra------ c:\windows\system32\MCSENUM.vxd
2009-04-03 19:30 . 2004-09-17 06:15 18,496 -ra------ c:\windows\system32\drivers\DbgMsg9X.sys
2009-04-03 19:30 . 2004-09-28 06:49 8,720 -ra------ c:\windows\system32\MOSUSRPT.vxd
2009-04-03 19:30 . 2004-09-28 06:49 8,670 -ra------ c:\windows\system32\MOSUPRPT.vxd
2009-04-03 19:30 . 2003-09-05 10:17 6,064 -ra------ c:\windows\system32\MOSUSER.DLL
2009-04-03 19:30 . 2003-09-05 10:15 4,352 -ra------ c:\windows\system32\MOSUPAR.DLL
2009-04-03 19:24 . 2009-04-03 19:24 <DIR> d-------- C:\MosUPPSP
2009-04-03 19:19 . 2005-11-24 04:08 32,768 --a------ c:\windows\system32\ParallelMP.exe
2009-04-03 19:19 . 2005-11-24 01:10 59 --a------ c:\windows\system32\PConfig.ini
2009-04-03 19:19 . 2009-04-03 19:19 0 --a------ c:\windows\MONITOR.INI
2009-04-03 19:12 . 2004-09-28 06:44 233,472 --a------ c:\windows\system32\SerialMP.exe
2009-04-03 19:12 . 2004-09-28 06:47 204,800 --a------ c:\windows\system32\MosUsbPrintConfig.exe
2009-04-03 19:12 . 2003-12-12 09:12 18,240 -ra------ c:\windows\system32\drivers\DbgMsg.sys
2009-04-03 19:09 . 2009-04-03 19:09 <DIR> d-------- c:\program files\Atheros Communications Inc
2009-04-03 19:04 . 2004-08-03 22:58 15,104 --a------ c:\windows\system32\drivers\usbscan.sys
2009-04-03 19:04 . 2004-08-03 22:58 15,104 --a--c--- c:\windows\system32\dllcache\usbscan.sys
2009-04-03 13:15 . 2009-04-03 13:15 <DIR> d-------- c:\program files\Microsoft ActiveSync
2009-04-03 13:15 . 2005-10-21 03:47 30,592 --------- c:\windows\system32\drivers\rndismpx.sys
2009-04-03 13:15 . 2005-10-21 03:47 12,800 --------- c:\windows\system32\drivers\usb8023x.sys
2009-04-03 12:58 . 2009-04-07 13:20 69 --a------ c:\windows\NeroDigital.ini
2009-04-03 12:30 . 2009-04-03 12:30 <DIR> d-------- c:\documents and settings\Foto SELMA\Application Data\ESET
2009-04-03 12:30 . 2008-01-07 14:29 352 --ah----- c:\windows\nod32fixtemdono.reg
2009-04-03 12:29 . 2009-04-03 12:29 <DIR> d-------- c:\program files\ESET
2009-04-03 12:29 . 2009-04-03 12:29 <DIR> d-------- c:\documents and settings\All Users\Application Data\ESET
2009-03-20 20:50 . 2009-03-20 20:50 3,358,720 --a------ c:\windows\system32\GPhotos.scr

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-03 17:17 --------- d--h--w c:\program files\InstallShield Installation Information
2009-04-03 10:26 81,984 ----a-w c:\windows\system32\bdod.bin
2009-03-02 15:26 --------- d-----w c:\program files\Telenor
2009-03-02 15:25 10,368 ----a-w c:\windows\system32\drivers\pfc.sys
2009-03-02 15:25 --------- d-----w c:\program files\Common Files\ACD Systems
2009-03-02 15:25 --------- d-----w c:\program files\ACD Systems
2009-03-02 15:25 --------- d-----w c:\documents and settings\All Users\Application Data\ACD Systems
2009-03-02 15:21 --------- d-----w c:\program files\Softwin
2009-03-02 15:21 --------- d-----w c:\program files\Common Files\Softwin
2009-03-02 15:19 --------- d-----w c:\program files\Nero
2009-03-02 15:19 --------- d-----w c:\program files\Common Files\Ahead
2009-03-02 15:19 --------- d-----w c:\documents and settings\Foto SELMA\Application Data\Ahead
2009-03-02 15:19 --------- d-----w c:\documents and settings\All Users\Application Data\Nero
2009-03-02 15:18 --------- d-----w c:\program files\Common Files\Adobe
2009-03-02 15:05 --------- d-----w c:\program files\PDF2Word v1.1
2009-03-02 15:05 --------- d-----w c:\program files\Microsoft.NET
2009-03-02 15:05 --------- d-----w c:\program files\Microsoft Works
2009-03-02 15:05 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-03-02 14:57 --------- d-----w c:\program files\Common Files\Adobe Systems Shared
2009-03-02 14:57 --------- d-----w c:\documents and settings\All Users\Application Data\Adobe Systems
2009-03-02 14:53 --------- d-----w c:\documents and settings\All Users\Application Data\EPSON
2009-03-02 14:46 --------- d-----w c:\documents and settings\Foto SELMA\Application Data\ATI
2009-03-02 14:46 --------- d-----w c:\documents and settings\All Users\Application Data\ATI
2009-03-02 14:41 --------- d-----w c:\program files\EPSON Print CD
2009-03-02 14:41 --------- d-----w c:\program files\EPSON
2009-03-02 14:36 --------- d-----w c:\program files\ATI Technologies
2009-03-02 14:27 --------- d-----w c:\program files\Common Files\InstallShield
2009-03-02 14:23 315,392 ----a-w c:\windows\HideWin.exe
2009-03-02 14:23 --------- d-----w c:\program files\Realtek
2009-03-02 14:15 --------- d-----w c:\program files\microsoft frontpage
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.ACDV"= ACDV.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R2 ekrn;Eset Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [2007-12-21 468224]
R3 AtcL001;NDIS Miniport Driver for Atheros L1 Gigabit Ethernet Controller;c:\windows\system32\drivers\l151x86.sys [2009-04-06 36864]
R3 mosuport;USB Serial/Parallel Ports;c:\windows\system32\drivers\mosuport.sys [2009-04-03 855542]
S3 DBGMSG;DBGMSG;dbgmsg.sys --> dbgmsg.sys [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - ADOBE_LM_SERVICE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\M]
\Shell\AutoRun\command - M:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{256b36b7-2287-11de-8e5f-001e8c9f306f}]
\Shell\AutoRun\command - M:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{74da52df-073a-11de-8e52-00d0b7d54084}]
\Shell\AutoRun\command - G:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{74da52e2-073a-11de-8e52-00d0b7d54084}]
\Shell\AutoRun\command - G:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8b38a36f-0739-11de-a64e-806d6172696f}]
\Shell\AutoRun\command - gg.exe 0o
\Shell\explore\Command - gg.exe 0e
\Shell\open\Command - gg.exe 0o

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8b38a370-0739-11de-a64e-806d6172696f}]
\Shell\AutoRun\command - gg.exe 0o
\Shell\explore\Command - gg.exe 0e
\Shell\open\Command - gg.exe 0o

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9804e4d7-20fb-11de-8e5d-00d0b7d54084}]
\Shell\AutoRun\command - H:\
\Shell\open\Command - rundll32.exe .\\jgplv00.dll,InstallM
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-08 12:26:05
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1088)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-04-08 12:26:37
ComboFix-quarantined-files.txt 2009-04-08 10:26:36

Pre-Run: 21,732,311,040 bytes free
Post-Run: 23,988,854,784 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /NoExecute=AlwaysOff /fastdetect


Nemanja Živanović, 08.04.2009 at 18:53:
Open Notepad and copy the following text (without the "Code:" that appears at the top):

Code:

File::
c:\documents and settings\Foto SELMA\mscupdate.exe
c:\documents and settings\Foto SELMA\apow32.exe
c:\documents and settings\Foto SELMA\msesrv.exe
c:\documents and settings\Foto SELMA\msmp3.exe
c:\documents and settings\Foto SELMA\opti.exe
c:\documents and settings\Foto SELMA\plt32.exe

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\M\Shell]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{256b36b7-2287-11de-8e5f-001e8c9f306f}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{74da52df-073a-11de-8e52-00d0b7d54084}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{74da52e2-073a-11de-8e52-00d0b7d54084}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8b38a36f-0739-11de-a64e-806d6172696f}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8b38a370-0739-11de-a64e-806d6172696f}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9804e4d7-20fb-11de-8e5d-00d0b7d54084}]

Save that file to the Desktop under the name CFScript

Drag the saved text file onto the ComboFix icon, as in the picture. Post the log that is produced at the end of the cleaning/scanning in your next message.
 

iselmic (Ivan Nikolic, Nis), 08.04.2009 at 22:12:
OK! I'll try it tomorrow at the shop. And since my home computer is infected too, can I change the part where it says Foto SELMA and put Administrator instead, or do I have to send it to you so you'd give me the code?? Oh, and at the shop I did that thing and the computer doesn't mess around anymore. Now it works normally and there are no viruses, so should I apply this code you gave me to it or?? Thanks in advance for the help! :)

Nemanja Živanović, 08.04.2009 at 22:38:
These scripts I'm writing for you are tied exclusively to that computer (Foto SELMA), on which you ran ComboFix. Since we haven't finished everything on that computer yet, I'd ask you to follow the process through to the end and do what I listed in the message. Don't do anything on your home computer now, and don't run anything on your own. Open a separate topic for it, and we'll remove the viruses there, of course once you've finished with this computer at work.

When we finish cleaning this work computer I have a few tips for you, since I assume you have a lot of customers who bring you USB drives with photos (and 90% of those drives are infected with viruses).

Talk to you tomorrow around 15:00; I'm not free before then.
 

iselmic (Ivan Nikolic, Nis), 09.04.2009 at 09:02:
ComboFix 09-04-04.01 - Foto SELMA 2009-04-09 9:55:14.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2047.1597 [GMT 2:00]
Running from: c:\documents and settings\Foto SELMA\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Foto SELMA\Desktop\CFScript.txt
AV: ESET Smart Security 3.0 *On-access scanning disabled* (Updated)
FW: ESET Personal firewall *enabled*
* Created a new restore point

FILE ::
c:\documents and settings\Foto SELMA\apow32.exe
c:\documents and settings\Foto SELMA\mscupdate.exe
c:\documents and settings\Foto SELMA\msesrv.exe
c:\documents and settings\Foto SELMA\msmp3.exe
c:\documents and settings\Foto SELMA\opti.exe
c:\documents and settings\Foto SELMA\plt32.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Foto SELMA\apow32.exe
c:\documents and settings\Foto SELMA\mscupdate.exe
c:\documents and settings\Foto SELMA\msesrv.exe
c:\documents and settings\Foto SELMA\msmp3.exe
c:\documents and settings\Foto SELMA\opti.exe
c:\documents and settings\Foto SELMA\plt32.exe

.
((((((((((((((((((((((((( Files Created from 2009-03-09 to 2009-04-09 )))))))))))))))))))))))))))))))
.

2009-04-08 14:20 . 2009-04-08 14:21 <DIR> d-------- c:\documents and settings\Foto SELMA\Application Data\U3
2009-04-07 18:56 . 2009-04-07 18:56 245,636 --ah----- c:\windows\system32\mlfcache.dat
2009-04-07 18:53 . 2008-11-20 21:19 9,200 --------- c:\windows\system32\drivers\cdralw2k.sys
2009-04-07 18:53 . 2008-11-20 21:19 9,072 --------- c:\windows\system32\drivers\cdr4_xp.sys
2009-04-07 18:52 . 2009-04-07 18:52 <DIR> d-------- c:\windows\system32\IOSUBSYS
2009-04-07 18:52 . 2009-04-07 18:52 <DIR> d-------- c:\program files\Google
2009-04-07 13:52 . 2009-04-07 13:52 17,829 --a------ c:\windows\system32\drivers\hosts
2009-04-06 11:32 . 2009-04-06 11:32 <DIR> d---s---- c:\documents and settings\Foto SELMA\UserData
2009-04-06 11:15 . 2007-08-29 21:41 36,864 -ra------ c:\windows\system32\drivers\l151x86.sys
2009-04-06 11:10 . 2009-04-06 11:10 16,620 --a------ c:\windows\Ascd_tmp.ini
2009-04-06 09:27 . 2009-04-06 09:27 <DIR> d-------- c:\documents and settings\Foto SELMA\Application Data\ACD Systems
2009-04-03 19:50 . 2009-04-03 19:50 <DIR> d-------- c:\documents and settings\Foto SELMA\Application Data\EPSON
2009-04-03 19:44 . 2003-12-12 09:30 855,542 -ra------ c:\windows\system32\drivers\mosuport.sys
2009-04-03 19:44 . 2003-12-12 11:38 270,336 -ra------ c:\windows\system32\MosUsbSerial.exe
2009-04-03 19:44 . 2003-12-12 11:23 237,568 -ra------ c:\windows\system32\MosUSBParallel.exe
2009-04-03 19:44 . 2003-12-12 11:35 65,536 -ra------ c:\windows\system32\MosUSBSerPropPage.dll
2009-04-03 19:44 . 2003-12-12 11:30 65,536 -ra------ c:\windows\system32\MosUSBParPropPage.dll
2009-04-03 19:44 . 2003-12-12 09:12 28,672 -ra------ c:\windows\system32\dbgmsgcfg.dll
2009-04-03 19:30 . 2003-12-12 09:12 305,344 -ra------ c:\windows\system32\monitor.exe
2009-04-03 19:30 . 2003-12-12 09:25 249,856 -ra------ c:\windows\system32\MosUnst.exe
2009-04-03 19:30 . 2004-09-28 06:46 245,760 -ra------ c:\windows\system32\MosUSer.exe
2009-04-03 19:30 . 2004-09-28 06:46 229,376 -ra------ c:\windows\system32\MosUPar.exe
2009-04-03 19:30 . 2006-05-05 00:26 144,756 -ra------ c:\windows\system32\mosUsbSr.sys
2009-04-03 19:30 . 2004-09-28 06:47 140,407 -ra------ c:\windows\system32\MCSENUM.vxd
2009-04-03 19:30 . 2004-09-17 06:15 18,496 -ra------ c:\windows\system32\drivers\DbgMsg9X.sys
2009-04-03 19:30 . 2004-09-28 06:49 8,720 -ra------ c:\windows\system32\MOSUSRPT.vxd
2009-04-03 19:30 . 2004-09-28 06:49 8,670 -ra------ c:\windows\system32\MOSUPRPT.vxd
2009-04-03 19:30 . 2003-09-05 10:17 6,064 -ra------ c:\windows\system32\MOSUSER.DLL
2009-04-03 19:30 . 2003-09-05 10:15 4,352 -ra------ c:\windows\system32\MOSUPAR.DLL
2009-04-03 19:24 . 2009-04-03 19:24 <DIR> d-------- C:\MosUPPSP
2009-04-03 19:19 . 2005-11-24 04:08 32,768 --a------ c:\windows\system32\ParallelMP.exe
2009-04-03 19:19 . 2005-11-24 01:10 59 --a------ c:\windows\system32\PConfig.ini
2009-04-03 19:19 . 2009-04-03 19:19 0 --a------ c:\windows\MONITOR.INI
2009-04-03 19:12 . 2004-09-28 06:44 233,472 --a------ c:\windows\system32\SerialMP.exe
2009-04-03 19:12 . 2004-09-28 06:47 204,800 --a------ c:\windows\system32\MosUsbPrintConfig.exe
2009-04-03 19:12 . 2003-12-12 09:12 18,240 -ra------ c:\windows\system32\drivers\DbgMsg.sys
2009-04-03 19:09 . 2009-04-03 19:09 <DIR> d-------- c:\program files\Atheros Communications Inc
2009-04-03 19:04 . 2004-08-03 22:58 15,104 --a------ c:\windows\system32\drivers\usbscan.sys
2009-04-03 19:04 . 2004-08-03 22:58 15,104 --a--c--- c:\windows\system32\dllcache\usbscan.sys
2009-04-03 13:15 . 2009-04-03 13:15 <DIR> d-------- c:\program files\Microsoft ActiveSync
2009-04-03 13:15 . 2005-10-21 03:47 30,592 --------- c:\windows\system32\drivers\rndismpx.sys
2009-04-03 13:15 . 2005-10-21 03:47 12,800 --------- c:\windows\system32\drivers\usb8023x.sys
2009-04-03 12:58 . 2009-04-07 13:20 69 --a------ c:\windows\NeroDigital.ini
2009-04-03 12:30 . 2009-04-03 12:30 <DIR> d-------- c:\documents and settings\Foto SELMA\Application Data\ESET
2009-04-03 12:30 . 2008-01-07 14:29 352 --ah----- c:\windows\nod32fixtemdono.reg
2009-04-03 12:29 . 2009-04-03 12:29 <DIR> d-------- c:\program files\ESET
2009-04-03 12:29 . 2009-04-03 12:29 <DIR> d-------- c:\documents and settings\All Users\Application Data\ESET
2009-03-20 20:50 . 2009-03-20 20:50 3,358,720 --a------ c:\windows\system32\GPhotos.scr

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-03 17:17 --------- d--h--w c:\program files\InstallShield Installation Information
2009-04-03 10:26 81,984 ----a-w c:\windows\system32\bdod.bin
2009-03-02 15:26 --------- d-----w c:\program files\Telenor
2009-03-02 15:25 10,368 ----a-w c:\windows\system32\drivers\pfc.sys
2009-03-02 15:25 --------- d-----w c:\program files\Common Files\ACD Systems
2009-03-02 15:25 --------- d-----w c:\program files\ACD Systems
2009-03-02 15:25 --------- d-----w c:\documents and settings\All Users\Application Data\ACD Systems
2009-03-02 15:21 --------- d-----w c:\program files\Softwin
2009-03-02 15:21 --------- d-----w c:\program files\Common Files\Softwin
2009-03-02 15:19 --------- d-----w c:\program files\Nero
2009-03-02 15:19 --------- d-----w c:\program files\Common Files\Ahead
2009-03-02 15:19 --------- d-----w c:\documents and settings\Foto SELMA\Application Data\Ahead
2009-03-02 15:19 --------- d-----w c:\documents and settings\All Users\Application Data\Nero
2009-03-02 15:18 --------- d-----w c:\program files\Common Files\Adobe
2009-03-02 15:05 --------- d-----w c:\program files\PDF2Word v1.1
2009-03-02 15:05 --------- d-----w c:\program files\Microsoft.NET
2009-03-02 15:05 --------- d-----w c:\program files\Microsoft Works
2009-03-02 15:05 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-03-02 14:57 --------- d-----w c:\program files\Common Files\Adobe Systems Shared
2009-03-02 14:57 --------- d-----w c:\documents and settings\All Users\Application Data\Adobe Systems
2009-03-02 14:53 --------- d-----w c:\documents and settings\All Users\Application Data\EPSON
2009-03-02 14:46 --------- d-----w c:\documents and settings\Foto SELMA\Application Data\ATI
2009-03-02 14:46 --------- d-----w c:\documents and settings\All Users\Application Data\ATI
2009-03-02 14:41 --------- d-----w c:\program files\EPSON Print CD
2009-03-02 14:41 --------- d-----w c:\program files\EPSON
2009-03-02 14:36 --------- d-----w c:\program files\ATI Technologies
2009-03-02 14:27 --------- d-----w c:\program files\Common Files\InstallShield
2009-03-02 14:23 315,392 ----a-w c:\windows\HideWin.exe
2009-03-02 14:23 --------- d-----w c:\program files\Realtek
2009-03-02 14:15 --------- d-----w c:\program files\microsoft frontpage
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

c:\documents and settings\Foto SELMA\Start Menu\Programs\Startup\
ESET Smart Security.lnk - c:\program files\ESET\ESET Smart Security\egui.exe [2007-12-21 1443072]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.ACDV"= ACDV.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R2 ekrn;Eset Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [2007-12-21 468224]
R3 AtcL001;NDIS Miniport Driver for Atheros L1 Gigabit Ethernet Controller;c:\windows\system32\drivers\l151x86.sys [2009-04-06 36864]
R3 mosuport;USB Serial/Parallel Ports;c:\windows\system32\drivers\mosuport.sys [2009-04-03 855542]
S3 DBGMSG;DBGMSG;dbgmsg.sys --> dbgmsg.sys [?]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3feffdec-2437-11de-8e6d-001e8c9f306f}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3feffded-2437-11de-8e6d-001e8c9f306f}]
\Shell\AutoRun\command - G:\
\Shell\open\Command - rundll32.exe .\\clang.dll,InstallM
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-09 09:55:48
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1064)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-04-09 9:56:21
ComboFix-quarantined-files.txt 2009-04-09 07:56:20
ComboFix2.txt 2009-04-08 10:39:31
ComboFix3.txt 2009-04-08 10:26:38

Pre-Run: 24,951,816,192 bytes free
Post-Run: 24,941,133,824 bytes free

160


Nemanja Živanović

Re: I have a problem with some virus, 09.04.2009 at 14:09 - 183 months ago
Open Notepad and copy the following text (without the "Code:" that is written at the top):

Code:


Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3feffdec-2437-11de-8e6d-001e8c9f306f}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3feffded-2437-11de-8e6d-001e8c9f306f}]


Save that file to the Desktop under the name CFScript



Drag the saved text file onto the ComboFix icon as in the picture. In your next message post the log that gets produced at the end of the cleaning/scanning.
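Added example (not code from the thread or from ComboFix): a small Python script that reads the MountPoints2 part of a ComboFix "Reg Loading Points" section, flags the Shell\...\command handlers that launch a program rather than just opening the drive, and writes out the CFScript `Registry::` block that deletes those keys, which is what the reply above does by hand. The sample log text is constructed in the shape of the log posted earlier in this thread; the "anything other than a bare drive root" heuristic and the function names are my own.

```python
"""Added example: pull removable-drive autorun handlers out of a ComboFix log.

ComboFix lists the per-device MountPoints2 keys under "Reg Loading Points";
the Shell\AutoRun\command and Shell\open\Command values there are what
Explorer runs when the drive is double-clicked.  This script finds handlers
that launch a program and emits the CFScript block that deletes those keys.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample in the shape of the log posted in this thread (the two
# MountPoints2 keys are the ones the CFScript above deletes).
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3feffdec-2437-11de-8e6d-001e8c9f306f}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3feffded-2437-11de-8e6d-001e8c9f306f}]
\Shell\AutoRun\command - G:\
\Shell\open\Command - rundll32.exe .\\clang.dll,InstallM
"""

KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]\s*$")          # "[HKEY_...\{guid}]"
HANDLER_RE = re.compile(r"^(\\Shell\\\S+)\s+-\s+(.*)$")  # "\Shell\x\command - cmd"
DRIVE_ROOT_RE = re.compile(r"^[A-Za-z]:\\?$")            # "G:\" -> just open drive

Handlers = Dict[str, str]        # subkey -> command
Finding = Tuple[str, str, str]   # (registry key, subkey, command)


def parse_mountpoints(log_text: str) -> Dict[str, Handlers]:
    """Map every MountPoints2 key in the log to its Shell\\...\\command values."""
    result: Dict[str, Handlers] = {}
    current = None
    for line in log_text.splitlines():
        key_match = KEY_RE.match(line)
        if key_match:
            key = key_match.group(1)
            # Only per-device keys interest us; any other key resets the context.
            current = key if "mountpoints2" in key.lower() else None
            if current is not None:
                result[current] = {}
            continue
        if current is None:
            continue
        handler_match = HANDLER_RE.match(line)
        if handler_match:
            result[current][handler_match.group(1)] = handler_match.group(2).strip()
    return result


def suspicious_handlers(mountpoints: Dict[str, Handlers]) -> List[Finding]:
    """Return handlers that run something instead of just opening the drive.

    A bare drive root such as "G:\\" is Explorer's default and is harmless;
    anything else (an .exe, rundll32 with a DLL on the stick, ...) is a
    program the stick would run on double-click and deserves a look.
    """
    findings: List[Finding] = []
    for key, handlers in mountpoints.items():
        for subkey, command in handlers.items():
            if DRIVE_ROOT_RE.match(command):
                continue
            findings.append((key, subkey, command))
    return findings


def build_cfscript(findings: List[Finding]) -> str:
    """Build the CFScript 'Registry::' block that deletes each flagged key.

    '[-key]' is REGEDIT4 syntax for 'delete this key'; ComboFix applies the
    file when it is dropped onto its icon, as described in the post above.
    """
    keys: List[str] = []
    for key, _subkey, _command in findings:
        if key not in keys:
            keys.append(key)
    return "Registry::\n" + "".join(f"[-{k}]\n" for k in keys)


if __name__ == "__main__":
    found = suspicious_handlers(parse_mountpoints(SAMPLE_LOG))
    for key, subkey, command in found:
        print(f"{subkey} -> {command}")
    print(build_cfscript(found))
```

Treat the generated block as a review list rather than a verdict: LaunchU3.exe on E: is the SanDisk U3 launcher that ships on U3 sticks (the U3 folder under Application Data in the log fits that), while the `rundll32.exe .\\clang.dll,InstallM` handler on G: is the kind of entry that matters, because Explorer would run a DLL from the stick when the drive is double-clicked. Deleting a MountPoints2 key only drops Explorer's cached autorun settings for that device, so removing both, as the reply does, costs nothing.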
 

iselmic (Ivan Nikolic, Nis)

Re: I have a problem with some virus, 09.04.2009 at 14:49 - 183 months ago
Right, I'll go to the shop now to do this. But tell me, why do I have nothing at startup, not the antivirus, nothing? How can I get at least the antivirus to start?

Nemanja Živanović

Re: I have a problem with some virus, 09.04.2009 at 14:56 - 183 months ago
Because we disabled it in the first message. You remember that I told you to turn off all protection. We'll turn it back on when we're done with this. Did you plug in any new USB flash drives yesterday or this morning?
 

iselmic (Ivan Nikolic, Nis)

Re: I have a problem with some virus, 09.04.2009 at 15:08 - 183 months ago
ComboFix 09-04-04.01 - Foto SELMA 2009-04-09 16:06:18.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2047.1625 [GMT 2:00]
Running from: c:\documents and settings\Foto SELMA\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Foto SELMA\Desktop\CFScript.txt
AV: ESET Smart Security 3.0 *On-access scanning disabled* (Updated)
FW: ESET Personal firewall *enabled*
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2009-03-09 to 2009-04-09 )))))))))))))))))))))))))))))))
.

2009-04-09 12:21 . 2009-04-09 12:22 158 --a------ c:\windows\wcx_ftp.ini
2009-04-09 12:19 . 2009-04-09 12:19 0 --a------ c:\windows\nsreg.dat
2009-04-09 12:18 . 2009-04-09 12:18 <DIR> d-------- C:\totalcmd
2009-04-09 12:18 . 2004-04-16 06:03 545 --a------ c:\windows\UC.PIF
2009-04-09 12:18 . 2004-04-16 06:03 545 --a------ c:\windows\RAR.PIF
2009-04-09 12:18 . 2004-04-16 06:03 545 --a------ c:\windows\PKZIP.PIF
2009-04-09 12:18 . 2004-04-16 06:03 545 --a------ c:\windows\PKUNZIP.PIF
2009-04-09 12:18 . 2004-04-16 06:03 545 --a------ c:\windows\NOCLOSE.PIF
2009-04-09 12:18 . 2004-04-16 06:03 545 --a------ c:\windows\LHA.PIF
2009-04-09 12:18 . 2004-04-16 06:03 545 --a------ c:\windows\ARJ.PIF
2009-04-09 12:18 . 2009-04-09 12:22 244 --a------ c:\windows\wincmd.ini
2009-04-09 12:08 . 2009-04-09 12:08 <DIR> d-------- c:\program files\Macromedia
2009-04-09 12:08 . 2009-04-09 12:09 <DIR> d-------- c:\program files\Common Files\Macromedia
2009-04-08 14:20 . 2009-04-08 14:21 <DIR> d-------- c:\documents and settings\Foto SELMA\Application Data\U3
2009-04-07 18:56 . 2009-04-07 18:56 245,636 --ah----- c:\windows\system32\mlfcache.dat
2009-04-07 18:53 . 2008-11-20 21:19 9,200 --------- c:\windows\system32\drivers\cdralw2k.sys
2009-04-07 18:53 . 2008-11-20 21:19 9,072 --------- c:\windows\system32\drivers\cdr4_xp.sys
2009-04-07 18:52 . 2009-04-07 18:52 <DIR> d-------- c:\windows\system32\IOSUBSYS
2009-04-07 18:52 . 2009-04-07 18:52 <DIR> d-------- c:\program files\Google
2009-04-07 13:52 . 2009-04-07 13:52 17,829 --a------ c:\windows\system32\drivers\hosts
2009-04-06 11:32 . 2009-04-06 11:32 <DIR> d---s---- c:\documents and settings\Foto SELMA\UserData
2009-04-06 11:15 . 2007-08-29 21:41 36,864 -ra------ c:\windows\system32\drivers\l151x86.sys
2009-04-06 11:10 . 2009-04-06 11:10 16,620 --a------ c:\windows\Ascd_tmp.ini
2009-04-06 09:27 . 2009-04-06 09:27 <DIR> d-------- c:\documents and settings\Foto SELMA\Application Data\ACD Systems
2009-04-03 19:50 . 2009-04-03 19:50 <DIR> d-------- c:\documents and settings\Foto SELMA\Application Data\EPSON
2009-04-03 19:44 . 2003-12-12 09:30 855,542 -ra------ c:\windows\system32\drivers\mosuport.sys
2009-04-03 19:44 . 2003-12-12 11:38 270,336 -ra------ c:\windows\system32\MosUsbSerial.exe
2009-04-03 19:44 . 2003-12-12 11:23 237,568 -ra------ c:\windows\system32\MosUSBParallel.exe
2009-04-03 19:44 . 2003-12-12 11:35 65,536 -ra------ c:\windows\system32\MosUSBSerPropPage.dll
2009-04-03 19:44 . 2003-12-12 11:30 65,536 -ra------ c:\windows\system32\MosUSBParPropPage.dll
2009-04-03 19:44 . 2003-12-12 09:12 28,672 -ra------ c:\windows\system32\dbgmsgcfg.dll
2009-04-03 19:30 . 2003-12-12 09:12 305,344 -ra------ c:\windows\system32\monitor.exe
2009-04-03 19:30 . 2003-12-12 09:25 249,856 -ra------ c:\windows\system32\MosUnst.exe
2009-04-03 19:30 . 2004-09-28 06:46 245,760 -ra------ c:\windows\system32\MosUSer.exe
2009-04-03 19:30 . 2004-09-28 06:46 229,376 -ra------ c:\windows\system32\MosUPar.exe
2009-04-03 19:30 . 2006-05-05 00:26 144,756 -ra------ c:\windows\system32\mosUsbSr.sys
2009-04-03 19:30 . 2004-09-28 06:47 140,407 -ra------ c:\windows\system32\MCSENUM.vxd
2009-04-03 19:30 . 2004-09-17 06:15 18,496 -ra------ c:\windows\system32\drivers\DbgMsg9X.sys
2009-04-03 19:30 . 2004-09-28 06:49 8,720 -ra------ c:\windows\system32\MOSUSRPT.vxd
2009-04-03 19:30 . 2004-09-28 06:49 8,670 -ra------ c:\windows\system32\MOSUPRPT.vxd
2009-04-03 19:30 . 2003-09-05 10:17 6,064 -ra------ c:\windows\system32\MOSUSER.DLL
2009-04-03 19:30 . 2003-09-05 10:15 4,352 -ra------ c:\windows\system32\MOSUPAR.DLL
2009-04-03 19:24 . 2009-04-03 19:24 <DIR> d-------- C:\MosUPPSP
2009-04-03 19:19 . 2005-11-24 04:08 32,768 --a------ c:\windows\system32\ParallelMP.exe
2009-04-03 19:19 . 2005-11-24 01:10 59 --a------ c:\windows\system32\PConfig.ini
2009-04-03 19:19 . 2009-04-03 19:19 0 --a------ c:\windows\MONITOR.INI
2009-04-03 19:12 . 2004-09-28 06:44 233,472 --a------ c:\windows\system32\SerialMP.exe
2009-04-03 19:12 . 2004-09-28 06:47 204,800 --a------ c:\windows\system32\MosUsbPrintConfig.exe
2009-04-03 19:12 . 2003-12-12 09:12 18,240 -ra------ c:\windows\system32\drivers\DbgMsg.sys
2009-04-03 19:09 . 2009-04-03 19:09 <DIR> d-------- c:\program files\Atheros Communications Inc
2009-04-03 19:04 . 2004-08-03 22:58 15,104 --a------ c:\windows\system32\drivers\usbscan.sys
2009-04-03 19:04 . 2004-08-03 22:58 15,104 --a--c--- c:\windows\system32\dllcache\usbscan.sys
2009-04-03 13:15 . 2009-04-03 13:15 <DIR> d-------- c:\program files\Microsoft ActiveSync
2009-04-03 13:15 . 2005-10-21 03:47 30,592 --------- c:\windows\system32\drivers\rndismpx.sys
2009-04-03 13:15 . 2005-10-21 03:47 12,800 --------- c:\windows\system32\drivers\usb8023x.sys
2009-04-03 12:58 . 2009-04-07 13:20 69 --a------ c:\windows\NeroDigital.ini
2009-04-03 12:30 . 2009-04-03 12:30 <DIR> d-------- c:\documents and settings\Foto SELMA\Application Data\ESET
2009-04-03 12:30 . 2008-01-07 14:29 352 --ah----- c:\windows\nod32fixtemdono.reg
2009-04-03 12:29 . 2009-04-03 12:29 <DIR> d-------- c:\program files\ESET
2009-04-03 12:29 . 2009-04-03 12:29 <DIR> d-------- c:\documents and settings\All Users\Application Data\ESET
2009-03-20 20:50 . 2009-03-20 20:50 3,358,720 --a------ c:\windows\system32\GPhotos.scr

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-09 10:08 --------- d-----w c:\program files\Common Files\InstallShield
2009-04-03 17:17 --------- d--h--w c:\program files\InstallShield Installation Information
2009-04-03 10:26 81,984 ----a-w c:\windows\system32\bdod.bin
2009-03-02 15:26 --------- d-----w c:\program files\Telenor
2009-03-02 15:25 10,368 ----a-w c:\windows\system32\drivers\pfc.sys
2009-03-02 15:25 --------- d-----w c:\program files\Common Files\ACD Systems
2009-03-02 15:25 --------- d-----w c:\program files\ACD Systems
2009-03-02 15:25 --------- d-----w c:\documents and settings\All Users\Application Data\ACD Systems
2009-03-02 15:21 --------- d-----w c:\program files\Softwin
2009-03-02 15:21 --------- d-----w c:\program files\Common Files\Softwin
2009-03-02 15:19 --------- d-----w c:\program files\Nero
2009-03-02 15:19 --------- d-----w c:\program files\Common Files\Ahead
2009-03-02 15:19 --------- d-----w c:\documents and settings\Foto SELMA\Application Data\Ahead
2009-03-02 15:19 --------- d-----w c:\documents and settings\All Users\Application Data\Nero
2009-03-02 15:18 --------- d-----w c:\program files\Common Files\Adobe
2009-03-02 15:05 --------- d-----w c:\program files\PDF2Word v1.1
2009-03-02 15:05 --------- d-----w c:\program files\Microsoft.NET
2009-03-02 15:05 --------- d-----w c:\program files\Microsoft Works
2009-03-02 15:05 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-03-02 14:57 --------- d-----w c:\program files\Common Files\Adobe Systems Shared
2009-03-02 14:57 --------- d-----w c:\documents and settings\All Users\Application Data\Adobe Systems
2009-03-02 14:53 --------- d-----w c:\documents and settings\All Users\Application Data\EPSON
2009-03-02 14:46 --------- d-----w c:\documents and settings\Foto SELMA\Application Data\ATI
2009-03-02 14:46 --------- d-----w c:\documents and settings\All Users\Application Data\ATI
2009-03-02 14:41 --------- d-----w c:\program files\EPSON Print CD
2009-03-02 14:41 --------- d-----w c:\program files\EPSON
2009-03-02 14:36 --------- d-----w c:\program files\ATI Technologies
2009-03-02 14:23 315,392 ----a-w c:\windows\HideWin.exe
2009-03-02 14:23 --------- d-----w c:\program files\Realtek
2009-03-02 14:15 --------- d-----w c:\program files\microsoft frontpage
.

((((((((((((((((((((((((((((( SnapShot@2009-04-08_12.26.18.42 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-08-30 13:18:10 114,688 ----a-w c:\windows\Downloaded Installations\Macromedia Dreamweaver 8\DW_Client_Installer.exe
+ 2005-08-30 13:18:12 2,003,176 ----a-w c:\windows\Downloaded Installations\Macromedia Dreamweaver 8\WindowsInstaller-KB884016-v2-x86.exe
+ 2009-04-09 10:09:23 65,536 ----a-r c:\windows\Installer\{0837A661-FEC3-48B3-876C-91E7D32048A9}\DWARPPRODUCTICON.exe
+ 2009-04-09 10:08:30 65,536 ----a-r c:\windows\Installer\{5546CDB5-2CE2-498B-B059-5B3BF81FC41F}\EMARPPRODUCTICON.exe
+ 2009-02-03 02:15:28 3,771,296 ----a-w c:\windows\system32\Macromed\Flash\NPSWF32.dll
+ 2009-02-03 02:15:30 240,544 ----a-w c:\windows\system32\Macromed\Flash\NPSWF32_FlashUtil.exe
+ 2009-04-09 10:23:19 84,661 ----a-w c:\windows\system32\Macromed\Flash\uninstall_plugin.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-08-04 1667584]

c:\documents and settings\Foto SELMA\Start Menu\Programs\Startup\
ESET Smart Security.lnk - c:\program files\ESET\ESET Smart Security\egui.exe [2007-12-21 1443072]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.ACDV"= ACDV.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R2 ekrn;Eset Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [2007-12-21 468224]
R3 AtcL001;NDIS Miniport Driver for Atheros L1 Gigabit Ethernet Controller;c:\windows\system32\drivers\l151x86.sys [2009-04-06 36864]
R3 mosuport;USB Serial/Parallel Ports;c:\windows\system32\drivers\mosuport.sys [2009-04-03 855542]
S3 DBGMSG;DBGMSG;dbgmsg.sys --> dbgmsg.sys [?]
.
.
------- Supplementary Scan -------
.
FF - ProfilePath - c:\documents and settings\Foto SELMA\Application Data\Mozilla\Firefox\Profiles\znqyr4d0.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-09 16:06:54
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1064)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-04-09 16:07:27
ComboFix-quarantined-files.txt 2009-04-09 14:07:25
ComboFix2.txt 2009-04-09 07:56:22
ComboFix3.txt 2009-04-08 10:39:31
ComboFix4.txt 2009-04-08 10:26:38

Pre-Run: 24,500,559,872 bytes free
Post-Run: 24,497,246,208 bytes free

172


Nemanja Živanović

Re: I have a problem with some virus, 09.04.2009 at 15:10 - 183 months ago
OK. What's the situation now?
 

iselmic (Ivan Nikolic, Nis)

Re: I have a problem with some virus, 09.04.2009 at 15:14 - 183 months ago
I can tell you that after the first session it was muuuuch better, and now it's great. The computer doesn't freeze anymore... and doesn't mess around like it did. It's a quad core and it was running like a 486 :))

Nemanja Živanović

Re: I have a problem with some virus, 09.04.2009 at 15:16 - 183 months ago
Excellent. Now it's time to uninstall ComboFix:

Open Start > Run and type combofix /u

The program will uninstall itself automatically. Don't forget to turn all your protection back on, since you turned it off for this program to run.

Start ESET Smart Security as follows:
Start → All Programs → ESET → ESET Smart Security

• When the program's main window opens, click the Setup option on the left side of the window;
• Choose the Antivirus and Antispyware option and click Enable Antivirus and Antispyware protection.

*****************************************

Since I believe you have a lot of customers who bring you USB disks/cards, the following is MANDATORY for you to do:

Instructions for turning off Autoplay:

• Open Start > Run > and type gpedit.msc
• Go to User Configuration > Administrative Templates > System
• Once you have clicked on System, on the right side find the item Turn off Autoplay
• Double-click it and in the new window that opens select Enabled, and below that item under Turn off Autoplay on: choose All drives from the drop-down menu and confirm with OK
• Go to Computer Configuration > Administrative Templates > System
• Once you have clicked on System, on the right side find the item Turn off Autoplay
• Double-click it and in the new window that opens select Enabled, and below that item under Turn off Autoplay on: choose All drives from the drop-down menu and confirm with OK
• Exit this window - File > Exit

By turning off Autoplay you prevent viruses from launching automatically from a flash drive or CD and infecting your computer. Turning off Autoplay means that when you insert a CD/DVD or USB you will have to go to My Computer and launch them from there, read the contents or whatever you have in mind.

Further, for the same reason (customers) I suggest you scan every USB flash drive with NOD before you open it (right-click on the USB flash drive then Clean, or Advanced then Clean, I don't know how it is in your version) and wait for the USB disk to be cleaned of the "vermin".

*****************************************

And finally take a look at this link too:
http://www.elitesecurity.org/t359653-0#2246800

So read my answer, install CCleaner and MBAM. For CCleaner you have instructions (you can run it once a month to clean the computer), and install MBAM as additional protection on the computer (you have instructions for it too, but follow only the first two points - there's no need to scan the computer).

If anything else is unclear, feel free to ask.

Regards

[This message was edited by Nemanja Živanović on 09.04.2009 at 21:36 GMT+1]
 

iselmic (Ivan Nikolic, Nis)

Re: I have a problem with some virus, 09.04.2009 at 15:42 - 183 months ago
OK, I've done everything. And if I want to have no autorun, I just go there and set it to disable, and then viruses can't launch at all? OK, I'll install this. The home computer is all fine, I'll just put CCleaner and MBAM on it, because when I bring a flash drive home from the shop and copy something, it completely wrecks me. I'll let you know if I have any more problems. And many thanks for this, you've saved me no end. Cheers

valjan (Janko Valencik, Software Deployer, Schneider Electric, Novi Sad), Moderator

Re: I have a problem with some virus, 09.04.2009 at 16:01 - 183 months ago
Quote:
Nemanja Živanović

Instructions for turning off Autorun:

• Open Start > Run > and type gpedit.msc
• Go to User Configuration > System
• Once you have clicked on System, on the right side find the item Turn off Autoplay
• Double-click it and in the new window that opens select Enabled, and below that item under Turn off Autoplay on: choose All drives from the drop-down menu and confirm with OK
• Exit this window - File > Exit


These are instructions for turning off the Autoplay function, not the Autorun function!!! And the instructions above have one flaw: if the opposite setting is found under Computer Configuration, it takes priority and Autoplay will still work. And to be sure that Autorun.inf will never execute, you have to disable it from the registry. I already posted that here but the message was deleted, so if you have time to "play" with that, let me know and I'll send you instructions on how to do it.
 

Nemanja Živanović

Re: I have a problem with some virus, 09.04.2009 at 16:05 - 183 months ago
Thanks for the note, I totally forgot about Computer Configuration. Edited...
 

valjan (Janko Valencik, Software Deployer, Schneider Electric, Novi Sad), Moderator

Re: I have a problem with some virus, 09.04.2009 at 20:13 - 183 months ago
OK, except that Autoplay runs only the first time a CD/DVD is inserted in the drive or a USB disk is attached to the computer, while Autorun.inf runs every time a folder containing it is opened from Windows Explorer (even when Autoplay is turned off). To disable Autorun.inf, you need to redirect the opening of the Autorun.inf file via the registry:

Code:

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
@="@SYS:DoesNotExist"


More details about Autorun and Autoplay can be found, among other places, on Wikipedia.

And to disable Autorun.inf this way, all you need to do is open Notepad, copy the text above marked with "Code:", and save it to the desktop under a name like NoAutoRun.reg, or any other name, as long as ".reg" is at the end. After that just double-click that new file on the desktop and confirm with "Yes" when it asks whether you are sure you want to write the contents of that file into the registry.
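Added example (my own, not from the thread or from any of the tools mentioned in it): a Python audit of a removable drive's autorun.inf that lists the entries Explorer would act on, so a stick brought in by a customer can be checked before it is opened. It serves both the advice earlier in the thread to scan every USB drive before opening it and the explanation here of when Autorun.inf runs. The two autorun.inf samples are constructed; the first reuses the rundll32 handler that appeared in the ComboFix log in this thread. Function names and the verdict format are assumptions of the example.

```python
"""Added example: inspect a removable drive's autorun.inf before opening it.

Explorer reads the [autorun] section from the root of a drive: 'open' and
'shellexecute' name the program run on AutoPlay/double-click, and every
shell\<verb>\command entry names what the matching context-menu verb runs
('shell=<verb>' picks which verb double-click uses).  Listing those entries
tells you what the stick would execute before you double-click it.
"""
import os
from typing import Dict

# Constructed samples.  The first mirrors the rundll32 handler seen in the
# ComboFix log in this thread; the second is the benign kind that only sets
# a label and an icon.
SAMPLE_INFECTED = r"""
[autorun]
; constructed: runs clang.dll from the stick whatever verb the user picks
open=rundll32.exe .\clang.dll,InstallM
shell\open\command=rundll32.exe .\clang.dll,InstallM
shell\explore\command=rundll32.exe .\clang.dll,InstallM
shell=open
icon=.\drive.ico
"""

SAMPLE_BENIGN = r"""
[autorun]
label=Photos
icon=photos.ico
"""


def parse_autorun_inf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse INI-style autorun.inf text into {section: {key: value}}.

    Keys and section names are lower-cased because Explorer matches them
    case-insensitively.  A hand-written parser is used so that keys with
    backslashes (shell\\open\\command) and duplicate keys do not trip up
    configparser's strict mode.
    """
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        sections[current][key.strip().lower()] = value.strip()
    return sections


def launch_commands(sections: Dict[str, Dict[str, str]]) -> Dict[str, str]:
    """Return every [autorun] entry that makes Explorer run a program."""
    autorun = sections.get("autorun", {})
    commands: Dict[str, str] = {}
    for key, value in autorun.items():
        is_verb = key.startswith("shell\\") and key.endswith("\\command")
        if key in ("open", "shellexecute") or is_verb:
            commands[key] = value
    return commands


def audit_text(text: str) -> str:
    """One-line verdict for an autorun.inf body."""
    commands = launch_commands(parse_autorun_inf(text))
    if not commands:
        return "no launch commands"
    return "launches: " + "; ".join(f"{k}={v}" for k, v in sorted(commands.items()))


def audit_drive(root: str) -> str:
    """Read <root>/autorun.inf from a mounted drive and report its verdict."""
    path = os.path.join(root, "autorun.inf")
    if not os.path.exists(path):
        return "no autorun.inf"
    with open(path, "rb") as fh:
        data = fh.read()
    # autorun.inf is sometimes saved as UTF-16; honour the BOM so the
    # section header is still found, otherwise decode byte-for-byte.
    if data.startswith((b"\xff\xfe", b"\xfe\xff")):
        text = data.decode("utf-16")
    else:
        text = data.decode("latin-1")
    return audit_text(text)


if __name__ == "__main__":
    print(audit_text(SAMPLE_INFECTED))
    print(audit_text(SAMPLE_BENIGN))
```

audit_drive() is the part to run on a live machine, for example audit_drive("G:\\") on Windows once the stick is attached but before it is opened. The IniFileMapping change above stops Explorer from acting on the file at all, but the audit still tells you whether a stick carries launch entries, which is the cue to scan it as the earlier advice says.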

 