Task Manager i Registry Editor disabled + W32/Sality.AA

Naime, nadrljao sam ! Od juce komp poceo da brljavi, pun virusa.... Posto mi je MALWAREBYTES nasao preko 30 komada itd, resio sam da ga formatiram sto sam i uradio. Jutros pokrenem komp, ponovo virusi. Naime, nece da mi otvara TASK MANAGER, Registry Editor... (Regedit has been disabled by your administrator). Pratio sam svakakva uputstva sa google-a, skidao one reg fajlove, nista ne pomaze. Ukljuci ga jednom i posle ponovo isto ! Skinuo sam neke antimalware programe, i naslo mi je neke trojance. Sve sam to pobrisao, ali opet problem sa ovim.
Sta preporucujete ? Da radim isto po gornjem postupku, kao sto je u postu, pa da ostavim i ja LOGOVE ?

Pozdrav i pomozite ! ! ! !

_{[Ovu poruku je menjao Nemanja Živanović dana 10.04.2009. u 17:16 GMT+1]}

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:48:51 AM, on 4/10/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RunDLL32.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\TrojanHunter 5.0\THGuard.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Opera\opera.exe
C:\Documents and Settings\-Bajt\Desktop\blabla.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.enigmasoftware.a013...tulation_spyhunter_scanner.php
O1 - Hosts: 82.98.231.89 browser-security.microsoft.com
O1 - Hosts: 82.98.231.89 best-click-scanner.info
O1 - Hosts: 82.98.231.89 antivirus-xp-pro-2009.com
O1 - Hosts: 82.98.231.89 microsoft.infosecuritycenter.com
O1 - Hosts: 82.98.231.89 microsoft.softwaresecurityhelp.com
O1 - Hosts: 82.98.231.89 onlinenotifyq.net
O1 - Hosts: 82.98.231.89 antivirusxp-pro-2009.com
O1 - Hosts: 82.98.231.89 microsoft.browser-security-center.com
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SW20] C:\WINDOWS\system32\sw20.exe
O4 - HKLM\..\Run: [SW24] C:\WINDOWS\system32\sw24.exe
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Anti Trojan Elite] C:\Program Files\Anti Trojan Elite\TJEnder.exe :NO
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 5.0\THGuard.exe"
O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 3070 bytes

A ovo je sa COMBOFIX-a:
_________________________________



ComboFix 09-04-04.01 - -Bajt 2009-04-10 12:02:35.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3071.2511 [GMT 2:00]
Running from: c:\documents and settings\-Bajt\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\bo1dhu.bat
c:\windows\system32\aajehubl.ini
c:\windows\Tasks\lkhumjsx.job
D:\2.bat
D:\bo1dhu.bat
D:\dbrxubcw.com
D:\resycled
D:\uxkl0apt.bat
D:\yh.cmd
E:\2.bat
E:\bo1dhu.bat
E:\uxkl0apt.bat
E:\yh.cmd
F:\bo1dhu.bat
G:\2.bat
G:\bo1dhu.bat
G:\dbrxubcw.com
G:\resycled
G:\uxkl0apt.bat
G:\yh.cmd
H:\2.bat
H:\bo1dhu.bat
H:\dbrxubcw.com
H:\resycled
H:\uxkl0apt.bat
H:\yh.cmd
I:\2.bat
I:\bo1dhu.bat
I:\uxkl0apt.bat
I:\yh.cmd
J:\2.bat
J:\bo1dhu.bat
J:\uxkl0apt.bat
J:\yh.cmd
K:\2.bat
K:\bo1dhu.bat
K:\uxkl0apt.bat
K:\yh.cmd
L:\2.bat
L:\bo1dhu.bat
L:\uxkl0apt.bat
L:\yh.cmd

.
((((((((((((((((((((((((( Files Created from 2009-03-10 to 2009-04-10 )))))))))))))))))))))))))))))))
.

2009-04-10 11:36 . 2009-04-10 11:36 <DIR> d-------- c:\documents and settings\-Bajt\Application Data\TrojanHunter
2009-04-10 10:55 . 2009-04-10 10:55 <DIR> d--h----- c:\windows\PIF
2009-04-10 10:55 . 2009-04-10 11:55 <DIR> d-------- c:\program files\TrojanHunter 5.0
2009-04-10 10:33 . 2009-04-10 10:52 <DIR> d-------- c:\program files\Anti Trojan Elite
2009-04-10 10:17 . 2009-04-10 10:17 <DIR> d-------- c:\documents and settings\All Users\Application Data\TEMP
2009-04-10 10:16 . 2009-04-10 10:16 <DIR> d-------- c:\documents and settings\-Bajt\Application Data\Simply Super Software
2009-04-10 09:19 . 2009-04-09 22:52 110,321 --a------ c:\windows\system32\olhrwef.exe.vir
2009-04-09 23:43 . 2009-04-09 23:43 <DIR> d-------- c:\documents and settings\-Bajt\Application Data\Malwarebytes
2009-04-09 23:13 . 2009-04-09 23:13 <DIR> d-------- c:\documents and settings\-Bajt\Application Data\Macromedia
2009-04-09 23:13 . 2009-04-09 23:36 <DIR> d-------- c:\documents and settings\-Bajt\Application Data\Adobe
2009-04-09 23:10 . 2009-04-09 23:10 <DIR> d-------- c:\documents and settings\-Bajt\Application Data\BSplayer PRO
2009-04-09 23:09 . 2009-04-09 23:09 <DIR> d-------- c:\documents and settings\-Bajt\Application Data\Ahead
2009-04-09 23:06 . 2009-04-09 23:06 <DIR> d-------- c:\documents and settings\-Bajt\Application Data\Opera

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-10 08:17 55 ----a-w C:\autorun.inf.vir
2009-04-10 07:19 --------- d-----w c:\program files\Enigma Software Group
2009-04-09 21:43 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-09 21:43 --------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-09 21:35 --------- d-----w c:\documents and settings\All Users\Application Data\FLEXnet
2009-04-09 21:32 --------- d-----w c:\program files\Common Files\Adobe
2009-04-09 21:31 --------- d-----w c:\program files\Adobe Media Player
2009-04-09 21:30 --------- d-----w c:\program files\Common Files\Adobe AIR
2009-04-09 21:28 --------- d-----w c:\program files\Common Files\Macrovision Shared
2009-04-09 21:10 --------- d-----w c:\program files\Webteh
2009-04-09 21:10 --------- d-----w c:\program files\QuickTime
2009-04-09 21:10 --------- d-----w c:\program files\Apple Software Update
2009-04-09 21:10 --------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer
2009-04-09 21:10 --------- d-----w c:\documents and settings\All Users\Application Data\Apple
2009-04-09 21:09 --------- d-----w c:\program files\K-Lite Codec Pack
2009-04-09 21:09 --------- d-----w c:\program files\Common Files\Ahead
2009-04-09 21:08 --------- d-----w c:\program files\Nero
2009-04-09 21:06 --------- d-----w c:\program files\Opera
2009-04-09 21:05 --------- d-----w c:\program files\Winamp
2009-04-09 20:52 110,321 --sh--r C:\1ogf.exe
2009-04-09 20:45 --------- d-----w c:\program files\Common Files\InstallShield
2009-04-09 20:35 --------- d-----w c:\program files\microsoft frontpage
2009-04-06 13:32 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 13:32 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\lib\NMBgMonitor.exe" [2005-10-28 94208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-06-01 7618560]
"SW20"="c:\windows\system32\sw20.exe" [2009-01-02 389120]
"SW24"="c:\windows\system32\sw24.exe" [2009-01-02 139264]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2006-06-21 35328]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 233472]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2007-06-29 364544]
"nwiz"="nwiz.exe" [2006-06-01 c:\windows\system32\nwiz.exe]
"NvMediaCenter"="NvMCTray.dll" [2006-06-01 c:\windows\system32\nvmctray.dll]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)
"DisableRegistryTools"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
"UacDisableNotify"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"UacDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\wscntfy.exe"=
"c:\\WINDOWS\\system32\\nwiz.exe"=
"c:\\WINDOWS\\system32\\userinit.exe"=
"c:\\WINDOWS\\system32\\sw20.exe"=
"c:\\Program Files\\QuickTime\\QTTask.exe"=
"c:\\Program Files\\Enigma Software Group\\SpyHunter\\SpyHunter3.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
"c:\\Program Files\\Common Files\\Ahead\\lib\\NMBgMonitor.exe"=

R3 abp470n5;abp470n5;\??\c:\windows\system32\drivers\qkhjpn.sys --> c:\windows\system32\drivers\qkhjpn.sys [?]
S3 ATE_PROCMON;ATE_PROCMON;\??\c:\program files\Anti Trojan Elite\ATEPMon.sys --> c:\program files\Anti Trojan Elite\ATEPMon.sys [?]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{99999aac-2553-11de-ab30-806d6172696f}]
\Shell\AutoRun\command - M:\setup.exe
.
Contents of the 'Scheduled Tasks' folder

2009-04-09 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-06-03 13:42]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-Anti Trojan Elite - c:\program files\Anti Trojan Elite\TJEnder.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = hxxp://www.enigmasoftware.a013.com/congratulation_spyhunter_scanner.php
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-10 12:03:18
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-04-10 12:04:02
ComboFix-quarantined-files.txt 2009-04-10 10:04:00

Pre-Run: 40,498,290,688 bytes free
Post-Run: 40,809,775,104 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

176

Pozdrav Djordje,
Naravno da mozes i ti, samo bih te molio da sledeci put NE PUSTAS na svoju ruku ComboFix. Sad cu da pogledam log, pa da ti napisem sta da radis u sledecoj poruci

Opet iskljuci svu zastitu koju imas. Otvori Notepad i iskopiraj sledeci tekst:



Snimiti taj fajl na Desktop pod imenom CFScript



Prevuci snimljeni tekst na ComboFix ikonicu kao na slici. Postavi u sledecoj poruci log koji bude bio napravljen na kraju ciscenja/skeniranja.

_{[Ovu poruku je menjao Nemanja Živanović dana 10.04.2009. u 19:46 GMT+1]}

ComboFix 09-04-04.01 - -Bajt 2009-04-10 17:56:39.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3071.2585 [GMT 2:00]
Running from: c:\documents and settings\-Bajt\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\-Bajt\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\1ogf.exe
C:\autorun.inf.vir
c:\windows\system32\drivers\qkhjpn.sys
c:\windows\system32\olhrwef.exe.vir
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\1ogf.exe
C:\autorun.inf.vir
c:\windows\system32\olhrwef.exe.vir

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ABP470N5
-------\Service_abp470n5


((((((((((((((((((((((((( Files Created from 2009-03-10 to 2009-04-10 )))))))))))))))))))))))))))))))
.

2009-04-10 14:59 . 2009-04-10 14:59 <DIR> d-------- c:\documents and settings\-Bajt\Application Data\Google
2009-04-10 14:58 . 2009-04-10 14:58 <DIR> dr------- c:\program files\Skype
2009-04-10 14:58 . 2009-04-10 15:01 <DIR> d-------- c:\program files\Google
2009-04-10 14:58 . 2009-04-10 14:58 <DIR> d-------- c:\program files\Common Files\Skype
2009-04-10 14:58 . 2009-04-10 16:04 <DIR> d-------- c:\documents and settings\-Bajt\Application Data\skypePM
2009-04-10 14:58 . 2009-04-10 17:54 <DIR> d-------- c:\documents and settings\-Bajt\Application Data\Skype
2009-04-10 14:58 . 2009-04-10 14:58 48 --ah----- c:\windows\system32\ezsidmv.dat
2009-04-10 14:57 . 2009-04-10 14:58 <DIR> d-------- c:\documents and settings\All Users\Application Data\Skype
2009-04-10 14:51 . 2004-08-03 23:08 26,496 --a--c--- c:\windows\system32\dllcache\usbstor.sys
2009-04-10 14:36 . 2009-04-10 14:36 69 --a------ c:\windows\NeroDigital.ini
2009-04-10 11:36 . 2009-04-10 11:36 <DIR> d-------- c:\documents and settings\-Bajt\Application Data\TrojanHunter
2009-04-10 10:55 . 2009-04-10 10:55 <DIR> d--h----- c:\windows\PIF
2009-04-10 10:55 . 2009-04-10 11:55 <DIR> d-------- c:\program files\TrojanHunter 5.0
2009-04-10 10:33 . 2009-04-10 10:52 <DIR> d-------- c:\program files\Anti Trojan Elite
2009-04-10 10:17 . 2009-04-10 10:17 <DIR> d-------- c:\documents and settings\All Users\Application Data\TEMP
2009-04-10 10:16 . 2009-04-10 10:16 <DIR> d-------- c:\documents and settings\-Bajt\Application Data\Simply Super Software
2009-04-09 23:43 . 2009-04-09 23:43 <DIR> d-------- c:\documents and settings\-Bajt\Application Data\Malwarebytes
2009-04-09 23:13 . 2009-04-09 23:13 <DIR> d-------- c:\documents and settings\-Bajt\Application Data\Macromedia
2009-04-09 23:13 . 2009-04-09 23:36 <DIR> d-------- c:\documents and settings\-Bajt\Application Data\Adobe
2009-04-09 23:10 . 2009-04-09 23:10 <DIR> d-------- c:\documents and settings\-Bajt\Application Data\BSplayer PRO
2009-04-09 23:09 . 2009-04-09 23:09 <DIR> d-------- c:\documents and settings\-Bajt\Application Data\Ahead
2009-04-09 23:06 . 2009-04-09 23:06 <DIR> d-------- c:\documents and settings\-Bajt\Application Data\Opera

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-10 07:19 --------- d-----w c:\program files\Enigma Software Group
2009-04-09 21:43 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-09 21:43 --------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-09 21:35 --------- d-----w c:\documents and settings\All Users\Application Data\FLEXnet
2009-04-09 21:32 --------- d-----w c:\program files\Common Files\Adobe
2009-04-09 21:31 --------- d-----w c:\program files\Adobe Media Player
2009-04-09 21:30 --------- d-----w c:\program files\Common Files\Adobe AIR
2009-04-09 21:28 --------- d-----w c:\program files\Common Files\Macrovision Shared
2009-04-09 21:10 --------- d-----w c:\program files\Webteh
2009-04-09 21:10 --------- d-----w c:\program files\QuickTime
2009-04-09 21:10 --------- d-----w c:\program files\Apple Software Update
2009-04-09 21:10 --------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer
2009-04-09 21:10 --------- d-----w c:\documents and settings\All Users\Application Data\Apple
2009-04-09 21:09 --------- d-----w c:\program files\K-Lite Codec Pack
2009-04-09 21:09 --------- d-----w c:\program files\Common Files\Ahead
2009-04-09 21:08 --------- d-----w c:\program files\Nero
2009-04-09 21:06 --------- d-----w c:\program files\Opera
2009-04-09 21:05 --------- d-----w c:\program files\Winamp
2009-04-09 20:45 --------- d-----w c:\program files\Common Files\InstallShield
2009-04-09 20:35 --------- d-----w c:\program files\microsoft frontpage
2009-04-06 13:32 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 13:32 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
.

((((((((((((((((((((((((((((( SnapShot@2009-04-10_12.03.31.51 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-10-20 18:02:28 163,328 ----a-w c:\windows\ERDNT\subs\ERDNT.EXE
+ 2009-04-10 12:58:04 364,726 ----a-r c:\windows\Installer\{24D753CA-6AE9-4E30-8F5F-EFC93E08BF3D}\SkypeIcon.exe
+ 2004-08-03 21:08:48 26,496 ----a-w c:\windows\system32\drivers\USBSTOR.SYS
+ 2009-04-10 15:58:40 16,384 ----atw c:\windows\temp\Perflib_Perfdata_56c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\lib\NMBgMonitor.exe" [2005-10-28 94208]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-02-04 23975720]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-06-01 7618560]
"SW20"="c:\windows\system32\sw20.exe" [2009-01-02 389120]
"SW24"="c:\windows\system32\sw24.exe" [2009-01-02 139264]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2006-06-21 35328]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 233472]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2007-06-29 364544]
"nwiz"="nwiz.exe" [2006-06-01 c:\windows\system32\nwiz.exe]
"NvMediaCenter"="NvMCTray.dll" [2006-06-01 c:\windows\system32\nvmctray.dll]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)
"DisableRegistryTools"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
"UacDisableNotify"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"UacDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\wscntfy.exe"=
"c:\\WINDOWS\\system32\\nwiz.exe"=
"c:\\WINDOWS\\system32\\userinit.exe"=
"c:\\WINDOWS\\system32\\sw20.exe"=
"c:\\Program Files\\QuickTime\\QTTask.exe"=
"c:\\Program Files\\Enigma Software Group\\SpyHunter\\SpyHunter3.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
"c:\\Program Files\\Common Files\\Ahead\\lib\\NMBgMonitor.exe"=
"c:\\Program Files\\Winamp\\winampa.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

S3 ATE_PROCMON;ATE_PROCMON;\??\c:\program files\Anti Trojan Elite\ATEPMon.sys --> c:\program files\Anti Trojan Elite\ATEPMon.sys [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - ABP470N5

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5166c978-25ce-11de-91c9-0013d311484b}]
\Shell\AutOPlAy\CommanD - N:\wjtexs.exe
\Shell\AutoRun\command - N:\wjtexs.exe
\Shell\expLore\COmMand - N:\wjtexs.exe
\Shell\OpEN\COmmand - N:\wjtexs.exe
.
Contents of the 'Scheduled Tasks' folder

2009-04-09 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-06-03 13:42]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-swg - c:\program files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = hxxp://www.enigmasoftware.a013.com/congratulation_spyhunter_scanner.php
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-10 17:58:41
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\rundll32.exe
c:\windows\system32\nvsvc32.exe
.
**************************************************************************
.
Completion time: 2009-04-10 18:00:04 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-10 16:00:02
ComboFix2.txt 2009-04-10 10:04:03

Pre-Run: 40,166,346,752 bytes free
Post-Run: 40,059,277,312 bytes free

171

Da li si ubacivao si neki flash izmedju ova dva izvestaja? Ako jesi zarazen je. Nemoj da ga ubacujes dok ne zavrsimo, posle cu ti datu upustvo da ga ocistis. Opet iskljuci svu zastitu koju imas. Otvori Notepad i iskopiraj sledeci tekst:



Snimiti taj fajl na Desktop pod imenom CFScript



Prevuci snimljeni tekst na ComboFix ikonicu kao na slici. Postavi u sledecoj poruci log koji bude bio napravljen na kraju ciscenja/skeniranja.

_{[Ovu poruku je menjao Nemanja Živanović dana 10.04.2009. u 19:46 GMT+1]}

ComboFix 09-04-04.01 - -Bajt 2009-04-10 18:35:22.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3071.2593 [GMT 2:00]
Running from: c:\documents and settings\-Bajt\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\-Bajt\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2009-03-10 to 2009-04-10 )))))))))))))))))))))))))))))))
.

2009-04-10 14:59 . 2009-04-10 14:59 <DIR> d-------- c:\documents and settings\-Bajt\Application Data\Google
2009-04-10 14:58 . 2009-04-10 14:58 <DIR> dr------- c:\program files\Skype
2009-04-10 14:58 . 2009-04-10 15:01 <DIR> d-------- c:\program files\Google
2009-04-10 14:58 . 2009-04-10 14:58 <DIR> d-------- c:\program files\Common Files\Skype
2009-04-10 14:58 . 2009-04-10 16:04 <DIR> d-------- c:\documents and settings\-Bajt\Application Data\skypePM
2009-04-10 14:58 . 2009-04-10 17:59 <DIR> d-------- c:\documents and settings\-Bajt\Application Data\Skype
2009-04-10 14:58 . 2009-04-10 14:58 48 --ah----- c:\windows\system32\ezsidmv.dat
2009-04-10 14:57 . 2009-04-10 14:58 <DIR> d-------- c:\documents and settings\All Users\Application Data\Skype
2009-04-10 14:51 . 2004-08-03 23:08 26,496 --a--c--- c:\windows\system32\dllcache\usbstor.sys
2009-04-10 14:36 . 2009-04-10 14:36 69 --a------ c:\windows\NeroDigital.ini
2009-04-10 11:36 . 2009-04-10 11:36 <DIR> d-------- c:\documents and settings\-Bajt\Application Data\TrojanHunter
2009-04-10 10:55 . 2009-04-10 10:55 <DIR> d--h----- c:\windows\PIF
2009-04-10 10:55 . 2009-04-10 11:55 <DIR> d-------- c:\program files\TrojanHunter 5.0
2009-04-10 10:33 . 2009-04-10 10:52 <DIR> d-------- c:\program files\Anti Trojan Elite
2009-04-10 10:17 . 2009-04-10 10:17 <DIR> d-------- c:\documents and settings\All Users\Application Data\TEMP
2009-04-10 10:16 . 2009-04-10 10:16 <DIR> d-------- c:\documents and settings\-Bajt\Application Data\Simply Super Software
2009-04-09 23:43 . 2009-04-09 23:43 <DIR> d-------- c:\documents and settings\-Bajt\Application Data\Malwarebytes
2009-04-09 23:13 . 2009-04-09 23:13 <DIR> d-------- c:\documents and settings\-Bajt\Application Data\Macromedia
2009-04-09 23:13 . 2009-04-09 23:36 <DIR> d-------- c:\documents and settings\-Bajt\Application Data\Adobe
2009-04-09 23:10 . 2009-04-09 23:10 <DIR> d-------- c:\documents and settings\-Bajt\Application Data\BSplayer PRO
2009-04-09 23:09 . 2009-04-09 23:09 <DIR> d-------- c:\documents and settings\-Bajt\Application Data\Ahead
2009-04-09 23:06 . 2009-04-09 23:06 <DIR> d-------- c:\documents and settings\-Bajt\Application Data\Opera

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-10 07:19 --------- d-----w c:\program files\Enigma Software Group
2009-04-09 21:43 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-09 21:43 --------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-09 21:35 --------- d-----w c:\documents and settings\All Users\Application Data\FLEXnet
2009-04-09 21:32 --------- d-----w c:\program files\Common Files\Adobe
2009-04-09 21:31 --------- d-----w c:\program files\Adobe Media Player
2009-04-09 21:30 --------- d-----w c:\program files\Common Files\Adobe AIR
2009-04-09 21:28 --------- d-----w c:\program files\Common Files\Macrovision Shared
2009-04-09 21:10 --------- d-----w c:\program files\Webteh
2009-04-09 21:10 --------- d-----w c:\program files\QuickTime
2009-04-09 21:10 --------- d-----w c:\program files\Apple Software Update
2009-04-09 21:10 --------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer
2009-04-09 21:10 --------- d-----w c:\documents and settings\All Users\Application Data\Apple
2009-04-09 21:09 --------- d-----w c:\program files\K-Lite Codec Pack
2009-04-09 21:09 --------- d-----w c:\program files\Common Files\Ahead
2009-04-09 21:08 --------- d-----w c:\program files\Nero
2009-04-09 21:06 --------- d-----w c:\program files\Opera
2009-04-09 21:05 --------- d-----w c:\program files\Winamp
2009-04-09 20:45 --------- d-----w c:\program files\Common Files\InstallShield
2009-04-09 20:35 --------- d-----w c:\program files\microsoft frontpage
2009-04-06 13:32 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 13:32 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
.

((((((((((((((((((((((((((((( SnapShot@2009-04-10_12.03.31.51 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-10-20 18:02:28 163,328 ----a-w c:\windows\ERDNT\subs\ERDNT.EXE
+ 2009-04-10 12:58:04 364,726 ----a-r c:\windows\Installer\{24D753CA-6AE9-4E30-8F5F-EFC93E08BF3D}\SkypeIcon.exe
+ 2004-08-03 21:08:48 26,496 ----a-w c:\windows\system32\drivers\USBSTOR.SYS
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\lib\NMBgMonitor.exe" [2005-10-28 94208]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-02-04 23975720]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-06-01 7618560]
"SW20"="c:\windows\system32\sw20.exe" [2009-01-02 389120]
"SW24"="c:\windows\system32\sw24.exe" [2009-01-02 139264]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2006-06-21 35328]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 233472]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2007-06-29 364544]
"nwiz"="nwiz.exe" [2006-06-01 c:\windows\system32\nwiz.exe]
"NvMediaCenter"="NvMCTray.dll" [2006-06-01 c:\windows\system32\nvmctray.dll]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)
"DisableRegistryTools"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
"UacDisableNotify"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"UacDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\wscntfy.exe"=
"c:\\WINDOWS\\system32\\nwiz.exe"=
"c:\\WINDOWS\\system32\\userinit.exe"=
"c:\\WINDOWS\\system32\\sw20.exe"=
"c:\\Program Files\\QuickTime\\QTTask.exe"=
"c:\\Program Files\\Enigma Software Group\\SpyHunter\\SpyHunter3.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
"c:\\Program Files\\Common Files\\Ahead\\lib\\NMBgMonitor.exe"=
"c:\\Program Files\\Winamp\\winampa.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

S3 ATE_PROCMON;ATE_PROCMON;\??\c:\program files\Anti Trojan Elite\ATEPMon.sys --> c:\program files\Anti Trojan Elite\ATEPMon.sys [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - ABP470N5
.
Contents of the 'Scheduled Tasks' folder

2009-04-09 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-06-03 13:42]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = hxxp://www.enigmasoftware.a013.com/congratulation_spyhunter_scanner.php
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-10 18:35:56
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-04-10 18:36:36
ComboFix-quarantined-files.txt 2009-04-10 16:36:34
ComboFix2.txt 2009-04-10 16:00:05
ComboFix3.txt 2009-04-10 10:04:03

Pre-Run: 40,071,774,208 bytes free
Post-Run: 40,059,076,608 bytes free

140



_________________
Ok. Nisam bio kuci, moguce da je neko ubacivao flash. Vise nece ;). Cekam dalje instrukcije....

Pokreni HijackThis, klikni na "Do a system scan only". Pronadji sledecu liniju, oznaci je i pritisni Fix Checked:

O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

Posle toga ponovo skeniraj sa HijackThis-om i postavi izvestaj.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:08:26 PM, on 4/10/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Opera\opera.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Documents and Settings\-Bajt\Desktop\blabla.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.enigmasoftware.a013...tulation_spyhunter_scanner.php
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SW20] C:\WINDOWS\system32\sw20.exe
O4 - HKLM\..\Run: [SW24] C:\WINDOWS\system32\sw24.exe
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 3863 bytes

Opet iskljuci svu zastitu koju imas. Otvori Notepad i iskopiraj sledeci tekst:



Snimiti taj fajl na Desktop pod imenom CFScript



Prevuci snimljeni tekst na ComboFix ikonicu kao na slici. Postavi u sledecoj poruci log koji bude bio napravljen na kraju ciscenja/skeniranja.

_{[Ovu poruku je menjao Nemanja Živanović dana 10.04.2009. u 19:46 GMT+1]}

Kazi mi na koji nacin da iskljucim zastitu ? ! Desni taster, my computer ? I + antivirus da iskljucim, jel pod iskljucivanjem zastite to podrazumevas ? :)

ComboFix 09-04-04.01 - -Bajt 2009-04-10 19:26:50.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3071.2591 [GMT 2:00]
Running from: c:\documents and settings\-Bajt\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\-Bajt\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ABP470N5


((((((((((((((((((((((((( Files Created from 2009-03-10 to 2009-04-10 )))))))))))))))))))))))))))))))
.

2009-04-10 14:59 . 2009-04-10 14:59 <DIR> d-------- c:\documents and settings\-Bajt\Application Data\Google
2009-04-10 14:58 . 2009-04-10 14:58 <DIR> dr------- c:\program files\Skype
2009-04-10 14:58 . 2009-04-10 15:01 <DIR> d-------- c:\program files\Google
2009-04-10 14:58 . 2009-04-10 14:58 <DIR> d-------- c:\program files\Common Files\Skype
2009-04-10 14:58 . 2009-04-10 16:04 <DIR> d-------- c:\documents and settings\-Bajt\Application Data\skypePM
2009-04-10 14:58 . 2009-04-10 19:28 <DIR> d-------- c:\documents and settings\-Bajt\Application Data\Skype
2009-04-10 14:58 . 2009-04-10 14:58 48 --ah----- c:\windows\system32\ezsidmv.dat
2009-04-10 14:57 . 2009-04-10 14:58 <DIR> d-------- c:\documents and settings\All Users\Application Data\Skype
2009-04-10 14:51 . 2004-08-03 23:08 26,496 --a--c--- c:\windows\system32\dllcache\usbstor.sys
2009-04-10 14:36 . 2009-04-10 14:36 69 --a------ c:\windows\NeroDigital.ini
2009-04-10 11:36 . 2009-04-10 11:36 <DIR> d-------- c:\documents and settings\-Bajt\Application Data\TrojanHunter
2009-04-10 10:55 . 2009-04-10 10:55 <DIR> d--h----- c:\windows\PIF
2009-04-10 10:55 . 2009-04-10 11:55 <DIR> d-------- c:\program files\TrojanHunter 5.0
2009-04-10 10:33 . 2009-04-10 10:52 <DIR> d-------- c:\program files\Anti Trojan Elite
2009-04-10 10:17 . 2009-04-10 10:17 <DIR> d-------- c:\documents and settings\All Users\Application Data\TEMP
2009-04-10 10:16 . 2009-04-10 10:16 <DIR> d-------- c:\documents and settings\-Bajt\Application Data\Simply Super Software
2009-04-09 23:43 . 2009-04-09 23:43 <DIR> d-------- c:\documents and settings\-Bajt\Application Data\Malwarebytes
2009-04-09 23:13 . 2009-04-09 23:13 <DIR> d-------- c:\documents and settings\-Bajt\Application Data\Macromedia
2009-04-09 23:13 . 2009-04-10 19:00 <DIR> d-------- c:\documents and settings\-Bajt\Application Data\Adobe
2009-04-09 23:10 . 2009-04-09 23:10 <DIR> d-------- c:\documents and settings\-Bajt\Application Data\BSplayer PRO
2009-04-09 23:09 . 2009-04-09 23:09 <DIR> d-------- c:\documents and settings\-Bajt\Application Data\Ahead
2009-04-09 23:06 . 2009-04-09 23:06 <DIR> d-------- c:\documents and settings\-Bajt\Application Data\Opera

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-10 16:59 --------- d-----w c:\documents and settings\All Users\Application Data\FLEXnet
2009-04-10 07:19 --------- d-----w c:\program files\Enigma Software Group
2009-04-09 21:43 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-09 21:43 --------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-09 21:32 --------- d-----w c:\program files\Common Files\Adobe
2009-04-09 21:31 --------- d-----w c:\program files\Adobe Media Player
2009-04-09 21:30 --------- d-----w c:\program files\Common Files\Adobe AIR
2009-04-09 21:28 --------- d-----w c:\program files\Common Files\Macrovision Shared
2009-04-09 21:10 --------- d-----w c:\program files\Webteh
2009-04-09 21:10 --------- d-----w c:\program files\QuickTime
2009-04-09 21:10 --------- d-----w c:\program files\Apple Software Update
2009-04-09 21:10 --------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer
2009-04-09 21:10 --------- d-----w c:\documents and settings\All Users\Application Data\Apple
2009-04-09 21:09 --------- d-----w c:\program files\K-Lite Codec Pack
2009-04-09 21:09 --------- d-----w c:\program files\Common Files\Ahead
2009-04-09 21:08 --------- d-----w c:\program files\Nero
2009-04-09 21:06 --------- d-----w c:\program files\Opera
2009-04-09 21:05 --------- d-----w c:\program files\Winamp
2009-04-09 20:45 --------- d-----w c:\program files\Common Files\InstallShield
2009-04-09 20:35 --------- d-----w c:\program files\microsoft frontpage
2009-04-06 13:32 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 13:32 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
.

((((((((((((((((((((((((((((( SnapShot@2009-04-10_12.03.31.51 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-10-20 18:02:28 163,328 ----a-w c:\windows\ERDNT\subs\ERDNT.EXE
+ 2009-04-10 12:58:04 364,726 ----a-r c:\windows\Installer\{24D753CA-6AE9-4E30-8F5F-EFC93E08BF3D}\SkypeIcon.exe
+ 2004-08-03 21:08:48 26,496 ----a-w c:\windows\system32\drivers\USBSTOR.SYS
+ 2009-04-10 17:28:19 16,384 ----atw c:\windows\temp\Perflib_Perfdata_7e8.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\lib\NMBgMonitor.exe" [2005-10-28 94208]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-02-04 23975720]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-06-01 7618560]
"SW20"="c:\windows\system32\sw20.exe" [2009-01-02 389120]
"SW24"="c:\windows\system32\sw24.exe" [2009-01-02 139264]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2006-06-21 35328]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 233472]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2007-06-29 364544]
"nwiz"="nwiz.exe" [2006-06-01 c:\windows\system32\nwiz.exe]
"NvMediaCenter"="NvMCTray.dll" [2006-06-01 c:\windows\system32\nvmctray.dll]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)
"DisableRegistryTools"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
"UacDisableNotify"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"UacDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\wscntfy.exe"=
"c:\\WINDOWS\\system32\\nwiz.exe"=
"c:\\WINDOWS\\system32\\userinit.exe"=
"c:\\WINDOWS\\system32\\sw20.exe"=
"c:\\Program Files\\QuickTime\\QTTask.exe"=
"c:\\Program Files\\Enigma Software Group\\SpyHunter\\SpyHunter3.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
"c:\\Program Files\\Common Files\\Ahead\\lib\\NMBgMonitor.exe"=
"c:\\Program Files\\Winamp\\winampa.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R3 abp470n5;abp470n5;\??\c:\windows\system32\drivers\qkhjpn.sys --> c:\windows\system32\drivers\qkhjpn.sys [?]
S3 ATE_PROCMON;ATE_PROCMON;\??\c:\program files\Anti Trojan Elite\ATEPMon.sys --> c:\program files\Anti Trojan Elite\ATEPMon.sys [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - ABP470N5
.
Contents of the 'Scheduled Tasks' folder

2009-04-10 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-06-03 13:42]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = hxxp://www.enigmasoftware.a013.com/congratulation_spyhunter_scanner.php
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-10 19:28:20
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-04-10 19:29:41 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-10 17:29:39
ComboFix2.txt 2009-04-10 16:36:37
ComboFix3.txt 2009-04-10 16:00:05
ComboFix4.txt 2009-04-10 10:04:03

Pre-Run: 39,549,247,488 bytes free
Post-Run: 39,483,949,056 bytes free

151

Cekaj, ti nemas antivirus? Zasto? Pod hitno instaliraj neki antivirus (mozes za pocetak neki besplatni - izaberi samo jedan od ova 3):

Avast: http://www.avast.com/eng/download-avast-home.html
Avira: http://www.free-av.com/en/download/index.html
AVG: http://free.avg.com/download-avg-anti-virus-free-edition

I ove programe pobrisi sa racunara:
Anti Trojan Elite
TrojanHunter 5.0
SpyHunter

Pa se onda javi.

Nema ih u ADD REMOVE PROGRAMS ! Obrisao sam SpyHunter. Ove sam danas obrisao.... Sad ih nema u ADD/Remove P... ??

A u kompu imam Malwarebytes, a sad cu i da instaliram Avast.

Ok, samo nastavi. Ako nisi jos instalirao Antivirus uradi ovo. Ako si instalirao Antivirus iskljuci ga pa nastavi. Ako ne znas kako se iskljucuje reci koji si Antivirus instalirao da ti objasnim. Imaj na umu da NE SMES da nastavis dalje, ako imas ukljucen i aktivan Antivirus.

Otvori Notepad i iskopiraj sledeci tekst:



Snimiti taj fajl na Desktop pod imenom CFScript



Prevuci snimljeni tekst na ComboFix ikonicu kao na slici. Postavi u sledecoj poruci log koji bude bio napravljen na kraju ciscenja/skeniranja.

Pa imam Malwarebytes ! ! ??

Samo njega... i naravno, iskljucio sam ga ! On cak i nije neki antivirus....

Ostavi Malwarebytes` Antimalware. On je dobar, ali pored njega moras instalirati neki Antivirus. Hajde prvo pusti onu skriptu koju sam ti dao i postavi izvestaj. Da li si instalirao neki od ona 3 antivirusa koja sam ti predlozio?

Evo skripte....

ComboFix 09-04-04.01 - -Bajt 2009-04-10 19:46:53.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3071.2661 [GMT 2:00]
Running from: c:\documents and settings\-Bajt\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\-Bajt\Desktop\CFScript.txt
* Created a new restore point

FILE ::
c:\windows\system32\drivers\qkhjpn.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ABP470N5
-------\Service_abp470n5


((((((((((((((((((((((((( Files Created from 2009-03-10 to 2009-04-10 )))))))))))))))))))))))))))))))
.

2009-04-10 14:59 . 2009-04-10 14:59 <DIR> d-------- c:\documents and settings\-Bajt\Application Data\Google
2009-04-10 14:58 . 2009-04-10 14:58 <DIR> dr------- c:\program files\Skype
2009-04-10 14:58 . 2009-04-10 15:01 <DIR> d-------- c:\program files\Google
2009-04-10 14:58 . 2009-04-10 14:58 <DIR> d-------- c:\program files\Common Files\Skype
2009-04-10 14:58 . 2009-04-10 16:04 <DIR> d-------- c:\documents and settings\-Bajt\Application Data\skypePM
2009-04-10 14:58 . 2009-04-10 19:48 <DIR> d-------- c:\documents and settings\-Bajt\Application Data\Skype
2009-04-10 14:58 . 2009-04-10 14:58 48 --ah----- c:\windows\system32\ezsidmv.dat
2009-04-10 14:57 . 2009-04-10 14:58 <DIR> d-------- c:\documents and settings\All Users\Application Data\Skype
2009-04-10 14:51 . 2004-08-03 23:08 26,496 --a--c--- c:\windows\system32\dllcache\usbstor.sys
2009-04-10 14:36 . 2009-04-10 14:36 69 --a------ c:\windows\NeroDigital.ini
2009-04-10 11:36 . 2009-04-10 11:36 <DIR> d-------- c:\documents and settings\-Bajt\Application Data\TrojanHunter
2009-04-10 10:55 . 2009-04-10 10:55 <DIR> d--h----- c:\windows\PIF
2009-04-10 10:55 . 2009-04-10 11:55 <DIR> d-------- c:\program files\TrojanHunter 5.0
2009-04-10 10:17 . 2009-04-10 10:17 <DIR> d-------- c:\documents and settings\All Users\Application Data\TEMP
2009-04-10 10:16 . 2009-04-10 10:16 <DIR> d-------- c:\documents and settings\-Bajt\Application Data\Simply Super Software
2009-04-09 23:43 . 2009-04-09 23:43 <DIR> d-------- c:\documents and settings\-Bajt\Application Data\Malwarebytes
2009-04-09 23:13 . 2009-04-09 23:13 <DIR> d-------- c:\documents and settings\-Bajt\Application Data\Macromedia
2009-04-09 23:13 . 2009-04-10 19:00 <DIR> d-------- c:\documents and settings\-Bajt\Application Data\Adobe
2009-04-09 23:10 . 2009-04-09 23:10 <DIR> d-------- c:\documents and settings\-Bajt\Application Data\BSplayer PRO
2009-04-09 23:09 . 2009-04-09 23:09 <DIR> d-------- c:\documents and settings\-Bajt\Application Data\Ahead
2009-04-09 23:06 . 2009-04-09 23:06 <DIR> d-------- c:\documents and settings\-Bajt\Application Data\Opera

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-10 17:40 --------- d-----w c:\program files\Enigma Software Group
2009-04-10 16:59 --------- d-----w c:\documents and settings\All Users\Application Data\FLEXnet
2009-04-09 21:43 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-09 21:43 --------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-09 21:32 --------- d-----w c:\program files\Common Files\Adobe
2009-04-09 21:31 --------- d-----w c:\program files\Adobe Media Player
2009-04-09 21:30 --------- d-----w c:\program files\Common Files\Adobe AIR
2009-04-09 21:28 --------- d-----w c:\program files\Common Files\Macrovision Shared
2009-04-09 21:10 --------- d-----w c:\program files\Webteh
2009-04-09 21:10 --------- d-----w c:\program files\QuickTime
2009-04-09 21:10 --------- d-----w c:\program files\Apple Software Update
2009-04-09 21:10 --------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer
2009-04-09 21:10 --------- d-----w c:\documents and settings\All Users\Application Data\Apple
2009-04-09 21:09 --------- d-----w c:\program files\K-Lite Codec Pack
2009-04-09 21:09 --------- d-----w c:\program files\Common Files\Ahead
2009-04-09 21:08 --------- d-----w c:\program files\Nero
2009-04-09 21:06 --------- d-----w c:\program files\Opera
2009-04-09 21:05 --------- d-----w c:\program files\Winamp
2009-04-09 20:45 --------- d-----w c:\program files\Common Files\InstallShield
2009-04-09 20:35 --------- d-----w c:\program files\microsoft frontpage
2009-04-06 13:32 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 13:32 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
.

((((((((((((((((((((((((((((( SnapShot@2009-04-10_12.03.31.51 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-10-20 18:02:28 163,328 ----a-w c:\windows\ERDNT\subs\ERDNT.EXE
+ 2009-04-10 12:58:04 364,726 ----a-r c:\windows\Installer\{24D753CA-6AE9-4E30-8F5F-EFC93E08BF3D}\SkypeIcon.exe
+ 2004-08-03 21:08:48 26,496 ----a-w c:\windows\system32\drivers\USBSTOR.SYS
+ 2009-04-10 17:48:23 16,384 ----atw c:\windows\temp\Perflib_Perfdata_538.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\lib\NMBgMonitor.exe" [2005-10-28 94208]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-02-04 23975720]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-06-01 7618560]
"SW20"="c:\windows\system32\sw20.exe" [2009-01-02 389120]
"SW24"="c:\windows\system32\sw24.exe" [2009-01-02 139264]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2006-06-21 35328]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 233472]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2007-06-29 364544]
"nwiz"="nwiz.exe" [2006-06-01 c:\windows\system32\nwiz.exe]
"NvMediaCenter"="NvMCTray.dll" [2006-06-01 c:\windows\system32\nvmctray.dll]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)
"DisableRegistryTools"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
"UacDisableNotify"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"UacDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\wscntfy.exe"=
"c:\\WINDOWS\\system32\\nwiz.exe"=
"c:\\WINDOWS\\system32\\userinit.exe"=
"c:\\WINDOWS\\system32\\sw20.exe"=
"c:\\Program Files\\QuickTime\\QTTask.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
"c:\\Program Files\\Common Files\\Ahead\\lib\\NMBgMonitor.exe"=
"c:\\Program Files\\Winamp\\winampa.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

S3 ATE_PROCMON;ATE_PROCMON;\??\c:\program files\Anti Trojan Elite\ATEPMon.sys --> c:\program files\Anti Trojan Elite\ATEPMon.sys [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - ABP470N5
.
Contents of the 'Scheduled Tasks' folder

2009-04-10 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-06-03 13:42]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = hxxp://www.enigmasoftware.a013.com/congratulation_spyhunter_scanner.php
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-10 19:48:24
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\rundll32.exe
c:\windows\system32\nvsvc32.exe
.
**************************************************************************
.
Completion time: 2009-04-10 19:49:39 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-10 17:49:37
ComboFix2.txt 2009-04-10 17:29:42
ComboFix3.txt 2009-04-10 16:36:37
ComboFix4.txt 2009-04-10 16:00:05
ComboFix5.txt 2009-04-10 17:46:42

Pre-Run: 39,533,035,520 bytes free
Post-Run: 39,500,132,352 bytes free

159



_____________________

Evo sad instaliram AVAST

Instaliraj Avast. Imas ovde detaljno upustvo sa slikama kroz instalaciju:

http://www.bleepingcomputer.com/tutorials/tutorial104.html

Samo pogledaj deo upustva za instalaciju, ostalo ti nije bitno. Posle instalacije, pristani da program restartuje racunar. Posle restartovanja pusti kompletno skeniranje racunara i postavimi izvestaj kad se to zavrsi.