
Kaspersky Internet Security 7 and Kingston USB conflict?


tordajav


Kaspersky Internet Security 7 and Kingston USB conflict? 16.04.2009 at 22:41
Greetings everyone,
I have a problem with a USB flash drive (Kingston 2GB): when it is formatted and empty, KIS7 leaves it alone and does not detect any viruses, but after the USB drive has been used for a while (with nothing but music on it), KIS7 reports several viruses as soon as it is plugged into the computer (if they are viruses... though it always reports the same thing).
KIS7 reports some "auto.exe" files, which it says are

Trojan program Trojan-Downloader.Win32.Agent.fso File: H:\auto.exe//PE_Patch//UPack

To me it looks like it is just a classic autorun, the kind that also shows up when the most ordinary CD is inserted.
...can anyone explain to me what this is and how to solve it? KIS7 supposedly stops the virus and deletes it, but I cannot open the USB drive through My Computer; I have to right-click and choose Explore.

Thanks in advance, Vlada
Noli turbare circulos meos!
 
Nemanja Živanović

Re: Kaspersky Internet Security 7 and Kingston USB conflict? 16.04.2009 at 22:42
Hello Vladimir. To start, download the program HijackThis.

Once you have downloaded it, rename the file to anything, e.g. blabla.exe. Run it and click "Do a system scan and save a logfile". Copy that log file here so we can take a look.

Note: If the instructions are not entirely clear, take a look at this link.
 
tordajav

Re: Kaspersky Internet Security 7 and Kingston USB conflict? 16.04.2009 at 22:52
Here it is:

Logfile of HijackThis v1.99.1
Scan saved at 23:47:51, on 16.4.2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\System32\alg.exe
D:\Instal\Staro\HiJackThis\HijackThis 1.99.0.1\HJThis chorbay.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.live.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: (no name) - - (no file)
O2 - BHO: Adobe PDF Link Helper - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O3 - Toolbar: TextAloud - {F053C368-5458-45B2-9B4D-D8914BDDDBFF} - C:\PROGRA~1\TEXTAL~1\TAForIE.dll
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [IE Privacy Keeper] "C:\Program Files\UnH Solutions\IE Privacy Keeper\IEPrivacyKeeper.exe" -startup
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\ie_banner_deny.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Translate with &Babylon - res://C:\Program Files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/Translate.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe" -r (file missing)
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

Noli turbare circulos meos!
 
Nemanja Živanović

Re: Kaspersky Internet Security 7 and Kingston USB conflict? 16.04.2009 at 22:56
Temporarily turn off Kaspersky:

• Right-click the Kaspersky icon in the lower right corner of the screen and choose Pause Protection.
• In the window that opens, choose By User Request.

Download ComboFix to the Desktop. Start it and do not touch the program window while it is scanning. Follow the instructions the program gives you. When the scan finishes, a report will appear, which you will copy here. If you accidentally close the report, it is located at C:\ComboFix.txt.

Note: If the instructions are not entirely clear, take a look at this link.
 
Dashkes

Re: Kaspersky Internet Security 7 and Kingston USB conflict? 16.04.2009 at 22:57
Try formatting the USB drive. Can you access the hard disk normally?
 
tordajav

Re: Kaspersky Internet Security 7 and Kingston USB conflict? 16.04.2009 at 23:14
Quote:
Dashkes: Try formatting the USB drive. Can you access the hard disk normally?


When I format the USB drive, at the start of use (the first few times the USB drive is connected to the computer) there are no problems; autorun works normally, KIS7 reports nothing, and I can open it through My Computer.
I can open the hard disk partitions quite normally even when these problems with the USB drive are present.

[This message was edited by Nemanja Živanović on 17.04.2009 at 10:21 GMT+1]
Noli turbare circulos meos!
 
Dashkes

Re: Kaspersky Internet Security 7 and Kingston USB conflict? 16.04.2009 at 23:33
Quote:
tordajav: When I format the USB drive, at the start of use (the first few times the USB drive is connected to the computer) there are no problems; autorun works normally, KIS7 reports nothing, and I can open it through My Computer.
I can open the hard disk partitions quite normally even when these problems with the USB drive are present.


You are surely using the USB drive to transfer data from an infected computer to yours. There is no conflict between Kaspersky and the USB drive; rather, the USB drive gets infected when it is connected to another computer.
 
tordajav

Re: Kaspersky Internet Security 7 and Kingston USB conflict? 17.04.2009 at 00:03
ComboFix 09-04-17.01 - Vlada 17.04.2009 0:21.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.512.305 [GMT 2:00]
Running from: c:\documents and settings\Vlada\Desktop\ComboFix.exe
AV: Kaspersky Internet Security *On-access scanning disabled* (Updated)
FW: Kaspersky Internet Security *disabled*
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\windows\98613.exe
c:\windows\system32\_000122_.tmp.dll
c:\windows\system32\cccdd.ini2
c:\windows\system32\drivers\npf.sys
c:\windows\system32\hjllm.ini
c:\windows\system32\hjllm.ini2
c:\windows\system32\Packet.dll
c:\windows\system32\rqtss.ini2
c:\windows\system32\rtvwa.ini2
c:\windows\system32\tmp.reg
c:\windows\system32\wpcap.dll
c:\windows\system32\xybeg.ini
c:\windows\system32\xybeg.ini2

----- BITS: Possible infected sites -----

hxxp://freefile.kristopherw.us
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_NPF


((((((((((((((((((((((((( Files Created from 2009-03-16 to 2009-04-16 )))))))))))))))))))))))))))))))
.

2009-04-15 13:16 . 2009-04-15 13:16 -------- d-----w c:\documents and settings\Vlada\Local Settings\Application Data\Google
2009-04-15 13:07 . 2009-04-15 13:07 -------- d-----w c:\program files\Google
2009-04-12 17:31 . 2009-04-15 14:45 -------- d-----w c:\documents and settings\Vlada\Application Data\skypePM
2009-04-12 17:29 . 2009-04-15 16:57 -------- d-----w c:\documents and settings\Vlada\Application Data\Skype
2009-04-12 17:29 . 2009-04-12 17:29 -------- d-----r c:\program files\Skype
2009-04-12 17:28 . 2009-04-12 17:29 -------- d-----w c:\documents and settings\All Users\Application Data\Skype
2009-04-02 14:56 . 2009-04-02 14:57 -------- d-----w c:\program files\AllMyMovies
2009-03-26 00:45 . 2009-03-26 00:45 -------- d-----w c:\documents and settings\Vlada\Application Data\Media Player Classic
2009-03-26 00:24 . 2009-03-26 00:24 50088 ----a-w c:\documents and settings\Vlada\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-03-25 19:27 . 2009-03-26 00:19 -------- d-----w c:\program files\FlashGet
2009-03-23 20:47 . 2009-03-23 20:47 -------- d-----w c:\windows\Applian FLV Player
2009-03-19 21:32 . 2009-03-21 01:15 -------- d-----w c:\documents and settings\Vlada\Application Data\Thinstall
2009-03-19 21:32 . 2009-03-19 21:32 -------- d-----w c:\documents and settings\Vlada\Local Settings\Application Data\Thinstall

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-16 22:50 . 2008-11-20 00:05 28408608 --sha-w c:\windows\system32\drivers\fidbox.dat
2009-04-16 22:49 . 2008-11-20 00:05 1183520 --sha-w c:\windows\system32\drivers\fidbox2.dat
2009-04-16 22:47 . 2008-11-20 00:05 386672 --sha-w c:\windows\system32\drivers\fidbox.idx
2009-04-16 22:47 . 2008-11-20 00:05 116132 --sha-w c:\windows\system32\drivers\fidbox2.idx
2009-04-16 16:07 . 2008-11-20 00:05 -------- d-----w c:\documents and settings\All Users\Application Data\Kaspersky Lab
2009-04-16 10:23 . 2009-04-12 11:00 1582 ----a-w C:\hpfr3740.log
2009-04-16 07:59 . 2007-10-25 18:52 -------- d-----w c:\program files\TextAloud
2009-04-15 05:08 . 2007-10-11 20:37 -------- d-----w c:\documents and settings\Vlada\Application Data\uTorrent
2009-04-14 22:14 . 2007-12-01 01:42 -------- d-----w c:\documents and settings\All Users\Application Data\Babylon
2009-04-13 00:01 . 2007-10-08 20:41 -------- d-----w c:\program files\Winamp
2009-04-12 17:57 . 2007-10-08 21:25 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-04-09 23:19 . 2009-02-10 23:44 -------- d-----w c:\documents and settings\Vlada\Application Data\LimeWire
2009-04-09 10:46 . 2007-11-17 11:53 -------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-03-31 19:09 . 2004-07-17 09:36 163644 ----a-w c:\windows\system32\drivers\secdrv.sys
2009-03-19 22:01 . 2008-07-21 13:08 -------- d-----w c:\program files\Common Files\Adobe
2009-03-11 18:13 . 2009-03-11 18:13 -------- d-----w c:\program files\LizardTech
2009-03-11 18:13 . 2007-10-08 19:40 -------- d--h--w c:\program files\InstallShield Installation Information
2009-03-11 12:39 . 2007-10-08 21:24 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-03-02 13:15 . 2009-03-02 13:15 -------- d-----w c:\documents and settings\Vlada\Application Data\Apple Computer
2009-03-02 13:11 . 2009-03-02 13:10 -------- d-----w c:\program files\QuickTime
2009-03-02 13:10 . 2009-03-02 13:10 -------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer
2009-03-02 13:10 . 2009-03-02 13:10 -------- d-----w c:\program files\Apple Software Update
2009-03-02 13:10 . 2009-03-02 13:10 -------- d-----w c:\documents and settings\All Users\Application Data\Apple
2009-02-28 16:57 . 2009-02-28 16:57 -------- d-----w c:\program files\PowerISO
2009-02-26 00:02 . 2009-02-26 00:02 47360 ----a-w c:\windows\system32\drivers\pcouffin.sys
2009-02-17 23:22 . 2007-10-08 20:36 -------- d-----w c:\program files\CCleaner
2009-02-16 01:02 . 2008-07-23 01:32 -------- d-----w c:\program files\Your Uninstaller 2008
2009-01-25 21:10 . 2009-01-25 21:10 179200 ----a-w c:\windows\system32\xvidvfw.dll
2006-07-30 22:20 . 2008-08-20 15:02 959 --sha-r c:\windows\system32\autorun.bin
2007-11-17 11:58 . 2007-11-13 23:22 44026 --sha-w c:\windows\system32\hjllm.ini.ren
2007-11-17 11:58 . 2007-11-13 23:22 44026 --sha-w c:\windows\system32\hjllm.ini2.ren
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]
"IE Privacy Keeper"="c:\program files\UnH Solutions\IE Privacy Keeper\IEPrivacyKeeper.exe" [2005-12-03 1015808]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe" [2008-02-08 227856]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.ACDV"= ACDV.dll
"msacm.divxa32"= msaud32_divx.acm

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0autocheck lsdelete\0autocheck lsdelete\0autocheck lsdelete\0autocheck lsdelete\0autocheck OODBS

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Neobee Speeedy Internet Accelerator.lnk]

[HKLM\~\startupfolder\C:^Documents and Settings^Vlada^Start Menu^Programs^Startup^LimeWire Turbo Accelerator.lnk]
backup=c:\windows\pss\LimeWire Turbo Accelerator.lnkStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVP
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ChrisTV Agent
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes' Anti-Malware
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSFox
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Nitro PDF Printer Monitor
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PcSync
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SDTray
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrojanScanner

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-02-27 16:10 35696 ----a-w c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]
2006-01-02 14:41 45056 ----a-w c:\program files\ATI Technologies\ATI.ACE\CLI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Babylon Client]
2008-08-16 01:49 3551456 ----a-w c:\program files\Babylon\Babylon-Pro\Babylon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
2003-12-22 06:38 241664 ----a-w c:\program files\HP\hpcoretech\hpcmpmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
2004-03-04 15:46 172032 ----a-w c:\windows\system32\spool\drivers\w32x86\3\hpztsb10.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2006-01-12 14:40 155648 ----a-w c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
2008-11-02 08:38 167936 ----a-w c:\program files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-01-05 15:18 413696 ----a-w c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 15:07 2260480 --sha-r c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2008-06-10 02:27 144784 ----a-w c:\program files\Java\jre1.6.0_07\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent]
2004-08-03 23:56 110592 ----a-w c:\windows\system32\bthprops.cpl

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\IncrediMail\\bin\\IncMail.exe"=
"c:\\Program Files\\IncrediMail\\bin\\IMApp.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\IncrediMail\\bin\\ImpCnt.exe"=
"c:\\Program Files\\IncrediMail\\bin\\ImLc.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R3 mpr_freader;MPR FileReader Driver; [x]
S3 Cap713x;Cap713x Video Capture;c:\windows\system32\DRIVERS\Cap713x.sys [2004-10-14 751104]
S3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\DRIVERS\klim5.sys [2007-12-13 24592]

.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-BM77702592 - c:\windows\system32\yjsyeddj.dll
MSConfigStartUp-Microsoft Windows Sound - svuhost.exe


.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Translate with &Babylon - c:\program files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/Translate.htm
FF - ProfilePath - c:\documents and settings\Vlada\Application Data\Mozilla\Firefox\Profiles\d12q1ntd.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.live.com/results.aspx?FORM=IEFM1&q=
FF - prefs.js: browser.search.selectedEngine - Live Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://search.live.com/results.aspx?FORM=IEFM1&q=
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdjvu.dll
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-17 00:50
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-507921405-117609710-839522115-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{5CFCCDBE-3FE4-2D00-35CD-007A38E65D6A}\MiscStatus]
@Denied: (2) (Everyone)

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\System*]
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(896)
c:\program files\Kaspersky Lab\Kaspersky Internet Security 7.0\miscr3.dll
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\klogon.dll

- - - - - - - > 'lsass.exe'(952)
c:\program files\Kaspersky Lab\Kaspersky Internet Security 7.0\dnsq.dll
c:\program files\Kaspersky Lab\Kaspersky Internet Security 7.0\miscr3.dll
c:\program files\Kaspersky Lab\Kaspersky Internet Security 7.0\fssync.dll

- - - - - - - > 'explorer.exe'(2624)
c:\program files\Kaspersky Lab\Kaspersky Internet Security 7.0\miscr3.dll
c:\program files\Kaspersky Lab\Kaspersky Internet Security 7.0\fssync.dll
c:\windows\system32\msi.dll
c:\program files\Kaspersky Lab\Kaspersky Internet Security 7.0\scrchpg.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Diskeeper Corporation\Diskeeper\DkService.exe
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-04-16 0:56 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-16 22:56

Pre-Run: 2.827.309.056 bytes free
Post-Run: 2.747.756.544 bytes free

Current=2 Default=2 Failed=0 LastKnownGood=4 Sets=1,2,3,4
230

Noli turbare circulos meos!
 
Nemanja Živanović

Re: Kaspersky Internet Security 7 and Kingston USB conflict? 17.04.2009 at 09:42
What is the situation now?
 
tordajav

Re: Kaspersky Internet Security 7 and Kingston USB conflict? 17.04.2009 at 11:56
My computer runs a shade faster, which is great! But I cannot open the USB drive by double-clicking it in My Computer. Now on double-click it even asks me "Open with" (which program I want to use to open that file, i.e. the USB drive)??? When scanning the USB drive, KIS7 finds no viruses. The USB icon is no longer like a hard disk partition, as before, but is now a yellow folder, like My Documents.
... could it be that KIS7 has made itself some "rule" for the USB drive, since it registered it as infected several times?!
Uhhh... no use, I will save a few things from the USB drive and format it, and then see how it behaves.
Noli turbare circulos meos!
 
Dashkes

Re: Kaspersky Internet Security 7 and Kingston USB conflict? 17.04.2009 at 12:03
Quote:
Dashkes: You are surely using the USB drive to transfer data from an infected computer to yours. There is no conflict between Kaspersky and the USB drive; rather, the USB drive gets infected when it is connected to another computer.


Did you see my reply? Do you use that USB drive on any other computer? If the answer is "yes", then that means the other computer is infected and the problem is not on your side. It is a virus that spreads via USB, and when the infected USB drive is opened the virus is activated as well. Once the virus is deleted, double-clicking the USB drive cannot launch the virus (because it has been deleted), and that is why it shows "Open with". Everything I have written here is very rough and greatly simplified, so I hope you will not hold it against me.

[This message was edited by Dashkes on 17.04.2009 at 13:37 GMT+1]
 
tordajav

Re: Kaspersky Internet Security 7 and Kingston USB conflict? 17.04.2009 at 12:14
Quote:
Dashkes: Did you see my reply? Do you use that USB drive on any other computer? If the answer is "yes", then that means the other computer is infected and the problem is not on your side. It is a virus that spreads via USB, and when the infected USB drive is opened the virus is activated as well. Once the virus is deleted, double-clicking the USB drive cannot launch the virus (because it has been deleted), and that is why it shows "Open with". Everything I have written here is very rough and greatly simplified, so I hope you will not hold it against me.


That is most likely it! The virus was picked up somewhere... I used the USB drive on the computer in the café where I worked, for listening to music. I formatted the USB drive and for now it works normally.
...I am interested in whether the virus's central headquarters is on the computer or on the USB drive itself? That is, have I now solved the problem by formatting the USB drive, or will it happen again because the USB drive will get reinfected from the computer?
Noli turbare circulos meos!
 
Dashkes

Re: Kaspersky Internet Security 7 and Kingston USB conflict? 17.04.2009 at 12:35
The "central headquarters of the virus" is surely on the computer in the café. As soon as you plug the USB drive into the infected computer again, the USB drive will get infected.
You can try Panda USB Vaccine.
The USB drive will still get infected, so you must scan it every time you come home, but I hope you will not have to format it.
http://www.pandasecurity.com/homeusers/downloads/usbvaccine/
 
valjan
Janko Valencik
Software Deployer
Schneider Electric
Novi Sad

Moderator

Re: Kaspersky Internet Security 7 and Kingston USB conflict? 17.04.2009 at 13:38
The Autorun.inf file on the USB drive is to blame for that "Open With" and for the contents not being displayed. It is enough to delete it and the USB drive will work again without problems (until the next infection). To permanently disable the execution of Autorun.inf files, you need to do what we wrote in the following topic:

http://www.elitesecurity.org/p2249439
http://www.elitesecurity.org/p2249633
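
An added example, not part of the original post or of any tool named in this thread: a small Python check that reads a drive's autorun.inf and reports each command entry whose target file is still on the drive or already gone, the second case being the leftover state described above once the antivirus has deleted the executable. The sample autorun.inf text and the file listings are constructed; only the file name auto.exe comes from the thread.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample of an autorun.inf left behind on a removable drive.
SAMPLE_AUTORUN = r"""
; constructed sample, not taken from the thread
[autorun]
open=auto.exe
shell\open\command="auto.exe"
label=KINGSTON
"""

# [autorun] keys whose value is a command line that Explorer may run.
COMMAND_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\]+\\command)$")


def parse_autorun(text):
    """Return {key: value} from the [autorun] section (keys lower-cased)."""
    entries, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries


def command_target(value):
    """Extract the program path from a command line, honouring quotes."""
    value = value.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end != -1 else value[1:]
    # Unquoted: the first whitespace-separated token is taken as the program.
    return value.split()[0] if value else ""


def drive_relative(path):
    """Normalise a Windows path to a lower-case path relative to the drive root."""
    p = PureWindowsPath(path)
    parts = p.parts[1:] if p.anchor else p.parts
    return "\\".join(parts).lower()


def audit(autorun_text, files_on_drive):
    """Return [(key, target, status)] for every command entry.

    status is "present" when the referenced file is still on the drive
    (it should be scanned) and "missing" when only the autorun.inf entry
    is left, which is when a double-click ends in "Open with".
    """
    present = {drive_relative(f) for f in files_on_drive}
    findings = []
    for key, value in parse_autorun(autorun_text).items():
        if not COMMAND_KEY.match(key):
            continue  # label=, icon= and similar keys do not run anything
        target = command_target(value)
        status = "present" if drive_relative(target) in present else "missing"
        findings.append((key, target, status))
    return findings


if __name__ == "__main__":
    # Constructed listing: the drive after the antivirus removed auto.exe.
    cleaned_drive = ["autorun.inf", "Music\\track01.mp3"]
    for key, target, status in audit(SAMPLE_AUTORUN, cleaned_drive):
        print(f"{key} -> {target}: {status}")
```

Any "missing" finding means autorun.inf itself is the remaining problem and can be deleted; any "present" finding means the referenced file is still on the drive and should be scanned before the drive is opened.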
 
tordajav

Re: Kaspersky Internet Security 7 and Kingston USB conflict? 17.04.2009 at 14:24
Many thanks to everyone! Regards
Noli turbare circulos meos!
 
Nemanja Živanović

Re: Kaspersky Internet Security 7 and Kingston USB conflict? 17.04.2009 at 15:44
I am glad we solved the problem. Now it is time to uninstall ComboFix. Temporarily turn off Kaspersky, then:

Open Start > Run and type combofix /u

The program will uninstall itself automatically. Do not forget to turn all protection back on, since you turned it off for this program to run.
 
tordajav

Re: Kaspersky Internet Security 7 and Kingston USB conflict? 18.04.2009 at 00:30
Thanks, I forgot to uninstall ComboFix...
I also found Panda USB Vaccine 1.0.0.19, so I will see how the USB drive behaves in the future!
Regards, good people!
Noli turbare circulos meos!
 