Task Manager i Registry Editor disabled + W32/Sality.AA

10.04.2009 at 10:47
Well, I'm in trouble! Since yesterday the computer has started acting up, full of viruses... Since Malwarebytes found over 30 of them and so on, I decided to format it, which I did. This morning I start the computer, and viruses again. Namely, it won't open Task Manager or Registry Editor... (Regedit has been disabled by your administrator). I followed all kinds of instructions from Google, downloaded those .reg files, nothing helps. It enables it once and afterwards it's the same again! I downloaded some anti-malware programs, and they found some trojans. I deleted all of that, but the problem with this remains.
What do you recommend? Should I do the same as in the procedure above, as described in the post, and leave my LOGS too?

Regards, and please help!!!!

Re: Task Manager i Registry Editor disabled + W32/Sality.AA
10.04.2009 at 10:50
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:48:51 AM, on 4/10/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\Program Files\Winamp\winampa.exe
C:\Program Files\TrojanHunter 5.0\THGuard.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\Opera\opera.exe
C:\Documents and Settings\-Bajt\Desktop\blabla.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.enigmasoftware.a013...tulation_spyhunter_scanner.php
O1 - Hosts:
O1 - Hosts:
O1 - Hosts:
O1 - Hosts:
O1 - Hosts:
O1 - Hosts:
O1 - Hosts:
O1 - Hosts:
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SW20] C:\WINDOWS\system32\sw20.exe
O4 - HKLM\..\Run: [SW24] C:\WINDOWS\system32\sw24.exe
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Anti Trojan Elite] C:\Program Files\Anti Trojan Elite\TJEnder.exe :NO
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 5.0\THGuard.exe"
O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

End of file - 3070 bytes
Re: Task Manager i Registry Editor disabled + W32/Sality.AA
10.04.2009 at 11:07
And this is from ComboFix:

ComboFix 09-04-04.01 - -Bajt 2009-04-10 12:02:35.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3071.2511 [GMT 2:00]
Running from: c:\documents and settings\-Bajt\Desktop\ComboFix.exe
* Created a new restore point

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


((((((((((((((((((((((((( Files Created from 2009-03-10 to 2009-04-10 )))))))))))))))))))))))))))))))

2009-04-10 11:36 . 2009-04-10 11:36 <DIR> d-------- c:\documents and settings\-Bajt\Application Data\TrojanHunter
2009-04-10 10:55 . 2009-04-10 10:55 <DIR> d--h----- c:\windows\PIF
2009-04-10 10:55 . 2009-04-10 11:55 <DIR> d-------- c:\program files\TrojanHunter 5.0
2009-04-10 10:33 . 2009-04-10 10:52 <DIR> d-------- c:\program files\Anti Trojan Elite
2009-04-10 10:17 . 2009-04-10 10:17 <DIR> d-------- c:\documents and settings\All Users\Application Data\TEMP
2009-04-10 10:16 . 2009-04-10 10:16 <DIR> d-------- c:\documents and settings\-Bajt\Application Data\Simply Super Software
2009-04-10 09:19 . 2009-04-09 22:52 110,321 --a------ c:\windows\system32\olhrwef.exe.vir
2009-04-09 23:43 . 2009-04-09 23:43 <DIR> d-------- c:\documents and settings\-Bajt\Application Data\Malwarebytes
2009-04-09 23:13 . 2009-04-09 23:13 <DIR> d-------- c:\documents and settings\-Bajt\Application Data\Macromedia
2009-04-09 23:13 . 2009-04-09 23:36 <DIR> d-------- c:\documents and settings\-Bajt\Application Data\Adobe
2009-04-09 23:10 . 2009-04-09 23:10 <DIR> d-------- c:\documents and settings\-Bajt\Application Data\BSplayer PRO
2009-04-09 23:09 . 2009-04-09 23:09 <DIR> d-------- c:\documents and settings\-Bajt\Application Data\Ahead
2009-04-09 23:06 . 2009-04-09 23:06 <DIR> d-------- c:\documents and settings\-Bajt\Application Data\Opera

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2009-04-10 08:17 55 ----a-w C:\autorun.inf.vir
2009-04-10 07:19 --------- d-----w c:\program files\Enigma Software Group
2009-04-09 21:43 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-09 21:43 --------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-09 21:35 --------- d-----w c:\documents and settings\All Users\Application Data\FLEXnet
2009-04-09 21:32 --------- d-----w c:\program files\Common Files\Adobe
2009-04-09 21:31 --------- d-----w c:\program files\Adobe Media Player
2009-04-09 21:30 --------- d-----w c:\program files\Common Files\Adobe AIR
2009-04-09 21:28 --------- d-----w c:\program files\Common Files\Macrovision Shared
2009-04-09 21:10 --------- d-----w c:\program files\Webteh
2009-04-09 21:10 --------- d-----w c:\program files\QuickTime
2009-04-09 21:10 --------- d-----w c:\program files\Apple Software Update
2009-04-09 21:10 --------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer
2009-04-09 21:10 --------- d-----w c:\documents and settings\All Users\Application Data\Apple
2009-04-09 21:09 --------- d-----w c:\program files\K-Lite Codec Pack
2009-04-09 21:09 --------- d-----w c:\program files\Common Files\Ahead
2009-04-09 21:08 --------- d-----w c:\program files\Nero
2009-04-09 21:06 --------- d-----w c:\program files\Opera
2009-04-09 21:05 --------- d-----w c:\program files\Winamp
2009-04-09 20:52 110,321 --sh--r C:\1ogf.exe
2009-04-09 20:45 --------- d-----w c:\program files\Common Files\InstallShield
2009-04-09 20:35 --------- d-----w c:\program files\microsoft frontpage
2009-04-06 13:32 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 13:32 15,504 ----a-w c:\windows\system32\drivers\mbam.sys

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown

"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\lib\NMBgMonitor.exe" [2005-10-28 94208]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-06-01 7618560]
"SW20"="c:\windows\system32\sw20.exe" [2009-01-02 389120]
"SW24"="c:\windows\system32\sw24.exe" [2009-01-02 139264]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2006-06-21 35328]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 233472]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2007-06-29 364544]
"nwiz"="nwiz.exe" [2006-06-01 c:\windows\system32\nwiz.exe]
"NvMediaCenter"="NvMCTray.dll" [2006-06-01 c:\windows\system32\nvmctray.dll]

"DisableTaskMgr"= 1 (0x1)
"DisableRegistryTools"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]

"EnableFirewall"= 0 (0x0)

"c:\\Program Files\\QuickTime\\QTTask.exe"=
"c:\\Program Files\\Enigma Software Group\\SpyHunter\\SpyHunter3.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
"c:\\Program Files\\Common Files\\Ahead\\lib\\NMBgMonitor.exe"=

R3 abp470n5;abp470n5;\??\c:\windows\system32\drivers\qkhjpn.sys --> c:\windows\system32\drivers\qkhjpn.sys [?]
S3 ATE_PROCMON;ATE_PROCMON;\??\c:\program files\Anti Trojan Elite\ATEPMon.sys --> c:\program files\Anti Trojan Elite\ATEPMon.sys [?]

\Shell\AutoRun\command - M:\setup.exe
Contents of the 'Scheduled Tasks' folder

2009-04-09 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-06-03 13:42]
- - - - ORPHANS REMOVED - - - -

HKLM-Run-Anti Trojan Elite - c:\program files\Anti Trojan Elite\TJEnder.exe

------- Supplementary Scan -------
uStart Page = hxxp://
uInternet Connection Wizard,ShellNext = hxxp://


catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
Rootkit scan 2009-04-10 12:03:18
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

Completion time: 2009-04-10 12:04:02
ComboFix-quarantined-files.txt 2009-04-10 10:04:00

Pre-Run: 40,498,290,688 bytes free
Post-Run: 40,809,775,104 bytes free

[boot loader]
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

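An added triage script for the kind of ComboFix and HijackThis output posted in this thread (example code written for this page, not a tool the helpers used). It pattern-matches the line formats visible above: policy values flipped to a locked-down or unprotected state (DisableTaskMgr, DisableRegistryTools, DisableRegedit, EnableFirewall), a hidden+system executable sitting in the drive root (C:\1ogf.exe), .vir files that ComboFix has already quarantined, MountPoints2 shell verbs pointing at an executable on a removable drive (N:\wjtexs.exe), drivers whose image ComboFix could not read ([?]), and executables of identical size under different names (olhrwef.exe.vir and 1ogf.exe are both 110,321 bytes). The sample log is constructed from lines on this page; the finding categories and heuristics are the example's own assumptions.

```python
"""Triage ComboFix / HijackThis text logs for the indicators seen in this thread.

Example code for this page, not a tool used by the thread's participants.
"""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    category: str   # example's own labels: policy, autorun, driver-unreadable, quarantined, hidden-exe, same-size
    line: str
    note: str


# Registry values that should not read like this on a healthy home PC (value as printed by ComboFix/HJT).
BAD_POLICY_VALUES = {
    "DisableTaskMgr": "1",
    "DisableRegistryTools": "1",
    "DisableRegedit": "1",
    "EnableFirewall": "0",
}

POLICY_RE = re.compile(r'^"(\w+)"\s*=\s*(\d+)')                       # "DisableTaskMgr"= 1 (0x1)
HJT_O7_RE = re.compile(r'^O7 - .*\\Policies\\System, (\w+)=(\d+)')   # O7 - HKCU\...\Policies\System, DisableRegedit=1
MOUNTPOINT_RE = re.compile(r'^\\Shell\\(\w+)\\command - ([A-Za-z]:\\.+)$', re.IGNORECASE)  # \Shell\AutoRun\command - N:\x.exe
DRIVER_RE = re.compile(r'^[RS]\d\s+([^;]+);[^;]*;.+?-->\s+(.+?)\s+\[\?\]$')  # R3 name;name;\??\path --> path [?]
# Find3M / Files Created lines: date [. date] [size] attrs path  (size optional, attrs 7 or 9 chars)
FILE_RE = re.compile(r'^\d{4}-\d{2}-\d{2} .*?(?:(\d[\d,]*)\s+)?([-a-z]{7,9})\s+([A-Za-z]:\\\S.*)$')


def triage(log_text: str) -> list[Finding]:
    findings: list[Finding] = []
    sizes: dict[int, list[str]] = defaultdict(list)  # exe size -> paths, to spot one dropper under several names

    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue

        m = POLICY_RE.match(line) or HJT_O7_RE.match(line)
        if m:
            name, value = m.group(1), m.group(2)
            if BAD_POLICY_VALUES.get(name) == value:
                findings.append(Finding("policy", line, f"{name}={value}; resetting it only sticks once the process re-applying it is gone"))
            continue

        m = MOUNTPOINT_RE.match(line)
        if m:
            findings.append(Finding("autorun", line, f"MountPoints2 '{m.group(1)}' verb launches {m.group(2)}; the removable drive itself is infected"))
            continue

        m = DRIVER_RE.match(line)
        if m:
            name, image = m.group(1), m.group(2)
            where = ("under Program Files; check it against the installed product"
                     if "\\program files\\" in image.lower()
                     else "in system32\\drivers with a service name unrelated to any product; treat as suspect")
            findings.append(Finding("driver-unreadable", line, f"service {name}: image {image} unreadable, {where}"))
            continue

        m = FILE_RE.match(line)
        if m:
            size, attrs, path = m.groups()
            if attrs.startswith("d"):          # directory entry, nothing to flag
                continue
            lower = path.lower()
            stem = lower[:-4] if lower.endswith(".vir") else lower
            if stem.endswith(".exe") and size:
                sizes[int(size.replace(",", ""))].append(path)
            if lower.endswith(".vir"):
                findings.append(Finding("quarantined", line, "already renamed .vir by ComboFix; nothing left to do for this file"))
            elif "s" in attrs and "h" in attrs and lower.endswith(".exe"):
                findings.append(Finding("hidden-exe", line, "system+hidden executable outside Program Files; typical autorun dropper placement"))

    for size, paths in sizes.items():
        if len(paths) > 1:
            findings.append(Finding("same-size", "; ".join(paths),
                                    f"{len(paths)} executables share size {size:,} bytes: likely the same dropper under different names"))
    return findings


# Constructed sample: lines copied from the ComboFix and HijackThis output posted in this thread.
SAMPLE_LOG = r"""
"DisableTaskMgr"= 1 (0x1)
"DisableRegistryTools"= 1 (0x1)
"EnableFirewall"= 0 (0x0)
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
2009-04-10 11:36 . 2009-04-10 11:36 <DIR> d-------- c:\documents and settings\-Bajt\Application Data\TrojanHunter
2009-04-10 09:19 . 2009-04-09 22:52 110,321 --a------ c:\windows\system32\olhrwef.exe.vir
2009-04-10 08:17 55 ----a-w C:\autorun.inf.vir
2009-04-09 20:52 110,321 --sh--r C:\1ogf.exe
2009-04-06 13:32 38,496 ----a-w c:\windows\system32\drivers\mbam.sys
R3 abp470n5;abp470n5;\??\c:\windows\system32\drivers\qkhjpn.sys --> c:\windows\system32\drivers\qkhjpn.sys [?]
S3 ATE_PROCMON;ATE_PROCMON;\??\c:\program files\Anti Trojan Elite\ATEPMon.sys --> c:\program files\Anti Trojan Elite\ATEPMon.sys [?]
\Shell\AutOPlAy\CommanD - N:\wjtexs.exe
\Shell\AutoRun\command - N:\wjtexs.exe
\Shell\expLore\COmMand - N:\wjtexs.exe
\Shell\OpEN\COmmand - N:\wjtexs.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.category}] {f.line}\n    {f.note}")
```

Two points the output makes that the raw logs do not: the hidden `C:\1ogf.exe` and the quarantined `olhrwef.exe.vir` are the same size, so the machine was re-seeded from an autorun.inf on a removable drive after the format rather than the format failing; and the policy values are a symptom, not the infection, which is why the poster saw regedit come back for one session only.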
Re: Task Manager i Registry Editor disabled + W32/Sality.AA
10.04.2009 at 16:18
Nemanja Živanović
Hi Djordje,
Of course you can too, I would just ask you NOT to run ComboFix on your own next time. I'll look at the log now and write what to do in the next message.
Re: Task Manager i Registry Editor disabled + W32/Sality.AA
10.04.2009 at 16:28
Nemanja Živanović
Disable all the protection you have again. Open Notepad and copy in the following text:





Save that file to the Desktop under the name CFScript

Drag the saved file onto the ComboFix icon as in the picture. Post the log that is produced at the end of the cleaning/scanning in your next message.

Re: Task Manager i Registry Editor disabled + W32/Sality.AA
10.04.2009 at 17:01
ComboFix 09-04-04.01 - -Bajt 2009-04-10 17:56:39.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3071.2585 [GMT 2:00]
Running from: c:\documents and settings\-Bajt\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\-Bajt\Desktop\CFScript.txt
* Created a new restore point


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


((((((((((((((((((((((((( Files Created from 2009-03-10 to 2009-04-10 )))))))))))))))))))))))))))))))

2009-04-10 14:59 . 2009-04-10 14:59 <DIR> d-------- c:\documents and settings\-Bajt\Application Data\Google
2009-04-10 14:58 . 2009-04-10 14:58 <DIR> dr------- c:\program files\Skype
2009-04-10 14:58 . 2009-04-10 15:01 <DIR> d-------- c:\program files\Google
2009-04-10 14:58 . 2009-04-10 14:58 <DIR> d-------- c:\program files\Common Files\Skype
2009-04-10 14:58 . 2009-04-10 16:04 <DIR> d-------- c:\documents and settings\-Bajt\Application Data\skypePM
2009-04-10 14:58 . 2009-04-10 17:54 <DIR> d-------- c:\documents and settings\-Bajt\Application Data\Skype
2009-04-10 14:58 . 2009-04-10 14:58 48 --ah----- c:\windows\system32\ezsidmv.dat
2009-04-10 14:57 . 2009-04-10 14:58 <DIR> d-------- c:\documents and settings\All Users\Application Data\Skype
2009-04-10 14:51 . 2004-08-03 23:08 26,496 --a--c--- c:\windows\system32\dllcache\usbstor.sys
2009-04-10 14:36 . 2009-04-10 14:36 69 --a------ c:\windows\NeroDigital.ini
2009-04-10 11:36 . 2009-04-10 11:36 <DIR> d-------- c:\documents and settings\-Bajt\Application Data\TrojanHunter
2009-04-10 10:55 . 2009-04-10 10:55 <DIR> d--h----- c:\windows\PIF
2009-04-10 10:55 . 2009-04-10 11:55 <DIR> d-------- c:\program files\TrojanHunter 5.0
2009-04-10 10:33 . 2009-04-10 10:52 <DIR> d-------- c:\program files\Anti Trojan Elite
2009-04-10 10:17 . 2009-04-10 10:17 <DIR> d-------- c:\documents and settings\All Users\Application Data\TEMP
2009-04-10 10:16 . 2009-04-10 10:16 <DIR> d-------- c:\documents and settings\-Bajt\Application Data\Simply Super Software
2009-04-09 23:43 . 2009-04-09 23:43 <DIR> d-------- c:\documents and settings\-Bajt\Application Data\Malwarebytes
2009-04-09 23:13 . 2009-04-09 23:13 <DIR> d-------- c:\documents and settings\-Bajt\Application Data\Macromedia
2009-04-09 23:13 . 2009-04-09 23:36 <DIR> d-------- c:\documents and settings\-Bajt\Application Data\Adobe
2009-04-09 23:10 . 2009-04-09 23:10 <DIR> d-------- c:\documents and settings\-Bajt\Application Data\BSplayer PRO
2009-04-09 23:09 . 2009-04-09 23:09 <DIR> d-------- c:\documents and settings\-Bajt\Application Data\Ahead
2009-04-09 23:06 . 2009-04-09 23:06 <DIR> d-------- c:\documents and settings\-Bajt\Application Data\Opera

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2009-04-10 07:19 --------- d-----w c:\program files\Enigma Software Group
2009-04-09 21:43 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-09 21:43 --------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-09 21:35 --------- d-----w c:\documents and settings\All Users\Application Data\FLEXnet
2009-04-09 21:32 --------- d-----w c:\program files\Common Files\Adobe
2009-04-09 21:31 --------- d-----w c:\program files\Adobe Media Player
2009-04-09 21:30 --------- d-----w c:\program files\Common Files\Adobe AIR
2009-04-09 21:28 --------- d-----w c:\program files\Common Files\Macrovision Shared
2009-04-09 21:10 --------- d-----w c:\program files\Webteh
2009-04-09 21:10 --------- d-----w c:\program files\QuickTime
2009-04-09 21:10 --------- d-----w c:\program files\Apple Software Update
2009-04-09 21:10 --------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer
2009-04-09 21:10 --------- d-----w c:\documents and settings\All Users\Application Data\Apple
2009-04-09 21:09 --------- d-----w c:\program files\K-Lite Codec Pack
2009-04-09 21:09 --------- d-----w c:\program files\Common Files\Ahead
2009-04-09 21:08 --------- d-----w c:\program files\Nero
2009-04-09 21:06 --------- d-----w c:\program files\Opera
2009-04-09 21:05 --------- d-----w c:\program files\Winamp
2009-04-09 20:45 --------- d-----w c:\program files\Common Files\InstallShield
2009-04-09 20:35 --------- d-----w c:\program files\microsoft frontpage
2009-04-06 13:32 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 13:32 15,504 ----a-w c:\windows\system32\drivers\mbam.sys

((((((((((((((((((((((((((((( SnapShot@2009-04-10_12.03.31.51 )))))))))))))))))))))))))))))))))))))))))
+ 2005-10-20 18:02:28 163,328 ----a-w c:\windows\ERDNT\subs\ERDNT.EXE
+ 2009-04-10 12:58:04 364,726 ----a-r c:\windows\Installer\{24D753CA-6AE9-4E30-8F5F-EFC93E08BF3D}\SkypeIcon.exe
+ 2004-08-03 21:08:48 26,496 ----a-w c:\windows\system32\drivers\USBSTOR.SYS
+ 2009-04-10 15:58:40 16,384 ----atw c:\windows\temp\Perflib_Perfdata_56c.dat
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown

"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\lib\NMBgMonitor.exe" [2005-10-28 94208]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-02-04 23975720]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-06-01 7618560]
"SW20"="c:\windows\system32\sw20.exe" [2009-01-02 389120]
"SW24"="c:\windows\system32\sw24.exe" [2009-01-02 139264]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2006-06-21 35328]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 233472]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2007-06-29 364544]
"nwiz"="nwiz.exe" [2006-06-01 c:\windows\system32\nwiz.exe]
"NvMediaCenter"="NvMCTray.dll" [2006-06-01 c:\windows\system32\nvmctray.dll]

"EnableLUA"= 0 (0x0)

"DisableTaskMgr"= 1 (0x1)
"DisableRegistryTools"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]

"EnableFirewall"= 0 (0x0)

"c:\\Program Files\\QuickTime\\QTTask.exe"=
"c:\\Program Files\\Enigma Software Group\\SpyHunter\\SpyHunter3.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
"c:\\Program Files\\Common Files\\Ahead\\lib\\NMBgMonitor.exe"=
"c:\\Program Files\\Winamp\\winampa.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

S3 ATE_PROCMON;ATE_PROCMON;\??\c:\program files\Anti Trojan Elite\ATEPMon.sys --> c:\program files\Anti Trojan Elite\ATEPMon.sys [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - ABP470N5

\Shell\AutOPlAy\CommanD - N:\wjtexs.exe
\Shell\AutoRun\command - N:\wjtexs.exe
\Shell\expLore\COmMand - N:\wjtexs.exe
\Shell\OpEN\COmmand - N:\wjtexs.exe
Contents of the 'Scheduled Tasks' folder

2009-04-09 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-06-03 13:42]
- - - - ORPHANS REMOVED - - - -

HKCU-Run-swg - c:\program files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

------- Supplementary Scan -------
uStart Page = hxxp://
uInternet Connection Wizard,ShellNext = hxxp://


catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
Rootkit scan 2009-04-10 17:58:41
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

------------------------ Other Running Processes ------------------------
Completion time: 2009-04-10 18:00:04 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-10 16:00:02
ComboFix2.txt 2009-04-10 10:04:03

Pre-Run: 40,166,346,752 bytes free
Post-Run: 40,059,277,312 bytes free

Re: Task Manager i Registry Editor disabled + W32/Sality.AA
10.04.2009 at 17:28
Nemanja Živanović
Did you plug in a flash drive between these two reports? If you did, it is infected. Don't plug it in until we are done; afterwards I'll give you instructions to clean it. Disable all the protection you have again. Open Notepad and copy in the following text:


"DisableTaskMgr"= 0
"DisableRegistryTools"= 0

Save that file to the Desktop under the name CFScript

Drag the saved file onto the ComboFix icon as in the picture. Post the log that is produced at the end of the cleaning/scanning in your next message.

Re: Task Manager i Registry Editor disabled + W32/Sality.AA
10.04.2009 at 17:37
ComboFix 09-04-04.01 - -Bajt 2009-04-10 18:35:22.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3071.2593 [GMT 2:00]
Running from: c:\documents and settings\-Bajt\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\-Bajt\Desktop\CFScript.txt
* Created a new restore point

((((((((((((((((((((((((( Files Created from 2009-03-10 to 2009-04-10 )))))))))))))))))))))))))))))))

2009-04-10 14:59 . 2009-04-10 14:59 <DIR> d-------- c:\documents and settings\-Bajt\Application Data\Google
2009-04-10 14:58 . 2009-04-10 14:58 <DIR> dr------- c:\program files\Skype
2009-04-10 14:58 . 2009-04-10 15:01 <DIR> d-------- c:\program files\Google
2009-04-10 14:58 . 2009-04-10 14:58 <DIR> d-------- c:\program files\Common Files\Skype
2009-04-10 14:58 . 2009-04-10 16:04 <DIR> d-------- c:\documents and settings\-Bajt\Application Data\skypePM
2009-04-10 14:58 . 2009-04-10 17:59 <DIR> d-------- c:\documents and settings\-Bajt\Application Data\Skype
2009-04-10 14:58 . 2009-04-10 14:58 48 --ah----- c:\windows\system32\ezsidmv.dat
2009-04-10 14:57 . 2009-04-10 14:58 <DIR> d-------- c:\documents and settings\All Users\Application Data\Skype
2009-04-10 14:51 . 2004-08-03 23:08 26,496 --a--c--- c:\windows\system32\dllcache\usbstor.sys
2009-04-10 14:36 . 2009-04-10 14:36 69 --a------ c:\windows\NeroDigital.ini
2009-04-10 11:36 . 2009-04-10 11:36 <DIR> d-------- c:\documents and settings\-Bajt\Application Data\TrojanHunter
2009-04-10 10:55 . 2009-04-10 10:55 <DIR> d--h----- c:\windows\PIF
2009-04-10 10:55 . 2009-04-10 11:55 <DIR> d-------- c:\program files\TrojanHunter 5.0
2009-04-10 10:33 . 2009-04-10 10:52 <DIR> d-------- c:\program files\Anti Trojan Elite
2009-04-10 10:17 . 2009-04-10 10:17 <DIR> d-------- c:\documents and settings\All Users\Application Data\TEMP
2009-04-10 10:16 . 2009-04-10 10:16 <DIR> d-------- c:\documents and settings\-Bajt\Application Data\Simply Super Software
2009-04-09 23:43 . 2009-04-09 23:43 <DIR> d-------- c:\documents and settings\-Bajt\Application Data\Malwarebytes
2009-04-09 23:13 . 2009-04-09 23:13 <DIR> d-------- c:\documents and settings\-Bajt\Application Data\Macromedia
2009-04-09 23:13 . 2009-04-09 23:36 <DIR> d-------- c:\documents and settings\-Bajt\Application Data\Adobe
2009-04-09 23:10 . 2009-04-09 23:10 <DIR> d-------- c:\documents and settings\-Bajt\Application Data\BSplayer PRO
2009-04-09 23:09 . 2009-04-09 23:09 <DIR> d-------- c:\documents and settings\-Bajt\Application Data\Ahead
2009-04-09 23:06 . 2009-04-09 23:06 <DIR> d-------- c:\documents and settings\-Bajt\Application Data\Opera

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2009-04-10 07:19 --------- d-----w c:\program files\Enigma Software Group
2009-04-09 21:43 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-09 21:43 --------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-09 21:35 --------- d-----w c:\documents and settings\All Users\Application Data\FLEXnet
2009-04-09 21:32 --------- d-----w c:\program files\Common Files\Adobe
2009-04-09 21:31 --------- d-----w c:\program files\Adobe Media Player
2009-04-09 21:30 --------- d-----w c:\program files\Common Files\Adobe AIR
2009-04-09 21:28 --------- d-----w c:\program files\Common Files\Macrovision Shared
2009-04-09 21:10 --------- d-----w c:\program files\Webteh
2009-04-09 21:10 --------- d-----w c:\program files\QuickTime
2009-04-09 21:10 --------- d-----w c:\program files\Apple Software Update
2009-04-09 21:10 --------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer
2009-04-09 21:10 --------- d-----w c:\documents and settings\All Users\Application Data\Apple
2009-04-09 21:09 --------- d-----w c:\program files\K-Lite Codec Pack
2009-04-09 21:09 --------- d-----w c:\program files\Common Files\Ahead
2009-04-09 21:08 --------- d-----w c:\program files\Nero
2009-04-09 21:06 --------- d-----w c:\program files\Opera
2009-04-09 21:05 --------- d-----w c:\program files\Winamp
2009-04-09 20:45 --------- d-----w c:\program files\Common Files\InstallShield
2009-04-09 20:35 --------- d-----w c:\program files\microsoft frontpage
2009-04-06 13:32 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 13:32 15,504 ----a-w c:\windows\system32\drivers\mbam.sys

((((((((((((((((((((((((((((( SnapShot@2009-04-10_12.03.31.51 )))))))))))))))))))))))))))))))))))))))))
+ 2005-10-20 18:02:28 163,328 ----a-w c:\windows\ERDNT\subs\ERDNT.EXE
+ 2009-04-10 12:58:04 364,726 ----a-r c:\windows\Installer\{24D753CA-6AE9-4E30-8F5F-EFC93E08BF3D}\SkypeIcon.exe
+ 2004-08-03 21:08:48 26,496 ----a-w c:\windows\system32\drivers\USBSTOR.SYS
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown

"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\lib\NMBgMonitor.exe" [2005-10-28 94208]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-02-04 23975720]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-06-01 7618560]
"SW20"="c:\windows\system32\sw20.exe" [2009-01-02 389120]
"SW24"="c:\windows\system32\sw24.exe" [2009-01-02 139264]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2006-06-21 35328]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 233472]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2007-06-29 364544]
"nwiz"="nwiz.exe" [2006-06-01 c:\windows\system32\nwiz.exe]
"NvMediaCenter"="NvMCTray.dll" [2006-06-01 c:\windows\system32\nvmctray.dll]

"DisableTaskMgr"= 1 (0x1)
"DisableRegistryTools"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]

"EnableFirewall"= 0 (0x0)

"c:\\Program Files\\QuickTime\\QTTask.exe"=
"c:\\Program Files\\Enigma Software Group\\SpyHunter\\SpyHunter3.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
"c:\\Program Files\\Common Files\\Ahead\\lib\\NMBgMonitor.exe"=
"c:\\Program Files\\Winamp\\winampa.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

S3 ATE_PROCMON;ATE_PROCMON;\??\c:\program files\Anti Trojan Elite\ATEPMon.sys --> c:\program files\Anti Trojan Elite\ATEPMon.sys [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - ABP470N5
Contents of the 'Scheduled Tasks' folder

2009-04-09 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-06-03 13:42]
------- Supplementary Scan -------
uStart Page = hxxp://
uInternet Connection Wizard,ShellNext = hxxp://


catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
Rootkit scan 2009-04-10 18:35:56
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

Completion time: 2009-04-10 18:36:36
ComboFix-quarantined-files.txt 2009-04-10 16:36:34
ComboFix2.txt 2009-04-10 16:00:05
ComboFix3.txt 2009-04-10 10:04:03

Pre-Run: 40,071,774,208 bytes free
Post-Run: 40,059,076,608 bytes free


OK. I wasn't at home, it's possible somebody plugged in a flash drive. It won't happen again ;). Waiting for further instructions....
Re: Task Manager i Registry Editor disabled + W32/Sality.AA
10.04.2009 at 18:01
Nemanja Živanović
Run HijackThis, click "Do a system scan only". Find the following line, check it and press Fix Checked:

O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

Re: Task Manager i Registry Editor disabled + W32/Sality.AA
10.04.2009 at 18:08
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:08:26 PM, on 4/10/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\Opera\opera.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Documents and Settings\-Bajt\Desktop\blabla.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.enigmasoftware.a013...tulation_spyhunter_scanner.php
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SW20] C:\WINDOWS\system32\sw20.exe
O4 - HKLM\..\Run: [SW24] C:\WINDOWS\system32\sw24.exe
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

End of file - 3863 bytes
Re: Task Manager i Registry Editor disabled + W32/Sality.AA
10.04.2009 at 18:20
Nemanja Živanović
Disable all the protection you have again. Open Notepad and copy in the following text:




Save that file to the Desktop under the name CFScript

Drag the saved file onto the ComboFix icon as in the picture. Post the log that is produced at the end of the cleaning/scanning in your next message.

Re: Task Manager i Registry Editor disabled + W32/Sality.AA
10.04.2009 at 18:25
Tell me how I should disable the protection?! Right-click, My Computer? And should I turn off the antivirus as well, is that what you mean by disabling protection? :)
Re: Task Manager i Registry Editor disabled + W32/Sality.AA
10.04.2009 at 18:31
ComboFix 09-04-04.01 - -Bajt 2009-04-10 19:26:50.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3071.2591 [GMT 2:00]
Running from: c:\documents and settings\-Bajt\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\-Bajt\Desktop\CFScript.txt
* Created a new restore point

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


((((((((((((((((((((((((( Files Created from 2009-03-10 to 2009-04-10 )))))))))))))))))))))))))))))))

2009-04-10 14:59 . 2009-04-10 14:59 <DIR> d-------- c:\documents and settings\-Bajt\Application Data\Google
2009-04-10 14:58 . 2009-04-10 14:58 <DIR> dr------- c:\program files\Skype
2009-04-10 14:58 . 2009-04-10 15:01 <DIR> d-------- c:\program files\Google
2009-04-10 14:58 . 2009-04-10 14:58 <DIR> d-------- c:\program files\Common Files\Skype
2009-04-10 14:58 . 2009-04-10 16:04 <DIR> d-------- c:\documents and settings\-Bajt\Application Data\skypePM
2009-04-10 14:58 . 2009-04-10 19:28 <DIR> d-------- c:\documents and settings\-Bajt\Application Data\Skype
2009-04-10 14:58 . 2009-04-10 14:58 48 --ah----- c:\windows\system32\ezsidmv.dat
2009-04-10 14:57 . 2009-04-10 14:58 <DIR> d-------- c:\documents and settings\All Users\Application Data\Skype
2009-04-10 14:51 . 2004-08-03 23:08 26,496 --a--c--- c:\windows\system32\dllcache\usbstor.sys
2009-04-10 14:36 . 2009-04-10 14:36 69 --a------ c:\windows\NeroDigital.ini
2009-04-10 11:36 . 2009-04-10 11:36 <DIR> d-------- c:\documents and settings\-Bajt\Application Data\TrojanHunter
2009-04-10 10:55 . 2009-04-10 10:55 <DIR> d--h----- c:\windows\PIF
2009-04-10 10:55 . 2009-04-10 11:55 <DIR> d-------- c:\program files\TrojanHunter 5.0
2009-04-10 10:33 . 2009-04-10 10:52 <DIR> d-------- c:\program files\Anti Trojan Elite
2009-04-10 10:17 . 2009-04-10 10:17 <DIR> d-------- c:\documents and settings\All Users\Application Data\TEMP
2009-04-10 10:16 . 2009-04-10 10:16 <DIR> d-------- c:\documents and settings\-Bajt\Application Data\Simply Super Software
2009-04-09 23:43 . 2009-04-09 23:43 <DIR> d-------- c:\documents and settings\-Bajt\Application Data\Malwarebytes
2009-04-09 23:13 . 2009-04-09 23:13 <DIR> d-------- c:\documents and settings\-Bajt\Application Data\Macromedia
2009-04-09 23:13 . 2009-04-10 19:00 <DIR> d-------- c:\documents and settings\-Bajt\Application Data\Adobe
2009-04-09 23:10 . 2009-04-09 23:10 <DIR> d-------- c:\documents and settings\-Bajt\Application Data\BSplayer PRO
2009-04-09 23:09 . 2009-04-09 23:09 <DIR> d-------- c:\documents and settings\-Bajt\Application Data\Ahead
2009-04-09 23:06 . 2009-04-09 23:06 <DIR> d-------- c:\documents and settings\-Bajt\Application Data\Opera

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2009-04-10 16:59 --------- d-----w c:\documents and settings\All Users\Application Data\FLEXnet
2009-04-10 07:19 --------- d-----w c:\program files\Enigma Software Group
2009-04-09 21:43 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-09 21:43 --------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-09 21:32 --------- d-----w c:\program files\Common Files\Adobe
2009-04-09 21:31 --------- d-----w c:\program files\Adobe Media Player
2009-04-09 21:30 --------- d-----w c:\program files\Common Files\Adobe AIR
2009-04-09 21:28 --------- d-----w c:\program files\Common Files\Macrovision Shared
2009-04-09 21:10 --------- d-----w c:\program files\Webteh
2009-04-09 21:10 --------- d-----w c:\program files\QuickTime
2009-04-09 21:10 --------- d-----w c:\program files\Apple Software Update
2009-04-09 21:10 --------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer
2009-04-09 21:10 --------- d-----w c:\documents and settings\All Users\Application Data\Apple
2009-04-09 21:09 --------- d-----w c:\program files\K-Lite Codec Pack
2009-04-09 21:09 --------- d-----w c:\program files\Common Files\Ahead
2009-04-09 21:08 --------- d-----w c:\program files\Nero
2009-04-09 21:06 --------- d-----w c:\program files\Opera
2009-04-09 21:05 --------- d-----w c:\program files\Winamp
2009-04-09 20:45 --------- d-----w c:\program files\Common Files\InstallShield
2009-04-09 20:35 --------- d-----w c:\program files\microsoft frontpage
2009-04-06 13:32 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 13:32 15,504 ----a-w c:\windows\system32\drivers\mbam.sys

((((((((((((((((((((((((((((( SnapShot@2009-04-10_12.03.31.51 )))))))))))))))))))))))))))))))))))))))))
+ 2005-10-20 18:02:28 163,328 ----a-w c:\windows\ERDNT\subs\ERDNT.EXE
+ 2009-04-10 12:58:04 364,726 ----a-r c:\windows\Installer\{24D753CA-6AE9-4E30-8F5F-EFC93E08BF3D}\SkypeIcon.exe
+ 2004-08-03 21:08:48 26,496 ----a-w c:\windows\system32\drivers\USBSTOR.SYS
+ 2009-04-10 17:28:19 16,384 ----atw c:\windows\temp\Perflib_Perfdata_7e8.dat
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown

"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\lib\NMBgMonitor.exe" [2005-10-28 94208]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-02-04 23975720]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-06-01 7618560]
"SW20"="c:\windows\system32\sw20.exe" [2009-01-02 389120]
"SW24"="c:\windows\system32\sw24.exe" [2009-01-02 139264]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2006-06-21 35328]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 233472]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2007-06-29 364544]
"nwiz"="nwiz.exe" [2006-06-01 c:\windows\system32\nwiz.exe]
"NvMediaCenter"="NvMCTray.dll" [2006-06-01 c:\windows\system32\nvmctray.dll]

"EnableLUA"= 0 (0x0)

"DisableTaskMgr"= 1 (0x1)
"DisableRegistryTools"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]

"EnableFirewall"= 0 (0x0)

"c:\\Program Files\\QuickTime\\QTTask.exe"=
"c:\\Program Files\\Enigma Software Group\\SpyHunter\\SpyHunter3.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
"c:\\Program Files\\Common Files\\Ahead\\lib\\NMBgMonitor.exe"=
"c:\\Program Files\\Winamp\\winampa.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R3 abp470n5;abp470n5;\??\c:\windows\system32\drivers\qkhjpn.sys --> c:\windows\system32\drivers\qkhjpn.sys [?]
S3 ATE_PROCMON;ATE_PROCMON;\??\c:\program files\Anti Trojan Elite\ATEPMon.sys --> c:\program files\Anti Trojan Elite\ATEPMon.sys [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - ABP470N5
Contents of the 'Scheduled Tasks' folder

2009-04-10 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-06-03 13:42]
------- Supplementary Scan -------
uStart Page = hxxp://
uInternet Connection Wizard,ShellNext = hxxp://


catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
Rootkit scan 2009-04-10 19:28:20
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

Completion time: 2009-04-10 19:29:41 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-10 17:29:39
ComboFix2.txt 2009-04-10 16:36:37
ComboFix3.txt 2009-04-10 16:00:05
ComboFix4.txt 2009-04-10 10:04:03

Pre-Run: 39,549,247,488 bytes free
Post-Run: 39,483,949,056 bytes free

Re: Task Manager and Registry Editor disabled + W32/Sality.AA
10.04.2009. at 18:33 - 185 months ago
Nemanja Živanović
Wait, you don't have an antivirus? Why? Install an antivirus right away (you can start with a free one - choose only one of these 3):


And delete these programs from the computer:
Anti Trojan Elite
TrojanHunter 5.0

Then report back.
Re: Task Manager and Registry Editor disabled + W32/Sality.AA
10.04.2009. at 18:41 - 185 months ago
They aren't in ADD/REMOVE PROGRAMS! I deleted SpyHunter. I deleted those today.... Now they aren't in Add/Remove P... ??

And on the computer I have Malwarebytes, and now I'll install Avast as well.
Re: Task Manager and Registry Editor disabled + W32/Sality.AA
10.04.2009. at 18:42 - 185 months ago
Nemanja Živanović
OK, just continue. If you haven't installed an antivirus yet, do this. If you have installed an antivirus, disable it and then continue. If you don't know how to disable it, tell me which antivirus you installed so I can explain. Keep in mind that you MUST NOT continue if you have an antivirus enabled and active.

Open Notepad and copy in the following text:





Save that file to the Desktop under the name CFScript

Drag the saved text onto the ComboFix icon as in the picture. In your next message, post the log that is produced at the end of the cleaning/scanning.
Re: Task Manager and Registry Editor disabled + W32/Sality.AA
10.04.2009. at 18:45 - 185 months ago
But I have Malwarebytes!! ??

Only that... and of course, I disabled it! It isn't even really an antivirus....
Re: Task Manager and Registry Editor disabled + W32/Sality.AA
10.04.2009. at 18:48 - 185 months ago
Nemanja Živanović
Keep Malwarebytes' Anti-Malware. It's good, but alongside it you must install an antivirus. First run the script I gave you and post the report. Did you install one of the 3 antiviruses I suggested?
Re: Task Manager and Registry Editor disabled + W32/Sality.AA
10.04.2009. at 18:50 - 185 months ago
Here's the script....

ComboFix 09-04-04.01 - -Bajt 2009-04-10 19:46:53.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3071.2661 [GMT 2:00]
Running from: c:\documents and settings\-Bajt\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\-Bajt\Desktop\CFScript.txt
* Created a new restore point


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


((((((((((((((((((((((((( Files Created from 2009-03-10 to 2009-04-10 )))))))))))))))))))))))))))))))

2009-04-10 14:59 . 2009-04-10 14:59 <DIR> d-------- c:\documents and settings\-Bajt\Application Data\Google
2009-04-10 14:58 . 2009-04-10 14:58 <DIR> dr------- c:\program files\Skype
2009-04-10 14:58 . 2009-04-10 15:01 <DIR> d-------- c:\program files\Google
2009-04-10 14:58 . 2009-04-10 14:58 <DIR> d-------- c:\program files\Common Files\Skype
2009-04-10 14:58 . 2009-04-10 16:04 <DIR> d-------- c:\documents and settings\-Bajt\Application Data\skypePM
2009-04-10 14:58 . 2009-04-10 19:48 <DIR> d-------- c:\documents and settings\-Bajt\Application Data\Skype
2009-04-10 14:58 . 2009-04-10 14:58 48 --ah----- c:\windows\system32\ezsidmv.dat
2009-04-10 14:57 . 2009-04-10 14:58 <DIR> d-------- c:\documents and settings\All Users\Application Data\Skype
2009-04-10 14:51 . 2004-08-03 23:08 26,496 --a--c--- c:\windows\system32\dllcache\usbstor.sys
2009-04-10 14:36 . 2009-04-10 14:36 69 --a------ c:\windows\NeroDigital.ini
2009-04-10 11:36 . 2009-04-10 11:36 <DIR> d-------- c:\documents and settings\-Bajt\Application Data\TrojanHunter
2009-04-10 10:55 . 2009-04-10 10:55 <DIR> d--h----- c:\windows\PIF
2009-04-10 10:55 . 2009-04-10 11:55 <DIR> d-------- c:\program files\TrojanHunter 5.0
2009-04-10 10:17 . 2009-04-10 10:17 <DIR> d-------- c:\documents and settings\All Users\Application Data\TEMP
2009-04-10 10:16 . 2009-04-10 10:16 <DIR> d-------- c:\documents and settings\-Bajt\Application Data\Simply Super Software
2009-04-09 23:43 . 2009-04-09 23:43 <DIR> d-------- c:\documents and settings\-Bajt\Application Data\Malwarebytes
2009-04-09 23:13 . 2009-04-09 23:13 <DIR> d-------- c:\documents and settings\-Bajt\Application Data\Macromedia
2009-04-09 23:13 . 2009-04-10 19:00 <DIR> d-------- c:\documents and settings\-Bajt\Application Data\Adobe
2009-04-09 23:10 . 2009-04-09 23:10 <DIR> d-------- c:\documents and settings\-Bajt\Application Data\BSplayer PRO
2009-04-09 23:09 . 2009-04-09 23:09 <DIR> d-------- c:\documents and settings\-Bajt\Application Data\Ahead
2009-04-09 23:06 . 2009-04-09 23:06 <DIR> d-------- c:\documents and settings\-Bajt\Application Data\Opera

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2009-04-10 17:40 --------- d-----w c:\program files\Enigma Software Group
2009-04-10 16:59 --------- d-----w c:\documents and settings\All Users\Application Data\FLEXnet
2009-04-09 21:43 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-09 21:43 --------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-09 21:32 --------- d-----w c:\program files\Common Files\Adobe
2009-04-09 21:31 --------- d-----w c:\program files\Adobe Media Player
2009-04-09 21:30 --------- d-----w c:\program files\Common Files\Adobe AIR
2009-04-09 21:28 --------- d-----w c:\program files\Common Files\Macrovision Shared
2009-04-09 21:10 --------- d-----w c:\program files\Webteh
2009-04-09 21:10 --------- d-----w c:\program files\QuickTime
2009-04-09 21:10 --------- d-----w c:\program files\Apple Software Update
2009-04-09 21:10 --------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer
2009-04-09 21:10 --------- d-----w c:\documents and settings\All Users\Application Data\Apple
2009-04-09 21:09 --------- d-----w c:\program files\K-Lite Codec Pack
2009-04-09 21:09 --------- d-----w c:\program files\Common Files\Ahead
2009-04-09 21:08 --------- d-----w c:\program files\Nero
2009-04-09 21:06 --------- d-----w c:\program files\Opera
2009-04-09 21:05 --------- d-----w c:\program files\Winamp
2009-04-09 20:45 --------- d-----w c:\program files\Common Files\InstallShield
2009-04-09 20:35 --------- d-----w c:\program files\microsoft frontpage
2009-04-06 13:32 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 13:32 15,504 ----a-w c:\windows\system32\drivers\mbam.sys

((((((((((((((((((((((((((((( SnapShot@2009-04-10_12.03.31.51 )))))))))))))))))))))))))))))))))))))))))
+ 2005-10-20 18:02:28 163,328 ----a-w c:\windows\ERDNT\subs\ERDNT.EXE
+ 2009-04-10 12:58:04 364,726 ----a-r c:\windows\Installer\{24D753CA-6AE9-4E30-8F5F-EFC93E08BF3D}\SkypeIcon.exe
+ 2004-08-03 21:08:48 26,496 ----a-w c:\windows\system32\drivers\USBSTOR.SYS
+ 2009-04-10 17:48:23 16,384 ----atw c:\windows\temp\Perflib_Perfdata_538.dat
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown

"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\lib\NMBgMonitor.exe" [2005-10-28 94208]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-02-04 23975720]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-06-01 7618560]
"SW20"="c:\windows\system32\sw20.exe" [2009-01-02 389120]
"SW24"="c:\windows\system32\sw24.exe" [2009-01-02 139264]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2006-06-21 35328]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 233472]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2007-06-29 364544]
"nwiz"="nwiz.exe" [2006-06-01 c:\windows\system32\nwiz.exe]
"NvMediaCenter"="NvMCTray.dll" [2006-06-01 c:\windows\system32\nvmctray.dll]

"EnableLUA"= 0 (0x0)

"DisableTaskMgr"= 1 (0x1)
"DisableRegistryTools"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]

"EnableFirewall"= 0 (0x0)

"c:\\Program Files\\QuickTime\\QTTask.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
"c:\\Program Files\\Common Files\\Ahead\\lib\\NMBgMonitor.exe"=
"c:\\Program Files\\Winamp\\winampa.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

S3 ATE_PROCMON;ATE_PROCMON;\??\c:\program files\Anti Trojan Elite\ATEPMon.sys --> c:\program files\Anti Trojan Elite\ATEPMon.sys [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - ABP470N5
Contents of the 'Scheduled Tasks' folder

2009-04-10 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-06-03 13:42]
------- Supplementary Scan -------
uStart Page = hxxp://
uInternet Connection Wizard,ShellNext = hxxp://


catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
Rootkit scan 2009-04-10 19:48:24
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

------------------------ Other Running Processes ------------------------
Completion time: 2009-04-10 19:49:39 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-10 17:49:37
ComboFix2.txt 2009-04-10 17:29:42
ComboFix3.txt 2009-04-10 16:36:37
ComboFix4.txt 2009-04-10 16:00:05
ComboFix5.txt 2009-04-10 17:46:42

Pre-Run: 39,533,035,520 bytes free
Post-Run: 39,500,132,352 bytes free



I'm installing AVAST now
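As an added example, not code from the thread or from ComboFix, here is a small Python triage that reads the log sections posted above and flags what a helper looks at first: the policy values that lock out Task Manager, regedit, LUA and the firewall, and any service line ComboFix tagged with "[?]" (an image it could not verify). The sample log is constructed from lines in the first ComboFix log of this thread, and the line formats the regexes assume are the ones visible there; both "[?]" drivers are reported, so a human still has to separate the Anti Trojan Elite driver from the unknown qkhjpn.sys under system32\drivers.

```python
import re

# Policy values ComboFix lists under "Reg Loading Points". The values
# below are the states the posted logs show, i.e. the ones that produce
# "disabled by your administrator" and switch off LUA and the firewall.
SUSPICIOUS_POLICIES = {
    "DisableTaskMgr": "1",        # Task Manager blocked by policy
    "DisableRegistryTools": "1",  # regedit blocked by policy
    "EnableLUA": "0",             # limited-user protection off
    "EnableFirewall": "0",        # Windows Firewall off
}

POLICY_RE = re.compile(r'^"(?P<name>[^"]+)"=\s*(?P<value>\d+)\s*\(0x')
# Service lines: "<start> <name>;<display>;<image> --> <image> [?]";
# the trailing "[?]" is ComboFix's mark for an image it could not verify.
SERVICE_RE = re.compile(
    r'^(?P<start>[RS]\d)\s+(?P<name>[^;]+);[^;]*;(?P<image>.+?)\s+-->\s+.+?\s+\[\?\]\s*$')


def find_policy_hits(log_text):
    """Return [(name, value)] for policy values found in their bad state."""
    hits = []
    for line in log_text.splitlines():
        m = POLICY_RE.match(line.strip())
        if m and SUSPICIOUS_POLICIES.get(m["name"]) == m["value"]:
            hits.append((m["name"], m["value"]))
    return hits


def find_unverified_drivers(log_text):
    """Return [(start, service_name, image, in_system_drivers)] for every
    driver whose image ComboFix marked "[?]". R = running, S = stopped."""
    found = []
    for line in log_text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if m:
            image = m["image"].replace("\\??\\", "")  # strip NT path prefix
            in_sys = "\\windows\\system32\\drivers\\" in image.lower()
            found.append((m["start"], m["name"], image, in_sys))
    return found


# Constructed sample: lines taken from the first ComboFix log in this thread.
SAMPLE_LOG = r"""
"EnableLUA"= 0 (0x0)

"DisableTaskMgr"= 1 (0x1)
"DisableRegistryTools"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]

"EnableFirewall"= 0 (0x0)

R3 abp470n5;abp470n5;\??\c:\windows\system32\drivers\qkhjpn.sys --> c:\windows\system32\drivers\qkhjpn.sys [?]
S3 ATE_PROCMON;ATE_PROCMON;\??\c:\program files\Anti Trojan Elite\ATEPMon.sys --> c:\program files\Anti Trojan Elite\ATEPMon.sys [?]
"""

if __name__ == "__main__":
    print("policy hits:", find_policy_hits(SAMPLE_LOG))
    print("unverified drivers:", find_unverified_drivers(SAMPLE_LOG))
```

Run on the second log in the thread, the policy hits are unchanged while the R3 abp470n5 line is gone, which is what the CFScript pass was meant to achieve.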
Re: Task Manager and Registry Editor disabled + W32/Sality.AA
10.04.2009. at 19:07 - 185 months ago
Nemanja Živanović
Install Avast. Here you have detailed instructions with pictures for the installation:

Just look at the installation part of the instructions, the rest isn't important for you. After installation, agree to let the program restart the computer. After the restart, run a complete scan of the computer and post the report to me when it finishes.
