system volume & recycler

unaprijed zahvaljujem
komp nije moj (od kolege) al je dobar momak
zalio se na kocenje,trzanje i nemogucnost pristupa nekim fajlovima a takodje i brisanja pojedinih

e ovako ja sam iz ranijeg iskustva odradio neka skeniranja ali samo ova bezopasna pa da vas uputim ono bas 100%

nod 32 je obrisao ove fajlove kao viruse
C:\System Volume Information\_restore{FD492DAD-9D71-43AE-8D1A-5CF200121D62}\RP221\A0020384.exe - probably unknown NewHeur_PE virus [7] – deleted

C:\Program Files\Electronic Arts\Need for Speed Carbon\NFSC.exe - probably unknown NewHeur_PE virus [7] - deleted

mbm je obrisao ove fajlove


e sad evo i hj log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:48:22 PM, on 12/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\monus export doo\Desktop\New Folder\TR3.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
F2 - REG:system.ini: Shell=Explorer.exe
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\WINDOWS\JM\JMInsIDE.exe
O4 - HKLM\..\Run: [36X Raid Configurer] C:\WINDOWS\system32\JMRaidSetup.exe boot
O4 - HKLM\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{5DAE6500-285E-4BF4-9B23-879F5417774C}: NameServer = 10.0.0.3
O17 - HKLM\System\CCS\Services\Tcpip\..\{6CE69B9A-40ED-4ED5-B281-9221F3EB0476}: NameServer = 62.68.96.2
O17 - HKLM\System\CS1\Services\Tcpip\..\{5DAE6500-285E-4BF4-9B23-879F5417774C}: NameServer = 10.0.0.3
O17 - HKLM\System\CS2\Services\Tcpip\..\{5DAE6500-285E-4BF4-9B23-879F5417774C}: NameServer = 10.0.0.3
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

--
End of file - 8601 bytes

jos jednom hvala



zaboravio sam mozda najbitnije
na sve tri particije se nalazi folder system volume koji se ne moze otvoriti i folder recycler a u njemu korpa za smece
i svetliji su kao da su hidirani ili mozda trebaju biti
eto toliko

System Volume postoji na svakoj NTFS particiji, to je normalno.
Recycler ti je korpa za otpatke, i isto postoji na svakoj particiji.
U prvi ne mozes uci, dok u drugi mozes.

To je sasvim uobicajeno stanje.

Log je inace cist.

Mozes li da postavis izvestaj iz MBAM (dugme Sacuvaj Izvestaj se vidi na slici koju si postavio)?

Bojim se da je NOD obrisao igricu Need For Speed Carbon greskom.

evo ga druze

Malwarebytes' Anti-Malware 1.31
Verzija baze podataka: 1512
Windows 5.1.2600 Service Pack 2

12/17/2008 10:39:39 PM
mbam-log-2008-12-17 (22-39-39).txt

Tip skeniranja: Kompletno Skeniranje (C:\|E:\|F:\
Skeniranih objekata: 146902
Proteklo vreme: 59 minute(s), 48 second(s)

Inficirani procesi u memoriji: 0
Inficirani moduli u memoriji: 0
Inficirani kljuèevi u registru: 0
Inficirane vrednosti u registru: 1
Inficirani podaci u registru: 3
Inficirane fascikle: 3
Inficirane datoteke: 6

Inficirani procesi u memoriji:
(Maliciozne stavke nisu detektovane)

Inficirani moduli u memoriji:
(Maliciozne stavke nisu detektovane)

Inficirani kljuèevi u registru:
(Maliciozne stavke nisu detektovane)

Inficirane vrednosti u registru:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> Quarantined and deleted successfully.

Inficirani podaci u registru:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Backdoor.Bot) -> Data: c:\windows\system32\ntos.exe -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Backdoor.Bot) -> Data: system32\ntos.exe -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,) Good: (userinit.exe) -> Quarantined and deleted successfully.

Inficirane fascikle:
C:\WINDOWS\system32\wsnpoem (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\NetworkService\Application Data\wsnpoem (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Application Data\wsnpoem (Trojan.Agent) -> Quarantined and deleted successfully.

Inficirane datoteke:
C:\WINDOWS\system32\wsnpoem\audio.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\wsnpoem\audio.dll.cla (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wsnpoem\video.dll (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\NetworkService\Application Data\wsnpoem\audio.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Application Data\wsnpoem\audio.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ntos.exe (Backdoor.Bot) -> Delete on reboot.

ma nema veze za igricu vidio sam ja da je nid for spid al sta fali nek instalira nanovo kontao sam da nije neki njen fajl zarazen



dali da stavim na folder opciju da ne pokazuje skrivene foldere??

OK. MBAM je obavio posao.

Sto se tice skrivenih foldera - zavisi od tvojih potreba. U svakom slucaju ih uvek mozes ukljucivasti i iskljucivati kada god pozelis

ok druze hvala



e druze eb ga opet cu ja dosadjivati
kod mene je na folder opcijama zaqkaceno da prikazuje skrivene foldere i na svih 5 particija nema foldera system volume i recycler
a kod kolege su nestale kad sam stavio da ne prikazuje skrivene foldere
kakop sad to??

Jel imate apsolutno iste verzije Windowsa?

cini mi se da su oba XP SP2 samo je kod njega noviji komp znatno i jaci mnogo po performansama ako to ima ike veze
ako hoces postavicu sliku da vidis kako to izgleda



evo cisto da vidis kako izgleda

local c


local e


local f


local disk f je totalno prazan
ovo je stanje kad je upaljena opcija pokazi skrivene foldere

Da, tako treba da bude prikazano kada je ukljucena opcija za prikaz skrivenih fajlova u Exploreru.
Kada je ta opcija iskljucena, onda se tih par foldera uopste ne prikazuju na listi.
To je cisto funkcija samog Explorera. Ukoliko koristis neki drugi fajl-menadzer, onda on moze imati drugacija podesavanja za izgled ikonica skrivenih foldera.

Znaci, ono podesavanje nije globalno na nivou celog Windowsa, vec samo lokalno za Windows Explorer.

Ako mozes sada da mi objasnis u cemu je tacno problem, posto iz tvoje dosadasnje price nisam uspeo da pohvatam.

ovako
covjek se zalio da ga ubise virusi al ni on meni nije bas konkretno i jasno objasnio pa sam ja uzeo komp i malo ga precistio av-om i anti malwareima (ne ide mi u glavu uopste nije imao instaliran AV)
obrisali su to sto su obrisali(slike iznad) i meni se cini da masina radi extra s obzirom da se nisam prije susretao sa core duo ili core2duo ili sta je vec
i jos da kazem kod mene nema sistem information i recicler foldera na obe opcije
to je to
izvini ako te maltretiram i ako smatras da treba jos jedan sken HJT-om cisto 100%-tne provjere radi
pozdrav

Recycle folder se kreira tek kada sa te particije prvi put obrises neki fajl.
Svaka particija ima svoju Kantu (Recycler folder), a ti to na desktopu vidis kao jednu ikonicu.

Onaj drugi folder postoji samo ukoliko je za tu particiju ukljucen System Restore. Tu se cuvaju Restore Point-i.
Nazalost, na NTFS particijama je nemoguce obrisati taj folder cak ni kada iskljucis System Restore za tu particiju.
Na FAT32 particijama je to bilo moguce, ako se dobro secam.

Ni jedan od ova dva foldera normalno nisu vidljivi u Exploreru sve dok ne ukljucis prikaz skrivenih fajlova.
Postoje jos i Super hidden fajlovi i folderi, i njih ne mozes videti iz Explorera cak ni sa ukljucenom opcijom za prikaz skrivenih fajlova.
Iz drugih fajl-menadzera ih je moguce videti (ja koristim Total Commander).

Mozda su kod tebe ti folderi podeseni da budu super hidden, a kod njega su bili samo hidden.
Ne bih znao tacno sta se tu kod vas izdesavalo, ali to ni u kom slucaju nije opasno, niti utice na normalan rad Windowsa.

Sto se tice HJT loga, slobodno postavi, ja cu ga pregledati i reci ukoliko nesto ne valja.