Imao sam problem sa zin blogom koji je na jedan trenutak bio uklonjen medjutim
iako ga sada ne vidim,opet ne mogu da startujem regedit i task menager.Takodje
ne mogu da iskljucim ni system restore sto me pretpostavljam i najvise koci u trajnom
uklanjanju pomenute gamadi(disabled by group policy).
Da li bi neko imao resenje za ovo?

Evo sta kaze HijackThis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:29:22 PM, on 17.12.07
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ATK0100\HControl.exe
C:\WINDOWS\system32\SafeSignCertReg.exe
C:\WINDOWS\svhost32.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\CAPRPCSK.EXE
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\CAPPSWK.EXE
C:\Program Files\sentryPM\TokenManager\spmTMcertManager.exe
C:\Program Files\sentryPM\TokenManager\spmTMStatusMonitor.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\CAPPSWK.EXE
C:\Program Files\sentryPM\TokenManager\spmTMSvc.exe
C:\WINDOWS\ATK0100\ATKOSD.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\BizniSOFT\DataBase\bin\mysqld-nt.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\TRISNA~1\SSI\SYSENF~1.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://unihomepg.com
F2 - REG:system.ini: UserInit=userinit.exe,C:\WINDOWS\system\lsass.exe
O1 - Hosts: 64.26.25.75 google.com
O1 - Hosts: 64.26.25.75 google.co.uk
O1 - Hosts: 64.26.25.75 www.google.co.uk
O1 - Hosts: 64.26.25.75 google.jp
O1 - Hosts: 64.26.25.75 www.google.jp
O1 - Hosts: 64.26.25.75 google.cn
O1 - Hosts: 64.26.25.75 www.google.cn
O1 - Hosts: 64.26.25.75 search.msn.com
O1 - Hosts: 64.26.25.75 search.live.com
O1 - Hosts: 64.26.25.75 search.yahoo.com
O1 - Hosts: 64.26.25.75 search.aol.com
O1 - Hosts: 64.26.25.75 ask.com
O1 - Hosts: 64.26.25.75 www.ask.com
O1 - Hosts: 64.26.25.75 google.ca
O1 - Hosts: 64.26.25.75 www.google.ca
O1 - Hosts: 64.26.25.75 answer.com
O1 - Hosts: 64.26.25.75 www.answer.com
O1 - Hosts: 64.26.25.75 www.altavista.com
O1 - Hosts: 64.26.25.75 altavista.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [HControl] C:\WINDOWS\ATK0100\HControl.exe
O4 - HKLM\..\Run: [CAPON] C:\WINDOWS\system32\Spool\Drivers\w32x86\3\CAPONN.EXE
O4 - HKLM\..\Run: [CertificateRegistration] SafeSignCertReg.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Task Manager] C:\WINDOWS\svhost32.exe
O4 - HKLM\..\Run: [SVCHOST] C:\WINDOWS\svchost.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Canon LBP-810 Status Window.LNK = C:\WINDOWS\system32\spool\drivers\w32x86\3\CAPPSWK.EXE
O4 - Global Startup: Certificate Manager.lnk = C:\Program Files\sentryPM\TokenManager\spmTMcertManager.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{C0648553-0CEE-4B49-A621-D19C5001B99F}: NameServer = 212.200.36.11 212.200.36.12
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: BizniSOFT - Unknown owner - C:\Program.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: SysEnforce - Unknown owner - C:\PROGRA~1\TRISNA~1\SSI\SYSENF~1.EXE



Hvala unapred

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{C0648553-0CEE-4B49-A621-D19C5001B99F}: NameServer = 212.200.36.11 212.200.36.12
O23 - Service: BizniSOFT - Unknown owner - C:\Program.exe (file missing)
O23 - Service: SysEnforce - Unknown owner - C:\PROGRA~1\TRISNA~1\SSI\SYSENF~1.EXE

Nece ti tako Moderatori gledati log,prvo skeniraj sa AV,Spyboot,pa ako i dalje nije u redu kacis log,a log ti je katastrofa

moze li neko da mi objasni kako taj log skidate(skenirate)?
koja je procedura i cemu to tacno sluzi ako je neko voljan da mi malo pojasni.
I kako se to fix-uje?
thank you

@dusan80

Udji u safe mode (F8 pritisni pre nego win pocne da se ucitava)
U safe modu pokreni HJT

Kada skeniras i izbaci listu, za pocetak fix-uj samo ovo:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://unihomepg.com
F2 - REG:system.ini: UserInit=userinit.exe,C:\WINDOWS\system\lsass.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

zatvori HJT
restart u normal modu

Kad se podigne win, start/run/regedit
U registry-ju sa leve strane navedi do kljuca:

 HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Windows>CurrentVersion>Run
Kada si naveo do tog kljuca , u desnom panelu trebalo bi da postoji i ovaj unos:
 Task Manager = "%Windows%\svchost32.exe"
Obrisi ga

Izadji iz registry-ja
Pokreni Spybot Search&destroy
Sve sto nadje obrisi

Restart u safe-modu

U safe modu pokreni HJT
Fix-uj sledece:

O1 - Hosts: 64.26.25.75 google.com
O1 - Hosts: 64.26.25.75 google.co.uk
O1 - Hosts: 64.26.25.75 www.google.co.uk
O1 - Hosts: 64.26.25.75 google.jp
O1 - Hosts: 64.26.25.75 www.google.jp
O1 - Hosts: 64.26.25.75 google.cn
O1 - Hosts: 64.26.25.75 www.google.cn
O1 - Hosts: 64.26.25.75 search.msn.com
O1 - Hosts: 64.26.25.75 search.live.com
O1 - Hosts: 64.26.25.75 search.yahoo.com
O1 - Hosts: 64.26.25.75 search.aol.com
O1 - Hosts: 64.26.25.75 ask.com
O1 - Hosts: 64.26.25.75 www.ask.com
O1 - Hosts: 64.26.25.75 google.ca
O1 - Hosts: 64.26.25.75 www.google.ca
O1 - Hosts: 64.26.25.75 answer.com
O1 - Hosts: 64.26.25.75 www.answer.com
O1 - Hosts: 64.26.25.75 www.altavista.com
O1 - Hosts: 64.26.25.75 altavista.com
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Task Manager] C:\WINDOWS\svhost32.exe
O4 - HKLM\..\Run: [SVCHOST] C:\WINDOWS\svchost.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: Certificate Manager.lnk = C:\Program Files\sentryPM\TokenManager\spmTMcertManager.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

Kas si sve to fix-ovao, zatvori HJT
Izadji iz safe-moda
Pokreni win regularno

My computer/tools/folder option/View/ omoguci "Show hidden files and folders"/apply/ok
Nadji ova dva fajla:


Obrisi ih

Kopiraj ova dva unosa pod kodom od gore, od pocetka do kraja, kako su napisani (markiraj i pritisni ctrl+c)
SKini Killbox software sa kraja ovog posta, otpakuj ga, i za sad ga nemoj pokretati

Pokreni HJT ponovo, dok si i dalje u normalnom win-u, posto pretpostavljamo da su se neki unosi vratili.
Ako postoje i dalje fix-uj sledece:

O4 - HKLM\..\Run: [Task Manager] C:\WINDOWS\svhost32.exe
O4 - HKLM\..\Run: [SVCHOST] C:\WINDOWS\svchost.exe

Ako ne postoje ne fix-uj nista.
Zatvori HJT.
Sad pokreni Killbox.exe koji si otpakovao na, recimo, desktop.

U killbox-u izaberi "Delete on Reboot".
Klikni na "File" u gornjem levom uglu Killbox-a, i izaberi "Paste from Clipboard". (time unosis ona dva kopirana unosa od ranije, ako si zaboravio to da uradis, vrati se, kopiraj ponova ta dva reda i ponovo u Killbox-u izaberi "Paste from clipboard")
Klikni na crvenu tacku sa belim X u gornjem desnom uglu Killbox-a, zatim Yes, pa opet Yes.

Nakon restarta, mozes ponovo pokrenuti HJT i zakaciti novi log ovde.

Leleeeee,      znas li i u dlan da gledas ??   

Znam, zi' mi ti 

Svaka čast  ma ženio bi te ako nisi već zauzeta 
šalu na stranu veliku uslugu mi činiš ovo je samo jedan
računar a imam još 3 da čistim u firmi
Inače regedit mi posle 1. koraka nije mi uspelo da startujem
regedit iz ms dos prompta(nemam run u star meniju)
pa sam odradio 2. korak iz safe moda.Javljam se kada budem
imao vremena da kompletiram sve
Hvala

E, ne moze, hocu ja!