[ Bum @ 08.10.2008. 18:39 ] @
Every time I turn the computer on it shows up again, no matter how many times I delete it. NOD32 finds it in system32 under the name dx6vcl.dll but cannot remove it, while a more thorough scan finds the files notepod.exe and rsvp.exe (which I mostly find in C:/Windows/Prefetch). It activates every time I open a text file in Notepad. Honestly, I would accept any solution other than reinstalling Windows, since I don't have the nerves to install everything again and lose a pile of stuff; I wouldn't risk moving the data and files to another hard drive or a stick either, because I'm worried the virus will sneak through again when I reinstall Windows and restore the data...
please help

thanks in advance
[ magna86 @ 08.10.2008. 18:52 ] @
update nod32 ..then scan from safe mode
download, update and also scan with Malwarebytes AntiMalware from safe mode
later..download, update and also scan with Spybot S&D (not from safe mode)


if the problem still occurs after this..
Download the HijackThis program from the following link:
http://www.majorgeeks.com/download5554.html
Put it in a separate folder on the Desktop
Change the name of the folder and the program (Rename option) to Systav.exe

* Run HijackThis
* Choose the option "Do a system scan and save the logfile"
* At the end of the scan the program will produce a text log.
* Copy that log here (copy / paste)

good luck :)
[ Bum @ 08.10.2008. 22:26 ] @
it found nothing with anti-malware or with spybot; with nod it just couldn't open pagefile.sys, prefetch/layout.ini and system32/drivers/sptd.sys

even though it found nothing, I opened notepad, typed something random and saved it on the desktop; when I opened it, nod32 again reported a virus > probably modified trojan Win32/TrojanDownloader.Agent in C:/WINDOWS/system32/dx6vcl.dll

here's the hijackthis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:19:10, on 8.10.2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\ACD Systems\EN\DevDetect.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\My Lockbox\flockbox.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\Media Key\MagicKey.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\KWorld Multimedia\PVR-TV 7131 Utilities\P3XRCtl.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Media Key\OSD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.posted.co.yu/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [RemoteControl] C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Device Detector] "C:\Program Files\Common Files\ACD Systems\EN\DevDetect.exe" -autorun
O4 - HKLM\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [flockbox] C:\Program Files\My Lockbox\flockbox.exe /a
O4 - HKCU\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe -NoStart
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: Media Key.lnk = C:\Program Files\Media Key\MagicKey.exe
O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: Remote Control.lnk = C:\Program Files\KWorld Multimedia\PVR-TV 7131 Utilities\P3XRCtl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/...ngerStatsPAClient.cab56907.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Unknown owner - C:\Program Files\Eset\nod32krn.exe

--
End of file - 6272 bytes
[ C.R.E.A.M. @ 08.10.2008. 23:11 ] @
Try deleting C:/WINDOWS/system32/dx6vcl.dll manually from Safe Mode. Or maybe it's easier for you to remove it with Trojan Remover.
[ magna86 @ 09.10.2008. 00:15 ] @
1. you didn't follow the HijackThis instructions
2. this log you posted is clean...

download this program
http://www.gmer.net/gmer.zip

put it in some folder
Select Rootkit/Malware
and click Scan.

PS: be sure to delete C:/WINDOWS/system32/dx6vcl.dll
from safe mode (shift+delete)
[ Bum @ 09.10.2008. 08:06 ] @
@C.R.E.A.M.
I already tried Trojan Remover the day before yesterday; my computer completely froze and locked up, and I somehow managed to get Windows to boot again.


@magna86
I don't think I failed to follow the HijackThis instructions; as for deleting dx6vcl.dll, of course I would have deleted it already if I could even see it, but it doesn't show up at all... once I've scanned with gmer, what then? should I post the log?
I again see that file in the prefetch, NOTEPOD.EXE-2CBCD0BE.pf, which always appears on restart.

does anyone actually know what this virus is for, what it does? I assume it came via USB, but I'm not sure.
[ kristi1 @ 09.10.2008. 08:35 ] @
@Bum Put HJT in some folder and rename it to, for example, bum.exe, then run the HJT log again; that is, rename both the folder and HJT. And post the log here.
[ Bum @ 09.10.2008. 10:58 ] @
I still don't get what's wrong, but I guess it's fine now

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:57:51, on 9.10.2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\ACD Systems\EN\DevDetect.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\My Lockbox\flockbox.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\Media Key\MagicKey.exe
C:\Program Files\KWorld Multimedia\PVR-TV 7131 Utilities\P3XRCtl.exe
C:\Program Files\Media Key\OSD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.posted.co.yu/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [RemoteControl] C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Device Detector] "C:\Program Files\Common Files\ACD Systems\EN\DevDetect.exe" -autorun
O4 - HKLM\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [flockbox] C:\Program Files\My Lockbox\flockbox.exe /a
O4 - HKCU\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe -NoStart
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: Media Key.lnk = C:\Program Files\Media Key\MagicKey.exe
O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: Remote Control.lnk = C:\Program Files\KWorld Multimedia\PVR-TV 7131 Utilities\P3XRCtl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/...ngerStatsPAClient.cab56907.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Unknown owner - C:\Program Files\Eset\nod32krn.exe

--
End of file - 6190 bytes
[ drvlada75 @ 09.10.2008. 12:41 ] @
Try ComboFix and Spyware Terminator!
Be careful with the second one; be sure to look at what it offers to delete!
[ kristi1 @ 09.10.2008. 12:56 ] @
What's wrong is that you didn't change the name; instead of hijackthis.exe you should have used bum.exe. That matters, because if malware sees HJT as such, it hides from it and doesn't appear in the log; second, if there are O20 and O2 lines, it won't show everything as HJT.exe. You weren't told twice to do that for nothing.
Third, don't use ComboFix on your own if you don't know what you're doing, because it changes settings on the computer.
[ mihajilo @ 09.10.2008. 16:24 ] @
I can see Explorer.EXE from a mile away and something's not right there; when scanning with nod, kill Explorer.EXE
try killing that Explorer.EXE and then, in Task Manager via Run, start explorer.exe and see which one starts for you: this one in capitals or the normal one all in lowercase.

Download Sysinternals' Process Explorer and look at everything running attached to Explorer.exe; see where it is located; that's where the vermin is, so kill it.
I recommend you try a boot scan with some antivirus; I know avast 4.8 has that; after that it should be gone.

try it and report back
[ kristi1 @ 09.10.2008. 16:56 ] @
Quote:
in Task Manager via Run, start explorer.exe and see which one starts for you: this one in capitals or the normal one all in lowercase.


What difference do upper or lower case letters make? It will start the same explorer; I don't see anything wrong with that process.
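The two points argued in the posts above, kristi1's rename rule for HijackThis and the Explorer.EXE casing that mihajilo and kristi1 disagree about, can be checked mechanically against a log. Below is an added example (not code from this thread and not part of Trend Micro's HijackThis): a small Python parser that reads a HijackThis v2 log and flags what a reviewer would look at first: HijackThis running under its original name, an explorer.exe process whose casing differs from the usual (a prompt to verify the image, not evidence by itself, since NTFS is case-insensitive), O4 Run entries that name a bare executable resolved through the PATH search, and O23 services reported with "Unknown owner". The embedded log excerpt is constructed from entries quoted in the thread; the finding tags and the `parse_hjt`/`triage` function names are the example's own.

```python
import re
from pathlib import PureWindowsPath

# Constructed excerpt of a HijackThis v2 log, assembled from entries quoted in
# the thread (shortened; not a complete log from any machine).
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:39:10, on 9.10.2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Unknown owner - C:\Program Files\Eset\nod32krn.exe

--
End of file - 6266 bytes
"""

# HJT entry lines look like "O4 - <rest>", "R0 - <rest>", "F2 - <rest>".
ENTRY_RE = re.compile(r"^([RFO]\d+) - (.*)$")
O4_RE = re.compile(r"^(?P<hive>.*?\\Run): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O23_RE = re.compile(r"^Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$")


def parse_hjt(text):
    """Split a HijackThis log into its 'Running processes' list and its R/F/O entries."""
    processes, entries = [], []
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            if not line:          # blank line ends the process list
                in_procs = False
                continue
            processes.append(line)
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(2)))
    return {"processes": processes, "entries": entries}


def _command_image(cmd):
    """Return the executable part of an O4 command line ('"C:\\x\\y.exe" args' -> 'C:\\x\\y.exe')."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    return cmd.split(" ", 1)[0]


def triage(parsed):
    """Return (tag, detail) findings a reviewer should look at first, in log order."""
    findings = []
    for proc in parsed["processes"]:
        name = PureWindowsPath(proc).name
        if name.lower() == "hijackthis.exe":
            # Ran under its original name: the thread's advice is to rename it first.
            findings.append(("hjt-not-renamed", proc))
        if name.lower() == "explorer.exe" and name != "explorer.exe":
            # NTFS is case-insensitive, so unusual casing alone proves nothing; it is
            # only a prompt to confirm the image really is %SystemRoot%\explorer.exe.
            findings.append(("explorer-case", proc))
    for code, rest in parsed["entries"]:
        if code == "O4":
            m = O4_RE.match(rest)
            if m:
                image = _command_image(m.group("cmd"))
                if "\\" not in image:
                    # Bare file name: found through the PATH search at logon, so which
                    # file actually runs depends on the search order, not on this entry.
                    findings.append(("o4-bare-image", m.group("name") + " -> " + image))
        elif code == "O23":
            m = O23_RE.match(rest)
            if m and m.group("owner") == "Unknown owner":
                # No company name in the file's version info; verify the file by hand.
                findings.append(("o23-unknown-owner", m.group("path")))
    return findings


if __name__ == "__main__":
    for tag, detail in triage(parse_hjt(SAMPLE_LOG)):
        print(f"{tag:20} {detail}")
```

Running it on the excerpt yields four findings; on a log where HijackThis was started as bum.exe the `hjt-not-renamed` finding disappears, which is exactly the check the posts above ask for by eye.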
[ Bum @ 09.10.2008. 17:23 ] @
it's the same with the lowercase or uppercase exe; I ran nod again and now it finds win32/mefir.a worm besides notepod.exe and rsvp.exe ....that hijack log is always the same, and I followed the instructions anyway; I feel I'm making some stupid mistake ... otherwise, as far as I can see, a reinstall is looming...I really don't know how anyone can come up with such persistent vermin, and I don't know what it's for either; who knows what all it has messed up...
[ magna86 @ 09.10.2008. 19:17 ] @
damn it..this log is clean...

you could fix some lines in the HJT log, but
I don't think that will solve the matter...

and are you sure that nod is..ok? that it isn't the one acting up?
if you're willing, download avast or, even better, Kaspersky Internet Security, and if they're silent too..oh well..I don't know, maybe it's a false alarm
and otherwise, do you have any concrete problems? can you post nod's log or a screenshot? so we can see what it reports
GMER found nothing? just tell us that, did it find anything?
and as for the rename..

find the following file..
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

rename both HJT.exe (the program) and the folder it's in...so change it to bum.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

so the setup and, if possible, the folder..delete the copies and run it from there
run HJT from there and post the log again..hopefully it will show some malware

of course, remove the usb..you'll be formatting the usb

..........................

though..I don't think a virus is involved here...
this is probably a clean computer..
either nod is acting up or..I don't know
[ Bum @ 09.10.2008. 20:50 ] @
well, you know, in the 3-4 years I've been using nod it hasn't caused me a problem, though after this I'll probably consider changing AV. I'm not so sure this isn't a virus; when you type notepod.exe into google you can see even now what all comes up; they link it to dx6vcl.dll and rsvp.exe........the last time I ran a detailed scan with nod (a few hours ago) it told me it found 3 viruses (honestly I can't be bothered to run nod again since it would scan for an hour, so I won't post a screenshot), but those viruses were:
1. C:/system32/win32/Mefir.A worm (this one showed up for the first time today)
2. notepod.exe NewHeur_PE
3. rsvp.exe NewHeur_PE

all in all, it shows all three as some kind of modified trojan

GMER didn't tell me anything in particular, but here's its log, so if it clears something up for you, great


GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2008-10-09 08:54:22
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.14 ----

SSDT sptd.sys ZwCreateKey [0xF73E70D0]
SSDT sptd.sys ZwEnumerateKey [0xF73ECE2C]
SSDT sptd.sys ZwEnumerateValueKey [0xF73ED1BA]
SSDT sptd.sys ZwOpenKey [0xF73E70B0]
SSDT sptd.sys ZwQueryKey [0xF73ED292]
SSDT sptd.sys ZwQueryValueKey [0xF73ED112]
SSDT sptd.sys ZwSetValueKey [0xF73ED324]

---- Kernel code sections - GMER 1.0.14 ----

? C:\WINDOWS\system32\drivers\sptd.sys The process cannot access the file because it is being used by another process.
.text USBPORT.SYS!DllUnload F69278AC 5 Bytes JMP 86CD51C8
? System32\Drivers\aunb64pa.SYS The system cannot find the file specified. !

---- Kernel IAT/EAT - GMER 1.0.14 ----

IAT \WINDOWS\System32\Drivers\SCSIPORT.SYS[ntoskrnl.exe!IoConnectInterrupt] [F73FD886] sptd.sys
IAT pci.sys[ntoskrnl.exe!IoDetachDevice] [F73FD832] sptd.sys
IAT pci.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [F741F892] sptd.sys
IAT atapi.sys[ntoskrnl.exe!IoConnectInterrupt] [F73FD886] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F73E7AD4] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [F73E7C1A] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [F73E7B9C] sptd.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [F73E8748] sptd.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [F73E861E] sptd.sys
IAT \SystemRoot\System32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [F73FCACA] sptd.sys

---- Devices - GMER 1.0.14 ----

Device \FileSystem\Ntfs \Ntfs 86FD11E8

AttachedDevice \FileSystem\Ntfs \Ntfs MPRIFL.SYS (My Private Folder driver/FSPro Labs)
AttachedDevice \FileSystem\Ntfs \Ntfs amon.sys (Amon monitor/Eset)

Device \Driver\PCI_NTPNP3160 \Device\00000042 sptd.sys
Device \Driver\PCI_NTPNP3160 \Device\00000042 sptd.sys
Device \Driver\usbuhci \Device\USBPDO-0 86D801E8
Device \Driver\dmio \Device\DmControl\DmIoDaemon 86F661E8
Device \Driver\dmio \Device\DmControl\DmConfig 86F661E8
Device \Driver\dmio \Device\DmControl\DmPnP 86F661E8
Device \Driver\dmio \Device\DmControl\DmInfo 86F661E8
Device \Driver\usbuhci \Device\USBPDO-1 86D801E8
Device \Driver\usbuhci \Device\USBPDO-2 86D801E8
Device \Driver\usbuhci \Device\USBPDO-3 86D801E8
Device \Driver\usbehci \Device\USBPDO-4 86CBE1E8
Device \Driver\Ftdisk \Device\HarddiskVolume1 86FD31E8
Device \Driver\NetBT \Device\NetBT_Tcpip_{6CEE628C-DEF3-4B1A-A9BC-CD73E13C62A5} 86AFD7A0
Device \Driver\Ftdisk \Device\HarddiskVolume2 86FD31E8
Device \Driver\Cdrom \Device\CdRom0 86C2C7A0
Device \Driver\Cdrom \Device\CdRom1 86C2C7A0
Device \Driver\NetBT \Device\NetBt_Wins_Export 86AFD7A0
Device \Driver\NetBT \Device\NetBT_Tcpip_{6C69AF31-810E-4F3B-9A07-8F2870E94919} 86AFD7A0
Device \Driver\NetBT \Device\NetbiosSmb 86AFD7A0
Device \Driver\usbuhci \Device\USBFDO-0 86D801E8
Device \Driver\usbuhci \Device\USBFDO-1 86D801E8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 868401E8
Device \Driver\usbuhci \Device\USBFDO-2 86D801E8
Device \FileSystem\MRxSmb \Device\LanmanRedirector 868401E8
Device \Driver\usbuhci \Device\USBFDO-3 86D801E8
Device \Driver\usbehci \Device\USBFDO-4 86CBE1E8
Device \Driver\Ftdisk \Device\FtControl 86FD31E8
Device \Driver\aunb64pa \Device\Scsi\aunb64pa1 86C2D1E8
Device \Driver\aunb64pa \Device\Scsi\aunb64pa1Port4Path0Target0Lun0 86C2D1E8
Device \FileSystem\Cdfs \Cdfs 86C761E8

---- Registry - GMER 1.0.14 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x5C 0xFB 0x49 0x34 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x12 0x21 0x51 0x41 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x43 0x49 0xF9 0x9D ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0x41 0x17 0x09 0x22 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x5C 0xFB 0x49 0x34 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x12 0x21 0x51 0x41 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x43 0x49 0xF9 0x9D ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0x41 0x17 0x09 0x22 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x5C 0xFB 0x49 0x34 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x12 0x21 0x51 0x41 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xD9 0xFF 0x24 0x3F ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0x41 0x17 0x09 0x22 ...

---- EOF - GMER 1.0.14 ----
here's the new hijackthis log too, following your latest instructions


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:39:10, on 9.10.2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\ACD Systems\EN\DevDetect.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\My Lockbox\flockbox.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\Media Key\MagicKey.exe
C:\Program Files\KWorld Multimedia\PVR-TV 7131 Utilities\P3XRCtl.exe
C:\Program Files\Media Key\OSD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\bum.exe\bum.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.posted.co.yu/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [RemoteControl] C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Device Detector] "C:\Program Files\Common Files\ACD Systems\EN\DevDetect.exe" -autorun
O4 - HKLM\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [flockbox] C:\Program Files\My Lockbox\flockbox.exe /a
O4 - HKCU\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe -NoStart
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: Media Key.lnk = C:\Program Files\Media Key\MagicKey.exe
O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: Remote Control.lnk = C:\Program Files\KWorld Multimedia\PVR-TV 7131 Utilities\P3XRCtl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/...ngerStatsPAClient.cab56907.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Unknown owner - C:\Program Files\Eset\nod32krn.exe

--
End of file - 6266 bytes



As I already said in my previous messages, the virus alert triggers when I open a text file in Notepad. When I look in Prefetch I see that both notepad.exe and notepod.exe were opened, which is one more reason I think it is a virus, and when NOD shows me the virus message and I choose Rename, it leaves this file in system32: dx6vcl.Vdll,
with this V in front of dll. I have literally written out all the information about this virus that I found on the computer and that is related to it.



[ mihajilo @ 09.10.2008. 21:11 ] @
Quote:
kristi1: What difference does it make whether the letters are lowercase or uppercase, it will start Explorer for him just the same, I don't see what is wrong with that process.


I have run into that case several times, where the explorer.exe process gets replaced by Explorer.EXE or EXPLORER.EXE or some variation of it, and always only when a virus is involved. The second assumption is that the virus hooks into a system process and NOD can't do anything about it; it is probably attached to explorer.exe.
Have you tried Process Explorer to see everything that starts along with Explorer? Did you kill Explorer every time before scanning?
Also download autoruns.exe, another tool from Sysinternals, and go through everything that starts up; disable everything unnecessary (this needs basic knowledge of how a computer works, so it shouldn't be a problem for you). Once you have disabled all the junk, run a scan and you should be rid of the problem, and if the scanner is bad, delete the pest by hand.
[ kristi1 @ 10.10.2008. 06:18 ] @
mihajlo, that's not it in this case, Explorer is fine here.

@Bum download ComboFix from here http://download.bleepingcomputer.com/sUBs/ComboFix.exe
Click NOD in the system tray, under Threat Protection choose AMON, untick File system monitor - enabled.
Wait for it to turn red. When the cleanup is done, turn this option back on.
Run ComboFix and don't touch the window while it scans.
When the scan finishes the log will be in C:\ComboFix.txt
Paste it here on the forum.
[ Pali zari @ 10.10.2008. 07:51 ] @
Something similar happened to me; I solved the problem by downloading Avira antivirus and deleting the silly NOD32 that couldn't find anything, and that was it.
[ TijanaR @ 10.10.2008. 08:01 ] @
NOD32 has lately been causing a huuuuge problem if it isn't legal. After more than three years of using it I deleted it from my computer for good. I installed the free version of Avast and it found the vermin (19 trojans nicely tucked away) that neither NOD32 nor Spyware Terminator had found.
My advice is to replace NOD32 with another AV (Avast, Avira), let it scan before Windows boots, and then report what happens.
[ euripyd @ 10.10.2008. 09:19 ] @
Careful, there is a difference between explorer.exe and expIorer.exe, and it doesn't show in Task Manager.
The first is with an L and the second with an I.

Best to do it this way: identify what the trojans are and where they are.
Restart the computer with some Linux live variant.
Go to the problematic files and open them in Notepad (or whatever it's called there), select all the text, delete it and save it as an empty document. You can first copy them to a flash drive too, in case you delete the wrong files by mistake.
[ TijanaR @ 10.10.2008. 09:59 ] @
OK, now, nicely, from the beginning...

- Turn off System Restore (System Properties > System Restore > tick Turn off System Restore on all drives)
- Empty the Recycle Bin
- Delete the contents of the C:\Windows\Temp folder
- Empty Temporary Internet Files

Then all the rest...

Maybe try a Spybot S&D scan from Safe Mode.
[ Bum @ 10.10.2008. 11:42 ] @
I've already done all that, but here is the ComboFix log



ComboFix 08-10-09.06 - home 2008-10-10 10:12:29.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.640 [GMT 2:00]
Running from: C:\Documents and Settings\home\Desktop\ComboFix.exe
* Created a new restore point

WARNING - THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-09-10 to 2008-10-10 )))))))))))))))))))))))))))))))
.

2008-10-09 21:24 . 2008-10-09 21:25 <DIR> d-------- C:\Program Files\Trend Micro
2008-10-09 08:42 . 2008-10-09 14:46 250 --a------ C:\WINDOWS\gmer.ini
2008-10-08 20:23 . 2008-10-08 20:23 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-10-08 18:28 . 2008-10-08 18:28 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-10-08 18:28 . 2008-09-10 00:04 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-10-08 18:28 . 2008-09-10 00:03 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-10-08 12:29 . 2008-10-09 11:54 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-10-04 21:18 . 2008-10-04 21:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PrevxCSI
2008-10-03 10:06 . 2008-10-03 10:06 <DIR> d-------- C:\WINDOWS\Logs
2008-10-03 08:59 . 2008-10-03 08:59 <DIR> d-------- C:\Program Files\KONAMI
2008-10-02 18:07 . 2008-10-02 18:07 <DIR> d-------- C:\Documents and Settings\home\Application Data\Malwarebytes
2008-10-02 18:07 . 2008-10-02 18:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-09-27 14:25 . 2008-10-10 09:49 24,414 ---hs---- C:\WINDOWS\system32\disk.ico
2008-09-23 22:09 . 2008-10-01 15:01 <DIR> d-------- C:\Program Files\DC++
2008-09-18 18:32 . 2008-09-18 18:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Trymedia

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-09 16:01 68,768 ----a-w C:\WINDOWS\system32\mmsystem.dll
2008-10-04 19:27 --------- d-----w C:\Program Files\GameHouse Games Collection
2008-10-04 16:53 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-09-27 12:37 --------- d-----w C:\Documents and Settings\home\Application Data\Winamp
2008-09-23 20:55 --------- d-----w C:\Program Files\LimeWire
2008-09-20 21:38 --------- d-----w C:\Documents and Settings\home\Application Data\Wildfire
2008-09-01 21:30 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-18 20:30 --------- d-----w C:\Documents and Settings\home\Application Data\Mount&Blade
2008-08-17 14:21 --------- d-----w C:\Program Files\Pro Evolution Soccer 2008
2008-08-16 18:55 --------- d-----w C:\Program Files\Samsung
2008-08-16 18:30 --------- d-----w C:\Program Files\Analog Devices
2008-07-31 08:41 68,616 ----a-w C:\WINDOWS\system32\XAPOFX1_1.dll
2008-07-31 08:41 238,088 ----a-w C:\WINDOWS\system32\xactengine3_2.dll
2008-07-31 08:40 509,448 ----a-w C:\WINDOWS\system32\XAudio2_2.dll
2008-07-18 20:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-18 20:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-18 20:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
2008-07-18 20:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
2008-07-18 20:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-18 20:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-18 20:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-18 20:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-07-12 06:18 467,984 ----a-w C:\WINDOWS\system32\d3dx10_39.dll
2008-07-12 06:18 3,851,784 ----a-w C:\WINDOWS\system32\D3DX9_39.dll
2008-07-12 06:18 1,493,528 ----a-w C:\WINDOWS\system32\D3DCompiler_39.dll
2007-06-26 15:18 32 ----a-r C:\Documents and Settings\All Users\hash.dat
2005-09-27 12:28 163,840 --sh--w C:\WINDOWS\system32\notepod.exe
2005-10-10 07:49 163,840 --sh--w C:\WINDOWS\system32\rsvp.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OM_Monitor"="C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe" [2005-11-29 57344]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-18 68856]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2007-04-04 165784]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2005-05-20 925696]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2005-08-06 61440]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 155648]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2004-09-05 847872]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2003-11-30 32768]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-08-07 282624]
"Device Detector"="C:\Program Files\Common Files\ACD Systems\EN\DevDetect.exe" [2003-09-17 212992]
"OM_Monitor"="C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe" [2005-11-29 40960]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2008-07-09 36352]
"flockbox"="C:\Program Files\My Lockbox\flockbox.exe" [2007-12-14 1071472]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2004-10-27 C:\WINDOWS\system32\HdAShCut.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
ATI CATALYST System Tray.lnk - C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe [2005-08-06 61440]
Media Key.lnk - C:\Program Files\Media Key\MagicKey.exe [2006-08-07 159744]
Microsoft Office OneNote 2003 Quick Launch.lnk - C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE [2007-04-19 64864]
Remote Control.lnk - C:\Program Files\KWorld Multimedia\PVR-TV 7131 Utilities\P3XRCtl.exe [2006-08-07 57344]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.MJPG"= pvmjpg21.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\DC++\\DCPlusPlus.exe"=
"C:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=
"C:\\Program Files\\EA GAMES\\Battlefield 2\\Bf2_w32ded.exe"=
"C:\\Program Files\\valve\\hl.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\Pro Evolution Soccer 2008\\PES2008.exe"=
"C:\\Program Files\\valve\\hltv.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

R0 MPRIFL;MPRIFL;C:\WINDOWS\system32\DRIVERS\MPRIFL.SYS [2007-12-13 17264]
R1 kbfilter;Keyboard Filter Driver;C:\WINDOWS\system32\drivers\kbfilter.sys [2002-07-11 12856]
R1 UsbFltr;WayTechUSBFilterDriver;C:\WINDOWS\system32\drivers\UsbFltr.sys [2003-12-29 8576]
R3 Cap713x;Philips Cap713x Video Capture;C:\WINDOWS\system32\DRIVERS\Cap713x.sys [2005-05-04 686080]
S3 ss_bus;SAMSUNG Mobile USB Device 1.0 driver (WDM);C:\WINDOWS\system32\DRIVERS\ss_bus.sys [2005-08-30 58320]
S3 ss_mdfl;SAMSUNG Mobile USB Modem 1.0 Filter;C:\WINDOWS\system32\DRIVERS\ss_mdfl.sys [2005-08-30 8304]
S3 ss_mdm;SAMSUNG Mobile USB Modem 1.0 Drivers;C:\WINDOWS\system32\DRIVERS\ss_mdm.sys [2005-08-30 94000]
S3 SUSCOM;Susteen Serial port driver;C:\WINDOWS\system32\DRIVERS\SUSCOM.SYS [2002-10-22 40448]
S3 usnjsvc;Messenger Sharing Folders USN Journal Reader service;C:\Program Files\Windows Live\Messenger\usnsvc.exe [2007-10-18 98328]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{abeb5c28-f79a-11dc-91b8-000e5c3a2bcd}]
\Shell\Auto\command - G:\UFO.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL UFO.exe
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\home\Application Data\Mozilla\Firefox\Profiles\sv7f5quf.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.yahoo.com/
FF -: plugin - C:\Program Files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-10 10:24:31
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\lsass.exe
-> C:\WINDOWS\system32\imon.dll
.
Completion time: 2008-10-10 10:27:40
ComboFix-quarantined-files.txt 2008-10-10 08:27:24

Pre-Run: 79.733.923.840 bytes free
Post-Run: 79,720,222,720 bytes free

139 --- E O F --- 2008-09-10 10:04:51
[ kristi1 @ 10.10.2008. 11:55 ] @
OK, copy this into Notepad and save it as CFScript on the desktop

Code:
File::
C:\WINDOWS\system32\notepod.exe


Drag it with the left mouse button onto ComboFix.
When the process finishes click Start \ Run, type Combofix /u and OK. Wait for ComboFix to uninstall (it will also reset System Restore automatically).
[ Bum @ 10.10.2008. 12:17 ] @
One more question, what about this rsvp.exe that it reports?
[ kristi1 @ 10.10.2008. 12:25 ] @
That is some process for audio and video streaming, not that important, but it doesn't have to be removed, it isn't a parasite. Do you have any problems now? Oh, I almost forgot, it wouldn't be a bad idea to uninstall that Java and install a new version. Download the JavaRa program from here http://sourceforge.net/project...JavaRa.zip&use_mirror=osdn
Click Remove older versions; when it shows the log, click Search for updates, choose the lower option and click Search. That will take you to the site where you can download the latest Java.
Download Wise Registry Cleaner and Wise Disk Cleaner, both are free little programs; tidy up the registry and disk a bit and the computer will run better.
[ Bum @ 10.10.2008. 13:27 ] @
Problem solved, ComboFix obviously did the job, since those files no longer appear at startup or when opening Notepad, and NOD says everything is clean. Thank you very much, and thanks to the others who tried to help. I think I updated Java recently but I'm not sure; I'll do it anyway, and I'll probably change the AV too.

Thanks once again
[ drvlada75 @ 10.10.2008. 14:53 ] @
I said it, ComboFix rules..
Though Kristi did the lion's share of the work...
[ kristi1 @ 10.10.2008. 14:58 ] @
Yes, it rules; it automatically cleaned those other files, but only notepod.exe remained, which wasn't visible in the HJT log, so I knew CF would either clean it right away or expose it so we could remove it.
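The point in kristi1's post above is that the file HijackThis never listed only surfaced in ComboFix's Find3M section, as a hidden+system executable in system32. As an added example (editor's code, not from the thread and not part of ComboFix or HijackThis), the Python below reads a ComboFix-style log and pulls out the three things in Bum's log a practitioner would want flagged: executables under system32 carrying both the hidden and system attributes (notepod.exe and rsvp.exe, both 163,840 bytes with the same attribute string, so rsvp.exe deserves the same look regardless of its name), the mountpoints2 handlers that make a removable drive G: launch UFO.exe on insertion (an autorun hijack whether or not it is the same infection), and the Windows Firewall policy being disabled. The sample lines are copied from the log above; the attribute-letter reading and the extension list are the example's own assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the ComboFix log posted above, so the
# script runs offline. Backslashes are doubled because this is a normal
# Python string literal.
SAMPLE_LOG = """\
2008-10-09 21:24 . 2008-10-09 21:25 <DIR> d-------- C:\\Program Files\\Trend Micro
2008-09-27 14:25 . 2008-10-10 09:49 24,414 ---hs---- C:\\WINDOWS\\system32\\disk.ico
2008-10-09 16:01 68,768 ----a-w C:\\WINDOWS\\system32\\mmsystem.dll
2008-10-04 16:53 --------- d-----w C:\\Program Files\\Spybot - Search & Destroy
2005-09-27 12:28 163,840 --sh--w C:\\WINDOWS\\system32\\notepod.exe
2005-10-10 07:49 163,840 --sh--w C:\\WINDOWS\\system32\\rsvp.exe
[HKLM\\~\\services\\sharedaccess\\parameters\\firewallpolicy\\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKEY_CURRENT_USER\\software\\microsoft\\windows\\currentversion\\explorer\\mountpoints2\\{abeb5c28-f79a-11dc-91b8-000e5c3a2bcd}]
\\Shell\\Auto\\command - G:\\UFO.exe
\\Shell\\AutoRun\\command - C:\\WINDOWS\\system32\\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL UFO.exe
"""

# One file or directory entry as printed in the "Files Created" and "Find3M"
# sections: timestamp [ . timestamp] size attributes path
FILE_LINE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2})"
    r"(?: \. \d{4}-\d{2}-\d{2} \d{2}:\d{2})?"
    r" (<DIR>|[\d,]+|-+) ([-a-z]+) (.+)$"
)
KEY_LINE = re.compile(r"^\[(.+)\]$")
# Assumed set of extensions worth treating as executable content.
EXECUTABLE = (".exe", ".dll", ".sys", ".scr", ".com", ".pif", ".cpl")


@dataclass
class Finding:
    kind: str    # "hidden-system-executable", "autorun-hijack" or "firewall-off"
    detail: str


def triage(log_text: str) -> list[Finding]:
    """Scan a ComboFix-style log and return the entries worth a second look."""
    findings = []
    current_key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        key = KEY_LINE.match(line)
        if key:
            current_key = key.group(1).lower()
            continue
        # mountpoints2 holds Explorer's per-volume autorun handlers; a
        # \Shell\Auto or \Shell\AutoRun command pointing at an .exe on the
        # drive is the usual footprint of a worm spread by removable media.
        if "mountpoints2" in current_key and line.lower().startswith("\\shell\\"):
            findings.append(Finding("autorun-hijack", line))
            continue
        if "firewallpolicy" in current_key and line.startswith('"EnableFirewall"= 0'):
            findings.append(Finding("firewall-off", current_key))
            continue
        m = FILE_LINE.match(line)
        if not m:
            continue
        size, attrs, path = m.group(2), m.group(3), m.group(4)
        lower = path.lower()
        # ComboFix's attribute string carries 'h' (hidden) and 's' (system);
        # a binary in system32 with both set is exactly what HijackThis,
        # which only walks autostart locations, never shows.
        if (lower.endswith(EXECUTABLE)
                and lower.startswith("c:\\windows\\system32\\")
                and "h" in attrs and "s" in attrs):
            findings.append(Finding("hidden-system-executable",
                                    f"{path} ({size} bytes, {attrs})"))
    return findings


def flagged_paths(log_text: str) -> list[str]:
    """Only the paths of hidden+system executables, for a quick review list."""
    return [f.detail.split(" (")[0] for f in triage(log_text)
            if f.kind == "hidden-system-executable"]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:26} {f.detail}")
```

Run it against the full C:\ComboFix.txt instead of the embedded sample to get the same three categories for a real log; anything it flags under system32 is a candidate for the `File::` section of a CFScript, after checking the file's publisher and hash rather than its name.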
[ dacarica @ 10.01.2009. 01:03 ] @
It looks like I've caught it too, do you have a solution?


I only noticed haozs0.dll and, as I see on the net, it's some rootkit or something like that; come on, if you solved it, help.....?
[ magna86 @ 10.01.2009. 06:42 ] @
Open a new thread and attach the HJT log ;)

Download the HiJackThis program:


Put it in a separate folder on the Desktop
Rename the folder to ES2 and the program to ES2.exe

* Run HijackThis
* Choose the option "Do a system scan and save the logfile"
* At the end of the scan the program will produce a text log.
* Copy that log here (copy / paste)
[ Pkt @ 10.01.2009. 23:21 ] @
Quote:
TijanaR: OK, now, nicely, from the beginning...

- Turn off System Restore (System Properties > System Restore > tick Turn off System Restore on all drives)
- Empty the Recycle Bin
- Delete the contents of the C:\Windows\Temp folder
- Empty Temporary Internet Files

Then all the rest...

Maybe try a Spybot S&D scan from Safe Mode.


And why is it important for System Restore to be turned off?

I am facing a problem (a virus). Namely, on every partition or any storage medium (USB flash or MP3 player), after I plug them in (for USB and MP3), I get the hidden folders RECYCLER and System Volume Information. After I scan them Avast finds a virus. I delete both the folders and the viruses from all partitions and all memory devices, and they appear again!

I don't know whether the following problem is caused by the one above, but this also happens to me. I'm working normally and suddenly the svchost.exe process shuts down and a Visual Studio 2008 window appears offering Debug and Close options. As long as I don't click Close, the internet and music keep working. If I click Close, the bar at the bottom where the Start button is briefly loses the XP skin and gets the plain one, as if the explorer.exe process were restarting. After that I can't get on the internet (it's dial-up) nor can I play music, because it reports that there are no drivers. What should I do?

I have one more problem. In the company where I'm doing a sort of internship there are about 15 computers and I keep getting the same viruses, which Avast finds somewhere in documents and settings/system information/xcxswrz.jpg, SOMETHING LIKE THAT. And often a computer can't shut down, it just freezes, and it can't start either because it has some virus that I can only delete from Safe Mode with Avast. But Avast keeps deleting them and after a while the same viruses show up again.




[ dacarica @ 22.01.2009. 14:23 ] @
kristi and magna explained it to you nicely: you must turn off System Restore because that is where the program restores whatever it is missing from... so follow orders and do what those guys told you.... and after that, if you can update your antivirus (which wasn't the case for me; read the separate thread '...nesto jeste a ne znam sta je'), run a full scan and everything will be done (besides the deleted executable files it will also delete the *.dll libraries, of course the ones the virus uses, and you will probably restart the computer so it can scan again before Windows itself loads (I used NAV 2009), and in the best case it will tell you what was changed in the registry, and that you will have to change by hand (e.g. in my case it changed folder settings to hidden and I couldn't restore it through Windows)). And one more thing, be sure to install the latest patches for Windows!!!!
[ dacarica @ 22.01.2009. 14:27 ] @
Oh yes, I forgot to mention this: download Tweak UI PowerToy (a Microsoft tool) and use it to turn off the Autorun options (because that is how you get infected most often) on all devices, even the hard drives.
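Pkt's RECYCLER and System Volume Information folders reappearing on every drive and dacarica's advice to turn AutoRun off on every device are two sides of the same mechanism: an autorun.inf in the root of each volume. As an added example (editor's code, not from the thread and not Tweak UI's), the Python below parses a constructed autorun.inf the way Explorer reads it, lists every command it can get Explorer to run (the `open` and `shellexecute` keys fire on insertion; the command of the default `shell` verb still fires on a double-click of the drive icon even when AutoRun is off), and decodes the `NoDriveTypeAutoRun` policy value, which is the registry setting behind Explorer's per-drive-type AutoRun behaviour (that the Tweak UI checkboxes write this value is an assumption here; verify with regedit). 0xFF is the value that disables it for all drive types. The sample file and the setup.exe name are constructed for the example.

```python
# Constructed sample (not a real capture): an autorun.inf of the kind dropped
# in the root of every volume by USB worms of this period. The RECYCLER path
# mirrors the hidden folders Pkt describes; setup.exe is an invented name.
SAMPLE_AUTORUN_INF = """\
[AutoRun]
OPEN=RECYCLER\\setup.exe
icon=%SystemRoot%\\system32\\SHELL32.dll,4
shell\\Open=&Open
shell\\Open\\Command=RECYCLER\\setup.exe
shell\\explore\\command=RECYCLER\\setup.exe /e
shell=Open
"""

# Bits of HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\
# NoDriveTypeAutoRun; a set bit disables AutoRun for that drive type.
DRIVE_TYPE_BITS = {
    0x01: "unknown",
    0x04: "removable",
    0x08: "fixed",
    0x10: "network",
    0x20: "cd-rom",
    0x40: "ram disk",
    0x80: "unknown (reserved)",
}
XP_DEFAULT_MASK = 0x91   # unknown + network + reserved: removable and CD-ROM still autorun
DISABLE_ALL_MASK = 0xFF  # what "turn AutoRun off on all devices" amounts to


def parse_autorun_inf(text: str) -> dict[str, str]:
    """Keys of the [autorun] section, names lowercased (Explorer matches
    section and key names case-insensitively); a repeated key keeps the last value."""
    keys = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            name, value = line.split("=", 1)
            keys[name.strip().lower()] = value.strip()
    return keys


def launch_targets(text: str) -> dict[str, str]:
    """Map each launch vector to the command it would run: 'open' and
    'shellexecute' on insertion, plus the default verb's command (the
    double-click vector). Other shell verbs are left out on purpose."""
    keys = parse_autorun_inf(text)
    targets = {}
    for name in ("open", "shellexecute"):
        if name in keys:
            targets[name] = keys[name]
    verb = keys.get("shell", "").lower()
    command = f"shell\\{verb}\\command"
    if verb and command in keys:
        targets[command] = keys[command]
    return targets


def hides_in_system_folder(path: str) -> bool:
    """True when the target sits in a folder Explorer hides by default."""
    first = path.replace("/", "\\").lstrip("\\").split("\\", 1)[0].strip().lower()
    return first in {"recycler", "recycled", "$recycle.bin", "system volume information"}


def autorun_disabled_for(mask: int) -> set[str]:
    """Drive types for which the given NoDriveTypeAutoRun value disables AutoRun."""
    return {name for bit, name in DRIVE_TYPE_BITS.items() if mask & bit}


def assess(text: str, mask: int) -> list[str]:
    """One verdict line per launch vector, for a removable drive under `mask`."""
    notes = []
    removable_blocked = "removable" in autorun_disabled_for(mask)
    for vector, target in launch_targets(text).items():
        hidden = " (inside a hidden system folder)" if hides_in_system_folder(target) else ""
        if vector in ("open", "shellexecute"):
            state = "blocked by policy" if removable_blocked else "runs on insertion"
        else:
            state = "runs on double-click of the drive even with AutoRun off"
        notes.append(f"{vector}: {target}{hidden}: {state}")
    return notes


if __name__ == "__main__":
    for mask in (XP_DEFAULT_MASK, DISABLE_ALL_MASK):
        print(f"NoDriveTypeAutoRun=0x{mask:02X} disables: {sorted(autorun_disabled_for(mask))}")
        for note in assess(SAMPLE_AUTORUN_INF, mask):
            print("  " + note)
```

The second vector is why setting the policy alone does not finish the job: the drive must also be opened by path (or from a Linux live system, as euripyd suggests) rather than by double-clicking its icon, until the autorun.inf and the hidden folder it points into are gone from every volume.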