Trojan downloader agent - how do I remove it?

[ Views: 11714 | Replies: 32 ]

Bum
Trojan downloader agent - how do I remove it? 08.10.2008 at 18:39
Every time I turn the computer on it shows up again, no matter how many times I delete it. NOD32 finds it in system32 under the name dx6vcl.dll but can't remove it, while a more detailed scan finds the files notepod.exe and rsvp.exe (which I mostly find in C:/Windows/Prefetch). It activates every time a text file is opened in Notepad. Honestly, I would accept any solution other than reinstalling Windows, since I don't have the nerves to install everything again and lose a pile of things; I wouldn't risk moving the data and files to another hard disk or a stick either, since I'm worried the virus would sneak through again when I reinstall Windows and restore the data...
please help

thanks in advance
 

magna86 (Anti Malware Fighter)
Re: Trojan downloader agent - how do I remove it? 08.10.2008 at 18:52
Update NOD32, then scan from Safe Mode.
Download, update and then also scan with Malwarebytes Anti-Malware from Safe Mode.
Later, download, update and also scan with Spybot S&D (not from Safe Mode).

If the problem still occurs after this:
Download the HijackThis program from the following link:
http://www.majorgeeks.com/download5554.html
Put it in a separate folder on the Desktop.
Rename the folder and the program (Rename option) to Systav.exe

* Run HijackThis
* Choose the option "Do a system scan and save the logfile"
* At the end of the scan the program will produce a text log.
* Copy that log here (copy / paste)

good luck :)
 

Bum
Re: Trojan downloader agent - how do I remove it? 08.10.2008 at 22:26
It found nothing with Anti-Malware or with Spybot; with NOD it only couldn't open pagefile.sys, prefetch/layout.ini and system32/drivers/sptd.sys.

Even though it found nothing, I opened Notepad, typed something random and saved it on the desktop; when I opened it, NOD32 again reported a virus: probably modified trojan Win32/TrojanDownloader.Agent in C:/WINDOWS/system32/dx6vcl.dll

Here's the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:19:10, on 8.10.2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\ACD Systems\EN\DevDetect.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\My Lockbox\flockbox.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\Media Key\MagicKey.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\KWorld Multimedia\PVR-TV 7131 Utilities\P3XRCtl.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Media Key\OSD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.posted.co.yu/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [RemoteControl] C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Device Detector] "C:\Program Files\Common Files\ACD Systems\EN\DevDetect.exe" -autorun
O4 - HKLM\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [flockbox] C:\Program Files\My Lockbox\flockbox.exe /a
O4 - HKCU\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe -NoStart
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: Media Key.lnk = C:\Program Files\Media Key\MagicKey.exe
O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: Remote Control.lnk = C:\Program Files\KWorld Multimedia\PVR-TV 7131 Utilities\P3XRCtl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/...ngerStatsPAClient.cab56907.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Unknown owner - C:\Program Files\Eset\nod32krn.exe

--
End of file - 6272 bytes






 

C.R.E.A.M. (Valjevo)
Re: Trojan downloader agent - how do I remove it? 08.10.2008 at 23:11
Try deleting C:/WINDOWS/system32/dx6vcl.dll manually from Safe Mode. Or maybe it's easier for you to remove it with Trojan Remover.
Cash Rules Everything Around Me.
 

magna86 (Anti Malware Fighter)
Re: Trojan downloader agent - how do I remove it? 09.10.2008 at 00:15
1. You didn't follow the HijackThis instructions.
2. This log you posted is clean...

Download this program:
http://www.gmer.net/gmer.zip

Put it in some folder,
choose Rootkit/Malware
and click Scan.

PS: be sure to delete C:/WINDOWS/system32/dx6vcl.dll
from Safe Mode (Shift+Delete)
 

Bum
Re: Trojan downloader agent - how do I remove it? 09.10.2008 at 08:06
@C.R.E.A.M.
I already tried Trojan Remover the day before yesterday; my computer completely gave up and froze, and I somehow managed to boot Windows again.


@magna86
I don't believe I failed to follow the HijackThis instructions. As for deleting dx6vcl.dll, of course I would have deleted it already if I could see it at all; it doesn't show up at all... after I scan with GMER, what then? Should I post the log?
I again see that file in Prefetch, NOTEPOD.EXE-2CBCD0BE.pf, which always appears on restart.

Does anyone know the actual purpose of this virus, what it's for? I assume it came via USB, but I'm not sure.
 

kristi1
Re: Trojan downloader agent - how do I remove it? 09.10.2008 at 08:35
@Bum Put HJT in some folder and rename it to, for example, bum.exe, then run the HJT log again; that is, rename both the folder and HJT. And post the log here.
 

Bum
Re: Trojan downloader agent - how do I remove it? 09.10.2008 at 10:58
I still don't get what's wrong, but I guess it's fine now

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:57:51, on 9.10.2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\ACD Systems\EN\DevDetect.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\My Lockbox\flockbox.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\Media Key\MagicKey.exe
C:\Program Files\KWorld Multimedia\PVR-TV 7131 Utilities\P3XRCtl.exe
C:\Program Files\Media Key\OSD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.posted.co.yu/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [RemoteControl] C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Device Detector] "C:\Program Files\Common Files\ACD Systems\EN\DevDetect.exe" -autorun
O4 - HKLM\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [flockbox] C:\Program Files\My Lockbox\flockbox.exe /a
O4 - HKCU\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe -NoStart
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: Media Key.lnk = C:\Program Files\Media Key\MagicKey.exe
O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: Remote Control.lnk = C:\Program Files\KWorld Multimedia\PVR-TV 7131 Utilities\P3XRCtl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/...ngerStatsPAClient.cab56907.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Unknown owner - C:\Program Files\Eset\nod32krn.exe

--
End of file - 6190 bytes
 

drvlada75 (Prokuplje)
Re: Trojan downloader agent - how do I remove it? 09.10.2008 at 12:41
Try ComboFix and Spyware Terminator!
Be careful with the second one; be sure to look at what it offers to delete!
 

kristi1
Re: Trojan downloader agent - how do I remove it? 09.10.2008 at 12:56
What's wrong is that you didn't rename it; instead of hijackthis.exe you should have used bum.exe. That's important, because if malware sees HJT as such, it hides from it and doesn't appear in the log; second, if there are O20 and O2 lines, it won't show everything as HJT.exe. You weren't told twice to do that for nothing.
Third, don't use ComboFix on your own if you don't know what you're doing, because it changes settings on the computer.
 

mihajilo (ns)
Re: Trojan downloader agent - how do I remove it? 09.10.2008 at 16:24
I can see Explorer.EXE from a mile away, and something's not right there. When scanning with NOD, kill Explorer.EXE.
Try killing that Explorer.EXE, then from Task Manager's Run start explorer.exe and see what it launches: this one with capital letters or the normal one all in lowercase.

Download Sysinternals' Process Explorer and look at everything that's running attached to Explorer.exe; see where it's located too; that's where the vermin is, so kill it.
The recommendation is to try a boot scan with some antivirus; I know Avast 4.8 has that. After this it should be gone.

Try it and report back.
That's all from me.
 

kristi1
Re: Trojan downloader agent - how do I remove it? 09.10.2008 at 16:56
Quote:
from Task Manager's Run start explorer.exe and see what it launches: this one with capital letters or the normal one all in lowercase.


What does it matter whether the letters are lowercase or uppercase, it will launch the same explorer for him; I don't see what's wrong with that process.
 

Bum
Re: Trojan downloader agent - how do I remove it? 09.10.2008 at 17:23
It's the same with a lowercase or uppercase exe. I ran NOD again and now it finds a win32/mefir.a worm alongside notepod.exe and rsvp.exe.... that HijackThis log is always the same; I followed the instructions anyway. I feel like I'm making some stupid mistake... Anyway, as far as I can see, a reinstall is looming... I really don't know how someone can come up with such persistent vermin, and I don't know what it's for either; who knows what it has messed up...
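Bum says the HijackThis log "is always the same". One way to check that mechanically, as an added example that is not from the thread or from HijackThis itself: a small Python parser that splits a log into its running-process list and its R/O entries, diffs two logs case-insensitively (Windows paths are case-insensitive, which is why Explorer.EXE versus explorer.exe makes no difference), and lists O4 autoruns that name a bare file with no directory. The two log excerpts are constructed from the logs posted above and shortened to a few lines per section.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed excerpts of the first and third HijackThis logs posted in the
# thread (only a few lines per section are kept; the paths are the thread's).
LOG_BEFORE = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:19:10, on 8.10.2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Unknown owner - C:\Program Files\Eset\nod32krn.exe

--
End of file - 6272 bytes
"""

LOG_AFTER = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:39:10, on 9.10.2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\bum.exe\bum.exe.exe

O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Unknown owner - C:\Program Files\Eset\nod32krn.exe

--
End of file - 6190 bytes
"""

# An entry line looks like "O4 - <body>" or "R0 - <body>".
ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d{1,2}) - (?P<body>.*)$")
# Run-key O4 bodies look like "HKLM\..\Run: [name] command".
O4_RUN_RE = re.compile(r"\[(?P<name>[^\]]*)\] (?P<cmd>.+)$")


def parse_hjt(text: str) -> dict:
    """Split a HijackThis log into header lines, the 'Running processes'
    list and the R/F/N/O entries grouped by their code (e.g. 'O4', 'O23')."""
    header: List[str] = []
    processes: List[str] = []
    entries: Dict[str, List[str]] = {}
    section = "header"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "Running processes:":
            section = "processes"
            continue
        if line == "--" or line.startswith("End of file"):
            section = "footer"
            continue
        m = ENTRY_RE.match(line)
        if m:
            section = "entries"
            entries.setdefault(m.group("code"), []).append(m.group("body"))
        elif section == "header":
            header.append(line)
        elif section == "processes":
            processes.append(line)
    return {"header": header, "processes": processes, "entries": entries}


def _norm(items) -> Set[str]:
    # Windows paths are case-insensitive, so compare in lowercase; otherwise
    # Explorer.EXE and explorer.exe would show up as a spurious difference.
    return {s.lower() for s in items}


def diff_hjt(old_text: str, new_text: str) -> Dict[str, Tuple[Set[str], Set[str]]]:
    """Return {section: (removed, added)} for every section that changed."""
    old, new = parse_hjt(old_text), parse_hjt(new_text)
    changes: Dict[str, Tuple[Set[str], Set[str]]] = {}
    before, after = _norm(old["processes"]), _norm(new["processes"])
    if before != after:
        changes["processes"] = (before - after, after - before)
    for code in sorted(set(old["entries"]) | set(new["entries"])):
        before = _norm(old["entries"].get(code, []))
        after = _norm(new["entries"].get(code, []))
        if before != after:
            changes[code] = (before - after, after - before)
    return changes


def unpathed_autoruns(parsed: dict) -> List[str]:
    """Names of O4 Run entries whose command is a bare file name with no
    directory, so the image is resolved at logon through the search path
    instead of a fixed location; these deserve a second look in triage."""
    hits: List[str] = []
    for body in parsed["entries"].get("O4", []):
        m = O4_RUN_RE.search(body)
        if not m:
            continue  # "Global Startup: x.lnk = path" entries have another shape
        cmd = m.group("cmd").strip()
        exe = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split()[0]
        if "\\" not in exe:
            hits.append(m.group("name"))
    return hits


if __name__ == "__main__":
    for section, (removed, added) in diff_hjt(LOG_BEFORE, LOG_AFTER).items():
        print(section, "removed:", sorted(removed), "added:", sorted(added))
    print("unpathed O4 entries:", unpathed_autoruns(parse_hjt(LOG_BEFORE)))
```

On the excerpts above the only change is in the process list (nod32kui.exe gone, HijackThis running under its renamed path); the autorun and service entries are identical, which is what "clean and unchanged" looks like in this format.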
 

magna86 (Anti Malware Fighter)
Re: Trojan downloader agent - how do I remove it? 09.10.2008 at 19:17
Damn it... this log is clean...

You could fix some lines in the HJT log, but
I don't believe that will solve the thing...

And are you sure that NOD is... OK? That it isn't the one messing up?
If you're willing, download Avast or, better still, Kaspersky Internet Security, and if they stay quiet too... well... I don't know, maybe it's a false alarm.
Otherwise, do you have any concrete problems? Can you post NOD's log or a screenshot? So we can see what it reports.
GMER found nothing? Just tell us that: did it find anything?
As for the rename...

Find the following file:
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

Rename both HJT.exe (the program) and the folder it's in, i.e. change it to bum.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

That is, the setup and, if possible, the folder... delete the copies and run it from there.
Run HJT from there and post the log again... hopefully it will show some malware.

Of course, take the USB stick out... you will format the USB stick.

..........................

Although... I don't believe a virus is involved here...
This is probably a clean computer...
Either NOD is messing up or... I don't know
 

Bum
Re: Trojan downloader agent - how do I remove it? 09.10.2008 at 20:50
Well, you know, NOD hasn't caused me a problem in the last 3-4 years I've been using it, though after this I'll probably think about changing AV. I'm not so sure this isn't a virus; when you type notepod.exe into Google you can see even now what comes up, it links them with dx6vcl.dll and rsvp.exe........ The last time I ran a detailed scan with NOD (a few hours ago) it said it had found 3 viruses (honestly I can't be bothered to run NOD again, since it would scan for an hour, so I won't post a screenshot), but those viruses were:
1. C:/system32/win32/Mefir.A worm (this one showed up for the first time today)
2. notepod.exe NewHeur_PE
3. rsvp.exe NewHeur_PE

All in all, it shows all three as some kind of modified trojan.

GMER didn't tell me anything in particular, but here's its log, so if it clears anything up for you, great.


GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2008-10-09 08:54:22
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.14 ----

SSDT sptd.sys ZwCreateKey [0xF73E70D0]
SSDT sptd.sys ZwEnumerateKey [0xF73ECE2C]
SSDT sptd.sys ZwEnumerateValueKey [0xF73ED1BA]
SSDT sptd.sys ZwOpenKey [0xF73E70B0]
SSDT sptd.sys ZwQueryKey [0xF73ED292]
SSDT sptd.sys ZwQueryValueKey [0xF73ED112]
SSDT sptd.sys ZwSetValueKey [0xF73ED324]

---- Kernel code sections - GMER 1.0.14 ----

? C:\WINDOWS\system32\drivers\sptd.sys The process cannot access the file because it is being used by another process.
.text USBPORT.SYS!DllUnload F69278AC 5 Bytes JMP 86CD51C8
? System32\Drivers\aunb64pa.SYS The system cannot find the file specified. !

---- Kernel IAT/EAT - GMER 1.0.14 ----

IAT \WINDOWS\System32\Drivers\SCSIPORT.SYS[ntoskrnl.exe!IoConnectInterrupt] [F73FD886] sptd.sys
IAT pci.sys[ntoskrnl.exe!IoDetachDevice] [F73FD832] sptd.sys
IAT pci.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [F741F892] sptd.sys
IAT atapi.sys[ntoskrnl.exe!IoConnectInterrupt] [F73FD886] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F73E7AD4] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [F73E7C1A] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [F73E7B9C] sptd.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [F73E8748] sptd.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [F73E861E] sptd.sys
IAT \SystemRoot\System32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [F73FCACA] sptd.sys

---- Devices - GMER 1.0.14 ----

Device \FileSystem\Ntfs \Ntfs 86FD11E8

AttachedDevice \FileSystem\Ntfs \Ntfs MPRIFL.SYS (My Private Folder driver/FSPro Labs)
AttachedDevice \FileSystem\Ntfs \Ntfs amon.sys (Amon monitor/Eset)

Device \Driver\PCI_NTPNP3160 \Device\00000042 sptd.sys
Device \Driver\PCI_NTPNP3160 \Device\00000042 sptd.sys
Device \Driver\usbuhci \Device\USBPDO-0 86D801E8
Device \Driver\dmio \Device\DmControl\DmIoDaemon 86F661E8
Device \Driver\dmio \Device\DmControl\DmConfig 86F661E8
Device \Driver\dmio \Device\DmControl\DmPnP 86F661E8
Device \Driver\dmio \Device\DmControl\DmInfo 86F661E8
Device \Driver\usbuhci \Device\USBPDO-1 86D801E8
Device \Driver\usbuhci \Device\USBPDO-2 86D801E8
Device \Driver\usbuhci \Device\USBPDO-3 86D801E8
Device \Driver\usbehci \Device\USBPDO-4 86CBE1E8
Device \Driver\Ftdisk \Device\HarddiskVolume1 86FD31E8
Device \Driver\NetBT \Device\NetBT_Tcpip_{6CEE628C-DEF3-4B1A-A9BC-CD73E13C62A5} 86AFD7A0
Device \Driver\Ftdisk \Device\HarddiskVolume2 86FD31E8
Device \Driver\Cdrom \Device\CdRom0 86C2C7A0
Device \Driver\Cdrom \Device\CdRom1 86C2C7A0
Device \Driver\NetBT \Device\NetBt_Wins_Export 86AFD7A0
Device \Driver\NetBT \Device\NetBT_Tcpip_{6C69AF31-810E-4F3B-9A07-8F2870E94919} 86AFD7A0
Device \Driver\NetBT \Device\NetbiosSmb 86AFD7A0
Device \Driver\usbuhci \Device\USBFDO-0 86D801E8
Device \Driver\usbuhci \Device\USBFDO-1 86D801E8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 868401E8
Device \Driver\usbuhci \Device\USBFDO-2 86D801E8
Device \FileSystem\MRxSmb \Device\LanmanRedirector 868401E8
Device \Driver\usbuhci \Device\USBFDO-3 86D801E8
Device \Driver\usbehci \Device\USBFDO-4 86CBE1E8
Device \Driver\Ftdisk \Device\FtControl 86FD31E8
Device \Driver\aunb64pa \Device\Scsi\aunb64pa1 86C2D1E8
Device \Driver\aunb64pa \Device\Scsi\aunb64pa1Port4Path0Target0Lun0 86C2D1E8
Device \FileSystem\Cdfs \Cdfs 86C761E8

---- Registry - GMER 1.0.14 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x5C 0xFB 0x49 0x34 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x12 0x21 0x51 0x41 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x43 0x49 0xF9 0x9D ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0x41 0x17 0x09 0x22 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x5C 0xFB 0x49 0x34 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x12 0x21 0x51 0x41 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x43 0x49 0xF9 0x9D ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0x41 0x17 0x09 0x22 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x5C 0xFB 0x49 0x34 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x12 0x21 0x51 0x41 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xD9 0xFF 0x24 0x3F ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0x41 0x17 0x09 0x22 ...

---- EOF - GMER 1.0.14 ----


Here's the new HijackThis log too, following your latest instructions:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:39:10, on 9.10.2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\ACD Systems\EN\DevDetect.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\My Lockbox\flockbox.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\Media Key\MagicKey.exe
C:\Program Files\KWorld Multimedia\PVR-TV 7131 Utilities\P3XRCtl.exe
C:\Program Files\Media Key\OSD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\bum.exe\bum.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.posted.co.yu/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [RemoteControl] C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Device Detector] "C:\Program Files\Common Files\ACD Systems\EN\DevDetect.exe" -autorun
O4 - HKLM\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [flockbox] C:\Program Files\My Lockbox\flockbox.exe /a
O4 - HKCU\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe -NoStart
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: Media Key.lnk = C:\Program Files\Media Key\MagicKey.exe
O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: Remote Control.lnk = C:\Program Files\KWorld Multimedia\PVR-TV 7131 Utilities\P3XRCtl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/...ngerStatsPAClient.cab56907.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Unknown owner - C:\Program Files\Eset\nod32krn.exe

--
End of file - 6266 bytes



As I stated above in my previous messages, the virus alert is triggered when I open some text file in Notepad. When I look in Prefetch I see that both notepad.exe and notepod.exe were opened, so that is one more reason why I think it is a virus, and when NOD shows me the virus message and I choose Rename it puts this file in system32: dx6vcl.Vdll,
with this V in front of dll. I have literally written out all the data about this virus that I found on the computer and that is related to it.




mihajilo
ns

Member no.: 38943
Posts: 159
*.ns.ac.yu.



+2 Profile

Re: Trojan downloader agent - how do I remove it? 09.10.2008. at 21:11 - 189 months ago
Quote:
kristi1: What difference does it make whether the letters are lowercase or uppercase, it will launch explorer for him all the same, I don't see anything wrong with that process.


I have run into that case several times where the explorer.exe process is replaced with Explorer.EXE or EXPLORER.EXE or some variation, and always only when some virus was involved; secondly, my assumption is that the virus hooks into a system process and NOD can't do anything to it, it is probably attached to explorer.exe.
Have you tried Process Explorer to see everything that gets launched along with explorer? Did you kill explorer every time before scanning?
Also download autoruns.exe, another tool from Sysinternals, and go through everything that starts up and disable everything superfluous (this requires basic knowledge of how a computer works, so it shouldn't be a problem for you). Once you have disabled all the junk, run a scan and you should be rid of the problem, and if the scanner is bad, delete the pest manually.
That's all from Majlo

kristi1

Member no.: 151211
Posts: 2012
*.ptt.rs.

Site: www.mycity.rs/Ambulanta


+88 Profile

Re: Trojan downloader agent - how do I remove it? 10.10.2008. at 06:18 - 189 months ago
mihajlo, that's not it in this case, explorer is fine here.

@Bum download ComboFix from here http://download.bleepingcomputer.com/sUBs/ComboFix.exe
Click on Nod in the system tray, from Threat Protection choose Amon, untick File system monitor - enabled.
Wait for it to turn red. When the cleaning is finished, turn this option back on.
Run ComboFix and don't touch the window while it scans.
When it finishes scanning the log will be at C:\ComboFix.txt
Copy it here on the forum.

Pali zari

Member no.: 49892
Posts: 634
*.ptt.rs.



+27 Profile

Re: Trojan downloader agent - how do I remove it? 10.10.2008. at 07:51 - 189 months ago
Something similar was happening to me; I solved the problem by downloading Avira antivirus and deleting the ridiculous nod32, which couldn't find anything, and that was it.
For those about to rock I salute you!
Immortal words of an immortal band.
AC/DC

TijanaR
Tijana Racunica
Pancevo

Member no.: 97729
Posts: 103
*.adsl.verat.net.



+4 Profile

Re: Trojan downloader agent - how do I remove it? 10.10.2008. at 08:01 - 189 months ago
NOD32 has lately been causing a huuuuuuge problem if it isn't legal. After more than three years of use I deleted it from my computer for good. I installed the Avast free version and it found the vermin (19 trojans, nicely tucked away) that neither NOD32 nor Spyware Terminator had found.
My advice is to replace NOD32 with some other AV (Avast, Avira), let it scan before Windows boots, and then report what happens.
the world is too round to sit silently in the corner

euripyd

Member no.: 10884
Posts: 1069
*.swipnet.se.



+7 Profile

Re: Trojan downloader agent - how do I remove it? 10.10.2008. at 09:19 - 189 months ago
Careful, there is a difference between explorer.exe and expIorer.exe - you can't see it in taskmgr.
The first is with an L and the second with an I.

Best to do it like this: identify which files are the trojans and where they are located.
Restart the computer with some linux-live variant.
Go to the problematic files and open them in NotePad (or whatever it's called), select all the text, delete it and save as an empty document. You can first copy them to a flash drive too, in case you delete the wrong files by mistake.
By the scorching sun!!
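The point euripyd makes above (a capital I in `expIorer.exe` is indistinguishable from the lowercase l of `explorer.exe` in Task Manager) is something a defender can check mechanically. The example below is added here and is not from this thread or from any tool the posters mention: it folds look-alike characters in a process name into their canonical letters, compares the result against a short list of Windows system binaries, and also checks that a process carrying a system binary's name runs from the directory that binary lives in. The confusable map, the binary list with its expected directories, and the process list are all constructed assumptions for the example (the list is not the process list from the log above).

```python
from typing import Dict, Iterable, List, Tuple

# Assumption: characters that read alike in the fonts Task Manager and most
# consoles use. Illustrative only, not a complete confusables table.
# Applied before lowercasing so that 'I' (capital i) becomes 'l' (lowercase L).
CONFUSABLES = str.maketrans({"I": "l", "1": "l", "|": "l", "0": "o"})

# Assumption: canonical system binaries and the directories they are expected
# to run from on a Windows XP installation like the one in this thread.
SYSTEM_BINARIES: Dict[str, Tuple[str, ...]] = {
    "explorer.exe": (r"c:\windows",),
    "svchost.exe":  (r"c:\windows\system32",),
    "notepad.exe":  (r"c:\windows", r"c:\windows\system32"),
    "ctfmon.exe":   (r"c:\windows\system32",),
}


def normalize(name: str) -> str:
    """Collapse look-alike characters, then lowercase, so that
    'expIorer.exe' and 'svch0st.exe' normalize to their canonical names."""
    return name.translate(CONFUSABLES).lower()


def check_process(name: str, path: str) -> List[str]:
    """Findings for one running process; an empty list means nothing unusual.

    Two checks: (1) the name is a look-alike of a system binary rather than
    the real name, and (2) the image runs from somewhere other than the
    directory the system binary is expected in."""
    findings: List[str] = []
    raw = name.lower()
    canonical = normalize(name)
    if canonical not in SYSTEM_BINARIES:
        return findings                      # not pretending to be a system binary
    if raw != canonical:
        findings.append(f"lookalike name: {name!r} mimics {canonical!r}")
    # Split on backslash by hand so this also runs on a non-Windows analysis box.
    actual_dir = path.lower().rsplit("\\", 1)[0]
    expected = SYSTEM_BINARIES[canonical]
    if actual_dir not in expected:
        findings.append(f"unexpected directory: {path!r}, expected one of {expected}")
    return findings


def audit_process_list(processes: Iterable[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Run check_process over (name, full image path) pairs and keep only the
    processes that produced findings."""
    report: Dict[str, List[str]] = {}
    for name, path in processes:
        found = check_process(name, path)
        if found:
            report[name] = found
    return report


# Constructed process list for the example. The second entry is the case
# euripyd describes: capital I in place of lowercase l.
SAMPLE_PROCESSES = [
    ("explorer.exe", r"C:\WINDOWS\Explorer.EXE"),                      # genuine
    ("expIorer.exe", r"C:\WINDOWS\system32\expIorer.exe"),             # look-alike name
    ("svchost.exe",  r"C:\WINDOWS\system32\svchost.exe"),              # genuine
    ("svch0st.exe",  r"C:\WINDOWS\svch0st.exe"),                       # digit zero for o
    ("notepad.exe",  r"C:\WINDOWS\system32\notepad.exe"),              # genuine
    ("ctfmon.exe",   r"C:\Documents and Settings\user\ctfmon.exe"),    # right name, wrong place
]

if __name__ == "__main__":
    for proc, findings in audit_process_list(SAMPLE_PROCESSES).items():
        print(proc)
        for f in findings:
            print("  -", f)
```

Note that Windows file names are case-insensitive, so `Explorer.EXE` in the genuine entry is the same file as `explorer.exe` and is deliberately not reported; the check only fires on a different character or a different directory. Process Explorer and Autoruns, mentioned by mihajilo above, show the full image path, which is what the second check relies on.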
