File::
c:\windows\nsreg.dat
c:\windows\ativpsrm.bin
c:\windows\system32\frsvyou.dll
here is the proof too


just in case, here is the log too
ComboFix 09-01-07.02 - Administrator 2009-01-08 15:06:11.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.579 [GMT 1:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
AV: avast! antivirus 4.8.1296 [VPS 090107-0] *On-access scanning disabled* (Updated)
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
FILE ::
c:\windows\ativpsrm.bin
c:\windows\nsreg.dat
c:\windows\system32\frsvyou.dll
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\ativpsrm.bin
c:\windows\nsreg.dat
c:\windows\system32\frsvyou.dll
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_dztwbejgo
-------\Legacy_wqenk
-------\Service_dztwbejgo
-------\Service_wqenk
((((((((((((((((((((((((( Files Created from 2008-12-08 to 2009-01-08 )))))))))))))))))))))))))))))))
.
2009-01-07 21:41 . 2009-01-07 21:41 <DIR> d-------- c:\program files\sXe Injected
2009-01-07 20:34 . 2009-01-07 20:34 <DIR> d-------- c:\documents and settings\Administrator\Application Data\True Sword
2009-01-07 20:31 . 2009-01-08 11:59 <DIR> d-------- c:\program files\True Sword 5
2009-01-07 19:41 . 2009-01-07 19:41 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Uniblue
2009-01-07 18:00 . 2009-01-07 18:00 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avg8
2009-01-07 17:31 . 2009-01-07 17:31 <DIR> d-------- c:\program files\Alwil Software
2009-01-07 16:56 . 2009-01-07 16:56 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-01-07 16:55 . 2009-01-07 16:55 <DIR> d-------- c:\program files\SUPERAntiSpyware
2009-01-07 16:55 . 2009-01-07 16:55 <DIR> d-------- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2009-01-07 12:19 . 2009-01-07 12:19 <DIR> d-------- c:\program files\Trend Micro
2009-01-07 12:08 . 2009-01-07 12:08 <DIR> d-------- c:\windows\ServicePackFiles
2009-01-07 12:07 . 2004-08-04 00:56 2,897,920 --------- c:\windows\system32\xpsp2res.dll
2009-01-07 12:06 . 2004-07-17 11:40 19,528 --a------ c:\windows\002509_.tmp
2009-01-07 12:05 . 2009-01-07 12:05 <DIR> d-------- c:\windows\EHome
2009-01-07 00:51 . 2009-01-07 00:51 <DIR> d-------- c:\program files\FreePack
2009-01-07 00:51 . 2009-01-07 00:53 94 --a------ c:\windows\Folders.ini
2009-01-07 00:46 . 2009-01-07 00:48 <DIR> d-------- c:\program files\Girder
2009-01-07 00:45 . 2009-01-07 00:45 <DIR> d-------- c:\program files\Foxit Software
2009-01-07 00:45 . 2009-01-07 00:45 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Foxit
2009-01-07 00:42 . 2009-01-07 01:00 <DIR> d-------- C:\ProgDVB
2009-01-07 00:36 . 2009-01-07 00:36 <DIR> d-------- c:\program files\DVBViewerTE
2009-01-07 00:34 . 2009-01-07 00:34 <DIR> d-------- c:\program files\TechniSat DVB
2009-01-07 00:34 . 2004-03-10 23:37 1,045,776 --a------ c:\windows\system32\msjet35.dll
2009-01-07 00:34 . 2004-03-10 23:37 368,912 --a------ c:\windows\system32\vbar332.dll
2009-01-07 00:34 . 2004-03-10 23:37 252,176 --a------ c:\windows\system32\msrd2x35.dll
2009-01-07 00:34 . 2004-03-10 23:37 123,664 --a------ c:\windows\system32\Msjint35.dll
2009-01-07 00:34 . 2004-05-02 20:30 118,784 --a------ c:\windows\system32\SkyDll.dll
2009-01-07 00:34 . 2004-05-02 20:30 118,784 --a------ c:\windows\system32\Sky2PCUI.dll
2009-01-07 00:34 . 2004-04-13 13:15 102,400 --a------ c:\windows\system32\libbz2.dll
2009-01-07 00:34 . 2004-03-10 23:37 24,848 --a------ c:\windows\system32\msjter35.dll
2009-01-07 00:33 . 1998-10-29 16:45 306,688 --a------ c:\windows\IsUninst.exe
2009-01-07 00:32 . 2004-05-02 20:30 451,816 -ra------ c:\windows\system32\drivers\SkyNET.sys
2009-01-07 00:04 . 2009-01-07 00:05 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-07 00:04 . 2009-01-07 00:04 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-07 00:04 . 2009-01-07 00:04 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-01-07 00:04 . 2009-01-04 18:38 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-07 00:04 . 2009-01-04 18:38 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-06 23:34 . 2009-01-06 23:34 <DIR> d-------- c:\documents and settings\Administrator\Application Data\ACD Systems
2009-01-06 23:33 . 2009-01-06 23:33 <DIR> d-------- c:\program files\Common Files\ACD Systems
2009-01-06 23:33 . 2009-01-06 23:33 <DIR> d-------- c:\program files\ACD Systems
2009-01-06 23:33 . 2009-01-06 23:33 <DIR> d-------- c:\documents and settings\All Users\Application Data\ACD Systems
2009-01-06 22:31 . 2009-01-06 22:31 <DIR> d-------- c:\program files\Lavasoft
2009-01-06 22:31 . 2009-01-06 22:31 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2009-01-06 22:30 . 2009-01-07 16:55 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2009-01-06 22:21 . 2009-01-07 21:45 <DIR> d-------- c:\program files\Valve
2009-01-06 22:10 . 2009-01-06 22:10 <DIR> d-------- c:\windows\system32\bits
2009-01-06 22:10 . 2009-01-06 23:34 <DIR> d--h----- c:\windows\$hf_mig$
2009-01-06 21:43 . 2004-08-04 00:56 438,784 --------- c:\windows\system32\xpob2res.dll
2009-01-06 21:43 . 2004-08-04 00:56 351,232 --a------ c:\windows\system32\winhttp.dll
2009-01-06 21:43 . 2004-08-04 00:56 18,944 --a------ c:\windows\system32\qmgrprxy.dll
2009-01-06 21:43 . 2004-08-04 00:56 8,192 --------- c:\windows\system32\bitsprx2.dll
2009-01-06 21:43 . 2004-08-04 00:56 7,168 --------- c:\windows\system32\bitsprx3.dll
2009-01-06 21:37 . 2009-01-06 21:37 <DIR> d---s---- c:\documents and settings\Administrator\UserData
2009-01-06 21:34 . 2008-10-16 14:12 561,688 --a------ c:\windows\system32\wuapi.dll
2009-01-06 21:34 . 2008-10-16 14:12 323,608 --a------ c:\windows\system32\wucltui.dll
2009-01-06 21:34 . 2008-10-16 14:12 213,528 --a------ c:\windows\system32\wuaucpl.cpl
2009-01-06 21:34 . 2008-10-16 14:13 202,776 --a------ c:\windows\system32\wuweb.dll
2009-01-06 21:34 . 2004-08-03 14:03 186,136 --a------ c:\windows\system32\wuaueng1.dll
2009-01-06 21:34 . 2004-08-03 14:01 167,704 --a------ c:\windows\system32\wuauclt1.exe
2009-01-06 21:34 . 2008-10-16 14:08 34,328 --a------ c:\windows\system32\wups.dll
2009-01-06 21:28 . 2009-01-06 21:28 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2009-01-06 21:28 . 2009-01-06 21:29 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-06 21:18 . 2009-01-06 21:18 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Logitech
2009-01-06 21:15 . 2009-01-06 21:15 <DIR> d-------- c:\program files\Logitech
2009-01-06 21:15 . 2009-01-06 21:15 <DIR> d-------- c:\program files\Common Files\Logitech
2009-01-06 21:15 . 2005-01-28 13:44 1,119,744 --a------ c:\windows\system32\wmsdmoe2.dll
2009-01-06 21:06 . 2007-12-20 21:05 593,920 --------- c:\windows\system32\ati2sgag.exe
2009-01-06 21:06 . 2004-08-03 22:59 57,472 --a------ c:\windows\system32\drivers\redbook.sys
2009-01-06 21:06 . 2001-08-17 14:46 6,400 --a------ c:\windows\system32\drivers\enum1394.sys
2009-01-06 21:06 . 2001-08-17 14:59 3,072 --a------ c:\windows\system32\drivers\audstub.sys
2009-01-06 21:05 . 2009-01-06 20:13 <DIR> dr------- c:\documents and settings\All Users\Documents
2009-01-06 21:04 . 2009-01-08 12:17 <DIR> d-------- c:\windows\system32\CatRoot2
2009-01-06 21:04 . 2009-01-06 21:04 <DIR> d-------- c:\program files\VID_0E8F&PID_0003
2009-01-06 21:02 . 2009-01-06 20:17 261 --a------ c:\windows\system32\$winnt$.inf
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-08 11:19 196,608 ----a-w c:\windows\system32\drivers\aStandard.bin
2009-01-06 21:21 --------- d--h--w c:\program files\InstallShield Installation Information
2009-01-06 20:10 --------- d-----w c:\documents and settings\Administrator\Application Data\ATI
2009-01-06 19:54 --------- d-----w c:\program files\My Company Name
2009-01-06 19:52 --------- d-----w c:\program files\ATI Technologies
2009-01-06 19:51 --------- d-----w c:\program files\Common Files\ATI Technologies
2009-01-06 19:44 --------- d-----w c:\program files\Common Files\InstallShield
2009-01-06 19:34 --------- d-----w c:\program files\Realtek
2009-01-06 19:20 --------- d-----w c:\program files\Intel
2009-01-06 19:15 558,142 ----a-w c:\windows\java\Packages\0FJNJ9FL.ZIP
2009-01-06 19:15 155,995 ----a-w c:\windows\java\Packages\OVRHZTND.ZIP
2009-01-06 19:15 --------- d-----w c:\program files\microsoft frontpage
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-12-22 1830128]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-11-26 81000]
"SkyTel"="SkyTel.EXE" [2006-05-16 c:\windows\SkyTel.exe]
c:\documents and settings\Administrator\Start Menu\Programs\Startup\
Girder3.lnk - c:\program files\Girder\Girder.exe [2009-01-07 1830912]
PowerInstall Softcam Updater.lnk - c:\program files\FreePack\PSU\PSU.EXE [2008-10-07 57003]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2009-01-06 450560]
Server4PC.lnk - c:\program files\TechniSat DVB\bin\Server4PC.exe [2009-01-07 430080]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 11:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.ACDV"= ACDV.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\TechniSat DVB\\bin\\Server4PC.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"7253:TCP"= 7253:TCP:xkwwjmol
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-01-07 111184]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2008-12-22 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2008-12-22 55024]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-12-22 7408]
R3 SKYNET;B2C2 Broadband Receiver PCI Adapter;c:\windows\system32\drivers\SkyNET.sys [2009-01-07 451816]
R3 Video3D;ASUS Video3D Service;c:\windows\system32\drivers\Video3D32.sys [2009-01-06 10752]
R4 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-01-07 20560]
R4 atidgllk;atidgllk;c:\windows\atidgllk.sys [2009-01-06 5376]
S3 SetupNTGLM7X;SetupNTGLM7X;\??\e:\ntglm7x.sys --> e:\NTGLM7X.sys [?]
S3 xzyhysqm;xzyhysqm;\??\c:\windows\system32\01.tmp --> c:\windows\system32\01.tmp [?]
S4 dztwbejgo;Microsoft Security;c:\windows\system32\svchost.exe -k netsvcs [2001-08-23 14336]
S4 hkxbzg;hkxbzg;c:\windows\system32\svchost.exe -k netsvcs [2001-08-23 14336]
S4 wqenk;Task Windows;c:\windows\system32\svchost.exe -k netsvcs [2001-08-23 14336]
--- Other Services/Drivers In Memory ---
*NewlyCreated* - DZTWBEJGO
*NewlyCreated* - WQENK
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
hkxbzg
dztwbejgo
wqenk
.
.
------- Supplementary Scan -------
.
TCP: {AACF6E13-2B55-499D-A999-253A0FB321E6} = 93.93.93.2,194.106.162.3
O16 -: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
c:\windows\Downloaded Program Files\DirectAnimation Java Classes.osd
O16 -: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\0u3h6l59.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.elitesecurity.org/f101-PC-DVB-kartice
FF - plugin: c:\program files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-08 15:09:45
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\xzyhysqm]
"ImagePath"="\??\c:\windows\system32\01.tmp"
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\dztwbejgo]
"ServiceDll"="c:\windows\System32\frsvyou.dll"
--
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\wqenk]
"ServiceDll"="c:\windows\system32\frsvyou.dll"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(988)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Common Files\Logitech\KHAL\KHALMNPR.EXE
c:\windows\ATKKBService.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-01-08 15:11:05 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-08 14:11:03
Pre-Run: 46,272,319,488 bytes free
Post-Run: 46,231,392,256 bytes free
223 --- E O F --- 2009-01-06 21:10:44
what was the problem