autorun.exe

  • Joined: 21 Sep 2008
  • Posts: 8

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:25:00 PM, on 11/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\HSDPA USB MODEM\USB Modem.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Administrator\Desktop\New Folder\sertw.exe.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\userinit.exe
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O3 - Toolbar: (zabranjeno) Find Search - {A6790AA5-C6C7-4BCF-A46D-0FDAC4EA90EB} - C:\WINDOWS\SrchPlug.dll (file missing)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [kamsoft] C:\WINDOWS\system32\ckvo.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - go.microsoft.com/fwlink/?linkid=67633
O17 - HKLM\System\CCS\Services\Tcpip\..\{7D709B6E-BAD0-46EC-9037-D5769808C09D}: NameServer = 79.143.101.225 79.143.98.35
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe

--
End of file - 3974 bytes

Update: 11 Nov 2008 12:25

please help!

  • dr_Bora
  • Anti Malware Fighter
    Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

Hello...

* Right-click the AVG icon in the bottom right corner of the screen.
* When the AVG Control Center starts, double-click the AVG Resident Shield component.
* In the window that opens, untick the Turn on AVG Resident Shield option and click OK.

Note: Don't forget to turn this option back on once the cleaning is finished.

Download ComboFix from one of the following addresses to your Desktop:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Run it and do not touch the program window while it scans.
Follow the on-screen instructions. When it finishes, a log (C:\ComboFix.txt) will appear, which you should paste here.

  • Joined: 21 Sep 2008
  • Posts: 8

ComboFix 08-11-10.01 - DENIS 2008-11-11 23:14:06.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.278 [GMT 1:00]
Running from: c:\documents and settings\DENIS\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2008-10-11 to 2008-11-11 )))))))))))))))))))))))))))))))
.

2008-11-11 19:26 . 2008-11-11 19:26 109,736 -r-hs---- C:\lky.exe
2008-11-11 14:44 . 2004-08-03 23:08 31,616 --a------ c:\windows\system32\drivers\usbccgp.sys
2008-11-11 14:44 . 2004-08-03 23:08 31,616 --a--c--- c:\windows\system32\dllcache\usbccgp.sys
2008-11-11 14:44 . 2004-08-03 23:01 25,856 --a------ c:\windows\system32\drivers\usbprint.sys
2008-11-11 14:44 . 2004-08-03 23:01 25,856 --a--c--- c:\windows\system32\dllcache\usbprint.sys
2008-11-11 00:00 . 2008-11-11 10:50 <DIR> dr-h----- C:\$VAULT$.AVG
2008-11-10 23:57 . 2008-11-11 11:08 <DIR> d-------- c:\documents and settings\DENIS\Application Data\U3
2008-11-10 23:57 . 2004-08-03 23:08 26,496 --a--c--- c:\windows\system32\dllcache\usbstor.sys
2008-11-10 23:26 . 2008-11-11 00:33 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-11-10 23:26 . 2008-11-11 10:19 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-10 23:12 . 2008-11-11 00:13 <DIR> d-------- c:\program files\Wise Registry Cleaner 3 Pro
2008-11-10 23:11 . 2001-08-17 22:36 8,704 --a------ c:\windows\system32\kbdjpn.dll
2008-11-10 23:11 . 2001-08-17 22:36 8,704 --a--c--- c:\windows\system32\dllcache\kbdjpn.dll
2008-11-10 23:11 . 2001-08-17 22:36 8,192 --a------ c:\windows\system32\kbdkor.dll
2008-11-10 23:11 . 2001-08-17 22:36 8,192 --a--c--- c:\windows\system32\dllcache\kbdkor.dll
2008-11-10 23:11 . 2001-08-17 14:55 6,144 --a------ c:\windows\system32\kbd106.dll
2008-11-10 23:11 . 2001-08-17 14:55 6,144 --a------ c:\windows\system32\kbd101c.dll
2008-11-10 23:11 . 2001-08-17 14:55 6,144 --a------ c:\windows\system32\kbd101b.dll
2008-11-10 23:11 . 2001-08-17 14:55 6,144 --a--c--- c:\windows\system32\dllcache\kbd106.dll
2008-11-10 23:11 . 2001-08-17 14:55 6,144 --a--c--- c:\windows\system32\dllcache\kbd101c.dll
2008-11-10 23:11 . 2001-08-17 14:55 6,144 --a--c--- c:\windows\system32\dllcache\kbd101b.dll
2008-11-10 23:11 . 2001-08-17 14:55 5,632 --a------ c:\windows\system32\kbd103.dll
2008-11-10 23:11 . 2001-08-17 14:55 5,632 --a--c--- c:\windows\system32\dllcache\kbd103.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-11 20:47 --------- d-----w c:\documents and settings\DENIS\Application Data\AVG7
2008-11-11 18:26 85,504 --sh--r c:\windows\system32\gasretyw1.dll
2008-11-11 18:26 109,736 --sh--r c:\windows\system32\kamsoft.exe
2008-11-11 18:25 85,504 ------w c:\windows\system32\gasretyw0.dll
2008-11-10 23:29 108,271 --sh--r C:\whi.com
2008-11-10 23:00 --------- d-----w c:\documents and settings\All Users\Application Data\avg7
2008-11-10 21:55 --------- d-----w c:\program files\Common Files\Adobe
2008-11-10 21:40 --------- d-----w c:\program files\Intel
2008-11-10 21:39 355,584 ----a-w c:\windows\system32\TuneUpDefragService.exe
2008-11-10 21:39 --------- d-----w c:\program files\TuneUp Utilities 2008
2008-11-10 21:39 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-11-10 21:39 --------- d-----w c:\documents and settings\DENIS\Application Data\TuneUp Software
2008-11-10 21:39 --------- d-----w c:\documents and settings\All Users\Application Data\TuneUp Software
2008-11-10 21:23 --------- d-----w c:\documents and settings\LocalService\Application Data\AVG7
2008-11-10 21:21 499,712 ----a-w c:\windows\system32\msvcp71.dll
2008-11-10 21:21 348,160 ----a-w c:\windows\system32\msvcr71.dll
2008-11-10 21:21 110,592 ----a-w c:\windows\system32\avgfwafu.dll
2008-11-10 21:21 --------- d-----w c:\documents and settings\All Users\Application Data\Grisoft
2008-11-10 21:09 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-10 21:09 --------- d-----w c:\program files\Realtek
2008-11-10 21:08 --------- d-----w c:\documents and settings\All Users\Application Data\nView_Profiles
2008-11-10 21:03 --------- d-----w c:\program files\Common Files\InstallShield
2008-11-10 20:51 --------- d-----w c:\program files\microsoft frontpage
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-08-04 1667584]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="c:\progra~1\Grisoft\AVG7\avgcc.exe" [2008-11-10 590848]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-02-13 7557120]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]
"AVG7_Run"="c:\progra~1\Grisoft\AVG7\avgw.exe" [2008-11-10 219136]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"kamsoft"=c:\windows\system32\kamsoft.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Alcmtr"=ALCMTR.EXE
"RTHDCPL"=RTHDCPL.EXE
"nwiz"=nwiz.exe /install
"NvCplDaemon"=RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
"NvMediaCenter"=RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=

R2 UxTuneUp;TuneUp Theme Extension;c:\windows\System32\svchost.exe [2004-08-04 14336]
S3 TuneUp.Defrag;TuneUp Drive Defrag Service;c:\windows\System32\TuneUpDefragService.exe [2008-11-10 355584]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - G:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2008-11-11 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2008\OneClickStarter.exe [2008-06-20 09:09]
.
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.google.com/
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, gmer.net
Rootkit scan 2008-11-11 23:14:53
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-11-11 23:15:21
ComboFix-quarantined-files.txt 2008-11-11 22:15:19

Pre-Run: 49.490.903.040 bytes free
Post-Run: 49,500,868,608 bytes free

Update: 11 Nov 2008 23:21

One more question: how do I set it so that my USB stick does not start on its own, since I have the impression that I pick up some viruses from it?

Update: 11 Nov 2008 23:26

Here it is once more... with the USB stick plugged in... I think it is infected too.

Update: 11 Nov 2008 23:27

ComboFix 08-11-10.01 - DENIS 2008-11-11 23:21:46.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.253 [GMT 1:00]
Running from: c:\documents and settings\DENIS\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

H:\autorun.inf
H:\nq0cq.cmd

.
((((((((((((((((((((((((( Files Created from 2008-10-11 to 2008-11-11 )))))))))))))))))))))))))))))))
.

2008-11-11 19:26 . 2008-11-11 19:26 109,736 -r-hs---- C:\lky.exe
2008-11-11 14:44 . 2004-08-03 23:08 31,616 --a------ c:\windows\system32\drivers\usbccgp.sys
2008-11-11 14:44 . 2004-08-03 23:08 31,616 --a--c--- c:\windows\system32\dllcache\usbccgp.sys
2008-11-11 14:44 . 2004-08-03 23:01 25,856 --a------ c:\windows\system32\drivers\usbprint.sys
2008-11-11 14:44 . 2004-08-03 23:01 25,856 --a--c--- c:\windows\system32\dllcache\usbprint.sys
2008-11-11 00:00 . 2008-11-11 10:50 <DIR> dr-h----- C:\$VAULT$.AVG
2008-11-10 23:57 . 2008-11-11 11:08 <DIR> d-------- c:\documents and settings\DENIS\Application Data\U3
2008-11-10 23:57 . 2004-08-03 23:08 26,496 --a--c--- c:\windows\system32\dllcache\usbstor.sys
2008-11-10 23:26 . 2008-11-11 00:33 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-11-10 23:26 . 2008-11-11 10:19 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-10 23:12 . 2008-11-11 00:13 <DIR> d-------- c:\program files\Wise Registry Cleaner 3 Pro
2008-11-10 23:11 . 2001-08-17 22:36 8,704 --a------ c:\windows\system32\kbdjpn.dll
2008-11-10 23:11 . 2001-08-17 22:36 8,704 --a--c--- c:\windows\system32\dllcache\kbdjpn.dll
2008-11-10 23:11 . 2001-08-17 22:36 8,192 --a------ c:\windows\system32\kbdkor.dll
2008-11-10 23:11 . 2001-08-17 22:36 8,192 --a--c--- c:\windows\system32\dllcache\kbdkor.dll
2008-11-10 23:11 . 2001-08-17 14:55 6,144 --a------ c:\windows\system32\kbd106.dll
2008-11-10 23:11 . 2001-08-17 14:55 6,144 --a------ c:\windows\system32\kbd101c.dll
2008-11-10 23:11 . 2001-08-17 14:55 6,144 --a------ c:\windows\system32\kbd101b.dll
2008-11-10 23:11 . 2001-08-17 14:55 6,144 --a--c--- c:\windows\system32\dllcache\kbd106.dll
2008-11-10 23:11 . 2001-08-17 14:55 6,144 --a--c--- c:\windows\system32\dllcache\kbd101c.dll
2008-11-10 23:11 . 2001-08-17 14:55 6,144 --a--c--- c:\windows\system32\dllcache\kbd101b.dll
2008-11-10 23:11 . 2001-08-17 14:55 5,632 --a------ c:\windows\system32\kbd103.dll
2008-11-10 23:11 . 2001-08-17 14:55 5,632 --a--c--- c:\windows\system32\dllcache\kbd103.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-11 20:47 --------- d-----w c:\documents and settings\DENIS\Application Data\AVG7
2008-11-11 18:26 85,504 --sh--r c:\windows\system32\gasretyw1.dll
2008-11-11 18:26 109,736 --sh--r c:\windows\system32\kamsoft.exe
2008-11-11 18:25 85,504 ------w c:\windows\system32\gasretyw0.dll
2008-11-10 23:29 108,271 --sh--r C:\whi.com
2008-11-10 23:00 --------- d-----w c:\documents and settings\All Users\Application Data\avg7
2008-11-10 21:55 --------- d-----w c:\program files\Common Files\Adobe
2008-11-10 21:40 --------- d-----w c:\program files\Intel
2008-11-10 21:39 355,584 ----a-w c:\windows\system32\TuneUpDefragService.exe
2008-11-10 21:39 --------- d-----w c:\program files\TuneUp Utilities 2008
2008-11-10 21:39 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-11-10 21:39 --------- d-----w c:\documents and settings\DENIS\Application Data\TuneUp Software
2008-11-10 21:39 --------- d-----w c:\documents and settings\All Users\Application Data\TuneUp Software
2008-11-10 21:23 --------- d-----w c:\documents and settings\LocalService\Application Data\AVG7
2008-11-10 21:21 499,712 ----a-w c:\windows\system32\msvcp71.dll
2008-11-10 21:21 348,160 ----a-w c:\windows\system32\msvcr71.dll
2008-11-10 21:21 110,592 ----a-w c:\windows\system32\avgfwafu.dll
2008-11-10 21:21 --------- d-----w c:\documents and settings\All Users\Application Data\Grisoft
2008-11-10 21:09 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-10 21:09 --------- d-----w c:\program files\Realtek
2008-11-10 21:08 --------- d-----w c:\documents and settings\All Users\Application Data\nView_Profiles
2008-11-10 21:03 --------- d-----w c:\program files\Common Files\InstallShield
2008-11-10 20:51 --------- d-----w c:\program files\microsoft frontpage
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-08-04 1667584]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="c:\progra~1\Grisoft\AVG7\avgcc.exe" [2008-11-10 590848]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-02-13 7557120]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]
"AVG7_Run"="c:\progra~1\Grisoft\AVG7\avgw.exe" [2008-11-10 219136]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"kamsoft"=c:\windows\system32\kamsoft.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Alcmtr"=ALCMTR.EXE
"RTHDCPL"=RTHDCPL.EXE
"nwiz"=nwiz.exe /install
"NvCplDaemon"=RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
"NvMediaCenter"=RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=

R2 UxTuneUp;TuneUp Theme Extension;c:\windows\System32\svchost.exe [2004-08-04 14336]
S3 TuneUp.Defrag;TuneUp Drive Defrag Service;c:\windows\System32\TuneUpDefragService.exe [2008-11-10 355584]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - G:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2008-11-11 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2008\OneClickStarter.exe [2008-06-20 09:09]
.
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.google.com/
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, gmer.net
Rootkit scan 2008-11-11 23:22:32
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-11-11 23:22:59
ComboFix-quarantined-files.txt 2008-11-11 22:22:58
ComboFix2.txt 2008-11-11 22:15:22

Pre-Run: 49.506.025.472 bytes free
Post-Run: 49,497,763,840 bytes free

  • dr_Bora
  • Anti Malware Fighter
    Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

Open Notepad and copy the following text into it:

File::
C:\lky.exe
c:\windows\system32\gasretyw1.dll
c:\windows\system32\kamsoft.exe
c:\windows\system32\gasretyw0.dll
C:\whi.com

Registry::
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"kamsoft"=-


Save the file from Notepad to the Desktop as "CFScript"

Drag the saved script/text onto the ComboFix icon as shown in the picture.
Post the log that is produced at the end of the cleaning/scanning in your next message.

  • Joined: 21 Sep 2008
  • Posts: 8

ComboFix 08-11-10.01 - Administrator 2008-11-12 16:27:34.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.270 [GMT 1:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\lky.exe
C:\whi.com
c:\windows\system32\gasretyw0.dll
c:\windows\system32\gasretyw1.dll
c:\windows\system32\kamsoft.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\whi.com
c:\windows\system32\gasretyw0.dll
c:\windows\system32\kamsoft.exe

.
((((((((((((((((((((((((( Files Created from 2008-10-12 to 2008-11-12 )))))))))))))))))))))))))))))))
.

2008-11-12 16:17 . 2008-11-12 16:17 <DIR> d-------- c:\program files\Opera
2008-11-12 16:10 . 2008-11-12 16:10 <DIR> d-------- c:\documents and settings\Administrator\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2008-11-12 12:15 . 2008-11-12 12:15 <DIR> d--hs---- c:\windows\system32\dllcache
2008-11-11 11:52 . 2008-11-12 12:08 <DIR> dr-h----- C:\$VAULT$.AVG
2008-11-08 12:52 . 2008-11-08 13:22 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Apple Computer
2008-11-08 12:52 . 2008-04-17 13:12 107,368 --a------ c:\windows\system32\GEARAspi.dll
2008-11-08 12:52 . 2008-04-17 13:12 15,464 --a------ c:\windows\system32\drivers\GEARAspiWDM.sys
2008-11-08 12:51 . 2008-11-08 12:52 <DIR> d-------- c:\program files\iTunes
2008-11-08 12:51 . 2008-11-08 12:51 <DIR> d-------- c:\program files\iPod
2008-11-08 12:51 . 2008-11-08 12:51 <DIR> d-------- c:\program files\Bonjour
2008-11-08 12:51 . 2008-11-08 12:52 <DIR> d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-11-08 12:50 . 2008-11-08 12:51 <DIR> d-------- c:\program files\QuickTime
2008-11-08 12:50 . 2008-11-08 12:50 <DIR> d-------- c:\program files\Apple Software Update
2008-11-08 12:50 . 2008-11-08 12:51 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple Computer
2008-11-08 12:50 . 2008-11-08 12:50 108,973 -r-hs---- C:\sq.com
2008-11-08 12:50 . 2008-10-01 13:01 32,000 --a------ c:\windows\system32\drivers\usbaapl.sys
2008-11-08 12:49 . 2008-11-08 12:50 <DIR> d-------- c:\program files\Common Files\Apple
2008-11-08 12:49 . 2008-11-08 12:49 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple
2008-11-08 11:34 . 2008-11-08 11:34 <DIR> d-------- c:\program files\Microsoft Silverlight
2008-11-08 11:21 . 2008-11-08 11:21 <DIR> d-------- c:\program files\MSECache
2008-11-07 17:16 . 2008-11-07 17:16 355,584 --a------ c:\windows\system32\TuneUpDefragService.exe
2008-11-07 17:16 . 2008-05-29 09:28 28,416 --a------ c:\windows\system32\uxtuneup.dll
2008-11-07 17:15 . 2008-11-07 17:15 <DIR> d-------- c:\program files\TuneUp Utilities 2008
2008-11-07 17:15 . 2008-11-07 17:15 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-11-07 16:57 . 2008-11-07 16:57 <DIR> d-------- c:\documents and settings\Administrator\Application Data\TuneUp Software
2008-11-07 16:55 . 2008-11-07 16:56 <DIR> d-------- c:\program files\Diagnose Windows
2008-11-07 16:55 . 2008-11-07 16:55 255 --a------ c:\windows\system32\diag.lic
2008-11-07 16:54 . 2008-11-07 17:15 <DIR> d-------- c:\documents and settings\All Users\Application Data\TuneUp Software
2008-11-07 16:53 . 2008-11-07 16:53 <DIR> d-------- c:\documents and settings\Administrator\Application Data\ACD Systems
2008-11-07 16:52 . 2008-11-07 16:52 <DIR> d-------- c:\program files\Common Files\ACD Systems
2008-11-07 16:52 . 2008-11-07 16:52 <DIR> d-------- c:\program files\ACD Systems
2008-11-07 16:52 . 2008-11-07 16:52 <DIR> d-------- c:\documents and settings\All Users\Application Data\ACD Systems
2008-11-07 16:52 . 2008-11-07 16:52 10,368 --a------ c:\windows\system32\drivers\pfc.sys
2008-11-07 16:50 . 2008-11-07 16:50 <DIR> d-------- c:\windows\Downloaded Installations
2008-11-07 16:11 . 2008-11-07 16:11 <DIR> d-------- c:\program files\Common Files\Adobe AIR
2008-11-07 16:10 . 2008-11-07 16:11 <DIR> d-------- c:\program files\Common Files\Adobe
2008-11-07 15:56 . 2008-11-07 15:56 <DIR> d-------- c:\program files\NOS
2008-11-07 15:56 . 2008-11-07 16:44 <DIR> d-------- c:\documents and settings\All Users\Application Data\NOS
2008-11-07 13:26 . 2004-08-04 00:56 159,232 --a------ c:\windows\system32\ptpusd.dll
2008-11-07 13:26 . 2004-08-03 22:58 15,104 --a------ c:\windows\system32\drivers\usbscan.sys
2008-11-07 13:26 . 2001-08-17 22:36 5,632 --a------ c:\windows\system32\ptpusb.dll
2008-11-04 16:07 . 2004-08-04 00:56 21,504 --a------ c:\windows\system32\hidserv.dll
2008-11-04 16:06 . 2004-08-03 22:58 14,848 --a------ c:\windows\system32\drivers\kbdhid.sys
2008-11-03 16:48 . 2008-11-03 16:50 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Duplicate File Hunter
2008-11-03 10:45 . 2008-11-12 16:06 <DIR> d-------- c:\documents and settings\Administrator\Application Data\skypePM
2008-11-03 10:45 . 2008-11-03 10:45 56 --ah----- c:\windows\system32\ezsidmv.dat
2008-11-03 10:44 . 2008-11-03 10:44 <DIR> d-------- c:\program files\Skype
2008-11-03 10:44 . 2008-11-03 10:44 <DIR> d-------- c:\program files\Common Files\Skype
2008-11-03 10:44 . 2008-11-12 16:17 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Skype
2008-11-03 10:43 . 2008-11-03 10:44 <DIR> d-------- c:\documents and settings\All Users\Application Data\Skype
2008-11-03 10:00 . 2008-11-03 10:00 <DIR> d-------- c:\documents and settings\LocalService\Application Data\AVG7
2008-11-03 10:00 . 2008-11-03 10:00 <DIR> d-------- c:\documents and settings\All Users\Application Data\Grisoft
2008-11-03 10:00 . 2008-11-11 11:51 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg7
2008-11-03 10:00 . 2008-11-12 13:16 <DIR> d-------- c:\documents and settings\Administrator\Application Data\AVG7
2008-10-30 17:08 . 2008-10-30 17:11 <DIR> d-------- c:\documents and settings\Administrator\Phone Browser
2008-10-30 17:08 . 2008-10-30 17:11 <DIR> d-------- c:\documents and settings\Administrator\Application Data\DataLayer
2008-10-30 17:07 . 2008-10-30 17:07 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Nokia
2008-10-30 17:07 . 2004-08-03 23:10 38,016 --a------ c:\windows\system32\drivers\bthmodem.sys
2008-10-30 17:06 . 2008-10-30 17:06 <DIR> d-------- c:\program files\DIFX
2008-10-30 17:05 . 2008-11-08 12:52 <DIR> d----c--- c:\windows\system32\DRVSTORE
2008-10-30 17:05 . 2008-10-30 17:05 <DIR> d-------- c:\program files\Nokia
2008-10-30 17:05 . 2008-10-30 17:05 <DIR> d-------- c:\program files\Common Files\PCSuite
2008-10-30 17:05 . 2008-10-30 17:06 <DIR> d-------- c:\program files\Common Files\Nokia
2008-10-30 17:05 . 2008-10-30 17:06 <DIR> d-------- c:\documents and settings\All Users\Application Data\PC Suite
2008-10-30 17:05 . 2008-10-30 17:05 <DIR> d-------- c:\documents and settings\Administrator\Application Data\PC Suite
2008-10-30 17:05 . 2006-05-29 08:26 50,688 --a------ c:\windows\system32\nmwcdcls.dll
2008-10-30 17:04 . 2008-10-30 17:04 <DIR> d-------- c:\documents and settings\All Users\Application Data\Downloaded Installations
2008-10-30 17:00 . 2004-08-03 22:58 100,992 --a------ c:\windows\system32\drivers\bthpan.sys
2008-10-30 16:59 . 2004-08-03 23:10 274,304 --a------ c:\windows\system32\drivers\bthport.sys
2008-10-30 16:59 . 2004-08-03 23:10 59,648 --a------ c:\windows\system32\drivers\rfcomm.sys
2008-10-30 16:59 . 2004-08-03 23:10 18,944 --a------ c:\windows\system32\drivers\BTHUSB.SYS
2008-10-30 16:59 . 2004-08-03 23:10 17,024 --a------ c:\windows\system32\drivers\BthEnum.sys
2008-10-29 14:12 . 2008-10-29 14:12 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Corel
2008-10-29 14:10 . 2008-10-29 14:10 <DIR> d-------- c:\windows\Corel
2008-10-29 14:08 . 2008-10-29 14:08 <DIR> d-------- c:\program files\Common Files\Corel
2008-10-29 14:06 . 2008-10-29 14:06 <DIR> d-------- c:\program files\Corel
2008-10-29 12:55 . 2008-10-29 12:55 672,077 --a------ c:\windows\system32\em010_32.dat
2008-10-29 12:55 . 2008-10-29 12:55 158,036 --a------ c:\windows\system32\em008_32.dat
2008-10-29 12:47 . 2008-10-29 12:47 376 --a------ c:\windows\ODBC.INI
2008-10-29 12:46 . 2003-06-18 17:31 17,920 --a------ c:\windows\system32\mdimon.dll
2008-10-29 12:45 . 2008-10-29 12:45 <DIR> d-------- c:\program files\Microsoft.NET
2008-10-29 12:45 . 2008-10-29 12:45 <DIR> d-------- c:\program files\Microsoft ActiveSync
2008-10-29 12:44 . 2008-10-29 12:45 <DIR> d-------- c:\windows\SHELLNEW
2008-10-29 11:25 . 2008-10-29 11:26 <DIR> d-------- c:\program files\weblin
2008-10-29 11:23 . 2008-10-29 11:26 <DIR> d-------- c:\documents and settings\Administrator\Application Data\zweitgeist
2008-10-29 11:14 . 2008-10-29 14:52 13,257,349 --a------ c:\windows\system32\em002_32.dat
2008-10-29 11:14 . 2008-10-29 11:20 437,148 --a------ c:\windows\system32\em004_32.dat
2008-10-29 11:14 . 2008-10-29 11:19 323,764 --a------ c:\windows\system32\em001_32.dat
2008-10-29 11:14 . 2008-10-29 11:20 220,329 --a------ c:\windows\system32\em003_32.dat
2008-10-29 11:14 . 2008-10-29 11:19 49,503 --a------ c:\windows\system32\em000_32.dat
2008-10-29 11:14 . 2008-10-29 11:20 43,291 --a------ c:\windows\system32\em005_32.dat
2008-10-29 11:14 . 2008-10-29 11:20 10,393 --a------ c:\windows\system32\em006_32.dat
2008-10-29 11:14 . 2008-10-29 17:16 4,321 --a------ C:\CACHE.NDB
2008-10-29 11:12 . 2008-11-03 09:30 195 --a------ c:\windows\system32\mod_comp.dat
2008-10-29 11:01 . 2008-10-29 11:01 <DIR> d-------- c:\program files\ESET
2008-10-29 10:35 . 2008-11-07 17:01 <DIR> d-------- c:\program files\Yahoo!
2008-10-29 10:34 . 2008-10-29 10:35 <DIR> d-------- c:\program files\CCleaner
2008-10-29 10:30 . 2008-10-29 10:30 0 --a------ c:\windows\nsreg.dat
2008-10-29 10:24 . 2008-10-29 10:24 <DIR> d-------- c:\program files\Recnik20
2008-10-29 10:21 . 2001-08-17 22:36 8,704 --a------ c:\windows\system32\kbdjpn.dll
2008-10-29 10:21 . 2001-08-17 22:36 8,192 --a------ c:\windows\system32\kbdkor.dll
2008-10-29 10:21 . 2001-08-17 14:55 6,144 --a------ c:\windows\system32\kbd106.dll
2008-10-29 10:21 . 2001-08-17 14:55 6,144 --a------ c:\windows\system32\kbd101c.dll
2008-10-29 10:21 . 2001-08-17 14:55 6,144 --a------ c:\windows\system32\kbd101b.dll
2008-10-29 10:21 . 2001-08-17 14:55 5,632 --a------ c:\windows\system32\kbd103.dll
2008-10-29 10:17 . 2008-11-08 11:00 <DIR> d-------- c:\program files\HSDPA USB MODEM
2008-10-29 10:17 . 2007-11-01 15:35 103,424 --a------ c:\windows\system32\MyDIT_GenClassCoInst.dll
2008-10-29 10:17 . 2007-10-16 11:40 97,408 --a------ c:\windows\system32\drivers\cmusbser.sys
2008-10-29 10:17 . 2004-08-03 23:08 31,616 --a------ c:\windows\system32\drivers\usbccgp.sys
2008-10-29 10:14 . 2008-11-03 09:30 <DIR> d-------- c:\windows\system32\updfiles
2008-10-29 10:13 . 2008-11-03 09:28 87 --a------ c:\windows\system32\EpfwUser.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-08 11:52 --------- d-----w c:\documents and settings\Administrator\Application Data\U3
2008-10-29 13:10 --------- d--h--w c:\program files\InstallShield Installation Information
2008-10-29 13:04 --------- d-----w c:\program files\Common Files\InstallShield
2008-10-28 20:12 --------- d-----w c:\documents and settings\All Users\Application Data\WinZip
2008-10-28 20:02 --------- d-----w c:\program files\Hewlett-Packard
2008-10-28 20:01 45,056 ----a-w c:\windows\NCUNINST.EXE
2008-10-28 19:58 6,656 ----a-w c:\windows\system32\haspvdd.dll
2008-10-28 19:58 47,616 ----a-w c:\windows\system32\drivers\Haspnt.sys
2008-10-28 19:58 453,632 ----a-w c:\windows\system32\drivers\hardlock.sys
2008-10-28 19:58 18,944 ----a-w c:\windows\system32\drivers\aksusb.sys
2008-10-28 19:48 --------- d-----w c:\program files\Common Files\SWF Studio
2008-10-28 19:46 --------- d-----w c:\program files\Realtek Sound Manager
2008-10-28 19:46 --------- d-----w c:\program files\AvRack
2008-08-29 09:18 87,336 ----a-w c:\windows\system32\dns-sd.exe
2008-08-29 08:53 61,440 ----a-w c:\windows\system32\dnssd.dll
.

((((((((((((((((((((((((((((( snapshot@2008-11-12_12.11.50.92 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-11-12 11:13:10 253,952 ----a-w c:\windows\system32\config\systemprofile\ntuser.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-09-23 21755688]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="c:\progra~1\Grisoft\AVG7\avgcc.exe" [2008-11-04 590848]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2003-11-06 4730880]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="c:\progra~1\Grisoft\AVG7\avgw.exe" [2008-11-03 219136]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.ACDV"= ACDV.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=c:\windows\pss\WinZip Quick Pick.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
--a------ 2006-06-15 12:36 229376 c:\progra~1\Nokia\NOKIAP~1\LAUNCH~1.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PcSync]
--a------ 2006-06-27 16:21 1449984 c:\program files\Nokia\Nokia PC Suite 6\PcSync2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StatusClient]
--a------ 2002-12-16 16:51 36864 c:\program files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TomcatStartup]
--a------ 2003-03-31 19:28 155648 c:\program files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"BluetoothAuthenticationAgent"=rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
"<NO NAME>"=
"nwiz"=nwiz.exe /install

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 eusk2par;EUTRON SmartKey Parallel Driver;c:\windows\system32\Drivers\eusk2par.sys [2004-11-18 24786]
R2 UxTuneUp;TuneUp Theme Extension;c:\windows\System32\svchost.exe [2004-08-04 14336]
R3 qcusbser;Mobile Connector USB Device for Legacy Serial Communication;c:\windows\system32\DRIVERS\cmusbser.sys [2007-10-16 97408]
S3 eusk3usb;SmartKey 3 USB;c:\windows\system32\Drivers\eusk3usb.sys [2004-11-18 45534]
S3 TuneUp.Defrag;TuneUp Drive Defrag Service;c:\windows\System32\TuneUpDefragService.exe [2008-11-07 355584]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2008-11-12 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2008\OneClickStarter.exe [2008-06-20 09:09]

2008-11-08 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, gmer.net
Rootkit scan 2008-11-12 16:28:48
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-11-12 16:29:14
ComboFix-quarantined-files.txt 2008-11-12 15:29:11
ComboFix2.txt 2008-11-12 15:14:47
ComboFix3.txt 2008-11-12 11:12:10

Pre-Run: 27,882,688,512 bytes free
Post-Run: 27,873,615,872 bytes free


offline
  • dr_Bora  Male
  • Anti Malware Fighter
    Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

You need to use the same user account the whole time while we are doing this (the first time it was DENIS, and now it is Administrator).


Open Notepad and copy the following text into it:

File::
C:\sq.com


Save the file from Notepad to the Desktop as "CFScript"




Drag the saved script/text file onto the ComboFix icon, as shown in the picture.
Post in your next message the log that is produced at the end of the cleaning/scan.

offline
  • Joined: 21 Sep 2008
  • Posts: 8

ComboFix 08-11-11.01 - DENIS 2008-11-12 23:54:54.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.248 [GMT 1:00]
Running from: c:\documents and settings\DENIS\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\DENIS\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\sq.com
.

((((((((((((((((((((((((( Files Created from 2008-10-12 to 2008-11-12 )))))))))))))))))))))))))))))))
.

2008-11-12 01:08 . 2008-04-14 05:42 159,232 --a------ c:\windows\system32\ptpusd.dll
2008-11-12 01:08 . 2008-04-14 00:15 15,104 --a------ c:\windows\system32\drivers\usbscan.sys
2008-11-12 01:08 . 2008-04-14 00:15 15,104 --a--c--- c:\windows\system32\dllcache\usbscan.sys
2008-11-12 01:08 . 2001-08-17 22:36 5,632 --a------ c:\windows\system32\ptpusb.dll
2008-11-12 00:50 . 2008-11-12 00:50 <DIR> d-------- c:\windows\ServicePackFiles
2008-11-12 00:50 . 2008-04-14 05:42 294,912 -----c--- c:\windows\system32\dllcache\dlimport.exe
2008-11-12 00:47 . 2006-12-29 00:31 19,569 --a------ c:\windows\002888_.tmp
2008-11-12 00:11 . 2008-11-12 00:11 <DIR> d-------- c:\documents and settings\DENIS\Application Data\ACD Systems
2008-11-12 00:09 . 2008-11-12 01:50 <DIR> d-------- c:\documents and settings\DENIS\Application Data\Apple Computer
2008-11-12 00:08 . 2008-11-12 00:08 <DIR> d-------- c:\program files\iTunes
2008-11-12 00:08 . 2008-11-12 00:08 <DIR> d-------- c:\program files\iPod
2008-11-12 00:08 . 2008-11-12 00:08 <DIR> d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-11-12 00:08 . 2008-04-17 13:12 107,368 --a------ c:\windows\system32\GEARAspi.dll
2008-11-12 00:08 . 2008-04-17 13:12 15,464 --a------ c:\windows\system32\drivers\GEARAspiWDM.sys
2008-11-12 00:07 . 2008-11-12 00:07 <DIR> d-------- c:\program files\QuickTime
2008-11-12 00:07 . 2008-11-12 00:07 <DIR> d-------- c:\program files\Bonjour
2008-11-12 00:07 . 2008-11-12 00:08 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple Computer
2008-11-12 00:06 . 2008-11-12 00:08 <DIR> d----c--- c:\windows\system32\DRVSTORE
2008-11-12 00:06 . 2008-11-12 00:06 <DIR> d-------- c:\program files\Apple Software Update
2008-11-12 00:06 . 2008-10-01 13:01 32,000 --a------ c:\windows\system32\drivers\usbaapl.sys
2008-11-12 00:05 . 2008-11-12 00:05 <DIR> d-------- c:\program files\Common Files\Apple
2008-11-12 00:05 . 2008-11-12 00:05 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple
2008-11-12 00:03 . 2008-11-12 23:45 <DIR> d-------- c:\documents and settings\DENIS\Application Data\skypePM
2008-11-12 00:03 . 2008-11-12 00:03 56 --ah----- c:\windows\system32\ezsidmv.dat
2008-11-12 00:02 . 2008-11-12 00:02 <DIR> d-------- c:\program files\Skype
2008-11-12 00:02 . 2008-11-12 00:02 <DIR> d-------- c:\program files\Common Files\Skype
2008-11-12 00:02 . 2008-11-12 23:53 <DIR> d-------- c:\documents and settings\DENIS\Application Data\Skype
2008-11-12 00:02 . 2008-11-12 00:02 <DIR> d-------- c:\documents and settings\All Users\Application Data\Skype
2008-11-11 23:49 . 2008-04-14 00:16 85,248 --a------ c:\windows\system32\drivers\nabtsfec.sys
2008-11-11 23:49 . 2008-04-14 00:16 19,200 --a------ c:\windows\system32\drivers\wstcodec.sys
2008-11-11 23:49 . 2008-04-14 05:42 16,384 --a------ c:\windows\system32\ipsink.ax
2008-11-11 23:49 . 2008-04-14 00:16 15,232 --a------ c:\windows\system32\drivers\streamip.sys
2008-11-11 23:49 . 2008-04-14 00:16 11,136 --a------ c:\windows\system32\drivers\slip.sys
2008-11-11 23:49 . 2008-04-14 00:16 10,880 --a------ c:\windows\system32\drivers\ndisip.sys
2008-11-11 23:49 . 2008-04-14 00:09 5,504 --a------ c:\windows\system32\drivers\mstee.sys
2008-11-11 23:48 . 2008-11-11 23:48 <DIR> d-------- c:\windows\PixArt
2008-11-11 23:48 . 2008-11-11 23:48 <DIR> d-------- c:\program files\Common Files\PAC207
2008-11-11 23:48 . 2008-04-14 05:42 91,136 --a------ c:\windows\system32\kswdmcap.ax
2008-11-11 23:48 . 2008-04-14 05:42 61,952 --a------ c:\windows\system32\kstvtune.ax
2008-11-11 23:48 . 2008-04-14 05:42 53,760 --a------ c:\windows\system32\vfwwdm32.dll
2008-11-11 23:48 . 2006-11-03 10:59 48,128 --a------ c:\windows\system32\Remove.exe
2008-11-11 23:48 . 2008-04-14 05:42 43,008 --a------ c:\windows\system32\ksxbar.ax
2008-11-11 23:48 . 2008-04-14 05:42 28,672 --a------ c:\windows\system32\vidcap.ax
2008-11-11 23:48 . 2008-04-14 00:16 17,024 --a------ c:\windows\system32\drivers\ccdecode.sys
2008-11-11 23:48 . 2007-05-24 16:32 284 --a------ c:\windows\system32\Remover.ini
2008-11-11 23:47 . 2008-11-11 23:47 <DIR> d-------- c:\windows\Album
2008-11-11 23:47 . 2008-11-11 23:47 <DIR> d-------- c:\program files\KYE
2008-11-11 23:47 . 2008-11-11 23:47 <DIR> d-------- c:\documents and settings\DENIS\Application Data\InstallShield
2008-11-11 23:47 . 2005-04-03 20:56 1,060,864 --a------ c:\windows\system32\mfc71.dll
2008-11-11 23:36 . 2008-11-11 23:36 <DIR> d-------- c:\program files\Common Files\ACD Systems
2008-11-11 23:36 . 2008-11-11 23:36 <DIR> d-------- c:\program files\ACD Systems
2008-11-11 23:36 . 2008-11-11 23:36 <DIR> d-------- c:\documents and settings\All Users\Application Data\ACD Systems
2008-11-11 23:36 . 2008-11-11 23:36 10,368 --a------ c:\windows\system32\drivers\pfc.sys
2008-11-11 23:34 . 2008-11-11 23:48 <DIR> d-------- c:\windows\Downloaded Installations
2008-11-11 23:30 . 2008-11-11 23:32 <DIR> d-------- c:\documents and settings\All Users\Application Data\WinZip
2008-11-11 23:29 . 2008-11-11 23:29 <DIR> d-------- c:\program files\Recnik20
2008-11-11 23:27 . 2008-11-12 01:03 <DIR> d-------- c:\program files\Opera
2008-11-11 19:26 . 2008-11-11 19:26 109,736 -r-hs---- C:\lky.exe
2008-11-11 14:44 . 2008-04-14 00:15 32,128 --a------ c:\windows\system32\drivers\usbccgp.sys
2008-11-11 14:44 . 2008-04-14 00:17 25,856 --a------ c:\windows\system32\drivers\usbprint.sys
2008-11-11 00:00 . 2008-11-11 10:50 <DIR> dr-h----- C:\$VAULT$.AVG
2008-11-10 23:57 . 2008-11-12 00:08 <DIR> d-------- c:\documents and settings\DENIS\Application Data\U3
2008-11-10 23:26 . 2008-11-12 01:07 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-11-10 23:26 . 2008-11-12 01:07 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-10 23:12 . 2008-11-11 00:13 <DIR> d-------- c:\program files\Wise Registry Cleaner 3 Pro
2008-11-10 23:11 . 2001-08-17 22:36 8,704 --a------ c:\windows\system32\kbdjpn.dll
2008-11-10 23:11 . 2001-08-17 22:36 8,704 --a--c--- c:\windows\system32\dllcache\kbdjpn.dll
2008-11-10 23:11 . 2001-08-17 22:36 8,192 --a------ c:\windows\system32\kbdkor.dll
2008-11-10 23:11 . 2001-08-17 22:36 8,192 --a--c--- c:\windows\system32\dllcache\kbdkor.dll
2008-11-10 23:11 . 2008-04-14 05:39 6,144 --a------ c:\windows\system32\kbd106.dll
2008-11-10 23:11 . 2001-08-17 14:55 6,144 --a------ c:\windows\system32\kbd101c.dll
2008-11-10 23:11 . 2001-08-17 14:55 6,144 --a------ c:\windows\system32\kbd101b.dll
2008-11-10 23:11 . 2001-08-17 14:55 6,144 --a--c--- c:\windows\system32\dllcache\kbd101c.dll
2008-11-10 23:11 . 2001-08-17 14:55 6,144 --a--c--- c:\windows\system32\dllcache\kbd101b.dll
2008-11-10 23:11 . 2001-08-17 14:55 5,632 --a------ c:\windows\system32\kbd103.dll
2008-11-10 23:11 . 2001-08-17 14:55 5,632 --a--c--- c:\windows\system32\dllcache\kbd103.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-12 01:07 --------- d-----w c:\documents and settings\DENIS\Application Data\AVG7
2008-11-11 22:48 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-11 22:48 --------- d-----w c:\program files\Common Files\InstallShield
2008-11-11 18:26 85,504 --sh--r c:\windows\system32\gasretyw1.dll
2008-11-11 18:26 109,736 --sh--r c:\windows\system32\kamsoft.exe
2008-11-11 18:25 85,504 ------w c:\windows\system32\gasretyw0.dll
2008-11-10 23:29 108,271 --sh--r C:\whi.com
2008-11-10 23:00 --------- d-----w c:\documents and settings\All Users\Application Data\avg7
2008-11-10 21:55 --------- d-----w c:\program files\Common Files\Adobe
2008-11-10 21:40 --------- d-----w c:\program files\Intel
2008-11-10 21:39 355,584 ----a-w c:\windows\system32\TuneUpDefragService.exe
2008-11-10 21:39 --------- d-----w c:\program files\TuneUp Utilities 2008
2008-11-10 21:39 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-11-10 21:39 --------- d-----w c:\documents and settings\DENIS\Application Data\TuneUp Software
2008-11-10 21:39 --------- d-----w c:\documents and settings\All Users\Application Data\TuneUp Software
2008-11-10 21:23 --------- d-----w c:\documents and settings\LocalService\Application Data\AVG7
2008-11-10 21:21 499,712 ----a-w c:\windows\system32\msvcp71.dll
2008-11-10 21:21 348,160 ----a-w c:\windows\system32\msvcr71.dll
2008-11-10 21:21 110,592 ----a-w c:\windows\system32\avgfwafu.dll
2008-11-10 21:21 --------- d-----w c:\documents and settings\All Users\Application Data\Grisoft
2008-11-10 21:09 --------- d-----w c:\program files\Realtek
2008-11-10 21:08 --------- d-----w c:\documents and settings\All Users\Application Data\nView_Profiles
2008-11-10 20:51 --------- d-----w c:\program files\microsoft frontpage
2008-08-29 09:18 87,336 ----a-w c:\windows\system32\dns-sd.exe
2008-08-29 08:53 61,440 ----a-w c:\windows\system32\dnssd.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-09-23 21755688]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="c:\progra~1\Grisoft\AVG7\avgcc.exe" [2008-11-10 590848]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-02-13 7557120]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"AVG7_Run"="c:\progra~1\Grisoft\AVG7\avgw.exe" [2008-11-10 219136]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.ACDV"= ACDV.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"kamsoft"=c:\windows\system32\kamsoft.exe
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" /background
"SpybotSD TeaTimer"=c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Alcmtr"=ALCMTR.EXE
"RTHDCPL"=RTHDCPL.EXE
"nwiz"=nwiz.exe /install
"NvCplDaemon"=RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
"NvMediaCenter"=RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
"Monitor"=c:\windows\PixArt\PAC207\Monitor.exe
"SMSERIAL"=sm56hlpr.exe
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R2 UxTuneUp;TuneUp Theme Extension;c:\windows\System32\svchost.exe [2008-04-14 14336]
R3 PAC207;i-Look 111;c:\windows\system32\DRIVERS\PFC027.SYS [2007-06-29 611584]
S3 TuneUp.Defrag;TuneUp Drive Defrag Service;c:\windows\System32\TuneUpDefragService.exe [2008-11-10 355584]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - G:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{571077df-af72-11dd-92ab-00138fc79baf}]
\Shell\AutoRun\command - G:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2008-11-12 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2008\OneClickStarter.exe [2008-06-20 09:09]

2008-11-11 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, gmer.net
Rootkit scan 2008-11-12 23:55:59
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-11-12 23:56:24
ComboFix-quarantined-files.txt 2008-11-12 22:56:20

Pre-Run: 47.770.746.880 bytes free
Post-Run: 47,772,884,992 bytes free


Addendum: 13 Nov 2008 0:16

I can't believe it... I sent the log from the other computer Bebee Dol ... sorry, but I totally lost track of that because I'm cleaning both computers right now... that's why one is denis and the other administrator....

What should I do now? Should I run the scan again with that previous code, i.e. this one:

File::
C:\lky.exe
c:\windows\system32\gasretyw1.dll
c:\windows\system32\kamsoft.exe
c:\windows\system32\gasretyw0.dll
C:\whi.com

Registry::
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"kamsoft"=-

offline
  • dr_Bora  Male
  • Anti Malware Fighter
    Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

Yes, yes... On the ''DENIS computer'' use this script:

File::
C:\lky.exe
c:\windows\system32\gasretyw1.dll
c:\windows\system32\kamsoft.exe
c:\windows\system32\gasretyw0.dll
C:\whi.com

Registry::
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"kamsoft"=-

offline
  • Joined: 21 Sep 2008
  • Posts: 8

ComboFix 08-11-12.01 - DENIS 2008-11-13 23:18:50.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.179 [GMT 1:00]
Running from: c:\documents and settings\DENIS\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\DENIS\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\lky.exe
C:\whi.com
c:\windows\system32\gasretyw0.dll
c:\windows\system32\gasretyw1.dll
c:\windows\system32\kamsoft.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\lky.exe
C:\whi.com
c:\windows\system32\gasretyw0.dll
c:\windows\system32\gasretyw1.dll
c:\windows\system32\kamsoft.exe

.
((((((((((((((((((((((((( Files Created from 2008-10-13 to 2008-11-13 )))))))))))))))))))))))))))))))
.

2008-11-13 23:02 . 2008-11-13 23:02 <DIR> d-------- c:\documents and settings\All Users\Application Data\KONAMI
2008-11-13 22:57 . 2006-11-29 13:06 3,426,072 --a------ c:\windows\system32\d3dx9_32.dll
2008-11-13 22:57 . 2006-09-28 16:05 2,414,360 --a------ c:\windows\system32\d3dx9_31.dll
2008-11-13 22:57 . 2006-12-08 12:02 251,672 --a------ c:\windows\system32\xactengine2_5.dll
2008-11-13 22:57 . 2006-09-28 16:05 237,848 --a------ c:\windows\system32\xactengine2_4.dll
2008-11-13 22:57 . 2006-09-28 16:04 68,888 --a------ c:\windows\system32\xinput1_3.dll
2008-11-13 22:57 . 2006-11-15 11:38 15,128 --a------ c:\windows\system32\x3daudio1_1.dll
2008-11-13 22:54 . 2008-11-13 22:54 <DIR> d-------- c:\program files\KONAMI
2008-11-12 01:08 . 2008-04-14 05:42 159,232 --a------ c:\windows\system32\ptpusd.dll
2008-11-12 01:08 . 2008-04-14 00:15 15,104 --a------ c:\windows\system32\drivers\usbscan.sys
2008-11-12 01:08 . 2008-04-14 00:15 15,104 --a--c--- c:\windows\system32\dllcache\usbscan.sys
2008-11-12 01:08 . 2001-08-17 22:36 5,632 --a------ c:\windows\system32\ptpusb.dll
2008-11-12 00:50 . 2008-11-12 00:50 <DIR> d-------- c:\windows\ServicePackFiles
2008-11-12 00:50 . 2008-04-14 05:42 294,912 -----c--- c:\windows\system32\dllcache\dlimport.exe
2008-11-12 00:47 . 2006-12-29 00:31 19,569 --a------ c:\windows\002888_.tmp
2008-11-12 00:11 . 2008-11-12 00:11 <DIR> d-------- c:\documents and settings\DENIS\Application Data\ACD Systems
2008-11-12 00:09 . 2008-11-12 01:50 <DIR> d-------- c:\documents and settings\DENIS\Application Data\Apple Computer
2008-11-12 00:08 . 2008-11-12 00:08 <DIR> d-------- c:\program files\iTunes
2008-11-12 00:08 . 2008-11-12 00:08 <DIR> d-------- c:\program files\iPod
2008-11-12 00:08 . 2008-11-12 00:08 <DIR> d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-11-12 00:08 . 2008-04-17 13:12 107,368 --a------ c:\windows\system32\GEARAspi.dll
2008-11-12 00:08 . 2008-04-17 13:12 15,464 --a------ c:\windows\system32\drivers\GEARAspiWDM.sys
2008-11-12 00:07 . 2008-11-12 00:07 <DIR> d-------- c:\program files\QuickTime
2008-11-12 00:07 . 2008-11-12 00:07 <DIR> d-------- c:\program files\Bonjour
2008-11-12 00:07 . 2008-11-12 00:08 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple Computer
2008-11-12 00:06 . 2008-11-12 00:08 <DIR> d----c--- c:\windows\system32\DRVSTORE
2008-11-12 00:06 . 2008-11-12 00:06 <DIR> d-------- c:\program files\Apple Software Update
2008-11-12 00:06 . 2008-10-01 13:01 32,000 --a------ c:\windows\system32\drivers\usbaapl.sys
2008-11-12 00:05 . 2008-11-12 00:05 <DIR> d-------- c:\program files\Common Files\Apple
2008-11-12 00:05 . 2008-11-12 00:05 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple
2008-11-12 00:03 . 2008-11-13 16:35 <DIR> d-------- c:\documents and settings\DENIS\Application Data\skypePM
2008-11-12 00:03 . 2008-11-12 00:03 56 --ah----- c:\windows\system32\ezsidmv.dat
2008-11-12 00:02 . 2008-11-12 00:02 <DIR> d-------- c:\program files\Skype
2008-11-12 00:02 . 2008-11-12 00:02 <DIR> d-------- c:\program files\Common Files\Skype
2008-11-12 00:02 . 2008-11-13 22:49 <DIR> d-------- c:\documents and settings\DENIS\Application Data\Skype
2008-11-12 00:02 . 2008-11-12 00:02 <DIR> d-------- c:\documents and settings\All Users\Application Data\Skype
2008-11-11 23:49 . 2008-04-14 00:16 85,248 --a------ c:\windows\system32\drivers\nabtsfec.sys
2008-11-11 23:49 . 2008-04-14 00:16 19,200 --a------ c:\windows\system32\drivers\wstcodec.sys
2008-11-11 23:49 . 2008-04-14 05:42 16,384 --a------ c:\windows\system32\ipsink.ax
2008-11-11 23:49 . 2008-04-14 00:16 15,232 --a------ c:\windows\system32\drivers\streamip.sys
2008-11-11 23:49 . 2008-04-14 00:16 11,136 --a------ c:\windows\system32\drivers\slip.sys
2008-11-11 23:49 . 2008-04-14 00:16 10,880 --a------ c:\windows\system32\drivers\ndisip.sys
2008-11-11 23:49 . 2008-04-14 00:09 5,504 --a------ c:\windows\system32\drivers\mstee.sys
2008-11-11 23:48 . 2008-11-11 23:48 <DIR> d-------- c:\windows\PixArt
2008-11-11 23:48 . 2008-11-11 23:48 <DIR> d-------- c:\program files\Common Files\PAC207
2008-11-11 23:48 . 2008-04-14 05:42 91,136 --a------ c:\windows\system32\kswdmcap.ax
2008-11-11 23:48 . 2008-04-14 05:42 61,952 --a------ c:\windows\system32\kstvtune.ax
2008-11-11 23:48 . 2008-04-14 05:42 53,760 --a------ c:\windows\system32\vfwwdm32.dll
2008-11-11 23:48 . 2006-11-03 10:59 48,128 --a------ c:\windows\system32\Remove.exe
2008-11-11 23:48 . 2008-04-14 05:42 43,008 --a------ c:\windows\system32\ksxbar.ax
2008-11-11 23:48 . 2008-04-14 05:42 28,672 --a------ c:\windows\system32\vidcap.ax
2008-11-11 23:48 . 2008-04-14 00:16 17,024 --a------ c:\windows\system32\drivers\ccdecode.sys
2008-11-11 23:48 . 2007-05-24 16:32 284 --a------ c:\windows\system32\Remover.ini
2008-11-11 23:47 . 2008-11-11 23:47 <DIR> d-------- c:\windows\Album
2008-11-11 23:47 . 2008-11-11 23:47 <DIR> d-------- c:\program files\KYE
2008-11-11 23:47 . 2008-11-11 23:47 <DIR> d-------- c:\documents and settings\DENIS\Application Data\InstallShield
2008-11-11 23:47 . 2005-04-03 20:56 1,060,864 --a------ c:\windows\system32\mfc71.dll
2008-11-11 23:36 . 2008-11-11 23:36 <DIR> d-------- c:\program files\Common Files\ACD Systems
2008-11-11 23:36 . 2008-11-11 23:36 <DIR> d-------- c:\program files\ACD Systems
2008-11-11 23:36 . 2008-11-11 23:36 <DIR> d-------- c:\documents and settings\All Users\Application Data\ACD Systems
2008-11-11 23:36 . 2008-11-11 23:36 10,368 --a------ c:\windows\system32\drivers\pfc.sys
2008-11-11 23:34 . 2008-11-11 23:48 <DIR> d-------- c:\windows\Downloaded Installations
2008-11-11 23:30 . 2008-11-11 23:32 <DIR> d-------- c:\documents and settings\All Users\Application Data\WinZip
2008-11-11 23:29 . 2008-11-11 23:29 <DIR> d-------- c:\program files\Recnik20
2008-11-11 23:27 . 2008-11-12 01:03 <DIR> d-------- c:\program files\Opera
2008-11-11 14:44 . 2008-04-14 00:15 32,128 --a------ c:\windows\system32\drivers\usbccgp.sys
2008-11-11 14:44 . 2008-04-14 00:17 25,856 --a------ c:\windows\system32\drivers\usbprint.sys
2008-11-11 00:00 . 2008-11-11 10:50 <DIR> dr-h----- C:\$VAULT$.AVG
2008-11-10 23:57 . 2008-11-12 00:08 <DIR> d-------- c:\documents and settings\DENIS\Application Data\U3
2008-11-10 23:26 . 2008-11-12 01:07 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-11-10 23:26 . 2008-11-12 01:07 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-10 23:12 . 2008-11-11 00:13 <DIR> d-------- c:\program files\Wise Registry Cleaner 3 Pro
2008-11-10 23:11 . 2001-08-17 22:36 8,704 --a------ c:\windows\system32\kbdjpn.dll
2008-11-10 23:11 . 2001-08-17 22:36 8,704 --a--c--- c:\windows\system32\dllcache\kbdjpn.dll
2008-11-10 23:11 . 2001-08-17 22:36 8,192 --a------ c:\windows\system32\kbdkor.dll
2008-11-10 23:11 . 2001-08-17 22:36 8,192 --a--c--- c:\windows\system32\dllcache\kbdkor.dll
2008-11-10 23:11 . 2008-04-14 05:39 6,144 --a------ c:\windows\system32\kbd106.dll
2008-11-10 23:11 . 2001-08-17 14:55 6,144 --a------ c:\windows\system32\kbd101c.dll
2008-11-10 23:11 . 2001-08-17 14:55 6,144 --a------ c:\windows\system32\kbd101b.dll
2008-11-10 23:11 . 2001-08-17 14:55 6,144 --a--c--- c:\windows\system32\dllcache\kbd101c.dll
2008-11-10 23:11 . 2001-08-17 14:55 6,144 --a--c--- c:\windows\system32\dllcache\kbd101b.dll
2008-11-10 23:11 . 2001-08-17 14:55 5,632 --a------ c:\windows\system32\kbd103.dll
2008-11-10 23:11 . 2001-08-17 14:55 5,632 --a--c--- c:\windows\system32\dllcache\kbd103.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-13 21:50 --------- d-----w c:\documents and settings\DENIS\Application Data\AVG7
2008-11-11 22:48 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-11 22:48 --------- d-----w c:\program files\Common Files\InstallShield
2008-11-10 23:00 --------- d-----w c:\documents and settings\All Users\Application Data\avg7
2008-11-10 21:55 --------- d-----w c:\program files\Common Files\Adobe
2008-11-10 21:40 --------- d-----w c:\program files\Intel
2008-11-10 21:39 355,584 ----a-w c:\windows\system32\TuneUpDefragService.exe
2008-11-10 21:39 --------- d-----w c:\program files\TuneUp Utilities 2008
2008-11-10 21:39 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-11-10 21:39 --------- d-----w c:\documents and settings\DENIS\Application Data\TuneUp Software
2008-11-10 21:39 --------- d-----w c:\documents and settings\All Users\Application Data\TuneUp Software
2008-11-10 21:23 --------- d-----w c:\documents and settings\LocalService\Application Data\AVG7
2008-11-10 21:21 499,712 ----a-w c:\windows\system32\msvcp71.dll
2008-11-10 21:21 348,160 ----a-w c:\windows\system32\msvcr71.dll
2008-11-10 21:21 110,592 ----a-w c:\windows\system32\avgfwafu.dll
2008-11-10 21:21 --------- d-----w c:\documents and settings\All Users\Application Data\Grisoft
2008-11-10 21:09 --------- d-----w c:\program files\Realtek
2008-11-10 21:08 --------- d-----w c:\documents and settings\All Users\Application Data\nView_Profiles
2008-11-10 20:51 --------- d-----w c:\program files\microsoft frontpage
2008-08-29 09:18 87,336 ----a-w c:\windows\system32\dns-sd.exe
2008-08-29 08:53 61,440 ----a-w c:\windows\system32\dnssd.dll
.

((((((((((((((((((((((((((((( snapshot@2008-11-12_23.56.08,01 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-11-13 22:12:26 38,943 ----a-r c:\windows\Installer\{A8DB611A-D80E-450D-85F6-3ACDD164BE31}\ARPPRODUCTICON.exe
+ 2008-11-13 22:12:26 81,920 ----a-r c:\windows\Installer\{A8DB611A-D80E-450D-85F6-3ACDD164BE31}\Shortcut_PES2009_E_19E2C126E9A346458082E1106EC36033.exe
+ 2008-11-13 22:12:26 86,016 ----a-r c:\windows\Installer\{A8DB611A-D80E-450D-85F6-3ACDD164BE31}\Shortcut_SETTINGS__E16DFE45D7AC4FBF87BBB412D05EFC15.exe
+ 2006-02-03 07:41:26 14,032 ----a-w c:\windows\LastGood\system32\x3daudio1_0.dll
+ 2006-09-28 15:03:28 15,128 ----a-w c:\windows\LastGood\system32\x3daudio1_1.dll
+ 2005-02-05 18:45:26 2,222,800 ----a-w c:\windows\system32\d3dx9_24.dll
+ 2005-03-18 16:19:58 2,337,488 ----a-w c:\windows\system32\d3dx9_25.dll
+ 2005-05-26 14:34:52 2,297,552 ----a-w c:\windows\system32\d3dx9_26.dll
+ 2005-07-22 18:59:04 2,319,568 ----a-w c:\windows\system32\d3dx9_27.dll
+ 2005-12-05 17:09:18 2,323,664 ----a-w c:\windows\system32\d3dx9_28.dll
+ 2006-02-03 07:43:16 2,332,368 ----a-w c:\windows\system32\d3dx9_29.dll
+ 2006-03-31 11:40:58 2,388,176 ----a-w c:\windows\system32\d3dx9_30.dll
+ 2006-02-03 07:41:26 14,032 ----a-w c:\windows\system32\x3daudio1_0.dll
+ 2006-02-03 07:42:06 230,096 ----a-w c:\windows\system32\xactengine2_0.dll
+ 2006-03-31 11:39:48 229,584 ----a-w c:\windows\system32\xactengine2_1.dll
+ 2006-05-31 06:24:16 230,168 ----a-w c:\windows\system32\xactengine2_2.dll
+ 2006-07-28 08:30:32 236,824 ----a-w c:\windows\system32\xactengine2_3.dll
+ 2006-03-31 11:39:24 62,672 ----a-w c:\windows\system32\xinput1_1.dll
+ 2006-07-28 08:30:14 62,744 ----a-w c:\windows\system32\xinput1_2.dll
+ 2005-12-05 17:07:30 61,136 ----a-w c:\windows\system32\xinput9_1_0.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-09-23 21755688]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="c:\progra~1\Grisoft\AVG7\avgcc.exe" [2008-11-10 590848]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-02-13 7557120]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"AVG7_Run"="c:\progra~1\Grisoft\AVG7\avgw.exe" [2008-11-10 219136]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.ACDV"= ACDV.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" /background
"SpybotSD TeaTimer"=c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Alcmtr"=ALCMTR.EXE
"RTHDCPL"=RTHDCPL.EXE
"nwiz"=nwiz.exe /install
"NvCplDaemon"=RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
"NvMediaCenter"=RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
"Monitor"=c:\windows\PixArt\PAC207\Monitor.exe
"SMSERIAL"=sm56hlpr.exe
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\KONAMI\\Pro Evolution Soccer 2009\\pes2009.exe"=

R2 UxTuneUp;TuneUp Theme Extension;c:\windows\System32\svchost.exe [2008-04-14 14336]
R3 PAC207;i-Look 111;c:\windows\system32\DRIVERS\PFC027.SYS [2007-06-29 611584]
S3 TuneUp.Defrag;TuneUp Drive Defrag Service;c:\windows\System32\TuneUpDefragService.exe [2008-11-10 355584]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - G:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{571077df-af72-11dd-92ab-00138fc79baf}]
\Shell\AutoRun\command - G:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2008-11-13 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2008\OneClickStarter.exe [2008-06-20 09:09]

2008-11-11 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, gmer.net
Rootkit scan 2008-11-13 23:20:02
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-11-13 23:20:32
ComboFix-quarantined-files.txt 2008-11-13 22:20:27
ComboFix2.txt 2008-11-12 22:56:24

Pre-Run: 39.808.733.184 bytes free
Post-Run: 39,826,898,944 bytes free

  • dr_Bora  Male
  • Anti Malware Fighter
    Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

On the ''Administrator computer'', delete the following file:

C:\sq.com


-------------------------------------------------------------------------------------


Both computers are now clean. What remains is to do the following:
Click START and then RUN
In the text box type Combofix /u and click OK

Wait for the uninstall process to finish

The above procedure will:
Delete the following:
ComboFix and its files and folders
VundoFix Backups folder, if it exists
C:\Deckard folder, if it exists
C:\OtMoveIt folder, if it exists

Reset the clock settings on the computer
Hide file extensions, if necessary
Hide system/hidden files/folders, if necessary
Reset System Restore
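As an added example, not part of dr_Bora's reply and not a ComboFix component: a small Python triage script that parses the "Reg Loading Points" section of a ComboFix log like the one posted above and flags the entries an analyst checks first, namely AutoRun commands stored under Explorer's MountPoints2 key (the hook that autorun worms on removable media rely on), a firewall profile with EnableFirewall set to 0, and Run entries whose image lives outside the Windows or Program Files trees. The first sample is an excerpt of the log above; the trusted-root list, the severity labels and the "updater.exe" line in the second sample are assumptions constructed for this example.

```python
"""Triage helper for the 'Reg Loading Points' section of a ComboFix log.

Added example for this thread; not part of the post above and not a
ComboFix component. TRUSTED_ROOTS and the severity labels are assumptions.
"""
import re
from dataclasses import dataclass

KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<data>.*)$')
AUTORUN_RE = re.compile(r'^\\Shell\\AutoRun\\command\s+-\s+(?P<cmd>.+)$', re.IGNORECASE)

# Assumed for this example: images under these roots are not flagged.
TRUSTED_ROOTS = ('c:\\windows\\', 'c:\\program files\\', 'c:\\progra~1\\')


@dataclass
class Finding:
    severity: str
    key: str
    detail: str


def parse_loading_points(text):
    """Return ({key: [(name, data), ...]}, [(key, autorun_command), ...])."""
    values, autoruns, key = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group('key')
            values.setdefault(key, [])
            continue
        if key is None:
            continue  # text before the first [key] header
        m = AUTORUN_RE.match(line)
        if m:
            autoruns.append((key, m.group('cmd').strip()))
            continue
        m = VALUE_RE.match(line)
        if m:
            values[key].append((m.group('name'), m.group('data').strip()))
    return values, autoruns


def image_path(data):
    """Extract the image path from a Run value: strips surrounding quotes,
    ComboFix's trailing '[date size]' annotation and command-line switches."""
    if data.startswith('"'):
        return data[1:data.find('"', 1)]
    return data.split(' [')[0].split(' /')[0]


def triage(text):
    """Run the three checks over a loading-points dump and return Findings."""
    values, autoruns = parse_loading_points(text)
    findings = []
    for key, cmd in autoruns:
        # Explorer runs this command when the volume is opened. A legitimate
        # U3 launcher and a worm's autorun.inf target look identical here, so
        # the referenced binary itself has to be examined.
        findings.append(Finding('high', key, f'MountPoints2 AutoRun command: {cmd}'))
    for key, pairs in values.items():
        low = key.lower()
        if low.endswith('\\run-'):
            continue  # 'Run-' holds items disabled via msconfig; nothing starts from it
        for name, data in pairs:
            if 'firewallpolicy' in low and name == 'EnableFirewall':
                try:
                    enabled = int(data.split()[0], 0)   # "0 (0x0)" -> 0
                except (ValueError, IndexError):
                    enabled = -1
                if enabled == 0:
                    findings.append(Finding('medium', key, 'Windows Firewall disabled for this profile'))
            elif low.endswith('\\run'):
                path = image_path(data).lower()
                if not path.startswith(TRUSTED_ROOTS):
                    findings.append(Finding('low', key, f'Run entry {name!r} starts {path} outside the usual program trees'))
    return findings


# Excerpt of the log posted above in this thread.
LOG_EXCERPT = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-09-23 21755688]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SpybotSD TeaTimer"=c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - G:\LaunchU3.exe -a
"""

# Constructed sample, not from the log: a Run entry pointing into a user profile.
CONSTRUCTED_RUN = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"updater"="c:\documents and settings\Administrator\Application Data\updater.exe" [2008-11-13 24576]
"""

if __name__ == '__main__':
    for f in triage(LOG_EXCERPT) + triage(CONSTRUCTED_RUN):
        print(f'[{f.severity}] {f.key}: {f.detail}')
```

On the excerpt this reports the G:\LaunchU3.exe AutoRun command and the disabled firewall; the script flags the AutoRun entry regardless of what the command looks like, because the binary on the volume, not the registry string, is what decides whether the entry is harmless. The Run- keys are skipped on purpose: ComboFix prints them, but they only record what msconfig has disabled.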
