Trojans :S


  • Joined: 04 Sep 2003
  • Posts: 24135
  • Location: Wien

Check the following file at www.virustotal.com:
C:\WINDOWS\System32\msftpd.dll

  • Joined: 28 May 2006
  • Posts: 1536
  • Location: Seven holy paths to hell

http://www.virustotal.com/analisis/b6bbe5792f30b87cbb55021956d6a116

  • Joined: 04 Sep 2003
  • Posts: 24135
  • Location: Wien

Open Notepad and copy the following text into it:

File::
C:\WINDOWS\System32\msftpd.dll

Save the file from Notepad to the Desktop as "CFScript"

Drag the saved script/text file onto the ComboFix icon, as in the picture.
Post the log that is produced at the end of the cleaning/scan in your next reply.

  • Joined: 28 May 2006
  • Posts: 1536
  • Location: Seven holy paths to hell

ComboFix 08-09-26.06 - Janki 2008-09-28 3:09:21.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1539 [GMT 2:00]
Running from: C:\Documents and Settings\Janki\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Janki\Desktop\CFScript.txt
* Created a new restore point
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\System32\msftpd.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\System32\msftpd.dll

.
((((((((((((((((((((((((( Files Created from 2008-08-28 to 2008-09-28 )))))))))))))))))))))))))))))))
.

2008-09-27 12:58 . 2008-09-28 03:11 0 --a------ C:\WINDOWS\system32\ativvaxx.cap
2008-09-26 23:04 . 2008-09-26 23:04 <DIR> d-------- C:\Documents and Settings\Administrator
2008-09-26 21:30 . 2008-09-26 21:30 <DIR> d---s---- C:\WINDOWS\Cookies
2008-09-26 20:53 . 2008-09-26 21:31 <DIR> d-------- C:\Documents and Settings\Janki\Application Data\BSplayer PRO
2008-09-26 15:11 . 2008-09-26 15:15 <DIR> d-------- C:\Program Files\a-squared Free
2008-09-26 15:10 . 2008-09-27 12:10 <DIR> d-------- C:\Program Files\a-squared Anti-Malware
2008-09-18 20:16 . 2008-09-18 20:16 <DIR> d-------- C:\Program Files\Safer Networking
2008-09-18 20:11 . 2008-09-18 20:19 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-09-18 20:11 . 2008-09-27 22:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-09-18 12:31 . 2008-09-18 12:33 <DIR> d-------- C:\Program Files\Magic Swf2Avi 2008
2008-09-18 00:51 . 2008-09-27 17:19 <DIR> d-------- C:\Documents and Settings\Janki\Application Data\SWF.max
2008-09-17 19:34 . 2008-09-17 19:34 <DIR> d-------- C:\Program Files\SWF.max
2008-09-17 19:27 . 2008-09-17 19:29 <DIR> d-------- C:\Program Files\FlashGet
2008-09-16 22:53 . 2008-09-27 23:13 250 --a------ C:\WINDOWS\gmer.ini
2008-09-08 16:38 . 2008-09-08 16:38 354,560 --a------ C:\WINDOWS\system32\TuneUpDefragService.exe
2008-09-08 16:37 . 2008-09-08 16:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\LogiShrd
2008-09-08 16:37 . 2008-04-04 14:51 28,416 --a------ C:\WINDOWS\system32\uxtuneup.dll
2008-09-08 16:36 . 2008-05-02 02:38 301,656 --a------ C:\WINDOWS\system32\BtCoreIf.dll
2008-09-08 16:36 . 2008-09-08 16:36 0 --ah----- C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2008-09-08 16:36 . 2008-09-08 16:36 0 --ah----- C:\WINDOWS\system32\drivers\Msft_Kernel_LMouFilt_01005.Wdf
2008-09-08 16:36 . 2008-09-08 16:36 0 --ah----- C:\WINDOWS\system32\drivers\Msft_Kernel_LHidFilt_01005.Wdf
2008-09-08 16:35 . 2008-09-08 16:36 <DIR> d-------- C:\Program Files\Common Files\Logishrd
2008-09-08 16:35 . 2008-09-08 16:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Logitech
2008-09-08 15:30 . 2008-09-08 15:30 <DIR> d-------- C:\Program Files\Trend Micro
2008-09-03 23:59 . 2008-09-03 23:59 <DIR> d-------- C:\Program Files\Binaryfish
2008-09-03 17:22 . 2008-09-03 17:22 <DIR> d-------- C:\Program Files\Muff
2008-08-30 13:04 . 2008-08-30 13:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ATI

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-28 01:10 --------- d-----w C:\Documents and Settings\Janki\Application Data\uTorrent
2008-09-27 15:33 --------- d-----w C:\Documents and Settings\Janki\Application Data\Orbit
2008-09-27 10:19 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-09-27 10:17 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-09-27 10:16 --------- d-----w C:\Program Files\TQ Defiler
2008-09-27 10:11 --------- d-----w C:\Documents and Settings\Janki\Application Data\My Games
2008-09-26 19:49 --------- d-----w C:\Program Files\DAEMON Tools Pro
2008-09-25 17:27 --------- d-----w C:\Program Files\ICQ6
2008-09-23 11:02 --------- d-----w C:\Documents and Settings\Janki\Application Data\OpenOffice.org2
2008-09-19 15:00 --------- d-----w C:\Program Files\SpeedFan
2008-09-08 14:38 --------- d-----w C:\Program Files\TuneUp Utilities 2008
2008-09-08 14:36 --------- d-----w C:\Program Files\Common Files\Logitech
2008-09-08 13:57 --------- d-----w C:\Program Files\Common Files\Teleca Shared
2008-08-30 11:02 --------- d-----w C:\Program Files\ATI Technologies
2008-08-28 22:23 --------- d-----w C:\Documents and Settings\Janki\Application Data\skypePM
2008-08-28 22:23 --------- d-----w C:\Documents and Settings\Janki\Application Data\Skype
2008-08-24 18:33 --------- d-----w C:\Documents and Settings\Janki\Application Data\MyPhoneExplorer
2008-08-23 13:56 --------- d-----w C:\Program Files\Lavalys
2008-08-19 22:09 --------- d-----w C:\Documents and Settings\Janki\Application Data\Winamp
2008-08-13 17:50 --------- d-----w C:\Program Files\Western Digital
2008-08-08 04:23 --------- d-----w C:\Program Files\Recuva
2008-08-03 02:24 --------- d-----w C:\Program Files\Skype
2008-08-03 02:24 --------- d-----w C:\Program Files\Common Files\Skype
2008-08-03 02:24 --------- d-----w C:\Documents and Settings\All Users\Application Data\Skype
2008-08-02 14:52 --------- d-----w C:\Program Files\Opera
2008-08-01 06:38 3,266,560 ----a-w C:\WINDOWS\system32\drivers\ati2mtag.sys
2008-08-01 03:39 53,248 ----a-w C:\WINDOWS\system32\drivers\ati2erec.dll
2008-07-14 07:07 714 ----a-w C:\ma477.bin
2008-07-09 21:48 2,829 ----a-w C:\WINDOWS\War3Unin.pif
2008-07-09 21:48 139,264 ----a-w C:\WINDOWS\War3Unin.exe
2008-03-09 05:25 236 ----a-w C:\Program Files\Common Files\dx.reg
.

------- Sigcheck -------

2008-05-15 16:51 359040 27a5959c94ee173a063ca06bd14f021a C:\WINDOWS\system32\dllcache\TCPIP.SYS
2008-05-15 16:51 359040 27a5959c94ee173a063ca06bd14f021a C:\WINDOWS\system32\drivers\TCPIP.SYS

2004-08-04 02:56 57856 5274e48efcd5a464b7d17424debc3d6d C:\WINDOWS\system32\spoolsv.exe
2004-08-04 02:56 57856 7435b108b935e42ea92ca94f59c8e717 C:\WINDOWS\system32\dllcache\spoolsv.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"uTorrent"="C:\Program Files\uTorrent\uTorrent.exe" [2008-09-03 267056]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]
"DU Meter"="C:\Program Files\DU Meter\DUMeter.exe" [2008-06-10 2645528]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RivaTuner"="C:\Program Files\RivaTuner v2.09\RivaTuner.exe" [2008-04-28 2707456]
"RivaTunerStartupDaemon"="C:\Program Files\RivaTuner v2.09\RivaTuner.exe" [2008-04-28 2707456]
"egui"="C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-06-10 1447168]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-07-16 61440]
"RTHDCPL"="RTHDCPL.EXE" [2008-03-26 C:\WINDOWS\RTHDCPL.exe]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-02-29 C:\WINDOWS\KHALMNPR.Exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2008-09-08 805392]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-05-02 02:42 72208 c:\Program Files\Common Files\Logitech\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.YV12"= yv12vfw.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\36X Raid Configurer]
-r------- 2007-05-25 06:13 1957888 C:\WINDOWS\system32\xRaidSetup.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
--a------ 2006-11-13 13:39 1289000 C:\Program Files\Microsoft ActiveSync\wcescomm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a------ 2004-06-16 06:03 221184 C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2004-06-16 06:03 81920 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\JMB36X IDE Setup]
-r------- 2007-03-20 08:36 36864 C:\WINDOWS\RaidTool\xInsIDE.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2006-01-12 16:40 155648 C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OSSelectorReinstall]
--a------ 2007-02-22 19:53 2209224 C:\Program Files\Common Files\Acronis\Acronis Disk Director\oss_reinstall.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
--a------ 2008-07-16 16:57 61440 C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Orbitdownloader\\orbitdm.exe"=
"C:\\Program Files\\Orbitdownloader\\orbitnet.exe"=
"C:\\Program Files\\ICQ6\\ICQ.exe"=
"D:\\Games\\Pro Evolution Soccer 2008\\PES2008.exe"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\\Program Files\\FlashGet\\flashget.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R1 BIOS;BIOS;C:\WINDOWS\system32\drivers\BIOS.sys [2005-03-16 13696]
R1 BS_I2cIo;BS_I2cIo;C:\WINDOWS\system32\drivers\BS_I2cIo.sys [2006-04-13 8192]
R1 epfwtdir;epfwtdir;C:\WINDOWS\system32\DRIVERS\epfwtdir.sys [2008-06-10 34312]
R2 DUMeterSvc;DU Meter Service;C:\Program Files\DU Meter\DUMeterSvc.exe [2008-06-10 1386008]
R2 LBeepKE;LBeepKE;C:\WINDOWS\system32\Drivers\LBeepKE.sys [2006-05-25 3712]
R2 UxTuneUp;TuneUp Theme Extension;C:\WINDOWS\System32\svchost.exe [2004-08-04 14336]
S3 GPU-Z;GPU-Z;C:\DOCUME~1\Janki\LOCALS~1\Temp\GPU-Z.sys [ ]
S3 se46bus;Sony Ericsson Device 070 driver (WDM);C:\WINDOWS\system32\DRIVERS\se46bus.sys [2006-11-30 61536]
S3 se46mdfl;Sony Ericsson Device 070 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\se46mdfl.sys [2006-11-30 9360]
S3 se46mdm;Sony Ericsson Device 070 USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\se46mdm.sys [2006-11-30 97088]
S3 se46mgmt;Sony Ericsson Device 070 USB WMC Device Management Drivers (WDM);C:\WINDOWS\system32\DRIVERS\se46mgmt.sys [2006-11-30 88624]
S3 se46nd5;Sony Ericsson Device 070 USB Ethernet Emulation SEMC46 (NDIS);C:\WINDOWS\system32\DRIVERS\se46nd5.sys [2006-11-30 18704]
S3 se46obex;Sony Ericsson Device 070 USB WMC OBEX Interface;C:\WINDOWS\system32\DRIVERS\se46obex.sys [2006-11-30 86432]
S3 se46unic;Sony Ericsson Device 070 USB Ethernet Emulation SEMC46 (WDM);C:\WINDOWS\system32\DRIVERS\se46unic.sys [2006-11-30 90800]
S3 TuneUp.Defrag;TuneUp Drive Defrag Service;C:\WINDOWS\System32\TuneUpDefragService.exe [2008-09-08 354560]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6f5ecb81-5739-11dd-b5bc-00055dd3fac7}]
\Shell\AutoRun\command - I:\Programs\totalcmd\TCPowerPack.exe
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-28 03:11:22
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\DUMeterSvc]
"ImagePath"="C:\Program Files\DU Meter\DUMeterSvc.exe /startedbyscm:E1F6D4BE-40E33354-DUMeterService"
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Borland\InterBase\bin\ibguard.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.exe
C:\Program Files\Borland\InterBase\bin\ibserver.exe
C:\WINDOWS\ALCFDRTM.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\ComboFix\pv.cfexe
.
**************************************************************************
.
Completion time: 2008-09-28 3:13:45 - machine was rebooted
ComboFix-quarantined-files.txt 2008-09-28 01:13:42
ComboFix2.txt 2008-09-27 20:12:21
ComboFix3.txt 2008-09-27 14:29:59
ComboFix4.txt 2008-09-26 18:39:39

Pre-Run: 19,423,264,768 bytes free
Post-Run: 19,411,767,296 bytes free
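The CFScript step described earlier and the log it produced, as an added example (not code from the thread or from ComboFix): a Python checker that parses a ComboFix log of this layout to confirm that the path named in the CFScript appears under "Other Deletions", flags Sigcheck entries whose system32 and dllcache copies hash differently, and lists the Security Center and firewall values the posted log shows switched off. The log excerpt embedded below is constructed from lines of the same shape as the posted one, and the function names are this example's own.

```python
"""Sanity-check a ComboFix run log against the CFScript that drove it.

Added example for this thread, not ComboFix's own code. CFSCRIPT is the text
dictated in the thread; SAMPLE_LOG is a constructed excerpt laid out like the
posted log (banner lines delimit sections; "." lines are padding).
"""
import re
from collections import defaultdict

# CFScript as dictated in the thread: a "File::" directive followed by paths to delete.
CFSCRIPT = "File::\nC:\\WINDOWS\\System32\\msftpd.dll\n"

# Constructed excerpt of a ComboFix log, trimmed to the parts the checks below read.
SAMPLE_LOG = r"""ComboFix 08-09-26.06 - Janki 2008-09-28 3:09:21.4 - NTFSx86
Command switches used :: C:\Documents and Settings\Janki\Desktop\CFScript.txt
FILE ::
C:\WINDOWS\System32\msftpd.dll
.
(((((((((((((((((((( Other Deletions ))))))))))))))))))))
.
C:\WINDOWS\System32\msftpd.dll
.
------- Sigcheck -------
2008-05-15 16:51 359040 27a5959c94ee173a063ca06bd14f021a C:\WINDOWS\system32\dllcache\TCPIP.SYS
2008-05-15 16:51 359040 27a5959c94ee173a063ca06bd14f021a C:\WINDOWS\system32\drivers\TCPIP.SYS
2004-08-04 02:56 57856 5274e48efcd5a464b7d17424debc3d6d C:\WINDOWS\system32\spoolsv.exe
2004-08-04 02:56 57856 7435b108b935e42ea92ca94f59c8e717 C:\WINDOWS\system32\dllcache\spoolsv.exe
.
(((((((((((((((((((( Reg Loading Points ))))))))))))))))))))
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
"""

# Banner lines look like "(((( Name ))))" or "------- Name -------".
SECTION_RE = re.compile(r"^(?:\(+\s*(.*?)\s*\)+|-{3,}\s*(.*?)\s*-{3,})$")
SIGCHECK_RE = re.compile(r"^\S+ \S+ (\d+) ([0-9a-f]{32}) (.+)$")
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(?:dword:)?(\d+)')
# Registry values whose listed setting means a protection, or its warning, is switched off.
WEAK_SETTINGS = {"antivirusdisablenotify": 1, "firewalldisablenotify": 1,
                 "updatesdisablenotify": 1, "enablefirewall": 0}

def split_sections(log):
    """Group non-padding log lines under the banner above them ('header' before the first)."""
    sections, current = defaultdict(list), "header"
    for line in log.splitlines():
        m = SECTION_RE.match(line.strip())
        if m:
            current = m.group(1) or m.group(2)
        elif line.strip() not in ("", "."):
            sections[current].append(line.rstrip())
    return sections

def parse_cfscript(text):
    """A 'Name::' line opens a directive; the non-empty lines after it are its arguments."""
    directives, current = defaultdict(list), None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.endswith("::"):
            current = line[:-2].strip().lower()
        elif line and current is not None:
            directives[current].append(line)
    return directives

def check_deletions(cfscript_text, log):
    """Map each path the script asked ComboFix to delete to whether 'Other Deletions' lists it."""
    deleted = {line.lower() for line in split_sections(log)["Other Deletions"]}
    return {p: p.lower() in deleted for p in parse_cfscript(cfscript_text)["file"]}

def sigcheck_mismatches(log):
    """Files whose copies (e.g. system32 vs dllcache) carry different MD5 hashes."""
    hashes = defaultdict(dict)
    for line in split_sections(log)["Sigcheck"]:
        m = SIGCHECK_RE.match(line.strip())
        if m:
            hashes[m.group(3).rsplit("\\", 1)[-1].lower()][m.group(3)] = m.group(2)
    return {name: paths for name, paths in hashes.items() if len(set(paths.values())) > 1}

def weakened_protection(log):
    """(registry key, value name) pairs showing Security Center alerts or the firewall turned off."""
    findings, key = [], None
    for line in split_sections(log)["Reg Loading Points"]:
        if line.startswith("["):
            key = line.strip("[]")
        else:
            m = VALUE_RE.match(line)
            if m and key and WEAK_SETTINGS.get(m.group(1).lower()) == int(m.group(2)):
                findings.append((key, m.group(1)))
    return findings
```

Run `check_deletions(CFSCRIPT, SAMPLE_LOG)`, `sigcheck_mismatches(SAMPLE_LOG)` and `weakened_protection(SAMPLE_LOG)` against a real log pasted into `SAMPLE_LOG` to get the same three answers a helper reads off by eye: was the file removed, does any system file differ from its dllcache copy, and which protections are still off.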


  • Joined: 04 Sep 2003
  • Posts: 24135
  • Location: Wien

Tell me how the computer is behaving now.

  • Joined: 28 May 2006
  • Posts: 1536
  • Location: Seven holy paths to hell

Looks like everything is OK :)
Thanks for the help ;)

  • Joined: 04 Sep 2003
  • Posts: 24135
  • Location: Wien

If it's not too much trouble, send me a copy of that msftpd.dll.
You'll find it in C:\QooBox\Quarantine\C\Windows\System32
It will have the extension VIR
Upload it through the upload form you already used in this thread.

We'll leave ComboFix on your computer a little longer, and if everything is fine we'll uninstall it tomorrow or the day after.
So, post a new ComboFix log tomorrow evening so I can be sure the infection isn't coming back.

  • Joined: 28 May 2006
  • Posts: 1536
  • Location: Seven holy paths to hell

I've uploaded it.

  • Joined: 04 Sep 2003
  • Posts: 24135
  • Location: Wien

Thanks a lot, I'll send it to the AV companies for analysis so they can add it to their definitions.

  • Joined: 28 May 2006
  • Posts: 1536
  • Location: Seven holy paths to hell

Here's the new log :) thanks again for the help ;)

ComboFix 08-09-26.06 - Janki 2008-09-29 18:43:12.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1599 [GMT 2:00]
Running from: C:\Documents and Settings\Janki\Desktop\ComboFix.exe
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-08-28 to 2008-09-29 )))))))))))))))))))))))))))))))
.

2008-09-27 12:58 . 2008-09-29 18:42 0 --a------ C:\WINDOWS\system32\ativvaxx.cap
2008-09-26 23:04 . 2008-09-26 23:04 <DIR> d-------- C:\Documents and Settings\Administrator
2008-09-26 21:30 . 2008-09-26 21:30 <DIR> d---s---- C:\WINDOWS\Cookies
2008-09-26 20:53 . 2008-09-26 21:31 <DIR> d-------- C:\Documents and Settings\Janki\Application Data\BSplayer PRO
2008-09-26 15:11 . 2008-09-26 15:15 <DIR> d-------- C:\Program Files\a-squared Free
2008-09-26 15:10 . 2008-09-27 12:10 <DIR> d-------- C:\Program Files\a-squared Anti-Malware
2008-09-18 20:16 . 2008-09-18 20:16 <DIR> d-------- C:\Program Files\Safer Networking
2008-09-18 20:11 . 2008-09-18 20:19 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-09-18 20:11 . 2008-09-27 22:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-09-18 12:31 . 2008-09-18 12:33 <DIR> d-------- C:\Program Files\Magic Swf2Avi 2008
2008-09-18 00:51 . 2008-09-27 17:19 <DIR> d-------- C:\Documents and Settings\Janki\Application Data\SWF.max
2008-09-17 19:34 . 2008-09-17 19:34 <DIR> d-------- C:\Program Files\SWF.max
2008-09-17 19:27 . 2008-09-17 19:29 <DIR> d-------- C:\Program Files\FlashGet
2008-09-16 22:53 . 2008-09-27 23:13 250 --a------ C:\WINDOWS\gmer.ini
2008-09-08 16:38 . 2008-09-08 16:38 354,560 --a------ C:\WINDOWS\system32\TuneUpDefragService.exe
2008-09-08 16:37 . 2008-09-08 16:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\LogiShrd
2008-09-08 16:37 . 2008-04-04 14:51 28,416 --a------ C:\WINDOWS\system32\uxtuneup.dll
2008-09-08 16:36 . 2008-05-02 02:38 301,656 --a------ C:\WINDOWS\system32\BtCoreIf.dll
2008-09-08 16:36 . 2008-09-08 16:36 0 --ah----- C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2008-09-08 16:36 . 2008-09-08 16:36 0 --ah----- C:\WINDOWS\system32\drivers\Msft_Kernel_LMouFilt_01005.Wdf
2008-09-08 16:36 . 2008-09-08 16:36 0 --ah----- C:\WINDOWS\system32\drivers\Msft_Kernel_LHidFilt_01005.Wdf
2008-09-08 16:35 . 2008-09-08 16:36 <DIR> d-------- C:\Program Files\Common Files\Logishrd
2008-09-08 16:35 . 2008-09-08 16:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Logitech
2008-09-08 15:30 . 2008-09-08 15:30 <DIR> d-------- C:\Program Files\Trend Micro
2008-09-03 23:59 . 2008-09-03 23:59 <DIR> d-------- C:\Program Files\Binaryfish
2008-09-03 17:22 . 2008-09-03 17:22 <DIR> d-------- C:\Program Files\Muff
2008-08-30 13:04 . 2008-08-30 13:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ATI

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-29 16:43 --------- d-----w C:\Documents and Settings\Janki\Application Data\uTorrent
2008-09-27 15:33 --------- d-----w C:\Documents and Settings\Janki\Application Data\Orbit
2008-09-27 10:19 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-09-27 10:17 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-09-27 10:16 --------- d-----w C:\Program Files\TQ Defiler
2008-09-27 10:11 --------- d-----w C:\Documents and Settings\Janki\Application Data\My Games
2008-09-26 19:49 --------- d-----w C:\Program Files\DAEMON Tools Pro
2008-09-25 17:27 --------- d-----w C:\Program Files\ICQ6
2008-09-23 11:02 --------- d-----w C:\Documents and Settings\Janki\Application Data\OpenOffice.org2
2008-09-19 15:00 --------- d-----w C:\Program Files\SpeedFan
2008-09-08 14:38 --------- d-----w C:\Program Files\TuneUp Utilities 2008
2008-09-08 14:36 --------- d-----w C:\Program Files\Common Files\Logitech
2008-09-08 13:57 --------- d-----w C:\Program Files\Common Files\Teleca Shared
2008-08-30 11:02 --------- d-----w C:\Program Files\ATI Technologies
2008-08-28 22:23 --------- d-----w C:\Documents and Settings\Janki\Application Data\skypePM
2008-08-28 22:23 --------- d-----w C:\Documents and Settings\Janki\Application Data\Skype
2008-08-24 18:33 --------- d-----w C:\Documents and Settings\Janki\Application Data\MyPhoneExplorer
2008-08-23 13:56 --------- d-----w C:\Program Files\Lavalys
2008-08-19 22:09 --------- d-----w C:\Documents and Settings\Janki\Application Data\Winamp
2008-08-13 17:50 --------- d-----w C:\Program Files\Western Digital
2008-08-08 04:23 --------- d-----w C:\Program Files\Recuva
2008-08-03 02:24 --------- d-----w C:\Program Files\Skype
2008-08-03 02:24 --------- d-----w C:\Program Files\Common Files\Skype
2008-08-03 02:24 --------- d-----w C:\Documents and Settings\All Users\Application Data\Skype
2008-08-02 14:52 --------- d-----w C:\Program Files\Opera
2008-08-01 06:38 3,266,560 ----a-w C:\WINDOWS\system32\drivers\ati2mtag.sys
2008-08-01 05:40 9,928,704 ----a-w C:\WINDOWS\system32\atioglxx.dll
2008-08-01 04:58 253,952 ----a-w C:\WINDOWS\system32\atiok3x2.dll
2008-08-01 04:33 425,984 ----a-w C:\WINDOWS\system32\ATIDEMGX.dll
2008-08-01 04:32 311,296 ----a-w C:\WINDOWS\system32\ati2dvag.dll
2008-08-01 04:23 184,320 ----a-w C:\WINDOWS\system32\atipdlxx.dll
2008-08-01 04:23 143,360 ----a-w C:\WINDOWS\system32\Oemdspif.dll
2008-08-01 04:22 43,520 ----a-w C:\WINDOWS\system32\ati2edxx.dll
2008-08-01 04:22 26,112 ----a-w C:\WINDOWS\system32\Ati2mdxx.exe
2008-08-01 04:22 143,360 ----a-w C:\WINDOWS\system32\ati2evxx.dll
2008-08-01 04:21 573,440 ----a-w C:\WINDOWS\system32\ati2evxx.exe
2008-08-01 04:19 53,248 ----a-w C:\WINDOWS\system32\ATIDDC.DLL
2008-08-01 04:10 3,917,568 ----a-w C:\WINDOWS\system32\ati3duag.dll
2008-08-01 03:59 2,183,552 ----a-w C:\WINDOWS\system32\ativvaxx.dll
2008-08-01 03:46 48,640 ----a-w C:\WINDOWS\system32\amdpcom32.dll
2008-08-01 03:42 376,832 ----a-w C:\WINDOWS\system32\atikvmag.dll
2008-08-01 03:40 35,328 ----a-w C:\WINDOWS\system32\atiadlxx.dll
2008-08-01 03:40 17,408 ----a-w C:\WINDOWS\system32\atitvo32.dll
2008-08-01 03:39 53,248 ----a-w C:\WINDOWS\system32\drivers\ati2erec.dll
2008-08-01 03:39 307,200 ----a-w C:\WINDOWS\system32\atiiiexx.dll
2008-08-01 03:34 561,152 ----a-w C:\WINDOWS\system32\ati2cqag.dll
2008-07-31 19:05 593,920 ------w C:\WINDOWS\system32\ati2sgag.exe
2008-07-14 07:07 714 ----a-w C:\ma477.bin
2008-07-09 21:48 2,829 ----a-w C:\WINDOWS\War3Unin.pif
2008-07-09 21:48 139,264 ----a-w C:\WINDOWS\War3Unin.exe
2008-06-30 18:08 692,058 ----a-w C:\WINDOWS\system32\unins000.exe
2008-03-09 05:25 236 ----a-w C:\Program Files\Common Files\dx.reg
.

------- Sigcheck -------

2008-05-15 16:51 359040 27a5959c94ee173a063ca06bd14f021a C:\WINDOWS\system32\dllcache\TCPIP.SYS
2008-05-15 16:51 359040 27a5959c94ee173a063ca06bd14f021a C:\WINDOWS\system32\drivers\TCPIP.SYS

2004-08-04 02:56 57856 5274e48efcd5a464b7d17424debc3d6d C:\WINDOWS\system32\spoolsv.exe
2004-08-04 02:56 57856 7435b108b935e42ea92ca94f59c8e717 C:\WINDOWS\system32\dllcache\spoolsv.exe
.
((((((((((((((((((((((((((((( snapshot@2008-09-27_16.29.46.20 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-09-27 10:57:58 149,992 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT
+ 2008-09-29 16:41:08 149,992 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"uTorrent"="C:\Program Files\uTorrent\uTorrent.exe" [2008-09-03 267056]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]
"DU Meter"="C:\Program Files\DU Meter\DUMeter.exe" [2008-06-10 2645528]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RivaTuner"="C:\Program Files\RivaTuner v2.09\RivaTuner.exe" [2008-04-28 2707456]
"RivaTunerStartupDaemon"="C:\Program Files\RivaTuner v2.09\RivaTuner.exe" [2008-04-28 2707456]
"egui"="C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-06-10 1447168]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-07-16 61440]
"RTHDCPL"="RTHDCPL.EXE" [2008-03-26 C:\WINDOWS\RTHDCPL.exe]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-02-29 C:\WINDOWS\KHALMNPR.Exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2008-09-08 805392]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-05-02 02:42 72208 c:\Program Files\Common Files\Logitech\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.YV12"= yv12vfw.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\36X Raid Configurer]
-r------- 2007-05-25 06:13 1957888 C:\WINDOWS\system32\xRaidSetup.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
--a------ 2006-11-13 13:39 1289000 C:\Program Files\Microsoft ActiveSync\wcescomm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a------ 2004-06-16 06:03 221184 C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2004-06-16 06:03 81920 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\JMB36X IDE Setup]
-r------- 2007-03-20 08:36 36864 C:\WINDOWS\RaidTool\xInsIDE.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2006-01-12 16:40 155648 C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OSSelectorReinstall]
--a------ 2007-02-22 19:53 2209224 C:\Program Files\Common Files\Acronis\Acronis Disk Director\oss_reinstall.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
--a------ 2008-07-16 16:57 61440 C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Orbitdownloader\\orbitdm.exe"=
"C:\\Program Files\\Orbitdownloader\\orbitnet.exe"=
"C:\\Program Files\\ICQ6\\ICQ.exe"=
"D:\\Games\\Pro Evolution Soccer 2008\\PES2008.exe"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\\Program Files\\FlashGet\\flashget.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R1 BIOS;BIOS;C:\WINDOWS\system32\drivers\BIOS.sys [2005-03-16 13696]
R1 BS_I2cIo;BS_I2cIo;C:\WINDOWS\system32\drivers\BS_I2cIo.sys [2006-04-13 8192]
R1 epfwtdir;epfwtdir;C:\WINDOWS\system32\DRIVERS\epfwtdir.sys [2008-06-10 34312]
R2 DUMeterSvc;DU Meter Service;C:\Program Files\DU Meter\DUMeterSvc.exe [2008-06-10 1386008]
R2 LBeepKE;LBeepKE;C:\WINDOWS\system32\Drivers\LBeepKE.sys [2006-05-25 3712]
R2 UxTuneUp;TuneUp Theme Extension;C:\WINDOWS\System32\svchost.exe [2004-08-04 14336]
S3 GPU-Z;GPU-Z;C:\DOCUME~1\Janki\LOCALS~1\Temp\GPU-Z.sys [ ]
S3 se46bus;Sony Ericsson Device 070 driver (WDM);C:\WINDOWS\system32\DRIVERS\se46bus.sys [2006-11-30 61536]
S3 se46mdfl;Sony Ericsson Device 070 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\se46mdfl.sys [2006-11-30 9360]
S3 se46mdm;Sony Ericsson Device 070 USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\se46mdm.sys [2006-11-30 97088]
S3 se46mgmt;Sony Ericsson Device 070 USB WMC Device Management Drivers (WDM);C:\WINDOWS\system32\DRIVERS\se46mgmt.sys [2006-11-30 88624]
S3 se46nd5;Sony Ericsson Device 070 USB Ethernet Emulation SEMC46 (NDIS);C:\WINDOWS\system32\DRIVERS\se46nd5.sys [2006-11-30 18704]
S3 se46obex;Sony Ericsson Device 070 USB WMC OBEX Interface;C:\WINDOWS\system32\DRIVERS\se46obex.sys [2006-11-30 86432]
S3 se46unic;Sony Ericsson Device 070 USB Ethernet Emulation SEMC46 (WDM);C:\WINDOWS\system32\DRIVERS\se46unic.sys [2006-11-30 90800]
S3 TuneUp.Defrag;TuneUp Drive Defrag Service;C:\WINDOWS\System32\TuneUpDefragService.exe [2008-09-08 354560]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6f5ecb81-5739-11dd-b5bc-00055dd3fac7}]
\Shell\AutoRun\command - I:\Programs\totalcmd\TCPowerPack.exe
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Janki\Application Data\Mozilla\Firefox\Profiles\f0srcxv9.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - www.google.com
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-29 18:44:33
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\DUMeterSvc]
"ImagePath"="C:\Program Files\DU Meter\DUMeterSvc.exe /startedbyscm:E1F6D4BE-40E33354-DUMeterService"
.
Completion time: 2008-09-29 18:45:04
ComboFix-quarantined-files.txt 2008-09-29 16:44:58
ComboFix2.txt 2008-09-28 01:13:46
ComboFix3.txt 2008-09-27 20:12:21
ComboFix4.txt 2008-09-27 14:29:59
ComboFix5.txt 2008-09-29 16:43:07

Pre-Run: 19,422,875,648 bytes free
Post-Run: 19,409,653,760 bytes free

