autorun.exe

  • Joined: 21 Sep 2008
  • Posts: 8

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:25:00 PM, on 11/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\HSDPA USB MODEM\USB Modem.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Administrator\Desktop\New Folder\sertw.exe.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\userinit.exe
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O3 - Toolbar: (zabranjeno) Find Search - {A6790AA5-C6C7-4BCF-A46D-0FDAC4EA90EB} - C:\WINDOWS\SrchPlug.dll (file missing)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [kamsoft] C:\WINDOWS\system32\ckvo.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - go.microsoft.com/fwlink/?linkid=67633
O17 - HKLM\System\CCS\Services\Tcpip\..\{7D709B6E-BAD0-46EC-9037-D5769808C09D}: NameServer = 79.143.101.225 79.143.98.35
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe

--
End of file - 3974 bytes

Update: 11 Nov 2008 12:25

Please help!
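Triage of the HijackThis log above, as an added example that is not part of the original post and not HijackThis code. It walks the generic line format (section code, dash, body) and flags the entries a helper reads first: orphaned hooks marked "(no file)" or "(file missing)", per-user Run keys whose target sits under the Windows directory, running processes with a doubled extension or launched from a profile folder, and any O17 NameServer override. The sample log is a constructed excerpt of the lines posted above; the allowlist of Windows executables that legitimately appear in a per-user Run key, and the flags themselves, are heuristics (assumptions) meant to prompt a manual check, not a verdict on a file.

```python
"""Triage a HijackThis v2 log for the entries a malware helper looks at first.

Added example for this thread; not HijackThis code. It uses only the generic
log format (section code, dash, body). The flags are heuristics, stated in the
comments, and are a prompt to check a file, not a verdict on it.
"""
import re
from typing import Dict, List

# Constructed excerpt of the HijackThis log posted above.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Documents and Settings\Administrator\Desktop\New Folder\sertw.exe.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: Find Search - {A6790AA5-C6C7-4BCF-A46D-0FDAC4EA90EB} - C:\WINDOWS\SrchPlug.dll (file missing)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [kamsoft] C:\WINDOWS\system32\ckvo.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O17 - HKLM\System\CCS\Services\Tcpip\..\{7D709B6E-BAD0-46EC-9037-D5769808C09D}: NameServer = 79.143.101.225 79.143.98.35
"""

EXEC_EXT = r"(?:exe|com|scr|bat|cmd|pif)"
DOUBLE_EXT = re.compile(rf"\.{EXEC_EXT}\.{EXEC_EXT}$", re.I)   # e.g. name.exe.exe
USER_DIRS = re.compile(r"\\(desktop|temp)\\", re.I)           # user-writable folders
O4_LINE = re.compile(r"^O4 - (HKLM|HKCU|HKUS)[^:]*: \[([^\]]*)\] (.*)$")
# Assumption: Windows-shipped executables that legitimately live in a per-user
# Run key on XP; extend this from the real environment before trusting it.
KNOWN_USER_RUN = {"ctfmon.exe"}


def command_target(cmd: str) -> str:
    """Return the executable path from a Run command line (quoted or bare)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    return cmd.split(" ")[0]


def flag_process(path: str) -> List[str]:
    """Reasons a line from the 'Running processes' section deserves a look."""
    reasons = []
    if DOUBLE_EXT.search(path):
        reasons.append("double executable extension")
    if USER_DIRS.search(path):
        reasons.append("runs from a user-writable profile folder")
    return reasons


def flag_entry(line: str) -> List[str]:
    """Reasons an R/F/O section line deserves a look."""
    reasons = []
    if "(no file)" in line or "(file missing)" in line:
        reasons.append("orphaned entry: target missing, safe to remove")
    m = O4_LINE.match(line)
    if m:
        hive, _name, cmd = m.groups()
        target = command_target(cmd)
        base = target.rsplit("\\", 1)[-1].lower()
        # Legitimate software registers under HKLM with a Program Files path;
        # a per-user Run key pointing into %windir% is the worm pattern here.
        if hive != "HKLM" and "\\windows\\" in target.lower() and base not in KNOWN_USER_RUN:
            reasons.append("per-user Run entry launching from the Windows directory; verify the file")
    if line.startswith("O17 - ") and "NameServer" in line:
        servers = line.split("NameServer = ", 1)[1]
        reasons.append(f"DNS servers set to {servers}; confirm they belong to the ISP")
    return reasons


def triage(log: str) -> Dict[str, List[str]]:
    """Map each suspicious line of a HijackThis log to the reasons it was flagged."""
    findings: Dict[str, List[str]] = {}
    in_procs = False
    for line in log.splitlines():
        if line.strip() == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            if not line.strip():          # blank line ends the process list
                in_procs = False
                continue
            reasons = flag_process(line)
        else:
            reasons = flag_entry(line)
        if reasons:
            findings[line] = reasons
    return findings


if __name__ == "__main__":
    for line, why in triage(SAMPLE_LOG).items():
        print(line)
        for reason in why:
            print("   ->", reason)
```

On the full log above this flags the same four autostart lines (the R3 and O3 orphans, the kamsoft entry that dr_Bora later removes with a CFScript, and the O17 resolvers, which only need checking against the ISP's published servers) plus the doubled-extension process on the Desktop; everything AVG, Apple and NVIDIA register under HKLM passes untouched.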

  • dr_Bora
  • Anti Malware Fighter, Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

Hello...

* Right-click the AVG icon in the bottom right corner of the screen.
* When the AVG Control Center starts, double-click the AVG Resident Shield component.
* In the window that opens, untick the Turn on AVG Resident Shield option and click OK.

Note: Don't forget to turn this option back on once the cleaning is finished.

Download ComboFix to the Desktop from one of the following addresses:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Run it and do not touch the program window while it scans.
Follow the on-screen instructions. When it finishes, a log (C:\ComboFix.txt) will appear; copy it here for us.

  • Joined: 21 Sep 2008
  • Posts: 8

ComboFix 08-11-10.01 - DENIS 2008-11-11 23:14:06.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.278 [GMT 1:00]
Running from: c:\documents and settings\DENIS\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2008-10-11 to 2008-11-11 )))))))))))))))))))))))))))))))
.

2008-11-11 19:26 . 2008-11-11 19:26 109,736 -r-hs---- C:\lky.exe
2008-11-11 14:44 . 2004-08-03 23:08 31,616 --a------ c:\windows\system32\drivers\usbccgp.sys
2008-11-11 14:44 . 2004-08-03 23:08 31,616 --a--c--- c:\windows\system32\dllcache\usbccgp.sys
2008-11-11 14:44 . 2004-08-03 23:01 25,856 --a------ c:\windows\system32\drivers\usbprint.sys
2008-11-11 14:44 . 2004-08-03 23:01 25,856 --a--c--- c:\windows\system32\dllcache\usbprint.sys
2008-11-11 00:00 . 2008-11-11 10:50 <DIR> dr-h----- C:\$VAULT$.AVG
2008-11-10 23:57 . 2008-11-11 11:08 <DIR> d-------- c:\documents and settings\DENIS\Application Data\U3
2008-11-10 23:57 . 2004-08-03 23:08 26,496 --a--c--- c:\windows\system32\dllcache\usbstor.sys
2008-11-10 23:26 . 2008-11-11 00:33 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-11-10 23:26 . 2008-11-11 10:19 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-10 23:12 . 2008-11-11 00:13 <DIR> d-------- c:\program files\Wise Registry Cleaner 3 Pro
2008-11-10 23:11 . 2001-08-17 22:36 8,704 --a------ c:\windows\system32\kbdjpn.dll
2008-11-10 23:11 . 2001-08-17 22:36 8,704 --a--c--- c:\windows\system32\dllcache\kbdjpn.dll
2008-11-10 23:11 . 2001-08-17 22:36 8,192 --a------ c:\windows\system32\kbdkor.dll
2008-11-10 23:11 . 2001-08-17 22:36 8,192 --a--c--- c:\windows\system32\dllcache\kbdkor.dll
2008-11-10 23:11 . 2001-08-17 14:55 6,144 --a------ c:\windows\system32\kbd106.dll
2008-11-10 23:11 . 2001-08-17 14:55 6,144 --a------ c:\windows\system32\kbd101c.dll
2008-11-10 23:11 . 2001-08-17 14:55 6,144 --a------ c:\windows\system32\kbd101b.dll
2008-11-10 23:11 . 2001-08-17 14:55 6,144 --a--c--- c:\windows\system32\dllcache\kbd106.dll
2008-11-10 23:11 . 2001-08-17 14:55 6,144 --a--c--- c:\windows\system32\dllcache\kbd101c.dll
2008-11-10 23:11 . 2001-08-17 14:55 6,144 --a--c--- c:\windows\system32\dllcache\kbd101b.dll
2008-11-10 23:11 . 2001-08-17 14:55 5,632 --a------ c:\windows\system32\kbd103.dll
2008-11-10 23:11 . 2001-08-17 14:55 5,632 --a--c--- c:\windows\system32\dllcache\kbd103.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-11 20:47 --------- d-----w c:\documents and settings\DENIS\Application Data\AVG7
2008-11-11 18:26 85,504 --sh--r c:\windows\system32\gasretyw1.dll
2008-11-11 18:26 109,736 --sh--r c:\windows\system32\kamsoft.exe
2008-11-11 18:25 85,504 ------w c:\windows\system32\gasretyw0.dll
2008-11-10 23:29 108,271 --sh--r C:\whi.com
2008-11-10 23:00 --------- d-----w c:\documents and settings\All Users\Application Data\avg7
2008-11-10 21:55 --------- d-----w c:\program files\Common Files\Adobe
2008-11-10 21:40 --------- d-----w c:\program files\Intel
2008-11-10 21:39 355,584 ----a-w c:\windows\system32\TuneUpDefragService.exe
2008-11-10 21:39 --------- d-----w c:\program files\TuneUp Utilities 2008
2008-11-10 21:39 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-11-10 21:39 --------- d-----w c:\documents and settings\DENIS\Application Data\TuneUp Software
2008-11-10 21:39 --------- d-----w c:\documents and settings\All Users\Application Data\TuneUp Software
2008-11-10 21:23 --------- d-----w c:\documents and settings\LocalService\Application Data\AVG7
2008-11-10 21:21 499,712 ----a-w c:\windows\system32\msvcp71.dll
2008-11-10 21:21 348,160 ----a-w c:\windows\system32\msvcr71.dll
2008-11-10 21:21 110,592 ----a-w c:\windows\system32\avgfwafu.dll
2008-11-10 21:21 --------- d-----w c:\documents and settings\All Users\Application Data\Grisoft
2008-11-10 21:09 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-10 21:09 --------- d-----w c:\program files\Realtek
2008-11-10 21:08 --------- d-----w c:\documents and settings\All Users\Application Data\nView_Profiles
2008-11-10 21:03 --------- d-----w c:\program files\Common Files\InstallShield
2008-11-10 20:51 --------- d-----w c:\program files\microsoft frontpage
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-08-04 1667584]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="c:\progra~1\Grisoft\AVG7\avgcc.exe" [2008-11-10 590848]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-02-13 7557120]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]
"AVG7_Run"="c:\progra~1\Grisoft\AVG7\avgw.exe" [2008-11-10 219136]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"kamsoft"=c:\windows\system32\kamsoft.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Alcmtr"=ALCMTR.EXE
"RTHDCPL"=RTHDCPL.EXE
"nwiz"=nwiz.exe /install
"NvCplDaemon"=RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
"NvMediaCenter"=RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=

R2 UxTuneUp;TuneUp Theme Extension;c:\windows\System32\svchost.exe [2004-08-04 14336]
S3 TuneUp.Defrag;TuneUp Drive Defrag Service;c:\windows\System32\TuneUpDefragService.exe [2008-11-10 355584]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - G:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2008-11-11 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2008\OneClickStarter.exe [2008-06-20 09:09]
.
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.google.com/
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, gmer.net
Rootkit scan 2008-11-11 23:14:53
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-11-11 23:15:21
ComboFix-quarantined-files.txt 2008-11-11 22:15:19

Pre-Run: 49.490.903.040 bytes free
Post-Run: 49,500,868,608 bytes free

120

Update: 11 Nov 2008 23:21

One more question: how do I set it up so that my flash drive doesn't start on its own, since I have the impression that I pick up some viruses from it?

Update: 11 Nov 2008 23:26

Here it is once more... with the flash drive plugged in... I think it is infected as well.

Update: 11 Nov 2008 23:27

ComboFix 08-11-10.01 - DENIS 2008-11-11 23:21:46.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.253 [GMT 1:00]
Running from: c:\documents and settings\DENIS\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

H:\autorun.inf
H:\nq0cq.cmd

.
((((((((((((((((((((((((( Files Created from 2008-10-11 to 2008-11-11 )))))))))))))))))))))))))))))))
.

2008-11-11 19:26 . 2008-11-11 19:26 109,736 -r-hs---- C:\lky.exe
2008-11-11 14:44 . 2004-08-03 23:08 31,616 --a------ c:\windows\system32\drivers\usbccgp.sys
2008-11-11 14:44 . 2004-08-03 23:08 31,616 --a--c--- c:\windows\system32\dllcache\usbccgp.sys
2008-11-11 14:44 . 2004-08-03 23:01 25,856 --a------ c:\windows\system32\drivers\usbprint.sys
2008-11-11 14:44 . 2004-08-03 23:01 25,856 --a--c--- c:\windows\system32\dllcache\usbprint.sys
2008-11-11 00:00 . 2008-11-11 10:50 <DIR> dr-h----- C:\$VAULT$.AVG
2008-11-10 23:57 . 2008-11-11 11:08 <DIR> d-------- c:\documents and settings\DENIS\Application Data\U3
2008-11-10 23:57 . 2004-08-03 23:08 26,496 --a--c--- c:\windows\system32\dllcache\usbstor.sys
2008-11-10 23:26 . 2008-11-11 00:33 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-11-10 23:26 . 2008-11-11 10:19 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-10 23:12 . 2008-11-11 00:13 <DIR> d-------- c:\program files\Wise Registry Cleaner 3 Pro
2008-11-10 23:11 . 2001-08-17 22:36 8,704 --a------ c:\windows\system32\kbdjpn.dll
2008-11-10 23:11 . 2001-08-17 22:36 8,704 --a--c--- c:\windows\system32\dllcache\kbdjpn.dll
2008-11-10 23:11 . 2001-08-17 22:36 8,192 --a------ c:\windows\system32\kbdkor.dll
2008-11-10 23:11 . 2001-08-17 22:36 8,192 --a--c--- c:\windows\system32\dllcache\kbdkor.dll
2008-11-10 23:11 . 2001-08-17 14:55 6,144 --a------ c:\windows\system32\kbd106.dll
2008-11-10 23:11 . 2001-08-17 14:55 6,144 --a------ c:\windows\system32\kbd101c.dll
2008-11-10 23:11 . 2001-08-17 14:55 6,144 --a------ c:\windows\system32\kbd101b.dll
2008-11-10 23:11 . 2001-08-17 14:55 6,144 --a--c--- c:\windows\system32\dllcache\kbd106.dll
2008-11-10 23:11 . 2001-08-17 14:55 6,144 --a--c--- c:\windows\system32\dllcache\kbd101c.dll
2008-11-10 23:11 . 2001-08-17 14:55 6,144 --a--c--- c:\windows\system32\dllcache\kbd101b.dll
2008-11-10 23:11 . 2001-08-17 14:55 5,632 --a------ c:\windows\system32\kbd103.dll
2008-11-10 23:11 . 2001-08-17 14:55 5,632 --a--c--- c:\windows\system32\dllcache\kbd103.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-11 20:47 --------- d-----w c:\documents and settings\DENIS\Application Data\AVG7
2008-11-11 18:26 85,504 --sh--r c:\windows\system32\gasretyw1.dll
2008-11-11 18:26 109,736 --sh--r c:\windows\system32\kamsoft.exe
2008-11-11 18:25 85,504 ------w c:\windows\system32\gasretyw0.dll
2008-11-10 23:29 108,271 --sh--r C:\whi.com
2008-11-10 23:00 --------- d-----w c:\documents and settings\All Users\Application Data\avg7
2008-11-10 21:55 --------- d-----w c:\program files\Common Files\Adobe
2008-11-10 21:40 --------- d-----w c:\program files\Intel
2008-11-10 21:39 355,584 ----a-w c:\windows\system32\TuneUpDefragService.exe
2008-11-10 21:39 --------- d-----w c:\program files\TuneUp Utilities 2008
2008-11-10 21:39 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-11-10 21:39 --------- d-----w c:\documents and settings\DENIS\Application Data\TuneUp Software
2008-11-10 21:39 --------- d-----w c:\documents and settings\All Users\Application Data\TuneUp Software
2008-11-10 21:23 --------- d-----w c:\documents and settings\LocalService\Application Data\AVG7
2008-11-10 21:21 499,712 ----a-w c:\windows\system32\msvcp71.dll
2008-11-10 21:21 348,160 ----a-w c:\windows\system32\msvcr71.dll
2008-11-10 21:21 110,592 ----a-w c:\windows\system32\avgfwafu.dll
2008-11-10 21:21 --------- d-----w c:\documents and settings\All Users\Application Data\Grisoft
2008-11-10 21:09 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-10 21:09 --------- d-----w c:\program files\Realtek
2008-11-10 21:08 --------- d-----w c:\documents and settings\All Users\Application Data\nView_Profiles
2008-11-10 21:03 --------- d-----w c:\program files\Common Files\InstallShield
2008-11-10 20:51 --------- d-----w c:\program files\microsoft frontpage
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-08-04 1667584]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="c:\progra~1\Grisoft\AVG7\avgcc.exe" [2008-11-10 590848]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-02-13 7557120]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]
"AVG7_Run"="c:\progra~1\Grisoft\AVG7\avgw.exe" [2008-11-10 219136]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"kamsoft"=c:\windows\system32\kamsoft.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Alcmtr"=ALCMTR.EXE
"RTHDCPL"=RTHDCPL.EXE
"nwiz"=nwiz.exe /install
"NvCplDaemon"=RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
"NvMediaCenter"=RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=

R2 UxTuneUp;TuneUp Theme Extension;c:\windows\System32\svchost.exe [2004-08-04 14336]
S3 TuneUp.Defrag;TuneUp Drive Defrag Service;c:\windows\System32\TuneUpDefragService.exe [2008-11-10 355584]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - G:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2008-11-11 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2008\OneClickStarter.exe [2008-06-20 09:09]
.
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.google.com/
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, gmer.net
Rootkit scan 2008-11-11 23:22:32
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-11-11 23:22:59
ComboFix-quarantined-files.txt 2008-11-11 22:22:58
ComboFix2.txt 2008-11-11 22:15:22

Pre-Run: 49.506.025.472 bytes free
Post-Run: 49,497,763,840 bytes free

126
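The two ComboFix runs above, and the question about the flash drive, as an added example that is not from the thread and not ComboFix's own code. It parses the file-listing lines of a ComboFix log and pulls out executables carrying the hidden+system attributes that C:\lky.exe, C:\whi.com and kamsoft.exe show (the attribute column ComboFix prints as -r-hs---- or --sh--r), reads an autorun.inf the way Explorer would and lists every command it would hand to the shell, and renders the registry fragment that turns AutoRun off for every drive type. The ComboFix excerpt is constructed from the lines above; the autorun.inf is constructed too, since the thread only shows that H:\autorun.inf and H:\nq0cq.cmd were deleted, not their contents; the NoDriveTypeAutoRun value is the standard Explorer policy setting, not something this thread itself states.

```python
"""Pull autorun-worm indicators out of a ComboFix log and an autorun.inf.

Added example for this thread, not ComboFix's own code. It relies only on the
column layout visible in the logs above (modification date, optional creation
date, size or <DIR>, attribute string, path); the attributes it keys on are the
ones ComboFix printed for lky.exe, whi.com and kamsoft.exe.
"""
import re
from typing import Dict, List

# Constructed excerpt of the "Files Created" and "Find3M" sections posted above.
SAMPLE_COMBOFIX = r"""
2008-11-11 19:26 . 2008-11-11 19:26 109,736 -r-hs---- C:\lky.exe
2008-11-11 14:44 . 2004-08-03 23:08 31,616 --a------ c:\windows\system32\drivers\usbccgp.sys
2008-11-11 00:00 . 2008-11-11 10:50 <DIR> dr-h----- C:\$VAULT$.AVG
2008-11-11 18:26 85,504 --sh--r c:\windows\system32\gasretyw1.dll
2008-11-11 18:26 109,736 --sh--r c:\windows\system32\kamsoft.exe
2008-11-11 18:25 85,504 ------w c:\windows\system32\gasretyw0.dll
2008-11-10 23:29 108,271 --sh--r C:\whi.com
2008-11-10 21:39 355,584 ----a-w c:\windows\system32\TuneUpDefragService.exe
"""

# Constructed autorun.inf of the kind ComboFix deleted from H:\ above. The thread
# shows only the two file names (autorun.inf, nq0cq.cmd); the keys are assumptions.
SAMPLE_AUTORUN_INF = """
[autorun]
open=nq0cq.cmd
shell\\open\\Command=nq0cq.cmd
shell\\explore\\Command=nq0cq.cmd
icon=%SystemRoot%\\system32\\shell32.dll,4
"""

FILE_LINE = re.compile(
    r"^(?P<mtime>\d{4}-\d{2}-\d{2} \d{2}:\d{2})"
    r"(?: \. (?P<ctime>\d{4}-\d{2}-\d{2} \d{2}:\d{2}))?"   # only in "Files Created"
    r" (?P<size>[\d,]+|<DIR>|-+)"
    r" (?P<attrs>[-a-z]+)"
    r" (?P<path>.+)$"
)
EXEC_EXT = re.compile(r"\.(exe|com|dll|scr|cmd|bat|pif|sys)$", re.I)


def parse_file_lines(log: str) -> List[Dict[str, str]]:
    """Parse the file-listing lines of a ComboFix log into dicts."""
    return [m.groupdict() for m in (FILE_LINE.match(l.strip()) for l in log.splitlines()) if m]


def is_worm_dropper(entry: Dict[str, str]) -> bool:
    """Hidden + system attributes on an executable that is not a directory.

    Installers almost never mark their own binaries hidden+system; autorun
    worms do, so the file stays invisible in Explorer's default view.
    """
    attrs = entry["attrs"]
    if attrs.startswith("d") or entry["size"] == "<DIR>":
        return False
    if not ("h" in attrs and "s" in attrs):
        return False
    return bool(EXEC_EXT.search(entry["path"]))


def suspicious_paths(log: str) -> List[str]:
    """Paths in the log that match the hidden+system executable pattern."""
    return [e["path"] for e in parse_file_lines(log) if is_worm_dropper(e)]


def autorun_targets(inf: str) -> List[str]:
    """Every command an autorun.inf would hand to the shell.

    Keys are matched case-insensitively; both the plain open/shellexecute keys
    and the shell\\<verb>\\command keys Explorer honours are collected.
    """
    targets, section = [], None
    for raw in inf.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, value = (p.strip() for p in line.split("=", 1))
        k = key.lower()
        if k in ("open", "shellexecute") or (k.startswith("shell\\") and k.endswith("\\command")):
            targets.append(value)
    return targets


def disable_autorun_reg() -> str:
    """Registry fragment that stops Explorer from honouring autorun.inf on any
    drive type (0xFF sets every bit of NoDriveTypeAutoRun). Assumption: this is
    the standard Explorer policy value, not something the thread recommends."""
    return (
        "Windows Registry Editor Version 5.00\n\n"
        "[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer]\n"
        '"NoDriveTypeAutoRun"=dword:000000ff\n'
    )


if __name__ == "__main__":
    print("hidden+system executables:", suspicious_paths(SAMPLE_COMBOFIX))
    print("autorun.inf would launch:", autorun_targets(SAMPLE_AUTORUN_INF))
    print(disable_autorun_reg())
```

Note what the attribute heuristic misses: gasretyw0.dll carries ordinary attributes and is only caught by pairing its name with the hidden gasretyw1.dll, which is why dr_Bora's CFScript lists both; treat the list as a starting point for the helper, not the verdict. The .reg fragment answers the flash-drive question at the policy level only; it removes nothing already on the drive and nothing cached under the mountpoints2 key that ComboFix listed for G: above.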

  • dr_Bora
  • Anti Malware Fighter, Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

Open Notepad and copy in the following text:

File::
C:\lky.exe
c:\windows\system32\gasretyw1.dll
c:\windows\system32\kamsoft.exe
c:\windows\system32\gasretyw0.dll
C:\whi.com

Registry::
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"kamsoft"=-


Save the file from Notepad to the Desktop as "CFScript"

Drag the saved script/text onto the ComboFix icon as shown in the picture.
Post in your next message the log that is produced at the end of the cleaning/scan.

  • Joined: 21 Sep 2008
  • Posts: 8

ComboFix 08-11-10.01 - Administrator 2008-11-12 16:27:34.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.270 [GMT 1:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\lky.exe
C:\whi.com
c:\windows\system32\gasretyw0.dll
c:\windows\system32\gasretyw1.dll
c:\windows\system32\kamsoft.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\whi.com
c:\windows\system32\gasretyw0.dll
c:\windows\system32\kamsoft.exe

.
((((((((((((((((((((((((( Files Created from 2008-10-12 to 2008-11-12 )))))))))))))))))))))))))))))))
.

2008-11-12 16:17 . 2008-11-12 16:17 <DIR> d-------- c:\program files\Opera
2008-11-12 16:10 . 2008-11-12 16:10 <DIR> d-------- c:\documents and settings\Administrator\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2008-11-12 12:15 . 2008-11-12 12:15 <DIR> d--hs---- c:\windows\system32\dllcache
2008-11-11 11:52 . 2008-11-12 12:08 <DIR> dr-h----- C:\$VAULT$.AVG
2008-11-08 12:52 . 2008-11-08 13:22 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Apple Computer
2008-11-08 12:52 . 2008-04-17 13:12 107,368 --a------ c:\windows\system32\GEARAspi.dll
2008-11-08 12:52 . 2008-04-17 13:12 15,464 --a------ c:\windows\system32\drivers\GEARAspiWDM.sys
2008-11-08 12:51 . 2008-11-08 12:52 <DIR> d-------- c:\program files\iTunes
2008-11-08 12:51 . 2008-11-08 12:51 <DIR> d-------- c:\program files\iPod
2008-11-08 12:51 . 2008-11-08 12:51 <DIR> d-------- c:\program files\Bonjour
2008-11-08 12:51 . 2008-11-08 12:52 <DIR> d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-11-08 12:50 . 2008-11-08 12:51 <DIR> d-------- c:\program files\QuickTime
2008-11-08 12:50 . 2008-11-08 12:50 <DIR> d-------- c:\program files\Apple Software Update
2008-11-08 12:50 . 2008-11-08 12:51 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple Computer
2008-11-08 12:50 . 2008-11-08 12:50 108,973 -r-hs---- C:\sq.com
2008-11-08 12:50 . 2008-10-01 13:01 32,000 --a------ c:\windows\system32\drivers\usbaapl.sys
2008-11-08 12:49 . 2008-11-08 12:50 <DIR> d-------- c:\program files\Common Files\Apple
2008-11-08 12:49 . 2008-11-08 12:49 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple
2008-11-08 11:34 . 2008-11-08 11:34 <DIR> d-------- c:\program files\Microsoft Silverlight
2008-11-08 11:21 . 2008-11-08 11:21 <DIR> d-------- c:\program files\MSECache
2008-11-07 17:16 . 2008-11-07 17:16 355,584 --a------ c:\windows\system32\TuneUpDefragService.exe
2008-11-07 17:16 . 2008-05-29 09:28 28,416 --a------ c:\windows\system32\uxtuneup.dll
2008-11-07 17:15 . 2008-11-07 17:15 <DIR> d-------- c:\program files\TuneUp Utilities 2008
2008-11-07 17:15 . 2008-11-07 17:15 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-11-07 16:57 . 2008-11-07 16:57 <DIR> d-------- c:\documents and settings\Administrator\Application Data\TuneUp Software
2008-11-07 16:55 . 2008-11-07 16:56 <DIR> d-------- c:\program files\Diagnose Windows
2008-11-07 16:55 . 2008-11-07 16:55 255 --a------ c:\windows\system32\diag.lic
2008-11-07 16:54 . 2008-11-07 17:15 <DIR> d-------- c:\documents and settings\All Users\Application Data\TuneUp Software
2008-11-07 16:53 . 2008-11-07 16:53 <DIR> d-------- c:\documents and settings\Administrator\Application Data\ACD Systems
2008-11-07 16:52 . 2008-11-07 16:52 <DIR> d-------- c:\program files\Common Files\ACD Systems
2008-11-07 16:52 . 2008-11-07 16:52 <DIR> d-------- c:\program files\ACD Systems
2008-11-07 16:52 . 2008-11-07 16:52 <DIR> d-------- c:\documents and settings\All Users\Application Data\ACD Systems
2008-11-07 16:52 . 2008-11-07 16:52 10,368 --a------ c:\windows\system32\drivers\pfc.sys
2008-11-07 16:50 . 2008-11-07 16:50 <DIR> d-------- c:\windows\Downloaded Installations
2008-11-07 16:11 . 2008-11-07 16:11 <DIR> d-------- c:\program files\Common Files\Adobe AIR
2008-11-07 16:10 . 2008-11-07 16:11 <DIR> d-------- c:\program files\Common Files\Adobe
2008-11-07 15:56 . 2008-11-07 15:56 <DIR> d-------- c:\program files\NOS
2008-11-07 15:56 . 2008-11-07 16:44 <DIR> d-------- c:\documents and settings\All Users\Application Data\NOS
2008-11-07 13:26 . 2004-08-04 00:56 159,232 --a------ c:\windows\system32\ptpusd.dll
2008-11-07 13:26 . 2004-08-03 22:58 15,104 --a------ c:\windows\system32\drivers\usbscan.sys
2008-11-07 13:26 . 2001-08-17 22:36 5,632 --a------ c:\windows\system32\ptpusb.dll
2008-11-04 16:07 . 2004-08-04 00:56 21,504 --a------ c:\windows\system32\hidserv.dll
2008-11-04 16:06 . 2004-08-03 22:58 14,848 --a------ c:\windows\system32\drivers\kbdhid.sys
2008-11-03 16:48 . 2008-11-03 16:50 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Duplicate File Hunter
2008-11-03 10:45 . 2008-11-12 16:06 <DIR> d-------- c:\documents and settings\Administrator\Application Data\skypePM
2008-11-03 10:45 . 2008-11-03 10:45 56 --ah----- c:\windows\system32\ezsidmv.dat
2008-11-03 10:44 . 2008-11-03 10:44 <DIR> d-------- c:\program files\Skype
2008-11-03 10:44 . 2008-11-03 10:44 <DIR> d-------- c:\program files\Common Files\Skype
2008-11-03 10:44 . 2008-11-12 16:17 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Skype
2008-11-03 10:43 . 2008-11-03 10:44 <DIR> d-------- c:\documents and settings\All Users\Application Data\Skype
2008-11-03 10:00 . 2008-11-03 10:00 <DIR> d-------- c:\documents and settings\LocalService\Application Data\AVG7
2008-11-03 10:00 . 2008-11-03 10:00 <DIR> d-------- c:\documents and settings\All Users\Application Data\Grisoft
2008-11-03 10:00 . 2008-11-11 11:51 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg7
2008-11-03 10:00 . 2008-11-12 13:16 <DIR> d-------- c:\documents and settings\Administrator\Application Data\AVG7
2008-10-30 17:08 . 2008-10-30 17:11 <DIR> d-------- c:\documents and settings\Administrator\Phone Browser
2008-10-30 17:08 . 2008-10-30 17:11 <DIR> d-------- c:\documents and settings\Administrator\Application Data\DataLayer
2008-10-30 17:07 . 2008-10-30 17:07 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Nokia
2008-10-30 17:07 . 2004-08-03 23:10 38,016 --a------ c:\windows\system32\drivers\bthmodem.sys
2008-10-30 17:06 . 2008-10-30 17:06 <DIR> d-------- c:\program files\DIFX
2008-10-30 17:05 . 2008-11-08 12:52 <DIR> d----c--- c:\windows\system32\DRVSTORE
2008-10-30 17:05 . 2008-10-30 17:05 <DIR> d-------- c:\program files\Nokia
2008-10-30 17:05 . 2008-10-30 17:05 <DIR> d-------- c:\program files\Common Files\PCSuite
2008-10-30 17:05 . 2008-10-30 17:06 <DIR> d-------- c:\program files\Common Files\Nokia
2008-10-30 17:05 . 2008-10-30 17:06 <DIR> d-------- c:\documents and settings\All Users\Application Data\PC Suite
2008-10-30 17:05 . 2008-10-30 17:05 <DIR> d-------- c:\documents and settings\Administrator\Application Data\PC Suite
2008-10-30 17:05 . 2006-05-29 08:26 50,688 --a------ c:\windows\system32\nmwcdcls.dll
2008-10-30 17:04 . 2008-10-30 17:04 <DIR> d-------- c:\documents and settings\All Users\Application Data\Downloaded Installations
2008-10-30 17:00 . 2004-08-03 22:58 100,992 --a------ c:\windows\system32\drivers\bthpan.sys
2008-10-30 16:59 . 2004-08-03 23:10 274,304 --a------ c:\windows\system32\drivers\bthport.sys
2008-10-30 16:59 . 2004-08-03 23:10 59,648 --a------ c:\windows\system32\drivers\rfcomm.sys
2008-10-30 16:59 . 2004-08-03 23:10 18,944 --a------ c:\windows\system32\drivers\BTHUSB.SYS
2008-10-30 16:59 . 2004-08-03 23:10 17,024 --a------ c:\windows\system32\drivers\BthEnum.sys
2008-10-29 14:12 . 2008-10-29 14:12 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Corel
2008-10-29 14:10 . 2008-10-29 14:10 <DIR> d-------- c:\windows\Corel
2008-10-29 14:08 . 2008-10-29 14:08 <DIR> d-------- c:\program files\Common Files\Corel
2008-10-29 14:06 . 2008-10-29 14:06 <DIR> d-------- c:\program files\Corel
2008-10-29 12:55 . 2008-10-29 12:55 672,077 --a------ c:\windows\system32\em010_32.dat
2008-10-29 12:55 . 2008-10-29 12:55 158,036 --a------ c:\windows\system32\em008_32.dat
2008-10-29 12:47 . 2008-10-29 12:47 376 --a------ c:\windows\ODBC.INI
2008-10-29 12:46 . 2003-06-18 17:31 17,920 --a------ c:\windows\system32\mdimon.dll
2008-10-29 12:45 . 2008-10-29 12:45 <DIR> d-------- c:\program files\Microsoft.NET
2008-10-29 12:45 . 2008-10-29 12:45 <DIR> d-------- c:\program files\Microsoft ActiveSync
2008-10-29 12:44 . 2008-10-29 12:45 <DIR> d-------- c:\windows\SHELLNEW
2008-10-29 11:25 . 2008-10-29 11:26 <DIR> d-------- c:\program files\weblin
2008-10-29 11:23 . 2008-10-29 11:26 <DIR> d-------- c:\documents and settings\Administrator\Application Data\zweitgeist
2008-10-29 11:14 . 2008-10-29 14:52 13,257,349 --a------ c:\windows\system32\em002_32.dat
2008-10-29 11:14 . 2008-10-29 11:20 437,148 --a------ c:\windows\system32\em004_32.dat
2008-10-29 11:14 . 2008-10-29 11:19 323,764 --a------ c:\windows\system32\em001_32.dat
2008-10-29 11:14 . 2008-10-29 11:20 220,329 --a------ c:\windows\system32\em003_32.dat
2008-10-29 11:14 . 2008-10-29 11:19 49,503 --a------ c:\windows\system32\em000_32.dat
2008-10-29 11:14 . 2008-10-29 11:20 43,291 --a------ c:\windows\system32\em005_32.dat
2008-10-29 11:14 . 2008-10-29 11:20 10,393 --a------ c:\windows\system32\em006_32.dat
2008-10-29 11:14 . 2008-10-29 17:16 4,321 --a------ C:\CACHE.NDB
2008-10-29 11:12 . 2008-11-03 09:30 195 --a------ c:\windows\system32\mod_comp.dat
2008-10-29 11:01 . 2008-10-29 11:01 <DIR> d-------- c:\program files\ESET
2008-10-29 10:35 . 2008-11-07 17:01 <DIR> d-------- c:\program files\Yahoo!
2008-10-29 10:34 . 2008-10-29 10:35 <DIR> d-------- c:\program files\CCleaner
2008-10-29 10:30 . 2008-10-29 10:30 0 --a------ c:\windows\nsreg.dat
2008-10-29 10:24 . 2008-10-29 10:24 <DIR> d-------- c:\program files\Recnik20
2008-10-29 10:21 . 2001-08-17 22:36 8,704 --a------ c:\windows\system32\kbdjpn.dll
2008-10-29 10:21 . 2001-08-17 22:36 8,192 --a------ c:\windows\system32\kbdkor.dll
2008-10-29 10:21 . 2001-08-17 14:55 6,144 --a------ c:\windows\system32\kbd106.dll
2008-10-29 10:21 . 2001-08-17 14:55 6,144 --a------ c:\windows\system32\kbd101c.dll
2008-10-29 10:21 . 2001-08-17 14:55 6,144 --a------ c:\windows\system32\kbd101b.dll
2008-10-29 10:21 . 2001-08-17 14:55 5,632 --a------ c:\windows\system32\kbd103.dll
2008-10-29 10:17 . 2008-11-08 11:00 <DIR> d-------- c:\program files\HSDPA USB MODEM
2008-10-29 10:17 . 2007-11-01 15:35 103,424 --a------ c:\windows\system32\MyDIT_GenClassCoInst.dll
2008-10-29 10:17 . 2007-10-16 11:40 97,408 --a------ c:\windows\system32\drivers\cmusbser.sys
2008-10-29 10:17 . 2004-08-03 23:08 31,616 --a------ c:\windows\system32\drivers\usbccgp.sys
2008-10-29 10:14 . 2008-11-03 09:30 <DIR> d-------- c:\windows\system32\updfiles
2008-10-29 10:13 . 2008-11-03 09:28 87 --a------ c:\windows\system32\EpfwUser.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-08 11:52 --------- d-----w c:\documents and settings\Administrator\Application Data\U3
2008-10-29 13:10 --------- d--h--w c:\program files\InstallShield Installation Information
2008-10-29 13:04 --------- d-----w c:\program files\Common Files\InstallShield
2008-10-28 20:12 --------- d-----w c:\documents and settings\All Users\Application Data\WinZip
2008-10-28 20:02 --------- d-----w c:\program files\Hewlett-Packard
2008-10-28 20:01 45,056 ----a-w c:\windows\NCUNINST.EXE
2008-10-28 19:58 6,656 ----a-w c:\windows\system32\haspvdd.dll
2008-10-28 19:58 47,616 ----a-w c:\windows\system32\drivers\Haspnt.sys
2008-10-28 19:58 453,632 ----a-w c:\windows\system32\drivers\hardlock.sys
2008-10-28 19:58 18,944 ----a-w c:\windows\system32\drivers\aksusb.sys
2008-10-28 19:48 --------- d-----w c:\program files\Common Files\SWF Studio
2008-10-28 19:46 --------- d-----w c:\program files\Realtek Sound Manager
2008-10-28 19:46 --------- d-----w c:\program files\AvRack
2008-08-29 09:18 87,336 ----a-w c:\windows\system32\dns-sd.exe
2008-08-29 08:53 61,440 ----a-w c:\windows\system32\dnssd.dll
.

((((((((((((((((((((((((((((( snapshot@2008-11-12_12.11.50.92 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-11-12 11:13:10 253,952 ----a-w c:\windows\system32\config\systemprofile\ntuser.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-09-23 21755688]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="c:\progra~1\Grisoft\AVG7\avgcc.exe" [2008-11-04 590848]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2003-11-06 4730880]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="c:\progra~1\Grisoft\AVG7\avgw.exe" [2008-11-03 219136]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.ACDV"= ACDV.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=c:\windows\pss\WinZip Quick Pick.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
--a------ 2006-06-15 12:36 229376 c:\progra~1\Nokia\NOKIAP~1\LAUNCH~1.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PcSync]
--a------ 2006-06-27 16:21 1449984 c:\program files\Nokia\Nokia PC Suite 6\PcSync2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StatusClient]
--a------ 2002-12-16 16:51 36864 c:\program files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TomcatStartup]
--a------ 2003-03-31 19:28 155648 c:\program files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"BluetoothAuthenticationAgent"=rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
"<NO NAME>"=
"nwiz"=nwiz.exe /install

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 eusk2par;EUTRON SmartKey Parallel Driver;c:\windows\system32\Drivers\eusk2par.sys [2004-11-18 24786]
R2 UxTuneUp;TuneUp Theme Extension;c:\windows\System32\svchost.exe [2004-08-04 14336]
R3 qcusbser;Mobile Connector USB Device for Legacy Serial Communication;c:\windows\system32\DRIVERS\cmusbser.sys [2007-10-16 97408]
S3 eusk3usb;SmartKey 3 USB;c:\windows\system32\Drivers\eusk3usb.sys [2004-11-18 45534]
S3 TuneUp.Defrag;TuneUp Drive Defrag Service;c:\windows\System32\TuneUpDefragService.exe [2008-11-07 355584]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2008-11-12 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2008\OneClickStarter.exe [2008-06-20 09:09]

2008-11-08 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, gmer.net
Rootkit scan 2008-11-12 16:28:48
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-11-12 16:29:14
ComboFix-quarantined-files.txt 2008-11-12 15:29:11
ComboFix2.txt 2008-11-12 15:14:47
ComboFix3.txt 2008-11-12 11:12:10

Pre-Run: 27,882,688,512 bytes free
Post-Run: 27,873,615,872 bytes free

  • dr_Bora  Male
  • Anti Malware Fighter
    Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

You need to use the same user account the whole time we are doing this (the first time it was DENIS, and now it is Administrator).

Open Notepad and copy the following text into it:

File::
C:\sq.com

Save the file from Notepad to the Desktop as "CFScript"

Drag the saved script/text file onto the ComboFix icon as shown in the picture.
In your next message, post the log that is produced at the end of the cleaning/scan.

  • Joined: 21 Sep 2008
  • Posts: 8

ComboFix 08-11-11.01 - DENIS 2008-11-12 23:54:54.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.248 [GMT 1:00]
Running from: c:\documents and settings\DENIS\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\DENIS\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\sq.com
.

((((((((((((((((((((((((( Files Created from 2008-10-12 to 2008-11-12 )))))))))))))))))))))))))))))))
.

2008-11-12 01:08 . 2008-04-14 05:42 159,232 --a------ c:\windows\system32\ptpusd.dll
2008-11-12 01:08 . 2008-04-14 00:15 15,104 --a------ c:\windows\system32\drivers\usbscan.sys
2008-11-12 01:08 . 2008-04-14 00:15 15,104 --a--c--- c:\windows\system32\dllcache\usbscan.sys
2008-11-12 01:08 . 2001-08-17 22:36 5,632 --a------ c:\windows\system32\ptpusb.dll
2008-11-12 00:50 . 2008-11-12 00:50 <DIR> d-------- c:\windows\ServicePackFiles
2008-11-12 00:50 . 2008-04-14 05:42 294,912 -----c--- c:\windows\system32\dllcache\dlimport.exe
2008-11-12 00:47 . 2006-12-29 00:31 19,569 --a------ c:\windows\002888_.tmp
2008-11-12 00:11 . 2008-11-12 00:11 <DIR> d-------- c:\documents and settings\DENIS\Application Data\ACD Systems
2008-11-12 00:09 . 2008-11-12 01:50 <DIR> d-------- c:\documents and settings\DENIS\Application Data\Apple Computer
2008-11-12 00:08 . 2008-11-12 00:08 <DIR> d-------- c:\program files\iTunes
2008-11-12 00:08 . 2008-11-12 00:08 <DIR> d-------- c:\program files\iPod
2008-11-12 00:08 . 2008-11-12 00:08 <DIR> d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-11-12 00:08 . 2008-04-17 13:12 107,368 --a------ c:\windows\system32\GEARAspi.dll
2008-11-12 00:08 . 2008-04-17 13:12 15,464 --a------ c:\windows\system32\drivers\GEARAspiWDM.sys
2008-11-12 00:07 . 2008-11-12 00:07 <DIR> d-------- c:\program files\QuickTime
2008-11-12 00:07 . 2008-11-12 00:07 <DIR> d-------- c:\program files\Bonjour
2008-11-12 00:07 . 2008-11-12 00:08 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple Computer
2008-11-12 00:06 . 2008-11-12 00:08 <DIR> d----c--- c:\windows\system32\DRVSTORE
2008-11-12 00:06 . 2008-11-12 00:06 <DIR> d-------- c:\program files\Apple Software Update
2008-11-12 00:06 . 2008-10-01 13:01 32,000 --a------ c:\windows\system32\drivers\usbaapl.sys
2008-11-12 00:05 . 2008-11-12 00:05 <DIR> d-------- c:\program files\Common Files\Apple
2008-11-12 00:05 . 2008-11-12 00:05 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple
2008-11-12 00:03 . 2008-11-12 23:45 <DIR> d-------- c:\documents and settings\DENIS\Application Data\skypePM
2008-11-12 00:03 . 2008-11-12 00:03 56 --ah----- c:\windows\system32\ezsidmv.dat
2008-11-12 00:02 . 2008-11-12 00:02 <DIR> d-------- c:\program files\Skype
2008-11-12 00:02 . 2008-11-12 00:02 <DIR> d-------- c:\program files\Common Files\Skype
2008-11-12 00:02 . 2008-11-12 23:53 <DIR> d-------- c:\documents and settings\DENIS\Application Data\Skype
2008-11-12 00:02 . 2008-11-12 00:02 <DIR> d-------- c:\documents and settings\All Users\Application Data\Skype
2008-11-11 23:49 . 2008-04-14 00:16 85,248 --a------ c:\windows\system32\drivers\nabtsfec.sys
2008-11-11 23:49 . 2008-04-14 00:16 19,200 --a------ c:\windows\system32\drivers\wstcodec.sys
2008-11-11 23:49 . 2008-04-14 05:42 16,384 --a------ c:\windows\system32\ipsink.ax
2008-11-11 23:49 . 2008-04-14 00:16 15,232 --a------ c:\windows\system32\drivers\streamip.sys
2008-11-11 23:49 . 2008-04-14 00:16 11,136 --a------ c:\windows\system32\drivers\slip.sys
2008-11-11 23:49 . 2008-04-14 00:16 10,880 --a------ c:\windows\system32\drivers\ndisip.sys
2008-11-11 23:49 . 2008-04-14 00:09 5,504 --a------ c:\windows\system32\drivers\mstee.sys
2008-11-11 23:48 . 2008-11-11 23:48 <DIR> d-------- c:\windows\PixArt
2008-11-11 23:48 . 2008-11-11 23:48 <DIR> d-------- c:\program files\Common Files\PAC207
2008-11-11 23:48 . 2008-04-14 05:42 91,136 --a------ c:\windows\system32\kswdmcap.ax
2008-11-11 23:48 . 2008-04-14 05:42 61,952 --a------ c:\windows\system32\kstvtune.ax
2008-11-11 23:48 . 2008-04-14 05:42 53,760 --a------ c:\windows\system32\vfwwdm32.dll
2008-11-11 23:48 . 2006-11-03 10:59 48,128 --a------ c:\windows\system32\Remove.exe
2008-11-11 23:48 . 2008-04-14 05:42 43,008 --a------ c:\windows\system32\ksxbar.ax
2008-11-11 23:48 . 2008-04-14 05:42 28,672 --a------ c:\windows\system32\vidcap.ax
2008-11-11 23:48 . 2008-04-14 00:16 17,024 --a------ c:\windows\system32\drivers\ccdecode.sys
2008-11-11 23:48 . 2007-05-24 16:32 284 --a------ c:\windows\system32\Remover.ini
2008-11-11 23:47 . 2008-11-11 23:47 <DIR> d-------- c:\windows\Album
2008-11-11 23:47 . 2008-11-11 23:47 <DIR> d-------- c:\program files\KYE
2008-11-11 23:47 . 2008-11-11 23:47 <DIR> d-------- c:\documents and settings\DENIS\Application Data\InstallShield
2008-11-11 23:47 . 2005-04-03 20:56 1,060,864 --a------ c:\windows\system32\mfc71.dll
2008-11-11 23:36 . 2008-11-11 23:36 <DIR> d-------- c:\program files\Common Files\ACD Systems
2008-11-11 23:36 . 2008-11-11 23:36 <DIR> d-------- c:\program files\ACD Systems
2008-11-11 23:36 . 2008-11-11 23:36 <DIR> d-------- c:\documents and settings\All Users\Application Data\ACD Systems
2008-11-11 23:36 . 2008-11-11 23:36 10,368 --a------ c:\windows\system32\drivers\pfc.sys
2008-11-11 23:34 . 2008-11-11 23:48 <DIR> d-------- c:\windows\Downloaded Installations
2008-11-11 23:30 . 2008-11-11 23:32 <DIR> d-------- c:\documents and settings\All Users\Application Data\WinZip
2008-11-11 23:29 . 2008-11-11 23:29 <DIR> d-------- c:\program files\Recnik20
2008-11-11 23:27 . 2008-11-12 01:03 <DIR> d-------- c:\program files\Opera
2008-11-11 19:26 . 2008-11-11 19:26 109,736 -r-hs---- C:\lky.exe
2008-11-11 14:44 . 2008-04-14 00:15 32,128 --a------ c:\windows\system32\drivers\usbccgp.sys
2008-11-11 14:44 . 2008-04-14 00:17 25,856 --a------ c:\windows\system32\drivers\usbprint.sys
2008-11-11 00:00 . 2008-11-11 10:50 <DIR> dr-h----- C:\$VAULT$.AVG
2008-11-10 23:57 . 2008-11-12 00:08 <DIR> d-------- c:\documents and settings\DENIS\Application Data\U3
2008-11-10 23:26 . 2008-11-12 01:07 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-11-10 23:26 . 2008-11-12 01:07 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-10 23:12 . 2008-11-11 00:13 <DIR> d-------- c:\program files\Wise Registry Cleaner 3 Pro
2008-11-10 23:11 . 2001-08-17 22:36 8,704 --a------ c:\windows\system32\kbdjpn.dll
2008-11-10 23:11 . 2001-08-17 22:36 8,704 --a--c--- c:\windows\system32\dllcache\kbdjpn.dll
2008-11-10 23:11 . 2001-08-17 22:36 8,192 --a------ c:\windows\system32\kbdkor.dll
2008-11-10 23:11 . 2001-08-17 22:36 8,192 --a--c--- c:\windows\system32\dllcache\kbdkor.dll
2008-11-10 23:11 . 2008-04-14 05:39 6,144 --a------ c:\windows\system32\kbd106.dll
2008-11-10 23:11 . 2001-08-17 14:55 6,144 --a------ c:\windows\system32\kbd101c.dll
2008-11-10 23:11 . 2001-08-17 14:55 6,144 --a------ c:\windows\system32\kbd101b.dll
2008-11-10 23:11 . 2001-08-17 14:55 6,144 --a--c--- c:\windows\system32\dllcache\kbd101c.dll
2008-11-10 23:11 . 2001-08-17 14:55 6,144 --a--c--- c:\windows\system32\dllcache\kbd101b.dll
2008-11-10 23:11 . 2001-08-17 14:55 5,632 --a------ c:\windows\system32\kbd103.dll
2008-11-10 23:11 . 2001-08-17 14:55 5,632 --a--c--- c:\windows\system32\dllcache\kbd103.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-12 01:07 --------- d-----w c:\documents and settings\DENIS\Application Data\AVG7
2008-11-11 22:48 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-11 22:48 --------- d-----w c:\program files\Common Files\InstallShield
2008-11-11 18:26 85,504 --sh--r c:\windows\system32\gasretyw1.dll
2008-11-11 18:26 109,736 --sh--r c:\windows\system32\kamsoft.exe
2008-11-11 18:25 85,504 ------w c:\windows\system32\gasretyw0.dll
2008-11-10 23:29 108,271 --sh--r C:\whi.com
2008-11-10 23:00 --------- d-----w c:\documents and settings\All Users\Application Data\avg7
2008-11-10 21:55 --------- d-----w c:\program files\Common Files\Adobe
2008-11-10 21:40 --------- d-----w c:\program files\Intel
2008-11-10 21:39 355,584 ----a-w c:\windows\system32\TuneUpDefragService.exe
2008-11-10 21:39 --------- d-----w c:\program files\TuneUp Utilities 2008
2008-11-10 21:39 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-11-10 21:39 --------- d-----w c:\documents and settings\DENIS\Application Data\TuneUp Software
2008-11-10 21:39 --------- d-----w c:\documents and settings\All Users\Application Data\TuneUp Software
2008-11-10 21:23 --------- d-----w c:\documents and settings\LocalService\Application Data\AVG7
2008-11-10 21:21 499,712 ----a-w c:\windows\system32\msvcp71.dll
2008-11-10 21:21 348,160 ----a-w c:\windows\system32\msvcr71.dll
2008-11-10 21:21 110,592 ----a-w c:\windows\system32\avgfwafu.dll
2008-11-10 21:21 --------- d-----w c:\documents and settings\All Users\Application Data\Grisoft
2008-11-10 21:09 --------- d-----w c:\program files\Realtek
2008-11-10 21:08 --------- d-----w c:\documents and settings\All Users\Application Data\nView_Profiles
2008-11-10 20:51 --------- d-----w c:\program files\microsoft frontpage
2008-08-29 09:18 87,336 ----a-w c:\windows\system32\dns-sd.exe
2008-08-29 08:53 61,440 ----a-w c:\windows\system32\dnssd.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-09-23 21755688]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="c:\progra~1\Grisoft\AVG7\avgcc.exe" [2008-11-10 590848]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-02-13 7557120]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"AVG7_Run"="c:\progra~1\Grisoft\AVG7\avgw.exe" [2008-11-10 219136]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.ACDV"= ACDV.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"kamsoft"=c:\windows\system32\kamsoft.exe
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" /background
"SpybotSD TeaTimer"=c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Alcmtr"=ALCMTR.EXE
"RTHDCPL"=RTHDCPL.EXE
"nwiz"=nwiz.exe /install
"NvCplDaemon"=RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
"NvMediaCenter"=RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
"Monitor"=c:\windows\PixArt\PAC207\Monitor.exe
"SMSERIAL"=sm56hlpr.exe
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R2 UxTuneUp;TuneUp Theme Extension;c:\windows\System32\svchost.exe [2008-04-14 14336]
R3 PAC207;i-Look 111;c:\windows\system32\DRIVERS\PFC027.SYS [2007-06-29 611584]
S3 TuneUp.Defrag;TuneUp Drive Defrag Service;c:\windows\System32\TuneUpDefragService.exe [2008-11-10 355584]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - G:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{571077df-af72-11dd-92ab-00138fc79baf}]
\Shell\AutoRun\command - G:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2008-11-12 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2008\OneClickStarter.exe [2008-06-20 09:09]

2008-11-11 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, gmer.net
Rootkit scan 2008-11-12 23:55:59
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-11-12 23:56:24
ComboFix-quarantined-files.txt 2008-11-12 22:56:20

Pre-Run: 47.770.746.880 bytes free
Post-Run: 47,772,884,992 bytes free

Update: 13 Nov 2008 0:16

I can't believe it... I sent the log from the other computer, Bebee Dol... sorry, but I completely forgot, because I'm cleaning both computers right now... that's why one is DENIS and the other is Administrator...

What should I do now? Should I run the scan again with that previous script, i.e. this one:

File::
C:\lky.exe
c:\windows\system32\gasretyw1.dll
c:\windows\system32\kamsoft.exe
c:\windows\system32\gasretyw0.dll
C:\whi.com

Registry::
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"kamsoft"=-

  • dr_Bora  Male
  • Anti Malware Fighter
    Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

Yes, yes... On the ''DENIS computer'' use this script:

File::
C:\lky.exe
c:\windows\system32\gasretyw1.dll
c:\windows\system32\kamsoft.exe
c:\windows\system32\gasretyw0.dll
C:\whi.com

Registry::
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"kamsoft"=-

  • Joined: 21 Sep 2008
  • Posts: 8

ComboFix 08-11-12.01 - DENIS 2008-11-13 23:18:50.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.179 [GMT 1:00]
Running from: c:\documents and settings\DENIS\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\DENIS\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\lky.exe
C:\whi.com
c:\windows\system32\gasretyw0.dll
c:\windows\system32\gasretyw1.dll
c:\windows\system32\kamsoft.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\lky.exe
C:\whi.com
c:\windows\system32\gasretyw0.dll
c:\windows\system32\gasretyw1.dll
c:\windows\system32\kamsoft.exe

.
((((((((((((((((((((((((( Files Created from 2008-10-13 to 2008-11-13 )))))))))))))))))))))))))))))))
.

2008-11-13 23:02 . 2008-11-13 23:02 <DIR> d-------- c:\documents and settings\All Users\Application Data\KONAMI
2008-11-13 22:57 . 2006-11-29 13:06 3,426,072 --a------ c:\windows\system32\d3dx9_32.dll
2008-11-13 22:57 . 2006-09-28 16:05 2,414,360 --a------ c:\windows\system32\d3dx9_31.dll
2008-11-13 22:57 . 2006-12-08 12:02 251,672 --a------ c:\windows\system32\xactengine2_5.dll
2008-11-13 22:57 . 2006-09-28 16:05 237,848 --a------ c:\windows\system32\xactengine2_4.dll
2008-11-13 22:57 . 2006-09-28 16:04 68,888 --a------ c:\windows\system32\xinput1_3.dll
2008-11-13 22:57 . 2006-11-15 11:38 15,128 --a------ c:\windows\system32\x3daudio1_1.dll
2008-11-13 22:54 . 2008-11-13 22:54 <DIR> d-------- c:\program files\KONAMI
2008-11-12 01:08 . 2008-04-14 05:42 159,232 --a------ c:\windows\system32\ptpusd.dll
2008-11-12 01:08 . 2008-04-14 00:15 15,104 --a------ c:\windows\system32\drivers\usbscan.sys
2008-11-12 01:08 . 2008-04-14 00:15 15,104 --a--c--- c:\windows\system32\dllcache\usbscan.sys
2008-11-12 01:08 . 2001-08-17 22:36 5,632 --a------ c:\windows\system32\ptpusb.dll
2008-11-12 00:50 . 2008-11-12 00:50 <DIR> d-------- c:\windows\ServicePackFiles
2008-11-12 00:50 . 2008-04-14 05:42 294,912 -----c--- c:\windows\system32\dllcache\dlimport.exe
2008-11-12 00:47 . 2006-12-29 00:31 19,569 --a------ c:\windows\002888_.tmp
2008-11-12 00:11 . 2008-11-12 00:11 <DIR> d-------- c:\documents and settings\DENIS\Application Data\ACD Systems
2008-11-12 00:09 . 2008-11-12 01:50 <DIR> d-------- c:\documents and settings\DENIS\Application Data\Apple Computer
2008-11-12 00:08 . 2008-11-12 00:08 <DIR> d-------- c:\program files\iTunes
2008-11-12 00:08 . 2008-11-12 00:08 <DIR> d-------- c:\program files\iPod
2008-11-12 00:08 . 2008-11-12 00:08 <DIR> d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-11-12 00:08 . 2008-04-17 13:12 107,368 --a------ c:\windows\system32\GEARAspi.dll
2008-11-12 00:08 . 2008-04-17 13:12 15,464 --a------ c:\windows\system32\drivers\GEARAspiWDM.sys
2008-11-12 00:07 . 2008-11-12 00:07 <DIR> d-------- c:\program files\QuickTime
2008-11-12 00:07 . 2008-11-12 00:07 <DIR> d-------- c:\program files\Bonjour
2008-11-12 00:07 . 2008-11-12 00:08 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple Computer
2008-11-12 00:06 . 2008-11-12 00:08 <DIR> d----c--- c:\windows\system32\DRVSTORE
2008-11-12 00:06 . 2008-11-12 00:06 <DIR> d-------- c:\program files\Apple Software Update
2008-11-12 00:06 . 2008-10-01 13:01 32,000 --a------ c:\windows\system32\drivers\usbaapl.sys
2008-11-12 00:05 . 2008-11-12 00:05 <DIR> d-------- c:\program files\Common Files\Apple
2008-11-12 00:05 . 2008-11-12 00:05 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple
2008-11-12 00:03 . 2008-11-13 16:35 <DIR> d-------- c:\documents and settings\DENIS\Application Data\skypePM
2008-11-12 00:03 . 2008-11-12 00:03 56 --ah----- c:\windows\system32\ezsidmv.dat
2008-11-12 00:02 . 2008-11-12 00:02 <DIR> d-------- c:\program files\Skype
2008-11-12 00:02 . 2008-11-12 00:02 <DIR> d-------- c:\program files\Common Files\Skype
2008-11-12 00:02 . 2008-11-13 22:49 <DIR> d-------- c:\documents and settings\DENIS\Application Data\Skype
2008-11-12 00:02 . 2008-11-12 00:02 <DIR> d-------- c:\documents and settings\All Users\Application Data\Skype
2008-11-11 23:49 . 2008-04-14 00:16 85,248 --a------ c:\windows\system32\drivers\nabtsfec.sys
2008-11-11 23:49 . 2008-04-14 00:16 19,200 --a------ c:\windows\system32\drivers\wstcodec.sys
2008-11-11 23:49 . 2008-04-14 05:42 16,384 --a------ c:\windows\system32\ipsink.ax
2008-11-11 23:49 . 2008-04-14 00:16 15,232 --a------ c:\windows\system32\drivers\streamip.sys
2008-11-11 23:49 . 2008-04-14 00:16 11,136 --a------ c:\windows\system32\drivers\slip.sys
2008-11-11 23:49 . 2008-04-14 00:16 10,880 --a------ c:\windows\system32\drivers\ndisip.sys
2008-11-11 23:49 . 2008-04-14 00:09 5,504 --a------ c:\windows\system32\drivers\mstee.sys
2008-11-11 23:48 . 2008-11-11 23:48 <DIR> d-------- c:\windows\PixArt
2008-11-11 23:48 . 2008-11-11 23:48 <DIR> d-------- c:\program files\Common Files\PAC207
2008-11-11 23:48 . 2008-04-14 05:42 91,136 --a------ c:\windows\system32\kswdmcap.ax
2008-11-11 23:48 . 2008-04-14 05:42 61,952 --a------ c:\windows\system32\kstvtune.ax
2008-11-11 23:48 . 2008-04-14 05:42 53,760 --a------ c:\windows\system32\vfwwdm32.dll
2008-11-11 23:48 . 2006-11-03 10:59 48,128 --a------ c:\windows\system32\Remove.exe
2008-11-11 23:48 . 2008-04-14 05:42 43,008 --a------ c:\windows\system32\ksxbar.ax
2008-11-11 23:48 . 2008-04-14 05:42 28,672 --a------ c:\windows\system32\vidcap.ax
2008-11-11 23:48 . 2008-04-14 00:16 17,024 --a------ c:\windows\system32\drivers\ccdecode.sys
2008-11-11 23:48 . 2007-05-24 16:32 284 --a------ c:\windows\system32\Remover.ini
2008-11-11 23:47 . 2008-11-11 23:47 <DIR> d-------- c:\windows\Album
2008-11-11 23:47 . 2008-11-11 23:47 <DIR> d-------- c:\program files\KYE
2008-11-11 23:47 . 2008-11-11 23:47 <DIR> d-------- c:\documents and settings\DENIS\Application Data\InstallShield
2008-11-11 23:47 . 2005-04-03 20:56 1,060,864 --a------ c:\windows\system32\mfc71.dll
2008-11-11 23:36 . 2008-11-11 23:36 <DIR> d-------- c:\program files\Common Files\ACD Systems
2008-11-11 23:36 . 2008-11-11 23:36 <DIR> d-------- c:\program files\ACD Systems
2008-11-11 23:36 . 2008-11-11 23:36 <DIR> d-------- c:\documents and settings\All Users\Application Data\ACD Systems
2008-11-11 23:36 . 2008-11-11 23:36 10,368 --a------ c:\windows\system32\drivers\pfc.sys
2008-11-11 23:34 . 2008-11-11 23:48 <DIR> d-------- c:\windows\Downloaded Installations
2008-11-11 23:30 . 2008-11-11 23:32 <DIR> d-------- c:\documents and settings\All Users\Application Data\WinZip
2008-11-11 23:29 . 2008-11-11 23:29 <DIR> d-------- c:\program files\Recnik20
2008-11-11 23:27 . 2008-11-12 01:03 <DIR> d-------- c:\program files\Opera
2008-11-11 14:44 . 2008-04-14 00:15 32,128 --a------ c:\windows\system32\drivers\usbccgp.sys
2008-11-11 14:44 . 2008-04-14 00:17 25,856 --a------ c:\windows\system32\drivers\usbprint.sys
2008-11-11 00:00 . 2008-11-11 10:50 <DIR> dr-h----- C:\$VAULT$.AVG
2008-11-10 23:57 . 2008-11-12 00:08 <DIR> d-------- c:\documents and settings\DENIS\Application Data\U3
2008-11-10 23:26 . 2008-11-12 01:07 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-11-10 23:26 . 2008-11-12 01:07 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-10 23:12 . 2008-11-11 00:13 <DIR> d-------- c:\program files\Wise Registry Cleaner 3 Pro
2008-11-10 23:11 . 2001-08-17 22:36 8,704 --a------ c:\windows\system32\kbdjpn.dll
2008-11-10 23:11 . 2001-08-17 22:36 8,704 --a--c--- c:\windows\system32\dllcache\kbdjpn.dll
2008-11-10 23:11 . 2001-08-17 22:36 8,192 --a------ c:\windows\system32\kbdkor.dll
2008-11-10 23:11 . 2001-08-17 22:36 8,192 --a--c--- c:\windows\system32\dllcache\kbdkor.dll
2008-11-10 23:11 . 2008-04-14 05:39 6,144 --a------ c:\windows\system32\kbd106.dll
2008-11-10 23:11 . 2001-08-17 14:55 6,144 --a------ c:\windows\system32\kbd101c.dll
2008-11-10 23:11 . 2001-08-17 14:55 6,144 --a------ c:\windows\system32\kbd101b.dll
2008-11-10 23:11 . 2001-08-17 14:55 6,144 --a--c--- c:\windows\system32\dllcache\kbd101c.dll
2008-11-10 23:11 . 2001-08-17 14:55 6,144 --a--c--- c:\windows\system32\dllcache\kbd101b.dll
2008-11-10 23:11 . 2001-08-17 14:55 5,632 --a------ c:\windows\system32\kbd103.dll
2008-11-10 23:11 . 2001-08-17 14:55 5,632 --a--c--- c:\windows\system32\dllcache\kbd103.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-13 21:50 --------- d-----w c:\documents and settings\DENIS\Application Data\AVG7
2008-11-11 22:48 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-11 22:48 --------- d-----w c:\program files\Common Files\InstallShield
2008-11-10 23:00 --------- d-----w c:\documents and settings\All Users\Application Data\avg7
2008-11-10 21:55 --------- d-----w c:\program files\Common Files\Adobe
2008-11-10 21:40 --------- d-----w c:\program files\Intel
2008-11-10 21:39 355,584 ----a-w c:\windows\system32\TuneUpDefragService.exe
2008-11-10 21:39 --------- d-----w c:\program files\TuneUp Utilities 2008
2008-11-10 21:39 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-11-10 21:39 --------- d-----w c:\documents and settings\DENIS\Application Data\TuneUp Software
2008-11-10 21:39 --------- d-----w c:\documents and settings\All Users\Application Data\TuneUp Software
2008-11-10 21:23 --------- d-----w c:\documents and settings\LocalService\Application Data\AVG7
2008-11-10 21:21 499,712 ----a-w c:\windows\system32\msvcp71.dll
2008-11-10 21:21 348,160 ----a-w c:\windows\system32\msvcr71.dll
2008-11-10 21:21 110,592 ----a-w c:\windows\system32\avgfwafu.dll
2008-11-10 21:21 --------- d-----w c:\documents and settings\All Users\Application Data\Grisoft
2008-11-10 21:09 --------- d-----w c:\program files\Realtek
2008-11-10 21:08 --------- d-----w c:\documents and settings\All Users\Application Data\nView_Profiles
2008-11-10 20:51 --------- d-----w c:\program files\microsoft frontpage
2008-08-29 09:18 87,336 ----a-w c:\windows\system32\dns-sd.exe
2008-08-29 08:53 61,440 ----a-w c:\windows\system32\dnssd.dll
.

((((((((((((((((((((((((((((( snapshot@2008-11-12_23.56.08,01 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-11-13 22:12:26 38,943 ----a-r c:\windows\Installer\{A8DB611A-D80E-450D-85F6-3ACDD164BE31}\ARPPRODUCTICON.exe
+ 2008-11-13 22:12:26 81,920 ----a-r c:\windows\Installer\{A8DB611A-D80E-450D-85F6-3ACDD164BE31}\Shortcut_PES2009_E_19E2C126E9A346458082E1106EC36033.exe
+ 2008-11-13 22:12:26 86,016 ----a-r c:\windows\Installer\{A8DB611A-D80E-450D-85F6-3ACDD164BE31}\Shortcut_SETTINGS__E16DFE45D7AC4FBF87BBB412D05EFC15.exe
+ 2006-02-03 07:41:26 14,032 ----a-w c:\windows\LastGood\system32\x3daudio1_0.dll
+ 2006-09-28 15:03:28 15,128 ----a-w c:\windows\LastGood\system32\x3daudio1_1.dll
+ 2005-02-05 18:45:26 2,222,800 ----a-w c:\windows\system32\d3dx9_24.dll
+ 2005-03-18 16:19:58 2,337,488 ----a-w c:\windows\system32\d3dx9_25.dll
+ 2005-05-26 14:34:52 2,297,552 ----a-w c:\windows\system32\d3dx9_26.dll
+ 2005-07-22 18:59:04 2,319,568 ----a-w c:\windows\system32\d3dx9_27.dll
+ 2005-12-05 17:09:18 2,323,664 ----a-w c:\windows\system32\d3dx9_28.dll
+ 2006-02-03 07:43:16 2,332,368 ----a-w c:\windows\system32\d3dx9_29.dll
+ 2006-03-31 11:40:58 2,388,176 ----a-w c:\windows\system32\d3dx9_30.dll
+ 2006-02-03 07:41:26 14,032 ----a-w c:\windows\system32\x3daudio1_0.dll
+ 2006-02-03 07:42:06 230,096 ----a-w c:\windows\system32\xactengine2_0.dll
+ 2006-03-31 11:39:48 229,584 ----a-w c:\windows\system32\xactengine2_1.dll
+ 2006-05-31 06:24:16 230,168 ----a-w c:\windows\system32\xactengine2_2.dll
+ 2006-07-28 08:30:32 236,824 ----a-w c:\windows\system32\xactengine2_3.dll
+ 2006-03-31 11:39:24 62,672 ----a-w c:\windows\system32\xinput1_1.dll
+ 2006-07-28 08:30:14 62,744 ----a-w c:\windows\system32\xinput1_2.dll
+ 2005-12-05 17:07:30 61,136 ----a-w c:\windows\system32\xinput9_1_0.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-09-23 21755688]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="c:\progra~1\Grisoft\AVG7\avgcc.exe" [2008-11-10 590848]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-02-13 7557120]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"AVG7_Run"="c:\progra~1\Grisoft\AVG7\avgw.exe" [2008-11-10 219136]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.ACDV"= ACDV.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" /background
"SpybotSD TeaTimer"=c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Alcmtr"=ALCMTR.EXE
"RTHDCPL"=RTHDCPL.EXE
"nwiz"=nwiz.exe /install
"NvCplDaemon"=RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
"NvMediaCenter"=RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
"Monitor"=c:\windows\PixArt\PAC207\Monitor.exe
"SMSERIAL"=sm56hlpr.exe
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\KONAMI\\Pro Evolution Soccer 2009\\pes2009.exe"=

R2 UxTuneUp;TuneUp Theme Extension;c:\windows\System32\svchost.exe [2008-04-14 14336]
R3 PAC207;i-Look 111;c:\windows\system32\DRIVERS\PFC027.SYS [2007-06-29 611584]
S3 TuneUp.Defrag;TuneUp Drive Defrag Service;c:\windows\System32\TuneUpDefragService.exe [2008-11-10 355584]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - G:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{571077df-af72-11dd-92ab-00138fc79baf}]
\Shell\AutoRun\command - G:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2008-11-13 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2008\OneClickStarter.exe [2008-06-20 09:09]

2008-11-11 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, gmer.net
Rootkit scan 2008-11-13 23:20:02
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-11-13 23:20:32
ComboFix-quarantined-files.txt 2008-11-13 22:20:27
ComboFix2.txt 2008-11-12 22:56:24

Pre-Run: 39.808.733.184 bytes free
Post-Run: 39,826,898,944 bytes free

  • dr_Bora  Male
  • Anti Malware Fighter
    Rank 2
  • Joined: 24 Jul 2007
  • Posts: 12280
  • Location: Höganäs, SE

From the ''Administrator'' computer, delete the following file:

C:\sq.com


-------------------------------------------------------------------------------------


Both computers are now clean. What remains is to do the following:
Click START and then RUN
In the text input line, type Combofix /u and click OK

Wait for the uninstallation process to finish

The above procedure will:
Delete the following:
ComboFix and its files and folders
the VundoFix Backups folder, if it exists
the C:\Deckard folder, if it exists
the C:\OtMoveIt folder, if it exists

Reset the computer's clock settings
Hide file extensions, if necessary
Hide system/hidden files/folders, if necessary
Reset System Restore
