Iskljuci System Restore. Skini HiJackThis! i skeniraj sistem. Postavi HiJackThis! log. Skini Combofix. Sve ce ti biti jasno oko koriscenja ova 2 alata kad pogledas ovu temu (procitaj sve pazljivo. problem nije slican tvome ali HiJackThis! i Combofix su alati koji ce nam najverovatnije pomoci da resimo i tvoj problem):

http://www.elitesecurity.org/t306988-0#1835930

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 18:27:16, on 5.2.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Vypress Chat\VyChat.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\DOCUME~1\Slobodan\LOCALS~1\Temp\Rar$EX00.938\HiJackThis_v2.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=10.10.3.242:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CorelDRAW Graphics Suite 11b] C:\Program Files\Corel\Corel Graphics 12\Languages\EN\Programs\Registration.exe /title="CorelDRAW Graphics Suite 12" /date=021008 serial=DR12WEX-1504397-KTY lang=EN
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [amva] C:\WINDOWS\system32\amvo.exe
O4 - Global Startup: Vypress Chat StartUp.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{FE3E502B-C617-4A24-8B00-D5B9ED53DD1A}: NameServer = 10.10.3.241
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: mental ray 3.5 Satellite (32-bit) (mi-raysat_3dsmax9_32) - Unknown owner - C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 4134 bytes

ComboFix 08-02.05.3 - Slobodan 2008-02-05 18:29:46.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.257 [GMT 1:00]
Running from: \\10d1\Install\Bobito\ComboFix.exe
* Created a new restore point

[color=red]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/color]
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Autorun.inf
C:\semo2x.exe
C:\u.bat
C:\WINDOWS\system32\amvo.exe
C:\WINDOWS\system32\amvo0.dll
C:\WINDOWS\system32\amvo1.dll
C:\WINDOWS\system32\winsys.exe
D:\Autorun.inf
D:\semo2x.exe
D:\u.bat
E:\Autorun.inf
E:\semo2x.exe
E:\u.bat
F:\Autorun.inf
F:\semo2x.exe
F:\u.bat

.
((((((((((((((((((((((((( Files Created from 2008-01-05 to 2008-02-05 )))))))))))))))))))))))))))))))
.

2008-02-05 18:27 . 2004-08-03 23:56 388,608 --a------ C:\kmd.exe
2008-02-05 12:42 . 2008-02-05 12:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2008-02-04 21:54 . 2008-02-04 09:16 104,044 -r-hs---- C:\h.cmd
2008-02-04 21:46 . 2008-02-04 21:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-01-30 16:35 . 2008-01-30 16:35 72,838 --a------ C:\WINDOWS\FontData.fdb
2008-01-29 03:17 . 2008-01-29 03:17 104,734 -r-hs---- C:\ylr.exe
2008-01-28 00:49 . 2008-01-28 00:49 <DIR> d---s---- C:\Documents and Settings\Slobodan\UserData
2008-01-26 22:19 . 2008-01-26 22:19 <DIR> d-------- C:\Documents and Settings\Slobodan\Application Data\Corel
2008-01-26 22:16 . 2008-01-26 22:16 <DIR> d-------- C:\Program Files\Common Files\Corel
2008-01-26 22:15 . 2008-01-26 22:15 <DIR> d-------- C:\Program Files\Corel
2008-01-25 15:50 . 2008-01-27 21:01 103,781 -r-hs---- C:\xo8wr9.exe
2008-01-25 00:30 . 2005-05-26 15:34 2,297,552 --a------ C:\WINDOWS\system32\d3dx9_26.dll
2008-01-25 00:02 . 2008-01-25 00:09 <DIR> d-------- C:\Program Files\3dmax
2008-01-24 23:12 . 2008-01-25 00:02 <DIR> d-------- C:\Program Files\backburner 2
2008-01-18 13:26 . 2008-01-23 14:47 105,199 -r-hs---- C:\xn1i9x.com
2008-01-18 01:48 . 2008-01-18 02:11 105,525 -r-hs---- C:\m1t8ta.com
2008-01-12 12:18 . 2008-01-15 13:33 104,451 -r-hs---- C:\d.com
2008-01-10 12:08 . 2001-07-06 13:41 569,344 --a------ C:\WINDOWS\system32\imagr5.dll
2008-01-10 12:08 . 2001-07-06 11:44 544,768 --a------ C:\WINDOWS\system32\imagx5.dll
2008-01-10 12:08 . 2001-07-06 17:24 283,920 --a------ C:\WINDOWS\system32\ImagXpr5.dll
2008-01-10 12:08 . 2001-07-09 10:50 155,648 --a------ C:\WINDOWS\system32\NeroCheck.exe
2008-01-10 12:08 . 2004-03-03 20:30 125,184 --a------ C:\WINDOWS\system32\drivers\imagesrv.sys
2008-01-10 12:08 . 2000-06-26 10:45 106,496 --a------ C:\WINDOWS\system32\TwnLib20.dll
2008-01-10 12:08 . 2001-06-26 07:15 38,912 --a------ C:\WINDOWS\system32\picn20.dll
2008-01-10 12:08 . 2004-03-03 20:30 5,504 --a------ C:\WINDOWS\system32\drivers\imagedrv.sys
2008-01-10 10:53 . 2008-01-10 10:53 <DIR> d-------- C:\Documents and Settings\Slobodan\Application Data\Ahead
2008-01-10 10:52 . 2008-01-10 12:08 <DIR> d-------- C:\Program Files\Common Files\Ahead
2008-01-10 04:54 . 2008-01-22 05:18 191,783 --a------ C:\acadminidump.dmp
2008-01-09 23:52 . 2008-01-26 22:18 69 --a------ C:\WINDOWS\NeroDigital.ini
2008-01-08 00:18 . 2008-01-08 00:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\NVIDIA

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-05 11:42 5,767,168 ---ha-w C:\Documents and Settings\Slobodan\NTUSER.DAT
2008-02-04 20:36 --------- d-----w C:\Program Files\Yahoo!
2008-01-30 16:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-01-27 20:01 103,781 ----a-w C:\WINDOWS\system32\help.exe.tmp
2008-01-26 21:16 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-26 21:16 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-01-24 23:27 --------- d-----w C:\Program Files\Common Files\Autodesk Shared
2008-01-24 23:25 --------- d-----w C:\Program Files\Autodesk
2008-01-24 23:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\Autodesk
2008-01-20 16:27 --------- d-----w C:\Program Files\Yu recnik
2008-01-10 11:08 --------- d-----w C:\Program Files\Ahead
2008-01-08 20:48 --------- d-----w C:\Documents and Settings\Slobodan\Application Data\Autodesk
2008-01-02 22:12 --------- d-----w C:\Program Files\Valve
2007-12-28 11:19 104,507 --sh--r C:\xfoolavp.com
2007-12-23 19:05 --------- d-----w C:\Program Files\FastStone Image Viewer
2007-12-22 16:02 10,368 ----a-w C:\WINDOWS\system32\drivers\pfc.sys
2007-12-22 16:02 --------- d-----w C:\Program Files\Common Files\ACD Systems
2007-12-22 16:02 --------- d-----w C:\Program Files\ACD Systems
2007-12-22 16:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\ACD Systems
2007-12-18 19:38 --------- d-----w C:\Program Files\Don't Get Angry 2
2007-12-18 19:22 --------- d-----w C:\Program Files\Common Files\SWF Studio
2007-12-18 11:03 --------- d-----w C:\Program Files\Google
2007-12-16 20:37 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2007-12-16 19:47 --------- d-----w C:\Program Files\acdsee 9.0
2007-12-16 19:47 --------- d-----w C:\Documents and Settings\Slobodan\Application Data\ACD Systems
2007-12-15 19:58 --------- d-----w C:\Program Files\GetData
2007-12-15 19:36 --------- d-----w C:\Program Files\Alcohol Soft
2007-12-15 19:30 --------- d-----w C:\Program Files\TuneUp Utilities 2007
2007-12-15 19:30 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-12-15 19:30 --------- d-----w C:\Documents and Settings\Slobodan\Application Data\TuneUp Software
2007-12-15 19:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\TuneUp Software
2007-12-15 19:21 --------- d-----w C:\Program Files\MSBuild
2007-12-15 19:21 --------- d-----w C:\Program Files\Microsoft Works
2007-12-15 19:20 --------- d-----w C:\Program Files\Microsoft.NET
2007-12-15 19:18 --------- d-----w C:\Program Files\Microsoft Visual Studio 8
2007-12-15 19:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\FLEXnet
2007-12-15 19:12 --------- d-----w C:\Program Files\Common Files\Adobe
2007-12-15 19:12 --------- d-----w C:\Program Files\Bonjour
2007-12-15 19:05 --------- d-----w C:\Program Files\Common Files\Macrovision Shared
2007-12-15 19:03 --------- d-----w C:\Program Files\LAN Search Pro
2007-12-15 18:58 --------- d-----w C:\Program Files\AutoCAD 2008
2007-12-15 18:46 --------- d-----w C:\Program Files\Vypress Chat
2007-12-15 18:45 --------- d-----w C:\Documents and Settings\Slobodan\Application Data\VyPRESS
2007-12-15 18:33 --------- d-----w C:\Program Files\Winamp
2007-12-15 18:32 --------- d-----w C:\Documents and Settings\Slobodan\Application Data\BSplayer Pro
2007-12-15 18:31 --------- d-----w C:\Program Files\Webteh
2007-12-15 18:31 --------- d-----w C:\Documents and Settings\Slobodan\Application Data\Media Player Classic
2007-12-15 18:30 --------- d-----w C:\Program Files\K-Lite Codec Pack
2007-12-15 18:22 --------- d-----w C:\Program Files\Realtek
2007-12-15 18:12 --------- d-----w C:\Program Files\microsoft frontpage
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="NvMCTray.dll" [2006-06-01 10:22 86016 C:\WINDOWS\system32\nvmctray.dll]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 00:47 31016]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-06-01 10:22 7618560]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"CorelDRAW Graphics Suite 11b"="C:\Program Files\Corel\Corel Graphics 12\Languages\EN\Programs\Registration.exe" [2003-11-25 13:39 729088]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Vypress Chat StartUp.lnk - C:\WINDOWS\Installer\{A1E1619F-036F-4176-8563-AA9E570113F0}\iconVCAdvertised.exe [2007-12-15 19:45:52 12390]

R2 UxTuneUp;TuneUp Design Expansion;C:\WINDOWS\System32\svchost.exe [2004-08-03 23:56]
S3 SetupNTGLM7X;SetupNTGLM7X;G:\NTGLM7X.sys []

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{70c5882f-b39d-11dc-b77b-001617bcc494}]
\Shell\AutoRun\command - J:\xn1i9x.com
\Shell\explore\Command - J:\xn1i9x.com
\Shell\open\Command - J:\xn1i9x.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{79a7558d-b52d-11dc-b77d-001617bcc494}]
\Shell\AutoRun\command - I:\xo8wr9.exe
\Shell\explore\Command - I:\xo8wr9.exe
\Shell\open\Command - I:\xo8wr9.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8edb37f1-ab47-11dc-b76d-001617bcc494}]
\Shell\AutoRun\command - h.cmd
\Shell\explore\Command - h.cmd
\Shell\open\Command - h.cmd

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ef42ac40-cb4f-11dc-b794-001617bcc494}]
\Shell\AutoRun\command - I:\ntde1ect.com
\Shell\explore\Command - I:\ntde1ect.com
\Shell\open\Command - I:\ntde1ect.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fff7d752-b5fa-11dc-b77e-001617bcc494}]
\Shell\AutoRun\command - I:\xfoolavp.com
\Shell\explore\Command - I:\xfoolavp.com
\Shell\open\Command - I:\xfoolavp.com

.
Contents of the 'Scheduled Tasks' folder
"2008-02-01 16:32:44 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2007\SystemOptimizer.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-05 18:31:12
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-05 18:31:30
ComboFix-quarantined-files.txt 2008-02-05 17:31:23

ComboFix je resio stvari tako da vise nema nikakvih problema, sve radi super skeniracu sada sve sa najnovijom bazom kasperskog i valjda ne bi trebalo da bude vise problema?

Nije nista combofix resio... Jos. :)

sledece obrisi pomocu: HiJackThis! (stikliraj i pritisni "fix checked"):




Sledece sto ces uraditi je da ces kreirati Notepad dokument u koji ces kopirati sledeci text::



sacuvaces to kao "CFScript.txt" i prevuci ces na Combofix koji ce ponovo poceti da radi. Ne diraj nista dok radi pusti da se komp restartuje. Posle ponovo okaci novi HiJackThis! log i Combofix log.

Pertpostavljam da je i USB stick, kojim si naverovatnije i zaradio jednu od nekoliko infekcija, uboden jer ako nije nismo uradili nista (ponovo ces se inficirati cim ponovo pokrenes stick). Ne aktiviraj USB stick nego samo pusti da Combofix da radi svoje...

Mozes da skeniras sa Kasperskim ali ja bih te zamolio da uradis sken sa Kaspersky Online Scannerom jer on kreira log koji je pregledan sto se tice potencijalno inficiranih fajlova. Kad skine sve baze idi u podesavanja (settings) i pogledaj da li je izabran Extended Scan. Pored toga nista ne diraj...

Ne zaboravi da okacis sva 3 loga sto sam trazio...

Odradio sam sve kako si rekao, medjutim ja nemam stick, ali je verovatno upao sa drugovog koji necu vise ubacivati, viruse koje si mi rekao da kopiram u notepad, odstranio sam sa kaspersky-im, ali bolje ti pogledaj ove log-fajlove, combofix nije restartovao racunar ako ti nesto znaci.Izvoli Hijackthis log.


Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 0:33:34, on 6.2.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Vypress Chat\VyChat.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\WINDOWS\explorer.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\DOCUME~1\Slobodan\LOCALS~1\Temp\Rar$EX07.984\HiJackThis_v2.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=10.10.3.242:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CorelDRAW Graphics Suite 11b] C:\Program Files\Corel\Corel Graphics 12\Languages\EN\Programs\Registration.exe /title="CorelDRAW Graphics Suite 12" /date=021008 serial=DR12WEX-1504397-KTY lang=EN
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Vypress Chat StartUp.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{FE3E502B-C617-4A24-8B00-D5B9ED53DD1A}: NameServer = 10.10.3.241
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: mental ray 3.5 Satellite (32-bit) (mi-raysat_3dsmax9_32) - Unknown owner - C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 4668 bytes

A evo i combofix log-fajl, napisao si tri log fajla ali ja nisam uspeo da protumacim koji je treci.

ComboFix 08-02.05.3 - Slobodan 2008-02-06 0:22:02.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.259 [GMT 1:00]
Running from: C:\Documents and Settings\Slobodan\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Slobodan\Desktop\CFScript.txt
* Created a new restore point

[color=red]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/color]

FILE
C:\d.com
C:\h.cmd
C:\kmd.exe
C:\m1t8ta.com
C:\xn1i9x.com
C:\xo8wr9.exe
C:\ylr.exe
D:\Autorun.inf
D:\semo2x.exe
D:\u.bat
E:\Autorun.inf
E:\semo2x.exe
E:\u.bat
F:\Autorun.inf
F:\semo2x.exe
F:\u.bat
.

((((((((((((((((((((((((( Files Created from 2008-01-05 to 2008-02-05 )))))))))))))))))))))))))))))))
.

2008-02-05 18:45 . 2008-02-05 18:45 <DIR> d-------- C:\Program Files\Kaspersky Lab
2008-02-05 18:45 . 2008-02-05 19:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-02-05 18:45 . 2008-02-06 00:28 948,000 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-02-05 18:45 . 2008-02-05 19:40 91,700 --a------ C:\WINDOWS\system32\drivers\klin.dat
2008-02-05 18:45 . 2008-02-05 19:40 85,860 --a------ C:\WINDOWS\system32\drivers\klick.dat
2008-02-05 18:45 . 2008-02-06 00:27 12,832 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-02-05 18:45 . 2008-02-05 19:40 11,924 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-02-05 18:45 . 2008-02-05 19:40 2,744 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2008-02-05 12:42 . 2008-02-05 12:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2008-02-04 21:46 . 2008-02-05 18:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-01-30 16:35 . 2008-01-30 16:35 72,838 --a------ C:\WINDOWS\FontData.fdb
2008-01-28 00:49 . 2008-01-28 00:49 <DIR> d---s---- C:\Documents and Settings\Slobodan\UserData
2008-01-26 22:19 . 2008-01-26 22:19 <DIR> d-------- C:\Documents and Settings\Slobodan\Application Data\Corel
2008-01-26 22:16 . 2008-01-26 22:16 <DIR> d-------- C:\Program Files\Common Files\Corel
2008-01-26 22:15 . 2008-01-26 22:15 <DIR> d-------- C:\Program Files\Corel
2008-01-25 00:30 . 2005-05-26 15:34 2,297,552 --a------ C:\WINDOWS\system32\d3dx9_26.dll
2008-01-25 00:02 . 2008-01-25 00:09 <DIR> d-------- C:\Program Files\3dmax
2008-01-24 23:12 . 2008-01-25 00:02 <DIR> d-------- C:\Program Files\backburner 2
2008-01-10 12:08 . 2001-07-06 13:41 569,344 --a------ C:\WINDOWS\system32\imagr5.dll
2008-01-10 12:08 . 2001-07-06 11:44 544,768 --a------ C:\WINDOWS\system32\imagx5.dll
2008-01-10 12:08 . 2001-07-06 17:24 283,920 --a------ C:\WINDOWS\system32\ImagXpr5.dll
2008-01-10 12:08 . 2001-07-09 10:50 155,648 --a------ C:\WINDOWS\system32\NeroCheck.exe
2008-01-10 12:08 . 2004-03-03 20:30 125,184 --a------ C:\WINDOWS\system32\drivers\imagesrv.sys
2008-01-10 12:08 . 2000-06-26 10:45 106,496 --a------ C:\WINDOWS\system32\TwnLib20.dll
2008-01-10 12:08 . 2001-06-26 07:15 38,912 --a------ C:\WINDOWS\system32\picn20.dll
2008-01-10 12:08 . 2004-03-03 20:30 5,504 --a------ C:\WINDOWS\system32\drivers\imagedrv.sys
2008-01-10 10:53 . 2008-01-10 10:53 <DIR> d-------- C:\Documents and Settings\Slobodan\Application Data\Ahead
2008-01-10 10:52 . 2008-01-10 12:08 <DIR> d-------- C:\Program Files\Common Files\Ahead
2008-01-10 04:54 . 2008-02-06 00:17 221,278 --a------ C:\acadminidump.dmp
2008-01-09 23:52 . 2008-01-26 22:18 69 --a------ C:\WINDOWS\NeroDigital.ini
2008-01-08 00:18 . 2008-01-08 00:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\NVIDIA

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-05 18:40 5,767,168 ---ha-w C:\Documents and Settings\Slobodan\NTUSER.DAT
2008-02-04 20:36 --------- d-----w C:\Program Files\Yahoo!
2008-01-30 16:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-01-27 20:01 103,781 ----a-w C:\WINDOWS\system32\help.exe.tmp
2008-01-26 21:16 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-26 21:16 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-01-24 23:27 --------- d-----w C:\Program Files\Common Files\Autodesk Shared
2008-01-24 23:25 --------- d-----w C:\Program Files\Autodesk
2008-01-24 23:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\Autodesk
2008-01-20 16:27 --------- d-----w C:\Program Files\Yu recnik
2008-01-10 11:08 --------- d-----w C:\Program Files\Ahead
2008-01-08 20:48 --------- d-----w C:\Documents and Settings\Slobodan\Application Data\Autodesk
2008-01-02 22:12 --------- d-----w C:\Program Files\Valve
2007-12-23 19:05 --------- d-----w C:\Program Files\FastStone Image Viewer
2007-12-22 16:02 10,368 ----a-w C:\WINDOWS\system32\drivers\pfc.sys
2007-12-22 16:02 --------- d-----w C:\Program Files\Common Files\ACD Systems
2007-12-22 16:02 --------- d-----w C:\Program Files\ACD Systems
2007-12-22 16:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\ACD Systems
2007-12-18 19:38 --------- d-----w C:\Program Files\Don't Get Angry 2
2007-12-18 19:22 --------- d-----w C:\Program Files\Common Files\SWF Studio
2007-12-18 11:03 --------- d-----w C:\Program Files\Google
2007-12-16 20:37 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2007-12-16 19:47 --------- d-----w C:\Program Files\acdsee 9.0
2007-12-16 19:47 --------- d-----w C:\Documents and Settings\Slobodan\Application Data\ACD Systems
2007-12-15 19:58 --------- d-----w C:\Program Files\GetData
2007-12-15 19:36 --------- d-----w C:\Program Files\Alcohol Soft
2007-12-15 19:30 --------- d-----w C:\Program Files\TuneUp Utilities 2007
2007-12-15 19:30 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-12-15 19:30 --------- d-----w C:\Documents and Settings\Slobodan\Application Data\TuneUp Software
2007-12-15 19:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\TuneUp Software
2007-12-15 19:21 --------- d-----w C:\Program Files\MSBuild
2007-12-15 19:21 --------- d-----w C:\Program Files\Microsoft Works
2007-12-15 19:20 --------- d-----w C:\Program Files\Microsoft.NET
2007-12-15 19:18 --------- d-----w C:\Program Files\Microsoft Visual Studio 8
2007-12-15 19:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\FLEXnet
2007-12-15 19:12 --------- d-----w C:\Program Files\Common Files\Adobe
2007-12-15 19:12 --------- d-----w C:\Program Files\Bonjour
2007-12-15 19:05 --------- d-----w C:\Program Files\Common Files\Macrovision Shared
2007-12-15 19:03 --------- d-----w C:\Program Files\LAN Search Pro
2007-12-15 18:58 --------- d-----w C:\Program Files\AutoCAD 2008
2007-12-15 18:46 --------- d-----w C:\Program Files\Vypress Chat
2007-12-15 18:45 --------- d-----w C:\Documents and Settings\Slobodan\Application Data\VyPRESS
2007-12-15 18:33 --------- d-----w C:\Program Files\Winamp
2007-12-15 18:32 --------- d-----w C:\Documents and Settings\Slobodan\Application Data\BSplayer Pro
2007-12-15 18:31 --------- d-----w C:\Program Files\Webteh
2007-12-15 18:31 --------- d-----w C:\Documents and Settings\Slobodan\Application Data\Media Player Classic
2007-12-15 18:30 --------- d-----w C:\Program Files\K-Lite Codec Pack
2007-12-15 18:22 --------- d-----w C:\Program Files\Realtek
2007-12-15 18:12 --------- d-----w C:\Program Files\microsoft frontpage
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="NvMCTray.dll" [2006-06-01 10:22 86016 C:\WINDOWS\system32\nvmctray.dll]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 00:47 31016]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-06-01 10:22 7618560]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"CorelDRAW Graphics Suite 11b"="C:\Program Files\Corel\Corel Graphics 12\Languages\EN\Programs\Registration.exe" [2003-11-25 13:39 729088]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe" [2007-06-28 12:51 218376]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Vypress Chat StartUp.lnk - C:\WINDOWS\Installer\{A1E1619F-036F-4176-8563-AA9E570113F0}\iconVCAdvertised.exe [2007-12-15 19:45:52 12390]

R2 UxTuneUp;TuneUp Design Expansion;C:\WINDOWS\System32\svchost.exe [2004-08-03 23:56]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2007-04-04 14:58]
S3 SetupNTGLM7X;SetupNTGLM7X;G:\NTGLM7X.sys []

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{70c5882f-b39d-11dc-b77b-001617bcc494}]
\Shell\AutoRun\command - J:\xn1i9x.com
\Shell\explore\Command - J:\xn1i9x.com
\Shell\open\Command - J:\xn1i9x.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{79a7558d-b52d-11dc-b77d-001617bcc494}]
\Shell\AutoRun\command - I:\xo8wr9.exe
\Shell\explore\Command - I:\xo8wr9.exe
\Shell\open\Command - I:\xo8wr9.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ef42ac40-cb4f-11dc-b794-001617bcc494}]
\Shell\AutoRun\command - I:\ntde1ect.com
\Shell\explore\Command - I:\ntde1ect.com
\Shell\open\Command - I:\ntde1ect.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fff7d752-b5fa-11dc-b77e-001617bcc494}]
\Shell\AutoRun\command - I:\xfoolavp.com
\Shell\explore\Command - I:\xfoolavp.com
\Shell\open\Command - I:\xfoolavp.com

.
Contents of the 'Scheduled Tasks' folder
"2008-02-01 16:32:44 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2007\SystemOptimizer.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-06 00:28:01
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-06 0:28:48
ComboFix-quarantined-files.txt 2008-02-05 23:28:37


_{[Ovu poruku je menjao bobito dana 06.02.2008. u 01:03 GMT+1]}

Meni ovo sumnjivo osim ako ne koristis neki proxy... Ako ne koristis brisi u HiJackThis!.

Sad napravi notepad file koji ces naravno sacuvati kao "CFScript.txt" i prevuci na Combofix. Ono sto ces kopirati na taj .txt fajl je sledece:



i naravno pustiti da obrise ove unose u registry...

Sto se tice 3. loga (isto Kaspersky samo "Online Scanner") sad nije bitno jer vidim da je tvoj Kasperski najverovatnije dobro obavio posao

Sad sve sto treba je da okacis jos jedan najnoviji Combofix log i mislim da ce posle toga biti sve u redu.

{edit}

Svaki od onih registry kljuceva koji su kodirani kopiraj tako da budu u jednom redu ako me razumes. Kao sto je bio i onaj predjasnji za fajlove... znaci jedan kljuc jedan red u notepadu... Ovde su mi totalno pobenaveli

{edit2}

Evo napravio sam ja. Samo skini attachment i prevuci u Combofix, a kad se sve zavrsi okaci najnoviji log da vidim da li je jos nesto ostalo.


_{[Ovu poruku je menjao Binary Mind dana 06.02.2008. u 01:48 GMT+1]}

Koristim proxy to nije problem, a izgleda da ih vise i nema. Evo najnoviji nadam se poslednji combofix log-fajl. Uzivaj

ComboFix 08-02.05.3 - Ljiljana 2008-02-06 1:37:22.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.224 [GMT 1:00]
Running from: C:\Documents and Settings\Slobodan\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Slobodan\Desktop\CFScript.txt.txt
* Created a new restore point

[color=red]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/color]
.

((((((((((((((((((((((((( Files Created from 2008-01-06 to 2008-02-06 )))))))))))))))))))))))))))))))
.

2008-02-05 18:45 . 2008-02-05 18:45 <DIR> d-------- C:\Program Files\Kaspersky Lab
2008-02-05 18:45 . 2008-02-05 19:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-02-05 18:45 . 2008-02-06 01:40 1,123,616 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-02-05 18:45 . 2008-02-05 19:40 91,700 --a------ C:\WINDOWS\system32\drivers\klin.dat
2008-02-05 18:45 . 2008-02-05 19:40 85,860 --a------ C:\WINDOWS\system32\drivers\klick.dat
2008-02-05 18:45 . 2008-02-06 01:39 18,208 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-02-05 18:45 . 2008-02-05 19:40 11,924 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-02-05 18:45 . 2008-02-05 19:40 2,744 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2008-02-05 12:42 . 2008-02-05 12:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2008-02-04 21:46 . 2008-02-05 18:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-01-30 16:35 . 2008-01-30 16:35 72,838 --a------ C:\WINDOWS\FontData.fdb
2008-01-28 00:49 . 2008-01-28 00:49 <DIR> d---s---- C:\Documents and Settings\Slobodan\UserData
2008-01-26 22:19 . 2008-01-26 22:19 <DIR> d-------- C:\Documents and Settings\Slobodan\Application Data\Corel
2008-01-26 22:16 . 2008-01-26 22:16 <DIR> d-------- C:\Program Files\Common Files\Corel
2008-01-26 22:15 . 2008-01-26 22:15 <DIR> d-------- C:\Program Files\Corel
2008-01-25 00:30 . 2005-05-26 15:34 2,297,552 --a------ C:\WINDOWS\system32\d3dx9_26.dll
2008-01-25 00:02 . 2008-01-25 00:09 <DIR> d-------- C:\Program Files\3dmax
2008-01-24 23:12 . 2008-01-25 00:02 <DIR> d-------- C:\Program Files\backburner 2
2008-01-10 12:08 . 2001-07-06 13:41 569,344 --a------ C:\WINDOWS\system32\imagr5.dll
2008-01-10 12:08 . 2001-07-06 11:44 544,768 --a------ C:\WINDOWS\system32\imagx5.dll
2008-01-10 12:08 . 2001-07-06 17:24 283,920 --a------ C:\WINDOWS\system32\ImagXpr5.dll
2008-01-10 12:08 . 2001-07-09 10:50 155,648 --a------ C:\WINDOWS\system32\NeroCheck.exe
2008-01-10 12:08 . 2004-03-03 20:30 125,184 --a------ C:\WINDOWS\system32\drivers\imagesrv.sys
2008-01-10 12:08 . 2000-06-26 10:45 106,496 --a------ C:\WINDOWS\system32\TwnLib20.dll
2008-01-10 12:08 . 2001-06-26 07:15 38,912 --a------ C:\WINDOWS\system32\picn20.dll
2008-01-10 12:08 . 2004-03-03 20:30 5,504 --a------ C:\WINDOWS\system32\drivers\imagedrv.sys
2008-01-10 10:53 . 2008-01-10 10:53 <DIR> d-------- C:\Documents and Settings\Slobodan\Application Data\Ahead
2008-01-10 10:52 . 2008-01-10 12:08 <DIR> d-------- C:\Program Files\Common Files\Ahead
2008-01-10 04:54 . 2008-02-06 00:17 221,278 --a------ C:\acadminidump.dmp
2008-01-09 23:52 . 2008-01-26 22:18 69 --a------ C:\WINDOWS\NeroDigital.ini
2008-01-08 00:18 . 2008-01-08 00:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\NVIDIA

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-05 18:40 5,767,168 ---ha-w C:\Documents and Settings\Slobodan\NTUSER.DAT
2008-02-04 20:36 --------- d-----w C:\Program Files\Yahoo!
2008-01-30 16:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-01-27 20:01 103,781 ----a-w C:\WINDOWS\system32\help.exe.tmp
2008-01-26 21:16 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-26 21:16 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-01-24 23:27 --------- d-----w C:\Program Files\Common Files\Autodesk Shared
2008-01-24 23:25 --------- d-----w C:\Program Files\Autodesk
2008-01-24 23:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\Autodesk
2008-01-20 16:27 --------- d-----w C:\Program Files\Yu recnik
2008-01-10 11:08 --------- d-----w C:\Program Files\Ahead
2008-01-08 20:48 --------- d-----w C:\Documents and Settings\Slobodan\Application Data\Autodesk
2008-01-02 22:12 --------- d-----w C:\Program Files\Valve
2007-12-23 19:05 --------- d-----w C:\Program Files\FastStone Image Viewer
2007-12-22 16:02 10,368 ----a-w C:\WINDOWS\system32\drivers\pfc.sys
2007-12-22 16:02 --------- d-----w C:\Program Files\Common Files\ACD Systems
2007-12-22 16:02 --------- d-----w C:\Program Files\ACD Systems
2007-12-22 16:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\ACD Systems
2007-12-18 19:38 --------- d-----w C:\Program Files\Don't Get Angry 2
2007-12-18 19:22 --------- d-----w C:\Program Files\Common Files\SWF Studio
2007-12-18 11:03 --------- d-----w C:\Program Files\Google
2007-12-16 20:37 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2007-12-16 19:47 --------- d-----w C:\Program Files\acdsee 9.0
2007-12-16 19:47 --------- d-----w C:\Documents and Settings\Slobodan\Application Data\ACD Systems
2007-12-15 19:58 --------- d-----w C:\Program Files\GetData
2007-12-15 19:36 --------- d-----w C:\Program Files\Alcohol Soft
2007-12-15 19:30 --------- d-----w C:\Program Files\TuneUp Utilities 2007
2007-12-15 19:30 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-12-15 19:30 --------- d-----w C:\Documents and Settings\Slobodan\Application Data\TuneUp Software
2007-12-15 19:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\TuneUp Software
2007-12-15 19:21 --------- d-----w C:\Program Files\MSBuild
2007-12-15 19:21 --------- d-----w C:\Program Files\Microsoft Works
2007-12-15 19:20 --------- d-----w C:\Program Files\Microsoft.NET
2007-12-15 19:18 --------- d-----w C:\Program Files\Microsoft Visual Studio 8
2007-12-15 19:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\FLEXnet
2007-12-15 19:12 --------- d-----w C:\Program Files\Common Files\Adobe
2007-12-15 19:12 --------- d-----w C:\Program Files\Bonjour
2007-12-15 19:05 --------- d-----w C:\Program Files\Common Files\Macrovision Shared
2007-12-15 19:03 --------- d-----w C:\Program Files\LAN Search Pro
2007-12-15 18:58 --------- d-----w C:\Program Files\AutoCAD 2008
2007-12-15 18:46 --------- d-----w C:\Program Files\Vypress Chat
2007-12-15 18:45 --------- d-----w C:\Documents and Settings\Slobodan\Application Data\VyPRESS
2007-12-15 18:33 --------- d-----w C:\Program Files\Winamp
2007-12-15 18:32 --------- d-----w C:\Documents and Settings\Slobodan\Application Data\BSplayer Pro
2007-12-15 18:31 --------- d-----w C:\Program Files\Webteh
2007-12-15 18:31 --------- d-----w C:\Documents and Settings\Slobodan\Application Data\Media Player Classic
2007-12-15 18:30 --------- d-----w C:\Program Files\K-Lite Codec Pack
2007-12-15 18:22 --------- d-----w C:\Program Files\Realtek
2007-12-15 18:12 --------- d-----w C:\Program Files\microsoft frontpage
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="NvMCTray.dll" [2006-06-01 10:22 86016 C:\WINDOWS\system32\nvmctray.dll]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 00:47 31016]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-06-01 10:22 7618560]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"CorelDRAW Graphics Suite 11b"="C:\Program Files\Corel\Corel Graphics 12\Languages\EN\Programs\Registration.exe" [2003-11-25 13:39 729088]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe" [2007-06-28 12:51 218376]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Vypress Chat StartUp.lnk - C:\WINDOWS\Installer\{A1E1619F-036F-4176-8563-AA9E570113F0}\iconVCAdvertised.exe [2007-12-15 19:45:52 12390]

R2 UxTuneUp;TuneUp Design Expansion;C:\WINDOWS\System32\svchost.exe [2004-08-03 23:56]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2007-04-04 14:58]
S3 SetupNTGLM7X;SetupNTGLM7X;G:\NTGLM7X.sys []

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

.
Contents of the 'Scheduled Tasks' folder
"2008-02-01 16:32:44 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2007\SystemOptimizer.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-06 01:39:58
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-06 1:40:38
ComboFix-quarantined-files.txt 2008-02-06 00:40:34

Cist si k'o suza Sad mozes slobodno da ukljucis System restore ako si ga slucajno iskljucio...

Poz.

Posto sam cini mi se resio ove probleme oko ovih sranja, da li mozes da mi pojasnis ovo oko combofix-a. Naime donekle mi je dosta jasno sta sam radio, ali mi reci sta je ovo zadnje sto sam kopirao, i kako u log fajlu prepoznajes sta nije dobro. Skapirao sam da combfix moze da sluzi kao antivirus koji sam update-ujes txt. fajlom na osnovu log fajla, a on onda skenira i trazi to sto si u txt fajlu ubacio. Da li sam u pravu?

I ako mozes da mi kazes koliko je opasno pokretati ga na racunaru, da li moze izazvati neki kvar ili slicno.

Izvini sto te sad maltretiram ovim pitanjima.

Vecno zahvalan-Bobito#21

Ukratko mocan je alat u rukama onog ko zna sta radi, a moze da zezne sistem ako ga koristi onaj koji nije iskusan virusolovac Ajd' citamo se neki drugi put. Moram na spavanje

Iz log-a iskusniji user-i ovde mogu da vide sta valja a sta ne valja i sta treba brisati a sta ne... Kad prebacis log preko njega on trayi i brise to sto si stavio u fajl.

To sam i mislio, samo je pitanje kako postati iskusni korisnik combofix-a, dosta ljudi ga koristi a ima malo zvanicnih stranica na netu.

Prva stepenica je da poznajes OS koji cistis (prepoznavanje onoga sto treba da bude tu i onoga sto ne treba) jer ako obrises nesto sto ne treba da obrises mozes slobodno da popravljas ili reinstaliras Windows :) Potrebno je iskustvo u prepoznavanju onoga sto treba da se ocisti a za to je najbitnije dosta prakse u cistcenju racunara od malware-a. Naravno potrebno je i da te to interesuje...

Ja sam ovaj problem imao na više računara i riješio sam ga na sledeći način:

1) Instalirati i update-ovati program AntiVir PE Classic, besplatan je.
2) Skenirati sistem, on će maći sve spyware iz sistema.
3) Pomoću CMD-a obrisati fajlove Autorun.inf i xo8wr9.exe sa SVIH particija u sistemu.
Komande su: E:\>del /A:R autorun.inf
E:\>del /A:R xo8wr9.exe

4) Isključitu AutoRun opciju na svim drajvovima:
Start > Run (kucajte gpedit.msc) i lupite enter.
Otvorite: computer configuration > administrative templates > system
Desno imate stavku: Turn off autoplay, desni klik > properties > enabled

5) I osposobiti opciju da možete vidjeti Hidden Object na sistemu:

U registry-u:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL

Ključ REG_DWORD mora imati decimalnu vrijednost 1.





<sub>[Ovu poruku je menjao suadhm dana 07.02.2008. u 12:19 GMT+1]

[Ovu poruku je menjao suadhm dana 07.02.2008. u 12:20 GMT+1]</sub>