Virtumonde


RPTDOC
2008-04-26, 08:42
I am sure all of you are getting tired of fixing this problem. I am a noob at this, so here we go.
I do know that I have Virtumonde. I ran VundoFix and it found nothing.
Here is a ComboFix log, if this helps.

C:\WINDOWS\system32\hgOVyyay.ini
C:\WINDOWS\system32\hgOVyyay.ini2
C:\WINDOWS\system32\Jmnmonpo.ini
C:\WINDOWS\system32\Jmnmonpo.ini2
C:\WINDOWS\system32\lrhqyqcr.ini
C:\WINDOWS\system32\nnnliiIX.dll
C:\WINDOWS\system32\opnNFUoP.dll
C:\WINDOWS\system32\opnomnmJ.dll
C:\WINDOWS\system32\rcqyqhrl.dll
C:\WINDOWS\system32\rqRIaXNE.dll
C:\WINDOWS\system32\ssqRhGaA.dll
C:\WINDOWS\system32\tuvTnMGW.dll
C:\WINDOWS\system32\vhqvqxvn.ini
C:\WINDOWS\system32\xxywTKBS.dll
C:\WINDOWS\system32\yaywwXon.dll

.
((((((((((((((((((((((((( Files Created from 2008-03-26 to 2008-04-26 )))))))))))))))))))))))))))))))
.

2008-04-26 01:50 . 2008-04-26 01:50 1,024 --ah----- C:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG
2008-04-26 01:10 . 2008-04-26 01:10 <DIR> d-------- C:\VundoFix Backups
2008-04-26 01:08 . 2008-04-26 01:08 0 --a------ C:\hpfr3420.xml
2008-04-26 00:43 . 2008-04-26 00:43 107,072 --a------ C:\WINDOWS\system32\nuvdnwqb.dll_old
2008-04-25 20:14 . 2008-04-25 20:14 96,320 --a------ C:\WINDOWS\system32\nvxqvqhv.dll_old
2008-04-25 19:54 . 2008-04-25 19:54 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-04-25 12:10 . 2008-04-25 16:57 1,505,395 --ahs---- C:\WINDOWS\system32\rhujfhoh.ini
2008-04-25 12:04 . 2008-04-25 12:04 109,734 --a------ C:\WINDOWS\BM076dc359.xml
2008-04-24 22:15 . 2008-04-24 22:15 <DIR> d-------- C:\WINDOWS\InCD
2008-04-24 22:15 . 2008-04-24 22:15 <DIR> d-------- C:\Program Files\Common Files\Ahead
2008-04-24 22:15 . 2003-09-10 05:06 1,269,760 --------- C:\WINDOWS\NuNinst.exe
2008-04-24 22:15 . 2003-09-10 05:12 1,167,360 --------- C:\WINDOWS\UNNMP.exe
2008-04-24 22:15 . 2003-09-10 05:06 87,040 --a------ C:\WINDOWS\system32\drivers\incdfs.sys
2008-04-24 22:15 . 2003-09-10 05:12 49,533 --------- C:\WINDOWS\UNNMP.cfg
2008-04-24 22:15 . 2003-09-10 05:06 46,451 --------- C:\WINDOWS\NuNinst.cfg
2008-04-24 22:15 . 2003-09-10 05:06 28,464 --a------ C:\WINDOWS\system32\drivers\incdpass.sys
2008-04-24 22:15 . 2003-09-10 05:06 5,264 --a------ C:\WINDOWS\system32\drivers\incdrec.sys
2008-04-24 22:14 . 2003-09-10 05:05 1,204,224 --------- C:\WINDOWS\UNMRW.exe
2008-04-24 22:14 . 2003-09-10 05:05 29,426 --------- C:\WINDOWS\UNMRW.cfg
2008-04-24 22:14 . 2003-09-10 05:05 22,848 --a------ C:\WINDOWS\system32\drivers\incdrm.sys
2008-04-24 22:04 . 2008-04-24 22:05 769,536 --a------ C:\Documents and Settings\Robert\Application Data\sfdnwin.dll
2008-04-24 22:01 . 2008-04-24 22:10 468 --a------ C:\Documents and Settings\Robert\Application Data\SamsungLiveUpdateConfig.ini
2008-04-24 21:57 . 2008-04-24 21:57 <DIR> d-------- C:\Program Files\SAMSUNG
2008-04-24 21:57 . 2008-04-26 01:03 499 --a------ C:\WINDOWS\wininit.ini
2008-04-24 21:06 . 2008-04-24 21:17 37,376 --a------ C:\WINDOWS\17PHolmes922.exe
2008-04-22 20:38 . 2008-04-22 20:38 319 --a------ C:\WINDOWS\game.ini
2008-04-22 20:24 . 2008-04-22 20:24 <DIR> d-------- C:\Program Files\Activision
2008-04-18 00:39 . 2008-04-18 00:39 <DIR> d-------- C:\Program Files\Common Files\Adobe AIR
2008-04-18 00:39 . 2008-04-18 00:39 <DIR> d-------- C:\Program Files\Adobe Media Player
2008-04-09 21:29 . 2008-04-09 21:29 <DIR> d-------- C:\Program Files\UPSMON
2008-04-09 21:29 . 2008-04-09 21:29 796,672 --a------ C:\WINDOWS\GPInstall.exe
2008-04-06 21:09 . 2008-04-06 22:14 <DIR> d-------- C:\Documents and Settings\Robert\old harddrive
2008-04-05 00:54 . 2008-04-05 17:26 <DIR> d-------- C:\WINDOWS\.jagex_cache_32
2008-03-29 01:11 . 2008-04-05 12:19 <DIR> d-------- C:\Documents and Settings\Robert\Application Data\Command and Conquer 3 Tiberium Wars
2008-03-29 01:09 . 2008-03-29 01:09 <DIR> dr-h----- C:\Documents and Settings\Robert\Application Data\SecuROM
2008-03-29 01:09 . 2008-04-01 23:39 107,888 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2008-03-29 00:46 . 2008-03-29 00:46 <DIR> d-------- C:\ProgramData
2008-03-28 23:46 . 2008-04-05 21:55 <DIR> d-------- C:\Program Files\Electronic Arts
2008-03-28 15:22 . 2008-03-28 15:23 <DIR> d-------- C:\Program Files\viewsonic
2008-03-28 15:22 . 2008-03-28 15:22 <DIR> d-------- C:\Documents and Settings\Robert\WINDOWS
2008-03-28 15:22 . 2008-03-28 15:22 <DIR> d-------- C:\Documents and Settings\Robert\Application Data\Leadertech
2008-03-28 15:21 . 2008-03-28 15:23 102 --a------ C:\WINDOWS\VSWizard.ini
2008-03-27 20:50 . 2008-03-27 20:50 <DIR> d-------- C:\Documents and Settings\Robert\Application Data\Motive
2008-03-27 20:48 . 2008-03-27 20:48 <DIR> d-------- C:\Program Files\Verizon
2008-03-27 20:48 . 2008-03-27 20:48 <DIR> d-------- C:\Program Files\Common Files\Motive
2008-03-27 18:14 . 2008-04-13 17:31 <DIR> d-------- C:\Documents and Settings\Robert\Application Data\GSC
2008-03-27 18:13 . 2008-03-27 18:13 <DIR> d-------- C:\Program Files\GSC
2008-03-26 00:43 . 2008-03-26 01:09 <DIR> d-------- C:\Program Files\SpeedFan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-26 04:42 --------- d-----w C:\Documents and Settings\Robert\Application Data\BitTorrent
2008-04-26 00:27 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-04-26 00:04 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-25 02:29 --------- d-----w C:\Documents and Settings\Robert\Application Data\DNA
2008-04-25 02:16 --------- d-----w C:\Program Files\Ahead
2008-04-25 01:57 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-24 00:17 --------- d-----w C:\Program Files\Network Print Monitor
2008-04-23 04:42 --------- d-----w C:\Program Files\PunkBuster
2008-04-23 00:38 22,328 ----a-w C:\Documents and Settings\Robert\Application Data\PnkBstrK.sys
2008-04-18 04:34 --------- d-----w C:\Program Files\Common Files\Adobe
2008-04-01 01:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\nView_Profiles
2008-03-29 04:17 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-03-25 01:42 --------- d-----w C:\Program Files\SystemRequirementsLab
2008-03-23 03:59 --------- d-----w C:\Program Files\DNA
2008-03-23 03:59 --------- d-----w C:\Program Files\BitTorrent
2008-03-23 03:24 --------- d-----w C:\Documents and Settings\Robert\Application Data\Skyline
2008-03-22 05:33 --------- d-----w C:\Program Files\Skyline
2008-03-22 05:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\Skyline
2008-03-18 01:37 --------- d-----w C:\Documents and Settings\Robert\Application Data\CyberLink
2008-03-18 01:36 --------- d-----w C:\Program Files\CyberLink
2008-03-18 01:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\CyberLink
2008-03-18 01:08 --------- d-----w C:\Program Files\Photodex Presenter
2008-03-18 01:08 --------- d-----w C:\Program Files\Photodex
2008-03-18 01:08 --------- d-----w C:\Documents and Settings\Robert\Application Data\Netscape
2008-03-18 01:07 --------- d-----w C:\Documents and Settings\Robert\Application Data\Photodex
2008-03-15 22:29 --------- d-----w C:\Program Files\NVIDIA nTune Performance Application
2008-03-15 22:29 --------- d-----w C:\Program Files\NVIDIA Corporation
2008-03-15 22:29 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-03-15 22:20 215,144 ----a-w C:\WINDOWS\patchw32.dll
2008-03-15 22:02 --------- d-----w C:\Program Files\AGEIA Technologies
2008-03-15 21:41 --------- d-----w C:\Program Files\THQ
2008-03-10 08:10 4,224 ----a-w C:\WINDOWS\system32\drivers\NVStrap.sys
2008-03-07 05:43 --------- d-----w C:\Program Files\Java
2008-03-07 05:42 --------- d-----w C:\Program Files\Common Files\Java
2008-03-07 05:36 --------- d-----w C:\Program Files\ModernRcon
2008-03-05 18:53 --------- d-----w C:\Program Files\WIDCOMM
2008-03-03 03:37 --------- d-----w C:\Documents and Settings\Robert\Application Data\TomTom
2008-03-03 03:36 --------- d-----w C:\Program Files\TomTom HOME 2
2008-03-03 03:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\TomTom
2008-03-01 22:16 --------- d-----w C:\Program Files\Teamspeak2_RC2
2008-03-01 22:08 --------- d-----w C:\Documents and Settings\Robert\Application Data\teamspeak2
2008-03-01 03:55 --------- d-----w C:\Program Files\Google
2008-03-01 03:27 --------- d-----w C:\Program Files\McAfee.com
2008-03-01 03:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee.com
2008-02-29 02:05 --------- d-----w C:\Program Files\Hewlett-Packard
2008-02-29 01:39 --------- d-----w C:\Program Files\Hp
2008-02-28 23:25 --------- d-----w C:\Program Files\Microsoft Works
2008-02-28 23:25 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-02-28 23:25 --------- d-----w C:\Program Files\Common Files\L&H
2008-02-28 23:24 --------- d-----w C:\Program Files\Microsoft.NET
2008-02-28 04:40 105,168 ----a-w C:\WINDOWS\NSUninst.exe
2008-02-28 04:40 105,168 ----a-w C:\WINDOWS\GREUninstall.exe
2008-02-28 04:40 --------- d-----w C:\Program Files\Netscape
2008-02-28 04:40 --------- d-----w C:\Program Files\Common Files\mozilla.org
2008-02-28 03:15 --------- d-----w C:\Documents and Settings\Robert\Application Data\Hewlett-Packard
2008-02-28 02:54 --------- d-----w C:\Program Files\Common Files\Hewlett-Packard
2008-02-27 00:08 --------- d-----w C:\Program Files\Microsoft IntelliPoint
2008-02-26 04:37 --------- d-----w C:\Program Files\Java Web Start
2008-02-26 04:20 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-02-26 04:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-26 04:08 --------- d-----w C:\Documents and Settings\All Users\Application Data\Motive
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 02:41 8523776]
"MCUpdateExe"="C:\PROGRA~1\mcafee.com\agent\mcupdate.exe" [2006-01-11 13:05 212992]
"MCAgentExe"="c:\PROGRA~1\mcafee.com\agent\McAgent.exe" [2005-09-22 19:29 303104]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\point32.exe" [2004-06-03 02:50 204800]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-12-05 01:41 81920]
"nwiz"="nwiz.exe" [2007-12-05 01:41 1626112 C:\WINDOWS\system32\nwiz.exe]
"BM076dc359"="C:\WINDOWS\system32\gfgqafnw.dll" [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rqRIaXNE]
rqRIaXNE.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth.lnk]
backup=C:\WINDOWS\pss\Bluetooth.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp psc 1000 series.lnk]
backup=C:\WINDOWS\pss\hp psc 1000 series.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hpoddt01.exe.lnk]
backup=C:\WINDOWS\pss\hpoddt01.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Robert^Start Menu^Programs^Startup^PowerReg Scheduler.exe]
backup=C:\WINDOWS\pss\PowerReg Scheduler.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 22:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent DNA]
--a------ 2008-04-24 00:15 288576 C:\Program Files\DNA\btdna.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper]
--a------ 2006-12-12 11:46 19456 C:\WINDOWS\system32\CtHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTxfiHlp]
--a------ 2006-05-24 00:20 18944 C:\WINDOWS\system32\Ctxfihlp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CtxfiReg]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
--------- 2003-09-10 05:06 1208380 C:\Program Files\Ahead\InCD\InCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe]
--a------ 2005-09-22 19:29 303104 c:\PROGRA~1\mcafee.com\agent\mcagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]
--a------ 2006-01-11 13:05 212992 c:\PROGRA~1\mcafee.com\agent\mcupdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Name of App]
--a------ 2008-01-04 17:33 684118 C:\Program Files\SAMSUNG\FW LiveUpdate\FWManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
--a------ 2003-09-10 05:07 155648 C:\WINDOWS\system32\\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2007-12-05 02:41 8523776 C:\WINDOWS\system32\NvCpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVIDIA nTune]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2007-12-05 01:41 81920 C:\WINDOWS\system32\NvMcTray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVRaidService]
--a------ 2004-06-11 12:15 83968 C:\WINDOWS\system32\nvraidservice.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2007-12-05 01:41 1626112 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OASClnt]
--a------ 2005-07-01 21:42 49152 C:\Program Files\McAfee.com\VSO\oasclnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegistryMechanic]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--------- 2003-10-31 19:42 32768 C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-02-22 05:25 144784 C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TomTomHOME.exe]
--a--c--- 2008-02-18 06:58 206184 C:\Program Files\TomTom HOME 2\HOMERunner.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UPSMON]
--------- 2005-03-30 16:13 429568 C:\Program Files\UPSMON\UPSMON.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Verizon_McciTrayApp]
--a------ 2007-03-11 17:37 936960 C:\Program Files\Verizon\McciTrayApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirusScan Online]
--a------ 2005-07-01 21:42 163840 C:\Program Files\McAfee.com\VSO\mcvsshld.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VSOCheckTask]
--a------ 2005-07-08 19:18 151552 C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\WINDOWS\\system32\\PnkBstrA.exe"=
"C:\\WINDOWS\\system32\\PnkBstrB.exe"=
"C:\\Program Files\\THQ\\Frontlines-Fuel of War\\Binaries\\FFOW.exe"=
"C:\\Program Files\\DNA\\btdna.exe"=
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=
"C:\\Program Files\\Electronic Arts\\Battlefield 2142\\BF2142.exe"=
"C:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=

R3 ha20x2k;Creative 20X HAL Driver;C:\WINDOWS\system32\drivers\ha20x2k.sys [2006-05-23 23:40]

.
Contents of the 'Scheduled Tasks' folder
"2008-04-26 05:13:00 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1204438370.job"
- C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe4-I
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-26 01:54:19
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Ahead\InCD\incdsrv.exe
C:\Program Files\McAfee.com\Agent\Mcdetect.exe
C:\PROGRA~1\McAfee.com\VSO\McShield.exe
C:\PROGRA~1\McAfee.com\Agent\McTskshd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Photodex\ProShowGold\scsiaccess.exe
C:\Program Files\UPSMON\UPSMON_Service.exe
C:\Program Files\UPSMON\UPSInt2.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\cscript.exe
.
**************************************************************************
.
Completion time: 2008-04-26 1:55:53 - machine was rebooted [Robert]
ComboFix-quarantined-files.txt 2008-04-26 05:55:50

Pre-Run: 191,974,764,544 bytes free
Post-Run: 192,898,215,936 bytes free

tashi
2008-04-26, 08:45
Hello.

Please see the stickied procedure for this forum: "BEFORE you POST" (READ this Procedure BEFORE Requesting Assistance) (http://forums.spybot.info/showthread.php?t=288)

Do NOT run 'fixes' before helpers have analyzed HJT/KAV scans (http://forums.spybot.info/showthread.php?t=16806)

Start a new topic providing the log/s requested and a link back to this topic.

I will close this one as helpers look for zero response. :)