Hijack isn't working, need help with Virtumonde



mydlo
2008-05-17, 17:11
When I run HijackThis from my desktop it writes: "Application cannot be run, because MSVBVM60.dll cannot be found. Troubles may be removed by reinstalling the application." (my translation from Czech). I also have Virtumonde repairing on my machine. I located it in HKLM/software/microsoft/MSSMGR. I downloaded some antispyware like Spy Sweeper that find threats but only remove them for gold, and removed them manually in regedit. I also made a log in ComboFix, and I saw in one report:

ComboFix 08-05-15.3 - VLADO 2008-05-17 16:41:34.1 - NTFSx86
Systém Microsoft Windows XP Professional 5.1.2600.2.1250.1.1029.18.1392 [GMT 2:00]
Running from: C:\Documents and Settings\VLADO\Plocha\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Data aplikací\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Data aplikací\Microsoft\Network\Downloader\qmgr1.dat
C:\WINDOWS\pskt.ini
C:\WINDOWS\search_res.txt
C:\WINDOWS\system32\cyukvdmp.ini
C:\WINDOWS\system32\deevbcje.ini
C:\WINDOWS\system32\dfgroeny.ini
C:\WINDOWS\system32\dykkheqp.ini
C:\WINDOWS\system32\jfkfdyil.ini
C:\WINDOWS\system32\JmmmSvut.ini
C:\WINDOWS\system32\JmmmSvut.ini2
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\wlempaog.ini

----- BITS: Possible infected sites -----

hxxp://onsafepro.com
.
((((((((((((((((((((((((( Files Created from 2008-04-17 to 2008-05-17 )))))))))))))))))))))))))))))))
.

2008-05-17 15:55 . 2008-05-17 15:55 <DIR> d-------- C:\Program Files\Webroot
2008-05-17 15:55 . 2008-01-04 20:56 1,526,640 --a------ C:\WINDOWS\WRSetup.dll
2008-05-17 15:55 . 2008-01-04 20:34 163,696 --a------ C:\WINDOWS\system32\drivers\ssidrv.sys
2008-05-17 15:55 . 2008-01-04 20:34 23,920 --a------ C:\WINDOWS\system32\drivers\sskbfd.sys
2008-05-17 15:55 . 2008-01-04 20:34 21,872 --a------ C:\WINDOWS\system32\drivers\sshrmd.sys
2008-05-17 15:55 . 2008-01-04 20:34 20,336 --a------ C:\WINDOWS\system32\drivers\SSFS0BB9.sys
2008-05-17 15:52 . 2008-05-17 15:52 164 --a------ C:\install.dat
2008-05-17 15:21 . 2008-05-17 15:21 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-05-17 14:07 . 2008-05-17 14:07 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-17 11:14 . 2008-05-17 11:14 <DIR> d-------- C:\Program Files\Safer Networking
2008-05-17 11:08 . 2008-05-17 11:08 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-05-17 10:54 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-05-17 10:54 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-05-17 10:54 . 2007-12-21 00:11 81,920 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-05-17 10:54 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-05-17 10:54 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-05-17 10:54 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-05-17 10:21 . 2008-05-17 10:21 141,312 --a------ C:\WINDOWS\system32\drivers\sp_rsdrv2.sys
2008-05-16 13:18 . 2008-05-16 13:18 <DIR> d-------- C:\WINDOWS\system32\xircom
2008-05-16 13:18 . 2008-05-16 13:18 <DIR> d-------- C:\Program Files\microsoft frontpage
2008-05-11 19:30 . 2008-05-11 19:30 <DIR> d-------- C:\VundoFix Backups
2008-05-11 12:43 . 2008-05-11 12:43 0 --ah----- C:\Documents and Settings\VLADO\NTUSER.DAT_TU_71470.LOG
2008-05-11 12:43 . 2008-05-11 12:43 0 --ah----- C:\Documents and Settings\NetworkService\NTUSER.DAT_TU_16631.LOG
2008-05-11 12:43 . 2008-05-11 12:43 0 --ah----- C:\Documents and Settings\LocalService\NTUSER.DAT_TU_64679.LOG
2008-05-11 09:31 . 2008-05-17 10:50 109,816 --a------ C:\WINDOWS\BMaf3f33e4.xml
2008-05-10 11:19 . 2008-05-10 11:19 26,624 --a------ C:\WINDOWS\system32\winuqw32.dll
2008-05-04 19:56 . 2008-05-04 19:56 8,192 --ahs---- C:\WINDOWS\o2cLicStore.bin
2008-05-04 19:54 . 2008-05-04 19:56 520 --a------ C:\WINDOWS\netdet.ini
2008-05-04 19:51 . 2008-05-04 19:52 <DIR> d-------- C:\WINDOWS\mbgruppe
2008-05-04 19:51 . 2008-05-04 19:52 <DIR> d-------- C:\Program Files\ArCon
2008-05-04 19:51 . 2008-05-04 19:51 <DIR> d-------- C:\ArCon
2008-05-04 19:51 . 1998-06-24 00:00 525,352 --a------ C:\WINDOWS\system32\DBGRID32.OCX
2008-05-04 19:51 . 1998-06-24 00:00 200,496 --a------ C:\WINDOWS\system32\Dblist32.ocx
2008-05-04 19:51 . 1998-06-24 00:00 164,144 --a------ C:\WINDOWS\system32\COMCT232.OCX
2008-05-04 19:51 . 1998-06-24 00:00 140,096 --a------ C:\WINDOWS\system32\COMDLG32.OCX
2008-05-04 13:26 . 2008-05-04 13:28 <DIR> d-------- C:\Program Files\Autodesk
2008-05-03 13:05 . 2008-05-03 13:05 <DIR> d-------- C:\Program Files\DesignSoft
2008-05-03 11:17 . 2008-05-17 10:59 <DIR> d-------- C:\Garmin

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-17 13:58 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-05-17 09:19 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-05-17 09:00 --------- d-----w C:\Program Files\ICQToolbar
2008-05-17 08:23 --------- d-----w C:\Program Files\Spyware Terminator
2008-05-15 16:59 --------- d-----w C:\Program Files\Norton 360
2008-05-04 17:51 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-04 11:28 --------- d-----w C:\Program Files\Common Files\Autodesk Shared
2008-04-16 16:32 --------- d-----w C:\Program Files\ICQ6
2008-04-12 10:06 --------- d-----w C:\Program Files\DivX
2008-04-06 11:17 --------- d-----w C:\Program Files\Opera
2008-03-31 13:25 2,033 ----a-w C:\WINDOWS\system32\drivers\fwdrv.err
2008-03-21 20:25 --------- d-----w C:\Program Files\AGEIA Technologies
2008-03-21 20:24 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-03-20 07:25 --------- d-----w C:\Program Files\Java
2008-03-15 17:04 2,829 ----a-w C:\WINDOWS\War3Unin.pif
2008-03-15 17:04 139,264 ----a-w C:\WINDOWS\War3Unin.exe
2008-01-14 15:44 88 --sh--r C:\WINDOWS\system32\5D75E9E25B.sys
2008-01-14 15:44 2,828 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{61E5B246-08ED-49E5-B284-B94E14999F3A}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AA800ECF-D6F4-42EC-9E80-9005D4195D71}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-18 14:00 15360]
"DAEMON Tools Lite"="C:\Program Files\DAEMON Tools Lite\daemon.exe" [2007-12-19 22:13 486856]
"Creative Detector"="C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 19:23 102400]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2006-05-18 08:22 843776]
"Habu"="C:\Program Files\Razer\Habu\razerhid.exe" [2006-08-23 12:20 159744]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25 144784]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 23:59 115816]
"CTHelper"="CTHELPER.EXE" [2006-08-11 15:56 17920 C:\WINDOWS\CTHELPER.EXE]
"CTxfiHlp"="CTXFIHLP.EXE" [2006-08-11 15:56 18944 C:\WINDOWS\system32\CTXFIHLP.EXE]
"QuickTime Task"="C:\Program Files\QuickTime Alternative\QTTask.exe" [2008-01-10 16:27 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-01-15 04:22 267048]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 18:38 583048]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 02:41 8523776]
"nwiz"="nwiz.exe" [2007-12-05 02:41 1626112 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-12-05 02:41 81920]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 14:06 40048]
"SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\SMax4.exe" [2006-05-18 15:26 729088]
"ac0c0078"="C:\WINDOWS\system32\liydfkfj.dll" [ ]
"BMaf3f33e4"="C:\WINDOWS\system32\spcnsfwv.dll" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-18 14:00 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_3"="advpack.dll" [2008-03-01 15:02 124928 C:\WINDOWS\system32\advpack.dll]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoDesktopCleanupWizard"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMConfigurePrograms"= 1 (0x1)
"NoStartMenuPinnedList"= 1 (0x1)
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSMConfigurePrograms"= 1 (0x1)
"NoStartMenuPinnedList"= 1 (0x1)
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winuqw32]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.iv41"= ir41_32.dll
"VIDC.ACDV"= ACDV.dll
"SENTINEL"= snti386.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"LightScribe Control Panel"=C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
"ASUS SmartDoctor"=C:\Program Files\ASUS\SmartDoctor\SmartDoctor.exe /start

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"NeroFilterCheck"=C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
"CloneCDTray"="C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
"GhostStartTrayApp"=C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
"NvMediaCenter"=RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
"nwiz"=nwiz.exe /install

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\NVIDIA Corporation\\NetworkAccessManager\\Apache Group\\Apache2\\bin\\Apache.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\\games\\Need For Speed III\\nfs3.exe"=
"C:\\Program Files\\ICQ6\\ICQ.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\WINDOWS\\system32\\PnkBstrA.exe"=
"C:\\WINDOWS\\system32\\PnkBstrB.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\games\\Battlefield 2\\BF2.exe"=
"C:\\games\\Gears of War\\Binaries\\WarGame-G4WLive.exe"=
"C:\\Crytek\\Crysis\\Bin32\\Crysis.exe"=
"C:\\Crytek\\Crysis\\Bin32\\CrysisDedicatedServer.exe"=
"C:\\games\\Unreal Tournament 3\\Binaries\\UT3.exe"=
"C:\\Program Files\\Opera\\Opera.exe"=
"C:\\Program Files\\Ares\\Ares.exe"=
"C:\\Program Files\\Alias\\Maya8.0\\bin\\maya.exe"=
"C:\\Program Files\\Autodesk\\3dsMax8\\3dsmax.exe"=
"C:\\Program Files\\Autodesk\\backburner\\monitor.exe"=
"C:\\Program Files\\Autodesk\\backburner\\manager.exe"=
"C:\\Program Files\\Autodesk\\backburner\\server.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R1 GhPciScan;GhostPciScanner;C:\Program Files\Symantec\Norton Ghost 2003\ghpciscan.sys [2003-12-17 16:41]
R1 kbfilter;Keyboard Filter Driver;C:\WINDOWS\system32\drivers\kbfilter.sys [2003-11-07 11:09]
R2 UxTuneUp;TuneUp Theme Extension;C:\WINDOWS\System32\svchost.exe [2004-08-18 14:00]
R3 HabuFltr;Habu Mouse;C:\WINDOWS\system32\drivers\habu.sys [2006-08-14 11:21]
R3 PSched;Plánovač paketů technologie QoS;C:\WINDOWS\system32\DRIVERS\psched.sys [2004-08-18 14:00]
R3 usbhub;Ovladač standardního rozbočovače USB;C:\WINDOWS\system32\DRIVERS\usbhub.sys [2004-08-18 14:00]
R3 usbohci;Ovladač Miniport otevřeného hostitelského řadiče Microsoft USB;C:\WINDOWS\system32\DRIVERS\usbohci.sys [2004-08-18 14:00]
R3 usbstor;Ovladač velkokapacitního paměťového zařízení USB;C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-18 14:00]
S3 asusgsb;ASUS Virtual Video Capture Device Driver;C:\WINDOWS\system32\drivers\asusgsb.sys [2007-07-12 11:03]
S3 fixustor;fixustor;C:\WINDOWS\system32\drivers\fixustor.sys []
S3 RTLWUSB;Realtek RTL8187 Wireless 802.11g 54Mbps USB 2.0 Network Adapter;C:\WINDOWS\system32\DRIVERS\RTL8187.sys [2006-06-16 09:30]
S3 SjyPkt;SjyPkt;C:\WINDOWS\System32\Drivers\SjyPkt.sys [2006-03-31 05:39]
S3 usbccgp;Obecný nadřazený ovladač Microsoft USB;C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2004-08-04 00:08]
S3 Video3D;ASUS Video3D Service;C:\WINDOWS\system32\Drivers\Video3D32.sys []

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a32f9343-9626-11dc-b9c4-806d6172696f}]
\Shell\AutoRun\command - H:\Setup.exe

*Newly Created Service* - COMHOST

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"C:\Program Files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder
"2008-05-16 15:15:00 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2007\SystemOptimizer.exe
"2008-05-17 13:55:14 C:\WINDOWS\Tasks\wrSpySweeperTrialSweep.job"
- C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe&/ScheduleSweep=wrSpySweeperTrialSweep
- C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.ex
- A:\
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-17 16:44:24
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTSVCCDA.EXE
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\Apache.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\Apache.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PSIService.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Razer\Habu\razertra.exe
C:\Program Files\ASUS WiFi-AP Solo\RtWLan.exe
C:\Program Files\Razer\Habu\razerofa.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Webroot\Spy Sweeper\ssu.exe
.
**************************************************************************
.
Completion time: 2008-05-17 16:48:48 - machine was rebooted [VLADO]
ComboFix-quarantined-files.txt 2008-05-17 14:48:42

Adresářů: 18, Volných bajtů: 12,771,012,608
Adresářů: 20, Volných bajtů: 12,631,240,704

247 --- E O F --- 2008-05-16 19:50:11
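
Added example (not part of the original thread, and not ComboFix's or Spybot's own code): a small Python triage script that reads the "Reg Loading Points" section of a ComboFix log like the one above and flags the entries a reviewer would look at first: Run values whose file metadata is an empty "[ ]" (ComboFix recorded no date or size, so it could not read the file), file names with the eight-letter random shape seen in this log (liydfkfj.dll, spcnsfwv.dll), non-default Winlogon Notify subkeys such as winuqw32, and BHO CLSIDs that still need to be resolved to a DLL. The sample input is a constructed excerpt in the log's format built from entries on this page; the section matching, the regular expressions and the eight-letter heuristic are my assumptions about the log layout, not a ComboFix specification.

```python
import re
from typing import Dict, List

# Constructed sample in the shape of the "Reg Loading Points" section of the ComboFix
# log above; the entries themselves are copied from that log.
SAMPLE_LOG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{61E5B246-08ED-49E5-B284-B94E14999F3A}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2006-05-18 08:22 843776]
"CTHelper"="CTHELPER.EXE" [2006-08-11 15:56 17920 C:\WINDOWS\CTHELPER.EXE]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 02:41 8523776]
"ac0c0078"="C:\WINDOWS\system32\liydfkfj.dll" [ ]
"BMaf3f33e4"="C:\WINDOWS\system32\spcnsfwv.dll" [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winuqw32]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"nwiz"=nwiz.exe /install
'''

# "[key]" header of a registry section (assumed layout).
SECTION_RE = re.compile(r'^\[(?P<key>.+)\]$')
# "name"=value, optionally followed by ComboFix's "[date time size ...]" file metadata.
ENTRY_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<value>.*?)\s*(?:\[(?P<meta>[^\]]*)\])?\s*$')
# Eight lower-case letters: the shape of the generated names in this log (liydfkfj, spcnsfwv).
EIGHT_LETTERS_RE = re.compile(r'^[a-z]{8}$')


def file_stem(value: str) -> str:
    """Base name without extension of the path or command in a Run value."""
    return value.strip().strip('"').rsplit('\\', 1)[-1].split('.')[0]


def looks_generated(stem: str) -> bool:
    """Weak heuristic (assumption): eight lower-case letters with fewer than two vowels."""
    return bool(EIGHT_LETTERS_RE.match(stem)) and sum(c in 'aeiou' for c in stem) < 2


def triage_loading_points(log_text: str) -> List[Dict[str, str]]:
    """Walk the section and return the entries worth a closer look, in log order."""
    findings: List[Dict[str, str]] = []
    key = ''

    def flag(check: str, name: str, reason: str) -> None:
        findings.append({'check': check, 'key': key, 'name': name, 'reason': reason})

    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line == 'REGEDIT4':
            continue
        section = SECTION_RE.match(line)
        if section:
            key = section.group('key')
            low = key.lower()
            if '\\browser helper objects\\' in low:
                flag('bho', '', 'Browser Helper Object: resolve the CLSID under HKCR\\CLSID to find its DLL')
            elif '\\winlogon\\notify\\' in low:
                flag('winlogon_notify', '', 'non-default Winlogon Notify package: loaded into winlogon.exe at logon')
            continue
        entry = ENTRY_RE.match(line)
        if not entry:
            continue
        name, value, meta = entry.group('name'), entry.group('value'), entry.group('meta')
        if meta is not None and not meta.strip():
            flag('no_metadata', name, 'ComboFix shows "[ ]": no date or size, so it could not read the file')
        stem = file_stem(value)
        if looks_generated(stem):
            flag('random_name', name, f'random-looking file name "{stem}"')
    return findings


if __name__ == '__main__':
    for f in triage_loading_points(SAMPLE_LOG):
        print(f"{f['check']:16} {(f['name'] or '-'):12} {f['reason']}")
```

Run it on a saved ComboFix.txt by passing the file's text to triage_loading_points(); the output is a review list for whoever is helping with the log, not a removal list, since a legitimate entry can also show "[ ]" when the file is simply locked at scan time.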

drragostea
2008-05-17, 19:12
http://forums.spybot.info/showthread.php?t=16806

Do NOT run Combofix without supervision.

Consider posting in the Malware Removal (http://forums.spybot.info/forumdisplay.php?f=22) forum and having someone take a look at your system.

If you decide to have an experienced malware removal specialist assist you, please follow the procedure in this link to run scans and produce a HijackThis log: "BEFORE you POST" (READ this Procedure BEFORE Requesting Assistance) (http://forums.spybot.info/showthread.php?t=288).