
Thread: Virtumonde (?) - jkkjk.dll

  1. #11
    Junior Member (Join Date: Dec 2007, Posts: 25)

    VirusTotal didn't find anything. Same as Jotti (so far).


    File ctfmon_.exe received on 12.25.2007 17:57:33 (CET)
    Antivirus Version Last Update Result
    AhnLab-V3 2007.12.25.10 2007.12.24 -
    AntiVir 7.6.0.46 2007.12.25 -
    Authentium 4.93.8 2007.12.25 -
    Avast 4.7.1098.0 2007.12.25 -
    AVG 7.5.0.516 2007.12.25 -
    BitDefender 7.2 2007.12.25 -
    CAT-QuickHeal 9.00 2007.12.25 -
    ClamAV 0.91.2 2007.12.25 -
    DrWeb 4.44.0.09170 2007.12.25 -
    eSafe 7.0.15.0 2007.12.25 -
    eTrust-Vet 31.3.5400 2007.12.24 -
    Ewido 4.0 2007.12.25 -
    FileAdvisor 1 2007.12.25 -
    Fortinet 3.14.0.0 2007.12.25 -
    F-Prot 4.4.2.54 2007.12.25 -
    F-Secure 6.70.13030.0 2007.12.25 -
    Ikarus T3.1.1.15 2007.12.25 -
    Kaspersky 7.0.0.125 2007.12.25 -
    McAfee 5192 2007.12.24 -
    Microsoft 1.3109 2007.12.25 -
    NOD32v2 2747 2007.12.25 -
    Norman 5.80.02 2007.12.24 -
    Panda 9.0.0.4 2007.12.25 -
    Prevx1 V2 2007.12.25 -
    Rising 20.24.12.00 2007.12.25 -
    Sophos 4.24.0 2007.12.25 -
    Sunbelt 2.2.907.0 2007.12.21 -
    Symantec 10 2007.12.25 -
    TheHacker 6.2.9.168 2007.12.22 -
    VBA32 3.12.2.5 2007.12.24 -
    VirusBuster 4.3.26:9 2007.12.25 -
    Webwasher-Gateway 6.0.1 2007.12.25 -
    Additional information
    File size: 15360 bytes
    MD5: cbfa30492d70ce3938d8a7783d0c0436
    SHA1: fcbaa6077201778bb8f1c6d1d33e33db14b4f074
    PEiD: -

  2. #12
    Junior Member (Join Date: Dec 2007, Posts: 25)

    Yes, for Jotti it's clean too.

    Scanner results
    Scan taken on 25 Dec 2007 17:02:57 (GMT)
    A-Squared
    Found nothing
    AntiVir
    Found nothing
    ArcaVir
    Found nothing
    Avast
    Found nothing
    AVG Antivirus
    Found nothing
    BitDefender
    Found nothing
    ClamAV
    Found nothing
    CPsecure
    Found nothing
    Dr.Web
    Found nothing
    F-Prot Antivirus
    Found nothing
    F-Secure Anti-Virus
    Found nothing
    Fortinet
    Found nothing
    Ikarus
    Found nothing
    Kaspersky Anti-Virus
    Found nothing
    NOD32
    Found nothing
    Norman Virus Control
    Found nothing
    Panda Antivirus
    Found nothing
    Rising Antivirus
    Found nothing
    Sophos Antivirus
    Found nothing
    VirusBuster
    Found nothing
    VBA32
    Found nothing

  3. #13
    Security Expert: Emeritus (Join Date: Oct 2006, Location: Finland, Posts: 29,374)

    Hi

    For some reason I don't believe that it's clean though scanners claim otherwise. But we'll see.

    Try also to find this file -> C:\WINDOWS\system32\ctfmon.exe and scan it at Jotti/VirusTotal.

    Open notepad and copy/paste the text in the quotebox below into it:

    Code:
    File::
    C:\WINDOWS\system32\jkkjk.dll
    C:\WINDOWS\system32\kjkkj.ini
    C:\WINDOWS\system32\RCX22.tmp
    C:\WINDOWS\system32\jkkjk.exe
    C:\WINDOWS\system32\RCX18.tmp
    C:\WINDOWS\system32\jkkjk.VIR002
    C:\WINDOWS\system32\RCX11.tmp
    C:\WINDOWS\system32\jkkjk.VIR001
    C:\WINDOWS\system32\RCX13.tmp
    C:\WINDOWS\system32\jkkjk.VIR000
    C:\WINDOWS\system32\RCXC.tmp
    C:\WINDOWS\system32\mcrh.tmp
    C:\WINDOWS\system32\jkkjk.VIR
    C:\WINDOWS\system32\RCX2D.tmp
    
    Driver::
    MicrosoftCOMSysApp
    
    Registry::
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkkklmj]
    
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winmxw32]
    winmxw32.dll
    
    [HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\windows]
    "load"=-
    
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
    "Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00

    Save this as "CFScript"

    Then drag the CFScript into ComboFix.exe as you see in the screenshot below.



    This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

    Combofix should never take more than 20 minutes including the reboot if malware is detected.
    If it does, open Task Manager, then the Processes tab (press ctrl, alt and del at the same time), and end any processes of findstr, find, sed or swreg; then combofix should continue.
    If that happened we want to know, and also what process you had to end.
    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006

  4. #14
    Junior Member (Join Date: Dec 2007, Posts: 25)

    Both (Jotti and VirusTotal) say that ctfmon.exe is clean too.

    Here are the fresh logs:


    ComboFix 07-12-21.4 - Administrator 2007-12-25 21:53:16.3 - FAT32x86
    Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.1458 [GMT 1:00]
    Running from: C:\Documents and Settings\Administrator\Pulpit\ComboFix.exe
    Command switches used :: C:\Documents and Settings\Administrator\Pulpit\CFScript.txt
    * Created a new restore point

    FILE
    C:\WINDOWS\system32\jkkjk.dll
    C:\WINDOWS\system32\jkkjk.exe
    C:\WINDOWS\system32\jkkjk.VIR
    C:\WINDOWS\system32\jkkjk.VIR000
    C:\WINDOWS\system32\jkkjk.VIR001
    C:\WINDOWS\system32\jkkjk.VIR002
    C:\WINDOWS\system32\kjkkj.ini
    C:\WINDOWS\system32\mcrh.tmp
    C:\WINDOWS\system32\RCX11.tmp
    C:\WINDOWS\system32\RCX13.tmp
    C:\WINDOWS\system32\RCX18.tmp
    C:\WINDOWS\system32\RCX22.tmp
    C:\WINDOWS\system32\RCX2D.tmp
    C:\WINDOWS\system32\RCXC.tmp
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\WINDOWS\system32\jkkjk.dll
    C:\WINDOWS\system32\jkkjk.exe
    C:\WINDOWS\system32\jkkjk.VIR
    C:\WINDOWS\system32\jkkjk.VIR000
    C:\WINDOWS\system32\jkkjk.VIR001
    C:\WINDOWS\system32\jkkjk.VIR002
    C:\WINDOWS\system32\kjkkj.ini
    C:\WINDOWS\system32\kjkkj.ini2
    C:\WINDOWS\system32\mcrh.tmp
    C:\WINDOWS\system32\RCX11.tmp
    C:\WINDOWS\system32\RCX13.tmp
    C:\WINDOWS\system32\RCX18.tmp
    C:\WINDOWS\system32\RCX22.tmp
    C:\WINDOWS\system32\RCX2D.tmp
    C:\WINDOWS\system32\RCXC.tmp

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

    .
    -------\LEGACY_MICROSOFTCOMSYSAPP
    -------\MicrosoftCOMSysApp


    ((((((((((((((((((((((((( Files Created from 2007-11-25 to 2007-12-25 )))))))))))))))))))))))))))))))
    .

    2007-12-25 21:56 . 2007-12-25 21:56 331,776 --------- C:\WINDOWS\system32\jkkjk.dll
    2007-12-25 21:56 . 2007-12-25 21:57 319 --ahs---- C:\WINDOWS\system32\kjkkj.ini
    2007-12-25 01:15 . 2007-12-25 01:15 <DIR> d-------- C:\Documents and Settings\Administrator\Dane aplikacji\InstallShield Installation Information
    2007-12-25 00:13 . 2007-12-25 00:13 <DIR> d-------- C:\Program Files\Kaspersky Lab
    2007-12-25 00:13 . 2007-12-25 21:55 168,480 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
    2007-12-25 00:13 . 2007-12-25 00:20 91,492 --a------ C:\WINDOWS\system32\drivers\klin.dat
    2007-12-25 00:13 . 2007-12-25 00:20 85,860 --a------ C:\WINDOWS\system32\drivers\klick.dat
    2007-12-25 00:13 . 2007-12-25 21:55 11,808 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
    2007-12-25 00:13 . 2007-12-25 21:55 3,332 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
    2007-12-25 00:13 . 2007-12-25 21:55 2,180 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
    2007-12-25 00:12 . 2007-12-25 00:12 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\Kaspersky Lab Setup Files
    2007-12-24 12:06 . 2007-12-24 12:06 <DIR> d-------- C:\Program Files\K-Lite Codec Pack
    2007-12-24 12:03 . 2007-12-24 12:03 <DIR> d-------- C:\Documents and Settings\Administrator\Dane aplikacji\Media Player Classic
    2007-12-24 00:30 . 2007-12-24 00:30 <DIR> d-------- C:\Program Files\TVAnts
    2007-12-22 04:26 . 2007-12-24 14:32 54,156 --ah----- C:\WINDOWS\QTFont.qfn
    2007-12-22 04:26 . 2007-12-22 04:27 1,409 --a------ C:\WINDOWS\QTFont.for
    2007-12-22 04:24 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
    2007-12-22 04:23 . 2007-12-22 04:23 <DIR> d-------- C:\Program Files\Java
    2007-12-22 04:23 . 2007-12-22 04:23 <DIR> d-------- C:\Program Files\Common Files\Java
    2007-12-22 03:51 . 2007-12-22 03:51 0 --a------ C:\WINDOWS\nsreg.dat
    2007-12-21 09:46 . 2007-12-21 09:46 <DIR> d-------- C:\Program Files\OpenAL
    2007-12-21 09:46 . 2007-12-21 09:46 413,696 --a------ C:\WINDOWS\system32\wrap_oal.dll
    2007-12-21 09:46 . 2007-12-21 09:46 110,592 --a------ C:\WINDOWS\system32\OpenAL32.dll
    2007-12-21 09:45 . 2007-12-21 09:45 <DIR> d-------- C:\WINDOWS\system32\xlive
    2007-12-21 00:23 . 2007-12-21 00:23 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\Spybot - Search & Destroy
    2007-12-20 14:24 . 2007-12-20 14:24 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\Kaspersky Lab
    2007-12-20 14:23 . 2007-12-20 14:23 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
    2007-12-20 14:18 . 2007-12-20 14:18 <DIR> d-------- C:\Program Files\MSXML 4.0
    2007-12-20 12:35 . 2007-12-20 12:35 <DIR> d-------- C:\Program Files\Trend Micro
    2007-12-20 02:57 . 2007-12-20 02:57 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\Tages
    2007-12-20 02:48 . 2007-12-20 02:48 278,728 --a------ C:\WINDOWS\system32\drivers\atksgt.sys
    2007-12-20 02:48 . 2007-12-20 02:48 25,416 --a------ C:\WINDOWS\system32\drivers\lirsgt.sys
    2007-12-20 02:43 . 2007-12-20 02:43 <DIR> d-------- C:\Program Files\Ubisoft
    2007-12-20 01:58 . 2007-12-20 12:07 1,953,792 --a------ C:\WINDOWS\system32\JMRaidSetup .exe
    2007-12-20 01:58 . 2007-12-25 15:02 15,360 --a------ C:\WINDOWS\system32\ctfmon .exe
    2007-12-20 01:57 . 2007-12-20 01:57 <DIR> d--hs---- C:\FOUND.009
    2007-12-20 01:54 . 2007-12-20 01:55 <DIR> dr------- C:\Documents and Settings\LocalService\Ulubione
    2007-12-20 01:54 . 2007-12-20 01:54 <DIR> d-------- C:\Documents and Settings\LocalService\Pulpit
    2007-12-20 01:54 . 2007-12-20 01:55 <DIR> dr------- C:\Documents and Settings\LocalService\Moje dokumenty
    2007-12-20 01:54 . 2007-12-20 01:54 <DIR> d-------- C:\Documents and Settings\LocalService\Menu Start
    2007-12-20 01:49 . 2007-12-20 01:49 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\TEMP
    2007-12-20 01:48 . 2007-12-20 01:48 <DIR> d-------- C:\Program Files\Spyware Doctor
    2007-12-20 01:48 . 2005-09-23 08:29 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
    2007-12-20 00:41 . 2007-12-20 00:41 <DIR> d-------- C:\Documents and Settings\Administrator\Dane aplikacji\Hamachi
    2007-12-20 00:40 . 2007-12-20 00:40 <DIR> d-------- C:\Program Files\Hamachi
    2007-12-20 00:40 . 2007-12-20 00:40 10,578 --a------ C:\WINDOWS\system32\drivers\hamachi.sys
    2007-12-16 18:25 . 2007-12-16 18:25 <DIR> d-------- C:\Documents and Settings\Administrator\Dane aplikacji\InstallShield
    2007-12-11 00:08 . 2007-12-11 00:08 <DIR> d-------- C:\Documents and Settings\Administrator\Dane aplikacji\Nokia Multimedia Player
    2007-12-06 00:27 . 2007-12-06 00:27 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\PC Suite
    2007-12-06 00:26 . 2007-12-06 00:26 <DIR> d-------- C:\Program Files\PC Connectivity Solution
    2007-12-06 00:26 . 2007-12-06 00:26 <DIR> d-------- C:\Program Files\DIFX
    2007-12-06 00:26 . 2007-12-06 00:26 <DIR> d-------- C:\Program Files\Common Files\PCSuite
    2007-12-06 00:26 . 2007-12-06 00:26 <DIR> d-------- C:\Program Files\Common Files\Nokia
    2007-12-06 00:26 . 2007-02-22 11:15 137,216 --a------ C:\WINDOWS\system32\drivers\nmwcd.sys
    2007-12-06 00:26 . 2007-02-22 11:15 65,536 --a------ C:\WINDOWS\system32\nmwcdcocls.dll
    2007-12-06 00:26 . 2007-02-22 11:15 12,288 --a------ C:\WINDOWS\system32\drivers\nmwcdcm.sys
    2007-12-06 00:26 . 2007-02-22 11:15 12,288 --a------ C:\WINDOWS\system32\drivers\nmwcdcj.sys
    2007-12-06 00:26 . 2007-02-22 11:15 8,320 --a------ C:\WINDOWS\system32\drivers\nmwcdc.sys
    2007-12-06 00:23 . 2007-12-06 00:23 <DIR> d-------- C:\Program Files\Nokia

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2007-12-25 20:56 352,256 ----a-w C:\WINDOWS\system32\ctfmon.exe
    2007-12-25 20:56 335,360 ----a-w C:\WINDOWS\system32\jkkjk.exe
    2007-12-25 17:28 4,000 ----a-w C:\ao.dat
    2007-12-25 14:03 15,360 ----a-w C:\WINDOWS\system32\dllcache\ctfmon.exe
    2007-12-24 23:35 2,322,432 ----a-w C:\WINDOWS\system32\JMRaidSetup.exe
    2007-12-21 08:59 107,888 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
    2007-12-07 17:28 7,680 ----a-w C:\WINDOWS\system32\ff_vfw.dll
    2007-12-04 01:33 682,496 ----a-w C:\WINDOWS\system32\divx.dll
    2007-11-29 22:30 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
    2007-11-29 22:28 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
    2007-11-13 19:43 --------- d-----w C:\Documents and Settings\Administrator\Dane aplikacji\mIRC
    2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
    2007-10-31 22:57 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
    2007-10-31 22:57 103,736 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
    2007-10-31 22:32 22,328 ----a-w C:\Documents and Settings\Administrator\Dane aplikacji\PnkBstrK.sys
    2007-10-30 23:26 3,590,656 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
    2007-10-29 22:44 1,291,264 ----a-w C:\WINDOWS\system32\quartz.dll
    2007-10-29 22:44 1,291,264 ----a-w C:\WINDOWS\system32\dllcache\quartz.dll
    2007-10-25 16:57 8,483,328 ----a-w C:\WINDOWS\system32\dllcache\shell32.dll
    2007-10-20 05:01 227,328 ----a-w C:\WINDOWS\system32\wmasf.dll
    2007-10-20 05:01 227,328 ----a-w C:\WINDOWS\system32\dllcache\wmasf.dll
    2007-10-12 22:19 13,653,824 ----a-w C:\WINDOWS\system32\xlivefnt.dll
    2007-10-12 22:19 10,155,840 ----a-w C:\WINDOWS\system32\xlive.dll
    2007-10-10 23:52 824,832 ----a-w C:\WINDOWS\system32\dllcache\wininet.dll
    2007-10-10 23:52 671,232 ----a-w C:\WINDOWS\system32\dllcache\mstime.dll
    2007-10-10 23:52 63,488 ------w C:\WINDOWS\system32\dllcache\icardie.dll
    2007-10-10 23:52 6,065,664 ------w C:\WINDOWS\system32\dllcache\ieframe.dll
    2007-10-10 23:52 52,224 ------w C:\WINDOWS\system32\dllcache\msfeedsbs.dll
    2007-10-10 23:52 478,208 ----a-w C:\WINDOWS\system32\dllcache\mshtmled.dll
    2007-10-10 23:52 459,264 ------w C:\WINDOWS\system32\dllcache\msfeeds.dll
    2007-10-10 23:52 44,544 ----a-w C:\WINDOWS\system32\dllcache\iernonce.dll
    2007-10-10 23:52 384,512 ----a-w C:\WINDOWS\system32\dllcache\iedkcs32.dll
    2007-10-10 23:52 383,488 ------w C:\WINDOWS\system32\dllcache\ieapfltr.dll
    2007-10-10 23:52 27,648 ----a-w C:\WINDOWS\system32\dllcache\jsproxy.dll
    2007-10-10 23:52 267,776 ------w C:\WINDOWS\system32\dllcache\iertutil.dll
    2007-10-10 23:52 232,960 ----a-w C:\WINDOWS\system32\dllcache\webcheck.dll
    2007-10-10 23:52 230,400 ----a-w C:\WINDOWS\system32\dllcache\ieaksie.dll
    2007-10-10 23:52 214,528 ----a-w C:\WINDOWS\system32\dllcache\dxtrans.dll
    2007-10-10 23:52 193,024 ----a-w C:\WINDOWS\system32\dllcache\msrating.dll
    2007-10-10 23:52 153,088 ----a-w C:\WINDOWS\system32\dllcache\ieakeng.dll
    2007-10-10 23:52 132,608 ----a-w C:\WINDOWS\system32\dllcache\extmgr.dll
    2007-10-10 23:52 124,928 ----a-w C:\WINDOWS\system32\dllcache\advpack.dll
    2007-10-10 23:52 105,984 ----a-w C:\WINDOWS\system32\dllcache\url.dll
    2007-10-10 23:52 102,400 ----a-w C:\WINDOWS\system32\dllcache\occache.dll
    2007-10-10 23:52 1,159,680 ----a-w C:\WINDOWS\system32\dllcache\urlmon.dll
    2007-10-10 11:03 70,656 ----a-w C:\WINDOWS\system32\dllcache\ie4uinit.exe
    2007-10-10 11:03 625,152 ----a-w C:\WINDOWS\system32\dllcache\iexplore.exe
    2007-10-10 10:59 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
    2007-10-10 05:46 161,792 ----a-w C:\WINDOWS\system32\dllcache\ieakui.dll
    2004-10-01 14:00 40,960 ----a-w C:\Program Files\Uninstall_CDS.exe
    2007-08-22 22:41 1,781 --sha-w C:\WINDOWS\system32\2357453822.dat
    2007-06-14 00:39 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Historia\History.IE5\MSHist012007061420070615\index.dat
    2007-06-21 03:42 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Historia\History.IE5\MSHist012007062120070622\index.dat
    2007-06-26 01:38 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Historia\History.IE5\MSHist012007062620070627\index.dat
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{497509B3-AB69-49AB-870C-878DC5061E96}]
    2007-12-25 21:56 331776 --------- C:\WINDOWS\system32\jkkjk.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "DesktopX"="C:\PROGRA~1\STARDOCK\OBJECT~2\DESKTOPX\DesktopX .exe" [2007-12-25 15:10]
    "DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon .exe" [2007-12-25 15:02]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2007-12-25 15:03]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon"="RUNDLL32.exe" [2004-08-04 00:44 C:\WINDOWS\system32\rundll32.exe]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-12-25 15:10]
    "PCSuiteTrayApplication"="C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2007-12-25 15:02]
    "AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe" [2007-06-28 12:51]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-06-19 10:17]

    C:\Documents and Settings\Administrator\Menu Start\Programy\Autostart\
    Stardock ObjectDock.lnk - C:\Program Files\Stardock\ObjectDock\ObjectDock.exe [2007-08-26 15:44:50]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\MCPClient]
    C:\PROGRA~1\COMMON~1\Stardock\mcpstub.dll 2005-01-31 15:13 49152 C:\PROGRA~1\COMMON~1\Stardock\MCPStub.dll

    [HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\windows]
    "load"=C:\WINDOWS\system32\jkkjk.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\jkkjk

    R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2007-04-04 14:58]
    R3 WmBEnum;Logitech Virtual Bus Enumerator Driver;C:\WINDOWS\system32\drivers\WmBEnum.sys [2004-04-14 11:08]
    R3 WmFilter;Logitech WingMan HID Filter Driver;C:\WINDOWS\system32\drivers\WmFilter.sys [2004-04-14 11:08]
    R3 WmXlCore;Logitech WingMan Translation Layer Driver;C:\WINDOWS\system32\drivers\WmXlCore.sys [2004-04-14 11:08]
    S3 gdrv;gdrv;C:\WINDOWS\gdrv.sys [2007-05-09 16:46]
    S3 WmVirHid;Logitech Virtual Hid Device Driver;C:\WINDOWS\system32\drivers\WmVirHid.sys [2004-04-14 11:08]

    .
    Contents of the 'Scheduled Tasks' folder
    "2007-12-20 17:26:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
    .
    **************************************************************************

    catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-12-25 21:57:41
    Windows 5.1.2600 Dodatek Service Pack 2 FAT NTAPI

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2900.3156]
    -> C:\WINDOWS\system32\jkkjk.dll
    -> C:\Program Files\Stardock\ObjectDock\DockShellHook.dll
    .
    Completion time: 2007-12-25 21:58:33 - machine was rebooted
    C:\ComboFix2.txt ... 2007-12-25 15:12
    .
    2007-12-20 13:27:49 --- E O F ---

  5. #15
    Junior Member (Join Date: Dec 2007, Posts: 25)

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 22:01:26, on 2007-12-25
    Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16574)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Ahead\InCD\InCDsrv.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
    C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication .exe
    C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe
    C:\PROGRA~1\STARDOCK\OBJECT~2\DESKTOPX\DesktopX .exe
    C:\Program Files\DAEMON Tools\daemon .exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Program Files\Trend Micro\HijackThis\white.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\pchealth\helpctr\System\panels\blank.htm
    F3 - REG:win.ini: load=C:\WINDOWS\system32\jkkjk.exe
    O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_0_1.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
    O2 - BHO: (no name) - {497509B3-AB69-49AB-870C-878DC5061E96} - C:\WINDOWS\system32\jkkjk.dll
    O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
    O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
    O4 - HKCU\..\Run: [DesktopX] "C:\PROGRA~1\STARDOCK\OBJECT~2\DESKTOPX\DesktopX .exe"
    O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon .exe" -lang 1033
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'Default user')
    O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Statystyki dla ochrony WWW - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
    O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MksSkanerOnline Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab
    O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
    O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
    O23 - Service: InCD Helper InCDsrvNetDDEdsdm (InCDsrvNetDDEdsdm) - Nero AG - (no file)
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
    O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe

    --
    End of file - 6132 bytes

  6. #16
    Security Expert: Emeritus (Join Date: Oct 2006, Location: Finland, Posts: 29,374)

    Hi

    Looks like it's back. And I really don't believe that it's clean because of this:

    2007-12-25 20:56 352,256 ----a-w C:\WINDOWS\system32\ctfmon.exe
    2007-12-25 20:56 335,360 ----a-w C:\WINDOWS\system32\jkkjk.exe

    Ctfmon.exe has the same date/time as jkkjk.exe and its size has changed.

    Do this:

    Copy this file C:\WINDOWS\system32\dllcache\ctfmon.exe to C:\WINDOWS\system32 and choose yes when it asks to overwrite.

    After that:

    We'll now remove some startup entries to play it safe.

    Uninstall the following programs (you can re-install them when you're clean again):

    Nokia PC Suite 6
    DesktopX
    DAEMON Tools

    Open notepad and copy/paste the text in the quotebox below into it:

    Code:
    File::
    C:\WINDOWS\system32\jkkjk.dll
    C:\WINDOWS\system32\kjkkj.ini
    C:\WINDOWS\system32\jkkjk.exe
    
    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{497509B3-AB69-49AB-870C-878DC5061E96}]
    
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "DesktopX"=-
    "DAEMON Tools"=-
    "ctfmon.exe"=-
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SunJavaUpdateSched"=-
    "PCSuiteTrayApplication"=-
    
    [HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\windows]
    "load"=-
    
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
    "Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00

    Save this as "CFScript"

    Then drag the CFScript into ComboFix.exe as you see in the screenshot below.



    This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

    Combofix should never take more than 20 minutes including the reboot if malware is detected.
    If it does, open Task Manager, then the Processes tab (press ctrl, alt and del at the same time), and end any processes of findstr, find, sed or swreg; then combofix should continue.
    If that happened we want to know, and also what process you had to end.
    Last edited by Shaba; 2007-12-26 at 10:49.
    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006
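The three checks Shaba makes by eye in the posts above (ctfmon.exe carrying the same timestamp as jkkjk.exe, its size no longer matching the dllcache copy, and the LSA "Authentication Packages" value carrying an extra entry that the CFScript's hex(7) line resets) can be run as a script over the log lines. This is an added Python example, not part of the thread and not ComboFix's own code; the sample lines are copied from the log posted above, and the parsing regex assumes the Find3M line layout shown there.

```python
import re

# Constructed sample: Find3M lines copied from the ComboFix log posted in this
# thread (same timestamp/size/attrs/path layout), plus one directory line that
# the parser must skip because it has no size field.
FIND3M_SAMPLE = r"""
2007-12-25 20:56 352,256 ----a-w C:\WINDOWS\system32\ctfmon.exe
2007-12-25 20:56 335,360 ----a-w C:\WINDOWS\system32\jkkjk.exe
2007-12-25 17:28 4,000 ----a-w C:\ao.dat
2007-12-25 14:03 15,360 ----a-w C:\WINDOWS\system32\dllcache\ctfmon.exe
2007-12-24 23:35 2,322,432 ----a-w C:\WINDOWS\system32\JMRaidSetup.exe
2007-11-13 19:43 --------- d-----w C:\Documents and Settings\Administrator\Dane aplikacji\mIRC
"""

# The LSA line as ComboFix printed it under "Reg Loading Points" in the log above.
AUTH_PACKAGES_LINE = r"Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\jkkjk"

# The value the CFScript above writes back (REGEDIT4 format: single-byte text).
AUTH_PACKAGES_FIX = "hex(7):6d,73,76,31,5f,30,00,00"

# Assumed Find3M layout: "<date> <time> <size-with-commas> <attrs> <path>".
FIND3M_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+([\d,]+)\s+(\S+)\s+(.+)$")


def parse_find3m(text):
    """Turn Find3M report lines into dicts; directory lines (no size) are skipped."""
    entries = []
    for line in text.splitlines():
        m = FIND3M_RE.match(line.strip())
        if not m:
            continue
        stamp, size, attrs, path = m.groups()
        entries.append({"mtime": stamp, "size": int(size.replace(",", "")),
                        "attrs": attrs, "path": path})
    return entries


def sibling_timestamp_hits(entries, bad_name):
    """Paths whose mtime equals that of a known-bad file name. The log only has
    minute resolution, so a hit is a lead to confirm, not proof on its own."""
    def is_bad(e):
        return e["path"].lower().endswith("\\" + bad_name.lower())
    bad_times = {e["mtime"] for e in entries if is_bad(e)}
    return [e["path"] for e in entries if e["mtime"] in bad_times and not is_bad(e)]


def dllcache_size_mismatches(entries):
    """Compare each system32 file with its dllcache (Windows File Protection)
    copy; returns (live_path, live_size, cache_size) where the sizes differ."""
    by_path = {e["path"].lower(): e for e in entries}
    out = []
    for p, cached in by_path.items():
        if "\\system32\\dllcache\\" not in p:
            continue
        live = by_path.get(p.replace("\\dllcache\\", "\\"))
        if live is not None and live["size"] != cached["size"]:
            out.append((live["path"], live["size"], cached["size"]))
    return out


def decode_reg_multi_sz(hex7):
    """Decode a .reg-style hex(7): REG_MULTI_SZ value into its strings.
    REGEDIT4 files hold single-byte text; 'Version 5.00' exports hold UTF-16LE,
    recognised here by the heuristic that every odd byte is zero."""
    raw = bytes(int(b, 16) for b in hex7.split(":", 1)[1].split(","))
    utf16 = len(raw) % 2 == 0 and not any(raw[1::2])
    text = raw.decode("utf-16-le" if utf16 else "latin-1")
    # each string ends in NUL and the list ends in an extra NUL
    return [s for s in text.split("\x00") if s]


def auth_packages_from_log(line):
    """Split ComboFix's 'Authentication Packages REG_MULTI_SZ ...' line into its
    entries (assumes no spaces inside an entry, which holds for the log above)."""
    m = re.match(r"^Authentication Packages\s+REG_MULTI_SZ\s+(.*)$", line.strip())
    return m.group(1).split() if m else []


def unexpected_auth_packages(packages, allowed=("msv1_0",)):
    """Anything beyond the stock MSV1_0 package gets loaded into lsass at boot."""
    return [p for p in packages if p.lower() not in allowed]


if __name__ == "__main__":
    entries = parse_find3m(FIND3M_SAMPLE)
    print("same mtime as jkkjk.exe:", sibling_timestamp_hits(entries, "jkkjk.exe"))
    print("dllcache size mismatch:", dllcache_size_mismatches(entries))
    print("extra auth packages:",
          unexpected_auth_packages(auth_packages_from_log(AUTH_PACKAGES_LINE)))
    print("CFScript restores packages to:", decode_reg_multi_sz(AUTH_PACKAGES_FIX))
```

Matching sizes (as the next post reports after the dllcache copy) only mean the live file is the same length as the cached one; a hash comparison against the cache is the stronger check when both files are in hand.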

  7. #17
    Junior Member (Join Date: Dec 2007, Posts: 25)

    ctfmon.exe from system32\dllcache has the same size and date as the one from system32, but it asked me to overwrite though.
    Here are the new logs:

    ComboFix 07-12-21.4 - Administrator 2007-12-26 11:19:38.4 - FAT32x86
    Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.1580 [GMT 1:00]
    Running from: C:\Documents and Settings\Administrator\Pulpit\ComboFix.exe
    Command switches used :: C:\Documents and Settings\Administrator\Pulpit\CFScript.txt
    * Created a new restore point

    FILE
    C:\WINDOWS\system32\jkkjk.dll
    C:\WINDOWS\system32\jkkjk.exe
    C:\WINDOWS\system32\kjkkj.ini
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\WINDOWS\system32\jkkjk.dll
    C:\WINDOWS\system32\jkkjk.exe
    C:\WINDOWS\system32\kjkkj.ini
    C:\WINDOWS\system32\kjkkj.ini2

    .
    ((((((((((((((((((((((((( Files Created from 2007-11-26 to 2007-12-26 )))))))))))))))))))))))))))))))
    .

    2007-12-26 11:12 . 2007-12-26 11:12 2,560 --a------ C:\WINDOWS\_MSRSTRT.EXE
    2007-12-25 01:15 . 2007-12-25 01:15 <DIR> d-------- C:\Documents and Settings\Administrator\Dane aplikacji\InstallShield Installation Information
    2007-12-25 00:13 . 2007-12-25 00:13 <DIR> d-------- C:\Program Files\Kaspersky Lab
    2007-12-25 00:13 . 2007-12-26 11:22 175,648 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
    2007-12-25 00:13 . 2007-12-25 00:20 91,492 --a------ C:\WINDOWS\system32\drivers\klin.dat
    2007-12-25 00:13 . 2007-12-25 00:20 85,860 --a------ C:\WINDOWS\system32\drivers\klick.dat
    2007-12-25 00:13 . 2007-12-26 11:22 12,320 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
    2007-12-25 00:13 . 2007-12-26 11:22 3,428 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
    2007-12-25 00:13 . 2007-12-26 11:22 2,228 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
    2007-12-25 00:12 . 2007-12-25 00:12 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\Kaspersky Lab Setup Files
    2007-12-24 12:06 . 2007-12-24 12:06 <DIR> d-------- C:\Program Files\K-Lite Codec Pack
    2007-12-24 12:03 . 2007-12-24 12:03 <DIR> d-------- C:\Documents and Settings\Administrator\Dane aplikacji\Media Player Classic
    2007-12-24 00:30 . 2007-12-24 00:30 <DIR> d-------- C:\Program Files\TVAnts
    2007-12-22 04:24 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
    2007-12-22 04:23 . 2007-12-22 04:23 <DIR> d-------- C:\Program Files\Java
    2007-12-22 04:23 . 2007-12-22 04:23 <DIR> d-------- C:\Program Files\Common Files\Java
    2007-12-22 03:51 . 2007-12-22 03:51 0 --a------ C:\WINDOWS\nsreg.dat
    2007-12-21 09:46 . 2007-12-21 09:46 <DIR> d-------- C:\Program Files\OpenAL
    2007-12-21 09:46 . 2007-12-21 09:46 413,696 --a------ C:\WINDOWS\system32\wrap_oal.dll
    2007-12-21 09:46 . 2007-12-21 09:46 110,592 --a------ C:\WINDOWS\system32\OpenAL32.dll
    2007-12-21 09:45 . 2007-12-21 09:45 <DIR> d-------- C:\WINDOWS\system32\xlive
    2007-12-21 00:23 . 2007-12-21 00:23 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\Spybot - Search & Destroy
    2007-12-20 14:24 . 2007-12-20 14:24 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\Kaspersky Lab
    2007-12-20 14:23 . 2007-12-20 14:23 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
    2007-12-20 14:18 . 2007-12-20 14:18 <DIR> d-------- C:\Program Files\MSXML 4.0
    2007-12-20 12:35 . 2007-12-20 12:35 <DIR> d-------- C:\Program Files\Trend Micro
    2007-12-20 02:57 . 2007-12-20 02:57 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\Tages
    2007-12-20 02:48 . 2007-12-20 02:48 278,728 --a------ C:\WINDOWS\system32\drivers\atksgt.sys
    2007-12-20 02:48 . 2007-12-20 02:48 25,416 --a------ C:\WINDOWS\system32\drivers\lirsgt.sys
    2007-12-20 02:43 . 2007-12-20 02:43 <DIR> d-------- C:\Program Files\Ubisoft
    2007-12-20 01:58 . 2007-12-20 12:07 1,953,792 --a------ C:\WINDOWS\system32\JMRaidSetup .exe
    2007-12-20 01:58 . 2007-12-26 11:15 15,360 --a------ C:\WINDOWS\system32\ctfmon .exe
    2007-12-20 01:57 . 2007-12-20 01:57 <DIR> d--hs---- C:\FOUND.009
    2007-12-20 01:54 . 2007-12-20 01:55 <DIR> dr------- C:\Documents and Settings\LocalService\Ulubione
    2007-12-20 01:54 . 2007-12-20 01:54 <DIR> d-------- C:\Documents and Settings\LocalService\Pulpit
    2007-12-20 01:54 . 2007-12-20 01:55 <DIR> dr------- C:\Documents and Settings\LocalService\Moje dokumenty
    2007-12-20 01:54 . 2007-12-20 01:54 <DIR> d-------- C:\Documents and Settings\LocalService\Menu Start
    2007-12-20 01:49 . 2007-12-20 01:49 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\TEMP
    2007-12-20 01:48 . 2007-12-20 01:48 <DIR> d-------- C:\Program Files\Spyware Doctor
    2007-12-20 01:48 . 2005-09-23 08:29 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
    2007-12-20 00:41 . 2007-12-20 00:41 <DIR> d-------- C:\Documents and Settings\Administrator\Dane aplikacji\Hamachi
    2007-12-20 00:40 . 2007-12-20 00:40 <DIR> d-------- C:\Program Files\Hamachi
    2007-12-20 00:40 . 2007-12-20 00:40 10,578 --a------ C:\WINDOWS\system32\drivers\hamachi.sys
    2007-12-16 18:25 . 2007-12-16 18:25 <DIR> d-------- C:\Documents and Settings\Administrator\Dane aplikacji\InstallShield
    2007-12-06 00:27 . 2007-12-06 00:27 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\PC Suite
    2007-12-06 00:26 . 2007-12-06 00:26 <DIR> d-------- C:\Program Files\PC Connectivity Solution
    2007-12-06 00:26 . 2007-12-06 00:26 <DIR> d-------- C:\Program Files\DIFX
    2007-12-06 00:26 . 2007-02-22 11:15 137,216 --a------ C:\WINDOWS\system32\drivers\nmwcd.sys
    2007-12-06 00:26 . 2007-02-22 11:15 65,536 --a------ C:\WINDOWS\system32\nmwcdcocls.dll
    2007-12-06 00:26 . 2007-02-22 11:15 12,288 --a------ C:\WINDOWS\system32\drivers\nmwcdcm.sys
    2007-12-06 00:26 . 2007-02-22 11:15 12,288 --a------ C:\WINDOWS\system32\drivers\nmwcdcj.sys
    2007-12-06 00:26 . 2007-02-22 11:15 8,320 --a------ C:\WINDOWS\system32\drivers\nmwcdc.sys

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2007-12-25 17:28 4,000 ----a-w C:\ao.dat
    2007-12-25 14:03 15,360 ----a-w C:\WINDOWS\system32\dllcache\ctfmon.exe
    2007-12-25 14:03 15,360 ----a-w C:\WINDOWS\system32\ctfmon.exe
    2007-12-24 23:35 2,322,432 ----a-w C:\WINDOWS\system32\JMRaidSetup.exe
    2007-12-21 08:59 107,888 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
    2007-12-07 17:28 7,680 ----a-w C:\WINDOWS\system32\ff_vfw.dll
    2007-12-04 01:33 682,496 ----a-w C:\WINDOWS\system32\divx.dll
    2007-11-29 22:30 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
    2007-11-29 22:28 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
    2007-11-13 19:43 --------- d-----w C:\Documents and Settings\Administrator\Dane aplikacji\mIRC
    2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
    2007-10-31 22:57 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
    2007-10-31 22:57 103,736 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
    2007-10-31 22:32 22,328 ----a-w C:\Documents and Settings\Administrator\Dane aplikacji\PnkBstrK.sys
    2007-10-30 23:26 3,590,656 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
    2007-10-29 22:44 1,291,264 ----a-w C:\WINDOWS\system32\quartz.dll
    2007-10-29 22:44 1,291,264 ----a-w C:\WINDOWS\system32\dllcache\quartz.dll
    2007-10-25 16:57 8,483,328 ----a-w C:\WINDOWS\system32\dllcache\shell32.dll
    2007-10-20 05:01 227,328 ----a-w C:\WINDOWS\system32\wmasf.dll
    2007-10-20 05:01 227,328 ----a-w C:\WINDOWS\system32\dllcache\wmasf.dll
    2007-10-12 22:19 13,653,824 ----a-w C:\WINDOWS\system32\xlivefnt.dll
    2007-10-12 22:19 10,155,840 ----a-w C:\WINDOWS\system32\xlive.dll
    2007-10-10 23:52 824,832 ----a-w C:\WINDOWS\system32\dllcache\wininet.dll
    2007-10-10 23:52 671,232 ----a-w C:\WINDOWS\system32\dllcache\mstime.dll
    2007-10-10 23:52 63,488 ------w C:\WINDOWS\system32\dllcache\icardie.dll
    2007-10-10 23:52 6,065,664 ------w C:\WINDOWS\system32\dllcache\ieframe.dll
    2007-10-10 23:52 52,224 ------w C:\WINDOWS\system32\dllcache\msfeedsbs.dll
    2007-10-10 23:52 478,208 ----a-w C:\WINDOWS\system32\dllcache\mshtmled.dll
    2007-10-10 23:52 459,264 ------w C:\WINDOWS\system32\dllcache\msfeeds.dll
    2007-10-10 23:52 44,544 ----a-w C:\WINDOWS\system32\dllcache\iernonce.dll
    2007-10-10 23:52 384,512 ----a-w C:\WINDOWS\system32\dllcache\iedkcs32.dll
    2007-10-10 23:52 383,488 ------w C:\WINDOWS\system32\dllcache\ieapfltr.dll
    2007-10-10 23:52 27,648 ----a-w C:\WINDOWS\system32\dllcache\jsproxy.dll
    2007-10-10 23:52 267,776 ------w C:\WINDOWS\system32\dllcache\iertutil.dll
    2007-10-10 23:52 232,960 ----a-w C:\WINDOWS\system32\dllcache\webcheck.dll
    2007-10-10 23:52 230,400 ----a-w C:\WINDOWS\system32\dllcache\ieaksie.dll
    2007-10-10 23:52 214,528 ----a-w C:\WINDOWS\system32\dllcache\dxtrans.dll
    2007-10-10 23:52 193,024 ----a-w C:\WINDOWS\system32\dllcache\msrating.dll
    2007-10-10 23:52 153,088 ----a-w C:\WINDOWS\system32\dllcache\ieakeng.dll
    2007-10-10 23:52 132,608 ----a-w C:\WINDOWS\system32\dllcache\extmgr.dll
    2007-10-10 23:52 124,928 ----a-w C:\WINDOWS\system32\dllcache\advpack.dll
    2007-10-10 23:52 105,984 ----a-w C:\WINDOWS\system32\dllcache\url.dll
    2007-10-10 23:52 102,400 ----a-w C:\WINDOWS\system32\dllcache\occache.dll
    2007-10-10 23:52 1,159,680 ----a-w C:\WINDOWS\system32\dllcache\urlmon.dll
    2007-10-10 11:03 70,656 ----a-w C:\WINDOWS\system32\dllcache\ie4uinit.exe
    2007-10-10 11:03 625,152 ----a-w C:\WINDOWS\system32\dllcache\iexplore.exe
    2007-10-10 10:59 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
    2007-10-10 05:46 161,792 ----a-w C:\WINDOWS\system32\dllcache\ieakui.dll
    2004-10-01 14:00 40,960 ----a-w C:\Program Files\Uninstall_CDS.exe
    2007-08-22 22:41 1,781 --sha-w C:\WINDOWS\system32\2357453822.dat
    2007-06-14 00:39 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Historia\History.IE5\MSHist012007061420070615\index.dat
    2007-06-21 03:42 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Historia\History.IE5\MSHist012007062120070622\index.dat
    2007-06-26 01:38 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Historia\History.IE5\MSHist012007062620070627\index.dat
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon"="RUNDLL32.exe" [2004-08-04 00:44 C:\WINDOWS\system32\rundll32.exe]
    "AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe" [2007-06-28 12:51]

    C:\Documents and Settings\Administrator\Menu Start\Programy\Autostart\
    Stardock ObjectDock.lnk - C:\Program Files\Stardock\ObjectDock\ObjectDock.exe [2007-08-26 15:44:50]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\MCPClient]
    C:\PROGRA~1\COMMON~1\Stardock\mcpstub.dll 2005-01-31 15:13 49152 C:\PROGRA~1\COMMON~1\Stardock\MCPStub.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll

    R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2007-04-04 14:58]
    R3 WmBEnum;Logitech Virtual Bus Enumerator Driver;C:\WINDOWS\system32\drivers\WmBEnum.sys [2004-04-14 11:08]
    R3 WmFilter;Logitech WingMan HID Filter Driver;C:\WINDOWS\system32\drivers\WmFilter.sys [2004-04-14 11:08]
    R3 WmXlCore;Logitech WingMan Translation Layer Driver;C:\WINDOWS\system32\drivers\WmXlCore.sys [2004-04-14 11:08]
    S3 gdrv;gdrv;C:\WINDOWS\gdrv.sys [2007-05-09 16:46]
    S3 WmVirHid;Logitech Virtual Hid Device Driver;C:\WINDOWS\system32\drivers\WmVirHid.sys [2004-04-14 11:08]

    .
    Contents of the 'Scheduled Tasks' folder
    "2007-12-20 17:26:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
    .
    **************************************************************************

    catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-12-26 11:23:34
    Windows 5.1.2600 Dodatek Service Pack 2 FAT NTAPI

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2900.3156]
    -> C:\Program Files\Stardock\ObjectDock\DockShellHook.dll
    .
    Completion time: 2007-12-26 11:25:43 - machine was rebooted
    C:\ComboFix3.txt ... 2007-12-25 15:12
    C:\ComboFix2.txt ... 2007-12-25 21:58
    .
    2007-12-20 13:27:49 --- E O F ---

  8. #18
    Junior Member
    Join Date
    Dec 2007
    Posts
    25

    Default

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:31:40, on 2007-12-26
    Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16574)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Ahead\InCD\InCDsrv.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Program Files\Trend Micro\HijackThis\white.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\pchealth\helpctr\System\panels\blank.htm
    O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_0_1.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
    O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
    O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Statystyki dla ochrony WWW - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
    O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MksSkanerOnline Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab
    O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
    O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
    O23 - Service: InCD Helper InCDsrvNetDDEdsdm (InCDsrvNetDDEdsdm) - Nero AG - (no file)
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
    O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe

    --
    End of file - 4873 bytes

  9. #19
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374

    Default

    Hi

    That seemed to work, great

    Re-scan with Kaspersky.

    Post:

    - a fresh HijackThis log
    - Kaspersky report
    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006

  10. #20
    Junior Member
    Join Date
    Dec 2007
    Posts
    25

    Default

    Wow, Kaspersky detected 9 viruses and 269 infected files.
    The log is in Polish, so if you need some translation, let me know.
    The log is too long, so I'll have to send it in 3 posts.

    -------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER REPORT
    26 grudzień 2007 13:28:31
    System operacyjny: Microsoft Windows XP Professional, Dodatek Service Pack 2 (Build 2600)
    Kaspersky Online Scanner wersja: 5.0.98.0
    Ostatnia aktualizacja Kaspersky Anti-Virus26/12/2007
    Liczba wpisów w bazie danych Kaspersky Anti-Virus494081
    -------------------------------------------------------------------------------

    Ustawienia skanowania:
    Skanowanie przy użyciu następujących baz danych: rozszerzone
    Skanuj archiwa: tak
    Skanuj pocztowe bazy danych: tak

    Obszar skanowania - Mój komputer:
    A:\
    C:\
    D:\
    E:\

    Statystyki skanowania:
    Liczba skanowanych obiektów: 112839
    Liczba wykrytych wirusów: 9
    Liczba zainfekowanych obiektów: 269
    Liczba podejrzanych obiektów: 0
    Czas trwania skanowania: 01:45:12

    Nazwa zainfekowanego obiektu / Nazwa wirusa / Ostatnie działanie
    C:\WINDOWS\system32\config\system.LOG Object is locked pominięty
    C:\WINDOWS\system32\config\software.LOG Object is locked pominięty
    C:\WINDOWS\system32\config\default.LOG Object is locked pominięty
    C:\WINDOWS\system32\config\SAM.LOG Object is locked pominięty
    C:\WINDOWS\system32\config\SECURITY.LOG Object is locked pominięty
    C:\WINDOWS\system32\config\AppEvent.Evt Object is locked pominięty
    C:\WINDOWS\system32\config\SecEvent.Evt Object is locked pominięty
    C:\WINDOWS\system32\config\SysEvent.Evt Object is locked pominięty
    C:\WINDOWS\system32\config\OSession.evt Object is locked pominięty
    C:\WINDOWS\system32\config\ODiag.evt Object is locked pominięty
    C:\WINDOWS\system32\config\Internet.evt Object is locked pominięty
    C:\WINDOWS\system32\config\SECURITY Object is locked pominięty
    C:\WINDOWS\system32\config\SOFTWARE Object is locked pominięty
    C:\WINDOWS\system32\config\SYSTEM Object is locked pominięty
    C:\WINDOWS\system32\config\DEFAULT Object is locked pominięty
    C:\WINDOWS\system32\config\SAM Object is locked pominięty
    C:\WINDOWS\system32\drivers\sptd.sys Object is locked pominięty
    C:\WINDOWS\system32\drivers\fidbox.idx Object is locked pominięty
    C:\WINDOWS\system32\drivers\fidbox.dat Object is locked pominięty
    C:\WINDOWS\system32\drivers\fidbox2.idx Object is locked pominięty
    C:\WINDOWS\system32\drivers\fidbox2.dat Object is locked pominięty
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked pominięty
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked pominięty
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked pominięty
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked pominięty
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked pominięty
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked pominięty
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked pominięty
    C:\WINDOWS\system32\CatRoot2\edb.log Object is locked pominięty
    C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked pominięty
    C:\WINDOWS\system32\h323log.txt Object is locked pominięty
    C:\WINDOWS\system32\JMRaidSetup.exe Zainfekowanych: not-a-virus:AdWare.Win32.Virtumonde.cli pominięty
    C:\WINDOWS\Debug\PASSWD.LOG Object is locked pominięty
    C:\WINDOWS\wiaservc.log Object is locked pominięty
    C:\WINDOWS\wiadebug.log Object is locked pominięty
    C:\WINDOWS\Sti_Trace.log Object is locked pominięty
    C:\WINDOWS\WindowsUpdate.log Object is locked pominięty
    C:\WINDOWS\SchedLgU.Txt Object is locked pominięty
    C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked pominięty
    C:\WINDOWS\JM\JMInsIDE.exe Zainfekowanych: not-a-virus:AdWare.Win32.Virtumonde.cli pominięty
    C:\WINDOWS\tmp5967729.log Zainfekowanych: Trojan-Clicker.Win32.Delf.hh pominięty
    C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked pominięty
    C:\Documents and Settings\NetworkService\Ustawienia lokalne\Dane aplikacji\Microsoft\Windows\UsrClass.dat Object is locked pominięty
    C:\Documents and Settings\NetworkService\Ustawienia lokalne\Dane aplikacji\Microsoft\Windows\UsrClass.dat.LOG Object is locked pominięty
    C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked pominięty
    C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked pominięty
    C:\Documents and Settings\LocalService\Ustawienia lokalne\Historia\History.IE5\index.dat Object is locked pominięty
    C:\Documents and Settings\LocalService\Ustawienia lokalne\Temporary Internet Files\Content.IE5\index.dat Object is locked pominięty
    C:\Documents and Settings\LocalService\Ustawienia lokalne\Dane aplikacji\Microsoft\Windows\UsrClass.dat Object is locked pominięty
    C:\Documents and Settings\LocalService\Ustawienia lokalne\Dane aplikacji\Microsoft\Windows\UsrClass.dat.LOG Object is locked pominięty
    C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked pominięty
    C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked pominięty
    C:\Documents and Settings\Administrator\NTUSER.DAT Object is locked pominięty
    C:\Documents and Settings\Administrator\Ustawienia lokalne\Historia\History.IE5\index.dat Object is locked pominięty
    C:\Documents and Settings\Administrator\Ustawienia lokalne\Temporary Internet Files\Content.IE5\index.dat Object is locked pominięty
    C:\Documents and Settings\Administrator\Ustawienia lokalne\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked pominięty
    C:\Documents and Settings\Administrator\Ustawienia lokalne\Dane aplikacji\Microsoft\Windows\UsrClass.dat Object is locked pominięty
    C:\Documents and Settings\Administrator\Ustawienia lokalne\Dane aplikacji\Microsoft\Windows\UsrClass.dat.LOG Object is locked pominięty
    C:\Documents and Settings\Administrator\Ustawienia lokalne\Dane aplikacji\Mozilla\Firefox\Profiles\fyont9gv.default\Cache\_CACHE_MAP_ Object is locked pominięty
    C:\Documents and Settings\Administrator\Ustawienia lokalne\Dane aplikacji\Mozilla\Firefox\Profiles\fyont9gv.default\Cache\_CACHE_001_ Object is locked pominięty
    C:\Documents and Settings\Administrator\Ustawienia lokalne\Dane aplikacji\Mozilla\Firefox\Profiles\fyont9gv.default\Cache\_CACHE_002_ Object is locked pominięty
    C:\Documents and Settings\Administrator\Ustawienia lokalne\Dane aplikacji\Mozilla\Firefox\Profiles\fyont9gv.default\Cache\_CACHE_003_ Object is locked pominięty
    C:\Documents and Settings\Administrator\Cookies\index.dat Object is locked pominięty
    C:\Documents and Settings\Administrator\Dane aplikacji\Mozilla\Firefox\Profiles\fyont9gv.default\history.dat Object is locked pominięty
    C:\Documents and Settings\Administrator\Dane aplikacji\Mozilla\Firefox\Profiles\fyont9gv.default\cert8.db Object is locked pominięty
    C:\Documents and Settings\Administrator\Dane aplikacji\Mozilla\Firefox\Profiles\fyont9gv.default\key3.db Object is locked pominięty
    C:\Documents and Settings\Administrator\Dane aplikacji\Mozilla\Firefox\Profiles\fyont9gv.default\parent.lock Object is locked pominięty
    C:\Documents and Settings\Administrator\Dane aplikacji\Mozilla\Firefox\Profiles\fyont9gv.default\search.sqlite Object is locked pominięty
    C:\Documents and Settings\Administrator\Dane aplikacji\Mozilla\Firefox\Profiles\fyont9gv.default\urlclassifier2.sqlite Object is locked pominięty
    C:\Documents and Settings\Administrator\Dane aplikacji\Mozilla\Firefox\Profiles\fyont9gv.default\formhistory.dat Object is locked pominięty
    C:\Documents and Settings\Administrator\ntuser.dat.LOG Object is locked pominięty
    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe Zainfekowanych: not-a-virus:AdWare.Win32.Virtumonde.cli pominięty
    C:\Program Files\Sony\SonicStage\SsAAD.exe Zainfekowanych: not-a-virus:AdWare.Win32.Virtumonde.cli pominięty
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe Zainfekowanych: not-a-virus:AdWare.Win32.Virtumonde.cli pominięty
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe Zainfekowanych: not-a-virus:AdWare.Win32.Virtumonde.cli pominięty
    C:\System Volume Information\_restore{0555D77D-79AC-4D93-968B-A29880FA3240}\RP286\A0059442.dll Zainfekowanych: not-a-virus:FraudTool.Win32.BraveSentry.b pominięty
    C:\System Volume Information\_restore{0555D77D-79AC-4D93-968B-A29880FA3240}\RP286\A0059450.exe Zainfekowanych: not-virus:Hoax.Win32.Renos.wk pominięty
    C:\System Volume Information\_restore{0555D77D-79AC-4D93-968B-A29880FA3240}\RP287\A0059526.dll Zainfekowanych: not-a-virus:AdWare.Win32.Virtumonde.clc pominięty
    C:\System Volume Information\_restore{0555D77D-79AC-4D93-968B-A29880FA3240}\RP287\A0059528.exe Zainfekowanych: not-a-virus:AdWare.Win32.Virtumonde.cli pominięty
    C:\System Volume Information\_restore{0555D77D-79AC-4D93-968B-A29880FA3240}\RP287\A0059541.exe Zainfekowanych: not-a-virus:AdWare.Win32.Virtumonde.cli pominięty
    C:\System Volume Information\_restore{0555D77D-79AC-4D93-968B-A29880FA3240}\RP287\A0059542.exe Zainfekowanych: not-a-virus:AdWare.Win32.Virtumonde.cli pominięty
    C:\System Volume Information\_restore{0555D77D-79AC-4D93-968B-A29880FA3240}\RP287\A0059543.exe Zainfekowanych: not-a-virus:AdWare.Win32.Virtumonde.cli pominięty
    C:\System Volume Information\_restore{0555D77D-79AC-4D93-968B-A29880FA3240}\RP287\A0059545.exe Zainfekowanych: not-a-virus:AdWare.Win32.Virtumonde.cli pominięty
    C:\System Volume Information\_restore{0555D77D-79AC-4D93-968B-A29880FA3240}\RP287\A0059546.exe Zainfekowanych: not-a-virus:AdWare.Win32.Virtumonde.cli pominięty
    C:\System Volume Information\_restore{0555D77D-79AC-4D93-968B-A29880FA3240}\RP287\A0059547.exe Zainfekowanych: not-a-virus:AdWare.Win32.Virtumonde.cli pominięty
    C:\System Volume Information\_restore{0555D77D-79AC-4D93-968B-A29880FA3240}\RP287\A0059548.exe Zainfekowanych: not-a-virus:AdWare.Win32.Virtumonde.cli pominięty
    C:\System Volume Information\_restore{0555D77D-79AC-4D93-968B-A29880FA3240}\RP287\A0059549.exe Zainfekowanych: not-a-virus:AdWare.Win32.Virtumonde.cli pominięty
    C:\System Volume Information\_restore{0555D77D-79AC-4D93-968B-A29880FA3240}\RP287\A0059550.exe Zainfekowanych: not-a-virus:AdWare.Win32.Virtumonde.cli pominięty
    C:\System Volume Information\_restore{0555D77D-79AC-4D93-968B-A29880FA3240}\RP287\A0059552.exe Zainfekowanych: not-a-virus:AdWare.Win32.Virtumonde.cli pominięty
    C:\System Volume Information\_restore{0555D77D-79AC-4D93-968B-A29880FA3240}\RP288\A0059595.dll Zainfekowanych: not-a-virus:AdWare.Win32.Virtumonde.clc pominięty
    C:\System Volume Information\_restore{0555D77D-79AC-4D93-968B-A29880FA3240}\RP288\A0059596.dll Zainfekowanych: not-a-virus:AdWare.Win32.BHO.aj pominięty
    C:\System Volume Information\_restore{0555D77D-79AC-4D93-968B-A29880FA3240}\RP288\A0059598.exe Zainfekowanych: not-a-virus:AdWare.Win32.Virtumonde.cli pominięty
    C:\System Volume Information\_restore{0555D77D-79AC-4D93-968B-A29880FA3240}\RP288\A0060544.EXE Zainfekowanych: not-a-virus:AdWare.Win32.Virtumonde.cli pominięty
    C:\System Volume Information\_restore{0555D77D-79AC-4D93-968B-A29880FA3240}\RP288\A0060545.EXE Zainfekowanych: not-a-virus:AdWare.Win32.Virtumonde.cli pominięty
    C:\System Volume Information\_restore{0555D77D-79AC-4D93-968B-A29880FA3240}\RP288\A0060546.exe Zainfekowanych: not-a-virus:AdWare.Win32.Virtumonde.cli pominięty
    C:\System Volume Information\_restore{0555D77D-79AC-4D93-968B-A29880FA3240}\RP288\A0060547.exe Zainfekowanych: not-a-virus:AdWare.Win32.Virtumonde.cli pominięty
    C:\System Volume Information\_restore{0555D77D-79AC-4D93-968B-A29880FA3240}\RP288\A0060548.exe Zainfekowanych: not-a-virus:AdWare.Win32.Virtumonde.cli pominięty
    C:\System Volume Information\_restore{0555D77D-79AC-4D93-968B-A29880FA3240}\RP288\A0060549.EXE Zainfekowanych: not-a-virus:AdWare.Win32.Virtumonde.cli pominięty
    C:\System Volume Information\_restore{0555D77D-79AC-4D93-968B-A29880FA3240}\RP288\A0060550.exe Zainfekowanych: not-a-virus:AdWare.Win32.Virtumonde.cli pominięty
    C:\System Volume Information\_restore{0555D77D-79AC-4D93-968B-A29880FA3240}\RP288\A0060551.exe Zainfekowanych: not-a-virus:AdWare.Win32.Virtumonde.cli pominięty
    C:\System Volume Information\_restore{0555D77D-79AC-4D93-968B-A29880FA3240}\RP288\A0060552.exe Zainfekowanych: not-a-virus:AdWare.Win32.Virtumonde.cli pominięty
