ComboFix log, part 3:
C:\pos68.tmp
C:\pos680.tmp
C:\pos681.tmp
C:\pos682.tmp
C:\pos683.tmp
C:\pos684.tmp
C:\pos685.tmp
C:\pos686.tmp
C:\pos687.tmp
C:\pos688.tmp
C:\pos689.tmp
C:\pos68A.tmp
C:\pos68B.tmp
C:\pos68C.tmp
C:\pos68D.tmp
C:\pos68E.tmp
C:\pos68F.tmp
C:\pos69.tmp
C:\pos690.tmp
C:\pos691.tmp
C:\pos692.tmp
C:\pos693.tmp
C:\pos694.tmp
C:\pos695.tmp
C:\pos696.tmp
C:\pos697.tmp
C:\pos698.tmp
C:\pos699.tmp
C:\pos69A.tmp
C:\pos69B.tmp
C:\pos69C.tmp
C:\pos69D.tmp
C:\pos69E.tmp
C:\pos69F.tmp
C:\pos6A.tmp
C:\pos6A0.tmp
C:\pos6A1.tmp
C:\pos6A2.tmp
C:\pos6A3.tmp
C:\pos6A4.tmp
C:\pos6A5.tmp
C:\pos6A6.tmp
C:\pos6A7.tmp
C:\pos6A8.tmp
C:\pos6A9.tmp
C:\pos6AA.tmp
C:\pos6AB.tmp
C:\pos6AC.tmp
C:\pos6AD.tmp
C:\pos6AE.tmp
C:\pos6AF.tmp
C:\pos6B.tmp
C:\pos6B0.tmp
C:\pos6B1.tmp
C:\pos6B2.tmp
C:\pos6B3.tmp
C:\pos6B4.tmp
C:\pos6B5.tmp
C:\pos6B6.tmp
C:\pos6B7.tmp
C:\pos6B8.tmp
C:\pos6B9.tmp
C:\pos6BA.tmp
C:\pos6BB.tmp
C:\pos6BC.tmp
C:\pos6BD.tmp
C:\pos6BE.tmp
C:\pos6BF.tmp
C:\pos6C.tmp
C:\pos6C0.tmp
C:\pos6C1.tmp
C:\pos6C2.tmp
C:\pos6C3.tmp
C:\pos6C4.tmp
C:\pos6C5.tmp
C:\pos6C6.tmp
C:\pos6C7.tmp
C:\pos6C8.tmp
C:\pos6C9.tmp
C:\pos6CA.tmp
C:\pos6CB.tmp
C:\pos6CC.tmp
C:\pos6CD.tmp
C:\pos6D.tmp
C:\pos6E.tmp
C:\pos6F.tmp
C:\pos7.tmp
C:\pos70.tmp
C:\pos71.tmp
C:\pos72.tmp
C:\pos73.tmp
C:\pos74.tmp
C:\pos75.tmp
C:\pos76.tmp
C:\pos77.tmp
C:\pos78.tmp
C:\pos79.tmp
C:\pos7A.tmp
C:\pos7B.tmp
C:\pos7C.tmp
C:\pos7D.tmp
C:\pos7E.tmp
C:\pos7F.tmp
C:\pos8.tmp
C:\pos80.tmp
C:\pos81.tmp
C:\pos82.tmp
C:\pos83.tmp
C:\pos84.tmp
C:\pos85.tmp
C:\pos86.tmp
C:\pos87.tmp
C:\pos88.tmp
C:\pos89.tmp
C:\pos8A.tmp
C:\pos8B.tmp
C:\pos8C.tmp
C:\pos8D.tmp
C:\pos8E.tmp
C:\pos8F.tmp
C:\pos9.tmp
C:\pos90.tmp
C:\pos91.tmp
C:\pos92.tmp
C:\pos93.tmp
C:\pos94.tmp
C:\pos95.tmp
C:\pos96.tmp
C:\pos97.tmp
C:\pos98.tmp
C:\pos99.tmp
C:\pos9A.tmp
C:\pos9B.tmp
C:\pos9C.tmp
C:\pos9D.tmp
C:\pos9E.tmp
C:\pos9F.tmp
C:\posA.tmp
C:\posA0.tmp
C:\posA1.tmp
C:\posA2.tmp
C:\posA3.tmp
C:\posA4.tmp
C:\posA5.tmp
C:\posA6.tmp
C:\posA7.tmp
C:\posA8.tmp
C:\posA9.tmp
C:\posAA.tmp
C:\posAB.tmp
C:\posAC.tmp
C:\posAD.tmp
C:\posAE.tmp
C:\posAF.tmp
C:\posB.tmp
C:\posB0.tmp
C:\posB1.tmp
C:\posB2.tmp
C:\posB3.tmp
C:\posB4.tmp
C:\posB5.tmp
C:\posB6.tmp
C:\posB7.tmp
C:\posB8.tmp
C:\posB9.tmp
C:\posBA.tmp
C:\posBB.tmp
C:\posBC.tmp
C:\posBD.tmp
C:\posBE.tmp
C:\posBF.tmp
C:\posC.tmp
C:\posC0.tmp
C:\posC1.tmp
C:\posC2.tmp
C:\posC3.tmp
C:\posC4.tmp
C:\posC5.tmp
C:\posC6.tmp
C:\posC7.tmp
C:\posC8.tmp
C:\posC9.tmp
C:\posCA.tmp
C:\posCB.tmp
C:\posCC.tmp
C:\posCD.tmp
C:\posCE.tmp
C:\posCF.tmp
C:\posD.tmp
C:\posD0.tmp
C:\posD1.tmp
C:\posD2.tmp
C:\posD3.tmp
C:\posD4.tmp
C:\posD5.tmp
C:\posD6.tmp
C:\posD7.tmp
C:\posD8.tmp
C:\posD9.tmp
C:\posDA.tmp
C:\posDB.tmp
C:\posDC.tmp
C:\posDD.tmp
C:\posDE.tmp
C:\posDF.tmp
C:\posE.tmp
C:\posE0.tmp
C:\posE1.tmp
C:\posE2.tmp
C:\posE3.tmp
C:\posE4.tmp
C:\posE5.tmp
C:\posE6.tmp
C:\posE7.tmp
C:\posE8.tmp
C:\posE9.tmp
C:\posEA.tmp
C:\posEB.tmp
C:\posEC.tmp
C:\posED.tmp
C:\posEE.tmp
C:\posEF.tmp
C:\posF.tmp
C:\posF0.tmp
C:\posF1.tmp
C:\posF2.tmp
C:\posF3.tmp
C:\posF4.tmp
C:\posF5.tmp
C:\posF6.tmp
C:\posF7.tmp
C:\posF8.tmp
C:\posF9.tmp
C:\posFA.tmp
C:\posFB.tmp
C:\posFC.tmp
C:\posFD.tmp
C:\posFE.tmp
C:\posFF.tmp
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\ctfmon.exe.tmp
C:\WINDOWS\system32\gebyv.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\msvcsv60.dll
C:\WINDOWS\system32\rbcvuxrp.ini
C:\WINDOWS\system32\vybeg.ini
C:\WINDOWS\system32\vybeg.ini2
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\LEGACY_DOMAINSERVICE
((((((((((((((((((((((((( Files Created from 2007-12-15 to 2008-01-15 )))))))))))))))))))))))))))))))
.
2008-01-15 13:50 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-15 02:33 . 2008-01-15 14:42 2,128,928 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-01-15 02:33 . 2008-01-15 14:42 7,148 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-01-15 01:36 . 2008-01-15 14:42 9,504 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-01-15 01:36 . 2008-01-15 14:42 1,940 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2008-01-15 01:19 . 2008-01-15 01:19 <DIR> d-------- C:\Program Files\Kaspersky Lab
2008-01-15 01:19 . 2008-01-15 13:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-01-15 01:13 . 2008-01-15 01:13 <DIR> d-------- C:\KAV
2008-01-14 18:04 . 2008-01-14 19:48 <DIR> d-------- C:\VundoFix Backups
2008-01-13 11:52 . 2008-01-14 00:16 <DIR> d-------- C:\Documents and Settings\User\Application Data\Uniblue
2008-01-13 11:46 . 2008-01-13 23:51 <DIR> d-------- C:\Program Files\Uniblue
2008-01-12 03:23 . 2008-01-14 21:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-01-11 20:25 . 2008-01-11 20:25 <DIR> d-------- C:\Program Files\AVI MPEG RM WMV Joiner
2008-01-07 23:40 . 2008-01-15 13:28 15,360 --a------ C:\WINDOWS\system32\ctfmon .exe
2008-01-07 15:58 . 2008-01-07 19:24 <DIR> d-------- C:\DVD_01_1
2008-01-07 14:46 . 2008-01-07 14:47 1,067 --a------ C:\WINDOWS\ARPR.INI
2008-01-07 13:46 . 2008-01-07 13:46 <DIR> d-------- C:\WINDOWS\WinAVI Video Converter 9.0
2008-01-07 13:46 . 2008-01-07 13:46 <DIR> d-------- C:\Program Files\WinAVI Video Converter 9.0
2008-01-06 00:00 . 2008-01-06 00:00 <DIR> d-------- C:\Program Files\uTorrent
2008-01-06 00:00 . 2008-01-14 00:16 <DIR> d-------- C:\Documents and Settings\User\Application Data\uTorrent
2008-01-05 14:59 . 2008-01-14 14:39 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-05 14:59 . 2008-01-05 14:59 1,409 --a------ C:\WINDOWS\QTFont.for
2008-01-05 13:42 . 2008-01-05 13:42 <DIR> d-------- C:\Documents and Settings\User\Application Data\Flickr
2008-01-05 13:41 . 2008-01-05 13:42 <DIR> d-------- C:\Program Files\Flickr Uploadr
2008-01-04 16:27 . 2008-01-05 00:15 <DIR> d-------- C:\Documents and Settings\User\Application Data\FileZilla
2008-01-04 15:51 . 2008-01-04 15:51 <DIR> d-------- C:\NFRoot
2008-01-04 15:47 . 2008-01-04 15:47 <DIR> d-------- C:\Program Files\FileZilla FTP Client
2008-01-04 15:46 . 2008-01-04 16:00 <DIR> d-------- C:\Program Files\Fastream IQ Web FTP Server GUI
2008-01-04 15:45 . 2008-01-04 19:23 <DIR> d-------- C:\Program Files\Fastream IQ Web FTP Server Engine
2008-01-04 15:04 . 2008-01-04 15:04 <DIR> d-------- C:\Program Files\Ableton
2008-01-04 15:03 . 2003-06-20 12:28 1,777,664 --a------ C:\WINDOWS\system32\gdiplus.dll
2008-01-01 12:41 . 2007-03-17 11:11 675,840 -ra------ C:\WINDOWS\system32\hpowiax3.dll
2008-01-01 12:41 . 2007-03-17 11:11 569,344 -ra------ C:\WINDOWS\system32\hpotscl3.dll
2008-01-01 12:41 . 2007-03-17 11:11 303,104 -ra------ C:\WINDOWS\system32\hpovst10.dll
2007-12-31 16:22 . 2007-12-31 16:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Hewlett-Packard
2007-12-31 16:22 . 2007-03-07 23:20 49,920 -ra------ C:\WINDOWS\system32\drivers\HPZid412.sys
2007-12-31 16:22 . 2007-03-07 23:20 16,496 -ra------ C:\WINDOWS\system32\drivers\HPZipr12.sys
2007-12-31 16:21 . 2007-03-07 23:20 364,544 -ra------ C:\WINDOWS\system32\hppldcoi.dll
2007-12-31 16:21 . 2007-03-07 23:20 309,760 -ra------ C:\WINDOWS\system32\difxapi.dll
2007-12-31 16:21 . 2007-03-30 10:07 267,864 -ra------ C:\WINDOWS\system32\hpzids01.dll
2007-12-31 16:21 . 2007-03-28 14:01 117,760 --a------ C:\WINDOWS\system32\hpzll5ha.dll
2007-12-31 16:21 . 2007-03-07 23:20 21,568 -ra------ C:\WINDOWS\system32\drivers\HPZius12.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-15 18:27 96,256 ----a-w C:\WINDOWS\system32\drivers\sptd0253.sys
2008-01-15 17:34 --------- d-----w C:\Program Files\QuickTime
2008-01-14 02:47 --------- d-----w C:\Program Files\Apple Software Update
2008-01-13 17:07 --------- d-----w C:\Program Files\Soulseek-Test
2008-01-11 00:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2008-01-09 00:12 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-04 20:04 --------- d-----w C:\Documents and Settings\User\Application Data\Ableton
2008-01-04 06:14 --------- d-----w C:\Program Files\Soulseek
2008-01-03 23:40 --------- d-----w C:\Documents and Settings\User\Application Data\RipIt4Me
2007-12-27 08:42 --------- d-----w C:\Program Files\Yahoo!
2007-12-27 08:41 --------- d-----w C:\Program Files\CyberLink DVD Solution
2007-12-27 08:37 --------- d-----w C:\Program Files\Sonic Foundry
2007-12-24 07:46 --------- d-----w C:\Documents and Settings\User\Application Data\REAPER
2007-12-07 17:21 --------- d-----w C:\Program Files\REAPER
2007-11-23 21:07 --------- d-----w C:\Program Files\Freecorder
2007-11-23 00:15 560 ----a-w C:\Documents and Settings\User\Application Data\ViewerApp.dat
2007-11-18 07:41 --------- d-----w C:\Program Files\Waves
2007-11-18 07:40 --------- d-----w C:\Program Files\Common Files\PACE Anti-Piracy
2007-11-18 07:40 --------- d-----w C:\Documents and Settings\User\Application Data\Waves Audio
2007-11-18 07:40 --------- d-----w C:\Documents and Settings\User\Application Data\PACE Anti-Piracy
2007-11-18 07:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\PACE Anti-Piracy
2007-11-18 07:36 72,032 ----a-w C:\WINDOWS\system32\drivers\TPkd.sys
2007-11-18 07:36 27,328 ----a-w C:\WINDOWS\system32\drivers\iLokDrvr.sys
2007-11-17 22:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\yahoo!
2007-11-16 03:10 --------- d-----w C:\Program Files\Common Files\Scanner
2007-11-16 02:45 --------- d-----w C:\Program Files\Windows Live
2007-11-16 02:44 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2007-11-16 02:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2007-11-15 22:34 --------- d-----w C:\Program Files\iZotope
2007-05-24 02:42 298 ----a-w C:\Program Files\INSTALL.LOG
2004-03-11 17:27 40,960 ----a-w C:\Program Files\Uninstall_CDS.exe
.
----a-w 1,871,872 2008-01-15 18:28:38 C:\Program Files\Ahead\Nero BackItUp\NBJ .exe
----a-w 2,234,368 2008-01-15 18:28:13 C:\Program Files\Ahead\Nero BackItUp\NBJ .exe
----a-w 2,234,368 2008-01-15 18:20:09 C:\Program Files\Ahead\Nero BackItUp\NBJ .exe
----a-w 2,234,368 2008-01-15 18:10:06 C:\Program Files\Ahead\Nero BackItUp\NBJ .exe
----a-w 231,952 2008-01-15 18:28:28 C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp .exe
----a-w 231,952 2008-01-15 19:44:28 C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp .exe
----a-w 569,856 2008-01-15 18:20:11 C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp .exe
----a-w 1,877,272 2008-01-14 16:05:49 C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster .exe
----a-w 9,495,832 2008-01-14 16:06:35 C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC .exe
----a-w 1,269,000 2008-01-14 16:05:47 C:\Program Files\Uniblue\SpyEraser\SpyEraser .exe
----a-w 224,248 2008-01-15 07:32:42 C:\Program Files\Yahoo!\Search Protection\SearchProtection .exe
----a-w 15,360 2008-01-15 18:28:31 C:\WINDOWS\system32\ctfmon .exe
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{a00a30d9-2b3e-42a6-87c1-97d471064a21}]
C:\WINDOWS\system32\dkvgmhbx.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00 15360]
"NBJ"="C:\Program Files\Ahead\Nero BackItUp\NBJ .exe" [2008-01-15 13:28 1871872]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp .exe" [2008-01-15 14:44 231952]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 07:00 15360]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 15:38 39264]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\opnnkjk]
opnnkjk.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\\WINDOWS\\system32\\gebyv
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBJ]
C:\Program Files\Ahead\Nero BackItUp\NBJ.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2007-12-17 17:13 3810544 C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe
R1 Asapi;Asapi;C:\WINDOWS\system32\drivers\Asapi.sys [2002-04-17 19:27]
R2 NFService;Fastream IQ Web/FTP Server;C:\PROGRA~1\FASTRE~1\IQWebFTPServerEngine.exe [2007-07-21 13:28]
R3 CLEDX;Team H2O CLEDX service;C:\WINDOWS\system32\DRIVERS\cledx.sys [2005-05-09 20:08]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a910635d-19d7-11da-952a-806d6172696f}]
\Shell\AutoRun\command - D:\setup.exe
.
Contents of the 'Scheduled Tasks' folder
"2008-01-15 19:46:20 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-15 14:43:34
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
C:\WINDOWS\system32\gebyv.dll 324608 bytes executable
scan completed successfully
hidden files: 1
**************************************************************************
.
Completion time: 2008-01-15 14:47:27 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-15 19:47:23
.
2008-01-11 22:37:58 --- E O F ---
Thanks again!