Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 19:17:41, on 7.5.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\TrojanHunter 4.6\THGuard.exe
C:\Program Files\Ashampoo\Ashampoo FireWall PRO\FireWall.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ICQ6\ICQ.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\OETRN.EXE
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Azureus\Azureus.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\AMD X2\Plocha\HiJackThis_v2.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.icq.com/search/search_frame.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://google.icq.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.icq.com/start
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll
O2 - BHO: XTTBPos00 - {055FD26D-3A88-4e15-963D-DC8493744B1D} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll
O2 - BHO: Podpora odkazu pro Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WebTransBHO Class - {2DB66063-BB98-466A-AA0D-3E7ACF5ED853} - C:\WINDOWS\WebIE.dll
O2 - BHO: (no name) - {4BD64A3C-ACF6-4BC3-9249-7682368226A2} - C:\WINDOWS\system32\jkkjk.dll
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: (no name) - {7AC06F58-F80C-4940-A14C-E09FE77F9DD2} - C:\WINDOWS\system32\ddcyyay.dll
O2 - BHO: (no name) - {D651AFF4-9590-424d-BD1E-8E33E090DFB3} - C:\WINDOWS\system32\qwegpvyt.dll
O2 - BHO: BearShareMediaBar BHO - {E49CE891-CD83-4841-8CC9-6E284D7978D0} - C:\Program Files\BearShare Applications\MediaBar\1.bin\BEARSMBR.DLL
O3 - Toolbar: BearShare Media Bar - {E49CE899-CD83-4841-8CC9-6E284D7978D0} - C:\Program Files\BearShare Applications\MediaBar\1.bin\BEARSMBR.DLL
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll
O3 - Toolbar: WebTranslator - {BFC32E1D-EE75-4A48-BC60-104E11EE2431} - C:\WINDOWS\WebIE.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.6\THGuard.exe"
O4 - HKLM\..\Run: [WindowsService] rundll32.exe "C:\WINDOWS\system32\ilpxjyad.dll",realset
O4 - HKLM\..\Run: [Ashampoo FireWall PRO] "C:\Program Files\Ashampoo\Ashampoo FireWall PRO\FireWall.exe" -TRAY
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ICQ] "C:\Program Files\ICQ6\ICQ.exe" silent
O4 - HKCU\..\Run: [OEXPRESS] C:\WINDOWS\OETRN.EXE
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Stardock ObjectDock.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat\ObjectDock\ObjectDock.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Program Files\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Odeslat do aplikace OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: Od&eslat do aplikace OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: WebTran - {7E6A20FB-153F-402c-A84B-1A64E1955D3D} - C:\WINDOWS\WebIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe (file missing)
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe (file missing)
O9 - Extra button: (no name) - {BFC32E1D-EE75-4A48-BC60-104E11EE2431} - (no file)
O9 - Extra button: (no name) - {CC963627-B1DC-40E0-B52A-CF21EE748449} - C:\WINDOWS\WebIE.dll
O9 - Extra 'Tools' menuitem: &Nastavit překladač - {CC963627-B1DC-40E0-B52A-CF21EE748449} - C:\WINDOWS\WebIE.dll
O9 - Extra button: (no name) - {CC963627-B1DC-40E0-B52A-CF21EE748450} - C:\WINDOWS\WebIE.dll
O9 - Extra 'Tools' menuitem: &Slovník - {CC963627-B1DC-40E0-B52A-CF21EE748450} - C:\WINDOWS\WebIE.dll
O9 - Extra button: (no name) - {CC963627-B1DC-40E0-B52A-CF21EE748451} - C:\WINDOWS\WebIE.dll
O9 - Extra 'Tools' menuitem: Přeložit &označený text - {CC963627-B1DC-40E0-B52A-CF21EE748451} - C:\WINDOWS\WebIE.dll
O9 - Extra button: (no name) - {CC963627-B1DC-40E0-B52A-CF21EE748452} - C:\WINDOWS\WebIE.dll
O9 - Extra 'Tools' menuitem: Přeložit &stránku - {CC963627-B1DC-40E0-B52A-CF21EE748452} - C:\WINDOWS\WebIE.dll
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v4.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~3\Office12\GR99D3~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: ddcyyay - C:\WINDOWS\SYSTEM32\ddcyyay.dll
O20 - Winlogon Notify: jkkjk - C:\WINDOWS\system32\jkkjk.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Proces mezipaměti kategorií součástí - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
--
End of file - 10024 bytes
HijackThis log, help, virus
First we'll remove the main piece of junk.
Follow this guide.
I just have two notes on it:
1. As soon as you start VundoFix, click Scan for Vundo
2. VundoFix may start again after the reboot; in that case repeat the VundoFix procedure.
Then paste the VundoFix log here; it will be at C:\VundoFix.txt
Also rename HiJackThis_v2.exe to Analyse.exe and paste the log from that renamed file here.
So then post the HJT log and the VundoFix log here.
What?
You mean the scanning?
Then stop it.
Download ComboFix and run it.
Follow the instructions; while ComboFix is running, don't click into the window that appears, because that can stop the process.
When it finishes, a log is created; paste its contents here.
(The computer may restart; that happens because ComboFix found infected files and restarts the PC to delete them.)
"AMD X2" - 2007-05-07 20:13:45 Service Pack 2
ComboFix 07-05.07.3.V - Running from: "C:\Documents and Settings\AMD X2\Plocha\"
(((((((((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))
C:\WINDOWS\system32\ilpxjyad.dll
C:\WINDOWS\system32\qwegpvyt.dll
C:\WINDOWS\system32\dayjxpli.ini
C:\WINDOWS\system32\ddcyyay.dll
* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
C:\WINDOWS\system32\bund1\temp.txt
C:\WINDOWS\system32\taskmgr.com
C:\WINDOWS\regedit.com
C:\WINDOWS\system32\bund1
((((((((((((((((((((((((((((((( Files Created from 2007-04-07 to 2007-05-07 ))))))))))))))))))))))))))))))))))
2007-05-07 19:30 <DIR> d-------- C:\VundoFix Backups
2007-05-07 10:29 <DIR> d-------- C:\Program Files\Ashampoo
2007-05-07 10:06 491,520 --a------ C:\WINDOWS\WebIE.dll
2007-05-07 10:06 45,056 --a------ C:\WINDOWS\TRNOEH.DLL
2007-05-07 10:06 352,256 --a------ C:\WINDOWS\TrnOutl.dll
2007-05-07 10:06 299,008 --a------ C:\WINDOWS\TrnWord.dll
2007-05-07 10:06 26,624 --a------ C:\WINDOWS\OETRN.EXE
2007-05-07 10:06 200,704 --a------ C:\WINDOWS\TRNOET.DLL
2007-05-07 10:05 189,952 --a------ C:\WINDOWS\UN32.EXE
2007-05-07 10:03 <DIR> d-------- C:\TRANSLAT
2007-05-06 21:35 618,226 ---hs---- C:\WINDOWS\system32\kjkkj.bak2
2007-05-06 18:35 617,382 ---hs---- C:\WINDOWS\system32\kjkkj.bak1
2007-05-06 18:35 284,756 ---hs---- C:\WINDOWS\system32\jkkjk.dll
2007-05-05 22:07 <DIR> d-------- C:\Program Files\Common Files\NSV
2007-05-04 14:09 <DIR> d-------- C:\DOCUME~1\AMDX2~1\DATAAP~1\Ulead Systems
2007-05-04 14:02 <DIR> d-------- C:\SmartSound Software
2007-05-04 14:02 <DIR> d-------- C:\Program Files\SmartSound Software
2007-05-04 14:02 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\DATAAP~1\SmartSound Software Inc
2007-05-04 14:01 <DIR> d-------- C:\Program Files\Windows Media Components
2007-05-04 14:01 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\DATAAP~1\InstallShield
2007-05-04 14:00 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\DATAAP~1\Ulead Systems
2007-05-02 17:44 98,304 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2007-05-02 17:44 <DIR> d-------- C:\Program Files\MTA San Andreas
2007-05-02 17:13 <DIR> d-------- C:\Program Files\Rockstar Games
2007-04-29 09:20 <DIR> d-------- C:\NVIDIA
2007-04-23 08:19 <DIR> d-------- C:\DOCUME~1\AMDX2~1\DATAAP~1\TrojanHunter
2007-04-23 08:06 <DIR> d-------- C:\Program Files\TrojanHunter 4.6
2007-04-21 23:33 <DIR> d-a------ C:\WINDOWS\zts2.exe
2007-04-21 23:33 <DIR> d-a------ C:\WINDOWS\system32\vcmgcd32.dll
2007-04-21 23:33 <DIR> d-a------ C:\WINDOWS\system32\iifgfgf.dll
2007-04-21 23:33 <DIR> d-a------ C:\WINDOWS\rundll16.exe
2007-04-21 23:33 <DIR> d-a------ C:\WINDOWS\rundl132.dll
2007-04-21 23:33 <DIR> d-a------ C:\WINDOWS\logo1_.exe
2007-04-21 23:31 418,304 --a------ C:\WINDOWS\R.COM
2007-04-21 23:31 353,280 --a------ C:\WINDOWS\system32\T.COM
2007-04-19 17:16 33,824 --a------ C:\WINDOWS\system32\drivers\oreans32.sys
2007-04-19 17:13 974,848 --a------ C:\WINDOWS\system32\mfc70.dll
2007-04-19 17:13 638,976 --a------ C:\WINDOWS\system32\divx.dll
2007-04-19 17:13 487,424 --a------ C:\WINDOWS\system32\msvcp70.dll
2007-04-19 17:13 413,760 --a------ C:\WINDOWS\system32\mpg4c32.dll
2007-04-19 17:13 261,632 --a------ C:\WINDOWS\system32\mcdvd_32.dll
2007-04-19 17:13 24,576 --a------ C:\WINDOWS\system32\msxml3a.dll
2007-04-19 17:13 139,264 --a------ C:\WINDOWS\system32\xvidvfw.dll
2007-04-19 17:13 1,700,352 --a------ C:\WINDOWS\system32\GdiPlus.dll
2007-04-19 17:13 <DIR> d-------- C:\Program Files\Common Files\AVSMedia
2007-04-19 17:13 <DIR> d-------- C:\Program Files\AVSMedia
2007-04-19 11:04 <DIR> d-------- C:\Program Files\ICQ6
2007-04-18 17:51 215,000 --a------ C:\WINDOWS\system32\LpCom.dll
2007-04-18 17:51 192,984 --a------ C:\WINDOWS\system32\qpl.dll
2007-04-18 17:51 <DIR> d-------- C:\Program Files\Odigo
2007-04-18 11:59 <DIR> d-------- C:\Program Files\Codemasters
2007-04-18 09:37 <DIR> d-------- C:\DOCUME~1\AMDX2~1\DATAAP~1\ICQ6
2007-04-18 09:24 <DIR> d-------- C:\DOCUME~1\AMDX2~1\DATAAP~1\ICQ Toolbar
2007-04-17 21:15 <DIR> d-------- C:\DOCUME~1\AMDX2~1\DATAAP~1\ICQ
2007-04-17 08:56 <DIR> d-------- C:\Program Files\thriXXX
2007-04-16 12:15 <DIR> d-------- C:\DOCUME~1\AMDX2~1\DATAAP~1\Apple Computer
2007-04-16 12:13 <DIR> d-------- C:\Program Files\QuickTime
2007-04-16 12:13 <DIR> d-------- C:\Program Files\Apple Software Update
2007-04-16 12:13 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\DATAAP~1\Apple Computer
2007-04-16 10:50 68,888 --a------ C:\WINDOWS\system32\xinput1_3.dll
2007-04-16 10:50 62,744 --a------ C:\WINDOWS\system32\xinput1_2.dll
2007-04-16 10:50 237,848 --a------ C:\WINDOWS\system32\xactengine2_4.dll
2007-04-16 10:50 236,824 --a------ C:\WINDOWS\system32\xactengine2_3.dll
2007-04-16 10:50 2,414,360 --a------ C:\WINDOWS\system32\d3dx9_31.dll
2007-04-16 10:50 2,297,552 --a------ C:\WINDOWS\system32\d3dx9_26.dll
2007-04-16 10:50 15,128 --a------ C:\WINDOWS\system32\x3daudio1_1.dll
2007-04-16 10:49 <DIR> d-------- C:\Program Files\Techland
2007-04-10 12:59 <DIR> d-------- C:\DOCUME~1\AMDX2~1\DATAAP~1\GrabCaptureScreen
2007-04-09 12:26 <DIR> d-a------ C:\DOCUME~1\ALLUSE~1\DATAAP~1\TEMP
(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-05-07 18:19:38 -------- d-----w C:\Program Files\Spyware Terminator
2007-05-07 18:16:12 -------- d-----w C:\DOCUME~1\AMDX2~1\DATAAP~1.\Azureus
2007-05-07 18:14:45 -------- d-----w C:\Program Files\ICQToolbar
2007-05-07 18:11:37 -------- d-----w C:\DOCUME~1\AMDX2~1\DATAAP~1.\Hamachi
2007-05-07 17:55:27 -------- d-----w C:\DOCUME~1\AMDX2~1\DATAAP~1.\Skype
2007-05-06 19:26:07 -------- d-----w C:\Program Files\Azureus
2007-05-05 07:58:43 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-05-04 12:10:31 -------- d-----w C:\DOCUME~1\AMDX2~1\DATAAP~1.\Ulead Systems
2007-05-04 12:00:49 -------- d-----w C:\Program Files\Common Files\InstallShield
2007-05-03 10:17:29 -------- d-----w C:\DOCUME~1\AMDX2~1\DATAAP~1.\Ahead
2007-05-02 17:37:18 -------- d-----w C:\Program Files\WinClamAVShield
2007-04-23 18:51:29 -------- d-----w C:\Program Files\QIP
2007-04-23 06:19:51 -------- d-----w C:\DOCUME~1\AMDX2~1\DATAAP~1.\TrojanHunter
2007-04-21 16:13:47 62,674 ----a-w C:\WINDOWS\system32\perfc005.dat
2007-04-21 16:13:47 380,970 ----a-w C:\WINDOWS\system32\perfh005.dat
2007-04-18 16:15:34 26,056 ----a-w C:\WINDOWS\system32\drivers\hamachi.sys
2007-04-18 07:39:18 -------- d-----w C:\DOCUME~1\AMDX2~1\DATAAP~1.\ICQ6
2007-04-18 07:24:06 -------- d-----w C:\DOCUME~1\AMDX2~1\DATAAP~1.\ICQ Toolbar
2007-04-17 19:15:43 -------- d-----w C:\DOCUME~1\AMDX2~1\DATAAP~1.\ICQ
2007-04-16 10:15:29 -------- d-----w C:\DOCUME~1\AMDX2~1\DATAAP~1.\Apple Computer
2007-04-10 17:32:41 -------- d-----w C:\Program Files\Counter-Strike 1.6
2007-04-10 11:00:04 -------- d-----w C:\DOCUME~1\AMDX2~1\DATAAP~1.\GrabCaptureScreen
2007-04-06 20:58:16 -------- d-----w C:\Program Files\Microsoft Works
2007-04-06 20:58:08 -------- d-----w C:\Program Files\MSBuild
2007-04-06 20:57:00 -------- d-----w C:\Program Files\Microsoft.NET
2007-04-06 19:56:40 -------- d-----w C:\DOCUME~1\AMDX2~1\DATAAP~1.\BearShare
2007-04-06 09:42:09 -------- d-----w C:\Program Files\Free Audio Pack
2007-04-04 20:35:08 -------- d-----w C:\Program Files\Common Files\Ahead
2007-04-04 20:32:13 -------- d-----w C:\Program Files\Nero
2007-04-04 05:12:01 -------- d-----w C:\DOCUME~1\AMDX2~1\DATAAP~1.\MegauploadToolbar
2007-04-03 19:15:23 -------- d-----w C:\Program Files\Disc2Phone
2007-03-29 06:35:03 -------- d-----w C:\Program Files\MegauploadToolbar
2007-03-28 20:31:32 -------- d-----w C:\Program Files\Hamachi
2007-03-28 20:13:55 -------- d-----w C:\Program Files\BearShare Applications
2007-03-28 12:38:10 -------- d-----w C:\Program Files\DAEMON Tools
2007-03-28 12:36:23 639,224 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2007-03-28 06:03:27 -------- d-----w C:\Program Files\Codec Pack - All In 1
2007-03-28 06:02:46 737,280 ----a-w C:\WINDOWS\iun6002.exe
2007-03-27 19:01:40 -------- d-----w C:\Program Files\Microsoft Virtual PC
2007-03-27 18:45:27 -------- d-----w C:\Program Files\Lavalys
2007-03-27 18:33:57 2,160 ----a-w C:\WINDOWS\BricoPackFoldersDelete.cmd
2007-03-27 18:33:56 47,251 ----a-w C:\WINDOWS\BricoPackUninst.cmd
2007-03-27 18:33:56 219,648 ----a-w C:\WINDOWS\system32\uxtheme.dll
2007-03-27 18:17:28 135,936 ----a-w C:\WINDOWS\system32\drivers\sp_rsdrv2.sys
2007-03-27 16:57:52 12,972 ---ha-w C:\WINDOWS\system32\mlfcache.dat
2007-03-27 16:53:53 -------- d-----w C:\Program Files\Windows Media Connect 2
2007-03-27 16:49:12 -------- d-----w C:\DOCUME~1\AMDX2~1\DATAAP~1.\OpenOffice.org2
2007-03-27 16:43:46 -------- d-----w C:\DOCUME~1\AMDX2~1\DATAAP~1.\ESTsoft
2007-03-27 16:43:06 -------- d-----w C:\Program Files\mozilla.org
2007-03-27 16:20:21 298,104 ----a-w C:\WINDOWS\system32\imon.dll
2007-03-27 16:20:20 512,096 ----a-w C:\WINDOWS\system32\drivers\amon.sys
2007-03-27 16:20:20 15,424 ----a-w C:\WINDOWS\system32\drivers\nod32drv.sys
2007-03-27 16:16:00 60,416 ----a-w C:\WINDOWS\ALCFDRTM.EXE
2007-03-27 16:09:14 -------- d-----w C:\Program Files\Skype
2007-03-27 16:09:14 -------- d-----w C:\Program Files\Common Files\Skype
2007-03-27 16:05:58 335 ----a-w C:\WINDOWS\nsreg.dat
2007-03-27 16:05:58 -------- d-----w C:\DOCUME~1\AMDX2~1\DATAAP~1.\Talkback
2007-03-27 16:05:51 8,657 ----a-w C:\WINDOWS\mozver.dat
2007-03-27 15:59:31 -------- d-----w C:\DOCUME~1\AMDX2~1\DATAAP~1.\ICQLite
2007-03-27 13:37:01 -------- d-----w C:\Program Files\Common Files\ODBC
2007-03-27 13:36:59 -------- d-----w C:\Program Files\Common Files\SpeechEngines
2007-03-27 12:52:27 -------- d-----w C:\Program Files\Futuremark
2007-03-27 12:44:52 -------- d-----w C:\Program Files\Winamp
2007-03-27 12:43:53 499,712 ----a-w C:\WINDOWS\system32\msvcp71.dll
2007-03-27 12:43:53 348,160 ----a-w C:\WINDOWS\system32\msvcr71.dll
2007-03-27 12:43:34 -------- d-----w C:\Program Files\Kerio
2007-03-27 12:40:29 -------- d-----w C:\Program Files\AMD
2007-03-27 12:38:38 -------- d-----w C:\Program Files\Realtek AC97
2007-03-27 11:46:40 -------- d-----w C:\Program Files\microsoft frontpage
2007-03-27 11:46:29 0 --sha-r C:\MSDOS.SYS
2007-03-27 11:46:29 0 --sha-r C:\IO.SYS
2007-03-27 11:46:29 0 ----a-w C:\CONFIG.SYS
2007-03-27 11:46:29 0 ------w C:\AUTOEXEC.BAT
2007-03-27 11:45:34 -------- d--h--w C:\Program Files\WindowsUpdate
2007-03-27 11:45:32 -------- d-----w C:\Program Files\Online Services
2007-03-27 11:44:49 -------- d-----w C:\Program Files\Common Files\MSSoap
2007-03-27 11:44:42 -------- d-----w C:\Program Files\Movie Maker
2007-03-27 11:44:04 21,812 ----a-w C:\WINDOWS\system32\emptyregdb.dat
2007-03-27 11:43:45 -------- d-----w C:\Program Files\Messenger
2007-03-27 11:43:41 -------- d-----w C:\Program Files\MSN Gaming Zone
2007-03-27 11:43:34 -------- d-----w C:\Program Files\Windows NT
(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
"{055FD26D-3A88-4e15-963D-DC8493744B1D}"="C:\PROGRA~1\ICQTOO~1\toolbaru.dll"
"{26111998-6BE7-4695-9995-E6BD55C56CF8}"="C:\WINDOWS\system32\jkkjk.dll"
"{2DB66063-BB98-466A-AA0D-3E7ACF5ED853}"="C:\WINDOWS\WebIE.dll"
"{4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C}"="C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL"
"{72853161-30C5-4D22-B7F9-0BBC1D38A37E}"="C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL"
"{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}"="C:\Program Files\Java\jre1.6.0\bin\ssv.dll"
"{E49CE891-CD83-4841-8CC9-6E284D7978D0}"="C:\Program Files\BearShare Applications\MediaBar\1.bin\BEARSMBR.DLL"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit"
"SoundMan"="SOUNDMAN.EXE"
"nod32kui"="\"C:\\Program Files\\Eset\\nod32kui.exe\" /WAITSERVICE"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0\\bin\\jusched.exe\""
"SpywareTerminator"="\"C:\\Program Files\\Spyware Terminator\\SpywareTerminatorShield.exe\""
"BluetoothAuthenticationAgent"="rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent"
"NeroFilterCheck"="C:\\Program Files\\Common Files\\Ahead\\Lib\\NeroCheck.exe"
"GrooveMonitor"="\"C:\\Program Files\\Microsoft Office\\Office12\\GrooveMonitor.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"THGuard"="\"C:\\Program Files\\TrojanHunter 4.6\\THGuard.exe\""
"Ashampoo FireWall PRO"="\"C:\\Program Files\\Ashampoo\\Ashampoo FireWall PRO\\FireWall.exe\" -TRAY"
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Skype"="\"C:\\Program Files\\Skype\\Phone\\Skype.exe\" /nosplash /minimized"
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="\"C:\\Program Files\\Common Files\\Ahead\\Lib\\NMBgMonitor.exe\""
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"ICQ"="\"C:\\Program Files\\ICQ6\\ICQ.exe\" silent"
"OEXPRESS"="C:\\WINDOWS\\OETRN.EXE"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{B5A7F190-DDA6-4420-B3BA-52453494E6CD}"="C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL"
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkkjk
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages msv1_0\0\0
Security Packages kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages scecli\0\0
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\daemon tools
"C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter HTTPFilter\0\0
LocalService Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService DnsCache\0\0
DcomLaunch DcomLaunch\0TermService\0\0
rpcss RpcSs\0\0
imgsvc StiSvc\0\0
termsvcs TermService\0\0
WudfServiceGroup WUDFSvc\0\0
bthsvcs BthServ\0\0
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost
Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job
********************************************************************
catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-07 20:20:13
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden services ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0
********************************************************************
Completion time: 2007-05-07 20:20:35 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-05-07 20:20
2007-04-03 19:15:23 -------- d-----w C:\Program Files\Disc2Phone
2007-03-29 06:35:03 -------- d-----w C:\Program Files\MegauploadToolbar
2007-03-28 20:31:32 -------- d-----w C:\Program Files\Hamachi
2007-03-28 20:13:55 -------- d-----w C:\Program Files\BearShare Applications
2007-03-28 12:38:10 -------- d-----w C:\Program Files\DAEMON Tools
2007-03-28 12:36:23 639,224 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2007-03-28 06:03:27 -------- d-----w C:\Program Files\Codec Pack - All In 1
2007-03-28 06:02:46 737,280 ----a-w C:\WINDOWS\iun6002.exe
2007-03-27 19:01:40 -------- d-----w C:\Program Files\Microsoft Virtual PC
2007-03-27 18:45:27 -------- d-----w C:\Program Files\Lavalys
2007-03-27 18:33:57 2,160 ----a-w C:\WINDOWS\BricoPackFoldersDelete.cmd
2007-03-27 18:33:56 47,251 ----a-w C:\WINDOWS\BricoPackUninst.cmd
2007-03-27 18:33:56 219,648 ----a-w C:\WINDOWS\system32\uxtheme.dll
2007-03-27 18:17:28 135,936 ----a-w C:\WINDOWS\system32\drivers\sp_rsdrv2.sys
2007-03-27 16:57:52 12,972 ---ha-w C:\WINDOWS\system32\mlfcache.dat
2007-03-27 16:53:53 -------- d-----w C:\Program Files\Windows Media Connect 2
2007-03-27 16:49:12 -------- d-----w C:\DOCUME~1\AMDX2~1\DATAAP~1.\OpenOffice.org2
2007-03-27 16:43:46 -------- d-----w C:\DOCUME~1\AMDX2~1\DATAAP~1.\ESTsoft
2007-03-27 16:43:06 -------- d-----w C:\Program Files\mozilla.org
2007-03-27 16:20:21 298,104 ----a-w C:\WINDOWS\system32\imon.dll
2007-03-27 16:20:20 512,096 ----a-w C:\WINDOWS\system32\drivers\amon.sys
2007-03-27 16:20:20 15,424 ----a-w C:\WINDOWS\system32\drivers\nod32drv.sys
2007-03-27 16:16:00 60,416 ----a-w C:\WINDOWS\ALCFDRTM.EXE
2007-03-27 16:09:14 -------- d-----w C:\Program Files\Skype
2007-03-27 16:09:14 -------- d-----w C:\Program Files\Common Files\Skype
2007-03-27 16:05:58 335 ----a-w C:\WINDOWS\nsreg.dat
2007-03-27 16:05:58 -------- d-----w C:\DOCUME~1\AMDX2~1\DATAAP~1.\Talkback
2007-03-27 16:05:51 8,657 ----a-w C:\WINDOWS\mozver.dat
2007-03-27 15:59:31 -------- d-----w C:\DOCUME~1\AMDX2~1\DATAAP~1.\ICQLite
2007-03-27 13:37:01 -------- d-----w C:\Program Files\Common Files\ODBC
2007-03-27 13:36:59 -------- d-----w C:\Program Files\Common Files\SpeechEngines
2007-03-27 12:52:27 -------- d-----w C:\Program Files\Futuremark
2007-03-27 12:44:52 -------- d-----w C:\Program Files\Winamp
2007-03-27 12:43:53 499,712 ----a-w C:\WINDOWS\system32\msvcp71.dll
2007-03-27 12:43:53 348,160 ----a-w C:\WINDOWS\system32\msvcr71.dll
2007-03-27 12:43:34 -------- d-----w C:\Program Files\Kerio
2007-03-27 12:40:29 -------- d-----w C:\Program Files\AMD
2007-03-27 12:38:38 -------- d-----w C:\Program Files\Realtek AC97
2007-03-27 11:46:40 -------- d-----w C:\Program Files\microsoft frontpage
2007-03-27 11:46:29 0 --sha-r C:\MSDOS.SYS
2007-03-27 11:46:29 0 --sha-r C:\IO.SYS
2007-03-27 11:46:29 0 ----a-w C:\CONFIG.SYS
2007-03-27 11:46:29 0 ------w C:\AUTOEXEC.BAT
2007-03-27 11:45:34 -------- d--h--w C:\Program Files\WindowsUpdate
2007-03-27 11:45:32 -------- d-----w C:\Program Files\Online Services
2007-03-27 11:44:49 -------- d-----w C:\Program Files\Common Files\MSSoap
2007-03-27 11:44:42 -------- d-----w C:\Program Files\Movie Maker
2007-03-27 11:44:04 21,812 ----a-w C:\WINDOWS\system32\emptyregdb.dat
2007-03-27 11:43:45 -------- d-----w C:\Program Files\Messenger
2007-03-27 11:43:41 -------- d-----w C:\Program Files\MSN Gaming Zone
2007-03-27 11:43:34 -------- d-----w C:\Program Files\Windows NT
(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
"{055FD26D-3A88-4e15-963D-DC8493744B1D}"="C:\PROGRA~1\ICQTOO~1\toolbaru.dll"
"{26111998-6BE7-4695-9995-E6BD55C56CF8}"="C:\WINDOWS\system32\jkkjk.dll"
"{2DB66063-BB98-466A-AA0D-3E7ACF5ED853}"="C:\WINDOWS\WebIE.dll"
"{4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C}"="C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL"
"{72853161-30C5-4D22-B7F9-0BBC1D38A37E}"="C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL"
"{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}"="C:\Program Files\Java\jre1.6.0\bin\ssv.dll"
"{E49CE891-CD83-4841-8CC9-6E284D7978D0}"="C:\Program Files\BearShare Applications\MediaBar\1.bin\BEARSMBR.DLL"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit"
"SoundMan"="SOUNDMAN.EXE"
"nod32kui"="\"C:\\Program Files\\Eset\\nod32kui.exe\" /WAITSERVICE"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0\\bin\\jusched.exe\""
"SpywareTerminator"="\"C:\\Program Files\\Spyware Terminator\\SpywareTerminatorShield.exe\""
"BluetoothAuthenticationAgent"="rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent"
"NeroFilterCheck"="C:\\Program Files\\Common Files\\Ahead\\Lib\\NeroCheck.exe"
"GrooveMonitor"="\"C:\\Program Files\\Microsoft Office\\Office12\\GrooveMonitor.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"THGuard"="\"C:\\Program Files\\TrojanHunter 4.6\\THGuard.exe\""
"Ashampoo FireWall PRO"="\"C:\\Program Files\\Ashampoo\\Ashampoo FireWall PRO\\FireWall.exe\" -TRAY"
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Skype"="\"C:\\Program Files\\Skype\\Phone\\Skype.exe\" /nosplash /minimized"
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="\"C:\\Program Files\\Common Files\\Ahead\\Lib\\NMBgMonitor.exe\""
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"ICQ"="\"C:\\Program Files\\ICQ6\\ICQ.exe\" silent"
"OEXPRESS"="C:\\WINDOWS\\OETRN.EXE"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{B5A7F190-DDA6-4420-B3BA-52453494E6CD}"="C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL"
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkkjk
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages msv1_0\0\0
Security Packages kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages scecli\0\0
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\daemon tools
"C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter HTTPFilter\0\0
LocalService Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService DnsCache\0\0
DcomLaunch DcomLaunch\0TermService\0\0
rpcss RpcSs\0\0
imgsvc StiSvc\0\0
termsvcs TermService\0\0
WudfServiceGroup WUDFSvc\0\0
bthsvcs BthServ\0\0
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost
Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job
********************************************************************
catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-07 20:20:13
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden services ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0
********************************************************************
Completion time: 2007-05-07 20:20:35 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-05-07 20:20
Great, ComboFix deleted something, but there is still something there.
Download Avenger.
We will use Avenger to get rid of the remnants of the Vundo infection. (But don't do anything with it yet.)
Tomorrow I will check your ComboFix log and we will remove the remnants of the Vundo infection.
And there is yet another piece of junk there, namely C:\WINDOWS\system32\drivers\oreans32.sys, so we will wipe it out together with Vundo.
Run Avenger and choose - Input script manually.
Click on the magnifying glass icon; an empty window will pop up, into which copy the text marked in bold:
Drivers to unload:
oreans32
Files to delete:
C:\WINDOWS\system32\kjkkj.bak2
C:\WINDOWS\system32\kjkkj.bak1
C:\WINDOWS\system32\jkkjk.dll
C:\WINDOWS\system32\drivers\oreans32.sys
Then click Done.
Then a prompt will pop up where you click Yes, then another where you click Yes.
Your computer will restart twice.
After that the Avenger log should be displayed, so copy it here. After applying Avenger, also copy a new ComboFix log and an HJT log (from the renamed file this time).
Do you know this folder?:
C:\Program Files\thriXXX
Avenger:
Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\gqlyemew
*******************
Script file located at: \??\C:\^cerolpf.txt
Script file opened successfully.
Script file read successfully
Backups directory opened successfully at C:\Avenger
*******************
Beginning to process script file:
Driver oreans32 unloaded successfully.
File C:\WINDOWS\system32\kjkkj.bak2 deleted successfully.
File C:\WINDOWS\system32\kjkkj.bak1 deleted successfully.
File C:\WINDOWS\system32\jkkjk.dll deleted successfully.
File C:\WINDOWS\system32\drivers\oreans32.sys deleted successfully.
Completed script processing.
*******************
Finished! Terminate.
ComboFix:
"AMD X2" - 2007-05-08 18:19:29 Service Pack 2
ComboFix 07-05.07.3.V - Running from: "C:\Documents and Settings\AMD X2\Plocha\"
(((((((((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))
C:\WINDOWS\system32\fmikabvk.dll
C:\WINDOWS\system32\huospwpd.dll
C:\WINDOWS\system32\dpwpsouh.ini
* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
((((((((((((((((((((((((((((((( Files Created from 2007-04-08 to 2007-05-08 ))))))))))))))))))))))))))))))))))
2007-05-08 18:17 <DIR> d-------- C:\avenger
2007-05-07 20:20 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-05-07 19:30 <DIR> d-------- C:\VundoFix Backups
2007-05-07 10:06 491,520 --a------ C:\WINDOWS\WebIE.dll
2007-05-07 10:06 45,056 --a------ C:\WINDOWS\TRNOEH.DLL
2007-05-07 10:06 352,256 --a------ C:\WINDOWS\TrnOutl.dll
2007-05-07 10:06 299,008 --a------ C:\WINDOWS\TrnWord.dll
2007-05-07 10:06 26,624 --a------ C:\WINDOWS\OETRN.EXE
2007-05-07 10:06 200,704 --a------ C:\WINDOWS\TRNOET.DLL
2007-05-07 10:05 189,952 --a------ C:\WINDOWS\UN32.EXE
2007-05-07 10:03 <DIR> d-------- C:\TRANSLAT
2007-05-05 22:07 <DIR> d-------- C:\Program Files\Common Files\NSV
2007-05-04 14:09 <DIR> d-------- C:\DOCUME~1\AMDX2~1\DATAAP~1\Ulead Systems
2007-05-04 14:02 <DIR> d-------- C:\SmartSound Software
2007-05-04 14:02 <DIR> d-------- C:\Program Files\SmartSound Software
2007-05-04 14:02 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\DATAAP~1\SmartSound Software Inc
2007-05-04 14:01 <DIR> d-------- C:\Program Files\Windows Media Components
2007-05-04 14:01 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\DATAAP~1\InstallShield
2007-05-04 14:00 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\DATAAP~1\Ulead Systems
2007-05-02 17:44 98,304 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2007-05-02 17:44 <DIR> d-------- C:\Program Files\MTA San Andreas
2007-05-02 17:13 <DIR> d-------- C:\Program Files\Rockstar Games
2007-04-29 09:20 <DIR> d-------- C:\NVIDIA
2007-04-23 08:19 <DIR> d-------- C:\DOCUME~1\AMDX2~1\DATAAP~1\TrojanHunter
2007-04-23 08:06 <DIR> d-------- C:\Program Files\TrojanHunter 4.6
2007-04-21 23:33 <DIR> d-a------ C:\WINDOWS\zts2.exe
2007-04-21 23:33 <DIR> d-a------ C:\WINDOWS\system32\vcmgcd32.dll
2007-04-21 23:33 <DIR> d-a------ C:\WINDOWS\system32\iifgfgf.dll
2007-04-21 23:33 <DIR> d-a------ C:\WINDOWS\rundll16.exe
2007-04-21 23:33 <DIR> d-a------ C:\WINDOWS\rundl132.dll
2007-04-21 23:33 <DIR> d-a------ C:\WINDOWS\logo1_.exe
2007-04-21 23:31 418,304 --a------ C:\WINDOWS\R.COM
2007-04-21 23:31 353,280 --a------ C:\WINDOWS\system32\T.COM
2007-04-19 17:13 974,848 --a------ C:\WINDOWS\system32\mfc70.dll
2007-04-19 17:13 638,976 --a------ C:\WINDOWS\system32\divx.dll
2007-04-19 17:13 487,424 --a------ C:\WINDOWS\system32\msvcp70.dll
2007-04-19 17:13 413,760 --a------ C:\WINDOWS\system32\mpg4c32.dll
2007-04-19 17:13 261,632 --a------ C:\WINDOWS\system32\mcdvd_32.dll
2007-04-19 17:13 24,576 --a------ C:\WINDOWS\system32\msxml3a.dll
2007-04-19 17:13 139,264 --a------ C:\WINDOWS\system32\xvidvfw.dll
2007-04-19 17:13 1,700,352 --a------ C:\WINDOWS\system32\GdiPlus.dll
2007-04-19 17:13 <DIR> d-------- C:\Program Files\Common Files\AVSMedia
2007-04-19 17:13 <DIR> d-------- C:\Program Files\AVSMedia
2007-04-19 11:04 <DIR> d-------- C:\Program Files\ICQ6
2007-04-18 17:51 215,000 --a------ C:\WINDOWS\system32\LpCom.dll
2007-04-18 17:51 192,984 --a------ C:\WINDOWS\system32\qpl.dll
2007-04-18 17:51 <DIR> d-------- C:\Program Files\Odigo
2007-04-18 11:59 <DIR> d-------- C:\Program Files\Codemasters
2007-04-18 09:37 <DIR> d-------- C:\DOCUME~1\AMDX2~1\DATAAP~1\ICQ6
2007-04-18 09:24 <DIR> d-------- C:\DOCUME~1\AMDX2~1\DATAAP~1\ICQ Toolbar
2007-04-17 21:15 <DIR> d-------- C:\DOCUME~1\AMDX2~1\DATAAP~1\ICQ
2007-04-17 08:56 <DIR> d-------- C:\Program Files\thriXXX
2007-04-16 12:15 <DIR> d-------- C:\DOCUME~1\AMDX2~1\DATAAP~1\Apple Computer
2007-04-16 12:13 <DIR> d-------- C:\Program Files\QuickTime
2007-04-16 12:13 <DIR> d-------- C:\Program Files\Apple Software Update
2007-04-16 12:13 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\DATAAP~1\Apple Computer
2007-04-16 10:50 68,888 --a------ C:\WINDOWS\system32\xinput1_3.dll
2007-04-16 10:50 62,744 --a------ C:\WINDOWS\system32\xinput1_2.dll
2007-04-16 10:50 237,848 --a------ C:\WINDOWS\system32\xactengine2_4.dll
2007-04-16 10:50 236,824 --a------ C:\WINDOWS\system32\xactengine2_3.dll
2007-04-16 10:50 2,414,360 --a------ C:\WINDOWS\system32\d3dx9_31.dll
2007-04-16 10:50 2,297,552 --a------ C:\WINDOWS\system32\d3dx9_26.dll
2007-04-16 10:50 15,128 --a------ C:\WINDOWS\system32\x3daudio1_1.dll
2007-04-16 10:49 <DIR> d-------- C:\Program Files\Techland
2007-04-10 12:59 <DIR> d-------- C:\DOCUME~1\AMDX2~1\DATAAP~1\GrabCaptureScreen
2007-04-09 12:26 <DIR> d-a------ C:\DOCUME~1\ALLUSE~1\DATAAP~1\TEMP
(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-05-08 16:19:20 -------- d-----w C:\DOCUME~1\AMDX2~1\DATAAP~1.\Skype
2007-05-08 16:15:16 -------- d-----w C:\DOCUME~1\AMDX2~1\DATAAP~1.\Azureus
2007-05-07 18:39:50 -------- d-----w C:\Program Files\Spyware Terminator
2007-05-07 18:21:48 -------- d-----w C:\Program Files\ICQToolbar
2007-05-07 18:11:37 -------- d-----w C:\DOCUME~1\AMDX2~1\DATAAP~1.\Hamachi
2007-05-06 19:26:07 -------- d-----w C:\Program Files\Azureus
2007-05-05 07:58:43 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-05-04 12:10:31 -------- d-----w C:\DOCUME~1\AMDX2~1\DATAAP~1.\Ulead Systems
2007-05-04 12:00:49 -------- d-----w C:\Program Files\Common Files\InstallShield
2007-05-03 10:17:29 -------- d-----w C:\DOCUME~1\AMDX2~1\DATAAP~1.\Ahead
2007-05-02 17:37:18 -------- d-----w C:\Program Files\WinClamAVShield
2007-04-23 18:51:29 -------- d-----w C:\Program Files\QIP
2007-04-23 06:19:51 -------- d-----w C:\DOCUME~1\AMDX2~1\DATAAP~1.\TrojanHunter
2007-04-21 16:13:47 62,674 ----a-w C:\WINDOWS\system32\perfc005.dat
2007-04-21 16:13:47 380,970 ----a-w C:\WINDOWS\system32\perfh005.dat
2007-04-18 16:15:34 26,056 ----a-w C:\WINDOWS\system32\drivers\hamachi.sys
2007-04-18 07:39:18 -------- d-----w C:\DOCUME~1\AMDX2~1\DATAAP~1.\ICQ6
2007-04-18 07:24:06 -------- d-----w C:\DOCUME~1\AMDX2~1\DATAAP~1.\ICQ Toolbar
2007-04-17 19:15:43 -------- d-----w C:\DOCUME~1\AMDX2~1\DATAAP~1.\ICQ
2007-04-16 10:15:29 -------- d-----w C:\DOCUME~1\AMDX2~1\DATAAP~1.\Apple Computer
2007-04-10 17:32:41 -------- d-----w C:\Program Files\Counter-Strike 1.6
2007-04-10 11:00:04 -------- d-----w C:\DOCUME~1\AMDX2~1\DATAAP~1.\GrabCaptureScreen
2007-04-06 20:58:16 -------- d-----w C:\Program Files\Microsoft Works
2007-04-06 20:58:08 -------- d-----w C:\Program Files\MSBuild
2007-04-06 20:57:00 -------- d-----w C:\Program Files\Microsoft.NET
2007-04-06 19:56:40 -------- d-----w C:\DOCUME~1\AMDX2~1\DATAAP~1.\BearShare
2007-04-06 09:42:09 -------- d-----w C:\Program Files\Free Audio Pack
2007-04-04 20:35:08 -------- d-----w C:\Program Files\Common Files\Ahead
2007-04-04 20:32:13 -------- d-----w C:\Program Files\Nero
2007-04-04 05:12:01 -------- d-----w C:\DOCUME~1\AMDX2~1\DATAAP~1.\MegauploadToolbar
2007-04-03 19:15:23 -------- d-----w C:\Program Files\Disc2Phone
2007-03-29 06:35:03 -------- d-----w C:\Program Files\MegauploadToolbar
2007-03-28 20:31:32 -------- d-----w C:\Program Files\Hamachi
2007-03-28 20:13:55 -------- d-----w C:\Program Files\BearShare Applications
2007-03-28 12:38:10 -------- d-----w C:\Program Files\DAEMON Tools
2007-03-28 12:36:23 639,224 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2007-03-28 06:03:27 -------- d-----w C:\Program Files\Codec Pack - All In 1
2007-03-28 06:02:46 737,280 ----a-w C:\WINDOWS\iun6002.exe
2007-03-27 19:01:40 -------- d-----w C:\Program Files\Microsoft Virtual PC
2007-03-27 18:45:27 -------- d-----w C:\Program Files\Lavalys
2007-03-27 18:33:57 2,160 ----a-w C:\WINDOWS\BricoPackFoldersDelete.cmd
2007-03-27 18:33:56 47,251 ----a-w C:\WINDOWS\BricoPackUninst.cmd
2007-03-27 18:33:56 219,648 ----a-w C:\WINDOWS\system32\uxtheme.dll
2007-03-27 18:17:28 135,936 ----a-w C:\WINDOWS\system32\drivers\sp_rsdrv2.sys
2007-03-27 16:57:52 12,972 ---ha-w C:\WINDOWS\system32\mlfcache.dat
2007-03-27 16:53:53 -------- d-----w C:\Program Files\Windows Media Connect 2
2007-03-27 16:49:12 -------- d-----w C:\DOCUME~1\AMDX2~1\DATAAP~1.\OpenOffice.org2
2007-03-27 16:43:46 -------- d-----w C:\DOCUME~1\AMDX2~1\DATAAP~1.\ESTsoft
2007-03-27 16:43:06 -------- d-----w C:\Program Files\mozilla.org
2007-03-27 16:20:21 298,104 ----a-w C:\WINDOWS\system32\imon.dll
2007-03-27 16:20:20 512,096 ----a-w C:\WINDOWS\system32\drivers\amon.sys
2007-03-27 16:20:20 15,424 ----a-w C:\WINDOWS\system32\drivers\nod32drv.sys
2007-03-27 16:16:00 60,416 ----a-w C:\WINDOWS\ALCFDRTM.EXE
2007-03-27 16:09:14 -------- d-----w C:\Program Files\Skype
2007-03-27 16:09:14 -------- d-----w C:\Program Files\Common Files\Skype
2007-03-27 16:05:58 335 ----a-w C:\WINDOWS\nsreg.dat
2007-03-27 16:05:58 -------- d-----w C:\DOCUME~1\AMDX2~1\DATAAP~1.\Talkback
2007-03-27 16:05:51 8,657 ----a-w C:\WINDOWS\mozver.dat
2007-03-27 15:59:31 -------- d-----w C:\DOCUME~1\AMDX2~1\DATAAP~1.\ICQLite
2007-03-27 13:37:01 -------- d-----w C:\Program Files\Common Files\ODBC
2007-03-27 13:36:59 -------- d-----w C:\Program Files\Common Files\SpeechEngines
2007-03-27 12:52:27 -------- d-----w C:\Program Files\Futuremark
2007-03-27 12:44:52 -------- d-----w C:\Program Files\Winamp
2007-03-27 12:43:53 499,712 ----a-w C:\WINDOWS\system32\msvcp71.dll
2007-03-27 12:43:53 348,160 ----a-w C:\WINDOWS\system32\msvcr71.dll
2007-03-27 12:43:34 -------- d-----w C:\Program Files\Kerio
2007-03-27 12:40:29 -------- d-----w C:\Program Files\AMD
2007-03-27 12:38:38 -------- d-----w C:\Program Files\Realtek AC97
2007-03-27 11:46:40 -------- d-----w C:\Program Files\microsoft frontpage
2007-03-27 11:46:29 0 --sha-r C:\MSDOS.SYS
2007-03-27 11:46:29 0 --sha-r C:\IO.SYS
2007-03-27 11:46:29 0 ----a-w C:\CONFIG.SYS
2007-03-27 11:46:29 0 ------w C:\AUTOEXEC.BAT
2007-03-27 11:45:34 -------- d--h--w C:\Program Files\WindowsUpdate
2007-03-27 11:45:32 -------- d-----w C:\Program Files\Online Services
2007-03-27 11:44:49 -------- d-----w C:\Program Files\Common Files\MSSoap
2007-03-27 11:44:42 -------- d-----w C:\Program Files\Movie Maker
2007-03-27 11:44:04 21,812 ----a-w C:\WINDOWS\system32\emptyregdb.dat
2007-03-27 11:43:45 -------- d-----w C:\Program Files\Messenger
2007-03-27 11:43:41 -------- d-----w C:\Program Files\MSN Gaming Zone
2007-03-27 11:43:34 -------- d-----w C:\Program Files\Windows NT
(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
"{055FD26D-3A88-4e15-963D-DC8493744B1D}"="C:\PROGRA~1\ICQTOO~1\toolbaru.dll"
"{2DB66063-BB98-466A-AA0D-3E7ACF5ED853}"="C:\WINDOWS\WebIE.dll"
"{4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C}"="C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL"
"{72853161-30C5-4D22-B7F9-0BBC1D38A37E}"="C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL"
"{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}"="C:\Program Files\Java\jre1.6.0\bin\ssv.dll"
"{D81EF0DE-D027-4753-82B1-C1150301D03F}"="C:\WINDOWS\system32\jkkjk.dll" [x]
"{E49CE891-CD83-4841-8CC9-6E284D7978D0}"="C:\Program Files\BearShare Applications\MediaBar\1.bin\BEARSMBR.DLL"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit"
"SoundMan"="SOUNDMAN.EXE"
"nod32kui"="\"C:\\Program Files\\Eset\\nod32kui.exe\" /WAITSERVICE"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0\\bin\\jusched.exe\""
"SpywareTerminator"="\"C:\\Program Files\\Spyware Terminator\\SpywareTerminatorShield.exe\""
"BluetoothAuthenticationAgent"="rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent"
"NeroFilterCheck"="C:\\Program Files\\Common Files\\Ahead\\Lib\\NeroCheck.exe"
"GrooveMonitor"="\"C:\\Program Files\\Microsoft Office\\Office12\\GrooveMonitor.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"THGuard"="\"C:\\Program Files\\TrojanHunter 4.6\\THGuard.exe\""
"WindowsService"="rundll32.exe \"C:\\WINDOWS\\system32\\huospwpd.dll\",realset"
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Skype"="\"C:\\Program Files\\Skype\\Phone\\Skype.exe\" /nosplash /minimized"
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="\"C:\\Program Files\\Common Files\\Ahead\\Lib\\NMBgMonitor.exe\""
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"ICQ"="\"C:\\Program Files\\ICQ6\\ICQ.exe\" silent"
"OEXPRESS"="C:\\WINDOWS\\OETRN.EXE"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{B5A7F190-DDA6-4420-B3BA-52453494E6CD}"="C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL"
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkkjk
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages msv1_0\0\0
Security Packages kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages scecli\0\0
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\daemon tools
"C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter HTTPFilter\0\0
LocalService Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService DnsCache\0\0
DcomLaunch DcomLaunch\0TermService\0\0
rpcss RpcSs\0\0
imgsvc StiSvc\0\0
termsvcs TermService\0\0
WudfServiceGroup WUDFSvc\0\0
bthsvcs BthServ\0\0
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost
Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job
********************************************************************
catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-08 18:21:39
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden services ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0
********************************************************************
Completion time: 2007-05-08 18:21:41
C:\ComboFix-quarantined-files.txt ... 2007-05-08 18:21
C:\ComboFix2.txt ... 2007-05-07 20:20
2007-04-04 20:32:13 -------- d-----w C:\Program Files\Nero
2007-04-04 05:12:01 -------- d-----w C:\DOCUME~1\AMDX2~1\DATAAP~1.\MegauploadToolbar
2007-04-03 19:15:23 -------- d-----w C:\Program Files\Disc2Phone
2007-03-29 06:35:03 -------- d-----w C:\Program Files\MegauploadToolbar
2007-03-28 20:31:32 -------- d-----w C:\Program Files\Hamachi
2007-03-28 20:13:55 -------- d-----w C:\Program Files\BearShare Applications
2007-03-28 12:38:10 -------- d-----w C:\Program Files\DAEMON Tools
2007-03-28 12:36:23 639,224 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2007-03-28 06:03:27 -------- d-----w C:\Program Files\Codec Pack - All In 1
2007-03-28 06:02:46 737,280 ----a-w C:\WINDOWS\iun6002.exe
2007-03-27 19:01:40 -------- d-----w C:\Program Files\Microsoft Virtual PC
2007-03-27 18:45:27 -------- d-----w C:\Program Files\Lavalys
2007-03-27 18:33:57 2,160 ----a-w C:\WINDOWS\BricoPackFoldersDelete.cmd
2007-03-27 18:33:56 47,251 ----a-w C:\WINDOWS\BricoPackUninst.cmd
2007-03-27 18:33:56 219,648 ----a-w C:\WINDOWS\system32\uxtheme.dll
2007-03-27 18:17:28 135,936 ----a-w C:\WINDOWS\system32\drivers\sp_rsdrv2.sys
2007-03-27 16:57:52 12,972 ---ha-w C:\WINDOWS\system32\mlfcache.dat
2007-03-27 16:53:53 -------- d-----w C:\Program Files\Windows Media Connect 2
2007-03-27 16:49:12 -------- d-----w C:\DOCUME~1\AMDX2~1\DATAAP~1.\OpenOffice.org2
2007-03-27 16:43:46 -------- d-----w C:\DOCUME~1\AMDX2~1\DATAAP~1.\ESTsoft
2007-03-27 16:43:06 -------- d-----w C:\Program Files\mozilla.org
2007-03-27 16:20:21 298,104 ----a-w C:\WINDOWS\system32\imon.dll
2007-03-27 16:20:20 512,096 ----a-w C:\WINDOWS\system32\drivers\amon.sys
2007-03-27 16:20:20 15,424 ----a-w C:\WINDOWS\system32\drivers\nod32drv.sys
2007-03-27 16:16:00 60,416 ----a-w C:\WINDOWS\ALCFDRTM.EXE
2007-03-27 16:09:14 -------- d-----w C:\Program Files\Skype
2007-03-27 16:09:14 -------- d-----w C:\Program Files\Common Files\Skype
2007-03-27 16:05:58 335 ----a-w C:\WINDOWS\nsreg.dat
2007-03-27 16:05:58 -------- d-----w C:\DOCUME~1\AMDX2~1\DATAAP~1.\Talkback
2007-03-27 16:05:51 8,657 ----a-w C:\WINDOWS\mozver.dat
2007-03-27 15:59:31 -------- d-----w C:\DOCUME~1\AMDX2~1\DATAAP~1.\ICQLite
2007-03-27 13:37:01 -------- d-----w C:\Program Files\Common Files\ODBC
2007-03-27 13:36:59 -------- d-----w C:\Program Files\Common Files\SpeechEngines
2007-03-27 12:52:27 -------- d-----w C:\Program Files\Futuremark
2007-03-27 12:44:52 -------- d-----w C:\Program Files\Winamp
2007-03-27 12:43:53 499,712 ----a-w C:\WINDOWS\system32\msvcp71.dll
2007-03-27 12:43:53 348,160 ----a-w C:\WINDOWS\system32\msvcr71.dll
2007-03-27 12:43:34 -------- d-----w C:\Program Files\Kerio
2007-03-27 12:40:29 -------- d-----w C:\Program Files\AMD
2007-03-27 12:38:38 -------- d-----w C:\Program Files\Realtek AC97
2007-03-27 11:46:40 -------- d-----w C:\Program Files\microsoft frontpage
2007-03-27 11:46:29 0 --sha-r C:\MSDOS.SYS
2007-03-27 11:46:29 0 --sha-r C:\IO.SYS
2007-03-27 11:46:29 0 ----a-w C:\CONFIG.SYS
2007-03-27 11:46:29 0 ------w C:\AUTOEXEC.BAT
2007-03-27 11:45:34 -------- d--h--w C:\Program Files\WindowsUpdate
2007-03-27 11:45:32 -------- d-----w C:\Program Files\Online Services
2007-03-27 11:44:49 -------- d-----w C:\Program Files\Common Files\MSSoap
2007-03-27 11:44:42 -------- d-----w C:\Program Files\Movie Maker
2007-03-27 11:44:04 21,812 ----a-w C:\WINDOWS\system32\emptyregdb.dat
2007-03-27 11:43:45 -------- d-----w C:\Program Files\Messenger
2007-03-27 11:43:41 -------- d-----w C:\Program Files\MSN Gaming Zone
2007-03-27 11:43:34 -------- d-----w C:\Program Files\Windows NT
(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
"{055FD26D-3A88-4e15-963D-DC8493744B1D}"="C:\PROGRA~1\ICQTOO~1\toolbaru.dll"
"{2DB66063-BB98-466A-AA0D-3E7ACF5ED853}"="C:\WINDOWS\WebIE.dll"
"{4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C}"="C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL"
"{72853161-30C5-4D22-B7F9-0BBC1D38A37E}"="C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL"
"{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}"="C:\Program Files\Java\jre1.6.0\bin\ssv.dll"
"{D81EF0DE-D027-4753-82B1-C1150301D03F}"="C:\WINDOWS\system32\jkkjk.dll" [x]
"{E49CE891-CD83-4841-8CC9-6E284D7978D0}"="C:\Program Files\BearShare Applications\MediaBar\1.bin\BEARSMBR.DLL"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit"
"SoundMan"="SOUNDMAN.EXE"
"nod32kui"="\"C:\\Program Files\\Eset\\nod32kui.exe\" /WAITSERVICE"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0\\bin\\jusched.exe\""
"SpywareTerminator"="\"C:\\Program Files\\Spyware Terminator\\SpywareTerminatorShield.exe\""
"BluetoothAuthenticationAgent"="rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent"
"NeroFilterCheck"="C:\\Program Files\\Common Files\\Ahead\\Lib\\NeroCheck.exe"
"GrooveMonitor"="\"C:\\Program Files\\Microsoft Office\\Office12\\GrooveMonitor.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"THGuard"="\"C:\\Program Files\\TrojanHunter 4.6\\THGuard.exe\""
"WindowsService"="rundll32.exe \"C:\\WINDOWS\\system32\\huospwpd.dll\",realset"
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Skype"="\"C:\\Program Files\\Skype\\Phone\\Skype.exe\" /nosplash /minimized"
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="\"C:\\Program Files\\Common Files\\Ahead\\Lib\\NMBgMonitor.exe\""
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"ICQ"="\"C:\\Program Files\\ICQ6\\ICQ.exe\" silent"
"OEXPRESS"="C:\\WINDOWS\\OETRN.EXE"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{B5A7F190-DDA6-4420-B3BA-52453494E6CD}"="C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL"
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkkjk
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages msv1_0\0\0
Security Packages kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages scecli\0\0
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\daemon tools
"C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter HTTPFilter\0\0
LocalService Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService DnsCache\0\0
DcomLaunch DcomLaunch\0TermService\0\0
rpcss RpcSs\0\0
imgsvc StiSvc\0\0
termsvcs TermService\0\0
WudfServiceGroup WUDFSvc\0\0
bthsvcs BthServ\0\0
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost
Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job
********************************************************************
catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-08 18:21:39
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden services ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0
********************************************************************
Completion time: 2007-05-08 18:21:41
C:\ComboFix-quarantined-files.txt ... 2007-05-08 18:21
C:\ComboFix2.txt ... 2007-05-07 20:20