I did almost everything as instructed. I have downloaded and run SDFix and ComboFix. They both completed fine.
What should I do next?
Do I need to download the program Malwarebytes' Anti-Malware?
Is my operating system clean now?
Sorry for my bad English.

SDFix Report
SDFix: Version 1.240
Run by Froggy-user on 14.12.2008 at 09:46
Microsoft Windows XP [Версия 5.1.2600]
Running From: C:\SDFix
Checking Services :
Name :
TDSSserv.sys
Path :
\systemroot\system32\drivers\TDSSpqlt.sys
TDSSserv.sys - Deleted
Restoring Default Security Values
Restoring Default Hosts File
Restoring Default Desktop Wallpaper
Rebooting
Checking Files :
Trojan Files Found:
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat - Contains Links to Malware Sites! - Deleted
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat - Contains Links to Malware Sites! - Deleted
C:\WINDOWS\system32\geBqPJAP.dll - Deleted
C:\DOCUME~1\FROGGY~1\COOKIES\ALFMH.EXE - Deleted
C:\DOCUME~1\FROGGY~1\COOKIES\BVIKZ.EXE - Deleted
C:\DOCUME~1\FROGGY~1\COOKIES\CAECI.EXE - Deleted
C:\DOCUME~1\FROGGY~1\COOKIES\CFPIU.EXE - Deleted
C:\DOCUME~1\FROGGY~1\COOKIES\CJLAE.EXE - Deleted
C:\DOCUME~1\FROGGY~1\COOKIES\DZQZC.EXE - Deleted
C:\DOCUME~1\FROGGY~1\COOKIES\EAZCU.EXE - Deleted
C:\DOCUME~1\FROGGY~1\COOKIES\EDZTC.EXE - Deleted
C:\DOCUME~1\FROGGY~1\COOKIES\EFVOL.EXE - Deleted
C:\DOCUME~1\FROGGY~1\COOKIES\EIJJY.EXE - Deleted
C:\DOCUME~1\FROGGY~1\COOKIES\ESXJQ.EXE - Deleted
C:\DOCUME~1\FROGGY~1\COOKIES\FEUSY.EXE - Deleted
C:\DOCUME~1\FROGGY~1\COOKIES\FGWQV.EXE - Deleted
C:\DOCUME~1\FROGGY~1\COOKIES\FLQPH.EXE - Deleted
C:\DOCUME~1\FROGGY~1\COOKIES\FXTFO.EXE - Deleted
C:\DOCUME~1\FROGGY~1\COOKIES\GGORG.EXE - Deleted
C:\DOCUME~1\FROGGY~1\COOKIES\GJVFX.EXE - Deleted
C:\DOCUME~1\FROGGY~1\COOKIES\GRXLN.EXE - Deleted
C:\DOCUME~1\FROGGY~1\COOKIES\IGCII.EXE - Deleted
C:\DOCUME~1\FROGGY~1\COOKIES\IHPCX.EXE - Deleted
C:\DOCUME~1\FROGGY~1\COOKIES\IKPRT.EXE - Deleted
C:\DOCUME~1\FROGGY~1\COOKIES\IKXJJ.EXE - Deleted
C:\DOCUME~1\FROGGY~1\COOKIES\IOLEJ.EXE - Deleted
C:\DOCUME~1\FROGGY~1\COOKIES\IQGNF.EXE - Deleted
C:\DOCUME~1\FROGGY~1\COOKIES\JTOPW.EXE - Deleted
C:\DOCUME~1\FROGGY~1\COOKIES\KSETY.EXE - Deleted
C:\DOCUME~1\FROGGY~1\COOKIES\LPXEH.EXE - Deleted
C:\DOCUME~1\FROGGY~1\COOKIES\LVSWF.EXE - Deleted
C:\DOCUME~1\FROGGY~1\COOKIES\MAHTU.EXE - Deleted
C:\DOCUME~1\FROGGY~1\COOKIES\MBICZ.EXE - Deleted
C:\DOCUME~1\FROGGY~1\COOKIES\MFRET.EXE - Deleted
C:\DOCUME~1\FROGGY~1\COOKIES\MUBMP.EXE - Deleted
C:\DOCUME~1\FROGGY~1\COOKIES\ORBHJ.EXE - Deleted
C:\DOCUME~1\FROGGY~1\COOKIES\PCHKS.EXE - Deleted
C:\DOCUME~1\FROGGY~1\COOKIES\PGJCC.EXE - Deleted
C:\DOCUME~1\FROGGY~1\COOKIES\QJNVV.EXE - Deleted
C:\DOCUME~1\FROGGY~1\COOKIES\QXWMK.EXE - Deleted
C:\DOCUME~1\FROGGY~1\COOKIES\RGJYK.EXE - Deleted
C:\DOCUME~1\FROGGY~1\COOKIES\RIBFQ.EXE - Deleted
C:\DOCUME~1\FROGGY~1\COOKIES\RMKPK.EXE - Deleted
C:\DOCUME~1\FROGGY~1\COOKIES\RTHRD.EXE - Deleted
C:\DOCUME~1\FROGGY~1\COOKIES\RVLKG.EXE - Deleted
C:\DOCUME~1\FROGGY~1\COOKIES\TGOIF.EXE - Deleted
C:\DOCUME~1\FROGGY~1\COOKIES\UFZWN.EXE - Deleted
C:\DOCUME~1\FROGGY~1\COOKIES\VZPNA.EXE - Deleted
C:\DOCUME~1\FROGGY~1\COOKIES\WZVIZ.EXE - Deleted
C:\DOCUME~1\FROGGY~1\COOKIES\XAGAO.EXE - Deleted
C:\DOCUME~1\FROGGY~1\COOKIES\XRFLQ.EXE - Deleted
C:\DOCUME~1\FROGGY~1\COOKIES\ZPNZE.EXE - Deleted
C:\DOCUME~1\FROGGY~1\LOCALS~1\Temp\pwrmgr.exe.bat - Deleted
C:\DOCUME~1\FROGGY~1\LOCALS~1\Temp\smchk.exe.bat - Deleted
C:\DOCUME~1\FROGGY~1\LOCALS~1\Temp\windfr.exe.bat - Deleted
C:\DOCUME~1\FROGGY~1\LOCALS~1\Temp\pwrmgr.exe - Deleted
C:\WINDOWS\default.htm - Deleted
C:\WINDOWS\k.txt - Deleted
C:\WINDOWS\system32\drivers\TDSSpqlt.sys - Deleted
C:\WINDOWS\system32\TDSSxfum.dll - Deleted
C:\WINDOWS\system32\TDSSlxwp.dll - Deleted
C:\WINDOWS\system32\TDSSosvd.dat - Deleted
C:\WINDOWS\SYSTEM32\TDSSOSVD.dat - Deleted
C:\WINDOWS\system32\TDSStkdu.log - Deleted
C:\WINDOWS\SYSTEM32\TDSSTKDU.log - Deleted
Could Not Remove C:\WINDOWS\system32\smwin32.dll
Folder C:\Program Files\TS-2009 - Removed
Folder C:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1015 - Removed
Removing Temp Files
ADS Check :
Final Check :
catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-14 21:55:04
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden services & system hive ...
scanning hidden registry entries ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0
Remaining Services :
Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Program Files\\QIP\\qip.exe"="C:\\Program Files\\QIP\\qip.exe:*:Enabled:Quiet Internet Pager"
"C:\\Program Files\\Nero\\Nero 7\\Nero Home\\NeroHome.exe"="C:\\Program Files\\Nero\\Nero 7\\Nero Home\\NeroHome.exe:*:Enabled:Nero Home"
"C:\\WINDOWS\\system32\\sessmgr.exe"="C:\\WINDOWS\\system32\\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Ad-Aware 2008\\ad_aware_2008_portable_7.1.0.1\\App\\AdAware\\Ad-Aware.exe"="C:\\Program Files\\Ad-Aware 2008\\ad_aware_2008_portable_7.1.0.1\\App\\AdAware\\Ad-Aware.exe:*:Enabled:AdAware"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Ad-Aware 2008\\ad_aware_2008_portable_7.1.0.1\\App\\AdAware\\Ad-Aware.exe"="C:\\Program Files\\Ad-Aware 2008\\ad_aware_2008_portable_7.1.0.1\\App\\AdAware\\Ad-Aware.exe:*:Enabled:AdAware"
Remaining Files :
C:\WINDOWS\default.htm Found
C:\WINDOWS\system32\smwin32.dll Found
File Backups: - C:\SDFix\backups\backups.zip
Files with Hidden Attributes :
Finished!
ComboFix Report
ComboFix 08-12-09.03 - Froggy-user 2008-12-14 22:01:49.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1251.1.1049.18.1613 [GMT 5:00]
Running from: c:\documents and settings\Froggy-user\Рабочий стол\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\default.htm
c:\windows\system32\_000110_.tmp.dll
c:\windows\system32\_000870_.tmp.dll
c:\windows\system32\akbuumpv.dll
c:\windows\system32\auesqrmq.ini
c:\windows\system32\auytgehi.ini
c:\windows\system32\bjrnqnja.ini
c:\windows\system32\bnhggxko.ini
c:\windows\system32\cduosniw.ini
c:\windows\system32\cspjyeoe.ini
c:\windows\system32\ddfkthfy.ini
c:\windows\system32\Desktop_.ini
c:\windows\system32\dlujsaey.ini
c:\windows\system32\ejvtuyse.ini
c:\windows\system32\fcrkthbt.ini
c:\windows\system32\frmylvay.ini
c:\windows\system32\getfn32.dll
c:\windows\system32\GgOVEfhk.ini
c:\windows\system32\GgOVEfhk.ini2
c:\windows\system32\gvcpxkuk.ini
c:\windows\system32\hbwjuwfk.ini
c:\windows\system32\hgGwXppp.dll
c:\windows\system32\ijtpamwg.ini
c:\windows\system32\invsisyo.ini
c:\windows\system32\ixyrwxkf.ini
c:\windows\system32\khfCtrPi.dll
c:\windows\system32\khfEVOgG.dll
c:\windows\system32\kqynhvap.ini
c:\windows\system32\ljlljjxu.dll
c:\windows\system32\lmtceinn.ini
c:\windows\system32\lrjkwugi.ini
c:\windows\system32\ltbynowo.ini
c:\windows\system32\lumquypm.dll
c:\windows\system32\lvgfmjyi.ini
c:\windows\system32\mcdlkvku.ini
c:\windows\system32\mcsbqing.ini
c:\windows\system32\mpyuqmul.ini
c:\windows\system32\mumwijjt.ini
c:\windows\system32\mwmjlotb.ini
c:\windows\system32\nnnNeBtS.dll
c:\windows\system32\nvdxviyy.ini
c:\windows\system32\olvsmsde.ini
c:\windows\system32\owkpppwy.ini
c:\windows\system32\oysisvni.dll
c:\windows\system32\pavhnyqk.dll
c:\windows\system32\pfqtxqui.ini
c:\windows\system32\pgivaujc.ini
c:\windows\system32\ppruodlf.ini
c:\windows\system32\qmfbkwdp.ini
c:\windows\system32\qutcunil.ini
c:\windows\system32\rmboohif.ini
c:\windows\system32\rsdsbhcc.ini
c:\windows\system32\ruaofynu.ini
c:\windows\system32\rxddbmem.ini
c:\windows\system32\rxgqexnh.ini
c:\windows\system32\smwin32.dll
c:\windows\system32\sowwekwb.ini
c:\windows\system32\syophucu.ini
c:\windows\system32\uaxfwauv.ini
c:\windows\system32\ueevgdft.ini
c:\windows\system32\ueqanaem.ini
c:\windows\system32\uesiuqcr.exe
c:\windows\system32\uxjjlljl.ini
c:\windows\system32\vpmuubka.ini
c:\windows\system32\vuawfxau.dll
c:\windows\system32\vyjwpgdh.ini
c:\windows\system32\wtxxhqxt.dll
c:\windows\system32\xgugiklf.ini
c:\windows\system32\xmqswnes.ini
c:\windows\system32\yfdcwmqc.ini
c:\windows\system32\yfhtkfdd.dll
c:\windows\system32\yuyhnogd.ini
c:\windows\system32\yyfgwtfw.ini
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_NETWORK_DRIVER_INTERFACE
((((((((((((((((((((((((( Files Created from 2008-11-14 to 2008-12-14 )))))))))))))))))))))))))))))))
.
2008-12-14 21:47 . 2008-12-14 21:47 60,506 --a------ c:\documents and settings\Froggy-user\catchme.zip
2008-12-14 21:43 . 2008-12-14 21:43 <DIR> d-------- c:\windows\ERUNT
2008-12-14 21:13 . 2008-12-14 21:56 <DIR> d-------- C:\SDFix
2008-12-14 21:10 . 2008-12-14 21:10 <DIR> d-------- c:\program files\Trend Micro
2008-12-11 00:38 . 2008-12-11 00:38 11,264 --a------ c:\windows\system32\drivers\uzezmza0.sys
2008-12-10 23:48 . 2008-12-10 23:48 <DIR> d-------- c:\program files\Enigma Software Group
2008-12-10 23:27 . 2008-12-10 23:27 <DIR> d-------- c:\program files\AVZ4
2008-12-10 22:06 . 2008-12-10 23:10 <DIR> d-------- c:\program files\Anti Trojan Elite
2008-12-10 22:00 . 2008-12-10 22:00 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2008-12-10 20:18 . 2008-12-10 20:18 <DIR> d-------- c:\documents and settings\All Users\Application Data\LavasoftBackup
2008-12-09 23:51 . 2001-10-20 17:00 1,875,968 --a--c--- c:\windows\system32\dllcache\msir3jp.lex
2008-12-09 23:50 . 2001-10-20 17:00 13,463,552 --a--c--- c:\windows\system32\dllcache\hwxjpn.dll
2008-12-09 23:49 . 2004-08-17 17:04 2,134,528 --a--c--- c:\windows\system32\dllcache\smtpsnap.dll
2008-12-09 23:47 . 2008-12-09 23:47 749 -rah----- c:\windows\WindowsShell.Manifest
2008-12-09 23:47 . 2008-12-09 23:47 749 -rah----- c:\windows\system32\wuaucpl.cpl.manifest
2008-12-09 23:47 . 2008-12-09 23:47 749 -rah----- c:\windows\system32\sapi.cpl.manifest
2008-12-09 23:47 . 2008-12-09 23:47 749 -rah----- c:\windows\system32\nwc.cpl.manifest
2008-12-09 23:47 . 2008-12-09 23:47 749 -rah----- c:\windows\system32\ncpa.cpl.manifest
2008-12-09 23:47 . 2008-12-09 23:47 488 -rah----- c:\windows\system32\logonui.exe.manifest
2008-12-09 22:23 . 2008-12-09 22:23 <DIR> d-------- c:\documents and settings\Администратор\Application Data\Media Player Classic
2008-12-09 22:15 . 2008-12-09 22:15 <DIR> d-------- c:\documents and settings\Администратор\Application Data\DivX
2008-12-09 21:53 . 2008-12-09 21:53 <DIR> d-------- c:\program files\Lavasoft
2008-12-09 21:46 . 2008-12-09 21:46 <DIR> d-------- c:\program files\2gis
2008-12-09 21:46 . 2008-12-09 21:46 <DIR> d-------- c:\documents and settings\All Users\Application Data\2GIS
2008-12-09 20:27 . 2008-12-08 22:50 <DIR> d--h----- c:\documents and settings\Администратор\Шаблоны
2008-12-09 20:27 . 2008-12-08 22:50 <DIR> d--h----- c:\documents and settings\Администратор\Шаблоны
2008-12-09 20:27 . 2008-04-05 18:57 <DIR> d-------- c:\documents and settings\Администратор\Рабочий стол
2008-12-09 20:27 . 2008-04-05 18:57 <DIR> d-------- c:\documents and settings\Администратор\Рабочий стол
2008-12-09 20:27 . 2008-04-05 18:57 <DIR> d-------- c:\documents and settings\Администратор\Мои документы
2008-12-09 20:27 . 2008-04-05 18:57 <DIR> d-------- c:\documents and settings\Администратор\Мои документы
2008-12-09 20:27 . 2008-04-05 18:57 <DIR> dr------- c:\documents and settings\Администратор\Главное меню
2008-12-09 20:27 . 2008-04-05 18:57 <DIR> dr------- c:\documents and settings\Администратор\Главное меню
2008-12-09 20:27 . 2008-12-09 22:30 <DIR> d-------- c:\documents and settings\Администратор\Избранное
2008-12-09 20:27 . 2008-12-09 22:30 <DIR> d-------- c:\documents and settings\Администратор\Избранное
2008-12-09 20:27 . 2008-12-09 22:26 <DIR> d-------- c:\documents and settings\Администратор
2008-12-09 19:14 . 2008-12-09 19:14 91,700 --a------ c:\windows\system32\drivers\klin.dat
2008-12-09 19:14 . 2008-12-09 19:14 85,860 --a------ c:\windows\system32\drivers\klick.dat
2008-12-09 19:10 . 2008-12-09 19:10 <DIR> d-------- c:\program files\Kaspersky Lab
2008-12-09 19:10 . 2008-12-14 21:57 <DIR> d-------- c:\documents and settings\All Users\Application Data\Kaspersky Lab
2008-12-09 19:10 . 2008-12-14 22:08 879,904 --ahs---- c:\windows\system32\drivers\fidbox.dat
2008-12-09 19:10 . 2008-12-14 22:07 54,048 --ahs---- c:\windows\system32\drivers\fidbox2.dat
2008-12-09 19:10 . 2008-12-14 22:06 13,880 --ahs---- c:\windows\system32\drivers\fidbox.idx
2008-12-09 19:10 . 2008-12-14 22:06 7,136 --ahs---- c:\windows\system32\drivers\fidbox2.idx
2008-12-09 19:08 . 2008-12-09 19:08 <DIR> d-------- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-12-08 22:50 . 2004-08-17 16:54 14,043 -ra------ c:\windows\SET7F.tmp
2008-12-08 22:49 . 2004-08-17 16:54 1,086,058 -ra------ c:\windows\SET73.tmp
2008-12-08 22:49 . 2004-08-17 16:57 1,014,193 -ra------ c:\windows\SET70.tmp
2008-12-08 22:48 . 2008-12-08 22:48 <DIR> d---s---- c:\windows\system32\config\systemprofile\History
2008-12-06 23:05 . 2008-12-06 23:05 106,496 --a------ c:\windows\system32\ipdll.dll
2008-12-06 23:05 . 2008-12-06 23:05 57,344 --a------ c:\windows\system32\svchоst.exe
2008-12-06 23:05 . 2008-12-06 23:05 46,080 --a------ c:\windows\system32\bits.dll
2008-11-26 21:31 . 2008-11-26 21:31 <DIR> d-------- c:\documents and settings\Froggy-user\Application Data\ESET
2008-11-26 17:48 . 2008-11-26 17:48 <DIR> d-------- c:\documents and settings\All Users\Application Data\ESET
2008-11-26 00:22 . 2008-11-26 17:41 <DIR> d-------- c:\program files\PC Protection Center 2008
2008-11-17 20:09 . 2008-11-17 20:31 <DIR> d-------- C:\Новая папка
2008-11-17 17:39 . 2008-11-17 16:09 172,032 --a------ c:\windows\vbernwafxfk.dll
2008-11-17 17:39 . 2008-11-17 16:09 151,552 --a------ c:\windows\kopnvqat.dll
2008-11-17 17:39 . 2008-11-17 16:09 135,168 --a------ c:\windows\faxtsbpv.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-09 17:05 --------- d-----w c:\program files\jv16 PowerTools
2008-12-02 17:09 --------- d-----w c:\documents and settings\Froggy-user\Application Data\Ahead
2008-11-26 15:47 --------- d-----w c:\program files\ESET
2008-11-11 19:39 --------- d-----w c:\program files\awz
2008-11-10 16:20 --------- d-----w c:\documents and settings\Froggy-user\Application Data\Canon
2008-10-28 07:21 1,233,920 ----a-w c:\windows\system32\msxml4.dll
2008-09-25 13:21 78,910 ----a-w c:\program files\2410232.jpg
2008-08-22 19:35 6,907,758 ----a-w c:\program files\2gisPerm8.exe
2008-08-19 21:30 9,390,936 ----a-w c:\program files\winamp5541_full_emusic-7plus_ru-ru.exe
2008-08-02 16:27 1,495,112 ----a-w c:\program files\install_flash_player.exe
2008-08-02 16:20 1,377,264 ----a-w c:\program files\YandexOnlineSetup.exe
2008-06-14 18:27 144,920,878 ----a-r c:\program files\business_card_by_theslam.rar
2008-06-07 12:58 1,785,480 ----a-w c:\program files\setup_punto_switcher_2963.exe
2008-04-13 17:43 2,047,832 ----a-w c:\program files\qip8050.exe
2008-04-13 17:04 1,506,352 ----a-w c:\program files\qip8050.rar
2006-12-06 14:30 2,461,180 ----a-w c:\windows\inf\SET1F7.tmp
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{46E0A068-CF0A-4C6D-BC8D-0CA4CCB5697F}]
2008-11-17 16:09 172032 --a------ c:\windows\vbernwafxfk.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-17 15360]
"Punto Switcher"="c:\program files\Punto Switcher\ps.exe" [2008-05-30 722112]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-07-23 827392]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-07-23 8433664]
"CorelDRAW Graphics Suite 11b"="c:\program files\Corel\Corel Graphics 12\Languages\EN\Programs\Registration.exe" [2003-11-25 729088]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe" [2008-02-08 227856]
"nwiz"="nwiz.exe" [2007-07-23 c:\windows\system32\nwiz.exe]
"RTHDCPL"="RTHDCPL.EXE" [2007-07-23 c:\windows\RTHDCPL.exe]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-17 15360]
c:\documents and settings\All Users\Главное меню\Программы\Автозагрузка\
BTTray.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2007-04-01 568176]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"kopnvqat"= {FA839F42-A27D-48A2-A9D0-79C600B40DD8} - c:\windows\kopnvqat.dll [2008-11-17 151552]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.ACDV"= ACDV.dll
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Главное меню^Программы^Автозагрузка^Adobe Reader Speed Launch.lnk]
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Главное меню^Программы^Автозагрузка^Adobe Reader Synchronizer.lnk]
backup=c:\windows\pss\Adobe Reader Synchronizer.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a------ 2005-08-11 15:30 249856 c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2005-08-11 15:30 81920 c:\program files\Common Files\InstallShield\UpdateService\issch.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lingvo Launcher]
--a------ 2004-10-09 17:17 110592 c:\program files\ABBYY Lingvo 10 Multilingual Dictionary\LvAgent.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LingvoTraining]
--a------ 2004-10-09 17:23 1159168 c:\program files\ABBYY Lingvo 10 Multilingual Dictionary\Tutor.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-08-17 15:17 1667584 c:\program files\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2006-01-12 15:40 155648 c:\program files\Common Files\Ahead\Lib\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2007-07-23 22:11 81920 c:\windows\system32\nvmctray.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Omnipage]
--a------ 2002-06-03 10:38 49152 c:\program files\ScanSoft\OmniPageSE\opware32.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-03-14 02:43 83608 c:\program files\Java\jre1.6.0_01\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yupdate!]
--a------ 2008-05-14 15:25 460040 c:\program files\Common Files\Yandex\Yupdate\yupdate.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2007-07-23 22:12 1626112 c:\windows\system32\nwiz.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Bonjour Service"=2 (0x2)
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\QIP\\qip.exe"=
"c:\\Program Files\\Nero\\Nero 7\\Nero Home\\NeroHome.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
R1 uzezmza0;AVZ-RK Kernel Driver;\??\c:\windows\system32\Drivers\uzezmza0.sys [2008-12-11 11264]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\DRIVERS\klim5.sys [2007-12-13 24592]
S3 ATE_PROCMON;ATE_PROCMON;\??\c:\program files\Anti Trojan Elite\ATEPMon.sys []
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0970beb0-82dd-11dd-bb24-001c26e25fc8}]
\Shell\AutoRun\command - tio8x6.cmd
\Shell\explore\Command - tio8x6.cmd
\Shell\open\Command - tio8x6.cmd
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1347a9e4-823d-11dd-bb21-001b384fa0ff}]
\Shell\AutoRun\command - F:\a3g3.bat
\Shell\explore\Command - F:\a3g3.bat
\Shell\open\Command - F:\a3g3.bat
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1347a9e6-823d-11dd-bb21-001b384fa0ff}]
\Shell\AutoRun\command - F:\a3g3.bat
\Shell\explore\Command - F:\a3g3.bat
\Shell\open\Command - F:\a3g3.bat
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{16e47699-a447-11dd-bb86-001c26e25fc8}]
\Shell\AutoRun\command - F:\a3g3.bat
\Shell\explore\Command - F:\a3g3.bat
\Shell\open\Command - F:\a3g3.bat
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5190e65a-032e-11dd-ba08-001c269608ab}]
\Shell\AutoRun\command - F:\a3g3.bat
\Shell\explore\Command - F:\a3g3.bat
\Shell\open\Command - F:\a3g3.bat
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6705e1df-3316-11dd-baa2-001c26e25fc8}]
\Shell\AutoRun\command - F:\a3g3.bat
\Shell\explore\Command - F:\a3g3.bat
\Shell\open\Command - F:\a3g3.bat
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{795e4a42-c079-11dd-bbd0-001b384fa0ff}]
\Shell\AutoRun\command - tio8x6.cmd
\Shell\explore\Command - tio8x6.cmd
\Shell\open\Command - tio8x6.cmd
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7d89c018-030a-11dd-ba04-001b384fa0ff}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{95a4e7b2-a73e-11dd-bb89-001c26e25fc8}]
\Shell\AutoRun\command - F:\a3g3.bat
\Shell\explore\Command - F:\a3g3.bat
\Shell\open\Command - F:\a3g3.bat
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d3b8ed9a-8324-11dd-bb26-001c26e25fc8}]
\Shell\AutoRun\command - F:\a3g3.bat
\Shell\explore\Command - F:\a3g3.bat
\Shell\open\Command - F:\a3g3.bat
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d3b8ed9b-8324-11dd-bb26-001c26e25fc8}]
\Shell\AutoRun\command - G:\a3g3.bat
\Shell\explore\Command - G:\a3g3.bat
\Shell\open\Command - G:\a3g3.bat
.
- - - - ORPHANS REMOVED - - - -
BHO-{6C6FE55F-67CF-465B-B1EF-45835495F179} - c:\windows\system32\khfEVOgG.dll
HKLM-Run-Anti Trojan Elite - c:\program files\Anti Trojan Elite\TJEnder.exe
SSODL-tslmavew-{8FB84E99-D3E7-4777-8C64-D17678487C4B} - (no file)
MSConfigStartUp-5c473880 - c:\windows\system32\oysisvni.dll
MSConfigStartUp-TotalSecure2009 - c:\program files\TS-2009\scan.exe
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-14 22:08:17
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(1308)
c:\program files\Kaspersky Lab\Kaspersky Internet Security 7.0\miscr3.dll
c:\windows\system32\klogon.dll
- - - - - - - > 'lsass.exe'(1364)
c:\program files\Kaspersky Lab\Kaspersky Internet Security 7.0\dnsq.dll
c:\program files\Kaspersky Lab\Kaspersky Internet Security 7.0\miscr3.dll
c:\program files\Kaspersky Lab\Kaspersky Internet Security 7.0\fssync.dll
- - - - - - - > 'explorer.exe'(4000)
c:\program files\Kaspersky Lab\Kaspersky Internet Security 7.0\miscr3.dll
c:\program files\Kaspersky Lab\Kaspersky Internet Security 7.0\fssync.dll
c:\program files\Kaspersky Lab\Kaspersky Internet Security 7.0\scrchpg.dll
c:\progra~1\COMMON~1\MICROS~1\WEBCOM~1\10\OWC10.DLL
c:\windows\system32\Msi.dll
c:\program files\Common Files\Microsoft Shared\Web Components\10\1049\OWCI10.DLL
c:\progra~1\COMMON~1\MICROS~1\WEBCOM~1\11\OWC11.DLL
c:\program files\Common Files\Microsoft Shared\Web Components\11\1049\OWCI11.DLL
.
------------------------ Other Running Processes ------------------------
.
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\nvsvc32.exe
c:\docume~1\FROGGY~1\LOCALS~1\temp\RtkBtMnt.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-12-14 22:11:53 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-14 17:11:43
Pre-Run: 2 692 145 152 байт свободно
Post-Run: 2,581,860,352 байт свободно