

Re: Need help~~~ pc really dying =(

Hey, I have scanned the PC with ComboFix and this is the log it produced (pasted unedited):

ComboFix 08-01-17.5 - Owner 2008-01-17 16:59:30.1 - NTFSx86
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data.\nfo
C:\Documents and Settings\All Users\Application Data.\nfo\keys.dat
C:\Documents and Settings\All Users\Application Data.\nfo\mon0104.dbd
C:\Documents and Settings\All Users\Application Data.\nfo\mon0106.ddx
C:\Documents and Settings\All Users\Application Data.\nfo\mon0204.ddx
C:\Documents and Settings\All Users\Application Data.\nfo\mon0315.ddx
C:\Documents and Settings\All Users\Application Data.\nfo\mon0412.ddx
C:\Documents and Settings\All Users\Application Data.\nfo\mon0504.ddx
C:\Documents and Settings\All Users\Application Data.\nfo\mon0904.ddx
C:\Documents and Settings\All Users\Application Data.\nfo\mon1125.ddx
C:\Documents and Settings\All Users\Application Data.\nfo\mon1204.ddx
C:\Documents and Settings\All Users\Application Data.\nfo\mon1215.dbd
C:\Documents and Settings\All Users\Application Data.\nfo\mon1909.ddx
C:\Documents and Settings\All Users\Application Data.\nfo\mon1920.dbd
C:\Documents and Settings\All Users\Application Data.\nfo\mon2007.dbd
C:\Documents and Settings\All Users\Application Data.\vidmon
C:\Documents and Settings\All Users\Application Data.\vidmon\vidmon.inf
C:\Documents and Settings\All Users\Application Data.\vidmon\vidmonsh.inf
C:\Documents and Settings\Owner\Application Data\wtta.exe
C:\Documents and Settings\Owner\new.txt
C:\lswmv.ini
C:\Program Files\Common Files\uninstall information
C:\Program Files\Common Files\uninstall information\RemoveWebDP.exe
C:\Program Files\ISTsvc
C:\Program Files\pedevice
C:\Program Files\pedevice\communication.xml
C:\Program Files\pedevice\Domain.Watchlist.txt
C:\Program Files\pedevice\fixit2.exe
C:\Program Files\pedevice\pae-options.xml
C:\Program Files\pedevice\pae_url.xml
C:\Program Files\pedevice\PeDev.dll
C:\Program Files\pedevice\PeDev.exe
C:\Program Files\pedevice\pedevPS.dll
C:\Program Files\pedevice\Preparation.dll
C:\Program Files\pedevice\search.watchlist.txt
C:\Program Files\pedevice\stat_archive\2008-01-10
C:\Program Files\pedevice\stat_archive\2008-01-12
C:\Program Files\pedevice\statistic.xml
C:\Program Files\pedevice\tmp\tmp.html
C:\Program Files\pedevice\watchlist.xml
C:\Program Files\SideFind
C:\Program Files\SideFind\sfbho.dll
C:\Program Files\SideFind\sfexd001
C:\Program Files\SideFind\sidefind.dll
C:\Program Files\windows adstatus
C:\Program Files\windows adstatus\WinStatKeep.exe
C:\WINDOWS\180ax.exe
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\6_exception.nls
C:\WINDOWS\system32\awvts.dll
C:\WINDOWS\system32\bxchtirf.exe
C:\WINDOWS\system32\config\systemprofile\Application Data\wtta.exe
C:\WINDOWS\system32\dxtuseay.exe
C:\WINDOWS\system32\eykouuha.exe
C:\WINDOWS\system32\gcdnrbsa.exe
C:\WINDOWS\system32\hdsninvm.dll
C:\WINDOWS\system32\hfbhjuvx.exe
C:\WINDOWS\system32\huujpenv.exe
C:\WINDOWS\system32\jgcxxwpk.exe
C:\WINDOWS\system32\jkkhhhe.dll
C:\WINDOWS\system32\jtkbdqfq.exe
C:\WINDOWS\system32\kqjrllxw.exe
C:\WINDOWS\system32\ljxurelg.exe
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mmguuvgx.exe
C:\WINDOWS\system32\mmvhiiuq.exe
C:\WINDOWS\system32\mujgktdw.exe
C:\WINDOWS\system32\nfomon
C:\WINDOWS\system32\nfomon\License.txt
C:\WINDOWS\system32\nfomon\nfo.ocx
C:\WINDOWS\system32\nfomon\nfom.dll
C:\WINDOWS\system32\nfomon\nfomon.ex_
C:\WINDOWS\system32\nfwrcbde.exe
C:\WINDOWS\system32\nvqnbdum.exe
C:\WINDOWS\system32\olkxwafh.exe
C:\WINDOWS\system32\pgfmdtmt.exe
C:\WINDOWS\system32\pjjvrcqm.exe
C:\WINDOWS\system32\pqtmocpj.dll
C:\WINDOWS\system32\qbawipqw.exe
C:\WINDOWS\system32\qpxssoea.exe
C:\WINDOWS\system32\sfgvkoii.exe
C:\WINDOWS\system32\stvwa.bak1
C:\WINDOWS\system32\stvwa.bak2
C:\WINDOWS\system32\stvwa.ini
C:\WINDOWS\system32\stvwa.ini2
C:\WINDOWS\system32\stvwa.tmp
C:\WINDOWS\system32\tblrdybv.exe
C:\WINDOWS\system32\tohgxykh.exe
C:\WINDOWS\system32\trmipexc.exe
C:\WINDOWS\system32\tybvbile.exe
C:\WINDOWS\system32\vidmon
C:\WINDOWS\system32\vidmon\vidmon.ex_
C:\WINDOWS\system32\wvuutuu.dll
C:\WINDOWS\system32\xcdrdwiu.exe
C:\WINDOWS\system32\xkjrcwtx.exe
C:\WINDOWS\system32\xthsptxm.exe
C:\WINDOWS\system32\xyhpipsy.exe
C:\WINDOWS\system32\yqjvnoow.exe
C:\WINDOWS\system32\ystjoign.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_DOMAINSERVICE
-------\DomainService
-------\runtime


((((((((((((((((((((((((( Files Created from 2007-12-17 to 2008-01-17 )))))))))))))))))))))))))))))))
.

2008-01-17 16:55 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-14 17:16 . 2008-01-17 16:50 <DIR> d-------- C:\Program Files\Cheat Engine
2008-01-12 18:14 . 2008-01-12 18:14 <DIR> d-------- C:\Deckard
2007-12-30 13:55 . 2007-12-30 13:55 268 --ah----- C:\sqmdata19.sqm
2007-12-30 13:55 . 2007-12-30 13:55 244 --ah----- C:\sqmnoopt19.sqm
2007-12-24 11:46 . 2007-12-24 11:46 37,376 --a------ C:\WINDOWS\system32\qommnom.dll
2007-12-23 11:43 . 2007-12-23 11:43 37,376 --a------ C:\WINDOWS\system32\pmnonnn.dll
2007-12-22 11:39 . 2007-12-22 11:39 37,376 --a------ C:\WINDOWS\system32\khffcyw.dll
2007-12-22 09:35 . 2007-12-22 09:35 37,376 --a------ C:\WINDOWS\system32\ljjgfgg.dll
2007-12-21 23:56 . 2007-12-22 00:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WinZip
2007-12-21 23:48 . 2007-12-22 09:28 <DIR> d-------- C:\Program Files\Google
2007-12-21 23:32 . 2007-12-21 23:32 37,376 --a------ C:\WINDOWS\system32\urqqqqp.dll
2007-12-21 17:07 . 2007-12-21 17:07 37,376 --a------ C:\WINDOWS\system32\yayxuss.dll
2007-12-21 11:15 . 2007-12-21 11:15 37,376 --a------ C:\WINDOWS\system32\iiffded.dll
2007-12-20 09:27 . 2007-12-20 09:27 37,376 --a------ C:\WINDOWS\system32\xxyvspp.dll
2007-12-19 14:26 . 2007-12-19 14:26 37,376 --a------ C:\WINDOWS\system32\iifdddd.dll
2007-12-18 14:22 . 2007-12-18 14:22 37,376 --a------ C:\WINDOWS\system32\nnnljhh.dll
2007-12-17 14:25 . 2007-12-17 14:25 37,376 --a------ C:\WINDOWS\system32\ljjkhfc.dll
2007-12-17 10:01 . 2007-12-17 10:01 37,376 --a------ C:\WINDOWS\system32\iiffcca.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-16 23:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2008-01-12 16:33 --------- d-----w C:\Documents and Settings\Owner\Application Data\Hamachi
2008-01-03 07:19 --------- d-----w C:\Documents and Settings\Owner\Application Data\AVG7
2007-12-01 07:04 --------- d-----w C:\Program Files\Gravity
2007-11-30 19:05 --------- d-----w C:\Program Files\Windows Live Toolbar
2007-11-17 07:41 --------- d-----w C:\Program Files\ZNRO Server
2004-07-27 00:17 32 --sha-w C:\WINDOWS\{2A9D1721-1D2A-4DFA-BA52-EDBEDC8EEDBD}.dat
2004-12-03 02:39 32 --sha-w C:\WINDOWS\{8F7469FB-3F8A-4C82-892C-44218CCE49AA}.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{00000062-2E5F-4AF7-986E-5B64E0951A96}]
2005-02-23 17:33 253952 --a------ C:\WINDOWS\imGiant.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RecordNow!"="" []
"Win32 USB2 Driver"="usb2.exe" []
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54 5674352]
"Free Download Manager"="C:\Program Files\Free Download Manager\fdm.exe" [ ]
"Acme.PCHButton"="C:\PROGRA~1\PRESAR~1\Presario\XPHWWRP4\plugin\bin\PCHButton.exe" [2003-10-16 21:49 159744]
"Bias Barb"="C:\DOCUME~1\Owner\APPLIC~1\RDRFUN~1\dupe way boob.exe" [ ]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15:56 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2007-12-21 23:49 171448]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 13:31 208952]
"MSPY2002"="C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe" [2003-08-17 00:24 59392]
"PHIME2002ASync"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe" [2003-08-17 00:25 455168]
"PHIME2002A"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe" [2003-08-17 00:25 455168]
"HPHUPD05"="c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe" [ ]
"Power Scan"="C:\Program Files\Power Scan\powerscan.exe" [2005-03-09 14:00 8494]
"webrebates"="C:\Program Files\WebRebates4\webrebates.exe" [ ]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 13:47 57344 C:\WINDOWS\ALCXMNTR.EXE]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-12-21 03:10 579072]
"Windows AdService"="C:\Program Files\Windows AdService\WinAdServ.exe" [2007-09-12 19:24 25088]
"SYSTRAY"="C:\UNMT.EXE" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Win32 USB2 Driver"="usb2.exe" []
"System"="rundl.exe" []

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Win32 USB2 Driver"="usb2.exe" []
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-10-23 03:10 219136]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 12:54 5674352]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Compaq Connections.lnk - C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe~ [2003-10-16 21:46:08]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2003-07-07 15:20:40]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-18 04:05:56]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddcywxx]
ddcywxx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\urqqqqp]
urqqqqp.dll 2007-12-21 23:32 37376 C:\WINDOWS\system32\urqqqqp.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtuspqr]
vtuspqr.dll


.
Contents of the 'Scheduled Tasks' folder
"2008-01-17 09:00:06 C:\WINDOWS\Tasks\AC2996A4918A12AC.job"
- c:\docume~1\owner\applic~1\rdrfun~1\loadjunkbits.exe
"2008-01-12 16:00:03 C:\WINDOWS\Tasks\At1.job"
- C:\WINDOWS\system32\JD363RLT.exe
"2008-01-17 01:00:00 C:\WINDOWS\Tasks\At10.job"
- C:\WINDOWS\system32\JD363RLT.exe
"2008-01-17 02:00:00 C:\WINDOWS\Tasks\At11.job"
- C:\WINDOWS\system32\JD363RLT.exe
"2008-01-17 03:00:00 C:\WINDOWS\Tasks\At12.job"
- C:\WINDOWS\system32\JD363RLT.exe
"2008-01-17 04:00:00 C:\WINDOWS\Tasks\At13.job"
- C:\WINDOWS\system32\JD363RLT.exe
"2008-01-17 05:00:00 C:\WINDOWS\Tasks\At14.job"
- C:\WINDOWS\system32\JD363RLT.exe
"2008-01-17 06:00:00 C:\WINDOWS\Tasks\At15.job"
- C:\WINDOWS\system32\JD363RLT.exe
"2008-01-17 07:00:01 C:\WINDOWS\Tasks\At16.job"
- C:\WINDOWS\system32\JD363RLT.exe
"2008-01-17 08:00:00 C:\WINDOWS\Tasks\At17.job"
- C:\WINDOWS\system32\JD363RLT.exe
"2008-01-17 09:00:07 C:\WINDOWS\Tasks\At18.job"
- C:\WINDOWS\system32\JD363RLT.exe
"2008-01-14 10:00:00 C:\WINDOWS\Tasks\At19.job"
- C:\WINDOWS\system32\JD363RLT.exe
"2008-01-12 17:00:02 C:\WINDOWS\Tasks\At2.job"
- C:\WINDOWS\system32\JD363RLT.exe
"2008-01-07 11:00:00 C:\WINDOWS\Tasks\At20.job"
- C:\WINDOWS\system32\JD363RLT.exe
"2008-01-07 12:00:01 C:\WINDOWS\Tasks\At21.job"
- C:\WINDOWS\system32\JD363RLT.exe
"2007-12-31 13:00:00 C:\WINDOWS\Tasks\At22.job"
- C:\WINDOWS\system32\JD363RLT.exe
"2007-12-31 14:00:00 C:\WINDOWS\Tasks\At23.job"
- C:\WINDOWS\system32\JD363RLT.exe
"2008-01-05 15:00:00 C:\WINDOWS\Tasks\At24.job"
- C:\WINDOWS\system32\JD363RLT.exe
"2008-01-12 18:00:05 C:\WINDOWS\Tasks\At3.job"
- C:\WINDOWS\system32\JD363RLT.exe
"2007-12-31 19:00:00 C:\WINDOWS\Tasks\At4.job"
- C:\WINDOWS\system32\JD363RLT.exe
"2007-12-31 20:00:00 C:\WINDOWS\Tasks\At5.job"
- C:\WINDOWS\system32\JD363RLT.exe
"2007-12-31 21:00:00 C:\WINDOWS\Tasks\At6.job"
- C:\WINDOWS\system32\JD363RLT.exe
"2007-12-31 22:00:00 C:\WINDOWS\Tasks\At7.job"
- C:\WINDOWS\system32\JD363RLT.exe
"2007-12-31 23:00:00 C:\WINDOWS\Tasks\At8.job"
- C:\WINDOWS\system32\JD363RLT.exe
"2008-01-17 00:00:00 C:\WINDOWS\Tasks\At9.job"
- C:\WINDOWS\system32\JD363RLT.exe
"2008-01-17 08:24:23 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
"2008-01-17 09:29:06 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-17 17:24:32
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-17 17:34:41 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-17 09:34:36
.
2008-01-12 09:22:57 --- E O F ---