
PC infected with siszyd32.exe, please, how do I remove it?

Posted: 16 Jan 2010 12:34
by deziderdezo
ComboFix log:

ComboFix 10-01-15.05 - User 16.01.2010 11:57:17.1.1 - x86
Running from: c:\documents and settings\User\Desktop\ComboFix.exe
AV: Eset NOD32 Antivirus 2.70 *On-access scanning enabled* (Outdated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\User\Application Data\avdrn.dat
c:\documents and settings\User\Start Menu\Programs\Startup\siszyd32.exe
c:\program files\FunWebProducts
c:\program files\MyWebSearch
c:\program files\MyWebSearch\bar\Settings\s_pid.dat
c:\program files\QIP
c:\program files\QIP\LI\Cesky\_cntry.lng
c:\program files\QIP\LI\Cesky\_intrsts.lng
c:\program files\QIP\LI\Cesky\_langs.lng
c:\program files\QIP\LI\Cesky\_marital.lng
c:\program files\QIP\LI\Cesky\_occup.lng
c:\program files\QIP\LI\Cesky\_orgs.lng
c:\program files\QIP\LI\Cesky\_past.lng
c:\program files\QIP\LI\Cesky\_rndchat.lng
c:\program files\QIP\LI\Cesky\desc.txt
c:\program files\QIP\LI\Cesky\chars_r.ini
c:\program files\QIP\LI\Cesky\chars_t.ini
c:\program files\QIP\LI\Cesky\lang.ini
c:\program files\QIP\LI\current.cfg
c:\program files\QIP\LI\langs.cfg
c:\program files\QIP\Skins\current.cfg
c:\program files\QIP\Skins\skins.cfg
c:\program files\QIP\Users\238669298\_birth.txt
c:\program files\QIP\Users\238669298\_botq.txt
c:\program files\QIP\Users\238669298\_events.txt
c:\program files\QIP\Users\238669298\_eye.txt
c:\program files\QIP\Users\238669298\_groups.txt
c:\program files\QIP\Users\238669298\_m_away.txt
c:\program files\QIP\Users\238669298\_m_depr.txt
c:\program files\QIP\Users\238669298\_m_dnd.txt
c:\program files\QIP\Users\238669298\_m_evil.txt
c:\program files\QIP\Users\238669298\_m_ffc.txt
c:\program files\QIP\Users\238669298\_m_home.txt
c:\program files\QIP\Users\238669298\_m_lunch.txt
c:\program files\QIP\Users\238669298\_m_na.txt
c:\program files\QIP\Users\238669298\_m_occup.txt
c:\program files\QIP\Users\238669298\_m_work.txt
c:\program files\QIP\Users\238669298\_premsg.txt
c:\program files\QIP\Users\238669298\_st_away.txt
c:\program files\QIP\Users\238669298\_st_cust.txt
c:\program files\QIP\Users\238669298\238669298.cl
c:\program files\QIP\Users\238669298\238669298.clg
c:\program files\QIP\Users\238669298\238669298.cli
c:\program files\QIP\Users\238669298\238669298.clv
c:\program files\QIP\Users\238669298\238669298.lcl
c:\program files\QIP\Users\238669298\238669298.nil
c:\program files\QIP\Users\238669298\BackupCL\238669298_2007_10.cl
c:\program files\QIP\Users\238669298\BackupCL\238669298_2007_10.clg
c:\program files\QIP\Users\238669298\BackupCL\238669298_2007_10.cli
c:\program files\QIP\Users\238669298\BackupCL\238669298_2007_10.clv
c:\program files\QIP\Users\238669298\Config.ini
c:\program files\QIP\Users\238669298\Devils\238669298.jpg
c:\program files\QIP\Users\238669298\Devils\337538007.jpg
c:\program files\QIP\Users\238669298\Devils\467599069.jpg
c:\program files\QIP\Users\238669298\History\_srvlog.txt
c:\program files\QIP\Users\238669298\History\388295464.txt
c:\program files\QIP\Users\238669298\History\448601365.txt
c:\program files\QIP\Users\467599069\_birth.txt
c:\program files\QIP\Users\467599069\_botq.txt
c:\program files\QIP\Users\467599069\_events.txt
c:\program files\QIP\Users\467599069\_eye.txt
c:\program files\QIP\Users\467599069\_groups.txt
c:\program files\QIP\Users\467599069\_m_away.txt
c:\program files\QIP\Users\467599069\_m_depr.txt
c:\program files\QIP\Users\467599069\_m_dnd.txt
c:\program files\QIP\Users\467599069\_m_evil.txt
c:\program files\QIP\Users\467599069\_m_ffc.txt
c:\program files\QIP\Users\467599069\_m_home.txt
c:\program files\QIP\Users\467599069\_m_lunch.txt
c:\program files\QIP\Users\467599069\_m_na.txt
c:\program files\QIP\Users\467599069\_m_occup.txt
c:\program files\QIP\Users\467599069\_m_work.txt
c:\program files\QIP\Users\467599069\_premsg.txt
c:\program files\QIP\Users\467599069\_st_away.txt
c:\program files\QIP\Users\467599069\_st_cust.txt
c:\program files\QIP\Users\467599069\467599069.cl
c:\program files\QIP\Users\467599069\467599069.clg
c:\program files\QIP\Users\467599069\467599069.cli
c:\program files\QIP\Users\467599069\467599069.clv
c:\program files\QIP\Users\467599069\467599069.lcl
c:\program files\QIP\Users\467599069\467599069.nil
c:\program files\QIP\Users\467599069\BackupCL\467599069_2007_10.cl
c:\program files\QIP\Users\467599069\BackupCL\467599069_2007_10.clg
c:\program files\QIP\Users\467599069\BackupCL\467599069_2007_10.cli
c:\program files\QIP\Users\467599069\BackupCL\467599069_2007_10.clv
c:\program files\QIP\Users\467599069\Config.ini
c:\program files\QIP\Users\467599069\Devils\238669298.jpg
c:\program files\QIP\Users\467599069\Devils\416953154.jpg
c:\program files\QIP\Users\467599069\Devils\420565595.jpg
c:\program files\QIP\Users\467599069\Devils\467599069.jpg
c:\program files\QIP\Users\467599069\History\_srvlog.txt
c:\program files\QIP\Users\467599069\History\205953980.txt
c:\program files\QIP\Users\467599069\History\268364939.txt
c:\program files\QIP\Users\467599069\History\274731223.txt
c:\program files\QIP\Users\467599069\History\420565595.txt
c:\program files\QIP\Users\467599069\History\493442246.txt
c:\program files\QIP\Users\Accounts.cfg
c:\program files\QIP\Users\Default.cfg
C:\Thumbs.db
c:\windows\Downloaded Program Files\popcaploader.dll
c:\windows\Downloaded Program Files\popcaploader.inf
c:\windows\system32\f3PSSavr.scr
c:\windows\system32\Thumbs.db

.
((((((((((((((((((((((((( Files Created from 2009-12-16 to 2010-01-16 )))))))))))))))))))))))))))))))
.

2010-01-10 16:30 . 2010-01-10 16:30 118 ----a-w- c:\windows\system32\fjhdyfhsn.bat
2010-01-09 12:26 . 2010-01-09 12:26 165376 ----a-w- c:\windows\system32\drivers\atksgt.sys
2010-01-09 12:25 . 2010-01-09 12:25 18048 ----a-w- c:\windows\system32\drivers\lirsgt.sys
2010-01-02 16:23 . 2010-01-02 16:23 6868368 ----a-w- c:\documents and settings\User\Application Data\ESTsoft\ALUpdate\ALZIP\newfile\TEMP\ALZip.exe
2009-12-28 21:24 . 2009-12-28 21:24 98304 ----a-w- c:\windows\system32\CmdLineExt.dll
2009-12-28 21:22 . 2005-05-26 14:34 2297552 ----a-w- c:\windows\system32\d3dx9_26.dll
2009-12-28 21:15 . 2009-12-28 21:15 -------- d-----w- c:\program files\Ubisoft
2009-12-28 21:08 . 2010-01-16 08:24 -------- d-----w- c:\program files\DAEMON Tools Toolbar
2009-12-28 21:07 . 2009-12-28 21:13 -------- d-----w- c:\documents and settings\User\Application Data\DAEMON Tools Lite
2009-12-28 21:06 . 2009-12-28 21:07 -------- d-----w- c:\documents and settings\All Users\Application Data\DAEMON Tools Lite

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-15 18:44 . 2006-08-20 07:32 -------- d-----w- c:\documents and settings\User\Application Data\uTorrent
2010-01-14 09:34 . 2008-03-08 00:16 -------- d-----w- c:\program files\Opera
2010-01-14 09:24 . 2006-07-25 06:31 -------- d-----w- c:\program files\Common Files\Adobe
2010-01-12 21:48 . 2007-02-22 09:26 -------- d-----w- c:\program files\Java
2010-01-12 21:35 . 2007-09-17 07:37 -------- d-----w- c:\program files\eMule
2010-01-10 16:30 . 2010-01-10 16:30 16 ----a-w- c:\documents and settings\LocalService\Application Data\fvgqad.dat
2010-01-09 16:56 . 2007-03-08 10:53 -------- d-----w- c:\program files\Nobilis
2009-12-28 21:15 . 2006-07-24 15:51 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-12-28 21:08 . 2008-04-15 10:15 -------- d-----w- c:\program files\DAEMON Tools Lite
2009-12-28 21:07 . 2007-02-18 17:38 691696 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-12-28 04:19 . 2006-10-09 10:58 -------- d-----w- c:\program files\AstraScan Scanner
2009-12-28 04:18 . 2008-01-30 09:12 1926924 ----a-w- C:\sam.tmp
2009-12-05 12:13 . 2006-11-10 18:00 -------- d-----w- c:\documents and settings\User\Application Data\dvdcss
2009-12-05 08:59 . 2009-12-05 08:59 -------- d-----w- c:\program files\uTorrent
2009-10-30 13:32 . 2007-02-03 11:28 10 -c--a-w- c:\windows\popcinfo.dat
2007-05-20 14:46 . 2007-05-20 14:43 2100 ----a-w- c:\program files\voidmp3fm.ini
2006-10-06 09:39 . 2007-05-20 14:36 802816 ----a-w- c:\program files\voidMP3FM.exe
2006-09-23 17:59 . 2006-09-23 17:59 8282187 ----a-w- c:\program files\vlc-0.8.5-win32.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-10-14 1388544]
"nod32kui"="c:\program files\Eset\nod32kui.exe" [2007-03-19 949376]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 83608]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"PcSync"="c:\program files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2006-11-09 1634304]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BlueSoleil.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\BlueSoleil.lnk
backup=c:\windows\pss\BlueSoleil.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^User^Start Menu^Programs^Startup^Rapidown.lnk]
path=c:\documents and settings\User\Start Menu\Programs\Startup\Rapidown.lnk
backup=c:\windows\pss\Rapidown.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 08:50 155648 -c--a-w- c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
2006-11-08 12:27 222208 -c--a-w- c:\program files\Nokia\Nokia PC Suite 6\LaunchApplication.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SlowDownCPU]
2005-02-25 02:22 208896 -c--a-w- c:\windows\inf\MSI\SlowDownCPU\SlowDownCPU.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoftAuto.exe]
2008-05-28 02:39 401408 ----a-w- c:\program files\Creative\Software Update 3\SoftAuto.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SsAAD.exe]
2006-01-07 01:36 81920 -c--a-w- c:\progra~1\Sony\SONICS~1\SSAAD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2008-03-07 12:06 185896 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\USB Storage Toolbox]
2005-09-14 19:44 65536 ----a-w- c:\program files\USB Disk Win98 Driver\Res.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
"c:\\Program Files\\uTorrent\\utorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [18.2.2007 18:38 691696]
R1 Angelnt;Angelnt;c:\windows\system32\drivers\ANGELNT.SYS [25.7.2006 16:47 52544]
R1 nod32drv;nod32drv;c:\windows\system32\drivers\nod32drv.sys [19.3.2007 4:51 15424]
S3 CTUPnPSv;Creative Centrale Media Server;c:\program files\Creative\Creative Centrale\CTUPnPSv.exe [21.5.2008 12:42 64000]
S3 SlowDownCPU;SlowDownCPU;c:\windows\inf\MSI\SlowDownCPU\NTGLM7X.SYS [24.7.2006 16:47 23424]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.daemon-search.com/startpage
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to AMV Convert Tool... - c:\program files\MP3 Player Utilities 3.80\AMVConverter\grab.html
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: E&xportovať do programu Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: MediaManager tool grab multimedia file - c:\program files\MP3 Player Utilities 3.80\MediaManager\grab.html
LSP: c:\windows\system32\imon.dll
.
- - - - ORPHANS REMOVED - - - -

Notify-WgaLogon - (no file)
MSConfigStartUp-ICQ Lite - c:\program files\ICQLite\ICQLite.exe
MSConfigStartUp-MSMSGS - c:\program files\Messenger\msmsgs.exe
MSConfigStartUp-PWRISOVM - c:\program files\PowerISO\PWRISOVM.EXE



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-16 12:17
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\system32\wuauclt.exe.wusetup.265578.bak 51224 bytes executable
c:\windows\system32\wuaueng.dll.wusetup.270156.bak 1809944 bytes executable

scan completed successfully
hidden files: 2

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys spmv.sys >>UNKNOWN [0x82F90938]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf8668f28
\Driver\ACPI -> ACPI.sys @ 0xf83f0cb8
\Driver\atapi -> atapi.sys @ 0xf83abb40
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x80579022
ParseProcedure -> ntkrnlpa.exe @ 0x80577c84
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x80579022
ParseProcedure -> ntkrnlpa.exe @ 0x80577c84
NDIS: Realtek RTL8169/8110 Family Gigabit Ethernet NIC -> SendCompleteHandler -> NDIS.sys @ 0xf82a1bb0
PacketIndicateHandler -> NDIS.sys @ 0xf82aea21
SendHandler -> NDIS.sys @ 0xf828c87b
user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(712)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(768)
c:\windows\system32\imon.dll
c:\program files\Eset\pr_imon.dll

- - - - - - - > 'explorer.exe'(1252)
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Nokia\Nokia PC Suite 6\PhoneBrowser.dll
c:\program files\Nokia\Nokia PC Suite 6\PCSCM.dll
c:\program files\PC Connectivity Solution\ConnAPI.DLL
c:\program files\Nokia\Nokia PC Suite 6\Lang\PhoneBrowser_eng.nlr
c:\program files\Nokia\Nokia PC Suite 6\Resource\PhoneBrowser_Nokia.ngr
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\IVT Corporation\BlueSoleil\BTNtService.exe
c:\program files\Creative\Shared Files\CTDevSrv.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Eset\nod32krn.exe
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2010-01-16 12:24:14 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-16 11:23

Pre-Run: 24 993 783 808 bytes free
Post-Run: 19 directories, 25 004 404 736 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - 788BBE128A006953B29D3FA34CC3B46A

Thank you
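A triage helper for logs like the one above, added here as an example; it is not part of the original post and not ComboFix's own code. It parses the "Files Created" entries, scores each file on the heuristics a helper applies by eye (random-looking name, dropped into system32 or a service-account profile, created shortly before the scan, tiny size, a script extension in system32) and also pulls out the firewall, open-port and catchme "hidden files" lines. The sample input is a handful of lines copied from the log above; the scoring weights and the threshold are my own choices and will produce false positives (a terse legitimate driver name such as atksgt.sys scores as well), so the output is a review list, not a verdict.

```python
import os
import re
from datetime import datetime, timedelta

# Constructed sample input: lines copied from the ComboFix log above (file
# entries, firewall keys, the catchme summary), embedded so this runs offline.
# A real run would pass the whole ComboFix.txt to triage().
SAMPLE_LOG = r"""
ComboFix 10-01-15.05 - User 16.01.2010 11:57:17.1.1 - x86
2010-01-10 16:30 . 2010-01-10 16:30 118 ----a-w- c:\windows\system32\fjhdyfhsn.bat
2010-01-09 12:26 . 2010-01-09 12:26 165376 ----a-w- c:\windows\system32\drivers\atksgt.sys
2009-12-28 21:22 . 2005-05-26 14:34 2297552 ----a-w- c:\windows\system32\d3dx9_26.dll
2009-12-28 21:15 . 2009-12-28 21:15 -------- d-----w- c:\program files\Ubisoft
2010-01-10 16:30 . 2010-01-10 16:30 16 ----a-w- c:\documents and settings\LocalService\Application Data\fvgqad.dat
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
hidden files: 2
"""

# "created . modified size attributes path", as ComboFix prints file entries
FILE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) +"
    r"(?P<size>\d+|-+) +(?P<attrs>\S+) +(?P<path>\S.*?)\s*$"
)
HEADER_RE = re.compile(r"^ComboFix \S+ - \S+ (\d{2})\.(\d{2})\.(\d{4}) ", re.M)
PORT_RE = re.compile(r'^"(\d+:(?:TCP|UDP))"=')
HIDDEN_RE = re.compile(r"^hidden files: (\d+)")

SYSTEM_DIR = "\\windows\\system32\\"
SERVICE_PROFILES = ("\\documents and settings\\localservice\\",
                    "\\documents and settings\\networkservice\\")
SCRIPT_EXTS = (".bat", ".cmd", ".vbs", ".js", ".scr")  # odd things to find in system32


def looks_random(stem: str) -> bool:
    """Crude 'keyboard mash' detector: almost no vowels, or a long consonant run."""
    letters = "".join(c for c in stem.lower() if c.isalpha())
    if len(letters) < 5:              # too short to judge (d3dx9_26, hal, ...)
        return False
    vowels = sum(c in "aeiou" for c in letters)
    longest_run = max(len(r) for r in re.findall(r"[^aeiou]+", letters))
    return vowels / len(letters) < 0.2 or longest_run >= 5


def score_file(created, size, path, scan_date, recent_days):
    """Additive heuristic (weights are assumptions); reasons returned for the reviewer."""
    p = path.lower()
    stem, ext = os.path.splitext(p.rsplit("\\", 1)[-1])
    reasons = []
    if looks_random(stem):
        reasons.append(("random-looking name", 2))
    if SYSTEM_DIR in p:
        reasons.append(("dropped in system32", 1))
    if any(s in p for s in SERVICE_PROFILES):
        reasons.append(("written under a service-account profile", 1))
    if scan_date - created <= timedelta(days=recent_days):
        reasons.append((f"created within {recent_days} days of the scan", 1))
    if size < 1024:
        reasons.append(("tiny file", 1))
    if SYSTEM_DIR in p and ext in SCRIPT_EXTS:
        reasons.append((f"script/screensaver ({ext}) in system32", 1))
    return sum(w for _, w in reasons), [r for r, _ in reasons]


def triage(log_text: str, recent_days: int = 7, threshold: int = 4) -> dict:
    entries, config = [], []
    for line in log_text.splitlines():
        line = line.strip()
        m = FILE_RE.match(line)
        if m:
            if m["attrs"].startswith("d") or not m["size"].isdigit():
                continue                                    # directories carry no size
            entries.append((datetime.strptime(m["created"], "%Y-%m-%d %H:%M"),
                            int(m["size"]), m["path"]))
        elif line.startswith('"EnableFirewall"=') and line.split("=", 1)[1].strip().startswith("0"):
            config.append("Windows Firewall disabled (EnableFirewall = 0)")
        elif PORT_RE.match(line):
            config.append(f"firewall exception opens {PORT_RE.match(line).group(1)} to the network")
        elif HIDDEN_RE.match(line) and int(HIDDEN_RE.match(line).group(1)) > 0:
            config.append(f"catchme reports {HIDDEN_RE.match(line).group(1)} hidden file(s)")
    hm = HEADER_RE.search(log_text)           # scan date from the ComboFix header
    scan_date = (datetime(int(hm[3]), int(hm[2]), int(hm[1])) if hm
                 else max((e[0] for e in entries), default=datetime.now()))
    flagged = []
    for created, size, path in entries:
        score, reasons = score_file(created, size, path, scan_date, recent_days)
        if score >= threshold:
            flagged.append({"path": path, "score": score, "reasons": reasons})
    flagged.sort(key=lambda f: f["score"], reverse=True)
    return {"scan_date": scan_date, "files": flagged, "config": config}


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    print("scan date:", report["scan_date"].date())
    for f in report["files"]:
        print(f"[{f['score']}] {f['path']}  <- {', '.join(f['reasons'])}")
    for c in report["config"]:
        print("config:", c)
```

Run stand-alone it lists the two files Rudy picked for Collect:: at the top of the review list with the reasons, followed by the disabled firewall, the 3389/TCP exception and the two hidden files catchme found. Everything here is offline string processing; it reads nothing from the disk or registry, which is deliberate for a tool you would run on a log copied off a suspect machine.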

Re: PC infected with siszyd32.exe, please, how do I remove it?

Posted: 16 Jan 2010 12:42
by Rudy
Open Notepad and copy the following into it:
Collect::
c:\windows\system32\fjhdyfhsn.bat
c:\documents and settings\LocalService\Application Data\fvgqad.dat

MBR::
Save it to the desktop as CFScript.txt. Then drag it with the mouse onto the ComboFix icon and drop it. CF will start and execute the commands from the script.


Re: PC infected with siszyd32.exe, please, how do I remove it?

Posted: 16 Jan 2010 13:18
by deziderdezo
Resulting ComboFix log after pasting in the quoted script:

ComboFix 10-01-15.05 - User 16.01.2010 12:59:07.2.1 - x86
System: Microsoft Windows XP Home Edition 5.1.2600.3.1250.421.1033.18.511.259 [GMT 1:00]
Running from: c:\documents and settings\User\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\User\Desktop\CFScript.txt
AV: Eset NOD32 Antivirus 2.70 *On-access scanning enabled* (Outdated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
* Resident AV is active


file zipped: c:\documents and settings\LocalService\Application Data\fvgqad.dat
file zipped: c:\windows\system32\fjhdyfhsn.bat
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\LocalService\Application Data\fvgqad.dat
C:\Thumbs.db
c:\windows\system32\fjhdyfhsn.bat

.
((((((((((((((((((((((((( Files Created from 2009-12-16 to 2010-01-16 )))))))))))))))))))))))))))))))
.

2010-01-09 12:26 . 2010-01-09 12:26 165376 ----a-w- c:\windows\system32\drivers\atksgt.sys
2010-01-09 12:25 . 2010-01-09 12:25 18048 ----a-w- c:\windows\system32\drivers\lirsgt.sys
2010-01-02 16:23 . 2010-01-02 16:23 6868368 ----a-w- c:\documents and settings\User\Application Data\ESTsoft\ALUpdate\ALZIP\newfile\TEMP\ALZip.exe
2009-12-28 21:24 . 2009-12-28 21:24 98304 ----a-w- c:\windows\system32\CmdLineExt.dll
2009-12-28 21:22 . 2005-05-26 14:34 2297552 ----a-w- c:\windows\system32\d3dx9_26.dll
2009-12-28 21:15 . 2009-12-28 21:15 -------- d-----w- c:\program files\Ubisoft
2009-12-28 21:07 . 2009-12-28 21:13 -------- d-----w- c:\documents and settings\User\Application Data\DAEMON Tools Lite
2009-12-28 21:06 . 2009-12-28 21:07 -------- d-----w- c:\documents and settings\All Users\Application Data\DAEMON Tools Lite

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-15 18:44 . 2006-08-20 07:32 -------- d-----w- c:\documents and settings\User\Application Data\uTorrent
2010-01-14 09:34 . 2008-03-08 00:16 -------- d-----w- c:\program files\Opera
2010-01-14 09:24 . 2006-07-25 06:31 -------- d-----w- c:\program files\Common Files\Adobe
2010-01-12 21:48 . 2007-02-22 09:26 -------- d-----w- c:\program files\Java
2010-01-12 21:35 . 2007-09-17 07:37 -------- d-----w- c:\program files\eMule
2010-01-09 16:56 . 2007-03-08 10:53 -------- d-----w- c:\program files\Nobilis
2009-12-28 21:15 . 2006-07-24 15:51 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-12-28 21:08 . 2008-04-15 10:15 -------- d-----w- c:\program files\DAEMON Tools Lite
2009-12-28 21:07 . 2007-02-18 17:38 691696 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-12-28 04:19 . 2006-10-09 10:58 -------- d-----w- c:\program files\AstraScan Scanner
2009-12-28 04:18 . 2008-01-30 09:12 1926924 ----a-w- C:\sam.tmp
2009-12-05 12:13 . 2006-11-10 18:00 -------- d-----w- c:\documents and settings\User\Application Data\dvdcss
2009-12-05 08:59 . 2009-12-05 08:59 -------- d-----w- c:\program files\uTorrent
2009-10-30 13:32 . 2007-02-03 11:28 10 -c--a-w- c:\windows\popcinfo.dat
2007-05-20 14:46 . 2007-05-20 14:43 2100 ----a-w- c:\program files\voidmp3fm.ini
2006-10-06 09:39 . 2007-05-20 14:36 802816 ----a-w- c:\program files\voidMP3FM.exe
2006-09-23 17:59 . 2006-09-23 17:59 8282187 ----a-w- c:\program files\vlc-0.8.5-win32.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-10-14 1388544]
"nod32kui"="c:\program files\Eset\nod32kui.exe" [2007-03-19 949376]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 83608]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"PcSync"="c:\program files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2006-11-09 1634304]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BlueSoleil.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\BlueSoleil.lnk
backup=c:\windows\pss\BlueSoleil.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 08:50 155648 -c--a-w- c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
2006-11-08 12:27 222208 -c--a-w- c:\program files\Nokia\Nokia PC Suite 6\LaunchApplication.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoftAuto.exe]
2008-05-28 02:39 401408 ----a-w- c:\program files\Creative\Software Update 3\SoftAuto.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SsAAD.exe]
2006-01-07 01:36 81920 -c--a-w- c:\progra~1\Sony\SONICS~1\SSAAD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2008-03-07 12:06 185896 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\USB Storage Toolbox]
2005-09-14 19:44 65536 ----a-w- c:\program files\USB Disk Win98 Driver\Res.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
"c:\\Program Files\\uTorrent\\utorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [18.2.2007 18:38 691696]
R1 Angelnt;Angelnt;c:\windows\system32\drivers\ANGELNT.SYS [25.7.2006 16:47 52544]
R1 nod32drv;nod32drv;c:\windows\system32\drivers\nod32drv.sys [19.3.2007 4:51 15424]
S3 CTUPnPSv;Creative Centrale Media Server;c:\program files\Creative\Creative Centrale\CTUPnPSv.exe [21.5.2008 12:42 64000]
S3 SlowDownCPU;SlowDownCPU;\??\c:\windows\INF\MSI\SlowDownCPU\NTGLM7X.sys --> c:\windows\INF\MSI\SlowDownCPU\NTGLM7X.sys [?]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.daemon-search.com/startpage
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to AMV Convert Tool... - c:\program files\MP3 Player Utilities 3.80\AMVConverter\grab.html
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: E&xportovať do programu Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: MediaManager tool grab multimedia file - c:\program files\MP3 Player Utilities 3.80\MediaManager\grab.html
LSP: c:\windows\system32\imon.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-16 13:07
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys spls.sys >>UNKNOWN [0x82F90938]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf8668f28
\Driver\ACPI -> ACPI.sys @ 0xf83f0cb8
\Driver\atapi -> atapi.sys @ 0xf83abb40
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x80579022
ParseProcedure -> ntkrnlpa.exe @ 0x80577c84
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x80579022
ParseProcedure -> ntkrnlpa.exe @ 0x80577c84
NDIS: Realtek RTL8169/8110 Family Gigabit Ethernet NIC -> SendCompleteHandler -> NDIS.sys @ 0xf82a1bb0
PacketIndicateHandler -> NDIS.sys @ 0xf82aea21
SendHandler -> NDIS.sys @ 0xf828c87b
user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(712)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(768)
c:\windows\system32\imon.dll
c:\program files\Eset\pr_imon.dll

- - - - - - - > 'explorer.exe'(2328)
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Nokia\Nokia PC Suite 6\PhoneBrowser.dll
c:\program files\Nokia\Nokia PC Suite 6\PCSCM.dll
c:\program files\PC Connectivity Solution\ConnAPI.DLL
c:\program files\Nokia\Nokia PC Suite 6\Lang\PhoneBrowser_eng.nlr
c:\program files\Nokia\Nokia PC Suite 6\Resource\PhoneBrowser_Nokia.ngr
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\IVT Corporation\BlueSoleil\BTNtService.exe
c:\program files\Creative\Shared Files\CTDevSrv.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Eset\nod32krn.exe
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-01-16 13:11:19 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-16 12:11
ComboFix2.txt 2010-01-16 11:24

Pre-Run: 25 512 923 136 bytes free
Post-Run: 19 directories, 25 480 351 744 bytes free

- - End Of File - - DB2B5B08B8C66A8C09F1F5B177641AB8

Re: PC infected with siszyd32.exe, please, how do I remove it?

Posted: 16 Jan 2010 13:22
by Rudy
Also make a log with MBR: http://www2.gmer.net/mbr/mbr.exe and paste it here.

Re: PC infected with siszyd32.exe, please, how do I remove it?

Posted: 16 Jan 2010 13:25
by deziderdezo
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK

Re: PC infected with siszyd32.exe, please, how do I remove it?

Posted: 16 Jan 2010 14:09
by deziderdezo
It looks like everything is OK.
Many thanks for the help. Not for the first time.
I wish you much success.

Re: PC infected with siszyd32.exe, please, how do I remove it?

Posted: 16 Jan 2010 18:26
by Rudy
Everything looks clean. You're welcome!