ComboFix 08-08-21.02 - AMD 2008-08-22 21:35:17.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1250.1.1033.18.235 [GMT 2:00]
Running from: C:\Documents and Settings\AMD.AMD-C1F6EBFE7E7\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\AMD.AMD-C1F6EBFE7E7\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
 * Created a new restore point
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\AMD.AMD-C1F6EBFE7E7\Application Data\FunWebProducts
C:\Documents and Settings\AMD.AMD-C1F6EBFE7E7\Application Data\FunWebProducts\Data\AMD\avatar.dat
C:\Documents and Settings\AMD.AMD-C1F6EBFE7E7\Favorites\Download programs.url
C:\Documents and Settings\AMD.AMD-C1F6EBFE7E7\Favorites\Games.url
C:\Documents and Settings\AMD.AMD-C1F6EBFE7E7\Favorites\Translator.url
C:\Documents and Settings\AMD.AMD-C1F6EBFE7E7\Favorites\Videos.url
C:\Documents and Settings\AMD.AMD-C1F6EBFE7E7\Start Menu\Programs\Translator.url
C:\WINDOWS\admintxt.txt
C:\WINDOWS\Downloaded Program Files\setup.inf
C:\WINDOWS\live.messenger.com
C:\WINDOWS\system32\cssrss.exe
C:\WINDOWS\system32\dPrass.dll
C:\WINDOWS\system32\lsasss.exe
C:\WINDOWS\system32\winlog.exe
C:\WINDOWS\system32\winlogins.exe
.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_Windows_Interface_Service
-------\Legacy_Windows_Logon
-------\Legacy_windowsns2
-------\Legacy_winregfixer2
-------\Service_Windows Interface Service
-------\Service_Windows Logon
-------\Service_windowsns2
-------\Service_winregfixer2

(((((((((((((((((((((((((   Files Created from 2008-07-22 to 2008-08-22   )))))))))))))))))))))))))))))))
.
2080-05-30 14:13 . 2080-05-30 14:13 d-------- C:\Program Files\Alwil Software
2080-05-30 14:08 . 2080-05-30 14:08 d-------- C:\Program Files\uTorrent
2080-05-30 14:08 . 2008-06-18 23:09 d-------- C:\Documents and Settings\AMD.AMD-C1F6EBFE7E7\Application Data\uTorrent
2080-05-24 11:07 . 2004-08-03 23:08 25,600 --a------ C:\WINDOWS\system32\drivers\usbser.sys
2080-05-24 11:06 . 2080-05-24 11:06 0 --ah----- C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2080-05-24 11:06 . 2080-05-24 11:06 0 --ah----- C:\WINDOWS\system32\drivers\Msft_Kernel_ccdcmb_01005.Wdf
2080-05-24 10:53 . 2080-05-24 10:53 d-------- C:\Program Files\MSXML 6.0
2080-05-05 17:17 . 2080-05-05 17:17 d-------- C:\WINDOWS\solcache
2080-05-05 17:17 . 2080-05-05 17:17 d-------- C:\WINDOWS\Favorites
2080-05-05 17:16 . 2080-05-05 17:17 d-------- C:\Program Files\Sierra On-Line
2080-05-05 17:16 . 1998-03-05 10:25 1,022,976 --a------ C:\WINDOWS\system32\SierraNW.dll
2080-05-05 17:16 . 1998-03-05 10:34 231,936 --a------ C:\WINDOWS\system32\SNWValid.dll
2080-05-05 17:16 . 2080-05-05 17:16 287 --a------ C:\WINDOWS\SIERRA.INI
2080-04-23 17:33 . 2080-04-23 17:33 d--hs---- C:\WINDOWS\ftpcache
2080-04-21 22:58 . 2080-04-21 22:58 d-------- C:\Program Files\PC Connectivity Solution
2080-04-21 22:58 . 2007-09-17 15:53 21,632 --a------ C:\WINDOWS\system32\drivers\pccsmcfd.sys
2008-08-22 19:27 . 2008-08-22 19:27 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-22 19:27 . 2008-08-22 19:27 d-------- C:\Documents and Settings\AMD.AMD-C1F6EBFE7E7\Application Data\Malwarebytes
2008-08-22 19:27 . 2008-08-22 19:27 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Malwarebytes
2008-08-22 19:27 . 2008-08-17 15:01 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-22 19:27 . 2008-08-17 15:01 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-08-22 13:59 . 2008-08-22 14:00 28,672 --a------ C:\WINDOWS\system32\pstart.exe.New
2008-08-22 13:58 . 2008-08-22 13:59 61,440 --a------ C:\WINDOWS\system32\otherT1.exe.New
2008-08-22 13:57 . 2008-08-22 13:58 206,848 --a------ C:\WINDOWS\system32\RDpak.exe.New
2008-08-22 13:56 . 2008-08-15 03:09 1,213,101 --a------ C:\WINDOWS\system32\inspspfiles9.exe
2008-08-17 13:31 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-08-17 13:30 . 2008-08-17 13:31 d-------- C:\Program Files\Java
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2080-06-13 12:56 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\WLInstaller
2080-06-02 15:10 --------- d-----w C:\Program Files\Windows Live Toolbar
2080-06-02 15:07 --------- d--h--w C:\Program Files\InstallShield Installation Information
2080-05-30 13:20 --------- d-----w C:\Documents and Settings\Gal\Application Data\Windows Desktop Search
2080-05-24 09:32 --------- d-----w C:\Documents and Settings\AMD.AMD-C1F6EBFE7E7\Application Data\Nokia
2008-08-22 17:16 --------- d-----w C:\Program Files\Multi_Media
2006-07-08 16:14 183,830 --sh--r C:\WINDOWS\winudp.exe
.
------- Sigcheck -------

2006-04-20 14:18 360576 b2220c618b42a2212a59d91ebd6fc4b4 C:\WINDOWS\$hf_mig$\KB917953\SP2QFE\tcpip.sys
2007-10-30 18:53 360832 64798ecfa43d78c7178375fcdd16d8c8 C:\WINDOWS\$hf_mig$\KB941644\SP2QFE\tcpip.sys
2004-08-04 00:14 359040 9f4b36614a0fc234525ba224957de55c C:\WINDOWS\$NtUninstallKB917953$\tcpip.sys
2006-04-20 13:51 359808 1dbf125862891817f374f407626967f4 C:\WINDOWS\$NtUninstallKB941644$\tcpip.sys
2006-08-07 23:37 360064 e5a5bd94feba349e9dd0d5d90268bdf1 C:\WINDOWS\system32\dllcache\TCPIP.SYS
2006-08-07 23:37 360064 e5a5bd94feba349e9dd0d5d90268bdf1 C:\WINDOWS\system32\drivers\TCPIP.SYS
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-10-23 23:18 443968]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-11-25 22:10 335872]
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="C:\Program Files\Google\Gmail Notifier\gnotify.exe" [2005-07-15 23:48 479232]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 11:44 81920]
"BigDogPath"="C:\WINDOWS\VM_STI.EXE" [2004-06-09 16:37 40960]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 01:56 15360]

C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Windows Desktop Search.lnk - C:\Program Files\Windows Desktop Search\WindowsSearch.exe [2007-02-05 16:40:46 118784]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2007-02-05 16:39 294400]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders	msapsspc.dllschannel.dlldigest.dllmsnsspc.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=C:\WINDOWS\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^AMD.AMD-C1F6EBFE7E7^Start Menu^Programs^Startup^Izrezovalnik zaslona in zaganjalnik za OneNote 2007.lnk]
path=C:\Documents and Settings\AMD.AMD-C1F6EBFE7E7\Start Menu\Programs\Startup\Izrezovalnik zaslona in zaganjalnik za OneNote 2007.lnk
backup=C:\WINDOWS\pss\Izrezovalnik zaslona in zaganjalnik za OneNote 2007.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^AMD.AMD-C1F6EBFE7E7^Start Menu^Programs^Startup^Microsoft Office Groove.lnk]
path=C:\Documents and Settings\AMD.AMD-C1F6EBFE7E7\Start Menu\Programs\Startup\Microsoft Office Groove.lnk
backup=C:\WINDOWS\pss\Microsoft Office Groove.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2007-05-11 14:06 40048 C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a------ 2007-09-20 16:35 202024 C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
--a------ 2005-11-09 00:00 128920 C:\Program Files\DAEMON Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
--a--c--- 2006-10-27 01:47 31016 C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
--a------ 2007-09-20 10:51 1836328 C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2007-03-01 16:57 153136 C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a------ 2007-10-10 07:28 36352 C:\Program Files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"D:\\eMule\\emule.exe"=
"C:\\Documents and Settings\\AMD.AMD-C1F6EBFE7E7\\My Documents\\GAL\\incredimail_install.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\WINDOWS\\system32\\winsspc.exe"=
"C:\\WINDOWS\\system32\\dlllhosts.exe"=
"%windir%\\\\system32\\\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\"=
"C:\\WINDOWS\\system32\\ctffmon.exe"=
"C:\\WINDOWS\\system32\\wincom.exe"=
"C:\\WINDOWS\\system32\\spolsvs.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1700:TCP"= 1700:TCP:MioNet Remote Drive Access
"1641:TCP"= 1641:TCP:MioNet Remote Drive Verification

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-07-19 16:35]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-07-19 16:37]
R2 Minidriver;Minidriver;C:\WINDOWS\system32\ctffmon.exe [2006-05-26 06:35]
R2 NetLogonss;NetLogonss;C:\WINDOWS\system32\spolsvs.exe [2008-08-20 14:16]
R2 r_server;Network Provisioning Service (RPC);C:\WINDOWS\system32\dlllhosts.exe [2006-12-04 04:06]
R2 Wincach;Wincach;C:\WINDOWS\system32\wincom.exe [2007-11-02 05:04]
.
Contents of the 'Scheduled Tasks' folder

2008-08-22 C:\WINDOWS\Tasks\Norton Security Scan.job
- C:\Program Files\Norton Security Scan\Nss.exe []
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-zzz_ImInstaller_IncrediMail - C:\Documents and Settings\AMD.AMD-C1F6EBFE7E7\Local Settings\Temp\ImInstaller\IncrediMail\incredimail_install.exe
MSConfigStartUp-avgnt - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
MSConfigStartUp-Nokia - C:\Program Files\Nokia\Nokia PC Suite 6\PCSync2.exe
MSConfigStartUp-PC Suite Tray - C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe
MSConfigStartUp-MSN Messenger - live.messenger.com

.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\AMD.AMD-C1F6EBFE7E7\Application Data\Mozilla\Firefox\Profiles\elyx4joi.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.si/webhp?client=firefox-a&rls=org.mozilla:sl:official&channel=s&hl=sl&cr=countrySI&btnG=Iskanje+Google
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-22 21:39:01
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\scardsvr.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\searchindexer.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\searchprotocolhost.exe
C:\WINDOWS\system32\searchfilterhost.exe
.
**************************************************************************
.
Completion time: 2008-08-22 21:41:26 - machine was rebooted [AMD]
ComboFix-quarantined-files.txt 2008-08-22 19:41:14

Pre-Run: 4,082,659,328 bytes free
Post-Run: 4,008,865,792 prosto bajtov

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

218 --- E O F --- 2008-06-20 21:58:58