ComboFix 08-08-21.02 - AMD 2008-08-22 21:35:17.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1250.1.1033.18.235 [GMT 2:00]
Running from: C:\Documents and Settings\AMD.AMD-C1F6EBFE7E7\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\AMD.AMD-C1F6EBFE7E7\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\AMD.AMD-C1F6EBFE7E7\Application Data\FunWebProducts
C:\Documents and Settings\AMD.AMD-C1F6EBFE7E7\Application Data\FunWebProducts\Data\AMD\avatar.dat
C:\Documents and Settings\AMD.AMD-C1F6EBFE7E7\Favorites\Download programs.url
C:\Documents and Settings\AMD.AMD-C1F6EBFE7E7\Favorites\Games.url
C:\Documents and Settings\AMD.AMD-C1F6EBFE7E7\Favorites\Translator.url
C:\Documents and Settings\AMD.AMD-C1F6EBFE7E7\Favorites\Videos.url
C:\Documents and Settings\AMD.AMD-C1F6EBFE7E7\Start Menu\Programs\Translator.url
C:\WINDOWS\admintxt.txt
C:\WINDOWS\Downloaded Program Files\setup.inf
C:\WINDOWS\live.messenger.com
C:\WINDOWS\system32\cssrss.exe
C:\WINDOWS\system32\dPrass.dll
C:\WINDOWS\system32\lsasss.exe
C:\WINDOWS\system32\winlog.exe
C:\WINDOWS\system32\winlogins.exe
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_Windows_Interface_Service
-------\Legacy_Windows_Logon
-------\Legacy_windowsns2
-------\Legacy_winregfixer2
-------\Service_Windows Interface Service
-------\Service_Windows Logon
-------\Service_windowsns2
-------\Service_winregfixer2
.
((((((((((((((((((((((((( Files Created from 2008-07-22 to 2008-08-22 )))))))))))))))))))))))))))))))
.
2080-05-30 14:13 . 2080-05-30 14:13 d-------- C:\Program Files\Alwil Software
2080-05-30 14:08 . 2080-05-30 14:08 d-------- C:\Program Files\uTorrent
2080-05-30 14:08 . 2008-06-18 23:09 d-------- C:\Documents and Settings\AMD.AMD-C1F6EBFE7E7\Application Data\uTorrent
2080-05-24 11:07 . 2004-08-03 23:08 25,600 --a------ C:\WINDOWS\system32\drivers\usbser.sys
2080-05-24 11:06 . 2080-05-24 11:06 0 --ah----- C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2080-05-24 11:06 . 2080-05-24 11:06 0 --ah----- C:\WINDOWS\system32\drivers\Msft_Kernel_ccdcmb_01005.Wdf
2080-05-24 10:53 . 2080-05-24 10:53 d-------- C:\Program Files\MSXML 6.0
2080-05-05 17:17 . 2080-05-05 17:17 d-------- C:\WINDOWS\solcache
2080-05-05 17:17 . 2080-05-05 17:17 d-------- C:\WINDOWS\Favorites
2080-05-05 17:16 . 2080-05-05 17:17 d-------- C:\Program Files\Sierra On-Line
2080-05-05 17:16 . 1998-03-05 10:25 1,022,976 --a------ C:\WINDOWS\system32\SierraNW.dll
2080-05-05 17:16 . 1998-03-05 10:34 231,936 --a------ C:\WINDOWS\system32\SNWValid.dll
2080-05-05 17:16 . 2080-05-05 17:16 287 --a------ C:\WINDOWS\SIERRA.INI
2080-04-23 17:33 . 2080-04-23 17:33 d--hs---- C:\WINDOWS\ftpcache
2080-04-21 22:58 . 2080-04-21 22:58 d-------- C:\Program Files\PC Connectivity Solution
2080-04-21 22:58 . 2007-09-17 15:53 21,632 --a------ C:\WINDOWS\system32\drivers\pccsmcfd.sys
2008-08-22 19:27 . 2008-08-22 19:27 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-22 19:27 . 2008-08-22 19:27 d-------- C:\Documents and Settings\AMD.AMD-C1F6EBFE7E7\Application Data\Malwarebytes
2008-08-22 19:27 . 2008-08-22 19:27 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Malwarebytes
2008-08-22 19:27 . 2008-08-17 15:01 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-22 19:27 . 2008-08-17 15:01 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-08-22 13:59 . 2008-08-22 14:00 28,672 --a------ C:\WINDOWS\system32\pstart.exe.New
2008-08-22 13:58 . 2008-08-22 13:59 61,440 --a------ C:\WINDOWS\system32\otherT1.exe.New
2008-08-22 13:57 . 2008-08-22 13:58 206,848 --a------ C:\WINDOWS\system32\RDpak.exe.New
2008-08-22 13:56 . 2008-08-15 03:09 1,213,101 --a------ C:\WINDOWS\system32\inspspfiles9.exe
2008-08-17 13:31 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-08-17 13:30 . 2008-08-17 13:31 d-------- C:\Program Files\Java
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2080-06-13 12:56 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\WLInstaller
2080-06-02 15:10 --------- d-----w C:\Program Files\Windows Live Toolbar
2080-06-02 15:07 --------- d--h--w C:\Program Files\InstallShield Installation Information
2080-05-30 13:20 --------- d-----w C:\Documents and Settings\Gal\Application Data\Windows Desktop Search
2080-05-24 09:32 --------- d-----w C:\Documents and Settings\AMD.AMD-C1F6EBFE7E7\Application Data\Nokia
2008-08-22 17:16 --------- d-----w C:\Program Files\Multi_Media
2006-07-08 16:14 183,830 --sh--r C:\WINDOWS\winudp.exe
.
------- Sigcheck -------
2006-04-20 14:18 360576 b2220c618b42a2212a59d91ebd6fc4b4 C:\WINDOWS\$hf_mig$\KB917953\SP2QFE\tcpip.sys
2007-10-30 18:53 360832 64798ecfa43d78c7178375fcdd16d8c8 C:\WINDOWS\$hf_mig$\KB941644\SP2QFE\tcpip.sys
2004-08-04 00:14 359040 9f4b36614a0fc234525ba224957de55c C:\WINDOWS\$NtUninstallKB917953$\tcpip.sys
2006-04-20 13:51 359808 1dbf125862891817f374f407626967f4 C:\WINDOWS\$NtUninstallKB941644$\tcpip.sys
2006-08-07 23:37 360064 e5a5bd94feba349e9dd0d5d90268bdf1 C:\WINDOWS\system32\dllcache\TCPIP.SYS
2006-08-07 23:37 360064 e5a5bd94feba349e9dd0d5d90268bdf1 C:\WINDOWS\system32\drivers\TCPIP.SYS
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-10-23 23:18 443968]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-11-25 22:10 335872]
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="C:\Program Files\Google\Gmail Notifier\gnotify.exe" [2005-07-15 23:48 479232]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 11:44 81920]
"BigDogPath"="C:\WINDOWS\VM_STI.EXE" [2004-06-09 16:37 40960]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 01:56 15360]
C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Windows Desktop Search.lnk - C:\Program Files\Windows Desktop Search\WindowsSearch.exe [2007-02-05 16:40:46 118784]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2007-02-05 16:39 294400]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll
[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=C:\WINDOWS\pss\Adobe Reader Synchronizer.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^AMD.AMD-C1F6EBFE7E7^Start Menu^Programs^Startup^Izrezovalnik zaslona in zaganjalnik za OneNote 2007.lnk]
path=C:\Documents and Settings\AMD.AMD-C1F6EBFE7E7\Start Menu\Programs\Startup\Izrezovalnik zaslona in zaganjalnik za OneNote 2007.lnk
backup=C:\WINDOWS\pss\Izrezovalnik zaslona in zaganjalnik za OneNote 2007.lnkStartup
[HKLM\~\startupfolder\C:^Documents and Settings^AMD.AMD-C1F6EBFE7E7^Start Menu^Programs^Startup^Microsoft Office Groove.lnk]
path=C:\Documents and Settings\AMD.AMD-C1F6EBFE7E7\Start Menu\Programs\Startup\Microsoft Office Groove.lnk
backup=C:\WINDOWS\pss\Microsoft Office Groove.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2007-05-11 14:06 40048 C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a------ 2007-09-20 16:35 202024 C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
--a------ 2005-11-09 00:00 128920 C:\Program Files\DAEMON Tools\daemon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
--a--c--- 2006-10-27 01:47 31016 C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
--a------ 2007-09-20 10:51 1836328 C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2007-03-01 16:57 153136 C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a------ 2007-10-10 07:28 36352 C:\Program Files\Winamp\winampa.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"D:\\eMule\\emule.exe"=
"C:\\Documents and Settings\\AMD.AMD-C1F6EBFE7E7\\My Documents\\GAL\\incredimail_install.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\WINDOWS\\system32\\winsspc.exe"=
"C:\\WINDOWS\\system32\\dlllhosts.exe"=
"%windir%\\\\system32\\\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\"=
"C:\\WINDOWS\\system32\\ctffmon.exe"=
"C:\\WINDOWS\\system32\\wincom.exe"=
"C:\\WINDOWS\\system32\\spolsvs.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1700:TCP"= 1700:TCP:MioNet Remote Drive Access
"1641:TCP"= 1641:TCP:MioNet Remote Drive Verification
R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-07-19 16:35]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-07-19 16:37]
R2 Minidriver;Minidriver;C:\WINDOWS\system32\ctffmon.exe [2006-05-26 06:35]
R2 NetLogonss;NetLogonss;C:\WINDOWS\system32\spolsvs.exe [2008-08-20 14:16]
R2 r_server;Network Provisioning Service (RPC);C:\WINDOWS\system32\dlllhosts.exe [2006-12-04 04:06]
R2 Wincach;Wincach;C:\WINDOWS\system32\wincom.exe [2007-11-02 05:04]
.
Contents of the 'Scheduled Tasks' folder
2008-08-22 C:\WINDOWS\Tasks\Norton Security Scan.job
- C:\Program Files\Norton Security Scan\Nss.exe []
.
- - - - ORPHANS REMOVED - - - -
HKLM-Run-zzz_ImInstaller_IncrediMail - C:\Documents and Settings\AMD.AMD-C1F6EBFE7E7\Local Settings\Temp\ImInstaller\IncrediMail\incredimail_install.exe
MSConfigStartUp-avgnt - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
MSConfigStartUp-Nokia - C:\Program Files\Nokia\Nokia PC Suite 6\PCSync2.exe
MSConfigStartUp-PC Suite Tray - C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe
MSConfigStartUp-MSN Messenger - live.messenger.com
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\AMD.AMD-C1F6EBFE7E7\Application Data\Mozilla\Firefox\Profiles\elyx4joi.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.si/webhp?client=firefox-a&rls=org.mozilla:sl:official&channel=s&hl=sl&cr=countrySI&btnG=Iskanje+Google
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-22 21:39:01
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\scardsvr.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\searchindexer.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\searchprotocolhost.exe
C:\WINDOWS\system32\searchfilterhost.exe
.
**************************************************************************
.
Completion time: 2008-08-22 21:41:26 - machine was rebooted [AMD]
ComboFix-quarantined-files.txt 2008-08-22 19:41:14
Pre-Run: 4,082,659,328 bytes free
Post-Run: 4,008,865,792 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
218 --- E O F --- 2008-06-20 21:58:58
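The entries that stand out in the log above are the lookalike names dropped into system32 (cssrss.exe, lsasss.exe, winlogins.exe, ctffmon.exe, spolsvs.exe, dlllhosts.exe, each one or two characters away from a real XP binary), the services registered to run them under plausible-sounding names, the Windows Firewall exception for an empty path ("C:\\WINDOWS\\system32\\"=), and the Security Center values that suppress antivirus and update warnings. The Python below is an added example, not ComboFix output and not part of the posted log; it triages a constructed sample made of lines copied from the log above. The list of legitimate binaries, the edit-distance threshold of 2 and the finding categories are the example's own choices.

```python
"""Triage a ComboFix-style log for masqueraded system32 names and weakened defences.
Added example; the sample lines are copied from the log above, not live input."""
import re
from typing import Dict, List, Optional

# Constructed sample: entries from the log above, plus benign ctfmon/sessmgr lines for contrast.
SAMPLE_LOG = r'''
C:\WINDOWS\system32\cssrss.exe
C:\WINDOWS\system32\lsasss.exe
C:\WINDOWS\system32\winlogins.exe
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56 15360]
R2 Minidriver;Minidriver;C:\WINDOWS\system32\ctffmon.exe [2006-05-26 06:35]
R2 NetLogonss;NetLogonss;C:\WINDOWS\system32\spolsvs.exe [2008-08-20 14:16]
R2 r_server;Network Provisioning Service (RPC);C:\WINDOWS\system32\dlllhosts.exe [2006-12-04 04:06]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\winsspc.exe"=
"C:\\WINDOWS\\system32\\"=
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
'''

# Legitimate Windows XP system32 executables whose names malware commonly imitates.
# This allow-list is the example's own; extend it for the build you are looking at.
KNOWN_SYSTEM_BINARIES = {
    "csrss.exe", "lsass.exe", "winlogon.exe", "ctfmon.exe", "spoolsv.exe",
    "dllhost.exe", "svchost.exe", "services.exe", "smss.exe", "explorer.exe",
    "sessmgr.exe", "scardsvr.exe", "wdfmgr.exe", "userinit.exe", "wscntfy.exe",
}

# One or more backslashes, because firewall entries in the log are written "C:\\WINDOWS\\system32\\x.exe".
SYS32_EXE = re.compile(r"system32\\+([A-Za-z0-9_\-.]+\.exe)", re.I)
EMPTY_FW_PATH = re.compile(r'^"[^"]*system32\\+"=\s*$', re.I)
SC_OVERRIDE = re.compile(
    r'"(AntiVirusOverride|FirewallOverride|AntiVirusDisableNotify|'
    r'FirewallDisableNotify|UpdatesDisableNotify)"=dword:0*1$', re.I)


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance (insert/delete/substitute, cost 1 each)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(name: str, max_distance: int = 2) -> Optional[str]:
    """Return the legitimate binary `name` imitates, or None if it is known or not close to any."""
    name = name.lower()
    if name in KNOWN_SYSTEM_BINARIES:
        return None
    nearest = min(KNOWN_SYSTEM_BINARIES, key=lambda k: levenshtein(name, k))
    return nearest if levenshtein(name, nearest) <= max_distance else None


def scan(log_text: str) -> Dict[str, List]:
    """Walk the log once and bucket suspicious entries by category."""
    findings: Dict[str, List] = {
        "lookalikes": [],                 # (found name, legitimate name it imitates)
        "unknown_system32_exes": [],      # system32 executables not on the allow-list
        "empty_firewall_paths": [],       # firewall exceptions whose path ends in a directory
        "security_center_overrides": [],  # Security Center values set to 1
    }
    seen = set()
    for raw in log_text.splitlines():
        line = raw.strip()
        for name in SYS32_EXE.findall(line):
            key = name.lower()
            if key in seen:
                continue
            seen.add(key)
            target = lookalike_of(key)
            if target:
                findings["lookalikes"].append((key, target))
            elif key not in KNOWN_SYSTEM_BINARIES:
                findings["unknown_system32_exes"].append(key)
        if EMPTY_FW_PATH.match(line):
            findings["empty_firewall_paths"].append(line)
        m = SC_OVERRIDE.match(line)
        if m:
            findings["security_center_overrides"].append(m.group(1))
    return findings


if __name__ == "__main__":
    for category, items in scan(SAMPLE_LOG).items():
        print(category)
        for item in items:
            print("   ", item)
```

Names that sit at distance 1 or 2 from a real binary but are not on the allow-list are the strongest signal; winsspc.exe is not close to anything and lands in the unknown bucket, which still deserves a look because it was also granted a firewall exception. Lower the threshold to 1 if the allow-list grows large enough that unrelated legitimate names start colliding.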