ComboFix 08-08-21.02 - AMD 2008-08-23 0:00:33.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1250.1.1033.18.202 [GMT 2:00]
Running from: C:\Documents and Settings\AMD.AMD-C1F6EBFE7E7\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\AMD.AMD-C1F6EBFE7E7\Desktop\CFScript.txt
 * Created a new restore point

FILE ::
C:\WINDOWS\system32\dlllhosts.exe
C:\WINDOWS\system32\inspspfiles9.exe
C:\WINDOWS\system32\otherT1.exe.New
C:\WINDOWS\system32\pstart.exe.New
C:\WINDOWS\system32\RDpak.exe.New
C:\WINDOWS\system32\spolsvs.exe
C:\WINDOWS\system32\wincom.exe
C:\WINDOWS\winudp.exe
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\AMD.AMD-C1F6EBFE7E7\Application Data\Mozilla\Firefox\Profiles\elyx4joi.default
C:\Documents and Settings\AMD.AMD-C1F6EBFE7E7\Application Data\Mozilla\Firefox\Profiles\elyx4joi.default\blocklist.xml
C:\Documents and Settings\AMD.AMD-C1F6EBFE7E7\Application Data\Mozilla\Firefox\Profiles\elyx4joi.default\bookmarkbackups\bookmarks-2008-08-22.html
C:\Documents and Settings\AMD.AMD-C1F6EBFE7E7\Application Data\Mozilla\Firefox\Profiles\elyx4joi.default\bookmarkbackups\bookmarks-2080-06-10.html
C:\Documents and Settings\AMD.AMD-C1F6EBFE7E7\Application Data\Mozilla\Firefox\Profiles\elyx4joi.default\bookmarkbackups\bookmarks-2080-06-11.html
C:\Documents and Settings\AMD.AMD-C1F6EBFE7E7\Application Data\Mozilla\Firefox\Profiles\elyx4joi.default\bookmarkbackups\bookmarks-2080-06-12.html
C:\Documents and Settings\AMD.AMD-C1F6EBFE7E7\Application Data\Mozilla\Firefox\Profiles\elyx4joi.default\bookmarkbackups\bookmarks-2080-06-13.html
C:\Documents and Settings\AMD.AMD-C1F6EBFE7E7\Application Data\Mozilla\Firefox\Profiles\elyx4joi.default\bookmarks.bak
C:\Documents and Settings\AMD.AMD-C1F6EBFE7E7\Application Data\Mozilla\Firefox\Profiles\elyx4joi.default\bookmarks.html
C:\Documents and Settings\AMD.AMD-C1F6EBFE7E7\Application Data\Mozilla\Firefox\Profiles\elyx4joi.default\cert8.db
C:\Documents and Settings\AMD.AMD-C1F6EBFE7E7\Application Data\Mozilla\Firefox\Profiles\elyx4joi.default\chrome\userChrome-example.css
C:\Documents and Settings\AMD.AMD-C1F6EBFE7E7\Application Data\Mozilla\Firefox\Profiles\elyx4joi.default\chrome\userContent-example.css
C:\Documents and Settings\AMD.AMD-C1F6EBFE7E7\Application Data\Mozilla\Firefox\Profiles\elyx4joi.default\compatibility.ini
C:\Documents and Settings\AMD.AMD-C1F6EBFE7E7\Application Data\Mozilla\Firefox\Profiles\elyx4joi.default\compreg.dat
C:\Documents and Settings\AMD.AMD-C1F6EBFE7E7\Application Data\Mozilla\Firefox\Profiles\elyx4joi.default\cookies.txt
C:\Documents and Settings\AMD.AMD-C1F6EBFE7E7\Application Data\Mozilla\Firefox\Profiles\elyx4joi.default\downloads.rdf
C:\Documents and Settings\AMD.AMD-C1F6EBFE7E7\Application Data\Mozilla\Firefox\Profiles\elyx4joi.default\extensions.cache
C:\Documents and Settings\AMD.AMD-C1F6EBFE7E7\Application Data\Mozilla\Firefox\Profiles\elyx4joi.default\extensions.ini
C:\Documents and Settings\AMD.AMD-C1F6EBFE7E7\Application Data\Mozilla\Firefox\Profiles\elyx4joi.default\extensions.rdf
C:\Documents and Settings\AMD.AMD-C1F6EBFE7E7\Application Data\Mozilla\Firefox\Profiles\elyx4joi.default\extensions\sl@dictionaries.addons.mozilla.org\chrome.manifest
C:\Documents and Settings\AMD.AMD-C1F6EBFE7E7\Application Data\Mozilla\Firefox\Profiles\elyx4joi.default\extensions\sl@dictionaries.addons.mozilla.org\dictionaries\sl.aff
C:\Documents and Settings\AMD.AMD-C1F6EBFE7E7\Application Data\Mozilla\Firefox\Profiles\elyx4joi.default\extensions\sl@dictionaries.addons.mozilla.org\dictionaries\sl.dic
C:\Documents and Settings\AMD.AMD-C1F6EBFE7E7\Application Data\Mozilla\Firefox\Profiles\elyx4joi.default\extensions\sl@dictionaries.addons.mozilla.org\install.js
C:\Documents and Settings\AMD.AMD-C1F6EBFE7E7\Application Data\Mozilla\Firefox\Profiles\elyx4joi.default\extensions\sl@dictionaries.addons.mozilla.org\install.rdf
C:\Documents and Settings\AMD.AMD-C1F6EBFE7E7\Application Data\Mozilla\Firefox\Profiles\elyx4joi.default\formhistory.dat
C:\Documents and Settings\AMD.AMD-C1F6EBFE7E7\Application Data\Mozilla\Firefox\Profiles\elyx4joi.default\history.dat
C:\Documents and Settings\AMD.AMD-C1F6EBFE7E7\Application Data\Mozilla\Firefox\Profiles\elyx4joi.default\hostperm.1
C:\Documents and Settings\AMD.AMD-C1F6EBFE7E7\Application Data\Mozilla\Firefox\Profiles\elyx4joi.default\key3.db
C:\Documents and Settings\AMD.AMD-C1F6EBFE7E7\Application Data\Mozilla\Firefox\Profiles\elyx4joi.default\localstore-safe.rdf
C:\Documents and Settings\AMD.AMD-C1F6EBFE7E7\Application Data\Mozilla\Firefox\Profiles\elyx4joi.default\localstore.rdf
C:\Documents and Settings\AMD.AMD-C1F6EBFE7E7\Application Data\Mozilla\Firefox\Profiles\elyx4joi.default\mimeTypes.rdf
C:\Documents and Settings\AMD.AMD-C1F6EBFE7E7\Application Data\Mozilla\Firefox\Profiles\elyx4joi.default\prefs.js
C:\Documents and Settings\AMD.AMD-C1F6EBFE7E7\Application Data\Mozilla\Firefox\Profiles\elyx4joi.default\search.rdf
C:\Documents and Settings\AMD.AMD-C1F6EBFE7E7\Application Data\Mozilla\Firefox\Profiles\elyx4joi.default\search.sqlite
C:\Documents and Settings\AMD.AMD-C1F6EBFE7E7\Application Data\Mozilla\Firefox\Profiles\elyx4joi.default\secmod.db
C:\Documents and Settings\AMD.AMD-C1F6EBFE7E7\Application Data\Mozilla\Firefox\Profiles\elyx4joi.default\signons2.txt
C:\Documents and Settings\AMD.AMD-C1F6EBFE7E7\Application Data\Mozilla\Firefox\Profiles\elyx4joi.default\urlclassifier2.sqlite
C:\Documents and Settings\AMD.AMD-C1F6EBFE7E7\Application Data\Mozilla\Firefox\Profiles\elyx4joi.default\xpti.dat
C:\Program Files\Multi_Media
C:\Program Files\Multi_Media\INSTALL.LOG
C:\Program Files\Multi_Media\tbMul1.dll
C:\Program Files\Multi_Media\toolbar.cfg
C:\Program Files\Multi_Media\UNWISE.EXE
C:\WINDOWS\system32\dlllhosts.exe
C:\WINDOWS\system32\dPrass.dll
C:\WINDOWS\system32\inspspfiles9.exe
C:\WINDOWS\system32\otherT1.exe.New
C:\WINDOWS\system32\pstart.exe.New
C:\WINDOWS\system32\RDpak.exe.New
C:\WINDOWS\system32\spolsvs.exe
C:\WINDOWS\system32\wincom.exe
C:\WINDOWS\winudp.exe
.

(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NETLOGONSS
-------\Legacy_R_SERVER
-------\Legacy_WINCACH
-------\Service_NetLogonss
-------\Service_r_server
-------\Service_Wincach


(((((((((((((((((((((((((   Files Created from 2008-07-22 to 2008-08-22   )))))))))))))))))))))))))))))))
.

2080-05-30 14:13 . 2080-05-30 14:13	d--------	C:\Program Files\Alwil Software
2080-05-30 14:08 . 2080-05-30 14:08	d--------	C:\Program Files\uTorrent
2080-05-30 14:08 . 2008-06-18 23:09	d--------	C:\Documents and Settings\AMD.AMD-C1F6EBFE7E7\Application Data\uTorrent
2080-05-24 11:07 . 2004-08-03 23:08	25,600	--a------	C:\WINDOWS\system32\drivers\usbser.sys
2080-05-24 11:06 . 2080-05-24 11:06	0	--ah-----	C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2080-05-24 11:06 . 2080-05-24 11:06	0	--ah-----	C:\WINDOWS\system32\drivers\Msft_Kernel_ccdcmb_01005.Wdf
2080-05-24 10:53 . 2080-05-24 10:53	d--------	C:\Program Files\MSXML 6.0
2080-05-05 17:17 . 2080-05-05 17:17	d--------	C:\WINDOWS\solcache
2080-05-05 17:17 . 2080-05-05 17:17	d--------	C:\WINDOWS\Favorites
2080-05-05 17:16 . 2080-05-05 17:17	d--------	C:\Program Files\Sierra On-Line
2080-05-05 17:16 . 1998-03-05 10:25	1,022,976	--a------	C:\WINDOWS\system32\SierraNW.dll
2080-05-05 17:16 . 1998-03-05 10:34	231,936	--a------	C:\WINDOWS\system32\SNWValid.dll
2080-05-05 17:16 . 2080-05-05 17:16	287	--a------	C:\WINDOWS\SIERRA.INI
2080-04-23 17:33 . 2080-04-23 17:33	d--hs----	C:\WINDOWS\ftpcache
2080-04-21 22:58 . 2080-04-21 22:58	d--------	C:\Program Files\PC Connectivity Solution
2080-04-21 22:58 . 2007-09-17 15:53	21,632	--a------	C:\WINDOWS\system32\drivers\pccsmcfd.sys
2008-08-22 19:27 . 2008-08-22 19:27	d--------	C:\Program Files\Malwarebytes' Anti-Malware
2008-08-22 19:27 . 2008-08-22 19:27	d--------	C:\Documents and Settings\AMD.AMD-C1F6EBFE7E7\Application Data\Malwarebytes
2008-08-22 19:27 . 2008-08-22 19:27	d--------	C:\Documents and Settings\All Users.WINDOWS\Application Data\Malwarebytes
2008-08-22 19:27 . 2008-08-17 15:01	38,472	--a------	C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-22 19:27 . 2008-08-17 15:01	17,144	--a------	C:\WINDOWS\system32\drivers\mbam.sys
2008-08-17 13:31 . 2008-06-10 02:32	73,728	--a------	C:\WINDOWS\system32\javacpl.cpl
2008-08-17 13:30 . 2008-08-17 13:31	d--------	C:\Program Files\Java
.

((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.

2080-06-13 12:56	---------	d-----w	C:\Documents and Settings\All Users.WINDOWS\Application Data\WLInstaller
2080-06-02 15:10	---------	d-----w	C:\Program Files\Windows Live Toolbar
2080-06-02 15:07	---------	d--h--w	C:\Program Files\InstallShield Installation Information
2080-05-30 13:20	---------	d-----w	C:\Documents and Settings\Gal\Application Data\Windows Desktop Search
2080-05-24 09:32	---------	d-----w	C:\Documents and Settings\AMD.AMD-C1F6EBFE7E7\Application Data\Nokia
.

------- Sigcheck -------

2006-04-20 14:18	360576	b2220c618b42a2212a59d91ebd6fc4b4	C:\WINDOWS\$hf_mig$\KB917953\SP2QFE\tcpip.sys
2007-10-30 18:53	360832	64798ecfa43d78c7178375fcdd16d8c8	C:\WINDOWS\$hf_mig$\KB941644\SP2QFE\tcpip.sys
2004-08-04 00:14	359040	9f4b36614a0fc234525ba224957de55c	C:\WINDOWS\$NtUninstallKB917953$\tcpip.sys
2006-04-20 13:51	359808	1dbf125862891817f374f407626967f4	C:\WINDOWS\$NtUninstallKB941644$\tcpip.sys
2006-08-07 23:37	360064	e5a5bd94feba349e9dd0d5d90268bdf1	C:\WINDOWS\system32\dllcache\TCPIP.SYS
2006-08-07 23:37	360064	e5a5bd94feba349e9dd0d5d90268bdf1	C:\WINDOWS\system32\drivers\TCPIP.SYS
.

(((((((((((((((((((((((((((((   snapshot@2008-08-22_21.40.37.84   )))))))))))))))))))))))))))))))))))))))))
.

- 2008-08-22 19:24:40	2,075	----a-w	C:\WINDOWS\system32\pspvv.dll
+ 2008-08-22 22:00:01	2,075	----a-w	C:\WINDOWS\system32\pspvv.dll
+ 2008-08-22 22:03:40	16,384	----atw	C:\WINDOWS\Temp\Perflib_Perfdata_644.dat
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-10-23 23:18 443968]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-11-25 22:10 335872]
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="C:\Program Files\Google\Gmail Notifier\gnotify.exe" [2005-07-15 23:48 479232]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 11:44 81920]
"BigDogPath"="C:\WINDOWS\VM_STI.EXE" [2004-06-09 16:37 40960]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 01:56 15360]

C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Windows Desktop Search.lnk - C:\Program Files\Windows Desktop Search\WindowsSearch.exe [2007-02-05 16:40:46 118784]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2007-02-05 16:39 294400]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders	msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=C:\WINDOWS\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^AMD.AMD-C1F6EBFE7E7^Start Menu^Programs^Startup^Izrezovalnik zaslona in zaganjalnik za OneNote 2007.lnk]
path=C:\Documents and Settings\AMD.AMD-C1F6EBFE7E7\Start Menu\Programs\Startup\Izrezovalnik zaslona in zaganjalnik za OneNote 2007.lnk
backup=C:\WINDOWS\pss\Izrezovalnik zaslona in zaganjalnik za OneNote 2007.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^AMD.AMD-C1F6EBFE7E7^Start Menu^Programs^Startup^Microsoft Office Groove.lnk]
path=C:\Documents and Settings\AMD.AMD-C1F6EBFE7E7\Start Menu\Programs\Startup\Microsoft Office Groove.lnk
backup=C:\WINDOWS\pss\Microsoft Office Groove.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2007-05-11 14:06 40048 C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a------ 2007-09-20 16:35 202024 C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
--a------ 2005-11-09 00:00 128920 C:\Program Files\DAEMON Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
--a--c--- 2006-10-27 01:47 31016 C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
--a------ 2007-09-20 10:51 1836328 C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2007-03-01 16:57 153136 C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a------ 2007-10-10 07:28 36352 C:\Program Files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"D:\\eMule\\emule.exe"=
"C:\\Documents and Settings\\AMD.AMD-C1F6EBFE7E7\\My Documents\\GAL\\incredimail_install.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\WINDOWS\\system32\\winsspc.exe"=
"%windir%\\\\system32\\\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\"=
"C:\\WINDOWS\\system32\\ctffmon.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1700:TCP"= 1700:TCP:MioNet Remote Drive Access
"1641:TCP"= 1641:TCP:MioNet Remote Drive Verification

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-07-19 16:35]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-07-19 16:37]
R2 Minidriver;Minidriver;C:\WINDOWS\system32\ctffmon.exe [2006-05-26 06:35]
.
Contents of the 'Scheduled Tasks' folder

2008-08-22 C:\WINDOWS\Tasks\Norton Security Scan.job
- C:\Program Files\Norton Security Scan\Nss.exe []
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-23 00:04:19
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\scardsvr.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\searchindexer.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\searchprotocolhost.exe
C:\WINDOWS\system32\searchfilterhost.exe
.
**************************************************************************
.
Completion time: 2008-08-23 0:06:23 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-22 22:06:17
ComboFix2.txt 2008-08-22 19:41:28

Pre-Run: 3,978,383,360 bytes free
Post-Run: 3,968,176,128 prosto bajtov

239	--- E O F ---	2008-06-20 21:58:58