ComboFix 08-08-21.02 - AMD 2008-08-23 0:45:53.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1250.1.1033.18.248 [GMT 2:00]
Running from: C:\Documents and Settings\AMD.AMD-C1F6EBFE7E7\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\AMD.AMD-C1F6EBFE7E7\Desktop\CFScript.txt
 * Created a new restore point
.
((((((((((((((((((((((((( Files Created from 2008-07-22 to 2008-08-22 )))))))))))))))))))))))))))))))
.
2080-05-30 14:13 . 2080-05-30 14:13 d-------- C:\Program Files\Alwil Software
2080-05-30 14:08 . 2080-05-30 14:08 d-------- C:\Program Files\uTorrent
2080-05-30 14:08 . 2008-06-18 23:09 d-------- C:\Documents and Settings\AMD.AMD-C1F6EBFE7E7\Application Data\uTorrent
2080-05-24 11:07 . 2004-08-03 23:08 25,600 --a------ C:\WINDOWS\system32\drivers\usbser.sys
2080-05-24 11:06 . 2080-05-24 11:06 0 --ah----- C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2080-05-24 11:06 . 2080-05-24 11:06 0 --ah----- C:\WINDOWS\system32\drivers\Msft_Kernel_ccdcmb_01005.Wdf
2080-05-24 10:53 . 2080-05-24 10:53 d-------- C:\Program Files\MSXML 6.0
2080-05-05 17:17 . 2080-05-05 17:17 d-------- C:\WINDOWS\solcache
2080-05-05 17:17 . 2080-05-05 17:17 d-------- C:\WINDOWS\Favorites
2080-05-05 17:16 . 2080-05-05 17:17 d-------- C:\Program Files\Sierra On-Line
2080-05-05 17:16 . 1998-03-05 10:25 1,022,976 --a------ C:\WINDOWS\system32\SierraNW.dll
2080-05-05 17:16 . 1998-03-05 10:34 231,936 --a------ C:\WINDOWS\system32\SNWValid.dll
2080-05-05 17:16 . 2080-05-05 17:16 287 --a------ C:\WINDOWS\SIERRA.INI
2080-04-23 17:33 . 2080-04-23 17:33 d--hs---- C:\WINDOWS\ftpcache
2080-04-21 22:58 . 2080-04-21 22:58 d-------- C:\Program Files\PC Connectivity Solution
2080-04-21 22:58 . 2007-09-17 15:53 21,632 --a------ C:\WINDOWS\system32\drivers\pccsmcfd.sys
2008-08-22 19:27 . 2008-08-22 19:27 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-22 19:27 . 2008-08-22 19:27 d-------- C:\Documents and Settings\AMD.AMD-C1F6EBFE7E7\Application Data\Malwarebytes
2008-08-22 19:27 . 2008-08-22 19:27 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Malwarebytes
2008-08-22 19:27 . 2008-08-17 15:01 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-22 19:27 . 2008-08-17 15:01 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-08-17 13:31 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-08-17 13:30 . 2008-08-17 13:31 d-------- C:\Program Files\Java
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2080-06-13 12:56 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\WLInstaller
2080-06-02 15:10 --------- d-----w C:\Program Files\Windows Live Toolbar
2080-06-02 15:07 --------- d--h--w C:\Program Files\InstallShield Installation Information
2080-05-30 13:20 --------- d-----w C:\Documents and Settings\Gal\Application Data\Windows Desktop Search
2080-05-24 09:32 --------- d-----w C:\Documents and Settings\AMD.AMD-C1F6EBFE7E7\Application Data\Nokia
2008-08-22 22:00 2,075 ----a-w C:\WINDOWS\system32\pspvv.dll
2008-08-22 11:59 40,960 ----a-w C:\WINDOWS\system32\winxa.exe
2008-08-22 11:57 57,344 ----a-w C:\WINDOWS\system32\ctfmons.exe
2008-08-22 11:57 126,976 ----a-w C:\WINDOWS\system32\packpk.exe
2008-08-22 11:56 321,536 ----a-w C:\WINDOWS\system32\Netcpak.exe
2008-08-22 11:56 1,263,616 ----a-w C:\WINDOWS\system32\psppak.exe
2008-08-15 01:06 3,739,648 ----a-w C:\WINDOWS\system32\winst.exe
2008-08-07 22:17 40,960 ----a-w C:\WINDOWS\system32\psps2.exe
2008-08-07 22:10 62,464 ----a-w C:\WINDOWS\system32\pspfire.exe
2008-08-06 17:23 28,672 ----a-w C:\WINDOWS\system32\insregpsp4.exe
.
------- Sigcheck -------
2006-04-20 14:18 360576 b2220c618b42a2212a59d91ebd6fc4b4 C:\WINDOWS\$hf_mig$\KB917953\SP2QFE\tcpip.sys
2007-10-30 18:53 360832 64798ecfa43d78c7178375fcdd16d8c8 C:\WINDOWS\$hf_mig$\KB941644\SP2QFE\tcpip.sys
2004-08-04 00:14 359040 9f4b36614a0fc234525ba224957de55c C:\WINDOWS\$NtUninstallKB917953$\tcpip.sys
2006-04-20 13:51 359808 1dbf125862891817f374f407626967f4 C:\WINDOWS\$NtUninstallKB941644$\tcpip.sys
2006-08-07 23:37 360064 e5a5bd94feba349e9dd0d5d90268bdf1 C:\WINDOWS\system32\dllcache\TCPIP.SYS
2006-08-07 23:37 360064 e5a5bd94feba349e9dd0d5d90268bdf1 C:\WINDOWS\system32\drivers\TCPIP.SYS
.
((((((((((((((((((((((((((((( snapshot@2008-08-22_21.40.37.84 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-08-22 22:15:54 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_630.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-10-23 23:18 443968]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-11-25 22:10 335872]
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="C:\Program Files\Google\Gmail Notifier\gnotify.exe" [2005-07-15 23:48 479232]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 11:44 81920]
"BigDogPath"="C:\WINDOWS\VM_STI.EXE" [2004-06-09 16:37 40960]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 01:56 15360]

C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Windows Desktop Search.lnk - C:\Program Files\Windows Desktop Search\WindowsSearch.exe [2007-02-05 16:40:46 118784]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2007-02-05 16:39 294400]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dllschannel.dlldigest.dllmsnsspc.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=C:\WINDOWS\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^AMD.AMD-C1F6EBFE7E7^Start Menu^Programs^Startup^Izrezovalnik zaslona in zaganjalnik za OneNote 2007.lnk]
path=C:\Documents and Settings\AMD.AMD-C1F6EBFE7E7\Start Menu\Programs\Startup\Izrezovalnik zaslona in zaganjalnik za OneNote 2007.lnk
backup=C:\WINDOWS\pss\Izrezovalnik zaslona in zaganjalnik za OneNote 2007.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^AMD.AMD-C1F6EBFE7E7^Start Menu^Programs^Startup^Microsoft Office Groove.lnk]
path=C:\Documents and Settings\AMD.AMD-C1F6EBFE7E7\Start Menu\Programs\Startup\Microsoft Office Groove.lnk
backup=C:\WINDOWS\pss\Microsoft Office Groove.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2007-05-11 14:06 40048 C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a------ 2007-09-20 16:35 202024 C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
--a------ 2005-11-09 00:00 128920 C:\Program Files\DAEMON Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
--a--c--- 2006-10-27 01:47 31016 C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
--a------ 2007-09-20 10:51 1836328 C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2007-03-01 16:57 153136 C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a------ 2007-10-10 07:28 36352 C:\Program Files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"D:\\eMule\\emule.exe"=
"C:\\Documents and Settings\\AMD.AMD-C1F6EBFE7E7\\My Documents\\GAL\\incredimail_install.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\WINDOWS\\system32\\winsspc.exe"=
"%windir%\\\\system32\\\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\"=
"C:\\WINDOWS\\system32\\ctffmon.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1700:TCP"= 1700:TCP:MioNet Remote Drive Access
"1641:TCP"= 1641:TCP:MioNet Remote Drive Verification

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-07-19 16:35]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-07-19 16:37]
R2 Minidriver;Minidriver;C:\WINDOWS\system32\ctffmon.exe [2006-05-26 06:35]

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder

2008-08-22 C:\WINDOWS\Tasks\Norton Security Scan.job
- C:\Program Files\Norton Security Scan\Nss.exe []
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-23 00:47:25
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\Ati2evxx.dll
.
Completion time: 2008-08-23 0:48:17
ComboFix-quarantined-files.txt 2008-08-22 22:48:08
ComboFix2.txt 2008-08-22 22:06:24
ComboFix3.txt 2008-08-22 19:41:28

Pre-Run: 3,907,870,720 bytes free
Post-Run: 3,910,017,024 prosto bajtov

159 --- E O F --- 2008-06-20 21:58:58