"Jar3k" - 2007-05-18  8:16:49  Dodatek Service Pack 2
ComboFix 07-05.17.6.V - Running from: "D:\Program Files\Mozilla Firefox"


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\services.exe
C:\Program Files\video access activex object


((((((((((((((((((((((((((((((( Files Created from 2007-04-05 to 2007-05-18 ))))))))))))))))))))))))))))))))))


2007-05-12 12:23	99,904	--a------	C:\WINDOWS\system32\PnkBstrB.exe
2007-05-12 12:22	63,040	--a------	C:\WINDOWS\system32\PnkBstrA.exe
2007-05-11 08:44
2007-05-08 16:49
2007-05-08 16:48


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-05-17 20:19:46	4,622	----a-w	C:\WINDOWS\mozver.dat
2007-05-08 13:09:38	--------	d-----w	C:\DOCUME~1\Jar3k\DANEAP~1\Azureus
2007-05-04 11:41:13	--------	d-----w	C:\DOCUME~1\Jar3k\DANEAP~1\Skype
2007-04-30 19:16:07	--------	d--h--w	C:\Program Files\InstallShield Installation Information
2007-04-30 15:46:10	745,600	----a-w	C:\WINDOWS\system32\aswBoot.exe
2007-04-30 15:41:55	85,952	----a-w	C:\WINDOWS\system32\drivers\aswmon.sys
2007-04-30 15:41:42	94,552	----a-w	C:\WINDOWS\system32\drivers\aswmon2.sys
2007-04-30 15:39:41	23,416	----a-w	C:\WINDOWS\system32\drivers\aswRdr.sys
2007-04-30 15:38:51	43,176	----a-w	C:\WINDOWS\system32\drivers\aswTdi.sys
2007-04-30 15:37:23	26,888	----a-w	C:\WINDOWS\system32\drivers\aavmker4.sys
2007-04-30 15:35:28	95,872	----a-w	C:\WINDOWS\system32\AVASTSS.scr
2007-04-29 07:49:06	98,304	----a-w	C:\WINDOWS\system32\CmdLineExt.dll
2007-04-15 09:14:15	--------	d-----w	C:\DOCUME~1\Jar3k\DANEAP~1\BinarySense
2007-04-13 19:15:23	--------	d-----w	C:\DOCUME~1\Jar3k\DANEAP~1\GanymedeNet
2007-04-10 10:12:16	4	----a-w	C:\WINDOWS\vx86036.dat
2007-04-09 15:46:49	43,520	----a-w	C:\WINDOWS\system32\CmdLineExt03.dll
2007-04-09 14:51:15	--------	d-----w	C:\Program Files\Common Files\ESRI
2007-04-09 14:51:03	249,856	------w	C:\WINDOWS\Setup1.exe
2007-04-09 14:51:02	73,216	----a-w	C:\WINDOWS\ST6UNST.EXE
2007-04-07 14:40:41	--------	d-----w	C:\Program Files\Common Files\SWF Studio
2007-04-04 17:28:45	--------	d-----w	C:\Program Files\MeMediaSetup
2007-04-01 11:43:23	36,734	-c--a-w	C:\WINDOWS\system32\OggDSuninst.exe
2007-04-01 11:41:07	--------	d-----w	C:\Program Files\Trymedia
2007-03-30 13:56:58	65,024	----a-w	C:\WINDOWS\IFinst26.exe
2007-03-28 09:43:28	28,880	----a-w	C:\WINDOWS\antyvirk.exe
2007-03-25 06:55:29	67,078	----a-w	C:\WINDOWS\system32\perfc015.dat
2007-03-25 06:55:29	435,978	----a-w	C:\WINDOWS\system32\perfh015.dat
2007-03-22 16:17:38	--------	d-----w	C:\Program Files\Windows Media Connect 2
2007-03-20 13:55:20	--------	d-----w	C:\DOCUME~1\Jar3k\DANEAP~1\Media Player Classic
2007-03-19 18:35:10	33,824	----a-w	C:\WINDOWS\system32\drivers\oreans32.sys
2007-03-19 18:35:05	--------	d-----w	C:\Program Files\Common Files\AVSMedia
2007-03-06 19:43:15	--------	d-----w	C:\Program Files\DaemonTools_WhenUSave_Installer
2007-02-24 02:55:40	175	----a-w	C:\WINDOWS\system32\Autoexnt.bat
2007-02-23 17:12:57	4,096	----a-w	C:\WINDOWS\d3dx.dat
2007-02-10 16:34:40	679,936	----a-w	C:\WINDOWS\system32\D3DX81AB.DLL


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=D:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll [2003-11-04 01:17]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll [2006-10-12 04:25]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 12:50]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-12-12 12:31]
"avast!"="D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-04-18 18:13]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:44]
"Gadu-Gadu"="D:\Program Files\Gadu-Gadu\gg.exe" [2006-10-10 17:51]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"SetVisualStyle"=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,52,65,73,6f,75,72,63,\
  65,73,5c,54,68,65,6d,65,73,5c,43,72,79,73,74,61,6c,20,43,6c,65,61,72,20,41,\
  65,72,6f,5c,43,72,79,73,74,61,6c,20,43,6c,65,61,72,20,41,65,72,6f,2e,6d,73,\
  73,74,79,6c,65,73,00

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoRemoteRecursiveEvents"=dword:00000001
"ClearRecentDocsOnExit"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ClearRecentDocsOnExit"=dword:00000001
"NoSaveSettings"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages	msv1_0
Security Packages	kerberos msv1_0 schannel wdigest
Notification Packages	scecli

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\trioService]
"D:\Program Files\3D-Relax\Living 3D Sharks Trial\trioService.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HTTPFilter	HTTPFilter
LocalService	Alerter WebClient LmHosts RemoteRegistry upnphost SSDPSRV
NetworkService	DnsCache
DcomLaunch	DcomLaunch TermService
rpcss	RpcSs
imgsvc	StiSvc
termsvcs	TermService
WudfServiceGroup	WUDFSvc

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{bdf7dbea-abe3-11db-b7fd-00508df5bff6}]
Shell\AutoRun\command
F:\vcd_play.exe

*newlycreated* - PROCEXP90


~ ~ ~ ~ ~ ~ ~ ~ Hijackthis Backups ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

backup-20070315-183220-666 O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
backup-20070315-183220-457 O17 - HKLM\System\CS4\Services\Tcpip\Parameters: NameServer = 85.255.114.55 85.255.112.21
backup-20070315-183220-677 O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 85.255.114.55 85.255.112.21
backup-20070315-183220-852 O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.55 85.255.112.21
backup-20070315-183220-166 O17 - HKLM\System\CCS\Services\Tcpip…{5D3AA090-93AD-41E5-A1D5-31F8D8331138}: NameServer = 85.255.114.55,85.255.112.21

********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-18 08:17:49
Windows 5.1.2600 Dodatek Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

********************************************************************

Completion time: 2007-05-18  8:18:14
C:\ComboFix-quarantined-files.txt ... 2007-05-18 08:18

--- E O F ---