ComboFix 08-06-20.4 - Administrator 2008-06-25 14:30:51.2 - NTFSx86 NETWORK
Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.356 [GMT 2:00]
Running from: E:\Documents and Settings\Administrator\Pulpit\ComboFix.exe
Command switches used :: E:\Documents and Settings\Administrator\Pulpit\CFScript.txt
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
E:\WINDOWS\BMcfda54ca.xml
E:\WINDOWS\pskt.ini
E:\WINDOWS\system32\esutscwg.ini
E:\WINDOWS\system32\fccaYonO.dll
E:\WINDOWS\system32\OnoYaccf.ini
E:\WINDOWS\system32\OnoYaccf.ini2
.
((((((((((((((((((((((((( Files Created from 2008-05-25 to 2008-06-25 )))))))))))))))))))))))))))))))
.
2008-06-25 14:12 . 2008-06-25 14:12
2008-06-25 13:24 . 2008-06-25 13:24 81,920 --a------ E:\WINDOWS\system32\gwcstuse.dll
2008-06-25 13:23 . 2008-06-25 13:23 40,960 --a------ E:\WINDOWS\system32\escufvdo.dll
2008-06-25 13:22 . 2008-06-25 13:22 91,136 --a------ E:\WINDOWS\system32\vapsinvs.dll
2008-06-25 05:01 . 2008-06-25 05:01 81,920 --a------ E:\WINDOWS\system32\eusmbdsb.dll
2008-06-25 04:58 . 2008-06-25 04:58 91,136 --a------ E:\WINDOWS\system32\wuhffadu.dll
2008-06-24 18:21 . 2008-06-24 18:21
2008-06-24 17:58 . 2008-06-24 17:58
2008-06-24 17:55 . 2008-06-25 14:33
2008-06-24 17:55 . 2007-10-17 15:51
2008-06-24 17:55 . 2007-10-17 13:58
2008-06-24 17:55 . 2008-06-25 14:30
2008-06-24 17:55 . 2008-06-25 14:25
2008-06-24 17:55 . 2007-10-17 15:51
2008-06-24 17:55 . 2008-06-25 14:12
2008-06-24 17:55 . 2008-06-24 17:55
2008-06-24 16:50 . 2008-06-24 16:50
2008-06-24 16:50 . 2008-06-24 17:52 94,208 --a------ E:\WINDOWS\system32\pphc1opj0ep83.exe
2008-06-24 16:47 . 2008-06-24 16:47 109,056 --a------ E:\WINDOWS\system32\lkaje3ewrkj.exe
2008-06-24 16:47 . 2008-06-24 16:47 25,600 --a------ E:\WINDOWS\system32\vtuTjgGY.dll
2008-06-24 16:46 . 63,920 E:\WINDOWS\system32\drivers\59631364.sys
2008-06-24 16:43 . 2008-06-24 16:47 109,056 --a------ E:\WINDOWS\system32\lphc1opj0ep83.exe
2008-06-24 16:43 . 2008-06-24 18:02 90,838 --a------ E:\WINDOWS\system32\phc1opj0ep83.bmp
2008-06-24 16:43 . 2008-06-24 18:02 60,928 --a------ E:\WINDOWS\system32\blphc1opj0ep83.scr
2008-06-24 16:43 . 2008-06-24 16:43 45,056 --a------ E:\WINDOWS\system32\sndcom.dll
2008-06-24 16:43 . 2008-06-24 16:47 14,336 --a------ E:\WINDOWS\system32\ldskjf2w.exe
2008-06-24 16:42 . 63,920 E:\WINDOWS\system32\drivers\b05dc26d.sys
2008-06-24 16:41 . 2008-06-24 16:46 45,056 --a------ E:\WINDOWS\system32\bsndcom.dll
2008-06-11 15:30 . 2008-06-14 20:01 273,024 --------- E:\WINDOWS\system32\drivers\bthport.sys
2008-06-11 15:30 . 2008-06-14 20:01 273,024 -----c--- E:\WINDOWS\system32\dllcache\bthport.sys
2008-05-29 11:52 . 2008-05-29 11:52
2008-05-29 10:00 . 2008-05-29 10:00
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-24 19:14 --------- d-----w E:\Program Files\Share_Accelerator_MM
2008-06-24 19:14 --------- d-----w E:\Program Files\Google
2008-06-24 19:14 --------- d-----w E:\Program Files\free-downloads.net
2008-06-05 04:18 --------- d-----w E:\Program Files\RegClean
2008-06-05 04:18 --------- d-----w E:\Documents and Settings\Domeczek\Dane aplikacji\RegClean
2008-06-04 13:04 --------- d-----w E:\Documents and Settings\Domeczek\Dane aplikacji\gtk-2.0
2008-05-11 13:24 --------- d-----w E:\Program Files\Gadu-Gadu
2008-05-08 12:28 202,752 ----a-w E:\WINDOWS\system32\drivers\rmcast.sys
2008-05-04 14:35 --------- d-----w E:\Program Files\GIMP-2.0
.
((((((((((((((((((((((((((((( snapshot@2008-06-25_ 6.58.52,37 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-25 04:53:02 2,048 --s-a-w E:\WINDOWS\bootstat.dat
-
2008-06-25 12:35:20 2,048 --s-a-w E:\WINDOWS\bootstat.dat
-
2008-06-25 12:35:45 16,384 ----atw E:\WINDOWS\TEMP\Perflib_Perfdata_558.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{25CEE8EC-5730-41bc-8B58-22DDC8AB8C20}]
2007-10-04 22:06 1135968 --a------ E:\Program Files\Winamp Toolbar\winamptb.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{500DBD6E-6D95-4106-B9A2-DDDCCB2B30D1}]
2008-06-24 16:47 25600 --a------ E:\WINDOWS\system32\vtuTjgGY.dll
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{EBF2BA02-9094-4C5A-858B-BB198F3D8DE2}"= E:\Program Files\Winamp Toolbar\winamptb.dll [2007-10-04 22:06 1135968]
[HKEY_CLASSES_ROOT\clsid\{ebf2ba02-9094-4c5a-858b-bb198f3d8de2}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand.1]
[HKEY_CLASSES_ROOT\TypeLib\{538CD77C-BFDD-49b0-9562-77419CAB89D1}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BitComet"="D:\Program Files\BitComet\BitComet.exe" [2007-11-07 17:06 1881400]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="E:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-05-16 01:19 79224]
"447cf1de"="E:\WINDOWS\system32\gwcstuse.dll" [2008-06-25 13:24 81920]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="E:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 00:44 15360]
E:\Documents and Settings\All Users\Menu Start\Programy\Autostart\
InterVideo WinCinema Manager.lnk - D:\Common\Bin\WinCinemaMgr.exe [2008-01-07 21:28:24 278528]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableLockWorkstation"= 0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"WRP"= 0 (0x0)
"DisableChangePassword"= 0 (0x0)
"DisableLockWorkstation"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoLogoff"= 0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoLogoff"= 0 (0x0)
"NoViewOnDrive"= 0 (0x0)
"NoDesktopUpdate"= 0 (0x0)
"NoCloseDragDropBands"= 0 (0x0)
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{500DBD6E-6D95-4106-B9A2-DDDCCB2B30D1}"= E:\WINDOWS\system32\vtuTjgGY.dll [2008-06-24 16:47 25600]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtuTjgGY]
vtuTjgGY.dll 2008-06-24 16:47 25600 E:\WINDOWS\system32\vtuTjgGY.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe"=
"E:\Program Files\Gadu-Gadu\gg.exe"=
"D:\GRY\Medal Of Honor\MOHAA.exe"=
"E:\Program Files\The All-Seeing Eye\eye.exe"=
"D:\Program Files\BitComet\BitComet.exe"=
"C:\Gry\Call of Duty\CoDMP.exe"=
"C:\Gry\Call of Duty\CoDUOMP.exe"=
"C:\EMULE\emule.exe"=
"D:\Program Files\BitComet\plugin_emule\plugin_eMule.exe"=
"D:\Program Files\WinDVD.exe"=
"D:\GRY\Call Of Duty 2\CoD2MP_s.exe"=
"D:\GRY\Medal Of Honor\moh_spearhead.exe"=
"D:\GRY\Medal Of Honor\moh_Breakthrough.exe"=
"E:\Program Files\Zapu\Zapu\wDivi.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"7464:TCP"= 7464:TCP:BitComet 7464 TCP(ED2K)
"7464:UDP"= 7464:UDP:BitComet 7464 UDP(ED2K)
"15119:TCP"= 15119:TCP:BitComet 15119 TCP
"15119:UDP"= 15119:UDP:BitComet 15119 UDP
"9821:TCP"= 9821:TCP:BitComet 9821 TCP
"9821:UDP"= 9821:UDP:BitComet 9821 UDP
"20417:TCP"= 20417:TCP:BitComet 20417 TCP(ED2K)
"20417:UDP"= 20417:UDP:BitComet 20417 UDP(ED2K)
R0 AFPAnsi;G-DATA Hidder Ansi;E:\WINDOWS\system32\Drivers\AFPAnsi.sys [2002-10-09 16:53]
R1 aswSP;avast! Self Protection;E:\WINDOWS\system32\drivers\aswSP.sys [2008-05-16 01:20]
R1 GLogin;GLogin;E:\WINDOWS\system32\drivers\GLogin.sys [2007-06-14 15:14]
R2 aswFsBlk;aswFsBlk;E:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-05-16 01:16]
S3 FGUARD32;FGUARD32;E:\Program Files\Folder Guard 32-bit\FGUARD32.SYS [2008-01-05 01:00]
S3 usbscan;Sterownik skanera USB;E:\WINDOWS\system32\DRIVERS\usbscan.sys [2004-08-03 23:58]
S3 USBSTOR;Sterownik magazynu masowego USB;E:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-03 23:08]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8e8db9bd-7ee8-11dc-b8c2-000b6a65207c}]
\Shell\AutoRun\command - E:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL copy.exe
.
Contents of the 'Scheduled Tasks' folder
"2008-06-25 01:30:04 E:\WINDOWS\Tasks\RegClean Scheduled Scan.job"
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-25 14:36:24
Windows 5.1.2600 Dodatek Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: E:\WINDOWS\explorer.exe
.
------------------------ Other Running Processes ------------------------
.
E:\WINDOWS\system32\ati2evxx.exe
E:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
E:\Program Files\Alwil Software\Avast4\ashServ.exe
E:\WINDOWS\system32\ati2evxx.exe
E:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
E:\WINDOWS\system32\PnkBstrA.exe
E:\WINDOWS\system32\PnkBstrB.exe
E:\Program Files\Alwil Software\Avast4\ashWebSv.exe
E:\WINDOWS\system32\rundll32.exe
E:\WINDOWS\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2008-06-25 14:39:58 - machine was rebooted [Domeczek]
ComboFix-quarantined-files.txt 2008-06-25 12:39:50
ComboFix2.txt 2008-06-25 04:59:44
Pre-Run: 1,839,411,200 bajtów wolnych
Post-Run: 1,290,498,048 bajtów wolnych
186 --- E O F --- 2008-06-20 09:19:00
On 25.06.2008, at 14:51, a post was added by PaticPL
It told me something about a Rootkin parasite