ComboFix 08-06-03.4 - User 2008-06-04 19:53:24.1 - NTFSx86 NETWORK
Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.257 [GMT 2:00]
Running from: C:\Documents and Settings\User\Pulpit\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED
.

((((((((((((((((((((((((( Files Created from 2008-05-04 to 2008-06-04 )))))))))))))))))))))))))))))))
.

2008-06-04 19:27 . 2008-06-04 19:27
2008-06-04 19:24 . 2008-06-04 19:39
2008-06-03 21:57 . 2008-06-03 21:57
2008-06-03 21:57 . 2008-06-03 21:57
2008-06-03 21:57 . 2008-06-03 21:57
2008-06-03 21:57 . 2008-06-03 21:57
2008-06-03 21:57 . 2008-06-03 21:57 124,167 --a------ C:\WINDOWS\system32\SYMEVNT.386
2008-06-03 21:57 . 2008-06-03 21:57 83,208 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2008-06-03 21:57 . 2008-06-03 21:57 73,624 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-06-03 17:49 . 2008-06-03 17:51
2008-06-03 17:49 . 2008-06-03 17:49
2008-06-03 00:07 . 2008-06-03 00:07
2008-06-02 17:53 . 2008-06-03 21:46
2008-05-25 23:16 . 2008-05-25 23:16
2008-05-14 16:56 . 2008-05-14 16:56
2008-05-11 23:57 . 2008-05-11 23:57
2008-05-11 23:57 . 2005-06-24 16:24 438,272 -ra------ C:\WINDOWS\system32\vp6vfw.dll
2008-05-11 23:57 . 2004-12-10 09:06 327,680 --a------ C:\WINDOWS\system32\vp6dec.ax
2008-05-10 16:25 . 2008-05-10 16:25
2008-05-05 14:22 . 2003-06-19 01:31 17,920 --a------ C:\WINDOWS\system32\mdimon.dll
2008-05-05 14:22 . 2008-05-05 14:22 421 --a------ C:\WINDOWS\ODBC.INI
2008-05-05 14:21 . 2008-05-05 14:21
2008-05-05 14:20 . 2008-05-05 14:21
2008-05-05 11:18 . 2008-05-05 11:18

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-03 19:57 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-06-03 19:51 --------- d-----w C:\Program Files\Gadu-Gadu
2008-06-03 19:21 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-02 01:51 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\Avira
2008-04-30 07:18 --------- d-----w C:\Program Files\Samsung
2008-04-30 06:55 --------- d-----w C:\Program Files\MobiRise 3GP Converter
2008-04-29 12:03 90,112 ----a-w C:\WINDOWS\DUMP49ca.tmp
2008-04-27 23:44 --------- d-----w C:\Documents and Settings\User\Dane aplikacji\Gadu-Gadu
2008-04-26 07:38 --------- d-----w C:\Program Files\D-Tools
2008-04-25 17:43 --------- d-----w C:\Program Files\Codemasters
2008-04-23 18:22 --------- d-----w C:\Program Files\ESET
2008-04-23 18:22 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\ESET
2008-04-23 18:19 --------- d-----w C:\Program Files\Winamp
2008-04-23 18:15 --------- d-----w C:\Program Files\IrfanView
2008-04-23 18:15 --------- d-----w C:\Program Files\Google
2008-04-23 18:14 --------- d-----w C:\Program Files\SubEdit-Player
2008-04-23 18:13 --------- d-----w C:\Program Files\MarBit
2008-04-23 18:11 --------- d-----w C:\Documents and Settings\User\Dane aplikacji\Winamp
2008-04-23 17:02 --------- d-----w C:\Program Files\SUYIN
2008-04-23 17:02 --------- d-----w C:\Program Files\ACER Crystal Eye webcam
2008-04-23 17:02 --------- d-----w C:\Documents and Settings\User\Dane aplikacji\InstallShield
2008-04-23 16:56 315,392 ----a-w C:\WINDOWS\HideWin.exe
2008-04-23 16:56 --------- d-----w C:\Program Files\Realtek
2008-04-23 16:38 --------- d-----w C:\Program Files\Theorica Divx Codecs
2008-04-23 16:35 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-04-23 16:15 277,784 ----a-w C:\WINDOWS\system32\drivers\iaStor.sys
.

------- Sigcheck -------

2007-05-10 17:11 2068096 a87ec7fc3c796046626fee113dfcaad9 C:\WINDOWS\system32\ntkrnlpa.exe
2007-05-10 17:11 2191104 c4738ec0df9ca4149ef16414dceec942 C:\WINDOWS\system32\ntoskrnl.exe
2007-05-10 21:55 1423872 a50dfe31981a01423d327fdd05bdf452 C:\WINDOWS\explorer.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:44 15360]
"Gadu-Gadu"="C:\Program Files\Gadu-Gadu\gg.exe" [2008-03-20 12:04 2127296]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2008-04-23 20:15 171448]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2007-06-27 16:38 141848]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2007-06-27 16:38 162328]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2007-06-27 16:38 137752]
"RTHDCPL"="RTHDCPL.EXE" [2007-05-10 18:08 16342528 C:\WINDOWS\RTHDCPL.exe]
"DAEMON Tools-1033"="C:\Program Files\D-Tools\daemon.exe" [2004-08-22 17:05 81920]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2008-04-01 20:49 36352]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-04-23 20:15 1838592]
"egui"="C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-03-13 16:48 1443072]
"UnlockerAssistant"="C:\Program Files\Unlocker\UnlockerAssistant.exe" [2008-05-02 06:15 15872]
"vptray"="C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe" [2003-04-26 01:18 90112]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 02:44 15360]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_2"="regsvr32 /s /n /i:U shell32" []
"nltide_3"="advpack.dll" [2007-05-10 16:39 124928 C:\WINDOWS\system32\advpack.dll]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 1 (0x1)
"DisableStatusMessages"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)
"NoSMMyPictures"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
"NoInstrumentation"= 1 (0x1)
"NoStartMenuMFUprogramsList"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoResolveSearch"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)
"NoSMMyPictures"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
"NoInstrumentation"= 1 (0x1)
"NoStartMenuMFUprogramsList"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoResolveSearch"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.I420"= C:\WINDOWS\system32\i263_32.drv
"vidc.DIV3"= DivXc32.dll
"vidc.DIV4"= DivXc32f.dll
"msacm.divxa32"= DivXa32.acm
"VIDC.HFYU"= huffyuv.dll
"vidc.ffds"= C:\Program Files\Theorica Divx Codecs\ffdshow.ax
"vidc.i263"= C:\WINDOWS\system32\i263_32.drv
"msacm.imc"= C:\WINDOWS\system32\imc32.acm

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\Network Diagnostic\xpnetdiag.exe"=
"%windir%\system32\sessmgr.exe"=
"C:\Program Files\Gadu-Gadu\gg.exe"=
"D:\DC++\DCPlusPlus.exe"=

R1 epfwtdir;epfwtdir;C:\WINDOWS\system32\DRIVERS\epfwtdir.sys [2008-03-13 16:52]
S3 USBSTOR;Sterownik magazynu masowego USB;C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-03 23:08]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - G:\Autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e862b6e8-139b-11dd-8bfc-001b3823d4c4}]
\Shell\AutoRun\command - F:\yltt8jpm.bat
\Shell\explore\Command - F:\yltt8jpm.bat
\Shell\open\Command - F:\yltt8jpm.bat

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-04 19:53:56
Windows 5.1.2600 Dodatek Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
- C:\WINDOWS\system32\NavLogon.dll
.
Completion time: 2008-06-04 19:54:26
ComboFix-quarantined-files.txt 2008-06-04 17:54:21

Pre-Run: 9,000,820,736 bajtów wolnych
Post-Run: 8,991,698,944 bajtów wolnych

154

SDFix log

SDFix: Version 1.187
Run by User on 2008-06-04 at 19:28

Microsoft Windows XP [Wersja 5.1.2600]
Running From: C:\SDFix

Checking Services :

Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting

Checking Files :

No Trojan Files Found

Folder C:\Program Files\XP Antivirus - Removed

Removing Temp Files

ADS Check :

Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-04 19:38:20
Windows 5.1.2600 Dodatek Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf40]
"khjeh"=hex:20,02,00,00,76,c6,f3,df,9f,9d,19,ef,d2,8c,13,18,bf,71,75,c9,51,...
"hj34z0"=hex:67,00,26,3b,7d,d1,05,6c,9d,3c,62,bd,c2,45,f5,48,82,40,b3,a3,71,...
"hj34z1"=hex:a6,00,26,3b,05,d1,05,6c,9c,3c,63,bd,c3,45,f5,48,82,40,b3,a3,b1,...
"hj34z2"=hex:a6,00,26,3b,05,d1,05,6c,9c,3c,63,bd,c3,45,f5,48,82,40,b3,a3,b1,...
"hj34z3"=hex:a6,00,26,3b,05,d1,05,6c,9c,3c,63,bd,c3,45,f5,48,82,40,b3,a3,b1,...
"hj34z4"=hex:a6,00,26,3b,05,d1,05,6c,9c,3c,63,bd,c3,45,f5,48,82,40,b3,a3,b1,...

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL"
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710
"LoadAppInit_DLLs"=dword:00000001

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

Remaining Services :

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"D:\Quake3\quake3.exe"="D:\Quake3\quake3.exe:*:Enabled:quake3"
"C:\Program Files\Gadu-Gadu\gg.exe"="C:\Program Files\Gadu-Gadu\gg.exe:*:Enabled:Gadu-Gadu - program glowny"
"C:\Program Files\DC++\DCPlusPlus.exe"="C:\Program Files\DC++\DCPlusPlus.exe:*:Enabled:DC++"
"D:\DC++\DCPlusPlus.exe"="D:\DC++\DCPlusPlus.exe:*:Enabled:DC++"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files :

Files with Hidden Attributes :

Finished!

On 04.06.2008, at 23:06, a post was added by juventinho: I'm asking for some response.