ComboFix 08-05-01.3 - xp 2008-05-07 17:55:10.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1250.1.1045.18.645 [GMT 2:00]
Running from: E:\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\autorun.inf
C:\Documents and Settings\xp\Menu Start\Programy\Autostart\ctfmon.exe
C:\Recycled\Recycled
C:\Recycled\Recycled\ctfmon.exe
C:\WINDOWS\mrofinu1001186.exe
.
((((((((((((((((((((((((( Files Created from 2008-04-07 to 2008-05-07 )))))))))))))))))))))))))))))))
.
2008-05-07 08:00 . 2008-05-07 08:00
2008-05-06 20:40 . 2008-05-06 20:40
2008-05-06 20:24 . 2008-05-06 19:50 211 --ahs---- C:\BOOT.BKK
2008-05-06 20:23 . 2008-05-06 20:23
2008-05-06 20:23 . 2008-05-07 12:04
2008-05-06 20:20 . 2008-05-07 07:58
2008-05-06 20:17 . 2008-05-07 17:12 63,804 --a------ C:\WINDOWS\system32\nvapps.xml
2008-05-06 20:16 . 2008-05-07 07:58
2008-05-06 20:16 . 2006-06-01 11:22 208,896 --a------ C:\WINDOWS\system32\nvudisp.exe
2008-05-06 20:16 . 2006-06-01 11:22 16,960 --a------ C:\WINDOWS\system32\nvdisp.nvu
2008-05-06 20:15 . 2004-05-02 10:47 23,040 -ra------ C:\WINDOWS\system32\drivers\GVCplDrv.sys
2008-05-06 20:14 . 2008-05-06 20:14 0 --a------ C:\WINDOWS\nsreg.dat
2008-05-06 20:11 . 2008-05-06 20:11 13,646 --a------ C:\WINDOWS\system32\wpa.bak
2008-05-06 20:09 . 2006-04-14 14:00 208,896 --------- C:\WINDOWS\system32\nvuide.exe
2008-05-06 20:09 . 2006-02-20 13:00 1,570 --------- C:\WINDOWS\system32\nvide.nvu
2008-05-06 20:08 . 2008-05-06 20:08
2008-05-06 20:08 . 2008-05-06 20:08 940,794 --a------ C:\WINDOWS\system32\LoopyMusic.wav
2008-05-06 20:08 . 2008-05-06 20:08 146,650 --a------ C:\WINDOWS\system32\BuzzingBee.wav
2008-05-06 20:06 . 2008-05-06 20:07
2008-05-06 20:06 . 2008-05-06 20:06
2008-05-06 20:05 . 2008-05-06 20:05
2008-05-06 20:05 . 2008-05-06 20:06
2008-05-06 20:05 . 2008-05-06 20:05
2008-05-06 20:05 . 2008-03-19 18:26 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
2008-05-06 20:05 . 2008-03-19 18:29 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll
2008-05-06 20:05 . 2005-03-09 15:53 43,008 --a------ C:\WINDOWS\system32\drivers\AmdK8.sys
2008-05-06 20:05 . 2004-11-18 10:42 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2008-05-06 20:04 . 2008-05-06 20:04
2008-05-06 20:01 . 2008-05-07 11:55
2008-05-06 20:01 . 2008-05-06 20:01
2008-05-06 20:01 . 2008-05-06 19:53
2008-05-06 20:01 . 2008-05-07 12:29
2008-05-06 20:01 . 2008-05-07 12:01
2008-05-06 20:01 . 2008-05-06 21:46
2008-05-06 20:01 . 2008-05-06 20:28
2008-05-06 20:01 . 2008-05-07 08:00
2008-05-06 20:01 . 2008-05-07 17:55 323,584 --ah----- C:\Documents and Settings\xp\ntuser.dat.LOG
2008-05-06 20:00 . 2008-05-06 20:00
2008-05-06 20:00 . 2008-05-07 17:55
2008-05-06 20:00 . 2008-05-06 20:00
2008-05-06 20:00 . 2008-05-06 20:00
2008-05-06 20:00 . 2008-05-06 20:00 8,192 --a------ C:\WINDOWS\REGLOCS.OLD
2008-05-06 20:00 . 2008-05-07 17:13 1,024 --ah----- C:\Documents and Settings\LocalService\ntuser.dat.LOG
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-06 17:57 --------- d-----w C:\Program Files\microsoft frontpage
2008-05-06 17:56 --------- d-----w C:\Program Files\Usługi online
.
------- Sigcheck -------
2006-03-02 14:00 1040896 680867971164a896f1222485180868bc C:\WINDOWS\explorer.exe
2006-03-02 14:00 1040896 7160d413cbda849ad26039a9ad370f1c C:\WINDOWS\system32\dllcache\explorer.exe
2006-03-02 14:00 22528 a8f147cd8289a0fab145b85f2b484c76 C:\WINDOWS\system32\ctfmon.exe
2006-03-02 14:00 22528 156292c357469f8acb2bae2a051e3ba8 C:\WINDOWS\system32\dllcache\ctfmon.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2006-03-02 14:00 22528]
"STYLEXP"="C:\Program Files\TGTSoft\StyleXP\StyleXP.exe" [2006-05-24 20:31 1372160]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SkyTel"="SkyTel.EXE" [2006-05-16 12:04 2879488 C:\WINDOWS\SkyTel.exe]
"RTHDCPL"="RTHDCPL.EXE" [2006-05-27 04:47 16208384 C:\WINDOWS\RTHDCPL.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-06-01 11:22 7618560]
"nwiz"="nwiz.exe" [2006-06-01 11:22 1519616 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-06-01 11:22 86016]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2006-03-02 14:00 22528]
C:\Documents and Settings\xp\Menu Start\Programy\Autostart\
MoorHunt.lnk - C:\Program Files\MoorHunt\MoorHunt.exe [2008-05-06 20:23:10 3575808]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe"=
*Newly Created Service* - CATCHME
.
**************************************************************************
catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-07 17:55:49
Windows 5.1.2600 Dodatek Service Pack 2 NTFS
detected NTDLL code modification:
ZwOpenFile
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-05-07 17:56:22
ComboFix-quarantined-files.txt 2008-05-07 15:56:14
Pre-Run: 11,006,279,680 bajtów wolnych
Post-Run: 11,030,454,272 bajtów wolnych