//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////
Platform: Windows XP (build 2600, Service Pack 2)
Wed May 14 19:11:00 2008
19:11:00: Error: Invalid script. A valid script must begin with a command directive.
Aborting execution!
//////////////////////////////////////////
Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com
Platform: Windows XP
*******************
Script file opened successfully.
Script file read successfully.
Backups directory opened successfully at C:\Avenger
*******************
Beginning to process script file:
Error: file "C:\WINDOWS\system32\iycjpiar.exe" not found!
Deletion of file "C:\WINDOWS\system32\iycjpiar.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
File "C:\WINDOWS\system32\irpghjdl.exe" deleted successfully.
File "C:\WINDOWS\system32\rpnokefs.exe" deleted successfully.
File "C:\WINDOWS\system32\lypvtnyb.exe" deleted successfully.
File "C:\WINDOWS\system32\lnyrxeuf.exe" deleted successfully.
File "C:\WINDOWS\system32\gvgefljd.exe" deleted successfully.
Registry key "HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}" deleted successfully.
Registry key "HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\combofix" deleted successfully.
Registry key "HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Drmupgds" deleted successfully.
Registry key "HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Host Process" deleted successfully.
Completed script processing.
*******************
Finished! Terminate.
On 14.05.2008 at 19:24, a post was appended by apollo13
ComboFix 08-05-12.1 - Administrator 2008-05-14 19:18:02.6 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.45 [GMT 1:00]
Running from: C:\Documents and Settings\Administrator\Pulpit\ComboFix.exe
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED
.
((((((((((((((((((((((((( Files Created from 2008-04-14 to 2008-05-14 )))))))))))))))))))))))))))))))
.
2010-05-12 18:04 . 2010-05-12 18:05
2010-05-12 08:07 . 2007-07-04 15:27 1,056,768 --a------ C:\WINDOWS\system32\ROBOEX32.DLL
2009-05-12 20:24 . 2009-05-12 20:24 731,136 --a------ C:\avenger.exe
2009-05-12 18:59 . 2009-05-12 18:59
2009-04-17 17:58 . 2009-04-17 17:58
2009-03-19 21:32 . 2009-03-19 21:32
2008-05-13 21:56 . 2008-05-13 21:56 2,986,038 --a------ C:\screenz wynikiem testu.bmp
2008-05-13 20:43 . 2008-05-13 20:43
2008-05-13 20:24 . 2008-05-13 20:36
2008-05-13 20:24 . 2006-07-14 16:41 332,288 -----c--- C:\WINDOWS\system32\dllcache\netapi32.dll
2008-05-13 19:44 . 2008-05-14 19:14
2008-05-13 19:44 . 2008-05-13 19:44
2008-04-30 19:03 . 2008-04-30 19:46
2008-04-30 18:44 . 2008-04-30 18:44
2008-04-14 12:26 . 2008-04-14 12:29
2008-04-14 12:23 . 2008-04-14 12:23
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-12 17:04 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\MSN6
2010-05-12 12:58 --------- d-----w C:\Program Files\SkanerOnline
2009-05-12 17:59 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\Kaspersky Lab
2009-05-12 17:14 --------- d-----w C:\Program Files\Norton Security Scan
2009-04-17 18:38 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\nView_Profiles
2009-03-25 16:33 --------- d-----w C:\Program Files\SubEdit-Player
2008-05-14 18:13 --------- d---a-w C:\Documents and Settings\All Users\Dane aplikacji\TEMP
2008-05-14 18:11 --------- d-----w C:\Documents and Settings\Administrator\Dane aplikacji\uTorrent
2008-05-14 14:36 --------- d-----w C:\Documents and Settings\Administrator\Dane aplikacji\Skype
2008-05-14 10:59 --------- d-----w C:\Documents and Settings\Administrator\Dane aplikacji\skypePM
2008-05-13 18:44 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-05 19:50 32,256 ----a-w C:\WINDOWS\system32\NTSecurity.exe
2007-12-09 16:01 32 ----a-w C:\Documents and Settings\All Users\Dane aplikacji\ezsid.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:44 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-08-04 00:44 1667584]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"a-winpoet-service"="C:\Program Files\DialNet\winpppoverethernet.exe" [2007-07-06 07:40 405504]
"z-WrDialer"="C:\Program Files\DialNet\WrDialer.exe" [2007-07-11 16:11 561152]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 00:44 15360]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]
"Windows Printing Driver"= WinPrint.exe
"NT Security Service"= NTSecurity.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.YV12"= yv12vfw.dll
[HKLM~\startupfolder\C:^Documents and Settings^Administrator^Menu Start^Programy^Autostart^Tworzenie wycinków ekranu i uruchamianie programu OneNote 2007.lnk]
path=C:\Documents and Settings\Administrator\Menu Start\Programy\Autostart\Tworzenie wycinków ekranu i uruchamianie programu OneNote 2007.lnk
backup=C:\WINDOWS\pss\Tworzenie wycinków ekranu i uruchamianie programu OneNote 2007.lnkStartup
[HKLM~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup
--a------ 2007-07-04 15:27 110592 C:\PROGRA~1\DialNet\FPLICE~1.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
--a------ 2005-05-03 18:43 69632 C:\WINDOWS\Alcmtr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
--a------ 2004-08-04 00:44 15360 C:\WINDOWS\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
--a------ 2007-04-03 23:29 165784 C:\Program Files\DAEMON Tools\daemon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
--a------ 2006-10-27 00:47 31016 C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-08-04 00:44 1667584 C:\Program Files\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
C:\WINDOWS\system32\NvCpl.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
C:\WINDOWS\system32\NvMcTray.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
--a------ 2007-06-13 14:49 16377344 C:\WINDOWS\RTHDCPL.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\S3Trayp]
-ra------ 2007-02-06 00:30 176128 C:\WINDOWS\system32\S3Trayp.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
-ra------ 2007-11-12 15:51 21877544 C:\Program Files\Skype\Phone\Skype.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
--a------ 2007-06-15 16:45 1826816 C:\WINDOWS\SkyTel.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-09-25 01:11 132496 C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTimer]
-ra------ 2006-09-21 09:36 53248 C:\WINDOWS\system32\VTTimer.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" /background
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"MSConfig"=C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKLM~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\Program Files\uTorrent\uTorrent.exe"=
"C:\Program Files\Skype\Phone\Skype.exe"=
R0 ViBus;ViBus;C:\WINDOWS\system32\DRIVERS\ViBus.sys [2007-03-26 08:26]
R0 videX32;videX32;C:\WINDOWS\system32\DRIVERS\videX32.sys [2007-03-29 04:36]
R0 ViPrt;VIA SATA IDE Device Driver;C:\WINDOWS\system32\DRIVERS\ViPrt.sys [2007-03-26 08:26]
R2 TopWinPoETDriver;WinPoET PPPoE Optimized Driver;C:\WINDOWS\system32\DRIVERS\WrKPoET2000.sys [2007-07-04 15:27]
R3 FET5X86V;VIA Rhine-Family Fast-Ethernet Adapter Driver Service;C:\WINDOWS\system32\DRIVERS\fetnd5bv.sys [2007-02-27 09:14]
R3 S3GIGP;S3GIGP;C:\WINDOWS\system32\DRIVERS\S3gIGPm.sys [2007-03-05 02:54]
R3 WrKPoET2000;WrKPoET2000;C:\Program Files\DialNet\WrKPoET2000.sys [2007-07-04 15:27]
R3 WRSWanDD;WinPoET PPPoE Adapter;C:\WINDOWS\system32\DRIVERS\WrKPoETNic2000.sys [2007-07-04 15:27]
S3 FPD;Fine Point Packet Service;C:\WINDOWS\system32\drivers\fpd.sys []
S4 UxTuneUp;TuneUp Design Expansion;C:\WINDOWS\System32\svchost.exe [2004-08-04 00:44]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Contents of the ‘Scheduled Tasks’ folder
“2008-05-07 17:44:01 C:\WINDOWS\Tasks\1-Click Maintenance.job”
- C:\Program Files\TuneUp Utilities 2007\SystemOptimizer.exe
“2009-05-12 17:16:32 C:\WINDOWS\Tasks\Norton Security Scan.job”
- C:\Program Files\Norton Security Scan\Nss.exe
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-14 19:20:14
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes …
scanning hidden autostart entries …
scanning hidden files …
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-05-14 19:22:06
ComboFix-quarantined-files.txt 2008-05-14 18:22:02
Pre-Run: 7,554,220,032 bytes free
Post-Run: 7,621,230,592 bytes free
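The "Reg Loading Points" section of the ComboFix log above is where the remaining indicators sit: two entries under policies\explorer\run that reference bare file names (WinPrint.exe, NTSecurity.exe) rather than full paths, both Security Center notification values set to 1, and the firewall disabled for the standard profile. Below is an added triage script, written for this page and not part of the original post nor a ComboFix or Avenger feature, that parses that section's layout and flags those patterns. The sample text is constructed from the entries quoted in the post; the `triage`, `Finding`, `_command_path` and `_dword` names and the key-matching rules are this example's own heuristics, not anything ComboFix does itself.

```python
"""Flag defence tampering and suspicious autostart entries in a ComboFix
"Reg Loading Points" section.  Added example for this page: not part of the
post, not a ComboFix/Avenger feature; the rules below are heuristics."""
import re
from typing import List, NamedTuple, Optional

# Constructed sample: the entries quoted in the post, in ComboFix's
# REGEDIT4-style layout (straight quotes, as ComboFix writes them).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"a-winpoet-service"="C:\Program Files\DialNet\winpppoverethernet.exe" [2007-07-06 07:40 405504]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]
"Windows Printing Driver"= WinPrint.exe
"NT Security Service"= NTSecurity.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKLM~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""


class Finding(NamedTuple):
    key: str
    name: str
    value: str
    reason: str


SECTION_RE = re.compile(r"^\[(?P<key>.+)\]$")
# Accept straight or curly quotes: forum software often rewrites the former.
VALUE_RE = re.compile(r'^["“](?P<name>[^"”]+)["”]\s*=\s*(?P<value>.*)$')
# Keys whose values are commands: ...\CurrentVersion\Run and
# ...\Policies\Explorer\Run (but not the "run-" lists of disabled items).
RUN_KEY_RE = re.compile(r"\\currentversion\\run$|\\policies\\explorer\\run$")
NOTIFY_VALUES = {"antivirusdisablenotify", "firewalldisablenotify", "updatesdisablenotify"}


def _command_path(value: str) -> str:
    """Return the executable part of a Run value.

    Strips ComboFix's trailing "[date time size]" annotation, then takes the
    quoted path or, for unquoted commands, the first whitespace-delimited
    token (an unquoted path containing spaces would be truncated here)."""
    value = re.sub(r"\s*\[[^\]]*\]\s*$", "", value).strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end > 0 else value[1:]
    return value.split()[0] if value else ""


def _dword(value: str) -> Optional[int]:
    """Parse "dword:00000001" or ComboFix's "0 (0x0)" rendering."""
    m = re.search(r"dword:([0-9a-fA-F]{1,8})", value)
    if m:
        return int(m.group(1), 16)
    m = re.match(r"\s*(\d+)", value)
    return int(m.group(1)) if m else None


def triage(log_text: str) -> List[Finding]:
    """Walk the [key] / "name"=value lines and collect findings."""
    findings: List[Finding] = []
    key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        sec = SECTION_RE.match(line)
        if sec:
            key = sec.group("key")
            continue
        val = VALUE_RE.match(line)
        if not val or not key:
            continue
        name, value = val.group("name"), val.group("value").strip()
        lkey, lname = key.lower(), name.lower()

        if lkey.endswith("\\policies\\explorer\\run"):
            findings.append(Finding(key, name, value,
                "Policies\\Explorer\\Run is rarely used by legitimate software"))
        if RUN_KEY_RE.search(lkey):
            cmd = _command_path(value)
            if cmd and "\\" not in cmd:  # no directory: resolved via search path
                findings.append(Finding(key, name, value,
                    f"bare file name {cmd!r}: located via the search path, not a fixed location"))
        if lkey.endswith("security center") and lname in NOTIFY_VALUES and _dword(value) == 1:
            findings.append(Finding(key, name, value, "Security Center notification suppressed"))
        if "firewallpolicy" in lkey and lname == "enablefirewall" and _dword(value) == 0:
            findings.append(Finding(key, name, value, "Windows Firewall disabled for this profile"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason}\n    {f.key}\n    {f.name} = {f.value}")
```

Run against the sample it reports seven findings: each of the two policies\explorer\run entries is flagged twice (unusual key, bare file name), plus the two notification suppressions and the disabled firewall; the DialNet entry under the ordinary Run key, which has a full quoted path, is not flagged. The bare-file-name check is deliberately a heuristic: a name with no directory is resolved through the search path at logon, which is exactly what makes it worth a second look rather than proof of anything on its own.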