"vobis" - 2007-06-29 12:57:19 - ComboFix 07-06-27.7 - Dodatek Service Pack 2 NTFS

(((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))

C:\windows\system32\winhab32.dll

* * * POST RUN FILES/FOLDERS * * *

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

-------\nm

((((((((((((((((((((((((( Files Created from 2007-05-28 to 2007-06-29 )))))))))))))))))))))))))))))))

2007-06-29 12:57 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-29 12:34
2007-06-29 10:56 4,096 --a------ C:\WINDOWS\d3dx.dat
2007-06-27 23:38
2007-06-27 21:53
2007-06-25 22:50
2007-06-25 16:48 4,682 --a------ C:\WINDOWS\system32\npptNT2.sys
2007-06-25 16:41
2007-06-24 22:16 314,880 --a------ C:\WINDOWS\IsUninst.exe
2007-06-24 22:16
2007-06-24 21:40
2007-06-24 21:09
2007-06-24 21:09
2007-06-24 21:07
2007-06-24 21:04 81,768 --a------ C:\WINDOWS\system32\xinput1_3.dll
2007-06-24 21:04 62,744 --a------ C:\WINDOWS\system32\xinput1_2.dll
2007-06-24 21:04 443,752 --a------ C:\WINDOWS\system32\d3dx10_34.dll
2007-06-24 21:04 443,752 --a------ C:\WINDOWS\system32\d3dx10_33.dll
2007-06-24 21:04 3,497,832 --a------ C:\WINDOWS\system32\d3dx9_34.dll
2007-06-24 21:04 3,495,784 --a------ C:\WINDOWS\system32\d3dx9_33.dll
2007-06-24 21:04 3,426,072 --a------ C:\WINDOWS\system32\d3dx9_32.dll
2007-06-24 21:04 266,088 --a------ C:\WINDOWS\system32\xactengine2_8.dll
2007-06-24 21:04 261,480 --a------ C:\WINDOWS\system32\xactengine2_7.dll
2007-06-24 21:04 255,848 --a------ C:\WINDOWS\system32\xactengine2_6.dll
2007-06-24 21:04 251,672 --a------ C:\WINDOWS\system32\xactengine2_5.dll
2007-06-24 21:04 237,848 --a------ C:\WINDOWS\system32\xactengine2_4.dll
2007-06-24 21:04 236,824 --a------ C:\WINDOWS\system32\xactengine2_3.dll
2007-06-24 21:04 2,414,360 --a------ C:\WINDOWS\system32\d3dx9_31.dll
2007-06-24 21:04 2,297,552 --a------ C:\WINDOWS\system32\d3dx9_26.dll
2007-06-24 21:04 18,280 --a------ C:\WINDOWS\system32\x3daudio1_2.dll
2007-06-24 21:04 15,128 --a------ C:\WINDOWS\system32\x3daudio1_1.dll
2007-06-24 21:04 1,124,720 --a------ C:\WINDOWS\system32\D3DCompiler_34.dll
2007-06-24 21:04 1,123,696 --a------ C:\WINDOWS\system32\D3DCompiler_33.dll
2007-06-22 23:01 3,478 -rahs---- C:\WINDOWS\pagefile.sys.vbs
2007-06-22 23:01 3,478 --a------ C:\pagefile.sys.vbs
2007-06-19 09:39
2007-06-19 09:04 72 --a------ C:\WINDOWS\system32\drivers\wnmsav.dat
2007-06-15 07:41 71,680 --a------ C:\WINDOWS\system32\drivers\pavdrv51.sys
2007-06-15 07:41 261 --a------ C:\WINDOWS\system32\PavCPL.dat
2007-06-15 07:40 49,968 --a------ C:\WINDOWS\system32\drivers\dsaflt.sys
2007-06-15 07:40 36,016 --a------ C:\WINDOWS\system32\drivers\smsflt.sys
2007-06-15 07:40 29,360 --a------ C:\WINDOWS\system32\drivers\wnmflt.sys
2007-06-15 07:40 244,348 --a------ C:\WINDOWS\system32\drivers\APPFCONT.DAT
2007-06-15 07:40 190,640 --a------ C:\WINDOWS\system32\drivers\idsflt.sys
2007-06-15 07:40
2007-06-15 07:39 58,800 --a------ C:\WINDOWS\system32\drivers\APPFLT.SYS
2007-06-15 07:39 15,792 --a------ C:\WINDOWS\system32\drivers\fnetmon.sys
2007-06-15 07:39 121,392 --a------ C:\WINDOWS\system32\drivers\NETFLTDI.SYS
2007-06-15 07:38 63,024 --a------ C:\WINDOWS\system32\pavipc.dll
2007-06-15 07:38 50,736 --a------ C:\WINDOWS\system32\avldr.dll
2007-06-15 07:38 446,464 --a------ C:\WINDOWS\system32\HHActiveX.dll
2007-06-15 07:38 292,400 --a------ C:\WINDOWS\system32\PavSHook.dll
2007-06-15 07:38 24,576 --a------ C:\WINDOWS\system32\msxml3a.dll
2007-06-15 07:38 17,792 --a------ C:\WINDOWS\system32\drivers\cpoint.sys
2007-06-15 07:38 161,328 --a------ C:\WINDOWS\system32\TpUtil.dll
2007-06-15 07:38 142,128 --a------ C:\WINDOWS\system32\drivers\netimflt.sys
2007-06-15 07:38 107,568 --a------ C:\WINDOWS\system32\SYSTOOLS.DLL
2007-06-15 07:38
2007-06-15 07:38
2007-06-15 07:36 31,104 --a------ C:\WINDOWS\system32\drivers\ShlDrv51.sys
2007-06-15 07:36 170,800 --a------ C:\WINDOWS\system32\drivers\PavProc.sys
2007-06-15 07:36
2007-06-12 14:55 909,004 ---hs---- C:\WINDOWS\system32\yybeg.bak2
2007-06-10 20:48 903,715 ---hs---- C:\WINDOWS\system32\yybeg.bak1
2007-06-09 19:33 229,057 --a------ C:\WINDOWS\Alcohol_Toolbar_Uninstaller_6703.exe
2007-06-09 19:33
2007-06-09 19:33
2007-06-09 19:19 685,816 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2007-06-09 16:19
2007-06-09 16:17
2007-06-05 18:56 30,592 --------- C:\WINDOWS\system32\drivers\rndismpx.sys
2007-06-05 18:56 12,800 --------- C:\WINDOWS\system32\drivers\usb8023x.sys
2007-06-05 18:55
2007-06-05 11:08
2007-06-05 10:43
2007-05-30 23:24
2007-05-30 21:51 6,912 --a------ C:\WINDOWS\system32\drivers\vulfnth.sys
2007-05-30 21:51 45,056 --a------ C:\WINDOWS\system32\vusetup.dll
2007-05-30 21:51 11,264 --a------ C:\WINDOWS\system32\drivers\vulfntr.sys
2007-05-30 18:01 786,432 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-05-30 18:01
2007-05-30 18:01
2007-05-30 18:01
2007-05-30 18:01
2007-05-30 18:01
2007-05-30 18:01
2007-05-30 18:01
2007-05-30 18:01
2007-05-30 18:01

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-25 19:34:43 -------- d-----w C:\DOCUME~1\vobis\DANEAP~1\Skype
2007-06-25 14:41:03 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-06-25 11:06:54 -------- d-----w C:\Program Files\DC++
2007-06-24 08:22:15 -------- d-----w C:\Program Files\Opera
2007-06-20 18:24:42 -------- d-----w C:\Program Files\Gadu-Gadu
2007-06-15 06:01:54 67,276 ----a-w C:\windows\system32\perfc015.dat
2007-06-15 06:01:54 436,216 ----a-w C:\windows\system32\perfh015.dat
2007-06-09 21:49:19 -------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-06-09 21:27:48 -------- d-----w C:\Program Files\Atheros
2007-06-09 21:26:26 -------- d-----w C:\Program Files\TOSHIBA
2007-06-09 18:39:44 -------- d-----w C:\Program Files\Winamp
2007-06-09 14:19:13 2,560 ----a-w C:\windows\system32\BitCometRes.dll
2007-05-30 18:58:28 -------- d-----w C:\Program Files\microsoft frontpage
2007-05-16 15:18:58 683,520 ----a-w C:\windows\system32\inetcomm.dll
2007-04-25 14:23:30 144,896 ----a-w C:\windows\system32\schannel.dll
2007-04-18 16:14:32 2,854,400 ----a-w C:\windows\system32\msi.dll
2007-04-16 20:47:36 33,624 ----a-w C:\windows\system32\wups.dll
2007-04-16 20:45:54 1,710,936 ----a-w C:\windows\system32\wuaueng.dll
2007-04-16 20:45:48 549,720 ----a-w C:\windows\system32\wuapi.dll
2007-04-16 20:45:42 325,976 ----a-w C:\windows\system32\wucltui.dll
2007-04-16 20:45:36 203,096 ----a-w C:\windows\system32\wuweb.dll
2007-04-16 20:45:28 92,504 ----a-w C:\windows\system32\cdm.dll
2007-04-16 20:45:20 53,080 ----a-w C:\windows\system32\wuauclt.exe
2007-04-16 20:45:20 43,352 ----a-w C:\windows\system32\wups2.dll

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2005-09-24 06:12]
{39F7E362-828A-4B5A-BCAF-5B79BFDFEA60}=C:\Program Files\BitComet\tools\BitCometBHO_1.1.5.19.dll [2007-05-18 20:17]
{53707962-6F74-2D53-2644-206D7942484F}=C:\Program Files\Spybot - Search & Destroy\SDHelper.dll [2005-05-31 01:04]
{5D07D924-61C5-494C-8F8A-CB367BC59242}=C:\WINDOWS\system32\umgyknau.dll []
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]
{8126A4A5-BFD3-46FE-BBDF-BFB5CF78E489}=C:\Program Files\Alcohol Toolbar\v3.2.0.0\Alcohol_Toolbar.dll [2007-06-09 19:33]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2006-03-17 15:37]
"RTHDCPL"="RTHDCPL.EXE" [2006-04-18 06:34 C:\WINDOWS\RTHDCPL.exe]
"Alcmtr"="ALCMTR.EXE" [2005-05-04 09:43 C:\WINDOWS\Alcmtr.exe]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2004-03-23 22:40]
"AGRSMMSG"="AGRSMMSG.exe" [2006-03-18 08:22 C:\WINDOWS\agrsmmsg.exe]
"HWSetup"="C:\Program Files\TOSHIBA\TOSHIBA Applet\HWSetup.exe" [2004-05-01 13:45]
"TPNF"="C:\Program Files\TOSHIBA\TouchPad\TPTray.exe" [2006-04-04 14:57]
"Zooming"="ZoomingHook.exe" [2005-06-06 09:58 C:\WINDOWS\system32\ZoomingHook.exe]
"Tvs"="C:\Program Files\TOSHIBA\Tvs\TvsTray.exe" [2006-02-02 13:11]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" []
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\windows\system32\ctfmon.exe" [2004-08-04 12:00]
"TOSCDSPD"="C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2005-04-12 12:04]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 18:24]
"Komunikator"="C:\Program Files\Tlen.pl\tlen.exe" [2006-05-12 14:13]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 15:57]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avldr]
avldr.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{28bfe93e-0ec7-11dc-ac9a-cac4deb61e93}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe MS32DLL.dll.vbs

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4bfb2888-2226-11dc-acea-0016d48a0ce2}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe pagefile.sys.vbs

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c5df99fa-2103-11dc-ace7-0016d48a0ce2}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe pagefile.sys.vbs

**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-29 13:01:41
Windows 5.1.2600 Dodatek Service Pack 2 NTFS

scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet003\Services\ShldDrv]
"ImagePath"="\??\C:\WINDOWS\system32\DRIVERS\ShlDrv51.sys"
"ImagePath"="C:\WINDOWS\system32\DRIVERS\ShlDrv51.sys"

Completion time: 2007-06-29 13:03:22 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-06-29 13:02
--- E O F ---