ComboFix 08-09-05.02 - Maciej 2008-09-07 13:43:03.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1250.1.1045.18.1628 [GMT 2:00]
Running from: C:\Documents and Settings\Maciej\Pulpit\ComboFix.exe
 * Created a new restore point
 * Resident AV is active

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\cfadfa3_r.dll
.

((((((((((((((((((((((((( Files Created from 2008-08-07 to 2008-09-07 )))))))))))))))))))))))))))))))
.

2008-08-31 17:13 . 2008-08-31 17:13
2008-08-28 23:40 . 2008-08-28 23:40
2008-08-28 23:40 . 2008-08-28 23:40
2008-08-28 23:40 . 2008-08-28 23:40
2008-08-28 23:38 . 2008-08-28 23:38
2008-08-28 23:31 . 2008-08-28 23:31
2008-08-28 14:29 . 2004-08-04 00:35	701,440	---------	C:\WINDOWS\system32\drivers\ati2mtag.sys
2008-08-13 10:31 . 2008-04-11 21:06	691,712	-----c---	C:\WINDOWS\system32\dllcache\inetcomm.dll
2008-08-13 10:23 . 2008-08-13 10:23
2008-08-13 10:20 . 2008-08-13 10:20
2008-08-13 10:20 . 2008-08-13 10:20
2008-08-13 10:20 . 2008-08-13 10:20
2008-08-13 10:19 . 2008-08-13 10:25
2008-08-13 10:19 . 2008-08-13 10:20
2008-08-13 10:10 . 2004-08-04 14:00	221,184	--a------	C:\WINDOWS\system32\wmpns.dll
.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-07 11:12	---------	d--h--w	C:\Program Files\InstallShield Installation Information
2008-09-04 20:52	---------	d-----w	C:\Program Files\eMule
2008-08-10 14:19	---------	d-----w	C:\Documents and Settings\Maciej\Dane aplikacji\uTorrent
2008-07-30 16:20	---------	d-----w	C:\Program Files\Common Files\INCA Shared
2008-07-29 22:47	---------	d-----w	C:\Program Files\BitSpirit
2008-07-29 21:58	459	----a-w	C:\Program Files\server.met
2008-07-10 19:42	---------	d-----w	C:\Program Files\SpeedFan
2008-07-08 16:34	---------	d-----w	C:\Program Files\Real Alternative
2008-07-07 20:29	253,952	----a-w	C:\WINDOWS\system32\es.dll
2008-06-24 16:46	74,240	----a-w	C:\WINDOWS\system32\mscms.dll
2008-06-23 16:42	826,368	----a-w	C:\WINDOWS\system32\wininet.dll
2008-06-20 17:48	246,784	----a-w	C:\WINDOWS\system32\mswsock.dll
2008-06-07 21:12	298,104	----a-w	C:\WINDOWS\system32\imon.dll
2007-11-19 17:56	22,328	-c--a-w	C:\Documents and Settings\Maciej\Dane aplikacji\PnkBstrK.sys
2004-03-11 12:27	40,960	-c--a-w	C:\Program Files\Uninstall_CDS.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 15360]
"AQQ"="C:\PROGRA~1\WapSter\AQQ\AQQ.exe" [2007-02-28 2351864]
"Gadu-Gadu"="C:\Program Files\Gadu-Gadu\gg.exe" [2008-03-20 2127296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-02-02 7933952]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2008-06-07 949376]
"MAAgent"="C:\Program Files\MarkAny\ContentSafer\MAAgent.exe" [2007-01-30 57344]
"RTHDCPL"="RTHDCPL.EXE" [2006-03-14 C:\WINDOWS\RTHDCPL.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2008-04-14 15360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{88485281-8b4b-4f8d-9ede-82e29a064277}"= "C:\PROGRA~1\MarkAny\CONTEN~1\MACSMA~1.DLL" [2004-11-23 192512]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.YV12"= yv12vfw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Gadu-Gadu]
--a------ 2008-03-20 12:04 2127296 C:\Program Files\Gadu-Gadu\gg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Gainward]
-ra------ 2006-02-07 10:57 2088960 C:\WINDOWS\TBPanel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 12:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2007-02-02 16:25 7933952 C:\WINDOWS\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2007-02-02 16:25 81920 C:\WINDOWS\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Tapeciarz Pro]
--a------ 2008-06-02 16:09 257024 c:\Program Files\tapeciarz pro\Tapeciarz Pro.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a------ 2008-04-01 20:49 36352 C:\Program Files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2007-02-02 16:25 1622016 C:\WINDOWS\system32\nwiz.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\Program Files\Gadu-Gadu\gg.exe"=
"C:\WINDOWS\system32\sessmgr.exe"=
"C:\Program Files\WapSter\AQQ\AQQ.exe"=
"C:\PROGRA~1\WapSter\AQQ\AQQ.exe"=
"C:\WINDOWS\system32\dpvsetup.exe"=
"C:\WINDOWS\system32\PnkBstrA.exe"=
"C:\WINDOWS\system32\PnkBstrB.exe"=
"C:\Maćka\Gry\Activision\Tony Hawk's Underground 2\Game\Thug2.exe"=
"C:\Program Files\uTorrent\uTorrent.exe"=
"%windir%\Network Diagnostic\xpnetdiag.exe"=
"C:\Maćka\Gry\Activision\THAW\Game\THAW.exe"=
"C:\Program Files\eMule\emule.exe"=
"C:\Maćka\Gry\CABAL Online (Europe)\launcher\update\ESTdnheadless.exe"=
"C:\WINDOWS\system32\muzapp.exe"=
"%windir%\system32\sessmgr.exe"=

R3 ULI5261XP;ULi M526X Ethernet NT Driver;C:\WINDOWS\system32\DRIVERS\ULILAN51.SYS [2005-03-22 28672]

*Newly Created Service* - PROCEXP90
.
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://start.icq.com/
R1 -: HKCU-Internet Connection Wizard,ShellNext = iexplore
O8 -: Add to AMV Converter... - C:\Program Files\MP3 Player Utilities 4.09\AMVConverter\grab.html
O8 -: Export to Microsoft Excel - C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 -: MediaManager tool grab multimedia file - C:\Program Files\MP3 Player Utilities 4.09\MediaManager\grab.html
O8 -: Download with BitSpirit - C:\Program Files\BitSpirit\bsurl.htm
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-07 13:45:14
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\lsass.exe
-> C:\Program Files\Eset\pr_imon.dll
.
Completion time: 2008-09-07 13:46:13
ComboFix-quarantined-files.txt  2008-09-07 11:46:00

Pre-Run: 11,828,424,704 bytes free
Post-Run: 11,901,218,816 bytes free

131 --- E O F --- 2008-09-02 19:04:08
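The log above is read by hand in a malware-removal thread: what ComboFix deleted ("Other Deletions"), what is registered to start automatically (the Run keys), and which executables hold Windows Firewall exceptions (the AuthorizedApplications list). The following parser is an added example, not part of the posted log or of ComboFix itself. It takes a constructed excerpt of the log on this page as input, turns those three sections into records, and applies one triage heuristic that is an assumption of this example rather than anything ComboFix does: paths outside the Windows and Program Files trees are listed for manual review. The hypothetical helper names (`parse_combofix`, `triage`, `flag_paths`) are this example's own.

```python
"""Parse the deletions, Run-key autostarts and firewall exceptions out of a ComboFix log."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample input: a subset of the ComboFix log posted on this page.
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\cfadfa3_r.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 15360]
"AQQ"="C:\PROGRA~1\WapSter\AQQ\AQQ.exe" [2007-02-28 2351864]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2008-06-07 949376]
"RTHDCPL"="RTHDCPL.EXE" [2006-03-14 C:\WINDOWS\RTHDCPL.exe]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\Program Files\Gadu-Gadu\gg.exe"=
"C:\WINDOWS\system32\sessmgr.exe"=
"C:\Maćka\Gry\Activision\THAW\Game\THAW.exe"=
"%windir%\Network Diagnostic\xpnetdiag.exe"=
"C:\Program Files\eMule\emule.exe"=
"""

SECTION_RE = re.compile(r"^\(+\s*(?P<name>.+?)\s*\)+$")          # ((((( Section Name )))))
KEY_RE = re.compile(r"^\[(?P<key>.+)\]$")                         # [HKEY_...\Run]
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)"\s*\[(?P<meta>[^\]]*)\]$')
FW_RE = re.compile(r'^"(?P<path>[^"]+)"=$')                       # "C:\...\app.exe"=

@dataclass
class Autostart:
    key: str
    name: str
    path: str
    date: Optional[str] = None
    size: Optional[int] = None       # file size when ComboFix printed "[date size]"
    resolved: Optional[str] = None   # full path when it printed "[date C:\full\path]"

@dataclass
class Report:
    deletions: List[str]
    autostarts: List[Autostart]
    firewall: List[str]

def _parse_meta(meta: str) -> Tuple[Optional[str], Optional[int], Optional[str]]:
    """Split "[2008-04-14 15360]" or "[2006-03-14 C:\\WINDOWS\\RTHDCPL.exe]" into (date, size, resolved)."""
    parts = meta.split(None, 1)
    date = parts[0] if parts else None
    rest = parts[1] if len(parts) > 1 else ""
    if rest.isdigit():
        return date, int(rest), None
    return date, None, (rest or None)

def parse_combofix(text: str) -> Report:
    deletions, autostarts, firewall = [], [], []
    section, key = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":            # ComboFix pads sections with lone dots
            continue
        m = SECTION_RE.match(line)
        if m:
            section, key = m.group("name"), None
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        if section == "Other Deletions":       # every remaining line here is a removed file
            deletions.append(line)
        elif section == "Reg Loading Points" and key:
            lkey = key.lower()
            if lkey.endswith("authorizedapplications\\list"):
                m = FW_RE.match(line)
                if m:
                    firewall.append(m.group("path"))
            elif lkey.endswith("\\run"):
                m = RUN_RE.match(line)
                if m:
                    date, size, resolved = _parse_meta(m.group("meta"))
                    autostarts.append(Autostart(key, m.group("name"), m.group("path"), date, size, resolved))
    return Report(deletions, autostarts, firewall)

# Assumed triage rule (this example's, not ComboFix's): anything outside these trees gets hand-checked.
TRUSTED_PREFIXES = ("c:\\windows", "c:\\program files", "c:\\progra~1", "%windir%")

def flag_paths(paths, trusted=TRUSTED_PREFIXES) -> List[str]:
    return sorted(p for p in paths if not p.lower().startswith(trusted))

def triage(report: Report) -> dict:
    exe_paths = [a.resolved or a.path for a in report.autostarts]
    return {
        "deleted": report.deletions,
        "autostarts_outside_trusted_dirs": flag_paths(exe_paths),
        "firewall_exceptions_outside_trusted_dirs": flag_paths(report.firewall),
    }

if __name__ == "__main__":
    for k, v in triage(parse_combofix(SAMPLE_LOG)).items():
        print(k, v)
```

On the excerpt the only deletion is cfadfa3_r.dll, the four Run entries all resolve into the Windows or Program Files trees (RTHDCPL.EXE has no directory in the value but ComboFix printed the resolved path in the brackets, which the parser keeps), and the one firewall exception flagged for review is the game executable under C:\Maćka\Gry. Run it against the full log with `parse_combofix(open(path, encoding="cp1250").read())`; the code page is an assumption for a Polish XP system.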