ComboFix 08-09-03.03 - Maciej i Iwonka 2008-09-04 9:12:51.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1250.48.1045.18.1603 [GMT 1:00]
Running from: D:\INSTALKI\COMBOFIX.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\Maciej i Iwonka\Ustawienia lokalne\Dane aplikacji\Microsoft\Windows Media\10.0\WMSDKNSD.XML
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_6TO4
-------\Service_6to4
((((((((((((((((((((((((( Files Created from 2008-08-04 to 2008-09-04 )))))))))))))))))))))))))))))))
.
2008-08-26 16:11 . 2008-08-26 16:11
2008-08-26 15:08 . 2008-09-02 02:51
2008-08-25 16:41 . 2008-08-25 16:46
2008-08-15 07:07 . 2008-04-14 18:20 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-08-14 07:14 . 2008-05-01 15:37 331,776 -----c--- C:\WINDOWS\system32\dllcache\msadce.dll
2008-08-14 07:11 . 2008-04-11 20:06 691,712 -----c--- C:\WINDOWS\system32\dllcache\inetcomm.dll
2008-08-06 20:15 . 2008-08-06 20:15
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-02 20:28 --------- d-----w C:\Program Files\CONEXANT
2008-08-27 18:52 --------- d-----w C:\Documents and Settings\Maciej i Iwonka\Dane aplikacji\Skype
2008-08-27 17:34 --------- d-----w C:\Documents and Settings\Maciej i Iwonka\Dane aplikacji\skypePM
2008-08-26 15:23 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-08-26 15:21 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\Symantec
2008-08-26 13:59 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-31 08:27 --------- d-----w C:\Program Files\Sun
2008-07-31 08:26 --------- d-----w C:\Program Files\Java
2008-07-31 08:25 --------- d-----w C:\Program Files\Common Files\Java
2008-07-29 22:30 --------- d-----w C:\Documents and Settings\Maciej i Iwonka\Dane aplikacji\Apple Computer
2008-07-29 19:47 --------- d-----w C:\Program Files\Common Files\Adobe
2008-07-18 17:11 --------- d-----w C:\Program Files\Creative
2008-07-18 15:49 --------- d-----w C:\Program Files\Skype
2008-07-18 15:49 --------- d-----w C:\Program Files\Common Files\Skype
2008-07-18 15:49 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\Skype
2008-07-18 14:35 --------- d-----w C:\Program Files\YzShadow
2008-07-18 14:35 --------- d-----w C:\Program Files\WinRoll
2008-07-18 14:35 --------- d-----w C:\Program Files\UberIcon
2008-07-18 14:35 --------- d-----w C:\Program Files\Tiger System Preferences v2
2008-07-18 14:35 --------- d-----w C:\Program Files\RK Launcher
2008-07-18 14:35 --------- d-----w C:\Program Files\ObjectDock
2008-07-18 14:35 --------- d-----w C:\Program Files\iColorFolder
2008-07-18 14:25 --------- d-----w C:\Program Files\Huawei technologies
2008-07-14 10:19 --------- d-----w C:\Program Files\Apple Software Update
2008-07-14 10:19 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\Apple
2008-07-10 10:58 --------- d-----w C:\Documents and Settings\Maciej i Iwonka\Dane aplikacji\Thinstall
2008-07-07 18:11 --------- d-----w C:\Documents and Settings\Administrator\Dane aplikacji\Symantec
2008-07-02 15:31 2,560 ----a-w C:\WINDOWS_MSRSTRT.EXE
2008-04-14 17:21 60,928 --sha-w C:\WINDOWS\FlyakiteOSX\Backup\msimn.exe
2008-04-14 17:21 1,695,232 --sha-w C:\WINDOWS\FlyakiteOSX\Backup\msmsgs.exe
.
------- Sigcheck -------
2004-08-03 23:44 578560 0c81764f50f32d376e6e4b9e9f4b01a0 C:\WINDOWS\$NtServicePackUninstall$\user32.dll
2008-04-14 18:20 580096 a435c5c069afd901751ac323ad238793 C:\WINDOWS\FlyakiteOSX\Backup\user32.dll
2008-04-14 18:20 579584 3cbbc521c4782481f8f4ffcbac034e11 C:\WINDOWS\ServicePackFiles\i386\user32.dll
2008-04-14 18:20 579584 3cbbc521c4782481f8f4ffcbac034e11 C:\WINDOWS\system32\user32.dll
2004-08-03 23:54 2058112 44d1bc1b05e0c7c82e81687b79c653c7 C:\WINDOWS\$NtServicePackUninstall$\ntkrnlpa.exe
2008-04-14 17:29 2067200 4bba965664faa56b187c27f4cad7e7c5 C:\WINDOWS\FlyakiteOSX\Backup\ntkrnlpa.exe
2008-04-14 17:29 2024960 fc933cbfdd9830214e01ddba1601b455 C:\WINDOWS\ServicePackFiles\i386\ntkrnlpa.exe
2008-07-18 15:34 2024960 f2187d91bef9664eca1f690b65b9e3b4 C:\WINDOWS\system32\ntkrnlpa.exe
2004-08-03 23:39 2182272 dcf53422b7edded3b7431fbae4a7ee3f C:\WINDOWS\$NtServicePackUninstall$\ntoskrnl.exe
2008-04-14 17:30 2190336 8ca14ecf04594eabbe93c9ff2e3cbfb1 C:\WINDOWS\FlyakiteOSX\Backup\ntoskrnl.exe
2008-04-14 17:30 2148096 869735ee0b6761cc2a84e42f5ebb96bb C:\WINDOWS\ServicePackFiles\i386\ntoskrnl.exe
2008-07-18 15:34 2148096 4b43cf7a231e8bb4958158f554852630 C:\WINDOWS\system32\ntoskrnl.exe
2008-04-14 18:21 2825216 ba2661fa29ca108363f4907b95bd1c6f C:\WINDOWS\explorer.exe
2004-08-03 23:44 1033728 379098a96e6c165b659de7e4328010ea C:\WINDOWS\$NtServicePackUninstall$\explorer.exe
2008-04-14 18:21 1035264 c791ed9eac5e76d9525e157b1d7a599a C:\WINDOWS\FlyakiteOSX\Backup\explorer.exe
2008-04-14 18:21 2825216 ba2661fa29ca108363f4907b95bd1c6f C:\WINDOWS\ServicePackFiles\i386\explorer.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UberIcon"="C:\Program Files\UberIcon\UberIcon Manager.exe" [2006-02-24 188416]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 15360]
"Yz Shadow"="C:\Program Files\YzShadow\YzShadow.exe" [2006-02-24 172032]
"RK Launcher"="C:\Program Files\RK Launcher\RKLauncher.exe" [2005-10-19 393216]
"HUAWEI 3G Data Card MTS"="C:\Program Files\Huawei technologies\Huawei UMTS Data Card\3 DataModem HSDPA.exe" [2007-03-22 335872]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-01-12 827392]
"eabconfg.cpl"="C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe" [2006-04-18 405504]
"V0250Mon.exe"="C:\WINDOWS\V0250Mon.exe" [2006-06-08 32768]
[HKEY_USERS.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2008-04-14 15360]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 22:16 39792 D:\PROGRAMY\ADOBE READER 9\Reader\reader_sl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alt+Q Hotkey Tool]
--a------ 2005-12-18 20:14 27648 C:\WINDOWS\Alt+Q Hotkey.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
--a------ 2005-12-01 21:05 344064 C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVFX Engine]
--------- 2006-06-09 01:11 24576 C:\Program Files\Creative\Creative Live! Cam\VideoFX\StartFX.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a------ 2007-08-03 12:51 202024 C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-14 18:21 15360 C:\WINDOWS\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpWirelessAssistant]
--a------ 2005-12-13 16:45 507904 C:\Program Files\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
--a------ 2007-08-08 09:25 1828136 C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2007-03-01 15:57 153136 C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-06-10 04:27 144784 C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\System Files Updater]
--a------ 2006-02-26 00:41 118485 C:\WINDOWS\FlyakiteOSX\Tools\System Files Updater.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\V0250Mon.exe]
--a------ 2006-06-08 01:00 32768 C:\WINDOWS\V0250Mon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinRoll]
--a------ 2006-01-01 23:27 15872 C:\Program Files\WinRoll\winroll.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe"=
"%windir%\Network Diagnostic\xpnetdiag.exe"=
"D:\PROGRAMY\UTORRENT\uTorrent.exe"=
"C:\Program Files\Skype\Phone\Skype.exe"=
"C:\Program Files\Huawei technologies\Huawei UMTS Data Card\3 DataModem HSDPA.exe"=
[HKLM~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 0 (0x0)
R3 HSFHWATI;HSFHWATI;C:\WINDOWS\system32\DRIVERS\HSFHWATI.sys [2005-08-22 231424]
S3 V0250Dev;Live! Cam Notebook Pro;C:\WINDOWS\system32\DRIVERS\V0250Dev.sys [2006-06-27 185504]
S3 V0250Vfx;V0250Vfx;C:\WINDOWS\system32\DRIVERS\V0250Vfx.sys [2006-03-24 6272]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]
\Shell\AutoRun\command - H:\AutoRun.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5d817ece-7926-11dd-b233-8d2dec8c20f4}]
\Shell\AutoRun\command - H:\AutoRun.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5d817ecf-7926-11dd-b233-d0373fe09996}]
\Shell\AutoRun\command - H:\AutoRun.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a1e8d2e0-54ca-11dd-b1c5-0014a5b52ff3}]
\Shell\AutoRun\command - H:\AutoRun.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fa100784-54c7-11dd-b1c3-0014a5b52ff3}]
\Shell\AutoRun\command - H:\AutoRun.exe
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.wp.pl/
O17 -: HKLM\CCS\Interface\{A4660A01-F020-4FA1-98FD-7466A4F66096}: NameServer = 172.31.140.69 172.30.140.69
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-04 09:17:49
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-09-04 9:19:51 - machine was rebooted
ComboFix-quarantined-files.txt 2008-09-04 08:19:30
Pre-Run: 7,158,685,696 bytes free
Post-Run: 12,040,740,864 bytes free
179 --- E O F --- 2008-08-28 07:04:10
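One thing worth pulling out of the Sigcheck block above before calling this machine clean: the live copies of ntkrnlpa.exe and ntoskrnl.exe in system32 are the same size as the ServicePackFiles\i386 copies but carry different MD5s and a later timestamp (2008-07-18 15:34), while user32.dll and explorer.exe match their reference copies. A same-size, different-hash kernel is what an in-place patch looks like; the theme pack present on this machine (FlyakiteOSX, whose "System Files Updater" autostarts) is one plausible source, a kernel infection is another, and only a comparison against a known-good hash settles it. The script below is an added example and not part of the ComboFix output or of ComboFix itself: it parses Sigcheck lines (the ones copied from the log above, written with the backslash before $NtServicePackUninstall$ that the forum rendering dropped) and classifies each binary. Treating ServicePackFiles\i386 as the reference copy and C:\WINDOWS or C:\WINDOWS\system32 as the live copy is this example's assumption, not something ComboFix states.

```python
import re
from typing import Dict, List, NamedTuple, Optional

# Sigcheck lines copied from the ComboFix log above (sample input for this example).
SIGCHECK_LINES = r"""
2004-08-03 23:44 578560 0c81764f50f32d376e6e4b9e9f4b01a0 C:\WINDOWS\$NtServicePackUninstall$\user32.dll
2008-04-14 18:20 580096 a435c5c069afd901751ac323ad238793 C:\WINDOWS\FlyakiteOSX\Backup\user32.dll
2008-04-14 18:20 579584 3cbbc521c4782481f8f4ffcbac034e11 C:\WINDOWS\ServicePackFiles\i386\user32.dll
2008-04-14 18:20 579584 3cbbc521c4782481f8f4ffcbac034e11 C:\WINDOWS\system32\user32.dll
2004-08-03 23:54 2058112 44d1bc1b05e0c7c82e81687b79c653c7 C:\WINDOWS\$NtServicePackUninstall$\ntkrnlpa.exe
2008-04-14 17:29 2067200 4bba965664faa56b187c27f4cad7e7c5 C:\WINDOWS\FlyakiteOSX\Backup\ntkrnlpa.exe
2008-04-14 17:29 2024960 fc933cbfdd9830214e01ddba1601b455 C:\WINDOWS\ServicePackFiles\i386\ntkrnlpa.exe
2008-07-18 15:34 2024960 f2187d91bef9664eca1f690b65b9e3b4 C:\WINDOWS\system32\ntkrnlpa.exe
2004-08-03 23:39 2182272 dcf53422b7edded3b7431fbae4a7ee3f C:\WINDOWS\$NtServicePackUninstall$\ntoskrnl.exe
2008-04-14 17:30 2190336 8ca14ecf04594eabbe93c9ff2e3cbfb1 C:\WINDOWS\FlyakiteOSX\Backup\ntoskrnl.exe
2008-04-14 17:30 2148096 869735ee0b6761cc2a84e42f5ebb96bb C:\WINDOWS\ServicePackFiles\i386\ntoskrnl.exe
2008-07-18 15:34 2148096 4b43cf7a231e8bb4958158f554852630 C:\WINDOWS\system32\ntoskrnl.exe
2008-04-14 18:21 2825216 ba2661fa29ca108363f4907b95bd1c6f C:\WINDOWS\explorer.exe
2004-08-03 23:44 1033728 379098a96e6c165b659de7e4328010ea C:\WINDOWS\$NtServicePackUninstall$\explorer.exe
2008-04-14 18:21 1035264 c791ed9eac5e76d9525e157b1d7a599a C:\WINDOWS\FlyakiteOSX\Backup\explorer.exe
2008-04-14 18:21 2825216 ba2661fa29ca108363f4907b95bd1c6f C:\WINDOWS\ServicePackFiles\i386\explorer.exe
"""

# Assumed roles of the directories (this example's convention, not ComboFix's):
# the service-pack cache is the reference, the running copy is what Windows loads.
REFERENCE_DIR = r"c:\windows\servicepackfiles\i386"
LIVE_DIRS = (r"c:\windows", r"c:\windows\system32")

# One Sigcheck line: "<date> <time> <size> <md5> <path>"; the path may contain spaces.
LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(\d+)\s+([0-9a-fA-F]{32})\s+(\S.*?)\s*$"
)


class Entry(NamedTuple):
    mtime: str
    size: int
    md5: str
    path: str


class Finding(NamedTuple):
    name: str
    verdict: str          # match | patched_same_size | replaced | no_reference | no_live_copy
    live: Optional[Entry]
    reference: Optional[Entry]


def parse_sigcheck(text: str) -> List[Entry]:
    """Parse every well-formed Sigcheck line; anything else is ignored."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group(1), int(m.group(2)), m.group(3).lower(), m.group(4)))
    return entries


def _parent_dir(path: str) -> str:
    head, sep, _ = path.rpartition("\\")
    return head.lower() if sep else ""


def _basename(path: str) -> str:
    return path.rpartition("\\")[2].lower()


def analyze(text: str) -> Dict[str, Finding]:
    """Group copies by file name and compare the live copy with the reference copy."""
    by_name: Dict[str, List[Entry]] = {}
    for e in parse_sigcheck(text):
        by_name.setdefault(_basename(e.path), []).append(e)

    findings: Dict[str, Finding] = {}
    for name, copies in by_name.items():
        ref = next((c for c in copies if _parent_dir(c.path) == REFERENCE_DIR), None)
        live = next((c for c in copies if _parent_dir(c.path) in LIVE_DIRS), None)
        if ref is None:
            verdict = "no_reference"
        elif live is None:
            verdict = "no_live_copy"
        elif live.md5 == ref.md5:
            verdict = "match"
        elif live.size == ref.size:
            # Same length, different bytes: an in-place patch (theming or malware),
            # not a version upgrade. Verify against a known-good hash.
            verdict = "patched_same_size"
        else:
            verdict = "replaced"
        findings[name] = Finding(name, verdict, live, ref)
    return findings


def report(findings: Dict[str, Finding]) -> List[str]:
    """Human-readable summary, one line per binary."""
    lines = []
    for f in sorted(findings.values()):
        live = f"{f.live.md5} ({f.live.mtime})" if f.live else "-"
        ref = f"{f.reference.md5} ({f.reference.mtime})" if f.reference else "-"
        lines.append(f"{f.name:14} {f.verdict:18} live={live} ref={ref}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(analyze(SIGCHECK_LINES))))
```

Run against the lines from this log, user32.dll and explorer.exe come back as match and both kernel images as patched_same_size; the FlyakiteOSX\Backup and $NtServicePackUninstall$ copies are deliberately left out of the verdict, since they are expected to differ from whatever is currently installed.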