offline
- Joined: 02 Feb 2009
- Posts: 32
Greetings,
ComboFix 09-04-23.A3 - Administrator 23.04.2009 22:58.8 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1250.381.1033.18.3582.2960 [GMT 2:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1335 [VPS 090423-0] *On-access scanning disabled* (Updated)
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\Sysvxd.exe
.
((((((((((((((((((((((((( Files Created from 2009-05-23 to 2009-4-23 )))))))))))))))))))))))))))))))
.
2009-04-13 20:19 . 2009-04-13 20:19 -------- d-----w c:\documents and settings\Administrator\Application Data\Leadertech
2009-04-04 09:43 . 2009-04-04 09:43 -------- d-----w c:\documents and settings\Djole\Application Data\Rational
2009-04-03 11:40 . 2009-04-03 11:40 -------- d-----w c:\documents and settings\Administrator\Application Data\Rational
2009-04-03 11:39 . 2009-04-03 11:39 -------- d-----w c:\program files\Rational
2009-04-03 11:37 . 2009-04-03 11:38 -------- d-----w c:\program files\Rose Enterprise Edition for Windows
2009-03-29 15:00 . 2009-03-29 15:18 -------- d-----w c:\documents and settings\Administrator\DoctorWeb
2009-03-29 14:37 . 2009-03-29 14:37 5120 --sha-w c:\windows\system32\Thumbs.db
2009-03-26 22:23 . 2009-03-28 18:28 -------- d-----w c:\program files\Trend Micro
2009-03-25 15:03 . 2009-03-25 15:03 -------- d-----w c:\documents and settings\Vera\Local Settings\Application Data\Help
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-17 00:15 . 2008-04-30 10:02 -------- d-----w c:\program files\Winamp
2009-04-13 20:14 . 2008-04-30 09:06 -------- d--h--w c:\program files\InstallShield Installation Information
2009-04-04 00:36 . 2008-04-30 08:59 71048 ----a-w c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-04 00:35 . 2008-04-30 08:17 86327 ----a-w c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-04-03 22:18 . 2009-01-20 00:27 71048 ----a-w c:\documents and settings\Vera\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-03 17:05 . 2009-01-20 12:38 71048 ----a-w c:\documents and settings\Djole\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-03-26 23:17 . 2009-01-20 00:22 70944 ----a-w c:\documents and settings\Djordje\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-03-26 21:52 . 2009-01-18 12:25 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-03-19 19:50 . 2009-03-19 19:50 -------- d-----w c:\documents and settings\Djole\Application Data\Ahead
2009-02-24 22:47 . 2009-02-15 22:23 -------- d-----w c:\program files\Microsoft Web Designer Tools
2009-02-24 22:47 . 2009-02-13 17:13 -------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-02-24 22:44 . 2009-02-15 22:25 -------- d-----w c:\program files\Microsoft Visual Studio 9.0
2009-02-24 22:39 . 2009-02-14 01:23 -------- d-----w c:\program files\Microsoft SQL Server
2009-02-24 22:39 . 2008-04-30 10:00 -------- d-----w c:\program files\Microsoft.NET
2009-02-15 22:22 . 2009-02-15 22:22 163000 ----a-w c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-02-09 07:47 . 2009-02-09 07:47 268 ---ha-w C:\sqmdata18.sqm
2009-02-09 07:47 . 2009-02-09 07:47 244 ---ha-w C:\sqmnoopt18.sqm
2009-02-09 01:13 . 2009-02-09 01:13 268 ---ha-w C:\sqmdata17.sqm
2009-02-09 01:13 . 2009-02-09 01:13 244 ---ha-w C:\sqmnoopt17.sqm
2009-02-08 21:34 . 2009-02-08 21:34 268 ---ha-w C:\sqmdata16.sqm
2009-02-08 21:34 . 2009-02-08 21:34 244 ---ha-w C:\sqmnoopt16.sqm
2009-02-08 20:36 . 2009-02-08 20:36 268 ---ha-w C:\sqmdata15.sqm
2009-02-08 20:36 . 2009-02-08 20:36 244 ---ha-w C:\sqmnoopt15.sqm
2009-01-30 11:03 . 2009-01-30 11:03 268 ---ha-w C:\sqmdata14.sqm
2009-01-30 11:03 . 2009-01-30 11:03 244 ---ha-w C:\sqmnoopt14.sqm
2009-01-30 10:05 . 2009-01-30 10:05 268 ---ha-w C:\sqmdata13.sqm
2009-01-30 10:05 . 2009-01-30 10:05 244 ---ha-w C:\sqmnoopt13.sqm
2009-01-25 18:30 . 2009-01-25 18:30 268 ---ha-w C:\sqmdata12.sqm
2009-01-25 18:30 . 2009-01-25 18:30 244 ---ha-w C:\sqmnoopt12.sqm
2009-01-06 21:25 . 2009-01-06 21:25 22328 ----a-w c:\documents and settings\Administrator\Application Data\PnkBstrK.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-08-03 1667584]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-07-24 490952]
"MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-03 208952]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2006-06-23 847872]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 61440]
"TWCU"="c:\program files\TP-LINK\TWCU\TWCU.exe" [2006-03-29 364544]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-10 136600]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-03 15360]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"d:\\Igre\\Valve\\hltv.exe"=
"d:\\Igre\\Valve\\hl.exe"=
"c:\\Program Files\\RadLight Company\\RadLight 4.0\\rlkernel.exe"=
"d:\\Igre\\Warcraft III\\Warcraft III.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"d:\\Igre\\Electronic Arts\\Crytek\\Crysis\\Bin32\\Crysis.exe"=
"d:\\Igre\\Electronic Arts\\Crytek\\Crysis\\Bin32\\CrysisDedicatedServer.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\wamp\\bin\\apache\\apache2.2.8\\bin\\httpd.exe"=
"d:\\Igre\\Atari\\Neverwinter Nights 2\\nwn2main.exe"=
"d:\\Igre\\Atari\\Neverwinter Nights 2\\nwn2main_amdxp.exe"=
"d:\\Igre\\Atari\\Neverwinter Nights 2\\nwupdate.exe"=
"d:\\Igre\\Atari\\Neverwinter Nights 2\\nwn2server.exe"=
S1 aswSP;avast! Self Protection; [x]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2009-02-05 20560]
S3 usnjsvc;Messenger Sharing Folders USN Journal Reader service;c:\program files\MSN Messenger\usnsvc.exe [2007-01-19 97136]
--- Other Services/Drivers In Memory ---
*Deregistered* - PROCEXP111
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{80122fa4-1b8b-11dd-8725-001bfc3f3fe0}]
\Shell\AutoRun\command - G:\LaunchU3.exe
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: {20289E75-291D-4615-8A43-12F434C92DE7} = 79.143.173.161 79.143.172.3
TCP: {630EAD48-B813-49BE-84CA-438219256428} = 212.200.13.13
TCP: {E064EEA7-82EF-4689-801B-AB95BF2B0AD0} = 212.200.13.13
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, gmer.net
Rootkit scan 2009-04-23 22:59
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-1801674531-2077806209-839522115-500\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:a2,6b,2a,37,79,3c,e4,81,c7,71,0b,25,8d,4e,fc,c5,59,2c,0a,9b,ba,a5,76,
b9,cb,bb,77,d3,b2,b7,a7,0e,b4,34,34,8e,94,86,6b,3a,51,c4,a3,41,57,37,58,69,\
"??"=hex:2e,c7,1e,64,a1,f2,51,ec,e8,bc,52,0f,50,53,63,93
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(1032)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-04-23 23:00
ComboFix-quarantined-files.txt 2009-04-23 21:00
ComboFix2.txt 2009-03-28 21:42
Pre-Run: 925.741.056 bytes free
Post-Run: 1.048.739.840 bytes free
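A helper on the thread reads a log like the one above by eye, looking for a few things first: what ComboFix actually deleted, whether the Security Center "DisableNotify" switches have been set (which silences the AV/update warnings a user would otherwise see), any MountPoints2 AutoRun handler for removable media, and Run-key autostarts that launch from somewhere other than Program Files or the Windows directory. The following Python script is an added example, not part of the post and not ComboFix code, that automates exactly that triage over the "Other Deletions" and "Reg Loading Points" sections. The sample input is a constructed excerpt shaped like the posted log; the "Updater" Run entry in it is invented to exercise the path check and does not appear in the log above. The rule names and the trusted-prefix list are assumptions for the demo, not ComboFix's own logic, and a flagged entry is a prompt to look, not a verdict.

```python
"""Triage a ComboFix report: pull out the loading points a responder checks first.

Added example, not part of the forum post and not ComboFix code. The section
parsing follows the report layout visible in the thread; the rule names, the
trusted-path prefixes and the sample below are assumptions made for the demo.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# "((( Name )))" and "--- Name ---" lines open a new section of the report.
SECTION_RE = re.compile(r"^(?:\(+\s*(?P<p>.+?)\s*\)+|-{3,}\s*(?P<d>.+?)\s*-{3,})$")
KEY_RE = re.compile(r"^\[(.+)\]$")  # e.g. [HKLM\...\Run]
RUN_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<exe>[^"]+)"(?:\s+\[(?P<meta>[^\]]*)\])?$')
DWORD_RE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<hex>[0-9a-fA-F]{8})$')
AUTORUN_RE = re.compile(r"^\\Shell\\AutoRun\\command\s+-\s+(?P<cmd>.+)$", re.IGNORECASE)

# Assumption: autostarts living under these prefixes are "expected"; anything else gets a look.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")
# Security Center switches that silence the user's AV / update / firewall warnings when set to 1.
NOTIFY_SWITCHES = {"antivirusdisablenotify", "updatesdisablenotify", "firewalldisablenotify"}

# Constructed sample in the shape of the posted log. The "Updater" Run entry is
# invented for the demo and does NOT appear in the log above.
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\Sysvxd.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-07-24 490952]
"Updater"="c:\documents and settings\Administrator\Application Data\updater.exe" [2009-04-20 45056]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{80122fa4-1b8b-11dd-8725-001bfc3f3fe0}]
\Shell\AutoRun\command - G:\LaunchU3.exe
.
------- Supplementary Scan -------
uStart Page = hxxp://www.google.com/
"""


@dataclass(frozen=True)
class Finding:
    rule: str
    detail: str


def split_sections(text: str) -> Dict[str, List[str]]:
    """Group non-empty, non-'.' lines under the most recent section header."""
    sections: Dict[str, List[str]] = {}
    current = "preamble"
    for raw in text.splitlines():
        line = raw.rstrip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group("p") or m.group("d")
            sections.setdefault(current, [])
            continue
        if line and line != ".":
            sections.setdefault(current, []).append(line)
    return sections


def triage(text: str) -> List[Finding]:
    """Return the items a responder would name in the reply, in report order."""
    sections = split_sections(text)
    findings: List[Finding] = []

    # Anything ComboFix removed is worth naming explicitly.
    for path in sections.get("Other Deletions", []):
        findings.append(Finding("deleted_file", path))

    key = ""  # lower-cased registry key currently being read
    for line in sections.get("Reg Loading Points", []):
        km = KEY_RE.match(line)
        if km:
            key = km.group(1).lower()
            continue
        if key.endswith("\\run"):
            vm = RUN_VALUE_RE.match(line)
            if vm and not vm.group("exe").lower().startswith(TRUSTED_PREFIXES):
                findings.append(Finding("run_key_untrusted_path",
                                        f'{vm.group("name")} -> {vm.group("exe")}'))
        elif key.endswith("security center"):
            dm = DWORD_RE.match(line)
            if dm and dm.group("name").lower() in NOTIFY_SWITCHES and int(dm.group("hex"), 16) != 0:
                findings.append(Finding("security_center_notify_disabled", dm.group("name")))
        elif "mountpoints2" in key:
            am = AUTORUN_RE.match(line)
            if am:
                findings.append(Finding("removable_media_autorun", am.group("cmd")))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.rule:32} {f.detail}")
```

Run against the constructed sample it reports the deleted Sysvxd.exe, the invented "Updater" autostart under the user profile, both Security Center notify switches, and the G:\LaunchU3.exe autorun handler; the real log's other Run entries all sit under Windows or Program Files and are left alone. To use it on a real report, read the log file into a string and pass it to triage(); the dashed "------- Supplementary Scan -------" style header is treated as a section boundary too, so later parts of the report do not leak into the registry parsing.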