ComboFix 09-12-19.03 - rodzice 21/12/2009 7:55.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.61.1033.18.2047.1570 [GMT 11:00]
Running from: c:\documents and settings\rodzice\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1368 [VPS 091220-1] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\EventSystem.log
c:\windows\system32\Cache
.
((((((((((((((((((((((((( Files Created from 2009-11-20 to 2009-12-20 )))))))))))))))))))))))))))))))
.
2009-12-20 20:34 . 2009-12-20 20:34 -------- d-----w- c:\program files\ERUNT
2009-12-18 10:38 . 2009-12-18 10:38 -------- d-----w- c:\documents and settings\rodzice\Application Data\Malwarebytes
2009-12-18 10:38 . 2009-12-03 05:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-18 10:38 . 2009-12-18 10:38 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-18 10:38 . 2009-12-18 10:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-12-18 10:38 . 2009-12-03 05:13 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-15 07:11 . 2009-12-15 07:11 139152 ----a-w- c:\documents and settings\rodzice\Application Data\PnkBstrK.sys
2009-12-15 07:11 . 2009-12-15 07:12 794408 ----a-w- c:\windows\system32\pbsvc(2).exe
2009-12-13 20:55 . 2009-12-13 20:55 -------- d-----w- c:\program files\Java
2009-12-13 20:42 . 2009-12-13 20:42 -------- d-----w- c:\documents and settings\rodzice\Application Data\Foxit
2009-12-13 20:40 . 2009-12-13 20:40 -------- d-----w- c:\program files\Foxit Software
2009-12-10 05:51 . 2009-10-21 05:38 75776 -c----w- c:\windows\system32\dllcache\strmfilt.dll
2009-12-10 05:51 . 2009-10-21 05:38 25088 -c----w- c:\windows\system32\dllcache\httpapi.dll
2009-12-10 05:51 . 2009-10-20 16:20 265728 -c----w- c:\windows\system32\dllcache\http.sys
2009-12-10 05:49 . 2009-10-12 13:38 149504 -c----w- c:\windows\system32\dllcache\rastls.dll
2009-12-10 05:49 . 2009-10-12 13:38 79872 -c----w- c:\windows\system32\dllcache\raschap.dll
2009-12-10 05:43 . 2009-10-13 10:30 270336 -c----w- c:\windows\system32\dllcache\oakley.dll
2009-12-08 07:27 . 2009-12-08 07:27 -------- d-----w- C:\rsit
2009-12-01 10:48 . 2009-12-01 10:48 -------- d-----w- c:\program files\Trend Micro
2009-11-21 08:54 . 2009-11-21 08:54 -------- d-----w- c:\program files\QuickTime
2009-11-21 08:30 . 2009-11-21 08:31 -------- d-----w- c:\program files\Common Files\DVDVideoSoft
2009-11-21 08:30 . 2009-11-21 08:31 -------- d-----w- c:\program files\DVDVideoSoft
2009-11-21 08:25 . 2009-11-21 08:25 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-11-20 21:34 . 2009-11-20 21:34 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-20 20:29 . 2006-06-11 10:44 -------- d-----w- c:\program files\Blue Coat K9 Web Protection
2009-12-16 09:48 . 2009-11-13 21:59 -------- d-----w- c:\program files\SpeedFan
2009-12-14 02:09 . 2009-11-18 08:49 -------- d-----w- c:\program files\RealFlightG3
2009-12-13 20:55 . 2009-10-26 11:51 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-12-13 20:33 . 2008-03-05 20:00 -------- d-----w- c:\program files\Common Files\Adobe
2009-12-09 11:56 . 2009-10-01 08:38 -------- d-----w- c:\program files\Line Adventures
2009-12-07 05:53 . 2006-10-15 20:47 -------- d-----w- c:\program files\RealFlight G3 Demo
2009-11-30 10:26 . 2008-06-23 09:05 -------- d-----w- c:\documents and settings\bartek\Application Data\U3
2009-11-24 23:54 . 2006-06-11 09:50 1280480 ----a-w- c:\windows\system32\aswBoot.exe
2009-11-24 23:51 . 2006-06-11 09:51 93424 ----a-w- c:\windows\system32\drivers\aswmon.sys
2009-11-24 23:50 . 2006-06-11 09:51 94160 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2009-11-24 23:50 . 2008-04-07 09:32 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-11-24 23:50 . 2008-04-07 09:32 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2009-11-24 23:49 . 2006-06-11 09:51 48560 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-11-24 23:48 . 2006-06-11 09:51 23120 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-11-24 23:47 . 2006-06-11 09:51 27408 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2009-11-24 23:47 . 2006-06-11 09:50 97480 ----a-w- c:\windows\system32\AVASTSS.scr
2009-11-23 17:05 . 2009-11-23 12:26 664 ----a-w- c:\documents and settings\bartek\Local Settings\Application Data\d3d9caps.tmp
2009-11-21 08:54 . 2008-02-17 00:21 -------- d-----w- c:\program files\Common Files\Apple
2009-11-19 11:16 . 2009-11-19 11:13 -------- d-----w- c:\documents and settings\All Users\Application Data\NexonUS
2009-11-19 11:16 . 2009-11-19 11:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Nexon
2009-11-19 11:13 . 2009-11-19 11:13 90112 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
2009-11-19 11:13 . 2009-11-19 11:13 393216 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\NGMResource.dll
2009-11-19 11:13 . 2009-11-19 11:13 258352 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\unicows.dll
2009-11-19 11:13 . 2009-11-19 11:13 118784 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\nxgameus.dll
2009-11-19 11:13 . 2009-11-19 11:11 -------- d-----w- c:\program files\Nexon
2009-11-19 11:13 . 2009-11-19 11:13 561152 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\NGMDll.dll
2009-11-19 11:13 . 2009-11-19 11:13 167936 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\NGM.exe
2009-11-19 03:37 . 2009-11-19 03:37 -------- d-----w- c:\program files\ProcessMonitor
2009-11-18 09:09 . 2006-10-15 20:47 -------- d-----w- c:\program files\Common Files\KnifeEdge
2009-11-09 10:10 . 2009-11-09 10:10 106496 ----a-r- c:\documents and settings\rodzice\Application Data\Microsoft\Installer\{7EEA397D-3E3D-4C60-8585-DC897C8D36E0}\NewShortcut11_A6A6CD1325034D31BF37376961FDF28E.exe
2009-11-09 10:10 . 2009-11-09 10:10 106496 ----a-r- c:\documents and settings\rodzice\Application Data\Microsoft\Installer\{7EEA397D-3E3D-4C60-8585-DC897C8D36E0}\NewShortcut1_1BDBC422ED094C568457884B64FA9C98.exe
2009-11-09 10:10 . 2009-11-09 10:10 106496 ----a-r- c:\documents and settings\rodzice\Application Data\Microsoft\Installer\{7EEA397D-3E3D-4C60-8585-DC897C8D36E0}\ARPPRODUCTICON.exe
2009-11-09 10:10 . 2009-11-09 10:10 -------- d-----w- c:\program files\RealFlight G4 Demo
2009-11-05 10:20 . 2005-07-08 00:41 27816 ----a-w- c:\documents and settings\bartek\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-29 07:45 . 2001-08-23 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2009-10-28 08:04 . 2009-10-28 08:04 81 ----a-w- C:\CTX.DAT
2009-10-27 23:38 . 2009-10-27 23:31 48873208 ----a-w- c:\documents and settings\bartek\Application Data\LEGO Company\LEGO Digital Designer\setupLDD-PC-3_0_9.exe
2009-10-26 10:37 . 2009-06-08 11:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Corporation
2009-10-26 10:34 . 2008-07-07 06:46 -------- d-----w- c:\program files\Atari
2009-10-26 10:30 . 2007-07-11 10:01 -------- d-----w- c:\program files\FreeRIP3
2009-10-21 05:38 . 2005-02-09 20:03 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-21 05:38 . 2005-02-09 20:03 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-20 16:20 . 2005-02-09 20:03 265728 ------w- c:\windows\system32\drivers\http.sys
2009-10-13 10:30 . 2001-08-23 12:00 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38 . 2001-08-23 12:00 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38 . 2001-08-23 12:00 79872 ----a-w- c:\windows\system32\raschap.dll
2004-03-11 02:27 . 2006-01-16 12:16 40960 ----a-w- c:\program files\Uninstall_CDS.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AtiPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-04-21 335872]
"RemoteControl"="c:\program files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" [2003-12-08 32768]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]
"NVRaidService"="c:\windows\system32\nvraidservice.exe" [2005-08-18 113152]
"OEM03Mon.exe"="c:\windows\OEM03Mon.exe" [2007-05-18 36864]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2004-04-17 196608]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-04-12 69632]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-10 417792]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-12-13 149280]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-14 53760]
c:\documents and settings\rodzice\Start Menu\Programs\Startup\
MagicDisc.lnk - c:\program files\MagicDisc\MagicDisc.exe [2009-9-19 576000]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ PDBoot.exe\0autocheck autochk *
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
R0 SI3112r;Silicon Image SiI 3512 SATARaid Controller;c:\windows\system32\drivers\SI3112r.sys [28/06/2008 6:04 PM 116264]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [7/04/2008 8:32 PM 114768]
R1 bckd;bckd;c:\windows\system32\drivers\bckd.sys [14/01/2009 10:39 AM 72992]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [7/04/2008 8:32 PM 20560]
R2 bckwfs;Blue Coat K9 Web Protection;c:\program files\Blue Coat K9 Web Protection\k9filter.exe [29/03/2006 2:29 AM 1078560]
R3 OEM03Afx;Provides a software interface to control audio effects of OEM003 camera.;c:\windows\system32\drivers\OEM03Afx.sys [8/06/2007 2:00 AM 141376]
R3 OEM03Vfx;Creative Camera OEM003 Video VFX Driver;c:\windows\system32\drivers\OEM03Vfx.sys [5/03/2007 7:45 PM 7424]
R3 OEM03Vid;Creative Camera OEM003 Driver;c:\windows\system32\drivers\OEM03Vid.sys [25/04/2007 2:00 AM 235808]
S3 ATIVRVXX;ATI Rage Theatre Video (ATIRTCAP);c:\windows\system32\drivers\atirtcap.sys [10/02/2005 9:54 AM 49920]
.
------- Supplementary Scan -------
.
uStart Page = about:blank
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\rodzice\Application Data\Mozilla\Firefox\Profiles\7v9b78y8.default\
FF - prefs.js: browser.startup.homepage - about:blank
FF - plugin: c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -
HKU-Default-Run-ALUAlert - c:\program files\Symantec\LiveUpdate\ALUNotify.exe
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2009-12-21 08:09
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer,
http://www.gmer.net
device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A6CF369]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xba0ecf28
\Driver\ACPI -> ACPI.sys @ 0xb9f7fcb8
\Driver\atapi -> atapi.sys @ 0xb9f00852
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x80579022
ParseProcedure -> ntkrnlpa.exe @ 0x80577c84
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x80579022
ParseProcedure -> ntkrnlpa.exe @ 0x80577c84
NDIS: Marvell Yukon 88E8001/8003/8010 PCI Gigabit Ethernet Controller -> SendCompleteHandler -> NDIS.sys @ 0xb9d97bb0
PacketIndicateHandler -> NDIS.sys @ 0xb9da4a21
SendHandler -> NDIS.sys @ 0xb9d8287b
user & kernel MBR OK
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-117609710-261478967-839522115-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:d2,30,b8,2d,2b,bb,35,4e,e2,cb,18,06,95,6e,3e,1b,c6,6c,04,0a,5b,f8,10,
88,92,e2,24,2f,05,0b,b9,e8,a8,f2,8e,7d,fc,f6,d6,7f,02,cc,32,cb,5b,57,4d,ee,\
"??"=hex:fe,c7,7b,27,fc,5b,58,08,33,6c,42,33,39,0b,95,e2
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(916)
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll
- - - - - - - > 'lsass.exe'(980)
c:\windows\system32\WININET.dll
.
Completion time: 2009-12-21 08:13:39
ComboFix-quarantined-files.txt 2009-12-20 21:13
Pre-Run: 26,792,292,352 bytes free
Post-Run: 26,988,146,688 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Professional" /Fastdetect
multi(0)disk(0)rdisk(2)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
- - End Of File - - 77AA11CC144757D12FACD40358B813B9