ComboFix 08-08-05.05 - Admin 2008-08-06 20:11:23.1 - NTFSx86
Systém Microsoft Windows XP Professional 5.1.2600.2.1250.1.1033.18.95 [GMT 2:00]
Running from: C:\Documents and Settings\Admin\Desktop\ComboFix.exe
* Created a new restore point
* Resident AV is active
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((( Files Created from 2008-07-06 to 2008-08-06 )))))))))))))))))))))))))))))))
.
2008-08-06 20:13 . 2008-08-06 20:13 268 --ah----- C:\sqmdata04.sqm
2008-08-06 20:13 . 2008-08-06 20:13 244 --ah----- C:\sqmnoopt04.sqm
2008-08-06 00:20 . 2008-08-06 00:20 268 --ah----- C:\sqmdata03.sqm
2008-08-06 00:20 . 2008-08-06 00:20 244 --ah----- C:\sqmnoopt03.sqm
2008-08-05 06:45 . 2008-08-05 06:45 268 --ah----- C:\sqmdata02.sqm
2008-08-05 06:45 . 2008-08-05 06:45 244 --ah----- C:\sqmnoopt02.sqm
2008-08-05 01:14 . 2008-08-05 01:14 268 --ah----- C:\sqmdata01.sqm
2008-08-05 01:14 . 2008-08-05 01:14 244 --ah----- C:\sqmnoopt01.sqm
2008-08-04 00:39 . 2008-08-04 00:39 268 --ah----- C:\sqmdata00.sqm
2008-08-04 00:39 . 2008-08-04 00:39 244 --ah----- C:\sqmnoopt00.sqm
2008-07-31 19:37 . 2008-07-31 19:37 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2008-07-20 12:01 . 2008-07-20 12:01 <DIR> d-------- C:\Documents and Settings\Admin\Contacts
2008-07-20 11:35 . 2008-07-20 11:40 <DIR> d-------- C:\Program Files\Windows Live
2008-07-20 11:35 . 2008-07-20 11:39 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2008-07-20 11:34 . 2008-07-20 22:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-07-15 14:12 . 2008-07-15 14:12 <DIR> d-------- C:\WINDOWS\CD95F661A5C444F5A6AAECDD91C240B6.TMP
2008-07-13 21:31 . 2008-07-13 21:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WinZip
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-06 18:18 --------- d-----w C:\Documents and Settings\Admin\Application Data\Skype
2008-08-06 15:42 --------- d-----w C:\Documents and Settings\Admin\Application Data\skypePM
2008-07-23 19:02 --------- d-----w C:\Program Files\Java
2008-07-20 19:05 --------- d-----w C:\Documents and Settings\Admin\Application Data\ICQ
2008-07-05 08:51 --------- d-----w C:\Program Files\Common Files\Adobe
2008-06-21 13:27 --------- d-----w C:\Documents and Settings\Admin\Application Data\LimeWire
2008-06-20 14:07 --------- d-----w C:\Program Files\ESET
2008-06-20 10:44 360,960 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:32 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-18 17:35 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-18 17:35 --------- d-----w C:\Program Files\ICQ6Toolbar
2008-06-18 17:35 --------- d-----w C:\Program Files\ICQ6
2008-06-18 17:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\ICQ
2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-11 01:02 --------- d-----w C:\Program Files\Microsoft Works
2008-06-09 23:05 --------- d-----w C:\Documents and Settings\Admin\Application Data\Winamp
2008-03-15 22:18 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56 15360]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 11:35 5724184]
"ICQ"="C:\Program Files\ICQ6\ICQ.exe" [2008-05-18 18:30 172280]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2008-02-01 18:22 21898024]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-08-11 15:43 7630848]
"SW20"="C:\WINDOWS\system32\sw20.exe" [2006-09-07 12:13 208896]
"SW24"="C:\WINDOWS\system32\sw24.exe" [2006-09-07 12:14 69632]
"WinSys2"="C:\WINDOWS\system32\winsys2.exe" [2006-10-03 08:37 217088]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-08-11 15:43 86016]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2007-10-17 18:03 949376]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2007-10-10 07:28 36352]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"RTHDCPL"="RTHDCPL.EXE" [2007-04-12 11:33 16132608 C:\WINDOWS\RTHDCPL.exe]
"nwiz"="nwiz.exe" [2006-08-11 15:43 1519616 C:\WINDOWS\system32\nwiz.exe]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 01:56 15360]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2008-04-28 11:20:00 415072]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{93994DE8-8239-4655-B1D1-5F4E91300429}"= "C:\PROGRA~1\DVDREG~1\DVDShell.dll" [2004-10-09 16:18 49152]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.divxa32"= divxa32.acm
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=C:\WINDOWS\pss\Adobe Reader Synchronizer.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
backup=C:\WINDOWS\pss\InterVideo WinCinema Manager.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 10:50 155648 C:\WINDOWS\system32\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\BitLord\\BitLord.exe"=
"C:\\Program Files\\ICQ6\\ICQ.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
R0 videX32;videX32;C:\WINDOWS\system32\DRIVERS\videX32.sys [2006-10-17 14:22]
R0 xfilt;VIA SATA IDE Hot-plug Driver;C:\WINDOWS\system32\DRIVERS\xfilt.sys [2006-10-18 11:39]
R2 ICQ Service;ICQ Service;C:\Program Files\ICQ6Toolbar\ICQ Service.exe [2008-05-29 11:42]
R3 PSched;QoS Packet Scheduler;C:\WINDOWS\system32\DRIVERS\psched.sys [2004-08-04 00:04]
S3 SetupNTGLM7X;SetupNTGLM7X;E:\NTGLM7X.sys []
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1166c366-2705-11dd-bc0d-0019dbbd1168}]
\Shell\AutoRun\command - tym8a.exe
\Shell\explore\Command - tym8a.exe
\Shell\open\Command - tym8a.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1166c376-2705-11dd-bc0d-0019dbbd1168}]
\Shell\AutoRun\command - rthrw.com
\Shell\explore\Command - rthrw.com
\Shell\open\Command - rthrw.com
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5d81306d-175f-11dd-bc01-0019dbbd1168}]
\Shell\AutoRun\command - J:\win.exe
\Shell\lost\command - J:\win.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a6c7424b-951e-11dc-bb46-0019dbbd1168}]
\Shell\AutoRun\command - K:\USBNB.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d91d0ad7-15c6-11dd-bc00-0019dbbd1168}]
\Shell\AutoRun\command - J:\jfvkcsy.bat
\Shell\explore\Command - J:\jfvkcsy.bat
\Shell\open\Command - J:\jfvkcsy.bat
.
- - - - ORPHANS REMOVED - - - -
HKLM-Run-HTMLSupport - C:\Program Files\Common Files\Microsoft Shared\HTMLView\htmlsupport09.exe
HKLM-Run-Winram32 Driver - lolwut.exe
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\41x6kufh.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE -
www.zoznam.sk
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2008-08-06 20:18:39
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\system32\lsass.exe
-> C:\Program Files\Eset\pr_imon.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\ESET\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\imapi.exe
.
**************************************************************************
.
Completion time: 2008-08-06 20:20:30 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-06 18:20:25
Pre-Run: 23,258,574,848 bytes free
Post-Run: 9 adresárov, 24,972,513,280 voľných bajtov
162 --- E O F --- 2008-07-10 07:12:53