ComboFix 09-04-15.08 - Tesa 04/16/2009 0:07.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.604 [GMT 2:00]
Running from: c:\documents and settings\Tesa\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1335 [VPS 090415-0] *On-access scanning disabled* (Updated)
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\resycled
c:\windows\system32\winjvd32.dll
c:\windows\system32\winmxw32.dll
D:\Desktop.exe
D:\resycled
.
((((((((((((((((((((((((( Files Created from 2009-03-15 to 2009-04-15 )))))))))))))))))))))))))))))))
.
2009-04-14 08:37 . 2009-04-14 08:37 -------- d-----w C:\novi sajt zenskog centra
2009-04-11 20:20 . 2009-04-11 20:20 -------- d-----w c:\documents and settings\Tesa\Application Data\scriptocean
2009-04-10 08:43 . 2009-04-10 09:34 -------- d-----w c:\documents and settings\Tesa\Application Data\ICQ
2009-04-09 08:51 . 2009-04-09 08:51 250 ----a-w c:\windows\gmer.ini
2009-03-28 13:43 . 2009-04-15 21:33 54156 ---ha-w c:\windows\QTFont.qfn
2009-03-28 13:43 . 2009-03-28 13:43 1409 ----a-w c:\windows\QTFont.for
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-15 22:09 . 2009-01-08 09:59 -------- d-----w c:\program files\DNA
2009-04-15 22:09 . 2009-01-08 09:59 -------- d-----w c:\documents and settings\Tesa\Application Data\DNA
2009-04-11 21:47 . 2009-04-11 20:20 -------- d-----w c:\program files\Scriptocean
2009-04-11 17:19 . 2009-01-08 09:58 -------- d-----w c:\program files\BitComet
2009-04-11 17:00 . 2008-11-26 23:08 -------- d-----w c:\program files\CCleaner
2009-04-10 09:34 . 2009-04-10 09:04 -------- d-----w c:\program files\ICQ6.5
2009-04-10 09:14 . 2008-11-26 22:28 -------- d--h--w c:\program files\InstallShield Installation Information
2009-04-08 11:31 . 2008-11-29 08:37 -------- d-----w c:\documents and settings\All Users\Application Data\WLInstaller
2009-04-08 11:30 . 2008-11-29 08:38 -------- d-----w c:\program files\Windows Live
2009-04-03 07:04 . 2009-02-12 16:52 -------- d-----w c:\program files\Java
2009-03-29 14:07 . 2008-11-29 08:50 -------- d-----w c:\program files\Messenger Plus! Live
2009-03-09 03:19 . 2009-02-12 16:53 410984 ----a-w c:\windows\system32\deploytk.dll
2009-02-28 14:06 . 2009-02-28 14:06 -------- d-----w c:\program files\GameSpy Arcade
2009-02-28 14:06 . 2009-02-28 14:06 -------- d-----w c:\program files\MSXML 4.0
2009-02-28 14:04 . 2009-02-28 14:04 -------- d-----w c:\program files\Microsoft Games
2009-02-28 13:29 . 2009-02-28 13:29 -------- d-----w c:\program files\dm
2009-02-22 16:08 . 2009-02-22 16:08 -------- d-----w c:\documents and settings\Tesa\Application Data\Smart PC Solutions
2009-02-22 16:08 . 2009-02-22 16:08 -------- d-----w c:\program files\Smart PC Solutions
2009-02-10 12:39 . 2008-11-26 22:35 43336 ----a-w c:\documents and settings\Tesa\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-01-20 09:49 . 2009-01-20 09:49 2232 ----a-w c:\windows\java\Packages\Data\FJ75JLBL.DAT
2009-01-20 09:49 . 2009-01-20 09:49 155995 ----a-w c:\windows\java\Packages\7HVBTVN7.ZIP
2009-01-20 09:49 . 2009-01-20 09:49 2678 ----a-w c:\windows\java\Packages\Data\TVL3HV93.DAT
2009-01-20 09:49 . 2009-01-20 09:49 2678 ----a-w c:\windows\java\Packages\Data\3VZNLJL3.DAT
2009-01-20 09:49 . 2009-01-20 09:49 2678 ----a-w c:\windows\java\Packages\Data\NHJTN139.DAT
2009-01-20 09:49 . 2009-01-20 09:49 2678 ----a-w c:\windows\java\Packages\Data\KWLZT3HJ.DAT
2009-01-20 09:49 . 2009-01-20 09:49 2678 ----a-w c:\windows\java\Packages\Data\9F9ZJF3X.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-12-06 68856]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2009-01-08 342848]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2006-04-13 49152]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-06-29 286720]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-12-01 185872]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-29 61440]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2007-05-10 16342528]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2009-1-10 113664]
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Server4PC.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Server4PC.lnk
backup=c:\windows\pss\Server4PC.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2004-08-04 00:06 1667584 --sh--w c:\program files\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 10:50 155648 ----a-w c:\windows\system32\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2007-06-29 05:24 286720 ----a-w c:\program files\QuickTime\QTTask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2005-12-07 21:57 30208 ------w c:\program files\CyberLink\PowerDVD\PDVDServ.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"xmlprov"=3 (0x3)
"WZCSVC"=2 (0x2)
"wuauserv"=2 (0x2)
"wscsvc"=2 (0x2)
"WebClient"=2 (0x2)
"W32Time"=2 (0x2)
"SharedAccess"=2 (0x2)
"mnmsrvc"=3 (0x3)
"helpsvc"=2 (0x2)
"FastUserSwitchingCompatibility"=3 (0x3)
"ERSvc"=2 (0x2)
"CiSvc"=3 (0x3)
"SamSs"=2 (0x2)
"RemoteRegistry"=2 (0x2)
"Browser"=2 (0x2)
"WmiApSrv"=3 (0x3)
"BITS"=3 (0x3)
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\WINDOWS\\system32\\winver.exe"=
R2 spupdsvc;Windows Service Pack Installer update service;c:\windows\system32\spupdsvc.exe [2006-09-06 22752]
R3 Ndisprot;ArcNet NDIS Protocol Driver;c:\windows\system32\drivers\Ndisprot.sys [2008-11-30 27904]
R3 SetupNTGLM7X;SetupNTGLM7X; [x]
S1 aswSP;avast! Self Protection; [x]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2009-02-05 20560]
S3 iadusb;MT882;c:\windows\system32\DRIVERS\glauiad.sys [2006-03-20 30336]
S3 SKYNET;TechniSat DVB-PC TV Star PCI;c:\windows\system32\DRIVERS\SkyNET.SYS [2007-10-01 419344]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{795df2d5-bc0c-11dd-8c46-001d9206c1b2}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe killVBS.vbs
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ad915bd6-0bd0-11de-8cfd-00180274bcaa}]
\Shell\AutoRun\command - xswhzu.exe
\Shell\explore\Command - xswhzu.exe
\Shell\open\Command - xswhzu.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e20a493e-027c-11de-8cec-00180274bcaa}]
\Shell\AutoRun\command - F:\em8tqm.cmd
\Shell\open\Command - F:\em8tqm.cmd
.
- - - - ORPHANS REMOVED - - - -
MSConfigStartUp-TrojanScanner - c:\program files\Trojan Remover\Trjscan.exe
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.rs/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &D&ownload &with BitComet - c:\program files\BitComet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - c:\program files\BitComet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - c:\program files\BitComet\BitComet.exe/AddAllLink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
FF - ProfilePath - c:\documents and settings\Tesa\Application Data\Mozilla\Firefox\Profiles\3u3k3w41.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.yu
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
.
**************************************************************************
catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2009-04-16 00:09
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(1108)
c:\windows\system32\Ati2evxx.dll
- - - - - - - > 'explorer.exe'(2932)
c:\windows\system32\msi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\CyberLink\Shared files\RichVideo.exe
c:\windows\system32\wdfmgr.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
.
**************************************************************************
.
Completion time: 2009-04-15 0:11 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-15 22:11
Pre-Run: 4,540,735,488 bytes free
Post-Run: 4,653,608,960 bytes free
183