ComboFix 08-01-04.1 - Tomek 2008-01-06 13:17:22.1 -
FAT32x86
Microsoft Windows XP Professional 5.1.2600.1.1250.48.1045.18.1107 [GMT 1:00]
Running from: C:\Documents and Settings\Tomek\Pulpit\ComboFix.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe
C:\Program Files\Analog Devices\SoundMAX\smax4 .exe
C:\Program Files\Analog Devices\SoundMAX\smax4 .exe
C:\Program Files\Analog Devices\SoundMAX\smax4 .exe
C:\Program Files\Analog Devices\SoundMAX\smax4 .exe
C:\Program Files\Analog Devices\SoundMAX\smax4 .exe
C:\Program Files\Analog Devices\SoundMAX\smax4 .exe
C:\Program Files\Analog Devices\SoundMAX\smax4 .exe
C:\Program Files\Analog Devices\SoundMAX\smax4 .exe
C:\Program Files\Analog Devices\SoundMAX\smax4 .exe
C:\Program Files\Analog Devices\SoundMAX\smax4 .exe
C:\Program Files\Analog Devices\SoundMAX\smax4 .exe
C:\Program Files\Analog Devices\SoundMAX\smax4 .exe
C:\Program Files\Analog Devices\SoundMAX\smax4 .exe
C:\Program Files\Analog Devices\SoundMAX\smax4 .exe
C:\Program Files\Analog Devices\SoundMAX\smax4 .exe
C:\Program Files\Analog Devices\SoundMAX\smax4 .exe
C:\Program Files\Analog Devices\SoundMAX\smax4 .exe
C:\Program Files\Analog Devices\SoundMAX\smax4 .exe
C:\Program Files\Analog Devices\SoundMAX\smax4 .exe
C:\Program Files\Analog Devices\SoundMAX\smax4 .exe
C:\Program Files\Analog Devices\SoundMAX\smax4 .exe
C:\Program Files\Analog Devices\SoundMAX\smax4 .exe
C:\Program Files\Analog Devices\SoundMAX\smax4 .exe
C:\Program Files\Analog Devices\SoundMAX\smax4 .exe
C:\Program Files\Analog Devices\SoundMAX\smax4 .exe
C:\Program Files\Analog Devices\SoundMAX\smax4 .exe
C:\Program Files\Analog Devices\SoundMAX\smax4 .exe
C:\Program Files\Analog Devices\SoundMAX\smax4 .exe
C:\Program Files\Analog Devices\SoundMAX\smax4.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Gadu-Gadu\gg .exe
C:\Program Files\Gadu-Gadu\gg.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\myglobalsearch
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\WINDOWS\Fonts\a.zip
C:\WINDOWS\Fonts\Crack.exe
C:\WINDOWS\system32\ctfmon .exe
C:\WINDOWS\system32\ctfmon.exe.tmp
C:\WINDOWS\system32\efcbcbx.dll
C:\WINDOWS\system32\RCX2C.tmp
C:\WINDOWS\system32\RCX2D.tmp
C:\WINDOWS\system32\RCX2E.tmp
C:\WINDOWS\system32\RCX2F.tmp
C:\WINDOWS\system32\RCX39.tmp
C:\WINDOWS\system32\RCX3A.tmp
C:\WINDOWS\system32\RCX3B.tmp
C:\WINDOWS\system32\RCX3C.tmp
C:\WINDOWS\system32\RCX4B.tmp
C:\WINDOWS\system32\RCX4C.tmp
C:\WINDOWS\system32\RCX52.tmp
C:\WINDOWS\system32\RCX53.tmp
C:\WINDOWS\system32\RCX54.tmp
C:\WINDOWS\system32\RCX55.tmp
C:\WINDOWS\system32\RCX56.tmp
C:\WINDOWS\system32\RCX57.tmp
C:\WINDOWS\system32\RCX58.tmp
C:\WINDOWS\system32\RCX59.tmp
C:\WINDOWS\system32\RCX5E.tmp
C:\WINDOWS\system32\RCX65.tmp
C:\winlogon.exe
C:\x.dat
C:\z.dat
"C:\WINDOWS\system32\ctfmon .exe" moved to QooBox
"C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM .exe" replaces infected copy of "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe"
"C:\Program Files\Common Files\InstallShield\UpdateService\issch .exe" replaces infected copy of "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe"
"C:\Program Files\Common Files\Ahead\Lib\NeroCheck .exe" replaces infected copy of "C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe"
"C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor .exe" replaces infected copy of "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
"C:\Program Files\Common Files\Real\Update_OB\realsched .exe" replaces infected copy of "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"
"C:\Program Files\Gadu-Gadu\gg .exe" replaces infected copy of "C:\Program Files\Gadu-Gadu\gg.exe"
"C:\Program Files\Gadu-Gadu\gg .exe" replaces infected copy of "C:\Program Files\Gadu-Gadu\gg.exe"
"C:\Program Files\Gadu-Gadu\gg .exe" replaces infected copy of "C:\Program Files\Gadu-Gadu\gg.exe"
"C:\Program Files\Gadu-Gadu\gg .exe" replaces infected copy of "C:\Program Files\Gadu-Gadu\gg.exe"
"C:\Program Files\Gadu-Gadu\gg .exe" replaces infected copy of "C:\Program Files\Gadu-Gadu\gg.exe"
"C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication .exe" replaces infected copy of "C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe"
"C:\Program Files\Analog Devices\SoundMAX\SMax4PNP .exe" replaces infected copy of "C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe"
"C:\Program Files\Analog Devices\SoundMAX\smax4 .exe" replaces infected copy of "C:\Program Files\Analog Devices\SoundMAX\smax4.exe"
"C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe" replaces infected copy of "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\nm
((((((((((((((((((((((((( Files Created from 2007-12-06 to 2008-01-06 )))))))))))))))))))))))))))))))
.
2008-01-06 13:16 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-06 12:48 . 2008-01-06 12:48 <DIR> d-------- C:\VundoFix Backups
2008-01-06 12:43 . 2008-01-06 12:43 3,232 --a------ C:\WINDOWS\system32\tmp.reg
2008-01-06 12:35 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-01-06 12:35 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-01-06 12:35 . 2007-12-20 23:11 81,920 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-01-06 12:35 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-01-06 12:35 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-01-06 12:35 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-01-06 11:50 . 2008-01-06 11:50 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-31 19:52 . 2001-08-18 06:36 8,704 --a------ C:\WINDOWS\system32\kbdjpn.dll
2007-12-31 19:52 . 2001-08-18 06:36 8,192 --a------ C:\WINDOWS\system32\kbdkor.dll
2007-12-31 19:52 . 2001-08-17 22:55 6,144 --a------ C:\WINDOWS\system32\kbd106.dll
2007-12-31 19:52 . 2001-08-17 22:55 6,144 --a------ C:\WINDOWS\system32\kbd101c.dll
2007-12-31 19:52 . 2001-08-17 22:55 6,144 --a------ C:\WINDOWS\system32\kbd101b.dll
2007-12-31 19:52 . 2001-08-17 22:55 5,632 --a------ C:\WINDOWS\system32\kbd103.dll
2007-12-30 03:00 . 2007-12-30 03:00 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\Spybot - Search & Destroy
2007-12-27 15:22 . 2007-12-27 15:22 <DIR> d-------- C:\Program Files\WinAVI Video Converter
2007-12-27 13:04 . 2007-12-27 13:04 147,456 --a------ C:\WINDOWS\system32\vbzip10.dll
2007-12-27 13:01 . 2007-12-27 13:01 134 --a------ C:\n.bat
2007-12-27 12:59 . 2007-12-27 12:59 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\TEMP
2007-12-26 13:45 . 2007-12-26 13:45 24 --a------ C:\WINDOWS\cdplayer.ini
2007-12-26 13:42 . 2007-12-26 13:42 <DIR> d-------- C:\Program Files\Common Files\xing shared
2007-12-26 13:42 . 2007-12-26 13:42 <DIR> d-------- C:\Program Files\Common Files\Real
2007-12-15 15:47 . 2007-12-15 15:47 <DIR> d-------- C:\WINDOWS\Pliki Instalatora aktualizacji Windows Update
2007-12-13 22:48 . 2007-12-13 22:48 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2007-12-13 22:37 . 2007-12-13 22:37 <DIR> d-------- C:\Program Files\Microsoft Analysis Services
2007-12-13 22:36 . 2007-12-13 22:36 <DIR> d-------- C:\Program Files\Microsoft SQL Server
2007-12-13 22:34 . 2007-12-13 22:34 <DIR> d-------- C:\Instalki
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-30 01:54 839,685 ----a-w C:\WINDOWS\Fonts\svchost .exe
2007-12-26 16:59 43,520 ----a-w C:\WINDOWS\system32\CmdLineExt03.dll
2007-12-04 14:56 93,264 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys
2007-12-04 14:55 94,544 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
2007-12-04 14:53 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
2007-12-04 14:51 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
2007-12-04 14:49 26,624 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
2007-12-04 13:04 837,496 ----a-w C:\WINDOWS\system32\aswBoot.exe
2007-12-04 12:54 95,608 ----a-w C:\WINDOWS\system32\AVASTSS.scr
2007-10-01 23:34 3,140 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
2007-10-01 23:33 88 --sh--r C:\WINDOWS\system32\564DAD6DE4.sys
.
----a-w 839,685 2007-12-30 01:54:04 C:\WINDOWS\Fonts\svchost .exe
----a-w 1,460,560 2007-12-30 11:59:46 C:\Program Files\Spybot - Search & Destroy\TeaTimer .exe
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\ctfmon.exe" [2002-09-20 17:05 13312]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2008-01-06 13:15 139264]
"Gadu-Gadu"="C:\Program Files\Gadu-Gadu\gg .exe" [ ]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [ ]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="d:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 14:00 79224]
"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2008-01-06 13:15 790528]
"SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\smax4 .exe" [ ]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2006-05-10 09:48 94208 C:\WINDOWS\KHALMNPR.Exe]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2008-01-06 13:15 155648]
"AdslTaskBar"="stmctrl.dll" [2006-06-02 13:01 151552 C:\WINDOWS\system32\stmctrl.dll]
"WinampAgent"="d:\Program Files\Winamp\winampa.exe" [2007-05-15 00:22 35328]
"PCSuiteTrayApplication"="C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2008-01-06 13:15 222720]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2008-01-06 13:15 221184]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2008-01-06 13:15 81920]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2008-01-06 13:15 132496]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-01-06 13:15 185896]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2002-09-20 17:05 13312]
"PcSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2006-11-09 17:15 1634304]
C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\
Logitech SetPoint.lnk - D:\Program Files\Logitech\SetPoint\SetPoint.exe [2006-12-21 01:26:22]
InterVideo WinCinema Manager.lnk - D:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe [2006-12-22 19:43:17]
hpoddt01.exe.lnk - D:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-04-06 01:06:58]
hp psc 1000 series.lnk - D:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe [2003-04-06 01:17:18]
R2 BBDemon;Backbone Service;h:\programy\Catia\intel_a\code\bin\CATSysDemon.exe [2002-06-15 12:56]
R2 LBeepKE;LBeepKE;C:\WINDOWS\System32\Drivers\LBeepKE.sys [2006-06-01 15:46]
R3 Stmatm;ATM/ADSL miniport;C:\WINDOWS\System32\DRIVERS\stmatm.sys [2003-08-12 16:51]
S3 TaurusUsb;ADSL Modem USB Service;C:\WINDOWS\System32\DRIVERS\torususb.sys [2006-05-25 17:28]
S3 usb2vcom;DKU-5 Connectivity Adapter Cable;C:\WINDOWS\System32\DRIVERS\usb2vcom.sys [2005-08-06 04:06]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c9c60b0b-bd2e-11db-a78b-00304f1b899e}]
\shell\open\command - %SystemRoot%\Explorer.exe /idlist,%I,%L
.
Contents of the 'Scheduled Tasks' folder
"2008-01-02 22:35:02 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 1100 series#1166913294.job"
- D:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe4-I
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-06 13:22:59
Windows 5.1.2600 Dodatek Service Pack. 1 FAT NTAPI
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-01-06 13:24:22 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-06 12:24:18
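What this log shows is a companion-style file infector: for each autostart program the malware kept the clean binary under "name .exe" (a space before the extension) and put its own copy under the real "name.exe", so every Run entry launched the infection first. ComboFix's "replaces infected copy of" lines are it moving the clean copies back; the Run entries that still point at "gg .exe" and "smax4 .exe" with empty "[ ]" metadata are left-over references to companions that no longer exist, and the leftovers in C:\WINDOWS\Fonts (svchost .exe, Crack.exe, a.zip) and C:\winlogon.exe are files no legitimate installer puts there. The script below is an added example, not part of the original post and not ComboFix code: it reads a few lines in ComboFix's format (constructed here from the log above) and flags exactly those three patterns. The rule names, the regexes and the list of system binary names are my own assumptions.

```python
import re
from collections import namedtuple

# Heuristic rules (my assumptions, not ComboFix logic) for the companion-virus
# pattern visible in the log: a clean "name .exe" (space before the extension)
# beside an infected "name.exe", Run keys pointing at the companion, and
# executables parked in odd places such as C:\WINDOWS\Fonts or the drive root.

Finding = namedtuple("Finding", "rule path detail")

# A Windows path runs from a drive letter to a quote, a bracket or end of line.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\[\]\n]*?(?=\s*(?:"|\[|\]|$))')
# ComboFix Run-key line: "Name"="path" [date time size], or [ ] when the file is gone.
RUN_ENTRY_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)"\s*\[(?P<meta>[^\]]*)\]')
SPACED_EXT_RE = re.compile(r'\s\.(exe|dll|scr|com)$', re.IGNORECASE)
SYSTEM_NAMES = {"winlogon.exe", "svchost.exe", "ctfmon.exe", "explorer.exe"}

# Constructed sample in ComboFix's own format, taken from the log above.
SAMPLE_LOG = r"""
C:\Program Files\Analog Devices\SoundMAX\smax4 .exe
C:\Program Files\Analog Devices\SoundMAX\smax4.exe
C:\WINDOWS\Fonts\a.zip
C:\WINDOWS\Fonts\Crack.exe
C:\winlogon.exe
C:\x.dat
"C:\WINDOWS\system32\ctfmon .exe" moved to QooBox
"C:\Program Files\Gadu-Gadu\gg .exe" replaces infected copy of "C:\Program Files\Gadu-Gadu\gg.exe"
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\ctfmon.exe" [2002-09-20 17:05 13312]
"Gadu-Gadu"="C:\Program Files\Gadu-Gadu\gg .exe" [ ]
"SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\smax4 .exe" [ ]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-01-06 13:15 185896]
2007-12-30 01:54 839,685 ----a-w C:\WINDOWS\Fonts\svchost .exe
2007-10-01 23:34 3,140 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
"""


def extract_paths(lines):
    """Every Windows path mentioned anywhere in the log, in order, repeats kept."""
    return [m for line in lines for m in PATH_RE.findall(line.rstrip())]


def companion_pairs(paths):
    """Map each 'name .exe' companion to the 'name.exe' it shadows.

    The shadowed original may already be gone (e.g. Fonts\svchost .exe); the
    pairing is purely by name, which is what an analyst checks first."""
    pairs = {}
    for p in paths:
        m = SPACED_EXT_RE.search(p)
        if m:
            pairs[p] = p[:m.start()] + "." + m.group(1)
    return pairs


def audit_run_entries(lines):
    """Run-key entries that launch a companion or point at a file ComboFix could not stat."""
    findings = []
    for line in lines:
        m = RUN_ENTRY_RE.match(line.strip())
        if not m:
            continue
        name, path, meta = m.group("name"), m.group("path"), m.group("meta").strip()
        if SPACED_EXT_RE.search(path):
            findings.append(Finding("run-key-points-at-companion", path, name))
        if not meta:  # "[ ]": no date/size, the target did not exist at scan time
            findings.append(Finding("run-key-target-missing", path, name))
    return findings


def audit_locations(paths):
    """Executables in the Fonts folder, or system binary names outside their home."""
    findings = []
    for p in paths:
        low = p.lower()
        parent, _, name = low.rpartition("\\")
        name = name.replace(" .", ".")  # treat the companion form like the original
        if "\\fonts\\" in low and name.endswith((".exe", ".dll", ".scr", ".zip")):
            findings.append(Finding("non-font-file-in-fonts-dir", p, ""))
        if name in SYSTEM_NAMES and not parent.endswith(("\\system32", "\\windows")):
            findings.append(Finding("system-binary-name-outside-system32", p, name))
    return findings


def audit(log_text):
    """Run all rules over a ComboFix-style log and return unique findings in order."""
    lines = log_text.splitlines()
    paths = extract_paths(lines)
    findings = [Finding("companion-pair", comp, orig)
                for comp, orig in companion_pairs(paths).items()]
    findings += audit_run_entries(lines)
    findings += audit_locations(paths)
    seen, unique = set(), []
    for f in findings:
        if f not in seen:
            seen.add(f)
            unique.append(f)
    return unique


def summarize(findings):
    """Count findings per rule, for a quick triage view."""
    counts = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"{f.rule:38} {f.path}  {f.detail}")
    print(summarize(audit(SAMPLE_LOG)))
```

The companion check is the one worth keeping around: a trailing space before the extension never occurs in a legitimate install, so on any HijackThis or ComboFix log a single grep for " .exe" tells you whether this family is present. The Fonts and drive-root rules are looser and will need tuning per machine; they are here because those are exactly the places this sample used.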