ComboFix 08-05-25.5 - xxx 2008-05-26 20:52:31.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1250.1.1045.18.426 [GMT 2:00]
Running from: D:\KAJETAN\odebrane\ComboFix.exe
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\xxx\Ulubione.url
.
---- Previous Run -------
.
C:\WINDOWS\Fonts\acrsecB.fon
C:\WINDOWS\Fonts\acrsecI.fon
C:\WINDOWS\smdat32m.sys
.
((((((((((((((((((((((((( Files Created from 2008-04-26 to 2008-05-26 )))))))))))))))))))))))))))))))
.
2008-05-26 20:55 . 2008-05-26 20:55
2008-05-26 20:55 . 2008-05-26 20:55 53,248 --a------ C:\Temp\catchme.dll
2008-05-26 20:54 . 2008-05-26 20:54
2008-05-26 20:54 . 2008-05-26 20:54 16,384 --a----t- C:\Temp\Perflib_Perfdata_674.dat
2008-05-26 19:07 . 2008-05-26 20:55
2008-05-23 22:32 . 2008-05-23 22:32 12,598 --a------ C:\WINDOWS\system32\wpa.bak
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-26 18:47 --------- d-----w C:\Documents and Settings\xxx\Dane aplikacji\Skype
2008-05-26 14:05 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-05-26 14:05 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\Lavasoft
2008-04-20 14:07 --------- d-----w C:\Documents and Settings\xxx\Dane aplikacji\Lavasoft
2008-04-19 09:16 --------- d-----w C:\Documents and Settings\xxx\Dane aplikacji\OpenOffice.ux.pl2
2008-04-17 19:25 --------- d-----w C:\Program Files\English Translator 3
2008-04-04 11:04 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\Spybot - Search & Destroy
2008-03-22 10:10 150 ----a-w C:\System Volume Information.zip
2004-09-20 11:07 21,696,576 -c--a-w C:\Program Files\AdobeR…exe
2004-09-12 15:55 3,661,390 -c--a-w C:\Program Files\Gd-wygaszacz.exe
2004-11-01 15:18 56 --sh--r C:\WINDOWS\system32\D2A60B131A.sys
2004-11-01 15:18 1,682 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
2004-09-16 22:47 0 -csha-w C:\WINDOWS\system32\mfcda.exe
2004-09-16 21:54 0 -csha-w C:\WINDOWS\system32\rkbuc.dll
2008-02-22 12:01 9,338,912 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2008-02-22 12:01 21,536 --sha-w C:\WINDOWS\system32\drivers\fidbox2.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2006-08-21 17:37 20053032]
"SpybotSD TeaTimer"="D:\KAJETAN\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-04-21 21:10 335872]
"SoundMan"="SOUNDMAN.EXE" [2003-08-15 16:34 57344 C:\WINDOWS\SOUNDMAN.EXE]
"!AVG Anti-Spyware"="D:\Program Files\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 11:25 6731312]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 09:44 15360]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@=""
[HKLM~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^EPSON Status Monitor 3 Environment Check.lnk]
path=C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\EPSON Status Monitor 3 Environment Check.lnk
backup=C:\WINDOWS\pss\EPSON Status Monitor 3 Environment Check.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\amva]
C:\WINDOWS\system32\amvo.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
--a------ 2004-04-21 21:10 335872 C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 09:44 15360 C:\WINDOWS\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Easy-PrintToolBox]
--a------ 2004-01-14 13:10 409600 C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ILO_Office_Manager]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
--a------ 2006-08-21 17:37 20053032 C:\Program Files\Skype\Phone\Skype.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
--a------ 2003-08-15 16:34 57344 C:\WINDOWS\SOUNDMAN.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
-rahs---- 2008-01-28 11:43 2097488 D:\KAJETAN\Spybot - Search & Destroy\TeaTimer.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a--c--- 2004-06-03 22:05 32881 C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
[HKLM~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\WINDOWS\system32\sessmgr.exe"=
"C:\Program Files\Tiny Personal Firewall\PERSFW.exe"=
"C:\Program Files\Internet Explorer\iexplore.exe"=
"D:\Program Files\Gadu-Gadu\gg.exe"=
"%windir%\Network Diagnostic\xpnetdiag.exe"=
"C:\Program Files\Skype\Phone\Skype.exe"=
[HKLM~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"1199:UDP"= 1199:UDP:Windows Media Format SDK (firefox.exe)
"1198:UDP"= 1198:UDP:Windows Media Format SDK (firefox.exe)
R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-05-16 01:20]
R1 fwdrv;Tiny Personal Firewall Driver;C:\WINDOWS\system32\Drivers\fwdrv.sys [2001-10-22 17:54]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-05-16 01:16]
S3 {A8303B2A-94C0-4a84-9C1F-BD9CCDD3A689};{A8303B2A-94C0-4a84-9C1F-BD9CCDD3A689};C:\WINDOWS\system32\{A8303B2A-94C0-4a84-9C1F-BD9CCDD3A689} []
S3 ATICDSDr;ATICDSDr;C:\DOCUME~1\ADMINI~1\USTAWI~1\Temp\ATICDSDr.sys []
S3 DarkSpy;DarkSpy;C:\WINDOWS\system32\DarkSpyKernel.sys []
S3 MEMSWEEP2;MEMSWEEP2;C:\WINDOWS\system32\4A.tmp []
S3 ZDCndis5;ZDCndis5 Protocol Driver;C:\WINDOWS\system32\ZDCndis5.SYS []
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{29d0964c-265b-11dc-b256-00e04cbf69bf}]
\Shell\AutoRun\command - EXPLORER.EXE
\Shell\explore\Command - EXPLORER.EXE
\Shell\open\Command - EXPLORER.EXE
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3bc680b5-e15e-11dc-b665-00e04cbf69bf}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{63cad018-b2ee-11dc-b4aa-00e04cbf69bf}]
\Shell\AutoRun\command - F:\fppg1.exe
\Shell\explore\Command - F:\fppg1.exe
\Shell\open\Command - F:\fppg1.exe
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-26 20:55:16
Windows 5.1.2600 Dodatek Service Pack 2 NTFS
scanning hidden processes …
scanning hidden autostart entries …
scanning hidden files …
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\C:\WINDOWS\system32\4A.tmp"
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{A8303B2A-94C0-4a84-9C1F-BD9CCDD3A689}]
"ImagePath"="\??\C:\WINDOWS\system32\{A8303B2A-94C0-4a84-9C1F-BD9CCDD3A689}"
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\ati2evxx.exe
D:\Program Files\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Tiny Personal Firewall\PERSFW.exe
C:\WINDOWS\system32\UAService7.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\cscript.exe
.
**************************************************************************
.
Completion time: 2008-05-26 20:58:02 - machine was rebooted [xxx]
ComboFix-quarantined-files.txt 2008-05-26 18:57:59
Pre-Run: 2,408,091,648 bajtów wolnych
Post-Run: 2,399,068,160 bajtów wolnych
147 --- E O F --- 2008-03-12 17:01:57
W dniu 26.05.2008 , o godzinie 20:58 został dopisany post przez Kaj
Log z ComboFixa — co dalej?
W dniu 26.05.2008 , o godzinie 21:22 został dopisany post przez Kaj
“Silent Runners.vbs”, revision 45, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by “{++}”
Startup items buried in registry:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Skype" = ""C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized" ["Skype Technologies S.A."]
"SpybotSD TeaTimer" = ""D:\KAJETAN\Spybot - Search & Destroy\TeaTimer.exe"" ["Safer Networking Limited"]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"ATIPTA" = ""C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"" ["ATI Technologies, Inc."]
"SoundMan" = "SOUNDMAN.EXE" ["Realtek Semiconductor Corp."]
"!AVG Anti-Spyware" = ""D:\Program Files\AVG Anti-Spyware 7.5\avgas.exe" /minimized" ["GRISOFT s.r.o."]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "AcroIEHlprObj Class"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
-> {HKLM...CLSID} = "SSVHelper Class"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll" ["Sun Microsystems, Inc."]
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{30D02401-6A81-11d0-8274-00C04FD5AE38}" = "IE Search Band"
-> {HKLM...CLSID} = "IE Search Band"
\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}" = "Shell DocObject Viewer"
-> {HKLM...CLSID} = "Shell DocObject Viewer"
\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}" = "InternetShortcut"
-> {HKLM...CLSID} = "Internet Shortcut"
\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}" = "Microsoft Url History Service"
-> {HKLM...CLSID} = "Microsoft Url History Service"
\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]
"{FF393560-C2A7-11CF-BFF4-444553540000}" = "History"
\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}" = "Temporary Internet Files"
-> {HKLM...CLSID} = "Temporary Internet Files"
\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}" = "Temporary Internet Files"
-> {HKLM...CLSID} = "Temporary Internet Files"
\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}" = "Microsoft Url Search Hook"
-> {HKLM...CLSID} = "Microsoft Url Search Hook"
\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]
Log z Silent Runners.