ComboFix 08-09-22.06 - king of love 03/23/2009 21:20:54.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1256.1.1033.18.459 [GMT 3:00]
Running from: C:\DOCUME~1\KINGOF~1\LOCALS~1\Temp\ir_ext_temp_0\AutoPlay\Docs\ComboFix.exe
* Created a new restore point
* Resident AV is active
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
- REDUCED FUNCTIONALITY MODE -
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Autorun.inf
C:\Program Files\Bifrost\logg.dat
C:\Program Files\bifrost\server.exe
C:\WINDOWS\system32\win.exe
D:\Autorun.inf
G:\Autorun.inf
.
((((((((((((((((((((((((( Files Created from 2009-02-23 to 2009-03-23 )))))))))))))))))))))))))))))))
.
No new files created in this timespan
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-23 18:27 --------- d-----w C:\Program Files\Bifrost
2009-03-23 18:26 --------- d-----w C:\Documents and Settings\All Users\Application Data\Babylon
2009-03-23 18:24 5,648,416 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2009-03-23 18:24 47,304 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2009-03-23 18:24 4,520 --sha-w C:\WINDOWS\system32\drivers\fidbox2.idx
2009-03-23 18:24 393,248 --sha-w C:\WINDOWS\system32\drivers\fidbox2.dat
2009-03-23 18:21 --------- d-----w C:\Documents and Settings\king of love\Application Data\DMCache
2009-03-23 17:58 120 ----a-w C:\Program Files\templog.log
2009-03-23 16:50 --------- d-----w C:\Documents and Settings\king of love\Application Data\Safer Networking
2009-03-23 16:49 --------- d-----w C:\Program Files\Safer Networking
2009-03-23 14:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2009-03-22 21:36 --------- d-----w C:\Program Files\Internet Download Manager
2009-03-22 21:27 10,752 ----a-w C:\WINDOWS\DCEBoot.exe
2009-03-22 20:00 --------- d-----w C:\Program Files\PCBugDoctor
2009-03-22 02:42 33,808 ----a-w C:\WINDOWS\system32\drivers\klbg.sys
2009-03-22 02:41 89,601 ----a-w C:\WINDOWS\system32\drivers\klick.dat
2009-03-22 02:41 101,287 ----a-w C:\WINDOWS\system32\drivers\klin.dat
2009-03-21 23:41 --------- d-----w C:\Program Files\Kaspersky Lab
2009-03-21 23:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\Avira
2009-03-21 18:53 --------- d-----w C:\Documents and Settings\king of love\Application Data\Grisoft
2009-03-21 18:52 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
2009-03-21 09:38 76,304 ----a-w C:\WINDOWS\system32\drivers\tmtdi.sys
2009-03-21 09:38 142,992 ----a-w C:\WINDOWS\system32\drivers\tmcomm.sys
2009-03-20 21:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2009-03-20 20:21 --------- d-----w C:\Program Files\Mask Surf Pro
2009-03-20 19:51 --------- d-----w C:\Program Files\Trend Micro
2009-03-19 17:24 --------- d-----w C:\Program Files\The Herbal Pharmacy
2009-03-18 18:19 --------- d-----w C:\Documents and Settings\king of love\Application Data\Babylon
2009-03-17 21:26 --------- d--h--w C:\Program Files\InstallShield Installation Information
2009-03-17 21:26 --------- d-----w C:\Program Files\JawsSystems
2009-03-17 18:37 --------- d-----w C:\Program Files\PDF Split-Merge v2.2
2009-03-17 04:11 --------- d-----w C:\Documents and Settings\king of love\Application Data\MxBoost
2009-03-12 23:36 --------- d-----w C:\Program Files\DivX
2009-03-12 23:04 --------- d-----w C:\Program Files\The KMPlayer
2009-03-12 21:58 --------- d-----w C:\Program Files\Common Files\Adobe
2009-03-12 14:06 --------- d-----w C:\Program Files\Easy RealMedia Tools
2009-03-12 00:28 --------- d-----w C:\Program Files\AviSynth 2.5
2009-03-11 22:27 --------- d-----w C:\Program Files\Allok Video Converter
2009-03-11 21:30 --------- d-----w C:\Program Files\Total Video Converter
2009-03-08 16:16 --------- d-----w C:\Program Files\Ozone
2009-03-07 18:27 --------- d-----w C:\Program Files\Microsoft ActiveSync
2009-03-07 18:27 --------- d-----w C:\Program Files\7-Zip
2009-03-05 22:34 --------- d-----w C:\Documents and Settings\king of love\Application Data\Lunascape
2009-03-05 21:44 --------- d-----w C:\Program Files\Lunascape
2009-03-05 09:56 410,984 ----a-w C:\WINDOWS\system32\deploytk.dll
2009-03-05 09:56 --------- d-----w C:\Program Files\Java
2009-03-03 14:44 --------- d-----w C:\Program Files\Rapid Express
2009-03-03 14:18 --------- d-----w C:\Program Files\Common Files\Java
2009-03-03 14:18 --------- d-----w C:\Documents and Settings\king of love\Application Data\VitySoft
2009-03-03 10:07 --------- d-----w C:\Documents and Settings\king of love\Application Data\Inspyder InSite
2009-02-20 18:07 --------- d-----w C:\Program Files\TSL
2009-02-16 11:17 --------- d-----w C:\Program Files\Maxthon2
2009-02-10 18:01 --------- d-----w C:\Program Files\InterActual
2009-02-09 11:13 1,846,784 ----a-w C:\WINDOWS\system32\win32k.sys
2009-01-29 11:52 --------- d-----w C:\Program Files\RssReader
2009-01-29 00:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\Arovax
2009-01-29 00:20 --------- d-----w C:\Documents and Settings\king of love\Application Data\Tor
2009-01-28 11:14 --------- d-----w C:\Program Files\TuneUp Utilities 2007
2009-01-28 11:14 --------- d-----w C:\Documents and Settings\king of love\Application Data\TuneUp Software
2009-01-28 11:13 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2009-01-28 11:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\TuneUp Software
2009-01-26 16:07 --------- d-----w C:\Program Files\Mindscape
2009-01-25 15:17 --------- d-----w C:\Program Files\Medical Speller Trial
2009-01-24 19:22 --------- d-----w C:\Program Files\Microsoft Works
2009-01-24 19:22 --------- d-----w C:\Program Files\Microsoft Office 2007
2009-01-24 18:59 --------- d-----w C:\Documents and Settings\king of love\Application Data\oess
2009-01-24 18:57 --------- d-----w C:\Program Files\TEXTware
2009-01-24 18:57 --------- d-----w C:\Program Files\IDM
2009-01-24 18:56 --------- d-----w C:\Program Files\Oxford
2009-01-24 18:48 --------- d-----w C:\Program Files\Microsoft.NET
2009-01-22 20:31 40,960 ----a-w C:\WINDOWS\system32\SSubTmr6.dll
2008-12-25 15:26 499,712 ----a-w C:\WINDOWS\system32\msvcp71.dll
2008-12-25 15:26 348,160 ----a-w C:\WINDOWS\system32\msvcr71.dll
2008-11-22 08:24 615,936 ----a-w C:\Program Files\General_Removal.exe
2004-03-07 07:30 16 ----a-w C:\Documents and Settings\king of love\Application Data\QNVW601P.dll
2006-06-27 02:40 571,184 --sha-r C:\WINDOWS\system32\legitcheckcontrol.dll
.
----a-w 420,137 2008-10-31 10:01:10 C:\Documents and Settings\king of love\My Documents\Downloads\Compressed\explorerxp .exe
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [10/31/2007 12:32 AM 15360]
"TuneUp MemOptimizer"="C:\Program Files\TuneUp Utilities 2007\MemOptimizer.exe" [12/19/2006 04:53 PM 310792]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [01/26/2004 08:03 PM 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [01/26/2004 08:03 PM 118784]
"SunJavaUpdateSched"="C:\Program Files\Java\jre6\bin\jusched.exe" [03/05/2009 12:56 PM 136600]
"Babylon Client"="C:\Program Files\Babylon\Babylon-Pro\Babylon.exe" [02/14/2008 08:02 PM 3165920]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [12/25/2008 06:26 PM 185872]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [10/15/2008 01:04 AM 39792]
"OfficeScanNT Monitor"="C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" [03/21/2009 12:38 PM 718120]
"CTFMON"="C:\WINDOWS\system32\wscript.exe" [10/31/2007 12:33 AM 114688]
"regdiit"="C:\WINDOWS\system32\win.exe" [03/23/2009 09:26 PM 57748]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe" [03/22/2009 05:42 AM 206088]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\CTFMON.EXE" [10/31/2007 12:32 AM 15360]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"HonorAutoRunSetting"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Shell"="Explorer.exe "
"Userinit"="userinit.exe "
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]
12/16/2003 08:32 AM 110592 C:\WINDOWS\system32\LgNotify.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd.dll,C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd3.dll,C:\PROGRA~1\KASPER~1\KASPER~1\adialhk.dll,C:\PROGRA~1\KASPER~1\KASPER~1\kloehk.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.divxa32"= divxa32.acm
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\drwtsn32.exe]
"Debugger"=C:\WINDOWS\system32\wscript.exe /E:vbs C:\WINDOWS\system32\winjpg.jpg
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\dwwin.exe]
"Debugger"=C:\WINDOWS\system32\win.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\MSConfig.exe]
"Debugger"=C:\WINDOWS\system32\wscript.exe /E:vbs C:\WINDOWS\system32\winjpg.jpg
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\procexp.exe]
"Debugger"=\win.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\regedit.exe]
"Debugger"=C:\WINDOWS\system32\wscript.exe /E:vbs C:\WINDOWS\system32\winjpg.jpg
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\rstrui.exe]
"Debugger"=C:\WINDOWS\system32\wscript.exe /E:vbs C:\WINDOWS\system32\winjpg.jpg
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\taskmgr.exe]
"Debugger"=C:\WINDOWS\system32\wscript.exe /E:vbs C:\WINDOWS\system32\winjpg.jpg
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ :\WINDOW scecli scecli scecli scecli
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DownloadAccelerator
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RssReader
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 10/15/2008 01:04 AM 39792 C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Babylon Client]
--a------ 02/14/2008 08:02 PM 3165920 C:\Program Files\Babylon\Babylon-Pro\Babylon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
--a------ 11/15/2005 07:44 PM 1200128 C:\Program Files\Microsoft ActiveSync\wcescomm.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IDMan]
--a------ 01/06/2009 08:49 PM 2745776 C:\Program Files\Internet Download Manager\IDMan.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PRONoMgr.exe]
--a------ 12/10/2003 02:36 AM 86016 C:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmaTel StacMon]
--------- 08/03/2003 05:01 PM 86073 C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--------- 12/25/2008 06:26 PM 185872 C:\Program Files\Common Files\Real\Update_OB\realsched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TuneUp MemOptimizer]
--a------ 12/19/2006 04:53 PM 310792 C:\Program Files\TuneUp Utilities 2007\MemOptimizer.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Mask Surf Pro\\masksurf.exe"=
"C:\\Program Files\\Mask Surf Pro\\Tor\\tor.exe"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
R0 klbg;Kaspersky Lab Boot Guard Driver;C:\WINDOWS\system32\drivers\klbg.sys [03/22/2009 05:42 AM 33808]
R2 JavaQuickStarterService;Java Quick Starter;C:\Program Files\Java\jre6\bin\jqs.exe [03/05/2009 12:56 PM 152984]
R2 UxTuneUp;TuneUp Design Expansion;C:\WINDOWS\System32\svchost.exe [10/31/2007 12:32 AM 14336]
R3 KLFLTDEV;Kaspersky Lab KLFltDev;C:\WINDOWS\system32\DRIVERS\klfltdev.sys [03/13/2008 06:02 PM 26640]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [04/30/2008 05:06 PM 24592]
S3 tap0801;Smarthide TAP driver;C:\WINDOWS\system32\DRIVERS\tap0801.sys [10/12/2007 04:07 PM 55808]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{339c0cf1-d22c-11dd-967d-000e7b59181a}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Wscript.exe /e:vbs winfile.jpg
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{78EF1590-7028-A203-A4B3-EC3C46DF8542}]
C:\Program Files\Bifrost\server.exe s
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -
Notify-Antiwpa - (no file)
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\king of love\Application Data\Mozilla\Firefox\Profiles\qg5xopcg.default\
FF -: plugin - C:\Program Files\Java\jre6\bin\new_plugin\npdeploytk.dll
FF -: plugin - C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\npdeploytk.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\npdjvu.dll
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
Rootkit scan 2009-03-23 21:26:41
Windows 5.1.2600 Service Pack 3, v.5657 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
C:\WINDOWS\system32\win.exe 57748 bytes executable
scan completed successfully
hidden files: 1
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\S24EvMon.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\system32\1XConfig.exe
C:\Program Files\Trend Micro\OfficeScan Client\NTRtScan.exe
C:\WINDOWS\system32\RegSrvc.exe
C:\Program Files\Trend Micro\OfficeScan Client\TmListen.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\temp\DM604B.EXE
C:\Program Files\Trend Micro\OfficeScan Client\CNTAoSMgr.exe
.
**************************************************************************
.
Completion time: 03/23/2009 21:31:30 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-23 18:31:23
Pre-Run: 41,465,356,288 bytes free
Post-Run: 41,596,637,184 bytes free
246 --- E O F --- 2009-03-13 22:42:11
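Added example, not part of the posted log or of ComboFix: a small Python triage script that walks the "Reg Loading Points" section in the format ComboFix prints it and flags the indicators visible in this log: the Image File Execution Options "Debugger" values that redirect taskmgr.exe, regedit.exe, MSConfig.exe, procexp.exe, rstrui.exe, dwwin.exe and drwtsn32.exe to wscript.exe /E:vbs winjpg.jpg or to win.exe (so opening any of those tools runs the script instead); the Security Center AntiVirusOverride and DisableMonitoring values plus EnableFirewall=0, which silence the AV and firewall warnings; Run entries whose target is a script host (the "CTFMON" entry pointing at wscript.exe rather than ctfmon.exe); and the MountPoints2 \Shell\AutoRun\command that launches Wscript.exe /e:vbs winfile.jpg when the drive is opened. The embedded sample is an abridged copy of the log's own registry lines; the SCRIPT_HOSTS list, the finding names and the dword parsing are assumptions of this example, not ComboFix behaviour.

```python
"""Triage of ComboFix 'Reg Loading Points' output (added example, not part of the log)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: an abridged copy of the registry section of the log above.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [01/26/2004 08:03 PM 155648]
"CTFMON"="C:\WINDOWS\system32\wscript.exe" [10/31/2007 12:33 AM 114688]
"regdiit"="C:\WINDOWS\system32\win.exe" [03/23/2009 09:26 PM 57748]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\taskmgr.exe]
"Debugger"=C:\WINDOWS\system32\wscript.exe /E:vbs C:\WINDOWS\system32\winjpg.jpg
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\procexp.exe]
"Debugger"=\win.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{339c0cf1-d22c-11dd-967d-000e7b59181a}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Wscript.exe /e:vbs winfile.jpg
"""

# Heuristic (assumption of this example): a Run entry that launches a script
# host or loader instead of a real application deserves a closer look.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe", "cmd.exe"}

VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')  # "Name"=value [timestamp size]


@dataclass(frozen=True)
class Finding:
    kind: str    # indicator category
    key: str     # registry key the line belongs to
    name: str    # value name
    detail: str  # what it points at


def _basename(path: str) -> str:
    return path.replace("/", "\\").rstrip("\\").rsplit("\\", 1)[-1].lower()


def _dword_is_set(value: str) -> bool:
    """True for ComboFix renderings such as 'dword:00000001' or '1 (0x1)'."""
    parts = value.split()
    if not parts:
        return False
    try:
        return int(parts[0].split(":")[-1], 16) != 0
    except ValueError:
        return False


def triage(text: str) -> list[Finding]:
    """Walk the section line by line, tracking the current [key], and flag indicators."""
    findings: list[Finding] = []
    key = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        if not key:
            continue
        k = key.lower()
        # Per-volume AutoRun handler under MountPoints2: runs when the drive is opened.
        if "\\mountpoints2\\" in k and line.lower().startswith("\\shell\\autorun\\command"):
            findings.append(Finding("removable_autorun", key, "Shell\\AutoRun\\command",
                                    line.split(" - ", 1)[-1]))
            continue
        m = VALUE_RE.match(line)
        if not m:
            continue
        name, value = m.group(1), m.group(2).strip()
        if "\\image file execution options\\" in k and name.lower() == "debugger":
            # IFEO Debugger: launching <tool>.exe silently runs the 'debugger' instead.
            findings.append(Finding("ifeo_debugger", key, name,
                                    f"{_basename(key)} redirected to: {value}"))
        elif k.endswith("\\security center") and name == "AntiVirusOverride" and _dword_is_set(value):
            findings.append(Finding("security_center_override", key, name, value))
        elif "\\security center\\monitoring\\" in k and name == "DisableMonitoring" and _dword_is_set(value):
            findings.append(Finding("security_center_override", key, name, value))
        elif "firewallpolicy\\standardprofile" in k and name == "EnableFirewall" and not _dword_is_set(value):
            findings.append(Finding("firewall_disabled", key, name, value))
        elif k.endswith("\\currentversion\\run"):
            target = value.split('"')[1] if value.startswith('"') else value.split(" [", 1)[0]
            if _basename(target) in SCRIPT_HOSTS:
                findings.append(Finding("run_via_script_host", key, name, target))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.kind}] {f.name} @ {f.key}\n    -> {f.detail}")
```

To use it on a real report, pass the contents of a saved ComboFix.txt to triage(); the rules key on the registry paths, so they also catch the same values under HKEY_USERS\.DEFAULT or HKEY_CURRENT_USER, and the IFEO rule flags every hijacked tool in the log above, not only the two in the sample. The "Security Center override" findings are what allows the infection to sit beside Kaspersky and Trend Micro OfficeScan without the tray warning ever appearing.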