ComboFix 08-03-14.4 - Ania 2008-03-17 19:24:38.1 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.2.1250.1.1045.18.529 [GMT 1:00]
Running from: C:\Documents and Settings\Ania\Pulpit\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Autorun.inf
C:\WINDOWS\system32\amvo.exe
C:\WINDOWS\system32\amvo0.dll
C:\WINDOWS\system32\amvo1.dll
D:\Autorun.inf
.
((((((((((((((((((((((((( Files Created from 2008-02-17 to 2008-03-17 )))))))))))))))))))))))))))))))
.
2008-03-17 19:21 . 2008-03-17 19:10 100,836 -r-hs---- C:\3o.exe
2008-03-14 21:48 . 2008-03-14 21:48 <DIR> d-------- C:\Documents and Settings\Ania\Dane aplikacji\Media Player Classic
2008-03-14 21:47 . 2008-03-14 21:47 <DIR> d-------- C:\Program Files\Real Alternative
2008-03-11 22:11 . 2008-03-11 22:10 100,457 -r-hs---- C:\v.cmd
2008-03-08 17:43 . 2008-03-11 17:46 103,034 -r-hs---- C:\b.com
2008-03-07 13:54 . 2008-03-07 13:53 106,068 -r-hs---- C:\xpbkh.com
2008-03-04 22:19 . 2008-03-04 22:19 107,057 -r-hs---- C:\uisvkqr.exe
2008-03-03 11:28 . 2008-03-03 11:28 106,210 -r-hs---- C:\y82td3td.com
2008-02-29 18:15 . 2008-02-29 18:14 105,263 -r-hs---- C:\ekugb3.bat
2008-02-21 22:44 . 2008-02-21 22:44 107,309 -r-hs---- C:\oufddh.exe
2008-02-18 22:04 . 2008-02-18 22:04 105,441 -r-hs---- C:\8ng8w.com
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-16 01:18 --------- d-----w C:\Program Files\DivoCodec
2008-02-14 06:41 102,211 --sh--r C:\x.com
2008-02-04 19:25 103,367 --sh--r C:\2ifetri.cmd
2008-02-04 19:17 --------- d-----w C:\Program Files\Common Files\Adobe
2008-01-28 08:03 105,293 --sh--r C:\xo8wr9.exe
2008-01-23 21:31 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-01-23 21:31 60,800 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL
2008-01-23 21:31 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-01-23 21:31 10,740 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2007-12-18 09:51 179,584 ----a-w C:\WINDOWS\system32\dllcache\mrxdav.sys
2007-12-04 11:08 18,344 ----a-w C:\Documents and Settings\Ania\Dane aplikacji\GDIPFONTCACHEV1.DAT
2007-10-30 16:43 5,903,928 ----a-w C:\Program Files\picasaweb-current-setup.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Secure Disks]
@={666C7836-A9B6-4AB4-94ED-DC238C81E925}
[HKEY_CLASSES_ROOT\CLSID\{666C7836-A9B6-4AB4-94ED-DC238C81E925}]
2006-04-03 01:08 381952 -ra------ c:\Program Files\ASUS Security Center\ASUS Security Protect Manager\Bin\SFSShell.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:00 15360]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-08-17 03:45 23120680]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 18:24 1694208]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-26 15:58 68856]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-09-28 02:17 443968]
"updateMgr"="c:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45 313472]
"Gadu-Gadu"="C:\Program Files\Gadu-Gadu\gg.exe" [2007-05-10 16:36 2111176]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HControl"="C:\WINDOWS\ATK0100\HControl.exe" [2006-10-14 02:37 110592]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2006-08-13 23:39 98304]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2006-08-13 23:41 114688]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2006-08-13 23:38 94208]
"CognizanceTS"="c:\PROGRA~1\ASUSSE~1\ASUSSE~1\Bin\ASTSVCC.dll" [2003-12-22 13:12 17920]
"RTHDCPL"="RTHDCPL.EXE" [2006-10-30 04:49 16269312 C:\WINDOWS\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [2006-05-16 03:04 2879488 C:\WINDOWS\SkyTel.exe]
"SMSERIAL"="C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe" [2006-08-07 06:11 573440]
"ASUS Live Update"="C:\Program Files\ASUS\ASUS Live Update\ALU.exe" [2006-02-21 15:20 180224]
"Wireless Console 2"="C:\Program Files\Wireless Console 2\wcourier.exe" [2005-10-17 17:09 987136]
"ATKMEDIA"="C:\Program Files\ASUS\ATK Media\DMEDIA.EXE" [2006-05-16 16:29 53248]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-10-21 07:26 761945]
"ABLKSR"="C:\WINDOWS\ABLKSR\ABLKSR.exe" [2006-01-03 03:14 61440]
"Power_Gear"="C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe" [2006-03-14 17:46 90112]
"PowerForPhone"="C:\Program Files\ASUS\PowerForPhone\PowerForPhone.exe" [2006-06-29 14:40 774144]
"ACMON"="C:\Program Files\ASUS\Splendid\ACMON.exe" [2006-05-30 10:28 811008]
"UMonit"="C:\WINDOWS\system32\UMonit.exe" [2006-08-14 10:54 196608]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-10-18 18:04 802816]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-10-18 17:58 696320]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2006-01-12 16:40 155648]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2005-11-03 13:58 28160 C:\WINDOWS\KHALMNPR.Exe]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-09-06 12:06 79224]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 13:00 15360]
C:\DOCUME~1\ALLUSE~1\MENUST~1\Programy\AUTOST~1\
MultiFrame.lnk - C:\Program Files\ASUS\Asus MultiFrame\MultiFrame.exe [2007-05-27 20:57:37 491520]
Logitech SetPoint.lnk - C:\Program Files\SetPoint\SetPoint.exe [2007-05-27 21:10:06 532480]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 10:01:04 83360]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OneCard]
c:\Program Files\ASUS Security Center\ASUS Security Protect Manager\Bin\ASWLNPkg.dll 2006-05-03 06:23 40448 c:\Program Files\ASUS Security Center\ASUS Security Protect Manager\Bin\ASWLNPkg.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=APSHook.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\DC++\\DCPlusPlus.exe"=
"C:\\Program Files\\Gadu-Gadu\\GG.EXE"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
R1 ItSDisk;ItSDisk;C:\WINDOWS\system32\Drivers\ItSDisk.sys [2006-05-16 19:14]
R2 ASChannel;Local Communication Channel;C:\WINDOWS\System32\svchost.exe [2004-08-04 13:00]
S3 FIXUSTOR;FIXUSTOR;C:\WINDOWS\system32\DRIVERS\fixustor.sys [2006-08-10 06:38]
S3 ipswuio;ipswuio;C:\WINDOWS\system32\DRIVERS\ipswuio.sys [2006-01-24 10:45]
S3 usbscan;Sterownik skanera USB;C:\WINDOWS\system32\DRIVERS\usbscan.sys [2004-08-03 22:58]
S3 USBSTOR;Sterownik magazynu masowego USB;C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-03 23:08]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Cognizance REG_MULTI_SZ ASChannel
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3b50d9b1-ac14-11dc-b0df-0019d22bb970}]
\Shell\AutoRun\command - F:\ylr.exe
\Shell\explore\Command - F:\ylr.exe
\Shell\open\Command - F:\ylr.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{48d59dbe-1821-11dc-b03f-0019d22bb970}]
\Shell\AutoRun\command - F:\3o.exe
\Shell\explore\Command - F:\3o.exe
\Shell\open\Command - F:\3o.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{55922012-d889-11dc-b0f6-0019d22bb970}]
\Shell\AutoRun\command - F:\ylr.exe
\Shell\explore\Command - F:\ylr.exe
\Shell\open\Command - F:\ylr.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{aaa79db6-1cd2-11dc-b045-0019d22bb970}]
\Shell\AutoRun\command - F:\xpbkh.com
\Shell\explore\Command - F:\xpbkh.com
\Shell\open\Command - F:\xpbkh.com
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{abbd24e6-e900-11dc-b0fb-0019d22bb970}]
\Shell\AutoRun\command - F:\ekugb3.bat
\Shell\explore\Command - F:\ekugb3.bat
\Shell\open\Command - F:\ekugb3.bat
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b5d2acfe-8077-11dc-b0c5-0019d22bb970}]
\Shell\Auto\command - F:\activexdebugger32.exe f
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL activexdebugger32.exe f
\Shell\explore\Command - F:\activexdebugger32.exe f
\Shell\open\Command - F:\activexdebugger32.exe f
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b692c750-ca96-11dc-b0f4-0019d22bb970}]
\Shell\AutoRun\command - F:\2ifetri.cmd
\Shell\explore\Command - F:\2ifetri.cmd
\Shell\open\Command - F:\2ifetri.cmd
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c7bdd388-5941-11dc-b09d-0019d22bb970}]
\Shell\AutoRun\command - F:\Autorun.exe /run
\Shell\Shell00\Command - F:\Autorun.exe /run
\Shell\Shell01\Command - F:\Autorun.exe /action
\Shell\Shell02\Command - F:\Autorun.exe /uninstall
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-17 19:28:28
Windows 5.1.2600 Dodatek Service Pack 2 FAT NTAPI
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\explorer.exe [6.00.2900.3156]
C:\Program Files\ASUS\Asus MultiFrame\HookTitle.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\WINDOWS\system32\DllHost.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
c:\Program Files\ASUS Security Center\ASUS Security Protect Manager\Bin\AsGHost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\ACEngSvr.exe
C:\WINDOWS\system32\acovcnt.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\imapi.exe
C:\WINDOWS\ATK0100\ATKOSD.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
.
**************************************************************************
.
Completion time: 2008-03-17 19:31:02 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-17 18:30:58
.
2008-02-14 06:23:35 --- E O F ---
