- ComboFix 10-03-04.04 - Dragan 03/05/2010 10:16:32.3.1 - x86
- Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.447.242 [GMT 1:00]
- Running from: c:\documents and settings\Dragan\Desktop\ComboFix.exe
- AV: ESET Smart Security 4.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
- FW: ESET Personal firewall *enabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}
- FW: ZoneAlarm Extreme Security Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
- .
- ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
- .
- c:\windows\d.ini
- c:\windows\system32\vb6ko.dll
- .
- ((((((((((((((((((((((((( Files Created from 2010-02-05 to 2010-03-05 )))))))))))))))))))))))))))))))
- .
- 2010-02-23 09:50 . 2010-02-23 09:50 -------- d-----w- c:\documents and settings\Dragan\Downloads
- 2010-02-20 09:53 . 2010-02-20 09:53 -------- d-----w- c:\documents and settings\Dragan\Application Data\MailFrontier
- 2010-02-20 09:33 . 2010-02-20 09:33 -------- d-----w- c:\program files\Zone Labs
- 2010-02-20 09:20 . 2010-03-05 09:12 -------- d-----w- c:\windows\Internet Logs
- 2010-02-12 19:25 . 2010-02-12 19:25 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Help
- 2010-02-11 12:45 . 2010-02-04 21:28 245760 ----a-w- c:\documents and settings\Dragan\Application Data\Mozilla\Firefox\Profiles\wavrpthw.Novi\extensions\ietab@ip.cn\plugins\npCoralIETab.dll
- 2010-02-05 09:14 . 2010-02-05 09:14 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Suite
- 2010-02-05 08:56 . 2010-02-05 08:56 -------- d-----w- c:\program files\Common Files\PCSuite
- 2010-02-05 08:56 . 2010-02-05 08:56 -------- d-----w- c:\program files\Common Files\Nokia
- 2010-02-05 08:55 . 2008-08-26 08:26 18816 ----a-w- c:\windows\system32\drivers\pccsmcfd.sys
- 2010-02-05 08:55 . 2010-02-05 08:55 -------- d-----w- c:\program files\PC Connectivity Solution
- 2010-02-05 08:55 . 2009-10-06 10:52 7936 ----a-w- c:\windows\system32\drivers\usbser_lowerfltj.sys
- 2010-02-05 08:55 . 2009-10-06 10:52 7936 ----a-w- c:\windows\system32\drivers\usbser_lowerflt.sys
- 2010-02-05 08:55 . 2009-10-06 10:52 22016 ----a-w- c:\windows\system32\drivers\ccdcmbo.sys
- 2010-02-05 08:55 . 2009-10-06 10:55 1112288 ----a-w- c:\windows\system32\wdfcoinstaller01007.dll
- 2010-02-05 08:55 . 2009-10-06 10:52 660480 ----a-w- c:\windows\system32\nmwcdcocls.dll
- 2010-02-05 08:55 . 2009-10-06 10:52 17664 ----a-w- c:\windows\system32\drivers\ccdcmb.sys
- 2010-02-05 08:55 . 2010-02-05 08:56 -------- d-----w- c:\program files\Nokia
- 2010-02-05 08:54 . 2010-02-05 08:52 34399664 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{19DC9559-9C20-4A46-A67D-7ECBA52A2788}\Nokia_PC_Suite_eng_web.exe
- 2010-02-05 08:54 . 2010-02-05 08:54 95232 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{19DC9559-9C20-4A46-A67D-7ECBA52A2788}\Installer\CommonCustomActions\pcswpcsi.exe
- 2010-02-05 08:54 . 2010-02-05 08:54 61440 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{19DC9559-9C20-4A46-A67D-7ECBA52A2788}\Installer\CommonCustomActions\UninstPCSFEMsi.exe
- 2010-02-05 08:54 . 2010-02-05 08:54 8192 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{19DC9559-9C20-4A46-A67D-7ECBA52A2788}\Installer\CommonCustomActions\UninstCCD.exe
- 2010-02-05 08:54 . 2010-02-05 08:54 10240 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{19DC9559-9C20-4A46-A67D-7ECBA52A2788}\Installer\CommonCustomActions\UninstPCS.exe
- .
- (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
- .
- 2010-03-05 08:55 . 2009-12-23 13:17 4212 ---ha-w- c:\windows\system32\zllictbl.dat
- 2010-03-05 06:49 . 2010-02-20 09:36 144 ----a-w- c:\windows\system32\pdfl.dat
- 2010-03-04 15:52 . 2009-02-11 09:01 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
- 2010-02-26 06:48 . 2007-05-12 07:33 -------- d--h--w- c:\program files\InstallShield Installation Information
- 2010-02-20 09:53 . 2009-12-23 13:17 -------- d-----w- c:\documents and settings\Dragan\Application Data\CheckPoint
- 2010-02-20 09:36 . 2010-02-20 09:36 80 ----a-w- c:\windows\system32\ibfl.dat
- 2010-02-20 09:36 . 2010-02-20 09:36 144 ----a-w- c:\windows\system32\lkfl.dat
- 2010-02-20 09:36 . 2009-12-23 13:17 -------- d-----w- c:\program files\CheckPoint
- 2010-02-19 13:10 . 2007-10-01 14:24 -------- d-----w- c:\program files\Planplus
- 2010-02-17 15:35 . 2007-05-12 09:25 -------- d-----w- c:\program files\TuneUp Utilities 2007
- 2010-02-05 09:43 . 2007-05-30 07:19 -------- d-----w- c:\documents and settings\Dragan\Application Data\PC Suite
- 2010-02-05 09:15 . 2007-05-30 07:19 -------- d-----w- c:\documents and settings\Dragan\Application Data\Nokia
- 2010-02-05 08:56 . 2007-05-12 07:33 -------- d-----w- c:\program files\DIFX
- 2010-02-05 08:54 . 2009-10-03 11:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Installations
- 2010-01-20 10:06 . 2010-01-20 10:06 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
- 2010-01-20 09:41 . 2009-02-11 09:01 -------- d-----w- c:\documents and settings\Dragan\Application Data\URSoft
- 2010-01-20 09:41 . 2010-01-20 09:41 -------- d-----w- c:\program files\Your Uninstaller 2010
- 2010-01-09 09:23 . 2010-01-09 09:23 -------- d-----w- c:\program files\Windows Media Connect 2
- 2010-01-07 15:07 . 2010-01-20 10:06 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
- 2010-01-07 15:07 . 2010-01-20 10:06 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
- 2009-12-31 16:50 . 2008-04-14 03:45 353792 ----a-w- c:\windows\system32\drivers\srv.sys
- 2009-12-21 19:14 . 2008-04-23 04:40 916480 ----a-w- c:\windows\system32\wininet.dll
- 2009-12-16 18:43 . 2007-05-12 07:18 343040 ----a-w- c:\windows\system32\mspaint.exe
- 2009-12-14 07:08 . 2008-04-14 08:41 33280 ----a-w- c:\windows\system32\csrsrv.dll
- 2009-12-08 19:27 . 2008-04-14 03:57 2189184 ------w- c:\windows\system32\ntoskrnl.exe
- 2009-12-08 18:43 . 2008-04-14 00:01 2066048 ------w- c:\windows\system32\ntkrnlpa.exe
- 2008-09-26 10:08 . 2008-04-24 11:46 2516 --sha-w- c:\windows\system32\KGyGaAvL.sys
- .
- ------- Sigcheck -------
- [-] 2008-04-23 . 362BC5AF8EAF712832C58CC13AE05750 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
- .
- ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
- .
- .
- *Note* empty entries & legit default entries are not shown
- REGEDIT4
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
- "nwiz"="nwiz.exe" [2006-10-31 1622016]
- "egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2009-03-19 2029640]
- "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-31 7634944]
- "ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-10-17 1037192]
- [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
- "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
- [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
- "nltide_2"="shell32" [X]
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
- @="Driver"
- [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
- 2008-04-14 08:42 15360 ------w- c:\windows\system32\ctfmon.exe
- [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EasyTuneV]
- 2004-06-14 09:54 200704 ----a-w- c:\program files\Gigabyte\ET5\GUI.exe
- [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (reboot)]
- 2010-01-07 15:07 1394000 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbam.exe
- [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
- "ctfmon.exe"=c:\windows\system32\ctfmon.exe
- [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
- "DisableMonitoring"=dword:00000001
- [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
- "%windir%\\system32\\sessmgr.exe"=
- "c:\\Program Files\\Messenger\\msmsgs.exe"=
- "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
- "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
- "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
- [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
- "5700:TCP"= 5700:TCP:WWW
- R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [3/19/2009 10:44 AM 107256]
- R1 nod32drv;nod32drv;c:\windows\system32\drivers\nod32drv.sys [3/13/2008 9:25 AM 15424]
- R2 ekrn;ESET Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [3/19/2009 10:44 AM 731840]
- R2 ISWKL;ZoneAlarm ForceField ISWKL;c:\program files\CheckPoint\ZAForceField\ISWKL.sys [10/14/2009 2:30 PM 25208]
- R2 IswSvc;ZoneAlarm ForceField IswSvc;c:\program files\CheckPoint\ZAForceField\ISWSVC.exe [10/14/2009 2:30 PM 476528]
- R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [1/20/2010 11:06 AM 236368]
- R3 icsak;icsak;c:\program files\CheckPoint\ZAForceField\AK\icsak.sys [10/14/2009 2:29 PM 35448]
- R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [1/20/2010 11:06 AM 19160]
- R3 netModUSBService;Service for netMod USB CAPI Driver;c:\windows\system32\drivers\nMUSB.sys [5/20/2007 10:07 AM 59260]
- S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
- S2 cysagl;cysagl;c:\windows\system32\svchost.exe -k netsvcs [4/14/2008 9:42 AM 14336]
- S3 nMtskService;nMtskBar Service;c:\windows\nMtsk.exe [9/2/2009 4:38 PM 90112]
- .
- Contents of the 'Scheduled Tasks' folder
- 2010-02-26 c:\windows\Tasks\1-Click Maintenance.job
- - c:\program files\TuneUp Utilities 2007\SystemOptimizer.exe [2006-12-19 04:51]
- .
- .
- ------- Supplementary Scan -------
- .
- uStart Page = https://www.ebank.nlb.rs/PravnaLica/
- uInternet Connection Wizard,ShellNext = iexplore
- IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
- LSP: c:\windows\system32\imon.dll
- Trusted Zone: lhb.co.rs\www.ebank
- Trusted Zone: nlb.rs\www.ebank
- Trusted Zone: ppbank.com\www.ebank
- DPF: {5D69485C-EAB1-42AE-93C1-B5A53F238C5A} - hxxps://www.ebank.nlb.rs/DLL/FSINT.dll
- DPF: {62CF4D10-EBA7-45DA-ACA0-4B002E8B3A85} - hxxps://nlbklik.nlb.rs/corporate/Pages/Download/CABS/DigitrustApiNetSetPlugIn.cab
- DPF: {7136C6F0-DE59-4AD5-B4A3-CA8B779D035E} - hxxps://nlbklik.nlb.rs/corporate/Pages/Download/CABS/DigitrustApiSetPinPlugin.cab
- DPF: {73848533-39E1-49F1-9363-28054268C094} - hxxps://www.ebank.nlb.rs/DLL/FSINT9.dll
- DPF: {8BA2FE8E-8506-11D4-BFE2-CB5FED326646} - hxxps://www.ebank.nlb.rs/DLL/SAWZip.dll
- DPF: {A42DDE4E-DF36-4592-83B6-CCA28E770ABD} - hxxps://www.ebank.nlb.rs/DLL/EbankingWWW.dll
- DPF: {DC01983E-2FD5-4200-9C3A-755E86413172} - hxxps://nlbklik.nlb.rs/corporate/Pages/Download/CABS/DigitrustApiPKCS11Plugin.cab
- DPF: {E772C6B1-C3D6-4251-990B-1511D7822722} - hxxps://www.ebank.nlb.rs/DLL/EBCSCC2B.dll
- DPF: {EA5E79E5-3E25-46DA-A519-F8FC52B66ADC} - hxxps://www.ebank.nlb.rs/DLL/EBCCDC2.dll
- FF - ProfilePath - c:\documents and settings\Dragan\Application Data\Mozilla\Firefox\Profiles\wavrpthw.Novi\
- FF - prefs.js: browser.startup.homepage - hxxp://b2b.kemoimpex.com/b2b/login.php
- FF - component: c:\program files\CheckPoint\ZAForceField\TrustChecker\components\MozillaDownload.dll
- FF - component: c:\program files\CheckPoint\ZAForceField\TrustChecker\components\MozillaExtensions.dll
- FF - component: c:\program files\CheckPoint\ZAForceField\TrustChecker\components\TrustCheckerMozillaPlugin.dll
- FF - plugin: c:\documents and settings\Dragan\Application Data\Mozilla\Firefox\Profiles\wavrpthw.Novi\extensions\ietab@ip.cn\plugins\npCoralIETab.dll
- ---- FIREFOX POLICIES ----
- c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
- c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
- c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
- c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
- c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
- c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
- c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
- c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
- c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
- c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
- c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
- c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
- c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
- c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
- c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
- c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
- c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
- c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
- c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
- c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
- c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
- c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
- c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
- c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
- c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
- c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
- c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
- c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
- c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
- c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
- c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
- c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
- .
- **************************************************************************
- catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
- Rootkit scan 2010-03-05 10:23
- Windows 5.1.2600 Service Pack 3 NTFS
- scanning hidden processes ...
- c:\windows\system32\zshp1018.exe [2072] 0x833042B0
- scanning hidden autostart entries ...
- scanning hidden files ...
- scan completed successfully
- hidden files: 0
- **************************************************************************
- .
- --------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - - > 'winlogon.exe'(1012)
- c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
- c:\program files\CheckPoint\ZAForceField\AK\icsak.dll
- - - - - - - - > 'lsass.exe'(1068)
- c:\windows\system32\imon.dll
- c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
- c:\program files\CheckPoint\ZAForceField\AK\icsak.dll
- - - - - - - - > 'csrss.exe'(980)
- c:\program files\CheckPoint\ZAForceField\AK\akconsole.dll
- .
- Completion time: 2010-03-05 10:25:58
- ComboFix-quarantined-files.txt 2010-03-05 09:25
- Pre-Run: 31,517,995,008 bytes free
- Post-Run: 31,509,626,880 bytes free
- - - End Of File - - 847D1BEB2804C6D6C38E40EDF9610889
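As an added triage helper, not part of the ComboFix output above: a Python script that parses three line shapes from a log in this format, the service entries (`R`/`S` lines), the Sigcheck result and the registry autostart values, and flags the ones a responder would check first. The heuristics are mine, not ComboFix's: a service whose image is `svchost.exe -k <group>` only tells you the host, so the real code has to be resolved from that service's `ServiceDll` value under `HKLM\SYSTEM\CurrentControlSet\Services\<name>\Parameters` (the `cysagl` entry above is the case in point); a `[?]` means ComboFix could not stat the image; a Sigcheck `[-]` marks a system file that did not verify; a `[X]` on an autostart value means the target is not present. The sample input is a few lines copied from this log and embedded so the script runs offline.

```python
import re
from typing import List, Tuple

# Constructed sample: lines copied verbatim from the ComboFix log on this page,
# embedded so the script runs offline against known input.
SAMPLE_LOG = r"""
R2 ekrn;ESET Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [3/19/2009 10:44 AM 731840]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
S2 cysagl;cysagl;c:\windows\system32\svchost.exe -k netsvcs [4/14/2008 9:42 AM 14336]
S3 nMtskService;nMtskBar Service;c:\windows\nMtsk.exe [9/2/2009 4:38 PM 90112]
[-] 2008-04-23 . 362BC5AF8EAF712832C58CC13AE05750 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
"nltide_2"="shell32" [X]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2009-03-19 2029640]
"""

# Service line: <R|S><start type> <name>;<display name>;<image path> [<date> <size>]  (or ... [?])
SERVICE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<image>.*)$"
)
# Sigcheck line: [-] or [+] followed by date, hash, size, version, then the path
SIGCHECK_RE = re.compile(r"^\[(?P<ok>[+-])\]\s+.*?\s(?P<path>[a-z]:\\.*)$", re.IGNORECASE)
# Registry autostart value: "<value>"="<target>" [<date> <size>]  (or [X] when the target is absent)
REG_RE = re.compile(r'^"(?P<value>[^"]+)"="(?P<target>[^"]*)"\s*(?P<info>\[.*\])?$')

Finding = Tuple[str, str, str]  # (category, item, reason)


def triage(log_text: str) -> List[Finding]:
    """Return the entries of a ComboFix-style log that deserve a second look."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue

        m = SERVICE_RE.match(line)
        if m:
            name, image = m.group("name"), m.group("image")
            if "svchost.exe -k" in image.lower():
                # Only the host process is shown; the service's own DLL is named by
                # HKLM\SYSTEM\CurrentControlSet\Services\<name>\Parameters\ServiceDll.
                findings.append((
                    "service", name,
                    "svchost-hosted service; resolve ServiceDll in the registry and check that file",
                ))
            if image.rstrip().endswith("[?]"):
                # ComboFix could not read date/size of the image: file missing or unreadable.
                findings.append(("service", name, "image could not be read on disk ([?])"))
            continue

        m = SIGCHECK_RE.match(line)
        if m:
            if m.group("ok") == "-":
                findings.append((
                    "sigcheck", m.group("path"),
                    "system file failed ComboFix's signature check; compare against a known-good copy",
                ))
            continue

        m = REG_RE.match(line)
        if m:
            if (m.group("info") or "") == "[X]":
                findings.append((
                    "autostart", m.group("value"),
                    "autostart value points at a file that is not present ([X])",
                ))
            continue
    return findings


if __name__ == "__main__":
    for category, item, reason in triage(SAMPLE_LOG):
        print(f"{category:10} {item:40} {reason}")
```

Run it over a full log by replacing `SAMPLE_LOG` with the file contents; entries that parse cleanly and carry no flag are deliberately silent, so the output is the worklist rather than a re-print of the log.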