OK, I left ZoneAlarm enabled and the laptop NOT attached to the internet during the whole process, but allowed ALL actions whenever a ZoneAlarm message popped up (mostly messages of trying to connect to the trusted zone and changes in the registry).
ComboFix executed on reboot (quite a program, this ComboFix).
The results:
ComboFix 07-09-21.2 - "Eigenaar" 2007-09-23 13:02:57.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1043.18.34 [GMT 2:00]
* Created a new restore point
FILE::
C:\WINDOWS\system32\feeefddeeeb.dll
C:\WINDOWS\system32\awtqo.dll
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\feeefddeeeb.dll
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
-------\LEGACY_AXU
-------\LEGACY_EF
-------\AXU
-------\EF
((((((((((((((((((((((((( Files Created from 2007-08-23 to 2007-09-23 )))))))))))))))))))))))))))))))
.
2007-09-22 16:27 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-19 21:25 <DIR> d-------- C:\VundoFix Backups
2007-09-17 21:31 87,808 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2007-09-17 21:31 107,696 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-09-17 21:26 <DIR> d-------- C:\Program Files\Symantec AntiVirus
2007-09-17 21:26 <DIR> d-------- C:\Program Files\Symantec
2007-09-17 21:26 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2007-09-17 21:26 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec
2007-09-17 21:22 <DIR> d-------- C:\Symantec.Antivirus.Corporate.Edition.v10.1.4.4000.x86-jimi
2007-09-17 19:48 28,672 --a------ C:\WINDOWS\system32\drivers\CO_Mon.sys
2007-09-16 19:59 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2007-09-16 18:33 <DIR> d-------- C:\Program Files\RegVac Registry Cleaner
2007-09-15 18:37 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2007-09-15 18:35 700,416 --a------ C:\StubInstaller.exe
2007-09-15 18:19 <DIR> d-------- C:\Program Files\WLAN Card Utilities
2007-09-15 18:19 <DIR> d-------- C:\Program Files\Windows Live Toolbar
2007-09-15 18:19 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2007-09-15 18:05 <DIR> d-------- C:\Program Files\Common Files\Nero
2007-09-15 18:03 <DIR> d-------- C:\Program Files\Common Files\LightScribe
2007-09-15 18:02 <DIR> d-------- C:\Program Files\Common Files\InstallShield
2007-09-15 18:02 <DIR> d-------- C:\Program Files\Common Files\Ahead
2007-09-15 17:56 <DIR> dr-h----- C:\DOCUME~1\Eigenaar\Onlangs geopend
2007-09-15 17:56 <DIR> dr------- C:\DOCUME~1\Eigenaar\Mijn documenten
2007-09-15 17:56 <DIR> d--hs---- C:\DOCUME~1\Eigenaar\UserData
2007-09-15 17:56 <DIR> d--h----- C:\DOCUME~1\Eigenaar\Sjablonen
2007-09-15 17:56 <DIR> d--h----- C:\DOCUME~1\Eigenaar\Netwerkprinteromgeving
2007-09-15 17:56 <DIR> d-------- C:\DOCUME~1\Eigenaar\Shared
2007-09-15 17:43 <DIR> d-------- C:\DOCUME~1\Eigenaar\APPLIC~1\Leadertech
2007-09-15 17:43 <DIR> d-------- C:\DOCUME~1\Eigenaar\APPLIC~1\Help
2007-09-15 17:43 <DIR> d-------- C:\DOCUME~1\Eigenaar\APPLIC~1\Google
2007-09-15 17:43 <DIR> d-------- C:\DOCUME~1\Eigenaar\APPLIC~1\BitTorrent
2007-09-15 17:43 <DIR> d-------- C:\DOCUME~1\Eigenaar\APPLIC~1\Azureus
2007-09-15 17:43 <DIR> d-------- C:\DOCUME~1\Eigenaar\APPLIC~1\AdobeUM
2007-09-15 17:42 <DIR> dr------- C:\DOCUME~1\DEFAUL~1\Menu Start
2007-09-15 17:42 <DIR> dr------- C:\DOCUME~1\ALLUSE~1\Menu Start
2007-09-15 17:42 <DIR> dr------- C:\DOCUME~1\ALLUSE~1\Documenten
2007-09-15 17:42 <DIR> d--hs---- C:\DOCUME~1\ALLUSE~1\DRM
2007-09-15 17:42 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Favorieten
2007-09-15 17:42 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Bureaublad
2007-09-15 17:42 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Windows Live Toolbar
2007-09-15 17:42 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-09-15 17:41 <DIR> d--h----- C:\DOCUME~1\ALLUSE~1\APPLIC~1\CanonBJ
2007-09-15 17:41 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-09-15 17:41 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google
2007-09-15 17:41 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple Computer
2007-09-15 14:00 <DIR> d-------- C:\DOCUME~1\Eigenaar\WINDOWS
2007-09-15 13:46 <DIR> d--h----- C:\DOCUME~1\DEFAUL~1\Onlangs geopend
2007-09-15 13:46 <DIR> d--h----- C:\DOCUME~1\DEFAUL~1\Netwerkprinteromgeving
2007-09-15 13:46 <DIR> d-------- C:\DOCUME~1\DEFAUL~1\Mijn documenten
2007-09-15 13:46 <DIR> d-------- C:\DOCUME~1\DEFAUL~1\Favorieten
2007-09-15 13:46 <DIR> d-------- C:\DOCUME~1\DEFAUL~1\Bureaublad
2007-09-14 20:05 <DIR> d-------- C:\Program Files\Trend Micro
2007-09-11 22:21 <DIR> d-------- C:\Program Files\Lavasoft
2007-09-11 20:58 <DIR> d-------- C:\WINDOWS\ERUNT
2007-09-09 22:45 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-08-07 13:58 8320 --a------ C:\WINDOWS\system32\drivers\AWRTRD.sys
2007-08-07 13:56 9344 --a------ C:\WINDOWS\system32\drivers\NSDriver.sys
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll
2007-06-26 08:10 1104896 --a------ C:\WINDOWS\system32\msxml3.dll
.
((((((((((((((((((((((((((((( snapshot_2007-09-22_164546.35 )))))))))))))))))))))))))))))))))))))))))
.
---h--w 4,212 2007-09-22 14:52:01 C:\WINDOWS\system32\zllictbl.dat
.
---h--w 4,212 2007-09-22 10:04:20 C:\WINDOWS\system32\zllictbl.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SiSPower"="SiSPower.dll" [2005-10-04 20:56 C:\WINDOWS\system32\SiSPower.dll]
"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-10-14 09:11]
"SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" [2004-09-23 12:41]
"Hsfpwcfg.exe"="C:\WINDOWS\Hsfpwcfg.exe" [2004-01-28 10:36]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-09-16 13:12]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50]
"HControl"="C:\WINDOWS\ATK0100\HControl.exe" [2006-04-01 16:38]
"Control Center"="C:\Program Files\WLAN Card Utilities\Center.exe" [2006-03-21 15:52]
"Easy-PrintToolBox"="C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.exe" [2004-01-14 03:10]
"Zone Labs Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2006-05-31 17:52]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-03-24 17:14]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2006-06-15 01:40]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 14:00]
"BitTorrent"="C:\Program Files\BitTorrent\bittorrent.exe" []
C:\DOCUME~1\ALLUSE~1\MENUST~1\PROGRA~1\OPSTAR~1\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2007-09-15 18:18:48]
Utility Tray.lnk - C:\WINDOWS\system32\sistray.exe [2006-04-23 15:13:42]
R3 ASNDIS5;ASNDIS5 Protocol Driver;\??\C:\WINDOWS\system32\ASNDIS5.SYS
R3 HSFHWSIS;HSFHWSIS;C:\WINDOWS\system32\DRIVERS\HSFHWSIS.sys
R3 SISNICXP;SiS PCI Fast Ethernet Adapter Driver for NDIS51;C:\WINDOWS\system32\DRIVERS\sisnicxp.sys
S3 ZD1211BU(ASUS);ASUS ZD1211B IEEE 802.11 b+g Wireless LAN Driver (USB)(ASUS);C:\WINDOWS\system32\DRIVERS\zd1211Bu.sys
*Newly Created Service* - ASNDIS5
.
Contents of the 'Scheduled Tasks' folder
"2007-09-22 13:51:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************
catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2007-09-23 13:16:09
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
**************************************************************************
.
Completion time: 2007-09-23 13:24:55 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-09-22 16:47
C:\ComboFix2.txt ... 2007-09-22 16:47
.
--- E O F ---
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:31:44, on 23-9-2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\WINDOWS\Hsfpwcfg.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\ATK0100\HControl.exe
C:\Program Files\WLAN Card Utilities\Center.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\ATK0100\ATKOSD.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\sistray.exe
C:\Documents and Settings\Eigenaar\Bureaublad\skanneri.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Canon Easy Web Print Helper - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [Hsfpwcfg.exe] C:\WINDOWS\Hsfpwcfg.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HControl] C:\WINDOWS\ATK0100\HControl.exe
O4 - HKLM\..\Run: [Control Center] C:\Program Files\WLAN Card Utilities\Center.exe
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Lokale service')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Netwerkservice')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/Shar ... vSniff.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.mail.live.com/mail/w1/resou ... NPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resourc ... oscan8.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/ ... 586-jc.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b31267.cab
O16 - DPF: {DEB21AD3-FDA4-42F6-B57D-EE696A675EE8} (IPSUploader Control) - http://asp03.photoprintit.de/microsite/ ... loader.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/So ... b31267.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: ASWLSVC - Unknown owner - C:\WINDOWS\system32\ASWLSVC.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
--
End of file - 7826 bytes
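A HijackThis log like the one above is normally read by eye, entry by entry. As an added example that is not part of this post and not code from HijackThis or ComboFix, the Python script below does the first pass of that reading mechanically: it pulls the file path out of each line and flags the entries a helper would look at first. The sample lines are re-typed from the log above so the script runs offline; the three heuristics (an O23 service with no publisher string, an O2 BHO with no display name, and any binary loading from a user-writable profile or Temp directory) are this example's own assumptions about what merits a second look. A hit means "verify this entry", not "this is malware"; Spybot's SDHelper.dll and a renamed scanner on the desktop trip them just as easily as a Vundo DLL would.

```python
import re

# Constructed sample: a few lines in the shape of the HijackThis log in the
# post above (re-typed here so the script runs stand-alone and offline).
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Documents and Settings\Eigenaar\Bureaublad\skanneri.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O23 - Service: ASWLSVC - Unknown owner - C:\WINDOWS\system32\ASWLSVC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

# A quoted path, or an unquoted drive-letter path up to the first binary
# extension; the non-greedy match stops before trailing arguments such as /tray.
PATH_RE = re.compile(r'"([^"]+)"|([A-Za-z]:\\.+?\.(?:exe|dll|sys|ocx))', re.IGNORECASE)

# Locations an ordinary user can write to (a heuristic and an assumption of
# this example): per-user profile directories and any Temp directory.
USER_WRITABLE_RE = re.compile(
    r'\\(?:Documents and Settings|DOCUME~1|Users)\\|\\Temp\\', re.IGNORECASE)


def extract_path(line):
    """Return the first file path found on a HijackThis log line, or None."""
    m = PATH_RE.search(line)
    if not m:
        return None
    return m.group(1) or m.group(2)


def triage(log_text):
    """Return a list of {line, path, reasons} for entries that deserve a second look.

    A hit means 'verify this entry' (publisher, file hash, why it is there),
    not 'this is malware'; legitimate tools trip these heuristics too.
    """
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        path = extract_path(line)
        reasons = []
        # O23: a service whose binary carries no publisher string.
        if line.startswith("O23 ") and "Unknown owner" in line:
            reasons.append("service with no publisher string")
        # O2: a Browser Helper Object that registers no display name.
        if line.startswith("O2 ") and "(no name)" in line:
            reasons.append("BHO without a name")
        # Any entry (process, Run key, service, BHO) loading from a
        # user-writable directory rather than Program Files or system32.
        if path and USER_WRITABLE_RE.search(path):
            reasons.append("binary in a user-writable location")
        if reasons:
            findings.append({"line": line, "path": path, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(f"{', '.join(hit['reasons'])}\n    {hit['line']}")
```

Run against the sample it reports three entries: the desktop executable in the process list, the unnamed BHO, and the ASWLSVC service. The next step for each is the manual one the heuristics cannot do: check the file's publisher and hash, and establish why it is on the machine, before deciding whether it belongs in a fix.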