ComboFix 08-06-20.4 - ngp 2008-06-30 22:11:52.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.936.86.1033.18.213 [GMT 8:00]
Running from: C:\Documents and Settings\ngp\Desktop\ComboFix.exe
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!.
((((((((((((((((((((((((( Files Created from 2008-05-28 to 2008-06-30 )))))))))))))))))))))))))))))))
.
2008-06-29 22:06 . 2008-06-29 22:27 <DIR> d-------- C:\Documents and Settings\ngp\DoctorWeb
2008-06-29 22:05 . 2008-06-29 22:05 <DIR> d-------- C:\Deckard
2008-06-29 17:54 . 2008-06-29 18:03 <DIR> d-------- C:\fixwareout
2008-06-29 14:00 . 2008-06-29 14:00 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\SUPERAntiSpyware.com
2008-06-29 11:29 . 2008-06-29 11:29 <DIR> d-------- C:\VundoFix Backups
2008-06-29 10:10 . 2008-06-29 10:10 <DIR> d-------- C:\WINDOWS\ERUNT
2008-06-29 09:37 . 2008-06-29 10:26 <DIR> d-------- C:\SDFix
2008-06-28 23:44 . 2008-06-28 23:43 410,976 --a------ C:\WINDOWS\system32\deploytk.dll
2008-06-28 23:44 . 2008-06-28 23:43 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-06-28 22:50 . 2008-06-28 22:50 23,600 --a------ C:\WINDOWS\system32\drivers\TVICHW32.SYS
2008-06-28 22:37 . 2008-06-28 22:37 <DIR> d-------- C:\Program Files\CCleaner
2008-06-28 19:39 . 2008-06-29 14:38 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-28 19:39 . 2008-06-28 19:39 <DIR> d-------- C:\Documents and Settings\ngp\Application Data\Malwarebytes
2008-06-28 19:39 . 2008-06-28 19:39 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Malwarebytes
2008-06-28 19:39 . 2008-06-28 14:16 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-06-28 19:39 . 2008-06-28 14:16 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-06-20 18:58 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-06-20 18:58 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-06-12 21:03 . 2008-06-12 21:03 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\PPLive
2008-06-09 19:10 . 2008-06-09 21:36 297 --a------ C:\WINDOWS\system32\admshare.dat
2008-06-09 19:07 . 2008-06-09 19:07 <DIR> d-------- C:\Program Files\KuGou
2008-06-09 19:07 . 2008-06-27 22:46 <DIR> d-------- C:\Program Files\Google
2008-06-09 19:07 . 2008-06-09 21:36 <DIR> d-------- C:\Documents and Settings\ngp\Application Data\BITS
2008-06-09 19:05 . 2008-06-09 19:05 <DIR> d-------- C:\Program Files\FlashGet Network
2008-05-31 20:16 . 2008-06-16 00:13 <DIR> d-------- C:\Documents and Settings\ngp\Application Data\QQUpdate
2008-05-31 20:04 . 2008-05-31 20:04 <DIR> d-------- C:\WINDOWS\system32\qqedit
2008-05-31 20:04 . 2008-06-16 00:13 <DIR> d-------- C:\Documents and Settings\ngp\Application Data\QQ
2008-05-31 20:03 . 2008-05-31 20:04 <DIR> d-------- C:\Program Files\Tencent
2008-05-30 23:48 . 2008-05-30 23:48 <DIR> d-------- C:\Documents and Settings\ngp\.zone1511
2008-05-30 23:41 . 2007-01-25 11:48 297,984 -ra------ C:\WINDOWS\system32\Midas.dll
2008-05-30 23:40 . 2008-05-30 23:45 <DIR> d-------- C:\Program Files\ZoiPPE
2008-05-15 23:58 . 2008-06-30 22:21 41 --a------ C:\WINDOWS\PCDNSetting.ini
2008-05-15 23:58 . 2008-06-30 22:21 27 --a------ C:\WINDOWS\ppssg.ini
2008-05-14 22:51 . 2008-06-22 23:19 45 --a------ C:\WINDOWS\msgtn.ini
2008-05-14 22:48 . 2008-05-14 22:48 <DIR> d-------- C:\WINDOWS\system32\backup
2008-05-07 00:16 . 2008-05-09 21:59 204 --a------ C:\WINDOWS\struct~.ini
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-29 15:28 --------- d-----w C:\Program Files\PPStream
2008-06-29 06:00 --------- d-----w C:\Program Files\SUPERAntiSpyware
2008-06-28 20:32 --------- d-----w C:\Program Files\PPLive
2008-06-28 15:43 --------- d-----w C:\Program Files\Java
2008-06-24 00:35 --------- d-----w C:\Documents and Settings\ngp\Application Data\Skype
2008-06-22 13:45 --------- d-----w C:\Documents and Settings\ngp\Application Data\ppStream
2008-06-16 10:21 --------- d-----w C:\Program Files\UitvDll
2008-06-12 08:39 --------- d-----w C:\Documents and Settings\ngp\Application Data\VoipCheapCom
2008-06-10 07:05 --------- d-----w C:\Program Files\VTTV
2008-05-27 13:54 --------- d-----w C:\Program Files\KULflights
2008-05-06 16:15 --------- d-----w C:\Program Files\MSN Messenger
2008-04-30 13:54 --------- d-----w C:\Program Files\同花顺2008
2008-04-28 16:10 --------- d-----w C:\Program Files\亿诺软件
2008-04-28 15:13 --------- d-----w C:\Documents and Settings\ngp\Application Data\Coopen
2008-04-28 15:13 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Coopen
2008-04-28 15:09 --------- d-----w C:\Program Files\开屏桌面画报
.
------- Sigcheck -------
2006-04-20 20:18 360576 b2220c618b42a2212a59d91ebd6fc4b4 C:\WINDOWS\$hf_mig$\KB917953\SP2QFE\tcpip.sys
2008-05-14 22:48 359040 ebeab4c47642cd68d7fd23187eeca1b0 C:\WINDOWS\system32\backup\tcpip.sys
2004-08-04 20:00 359040 9f4b36614a0fc234525ba224957de55c C:\WINDOWS\system32\dllcache\tcpip.sys
2004-08-04 20:00 359040 3bb4b08619c111c7be8bda07aa0de6a2 C:\WINDOWS\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((( snapshot@2008-06-29_12.44.24.18 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-29 04:39:32 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-30 14:15:45 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2007-11-20 08:04:32 1,523,536 ----a-w C:\WINDOWS\Downloaded Program Files\FP_AX_CAB_INSTALLER.exe
+ 2008-03-24 11:33:02 1,527,056 ----a-w C:\WINDOWS\Downloaded Program Files\FP_AX_CAB_INSTALLER.exe
+ 2008-03-25 02:32:44 218,496 ----a-r C:\WINDOWS\system32\Macromed\Flash\FlashUtil9f.exe
- 2008-01-29 14:17:11 74,649 ----a-w C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
+ 2008-06-30 12:57:24 74,649 ----a-w C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
+ 2008-06-30 14:17:07 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_324.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
2008-06-28 23:43 34816 --a------ C:\Program Files\Java\jre6\bin\jp2ssv.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
2008-06-28 23:43 73728 --a------ C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 20:00 15360]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2005-10-25 06:53 307200]
"ProxyWay"="C:\Program Files\ProxyWay\proxyway.exe" [ ]
"VoipCheapCom"="C:\Program Files\VoipCheapCom\VoipCheapCom.exe" [ ]
"PPS Accelerator"="C:\Program Files\PPStream\ppsap.exe" [2008-04-24 18:09 162976]
"BitTorrent"="C:\Program Files\BitTorrent\bittorrent.exe" [ ]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-08-13 16:05 122939]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 16:01 110592]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-04-26 23:04 53248]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 14:59 385024]
"McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" [2004-09-21 22:00 135224]
"ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" [2004-09-23 11:00 94208]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 20:00 208952]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 20:00 59392]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 20:00 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 20:00 455168]
"yyxxi"="C:\Program Files\yyxxi\English.exe" [2007-01-02 15:15 0]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd.exe" [2003-08-04 17:28 49152]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 08:38 241664]
"DXDllRegExe"="dxdllreg.exe" []
"TBLFUNC"="tblmouse.exe" [2001-08-21 13:56 49152 C:\WINDOWS\system32\tblmouse.exe]
"IMEKRMIG6.1"="C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-04 20:00 44032]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-21 01:35 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-21 01:32 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-21 01:36 114688]
"UUCallMini"="C:\Documents and Settings\ngp\Local Settings\Temporary Internet Files\Content.IE5\J94SOQ5U\UUCall%E7%BD%91%E7%BB%9C%E7%94%B5%E8%AF%9D3[1].exe" [ ]
"D-Link Air Utility"="C:\Program Files\D-Link\Air Utility\AirCFG.exe" [2003-06-26 18:13 2695168]
"GCXX-Manager-Class"="C:\Program Files\Sony Ericsson\Wireless Manager\GCXXManager.exe" [2004-11-24 11:06 802921]
"Skype"="C:\Program Files\skype\Phone\Skype.exe" [ ]
"leeboo.exe"="C:\Program Files\Leeboo\leeboo.exe" [ ]
"SunJavaUpdateSched"="C:\Program Files\Java\jre6\bin\jusched.exe" [2008-06-28 23:43 136600]
"udtablet"="C:\WINDOWS\udtablet\UDSetup.EXE" [2001-10-29 18:52 32768]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2005-04-25 13:45 36040]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"tscuninstall"="C:\WINDOWS\system32\tscupgrd.exe" [2004-08-04 20:00 44544]
C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-24 13:05:26 29696]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 0 (0x0)
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-06-29 14:00 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL 2008-06-29 14:00 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
C:\Program Files\Intel\Wireless\Bin\LgNotify.dll 2004-09-07 16:08 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"C:\\Program Files\\PPStream\\PPStream.exe"=
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=
"C:\\Program Files\\Skype1\\Phone\\Skype.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\VoipStunt.com\\VoipStunt\\VoipStunt.exe"=
"C:\\Program Files\\PPLive\\PPLive.exe"=
"C:\\Program Files\\PPStream\\PPSAP.exe"=
"C:\\Program Files\\FlashGet Network\\Flashget\\LiveUpdateEx.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5060:UDP"= 5060:UDP:G
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundRouterRequest"= 1 (0x1)
"AllowRedirect"= 1 (0x1)
"AllowInboundEchoRequest"= 1 (0x1)
"AllowInboundTimestampRequest"= 1 (0x1)
"AllowInboundMaskRequest"= 1 (0x1)
"AllowOutboundDestinationUnreachable"= 1 (0x1)
"AllowOutboundSourceQuench"= 1 (0x1)
"AllowOutboundParameterProblem"= 1 (0x1)
"AllowOutboundTimeExceeded"= 1 (0x1)
"AllowOutboundPacketTooBig"= 1 (0x1)
R2 JavaQuickStarterService;Java Quick Starter;"C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf" []
R2 NIOC;NIOC Service;C:\WINDOWS\system32\NIOC.SYS [2002-09-27 18:21]
R2 UiPlayer;Windows Network Media Service;C:\Program Files\UitvDll\msrv.exe [2007-11-30 15:46]
R2 WZCBDLService;WZCBDL Service;"C:\Program Files\WZCBDL Service\WZCBDLS.exe" [2002-03-19 12:15]
R3 GTIPCI21;GTIPCI21;C:\WINDOWS\system32\DRIVERS\gtipci21.sys [2005-06-01 02:46]
S3 SEMWModem;Sony Ericsson SEMWModem;C:\WINDOWS\system32\DRIVERS\GCXX.sys [2004-11-05 19:08]
S3 SEMWWNIC;Sony Ericsson SEMWWNIC;C:\WINDOWS\system32\DRIVERS\GCXXNet.sys [2004-11-05 19:08]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{309a1df2-bdd2-11db-a216-00166f7503a0}]
\Shell\AutoRun\command - F:\idstick.exe
.
Contents of the 'Scheduled Tasks' folder
"2008-06-30 14:18:51 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.netRootkit scan 2008-06-30 22:21:14
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe
C:\WINDOWS\system32\scardsvr.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\Wt32exe.exe
C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe
C:\Program Files\Intel\Wireless\Bin\ZCfgSvc.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\system32\conime.exe
C:\WINDOWS\system32\igfxsrvc.exe
.
**************************************************************************
.
Completion time: 2008-06-30 22:23:43 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-30 14:23:38
ComboFix2.txt 2008-06-29 05:44:06
ComboFix3.txt 2008-06-29 04:44:41
Pre-Run: 7,788,777,472 bytes free
Post-Run: 7,806,238,720 bytes free
219 --- E O F --- 2008-06-27 17:18:14
