ComboFix 08-10-02.04 - User 2008-10-03 12:35:48.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.569 [GMT 10:00]
Running from: C:\Documents and Settings\User\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\User\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\MSINET.oca
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_MCHINJDRV
-------\Legacy_NPF
-------\Service_NPF
((((((((((((((((((((((((( Files Created from 2008-09-03 to 2008-10-03 )))))))))))))))))))))))))))))))
.
2008-10-03 12:25 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-10-03 12:24 . 2008-10-03 12:25 <DIR> d-------- C:\Program Files\Java
2008-10-03 12:24 . 2008-10-03 12:24 <DIR> d-------- C:\Program Files\Common Files\Java
2008-10-03 08:35 . 2008-10-03 08:35 <DIR> d-------- C:\Program Files\CCleaner
2008-10-02 19:29 . 2008-10-02 19:58 <DIR> d-------- C:\WINDOWS\system32\CatRoot_bak
2008-10-02 18:54 . 2008-10-02 18:54 <DIR> d-------- C:\WINDOWS\ERUNT
2008-10-02 18:30 . 2008-10-03 12:13 <DIR> d-------- C:\SDFix
2008-10-02 11:32 . 2008-10-02 11:32 <DIR> d-------- C:\Documents and Settings\All Users\Symantec Temporary Files
2008-10-02 11:01 . 2008-10-02 12:10 <DIR> d-------- C:\Documents and Settings\User\Application Data\Symantec
2008-10-02 10:59 . 2008-10-02 10:59 <DIR> d-------- C:\Program Files\Windows Sidebar
2008-10-02 10:58 . 2008-10-02 11:39 <DIR> d-------- C:\Program Files\Norton 360 Premier Edition
2008-10-02 10:57 . 2008-10-02 11:18 123,952 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-10-02 10:57 . 2008-10-02 11:18 60,800 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2008-10-02 10:57 . 2008-10-02 11:18 10,671 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-10-02 10:57 . 2008-10-02 11:18 805 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-10-02 10:56 . 2008-10-02 11:18 <DIR> d-------- C:\Program Files\Symantec
2008-10-02 10:56 . 2008-10-02 13:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2008-10-02 10:55 . 2008-10-03 12:40 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2008-09-06 15:31 . 2008-09-06 15:31 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Avanquest
2008-09-06 15:30 . 2008-09-06 15:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\BVRP Software
2008-09-06 15:29 . 2008-09-06 15:29 <DIR> dr-hs---- C:\_Backup.RC
2008-09-06 15:29 . 2008-10-02 10:40 <DIR> d--h----- C:\_Backup
2008-09-06 15:27 . 2008-09-06 15:27 <DIR> d-------- C:\Program Files\Avanquest
2008-09-06 15:27 . 2008-09-06 15:27 <DIR> d-------- C:\Documents and Settings\User\Application Data\Avanquest
2008-09-05 09:39 . 2008-09-05 09:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\f-secure
2008-09-05 08:50 . 2008-09-05 08:50 <DIR> d-------- C:\Documents and Settings\Administrator
2008-09-05 07:57 . 2008-09-05 07:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ESET
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-03 02:42 --------- d-----w C:\Documents and Settings\User\Application Data\Skype
2008-10-03 02:14 --------- d-----w C:\Documents and Settings\User\Application Data\skypePM
2008-10-02 22:46 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-10-02 22:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-10-02 09:39 --------- d-----w C:\Program Files\Spyware Doctor
2008-09-27 04:05 77,824 ----a-w C:\WINDOWS\system32\kdfapi.dll
2008-09-27 04:05 722,472 ----a-w C:\WINDOWS\system32\kdfmgr.exe
2008-09-27 04:05 53,248 ----a-w C:\WINDOWS\system32\Kdfhok.dll
2008-09-27 04:05 192,512 ----a-w C:\WINDOWS\system32\kdfvmgr.exe
2008-09-27 01:14 81,288 ----a-w C:\WINDOWS\system32\drivers\iksyssec.sys
2008-09-27 01:14 66,952 ----a-w C:\WINDOWS\system32\drivers\iksysflt.sys
2008-09-27 01:14 40,840 ----a-w C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-09-27 01:14 --------- d-----w C:\Program Files\Malwarebytes' Anti-Malware
2008-09-09 14:04 38,528 ----a-w C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-09-09 14:03 17,200 ----a-w C:\WINDOWS\system32\drivers\mbam.sys
2008-09-06 05:23 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-09-01 11:54 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-09-01 11:17 --------- d-----w C:\Program Files\Lavasoft
2008-09-01 11:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-09-01 10:38 --------- d-----w C:\Program Files\RegFix Mantra
2008-09-01 10:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-09-01 06:29 --------- d-----w C:\Documents and Settings\User\Application Data\Malwarebytes
2008-09-01 06:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-31 06:41 --------- d-----w C:\Program Files\DNA
2008-08-31 02:12 --------- d-----w C:\Program Files\Exterminate It!
2008-08-31 01:59 --------- d-----w C:\Documents and Settings\User\Application Data\Sunbelt
2008-08-31 01:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\Sunbelt
2008-08-31 01:58 --------- d-----w C:\Program Files\Sunbelt Software
2008-08-30 13:54 --------- d-----w C:\Program Files\Enigma Software Group
2008-08-30 13:46 --------- d-----w C:\Program Files\SUPERAntiSpyware
2008-08-30 13:46 --------- d-----w C:\Documents and Settings\User\Application Data\SUPERAntiSpyware.com
2008-08-30 13:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-08-30 13:33 --------- d-----w C:\Documents and Settings\User\Application Data\PC Tools
2008-08-30 12:06 --------- d-----w C:\Documents and Settings\User\Application Data\Uniblue
2008-08-30 12:05 --------- dc-h--w C:\Documents and Settings\All Users\Application Data\{2840BBCB-9BEC-47F6-BA0F-10D3C34BF151}
2008-08-30 12:05 --------- d-----w C:\Program Files\Uniblue
2008-08-30 08:29 846,336 ----a-w C:\WINDOWS\system32\kdfinj.dll
2008-08-30 07:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\Trend Micro
2008-08-30 07:40 --------- d-----w C:\Program Files\Trend Micro
2008-08-26 07:20 59,176 ----a-w C:\WINDOWS\system32\sbbd.exe
2008-08-04 01:30 --------- d-----w C:\Documents and Settings\User\Application Data\SPORE Creature Creator
2008-07-18 12:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-18 12:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-18 12:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
2008-07-18 12:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
2008-07-18 12:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-18 12:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-18 12:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-18 12:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-07-14 08:35 107,888 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2008-07-07 20:32 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-04-15 03:20 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
2008-01-06 05:33 1 ----a-w C:\Documents and Settings\User\SI.bin
2005-03-31 11:17 40,960 ----a-w C:\Program Files\Uninstall_CDS.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayExcluded]
@="{4433A54A-1AC8-432F-90FC-85F045CF383C}"
[HKEY_CLASSES_ROOT\CLSID\{4433A54A-1AC8-432F-90FC-85F045CF383C}]
2008-02-26 18:34 576352 --a------ C:\Program Files\Common Files\Symantec Shared\Backup\buShell.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayPending]
@="{F17C0B1E-EF8E-4AD4-8E1B-7D7E8CB23225}"
[HKEY_CLASSES_ROOT\CLSID\{F17C0B1E-EF8E-4AD4-8E1B-7D7E8CB23225}]
2008-02-26 18:34 576352 --a------ C:\Program Files\Common Files\Symantec Shared\Backup\buShell.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayProtected]
@="{476D0EA3-80F9-48B5-B70B-05E677C9C148}"
[HKEY_CLASSES_ROOT\CLSID\{476D0EA3-80F9-48B5-B70B-05E677C9C148}]
2008-02-26 18:34 576352 --a------ C:\Program Files\Common Files\Symantec Shared\Backup\buShell.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-14 1694208]
"Steam"="c:\games\steam\steam.exe" [2008-03-28 1271032]
"Start WingMan Profiler"="C:\Program Files\Logitech\Profiler\lwemon.exe" [2004-04-23 77824]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]
"Veoh"="C:\Mitch and Greg\Greg\Veoh\VeohClient.exe" [2008-02-22 3537968]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2008-04-03 21898024]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-06-29 8466432]
"RemoteControl"="C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" [2003-12-08 32768]
"InCD"="C:\Program Files\Ahead\InCD\InCD.exe" [2005-06-11 1397760]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 155648]
"REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.EXE" [2002-02-04 53248]
"OpwareSE2"="C:\Program Files\Cannon MF5700\Software 1\OpwareSE2.exe" [2003-05-08 49152]
"VirtualCloneDrive"="C:\Games\Mechcommander Gold\VirtualCloneDrive\VCDDaemon.exe" [2006-04-29 94208]
"QuickTime Task"="C:\Mitch and Greg\Greg\Quick Time\qttask.exe" [2007-02-16 282624]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-03-14 257088]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-06-29 81920]
"UfSeAgnt.exe"="C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe" [2008-07-29 1398024]
"SBAMTray"="C:\Program Files\Sunbelt Software\CounterSpy\SBAMTray.exe" [2008-08-26 677160]
"VirusScannerPro"="C:\PROGRA~1\AVANQU~1\Fix-It\MemCheck.exe" [2007-10-12 173312]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-02-19 51048]
"osCheck"="C:\Program Files\Norton 360 Premier Edition\osCheck.exe" [2008-02-27 988512]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"nwiz"="nwiz.exe" [2007-06-29 C:\WINDOWS\system32\nwiz.exe]
C:\Documents and Settings\User\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]
UltimateZip Quick Start.lnk - C:\Demos\UltimateZip\uzqkst.exe [2005-02-26 303616]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-07-23 16:28 352256 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBAMSvc]
@="Service"
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Demos\\Battlefield 2\\BF2.exe"=
"C:\\Demos\\Bet on Soldier Single Player Demo\\BoS.exe"=
"C:\\Games\\Game Spy\\Aphex.exe"=
"C:\\Games\\Little Fighter\\LF2_v1.9c\\lf2.exe"=
"C:\\Demos\\Battlefield 2\\Bf2_w32ded.exe"=
"C:\\Demos\\Battlefield 2\\BF2VoipServer_w32ded.exe"=
"C:\\Demos\\Battlefield 2\\BF2VoipServer.exe"=
"C:\\Games\\Steam\\SteamApps\\audio_stream\\counter-strike source\\hl2.exe"=
"C:\\Program Files\\Caplio Software\\RGateLXP.exe"=
"C:\\Games\\X Fire\\Xfire\\Xfire.exe"=
"C:\\Demos\\LimeWire\\LimeWire.exe"=
"C:\\Mitch and Greg\\Mitch\\LimeWire\\LimeWire.exe"=
"C:\\Demos\\firefox.exe"=
"C:\\Mitch and Greg\\Greg\\ChiChi\\Comet\\BitComet\\BitComet.exe"=
"C:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"C:\\Games\\Never Winter Nights 2\\nwn2main.exe"=
"C:\\Games\\Never Winter Nights 2\\nwn2main_amdxp.exe"=
"C:\\Games\\Never Winter Nights 2\\nwupdate.exe"=
"C:\\Games\\Never Winter Nights 2\\nwn2server.exe"=
"C:\\Games\\Counter-Strike\\cstrike.exe"=
"C:\\Mitch and Greg\\Greg\\pics\\ImagineFX\\3dsMax8\\3dsmax.exe"=
"C:\\Program Files\\Autodesk\\backburner\\monitor.exe"=
"C:\\Program Files\\Autodesk\\backburner\\manager.exe"=
"C:\\Program Files\\Autodesk\\backburner\\server.exe"=
"C:\\Games\\Steam\\Steam.exe"=
"C:\\Program Files\\Sierra On-Line\\SIGSPat.exe"=
"C:\\Mitch and Greg\\Greg\\Miller Stuff\\weird al\\Weird\\CounterStrike2D.exe"=
"C:\\Games\\Mechcommander Gold\\MCX.EXE"=
"C:\\WINDOWS\\system32\\dplaysvr.exe"=
"C:\\Program Files\\MicroProse\\MCX\\MCX.EXE"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=
"C:\\Games\\World of Warcraft\\WoW-1.12.0-enUS-downloader.exe"=
"C:\\Games\\World of Warcraft\\WoW.exe"=
"C:\\Games\\World of Warcraft\\WoW-1.12.x-to-2.0.1-enUS-patch-downloader.exe"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Games\\Soldat\\Soldat.exe"=
"C:\\Mitch and Greg\\Greg\\Bittorent\\BitTorrent\\bittorrent.exe"=
"C:\\Program Files\\BitTorrent_DNA\\dna.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Games\\Warcraft III\\GG-Client\\GGclient.exe"=
"C:\\Mitch and Greg\\Greg\\Veoh\\VeohClient.exe"=
"C:\\Games\\AOWSM\\Age of Wonders Shadow Magic\\AoWSM.exe"=
"C:\\WINDOWS\\system32\\dpnsvr.exe"=
"C:\\Games\\MC2\\Mc2Rel.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8940:TCP"= 8940:TCP:BitComet 8940 TCP
"8940:UDP"= 8940:UDP:BitComet 8940 UDP
"6112:TCP"= 6112:TCP:Port 6112 TCP
"6112:UDP"= 6112:UDP:warcraft3(1)
"6113:TCP"= 6113:TCP:warcaft3
"6114:TCP"= 6114:TCP:warcaft3
"6115:TCP"= 6115:TCP:warcaft4
"6116:TCP"= 6116:TCP:warcaft3
"6117:TCP"= 6117:TCP:warcraft3
"6118:TCP"= 6118:TCP:warcraft3
"6119:TCP"= 6119:TCP:warcraft3
R2 LiveUpdate Notice;LiveUpdate Notice;C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe [2008-02-19 149352]
S2 SBAMSvc;Sunbelt VIPRE Antivirus Service;C:\Program Files\Sunbelt Software\CounterSpy\SBAMSvc.exe [2008-08-26 869672]
S3 COH_Mon;COH_Mon;C:\WINDOWS\system32\Drivers\COH_Mon.sys [2008-07-30 23888]
S3 MailScan;MailScan;C:\PROGRA~1\AVANQU~1\Fix-It\MailScan.sys [2007-10-12 20496]
S3 SBRE;SBRE;C:\WINDOWS\system32\drivers\SBREdrv.sys [2007-11-06 87848]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bdcb93cf-55f8-11dd-b276-0013d3635782}]
\Shell\AutoRun\command - H:\LaunchU3.exe -a
*Newly Created Service* - COMHOST
.
- - - - ORPHANS REMOVED - - - -
HKCU-Run-PowerBar - (no file)
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\9icl1eap.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.com.au/
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.netRootkit scan 2008-10-03 12:41:04
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-10-03 12:47:29 - machine was rebooted
ComboFix-quarantined-files.txt 2008-10-03 02:47:23
Pre-Run: 82,341,744,640 bytes free
Post-Run: 82,276,352,000 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
280 --- E O F --- 2008-10-02 11:54:15