ComboFix 08-04-24.1 - John 2008-04-25 14:20:32.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1361 [GMT -6:00]
Running from: C:\Documents and Settings\John\Desktop\ComboFix.exe
 * Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\awtsSLfF.dll
C:\WINDOWS\system32\bfnhqkdu.dll
C:\WINDOWS\system32\bgmjuvmj.dll
C:\WINDOWS\system32\dgraxkhy.dll
C:\WINDOWS\system32\drjpjdlm.dll
C:\WINDOWS\system32\eejggfdh.dll
C:\WINDOWS\system32\evolsmto.dll
C:\WINDOWS\system32\frvlyrbp.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\MoppYcdd.ini
C:\WINDOWS\system32\MoppYcdd.ini2
C:\WINDOWS\system32\NVGMVvut.ini
C:\WINDOWS\system32\NVGMVvut.ini2
C:\WINDOWS\system32\oasfeuue.dll
C:\WINDOWS\system32\otmslove.ini
C:\WINDOWS\system32\tkhiyedd.ini
C:\WINDOWS\system32\tkhiyedd.ini2
C:\WINDOWS\system32\tkhiyedd.tmp
C:\WINDOWS\system32\tubcngdc.dll
C:\WINDOWS\system32\tuvVMGVN.dll
C:\WINDOWS\system32\Yaycefii.ini
C:\WINDOWS\system32\Yaycefii.ini2
E:\Autorun.inf
.
((((((((((((((((((((((((( Files Created from 2008-03-25 to 2008-04-25 )))))))))))))))))))))))))))))))
.
2008-04-25 13:52 . 2008-04-25 13:52 d-------- C:\Program Files\Trend Micro
2008-04-24 02:36 . 2008-04-24 22:33 1,505,382 --ahs---- C:\WINDOWS\system32\lqsoxcsy.ini
2008-04-24 01:36 . 2008-04-24 01:36 d-------- C:\Program Files\DAEMON Tools Lite
2008-04-24 01:07 . 2008-04-24 01:07 d-------- C:\Program Files\AfkTools
2008-04-24 01:06 . 2008-04-24 22:00 d-------- C:\Program Files\Burnersware
2008-04-23 02:37 . 2008-04-23 23:45 1,540,737 --ahs---- C:\WINDOWS\system32\powehpeo.ini
2008-04-22 02:29 . 2008-04-23 02:29 1,540,617 --ahs---- C:\WINDOWS\system32\eedhbshh.ini
2008-04-22 01:35 . 2008-04-22 01:35 d-------- C:\Program Files\Alwil Software
2008-04-22 01:24 . 2008-04-22 01:24 1,540,617 --ahs---- C:\WINDOWS\system32\nebrqhmb.ini
2008-04-20 21:38 . 2008-04-20 21:38 d-------- C:\Program Files\Spybot - Search & Destroy
2008-04-20 21:38 . 2008-04-20 21:52 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-20 21:38 . 2008-04-22 02:14 1,024 --ah----- C:\Documents and Settings\All Users\ntuser.dat.LOG
2008-04-20 20:47 . 2006-09-18 17:55 109,744 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-04-20 20:47 . 2006-09-18 17:55 48,816 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2008-04-20 20:46 . 2008-04-25 14:27 d-------- C:\Program Files\Symantec AntiVirus
2008-04-20 20:46 . 2008-04-20 20:47 d-------- C:\Program Files\Symantec
2008-04-20 20:10 . 2008-04-20 20:10 d-------- C:\Program Files\Edelweiss
2008-04-20 13:42 . 2008-04-20 19:49 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-20 13:31 . 2008-04-20 20:48 d-------- C:\Program Files\Common Files\Symantec Shared
2008-04-20 13:10 . 2008-04-25 02:30 109,734 --a------ C:\WINDOWS\BM7b475bc0.xml
2008-04-20 13:09 . 2008-04-20 13:09 d-------- C:\Documents and Settings\All Users\Application Data\ATI
2008-04-20 03:23 . 2008-04-20 03:23 d-------- C:\Documents and Settings\John\Application Data\DAEMON Tools Pro
2008-04-20 03:22 . 2008-04-20 20:36 d-------- C:\Program Files\DAEMON Tools Pro
2008-04-19 17:17 . 2008-04-19 17:17 d--h----- C:\WINDOWS\PIF
2008-04-15 15:56 . 2008-04-20 13:08 d-------- C:\Program Files\Google
2008-04-14 21:31 . 2000-08-12 16:13 16,560 --a------ C:\CalcText.exe
2008-04-14 21:22 . 2000-12-08 21:59 122,880 --a------ C:\WINDOWS\UnGins.exe
2008-04-14 21:13 . 2008-04-15 05:26 353 --a------ C:\WINDOWS\Wlink83p.ini
2008-04-14 21:00 . 2008-04-14 21:13 d-------- C:\Program Files\TI Education
2008-04-14 21:00 . 1999-08-30 14:51 9,152 --a------ C:\WINDOWS\system32\drivers\Ticalc.sys
2008-04-14 21:00 . 2008-04-14 21:12 340 --a------ C:\WINDOWS\Wlink83.ini
2008-04-14 01:32 . 2008-04-14 01:32 d-------- C:\Documents and Settings\John\Application Data\DAEMON Tools
2008-04-14 01:32 . 2008-04-14 01:32 717,296 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2008-03-28 23:37 . 2008-03-28 23:37 90,112 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2008-03-28 23:37 . 2008-03-28 23:37 57,344 --a------ C:\WINDOWS\system32\QuickTime.qts
2008-03-28 06:35 . 2008-03-28 06:35 d-------- C:\Program Files\GPLGS
2008-03-28 06:35 . 2008-03-28 06:35 d-------- C:\Program Files\Acro Software
2008-03-28 06:35 . 2007-07-12 22:33 87,552 --a------ C:\WINDOWS\system32\cpwmon2k.dll
2008-03-28 06:34 . 2008-03-28 06:34 d-------- C:\Program Files\BHOK It Consulting
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-25 18:25 --------- d-----w C:\Documents and Settings\John\Application Data\uTorrent
2008-04-25 05:06 --------- d-----w C:\Program Files\FFXI Windower
2008-04-24 22:37 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-21 02:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-04-21 02:25 --------- d-----w C:\Program Files\Lavasoft
2008-04-20 19:09 32,768 ----a-w C:\WINDOWS\system32\xtemp1.exe
2008-04-20 04:13 --------- d-----w C:\Program Files\ATI Technologies
2008-04-09 13:42 --------- d-----w C:\Program Files\QuickTime
2008-04-09 13:42 --------- d-----w C:\Program Files\iTunes
2008-04-09 13:42 --------- d-----w C:\Program Files\iPod
2008-04-02 03:34 --------- d-----w C:\Documents and Settings\John\Application Data\Ahead
2008-03-29 06:21 2,873,856 ----a-w C:\WINDOWS\system32\drivers\ati2mtag.sys
2008-03-29 05:19 9,801,728 ----a-w C:\WINDOWS\system32\atioglx2.dll
2008-03-29 04:40 167,936 ----a-w C:\WINDOWS\system32\atiok3x2.dll
2008-03-29 04:05 372,736 ----a-w C:\WINDOWS\system32\ATIDEMGX.dll
2008-03-29 04:04 299,008 ----a-w C:\WINDOWS\system32\ati2dvag.dll
2008-03-29 03:56 172,032 ----a-w C:\WINDOWS\system32\atipdlxx.dll
2008-03-29 03:56 126,976 ----a-w C:\WINDOWS\system32\Oemdspif.dll
2008-03-29 03:55 43,520 ----a-w C:\WINDOWS\system32\ati2edxx.dll
2008-03-29 03:55 26,112 ----a-w C:\WINDOWS\system32\Ati2mdxx.exe
2008-03-29 03:55 126,976 ----a-w C:\WINDOWS\system32\ati2evxx.dll
2008-03-29 03:54 536,576 ----a-w C:\WINDOWS\system32\ati2evxx.exe
2008-03-29 03:52 53,248 ----a-w C:\WINDOWS\system32\ATIDDC.DLL
2008-03-29 03:43 3,176,480 ----a-w C:\WINDOWS\system32\ati3duag.dll
2008-03-29 03:39 307,200 ----a-w C:\WINDOWS\system32\atiiiexx.dll
2008-03-29 03:36 1,765,120 ----a-w C:\WINDOWS\system32\ativvaxx.dll
2008-03-29 03:24 46,080 ----a-w C:\WINDOWS\system32\amdpcom32.dll
2008-03-29 03:23 5,439,488 ----a-w C:\WINDOWS\system32\atioglxx.dll
2008-03-29 03:21 393,216 ----a-w C:\WINDOWS\system32\atikvmag.dll
2008-03-29 03:19 17,408 ----a-w C:\WINDOWS\system32\atitvo32.dll
2008-03-29 03:18 49,152 ----a-w C:\WINDOWS\system32\drivers\ati2erec.dll
2008-03-29 03:12 520,192 ----a-w C:\WINDOWS\system32\ati2cqag.dll
2008-03-29 03:05 593,920 ----a-w C:\WINDOWS\system32\ati2sgag.exe
2008-03-25 05:32 --------- d-----w C:\Program Files\Microsoft Works
2008-03-25 05:32 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-03-24 10:17 356,352 ----a-w C:\WINDOWS\eSellerateEngine.dll
2008-03-24 10:17 --------- d-----w C:\Program Files\MSN Content Plus
2008-03-19 09:40 1,845,888 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-19 03:58 --------- d-----w C:\Program Files\ASUS
2008-03-19 03:52 --------- d-----w C:\Program Files\CCleaner
2008-03-17 10:55 --------- d-----w C:\Program Files\uTorrent
2008-03-17 06:06 --------- d-----w C:\Program Files\Java
2008-03-17 02:46 --------- d-----w C:\Program Files\MSECache
2008-03-12 08:07 --------- d-----w C:\Program Files\ATI
2008-03-12 07:48 --------- d-----w C:\Documents and Settings\John\Application Data\ATI
2008-03-12 07:45 --------- d-----w C:\Program Files\iTunes Keys
2008-03-12 07:08 --------- d-----w C:\Program Files\Common Files\ATI Technologies
2008-03-12 01:53 --------- d-----w C:\Program Files\Bonjour
2008-03-12 00:27 --------- d-----w C:\Program Files\My Company Name
2008-03-12 00:26 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-03-10 03:01 --------- d-----w C:\Documents and Settings\John\Application Data\Intervideo
2008-03-10 03:00 --------- d-----w C:\Program Files\InterVideo
2008-03-10 03:00 --------- d-----w C:\Program Files\Common Files\InterVideo
2008-03-10 02:56 --------- d-----w C:\Program Files\Adaptec
2008-03-10 01:10 --------- d-----w C:\Documents and Settings\John\Application Data\Apple Computer
2008-02-26 13:31 --------- d-----w C:\Documents and Settings\John\Application Data\ZIM Corporation
2008-02-26 13:31 --------- d-----w C:\Documents and Settings\John\Application Data\vlc
2008-02-26 13:31 --------- d-----w C:\Documents and Settings\John\Application Data\SonyEricsson
2008-02-26 13:31 --------- d-----w C:\Documents and Settings\John\Application Data\Skype
2008-02-26 13:30 --------- d-----w C:\Documents and Settings\John\Application Data\Roxio
2008-02-26 13:30 --------- d-----w C:\Documents and Settings\John\Application Data\Nero
2008-02-26 13:29 --------- d-----w C:\Documents and Settings\John\Application Data\Media Player Classic
2008-02-26 13:29 --------- d-----w C:\Documents and Settings\John\Application Data\Echo Software
2008-02-26 13:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\Sonic
2008-02-26 10:47 --------- d-----w C:\Program Files\PlayOnline
2008-02-26 10:47 --------- d-----w C:\Program Files\Pegasys Inc
2008-02-26 10:47 --------- d-----w C:\Program Files\Padus
2008-02-26 10:47 --------- d-----w C:\Program Files\NtreevSoft
2008-02-26 10:47 --------- d-----w C:\Program Files\Nexon
2008-02-26 10:47 --------- d-----w C:\Program Files\MSN Messenger
2008-02-26 10:47 --------- d-----w C:\Program Files\MP3 Player Utilities 4.03
2008-02-26 10:46 --------- d-----w C:\Program Files\MP3 Player Utilities 3.68
2008-02-26 10:46 --------- d-----w C:\Program Files\MP3 Player Utilities
2008-02-26 10:46 --------- d-----w C:\Program Files\mIRC
2008-02-26 10:46 --------- d-----w C:\Program Files\Matroska Pack
2008-02-26 10:46 --------- d-----w C:\Program Files\M3 GAME Manager
2008-02-26 10:46 --------- d-----w C:\Program Files\LimeWire
2008-02-26 10:45 --------- d-----w C:\Program Files\ImgBurn
2008-02-26 10:45 --------- d-----w C:\Program Files\FineBytes
2008-02-26 10:45 --------- d-----w C:\Program Files\EO Video
2008-02-26 10:45 --------- d-----w C:\Program Files\DVDFab Decrypter
2008-02-26 10:45 --------- d-----w C:\Program Files\DVD Shrink
2008-02-26 10:45 --------- d-----w C:\Program Files\DVD Decrypter
2008-02-26 10:45 --------- d-----w C:\Program Files\DVD-RAM
2008-02-26 10:45 --------- d-----w C:\Program Files\DivX
2008-02-26 10:45 --------- d-----w C:\Program Files\DefilerPak
2008-02-26 10:45 --------- d-----w C:\Program Files\Datel
2008-02-26 10:44 --------- d-----w C:\Program Files\Common Files\L&H
2008-02-26 10:44 --------- d-----w C:\Program Files\Common Files\Java
2008-02-26 10:44 --------- d-----w C:\Program Files\Codec Pack - All In 1
2008-02-26 10:41 --------- d-----w C:\Program Files\Cloudbrain
2008-02-26 10:41 --------- d-----w C:\Program Files\CDisplay
2008-02-26 10:41 --------- d-----w C:\Program Files\AoA Audio Extractor
2008-02-26 10:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\InterVideo
2008-02-26 10:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\BVRP Software
2008-02-26 10:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\Adobe Systems
2008-02-21 03:40 315,392 ----a-w C:\WINDOWS\HideWin.exe
2008-02-20 18:49 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-20 06:52 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-12 07:09 218,624 ----a-w C:\WINDOWS\system32\uxtheme.dll
2007-01-21 10:36 15,418,337 --sh--w C:\WINDOWS\Web\webpt\joints.ppt.zip
2007-01-21 11:29 19,696,325 --sh--w C:\WINDOWS\Web\webpt\muscles.ppt.zip
2007-01-21 11:02 13,016,792 --sh--w C:\WINDOWS\Web\webpt\osteology.ppt.zip
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4020100D-29D7-4392-AFD5-5AD713FF4B88}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{41DDC6E4-C3F4-4A4A-813D-E57DE1F74D2D}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{713170B0-362F-4858-B28F-956893F732A6}]
C:\WINDOWS\system32\iifecyaY.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BC676082-F500-4DA5-94B7-0325DD594723}]
C:\WINDOWS\system32\ddcYppoM.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00 15360]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 01:04 5724184]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"SpybotDeletingD4861"="cmd /c del C:\WINDOWS\system32\icuvwidi.dll_old" [ ]
"SpybotDeletingB3573"="command /c del C:\WINDOWS\system32\iifecyaY.dll_old" [ ]
"SpybotDeletingD9758"="cmd /c del C:\WINDOWS\system32\iifecyaY.dll_old" [ ]
"SpybotDeletingB8954"="command /c del C:\WINDOWS\system32\vtxyxvqa.dll_old" [ ]
"SpybotDeletingD1865"="cmd /c del C:\WINDOWS\system32\vtxyxvqa.dll_old" [ ]
"SpybotDeletingB2107"="command /c del C:\WINDOWS\system32\icuvwidi.dll_old" [ ]
"SpybotDeletingD6"="cmd /c del C:\WINDOWS\system32\icuvwidi.dll_old" [ ]
"SpybotDeletingB4874"="command /c del C:\WINDOWS\system32\iifecyaY.dll_old" [ ]
"SpybotDeletingD6413"="cmd /c del C:\WINDOWS\system32\iifecyaY.dll_old" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinampAgent"="C:\Program Files\Winamp\Winampa.exe" [2003-04-01 20:20 12288]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-07-19 19:26 52896]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2006-09-27 20:33 125168]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awtsSLfF]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= C:\PROGRA~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll
"vidc.asv2"= asusasv2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\NetMeeting\\conf.exe"=
"C:\\Program Files\\PlayOnline\\SquareEnix\\PlayOnlineViewer\\pol.exe"=
"C:\\Program Files\\uTorrent\\utorrent.exe"=
"C:\\WINDOWS\\system32\\dxdiag.exe"=
"C:\\WINDOWS\\system32\\rtcshare.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"139:TCP"= 139:TCP:@xpsp2res.dll,-22004
"515:TCP"= 515:TCP:OS X Printer

R2 TICalc;TICalc;C:\WINDOWS\system32\drivers\TICalc.sys [1999-08-30 14:51]
S3 asusgsb;ASUS Virtual Video Capture Device Driver;C:\WINDOWS\system32\drivers\asusgsb.sys [2007-08-28 10:58]
S3 ASUSVRC;ASUSTeK Virtual Capture Device;C:\WINDOWS\system32\DRIVERS\AsusVRC.sys [2007-01-29 17:12]
S3 Video3D;ASUS Video3D Service;C:\WINDOWS\system32\Drivers\Video3D32.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\Auto\command - Recycled\cleardisk.pif
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled\cleardisk.pif

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{eaff1a59-0a99-11dd-a6d5-001bfcae0ed9}]
\Shell\AutoRun\command - G:\SETUP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"C:\Program Files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder
"2008-04-21 19:12:03 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-02-21 20:43:49 C:\WINDOWS\Tasks\Microsoft_Hardware_Launch_IType_exe.job"
- C:\Program Files\Microsoft IntelliType Pro\itype.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-25 14:26:41
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-04-25 14:30:04 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-25 20:30:01

Pre-Run: 519,702,360,064 bytes free
Post-Run: 519,664,951,296 bytes free

283 --- E O F --- 2008-04-11 14:55:51
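What a triage script pulls out of a log like the one above, as an added example (the editor's code, not ComboFix's output and not part of the original post). It parses a constructed excerpt of the posted log and flags the things a helper would look at first: 8-letter system32 names whose reverse also appears in the log (ddcYppoM.dll / MoppYcdd.ini, iifecyaY.dll / Yaycefii.ini, tuvVMGVN.dll / NVGMVvut.ini, and evolsmto.dll / otmslove.ini in the full list), a pairing that removal guides of the period associated with the Vundo/Virtumonde family; hidden+system .ini files in system32 still being created day after day (--ahs----); a Winlogon\Notify subkey named after a DLL ComboFix already deleted (awtsSLfF); BHO CLSIDs that resolve to system32 DLLs; and MountPoints2 AutoRun commands for removable drives (Recycled\cleardisk.pif on E:, SETUP.EXE on G:). Section banners and line formats are taken from the log; the function names, regexes and thresholds are the editor's assumptions.

```python
# Triage for a ComboFix log. Added example: not ComboFix's code and not part of
# the original post. SAMPLE_LOG is a constructed excerpt of the posted log.
import re

SAMPLE_LOG = r"""
((((((((((((((( Other Deletions )))))))))))))))
.
C:\WINDOWS\system32\awtsSLfF.dll
C:\WINDOWS\system32\MoppYcdd.ini
C:\WINDOWS\system32\NVGMVvut.ini
C:\WINDOWS\system32\tuvVMGVN.dll
C:\WINDOWS\system32\Yaycefii.ini
E:\Autorun.inf
((((((((((((((( Files Created from 2008-03-25 to 2008-04-25 )))))))))))))))
2008-04-24 02:36 . 2008-04-24 22:33 1,505,382 --ahs---- C:\WINDOWS\system32\lqsoxcsy.ini
2008-04-22 01:35 . 2008-04-22 01:35 d-------- C:\Program Files\Alwil Software
((((((((((((((( Reg Loading Points )))))))))))))))
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{713170B0-362F-4858-B28F-956893F732A6}]
C:\WINDOWS\system32\iifecyaY.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BC676082-F500-4DA5-94B7-0325DD594723}]
C:\WINDOWS\system32\ddcYppoM.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awtsSLfF]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\Auto\command - Recycled\cleardisk.pif
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled\cleardisk.pif
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{eaff1a59-0a99-11dd-a6d5-001bfcae0ed9}]
\Shell\AutoRun\command - G:\SETUP.EXE
"""

# Line shapes as ComboFix prints them (section banner, file entry, registry keys).
HEADER = re.compile(r"^\(+\s*(.+?)\s*\)+$")
SYS32_8 = re.compile(r"^C:\\WINDOWS\\system32\\([A-Za-z]{8})\.(dll|ini2?|tmp)$", re.I)
CREATED = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d \. \d{4}-\d\d-\d\d \d\d:\d\d\s+(?:[\d,]+\s+)?([-a-z]{9})\s+(.+)$")
NOTIFY = re.compile(r"^\[HKEY_LOCAL_MACHINE\\software\\microsoft\\windows nt\\currentversion\\winlogon\\notify\\([^\]]+)\]$", re.I)
BHO = re.compile(r"^\[HKEY_LOCAL_MACHINE\\~\\Browser Helper Objects\\(\{[0-9A-Fa-f-]+\})\]$")
MOUNT = re.compile(r"^\[HKEY_CURRENT_USER\\software\\microsoft\\windows\\currentversion\\explorer\\mountpoints2\\([^\]]+)\]$", re.I)
SHELL = re.compile(r"^\\Shell\\(\w+)\\command - (.+)$")


def sections(log):
    """Banner title -> body lines, skipping blanks and the '.' separators."""
    out, cur = {}, None
    for line in map(str.strip, log.splitlines()):
        m = HEADER.match(line)
        if m:
            cur = m.group(1)
            out[cur] = []
        elif cur and line not in ("", "."):
            out[cur].append(line)
    return out


def reversed_name_pairs(log):
    """8-letter system32 file stems where one is the other spelled backwards."""
    seen = {}  # lower-case stem -> stem as printed
    for line in map(str.strip, log.splitlines()):
        m = SYS32_8.match(line)
        if m:
            seen.setdefault(m.group(1).lower(), m.group(1))
    return [(seen[s], seen[s[::-1]]) for s in sorted(seen)
            if s[::-1] in seen and s < s[::-1]]


def hidden_system_files(log):
    """'Files Created' entries (not directories) with hidden and system set."""
    return [m.group(2) for m in map(CREATED.match, map(str.strip, log.splitlines()))
            if m and not m.group(1).startswith("d") and {"h", "s"} <= set(m.group(1))]


def orphaned_notify_keys(log):
    """Winlogon\\Notify subkeys whose DLL is in the 'Other Deletions' list."""
    deleted = {p.rsplit("\\", 1)[-1].lower() for p in sections(log).get("Other Deletions", [])}
    return [m.group(1) for m in map(NOTIFY.match, map(str.strip, log.splitlines()))
            if m and m.group(1).lower() + ".dll" in deleted]


def bho_dlls(log):
    """CLSID -> DLL path for BHOs that ComboFix printed with a file path."""
    out, pending = {}, None
    for line in map(str.strip, log.splitlines()):
        m = BHO.match(line)
        if m:
            pending = m.group(1)
        elif pending and line and not line.startswith("["):
            out[pending], pending = line, None  # path follows the key line
        else:
            pending = None
    return out


def mountpoint_autoruns(log):
    """(mount point, verb, command) for every MountPoints2 shell command."""
    out, cur = [], None
    for line in map(str.strip, log.splitlines()):
        m, s = MOUNT.match(line), SHELL.match(line)
        if m:
            cur = m.group(1)
        elif s and cur:
            out.append((cur, s.group(1), s.group(2)))
        elif line.startswith("["):
            cur = None  # a different key ends the mount point block
    return out


def triage(log):
    """All findings in one dict; any non-empty value deserves a look."""
    return {"reversed_pairs": reversed_name_pairs(log),
            "hidden_system_files": hidden_system_files(log),
            "orphaned_notify": orphaned_notify_keys(log),
            "bho_dlls": bho_dlls(log),
            "autorun": mountpoint_autoruns(log)}


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

Run against the excerpt it reports three reversed pairs, one hidden+system .ini, the orphaned awtsSLfF Notify key, two BHO DLLs and three AutoRun commands; feed it the full log instead of SAMPLE_LOG and the evolsmto/otmslove pair and the other --ahs---- .ini files show up too. The Notify check matters because ComboFix deleted awtsSLfF.dll but the registry key that loads it is still listed, and a leftover Notify entry pointing at a missing DLL is a cleanup item in its own right.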