ComboFix 08-04-24.1 - John 2008-04-27 2:50:50.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1400 [GMT -6:00]
Running from: C:\Documents and Settings\John\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\John\Desktop\cfscript.txt
 * Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\system32\ddcYppoM.dll
C:\WINDOWS\system32\eedhbshh.ini
C:\WINDOWS\system32\iifecyaY.dll
C:\WINDOWS\system32\lqsoxcsy.ini
C:\WINDOWS\system32\nebrqhmb.ini
C:\WINDOWS\system32\powehpeo.ini
.

((((((((((((((((((((((((( Files Created from 2008-03-27 to 2008-04-27 )))))))))))))))))))))))))))))))
.

2008-04-25 23:28 . 2006-10-08 21:51 23,856 --a------ C:\WINDOWS\system32\spupdsvc.exe
2008-04-25 23:28 . 2008-04-25 23:28 0 --ah----- C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2008-04-25 23:28 . 2008-04-25 23:28 0 --ah----- C:\WINDOWS\system32\drivers\Msft_Kernel_NuidFltr_01005.Wdf
2008-04-25 23:27 . 2008-04-25 23:27 d-------- C:\Program Files\MSXML 6.0
2008-04-25 23:27 . 2008-04-25 23:27 d-------- C:\Program Files\Microsoft IntelliType Pro
2008-04-25 23:27 . 2007-08-31 12:13 1,421,736 --a------ C:\WINDOWS\system32\wdfcoinstaller01005.dll
2008-04-25 23:27 . 2004-08-04 00:56 21,504 --a------ C:\WINDOWS\system32\drivers\hidserv.dll
2008-04-25 23:27 . 2007-08-31 12:15 18,856 --a------ C:\WINDOWS\system32\drivers\nuidfltr.sys
2008-04-25 23:26 . 2008-04-25 23:27 1,374 --a------ C:\WINDOWS\imsins.BAK
2008-04-25 13:52 . 2008-04-25 13:52 d-------- C:\Program Files\Trend Micro
2008-04-24 01:36 . 2008-04-24 01:36 d-------- C:\Program Files\DAEMON Tools Lite
2008-04-24 01:07 . 2008-04-24 01:07 d-------- C:\Program Files\AfkTools
2008-04-24 01:06 . 2008-04-24 22:00 d-------- C:\Program Files\Burnersware
2008-04-22 01:35 . 2008-04-22 01:35 d-------- C:\Program Files\Alwil Software
2008-04-20 21:38 . 2008-04-25 23:16 d-------- C:\Program Files\Spybot - Search & Destroy
2008-04-20 21:38 . 2008-04-25 22:57 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-20 21:38 . 2008-04-22 02:14 1,024 --ah----- C:\Documents and Settings\All Users\ntuser.dat.LOG
2008-04-20 20:47 . 2006-09-18 17:55 109,744 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-04-20 20:47 . 2006-09-18 17:55 48,816 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2008-04-20 20:46 . 2008-04-27 02:48 d-------- C:\Program Files\Symantec AntiVirus
2008-04-20 20:46 . 2008-04-20 20:47 d-------- C:\Program Files\Symantec
2008-04-20 20:10 . 2008-04-20 20:10 d-------- C:\Program Files\Edelweiss
2008-04-20 13:42 . 2008-04-20 19:49 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-20 13:31 . 2008-04-20 20:48 d-------- C:\Program Files\Common Files\Symantec Shared
2008-04-20 13:10 . 2008-04-25 02:30 109,734 --a------ C:\WINDOWS\BM7b475bc0.xml
2008-04-20 13:09 . 2008-04-20 13:09 d-------- C:\Documents and Settings\All Users\Application Data\ATI
2008-04-20 03:23 . 2008-04-20 03:23 d-------- C:\Documents and Settings\John\Application Data\DAEMON Tools Pro
2008-04-20 03:22 . 2008-04-20 20:36 d-------- C:\Program Files\DAEMON Tools Pro
2008-04-19 17:17 . 2008-04-19 17:17 d--h----- C:\WINDOWS\PIF
2008-04-15 15:56 . 2008-04-20 13:08 d-------- C:\Program Files\Google
2008-04-14 21:31 . 2000-08-12 16:13 16,560 --a------ C:\CalcText.exe
2008-04-14 21:22 . 2000-12-08 21:59 122,880 --a------ C:\WINDOWS\UnGins.exe
2008-04-14 21:13 . 2008-04-15 05:26 353 --a------ C:\WINDOWS\Wlink83p.ini
2008-04-14 21:00 . 2008-04-14 21:13 d-------- C:\Program Files\TI Education
2008-04-14 21:00 . 1999-08-30 14:51 9,152 --a------ C:\WINDOWS\system32\drivers\Ticalc.sys
2008-04-14 21:00 . 2008-04-14 21:12 340 --a------ C:\WINDOWS\Wlink83.ini
2008-04-14 01:32 . 2008-04-14 01:32 d-------- C:\Documents and Settings\John\Application Data\DAEMON Tools
2008-04-14 01:32 . 2008-04-14 01:32 717,296 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2008-03-28 23:37 . 2008-03-28 23:37 90,112 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2008-03-28 23:37 . 2008-03-28 23:37 57,344 --a------ C:\WINDOWS\system32\QuickTime.qts
2008-03-28 06:35 . 2008-03-28 06:35 d-------- C:\Program Files\GPLGS
2008-03-28 06:35 . 2008-03-28 06:35 d-------- C:\Program Files\Acro Software
2008-03-28 06:35 . 2007-07-12 22:33 87,552 --a------ C:\WINDOWS\system32\cpwmon2k.dll
2008-03-28 06:34 . 2008-03-28 06:34 d-------- C:\Program Files\BHOK It Consulting
.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-27 08:53 --------- d-----w C:\Documents and Settings\John\Application Data\uTorrent
2008-04-25 05:06 --------- d-----w C:\Program Files\FFXI Windower
2008-04-24 22:37 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-21 02:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-04-21 02:25 --------- d-----w C:\Program Files\Lavasoft
2008-04-20 19:09 32,768 ----a-w C:\WINDOWS\system32\xtemp1.exe
2008-04-20 04:13 --------- d-----w C:\Program Files\ATI Technologies
2008-04-09 13:42 --------- d-----w C:\Program Files\QuickTime
2008-04-09 13:42 --------- d-----w C:\Program Files\iTunes
2008-04-09 13:42 --------- d-----w C:\Program Files\iPod
2008-04-02 03:34 --------- d-----w C:\Documents and Settings\John\Application Data\Ahead
2008-03-29 06:21 2,873,856 ----a-w C:\WINDOWS\system32\drivers\ati2mtag.sys
2008-03-29 05:19 9,801,728 ----a-w C:\WINDOWS\system32\atioglx2.dll
2008-03-29 04:40 167,936 ----a-w C:\WINDOWS\system32\atiok3x2.dll
2008-03-29 04:05 372,736 ----a-w C:\WINDOWS\system32\ATIDEMGX.dll
2008-03-29 04:04 299,008 ----a-w C:\WINDOWS\system32\ati2dvag.dll
2008-03-29 03:56 172,032 ----a-w C:\WINDOWS\system32\atipdlxx.dll
2008-03-29 03:56 126,976 ----a-w C:\WINDOWS\system32\Oemdspif.dll
2008-03-29 03:55 43,520 ----a-w C:\WINDOWS\system32\ati2edxx.dll
2008-03-29 03:55 26,112 ----a-w C:\WINDOWS\system32\Ati2mdxx.exe
2008-03-29 03:55 126,976 ----a-w C:\WINDOWS\system32\ati2evxx.dll
2008-03-29 03:54 536,576 ----a-w C:\WINDOWS\system32\ati2evxx.exe
2008-03-29 03:52 53,248 ----a-w C:\WINDOWS\system32\ATIDDC.DLL
2008-03-29 03:43 3,176,480 ----a-w C:\WINDOWS\system32\ati3duag.dll
2008-03-29 03:39 307,200 ----a-w C:\WINDOWS\system32\atiiiexx.dll
2008-03-29 03:36 1,765,120 ----a-w C:\WINDOWS\system32\ativvaxx.dll
2008-03-29 03:24 46,080 ----a-w C:\WINDOWS\system32\amdpcom32.dll
2008-03-29 03:23 5,439,488 ----a-w C:\WINDOWS\system32\atioglxx.dll
2008-03-29 03:21 393,216 ----a-w C:\WINDOWS\system32\atikvmag.dll
2008-03-29 03:19 17,408 ----a-w C:\WINDOWS\system32\atitvo32.dll
2008-03-29 03:18 49,152 ----a-w C:\WINDOWS\system32\drivers\ati2erec.dll
2008-03-29 03:12 520,192 ----a-w C:\WINDOWS\system32\ati2cqag.dll
2008-03-29 03:05 593,920 ----a-w C:\WINDOWS\system32\ati2sgag.exe
2008-03-25 05:32 --------- d-----w C:\Program Files\Microsoft Works
2008-03-25 05:32 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-03-24 10:17 356,352 ----a-w C:\WINDOWS\eSellerateEngine.dll
2008-03-24 10:17 --------- d-----w C:\Program Files\MSN Content Plus
2008-03-19 09:40 1,845,888 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-19 03:58 --------- d-----w C:\Program Files\ASUS
2008-03-19 03:52 --------- d-----w C:\Program Files\CCleaner
2008-03-17 10:55 --------- d-----w C:\Program Files\uTorrent
2008-03-17 06:06 --------- d-----w C:\Program Files\Java
2008-03-17 02:46 --------- d-----w C:\Program Files\MSECache
2008-03-12 08:07 --------- d-----w C:\Program Files\ATI
2008-03-12 07:48 --------- d-----w C:\Documents and Settings\John\Application Data\ATI
2008-03-12 07:45 --------- d-----w C:\Program Files\iTunes Keys
2008-03-12 07:08 --------- d-----w C:\Program Files\Common Files\ATI Technologies
2008-03-12 01:53 --------- d-----w C:\Program Files\Bonjour
2008-03-12 00:27 --------- d-----w C:\Program Files\My Company Name
2008-03-12 00:26 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-03-10 03:01 --------- d-----w C:\Documents and Settings\John\Application Data\Intervideo
2008-03-10 03:00 --------- d-----w C:\Program Files\InterVideo
2008-03-10 03:00 --------- d-----w C:\Program Files\Common Files\InterVideo
2008-03-10 02:56 --------- d-----w C:\Program Files\Adaptec
2008-03-10 01:10 --------- d-----w C:\Documents and Settings\John\Application Data\Apple Computer
2008-02-21 03:40 315,392 ----a-w C:\WINDOWS\HideWin.exe
2008-02-20 18:49 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-20 06:52 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-12 07:09 218,624 ----a-w C:\WINDOWS\system32\uxtheme.dll
2008-01-29 18:02 107,368 ----a-w C:\WINDOWS\system32\GEARAspi.dll
2005-11-05 08:45 262,144 ----a-w C:\WINDOWS\system32\config\systemprofile\NTUSER(1).DAT
2007-01-21 10:36 15,418,337 --sh--w C:\WINDOWS\Web\webpt\joints.ppt.zip
2007-01-21 11:29 19,696,325 --sh--w C:\WINDOWS\Web\webpt\muscles.ppt.zip
2007-01-21 11:02 13,016,792 --sh--w C:\WINDOWS\Web\webpt\osteology.ppt.zip
.

((((((((((((((((((((((((((((( snapshot_2008-04-27_ 2.44.17.68 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-26 05:30:56 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-04-27 08:47:46 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 01:04 5724184]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinampAgent"="C:\Program Files\Winamp\Winampa.exe" [2003-04-01 20:20 12288]
"itype"="c:\Program Files\Microsoft IntelliType Pro\itype.exe" [2007-08-31 12:13 988584]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= C:\PROGRA~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll
"vidc.asv2"= asusasv2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\NetMeeting\\conf.exe"=
"C:\\Program Files\\PlayOnline\\SquareEnix\\PlayOnlineViewer\\pol.exe"=
"C:\\Program Files\\uTorrent\\utorrent.exe"=
"C:\\WINDOWS\\system32\\dxdiag.exe"=
"C:\\WINDOWS\\system32\\rtcshare.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"139:TCP"= 139:TCP:@xpsp2res.dll,-22004
"515:TCP"= 515:TCP:OS X Printer

R2 TICalc;TICalc;C:\WINDOWS\system32\drivers\TICalc.sys [1999-08-30 14:51]
S3 asusgsb;ASUS Virtual Video Capture Device Driver;C:\WINDOWS\system32\drivers\asusgsb.sys [2007-08-28 10:58]
S3 ASUSVRC;ASUSTeK Virtual Capture Device;C:\WINDOWS\system32\DRIVERS\AsusVRC.sys [2007-01-29 17:12]
S3 Video3D;ASUS Video3D Service;C:\WINDOWS\system32\Drivers\Video3D32.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\Auto\command - Recycled\cleardisk.pif
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled\cleardisk.pif

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{eaff1a59-0a99-11dd-a6d5-001bfcae0ed9}]
\Shell\AutoRun\command - G:\SETUP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"C:\Program Files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder
"2008-04-21 19:12:03 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-04-26 05:29:16 C:\WINDOWS\Tasks\Microsoft_Hardware_Launch_IType_exe.job"
- c:\Program Files\Microsoft IntelliType Pro\itype.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-27 02:53:18
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-04-27 2:54:05
ComboFix-quarantined-files.txt 2008-04-27 08:53:55
ComboFix2.txt 2008-04-27 08:44:29
ComboFix3.txt 2008-04-26 02:46:05
ComboFix4.txt 2008-04-25 20:30:04

Pre-Run: 518,917,324,800 bytes free
Post-Run: 518,902,546,432 bytes free

200 --- E O F --- 2008-04-11 14:55:51