ComboFix 08-04-22.5 - Maryan 2008-04-25 10:21:53.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.248 [GMT 8:00]
Running from: C:\Documents and Settings\Maryan\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Maryan\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
 * Created a new restore point
 * Resident AV is active
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\cbXQkiFx.dll
C:\WINDOWS\system32\fPAGOqru.ini
C:\WINDOWS\system32\fPAGOqru.ini2
.
((((((((((((((((((((((((( Files Created from 2008-03-25 to 2008-04-25 )))))))))))))))))))))))))))))))
.
2008-04-25 09:53 . 2008-01-04 20:56 1,526,640 --a------ C:\WINDOWS\WRSetup.dll
2008-04-25 09:53 . 2008-01-04 20:34 20,336 --a------ C:\WINDOWS\system32\drivers\SSFS0BB9.sys
2008-04-25 09:47 . 2008-04-25 09:47 24,576 --a------ C:\WINDOWS\system32\VundoFixSVC.exe
2008-04-25 09:33 . 2008-04-25 09:49 d-------- C:\VundoFix Backups
2008-04-25 08:50 . 2008-04-25 08:50 d-------- C:\Documents and Settings\LocalService\Application Data\Webroot
2008-04-25 08:50 . 2008-01-04 20:34 163,696 --a------ C:\WINDOWS\system32\drivers\ssidrv.sys
2008-04-25 08:50 . 2008-01-04 20:34 23,920 --a------ C:\WINDOWS\system32\drivers\sskbfd.sys
2008-04-25 08:50 . 2008-01-04 20:34 21,872 --a------ C:\WINDOWS\system32\drivers\sshrmd.sys
2008-04-25 08:49 . 2008-04-25 08:49 d-------- C:\Program Files\Webroot
2008-04-25 08:49 . 2008-04-25 08:49 d-------- C:\Documents and Settings\Maryan\Application Data\Webroot
2008-04-25 08:49 . 2008-04-25 08:49 d-------- C:\Documents and Settings\All Users\Application Data\Webroot
2008-04-23 10:02 . 2008-04-24 17:34 1,504,986 --ahs---- C:\WINDOWS\system32\eeeursfb.ini
2008-04-23 09:59 . 2008-04-24 17:34 109,669 --a------ C:\WINDOWS\BM17bbacd7.xml
2008-04-22 21:57 . 2008-04-22 21:57 272,384 --a------ C:\WINDOWS\system32\urqOGAPf.dll
2008-04-22 21:55 . 2008-03-01 21:06 6,066,176 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-04-22 21:55 . 2007-04-17 17:32 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-04-22 21:55 . 2007-03-08 13:10 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-04-22 21:55 . 2008-03-01 21:06 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-04-22 21:55 . 2008-03-01 21:06 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-04-22 21:55 . 2008-03-01 21:06 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-04-22 21:55 . 2008-03-01 21:06 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2008-04-22 21:55 . 2008-03-01 21:06 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-04-22 21:55 . 2008-02-22 18:00 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-04-22 19:42 . 2008-04-22 19:43 d-------- C:\Program Files\Neat Image
2008-04-22 18:48 . 2008-04-22 18:48 d-------- C:\WINDOWS\system32\WTablet
2008-04-22 18:48 . 2008-04-22 18:48 d-------- C:\Program Files\Tablet
2008-04-22 18:48 . 2005-06-18 03:18 1,444,870 --a------ C:\WINDOWS\system32\PenTablet.znc
2008-04-22 18:48 . 2005-06-18 04:01 1,265,664 --a------ C:\WINDOWS\system32\PenTablet.cpl
2008-04-22 18:48 . 2005-06-18 04:00 749,568 --a------ C:\WINDOWS\system32\Tablet.exe
2008-04-22 18:48 . 2005-06-18 04:34 102,400 --a------ C:\WINDOWS\system32\Wintab32.dll
2008-04-22 18:48 . 1999-05-08 00:12 15,744 --a------ C:\WINDOWS\system32\Wintab.dll
2008-04-22 18:48 . 2001-04-10 04:45 8,138 --------- C:\WINDOWS\system32\drivers\PenClass.sys
2008-04-22 18:48 . 2008-04-25 10:36 336 --a------ C:\WINDOWS\system32\tablet.dat
2008-04-22 18:46 . 2001-08-17 13:48 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2008-04-22 18:46 . 2001-08-17 13:48 12,160 --a--c--- C:\WINDOWS\system32\dllcache\mouhid.sys
2008-04-22 18:46 . 2001-08-17 14:02 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2008-04-22 18:46 . 2001-08-17 14:02 9,600 --a--c--- C:\WINDOWS\system32\dllcache\hidusb.sys
2008-04-21 20:55 . 2008-04-21 20:55 d-------- C:\Program Files\DreamKana
2008-04-20 13:34 . 2008-04-20 13:34 d-------- C:\Program Files\Macromedia
2008-04-20 13:32 . 2008-04-20 13:32 d-------- C:\Shockwave
2008-04-20 13:20 . 2008-04-20 13:20 d-------- C:\Program Files\Common Files\Adobe Systems Shared
2008-04-20 13:20 . 2008-04-20 13:20 d-------- C:\Documents and Settings\All Users\Application Data\Adobe Systems
2008-04-20 13:19 . 2008-04-22 21:50 d-------- C:\Program Files\Common Files\Adobe
2008-04-20 10:23 . 2008-04-20 10:25 d-------- C:\Program Files\VIA
2008-04-20 10:20 . 2008-04-20 10:20 d-------- C:\Program Files\uTorrent
2008-04-20 10:20 . 2008-04-22 23:45 d-------- C:\Documents and Settings\Maryan\Application Data\uTorrent
2008-04-20 06:02 . 2008-04-20 06:02 d-------- C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-04-19 20:51 . 2008-04-19 20:51 1,160 --a------ C:\WINDOWS\mozver.dat
2008-04-19 20:29 . 2008-04-19 20:29 d-------- C:\WINDOWS\Downloaded Installations
2008-04-19 20:23 . 2008-04-19 20:23 d-------- C:\Program Files\Yahoo!
2008-04-19 20:18 . 2008-04-19 20:18 d-------- C:\Documents and Settings\Maryan\Application Data\Talkback
2008-04-19 20:17 . 2008-04-19 20:17 0 --a------ C:\WINDOWS\nsreg.dat
2008-04-19 20:15 . 2008-04-22 23:57 d--h----- C:\WINDOWS\$hf_mig$
2008-04-19 20:11 . 2008-04-19 20:11 d---s---- C:\Documents and Settings\Maryan\UserData
2008-04-19 20:09 . 2008-04-19 20:09 3,932,214 --a------ C:\WINDOWS\AW_XenoMorph1280.bmp
2008-04-19 20:08 . 2008-04-19 20:08 d-------- C:\Program Files\XP Codec Pack
2008-04-19 20:08 . 2008-04-19 20:08 d-------- C:\Program Files\Common Files\Stardock
2008-04-19 20:08 . 2008-04-19 20:11 d-------- C:\Program Files\AlienGUIse
2008-04-19 20:08 . 2003-02-26 22:27 36,864 --a------ C:\WINDOWS\system32\wbsys.dll
2008-04-19 20:08 . 2008-04-19 20:08 56 --a------ C:\WINDOWS\wb.ini
2008-04-19 20:05 . 2008-04-20 14:14 d--h----- C:\Program Files\InstallShield Installation Information
2008-04-19 20:05 . 2008-04-19 20:05 d-------- C:\Program Files\Analog Devices
2008-04-19 20:03 . 2008-04-20 13:34 d-------- C:\Program Files\Common Files\InstallShield
2008-04-19 20:02 . 2004-09-17 17:37 61,440 --a------ C:\WINDOWS\system32\vuins32.dll
2008-04-19 20:02 . 2004-12-16 13:36 42,496 --a------ C:\WINDOWS\system32\drivers\fetnd5bv.sys
2008-04-19 20:02 . 2008-04-20 10:21 16,546 --a------ C:\WINDOWS\Ascd_tmp.ini
2008-04-19 20:02 . 2003-07-17 16:10 7,040 -ra------ C:\WINDOWS\system32\ntsim.sys
2008-04-19 20:01 . 2004-04-27 15:26 5,824 --a------ C:\WINDOWS\system32\drivers\ASUSHWIO.SYS
2008-04-19 20:01 . 2004-08-13 10:56 5,810 -ra------ C:\WINDOWS\system32\drivers\ASACPI.sys
2008-04-19 20:00 . 2006-10-26 19:56 32,592 --a------ C:\WINDOWS\system32\msonpmon.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-24 09:38 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-19 22:07 --------- d-----w C:\Program Files\ESET
2008-04-19 12:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-04-19 11:59 --------- d-----w C:\Program Files\MSBuild
2008-04-19 11:59 --------- d-----w C:\Program Files\Microsoft Works
2008-04-19 11:57 512,096 ----a-w C:\WINDOWS\system32\drivers\amon.sys
2008-04-19 11:57 298,104 ----a-w C:\WINDOWS\system32\imon.dll
2008-04-19 11:57 15,424 ----a-w C:\WINDOWS\system32\drivers\nod32drv.sys
2008-04-19 11:46 --------- d-----w C:\Program Files\microsoft frontpage
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{26D2045D-50C8-4850-9285-035D79212D9B}]
2008-04-22 21:57 272384 --a------ C:\WINDOWS\system32\urqOGAPf.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56 15360]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-12-17 17:13 3810544]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2008-04-19 19:57 949376]
"RegistryMechanic"="" []
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 00:47 31016]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2004-10-27 15:21 61952 C:\WINDOWS\system32\HdAShCut.exe]
"SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" [2005-07-26 09:54 716800]
"RaidTool"="C:\Program Files\VIA\RAID\raid_tool.exe" [2005-08-12 16:38 1056768]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2008-01-04 20:56 5367664]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
TabUserW.exe.lnk - C:\WINDOWS\system32\WTablet\TabUserW.exe [2008-04-22 18:48:16 114688]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
C:\Program Files\AlienGUIse\fastload.dll 2001-12-20 23:34 24576 C:\Program Files\AlienGUIse\fastload.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wbsys.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= ffdshow.ax

[HKLM\~\startupfolder\C:^Documents and Settings^Maryan^Start Menu^Programs^Startup^Alienware Dock.lnk]
backup=C:\WINDOWS\pss\Alienware Dock.lnkStartup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=

.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-25 10:36:43
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\AlienGUIse\wbload.exe
C:\Program Files\ESET\nod32krn.exe
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\Yahoo!\Messenger\Ymsgr_tray.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Webroot\Spy Sweeper\ssu.exe
.
**************************************************************************
.
Completion time: 2008-04-25 10:40:19 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-25 02:40:10
Pre-Run: 73,886,773,248 bytes free
Post-Run: 73,967,919,104 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

172 --- E O F --- 2008-04-22 15:57:37