ComboFix 08-06-19.4 - Tam 2008-06-20 14:43:24.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.820 [GMT -4:00]
Running from: C:\Documents and Settings\Tam\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Tam\Desktop\CFScript.txt
 * Created a new restore point

FILE ::
C:\WINDOWS\DUMP6a81.tmp
C:\WINDOWS\Inf\Catalog\su\srunner.exe
C:\WINDOWS\pchealth\Service.exe
C:\WINDOWS\pchealth\taskmgr.exe
C:\WINDOWS\system32\2D.tmp
C:\WINDOWS\system32\phc1mnj0ee6v.bmp
C:\WINDOWS\system32\REN1E.tmp
C:\WINDOWS\system32\sysrest.sys
C:\WINDOWS\system32\sysrest32.exe
C:\WINDOWS\system32\thuk.dll
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Tam\Application Data\shc7mnj0ee6v
C:\WINDOWS\CURSORS\meta
C:\WINDOWS\DUMP6a81.tmp
C:\WINDOWS\system32\2D.tmp
C:\WINDOWS\system32\phc1mnj0ee6v.bmp
C:\WINDOWS\system32\REN1E.tmp
C:\WINDOWS\system32\sysrest.sys
C:\WINDOWS\system32\sysrest32.exe
C:\WINDOWS\system32\thuk.dll
.

(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_POWERMANAGER


(((((((((((((((((((((((((   Files Created from 2008-05-20 to 2008-06-20   )))))))))))))))))))))))))))))))
.

2008-06-19 19:55 . 2008-06-19 19:55   d--------   C:\_OTMoveIt
2008-06-19 19:50 . 2008-06-19 19:50   d--------   C:\Program Files\Alwil Software
2008-06-19 19:50 . 2008-03-25 02:37   69,632   --a------   C:\WINDOWS\system32\javacpl.cpl
2008-06-19 19:49 . 2008-06-19 19:49   d--------   C:\Program Files\Common Files\Java
2008-06-18 22:09 . 2008-06-18 22:09   d--------   C:\Deckard
2008-06-15 18:53 . 2008-06-15 19:02   d-a------   C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-14 01:18 . 2008-06-14 01:18   d--------   C:\VundoFix Backups
2008-06-13 02:47 . 2008-06-13 02:48   d--------   C:\Program Files\Panda Security
2008-06-13 00:54 . 2008-06-13 00:54   d--------   C:\Program Files\Malwarebytes' Anti-Malware
2008-06-13 00:54 . 2008-06-13 00:54   d--------   C:\Documents and Settings\Tam\Application Data\Malwarebytes
2008-06-13 00:54 . 2008-06-13 00:54   d--------   C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-13 00:54 . 2008-06-10 19:02   34,296   --a------   C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-06-13 00:54 . 2008-06-10 19:02   15,864   --a------   C:\WINDOWS\system32\drivers\mbam.sys
2008-06-13 00:49 . 2008-06-13 00:54   d--------   C:\Program Files\Common Files\Download Manager
2008-06-13 00:49 . 2005-09-23 07:29   626,688   --a------   C:\WINDOWS\system32\msvcr80.dll
2008-06-11 15:31 . 2008-06-11 15:31   d--------   C:\Program Files\Trend Micro
2008-06-10 17:21 . 2008-04-14 07:01   272,128   -----c---   C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-02 03:58 . 2008-06-02 03:58   d--------   C:\Documents and Settings\All Users\Application Data\SlySoft
.

((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-19 23:50   ---------   d-----w   C:\Program Files\Java
2008-06-19 07:57   ---------   d-----w   C:\Program Files\mIRC
2008-06-02 07:57   ---------   d-----w   C:\Documents and Settings\Tam\Application Data\.BitTornado
2008-05-16 18:18   129,459   ----a-w   C:\Copy of index.zip
2008-05-16 05:00   85,209,372   ----a-w   C:\images.zip
2008-05-16 03:00   ---------   d-----w   C:\Program Files\LeapFTP
2008-05-15 22:38   ---------   d-----w   C:\Program Files\Common Files\Adobe
2008-05-15 22:38   ---------   d-----w   C:\Program Files\Bonjour
2008-05-15 16:37   5,768,929   ----a-w   C:\Picture.zip
2008-05-14 23:37   ---------   d-----w   C:\Program Files\Microsoft Silverlight
2008-05-14 23:03   24,310   ----a-w   C:\als_script.zip
2008-05-14 20:29   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-05-14 20:10   ---------   d-----w   C:\Program Files\Common Files\Macrovision Shared
2008-05-14 19:32   1,031,937   ----a-w   C:\Picture 001.zip
2008-05-12 21:00   ---------   d-----w   C:\Program Files\SlySoft
2008-05-08 12:28   202,752   ----a-w   C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-02 04:49   ---------   d-----w   C:\Program Files\SMPlayer
2008-05-01 02:06   ---------   d-----w   C:\Program Files\MSN Messenger
2008-05-01 02:06   ---------   d-----w   C:\Documents and Settings\Tam\Application Data\ppStream
2008-04-18 03:44   186,034   ----a-w   C:\WINDOWS\Jump Shot Basketball Uninstaller.exe
2007-12-06 03:20   38,264   ----a-w   C:\Documents and Settings\Tam\Application Data\GDIPFONTCACHEV1.DAT
2007-05-12 18:02   1,568   ----a-w   C:\Documents and Settings\Tam\Application Data\mpauth.dat
2007-03-31 00:51   20   ---h--w   C:\Documents and Settings\All Users\Application Data\PKP_DLec.DAT
2006-07-23 05:56   289   ----a-w   C:\Program Files\ESB Clientsconfig.ini
2003-02-16 00:19   103,936   ----a-w   C:\WINDOWS\inf\Catalog\su\JAcheck.dll
2000-04-21 14:48   33,792   ----a-w   C:\WINDOWS\inf\Catalog\su\servinst.exe
1998-07-31 20:00   47,104   ----a-w   C:\WINDOWS\inf\Catalog\su\_ISREG32.DLL
2006-12-12 15:40   961   --sha-w   C:\WINDOWS\system32\mmf.sys
.

------- Sigcheck -------

2001-08-24 14:00   36352   8194b38ba772df7288e4443244ec67d3   C:\WINDOWS\svchost.exe
2001-08-23 08:00   12800   0f7d9c87b0ce1fa520473119752c6f79   C:\WINDOWS\$NtServicePackUninstall$\svchost.exe
2004-08-04 03:56   14336   8f078ae4ed187aaabc0a305146de6716   C:\WINDOWS\ServicePackFiles\i386\svchost.exe
2004-08-04 03:56   17408   3b1a2ef9432286919d0c40d8b7c6d891   C:\WINDOWS\system32\svchost.exe

2004-05-26 21:38   483328   e7f9d2e4e4a94a6f58014e5ffa16a65e   C:\WINDOWS\$NtServicePackUninstall$\winlogon.exe
2002-08-28 23:41   516608   2246d8d8f4714a2cedb21ab9b1849abb   C:\WINDOWS\$NtUninstallKB840987$\winlogon.exe
2004-08-04 03:56   502272   01c3346c241652f43aed8e2149881bfe   C:\WINDOWS\ServicePackFiles\i386\winlogon.exe
2004-08-04 03:56   506368   9f526cd9de244a1a3fdab470baf750db   C:\WINDOWS\system32\winlogon.exe

2007-06-13 06:23   1035776   ff4cca7701a8823ad8ba9296d082d35f   C:\WINDOWS\explorer.exe
2007-06-13 07:26   1069568   3ff20f0e62e7909b1c50991e9ff1f89d   C:\WINDOWS\$hf_mig$\KB938828\SP2QFE\explorer.exe
2002-08-28 23:41   1040384   d22a0b627c48120edbc085ba3dd2e318   C:\WINDOWS\$NtServicePackUninstall$\explorer.exe
2004-08-04 03:56   1068544   82c7979fdaaaa7293472dcd17dc48228   C:\WINDOWS\$NtUninstallKB938828$\explorer.exe
2004-08-04 03:56   1068544   20e9c777347e83a1444666d0f11de381   C:\WINDOWS\ServicePackFiles\i386\explorer.exe

2001-08-23 08:00   101376   e3df4a0252d287c44606ee55355e1623   C:\WINDOWS\$NtServicePackUninstall$\services.exe
2004-08-04 03:56   108032   c6ce6eec82f187615d1002bb3bb50ed4   C:\WINDOWS\ServicePackFiles\i386\services.exe
2004-08-04 03:56   110592   e3c333f9d9dff424b66c96bf4735fbcb   C:\WINDOWS\system32\services.exe

2002-08-28 23:41   11776   b2b6ba905d0e3f8a32a0eb3b4051807b   C:\WINDOWS\$NtServicePackUninstall$\lsass.exe
2004-08-04 03:56   13312   84885f9b82f4d55c6146ebf6065d75d2   C:\WINDOWS\ServicePackFiles\i386\lsass.exe
2004-08-04 03:56   14848   7e4b0cd03d254eeb35e8705bf19c3ed0   C:\WINDOWS\system32\lsass.exe
.

(((((((((((((((((((((((((((((   snapshot@2008-06-20_14.34.56.73   )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-20 18:26:48   2,048   --s-a-w   C:\WINDOWS\bootstat.dat
+ 2008-06-20 18:49:24   2,048   --s-a-w   C:\WINDOWS\bootstat.dat
- 2008-06-20 00:17:12   64,052   ----a-w   C:\WINDOWS\system32\perfc009.dat
+ 2008-06-20 18:31:50   64,052   ----a-w   C:\WINDOWS\system32\perfc009.dat
- 2008-06-20 00:17:12   407,296   ----a-w   C:\WINDOWS\system32\perfh009.dat
+ 2008-06-20 18:31:50   407,296   ----a-w   C:\WINDOWS\system32\perfh009.dat
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AIM"="C:\Program Files\AIM\aim.exe" [2004-12-08 18:50 67160]
"Steam"="H:\Valve\Steam\Steam.exe" [ ]
"PopUpStopperProfessional"="C:\Program Files\Panicware\Pop-Up Stopper Professional\PopUpStopperProfessional.exe" [2006-02-02 00:28 507904]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-02-22 22:05 339968]
"DAEMON Tools-1033"="C:\Program Files\D-Tools\daemon.exe" [2004-08-22 18:05 81920]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-05-03 21:47 180269]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2006-10-25 01:37 35328]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-11-15 00:43 286720]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-11-15 14:11 267048]
"CloneCDTray"="C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" [2006-09-28 15:21 57344]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 180112]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 04:44:06 29696]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]
NkbMonitor.exe.lnk - D:\Nikon\PictureProject\NkbMonitor.exe [2007-03-30 20:39:04 118784]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll 2001-12-20 23:34 24576 C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= C:\PROGRA~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll
"vidc.wmv3"= C:\PROGRA~1\COMBIN~1\Filters\wmv9vcm.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^palstart.exe]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\palstart.exe
backup=C:\WINDOWS\pss\palstart.exeCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CloneCDTray]
--a------ 2006-09-28 15:21 57344 C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DIGStream]
--a------ 2005-05-18 14:49 318976 C:\Program Files\DIGStream\digstream.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2007-11-15 14:11 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 10:50 192000 C:\WINDOWS\system32\NeroCheck.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-05-15 19:20]
R1 oreans32;oreans32;C:\WINDOWS\system32\drivers\oreans32.sys [2006-02-15 21:10]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-05-15 19:16]
R2 LicCtrlService;LicCtrl Service;C:\WINDOWS\runservice.exe [2006-10-10 19:31]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 17:38]
S2 PowerManager;Power Manager;C:\WINDOWS\svchost.exe [2001-08-24 14:00]
S3 cdspacex;cdspacex;C:\WINDOWS\system32\DRIVERS\CDSPACEX.sys []
S3 TwoRabts;Two Rabbits Live Bus;C:\WINDOWS\system32\DRIVERS\TwoRabts.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ff0f95d6-3621-11db-bbd2-00055dfdc3a2}]
\Shell\AutoRun\command - J:\autoplay.exe

*Newly Created Service* - POWERMANAGER
.
Contents of the 'Scheduled Tasks' folder
"2008-06-12 01:20:04 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.

**************************************************************************

disk not found C:\
please note that you need administrator rights to perform deep scan
disk not found C:\
please note that you need administrator rights to perform deep scan
disk not found C:\
please note that you need administrator rights to perform deep scan
disk not found C:\
please note that you need administrator rights to perform deep scan
disk not found C:\
please note that you need administrator rights to perform deep scan
disk not found C:\
please note that you need administrator rights to perform deep scan
disk not found C:\
please note that you need administrator rights to perform deep scan
disk not found C:\
please note that you need administrator rights to perform deep scan
disk not found C:\
please note that you need administrator rights to perform deep scan
disk not found C:\
please note that you need administrator rights to perform deep scan
disk not found C:\
please note that you need administrator rights to perform deep scan
disk not found C:\
please note that you need administrator rights to perform deep scan
disk not found C:\
please note that you need administrator rights to perform deep scan
disk not found C:\
please note that you need administrator rights to perform deep scan
disk not found C:\

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbload.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
.
**************************************************************************
.
Completion time: 2008-06-20 14:55:51 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-20 18:55:43
ComboFix2.txt 2008-06-20 18:35:37
ComboFix3.txt 2008-06-20 00:18:42

Pre-Run: 6,906,712,064 bytes free
Post-Run: 6,898,864,128 bytes free

233 --- E O F --- 2008-06-15 22:47:07