ComboFix 08-06-20.4 - tam 2008-06-21 2:48:22.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.147 [GMT -4:00]
Running from: C:\Documents and Settings\tam\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\tam\Desktop\CFScript.txt
 * Created a new restore point

[color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b][/color]

FILE ::
C:\WINDOWS\system32\blphca7kj0eebe.scr
C:\WINDOWS\system32\phca7kj0eebe.bmp
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\tam\Application Data\shcc7kj0eebe
C:\WINDOWS\system32\blphca7kj0eebe.scr
C:\WINDOWS\system32\phca7kj0eebe.bmp

.
(((((((((((((((((((((((((   Files Created from 2008-05-21 to 2008-06-21   )))))))))))))))))))))))))))))))
.

2008-06-21 02:15 . 2008-06-21 02:15	d--------	C:\_OTMoveIt
2008-06-21 02:07 . 2008-06-21 02:07	d--------	C:\WINDOWS\LastGood
2008-06-21 02:06 . 2008-06-21 02:06	d--------	C:\Program Files\Trend Micro
2008-06-16 22:56 . 2008-06-16 22:56	1,160	--a------	C:\WINDOWS\mozver.dat
2008-06-16 22:55 . 2008-06-16 22:55	0	--a------	C:\WINDOWS\nsreg.dat
2008-06-13 02:13 . 2008-06-13 02:13	d--------	C:\Documents and Settings\All Users\Application Data\SlySoft
2008-06-13 02:10 . 2008-06-13 02:10	0	---hs----	C:\WINDOWS\S5646FDA2.tmp
2008-06-13 02:09 . 2008-06-13 02:09	d--------	C:\Program Files\SlySoft
2008-06-10 15:52 . 2008-06-13 09:10	272,128	-----c---	C:\WINDOWS\system32\dllcache\bthport.sys

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-17 08:43	---------	d-----w	C:\Program Files\mIRC
2008-06-13 13:10	272,128	------w	C:\WINDOWS\system32\drivers\bthport.sys
2008-06-04 22:57	2,828	--sha-w	C:\WINDOWS\system32\KGyGaAvL.sys
2008-05-14 18:27	---------	d-----w	C:\Program Files\Picasa2
2008-05-08 12:28	202,752	----a-w	C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-07 05:18	1,287,680	----a-w	C:\WINDOWS\system32\quartz.dll
2008-04-21 07:04	659,456	----a-w	C:\WINDOWS\system32\wininet.dll
2008-03-26 08:09	151,583	----a-w	C:\WINDOWS\system32\msjint40.dll
2008-03-25 14:20	219,936	----a-w	C:\WINDOWS\system32\msltus40.dll
2007-02-14 03:08	64,376	----a-w	C:\Documents and Settings\tam\Application Data\GDIPFONTCACHEV1.DAT
2004-08-04 04:56	55,808	--shatr	C:\WINDOWS\ServicePackFiles\i386\ipconfig.exe
2004-08-04 04:56	11,776	--shatr	C:\WINDOWS\ServicePackFiles\i386\regsvr32.exe

.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [ ]
"AIM"="C:\Program Files\AIM\aim.exe" [2004-08-10 10:37 61440]
"msnmsgr"="C:\Program Files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 13:54 5674352]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2008-02-25 21:23 443968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 19:58 282624]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-03-12 21:31 185896]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 23:46 57344]
"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" [ ]
"CloneCDTray"="C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" [2006-09-28 15:21 57344]
"Corel Photo Downloader"="C:\Program Files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe" [2007-08-28 13:00 531272]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2008-02-25 21:23 443968]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= C:\PROGRA~1\COMBIN~1\Filters\ff_vfw.dll
"vidc.wmv3"= C:\PROGRA~1\COMBIN~1\Filters\wmv9vcm.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PalStart.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\PalStart.lnk
backup=C:\WINDOWS\pss\PalStart.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
--a------ 2005-06-06 23:46 57344 C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
--a------ 2006-11-12 06:48 193944 C:\Program Files\DAEMON Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2006-10-30 10:36 292928 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-01-19 13:54 5674352 C:\Program Files\MSN Messenger\MsnMsgr.Exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
-ra------ 2001-07-09 06:50 192000 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
--a------ 2006-07-29 07:07 224768 C:\Program Files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
--a------ 2007-01-09 21:49 1306112 c:\program files\steam\steam.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Age Of Empires II\\age2_x1.exe"=
"C:\\Program Files\\mIRC\\mirc.exe"=
"C:\\Program Files\\BitTornado\\btdownloadgui.exe"=
"C:\\Program Files\\Steam\\steamapps\\conanflare@hotmail.com\\counter-strike\\hl.exe"=
"C:\\Program Files\\Common Files\\Adobe\\ESD\\AdobeDownloadManager.exe"=
"C:\\Program Files\\Steam\\steamapps\\awptimistic\\counter-strike\\hl.exe"=
"C:\\Program Files\\Paltalk Messenger\\paltalk.exe"=
"C:\\Program Files\\AIM\\aim.exe"=
"C:\\Program Files\\Steam\\steamapps\\michaelvanle\\counter-strike\\hl.exe"=
"C:\\Program Files\\Steam\\steamapps\\sebbe\\counter-strike\\hl.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Age Of Empires II\\empires2.exe"=
"C:\\Program Files\\Steam\\steamapps\\30_06808ninjamadethisaccount\\counter-strike\\hl.exe"=
"C:\\Program Files\\Steam\\steamapps\\poweroffate\\counter-strike\\hl.exe"=
"C:\\Warcraft III\\Warcraft III.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Warcraft III\\Frozen Throne.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6112:TCP"= 6112:TCP:Warcraft III Frozen Throne

R2 Pctspk;PCTEL Speaker Phone;C:\WINDOWS\system32\pctspk.exe [2001-08-17 18:36]
R3 ati2mtaa;ati2mtaa;C:\WINDOWS\system32\DRIVERS\ati2mtaa.sys [2004-08-03 22:29]
R3 Ptserlp;PCTEL Serial Device Driver for PCI;C:\WINDOWS\system32\DRIVERS\ptserlp.sys [2001-08-17 09:28]

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2006-12-14 20:40:13 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-06-21 06:04:30 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-21 02:51:15
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-06-21 2:53:14
ComboFix-quarantined-files.txt 2008-06-21 06:53:02
ComboFix2.txt 2008-06-21 06:24:17

Pre-Run: 33,001,070,592 bytes free
Post-Run: 32,996,388,864 bytes free

140 --- E O F --- 2008-06-21 05:49:52