ComboFix 08-07-27.1 - Tit Kian 2008-07-28 1:03:30.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.936.1.1033.18.165 [GMT 8:00]
Running from: C:\Documents and Settings\Tit Kian\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\lljydf16.ini
C:\Documents and Settings\All Users\lljydf32.ini
C:\Documents and Settings\Tit Kian\Application Data\macromedia\Flash Player\#SharedObjects\YQNZM3RQ\www.broadcaster.com
C:\Documents and Settings\Tit Kian\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\Documents and Settings\Tit Kian\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
C:\WINDOWS\system32\iexp_log.txt

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MZU_RK


((((((((((((((((((((((((( Files Created from 2008-06-27 to 2008-07-27 )))))))))))))))))))))))))))))))
.

2008-07-21 21:52 . 2008-07-21 21:52 d-------- C:\Documents and Settings\Tit Kian\Application Data\Malwarebytes
2008-07-21 21:52 . 2008-07-21 21:52 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-21 21:52 . 2008-07-20 20:21 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-07-21 21:51 . 2008-07-21 21:52 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-21 21:51 . 2008-07-20 20:21 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-07-21 11:29 . 2008-07-21 11:29 d-------- C:\Deckard
2008-07-21 11:22 . 2008-07-21 11:23 84,250,454 --a------ C:\registrybackup.reg
2008-07-21 11:17 . 2008-07-21 11:17 d-------- C:\_OTMoveIt
2008-07-21 00:50 . 2008-07-21 00:50 d-------- C:\Program Files\Trend Micro
2008-07-21 00:46 . 2008-07-21 01:26 d-------- C:\Documents and Settings\All Users\Application Data\PrevxCSI
2008-07-20 23:12 . 2004-08-04 00:56 388,608 --a------ C:\WINDOWS\system32\tmplljydf0.exe
2008-07-14 22:05 . 2008-07-14 22:05 8,192 --ahs---- C:\WINDOWS\Thumbs.db
2008-07-09 17:12 . 2006-10-26 19:56 32,592 --a------ C:\WINDOWS\system32\msonpmon.dll
2008-07-09 17:09 . 2008-07-09 17:09 d-------- C:\Program Files\MSBuild
2008-07-09 16:52 . 2008-07-23 02:58 d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-07-08 23:17 . 2004-08-03 23:01 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2008-07-08 23:17 . 2004-08-03 23:01 25,856 --a--c--- C:\WINDOWS\system32\dllcache\usbprint.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-27 17:06 --------- d-----w C:\Documents and Settings\Tit Kian\Application Data\uTorrent
2008-07-21 16:41 --------- d-----w C:\Program Files\Windows Live Safety Center
2008-07-17 18:39 --------- d-----w C:\Program Files\uTorrent
2008-07-09 09:09 --------- d-----w C:\Program Files\Microsoft Works
2008-06-21 05:21 --------- d-----w C:\Documents and Settings\Tit Kian\Application Data\LimeWire
2008-06-18 11:31 33,184 ----a-w C:\Documents and Settings\Tit Kian\Application Data\GDIPFONTCACHEV1.DAT
2008-06-02 16:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\ALM
2008-06-02 16:45 --------- d-----w C:\Program Files\Common Files\Adobe
2008-06-02 16:45 --------- d-----w C:\Program Files\Bonjour
2008-06-02 16:25 --------- d-----w C:\Program Files\Common Files\Macrovision Shared
2008-06-02 13:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-06-02 09:48 --------- d-----w C:\Program Files\PowerISO
2008-06-01 13:22 --------- d-----w C:\Program Files\Java
2008-06-01 13:10 --------- d-----w C:\Documents and Settings\Tit Kian\Application Data\OpenOffice.org2
2008-02-09 16:22 80 --sh--r C:\WINDOWS\system32\A5D7DACAE6.dll
.

------- Sigcheck -------

2002-08-29 09:58 332928 244a2f9816bc9b593957281ef577d976 C:\WINDOWS\$NtServicePackUninstall$\tcpip.sys
2004-08-03 23:14 359040 9f4b36614a0fc234525ba224957de55c C:\WINDOWS\ServicePackFiles\i386\tcpip.sys
2007-10-31 01:20 360064 90caff4b094573449a0872a0f919b178 C:\WINDOWS\SoftwareDistribution\Download\146ae5e7b51a37f45e0e5cf03d0d5e3c\sp2gdr\tcpip.sys
2007-10-31 00:53 360832 64798ecfa43d78c7178375fcdd16d8c8 C:\WINDOWS\SoftwareDistribution\Download\146ae5e7b51a37f45e0e5cf03d0d5e3c\sp2qfe\tcpip.sys
2007-08-11 20:38 359040 c81d6a930a7805f6daa0c7902b99037e C:\WINDOWS\system32\dllcache\tcpip.sys
2007-08-11 20:38 359040 c81d6a930a7805f6daa0c7902b99037e C:\WINDOWS\system32\drivers\tcpip.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 11:34 5724184]
"BitComet"="C:\Program Files\BitComet\BitComet.exe" [2008-03-25 14:38 2196280]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2005-08-06 01:07 61440]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2003-12-08 17:35 32768]
"vptray"="C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe" [2002-07-30 11:35 77824]
"QuickTime Task"="C:\Program Files\K-Lite Codec Pack\QuickTime\qttask.exe" [2006-10-25 18:58 282624]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" [2004-08-03 22:32 208952]
"IMEKRMIG6.1"="C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE" [2001-08-23 12:00 44032]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-03 22:31 59392]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 22:32 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 22:32 455168]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"PWRISOVM.EXE"="C:\Program Files\PowerISO\PWRISOVM.EXE" [2008-03-15 07:50 233472]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 00:47 31016]
"RTHDCPL"="RTHDCPL.EXE" [2005-09-22 13:36 14854144 C:\WINDOWS\RTHDCPL.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-12-04 19:56:55 113664]
ATI CATALYST System Tray.lnk - C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe [2005-08-06 01:07:30 61440]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"NoDispAppearancePage"= 0 (0x0)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoActiveDesktopChanges"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
2007-10-21 22:48 229376 C:\Program Files\Stardock\Object Desktop\WindowBlinds\WbSrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wbsys.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.3iv2"= 3ivxVfWCodec.dll
"msacm.divxa32"= divxa32.acm
"VIDC.HFYU"= huffyuv.dll
"VIDC.VP31"= vp31vfw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\BitComet\\BitComet.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"24225:TCP"= 24225:TCP:BitComet 24225 TCP
"24225:UDP"= 24225:UDP:BitComet 24225 UDP

R0 iteraid;ITERAID_Service_Install;C:\WINDOWS\system32\DRIVERS\iteraid.sys [2004-10-29 11:21]
S3 MBAMSwissArmy;MBAMSwissArmy;C:\WINDOWS\system32\drivers\mbamswissarmy.sys [2008-07-20 20:21]
S3 XDva170;XDva170;C:\WINDOWS\system32\XDva170.sys []
S3 XDva177;XDva177;C:\WINDOWS\system32\XDva177.sys []
S3 XDva186;XDva186;C:\WINDOWS\system32\XDva186.sys []
S3 XDva187;XDva187;C:\WINDOWS\system32\XDva187.sys []

.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{89FDCC4B-8D91-49B0-81A6-18BCFF582735} - (no file)
HKCU-Run-updateMgr - C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = about:blank
R1 -: HKCU-Internet Connection Wizard,ShellNext = iexplore
R1 -: HKCU-Internet Settings,ProxyOverride = *.local
O8 -: &D&ownload &with BitComet - C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 -: &D&ownload all video with BitComet - C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 -: &D&ownload all with BitComet - C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 -: {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll/206
O16 -: {E055C02E-6258-40FF-80A7-3BDA52FACAD7} - hxxp://activex.matcash.com/speedtest2.dll
C:\WINDOWS\Downloaded Program Files\speedtest2.dll

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-28 01:08:41
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\NavLogon.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\conime.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\WgaTray.exe
.
**************************************************************************
.
Completion time: 2008-07-28 1:17:33 - machine was rebooted [Tit Kian]
ComboFix-quarantined-files.txt 2008-07-27 17:17:25

Pre-Run: 7,337,127,936 bytes free
Post-Run: 7,288,029,184 bytes free

169 --- E O F --- 2008-02-09 16:55:05