ComboFix 08-07-27.1 - Tit Kian 2008-07-29 1:59:39.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.936.1.1033.18.97 [GMT 8:00]
Running from: C:\Documents and Settings\Tit Kian\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Tit Kian\Desktop\CFScript.txt
* Created a new restore point
FILE ::
C:\registrybackup.reg
C:\WINDOWS\system32\tmplljydf0.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\registrybackup.reg
C:\WINDOWS\system32\tmplljydf0.exe
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_XDVA170
-------\Legacy_XDVA177
-------\Legacy_XDVA186
-------\Legacy_XDVA187
-------\Service_XDva170
-------\Service_XDva177
-------\Service_XDva186
-------\Service_XDva187
((((((((((((((((((((((((( Files Created from 2008-06-28 to 2008-07-28 )))))))))))))))))))))))))))))))
.
2008-07-21 21:52 . 2008-07-21 21:52 d-------- C:\Documents and Settings\Tit Kian\Application Data\Malwarebytes
2008-07-21 21:52 . 2008-07-21 21:52 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-21 21:52 . 2008-07-20 20:21 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-07-21 21:51 . 2008-07-21 21:52 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-21 21:51 . 2008-07-20 20:21 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-07-21 11:29 . 2008-07-21 11:29 d-------- C:\Deckard
2008-07-21 11:17 . 2008-07-21 11:17 d-------- C:\_OTMoveIt
2008-07-21 00:50 . 2008-07-21 00:50 d-------- C:\Program Files\Trend Micro
2008-07-21 00:46 . 2008-07-21 01:26 d-------- C:\Documents and Settings\All Users\Application Data\PrevxCSI
2008-07-14 22:05 . 2008-07-14 22:05 8,192 --ahs---- C:\WINDOWS\Thumbs.db
2008-07-09 17:12 . 2006-10-26 19:56 32,592 --a------ C:\WINDOWS\system32\msonpmon.dll
2008-07-09 17:09 . 2008-07-09 17:09 d-------- C:\Program Files\MSBuild
2008-07-09 16:52 . 2008-07-23 02:58 d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-07-08 23:17 . 2004-08-03 23:01 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2008-07-08 23:17 . 2004-08-03 23:01 25,856 --a--c--- C:\WINDOWS\system32\dllcache\usbprint.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-28 18:03 --------- d-----w C:\Documents and Settings\Tit Kian\Application Data\uTorrent
2008-07-28 09:33 --------- d-----w C:\Program Files\Windows Live Safety Center
2008-07-17 18:39 --------- d-----w C:\Program Files\uTorrent
2008-07-09 09:09 --------- d-----w C:\Program Files\Microsoft Works
2008-06-21 05:21 --------- d-----w C:\Documents and Settings\Tit Kian\Application Data\LimeWire
2008-06-18 11:31 33,184 ----a-w C:\Documents and Settings\Tit Kian\Application Data\GDIPFONTCACHEV1.DAT
2008-06-02 16:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\ALM
2008-06-02 16:45 --------- d-----w C:\Program Files\Common Files\Adobe
2008-06-02 16:45 --------- d-----w C:\Program Files\Bonjour
2008-06-02 16:25 --------- d-----w C:\Program Files\Common Files\Macrovision Shared
2008-06-02 13:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-06-02 09:48 --------- d-----w C:\Program Files\PowerISO
2008-06-01 13:22 --------- d-----w C:\Program Files\Java
2008-06-01 13:10 --------- d-----w C:\Documents and Settings\Tit Kian\Application Data\OpenOffice.org2
2008-02-09 16:22 80 --sh--r C:\WINDOWS\system32\A5D7DACAE6.dll
.
------- Sigcheck -------
2002-08-29 09:58 332928 244a2f9816bc9b593957281ef577d976 C:\WINDOWS\$NtServicePackUninstall$\tcpip.sys
2004-08-03 23:14 359040 9f4b36614a0fc234525ba224957de55c C:\WINDOWS\ServicePackFiles\i386\tcpip.sys
2007-10-31 01:20 360064 90caff4b094573449a0872a0f919b178 C:\WINDOWS\SoftwareDistribution\Download\146ae5e7b51a37f45e0e5cf03d0d5e3c\sp2gdr\tcpip.sys
2007-10-31 00:53 360832 64798ecfa43d78c7178375fcdd16d8c8 C:\WINDOWS\SoftwareDistribution\Download\146ae5e7b51a37f45e0e5cf03d0d5e3c\sp2qfe\tcpip.sys
2007-08-11 20:38 359040 c81d6a930a7805f6daa0c7902b99037e C:\WINDOWS\system32\dllcache\tcpip.sys
2007-08-11 20:38 359040 c81d6a930a7805f6daa0c7902b99037e C:\WINDOWS\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((( snapshot@2008-07-28_ 1.14.48.56 )))))))))))))))))))))))))))))))))))))))))
.
+ 2004-08-03 16:56:48 44,544 -c--a-w C:\WINDOWS\system32\dllcache\alg.exe
+ 2004-08-03 16:56:50 27,648 -c--a-w C:\WINDOWS\system32\dllcache\conime.exe
+ 2004-08-03 16:56:58 218,112 -c--a-w C:\WINDOWS\system32\dllcache\wmiprvse.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 11:34 5724184]
"BitComet"="C:\Program Files\BitComet\BitComet.exe" [2008-03-25 14:38 2196280]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2005-08-06 01:07 61440]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2003-12-08 17:35 32768]
"vptray"="C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe" [2002-07-30 11:35 77824]
"QuickTime Task"="C:\Program Files\K-Lite Codec Pack\QuickTime\qttask.exe" [2006-10-25 18:58 282624]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" [2004-08-03 22:32 208952]
"IMEKRMIG6.1"="C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE" [2001-08-23 12:00 44032]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-03 22:31 59392]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 22:32 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 22:32 455168]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"PWRISOVM.EXE"="C:\Program Files\PowerISO\PWRISOVM.EXE" [2008-03-15 07:50 233472]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 00:47 31016]
"RTHDCPL"="RTHDCPL.EXE" [2005-09-22 13:36 14854144 C:\WINDOWS\RTHDCPL.exe]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-12-04 19:56:55 113664]
ATI CATALYST System Tray.lnk - C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe [2005-08-06 01:07:30 61440]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"NoDispAppearancePage"= 0 (0x0)
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoActiveDesktopChanges"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
2007-10-21 22:48 229376 C:\Program Files\Stardock\Object Desktop\WindowBlinds\WbSrv.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wbsys.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.3iv2"= 3ivxVfWCodec.dll
"msacm.divxa32"= divxa32.acm
"VIDC.HFYU"= huffyuv.dll
"VIDC.VP31"= vp31vfw.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\BitComet\\BitComet.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"24225:TCP"= 24225:TCP:BitComet 24225 TCP
"24225:UDP"= 24225:UDP:BitComet 24225 UDP
R0 iteraid;ITERAID_Service_Install;C:\WINDOWS\system32\DRIVERS\iteraid.sys [2004-10-29 11:21]
S3 MBAMSwissArmy;MBAMSwissArmy;C:\WINDOWS\system32\drivers\mbamswissarmy.sys [2008-07-20 20:21]
.
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = about:blank
R1 -: HKCU-Internet Connection Wizard,ShellNext = iexplore
R1 -: HKCU-Internet Settings,ProxyOverride = *.local
O8 -: &D&ownload &with BitComet - C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 -: &D&ownload all video with BitComet - C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 -: &D&ownload all with BitComet - C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 -: {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll/206
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-29 02:06:03
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
C:\WINDOWS\explorer.exe [520] 0x8215E610
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\NavLogon.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\conime.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\WgaTray.exe
.
**************************************************************************
.
Completion time: 2008-07-29 2:13:22 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-28 18:12:15
ComboFix2.txt 2008-07-27 17:17:35
Pre-Run: 7,260,618,752 bytes free
Post-Run: 7,168,237,568 bytes free
175 --- E O F --- 2008-02-09 16:55:05