ComboFix 08-07-27.1 - Tit Kian 2008-07-29 1:59:39.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.936.1.1033.18.97 [GMT 8:00]
Running from: C:\Documents and Settings\Tit Kian\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Tit Kian\Desktop\CFScript.txt
 * Created a new restore point

FILE ::
C:\registrybackup.reg
C:\WINDOWS\system32\tmplljydf0.exe
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\registrybackup.reg
C:\WINDOWS\system32\tmplljydf0.exe

.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_XDVA170
-------\Legacy_XDVA177
-------\Legacy_XDVA186
-------\Legacy_XDVA187
-------\Service_XDva170
-------\Service_XDva177
-------\Service_XDva186
-------\Service_XDva187


(((((((((((((((((((((((((   Files Created from 2008-06-28 to 2008-07-28   )))))))))))))))))))))))))))))))
.

2008-07-21 21:52 . 2008-07-21 21:52    d--------    C:\Documents and Settings\Tit Kian\Application Data\Malwarebytes
2008-07-21 21:52 . 2008-07-21 21:52    d--------    C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-21 21:52 . 2008-07-20 20:21    17,144    --a------    C:\WINDOWS\system32\drivers\mbam.sys
2008-07-21 21:51 . 2008-07-21 21:52    d--------    C:\Program Files\Malwarebytes' Anti-Malware
2008-07-21 21:51 . 2008-07-20 20:21    38,472    --a------    C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-07-21 11:29 . 2008-07-21 11:29    d--------    C:\Deckard
2008-07-21 11:17 . 2008-07-21 11:17    d--------    C:\_OTMoveIt
2008-07-21 00:50 . 2008-07-21 00:50    d--------    C:\Program Files\Trend Micro
2008-07-21 00:46 . 2008-07-21 01:26    d--------    C:\Documents and Settings\All Users\Application Data\PrevxCSI
2008-07-14 22:05 . 2008-07-14 22:05    8,192    --ahs----    C:\WINDOWS\Thumbs.db
2008-07-09 17:12 . 2006-10-26 19:56    32,592    --a------    C:\WINDOWS\system32\msonpmon.dll
2008-07-09 17:09 . 2008-07-09 17:09    d--------    C:\Program Files\MSBuild
2008-07-09 16:52 . 2008-07-23 02:58    d--------    C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-07-08 23:17 . 2004-08-03 23:01    25,856    --a------    C:\WINDOWS\system32\drivers\usbprint.sys
2008-07-08 23:17 . 2004-08-03 23:01    25,856    --a--c---    C:\WINDOWS\system32\dllcache\usbprint.sys

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-28 18:03    ---------    d-----w    C:\Documents and Settings\Tit Kian\Application Data\uTorrent
2008-07-28 09:33    ---------    d-----w    C:\Program Files\Windows Live Safety Center
2008-07-17 18:39    ---------    d-----w    C:\Program Files\uTorrent
2008-07-09 09:09    ---------    d-----w    C:\Program Files\Microsoft Works
2008-06-21 05:21    ---------    d-----w    C:\Documents and Settings\Tit Kian\Application Data\LimeWire
2008-06-18 11:31    33,184    ----a-w    C:\Documents and Settings\Tit Kian\Application Data\GDIPFONTCACHEV1.DAT
2008-06-02 16:47    ---------    d-----w    C:\Documents and Settings\All Users\Application Data\ALM
2008-06-02 16:45    ---------    d-----w    C:\Program Files\Common Files\Adobe
2008-06-02 16:45    ---------    d-----w    C:\Program Files\Bonjour
2008-06-02 16:25    ---------    d-----w    C:\Program Files\Common Files\Macrovision Shared
2008-06-02 13:47    ---------    d-----w    C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-06-02 09:48    ---------    d-----w    C:\Program Files\PowerISO
2008-06-01 13:22    ---------    d-----w    C:\Program Files\Java
2008-06-01 13:10    ---------    d-----w    C:\Documents and Settings\Tit Kian\Application Data\OpenOffice.org2
2008-02-09 16:22    80    --sh--r    C:\WINDOWS\system32\A5D7DACAE6.dll
.
------- Sigcheck -------

2002-08-29 09:58    332928    244a2f9816bc9b593957281ef577d976    C:\WINDOWS\$NtServicePackUninstall$\tcpip.sys
2004-08-03 23:14    359040    9f4b36614a0fc234525ba224957de55c    C:\WINDOWS\ServicePackFiles\i386\tcpip.sys
2007-10-31 01:20    360064    90caff4b094573449a0872a0f919b178    C:\WINDOWS\SoftwareDistribution\Download\146ae5e7b51a37f45e0e5cf03d0d5e3c\sp2gdr\tcpip.sys
2007-10-31 00:53    360832    64798ecfa43d78c7178375fcdd16d8c8    C:\WINDOWS\SoftwareDistribution\Download\146ae5e7b51a37f45e0e5cf03d0d5e3c\sp2qfe\tcpip.sys
2007-08-11 20:38    359040    c81d6a930a7805f6daa0c7902b99037e    C:\WINDOWS\system32\dllcache\tcpip.sys
2007-08-11 20:38    359040    c81d6a930a7805f6daa0c7902b99037e    C:\WINDOWS\system32\drivers\tcpip.sys
.

(((((((((((((((((((((((((((((   snapshot@2008-07-28_ 1.14.48.56   )))))))))))))))))))))))))))))))))))))))))
.
+ 2004-08-03 16:56:48    44,544    -c--a-w    C:\WINDOWS\system32\dllcache\alg.exe
+ 2004-08-03 16:56:50    27,648    -c--a-w    C:\WINDOWS\system32\dllcache\conime.exe
+ 2004-08-03 16:56:58    218,112    -c--a-w    C:\WINDOWS\system32\dllcache\wmiprvse.exe
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 11:34 5724184]
"BitComet"="C:\Program Files\BitComet\BitComet.exe" [2008-03-25 14:38 2196280]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2005-08-06 01:07 61440]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2003-12-08 17:35 32768]
"vptray"="C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe" [2002-07-30 11:35 77824]
"QuickTime Task"="C:\Program Files\K-Lite Codec Pack\QuickTime\qttask.exe" [2006-10-25 18:58 282624]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" [2004-08-03 22:32 208952]
"IMEKRMIG6.1"="C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE" [2001-08-23 12:00 44032]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-03 22:31 59392]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 22:32 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 22:32 455168]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"PWRISOVM.EXE"="C:\Program Files\PowerISO\PWRISOVM.EXE" [2008-03-15 07:50 233472]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 00:47 31016]
"RTHDCPL"="RTHDCPL.EXE" [2005-09-22 13:36 14854144 C:\WINDOWS\RTHDCPL.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-12-04 19:56:55 113664]
ATI CATALYST System Tray.lnk - C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe [2005-08-06 01:07:30 61440]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"NoDispAppearancePage"= 0 (0x0)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoActiveDesktopChanges"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
2007-10-21 22:48 229376 C:\Program Files\Stardock\Object Desktop\WindowBlinds\WbSrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wbsys.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.3iv2"= 3ivxVfWCodec.dll
"msacm.divxa32"= divxa32.acm
"VIDC.HFYU"= huffyuv.dll
"VIDC.VP31"= vp31vfw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\BitComet\\BitComet.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"24225:TCP"= 24225:TCP:BitComet 24225 TCP
"24225:UDP"= 24225:UDP:BitComet 24225 UDP

R0 iteraid;ITERAID_Service_Install;C:\WINDOWS\system32\DRIVERS\iteraid.sys [2004-10-29 11:21]
S3 MBAMSwissArmy;MBAMSwissArmy;C:\WINDOWS\system32\drivers\mbamswissarmy.sys [2008-07-20 20:21]

.
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = about:blank
R1 -: HKCU-Internet Connection Wizard,ShellNext = iexplore
R1 -: HKCU-Internet Settings,ProxyOverride = *.local
O8 -: &D&ownload &with BitComet - C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 -: &D&ownload all video with BitComet - C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 -: &D&ownload all with BitComet - C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 -: {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll/206

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-29 02:06:03
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

C:\WINDOWS\explorer.exe [520] 0x8215E610

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\NavLogon.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\conime.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\WgaTray.exe
.
**************************************************************************
.
Completion time: 2008-07-29 2:13:22 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-28 18:12:15
ComboFix2.txt 2008-07-27 17:17:35

Pre-Run: 7,260,618,752 bytes free
Post-Run: 7,168,237,568 bytes free

175 --- E O F --- 2008-02-09 16:55:05
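Added example, not part of the original post and not ComboFix's own code: a small Python triage script for logs in this format. It walks the Reg Loading Points and file-listing lines and pulls out the entries a reviewer normally checks first: Security Center notification values set to a non-zero DWORD, a populated AppInit_DLLs value (on Windows XP a DLL listed there is loaded into every process that loads user32.dll), globally open firewall ports, and files under system32 carrying both the hidden and system attributes. The sample input is a constructed string holding a few lines copied from the log above; the flagging rules are this example's own heuristics, and a hit means "look at this", not "this is malware" (an AppInit_DLLs entry can belong to a legitimately installed product).

```python
"""Triage helper for ComboFix-style logs.

Added example; heuristics are this script's own assumptions, not ComboFix rules.
"""
import re
from typing import Dict, List, Optional

# Constructed sample: lines copied from the log above, one entry per line.
SAMPLE_LOG = r"""
2008-02-09 16:22 80 --sh--r C:\WINDOWS\system32\A5D7DACAE6.dll
2008-07-14 22:05 . 2008-07-14 22:05 8,192 --ahs---- C:\WINDOWS\Thumbs.db
2008-07-28 18:03 --------- d-----w C:\Documents and Settings\Tit Kian\Application Data\uTorrent
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wbsys.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"24225:TCP"= 24225:TCP:BitComet 24225 TCP
"24225:UDP"= 24225:UDP:BitComet 24225 UDP
"""

KEY_RE = re.compile(r"^\[(.+)\]$")                 # [HKEY_...] registry key header
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')   # "Name"=data
FILE_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}"              # first timestamp
    r"(?: \. \d{4}-\d{2}-\d{2} \d{2}:\d{2})?"      # optional second timestamp (Files Created section)
    r"\s+(?:[\d,]+|-+)"                            # size, or dashes for directories (Find3M section)
    r"\s+([-a-z]+)"                                # attribute flags, e.g. --sh--r
    r"\s+([A-Za-z]:\\.*)$"                         # path
)


def _dword(data: str) -> Optional[int]:
    """Parse a REGEDIT4-style 'dword:00000001' value; None if not a DWORD."""
    if data.lower().startswith("dword:"):
        return int(data[6:], 16)
    return None


def triage(log_text: str) -> Dict[str, List[str]]:
    """Return the entries worth a second look, grouped by heuristic."""
    findings: Dict[str, List[str]] = {
        "security_center_notify_disabled": [],
        "appinit_dlls": [],
        "open_ports": [],
        "hidden_system_files": [],
    }
    current_key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            current_key = m.group(1).lower()
            continue
        m = VALUE_RE.match(line)
        if m:
            name, data = m.group(1), m.group(2).strip()
            if "security center" in current_key and name.endswith("DisableNotify") and _dword(data):
                findings["security_center_notify_disabled"].append(name)
            elif name.lower() == "appinit_dlls" and data:
                findings["appinit_dlls"].append(data)
            elif "globallyopenports" in current_key:
                findings["open_ports"].append(name)
            continue
        m = FILE_RE.match(line)
        if m:
            attrs, path = m.group(1), m.group(2)
            # hidden + system attributes on a file under system32: unusual for user data
            if "h" in attrs and "s" in attrs and "\\system32\\" in path.lower():
                findings["hidden_system_files"].append(path)
    return findings


if __name__ == "__main__":
    for category, hits in triage(SAMPLE_LOG).items():
        print(f"{category}: {hits}")
```

Run it against a full log by reading the file into `triage()` instead of `SAMPLE_LOG`; the attribute check deliberately ignores `C:\WINDOWS\Thumbs.db` (hidden+system but not under system32) while still surfacing the 80-byte DLL, and a Security Center value of `dword:00000000` is not reported.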