ComboFix 08-07-29.1 - Administrator 2008-08-01 19:05:24.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1583 [GMT 12:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINNT\system32\BeepEx.sys
C:\WINNT\system32\ddserh.dll
C:\WINNT\system32\wklsdd.dll.LoG
C:\WINNT\system32\wyrsdj.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\00009124
C:\00009124\102437
C:\00009124\135906
C:\00009124\156875
C:\00009124\204187
C:\00009124\228640
C:\00009124\275921
C:\00009124\308218
C:\00009124\332078
C:\00009124\358234
C:\00009124\401546
C:\00009124\423765
C:\00009124\444515
C:\00009124\489812
C:\00009124\511796
C:\00009124\533734
C:\00009124\557812
C:\00009124\580328
C:\00009124\610328
C:\00009124\640796
C:\00009124\701265
C:\00009124\728109
C:\00009124\755093
C:\00009124\776984
C:\00009124\820843
C:\00009124\841390
C:\00009124\862296
C:\00009124\883000
C:\00009124\904890
C:\00009124\925593
C:\00917202
C:\00931C56
C:\00931D70
C:\WINNT\system32\BeepEx.sys
C:\WINNT\system32\ddserh.dll
C:\WINNT\system32\fmcvxy.dll
C:\WINNT\system32\fmcvxy.dll.LoG
C:\WINNT\system32\jdsaex.dll
C:\WINNT\system32\jhfrxz.dll
C:\WINNT\system32\sgdewg.dll
C:\WINNT\system32\wcnonpe.dll
C:\WINNT\system32\wcnonpek.exe
C:\WINNT\system32\wklsdd.dll
C:\WINNT\system32\wklsdd.dll.LoG
C:\WINNT\system32\wyrsdj.dll
.

((((((((((((((((((((((((( Files Created from 2008-07-01 to 2008-08-01 )))))))))))))))))))))))))))))))
.

2008-08-01 19:09 . 2008-08-01 19:11  d--hs----  C:\00008EB3
2008-08-01 19:08 . 2008-08-01 19:08  d--hs----  C:\03143F0
2008-08-01 19:08 . 2008-08-01 19:08  d--hs----  C:\031424A
2008-08-01 19:05 . 2008-08-01 19:05  d--hs----  C:\02EBD26
2008-08-01 19:02 . 2008-08-01 19:05  d--hs----  C:\02C5AAC
2008-08-01 18:14 . 2008-08-01 18:29  d--hs----  C:\00008DE8
2008-08-01 18:08 . 2008-08-01 18:08  d--hs----  C:\019548E
2008-08-01 17:48 . 2008-08-01 17:48  d--h-----  C:\WINNT\PIF
2008-08-01 17:41 . 2008-08-01 17:54  d--hs----  C:\00009039
2008-08-01 07:58 . 2008-08-01 07:58  14,336  --a------  C:\WINNT\system32\aliensk.exe
2008-08-01 07:42 . 2008-08-01 17:42  d--hs----  C:\00008E65
2008-08-01 07:30 . 2008-08-01 07:30  d--hs----  C:\00008F01
2008-07-31 22:50 . 2008-08-01 18:26  225,792  --ah-----  C:\WINNT\system32\zsdgff.dll
2008-07-31 22:45 . 2008-08-01 18:22  232,960  --ah-----  C:\WINNT\system32\zgtwfx.dll
2008-07-31 22:43 . 2008-08-01 07:58  28,672  --a------  C:\WINNT\system32\aliens.dll
2008-07-31 17:40 . 2008-07-31 17:40  d--------  C:\Deckard
2008-07-30 22:07 . 2008-07-30 22:43  d--h-----  C:\WINNT\system32\GroupPolicy
2008-07-30 21:16 . 2008-07-31 20:12  d--------  C:\Program Files\a-squared Anti-Malware
2008-07-30 20:01 . 2008-07-30 20:01  d--------  C:\Program Files\Trend Micro
2008-07-17 17:30 . 2008-06-14 01:10  272,128  -----c---  C:\WINNT\system32\dllcache\bthport.sys
2008-07-02 21:34 . 2008-07-02 21:36  139,264  --a------  C:\WINNT\War3Unin.exe
2008-07-02 21:34 . 2008-07-02 22:15  97,595  --a------  C:\WINNT\War3Unin.dat
2008-07-02 21:34 . 2008-07-02 21:36  2,829  --a------  C:\WINNT\War3Unin.pif
.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.

2008-08-01 07:04  ---------  d-----w  C:\Program Files\FlashGet
2008-08-01 07:04  ---------  d-----w  C:\Documents and Settings\Administrator\Application Data\uTorrent
2008-08-01 06:08  4,224  ----a-w  C:\WINNT\system32\drivers\beep.sys
2008-07-31 10:29  ---------  d-----w  C:\Program Files\Warcraft III
2008-07-30 10:43  ---------  d-----w  C:\Program Files\free-downloads.net
2008-07-30 10:15  ---------  d-----w  C:\Documents and Settings\Administrator\Application Data\AVG7
2008-07-30 08:14  ---------  d-----w  C:\Documents and Settings\All Users\Application Data\avg7
2008-07-30 07:56  ---------  d-----w  C:\Documents and Settings\All Users\Application Data\Microsoft Corporation
2008-06-29 03:33  ---------  d-----w  C:\Documents and Settings\Administrator\Application Data\SPORE Creature Creator
2008-06-20 17:41  245,248  ----a-w  C:\WINNT\system32\mswsock.dll
2008-06-20 10:45  360,320  ----a-w  C:\WINNT\system32\drivers\tcpip.sys
2008-06-20 10:44  138,368  ----a-w  C:\WINNT\system32\drivers\afd.sys
2008-06-20 09:52  225,920  ----a-w  C:\WINNT\system32\drivers\tcpip6.sys
2008-06-17 11:09  107,888  ----a-w  C:\WINNT\system32\CmdLineExt.dll
2008-06-17 11:07  ---------  d--h--w  C:\Program Files\InstallShield Installation Information
2008-06-17 11:07  ---------  d-----w  C:\Program Files\Electronic Arts
2008-06-17 06:08  ---------  d-----w  C:\Documents and Settings\Administrator\Application Data\Realtime Soft
2008-06-17 05:59  ---------  d-----w  C:\Documents and Settings\All Users\Application Data\nView_Profiles
2008-06-13 13:10  272,128  ------w  C:\WINNT\system32\drivers\bthport.sys
2008-05-07 05:18  1,287,680  ----a-w  C:\WINNT\system32\quartz.dll
2007-09-16 19:53  56  --sh--r  C:\WINNT\system32\C680CC8D45.sys
2007-09-16 19:53  3,350  --sha-w  C:\WINNT\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( snapshot@2008-07-31_20.01.08.96 )))))))))))))))))))))))))))))))))))))))))
.

- 2008-07-31 07:56:27  16,384  ----a-w  C:\WINNT\system32\config\systemprofile\Cookies\index.dat
+ 2008-08-01 07:09:33  16,384  ----a-w  C:\WINNT\system32\config\systemprofile\Cookies\index.dat
- 2008-07-31 07:56:27  32,768  ----a-w  C:\WINNT\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-08-01 07:09:33  32,768  ----a-w  C:\WINNT\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-07-31 07:56:27  32,768  ----a-w  C:\WINNT\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-08-01 07:09:33  32,768  --sha-w  C:\WINNT\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2008-07-31 05:51:02  4,224  -c--a-w  C:\WINNT\system32\dllcache\beep.sys
+ 2008-08-01 06:08:35  4,224  -c--a-w  C:\WINNT\system32\dllcache\beep.sys
- 2008-07-31 07:56:46  211,432  ----a-w  C:\WINNT\system32\inetsrv\MetaBase.bin
+ 2008-08-01 07:10:09  211,427  ----a-w  C:\WINNT\system32\inetsrv\MetaBase.bin
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Rainlendar2"="C:\Program Files\Rainlendar2\Rainlendar2.exe" [2007-07-24 19:12 1298432]
"ctfmon.exe"="C:\WINNT\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"STYLEXP"="C:\Program Files\TGTSoft\StyleXP\StyleXP.exe" [2006-05-25 06:31 1372160]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 12:54 5674352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PHIME2002ASync"="C:\WINNT\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 22:32 455168]
"PHIME2002A"="C:\WINNT\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 22:32 455168]
"VolPanel"="C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" [2006-04-05 17:19 122880]
"NvCplDaemon"="C:\WINNT\system32\NvCpl.dll" [2007-12-05 00:41 8523776]
"RivaTunerStartupDaemon"="C:\Program Files\RivaTuner v2.06\RivaTuner.exe" [2007-10-31 06:05 2650112]
"nwiz"="nwiz.exe" [2007-12-05 00:41 1626112 C:\WINNT\system32\nwiz.exe]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-04-11 15:32 56080 C:\WINNT\KHALMNPR.Exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-10-23 07:10 219136]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{006CA8A1-61BC-4774-A54C-F49034270BAD}"= "C:\WINNT\system32\zgtwfx.dll" [2008-08-01 18:22 232960]
"{53D44DB6-E22B-4B17-97D3-572C96CCA6E1}"= "C:\WINNT\system32\zsdgff.dll" [2008-08-01 18:26 225792]
"{E8A3B193-77E3-4FB3-986D-F4FA4828BAFC}"= "C:\WINNT\system32\wklsdd.dll" [2008-08-01 19:12 236544]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=wcnonpe.dll aliens.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.I420"= i420vfw.dll
"msacm.l3fhg"= mp3fhg.acm
"VIDC.X264"= x264vfw.dll
"VIDC.HFYU"= huffyuv.dll
"msacm.iac2"= C:\WINDOWS\system32\iac25_32.ax
"vidc.i263"= i263_32.drv
"VIDC.YV12"= yv12vfw.dll
"msacm.divxa32"= divxa32.acm
"VIDC.VP40"= vp4vfw.dll
"VIDC.DRAW"= DVIDEO.DLL
"VIDC.MSUD"= msulvc05.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages  REG_MULTI_SZ  msv1_0 relog_ap

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\Warcraft III\\war3.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"C:\\Program Files\\Ocean Technology\\GG E-Sports Platform\\GGclient.exe"=
"C:\\Program Files\\Warcraft III\\Warcraft III.exe"=
"C:\\Program Files\\SpeedBit Video Accelerator\\VideoAcceleratorEngine.exe"=
"C:\\Program Files\\SpeedBit Video Accelerator\\VideoAccelerator.exe"=
"C:\\Program Files\\Nero\\Nero8\\Nero MediaHome\\NeroMediaHome.exe"=
"C:\\Program Files\\Nero\\Nero8\\Nero MediaHome\\NMMediaServer.exe"=
"C:\\Program Files\\Flagship Studios\\Hellgate London\\Launcher.exe"=
"C:\\Program Files\\TVersity\\Media Server\\TVersity.exe"=
"C:\\Program Files\\FlashGet\\FlashGet.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"C:\\Program Files\\Flagship Studios\\Mythos\\bin\\Mythos.exe"=

R2 NwSapAgent;SAP Agent;C:\WINNT\system32\svchost.exe [2004-08-04 00:56]
R2 sbbotdi;sbbotdi;C:\PROGRA~1\SPEEDB~1\sbbotdi.sys [2007-10-18 11:12]
R3 ha20x2k;Creative 20X HAL Driver;C:\WINNT\system32\drivers\ha20x2k.sys [2006-05-24 15:40]
S3 cpuz126;cpuz126;C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\cpuz.sys []
S3 FUCKALLGUARD;FUCKALLGUARD;C:\0010927E\00109286 []
S3 NPF;NetGroup Packet Filter Driver;C:\WINNT\system32\drivers\npf.sys [2005-08-03 09:10]
S3 SaiH8000;SaiH8000;C:\WINNT\system32\DRIVERS\SaiH8000.sys [2004-07-30 10:25]
S3 UltraMonMirror;UltraMonMirror;C:\WINNT\system32\DRIVERS\UltraMonMirror.sys []
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-01 19:10:01
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\FUCKALLGUARD]
"ImagePath"="\??\C:\0010927E\00109286"
.
------------------------ Other Running Processes ------------------------
.
C:\WINNT\system32\debug.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINNT\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\wscntfy.exe
C:\WINNT\system32\CTXFISPI.EXE
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINNT\system32\wcnonpek.exe
.
**************************************************************************
.
Completion time: 2008-08-01 19:14:07 - machine was rebooted
ComboFix-quarantined-files.txt  2008-08-01 07:14:05
ComboFix2.txt  2008-07-31 10:42:43
ComboFix3.txt  2008-07-31 08:02:17

Pre-Run: 43,145,097,216 bytes free
Post-Run: 43,132,088,320 bytes free

243 --- E O F --- 2008-07-31 06:44:19