ComboFix 08-07-29.1 - Administrator 2008-08-01 21:32:04.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1552 [GMT 12:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript.txt
 * Created a new restore point

FILE ::
C:\WINNT\system32\aliens.dll
C:\WINNT\system32\aliensk.exe
C:\WINNT\system32\zgtwfx.dll
C:\WINNT\system32\zsdgff.dll
C:\WINNT\PIF
:#:
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\[u]0[/u]0008DE8
C:\[u]0[/u]0008DE8\139562
C:\[u]0[/u]0008DE8\170140
C:\[u]0[/u]0008DE8\191015
C:\[u]0[/u]0008DE8\232375
C:\[u]0[/u]0008DE8\253281
C:\[u]0[/u]0008DE8\278609
C:\[u]0[/u]0008DE8\303531
C:\[u]0[/u]0008DE8\325031
C:\[u]0[/u]0008DE8\344406
C:\[u]0[/u]0008DE8\363750
C:\[u]0[/u]0008DE8\383109
C:\[u]0[/u]0008DE8\402484
C:\[u]0[/u]0008DE8\421921
C:\[u]0[/u]0008DE8\464562
C:\[u]0[/u]0008DE8\485062
C:\[u]0[/u]0008DE8\504828
C:\[u]0[/u]0008DE8\524546
C:\[u]0[/u]0008DE8\544281
C:\[u]0[/u]0008DE8\564000
C:\[u]0[/u]0008DE8\583625
C:\[u]0[/u]0008DE8\603281
C:\[u]0[/u]0008DE8\628765
C:\[u]0[/u]0008DE8\649109
C:\[u]0[/u]0008DE8\673593
C:\[u]0[/u]0008DE8\694609
C:\[u]0[/u]0008DE8\714953
C:\[u]0[/u]0008DE8\735359
C:\[u]0[/u]0008DE8\755578
C:\[u]0[/u]0008DE8\776109
C:\[u]0[/u]0008DE8\797250
C:\[u]0[/u]0008DE8\823203
C:\[u]0[/u]0008DE8\848031
C:\[u]0[/u]0008DE8\868296
C:\[u]0[/u]0008E65
C:\[u]0[/u]0008E65\1008218
C:\[u]0[/u]0008E65\1053515
C:\[u]0[/u]0008E65\1075546
C:\[u]0[/u]0008E65\1118984
C:\[u]0[/u]0008E65\1141062
C:\[u]0[/u]0008E65\1162921
C:\[u]0[/u]0008E65\1184812
C:\[u]0[/u]0008E65\1206687
C:\[u]0[/u]0008E65\1228562
C:\[u]0[/u]0008E65\1249281
C:\[u]0[/u]0008E65\1269984
C:\[u]0[/u]0008E65\1315000
C:\[u]0[/u]0008E65\1337156
C:\[u]0[/u]0008E65\1359062
C:\[u]0[/u]0008E65\1380953
C:\[u]0[/u]0008E65\1424906
C:\[u]0[/u]0008E65\1445437
C:\[u]0[/u]0008E65\1466328
C:\[u]0[/u]0008E65\1494109
C:\[u]0[/u]0008E65\186265
C:\[u]0[/u]0008E65\294046
C:\[u]0[/u]0008E65\36476
C:\[u]0[/u]0008E65\940718
C:\[u]0[/u]0008E65\965765
C:\[u]0[/u]0008E65\987343
C:\[u]0[/u]0008EB3
C:\[u]0[/u]0008EB3\185500
C:\[u]0[/u]0008EB3\211640
C:\[u]0[/u]0008EB3\236625
C:\[u]0[/u]0008EB3\281843
C:\[u]0[/u]0008EB3\303218
C:\[u]0[/u]0008EB3\324625
C:\[u]0[/u]0008EB3\346265
C:\[u]0[/u]0008EB3\368281
C:\[u]0[/u]0008EB3\388468
C:\[u]0[/u]0008EB3\408203
C:\[u]0[/u]0008EB3\427953
C:\[u]0[/u]0008EB3\447687
C:\[u]0[/u]0008EB3\467984
C:\[u]0[/u]0008EB3\510171
C:\[u]0[/u]0008EB3\531015
C:\[u]0[/u]0008EB3\551265
C:\[u]0[/u]0008EB3\571562
C:\[u]0[/u]0008EB3\591859
C:\[u]0[/u]0008EB3\612109
C:\[u]0[/u]0008EB3\631718
C:\[u]0[/u]0008EB3\654078
C:\[u]0[/u]0008EB3\679578
C:\[u]0[/u]0008EB3\705718
C:\[u]0[/u]0008EB3\727375
C:\[u]0[/u]0008EB3\748296
C:\[u]0[/u]0008EB3\769203
C:\[u]0[/u]0008EB3\790843
C:\[u]0[/u]0008EB3\814343
C:\[u]0[/u]0008EB3\837359
C:\[u]0[/u]0008EB3\858906
C:\[u]0[/u]0008EB3\879187
C:\[u]0[/u]0008EB3\900250
C:\[u]0[/u]0008EB3\920531
C:\[u]0[/u]0008F01
C:\[u]0[/u]0009039
C:\[u]0[/u]0009039\127531
C:\[u]0[/u]0009039\149890
C:\[u]0[/u]0009039\170140
C:\[u]0[/u]0009039\214906
C:\[u]0[/u]0009039\235609
C:\[u]0[/u]0009039\256421
C:\[u]0[/u]0009039\278328
C:\[u]0[/u]0009039\299500
C:\[u]0[/u]0009039\318796
C:\[u]0[/u]0009039\338062
C:\[u]0[/u]0009039\357328
C:\[u]0[/u]0009039\376593
C:\[u]0[/u]0009039\395937
C:\[u]0[/u]0009039\437500
C:\[u]0[/u]0009039\457671
C:\[u]0[/u]0009039\477296
C:\[u]0[/u]0009039\500421
C:\[u]0[/u]0009039\521343
C:\[u]0[/u]0009039\541531
C:\[u]0[/u]0009039\561062
C:\[u]0[/u]0009039\580625
C:\[u]0[/u]0009039\603015
C:\[u]0[/u]0009039\623187
C:\[u]0[/u]0009039\642765
C:\[u]0[/u]0009039\662359
C:\[u]0[/u]0009039\685890
C:\[u]0[/u]0009039\707406
C:\[u]0[/u]0009039\731671
C:\[u]0[/u]0009039\754453
C:\[u]0[/u]0009039\775281
C:\[u]0[/u]0009039\795484
C:\[u]0[/u]0009039\818562
C:\[u]0[/u]0009039\839343
C:\[u]0[/u]019548E
C:\[u]0[/u]019548E\[u]0[/u]01955A8
C:\[u]0[/u]02C5AAC
C:\[u]0[/u]02C5AAC\2906804
C:\[u]0[/u]02C5AAC\2971093
C:\[u]0[/u]02C5AAC\2993812
C:\[u]0[/u]02C5AAC\3013953
C:\[u]0[/u]02C5AAC\3034390
C:\[u]0[/u]02C5AAC\3053953
C:\[u]0[/u]02EBD26
C:\[u]0[/u]031424A
C:\[u]0[/u]03143F0
C:\WINNT\system32\aliens.dll
C:\WINNT\system32\aliensk.exe
C:\WINNT\system32\debug.exe
C:\WINNT\system32\fmcvxy.dll
C:\WINNT\system32\fmcvxy.dll.LoG
C:\WINNT\system32\sgdewg.dll
C:\WINNT\system32\wcnonpe.dll
C:\WINNT\system32\wcnonpek.exe
C:\WINNT\system32\wklsdd.dll
C:\WINNT\system32\wklsdd.dll.LoG
C:\WINNT\system32\wyrsdj.dll
C:\WINNT\system32\zgtwfx.dll
C:\WINNT\system32\zsdgff.dll
.

((((((((((((((((((((((((( Files Created from 2008-07-01 to 2008-08-01 )))))))))))))))))))))))))))))))
.

2008-08-01 21:33 . 2008-08-01 21:33    d--hs----    C:\[u]0[/u]084BA07
2008-08-01 21:33 . 2008-08-01 21:33    d--hs----    C:\[u]0[/u]084B8DE
2008-08-01 21:32 . 2008-08-01 21:32    d--hs----    C:\[u]0[/u]083068A
2008-08-01 17:48 . 2008-08-01 17:48    d--h-----    C:\WINNT\PIF
2008-07-31 17:40 . 2008-07-31 17:40    d--------    C:\Deckard
2008-07-30 22:07 . 2008-07-30 22:43    d--h-----    C:\WINNT\system32\GroupPolicy
2008-07-30 21:16 . 2008-07-31 20:12    d--------    C:\Program Files\a-squared Anti-Malware
2008-07-30 20:01 . 2008-07-30 20:01    d--------    C:\Program Files\Trend Micro
2008-07-17 17:30 . 2008-06-14 01:10    272,128    -----c---    C:\WINNT\system32\dllcache\bthport.sys
2008-07-02 21:34 . 2008-07-02 21:36    139,264    --a------    C:\WINNT\War3Unin.exe
2008-07-02 21:34 . 2008-07-02 22:15    97,595    --a------    C:\WINNT\War3Unin.dat
2008-07-02 21:34 . 2008-07-02 21:36    2,829    --a------    C:\WINNT\War3Unin.pif
.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-01 09:25    ---------    d-----w    C:\Program Files\FlashGet
2008-08-01 09:25    ---------    d-----w    C:\Documents and Settings\Administrator\Application Data\uTorrent
2008-08-01 06:08    4,224    ----a-w    C:\WINNT\system32\drivers\beep.sys
2008-07-31 10:29    ---------    d-----w    C:\Program Files\Warcraft III
2008-07-30 10:43    ---------    d-----w    C:\Program Files\free-downloads.net
2008-07-30 10:15    ---------    d-----w    C:\Documents and Settings\Administrator\Application Data\AVG7
2008-07-30 08:14    ---------    d-----w    C:\Documents and Settings\All Users\Application Data\avg7
2008-07-30 07:56    ---------    d-----w    C:\Documents and Settings\All Users\Application Data\Microsoft Corporation
2008-06-29 03:33    ---------    d-----w    C:\Documents and Settings\Administrator\Application Data\SPORE Creature Creator
2008-06-20 10:45    360,320    ----a-w    C:\WINNT\system32\drivers\tcpip.sys
2008-06-20 10:44    138,368    ----a-w    C:\WINNT\system32\drivers\afd.sys
2008-06-20 09:52    225,920    ----a-w    C:\WINNT\system32\drivers\tcpip6.sys
2008-06-17 11:07    ---------    d--h--w    C:\Program Files\InstallShield Installation Information
2008-06-17 11:07    ---------    d-----w    C:\Program Files\Electronic Arts
2008-06-17 06:08    ---------    d-----w    C:\Documents and Settings\Administrator\Application Data\Realtime Soft
2008-06-17 05:59    ---------    d-----w    C:\Documents and Settings\All Users\Application Data\nView_Profiles
2008-06-13 13:10    272,128    ------w    C:\WINNT\system32\drivers\bthport.sys
2007-09-16 19:53    56    --sh--r    C:\WINNT\system32\C680CC8D45.sys
2007-09-16 19:53    3,350    --sha-w    C:\WINNT\system32\KGyGaAvL.sys
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of C:\WINNT\system32\GroupPolicy ----

2008-07-30 22:08    190    --a------    C:\WINNT\system32\GroupPolicy\User\Registry.pol
2008-07-30 22:08    156    --a------    C:\WINNT\system32\GroupPolicy\gpt.ini
2008-07-30 22:07    81    ---h-----    C:\WINNT\system32\GroupPolicy\Adm\admfiles.ini
2007-07-30 19:02    50726    --a------    C:\WINNT\system32\GroupPolicy\Adm\wuau.adm
2006-10-03 01:43    2402550    --a------    C:\WINNT\system32\GroupPolicy\Adm\inetres.adm
2006-04-25 10:10    69612    --a------    C:\WINNT\system32\GroupPolicy\Adm\wmplayer.adm
2004-07-17 22:54    1744202    --a------    C:\WINNT\system32\GroupPolicy\Adm\system.adm
2004-07-17 11:42    40282    --a------    C:\WINNT\system32\GroupPolicy\Adm\conf.adm

((((((((((((((((((((((((((((( snapshot@2008-07-31_20.01.08.96 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-07-31 07:56:27    16,384    ----a-w    C:\WINNT\system32\config\systemprofile\Cookies\index.dat
+ 2008-08-01 07:09:33    16,384    ----a-w    C:\WINNT\system32\config\systemprofile\Cookies\index.dat
- 2008-07-31 07:56:27    32,768    ----a-w    C:\WINNT\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-08-01 07:09:33    32,768    ----a-w    C:\WINNT\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-07-31 05:51:02    4,224    -c--a-w    C:\WINNT\system32\dllcache\beep.sys
+ 2008-08-01 06:08:35    4,224    -c--a-w    C:\WINNT\system32\dllcache\beep.sys
- 2008-07-31 07:56:46    211,432    ----a-w    C:\WINNT\system32\inetsrv\MetaBase.bin
+ 2008-08-01 09:37:33    211,427    ----a-w    C:\WINNT\system32\inetsrv\MetaBase.bin
+ 2008-08-01 09:35:44    16,384    ----atw    C:\WINNT\temp\Perflib_Perfdata_778.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINNT\system32\ctfmon.exe" [2004-08-04 00:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PHIME2002ASync"="C:\WINNT\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 22:32 455168]
"PHIME2002A"="C:\WINNT\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 22:32 455168]
"NvCplDaemon"="C:\WINNT\system32\NvCpl.dll" [2007-12-05 00:41 8523776]
"nwiz"="nwiz.exe" [2007-12-05 00:41 1626112 C:\WINNT\system32\nwiz.exe]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-04-11 15:32 56080 C:\WINNT\KHALMNPR.Exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-10-23 07:10 219136]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{1E51C0FD-EE36-434B-AD2A-FD1FF3731C38}"= "C:\WINNT\system32\wyrsdj.dll" [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=wcnonpe.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.I420"= i420vfw.dll
"msacm.l3fhg"= mp3fhg.acm
"VIDC.X264"= x264vfw.dll
"VIDC.HFYU"= huffyuv.dll
"msacm.iac2"= C:\WINDOWS\system32\iac25_32.ax
"vidc.i263"= i263_32.drv
"VIDC.YV12"= yv12vfw.dll
"msacm.divxa32"= divxa32.acm
"VIDC.VP40"= vp4vfw.dll
"VIDC.DRAW"= DVIDEO.DLL
"VIDC.MSUD"= msulvc05.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages    REG_MULTI_SZ    msv1_0 relog_ap

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\Warcraft III\\war3.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"C:\\Program Files\\Ocean Technology\\GG E-Sports Platform\\GGclient.exe"=
"C:\\Program Files\\Warcraft III\\Warcraft III.exe"=
"C:\\Program Files\\SpeedBit Video Accelerator\\VideoAcceleratorEngine.exe"=
"C:\\Program Files\\SpeedBit Video Accelerator\\VideoAccelerator.exe"=
"C:\\Program Files\\Nero\\Nero8\\Nero MediaHome\\NeroMediaHome.exe"=
"C:\\Program Files\\Nero\\Nero8\\Nero MediaHome\\NMMediaServer.exe"=
"C:\\Program Files\\Flagship Studios\\Hellgate London\\Launcher.exe"=
"C:\\Program Files\\TVersity\\Media Server\\TVersity.exe"=
"C:\\Program Files\\FlashGet\\FlashGet.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"C:\\Program Files\\Flagship Studios\\Mythos\\bin\\Mythos.exe"=

R2 NwSapAgent;SAP Agent;C:\WINNT\system32\svchost.exe [2004-08-04 00:56]
R2 sbbotdi;sbbotdi;C:\PROGRA~1\SPEEDB~1\sbbotdi.sys [2007-10-18 11:12]
R3 ha20x2k;Creative 20X HAL Driver;C:\WINNT\system32\drivers\ha20x2k.sys [2006-05-24 15:40]
S3 cpuz126;cpuz126;C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\cpuz.sys []
S3 FUCKALLGUARD;FUCKALLGUARD;C:\[u]0[/u]010927E\[u]0[/u]0109286 []
S3 NPF;NetGroup Packet Filter Driver;C:\WINNT\system32\drivers\npf.sys [2005-08-03 09:10]
S3 SaiH8000;SaiH8000;C:\WINNT\system32\DRIVERS\SaiH8000.sys [2004-07-30 10:25]
S3 UltraMonMirror;UltraMonMirror;C:\WINNT\system32\DRIVERS\UltraMonMirror.sys []
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-01 21:39:04
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\FUCKALLGUARD]
"ImagePath"="\??\C:\[u]0[/u]010927E\[u]0[/u]0109286"
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINNT\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-08-01 21:42:20 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-01 09:42:18
ComboFix2.txt 2008-08-01 07:14:08
ComboFix3.txt 2008-07-31 10:42:43
ComboFix4.txt 2008-07-31 08:02:17

Pre-Run: 43,079,176,192 bytes free
Post-Run: 43,062,149,120 bytes free

339 --- E O F --- 2008-07-31 06:44:19