ComboFix 08-07-29.1 - Administrator 2008-08-02 10:57:56.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1570 [GMT 12:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript.txt
* Created a new restore point
FILE ::
C:\Downloads\Adobe Acrobat Reader 7.0 Professional Multilanguage + Keygenerator.zip
C:\Old C\Desktop\kf151.zip
C:\Old C\Desktop\kf151\keyfinder.exe
C:\WINNT\system32\evenst.dll
F:\Administrator\Local Settings\Temp\apbarSp.Speedbit.exe
F:\Downloads\VA_11.exe
F:\keyfinder\keyfinder.exe
F:\uT\Net.Meter.v3.1.build.267.Incl.Patch-iNViSiBLE\NetMeterSetup.exe
H:\Desk\revPackageV1.3.zip
H:\Desk\va21.exe
H:\H\˙desk˙˙˙\va21beta.exe
I:\Downloads\180072.exe
I:\Downloads\59253.exe
I:\Downloads\DFX Audio Enhancer 8.350 and 8.352 for winamp + Key.rar
I:\Downloads\DFX Audio Enhancer 8.350 and 8.352 for winamp + Key\DFX Audio Enhancer 8.350 and 8.352 for winamp + Key\dfxInstall-Winamp.exe
I:\Downloads\kf151.zip
I:\Downloads\manga\kf151\keyfinder.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\0083068A
C:\0084B8DE
C:\0084BA07
C:\Downloads\Adobe Acrobat Reader 7.0 Professional Multilanguage + Keygenerator.zip
C:\Old C\Desktop\kf151.zip
C:\Old C\Desktop\kf151\keyfinder.exe
C:\WINNT\system32\evenst.dll
F:\Administrator\Local Settings\Temp\apbarSp.Speedbit.exe
F:\Downloads\VA_11.exe
F:\keyfinder\keyfinder.exe
F:\uT\Net.Meter.v3.1.build.267.Incl.Patch-iNViSiBLE\NetMeterSetup.exe
H:\Desk\revPackageV1.3.zip
H:\Desk\va21.exe
I:\Downloads\180072.exe
I:\Downloads\59253.exe
I:\Downloads\DFX Audio Enhancer 8.350 and 8.352 for winamp + Key.rar
I:\Downloads\DFX Audio Enhancer 8.350 and 8.352 for winamp + Key\DFX Audio Enhancer 8.350 and 8.352 for winamp + Key\dfxInstall-Winamp.exe
I:\Downloads\kf151.zip
I:\Downloads\manga\kf151\keyfinder.exe
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_FUCKALLGUARD
((((((((((((((((((((((((( Files Created from 2008-07-01 to 2008-08-01 )))))))))))))))))))))))))))))))
.
2008-08-02 05:32 . 2008-08-02 05:33 250 --a------ C:\WINNT\gmer.ini
2008-08-01 21:48 . 2008-08-01 21:48 d-------- C:\WINNT\system32\Kaspersky Lab
2008-08-01 21:48 . 2008-08-01 21:48 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-08-01 17:48 . 2008-08-01 17:48 d--h----- C:\WINNT\PIF
2008-07-31 17:40 . 2008-07-31 17:40 d-------- C:\Deckard
2008-07-30 22:07 . 2008-07-30 22:43 d--h----- C:\WINNT\system32\GroupPolicy
2008-07-30 21:16 . 2008-07-31 20:12 d-------- C:\Program Files\a-squared Anti-Malware
2008-07-30 20:01 . 2008-07-30 20:01 d-------- C:\Program Files\Trend Micro
2008-07-17 17:30 . 2008-06-14 01:10 272,128 -----c--- C:\WINNT\system32\dllcache\bthport.sys
2008-07-02 21:34 . 2008-07-02 21:36 139,264 --a------ C:\WINNT\War3Unin.exe
2008-07-02 21:34 . 2008-07-02 22:15 97,595 --a------ C:\WINNT\War3Unin.dat
2008-07-02 21:34 . 2008-07-02 21:36 2,829 --a------ C:\WINNT\War3Unin.pif
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-01 22:57 --------- d-----w C:\Documents and Settings\Administrator\Application Data\uTorrent
2008-08-01 09:25 --------- d-----w C:\Program Files\FlashGet
2008-08-01 06:08 4,224 ----a-w C:\WINNT\system32\drivers\beep.sys
2008-07-31 10:29 --------- d-----w C:\Program Files\Warcraft III
2008-07-30 10:43 --------- d-----w C:\Program Files\free-downloads.net
2008-07-30 10:15 --------- d-----w C:\Documents and Settings\Administrator\Application Data\AVG7
2008-07-30 08:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2008-07-30 07:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Corporation
2008-06-29 03:33 --------- d-----w C:\Documents and Settings\Administrator\Application Data\SPORE Creature Creator
2008-06-20 10:45 360,320 ----a-w C:\WINNT\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINNT\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINNT\system32\drivers\tcpip6.sys
2008-06-17 11:07 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-17 11:07 --------- d-----w C:\Program Files\Electronic Arts
2008-06-17 06:08 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Realtime Soft
2008-06-17 05:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\nView_Profiles
2008-06-13 13:10 272,128 ------w C:\WINNT\system32\drivers\bthport.sys
2007-09-16 19:53 56 --sh--r C:\WINNT\system32\C680CC8D45.sys
2007-09-16 19:53 3,350 --sha-w C:\WINNT\system32\KGyGaAvL.sys
.
((((((((((((((((((((((((((((( snapshot@2008-07-31_20.01.08.96 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-08-01 17:32:41 884,736 ----a-w C:\WINNT\gmer.dll
+ 2008-04-17 09:13:02 811,008 ----a-w C:\WINNT\gmer.exe
- 2008-07-31 07:56:27 16,384 ----a-w C:\WINNT\system32\config\systemprofile\Cookies\index.dat
+ 2008-08-01 09:35:23 16,384 ----a-w C:\WINNT\system32\config\systemprofile\Cookies\index.dat
- 2008-07-31 07:56:27 32,768 ----a-w C:\WINNT\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-08-01 09:35:23 32,768 ----a-w C:\WINNT\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-07-31 05:51:02 4,224 -c--a-w C:\WINNT\system32\dllcache\beep.sys
+ 2008-08-01 06:08:35 4,224 -c--a-w C:\WINNT\system32\dllcache\beep.sys
+ 2008-08-01 17:32:41 85,969 ----a-w C:\WINNT\system32\drivers\gmer.sys
- 2008-07-31 07:56:46 211,432 ----a-w C:\WINNT\system32\inetsrv\MetaBase.bin
+ 2008-08-01 23:01:33 211,426 ----a-w C:\WINNT\system32\inetsrv\MetaBase.bin
+ 2005-05-24 00:27:16 213,048 ----a-w C:\WINNT\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
+ 2007-08-29 03:47:20 94,208 ----a-w C:\WINNT\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
+ 2007-08-29 03:49:54 950,272 ----a-w C:\WINNT\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
+ 2008-08-01 23:01:47 16,384 ----atw C:\WINNT\temp\Perflib_Perfdata_780.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINNT\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 12:54 5674352]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PHIME2002ASync"="C:\WINNT\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 22:32 455168]
"PHIME2002A"="C:\WINNT\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 22:32 455168]
"NvCplDaemon"="C:\WINNT\system32\NvCpl.dll" [2007-12-05 00:41 8523776]
"RivaTunerStartupDaemon"="C:\Program Files\RivaTuner v2.06\RivaTuner.exe" [2007-10-31 06:05 2650112]
"nwiz"="nwiz.exe" [2007-12-05 00:41 1626112 C:\WINNT\system32\nwiz.exe]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-04-11 15:32 56080 C:\WINNT\KHALMNPR.Exe]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-10-23 07:10 219136]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{1E51C0FD-EE36-434B-AD2A-FD1FF3731C38}"= "C:\WINNT\system32\wyrsdj.dll" [BU]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=wcnonpe.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.I420"= i420vfw.dll
"msacm.l3fhg"= mp3fhg.acm
"VIDC.X264"= x264vfw.dll
"VIDC.HFYU"= huffyuv.dll
"msacm.iac2"= C:\WINDOWS\system32\iac25_32. ax
"vidc.i263"= i263_32.drv
"VIDC.YV12"= yv12vfw.dll
"msacm.divxa32"= divxa32.acm
"VIDC.VP40"= vp4vfw.dll
"VIDC.DRAW"= DVIDEO.DLL
"VIDC.MSUD"= msulvc05.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 relog_ap
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\Warcraft III\\war3.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"C:\\Program Files\\Ocean Technology\\GG E-Sports Platform\\GGclient.exe"=
"C:\\Program Files\\Warcraft III\\Warcraft III.exe"=
"C:\\Program Files\\SpeedBit Video Accelerator\\VideoAcceleratorEngine.exe"=
"C:\\Program Files\\SpeedBit Video Accelerator\\VideoAccelerator.exe"=
"C:\\Program Files\\Nero\\Nero8\\Nero MediaHome\\NeroMediaHome.exe"=
"C:\\Program Files\\Nero\\Nero8\\Nero MediaHome\\NMMediaServer.exe"=
"C:\\Program Files\\Flagship Studios\\Hellgate London\\Launcher.exe"=
"C:\\Program Files\\TVersity\\Media Server\\TVersity.exe"=
"C:\\Program Files\\FlashGet\\FlashGet.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"C:\\Program Files\\Flagship Studios\\Mythos\\bin\\Mythos.exe"=
R2 NwSapAgent;SAP Agent;C:\WINNT\system32\svchost.exe [2004-08-04 00:56]
R2 sbbotdi;sbbotdi;C:\PROGRA~1\SPEEDB~1\sbbotdi.sys [2007-10-18 11:12]
R3 ha20x2k;Creative 20X HAL Driver;C:\WINNT\system32\drivers\ha20x2k.sys [2006-05-24 15:40]
S3 cpuz126;cpuz126;C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\cpuz.sys []
S3 NPF;NetGroup Packet Filter Driver;C:\WINNT\system32\drivers\npf.sys [2005-08-03 09:10]
S3 SaiH8000;SaiH8000;C:\WINNT\system32\DRIVERS\SaiH8000.sys [2004-07-30 10:25]
S3 UltraMonMirror;UltraMonMirror;C:\WINNT\system32\DRIVERS\UltraMonMirror.sys []
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-02 11:01:59
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINNT\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-08-02 11:05:34 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-01 23:05:32
ComboFix2.txt 2008-08-01 09:42:21
ComboFix3.txt 2008-08-01 07:14:08
ComboFix4.txt 2008-07-31 10:42:43
ComboFix5.txt 2008-08-01 22:57:36
Pre-Run: 43,071,868,928 bytes free
Post-Run: 43,061,706,752 bytes free
214 --- E O F --- 2008-07-31 06:44:19