ComboFix 08-07-29.1 - Administrator 2008-08-02 10:57:56.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1570 [GMT 12:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript.txt
 * Created a new restore point

FILE ::
C:\Downloads\Adobe Acrobat Reader 7.0 Professional Multilanguage + Keygenerator.zip
C:\Old C\Desktop\kf151.zip
C:\Old C\Desktop\kf151\keyfinder.exe
C:\WINNT\system32\evenst.dll
F:\Administrator\Local Settings\Temp\apbarSp.Speedbit.exe
F:\Downloads\VA_11.exe
F:\keyfinder\keyfinder.exe
F:\uT\Net.Meter.v3.1.build.267.Incl.Patch-iNViSiBLE\NetMeterSetup.exe
H:\Desk\revPackageV1.3.zip
H:\Desk\va21.exe
H:\H\˙desk˙˙˙\va21beta.exe
I:\Downloads\180072.exe
I:\Downloads\59253.exe
I:\Downloads\DFX Audio Enhancer 8.350 and 8.352 for winamp + Key.rar
I:\Downloads\DFX Audio Enhancer 8.350 and 8.352 for winamp + Key\DFX Audio Enhancer 8.350 and 8.352 for winamp + Key\dfxInstall-Winamp.exe
I:\Downloads\kf151.zip
I:\Downloads\manga\kf151\keyfinder.exe
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\0083068A
C:\0084B8DE
C:\0084BA07
C:\Downloads\Adobe Acrobat Reader 7.0 Professional Multilanguage + Keygenerator.zip
C:\Old C\Desktop\kf151.zip
C:\Old C\Desktop\kf151\keyfinder.exe
C:\WINNT\system32\evenst.dll
F:\Administrator\Local Settings\Temp\apbarSp.Speedbit.exe
F:\Downloads\VA_11.exe
F:\keyfinder\keyfinder.exe
F:\uT\Net.Meter.v3.1.build.267.Incl.Patch-iNViSiBLE\NetMeterSetup.exe
H:\Desk\revPackageV1.3.zip
H:\Desk\va21.exe
I:\Downloads\180072.exe
I:\Downloads\59253.exe
I:\Downloads\DFX Audio Enhancer 8.350 and 8.352 for winamp + Key.rar
I:\Downloads\DFX Audio Enhancer 8.350 and 8.352 for winamp + Key\DFX Audio Enhancer 8.350 and 8.352 for winamp + Key\dfxInstall-Winamp.exe
I:\Downloads\kf151.zip
I:\Downloads\manga\kf151\keyfinder.exe
.

(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_FUCKALLGUARD


(((((((((((((((((((((((((   Files Created from 2008-07-01 to 2008-08-01   )))))))))))))))))))))))))))))))
.

2008-08-02 05:32 . 2008-08-02 05:33	250	--a------	C:\WINNT\gmer.ini
2008-08-01 21:48 . 2008-08-01 21:48	<DIR>	d--------	C:\WINNT\system32\Kaspersky Lab
2008-08-01 21:48 . 2008-08-01 21:48	<DIR>	d--------	C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-08-01 17:48 . 2008-08-01 17:48	<DIR>	d--h-----	C:\WINNT\PIF
2008-07-31 17:40 . 2008-07-31 17:40	<DIR>	d--------	C:\Deckard
2008-07-30 22:07 . 2008-07-30 22:43	<DIR>	d--h-----	C:\WINNT\system32\GroupPolicy
2008-07-30 21:16 . 2008-07-31 20:12	<DIR>	d--------	C:\Program Files\a-squared Anti-Malware
2008-07-30 20:01 . 2008-07-30 20:01	<DIR>	d--------	C:\Program Files\Trend Micro
2008-07-17 17:30 . 2008-06-14 01:10	272,128	-----c---	C:\WINNT\system32\dllcache\bthport.sys
2008-07-02 21:34 . 2008-07-02 21:36	139,264	--a------	C:\WINNT\War3Unin.exe
2008-07-02 21:34 . 2008-07-02 22:15	97,595	--a------	C:\WINNT\War3Unin.dat
2008-07-02 21:34 . 2008-07-02 21:36	2,829	--a------	C:\WINNT\War3Unin.pif
.

((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.

2008-08-01 22:57	---------	d-----w	C:\Documents and Settings\Administrator\Application Data\uTorrent
2008-08-01 09:25	---------	d-----w	C:\Program Files\FlashGet
2008-08-01 06:08	4,224	----a-w	C:\WINNT\system32\drivers\beep.sys
2008-07-31 10:29	---------	d-----w	C:\Program Files\Warcraft III
2008-07-30 10:43	---------	d-----w	C:\Program Files\free-downloads.net
2008-07-30 10:15	---------	d-----w	C:\Documents and Settings\Administrator\Application Data\AVG7
2008-07-30 08:14	---------	d-----w	C:\Documents and Settings\All Users\Application Data\avg7
2008-07-30 07:56	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Microsoft Corporation
2008-06-29 03:33	---------	d-----w	C:\Documents and Settings\Administrator\Application Data\SPORE Creature Creator
2008-06-20 10:45	360,320	----a-w	C:\WINNT\system32\drivers\tcpip.sys
2008-06-20 10:44	138,368	----a-w	C:\WINNT\system32\drivers\afd.sys
2008-06-20 09:52	225,920	----a-w	C:\WINNT\system32\drivers\tcpip6.sys
2008-06-17 11:07	---------	d--h--w	C:\Program Files\InstallShield Installation Information
2008-06-17 11:07	---------	d-----w	C:\Program Files\Electronic Arts
2008-06-17 06:08	---------	d-----w	C:\Documents and Settings\Administrator\Application Data\Realtime Soft
2008-06-17 05:59	---------	d-----w	C:\Documents and Settings\All Users\Application Data\nView_Profiles
2008-06-13 13:10	272,128	------w	C:\WINNT\system32\drivers\bthport.sys
2007-09-16 19:53	56	--sh--r	C:\WINNT\system32\C680CC8D45.sys
2007-09-16 19:53	3,350	--sha-w	C:\WINNT\system32\KGyGaAvL.sys
.

(((((((((((((((((((((((((((((   snapshot@2008-07-31_20.01.08.96   )))))))))))))))))))))))))))))))))))))))))
.

+ 2008-08-01 17:32:41	884,736	----a-w	C:\WINNT\gmer.dll
+ 2008-04-17 09:13:02	811,008	----a-w	C:\WINNT\gmer.exe
- 2008-07-31 07:56:27	16,384	----a-w	C:\WINNT\system32\config\systemprofile\Cookies\index.dat
+ 2008-08-01 09:35:23	16,384	----a-w	C:\WINNT\system32\config\systemprofile\Cookies\index.dat
- 2008-07-31 07:56:27	32,768	----a-w	C:\WINNT\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-08-01 09:35:23	32,768	----a-w	C:\WINNT\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-07-31 05:51:02	4,224	-c--a-w	C:\WINNT\system32\dllcache\beep.sys
+ 2008-08-01 06:08:35	4,224	-c--a-w	C:\WINNT\system32\dllcache\beep.sys
+ 2008-08-01 17:32:41	85,969	----a-w	C:\WINNT\system32\drivers\gmer.sys
- 2008-07-31 07:56:46	211,432	----a-w	C:\WINNT\system32\inetsrv\MetaBase.bin
+ 2008-08-01 23:01:33	211,426	----a-w	C:\WINNT\system32\inetsrv\MetaBase.bin
+ 2005-05-24 00:27:16	213,048	----a-w	C:\WINNT\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
+ 2007-08-29 03:47:20	94,208	----a-w	C:\WINNT\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
+ 2007-08-29 03:49:54	950,272	----a-w	C:\WINNT\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
+ 2008-08-01 23:01:47	16,384	----atw	C:\WINNT\temp\Perflib_Perfdata_780.dat
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINNT\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 12:54 5674352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PHIME2002ASync"="C:\WINNT\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 22:32 455168]
"PHIME2002A"="C:\WINNT\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 22:32 455168]
"NvCplDaemon"="C:\WINNT\system32\NvCpl.dll" [2007-12-05 00:41 8523776]
"RivaTunerStartupDaemon"="C:\Program Files\RivaTuner v2.06\RivaTuner.exe" [2007-10-31 06:05 2650112]
"nwiz"="nwiz.exe" [2007-12-05 00:41 1626112 C:\WINNT\system32\nwiz.exe]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-04-11 15:32 56080 C:\WINNT\KHALMNPR.Exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-10-23 07:10 219136]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{1E51C0FD-EE36-434B-AD2A-FD1FF3731C38}"= "C:\WINNT\system32\wyrsdj.dll" [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=wcnonpe.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.I420"= i420vfw.dll
"msacm.l3fhg"= mp3fhg.acm
"VIDC.X264"= x264vfw.dll
"VIDC.HFYU"= huffyuv.dll
"msacm.iac2"= C:\WINDOWS\system32\iac25_32.ax
"vidc.i263"= i263_32.drv
"VIDC.YV12"= yv12vfw.dll
"msacm.divxa32"= divxa32.acm
"VIDC.VP40"= vp4vfw.dll
"VIDC.DRAW"= DVIDEO.DLL
"VIDC.MSUD"= msulvc05.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages	REG_MULTI_SZ   	msv1_0 relog_ap

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\Warcraft III\\war3.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"C:\\Program Files\\Ocean Technology\\GG E-Sports Platform\\GGclient.exe"=
"C:\\Program Files\\Warcraft III\\Warcraft III.exe"=
"C:\\Program Files\\SpeedBit Video Accelerator\\VideoAcceleratorEngine.exe"=
"C:\\Program Files\\SpeedBit Video Accelerator\\VideoAccelerator.exe"=
"C:\\Program Files\\Nero\\Nero8\\Nero MediaHome\\NeroMediaHome.exe"=
"C:\\Program Files\\Nero\\Nero8\\Nero MediaHome\\NMMediaServer.exe"=
"C:\\Program Files\\Flagship Studios\\Hellgate London\\Launcher.exe"=
"C:\\Program Files\\TVersity\\Media Server\\TVersity.exe"=
"C:\\Program Files\\FlashGet\\FlashGet.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"C:\\Program Files\\Flagship Studios\\Mythos\\bin\\Mythos.exe"=

R2 NwSapAgent;SAP Agent;C:\WINNT\system32\svchost.exe [2004-08-04 00:56]
R2 sbbotdi;sbbotdi;C:\PROGRA~1\SPEEDB~1\sbbotdi.sys [2007-10-18 11:12]
R3 ha20x2k;Creative 20X HAL Driver;C:\WINNT\system32\drivers\ha20x2k.sys [2006-05-24 15:40]
S3 cpuz126;cpuz126;C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\cpuz.sys []
S3 NPF;NetGroup Packet Filter Driver;C:\WINNT\system32\drivers\npf.sys [2005-08-03 09:10]
S3 SaiH8000;SaiH8000;C:\WINNT\system32\DRIVERS\SaiH8000.sys [2004-07-30 10:25]
S3 UltraMonMirror;UltraMonMirror;C:\WINNT\system32\DRIVERS\UltraMonMirror.sys []

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-02 11:01:59
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINNT\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-08-02 11:05:34 - machine was rebooted
ComboFix-quarantined-files.txt  2008-08-01 23:05:32
ComboFix2.txt  2008-08-01 09:42:21
ComboFix3.txt  2008-08-01 07:14:08
ComboFix4.txt  2008-07-31 10:42:43
ComboFix5.txt  2008-08-01 22:57:36

Pre-Run: 43,071,868,928 bytes free
Post-Run: 43,061,706,752 bytes free

214	--- E O F ---	2008-07-31 06:44:19