ComboFix 08-02.03.1 - Osama Zulfiqar 2008-02-03 6:54:35.2 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.466 [GMT 5:00]
Running from: D:\Documents and Settings\Osama Zulfiqar\Desktop\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
D:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
D:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
D:\WINDOWS\autorun.inf
D:\WINDOWS\system32\amvo0.dll
D:\WINDOWS\system32\amvo1.dll
----- BITS: Possible infected sites -----
hxxp://msgr.dlservice.microsoft.com
.
((((((((((((((((((((((((( Files Created from 2008-01-03 to 2008-02-03 )))))))))))))))))))))))))))))))
.
2008-02-03 00:13 . 2008-02-03 00:13 <DIR> d-------- D:\Program Files\SUPERAntiSpyware
2008-02-03 00:13 . 2008-02-03 00:13 <DIR> d-------- D:\Documents and Settings\Osama Zulfiqar\Application Data\SUPERAntiSpyware.com
2008-02-03 00:13 . 2008-02-03 00:13 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-02-03 00:06 . 2008-02-03 00:06 <DIR> d-------- D:\Program Files\Trend Micro
2008-02-02 23:09 . 2008-02-02 23:09 <DIR> d-------- D:\Program Files\Lavasoft
2008-02-02 23:09 . 2008-02-02 23:09 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-02 02:30 . 2008-02-02 02:30 <DIR> d--hs---- D:\FOUND.159
2008-01-31 12:53 . 2008-01-31 12:53 <DIR> d--hs---- D:\FOUND.158
2008-01-30 23:57 . 2008-01-30 23:57 <DIR> d--hs---- D:\FOUND.157
2008-01-30 00:57 . 2008-01-30 00:57 <DIR> d--hs---- D:\FOUND.156
2008-01-25 20:02 . 2008-01-25 20:02 <DIR> d--hs---- D:\FOUND.155
2008-01-23 00:00 . 2008-01-23 00:00 <DIR> d--hs---- D:\FOUND.154
2008-01-22 20:05 . 2008-01-22 20:05 <DIR> d--hs---- D:\FOUND.153
2008-01-22 14:52 . 2008-01-22 14:52 <DIR> d--hs---- D:\FOUND.152
2008-01-18 04:44 . 2008-01-18 04:44 <DIR> d-------- D:\Program Files\Neoretix
2008-01-18 03:48 . 2008-01-18 03:48 <DIR> d-------- D:\WINDOWS\system32\Kaspersky Lab
2008-01-18 03:48 . 2008-01-18 03:48 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-01-18 03:48 . 2007-11-07 18:51 229,621 -rahs---- D:\WINDOWS\Funny UST Scandal.exe
2008-01-18 03:42 . 2008-01-18 03:42 <DIR> d-------- D:\log
2008-01-18 01:14 . 2008-01-18 01:14 <DIR> d--hs---- D:\FOUND.151
2008-01-16 22:25 . 2008-01-16 22:25 <DIR> d--hs---- D:\FOUND.150
2008-01-16 08:35 . 2007-11-07 18:51 229,621 -rahs---- D:\Funny UST Scandal.avi.exe
2008-01-15 00:04 . 2008-01-15 00:04 <DIR> d--hs---- D:\FOUND.149
2008-01-14 21:48 . 2008-01-14 21:48 <DIR> d--hs---- D:\FOUND.148
2008-01-12 02:42 . 2008-01-12 02:42 <DIR> d-------- D:\Program Files\MSECache
2008-01-11 20:06 . 2008-01-11 20:06 <DIR> d--hs---- D:\FOUND.147
2008-01-11 16:41 . 2008-01-11 16:41 <DIR> d--hs---- D:\FOUND.146
2008-01-10 20:01 . 2008-01-10 20:01 <DIR> d--hs---- D:\FOUND.145
2008-01-10 02:37 . 2008-01-10 02:37 <DIR> d-------- D:\Documents and Settings\Osama Zulfiqar\Application Data\FrostWire
2008-01-10 02:19 . 2007-09-24 23:31 69,632 --a------ D:\WINDOWS\system32\javacpl.cpl
2008-01-10 02:06 . 2008-01-10 02:06 <DIR> d-------- D:\Program Files\FrostWire
2008-01-09 19:59 . 2008-01-09 19:59 <DIR> d--hs---- D:\FOUND.144
2008-01-06 19:56 . 2008-01-06 19:56 <DIR> d-------- D:\Program Files\Powerbullet
2008-01-06 19:11 . 2007-01-13 09:45 172,032 --a------ D:\WINDOWS\system32\igfxres.dll
2008-01-06 17:46 . 2008-01-06 17:46 <DIR> d--hs---- D:\FOUND.143
2008-01-06 17:38 . 2008-01-06 17:38 <DIR> d--hs---- D:\FOUND.142
2008-01-06 17:00 . 2008-01-06 17:01 <DIR> d-------- D:\Documents and Settings\Osama Zulfiqar\Application Data\Serious Magic
2008-01-06 16:58 . 2008-01-06 16:58 <DIR> d-------- D:\Program Files\Serious Magic
2008-01-06 16:58 . 2008-01-06 16:58 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\Serious Magic
2008-01-06 15:54 . 2008-01-06 15:54 <DIR> d--hs---- D:\FOUND.141
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-02 10:20 32 --sha-w D:\WINDOWS\system32\drivers\fidbox.idx
2008-02-02 10:20 32 --sha-w D:\WINDOWS\system32\drivers\fidbox.dat
2008-01-30 02:41 573,440 ------w D:\WINDOWS\Internet Logs\xDB29.tmp
2008-01-30 02:41 1,843,200 ------w D:\WINDOWS\Internet Logs\xDB2A.tmp
2008-01-22 10:40 13,824 ------w D:\WINDOWS\Internet Logs\xDB28.tmp
2008-01-18 04:34 286,720 ------w D:\WINDOWS\Internet Logs\xDB27.tmp
2008-01-17 03:53 1,056,768 ------w D:\WINDOWS\Internet Logs\xDB26.tmp
2008-01-16 11:49 10,398,241 ------w D:\WINDOWS\Internet Logs\tvDebug.zip
2008-01-12 08:58 35,712 ----a-w D:\Documents and Settings\Osama Zulfiqar\Application Data\GDIPFONTCACHEV1.DAT
2007-12-21 21:40 63,488 ------w D:\WINDOWS\Internet Logs\xDB24.tmp
2007-12-21 21:40 1,843,200 ------w D:\WINDOWS\Internet Logs\xDB25.tmp
2007-12-20 14:57 92,672 ------w D:\WINDOWS\Internet Logs\xDB22.tmp
2007-12-20 14:57 1,843,200 ------w D:\WINDOWS\Internet Logs\xDB23.tmp
2007-12-18 03:31 589,824 ------w D:\WINDOWS\Internet Logs\xDB20.tmp
2007-12-18 03:31 1,843,200 ------w D:\WINDOWS\Internet Logs\xDB21.tmp
2007-12-14 06:32 12,632 ----a-w D:\WINDOWS\system32\lsdelete.exe
2007-12-11 18:40 --------- d-----w D:\Program Files\PictureDesk
2007-12-11 04:45 401,408 ------w D:\WINDOWS\Internet Logs\xDB1E.tmp
2007-12-11 04:45 1,835,008 ------w D:\WINDOWS\Internet Logs\xDB1F.tmp
2007-12-10 13:18 --------- d-----w D:\Documents and Settings\All Users\Application Data\Bluetooth
2007-12-07 13:20 46,592 ------w D:\WINDOWS\Internet Logs\xDB1C.tmp
2007-12-07 13:20 1,563,648 ------w D:\WINDOWS\Internet Logs\xDB1D.tmp
2007-12-07 12:52 --------- d-----w D:\Program Files\My-Proxy
2007-12-06 21:57 409,600 ------w D:\WINDOWS\Internet Logs\xDB1A.tmp
2007-12-06 21:57 1,556,992 ------w D:\WINDOWS\Internet Logs\xDB1B.tmp
2007-11-28 16:29 1,540,608 ------w D:\WINDOWS\Internet Logs\xDB19.tmp
2007-11-25 02:39 178,688 ------w D:\WINDOWS\Internet Logs\xDB17.tmp
2007-11-25 02:39 1,534,464 ------w D:\WINDOWS\Internet Logs\xDB18.tmp
2007-11-19 14:27 286,720 ------w D:\WINDOWS\Internet Logs\xDB16.tmp
2007-11-17 22:58 376,832 ------w D:\WINDOWS\Internet Logs\xDB14.tmp
2007-11-17 22:58 1,516,544 ------w D:\WINDOWS\Internet Logs\xDB15.tmp
2007-11-07 21:36 47,104 ------w D:\WINDOWS\Internet Logs\xDB12.tmp
2007-11-07 21:36 1,498,112 ------w D:\WINDOWS\Internet Logs\xDB13.tmp
2007-11-06 22:31 331,264 ------w D:\WINDOWS\Internet Logs\xDB10.tmp
2007-11-06 22:31 1,494,528 ------w D:\WINDOWS\Internet Logs\xDB11.tmp
2007-10-29 08:52 1,470,464 ------w D:\WINDOWS\Internet Logs\xDBF.tmp
2007-10-28 23:51 70,656 ------w D:\WINDOWS\Internet Logs\xDBD.tmp
2007-10-28 23:51 1,469,440 ------w D:\WINDOWS\Internet Logs\xDBE.tmp
2007-10-28 12:00 1,465,344 ------w D:\WINDOWS\Internet Logs\xDBC.tmp
2007-10-28 12:00 1,137,152 ------w D:\WINDOWS\Internet Logs\xDBB.tmp
2007-10-20 09:17 306,176 ------w D:\WINDOWS\Internet Logs\xDB9.tmp
2007-10-20 09:17 1,439,232 ------w D:\WINDOWS\Internet Logs\xDBA.tmp
2007-10-18 09:08 532,480 ------w D:\WINDOWS\Internet Logs\xDB8.tmp
2007-10-16 06:08 925,696 ------w D:\WINDOWS\Internet Logs\xDB6.tmp
2007-10-16 06:08 1,423,872 ------w D:\WINDOWS\Internet Logs\xDB7.tmp
2007-10-12 19:36 1,458,176 ------w D:\WINDOWS\Internet Logs\xDB4.tmp
2007-10-12 19:36 1,420,800 ------w D:\WINDOWS\Internet Logs\xDB5.tmp
2007-10-10 10:52 1,414,656 ------w D:\WINDOWS\Internet Logs\xDB3.tmp
2007-10-06 22:21 363,520 ------w D:\WINDOWS\Internet Logs\xDB1.tmp
2007-10-06 22:21 1,401,344 ------w D:\WINDOWS\Internet Logs\xDB2.tmp
2007-10-05 11:30 523,264 ------w D:\WINDOWS\Internet Logs\xDB1AF.tmp
2007-10-05 11:30 1,389,056 ------w D:\WINDOWS\Internet Logs\xDB1B0.tmp
2007-10-02 06:44 21,495,305 ------w D:\WINDOWS\Internet Logs\vsmon_2nd_2007_10_02_11_34_21_full.dmp.zip
2007-10-02 06:37 120,320 ------w D:\WINDOWS\Internet Logs\xDB39D.tmp
2007-10-02 04:30 138,089 ------w D:\WINDOWS\Internet Logs\vsmon_2nd_2007_10_02_03_40_06_small.dmp.zip
2007-10-02 04:30 115,140 ------w D:\WINDOWS\Internet Logs\vsmon_2nd_2007_10_02_03_37_00_small.dmp.zip
2007-10-02 04:30 112,650 ------w D:\WINDOWS\Internet Logs\vsmon_2nd_2007_10_02_03_41_17_small.dmp.zip
2007-10-02 04:30 106,886 ------w D:\WINDOWS\Internet Logs\vsmon_2nd_2007_10_02_03_38_37_small.dmp.zip
2007-10-01 22:41 1,355,776 ------w D:\WINDOWS\Internet Logs\xDB250.tmp
2007-10-01 22:40 24,064 ------w D:\WINDOWS\Internet Logs\xDB24A.tmp
2007-10-01 22:40 1,355,776 ------w D:\WINDOWS\Internet Logs\xDB24B.tmp
2007-10-01 22:38 27,648 ------w D:\WINDOWS\Internet Logs\xDB242.tmp
2007-10-01 22:38 1,355,776 ------w D:\WINDOWS\Internet Logs\xDB243.tmp
2007-10-01 22:37 1,339,392 ------w D:\WINDOWS\Internet Logs\xDB23E.tmp
2007-10-01 16:20 112,583 ------w D:\WINDOWS\Internet Logs\vsmon_2nd_2007_10_01_19_38_28_small.dmp.zip
2007-10-01 10:39 20,698,146 ------w D:\WINDOWS\Internet Logs\vsmon_on_demand_2007_10_01_13_48_04_full.dmp.zip
2007-10-01 10:39 113,319 ------w D:\WINDOWS\Internet Logs\vsmon_2nd_2007_10_01_13_47_03_small.dmp.zip
2007-10-01 10:39 106,375 ------w D:\WINDOWS\Internet Logs\vsmon_2nd_2007_10_01_13_44_58_small.dmp.zip
2007-10-01 08:40 110,088 ------w D:\WINDOWS\Internet Logs\vsmon_2nd_2007_10_01_13_39_33_small.dmp.zip
2007-09-30 18:19 251,904 ------w D:\WINDOWS\Internet Logs\xDB11C.tmp
2006-11-23 16:01 94,744 ----a-w D:\Program Files\grid32.ocx
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="D:\WINDOWS\system32\ctfmon.exe" [2004-08-03 22:56 15360]
"Runonce"="D:\WINDOWS\smss.exe" [ ]
"SUPERAntiSpyware"="D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06 1318912]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CoolSwitch"="D:\WINDOWS\System32\taskswitch.exe" [2002-03-19 17:30 45632]
"NVCLOCK"="nvclock.dll" [2003-04-14 06:59 81920 D:\WINDOWS\system32\nvclock.dll]
"AVG7_CC"="D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2007-12-21 09:29 579072]
"SoundMan"="SOUNDMAN.EXE" [2005-09-21 10:24 86016 D:\WINDOWS\SoundMan.exe]
"AlcWzrd"="ALCWZRD.EXE" [2005-10-11 13:33 2807808 D:\WINDOWS\ALCWZRD.EXE]
"NvCplDaemon"="D:\WINDOWS\system32\NvCpl.dll" [2004-09-30 10:35 4603904]
"NvMediaCenter"="D:\WINDOWS\system32\NvMcTray.dll" [2004-09-30 10:35 86016]
"!AVG Anti-Spyware"="D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 14:25 6731312]
"ZoneAlarm Client"="D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-06-21 21:54 919016]
"QuickTime Task"="D:\Program Files\QuickTime\qttask.exe" [2005-11-10 15:31 155648]
"IgfxTray"="D:\WINDOWS\system32\igfxtray.exe" [2007-01-13 09:47 131072]
"HotKeysCmds"="D:\WINDOWS\system32\hkcmd.exe" [2007-01-13 09:47 163840]
"Persistence"="D:\WINDOWS\system32\igfxpers.exe" [2007-01-13 09:46 135168]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="D:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe" [2007-10-23 16:32 219136]
D:\Documents and Settings\All Users\Start Menu\Programs\Startup\
lsass.exe [2007-11-07 18:51:42 229621]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveSearch"= 1 (0x1)
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= D:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
D:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 D:\Program Files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WLogon]
srvc.dll
[HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^BlueSoleil.lnk]
path=D:\Documents and Settings\All Users\Start Menu\Programs\Startup\BlueSoleil.lnk
backup=D:\WINDOWS\pss\BlueSoleil.lnkCommon Startup
[HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
path=D:\Documents and Settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
backup=D:\WINDOWS\pss\InterVideo WinCinema Manager.lnkCommon Startup
[HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=D:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=D:\WINDOWS\pss\Microsoft Office.lnkCommon Startup
[HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^PCSuiteForNokia6600 Detect.lnk]
path=D:\Documents and Settings\All Users\Start Menu\Programs\Startup\PCSuiteForNokia6600 Detect.lnk
backup=D:\WINDOWS\pss\PCSuiteForNokia6600 Detect.lnkCommon Startup
[HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^PCSuiteForNokia6600 TS.lnk]
path=D:\Documents and Settings\All Users\Start Menu\Programs\Startup\PCSuiteForNokia6600 TS.lnk
backup=D:\WINDOWS\pss\PCSuiteForNokia6600 TS.lnkCommon Startup
[HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinIRXHelper.lnk]
path=D:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinIRXHelper.lnk
backup=D:\WINDOWS\pss\WinIRXHelper.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
--a------ 2005-05-03 18:43 69632 D:\WINDOWS\Alcmtr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\amva]
D:\WINDOWS\system32\amvo.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-03 22:56 15360 D:\WINDOWS\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DataLayer]
--a------ 2004-08-24 13:30 986624 D:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\defender]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DW4]
--a------ 2007-03-16 07:51 715888 D:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]
--------- 2005-01-07 17:07 61952 D:\WINDOWS\system32\HdAShCut.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2007-01-13 09:47 163840 D:\WINDOWS\system32\hkcmd.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
D:\Program Files\HP\HP Software Update\HPWuSchd2.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ipTray.exe]
--a------ 2004-06-11 16:04 1226752 C:\Program Files\Intel\IDU\iptray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\keyboard]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LiveMonitor]
--a------ 2004-09-23 14:19 477696 D:\Program Files\MSI\Live Update 3\LMonitor.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-08-04 01:06 1667584 D:\Program Files\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
-ra------ 2001-07-09 14:50 155648 D:\WINDOWS\system32\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\New.net Startup]
D:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\newname]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Nokia Tray Application]
--a------ 2003-12-19 11:38 425984 D:\Program Files\Common Files\Nokia\Tools\NclTray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2004-09-30 10:35 921600 D:\WINDOWS\system32\nwiz.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
--a------ 2004-08-17 16:04 148992 D:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2005-11-10 15:31 155648 D:\Program Files\QuickTime\qttask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SonicFocus]
D:\Program Files\Sonic Focus\SFIGUI\\SFIGUI.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpeedTouch USB Diagnostics]
--a------ 2003-09-05 06:59 878080 D:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SsAAD.exe]
--a------ 2005-01-24 19:58 81920 D:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-09-25 01:11 132496 D:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2007-08-25 08:35 68856 D:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Veoh]
--a------ 2007-08-24 17:37 2539520 D:\Program Files\Veoh Networks\Veoh\VeohClient.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Core Kernel Update]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Win32Kernel"=2 (0x2)
"BlueSoleil Hid Service"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)
"WINLOGON"=2 (0x2)
"usnjsvc"=3 (0x3)
"Tenable Nessus"=2 (0x2)
"SPTISRV"=3 (0x3)
"sdk"=2 (0x2)
"PACSPTISVR"=3 (0x3)
"MSCSPTISRV"=3 (0x3)
"IDriverT"=3 (0x3)
"FLEXnet Licensing Service"=2 (0x2)
"Diskeeper"=2 (0x2)
"Bonjour Service"=2 (0x2)
"aawservice"=2 (0x2)
"Pml Driver HPZ12"=2 (0x2)
"NVSvc"=2 (0x2)
"gusvc"=3 (0x3)
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"New.net Startup"=rundll32 D:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s
R0 d343bus;d343bus;D:\WINDOWS\system32\DRIVERS\d343bus.sys [2003-12-15 18:46]
R0 d343port;d343port;D:\WINDOWS\system32\DRIVERS\d343port.sys [2003-12-15 17:29]
R2 osaio;osaio;D:\WINDOWS\system32\drivers\osaio.sys [2004-06-01 15:28]
R3 N100;Compaq Ethernet or Fast Ethernet NIC Driver;D:\WINDOWS\system32\DRIVERS\n100325.sys [2001-08-17 12:11]
R3 VGAUTI;VGAUTI;D:\WINDOWS\System32\DRIVERS\VGAUTI.sys [2005-01-17 11:51]
R3 zebrceb;Sony Ericsson Cable Emulation Bus (WDM);D:\WINDOWS\system32\DRIVERS\zebrceb.sys [2006-02-01 13:01]
S3 BTNetFilter;Bluetooth Network Filter;D:\WINDOWS\system32\drivers\BTNetFilter.sys [2004-12-16 16:32]
S3 Cap7134;ASUS TV7134 WDM Video Capture;D:\WINDOWS\system32\DRIVERS\Cap7134.sys [2003-07-18 14:17]
S3 dump_wmimmc;dump_wmimmc;E:\games\softnyx\GunboundWC\GameGuard\dump_wmimmc.sys []
S3 Intels51;Intel® 536EP Modem;D:\WINDOWS\system32\DRIVERS\Intels51.sys [2003-05-22 20:44]
S3 MEMSWEEP2;MEMSWEEP2;D:\WINDOWS\system32\SophosMEMSWEEP.SYS []
S3 NPF;Netgroup Packet Filter;D:\WINDOWS\system32\drivers\packet.sys [2004-09-21 18:18]
S3 PhTVTune;ASUS WDM TV Tuner;D:\WINDOWS\system32\DRIVERS\PhTVTune.sys [2003-07-18 07:23]
S3 tap0801;TAP-Win32 Adapter V8;D:\WINDOWS\system32\DRIVERS\tap0801.sys [2006-10-01 17:37]
S3 XDva028;XDva028;D:\WINDOWS\system32\XDva028.sys []
S4 Remote Reader Machine;Remote Reader Machine;"D:\WINDOWS\system32\ssmc.exe" []
S4 sdk;Microsoft sdk core;"D:\WINDOWS\lsass.exe" []
S4 Tenable Nessus;Tenable Nessus;"D:\Program Files\Tenable\Nessus\nessusd.exe" [2007-07-27 16:01]
S4 Win32Kernel;Win32 Kernel Update;"D:\WINDOWS\win32host.exe" []
S4 Windows Idle Process;Windows Idle Process;"D:\WINDOWS\system32\smsc.exe" []
S4 WINLOGON;Windows NT Logon Application;"D:\WINDOWS\system\winlogon.exe" []
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2bb01b58-ac87-11da-9421-00508b0d65a7}]
\Shell\Auto\command - sxs.exe
\Shell\AutoRun\command - D:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL sxs.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{46aa3c8a-ed00-11db-ad4e-000e509ec26c}]
\Shell\AutoRun\command - D:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled\ctfmon.exe
\Shell\Open(0)\command - Recycled\ctfmon.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{52ee5d18-e711-11db-ad25-000e509ec26c}]
\Shell\AutoRun\command - RavMon.exe
\Shell\explore\Command - RavMon.exe -e
\Shell\open\Command - RavMon.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{658c365c-f4e5-11db-ad7a-000e509ec26c}]
\Shell\AutoRun\command - K:\h.cmd
\Shell\explore\Command - K:\h.cmd
\Shell\open\Command - K:\h.cmd
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a69ac6ce-e764-11db-ad28-000e509ec26c}]
\Shell\AutoRun\command - J:\RavMon.exe
\Shell\explore\Command - J:\RavMon.exe -e
\Shell\open\Command - J:\RavMon.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a7c58b78-158d-11db-9667-000e509ec26c}]
\Shell\AutoRun\command - G:\m1t8ta.com
\Shell\explore\Command - G:\m1t8ta.com
\Shell\open\Command - G:\m1t8ta.com
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fa87b154-0d19-11dc-ae31-000e509ec26c}]
\Shell\AutoRun\command - J:\RavMon.exe
\Shell\explore\Command - J:\RavMon.exe -e
\Shell\open\Command - J:\RavMon.exe
*Newly Created Service* - AAWSERVICE
*Newly Created Service* - SASDIFSV
*Newly Created Service* - SASENUM
*Newly Created Service* - SASKUTIL
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-03 06:58:26
Windows 5.1.2600 Service Pack 2 FAT NTAPI
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-02-03 7:00:13
ComboFix-quarantined-files.txt 2008-02-03 02:00:10
ComboFix2.txt 2007-10-19 19:18:50
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:01:20 AM, on 2/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Boot mode: Normal
Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Intel\IDU\IDUServ.exe
D:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
D:\WINDOWS\system32\PnkBstrA.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\taskswitch.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
D:\WINDOWS\SOUNDMAN.EXE
D:\WINDOWS\ALCWZRD.EXE
D:\WINDOWS\system32\igfxtray.exe
D:\WINDOWS\system32\hkcmd.exe
D:\WINDOWS\system32\igfxpers.exe
D:\WINDOWS\system32\ctfmon.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\SpeedFan\speedfan.exe
D:\Program Files\FlashGet\flashget.exe
D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
D:\Program Files\MSN Messenger\msnmsgr.exe
D:\WINDOWS\explorer.exe
D:\WINDOWS\system32\notepad.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gmail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ftp=localhost:8080;http=localhost:8080;https=localhost:8080;socks=localhost:1080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: BitComet Helper - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - D:\Program Files\BitComet\tools\BitCometBHO_1.1.8.30.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - D:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - D:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - D:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: Ask Toolbar BHO - {F4D76F01-7896-458a-890F-E1F05C46069F} - D:\Program Files\AskPBar\bar\1.bin\ASKPBAR.DLL
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - D:\PROGRA~1\FLASHGET\fgiebar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - D:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar1.dll
O3 - Toolbar: Ask Toolbar - {F4D76F09-7896-458a-890F-E1F05C46069F} - D:\Program Files\AskPBar\bar\1.bin\ASKPBAR.DLL
O4 - HKLM\..\Run: [CoolSwitch] D:\WINDOWS\System32\taskswitch.exe
O4 - HKLM\..\Run: [NVCLOCK] rundll32 nvclock.dll,fnNvclock
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [ZoneAlarm Client] "D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IgfxTray] D:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] D:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] D:\WINDOWS\system32\igfxpers.exe
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Runonce] D:\WINDOWS\smss.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: lsass.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: &D&ownload &with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: &Windows Live Search - res://D:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: &Yahoo! Search - file:///D:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Download All by FlashGet - D:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - D:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///D:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///D:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///D:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: BitComet Search - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - D:\Program Files\BitComet\tools\BitCometBHO_1.1.8.30.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - D:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\Program Files\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\Program Files\FlashGet\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: d:\windows\system32\nwprovau.dll
O12 - Plugin for .spop: D:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: www.symentec.com
O16 - DPF: Yahoo! Chess - http://download.game...nts/y/ct2_x.cab
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) -
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) -
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1193170030343
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx...owserPlugin.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zon...wn.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B69DC2AE-6054-4C62-B830-4398B1C1F8FB}: NameServer = 203.135.0.70,203.135.1.117
O17 - HKLM\System\CCS\Services\Tcpip\..\{E2B02338-6DF7-4587-A631-692DBD6DA5EB}: NameServer = 4.2.2.5,4.2.2.6
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - D:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Intel® Desktop Utilities Service (iHCService) - OSA Technologies, Inc. - C:\Program Files\Intel\IDU\IDUServ.exe
O23 - Service: PnkBstrA - Unknown owner - D:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - D:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - D:\WINDOWS\system32\ZONELABS\vsmon.exe
--
End of file - 10102 bytes