ComboFix 08-04-10.9 - SaM WaI 2008-04-11 18:09:38.1 - NTFSx86
Running from: C:\Program Files\Firefox Download\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\SaM WaI\Application Data\macromedia\Flash Player\#SharedObjects\BWWHGQRR\www.broadcaster.com
C:\Documents and Settings\SaM WaI\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\Documents and Settings\SaM WaI\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
C:\Program Files\Common Files\{3465C~1
C:\WINDOWS\system32\drivers\npf.sys
C:\WINDOWS\system32\packet.dll
C:\WINDOWS\system32\pthreadVC.dll
C:\WINDOWS\system32\unsvchosts.lzma
C:\WINDOWS\system32\wanpacket.dll
C:\WINDOWS\system32\wpcap.dll
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\NPF
((((((((((((((((((((((((( Files Created from 2008-03-11 to 2008-04-11 )))))))))))))))))))))))))))))))
.
2008-04-09 16:32 . 2008-04-10 13:54 <DIR> d-------- C:\Program Files\COMODO
2008-04-09 16:32 . 2008-04-10 13:54 <DIR> d-------- C:\Documents and Settings\SaM WaI\Application Data\Comodo
2008-04-09 16:32 . 2008-04-10 13:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\comodo
2008-04-05 15:18 . 2008-04-05 16:10 <DIR> d-------- C:\Program Files\Wolfenstein - Enemy Territory
2008-04-03 17:45 . 2008-04-03 17:45 0 -ra------ C:\logwmemory.bin
2008-04-03 17:43 . 2008-04-04 12:59 <DIR> d-------- C:\Program Files\Soldat
2008-04-03 17:43 . 2008-04-03 17:43 <DIR> d-------- C:\Documents and Settings\SaM WaI\Application Data\Soldat
2008-04-03 00:26 . 2008-04-03 00:26 41,296 --a------ C:\WINDOWS\system32\xfcodec.dll
2008-04-02 07:21 . 2008-04-08 16:01 <DIR> d-------- C:\Documents and Settings\SaM WaI\Application Data\AVG7
2008-04-02 07:21 . 2008-04-02 07:21 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-04-02 07:20 . 2008-04-02 07:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-04-02 07:20 . 2008-04-03 15:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2008-03-29 13:17 . 2008-04-01 16:40 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-29 13:16 . 2008-04-01 16:39 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-03-22 09:54 . 2008-04-01 16:28 <DIR> d-------- C:\Program Files\Call of Duty Dawnville Demo
2008-03-18 16:44 . 2007-10-30 18:20 360,064 --a------ C:\WINDOWS\system32\drivers\tcpip.sys.ORIGINAL
2008-03-18 16:44 . 2007-10-30 18:20 360,064 --a------ C:\WINDOWS\system32\dllcache\tcpip.sys.ORIGINAL
2008-03-18 16:42 . 2008-03-18 16:42 2,560 --a------ C:\WINDOWS\system32\bitcometres.dll
2008-03-18 16:17 . 2008-03-18 16:17 <DIR> d-------- C:\Program Files\Trend Micro
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-11 17:05 --------- d-----w C:\Program Files\Firefox Download
2008-04-11 07:49 --------- d-----w C:\Program Files\Xfire
2008-04-10 20:08 --------- d-----w C:\Documents and Settings\SaM WaI\Application Data\Xfire
2008-04-01 15:41 --------- d-----w C:\Program Files\ESET
2008-03-18 15:44 360,064 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-03-18 15:42 --------- d-----w C:\Program Files\BitComet
2008-03-18 15:36 --------- d-----w C:\Program Files\Gpotato
2008-03-10 19:28 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-09 17:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\PC Drivers HeadQuarters
2008-03-08 17:03 --------- d-----w C:\Documents and Settings\SaM WaI\Application Data\teamspeak2
2008-02-28 18:29 --------- d-----w C:\Program Files\Windows Live
2008-02-26 12:33 --------- d-----w C:\Program Files\Microsoft SQL Server Compact Edition
2008-02-26 12:20 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2008-02-26 12:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-02-23 17:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-23 17:47 691,545 ----a-w C:\WINDOWS\unins000.exe
2008-02-21 17:39 --------- d-----w C:\Program Files\Teamspeak2_RC2
2008-02-20 21:46 --------- d-----w C:\Program Files\Sony
2008-02-06 20:32 43,040 ----a-w C:\Documents and Settings\SaM WaI\Application Data\GDIPFONTCACHEV1.DAT
2007-11-27 10:05 22,328 ----a-w C:\Documents and Settings\SaM WaI\Application Data\PnkBstrK.sys
2007-11-05 20:53 23,582,974 ----a-w C:\WINDOWS\Internet Logs\vsmon_on_demand_2007_11_03_10_33_10_full.dmp.zip
2007-05-04 16:24 105,860 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2007_04_23_16_43_14_small.dmp.zip
2005-10-25 12:20 56 --sh--r C:\WINDOWS\system32\093E353CB6.sys
2007-10-06 16:21 11,480 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
2007-11-04 00:02 3,868,960 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2007-11-04 00:02 222,240 --sha-w C:\WINDOWS\system32\drivers\fidbox2.dat
.
------- Sigcheck -------
2006-04-20 13:18 360576 b2220c618b42a2212a59d91ebd6fc4b4 C:\WINDOWS\$hf_mig$\KB917953\SP2QFE\tcpip.sys
2007-10-30 17:53 360832 64798ecfa43d78c7178375fcdd16d8c8 C:\WINDOWS\$hf_mig$\KB941644\SP2QFE\tcpip.sys
2004-08-04 09:00 359040 9f4b36614a0fc234525ba224957de55c C:\WINDOWS\$NtUninstallKB917953$\tcpip.sys
2006-04-20 12:51 359808 1dbf125862891817f374f407626967f4 C:\WINDOWS\$NtUninstallKB941644$\tcpip.sys
2008-03-18 16:44 360064 8283a4d489b207991efdc8328733d0bc C:\WINDOWS\system32\dllcache\tcpip.sys
2008-03-18 16:44 360064 8283a4d489b207991efdc8328733d0bc C:\WINDOWS\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 09:00 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-04-02 07:20 579072]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-04-02 07:20 219136]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AOL 9.0 Tray Icon.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AOL 9.0 Tray Icon.lnk
backup=C:\WINDOWS\pss\AOL 9.0 Tray Icon.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\%FP%Friendly fts.exe]
--a------ 2003-05-06 10:28 72192 C:\Program Files\VoyagerTest\fts.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Spyware Protection]
--a------ 2004-10-18 16:42 79448 C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
--a------ 2004-11-10 00:22 497240 C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ares]
--a------ 2007-04-12 00:50 947200 C:\Documents and Settings\SaM WaI\Desktop\Ares.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent]
--a------ 2004-08-04 09:00 110592 C:\WINDOWS\system32\bthprops.cpl
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Boots Insert Detect]
C:\Program Files\Boots F2CD\Picture Suite\InsDetect.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DSLAGENTEXE]
--------- 2003-08-19 13:47 16384 C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DSLSTATEXE]
--------- 2003-06-28 16:10 1658965 C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IDMan]
--a------ 2007-11-01 16:46 2553264 C:\Program Files\Internet Download Manager\IDMan.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2004-04-21 11:28 286720 C:\Program Files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MAAgent]
C:\Program Files\MarkAny\ContentSafer\MAAgent.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Picasa Media Detector]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMSTray]
C:\Program Files\Samsung\Samsung Media Studio 5\SMSTray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
--a------ 2003-08-19 01:01 110592 C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPodService"=3 (0x3)
"helpsvc"=2 (0x2)
"BthServ"=2 (0x2)
"AresChatServer"=3 (0x3)
"AOLService"=2 (0x2)
"AOL ACS"=2 (0x2)
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Xfire\\xfire.exe"=
"C:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\AOLSP Scheduler.exe"=
"C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\asp.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLAcsd.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"C:\\Program Files\\AOL 9.0\\waol.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\WINDOWS\\system32\\rundll32.exe"=
"C:\\Documents and Settings\\SaM WaI\\Desktop\\Ares.exe"=
"C:\\Program Files\\Sierra\\Empire Earth II\\EE2.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\WINDOWS\\system32\\PnkBstrA.exe"=
"C:\\WINDOWS\\system32\\PnkBstrB.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26846:TCP"= 26846:TCP:BitComet 26846 TCP
"26846:UDP"= 26846:UDP:BitComet 26846 UDP
R3 PPPoEWin;PPPoEWin Miniport;C:\WINDOWS\system32\DRIVERS\PPPoEWin.SYS [2003-09-25 17:52]
S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;C:\PROGRA~1\Belkin\BELKIN~1.11G\DNINDIS5.SYS [2003-07-24 13:10]
S3 lanusb;GlobeSpan USB ADSL LAN Modem;C:\WINDOWS\system32\DRIVERS\glausb.sys [2003-08-15 13:56]
S3 MEMSWEEP2;MEMSWEEP2;C:\WINDOWS\system32\A4.tmp []
S3 PsSdk30;PsSdk30;C:\WINDOWS\system32\Drivers\PsSdk30.drv []
S3 XDva028;XDva028;C:\WINDOWS\system32\XDva028.sys []
.
Contents of the 'Scheduled Tasks' folder
"2007-10-23 18:17:51 C:\WINDOWS\Tasks\Uniblue SpyEraser.job"
- C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe
.
**************************************************************************
catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-11 18:21:08
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\C:\WINDOWS\system32\A4.tmp"
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PsSdk30]
"ImagePath"="\??\C:\WINDOWS\system32\Drivers\PsSdk30.drv"
.
------------------------ Other Running Processes ------------------------
.
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
.
**************************************************************************
.
Completion time: 2008-04-11 18:26:29 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-11 17:26:17
Pre-Run: 3,739,693,056 bytes free
Post-Run: 3,735,310,336 bytes free
.
2008-02-13 07:27:54 --- E O F ---
HIJACKTHIS:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:38:02, on 11/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Belkin\Belkin 802.11g Wireless Card Configuration Utility\Belkinwcui.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Xfire\xfire.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.2.1.2.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.1.2.dll/206 (file missing)
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative....031/CTSUEng.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative....15034/CTPID.cab
O20 - AppInit_DLLs:
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
--
End of file - 3364 bytes