ComboFix 08-06-20.4 - Stylix 2008-06-25 16:31:01.3 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.75 [GMT 4.5:30]
Running from: C:\Documents and Settings\Stylix\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Stylix\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Documents and Settings\Stylix\Application Data\ShoppingReport
C:\Documents and Settings\Stylix\Application Data\ShoppingReport\cs\Config.xml
C:\Documents and Settings\Stylix\Application Data\ShoppingReport\cs\db\Aliases.dbs
C:\Documents and Settings\Stylix\Application Data\ShoppingReport\cs\db\Sites.dbs
C:\Documents and Settings\Stylix\Application Data\ShoppingReport\cs\dwld\WhiteList.xip
C:\Documents and Settings\Stylix\Application Data\ShoppingReport\cs\report\aggr_storage.xml
C:\Documents and Settings\Stylix\Application Data\ShoppingReport\cs\report\send_storage.xml
C:\Documents and Settings\Stylix\Application Data\ShoppingReport\cs\res2\WhiteList.dbs
C:\Program Files\ShoppingReport
C:\Program Files\ShoppingReport\Uninst.exe
.
((((((((((((((((((((((((( Files Created from 2008-05-25 to 2008-06-25 )))))))))))))))))))))))))))))))
.
2008-06-25 16:03 . 2008-06-25 16:03 <DIR> d-------- C:\logs
2008-06-25 09:52 . 2008-06-25 09:52 <DIR> d-------- C:\Documents and Settings\Stylix\Application Data\DNA
2008-06-25 07:23 . 2008-06-25 07:23 <DIR> d--hs---- C:\FOUND.002
2008-06-25 01:29 . 2008-06-25 01:29 <DIR> d-------- C:\WINDOWS\system32\GroupPolicy
2008-06-24 00:13 . 2008-06-24 00:13 <DIR> d-------- C:\Program Files\uTorrent
2008-06-23 23:47 . 2008-06-23 23:47 <DIR> d-------- C:\Program Files\DNA
2008-06-23 23:26 . 2008-06-23 23:26 <DIR> d-------- C:\Documents and Settings\Stylix\Application Data\uTorrent
2008-06-23 21:21 . 2008-06-23 21:21 <DIR> d-------- C:\Documents and Settings\Stylix\Application Data\vlc
2008-06-23 17:19 . 2008-06-23 17:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Launcher
2008-06-23 11:21 . 2008-06-23 11:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Graboid Inc
2008-06-23 11:19 . 2008-06-23 11:19 <DIR> d-------- C:\Documents and Settings\Stylix\Application Data\MozillaControl
2008-06-23 11:18 . 2008-06-23 11:18 <DIR> d-------- C:\Program Files\VideoLAN
2008-06-23 11:18 . 2008-06-23 11:18 <DIR> d-------- C:\Program Files\Mozilla ActiveX Control v1.7.12
2008-06-23 11:18 . 2008-06-23 11:18 <DIR> d-------- C:\Program Files\Graboid
2008-06-22 21:56 . 2003-07-16 12:14 31,744 --a------ C:\WINDOWS\system32\E_DCINST.DLL
2008-06-22 21:55 . 2003-05-29 00:01 91,648 --a------ C:\WINDOWS\system32\E_SAGSET.DLL
2008-06-22 21:55 . 2003-12-10 00:13 76,054 --a------ C:\WINDOWS\system32\EBPMON24.DLL
2008-06-22 21:55 . 2003-05-21 01:27 64,000 --a------ C:\WINDOWS\system32\ECBTEG.DLL
2008-06-22 21:55 . 2000-06-07 00:01 34,304 --a------ C:\WINDOWS\system32\EBPCHP.DLL
2008-06-22 21:28 . 2001-09-04 01:04 182 --a------ C:\WINDOWS\system32\EBPPORT4.DAT
2008-06-22 21:26 . 2008-06-22 21:26 <DIR> d-------- C:\Program Files\EPSON
2008-06-22 21:06 . 2008-06-22 21:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PC Drivers HeadQuarters
2008-06-22 19:14 . 2008-06-22 19:14 91,373 --a------ C:\WINDOWS\EPSTPLOG.BAK
2008-06-22 19:01 . 2004-08-03 23:01 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2008-06-21 14:59 . 2008-06-21 14:59 <DIR> d-------- C:\Program Files\Common Files\Real
2008-06-19 22:34 . 2008-06-19 22:34 <DIR> d--hs---- C:\FOUND.001
2008-06-18 21:23 . 2008-06-18 21:23 0 --a------ C:\WINDOWS\nsreg.dat
2008-06-18 17:52 . 2006-09-06 17:43 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2008-06-18 17:51 . 2008-06-18 17:51 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-06-18 17:30 . 2008-04-23 08:05 6,068,224 --------- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-06-18 17:30 . 2007-04-17 14:02 2,455,488 --------- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-06-18 17:30 . 2007-03-08 09:40 991,232 --------- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-06-18 17:30 . 2008-04-23 08:05 459,264 --------- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-06-18 17:30 . 2008-04-23 08:05 383,488 --------- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-06-18 17:30 . 2008-04-23 08:05 267,776 --------- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-06-18 17:30 . 2008-04-23 08:05 63,488 --------- C:\WINDOWS\system32\dllcache\icardie.dll
2008-06-18 17:30 . 2008-04-23 08:05 52,224 --------- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-06-18 17:30 . 2008-04-22 12:32 13,824 --------- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-06-18 16:34 . 2008-06-18 16:34 <DIR> d-------- C:\Documents and Settings\Stylix\Incomplete
2008-06-18 16:33 . 2008-06-18 16:33 <DIR> d-------- C:\Program Files\LimeWireTurbo
2008-06-18 16:33 . 2008-06-18 16:33 <DIR> d-------- C:\Documents and Settings\Stylix\Application Data\LimeWireTurbo
2008-06-17 11:09 . 2008-06-17 11:09 <DIR> d--h----- C:\WINDOWS\PIF
2008-06-17 10:58 . 2008-06-17 10:58 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-06-17 10:58 . 1999-02-16 20:49 368,912 --a------ C:\WINDOWS\system32\vbar332.dll
2008-06-17 10:58 . 2004-07-14 15:26 152,848 --a------ C:\WINDOWS\system32\COMDLG32.OCX
2008-06-17 10:58 . 2005-02-04 10:21 40,960 --a------ C:\WINDOWS\system32\FxHorizBtn.ocx
2008-06-17 10:58 . 2003-03-06 10:43 36,864 --a------ C:\WINDOWS\system32\FxPanel.ocx
2008-06-17 10:58 . 2000-06-13 00:00 2,493 --a------ C:\WINDOWS\system32\COMCTL32.DEP
2008-06-16 14:37 . 2008-06-16 14:37 <DIR> d-------- C:\Program Files\Chikka Messenger
2008-06-16 14:37 . 2008-06-16 14:37 <DIR> d-------- C:\Documents and Settings\Stylix\ChikkaDefault
2008-06-14 10:26 . 2008-06-14 10:26 <DIR> d-------- C:\WINDOWS\Replay Media Catcher
2008-06-14 10:26 . 2008-06-14 10:26 <DIR> d-------- C:\Program Files\Replay Media Catcher
2008-06-14 09:39 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-06-14 09:38 . 2008-06-14 09:38 <DIR> d-------- C:\Program Files\Java
2008-06-14 09:32 . 2008-06-14 09:32 <DIR> d-------- C:\Program Files\Common Files\Java
2008-06-14 09:28 . 2008-06-14 09:28 <DIR> d-------- C:\Documents and Settings\Stylix\.limewire
2008-06-14 07:17 . 2008-06-14 07:17 <DIR> d-------- C:\Documents and Settings\Stylix\Application Data\Yahoo!
2008-06-14 07:08 . 2008-06-14 07:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-06-14 07:05 . 2008-06-14 07:05 <DIR> d-------- C:\Program Files\Yahoo!
2008-06-05 14:48 . 2008-06-18 20:50 69 --a------ C:\WINDOWS\NeroDigital.ini
2008-06-02 02:58 . 2008-06-02 02:58 <DIR> d-------- C:\Documents and Settings\Stylix\Application Data\CyberLink
2008-06-02 02:58 . 2008-06-02 02:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\CyberLink
2008-05-30 15:14 . 2008-05-30 15:14 <DIR> d--hs---- C:\FOUND.000
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-21 10:29 348,160 ----a-w C:\WINDOWS\system32\msvcr71.dll
2008-05-24 05:22 --------- d-----w C:\Program Files\CyberLink
2008-05-24 05:19 --------- d-----w C:\Documents and Settings\Stylix\Application Data\Ahead
2008-05-24 05:15 --------- d-----w C:\Program Files\Nero
2008-05-24 05:15 --------- d-----w C:\Program Files\Common Files\Ahead
2008-05-24 05:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\Nero
2008-04-22 08:02 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2008-04-22 08:02 625,664 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
2008-04-20 05:07 161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll
.
------- Sigcheck -------
2008-01-22 01:08 360704 a11391be25035570ae4b8970920f2c74 C:\WINDOWS\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{100EB1FD-D03E-47FD-81F3-EE91287F9465}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 22:56 15360]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" [2007-08-30 17:43 4670704]
"BitTorrent DNA"="C:\Program Files\DNA\btdna.exe" [2008-06-23 23:47 289088]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"egui"="C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-02-06 16:08 1443072]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 15:40 155648]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2006-11-23 15:10 56928]
"LanguageShortcut"="C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" [2006-12-05 22:55 54832]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"EPSON Stylus C45 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3T1.EXE" [2004-01-14 02:00 99840]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_3"="advpack.dll" [2008-04-23 08:05 124928 C:\WINDOWS\system32\advpack.dll]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableStatusMessages"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoDesktopCleanupWizard"= 1 (0x1)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoResolveSearch"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
"EditLevel"= 0 (0x0)
"NoCommonGroups"= 0 (0x0)
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoResolveSearch"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
[HKLM\~\startupfolder\C:^Documents and Settings^Stylix^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=C:\Documents and Settings\Stylix\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup
[HKLM\~\startupfolder\C:^Documents and Settings^Stylix^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=C:\Documents and Settings\Stylix\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=C:\WINDOWS\pss\LimeWire On Startup.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
--a------ 2006-10-27 00:47 31016 C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kava]
C:\WINDOWS\system32\kavo.exe
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\groove.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Java\\jre1.6.0_05\\BIN\\javaw.exe"=
"C:\\Program Files\\DNA\\btdna.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"13352:TCP"= 13352:TCP:BitComet 13352 TCP
"13352:UDP"= 13352:UDP:BitComet 13352 UDP
R1 epfwtdir;epfwtdir;C:\WINDOWS\system32\DRIVERS\epfwtdir.sys [2008-02-06 16:09]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{52985fc2-0034-11dd-8c81-00012e0d10cd}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL nircmd.exe execmd CALL batexe\progstart.bat
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{730182dc-0255-11dd-8ee9-806d6172696f}]
\Shell\AutoRun\command - F:\uuhgt.bat
\Shell\explore\Command - F:\uuhgt.bat
\Shell\open\Command - F:\uuhgt.bat
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e42c78a4-0133-11dd-9378-00012e0d10cd}]
\Shell\Auto\command - transmit.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL transmit.exe
\Shell\explore\command - transmit.exe
\Shell\open\command - transmit.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e42c78a5-0133-11dd-9378-00012e0d10cd}]
\Shell\Auto\command - F:\transmit.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL transmit.exe
\Shell\explore\command - F:\transmit.exe
\Shell\open\command - F:\transmit.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e611a0aa-0254-11dd-937d-00012e0d10cd}]
\Shell\Auto\command - F:\transmit.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL transmit.exe
\Shell\explore\command - F:\transmit.exe
\Shell\open\command - F:\transmit.exe
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-25 16:32:07
Windows 5.1.2600 Service Pack 2 FAT NTAPI
scanning hidden processes ...
C:\WINDOWS\EXPLORER.EXE [1624] 0xFFB11730
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-06-25 16:32:28
ComboFix-quarantined-files.txt 2008-06-25 12:02:28
Pre-Run: 11,865,669,632 bytes free
Post-Run: 11,838,046,208 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons