ComboFix 08-10-04.02 - abcd 10/05/2008 0:30:47.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1256.1.1025.18.584 [GMT 3:00]
Running from: C:\Documents and Settings\abcd\??? ??????\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\agsaame.dll
C:\WINDOWS\system32\ALOAudioFile2.dll
C:\WINDOWS\system32\ALOAVIFile.dll
C:\WINDOWS\system32\ALOQuickTimeFile.dll
C:\WINDOWS\system32\ALOVideoCoreM.dll
C:\WINDOWS\system32\ALOWMAFile2.dll
C:\WINDOWS\system32\kakle.dll
C:\WINDOWS\system32\winitn.dll
.
((((((((((((((((((((((((( Files Created from 2008-09-04 to 2008-10-04 )))))))))))))))))))))))))))))))
.
No new files created in this timespan
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-04 21:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-10-04 21:33 679,968 --sha-w C:\WINDOWS\system32\drivers\fidbox2.dat
2008-10-04 21:33 6,548 --sha-w C:\WINDOWS\system32\drivers\fidbox2.idx
2008-10-04 21:33 23,152 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2008-10-04 21:33 2,422,816 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2008-09-23 23:14 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-09-23 12:47 --------- d-----w C:\Program Files\GordianKnot
2008-09-23 12:47 --------- d-----w C:\Program Files\Gabest
2008-09-23 12:44 --------- d-----w C:\Program Files\DivXCodec
2008-09-23 11:49 --------- d-----w C:\Program Files\Google
2008-09-23 00:08 --------- d-----w C:\Program Files\Nokia
2008-09-23 00:08 --------- d-----w C:\Program Files\Common Files\PCSuite
2008-09-23 00:08 --------- d-----w C:\Program Files\Common Files\Nokia
2008-09-19 21:51 --------- d-----w C:\Documents and Settings\abcd\Application Data\PC Suite
2008-09-17 14:32 64,801 ----a-w C:\WINDOWS\BricoPackUninst.cmd
2008-09-17 14:32 6,104 ----a-w C:\WINDOWS\BricoPackFoldersDelete.cmd
2008-09-17 11:24 --------- d-----w C:\Documents and Settings\All Users\Application Data\Memo Drive Vc Log
2008-09-17 11:19 --------- d-----w C:\Program Files\Circle Developement
2008-09-17 11:16 --------- d-----w C:\Documents and Settings\abcd\Application Data\beepbaitwindow
2008-09-14 10:36 --------- d-----w C:\Program Files\Messenger Plus! Live
2008-09-12 10:52 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-09-12 10:48 --------- d-----w C:\Program Files\MSXML 4.0
2008-09-12 10:48 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-09-01 13:23 --------- d-----w C:\Documents and Settings\abcd\Application Data\Nero
2008-09-01 13:20 --------- d-----w C:\Program Files\Common Files\Nero
2008-09-01 13:19 --------- d-----w C:\Program Files\Nero
2008-09-01 13:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\Nero
2008-09-01 13:05 --------- d-----w C:\Program Files\AskTBar
2008-09-01 09:34 --------- d-----w C:\Documents and Settings\abcd\Application Data\MakeUpPilot
2008-08-21 18:30 --------- d-----w C:\Program Files\PC Connectivity Solution
2008-08-21 18:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\Installations
2008-08-15 08:31 --------- d-----w C:\Program Files\Ozone
2008-08-14 20:06 --------- d-----w C:\Program Files\Sketch Master
2008-08-13 09:29 --------- d-----w C:\Program Files\VerbAce
2008-08-06 22:31 --------- d-----w C:\Documents and Settings\abcd\Application Data\Ahead
2008-08-06 16:35 96,976 ----a-w C:\WINDOWS\system32\drivers\klin.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{0A94B116-4504-4e26-AB05-E61E474AA38B}"= "C:\Program Files\AskPBar\SrchAstt\1.bin\A9SRCHAS.DLL" [07/02/2008 01:11 AM 61440]
"{9CB65206-89C4-402c-BA80-02D8C59F9B1D}"= "C:\Program Files\AskTBar\SrchAstt\1.bin\A5SRCHAS.DLL" [09/01/2008 04:05 PM 57344]
[HKEY_CLASSES_ROOT\clsid\{0a94b116-4504-4e26-ab05-e61e474aa38b}]
[HKEY_CLASSES_ROOT\clsid\{9cb65206-89c4-402c-ba80-02d8c59f9b1d}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" [07/17/2008 03:36 PM 5724184]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 12:56 AM 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [10/13/2004 07:24 PM 1694208]
"Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 7\PCSync2.exe" [06/17/2008 04:00 PM 1249280]
"PC Suite Tray"="C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe" [08/11/2008 08:31 AM 1124352]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpWirelessAssistant"="C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [05/11/2007 01:21 PM 472632]
"PTHOSTTR"="C:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.EXE" [01/09/2007 03:52 PM 145184]
"Broadcom Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY.exe" [04/20/2008 10:36 PM 1499136]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [10/27/2006 12:47 AM 31016]
"HP Software Update"="C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe" [05/08/2007 04:24 PM 54840]
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [06/08/2008 09:31 AM 2221352]
"WatchDog"="C:\Program Files\InterVideo\DVD Check\DVDCheck.exe" [05/23/2007 11:00 AM 192512]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe" [04/25/2008 06:21 PM 201992]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [08/04/2004 12:56 AM 15360]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.divxa32"= DivXa32.acm
"VIDC.HFYU"= huffyuv.dll
"vidc.DIV3"= DivXc32.dll
"vidc.DIV4"= DivXc32f.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Documents and Settings\\All Users\\Application Data\\Kaspersky Lab Setup Files\\Kaspersky Internet Security 2009\\english\\setup.exe"=
"C:\\Program Files\\Paltalk Messenger\\paltalk.exe"=
"C:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"443:TCP"= 443:TCP:oVoo TCP port 443
"443:UDP"= 443:UDP:oVoo UDP port 443
"37674:TCP"= 37674:TCP:oVoo TCP port 37674
"37674:UDP"= 37674:UDP:oVoo UDP port 37674
"37675:UDP"= 37675:UDP:oVoo UDP port 37675
R0 klbg;Kaspersky Lab Boot Guard Driver;C:\WINDOWS\system32\drivers\klbg.sys [01/29/2008 06:29 PM 32784]
R3 KLFLTDEV;Kaspersky Lab KLFltDev;C:\WINDOWS\system32\DRIVERS\klfltdev.sys [03/13/2008 07:02 PM 26640]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [03/25/2008 08:07 PM 24592]
R3 tapvpn;TAP VPN Adapter;C:\WINDOWS\system32\DRIVERS\tapvpn.sys [12/16/2006 11:37 PM 27136]
S3 Com4QLBEx;Com4QLBEx;C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [02/07/2008 10:23 AM 193840]
S3 PAC207;VideoCAM GE111;C:\WINDOWS\system32\DRIVERS\pfc027.sys [04/08/2005 10:46 AM 162176]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0621e8e4-644f-11dd-ada4-001a73acc4dd}]
\Shell\AutoRun\command - krg62.cmd
\Shell\explore\Command - krg62.cmd
\Shell\open\Command - krg62.cmd
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0621e8e5-644f-11dd-ada4-001a73acc4dd}]
\Shell\AutoRun\command - krg62.cmd
\Shell\explore\Command - krg62.cmd
\Shell\open\Command - krg62.cmd
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"C:\Program Files\Common Files\LightScribe\LSRunOnce.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{B6FCE1BB-E534-292B-0083-A53D15BBB8BA}]
C:\DOCUME~1\abcd\LOCALS~1\Temp\Rar$EX00.172\crack Microsoft Office 2007.exe
.
Contents of the 'Scheduled Tasks' folder
2008-10-04 C:\WINDOWS\Tasks\AE61A599918A5EF1.job
- c:\docume~1\abcd\applic~1\beepba~1\Face byte rule.exe []
.
- - - - ORPHANS REMOVED - - - -
HKLM-Run-BearShare - C:\Program Files\BearShare\BearShare.exe
Notify-WgaLogon - (no file)
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.google.com/
R0 -: HKCU-Main,SearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
R0 -: HKLM-Main,Start Page = about:blank
O8 -: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ie_banner_deny.htm
O8 -: Save Flash with Flash Catcher - C:\Program Files\Common Files\justDo\IECatcher.DLL/FlashCatcher.htm
O8 -: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 -: ت&صدير إلى Microsoft Excel - C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 -: {90BAE0EF-F4BF-4FAC-B2EC-2C725C34AF12} - res://C:\Program Files\Common Files\justDo\IECatcher.DLL/FlashCatcher.htm
O9 -: {90BAE0EF-F4BF-4FAC-B2EC-2C725C34AF12} - res://C:\Program Files\Common Files\justDo\IECatcher.DLL/FlashCatcher.htm -
O16 -: Microsoft XML Parser for Java -
C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd
O16 -: {3C8E8DD8-D86A-4E6D-AF37-AB3CA7FDF8CD} - hxxp://75.126.0.69/imscp/talkc38.cab
C:\WINDOWS\Downloaded Program Files\talkc38.inf
C:\WINDOWS\Downloaded Program Files\IMSConf38.dll
O16 -: {6924091F-CD97-41E1-B1D4-D9079409D413} - hxxp://75.126.0.69/imscp/talka.cab
C:\WINDOWS\Downloaded Program Files\talk.inf
C:\WINDOWS\system32\msvcrt.dll
C:\WINDOWS\system32\mfc42.dll
C:\WINDOWS\system32\olepro32.dll
C:\WINDOWS\Downloaded Program Files\imcv1.dll
C:\WINDOWS\Downloaded Program Files\IMSInfo.dll
O16 -: {8C159DFD-DC9C-4077-B3B6-114A8D64B6D2} - hxxp://ksa1.emkanat.com:1999/cp/files/talk3.cab
C:\WINDOWS\Downloaded Program Files\talk.inf
C:\Program Files\LtUcx\1003\c0.dll
C:\WINDOWS\system32\msvcrt.dll
C:\WINDOWS\system32\mfc42.dll
C:\WINDOWS\system32\olepro32.dll
C:\WINDOWS\Downloaded Program Files\Authenticatedll.dll
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
Rootkit scan 2008-10-05 00:37:10
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
SystemRoot\System32\smss.exe [1844]
??\C:\WINDOWS\system32\csrss.exe [1892]
??\C:\WINDOWS\system32\winlogon.exe [1916]
C:\WINDOWS\system32\services.exe [1960]
C:\WINDOWS\system32\lsass.exe [1972]
C:\WINDOWS\system32\svchost.exe [260]
C:\WINDOWS\system32\svchost.exe [320]
C:\WINDOWS\System32\svchost.exe [360]
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe [384]
C:\WINDOWS\system32\svchost.exe [416]
C:\WINDOWS\system32\svchost.exe [760]
C:\WINDOWS\System32\WLTRYSVC.EXE [1092]
C:\WINDOWS\System32\bcmwltry.exe [1104]
C:\WINDOWS\system32\spoolsv.exe [1152]
C:\WINDOWS\system32\agrsmsvc.exe [1268]
C:\Program Files\Norton GoBack\GBPoll.exe [1320]
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe [1352]
C:\Program Files\Common Files\LightScribe\LSSrvc.exe [1380]
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe [1412]
C:\WINDOWS\system32\IoctlSvc.exe [1716]
C:\WINDOWS\System32\PAStiSvc.exe [1976]
C:\WINDOWS\system32\svchost.exe [508]
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe [588]
C:\WINDOWS\Explorer.EXE [880]
C:\WINDOWS\System32\alg.exe [1780]
C:\WINDOWS\system32\wscntfy.exe [2076]
C:\WINDOWS\system32\CF24137.exe [2852]
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe [3968]
C:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.EXE [4040]
C:\WINDOWS\system32\wbem\wmiprvse.exe [232]
C:\WINDOWS\system32\WLTRAY.exe [856]
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe [1488]
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe [1544]
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe [2140]
C:\WINDOWS\system32\ctfmon.exe [1040]
C:\Program Files\Messenger\msmsgs.exe [1024]
C:\Program Files\Nokia\Nokia PC Suite 7\PCSync2.exe [1484]
C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe [1004]
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [2996]
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE [3552]
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe [3648]
C:\Program Files\Norton GoBack\GBTray.exe [968]
C:\Program Files\PC Connectivity Solution\Transports\NclBCBTSrv.exe [2364]
C:\Program Files\Common Files\Nokia\MPAPI\MPAPI3s.exe [2536]
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe [2584]
C:\Program Files\internet explorer\iexplore.exe [3376]
C:\WINDOWS\system32\wuauclt.exe [980]
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe [2160]
C:\WINDOWS\system32\wbem\wmiprvse.exe [1444]
C:\ComboFix\catchme.cfexe [2384]
.
**************************************************************************
.
Completion time: 10/05/2008 0:41:30 - machine was rebooted
ComboFix-quarantined-files.txt 2008-10-04 21:41:16
Pre-Run: 57,858,691,072 bytes free
Post-Run: 58,717,908,992 bytes free
238 --- E O F --- 2008-09-12 10:52:50