Virtumonde Removal



White_Insane
2008-04-16, 11:54
Hi all, I just need a little bit of help, since I don't know what I should correctly put in the CFScript.txt file from my log created by combofix.exe.

LOG:

ComboFix 08-04-15.1 - White_Insane 2008-04-16 11:26:18.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1250.1.1033.18.1670 [GMT 2:00]
Running from: C:\Documents and Settings\White_Insane\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\windows\pskt.ini
C:\windows\system32\cphgybur.dll
C:\windows\system32\fccaBQKB.dll
C:\windows\system32\khfDuTnk.dll
C:\WINDOWS\system32\knTuDfhk.ini
C:\WINDOWS\system32\knTuDfhk.ini2
C:\WINDOWS\system32\rubyghpc.ini
C:\windows\system32\tgippexe.dll

.
((((((((((((((((((((((((( Files Created from 2008-03-16 to 2008-04-16 )))))))))))))))))))))))))))))))
.

2008-04-14 04:26 . 2008-04-16 11:06 101,100 --a------ C:\WINDOWS\BM8769d605.xml
2008-04-13 16:09 . 2008-04-13 16:09 <DIR> d-------- C:\Program Files\TGTSoft
2008-04-08 15:52 . 2008-04-08 16:01 <DIR> d-------- C:\Miranda IM
2008-04-07 17:02 . 2004-08-04 00:56 159,232 --a------ C:\WINDOWS\system32\ptpusd.dll
2008-04-07 17:02 . 2004-08-03 22:58 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2008-04-07 17:02 . 2001-08-17 22:36 5,632 --a------ C:\WINDOWS\system32\ptpusb.dll
2008-04-06 17:15 . 2008-04-07 10:57 <DIR> d-------- C:\Documents and Settings\White_Insane\Application Data\WorldShift Open Beta
2008-03-31 13:53 . 2008-03-31 13:53 <DIR> d-------- C:\Documents and Settings\White_Insane\Application Data\Sierra Entertainment
2008-03-31 13:49 . 2008-03-31 13:49 <DIR> d-------- C:\WINDOWS\85EBB28365AF4C539EBE7C0A232762F7.TMP
2008-03-25 14:20 . 2008-03-25 14:20 <DIR> d-------- C:\Documents and Settings\White_Insane\Application Data\cYo

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-16 09:22 41,533,216 --sha-w C:\windows\system32\drivers\fidbox.dat
2008-04-16 09:11 --------- d-----w C:\Documents and Settings\White_Insane\Application Data\uTorrent
2008-04-16 00:20 98,816 ----a-w C:\windows\Internet Logs\xDB1B.tmp
2008-04-16 00:20 569,828 --sha-w C:\windows\system32\drivers\fidbox.idx
2008-04-16 00:20 206,204 --sha-w C:\windows\system32\drivers\fidbox2.idx
2008-04-16 00:20 2,091,808 --sha-w C:\windows\system32\drivers\fidbox2.dat
2008-04-16 00:11 51,200 ----a-w C:\windows\Internet Logs\xDB1A.tmp
2008-04-15 23:57 187,904 ----a-w C:\windows\Internet Logs\xDB19.tmp
2008-04-15 23:33 4,419,072 ----a-w C:\windows\Internet Logs\xDB18.tmp
2008-04-15 23:33 2,904,576 ----a-w C:\windows\Internet Logs\xDB17.tmp
2008-04-15 22:33 --------- d-----w C:\Program Files\Mozilla Thunderbird
2008-04-15 22:24 512 ----a-w C:\ScanSectorLog.dat
2008-04-13 23:23 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-31 11:49 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-03-30 14:11 --------- d-----w C:\Program Files\Common Files\Adobe
2008-03-29 13:34 --------- d-----w C:\Documents and Settings\White_Insane\Application Data\FileZilla
2008-03-27 13:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2008-03-22 00:36 --------- d-----w C:\Documents and Settings\White_Insane\Application Data\Skype
2008-03-11 23:55 --------- d-----w C:\Documents and Settings\White_Insane\Application Data\Vso
2008-03-06 10:14 17,675,032 ----a-w C:\windows\Internet Logs\vsmon_on_demand_2008_01_08_19_39_02_full.dmp.zip
2008-02-18 00:32 --------- d-----w C:\Documents and Settings\White_Insane\Application Data\GetRightToGo
2008-01-08 18:38 1,076,736 ----a-w C:\windows\Internet Logs\xDBA14.tmp
2007-10-24 19:02 4,371,968 ----a-w C:\windows\Internet Logs\xDBF69.tmp
2007-10-24 12:44 4,305,243 ----a-w C:\windows\Internet Logs\vsmon_on_demand_2007_10_24_11_13_52_full.dmp.zip
2007-10-24 09:13 4,358,144 ----a-w C:\windows\Internet Logs\xDB23.tmp
2007-09-17 19:30 2,707,456 ----a-w C:\windows\Internet Logs\xDB16.tmp
2007-09-08 12:45 2,839,552 ----a-w C:\windows\Internet Logs\xDB15.tmp
2007-08-03 23:15 429,056 ----a-w C:\windows\Internet Logs\xDB3C.tmp
2007-07-27 12:07 141,824 ----a-w C:\windows\Internet Logs\xDB277.tmp
2007-07-24 17:22 124,928 ----a-w C:\windows\Internet Logs\xDB85.tmp
2007-07-23 07:50 94,720 ----a-w C:\windows\Internet Logs\xDB580.tmp
2007-07-23 07:50 9,216 ----a-w C:\windows\Internet Logs\xDB14.tmp
2007-07-22 09:06 2,518,016 ----a-w C:\windows\Internet Logs\xDB252.tmp
2007-06-27 12:07 3,845,120 ----a-w C:\windows\Internet Logs\xDB13.tmp
2007-05-23 17:12 2,656,768 ----a-w C:\windows\Internet Logs\xDB12.tmp
2007-05-20 14:48 3,480,064 ----a-w C:\windows\Internet Logs\xDB11.tmp
2007-05-19 02:04 3,436,544 ----a-w C:\windows\Internet Logs\xDB10.tmp
2007-04-23 21:49 2,555,392 ----a-w C:\windows\Internet Logs\xDBF.tmp
2007-04-13 18:29 2,514,944 ----a-w C:\windows\Internet Logs\xDBE.tmp
2007-04-13 18:29 1,267,712 ----a-w C:\windows\Internet Logs\xDBD.tmp
2007-04-07 09:50 2,462,720 ----a-w C:\windows\Internet Logs\xDBC.tmp
2007-04-07 09:50 101,888 ----a-w C:\windows\Internet Logs\xDBB.tmp
2007-04-06 19:59 264,192 ----a-w C:\windows\Internet Logs\xDBA.tmp
2007-04-04 22:30 2,541,056 ----a-w C:\windows\Internet Logs\xDB9.tmp
2007-03-30 10:30 2,345,984 ----a-w C:\windows\Internet Logs\xDB8.tmp
2007-03-28 00:38 2,329,088 ----a-w C:\windows\Internet Logs\xDB7.tmp
2007-03-20 18:38 2,243,072 ----a-w C:\windows\Internet Logs\xDB6.tmp
2007-03-20 18:38 1,610,240 ----a-w C:\windows\Internet Logs\xDB5.tmp
2007-03-15 19:47 2,218,496 ----a-w C:\windows\Internet Logs\xDB4.tmp
2007-03-12 23:47 2,782,208 ----a-w C:\windows\Internet Logs\xDB2.tmp
2007-03-12 23:47 2,177,536 ----a-w C:\windows\Internet Logs\xDB3.tmp
2007-03-09 18:54 2,002,944 ----a-w C:\windows\Internet Logs\xDB1.tmp
2005-12-23 15:13 108 --sha-r C:\windows\neoqaz2.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RocketDock"="C:\Program Files 2\RocketDock\RocketDock.exe" [2007-08-21 10:27 495616]
"µTorrent"="C:\Program Files 2\uTorrent\utorrent 1.6.1.exe" [2007-03-02 01:03 177152]
"STYLEXP"="C:\Program Files\TGTSoft\StyleXP\StyleXP.exe" [2006-05-24 20:31 1372160]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelliType"="C:\Program Files\Microsoft Hardware\Keyboard\type32.exe" [2002-03-21 22:41 94208]
"DiskeeperSystray"="C:\Program Files 2\Diskeeper Corporation\Diskeeper\DkIcon.exe" [2005-11-22 17:38 221184]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 01:56 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2007-03-04 18:56:27 688128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"SynchronousMachineGroupPolicy"= 0 (0x0)
"SynchronousUserGroupPolicy"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
"NoSMHelp"= 01000000
"NoRecentDocsNetHood"= 01000000
"NoSMMyPictures"= 01000000

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [2007-02-05 15:39 294400]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Desktop Search.lnk]
backup=C:\windows\pss\Windows Desktop Search.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Wireless LAN Utility.lnk]
backup=C:\WINDOWS\pss\Wireless LAN Utility.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^White_Insane^Start Menu^Programs^Startup^Adobe Gamma.lnk]
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\64view]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\845ae599]
C:\windows\system32\cphgybur.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 22:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
-ra------ 2007-03-01 10:37 2321600 C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BM8769d605]
C:\windows\system32\tgippexe.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CursorXP]
--a------ 2005-01-19 17:44 140288 C:\Program Files 2\CursorXP\CursorXP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
--a------ 2006-11-12 12:48 157592 C:\Program Files 2\DAEMON Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\default software style team]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Jet Detection]
--a------ 2001-11-29 02:00 28672 C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Kernel and Hardware Abstraction Layer]
--a------ 2007-01-23 16:44 101136 C:\WINDOWS\KHALMNPR.Exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\windows\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2007-03-01 15:57 153136 C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2007-06-29 00:43 8466432 C:\windows\system32\NvCpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2007-06-29 00:43 81920 C:\windows\system32\NvMcTray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVRTCLK]
-ra------ 2003-12-30 11:44 24576 C:\WINDOWS\system32\NVRTCLK\NVRTClk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2007-06-29 00:43 1626112 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PowerMenu]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--a------ 2003-10-31 20:42 32768 C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
--a------ 2007-02-23 00:31 25388584 C:\Program Files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-03-04 20:09 77824 C:\Program Files\Java\jre1.6.0\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TopDesk]
C:\Program Files 2\TopDesk\topdesk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
--------- 2000-05-11 02:00 90112 C:\WINDOWS\UpdReg.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\uTorrent]
--a------ 2007-12-29 00:53 219952 C:\Program Files\uTorrent\uTorrent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VGAUtil]
--a------ 2004-09-17 14:32 552960 C:\Program Files\GigaByte\VGA Utility Manager\G-VGA.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WINDVDPatch]
--a------ 2002-07-02 11:56 24576 C:\WINDOWS\system32\CTHELPER.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"NVSvc"=2 (0x2)
"IDriverT"=3 (0x3)
"Adobe LM Service"=3 (0x3)
"DynDNS_Updater_Service"=2 (0x2)
"ose"=3 (0x3)
"NMIndexingService"=3 (0x3)
"usnjsvc"=3 (0x3)
"WMPNetworkSvc"=3 (0x3)
"PnkBstrA"=2 (0x2)
"idsvc"=3 (0x3)
"UPS"=3 (0x3)
"SCardSvr"=3 (0x3)
"ImapiService"=3 (0x3)
"WLSetupSvc"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files 2\\uTorrent\\utorrent 1.6.1.exe"=

R0 Ndis3pkt;NDIS3PKT Driver for NAT32 (Windows 2000/XP Version);C:\windows\system32\DRIVERS\ndis3pkt.sys [2004-02-22 04:21]
S2 CX88XBAR;MSI 8606 Crossbar;C:\windows\system32\drivers\CX88XBar.SYS [2003-03-19 13:50]
S3 FA312;NETGEAR FA330/FA312/FA311 Fast Ethernet Adapter Driver;C:\windows\system32\DRIVERS\FA312nd5.sys [2001-08-17 14:12]
S3 NSNDIS5;NSNDIS5 NDIS Protocol Driver;C:\windows\system32\NSNDIS5.SYS [2004-03-24 04:12]
S4 DynDNS_Updater_Service;DynDNS Updater Service;C:\Program Files 2\DynDNS Updater\DynDNS.exe []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0a1c2d1a-b8ae-11dc-a3b0-000acd04e687}]
\Shell\Auto\command - AdobeR.exe e
\Shell\AutoRun\command - C:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL

.
Contents of the 'Scheduled Tasks' folder
"2008-04-16 09:00:00 C:\windows\Tasks\B536D8C39F354E8F.job"
- c:\docume~1\white_~1\applic~1\nurbfo~1\Optionmodetray.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-16 11:30:46
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\Program Files 2\Diskeeper Corporation\Diskeeper\DkService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.exe
.
**************************************************************************
.
Completion time: 2008-04-16 11:33:07 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-16 09:33:04
ComboFix2.txt 2008-04-16 00:01:45

Pre-Run: 1,588,097,024 bytes free
Post-Run: 1,574,072,320 bytes free

tashi
2008-04-16, 20:24
Hello.

Please see the stickied procedure for this forum: "BEFORE you POST" (READ this Procedure BEFORE Requesting Assistance) (http://forums.spybot.info/showthread.php?t=288)

Do NOT run 'fixes' before helpers have analyzed HJT/KAV scans (http://forums.spybot.info/showthread.php?t=16806)

Then start a new topic, and provide a link back to this thread.

I will close this one as helpers look for zero response.

Best regards. :)