ComboFix 08-12-21.02 - Haze 2008-12-21 17:50:53.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.767.287 [GMT -5:00]
Running from: c:\documents and settings\Haze\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Haze\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Haze\Application Data\inst.exe
c:\documents and settings\Haze\Local Settings\Temporary Internet Files\fbk.sts
c:\windows\AppPatch\Custom\{deb7008b-681e-4a4a-8aae-cc833e8216ce}.sdb
c:\windows\qmdispatch.dll
c:\windows\system32\dumphive.exe
c:\windows\system32\gngpiv.dll
c:\windows\system32\iinjnsfk.dll
c:\windows\system32\imcyntgj.dll
c:\windows\system32\iqtijkrk.dll
c:\windows\system32\ivwywolt.dll
c:\windows\system32\jduisyri.dll
c:\windows\system32\ljJYRJbb.dll
c:\windows\system32\lkhrid.dll
c:\windows\system32\Lmponnpo.ini
c:\windows\system32\Lmponnpo.ini2
c:\windows\system32\ltefqbvh.dll
c:\windows\system32\mlwisajx.dll
c:\windows\system32\nmbadpaa.dll
c:\windows\system32\ojklny.dll
c:\windows\system32\opnnopmL.dll
c:\windows\system32\SrchSTS.exe
c:\windows\system32\tmp.reg
c:\windows\system32\tuvUKEwu.dll
c:\windows\system32\ucqkoj.dll
c:\windows\system32\udawvuom.dll
c:\windows\system32\VCCLSID.exe
c:\windows\system32\vqfomt.dll
c:\windows\system32\vurirgon.dll
c:\windows\system32\xleokmqm.dll
c:\windows\system32\ycuxlska.dll
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_OREANS32
-------\Service_oreans32
((((((((((((((((((((((((( Files Created from 2008-11-21 to 2008-12-21 )))))))))))))))))))))))))))))))
.
2008-12-21 13:22 . 2008-12-21 13:22 120 --ahs---- c:\windows\system32\tlowywvi.ini
2008-12-20 17:13 . 2008-12-20 17:13 120 --ahs---- c:\windows\system32\mouvwadu.ini
2008-12-20 13:09 . 2008-12-20 13:09 <DIR> d-------- c:\program files\Alwil Software
2008-12-19 17:12 . 2008-12-19 17:12 120 --ahs---- c:\windows\system32\mqmkoelx.ini
2008-12-18 06:46 . 2008-12-18 06:46 120 --ahs---- c:\windows\system32\jgtnycmi.ini
2008-12-08 20:06 . 2008-12-20 21:41 <DIR> d-------- c:\program files\Steam
2008-12-08 15:34 . 2008-12-08 15:35 481 --a------ c:\windows\system32\de.bat
2008-12-04 06:47 . 2008-12-04 06:50 <DIR> d-------- c:\program files\Wise Registry Cleaner 3 Pro
2008-12-03 23:20 . 2008-12-03 23:20 <DIR> d-------- c:\program files\VS Revo Group
2008-12-03 22:57 . 2008-12-03 22:57 361,600 --a------ c:\windows\system32\drivers\TCPIP.SYS.ORIGINAL
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-21 22:44 --------- d-----w c:\documents and settings\Haze\Application Data\SiteAdvisor
2008-12-20 22:41 --------- d-----w c:\program files\Mozilla Thunderbird
2008-12-19 00:03 --------- d-----w c:\program files\QMacro
2008-12-13 13:40 --------- d-----w c:\documents and settings\Haze\Application Data\uTorrent
2008-12-09 00:36 --------- d-----w c:\documents and settings\Haze\Application Data\Vso
2008-12-07 13:44 --------- d-----w c:\program files\mIRC
2008-12-04 03:57 361,600 ----a-w c:\windows\system32\drivers\TCPIP.SYS
2008-11-28 00:27 --------- d-----w c:\program files\Viewpoint
2008-11-15 18:06 --------- d-----w c:\program files\Common Files\Adobe
2008-11-11 00:24 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-11 00:23 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-11-10 02:41 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-09 23:50 --------- d-----w c:\program files\GSC 2.00
2008-11-09 02:38 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-11-09 02:37 --------- d-----w c:\program files\SpywareBlaster
2008-11-04 00:52 --------- d-----w c:\program files\PeerGuardian2
2008-11-03 19:29 --------- d-----w c:\documents and settings\Haze\Application Data\Red Alert 3
2008-11-02 16:44 --------- d-----w c:\program files\Electronic Arts
2008-10-29 23:20 --------- d-----w c:\program files\Sword of The New World
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-09-02 00:11 94,208 ----a-w c:\documents and settings\Haze\Application Data\ezplay.sys
2008-09-02 00:11 47,360 ----a-w c:\documents and settings\Haze\Application Data\pcouffin.sys
2008-01-15 02:35 22,328 ----a-w c:\documents and settings\Haze\Application Data\PnkBstrK.sys
2006-12-26 00:23 81,920 ----a-w c:\documents and settings\Haze\Application Data\ezpinst.exe
.
------- Sigcheck -------
2007-10-30 11:53 360832 64798ecfa43d78c7178375fcdd16d8c8 c:\windows\$hf_mig$\KB941644\SP2QFE\tcpip.sys
2008-06-20 05:44 360960 744e57c99232201ae98c49168b918f48 c:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys
2008-06-20 06:51 361600 9aefa14bd6b182d61e3119fa5f436d3d c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys
2008-06-20 06:59 361600 ad978a1b783b5719720cff204b666c8e c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
2008-06-20 05:45 360320 2a5554fc5b1e04e131230e3ce035c3f9 c:\windows\$NtServicePackUninstall$\tcpip.sys
2004-08-04 01:14 359040 9f4b36614a0fc234525ba224957de55c c:\windows\$NtUninstallKB941644$\tcpip.sys
2008-04-13 14:20 361344 93ea8d04ec73a85db02eb8805988f733 c:\windows\$NtUninstallKB951748$\tcpip.sys
2007-10-30 12:20 360064 90caff4b094573449a0872a0f919b178 c:\windows\$NtUninstallKB951748_0$\tcpip.sys
2008-04-13 14:20 361344 93ea8d04ec73a85db02eb8805988f733 c:\windows\ServicePackFiles\i386\TCPIP.SYS
2008-12-03 22:57 361600 d24ea301e2b36c4e975fd216ca85d8e7 c:\windows\system32\dllcache\TCPIP.SYS
2008-12-03 22:57 361600 d24ea301e2b36c4e975fd216ca85d8e7 c:\windows\system32\drivers\TCPIP.SYS
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DiskeeperSystray"="c:\program files\Diskeeper Corporation\Diskeeper\DkIcon.exe" [2005-11-22 221184]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-11-26 81000]
"AtiPTA"="atiptaxx.exe" [2005-06-28 c:\windows\system32\atiptaxx.exe]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=vqfomt.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.3IV2"= 3ivxVfWCodec.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, snapapi32.dll
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^VIA RAID TOOL.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\VIA\RAID\via raid tool.lnk
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\!AVG Anti-Spyware
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Anti-Blaxx Manager
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools-1033
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eTrust PestPatrol Active Protection]
none [X]
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\gcasServ
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GLSetIT32
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nod32kui
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pando
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TBPS
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-10-15 01:04 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
--a------ 2006-08-01 15:35 67112 c:\progra~1\AIM\aim.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
--a------ 2006-11-07 10:29 50736 c:\program files\AIM6\aim6.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ASUS SmartDoctor]
--a------ 2004-02-02 17:13 954368 c:\program files\ASUS\SmartDoctor\SmartDoctor.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DiskeeperSystray]
--a------ 2005-11-22 17:38 221184 c:\program files\Diskeeper Corporation\Diskeeper\DkIcon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ExtremeTWRF]
--a------ 2008-01-14 08:44 45056 c:\windows\system32\extwrf.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
--a------ 2004-08-04 00:31 208952 c:\windows\ime\imjp8_1\imjpmig.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2005-02-16 16:15 81920 c:\program files\Common Files\InstallShield\UpdateService\issch.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]
--a------ 2004-08-04 00:31 59392 c:\windows\system32\IME\PINTLGNT\imscinst.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2006-01-12 14:40 155648 c:\program files\Common Files\Ahead\Lib\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PeerGuardian]
--a------ 2005-09-18 18:40 1421824 c:\program files\PeerGuardian2\pg2.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
--a------ 2004-08-04 00:32 455168 c:\windows\system32\IME\TINTLGNT\tintsetp.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
--a------ 2004-08-04 00:32 455168 c:\windows\system32\IME\TINTLGNT\tintsetp.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-03-28 22:37 413696 c:\program files\QuickTime\QTTask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-12-14 03:42 144784 c:\program files\Java\jre1.6.0_04\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TvServerQuery]
--a------ 2008-07-21 22:45 73728 c:\program files\x2\x2 Server Query\TVServerQuery.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2007-06-07 13:08 4670968 c:\progra~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
--a------ 2005-06-28 21:05 344064 c:\windows\system32\atiptaxx.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C-Media Mixer]
--a------ 2008-01-13 15:30 1818624 c:\windows\Mixer.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\P17Helper]
--a------ 2005-05-03 19:38 64512 c:\windows\system32\P17.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PtiuPbmd]
--a------ 2003-01-15 14:41 24576 c:\windows\system32\ptipbm.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TCASUTIEXE]
--a------ 2003-07-16 02:34 1323008 c:\windows\system32\TCAUDIAG.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
R0 viasraid;viasraid;c:\windows\system32\DRIVERS\viasraid.sys [2004-12-01 77056]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-12-20 111184]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2008-12-20 20560]
R2 tcaicchg;tcaicchg;\??\c:\windows\System32\tcaicchg.sys [2000-06-06 21233]
R2 TCAITDI;TCAITDI Protocol;c:\windows\system32\DRIVERS\TCAITDI.sys [2001-09-03 19534]
S3 ATIXPGAA;ATIXPGAA;\??\c:\program files\ASUS\SmartDoctor\ATIXPGAA.SYS [2003-10-29 11776]
S3 AvFlt;Antivirus Filter Driver;c:\windows\system32\drivers\av5flt.sys []
S3 NTProcDrv;Process creation detector for NT.;\??\d:\downloaded shit\1.19\NtProcDrv.sys []
S3 SaiH0109;SaiH0109;c:\windows\system32\DRIVERS\SaiH0109.sys [2005-12-31 55936]
S3 SaiU0109;SaiU0109;c:\windows\system32\DRIVERS\SaiU0109.sys [2005-12-31 19456]
S3 Video3D;ASUS Video3D Service;c:\windows\system32\Drivers\Video3D.sys []
S3 XDva028;XDva028;\??\c:\windows\System32\XDva028.sys []
S3 XDva031;XDva031;\??\c:\windows\System32\XDva031.sys []
S3 XDva037;XDva037;\??\c:\windows\system32\XDva037.sys []
S3 XDva090;XDva090;\??\c:\windows\system32\XDva090.sys []
S3 XDva119;XDva119;\??\c:\windows\system32\XDva119.sys []
S3 XDva121;XDva121;\??\c:\windows\system32\XDva121.sys []
S3 XDva132;XDva132;\??\c:\windows\system32\XDva132.sys []
S3 XDva134;XDva134;\??\c:\windows\system32\XDva134.sys []
S3 XDva158;XDva158;\??\c:\windows\system32\XDva158.sys []
S3 XDva164;XDva164;\??\c:\windows\system32\XDva164.sys []
S3 XDva167;XDva167;\??\c:\windows\system32\XDva167.sys []
S3 XDva186;XDva186;\??\c:\windows\system32\XDva186.sys []
S3 XDva190;XDva190;\??\c:\windows\system32\XDva190.sys []
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e18ef05e-77a3-11dd-ad87-000ea67471ed}]
\Shell\AutoRun\command - h:\system\viewer\FlipVideoforPC.exe
\Shell\Flip Video for PC\command - h:\system\viewer\FlipVideoforPC.exe
.
- - - - ORPHANS REMOVED - - - -
BHO-{5db781f0-dc46-40de-acbe-3dd2388f3887} - c:\windows\system32\vqfomt.dll
BHO-{6A6085BE-D9AD-4F2B-9EDE-E90FDD4FAD20} - c:\windows\system32\opnnopmL.dll
BHO-{799FA50F-FE27-4B70-BC09-A1DEABA1B24D} - (no file)
ShellExecuteHooks-{799FA50F-FE27-4B70-BC09-A1DEABA1B24D} - (no file)
Notify-mlJDurQI - (no file)
MSConfigStartUp-6c0a9762 - c:\windows\system32\imcyntgj.dll
MSConfigStartUp-RUNDLL32 - c:\windows\TEMP\rundll32.exe
MSConfigStartUp-SService - c:\windows\TEMP\EXPLORER.EXE
MSConfigStartUp-System Restore - c:\windows\TEMP\EXPLORER.EXE
MSConfigStartUp-ctfmon - (no file)
MSConfigStartUp-gcasDtServ - gcasDtServ.exe
MSConfigStartUp-igndlm - (no file)
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uSearchMigratedDefaultURL =
hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
c:\windows\Downloaded Program Files\UniInstallerLicense.htm
c:\windows\Downloaded Program Files\UniInstallerGui.xml
c:\windows\Downloaded Program Files\UniInstallerTop.bmp
c:\windows\Downloaded Program Files\UniInstallerBottom.bmp
c:\windows\Downloaded Program Files\UniInstaller.dll
c:\windows\Downloaded Program Files\UniInet.dll
O16 -: {02AA9E0F-B4EB-4BE9-A769-FD09543FEEC2}
hxxp://www.sexyads.net/members/voice-installer.cab
c:\windows\Downloaded Program Files\UniInstaller.inf
c:\windows\Downloaded Program Files\A18X.ocx
O16 -: {0835BC90-6ABC-4F52-A103-4FC3A61F2C33}
hxxp://www.albatross18.com/cabs/A18X.ocx
c:\windows\nxpm.ocx
O16 -: {2931566C-B8A6-46C5-BF4D-E6AB9251E953}
hxxp://www.nexon.co.jp/JP/f/ActiveX/Public/nxpm.cab
c:\windows\Downloaded Program Files\nxpm.inf
c:\windows\Downloaded Program Files\mainstrings.txt
c:\windows\Downloaded Program Files\pestscan.ini
c:\windows\Downloaded Program Files\ppctl.dll
c:\windows\Downloaded Program Files\pestscanx.ocx
O16 -: {56393399-041A-4650-94C7-13DFCB1F4665}
hxxp://pcpitstop.com/pestscan/pestscan.cab
c:\windows\Downloaded Program Files\pestscanx.inf
c:\windows\Downloaded Program Files\mabiwebframe.dll
O16 -: {7623BE59-D4CF-4379-ABC4-B39E11854D66}
hxxp://avatar.mabinogi.jp/3drender/rend ... 07.4.4.cab
c:\windows\Downloaded Program Files\mabiweb.inf
c:\windows\Downloaded Program Files\nislib.dll
c:\windows\Downloaded Program Files\nisx.dll
O16 -: {77B4BB82-C2AD-4BF8-A1A2-795605604CA8}
hxxp://d-fighter.nefficient.co.kr/samsu ... er/dis.cab
c:\windows\System32\ENetLauncher.ocx
O16 -: {ADCC68D4-AAEA-4338-817D-1F261D9FB759}
hxxp://www.dragongemworld.com/Active_X/ENetLauncher.cab
c:\windows\Downloaded Program Files\ENetLauncher.inf
c:\windows\System32\msvcrt.dll
c:\windows\System32\mfc42.dll
c:\windows\System32\olepro32.dll
c:\windows\System32\ILKmpihc.dll
O16 -: {B45E969D-924F-4C83-ACF3-38CDD115AA2C}
hxxps://www.isaackorea.net/update/ilkactx.cab
c:\windows\Downloaded Program Files\ILKmpihc.inf
c:\windows\System32\mfc42.dll
c:\windows\System32\msvcrt.dll
c:\windows\System32\olepro32.dll
c:\windows\Downloaded Program Files\TricksterActiveX.lic
c:\windows\Downloaded Program Files\TricksterActiveX.ocx
O16 -: {CEA3052D-65B9-44E2-A501-5E14024BC66F}
hxxp://www.tricksteronline.com/control/ ... ctiveX.cab
c:\windows\Downloaded Program Files\TricksterActiveX.inf
c:\windows\System32\mfc42.dll
O16 -: {D88C7675-7CEE-4C9A-BDD4-7A43EED7794D}
hxxp://www.gamengame.com/KALogoutComponent.cab
c:\windows\Downloaded Program Files\KALogoutComponent.inf
c:\windows\Downloaded Program Files\iaplayer.dll
O16 -: {DB7BF79A-FC51-4B5A-92BC-A65731174380}
hxxp://www.instantaction.com/download/iaplayer.cab
c:\windows\Downloaded Program Files\cab.inf
FF - ProfilePath - c:\documents and settings\Haze\Application Data\Mozilla\Firefox\Profiles\8aaml5t5.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.myspace.com/
FF - plugin: c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
FF - plugin: c:\documents and settings\Haze\Application Data\Mozilla\Firefox\Profiles\8aaml5t5.default\extensions\iaplayer@instantaction.com\plugins\npiaplayer.dll
FF - plugin: c:\progra~1\Yahoo!\Common\npyaxmpb.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Yahoo!\Shared\npYState.dll
ATTENTION: FIREFOX POLICES IS IN FORCE
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("general.useragent.vendorComment", "ax");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("security.xpconnect.activex.global.hosting_flags", 9);
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("security.classID.allowByDefault", false);
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID6BF52A52-394A-11D3-B153-00C04F79FAA6", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID22D6F312-B0F6-11D0-94AB-0080C74C7E95", "AllAccess");
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2008-12-21 17:56:58
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(592)
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Diskeeper Corporation\Diskeeper\DkService.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\windows\system32\ati2evxx.exe
.
**************************************************************************
.
Completion time: 2008-12-21 17:58:39 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-21 22:58:37
Pre-Run: 8,841,969,664 bytes free
Post-Run: 8,955,424,768 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /usepmtimer /NoExecute=OptIn
334 --- E O F --- 2008-12-10 01:13:17
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:00:43 PM, on 12/21/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\Findme.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.comcastsupport.com/sdcxuser/asp/tgctlsr.cab
O16 - DPF: {02AA9E0F-B4EB-4BE9-A769-FD09543FEEC2} (UniInstaller Class) - http://www.sexyads.net/members/voice-installer.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0835BC90-6ABC-4F52-A103-4FC3A61F2C33} (A18X Control) - http://www.albatross18.com/cabs/A18X.ocx
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://pcpitstop.com/internet/pcpConnCheck.cab
O16 - DPF: {2931566C-B8A6-46C5-BF4D-E6AB9251E953} (Nexon Package Manager Control) - http://www.nexon.co.jp/JP/f/ActiveX/Public/nxpm.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/ ... 1.2.76.cab
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://pcpitstop.com/pestscan/pestscan.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 0231545154
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/house ... hcImpl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004 ... scan53.cab
O16 - DPF: {7623BE59-D4CF-4379-ABC4-B39E11854D66} (MabinogiWebAvatarRenderer Class) - http://avatar.mabinogi.jp/3drender/rend ... 07.4.4.cab
O16 - DPF: {77B4BB82-C2AD-4BF8-A1A2-795605604CA8} (CNeoInstallShieldX Object) - http://d-fighter.nefficient.co.kr/samsu ... er/dis.cab
O16 - DPF: {ADCC68D4-AAEA-4338-817D-1F261D9FB759} (ENetLauncher Control) - http://www.dragongemworld.com/Active_X/ENetLauncher.cab
O16 - DPF: {B45E969D-924F-4C83-ACF3-38CDD115AA2C} (MpiPlugin Class) - https://www.isaackorea.net/update/ilkactx.cab
O16 - DPF: {CEA3052D-65B9-44E2-A501-5E14024BC66F} (TricksterActiveX Control) - http://www.tricksteronline.com/control/ ... ctiveX.cab
O16 - DPF: {D88C7675-7CEE-4C9A-BDD4-7A43EED7794D} (Logout Class) - http://www.gamengame.com/KALogoutComponent.cab
O16 - DPF: {DB7BF79A-FC51-4B5A-92BC-A65731174380} (InstantAction Game Launcher) - http://www.instantaction.com/download/iaplayer.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O20 - AppInit_DLLs: vqfomt.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: npkcmsvc - Unknown owner - C:\Nexon\Mabinogi\npkcmsvc.exe (file missing)
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\System32\UAService7.exe
--
End of file - 7370 bytes