ComboFix 09-04-19.05 - Arcagully 04/19/2009 19:37.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2047.1647 [GMT 2:00]
Running from: c:\documents and settings\Arcagully\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1335 [VPS 090419-0] *On-access scanning disabled* (Updated)
 * Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\recycler\S-1-5-21-1482476501-1644491937-682003330-1013
c:\recycler\S-1-5-21-1482476501-1644491937-682003330-1013\Desktop.ini
c:\windows\IE4 Error Log.txt
.
((((((((((((((((((((((((( Files Created from 2009-03-19 to 2009-04-19 )))))))))))))))))))))))))))))))
.
2009-04-19 10:58 . 2009-04-19 10:58 -------- d-----w C:\rsit
2009-03-26 17:11 . 2001-08-17 21:36 5632 ----a-w c:\windows\system32\ptpusb.dll
2009-03-26 17:11 . 2004-08-03 23:56 159232 ----a-w c:\windows\system32\ptpusd.dll
2009-03-26 17:11 . 2004-08-03 21:58 15104 -c--a-w c:\windows\system32\dllcache\usbscan.sys
2009-03-26 17:11 . 2004-08-03 21:58 15104 ----a-w c:\windows\system32\drivers\usbscan.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-17 20:09 . 2009-01-08 17:34 -------- d-----w c:\program files\DC++
2009-04-17 20:06 . 2009-02-26 23:09 -------- d-----w c:\documents and settings\Arcagully\Application Data\Skype
2009-04-17 15:41 . 2009-02-26 23:15 -------- d-----w c:\documents and settings\Arcagully\Application Data\skypePM
2009-04-06 10:03 . 2009-04-06 09:49 -------- d-----w c:\program files\Warblade
2009-04-04 09:14 . 2009-04-04 09:14 -------- d-----w c:\program files\ReflexiveArcade
2009-03-20 12:25 . 2009-01-08 17:45 68109 ----a-w c:\windows\War3Unin.dat
2009-02-26 23:17 . 2009-02-26 23:17 60416 ----a-w c:\windows\ALCFDRTM.EXE
2009-02-26 23:09 . 2009-02-26 23:09 -------- d-----w c:\program files\Skype
2009-02-26 23:09 . 2009-02-26 23:08 -------- d-----w c:\documents and settings\All Users\Application Data\Skype
2009-02-26 23:09 . 2009-02-26 23:09 -------- d-----w c:\program files\Common Files\Skype
2009-02-26 22:07 . 2009-02-26 22:07 -------- d-----w c:\program files\MSN Messenger
2009-02-25 13:28 . 2009-02-25 13:28 -------- d-----w c:\program files\Alwil Software
2009-02-08 13:27 . 2009-02-08 13:27 45056 ----a-w c:\windows\NCUNINST.EXE
2009-01-08 17:31 . 2009-01-08 17:31 12328 ----a-w c:\documents and settings\Arcagully\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-01-24 19:2009-01-29 23:42 33:58 . c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2006-01-24 7094272]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-16 13529088]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-16 86016]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2009-01-24 30192]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2008-05-16 1630208]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\SOUNDMAN.EXE [2004-01-09 65536]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R3 GoogleDesktopManager-092308-165331;Google Desktop Manager 5.8.809.23506;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2009-01-24 30192]
S1 aswSP;avast! Self Protection; [x]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2009-02-05 20560]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{166eebb0-dd7e-11dd-9f7f-806d6172696f}]
\Shell\AutoOpen\command - .\MSOCache\90000804-6000-11D3-8CFE-0150048383C9\KB915865.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL .\MSOCache\90000804-6000-11D3-8CFE-0150048383C9\KB915865.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{85c871d0-2524-11de-b3f7-000ea67c01db}]
\Shell\AutoOpen\command - .\MSOCache\90000804-6000-11D3-8CFE-0150048383C0\KB915866.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL .\MSOCache\90000804-6000-11D3-8CFE-0150048383C0\KB915866.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f164d18a-0682-11de-b3c1-000ea67c01db}]
\Shell\AutoRun\command - e:\driver\usb\autorun.exe
\Shell\open\command - e:\driver\usb\autorun.exe
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyServer = proxy1.bg.wi:3128
uInternet Settings,ProxyOverride = 10.5.*; *.bg.wi;
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
FF - ProfilePath - c:\documents and settings\Arcagully\Application Data\Mozilla\Firefox\Profiles\aacbdux7.default\
FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-19 19:40
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-04-19 19:41 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-19 17:41

Pre-Run: 29,114,966,016 bytes free
Post-Run: 29,111,242,752 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

120