There's a folder on my computer that every time I open it I keep getting this error:
If I don't click on "close message" I can browse the folder, but if I click on it, I get this: (I made a picture of all of it)
It is the first time I have seen such a thing. And it happens ONLY in that folder. (G:\incoming)
I've run ComboFix, and HijackThis after the ComboFix.
Can anyone tell me what this is and how do I fix it?
ComboFix log:
ComboFix 08-08-12.01 - Alborz 2008-08-13 22:25:18.6 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1256.981.1033.18.2920 [GMT 4.5:30]
Running from: F:\Softwares\ComboFix & Friends\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((( Files Created from 2008-07-13 to 2008-08-13 )))))))))))))))))))))))))))))))
.
2008-08-12 10:31 . 2008-08-12 10:31 <DIR> d-------- E:\Documents and Settings\Alborz\Application Data\ImgBurn
2008-08-10 21:30 . 2004-10-12 14:40 2,255,360 --a------ E:\WINDOWS\system32\libavcodec.dll
2008-08-10 21:30 . 2004-10-12 14:46 1,761,280 --a------ E:\WINDOWS\system32\ffdshow.ax
2008-08-10 21:30 . 2004-10-05 16:16 395,776 --a------ E:\WINDOWS\system32\libmplayer.dll
2008-08-10 21:30 . 2004-10-12 14:42 262,144 --a------ E:\WINDOWS\system32\TomsMoComp_ff.dll
2008-08-10 21:30 . 2003-04-03 00:17 172,032 --a------ E:\WINDOWS\system32\ac3filter.ax
2008-08-10 21:30 . 2004-10-04 01:50 112,640 --a------ E:\WINDOWS\system32\libmpeg2_ff.dll
2008-08-10 21:30 . 2008-08-12 15:06 54,156 --ah----- E:\WINDOWS\QTFont.qfn
2008-08-10 21:30 . 2008-08-10 21:30 1,409 --a------ E:\WINDOWS\QTFont.for
2008-08-10 18:55 . 2008-08-10 18:55 <DIR> d--h----- E:\WINDOWS\PIF
2008-08-02 15:54 . 2007-07-12 22:33 87,552 --a------ E:\WINDOWS\system32\cpwmon2k.dll
2008-08-02 15:53 . 2008-08-02 15:53 <DIR> d-------- E:\Program Files\GPLGS
2008-07-24 11:41 . 2008-08-02 15:53 <DIR> d-------- E:\Program Files\Acro Software
2008-07-23 00:32 . 2008-07-23 01:21 <DIR> d-------- E:\Documents and Settings\Alborz\Application Data\Hamachi
2008-07-23 00:32 . 2008-07-23 00:32 25,280 --a------ E:\WINDOWS\system32\drivers\hamachi.sys
2008-07-22 05:12 . 2008-07-22 05:12 42,320 --a------ E:\WINDOWS\system32\xfcodec.dll
2008-07-17 11:48 . 2008-07-17 11:48 <DIR> d-------- E:\Documents and Settings\Alborz\Application Data\TmpRecentIcons
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-13 16:25 --------- d-----w E:\Documents and Settings\Alborz\Application Data\FileZilla
2008-08-13 08:48 --------- d-----w E:\Documents and Settings\Alborz\Application Data\MySQL
2008-08-13 06:09 --------- d-----w E:\Documents and Settings\Alborz\Application Data\uTorrent
2008-08-12 08:11 --------- d-----w E:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-11 19:19 --------- d-----w E:\Documents and Settings\Alborz\Application Data\Xfire
2008-08-10 17:43 6,006 -csha-w E:\WINDOWS\system32\KGyGaAvL.sys
2008-07-31 12:40 --------- d---a-w E:\Documents and Settings\All Users\Application Data\TEMP
2008-07-12 17:58 --------- d-----w E:\Documents and Settings\Alborz\Application Data\IcoFX
2008-07-04 10:54 --------- d-----w E:\Program Files\Common Files\Adobe
2008-07-04 10:54 --------- d-----w E:\Documents and Settings\Alborz\Application Data\AdobeUM
2007-08-09 07:55 8 --sh--r E:\WINDOWS\system32\85FC424469.sys
.
------- Sigcheck -------
2004-09-01 12:30 359040 7b11118b078b88f87183fe69eda43137 E:\WINDOWS\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="E:\WINDOWS\system32\ctfmon.exe" [2004-09-01 12:30 15360]
"IECheck"="E:\WINDOWS\IECheck.exe" [2005-11-17 20:40 108544]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="E:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" [2004-09-01 12:30 208952]
"PHIME2002ASync"="E:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-09-01 12:30 455168]
"PHIME2002A"="E:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-09-01 12:30 455168]
"NvCplDaemon"="E:\WINDOWS\system32\NvCpl.dll" [2008-01-08 22:23 8523776]
"RemoteControl"="f:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 20:24 32768]
"VirtualCloneDrive"="f:\Program Files\VirtualCloneDrive\VCDDaemon.exe" [2006-04-29 17:51 94208]
"CloneCDTray"="f:\Program Files\CloneCD\CloneCDTray.exe" [2005-05-19 18:17 57344]
"ISUSPM Startup"="E:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 16:30 249856]
"ISUSScheduler"="E:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 16:30 81920]
"QuickTime Task"="F:\Program Files\QuickTime\qttask.exe" [2007-09-24 11:41 282624]
"NeroFilterCheck"="E:\Program Files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 16:57 153136]
"NBKeyScan"="E:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2007-09-20 10:51 1836328]
"SunJavaUpdateSched"="F:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"NvMediaCenter"="E:\WINDOWS\system32\NvMcTray.dll" [2008-01-08 22:23 81920]
"nwiz"="nwiz.exe" [2008-01-08 22:23 1626112 E:\WINDOWS\system32\nwiz.exe]
"FmctrlTray"="Fmctrl.EXE" [2001-11-06 16:57 270336 E:\WINDOWS\system32\fmctrl.exe]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="E:\WINDOWS\system32\ctfmon.exe" [2004-09-01 12:30 15360]
E:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - E:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 03:38:16 29696]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.I420"= i420vfw.dll
"VIDC.YV12"= yv12vfw.dll
"msacm.ac3filter"= ac3filter.acm
"VIDC.ACDV"= ACDV.dll
"msacm.l3fhg"= mp3fhg.acm
"VIDC.X264"= x264vfw.dll
"VIDC.HFYU"= huffyuv.dll
"vidc.i263"= i263_32.drv
"msacm.divxa32"= divxa32.acm
"msacm.l3codec"= l3codecp.acm
"VIDC.XFR1"= xfcodec.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"E:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"E:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"E:\\Program Files\\uTorrent\\uTorrent.exe"=
"F:\\Program Files\\wa\\WA.exe"=
"F:\\Program Files\\Yahoo! Messenger\\YahooMessenger.exe"=
"F:\\Program Files\\Yahoo! Messenger\\YServer.exe"=
R1 Cinemsup;Cinemsup;E:\WINDOWS\system32\drivers\Cinemsup.sys [2002-07-19 08:10]
R2 Apache2.2;Apache2.2;E:\Program Files\Apache2.2\bin\httpd.exe [2007-09-05 09:59]
R2 MySQL5;MySQL5;E:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt --defaults-file=E:\Program Files\MySQL\MySQL Server 5.0\my.ini MySQL5 []
R3 gameport;Genius SM-Live Series PCI Joystick;E:\WINDOWS\system32\DRIVERS\fmjoy.sys [2001-10-31 10:11]
R3 SKYNET;TechniSat DVB-PC TV Star PCI;E:\WINDOWS\system32\DRIVERS\SkyNET.SYS [2006-03-14 05:52]
R3 wdm_fm801;Genius SM-Live Series PCI Audio (WDM);E:\WINDOWS\system32\drivers\fm801.sys [2001-08-17 01:30]
S1 rxp;rxp;E:\WINDOWS\system32\drivers\rxp.sys []
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5b3e0f2a-35e3-11dd-aa6b-00d0d714a718}]
\Shell\Auto\command - sunny.exe
\Shell\AutoRun\command - E:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL sunny.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{660b21a9-4989-11dc-a765-00d0d714a718}]
\Shell\AutoRun\command - P:\autorun.exe
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - E:\Documents and Settings\Alborz\Application Data\Mozilla\Firefox\Profiles\a58asg4q.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE -
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-13 22:26:18
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\MySql]
"ImagePath"="E:/mysql/bin/mysqld-nt.exe"
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\MySql]
"ImagePath"="E:/mysql/bin/mysqld-nt.exe"
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\MySQL5]
"ImagePath"="\"E:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt\" --defaults-file=\"E:\Program Files\MySQL\MySQL Server 5.0\my.ini\" MySQL5"
.
Completion time: 2008-08-13 22:26:46
ComboFix-quarantined-files.txt 2008-08-13 17:56:33
ComboFix2.txt 2008-08-12 08:43:48
Pre-Run: 65,810,497,536 bytes free
Post-Run: 65,942,835,200 bytes free
136
HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:22, on 2008-08-13
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
F:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
F:\Program Files\VirtualCloneDrive\VCDDaemon.exe
E:\WINDOWS\system32\Fmctrl.EXE
F:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
E:\WINDOWS\system32\RUNDLL32.EXE
E:\WINDOWS\system32\ctfmon.exe
E:\Program Files\Apache2.2\bin\httpd.exe
E:\Program Files\Bonjour\mDNSResponder.exe
F:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
E:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe
E:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
E:\Program Files\Apache2.2\bin\httpd.exe
E:\WINDOWS\system32\nvsvc32.exe
E:\WINDOWS\system32\PnkBstrA.exe
E:\WINDOWS\system32\PSIService.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\system32\notepad.exe
E:\Program Files\Mozilla Firefox\firefox.exe
F:\Program Files\FileZilla Client\filezilla.exe
E:\WINDOWS\pchealth\helpctr\binaries\helpctr.exe
E:\WINDOWS\explorer.exe
E:\WINDOWS\system32\notepad.exe
F:\Program Files\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - E:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - f:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Catcher Class - {ADECBED6-0366-4377-A739-E69DFBA04663} - f:\Program Files\FLV Downloader\MoyeaCth.dll
O2 - BHO: QUICKfind BHO Object - {C08DF07A-3E49-4E25-9AB0-D3882835F153} - f:\PROGRA~1\LONGMA~1\LAD001PE\setup\qf\IEHelp.dll
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - E:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O4 - HKLM\..\Run: [IMJPMIG8.1] "E:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] E:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] E:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [RemoteControl] "f:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [VirtualCloneDrive] "f:\Program Files\VirtualCloneDrive\VCDDaemon.exe" /s
O4 - HKLM\..\Run: [CloneCDTray] "f:\Program Files\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [ISUSPM Startup] "E:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "E:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [FmctrlTray] Fmctrl.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] E:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "E:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "F:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE E:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [IECheck] E:\WINDOWS\IECheck.exe
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] E:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] E:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = E:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Clean Traces - F:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - F:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - F:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - F:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - f:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - f:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - f:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - f:\Program Files\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{33DECB99-D7B7-4170-B79D-8D7848592871}: NameServer = 81.12.74.3 62.220.100.201
O17 - HKLM\System\CCS\Services\Tcpip\..\{BE40051E-E6D6-4EA2-B283-08CDF7E28DB4}: NameServer = 217.218.127.104,4.2.2.4
O23 - Service: Apache2.2 - Apache Software Foundation - E:\Program Files\Apache2.2\bin\httpd.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - E:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - F:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - E:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - E:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Imapi Helper - Alex Feinman - F:\Program Files\ISO Recorder\ImapiHelper.exe
O23 - Service: MySql - Unknown owner - E:/mysql/bin/mysqld-nt.exe (file missing)
O23 - Service: MySQL5 - Unknown owner - E:\Program.exe (file missing)
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - E:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - E:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - E:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - E:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: ProtexisLicensing - Unknown owner - E:\WINDOWS\system32\PSIService.exe
--
End of file - 7770 bytes
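The lines in the ComboFix log above that a malware-removal helper would pull out first are the MountPoints2 handlers (`\Shell\Auto\command - sunny.exe` and `\Shell\AutoRun\command - ... ShellExec_RunDLL sunny.exe` on one volume GUID, `P:\autorun.exe` on another), the two Security Center `*DisableNotify` values set to 1, and `EnableFirewall = 0` on the standard profile. The script below is an added example, not part of the original post and not ComboFix's or HijackThis's own code: it parses the "Reg Loading Points" section of a ComboFix log and reports exactly those three classes of entry. The sample input is excerpted from the log quoted above; the finding dictionary layout, the `relative` flag (a handler target with no drive letter is resolved against the root of the volume that was mounted, which is where an autorun.inf worm keeps its payload) and the function names are my own.

```python
"""Triage the 'Reg Loading Points' section of a ComboFix log.

Added example (not from the original post). It flags:
  * MountPoints2 Shell\Auto / Shell\AutoRun handlers (autorun.inf residue
    recorded for a removable or mapped drive),
  * Security Center notifications switched off (*DisableNotify = 1),
  * the Windows Firewall profile disabled (EnableFirewall = 0).
"""
import re
import sys
from typing import Dict, List

# Excerpt of the ComboFix output quoted in the post above, trimmed to the
# entries this script cares about so that it runs offline.
SAMPLE_LOG: List[str] = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5b3e0f2a-35e3-11dd-aa6b-00d0d714a718}]
\Shell\Auto\command - sunny.exe
\Shell\AutoRun\command - E:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL sunny.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{660b21a9-4989-11dc-a765-00d0d714a718}]
\Shell\AutoRun\command - P:\autorun.exe
""".strip().splitlines()

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
MP2_RE = re.compile(r"\\mountpoints2\\(?P<guid>\{[0-9a-f-]+\})$", re.I)
SHELL_RE = re.compile(r"^\\Shell\\(?P<verb>[^\\]+)\\command\s+-\s+(?P<cmd>.+)$", re.I)
DWORD_RE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<val>[0-9a-f]{8})$', re.I)
FIREWALL_RE = re.compile(r'^"EnableFirewall"=\s*(?P<val>\d+)', re.I)
DRIVE_RE = re.compile(r"^[A-Za-z]:\\")


def triage_reg_loading_points(lines: List[str]) -> List[Dict[str, object]]:
    """Return one finding per suspicious entry, in the order the log lists them."""
    findings: List[Dict[str, object]] = []
    current_key = ""
    for raw in lines:
        line = raw.strip()
        key_match = KEY_RE.match(line)
        if key_match:
            current_key = key_match.group("key")   # ComboFix prints [key] then its values
            continue

        shell = SHELL_RE.match(line)
        mp2 = MP2_RE.search(current_key)
        if shell and mp2:
            cmd = shell.group("cmd").strip()
            # Both a bare "open=" target and "RunDLL32 Shell32.DLL,ShellExec_RunDLL <x>"
            # end with the file that actually gets executed.
            target = cmd.split()[-1]
            findings.append({
                "type": "autorun_handler",
                "guid": mp2.group("guid"),
                "verb": shell.group("verb"),
                "target": target,
                # No drive letter: resolved against the mounted volume's root,
                # so the payload lives on that drive, not on the system disk.
                "relative": DRIVE_RE.match(target) is None,
            })
            continue

        dword = DWORD_RE.match(line)
        if (dword and current_key.lower().endswith("security center")
                and dword.group("name").lower().endswith("disablenotify")
                and int(dword.group("val"), 16) == 1):
            findings.append({"type": "notify_disabled", "name": dword.group("name")})
            continue

        fw = FIREWALL_RE.match(line)
        if fw and "firewallpolicy" in current_key.lower() and fw.group("val") == "0":
            findings.append({"type": "firewall_disabled",
                             "profile": current_key.rsplit("\\", 1)[-1]})
    return findings


def main(argv: List[str]) -> None:
    """Run on a saved ComboFix.txt if given, otherwise on the embedded excerpt."""
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8", errors="replace") as fh:
            lines = fh.read().splitlines()
    else:
        lines = SAMPLE_LOG
    for finding in triage_reg_loading_points(lines):
        print("  ".join(f"{k}={v}" for k, v in finding.items()))


if __name__ == "__main__":
    main(sys.argv)
```

Run it with the path to a saved ComboFix.txt, or with no argument to see it applied to the excerpt. Each `autorun_handler` finding with `relative=True` points at a file that ComboFix did not scan (it lives on the removable or mapped volume the GUID stands for, not on the system drive), which is why the listing alone does not show `sunny.exe`; the MountPoints2 key only records what Explorer was told to run when that volume was last plugged in.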