ComboFix 08-02.05.3 - Robleh 2008-02-04 20:55:23.1 - [color=red][b]FAT32[/b][/color]x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.219 [GMT -5:00]
Running from: C:\Documents and Settings\Robleh\Desktop\Combo-Fix.exe
* Created a new restore point
[color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b][/color]
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Program Files\WinBudget
C:\Program Files\WinBudget\bin\crap.1201822711.old
C:\Program Files\WinBudget\bin\crap.1201826177.old
C:\Program Files\WinBudget\bin\matrix.dat
C:\Program Files\WinBudget\bin\matrix.dll
C:\Program Files\WinBudget\bin\matrix.dll.1201826175.old
C:\WINDOWS\system32\drivers\npf.sys
C:\WINDOWS\system32\packet.dll
C:\WINDOWS\system32\pthreadVC.dll
C:\WINDOWS\system32\WanPacket.dll
C:\WINDOWS\system32\wpcap.dll
----- BITS: Possible infected sites -----
hxxp://www.download.windowsupdate.com
hxxp://sus.cc.uottawa.ca
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\LEGACY_NPF
-------\NPF
((((((((((((((((((((((((( Files Created from 2008-01-05 to 2008-02-05 )))))))))))))))))))))))))))))))
.
2008-02-04 20:49 . 2008-02-05 04:16 d-------- C:\ComboFix[1]
2008-02-02 21:44 . 2008-02-02 21:44 dr-h----- C:\$VAULT$.AVG
2008-02-02 21:00 . 2008-02-02 21:00 d-------- C:\Documents and Settings\Robleh\Application Data\AVG7
2008-02-02 21:00 . 2008-02-02 21:00 d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-02-02 21:00 . 2008-02-02 21:00 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-02-02 21:00 . 2008-02-02 21:00 d-------- C:\Documents and Settings\All Users\Application Data\avg7
2008-02-02 18:08 . 2008-02-02 18:09 311,591 --a------ C:\Program Files\AntiRootkit.zip
2008-02-02 12:16 . 2008-02-02 12:16 d--hs---- C:\FOUND.004
2008-02-01 15:36 . 2008-02-01 15:37 d-------- C:\Program Files\Trend Micro
2008-02-01 15:36 . 2008-02-01 15:36 812,344 --a------ C:\Program Files\HJTInstall.exe
2008-02-01 01:49 . 2008-02-01 01:49 d-------- C:\WINDOWS\system32\ActiveScan
2008-02-01 01:49 . 2008-02-02 19:00 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-02-01 01:49 . 2008-02-02 19:00 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-02-01 01:49 . 2008-02-02 19:00 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-01-31 19:24 . 2008-01-31 19:25 d-------- C:\WINDOWS\SxsCaPendDel
2008-01-30 21:50 . 2008-01-30 21:50 d-------- C:\WINDOWS\system32\bak
2008-01-30 21:50 . 2008-01-30 21:50 d-------- C:\WINDOWS\bak
2008-01-14 20:52 . 2008-01-14 20:52 d--hs---- C:\FOUND.003
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-15 14:54 10,537 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.cat
2008-01-15 10:28 706 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.inf
2008-01-12 23:32 23,904 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.sys
2007-12-28 00:02 --------- d-----w C:\Program Files\Photo Viewer
2007-12-11 22:34 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2007-12-11 22:34 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2007-12-05 17:07 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2007-12-05 17:07 60,800 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL
2007-12-05 17:07 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-12-05 17:07 10,740 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2007-12-05 03:51 0 ---ha-w C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2007-12-05 03:51 0 ---ha-w C:\WINDOWS\system32\drivers\Msft_Kernel_xusb21_01005.Wdf
2007-10-29 06:08 952 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 32,768 2005-05-19 22:09:52 C:\WINDOWS\bak\RUNXMLPL.exe
----a-w 15,360 2004-08-04 10:00:00 C:\WINDOWS\system32\bak\ctfmon.exe
----a-w 15,360 2004-08-04 10:00:00 C:\WINDOWS\system32\ctfmon.exe
----a-w 94,208 2005-08-24 17:50:30 C:\WINDOWS\system32\bak\igfxtray.exe
----a-w 77,824 2005-08-24 17:47:18 C:\WINDOWS\system32\bak\hkcmd.exe
----a-w 114,688 2005-08-24 17:51:12 C:\WINDOWS\system32\bak\igfxpers.exe
----a-w 59,392 2004-08-04 10:00:00 C:\WINDOWS\system32\IME\PINTLGNT\bak\ImScInst.exe
----a-w 59,392 2004-08-04 10:00:00 C:\WINDOWS\system32\IME\PINTLGNT\imscinst.exe
----a-w 455,168 2004-08-04 10:00:00 C:\WINDOWS\system32\IME\TINTLGNT\bak\TINTSETP.EXE
----a-w 455,168 2004-08-04 10:00:00 C:\WINDOWS\system32\IME\TINTLGNT\tintsetp.exe
----a-w 208,952 2004-08-04 10:00:00 C:\WINDOWS\ime\imjp8_1\bak\IMJPMIG.EXE
----a-w 208,952 2004-08-04 10:00:00 C:\WINDOWS\ime\imjp8_1\imjpmig.exe
----a-w 249,856 2005-08-11 21:30:30 C:\Program Files\Common Files\InstallShield\UpdateService\bak\isuspm.exe
----a-w 81,920 2005-08-11 21:30:30 C:\Program Files\Common Files\InstallShield\UpdateService\bak\issch.exe
----a-w 32,768 2004-11-03 01:24:46 C:\Program Files\CyberLink\PowerDVD\bak\PDVDServ.exe
----a-w 102,490 2005-02-04 16:12:58 C:\Program Files\Synaptics\SynTP\bak\SynTPLpr.exe
----a-w 708,698 2005-02-04 16:11:48 C:\Program Files\Synaptics\SynTP\bak\SynTPEnh.exe
----a-w 39,792 2007-10-11 00:51:56 C:\Program Files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe
----a-w 579,072 2008-02-03 02:03:44 C:\Program Files\Grisoft\AVG7\bak\avgcc.exe
----a-w 14,864 2008-02-05 01:29:30 C:\Program Files\Grisoft\AVG7\avgcc.exe
----a-w 32,768 2005-07-25 18:36:40 C:\Program Files\Launch Manager\bak\LaunchAp.exe
----a-w 69,632 2006-04-20 16:26:56 C:\Program Files\Launch Manager\bak\HotkeyApp.exe
----a-w 20,480 2003-09-16 19:28:26 C:\Program Files\Launch Manager\bak\CtrlVol.exe
----a-w 241,664 2005-07-25 15:45:00 C:\Program Files\Launch Manager\bak\OSDCtrl.exe
----a-w 86,016 2006-04-20 14:23:58 C:\Program Files\Launch Manager\bak\Wbutton.exe
----a-w 132,496 2007-09-25 06:11:36 C:\Program Files\Java\jre1.6.0_03\bin\bak\jusched.exe
----a-w 282,624 2006-11-21 21:01:34 C:\Program Files\QuickTime\bak\qttask.exe
----a-w 2,462,208 2005-10-24 21:45:32 C:\Acer\Empowering Technology\bak\admtray.exe
----a-w 212,992 2005-11-11 00:09:24 C:\Acer\Empowering Technology\ePower\bak\epm-dm.exe
----a-w 14,864 2008-02-05 01:29:30 C:\Acer\Empowering Technology\ePower\epm-dm.exe
----a-w 397,312 2006-01-24 23:00:08 C:\Acer\Empowering Technology\eRecovery\bak\Monitor.exe
----a-w 69,632 2005-12-27 20:50:28 C:\Acer\Empowering Technology\eDataSecurity\bak\eDSloader.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 05:00 208952]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 05:00 59392]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 05:00 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 05:00 455168]
"SoundMan"="SOUNDMAN.EXE" [2005-04-15 11:01 77824 C:\WINDOWS\SOUNDMAN.EXE]
"Acer ePower Management"="C:\Acer\Empowering Technology\ePower\Acer ePower Management.exe" [2005-11-09 11:04 3084288]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 18:30 517768]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 01:59 115816]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-02-04 20:29 14864]
"epm-dm"="c:\acer\Empowering Technology\ePower\epm-dm.exe" [2008-02-04 20:29 14864]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-02-02 21:00 219136]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"TSClientMSIUninstaller"="cmd.exe" [2004-08-04 05:00 388608 C:\WINDOWS\system32\cmd.exe]
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^VPN Client.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\VPN Client.lnk
backup=C:\WINDOWS\pss\VPN Client.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^Robleh^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=C:\Documents and Settings\Robleh\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=C:\WINDOWS\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 05:00 15360 C:\WINDOWS\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-01-19 12:54 5674352 C:\Program Files\MSN Messenger\msnmsgr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-03-14 03:43 83608 C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
*Newly Created Service* - COMHOST
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-04 21:05:27
Windows 5.1.2600 Service Pack 2 FAT NTAPI
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Acer\Empowering Technology\admServ.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Windows Media Player\WMPNetwk.exe
C:\acer\Empowering Technology\ePower\bak\epm-dm.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
.
**************************************************************************
.
Completion time: 2008-02-04 21:11:04 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-05 02:11:00