ComboFix 08-02.05.3 - Robleh 2008-02-04 20:55:23.1 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.219 [GMT -5:00]
Running from: C:\Documents and Settings\Robleh\Desktop\Combo-Fix.exe
 * Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Program Files\WinBudget
C:\Program Files\WinBudget\bin\crap.1201822711.old
C:\Program Files\WinBudget\bin\crap.1201826177.old
C:\Program Files\WinBudget\bin\matrix.dat
C:\Program Files\WinBudget\bin\matrix.dll
C:\Program Files\WinBudget\bin\matrix.dll.1201826175.old
C:\WINDOWS\system32\drivers\npf.sys
C:\WINDOWS\system32\packet.dll
C:\WINDOWS\system32\pthreadVC.dll
C:\WINDOWS\system32\WanPacket.dll
C:\WINDOWS\system32\wpcap.dll

----- BITS: Possible infected sites -----

hxxp://www.download.windowsupdate.com
hxxp://sus.cc.uottawa.ca

.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\LEGACY_NPF
-------\NPF


(((((((((((((((((((((((((   Files Created from 2008-01-05 to 2008-02-05   )))))))))))))))))))))))))))))))
.

2008-02-04 20:49 . 2008-02-05 04:16	d--------	C:\ComboFix[1]
2008-02-02 21:44 . 2008-02-02 21:44	dr-h-----	C:\$VAULT$.AVG
2008-02-02 21:00 . 2008-02-02 21:00	d--------	C:\Documents and Settings\Robleh\Application Data\AVG7
2008-02-02 21:00 . 2008-02-02 21:00	d--------	C:\Documents and Settings\LocalService\Application Data\AVG7
2008-02-02 21:00 . 2008-02-02 21:00	d--------	C:\Documents and Settings\All Users\Application Data\Grisoft
2008-02-02 21:00 . 2008-02-02 21:00	d--------	C:\Documents and Settings\All Users\Application Data\avg7
2008-02-02 18:08 . 2008-02-02 18:09	311,591	--a------	C:\Program Files\AntiRootkit.zip
2008-02-02 12:16 . 2008-02-02 12:16	d--hs----	C:\FOUND.004
2008-02-01 15:36 . 2008-02-01 15:37	d--------	C:\Program Files\Trend Micro
2008-02-01 15:36 . 2008-02-01 15:36	812,344	--a------	C:\Program Files\HJTInstall.exe
2008-02-01 01:49 . 2008-02-01 01:49	d--------	C:\WINDOWS\system32\ActiveScan
2008-02-01 01:49 . 2008-02-02 19:00	30,590	--a------	C:\WINDOWS\system32\pavas.ico
2008-02-01 01:49 . 2008-02-02 19:00	2,550	--a------	C:\WINDOWS\system32\Uninstall.ico
2008-02-01 01:49 . 2008-02-02 19:00	1,406	--a------	C:\WINDOWS\system32\Help.ico
2008-01-31 19:24 . 2008-01-31 19:25	d--------	C:\WINDOWS\SxsCaPendDel
2008-01-30 21:50 . 2008-01-30 21:50	d--------	C:\WINDOWS\system32\bak
2008-01-30 21:50 . 2008-01-30 21:50	d--------	C:\WINDOWS\bak
2008-01-14 20:52 . 2008-01-14 20:52	d--hs----	C:\FOUND.003

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-15 14:54	10,537	----a-w	C:\WINDOWS\system32\drivers\COH_Mon.cat
2008-01-15 10:28	706	----a-w	C:\WINDOWS\system32\drivers\COH_Mon.inf
2008-01-12 23:32	23,904	----a-w	C:\WINDOWS\system32\drivers\COH_Mon.sys
2007-12-28 00:02	---------	d-----w	C:\Program Files\Photo Viewer
2007-12-11 22:34	200,704	----a-w	C:\WINDOWS\system32\ssldivx.dll
2007-12-11 22:34	1,044,480	----a-w	C:\WINDOWS\system32\libdivx.dll
2007-12-05 17:07	805	----a-w	C:\WINDOWS\system32\drivers\SYMEVENT.INF
2007-12-05 17:07	60,800	----a-w	C:\WINDOWS\system32\S32EVNT1.DLL
2007-12-05 17:07	123,952	----a-w	C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-12-05 17:07	10,740	----a-w	C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2007-12-05 03:51	0	---ha-w	C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2007-12-05 03:51	0	---ha-w	C:\WINDOWS\system32\drivers\Msft_Kernel_xusb21_01005.Wdf
2007-10-29 06:08	952	--sha-w	C:\WINDOWS\system32\KGyGaAvL.sys
.

(((((((((((((((((((((((((((((((((((((((((((((   AWF   ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w	32,768	2005-05-19 22:09:52	C:\WINDOWS\bak\RUNXMLPL.exe
----a-w	15,360	2004-08-04 10:00:00	C:\WINDOWS\system32\bak\ctfmon.exe
----a-w	15,360	2004-08-04 10:00:00	C:\WINDOWS\system32\ctfmon.exe
----a-w	94,208	2005-08-24 17:50:30	C:\WINDOWS\system32\bak\igfxtray.exe
----a-w	77,824	2005-08-24 17:47:18	C:\WINDOWS\system32\bak\hkcmd.exe
----a-w	114,688	2005-08-24 17:51:12	C:\WINDOWS\system32\bak\igfxpers.exe
----a-w	59,392	2004-08-04 10:00:00	C:\WINDOWS\system32\IME\PINTLGNT\bak\ImScInst.exe
----a-w	59,392	2004-08-04 10:00:00	C:\WINDOWS\system32\IME\PINTLGNT\imscinst.exe
----a-w	455,168	2004-08-04 10:00:00	C:\WINDOWS\system32\IME\TINTLGNT\bak\TINTSETP.EXE
----a-w	455,168	2004-08-04 10:00:00	C:\WINDOWS\system32\IME\TINTLGNT\tintsetp.exe
----a-w	208,952	2004-08-04 10:00:00	C:\WINDOWS\ime\imjp8_1\bak\IMJPMIG.EXE
----a-w	208,952	2004-08-04 10:00:00	C:\WINDOWS\ime\imjp8_1\imjpmig.exe
----a-w	249,856	2005-08-11 21:30:30	C:\Program Files\Common Files\InstallShield\UpdateService\bak\isuspm.exe
----a-w	81,920	2005-08-11 21:30:30	C:\Program Files\Common Files\InstallShield\UpdateService\bak\issch.exe
----a-w	32,768	2004-11-03 01:24:46	C:\Program Files\CyberLink\PowerDVD\bak\PDVDServ.exe
----a-w	102,490	2005-02-04 16:12:58	C:\Program Files\Synaptics\SynTP\bak\SynTPLpr.exe
----a-w	708,698	2005-02-04 16:11:48	C:\Program Files\Synaptics\SynTP\bak\SynTPEnh.exe
----a-w	39,792	2007-10-11 00:51:56	C:\Program Files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe
----a-w	579,072	2008-02-03 02:03:44	C:\Program Files\Grisoft\AVG7\bak\avgcc.exe
----a-w	14,864	2008-02-05 01:29:30	C:\Program Files\Grisoft\AVG7\avgcc.exe
----a-w	32,768	2005-07-25 18:36:40	C:\Program Files\Launch Manager\bak\LaunchAp.exe
----a-w	69,632	2006-04-20 16:26:56	C:\Program Files\Launch Manager\bak\HotkeyApp.exe
----a-w	20,480	2003-09-16 19:28:26	C:\Program Files\Launch Manager\bak\CtrlVol.exe
----a-w	241,664	2005-07-25 15:45:00	C:\Program Files\Launch Manager\bak\OSDCtrl.exe
----a-w	86,016	2006-04-20 14:23:58	C:\Program Files\Launch Manager\bak\Wbutton.exe
----a-w	132,496	2007-09-25 06:11:36	C:\Program Files\Java\jre1.6.0_03\bin\bak\jusched.exe
----a-w	282,624	2006-11-21 21:01:34	C:\Program Files\QuickTime\bak\qttask.exe
----a-w	2,462,208	2005-10-24 21:45:32	C:\Acer\Empowering Technology\bak\admtray.exe
----a-w	212,992	2005-11-11 00:09:24	C:\Acer\Empowering Technology\ePower\bak\epm-dm.exe
----a-w	14,864	2008-02-05 01:29:30	C:\Acer\Empowering Technology\ePower\epm-dm.exe
----a-w	397,312	2006-01-24 23:00:08	C:\Acer\Empowering Technology\eRecovery\bak\Monitor.exe
----a-w	69,632	2005-12-27 20:50:28	C:\Acer\Empowering Technology\eDataSecurity\bak\eDSloader.exe

.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 05:00 208952]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 05:00 59392]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 05:00 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 05:00 455168]
"SoundMan"="SOUNDMAN.EXE" [2005-04-15 11:01 77824 C:\WINDOWS\SOUNDMAN.EXE]
"Acer ePower Management"="C:\Acer\Empowering Technology\ePower\Acer ePower Management.exe" [2005-11-09 11:04 3084288]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 18:30 517768]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 01:59 115816]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-02-04 20:29 14864]
"epm-dm"="c:\acer\Empowering Technology\ePower\epm-dm.exe" [2008-02-04 20:29 14864]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-02-02 21:00 219136]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"TSClientMSIUninstaller"="cmd.exe" [2004-08-04 05:00 388608 C:\WINDOWS\system32\cmd.exe]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^VPN Client.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\VPN Client.lnk
backup=C:\WINDOWS\pss\VPN Client.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Robleh^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=C:\Documents and Settings\Robleh\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=C:\WINDOWS\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 05:00 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-01-19 12:54 5674352 C:\Program Files\MSN Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-03-14 03:43 83608 C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe

*Newly Created Service* - COMHOST

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-04 21:05:27
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Acer\Empowering Technology\admServ.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Windows Media Player\WMPNetwk.exe
C:\acer\Empowering Technology\ePower\bak\epm-dm.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
.
**************************************************************************
.
Completion time: 2008-02-04 21:11:04 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-05 02:11:00