ComboFix 08-02.05.3 - Robleh 2008-02-05 23:54:51.2 - FAT32x86
Running from: C:\Documents and Settings\Robleh\Desktop\Combo-Fix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\WinBudget
C:\Program Files\WinBudget\bin\matrix.dll
C:\Program Files\WinBudget\bin\tempzor

.
((((((((((((((((((((((((( Files Created from 2008-01-06 to 2008-02-06 )))))))))))))))))))))))))))))))
.

2008-02-04 20:49 . 2008-02-05 04:16 d-------- C:\ComboFix[1]
2008-02-04 20:49 . 2004-08-04 05:00 388,608 --a------ C:\kmd.exe
2008-02-02 21:44 . 2008-02-02 21:44 dr-h----- C:\$VAULT$.AVG
2008-02-02 21:00 . 2008-02-02 21:00 d-------- C:\Documents and Settings\Robleh\Application Data\AVG7
2008-02-02 21:00 . 2008-02-02 21:00 d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-02-02 21:00 . 2008-02-02 21:00 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-02-02 21:00 . 2008-02-02 21:00 d-------- C:\Documents and Settings\All Users\Application Data\avg7
2008-02-02 18:08 . 2008-02-02 18:09 311,591 --a------ C:\Program Files\AntiRootkit.zip
2008-02-02 12:16 . 2008-02-02 12:16 d--hs---- C:\FOUND.004
2008-02-01 15:36 . 2008-02-01 15:37 d-------- C:\Program Files\Trend Micro
2008-02-01 15:36 . 2008-02-01 15:36 812,344 --a------ C:\Program Files\HJTInstall.exe
2008-02-01 01:49 . 2008-02-01 01:49 d-------- C:\WINDOWS\system32\ActiveScan
2008-02-01 01:49 . 2008-02-02 19:00 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-02-01 01:49 . 2008-02-02 19:00 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-02-01 01:49 . 2008-02-02 19:00 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-01-31 19:24 . 2008-01-31 19:25 d-------- C:\WINDOWS\SxsCaPendDel
2008-01-30 21:50 . 2008-01-30 21:50 d-------- C:\WINDOWS\system32\bak
2008-01-30 21:50 . 2008-01-30 21:50 d-------- C:\WINDOWS\bak
2008-01-14 20:52 . 2008-01-14 20:52 d--hs---- C:\FOUND.003

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-15 14:54 10,537 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.cat
2008-01-15 10:28 706 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.inf
2008-01-12 23:32 23,904 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.sys
2007-12-28 00:02 --------- d-----w C:\Program Files\Photo Viewer
2007-12-11 22:34 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2007-12-11 22:34 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2007-12-05 17:07 60,800 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL
2007-10-29 06:08 952 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys

.
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 32,768 2005-05-19 22:09:52 C:\WINDOWS\bak\RUNXMLPL.exe
----a-w 15,360 2004-08-04 10:00:00 C:\WINDOWS\system32\bak\ctfmon.exe
----a-w 15,360 2004-08-04 10:00:00 C:\WINDOWS\system32\ctfmon.exe
----a-w 94,208 2005-08-24 17:50:30 C:\WINDOWS\system32\bak\igfxtray.exe
----a-w 77,824 2005-08-24 17:47:18 C:\WINDOWS\system32\bak\hkcmd.exe
----a-w 114,688 2005-08-24 17:51:12 C:\WINDOWS\system32\bak\igfxpers.exe
----a-w 59,392 2004-08-04 10:00:00 C:\WINDOWS\system32\IME\PINTLGNT\bak\ImScInst.exe
----a-w 59,392 2004-08-04 10:00:00 C:\WINDOWS\system32\IME\PINTLGNT\imscinst.exe
----a-w 455,168 2004-08-04 10:00:00 C:\WINDOWS\system32\IME\TINTLGNT\bak\TINTSETP.EXE
----a-w 455,168 2004-08-04 10:00:00 C:\WINDOWS\system32\IME\TINTLGNT\tintsetp.exe
----a-w 208,952 2004-08-04 10:00:00 C:\WINDOWS\ime\imjp8_1\bak\IMJPMIG.EXE
----a-w 208,952 2004-08-04 10:00:00 C:\WINDOWS\ime\imjp8_1\imjpmig.exe
----a-w 249,856 2005-08-11 21:30:30 C:\Program Files\Common Files\InstallShield\UpdateService\bak\isuspm.exe
----a-w 81,920 2005-08-11 21:30:30 C:\Program Files\Common Files\InstallShield\UpdateService\bak\issch.exe
----a-w 32,768 2004-11-03 01:24:46 C:\Program Files\CyberLink\PowerDVD\bak\PDVDServ.exe
----a-w 102,490 2005-02-04 16:12:58 C:\Program Files\Synaptics\SynTP\bak\SynTPLpr.exe
----a-w 708,698 2005-02-04 16:11:48 C:\Program Files\Synaptics\SynTP\bak\SynTPEnh.exe
----a-w 39,792 2007-10-11 00:51:56 C:\Program Files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe
----a-w 32,768 2005-07-25 18:36:40 C:\Program Files\Launch Manager\bak\LaunchAp.exe
----a-w 69,632 2006-04-20 16:26:56 C:\Program Files\Launch Manager\bak\HotkeyApp.exe
----a-w 20,480 2003-09-16 19:28:26 C:\Program Files\Launch Manager\bak\CtrlVol.exe
----a-w 241,664 2005-07-25 15:45:00 C:\Program Files\Launch Manager\bak\OSDCtrl.exe
----a-w 86,016 2006-04-20 14:23:58 C:\Program Files\Launch Manager\bak\Wbutton.exe
----a-w 132,496 2007-09-25 06:11:36 C:\Program Files\Java\jre1.6.0_03\bin\bak\jusched.exe
----a-w 282,624 2006-11-21 21:01:34 C:\Program Files\QuickTime\bak\qttask.exe
----a-w 2,462,208 2005-10-24 21:45:32 C:\Acer\Empowering Technology\bak\admtray.exe
----a-w 397,312 2006-01-24 23:00:08 C:\Acer\Empowering Technology\eRecovery\bak\Monitor.exe
----a-w 69,632 2005-12-27 20:50:28 C:\Acer\Empowering Technology\eDataSecurity\bak\eDSloader.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 05:00 208952]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 05:00 59392]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 05:00 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 05:00 455168]
"SoundMan"="SOUNDMAN.EXE" [2005-04-15 11:01 77824 C:\WINDOWS\SOUNDMAN.EXE]
"Acer ePower Management"="C:\Acer\Empowering Technology\ePower\Acer ePower Management.exe" [2005-11-09 11:04 3084288]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 18:30 517768]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 01:59 115816]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [ ]
"epm-dm"="c:\acer\Empowering Technology\ePower\epm-dm.exe" [2005-11-10 19:09 212992]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-02-02 21:00 219136]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"TSClientMSIUninstaller"="cmd.exe" [2004-08-04 05:00 388608 C:\WINDOWS\system32\cmd.exe]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^VPN Client.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\VPN Client.lnk
backup=C:\WINDOWS\pss\VPN Client.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Robleh^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=C:\Documents and Settings\Robleh\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=C:\WINDOWS\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 05:00 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-01-19 12:54 5674352 C:\Program Files\MSN Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-03-14 03:43 83608 C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe

R1 Hotkey;Hotkey;C:\WINDOWS\system32\drivers\Hotkey.sys [2003-04-28 11:27]
R1 OsaFsLoc;OsaFsLoc;C:\WINDOWS\system32\drivers\OsaFsLoc.sys [2005-10-15 18:20]
R2 EpmPsd;Acer EPM Power Scheme Driver;C:\WINDOWS\system32\drivers\epm-psd.sys [2004-07-19 13:10]
R2 EpmShd;Acer EPM System Hardware Driver;C:\WINDOWS\system32\drivers\epm-shd.sys [2005-04-07 18:08]
R2 osaio;osaio;C:\WINDOWS\system32\drivers\osaio.sys [2005-06-30 16:58]
R2 osanbm;osanbm;C:\WINDOWS\system32\drivers\osanbm.sys [2005-01-14 15:57]
S1 Wbutton;Wbutton;C:\WINDOWS\system32\drivers\Wbutton.sys []
S3 NdisFilt;OSA NdisFilter Protocol;C:\WINDOWS\system32\Drivers\NdisFilt.sys [2005-09-13 15:34]

*Newly Created Service* - COMHOST
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-05 23:57:33
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-05 23:58:03
ComboFix-quarantined-files.txt 2008-02-06 04:58:02
ComboFix2.txt 2008-02-05 02:11:06