ComboFix 08-03-24.1 - The Boss 2008-03-24 20:30:22.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2430 [GMT -5:00]
Running from: C:\Documents and Settings\The Boss\Desktop\ComboFix.exe
 * Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Documents and Settings\The Boss\Application Data\YMBOLS~1
C:\Documents and Settings\The Boss\My Documents\DOBE~1
C:\Documents and Settings\The Boss\My Documents\DOBE~1\?dobe\
C:\WINDOWS\default.htm
C:\WINDOWS\TEMP\salm.exe

----- BITS: Possible infected sites -----

hxxp://80.93.48.74
.
((((((((((((((((((((((((( Files Created from 2008-02-25 to 2008-03-25 )))))))))))))))))))))))))))))))
.

2008-03-24 20:16 . 2008-03-24 20:16 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-03-24 20:16 . 2008-03-24 20:16 d-------- C:\Documents and Settings\The Boss\Application Data\Malwarebytes
2008-03-24 20:16 . 2008-03-24 20:16 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-03-24 15:16 . 2008-03-24 15:16 3,304 --a------ C:\WINDOWS\SYSTEM32\tmp.reg
2008-03-24 10:45 . 2008-03-24 10:45 d-------- C:\Documents and Settings\The Boss\Application Data\PC Tools
2008-03-24 10:45 . 2008-03-24 10:45 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-24 10:44 . 2008-03-24 10:44 d-------- C:\Documents and Settings\Administrator\Application Data\Jasc Software Inc
2008-03-24 08:36 . 2008-03-24 08:36 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-03-24 05:59 . 2008-03-24 10:44 d-------- C:\Program Files\Spyware Doctor
2008-03-24 05:59 . 2007-12-10 14:53 81,288 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\iksyssec.sys
2008-03-24 05:59 . 2007-12-10 14:53 66,952 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\iksysflt.sys
2008-03-24 05:59 . 2007-12-10 14:53 41,864 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\ikfilesec.sys
2008-03-24 05:59 . 2007-12-10 14:53 29,576 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\kcom.sys
2008-03-24 04:16 . 2008-03-24 04:16 d-------- C:\Documents and Settings\Administrator\Application Data\Lavasoft
2008-03-23 22:26 . 2004-12-28 08:29 d-------- C:\Documents and Settings\Administrator\Application Data\Sonic
2008-03-23 22:26 . 2004-12-28 08:29 d-------- C:\Documents and Settings\Administrator\Application Data\Creative
2008-03-23 15:16 . 2008-03-23 15:16 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-03-23 15:16 . 2008-03-23 15:16 1,409 --a------ C:\WINDOWS\QTFont.for
2008-03-03 00:16 . 2008-03-03 00:16 d-------- C:\Documents and Settings\Teacher\Application Data\Leadertech

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.

2008-03-25 01:29 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-03-24 23:42 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-03-24 20:15 1,306,533 ----a-w C:\SmitfraudFix.exe
2008-03-24 16:15 --------- d-----w C:\Program Files\Trend Micro
2008-03-24 15:46 --------- d-----w C:\Documents and Settings\The Boss\Application Data\Lavasoft
2008-03-24 15:44 --------- d-----w C:\Program Files\Lavasoft
2008-03-24 13:35 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-03-22 20:49 86,528 ----a-w C:\WINDOWS\SYSTEM32\VACFix.exe
2008-03-21 00:04 --------- d-----w C:\Program Files\Common Files\Adobe
2008-03-20 23:33 --------- d-----w C:\Documents and Settings\The Boss\Application Data\Download Manager
2008-03-15 22:16 82,432 ----a-w C:\WINDOWS\SYSTEM32\IEDFix.exe
2008-03-07 02:32 706 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.inf
2008-03-07 02:32 23,904 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.sys
2008-03-07 02:32 10,537 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.cat
2008-03-03 05:16 --------- d-----w C:\Documents and Settings\Teacher\Application Data\Sonic
2008-02-24 00:00 --------- d-----w C:\Documents and Settings\The Boss\Application Data\Creative
2008-02-22 23:41 107,888 ----a-w C:\WINDOWS\SYSTEM32\CmdLineExt.dll
2008-02-22 23:41 --------- d--h--r C:\Documents and Settings\The Boss\Application Data\SecuROM
2005-11-19 00:17 32 ----a-r C:\Documents and Settings\All Users\hash.dat

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24 1694208]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 21:12 221184]
"CTSysVol"="C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe" [2003-09-17 11:43 57344]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-10-12 17:54 57344]
"ANIWZCS2Service"="C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2005-11-30 10:35 49152]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-12-23 22:39 155648]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 00:59 115816]
"osCheck"="C:\Program Files\Norton AntiVirus\osCheck.exe" [2007-01-14 02:11 771704]
"mmtask"="C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe" [2006-01-17 13:03 53248]
"nwiz"="nwiz.exe" [2007-09-17 01:07 1626112 C:\WINDOWS\SYSTEM32\nwiz.exe]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-11-28 20:51 583048]

C:\Documents and Settings\The Boss\Start Menu\Programs\Startup\
HotSync Manager.lnk - C:\Program Files\Palm\HOTSYNC.EXE [2002-08-09 16:36:20 299008]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2005-05-03 23:07:32 81920]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
backup=C:\WINDOWS\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]
C:\PROGRA~1\mcafee.com\agent\mcupdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
--a------ 2006-01-17 13:03 53248 C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
--a------ 2006-01-17 13:03 135168 C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
-ra------ 2006-03-30 17:45 313472 C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirusScan Online]
c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VSOCheckTask]
c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"=
"C:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-1.10.0-enUS-downloader.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-1.10.2.5302-to-1.11.0.5428-enUS-downloader.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-1.11.1.5462-to-1.11.2.5464-enUS-downloader.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-1.11.2.5464-to-1.12.0.5595-enUS-downloader.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-1.12.0.5595-to-1.12.1.5875-enUS-downloader.exe"=
"C:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
"C:\\WINDOWS\\SYSTEM32\\DPVSETUP.EXE"=
"C:\\WINDOWS\\SYSTEM32\\RUNDLL32.EXE"=
"C:\\Program Files\\Flagship Studios\\Hellgate London\\Launcher.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader
"6112:TCP"= 6112:TCP:Blizzard Downloader

R2 AdobeActiveFileMonitor;Adobe Active File Monitor;C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe [2004-10-04 04:47]
R2 PhotoshopElementsDeviceConnect;Photoshop Elements Device Connect;C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe [2004-10-04 03:40]
R3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);C:\WINDOWS\system32\DRIVERS\A3AB.sys [2007-06-17 20:27]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c9b4dcf8-1493-11dc-8e2c-00038a000015}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

.
Contents of the 'Scheduled Tasks' folder
"2007-02-17 18:34:14 C:\WINDOWS\Tasks\McAfee.com Scan for Viruses - My Computer (DGFRPF61-The Boss).job"
- c:\program files\mcafee.com\vso\mcmnhdlr.exe
"2008-03-25 01:00:00 C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - The Boss.job"
- C:\Program Files\Norton AntiVirus\Navw32.exeh/TASK:
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-24 20:32:02
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-03-24 20:32:31
ComboFix-quarantined-files.txt 2008-03-25 01:32:28
.
2008-03-13 08:01:40 --- E O F ---