ComboFix 08-03-24.1 - The Boss 2008-03-24 20:30:22.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2430 [GMT -5:00]
Running from: C:\Documents and Settings\The Boss\Desktop\ComboFix.exe
* Created a new restore point
[color=red][b]WARNING - THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b][/color]
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Documents and Settings\The Boss\Application Data\YMBOLS~1
C:\Documents and Settings\The Boss\My Documents\DOBE~1
C:\Documents and Settings\The Boss\My Documents\DOBE~1\?dobe\
C:\WINDOWS\default.htm
C:\WINDOWS\TEMP\salm.exe
----- BITS: Possibly infected sites -----
hxxp://80.93.48.74
.
((((((((((((((((((((((((( Files Created from 2008-02-25 to 2008-03-25 )))))))))))))))))))))))))))))))
.
2008-03-24 20:16 . 2008-03-24 20:16 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-03-24 20:16 . 2008-03-24 20:16 d-------- C:\Documents and Settings\The Boss\Application Data\Malwarebytes
2008-03-24 20:16 . 2008-03-24 20:16 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-03-24 15:16 . 2008-03-24 15:16 3,304 --a------ C:\WINDOWS\SYSTEM32\tmp.reg
2008-03-24 10:45 . 2008-03-24 10:45 d-------- C:\Documents and Settings\The Boss\Application Data\PC Tools
2008-03-24 10:45 . 2008-03-24 10:45 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-24 10:44 . 2008-03-24 10:44 d-------- C:\Documents and Settings\Administrator\Application Data\Jasc Software Inc
2008-03-24 08:36 . 2008-03-24 08:36 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-03-24 05:59 . 2008-03-24 10:44 d-------- C:\Program Files\Spyware Doctor
2008-03-24 05:59 . 2007-12-10 14:53 81,288 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\iksyssec.sys
2008-03-24 05:59 . 2007-12-10 14:53 66,952 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\iksysflt.sys
2008-03-24 05:59 . 2007-12-10 14:53 41,864 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\ikfilesec.sys
2008-03-24 05:59 . 2007-12-10 14:53 29,576 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\kcom.sys
2008-03-24 04:16 . 2008-03-24 04:16 d-------- C:\Documents and Settings\Administrator\Application Data\Lavasoft
2008-03-23 22:26 . 2004-12-28 08:29 d-------- C:\Documents and Settings\Administrator\Application Data\Sonic
2008-03-23 22:26 . 2004-12-28 08:29 d-------- C:\Documents and Settings\Administrator\Application Data\Creative
2008-03-23 15:16 . 2008-03-23 15:16 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-03-23 15:16 . 2008-03-23 15:16 1,409 --a------ C:\WINDOWS\QTFont.for
2008-03-03 00:16 . 2008-03-03 00:16 d-------- C:\Documents and Settings\Teacher\Application Data\Leadertech
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-25 01:29 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-03-24 23:42 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-03-24 20:15 1,306,533 ----a-w C:\SmitfraudFix.exe
2008-03-24 16:15 --------- d-----w C:\Program Files\Trend Micro
2008-03-24 15:46 --------- d-----w C:\Documents and Settings\The Boss\Application Data\Lavasoft
2008-03-24 15:44 --------- d-----w C:\Program Files\Lavasoft
2008-03-24 13:35 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-03-22 20:49 86,528 ----a-w C:\WINDOWS\SYSTEM32\VACFix.exe
2008-03-21 00:04 --------- d-----w C:\Program Files\Common Files\Adobe
2008-03-20 23:33 --------- d-----w C:\Documents and Settings\The Boss\Application Data\Download Manager
2008-03-15 22:16 82,432 ----a-w C:\WINDOWS\SYSTEM32\IEDFix.exe
2008-03-07 02:32 706 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.inf
2008-03-07 02:32 23,904 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.sys
2008-03-07 02:32 10,537 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.cat
2008-03-03 05:16 --------- d-----w C:\Documents and Settings\Teacher\Application Data\Sonic
2008-02-24 00:00 --------- d-----w C:\Documents and Settings\The Boss\Application Data\Creative
2008-02-22 23:41 107,888 ----a-w C:\WINDOWS\SYSTEM32\CmdLineExt.dll
2008-02-22 23:41 --------- d--h--r C:\Documents and Settings\The Boss\Application Data\SecuROM
2005-11-19 00:17 32 ----a-r C:\Documents and Settings\All Users\hash.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legitimate default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24 1694208]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 21:12 221184]
"CTSysVol"="C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe" [2003-09-17 11:43 57344]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-10-12 17:54 57344]
"ANIWZCS2Service"="C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2005-11-30 10:35 49152]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-12-23 22:39 155648]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 00:59 115816]
"osCheck"="C:\Program Files\Norton AntiVirus\osCheck.exe" [2007-01-14 02:11 771704]
"mmtask"="C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe" [2006-01-17 13:03 53248]
"nwiz"="nwiz.exe" [2007-09-17 01:07 1626112 C:\WINDOWS\SYSTEM32\nwiz.exe]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-11-28 20:51 583048]
C:\Documents and Settings\The Boss\Start Menu\Programs\Startup\
HotSync Manager.lnk - C:\Program Files\Palm\HOTSYNC.EXE [2002-08-09 16:36:20 299008]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2005-05-03 23:07:32 81920]
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
backup=C:\WINDOWS\pss\America Online 9.0 Tray Icon.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]
C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
--a------ 2006-01-17 13:03 53248 C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
--a------ 2006-01-17 13:03 135168 C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
-ra------ 2006-03-30 17:45 313472 C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirusScan Online]
c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VSOCheckTask]
c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"=
"C:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-1.10.0-enUS-downloader.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-1.10.2.5302-to-1.11.0.5428-enUS-downloader.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-1.11.1.5462-to-1.11.2.5464-enUS-downloader.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-1.11.2.5464-to-1.12.0.5595-enUS-downloader.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-1.12.0.5595-to-1.12.1.5875-enUS-downloader.exe"=
"C:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
"C:\\WINDOWS\\SYSTEM32\\DPVSETUP.EXE"=
"C:\\WINDOWS\\SYSTEM32\\RUNDLL32.EXE"=
"C:\\Program Files\\Flagship Studios\\Hellgate London\\Launcher.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader
"6112:TCP"= 6112:TCP:Blizzard Downloader
R2 AdobeActiveFileMonitor;Adobe Active File Monitor;C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe [2004-10-04 04:47]
R2 PhotoshopElementsDeviceConnect;Photoshop Elements Device Connect;C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe [2004-10-04 03:40]
R3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);C:\WINDOWS\system32\DRIVERS\A3AB.sys [2007-06-17 20:27]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\LaunchU3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c9b4dcf8-1493-11dc-8e2c-00038a000015}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder
"2007-02-17 18:34:14 C:\WINDOWS\Tasks\McAfee.com Scan for Viruses - My Computer (DGFRPF61-The Boss).job"
- c:\program files\mcafee.com\vso\mcmnhdlr.exe
"2008-03-25 01:00:00 C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - The Boss.job"
- C:\Program Files\Norton AntiVirus\Navw32.exeh/TASK:
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-24 20:32:02
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-03-24 20:32:31
ComboFix-quarantined-files.txt 2008-03-25 01:32:28
.
2008-03-13 08:01:40 --- E O F ---