ComboFix 08-04-13.3 - Bill 2008-04-14 20:23:23.1 - NTFSx86
Running from: C:\Documents and Settings\Bill\Desktop\plg\ComboFix.exe
 * Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Documents and Settings\Bill\Start Menu\Programs\Internet Speed Monitor
C:\Documents and Settings\Bill\Start Menu\Programs\Internet Speed Monitor\Check Now.lnk
C:\Documents and Settings\Bill\Start Menu\Programs\Internet Speed Monitor\Uninstall.lnk
C:\Program Files\CPV
C:\Program Files\CPV\CPV8.dll
C:\Program Files\ISM
C:\Program Files\ISM\ism.exe
C:\Program Files\ISM\Uninstall.exe
C:\Program Files\MyWay
C:\Program Files\NewMediaCodec
C:\Program Files\NewMediaCodec\install.ico
C:\Program Files\NewMediaCodec\Uninstall.exe
C:\Program Files\PC-Cleaner
C:\Program Files\PC-Cleaner\PC-Cleaner.db
C:\Program Files\PC-Cleaner\pccleaner.pkg
C:\Program Files\PC-Cleaner\program.info
C:\Program Files\QdrDrive
C:\Program Files\QdrDrive\QdrDrive15.dll
C:\Program Files\QdrDrive\qdrloader.exe
C:\Program Files\QdrModule
C:\Program Files\QdrModule\dicy.gz
C:\Program Files\QdrModule\kwdy.gz
C:\Program Files\QdrModule\pckr.dat
C:\Program Files\QdrModule\QdrModule15.exe
C:\Program Files\QdrPack
C:\Program Files\QdrPack\dicts.gz
C:\Program Files\QdrPack\QdrPack15.exe
C:\Program Files\QdrPack\trgts.gz
C:\Program Files\Temporary
C:\WINDOWS\123messenger.per
C:\WINDOWS\2020search.dll
C:\WINDOWS\2020search2.dll
C:\WINDOWS\apphelp32.dll
C:\WINDOWS\asferror32.dll
C:\WINDOWS\asycfilt32.dll
C:\WINDOWS\athprxy32.dll
C:\WINDOWS\ati2dvaa32.dll
C:\WINDOWS\ati2dvag32.dll
C:\WINDOWS\audiosrv32.dll
C:\WINDOWS\autodisc32.dll
C:\WINDOWS\avifile32.dll
C:\WINDOWS\avisynthex32.dll
C:\WINDOWS\aviwrap32.dll
C:\WINDOWS\bjam.dll
C:\WINDOWS\bokja.exe
C:\WINDOWS\browserad.dll
C:\WINDOWS\cdsm32.dll
C:\WINDOWS\changeurl_30.dll
C:\WINDOWS\conf.inf
C:\WINDOWS\dat.txt
C:\WINDOWS\didduid.ini
C:\WINDOWS\ky.sxc
C:\WINDOWS\lfn.exe
C:\WINDOWS\licencia.txt
C:\WINDOWS\msa64chk.dll
C:\WINDOWS\msapasrc.dll
C:\WINDOWS\mscon.sio
C:\WINDOWS\mspphe.dll
C:\WINDOWS\mssvr.exe
C:\WINDOWS\ntnut.exe
C:\WINDOWS\PerfInfo
C:\WINDOWS\pskt.ini
C:\WINDOWS\saiemod.dll
C:\WINDOWS\shdocpe.dll
C:\WINDOWS\shdocpl.dll
C:\WINDOWS\smdat32m.sys
C:\WINDOWS\stcloader.exe
C:\WINDOWS\swin32.dll
C:\WINDOWS\SYSTEM32\000080.exe
C:\WINDOWS\SYSTEM32\000090.exe
C:\WINDOWS\system32\ddcYpmkh.dll
C:\WINDOWS\system32\drivers\fad.sys
C:\WINDOWS\SYSTEM32\ELRYJRqr.ini
C:\WINDOWS\SYSTEM32\ELRYJRqr.ini2
C:\WINDOWS\system32\iaqlybcn.dll
C:\WINDOWS\system32\jqdoqsmn.dll
C:\WINDOWS\SYSTEM32\ncbylqai.ini
C:\WINDOWS\system32\nciyaixp.dll
C:\WINDOWS\SYSTEM32\pkbprthi.ini
C:\WINDOWS\system32\rqRJYRLE.dll
C:\WINDOWS\system32\udpgscvq.dll
C:\WINDOWS\system32\winfrun32.bin
C:\WINDOWS\system32\wmsdkns.exe
C:\WINDOWS\telefonos.txt
C:\WINDOWS\textos.txt
C:\WINDOWS\voiceip.dll
C:\WINDOWS\winsb.dll
C:\WINDOWS\winself.exe

----- BITS: Possible infected sites -----

hxxp://80.93.48.74
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MSSysInterv1
-------\MSSysInterv1

((((((((((((((((((((((((( Files Created from 2008-03-15 to 2008-04-15 )))))))))))))))))))))))))))))))
.

2008-04-14 19:49 . 2008-04-14 19:49 d--hs---- C:\found.002
2008-04-14 17:20 . 2008-04-14 17:24 d-------- C:\Program Files\RcvSystem
2008-04-14 14:39 . 2008-04-14 14:39 38,400 -ra------ C:\WINDOWS\mrofinu72.exe
2008-04-13 14:53 . 2008-04-14 17:19 101,091 --a------ C:\WINDOWS\BMff304efc.xml
2008-04-13 01:04 . 2008-04-14 20:23 1,908 --a------ C:\WINDOWS\SYSTEM32\default.htm
2008-04-13 00:46 . 2008-04-13 00:46 d-------- C:\WINDOWS\cuawsppw
2008-04-13 00:46 . 2008-04-13 00:46 d-------- C:\Documents and Settings\All Users\Application Data\pajgpkhw
2008-04-13 00:46 . 2008-04-13 00:46 196,096 --a------ C:\WINDOWS\dkzobqdi.dll
2008-04-13 00:46 . 2008-04-13 00:46 98,304 --a------ C:\WINDOWS\SYSTEM32\tuvodsxg.exe
2008-04-13 00:46 . 2008-04-13 00:46 70,144 --a------ C:\WINDOWS\twdsdcfa.dll
2008-04-13 00:46 . 2008-04-13 00:46 70,144 --a------ C:\Documents and Settings\All Users\Application Data\sjcrgfyj.dll
2008-04-13 00:44 . 2008-04-13 00:44 397 --a------ C:\WINDOWS\SYSTEM32\LC22.tmp
2008-04-13 00:44 . 2008-04-13 00:44 397 --a------ C:\WINDOWS\SYSTEM32\LA3E.tmp
2008-04-13 00:44 . 2008-04-13 00:44 397 --a------ C:\WINDOWS\SYSTEM32\L879.tmp
2008-04-13 00:44 . 2008-04-13 00:44 397 --a------ C:\WINDOWS\SYSTEM32\L675.tmp
2008-04-08 15:33 . 2008-04-08 12:33 68,096 --a------ C:\WINDOWS\b155.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-15 04:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-04-04 02:51 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-03-07 05:32 706 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.inf
2008-03-07 05:32 23,904 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.sys
2008-03-07 05:32 10,537 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.cat
.

------- Sigcheck -------

2005-03-01 16:36 1955840 62c353c0449fd961ef7814973fc2fd30 C:\WINDOWS\Driver Cache\I386\ntkrnlpa.exe
2004-08-03 21:58 2056832 947fb1d86d14afcffdb54bf837ec25d0 C:\WINDOWS\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\ntkrnlpa.exe
2005-03-01 16:36 1955840 62c353c0449fd961ef7814973fc2fd30 C:\WINDOWS\SYSTEM32\ntkrnlpa.exe
2005-03-01 17:33 2040832 a15a2ee0be2f71fc1752a05660b8ebdc C:\WINDOWS\Driver Cache\I386\ntoskrnl.exe
2004-08-03 22:19 2180992 ce218bc7088681faa06633e218596ca7 C:\WINDOWS\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\ntoskrnl.exe
2005-03-01 17:33 2040832 a15a2ee0be2f71fc1752a05660b8ebdc C:\WINDOWS\SYSTEM32\ntoskrnl.exe
.
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{db41de82-1dd1-11b2-b7fd-fbaf280c36b9}]
2008-04-13 00:46 70144 --a------ C:\WINDOWS\twdsdcfa.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-11-15 15:18 1670144]
"RealPlayer"="%APP_PATH::RealPlay.exe%\realplay.exe" [ ]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-15 11:11 68856]
"EPSON Stylus CX7000F Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBKA.exe" [2006-05-22 05:00 139264]
"QdrModule15"="C:\Program Files\QdrModule\QdrModule15.exe" [ ]
"QdrPack15"="C:\Program Files\QdrPack\QdrPack15.exe" [ ]
"ieamxshm"="C:\WINDOWS\system32\tuvodsxg.exe" [2008-04-13 00:46 98304]
"ychzrbse"="C:\WINDOWS\system32\qtqzmtmt.exe" [2008-04-14 20:39 90112]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2003-04-06 21:19 155648]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2003-04-06 21:07 114688]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2003-08-05 22:04 114741]
"StorageGuard"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-02-12 22:01 155648]
"DwlClient"="C:\Program Files\Common Files\Dell\EUSW\Support.exe" [2004-05-27 20:05 323584]
"ProDsl.exe"="ProDsl.exe" [2001-10-03 16:59 118784 C:\WINDOWS\PRODSL.EXE]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2004-06-18 17:14 98304]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2004-06-18 18:47 180269]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 01:50 155648]
"tgcmd"="C:\Program Files\support.com\bin\tgcmd.exe" [2002-04-24 17:37 1544192]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 12:03 36975]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 21:59 115816]
"ClamWin"="C:\Program Files\ClamWin\bin\ClamTray.exe" [2007-08-21 13:05 73728]
"RoxioDragToDisc"="C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe" [2004-01-27 13:39 1179648]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 17:38 583048]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2004-05-10 05:12:24 24576]
Norton GoBack.lnk - C:\Program Files\Norton SystemWorks\Norton GoBack\GBTray.exe [2005-11-14 08:24:04 861872]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"B1Z0P48K0b"= C:\Documents and Settings\All Users\Application Data\pajgpkhw\pchupodk.exe

R2 BCMNTIO;BCMNTIO;C:\PROGRA~1\CheckIt\DIAGNO~1\BCMNTIO.sys [2004-03-05 17:09]
R2 MAPMEM;MAPMEM;C:\PROGRA~1\CheckIt\DIAGNO~1\MAPMEM.sys [2004-03-05 17:09]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 13:38]
R3 PRO2100W;Intel(R) PRO/DSL 2100 Modem - PPP;C:\WINDOWS\System32\DRIVERS\p21c2kW.sys [2001-10-04 17:12]
S3 SQTECH913D;913D Camera;C:\WINDOWS\System32\Drivers\Capt913D.sys [2006-12-21 10:52]

*Newly Created Service* - COMHOST
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-14 20:39:02
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\Symantec\LiveUpdate\AUPDATE.EXE
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Java\jre1.5.0_06\bin\jucheck.exe
.
**************************************************************************
.
Completion time: 2008-04-14 20:50:30 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-15 04:50:03

Pre-Run: 18,927,992,832 bytes free
Post-Run: 18,898,391,040 bytes free