ComboFix 08-06-07.3 - FL 2008-06-07 22:50:11.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2035 [GMT -4:00]
Running from: C:\Documents and Settings\FL\Desktop\ComboFix.exe
 * Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users.WINDOWS\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users.WINDOWS\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\WINDOWS\Downloaded Program Files\ODCTOOLS
C:\WINDOWS\system32\adzgalore-remove.exe
C:\WINDOWS\system32\Cache
C:\WINDOWS\system32\cpmsky-uninst.exe
C:\WINDOWS\system32\nsi266.dll
C:\WINDOWS\system32\nsl67.dll
C:\WINDOWS\system32\nsw8E.dll

----- BITS: Possible infected sites -----

hxxp://WWSMS01
hxxp://USSMS01
.

((((((((((((((((((((((((( Files Created from 2008-05-08 to 2008-06-08 )))))))))))))))))))))))))))))))
.

2008-06-07 22:52 . 2008-06-07 22:52 53,248 --a------ C:\Temp\catchme.dll
2008-06-05 18:06 . 2008-06-07 22:52 d-------- C:\Temp\Adobelm_Cleanup.0001.dir.0002
2008-06-05 18:05 . 2008-06-07 22:52 d-------- C:\Temp\Adobelm_Cleanup.0001.dir.0000
2008-06-05 15:53 . 2008-06-05 15:53 98,304 --a------ C:\Documents and Settings\FL\ProcessInfoWIN_10_130_1_93.dll
2008-06-05 15:37 . 2008-06-05 15:37 98,304 --a------ C:\Documents and Settings\FL\ProcessInfoWIN_10_144_1_93.dll
2008-06-05 12:44 . 2008-02-08 20:08 61,555 --a------ C:\WINDOWS\system32\jpicpl32.cpl
2008-06-05 10:41 . 2008-06-05 10:42 d-------- C:\Documents and Settings\FL\.SunDownloadManager
2008-06-04 17:31 . 2008-06-04 17:31 372,736 --a------ C:\WINDOWS\system32\AppShare-6-7-4.dll
2008-06-04 17:03 . 2008-06-04 17:03 208 --a------ C:\WINDOWS\system32\EACuninstbbbbbbbbbbbb.xml
2008-06-04 17:01 . 2006-05-09 17:31 32,837 --------- C:\WINDOWS\system32\exthook.dll
2008-06-04 17:01 . 2006-05-09 17:47 24,521 --a------ C:\WINDOWS\system32\drivers\eacfilt.sys
2008-06-04 16:44 . 2008-06-04 16:44 208 --a------ C:\WINDOWS\system32\EACuninstbbbbbbbbbbb.xml
2008-06-04 16:43 . 2006-05-09 17:46 155,216 --a------ C:\WINDOWS\system32\drivers\ipsecw2k.sys
2008-05-30 15:52 . 2008-05-30 15:52 d-------- C:\Converted
2008-05-30 15:45 . 2008-05-30 15:48 d-------- C:\Program Files\SoundTaxi
2008-05-30 15:45 . 2008-03-13 16:10 506,496 --a------ C:\WINDOWS\system32\SndTDriverV32.sys
2008-05-30 15:45 . 2008-03-13 16:10 506,496 --a------ C:\WINDOWS\system32\drivers\SndTDriverV32.sys
2008-05-30 15:45 . 2008-03-12 14:35 184,320 --a------ C:\WINDOWS\system32\snmvtsvc.exe
2008-05-30 15:45 . 2008-03-13 16:10 10,936 --a------ C:\WINDOWS\system32\MovRVDrv32.dll
2008-05-30 15:45 . 2008-03-13 16:10 3,993 --a------ C:\WINDOWS\system32\SndTDriverV32.inf
2008-05-30 15:45 . 2008-03-13 16:10 3,768 --a------ C:\WINDOWS\system32\MovRVDrv32.sys
2008-05-30 15:45 . 2008-03-13 16:10 3,768 --a------ C:\WINDOWS\system32\drivers\MovRVDrv32.sys
2008-05-30 15:45 . 2008-03-13 16:10 2,618 --a------ C:\WINDOWS\system32\MovRVDrv32.inf
2008-05-29 00:39 . 2008-05-29 01:20 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
2008-05-18 19:08 . 2008-05-18 19:08 d-------- C:\Documents and Settings\FL\Application Data\TuneUp Software
2008-05-18 19:08 . 2008-05-18 19:08 354,560 --a------ C:\WINDOWS\system32\TuneUpDefragService.exe
2008-05-18 19:08 . 2008-04-04 14:51 28,416 --a------ C:\WINDOWS\system32\uxtuneup.dll
2008-05-18 19:07 . 2008-05-18 19:07 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\TuneUp Software
2008-05-18 19:06 . 2008-05-18 19:09 d-------- C:\Program Files\TuneUp Utilities 2008
2008-05-18 14:08 . 2008-05-18 14:08 32 --a------ C:\WINDOWS\WININIT.INI
2008-05-18 14:06 . 2008-05-18 14:06 d-------- C:\Program Files\Sonic
2008-05-16 21:29 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-05-16 21:29 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-05-16 08:54 . 2008-05-16 08:54 d-------- C:\Program Files\PCXViewer
2008-05-15 18:54 . 2008-05-15 18:54 98,304 --a------ C:\Documents and Settings\FL\ProcessInfoWIN_57_251_249_195.dll
2008-05-15 18:36 . 2008-05-15 18:36 98,304 --a------ C:\Documents and Settings\FL\ProcessInfoWIN_57_251_249_198.dll
2008-05-12 08:56 . 2008-02-15 11:12 206,256 --a------ C:\WINDOWS\system32\idmmbc.dll
.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.

2008-06-08 02:48 --------- d-----w C:\Documents and Settings\FL\Application Data\DMCache
2008-06-07 16:40 --------- d-----w C:\Documents and Settings\FL\Application Data\Juniper Networks
2008-06-06 00:57 --------- d-----w C:\Program Files\YPOPs
2008-06-05 17:56 98,304 ----a-w C:\Documents and Settings\FL\ProcessInfoWIN.dll
2008-06-05 17:30 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-06-05 17:28 --------- d-----w C:\Program Files\Password Safe
2008-06-05 16:45 --------- d-----w C:\Program Files\Java
2008-06-04 21:31 242,200 ----a-w C:\WINDOWS\java\Packages\PJ71NVV3.ZIP
2008-06-04 21:03 --------- d-----w C:\Program Files\Nortel Networks
2008-06-04 20:57 16,000 ----a-w C:\WINDOWS\system32\drivers\eqdrv5.sys
2008-06-04 20:41 --------- d-----w C:\Program Files\Equant
2008-05-29 04:40 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-05-22 12:29 --------- d-----w C:\Documents and Settings\FL\Application Data\IDM
2008-05-18 23:05 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-05-18 23:02 --------- d-----w C:\Program Files\Malwarebytes' Anti-Malware
2008-05-18 18:07 --------- d-----w C:\Program Files\Common Files\Sonic Shared
2008-05-16 00:19 --------- d-----w C:\Documents and Settings\FL\Application Data\AdobeUM
2008-05-10 02:57 --------- d-----w C:\Program Files\Internet Download Manager
2008-05-08 13:55 --------- d-----w C:\Documents and Settings\FL\Application Data\Apple Computer
2008-05-08 00:30 --------- d-----w C:\Program Files\ISS
2008-05-05 13:44 --------- d-----w C:\Program Files\Orca
2008-05-01 19:06 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Microsoft Help
2008-05-01 17:27 80,512 ----a-w C:\WINDOWS\system32\drivers\isskboep.sys
2008-05-01 17:27 548,864 ----a-w C:\WINDOWS\system32\msvcp80.dll
2008-05-01 17:27 50,163 ----a-w C:\WINDOWS\system32\drivers\RapDrv.sys
2008-05-01 17:27 205,938 ----a-w C:\WINDOWS\system32\drivers\Blackcat.sys
2008-05-01 14:27 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Network Associates
2008-05-01 14:26 --------- d-----w C:\Program Files\Network Associates
2008-05-01 14:26 --------- d-----w C:\Program Files\Common Files\Network Associates
2008-05-01 14:25 --------- d-----w C:\Program Files\McAfee
2008-05-01 14:25 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\McAfee
2008-04-14 19:59 --------- d-----w C:\Program Files\j2 Messenger 4.2
2008-04-14 19:59 --------- d-----w C:\Documents and Settings\FL\Application Data\j2 Messenger
2008-04-14 19:59 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\j2 Messenger 4.2 Setup
2008-04-12 02:13 --------- d-----w C:\Program Files\Gadwin Systems
2008-04-09 09:02 --------- d-----w C:\Program Files\Eyeball
2008-04-04 15:57 316,928 ----a-w C:\WINDOWS\system32\SICLT32.EXE
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-13 18:05 202,323 ----a-w C:\WINDOWS\system32\atasnt40.dll
2008-03-20 17:50 44,360 ----a-w C:\Program Files\mozilla firefox\plugins\atgpcdec.dll
2008-03-20 17:50 107,936 ----a-w C:\Program Files\mozilla firefox\plugins\atgpcext.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{994B5FB4-0103-44A6-B6B3-C73572B362BC}]
2008-02-06 13:21 233472 --a------ C:\WINDOWS\system32\nsf165.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Communicator"="C:\Program Files\Microsoft Office Communicator\Communicator.exe" [2005-11-30 04:51 3897040]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 12:34 5724184]
"IDMan"="C:\Program Files\Internet Download Manager\IDMan.exe" [2008-05-12 09:03 2594224]
"TuneUp MemOptimizer"="C:\Program Files\TuneUp Utilities 2008\MemOptimizer.exe" [2008-04-22 14:17 154880]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00 15360]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 06:00 110592 C:\WINDOWS\system32\bthprops.cpl]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2006-07-14 17:07 94208]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2006-07-14 17:08 118784]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2005-10-07 14:13 176128]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 17:30 282624 C:\WINDOWS\stsystra.exe]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-04-16 11:24 819200]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-04-16 11:22 970752]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-03-24 17:14 53408]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2006-06-15 01:40 124656]
"McAfeeUpdaterUI"="C:\Program Files\McAfee\Common Framework\UdaterUI.exe" [2007-11-08 15:38 136512]
"ShStatEXE"="c:\Program Files\Network Associates\VirusScan\SHSTAT.exe" [2004-09-22 08:00 98304]
"Network Associates Error Reporting Service"="c:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe" [2003-10-07 09:48 147514]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_17\bin\jusched.exe" [2008-02-08 20:08 32881]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 06:00 15360]
"Communicator"="C:\Program Files\Microsoft Office Communicator\Communicator.exe" [2005-11-30 04:51 3897040]

C:\Documents and Settings\FL\Start Menu\Programs\Startup\
Password Safe.lnk - C:\Program Files\Password Safe\pwsafe.exe [2007-11-25 16:28:36 1470464]
YPOPs.lnk - C:\Program Files\YPOPs\YPOPs.exe [2008-01-08 10:22:00 1331200]

C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2007-09-24 09:53:10 25214]
Proventia Desktop Agent.lnk - C:\Program Files\ISS\Proventia Desktop\blackice.exe [2008-05-07 20:30:50 2179072]
TunnelGuard Tray Monitor.lnk - C:\WINDOWS\Installer\{5650A422-0789-473F-B2C7-6C3D10CC9FFB}\Icon079d381e2.exe [2008-05-15 19:06:41 8192]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
"Communicator"="C:\Program Files\Microsoft Office Communicator\Communicator.vbs"
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
"j2 4.2"="C:\Program Files\j2 Messenger 4.2\J2GDllCmd.exe" /R
"igfxhkcmd"=C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Nortel Networks\\Extranet.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\NetMeeting\\conf.exe"=
"D:\\FLaburthe Documents\\My Docs - Perso\\My Software\\FTPServer.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\Program Files\\Neoteris\\Secure Application Manager\\dsSamProxy.exe"=
"C:\\Program Files\\Neoteris\\Secure Application Manager\\dsSamUI.exe"=
"C:\\Program Files\\SopCast\\SopCast.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\TVAnts\\Tvants.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Microsoft Office Communicator\\communicator.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\Nortel\\IP Softphone 2050\\i2050.exe"=
"C:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=

R1 Neofltr;Neoteris TDI Filter - Layered Version;C:\WINDOWS\system32\drivers\Neofltr.sys [2005-03-10 17:47]
R2 APSMDrv;Intranet Server Client Software Usage driver;C:\WINDOWS\system32\DRIVERS\APSMDrv.sys [2003-04-02 09:53]
R2 CcmExec;SMS Agent Host;C:\WINDOWS\system32\CCM\CcmExec.exe [2007-04-13 03:50]
R2 i2050QoSSvc;Nortel IP Softphone 2050 QoS;"C:\Program Files\Nortel\IP Softphone 2050\i2050QosSvc.exe" [2007-12-24 17:36]
R2 NMSAccessU;NMSAccessU;C:\Program Files\CDBurnerXP\NMSAccessU.exe [2008-03-09 11:20]
R2 UxTuneUp;TuneUp Theme Extension;C:\WINDOWS\System32\svchost.exe [2004-08-04 06:00]
R3 Eacfilt;Eacfilt Miniport;C:\WINDOWS\system32\DRIVERS\eacfilt.sys [2006-05-09 17:47]
R3 IPSECSHM;Nortel IPSECSHM Adapter;C:\WINDOWS\system32\DRIVERS\ipsecw2k.sys [2006-05-09 17:46]
R3 MovRVDrv32;MovRVDrv32;C:\WINDOWS\system32\DRIVERS\MovRVDrv32.sys [2008-03-13 16:10]
R3 SndTDriverV32;SndTDriverV32;C:\WINDOWS\system32\drivers\SndTDriverV32.sys [2008-03-13 16:10]
R3 TuneUp.Defrag;TuneUp Drive Defrag Service;C:\WINDOWS\System32\TuneUpDefragService.exe [2008-05-18 19:08]
S0 black;black;C:\WINDOWS\system32\drivers\BlackCat.sys [2008-05-01 13:27]
S2 VPatch;ISS Buffer Overflow Exploit Prevention;"C:\Program Files\ISS\Proventia Desktop\vpatch.exe" [2008-05-01 13:27]
S3 APSINV;APSINV;C:\WINDOWS\system32\DRIVERS\APSINV.SYS [2004-11-10 20:07]
S3 GTF32BUS;GT F32 BUS;C:\WINDOWS\system32\DRIVERS\gtf32bus.sys [2007-07-11 01:11]
S3 GTPTSER;GT PT SER;C:\WINDOWS\system32\DRIVERS\gtptser.sys [2007-07-11 01:11]
S3 GTSCSER;GT SC SER;C:\WINDOWS\system32\DRIVERS\gtscser.sys [2007-07-11 01:11]
S3 IPSECEXT;Nortel Extranet Access Protocol;C:\WINDOWS\system32\DRIVERS\ipsecw2k.sys [2006-05-09 17:46]
S3 MakoNT;MakoNT;C:\WINDOWS\system32\drivers\isskboep.sys [2008-05-01 13:27]
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys [2007-06-28 20:01]
S3 P1171VID;Creative WebCam Notebook #2;C:\WINDOWS\system32\DRIVERS\P1171Vid.sys [2004-03-19 01:00]
S3 prepdrvr;SMS Process Event Driver;C:\WINDOWS\system32\CCM\prepdrv.sys [2007-04-13 03:50]
S3 rap;rap;C:\WINDOWS\system32\drivers\RapDrv.sys [2008-05-01 13:27]
S3 SoundMovieServer;SoundMovieServer;"C:\WINDOWS\system32\snmvtsvc.exe" [2008-03-12 14:35]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

*Newly Created Service* - CATCHME
*Newly Created Service* - ENTDRV51
.
Contents of the 'Scheduled Tasks' folder
"2008-06-08 02:00:00 C:\WINDOWS\Tasks\Maintenance en 1 clic.job" - C:\Program Files\TuneUp Utilities 2008\OneClickStarter.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-07 22:52:31
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-06-07 22:56:16
ComboFix-quarantined-files.txt 2008-06-08 02:55:10

Pre-Run: 4,070,034,944 bytes free
Post-Run: 4,182,185,984 bytes free

223 --- E O F --- 2008-04-21 18:30:46