ComboFix 08-06-12.2 - C.A. Kyle 2008-06-14 14:26:41.1 - NTFSx86
Running from: C:\Documents and Settings\C.A. Kyle\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\C.A. Kyle\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
 * Created a new restore point
 * Resident AV is active
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\All Users\Application Data\salesmonitor
C:\Documents and Settings\Marc Kyle\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNSD.XML
C:\Documents and Settings\Nina Kyle\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNSD.XML
C:\Program Files\oemji
C:\Redemption.ECF
C:\WINDOWS\system32\ipv6monr.dll
C:\WINDOWS\update.exe
.
((((((((((((((((((((((((( Files Created from 2008-05-14 to 2008-06-14 )))))))))))))))))))))))))))))))
.
2008-06-14 09:08 . 2008-06-14 09:08 d-------- C:\WINDOWS\LastGood
2008-06-14 08:14 . 2008-06-14 08:14 d-------- C:\Program Files\Trend Micro
2008-06-13 20:07 . 2008-06-13 20:08 d-------- C:\Program Files\CCleaner
2008-06-13 16:38 . 2008-06-13 16:38 691,545 --a------ C:\WINDOWS\unins000.exe
2008-06-13 16:38 . 2008-06-13 16:38 2,546 --a------ C:\WINDOWS\unins000.dat
2008-06-13 05:46 . 2008-06-13 05:46 d-------- C:\Program Files\Lavasoft
2008-06-13 05:46 . 2008-06-13 05:46 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-13 05:46 . 2008-06-13 05:48 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-06-13 05:35 . 2008-06-13 05:36 d-------- C:\Program Files\Google
2008-06-13 05:35 . 2008-06-14 08:17 d-------- C:\Documents and Settings\All Users\Application Data\Google Updater
2008-06-12 18:13 . 2002-10-17 19:09 d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2008-06-12 18:13 . 2008-06-12 18:13 d-------- C:\Documents and Settings\Administrator
2008-06-11 17:40 . 2008-04-14 06:01 272,128 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\bthport.sys
2008-06-11 17:37 . 2001-08-17 13:48 12,160 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mouhid.sys
2008-06-11 17:37 . 2001-08-17 13:48 12,160 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\mouhid.sys
2008-06-11 17:36 . 2001-08-17 14:02 9,600 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\hidusb.sys
2008-06-11 17:36 . 2001-08-17 14:02 9,600 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\hidusb.sys
2008-06-10 09:32 . 2004-08-04 02:08 26,496 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\usbstor.sys
2008-06-02 20:13 . 2008-06-14 09:09 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-06-02 20:13 . 2008-06-14 08:55 1,409 --a------ C:\WINDOWS\QTFont.for
2008-06-01 15:49 . 2008-06-01 15:49 d-------- C:\Documents and Settings\All Users\Application Data\HotSync
2008-06-01 15:48 . 2008-06-01 15:44 53,248 --a------ C:\WINDOWS\PalmDevC.dll
2008-06-01 15:48 . 2008-06-01 15:44 16,694 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\PalmUSBD.sys
2008-06-01 15:47 . 2008-06-13 05:32 d-------- C:\Program Files\Palm
2008-06-01 15:44 . 2008-06-01 15:44 d-------- C:\Documents and Settings\Randy Kyle\Application Data\HotSync
2008-05-21 17:34 . 2008-04-22 23:16 6,066,176 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\ieframe.dll
2008-05-21 17:34 . 2007-04-17 04:32 2,455,488 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\ieapfltr.dat
2008-05-21 17:34 . 2007-03-08 00:10 991,232 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\ieframe.dll.mui
2008-05-21 17:34 . 2008-04-22 23:16 459,264 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\msfeeds.dll
2008-05-21 17:34 . 2008-04-22 23:16 383,488 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\ieapfltr.dll
2008-05-21 17:34 . 2008-04-22 23:16 267,776 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\iertutil.dll
2008-05-21 17:34 . 2008-04-22 23:16 63,488 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\icardie.dll
2008-05-21 17:34 . 2008-04-22 23:16 52,224 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\msfeedsbs.dll
2008-05-21 17:34 . 2008-04-22 02:39 13,824 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\ieudinit.exe
2008-05-21 17:27 . 2007-08-13 18:54 33,792 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\custsat.dll
2008-05-16 11:58 . 2008-05-16 11:58 12,632 --a------ C:\WINDOWS\SYSTEM32\lsdelete.exe
2008-05-14 16:47 . 2008-05-14 16:47 d-------- C:\Program Files\DellSupport
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-14 13:53 --------- d-----w C:\Program Files\Common Files\Adobe
2008-06-14 13:32 --------- d-----w C:\Program Files\Yahoo!
2008-06-14 13:30 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-06-14 13:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-14 13:26 --------- d-----w C:\Program Files\Common Files\AOL
2008-06-14 13:24 --------- d-----w C:\Program Files\Pure Networks
2008-06-14 13:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-06-14 13:22 --------- d-----w C:\Documents and Settings\C.A. Kyle\Application Data\AOL
2008-06-13 21:31 --------- d-----w C:\Program Files\Common Files\PrivacyConductor
2008-06-13 10:32 --------- d-----w C:\Program Files\Modem Helper
2008-06-13 10:32 --------- d-----w C:\Program Files\Microsoft Picture It! 2002
2008-06-13 10:32 --------- d-----w C:\Program Files\dwyco2
2008-06-13 10:32 --------- d-----w C:\Program Files\Creative
2008-06-13 10:32 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-06-01 20:44 53,248 ----a-w C:\WINDOWS\SYSTEM32\palmdevc.dll
2008-05-30 21:14 --------- d-----w C:\Documents and Settings\Nina Kyle\Application Data\Gtek
2008-05-21 22:15 --------- d--h--w C:\Documents and Settings\Randy Kyle\Application Data\GTek
2008-05-15 14:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\Dell
2008-05-15 14:30 --------- d--h--w C:\Documents and Settings\C.A. Kyle\Application Data\GTek
2008-05-14 21:47 --------- d--h--w C:\Documents and Settings\Marion Kyle\Application Data\GTek
2008-05-14 21:47 --------- d-----w C:\Documents and Settings\Marc Kyle\Application Data\Gtek
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\rmcast.sys
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\SYSTEM32\quartz.dll
2008-05-07 05:18 1,287,680 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\quartz.dll
2008-04-29 16:20 15,648 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
2008-04-29 16:19 15,648 ----a-w C:\WINDOWS\system32\drivers\Awrtrd.sys
2008-04-29 16:19 12,960 ----a-w C:\WINDOWS\system32\drivers\Awrtpd.sys
2008-04-24 03:16 3,591,680 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtml.dll
2008-04-22 07:40 625,664 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iexplore.exe
2008-04-22 07:39 70,656 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ie4uinit.exe
2008-04-20 05:07 161,792 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieakui.dll
2008-04-14 11:01 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\SYSTEM32\msjint40.dll
2008-03-27 08:12 151,583 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\msjint40.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\SYSTEM32\win32k.sys
2008-03-19 09:47 1,845,248 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\win32k.sys
2002-12-25 10:41 64 -c--a-w C:\Program Files\dwyco.log
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{58A5A572-74DA-4413-9E46-18B694024907}]
2001-08-18 06:00 99840 --a------ C:\WINDOWS\System32\CTL3DV.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 11:09 460784]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-06-13 05:35 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2001-08-16 22:41 28738]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 03:59 122880 C:\WINDOWS\BCMSMMSG.exe]
"diagent"="C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" [2002-04-03 01:01 135264]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 01:00 90112]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2003-11-20 17:16 77824]
"VSOCheckTask"="c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" [2003-08-08 18:02 122880]
"VirusScan Online"="c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe" [2003-08-17 21:50 163840]
"MCAgentExe"="c:\PROGRA~1\mcafee.com\agent\mcagent.exe" [2003-08-27 11:00 245760]
"MCUpdateExe"="C:\PROGRA~1\mcafee.com\agent\mcupdate.exe" [2003-08-21 18:10 180224]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-04-08 10:32 180269]
"AOLDialer"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" [ ]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2002-10-17 19:06:39 45056]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ctmp3"= C:\WINDOWS\System32\ctmp3.acm
"VIDC.SP54"= SP5X_32.DLL
"VIDC.SP55"= SP5X_32.DLL
"VIDC.SP56"= SP5X_32.DLL
"VIDC.SP57"= SP5X_32.DLL
"VIDC.SP58"= SP5X_32.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\IncrediMail\\bin\\IncMail.exe"=
"C:\\Program Files\\IncrediMail\\bin\\ImApp.exe"=

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-06-14 19:00:18 C:\WINDOWS\Tasks\McAfee.com Update Check (CUPCAKE-C.A. Kyle).job"
- C:\PROGRA~1\mcafee.com\agent\mcupdate.ex
- C:\PROGRA~1\mcafee.com\agen
"2008-06-14 19:31:00 C:\WINDOWS\Tasks\McAfee.com Update Check (CUPCAKE-Marc Kyle).job"
- C:\PROGRA~1\mcafee.com\agent\mcupdate.ex
- C:\PROGRA~1\mcafee.com\agen
"2008-06-14 19:32:00 C:\WINDOWS\Tasks\McAfee.com Update Check (CUPCAKE-Marion Kyle).job"
- C:\PROGRA~1\mcafee.com\agent\mcupdate.ex
- C:\PROGRA~1\mcafee.com\agent
"2008-06-14 19:32:00 C:\WINDOWS\Tasks\McAfee.com Update Check (CUPCAKE-Nina Kyle).job"
- C:\PROGRA~1\mcafee.com\agent\mcupdate.ex
- C:\PROGRA~1\mcafee.com\agen
"2008-06-14 19:28:00 C:\WINDOWS\Tasks\McAfee.com Update Check (CUPCAKE-Randy Kyle).job"
- C:\PROGRA~1\mcafee.com\agent\mcupdate.ex
- C:\PROGRA~1\mcafee.com\agent
"2008-06-14 17:55:00 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-14 14:30:18
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\bpwofrnq]
"ImagePath"="system32\drivers\fbxqvegz.dat"
.
Completion time: 2008-06-14 14:32:39
ComboFix-quarantined-files.txt 2008-06-14 19:32:32
Pre-Run: 71,788,838,912 bytes free
Post-Run: 71,859,712,000 bytes free
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
182 --- E O F --- 2008-06-11 23:15:44