ComboFix 08-06-30.2 - chunk 2008-07-01 19:47:45.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.651 [GMT -5:00]
Running from: C:\Documents and Settings\chunk\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\chunk\Desktop\WinXP_EN_HOM_BF.EXE
 * Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Documents and Settings\chunk\Application Data\ShoppingReport
C:\Documents and Settings\chunk\Application Data\ShoppingReport\cs\Config.xml
C:\Documents and Settings\chunk\Application Data\ShoppingReport\cs\db\Aliases.dbs
C:\Documents and Settings\chunk\Application Data\ShoppingReport\cs\db\Sites.dbs
C:\Documents and Settings\chunk\Application Data\ShoppingReport\cs\dwld\WhiteList.xip
C:\Documents and Settings\chunk\Application Data\ShoppingReport\cs\report\aggr_storage.xml
C:\Documents and Settings\chunk\Application Data\ShoppingReport\cs\report\send_storage.xml
C:\Documents and Settings\chunk\Application Data\ShoppingReport\cs\res2\WhiteList.dbs
C:\Documents and Settings\chunk\Application Data\WNSXS~1
C:\Documents and Settings\chunk\Application Data\WNSXS~1\W?nSxS\
C:\Documents and Settings\chunk\Start Menu\Programs\Startup\Deewoo.lnk
C:\Documents and Settings\chunk\Start Menu\Programs\Startup\DW_Start.lnk
C:\Documents and Settings\LocalService\Application Data\NetMon
C:\Documents and Settings\LocalService\Application Data\NetMon\domains.txt
C:\Documents and Settings\LocalService\Application Data\NetMon\log.txt
C:\Program Files\Common Files\Yazzle1396OinUninstaller.exe
C:\Program Files\network monitor
C:\Program Files\outerinfo
C:\Program Files\outerinfo\FF\chrome.manifest
C:\Program Files\outerinfo\FF\components\OuterinfoAds.xpt
C:\Program Files\outerinfo\FF\install.rdf
C:\Program Files\outlook
C:\Program Files\outlook\v.tmp
C:\Program Files\ShoppingReport
C:\Program Files\ShoppingReport\Uninst.exe
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\temp\tn3
C:\WINDOWS\accesss.exe
C:\WINDOWS\astctl32.ocx
C:\WINDOWS\avpcc.dll
C:\WINDOWS\clrssn.exe
C:\WINDOWS\cookies.ini
C:\WINDOWS\cpan.dll
C:\WINDOWS\ctfmon32.exe
C:\WINDOWS\ctrlpan.dll
C:\WINDOWS\default.htm
C:\WINDOWS\directx32.exe
C:\WINDOWS\dnsrelay.dll
C:\WINDOWS\editpad.exe
C:\WINDOWS\explore.exe
C:\WINDOWS\explorer32.exe
C:\WINDOWS\funniest.exe
C:\WINDOWS\funny.exe
C:\WINDOWS\gfmnaaa.dll
C:\WINDOWS\helpcvs.exe
C:\WINDOWS\iedll.exe
C:\WINDOWS\iexplorer.exe
C:\WINDOWS\inetinf.exe
C:\WINDOWS\internet.exe
C:\WINDOWS\loader.exe
C:\WINDOWS\msconfd.dll
C:\WINDOWS\msspi.dll
C:\WINDOWS\mssys.exe
C:\WINDOWS\msupdate.exe
C:\WINDOWS\mswsc10.dll
C:\WINDOWS\mswsc20.dll
C:\WINDOWS\mtwirl32.dll
C:\WINDOWS\notepad32.exe
C:\WINDOWS\olehelp.exe
C:\WINDOWS\qttasks.exe
C:\WINDOWS\quicken.exe
C:\WINDOWS\rundll16.exe
C:\WINDOWS\rundll32.vbe
C:\WINDOWS\searchword.dll
C:\WINDOWS\sistem.exe
C:\WINDOWS\svchost32.exe
C:\WINDOWS\svcinit.exe
C:\WINDOWS\systeem.exe
C:\WINDOWS\system32\atmtd.dll
C:\WINDOWS\system32\atmtd.dll._
C:\WINDOWS\system32\bszip.dll
C:\WINDOWS\system32\cmd.com
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\seriall.sys
C:\WINDOWS\system32\f10
C:\WINDOWS\system32\hljwugsf.bin
C:\WINDOWS\system32\icroso~1.net
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\system32\msnav32.ax
C:\WINDOWS\system32\netstat.com
C:\WINDOWS\system32\ojqrvmod.ini
C:\WINDOWS\system32\ojqrvmod.ini2
C:\WINDOWS\system32\ojqrvmod.tmp
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\ping.com
C:\WINDOWS\system32\PXbIRXbc.ini
C:\WINDOWS\system32\PXbIRXbc.ini2
C:\WINDOWS\system32\regedit.com
C:\WINDOWS\system32\taskkill.com
C:\WINDOWS\system32\tasklist.com
C:\WINDOWS\system32\tracert.com
C:\WINDOWS\system32\winpfz33.sys
C:\WINDOWS\system32\zxdnt3d.cfg
C:\WINDOWS\systemcritical.exe
C:\WINDOWS\time.exe
C:\WINDOWS\uninstall_nmon.vbs
C:\WINDOWS\users32.exe
C:\WINDOWS\waol.exe
C:\WINDOWS\win32e.exe
C:\WINDOWS\win64.exe
C:\WINDOWS\winajbm.dll
C:\WINDOWS\window.exe
C:\WINDOWS\winmgnt.exe
C:\WINDOWS\x.exe
C:\WINDOWS\xplugin.dll
C:\WINDOWS\xxxvideo.hta
C:\WINDOWS\y.exe
C:\WINDOWS\Y2h1bms\
C:\WINDOWS\Y2h1bms\\sZ1YvAP.vbs

----- BITS: Possible infected sites -----

hxxp://exteel.patcher.ncsoft.com
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CMDSERVICE
-------\Legacy_NETWORK_MONITOR
-------\Legacy_SERIALL
-------\Service_cmdService
-------\Service_Network Monitor
-------\Service_seriall


((((((((((((((((((((((((( Files Created from 2008-06-02 to 2008-07-02 )))))))))))))))))))))))))))))))
.
2008-06-30 23:38 . 2008-06-30 23:44 d-------- C:\Program Files\Free Easy Burner
2008-06-30 18:26 . 2008-06-30 18:26 d-------- C:\Documents and Settings\chunk\Program Files
2008-06-30 14:25 . 2008-07-01 12:36 d--h----- C:\$AVG8.VAULT$
2008-06-30 14:18 . 2008-06-30 20:59 d-------- C:\WINDOWS\system32\drivers\Avg
2008-06-30 14:18 . 2008-06-30 14:18 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-06-30 14:18 . 2008-06-30 14:18 75,272 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys
2008-06-30 14:18 . 2008-06-30 14:18 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-06-30 14:17 . 2008-06-30 14:17 d-------- C:\Program Files\AVG
2008-06-30 14:17 . 2008-06-30 14:17 d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-06-30 14:00 . 2008-06-30 15:20 d-------- C:\Program Files\Common Files\Symantec Shared
2008-06-30 13:55 . 2008-07-01 19:46 3,086 --a------ C:\WINDOWS\system32\wpdsm.dat
2008-06-30 13:55 . 2008-07-01 19:46 2,946 --a------ C:\WINDOWS\system32\wuauserv.dat
2008-06-30 13:55 . 2008-07-01 19:46 2,946 --a------ C:\WINDOWS\system32\msv1x0.dat
2008-06-30 13:55 . 2008-07-01 19:45 0 --a------ C:\WINDOWS\system32\ds16gcs.dat
2008-06-30 13:49 . 2008-06-30 13:49 110,592 --a------ C:\index.tmp
2008-06-30 13:49 . 2008-07-01 19:52 13,523 --a------ C:\WINDOWS\system32\kbdinbzn.dat
2008-06-30 13:49 . 2008-07-01 19:52 2,002 --a------ C:\WINDOWS\system32\battvj.dat
2008-06-30 13:49 . 2008-07-01 19:52 487 --a------ C:\WINDOWS\system32\ltkrnc1n.dat
2008-06-30 13:49 . 2008-06-30 13:55 295 --a------ C:\WINDOWS\system32\mdmxsdw.dat
2008-06-30 13:49 . 2008-07-01 19:50 0 --a------ C:\WINDOWS\system32\cluskpij.dat
2008-06-30 13:46 . 2008-06-30 13:46 9,662 --a------ C:\WINDOWS\system32\ZoneAlarmIconUS.ico
2008-06-30 13:36 . 2008-06-30 15:10 d-------- C:\WINDOWS\system32\xsir
2008-06-30 13:36 . 2008-06-30 15:10 d-------- C:\WINDOWS\system32\vec3
2008-06-30 13:36 . 2008-06-30 15:09 d-------- C:\WINDOWS\system32\modtrux07
2008-06-30 13:36 . 2008-06-30 15:07 d-------- C:\WINDOWS\system32\bam
2008-06-30 13:36 . 2008-06-30 13:36 d-------- C:\Temp\syschk3
2008-06-30 13:36 . 2008-07-01 19:48 d-------- C:\Temp
2008-06-29 10:43 . 2008-07-01 11:39 d-------- C:\Program Files\Norton Security Scan
2008-06-23 11:18 . 2008-06-23 11:18 d-------- C:\Documents and Settings\chunk\dwhelper
2008-06-22 13:52 . 2008-06-22 13:52 d-------- C:\Program Files\Guitar Pro 5
2008-06-22 13:15 . 2008-07-01 18:16 d-------- C:\Documents and Settings\chunk\Application Data\LimeWire
2008-06-17 18:57 . 2008-06-29 10:43 d-------- C:\WINDOWS\system32\Adobe
2008-06-11 12:50 . 2008-06-13 08:10 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-06-11 12:50 . 2008-06-13 08:10 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-05 18:28 . 2008-06-05 18:28 d-------- C:\Program Files\Disney
2008-06-03 22:17 . 2008-06-03 22:17 268 --ah----- C:\sqmdata19.sqm
2008-06-03 22:17 . 2008-06-03 22:17 244 --ah----- C:\sqmnoopt19.sqm
2008-06-03 18:04 . 2008-06-03 18:04 268 --ah----- C:\sqmdata18.sqm
2008-06-03 18:04 . 2008-06-03 18:04 244 --ah----- C:\sqmnoopt18.sqm
2008-06-03 11:53 . 2008-06-03 11:53 268 --ah----- C:\sqmdata17.sqm
2008-06-03 11:53 . 2008-06-03 11:53 244 --ah----- C:\sqmnoopt17.sqm
2008-06-03 09:13 . 2008-06-03 09:13 268 --ah----- C:\sqmdata16.sqm
2008-06-03 09:13 . 2008-06-03 09:13 244 --ah----- C:\sqmnoopt16.sqm
2008-06-02 15:08 . 2008-07-01 19:49 268 --ah----- C:\sqmdata15.sqm
2008-06-02 15:08 . 2008-07-01 19:49 244 --ah----- C:\sqmnoopt15.sqm
2008-06-02 08:15 . 2008-07-01 12:41 244 --ah----- C:\sqmnoopt14.sqm
2008-06-02 08:15 . 2008-07-01 12:41 232 --ah----- C:\sqmdata14.sqm

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-02 00:49 --------- d-----w C:\Documents and Settings\chunk\Application Data\DNA
2008-07-01 03:54 --------- d-----w C:\Program Files\MSN Games
2008-07-01 03:44 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-27 06:42 --------- d-----w C:\Program Files\9Dragons
2008-06-22 03:29 --------- d-----w C:\Documents and Settings\chunk\Application Data\CyberLink
2008-06-21 16:32 --------- d-----w C:\Program Files\Warcraft III
2008-05-29 23:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\nView_Profiles
2008-05-28 15:52 --------- d-----w C:\Program Files\NCSoft
2008-05-27 17:22 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-27 17:17 --------- d-----w C:\Documents and Settings\chunk\Application Data\GetRightToGo
2008-05-19 18:29 2,829 ----a-w C:\WINDOWS\War3Unin.pif
2008-05-19 18:29 126,976 ----a-w C:\WINDOWS\War3Unin.exe
2008-05-17 22:19 --------- d-----w C:\Program Files\Windows Live
2008-05-16 01:37 --------- d-----w C:\Program Files\BOTS
2008-05-11 09:05 --------- d-----w C:\Documents and Settings\chunk\Application Data\funkitron
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-08 01:47 --------- d-----w C:\Program Files\Infogrames Interactive
2008-05-04 18:35 --------- d-----w C:\Program Files\The Learning Company
2008-05-04 13:13 --------- d-----w C:\Program Files\Common Files\INCA Shared
2008-05-04 01:56 --------- d-----w C:\Program Files\Acclaim
2008-05-03 03:46 6,554,496 ----a-w C:\WINDOWS\system32\drivers\nv4_mini.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\mdmxsdw]
@="{B20618AD-1319-1471-8409-99253002EE83}"
[HKEY_CLASSES_ROOT\CLSID\{B20618AD-1319-1471-8409-99253002EE83}]
2002-12-11 12:49 94208 --a------ C:\WINDOWS\system32\mdmxsdw.dIl

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BitTorrent DNA"="C:\Program Files\DNA\btdna.exe" [2008-05-08 20:45 289088]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 11:34 5724184]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-02-10 19:55 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-02-10 19:51 118784]
"SunKistEM"="C:\Program Files\Digital Media Reader\shwiconem.exe" [2004-08-18 17:52 135168]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 02:11 132496]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2003-11-01 02:42 32768]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2008-05-02 22:46 13529088]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2008-05-02 22:46 86016]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-06-30 14:17 1177368]
"SoundMan"="SOUNDMAN.EXE" [2004-05-14 19:47 67072 C:\WINDOWS\SOUNDMAN.EXE]
"nwiz"="nwiz.exe" [2008-05-02 22:46 1630208 C:\WINDOWS\system32\nwiz.exe]

C:\Documents and Settings\chunk\Start Menu\Programs\Startup\
PowerReg Scheduler V3.exe [2008-02-23 11:03:54 225280]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.clmp3enc"= C:\PROGRA~1\CYBERL~1\Power2Go\CLMP3Enc.ACM

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\DNA\\btdna.exe"=
"C:\\Program Files\\THQ\\Titan Quest Immortal Throne\\Tqit.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Warcraft III\\Warcraft III.exe"=
"C:\\Program Files\\Warcraft III\\War3.exe"=
"C:\\Program Files\\NCsoft\\Exteel\\System\\Exteel.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"C:\\Documents and Settings\\All Users\\Documents\\My Music\\Audicity\\Lime\\LimeWire\\LimeWire.exe"=

R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-06-30 14:18]
R2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-06-30 14:17]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-06-30 14:17]
R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-06-30 14:18]
R3 SunkFilt32;Alcor Micro Corp - 3233;C:\WINDOWS\System32\Drivers\sunkfilt32.sys [2004-08-18 18:44]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{05225899-0878-11d9-8b9b-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe
.
Contents of the 'Scheduled Tasks' folder
"2008-07-02 00:19:00 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
"2008-06-29 15:43:17 C:\WINDOWS\Tasks\Norton Security Scan.job"
- C:\Program Files\Norton Security Scan\Nss.exe
.
- - - - ORPHANS REMOVED - - - -

BHO-{100EB1FD-D03E-47FD-81F3-EE91287F9465} - C:\Program Files\ShoppingReport\Bin\2.0.26\ShoppingReport.dll
BHO-{8C469C45-77DA-2E50-FD34-7BA2E3EA1A97} - C:\WINDOWS\system32\psjo.dll
BHO-{A6C7DA00-F223-40FE-B3C2-6DC702F22163} - C:\WINDOWS\system32\cbXRIbXP.dll
BHO-{F30B1B0B-C305-414E-A4FF-AC93A08DE0AC} - C:\WINDOWS\system32\awtuuUnK.dll
WebBrowser-{E1BACF55-35E1-4E47-9247-2D48660E5545} - (no file)
HKCU-Run-ecfb24ff - C:\WINDOWS\system32\domvrqjo.dll
HKCU-Run-Power2GoExpress - (no file)
HKLM-Run-ecfb24ff - C:\WINDOWS\system32\domvrqjo.dll
ShellExecuteHooks-{F30B1B0B-C305-414E-A4FF-AC93A08DE0AC} - C:\WINDOWS\system32\awtuuUnK.dll
Notify-awtuuUnK - awtuuUnK.dll

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-01 19:51:38
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
.
**************************************************************************
.
Completion time: 2008-07-01 19:56:38 - machine was rebooted [chunk]
ComboFix-quarantined-files.txt 2008-07-02 00:56:31

Pre-Run: 25,212,653,568 bytes free
Post-Run: 25,201,913,856 bytes free

WinXP_EN_HOM_BF.EXE
[boot loader]
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional Edition" /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

305 --- E O F --- 2008-06-21 08:00:42
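The deletions and registry entries in the log above show three tricks worth checking for in any log of this kind: console tools re-created with a .com extension in system32 (cmd.com, ping.com, netstat.com, regedit.com, taskkill.com, tasklist.com, tracert.com), which the default PATHEXT order (.COM before .EXE) resolves ahead of the real binaries when a bare name such as cmd is typed; system binary names padded with digits in C:\WINDOWS (explorer32.exe, svchost32.exe, notepad32.exe, ctfmon32.exe) or given an odd extension (rundll32.vbe); a shell icon overlay handler whose file is mdmxsdw.dIl, with a capital I where the eye reads a lowercase l, so it is a different file name from mdmxsdw.dll; and an AutoRun command recorded for a volume under MountPoints2. The Python below is an added triage script, not part of ComboFix or of the posted log. The heuristics, the name lists and the sample lines (constructed in the shape of the log, not the full log) are this example's own assumptions.

```python
"""Added example: flag PATHEXT shadowing, look-alike names, homoglyph
extensions and volume AutoRun entries in ComboFix-style log lines.
Not part of ComboFix; the heuristics and lists are this example's own."""
import re
from pathlib import PureWindowsPath

# Names of console tools and system binaries that the log above shows being
# imitated (assumed list; extend it for your environment).
KNOWN_BINARIES = {
    "cmd", "ping", "netstat", "regedit", "taskkill", "tasklist", "tracert",
    "explorer", "svchost", "notepad", "ctfmon", "iexplore", "rundll32",
}
# Extensions a reader takes for "a module"; anything that lowercases to one
# of these is treated as genuine, since NTFS names are case-insensitive.
KNOWN_EXTENSIONS = {".exe", ".dll", ".sys", ".com", ".ocx", ".ax", ".scr"}

# A drive-letter path, stopping at quotes or at the "[date size]" suffix
# ComboFix appends to Run entries.
PATH_RE = re.compile(r'([A-Za-z]:\\[^"\[\]\r\n]+)')
# MountPoints2 AutoRun line in the form ComboFix prints it.
AUTORUN_RE = re.compile(r'\\Shell\\AutoRun\\command\s+-\s+(.+)$', re.IGNORECASE)


def classify_path(path):
    """Return (tag, reason) for a suspicious file name, or None if it looks clean."""
    p = PureWindowsPath(path)
    base, ext = p.stem.lower(), p.suffix
    low_ext = ext.lower()

    # Homoglyph extension: ".dIl" lowercases to ".dil", a different name from
    # ".dll"; swapping capital I for lowercase l recovers the known extension.
    if low_ext not in KNOWN_EXTENSIONS:
        fixed = ext.replace("I", "l").lower()
        if fixed != low_ext and fixed in KNOWN_EXTENSIONS:
            return ("homoglyph-ext", f"{p.name}: extension {ext} reads as {fixed}")

    if base in KNOWN_BINARIES:
        # Default PATHEXT is .COM;.EXE;... so typing "cmd" runs cmd.com before cmd.exe.
        if low_ext == ".com":
            return ("pathext-shadow", f"{p.name}: .com wins over .exe for '{base}'")
        if low_ext != ".exe":
            return ("known-name-odd-ext", f"{p.name}: '{base}' with {ext}")
        return None

    # Known name padded with digits: explorer32.exe, svchost32.exe, notepad32.exe.
    trimmed = base.rstrip("0123456789")
    if trimmed != base and trimmed in KNOWN_BINARIES:
        return ("lookalike-name", f"{p.name}: mimics {trimmed}")
    return None


def scan_log(text):
    """Run the heuristics over every line; return a list of (tag, reason)."""
    findings = []
    for line in text.splitlines():
        m = AUTORUN_RE.search(line)
        if m:
            findings.append(("volume-autorun", f"AutoRun command: {m.group(1).strip()}"))
            continue
        m = PATH_RE.search(line)
        if m:
            # Firewall-list entries double their backslashes; normalise first.
            hit = classify_path(m.group(1).replace("\\\\", "\\").rstrip())
            if hit:
                findings.append(hit)
    return findings


# Constructed sample in the shape of the log above (not the full log).
SAMPLE_LOG = r"""
C:\WINDOWS\system32\cmd.com
C:\WINDOWS\system32\ping.com
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer32.exe
C:\WINDOWS\rundll32.vbe
C:\WINDOWS\system32\ojqrvmod.ini
[HKEY_CLASSES_ROOT\CLSID\{B20618AD-1319-1471-8409-99253002EE83}]
2002-12-11 12:49 94208 --a------ C:\WINDOWS\system32\mdmxsdw.dIl
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:00 15360]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{05225899-0878-11d9-8b9b-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe
"""

if __name__ == "__main__":
    for tag, why in scan_log(SAMPLE_LOG):
        print(f"{tag:20} {why}")
```

Run it against a saved ComboFix.txt by passing the file contents to scan_log. The homoglyph check only handles the I/l swap seen in this log; the known-name lists are short on purpose and should be widened with whatever binaries your environment's malware tends to imitate.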