ComboFix 08-08-23.03 - Owner 2008-08-24 19:03:25.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.417 [GMT -5:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
 * Created a new restore point

[color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b][/color]

FILE ::
C:\WINDOWS\system32\2skhXl62.exe
C:\WINDOWS\system32\2skhXl62.exe.a_a
C:\WINDOWS\system32\mH2C8QV5.exe
C:\WINDOWS\system32\mH2C8QV5.exe.a_a
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\NetworkService\Cookies\system@trafficmp[2].txt
C:\WINDOWS\system32\2skhXl62.exe
C:\WINDOWS\system32\2skhXl62.exe.a_a
C:\WINDOWS\system32\M8k4u21x.dll
C:\WINDOWS\system32\mH2C8QV5.exe
C:\WINDOWS\system32\mH2C8QV5.exe.a_a

.
(((((((((((((((((((((((((   Files Created from 2008-07-25 to 2008-08-25   )))))))))))))))))))))))))))))))
.

2008-08-21 21:13 . 2008-08-21 21:27    d--------    C:\WINDOWS\system32\CatRoot_bak
2008-08-18 21:54 . 2008-08-24 12:28    82,434    --a------    C:\WINDOWS\system32\mH2C8QV5.exe_
2008-08-17 16:40 . 2008-08-17 16:40    d--------    C:\Program Files\Bazooka Scanner
2008-08-17 14:46 . 2008-08-17 14:46    d--------    C:\Program Files\Trend Micro
2008-08-14 22:38 . 2008-05-01 09:30    331,776    -----c---    C:\WINDOWS\system32\dllcache\msadce.dll
2008-08-10 14:10 . 2008-08-10 14:10    d--------    C:\Documents and Settings\Owner\Application Data\Amazon
2008-08-10 14:09 . 2008-08-10 14:09    d--------    C:\Program Files\Amazon
2008-07-30 20:38 . 2008-07-30 20:38    512    --a------    C:\drmHeader.bin

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-24 15:00    ---------    d-----w    C:\Documents and Settings\All Users\Application Data\Google Updater
2008-08-20 17:08    ---------    d-----w    C:\Documents and Settings\Owner\Application Data\Stamps.com Internet Postage
2008-08-19 03:08    ---------    d-----w    C:\Program Files\Microsoft Silverlight
2008-08-17 16:52    ---------    d---a-w    C:\Documents and Settings\All Users\Application Data\TEMP
2008-08-17 16:27    ---------    d-----w    C:\Program Files\Spyware Doctor
2008-08-16 01:37    ---------    d-----w    C:\Program Files\Windows Defender
2008-08-10 19:43    ---------    d-----w    C:\Program Files\Incomplete
2008-08-10 19:41    ---------    d-----w    C:\Program Files\LimeWire
2008-07-19 03:10    94,920    ----a-w    C:\WINDOWS\system32\cdm.dll
2008-07-19 03:10    53,448    ----a-w    C:\WINDOWS\system32\wuauclt.exe
2008-07-19 03:10    45,768    ----a-w    C:\WINDOWS\system32\wups2.dll
2008-07-19 03:10    36,552    ----a-w    C:\WINDOWS\system32\wups.dll
2008-07-19 03:09    563,912    ----a-w    C:\WINDOWS\system32\wuapi.dll
2008-07-19 03:09    325,832    ----a-w    C:\WINDOWS\system32\wucltui.dll
2008-07-19 03:09    205,000    ----a-w    C:\WINDOWS\system32\wuweb.dll
2008-07-19 03:09    1,811,656    ----a-w    C:\WINDOWS\system32\wuaueng.dll
2008-07-19 03:07    270,880    ----a-w    C:\WINDOWS\system32\mucltui.dll
2008-07-19 03:07    210,976    ----a-w    C:\WINDOWS\system32\muweb.dll
2008-07-07 20:32    253,952    ----a-w    C:\WINDOWS\system32\es.dll
2008-06-29 00:53    ---------    d-----w    C:\Program Files\Stamps.com Internet Postage
2008-06-24 16:23    74,240    ----a-w    C:\WINDOWS\system32\mscms.dll
2008-06-23 16:57    826,368    ----a-w    C:\WINDOWS\system32\wininet.dll
2008-06-20 17:41    245,248    ----a-w    C:\WINDOWS\system32\mswsock.dll
2008-06-08 21:48    90,112    ----a-w    C:\WINDOWS\DUMP40e1.tmp
2006-08-10 18:03    774,144    ----a-w    C:\Program Files\RngInterstitial.dll
2004-03-11 18:27    40,960    ----a-w    C:\Program Files\Uninstall_CDS.exe
2006-10-10 02:09    56    --sh--r    C:\WINDOWS\system32\123DB469C0.sys

.
(((((((((((((((((((((((((((((((((((((((((((((   AWF   ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w    624,248    2007-05-11 03:46:20    C:\Program Files\Adobe\Acrobat 8.0\Acrobat\bak\Acrotray.exe
----a-w    620,152    2006-10-23 04:24:02    C:\Program Files\Adobe\Acrobat 8.0\Acrobat\acrotray.exe
----a-w    40,048    2007-05-11 08:06:32    C:\Program Files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe
----a-w    39,792    2008-01-12 04:16:38    C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
----a-w    339,968    2004-08-25 18:52:00    C:\Program Files\ATI Technologies\ATI Control Panel\bak\atiptaxx.exe
----a-w    270,336    2003-04-01 22:41:42    C:\Program Files\ATI Technologies\ATI HydraVision\bak\HydraDM.exe
----a-w    2,321,600    2007-06-14 18:22:01    C:\Program Files\Common Files\Adobe\Updater5\bak\AdobeUpdater.exe
----a-r    2,321,600    2007-03-01 16:37:52    C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
----a-w    81,920    2005-08-11 21:30:30    C:\Program Files\Common Files\InstallShield\UpdateService\bak\issch.exe
----a-w    81,920    2005-08-11 21:30:30    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
----a-w    249,856    2005-08-11 21:30:30    C:\Program Files\Common Files\InstallShield\UpdateService\bak\isuspm.exe
----a-w    249,856    2005-08-11 21:30:30    C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
----a-w    221,184    2006-08-10 17:10:14    C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\bak\RoxWatchTray9.exe
----a-w    110,592    2003-08-19 06:01:00    C:\Program Files\Common Files\Sonic\Update Manager\bak\sgtray.exe
----a-w    1,193,472    2007-05-02 19:12:48    C:\Program Files\Common Files\TiVo Shared\Transfer\bak\TiVoTransfer.exe
----a-w    32,768    2003-11-01 00:42:40    C:\Program Files\CyberLink DVD Solution\PowerDVD\bak\PDVDServ.exe
----a-w    257,088    2007-05-26 17:45:54    C:\Program Files\iTunes\bak\iTunesHelper.exe
----a-w    257,088    2007-05-26 17:45:54    C:\Program Files\iTunes\iTunesHelper.exe
----a-w    132,496    2007-09-25 06:11:35    C:\Program Files\Java\jre1.6.0_03\bin\bak\jusched.exe
----a-w    282,624    2007-04-27 14:41:54    C:\Program Files\QuickTime\bak\qttask.exe
----a-w    1,116,920    2006-07-31 14:00:00    C:\Program Files\Roxio\Drag-to-Disc\bak\DrgToDsc.exe
----a-w    102,400    2006-08-14 06:07:00    C:\Program Files\Roxio\Media Experience\bak\DMXLauncher.exe
----a-w    373,760    2007-05-02 19:13:12    C:\Program Files\TiVo\Desktop\bak\TiVoNotify.exe
----a-w    1,463,296    2007-05-02 19:14:38    C:\Program Files\TiVo\Desktop\bak\TiVoServer.exe
----a-w    866,584    2006-11-04 00:20:12    C:\Program Files\Windows Defender\bak\MSASCui.exe
----a-w    866,584    2006-11-04 00:20:12    C:\Program Files\Windows Defender\MSASCui.exe
----a-w    15,360    2004-08-04 07:56:48    C:\WINDOWS\system32\bak\ctfmon.exe
----a-w    15,360    2004-08-04 07:56:48    C:\WINDOWS\system32\ctfmon.exe
----a-w    126,976    2005-10-19 13:59:12    C:\WINDOWS\system32\bak\hkcmd.exe
----a-w    155,648    2005-10-19 13:59:14    C:\WINDOWS\system32\bak\igfxtray.exe
----a-w    155,648    2006-01-12 22:40:44    C:\WINDOWS\system32\bak\NeroCheck.exe

.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]
"Power2GoExpress"="" [N/A]
"Aim6"="" [N/A]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LoadMSvcmm"="C:\WINDOWS\system32\msvcmm32.exe" [N/A]
"Auto EPSON Stylus Photo R200 Series on DGWV3P71"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE" [2003-07-08 03:00 99840]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2006-10-22 23:24 620152]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2005-08-11 16:30 249856]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-05-26 12:45 257088]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-06-02 17:21:06 113664]
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2008-04-21 16:13:02 124400]
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2007-09-19 04:33:46 282624]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 15:05:56 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.I420"= i263_32.drv
"midi1"= xgusb.cpl
"vidc.i263"= i263_32.drv
"msacm.imc"= imc32.acm
"msacm.clmp3enc"= C:\PROGRA~1\CYBERL~2\Power2Go\CLMP3Enc.ACM

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Java\\j2re1.4.2_04\\bin\\javaw.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Microsoft Office\\Office\\FRONTPG.EXE"=
"C:\\StubInstaller.exe"=
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\BitTorrent\\btdownloadgui.exe"=
"C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\SAGENT4.EXE"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

R1 Cinemsup;Cinemsup;C:\WINDOWS\system32\drivers\Cinemsup.sys [2003-12-19 03:00]
R1 DLARTL_M;DLARTL_M;C:\WINDOWS\system32\Drivers\DLARTL_M.SYS [2006-08-01 20:06]
R2 NwSapAgent;SAP Agent;C:\WINDOWS\System32\svchost.exe [2004-08-04 02:56]
R2 TivoBeacon2;TiVo Beacon;C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe [2007-05-02 14:12]
R2 Viewpoint Manager Service;Viewpoint Manager Service;C:\Program Files\Viewpoint\Common\ViewpointService.exe [2007-01-04 16:38]
.
Contents of the 'Scheduled Tasks' folder

2008-05-08 C:\WINDOWS\Tasks\EasyShare Registration Task.job
- C:\WINDOWS\system32\rundll32.exe [2004-08-04 02:56]

2008-08-24 C:\WINDOWS\Tasks\MP Scheduled Scan.job
- C:\Program Files\Windows Defender\MpCmdRun.exe [2006-11-03 20:20]
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-24 19:07:04
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\Ati2evxx.dll
.
Completion time: 2008-08-24 19:08:26
ComboFix-quarantined-files.txt 2008-08-25 00:08:13
ComboFix2.txt 2008-08-24 22:21:55

Pre-Run: 3,743,571,968 bytes free
Post-Run: 3,749,474,304 bytes free

170 --- E O F --- 2008-08-20 21:46:36