ComboFix 08-09-24.11 - Ange 2008-09-26 20:09:56.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.125 [GMT -4:00]
Running from: C:\Documents and Settings\Ange\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Ange\Desktop\CFScript.txt
 * Created a new restore point

FILE ::
C:\WINDOWS\system32\drivers\Cyber02Hide.Sys
C:\WINDOWS\system32\drivers\Cyber02Hide.sys
C:\WINDOWS\system32\drivers\klfga.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\drivers\Cyber02Hide.Sys
C:\WINDOWS\system32\drivers\klfga.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CYBER02HIDE
-------\Legacy_KLFGA
-------\Service_Cyber02Hide
-------\Service_klfga

((((((((((((((((((((((((( Files Created from 2008-08-27 to 2008-09-27 )))))))))))))))))))))))))))))))
.

2008-09-26 15:35 . 2008-09-26 15:43 d-------- C:\HaxFix
2008-09-26 15:35 . 2008-09-26 15:35 484,942 --a------ C:\HaxFix.exe
2008-09-21 20:40 . 2008-09-21 20:40 d-------- C:\WINDOWS\system32\Service
2008-09-20 14:29 . 2008-09-20 14:29 d-------- C:\Documents and Settings\Stevo\Application Data\Malwarebytes
2008-09-18 16:04 . 2008-09-18 16:04 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-09-18 16:04 . 2008-09-18 16:04 d-------- C:\Documents and Settings\Ange\Application Data\Malwarebytes
2008-09-18 16:04 . 2008-09-18 16:04 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-09-18 16:04 . 2008-09-10 00:04 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-09-18 16:04 . 2008-09-10 00:03 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-09-18 16:03 . 2008-09-18 16:03 d-------- C:\Program Files\Common Files\Download Manager
2008-09-18 14:23 . 2008-09-18 14:23 d-------- C:\Program Files\Lavasoft
2008-09-18 14:23 . 2008-09-18 14:27 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-09-11 20:22 . 2008-09-11 20:09 144,912 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-09-11 20:22 . 2008-09-11 20:09 50,192 --a------ C:\WINDOWS\system32\drivers\tmactmon.sys
2008-09-11 20:22 . 2008-09-11 20:09 49,680 --a------ C:\WINDOWS\system32\drivers\tmevtmgr.sys
2008-09-11 20:13 . 2007-08-22 10:16 46,456 -ra------ C:\WINDOWS\system32\exitwx.exe
2008-09-11 20:13 . 2008-09-11 20:13 619 --a------ C:\moffice.lnk
2008-09-11 20:09 . 2008-09-11 20:09 1,195,448 --a------ C:\WINDOWS\system32\drivers\vsapint.sys
2008-09-11 20:09 . 2008-09-11 20:09 661,808 --a------ C:\WINDOWS\system32\UfWSC.cpl
2008-09-11 20:09 . 2008-09-11 20:09 334,352 --a------ C:\WINDOWS\system32\drivers\TM_CFW.sys
2008-09-11 20:09 . 2008-09-11 20:09 205,328 --a------ C:\WINDOWS\system32\drivers\tmxpflt.sys
2008-09-11 20:09 . 2008-09-11 20:09 80,400 --a------ C:\WINDOWS\system32\drivers\tmtdi.sys
2008-09-11 20:09 . 2008-09-11 20:09 36,368 --a------ C:\WINDOWS\system32\drivers\tmpreflt.sys
2008-09-11 20:07 . 2008-09-11 20:19 d-------- C:\WINDOWS\SxsCaPendDel
2008-09-11 17:43 . 2008-09-11 19:52 d-------- C:\Documents and Settings\All Users\Application Data\SITEguard
2008-09-11 17:40 . 2008-09-11 17:40 d-------- C:\Program Files\Common Files\iS3
2008-09-11 17:40 . 2008-09-11 20:06 d-------- C:\Documents and Settings\All Users\Application Data\STOPzilla!
2008-09-11 12:35 . 2008-09-11 12:53 16,384 --a------ C:\WINDOWS\DCEBoot.exe
2008-09-11 09:55 . 2008-09-11 11:49 d-------- C:\Documents and Settings\Ange\.housecall6.6
2008-09-10 21:50 . 2008-09-25 08:34 d-------- C:\Documents and Settings\All Users\Application Data\Trend Micro
2008-09-10 21:26 . 2008-09-10 21:26 d-------- C:\Documents and Settings\LocalService\Application Data\AdobeUM
2008-09-10 20:11 . 2008-09-18 16:49 d-------- C:\WINDOWS\system32\inf
2008-09-07 21:23 . 2008-09-07 21:23 d-------- C:\Program Files\My Company Name
2008-08-30 15:51 . 2008-09-26 20:21 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-08-30 15:51 . 2008-08-30 15:51 1,409 --a------ C:\WINDOWS\QTFont.for
2008-08-29 21:33 . 2008-08-29 22:12 d-------- C:\WINDOWS\system32\CatRoot_bak

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-27 00:21 --------- d-----w C:\Program Files\lg_fwupdate
2008-09-18 21:02 --------- d-----w C:\Program Files\Trend Micro
2008-09-06 01:49 --------- d-----w C:\Program Files\Sonic
2008-08-03 02:34 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-07-31 01:03 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-31 01:03 --------- d-----w C:\Program Files\Shoppers Hotline
2008-05-31 03:46 64,640 ----a-w C:\Documents and Settings\Ange\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((( snapshot@2008-09-25_ 9.24.11.37 )))))))))))))))))))))))))))))))))))))))))
.
+ 2004-08-04 11:00:00 50,688 ----a-w C:\WINDOWS\system32\smss.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ModemOnHold"="C:\Program Files\NetWaiting\netWaiting.exe" [2003-09-10 20480]
"MoneyAgent"="C:\Program Files\Microsoft Money\System\Money Express.exe" [2000-07-19 176183]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]
"DellTransferAgent"="C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe" [2007-11-13 135168]
"LightScribe Control Panel"="C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe" [2007-04-19 484904]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Dell Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY" [X]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-06-24 729178]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-07-19 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-07-19 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-07-19 114688]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [2003-11-19 32881]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2005-08-01 610304]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2005-12-12 26112]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe" [2005-09-09 57344]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"EEventManager"="C:\Program Files\EPSON\Creativity Suite\Event Manager\EEventManager.exe" [2006-10-12 102400]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-03-28 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 267048]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2006-11-23 56928]
"LanguageShortcut"="C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" [2006-12-05 54832]
"LGODDFU"="C:\Program Files\lg_fwupdate\fwupdate.exe" [2008-06-07 249856]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"SecurDisc"="C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe" [2007-05-15 1628208]
"InCD"="C:\Program Files\Nero\Nero 7\InCD\InCD.exe" [2007-05-15 1057328]
"UfSeAgnt.exe"="C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe" [2008-09-11 970808]
"SigmatelSysTrayApp"="stsystra.exe" [2005-08-24 C:\WINDOWS\stsystra.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"OE"="C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe" [2008-09-11 497008]

C:\Documents and Settings\Ange\Start Menu\Programs\Startup\
Picture Motion Browser Media Check Tool.lnk - C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe [2007-12-25 344064]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2005-12-12 24576]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-10-22 806912]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"C:\Program Files\Common Files\LightScribe\LSRunOnce.exe"

.
Contents of the 'Scheduled Tasks' folder
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-26 20:21:59
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\WLTRYSVC.EXE
C:\WINDOWS\system32\BCMWLTRY.EXE
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Dell\NicConfigSvc\NicConfigSvc.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\Program Files\Trend Micro\Internet Security\TmPfw.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\WLTRAY.EXE
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-09-26 20:28:00 - machine was rebooted
ComboFix-quarantined-files.txt 2008-09-27 00:27:49
ComboFix2.txt 2008-09-25 13:25:06

Pre-Run: 9,813,372,928 bytes free
Post-Run: 10,027,962,368 bytes free

174 --- E O F --- 2008-09-10 19:43:03