ComboFix 08-08-30.03 - Evil 2008-08-31 16:17:06.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.701 [GMT -5:00]
Running from: C:\Documents and Settings\Evil\Desktop\ComboFix.exe
* Created a new restore point
* Resident AV is active
WARNING - THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED!
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\Evil\Application Data\macromedia\Flash Player\#SharedObjects\QESZNN2X\bin.clearspring.com
C:\Documents and Settings\Evil\Application Data\macromedia\Flash Player\#SharedObjects\QESZNN2X\bin.clearspring.com\clearspring.sol
C:\Documents and Settings\Evil\Application Data\macromedia\Flash Player\#SharedObjects\QESZNN2X\interclick.com
C:\Documents and Settings\Evil\Application Data\macromedia\Flash Player\#SharedObjects\QESZNN2X\interclick.com\ud.sol
C:\Documents and Settings\Evil\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#bin.clearspring.com
C:\Documents and Settings\Evil\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#bin.clearspring.com\settings.sol
C:\Documents and Settings\Evil\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\Evil\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\Documents and Settings\Evil\Application Data\rhcce4j0er2e
C:\Program Files\akl
C:\Program Files\akl\akl.dll
C:\Program Files\akl\akl.exe
C:\Program Files\akl\uninstall.exe
C:\Program Files\akl\unsetup.exe
C:\Program Files\Inet Delivery
C:\Program Files\Inet Delivery\inetdl.exe
C:\Program Files\Inet Delivery\intdel.exe
C:\Program Files\rhcce4j0er2e
C:\WINDOWS\a.bat
C:\WINDOWS\base64.tmp
C:\WINDOWS\bdn.com
C:\WINDOWS\FVProtect.exe
C:\WINDOWS\hosts
C:\WINDOWS\iTunesMusic.exe
C:\WINDOWS\mslagent
C:\WINDOWS\mslagent\2_mslagent.dll
C:\WINDOWS\mslagent\mslagent.exe
C:\WINDOWS\mslagent\uninstall.exe
C:\WINDOWS\mssecu.exe
C:\WINDOWS\system32\akttzn.exe
C:\WINDOWS\system32\anticipator.dll
C:\WINDOWS\system32\awtoolb.dll
C:\WINDOWS\system32\bdn.com
C:\WINDOWS\system32\blphc9e4j0er2e.scr
C:\WINDOWS\system32\bsva-egihsg52.exe
C:\WINDOWS\system32\dpcproxy.exe
C:\WINDOWS\system32\emesx.dll
C:\WINDOWS\system32\h@tkeysh@@k.dll
C:\WINDOWS\system32\hoproxy.dll
C:\WINDOWS\system32\hxiwlgpm.dat
C:\WINDOWS\system32\hxiwlgpm.exe
C:\WINDOWS\system32\medup012.dll
C:\WINDOWS\system32\medup020.dll
C:\WINDOWS\system32\msgp.exe
C:\WINDOWS\system32\msnbho.dll
C:\WINDOWS\system32\mssecu.exe
C:\WINDOWS\system32\msvchost.exe
C:\WINDOWS\system32\mtr2.exe
C:\WINDOWS\system32\mwin32.exe
C:\WINDOWS\system32\netode.exe
C:\WINDOWS\system32\newsd32.exe
C:\WINDOWS\system32\pphc9e4j0er2e.exe
C:\WINDOWS\system32\ps1.exe
C:\WINDOWS\system32\psof1.exe
C:\WINDOWS\system32\psoft1.exe
C:\WINDOWS\system32\regc64.dll
C:\WINDOWS\system32\regm64.dll
C:\WINDOWS\system32\Rundl1.exe
C:\WINDOWS\system32\smp
C:\WINDOWS\system32\smp\msrc.exe
C:\WINDOWS\system32\sncntr.exe
C:\WINDOWS\system32\ssurf022.dll
C:\WINDOWS\system32\ssvchost.com
C:\WINDOWS\system32\ssvchost.exe
C:\WINDOWS\system32\sysreq.exe
C:\WINDOWS\system32\taack.dat
C:\WINDOWS\system32\taack.exe
C:\WINDOWS\system32\temp#01.exe
C:\WINDOWS\system32\thun.dll
C:\WINDOWS\system32\thun32.dll
C:\WINDOWS\system32\VBIEWER.OCX
C:\WINDOWS\system32\vbsys2.dll
C:\WINDOWS\system32\vcatchpi.dll
C:\WINDOWS\system32\winlogonpc.exe
C:\WINDOWS\system32\winsystem.exe
C:\WINDOWS\system32\WINWGPX.EXE
C:\WINDOWS\userconfig9x.dll
C:\WINDOWS\winsystem.exe
C:\WINDOWS\zip1.tmp
C:\WINDOWS\zip2.tmp
C:\WINDOWS\zip3.tmp
C:\WINDOWS\zipped.tmp
.
((((((((((((((((((((((((( Files Created from 2008-07-28 to 2008-08-31 )))))))))))))))))))))))))))))))
.
2008-08-30 18:05 . 2008-08-30 18:05 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-08-30 17:06 . 2008-08-30 17:06 74 --a------ C:\WINDOWS\st_affiliate.ini
2008-08-30 16:04 . 2008-08-30 16:29 <DIR> d-------- C:\Program Files\SAV
2008-08-30 16:04 . 2008-08-30 16:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\yncxkzwr
2008-08-30 16:04 . 2008-08-30 16:04 115,204 --a------ C:\WINDOWS\system32\msxml71.dll
2008-08-30 16:04 . 2008-08-30 16:04 90,112 --a------ C:\WINDOWS\system32\qtubynul.exe
2008-08-29 22:48 . 2008-08-29 22:48 0 --a------ C:\Documents and Settings\Evil\jagex_runescape_preferences.dat
2008-08-29 22:47 . 2008-08-29 22:47 <DIR> d-------- C:\WINDOWS\Sun
2008-08-29 22:47 . 2008-08-29 22:47 <DIR> d-------- C:\WINDOWS\.jagex_cache_32
2008-08-19 22:49 . 2008-08-19 22:57 <DIR> d-------- C:\Program Files\PokerStars
2008-07-21 23:33 . 2008-07-21 23:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\NeoEdge Networks
2008-07-21 23:02 . 2008-07-21 23:02 0 --a------ C:\WINDOWS\nsreg.dat
2008-07-19 11:04 . 2008-08-31 16:15 <DIR> d--h----- C:\$AVG8.VAULT$
2008-07-18 15:48 . 2008-07-19 11:30 <DIR> d-------- C:\Program Files\GameSpy Arcade
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-30 14:49 97,928 ----a-w C:\WINDOWS\system32\drivers\avgldx86.sys
2008-08-20 02:51 351,541 ----a-w C:\WINDOWS\java\Packages\VJ9NF9JX.ZIP
2008-07-28 04:18 440,816 ----a-w C:\WINDOWS\java\Packages\P75JLNDF.ZIP
2008-07-18 21:01 491,040 ----a-w C:\WINDOWS\java\Packages\GE9NPZZT.ZIP
2008-07-05 06:10 76,040 ----a-w C:\WINDOWS\system32\drivers\avgtdix.sys
2008-07-05 06:10 10,520 ----a-w C:\WINDOWS\system32\avgrsstx.dll
2008-05-24 03:27 487,105 ----a-w C:\WINDOWS\java\Packages\QW8LNFPV.ZIP
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Start WingMan Profiler"="C:\Program Files\Logitech\Profiler\lwemon.exe" [2004-04-23 14:28 77824]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-09-12 19:56 68856]
"igndlm.exe"="C:\Program Files\IGN\Download Manager\DLM.exe" [2007-03-05 13:57 1103480]
"shappwin"="C:\WINDOWS\system32\qtubynul.exe" [2008-08-30 16:04 90112]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 01:41 8523776]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 21:24 32768]
"REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.EXE" [2002-02-04 22:32 53248]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-12-05 01:41 81920]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-08-30 09:49 1235736]
"SoundMan"="SOUNDMAN.EXE" [2005-10-04 15:12 90112 C:\WINDOWS\soundman.exe]
"nwiz"="nwiz.exe" [2007-12-05 01:41 1626112 C:\WINDOWS\system32\nwiz.exe]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
"GQT7qr190e"="C:\Documents and Settings\All Users\Application Data\yncxkzwr\qtyvqpcb.exe" [2008-08-30 16:04 65536]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 03:38:16 29696]
Exif Launcher.lnk - D:\Program Files\FinePixViewer\QuickDCF.exe [2006-06-02 18:07:18 200704]
Microsoft Office.lnk - D:\Program Files\Microsoft Office\Office\OSA9.EXE [2000-01-21 03:15:54 65588]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli scecli
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"E:\\Program Files\\Steam\\SteamApps\\highliter\\day of defeat source\\hl2.exe"=
"E:\\Program Files\\Steam\\SteamApps\\highliter\\counter-strike\\hl.exe"=
"E:\\Program Files\\Steam\\SteamApps\\highliter\\counter-strike source\\hl2.exe"=
"C:\\Program Files\\Yahoo!\\Yahoo! Music Engine\\YahooMusicEngine.exe"=
"E:\\Program Files\\EVE Test\\EVE\\bin\\ExeFile.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-08-30 09:49]
R2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-08-30 09:49]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-08-30 09:49]
R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-07-05 01:10]
R2 ETDrv;ETDrv;C:\WINDOWS\system32\drivers\ETDrv.sys [2003-08-07 12:39]
S3 MarkFun_NT;MarkFun_NT;C:\Program Files\Gigabyte\Gigabyte Windows Utility Manager\ET4\markfun.w32 [2003-04-15 11:16]
.
- - - - ORPHANS REMOVED - - - -
WebBrowser-{A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6} - (no file)
HKCU-Run-Steam - (no file)
HKLM-Run-lphc9e4j0er2e - C:\WINDOWS\system32\lphc9e4j0er2e.exe
HKLM-Run-SMrhcce4j0er2e - C:\Program Files\rhcce4j0er2e\rhcce4j0er2e.exe
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Evil\Application Data\Mozilla\Firefox\Profiles\f6dh42wb.default\
FF -: plugin - C:\Program Files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
FF -: plugin - C:\Program Files\IGN\Download Manager\npfpdlm.dll
FF -: plugin - d:\Program Files\QuickTime\Plugins\npqtplugin.dll
FF -: plugin - d:\Program Files\QuickTime\Plugins\npqtplugin2.dll
FF -: plugin - d:\Program Files\QuickTime\Plugins\npqtplugin3.dll
FF -: plugin - d:\Program Files\QuickTime\Plugins\npqtplugin4.dll
FF -: plugin - d:\Program Files\QuickTime\Plugins\npqtplugin5.dll
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2008-08-31 16:23:33
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MarkFun_NT]
"ImagePath"="\??\C:\Program Files\Gigabyte\Gigabyte Windows Utility Manager\ET4\markfun.w32"
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\WgaTray.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
.
**************************************************************************
.
Completion time: 2008-08-31 16:26:24 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-31 21:26:13
Pre-Run: 7,929,675,776 bytes free
Post-Run: 7,969,239,040 bytes free