ComboFix 08-02-25.3 - Mads 2008-02-29 14:24:46.2 - [color=red][b]FAT32[/b][/color]x86
Microsoft Windows XP Professional 5.1.2600.2.1252.47.1033.18.338 [GMT 1:00]
Running from: C:\Documents and Settings\Mads\My Documents\ComboFix.exe
Command switches used :: C:\Documents and Settings\Mads\My Documents\CFScript.txt..txt
 * Created a new restore point
[color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b][/color]

FILE ::
C:\WINDOWS\system32\WindowsXP.exe
C:\WINDOWS\winsystem.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\WindowsXP.exe
C:\WINDOWS\winsystem.exe

.
((((((((((((((((((((((((( Files Created from 2008-01-28 to 2008-02-29 )))))))))))))))))))))))))))))))
.

2008-02-29 14:23 . 2008-02-29 14:23 d-------- C:\ComboFix[1]
2008-02-29 14:10 . 2008-02-29 14:10 d--hs---- C:\FOUND.007
2008-02-28 16:54 . 2008-02-28 16:54 d-------- C:\Program Files\SUPERAntiSpyware
2008-02-28 16:54 . 2008-02-28 16:54 d-------- C:\Documents and Settings\Madzy\Application Data\SUPERAntiSpyware.com
2008-02-28 16:54 . 2008-02-28 16:54 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-02-28 15:08 . 2008-02-28 02:16 d-------- C:\SDFix
2008-02-28 14:55 . 2008-02-28 14:55 d-------- C:\Program Files\SDFix
2008-02-28 13:33 . 2008-02-28 13:33 d-------- C:\Program Files\Trend Micro
2008-02-28 10:23 . 2008-02-29 14:11 9,051 --a------ C:\WINDOWS\system32\Config.MPF
2008-02-28 10:22 . 2008-02-28 10:22 d-------- C:\Program Files\SiteAdvisor
2008-02-28 10:22 . 2008-02-28 10:22 d-------- C:\Documents and Settings\Madzy\Application Data\SiteAdvisor
2008-02-28 10:22 . 2008-02-28 10:22 d-------- C:\Documents and Settings\LocalService\Application Data\SiteAdvisor
2008-02-28 10:22 . 2008-02-28 10:22 d-------- C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2008-02-28 10:21 . 2008-02-28 10:21 d-------- C:\Program Files\McAfee.com
2008-02-28 10:21 . 2008-02-28 10:21 d-------- C:\Program Files\McAfee
2008-02-28 10:21 . 2008-02-28 10:21 d-------- C:\Program Files\Common Files\McAfee
2008-02-28 10:21 . 2007-07-21 09:08 201,288 --a------ C:\WINDOWS\system32\drivers\mfehidk.sys
2008-02-28 10:21 . 2007-07-13 09:20 113,952 --a------ C:\WINDOWS\system32\drivers\Mpfp.sys
2008-02-28 10:21 . 2007-07-24 07:40 79,304 --a------ C:\WINDOWS\system32\drivers\mfeavfk.sys
2008-02-28 10:21 . 2007-07-21 09:08 40,488 --a------ C:\WINDOWS\system32\drivers\mfesmfk.sys
2008-02-28 10:21 . 2007-07-21 09:08 35,240 --a------ C:\WINDOWS\system32\drivers\mfebopk.sys
2008-02-28 10:21 . 2007-07-24 12:02 33,800 --a------ C:\WINDOWS\system32\drivers\mferkdk.sys
2008-02-28 10:18 . 2008-02-28 10:18 d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2008-02-28 10:17 . 2008-02-28 10:17 d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2008-02-26 18:07 . 2008-02-26 18:07 d-------- C:\Program Files\Windows Live
2008-02-26 18:07 . 2008-02-26 18:07 d--hs---- C:\Program Files\Common Files\WindowsLiveInstaller
2008-02-26 18:07 . 2008-02-26 18:07 d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-02-09 10:28 . 2008-02-09 10:28 6,144 --ahs---- C:\WINDOWS\Thumbs.db
2008-02-08 14:29 . 2008-02-08 14:29 111 --a------ C:\WINDOWS\musicmaker.INI
2008-02-08 14:22 . 2003-04-18 16:29 44,544 --a------ C:\WINDOWS\system32\msxml4a.dll
2008-02-08 14:21 . 2008-02-08 14:21 d-------- C:\Program Files\Common Files\MAGIX Shared
2008-02-08 14:20 . 2008-02-08 14:20 d-------- C:\WINDOWS\system32\MAGIX
2008-02-08 14:20 . 2002-09-21 00:33 1,089,536 --a------ C:\WINDOWS\system32\ROBOEX32.DLL
2008-02-08 14:20 . 2006-07-05 11:21 638,976 --a------ C:\WINDOWS\system32\mgxoschk.dll
2008-02-08 14:20 . 1998-10-15 17:28 85,504 --a------ C:\WINDOWS\system32\HtmlWH.dll
2008-02-08 14:20 . 1999-01-28 14:44 49,152 --a------ C:\WINDOWS\system32\INETWH32.dll
2008-02-08 14:20 . 2008-02-08 14:21 5,729 --a------ C:\WINDOWS\mgxoschk.ini
2008-02-08 09:17 . 2008-02-08 09:17 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-08 09:16 . 2008-02-08 09:16 d-------- C:\Program Files\Common Files\Wise Installation Wizard

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-01 11:43 370,176 ----a-w C:\WINDOWS\sys.exe
2008-01-22 19:27 22,547 ----a-w C:\WINDOWS\system32\winabc.sys
2008-01-18 11:47 370,176 ----a-w C:\WINDOWS\sys30.exe
2008-01-14 17:29 223,232 ----a-w C:\WINDOWS\sysss.exe
2008-01-11 17:26 --------- d-----w C:\Program Files\VirtualDJ
2008-01-09 17:07 9,348 ----a-w C:\cc_20080109_1807.reg
2008-01-09 17:06 336,353 ----a-w C:\cc_20080109_1806.reg
2008-01-06 19:53 --------- d-----w C:\Documents and Settings\Madzy\Application Data\Teleca
2008-01-06 19:48 --------- d-----w C:\Documents and Settings\Madzy\Application Data\Sony Ericsson
2008-01-06 19:47 --------- d-----w C:\Program Files\Sony Ericsson
2008-01-06 19:47 --------- d-----w C:\Program Files\Common Files\Teleca Shared
2008-01-06 19:47 --------- d-----w C:\Program Files\Common Files\Sony Ericsson Shared
2008-01-06 19:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\Teleca
2008-01-06 19:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\Sony Ericsson
2007-12-14 15:31 201,728 ----a-w C:\WINDOWS\system32\Yamaha R1 Screensaver.scr
2007-12-14 10:32 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2007-03-12 17:57 87,608 ----a-w C:\Documents and Settings\Madzy\Application Data\ezpinst.exe
2007-03-12 17:57 47,360 ----a-w C:\Documents and Settings\Madzy\Application Data\pcouffin.sys
2006-12-25 13:38 251 ----a-w C:\Program Files\wt3d.ini
2007-06-13 11:23 370,176 --sh--r C:\WINDOWS\system32\wkatzyl.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 20:00 15360]
"Intec Service Drivers"="winsystem.exe" []
"msnmsgr"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 11:34 5724184]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-02-26 17:35 1481968]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Intec Service Drivers"="winsystem.exe" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-10 20:00 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-10 20:00 455168]
"Intranet"="WindowsXP.exe" []
"Intec Service Drivers"="winsystem.exe" []
"ePower_DMC"="C:\Acer\Empowering Technology\ePower\ePower_DMC.exe" [2006-05-30 12:11 421888]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6253\SiteAdv.exe" [2007-08-24 22:57 36640]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Intranet"="WindowsXP.exe" []
"Intec Service Drivers"="winsystem.exe" []

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-10 20:00 15360]

C:\Documents and Settings\Madzy\Start Menu\Programs\Startup\
Yahoo! Widgets.lnk - C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe [2007-12-11 23:34:48 3746856]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveSearch"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ePower_DMC]
--a------ 2006-05-30 12:11 421888 C:\Acer\Empowering Technology\ePower\ePower_DMC.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
C:\Program Files\MSN Messenger\MsnMsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2007-11-07 17:36 185632 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Messenger\\MSMSGS.EXE"=
"C:\\Program Files\\BitLord\\BitLord.exe"=
"C:\\WINDOWS\\System32\\dpnsvr.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Valve\\czero.exe"=
"C:\\Program Files\\TrackMania Nations ESWC\\TmNationsESWC.exe"=
"C:\\Program Files\\Real\\RealPlayer\\RealPlay.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

R0 viaagp;VIA AGP Bus Filter;C:\WINDOWS\system32\DRIVERS\viaagp.sys [2004-08-03 23:07]
S2 eLock2BurnerLockDriver;eLock2BurnerLockDriver;C:\WINDOWS\system32\eLock2BurnerLockDriver.sys []
S2 eLock2FSCTLDriver;eLock2FSCTLDriver;C:\WINDOWS\system32\eLock2FSCTLDriver.sys []
S3 gUSBSTOi;gUSBSTOi;C:\DOCUME~1\Madzy\LOCALS~1\Temp\gUSBSTOi.sys []
S3 Isacpedcqf;Isacpedcqf;C:\WINDOWS\system32\drivers\MSKSSRV.sys [2004-08-03 22:58]

*Newly Created Service* - SITEADVISOR_SERVICE
.
Contents of the 'Scheduled Tasks' folder
"2008-02-23 09:28:04 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job" - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-12-25 15:19:30 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC.job" - C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
"2008-02-23 17:35:52 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC Nag.job" - C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
"2008-02-28 09:21:42 C:\WINDOWS\Tasks\McQcTask.job" - c:\PROGRA~1\mcafee\mqc\QcConsol.exe
"2008-02-28 09:21:42 C:\WINDOWS\Tasks\McDefragTask.job" - c:\PROGRA~1\mcafee\mqc\QcConsol.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-29 14:26:26
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-29 14:26:50
ComboFix-quarantined-files.txt 2008-02-29 13:26:48
ComboFix2.txt 2008-02-28 14:57:02
.
2008-02-26 21:36:48 --- E O F ---