06-17-2008, 01:33 PM   #10
Robbyj717
Registered User
Join Date: Jan 2008
Posts: 20
OS: windows xp


Re: Suspected malware

ComboFix 08-06-16.5 - Owner 2008-06-17 14:12:33.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2041 [GMT -5:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Owner\My Documents\MANTEC~1
C:\Program Files\icroso~1
C:\WINDOWS\cookies.ini
C:\WINDOWS\Downloaded Program Files\setup.inf
C:\WINDOWS\lfn.exe
C:\WINDOWS\mainms.vpi
C:\WINDOWS\portsv.exe
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\cxvhxoks.dll
C:\WINDOWS\system32\dwwucsvr.ini
C:\WINDOWS\system32\gside.exe
C:\WINDOWS\system32\kgubutaw.ini
C:\WINDOWS\system32\KRqBeMoq.ini
C:\WINDOWS\system32\KRqBeMoq.ini2
C:\WINDOWS\system32\lopopuju.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\system32\mysidesearch_sidebar_uninstall.exe
C:\WINDOWS\system32\nvfweblw.dll
C:\WINDOWS\system32\tvuuioqx.dll
C:\WINDOWS\system32\winpfz33.sys
C:\WINDOWS\system32\xqoiuuvt.ini

.
((((((((((((((((((((((((( Files Created from 2008-05-17 to 2008-06-17 )))))))))))))))))))))))))))))))
.

2008-06-17 12:38 . 2008-06-17 12:38 <DIR> d-------- C:\WINDOWS\ERUNT
2008-06-16 21:50 . 2008-06-16 21:50 118 --a------ C:\WINDOWS\system32\MRT.INI
2008-06-16 20:58 . 2008-04-14 06:01 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-09 03:47 . 2008-06-09 03:47 <DIR> d-------- C:\Deckard
2008-06-09 03:33 . 2008-06-09 03:33 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-06-09 02:29 . 2008-06-09 02:29 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-06-09 02:29 . 2008-06-09 02:29 1,152 --a------ C:\WINDOWS\system32\windrv.sys
2008-06-09 01:49 . 2008-06-09 01:49 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-06-09 01:31 . 2004-05-12 06:29 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2008-06-09 01:31 . 2004-05-13 00:57 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2008-06-09 01:31 . 2004-05-12 07:05 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SampleView
2008-06-09 01:31 . 2008-06-09 01:31 <DIR> d-------- C:\Documents and Settings\Administrator
2008-06-09 01:22 . 2008-06-08 21:55 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-06-09 00:58 . 2008-06-17 13:05 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-06-09 00:58 . 2007-12-10 13:53 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-06-09 00:58 . 2007-12-10 13:53 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-06-09 00:58 . 2008-02-01 11:55 42,376 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-06-09 00:58 . 2007-12-10 13:53 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-06-08 23:54 . 2008-06-08 21:55 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-06-08 22:37 . 2008-06-16 21:49 1,374 --a------ C:\WINDOWS\imsins.BAK
2008-06-08 21:56 . 2008-06-08 21:55 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-06-08 21:56 . 2008-06-08 21:55 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-06-08 21:56 . 2008-06-08 21:55 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-06-08 21:56 . 2008-06-08 21:55 82,944 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-06-08 21:56 . 2008-06-08 21:55 82,944 --a------ C:\WINDOWS\system32\404Fix.exe
2008-06-08 21:56 . 2008-06-08 21:55 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-06-08 21:56 . 2008-06-09 01:38 880 --a------ C:\WINDOWS\system32\tmp.reg
2008-06-08 21:31 . 2008-06-17 14:18 6,224 --a------ C:\WINDOWS\system32\Config.MPF
2008-06-08 21:22 . 2008-06-08 21:22 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\SiteAdvisor
2008-06-08 21:21 . 2008-06-08 21:33 <DIR> d-------- C:\Program Files\SiteAdvisor
2008-06-08 21:21 . 2008-06-09 02:24 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\SiteAdvisor
2008-06-08 21:21 . 2008-06-08 21:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2008-06-08 21:19 . 2006-03-03 08:07 143,360 --a------ C:\WINDOWS\system32\dunzip32.dll
2008-06-08 21:17 . 2007-11-22 06:44 201,320 --a------ C:\WINDOWS\system32\drivers\mfehidk.sys
2008-06-08 21:17 . 2007-11-22 06:44 79,304 --a------ C:\WINDOWS\system32\drivers\mfeavfk.sys
2008-06-08 21:17 . 2007-12-02 12:51 40,488 --a------ C:\WINDOWS\system32\drivers\mfesmfk.sys
2008-06-08 21:17 . 2007-11-22 06:44 35,240 --a------ C:\WINDOWS\system32\drivers\mfebopk.sys
2008-06-08 21:17 . 2007-11-22 06:44 33,832 --a------ C:\WINDOWS\system32\drivers\mferkdk.sys
2008-06-08 21:16 . 2007-07-13 06:20 113,952 --a------ C:\WINDOWS\system32\drivers\Mpfp.sys
2008-06-08 21:15 . 2008-06-08 21:15 <DIR> d-------- C:\Program Files\McAfee.com
2008-06-08 21:15 . 2008-06-09 01:06 <DIR> d-------- C:\Program Files\Common Files\McAfee
2008-06-08 21:14 . 2008-06-09 01:42 <DIR> d-------- C:\Program Files\McAfee
2008-06-08 21:08 . 2008-06-09 00:16 <DIR> d-------- C:\WINDOWS\system32\5076
2008-06-08 21:08 . 2008-06-08 21:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2008-06-04 21:13 . 2008-06-16 20:55 117 --a------ C:\WINDOWS\BMaf8893fe.xml
2008-06-04 16:18 . 2008-06-04 16:18 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-06-04 16:18 . 2008-06-04 16:18 1,409 --a------ C:\WINDOWS\QTFont.for
2008-06-04 16:09 . 2008-06-04 16:09 401,972 --a------ C:\WINDOWS\system32\g3.exe
2008-06-04 11:47 . 2008-06-04 11:47 9,662 --a------ C:\WINDOWS\system32\ZoneAlarmIconUS.ico
2008-06-04 11:36 . 2008-06-08 23:33 <DIR> d-------- C:\WINDOWS\system32\Vco1
2008-06-04 11:36 . 2008-06-09 02:01 <DIR> d-------- C:\WINDOWS\system32\sTMP
2008-06-04 11:36 . 2008-06-09 02:01 <DIR> d-------- C:\WINDOWS\system32\fIE
2008-06-04 11:36 . 2008-06-09 02:00 <DIR> d-------- C:\WINDOWS\system32\Dev3
2008-06-04 11:36 . 2008-06-08 23:15 <DIR> d-------- C:\WINDOWS\system32\a053
2008-06-04 11:36 . 2008-06-08 23:15 <DIR> d-------- C:\WINDOWS\system32\6026c

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-17 19:18 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-09 02:13 --------- d-----w C:\Program Files\Symantec
2008-06-09 02:13 --------- d-----w C:\Program Files\Norton AntiVirus
2008-06-09 02:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-06-05 14:11 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-13 19:05 --------- d-----w C:\Program Files\World of Warcraft
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-04-11 02:27 3,884 ----a-w C:\WINDOWS\viassary-hp.reg
2008-01-13 16:12 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
2006-06-12 06:17 0 ----a-w C:\Documents and Settings\Owner\ignorelist.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F632550A-A855-4203-983A-0C2362C98401}]
C:\WINDOWS\system32\qoMeBqRK.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6145\SiteAdv.exe" [2007-06-21 15:06 36640]
"McENUI"="C:\PROGRA~1\McAfee\MHN\McENUI.exe" [2007-11-30 05:42 1164576]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-11-01 19:12 582992]
"ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe" [2008-04-10 15:14 1107848]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

R3 Alpham;Ideazon Merc Composite Keyboard Driver;C:\WINDOWS\system32\DRIVERS\Alpham.sys [2005-12-04 13:55]

.
Contents of the 'Scheduled Tasks' folder
"2008-06-09 02:16:12 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe'
"2008-06-09 02:16:11 C:\WINDOWS\Tasks\McQcTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe
"2008-06-03 01:00:00 C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - Owner.job"
- C:\Program Files\Norton Internet Security\Norton AntiVirus\Navw32.exeh/TASK:
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-17 14:18:50
Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:
ZwClose

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe
-> C:\Program Files\SiteAdvisor\6145\saHook.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\gearsec.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe
C:\PROGRA~1\COMMON~1\McAfee\McProxy\McProxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\Mcshield.exe
C:\Program Files\McAfee\MPF\MpfSrv.exe
C:\Program Files\McAfee\MSK\msksrver.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\SiteAdvisor\6145\SAService.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\PROGRA~1\McAfee\MSC\mcuimgr.exe
.
**************************************************************************
.
Completion time: 2008-06-17 14:22:11 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-17 19:22:04

Pre-Run: 115,792,863,232 bytes free
Post-Run: 115,772,567,552 bytes free

175 --- E O F --- 2008-06-17 02:51:20
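Added example, not part of the post above and not ComboFix's own code: a small Python triage script that parses the "Reg Loading Points" block in the REGEDIT4-style format ComboFix prints and flags the entries a responder would act on first in a log like this one. In the log above those are the Browser Helper Object that loads a randomly-named DLL out of system32, the two Security Center entries with DisableMonitoring set to 1, and the Windows Firewall standard profile with EnableFirewall set to 0. The sample block is copied from the log; the key patterns matched, the case-transition heuristic used to call a filename "random-looking", and its threshold are assumptions of this example, not ComboFix semantics, and the heuristic is only meant to rank what to look at, not to declare anything malicious.

```python
"""Triage of the 'Reg Loading Points' block of a ComboFix log (added example)."""
import re
from typing import Dict, List, Tuple

# Sample block copied from the ComboFix log in the post (the page's own data).
SAMPLE = r"""
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F632550A-A855-4203-983A-0C2362C98401}]
C:\WINDOWS\system32\qoMeBqRK.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6145\SiteAdv.exe" [2007-06-21 15:06 36640]
"McENUI"="C:\PROGRA~1\McAfee\MHN\McENUI.exe" [2007-11-30 05:42 1164576]
"ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe" [2008-04-10 15:14 1107848]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

# Windows path ending in a loadable module; ComboFix appends "[date size]" after it.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\[\]]+?\.(?:dll|exe|sys|ocx)', re.IGNORECASE)
# "name"=data  (ComboFix prints value lines in .reg syntax, data possibly annotated)
VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"\s*=\s*(?P<data>.*)$')


def parse_reg_points(text: str) -> Dict[str, List[str]]:
    """Split the REGEDIT4-style dump into {registry key: [value lines]}."""
    entries: Dict[str, List[str]] = {}
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "REGEDIT4":
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            entries.setdefault(key, [])
        elif key is not None:
            entries[key].append(line)  # bare path lines (BHOs) or "name"=data lines
    return entries


def case_transitions(stem: str) -> int:
    """Count lower<->upper switches after the first character of a filename stem."""
    body = [c for c in stem[1:] if c.isalpha()]
    return sum(1 for a, b in zip(body, body[1:]) if a.islower() != b.islower())


def looks_random(stem: str) -> bool:
    """Heuristic (assumption of this example): names like qoMeBqRK flip case far
    more often than vendor names like SiteAdv or pctsTray. Threshold chosen by hand."""
    return len(stem) >= 6 and case_transitions(stem) >= 4


def dword_value(data: str) -> int:
    """Read 'dword:00000001' or the '0 (0x0)' form ComboFix uses; -1 if unparseable."""
    m = re.search(r'dword:([0-9a-fA-F]{8})', data)
    if m:
        return int(m.group(1), 16)
    m = re.match(r'\s*(\d+)', data)
    return int(m.group(1)) if m else -1


def triage(text: str) -> List[Tuple[str, str, str]]:
    """Return (severity, key, detail) findings in the order the keys appear."""
    findings: List[Tuple[str, str, str]] = []
    for key, values in parse_reg_points(text).items():
        k = key.lower()
        leaf = key.rsplit("\\", 1)[-1]
        for v in values:
            m = VALUE_RE.match(v)
            name = m.group("name").lower() if m else ""
            data = m.group("data") if m else v
            if "security center\\monitoring" in k and name == "disablemonitoring" and dword_value(data) != 0:
                findings.append(("high", key, f"Security Center monitoring disabled for {leaf}"))
            elif "firewallpolicy" in k and name == "enablefirewall" and dword_value(data) == 0:
                findings.append(("high", key, f"Windows Firewall disabled for {leaf}"))
            for path in PATH_RE.findall(data):
                stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
                if looks_random(stem):
                    what = "BHO" if "browser helper objects" in k else "autostart"
                    findings.append(("high", key, f"{what} loads random-looking module {path}"))
    return findings


if __name__ == "__main__":
    for severity, key, detail in triage(SAMPLE):
        print(f"[{severity}] {detail}\n    key: {key}")
```

Run against the sample it reports four findings: the BHO DLL qoMeBqRK.dll, DisableMonitoring for McAfeeAntiVirus and McAfeeFirewall, and EnableFirewall=0 for the standard profile, while the legitimate Run entries (ctfmon, SiteAdv, McENUI, pctsTray) pass the name check. The Security Center and firewall checks are the ones worth trusting; the name heuristic is deliberately crude and a real triage would pair it with a hash lookup or a signature check on the file.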