ComboFix 08-12-11.04 - Administrator 2008-12-12 13:31:48.2 - NTFSx86 MINIMAL
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.166 [GMT -8:00]
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\All Users.WINDOWS\Application Data\svhost.exe
c:\documents and settings\Michael.MICHAEL-AF67F2D\Application Data\FunWebProducts
c:\documents and settings\Michael.MICHAEL-AF67F2D\Application Data\FunWebProducts\Data\Michael\avatar.dat
c:\documents and settings\Michael.MICHAEL-AF67F2D\Application Data\FunWebProducts\purasi.exe
c:\documents and settings\Michael.MICHAEL-AF67F2D\Application Data\gadcom
c:\documents and settings\Michael.MICHAEL-AF67F2D\Application Data\gadcom\losi.exe
c:\documents and settings\Michael.MICHAEL-AF67F2D\Application Data\GetModule
c:\documents and settings\Michael.MICHAEL-AF67F2D\Application Data\GetModule\dicik.gz
c:\documents and settings\Michael.MICHAEL-AF67F2D\Application Data\GetModule\kwdik.gz
c:\documents and settings\Michael.MICHAEL-AF67F2D\Application Data\GetModule\ofadik.gz
c:\documents and settings\Michael.MICHAEL-AF67F2D\Application Data\GetModule\xeros.exe
c:\documents and settings\Michael.MICHAEL-AF67F2D\Application Data\Google\spcffwl.dll
c:\documents and settings\Michael.MICHAEL-AF67F2D\Cookies\ajisuna.sys
c:\documents and settings\Michael.MICHAEL-AF67F2D\Cookies\coje.ban
c:\documents and settings\Michael.MICHAEL-AF67F2D\Cookies\dagiwameja.lib
c:\documents and settings\Michael.MICHAEL-AF67F2D\Cookies\efygihowed.vbs
c:\documents and settings\Michael.MICHAEL-AF67F2D\Cookies\wicega.scr
c:\documents and settings\Michael.MICHAEL-AF67F2D\Cookies\yhajezun._dl
c:\documents and settings\Michael.MICHAEL-AF67F2D\Cookies\ynumaforeb.scr
c:\documents and settings\NetworkService\Application Data\NetMon
c:\documents and settings\NetworkService\Application Data\NetMon\domains.txt
c:\program files\FunWebProducts
c:\program files\FunWebProducts\ScreenSaver\Images\0079EAA1.urr
c:\program files\FunWebProducts\Shared\0123C50D.dat
c:\program files\FunWebProducts\Shared\Cache\CursorManiaBtn.html
c:\program files\FunWebProducts\Shared\Cache\MailStampBtn.html
c:\program files\FunWebProducts\Shared\Cache\MyStationeryBtn.html
c:\program files\FunWebProducts\Shared\Cache\SmileyCentralBtn.html
c:\program files\GetModule
c:\program files\GetModule\GetModule31.exe
c:\program files\GetPack
c:\program files\GetPack\dictame.gz
c:\program files\GetPack\GetPack26.exe
c:\program files\GetPack\trgtame.gz
c:\program files\iCheck
c:\program files\iCheck\Uninstall.exe
c:\program files\MyWebSearch
c:\program files\MyWebSearch\bar\1.bin\F3BKGERR.JPG
c:\program files\MyWebSearch\bar\1.bin\F3SPACER.WMV
c:\program files\MyWebSearch\bar\1.bin\F3WALLPP.DAT
c:\program files\MyWebSearch\bar\1.bin\M3FFXTBR.JAR
c:\program files\MyWebSearch\bar\1.bin\M3FFXTBR.MANIFEST
c:\program files\MyWebSearch\bar\1.bin\M3IMPIPE.EXE
c:\program files\MyWebSearch\bar\1.bin\M3MSG.DLL
c:\program files\MyWebSearch\bar\1.bin\M3NTSTBR.JAR
c:\program files\MyWebSearch\bar\1.bin\M3NTSTBR.MANIFEST
c:\program files\MyWebSearch\bar\Avatar\COMMON.F3S
c:\program files\MyWebSearch\bar\Cache\001603EC.bin
c:\program files\MyWebSearch\bar\Cache\00160489.bin
c:\program files\MyWebSearch\bar\Cache\00160600.bin
c:\program files\MyWebSearch\bar\Cache\00160729.bin
c:\program files\MyWebSearch\bar\Cache\00702876
c:\program files\MyWebSearch\bar\Cache\0119B32C
c:\program files\MyWebSearch\bar\Cache\0119B6E5.bin
c:\program files\MyWebSearch\bar\Cache\0119B7CF.bin
c:\program files\MyWebSearch\bar\Cache\0119B9A4.bin
c:\program files\MyWebSearch\bar\Cache\0119BD0F.bin
c:\program files\MyWebSearch\bar\Cache\files.ini
c:\program files\MyWebSearch\bar\Game\CHECKERS.F3S
c:\program files\MyWebSearch\bar\Game\CHESS.F3S
c:\program files\MyWebSearch\bar\Game\REVERSI.F3S
c:\program files\MyWebSearch\bar\History\search2
c:\program files\MyWebSearch\bar\icons\CM.ICO
c:\program files\MyWebSearch\bar\icons\MFC.ICO
c:\program files\MyWebSearch\bar\icons\PSS.ICO
c:\program files\MyWebSearch\bar\icons\SMILEY.ICO
c:\program files\MyWebSearch\bar\icons\WB.ICO
c:\program files\MyWebSearch\bar\icons\ZWINKY.ICO
c:\program files\MyWebSearch\bar\Message\COMMON.F3S
c:\program files\MyWebSearch\bar\Notifier\COMMON.F3S
c:\program files\MyWebSearch\bar\Notifier\DOG.F3S
c:\program files\MyWebSearch\bar\Notifier\FISH.F3S
c:\program files\MyWebSearch\bar\Notifier\KUNGFU.F3S
c:\program files\MyWebSearch\bar\Notifier\LIFEGARD.F3S
c:\program files\MyWebSearch\bar\Notifier\MAID.F3S
c:\program files\MyWebSearch\bar\Notifier\MAILBOX.F3S
c:\program files\MyWebSearch\bar\Notifier\OPERA.F3S
c:\program files\MyWebSearch\bar\Notifier\ROBOT.F3S
c:\program files\MyWebSearch\bar\Notifier\SEDUCT.F3S
c:\program files\MyWebSearch\bar\Notifier\SURFER.F3S
c:\program files\MyWebSearch\bar\Settings\prevcfg2.htm
c:\program files\MyWebSearch\bar\Settings\s_pid.dat
c:\temp\1cb
c:\temp\1cb\syscheck.log
c:\temp\fse
c:\temp\fse\tmpZTF.log
c:\windows\system32\AaGhOnnn.ini
c:\windows\system32\AaGhOnnn.ini2
c:\windows\system32\awtqppnO.dll
c:\windows\system32\cngesrow.dll
c:\windows\system32\drivers\TDSSpqxt.sys
c:\windows\system32\f02WtR
c:\windows\system32\fxopbxibeiodleu.dll
c:\windows\system32\nnnOhGaA.dll
c:\windows\system32\oifkkdwi.dll
c:\windows\system32\qqmcgk.dll
c:\windows\system32\TDSScfgb.log
c:\windows\system32\TDSSfpmp.dll
c:\windows\system32\TDSSnrsr.dll
c:\windows\system32\TDSSnuxh.log
c:\windows\system32\TDSSoeqh.dll
c:\windows\system32\TDSSoiqh.dll
c:\windows\system32\TDSSosvn.dll
c:\windows\system32\TDSSpaxt.dat
c:\windows\system32\TDSSriqp.dll
c:\windows\system32\TDSSsbhc.log
c:\windows\system32\tkzzpn.dll
c:\windows\system32\uleluyko.dll
c:\windows\system32\uxbfktnt.dll
c:\windows\system32\wpv081228549770.cpx
c:\windows\system32\ydqkjrmgtybb.dll
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_TDSSSERV.SYS
-------\Legacy_TDSSSERV.SYS
((((((((((((((((((((((((( Files Created from 2008-11-12 to 2008-12-12 )))))))))))))))))))))))))))))))
.
2008-12-12 13:29 . 2008-12-12 13:29
2008-12-12 13:18 . 2008-12-12 13:19
2008-12-08 23:53 . 2008-12-08 23:53
2008-12-08 21:12 . 2008-12-08 21:12 158,208 --a------ c:\windows\system32\ndpppuyn.exe
2008-12-08 21:06 . 2008-12-08 21:07 1,525,316 --ahs---- c:\windows\system32\iwdkkfio.ini
2008-12-07 23:44 . 2008-12-07 23:44
2008-12-07 23:43 . 2008-12-07 23:43
2008-12-07 23:40 . 2008-12-07 23:40
2008-12-07 23:31 . 2008-12-07 23:31
2008-12-07 23:24 . 2008-12-08 21:01
2008-12-07 23:05 . 2008-12-07 23:05
2008-12-07 21:48 . 2008-12-07 21:48
2008-12-07 21:43 . 2008-12-07 21:43
2008-12-07 21:43 . 2008-12-07 21:43
2008-12-07 14:23 . 2008-12-07 14:23
2008-12-07 11:42 . 2008-12-07 11:42 1,479,822 --ahs---- c:\windows\system32\tntkfbxu.ini
2008-12-07 10:36 . 2008-12-07 23:40
2008-12-07 10:34 . 2008-12-07 10:35 4,729,188 --a------ c:\windows\system32\TGKO
2008-12-07 10:32 . 2008-12-07 10:32
2008-12-07 10:31 . 2008-12-07 10:32
2008-12-07 02:55 . 2008-12-07 02:55
2008-12-07 02:35 . 2008-12-07 14:38
2008-12-06 23:22 . 2008-12-08 21:05
2008-12-06 23:22 . 2008-12-07 23:32
2008-12-06 12:25 . 2008-12-06 12:25 118 --a------ c:\windows\system32\MRT.INI
2008-12-06 12:10 . 2008-12-06 12:10 53,948 --a------ c:\windows\system32\cont_globaladsolution-remove.exe
2008-12-06 12:10 . 2008-12-06 12:10 53,938 --a------ c:\windows\system32\cont_adsoftinc-remove.exe
2008-12-06 12:10 . 2008-12-06 12:10 15,683 --a------ c:\windows\zexe.dll
2008-12-06 12:09 . 2008-12-06 12:09
2008-12-06 12:09 . 2008-12-06 12:09 47,596 --a------ c:\windows\system32\qpsjsgmggkc.exe
2008-11-13 17:21 . 2008-11-13 17:21 19,669 --a------ c:\windows\system32\axofadega.db
2008-11-13 17:21 . 2008-11-13 17:21 18,968 --a------ c:\windows\azimefumiz.vbs
2008-11-13 17:21 . 2008-11-13 17:21 18,720 --a------ c:\windows\system32\tavyqu.db
2008-11-13 17:21 . 2008-11-13 17:21 18,669 --a------ c:\documents and settings\All Users.WINDOWS\Application Data\qyzifomuk.reg
2008-11-13 17:21 . 2008-11-13 17:21 18,646 --a------ c:\windows\exywumoh.dll
2008-11-13 17:21 . 2008-11-13 17:21 18,308 --a------ c:\documents and settings\All Users.WINDOWS\Application Data\afemeb.sys
2008-11-13 17:21 . 2008-11-13 17:21 13,428 --a------ c:\program files\Common Files\ycut.vbs
2008-11-13 17:21 . 2008-11-13 17:21 12,498 --a------ c:\documents and settings\Michael.MICHAEL-AF67F2D\Application Data\owix.sys
2008-11-13 17:21 . 2008-11-13 17:21 11,355 --a------ c:\windows\badubuqil.dl
2008-11-13 17:21 . 2008-11-13 17:21 10,903 --a------ c:\windows\yzyc.bin
2008-11-13 17:18 . 2008-12-07 09:44
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-07 07:37 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-12-07 07:36 --------- d-----w c:\program files\Norton Security Scan
2008-11-14 01:21 15,895 ----a-w c:\program files\Common Files\ovyvujym.ban
2008-11-14 01:21 10,350 ----a-w c:\program files\Common Files\utoby.dl
2008-11-07 19:05 30 ----a-w c:\documents and settings\Michael.MICHAEL-AF67F2D\jagex_runescape_preferences.dat
2008-10-24 11:10 453,632 ----a-w c:\windows\system32\drivers\mrxsmb.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE~\Browser Helper Objects{FDAD4DA1-61A2-4FD8-9C17-86F7AC245081}]
2008-07-28 02:47 160496 --a------ c:\program files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-12 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-08-13 122939]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 110592]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-06-06 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-06-06 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-06-06 118784]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-07-19 78008]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 132496]
"MSConfig"="c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-12 158208]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=karna.dat tkzzpn.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe"=
"%windir%\Network Diagnostic\xpnetdiag.exe"=
"c:\Documents and Settings\All Users.WINDOWS\Application Data\NexonUS\NGM\NGM.exe"=
"c:\nexon\Combat Arms\CombatArms.exe"= c:\nexon\Combat Arms\CombatArms.exe:*Enabled:CombatArms.exe
"c:\nexon\Combat Arms\Engine.exe"= c:\nexon\Combat Arms\Engine.exe:*Enabled:Engine.exe
S1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-04-04 78416]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2008-04-04 20560]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\McAfee\SiteAdvisor\McSACore.exe" [2008-12-07 206096]
.
BHO-{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - c:\windows\system32\awtqppnO.dll
BHO-{72A1BD2D-317A-A86A-D630-0CD03B546BBB} - c:\windows\system32\ydqkjrmgtybb.dll
BHO-{920D8004-903F-4FE7-B010-F01D47F2A265} - c:\windows\system32\nnnOhGaA.dll
BHO-{C585E466-C32C-7A8F-B2AA-BAC3B50C0257} - c:\windows\system32\fxopbxibeiodleu.dll
BHO-{f75c8d47-bd00-4f01-8b6c-08a166544038} - c:\windows\system32\tkzzpn.dll
Toolbar-{07B18EA9-A523-4961-B6BB-170DE4475CCA} - c:\program files\MyWebSearch\bar\1.bin\MWSBAR.DLL
HKLM-Run-My Web Search Bar Search Scope Monitor - c:\progra~1\MYWEBS~1\bar\1.bin\m3SrchMn.exe
ShellExecuteHooks-{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - c:\windows\system32\awtqppnO.dll
.
------- Supplementary Scan -------
.
mStart Page = hxxp://www.google.com
O16 -: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB}
c:\windows\Downloaded Program Files\zylomgamesplayer.dll - O16 -: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B}
hxxp://game01.zylom.com/activex/zylomgamesplayer.cab
c:\windows\Downloaded Program Files\ZylomGamesPlayer.inf
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-12 14:01:08
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Restore\rstrui.exe
.
**************************************************************************
.
Completion time: 2008-12-12 14:05:42 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-12 22:05:39
Pre-Run: 14,652,956,672 bytes free
Post-Run: 15,048,286,208 bytes free
255 --- E O F --- 2008-12-07 06:54:20