ComboFix 08-03-17.1 - Compaq_Owner 2008-03-19 16:29:38.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.510 [GMT -4:00]
Running from: C:\Documents and Settings\Compaq_Owner\Desktop\ComboFix.exe
.
((((((((((((((((((((((((( Files Created from 2008-02-19 to 2008-03-19 )))))))))))))))))))))))))))))))
.
2008-03-19 16:22 . 2008-03-19 16:22 d-------- C:\Program Files\ERUNT
2008-03-19 00:25 . 2008-03-19 00:25 d-------- C:\_OTMoveIt
2008-03-16 14:49 . 2008-03-16 14:49 d-------- C:\Program Files\zango
2008-03-16 12:39 . 2008-03-16 13:14 d-------- C:\Program Files\180search assistant
2008-03-16 11:54 . 2008-03-16 14:49 d-------- C:\Documents and Settings\All Users\Application Data\Rabio
2008-03-16 11:52 . 2008-03-19 00:23 d-------- C:\Program Files\Bat
2008-03-16 11:51 . 2008-03-16 11:51 90,544 --a------ C:\WINDOWS\system32\mgmrwmrv.exe
2008-03-16 11:51 . 2008-03-16 11:51 4 --a------ C:\WINDOWS\system32\winfrun32.bin
2008-03-08 19:16 . 2008-03-08 19:17 d-------- C:\Program Files\Macrogaming
2008-02-24 09:32 . 2008-02-24 09:32 401 --a------ C:\WINDOWS\system32\L5342.tmp
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-19 20:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-03-18 17:56 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-03-15 21:41 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-06 01:48 --------- d-----w C:\Program Files\MSN Games
2008-03-02 00:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\Oberon Games
2008-02-25 21:25 --------- d-----w C:\Documents and Settings\Compaq_Owner\Application Data\iWin
2008-02-24 03:11 --------- d-----w C:\Program Files\AIM6
2008-02-24 03:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-02-24 03:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-02-24 03:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL Downloads
2008-02-23 02:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\HipSoft
2008-02-23 00:13 --------- d-----w C:\Documents and Settings\Compaq_Owner\Application Data\Wildfire
2008-02-09 17:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\Go Go Gourmet
2008-02-09 00:43 --------- d-----w C:\Program Files\Hidden Expedition Titanic
2008-02-07 13:02 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-07 12:52 --------- d-----w C:\Program Files\EA GAMES
2008-02-07 12:48 --------- d-----w C:\Program Files\Nick Arcade
2008-02-07 12:11 --------- d-----w C:\Program Files\Common Files\Adobe
2008-02-01 15:12 --------- d-----w C:\Documents and Settings\Compaq_Owner\Application Data\PlayFirst
2008-02-01 15:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\PlayFirst
2008-01-28 23:18 --------- d-----w C:\Documents and Settings\Compaq_Owner\Application Data\Oberon Games
2008-01-20 00:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kodak
2008-01-20 00:11 --------- d-----w C:\Program Files\KODAK
2008-01-20 00:10 --------- d-----w C:\Program Files\Common Files\KODAK
2007-03-04 19:39 75,191,600 ----a-w C:\Program Files\MCF_Ravenhearst-setup.exe
2005-03-23 03:37 10,311 ----a-w C:\Program Files\uninstal.log
2002-09-11 14:26 63,730 ----a-w C:\Program Files\viewsonicinstruct_xp.pdf
2001-09-20 05:01 3,619,770 ----a-w C:\Program Files\BFR-IT.exe
2001-09-20 04:35 6,598 ----a-w C:\Program Files\readme.txt
.
((((((((((((((((((((((((((((( snapshot@2008-03-16_15.10.28.81 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-10-20 16:02:28 163,328 ----a-w C:\WINDOWS\erdnt\3-19-2008\ERDNT.EXE
+ 2008-03-19 20:24:33 6,909,952 ----a-w C:\WINDOWS\erdnt\3-19-2008\Users\00000001\NTUSER.DAT
+ 2008-03-19 20:24:33 151,552 ----a-w C:\WINDOWS\erdnt\3-19-2008\Users\00000002\UsrClass.dat
- 2008-03-16 16:06:48 53,436 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-03-16 19:12:18 53,436 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-03-16 16:06:49 381,692 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-03-16 19:12:18 381,692 ----a-w C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [ ]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15:00 15360]
"Yahoo! Pager"="~C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [ ]
"BellesBeautyBoutiqueSetup.exe"="C:\DOWNLO~1\BELLES~1.exe" [ ]
"Aim6"="~C:\Program Files\AIM6\aim6.exe" [ ]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2007-06-08 10:59 224248]
"SweetIM"="C:\Program Files\Macrogaming\SweetIM\SweetIM.exe" [2008-01-02 21:15 103712]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 02:11 132496]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 19:04 52736]
"KBD"="C:\HP\KBD\KBD.EXE" [2003-02-11 23:02 61440]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2004-04-14 23:43 233472]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-11-02 09:03 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-11-02 08:59 126976]
"AGRSMMSG"="AGRSMMSG.exe" [2005-03-04 12:01 88209 C:\WINDOWS\AGRSMMSG.exe]
"PS2"="C:\WINDOWS\system32\ps2.exe" [2003-09-12 23:13 98304]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 02:41 8523776]
"nwiz"="nwiz.exe" [2007-12-05 02:41 1626112 C:\WINDOWS\system32\nwiz.exe]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 15:18 241664]
"CmUsbSound"="cmcnfgu.cpl" []
"C-Media Mixer"="Mixer.exe" [2002-01-28 04:16 1228800 C:\WINDOWS\mixer.exe]
"PLNRNote"="C:\Program Files\SierraHome\Hallmark Card Studio Special Edition\Planner\PLNRNote.exe" [2004-11-23 08:24 30720]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 19:58 282624]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-10-30 10:36 256576]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 22:59 115816]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [2006-09-05 22:22 26248]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 11:09 63712]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2007-06-08 10:59 224248]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-11-28 20:51 583048]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 12:50 155648]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-12-05 02:41 81920]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"SweetIM"="C:\Program Files\Macrogaming\SweetIM\SweetIM.exe" [2008-01-02 21:15 103712]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-11-01 00:04:27 113664]
Compaq Connections.lnk - C:\Program Files\Compaq Connections\6750491\Program\Compaq Connections.exe [2004-08-09 04:59:58 16423]
hpoddt01.exe.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-04-06 02:06:58 28672]
officejet 6100.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe [2003-04-06 01:37:38 147456]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Compaq Connections\\6750491\\Program\\Compaq Connections.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Red Storm Entertainment\\RavenShield\\system\\RavenShield.exe"=
"C:\\Program Files\\ubi.com\\Core\\GS4.exe"=
"C:\\WINDOWS\\system32\\java.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 17:38]
S3 cmudau;C-Media USB Sound Interface;C:\WINDOWS\system32\drivers\cmudau.sys [2004-08-18 03:26]

*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2008-03-15 00:00:00 C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - Compaq_Owner.job"
- C:\PROGRA~1\NORTON~1\NORTON~1\Navw32.exeh/TASK:
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-19 16:34:18
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-03-19 16:35:28
ComboFix-quarantined-files.txt 2008-03-19 20:35:08
ComboFix2.txt 2008-03-18 01:21:22
ComboFix3.txt 2008-03-16 19:11:03
.
2008-03-12 07:02:07 --- E O F ---