ComboFix 08-03-26.3 - A Laptop 2008-04-07 20:45:59.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.544 [GMT 8:00]
Running from: C:\Documents and Settings\A Laptop\Desktop\ComboFix.exe
.
((((((((((((((((((((((((( Files Created from 2008-03-07 to 2008-04-07 )))))))))))))))))))))))))))))))
.
2008-04-07 01:37 . 2008-04-07 14:20 d-------- C:\Program Files\Lightside - Legend Ragnarok
2008-03-29 10:02 . 2008-03-29 10:02 d-------- C:\Program Files\ERUNT
2008-03-26 00:31 . 2008-03-26 17:39 d-------- C:\Program Files\Valve
2008-03-23 19:49 . 2008-03-23 19:49 d-------- C:\Program Files\Trend Micro
2008-03-19 16:44 . 2008-04-07 00:06 d-------- C:\Program Files\Tales of Pirates Online
2008-03-18 22:02 . 2008-03-18 22:02 d-------- C:\Program Files\7-Zip
2008-03-17 16:36 . 2007-09-06 20:47 1,011 -rahs---- C:\WINDOWS\system32\peanut.vbs
2008-03-17 16:36 . 2007-09-06 20:47 1,011 -rahs---- C:\peanut.vbs
2008-03-17 16:36 . 2007-09-06 19:34 532 -rahs---- C:\WINDOWS\system32\peanut.reg
2008-03-17 16:36 . 2007-09-06 19:34 532 -rahs---- C:\peanut.reg
2008-03-12 18:20 . 2008-03-12 18:20 d-------- C:\Program Files\Foxit Software
2008-03-11 16:36 . 2008-03-11 17:14 246 --a------ C:\WINDOWS\phedit.ini
2008-03-11 16:12 . 2008-03-11 19:20 d-------- C:\Program Files\VCW VicMan's Photo Editor
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-07 11:43 --------- d-----w C:\Program Files\Mozilla Thunderbird
2008-04-07 10:08 --------- d-----w C:\Documents and Settings\A Laptop\Application Data\uTorrent
2008-04-07 08:54 --------- d-----w C:\Program Files\AlienGUIse
2008-04-06 17:33 --------- d-----w C:\Documents and Settings\A Laptop\Application Data\AVG7
2008-04-06 14:12 --------- d-----w C:\Documents and Settings\A Laptop\Application Data\MegauploadToolbar
2008-04-01 05:06 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-03-27 08:30 --------- d-----w C:\Program Files\eMule0.48a
2008-03-25 16:30 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-25 14:38 --------- d-----w C:\Program Files\Warcraft III
2008-03-25 01:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2008-03-23 07:47 --------- d-----w C:\Program Files\Norton SystemWorks
2008-03-23 05:49 --------- d-----w C:\Program Files\CoOffice Tools
2008-03-23 05:49 --------- d-----w C:\Program Files\CoOffice Server
2008-03-12 16:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-03-12 10:19 --------- d-----w C:\Program Files\Common Files\Adobe
2008-03-12 06:13 --------- d-----w C:\Program Files\SIERRA
2008-02-28 01:25 --------- d-----w C:\Documents and Settings\Guest\Application Data\AVG7
2008-02-26 16:45 --------- d-----w C:\Documents and Settings\Guest\Application Data\Thunderbird
2008-02-26 14:46 --------- d-----w C:\Documents and Settings\Guest\Application Data\Yahoo!
2008-02-26 13:12 --------- d-----w C:\Documents and Settings\Guest\Application Data\Apple Computer
2008-02-26 12:59 --------- d-----w C:\Documents and Settings\Guest\Application Data\MEGAUPLOADTOOLBAR
2008-02-26 12:59 --------- d-----w C:\Documents and Settings\Guest\Application Data\Intel
2008-02-16 13:46 --------- d-----w C:\Documents and Settings\LocalService\Application Data\AVG7
2008-02-16 13:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
2008-02-16 08:49 --------- d-----w C:\Program Files\uTorrent
2008-02-09 15:06 --------- d-----w C:\Program Files\SopCast
2008-02-07 12:27 --------- d-----w C:\Program Files\Common Files\INCA Shared
2007-09-06 11:34 532 --sha-r C:\WINDOWS\system32\peanut.reg
2007-09-06 12:47 1,011 --sha-r C:\WINDOWS\system32\peanut.vbs
.
((((((((((((((((((((((((((((( snapshot@2008-03-28_21.20.23.29 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-10-20 04:02:28 163,328 ----a-w C:\WINDOWS\erdnt\3-29-2008\ERDNT.EXE
+ 2008-03-29 02:03:11 5,210,112 ----a-w C:\WINDOWS\erdnt\3-29-2008\Users\00000001\NTUSER.DAT
+ 2008-03-29 02:03:12 217,088 ----a-w C:\WINDOWS\erdnt\3-29-2008\Users\00000002\UsrClass.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-11-06 19:51 3810544]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 11:34 5724184]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-03-15 20:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2004-08-10 04:04 59392]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2006-02-07 08:39 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2006-02-07 08:36 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2006-02-07 08:40 118784]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-07 17:07 61952 C:\WINDOWS\system32\HdAShCut.exe]
"RTHDCPL"="RTHDCPL.EXE" [2006-01-11 17:23 15961088 C:\WINDOWS\RTHDCPL.exe]
"KTPWare"="C:\Program Files\Elantech\ktp.exe" [2005-10-27 11:50 512000]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-05 12:37 667718]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-11-28 11:41 602182]
"EOUApp"="C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe" [2005-11-28 11:47 569413]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2007-11-18 14:21 100056]
"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-03-20 17:34 213936]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-01-17 11:42 58728]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-02-16 21:45 579072]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Norton SystemWorks"="C:\Program Files\Norton SystemWorks\cfgwiz.exe" [2004-09-10 10:12 132248]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-14 00:24 1694208]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-02-16 21:46 219136]

C:\Documents and Settings\Guest\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 20:24:54 98632]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
C:\Program Files\AlienGUIse\fastload.dll 2001-12-20 23:34 24576 C:\Program Files\AlienGUIse\fastload.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wbsys.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\eMule0.48a\\emule.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Shareaza\\Shareaza.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"C:\\Asiasoft Online\\GrandChase\\main.exe"=
"C:\\Program Files\\Aptana\\Aptana Studio\\jre\\bin\\javaw.exe"=
"C:\\Program Files\\LeechFTP\\Leechftp.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Valve\\hl.exe"=
"C:\\Program Files\\InterVideo\\DVD8\\WinDVD.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=

R0 PQV2i;PQV2i;C:\WINDOWS\system32\drivers\PQV2i.sys [2004-07-29 03:33]
R1 PQIMount;PQIMount;C:\WINDOWS\system32\drivers\PQIMount.sys [2004-07-29 04:13]
R3 Ktp;Elantech Touchpad;C:\WINDOWS\system32\DRIVERS\Ktp.sys [2005-11-28 19:33]
S2 Apache2.2;Apache2.2;"C:\xampp\apache\bin\apache.exe" -k runservice []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\C]
\Shell\AutoRun\command - cb.bat
\Shell\explore\Command - cb.bat
\Shell\open\Command - cb.bat

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{22a12928-95a2-11dc-90c6-0013023fb6ea}]
\Shell\AutoRun\command - E:\cb.bat
\Shell\explore\Command - E:\cb.bat
\Shell\open\Command - E:\cb.bat

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{71c1fdbc-9afa-11dc-90cb-0013023fb6ea}]
\Shell\AutoRun\command - E:\gjn2pjlw.exe
\Shell\explore\Command - E:\gjn2pjlw.exe
\Shell\open\Command - E:\gjn2pjlw.exe
.
Contents of the 'Scheduled Tasks' folder
"2008-03-27 07:15:03 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-03-29 15:03:43 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer - A Laptop.job"
- C:\PROGRA~1\NORTON~1\NORTON~3\Navw32.exeh/task:
"2008-03-15 04:00:00 C:\WINDOWS\Tasks\Norton SystemWorks One Button Checkup.job"
- C:\Program Files\Norton SystemWorks\OBC.exe
"2008-04-06 16:00:00 C:\WINDOWS\Tasks\Symantec Drmc.job"
- C:\Program Files\Common Files\Symantec Shared\SymDrmc.exe
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-07 20:49:16
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-04-07 20:49:56
ComboFix-quarantined-files.txt 2008-04-07 12:49:47
ComboFix2.txt 2008-03-28 13:20:45
Pre-Run: 4,444,844,032 bytes free
Post-Run: 4,470,956,032 bytes free
.
2008-03-12 16:23:11 --- E O F ---
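The entries in this log that a malware-removal helper would zero in on are mechanical to find: the peanut.vbs / peanut.reg pair carrying the read-only + hidden + system attribute combination (-rahs) in both C:\ and system32, the cached MountPoints2 AutoRun/open/explore handlers for C: and the two removable volumes (cb.bat and E:\gjn2pjlw.exe), and the Security Center values that silence antivirus status notifications. The following Python script is an added example, not part of the original post and not ComboFix's own code; it parses a constructed excerpt of the log above (the lines are copied from it) and returns those three indicator classes. The attribute-string layout, the handler line format and the value names it matches are taken from the log itself; the set of Security Center value names it treats as tampering is an assumption.

```python
import re
from dataclasses import dataclass, field

# Constructed excerpt: lines copied from the ComboFix log above (file-listing,
# Security Center and MountPoints2 sections), so the parser runs offline.
SAMPLE_LOG = r"""
2008-03-17 16:36 . 2007-09-06 20:47 1,011 -rahs---- C:\WINDOWS\system32\peanut.vbs
2008-03-17 16:36 . 2007-09-06 19:34 532 -rahs---- C:\peanut.reg
2008-03-18 22:02 . 2008-03-18 22:02 d-------- C:\Program Files\7-Zip
2008-03-11 16:36 . 2008-03-11 17:14 246 --a------ C:\WINDOWS\phedit.ini
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\C]
\Shell\AutoRun\command - cb.bat
\Shell\explore\Command - cb.bat
\Shell\open\Command - cb.bat
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{71c1fdbc-9afa-11dc-90cb-0013023fb6ea}]
\Shell\AutoRun\command - E:\gjn2pjlw.exe
"""

# "Files Created" entry: created . modified size attrs path. Directory entries
# carry no size field (d-------- follows the date directly), so they never match.
FILE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>[\d,]+) (?P<attrs>[-a-z]{9}) (?P<path>.+)$"
)
KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
HANDLER_RE = re.compile(r"^\\Shell\\(?P<verb>\w+)\\[Cc]ommand - (?P<cmd>.+)$")
DWORD_RE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<val>[0-9a-f]{8})$', re.I)

# Assumed list: Security Center values that, when non-zero, suppress the
# AV / firewall / update status UI. Only the first and last occur in the log.
SECURITY_CENTER_KILLS = {
    "antivirusdisablenotify", "firewalldisablenotify",
    "updatesdisablenotify", "disablemonitoring",
}


@dataclass
class Findings:
    hidden_system_files: list = field(default_factory=list)        # paths with +h +s
    autorun_handlers: list = field(default_factory=list)           # (drive, verb, cmd)
    security_center_tampering: list = field(default_factory=list)  # (key, value name)


def triage(log: str) -> Findings:
    """Walk the log once, remembering the current registry key for context."""
    found = Findings()
    current_key = None
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = FILE_RE.match(line)
        if m:
            # hidden + system on a script or .reg file is the peanut.* pattern;
            # legitimate user-created files rarely carry both attributes.
            if "h" in m["attrs"] and "s" in m["attrs"]:
                found.hidden_system_files.append(m["path"])
            continue
        m = KEY_RE.match(line)
        if m:
            current_key = m["key"].lower()
            continue
        if current_key is None:
            continue
        if "mountpoints2" in current_key:
            m = HANDLER_RE.match(line)
            if m:
                drive = current_key.rsplit("\\", 1)[-1]  # "c" or the volume GUID
                found.autorun_handlers.append((drive, m["verb"].lower(), m["cmd"]))
        elif "security center" in current_key:
            m = DWORD_RE.match(line)
            if m and m["name"].lower() in SECURITY_CENTER_KILLS and int(m["val"], 16):
                found.security_center_tampering.append((current_key, m["name"]))
    return found


def report(found: Findings) -> list:
    """One human-readable triage line per indicator."""
    out = []
    for path in found.hidden_system_files:
        out.append(f"hidden+system file: {path}")
    for drive, verb, cmd in found.autorun_handlers:
        # A cached AutoRun/open/explore handler means Explorer honoured an
        # autorun.inf on that volume; cmd is what a double-click on it runs.
        out.append(f"cached autorun handler on {drive}: {verb} -> {cmd}")
    for key, name in found.security_center_tampering:
        out.append(f"Security Center notification disabled: {key}\\{name}")
    return out


if __name__ == "__main__":
    for line in report(triage(SAMPLE_LOG)):
        print(line)
```

Two caveats when reading the output against a real log. The MountPoints2 entries are a cache of what Explorer last saw on each volume, so the C: handler (cb.bat with no path) shows that an autorun.inf was once honoured at the root of the system drive, while the E: entries only tell you which removable media carried one; the files named may no longer exist. And the DisableMonitoring values under Monitoring\SymantecAntiVirus and Monitoring\SymantecFirewall are routinely written by Symantec's own installer so that Security Center defers to the product, so on this machine only AntiVirusDisableNotify is a stand-alone signal; treat the monitoring entries as corroboration, not proof.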