ComboFix 08-04-11.5 - winroot 2008-04-11 15:31:20.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1670 [GMT -7:00]
Running from: C:\Documents and Settings\winroot\Desktop\ComboFix.exe
 * Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\winroot\Desktop\blackbird.jpg
C:\Documents and Settings\winroot\Desktop\EditorFKWP1.5.exe
C:\Documents and Settings\winroot\Desktop\EditorFKWP2.0.exe
C:\Documents and Settings\winroot\Desktop\filemanagerclient.exe
C:\Documents and Settings\winroot\Desktop\fkwp1.5.exe
C:\Documents and Settings\winroot\Desktop\fkwp2.0.exe
C:\Documents and Settings\winroot\Desktop\fwebd.exe
C:\Documents and Settings\winroot\Desktop\FWebdEditor.exe
C:\Documents and Settings\winroot\Desktop\Trojan.Win32.BlackBird.exe
C:\Documents and Settings\winroot\Desktop\virii
C:\WINDOWS\system32\Cache
C:\WINDOWS\system32\KQprAJlm.ini
C:\WINDOWS\system32\KQprAJlm.ini2
C:\WINDOWS\system32\melraeaw.ini
C:\WINDOWS\system32\mlJArpQK.dll
C:\WINDOWS\system32\repair~1.dll
C:\WINDOWS\system32\waearlem.dll
C:\WINDOWS\Web\def.htm
.
((((((((((((((((((((((((( Files Created from 2008-03-11 to 2008-04-11 )))))))))))))))))))))))))))))))
.
2008-04-11 15:19 . 2008-04-11 15:19 3,648 --a------ C:\WINDOWS\system32\unadckml.dll
2008-04-11 15:05 . 2008-04-11 15:05 0 --a------ C:\WINDOWS\nsreg.dat
2008-04-11 12:27 . 2008-04-11 12:27 d-------- C:\WINDOWS\resources
2008-04-11 12:20 . 2008-04-11 12:20 2,200 --a------ C:\WINDOWS\system32\tmp.reg
2008-04-11 10:00 . 2008-04-11 10:09 d-------- C:\Program Files\XoftSpySE
2008-04-11 07:43 . 2008-04-11 07:43 d--h----- C:\WINDOWS\system32\GroupPolicy
2008-04-10 14:22 . 2008-04-11 10:39 d-------- C:\Program Files\Enigma Software Group
2008-04-10 14:01 . 2008-04-10 14:01 d-------- C:\Program Files\Trend Micro
2008-04-10 13:44 . 2008-04-10 13:44 206 --a------ C:\WINDOWS\system32\MRT.INI
2008-04-10 13:09 . 2008-04-10 13:09 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-10 09:55 . 2008-04-10 10:27 d-------- C:\Program Files\Windows Defender
2008-04-09 15:56 . 2008-04-10 16:03 d-------- C:\Program Files\PC Registry Cleaner
2008-04-09 14:04 . 2008-04-10 10:32 d-------- C:\Program Files\CA Yahoo! Anti-Spy
2008-04-09 14:03 . 2008-04-10 10:32 d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-04-09 14:02 . 2008-04-10 10:32 d-------- C:\Program Files\Yahoo!
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-24 19:34 --------- d-----w C:\Program Files\Microsoft Money Plus
2008-03-10 14:38 --------- d-----w C:\Program Files\Java
2008-03-05 16:06 --------- d-----w C:\Program Files\Clever Age
2005-05-09 16:57 63,056 -c--a-w C:\Documents and Settings\winroot\Application Data\GDIPFONTCACHEV1.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MoneyInsights"="C:\Program Files\Microsoft Money Plus\MNYCoreFiles\mnyinsit.exe" [2008-02-19 10:07 502800]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2003-01-23 03:17 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2003-01-23 03:05 114688]
"vptray"="C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe" [2003-05-20 22:21 90112]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-01-11 19:54 623992]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\helpctr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

S3 usbprint;Microsoft USB PRINTER Class;C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-03 23:01]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e1425f87-de4d-11dc-891b-0002e351494a}]
\Shell\AutoRun\command - E:\.\MigWiz\migsetup.exe
.
Contents of the 'Scheduled Tasks' folder
"2008-04-11 09:25:00 C:\WINDOWS\Tasks\MP Scheduled Scan.job" - C:\Program Files\Windows Defender\MpCmdRun.exe
"2008-04-11 09:15:07 C:\WINDOWS\Tasks\SpyHunter Scanner.job" - C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe
"2008-04-11 22:37:15 C:\WINDOWS\Tasks\XoftSpySE 2.job" - C:\Program Files\XoftSpySE\XoftSpy.exe
"2008-04-11 17:00:38 C:\WINDOWS\Tasks\XoftSpySE.job" - C:\Program Files\XoftSpySE\XoftSpy.exe
.
**************************************************************************

catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-11 15:37:42
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
 -> C:\WINDOWS\System32\NavLogon.dll
.
------------------------ Other Running Processes ------------------------
.
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
.
**************************************************************************
.
Completion time: 2008-04-11 15:41:18 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-11 22:40:59

Pre-Run: 26,619,482,112 bytes free
Post-Run: 26,547,748,864 bytes free
.
2008-04-11 20:52:11 --- E O F ---