ComboFix 08-05-24.1 - Ty 2008-05-26 20:29:24.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.164 [GMT -4:00]
Running from: C:\Documents and Settings\Ty\Desktop\geekstogo\ComboFix.exe
Command switches used :: C:\Documents and Settings\Ty\Desktop\CFScript.txt
* Created a new restore point
FILE ::
C:\Document\Tyler\Local Settings\Application Data\Microsoft\Messenger\tyler_johnston182@hotmail.com\SharingMetadata\fitzy__7@hotmail.com\DFSR\Staging\CS{F78A4C01-59CA-B906-B83F-EB4F9CC3D36D}\29\29-{2B~1.FRX
C:\Documents and Settings\Ty\Desktop\packed PI\Lukes\Logitech Private Edition 1.1.2.exe
C:\Documents and Settings\Ty\Desktop\packed PI\Lukes\Logitech Private Webcam Servers INC.zip
C:\Documents and Settings\Ty\Desktop\RATs\Pi_2.3.2_Unpacked\UnPacked Poison Ivy 2.3.2.exe
C:\Documents and Settings\Ty\Desktop\RATs\Pi_2.3.2_Unpacked_protocol_.rar
C:\Documents and Settings\Ty\Desktop\RATs\Sub7 v2.1.5 Legends.zip
C:\Documents and Settings\Tyler\My Documents\Downloads\Hillbilly Love Song.exe
C:\Documents and Settings\Tyler\My Documents\Downloads\Hot Chick Plays With Pussy! Webcam [Live Stream].exe
C:\Documents and Settings\Tyler\My Documents\Downloads\Limewire PRO.exe
C:\Documents and Settings\Tyler\My Documents\Downloads\Rapidshare Premium Acount Generator.exe
C:\Documents and Settings\Tyler\My Documents\Downloads\Rockband for PC.exe
C:\Documents and Settings\Tyler\My Documents\Downloads\Two girls guzzling cum and taking anal.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Document\Tyler\Local Settings\Application Data\Microsoft\Messenger\tyler_johnston182@hotmail.com\SharingMetadata\fitzy__7@hotmail.com\DFSR\Staging\CS{F78A4C01-59CA-B906-B83F-EB4F9CC3D36D}\29\29-{2B~1.FRX
C:\Documents and Settings\Ty\Desktop\packed PI\Lukes\Logitech Private Edition 1.1.2.exe
C:\Documents and Settings\Ty\Desktop\packed PI\Lukes\Logitech Private Webcam Servers INC.zip
C:\Documents and Settings\Ty\Desktop\RATs\Pi_2.3.2_Unpacked\UnPacked Poison Ivy 2.3.2.exe
C:\Documents and Settings\Ty\Desktop\RATs\Pi_2.3.2_Unpacked_protocol_.rar
C:\Documents and Settings\Ty\Desktop\RATs\Sub7 v2.1.5 Legends.zip
C:\Documents and Settings\Tyler\My Documents\Downloads\Hillbilly Love Song.exe
C:\Documents and Settings\Tyler\My Documents\Downloads\Hot Chick Plays With Pussy! Webcam [Live Stream].exe
C:\Documents and Settings\Tyler\My Documents\Downloads\Limewire PRO.exe
C:\Documents and Settings\Tyler\My Documents\Downloads\Rapidshare Premium Acount Generator.exe
C:\Documents and Settings\Tyler\My Documents\Downloads\Rockband for PC.exe
C:\Documents and Settings\Tyler\My Documents\Downloads\Two girls guzzling cum and taking anal.exe
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_NAVAPSVC
-------\Service_navapsvc
((((((((((((((((((((((((( Files Created from 2008-04-27 to 2008-05-27 )))))))))))))))))))))))))))))))
.
2008-05-25 13:51 . 2008-05-25 13:51 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-25 13:51 . 2008-05-25 13:51 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-25 13:24 . 2008-05-25 13:24 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-25 13:24 . 2008-05-25 13:24 d-------- C:\Documents and Settings\Ty\Application Data\Malwarebytes
2008-05-25 13:24 . 2008-05-25 13:24 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-25 13:24 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-05-25 13:24 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-05-25 09:00 . 2008-05-25 09:00 d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2008-05-25 08:55 . 2008-05-25 08:55 d-------- C:\Documents and Settings\Ty\Application Data\Lavasoft
2008-05-25 08:48 . 2008-05-25 08:48 d-------- C:\SavedPetz
2008-05-24 21:06 . 2008-05-24 21:06 d-------- C:\Documents and Settings\Ty\Application Data\Uniblue
2008-05-22 21:48 . 2008-05-24 21:41 d-------- C:\Documents and Settings\Administrator
2008-05-17 21:54 . 2008-05-24 21:35 d-------- C:\Program Files\Common Files\Adobe
2008-05-10 15:42 . 2008-05-10 15:42 d-------- C:\Documents and Settings\Ty\Application Data\PenProtect
2008-05-10 10:55 . 2008-05-10 10:55 d-------- C:\Documents and Settings\Ty\Incomplete
2008-05-10 10:55 . 2008-05-11 00:52 d-------- C:\Documents and Settings\Ty\Application Data\LimeWire
2008-05-10 09:41 . 2008-05-21 18:35 d-------- C:\Program Files\Obsidium Software Protection System
2008-05-07 22:36 . 2008-05-07 22:36 140,096 --a------ C:\WINDOWS\system32\comdlg32.ocx
2008-05-07 21:23 . 2008-05-07 21:23 0 --a------ C:\WINDOWS\game.INI
2008-05-06 19:10 . 2008-05-06 19:10 d-------- C:\WINDOWS\BBSTORE
2008-05-06 19:10 . 2008-05-06 19:13 d-------- C:\Program Files\The Learning Company
2008-05-06 19:10 . 2008-05-06 19:10 0 --a------ C:\WINDOWS\SETUP32.INI
2008-05-05 23:36 . 2008-05-07 22:36 389,120 ---hs---- C:\WINDOWS\system32\actskn43.ocx
2008-05-05 23:36 . 2008-05-05 23:36 147,456 --a------ C:\WINDOWS\system32\XTab.ocx
2008-05-04 20:56 . 2008-05-04 20:56 d-------- C:\WINDOWS\Sun
2008-05-03 19:05 . 2008-05-03 19:05 d--h----- C:\WINDOWS\PIF
2008-05-03 15:04 . 2008-05-03 15:04 d-------- C:\Program Files\Hex Workshop
2008-04-29 05:26 . 2008-05-03 13:50 d-------- C:\Documents and Settings\Ty\workspace
2008-04-29 05:25 . 2008-04-29 05:25 d-------- C:\Program Files\Sun
2008-04-29 05:25 . 2008-03-25 02:37 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-04-29 05:22 . 2008-04-29 05:22 d-------- C:\Program Files\Common Files\Java
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-26 20:41 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-05-25 13:44 --------- d-----w C:\Program Files\FlashGet
2008-05-25 12:48 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-25 01:33 --------- d-----w C:\Program Files\ArtMoney
2008-05-25 01:30 --------- d-----w C:\Program Files\No-IP
2008-04-29 09:25 --------- d-----w C:\Program Files\Java
2008-04-21 00:01 --------- d-----w C:\Program Files\SuperScan
2008-04-19 01:14 --------- d-----w C:\Program Files\THQ
2008-04-17 01:23 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-14 22:43 --------- d-----w C:\Program Files\IRCPlus
2008-04-14 22:33 --------- d-----w C:\Documents and Settings\Ty\Application Data\Ventrilo
2008-04-14 21:55 --------- d-----w C:\Documents and Settings\Ty\Application Data\mIRC
2008-04-14 21:53 --------- d-----w C:\Program Files\mIRC
2008-04-12 20:51 --------- d-----w C:\Documents and Settings\Ty\Application Data\Apple Computer
2008-04-12 20:50 --------- d-----w C:\Documents and Settings\Ty\Application Data\vlc
2008-04-12 03:31 --------- d-----w C:\Documents and Settings\abc\Application Data\ATI
2008-04-03 07:14 --------- d-----w C:\Documents and Settings\Ty\Application Data\ATI
2008-04-01 21:31 --------- d-----w C:\Program Files\MSN Messenger
.
((((((((((((((((((((((((((((( snapshot@2008-05-25_10.56.19.87 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-25 14:46:17 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-27 00:34:43 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2005-05-24 16:27:16 213,048 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
+ 2007-08-29 19:47:20 94,208 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
+ 2007-08-29 19:49:54 950,272 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 13:54 5674352]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:00 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2006-09-12 10:58 16264192 C:\WINDOWS\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [2006-05-16 12:04 2879488 C:\WINDOWS\SkyTel.exe]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 13:35 90112]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2002-08-19 23:22 50880]
"ccRegVfy"="C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe" [2002-08-19 23:23 34504]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-12-11 11:56 286720]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"@"="" []
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\mIRC\\WangScript\\mirc.exe"=
"C:\\Games\\Shaiya\\Updater.exe"=
"C:\\Program Files\\IRCPlus\\IRCPlus.exe"=
"C:\\Program Files\\mIRC\\mirc.exe"=
"C:\\Documents and Settings\\Ty\\Desktop\\New Folder\\winmx354b4.exe"=
"C:\\Documents and Settings\\Ty\\Desktop\\eclipse-java-europa-winter-win32\\eclipse\\eclipse.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\VentSrv\\ventrilo_srv.exe"=
S2 IRCPlus;IRCPlus;C:\Program Files\IRCPlus\IRCPlus.exe [1999-10-17 21:46]
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{2ED6983B-328F-E271-B6B8-A5F09F42CBA8}]
C:\WINDOWS\system32:msnmsgr.exe
.
Contents of the 'Scheduled Tasks' folder
"2008-05-21 02:31:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-05-17 00:00:00 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job"
- C:\PROGRA~1\NORTON~1\NAVW32.exeG/task:C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec\NORTON~1\Tasks\mycomp.sca
"2008-05-27 00:37:00 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-26 20:35:12
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\UAService7.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSCNo.exe
C:\Program Files\Messenger\msmsgs.exe
.
**************************************************************************
.
Completion time: 2008-05-26 20:40:55 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-27 00:40:51
ComboFix2.txt 2008-05-25 16:50:54
ComboFix3.txt 2008-05-25 14:57:53
Pre-Run: 5,410,246,656 bytes free
Post-Run: 5,419,773,952 bytes free
184 --- E O F --- 2008-05-16 01:33:55