ComboFix 08-05-24.1 - Ty 2008-05-26 20:29:24.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.164 [GMT -4:00]
Running from: C:\Documents and Settings\Ty\Desktop\geekstogo\ComboFix.exe
Command switches used :: C:\Documents and Settings\Ty\Desktop\CFScript.txt
 * Created a new restore point

FILE ::
C:\Document\Tyler\Local Settings\Application Data\Microsoft\Messenger\tyler_johnston182@hotmail.com\SharingMetadata\fitzy__7@hotmail.com\DFSR\Staging\CS{F78A4C01-59CA-B906-B83F-EB4F9CC3D36D}\29\29-{2B~1.FRX
C:\Documents and Settings\Ty\Desktop\packed PI\Lukes\Logitech Private Edition 1.1.2.exe
C:\Documents and Settings\Ty\Desktop\packed PI\Lukes\Logitech Private Webcam Servers INC.zip
C:\Documents and Settings\Ty\Desktop\RATs\Pi_2.3.2_Unpacked\UnPacked Poison Ivy 2.3.2.exe
C:\Documents and Settings\Ty\Desktop\RATs\Pi_2.3.2_Unpacked_protocol_.rar
C:\Documents and Settings\Ty\Desktop\RATs\Sub7 v2.1.5 Legends.zip
C:\Documents and Settings\Tyler\My Documents\Downloads\Hillbilly Love Song.exe
C:\Documents and Settings\Tyler\My Documents\Downloads\Hot Chick Plays With Pussy! Webcam [Live Stream].exe
C:\Documents and Settings\Tyler\My Documents\Downloads\Limewire PRO.exe
C:\Documents and Settings\Tyler\My Documents\Downloads\Rapidshare Premium Acount Generator.exe
C:\Documents and Settings\Tyler\My Documents\Downloads\Rockband for PC.exe
C:\Documents and Settings\Tyler\My Documents\Downloads\Two girls guzzling cum and taking anal.exe
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Document\Tyler\Local Settings\Application Data\Microsoft\Messenger\tyler_johnston182@hotmail.com\SharingMetadata\fitzy__7@hotmail.com\DFSR\Staging\CS{F78A4C01-59CA-B906-B83F-EB4F9CC3D36D}\29\29-{2B~1.FRX
C:\Documents and Settings\Ty\Desktop\packed PI\Lukes\Logitech Private Edition 1.1.2.exe
C:\Documents and Settings\Ty\Desktop\packed PI\Lukes\Logitech Private Webcam Servers INC.zip
C:\Documents and Settings\Ty\Desktop\RATs\Pi_2.3.2_Unpacked\UnPacked Poison Ivy 2.3.2.exe
C:\Documents and Settings\Ty\Desktop\RATs\Pi_2.3.2_Unpacked_protocol_.rar
C:\Documents and Settings\Ty\Desktop\RATs\Sub7 v2.1.5 Legends.zip
C:\Documents and Settings\Tyler\My Documents\Downloads\Hillbilly Love Song.exe
C:\Documents and Settings\Tyler\My Documents\Downloads\Hot Chick Plays With Pussy! Webcam [Live Stream].exe
C:\Documents and Settings\Tyler\My Documents\Downloads\Limewire PRO.exe
C:\Documents and Settings\Tyler\My Documents\Downloads\Rapidshare Premium Acount Generator.exe
C:\Documents and Settings\Tyler\My Documents\Downloads\Rockband for PC.exe
C:\Documents and Settings\Tyler\My Documents\Downloads\Two girls guzzling cum and taking anal.exe
.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NAVAPSVC
-------\Service_navapsvc


(((((((((((((((((((((((((   Files Created from 2008-04-27 to 2008-05-27   )))))))))))))))))))))))))))))))
.

2008-05-25 13:51 . 2008-05-25 13:51            d--------   C:\WINDOWS\system32\Kaspersky Lab
2008-05-25 13:51 . 2008-05-25 13:51            d--------   C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-25 13:24 . 2008-05-25 13:24            d--------   C:\Program Files\Malwarebytes' Anti-Malware
2008-05-25 13:24 . 2008-05-25 13:24            d--------   C:\Documents and Settings\Ty\Application Data\Malwarebytes
2008-05-25 13:24 . 2008-05-25 13:24            d--------   C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-25 13:24 . 2008-05-05 20:46    27,048  --a------   C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-05-25 13:24 . 2008-05-05 20:46    15,864  --a------   C:\WINDOWS\system32\drivers\mbam.sys
2008-05-25 09:00 . 2008-05-25 09:00            d--------   C:\Documents and Settings\All Users\Application Data\McAfee
2008-05-25 08:55 . 2008-05-25 08:55            d--------   C:\Documents and Settings\Ty\Application Data\Lavasoft
2008-05-25 08:48 . 2008-05-25 08:48            d--------   C:\SavedPetz
2008-05-24 21:06 . 2008-05-24 21:06            d--------   C:\Documents and Settings\Ty\Application Data\Uniblue
2008-05-22 21:48 . 2008-05-24 21:41            d--------   C:\Documents and Settings\Administrator
2008-05-17 21:54 . 2008-05-24 21:35            d--------   C:\Program Files\Common Files\Adobe
2008-05-10 15:42 . 2008-05-10 15:42            d--------   C:\Documents and Settings\Ty\Application Data\PenProtect
2008-05-10 10:55 . 2008-05-10 10:55            d--------   C:\Documents and Settings\Ty\Incomplete
2008-05-10 10:55 . 2008-05-11 00:52            d--------   C:\Documents and Settings\Ty\Application Data\LimeWire
2008-05-10 09:41 . 2008-05-21 18:35            d--------   C:\Program Files\Obsidium Software Protection System
2008-05-07 22:36 . 2008-05-07 22:36   140,096  --a------   C:\WINDOWS\system32\comdlg32.ocx
2008-05-07 21:23 . 2008-05-07 21:23         0  --a------   C:\WINDOWS\game.INI
2008-05-06 19:10 . 2008-05-06 19:10            d--------   C:\WINDOWS\BBSTORE
2008-05-06 19:10 . 2008-05-06 19:13            d--------   C:\Program Files\The Learning Company
2008-05-06 19:10 . 2008-05-06 19:10         0  --a------   C:\WINDOWS\SETUP32.INI
2008-05-05 23:36 . 2008-05-07 22:36   389,120  ---hs----   C:\WINDOWS\system32\actskn43.ocx
2008-05-05 23:36 . 2008-05-05 23:36   147,456  --a------   C:\WINDOWS\system32\XTab.ocx
2008-05-04 20:56 . 2008-05-04 20:56            d--------   C:\WINDOWS\Sun
2008-05-03 19:05 . 2008-05-03 19:05            d--h-----   C:\WINDOWS\PIF
2008-05-03 15:04 . 2008-05-03 15:04            d--------   C:\Program Files\Hex Workshop
2008-04-29 05:26 . 2008-05-03 13:50            d--------   C:\Documents and Settings\Ty\workspace
2008-04-29 05:25 . 2008-04-29 05:25            d--------   C:\Program Files\Sun
2008-04-29 05:25 . 2008-03-25 02:37    69,632  --a------   C:\WINDOWS\system32\javacpl.cpl
2008-04-29 05:22 . 2008-04-29 05:22            d--------   C:\Program Files\Common Files\Java

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-26 20:41 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-05-25 13:44 --------- d-----w C:\Program Files\FlashGet
2008-05-25 12:48 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-25 01:33 --------- d-----w C:\Program Files\ArtMoney
2008-05-25 01:30 --------- d-----w C:\Program Files\No-IP
2008-04-29 09:25 --------- d-----w C:\Program Files\Java
2008-04-21 00:01 --------- d-----w C:\Program Files\SuperScan
2008-04-19 01:14 --------- d-----w C:\Program Files\THQ
2008-04-17 01:23 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-14 22:43 --------- d-----w C:\Program Files\IRCPlus
2008-04-14 22:33 --------- d-----w C:\Documents and Settings\Ty\Application Data\Ventrilo
2008-04-14 21:55 --------- d-----w C:\Documents and Settings\Ty\Application Data\mIRC
2008-04-14 21:53 --------- d-----w C:\Program Files\mIRC
2008-04-12 20:51 --------- d-----w C:\Documents and Settings\Ty\Application Data\Apple Computer
2008-04-12 20:50 --------- d-----w C:\Documents and Settings\Ty\Application Data\vlc
2008-04-12 03:31 --------- d-----w C:\Documents and Settings\abc\Application Data\ATI
2008-04-03 07:14 --------- d-----w C:\Documents and Settings\Ty\Application Data\ATI
2008-04-01 21:31 --------- d-----w C:\Program Files\MSN Messenger
.
(((((((((((((((((((((((((((((   snapshot@2008-05-25_10.56.19.87   )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-25 14:46:17      2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-27 00:34:43      2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2005-05-24 16:27:16    213,048 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
+ 2007-08-29 19:47:20     94,208 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
+ 2007-08-29 19:49:54    950,272 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 13:54 5674352]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2006-09-12 10:58 16264192 C:\WINDOWS\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [2006-05-16 12:04 2879488 C:\WINDOWS\SkyTel.exe]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 13:35 90112]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2002-08-19 23:22 50880]
"ccRegVfy"="C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe" [2002-08-19 23:23 34504]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-12-11 11:56 286720]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"@"="" []

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\mIRC\\WangScript\\mirc.exe"=
"C:\\Games\\Shaiya\\Updater.exe"=
"C:\\Program Files\\IRCPlus\\IRCPlus.exe"=
"C:\\Program Files\\mIRC\\mirc.exe"=
"C:\\Documents and Settings\\Ty\\Desktop\\New Folder\\winmx354b4.exe"=
"C:\\Documents and Settings\\Ty\\Desktop\\eclipse-java-europa-winter-win32\\eclipse\\eclipse.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\VentSrv\\ventrilo_srv.exe"=

S2 IRCPlus;IRCPlus;C:\Program Files\IRCPlus\IRCPlus.exe [1999-10-17 21:46]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{2ED6983B-328F-E271-B6B8-A5F09F42CBA8}]
C:\WINDOWS\system32:msnmsgr.exe
.
Contents of the 'Scheduled Tasks' folder
"2008-05-21 02:31:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-05-17 00:00:00 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job"
- C:\PROGRA~1\NORTON~1\NAVW32.exeG/task:C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec\NORTON~1\Tasks\mycomp.sca
"2008-05-27 00:37:00 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-26 20:35:12
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\UAService7.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSCNo.exe
C:\Program Files\Messenger\msmsgs.exe
.
**************************************************************************
.
Completion time: 2008-05-26 20:40:55 - machine was rebooted
ComboFix-quarantined-files.txt  2008-05-27 00:40:51
ComboFix2.txt  2008-05-25 16:50:54
ComboFix3.txt  2008-05-25 14:57:53

Pre-Run: 5,410,246,656 bytes free
Post-Run: 5,419,773,952 bytes free

184 --- E O F --- 2008-05-16 01:33:55