ComboFix 08-08-04.09 - Lynn Bodin 2008-08-06 8:40:55.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.597 [GMT -5:00]
Running from: C:\Documents and Settings\Lynn Bodin\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Lynn Bodin\Desktop\CFScript.txt
 * Created a new restore point

FILE ::
C:\Documents and Settings\Lynn Bodin\My Documents\DVD Solutions\U_DVDFabPlatinumVer[1].4.0.5.5.zip
C:\Program Files\DVDFab Platinum 4\All.Fengtao.Software.Universal.Patch.1.01-ICU.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Lynn Bodin\Desktop\spy programs\OTScanIt
C:\Documents and Settings\Lynn Bodin\Desktop\spy programs\OTScanIt\catchme.exe
C:\Documents and Settings\Lynn Bodin\Desktop\spy programs\OTScanIt\CatchMe.log
C:\Documents and Settings\Lynn Bodin\Desktop\spy programs\OTScanIt\MovedFiles\07272008_200908.log
C:\Documents and Settings\Lynn Bodin\Desktop\spy programs\OTScanIt\MovedFiles\07272008_200908\C_Documents and Settings\All Users\Application Data\Mode Rule 64 Inter\hole blue.exe
C:\Documents and Settings\Lynn Bodin\Desktop\spy programs\OTScanIt\MovedFiles\07272008_200908\C_Documents and Settings\Andy\Application Data\loud cool bat\Idlenoun.exe
C:\Documents and Settings\Lynn Bodin\Desktop\spy programs\OTScanIt\MovedFiles\07272008_200908\C_Documents and Settings\Andy\Application Data\loud cool bat\lxgnvcnz.exe
C:\Documents and Settings\Lynn Bodin\Desktop\spy programs\OTScanIt\MovedFiles\07272008_200908\C_Documents and Settings\Andy\Local Settings\Temp\{9527A496-5DF9-412A-ADC7-168BA5379CA6}\0x0409.ini
C:\Documents and Settings\Lynn Bodin\Desktop\spy programs\OTScanIt\MovedFiles\07272008_200908\C_Documents and Settings\Andy\Local Settings\Temp\{9527A496-5DF9-412A-ADC7-168BA5379CA6}\setup.ini
C:\Documents and Settings\Lynn Bodin\Desktop\spy programs\OTScanIt\MovedFiles\07272008_200908\C_Documents and Settings\Andy\Local Settings\Temp\193629705\Builder.dll
C:\Documents and Settings\Lynn Bodin\Desktop\spy programs\OTScanIt\MovedFiles\07272008_200908\C_Documents and Settings\Andy\Local Settings\Temp\IadHide3.dll
C:\Documents and Settings\Lynn Bodin\Desktop\spy programs\OTScanIt\MovedFiles\07272008_200908\C_Documents and Settings\Andy\Local Settings\Temp\Setup.INI
C:\Documents and Settings\Lynn Bodin\Desktop\spy programs\OTScanIt\MovedFiles\07272008_200908\C_Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat
C:\Documents and Settings\Lynn Bodin\Desktop\spy programs\OTScanIt\MovedFiles\07272008_200908\C_WINDOWS\tasks\wrSpySweeperTrialSweep.job
C:\Documents and Settings\Lynn Bodin\Desktop\spy programs\OTScanIt\MovedFiles\07272008_200908\C_WINDOWS\temp\JET9AB9.tmp
C:\Documents and Settings\Lynn Bodin\Desktop\spy programs\OTScanIt\MovedFiles\scanit_results.txt
C:\Documents and Settings\Lynn Bodin\Desktop\spy programs\OTScanIt\OTScanIt.exe
C:\Documents and Settings\Lynn Bodin\Desktop\spy programs\OTScanIt\OTScanIt.Txt
C:\Documents and Settings\Lynn Bodin\My Documents\DVD Solutions\U_DVDFabPlatinumVer[1].4.0.5.5.zip
C:\Program Files\DVDFab Platinum 4\All.Fengtao.Software.Universal.Patch.1.01-ICU.exe
.

((((((((((((((((((((((((( Files Created from 2008-07-06 to 2008-08-06 )))))))))))))))))))))))))))))))
.

2008-08-05 16:20 . 2008-08-05 16:20 d-------- C:\Program Files\Trend Micro
2008-08-05 14:01 . 2004-08-03 23:08 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2008-08-05 14:01 . 2004-08-03 23:08 31,616 --a------ C:\WINDOWS\system32\dllcache\usbccgp.sys
2008-08-05 09:17 . 2008-08-05 10:43 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-05 09:17 . 2008-08-05 09:17 d-------- C:\Documents and Settings\Lynn Bodin\Application Data\Malwarebytes
2008-08-05 09:17 . 2008-08-05 09:17 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-05 09:17 . 2008-07-30 20:07 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-05 09:17 . 2008-07-30 20:07 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-08-05 09:12 . 2008-08-05 09:12 d-------- C:\Program Files\Java
2008-08-05 09:12 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-07-09 13:35 . 2008-07-09 13:38 d-------- C:\Backup drive c
2008-07-09 12:37 . 2008-07-09 13:31 d-------- C:\Program Files\Norton Ghost
2008-07-09 09:25 . 2008-07-09 09:49 d-------- C:\WINDOWS\system32\CatRoot_bak
2008-07-08 14:50 . 2008-07-08 14:50 d-------- C:\Documents and Settings\All Users\Application Data\vsosdk
2008-07-08 13:36 . 2008-08-06 08:41 d-------- C:\Program Files\DVDFab Platinum 4
2008-07-08 13:36 . 2008-07-08 14:17 d-------- C:\Documents and Settings\Lynn Bodin\Application Data\Vso
2008-07-08 13:36 . 2008-07-08 13:36 47,360 --a------ C:\WINDOWS\system32\drivers\pcouffin.sys
2008-07-08 13:36 . 2008-07-08 13:36 47,360 --a------ C:\Documents and Settings\Lynn Bodin\Application Data\pcouffin.sys
.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.

2008-08-06 09:29 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-08-05 05:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-07-30 22:42 23,888 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.sys
2008-07-30 22:28 706 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.inf
2008-07-30 22:28 10,537 ----a-w C:\WINDOWS\system32\drivers\coh_mon.cat
2008-07-09 18:30 --------- d-----w C:\Documents and Settings\Lynn Bodin\Application Data\Symantec
2008-07-07 23:28 --------- d-----w C:\Program Files\Symantec
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 17:41 245,248 ------w C:\WINDOWS\system32\dllcache\mswsock.dll
2008-06-20 17:41 148,992 ----a-w C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\dllcache\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 10:44 138,368 ------w C:\WINDOWS\system32\dllcache\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\dllcache\tcpip6.sys
2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\dllcache\bthport.sys
2008-05-19 01:01 60,800 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL
2008-05-18 17:11 577,536 ----a-w C:\WINDOWS\system32\user32.dll
2008-05-18 17:11 577,536 ----a-w C:\WINDOWS\system32\dllcache\user32.dll
2008-05-08 12:28 202,752 ------w C:\WINDOWS\system32\dllcache\rmcast.sys
2008-05-07 04:55 1,288,192 ----a-w C:\WINDOWS\system32\quartz.dll
2008-05-07 04:55 1,288,192 ------w C:\WINDOWS\system32\dllcache\quartz.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"\\STUDY\EPSON Stylus Photo R260 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBNA.EXE" [2006-05-19 04:00 139264]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 23:56 64512]
"hpWirelessAssistant"="C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-05-04 00:58 458752]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-08-18 03:00 7585792]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-08-18 03:00 86016]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-04-01 00:01 761946]
"QPService"="C:\Program Files\HP\QuickPlay\QPService.exe" [2006-07-11 23:55 102400]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 18:30 249856]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 18:30 81920]
"Cpqset"="C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe" [2006-05-30 18:02 40960]
"RecGuard"="C:\Windows\SMINST\RecGuard.exe" [2005-10-11 12:23 1187840]
"\\STUDY\EPSON Stylus Photo R220 Series (Copy 1)"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE" [2005-03-09 05:00 98304]
"Auto EPSON Stylus Photo R220 Series (Copy 1) on STUDY"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE" [2005-03-09 05:00 98304]
"HP Software Update"="C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 16:24 54840]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"IntelliPoint"="c:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2007-08-31 12:01 1037736]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-05-17 20:13 98304]
"PinnacleDriverCheck"="C:\WINDOWS\system32\\PSDrvCheck.exe" [2004-03-11 01:26 406016]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-01-25 17:47 51048]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [2008-02-06 22:49 718704]
"Norton Ghost 10.0"="C:\Program Files\Norton Ghost\Agent\GhostTray.exe" [2005-09-09 19:09 1537648]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"nwiz"="nwiz.exe" [2006-08-18 03:00 1617920 C:\WINDOWS\system32\nwiz.exe]
"MsmqIntCert"="mqrt.dll" [2007-07-06 07:46 177152 C:\WINDOWS\system32\mqrt.dll]
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" [2006-06-01 19:02 61952 C:\WINDOWS\system32\CHDAudPropShortcut.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Photosmart Premier Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2005-09-24 11:39:30 73728]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.MJPG"= Pvmjpg30.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\mqsvc.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Avid\\Avid Liquid 7\\Program\\RM.exe"=
"C:\\Program Files\\Avid\\Avid Liquid 7\\Program\\StudioU.mod"=

R2 LiveUpdate Notice;LiveUpdate Notice;C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe [2008-01-25 17:47]
S3 5U870CAP_VID_1262&PID_25FD;HP Pavilion Webcam ;C:\WINDOWS\system32\Drivers\5U870CAP.sys [2006-06-06 15:39]
S3 COH_Mon;COH_Mon;C:\WINDOWS\system32\Drivers\COH_Mon.sys [2008-07-30 17:42]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ae58f950-4e36-11dd-84ab-001636713474}]
\Shell\AutoRun\command - "F:\Install FreeAgent Tools.exe" /run

*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
2008-07-08 C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - Lynn Bodin.job
- C:\Program Files\Norton Internet Security\Norton AntiVirus\Navw32.exe [2008-02-07 06:05]
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-06 08:44:01
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe????????????