*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"qfrw"="c:\progra~1\COMMON~1\qfrw\qfrwm.exe" [2006-07-19 9216]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-07 3885408]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2007-07-31 44032]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2002-08-29 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2002-08-29 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2002-08-29 455168]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk /r \??\C:\
0autocheck autochk *
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^Cesar Ramos^Start Menu^Programs^Startup^IMVU.lnk]
path=c:\documents and settings\Cesar Ramos\Start Menu\Programs\Startup\IMVU.lnk
backup=c:\windows\pss\IMVU.lnkStartup
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Xfire\\Xfire.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8085:TCP"= 8085:TCP:podmena
R3 vgadrv;vgadrv;c:\windows\system32\drivers\vgadrv.sys [3/17/2006 10:04 AM 8078]
S2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" --> c:\program files\Viewpoint\Common\ViewpointService.exe [?]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 XDva011;XDva011;\??\c:\windows\system32\XDva011.sys --> c:\windows\system32\XDva011.sys [?]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
podmena REG_MULTI_SZ podmena
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder
2009-06-13 c:\windows\Tasks\Norton Security Scan for Cesar Ramos.job
- c:\program files\Norton Security Scan\Nss.exe [2009-03-13 02:04]
.
- - - - ORPHANS REMOVED - - - -
HKCU-Run-PaSystem - c:\program files\pasystem\pasystem.exe
HKU-Default-Run-msnmsgr - c:\program files\MSN Messenger\msnmsgr.exe
HKU-Default-Run-kell - c:\program files\Manson\liser.exe
.
------- Supplementary Scan -------
.
uStart Page =
hxxp://gamespot.com/uSearchMigratedDefaultURL =
hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}uInternet Connection Wizard,ShellNext = iexplore
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\Cesar Ramos\Start Menu\Programs\IMVU\Run IMVU.lnk
DPF: DirectAnimation Java Classes -
file://c:\windows\Java\classes\dajava.cabDPF: Microsoft XML Parser for Java -
file://c:\windows\Java\classes\xmldso.cabDPF: {040F4385-8DAD-4306-94BF-B8291D841FAE} -
hxxp://www.nintendowifi.com/troubleshooting/usbaptest.cabFF - ProfilePath -
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.netRootkit scan 2009-06-13 19:32
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SKYNETkawqjntt]
"imagepath"="\systemroot\system32\drivers\SKYNETmnmoxjxb.sys"
--
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\UACd.sys]
"imagepath"="\systemroot\system32\drivers\UACgjjgyqkjurislly.sys"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-1390067357-688789844-1060284298-1004\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SKYNETkawqjntt]
@DACL=(02 0000)
"start"=dword:00000001
"type"=dword:00000001
"group"="file system"
"imagepath"=expand:"\\systemroot\\system32\\drivers\\SKYNETmnmoxjxb.sys"
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\UACd.sys]
@DACL=(02 0000)
"start"=dword:00000001
"type"=dword:00000001
"group"="file system"
"imagepath"=expand:"\\systemroot\\system32\\drivers\\UACgjjgyqkjurislly.sys"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(620)
c:\windows\system32\Ati2evxx.dll
- - - - - - - > 'explorer.exe'(2848)
c:\windows\system32\WININET.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\windows\system32\CF8045.exe
c:\progra~1\COMMON~1\qfrw\qfrwa.exe
.
**************************************************************************
.
Completion time: 2009-06-14 19:36 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-14 02:36
Pre-Run: 21,630,681,088 bytes free
Post-Run: 22,976,507,904 bytes free
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn
273 --- E O F --- 2009-06-10 10:56