.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-17 16:30 . 2009-02-08 09:33 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-06-17 16:11 . 2009-06-17 16:11 9538 ----a-w- c:\windows\system32\2101backd9o5z978.dll
2009-06-17 16:03 . 2009-04-02 15:04 -------- d-----w- c:\documents and settings\AMEER\Application Data\HPAppData
2009-06-17 15:23 . 2009-01-19 22:23 -------- d-----w- c:\program files\Games
2009-06-16 21:02 . 2009-03-27 07:28 157401 ----a-w- c:\windows\hpoins27.dat
2009-06-16 20:59 . 2009-01-21 09:33 -------- d-----w- c:\program files\BitComet
2009-06-16 17:00 . 2009-06-12 21:39 -------- d-----w- c:\documents and settings\All Users\Application Data\{7B6BA59A-FB0E-4499-8536-A7420338BF3B}
2009-06-16 17:00 . 2009-06-16 17:00 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2009-06-16 17:00 . 2009-06-16 17:00 7386 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2009-06-16 16:59 . 2009-06-12 21:38 36400 ----a-r- c:\windows\system32\drivers\SymIM.sys
2009-06-16 16:59 . 2009-06-16 16:59 -------- d-----w- c:\program files\Windows Sidebar
2009-06-16 06:23 . 2008-07-08 18:17 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-06-16 06:07 . 2009-06-16 05:55 -------- d-----w- c:\documents and settings\AMEER\Application Data\DAEMON Tools Lite
2009-06-16 06:03 . 2009-06-16 06:03 -------- d-----w- c:\documents and settings\All Users\Application Data\DAEMON Tools Lite
2009-06-16 05:55 . 2009-06-16 05:55 721904 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-06-15 20:00 . 2008-07-08 18:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-06-15 19:56 . 2008-07-08 18:02 -------- d-----w- c:\program files\Microsoft Works
2009-06-12 20:48 . 2009-01-22 16:34 -------- d-----w- c:\documents and settings\AMEER\Application Data\LimeWire
2009-06-10 14:51 . 2009-01-22 12:30 -------- d-----w- c:\program files\Java
2009-05-31 15:40 . 2009-02-21 11:03 -------- d-----w- c:\program files\GameHouse
2009-05-27 16:15 . 2009-01-19 04:47 583312 ----a-w- c:\documents and settings\AMEER\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-21 10:33 . 2009-01-22 12:31 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-05-17 19:30 . 2009-05-17 19:30 4059 ----a-w- c:\windows\system32\25791not-a-v9rus65z.bin
2009-05-14 15:49 . 2009-05-14 15:49 4227 ----a-w- c:\windows\system32\20434not-a-5irzs293.bin
2009-05-14 07:38 . 2009-05-14 07:38 4640 ----a-w- c:\windows\system32\29a5ste95939z.dll
2009-05-12 02:06 . 2009-05-12 02:06 11613 ----a-w- c:\windows\system32\5694downloa5erz484.dll
2009-05-11 14:44 . 2009-05-11 14:44 4689 ----a-w- c:\windows\system32\77e2t5reat20z739.dll
2009-05-07 15:32 . 2008-04-15 03:00 345600 ----a-w- c:\windows\system32\localspl.dll
2009-05-06 07:00 . 2009-05-06 07:00 8727 ----a-w- c:\windows\system32\7540spy295z.bin
2009-05-04 16:27 . 2009-05-04 16:27 -------- d-----w- c:\documents and settings\AMEER\Application Data\ThemesCreator
2009-05-02 21:48 . 2009-05-02 21:48 10488 ----a-w- c:\windows\system32\95z4th5eat10259.dll
2009-05-02 16:23 . 2009-05-02 16:23 -------- d-----w- c:\program files\Sony Ericsson
2009-05-02 16:00 . 2009-04-03 19:42 -------- d-----w- c:\program files\MySpace
2009-05-01 18:30 . 2009-05-01 18:30 3366912 ----a-w- c:\windows\system32\GPhotos.scr
2009-05-01 08:21 . 2009-05-01 08:21 12800 ----a-w- c:\windows\system32\17z959py5e3.exe
2009-04-30 20:14 . 2009-04-30 20:14 1893936 ----a-w- c:\documents and settings\AMEER\Application Data\MySpace\Toolbar\Installers\MySpaceToolbar_Setup_1.0.32.5.exe
2009-04-29 04:56 . 2008-04-15 03:00 827392 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:55 . 2008-04-15 03:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-04-28 04:29 . 2009-04-28 04:29 7066 ----a-w- c:\windows\system32\3556spywaz925365.dll
2009-04-17 12:26 . 2008-04-15 03:00 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-16 05:56 . 2009-04-16 05:56 8253 ----a-w- c:\windows\system32\7ebf9py5are632z.dll
2009-04-15 14:51 . 2008-04-15 03:00 585216 ----a-w- c:\windows\system32\rpcrt4.dll
2009-04-14 05:00 . 2009-04-14 05:00 17846 ----a-w- c:\windows\system32\z9985vi5us52.dll
2009-04-13 21:17 . 2009-04-13 21:17 937128 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-04-08 13:29 . 2009-04-08 13:29 1202 ----a-w- c:\windows\system32\ealregsnapshot1.reg
2009-04-07 11:33 . 2009-04-07 11:33 1892856 ----a-w- c:\documents and settings\AMEER\Application Data\MySpace\Toolbar\Installers\MySpaceToolbar_Setup_1.0.32.0.exe
2009-04-06 08:17 . 2009-04-06 08:17 2784 ----a-w- c:\windows\system32\2857zvirus149.exe
2009-04-01 15:04 . 2009-04-01 15:04 152576 ----a-w- c:\documents and settings\AMEER\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-03-28 19:48 . 2009-03-28 19:48 16852 ----a-w- c:\windows\system32\655z9ownloader1898.dll
2009-03-28 17:02 . 2009-03-28 17:02 17370 ----a-w- c:\windows\system32\9c58stzal50.dll
2009-03-25 23:43 . 2009-03-25 23:43 10497 ----a-w- c:\windows\system32\2z088not-a9v5rus4e1.exe
2009-03-23 22:41 . 2009-03-23 22:41 9485 ----a-w- c:\windows\system32\6661not-9-virzs50b.exe
2009-03-20 19:42 . 2009-01-22 10:47 129712 ---ha-w- c:\windows\system32\mlfcache.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-15 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LaunchApp"="Alaunch" [X]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-28 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-28 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-28 137752]
"AzMixerSel"="c:\program files\Realtek\Audio\InstallShield\AzMixerSel.exe" [2006-07-17 53248]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-04-25 1044480]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-15 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2008-04-15 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-15 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-15 455168]
"LManager"="c:\progra~1\LAUNCH~1\QtZgAcer.EXE" [2008-05-14 821768]
"PLFSetL"="c:\windows\PLFSetL.exe" [2007-07-05 94208]
"eRecoveryService"="c:\acer\Empowering Technology\eRecovery\eRAgent.exe" [2008-05-22 425984]
"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2008-05-02 15872]
"Athan"="c:\program files\Athan\Athan.exe" [2009-01-18 1081344]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"SweetIM"="c:\program files\SweetIM\Messenger\SweetIM.exe" [2009-04-26 111928]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-21 148888]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2008-05-16 16862720]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-15 15360]
c:\documents and settings\AMEER\Start Menu\Programs\Startup\
Stardock ObjectDock.lnk - c:\program files\Stardock\ObjectDock\ObjectDock.exe [2009-3-1 3444008]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="c:\windows\system32\logonuiX.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Games\\Counter-Strike 1.6\\hl.exe"=
"c:\\Program Files\\BitComet\\BitComet.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Games\\Battlefield Vietnam\\bfvietnam.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"18823:TCP"= 18823:TCP:BitComet 18823 TCP
"18823:UDP"= 18823:UDP:BitComet 18823 UDP
"5353:TCP"= 5353:TCP:Adobe CSI CS4
"26456:TCP"= 26456:TCP:BitComet 26456 TCP
"26456:UDP"= 26456:UDP:BitComet 26456 UDP
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0300000.087\SymEFA.sys [6/16/2009 5:59 PM 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\N360\0300000.087\BHDrvx86.sys [6/16/2009 5:59 PM 258608]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\N360\0300000.087\cchpx86.sys [6/16/2009 5:59 PM 482352]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090610.006\IDSXpx86.sys [6/16/2009 6:10 PM 276344]
R2 N360;Norton 360;c:\program files\Norton 360\Norton 360\Engine\3.0.0.135\ccSvcHst.exe [6/16/2009 5:59 PM 115560]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [6/13/2009 1:11 AM 101936]
S2 EraserSvc10910;Symantec Eraser Service;c:\program files\Norton 360\Engine\3.0.0.135\ccSvcHst.exe [6/12/2009 10:38 PM 115560]
S3 JMCR;JMCR;c:\windows\system32\drivers\jmcr.sys [5/21/2008 9:11 AM 96856]
S3 wxpSvc;webcamXP Service;c:\program files\wLite\wService.exe /startedbyscm:5053B757-40E35B3B-webcamSRV --> c:\program files\wLite\wService.exe [?]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
2009-06-17 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
2009-06-16 c:\windows\Tasks\WebReg HP Deskjet F2200 series.job
- c:\program files\HP\Digital Imaging\bin\hpqwrg.exe [2007-10-14 20:40]
.
- - - - ORPHANS REMOVED - - - -
HKCU-Run-Messenger (Yahoo!) - ~c:\program files\Yahoo!\Messenger\YahooMessenger.exe
HKCU-Run-msnmsgr - ~c:\program files\Windows Live\Messenger\msnmsgr.exe
HKCU-Run-AdobeBridge - (no file)
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uInternet Connection Wizard,ShellNext = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://my.rd.yahoo.com/customize/ycomp/defaults/su/*http://my.yahoo.com
IE: &D&ownload &with BitComet - c:\program files\BitComet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - c:\program files\BitComet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - c:\program files\BitComet\BitComet.exe/AddAllLink.htm
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath -
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-17 20:08
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
msnmsgr = ~"c:\program files\Windows Live\Messenger\msnmsgr.exe" /background?
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\N360]
"ImagePath"="\"c:\program files\Norton 360\Norton 360\Engine\3.0.0.135\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton 360\Norton 360\Engine\3.0.0.135\diMaster.dll\" /prefetch:1"
--
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\wxpSvc]
"ImagePath"="c:\program files\wLite\wService.exe /startedbyscm:5053B757-40E35B3B-webcamSRV"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'explorer.exe'(2800)
c:\program files\Stardock\ObjectDock\DockShellHook.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\igfxsrvc.exe
c:\windows\system32\igfxext.exe
c:\docume~1\AMEER\LOCALS~1\temp\RtkBtMnt.exe
c:\program files\Windows Live\Contacts\wlcomm.exe
c:\program files\Yahoo!\Messenger\Ymsgr_tray.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-06-17 20:13 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-17 19:12
Pre-Run: 38,726,746,112 bytes free
Post-Run: 38,636,965,888 bytes free
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
752 --- E O F --- 2009-06-15 20:00