and part 2:
((((((((((((((((((((((((( Files Created from 2008-11-14 to 2008-12-14 )))))))))))))))))))))))))))))))
.
2008-12-13 18:04 . 2008-12-13 18:13 d-------- C:\ComboFix
2008-12-13 18:02 . 2008-12-13 18:02 d--hs---- C:\RECYCLER
2008-12-13 16:36 . 2008-12-13 16:36 d-------- c:\documents and settings\Owner\Application Data\Malwarebytes
2008-12-13 15:16 . 2008-12-13 15:16 drahs---- C:\cmdcons
2008-12-13 15:14 . 2008-12-13 18:10 d-------- C:\Qoobox
2008-12-13 14:54 . 2008-12-13 14:55 d-------- C:\Avenger
2008-12-12 21:11 . 939,053,056 C:\hiberfil.sys
2008-12-11 21:38 . 2008-12-11 21:40 d-------- c:\documents and settings\Owner\Application Data\Uniblue
2008-12-11 21:37 . 2008-12-11 21:37 d-------- c:\program files\Uniblue
2008-12-11 19:09 . 2008-12-11 19:09 d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-11 19:09 . 2008-12-11 19:09 d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-11 19:09 . 2008-12-03 19:52 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-11 19:09 . 2008-12-03 19:52 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-11 19:07 . 2006-06-30 23:30 d-------- c:\documents and settings\Administrator.REDDWARF\WINDOWS
2008-12-11 19:07 . 2007-11-09 22:13 d-------- c:\documents and settings\Administrator.REDDWARF\Application Data\Symantec
2008-12-11 19:07 . 2007-11-20 16:50 d-------- c:\documents and settings\Administrator.REDDWARF\Application Data\Spare Backup
2008-12-11 19:07 . 2007-11-09 22:11 d-------- c:\documents and settings\Administrator.REDDWARF\Application Data\SampleView
2008-12-11 19:07 . 2008-05-17 16:17 d-------- c:\documents and settings\Administrator.REDDWARF\Application Data\Gtek
2008-12-11 19:07 . 2008-12-11 19:07 d-------- c:\documents and settings\Administrator.REDDWARF
2008-12-11 14:36 . 2007-07-03 11:53 24,576 --a------ c:\windows\system32\BAZLib.dll
2008-12-11 14:26 . 2008-12-11 14:26 d-------- c:\documents and settings\All Users\Application Data\Ascentive
2008-12-11 14:03 . 2008-12-11 19:50 d-------- c:\program files\Ascentive
2008-12-11 14:03 . 2008-05-16 10:41 208,896 --a------ c:\windows\system32\ConTest.dll
2008-12-11 14:03 . 2008-08-20 17:44 45,056 --a------ c:\windows\system32\CreateLog.dll
2008-12-11 14:03 . 2007-07-03 11:48 36,864 --a------ c:\windows\system32\ascbalon.dll
2008-12-11 14:03 . 2007-07-03 11:48 20,480 --a------ c:\windows\system32\SysRestore.dll
2008-12-05 20:22 . 2008-12-05 20:22 d-------- c:\program files\Symantec
2008-12-05 20:22 . 2008-12-05 20:22 124,464 --a------ c:\windows\system32\drivers\SYMEVENT.SYS
2008-12-05 20:22 . 2008-12-05 20:22 60,808 --a------ c:\windows\system32\S32EVNT1.DLL
2008-12-05 20:22 . 2008-12-05 20:22 35,888 -ra------ c:\windows\system32\drivers\SymIM.sys
2008-12-05 20:22 . 2008-12-05 20:22 10,635 --a------ c:\windows\system32\drivers\SYMEVENT.CAT
2008-12-05 20:22 . 2008-12-05 20:22 806 --a------ c:\windows\system32\drivers\SYMEVENT.INF
2008-12-05 20:21 . 2008-12-05 20:21 d-------- c:\windows\system32\drivers\NIS
2008-12-05 20:21 . 2008-12-05 20:21 d-------- c:\program files\Windows Sidebar
2008-12-05 20:21 . 2008-12-05 20:21 d-------- c:\program files\Norton Internet Security
2008-12-05 20:21 . 2008-12-05 20:22 d-------- c:\documents and settings\All Users\Application Data\Norton
2008-12-05 20:16 . 2008-12-05 20:21 d-------- c:\program files\NortonInstaller
2008-12-05 20:16 . 2008-12-05 20:16 d-------- c:\documents and settings\All Users\Application Data\NortonInstaller
2008-12-04 21:44 . 2008-12-04 22:00 d-------- c:\program files\Browser Hijack Recover
2008-12-04 21:44 . 2008-12-04 21:44 0 --a------ c:\windows\system32\8104297.jun
2008-12-04 21:05 . 2008-12-04 21:05 0 --a------ c:\windows\nsreg.dat
2008-12-03 19:49 . 2008-12-11 19:52 d--h----- C:\Config.Msi
2008-12-03 14:39 . 2008-12-03 19:48 d-------- c:\program files\Windows Live Safety Center
2008-12-01 20:22 . 2008-12-01 20:22 d-------- c:\program files\Webroot
2008-12-01 20:22 . 2008-12-01 20:22 d-------- c:\documents and settings\Owner\Application Data\Webroot
2008-12-01 20:22 . 2008-12-01 20:22 d-------- c:\documents and settings\All Users\Application Data\Webroot
2008-12-01 20:22 . 2008-11-13 17:11 1,553,272 --a------ c:\windows\WRSetup.dll
2008-12-01 16:02 . 2008-12-01 16:02 d-------- c:\program files\Windows Defender
2008-12-01 08:37 . 2008-12-01 08:37 d-------- c:\program files\Microsoft Silverlight
2008-12-01 07:27 . 2008-12-01 07:27 d-------- c:\program files\Safer Networking
2008-12-01 07:23 . 2008-12-12 20:35 2,154 --a------ c:\windows\system32\ssmute.ini
2008-12-01 06:58 . 2008-12-01 06:58 d-------- c:\documents and settings\Owner\Application Data\AdwareAlert
2008-11-16 20:59 . 2008-11-16 20:59 d-------- C:\NVIDIA
2008-11-16 20:59 . 2008-10-07 13:33 201,157 --a------ c:\windows\system32\nvapps.nvb
2008-11-16 20:48 . 2008-11-16 20:48 d-------- c:\program files\SystemRequirementsLab
2008-11-16 15:40 . 2008-10-24 05:21 455,296 --a--c--- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-16 15:39 . 2008-09-04 11:15 1,106,944 --a--c--- c:\windows\system32\dllcache\msxml3.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-13 19:39 --------- d-----w c:\documents and settings\Owner\Application Data\LimeWire
2008-12-12 03:43 --------- d-----w c:\program files\Slingo Quest Hawaii
2008-12-12 03:43 --------- d-----w c:\program files\eBay
2008-12-12 01:50 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-12 00:49 --------- d-----w c:\documents and settings\Owner\Application Data\mIRC
2008-12-12 00:05 --------- d-----w c:\program files\mIRC
2008-12-10 03:13 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2008-12-06 02:24 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-12-06 02:23 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2008-12-04 02:23 --------- d-----w c:\documents and settings\All Users\Application Data\avg8
2008-12-01 14:12 --------- d-----w c:\program files\Google
2008-12-01 13:58 --------- d-----w c:\program files\Philips
2008-12-01 13:58 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2008-11-12 22:02 23,152 ----a-w c:\windows\system32\drivers\sshrmd.sys
2008-11-12 22:02 170,608 ----a-w c:\windows\system32\drivers\ssidrv.sys
2008-11-10 06:12 --------- d-----w c:\program files\ICQ6
2008-11-04 23:17 --------- d-----w c:\program files\WinAce
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-10-16 20:38 826,368 ----a-w c:\windows\system32\wininet.dll
2008-10-16 20:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 20:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 20:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 20:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 20:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 20:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 20:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 20:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 20:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 20:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-10-03 10:02 247,326 ----a-w c:\windows\system32\strmdll.dll
2008-10-02 16:07 453,152 ----a-w c:\windows\system32\NVUNINST.EXE
2008-09-30 22:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-06-04 21:30 0 ----a-w c:\documents and settings\Owner\Application Data\wklnhst.dat
2007-11-10 04:36 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat
.
((((((((((((((((((((((((((((( snapshot@2008-12-13_15.27.24.32 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-12-14 00:12:01 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_224.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-06-06 50528]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 4670704]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2005-02-25 966656]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2006-11-23 56928]
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="c:\program files\Google\Gmail Notifier\gnotify.exe" [2005-07-15 479232]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-10-07 13574144]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.clmp3enc"= c:\progra~1\CYBERL~1\Power2Go\CLMP3Enc.ACM
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\ICQ6\\ICQ.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\EA GAMES\\Battlefield Vietnam\\bfvietnam.exe"=
"c:\\Program Files\\EA GAMES\\Battlefield Vietnam\\bfvietnam_w32ded.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\nexon\Combat Arms\CombatArms.exe"= c:\nexon\Combat Arms\CombatArms.exe:*Enabled:CombatArms.exe
"c:\nexon\Combat Arms\Engine.exe"= c:\nexon\Combat Arms\Engine.exe:*Enabled:Engine.exe
"c:\\Nexon\\Combat Arms\\NMService.exe"=
"c:\\Program Files\\Outspark\\Blackshot\\System\\BlackShot.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NIS\1001000.021\SYMEFA.SYS [2008-12-05 309296]
R1 BHDrvx86;Symantec Heuristics Driver;\??\c:\windows\system32\drivers\NIS\1001000.021\BHDrvx86.sys [2008-12-05 255536]
R1 ccHP;Symantec Hash Provider;\??\c:\windows\system32\drivers\NIS\1001000.021\ccHPx86.sys [2008-12-05 362544]
R1 IDSxpx86;IDSxpx86;\??\c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\ipsdefs\20081210.002\IDSxpx86.sys [2008-12-13 274808]
R2 Norton Internet Security;Norton Internet Security;"c:\program files\Norton Internet Security\Engine\16.1.0.33\ccSvcHst.exe" /s "Norton Internet Security" /m "c:\program files\Norton Internet Security\Engine\16.1.0.33\diMaster.dll" /prefetch:1 []
R2 WinDefend;Windows Defender;"c:\program files\Windows Defender\MsMpEng.exe" [2006-11-03 13592]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2008-12-05 99376]
S3 el575nd5;3Com Megahertz 10/100 LAN CardBus PC Card Driver;c:\windows\system32\DRIVERS\el575nd5.sys [2006-06-30 69692]
S3 XDva207;XDva207;\??\c:\windows\system32\XDva207.sys []
S3 XDva208;XDva208;\??\c:\windows\system32\XDva208.sys []
.
Contents of the 'Scheduled Tasks' folder
2008-12-14 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 19:20]
2008-12-13 c:\windows\Tasks\Norton Internet Security - Owner - Full System Scan.job
- c:\program files\Norton Internet Security\Engine\16.1.0.33\Navw32.exe [2008-12-05 20:22]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mWindow Title =
uInternet Settings,ProxyOverride =
c:\windows\Downloaded Program Files\sysreqlab3.dll - O16 -: {1E54D648-B804-468d-BC78-4AFFED8E262E}
hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.0/srl_bin/sysreqlab3.cab
c:\windows\Downloaded Program Files\SysReqLab3.osd
c:\windows\Downloaded Program Files\OberonGameHost.dll - O16 -: {D0C0F75C-683A-4390-A791-1ACFD5599AB8}
hxxp://games.myspace.com/Gameshell/GameHost/1.0/OberonGameHost.cab
c:\windows\Downloaded Program Files\OberonGameHost_dbg.inf
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\pgi2uebm.default\
FF - plugin: c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\1.2.131.27\npGoogleOneClick6.dll
FF - plugin: c:\program files\Yahoo!\Shared\npYState.dll
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-13 18:10:22
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Norton Internet Security]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\16.1.0.33\ccSvcHst.exe\" /s \"Norton Internet Security\" /m \"c:\program files\Norton Internet Security\Engine\16.1.0.33\diMaster.dll\" /prefetch:1"
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\Norton Internet Security\Engine\16.1.0.33\ccSvcHst.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\program files\Norton Internet Security\Engine\16.1.0.33\ccSvcHst.exe
.
**************************************************************************
.
Completion time: 2008-12-13 18:15:47 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-14 00:15:42
ComboFix2.txt 2008-12-13 21:28:04
Pre-Run: 119,532,777,472 bytes free
Post-Run: 119,496,990,720 bytes free
353 --- E O F --- 2008-12-12 19:51:59
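The "Reg Loading Points" block of a ComboFix log is where a helper usually looks first: Security Center values that silence the antivirus/firewall status checks, the list of applications the XP firewall has been told to trust, and service or driver entries whose bracketed [date size] field is empty. The script below is an added example written for this page; it is not part of the original post and not ComboFix's own code. It parses a constructed excerpt assembled from registry and service lines visible in the log above (SAMPLE_LOG is that excerpt; the function names are the example's own) and returns the three lists a reviewer would want to eyeball.

```python
"""Triage helpers for the 'Reg Loading Points' section of a ComboFix log.

Added example for this page (not from the original post or from ComboFix).
SAMPLE_LOG is a constructed excerpt made of lines visible in the log above.
"""
import re
from typing import Dict, List

# Constructed excerpt: registry and service lines copied from the log above.
SAMPLE_LOG = r'''
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
R2 WinDefend;Windows Defender;"c:\program files\Windows Defender\MsMpEng.exe" [2006-11-03 13592]
S3 el575nd5;3Com Megahertz 10/100 LAN CardBus PC Card Driver;c:\windows\system32\DRIVERS\el575nd5.sys [2006-06-30 69692]
S3 XDva207;XDva207;\??\c:\windows\system32\XDva207.sys []
S3 XDva208;XDva208;\??\c:\windows\system32\XDva208.sys []
'''

SECTION_RE = re.compile(r'^\[(.+)\]$')                 # [HKEY_...\key]
VALUE_RE = re.compile(r'^"([^"]+)"=\s*(.*)$')           # "name"=value (value may be empty)
SERVICE_RE = re.compile(r'^([RS]\d) ([^;]+);([^;]*);(.*) \[([^\]]*)\]$')  # R0/S3 name;display;image [date size]
SECURITY_CENTER = r'hkey_local_machine\software\microsoft\security center'


def parse_reg_sections(text: str) -> Dict[str, Dict[str, str]]:
    """Map each REGEDIT4 key header to its "name"=value pairs."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            sections[current][m.group(1)] = m.group(2)
    return sections


def security_center_overrides(sections: Dict[str, Dict[str, str]]) -> List[str]:
    """'key\\name=value' for every Security Center value set to 1 that suppresses
    the AV/firewall status checks (an *Override value or DisableMonitoring)."""
    hits = []
    for key, values in sections.items():
        if not key.lower().startswith(SECURITY_CENTER):
            continue
        for name, value in values.items():
            suppressor = name.endswith('Override') or name == 'DisableMonitoring'
            if suppressor and value.lower() == 'dword:00000001':
                hits.append(f'{key}\\{name}={value}')
    return hits


def firewall_authorized_apps(sections: Dict[str, Dict[str, str]]) -> List[str]:
    """Paths under ...\\AuthorizedApplications\\List, with REGEDIT4's doubled
    backslashes collapsed so they can be checked against the file system."""
    apps: List[str] = []
    for key, values in sections.items():
        if key.lower().endswith(r'\authorizedapplications\list'):
            apps.extend(name.replace('\\\\', '\\') for name in values)
    return apps


def services_missing_file_info(text: str) -> List[str]:
    """Service/driver names whose trailing [date size] field is empty, i.e.
    ComboFix reported no file metadata for the image; review these by hand."""
    missing = []
    for raw in text.splitlines():
        m = SERVICE_RE.match(raw.strip())
        if m and not m.group(5).strip():
            missing.append(m.group(2))
    return missing


def triage(text: str) -> Dict[str, List[str]]:
    """Run all three checks over one log text."""
    sections = parse_reg_sections(text)
    return {
        'security_center': security_center_overrides(sections),
        'firewall_apps': firewall_authorized_apps(sections),
        'services_no_file_info': services_missing_file_info(text),
    }


if __name__ == '__main__':
    for heading, items in triage(SAMPLE_LOG).items():
        print(heading)
        for item in items:
            print('   ', item)
```

Two caveats when reading the output. First, the Security Center hits are a prompt to look, not proof of tampering: security suites such as Norton set DisableMonitoring under their own Monitoring\<vendor> subkey so that Security Center defers to the product's own status reporting, and AntiVirusOverride is just the "don't nag me about antivirus" switch; what matters is whether the user or an installed product did it knowingly. Second, an empty [ ] field only means ComboFix printed no date/size for that image, which happens both for files that are absent and for services registered with a full command line rather than a bare path, so confirm on disk before treating an entry as suspect.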