ComboFix 08-02-11.2 - Owner 2008-02-11 13:41:32.2 - NTFSx86
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
* Created a new restore point
WARNING - THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((( Files Created from 2008-01-11 to 2008-02-11 )))))))))))))))))))))))))))))))
.
2008-02-11 07:06 . 2008-02-11 07:06
d-------- C:\Documents and Settings\Owner\Application Data\System Tweaker
2008-02-10 11:21 . 2008-02-10 11:21 606 --a------ C:\NCO_BHO.reg
2008-02-10 10:14 . 2004-08-04 07:56 388,608 --a------ C:\kmd.exe
2008-02-10 10:10 . 2008-02-10 10:10 1,593,889 --a------ C:\ComboFix.exe
2008-02-06 21:28 . 2008-02-06 21:29 d-------- C:\Program Files\iTunes
2008-02-06 21:28 . 2008-02-06 21:28 d-------- C:\Program Files\iPod
2008-01-29 21:22 . 2008-01-12 18:32 23,904 --a------ C:\WINDOWS\system32\drivers\COH_Mon.sys
2008-01-29 21:22 . 2008-01-15 09:54 10,537 --a------ C:\WINDOWS\system32\drivers\COH_Mon.cat
2008-01-29 21:22 . 2008-01-15 05:28 706 --a------ C:\WINDOWS\system32\drivers\COH_Mon.inf
2008-01-15 16:54 . 2002-07-05 13:51 170,496 --a------ C:\WINDOWS\system32\msfl651.dll
2008-01-14 23:05 . 2008-01-15 16:57 d-------- C:\Program Files\EODData
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-11 13:33 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-02-11 13:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-02-11 07:05 --------- d-----w C:\Program Files\Uniblue
2008-02-10 08:09 --------- d-----w C:\Documents and Settings\Owner\Application Data\Uniblue
2008-02-09 17:51 --------- d-----w C:\Program Files\SPAMfighter
2008-02-09 12:19 --------- d-----w C:\Program Files\ErrorSmart
2008-02-09 12:19 --------- d-----w C:\Documents and Settings\Owner\Application Data\ErrorSmart
2008-02-08 07:13 --------- d-----w C:\Documents and Settings\Owner\Application Data\AntiSpyware
2008-02-06 21:20 --------- d-----w C:\Program Files\QuickTime
2008-01-10 22:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\dtv
2008-01-09 11:46 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-01-09 11:46 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-01-09 11:46 10,740 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-01-09 11:46 --------- d-----w C:\Program Files\Symantec
2008-01-09 11:39 --------- d-----w C:\Program Files\Norton Internet Security
2008-01-08 18:18 214,600 ----a-w C:\Documents and Settings\Owner\Application Data\ngUninstaller.exe
2008-01-08 18:18 --------- d-----w C:\Documents and Settings\Owner\Application Data\Trading Applications
2008-01-08 11:06 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-07 20:33 --------- d-----w C:\Program Files\Common Files\SWF Studio
2008-01-07 18:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\Nirvana Systems
2008-01-07 17:48 --------- d-----w C:\Program Files\Common Files\Business Objects
2008-01-07 17:47 --------- d-----w C:\Program Files\Nirvana
2008-01-04 15:52 --------- d-----w C:\Program Files\Ashampoo
2008-01-04 15:52 --------- d-----w C:\Documents and Settings\All Users\Application Data\ashampoo
2007-12-29 13:49 --------- d-----w C:\Documents and Settings\Owner\Application Data\Professional
2007-12-28 12:12 --------- d-----w C:\Program Files\0Spam.com Express
2007-12-28 12:10 --------- d-----w C:\Program Files\Common Files\Download Manager
2007-12-22 00:06 --------- d-----w C:\Program Files\Opera
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NBJ"="C:\Program Files\Ahead\Nero BackItUp\NBJ.exe" [2005-07-14 21:35 1961984]
"Ashampoo Magical Optimizer Taskplaner"="C:\PROGRA~1\Ashampoo\ASHAMP~4\AMO_TA~1.exe" [2006-05-05 13:40 1244160]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:56 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-20 21:35 68856]
"FreeMem Pro"="C:\Program Files\FreeMem Professional\fmempro.exe" [2004-10-07 00:29 708704]
"AntiSpyware"="C:\Program Files\AntiSpywareApp\AntiSpyware.exe" [2007-10-12 13:00 19555576]
"EPSON Stylus C44 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.exe" [2002-12-10 03:06 75776]
"UIWatcher"="C:\Program Files\Ashampoo\Ashampoo UnInstaller Platinum 2\UIWatcher.exe" [2007-07-09 14:13 1741168]
"Windows Registry Repair Pro"="C:\Program Files\3B Software\Windows Registry Repair Pro\RegistryRepairPro.exe" [2005-09-08 19:49 1363968]
"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" [2007-10-22 08:58 1885464]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"0Spam.com Express"="C:\Program Files\0Spam.com Express\Express.exe" [2004-12-14 19:07 70144]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-10-19 07:59 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-10-19 07:59 126976]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11 132496]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"mspwr"="C:\WINDOWS\system32\PuXpMan.exe" [2004-06-12 18:51 102400]
"PwrUpTweakMe"="C:\WINDOWS\system32\PuXpTwks.exe" [2004-06-12 18:51 45056]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]
"EPSON Stylus C44 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.exe" [2002-12-10 03:06 75776]
"0Spam.com Express"="C:\Program Files\0Spam.com Express\Express.exe" [2004-12-14 19:07 70144]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 05:59 115816]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [2007-01-14 07:11 771704]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-01-10 15:27 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-01-15 03:22 267048]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 07:56 15360]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
DSLMON.lnk - C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe [2005-02-12 13:53:24 962663]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 0 (0x0)
"NoFileAssociate"= 0 (0x0)
"NoUserNameInStartMenu"= 1 (0x1)
R3 usbprint;Microsoft USB PRINTER Class;C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-04 06:01]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5177addf-5155-11da-85fb-000d5652f522}]
\shell\play\Command - "C:\Program Files\Windows Media Player\wmplayer.exe" /prefetch:3 /device:AudioCD "%L"
*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2008-02-11 07:39:36 C:\WINDOWS\Tasks\AntiSpyware Scheduled Scan.job"
- C:\Program Files\AntiSpywareApp\AntiSpyware.exe
- C:\Program Files\AntiSpywareApp
"2008-02-06 19:44:26 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-02-11 07:50:37 C:\WINDOWS\Tasks\EasyShare Registration RunOnce Task.job"
- C:\WINDOWS\system32\rundll32.exe
"2008-02-10 11:28:13 C:\WINDOWS\Tasks\EasyShare Registration Task.job"
- C:\WINDOWS\system32\rundll32.exe?C:\Documents and Settings\All Users\Application Data\Kodak\EasyShareSetup\$Registration\Registration_7.5.30.2.sxt _RegistrationOffer@16
"2008-01-19 13:09:36 C:\WINDOWS\Tasks\ErrorSmart Scheduled Scan.job"
- C:\Program Files\ErrorSmart\ErrorSmart.ex
- C:\Program Files\ErrorSmart
"2008-01-19 13:08:31 C:\WINDOWS\Tasks\Norton Internet Security Online - Run Full System Scan - Owner.job"
- C:\Program Files\Norton Internet Security\Norton AntiVirus\Navw32.exeh/TASK:
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-11 13:51:06
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
EPSON Stylus C44 Series = C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C44 Series" /M "Stylus C44"??????< ??????????.? ?b(??|????????????????YB~8 ?????????????? ????????????????????YB~???? ???????????D???????????X?C~???? ???????j?C~ ??????????????|???????
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\system32\lsass.exe [5.01.2600.2180]
-> C:\WINDOWS\system32\POP3Intercept_lsp.dll
.
Completion time: 2008-02-11 13:58:02
ComboFix2.txt 2008-02-10 10:42:14
.
2008-01-09 09:18:53 --- E O F ---