Old 11-11-2008, 09:55 PM   #7 (permalink)
mokkori
OS: xp


Re: Infected with Bagel Virus, Trojan Downloader, etc

c:\windows\Modules\adapter.dll
c:\windows\Modules\audiocap.dll
c:\windows\Modules\c2c.dll
c:\windows\Modules\c2s.dll
c:\windows\Modules\cdkeys.dll
c:\windows\Modules\dos.dll
c:\windows\Modules\filemanager.dll
c:\windows\Modules\firefox.dll
c:\windows\Modules\installedapps.dll
c:\windows\Modules\keylogger.dll
c:\windows\Modules\listprocesses.dll
c:\windows\Modules\listwindows.dll
c:\windows\Modules\main.dll
c:\windows\Modules\miscspy.dll
c:\windows\Modules\pass.dll
c:\windows\Modules\portredir.dll
c:\windows\Modules\power.dll
c:\windows\Modules\proxy.dll
c:\windows\Modules\registry.dll
c:\windows\Modules\screencap.dll
c:\windows\Modules\search.dll
c:\windows\Modules\services.dll
c:\windows\Modules\sniffer.dll
c:\windows\Modules\sysinfo.dll
c:\windows\Modules\webcam.dll

.
((((((((((((((((((((((((( Files Created from 2008-10-11 to 2008-11-11 )))))))))))))))))))))))))))))))
.

No new files created in this timespan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-11 12:13 --------- d-----w c:\documents and settings\billy crystal\Application Data\Skype
2008-11-11 11:47 --------- d-----w c:\documents and settings\billy crystal\Application Data\skypePM
2008-11-11 11:40 27,648 ----a-w c:\windows\system32\zlib.dll
2008-11-10 17:09 --------- d-----w c:\program files\trend micro
2007-07-27 05:45 47,360 ----a-w c:\documents and settings\billy crystal\Application Data\pcouffin.sys
2006-08-15 17:33 202 ----a-w c:\program files\Shortcut to CD Drive.lnk
.

((((((((((((((((((((((((((((( snapshot@2008-11-10_ 8.53.36.40 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-16 14:59:10 3,080,568 ----a-w c:\windows\system32\FNTCACHE.DAT
+ 2007-02-11 11:26:32 3,080,512 ----a-w c:\windows\system32\FNTCACHE.DAT
- 2008-11-10 16:51:44 53,166 ----a-w c:\windows\system32\perfc009.dat
+ 2007-02-11 11:28:51 53,166 ----a-w c:\windows\system32\perfc009.dat
- 2008-11-10 16:51:44 380,918 ----a-w c:\windows\system32\perfh009.dat
+ 2007-02-11 11:28:51 380,918 ----a-w c:\windows\system32\perfh009.dat
+ 2008-11-11 11:43:56 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_254.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"ccleaner"="c:\program files\CCleaner\ccleaner.exe" [2007-07-26 1209584]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-09-29 21755688]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2006-01-26 40960]
"RecGuard"="c:\windows\SMINST\RecGuard.exe" [2005-10-11 1187840]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-04-21 7561216]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-03-23 131072]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-16 49152]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2007-07-29 136600]
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" [2006-04-18 c:\windows\system32\CHDAudPropShortcut.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.iac2"= c:\progra~1\REPLAY~1\iac25_32.ax
"vidc.iv50"= c:\progra~1\REPLAY~1\ir50_32.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Pavilion Webcam Tray Icon.lnk]
backup=c:\windows\pss\HP Pavilion Webcam Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MiniEYE-MiniREAD Launch.lnk]
backup=c:\windows\pss\MiniEYE-MiniREAD Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickShelf.lnk]
backup=c:\windows\pss\QuickShelf.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^billy crystal^Start Menu^Programs^StartUp^Adobe Gamma.lnk]
backup=c:\windows\pss\Adobe Gamma.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPodService"=3 (0x3)
"usnsvc"=3 (0x3)
"LiveUpdate"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-06-19 28544]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [ ]
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-11 09:45:06
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe?????? ???@???????????????@? ???0S????????@???????@

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-11-11 9:46:21
ComboFix-quarantined-files.txt 2008-11-11 17:45:45
ComboFix2.txt 2008-11-11 12:04:52
ComboFix3.txt 2008-11-11 11:48:55
ComboFix4.txt 2008-11-10 17:00:15
ComboFix5.txt 2008-11-11 17:39:49

Pre-Run: 18,915,287,040 bytes free
Post-Run: 18,950,156,288 bytes free

1126

Last edited by mokkori; 11-11-2008 at 10:07 PM.