ComboFix 08-01-14.3 - mmathise 2008-01-14  8:06:36.1 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.1314 [GMT 1:00]
Running from: C:\Documents and Settings\mmathise\Desktop\ComboFix.exe
 * Created a new restore point

[color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b][/color]
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\images.zip

.
(((((((((((((((((((((((((   Files Created from 2007-12-14 to 2008-01-14  )))))))))))))))))))))))))))))))
.

2008-01-14 08:05 . 2000-08-31 08:00	51,200	--a------	C:\WINDOWS\NirCmd.exe
2008-01-11 15:58 . 2008-01-11 15:58	36,864	-r-hs----	C:\WINDOWS\ntmngr.exe
2008-01-11 11:04 . 2008-01-11 11:04	<DIR>	d--------	C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-01-11 10:46 . 2008-01-11 10:46	<DIR>	d--------	C:\Documents and Settings\mmathise\.DownloadManager
2008-01-08 15:21 . 2008-01-08 15:21	<DIR>	d--------	C:\Program Files\del.icio.us
2008-01-08 08:22 . 2008-01-14 07:51	<DIR>	d--------	C:\Program Files\Google
2007-12-25 01:12 . 2007-12-25 01:12	<DIR>	d--------	C:\Program Files\Red Kawa
2007-12-25 01:12 . 2007-12-25 01:12	<DIR>	d--------	C:\Program Files\AviSynth 2.5
2007-12-24 20:48 . 2008-01-14 00:00	<DIR>	d--------	C:\Games
2007-12-24 15:51 . 2007-12-24 15:51	<DIR>	d--------	C:\Documents and Settings\mmathise\Application Data\Apple Computer
2007-12-24 15:51 . 2008-01-13 23:48	54,156	--ah-----	C:\WINDOWS\QTFont.qfn
2007-12-24 15:51 . 2007-12-24 15:51	1,409	--a------	C:\WINDOWS\QTFont.for
2007-12-24 15:50 . 2007-12-24 15:50	<DIR>	d--------	C:\Program Files\QuickTime
2007-12-24 15:50 . 2007-12-24 15:51	<DIR>	d--------	C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-12-19 17:48 . 2007-12-19 17:48	268	--ah-----	C:\sqmdata17.sqm
2007-12-19 17:48 . 2007-12-19 17:48	244	--ah-----	C:\sqmnoopt17.sqm
2007-12-17 23:43 . 2007-12-17 23:43	268	--ah-----	C:\sqmdata16.sqm
2007-12-17 23:43 . 2007-12-17 23:43	244	--ah-----	C:\sqmnoopt16.sqm
2007-12-17 16:51 . 2007-12-17 16:51	268	--ah-----	C:\sqmdata15.sqm
2007-12-17 16:51 . 2007-12-17 16:51	244	--ah-----	C:\sqmnoopt15.sqm
2007-12-16 22:26 . 2007-12-16 22:26	268	--ah-----	C:\sqmdata14.sqm
2007-12-16 22:26 . 2007-12-16 22:26	244	--ah-----	C:\sqmnoopt14.sqm
2007-12-14 11:51 . 2007-12-14 11:51	<DIR>	d--------	C:\WINDOWS\uninstall\Capgemini PowerPoint Flag Templates
2007-12-14 11:51 . 2007-12-14 11:51	<DIR>	d--------	C:\WINDOWS\uninstall
2007-12-14 11:50 . 2007-12-14 11:50	<DIR>	d--------	C:\TEMP\Capgemini
2007-12-14 11:50 . 2007-12-14 11:50	<DIR>	d--------	C:\TEMP
2007-12-14 11:50 . 2007-12-14 11:50	<DIR>	d--------	C:\Program Files\Templates & Tools

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-14 07:13	---------	d-----w	C:\Program Files\Symantec AntiVirus
2008-01-13 23:00	---------	d-----w	C:\Program Files\PokerStars
2008-01-11 10:04	---------	d-----w	C:\Program Files\Common Files\Adobe
2008-01-09 08:15	---------	d-----w	C:\Program Files\Clue
2008-01-09 06:11	---------	d-----w	C:\Documents and Settings\mmathise\Application Data\uTorrent
2008-01-05 16:19	---------	d-----w	C:\Program Files\uTorrent
2007-11-24 12:00	---------	d-----w	C:\Program Files\Java
2007-11-18 22:39	---------	d-----w	C:\Documents and Settings\mmathise\Application Data\Move Networks
2007-11-07 09:26	721,920	----a-w	C:\WINDOWS\system32\lsasrv.dll
2007-10-29 22:43	1,287,680	----a-w	C:\WINDOWS\system32\quartz.dll
2007-10-27 16:40	222,720	----a-w	C:\WINDOWS\system32\wmasf.dll
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:07 15360]
"Rainlendar2"="C:\Program Files\Rainlendar2\Rainlendar2.exe" [ ]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [ ]
"scheduler_monitor"="C:\Program Files\ReaConverter 5.0 Pro\init_scheduler.exe" [2007-06-15 10:17 27136]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2006-02-14 13:17 110592]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-02-14 13:16 512000]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-03 23:56 110592 C:\WINDOWS\system32\bthprops.cpl]
"TPTRAY"="C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE" [2006-10-02 00:55 50176]
"TVT Scheduler Proxy"="C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2006-12-10 18:36 536576]
"TPHOTKEY"="C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe" [2006-10-02 09:19 94208]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2005-12-21 17:33 48800]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2006-05-27 21:06 85744]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"EZEJMNAP"="C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2006-11-29 01:30 243248]
"TP4EX"="tp4ex.exe" [2005-10-17 00:11 65536 C:\WINDOWS\system32\TP4EX.exe]
"LPManager"="C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe" [2007-02-02 01:01 120368]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2005-05-20 18:11 925696]
"SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" [2005-05-07 00:06 716800]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2006-09-15 08:53 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2006-09-15 08:50 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2006-09-15 08:54 118784]
"ACTray"="C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe" [2006-12-25 09:34 409600]
"ACWLIcon"="C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe" [2006-12-25 09:29 110592]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-28 01:50 221184]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-28 01:50 81920]
"Protect Tray"="C:\Program Files\Pointsec\P95tray.exe" [2006-09-18 15:58 356352]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]
"PCSuiteTrayApplication"="C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2006-11-08 12:27 222208]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-12-11 10:56 286720]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 02:07 15360]
"Communicator"="C:\Program Files\Microsoft Office Communicator\Communicator.exe" [2005-05-12 11:40 4167376]
"PcSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2006-11-09 16:15 1634304]

C:\Documents and Settings\mmathise\Start Menu\Programs\Startup\
SSO - Agent.lnk - C:\Documents and Settings\mmathise\Application Data\Microsoft\Installer\{C071507B-0536-4BDF-BB94-5CC2FD060092}\_1f5b221e.exe [2007-08-22 14:17:33]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe [2006-08-18 17:38:40]
Cisco Systems VPN Client.lnk - C:\Program Files\Cisco Systems\VPN Client\vpngui.exe [2007-07-13 03:02:01]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2007-02-05 10:31:48]
Program Neighborhood Agent.lnk - C:\Program Files\Citrix\ICA Client\pnagent.exe [2005-11-29 15:16:14]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ACNotify]
ACNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
notifyf2.dll 2005-07-06 08:45 28672 C:\WINDOWS\system32\notifyf2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
tphklock.dll 2005-11-30 19:16 24576 C:\WINDOWS\system32\tphklock.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\[u]0[/u]\[u]0[/u]]
"Script"=AddToLocalGroup.cmd

R0 prot_2k;prot_2k;C:\WINDOWS\system32\drivers\prot_2k.sys [2006-09-12 18:29]
R1 ANC;ANC;C:\WINDOWS\system32\drivers\ANC.SYS [2005-11-08 08:27]
R1 IBMTPCHK;IBMTPCHK;C:\WINDOWS\system32\Drivers\IBMBLDID.sys [2006-01-12 23:33]
R2 CcmExec;SMS Agent Host;C:\WINDOWS\system32\CCM\CcmExec.exe [2004-10-25 05:15]
R2 Pointsec;Pointsec;C:\WINDOWS\system32\PROT_SRV.EXE [2006-09-18 15:35]
R2 Pointsec_agent;Pointsec update agent;C:\WINDOWS\system32\pagents.exe [2006-09-18 15:24]
R2 Pointsec_start;Pointsec service start;C:\WINDOWS\system32\PSTARTSR.EXE [2006-09-18 15:43]
R2 VPatch;ISS Buffer Overflow Exploit Prevention;C:\Program Files\ISS\Proventia Desktop\VPatch.exe [2007-10-12 07:31]
R3 MakoNT;MakoNT;C:\WINDOWS\system32\drivers\isskboep.sys [2007-10-12 07:32]
R3 rap;rap;C:\WINDOWS\system32\drivers\RapDrv.sys [2007-10-12 07:32]
R3 WSIMD;wsimd Service;C:\WINDOWS\system32\DRIVERS\wsimd.sys [2006-07-20 06:00]
R4 black;black;C:\WINDOWS\system32\drivers\BlackCat.sys [2007-10-12 07:32]
S3 GemPCExp;GemPCExp;C:\WINDOWS\system32\Drivers\GemPCExp.sys [2006-03-27 15:21]
S3 GPCCARD;GPCCARD;C:\WINDOWS\system32\DRIVERS\GPCCARD.sys [2006-06-09 22:42]
S3 prepdrvr;SMS Process Event Driver;C:\WINDOWS\system32\CCM\prepdrv.sys [2004-06-27 01:50]
S3 rcp_service;ReaConverter scheduler service;C:\Program Files\ReaConverter 5.0 Pro\rcp_scheduler.exe [2007-10-15 16:11]
S3 TcUsb;TC USB Kernel Driver;C:\WINDOWS\system32\Drivers\tcusb.sys [2006-12-08 18:16]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2d9f72f5-d6b8-11db-9851-806d6172696f}]
\Shell\AutoRun\command - D:\launch.bat

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-14 08:14:31
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully 
hidden files: 0 

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\Program Files\ThinkPad\ConnectUtilities\ACNotify.dll
-> C:\Program Files\ThinkPad\ConnectUtilities\AcSvcStub.dll
-> C:\Program Files\ThinkPad\ConnectUtilities\AcLocSettings.dll
-> C:\Program Files\ThinkPad\ConnectUtilities\ACHelper.dll
-> C:\WINDOWS\system32\tphklock.dll
.
Completion time: 2008-01-14  8:16:51 - machine was rebooted
ComboFix-quarantined-files.txt  2008-01-14 07:16:46
.
2008-01-11 15:26:01	--- E O F ---