Combofix Report:
ComboFix 08-04-13.3 - Dan Marsden 2008-04-14 22:20:48.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.550 [GMT 1:00]
Running from: C:\Documents and Settings\Dan Marsden\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Dan Marsden\Desktop\CFScript.txt
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
FILE ::
C:\DOCUME~1\LIZMAR~1\LOCALS~1\Temp\hgGXPGWo.dll
C:\DOCUME~1\LIZMAR~1\LOCALS~1\Temp\iifdcAtQ.dll
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\All Users\Application Data\adkxmsjw
C:\Documents and Settings\All Users\Application Data\cqaitcsw
C:\Documents and Settings\All Users\Application Data\gzilhwor
C:\Documents and Settings\All Users\Application Data\ivovujuj
C:\Documents and Settings\All Users\Application Data\ivovujuj\ehalibwp.exe
C:\Documents and Settings\All Users\Application Data\qvstcfcv
C:\Documents and Settings\All Users\Application Data\snrqjuij
C:\Documents and Settings\All Users\Application Data\svcekfyw
C:\Documents and Settings\All Users\Application Data\svovtssw
C:\Documents and Settings\All Users\Application Data\vdhcmalu
C:\Documents and Settings\All Users\Application Data\ywwhsccb
.
((((((((((((((((((((((((( Files Created from 2008-03-14 to 2008-04-14 )))))))))))))))))))))))))))))))
.
2008-04-13 17:47 . 2008-04-13 17:47 <DIR> d-------- C:\Program Files\CCleaner
2008-04-13 12:15 . 2008-04-13 12:15 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\You've Got Pictures Screensaver
2008-04-13 11:58 . 2008-04-13 12:25 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AVG7
2008-04-13 11:57 . 2008-04-13 12:15 <DIR> d---s---- C:\Documents and Settings\Administrator\UserData
2008-04-13 11:57 . 2008-04-13 12:15 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\CyberLink
2008-04-13 11:57 . 2005-10-24 08:05 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AOL
2008-04-13 11:57 . 2008-04-13 12:15 <DIR> d-------- C:\Documents and Settings\Administrator
2008-04-13 11:50 . 2008-04-13 11:50 12,252,879 --------- C:\avg7qt.dat
2008-04-13 11:24 . 2008-04-13 11:24 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-04-12 17:29 . 2008-04-12 17:50 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-04-12 17:29 . 2008-04-12 17:29 <DIR> d-------- C:\Documents and Settings\Dan Marsden\Application Data\PC Tools
2008-04-12 17:29 . 2008-04-13 18:55 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-12 17:29 . 2007-12-10 13:53 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-04-12 17:29 . 2007-12-10 13:53 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-04-12 17:29 . 2008-02-01 11:55 42,376 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-04-12 17:29 . 2007-12-10 13:53 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-04-01 18:26 . 2008-04-01 18:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Last.fm
2008-04-01 18:25 . 2008-04-01 18:25 <DIR> d-------- C:\Program Files\Last.fm
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-13 15:39 --------- d-----w C:\Documents and Settings\Liz Marsden\Application Data\AVG7
2008-04-13 12:58 --------- d-----w C:\Documents and Settings\Dan Marsden\Application Data\AVG7
2008-04-10 21:19 28,134 ----a-w C:\Documents and Settings\Liz Marsden\Application Data\wklnhst.dat
2008-04-01 17:26 --------- d-----w C:\Program Files\iTunes
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-01-29 22:01 164 ---ha-w C:\Documents and Settings\All Users\hpothb07.dat
2008-01-29 22:01 0 ---ha-w C:\Documents and Settings\Dan Marsden\hpothb07.dat
2008-01-17 16:47 92,248 ----a-w C:\Documents and Settings\Dan Marsden\Application Data\GDIPFONTCACHEV1.DAT
2007-12-23 18:51 92,248 ----a-w C:\Documents and Settings\Liz Marsden\Application Data\GDIPFONTCACHEV1.DAT
2007-10-25 10:58 1,588 ----a-w C:\Documents and Settings\Dan Marsden\Application Data\wklnhst.dat
2005-10-19 10:21 8 --sh--r C:\WINDOWS\system32\C72AA29016.sys
2005-10-19 10:21 4,704 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.
((((((((((((((((((((((((((((( snapshot@2008-04-13_19.00.08.82 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-13 15:29:32 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-04-14 20:23:09 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-13 08:15 68856]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:00 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-09-22 23:21 7282688]
"nwiz"="nwiz.exe" [2005-09-22 23:21 1519616 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="NvMCTray.dll" [2005-09-22 23:21 86016 C:\WINDOWS\system32\nvmctray.dll]
"RTHDCPL"="RTHDCPL.EXE" [2005-08-18 15:20 14820864 C:\WINDOWS\RTHDCPL.EXE]
"CmUCRRun"="C:\WINDOWS\system32\CmUCReye.exe" [2005-10-12 14:44 241664]
"MedionVFD"="C:\Program Files\Medion Info Display\MdionLCM.exe" [2005-10-11 17:11 126976]
"CHotkey"="mHotkey.exe" [2004-06-03 21:07 549376 C:\WINDOWS\mHotkey.exe]
"ledpointer"="CNYHKey.exe" [2003-07-21 22:28 5577216 C:\WINDOWS\CNYHKey.exe]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 13:00 208952]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 13:00 59392]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 13:00 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 13:00 455168]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"AOLDialer"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" [2004-04-08 08:38 496752]
"AOL Spyware Protection"="C:\PROGRA~1\COMMON~1\aol\AOLSPY~1\AOLSP Scheduler.exe" [2004-03-19 14:17 78960]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-10-24 08:13 180269]
"AntivirusRegistration"="C:\Program Files\CA\Etrust Antivirus\Register.exe" [2005-08-22 23:05 258048]
"RemoteControl"="C:\Program Files\Home Cinema\PowerDVD\PDVDServ.exe" [2004-11-02 21:24 32768]
"PCMService"="C:\Program Files\Home Cinema\PowerCinema\PCMService.exe" [2005-10-28 22:53 139264]
"InstantOn"="C:\Program Files\CyberLink\PowerCinema Linux\ion_install.exe" [2005-09-22 14:19 93640]
"NapsterShell"="C:\Program Files\Napster\napster.exe" [2006-11-08 20:03 323216]
"TomTomHOME.exe"="C:\Program Files\TomTom HOME\TomTomHOME.exe" [2007-03-08 18:50 3770536]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-12-11 11:56 286720]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-12-11 13:10 267048]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-01-11 11:57 579072]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 13:00 15360]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-01-10 18:44 219136]
C:\Documents and Settings\Dan Marsden\Start Menu\Programs\Startup\
Last.fm Helper.lnk - C:\Program Files\Last.fm\LastFMHelper.exe [2008-04-01 18:25:52 106496]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
hp psc 1000 series.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe [2003-04-09 19:21:38 147456]
hpoddt01.exe.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-04-09 19:11:12 28672]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\AOL 9.0\\AOL.exe"=
"C:\\Program Files\\AOL 9.0\\WAOL.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLACSD.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDIAL.exe"=
"C:\\WINDOWS\\system32\\fxsclnt.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\\Program Files\\NetMeeting\\Conf.exe"=
"C:\\Program Files\\Ahead\\Nero MediaHome\\NeroMediaHome.exe"=
"C:\\Program Files\\Home Cinema\\PowerCinema\\PowerCinema.exe"=
"C:\\Program Files\\Home Cinema\\PowerCinema\\PCMService.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\RhinoSoft.com\\FTP Voyager\\FTPVoyager.exe"=
"C:\\Program Files\\RhinoSoft.com\\FTP Voyager\\FVScheduler.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\Autodesk\\3ds Max 9\\3dsmax.exe"=
"C:\\Program Files\\Autodesk\\Backburner\\monitor.exe"=
"C:\\Program Files\\Autodesk\\Backburner\\manager.exe"=
"C:\\Program Files\\Autodesk\\Backburner\\server.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
R3 3xHybrid;3xHybrid service;C:\WINDOWS\system32\DRIVERS\3xHybrid.sys [2005-10-17 14:52]
R3 CMISTOR;CMIUCR.SYS CM220 Card Reader Driver;C:\WINDOWS\system32\DRIVERS\cmiucr.SYS [2005-10-04 18:37]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{83ce4260-d5f8-11db-8d94-0012bf5226f7}]
\Shell\AutoRun\command - K:\InstallTomTomHOME.exe
.
Contents of the 'Scheduled Tasks' folder
"2008-04-01 18:31:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-04-26 17:38:48 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1168799733.job"
- C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe4-I
.
**************************************************************************
catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2008-04-14 22:22:58
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-04-14 22:23:19
ComboFix-quarantined-files.txt 2008-04-14 21:23:17
ComboFix2.txt 2008-04-13 18:00:22
Pre-Run: 103,232,212,992 bytes free
Post-Run: 103,218,995,200 bytes free
.
2008-04-10 21:45:25 --- E O F ---