

Re: Removal of perfs.exe

Hi,

Sorry it's taken a couple of days, I've been swamped with work.

This has all been done and the Recovery Console installed correctly; here is the ComboFix log you asked for:
ComboFix 08-05-01.3 - Luke 2008-05-09 14:05:37.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.619 [GMT 1:00]
Running from: C:\Documents and Settings\Luke\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Luke\Desktop\CFscript.txt
* Created a new restore point
* Resident AV is active


FILE ::
C:\WINDOWS\system32\afinding.exe
C:\WINDOWS\system32\wserving.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Kontiki
C:\Documents and Settings\All Users\Application Data\Kontiki\error.log
C:\Documents and Settings\All Users\Application Data\Kontiki\error2.log
C:\Documents and Settings\All Users\Application Data\Kontiki\kservice.mdmp
C:\Documents and Settings\All Users\Application Data\Kontiki\zdata.db
C:\WINDOWS\system32\afinding.exe
C:\WINDOWS\system32\wserving.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_AFINDING
-------\Legacy_WSERVING
-------\Service_AFinding
-------\Service_WServing


((((((((((((((((((((((((( Files Created from 2008-04-09 to 2008-05-09 )))))))))))))))))))))))))))))))
.

2008-05-06 11:04 . 2008-05-06 11:04 <DIR> d-------- C:\_OTMoveIt
2008-05-05 13:49 . 2008-05-05 13:49 221,184 --a------ C:\WINDOWS\SnoopFreeUI.exe
2008-05-05 13:49 . 2008-05-05 13:49 90,112 --a------ C:\WINDOWS\system32\SnoopFreeSvc.exe
2008-05-05 13:49 . 2008-05-05 13:49 45,056 --a------ C:\WINDOWS\SnoopFreeDll.dll
2008-05-05 13:49 . 2008-05-05 13:49 9,472 --a------ C:\WINDOWS\system32\drivers\SnopFree.sys
2008-05-05 13:10 . 2008-05-05 13:10 1,160 --a------ C:\WINDOWS\mozver.dat
2008-05-05 13:09 . 2008-05-05 13:09 0 --a------ C:\WINDOWS\nsreg.dat
2008-05-05 12:15 . 2008-05-05 12:15 <DIR> d-------- C:\Deckard
2008-04-27 19:29 . 2008-04-27 19:29 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Xfire
2008-04-27 19:21 . 2008-04-27 19:21 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\Xfire
2008-04-27 19:20 . 2008-05-04 14:24 <DIR> d-------- C:\Program Files\Xfire
2008-04-27 19:20 . 2008-05-08 21:53 <DIR> d-------- C:\Documents and Settings\Luke\Application Data\Xfire
2008-04-26 13:08 . 2008-04-26 13:10 <DIR> d-------- C:\WINDOWS\system32\Adobe
2008-04-23 13:04 . 1998-05-18 03:06 368,912 --a------ C:\WINDOWS\system32\vbar332.dll
2008-04-23 12:23 . 2008-04-23 12:51 <DIR> d-------- C:\Program Files\Rockstar Games
2008-04-22 23:29 . 2008-04-22 23:29 41,296 --a------ C:\WINDOWS\system32\xfcodec.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-06 17:23 --------- d-----w C:\Program Files\Last.fm
2008-05-06 11:53 --------- d-----w C:\Documents and Settings\Luke\Application Data\uTorrent
2008-04-23 11:23 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-09 02:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-04-07 20:59 --------- d-----w C:\Program Files\DMW Scanner 3
2008-03-31 11:55 --------- d-----w C:\Program Files\Ultime Pack Maps DMW
2008-03-29 14:42 --------- d-----w C:\Documents and Settings\Luke\Application Data\teamspeak2
2008-03-27 21:21 --------- d-----w C:\Program Files\Special
2008-03-19 15:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\Channel4
2008-03-11 19:47 --------- d-----w C:\Program Files\Real
2008-03-11 19:47 --------- d-----w C:\Program Files\Common Files\xing shared
2008-03-11 19:47 --------- d-----w C:\Program Files\Common Files\Real
2008-03-09 16:54 --------- d-----w C:\Program Files\Common Files\Autodesk Shared
2008-03-09 16:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\Autodesk
2008-03-09 16:45 --------- d-----w C:\Program Files\Autodesk
2008-03-09 15:17 --------- d-----w C:\Program Files\MagicISO
.

((((((((((((((((((((((((((((( snapshot@2008-05-06_11.17.37.45 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-05 12:53:33 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-09 13:08:21 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2005-10-20 19:02:28 163,328 ----a-w C:\WINDOWS\ERDNT\subs\ERDNT.EXE
- 2008-05-06 10:16:50 53,248 ----a-w C:\WINDOWS\TEMP\catchme.dll
+ 2008-05-09 13:08:48 53,248 ----a-w C:\WINDOWS\TEMP\catchme.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2006-03-23 21:17 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2006-03-23 21:13 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2006-03-23 21:17 118784]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25 144784]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2007-12-16 15:14 949376]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-03-11 20:47 185896]
"BJCFD"="C:\Program Files\BroadJump\Client Foundation\CFD.exe" [2002-09-10 22:26 368706]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-02-01 00:13 385024]
"SnoopFreeUI"="SnoopFreeUI.exe" [2008-05-05 13:49 221184 C:\WINDOWS\SnoopFreeUI.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]
PCANotify.dll 2007-04-27 13:10 18744 C:\WINDOWS\system32\PCANotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.YV12"= yv12vfw.dll
"VIDC.XFR1"= xfcodec.dll

[HKLM\~\startupfolder\C:^Documents and Settings^Luke^Start Menu^Programs^Startup^Last.fm Helper.lnk]
path=C:\Documents and Settings\Luke\Start Menu\Programs\Startup\Last.fm Helper.lnk
backup=C:\WINDOWS\pss\Last.fm Helper.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 23:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
--a------ 2007-03-01 00:06 2321600 C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a------ 2007-09-20 16:35 202024 C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Corel Photo Downloader]
--a------ 2007-08-28 13:00 531272 C:\Program Files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
--a------ 2007-12-19 21:13 486856 C:\Program Files\DAEMON Tools Lite\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DmwClient]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
--a------ 2008-01-20 08:05 217088 C:\Program Files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-02-01 00:13 385024 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RecoverFromReboot]
C:\WINDOWS\Temp\RecoverFromReboot.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
--a------ 2004-10-14 15:42 1404928 C:\Program Files\Analog Devices\Core\smax4pnp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WServing"=2 (0x2)
"Serv-U"=3 (0x3)
"ProtexisLicensing"=2 (0x2)
"Bonjour Service"=2 (0x2)
"AFinding"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\EA GAMES\\MOHAA\\MOHAA.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\GameSpy Arcade\\Aphex.exe"=
"C:\\Program Files\\Symantec\\pcAnywhere\\awhost32.exe"=
"C:\\Program Files\\RhinoSoft.com\\Serv-U\\ServUDaemon.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\MagicISO\\MagicISO.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\Xfire\\xfire.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
"6129:TCP"= 6129:TCP:DameWare Mini Remote Control Service
"139:TCP"= 139:TCP:@xpsp2res.dll,-22004
"445:TCP"= 445:TCP:192.168.0.0/255.255.255.0,217.155.119.160/255.255.255.240:Enabled:@xpsp2res.dll,-22005
"137:UDP"= 137:UDP:192.168.0.0/255.255.255.0,217.155.119.160/255.255.255.240:Enabled:@xpsp2res.dll,-22001
"138:UDP"= 138:UDP:192.168.0.0/255.255.255.0,217.155.119.160/255.255.255.240:Enabled:@xpsp2res.dll,-22002

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R1 dwvkbd;DameWare Virtual Keyboard 32 bit Driver;C:\WINDOWS\system32\DRIVERS\dwvkbd.sys [2007-02-15 17:00]
R2 ASFIPmon;Broadcom ASF IP Monitor;"C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe" -service []
R3 DwMirror;DwMirror;C:\WINDOWS\system32\DRIVERS\DamewareMini.sys [2007-02-07 17:00]
S4 Serv-U;Serv-U FTP Server;C:\Program Files\RhinoSoft.com\Serv-U\ServUDaemon.exe [2006-06-12 09:10]

.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-09 14:08:48
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\DWRCS.EXE
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\ESET\nod32krn.exe
C:\WINDOWS\system32\SnoopFreeSvc.exe
C:\WINDOWS\system32\DWRCST.EXE
.
**************************************************************************
.
Completion time: 2008-05-09 14:14:39 - machine was rebooted [Luke]
ComboFix-quarantined-files.txt 2008-05-09 13:14:33
ComboFix2.txt 2008-05-06 10:18:00

Pre-Run: 4,176,113,664 bytes free
Post-Run: 4,106,907,648 bytes free

183 --- E O F --- 2008-05-01 10:24:16