Thanks again, have done as requested. Combofix could not download the
recovery console, but it continued to scan. The log is as follows:
ComboFix 08-11-12.01 - Deb 2008-11-14 17:01:15.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.614 [GMT 10:00]
Running from: c:\documents and settings\Deb\Desktop\Malware detection\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\program files\Dcads Advanced Toolbar
c:\windows\a3kebook.ini
c:\windows\akebook.ini
c:\windows\ANS2000.INI
c:\windows\system32\_005445_.tmp.dll
c:\windows\system32\_005446_.tmp.dll
c:\windows\system32\_005447_.tmp.dll
c:\windows\system32\_005448_.tmp.dll
c:\windows\system32\_005455_.tmp.dll
c:\windows\system32\_005456_.tmp.dll
c:\windows\system32\_005457_.tmp.dll
c:\windows\system32\_005459_.tmp.dll
c:\windows\system32\_005460_.tmp.dll
c:\windows\system32\_005463_.tmp.dll
c:\windows\system32\_005464_.tmp.dll
c:\windows\system32\_005466_.tmp.dll
c:\windows\system32\_005467_.tmp.dll
c:\windows\system32\_005468_.tmp.dll
c:\windows\system32\_005470_.tmp.dll
c:\windows\system32\_005473_.tmp.dll
c:\windows\system32\_005474_.tmp.dll
c:\windows\system32\_005478_.tmp.dll
c:\windows\system32\_005479_.tmp.dll
c:\windows\system32\_005481_.tmp.dll
c:\windows\system32\_005484_.tmp.dll
c:\windows\system32\_005486_.tmp.dll
c:\windows\system32\_005487_.tmp.dll
c:\windows\system32\_005488_.tmp.dll
c:\windows\system32\_005489_.tmp.dll
c:\windows\system32\_005492_.tmp.dll
c:\windows\system32\_005493_.tmp.dll
c:\windows\system32\_005494_.tmp.dll
c:\windows\system32\_005495_.tmp.dll
c:\windows\system32\_005496_.tmp.dll
c:\windows\system32\_005501_.tmp.dll
c:\windows\system32\_005503_.tmp.dll
c:\windows\system32\_007854_.tmp.dll
c:\windows\system32\_007855_.tmp.dll
c:\windows\system32\_007856_.tmp.dll
c:\windows\system32\_007857_.tmp.dll
c:\windows\system32\_007864_.tmp.dll
c:\windows\system32\_007865_.tmp.dll
c:\windows\system32\_007866_.tmp.dll
c:\windows\system32\_007867_.tmp.dll
c:\windows\system32\_007869_.tmp.dll
c:\windows\system32\_007870_.tmp.dll
c:\windows\system32\_007873_.tmp.dll
c:\windows\system32\_007874_.tmp.dll
c:\windows\system32\_007876_.tmp.dll
c:\windows\system32\_007877_.tmp.dll
c:\windows\system32\_007878_.tmp.dll
c:\windows\system32\_007880_.tmp.dll
c:\windows\system32\_007883_.tmp.dll
c:\windows\system32\_007884_.tmp.dll
c:\windows\system32\_007888_.tmp.dll
c:\windows\system32\_007889_.tmp.dll
c:\windows\system32\_007891_.tmp.dll
c:\windows\system32\_007894_.tmp.dll
c:\windows\system32\_007896_.tmp.dll
c:\windows\system32\_007897_.tmp.dll
c:\windows\system32\_007898_.tmp.dll
c:\windows\system32\_007899_.tmp.dll
c:\windows\system32\_007900_.tmp.dll
c:\windows\system32\_007903_.tmp.dll
c:\windows\system32\_007904_.tmp.dll
c:\windows\system32\_007905_.tmp.dll
c:\windows\system32\_007906_.tmp.dll
c:\windows\system32\_007907_.tmp.dll
c:\windows\system32\_007912_.tmp.dll
c:\windows\system32\_007914_.tmp.dll
c:\windows\system32\dcads-remove.exe
c:\windows\system32\superiorads-uninst.exe
.
((((((((((((((((((((((((( Files Created from 2008-10-14 to 2008-11-14 )))))))))))))))))))))))))))))))
.
2008-11-09 13:11 . 2008-11-14 16:54 <DIR> d-------- c:\documents and settings\Deb\Application Data\Free Download Manager
2008-11-09 13:11 . 2008-11-09 13:11 <DIR> d-------- c:\documents and settings\All Users\Application Data\FreeDownloadManager.ORG
2008-11-09 13:10 . 2008-11-09 13:11 <DIR> d-------- c:\program files\Free Download Manager
2008-11-07 11:50 . 2008-11-13 07:02 54,156 --ah----- c:\windows\QTFont.qfn
2008-11-07 11:50 . 2008-11-07 11:50 1,409 --a------ c:\windows\QTFont.for
2008-10-29 11:24 . 2008-10-29 11:26 <DIR> d-------- c:\program files\SEO Elite 4
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-13 03:22 --------- d-----w c:\program files\Reply Email Automator Setup
2008-11-13 03:22 --------- d-----w c:\program files\Real Link Finder
2008-11-13 03:22 --------- d-----w c:\program files\PopCap Games
2008-11-13 03:00 --------- d-----w c:\program files\LimeWire
2008-11-12 08:56 --------- d-----w c:\program files\Keyword Elite
2008-11-12 00:56 99,856 ----a-w c:\windows\system32\drivers\cmdguard.sys
2008-11-12 00:56 31,504 ----a-w c:\windows\system32\drivers\cmdhlp.sys
2008-11-12 00:55 143,096 ----a-w c:\windows\system32\guard32.dll
2008-11-10 12:31 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-11-10 05:38 --------- d-----w c:\documents and settings\All Users\Application Data\DVD Shrink
2008-11-09 02:52 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-05 00:20 --------- d-----w c:\program files\SpywareGuard
2008-10-21 04:42 --------- d-----w c:\program files\Java
2008-10-10 23:06 --------- d-----w c:\program files\FreeRIP3
2008-10-10 23:05 --------- d-----w c:\documents and settings\All Users\Application Data\FreeRIP
2008-10-05 22:02 --------- d-----w c:\program files\Windows Media Connect 2
2008-10-05 11:22 --------- d-----w c:\documents and settings\Deb\Application Data\DataCast
2008-10-05 11:21 --------- d-----w c:\documents and settings\Deb\Application Data\InstallShield
2008-10-05 05:14 65,024 ----a-w c:\windows\IFinst26.exe
2008-10-05 05:14 --------- d-----w c:\program files\Lame MP3 Codec
2008-10-05 05:13 --------- d-----w c:\program files\XviD
2008-10-05 05:12 --------- d-----w c:\program files\Samsung
2008-10-05 05:12 --------- d-----w c:\program files\MarkAny
2008-10-03 02:31 4 ----a-w C:\results.bin
2008-10-02 03:12 --------- d-----w c:\documents and settings\Deb\Application Data\Lavasoft
2008-09-15 11:57 1,846,016 ------w c:\windows\system32\win32k.sys
2008-08-30 20:31 91,712 ----a-w c:\documents and settings\Deb\Application Data\GDIPFONTCACHEV1.DAT
2008-08-26 07:24 826,368 ----a-w c:\windows\system32\wininet.dll
2008-08-14 10:00 2,180,352 ------w c:\windows\system32\ntoskrnl.exe
2008-08-14 09:22 2,057,728 ------w c:\windows\system32\ntkrnlpa.exe
2008-07-11 04:11 48,367,896 ----a-w c:\program files\avg_free_stf_en_8_138a1332.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 2097488]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-11-30 344064]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-10-19 286720]
"COMODO Firewall Pro"="c:\program files\COMODO\Firewall\cfp.exe" [2008-11-06 1797880]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-09-30 1234712]
"MAAgent"="c:\program files\MarkAny\ContentSafer\MAAgent.exe" [2007-01-30 57344]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 32768]
"COMODO Internet Security"="c:\program files\COMODO\Firewall\cfp.exe" [2008-11-06 1797880]
"SoundMan"="SOUNDMAN.EXE" [2006-01-11 c:\windows\soundman.exe]
c:\documents and settings\Deb\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]
SpywareGuard.lnk - c:\program files\SpywareGuard\sgmain.exe [2003-08-29 360448]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{88485281-8b4b-4f8d-9ede-82e29a064277}"= "c:\progra~1\MarkAny\CONTEN~1\MACSMA~1.DLL" [2004-11-23 192512]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.MJPG"= jl_mjpg2.drv
[HKLM\~\startupfolder\C:^Documents and Settings^Deb^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
backup=c:\windows\pss\LimeWire On Startup.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Free Download Manager]
--a------ 2007-12-31 23:05 2449455 c:\program files\Free Download Manager\fdm.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMSTray]
--a------ 2007-02-23 16:32 126976 c:\program files\Samsung\Samsung Media Studio 5\SMSTray.exe
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Keyword Elite\\Keyword Elite.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\WINDOWS\\system32\\muzapp.exe"=
NETSVCS REQUIRES REPAIRS - current entries shown
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
.
Contents of the 'Scheduled Tasks' folder
2008-11-14 c:\windows\Tasks\AB6923F99122D6D1.job
- c:\docume~1\deb\applic~1\byteho~1\data skip license.exe []
2008-11-14 c:\windows\Tasks\Ad-Aware SE Personal.job
- c:\progra~1\Lavasoft\AD-AWA~1\Ad-Aware.exe []
2008-11-10 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]
2008-11-14 c:\windows\Tasks\Spybot - Search & Destroy.job
- c:\progra~1\SPYBOT~1\SpybotSD.exe [2008-01-28 11:43]
.
- - - - ORPHANS REMOVED - - - -
HKU-Default-RunServices-ssymsne - valuex.exe
Notify-dimsntfy - (no file)
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = about:blank
R0 -: HKCU-Main,SearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
R1 -: HKCU-Internet Connection Wizard,ShellNext = iexplore
R1 -: HKCU-SearchURL,(Default) = hxxp://www.google.com/search?q=%s
O8 -: Download all with Free Download Manager - file://c:\program files\Free Download Manager\dlall.htm
O8 -: Download selected with Free Download Manager - file://c:\program files\Free Download Manager\dlselected.htm
O8 -: Download video with Free Download Manager - file://c:\program files\Free Download Manager\dlfvideo.htm
O8 -: Download with Free Download Manager - file://c:\program files\Free Download Manager\dllink.htm
O8 -: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2008-11-14 17:07:41
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\progra~1\AVG\AVG8\avgwdsvc.exe
c:\program files\COMODO\Firewall\cmdagent.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgemc.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\ati2evxx.exe
c:\program files\SpywareGuard\sgbhp.exe
.
**************************************************************************
.
Completion time: 2008-11-14 17:20:37 - machine was rebooted
ComboFix-quarantined-files.txt 2008-11-14 07:20:31
Pre-Run: 97,555,017,728 bytes free
Post-Run: 97,447,825,408 bytes free
227 --- E O F --- 2008-11-13 00:12:52
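When triaging a log like the one above, the sections worth reading first are the autostart entries under "Reg Loading Points", the "Scheduled Tasks" list, and the file list under "Other Deletions". The script below is an added example written for this thread; it is not ComboFix output and not code posted by anyone in the thread. It splits a ComboFix-style log into its sections using the header shapes visible in this log, parses the Run values and scheduled-task pairs, and applies a few triage heuristics that are my own assumptions (an autostart or task target living under a user's Application Data folder, a job whose name is a bare 16-character hex string, a target for which the log recorded no date/size inside the brackets, and the numbered `_NNNNNN_.tmp.dll` pattern in system32). The embedded sample is constructed from a handful of lines of the posted log; a finding means "look at this", not "this is malware".

```python
"""Triage helper for ComboFix-style logs (added example, not part of the thread)."""
import re
from typing import Dict, List, Tuple

# Constructed sample: a trimmed log assembled from lines of the post above.
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\program files\Dcads Advanced Toolbar
c:\windows\system32\_005445_.tmp.dll
c:\windows\system32\_007914_.tmp.dll
c:\windows\system32\dcads-remove.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-09-30 1234712]
"SoundMan"="SOUNDMAN.EXE" [2006-01-11 c:\windows\soundman.exe]
.
Contents of the 'Scheduled Tasks' folder
2008-11-14 c:\windows\Tasks\AB6923F99122D6D1.job
- c:\docume~1\deb\applic~1\byteho~1\data skip license.exe []
2008-11-10 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]
.
- - - - ORPHANS REMOVED - - - -
"""

# Section header shapes as they appear in the log (assumption: these three forms).
HEADER_PATTERNS = [
    re.compile(r"^\({3,}\s*(?P<name>.+?)\s*\){3,}$"),
    re.compile(r"^Contents of the '(?P<name>[^']+)' folder$"),
    re.compile(r"^- - - - (?P<name>.+?) - - - -$"),
]
REG_KEY = re.compile(r"^\[(?P<key>[^\]]+)\]$")
RUN_VALUE = re.compile(r'^"(?P<name>[^"]+)"="(?P<target>[^"]*)"\s*\[(?P<meta>[^\]]*)\]$')
JOB_LINE = re.compile(r"^\d{4}-\d{2}-\d{2}\s+(?P<job>.+\.job)$", re.IGNORECASE)
JOB_TARGET = re.compile(r"^-\s+(?P<target>.+?)\s*\[(?P<meta>[^\]]*)\]$")
# Heuristics (my assumptions, not ComboFix rules).
USER_PROFILE = re.compile(r"(documents and settings|docume~1)\\[^\\]+\\(application data|applic~1)", re.I)
HEX_NAME = re.compile(r"^[0-9A-F]{16}$")
TMP_DLL = re.compile(r"\\system32\\_\d{6}_\.tmp\.dll$", re.IGNORECASE)


def split_sections(text: str) -> Dict[str, List[str]]:
    """Group non-empty, non-'.' lines under the most recent section header."""
    sections: Dict[str, List[str]] = {}
    current = "preamble"
    for raw in text.splitlines():
        line = raw.strip()
        for pat in HEADER_PATTERNS:
            m = pat.match(line)
            if m:
                current = m.group("name")
                sections.setdefault(current, [])
                break
        else:
            if line and line != ".":
                sections.setdefault(current, []).append(line)
    return sections


def parse_autostarts(lines: List[str]) -> List[Dict[str, str]]:
    """Return Run-style values as dicts with the registry key they sit under."""
    entries, key = [], ""
    for line in lines:
        m = REG_KEY.match(line)
        if m:
            key = m.group("key")
            continue
        m = RUN_VALUE.match(line)
        if m:
            entries.append({"key": key, **m.groupdict()})
    return entries


def parse_tasks(lines: List[str]) -> List[Dict[str, str]]:
    """Pair each '.job' line with the '- target [meta]' line that follows it."""
    tasks, job = [], None
    for line in lines:
        m = JOB_LINE.match(line)
        if m:
            job = m.group("job")
            continue
        m = JOB_TARGET.match(line)
        if m and job:
            tasks.append({"job": job, **m.groupdict()})
            job = None
    return tasks


def triage(text: str) -> List[Tuple[str, str, str]]:
    """Return (finding-kind, where, target) triples worth a human's attention."""
    sections = split_sections(text)
    findings: List[Tuple[str, str, str]] = []
    for e in parse_autostarts(sections.get("Reg Loading Points", [])):
        where = f'{e["key"]}\\{e["name"]}'
        if USER_PROFILE.search(e["target"]):
            findings.append(("autostart-in-user-profile", where, e["target"]))
        if not e["meta"].strip():
            findings.append(("no-file-metadata", where, e["target"]))
    for t in parse_tasks(sections.get("Scheduled Tasks", [])):
        stem = t["job"].rsplit("\\", 1)[-1][:-4]
        if HEX_NAME.match(stem):
            findings.append(("hex-named-task", t["job"], t["target"]))
        if USER_PROFILE.search(t["target"]):
            findings.append(("task-in-user-profile", t["job"], t["target"]))
        if not t["meta"].strip():
            findings.append(("no-file-metadata", t["job"], t["target"]))
    tmp = [p for p in sections.get("Other Deletions", []) if TMP_DLL.search(p)]
    if tmp:
        findings.append(("numbered-tmp-dlls-removed", f"{len(tmp)} files", tmp[0]))
    return findings


if __name__ == "__main__":
    for kind, where, target in triage(SAMPLE_LOG):
        print(f"{kind:28} {where}  ->  {target}")
```

Run it against a saved log by reading the file into `triage()` instead of `SAMPLE_LOG`. On the sample, the only autostart-section findings come from the scheduled task whose job name is a bare hex string, whose target sits under the user's Application Data folder and for which the log recorded nothing inside the brackets; the three Run values produce no findings, and the two numbered tmp DLLs are counted as one finding.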