The computer had AVG installed on it, but I never received a notice of a Trojan. A co-worker used my computer while I was on vacation and, for some reason, I suppose felt the need to turn off the firewall.
Here's the log.
ComboFix 08-12-07.01 - user 2008-12-08 9:58:02.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.147 [GMT -5:00]
Running from: c:\documents and settings\user\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\user\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\user\Application Data\Google\ggqjh22510678.exe
.
((((((((((((((((((((((((( Files Created from 2008-11-08 to 2008-12-08 )))))))))))))))))))))))))))))))
.
2008-12-05 12:47 . 2008-12-05 12:47 <DIR> d-------- c:\program files\Advanced System Optimizer
2008-12-05 12:47 . 2008-12-05 12:47 <DIR> d-------- c:\documents and settings\user\Application Data\Systweak
2008-12-05 10:07 . 2008-12-05 12:30 <DIR> d-------- c:\documents and settings\user\Application Data\F-Secure
2008-12-05 10:02 . 2008-06-19 04:18 59,808 --a------ c:\windows\system32\drivers\fsdfw.sys
2008-12-05 10:02 . 2008-06-19 04:18 29,824 --a------ c:\windows\system32\drivers\fsndis5.sys
2008-12-05 10:01 . 2008-12-05 10:01 <DIR> d-------- c:\documents and settings\All Users\Application Data\fssg
2008-12-05 10:00 . 2008-12-05 10:01 <DIR> d-------- c:\program files\F-Secure
2008-12-05 10:00 . 2008-12-05 10:02 <DIR> d-------- c:\documents and settings\All Users\Application Data\F-Secure
2008-12-04 18:15 . 2008-12-04 18:15 250 --a------ c:\windows\gmer.ini
2008-12-04 17:57 . 2008-12-04 17:57 <DIR> d-------- c:\windows\ERUNT
2008-12-04 17:56 . 2008-12-04 18:12 <DIR> d-------- c:\documents and settings\Administrator
2008-12-04 17:37 . 2008-12-04 17:37 <DIR> d-------- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-12-04 17:04 . 2008-12-04 18:08 <DIR> d-------- C:\SDFix
2008-12-04 16:47 . 2008-12-04 16:47 <DIR> d-------- c:\program files\Lavasoft
2008-12-04 16:47 . 2008-12-04 16:47 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-12-04 16:47 . 2008-12-04 16:49 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2008-12-04 16:36 . 2008-12-04 16:36 73,728 --a------ c:\windows\system32\TDSSwxprjkwc.0ll
2008-12-04 16:35 . 2008-12-04 16:35 35,840 --a------ c:\windows\system32\TDSSyoaqtvub.0ll
2008-12-03 15:09 . 2008-12-03 15:09 <DIR> d-------- c:\windows\system32\Adobe
2008-12-03 15:09 . 2008-11-24 14:01 499,712 --a------ c:\windows\system32\msvcp71.dll
2008-12-03 15:09 . 2008-11-24 14:01 348,160 --a------ c:\windows\system32\msvcr71.dll
2008-11-21 14:08 . 2004-08-03 23:07 59,264 --a------ c:\windows\system32\drivers\USBAUDIO.sys
2008-11-21 14:08 . 2004-08-03 23:07 59,264 --a--c--- c:\windows\system32\dllcache\usbaudio.sys
2008-11-21 14:07 . 2008-11-21 14:07 <DIR> d-------- c:\program files\Common Files\logishrd
2008-11-21 14:07 . 2004-08-04 00:56 90,624 --a------ c:\windows\system32\kswdmcap.ax
2008-11-21 14:07 . 2004-08-04 00:56 90,624 --a--c--- c:\windows\system32\dllcache\kswdmcap.ax
2008-11-21 14:07 . 2004-08-04 00:56 61,952 --a------ c:\windows\system32\kstvtune.ax
2008-11-21 14:07 . 2004-08-04 00:56 61,952 --a--c--- c:\windows\system32\dllcache\kstvtune.ax
2008-11-21 14:07 . 2004-08-04 00:56 53,760 --a------ c:\windows\system32\vfwwdm32.dll
2008-11-21 14:07 . 2004-08-04 00:56 53,760 --a--c--- c:\windows\system32\dllcache\vfwwdm32.dll
2008-11-21 14:07 . 2004-08-04 00:56 43,008 --a------ c:\windows\system32\ksxbar.ax
2008-11-21 14:07 . 2004-08-04 00:56 43,008 --a--c--- c:\windows\system32\dllcache\ksxbar.ax
2008-11-21 14:07 . 2004-08-04 00:56 28,672 --a------ c:\windows\system32\vidcap.ax
2008-11-21 14:07 . 2004-08-04 00:56 28,672 --a--c--- c:\windows\system32\dllcache\vidcap.ax
2008-11-10 22:46 . 2004-03-09 03:00 1,081,616 --a------ c:\windows\system32\mscomctl.ocx
2008-11-10 14:53 . 2008-11-10 14:53 2,306,113 --a------ c:\windows\system32\GPhotos.scr
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-05 15:06 --------- d-----w c:\documents and settings\user\Application Data\OpenOffice.org2
2008-12-04 23:12 --------- d-----w c:\documents and settings\All Users\Application Data\avg8
2008-12-04 22:14 --------- d-----w c:\program files\Vuze
2008-11-24 20:29 --------- d-----w c:\documents and settings\user\Application Data\Azureus
2008-11-18 21:58 --------- d-----w c:\program files\Yahoo!
2008-11-18 21:58 --------- d-----w c:\documents and settings\All Users\Application Data\Yahoo!
2008-10-24 11:10 453,632 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-16 19:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 19:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 19:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-08 17:16 --------- d-----w c:\program files\Google
2008-09-30 21:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-15 11:57 1,846,016 ----a-w c:\windows\system32\win32k.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2007-08-23 455968]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-27 152872]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"Google Update"="c:\documents and settings\user\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-11-21 133104]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-01-23 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-01-23 126976]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 144784]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"SecurDisc"="c:\program files\Nero\Nero 7\InCD\NBHGui.exe" [2007-06-25 1629480]
"InCD"="c:\program files\Nero\Nero 7\InCD\InCD.exe" [2007-06-25 1057064]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-22 116040]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-07-30 289064]
"F-Secure Manager"="c:\program files\F-Secure\Common\FSM32.EXE" [2008-06-19 182936]
"F-Secure TNB"="c:\program files\F-Secure\FSGUI\TNBUtil.exe" [2008-06-19 895584]
c:\documents and settings\user\Start Menu\Programs\Startup\
OpenOffice.org 2.4.lnk - c:\program files\OpenOffice.org 2.4\program\quickstart.exe [2008-01-21 393216]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Documents and Settings\\user\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\user\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
R0 FSFW;F-Secure Firewall Driver;c:\windows\system32\drivers\fsdfw.sys [2008-12-05 59808]
R1 F-Secure HIPS;F-Secure HIPS;\??\c:\program files\F-Secure\HIPS\fshs.sys [2008-12-05 70752]
R3 F-Secure Gatekeeper;F-Secure Gatekeeper;\??\c:\program files\F-Secure\Anti-Virus\minifilter\fsgk.sys [2008-12-05 72288]
S4 F-Secure Filter;F-Secure File System Filter;\??\c:\program files\F-Secure\Anti-Virus\Win2K\FSfilter.sys [2008-12-05 39776]
S4 F-Secure Recognizer;F-Secure File System Recognizer;\??\c:\program files\F-Secure\Anti-Virus\Win2K\FSrec.sys [2008-12-05 25184]
*Newly Created Service* - F-SECURE_HIPS
*Newly Created Service* - F-SECURE_NETWORK_REQUEST_BROKER
*Newly Created Service* - FSAUA
*Newly Created Service* - FSBL
*Newly Created Service* - FSDFWD
*Newly Created Service* - FSFW
*Newly Created Service* - FSMA
*Newly Created Service* - PROCEXP90
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder
2008-12-08 c:\windows\Tasks\GoogleUpdateTaskUser.job
- c:\documents and settings\user\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-11-21 09:29]
2008-12-08 c:\windows\Tasks\Scheduled scanning task.job
- c:\progra~1\F-Secure\ANTI-V~1\fsav.exe [2008-06-19 04:18]
.
- - - - ORPHANS REMOVED - - - -
HKCU-Run-vidxhp - c:\documents and settings\user\Application Data\Google\ggqjh22510678.exe
.
------- Supplementary Scan -------
.
uStart Page =
https://email.secureserver.net/login...licrecords.com
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
LSP: c:\program files\F-Secure\FSPS\program\FSLSP.DLL
c:\windows\Downloaded Program Files\WBEtoolsAX.dll - O16 -: Web-Based Email Tools
hxxp://email.secureserver.net/Download.CAB
c:\windows\Downloaded Program Files\OSDA69D.OSD
FireFox -: Profile - c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\pxq3d9es.default\
FF -: plugin - c:\documents and settings\user\Application Data\Mozilla\plugins\npgoogletalk.dll
FF -: plugin - c:\documents and settings\user\Local Settings\Application Data\Google\Update\1.2.131.27\npGoogleOneClick6.dll
FF -: plugin - c:\program files\Google\Picasa3\npPicasa3.dll
FF -: plugin - c:\program files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - c:\program files\Yahoo!\Shared\npYState.dll
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2008-12-08 09:59:27
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(684)
c:\program files\F-Secure\FWES\Program\fsdc.dll
c:\windows\system32\igfxsrvc.dll
c:\windows\system32\hccutils.DLL
- - - - - - - > 'lsass.exe'(740)
c:\program files\F-Secure\FSPS\program\FSLSP.DLL
c:\program files\F-Secure\FWES\Program\fsdc.dll
- - - - - - - > 'csrss.exe'(660)
c:\program files\F-Secure\FWES\Program\fsdc.dll
.
Completion time: 2008-12-08 10:00:35
ComboFix-quarantined-files.txt 2008-12-08 15:00:01
Pre-Run: 21,084,909,568 bytes free
Post-Run: 21,557,714,944 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
183 --- E O F --- 2008-11-13 08:01:43