ComboFix 08-04-20.5 - Boo 2008-04-26 12:28:07.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1079 [GMT -4:00]
Running from: C:\Documents and Settings\Boo\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Boo\Desktop\CFScript.txt
 * Created a new restore point
[color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b][/color]

FILE ::
C:\Documents and Settings\All Users\Application Data\obcxubst.dll
C:\WINDOWS\mainms.vpi
C:\WINDOWS\megavid.cdt
C:\WINDOWS\muotr.so
C:\WINDOWS\njqzpir.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\obcxubst.dll
C:\WINDOWS\mainms.vpi
C:\WINDOWS\megavid.cdt
C:\WINDOWS\mgwwgmke
C:\WINDOWS\mgwwgmke\1.png
C:\WINDOWS\mgwwgmke\2.png
C:\WINDOWS\mgwwgmke\3.png
C:\WINDOWS\mgwwgmke\4.png
C:\WINDOWS\mgwwgmke\5.png
C:\WINDOWS\mgwwgmke\6.png
C:\WINDOWS\mgwwgmke\7.png
C:\WINDOWS\mgwwgmke\8.png
C:\WINDOWS\mgwwgmke\9.png
C:\WINDOWS\mgwwgmke\bottom-rc.gif
C:\WINDOWS\mgwwgmke\config.png
C:\WINDOWS\mgwwgmke\content.png
C:\WINDOWS\mgwwgmke\download.gif
C:\WINDOWS\mgwwgmke\frame-bg.gif
C:\WINDOWS\mgwwgmke\frame-bottom-left.gif
C:\WINDOWS\mgwwgmke\frame-h1bg.gif
C:\WINDOWS\mgwwgmke\head.png
C:\WINDOWS\mgwwgmke\icon.png
C:\WINDOWS\mgwwgmke\indexwp.html
C:\WINDOWS\mgwwgmke\main.css
C:\WINDOWS\mgwwgmke\memory-prots.png
C:\WINDOWS\mgwwgmke\net.png
C:\WINDOWS\mgwwgmke\pc-mag.gif
C:\WINDOWS\mgwwgmke\pc.gif
C:\WINDOWS\mgwwgmke\poloska1.png
C:\WINDOWS\mgwwgmke\poloska2.png
C:\WINDOWS\mgwwgmke\poloska3.png
C:\WINDOWS\mgwwgmke\promowp1.html
C:\WINDOWS\mgwwgmke\promowp2.html
C:\WINDOWS\mgwwgmke\promowp3.html
C:\WINDOWS\mgwwgmke\promowp4.html
C:\WINDOWS\mgwwgmke\promowp5.html
C:\WINDOWS\mgwwgmke\reg.png
C:\WINDOWS\mgwwgmke\repair.png
C:\WINDOWS\mgwwgmke\scr-1.png
C:\WINDOWS\mgwwgmke\scr-2.png
C:\WINDOWS\mgwwgmke\start.png
C:\WINDOWS\mgwwgmke\styles.css
C:\WINDOWS\mgwwgmke\Thumbs.db
C:\WINDOWS\mgwwgmke\top-rc.gif
C:\WINDOWS\mgwwgmke\vline.gif
C:\WINDOWS\mgwwgmke\wp.png
C:\WINDOWS\muotr.so
.

((((((((((((((((((((((((( Files Created from 2008-03-26 to 2008-04-26 )))))))))))))))))))))))))))))))
.

2008-04-23 18:07 . 2008-04-23 18:11 d-------- C:\fixwareout
2008-04-22 03:08 . 2008-04-22 03:08 d-------- C:\_OTMoveIt
2008-04-21 11:43 . 2008-04-21 12:18 82,380 --a------ C:\WINDOWS\system32\drivers\AFS2K.SYS
2008-04-21 11:42 . 2008-04-21 11:42 d-------- C:\Documents and Settings\Boo\Application Data\Malwarebytes
2008-04-21 11:41 . 2008-04-21 11:42 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-21 11:41 . 2008-04-21 11:41 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-21 10:57 . 2008-04-21 10:57 d-------- C:\Documents and Settings\Boo\Application Data\Grisoft
2008-04-21 10:57 . 2007-05-30 08:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-04-21 10:52 . 2008-04-21 10:52 d-------- C:\Program Files\Trend Micro
2008-04-21 08:42 . 2008-04-21 12:03 d-------- C:\Program Files\Easy SpyRemover
2008-04-20 22:13 . 2008-04-21 04:52 d-------- C:\Documents and Settings\Boo\.housecall6.6
2008-04-20 17:31 . 2008-04-20 17:31 d-------- C:\Program Files\Panda Security
2008-04-20 14:43 . 2004-02-05 07:04 d-------- C:\Documents and Settings\Administrator.BOO\WINDOWS
2008-04-20 14:43 . 2004-02-05 07:15 d-------- C:\Documents and Settings\Administrator.BOO\Application Data\Symantec
2008-04-20 14:43 . 2004-02-05 10:10 d-------- C:\Documents and Settings\Administrator.BOO\Application Data\Roxio
2008-04-20 14:43 . 2004-02-05 06:59 d-------- C:\Documents and Settings\Administrator.BOO\Application Data\InterTrust
2008-04-20 14:43 . 2008-04-26 01:02 1,024 --ah----- C:\Documents and Settings\Administrator.BOO\ntuser.dat.LOG
2008-04-20 14:42 . 2008-04-20 14:43 d-------- C:\Documents and Settings\Administrator.BOO
2008-04-18 13:33 . 2008-04-18 13:33 d-------- C:\Program Files\e frontier
.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.

2008-04-26 00:58 --------- d-----w C:\Documents and Settings\Boo\Application Data\uTorrent
2008-04-25 14:04 --------- d-----w C:\Program Files\Common Files\DAZ
2008-04-21 18:54 --------- d-----w C:\Documents and Settings\Boo\Application Data\AVG7
2008-04-21 15:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-21 09:08 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2008-04-20 18:10 --------- d-----w C:\Program Files\Mozilla Thunderbird
2008-04-20 18:08 --------- d-----w C:\Program Files\Advanced System Optimizer
2008-04-20 15:08 --------- d-----w C:\Documents and Settings\Boo\Application Data\Poser 7
2008-04-20 09:16 --------- d-----w C:\Program Files\World of Warcraft
2008-03-16 17:05 --------- d-----w C:\Program Files\Java
2008-02-26 15:06 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-26 15:06 --------- d-----w C:\Program Files\Mattel
2007-02-14 16:02 189 ----a-w C:\Program Files\INSTALL.LOG
2007-02-04 21:24 476,752 ----a-w C:\Documents and Settings\All Users\Application Data\pswi_preloaded.exe
2007-10-06 20:45 88 --sh--r C:\WINDOWS\system32\3ACC9FF1C0.sys
2006-04-27 16:17 56 --sh--r C:\WINDOWS\system32\4AC073B96B.sys
2006-05-13 20:15 88 --sh--r C:\WINDOWS\system32\6BB973C04A.sys
2007-02-04 21:25 88 --sh--r C:\WINDOWS\system32\81D3610708.sys
2007-10-06 20:53 10,386 -csha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( snapshot@2008-04-22_18.53.21.28 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-22 22:38:37 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-04-26 16:34:51 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-03-09 15:29 7561216]
"nwiz"="nwiz.exe" [2006-03-09 15:29 1519616 C:\WINDOWS\system32\nwiz.exe]
"nForce Tray Options"="sstray.exe" [2003-09-02 21:25 73728 C:\WINDOWS\system32\sstray.exe]
"CHotkey"="zHotkey.exe" [2003-06-03 15:01 496640 C:\WINDOWS\zHotkey.exe]
"Sunkist2k"="C:\Program Files\Multimedia Card Reader\shwicon2k.exe" [2003-11-19 23:32 139264]
"type32"="C:\Program Files\Microsoft IntelliType Pro\type32.exe" [2003-05-15 19:45 114688]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\point32.exe" [2003-05-15 19:41 163840]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25 144784]
"SoundMan"="SOUNDMAN.EXE" [2004-02-26 04:53 65024 C:\WINDOWS\SOUNDMAN.EXE]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-04-17 02:10 579584]
"NvMediaCenter"="NvMCTray.dll" [2006-03-09 15:29 86016 C:\WINDOWS\system32\nvmctray.dll]
"C-Media Mixer"="Mixer.exe" [2002-10-15 19:00 1818624 C:\WINDOWS\mixer.exe]
"Lexmark 4200 Series"="C:\Program Files\Lexmark 4200 Series\lxbmbmgr.exe" [2004-01-16 06:04 57344]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 05:25 6731312]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-10-24 02:10 219136]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsNetHood"= 01000000

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Exif Launcher.lnk]
backup=C:\WINDOWS\pss\Exif Launcher.lnkCommon Startup
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Exif Launcher.lnk

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hpoddt01.exe.lnk]
backup=C:\WINDOWS\pss\hpoddt01.exe.lnkCommon Startup
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hpoddt01.exe.lnk

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^officejet 6100.lnk]
backup=C:\WINDOWS\pss\officejet 6100.lnkCommon Startup
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\officejet 6100.lnk

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BarbieGirlsTray]
--a------ 2007-03-14 22:59 24576 C:\Program Files\Mattel\Barbie Girls\Mattel.BarbieGirls.Tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Corel Photo Downloader]
--a------ 2007-08-16 12:00 531272 C:\Program Files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 03:56 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FaxCenterServer4_in_1]
--a------ 2004-01-22 10:59 151552 C:\Program Files\Lexmark 4200 Series\Fax\fm3032.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark 4200 Series]
--a------ 2004-01-16 06:04 57344 C:\Program Files\Lexmark 4200 Series\lxbmbmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
---hs---- 2004-10-13 12:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBJ]
--------- 2005-04-08 19:43 1953792 C:\Program Files\Ahead\Nero BackItUp\NBJ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 12:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
--a------ 2006-05-20 06:13 188416 C:\Program Files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-09-01 16:57 282624 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Regscan]
C:\WINDOWS\system32\regscan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\REGSHAVE]
-----c--- 2002-02-04 23:32 53248 C:\Program Files\REGSHAVE\REGSHAVE.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioAudioCentral]
--a------ 2003-07-15 16:38 319488 C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
--a--c--- 2004-01-09 20:01 868352 C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioEngineUtility]
--a--c--- 2003-05-01 22:44 65536 C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ulead Photo Express Calendar Checker]
C:\Program Files\Ulead Systems\Ulead Photo Express My Scrapbook 2.0\calcheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
-ra------ 2006-03-30 16:45 313472 C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-1.12.0-enUS-downloader.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\DiskTrix\\UltimateDefrag\\UDefrag.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-2.0.10.6448-to-2.0.12.6546-enUS-downloader.exe"=
"C:\\Program Files\\Ahead\\Nero ShowTime\\ShowTime.exe"=
"C:\\Program Files\\utorrent\\utorrent.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\Microsoft Games\\Zoo Tycoon 2\\zt.exe"=
"C:\\Program Files\\Common Files\\PocketSoft\\RTPatch\\AutoRTP\\artpschd.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"23443:TCP"= 23443:TCP:C:\\Program Files\\utorrent\\utorrent.exe
"40347:TCP"= 40347:TCP:PORT_40347
"35135:TCP"= 35135:TCP:PORT_35135
"32294:TCP"= 32294:TCP:PORT_32294
"25181:TCP"= 25181:TCP:PORT_25181
"38365:TCP"= 38365:TCP:PORT_38365
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

S1 njqzpir;njqzpir;C:\WINDOWS\njqzpir.sys []
S3 AKDWC20ET;Creation Station;C:\WINDOWS\system32\Drivers\csvid.sys [2007-05-18 19:20]
S3 FXDRV;FXDRV;E:\Fxdrv.sys []
S3 PavSRK.sys;PavSRK.sys;C:\WINDOWS\system32\PavSRK.sys []
S3 PRISM_USB;D-Link Air DWL-122 Wireless USB Adapter Driver;C:\WINDOWS\system32\DRIVERS\PRISMUSB.sys [2003-04-10 06:43]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ea2671c4-a984-11dc-a384-00016cd5895b}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL http://www.mgae.com/keylauncher/?code=3654333801431060

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ef15997a-908b-11da-b7d8-806d6172696f}]
\Shell\AutoRun\command - J:\Installer.exe

.
Contents of the 'Scheduled Tasks' folder
"2007-03-31 12:39:46 C:\WINDOWS\Tasks\Defrag Job #00.job"
- C:\Program Files\DiskTrix\UltimateDefrag\UDefrag.exe
"2007-04-02 06:51:34 C:\WINDOWS\Tasks\Defrag Job #01.job"
- C:\Program Files\DiskTrix\UltimateDefrag\UDefrag.exe
"2008-04-19 10:19:26 C:\WINDOWS\Tasks\Defrag Job #02.job"
- C:\Program Files\DiskTrix\UltimateDefrag\UDefrag.exe
"2007-02-13 23:25:03 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp officejet 6100 series#1163460007.job"
- C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe:-I
.

**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-26 12:35:31
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\Program Files\Common Files\DAZ\House of Mog Ruith : Interior_Uninstall.log 522 bytes hidden from API

scan completed successfully
hidden files: 1

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2008-04-26 12:50:59 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-26 16:50:38
ComboFix2.txt 2008-04-23 22:37:15
ComboFix3.txt 2008-04-22 22:53:51

Pre-Run: 42,286,608,384 bytes free
Post-Run: 42,517,524,480 bytes free

270