ComboFix 08-05-12.1 - Joel Blom 2008-05-13 15:04:41.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.484 [GMT -4:00]
Running from: C:\Documents and Settings\Joel Blom\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Joel Blom\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\Joel Blom\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNSD.XML
C:\Documents and Settings\MCX1\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNSD.XML
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\pqstv.bak1
C:\WINDOWS\system32\pqstv.ini
C:\WINDOWS\system32\pqstv.ini2
C:\WINDOWS\system32\pqstv.tmp
C:\WINDOWS\system32\qpqss.bak1
C:\WINDOWS\system32\qpqss.tmp
.
((((((((((((((((((((((((( Files Created from 2008-04-13 to 2008-05-13 )))))))))))))))))))))))))))))))
.
2008-05-09 17:18 . 2008-05-09 17:18 <DIR> d-------- C:\Program Files\Sun
2008-05-09 15:58 . 2008-05-09 15:58 <DIR> d-------- C:\Deckard
2008-05-09 15:41 . 2008-05-09 15:41 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-09 15:41 . 2008-05-09 15:41 <DIR> d-------- C:\Documents and Settings\Joel Blom\Application Data\Malwarebytes
2008-05-09 15:41 . 2008-05-09 15:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-09 15:41 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-05-09 15:41 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-05-06 19:31 . 2008-05-06 19:31 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-06 14:24 . 2008-05-06 14:23 691,545 --a------ C:\WINDOWS\unins000.exe
2008-05-06 14:24 . 2008-05-06 14:24 2,545 --a------ C:\WINDOWS\unins000.dat
2008-05-06 14:06 . 2008-05-13 15:03 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-05-06 14:06 . 2008-05-06 14:06 <DIR> d-------- C:\Program Files\Common Files\PC Tools
2008-05-06 14:06 . 2008-05-06 14:06 <DIR> d-------- C:\Documents and Settings\Joel Blom\Application Data\PC Tools
2008-05-06 14:06 . 2008-05-06 14:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PC Tools
2008-05-06 14:06 . 2008-04-10 15:14 159,880 --a------ C:\WINDOWS\system32\drivers\pctfw2.sys
2008-05-06 14:06 . 2007-12-10 13:53 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-05-06 14:06 . 2007-12-10 13:53 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-05-06 14:06 . 2008-02-01 11:55 42,376 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-05-06 14:06 . 2007-12-10 13:53 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-05-06 12:33 . 2008-05-06 12:33 <DIR> d-------- C:\Program Files\AVG
2008-05-06 08:35 . 2008-05-06 08:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-05-06 08:35 . 2008-05-06 08:35 45,568 --a------ C:\WINDOWS\system32\avgfwdx.dll
2008-05-06 08:35 . 2008-05-06 08:35 22,528 --a------ C:\WINDOWS\system32\drivers\avgfwdx.sys
2008-05-05 10:28 . 2008-05-11 20:20 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-05-05 10:28 . 2008-05-05 10:28 1,409 --a------ C:\WINDOWS\QTFont.for
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-13 19:03 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-12 23:59 --------- d-----w C:\Program Files\Transcode360
2008-05-12 00:05 9,708 ----a-w C:\Documents and Settings\Joel Blom\Application Data\wklnhst.dat
2008-05-11 16:33 --------- d-----w C:\Program Files\LimeWire
2008-05-11 13:27 --------- d-----w C:\Documents and Settings\Joel Blom\Application Data\Azureus
2008-05-09 21:44 --------- d-----w C:\Program Files\Google
2008-05-09 21:17 --------- d-----w C:\Program Files\Java
2008-05-06 19:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-06 18:30 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-05-06 17:57 --------- d-----w C:\Program Files\Microsoft SQL Server
2008-05-06 11:40 --------- d-----w C:\Program Files\SUPERAntiSpyware
2008-05-05 20:46 --------- d-----w C:\Program Files\Lx_cats
2008-05-05 20:46 --------- d-----w C:\Program Files\Dl_cats
2008-04-19 19:47 --------- d-----w C:\Program Files\World of Warcraft
2008-04-17 22:05 --------- d-----w C:\Program Files\Azureus
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-19 09:47 1,845,248 ------w C:\WINDOWS\system32\dllcache\win32k.sys
2008-03-15 00:50 --------- d-----w C:\Program Files\Ventrilo
2008-03-15 00:49 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-03-01 22:36 3,591,680 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2008-02-29 08:55 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2008-02-29 08:55 625,664 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
2008-02-22 10:00 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 06:51 282,624 ------w C:\WINDOWS\system32\dllcache\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-20 05:32 45,568 ------w C:\WINDOWS\system32\dllcache\dnsrslvr.dll
2008-02-20 05:32 148,992 ------w C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-02-15 05:44 161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll
2007-05-02 19:24 85,448 ----a-w C:\Documents and Settings\Joel Blom\Application Data\GDIPFONTCACHEV1.DAT
2008-02-01 23:31 88 --sh--r C:\WINDOWS\system32\EC23C2A86A.sys
2008-02-01 23:32 3,350 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="C:\Program Files\Dell Support\DSAgnt.exe" [2006-07-16 22:29 389120]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-11-16 20:04 139264]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 06:00 15360]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 12:34 5724184]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-05-06 07:40 1481968]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 21:05 204288]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-09-29 15:01 67584]
"DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 04:12 94208]
"SigmatelSysTrayApp"="stsystra.exe" [2006-08-15 11:00 282624 C:\WINDOWS\stsystra.exe]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 18:41 45056]
"ISUSPM Startup"="c:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 11:44 249856]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 11:44 81920]
"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [2005-09-08 06:20 122940]
"DLCGCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCGtime.dll" [2005-09-08 14:56 73728]
"dlcgmon.exe"="C:\Program Files\Dell AIO 810\dlcgmon.exe" [2005-10-21 11:42 425984]
"Transcode360"="C:\Program Files\Transcode360\Transcode360Tray.exe" [2006-05-02 13:01 192512]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-12-25 20:25 155648]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 16:40 155648]
"MSKDetectorExe"="C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" [2006-11-07 15:49 1121280]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 18:30 517768]
"LXCFCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll" [2005-07-20 13:47 73728]
"CanonSolutionMenu"="C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe" [2007-05-14 21:01 644696]
"CanonMyPrinter"="C:\Program Files\Canon\MyPrinter\BJMyPrt.exe" [2007-04-03 21:50 1603152]
"SMSTray"="C:\Program Files\Samsung\Samsung Media Studio 5\SMSTray.exe" [2007-02-23 17:32 126976]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [ ]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26 29696]
Extender Resource Monitor.lnk - C:\WINDOWS\ehome\RMSysTry.exe [2005-10-20 19:55:40 18432]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04 83360]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{88485281-8b4b-4f8d-9ede-82e29a064277}"= C:\PROGRA~1\MarkAny\CONTEN~1\MACSMA~1.DLL [2004-11-23 17:51 192512]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL 2007-05-01 19:31 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\VentSrv\\ventrilo_srv.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\WINDOWS\\system32\\rundll32.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\MSN Messenger\\msrr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Transcode360\\Transcode360Tray.exe"=
"C:\\Program Files\\Azureus\\Azureus.exe"=
"C:\\WINDOWS\\system32\\muzapp.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3776:UDP"= 3776:UDP:Media Center Extender Service
"3390:TCP"= 3390:TCP:Remote Media Center Experience
"3724:TCP"= 3724:TCP:Blizzard Downloader
"6112:TCP"= 6112:TCP:Blizzard Downloader
"16889:TCP"= 16889:TCP:Bittorrent
"16890:TCP"= 16890:TCP:Azureus
"16890:UDP"= 16890:UDP:Azureus
R1 pctfw2;pctfw2;C:\WINDOWS\system32\drivers\pctfw2.sys [2008-04-10 15:14]
R2 RMSvc;Media Center Extender Resource Monitor;C:\WINDOWS\ehome\RMSvc.exe [2005-10-20 19:55]
R3 Avgfwdx;Avgfwdx;C:\WINDOWS\system32\DRIVERS\avgfwdx.sys [2008-05-06 08:35]
S3 Avgfwfd;AVG network filter service;C:\WINDOWS\system32\DRIVERS\avgfwdx.sys [2008-05-06 08:35]
S3 QWAVE;QWAVE service;C:\WINDOWS\system32\svchost.exe [2004-08-10 06:00]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
QWAVE REG_MULTI_SZ QWAVE
*Newly Created Service* - CATCHME
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-13 15:07:19
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLCGCATS = rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCGtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
LXCFCATS = rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-05-13 15:08:38
ComboFix-quarantined-files.txt 2008-05-13 19:08:23
Pre-Run: 126,090,149,888 bytes free
Post-Run: 126,058,831,872 bytes free
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
186 --- E O F --- 2008-05-13 07:01:12