I am not sure why it would say it was run 5 times... I clicked it once... weird.
ComboFix 09-03-02.03 - Sylverkitti 2009-03-03 19:51:31.6 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1022.535 [GMT -6:00]
Running from: c:\documents and settings\Sylverkitti\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Sylverkitti\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
* Created a new restore point
FILE ::
c:\windows\system32\jesuk.sys
c:\windows\system32\mocugyk.sys
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_JESUKDRIVER
-------\Legacy_MOCUGYKDRIVER
-------\Service_JesukDriver
-------\Service_MocugykDriver
((((((((((((((((((((((((( Files Created from 2009-02-04 to 2009-03-04 )))))))))))))))))))))))))))))))
.
2009-03-03 18:07 . 2009-03-03 18:07 <DIR> d-------- C:\_OTMoveIt
2009-03-02 04:47 . 2009-03-02 04:47 <DIR> d-------- c:\program files\Java
2009-03-02 04:47 . 2009-03-02 04:47 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-03-02 02:55 . 2009-03-02 02:55 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2009-02-28 04:18 . 2009-02-28 04:18 <DIR> d-------- c:\program files\EwisoftWeb
2009-02-28 04:18 . 2009-02-28 04:18 <DIR> d-------- c:\documents and settings\All Users\Application Data\EwisoftWeb
2009-02-21 17:28 . 2009-02-21 17:28 <DIR> d-------- c:\program files\Memcorp
2009-02-20 13:50 . 2009-02-20 13:50 <DIR> d-------- c:\program files\Common Files\SWF Studio
2009-02-19 05:09 . 2009-02-19 05:14 <DIR> d-------- c:\program files\Folder Marker
2009-02-11 19:41 . 2009-02-11 19:41 <DIR> d-------- c:\documents and settings\Sylverkitti\Application Data\Yahoo!
2009-02-11 19:41 . 2009-02-12 23:54 <DIR> d-------- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2009-02-11 19:40 . 2009-02-11 19:41 <DIR> d-------- c:\program files\Yahoo!
2009-02-08 17:26 . 2009-02-08 17:26 <DIR> d-------- c:\program files\GrandmasterChess
2009-02-05 20:33 . 2009-02-05 20:33 <DIR> d--hs---- c:\documents and settings\Sylverkitti\IECompatCache
2009-02-05 20:31 . 2009-02-05 20:31 <DIR> d--hs---- c:\documents and settings\Sylverkitti\IETldCache
2009-02-05 18:19 . 2009-03-02 19:44 <DIR> d-------- c:\documents and settings\All Users\Application Data\Google Updater
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-04 01:54 --------- d-----w c:\documents and settings\Sylverkitti\Application Data\WTablet
2009-03-02 10:51 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-03-02 00:45 --------- d-----w c:\documents and settings\Sylverkitti\Application Data\FrostWire
2009-03-01 00:27 --------- d-----w c:\program files\Lx_cats
2009-02-25 22:44 325,128 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-02-25 22:44 107,272 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-02-25 22:44 --------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-02-19 11:39 --------- d-----w c:\program files\Bee Icons
2009-02-12 23:32 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-02-12 01:40 --------- d-----w c:\documents and settings\All Users\Application Data\Yahoo!
2009-02-11 16:46 --------- d-----w c:\program files\Google
2009-02-11 16:19 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-11 16:19 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-01-29 06:05 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-01-29 05:13 --------- d-----w c:\documents and settings\Sylverkitti\Application Data\RecoveryInfo
2009-01-24 02:33 --------- d-----w c:\program files\Common Files\xing shared
2009-01-24 02:33 --------- d-----w c:\program files\Common Files\Real
2009-01-24 02:32 --------- d-----w c:\program files\Real
2009-01-20 10:18 --------- d-----w c:\program files\iMoneysoft
2009-01-17 21:48 --------- d-----w c:\program files\Uconomix
2009-01-17 05:05 --------- d--h--w c:\program files\InstallShield Installation Information
2009-01-17 05:05 --------- d-----w c:\program files\Qwest
2009-01-17 05:04 --------- d-----w c:\documents and settings\Sylverkitti\Application Data\InstallShield
2009-01-16 18:35 --------- d-----w c:\program files\Curvy3D
2009-01-14 11:18 --------- d-----w c:\program files\Common Files\Adobe
2009-01-14 01:47 --------- d-----w c:\program files\PDFZilla
2009-01-10 17:20 --------- d-----w c:\program files\BFG
2009-01-10 10:48 --------- d-----w c:\program files\CoffeeCup Software
2009-01-07 01:53 --------- d-----w c:\program files\Edraw Max
2009-01-05 02:50 --------- d-----w c:\program files\MusicIP
2009-01-05 02:43 --------- d-----w c:\program files\MSXML 4.0
2009-01-05 02:43 --------- d-----w c:\program files\Citrix
2009-01-05 02:43 --------- d-----w c:\program files\AvailaSoft
2008-12-04 03:44 25,600 ----a-w c:\documents and settings\Sylverkitti\usbsermptxp.sys
2008-12-04 03:44 22,768 ----a-w c:\documents and settings\Sylverkitti\usbsermpt.sys
2007-11-30 12:01 4,890,632 ----a-w c:\program files\NapsterPlugin3205.exe
2007-11-27 08:45 32,279,040 ----a-w c:\program files\dell_support_center.msi
2007-05-25 04:23 56 --sh--r c:\windows\system32\F8D855B7D7.sys
2007-05-25 04:23 3,350 --sha-w c:\windows\system32\KGyGaAvL.sys
.
((((((((((((((((((((((((((((( SnapShot_2009-03-03_18.27.48.07 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-03-04 01:54:20 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_31c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"SkinClock"="c:\program files\Atomic Alarm Clock\AtomicAlarmClock.exe" [2008-09-11 1739264]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-05-24 1510640]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LXCGCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXCGtime.dll" [2005-07-20 73728]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-02-25 1601304]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-02 148888]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-24 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-04-19 12:41 294912 c:\program files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-02-25 16:44 10520 c:\windows\system32\avgrsstx.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ \0
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccleaner]
--a------ 2009-01-20 10:00 1451248 c:\program files\CCleaner\CCleaner.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
--a----t- 2008-10-24 22:25 133104 c:\documents and settings\Sylverkitti\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a------ 2005-06-10 10:44 249856 c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2005-06-10 10:44 81920 c:\program files\Common Files\InstallShield\UpdateService\issch.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes' Anti-Malware]
--a------ 2009-02-11 10:19 399504 c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2008-09-15 05:53 39408 c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2009-01-23 20:32 185896 c:\program files\Common Files\Real\Update_OB\realsched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2009-02-04 16:57 4363504 c:\progra~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"EA Core"=c:\program files\Electronic Arts\EADM\Core.exe -silent
"Yahoo! Pager"="c:\progra~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe"
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\FrostWire\\FrostWire.exe"=
"c:\\Program Files\\Qwest\\QuickConnect\\QuickConnect.exe"=
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-09-21 28544]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-06-02 325128]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-06-02 107272]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2008-02-29 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2008-02-29 55024]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-07-10 903960]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-07-10 298264]
R2 TabletServicePen;TabletServicePen;c:\windows\system32\Pen_Tablet.exe [2008-05-27 1373480]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2006-02-16 4096]
S2 DVDRIVER;DVdriver;c:\windows\system32\drivers\dvdriver.sys [2007-12-21 30296]
S2 gupdate1c987f0bc4cae14;Google Update Service (gupdate1c987f0bc4cae14);c:\program files\Google\Update\GoogleUpdate.exe [2009-02-05 133104]
S3 PortlUSB;PortlUSB;c:\windows\system32\drivers\YH-925.sys [2008-02-13 7552]
S3 rt2870;Linksys 802.11n USB Wireless LAN Card Driver;c:\windows\system32\DRIVERS\rt2870.sys --> c:\windows\system32\DRIVERS\rt2870.sys [?]
S3 SDTHOOK;SDTHOOK;c:\windows\system32\drivers\SDTHOOK.SYS [2008-01-12 44928]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{284b41dd-ccdc-11dd-9fb7-001320bc3e08}]
\Shell\AutoRun\command - E:\start.exe
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder
2009-03-04 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2008\OneClickStarter.exe []
2009-02-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe []
2009-03-04 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-02-05 18:19]
2009-03-04 c:\windows\Tasks\GoogleUpdateTaskMachine.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-05 18:20]
2009-03-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-692654395-3000326154-1624883120-1006.job
- c:\documents and settings\Sylverkitti\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-10-24 22:25]
2009-02-27 c:\windows\Tasks\Norton Security Scan.job
- c:\program files\Norton Security Scan\Nss.exe []
2009-03-04 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2003-08-13 17:38]
.
.
------- Supplementary Scan -------
.
uStart Page = https://www.ocwencustomers.com/home.cfm
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
TCP: {F1AC1131-1A94-4922-82BE-EC2D80A6CCA7} = 205.171.3.65,205.171.2.65
FF - ProfilePath - c:\documents and settings\Sylverkitti\Application Data\Mozilla\Firefox\Profiles\uzfbhp9e.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.GoodSearch.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p=
FF - plugin: c:\documents and settings\Sylverkitti\Local Settings\Application Data\Google\Update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1487.6512\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npyaxmpb.dll
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-03 19:54:38
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXCGCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXCGtime.dll,_RunDLLEntry@16?
?
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-692654395-3000326154-1624883120-1006\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID]
@Denied: (Full) (LocalSystem)
@SACL=
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(736)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\windows\system32\WTablet\Pen_TabletUser.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-03-03 19:58:52 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-04 01:58:49
ComboFix2.txt 2009-03-04 00:29:11
ComboFix3.txt 2009-01-25 07:20:56
Pre-Run: 131,702,693,888 bytes free
Post-Run: 131,687,944,192 bytes free
234 --- E O F --- 2009-02-25 03:01:05