ComboFix 08-07-22.4 - stibloms 2008-07-23 21:18:12.1 - NTFSx86
Running from: C:\Documents and Settings\stibloms\Skrivebord\ComboFix.exe
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Programdata\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Programdata\Microsoft\Network\Downloader\qmgr1.dat
C:\WINDOWS\cookies.ini
C:\WINDOWS\Downloaded Program Files\setup.inf
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\AutoRun.inf
C:\WINDOWS\system32\LRuxaGgh.ini
C:\WINDOWS\system32\LRuxaGgh.ini2
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mdm.exe
C:\WINDOWS\system32\vmlxegoh.dll
C:\WINDOWS\system32\vydmmtyw.dll
C:\WINDOWS\system32\wfioim.dll
C:\WINDOWS\system32\wytmmdyv.ini

----- BITS: Possible infected sites -----
.

((((((((((((((((((((((((( Files Created from 2008-06-23 to 2008-07-23 )))))))))))))))))))))))))))))))
.

2008-07-23 17:49 . 2008-07-23 17:49 d-------- C:\Programfiler\SUPERAntiSpyware
2008-07-23 17:49 . 2008-07-23 17:49 d-------- C:\Documents and Settings\stibloms\Programdata\SUPERAntiSpyware.com
2008-07-23 17:49 . 2008-07-23 17:49 d-------- C:\Documents and Settings\All Users\Programdata\SUPERAntiSpyware.com
2008-07-23 17:48 . 2008-07-23 17:48 d-------- C:\Programfiler\Fellesfiler\Wise Installation Wizard
2008-07-21 20:55 . 2008-07-21 20:55 d-------- C:\Programfiler\Avira
2008-07-21 20:55 . 2008-07-21 20:55 d-------- C:\Documents and Settings\All Users\Programdata\Avira
2008-07-21 19:16 . 2008-07-22 20:23 44,122 ---hs---- C:\WINDOWS\system32\dgvtrsrw.ini
2008-07-21 19:13 . 2008-07-23 20:24 110,415 --a------ C:\WINDOWS\BMb389ad53.xml
2008-07-20 23:56 . 2008-07-21 19:14 414 --a------ C:\WINDOWS\system32\fixwxosa.ini
2008-07-06 23:41 . 2008-07-06 23:41 354 --a------ C:\WINDOWS\system32\ttvcgtcc.ini
2008-07-01 10:33 . 2005-07-01 10:37 d-------- C:\Documents and Settings\stibloms\Programdata\Dealio
2008-07-01 10:28 . 1998-06-17 01:00 516,173 --a------ C:\WINDOWS\system32\MSVCP60D.DLL
2008-07-01 10:28 . 1998-06-24 02:00 164,144 --a------ C:\WINDOWS\system32\COMCT232.OCX
2008-07-01 10:27 . 2008-07-01 10:28 d-------- C:\Programfiler\Free Audio Pack

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-23 19:17 --------- d-----w C:\Programfiler\Fellesfiler\Symantec Shared
2008-07-23 18:55 --------- d-----w C:\Documents and Settings\stibloms\Programdata\ZoomBrowser EX
2008-07-23 18:12 --------- d-----w C:\Documents and Settings\All Users\Programdata\ZoomBrowser
2008-07-21 22:09 --------- d--h--w C:\Programfiler\InstallShield Installation Information
2008-07-21 22:07 --------- d-----w C:\Programfiler\Gamenext
2008-07-15 17:22 --------- d---a-w C:\Documents and Settings\All Users\Programdata\TEMP
2008-06-12 19:40 --------- d-----w C:\Programfiler\Macromedia

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Programfiler\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-12 14:44 68856]
"updateMgr"="C:\Programfiler\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2005-10-24 15:53 307200]
"SUPERAntiSpyware"="C:\Programfiler\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-05-28 10:33 1506544]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="C:\Programfiler\Synaptics\SynTP\SynTPLpr.exe" [2003-11-19 18:56 110592]
"SynTPEnh"="C:\Programfiler\Synaptics\SynTP\SynTPEnh.exe" [2003-11-19 18:56 512000]
"TPKMAPHELPER"="C:\Programfiler\ThinkPad\Utilities\TpKmapAp.exe" [2003-10-24 08:39 897024]
"TPHOTKEY"="C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe" [2004-03-10 19:10 94208]
"BMMLREF"="C:\Programfiler\ThinkPad\Utilities\BMMLREF.EXE" [2003-12-25 10:36 20480]
"BMMMONWND"="C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll" [2003-12-25 10:36 393728]
"EZEJMNAP"="C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2003-12-25 11:04 208896]
"ATIPTA"="C:\Programfiler\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-05-25 22:00 344064]
"IBMPRC"="C:\IBMTOOLS\UTILS\ibmprc.exe" [2004-03-19 21:12 90112]
"BMMGAG"="C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll" [2003-12-25 10:36 106496]
"ProxyHostTrayIcon"="C:\Programfiler\Funk Software\Proxy Host\phtray.exe" [2004-02-08 17:32 230544]
"D211STRT.EXE"="C:\Programfiler\Nokia\Nokia D211\D211STRT.EXE" [2002-08-28 13:27 24576]
"PCSuiteTrayApplication"="C:\Programfiler\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2005-03-22 10:39 167936]
"DataLayer"="C:\Programfiler\Fellesfiler\PCSuite\DataLayer\DataLayer.exe" [2005-03-31 10:30 1106944]
"ACTray"="C:\Programfiler\ThinkPad\ConnectUtilities\ACTray.exe" [2006-01-31 23:19 409600]
"ACWLIcon"="C:\Programfiler\ThinkPad\ConnectUtilities\ACWLIcon.exe" [2006-01-31 23:12 98304]
"Share-to-Web Namespace Daemon"="C:\Programfiler\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2001-07-03 09:11 57344]
"ccApp"="C:\Programfiler\Fellesfiler\Symantec Shared\ccApp.exe" [2005-10-04 13:42 48752]
"vptray"="C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe" [2005-11-15 14:28 85744]
"Connect Update Agent"="C:\Programfiler\Telenor\Mobilt Kontor\AutoUpdateSrv.exe" [2006-03-30 17:19 462848]
"HP Software Update"="C:\Programfiler\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2007-03-11 22:34 49152]
"au"="C:\Programfiler\Dealio\DealioAU.exe" [2008-05-26 19:50 595296]
"SearchSettings"="C:\Programfiler\Search Settings\SearchSettings.exe" [2008-06-12 16:57 991584]
"avgnt"="C:\Programfiler\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-02-12 10:06 262401]
"BluetoothAuthenticationAgent"="irprops.cpl" [2004-08-04 02:03 380416 C:\WINDOWS\system32\irprops.cpl]
"TpShocks"="TpShocks.exe" [2005-11-07 12:14 106496 C:\WINDOWS\system32\TpShocks.exe]
"TP4EX"="tp4ex.exe" [2002-09-04 10:05 53248 C:\WINDOWS\system32\TP4EX.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 02:03 15360]

C:\Documents and Settings\All Users\Start-meny\Programmer\Oppstart\
HP Digital Imaging Monitor.lnk - C:\Programfiler\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe [2007-03-11 22:26:24 210520]
hp psc 1000 series.lnk - C:\Programfiler\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe [2003-04-09 18:21:38 147456]
hpoddt01.exe.lnk - C:\Programfiler\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-04-09 18:11:12 28672]
Hurtigstart for Adobe Reader.lnk - C:\Programfiler\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26 29696]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLogonScripts"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDesktopCleanupWizard"= 1 (0x1)
"NoThumbnailCache"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\disallowrun]
"1"= gpedit.msc
"2"= gpmc.msc
"3"= poledit.exe
"4"= secpol.msc
"5"= sysdm.cpl

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Programfiler\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-04-19 13:41 294912 C:\Programfiler\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ACNotify]
2006-01-31 23:13 32768 C:\Programfiler\ThinkPad\ConnectUtilities\ACNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\APS\\Tools\\LAN-Monitor\\APS59monitor.exe"=
"C:\\Programfiler\\MSN Messenger\\msnmsgr.exe"=
"C:\\Programfiler\\MSN Messenger\\livecall.exe"=
"C:\\Programfiler\\BitLord\\BitLord.exe"=
"C:\\wamp\\bin\\apache\\apache2.2.8\\bin\\httpd.exe"=

R0 D211MC;Nokia D211 Management;C:\WINDOWS\system32\drivers\D211MC.sys [2002-08-28 13:21]
R0 Shockprf;Shockprf;C:\WINDOWS\system32\drivers\Shockprf.sys [2005-11-30 16:58]
R1 ANC;ANC;C:\WINDOWS\system32\drivers\ANC.SYS [2005-11-08 10:27]
R1 IBMTPCHK;IBMTPCHK;C:\WINDOWS\system32\Drivers\IBMBLDID.sys [2006-01-13 01:33]
R1 oxmf;OXPCI Bus enumerator;C:\WINDOWS\system32\DRIVERS\oxmf.sys [2004-03-23 17:02]
R1 oxser;OX16C95x Serial port driver;C:\WINDOWS\system32\DRIVERS\oxser.sys [2004-03-23 17:02]
R1 ShockMgr;ShockMgr;C:\WINDOWS\system32\drivers\ShockMgr.sys [2005-06-20 13:18]
R1 TPPWR;TPPWR;C:\WINDOWS\system32\drivers\Tppwr.sys [2003-12-25 10:36]
R2 D211CTL;Nokia D211;C:\Programfiler\Nokia\Nokia D211\D211CTL.exe [2002-08-28 13:23]
R2 ibmfilter;ibmfilter;C:\WINDOWS\System32\drivers\ibmfilter.sys [2004-03-19 21:05]
R3 Oxmfuf;Filter driver for OX16PCI954 ports;C:\WINDOWS\system32\DRIVERS\oxmfuf.sys [2004-03-23 17:02]
S3 AM5211;11b/g Wireless LAN Mini PCI Adapter Service;C:\WINDOWS\system32\DRIVERS\am5211.sys []
S3 D211MDM;Nokia D211 GSM Modem Driver;C:\WINDOWS\system32\DRIVERS\D211MDM.sys [2002-08-28 13:22]
S3 D211NIC;Nokia D211 radio card;C:\WINDOWS\system32\DRIVERS\D211NIC.sys [2002-08-28 13:21]
S3 GTF32BUS;GT F32 BUS;C:\WINDOWS\system32\DRIVERS\gtf32bus.sys [2005-09-01 18:54]
S3 GTPTSER;GT PT SER;C:\WINDOWS\system32\DRIVERS\gtptser.sys [2005-09-01 18:54]
S3 GTSCSER;GT SC SER;C:\WINDOWS\system32\DRIVERS\gtscser.sys [2005-08-29 16:45]
S3 IPSECSHM;Nortel IPSECSHM Adapter;C:\WINDOWS\system32\DRIVERS\ipsecw2k.sys []
S3 wampapache;wampapache;c:\wamp\bin\apache\apache2.2.8\bin\httpd.exe [2008-01-18 01:37]
S3 wampmysqld;wampmysqld;c:\wamp\bin\mysql\mysql5.0.51b\bin\mysqld-nt.exe wampmysqld []

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

.
Contents of the 'Scheduled Tasks' folder
"2008-02-18 19:58:51 C:\WINDOWS\Tasks\BMMTask.job" - C:\PROGRA~1\ThinkPad\UTILIT~1\BMMTASK.EXE
"2007-01-07 16:38:20 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1129390372.job" - C:\Programfiler\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe4-I
"2008-07-21 19:56:10 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1167166550.job" - C:\Programfiler\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe4-I
"2006-02-10 12:00:25 C:\WINDOWS\Tasks\Symantec NetDetect.job" - C:\Programfiler\Symantec\LiveUpdate\NDETECT.EXE
.
- - - - ORPHANS REMOVED - - - -

URLSearchHooks-{E312764E-7706-43F1-8DAB-FCDD2B1E416D} - (no file)
BHO-{31C70563-2338-4A46-9416-FF9C3C92E8E0} - C:\WINDOWS\system32\hgGaxuRL.dll
BHO-{623c73bd-5e36-4dee-a47c-a3ff7c7f13ab} - C:\WINDOWS\system32\ftvltb.dll
HKCU-Run-ibmmessages - C:\Programfiler\IBM\Messages By IBM\ibmmessages.exe
HKCU-Run-IBM RecordNow! - (no file)
HKLM-Run-b0ba9ecf - C:\WINDOWS\system32\vydmmtyw.dll
HKLM-Run-BMb389ad53 - C:\WINDOWS\system32\vmlxegoh.dll
Notify-byXRhICs - byXRhICs.dll

.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Search Page = hxxp://www.google.com
R0 -: HKCU-Main,Start Page = hxxp://norwegian.toggle.com/index.php?rvs=hompag
R0 -: HKCU-Main,Search Bar = hxxp://www.google.com/ie
R0 -: HKLM-Main,Default_Search_URL = hxxp://www.google.com/ie
R0 -: HKCU-Search,SearchAssistant = hxxp://www.google.com/ie
R1 -: HKCU-SearchURL,(Default) = hxxp://www.google.com/search?q=%s
R0 -: HKLM-Search,SearchAssistant = hxxp://www.google.com/ie
O8 -: Compare Prices with &Dealio - C:\Documents and Settings\stibloms\Programdata\Dealio\kb127\res\DealioSearch.html
O16 -: {DEB21AD3-FDA4-42F6-B57D-EE696A675EE8} - hxxp://asp09.photoprintit.de/microsite/5026/defaults/activex/ImageUploader3.cab
C:\WINDOWS\Downloaded Program Files\ImageUploader_3.inf
C:\WINDOWS\Downloaded Program Files\ImageUploader_3.ocx

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-23 21:33:45
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\Programfiler\ThinkPad\ConnectUtilities\AcSvcStub.dll
-> C:\Programfiler\ThinkPad\ConnectUtilities\AcLocSettings.dll
-> C:\Programfiler\ThinkPad\ConnectUtilities\ACHelper.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Programfiler\Fellesfiler\Symantec Shared\ccProxy.exe
C:\Programfiler\Fellesfiler\Symantec Shared\ccSetMgr.exe
C:\Programfiler\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
C:\Programfiler\Fellesfiler\Symantec Shared\SNDSrvc.exe
C:\Programfiler\Fellesfiler\Symantec Shared\ccEvtMgr.exe
C:\Programfiler\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Programfiler\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\Programfiler\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Programfiler\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
C:\Programfiler\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
C:\Programfiler\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
C:\Programfiler\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
C:\Programfiler\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
C:\WINDOWS\system32\TPHDEXLG.exe
C:\WINDOWS\system32\TpKmpSvc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Programfiler\Funk Software\Proxy Host\Ph32Svc.exe
C:\Programfiler\ThinkPad\ConnectUtilities\AcSvc.exe
C:\Programfiler\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\acs.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programfiler\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Programfiler\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\FELLES~1\PCSuite\Services\SERVIC~1.EXE
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\Programfiler\Hewlett-Packard\Digital Imaging\bin\hpqste08.exe
.
**************************************************************************
.
Completion time: 2008-07-23 21:41:37 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-23 19:41:23

Pre-Run: 2,214,510,592 byte ledig
Post-Run: 2,372,419,584 byte ledig