ComboFix 08-08-19.02 - ' 2008-08-20 20:15:19.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1044.18.299 [GMT 2:00]
Running from: C:\Documents and Settings\'\Skrivebord\ComboFix.exe
 * Created a new restore point
 * Resident AV is active

[color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b][/color]
.
[i] ADS - svchost.exe: deleted 68 bytes in 1 streams. [/i]

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\'\Programdata\inst.exe
C:\WINDOWS\system32\__c00143D5.dat
C:\WINDOWS\system32\__c0025EB6.dat
C:\WINDOWS\system32\__c004D0F.exe
C:\WINDOWS\system32\__c009EE91.dat
C:\WINDOWS\system32\__c00C0122.dat
C:\WINDOWS\system32\~.exe

.
((((((((((((((((((((((((( Files Created from 2008-07-20 to 2008-08-20 )))))))))))))))))))))))))))))))
.

2008-08-20 18:42 . 2008-08-20 18:42 d-------- C:\Programfiler\SUPERAntiSpyware
2008-08-20 18:42 . 2008-08-20 18:42 d-------- C:\Programfiler\Fellesfiler\Wise Installation Wizard
2008-08-20 18:42 . 2008-08-20 18:42 d-------- C:\Documents and Settings\'\Programdata\SUPERAntiSpyware.com
2008-08-20 18:42 . 2008-08-20 18:42 d-------- C:\Documents and Settings\All Users\Programdata\SUPERAntiSpyware.com
2008-08-19 18:48 . 2008-08-19 18:48 d-------- C:\WINDOWS\McAfee.com
2008-08-19 16:04 . 2008-08-20 19:36 d--hs---- C:\Documents and Settings\'\Siste
2008-08-12 20:40 . 2008-08-20 20:13 d-------- C:\Documents and Settings\'\Skrivebord
2008-07-21 22:12 . 2008-08-10 02:45 d-------- C:\WINDOWS\system32\CatRoot_bak

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-20 16:47 --------- d-----w C:\Documents and Settings\'\Programdata\uTorrent
2008-08-20 16:39 --------- d-----w C:\Programfiler\DC++
2008-08-19 20:29 --------- d-----w C:\Documents and Settings\All Users\Programdata\Spybot - Search & Destroy
2008-08-19 18:09 --------- d-----w C:\Programfiler\Java
2008-08-19 17:57 --------- d-----w C:\Programfiler\ESET
2008-08-19 15:45 --------- d-----w C:\Documents and Settings\'\Programdata\OpenOffice.org2
2008-08-18 08:21 --------- d-----w C:\Documents and Settings\'\Programdata\dvdcss
2008-08-14 17:40 --------- d-----w C:\Programfiler\Spybot - Search & Destroy
2008-08-12 09:35 --------- d--h--w C:\Programfiler\InstallShield Installation Information
2008-08-11 02:40 --------- d-----w C:\Programfiler\eMule
2008-07-10 10:04 --------- d-----w C:\Programfiler\Steam
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2007-12-28 13:58 47,360 ----a-w C:\Documents and Settings\'\Programdata\pcouffin.sys
2007-02-22 16:51 81,920 ----a-w C:\Documents and Settings\'\Programdata\ezpinst.exe
.

------- Sigcheck -------

2007-06-13 15:24 3195904 6bf38cb195b260dff81a1ba41510a05b C:\WINDOWS\explorer.exe
2007-06-13 15:12 1033216 1a8e8cace017e1b143de91e11987ed39 C:\WINDOWS\$hf_mig$\KB938828\SP2QFE\explorer.exe
2004-08-04 22:00 3194880 462b7771cfe9b3ed979263bd66c9d626 C:\WINDOWS\$NtUninstallKB938828$\explorer.exe
2008-04-14 18:22 1033728 8059c34b6f4758f678e975665eadfd87 C:\WINDOWS\SoftwareDistribution\Download\6b87f018d0fb69e9c5ccb760afc4cb7b\explorer.exe
2007-06-13 15:24 3195904 6bf38cb195b260dff81a1ba41510a05b C:\WINDOWS\system32\dllcache\explorer.exe

2008-04-14 18:23 111616 c0b59be000b7cedbf84a88f958e492db C:\WINDOWS\SoftwareDistribution\Download\6b87f018d0fb69e9c5ccb760afc4cb7b\wuauclt.exe
2007-07-30 19:19 71000 c8d27565f1835b5c4848183572e375ab C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19 71000 c8d27565f1835b5c4848183572e375ab C:\WINDOWS\system32\dllcache\wuauclt.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="C:\Programfiler\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-05-28 10:33 1506544]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LaunchApp"="Alaunch" [X]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 02:41 8523776]
"nod32kui"="C:\Programfiler\Eset\nod32kui.exe" [2007-03-08 16:51 949376]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-07 18:07 61952 C:\WINDOWS\system32\HdAShCut.exe]
"RTHDCPL"="RTHDCPL.EXE" [2005-09-22 00:36 14854144 C:\WINDOWS\RTHDCPL.exe]
"nwiz"="nwiz.exe" [2007-12-05 02:41 1626112 C:\WINDOWS\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 22:00 15360]

C:\Documents and Settings\GuitarMan\Start-meny\Programmer\Oppstart\
RocketDock.lnk - C:\WINDOWS\BricoPacks\Crystal Clear\RocketDock\RocketDock.exe [2006-05-14 22:47:48 344064]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Programfiler\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="C:\\WINDOWS\\system32\\logonuiX.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-04-19 13:41 294912 C:\Programfiler\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Programfiler\\DC++\\DCPlusPlus.exe"=
"C:\\Programfiler\\Last.fm\\LastFM.exe"=
"C:\\Programfiler\\Steam\\steamapps\\ivar91\\counter-strike\\hl.exe"=
"C:\\Programfiler\\Steam\\steamapps\\ivar91\\day of defeat\\hl.exe"=
"C:\\Programfiler\\Steam\\steamapps\\ivar91\\condition zero\\hl.exe"=
"C:\\Programfiler\\Steam\\steamapps\\ivar91\\counter-strike source\\hl2.exe"=
"C:\\Programfiler\\Steam\\steamapps\\ivar91\\half-life 2 deathmatch\\hl2.exe"=
"C:\\Programfiler\\Steam\\steamapps\\ivar91\\day of defeat source\\hl2.exe"=
"C:\\Programfiler\\Mozilla Firefox\\firefox.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Programfiler\\MSN Messenger\\msnmsgr.exe"=
"C:\\Programfiler\\MSN Messenger\\livecall.exe"=
"C:\\Programfiler\\VideoLAN\\VLC\\vlc.exe"=
"C:\\Programfiler\\eMule\\emule.exe"=
"C:\\Programfiler\\Steam\\steam.exe"=
"C:\\Programfiler\\Fellesfiler\\AOL\\Loader\\aolload.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
":UDP"= ':UDP:AdminWorks UDP Port
":TCP"= '':TCP:AdminWorks TCP Port

R1 oreans32;oreans32;C:\WINDOWS\system32\drivers\oreans32.sys [2007-03-08 16:38]
R1 OsaFsLoc;OsaFsLoc;C:\WINDOWS\system32\drivers\OsaFsLoc.sys [2005-10-15 18:21]
R2 int15.sys;int15.sys;C:\Acer\Empowering Technology\eRecovery\int15.sys [2005-01-13 14:46]
R2 osaio;osaio;C:\WINDOWS\system32\drivers\osaio.sys [2005-06-30 16:58]
R2 osanbm;osanbm;C:\WINDOWS\system32\drivers\osanbm.sys [2005-03-31 12:32]
S3 Acer ODDSpeedControl;Acer ODDSpeedControl;C:\Acer\Empowering Technology\eAcoustics\Driver\speedcontrol.exe [2005-02-15 09:02]
S3 NdisFilt;OSA NdisFilter Protocol;C:\WINDOWS\system32\Drivers\NdisFilt.sys [2005-09-13 15:33]
S3 PortRW;PortRW;C:\WINDOWS\system32\Drivers\PortRW.sys [2003-08-15 15:57]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - G:\Setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\I]
\Shell\AutoRun\command - I:\autorun.exe

*Newly Created Service* - INT15.SYS
.
- - - - ORPHANS REMOVED - - - -

Notify-__c00143D5 - C:\WINDOWS\system32\__c00143D5.dat

.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\'\Programdata\Mozilla\Firefox\Profiles\8244p0lf.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.vg.no/
FF -: plugin - C:\Programfiler\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
FF -: plugin - C:\Programfiler\Mozilla Firefox\plugins\npagent.dll
.
.
------- File Associations (Beta) -------
.
JSEFile=NOTEPAD.EXE %1
VBEFile=NOTEPAD.EXE %1
VBSFile=NOTEPAD.EXE %1
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-20 20:20:26
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe
-> C:\WINDOWS\BricoPacks\Crystal Clear\RocketDock\MouseHook2.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\WudfHost.exe
C:\WINDOWS\ATKKBService.exe
C:\Acer\Empowering Technology\awServ.exe
C:\Programfiler\Fellesfiler\LightScribe\LSSrvc.exe
C:\Programfiler\ESET\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\oodag.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Acer\Empowering Technology\eRecovery\Monitor.exe
.
**************************************************************************
.
Completion time: 2008-08-20 20:25:47 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-20 18:25:35

Pre-Run: 16,800,591,872 byte ledig
Post-Run: 16,874,369,024 byte ledig

169 --- E O F --- 2008-07-21 20:30:27