ComboFix 08-08-21.02 - Administrator 2008-08-22 15:22:09.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1044.18.447 [GMT 2:00]
Running from: C:\Documents and Settings\Administrator\Skrivebord\ComboFix.exe
 * Created a new restore point
[color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b][/color]
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\x64
C:\xcrashdump.dat
D:\Autorun.inf
D:\RECYCLER\Desktop.ini
D:\RECYCLER\Folder.htt
D:\RECYCLER\Protect.ed
D:\RECYCLER\Warning.bmp

.
((((((((((((((((((((((((( Files Created from 2008-07-22 to 2008-08-22 )))))))))))))))))))))))))))))))
.

2008-08-22 15:03 . 2008-08-22 15:03              dr-h-----  C:\Documents and Settings\Administrator\Siste
2008-08-22 14:54 . 2008-08-22 14:54              d--------  C:\Programfiler\CCleaner
2008-08-22 09:38 . 2008-08-22 09:57              d--------  C:\WINDOWS\system32\CatRoot_bak
2008-08-19 11:09 . 2008-08-22 15:26    118,784   --a------  C:\WINDOWS\system32\chg.exe
2008-08-18 11:30 . 2008-08-18 11:31              d--------  C:\Programfiler\RogueRemover FREE
2008-08-13 09:22 . 2008-05-01 16:34    331,776   ---------  C:\WINDOWS\system32\dllcache\msadce.dll
2008-08-12 12:50 . 2008-08-12 12:50              d--------  C:\Documents and Settings\All Users\Programdata\SUPERAntiSpyware.com
2008-08-12 12:49 . 2008-08-12 12:49              d--------  C:\Programfiler\SUPERAntiSpyware
2008-08-12 12:49 . 2008-08-12 12:49              d--------  C:\Documents and Settings\Administrator\Programdata\SUPERAntiSpyware.com
2008-08-12 12:48 . 2008-08-12 12:48              d--------  C:\Programfiler\Fellesfiler\Wise Installation Wizard

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.

2008-07-18 17:08      36,368  ----a-w  C:\WINDOWS\system32\drivers\tmpreflt.sys
2008-07-18 17:08     205,328  ----a-w  C:\WINDOWS\system32\drivers\tmxpflt.sys
2008-07-18 16:51   1,195,448  ----a-w  C:\WINDOWS\system32\drivers\VsapiNT.sys

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Programfiler\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-10-02 13:44 68856]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-03-02 04:00 15360]
"OE"="C:\Programfiler\Trend Micro\Internet Security 2007\TMAS_OE\TMAS_OEMon.exe" [2006-09-27 00:04 315392]
"MSMSGS"="C:\Programfiler\Messenger\msmsgs.exe" [2004-10-13 18:24 1694208]
"SUPERAntiSpyware"="C:\Programfiler\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-05-28 10:33 1506544]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2006-07-21 12:48 98304]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2006-07-21 12:50 86016]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2006-07-21 12:47 81920]
"PTHOSTTR"="C:\Programfiler\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.EXE" [2006-06-08 14:02 131072]
"atchk"="C:\Programfiler\Intel\AMT\atchk.exe" [2007-01-10 06:21 404288]
"PDF Complete"="C:\Programfiler\PDF Complete\pdfsty.exe" [2007-04-13 09:44 331552]
"SDMSSplash"="C:\Programfiler\HP_SDMS\SDMSSplash\launcher.exe" [2006-03-10 00:53 86016]
"SetRefresh"="C:\Programfiler\Compaq\SetRefresh\SetRefresh.exe" [2003-11-20 20:01 525824]
"CognizanceTS"="C:\PROGRA~1\HPQ\IAM\Bin\AsTsVcc.dll" [2003-12-22 21:12 17920]
"Recguard"="C:\WINDOWS\Sminst\Recguard.exe" [2006-05-12 12:50 1138688]
"Reminder"="C:\WINDOWS\Creator\Remind_XP.exe" [2006-03-31 14:44 761856]
"Scheduler"="C:\WINDOWS\SMINST\Scheduler.exe" [2006-04-24 10:42 888832]
"pccguide.exe"="C:\Programfiler\Trend Micro\Internet Security 2007\pccguide.exe" [2006-09-29 07:49 3112960]
"RTHDCPL"="RTHDCPL.EXE" [2006-07-04 17:26 16250880 C:\WINDOWS\RTHDCPL.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2006-03-02 04:00 15360]

C:\Documents and Settings\All Users\Start-meny\Programmer\Oppstart\
Hurtigstart for Adobe Reader.lnk - C:\Programfiler\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 03:38:16 29696]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Programfiler\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-04-19 13:41 294912 C:\Programfiler\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OneCard]
2006-06-07 21:26 40448 C:\Programfiler\HPQ\IAM\Bin\AsWlnPkg.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IfxWlxEN]
2006-04-07 06:00 434176 C:\WINDOWS\system32\IfxWlxEN.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\SMINST\\Scheduler.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R1 PersonalSecureDrive;PersonalSecureDrive;C:\WINDOWS\system32\drivers\psd.sys [2006-04-07 06:46]
R2 ASChannel;Local Communication Channel;C:\WINDOWS\System32\svchost.exe [2006-03-02 04:00]
R2 atchksrv;Intel(R) AMT System Status Service;C:\Programfiler\Intel\AMT\atchksrv.exe [2007-01-10 06:21]
R2 LMS;Intel(R) Active Management Technology LMS Service;C:\Programfiler\Intel\AMT\LMS.exe [2006-12-06 14:12]
R2 pdfcDispatcher;PDF Document Manager;C:\Programfiler\PDF Complete\pdfsvc.exe [2007-04-13 09:44]
R3 IFXTPM;IFXTPM;C:\WINDOWS\system32\DRIVERS\IFXTPM.SYS [2006-04-25 18:26]
S3 NAL;Nal Service ;C:\WINDOWS\system32\Drivers\iqvw32.sys [2006-06-05 03:39]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Cognizance REG_MULTI_SZ ASChannel

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3cf7088c-7c82-11dc-9dcb-001b78c0e2aa}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

.
- - - - ORPHANS REMOVED - - - -

Notify-NavLogon - (no file)

.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.eadmin.no/default.asp?fid=1000
R0 -: HKCU-Main,SearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
O8 -: E&ksporter til Microsoft Excel - C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-22 15:26:43
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\Documents and Settings\Administrator\Programdata\Microsoft\Crypto\RSA\S-1-5-21-2876697355-3310298577-1413538919-500\6e22962ad96ee7c69ddc940aa08e0512_70efed2a-38da-41c7-a37b-688454502cd0 55 bytes

scan completed successfully
hidden files: 1

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\pdfcDispatcher]
"ImagePath"="C:\Programfiler\PDF Complete\pdfsvc.exe /startedbyscm:66B66708-40E2BE4D-pdfcService"
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\dllhost.exe
C:\Programfiler\HPQ\IAM\Bin\asghost.exe
C:\WINDOWS\system32\IFXSPMGT.exe
C:\WINDOWS\system32\IFXTCS.exe
C:\Programfiler\Fellesfiler\InterVideo\RegMgr\iviRegMgr.exe
C:\Programfiler\Fellesfiler\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\Programfiler\ProtectTools\Embedded Security Software\PSDsrvc.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Programfiler\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Programfiler\ProtectTools\Embedded Security Software\PSDrt.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TSC.EXE
.
**************************************************************************
.
Completion time: 2008-08-22 15:29:23 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-22 13:29:17

Pre-Run: 56,447,320,064 bytes free
Post-Run: 56,380,149,760 bytes free

140 --- E O F --- 2008-08-21 17:37:42
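The part of a ComboFix log that actually decides the triage is the "Reg Loading Points" section: the Run keys, and the cached `mountpoints2` AutoRun commands, which matter here because the deletions at the top of the log (D:\Autorun.inf and the D:\RECYCLER\ files) show a removable drive carrying an autorun payload. The following is an added example, not part of the post above and not ComboFix code: a small Python parser that pulls those entries out of log text and flags the ones worth a second look. The `TRUSTED_PREFIXES` list (Norwegian XP layout, where Program Files is `C:\Programfiler`) is an assumption, and `SAMPLE_LOG` is constructed from lines of the post plus one made-up Run value (`"example"`) so that the flagging path is exercised. The U3 launcher entry from the post is flagged for review only, not as malicious.

```python
"""Triage helper for the 'Reg Loading Points' section of a ComboFix log.

Added example (not ComboFix code, not from the original post). Parses
Run-key values and mountpoints2 AutoRun commands and flags entries that
a reviewer would want to look at first.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumption: Norwegian XP layout, where "Program Files" is C:\Programfiler.
TRUSTED_PREFIXES = (
    "c:\\windows\\",
    "c:\\programfiler\\",
    "c:\\progra~1\\",
    "c:\\program files\\",
)

KEY_LINE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
# "name"="value" [YYYY-MM-DD HH:MM size]  or  [... size resolved\path.exe]
VALUE_LINE = re.compile(
    r'^"(?P<name>[^"]+)"="(?P<value>[^"]*)"\s*'
    r"\[(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) (?P<size>\d+)"
    r"(?: (?P<resolved>[^\]]+))?\]"
)
AUTORUN_LINE = re.compile(r"^\\Shell\\AutoRun\\command\s*-\s*(?P<cmd>.+?)\s*$", re.I)


@dataclass
class Finding:
    kind: str            # "run" or "autorun"
    key: str             # registry key the entry was found under
    name: str
    image: str           # executable path (resolved path if ComboFix gave one)
    timestamp: Optional[str]
    size: Optional[int]
    flagged: bool
    reason: str


def _is_run_key(key: str) -> bool:
    return key.lower().endswith("\\currentversion\\run")


def _is_mountpoints_key(key: str) -> bool:
    return "\\mountpoints2\\" in key.lower()


def _judge_image(value: str, resolved: Optional[str]) -> Tuple[str, bool, str]:
    """Decide whether a Run-key image deserves review; returns (image, flagged, reason)."""
    image = resolved or value
    if "\\" not in image:
        # A bare filename is located through the PATH search order, so a
        # same-named binary earlier in PATH would be the one that runs.
        return image, True, "bare filename resolved through PATH search"
    if not image.lower().startswith(TRUSTED_PREFIXES):
        return image, True, "image outside Windows/Program Files"
    return image, False, ""


def parse_loading_points(log_text: str) -> List[Finding]:
    """Walk the log line by line, tracking the current registry key."""
    findings: List[Finding] = []
    key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        m = KEY_LINE.match(line)
        if m:
            key = m.group("key")
            continue
        if _is_run_key(key):
            m = VALUE_LINE.match(line)
            if m:
                image, flagged, reason = _judge_image(m.group("value"), m.group("resolved"))
                findings.append(Finding("run", key, m.group("name"), image,
                                        m.group("ts"), int(m.group("size")), flagged, reason))
        elif _is_mountpoints_key(key):
            m = AUTORUN_LINE.match(line)
            if m:
                # Explorer caches the AutoRun command of every volume it has seen;
                # always surface these so the reviewer ties them to the drive.
                findings.append(Finding("autorun", key, "AutoRun\\command", m.group("cmd"),
                                        None, None, True,
                                        "AutoRun command cached for a mounted volume"))
    return findings


def flagged_images(log_text: str) -> List[str]:
    return [f.image for f in parse_loading_points(log_text) if f.flagged]


# Constructed sample: lines copied from the log above, plus one made-up Run
# value ("example") that does not appear in the post, so flagging is exercised.
SAMPLE_LOG = """\
[HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]
"swg"="C:\\Programfiler\\Google\\GoogleToolbarNotifier\\GoogleToolbarNotifier.exe" [2007-10-02 13:44 68856]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe" [2006-03-02 04:00 15360]
"example"="C:\\Documents and Settings\\Administrator\\example.exe" [2008-08-20 10:00 4096]

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]
"RTHDCPL"="RTHDCPL.EXE" [2006-07-04 17:26 16250880 C:\\WINDOWS\\RTHDCPL.exe]
"Reminder"="C:\\WINDOWS\\Creator\\Remind_XP.exe" [2006-03-31 14:44 761856]

[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center\\Monitoring\\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_CURRENT_USER\\software\\microsoft\\windows\\currentversion\\explorer\\mountpoints2\\{3cf7088c-7c82-11dc-9dcb-001b78c0e2aa}]
\\Shell\\AutoRun\\command - F:\\LaunchU3.exe -a
"""

if __name__ == "__main__":
    for f in parse_loading_points(SAMPLE_LOG):
        mark = "!!" if f.flagged else "  "
        print(f"{mark} {f.kind:7} {f.name:12} {f.image}  {f.reason}")
```

Run it against a real log with `parse_loading_points(open(path, encoding="cp1252").read())`; ComboFix writes its logs in the system ANSI code page, which is why the Norwegian folder names survive intact above. The `RTHDCPL` entry shows why the bracketed resolved path is preferred over the raw value: the value is a bare `RTHDCPL.EXE`, but ComboFix already resolved it to `C:\WINDOWS\RTHDCPL.exe`, so it is not flagged.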