ComboFix 08-08-27.01 - Berg 2008-08-27 21:27:04.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1044.18.681 [GMT 2:00]
Running from: C:\Documents and Settings\Berg\Skrivebord\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Start-meny\Programmer\Antivirus XP 2008
C:\Documents and Settings\All Users\Start-meny\Programmer\Antivirus XP 2008.lnk
C:\Documents and Settings\All Users\Start-meny\Programmer\Antivirus XP 2008\Antivirus XP 2008.lnk
C:\Documents and Settings\All Users\Start-meny\Programmer\Antivirus XP 2008\How to Register Antivirus XP 2008.lnk
C:\Documents and Settings\All Users\Start-meny\Programmer\Antivirus XP 2008\License Agreement.lnk
C:\Documents and Settings\All Users\Start-meny\Programmer\Antivirus XP 2008\Register Antivirus XP 2008.lnk
C:\Documents and Settings\All Users\Start-meny\Programmer\Antivirus XP 2008\Uninstall.lnk
C:\Documents and Settings\Berg\Cookies\berg@2o7[1].txt
C:\Documents and Settings\Berg\Cookies\berg@ad.yieldmanager[1].txt
C:\Documents and Settings\Berg\Cookies\berg@advertising[2].txt
C:\Documents and Settings\Berg\Cookies\berg@date.ventivmedia[1].txt
C:\Documents and Settings\Berg\Cookies\berg@stl.p.a1.traceworks[2].txt
C:\Documents and Settings\Berg\Cookies\berg@www.nettkatalogen[3].txt
C:\Documents and Settings\Berg\Programdata\macromedia\Flash Player\#SharedObjects\C5R4T7FN\bin.clearspring.com
C:\Documents and Settings\Berg\Programdata\macromedia\Flash Player\#SharedObjects\C5R4T7FN\bin.clearspring.com\clearspring.sol
C:\Documents and Settings\Berg\Programdata\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#bin.clearspring.com
C:\Documents and Settings\Berg\Programdata\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#bin.clearspring.com\settings.sol
C:\WINDOWS\Downloaded Program Files\setup.inf
C:\WINDOWS\system32\a.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_TDSSSERV
-------\Service_tdssserv


((((((((((((((((((((((((( Files Created from 2008-07-27 to 2008-08-27 )))))))))))))))))))))))))))))))
.

2008-08-27 21:12 . 2008-08-27 21:12 d-------- C:\Programfiler\Malwarebytes' Anti-Malware
2008-08-27 21:12 . 2008-08-27 21:12 d-------- C:\Documents and Settings\Berg\Programdata\Malwarebytes
2008-08-27 21:12 . 2008-08-27 21:12 d-------- C:\Documents and Settings\All Users\Programdata\Malwarebytes
2008-08-27 21:12 . 2008-08-17 15:04 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-27 21:12 . 2008-08-17 15:04 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-08-27 20:33 . 2008-08-27 20:33 0 --a------ C:\WINDOWS\system32\2A.tmp
2008-08-27 20:14 . 2008-08-27 20:14 0 --a------ C:\WINDOWS\system32\8A.tmp
2008-08-27 20:07 . 2008-08-27 20:07 d-------- C:\Documents and Settings\LocalService\Mine dokumenter
2008-08-27 16:49 . 2008-08-27 16:49 d-------- C:\Programfiler\Avira
2008-08-27 16:49 . 2008-08-27 16:49 d-------- C:\Documents and Settings\All Users\Programdata\Avira
2008-08-13 18:38 . 2008-08-13 18:38 d-------- C:\Programfiler\Windows Media Connect 2
2008-08-13 18:37 . 2008-08-13 18:37 d-------- C:\WINDOWS\system32\drivers\UMDF
2008-08-13 18:37 . 2008-08-13 18:37 d-------- C:\662b7e376d1b71d52bc3ffa8e424e4
2008-08-13 18:37 . 2008-08-13 18:38 d-------- C:\45313c7784a0fcde62167ab0d05c

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-01 13:00 --------- d-----w C:\Programfiler\Norton Security Scan

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 14:00 15360]
"MsnMsgr"="C:\Programfiler\MSN Messenger\MsnMsgr.Exe" [2007-01-19 12:54 5674352]
"AdobeUpdater"="C:\Programfiler\Fellesfiler\Adobe\Updater5\AdobeUpdater.exe" [2007-03-01 10:37 2321600]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-07-20 20:58 7581696]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-07-20 20:58 86016]
"DAEMON Tools-1033"="C:\Programfiler\D-Tools\daemon.exe" [2004-08-22 17:05 81920]
"SunJavaUpdateSched"="C:\Programfiler\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43 83608]
"QuickTime Task"="C:\Programfiler\QuickTime\qttask.exe" [2007-04-27 09:41 282624]
"iTunesHelper"="C:\Programfiler\iTunes\iTunesHelper.exe" [2007-06-01 16:51 257088]
"Adobe Photo Downloader"="C:\Programfiler\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 11:09 63712]
"Adobe Reader Speed Launcher"="C:\Programfiler\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"avgnt"="C:\Programfiler\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 14:28 266497]
"nwiz"="nwiz.exe" [2006-07-20 20:58 1519616 C:\WINDOWS\system32\nwiz.exe]
"Mouse Suite 98 Daemon"="ICO.EXE" [2004-07-14 15:36 57344 C:\WINDOWS\system32\ICO.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 14:00 15360]

C:\Documents and Settings\All Users\Start-meny\Programmer\Oppstart\
HP Pavilion Webcam Tray Icon.lnk - C:\Programfiler\Hewlett-Packard\HP Pavilion Webcam\HPWebcam.exe [2008-02-09 18:16:03 102400]
Microsoft Office.lnk - C:\Programfiler\Microsoft Office\Office10\OSA.EXE [2001-02-13 10:01:04 83360]
Philips SNU5600 Wireless USB Adapter.lnk - C:\Programfiler\philips\Philips SNU5600 Wireless USB Adapter Utility\PHUSBBGMonitor.exe [2006-06-01 14:28:36 466944]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Programfiler\\MSN Messenger\\msnmsgr.exe"=
"C:\\Programfiler\\MSN Messenger\\livecall.exe"=
"C:\\Programfiler\\iTunes\\iTunes.exe"=

R3 CPWGU(Philips);Philips SNU5600 Wireless USB Adapter 11b/g(Philips);C:\WINDOWS\system32\DRIVERS\CPWGU.sys [2007-05-29 18:30]
S3 cxbu0wdm;CardMan 3x21;C:\WINDOWS\system32\DRIVERS\cxbu0wdm.sys [2005-02-01 11:49]

.
Contents of the 'Scheduled Tasks' folder

2008-06-15 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Programfiler\Apple Software Update\SoftwareUpdate.exe [2007-01-10 15:42]

2008-08-01 C:\WINDOWS\Tasks\Norton Security Scan.job
- C:\Programfiler\Norton Security Scan\Nss.exe [2007-04-19 22:42]
.
- - - - ORPHANS REMOVED - - - -

Notify-WgaLogon - (no file)

.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.startsiden.no/
O8 -: E&ksporter til Microsoft Excel - C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-27 21:31:19
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\scardsvr.exe
C:\Programfiler\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Programfiler\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Programfiler\Hewlett-Packard\Shared\hpqWmiEx.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programfiler\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Programfiler\iPod\bin\iPodService.exe
C:\Programfiler\Hewlett-Packard\Shared\HpqToaster.exe
.
**************************************************************************
.
Completion time: 2008-08-27 21:34:04 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-27 19:34:01

Pre-Run: 112,215,040,000 byte ledig
Post-Run: 113,251,749,888 byte ledig

136 --- E O F --- 2008-08-16 20:52:00