ComboFix 08-08-30.01 - Lars Kjetil Myrstad 2008-08-30 22:16:38.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.490 [GMT 2:00]
Running from: C:\Documents and Settings\Lars Kjetil Myrstad\Desktop\ComboFix.exe
 * Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\PCHealthCenter
C:\Program Files\PCHealthCenter\0.gif
C:\Program Files\PCHealthCenter\1.gif
C:\Program Files\PCHealthCenter\1.ico
C:\Program Files\PCHealthCenter\2.gif
C:\Program Files\PCHealthCenter\2.ico
C:\Program Files\PCHealthCenter\3.gif
C:\Program Files\PCHealthCenter\5.exe

.
((((((((((((((((((((((((( Files Created from 2008-07-28 to 2008-08-30 )))))))))))))))))))))))))))))))
.

2008-08-30 22:20 . 2008-08-30 22:21            d--------   C:\Program Files\PCHealthCenter
2008-08-30 22:20 . 2008-08-30 22:20  1,223,100 --a------   C:\WINDOWS\system32\vixofkvm.exe
2008-08-30 22:20 . 2008-08-30 22:20     81,920 --a------   C:\WINDOWS\system32\zsbsxcrg.exe
2008-08-30 21:38 . 2008-08-30 21:38  1,223,100 --a------   C:\WINDOWS\system32\utwxqbid.exe
2008-08-30 21:38 . 2008-08-30 21:38     94,208 --a------   C:\WINDOWS\system32\otgjwbij.exe
2008-08-30 21:12 . 2008-08-30 21:12     94,208 --a------   C:\WINDOWS\system32\neletspe.exe
2008-08-29 19:30 . 2008-08-29 19:30            d--------   C:\Program Files\Malwarebytes' Anti-Malware
2008-08-29 19:30 . 2008-08-29 19:30            d--------   C:\Documents and Settings\Lars Kjetil Myrstad\Application Data\Malwarebytes
2008-08-29 19:30 . 2008-08-29 19:30            d--------   C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-29 19:30 . 2008-08-17 15:04     38,472 --a------   C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-29 19:30 . 2008-08-17 15:04     17,144 --a------   C:\WINDOWS\system32\drivers\mbam.sys
2008-08-29 17:12 . 2008-08-29 17:12            d--------   C:\Program Files\Enigma Software Group
2008-08-29 15:11 . 2008-08-29 15:11            d--------   C:\Program Files\Common Files\Wise Installation Wizard
2008-08-29 15:05 . 2008-08-29 15:05            d--------   C:\Program Files\avbjzde
2008-08-29 15:05 . 2008-08-29 15:05            d--------   C:\Documents and Settings\All Users\Application Data\wlkpknml
2008-08-21 22:24 . 2008-08-21 22:24            d--------   C:\Program Files\FotoKnudsen FotoBok
2008-08-21 22:24 . 2008-08-21 22:24            d--------   C:\Documents and Settings\All Users\Application Data\FotoKnudsen FotoBok
2008-08-21 13:08 . 2008-05-01 16:30    331,776 ---------   C:\WINDOWS\system32\dllcache\msadce.dll
2008-07-18 20:38 . 2008-07-18 20:38    587,264 --a------   C:\WINDOWS\WLXPGSS.SCR
2008-07-17 18:09 . 2008-07-17 18:09            d--------   C:\Program Files\FMS
2008-07-07 22:32 . 2008-07-07 22:32    253,952 ---------   C:\WINDOWS\system32\dllcache\es.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-30 08:12 ---------  d-----w  C:\Program Files\Common Files\Adobe
2008-08-30 08:11 ---------  d-----w  C:\Documents and Settings\Lars Kjetil Myrstad\Application Data\AdobeUM
2008-08-29 13:11 ---------  d-----w  C:\Program Files\Lavasoft
2008-08-29 13:10 ---------  d-----w  C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-08-28 19:36 ---------  d-----w  C:\Documents and Settings\Linn Eidem\Application Data\AdobeUM
2008-07-31 21:36 ---------  d-----w  C:\Documents and Settings\Lars Kjetil Myrstad\Application Data\uTorrent
2007-03-06 20:50       768  ----a-w  C:\Program Files\SDMV11DIVES.TPS
2007-03-06 20:50       768  ----a-w  C:\Program Files\SDMV10SIMPR.TPS
2007-03-06 20:50       768  ----a-w  C:\Program Files\SDMV10PROF.TPS
2007-03-06 20:50     1,280  ----a-w  C:\Program Files\SDMV13SIMDIVE.TPS
2008-03-02 10:21        56  --sh--r  C:\WINDOWS\system32\D23E61BF04.sys
2008-03-02 10:21     3,766  --sha-w  C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( snapshot@2008-08-29_16.26.04.89 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-08-30 08:13:26  25,214 ----a-r  C:\WINDOWS\Installer\{AC76BA86-7AD7-1033-7B44-A71000000002}\SC_Reader.exe
+ 2008-08-30 20:19:53  16,384 ----atw  C:\WINDOWS\Temp\Perflib_Perfdata_154.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ModemOnHold"="C:\Program Files\NetWaiting\netWaiting.exe" [2003-09-10 03:24 20480]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00 15360]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 12:34 5724184]
"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe" [2008-02-20 17:20 356352]
"smartweb"="C:\WINDOWS\system32\neletspe.exe" [2008-08-30 21:12 94208]
"UtilWeb"="C:\WINDOWS\system32\otgjwbij.exe" [2008-08-30 21:38 94208]
"UiSrv"="C:\WINDOWS\system32\zsbsxcrg.exe" [2008-08-30 22:20 81920]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ShowLOMControl"="1 (0x1)" [X]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-11-29 19:56 761947]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2005-12-06 11:45 839680]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 11:44 81920]
"MSKDetectorExe"="C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" [2005-07-12 20:05 1117184]
"basicsmssmenu"="C:\Program Files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe" [2007-10-09 17:21 169328]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-10-08 15:18 995328]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-10-08 15:13 1101824]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 18:41 45056]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-09 21:29 49152]
"SigmatelSysTrayApp"="stsystra.exe" [2005-11-16 22:35 397312 C:\WINDOWS\stsystra.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 06:00 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
"xiWK5tFO9j"="C:\Documents and Settings\All Users\Application Data\wlkpknml\whatapiv.exe" [2008-08-29 15:05 65536]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 03:38:16 29696]
Bluetooth Manager.lnk - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2005-11-18 18:46:00 1724416]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-04-05 23:17:56 24576]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"stren"= {0491FE2F-4EA6-9304-4080-06F944FDDC0F} - C:\Program Files\avbjzde\stren.dll [2008-08-29 15:05 110592]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders	msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-07-19 16:35]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-07-19 16:37]
R2 Basics Service;Basics Service;C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe [2007-10-09 17:21]
R2 NgVpnMgr;Aventail VPN Client;C:\WINDOWS\system32\ngvpnmgr.exe [2007-08-01 19:04]
R3 NgLog;Aventail VPN Logging;C:\WINDOWS\system32\DRIVERS\nglog.sys [2007-08-01 19:02]
R3 NgVpn;Aventail VPN Adapter;C:\WINDOWS\system32\DRIVERS\ngvpn.sys [2007-08-01 19:03]
S3 cxbu0wdm;CardMan 3x21;C:\WINDOWS\system32\DRIVERS\cxbu0wdm.sys [2006-07-11 12:03]
S3 NgFilter;Aventail VPN Filter;C:\WINDOWS\system32\DRIVERS\ngfilter.sys [2007-08-01 19:03]
S3 NgWfp;Aventail VPN Callout;C:\WINDOWS\system32\DRIVERS\ngwfp.sys [2007-08-01 19:03]
S3 SiBulk;SiBulk;C:\WINDOWS\system32\drivers\SiBulk.sys [2004-06-18 20:23]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{dacb0090-7e76-11dc-8ef6-0015c5068919}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

.
Contents of the 'Scheduled Tasks' folder

2008-08-30 C:\WINDOWS\Tasks\Se etter oppdateringer for Windows Live Toolbar.job
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 12:20]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-WebSmart - C:\WINDOWS\system32\ubahgdgp.exe

.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Lars Kjetil Myrstad\Application Data\Mozilla\Firefox\Profiles\sysgg1ig.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.startsiden.no/
FF -: plugin - C:\Program Files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-30 22:20:49
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\scardsvr.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Dell\NicConfigSvc\NicConfigSvc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosOBEX.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtProc.exe
C:\WINDOWS\system32\vixofkvm.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
.
**************************************************************************
.
Completion time: 2008-08-30 22:25:00 - machine was rebooted
ComboFix-quarantined-files.txt  2008-08-30 20:24:50
ComboFix2.txt  2008-08-29 14:26:36

Pre-Run: 12,938,391,552 bytes free
Post-Run: 12,953,350,144 bytes free

184	--- E O F ---	2008-08-21 21:50:05