ComboFix 08-08-30.01 - Lars Kjetil Myrstad 2008-08-31 0:53:57.5 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.528 [GMT 2:00]
Running from: C:\Documents and Settings\Lars Kjetil Myrstad\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Lars Kjetil Myrstad\Desktop\CFScript.txt
 * Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\wlkpknml
C:\Documents and Settings\All Users\Application Data\wlkpknml\whatapiv.exe
C:\Program Files\avbjzde
C:\Program Files\avbjzde\stren.dll
C:\Program Files\PCHealthCenter
C:\Program Files\PCHealthCenter\0.exe
C:\Program Files\PCHealthCenter\0.gif
C:\Program Files\PCHealthCenter\1.exe
C:\Program Files\PCHealthCenter\1.gif
C:\Program Files\PCHealthCenter\1.ico
C:\Program Files\PCHealthCenter\2.exe
C:\Program Files\PCHealthCenter\2.gif
C:\Program Files\PCHealthCenter\2.ico
C:\Program Files\PCHealthCenter\3.exe
C:\Program Files\PCHealthCenter\3.gif
C:\Program Files\PCHealthCenter\4.exe
C:\Program Files\PCHealthCenter\5.exe
C:\Program Files\PCHealthCenter\7.exe
C:\WINDOWS\system32\ezuzmxaj.exe
C:\WINDOWS\system32\neletspe.exe
C:\WINDOWS\system32\otgjwbij.exe
C:\WINDOWS\system32\utwxqbid.exe
C:\WINDOWS\system32\uvidyvet.exe
C:\WINDOWS\system32\vixofkvm.exe
C:\WINDOWS\system32\zsbsxcrg.exe
.

((((((((((((((((((((((((( Files Created from 2008-07-28 to 2008-08-30 )))))))))))))))))))))))))))))))
.

2008-08-31 00:02 . 2008-08-31 00:02 1,223,100 --a------ C:\WINDOWS\system32\ujarslid.exe
2008-08-31 00:02 . 2008-08-31 00:02 81,920 --a------ C:\WINDOWS\system32\mjkzcpsx.exe
2008-08-30 23:52 . 2008-08-30 23:52 d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-08-30 23:52 . 2008-01-09 00:19 d-------- C:\Documents and Settings\Administrator\Application Data\Intel
2008-08-30 23:52 . 2006-04-05 23:24 d-------- C:\Documents and Settings\Administrator\Application Data\Corel
2008-08-30 23:52 . 2006-04-05 23:20 d-------- C:\Documents and Settings\Administrator\Application Data\ATI
2008-08-30 23:52 . 2008-08-30 23:52 d-------- C:\Documents and Settings\Administrator
2008-08-30 23:23 . 2008-08-30 23:23 1,223,100 --a------ C:\WINDOWS\system32\xarmhyvk.exe
2008-08-30 23:23 . 2008-08-30 23:23 81,920 --a------ C:\WINDOWS\system32\hwzmlcds.exe
2008-08-29 19:30 . 2008-08-29 19:30 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-29 19:30 . 2008-08-29 19:30 d-------- C:\Documents and Settings\Lars Kjetil Myrstad\Application Data\Malwarebytes
2008-08-29 19:30 . 2008-08-29 19:30 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-29 19:30 . 2008-08-17 15:04 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-29 19:30 . 2008-08-17 15:04 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-08-29 17:12 . 2008-08-29 17:12 d-------- C:\Program Files\Enigma Software Group
2008-08-29 15:11 . 2008-08-29 15:11 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-08-21 22:24 . 2008-08-21 22:24 d-------- C:\Program Files\FotoKnudsen FotoBok
2008-08-21 22:24 . 2008-08-21 22:24 d-------- C:\Documents and Settings\All Users\Application Data\FotoKnudsen FotoBok
2008-08-21 13:08 . 2008-05-01 16:30 331,776 --------- C:\WINDOWS\system32\dllcache\msadce.dll
2008-07-18 20:38 . 2008-07-18 20:38 587,264 --a------ C:\WINDOWS\WLXPGSS.SCR
2008-07-17 18:09 . 2008-07-17 18:09 d-------- C:\Program Files\FMS
2008-07-07 22:32 . 2008-07-07 22:32 253,952 --------- C:\WINDOWS\system32\dllcache\es.dll
.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-30 08:12 --------- d-----w C:\Program Files\Common Files\Adobe
2008-08-30 08:11 --------- d-----w C:\Documents and Settings\Lars Kjetil Myrstad\Application Data\AdobeUM
2008-08-29 13:11 --------- d-----w C:\Program Files\Lavasoft
2008-08-29 13:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-08-28 19:36 --------- d-----w C:\Documents and Settings\Linn Eidem\Application Data\AdobeUM
2008-07-31 21:36 --------- d-----w C:\Documents and Settings\Lars Kjetil Myrstad\Application Data\uTorrent
2007-03-06 20:50 768 ----a-w C:\Program Files\SDMV11DIVES.TPS
2007-03-06 20:50 768 ----a-w C:\Program Files\SDMV10SIMPR.TPS
2007-03-06 20:50 768 ----a-w C:\Program Files\SDMV10PROF.TPS
2007-03-06 20:50 1,280 ----a-w C:\Program Files\SDMV13SIMDIVE.TPS
2008-03-02 10:21 56 --sh--r C:\WINDOWS\system32\D23E61BF04.sys
2008-03-02 10:21 3,766 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( snapshot@2008-08-30_23.26.08.64 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-08-30 22:57:00 16,384 ----atw C:\WINDOWS\temp\Perflib_Perfdata_140.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ModemOnHold"="C:\Program Files\NetWaiting\netWaiting.exe" [2003-09-10 03:24 20480]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00 15360]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 12:34 5724184]
"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe" [2008-02-20 17:20 356352]
"uihlpapi"="C:\WINDOWS\system32\hwzmlcds.exe" [2008-08-30 23:23 81920]
"ApiCfgSet"="C:\WINDOWS\system32\mjkzcpsx.exe" [2008-08-31 00:02 81920]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ShowLOMControl"="1 (0x1)" [X]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-11-29 19:56 761947]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2005-12-06 11:45 839680]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 11:44 81920]
"basicsmssmenu"="C:\Program Files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe" [2007-10-09 17:21 169328]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-10-08 15:18 995328]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-10-08 15:13 1101824]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 18:41 45056]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-09 21:29 49152]
"SigmatelSysTrayApp"="stsystra.exe" [2005-11-16 22:35 397312 C:\WINDOWS\stsystra.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 06:00 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 03:38:16 29696]
Bluetooth Manager.lnk - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2005-11-18 18:46:00 1724416]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-04-05 23:17:56 24576]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-07-19 16:35]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-07-19 16:37]
R2 Basics Service;Basics Service;C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe [2007-10-09 17:21]
R2 NgVpnMgr;Aventail VPN Client;C:\WINDOWS\system32\ngvpnmgr.exe [2007-08-01 19:04]
R3 NgLog;Aventail VPN Logging;C:\WINDOWS\system32\DRIVERS\nglog.sys [2007-08-01 19:02]
R3 NgVpn;Aventail VPN Adapter;C:\WINDOWS\system32\DRIVERS\ngvpn.sys [2007-08-01 19:03]
S3 cxbu0wdm;CardMan 3x21;C:\WINDOWS\system32\DRIVERS\cxbu0wdm.sys [2006-07-11 12:03]
S3 NgFilter;Aventail VPN Filter;C:\WINDOWS\system32\DRIVERS\ngfilter.sys [2007-08-01 19:03]
S3 NgWfp;Aventail VPN Callout;C:\WINDOWS\system32\DRIVERS\ngwfp.sys [2007-08-01 19:03]
S3 SiBulk;SiBulk;C:\WINDOWS\system32\drivers\SiBulk.sys [2004-06-18 20:23]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{dacb0090-7e76-11dc-8ef6-0015c5068919}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder
2008-08-30 C:\WINDOWS\Tasks\Se etter oppdateringer for Windows Live Toolbar.job
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 12:20]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-smartweb - C:\WINDOWS\system32\neletspe.exe
HKCU-Run-UtilWeb - C:\WINDOWS\system32\otgjwbij.exe
HKCU-Run-UiSrv - C:\WINDOWS\system32\zsbsxcrg.exe
HKCU-Run-HlpWebApi - C:\WINDOWS\system32\uvidyvet.exe
HKLM-Run-MSKDetectorExe - C:\Program Files\McAfee\SpamKiller\MSKDetct.exe
HKLM-Explorer_Run-xiWK5tFO9j - C:\Documents and Settings\All Users\Application Data\wlkpknml\whatapiv.exe
SSODL-stren-{0491FE2F-4EA6-9304-4080-06F944FDDC0F} - C:\Program Files\avbjzde\stren.dll

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-31 00:57:25
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\scardsvr.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Dell\NicConfigSvc\NicConfigSvc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHSP.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosOBEX.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtProc.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
.
**************************************************************************
.
Completion time: 2008-08-31 1:01:43 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-30 23:01:38
ComboFix2.txt 2008-08-30 22:00:28
ComboFix3.txt 2008-08-30 21:26:33
ComboFix4.txt 2008-08-30 20:25:01

Pre-Run: 14,804,549,632 bytes free
Post-Run: 14,793,498,624 bytes free

198 --- E O F --- 2008-08-21 21:50:05