ComboFix 08-09-05.02 - Eivind Berg 2008-09-07 1:27:36.3 - NTFSx86 Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1044.18.1132 [GMT 2:00] Running from: C:\Users\Eivind Berg\Desktop\ComboFix.exe Command switches used :: C:\Users\Eivind Berg\Desktop\CFScript.txt * Created a new restore point . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . C:\ProgramData\lqvcnufs C:\ProgramData\lqvcnufs\zqtubidw.exe C:\ProgramData\SrvUtilDb C:\ProgramData\SrvUtilDb\hqbwrufw.exe C:\ProgramData\StrSmartApi C:\ProgramData\StrSmartApi\dutwzcru.exe C:\Users\All Users\SrvUtilDb C:\Users\All Users\SrvUtilDb\hqbwrufw.exe C:\Users\All Users\StrSmartApi C:\Users\All Users\StrSmartApi\dutwzcru.exe C:\Windows\MEMORY.DMP\ . ((((((((((((((((((((((((( Files Created from 2008-08-06 to 2008-09-06 ))))))))))))))))))))))))))))))) . 2008-09-07 00:51 . 2008-09-07 00:51 d-------- C:\Users\All Users\ActSysWin 2008-09-07 00:51 . 2008-09-07 00:51 d-------- C:\ProgramData\ActSysWin 2008-09-06 23:57 . 2008-09-06 23:57 d-------- C:\Program Files\Trend Micro 2008-09-06 23:45 . 2008-09-06 23:45 340,126,845 --a------ C:\Windows\MEMORY.DMP 2008-09-06 19:55 . 2008-09-06 19:55 d-------- C:\Users\Eivind Berg\AppData\Roaming\Malwarebytes 2008-09-06 19:55 . 2008-09-06 19:55 d-------- C:\Users\All Users\Malwarebytes 2008-09-06 19:55 . 2008-09-06 19:55 d-------- C:\ProgramData\Malwarebytes 2008-09-06 19:55 . 2008-09-06 19:55 d-------- C:\Program Files\Malwarebytes' Anti-Malware 2008-09-06 19:55 . 2008-09-02 00:16 38,528 --a------ C:\Windows\System32\drivers\mbamswissarmy.sys 2008-09-06 19:55 . 2008-09-02 00:16 17,200 --a------ C:\Windows\System32\drivers\mbam.sys 2008-08-27 08:39 . 2008-07-19 07:09 1,811,656 --a------ C:\Windows\System32\wuaueng.dll 2008-08-27 08:39 . 2008-07-19 05:44 1,524,736 --a------ C:\Windows\System32\wucltux.dll 2008-08-27 08:39 . 2008-07-19 07:10 53,448 --a------ C:\Windows\System32\wuauclt.exe 2008-08-27 08:39 . 2008-07-19 07:10 45,768 --a------ C:\Windows\System32\wups2.dll 2008-08-27 08:29 . 2008-07-19 07:09 563,912 --a------ C:\Windows\System32\wuapi.dll 2008-08-27 08:29 . 2008-07-19 05:44 83,456 --a------ C:\Windows\System32\wudriver.dll 2008-08-27 08:29 . 2008-07-19 07:10 36,552 --a------ C:\Windows\System32\wups.dll 2008-08-27 08:19 . 2008-07-18 22:08 163,904 --a------ C:\Windows\System32\wuwebv.dll 2008-08-27 08:19 . 2008-07-18 20:44 31,232 --a------ C:\Windows\System32\wuapp.exe 2008-08-16 03:07 . 2008-07-16 03:32 2,048 --a------ C:\Windows\System32\tzres.dll 2008-08-13 09:06 . 2008-06-27 03:55 1,383,424 --a------ C:\Windows\System32\mshtml.tlb 2008-08-13 09:06 . 2008-06-27 06:15 827,392 --a------ C:\Windows\System32\wininet.dll 2008-08-13 08:59 . 2008-06-19 05:31 361,984 --a------ C:\Windows\System32\IPSECSVC.DLL 2008-08-13 08:56 . 2008-04-18 07:48 269,312 --a------ C:\Windows\System32\es.dll 2008-08-13 08:49 . 2008-04-10 07:12 738,304 --a------ C:\Windows\System32\inetcomm.dll . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2008-09-05 13:00 --------- d-----w C:\Program Files\Norton Security Scan 2008-08-23 19:28 173,385 ----a-w C:\Users\Eivind Berg\AppData\Roaming\nvModes.dat 2008-08-20 17:20 --------- d-----w C:\ProgramData\Symantec 2008-08-17 01:02 --------- d-----w C:\ProgramData\Microsoft Help 2008-08-16 01:03 --------- d-----w C:\Program Files\Windows Mail 2008-08-16 01:02 --------- d-----w C:\Program Files\Microsoft Works 2008-08-13 06:41 --------- d-----w C:\Program Files\Common Files\Symantec Shared 2008-07-28 15:35 --------- d-----w C:\ProgramData\Apple 2008-07-28 15:35 --------- d-----w C:\Program Files\Apple Software Update 2008-07-10 22:48 --------- d-----w C:\Users\Eivind Berg\AppData\Roaming\BearShare 2008-07-08 21:51 --------- d-----w C:\Program Files\Runtime Software 2008-07-08 17:58 --------- d-----w C:\Program Files\Recuva 2008-06-26 03:29 801,280 ----a-w C:\Windows\System32\NaturalLanguage6.dll 2008-06-26 01:45 2,644,480 ----a-w C:\Windows\System32\NlsLexicons0009.dll 2008-06-26 01:45 12,240,896 ----a-w C:\Windows\System32\NlsLexicons0007.dll 2008-06-09 19:56 174 --sha-w C:\Program Files\desktop.ini 2008-06-09 19:20 82,432 ----a-w C:\Windows\System32\axaltocm.dll 2008-06-09 19:20 101,888 ----a-w C:\Windows\System32\ifxcardm.dll 2007-08-21 10:40 27,335 ----a-w C:\Users\Skole\AppData\Roaming\nvModes.dat 2007-10-26 11:05 16,384 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat 2007-10-26 11:05 32,768 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat 2007-10-26 11:05 16,384 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat . ((((((((((((((((((((((((((((( snapshot@2008-09-06_23.51.11.53 ))))))))))))))))))))))))))))))))))))))))) . - 2008-09-06 21:43:42 2,484 ----a-w C:\Windows\bthservsdp.dat + 2008-09-06 23:20:08 2,484 ----a-w C:\Windows\bthservsdp.dat + 2008-09-06 23:21:36 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat + 2008-09-06 23:21:36 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat - 2008-09-06 21:46:13 262,144 --sha-w C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT + 2008-09-06 23:24:46 262,144 --sha-w C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT + 2008-09-06 23:24:46 262,144 ---ha-w C:\Windows\ServiceProfiles\LocalService\ntuser.dat.LOG1 - 2008-09-06 21:46:13 262,144 --sha-w C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT + 2008-09-06 23:25:39 262,144 --sha-w C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT + 2008-09-06 23:25:39 262,144 ---ha-w C:\Windows\ServiceProfiles\NetworkService\ntuser.dat.LOG1 - 2008-09-06 21:19:41 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat + 2008-09-06 23:26:46 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat - 2008-09-06 21:19:41 49,152 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat + 2008-09-06 23:26:46 49,152 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat - 2008-09-06 21:19:41 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat + 2008-09-06 23:26:46 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat - 2008-08-30 18:56:09 104,940 ----a-w C:\Windows\System32\perfc009.dat + 2008-09-06 23:29:36 104,940 ----a-w C:\Windows\System32\perfc009.dat - 2008-08-30 18:56:09 80,524 ----a-w C:\Windows\System32\perfc014.dat + 2008-09-06 23:29:36 80,524 ----a-w C:\Windows\System32\perfc014.dat - 2008-08-30 18:56:09 595,506 ----a-w C:\Windows\System32\perfh009.dat + 2008-09-06 23:29:36 595,506 ----a-w C:\Windows\System32\perfh009.dat - 2008-08-30 18:56:09 460,234 ----a-w C:\Windows\System32\perfh014.dat + 2008-09-06 23:29:36 460,234 ----a-w C:\Windows\System32\perfh014.dat - 2008-08-30 18:51:24 9,214 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3063860826-2862599839-3869518605-1000_UserData.bin + 2008-09-06 23:26:21 9,590 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3063860826-2862599839-3869518605-1000_UserData.bin - 2008-08-30 18:51:23 78,722 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin + 2008-09-06 23:26:20 78,722 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin - 2008-08-30 18:51:21 44,192 ----a-w C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin + 2008-09-06 23:26:18 44,628 ----a-w C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin . -- Snapshot reset to current date -- . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-01-19 1233920] "ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2008-01-19 125952] "msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 5674352] "ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2005-08-11 249856] "SUPERAntiSpyware"="C:\Rense pcen\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-05-13 1510640] "WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240] "ActSysWin"="C:\ProgramData\ActSysWin\litydile.exe" [2008-09-07 94208] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "NokiaMServer"="C:\Program Files\Common Files\Nokia\MPlatform\NokiaMServer" [X] "SMSERIAL"="C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe" [2006-10-09 729088] "SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-01-13 827392] "IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2007-02-12 174872] "ccApp"="c:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 115816] "QPService"="C:\Program Files\HP\QuickPlay\QPService.exe" [2007-04-23 176128] "QlbCtrl"="C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-02-13 159744] "HP Health Check Scheduler"="C:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2007-03-12 50696] "hpWirelessAssistant"="C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-03-01 472776] "WAWifiMessage"="C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe" [2007-01-10 317128] "HP Software Update"="C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-16 49152] "CognizanceTS"="c:\PROGRA~1\BIOSCR~1\VeriSoft\Bin\ASTSVCC.dll" [2003-12-22 17920] "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 144784] "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792] "NvSvc"="C:\Windows\system32\nvsvc.dll" [2007-05-01 86016] "NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2007-05-01 8429568] "NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2007-05-01 81920] "Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 583048] "RtHDVCpl"="RtHDVCpl.exe" [2007-03-09 C:\Windows\RtHDVCpl.exe] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce] "Launcher"="C:\Windows\SMINST\launcher.exe" [2006-11-07 44128] C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ BTTray.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-12-20 719664] Nokia Nseries PC Suite.lnk - C:\Program Files\Nokia\NNPCS\RunLauncher.exe [2008-01-14 679936] [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system] "EnableUIADesktopToggle"= 0 (0x0) [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks] "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Rense pcen\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon] 2007-04-19 13:41 294912 C:\Rense pcen\SUPERAntiSpyware\SASWINLO.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows] "AppInit_DLLs"=APSHook.dll [HKEY_LOCAL_MACHINE\software\microsoft\security center] "UacDisableNotify"=dword:00000001 "InternetSettingsDisableNotify"=dword:00000001 "AutoUpdateDisableNotify"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring] "DisableMonitoring"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus] "DisableMonitoring"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules] "{3816BB05-8398-408C-B811-5E6612A7577D}"= C:\Program Files\MSN Messenger\livecall.exe:Windows Live Messenger 8.1 (Phone) "{4435D09C-670B-4760-877C-66533AA0FD9F}"= C:\Program Files\HP\QuickPlay\QP.exe:Quick Play "{56624B7F-B0B7-4DB9-9AB7-5DBE5A9019FF}"= C:\Program Files\HP\QuickPlay\QPService.exe:Quick Play Resident Program "{A466AD06-042F-44E5-BF49-4E2BFE9322C9}"= UDP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote "{2BB1F976-1079-4296-ABF4-7E27B253A6CF}"= TCP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote [HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile] "EnableFirewall"= 0 (0x0) R1 IDSvix86;Symantec Intrusion Prevention Driver;C:\PROGRA~2\Symantec\DEFINI~1\SymcData\idsdefs\20071009.001\IDSvix86.sys [2007-09-13 180272] R2 ASBroker;Logon Session Broker;C:\Windows\System32\svchost.exe [2008-01-19 21504] R2 ASChannel;Local Communication Channel;C:\Windows\System32\svchost.exe [2008-01-19 21504] R2 Automatisk LiveUpdate-planlegging;Automatisk LiveUpdate-planlegging;C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe [2007-01-19 554616] R3 btwaudio;Bluetooth-lydenhet;C:\Windows\system32\drivers\btwaudio.sys [2007-01-02 78128] R3 btwavdt;Bluetooth AVDT;C:\Windows\system32\drivers\btwavdt.sys [2007-01-02 80688] R3 btwrchid;btwrchid;C:\Windows\system32\DRIVERS\btwrchid.sys [2007-01-02 16560] R3 SYMNDISV;SYMNDISV;C:\Windows\system32\Drivers\SYMNDISV.SYS [2007-01-09 38200] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost] bthsvcs REG_MULTI_SZ BthServ Cognizance REG_MULTI_SZ ASBroker ASChannel *Newly Created Service* - COMHOST . Contents of the 'Scheduled Tasks' folder . ************************************************************************** catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-09-07 01:30:38 Windows 6.0.6001 Service Pack 1 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . Completion time: 2008-09-07 1:32:10 ComboFix-quarantined-files.txt 2008-09-06 23:32:06 ComboFix2.txt 2008-09-06 22:35:23 ComboFix3.txt 2008-09-06 21:52:49 Pre-Run: 103,601,315,840 byte ledig Post-Run: 103,567,216,640 byte ledig 208 --- E O F --- 2008-09-02 17:44:47