ComboFix 08-09-05.02 - Eivind Berg 2008-09-07 1:27:36.3 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1044.18.1132 [GMT 2:00]
Running from: C:\Users\Eivind Berg\Desktop\ComboFix.exe
Command switches used :: C:\Users\Eivind Berg\Desktop\CFScript.txt
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\ProgramData\lqvcnufs
C:\ProgramData\lqvcnufs\zqtubidw.exe
C:\ProgramData\SrvUtilDb
C:\ProgramData\SrvUtilDb\hqbwrufw.exe
C:\ProgramData\StrSmartApi
C:\ProgramData\StrSmartApi\dutwzcru.exe
C:\Users\All Users\SrvUtilDb
C:\Users\All Users\SrvUtilDb\hqbwrufw.exe
C:\Users\All Users\StrSmartApi
C:\Users\All Users\StrSmartApi\dutwzcru.exe
C:\Windows\MEMORY.DMP\
.
((((((((((((((((((((((((( Files Created from 2008-08-06 to 2008-09-06 )))))))))))))))))))))))))))))))
.
2008-09-07 00:51 . 2008-09-07 00:51 d-------- C:\Users\All Users\ActSysWin
2008-09-07 00:51 . 2008-09-07 00:51 d-------- C:\ProgramData\ActSysWin
2008-09-06 23:57 . 2008-09-06 23:57 d-------- C:\Program Files\Trend Micro
2008-09-06 23:45 . 2008-09-06 23:45 340,126,845 --a------ C:\Windows\MEMORY.DMP
2008-09-06 19:55 . 2008-09-06 19:55 d-------- C:\Users\Eivind Berg\AppData\Roaming\Malwarebytes
2008-09-06 19:55 . 2008-09-06 19:55 d-------- C:\Users\All Users\Malwarebytes
2008-09-06 19:55 . 2008-09-06 19:55 d-------- C:\ProgramData\Malwarebytes
2008-09-06 19:55 . 2008-09-06 19:55 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-09-06 19:55 . 2008-09-02 00:16 38,528 --a------ C:\Windows\System32\drivers\mbamswissarmy.sys
2008-09-06 19:55 . 2008-09-02 00:16 17,200 --a------ C:\Windows\System32\drivers\mbam.sys
2008-08-27 08:39 . 2008-07-19 07:09 1,811,656 --a------ C:\Windows\System32\wuaueng.dll
2008-08-27 08:39 . 2008-07-19 05:44 1,524,736 --a------ C:\Windows\System32\wucltux.dll
2008-08-27 08:39 . 2008-07-19 07:10 53,448 --a------ C:\Windows\System32\wuauclt.exe
2008-08-27 08:39 . 2008-07-19 07:10 45,768 --a------ C:\Windows\System32\wups2.dll
2008-08-27 08:29 . 2008-07-19 07:09 563,912 --a------ C:\Windows\System32\wuapi.dll
2008-08-27 08:29 . 2008-07-19 05:44 83,456 --a------ C:\Windows\System32\wudriver.dll
2008-08-27 08:29 . 2008-07-19 07:10 36,552 --a------ C:\Windows\System32\wups.dll
2008-08-27 08:19 . 2008-07-18 22:08 163,904 --a------ C:\Windows\System32\wuwebv.dll
2008-08-27 08:19 . 2008-07-18 20:44 31,232 --a------ C:\Windows\System32\wuapp.exe
2008-08-16 03:07 . 2008-07-16 03:32 2,048 --a------ C:\Windows\System32\tzres.dll
2008-08-13 09:06 . 2008-06-27 03:55 1,383,424 --a------ C:\Windows\System32\mshtml.tlb
2008-08-13 09:06 . 2008-06-27 06:15 827,392 --a------ C:\Windows\System32\wininet.dll
2008-08-13 08:59 . 2008-06-19 05:31 361,984 --a------ C:\Windows\System32\IPSECSVC.DLL
2008-08-13 08:56 . 2008-04-18 07:48 269,312 --a------ C:\Windows\System32\es.dll
2008-08-13 08:49 . 2008-04-10 07:12 738,304 --a------ C:\Windows\System32\inetcomm.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-05 13:00 --------- d-----w C:\Program Files\Norton Security Scan
2008-08-23 19:28 173,385 ----a-w C:\Users\Eivind Berg\AppData\Roaming\nvModes.dat
2008-08-20 17:20 --------- d-----w C:\ProgramData\Symantec
2008-08-17 01:02 --------- d-----w C:\ProgramData\Microsoft Help
2008-08-16 01:03 --------- d-----w C:\Program Files\Windows Mail
2008-08-16 01:02 --------- d-----w C:\Program Files\Microsoft Works
2008-08-13 06:41 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-07-28 15:35 --------- d-----w C:\ProgramData\Apple
2008-07-28 15:35 --------- d-----w C:\Program Files\Apple Software Update
2008-07-10 22:48 --------- d-----w C:\Users\Eivind Berg\AppData\Roaming\BearShare
2008-07-08 21:51 --------- d-----w C:\Program Files\Runtime Software
2008-07-08 17:58 --------- d-----w C:\Program Files\Recuva
2008-06-26 03:29 801,280 ----a-w C:\Windows\System32\NaturalLanguage6.dll
2008-06-26 01:45 2,644,480 ----a-w C:\Windows\System32\NlsLexicons0009.dll
2008-06-26 01:45 12,240,896 ----a-w C:\Windows\System32\NlsLexicons0007.dll
2008-06-09 19:56 174 --sha-w C:\Program Files\desktop.ini
2008-06-09 19:20 82,432 ----a-w C:\Windows\System32\axaltocm.dll
2008-06-09 19:20 101,888 ----a-w C:\Windows\System32\ifxcardm.dll
2007-08-21 10:40 27,335 ----a-w C:\Users\Skole\AppData\Roaming\nvModes.dat
2007-10-26 11:05 16,384 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
2007-10-26 11:05 32,768 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
2007-10-26 11:05 16,384 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
.
((((((((((((((((((((((((((((( snapshot@2008-09-06_23.51.11.53 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-09-06 21:43:42 2,484 ----a-w C:\Windows\bthservsdp.dat
+ 2008-09-06 23:20:08 2,484 ----a-w C:\Windows\bthservsdp.dat
+ 2008-09-06 23:21:36 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2008-09-06 23:21:36 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2008-09-06 21:46:13 262,144 --sha-w C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
+ 2008-09-06 23:24:46 262,144 --sha-w C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
+ 2008-09-06 23:24:46 262,144 ---ha-w C:\Windows\ServiceProfiles\LocalService\ntuser.dat.LOG1
- 2008-09-06 21:46:13 262,144 --sha-w C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2008-09-06 23:25:39 262,144 --sha-w C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2008-09-06 23:25:39 262,144 ---ha-w C:\Windows\ServiceProfiles\NetworkService\ntuser.dat.LOG1
- 2008-09-06 21:19:41 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-09-06 23:26:46 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2008-09-06 21:19:41 49,152 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-09-06 23:26:46 49,152 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-09-06 21:19:41 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-09-06 23:26:46 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-08-30 18:56:09 104,940 ----a-w C:\Windows\System32\perfc009.dat
+ 2008-09-06 23:29:36 104,940 ----a-w C:\Windows\System32\perfc009.dat
- 2008-08-30 18:56:09 80,524 ----a-w C:\Windows\System32\perfc014.dat
+ 2008-09-06 23:29:36 80,524 ----a-w C:\Windows\System32\perfc014.dat
- 2008-08-30 18:56:09 595,506 ----a-w C:\Windows\System32\perfh009.dat
+ 2008-09-06 23:29:36 595,506 ----a-w C:\Windows\System32\perfh009.dat
- 2008-08-30 18:56:09 460,234 ----a-w C:\Windows\System32\perfh014.dat
+ 2008-09-06 23:29:36 460,234 ----a-w C:\Windows\System32\perfh014.dat
- 2008-08-30 18:51:24 9,214 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3063860826-2862599839-3869518605-1000_UserData.bin
+ 2008-09-06 23:26:21 9,590 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3063860826-2862599839-3869518605-1000_UserData.bin
- 2008-08-30 18:51:23 78,722 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2008-09-06 23:26:20 78,722 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
- 2008-08-30 18:51:21 44,192 ----a-w C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2008-09-06 23:26:18 44,628 ----a-w C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-01-19 1233920]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2008-01-19 125952]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 5674352]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2005-08-11 249856]
"SUPERAntiSpyware"="C:\Rense pcen\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-05-13 1510640]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
"ActSysWin"="C:\ProgramData\ActSysWin\litydile.exe" [2008-09-07 94208]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NokiaMServer"="C:\Program Files\Common Files\Nokia\MPlatform\NokiaMServer" [X]
"SMSERIAL"="C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe" [2006-10-09 729088]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-01-13 827392]
"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2007-02-12 174872]
"ccApp"="c:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 115816]
"QPService"="C:\Program Files\HP\QuickPlay\QPService.exe" [2007-04-23 176128]
"QlbCtrl"="C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-02-13 159744]
"HP Health Check Scheduler"="C:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2007-03-12 50696]
"hpWirelessAssistant"="C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-03-01 472776]
"WAWifiMessage"="C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe" [2007-01-10 317128]
"HP Software Update"="C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-16 49152]
"CognizanceTS"="c:\PROGRA~1\BIOSCR~1\VeriSoft\Bin\ASTSVCC.dll" [2003-12-22 17920]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 144784]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [2007-05-01 86016]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2007-05-01 8429568]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2007-05-01 81920]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 583048]
"RtHDVCpl"="RtHDVCpl.exe" [2007-03-09 C:\Windows\RtHDVCpl.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"="C:\Windows\SMINST\launcher.exe" [2006-11-07 44128]
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
BTTray.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-12-20 719664]
Nokia Nseries PC Suite.lnk - C:\Program Files\Nokia\NNPCS\RunLauncher.exe [2008-01-14 679936]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Rense pcen\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-04-19 13:41 294912 C:\Rense pcen\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=APSHook.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UacDisableNotify"=dword:00000001
"InternetSettingsDisableNotify"=dword:00000001
"AutoUpdateDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{3816BB05-8398-408C-B811-5E6612A7577D}"= C:\Program Files\MSN Messenger\livecall.exe:Windows Live Messenger 8.1 (Phone)
"{4435D09C-670B-4760-877C-66533AA0FD9F}"= C:\Program Files\HP\QuickPlay\QP.exe:Quick Play
"{56624B7F-B0B7-4DB9-9AB7-5DBE5A9019FF}"= C:\Program Files\HP\QuickPlay\QPService.exe:Quick Play Resident Program
"{A466AD06-042F-44E5-BF49-4E2BFE9322C9}"= UDP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{2BB1F976-1079-4296-ABF4-7E27B253A6CF}"= TCP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)
R1 IDSvix86;Symantec Intrusion Prevention Driver;C:\PROGRA~2\Symantec\DEFINI~1\SymcData\idsdefs\20071009.001\IDSvix86.sys [2007-09-13 180272]
R2 ASBroker;Logon Session Broker;C:\Windows\System32\svchost.exe [2008-01-19 21504]
R2 ASChannel;Local Communication Channel;C:\Windows\System32\svchost.exe [2008-01-19 21504]
R2 Automatisk LiveUpdate-planlegging;Automatisk LiveUpdate-planlegging;C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe [2007-01-19 554616]
R3 btwaudio;Bluetooth-lydenhet;C:\Windows\system32\drivers\btwaudio.sys [2007-01-02 78128]
R3 btwavdt;Bluetooth AVDT;C:\Windows\system32\drivers\btwavdt.sys [2007-01-02 80688]
R3 btwrchid;btwrchid;C:\Windows\system32\DRIVERS\btwrchid.sys [2007-01-02 16560]
R3 SYMNDISV;SYMNDISV;C:\Windows\system32\Drivers\SYMNDISV.SYS [2007-01-09 38200]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
Cognizance REG_MULTI_SZ ASBroker ASChannel
*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-07 01:30:38
Windows 6.0.6001 Service Pack 1 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-09-07 1:32:10
ComboFix-quarantined-files.txt 2008-09-06 23:32:06
ComboFix2.txt 2008-09-06 22:35:23
ComboFix3.txt 2008-09-06 21:52:49
Pre-Run: 103,601,315,840 byte ledig
Post-Run: 103,567,216,640 byte ledig
208 --- E O F --- 2008-09-02 17:44:47