ComboFix 08-11-07.01 - JULIE ARNTZEN 2008-11-09 14:58:22.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.560 [GMT 1:00]
Running from: c:\program files\ComboFix.exe
 * Created a new restore point
 * Resident AV is active

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
The following files were disabled during the run:
c:\norman\nvc\bin\Niphk.dll

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\ieupdates.exe.tmp
C:\xcrashdump.dat
D:\Autorun.inf
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_NSESVC
-------\Service_nsesvc

((((((((((((((((((((((((( Files Created from 2008-10-09 to 2008-11-09 )))))))))))))))))))))))))))))))
.
2008-11-09 14:49 . 2008-11-09 14:49 3,043,976 -ra------ c:\program files\ComboFix.exe
2008-11-09 14:31 . 2008-11-09 14:31 d-------- c:\program files\Malwarebytes' Anti-Malware
2008-11-09 14:31 . 2008-11-09 14:31 d-------- c:\documents and settings\JULIE ARNTZEN\Programdata\Malwarebytes
2008-11-09 14:31 . 2008-11-09 14:31 d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-09 14:31 . 2008-10-22 16:10 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-11-09 14:31 . 2008-10-22 16:10 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-11-09 13:49 . 2008-11-09 13:49 d-------- c:\program files\CCleaner
2008-11-09 13:47 . 2008-11-09 13:48 893,096 --a------ c:\program files\ccsetup213_slim.exe
2008-11-08 22:39 . 2008-11-08 22:39 d-------- c:\documents and settings\Gjest\Programdata\SUPERAntiSpyware.com
2008-11-08 22:00 . 2008-11-08 22:00 d-------- c:\windows\system32\scripting
2008-11-08 22:00 . 2008-11-08 22:00 d-------- c:\windows\system32\en
2008-11-08 22:00 . 2008-11-08 22:00 d-------- c:\windows\system32\bits
2008-11-08 22:00 . 2008-11-08 22:00 d-------- c:\windows\l2schemas
2008-11-08 21:54 . 2008-11-08 22:01 d-------- c:\windows\ServicePackFiles
2008-11-08 21:26 . 2008-11-08 21:26 d-------- c:\program files\NetWaiting
2008-11-08 21:10 . 2007-08-13 18:54 33,792 --a------ c:\windows\system32\dllcache\custsat.dll
2008-11-08 21:02 . 2008-11-08 21:21 d-------- C:\88f1f6033b263b9e34
2008-11-08 19:56 . 2008-04-14 01:12 412,160 --------- c:\windows\system32\photometadatahandler.dll
2008-11-08 19:55 . 2008-04-14 01:12 1,737,856 --------- c:\windows\system32\mtxparhd.dll
2008-11-08 19:54 . 2008-04-14 01:11 397,312 --------- c:\windows\system32\mmcex.dll
2008-11-08 19:54 . 2008-04-14 01:11 184,320 --------- c:\windows\system32\microsoft.managementconsole.dll
2008-11-08 19:54 . 2008-04-14 01:11 106,496 --------- c:\windows\system32\mmcfxcommon.dll
2008-11-08 19:54 . 2008-04-14 01:11 61,440 --------- c:\windows\system32\kmsvc.dll
2008-11-08 19:54 . 2008-04-14 01:11 37,376 --------- c:\windows\system32\l2gpstore.dll
2008-11-08 19:54 . 2008-04-14 01:12 33,792 --------- c:\windows\system32\mmcperf.exe
2008-11-08 19:54 . 2008-04-14 01:09 6,144 --------- c:\windows\system32\kbdpash.dll
2008-11-08 19:54 . 2008-04-14 01:09 6,144 --------- c:\windows\system32\kbdnepr.dll
2008-11-08 19:54 . 2008-04-14 01:09 6,144 --------- c:\windows\system32\kbdiultn.dll
2008-11-08 19:54 . 2008-04-14 01:09 6,144 --------- c:\windows\system32\kbdbhc.dll
2008-11-08 19:52 . 2008-04-14 01:11 1,888,992 --------- c:\windows\system32\ati3duag.dll
2008-11-08 19:51 . 2008-04-14 01:11 136,192 --------- c:\windows\system32\aaclient.dll
2008-11-08 19:51 . 2008-04-14 01:11 4,255 --------- c:\windows\system32\drivers\adv01nt5.dll
2008-11-08 19:51 . 2008-04-14 01:11 3,967 --------- c:\windows\system32\drivers\adv02nt5.dll
2008-11-08 19:51 . 2008-04-14 01:11 3,775 --------- c:\windows\system32\drivers\adv11nt5.dll
2008-11-08 19:51 . 2008-04-14 01:11 3,711 --------- c:\windows\system32\drivers\adv09nt5.dll
2008-11-08 19:51 . 2008-04-14 01:11 3,647 --------- c:\windows\system32\drivers\adv07nt5.dll
2008-11-08 19:51 . 2008-04-14 01:11 3,615 --------- c:\windows\system32\drivers\adv05nt5.dll
2008-11-08 19:51 . 2008-04-14 01:11 3,135 --------- c:\windows\system32\drivers\adv08nt5.dll
2008-11-08 19:01 . 2008-08-14 11:11 2,189,184 --------- c:\windows\system32\dllcache\ntoskrnl.exe
2008-11-08 19:01 . 2008-08-14 11:09 2,145,280 --------- c:\windows\system32\dllcache\ntkrnlmp.exe
2008-11-08 19:01 . 2008-08-14 10:33 2,066,048 --------- c:\windows\system32\dllcache\ntkrnlpa.exe
2008-11-08 19:01 . 2008-08-14 10:33 2,023,936 --------- c:\windows\system32\dllcache\ntkrpamp.exe
2008-11-08 19:01 . 2008-09-15 13:12 1,846,400 --------- c:\windows\system32\dllcache\win32k.sys
2008-11-08 19:01 . 2008-09-08 11:41 333,824 --------- c:\windows\system32\dllcache\srv.sys
2008-11-08 19:00 . 2008-10-15 17:34 337,408 --------- c:\windows\system32\dllcache\netapi32.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-08 20:26 --------- d-----w c:\program files\CONEXANT
2008-11-08 19:45 --------- d-----w c:\documents and settings\Gjest\Programdata\This Hide Hold
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-08-14 10:09 2,145,280 ----a-w c:\windows\system32\ntoskrnl.exe
2008-08-14 10:04 138,496 ------w c:\windows\system32\dllcache\afd.sys
2008-08-14 09:33 2,023,936 ----a-w c:\windows\system32\ntkrnlpa.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-17 68856]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-05-03 458752]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 36975]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-08-18 7585792]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-08-18 86016]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-04-01 761946]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2006-07-11 102400]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-06-19 163840]
"Cpqset"="c:\program files\Hewlett-Packard\Default Settings\cpqset.exe" [2006-05-30 40960]
"RecGuard"="c:\windows\SMINST\RecGuard.exe" [2005-10-11 1187840]
"Reminder"="c:\windows\CREATOR\Remind_XP.exe" [2006-02-09 643072]
"Norman ZANDA"="c:\norman\Npm\bin\ZLH.EXE" [2008-06-02 273520]
"Sony Ericsson PC Suite"="c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2005-10-26 159744]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 57344]
"LVCOMSX"="c:\windows\system32\LVCOMSX.EXE" [2004-10-08 221184]
"close surf mail dupe"="c:\documents and settings\All Users\Application Data\Tick Find Close Surf\Knob Blue.exe" [2008-11-09 6693888]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"nwiz"="nwiz.exe" [2006-08-18 c:\windows\system32\nwiz.exe]
"MsmqIntCert"="mqrt.dll" [2008-04-14 c:\windows\system32\mqrt.dll]
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" [2006-06-02 c:\windows\system32\CHDAudPropShortcut.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2005-04-25 36040]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Photosmart Premier Hurtigstart.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2005-09-24 73728]
Hurtigstart for Adobe Reader.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= c:\windows\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= c:\windows\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\mqsvc.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

R2 Ndiskio;Ndiskio;c:\norman\Nse\bin\NDISKIO.SYS [2007-01-02 20448]
R3 NvcMFlt;NvcMFlt;c:\windows\system32\DRIVERS\nvcw32mf.sys [2008-09-02 19512]
R3 nvcoas;Norman Virus Control on-access component;c:\norman\Nvc\bin\nvcoas.exe [2008-04-29 183352]
R3 NVCScheduler;Norman Virus Control Scheduler;c:\norman\Nvc\BIN\NVCSCHED.EXE [2008-03-11 146488]
S3 nvcfsr;nvcfsr;c:\norman\Nvc\bin\nvcfsr.sys [2007-01-09 6712]
S3 nvcoafl51;nvcoafl51;c:\norman\Nvc\bin\nvcoafl51.sys [2007-01-09 30264]
S3 nvcoaft51;nvcoaft51;c:\norman\Nvc\bin\nvcoaft51.sys [2007-01-09 129848]
S3 nvcoarc51;nvcoarc51;c:\norman\Nvc\bin\nvcoarc51.sys [2007-01-09 23224]
S3 SE30bus;Sony Ericsson Device 048 Driver driver (WDM);c:\windows\system32\DRIVERS\SE30bus.sys [2006-05-01 61600]
S3 SE30mdfl;Sony Ericsson Device 048 USB WMC Modem Filter;c:\windows\system32\DRIVERS\SE30mdfl.sys [2006-05-01 9360]
S3 SE30mdm;Sony Ericsson Device 048 USB WMC Modem Driver;c:\windows\system32\DRIVERS\SE30mdm.sys [2006-05-01 97184]
S3 SE30mgmt;Sony Ericsson Device 048 USB WMC Device Management Drivers (WDM);c:\windows\system32\DRIVERS\SE30mgmt.sys [2006-05-01 88688]
S3 se30nd5;Sony Ericsson Device 048 USB Ethernet Emulation SEMC48 (NDIS);c:\windows\system32\DRIVERS\se30nd5.sys [2006-05-01 18704]
S3 SE30obex;Sony Ericsson Device 048 USB WMC OBEX Interface;c:\windows\system32\DRIVERS\SE30obex.sys [2006-05-01 86560]
S3 se30unic;Sony Ericsson Device 048 USB Ethernet Emulation SEMC48 (WDM);c:\windows\system32\DRIVERS\se30unic.sys [2006-05-01 90800]
.
Contents of the 'Scheduled Tasks' folder

2008-11-09 c:\windows\Tasks\AC311416918A8BE6.job
- c:\docume~1\juliea~1\progra~1\thishi~1\Lies 4 browse.exe []
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Grim Link - c:\docume~1\JULIEA~1\PROGRA~1\THISHI~1\less roam.exe
HKCU-Run-SUPERAntiSpyware - c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe
Notify-6e9971d6382 - c:\windows\system32\__c00A3CEC.dat

.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,SearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
R1 -: HKCU-Internet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=NB_NO&c=64&bd=pavilion&pf=laptop
R1 -: HKCU-SearchURL,(Default) = hxxp://www.google.com/search?q=%s
O8 -: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
.
**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-09 15:10:17
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\Hewlett-Packard\Default Settings\cpqset.exe????????????