ComboFix 08-05-12.1 - Sverre 2008-05-14 21:28:03.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1044.18.208 [GMT 2:00]
Running from: C:\Antispam\ComboFix.exe
Command switches used :: C:\Antispam\CFScript
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\BM432a413a.xml
C:\WINDOWS\system32\dkuthgmn.exe
C:\WINDOWS\system32\ibkqhhrk.exe
C:\WINDOWS\system32\igemvemt.exe
C:\WINDOWS\system32\kbvjmmfg.exe
C:\WINDOWS\system32\smawbmkx.exe
C:\WINDOWS\system32\ttduenxn.exe
C:\WINDOWS\Tasks\ErrorSmart Scheduled Scan.job
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Programfiler\ErrorSmart
C:\Programfiler\ErrorSmart\DataBase.ref
C:\Programfiler\ErrorSmart\ErrorSmart.exe
C:\Programfiler\ErrorSmart\ErrorSmart.url
C:\Programfiler\ErrorSmart\RegCleaner.dll
C:\Programfiler\ErrorSmart\TCL.dll
C:\Programfiler\ErrorSmart\zlib.dll
C:\WINDOWS\BM432a413a.xml
C:\WINDOWS\system32\215651
C:\WINDOWS\system32\892267
C:\WINDOWS\system32\dkuthgmn.exe
C:\WINDOWS\system32\ibkqhhrk.exe
C:\WINDOWS\system32\igemvemt.exe
C:\WINDOWS\system32\kbvjmmfg.exe
C:\WINDOWS\system32\smawbmkx.exe
C:\WINDOWS\system32\ttduenxn.exe
C:\WINDOWS\Tasks\ErrorSmart Scheduled Scan.job
.
((((((((((((((((((((((((( Files Created from 2008-04-14 to 2008-05-14 )))))))))))))))))))))))))))))))
.
2008-05-13 21:35 . 2008-05-13 21:35 d-------- C:\Programfiler\SUPERAntiSpyware
2008-05-13 21:35 . 2008-05-13 21:35 d-------- C:\Documents and Settings\Sverre\Programdata\SUPERAntiSpyware.com
2008-05-13 21:35 . 2008-05-13 21:35 d-------- C:\Documents and Settings\All Users\Programdata\SUPERAntiSpyware.com
2008-05-13 21:29 . 2008-05-14 21:23 dr-h----- C:\Documents and Settings\Sverre\Siste
2008-05-13 21:28 . 2008-05-13 21:28 d-------- C:\Programfiler\CCleaner
2008-05-13 21:25 . 2008-05-14 21:27 d-------- C:\Antispam
2008-04-21 17:16 . 2008-05-13 22:12 d-------- C:\Programfiler\UltraVNC
2008-04-21 16:34 . 2008-04-21 16:34 d-------- C:\Programfiler\Lavasoft
2008-04-21 16:34 . 2008-04-21 16:34 d-------- C:\Documents and Settings\All Users\Programdata\Lavasoft
2008-04-21 16:33 . 2008-05-13 21:34 d-------- C:\Programfiler\Fellesfiler\Wise Installation Wizard
2008-04-17 17:45 . 2008-04-17 17:45 dr------- C:\Documents and Settings\LocalService\Favoritter
2008-04-17 17:05 . 2008-04-17 17:07 d-------- C:\Documents and Settings\Sverre\Programdata\ErrorSmart
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-14 18:12 --------- d-----w C:\Programfiler\Symantec AntiVirus
2008-04-09 06:39 4,904 ----a-w C:\WINDOWS\system32\PerfStringBackup.TMP
2008-03-20 08:11 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-01 13:05 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-02-26 20:03 48,768 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL
2008-02-20 06:52 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:39 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
.
((((((((((((((((((((((((((((( snapshot@2008-05-13_22.56.46.31 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-13 20:48:44 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-14 18:08:20 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2006-03-02 14:00 15360]
"swg"="C:\Programfiler\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-03-06 23:47 68856]
"SUPERAntiSpyware"="C:\Programfiler\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-02-29 16:03 1481968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="C:\Programfiler\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 13:35 90112]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-07 18:07 61952 C:\WINDOWS\system32\HdAShCut.exe]
"ccApp"="C:\Programfiler\Fellesfiler\Symantec Shared\ccApp.exe" [2006-11-21 18:38 52840]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2007-03-14 20:49 125632]
"HP Software Update"="c:\Programfiler\HP\HP Software Update\HPWuSchd.exe" [2003-08-04 18:28 49152]
"HP Component Manager"="C:\Programfiler\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 09:38 241664]
"Adobe Reader Speed Launcher"="C:\Programfiler\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"zBrowser Launcher"="C:\Programfiler\Logitech\iTouch\iTouch.exe" [2004-03-18 10:33 892928]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2006-03-02 14:00 15360]

C:\Documents and Settings\All Users\Start-meny\Programmer\Oppstart\
HP Digital Imaging Monitor.lnk - C:\Programfiler\HP\Digital Imaging\bin\hpqtra08.exe [2003-09-16 06:19:24 237568]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Programfiler\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Programfiler\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Programfiler\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Programfiler\\UltraVNC\\vncviewer.exe"=
"C:\\Programfiler\\Internet Explorer\\iexplore.exe"=
"C:\\Programfiler\\UltraVNC\\winvnc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R2 uvnc_service;uvnc_service;"C:\Programfiler\UltraVNC\WinVNC.exe" -service []

*Newly Created Service* - CATCHME
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-14 21:30:45
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-05-14 21:32:21
ComboFix-quarantined-files.txt 2008-05-14 19:32:15
ComboFix2.txt 2008-05-13 20:57:19

Pre-Run: 25,830,330,368 byte ledig
Post-Run: 25,800,527,872 byte ledig

121 --- E O F --- 2008-04-09 01:03:08