ComboFix 08-11-26.03 - Administrator 2008-11-26 21:46:23.1 - NTFSx86 NETWORK
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1044.18.245 [GMT 1:00]
Running from: c:\documents and settings\Administrator\Skrivebord\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Morten H\Favoritter\plug&play.lnk
c:\documents and settings\Morten H\Mine dokumenter\plug&play.lnk
c:\documents and settings\Morten H\Programdata\Microsoft\Internet Explorer\Quick Launch\plug&play.lnk
c:\documents and settings\Morten H\Start-meny\plug&play.lnk
c:\windows\IE4 Error Log.txt
.
((((((((((((((((((((((((( Files Created from 2008-10-26 to 2008-11-26 )))))))))))))))))))))))))))))))
.
2008-11-26 21:30 . 2008-11-26 21:30 d-------- c:\documents and settings\Administrator\Programdata\Lavasoft
2008-11-26 21:18 . 2008-11-26 21:18 d-------- c:\programfiler\Malwarebytes' Anti-Malware
2008-11-26 21:18 . 2008-11-26 21:18 d-------- c:\documents and settings\All Users\Programdata\Malwarebytes
2008-11-26 21:18 . 2008-11-26 21:18 d-------- c:\documents and settings\Administrator\Programdata\Malwarebytes
2008-11-26 21:18 . 2008-10-22 16:34 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-11-26 21:18 . 2008-10-22 16:34 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-11-26 21:07 . 2008-11-26 21:18 d-a------ c:\documents and settings\All Users\Programdata\TEMP
2008-11-26 21:06 . 2008-11-26 21:08 d-------- c:\programfiler\Spyware Doctor
2008-11-26 21:06 . 2008-11-26 21:06 d-------- c:\documents and settings\Administrator\Programdata\PC Tools
2008-11-26 21:06 . 2008-08-25 12:36 81,288 --a------ c:\windows\system32\drivers\iksyssec.sys
2008-11-26 21:06 . 2008-08-25 12:36 66,952 --a------ c:\windows\system32\drivers\iksysflt.sys
2008-11-26 21:06 . 2008-08-25 12:36 40,840 --a------ c:\windows\system32\drivers\ikfilesec.sys
2008-11-26 21:06 . 2008-06-02 16:19 29,576 --a------ c:\windows\system32\drivers\kcom.sys
2008-11-26 20:37 . 2005-11-03 06:49 dr------- c:\documents and settings\Administrator\Start-meny
2008-11-26 20:37 . 2005-11-03 06:49 d--h----- c:\documents and settings\Administrator\Skrivere
2008-11-26 20:37 . 2008-11-26 21:35 d-------- c:\documents and settings\Administrator\Skrivebord
2008-11-26 20:37 . 2005-11-03 06:01 dr-h----- c:\documents and settings\Administrator\Siste
2008-11-26 20:37 . 2008-11-26 21:30 dr-h----- c:\documents and settings\Administrator\Programdata
2008-11-26 20:37 . 2005-11-03 06:01 dr------- c:\documents and settings\Administrator\Mine dokumenter
2008-11-26 20:37 . 2005-11-03 05:53 d--h----- c:\documents and settings\Administrator\Maler
2008-11-26 20:37 . 2008-11-26 21:47 d--h----- c:\documents and settings\Administrator\Lokale innstillinger
2008-11-26 20:37 . 2005-11-03 06:01 dr------- c:\documents and settings\Administrator\Favoritter
2008-11-26 20:37 . 2005-11-03 06:49 d--h----- c:\documents and settings\Administrator\AndrMask
2008-11-26 20:37 . 2008-11-26 20:37 d-------- c:\documents and settings\Administrator
2008-11-24 22:54 . 2008-11-26 21:24 d-------- c:\programfiler\XLGuarder
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-13 10:48 --------- d-----w c:\programfiler\Fellesfiler\Symantec Shared
2008-10-24 11:10 453,632 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-16 13:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 13:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 13:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 13:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 13:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 13:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 13:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 13:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 13:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 13:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-09-15 15:42 1,846,016 ----a-w c:\windows\system32\win32k.sys
2008-09-04 16:46 1,106,944 ----a-w c:\windows\system32\msxml3.dll
2008-08-26 08:30 826,368 ----a-w c:\windows\system32\wininet.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\programfiler\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-04-05 339968]
"SynTPLpr"="c:\programfiler\Synaptics\SynTP\SynTPLpr.exe" [2005-08-01 98393]
"SynTPEnh"="c:\programfiler\Synaptics\SynTP\SynTPEnh.exe" [2005-08-01 688217]
"LaunchAp"="c:\launch manager\LaunchAp.exe" [2005-03-30 32768]
"HotkeyApp"="c:\launch manager\HotkeyApp.exe" [2005-05-02 57344]
"LMgrVolOSD"="c:\launch manager\OSD.exe" [2005-03-16 204800]
"LMgrOSD"="c:\launch manager\OSDCtrl.exe" [2004-10-11 245760]
"Wbutton"="c:\launch manager\Wbutton.exe" [2005-04-18 81920]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"CtrlVol"="c:\launch manager\CtrlVol.exe" [2003-09-16 20480]
"SunJavaUpdateSched"="c:\programfiler\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"ccApp"="c:\programfiler\Fellesfiler\Symantec Shared\ccApp.exe" [2006-04-25 53408]
"SoundMan"="SOUNDMAN.EXE" [2005-08-01 c:\windows\SOUNDMAN.EXE]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"DJSNetCN"="c:\programfiler\Fellesfiler\Symantec Shared\DJSNETCN.exe" [2005-11-01 54928]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

c:\documents and settings\All Users\Start-meny\Programmer\Oppstart\
hp psc 1000 series.lnk - c:\programfiler\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe [2003-04-06 147456]
hpoddt01.exe.lnk - c:\programfiler\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-04-06 28672]
Hurtigstart for Adobe Reader.lnk - c:\programfiler\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Programfiler\\Messenger\\msmsgs.exe"=
"f:\\StubInstaller.exe"=
"f:\\Internett\\LimeWire\\LimeWire.exe"=
"c:\\Programfiler\\MSN Messenger\\msnmsgr.exe"=
"c:\\Programfiler\\MSN Messenger\\livecall.exe"=

S1 Hotkey;Hotkey;c:\windows\system32\drivers\Hotkey.sys [2005-11-03 9867]
S1 mailKmd;mailKmd; []
S1 Wbutton;Wbutton;c:\windows\system32\drivers\Wbutton.sys []
S2 Automatisk LiveUpdate-planlegging;Automatisk LiveUpdate-planlegging;"c:\programfiler\Symantec\LiveUpdate\ALUSchedulerSvc.exe" [2006-10-04 100032]
S3 HSFHWATI;HSFHWATI;c:\windows\system32\DRIVERS\HSFHWATI.sys [2005-11-03 200192]

*Newly Created Service* - COMHOST
*Newly Created Service* - IKFILESEC
*Newly Created Service* - IKSYSFLT
*Newly Created Service* - IKSYSSEC
*Newly Created Service* - PROCEXP90
*Newly Created Service* - SDAUXSERVICE
*Newly Created Service* - SDCORESERVICE
.
Contents of the 'Scheduled Tasks' folder

2008-07-13 c:\windows\Tasks\FRU Task #Hewlett-Packard#hp psc 1100 series#1202239707.job
- c:\programfiler\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-06 00:52]

2008-08-22 c:\windows\Tasks\Norton AntiVirus - Kjør fullstendig systemsøk - Morten H.job
- c:\progra~1\NORTON~1\NORTON~1\Navw32.exe [2006-02-05 08:03]

2008-11-25 c:\windows\Tasks\Se etter oppdateringer for Windows Live Toolbar.job
- c:\programfiler\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 11:20]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-WinampAgent - f:\multimedia\Winamp\Winampa.exe
.
------- Supplementary Scan -------
.
c:\windows\Downloaded Program Files\weblibrary.dll - O16 -: {650BD90A-FC66-4302-894D-861AD9527010} (local)
c:\windows\Downloaded Program Files\ceondownloadcenter.dll - O16 -: {A326EB76-4AC1-4295-B0CC-59BFB5B4200E}
hxxp://husdyrweb.no/appeon/weblibrary_ax/ceondownloadcenter.cab
.
**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-26 21:47:47
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
CtrlVol = c:\launch manager\CtrlVol.exe???????8???????H???T??????|x??|????q??|?j?wQj?w????????,??? ???|???????????\??????|????????h?????@?&??????????????s???????s???sx??s@??????????????|h??sl??????????s?????????????????C?sc"?sx??s???????w??@?N'?s?>9?-6@??>9????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(484)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2008-11-26 21:48:47
ComboFix-quarantined-files.txt 2008-11-26 20:48:28

Pre-Run: 22 267 273 216 byte ledig
Post-Run: 22,587,940,864 byte ledig

153 --- E O F --- 2008-11-13 11:19:30