ComboFix 08-03-25.4 - Feoras 2008-03-27 22:22:32.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.995 [GMT 0:00]
Running from: C:\Documents and Settings\Feoras\Desktop\Combo-Fix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.
(((((((((((((((((((((((((   Files Created from 2008-02-27 to 2008-03-27   )))))))))))))))))))))))))))))))
.

2008-03-27 19:11 . 2008-03-27 19:11   d--------   C:\Documents and Settings\Feoras\Application Data\TrojanHunter
2008-03-27 17:45 . 2008-03-27 17:45   d--------   C:\Program Files\TrojanHunter 5.0
2008-03-27 08:40 . 2008-03-27 08:40   d--------   C:\Program Files\MSXML 4.0
2008-03-22 22:28 . 2008-03-27 18:16   d--------   C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-22 22:12 . 2008-03-10 13:19   57,424   --a------   C:\WINDOWS\system32\drivers\aswSP.sys
2008-03-22 22:12 . 2008-03-10 13:21   20,560   --a------   C:\WINDOWS\system32\drivers\aswFsBlk.sys
2008-03-22 21:46 . 2008-03-10 13:26   1,141,112   --a------   C:\WINDOWS\system32\aswBoot.exe
2008-03-22 21:46 . 2004-01-09 09:13   380,928   --a------   C:\WINDOWS\system32\actskin4.ocx
2008-03-22 21:46 . 2008-03-10 13:14   95,608   --a------   C:\WINDOWS\system32\AvastSS.scr
2008-03-22 21:46 . 2008-03-10 13:21   94,544   --a------   C:\WINDOWS\system32\drivers\aswmon2.sys
2008-03-22 21:46 . 2008-01-17 16:34   93,264   --a------   C:\WINDOWS\system32\drivers\aswmon.sys
2008-03-22 21:46 . 2008-03-10 13:16   42,912   --a------   C:\WINDOWS\system32\drivers\aswTdi.sys
2008-03-22 21:46 . 2008-03-10 13:16   26,752   --a------   C:\WINDOWS\system32\drivers\aavmker4.sys
2008-03-22 21:46 . 2008-03-10 13:17   23,152   --a------   C:\WINDOWS\system32\drivers\aswRdr.sys
2008-03-22 21:27 . 2008-03-22 21:27   d--------   C:\BagleFix
2008-03-22 16:32 . 2008-03-22 16:33   d--------   C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-03-22 16:31 . 2008-03-22 16:31   d--------   C:\Program Files\Common Files\Wise Installation Wizard
2008-03-22 15:11 . 2008-03-27 07:44   102,664   --a------   C:\WINDOWS\system32\drivers\tmcomm.sys
2008-03-22 15:06 . 2008-03-22 15:11   d--------   C:\Documents and Settings\Feoras\.housecall6.6
2008-03-15 21:55 . 2007-06-19 09:51   99,112   -ra------   C:\WINDOWS\system32\drivers\s816mgmt.sys
2008-03-15 21:55 . 2007-06-19 09:51   97,704   -ra------   C:\WINDOWS\system32\drivers\s816unic.sys
2008-03-15 21:55 . 2007-06-19 09:51   21,928   -ra------   C:\WINDOWS\system32\drivers\s816nd5.sys
2008-03-15 21:55 . 2007-06-19 09:51   9,768   -ra------   C:\WINDOWS\system32\drivers\s816cr.sys
2008-03-15 21:54 . 2007-06-19 09:51   107,304   -ra------   C:\WINDOWS\system32\drivers\s816mdm.sys
2008-03-15 21:54 . 2007-06-19 09:51   97,320   -ra------   C:\WINDOWS\system32\drivers\s816obex.sys
2008-03-15 21:54 . 2007-06-19 09:51   81,832   -ra------   C:\WINDOWS\system32\drivers\s816bus.sys
2008-03-15 21:54 . 2007-06-19 09:51   13,864   -ra------   C:\WINDOWS\system32\drivers\s816mdfl.sys
2008-03-15 21:54 . 2007-06-19 09:51   11,176   -ra------   C:\WINDOWS\system32\drivers\s816whnt.sys
2008-03-15 21:54 . 2007-06-19 09:51   11,176   -ra------   C:\WINDOWS\system32\drivers\s816wh.sys
2008-03-15 21:54 . 2007-06-19 09:51   11,176   -ra------   C:\WINDOWS\system32\drivers\s816cmnt.sys
2008-03-15 21:54 . 2007-06-19 09:51   11,176   -ra------   C:\WINDOWS\system32\drivers\s816cm.sys
2008-03-15 17:10 . 2008-03-15 17:11   d--------   C:\WINDOWS\system32\temp
2008-03-13 05:14 . 2008-03-15 21:55   d--------   C:\Documents and Settings\Feoras\Application Data\Teleca
2008-03-13 05:03 . 2008-03-13 05:03   d--------   C:\Program Files\Sony Ericsson
2008-03-13 05:01 . 2008-03-13 05:03   d--------   C:\Program Files\Common Files\Teleca Shared
2008-03-13 05:01 . 2008-03-13 05:01   d--------   C:\Program Files\Common Files\Sony Ericsson Shared
2008-03-13 05:01 . 2008-03-13 05:01   d--------   C:\Documents and Settings\Feoras\Application Data\Sony Ericsson
2008-03-13 04:59 . 2008-03-13 05:01   d--------   C:\Documents and Settings\All Users\Application Data\Teleca
2008-03-13 04:59 . 2008-03-13 05:01   d--------   C:\Documents and Settings\All Users\Application Data\Sony Ericsson
2008-03-11 19:51 . 2008-03-11 19:51   d--------   C:\Program Files\Burn4Free Toolbar
2008-03-11 19:51 . 2008-03-11 19:51   232,034   --a------   C:\WINDOWS\Burn4Free_Toolbar_Uninstaller_7937.exe
2008-03-11 10:58 . 2006-03-01 10:25   8,704   --a------   C:\WINDOWS\system32\drivers\ggsemc.sys
2008-03-01 20:18 . 2008-03-01 21:43   d--------   C:\Documents and Settings\Feoras\Application Data\Anvil Studio
2008-03-01 20:18 . 1998-06-24 00:00   198,456   --a------   C:\WINDOWS\system32\MCI32.OCX
2008-03-01 20:18 . 1997-07-19 16:01   192,784   --a------   C:\WINDOWS\system32\TABCTL32.OCX
2008-03-01 20:18 . 1997-07-19 16:00   129,808   --a------   C:\WINDOWS\system32\COMDLG32.OCX
2008-03-01 20:18 . 2002-01-05 02:18   84,992   --a------   C:\WINDOWS\system32\atl70.dll
2008-03-01 20:18 . 2002-06-06 01:01   29,696   --a------   C:\WINDOWS\system32\asutl8.dll
2008-03-01 11:59 . 2008-03-27 17:28   d--------   C:\Documents and Settings\All Users\Application Data\Avg7
2008-02-29 04:14 . 2008-02-29 04:14   223,744   --a------   C:\WINDOWS\system32\b4fm.dll

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-27 22:03   17,408   ----a-w   C:\WINDOWS\system32\drivers\USBCRFT.SYS
2008-03-27 22:03   ---------   d-----w   C:\Documents and Settings\Feoras\Application Data\Hamachi
2008-03-27 08:52   ---------   d-----w   C:\Program Files\Java
2008-03-27 08:46   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-03-19 06:12   ---------   d-----w   C:\Program Files\Mozilla Thunderbird
2008-03-08 23:41   ---------   d-----w   C:\Documents and Settings\Feoras\Application Data\Skype
2008-03-08 21:37   ---------   d-----w   C:\Documents and Settings\Feoras\Application Data\skypePM
2008-02-20 09:29   ---------   d-----w   C:\Documents and Settings\Feoras\Application Data\Winff
2008-02-16 11:12   ---------   d-----w   C:\Documents and Settings\Feoras\Application Data\.emacs.d
2008-02-10 18:40   ---------   d-----w   C:\Documents and Settings\Feoras\Application Data\Nero
2008-02-10 18:39   ---------   d-----w   C:\Program Files\Common Files\Nero
2008-02-10 18:38   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\Nero
2008-02-07 14:20   ---------   d-----w   C:\Documents and Settings\Feoras\Application Data\dvdcss
2008-02-05 22:39   25,280   ----a-w   C:\WINDOWS\system32\drivers\hamachi.sys
2008-02-03 10:26   32   ----a-w   C:\Documents and Settings\All Users\Application Data\ezsid.dat
2008-02-03 10:25   ---------   d-----w   C:\Program Files\Skype
2008-02-03 10:25   ---------   d-----w   C:\Program Files\Common Files\Skype
2008-02-03 10:25   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\Skype
2008-01-27 20:50   22,328   ----a-w   C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-01-27 20:50   107,832   ----a-w   C:\WINDOWS\system32\PnkBstrB.exe
2008-01-27 19:40   5,248   ----a-w   C:\WINDOWS\system32\drivers\vim.sys
2008-01-26 16:55   66,872   ----a-w   C:\WINDOWS\system32\PnkBstrA.exe
2008-01-18 19:32   98,304   ----a-w   C:\WINDOWS\system32\CmdLineExt.dll
2008-01-16 19:23   499,712   ----a-w   C:\WINDOWS\system32\msvcp71.dll

.
(((((((((((((((((((((((((((((   snapshot_2008-03-27_17.21.01.64   )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-03-27 22:02:48   16,384   ----atw   C:\WINDOWS\TEMP\Perflib_Perfdata_220.dat
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D187A56B-A33F-4CBE-9D77-459FC0BAE012}]
2008-03-11 19:51   806912   --a------   C:\Program Files\Burn4Free Toolbar\v3.3.0.1\Burn4Free_Toolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{4F11ACBB-393F-4C86-A214-FF3D0D155CC3}"= "C:\Program Files\Burn4Free Toolbar\v3.3.0.1\Burn4Free_Toolbar.dll" [2008-03-11 19:51 806912]
[HKEY_CLASSES_ROOT\clsid\{4f11acbb-393f-4c86-a214-ff3d0d155cc3}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{4F11ACBB-393F-4C86-A214-FF3D0D155CC3}"= C:\Program Files\Burn4Free Toolbar\v3.3.0.1\Burn4Free_Toolbar.dll [2008-03-11 19:51 806912]
[HKEY_CLASSES_ROOT\clsid\{4f11acbb-393f-4c86-a214-ff3d0d155cc3}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" [2007-12-13 19:10 1688872]
"H/PC Connection Agent"="E:\Program Files\Microsoft ActiveSync\Wcescomm.exe" [2006-11-13 13:39 1289000]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 12:00 15360]
"NBJ"="C:\Program Files\Ahead\Nero BackItUp\NBJ.exe" [ ]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 16:24 1694208]
"SpybotSD TeaTimer"="e:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 12:35 90112]
"Sony Ericsson PC Suite"="E:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2007-06-13 08:16 528384]
"NeroFilterCheck"="C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 14:57 153136]
"NBKeyScan"="E:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2007-12-03 14:21 2213160]
"Lexmark X6100 Series"="C:\Program Files\Lexmark X6100 Series\lxbfbmgr.exe" [2003-09-23 02:01 57344]
"Keyboard Status"="C:\PROGRA~1\Medion\KeyStat\KeyStat.exe" [2005-01-25 11:03 411648]
"GrooveMonitor"="E:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 07:00 33648]
"Dit"="Dit.exe" [2004-07-20 18:18 90112 C:\WINDOWS\Dit.exe]
"Cmaudio"="cmicnfg.cpl" []
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]
"THGuard"="C:\Program Files\TrojanHunter 5.0\THGuard.exe" [2008-02-08 11:22 1047712]
"avast!"="e:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-03-10 13:22 79224]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 12:00 15360]

C:\Documents and Settings\Feoras\Start Menu\Programs\Startup\
hamachi.lnk - E:\Program Files\Hamachi\hamachi.exe [2008-02-05 22:27:11 624416]
Ryanair Bargains 1.0.lnk - E:\Program Files\Ryanair Bargains\1.0\RyanairBargains.exe [2008-02-13 12:34:44 1289216]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
BlueSoleil.lnk - C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe [2005-06-15 17:47:10 1208320]
RaConfig2500.lnk - C:\Program Files\RALINK\RT2500 USB Wireless LAN Card\Installer\WINXP\RaConfig2500.exe [2008-01-16 07:46:37 528384]
Windows Desktop Search.lnk - C:\Program Files\Windows Desktop Search\WindowsSearch.exe [2007-02-05 15:40:46 118784]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [2007-02-05 15:39 294400]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"E:\\Program Files\\GRISOFT\\AVG7\\avgamsvr.exe"=
"E:\\Program Files\\GRISOFT\\AVG7\\avgemc.exe"=
"E:\Program Files\Microsoft ActiveSync\rapimgr.exe"= E:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"E:\Program Files\Microsoft ActiveSync\wcescomm.exe"= E:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"E:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= E:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"E:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"E:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"E:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"E:\\Program Files\\NetSupport Manager\\client32.exe"=
"E:\\Program Files\\NetSupport Manager\\PCICTLUI.EXE"=
"E:\\Program Files\\NetSupport Manager\\pcideply.exe"=
"E:\\Program Files\\NetSupport Manager\\PCISA.EXE"=
"E:\\Program Files\\NetSupport Manager\\pciscrui.exe"=
"E:\\Program Files\\NetSupport Manager\\runscrip.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-03-10 13:19]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-03-10 13:21]
R3 3xHybrid;3xHybrid service;C:\WINDOWS\system32\DRIVERS\3xHybrid.sys [2004-10-06 13:10]
R3 AtiHdmiService;ATI Function Driver for HDMI Service;C:\WINDOWS\system32\drivers\AtiHdmi.sys [2007-07-20 18:40]
R3 cmudax;C-Media High Definition Audio Interface;C:\WINDOWS\system32\drivers\cmudax.sys [2005-05-12 14:39]
S3 CardReaderFilter;Card Reader Filter;C:\WINDOWS\system32\Drivers\USBCRFT.SYS [2008-03-27 22:03]
S3 s816bus;Sony Ericsson Device 816 driver (WDM);C:\WINDOWS\system32\DRIVERS\s816bus.sys [2007-06-19 09:51]
S3 s816mdfl;Sony Ericsson Device 816 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\s816mdfl.sys [2007-06-19 09:51]
S3 s816mdm;Sony Ericsson Device 816 USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\s816mdm.sys [2007-06-19 09:51]
S3 s816mgmt;Sony Ericsson Device 816 USB WMC Device Management Drivers (WDM);C:\WINDOWS\system32\DRIVERS\s816mgmt.sys [2007-06-19 09:51]
S3 s816nd5;Sony Ericsson Device 816 USB Ethernet Emulation SEMCMR7 (NDIS);C:\WINDOWS\system32\DRIVERS\s816nd5.sys [2007-06-19 09:51]
S3 s816obex;Sony Ericsson Device 816 USB WMC OBEX Interface;C:\WINDOWS\system32\DRIVERS\s816obex.sys [2007-06-19 09:51]
S3 s816unic;Sony Ericsson Device 816 USB Ethernet Emulation SEMCMR7 (WDM);C:\WINDOWS\system32\DRIVERS\s816unic.sys [2007-06-19 09:51]
S3 vim;vim;C:\WINDOWS\system32\drivers\vim.sys [2008-01-27 19:40]

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-27 22:23:45
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\AVP]
"ImagePath"="\"e:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe\" -r"
--
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\kl1]
"ImagePath"="system32\drivers\kl1.sys"
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\klif]
"ImagePath"="\??\C:\WINDOWS\system32\drivers\klif.sys"
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\klim5]
"ImagePath"="system32\DRIVERS\klim5.sys"
.
Completion time: 2008-03-27 22:24:20
ComboFix-quarantined-files.txt  2008-03-27 22:24:18
ComboFix2.txt  2008-03-27 17:22:18
ComboFix3.txt  2008-03-27 08:20:27
.
2008-03-27 08:46:37 --- E O F ---
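The log above mixes three record shapes a responder has to read by hand: "Files Created" rows (creation time, last-modified time, size, attribute flags, path), Run-key autostarts written as "Name"="target" followed by the located file's timestamp and size in brackets, and registry values such as "EnableFirewall"= 0. The following parser is an added example written for this page; it is not part of the posted log and not ComboFix's own code. The sample lines are copied from the log, the triage rules (list kernel drivers that appeared in the window, flag autostarts whose bracket is empty or whose target is a bare file name, flag a disabled firewall profile) are the editor's own heuristics, and the reading of an empty bracket as "file not located at scan time" is an assumption about ComboFix's notation.

```python
"""Parse and triage ComboFix log records (added example, not ComboFix code)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# "2008-03-22 22:12 . 2008-03-10 13:19   57,424   --a------   C:\...\aswSP.sys"
# "2008-03-27 19:11 . 2008-03-27 19:11   d--------   C:\...\TrojanHunter"   (no size)
CREATED_RE = re.compile(
    r"^(?P<created>\d{4}-\d\d-\d\d \d\d:\d\d) \. "
    r"(?P<modified>\d{4}-\d\d-\d\d \d\d:\d\d)\s+"
    r"(?:(?P<size>\d[\d,]*)\s+)?"
    r"(?P<attrs>[A-Za-z-]{9})\s+"
    r"(?P<path>[A-Za-z]:\\.*\S)\s*$"
)
# "Name"="target" [date time size]   or   [date time size resolved-path]   or   [ ]
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<target>[^"]*)"\s*\[(?P<info>[^\]]*)\]\s*$')
FIREWALL_RE = re.compile(r'^"EnableFirewall"=\s*(?P<value>\d+)')


@dataclass
class FileEntry:
    created: str
    modified: str
    size: Optional[int]      # None for directories
    attrs: str
    path: str

    @property
    def is_dir(self) -> bool:
        return self.attrs.startswith("d")


@dataclass
class RunEntry:
    name: str
    target: str
    resolved: Optional[str]  # path ComboFix located; None when the bracket is empty
    size: Optional[int]


def parse_file_entry(line: str) -> Optional[FileEntry]:
    m = CREATED_RE.match(line.strip())
    if not m:
        return None
    size = m.group("size")
    return FileEntry(m.group("created"), m.group("modified"),
                     int(size.replace(",", "")) if size else None,
                     m.group("attrs"), m.group("path"))


def parse_run_entry(line: str) -> Optional[RunEntry]:
    m = RUN_RE.match(line.strip())
    if not m:
        return None
    target, info = m.group("target"), m.group("info").split()
    if not info:  # "[ ]" or "[]": assumed to mean the file was not located
        return RunEntry(m.group("name"), target, None, None)
    # info is "date time size" plus, for bare names like Dit.exe, the path that was found
    resolved = " ".join(info[3:]) if len(info) > 3 else target
    return RunEntry(m.group("name"), target, resolved, int(info[2]))


def triage(lines: List[str]) -> List[str]:
    """Editor's heuristics over the three record types; returns human-readable findings."""
    findings = []
    for line in lines:
        f = parse_file_entry(line)
        if f:
            if not f.is_dir and f.path.lower().endswith(".sys"):
                findings.append(f"new kernel driver: {f.path} ({f.size} bytes, modified {f.modified})")
            continue
        r = parse_run_entry(line)
        if r:
            if r.resolved is None:
                findings.append(f"autostart '{r.name}' points at a file that was not located: {r.target}")
            elif "\\" not in r.target:
                findings.append(f"autostart '{r.name}' is a bare name ({r.target}) resolved to {r.resolved}")
            continue
        fw = FIREWALL_RE.match(line.strip())
        if fw and fw.group("value") == "0":
            findings.append("Windows Firewall standard profile is disabled (EnableFirewall=0)")
    return findings


# Sample input: lines copied from the log above (constructed subset for this example).
SAMPLE = r"""
2008-03-22 22:12 . 2008-03-10 13:19   57,424   --a------   C:\WINDOWS\system32\drivers\aswSP.sys
2008-03-27 19:11 . 2008-03-27 19:11   d--------   C:\Documents and Settings\Feoras\Application Data\TrojanHunter
2008-03-11 10:58 . 2006-03-01 10:25   8,704   --a------   C:\WINDOWS\system32\drivers\ggsemc.sys
2008-02-29 04:14 . 2008-02-29 04:14   223,744   --a------   C:\WINDOWS\system32\b4fm.dll
"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" [2007-12-13 19:10 1688872]
"NBJ"="C:\Program Files\Ahead\Nero BackItUp\NBJ.exe" [ ]
"Dit"="Dit.exe" [2004-07-20 18:18 90112 C:\WINDOWS\Dit.exe]
"Cmaudio"="cmicnfg.cpl" []
"EnableFirewall"= 0 (0x0)
""".strip().splitlines()

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

Run on the sample it reports the two drivers, the two autostarts with an empty bracket, the bare-name Dit.exe entry and the disabled firewall profile; b4fm.dll and the TrojanHunter directory pass through silently. Bare targets such as Dit.exe are worth a second look because the loader resolves them through the search path rather than a fixed location, which is why ComboFix prints the path it actually found.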