ComboFix 08-07-04.6 - Eva 2008-07-06 1:08:34.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1053.18.282 [GMT 2:00]
Running from: C:\Users\Eva\Desktop\ComboFix.exe
 * Created a new restore point
 * Resident AV is active
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Windows\Downloaded Program Files\setup.inf
.
((((((((((((((((((((((((( Files Created from 2008-06-05 to 2008-07-05 )))))))))))))))))))))))))))))))
.
No new files created in this timespan
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-05 23:08 --------- d-----w C:\Program Files\ESET
2008-07-05 20:42 --------- d-----w C:\Program Files\Windows Live Safety Center
2008-07-05 19:18 --------- d-----w C:\ProgramData\Avira
2008-07-05 19:14 512,096 ----a-w C:\Windows\system32\drivers\amon.sys
2008-07-05 19:14 298,104 ----a-w C:\Windows\System32\imon.dll
2008-07-05 19:14 15,424 ----a-w C:\Windows\system32\drivers\nod32drv.sys
2008-07-04 22:02 --------- d-----w C:\Program Files\Sim File Maid 2
2008-07-04 20:27 --------- d-----w C:\Program Files\EA GAMES
2008-07-04 17:05 45,056 ----a-w C:\Windows\System32\acovcnt.exe
2008-07-04 16:12 0 ----a-w C:\ntuser.dat
2008-07-04 07:27 --------- d-----w C:\Program Files\LEGO Software
2008-07-04 07:25 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-04 07:24 --------- d-----w C:\Program Files\Common Files\AVSMedia
2008-07-04 07:24 --------- d-----w C:\Program Files\AVS4YOU
2008-07-02 18:30 --------- d-----w C:\Program Files\A8GSdsApp
2008-06-29 09:12 --------- d-----w C:\ProgramData\AVS4YOU
2008-06-28 21:04 --------- d-----w C:\Program Files\SOFTWIN
2008-06-26 20:22 --------- d-----w C:\Program Files\Sony
2008-06-26 20:21 --------- d-----w C:\Program Files\Vstplugins
2008-06-26 17:06 --------- d-----w C:\Program Files\THQ
2008-06-26 17:05 --------- d-----w C:\Users\Eva\AppData\Roaming\InstallShield
2008-06-23 14:51 --------- d-----w C:\Program Files\Nordic Softsales
2008-06-21 09:13 --------- d-----w C:\Program Files\Betsson Poker
2008-06-15 09:19 --------- d-----w C:\Program Files\Maxis
2008-06-14 09:29 --------- d-----w C:\Program Files\SpeedFan
2008-06-05 17:22 --------- d-----w C:\Program Files\Ubi Soft
2008-05-27 17:10 --------- d-----w C:\Users\Eva\AppData\Roaming\Systenance
2008-05-27 17:05 2,560 ----a-w C:\Windows\_MSRSTRT.EXE
2008-05-27 16:46 --------- d-----w C:\ProgramData\Microsoft Help
2008-05-23 12:42 --------- d-----w C:\Users\Eva\AppData\Roaming\Publish Providers
2008-05-23 12:38 --------- d-----w C:\Users\Eva\AppData\Roaming\Sony
2008-05-23 12:34 --------- d-----w C:\Program Files\Sony Setup
2008-05-21 15:18 --------- d-----w C:\ProgramData\phenomedia
2008-05-13 20:07 --------- d-----w C:\ProgramData\Lavasoft
2008-05-13 20:06 --------- d-----w C:\Program Files\Lavasoft
2008-05-13 20:05 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-05-10 19:54 --------- d-----w C:\Users\Eva\AppData\Roaming\mIRC
2006-11-02 12:50 174 --sha-w C:\Program Files\desktop.ini
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2006-11-02 14:35 1196032]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 21:35 90112]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2007-11-17 13:53 171464]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 14:36 201728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SMSERIAL"="C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe" [2006-11-22 11:31 630784]
"ATKMEDIA"="C:\Program Files\ASUS\ATK Media\DMEDIA.EXE" [2006-11-02 17:27 61440]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-11-23 07:27 815104]
"ASUSTPE"="C:\Windows\system32\ASUSTPE.exe" [2006-12-13 00:06 106496]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 19:30 517768]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-10-19 21:16 286720]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25 144784]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2008-07-05 21:14 949376]
"RtHDVCpl"="RtHDVCpl.exe" [2007-02-15 11:07 4390912 C:\Windows\RtHDVCpl.exe]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2008-01-13 14:07:06 118784]

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\Windows\pss\Adobe Reader Speed Launch.lnk.CommonStartup
backupExtension=.CommonStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ASUS Camera ScreenSaver]
--a------ 2007-10-18 19:21 37232 C:\Windows\ASScrProlog.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ASUS Screen Saver Protector]
--a------ 2007-10-18 19:21 33136 C:\Windows\ASScrPro.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
--a------ 2007-03-26 20:42 1057328 C:\Program Files\Nero\Nero 7\InCD\InCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2007-03-26 21:12 161328 C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PowerForPhone]
--a------ 2007-01-16 00:17 778240 C:\Program Files\PowerForPhone\PowerForPhone.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a------ 2007-10-10 07:28 36352 C:\Program Files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
--a------ 2007-10-18 18:41 1006264 C:\Program Files\Windows Defender\MSASCui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UacDisableNotify"=dword:00000001
"InternetSettingsDisableNotify"=dword:00000001
"AutoUpdateDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{AD257559-67CB-419A-988C-064E5B8A8F39}"= TCP:6004|C:\Program Files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{0D0B7190-50F9-4D4B-9027-7E1346101DB5}"= Profile=Public|C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{E099F628-F5D9-40F9-A227-9262DC8F0252}"= Disabled:C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"TCP Query User{3F81FB4C-C4C3-470F-A15D-6972F576BB2E}C:\\program files\\dc++\\dcplusplus.exe"= UDP:C:\program files\dc++\dcplusplus.exe:DC++
"UDP Query User{ADABEF65-0A47-4190-8512-893FE63BE0D9}C:\\program files\\dc++\\dcplusplus.exe"= TCP:C:\program files\dc++\dcplusplus.exe:DC++
"TCP Query User{CACCC67C-045A-4BBC-8701-921E78274938}C:\\program files\\mirc\\mirc.exe"= UDP:C:\program files\mirc\mirc.exe:mIRC
"UDP Query User{56B7A122-22B9-4562-82C3-DC22788D95FB}C:\\program files\\mirc\\mirc.exe"= TCP:C:\program files\mirc\mirc.exe:mIRC
"TCP Query User{C7E6FEB9-E85C-4626-8F3E-6D3F502236A3}C:\\program files\\internet explorer\\iexplore.exe"= UDP:C:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{81866429-B2CF-4537-90FB-41F38ED03CAE}C:\\program files\\internet explorer\\iexplore.exe"= TCP:C:\program files\internet explorer\iexplore.exe:Internet Explorer
"TCP Query User{F2C8454E-DE71-4621-8745-CAF16A22D385}C:\\program files\\dc++\\dcplusplus.exe"= UDP:C:\program files\dc++\dcplusplus.exe:DC++
"UDP Query User{2E8A0363-D818-4065-91E3-7ED93206F99E}C:\\program files\\dc++\\dcplusplus.exe"= TCP:C:\program files\dc++\dcplusplus.exe:DC++
"TCP Query User{B645A11A-1EDE-4DAB-AE77-D3BF097A348A}C:\\users\\eva\\appdata\\local\\yahoo!\\messenger for vista\\yahoo.messenger.ymapp.exe"= UDP:C:\users\eva\appdata\local\yahoo!\messenger for vista\yahoo.messenger.ymapp.exe:yahoo.messenger.ymapp.exe
"UDP Query User{A4A12411-F3C0-4FE5-B2F4-66A4C29F6A61}C:\\users\\eva\\appdata\\local\\yahoo!\\messenger for vista\\yahoo.messenger.ymapp.exe"= TCP:C:\users\eva\appdata\local\yahoo!\messenger for vista\yahoo.messenger.ymapp.exe:yahoo.messenger.ymapp.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

R2 StkSSrv;Syntek AVStream USB2.0 WebCam Service;C:\Windows\System32\StkCSrv.exe [2007-02-07 20:44]
R3 Atc002;NDIS Miniport Driver for Attansic L2 Fast Ethernet Controller;C:\Windows\system32\DRIVERS\L260x86.sys [2006-12-13 20:00]
R3 RTSTOR;USB Mass Storage Device;C:\Windows\system32\drivers\RTSTOR.SYS [2007-01-11 03:18]
R3 StkCMini;Syntek AVStream USB2.0 1.3M WebCam;C:\Windows\system32\Drivers\StkCMini.sys [2007-02-13 14:41]
S3 s816bus;Sony Ericsson Device 816 driver (WDM);C:\Windows\system32\DRIVERS\s816bus.sys [2007-06-19 09:51]
S3 s816mdfl;Sony Ericsson Device 816 USB WMC Modem Filter;C:\Windows\system32\DRIVERS\s816mdfl.sys [2007-06-19 09:51]
S3 s816mdm;Sony Ericsson Device 816 USB WMC Modem Driver;C:\Windows\system32\DRIVERS\s816mdm.sys [2007-06-19 09:51]
S3 s816mgmt;Sony Ericsson Device 816 USB WMC Device Management Drivers (WDM);C:\Windows\system32\DRIVERS\s816mgmt.sys [2007-06-19 09:51]
S3 s816nd5;Sony Ericsson Device 816 USB Ethernet Emulation SEMCMR7 (NDIS);C:\Windows\system32\DRIVERS\s816nd5.sys [2007-06-19 09:51]
S3 s816obex;Sony Ericsson Device 816 USB WMC OBEX Interface;C:\Windows\system32\DRIVERS\s816obex.sys [2007-06-19 09:51]
S3 s816unic;Sony Ericsson Device 816 USB Ethernet Emulation SEMCMR7 (WDM);C:\Windows\system32\DRIVERS\s816unic.sys [2007-06-19 09:51]

*Newly Created Service* - CATCHME

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\ccc-core-static]
msiexec /fums {6173A4FC-D42D-69A6-52CA-A30496389760} /qb
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-06 01:12:26
Windows 6.0.6000 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-07-06 1:13:37
ComboFix-quarantined-files.txt 2008-07-05 23:13:33
Det går inte att hitta meddelandetexten för meddelandenumret 0x2379 i meddelandefilen för Application.
Post-Run: 22,549,262,336 byte ledigt
151 --- E O F --- 2007-11-19 14:42:08