Thank you for your time!!! By the way, congratulations on your 5000th post!
I uninstalled Spybot, AVG and Ad-Aware yesterday morning...
I used the fresh copy of ComboFix... it told me I had the Whistler rootkit and it needed to restart my PC...
After the restart, it started again and this is the log file:
ComboFix 10-07-31.01 - user_name 04-08-2010 7:35.5.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.781 [GMT 2:00]
Running from: c:\documents and settings\user_name\Desktop\wCFix.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
\\.\PhysicalDrive0 - Bootkit Whistler was found and disinfected
.
((((((((((((((((((((((((( Files Created from 2010-07-04 to 2010-08-04 )))))))))))))))))))))))))))))))
.
2010-08-02 19:20 . 2010-08-02 19:20 -------- d-----w- c:\documents and settings\user_name\Application Data\Malwarebytes
2010-08-02 19:19 . 2010-08-02 19:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-08-02 16:31 . 2010-08-02 16:31 -------- d-----w- C:\$AVG8.VAULT$
2010-08-02 15:58 . 2009-06-30 07:37 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys
2010-08-02 15:57 . 2010-08-02 15:57 -------- d-----w- c:\program files\Panda Security
2010-07-29 19:56 . 2010-07-29 19:56 -------- d-----w- c:\documents and settings\user_name\Local Settings\Application Data\Sunbelt Software
2010-07-29 19:53 . 2010-08-03 05:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-07-29 16:50 . 2010-07-29 16:50 -------- d-----w- c:\program files\Rockstar Games
2010-07-28 19:53 . 2010-08-03 05:40 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-07-28 19:53 . 2010-08-03 05:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-03 05:38 . 2008-12-30 17:36 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2010-08-02 18:37 . 2010-01-04 17:46 -------- d-----w- c:\program files\FLV Player
2010-08-02 08:24 . 2009-04-24 05:27 -------- d-----w- c:\documents and settings\user_name\Application Data\Skype
2010-08-02 07:44 . 2009-04-24 05:28 -------- d-----w- c:\documents and settings\user_name\Application Data\skypePM
2010-07-29 16:35 . 2008-12-30 17:16 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-06-22 18:00 . 2010-06-15 18:32 -------- d-----w- c:\program files\PokerStars
.
((((((((((((((((((((((((((((( SnapShot@2010-08-02_08.40.00 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-08-04 05:35 . 2010-08-04 05:35 16384 c:\windows\temp\Perflib_Perfdata_200.dat
+ 2004-08-04 12:00 . 2010-08-04 05:39 59842 c:\windows\system32\perfc009.dat
- 2004-08-04 12:00 . 2010-08-02 07:48 59842 c:\windows\system32\perfc009.dat
- 2008-12-30 17:02 . 2010-08-02 08:21 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2010-08-02 20:27 . 2010-08-04 05:32 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2008-12-30 17:02 . 2010-08-02 08:21 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-12-30 17:02 . 2010-08-04 05:32 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-12-30 17:02 . 2010-08-04 05:32 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2008-12-30 17:02 . 2010-08-02 08:21 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2004-08-04 12:00 . 2010-08-04 05:39 395768 c:\windows\system32\perfh009.dat
- 2004-08-04 12:00 . 2010-08-02 07:48 395768 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Creative Detector"="c:\program files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 102400]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-12 339968]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 31016]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-13 110592]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [8/2/2010 5:58 PM 28552]
R3 CONAN;CONAN;c:\windows\system32\drivers\o2mmb.sys [12/30/2008 7:23 PM 191092]
R3 MbxStby;MbxStby;c:\windows\system32\drivers\MbxStby.sys [12/30/2008 7:23 PM 6100]
.
.
------- Supplementary Scan -------
.
IE: E&xporteren naar Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\user_name\Application Data\Mozilla\Firefox\Profiles\0s6m9rdq.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - plugin: c:\program files\Canon\APU\npCCBPLFirefox.dll
FF - plugin: c:\program files\Canon\ZoomBrowser EX\Program\NPCIG.dll
---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2010-08-04 07:40
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(784)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2010-08-04 07:41:23
ComboFix-quarantined-files.txt 2010-08-04 05:41
ComboFix2.txt 2010-08-03 05:48
Pre-Run: 6.441.439.232 bytes free
Post-Run: 6.468.571.136 bytes free
- - End Of File - - 4C37EFEC7FEA2210D9A6AFFA651FA55B