ComboFix 10-03-23.04 - Terje 24.03.2010 16:18:31.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.696 [GMT 1:00]
Running from: c:\documents and settings\Terje\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\eSellerateEngine.dll
c:\windows\system32\winlogon.bak

.
((((((((((((((((((((((((( Files Created from 2010-02-24 to 2010-03-24 )))))))))))))))))))))))))))))))
.

No new files created in this timespan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-24 14:38 . 2009-10-22 21:51 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-03-24 13:57 . 2009-08-17 16:49 -------- d-----w- c:\documents and settings\Terje\Application Data\vlc
.

------- Sigcheck -------

[-] 2006-12-04 . 6225F14B8CE08CCBA8B25AD27843C674 . 502272 . . [5.1.2600.2180] . . c:\windows\system32\winlogon.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SkinClock"="j:\program files\Clock Tray Skins\ClockTraySkins.exe" [2007-08-05 448768]
"Eraser"="j:\program files\Eraser\eraser.exe" [2007-12-22 916240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Bluetooth Connection Assistant"="LBTWIZ.EXE -silent" [X]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2007-05-14 644696]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"OpwareSE4"="e:\program files\ScanSoft\OmniPageSE4\OpwareSE4.exe" [2007-02-04 79400]
"Adobe Photo Downloader"="e:\program files\Adobe\Photoshop Elements 5.0\apdproxy.exe" [2006-12-22 67752]
"RemoteControl8"="j:\program files\CyberLink\PowerDVD8\PowerDVD8\PDVD8Serv.exe" [2008-03-20 83240]
"PDVD8LanguageShortcut"="j:\program files\CyberLink\PowerDVD8\PowerDVD8\Language\Language.exe" [2007-12-14 50472]
"BDRegion"="c:\program files\Cyberlink\Shared Files\brs.exe" [2008-10-02 91432]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-10-10 69632]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"WD Button Manager"="WDBtnMgr.exe" [2009-08-15 143360]
"SetIcon"="\Program Files\WDC\SetIcon.exe" [2004-01-30 46080]
"PinnacleDriverCheck"="c:\windows\system32\PSDrvCheck.exe" [2004-03-10 406016]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-09-27 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-09-27 13918208]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
AutoStart IR.lnk - j:\program files\WinTV\Ir.exe [2007-1-14 102455]
BTTray.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-11-29 561213]
Logitech SetPoint.lnk - j:\setpoint\SetPoint.exe [2009-3-30 809488]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{FE24CD78-7C63-465D-8787-4EDF7FC79895}"= "j:\easy synchronization\shellexecutehook.dll" [2005-10-05 69632]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-11-07 14:41 72208 ----a-w- c:\program files\Common Files\Logitech\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BTTray.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\BTTray.lnk
backup=c:\windows\pss\BTTray.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Hurtigstart for Adobe Reader.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Hurtigstart for Adobe Reader.lnk
backup=c:\windows\pss\Hurtigstart for Adobe Reader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Terje^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=c:\documents and settings\Terje\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=c:\windows\pss\Adobe Gamma.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent]
2004-08-04 12:00 110592 ----a-w- c:\windows\system32\bthprops.cpl

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
2004-08-04 12:00 15360 -c----w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Easy Synchronization]
2005-10-05 10:00 53248 ----a-w- j:\easy synchronization\LogitechEasySync.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
2003-09-01 10:52 376912 ----a-w- j:\program files\Microsoft ActiveSync\WCESCOMM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2009-09-27 17:19 13918208 ----a-w- c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2009-09-27 17:19 86016 ----a-w- c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PinnacleDriverCheck]
2004-03-10 14:26 406016 ----a-w- c:\windows\system32\PSDrvCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SetIcon]
2004-01-30 08:03 46080 -c--a-w- c:\program files\WDC\SetIcon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
2003-03-27 08:34 53248 -c--a-w- c:\windows\SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WD Button Manager]
2009-08-15 21:24 143360 -c--a-w- c:\windows\system32\WDBtnMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"j:\\Program Files\\Microsoft ActiveSync\\WCESCOMM.EXE"=
"j:\\Program Files\\Microsoft ActiveSync\\WCESMGR.EXE"=
"j:\\Program Files\\CyberLink\\PowerDVD8\\PowerDVD8\\PowerDVD8.exe"=

R2 {FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};{FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};j:\program files\CyberLink\PowerDVD8\PowerDVD8\000.fcl [15.05.2008 11:07 61424]
S3 inibtmgr;WD Bridge Controller Driver;c:\windows\system32\drivers\inibtmgr.sys [04.12.2006 19:28 9728]
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Send til &Bluetooth-enhet... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-nwiz - nwiz.exe
MSConfigStartUp-Omnipage - j:\program files\ScanSoft\OmniPageSE\opware32.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-24 16:21
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{FE4C91E7-22C2-4D0C-9F6B-82F1B7742054}]
"ImagePath"="\??\j:\program files\CyberLink\PowerDVD8\PowerDVD8\000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version*Version]
"Version"=hex:b9,bb,67,8f,9a,75,2b,ef,09,7c,ec,a3,8e,4a,84,52,3a,55,11,e6,16,
 7d,32,51,34,b1,97,6c,d5,ea,8c,bb,65,a5,e8,ec,c3,30,e0,db,ce,1a,d3,48,00,0d,\

[HKEY_LOCAL_MACHINE\software\Minnetonka Audio Software\SurCode Dolby Digital Premiere\Version*Version]
"Version"=hex:b9,bb,67,8f,9a,75,2b,ef,09,7c,ec,a3,8e,4a,84,52,3a,55,11,e6,16,
 7d,32,51,34,b1,97,6c,d5,ea,8c,bb,0d,95,33,62,3c,29,e0,c0,ce,1a,d3,48,00,0d,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(568)
c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
c:\program files\common files\logitech\bluetooth\LBTServ.dll
.
Completion time: 2010-03-24 16:23:18
ComboFix-quarantined-files.txt 2010-03-24 15:23

Pre-Run: 8 898 043 904 bytes free
Post-Run: 8 864 071 680 bytes free

- - End Of File - - A5AEDAC393BDEF3ED28ED9D428763704