ComboFix 08-04-22.5 - Jasiek 2008-04-24 20:05:49.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1390 [GMT 2:00]
Running from: C:\Documents and Settings\Jasiek\Desktop\ComboFix.exe
 * Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\cookies.ini
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\lTDKnUtv.ini
C:\WINDOWS\system32\lTDKnUtv.ini2
C:\WINDOWS\system32\nnnkLDSI.dll
C:\WINDOWS\system32\opnoOFYR.dll
C:\WINDOWS\system32\opXEKRqr.ini
C:\WINDOWS\system32\opXEKRqr.ini2
C:\WINDOWS\system32\oYHRuBeg.ini
C:\WINDOWS\system32\oYHRuBeg.ini2
C:\WINDOWS\system32\pmnkIBRl.dll
C:\WINDOWS\system32\rBHjQXyb.ini
C:\WINDOWS\system32\rBHjQXyb.ini2
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_6TO4
-------\Service_6to4

((((((((((((((((((((((((( Files Created from 2008-03-24 to 2008-04-24 )))))))))))))))))))))))))))))))
.
2008-04-24 19:16 . 2008-04-24 19:16 1,509,099 --ahs---- C:\WINDOWS\system32\ysibxgtt.ini
2008-04-24 19:13 . 2008-04-24 19:13 272,384 --a------ C:\WINDOWS\system32\byXQjHBr.dll_old
2008-04-24 17:30 . 2008-04-24 17:30
2008-04-24 17:30 . 2008-04-24 17:31
2008-04-24 17:29 . 2008-04-24 17:29
2008-04-24 16:11 . 2008-04-24 16:11 1,503,948 --ahs---- C:\WINDOWS\system32\ajifqxoc.ini
2008-04-23 22:22 . 2008-04-24 00:15 1,540,617 --ahs---- C:\WINDOWS\system32\jcskbppr.ini
2008-04-23 16:26 . 2008-04-23 16:14 691,545 --a------ C:\WINDOWS\unins000.exe
2008-04-23 16:26 . 2008-04-23 16:26 2,540 --a------ C:\WINDOWS\unins000.dat
2008-04-23 15:57 . 2008-04-23 17:00 1,540,677 --ahs---- C:\WINDOWS\system32\qxrlfide.ini
2008-04-22 15:22 . 2008-04-23 13:18 1,541,397 --ahs---- C:\WINDOWS\system32\qlwfoban.ini
2008-04-21 14:45 . 2008-04-22 15:20 1,540,857 --ahs---- C:\WINDOWS\system32\krxyokrq.ini
2008-04-21 14:43 . 2008-04-21 14:43 1,540,737 --ahs---- C:\WINDOWS\system32\cersivxa.ini
2008-04-21 02:43 . 2008-04-21 14:37 1,540,677 --ahs---- C:\WINDOWS\system32\nsipnvrw.ini
2008-04-21 02:40 . 2008-04-24 16:08 109,738 --a------ C:\WINDOWS\BM37c7d2cd.xml
2008-04-14 16:43 . 2008-04-14 16:43
2008-04-14 16:43 . 2008-04-18 14:06 218 --ah----- C:\WINDOWS\sysreg.dat
2008-04-12 15:25 . 2008-04-20 19:34
2008-04-10 14:06 . 2008-04-10 14:06
2008-04-10 14:06 . 2008-04-10 14:06
2008-04-10 14:04 . 2008-04-10 14:05
2008-04-08 17:47 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-04-06 19:23 . 2008-04-09 20:20
2008-04-06 19:23 . 2008-04-06 19:23 737,280 --a------ C:\WINDOWS\iun6002.exe
2008-04-05 10:50 . 2008-04-05 10:50
2008-04-05 10:47 . 2008-04-05 10:47
2008-04-04 00:13 . 2008-04-04 00:13
2008-04-03 23:57 . 2008-04-03 23:57
2008-04-03 23:10 . 2008-04-03 23:37
2008-04-03 23:10 . 2008-04-03 23:10
2008-03-30 13:49 . 2008-03-30 14:03 71,275,856 --a------ C:\Program Files\sapi.exe
2008-03-28 23:37 . 2008-03-28 23:37 90,112 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2008-03-28 23:37 . 2008-03-28 23:37 57,344 --a------ C:\WINDOWS\system32\QuickTime.qts
2008-03-26 21:27 . 2008-03-26 21:27
2008-03-26 21:25 . 2008-04-03 23:36 417,371 ---h----- C:\treeinfo.wc
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-24 18:08 --------- d-----w C:\Documents and Settings\Jasiek\Application Data\Skype
2008-04-23 14:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-23 14:29 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-04-22 14:07 --------- d-----w C:\Program Files\Opera
2008-04-22 13:42 --------- d-----w C:\Documents and Settings\Jasiek\Application Data\uTorrent
2008-04-21 00:40 --------- d-----w C:\Documents and Settings\Jasiek\Application Data\Wave Systems Corp
2008-04-09 18:24 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-08 15:47 --------- d-----w C:\Program Files\Java
2008-04-03 19:23 --------- d-----w C:\Documents and Settings\Jasiek\Application Data\Hamachi
2008-04-03 16:00 --------- d-----w C:\Documents and Settings\Jasiek\Application Data\Nokia Multimedia Player
2008-04-03 15:54 --------- d-----w C:\Documents and Settings\Jasiek\Application Data\PC Suite
2008-03-23 10:04 --------- d-----w C:\Documents and Settings\Jasiek\Application Data\COWON
2008-03-22 20:36 --------- d-----w C:\Program Files\KLC
2008-03-22 00:23 --------- d-----w C:\Program Files\Common Files\Adobe
2008-03-21 16:32 --------- d-----w C:\Documents and Settings\Jasiek\Application Data\Notepad++
2008-03-21 16:01 --------- d-----w C:\Program Files\Notepad++
2008-03-20 21:19 --------- d-----w C:\Program Files\SopCast
2008-03-20 19:06 --------- d-----w C:\Program Files\7-Zip
2008-03-20 18:57 --------- d-----w C:\Program Files\DivX
2008-03-20 18:56 --------- d-----w C:\Program Files\AC3Filter
2008-03-20 17:33 --------- d-----w C:\Program Files\SkanerOnline
2008-03-20 12:48 --------- d-----w C:\Program Files\MoorHunt
2008-03-14 00:50 --------- d-----w C:\Program Files\Budzik
2008-03-13 19:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\SRS Labs
2008-03-13 13:05 --------- d-----w C:\Documents and Settings\Jasiek\Application Data\TVU networks
2008-03-13 12:53 --------- d-----w C:\Program Files\TVUPlayer
2008-03-13 12:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\TVU networks
2008-03-08 21:44 --------- d-----w C:\Documents and Settings\Jasiek\Application Data\Temp
2008-03-05 18:15 --------- d-----w C:\Documents and Settings\Jasiek\Application Data\GanymedeNet
2008-03-04 01:48 5,997 ----a-w C:\WINDOWS\BricoPackFoldersDelete.cmd
2008-03-04 01:38 23,108 ----a-w C:\WINDOWS\BricoPackUninst.cmd
2008-03-03 22:42 --------- d-----w C:\Program Files\Unlocker
2008-03-03 22:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-03-03 16:08 --------- d-----w C:\Program Files\WinFast
2008-03-03 16:08 --------- d-----w C:\Documents and Settings\All Users\Application Data\Ulead Systems
2008-03-03 13:40 --------- d-----w C:\Program Files\Common Files\Ulead Systems
2008-03-01 19:51 --------- d-----w C:\Documents and Settings\Jasiek\Application Data\Ahead
2008-03-01 19:45 --------- d-----w C:\Documents and Settings\Jasiek\Application Data\Nero
2008-03-01 19:44 --------- d-----w C:\Program Files\Common Files\Nero
2008-03-01 19:43 --------- d-----w C:\Program Files\Nero
2008-03-01 19:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\Nero
2008-02-29 11:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\PC Suite
2008-02-28 10:02 --------- d-----w C:\Program Files\SmartSound Software Inc
2008-02-27 17:54 --------- d-----w C:\Program Files\Giant Disk Cleaner
2008-02-25 13:38 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-02-24 17:56 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
.
------- Sigcheck -------
2006-01-09 20:02 662016 dde9597a3311748c1519444e2bc147bd C:\WINDOWS\$hf_mig$\KB912945\SP2QFE\wininet.dll
2007-06-26 16:35 665600 e1a3dd68b5380b360a7310a64d9bb188 C:\WINDOWS\$hf_mig$\KB937143\SP2QFE\wininet.dll
2007-10-11 07:57 666112 80d660a49e0d118144423099b2a9f5da C:\WINDOWS\$hf_mig$\KB942615\SP2QFE\wininet.dll
2007-12-07 02:44 666112 085a7c37f9c6ede1ba870b7dbec06399 C:\WINDOWS\$hf_mig$\KB944533\SP2QFE\wininet.dll
2007-06-26 16:09 658944 184e47c8f7b331025e6dc92740db188f C:\WINDOWS\$NtUninstallKB942615$\wininet.dll
2007-10-11 08:13 659456 2005ad86a22aee68e21ee59f9ccb77f2 C:\WINDOWS\$NtUninstallKB944533$\wininet.dll
2007-12-07 03:07 693248 ee1c211d5ec67192884fcf050ab13d63 C:\WINDOWS\ServicePackFiles\i386\wininet.dll
2007-12-07 03:07 659456 57d1b5150cf6331fac6b3e04c1fcb966 C:\WINDOWS\system32\wininet.dll
2007-12-07 03:07 659456 57d1b5150cf6331fac6b3e04c1fcb966 C:\WINDOWS\system32\dllcache\wininet.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{57452FB1-9B65-4AAA-A2B9-9FDF5803830F}]
C:\WINDOWS\system32\vtUnKDTl.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5806DD89-D54C-455A-AE12-666D6A0C14C7}]
C:\WINDOWS\system32\geBuRHYo.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E3E368E1-ECF1-46C3-847D-F310FC19E013}]
C:\WINDOWS\system32\byXQjHBr.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EE5A1465-1E73-4784-8F63-45983FDF0DB8}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F0E81C80-199F-446E-9788-98123EE28C56}]
C:\WINDOWS\system32\rqRKEXpo.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AQQ"="C:\PROGRA~1\WapSter\AQQ\AQQ.exe" [2007-02-28 14:18 2351864]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2007-08-16 13:24 167368]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-07-02 18:10 23237416]
"NVIDIA nTune"="C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-09-04 20:25 81920]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-05-31 23:50 8429568]
"NVHotkey"="nvHotkey.dll" [2007-05-31 23:50 67584 C:\WINDOWS\system32\nvhotkey.dll]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-05-31 23:50 81920]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2007-05-14 22:23 1191936]
"Document Manager"="C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe" [2007-01-30 23:32 102400]
"SecureUpgrade"="C:\Program Files\Wave Systems Corp\SecureUpgrade.exe" [2007-01-22 19:53 212992]
"Broadcom Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY.exe" [2007-10-09 12:17 2183168]
"PDVDDXSrv"="C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2006-10-21 01:23 118784]
"CorelDRAW Graphics Suite 11b"="C:\Program Files\Corel\Corel Graphics 12\Languages\EN\Programs\Registration.exe" [2003-11-25 14:39 729088]
"WinFast Schedule"="C:\Program Files\WinFast\WFTVFM\WFWIZ.exe" [2007-05-22 11:14 405504]
"UnlockerAssistant"="C:\Program Files\Unlocker\UnlockerAssistant.exe" [2006-09-07 19:19 15872]
"34f4e151"="C:\WINDOWS\system32\ttgxbisy.dll" []
"FinePrint Dyspozytor v5"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe" [2006-01-12 16:37 491520]
"BM37c7d2cd"="C:\WINDOWS\system32\dmuaukxd.dll" []

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2007-12-01 01:26 15360]
"Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-06-19 11:17 1241088]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-10-23 23:18 443968]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Bluetooth Manager.lnk - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [1/12/2007 4:43:46 AM 2150400]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [12/1/2007 6:33:27 PM 50688]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\opnoOFYR]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wxvault.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= C:\Program Files\ffdshow\ffdshow.ax

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 wvauth

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^Jasiek^Start Menu^Programs^Startup^ctfmon.exe]
path=C:\Documents and Settings\Jasiek\Start Menu\Programs\Startup\ctfmon.exe
backup=C:\WINDOWS\pss\ctfmon.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcoholAutomount]
--a------ 2007-12-22 09:23 221568 C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
--a------ 2007-04-16 05:49 159744 C:\Program Files\Apoint\Apoint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a------ 2007-09-20 16:35 202024 C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a------ 2004-07-28 00:50 221184 C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2004-07-28 00:50 81920 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-03-30 10:36 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KADxMain]
--a------ 2006-11-02 22:05 282624 C:\WINDOWS\system32\KADxMain.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
--a------ 2007-09-20 10:51 1836328 C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2007-03-01 16:57 153136 C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2007-05-31 23:50 1626112 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
--a------ 2007-06-18 16:10 271360 C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
--a------ 2007-08-07 02:05 200704 C:\Program Files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-03-28 23:37 413696 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
--a------ 2006-08-17 17:00 1116920 C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
--a------ 2007-02-19 07:26 303104 C:\WINDOWS\stsystra.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
-rahs---- 2008-01-28 11:43 2097488 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SRS Audio Sandbox]
C:\Program Files\SRS Labs\Audio Sandbox\SRSSSC.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Start WingMan Profiler]
--a------ 2007-09-25 16:03 93208 C:\Program Files\Logitech\Gaming Software\LWEMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
C:\Program Files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe"=
"C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtPSS.exe"=
"C:\Program Files\WapSter\AQQ\AQQ.exe"=
"C:\PROGRA~1\WapSter\AQQ\AQQ.exe"=
"C:\Program Files\uTorrent\uTorrent.exe"=
"%windir%\Network Diagnostic\xpnetdiag.exe"=
"C:\Program Files\iTunes\iTunes.exe"=
"C:\Program Files\Skype\Phone\Skype.exe"=

R0 PBADRV;PBADRV;C:\WINDOWS\system32\DRIVERS\PBADRV.sys [2006-08-28 23:00]
R1 DLARTL_M;DLARTL_M;C:\WINDOWS\system32\Drivers\DLARTL_M.SYS [2006-08-11 18:35]
R1 VD_FileDisk;VD_FileDisk;C:\WINDOWS\system32\drivers\VD_FileDisk.sys [2006-01-13 15:00]
R2 ASFIPmon;Broadcom ASF IP and SMBIOS Mailbox Monitor;"C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe" -service []
R2 Wave UCSPlus;Wave UCSPlus;C:\WINDOWS\system32\dllhost.exe [2007-12-01 01:26]
R3 DXEC01;DXEC01;C:\WINDOWS\system32\drivers\dxec01.sys [2006-11-02 20:32]
R3 WFIOCTL;WFIOCTL;C:\Program Files\WinFast\WFTVFM\WFIOCTL.SYS [2005-01-06 17:55]
S2 PD91Agent;PD91Agent;"C:\Program Files\Raxco\PerfectDisk2008\PD91Agent.exe" []
S3 SecureStorageService;SecureStorageService;"C:\Program Files\Wave Systems Corp\Secure Storage Manager\SecureStorageService.exe" [2007-01-30 05:59]
S3 WFUSBIILE;WinFast PalmTop/Novo TV Pro Video;C:\WINDOWS\system32\drivers\wfremora.sys [2006-12-29 11:59]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0df0d58f-ce9f-11dc-9c47-001d09a92f5e}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled\ctfmon.exe
\Shell\Open(0)\command - G:\Recycled\ctfmon.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-04-10 08:57:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job" - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-24 20:14:14
Windows 5.1.2600 Service Pack 3, v.3264 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet004\Services\6to4]
"ServiceDll"="%SystemRoot%\System32\6to4svc.dll"
.
Completion time: 2008-04-24 20:21:01
ComboFix-quarantined-files.txt 2008-04-24 18:20:35

Pre-Run: 22,716,747,776 bytes free
Post-Run: 22,722,088,960 bytes free

271 --- E O F --- 2008-04-11 11:54:14

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:26:08, on 2008-04-24
Platform: Windows XP SP3, v.3264 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.3264)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\StacSV.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe
C:\Program Files\Wave Systems Corp\SecureUpgrade.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe
C:\PROGRA~1\WapSter\AQQ\AQQ.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Apoint\ApMsgFwd.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\WINDOWS\Integrator.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosOBEX.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosBtProc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=del … bd=4071201
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.pl/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.google.pl/search?q=%s
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=del … bd=4071201
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {57452FB1-9B65-4AAA-A2B9-9FDF5803830F} - C:\WINDOWS\system32\vtUnKDTl.dll (file missing)
O2 - BHO: (no name) - {5806DD89-D54C-455A-AE12-666D6A0C14C7} - C:\WINDOWS\system32\geBuRHYo.dll (file missing)
O2 - BHO: SACert Class - {740FE5FB-65F1-46C5-9E54-A19C8A8D7AC2} - C:\WINDOWS\system32\SoftAheadCert.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
O2 - BHO: (no name) - {E3E368E1-ECF1-46C3-847D-F310FC19E013} - C:\WINDOWS\system32\byXQjHBr.dll (file missing)
O2 - BHO: (no name) - {F0E81C80-199F-446E-9788-98123EE28C56} - C:\WINDOWS\system32\rqRKEXpo.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [Document Manager] C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe
O4 - HKLM\..\Run: [SecureUpgrade] C:\Program Files\Wave Systems Corp\SecureUpgrade.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [CorelDRAW Graphics Suite 11b] C:\Program Files\Corel\Corel Graphics 12\Languages\EN\Programs\Registration.exe /title="CorelDRAW Graphics Suite 12" /date=050508 serial=DR12WEX-1504397-KTY lang=EN
O4 - HKLM\..\Run: [WinFast Schedule] C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [34f4e151] rundll32.exe "C:\WINDOWS\system32\ttgxbisy.dll",b
O4 - HKLM\..\Run: [FinePrint Dyspozytor v5] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe" /source=HKLM
O4 - HKLM\..\Run: [BM37c7d2cd] Rundll32.exe "C:\WINDOWS\system32\dmuaukxd.dll",s
O4 - HKCU\..\Run: [AQQ] C:\PROGRA~1\WapSter\AQQ\AQQ.exe
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Apoint.lnk = C:\Program Files\Apoint\Apoint.exe
O4 - Startup: Battery Doubler.lnk = C:\Program Files\Dachshund Software\Battery Doubler\Battery Doubler.exe
O4 - Global Startup: Bluetooth Manager.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O8 - Extra context menu item: Eksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.pl/resources/virus … nicode.cab
O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MksSkanerOnline Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso … 3901584859
O17 - HKLM\System\CCS\Services\Tcpip\..\{4B0E1F2A-AEB5-4785-AFEF-994EF259FF6B}: NameServer = 192.168.0.1,195.255.180.2
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Urzadzenie mobilne Apple (Apple Mobile Device) - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Broadcom ASF IP and SMBIOS Mailbox Monitor (ASFIPmon) - Broadcom Corporation - C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
O23 - Service: Bonjour Service - Unknown owner - C:\Program Files\Bonjour\mDNSResponder.exe (file missing)
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: Usluga iPod (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PD91Agent - Unknown owner - C:\Program Files\Raxco\PerfectDisk2008\PD91Agent.exe (file missing)
O23 - Service: SecureStorageService - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Secure Storage Manager\SecureStorageService.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\WINDOWS\system32\StacSV.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: NTRU TSS v1.2.1.12 TCS (tcsd_win32.exe) - Unknown owner - C:\Program Files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 11682 bytes