29 Aug 2008, 22:21
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:07:30, on 2008-08-29
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Programy\Avast\aswUpdSv.exe
C:\Programy\Avast\ashServ.exe
C:\Programy\ZoneAlarm\zlclient.exe
C:\Programy\Avast\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Winamp Remote\bin\OrbTray.exe
C:\Programy\DAEMON Tools Lite\daemon.exe
C:\Programy\Gadu-Gadu\gg.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Programy\Avast\ashMaiSv.exe
C:\Programy\Avast\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Documents and Settings\Przemek\Pulpit\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: DAEMON Tools Toolbar - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files\DAEMON Tools Toolbar\DTToolbar.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Programy\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [avast!] C:\Programy\Avast\ashDisp.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programy\Adobe Reader\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "C:\Programy\BootSkin\BootSkin.exe" /StartupJobs
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1219588770\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Programy\Winamp\winampa.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Orb] "C:\Program Files\Winamp Remote\bin\OrbTray.exe" /background
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Programy\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Programy\Gadu-Gadu\gg.exe" /tray
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA SIECIOWA')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\Programy\OFFICE~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Programy\OFFICE~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{7417CBCC-9430-4A76-AB23-EB1784BEBBFD}: NameServer = 217.30.137.200,217.30.137.200
O17 - HKLM\System\CS1\Services\Tcpip\..\{7417CBCC-9430-4A76-AB23-EB1784BEBBFD}: NameServer = 217.30.137.200,217.30.137.200
O17 - HKLM\System\CS2\Services\Tcpip\..\{7417CBCC-9430-4A76-AB23-EB1784BEBBFD}: NameServer = 217.30.137.200,217.30.137.200
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programy\Avast\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Programy\Avast\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Programy\Avast\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Programy\Avast\ashWebSv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
--
End of file - 4602 bytes
29 Aug 2008, 23:09
29 Aug 2008, 23:23
30 Aug 2008, 12:22
ComboFix 08-08-29.02 - Przemek 2008-08-30 12:00:45.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.92 [GMT 2:00]
Running from: C:\Documents and Settings\Przemek\Pulpit\ComboFix.exe
* Created a new restore point
WARNING - THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\Przemek\Ustawienia lokalne\Dane aplikacji\Microsoft\Windows Media\10.0\WMSDKNSD.XML
C:\WINDOWS\system32\vsdatant.sys
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_VSDATANT
-------\Service_vsdatant
((((((((((((((((((((((((( Files Created from 2008-07-28 to 2008-08-30 )))))))))))))))))))))))))))))))
.
2008-08-26 23:37 . 2008-08-26 23:38 <DIR> d-------- C:\Documents and Settings\Przemek\Dane aplikacji\Tibia
2008-08-25 16:12 . 2008-06-14 20:01 273,024 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-08-25 16:12 . 2008-06-14 20:01 273,024 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-08-25 16:10 . 2008-08-25 16:10 <DIR> d-------- C:\Documents and Settings\Przemek\Dane aplikacji\Gadu-Gadu
2008-08-24 21:32 . 2008-08-26 12:51 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-08-24 21:32 . 2005-02-25 05:36 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2008-08-24 16:43 . 2008-08-25 16:48 <DIR> d-------- C:\Documents and Settings\Przemek\Dane aplikacji\AOL
2008-08-24 16:42 . 2008-08-24 16:42 <DIR> d-------- C:\Program Files\Viewpoint
2008-08-24 16:42 . 2008-08-24 16:42 <DIR> d-------- C:\Program Files\Common Files\Nullsoft
2008-08-24 16:42 . 2008-08-24 16:42 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\Viewpoint
2008-08-24 16:40 . 2003-01-10 23:13 33,588 -ra------ C:\WINDOWS\system32\drivers\wanatw4.sys
2008-08-24 16:39 . 2008-08-24 16:42 <DIR> d-------- C:\Program Files\Common Files\aolshare
2008-08-24 16:39 . 2008-08-25 16:32 <DIR> d-------- C:\Program Files\Common Files\aol
2008-08-24 16:39 . 2008-08-24 16:44 <DIR> d-------- C:\Program Files\AOL 9.0
2008-08-24 16:39 . 2008-08-26 19:54 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\AOL
2008-08-24 16:23 . 2008-08-24 16:38 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\AOL Downloads
2008-08-23 21:03 . 2008-08-23 21:03 <DIR> d-------- C:\Program Files\Common Files\Stardock
2008-08-23 21:03 . 2008-08-23 21:10 163,712 --a------ C:\WINDOWS\system32\drivers\vidstub.sys
2008-08-23 20:40 . 2008-08-23 20:44 69 --a------ C:\WINDOWS\NeroDigital.ini
2008-08-23 20:20 . 2008-08-23 20:20 <DIR> d-------- C:\Program Files\Common Files\Adobe AIR
2008-08-23 20:18 . 2008-08-23 20:18 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-08-23 20:13 . 2008-08-25 16:26 <DIR> d-------- C:\Documents and Settings\Przemek\Gadu-Gadu
2008-08-23 20:08 . 2008-08-23 20:08 56 --ah----- C:\WINDOWS\system32\ezsidmv.dat
2008-08-23 20:07 . 2008-08-23 20:07 <DIR> d-------- C:\Documents and Settings\Przemek\Dane aplikacji\skypePM
2008-08-23 20:02 . 2008-08-23 20:11 <DIR> d-------- C:\Documents and Settings\Przemek\Dane aplikacji\Skype
2008-08-23 20:01 . 2008-08-23 20:01 <DIR> d-------- C:\Program Files\Skype
2008-08-23 20:01 . 2008-08-23 20:01 <DIR> d-------- C:\Program Files\Common Files\Skype
2008-08-23 20:00 . 2008-08-23 20:01 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\Skype
2008-08-23 19:53 . 2008-08-23 19:53 1,169 --a------ C:\WINDOWS\mozver.dat
2008-08-23 19:46 . 2008-08-23 19:46 <DIR> d-------- C:\Program Files\DAEMON Tools Toolbar
2008-08-23 19:41 . 2008-08-23 19:41 <DIR> d-------- C:\Documents and Settings\Przemek\Dane aplikacji\DAEMON Tools
2008-08-23 19:41 . 2008-08-23 19:41 717,296 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2008-08-23 19:24 . 2008-08-23 19:45 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\OrbNetworks
2008-08-23 19:23 . 2008-08-23 19:24 <DIR> d-------- C:\Program Files\Winamp Remote
2008-08-23 19:17 . 2008-08-26 14:06 <DIR> d-------- C:\Documents and Settings\Przemek\Dane aplikacji\Winamp
2008-08-23 19:07 . 2008-08-23 19:07 <DIR> d-------- C:\Program Files\NAPI-PROJEKT
2008-08-23 16:59 . 2008-08-23 17:00 <DIR> d-------- C:\WINDOWS\system32\MsDtc
2008-08-23 16:58 . 2004-08-03 23:01 196,864 --a------ C:\WINDOWS\system32\drivers\rdpdr.sys
2008-08-23 16:58 . 2004-08-04 00:44 40,840 --a------ C:\WINDOWS\system32\drivers\termdd.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-30 10:11 2,093,088 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2008-08-30 10:08 32,168 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2008-08-25 14:56 2,784,256 ----a-w C:\WINDOWS\Internet Logs\xDB2.tmp
2008-08-25 14:56 1,474,048 ----a-w C:\WINDOWS\Internet Logs\xDB3.tmp
2008-08-25 14:06 35,144,365 ----a-w C:\WINDOWS\Internet Logs\vsmon_on_demand_2008_08_24_21_18_00_full.dmp.zip
2008-08-24 19:33 1,456,128 ----a-w C:\WINDOWS\Internet Logs\xDB1.tmp
2008-08-23 16:58 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\MailFrontier
2008-08-23 16:02 --------- d-----w C:\Documents and Settings\Przemek\Dane aplikacji\MailFrontier
2008-08-23 15:58 --------- d-----w C:\Program Files\ZoneAlarmSB
2008-08-23 15:36 --------- d-----w C:\Documents and Settings\Przemek\Dane aplikacji\Ahead
2008-08-23 15:34 --------- d-----w C:\Program Files\Nero
2008-08-23 15:34 --------- d-----w C:\Program Files\Common Files\Ahead
2008-08-23 15:20 --------- d-----w C:\Program Files\SiS7012
2008-08-23 15:20 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-08-23 15:06 --------- d-----w C:\Program Files\microsoft frontpage
2008-08-23 15:02 --------- d-----w C:\Program Files\Usługi online
2008-07-25 08:34 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
2008-07-25 08:34 683,520 ----a-w C:\WINDOWS\system32\divx.dll
2008-07-23 16:50 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2008-07-07 20:33 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-06-24 16:24 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
2008-06-23 15:41 662,016 ----a-w C:\WINDOWS\system32\wininet.dll
2008-06-12 18:36 7,680 ----a-w C:\WINDOWS\system32\ff_vfw.dll
2008-05-07 05:16 1,291,264 ----a-w C:\WINDOWS\system32\quartz.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:44 15360]
"Orb"="C:\Program Files\Winamp Remote\bin\OrbTray.exe" [2008-04-01 03:54 507904]
"DAEMON Tools Lite"="C:\Programy\DAEMON Tools Lite\daemon.exe" [2008-08-08 14:11 490952]
"Gadu-Gadu"="C:\Programy\Gadu-Gadu\gg.exe" [2008-03-20 12:04 2127296]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe" [2005-09-08 11:06 94208]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ZoneAlarm Client"="C:\Programy\ZoneAlarm\zlclient.exe" [2008-03-13 23:11 919016]
"BootSkin Startup Jobs"="C:\Programy\BootSkin\BootSkin.exe" [2004-04-26 16:21 270336]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 01:44 15360]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.YV12"= yv12vfw.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Winamp Remote\\bin\\Orb.exe"=
"C:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe"=
"C:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\\Program Files\\Common Files\\aol\\acs\\AOLDial.exe"=
"C:\\Program Files\\Common Files\\aol\\acs\\AOLacsd.exe"=
"C:\\Program Files\\Common Files\\aol\\1219588770\\ee\\aolsoftware.exe"=
"C:\\Program Files\\AOL 9.0\\waol.exe"=
"C:\\Program Files\\Common Files\\aol\\TopSpeed\\3.0\\aoltpsd3.exe"=
"C:\\Program Files\\Common Files\\aol\\Loader\\aolload.exe"=
"C:\\Program Files\\Common Files\\aol\\System Information\\sinf.exe"=
R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-07-19 16:35]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-07-19 16:37]
R3 SiS7012;Service for AC'97 Sample Driver (WDM);C:\WINDOWS\system32\drivers\sis7012.sys [2003-04-08 09:56]
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Przemek\Dane aplikacji\Mozilla\Firefox\Profiles\i5wwleed.default\
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-30 12:09:48
Windows 5.1.2600 Dodatek Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Programy\Avast\aswUpdSv.exe
C:\Programy\Avast\ashServ.exe
C:\Program Files\Common Files\aol\acs\AOLacsd.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Programy\Avast\ashMaiSv.exe
C:\Programy\Avast\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-08-30 12:13:33 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-30 10:13:20
Pre-Run: 11,633,360,896 bajtów wolnych
Post-Run: 11,645,067,264 bajtów wolnych
155 --- E O F --- 2008-08-26 10:51:24
30 Aug 2008, 12:30
File::
C:\WINDOWS\Internet Logs\xDB2.tmp
C:\WINDOWS\Internet Logs\xDB3.tmp
C:\WINDOWS\Internet Logs\xDB1.tmp
30 Aug 2008, 13:24
30 Aug 2008, 13:30
30 Aug 2008, 16:33
30 Aug 2008, 17:00
30 Aug 2008, 17:42