HiJack:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:56:11, on 2008-08-10
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Skype\Plugin Manager\SkypePM.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iSTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
--
End of file - 3693 bytes
ComboFix:
ComboFix 08-08-09.06 - Strzelec 2008-08-10 19:29:28.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.44 [GMT 2:00]
Running from: C:\Documents and Settings\Strzelec\Pulpit\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\Strzelec\Dane aplikacji\install.dat
C:\Documents and Settings\Strzelec\Dane aplikacji\rhcp7sj0epea
C:\Program Files\rhcp7sj0epea
C:\WINDOWS\htunistock.dll
C:\WINDOWS\nmcuninstall.exe
C:\WINDOWS\system32\1.tmp
C:\WINDOWS\system32\1.txt
C:\WINDOWS\system32\2.tmp
C:\WINDOWS\system32\2.txt
C:\WINDOWS\system32\4.tmp
C:\WINDOWS\system32\9.tmp
C:\WINDOWS\system32\C.tmp
C:\WINDOWS\system32\E.tmp
C:\WINDOWS\system32\F.tmp
C:\WINDOWS\system32\info.txt
C:\WINDOWS\system32\msdrives
C:\WINDOWS\system32\pphct7sj0epea.exe
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_ASC3550U
-------\Legacy_DRIVERPP
-------\Service_driverpp
((((((((((((((((((((((((( Files Created from 2008-07-10 to 2008-08-10 )))))))))))))))))))))))))))))))
.
2008-08-10 19:22 . 2008-08-10 19:22 <DIR> d----c--- C:\Program Files\Trend Micro
2008-08-01 22:21 . 2008-08-10 19:37 109,150 --a--c--- C:\WINDOWS\system32\drivers\9cd5e1c0.sys
2008-07-27 08:27 . 2008-07-27 08:29 94,208 --a--c--- C:\WINDOWS\system32\98.tmp
2008-07-27 08:27 . 2008-07-27 08:28 94,208 --a--c--- C:\WINDOWS\system32\97.tmp
2008-07-27 08:27 . 2008-07-27 08:28 94,208 --a--c--- C:\WINDOWS\system32\96.tmp
2008-07-27 08:27 . 2008-07-27 08:27 94,208 --a--c--- C:\WINDOWS\system32\95.tmp
2008-07-27 08:27 . 2008-07-27 08:27 94,208 --a--c--- C:\WINDOWS\system32\94.tmp
2008-07-27 08:10 . 2008-07-27 08:10 94,208 --a--c--- C:\WINDOWS\system32\34.tmp
2008-07-27 08:02 . 2008-07-27 08:02 94,208 --a--c--- C:\WINDOWS\system32\20.tmp
2008-07-27 07:59 . 2008-07-27 08:00 94,208 --a--c--- C:\WINDOWS\system32\1D.tmp
2008-07-27 07:59 . 2008-07-27 08:00 94,208 --a--c--- C:\WINDOWS\system32\1C.tmp
2008-07-27 07:59 . 2008-07-27 07:59 94,208 --a--c--- C:\WINDOWS\system32\1B.tmp
2008-07-24 01:45 . 2008-07-26 20:07 94,208 --a--c--- C:\WINDOWS\system32\17.tmp
2008-07-24 01:45 . 2008-07-26 20:07 94,208 --a--c--- C:\WINDOWS\system32\16.tmp
2008-07-24 01:45 . 2008-07-26 20:07 94,208 --a--c--- C:\WINDOWS\system32\15.tmp
2008-07-24 01:45 . 2008-07-26 20:07 94,208 --a--c--- C:\WINDOWS\system32\14.tmp
2008-07-24 01:45 . 2008-07-25 10:16 94,208 --a--c--- C:\WINDOWS\system32\12.tmp
2008-07-24 01:45 . 2008-07-26 04:01 94,208 --a--c--- C:\WINDOWS\system32\11.tmp
2008-07-24 01:45 . 2008-07-24 21:04 94,208 --a--c--- C:\WINDOWS\system32\10.tmp
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-10 17:16 --------- dc----w C:\Documents and Settings\Strzelec\Dane aplikacji\Skype
2008-08-10 17:15 --------- dc----w C:\Documents and Settings\Strzelec\Dane aplikacji\skypePM
2008-08-10 17:14 --------- dc--a-w C:\Documents and Settings\All Users\Dane aplikacji\TEMP
2008-08-08 11:31 --------- dc----w C:\Program Files\Spyware Doctor
2008-07-24 18:59 --------- dc----w C:\Program Files\Winamp Toolbar
2008-07-12 20:35 --------- dc----w C:\Documents and Settings\Strzelec\Dane aplikacji\XnView
2008-06-20 10:45 360,320 -c--a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 -c--a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 -c--a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-14 18:01 273,024 -c----w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-10 19:22 81,288 -c--a-w C:\WINDOWS\system32\drivers\iksyssec.sys
2008-03-28 18:00 32 -c--a-w C:\Documents and Settings\All Users\Dane aplikacji\ezsid.dat
2007-12-23 16:16 165 -c-ha-w C:\Documents and Settings\Strzelec\hpothb07.dat
2006-04-23 20:42 485 -c--a-w C:\Program Files\iPod.pcast
2006-04-22 21:55 5,316,176 -c--a-w C:\Program Files\msjavx86.exe
2006-04-21 23:06 243,512 -c--a-w C:\Program Files\jre-1_5_0_06-windows-i586-p-iftw.exe
2006-04-21 22:12 243,512 -c--a-w C:\Program Files\kerio-pf-4.0.14-en-win.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2008-04-30 17:17 22058792]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-04-10 21:33 155648]
"SoundMan"="SOUNDMAN.EXE" [2002-09-27 08:44 47104 C:\WINDOWS\SOUNDMAN.EXE]
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
??????????????????????? [?]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Run]
??????????????????????? [?]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\istray]
--a--c--- 2008-07-16 09:16 1166216 C:\Program Files\Spyware Doctor\pctsTray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Onet.pl AutoUpdate]
--a--c--- 2005-07-27 11:59 260096 C:\Program Files\Common Files\Onet.pl\AutoUpdate.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PublishPDF]
--a--c--- 2003-08-06 18:33 28672 C:\WINDOWS\PublishPDF\ppdfload.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-04-10 21:33 155648 C:\Program Files\QuickTime\qttask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--a------ 2004-11-02 20:24 32768 C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-07-19 16:35]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-07-19 16:37]
S3 PD1030VID;Creative WebCam Pro;C:\WINDOWS\system32\DRIVERS\P1030Vid.sys [2002-05-21 03:00]
.
Contents of the 'Scheduled Tasks' folder
2007-07-28 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1167680034.job
- C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-06 01:52]
.
- - - - ORPHANS REMOVED - - - -
MSConfigStartUp-Registry Cleaner - C:\Program Files\Registry Cleaner Trial\Regclean.exe
MSConfigStartUp-SsAAD - C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
MSConfigStartUp-SunServer - C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
MSConfigStartUp-WinampAgent - C:\Program Files\Winamp\winampa.exe
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Strzelec\Dane aplikacji\Mozilla\Firefox\Profiles\x2nhgvj0.default\
FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2685&invocationType=tb50ffwinampie7&query=
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.wp.pl/
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-10 19:35:49
Windows 5.1.2600 Dodatek Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\9cd5e1c0]
"ImagePath"="\SystemRoot\System32\drivers\9cd5e1c0.sys"
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\taskmgr.exe
.
**************************************************************************
.
Completion time: 2008-08-10 19:44:03 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-10 17:43:52
Pre-Run: 1,807,753,216 bajtów wolnych
Post-Run: 1,964,896,256 bajtów wolnych
157 --- E O F --- 2008-07-08 22:20:49