ComboFix 08-07-23.4 - STACJA 2008-07-24 12:36:56.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1250.1.1045.18.84 [GMT 2:00]
Running from: C:\Documents and Settings\STACJA\Pulpit\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Autorun.inf
C:\Program Files\Common Files\vcclient
C:\Program Files\Common Files\vcclient\ClientUpdater.bat
C:\Program Files\Common Files\vcclient\ICSharpCode.SharpZipLib.dll
C:\Program Files\Common Files\vcclient\VCClient.exe.config
C:\Program Files\Common Files\vcclient\VCUpdate.exe
C:\Program Files\Common Files\vcclient\VCUpdate.exe.config
C:\Program Files\Common Files\vcclient\Version.txt
C:\Program Files\winupdates
C:\Program Files\winupdates\a.zip
C:\WINDOWS.0\desktop.html
C:\WINDOWS.0\hosts
C:\WINDOWS.0\secure32.html
C:\WINDOWS.0\system32\bszip.dll
C:\WINDOWS.0\system32\ckvo.exe
C:\WINDOWS.0\system32\ckvo0.dll
C:\WINDOWS.0\system32\cmd.com
C:\WINDOWS.0\system32\guard.tmp
C:\WINDOWS.0\system32\netstat.com
C:\WINDOWS.0\system32\ping.com
C:\WINDOWS.0\system32\regedit.com
C:\WINDOWS.0\system32\svcp.csv
C:\WINDOWS.0\system32\taskkill.com
C:\WINDOWS.0\system32\tasklist.com
C:\WINDOWS.0\system32\tracert.com
C:\WINDOWS.0\system32\winsub.xml
C:\WINDOWS.0\system32\zlbw.dll
.
((((((((((((((((((((((((( Files Created from 2008-06-24 to 2008-07-24 )))))))))))))))))))))))))))))))
.
2008-07-24 12:30 . 2008-07-24 12:30
2008-07-24 12:30 . 2008-07-24 12:30
2008-07-24 12:30 . 2008-07-24 12:30 17,408 --a------ C:\WINDOWS.0\system32\drivers\pxark.sys
2008-07-24 06:58 . 2008-07-24 06:57 117,946 -r-hs---- C:\g2pfnid.com
2008-07-23 08:13 . 2008-07-24 06:57 77,312 -r-hs---- C:\WINDOWS.0\system32\ckvo1.dll
2008-07-07 12:20 . 2008-07-07 12:20 10,257 --a------ C:\SP__DZIELCZE_GOSPODASTWO_ROLNE_W_BRUSACH_ZUS_2008-06.kdu
2008-07-01 10:00 . 2008-07-24 10:25
2008-06-27 08:11 . 2008-07-16 09:03
2008-06-27 08:11 . 2008-06-27 08:11 56 --ah----- C:\WINDOWS.0\system32\ezsidmv.dat
2008-06-27 08:09 . 2008-07-24 10:25
2008-06-26 12:55 . 2008-06-26 12:55
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-24 10:42 262,144 ---ha-w C:\Documents and Settings\NetworkService.ZARZąDZANIE NT\NTUSER.DAT
2008-07-24 10:42 262,144 ---ha-w C:\Documents and Settings\NetworkService.ZARZąDZANIE NT\NTUSER.DAT
2008-07-24 10:42 262,144 ---ha-w C:\Documents and Settings\LocalService.ZARZąDZANIE NT\NTUSER.DAT
2008-07-24 10:42 262,144 ---ha-w C:\Documents and Settings\LocalService.ZARZąDZANIE NT\NTUSER.DAT
2008-07-24 10:19 --------- d-----w C:\Documents and Settings\STACJA\Dane aplikacji\InsERT GT
2008-07-24 08:22 --------- d-----w C:\Program Files\Gadu-Gadu
2008-07-24 05:37 --------- d-----w C:\Program Files\WeatherCast
2008-07-18 07:30 --------- d-----w C:\Documents and Settings\STACJA\Dane aplikacji\AdobeUM
2008-07-15 13:05 --------- d-----w C:\Documents and Settings\All Users.WINDOWS.0\Dane aplikacji\InsERT
2008-06-20 17:42 246,784 ----a-w C:\WINDOWS.0\system32\mswsock.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS.0\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS.0\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS.0\system32\drivers\tcpip6.sys
2008-06-14 18:01 273,024 ------w C:\WINDOWS.0\system32\drivers\bthport.sys
2008-06-04 12:25 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-05-31 19:09 55,104 ----a-r C:\WINDOWS.0\system32\w95scm.DLL
2008-05-07 05:16 1,291,264 ----a-w C:\WINDOWS.0\system32\quartz.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS.0\system32\ctfmon.exe" [2004-08-04 09:44 15360]
"WeatherCast"="C:\Program Files\WeatherCast\Weather.exe" [2004-02-19 12:17 132096]
"Orb"="C:\Program Files\Winamp Remote\bin\OrbTray.exe" [2007-12-18 03:02 471040]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 18:24 1694208]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-12-12 11:31 335872]
"AdaptecDirectCD"="C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2003-03-26 11:15 684032]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-05-16 01:19 79224]
"Samsung PanelMgr"="C:\WINDOWS.0\Samsung\PanelMgr\ssmmgr.exe" [2006-08-16 05:10 503808]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2007-12-20 17:16 37376]
"SoundMan"="SOUNDMAN.EXE" [2003-12-18 08:00 64512 C:\WINDOWS.0\SOUNDMAN.EXE]
[HKEY_USERS.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS.0\System32\CTFMON.EXE" [2004-08-04 09:44 15360]
C:\Documents and Settings\All Users.WINDOWS.0\Menu Start\Programy\Autostart\
Microsoft Find Fast.lnk - C:\Program Files\Microsoft Office\Office\FINDFAST.EXE [1997-10-06 01:00:00 111376]
Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2002-12-17 16:23:32 74308]
Uruchamianie pakietu Office.lnk - C:\Program Files\Microsoft Office\Office\OSA.EXE [1997-10-06 01:00:00 51984]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 18:24 1694208 C:\Program Files\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe"=
"C:\Program Files\Winamp Remote\bin\Orb.exe"=
"C:\Program Files\Winamp Remote\bin\OrbTray.exe"=
"C:\Program Files\Winamp Remote\bin\OrbStreamerClient.exe"=
R0 pxark;pxark;C:\WINDOWS.0\system32\drivers\pxark.sys [2008-07-24 12:30]
R1 aswSP;avast! Self Protection;C:\WINDOWS.0\system32\drivers\aswSP.sys [2008-05-16 01:20]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS.0\system32\DRIVERS\aswFsBlk.sys [2008-05-16 01:16]
R2 CSIScanner;CSIScanner;C:\Program Files\PrevxCSI\prevxcsi.exe [2008-07-24 12:30]
R2 MSSQL$INSERTGT;MSSQL$INSERTGT;C:\Program Files\Microsoft SQL Server\MSSQL$INSERTGT\Binn\sqlservr.exe [2002-12-17 16:26]
R2 SVKP;SVKP;C:\WINDOWS.0\system32\SVKP.sys [2005-09-19 09:39]
R3 usbscan;Sterownik skanera USB;C:\WINDOWS.0\system32\DRIVERS\usbscan.sys [2004-08-04 07:58]
S3 MTK;Media Technology Kernel Driver;C:\WINDOWS.0\system32\Drivers\mtk.sys []
S3 SQLAgent$INSERTGT;SQLAgent$INSERTGT;C:\Program Files\Microsoft SQL Server\MSSQL$INSERTGT\Binn\sqlagent.EXE [2002-12-17 16:23]
S3 USBSTOR;Sterownik magazynu masowego USB;C:\WINDOWS.0\system32\DRIVERS\USBSTOR.SYS [2004-08-04 09:08]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{35e44e00-997c-11da-90fd-4d6564696130}]
\Shell\AutoRun\command - C:\WINDOWS.0\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled\ctfmon.exe
\Shell\Open(0)\command - Recycled\ctfmon.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{91d8bcfa-f8a8-11db-92cd-4d6564696130}]
\Shell\AutoRun\command - EXPLORER.EXE
\Shell\explore\Command - EXPLORER.EXE
\Shell\open\Command - EXPLORER.EXE
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{a39fcbcb-3b7c-11dd-942f-000feac705da}]
\Shell\AutoRun\command - 1nkbd8h.bat
\Shell\explore\Command - 1nkbd8h.bat
\Shell\open\Command - 1nkbd8h.bat
.
-
-
-
- ORPHANS REMOVED - - - -
-
-
HKCU-Run-kamsoft - C:\WINDOWS.0\system32\ckvo.exe
HKLM-Run-BearShare - C:\BearShare\BearShare.exe
MSConfigStartUp-aupd - C:\WINDOWS.0\system32\sywsvcs.exe
MSConfigStartUp-BearShare - C:\BearShare\BearShare.exe
MSConfigStartUp-CU1 - C:\Program Files\Common Files\VCClient\VCClient.exe
MSConfigStartUp-CU2 - C:\Program Files\Common Files\VCClient\VCMain.exe
MSConfigStartUp-drsmartloadb - c:\drsmartloadb.exe
MSConfigStartUp-PayTime - C:\WINDOWS.0\system32\paytime.exe
MSConfigStartUp-Services - C:\WINDOWS.0\system32\17.tmp
MSConfigStartUp-Windows installer - C:\winstall.exe
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.onet.pl/
R0 -: HKLM-Main,Local Page = c:\secure32.html
R0 -: HKLM-Main,Start Page = c:\secure32.html
R1 -: HKCU-Internet Connection Wizard,ShellNext = iexplore
O8 -: Winamp Toolbar Search - C:\Documents and Settings\All Users.WINDOWS.0\Dane aplikacji\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
O17 -: HKLM\CCS\Interface{01F0EC93-1E7F-4C49-8CA0-1DA730982406}: NameServer = 194.204.159.1,194.204.152.34
O16 -: DirectAnimation Java Classes - file://C:\WINDOWS.0\Java\classes\dajava.cab
C:\WINDOWS.0\Downloaded Program Files\DirectAnimation Java Classes.osd
O16 -: Microsoft XML Parser for Java - file://C:\WINDOWS.0\Java\classes\xmldso.cab
C:\WINDOWS.0\Downloaded Program Files\Microsoft XML Parser for Java.osd
O16 -: {92ECE6FA-AC2E-4042-BFAE-0C8608E52A41} - hxxps://www.pekaobiznes24.pl/components … XPEKAO.cab
C:\WINDOWS.0\Downloaded Program Files\SignActivXPEKAO.ocx
O16 -: {92ECE6FA-AC2E-4042-BFAE-0C8608E52A43} - hxxp://www.bph.pl/static/demo/demo_seza … ActivX.cab
C:\WINDOWS.0\Downloaded Program Files\SignActivX.ocx
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-24 12:43:45
Windows 5.1.2600 Dodatek Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\iexplore.exe
.
**************************************************************************
.
Completion time: 2008-07-24 12:52:53 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-24 10:52:42
Pre-Run: 66,262,102,016 bajtów wolnych
Post-Run: 66,695,610,368 bajtów wolnych
182 --- E O F --- 2008-07-09 12:01:15