Logfile of HijackThis v1.99.1
Scan saved at 21:35, on 2007-06-21
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Winkov.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Gadu-Gadu\gg.exe
C:\Program Files\Messenger\msmsgsgmw.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Windows NT\Accessories\wordpad.exe
C:\WINDOWS\System32\svchost.exe
C:\DOCUME~1\Karol\USTAWI~1\Temp\Rar$EX00.922\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.bearshare.com/pl/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = L1cza
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: RaConfig2500.lnk = C:\Program Files\RALINK\RT2500 Wireless LAN Card\Installer\WINXP\RaConfig2500.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Winkov - Unknown owner - C:\WINDOWS\System32\Winkov.exe
"Silent Runners.vbs", revision R50,
http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"
Startup items buried in registry:
---------------------------------
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"MSMSGS" = ""C:\Program Files\Messenger\msmsgs.exe" /background" [MS]
"Gadu-Gadu" = ""C:\Program Files\Gadu-Gadu\gg.exe" /tray" ["Gadu-Gadu S.A."]
"Skype" = ""C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized" ["Skype Technologies S.A."]
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"ATICCC" = ""C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay" [null data]
"SunJavaUpdateSched" = ""C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"" ["Sun Microsystems, Inc."]
"SoundMan" = "SOUNDMAN.EXE" [file not found]
"BearShare" = ""C:\Program Files\BearShare\BearShare.exe" /pause" ["Free Peers, Inc."]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "AcroIEHlprObj Class"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
-> {HKLM...CLSID} = "SSVHelper Class"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll" ["Sun Microsystems, Inc."]
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"
-> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{32714800-2E5F-11d0-8B85-00AA0044F941}" = "&Do osób..."
-> {HKLM...CLSID} = "&Do osób..."
\InProcServer32\(Default) = "C:\Program Files\Outlook Express\wabfind.dll" [file not found]
"{5E2121EE-0300-11D4-8D3B-444553540000}" = "Catalyst Context Menu extension"
-> {HKLM...CLSID} = "SimpleShlExt Class"
\InProcServer32\(Default) = "C:\Program Files\ATI Technologies\ATI.ACE\atiacmxx.dll" [empty string]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{23170F69-40C1-278A-1000-000100020000}" = "7-Zip Shell Extension"
-> {HKLM...CLSID} = "7-Zip Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\7-Zip\7-zip.dll" ["Igor Pavlov"]
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]
HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
7-Zip\(Default) = "{23170F69-40C1-278A-1000-000100020000}"
-> {HKLM...CLSID} = "7-Zip Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\7-Zip\7-zip.dll" ["Igor Pavlov"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
7-Zip\(Default) = "{23170F69-40C1-278A-1000-000100020000}"
-> {HKLM...CLSID} = "7-Zip Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\7-Zip\7-zip.dll" ["Igor Pavlov"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------
Note: detected settings may not have any effect.
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\
"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}
"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}
Active Desktop and Wallpaper:
-----------------------------
Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "%APPDATA%\Mozilla\Firefox\Tapeta pulpitu.bmp"
Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Karol\Dane aplikacji\Mozilla\Firefox\Tapeta pulpitu.bmp"
ComboFix 07-06-18.2 - C:\Documents and Settings\Karol\Pulpit\ComboFix.exe
"Karol" - 2007-06-21 21:41:36 NTFS
((((((((((((((((((((((((( Files Created from 2007-05-21 to 2007-06-21 )))))))))))))))))))))))))))))))
2007-06-21 20:46 10,240 --a------ C:\Program Files\Fkq1.exe
2007-06-21 18:38 10,240 --a------ C:\Program Files\JftF.exe
2007-06-21 18:34 10,240 --a------ C:\Program Files\Fj1.exe
2007-06-21 17:56 10,240 --a------ C:\Program Files\DyeC.exe
2007-06-21 17:55 10,240 --a------ C:\Program Files\Vzz1.exe
2007-06-20 15:17 <DIR> d-------- C:\Program Files\7-Zip
2007-06-19 17:21 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-18 22:41 524,288 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-06-18 22:41 <DIR> dr-h----- C:\DOCUME~1\ADMINI~1\Dane aplikacji
2007-06-18 22:41 <DIR> dr------- C:\DOCUME~1\ADMINI~1\Menu Start
2007-06-18 22:41 <DIR> d--h----- C:\DOCUME~1\ADMINI~1\Ustawienia lokalne
2007-06-18 22:41 <DIR> d--h----- C:\DOCUME~1\ADMINI~1\Szablony
2007-06-18 22:41 <DIR> d-------- C:\DOCUME~1\ADMINI~1\Ulubione
2007-06-18 22:41 <DIR> d-------- C:\DOCUME~1\ADMINI~1\Pulpit
2007-06-18 22:41 <DIR> d-------- C:\DOCUME~1\ADMINI~1\Moje dokumenty
2007-06-18 22:36 <DIR> d--hs---- C:\WINDOWS\CSC
2007-06-17 18:07 442,368 -ra------ C:\WINDOWS\system32\vp6vfw.dll
2007-06-17 18:07 <DIR> d-------- C:\Program Files\EA GAMES
2007-06-17 15:13 <DIR> d-------- C:\Program Files\Volleyball Manager
2007-06-06 08:06 94,552 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-06-06 08:06 85,952 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2007-06-06 08:05 745,600 --a------ C:\WINDOWS\system32\aswBoot.exe
2007-06-06 08:05 499,712 --a------ C:\WINDOWS\system32\MSVCP71.dll
2007-06-06 08:05 348,160 --a------ C:\WINDOWS\system32\MSVCR71.dll
2007-06-06 08:05 1,060,864 --a------ C:\WINDOWS\system32\MFC71.dll
2007-06-06 08:03 <DIR> d-------- C:\Program Files\Alwil Software
2007-06-05 22:20 4 --a------ C:\WINDOWS\system32\proc625010911.bin
2007-06-05 22:20 <DIR> d-------- C:\DOCUME~1\Karol\DANEAP~1\GanymedeNet
2007-06-03 18:51 <DIR> d-------- C:\Program Files\GSC Game World
2007-06-01 12:40 685,816 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2007-06-01 08:14 <DIR> d-------- C:\Program Files\AC3Filter
2007-06-01 08:08 <DIR> d-------- C:\Program Files\BearShare
2007-06-01 08:08 <DIR> d-------- C:\My Downloads
2007-05-23 19:19 <DIR> d-------- C:\WINDOWS\Cache
2007-05-22 18:25 <DIR> d-------- C:\Program Files\EA SPORTS
2007-05-22 18:23 292,864 --a------ C:\WINDOWS\system32\ddraw.dll
2007-05-22 18:23 24,064 --a------ C:\WINDOWS\system32\ddrawex.dll
2007-05-22 18:22 98,816 --a------ C:\WINDOWS\system32\dmstyle.dll
2007-05-22 18:22 974,848 --a------ C:\WINDOWS\system32\dxdiag.exe
2007-05-22 18:22 83,968 --a------ C:\WINDOWS\system32\drivers\nabtsfec.sys
2007-05-22 18:22 80,896 --a------ C:\WINDOWS\system32\dpvsetup.exe
2007-05-22 18:22 76,800 --a------ C:\WINDOWS\system32\dmscript.dll
2007-05-22 18:22 733,184 --a------ C:\WINDOWS\system32\qedwipes.dll
2007-05-22 18:22 7,424 --a------ C:\WINDOWS\system32\drivers\mskssrv.sys
2007-05-22 18:22 667,648 --a------ C:\WINDOWS\system32\dinput8.dll
2007-05-22 18:22 64,512 --a------ C:\WINDOWS\system32\amstream.dll
2007-05-22 18:22 58,368 --a------ C:\WINDOWS\system32\dmcompos.dll
2007-05-22 18:22 52,096 --a------ C:\WINDOWS\system32\drivers\msdv.sys
2007-05-22 18:22 5,504 --a------ C:\WINDOWS\system32\drivers\mstee.sys
2007-05-22 18:22 5,248 --a------ C:\WINDOWS\system32\drivers\mspclock.sys
2007-05-22 18:22 491,520 --a------ C:\WINDOWS\system32\dsdmoprp.dll
2007-05-22 18:22 48,512 --a------ C:\WINDOWS\system32\drivers\stream.sys
2007-05-22 18:22 470,528 --a------ C:\WINDOWS\system32\qdvd.dll
2007-05-22 18:22 47,104 --a------ C:\WINDOWS\system32\wstdecod.dll
2007-05-22 18:22 46,592 --a------ C:\WINDOWS\system32\dxdllreg.exe
2007-05-22 18:22 4,608 --a------ C:\WINDOWS\system32\drivers\mspqm.sys
2007-05-22 18:22 4,096 --a------ C:\WINDOWS\system32\ksuser.dll
2007-05-22 18:22 4,096 --a------ C:\WINDOWS\system32\drivers\swenum.sys
2007-05-22 18:22 381,952 --a------ C:\WINDOWS\system32\dpvoice.dll
2007-05-22 18:22 354,816 --a------ C:\WINDOWS\system32\psisdecd.dll
2007-05-22 18:22 34,304 --a------ C:\WINDOWS\system32\mciqtz32.dll
2007-05-22 18:22 33,280 --a------ C:\WINDOWS\system32\dmloader.dll
2007-05-22 18:22 324,096 --a------ C:\WINDOWS\system32\mswebdvd.dll
2007-05-22 18:22 316,928 --a------ C:\WINDOWS\system32\qdv.dll
2007-05-22 18:22 27,136 --a------ C:\WINDOWS\system32\dmband.dll
2007-05-22 18:22 257,024 --a------ C:\WINDOWS\system32\qcap.dll
2007-05-22 18:22 19,968 --a------ C:\WINDOWS\system32\dpvacm.dll
2007-05-22 18:22 186,880 --a------ C:\WINDOWS\system32\dsdmo.dll
2007-05-22 18:22 181,248 --a------ C:\WINDOWS\system32\dmime.dll
2007-05-22 18:22 18,944 --a------ C:\WINDOWS\system32\encapi.dll
2007-05-22 18:22 18,688 --a------ C:\WINDOWS\system32\drivers\wstcodec.sys
2007-05-22 18:22 18,432 --a------ C:\WINDOWS\system32\dswave.dll
2007-05-22 18:22 16,896 --a------ C:\WINDOWS\system32\msyuv.dll
2007-05-22 18:22 16,384 --a------ C:\WINDOWS\system32\drivers\ccdecode.sys
2007-05-22 18:22 15,104 --a------ C:\WINDOWS\system32\drivers\mpe.sys
2007-05-22 18:22 14,976 --a------ C:\WINDOWS\system32\drivers\streamip.sys
2007-05-22 18:22 132,608 --a------ C:\WINDOWS\system32\devenum.dll
2007-05-22 18:22 130,304 --a------ C:\WINDOWS\system32\drivers\ks.sys
2007-05-22 18:22 13,312 --a------ C:\WINDOWS\system32\msdmo.dll
2007-05-22 18:22 122,880 --a------ C:\WINDOWS\system32\dmusic.dll
2007-05-22 18:22 112,128 --a------ C:\WINDOWS\system32\dpvvox.dll
2007-05-22 18:22 11,392 --a------ C:\WINDOWS\system32\drivers\bdasup.sys
2007-05-22 18:22 100,864 --a------ C:\WINDOWS\system32\dmsynth.dll
2007-05-22 18:22 10,880 --a------ C:\WINDOWS\system32\drivers\slip.sys
2007-05-22 18:22 10,496 --a------ C:\WINDOWS\system32\drivers\dxapi.sys
2007-05-22 18:22 10,112 --a------ C:\WINDOWS\system32\drivers\ndisip.sys
2007-05-22 18:22 1,962,496 --a------ C:\WINDOWS\system32\quartz.dll
2007-05-22 18:22 1,798,144 --a------ C:\WINDOWS\system32\qedit.dll
2007-05-22 18:22 1,769,472 --a------ C:\WINDOWS\system32\dxdiagn.dll
2007-05-22 18:22 1,703,936 --a------ C:\WINDOWS\system32\d3d9.dll
2007-05-22 18:22 1,230,336 --a------ C:\WINDOWS\system32\msvidctl.dll
2007-05-22 18:22 1,201,152 --a------ C:\WINDOWS\system32\d3d8.dll
2007-05-22 18:22 <DIR> d-------- C:\WINDOWS\RegisteredPackages
2007-05-22 18:21 8,192 --a------ C:\WINDOWS\system32\d3d8thk.dll
2007-05-22 18:21 797,184 --a------ C:\WINDOWS\system32\d3dim700.dll
2007-05-22 18:21 79,360 --a------ C:\WINDOWS\system32\dpwsockx.dll
2007-05-22 18:21 77,824 --a------ C:\WINDOWS\system32\dpmodemx.dll
2007-05-22 18:21 723,968 --a------ C:\WINDOWS\system32\dpnet.dll
2007-05-22 18:21 68,096 --a------ C:\WINDOWS\system32\dpnhupnp.dll
2007-05-22 18:21 648,704 --a------ C:\WINDOWS\system32\dinput.dll
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-06-21 18:58:06 -------- d-----w C:\DOCUME~1\Karol\DANEAP~1\Skype
2007-06-19 17:49:33 67,078 ----a-w C:\WINDOWS\system32\perfc015.dat
2007-06-19 17:49:33 435,978 ----a-w C:\WINDOWS\system32\perfh015.dat
2007-06-13 19:27:40 2,320 ----a-w C:\WINDOWS\mozver.dat
2007-06-03 16:51:45 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-05-23 17:08:54 -------- d-----w C:\Program Files\Gadu-Gadu
2007-05-22 15:59:24 -------- d-----w C:\Program Files\Messenger
2007-05-18 20:54:46 93,602 --sha-r C:\WINDOWS\system32\Winkov.exe
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll [2003-11-04 00:17]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll [2006-11-09 16:21]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 17:41]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe" [2006-11-09 16:07]
"SoundMan"="SOUNDMAN.EXE" []
"BearShare"="C:\Program Files\BearShare\BearShare.exe" [2006-08-01 17:04]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2001-08-02 08:14]
"Gadu-Gadu"="C:\Program Files\Gadu-Gadu\gg.exe" [2006-11-14 11:12]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2006-12-18 18:32]
**************************************************************************
catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer,
http://www.gmer.net
Rootkit scan 2007-06-21 21:42:49
Windows 5.1.2600 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Completion time: 2007-06-21 21:43:14
C:\ComboFix2.txt ... 2007-06-20 20:04
C:\ComboFix3.txt ... 2007-06-19 17:29
--- E O F ---