Amvo.exe - log check

Here are my logs, thanks in advance.

ComboFix 08-04-22.5 - _przemek_ 2008-04-23 19:07:24.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.2889 [GMT 2:00]

Running from: C:\Documents and Settings\_przemek_\Pulpit\ComboFix.exe

Command switches used :: C:\Documents and Settings\_przemek_\Pulpit\CFScript.log

* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED!!

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\Autorun.inf

C:\WINDOWS\system32\amvo0.dll

C:\WINDOWS\system32\amvo1.dll

D:\Autorun.inf

E:\Autorun.inf

.

((((((((((((((((((((((((( Files Created from 2008-03-23 to 2008-04-23 )))))))))))))))))))))))))))))))

.

2008-04-23 18:50 . 2008-04-23 18:50

2008-04-23 18:48 . 2008-04-23 18:48

2008-04-23 18:48 . 2008-04-23 18:58

2008-04-23 18:25 . 2008-04-23 18:35

2008-04-23 00:15 . 2008-04-23 00:18

2008-04-23 00:15 . 2008-02-01 17:07 18,487 --a------ C:\WINDOWS\system32\Ntaccess.sys

2008-04-23 00:15 . 2004-07-23 16:09 13,368 --a------ C:\WINDOWS\system32\FlashVxd.vxd

2008-04-23 00:15 . 2008-01-31 17:18 9,216 --a------ C:\WINDOWS\system32\drivers\FlashSys.sys

2008-04-23 00:02 . 2008-04-23 00:19

2008-04-22 23:59 . 1998-10-02 19:00 327,168 --a------ C:\WINDOWS\IsUninst.exe

2008-04-22 19:12 . 2008-04-22 19:12

2008-04-22 17:31 . 2008-04-22 17:31

2008-04-22 17:07 . 2007-07-09 15:11 584,192 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll

2008-04-22 17:01 . 2008-04-22 23:15

2008-04-22 17:01 . 2008-04-22 17:01 45 --a------ C:\WINDOWS\system32\initdebug.nfo

2008-04-21 23:06 . 2008-04-23 19:05

2008-04-21 21:48 . 2008-04-21 21:48

2008-04-21 21:34 . 2008-04-21 21:34

2008-04-21 21:34 . 2008-04-21 21:34

2008-04-21 21:33 . 2008-04-21 21:33

2008-04-21 21:31 . 2008-04-21 21:34

2008-04-21 21:10 . 2008-04-21 21:10

2008-04-21 20:58 . 2008-04-21 21:10

2008-04-21 20:58 . 2008-04-21 20:58

2008-04-21 20:58 . 2008-04-21 20:58

2008-04-21 20:58 . 2008-04-21 20:58

2008-04-21 20:58 . 2008-04-21 20:58

2008-04-21 20:57 . 2008-04-21 21:08

2008-04-21 20:57 . 2008-04-21 21:05

2008-04-21 20:55 . 2002-04-15 21:11 67,866 --------- C:\WINDOWS\system32\drivers\netwlan5.img

2008-04-21 20:55 . 2004-08-04 00:44 11,776 --------- C:\WINDOWS\system32\spnpinst.exe

2008-04-21 20:55 . 2004-08-02 14:20 7,208 --------- C:\WINDOWS\system32\secupd.sig

2008-04-21 20:55 . 2004-08-02 14:20 4,569 --------- C:\WINDOWS\system32\secupd.dat

2008-04-21 20:38 . 2005-10-21 00:30 1,092,608 --a------ C:\WINDOWS\system32\esent.dll

2008-04-21 18:41 . 2008-04-21 00:24 104,925 -r-hs---- C:\dwvo.cmd

2008-04-21 18:40 . 2008-04-21 18:40

2008-04-21 18:40 . 2008-04-22 18:46

2008-04-21 18:39 . 2004-08-04 09:44 351,232 --a------ C:\WINDOWS\system32\winhttp.dll

2008-04-21 18:39 . 2004-08-04 09:44 18,944 --a------ C:\WINDOWS\system32\qmgrprxy.dll

2008-04-21 18:39 . 2004-08-04 09:43 8,192 --------- C:\WINDOWS\system32\bitsprx2.dll

2008-04-21 18:39 . 2004-08-04 09:43 7,168 --------- C:\WINDOWS\system32\bitsprx3.dll

2008-04-21 18:38 . 2008-04-21 18:38

2008-04-21 18:38 . 2004-07-26 16:16 1,568,768 --------- C:\WINDOWS\system32\ImagX7.dll

2008-04-21 18:38 . 2004-07-26 16:16 476,320 --------- C:\WINDOWS\system32\ImagXpr7.dll

2008-04-21 18:38 . 2004-07-26 16:16 471,040 --------- C:\WINDOWS\system32\ImagXRA7.dll

2008-04-21 18:38 . 2004-07-09 08:43 364,544 --------- C:\WINDOWS\system32\TwnLib4.dll

2008-04-21 18:38 . 2004-07-26 16:16 262,144 --------- C:\WINDOWS\system32\ImagXR7.dll

2008-04-21 18:38 . 2001-07-09 10:50 155,648 --a------ C:\WINDOWS\system32\NeroCheck.exe

2008-04-21 18:38 . 2000-06-26 10:45 106,496 --a------ C:\WINDOWS\system32\TwnLib20.dll

2008-04-21 18:38 . 2008-04-21 18:38 1,024 --ah----- C:\Documents and Settings\Default User\NtUser.dat.LOG

2008-04-21 18:36 . 2008-04-21 18:36

2008-04-21 18:36 . 2008-04-21 18:36

2008-04-21 18:35 . 2008-04-21 18:35

2008-04-21 18:35 . 2007-07-30 19:19 549,720 --a------ C:\WINDOWS\system32\wuapi.dll

2008-04-21 18:35 . 2007-07-30 19:19 325,976 --a------ C:\WINDOWS\system32\wucltui.dll

2008-04-21 18:35 . 2007-07-30 19:19 216,408 --a------ C:\WINDOWS\system32\wuaucpl.cpl

2008-04-21 18:35 . 2007-07-30 19:19 203,096 --a------ C:\WINDOWS\system32\wuweb.dll

2008-04-21 18:35 . 2004-08-03 14:04 187,160 --a------ C:\WINDOWS\system32\wuaueng1.dll

2008-04-21 18:35 . 2004-08-03 14:03 170,264 --a------ C:\WINDOWS\system32\wuauclt1.exe

2008-04-21 18:35 . 2007-07-30 19:18 33,624 --a------ C:\WINDOWS\system32\wups.dll

2008-04-21 18:34 . 2008-04-21 20:49

2008-04-21 18:34 . 2008-04-23 19:06 769 --a------ C:\WINDOWS\wincmd.ini

2008-04-21 18:34 . 2005-02-02 06:51 545 --a------ C:\WINDOWS\UC.PIF

2008-04-21 18:34 . 2005-02-02 06:51 545 --a------ C:\WINDOWS\RAR.PIF

2008-04-21 18:34 . 2005-02-02 06:51 545 --a------ C:\WINDOWS\PKZIP.PIF

2008-04-21 18:34 . 2005-02-02 06:51 545 --a------ C:\WINDOWS\PKUNZIP.PIF

2008-04-21 18:34 . 2005-02-02 06:51 545 --a------ C:\WINDOWS\NOCLOSE.PIF

2008-04-21 18:34 . 2005-02-02 06:51 545 --a------ C:\WINDOWS\LHA.PIF

2008-04-21 18:34 . 2005-02-02 06:51 545 --a------ C:\WINDOWS\ARJ.PIF

2008-04-21 18:33 . 2008-04-21 18:33

2008-04-21 18:33 . 2008-04-21 18:33

2008-04-21 18:33 . 2008-04-21 18:33 282,624 --a------ C:\WINDOWS\system32\dfxg11.dll.bak

2008-04-21 18:33 . 2008-04-21 18:33 282,624 --a------ C:\WINDOWS\system32\dfxg11.dll

2008-04-21 18:32 . 2008-04-22 18:59

2008-04-21 18:32 . 2008-04-22 19:17 95 --a------ C:\WINDOWS\winamp.ini

2008-04-21 02:03 . 2008-04-21 00:11 261 --a------ C:\WINDOWS\system32\$winnt$.inf

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-04-21 18:57 --------- d-----w C:\Program Files\Common Files\InstallShield

2008-04-21 16:38 --------- d-----w C:\Program Files\Common Files\Ahead

2008-04-21 16:38 --------- d-----w C:\Program Files\Ahead

2008-04-20 22:32 --------- d-----w C:\Program Files\ZoneAlarmSB

2008-04-20 22:31 --------- d-----w C:\Program Files\Zone Labs

2008-04-20 22:31 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\MailFrontier

2008-04-20 22:29 --------- d-----w C:\Program Files\ffdshow

2008-04-20 22:28 --------- d-----w C:\Program Files\OCCT

2008-04-20 22:24 315,392 ----a-w C:\WINDOWS\HideWin.exe

2008-04-20 22:24 --------- d--h--w C:\Program Files\InstallShield Installation Information

2008-04-20 22:24 --------- d-----w C:\Program Files\Realtek

2008-04-20 22:20 --------- d-----w C:\Program Files\Opera

2008-04-20 22:14 --------- d-----w C:\Program Files\ATI Technologies

2008-04-20 22:09 --------- d-----w C:\Program Files\microsoft frontpage

2008-04-20 22:07 --------- d-----w C:\Program Files\Usługi online

2008-04-20 13:43 103,885 --sh--r C:\mug0sd.cmd

2008-03-20 08:09 1,845,504 ----a-w C:\WINDOWS\system32\win32k.sys

2008-03-13 21:11 75,248 ----a-w C:\WINDOWS\zllsputility.exe

2008-03-13 21:11 1,086,952 ----a-w C:\WINDOWS\system32\zpeng24.dll

2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll

2008-02-20 05:38 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA}]

2008-04-21 00:32 262144 --a------ C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"= "C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL" [2008-04-21 00:32 262144]

[HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"RTHDCPL"="RTHDCPL.EXE" [2007-10-12 10:33 16384512 C:\WINDOWS\RTHDCPL.exe]

"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-03-13 23:11 919016]

"WinampAgent"="C:\Program Files\Winamp\Winampa.exe" []

"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]

"LiveMonitor"="C:\Program Files\MSI\Live Update 3\LMonitor.exe" [2008-03-14 11:41 498176]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 09:44 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\system32\sessmgr.exe"=

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6f3dfe42-0f35-11dd-8205-806d6172696f}]

\Shell\AutoRun\command - D:\vqv.exe

\Shell\explore\Command - D:\vqv.exe

\Shell\open\Command - D:\vqv.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6f3dfe43-0f35-11dd-8205-806d6172696f}]

\Shell\AutoRun\command - E:\vqv.exe

\Shell\explore\Command - E:\vqv.exe

\Shell\open\Command - E:\vqv.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6f3dfe45-0f35-11dd-8205-806d6172696f}]

\Shell\AutoRun\command - C:\vqv.exe

\Shell\explore\Command - C:\vqv.exe

\Shell\open\Command - C:\vqv.exe

*Newly Created Service* - CATCHME

.

**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-04-23 19:07:47

Windows 5.1.2600 Dodatek Service Pack 2 NTFS

scanning hidden processes …

scanning hidden autostart entries …

scanning hidden files …

scan completed successfully

hidden files: 0

**************************************************************************

.

Completion time: 2008-04-23 19:08:09

ComboFix-quarantined-files.txt 2008-04-23 17:08:06

Pre-Run: 12,785,672,192 bajtów wolnych

Post-Run: 12,958,568,448 bajtów wolnych

174 --- E O F --- 2008-04-22 16:48:08

Download ComboFix, but do not run it.

Paste into Notepad:

File::

C:\dwvo.cmd

C:\mug0sd.cmd


Registry::

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2]

File -> Save As -> CFScript.txt (it will be easiest if you save it in a location where the CFScript.txt icon ends up next to the ComboFix.exe icon)

Drag and drop the CFScript.txt icon onto the ComboFix.exe icon, like this ->

[image: 02f8f1e3c410a4cc.gif]

Removal should start and a log will be produced; post that log on the forum.
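As an added example (not part of this forum thread and not ComboFix's own code), here is a small Python triage script that reads a pasted ComboFix log and pulls out the three indicators the helper acted on in the reply above: MountPoints2 shell commands that launch an executable from a drive root (how an Autorun.inf worm re-arms itself on every volume), files dropped in a drive root with hidden+system attributes, and the Security Center / firewall override values. It then renders a CFScript in the same File::/Registry:: layout the reply uses. The embedded sample log is constructed from lines of the logs in this thread; the regular expressions and the line layouts they assume are my reading of the ComboFix report format, not something ComboFix documents.

```python
"""Triage a ComboFix log for Autorun-worm indicators (added example)."""
import re
from dataclasses import dataclass, field

# Assumed layouts, derived from the report format seen in the thread:
#   "\Shell\AutoRun\command - D:\vqv.exe"                        (MountPoints2)
#   "<created> . <modified> <size> <9 attrs> <path>"             (Files Created)
#   "<date> <size> <7 attrs> <path>"                             (Find3M Report)
MOUNTPOINT_RE = re.compile(
    r"^\\Shell\\(?P<verb>AutoRun|explore|open)\\[Cc]ommand - (?P<target>.+)$")
FILE_RE = re.compile(
    r"^\d{4}-\d\d-\d\d \d\d:\d\d \. \d{4}-\d\d-\d\d \d\d:\d\d\s+"
    r"(?P<size>[\d,]+)\s+(?P<attrs>[-a-z]{9})\s+(?P<path>[A-Z]:\\.+)$")
FIND3M_RE = re.compile(
    r"^\d{4}-\d\d-\d\d \d\d:\d\d\s+(?P<size>[\d,]+)\s+"
    r"(?P<attrs>[-a-z]{7})\s+(?P<path>[A-Z]:\\.+)$")
DRIVE_ROOT_RE = re.compile(r"^[A-Z]:\\[^\\]+$", re.IGNORECASE)
OVERRIDE_RE = re.compile(
    r'^"(?P<name>AntiVirusOverride|FirewallOverride|DisableMonitoring)"'
    r"=dword:(?P<val>[0-9a-fA-F]{8})$")
FIREWALL_RE = re.compile(r'^"EnableFirewall"=\s*(?P<val>\d+)')

# Registry key the reply above deletes wholesale to drop the per-volume autorun commands.
MOUNTPOINTS2_KEY = (r"HKEY_CURRENT_USER\software\microsoft\windows"
                    r"\currentversion\explorer\mountpoints2")


@dataclass
class Findings:
    autorun_relays: list = field(default_factory=list)       # (verb, target)
    hidden_root_files: list = field(default_factory=list)    # drive-root paths
    protection_overrides: list = field(default_factory=list)  # value names


def triage(log_text: str) -> Findings:
    """Scan every line of a ComboFix log and collect the three indicator classes."""
    found = Findings()
    for raw in log_text.splitlines():
        # Forum software often turns straight quotes into curly ones; normalise them.
        line = raw.strip().replace("\u201c", '"').replace("\u201d", '"')
        if not line:
            continue
        m = MOUNTPOINT_RE.match(line)
        if m:
            target = m.group("target").strip()
            if DRIVE_ROOT_RE.match(target):   # executable sitting in a drive root
                found.autorun_relays.append((m.group("verb"), target))
            continue
        m = FILE_RE.match(line) or FIND3M_RE.match(line)
        if m:
            attrs, path = m.group("attrs"), m.group("path")
            if "h" in attrs and "s" in attrs and DRIVE_ROOT_RE.match(path):
                found.hidden_root_files.append(path)
            continue
        m = OVERRIDE_RE.match(line)
        if m and int(m.group("val"), 16) != 0:
            found.protection_overrides.append(m.group("name"))
            continue
        m = FIREWALL_RE.match(line)
        if m and m.group("val") == "0":
            found.protection_overrides.append("EnableFirewall=0")
    return found


def build_cfscript(findings: Findings) -> str:
    """Render a CFScript in the File::/Registry:: layout used in the reply above."""
    lines = []
    if findings.hidden_root_files:
        lines.append("File::")
        lines.extend(findings.hidden_root_files)
        lines.append("")
    if findings.autorun_relays:
        lines.append("Registry::")
        lines.append(f"[-{MOUNTPOINTS2_KEY}]")
    return "\n".join(lines) + "\n"


# Constructed sample, assembled from lines of the logs posted in this thread.
SAMPLE_LOG = r"""
2008-04-21 18:41 . 2008-04-21 00:24 104,925 -r-hs---- C:\dwvo.cmd
2008-04-21 18:38 . 2001-07-09 10:50 155,648 --a------ C:\WINDOWS\system32\NeroCheck.exe
2008-04-20 13:43 103,885 --sh--r C:\mug0sd.cmd
2008-03-20 08:09 1,845,504 ----a-w C:\WINDOWS\system32\win32k.sys
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6f3dfe42-0f35-11dd-8205-806d6172696f}]
\Shell\AutoRun\command - D:\vqv.exe
\Shell\explore\Command - D:\vqv.exe
\Shell\open\Command - D:\vqv.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6f3dfe45-0f35-11dd-8205-806d6172696f}]
\Shell\AutoRun\command - C:\vqv.exe
"""

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print("autorun relays:", result.autorun_relays)
    print("hidden root files:", result.hidden_root_files)
    print("protection overrides:", result.protection_overrides)
    print(build_cfscript(result))
```

The drive-root test is what separates the worm's hooks from legitimate MountPoints2 entries: a real CD-ROM autorun points into a subdirectory or a setup program, whereas an Autorun.inf worm drops one copy of itself into the root of every volume so that each mount re-executes it. The override values are worth checking on their own, because a machine whose Security Center and firewall were silently turned off stays exposed even after the dropped files are gone.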

ComboFix 08-04-22.5 - _przemek_ 2008-04-23 21:55:52.3 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.2469 [GMT 2:00]

Running from: C:\Documents and Settings\_przemek_\Pulpit\ComboFix.exe

Command switches used :: C:\Documents and Settings\_przemek_\Pulpit\CFScript.txt

* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED!!

FILE ::

C:\dwvo.cmd

C:\mug0sd.cmd

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\dwvo.cmd

C:\mug0sd.cmd

.

((((((((((((((((((((((((( Files Created from 2008-03-23 to 2008-04-23 )))))))))))))))))))))))))))))))

.

2008-04-23 19:42 . 2008-04-23 19:43

2008-04-23 18:50 . 2008-04-23 18:50

2008-04-23 18:48 . 2008-04-23 18:48

2008-04-23 18:48 . 2008-04-23 18:58

2008-04-23 18:25 . 2008-04-23 19:50

2008-04-23 00:15 . 2008-04-23 00:18

2008-04-23 00:15 . 2008-02-01 17:07 18,487 --a------ C:\WINDOWS\system32\Ntaccess.sys

2008-04-23 00:15 . 2004-07-23 16:09 13,368 --a------ C:\WINDOWS\system32\FlashVxd.vxd

2008-04-23 00:15 . 2008-01-31 17:18 9,216 --a------ C:\WINDOWS\system32\drivers\FlashSys.sys

2008-04-23 00:02 . 2008-04-23 00:19

2008-04-22 23:59 . 1998-10-02 19:00 327,168 --a------ C:\WINDOWS\IsUninst.exe

2008-04-22 19:12 . 2008-04-22 19:12

2008-04-22 17:31 . 2008-04-22 17:31

2008-04-22 17:07 . 2007-07-09 15:11 584,192 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll

2008-04-22 17:01 . 2008-04-23 20:10

2008-04-22 17:01 . 2008-04-22 17:01 45 --a------ C:\WINDOWS\system32\initdebug.nfo

2008-04-21 23:06 . 2008-04-23 21:55

2008-04-21 21:48 . 2008-04-21 21:48

2008-04-21 21:34 . 2008-04-21 21:34

2008-04-21 21:34 . 2008-04-21 21:34

2008-04-21 21:33 . 2008-04-21 21:33

2008-04-21 21:31 . 2008-04-21 21:34

2008-04-21 21:10 . 2008-04-21 21:10

2008-04-21 20:58 . 2008-04-21 21:10

2008-04-21 20:58 . 2008-04-23 21:29

2008-04-21 20:58 . 2008-04-23 21:29

2008-04-21 20:58 . 2008-04-21 20:58

2008-04-21 20:58 . 2008-04-21 20:58

2008-04-21 20:57 . 2008-04-21 21:08

2008-04-21 20:57 . 2008-04-21 21:05

2008-04-21 20:55 . 2002-04-15 21:11 67,866 --------- C:\WINDOWS\system32\drivers\netwlan5.img

2008-04-21 20:55 . 2004-08-04 00:44 11,776 --------- C:\WINDOWS\system32\spnpinst.exe

2008-04-21 20:55 . 2004-08-02 14:20 7,208 --------- C:\WINDOWS\system32\secupd.sig

2008-04-21 20:55 . 2004-08-02 14:20 4,569 --------- C:\WINDOWS\system32\secupd.dat

2008-04-21 20:38 . 2005-10-21 00:30 1,092,608 --a------ C:\WINDOWS\system32\esent.dll

2008-04-21 18:40 . 2008-04-21 18:40

2008-04-21 18:40 . 2008-04-22 18:46

2008-04-21 18:39 . 2004-08-04 09:44 351,232 --a------ C:\WINDOWS\system32\winhttp.dll

2008-04-21 18:39 . 2004-08-04 09:44 18,944 --a------ C:\WINDOWS\system32\qmgrprxy.dll

2008-04-21 18:39 . 2004-08-04 09:43 8,192 --------- C:\WINDOWS\system32\bitsprx2.dll

2008-04-21 18:39 . 2004-08-04 09:43 7,168 --------- C:\WINDOWS\system32\bitsprx3.dll

2008-04-21 18:38 . 2008-04-21 18:38

2008-04-21 18:38 . 2004-07-26 16:16 1,568,768 --------- C:\WINDOWS\system32\ImagX7.dll

2008-04-21 18:38 . 2004-07-26 16:16 476,320 --------- C:\WINDOWS\system32\ImagXpr7.dll

2008-04-21 18:38 . 2004-07-26 16:16 471,040 --------- C:\WINDOWS\system32\ImagXRA7.dll

2008-04-21 18:38 . 2004-07-09 08:43 364,544 --------- C:\WINDOWS\system32\TwnLib4.dll

2008-04-21 18:38 . 2004-07-26 16:16 262,144 --------- C:\WINDOWS\system32\ImagXR7.dll

2008-04-21 18:38 . 2001-07-09 10:50 155,648 --a------ C:\WINDOWS\system32\NeroCheck.exe

2008-04-21 18:38 . 2000-06-26 10:45 106,496 --a------ C:\WINDOWS\system32\TwnLib20.dll

2008-04-21 18:38 . 2008-04-21 18:38 1,024 --ah----- C:\Documents and Settings\Default User\NtUser.dat.LOG

2008-04-21 18:36 . 2008-04-21 18:36

2008-04-21 18:36 . 2008-04-21 18:36

2008-04-21 18:35 . 2008-04-21 18:35

2008-04-21 18:35 . 2007-07-30 19:19 549,720 --a------ C:\WINDOWS\system32\wuapi.dll

2008-04-21 18:35 . 2007-07-30 19:19 325,976 --a------ C:\WINDOWS\system32\wucltui.dll

2008-04-21 18:35 . 2007-07-30 19:19 216,408 --a------ C:\WINDOWS\system32\wuaucpl.cpl

2008-04-21 18:35 . 2007-07-30 19:19 203,096 --a------ C:\WINDOWS\system32\wuweb.dll

2008-04-21 18:35 . 2004-08-03 14:04 187,160 --a------ C:\WINDOWS\system32\wuaueng1.dll

2008-04-21 18:35 . 2004-08-03 14:03 170,264 --a------ C:\WINDOWS\system32\wuauclt1.exe

2008-04-21 18:35 . 2007-07-30 19:18 33,624 --a------ C:\WINDOWS\system32\wups.dll

2008-04-21 18:34 . 2008-04-21 20:49

2008-04-21 18:34 . 2008-04-23 21:18 769 --a------ C:\WINDOWS\wincmd.ini

2008-04-21 18:34 . 2005-02-02 06:51 545 --a------ C:\WINDOWS\UC.PIF

2008-04-21 18:34 . 2005-02-02 06:51 545 --a------ C:\WINDOWS\RAR.PIF

2008-04-21 18:34 . 2005-02-02 06:51 545 --a------ C:\WINDOWS\PKZIP.PIF

2008-04-21 18:34 . 2005-02-02 06:51 545 --a------ C:\WINDOWS\PKUNZIP.PIF

2008-04-21 18:34 . 2005-02-02 06:51 545 --a------ C:\WINDOWS\NOCLOSE.PIF

2008-04-21 18:34 . 2005-02-02 06:51 545 --a------ C:\WINDOWS\LHA.PIF

2008-04-21 18:34 . 2005-02-02 06:51 545 --a------ C:\WINDOWS\ARJ.PIF

2008-04-21 18:33 . 2008-04-21 18:33

2008-04-21 18:33 . 2008-04-21 18:33

2008-04-21 18:33 . 2008-04-21 18:33 282,624 --a------ C:\WINDOWS\system32\dfxg11.dll.bak

2008-04-21 18:33 . 2008-04-21 18:33 282,624 --a------ C:\WINDOWS\system32\dfxg11.dll

2008-04-21 18:32 . 2008-04-22 18:59

2008-04-21 18:32 . 2008-04-22 19:17 95 --a------ C:\WINDOWS\winamp.ini

2008-04-21 02:03 . 2008-04-21 00:11 261 --a------ C:\WINDOWS\system32\$winnt$.inf

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-04-23 19:12 1,417,728 ----a-w C:\WINDOWS\Internet Logs\xDB2.tmp

2008-04-23 18:05 1,416,192 ----a-w C:\WINDOWS\Internet Logs\xDB1.tmp

2008-04-21 18:57 --------- d-----w C:\Program Files\Common Files\InstallShield

2008-04-21 16:38 --------- d-----w C:\Program Files\Common Files\Ahead

2008-04-21 16:38 --------- d-----w C:\Program Files\Ahead

2008-04-20 22:32 --------- d-----w C:\Program Files\ZoneAlarmSB

2008-04-20 22:31 --------- d-----w C:\Program Files\Zone Labs

2008-04-20 22:31 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\MailFrontier

2008-04-20 22:29 --------- d-----w C:\Program Files\ffdshow

2008-04-20 22:28 --------- d-----w C:\Program Files\OCCT

2008-04-20 22:24 315,392 ----a-w C:\WINDOWS\HideWin.exe

2008-04-20 22:24 --------- d--h--w C:\Program Files\InstallShield Installation Information

2008-04-20 22:24 --------- d-----w C:\Program Files\Realtek

2008-04-20 22:20 --------- d-----w C:\Program Files\Opera

2008-04-20 22:14 --------- d-----w C:\Program Files\ATI Technologies

2008-04-20 22:09 --------- d-----w C:\Program Files\microsoft frontpage

2008-04-20 22:07 --------- d-----w C:\Program Files\Usługi online

2008-03-20 08:09 1,845,504 ----a-w C:\WINDOWS\system32\win32k.sys

2008-03-13 21:11 75,248 ----a-w C:\WINDOWS\zllsputility.exe

2008-03-13 21:11 1,086,952 ----a-w C:\WINDOWS\system32\zpeng24.dll

2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll

2008-02-20 05:38 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA}]

2008-04-21 00:32 262144 --a------ C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"= "C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL" [2008-04-21 00:32 262144]

[HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"RTHDCPL"="RTHDCPL.EXE" [2007-10-12 10:33 16384512 C:\WINDOWS\RTHDCPL.exe]

"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-03-13 23:11 919016]

"WinampAgent"="C:\Program Files\Winamp\Winampa.exe" []

"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 09:44 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\system32\sessmgr.exe"=

.

**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-04-23 21:56:33

Windows 5.1.2600 Dodatek Service Pack 2 NTFS

scanning hidden processes …

scanning hidden autostart entries …

scanning hidden files …

scan completed successfully

hidden files: 0

**************************************************************************

.

Completion time: 2008-04-23 21:57:02

ComboFix-quarantined-files.txt 2008-04-23 19:56:59

ComboFix2.txt 2008-04-23 17:56:39

Pre-Run: 14,514,888,704 bajtów wolnych

Post-Run: 14,530,719,744 bajtów wolnych

161 --- E O F --- 2008-04-22 16:48:08

Change of the rules for posting logs on the forum - viewtopic.php?f=16&t=213350

LOG Ok