Oto moje logi, z góry dziękuję.
ComboFix 08-04-22.5 - _przemek_ 2008-04-23 19:07:24.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.2889 [GMT 2:00]
Running from: C:\Documents and Settings\_przemek_\Pulpit\ComboFix.exe
Command switches used :: C:\Documents and Settings\_przemek_\Pulpit\CFScript.log
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Autorun.inf
C:\WINDOWS\system32\amvo0.dll
C:\WINDOWS\system32\amvo1.dll
D:\Autorun.inf
E:\Autorun.inf
.
((((((((((((((((((((((((( Files Created from 2008-03-23 to 2008-04-23 )))))))))))))))))))))))))))))))
.
2008-04-23 18:50 . 2008-04-23 18:50
2008-04-23 18:48 . 2008-04-23 18:48
2008-04-23 18:48 . 2008-04-23 18:58
2008-04-23 18:25 . 2008-04-23 18:35
2008-04-23 00:15 . 2008-04-23 00:18
2008-04-23 00:15 . 2008-02-01 17:07 18,487 --a------ C:\WINDOWS\system32\Ntaccess.sys
2008-04-23 00:15 . 2004-07-23 16:09 13,368 --a------ C:\WINDOWS\system32\FlashVxd.vxd
2008-04-23 00:15 . 2008-01-31 17:18 9,216 --a------ C:\WINDOWS\system32\drivers\FlashSys.sys
2008-04-23 00:02 . 2008-04-23 00:19
2008-04-22 23:59 . 1998-10-02 19:00 327,168 --a------ C:\WINDOWS\IsUninst.exe
2008-04-22 19:12 . 2008-04-22 19:12
2008-04-22 17:31 . 2008-04-22 17:31
2008-04-22 17:07 . 2007-07-09 15:11 584,192 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2008-04-22 17:01 . 2008-04-22 23:15
2008-04-22 17:01 . 2008-04-22 17:01 45 --a------ C:\WINDOWS\system32\initdebug.nfo
2008-04-21 23:06 . 2008-04-23 19:05
2008-04-21 21:48 . 2008-04-21 21:48
2008-04-21 21:34 . 2008-04-21 21:34
2008-04-21 21:34 . 2008-04-21 21:34
2008-04-21 21:33 . 2008-04-21 21:33
2008-04-21 21:31 . 2008-04-21 21:34
2008-04-21 21:10 . 2008-04-21 21:10
2008-04-21 20:58 . 2008-04-21 21:10
2008-04-21 20:58 . 2008-04-21 20:58
2008-04-21 20:58 . 2008-04-21 20:58
2008-04-21 20:58 . 2008-04-21 20:58
2008-04-21 20:58 . 2008-04-21 20:58
2008-04-21 20:57 . 2008-04-21 21:08
2008-04-21 20:57 . 2008-04-21 21:05
2008-04-21 20:55 . 2002-04-15 21:11 67,866 --------- C:\WINDOWS\system32\drivers\netwlan5.img
2008-04-21 20:55 . 2004-08-04 00:44 11,776 --------- C:\WINDOWS\system32\spnpinst.exe
2008-04-21 20:55 . 2004-08-02 14:20 7,208 --------- C:\WINDOWS\system32\secupd.sig
2008-04-21 20:55 . 2004-08-02 14:20 4,569 --------- C:\WINDOWS\system32\secupd.dat
2008-04-21 20:38 . 2005-10-21 00:30 1,092,608 --a------ C:\WINDOWS\system32\esent.dll
2008-04-21 18:41 . 2008-04-21 00:24 104,925 -r-hs---- C:\dwvo.cmd
2008-04-21 18:40 . 2008-04-21 18:40
2008-04-21 18:40 . 2008-04-22 18:46
2008-04-21 18:39 . 2004-08-04 09:44 351,232 --a------ C:\WINDOWS\system32\winhttp.dll
2008-04-21 18:39 . 2004-08-04 09:44 18,944 --a------ C:\WINDOWS\system32\qmgrprxy.dll
2008-04-21 18:39 . 2004-08-04 09:43 8,192 --------- C:\WINDOWS\system32\bitsprx2.dll
2008-04-21 18:39 . 2004-08-04 09:43 7,168 --------- C:\WINDOWS\system32\bitsprx3.dll
2008-04-21 18:38 . 2008-04-21 18:38
2008-04-21 18:38 . 2004-07-26 16:16 1,568,768 --------- C:\WINDOWS\system32\ImagX7.dll
2008-04-21 18:38 . 2004-07-26 16:16 476,320 --------- C:\WINDOWS\system32\ImagXpr7.dll
2008-04-21 18:38 . 2004-07-26 16:16 471,040 --------- C:\WINDOWS\system32\ImagXRA7.dll
2008-04-21 18:38 . 2004-07-09 08:43 364,544 --------- C:\WINDOWS\system32\TwnLib4.dll
2008-04-21 18:38 . 2004-07-26 16:16 262,144 --------- C:\WINDOWS\system32\ImagXR7.dll
2008-04-21 18:38 . 2001-07-09 10:50 155,648 --a------ C:\WINDOWS\system32\NeroCheck.exe
2008-04-21 18:38 . 2000-06-26 10:45 106,496 --a------ C:\WINDOWS\system32\TwnLib20.dll
2008-04-21 18:38 . 2008-04-21 18:38 1,024 --ah----- C:\Documents and Settings\Default User\NtUser.dat.LOG
2008-04-21 18:36 . 2008-04-21 18:36
2008-04-21 18:36 . 2008-04-21 18:36
2008-04-21 18:35 . 2008-04-21 18:35
2008-04-21 18:35 . 2007-07-30 19:19 549,720 --a------ C:\WINDOWS\system32\wuapi.dll
2008-04-21 18:35 . 2007-07-30 19:19 325,976 --a------ C:\WINDOWS\system32\wucltui.dll
2008-04-21 18:35 . 2007-07-30 19:19 216,408 --a------ C:\WINDOWS\system32\wuaucpl.cpl
2008-04-21 18:35 . 2007-07-30 19:19 203,096 --a------ C:\WINDOWS\system32\wuweb.dll
2008-04-21 18:35 . 2004-08-03 14:04 187,160 --a------ C:\WINDOWS\system32\wuaueng1.dll
2008-04-21 18:35 . 2004-08-03 14:03 170,264 --a------ C:\WINDOWS\system32\wuauclt1.exe
2008-04-21 18:35 . 2007-07-30 19:18 33,624 --a------ C:\WINDOWS\system32\wups.dll
2008-04-21 18:34 . 2008-04-21 20:49
2008-04-21 18:34 . 2008-04-23 19:06 769 --a------ C:\WINDOWS\wincmd.ini
2008-04-21 18:34 . 2005-02-02 06:51 545 --a------ C:\WINDOWS\UC.PIF
2008-04-21 18:34 . 2005-02-02 06:51 545 --a------ C:\WINDOWS\RAR.PIF
2008-04-21 18:34 . 2005-02-02 06:51 545 --a------ C:\WINDOWS\PKZIP.PIF
2008-04-21 18:34 . 2005-02-02 06:51 545 --a------ C:\WINDOWS\PKUNZIP.PIF
2008-04-21 18:34 . 2005-02-02 06:51 545 --a------ C:\WINDOWS\NOCLOSE.PIF
2008-04-21 18:34 . 2005-02-02 06:51 545 --a------ C:\WINDOWS\LHA.PIF
2008-04-21 18:34 . 2005-02-02 06:51 545 --a------ C:\WINDOWS\ARJ.PIF
2008-04-21 18:33 . 2008-04-21 18:33
2008-04-21 18:33 . 2008-04-21 18:33
2008-04-21 18:33 . 2008-04-21 18:33 282,624 --a------ C:\WINDOWS\system32\dfxg11.dll.bak
2008-04-21 18:33 . 2008-04-21 18:33 282,624 --a------ C:\WINDOWS\system32\dfxg11.dll
2008-04-21 18:32 . 2008-04-22 18:59
2008-04-21 18:32 . 2008-04-22 19:17 95 --a------ C:\WINDOWS\winamp.ini
2008-04-21 02:03 . 2008-04-21 00:11 261 --a------ C:\WINDOWS\system32\$winnt$.inf
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-21 18:57 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-04-21 16:38 --------- d-----w C:\Program Files\Common Files\Ahead
2008-04-21 16:38 --------- d-----w C:\Program Files\Ahead
2008-04-20 22:32 --------- d-----w C:\Program Files\ZoneAlarmSB
2008-04-20 22:31 --------- d-----w C:\Program Files\Zone Labs
2008-04-20 22:31 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\MailFrontier
2008-04-20 22:29 --------- d-----w C:\Program Files\ffdshow
2008-04-20 22:28 --------- d-----w C:\Program Files\OCCT
2008-04-20 22:24 315,392 ----a-w C:\WINDOWS\HideWin.exe
2008-04-20 22:24 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-20 22:24 --------- d-----w C:\Program Files\Realtek
2008-04-20 22:20 --------- d-----w C:\Program Files\Opera
2008-04-20 22:14 --------- d-----w C:\Program Files\ATI Technologies
2008-04-20 22:09 --------- d-----w C:\Program Files\microsoft frontpage
2008-04-20 22:07 --------- d-----w C:\Program Files\Usługi online
2008-04-20 13:43 103,885 --sh--r C:\mug0sd.cmd
2008-03-20 08:09 1,845,504 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-13 21:11 75,248 ----a-w C:\WINDOWS\zllsputility.exe
2008-03-13 21:11 1,086,952 ----a-w C:\WINDOWS\system32\zpeng24.dll
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:38 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA}]
2008-04-21 00:32 262144 --a------ C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"= "C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL" [2008-04-21 00:32 262144]
[HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2007-10-12 10:33 16384512 C:\WINDOWS\RTHDCPL.exe]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-03-13 23:11 919016]
"WinampAgent"="C:\Program Files\Winamp\Winampa.exe" []
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"LiveMonitor"="C:\Program Files\MSI\Live Update 3\LMonitor.exe" [2008-03-14 11:41 498176]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 09:44 15360]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe"=
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6f3dfe42-0f35-11dd-8205-806d6172696f}]
\Shell\AutoRun\command - D:\vqv.exe
\Shell\explore\Command - D:\vqv.exe
\Shell\open\Command - D:\vqv.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6f3dfe43-0f35-11dd-8205-806d6172696f}]
\Shell\AutoRun\command - E:\vqv.exe
\Shell\explore\Command - E:\vqv.exe
\Shell\open\Command - E:\vqv.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6f3dfe45-0f35-11dd-8205-806d6172696f}]
\Shell\AutoRun\command - C:\vqv.exe
\Shell\explore\Command - C:\vqv.exe
\Shell\open\Command - C:\vqv.exe
*Newly Created Service* - CATCHME
.
**************************************************************************
catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-23 19:07:47
Windows 5.1.2600 Dodatek Service Pack 2 NTFS
scanning hidden processes …
scanning hidden autostart entries …
scanning hidden files …
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-04-23 19:08:09
ComboFix-quarantined-files.txt 2008-04-23 17:08:06
Pre-Run: 12,785,672,192 bajtów wolnych
Post-Run: 12,958,568,448 bajtów wolnych
174 --- E O F --- 2008-04-22 16:48:08