OTL logfile created on: 2010-03-03 20:18:37 - Run 2
OTL by OldTimer - Version 3.1.32.0 Folder = C:\Documents and Settings\Magda\Pulpit
Windows XP Home Edition Dodatek Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000415 | Country: Polska | Language: PLK | Date Format: yyyy-MM-dd
510,00 Mb Total Physical Memory | 221,00 Mb Available Physical Memory | 43,00% Memory free
1,00 Gb Paging File | 1,00 Gb Available in Paging File | 79,00% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536 [binary data]
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 68,36 Gb Total Space | 18,42 Gb Free Space | 26,94% Space Free | Partition Type: NTFS
Drive D: | 80,68 Gb Total Space | 80,50 Gb Free Space | 99,78% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Computer Name: DOM1
Current User Name: Magda
Logged in as Administrator.
Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard
[color=#E56717]========== Processes (SafeList) ==========[/color]
PRC - [2010-03-03 20:03:05 | 000,551,424 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Magda\Pulpit\OTL.exe
PRC - [2009-07-21 13:34:33 | 000,185,089 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe
PRC - [2009-05-13 15:48:22 | 000,108,289 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe
PRC - [2009-03-02 12:08:47 | 000,209,153 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
PRC - [2008-04-14 18:21:16 | 001,035,264 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
[color=#E56717]========== Modules (SafeList) ==========[/color]
MOD - [2010-03-03 20:03:05 | 000,551,424 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Magda\Pulpit\OTL.exe
[color=#E56717]========== Win32 Services (SafeList) ==========[/color]
SRV - [2009-07-21 13:34:33 | 000,185,089 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)
SRV - [2009-05-13 15:48:22 | 000,108,289 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)
SRV - [2009-02-25 14:15:00 | 000,593,920 | ---- | M] () [Disabled | Stopped] -- C:\WINDOWS\system32\ati2sgag.exe -- (ATI Smart)
SRV - [2006-10-26 23:47:54 | 000,065,824 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Program Files\Microsoft Office\Office12\GrooveAuditService.exe -- (Microsoft Office Groove Audit Service)
[color=#E56717]========== Driver Services (SafeList) ==========[/color]
DRV - [2009-11-25 11:19:02 | 000,056,816 | ---- | M] (Avira GmbH) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\avgntflt.sys -- (avgntflt)
DRV - [2009-10-13 16:21:41 | 000,279,712 | ---- | M] () [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\atksgt.sys -- (atksgt)
DRV - [2009-10-13 16:21:40 | 000,025,888 | ---- | M] () [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\lirsgt.sys -- (lirsgt)
DRV - [2009-05-11 09:12:24 | 000,028,520 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\ssmdrv.sys -- (ssmdrv)
DRV - [2009-03-30 09:33:07 | 000,096,104 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avipbb.sys -- (avipbb)
DRV - [2009-02-25 23:58:57 | 003,565,568 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2009-02-13 11:35:05 | 000,011,608 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Program Files\Avira\AntiVir Desktop\avgio.sys -- (avgio)
DRV - [2008-09-04 05:28:22 | 000,019,968 | ---- | M] (LG Electronics Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\lgusbdiag.sys -- (UsbDiag)
DRV - [2008-09-04 05:27:54 | 000,024,832 | ---- | M] (LG Electronics Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\lgusbmodem.sys -- (USBModem)
DRV - [2008-09-04 05:27:28 | 000,013,056 | ---- | M] (LG Electronics Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\lgusbbus.sys -- (usbbus)
DRV - [2008-08-20 18:58:58 | 000,044,944 | ---- | M] (Sonic Solutions) [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\PxHelp20.sys -- (PxHelp20)
DRV - [2008-04-13 17:39:16 | 000,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\secdrv.sys -- (Secdrv)
DRV - [2008-04-13 17:36:05 | 000,144,384 | ---- | M] (Windows (R) Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)
DRV - [2006-06-27 10:42:14 | 003,972,672 | R--- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\alcxwdm.sys -- (ALCXWDM) Service for Realtek AC97 Audio (WDM)
DRV - [2006-03-02 13:00:00 | 000,017,792 | ---- | M] (Parallel Technologies, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ptilink.sys -- (Ptilink)
DRV - [2005-11-03 15:40:07 | 000,063,488 | ---- | M] (Protection Technology) [Kernel | Boot | Running] -- C:\WINDOWS\System32\drivers\sfvfs02.sys -- (sfvfs02) StarForce Protection VFS Driver (version 2.x)
DRV - [2005-09-30 05:52:22 | 000,013,056 | R--- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nvnetbus.sys -- (nvnetbus)
DRV - [2005-09-30 05:52:20 | 000,034,048 | R--- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\NVENETFD.sys -- (NVENETFD)
DRV - [2005-08-18 09:52:06 | 000,093,568 | R--- | M] (NVIDIA Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\nvata.sys -- (nvata)
DRV - [2005-08-10 13:44:04 | 000,050,688 | ---- | M] (Protection Technology) [Kernel | Boot | Running] -- C:\WINDOWS\System32\drivers\sfdrv01.sys -- (sfdrv01) StarForce Protection Environment Driver (version 1.x)
DRV - [2005-05-16 14:20:39 | 000,006,656 | ---- | M] (Protection Technology) [Kernel | Boot | Running] -- C:\WINDOWS\System32\drivers\sfhlp02.sys -- (sfhlp02) StarForce Protection Helper Driver (version 2.x)
DRV - [2004-08-13 03:56:20 | 000,005,810 | R--- | M] () [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ASACPI.sys -- (MTsensor)
[color=#E56717]========== Standard Registry (SafeList) ==========[/color]
[color=#E56717]========== Internet Explorer ==========[/color]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.onet.pl/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
[color=#E56717]========== FireFox ==========[/color]
FF - prefs.js..browser.startup.homepage: "www.onet.pl"
FF - HKLM\software\mozilla\Mozilla Firefox 3.6\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010-02-26 11:04:43 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010-02-26 10:56:51 | 000,000,000 | ---D | M]
[2010-02-26 11:04:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Magda\Dane aplikacji\Mozilla\Extensions
[2010-03-03 19:46:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Magda\Dane aplikacji\Mozilla\Firefox\Profiles\jarmo8u2.default\extensions
[2010-02-26 11:23:40 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Magda\Dane aplikacji\Mozilla\Firefox\Profiles\jarmo8u2.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010-02-26 10:56:51 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2010-01-16 02:08:36 | 000,002,767 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\allegro-pl.xml
[2010-01-16 02:08:36 | 000,001,406 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\fbc-pl.xml
[2010-01-16 02:08:36 | 000,000,917 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\merlin-pl.xml
[2010-01-16 02:08:36 | 000,000,858 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\pwn-pl.xml
[2010-01-16 02:08:36 | 000,001,183 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\wikipedia-pl.xml
[2010-01-16 02:08:36 | 000,001,683 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\wp-pl.xml
O1 HOSTS File: ([2006-03-02 13:00:00 | 000,000,742 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (BitComet Helper) - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.3.3.2.dll (BitComet)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (Groove GFS Browser Helper) - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O2 - BHO: (IEPluginBHO Class) - {F5CC7F02-6F4E-4462-B5B1-394A57FD3E0D} - C:\Documents and Settings\Magda\Dane aplikacji\Nowe Gadu-Gadu\_userdata\ggbho.1.dll (GG Network S.A.)
O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: E&ksportuj do programu Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O8 - Extra context menu item: Pobierz wszystkie VIdeo za pomocą BitComet - C:\Program Files\BitComet\BitComet.exe (www.BitComet.com)
O8 - Extra context menu item: Pobierz wszystko za pomocą BitComet - C:\Program Files\BitComet\BitComet.exe (www.BitComet.com)
O8 - Extra context menu item: Pobierz za pomocą BitComet - C:\Program Files\BitComet\BitComet.exe (www.BitComet.com)
O9 - Extra Button: Wyślij do programu OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Wyślij &do programu OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra Button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - C:\Program Files\BitComet\tools\BitCometBHO_1.3.3.2.dll (BitComet)
O9 - Extra 'Tools' menuitem : Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O12 - Plugin for: .spop - C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll (Intertrust Technologies, Inc.)
O16 - DPF: {31435657-9980-0010-8000-00AA00389B71} http://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab (Reg Error: Key error.)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 87.239.176.2 87.239.176.23
O18 - Protocol\Handler\grooveLocalGWS {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O24 - Desktop Components:0 (Moja bieżąca strona główna) - About:Home
O24 - Desktop WallPaper: C:\Documents and Settings\Magda\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Magda\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009-03-30 18:45:44 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*
[color=#E56717]========== Files/Folders - Created Within 30 Days ==========[/color]
[2010-03-03 20:03:02 | 000,551,424 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Magda\Pulpit\OTL.exe
[2010-03-01 19:58:38 | 000,000,000 | ---D | C] -- C:\Program Files\Lavalys
[2010-02-28 15:23:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Magda\Pulpit\na allegro
[2010-02-28 15:23:07 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Magda\Moje dokumenty\Nowy folder
[2010-02-26 11:04:42 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Magda\Dane aplikacji\Mozilla
[2010-02-26 11:01:43 | 000,000,000 | ---D | C] -- C:\Program Files\Opera
[2010-02-26 10:56:51 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Firefox
[2010-02-25 10:34:10 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\Magda\IECompatCache
[2010-02-23 13:59:36 | 000,018,688 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cdaudio.sys
[2010-02-18 20:05:19 | 000,000,000 | ---D | C] -- C:\Program Files\YouTube Downloader & Converter
[2010-02-13 21:25:17 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Magda\Pulpit\muzyka
[2010-02-10 10:44:42 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Magda\Pulpit\muzyka z torent
[2010-02-06 17:26:35 | 000,000,000 | ---D | C] -- C:\Program Files\VS Revo Group
[2010-02-04 18:11:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Magda\Moje dokumenty\Pobieranie
[2010-01-17 12:53:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Ustawienia lokalne\Dane aplikacji\Microsoft
[2010-01-17 12:51:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Dane aplikacji\Adobe
[2010-01-02 15:56:57 | 000,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Dane aplikacji\Microsoft
[2010-01-02 15:56:57 | 000,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Dane aplikacji\Microsoft
[2010-01-02 15:56:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Ustawienia lokalne\Dane aplikacji\Microsoft
[2009-07-13 12:38:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Ustawienia lokalne\Dane aplikacji\Google
[2009-07-13 12:33:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Ustawienia lokalne\Dane aplikacji\Google
[color=#E56717]========== Files - Modified Within 30 Days ==========[/color]
[2010-03-03 20:21:05 | 000,792,064 | ---- | M] () -- C:\WINDOWS\System32\drivers\mzjzwthc.sys
[2010-03-03 20:20:32 | 000,000,462 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{4C12CC7F-DB7E-4530-A105-18D0B547B58C}.job
[2010-03-03 20:18:18 | 000,001,030 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2010-03-03 20:18:07 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010-03-03 20:18:05 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010-03-03 20:17:16 | 003,407,872 | ---- | M] () -- C:\Documents and Settings\Magda\NTUSER.DAT
[2010-03-03 20:17:16 | 000,000,188 | -HS- | M] () -- C:\Documents and Settings\Magda\ntuser.ini
[2010-03-03 20:17:00 | 000,000,462 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{A3F23EA7-4C7C-4650-908F-5A14B6A6E39F}.job
[2010-03-03 20:12:01 | 000,001,034 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2010-03-03 20:03:05 | 000,551,424 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Magda\Pulpit\OTL.exe
[2010-03-03 20:00:24 | 000,293,376 | ---- | M] () -- C:\Documents and Settings\Magda\Pulpit\7u79tvxv.exe
[2010-03-01 19:58:40 | 000,000,767 | ---- | M] () -- C:\Documents and Settings\Magda\Pulpit\EVEREST Home Edition.lnk
[2010-02-27 10:44:07 | 000,000,726 | ---- | M] () -- C:\Documents and Settings\Magda\Pulpit\BitComet.lnk
[2010-02-26 11:01:47 | 000,000,592 | ---- | M] () -- C:\Documents and Settings\All Users\Pulpit\Opera.lnk
[2010-02-26 11:01:47 | 000,000,592 | ---- | M] () -- C:\Documents and Settings\All Users\Dokumenty\Opera.lnk
[2010-02-26 10:56:54 | 000,001,602 | ---- | M] () -- C:\Documents and Settings\All Users\Pulpit\Mozilla Firefox.lnk
[2010-02-26 10:56:54 | 000,001,602 | ---- | M] () -- C:\Documents and Settings\All Users\Dokumenty\Mozilla Firefox.lnk
[2010-02-25 10:07:48 | 000,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Pulpit\Malwarebytes' Anti-Malware.lnk
[2010-02-24 16:00:19 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010-02-24 14:58:07 | 000,000,552 | ---- | M] () -- C:\WINDOWS\win.ini
[2010-02-24 14:58:07 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010-02-24 14:58:07 | 000,000,211 | -HS- | M] () -- C:\boot.ini
[2010-02-23 20:34:00 | 000,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2010-02-18 20:23:07 | 010,118,378 | ---- | M] () -- C:\Documents and Settings\Magda\Pulpit\Wrzuta.pl - Editors - Papillon.flv
[2010-02-18 20:14:08 | 000,000,104 | ---- | M] () -- C:\Documents and Settings\Magda\Pulpit\Skrót do Internet.lnk
[2010-02-18 20:05:21 | 000,000,709 | ---- | M] () -- C:\Documents and Settings\All Users\Pulpit\YouTube Downloader & Converter.lnk
[2010-02-18 16:48:09 | 000,000,023 | ---- | M] () -- C:\WINDOWS\BlendSettings.ini
[2010-02-11 19:47:49 | 000,001,503 | ---- | M] () -- C:\Documents and Settings\Magda\Pulpit\Paint.lnk
[2010-02-10 10:52:44 | 000,003,584 | ---- | M] () -- C:\Documents and Settings\Magda\Ustawienia lokalne\Dane aplikacji\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010-02-09 19:44:01 | 000,001,862 | ---- | M] () -- C:\Documents and Settings\All Users\Pulpit\SPORE™.lnk
[2010-02-07 09:28:26 | 000,000,116 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[2010-02-06 17:26:36 | 000,000,917 | ---- | M] () -- C:\Documents and Settings\Magda\Pulpit\Revo Uninstaller.lnk
[color=#E56717]========== Files Created - No Company Name ==========[/color]
[2010-03-03 20:00:22 | 000,293,376 | ---- | C] () -- C:\Documents and Settings\Magda\Pulpit\7u79tvxv.exe
[2010-03-01 19:58:40 | 000,000,767 | ---- | C] () -- C:\Documents and Settings\Magda\Pulpit\EVEREST Home Edition.lnk
[2010-02-27 10:44:07 | 000,000,726 | ---- | C] () -- C:\Documents and Settings\Magda\Pulpit\BitComet.lnk
[2010-02-26 11:03:07 | 000,000,592 | ---- | C] () -- C:\Documents and Settings\All Users\Dokumenty\Opera.lnk
[2010-02-26 11:01:47 | 000,000,592 | ---- | C] () -- C:\Documents and Settings\All Users\Pulpit\Opera.lnk
[2010-02-26 10:58:26 | 000,001,602 | ---- | C] () -- C:\Documents and Settings\All Users\Dokumenty\Mozilla Firefox.lnk
[2010-02-26 10:56:54 | 000,001,602 | ---- | C] () -- C:\Documents and Settings\All Users\Pulpit\Mozilla Firefox.lnk
[2010-02-25 10:33:34 | 000,000,462 | -H-- | C] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{4C12CC7F-DB7E-4530-A105-18D0B547B58C}.job
[2010-02-25 10:07:48 | 000,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Pulpit\Malwarebytes' Anti-Malware.lnk
[2010-02-23 13:59:39 | 000,792,064 | ---- | C] () -- C:\WINDOWS\System32\drivers\mzjzwthc.sys
[2010-02-21 13:56:34 | 000,000,933 | ---- | C] () -- C:\Documents and Settings\Magda\Pulpit\Spybot - Search & Destroy.lnk
[2010-02-18 20:22:20 | 010,118,378 | ---- | C] () -- C:\Documents and Settings\Magda\Pulpit\Wrzuta.pl - Editors - Papillon.flv
[2010-02-18 20:14:08 | 000,000,104 | ---- | C] () -- C:\Documents and Settings\Magda\Pulpit\Skrót do Internet.lnk
[2010-02-18 20:05:21 | 000,000,709 | ---- | C] () -- C:\Documents and Settings\All Users\Pulpit\YouTube Downloader & Converter.lnk
[2010-02-09 19:44:01 | 000,001,862 | ---- | C] () -- C:\Documents and Settings\All Users\Pulpit\SPORE™.lnk
[2010-02-06 17:26:36 | 000,000,917 | ---- | C] () -- C:\Documents and Settings\Magda\Pulpit\Revo Uninstaller.lnk
[2010-02-04 18:14:17 | 000,003,584 | ---- | C] () -- C:\Documents and Settings\Magda\Ustawienia lokalne\Dane aplikacji\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010-01-06 17:25:30 | 000,000,600 | ---- | C] () -- C:\Documents and Settings\Magda\Ustawienia lokalne\Dane aplikacji\PUTTY.RND
[2010-01-06 16:54:10 | 000,020,194 | ---- | C] () -- C:\WINDOWS\Ascd_tmp.ini
[2009-10-24 18:55:49 | 000,000,173 | ---- | C] () -- C:\WINDOWS\disney.ini
[2009-10-24 18:55:30 | 000,000,200 | ---- | C] () -- C:\WINDOWS\disneysy.ini
[2009-10-12 12:42:35 | 000,279,712 | ---- | C] () -- C:\WINDOWS\System32\drivers\atksgt.sys
[2009-10-12 12:42:35 | 000,025,888 | ---- | C] () -- C:\WINDOWS\System32\drivers\lirsgt.sys
[2009-07-14 16:15:00 | 000,178,432 | ---- | C] () -- C:\WINDOWS\System32\xlive.dll.cat
[2009-06-19 19:06:22 | 000,197,912 | ---- | C] () -- C:\WINDOWS\System32\physxcudart_20.dll
[2009-06-19 19:06:22 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelSwedish.dll
[2009-06-19 19:06:22 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelSpanish.dll
[2009-06-19 19:06:22 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelPortugese.dll
[2009-06-19 19:06:22 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelGerman.dll
[2009-06-19 19:06:22 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelFrench.dll
[2009-06-07 17:19:58 | 000,168,448 | ---- | C] () -- C:\WINDOWS\System32\unrar.dll
[2009-06-07 17:19:57 | 000,815,104 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2009-06-07 17:19:57 | 000,180,224 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2009-06-07 17:19:56 | 003,596,288 | ---- | C] () -- C:\WINDOWS\System32\qt-dx331.dll
[2009-06-07 17:19:55 | 000,084,480 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
[2009-06-07 17:19:55 | 000,000,547 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll.manifest
[2009-06-07 16:40:11 | 000,000,116 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2009-05-08 15:24:35 | 000,000,023 | ---- | C] () -- C:\WINDOWS\BlendSettings.ini
[2009-04-22 12:21:22 | 000,000,206 | ---- | C] () -- C:\WINDOWS\System32\MRT.INI
[2009-03-31 15:54:44 | 000,040,960 | ---- | C] () -- C:\Program Files\Uninstall_CDS.exe
[2009-03-30 19:03:03 | 000,143,360 | R--- | C] () -- C:\WINDOWS\System32\RtlCPAPI.dll
[2009-03-30 18:58:57 | 000,005,810 | R--- | C] () -- C:\WINDOWS\System32\drivers\ASACPI.sys
[2009-03-30 18:58:48 | 000,005,824 | ---- | C] () -- C:\WINDOWS\System32\drivers\ASUSHWIO.SYS
[2009-03-30 18:50:38 | 000,114,688 | ---- | C] () -- C:\WINDOWS\System32\WLANUTL.dll
[color=#E56717]========== Alternate Data Streams ==========[/color]
@Alternate Data Stream - 126 bytes -> C:\Documents and Settings\All Users\Dane aplikacji\TEMP:CF778051
< End of report >
and also from GMER
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-03-04 18:13:40
Windows 5.1.2600 Dodatek Service Pack 3
Running: 7u79tvxv.exe; Driver: C:\DOCUME~1\Magda\USTAWI~1\Temp\pxtdapog.sys
---- System - GMER 1.0.15 ----
SSDT A8A3545E ZwCreateKey
SSDT A8A35454 ZwCreateThread
SSDT A8A35463 ZwDeleteKey
SSDT A8A3546D ZwDeleteValueKey
SSDT A8A35472 ZwLoadKey
SSDT A8A35440 ZwOpenProcess
SSDT A8A35445 ZwOpenThread
SSDT A8A3547C ZwReplaceKey
SSDT A8A35477 ZwRestoreKey
SSDT A8A35468 ZwSetValueKey
SSDT A8A3544F ZwTerminateProcess
---- Kernel code sections - GMER 1.0.15 ----
.pak2 C:\WINDOWS\system32\drivers\mzjzwthc.sys entry point in ".pak2" section [0xF82FD3B6]
? C:\WINDOWS\system32\drivers\mzjzwthc.sys Urządzenie podłączone do komputera nie działa.
PAGE Ntfs.sys F8128E55 4 Bytes CALL 8213DC81
.text C:\WINDOWS\system32\DRIVERS\ati2mtag.sys section is writeable [0xF6CB6000, 0x1C5D58, 0xE8000020]
.text C:\WINDOWS\system32\DRIVERS\atksgt.sys section is writeable [0x9F636300, 0x3AF78, 0xE8000020]
.text C:\WINDOWS\system32\DRIVERS\lirsgt.sys section is writeable [0xF8837300, 0x1BCE, 0xE8000020]
---- Devices - GMER 1.0.15 ----
Device \FileSystem\Ntfs \Ntfs 8215D1D0
---- Services - GMER 1.0.15 ----
Service (*** hidden *** ) [BOOT] mzjzwthc <-- ROOTKIT !!!
---- Registry - GMER 1.0.15 ----
Reg HKLM\SYSTEM\CurrentControlSet\Services\mzjzwthc@Type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\mzjzwthc@Start 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\mzjzwthc@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\mzjzwthc@Group Boot Bus Extender
Reg HKLM\SYSTEM\ControlSet003\Services\mzjzwthc@Type 1
Reg HKLM\SYSTEM\ControlSet003\Services\mzjzwthc@Start 0
Reg HKLM\SYSTEM\ControlSet003\Services\mzjzwthc@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet003\Services\mzjzwthc@Group Boot Bus Extender
---- EOF - GMER 1.0.15 ----
Before GMER I used Malwarebytes' and removed one infection, but probably not thoroughly. What is this mzjzwthc.sys??