Zamulanie i winesm32 w autostarcie

[sagakama]

Jak w tytule w autostarcie jest winesm32 i nie wiem jak sie tego pozbyć. W menadżerze użycie procka na 100% nawet jak sie nic nie robi, svhost pobiera duży procent. Komp z pewnością nie jest nowy ale do netu daje rade.
Jakby ktoś znający sie na rzeczy mógłby przychylnym okiem na te logi rzucić to bede wdzięczny:
OTL

Kod: Zaznacz wszystko

OTL logfile created on: 2010-03-01 16:59:35 - Run 1
OTL by OldTimer - Version 3.1.32.0     Folder = C:\
Windows XP Professional Edition  (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2600.0000)
Locale: 00000415 | Country: Polska | Language: PLK | Date Format: yyyy-MM-dd

255,00 Mb Total Physical Memory | 56,00 Mb Available Physical Memory | 22,00% Memory free
618,00 Mb Paging File | 415,00 Mb Available in Paging File | 67,00% Paging File free
Paging file location(s): c:\pagefile.sys 384 768 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 4,88 Gb Total Space | 0,69 Gb Free Space | 14,08% Space Free | Partition Type: FAT32
Drive D: | 9,42 Gb Total Space | 9,42 Gb Free Space | 99,99% Space Free | Partition Type: FAT32
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: AURELA-3DOIKLEF
Current User Name: Eda
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

[color=#E56717]========== Processes (SafeList) ==========[/color]

PRC - [2010-03-01 16:56:24 | 000,551,424 | ---- | M] (OldTimer Tools) -- C:\OTL.exe
PRC - [2009-11-20 19:01:18 | 000,832,296 | ---- | M] (Opera Software) -- C:\Program Files\Opera\opera.exe
PRC - [2001-10-26 17:29:52 | 001,002,496 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2001-10-26 17:29:50 | 000,382,976 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\cmd.exe


[color=#E56717]========== Modules (SafeList) ==========[/color]

MOD - [2010-03-01 16:56:24 | 000,551,424 | ---- | M] (OldTimer Tools) -- C:\OTL.exe
MOD - [2001-08-18 07:37:18 | 000,921,088 | R--- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll


[color=#E56717]========== Win32 Services (SafeList) ==========[/color]

SRV - [2006-06-05 14:22:34 | 001,129,000 | ---- | M] (SiSoftware) [On_Demand | Stopped] -- C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2007\RpcSandraSrv.exe -- (SandraTheSrv)
SRV - [2006-06-05 14:18:30 | 000,117,288 | ---- | M] (SiSoftware) [On_Demand | Stopped] -- C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2007\Win32\RpcDataSrv.exe -- (SandraDataSrv)
SRV - [2005-02-02 04:57:50 | 000,098,304 | --S- | M] () [Auto | Stopped] -- C:\WINDOWS\system32\RadClock.exe -- (RadClock)
SRV - [2004-09-15 21:10:00 | 000,516,096 | ---- | M] () [Auto | Stopped] -- C:\WINDOWS\system32\ati2sgag.exe -- (ATI Smart)
SRV - [2001-10-26 17:29:40 | 000,057,856 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\WINDOWS\system32\nwwks.dll -- (NWCWorkstation)
SRV - [2001-10-26 17:29:36 | 000,047,104 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\mspmspsv.dll -- (WmdmPmSp)


[color=#E56717]========== Driver Services (SafeList) ==========[/color]

DRV - File not found [Kernel | Unknown | Running] --  -- (szkgfs)
DRV - File not found [Kernel | Unknown | Running] --  -- (szkg5)
DRV - [2009-04-28 21:20:06 | 000,044,944 | ---- | M] (Sonic Solutions) [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\PxHelp20.sys -- (PxHelp20)
DRV - [2008-09-06 07:49:50 | 000,009,856 | ---- | M] (Padus, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\pfc.sys -- (pfc)
DRV - [2006-05-03 18:50:42 | 001,540,608 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2006-02-28 22:55:56 | 000,012,032 | ---- | M] () [Kernel | System | Running] -- C:\Program Files\Radeon Omega Drivers\v3.8.252\ATI Tray Tools\atitray.sys -- (atitray)
DRV - [2004-12-29 22:43:14 | 000,018,492 | --S- | M] () [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RadProbe.sys -- (RadProbe)
DRV - [2004-06-18 13:47:22 | 000,152,192 | ---- | M] (VIA Technologies, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\viaudios.sys -- (VIAudio) Vinyl AC'97 Audio Controller (WDM)
DRV - [2001-08-17 21:54:18 | 000,063,232 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\nwlnknb.sys -- (NwlnkNb)
DRV - [2001-08-17 21:54:18 | 000,055,936 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\nwlnkspx.sys -- (NwlnkSpx)
DRV - [2001-08-17 21:54:14 | 000,084,864 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\nwlnkipx.sys -- (NwlnkIpx)
DRV - [2001-08-17 21:53:40 | 000,155,648 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nwrdr.sys -- (NWRDR)
DRV - [2001-08-17 21:49:56 | 000,017,792 | ---- | M] (Parallel Technologies, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ptilink.sys -- (Ptilink)
DRV - [2001-08-17 20:13:08 | 000,027,165 | ---- | M] (VIA Technologies, Inc.              ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\fetnd5.sys -- (FETNDIS)
DRV - [2001-07-22 02:41:32 | 000,027,440 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\secdrv.sys -- (Secdrv)


[color=#E56717]========== Standard Registry (SafeList) ==========[/color]


[color=#E56717]========== Internet Explorer ==========[/color]

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm


IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-20\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-1547161642-1677128483-854245398-1004\S-1-5-21-1547161642-1677128483-854245398-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

[color=#E56717]========== FireFox ==========[/color]

FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0

FF - HKLM\software\mozilla\Mozilla Firefox 3.0.15\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2008-03-23 14:21:26 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.15\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2008-03-23 14:21:26 | 000,000,000 | ---D | M]

[2010-01-15 12:56:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Eda\Dane aplikacji\Mozilla\Extensions
[2010-01-15 12:56:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Eda\Dane aplikacji\Mozilla\Firefox\Profiles\sl3u6pjy.default\extensions
[2008-03-23 14:21:26 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2006-09-26 13:03:14 | 000,098,304 | ---- | M] (Zylom) -- C:\Program Files\Mozilla Firefox\plugins\npzylomgamesplayer.dll
[2009-11-02 16:14:08 | 000,002,767 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\allegro-pl.xml
[2009-11-02 16:14:08 | 000,001,406 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\fbc-pl.xml
[2009-11-02 16:14:08 | 000,000,917 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\merlin-pl.xml
[2009-11-02 16:14:08 | 000,000,858 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\pwn-pl.xml
[2009-11-02 16:14:08 | 000,001,183 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\wikipedia-pl.xml
[2009-11-02 16:14:08 | 000,001,683 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\wp-pl.xml

O1 HOSTS File: ([2001-10-26 15:45:16 | 000,000,742 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1       localhost
O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\Program Files\Google\googletoolbar.dll (Google Inc.)
O2 - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O2 - BHO: (no name) - {F5CC7F02-6F4E-4462-B5B1-394A57FD3E0D} - No CLSID value found.
O3 - HKLM\..\Toolbar: (&Google) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\Program Files\Google\googletoolbar.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (&Radio) - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx (Microsoft Corporation)
O3 - HKU\S-1-5-21-1547161642-1677128483-854245398-1004\..\Toolbar\WebBrowser: (&Google) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\Program Files\Google\googletoolbar.dll (Google Inc.)
O4 - HKLM..\Run: []  File not found
O4 - HKLM..\Run: [AtiPTA] atiptaxx.exe (ATI Technologies, Inc.)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Common Files\Java\Java Update\jusched.exe (Sun Microsystems, Inc.)
O4 - Startup: C:\Documents and Settings\Eda\Menu Start\Programy\Autostart\winesm32.exe ()
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\control panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\restrictions present
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\restrictions present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\restrictions present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\restrictions present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19_Classes\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKU\S-1-5-19_Classes\Software\Policies\Microsoft\Internet Explorer\restrictions present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\restrictions present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20_Classes\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKU\S-1-5-20_Classes\Software\Policies\Microsoft\Internet Explorer\restrictions present
O7 - HKU\S-1-5-21-1547161642-1677128483-854245398-1004\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKU\S-1-5-21-1547161642-1677128483-854245398-1004\Software\Policies\Microsoft\Internet Explorer\restrictions present
O7 - HKU\S-1-5-21-1547161642-1677128483-854245398-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1547161642-1677128483-854245398-1004_Classes\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKU\S-1-5-21-1547161642-1677128483-854245398-1004_Classes\Software\Policies\Microsoft\Internet Explorer\restrictions present
O9 - Extra Button: @shdoclc.dll,-866 - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\Web\related.htm ()
O9 - Extra 'Tools' menuitem : @shdoclc.dll,-864 - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\Web\related.htm ()
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\WINDOWS\system32\nwprovau.dll (Microsoft Corporation)
O15 - HKU\S-1-5-21-1547161642-1677128483-854245398-1004\..Trusted Domains:   ([]msn in Mój komputer)
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB (Reg Error: Key error.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab (Java Plug-in 1.6.0_05)
O16 - DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 10.0.0.1
O18 - Protocol\Handler\vnd.ms.radio {3DA2AA3B-3D96-11D2-9BD2-204C4F4F5020} - C:\WINDOWS\system32\msdxm.ocx (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UIHost - (logonui.exe) - logonui.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - Ati2evxx.dll (ATI Technologies Inc.)
O20 - Winlogon\Notify\crypt32chain: DllName - crypt32.dll - crypt32.dll (Microsoft Corporation)
O20 - Winlogon\Notify\cryptnet: DllName - cryptnet.dll - cryptnet.dll (Microsoft Corporation)
O20 - Winlogon\Notify\cscdll: DllName - cscdll.dll - cscdll.dll (Microsoft Corporation)
O20 - Winlogon\Notify\ScCertProp: DllName - wlnotify.dll - wlnotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\Schedule: DllName - wlnotify.dll - wlnotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\sclgntfy: DllName - sclgntfy.dll - sclgntfy.dll (Microsoft Corporation)
O20 - Winlogon\Notify\SensLogn: DllName - WlNotify.dll - WlNotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\termsrv: DllName - wlnotify.dll - wlnotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\wlballoon: DllName - wlnotify.dll - wlnotify.dll (Microsoft Corporation)
O24 - Desktop Components:0 (Moja bieżąca strona główna) - About:Home
O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Czerwona pustynia.jpg
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Eda\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {35B2861B-2B26-4691-9FF0-09083722C736} - C:\WINDOWS\system32\RadExe.dll ()
O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - shell32.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (msapsspc.dll) - msapsspc.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (schannel.dll) - schannel.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (digest.dll) - digest.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (msnsspc.dll) - msnsspc.dll (Microsoft Corporation)
O30 - LSA: Authentication Packages - (nwprovau) - C:\WINDOWS\System32\nwprovau.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008-03-23 13:49:34 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ FAT32 ]
O34 - HKLM BootExecute: (autocheck autochk *) -  File not found
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

[color=#E56717]========== Files/Folders - Created Within 30 Days ==========[/color]

[2010-03-01 16:56:22 | 000,551,424 | ---- | C] (OldTimer Tools) -- C:\OTL.exe
[2010-03-01 16:43:44 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\appmgmt
[2010-03-01 15:55:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Dane aplikacji\SITEguard
[2010-03-01 15:51:31 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\iS3
[2010-03-01 15:51:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Dane aplikacji\STOPzilla!
[2010-03-01 03:43:19 | 017,037,680 | ---- | C] (Microsoft Corporation) -- C:\IE8-WindowsXP-x86-PLK.exe
[2010-02-27 12:52:26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Eda\Dane aplikacji\Malwarebytes
[2010-02-27 12:52:07 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010-02-27 12:52:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Dane aplikacji\Malwarebytes
[2010-02-27 12:52:02 | 000,018,520 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010-02-27 12:52:02 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010-02-27 12:49:59 | 000,551,424 | ---- | C] (OldTimer Tools) -- C:\mbam-setup.exe
[2010-02-27 11:10:00 | 000,000,000 | ---D | C] -- C:\WINDOWS\pss
[2010-02-27 11:07:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Dane aplikacji\Sun
[2010-02-27 11:05:24 | 000,411,368 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deploytk.dll
[2010-02-27 11:05:24 | 000,153,376 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2010-02-27 11:05:24 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2010-02-27 11:05:24 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2010-02-27 00:07:12 | 000,000,000 | --SD | C] -- C:\WINDOWS\System32\Microsoft
[2010-02-26 00:00:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Eda\Dane aplikacji\Zylom
[2010-02-25 23:47:19 | 000,000,000 | --SD | C] -- C:\Documents and Settings\Eda\UserData
[2010-02-25 16:30:31 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Dane aplikacji\Google
[2010-02-25 09:09:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Eda\Ustawienia lokalne\Dane aplikacji\Opera
[2010-02-25 09:09:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Eda\Dane aplikacji\Opera
[2010-02-25 09:08:38 | 000,000,000 | ---D | C] -- C:\Program Files\Opera
[2010-02-25 07:56:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Eda\Dane aplikacji\MSN6
[2010-02-25 07:56:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Dane aplikacji\MSN6
[2010-02-15 15:44:54 | 000,000,000 | -HSD | C] -- C:\FOUND.003
[2010-02-15 10:40:32 | 000,000,000 | ---D | C] -- C:\WINDOWS\Prefetch
[2010-02-15 10:36:28 | 000,044,032 | R--- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\msxml3r.dll
[2010-02-15 10:25:44 | 000,027,165 | ---- | C] (VIA Technologies, Inc.              ) -- C:\WINDOWS\System32\drivers\fetnd5.sys
[2010-02-15 10:23:30 | 000,024,661 | ---- | C] (Perle Systems Ltd.) -- C:\WINDOWS\System32\spxcoins.dll
[2010-02-15 10:23:30 | 000,013,312 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\irclass.dll
[2010-02-15 10:02:18 | 000,000,000 | -HSD | C] -- C:\FOUND.002
[2010-01-31 13:24:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Eda\Dane aplikacji\Sun
[2010-01-31 13:22:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Eda\Dane aplikacji\Macromedia
[2010-01-31 13:21:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Eda\Ustawienia lokalne\Dane aplikacji\Google
[2008-03-23 13:55:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Ustawienia lokalne\Dane aplikacji\Microsoft
[2008-03-23 13:55:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Ustawienia lokalne\Dane aplikacji\Microsoft
[2008-03-23 13:36:40 | 000,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Dane aplikacji\Microsoft
[2008-03-23 13:36:40 | 000,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Dane aplikacji\Microsoft
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

[color=#E56717]========== Files - Modified Within 30 Days ==========[/color]

[2010-03-01 17:00:40 | 000,792,064 | ---- | M] () -- C:\WINDOWS\System32\drivers\nlllx.sys
[2010-03-01 16:56:24 | 000,551,424 | ---- | M] (OldTimer Tools) -- C:\OTL.exe
[2010-03-01 16:55:28 | 000,551,424 | ---- | M] (OldTimer Tools) -- C:\mbam-setup.exe
[2010-03-01 16:41:40 | 000,007,000 | ---- | M] () -- C:\WINDOWS\System32\drivers\kgpcpy.cfg
[2010-03-01 16:03:58 | 000,000,116 | ---- | M] () -- C:\WINDOWS\System32\fjhdyfhsn.bat
[2010-03-01 16:02:18 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010-03-01 16:01:36 | 001,310,720 | -H-- | M] () -- C:\Documents and Settings\Eda\NTUSER.DAT
[2010-03-01 16:00:50 | 000,000,190 | -HS- | M] () -- C:\Documents and Settings\Eda\ntuser.ini
[2010-03-01 16:00:24 | 000,000,000 | -H-- | M] () -- C:\Documents and Settings\Eda\Ustawienia lokalne\Dane aplikacji\IconCache.db
[2010-03-01 03:55:08 | 017,037,680 | ---- | M] (Microsoft Corporation) -- C:\IE8-WindowsXP-x86-PLK.exe
[2010-02-27 17:30:50 | 000,003,584 | ---- | M] () -- C:\Documents and Settings\Eda\Ustawienia lokalne\Dane aplikacji\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010-02-27 13:57:48 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010-02-27 12:52:12 | 000,000,603 | ---- | M] () -- C:\Documents and Settings\All Users\Pulpit\Malwarebytes' Anti-Malware.lnk
[2010-02-27 12:43:34 | 000,000,596 | ---- | M] () -- C:\WINDOWS\win.ini
[2010-02-27 12:43:34 | 000,000,246 | ---- | M] () -- C:\WINDOWS\system.ini
[2010-02-27 12:43:34 | 000,000,194 | -HS- | M] () -- C:\boot.ini
[2010-02-27 11:16:12 | 000,002,184 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010-02-27 11:04:58 | 000,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deploytk.dll
[2010-02-27 11:04:58 | 000,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2010-02-27 11:04:58 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2010-02-27 11:04:58 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2010-02-27 11:04:58 | 000,073,728 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl
[2010-02-26 14:41:58 | 002,672,640 | ---- | M] () -- C:\Documents and Settings\Eda\Moje dokumenty\Obrazy od JOLI.pps
[2010-02-26 00:02:04 | 000,000,059 | ---- | M] () -- C:\WINDOWS\popcinfo.dat
[2010-02-19 01:02:38 | 000,763,990 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010-02-19 01:02:38 | 000,355,486 | ---- | M] () -- C:\WINDOWS\System32\perfh015.dat
[2010-02-19 01:02:38 | 000,311,604 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010-02-19 01:02:38 | 000,049,492 | ---- | M] () -- C:\WINDOWS\System32\perfc015.dat
[2010-02-19 01:02:38 | 000,039,992 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010-02-19 00:08:52 | 000,001,843 | ---- | M] () -- C:\WINDOWS\System32\AUTOEXEC.NT
[2010-02-15 10:40:08 | 000,093,480 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010-02-15 10:38:40 | 000,019,222 | ---- | M] () -- C:\WINDOWS\System32\$winnt$.inf
[2010-02-15 10:36:04 | 000,025,065 | ---- | M] () -- C:\WINDOWS\System32\wmpscheme.xml
[2010-02-15 10:35:58 | 000,023,392 | ---- | M] () -- C:\WINDOWS\System32\nscompat.tlb
[2010-02-15 10:35:58 | 000,016,832 | ---- | M] () -- C:\WINDOWS\System32\amcompat.tlb
[2010-02-15 10:35:56 | 000,299,552 | ---- | M] () -- C:\WINDOWS\WMSysPrx.prx
[2010-02-15 10:35:44 | 000,004,293 | ---- | M] () -- C:\WINDOWS\ODBCINST.INI
[2010-02-15 10:33:52 | 000,000,488 | RH-- | M] () -- C:\WINDOWS\System32\WindowsLogon.manifest
[2010-02-15 10:33:52 | 000,000,488 | RH-- | M] () -- C:\WINDOWS\System32\logonui.exe.manifest
[2010-02-15 10:33:44 | 000,000,749 | RH-- | M] () -- C:\WINDOWS\System32\wuaucpl.cpl.manifest
[2010-02-15 10:33:44 | 000,000,749 | RH-- | M] () -- C:\WINDOWS\WindowsShell.Manifest
[2010-02-15 10:33:44 | 000,000,749 | RH-- | M] () -- C:\WINDOWS\System32\sapi.cpl.manifest
[2010-02-15 10:33:44 | 000,000,749 | RH-- | M] () -- C:\WINDOWS\System32\nwc.cpl.manifest
[2010-02-15 10:33:44 | 000,000,749 | RH-- | M] () -- C:\WINDOWS\System32\ncpa.cpl.manifest
[2010-02-15 10:33:44 | 000,000,749 | RH-- | M] () -- C:\WINDOWS\System32\cdplayer.exe.manifest
[2010-02-15 10:32:22 | 000,023,016 | ---- | M] () -- C:\WINDOWS\System32\emptyregdb.dat
[2010-02-15 09:47:40 | 000,670,819 | ---- | M] () -- C:\WINDOWS\setupapi.old
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

[color=#E56717]========== Files Created - No Company Name ==========[/color]

[2010-03-01 16:03:31 | 000,007,000 | ---- | C] () -- C:\WINDOWS\System32\drivers\kgpcpy.cfg
[2010-03-01 16:02:50 | 000,000,012 | ---- | C] () -- C:\Documents and Settings\LocalService\Dane aplikacji\rbuwzv.dat
[2010-02-27 17:30:48 | 000,003,584 | ---- | C] () -- C:\Documents and Settings\Eda\Ustawienia lokalne\Dane aplikacji\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010-02-27 12:52:10 | 000,000,603 | ---- | C] () -- C:\Documents and Settings\All Users\Pulpit\Malwarebytes' Anti-Malware.lnk
[2010-02-27 00:06:56 | 000,792,064 | ---- | C] () -- C:\WINDOWS\System32\drivers\nlllx.sys
[2010-02-27 00:06:17 | 000,000,116 | ---- | C] () -- C:\WINDOWS\System32\fjhdyfhsn.bat
[2010-02-26 14:41:37 | 002,672,640 | ---- | C] () -- C:\Documents and Settings\Eda\Moje dokumenty\Obrazy od JOLI.pps
[2010-02-15 10:33:51 | 000,000,488 | RH-- | C] () -- C:\WINDOWS\System32\logonui.exe.manifest
[2010-02-15 10:33:42 | 000,000,749 | RH-- | C] () -- C:\WINDOWS\System32\wuaucpl.cpl.manifest
[2010-02-15 10:33:42 | 000,000,749 | RH-- | C] () -- C:\WINDOWS\WindowsShell.Manifest
[2010-02-15 10:33:42 | 000,000,749 | RH-- | C] () -- C:\WINDOWS\System32\sapi.cpl.manifest
[2010-02-15 10:33:42 | 000,000,749 | RH-- | C] () -- C:\WINDOWS\System32\nwc.cpl.manifest
[2010-02-15 10:33:42 | 000,000,749 | RH-- | C] () -- C:\WINDOWS\System32\ncpa.cpl.manifest
[2010-02-15 10:23:13 | 000,008,599 | ---- | C] () -- C:\WINDOWS\System32\dllcache\IASNT4.CAT
[2010-02-15 10:23:13 | 000,007,382 | ---- | C] () -- C:\WINDOWS\System32\dllcache\OEMBIOS.CAT
[2010-02-15 10:23:13 | 000,007,125 | ---- | C] () -- C:\WINDOWS\System32\dllcache\MSTSWEB.CAT
[2010-02-15 10:23:12 | 000,808,524 | ---- | C] () -- C:\WINDOWS\System32\dllcache\NT5IIS.CAT
[2010-02-15 10:23:12 | 000,399,670 | ---- | C] () -- C:\WINDOWS\System32\dllcache\MAPIMIG.CAT
[2010-02-15 10:23:12 | 000,037,509 | ---- | C] () -- C:\WINDOWS\System32\dllcache\MW770.CAT
[2010-02-15 10:23:12 | 000,031,161 | ---- | C] () -- C:\WINDOWS\System32\dllcache\FP4.CAT
[2010-02-15 10:23:12 | 000,013,923 | ---- | C] () -- C:\WINDOWS\System32\dllcache\IMS.CAT
[2010-02-15 10:23:12 | 000,013,497 | ---- | C] () -- C:\WINDOWS\System32\dllcache\HPCRDP.CAT
[2010-02-15 10:23:12 | 000,010,049 | ---- | C] () -- C:\WINDOWS\System32\dllcache\MSMSGS.CAT
[2010-02-15 10:23:11 | 001,622,956 | ---- | C] () -- C:\WINDOWS\System32\dllcache\NT5.CAT
[2010-02-15 10:23:11 | 000,609,642 | ---- | C] () -- C:\WINDOWS\System32\dllcache\NT5INF.CAT
[2008-06-15 18:01:07 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Pool.INI
[2008-04-02 19:43:45 | 000,000,094 | -H-- | C] () -- C:\WINDOWS\System32\spv1_WCssg.ini
[2008-03-23 16:22:15 | 000,036,864 | ---- | C] () -- C:\WINDOWS\System32\UnAudioNT.dll
[2008-03-23 14:50:26 | 000,001,086 | ---- | C] () -- C:\WINDOWS\wincmd.ini
[2008-03-23 14:39:51 | 000,354,816 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2006-03-31 22:00:35 | 000,000,011 | ---- | C] () -- C:\WINDOWS\System32\atiicdxx.ini
[2005-02-02 06:25:14 | 000,118,784 | --S- | C] () -- C:\WINDOWS\System32\RadClkR.dll
[2005-02-02 06:24:36 | 000,528,384 | --S- | C] () -- C:\WINDOWS\System32\RadMnu.dll
[2005-02-02 06:22:28 | 000,442,368 | --S- | C] () -- C:\WINDOWS\System32\Rad.dll
[2005-02-02 04:59:46 | 000,163,909 | --S- | C] () -- C:\WINDOWS\System32\RadType.dll
[2005-02-02 04:59:12 | 000,065,536 | --S- | C] () -- C:\WINDOWS\System32\RadRegs.dll
[2005-02-02 04:58:12 | 000,212,992 | --S- | C] () -- C:\WINDOWS\System32\RadExe.dll
[2005-02-02 04:56:40 | 000,180,224 | --S- | C] () -- C:\WINDOWS\System32\NRad.dll
[2004-12-29 22:43:14 | 000,018,492 | --S- | C] () -- C:\WINDOWS\System32\RadProbe.sys
[2004-12-29 22:43:14 | 000,018,492 | --S- | C] () -- C:\WINDOWS\System32\drivers\RadProbe.sys
[2004-12-19 19:52:48 | 000,061,440 | --S- | C] () -- C:\WINDOWS\System32\RadPlk.dll
[2004-12-07 03:35:10 | 000,061,440 | --S- | C] () -- C:\WINDOWS\System32\RadNlb.dll
[2004-12-07 03:33:24 | 000,065,536 | --S- | C] () -- C:\WINDOWS\System32\RadIta.dll
[2004-12-07 03:33:02 | 000,061,440 | --S- | C] () -- C:\WINDOWS\System32\RadHun.dll
[2004-12-07 03:30:48 | 000,065,536 | --S- | C] () -- C:\WINDOWS\System32\RadFra.dll
[2004-12-07 03:29:02 | 000,061,440 | --S- | C] () -- C:\WINDOWS\System32\RadEsp.dll
[2004-12-07 03:28:32 | 000,061,440 | --S- | C] () -- C:\WINDOWS\System32\RadEnu.dll
[2004-12-07 03:02:02 | 000,053,248 | --S- | C] () -- C:\WINDOWS\System32\OEM.dll
[2004-11-28 00:05:44 | 000,061,440 | --S- | C] () -- C:\WINDOWS\System32\RadDeu.dll
[2002-03-21 15:39:02 | 000,073,728 | R--- | C] () -- C:\WINDOWS\System32\UNACEV2.DLL
[2002-03-21 13:51:52 | 000,503,808 | R--- | C] () -- C:\WINDOWS\System32\lt_xtrans.dll
[2002-03-21 13:51:52 | 000,286,720 | R--- | C] () -- C:\WINDOWS\System32\MrSIDD.dll
[2002-03-21 13:51:52 | 000,163,840 | R--- | C] () -- C:\WINDOWS\System32\lt_common.dll
[2002-03-21 13:51:52 | 000,126,976 | R--- | C] () -- C:\WINDOWS\System32\lt_trans.dll
[2002-03-21 13:51:52 | 000,069,632 | R--- | C] () -- C:\WINDOWS\System32\lt_meta.dll
[2002-03-21 13:51:52 | 000,053,248 | R--- | C] () -- C:\WINDOWS\System32\lt_encrypt.dll
[2002-03-21 13:51:52 | 000,020,480 | R--- | C] () -- C:\WINDOWS\System32\lt_messagetext.dll
[2002-03-20 22:01:06 | 000,006,688 | R--- | C] () -- C:\WINDOWS\System32\Digita.sys
[2002-03-20 22:00:20 | 000,049,152 | R--- | C] () -- C:\WINDOWS\System32\TransportUSB.dll
[2002-03-20 22:00:20 | 000,049,152 | R--- | C] () -- C:\WINDOWS\System32\TransportSerial.dll
[2002-03-20 22:00:20 | 000,049,152 | R--- | C] () -- C:\WINDOWS\System32\TransportIrDA.dll
[2002-03-20 22:00:20 | 000,049,152 | R--- | C] () -- C:\WINDOWS\System32\TransportIrCOMM.dll
[2001-07-22 02:41:32 | 000,027,440 | ---- | C] () -- C:\WINDOWS\System32\drivers\secdrv.sys

[color=#E56717]========== LOP Check ==========[/color]

[2008-04-09 18:46:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Dane aplikacji\Sandlot Games
[2008-04-23 18:24:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Dane aplikacji\Oberon Media
[2008-05-20 18:08:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Dane aplikacji\Zylom
[2008-05-20 18:08:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Dane aplikacji\JollyBear
[2008-06-06 21:43:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Dane aplikacji\PlayPond
[2008-06-09 20:30:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Dane aplikacji\SpinTop Games
[2008-06-21 11:13:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Dane aplikacji\EA
[2008-06-28 15:47:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Dane aplikacji\GameBlend
[2008-08-02 11:08:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Dane aplikacji\TERMINAL Studio
[2008-08-08 17:50:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Dane aplikacji\HipSoft
[2008-09-06 07:49:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Dane aplikacji\ACD Systems
[2009-03-06 12:24:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Dane aplikacji\2DBoy
[2009-04-22 17:06:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Dane aplikacji\GameHouse
[2009-07-28 16:56:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Dane aplikacji\FarmFrenzy-PizzaParty
[2009-10-24 11:22:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Dane aplikacji\PlayFirst
[2010-03-01 15:51:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Dane aplikacji\STOPzilla!
[2010-03-01 15:55:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Dane aplikacji\SITEguard
[2010-02-25 09:09:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Eda\Dane aplikacji\Opera
[2010-02-26 00:00:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Eda\Dane aplikacji\Zylom

[color=#E56717]========== Purity Check ==========[/color]


< End of report >


Gmer

Kod: Zaznacz wszystko

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-03-01 17:09:31
Windows 5.1.2600
Running: gmer.exe; Driver: C:\DOCUME~1\Eda\USTAWI~1\Temp\kgkoipob.sys


---- Kernel code sections - GMER 1.0.15 ----

.text           ntoskrnl.exe!KeInitializeInterrupt + B79                                                                            804D4F8E 1 Byte  [06]

---- User code sections - GMER 1.0.15 ----

?               C:\WINDOWS\system32\svchost.exe[608]                                                                                image checksum mismatch; time/date stamp mismatch;

---- Kernel code sections - GMER 1.0.15 ----

?               szkg.sys                                                                                                            Nie można odnaleźć określonego pliku. !
?               szkgfs.sys                                                                                                          Nie można odnaleźć określonego pliku. !
?               nlllx.sys                                                                                                           Urządzenie podłączone do komputera nie działa. !
PAGE            Fastfat.sys                                                                                                         F9801F3E 4 Bytes  CALL 817A5651

---- User IAT/EAT - GMER 1.0.15 ----

IAT             C:\WINDOWS\system32\svchost.exe[608] @ C:\WINDOWS\system32\svchost.exe [ADVAPI32.dll!RegQueryValueExW]              81EC8B55
IAT             C:\WINDOWS\system32\svchost.exe[608] @ C:\WINDOWS\system32\svchost.exe [ADVAPI32.dll!SetSecurityDescriptorGroup]    000208EC
IAT             C:\WINDOWS\system32\svchost.exe[608] @ C:\WINDOWS\system32\svchost.exe [ADVAPI32.dll!SetSecurityDescriptorOwner]    57565300
IAT             C:\WINDOWS\system32\svchost.exe[608] @ C:\WINDOWS\system32\svchost.exe [ADVAPI32.dll!SetSecurityDescriptorDacl]     01B1C033
IAT             C:\WINDOWS\system32\svchost.exe[608] @ C:\WINDOWS\system32\svchost.exe [ADVAPI32.dll!InitializeSecurityDescriptor]  000100BE
IAT             C:\WINDOWS\system32\svchost.exe[608] @ C:\WINDOWS\system32\svchost.exe [ADVAPI32.dll!GetTokenInformation]           D1B60F00
IAT             C:\WINDOWS\system32\svchost.exe[608] @ C:\WINDOWS\system32\svchost.exe [ADVAPI32.dll!OpenProcessToken]              F8158488
IAT             C:\WINDOWS\system32\svchost.exe[608] @ C:\WINDOWS\system32\svchost.exe [ADVAPI32.dll!OpenThreadToken]               8AFFFFFE
IAT             C:\WINDOWS\system32\svchost.exe[608] @ C:\WINDOWS\system32\svchost.exe [ADVAPI32.dll!SetServiceStatus]              80E280D1
IAT             C:\WINDOWS\system32\svchost.exe[608] @ C:\WINDOWS\system32\svchost.exe [ADVAPI32.dll!RegisterServiceCtrlHandlerW]   F8058C88
IAT             C:\WINDOWS\system32\svchost.exe[608] @ C:\WINDOWS\system32\svchost.exe [ADVAPI32.dll!RegCloseKey]                   40FFFFFD
IAT             C:\WINDOWS\system32\svchost.exe[608] @ C:\WINDOWS\system32\svchost.exe [ADVAPI32.dll!RegOpenKeyExW]                 D21ADAF6
IAT             C:\WINDOWS\system32\svchost.exe[608] @ C:\WINDOWS\system32\svchost.exe [ADVAPI32.dll!StartServiceCtrlDispatcherW]   E280D98A
IAT             C:\WINDOWS\system32\svchost.exe[608] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!WideCharToMultiByte]           A0B8B801
IAT             C:\WINDOWS\system32\svchost.exe[608] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!lstrlenW]                      B60F0040
IAT             C:\WINDOWS\system32\svchost.exe[608] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!GetCurrentProcess]             18E2C1D1
IAT             C:\WINDOWS\system32\svchost.exe[608] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!GetCurrentThread]              D18A1089
IAT             C:\WINDOWS\system32\svchost.exe[608] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!LoadLibraryExW]                DAF604C0
IAT             C:\WINDOWS\system32\svchost.exe[608] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!lstrcmpW]                      32C9021B
IAT             C:\WINDOWS\system32\svchost.exe[608] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!LCMapStringW]                  DE7C0040
IAT             C:\WINDOWS\system32\svchost.exe[608] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!lstrcpyW]                      C66C2583
IAT             C:\WINDOWS\system32\svchost.exe[608] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!ExpandEnvironmentStringsW]     6A000040
IAT             C:\WINDOWS\system32\svchost.exe[608] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!lstrcmpiW]                     C9335B63
IAT             C:\WINDOWS\system32\svchost.exe[608] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!ExitProcess]                   94B81D89
IAT             C:\WINDOWS\system32\svchost.exe[608] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!GetCommandLineW]               0F410040
IAT             C:\WINDOWS\system32\svchost.exe[608] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!InitializeCriticalSection]     F80D84B6
IAT             C:\WINDOWS\system32\svchost.exe[608] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!GetProcessHeap]                8DFFFFFE
IAT             C:\WINDOWS\system32\svchost.exe[608] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!SetErrorMode]                  FFFEF795
IAT             C:\WINDOWS\system32\svchost.exe[608] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!SetUnhandledExceptionFilter]   8AD02BFF
IAT             C:\WINDOWS\system32\svchost.exe[608] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!FreeLibrary]                   D0C28A12
IAT             C:\WINDOWS\system32\svchost.exe[608] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!InterlockedCompareExchange]    D0D032C0
IAT             C:\WINDOWS\system32\svchost.exe[608] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!LoadLibraryA]                  D0D032C0
IAT             C:\WINDOWS\system32\svchost.exe[608] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!LocalFree]                     D0D032C0
IAT             C:\WINDOWS\system32\svchost.exe[608] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!GetProcAddress]                32C232C0
IAT             C:\WINDOWS\system32\svchost.exe[608] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!DelayLoadFailureHook]          C0B60FC3
IAT             C:\WINDOWS\system32\svchost.exe[608] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!LocalAlloc]                    B88D0489
IAT             C:\WINDOWS\system32\svchost.exe[608] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!NtQuerySecurityObject]            C4E0850C
IAT             C:\WINDOWS\system32\svchost.exe[608] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!RtlFreeHeap]                      3B410040
IAT             C:\WINDOWS\system32\svchost.exe[608] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!NtOpenKey]                        33C47CCE
IAT             C:\WINDOWS\system32\svchost.exe[608] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!wcscat]                           00FFBFC9
IAT             C:\WINDOWS\system32\svchost.exe[608] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!wcscpy]                           918A0000
IAT             C:\WINDOWS\system32\svchost.exe[608] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!RtlAllocateHeap]                  [004094B8] C:\WINDOWS\system32\svchost.exe (Generic Host Process for Win32 Services/Microsoft Corporation)
IAT             C:\WINDOWS\system32\svchost.exe[608] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!RtlCompareUnicodeString]          8024C28A
IAT             C:\WINDOWS\system32\svchost.exe[608] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!RtlInitUnicodeString]             C01AD8F6
IAT             C:\WINDOWS\system32\svchost.exe[608] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!RtlInitializeSid]                 DA8A1B24
IAT             C:\WINDOWS\system32\svchost.exe[608] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!RtlLengthRequiredSid]             C332DB02
IAT             C:\WINDOWS\system32\svchost.exe[608] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!RtlSubAuthoritySid]               8AF0B60F
IAT             C:\WINDOWS\system32\svchost.exe[608] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!RtlCopySid]                       40C4E099
IAT             C:\WINDOWS\system32\svchost.exe[608] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!RtlSubAuthorityCountSid]          D2B60F00
IAT             C:\WINDOWS\system32\svchost.exe[608] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!NtClose]                          E0C1C68B
IAT             C:\WINDOWS\system32\svchost.exe[608] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!RtlGetDaclSecurityDescriptor]     C1C23308
IAT             C:\WINDOWS\system32\svchost.exe[608] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!RtlQueryInformationAcl]           C23308E0
IAT             C:\WINDOWS\system32\svchost.exe[608] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!RtlGetAce]                        3308E0C1
IAT             C:\WINDOWS\system32\svchost.exe[608] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!RtlUnhandledExceptionFilter]      89C233C6
IAT             C:\WINDOWS\system32\svchost.exe[608] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!wcslen]                           40C0E081
IAT             C:\WINDOWS\system32\svchost.exe[608] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!RtlImageNtHeader]                 08C8C100
IAT             C:\WINDOWS\system32\svchost.exe[608] @ C:\WINDOWS\system32\svchost.exe [RPCRT4.dll!RpcMgmtSetServerStackSize]       C8C10040
IAT             C:\WINDOWS\system32\svchost.exe[608] @ C:\WINDOWS\system32\svchost.exe [RPCRT4.dll!RpcMgmtWaitServerListen]         E0818908
IAT             C:\WINDOWS\system32\svchost.exe[608] @ C:\WINDOWS\system32\svchost.exe [RPCRT4.dll!RpcMgmtStopServerListening]      C10040B8
IAT             C:\WINDOWS\system32\svchost.exe[608] @ C:\WINDOWS\system32\svchost.exe [RPCRT4.dll!RpcServerUnregisterIf]           818908C8
IAT             C:\WINDOWS\system32\svchost.exe[608] @ C:\WINDOWS\system32\svchost.exe [RPCRT4.dll!RpcServerUnregisterIfEx]         [0040B4E0] C:\WINDOWS\system32\svchost.exe (Generic Host Process for Win32 Services/Microsoft Corporation)
IAT             C:\WINDOWS\system32\svchost.exe[608] @ C:\WINDOWS\system32\svchost.exe [RPCRT4.dll!RpcServerListen]                 2674DB84
IAT             C:\WINDOWS\system32\svchost.exe[608] @ C:\WINDOWS\system32\svchost.exe [RPCRT4.dll!RpcServerUseProtseqEpW]          0395B60F
IAT             C:\WINDOWS\system32\svchost.exe[608] @ C:\WINDOWS\system32\svchost.exe [RPCRT4.dll!RpcServerRegisterIf]             0FFFFFFF
IAT             C:\WINDOWS\system32\svchost.exe[608] @ C:\WINDOWS\system32\svchost.exe [RPCRT4.dll!I_RpcMapWin32Status]             B60FC3B6

---- Devices - GMER 1.0.15 ----

Device          \FileSystem\Fastfat \FatCdrom                                                                                       81756068
Device          \Driver\szkg5 \Device\MSProcess                                                                                     szkg.sys
Device          \FileSystem\Fastfat \Fat                                 

[Okocza]

Daj loga z combofixa ale przed jego użyciem wykasuj jeśli masz programy emulujące napędy

[sagakama]

Log z combofixa:

Kod: Zaznacz wszystko

ComboFix 10-02-28.04 - Eda 2010-03-01  18:11:32.1.1 - FAT32x86
Microsoft Windows XP Professional  5.1.2600.0.1250.48.1045.18.255.74 [GMT 1:00]
Uruchomiony z: C:\ComboFix.exe
.

(((((((((((((((((((((((((((((((((((((((   Usunięto   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Eda\Menu Start\Programy\Autostart\winesm32.exe
c:\windows\system32\ieuinit.inf

c:\windows\system32\qmgr.dll . . . jest zainfekowany!!

.
(((((((((((((((((((((((((   Pliki utworzone od 2010-02-01 do 2010-03-01  )))))))))))))))))))))))))))))))
.

2010-03-01 17:05 . 2010-03-01 17:06   3875634   ----a-r-   C:\ComboFix.exe
2010-03-01 16:04 . 2010-03-01 16:04   284915   ----a-w-   C:\gmer.zip
2010-03-01 15:56 . 2010-03-01 15:56   551424   ----a-w-   C:\OTL.exe
2010-03-01 14:55 . 2010-03-01 14:55   --------   d-----w-   c:\documents and settings\All Users\Dane aplikacji\SITEguard
2010-03-01 14:51 . 2010-03-01 14:51   --------   d-----w-   c:\program files\Common Files\iS3
2010-03-01 14:51 . 2010-03-01 14:51   --------   d-----w-   c:\documents and settings\All Users\Dane aplikacji\STOPzilla!
2010-03-01 02:43 . 2010-03-01 02:55   17037680   ----a-w-   C:\IE8-WindowsXP-x86-PLK.exe
2010-02-27 11:52 . 2010-02-27 11:52   --------   d-----w-   c:\documents and settings\Eda\Dane aplikacji\Malwarebytes
2010-02-27 11:52 . 2010-01-07 15:07   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-27 11:52 . 2010-02-27 11:52   --------   d-----w-   c:\documents and settings\All Users\Dane aplikacji\Malwarebytes
2010-02-27 11:52 . 2010-02-27 11:52   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
2010-02-27 11:52 . 2010-01-07 15:07   18520   ----a-w-   c:\windows\system32\drivers\mbam.sys
2010-02-27 10:06 . 2010-02-27 10:06   503808   ----a-w-   c:\documents and settings\Eda\Dane aplikacji\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-58ff3ec7-n\msvcp71.dll
2010-02-27 10:06 . 2010-02-27 10:06   499712   ----a-w-   c:\documents and settings\Eda\Dane aplikacji\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-58ff3ec7-n\jmc.dll
2010-02-27 10:06 . 2010-02-27 10:06   348160   ----a-w-   c:\documents and settings\Eda\Dane aplikacji\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-58ff3ec7-n\msvcr71.dll
2010-02-27 10:06 . 2010-02-27 10:06   61440   ----a-w-   c:\documents and settings\Eda\Dane aplikacji\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-17097d53-n\decora-sse.dll
2010-02-27 10:06 . 2010-02-27 10:06   12800   ----a-w-   c:\documents and settings\Eda\Dane aplikacji\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-17097d53-n\decora-d3d.dll
2010-02-27 10:05 . 2010-02-27 10:04   411368   ----a-w-   c:\windows\system32\deploytk.dll
2010-02-26 23:07 . 2010-02-26 23:07   --------   d-s---w-   c:\windows\system32\Microsoft
2010-02-26 23:06 . 2010-03-01 15:03   116   ----a-w-   c:\windows\system32\fjhdyfhsn.bat
2010-02-25 23:00 . 2010-02-25 23:00   --------   d-----w-   c:\documents and settings\Eda\Dane aplikacji\Zylom
2010-02-25 22:47 . 2010-02-25 22:47   --------   d-s---w-   c:\documents and settings\Eda\UserData
2010-02-25 08:09 . 2010-02-25 08:09   --------   d-----w-   c:\documents and settings\Eda\Ustawienia lokalne\Dane aplikacji\Opera
2010-02-25 08:08 . 2010-02-25 08:08   --------   d-----w-   c:\program files\Opera
2010-02-25 06:56 . 2010-02-25 06:57   --------   d-----w-   c:\documents and settings\Eda\Dane aplikacji\MSN6
2010-02-25 06:56 . 2010-02-25 06:57   --------   d-----w-   c:\documents and settings\All Users\Dane aplikacji\MSN6
2010-02-15 14:44 . 2010-02-15 14:44   --------   d-----w-   C:\FOUND.003
2010-02-15 09:36 . 2003-05-21 09:18   44032   ----a-r-   c:\windows\system32\msxml3r.dll
2010-02-15 09:25 . 2001-08-17 19:13   27165   ----a-w-   c:\windows\system32\drivers\fetnd5.sys
2010-02-15 09:23 . 2001-10-26 17:29   24661   ----a-w-   c:\windows\system32\spxcoins.dll
2010-02-15 09:23 . 2001-10-26 17:29   13312   ----a-w-   c:\windows\system32\irclass.dll
2010-02-15 09:02 . 2010-02-15 09:02   --------   d-----w-   C:\FOUND.002
2010-01-31 12:21 . 2010-01-31 12:21   --------   d-----w-   c:\documents and settings\Eda\Ustawienia lokalne\Dane aplikacji\Google

.
((((((((((((((((((((((((((((((((((((((((   Sekcja Find3M   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-01 15:41 . 2010-03-01 15:03   7000   ----a-w-   c:\windows\system32\drivers\kgpcpy.cfg
2010-03-01 15:02 . 2010-03-01 15:02   12   ----a-w-   c:\documents and settings\LocalService\Dane aplikacji\rbuwzv.dat
2010-02-26 23:05 . 2010-02-26 23:05   16   ----a-w-   c:\windows\system32\config\systemprofile\Dane aplikacji\rbuwzv.dat
2010-02-25 23:02 . 2008-04-06 16:47   59   ----a-w-   c:\windows\popcinfo.dat
2010-02-19 00:02 . 2001-10-26 15:15   49492   ----a-w-   c:\windows\system32\perfc015.dat
2010-02-19 00:02 . 2001-10-26 15:15   355486   ----a-w-   c:\windows\system32\perfh015.dat
2010-02-15 09:34 . 2010-02-15 09:34   80345   ----a-w-   c:\windows\PCHEALTH\HELPCTR\OfflineCache\index.dat
2010-02-15 09:32 . 2008-03-23 12:44   23016   ----a-w-   c:\windows\system32\emptyregdb.dat
2010-01-31 07:46 . 2008-03-23 12:28   65536   ----a-w-   c:\windows\DUMPf652.tmp
2010-01-15 11:58 . 2010-01-15 11:58   --------   d-----w-   c:\documents and settings\Eda\Dane aplikacji\Winamp
.

(((((((((((((((((((((((((((((((((((((   Wpisy startowe rejestru   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane 
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AtiPTA"="atiptaxx.exe" [2006-02-22 344064]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2001-10-26 13312]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{35B2861B-2B26-4691-9FF0-09083722C736}"= "c:\windows\System32\RadExe.dll" [2005-02-02 212992]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages   REG_MULTI_SZ      msv1_0 nwprovau

[HKLM\~\startupfolder\C:^Documents and Settings^Eda^Menu Start^Programy^Autostart^winesm32.exe]
path=c:\documents and settings\Eda\Menu Start\Programy\Autostart\winesm32.exe
backup=c:\windows\pss\winesm32.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2001-08-02 06:14   1077277   ----a-w-   c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
2009-07-01 16:37   37888   ----a-w-   c:\program files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WZCSVC"=2 (0x2)
"wuauserv"=3 (0x3)
"UPS"=3 (0x3)
"Schedule"=2 (0x2)

R1 atitray;atitray;c:\program files\Radeon Omega Drivers\v3.8.252\ATI Tray Tools\atitray.sys [2005-11-14 12032]

--- Inne Usługi/Sterowniki w Pamięci ---

*Deregistered* - nlllx
.
.
------- Skan uzupełniający -------
.
IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
TCP: {6FAFEE68-BF51-4FCE-91E0-3D0274212F1B} = 195.94.214.241,157.25.5.18
FF - ProfilePath - c:\documents and settings\Eda\Dane aplikacji\Mozilla\Firefox\Profiles\sl3u6pjy.default\
FF - plugin: c:\documents and settings\All Users\Dane aplikacji\Zylom\ZylomGamesPlayer\npzylomgamesplayer.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npzylomgamesplayer.dll
.
- - - - USUNIĘTO PUSTE WPISY - - - -

AddRemove-Amazing Adventures - Around The World - c:\program files\Zylom Games\Amazing Adventures - Around The World\GameInstlr.exe
AddRemove-Build-a-lot - Town of the Year Deluxe - c:\program files\Zylom Games\Build-a-lot - Town of the Year Deluxe\GameInstlr.exe
AddRemove-Fairy Treasure Deluxe - c:\program files\Zylom Games\Fairy Treasure Deluxe\GameInstlr.exe
AddRemove-Interpol - The Trail of Dr. Chaos Deluxe - c:\program files\Zylom Games\Interpol - The Trail of Dr. Chaos Deluxe\GameInstlr.exe
AddRemove-Mortimer Beckett Deluxe - c:\program files\Zylom Games\Mortimer Beckett Deluxe\GameInstlr.exe
AddRemove-Owcze Przygody_is1 - d:\gry\Owcze Przygody\unins000.exe
AddRemove-Poszukiwacze zaginionego kurczaka_is1 - d:\gry\Poszukiwacze zaginionego kurczaka\unins000.exe
AddRemove-XPv3.8.252 - c:\windows\Radeon Omega Drivers v3.8.252



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-01 18:19
Windows 5.1.2600  FAT NTAPI

skanowanie ukrytych procesów ... 

skanowanie ukrytych wpisów autostartu ...

skanowanie ukrytych plików ... 

skanowanie pomyślnie ukończone
ukryte pliki: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\nlllx]

.
--------------------- Pliki DLL ładowane pod uruchomionymi procesami ---------------------

- - - - - - - > 'winlogon.exe'(636)
c:\windows\system32\ODBC32.dll
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(692)
c:\windows\system32\mswsock.dll
c:\windows\System32\wshtcpip.dll
c:\windows\System32\dssenh.dll
.
------------------------ Pozostałe uruchomione procesy ------------------------
.
c:\windows\System32\Ati2evxx.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\Ati2evxx.exe
.
**************************************************************************
.
Czas ukończenia: 2010-03-01  18:22:43 - komputer został uruchomiony ponownie
ComboFix-quarantined-files.txt  2010-03-01 17:22

Przed: 679 231 488 bajtów wolnych
Po: 671 522 816 bajtów wolnych

WinXP_PL_PRO_BF.EXE
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect

- - End Of File - - 9C9C11732DB88E7C83332DDD0A7BEAEA


[wojtas]

pobierz i umieść plik na partycji C
http://www.dlldump.com/download-dll-files_new.php/dllfiles/Q/qmgr.dll/6.6.2600.2180/download.html

Otworz notatnik i wklej w nim to:

File::
c:\windows\system32\fjhdyfhsn.bat
c:\windows\system32\drivers\kgpcpy.cfg
c:\documents and settings\LocalService\Dane aplikacji\rbuwzv.dat
c:\windows\system32\config\systemprofile\Dane aplikacji\rbuwzv.dat
c:\windows\system32\qmgr.dll

FCopy::
c:\qmgr.dll | c:\windows\system32\qmgr.dll

>>Plik>>Zapisz jako... >>> CFScript
Przeciągnij i upuść plik CFScript.txt na plik ComboFix.exe
-->
Rozpocznie się usuwanie i powstanie log daj go.

[sagakama]

Po tym usuwaniu pojawiły sie jakieś problemy z połączeniem sieciowym i wchodzeniem na różne strony ale po resecie mam wrażenie że wszystko działa poprawnie a użycie procesora przy "nic nierobieniu" spadło do zera...i tak chyba powinno byc daje tego loga:

Kod: Zaznacz wszystko

ComboFix 10-03-01.01 - Eda 2010-03-01  19:17:13.2.1 - FAT32x86
Microsoft Windows XP Professional  5.1.2600.0.1250.48.1045.18.255.95 [GMT 1:00]
Uruchomiony z: C:\ComboFix.exe
Użyto następujących komend :: C:\CFScript.txt.txt

FILE ::
"c:\documents and settings\LocalService\Dane aplikacji\rbuwzv.dat"
"c:\windows\system32\config\systemprofile\Dane aplikacji\rbuwzv.dat"
"c:\windows\system32\drivers\kgpcpy.cfg"
"c:\windows\system32\fjhdyfhsn.bat"
"c:\windows\system32\qmgr.dll"
.

(((((((((((((((((((((((((((((((((((((((   Usunięto   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\LocalService\Dane aplikacji\rbuwzv.dat
c:\windows\system32\config\systemprofile\Dane aplikacji\rbuwzv.dat
c:\windows\system32\drivers\kgpcpy.cfg
c:\windows\system32\fjhdyfhsn.bat

.
--------------- FCopy ---------------

c:\qmgr.dll --> c:\windows\system32\qmgr.dll
.
(((((((((((((((((((((((((   Pliki utworzone od 2010-02-01 do 2010-03-01  )))))))))))))))))))))))))))))))
.

2010-03-01 18:09 . 2010-03-01 18:09   382464   ------w-   C:\qmgr.dll
2010-03-01 17:05 . 2010-03-01 18:13   3875750   ----a-r-   C:\ComboFix.exe
2010-03-01 16:04 . 2010-03-01 16:04   284915   ----a-w-   C:\gmer.zip
2010-03-01 15:56 . 2010-03-01 15:56   551424   ----a-w-   C:\OTL.exe
2010-03-01 14:55 . 2010-03-01 14:55   --------   d-----w-   c:\documents and settings\All Users\Dane aplikacji\SITEguard
2010-03-01 14:51 . 2010-03-01 14:51   --------   d-----w-   c:\program files\Common Files\iS3
2010-03-01 14:51 . 2010-03-01 14:51   --------   d-----w-   c:\documents and settings\All Users\Dane aplikacji\STOPzilla!
2010-03-01 02:43 . 2010-03-01 02:55   17037680   ----a-w-   C:\IE8-WindowsXP-x86-PLK.exe
2010-02-27 11:52 . 2010-02-27 11:52   --------   d-----w-   c:\documents and settings\Eda\Dane aplikacji\Malwarebytes
2010-02-27 11:52 . 2010-01-07 15:07   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-27 11:52 . 2010-02-27 11:52   --------   d-----w-   c:\documents and settings\All Users\Dane aplikacji\Malwarebytes
2010-02-27 11:52 . 2010-02-27 11:52   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
2010-02-27 11:52 . 2010-01-07 15:07   18520   ----a-w-   c:\windows\system32\drivers\mbam.sys
2010-02-27 10:06 . 2010-02-27 10:06   503808   ----a-w-   c:\documents and settings\Eda\Dane aplikacji\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-58ff3ec7-n\msvcp71.dll
2010-02-27 10:06 . 2010-02-27 10:06   499712   ----a-w-   c:\documents and settings\Eda\Dane aplikacji\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-58ff3ec7-n\jmc.dll
2010-02-27 10:06 . 2010-02-27 10:06   348160   ----a-w-   c:\documents and settings\Eda\Dane aplikacji\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-58ff3ec7-n\msvcr71.dll
2010-02-27 10:06 . 2010-02-27 10:06   61440   ----a-w-   c:\documents and settings\Eda\Dane aplikacji\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-17097d53-n\decora-sse.dll
2010-02-27 10:06 . 2010-02-27 10:06   12800   ----a-w-   c:\documents and settings\Eda\Dane aplikacji\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-17097d53-n\decora-d3d.dll
2010-02-27 10:05 . 2010-02-27 10:04   411368   ----a-w-   c:\windows\system32\deploytk.dll
2010-02-26 23:07 . 2010-02-26 23:07   --------   d-s---w-   c:\windows\system32\Microsoft
2010-02-25 23:00 . 2010-02-25 23:00   --------   d-----w-   c:\documents and settings\Eda\Dane aplikacji\Zylom
2010-02-25 22:47 . 2010-02-25 22:47   --------   d-s---w-   c:\documents and settings\Eda\UserData
2010-02-25 08:09 . 2010-02-25 08:09   --------   d-----w-   c:\documents and settings\Eda\Ustawienia lokalne\Dane aplikacji\Opera
2010-02-25 08:08 . 2010-02-25 08:08   --------   d-----w-   c:\program files\Opera
2010-02-25 06:56 . 2010-02-25 06:57   --------   d-----w-   c:\documents and settings\Eda\Dane aplikacji\MSN6
2010-02-25 06:56 . 2010-02-25 06:57   --------   d-----w-   c:\documents and settings\All Users\Dane aplikacji\MSN6
2010-02-15 14:44 . 2010-02-15 14:44   --------   d-----w-   C:\FOUND.003
2010-02-15 09:36 . 2003-05-21 09:18   44032   ----a-r-   c:\windows\system32\msxml3r.dll
2010-02-15 09:25 . 2001-08-17 19:13   27165   ----a-w-   c:\windows\system32\drivers\fetnd5.sys
2010-02-15 09:23 . 2001-10-26 17:29   24661   ----a-w-   c:\windows\system32\spxcoins.dll
2010-02-15 09:23 . 2001-10-26 17:29   13312   ----a-w-   c:\windows\system32\irclass.dll
2010-02-15 09:02 . 2010-02-15 09:02   --------   d-----w-   C:\FOUND.002
2010-01-31 12:21 . 2010-01-31 12:21   --------   d-----w-   c:\documents and settings\Eda\Ustawienia lokalne\Dane aplikacji\Google

.
((((((((((((((((((((((((((((((((((((((((   Sekcja Find3M   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-01 18:09 . 2008-03-23 12:46   382464   ----a-w-   c:\windows\system32\qmgr.dll
2010-02-25 23:02 . 2008-04-06 16:47   59   ----a-w-   c:\windows\popcinfo.dat
2010-02-19 00:02 . 2001-10-26 15:15   49492   ----a-w-   c:\windows\system32\perfc015.dat
2010-02-19 00:02 . 2001-10-26 15:15   355486   ----a-w-   c:\windows\system32\perfh015.dat
2010-02-15 09:34 . 2010-02-15 09:34   80345   ----a-w-   c:\windows\PCHEALTH\HELPCTR\OfflineCache\index.dat
2010-02-15 09:32 . 2008-03-23 12:44   23016   ----a-w-   c:\windows\system32\emptyregdb.dat
2010-01-31 07:46 . 2008-03-23 12:28   65536   ----a-w-   c:\windows\DUMPf652.tmp
2010-01-15 11:58 . 2010-01-15 11:58   --------   d-----w-   c:\documents and settings\Eda\Dane aplikacji\Winamp
.

------- Sigcheck -------

[-] 2010-03-01 . 2C69EC7E5A311334D10DD95F338FCCEA . 382464 . . [6.6.2600.2180] . . c:\windows\system32\qmgr.dll
[7] 2001-10-26 . CD35DF4A829D44E04B2BC698CC9F216D . 179200 . . [6.0.2600.0] . . c:\windows\ERDNT\cache\qmgr.dll



c:\windows\System32\wscntfy.exe ...  - brak elementu !!
c:\windows\System32\xmlprov.dll ...  - brak elementu !!
.
(((((((((((((((((((((((((((((((((((((   Wpisy startowe rejestru   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane 
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AtiPTA"="atiptaxx.exe" [2006-02-22 344064]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2001-10-26 13312]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{35B2861B-2B26-4691-9FF0-09083722C736}"= "c:\windows\System32\RadExe.dll" [2005-02-02 212992]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages   REG_MULTI_SZ      msv1_0 nwprovau

[HKLM\~\startupfolder\C:^Documents and Settings^Eda^Menu Start^Programy^Autostart^winesm32.exe]
path=c:\documents and settings\Eda\Menu Start\Programy\Autostart\winesm32.exe
backup=c:\windows\pss\winesm32.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2001-08-02 06:14   1077277   ----a-w-   c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
2009-07-01 16:37   37888   ----a-w-   c:\program files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WZCSVC"=2 (0x2)
"wuauserv"=3 (0x3)
"UPS"=3 (0x3)
"Schedule"=2 (0x2)

R1 atitray;atitray;c:\program files\Radeon Omega Drivers\v3.8.252\ATI Tray Tools\atitray.sys [2005-11-14 12032]

--- Inne Usługi/Sterowniki w Pamięci ---

*Deregistered* - nlllx
.
.
------- Skan uzupełniający -------
.
IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
TCP: {6FAFEE68-BF51-4FCE-91E0-3D0274212F1B} = 195.94.214.241,157.25.5.18
FF - ProfilePath - c:\documents and settings\Eda\Dane aplikacji\Mozilla\Firefox\Profiles\sl3u6pjy.default\
FF - plugin: c:\documents and settings\All Users\Dane aplikacji\Zylom\ZylomGamesPlayer\npzylomgamesplayer.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npzylomgamesplayer.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-01 19:23
Windows 5.1.2600  FAT NTAPI

skanowanie ukrytych procesów ... 

skanowanie ukrytych wpisów autostartu ...

skanowanie ukrytych plików ... 

skanowanie pomyślnie ukończone
ukryte pliki: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\nlllx]

.
--------------------- Pliki DLL ładowane pod uruchomionymi procesami ---------------------

- - - - - - - > 'winlogon.exe'(636)
c:\windows\system32\ODBC32.dll
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(692)
c:\windows\system32\mswsock.dll
c:\windows\System32\wshtcpip.dll
c:\windows\System32\dssenh.dll
.
Czas ukończenia: 2010-03-01  19:25:16
ComboFix-quarantined-files.txt  2010-03-01 18:25
ComboFix2.txt  2010-03-01 17:22

Przed: 666 411 008 bajtów wolnych
Po: 658 800 640 bajtów wolnych

- - End Of File - - DBD52746CA2FF654CFC1A7C0175DAB2F


Od razu chciałem tak przy okazji zapytać sie jak się przed takim czymś ustrzec na przyszłość i jakbyście mogli jakiegoś antiwirusa polecić...to będe bardzo wdzięczny

[Okocza]

sagakama, Jest ok.

Użyj jeszcze ATF_Cleanera

[wojtas]

prawie ok .. ściągnij

http://www.sendspace.com/file/7b7p83 wypakuj na C

do notatnika wklej :

FCopy::
c:\wscntfy.exe | c:\windows\system32\wscntfy.exe
c:\xmlprov.dll | c:\windows\system32\xmlprov.dll
c:\windows\ERDNT\cache\qmgr.dll | c:\windows\system32qmgr.dll

ta sama procedura co ostatnio

Czynności końcowe :

1.Uruchom OTL z opcji CleanUp
2. wykonaj optymalizację windowsa
3.Wyłącz przywracanie systemu ( właściwości mój komputer-zakładka przywracanie - wyłącz przywracanie na wszystkich dyskach). Po chwili włącz je powrotem]
4. zrób skan Malwarebytes Anti-Malware (zaktualizuj, usuń co znajdzie )