PC-HELP.CZ

České diskuzní fórum o počítačích
https://pc-help.cnews.cz/

Internet jede ale tak napul.

https://pc-help.cnews.cz/viewtopic.php?f=3&t=43377

Stránka 1 z 5

Internet jede ale tak napul.

Napsal: 06 srp 2009 18:10
od Cerb
Mam zajimavy problem ze dne na den mi prestaly fungovat vsechny programy ktere potrebujou prihlaseni (QIP,Ventrilo,Steam,WoW...) proste se nemuzu nikde prihlasit na strankach ovsem ano.Nepise to ani zadnou chybu vetsinou neco ve stylu unable to connect.Reinstaloval jsem win ale musel jsem tam hodit XP protoze visty se mi ke konci instalace sekly a neslo ani hybat mysi nic nikdy predtim to nedelalo.Projel jsem pc Avastem a CCleanerem taky nic prosim pomoc fakt si nevim rady.Tady davam log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:02:56 PM, on 8/6/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18241)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
D:\Program Files\Alwil Software\Avast4pro\aswUpdSv.exe
D:\Program Files\Alwil Software\Avast4pro\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Alwil Software\Avast4pro\ashMaiSv.exe
D:\Program Files\Alwil Software\Avast4pro\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
D:\PROGRA~1\ALWILS~1\AVAST4~1\ashDisp.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\Program Files\VentriloMix\ventmix.exe
C:\WINDOWS\explorer.exe
D:\Program Files\WinRAR\WinRAR.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O4 - HKLM\..\Run: [avast!] D:\PROGRA~1\ALWILS~1\AVAST4~1\ashDisp.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - D:\Program Files\Alwil Software\Avast4pro\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - D:\Program Files\Alwil Software\Avast4pro\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - D:\Program Files\Alwil Software\Avast4pro\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - D:\Program Files\Alwil Software\Avast4pro\ashWebSv.exe

--
End of file - 3028 bytes

Re: Internet jede ale tak napul.

Napsal: 06 srp 2009 18:39
od guest
Vítám Tě na PC-Help. Možná kdybys ten log vložil do správné sekce, tak by ses dočkal odpovědi dříve.

Re: Internet jede ale tak napul.

Napsal: 06 srp 2009 18:48
od Cerb
Omlouvam se ale mam problem s internetem tak jsem to dal sel a log jsem tu dal pro jistotu no pro priste se ponaucim :wink: slo by to presunout do spravne sekce?

Re: Internet jede ale tak napul.

Napsal: 06 srp 2009 18:56
od Damned
Doufej že si tě budu pamatovat.
Spusť HJT (HijackThis), vypni prohlížeče, odpoj se od internetu a fixni (spustit HJT, "Do a system scan only",
zatrhnout políčko před hodnotou, zmáčknout "Fix checked" a poté "Ano"):

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKUS\S-1-5-19\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
*****************************************************************************************************************************************
Stáhni si Malwarebytes' Anti-Malware
Nainstaluj a spusť ho
- na konci instalace se ujisti že máš zvoleny/zatrhnuty obě možnosti:
Aktualizace Malwarebytes' Anti-Malware a Spustit aplikaci Malwarebytes' Anti-Malware, pokud jo tak klikni na tlačítko konec
- pokud bude nalezena aktualizace, tak se stáhne a nainstaluje
- program se po té spustí a nech vybranou možnost Provést rychlý sken a klikni na tlačítko Skenovat
- po proběhnutí programu se ti objeví hláška tak klikni na OK a pak na tlačítko Zobrazit výsledky
- pak zvol možnost uložit log a ulož si log na plochu
- po té klikni na tlačítko Exit, objeví se ti hláška tak zvol Ano
(zatím nic nemaž!).
Vlož sem pak obsah toho logu.

Re: Internet jede ale tak napul.

Napsal: 06 srp 2009 23:48
od Cerb
Malwarebytes' Anti-Malware 1.40
Database version: 2551
Windows 5.1.2600 Service Pack 3

8/6/2009 11:46:13 PM
aaaaaaaaaam-log-2009-08-06 (23-46-08).txt

Scan type: Quick Scan
Objects scanned: 74763
Time elapsed: 1 minute(s), 47 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 7
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ForceClassicControlPanel (Hijack.ControlPanelStyle) -> No action taken.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSMHelp (Hijack.Help) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.224 85.255.112.64 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{6f6a20a3-68da-41b0-81ef-946be714e746}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.224 85.255.112.64 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.224 85.255.112.64 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{6f6a20a3-68da-41b0-81ef-946be714e746}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.224 85.255.112.64 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.224 85.255.112.64 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{6f6a20a3-68da-41b0-81ef-946be714e746}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.224 85.255.112.64 -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Re: Internet jede ale tak napul.

Napsal: 07 srp 2009 00:07
od Damned
Takže spusť znovu MbAM a dej Scan
- po proběhnutí programu se ti objeví hláška tak klikni na OK a pak na tlačítko Show Results
- ujistit se že máš zatrhnuté všechny vypsané nálezy a klikni na tlačítko Remove Selected
- když skončí odstraňování tak se ti zobrazí log, tak ho sem dej.
- pak zvol v programu OK a pak program ukonči přes Exit

Vypni rezidentní štít antiviru (pokud máš tak i antispyware).
Stáhni si ComboFix (by sUBs)
nebo ComboFix (subs)
a ulož si ho na plochu.
Ukonči všechna aktivní okna a spusť ho.
- Po spuštění se zobrazí podmínky užití, potvrď je stiskem tlačítka Ano
- Dále postupuj dle pokynů, během aplikování ComboFixu neklikej do zobrazujícího se okna
- Po dokončení skenování by měl program vytvořit log - C:\ComboFix.txt - zkopíruj sem prosím celý jeho obsah

Re: Internet jede ale tak napul.

Napsal: 07 srp 2009 00:39
od Cerb
ComboFix 09-08-06.01 - Administrator 08/07/2009 0:36.2.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.602 [GMT -5:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2009-07-07 to 2009-08-07 )))))))))))))))))))))))))))))))
.

2009-08-07 04:34 . 2009-08-07 04:34 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-08-07 04:34 . 2009-08-03 18:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-07 04:33 . 2009-08-07 04:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-07 04:33 . 2009-08-03 18:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-07 04:33 . 2009-08-07 04:34 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-06 23:02 . 2009-08-06 23:02 -------- d-----w- c:\program files\Trend Micro
2009-08-06 22:51 . 2009-08-06 22:51 -------- d-----w- c:\program files\Common Files\SourceTec
2009-08-06 21:52 . 2003-12-13 05:40 202763 ----a-w- c:\windows\system32\dllcache\uxtheme.dll
2009-08-06 21:48 . 2009-08-06 21:48 -------- d-----w- c:\windows\system32\Lang
2009-08-06 21:44 . 2009-08-06 21:44 -------- d-----w- c:\program files\Realtek
2009-08-06 21:44 . 2009-08-06 21:44 315392 ----a-w- c:\windows\HideWin.exe
2009-08-06 21:44 . 2008-03-05 10:07 520192 ------r- c:\windows\RtlExUpd.dll
2009-08-06 21:44 . 2009-08-06 21:44 -------- dc----w- c:\windows\system32\DRVSTORE
2009-08-06 21:44 . 2006-07-02 03:39 36864 ----a-w- c:\windows\system32\drivers\AmdK8.sys
2009-08-06 21:44 . 2009-08-06 21:44 -------- d-----w- c:\program files\AMD
2009-08-06 21:44 . 2009-08-06 21:44 -------- d-----w- c:\documents and settings\Administrator\Application Data\InstallShield
2009-08-06 21:18 . 2009-02-05 20:06 23152 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-08-06 21:18 . 2009-02-05 20:06 51376 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-08-06 21:18 . 2009-02-05 20:05 26944 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2009-08-06 21:18 . 2009-02-05 20:08 93296 ----a-w- c:\windows\system32\drivers\aswmon.sys
2009-08-06 21:18 . 2009-02-05 20:08 94032 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2009-08-06 21:18 . 2009-02-05 20:07 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-08-06 21:18 . 2009-02-05 20:07 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2009-08-06 21:18 . 2009-02-05 20:04 97480 ----a-w- c:\windows\system32\AvastSS.scr
2009-08-06 21:17 . 2009-02-05 20:11 1256296 ----a-w- c:\windows\system32\aswBoot.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-06 21:44 . 2009-08-06 20:38 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-08-06 21:44 . 2009-08-06 20:37 -------- d-----w- c:\program files\Common Files\InstallShield
2009-08-06 20:54 . 2009-08-06 20:54 0 ----a-w- c:\windows\nsreg.dat
2009-08-06 20:52 . 2009-08-06 20:51 -------- d-----w- c:\documents and settings\Administrator\Application Data\Ventrilo
2009-08-06 20:39 . 2009-08-06 20:39 0 ----a-w- c:\windows\ativpsrm.bin
2009-08-06 20:27 . 2009-08-06 20:27 21640 ----a-w- c:\windows\system32\emptyregdb.dat
.

------- Sigcheck -------

[-] 2008-09-13 22:22 361600 CBEEBEB899E31EF52B962CB31FC8CA5C c:\windows\system32\drivers\tcpip.sys



.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="d:\progra~1\ALWILS~1\AVAST4~1\ashDisp.exe" [2009-02-05 81000]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)
"NoSMMyPictures"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)
"ForceClassicControlPanel"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoSMMyPictures"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [8/6/2009 4:18 PM 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [8/6/2009 4:18 PM 20560]
S3 SetupNTGLM7X;SetupNTGLM7X;E:\NTGLM7X.sys [6/23/2006 4:02 AM 28160]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-07 00:37
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-448539723-179605362-682003330-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"659BD8E725A05FDCC64118EA787EAA2B534A94FABE"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,e5,6e,25,9b,4c,72,7a,40,96,a6,4f,\
"3A77B377802A4B6183DDE08FDE4AD9AF647A702826"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,e5,6e,25,9b,4c,72,7a,40,96,a6,4f,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(700)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(21000)
c:\windows\system32\webcheck.dll
c:\windows\system32\IEFRAME.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
.
Completion time: 2009-08-07 0:38
ComboFix-quarantined-files.txt 2009-08-07 05:38
ComboFix2.txt 2009-08-07 05:34

Pre-Run: 13,792,256,000 bytes free
Post-Run: 13,785,976,832 bytes free

110

Re: Internet jede ale tak napul.

Napsal: 07 srp 2009 02:24
od Damned
Otevři si Poznámkový blok (Start -> Spustit... a napiš do okna Notepad a dej Ok).
Zkopíruj do něj následující celý text označený zeleně:

File::
c:\windows\system32\emptyregdb.dat
E:\NTGLM7X.sys

Driver::
SetupNTGLM7X;SetupNTGLM7X
SetupNTGLM7X



Zvol možnost Soubor -> Uložit jako... a nastav tyto parametry:
Název souboru: zde napiš: CFScript.txt
Uložit jako typ: tak tam vyber Všechny soubory
Ulož soubor na plochu.
Ukonči všechna aktivní okna.


Uchop myší vytvořený skript CFScript.txt, přemísti ho nad stažený program ComboFix.exe
a když se oba soubory překryjí, skript upusť.
Obrázek

- Automaticky se spustí ComboFix
- Vlož sem log, který vyběhne v závěru čistícího procesu + nový log z HJT a popiš chování počítače

Re: Internet jede ale tak napul.

Napsal: 07 srp 2009 13:05
od Cerb
ComboFix 09-08-06.01 - Administrator 08/07/2009 12:54.3.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.745 [GMT -5:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt

FILE ::
"c:\windows\system32\emptyregdb.dat"
"E:\NTGLM7X.sys"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\emptyregdb.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_SETUPNTGLM7X
-------\Service_SetupNTGLM7X


((((((((((((((((((((((((( Files Created from 2009-07-07 to 2009-08-07 )))))))))))))))))))))))))))))))
.

2009-08-07 05:56 . 2009-08-07 05:57 -------- d-----w- c:\documents and settings\Administrator\Application Data\BSplayer
2009-08-07 04:34 . 2009-08-07 04:34 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-08-07 04:34 . 2009-08-03 18:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-07 04:33 . 2009-08-07 04:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-07 04:33 . 2009-08-03 18:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-07 04:33 . 2009-08-07 04:34 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-06 23:02 . 2009-08-06 23:02 -------- d-----w- c:\program files\Trend Micro
2009-08-06 22:51 . 2009-08-06 22:51 -------- d-----w- c:\program files\Common Files\SourceTec
2009-08-06 21:52 . 2003-12-13 05:40 202763 ----a-w- c:\windows\system32\dllcache\uxtheme.dll
2009-08-06 21:48 . 2009-08-06 21:48 -------- d-----w- c:\windows\system32\Lang
2009-08-06 21:44 . 2009-08-06 21:44 -------- d-----w- c:\program files\Realtek
2009-08-06 21:44 . 2009-08-06 21:44 315392 ----a-w- c:\windows\HideWin.exe
2009-08-06 21:44 . 2008-03-05 10:07 520192 ------r- c:\windows\RtlExUpd.dll
2009-08-06 21:44 . 2009-08-06 21:44 -------- dc----w- c:\windows\system32\DRVSTORE
2009-08-06 21:44 . 2006-07-02 03:39 36864 ----a-w- c:\windows\system32\drivers\AmdK8.sys
2009-08-06 21:44 . 2009-08-06 21:44 -------- d-----w- c:\program files\AMD
2009-08-06 21:44 . 2009-08-06 21:44 -------- d-----w- c:\documents and settings\Administrator\Application Data\InstallShield
2009-08-06 21:18 . 2009-02-05 20:06 23152 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-08-06 21:18 . 2009-02-05 20:06 51376 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-08-06 21:18 . 2009-02-05 20:05 26944 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2009-08-06 21:18 . 2009-02-05 20:08 93296 ----a-w- c:\windows\system32\drivers\aswmon.sys
2009-08-06 21:18 . 2009-02-05 20:08 94032 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2009-08-06 21:18 . 2009-02-05 20:07 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-08-06 21:18 . 2009-02-05 20:07 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2009-08-06 21:18 . 2009-02-05 20:04 97480 ----a-w- c:\windows\system32\AvastSS.scr
2009-08-06 21:17 . 2009-02-05 20:11 1256296 ----a-w- c:\windows\system32\aswBoot.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-07 05:53 . 2009-08-07 05:53 -------- d-----w- c:\program files\microsoft frontpage
2009-08-06 21:44 . 2009-08-06 20:38 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-08-06 21:44 . 2009-08-06 20:37 -------- d-----w- c:\program files\Common Files\InstallShield
2009-08-06 20:54 . 2009-08-06 20:54 0 ----a-w- c:\windows\nsreg.dat
2009-08-06 20:52 . 2009-08-06 20:51 -------- d-----w- c:\documents and settings\Administrator\Application Data\Ventrilo
2009-08-06 20:39 . 2009-08-06 20:39 0 ----a-w- c:\windows\ativpsrm.bin
.

------- Sigcheck -------

[-] 2008-09-13 22:22 361600 CBEEBEB899E31EF52B962CB31FC8CA5C c:\windows\system32\drivers\tcpip.sys



.
((((((((((((((((((((((((((((( SnapShot@2009-08-07_05.33.51 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-08-07 17:57 . 2009-08-07 17:57 16384 c:\windows\Temp\Perflib_Perfdata_5fc.dat
+ 2009-08-07 17:45 . 2009-08-07 17:45 16384 c:\windows\Temp\Perflib_Perfdata_5f8.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="d:\progra~1\ALWILS~1\AVAST4~1\ashDisp.exe" [2009-02-05 81000]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)
"NoSMMyPictures"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)
"ForceClassicControlPanel"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoSMMyPictures"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [8/6/2009 4:18 PM 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [8/6/2009 4:18 PM 20560]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-07 12:57
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-448539723-179605362-682003330-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"659BD8E725A05FDCC64118EA787EAA2B534A94FABE"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,e5,6e,25,9b,4c,72,7a,40,96,a6,4f,\
"3A77B377802A4B6183DDE08FDE4AD9AF647A702826"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,e5,6e,25,9b,4c,72,7a,40,96,a6,4f,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(704)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(2436)
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
d:\program files\Alwil Software\Avast4pro\aswUpdSv.exe
d:\program files\Alwil Software\Avast4pro\ashServ.exe
d:\program files\Alwil Software\Avast4pro\ashMaiSv.exe
d:\program files\Alwil Software\Avast4pro\ashWebSv.exe
c:\windows\system32\imapi.exe
.
**************************************************************************
.
Completion time: 2009-08-07 12:58 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-07 17:58
ComboFix2.txt 2009-08-07 05:38
ComboFix3.txt 2009-08-07 05:34

Pre-Run: 13,759,811,584 bytes free
Post-Run: 13,709,193,216 bytes free

140





Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:03:28 PM, on 8/7/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18241)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
D:\Program Files\Alwil Software\Avast4pro\aswUpdSv.exe
D:\Program Files\Alwil Software\Avast4pro\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
D:\PROGRA~1\ALWILS~1\AVAST4~1\ashDisp.exe
D:\Program Files\Alwil Software\Avast4pro\ashMaiSv.exe
D:\Program Files\Alwil Software\Avast4pro\ashWebSv.exe
D:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O4 - HKLM\..\Run: [avast!] D:\PROGRA~1\ALWILS~1\AVAST4~1\ashDisp.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - D:\Program Files\Alwil Software\Avast4pro\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - D:\Program Files\Alwil Software\Avast4pro\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - D:\Program Files\Alwil Software\Avast4pro\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - D:\Program Files\Alwil Software\Avast4pro\ashWebSv.exe
O23 - Service: CiSvc - Unknown owner - C:\WINDOWS\system32\cisvc.exe (file missing)

--
End of file - 2054 bytes




Chovani pocitace se nijak nezmenilo porad ten stejny problem.Jen nekdy aby mi fungoval internet jako normalni prohlizec tak musim restartovat PC.

Re: Internet jede ale tak napul.

Napsal: 07 srp 2009 18:27
od Damned
Otevři si Poznámkový blok (Start -> Spustit... a napiš do okna Notepad a dej Ok).
Zkopíruj do něj následující celý text označený zeleně:

Folder::
c:\documents and settings\Administrator\Application Data\BSplayer
C:\Program Files\Webteh

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"=-
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"=-
"NoSMMyPictures"=-
"NoSMConfigurePrograms"=-
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"=-
"ForceClassicControlPanel"=-
"NoResolveTrack"=-
"NoSMMyPictures"=-
"NoSMConfigurePrograms"=-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableUnicastResponsesToMulticastBroadcast"=-




Zvol možnost Soubor -> Uložit jako... a nastav tyto parametry:
Název souboru: zde napiš: CFScript.txt
Uložit jako typ: tak tam vyber Všechny soubory
Ulož soubor na plochu.
Ukonči všechna aktivní okna.


Uchop myší vytvořený skript CFScript.txt, přemísti ho nad stažený program ComboFix.exe
a když se oba soubory překryjí, skript upusť.
Obrázek

- Automaticky se spustí ComboFix
- Vlož sem log, který vyběhne v závěru čistícího procesu
*****************************************************************************************************************************************
Stáhni si RSIT, klikni na "Continue" a nech ho provést sken.
Za chvíli se vygeneruje log se jménem log.txt (pokud nebude log vygenerován, najdeš jej v C:\rsit\log.txt); jeho obsah mi sem zkopíruj.

Re: Internet jede ale tak napul.

Napsal: 07 srp 2009 19:14
od Cerb
Jeste predtim nez si odepsal tak jsem naformatoval cely HDD nainstalovat novy win v domneni ze se problemy vyresi ale nevyresily doufam ze jsem nenadelal vice skody nez uzitku zjistil jsem ze to co mi zpusobuje tyto problemy je vir DNS changer nedari se mi ho zbavit i kdyz ho v offline modu vymazu pres MBAM tak hned jak zapnu internet tak ho mam zas a kdyz se uz ho zbavim tak mi nejde internet tak dam repair na moje pripojeni internet se sice rozjede ale DNS changer mam zas.Tak jsem davam novy log z MBAM,Combo fix a RSIT.

Malwarebytes' Anti-Malware 1.40
Database version: 2551
Windows 5.1.2600 Service Pack 3

7.8.2009 19:08:34
MBAM_log.txt

Scan type: Quick Scan
Objects scanned: 88239
Time elapsed: 59 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 4
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.224 85.255.112.64 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{758cd463-497d-4e8b-94c2-508262794d3c}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.224 85.255.112.64 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.224 85.255.112.64 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{758cd463-497d-4e8b-94c2-508262794d3c}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.224 85.255.112.64 -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


----------------------------------------------------------------------------------------------------------------------------------------

info.txt logfile of random's system information tool 1.06 2009-08-07 19:09:31

======Uninstall list======

-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Flash Player 10 ActiveX-->C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
AMD Processor Driver-->C:\Program Files\InstallShield Installation Information\{C151CE54-E7EA-4804-854B-F515368B0798}\setup.exe -runfromtemp -l0x0009 -removeonly
ATI Display Driver-->rundll32 C:\WINDOWS\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
Google Toolbar for Internet Explorer-->"C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarManager_9DE96A29E721D90A.exe" /uninstall
Google Toolbar for Internet Explorer-->MsiExec.exe /I{18455581-E099-4BA8-BC6B-F34B2F06600C}
HijackThis 2.0.2-->"C:\Program Files\trend micro\HijackThis.exe" /uninstall
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
QIP 2005 8090-->"D:\Program Files\QIP\unins000.exe"
Realtek High Definition Audio Driver-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}\Setup.exe" -l0x9 -removeonly
VentriloMIX-->D:\Program Files\VentriloMIX\Uninstal.exe

======System event log======

Computer Name: EXPERIEN-511322
Event Code: 7009
Message: Timeout (30000 milliseconds) waiting for the PEVSystemStart service to connect.

Record Number: 170
Source Name: Service Control Manager
Time Written: 20090807172902.000000+060
Event Type: error
User:

Computer Name: EXPERIEN-511322
Event Code: 7009
Message: Timeout (30000 milliseconds) waiting for the PEVSystemStart service to connect.

Record Number: 169
Source Name: Service Control Manager
Time Written: 20090807172901.000000+060
Event Type: error
User:

Computer Name: EXPERIEN-511322
Event Code: 7009
Message: Timeout (30000 milliseconds) waiting for the PEVSystemStart service to connect.

Record Number: 168
Source Name: Service Control Manager
Time Written: 20090807172742.000000+060
Event Type: error
User:

Computer Name: EXPERIEN-511322
Event Code: 7000
Message: The MSICPL service failed to start due to the following error:
The system cannot find the file specified.


Record Number: 138
Source Name: Service Control Manager
Time Written: 20090807171017.000000+060
Event Type: error
User:

Computer Name: EXPERIEN-511322
Event Code: 7000
Message: The MSICPL service failed to start due to the following error:
The system cannot find the file specified.


Record Number: 137
Source Name: Service Control Manager
Time Written: 20090807171017.000000+060
Event Type: error
User:

=====Application event log=====

Computer Name: EXPERIEN-511322
Event Code: 5603
Message: A provider, Rsop Planning Mode Provider, has been registered in the WMI namespace, root\RSOP, but did not specify the HostingModel property. This provider will be run using the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests. Ensure that provider has been reviewed for security behavior and update the HostingModel property of the provider registration to an account with the least privileges possible for the required functionality.

Record Number: 15
Source Name: WinMgmt
Time Written: 20090807163646.000000+060
Event Type: warning
User: NT AUTHORITY\SYSTEM

Computer Name: EXPERIEN-511322
Event Code: 5603
Message: A provider, Rsop Planning Mode Provider, has been registered in the WMI namespace, root\RSOP, but did not specify the HostingModel property. This provider will be run using the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests. Ensure that provider has been reviewed for security behavior and update the HostingModel property of the provider registration to an account with the least privileges possible for the required functionality.

Record Number: 14
Source Name: WinMgmt
Time Written: 20090807163646.000000+060
Event Type: warning
User: NT AUTHORITY\SYSTEM

Computer Name: EXPERIEN-511322
Event Code: 63
Message: A provider, CmdTriggerConsumer, has been registered in the WMI namespace, Root\cimv2, to use the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests.

Record Number: 13
Source Name: WinMgmt
Time Written: 20090807163646.000000+060
Event Type: warning
User: NT AUTHORITY\SYSTEM

Computer Name: EXPERIEN-511322
Event Code: 63
Message: A provider, CmdTriggerConsumer, has been registered in the WMI namespace, Root\cimv2, to use the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests.

Record Number: 12
Source Name: WinMgmt
Time Written: 20090807163646.000000+060
Event Type: warning
User: NT AUTHORITY\SYSTEM

Computer Name: EXPERIEN-511322
Event Code: 63
Message: A provider, HiPerfCooker_v1, has been registered in the WMI namespace, Root\WMI, to use the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests.

Record Number: 11
Source Name: WinMgmt
Time Written: 20090807163644.000000+060
Event Type: warning
User: NT AUTHORITY\SYSTEM

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem
"windir"=%SystemRoot%
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=15
"PROCESSOR_IDENTIFIER"=x86 Family 15 Model 75 Stepping 2, AuthenticAMD
"PROCESSOR_REVISION"=4b02
"NUMBER_OF_PROCESSORS"=2
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"DEVMGR_SHOW_DETAILS"=1
"DEVMGR_SHOW_NONPRESENT_DEVICES"=1

-----------------EOF-----------------

------------------------------------------------------------------------------------------------------------------------------------


Logfile of random's system information tool 1.06 (written by random/random)
Run by Administrator at 2009-08-07 19:09:25
Microsoft Windows XP Professional Service Pack 3
System drive C: has 22 GB (89%) free of 25 GB
Total RAM: 1023 MB (64% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:09:30, on 7.8.2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5508)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Administrator\Desktop\RSIT.exe
C:\Program Files\trend micro\Administrator.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

--
End of file - 3200 bytes

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
Google Toolbar Helper - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll [2009-08-07 259696]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
Google Toolbar Notifier BHO - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll [2009-08-07 668656]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C84D72FE-E17D-4195-BB24-76C02E2E7C4E}]
Google Dictionary Compression sdch - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll [2009-08-07 470512]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{2318C2B1-4965-11d4-9B18-009027A5CD4F} - Google Toolbar - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll [2009-08-07 259696]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"=C:\WINDOWS\RTHDCPL.EXE [2008-04-10 16861184]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"swg"=C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [2009-08-07 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
C:\WINDOWS\system32\Ati2evxx.dll [2008-02-26 126976]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"DisableCAD"=1
"DisableStatusMessages"=0

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=323
"NoResolveTrack"=1
"NoResolveSearch"=1
"NoSMConfigurePrograms"=1
"MemCheckBoxInRunDlg"=1
"NoSharedDocuments"=1
"NoDriveAutoRun"=67108863
"NoDrives"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"MemCheckBoxInRunDlg"=
"StartMenuFavorites"=
"Start_ShowMyComputer"=
"Start_ShowMyDocs"=
"Start_ShowMyMusic"=
"Start_ShowRun"=
"Start_ShowSearch"=
"NoDriveAutoRun"=
"NoDriveTypeAutoRun"=
"NoDrives"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

======List of files/folders created in the last 3 months======

2009-08-07 19:09:25 ----D---- C:\rsit
2009-08-07 19:09:25 ----D---- C:\Program Files\trend micro
2009-08-07 19:03:39 ----D---- C:\WINDOWS\temp
2009-08-07 19:03:38 ----A---- C:\ComboFix.txt
2009-08-07 18:03:41 ----A---- C:\WINDOWS\ntbtlog.txt
2009-08-07 17:51:40 ----D---- C:\Documents and Settings\Administrator\Application Data\Macromedia
2009-08-07 17:51:38 ----D---- C:\Documents and Settings\Administrator\Application Data\Google
2009-08-07 17:51:38 ----D---- C:\Documents and Settings\Administrator\Application Data\Adobe
2009-08-07 17:51:31 ----D---- C:\Program Files\Google
2009-08-07 17:51:31 ----D---- C:\Documents and Settings\All Users.WINDOWS\Application Data\Google
2009-08-07 17:51:21 ----D---- C:\Program Files\NOS
2009-08-07 17:51:21 ----D---- C:\Documents and Settings\All Users.WINDOWS\Application Data\NOS
2009-08-07 17:39:24 ----D---- C:\WINDOWS\system32\xircom
2009-08-07 17:39:24 ----D---- C:\Program Files\xerox
2009-08-07 17:39:24 ----D---- C:\Program Files\microsoft frontpage
2009-08-07 17:34:27 ----A---- C:\WINDOWS\system32\h323log.txt
2009-08-07 17:34:09 ----A---- C:\WINDOWS\system32\hidserv.dll
2009-08-07 17:32:58 ----A---- C:\WINDOWS\system32\usbui.dll
2009-08-07 17:31:45 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2009-08-07 17:31:44 ----A---- C:\WINDOWS\ODBCINST.INI
2009-08-07 17:31:40 ----RA---- C:\WINDOWS\system32\kbdtuq.dll
2009-08-07 17:31:40 ----RA---- C:\WINDOWS\system32\kbdtuf.dll
2009-08-07 17:31:40 ----RA---- C:\WINDOWS\system32\kbdazel.dll
2009-08-07 17:31:38 ----RA---- C:\WINDOWS\system32\kbdycc.dll
2009-08-07 17:31:38 ----RA---- C:\WINDOWS\system32\kbduzb.dll
2009-08-07 17:31:38 ----RA---- C:\WINDOWS\system32\kbdur.dll
2009-08-07 17:31:38 ----RA---- C:\WINDOWS\system32\kbdtat.dll
2009-08-07 17:31:38 ----RA---- C:\WINDOWS\system32\kbdru1.dll
2009-08-07 17:31:38 ----RA---- C:\WINDOWS\system32\kbdru.dll
2009-08-07 17:31:38 ----RA---- C:\WINDOWS\system32\kbdmon.dll
2009-08-07 17:31:38 ----RA---- C:\WINDOWS\system32\kbdkyr.dll
2009-08-07 17:31:38 ----RA---- C:\WINDOWS\system32\kbdkaz.dll
2009-08-07 17:31:38 ----RA---- C:\WINDOWS\system32\kbdbu.dll
2009-08-07 17:31:38 ----RA---- C:\WINDOWS\system32\kbdblr.dll
2009-08-07 17:31:38 ----RA---- C:\WINDOWS\system32\kbdaze.dll
2009-08-07 17:31:36 ----RA---- C:\WINDOWS\system32\kbdhept.dll
2009-08-07 17:31:36 ----RA---- C:\WINDOWS\system32\kbdhela3.dll
2009-08-07 17:31:36 ----RA---- C:\WINDOWS\system32\kbdhela2.dll
2009-08-07 17:31:36 ----RA---- C:\WINDOWS\system32\kbdhe319.dll
2009-08-07 17:31:36 ----RA---- C:\WINDOWS\system32\kbdhe220.dll
2009-08-07 17:31:36 ----RA---- C:\WINDOWS\system32\kbdhe.dll
2009-08-07 17:31:36 ----RA---- C:\WINDOWS\system32\kbdgkl.dll
2009-08-07 17:31:35 ----RA---- C:\WINDOWS\system32\kbdlv1.dll
2009-08-07 17:31:35 ----RA---- C:\WINDOWS\system32\kbdlv.dll
2009-08-07 17:31:35 ----RA---- C:\WINDOWS\system32\kbdlt1.dll
2009-08-07 17:31:35 ----RA---- C:\WINDOWS\system32\kbdlt.dll
2009-08-07 17:31:35 ----RA---- C:\WINDOWS\system32\kbdest.dll
2009-08-07 17:31:33 ----RA---- C:\WINDOWS\system32\kbdycl.dll
2009-08-07 17:31:33 ----RA---- C:\WINDOWS\system32\kbdsl1.dll
2009-08-07 17:31:33 ----RA---- C:\WINDOWS\system32\kbdsl.dll
2009-08-07 17:31:33 ----RA---- C:\WINDOWS\system32\kbdro.dll
2009-08-07 17:31:33 ----RA---- C:\WINDOWS\system32\kbdpl1.dll
2009-08-07 17:31:33 ----RA---- C:\WINDOWS\system32\kbdpl.dll
2009-08-07 17:31:33 ----RA---- C:\WINDOWS\system32\kbdhu1.dll
2009-08-07 17:31:33 ----RA---- C:\WINDOWS\system32\kbdhu.dll
2009-08-07 17:31:33 ----RA---- C:\WINDOWS\system32\kbdcz2.dll
2009-08-07 17:31:33 ----RA---- C:\WINDOWS\system32\kbdcz1.dll
2009-08-07 17:31:33 ----RA---- C:\WINDOWS\system32\kbdcz.dll
2009-08-07 17:31:33 ----RA---- C:\WINDOWS\system32\kbdcr.dll
2009-08-07 17:31:33 ----RA---- C:\WINDOWS\system32\KBDAL.DLL
2009-08-07 17:31:29 ----A---- C:\WINDOWS\system32\irclass.dll
2009-08-07 17:31:28 ----A---- C:\WINDOWS\system32\spxcoins.dll
2009-08-07 17:31:28 ----A---- C:\WINDOWS\system32\EqnClass.Dll
2009-08-07 17:31:28 ----A---- C:\WINDOWS\system32\dgsetup.dll
2009-08-07 17:31:28 ----A---- C:\WINDOWS\system32\dgrpsetu.dll
2009-08-07 17:31:26 ----N---- C:\WINDOWS\system32\CONFIG.TMP
2009-08-07 17:31:26 ----A---- C:\WINDOWS\TASKMAN.EXE
2009-08-07 17:31:26 ----A---- C:\WINDOWS\system32\batt.dll
2009-08-07 17:31:25 ----A---- C:\WINDOWS\NOTEPAD.EXE
2009-08-07 17:31:22 ----A---- C:\WINDOWS\system32\storprop.dll
2009-08-07 17:31:15 ----ASH---- C:\Documents and Settings\All Users.WINDOWS\Application Data\desktop.ini
2009-08-07 17:30:20 ----D---- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2009-08-07 17:30:16 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-08-07 17:30:16 ----D---- C:\Documents and Settings\All Users.WINDOWS\Application Data\Malwarebytes
2009-08-07 17:29:31 ----RA---- C:\WINDOWS\SET8.tmp
2009-08-07 17:29:28 ----RA---- C:\WINDOWS\SET4.tmp
2009-08-07 17:29:26 ----RA---- C:\WINDOWS\SET3.tmp
2009-08-07 17:29:15 ----SD---- C:\Documents and Settings\All Users.WINDOWS\Application Data\Microsoft
2009-08-07 17:28:13 ----A---- C:\WINDOWS\setuplog.txt
2009-08-07 17:28:13 ----A---- C:\pmtimer.exe
2009-08-07 17:28:13 ----A---- C:\mute.exe
2009-08-07 17:28:13 ----A---- C:\makePNF.exe
2009-08-07 17:28:13 ----A---- C:\DSPdsblr.exe
2009-08-07 17:28:13 ----A---- C:\DPsFnshr.ini
2009-08-07 17:28:13 ----A---- C:\DPsFnshr.exe
2009-08-07 17:28:13 ----A---- C:\devcon.exe
2009-08-07 17:27:40 ----A---- C:\DriverPack_MassStorage_wnt5_x86-32.ini
2009-08-07 17:27:40 ----A---- C:\DriverPack_CPU_wnt5_x86-32.ini
2009-08-07 17:27:39 ----D---- C:\D
2009-08-07 17:27:36 ----A---- C:\Boot.bak
2009-08-07 17:27:35 ----RASHD---- C:\cmdcons
2009-08-07 17:26:45 ----A---- C:\WINDOWS\zip.exe
2009-08-07 17:26:45 ----A---- C:\WINDOWS\SWXCACLS.exe
2009-08-07 17:26:45 ----A---- C:\WINDOWS\SWSC.exe
2009-08-07 17:26:45 ----A---- C:\WINDOWS\SWREG.exe
2009-08-07 17:26:45 ----A---- C:\WINDOWS\sed.exe
2009-08-07 17:26:45 ----A---- C:\WINDOWS\PEV.exe
2009-08-07 17:26:45 ----A---- C:\WINDOWS\NIRCMD.exe
2009-08-07 17:26:45 ----A---- C:\WINDOWS\grep.exe
2009-08-07 17:26:40 ----D---- C:\WINDOWS\ERDNT
2009-08-07 17:26:38 ----D---- C:\Qoobox
2009-08-07 17:20:34 ----D---- C:\Documents and Settings\Administrator\Application Data\Ventrilo
2009-08-07 17:18:16 ----D---- C:\WINDOWS\system32\Lang
2009-08-07 17:14:32 ----R---- C:\WINDOWS\system32\ChCfg.exe
2009-08-07 17:14:16 ----D---- C:\WINDOWS\system32\RTCOM
2009-08-07 17:14:15 ----A---- C:\WINDOWS\system32\ksuser.dll
2009-08-07 17:14:11 ----R---- C:\WINDOWS\SoundMan.exe
2009-08-07 17:14:10 ----R---- C:\WINDOWS\SkyTel.exe
2009-08-07 17:14:08 ----R---- C:\WINDOWS\RtlUpd.exe
2009-08-07 17:14:03 ----R---- C:\WINDOWS\RTLCPL.exe
2009-08-07 17:13:50 ----R---- C:\WINDOWS\RTHDCPL.exe
2009-08-07 17:13:49 ----R---- C:\WINDOWS\MicCal.exe
2009-08-07 17:13:46 ----R---- C:\WINDOWS\Alcmtr.exe
2009-08-07 17:13:44 ----R---- C:\WINDOWS\alcwzrd.exe
2009-08-07 17:13:43 ----D---- C:\Program Files\Realtek
2009-08-07 17:12:42 ----R---- C:\WINDOWS\RtlExUpd.dll
2009-08-07 17:12:42 ----A---- C:\WINDOWS\HideWin.exe
2009-08-07 17:12:24 ----DC---- C:\WINDOWS\system32\DRVSTORE
2009-08-07 17:12:21 ----D---- C:\Program Files\AMD
2009-08-07 17:11:40 ----D---- C:\Documents and Settings\Administrator\Application Data\InstallShield
2009-08-07 17:11:16 ----RA---- C:\WINDOWS\system32\nvusmb.exe
2009-08-07 17:11:15 ----D---- C:\WINDOWS\system32\ReinstallBackups
2009-08-07 17:11:09 ----A---- C:\WINDOWS\system32\NVUNINST.EXE
2009-08-07 17:05:31 ----SHD---- C:\WINDOWS\Installer
2009-08-07 17:05:30 ----D---- C:\Program Files\Common Files\ODBC
2009-08-07 17:05:27 ----D---- C:\Program Files\Common Files\SpeechEngines
2009-08-07 17:05:26 ----RD---- C:\Program Files
2009-08-07 17:05:26 ----D---- C:\Program Files\Common Files\Microsoft Shared
2009-08-07 17:05:26 ----D---- C:\Program Files\Common Files
2009-08-07 17:03:03 ----D---- C:\WINDOWS\system32\CatRoot2
2009-08-07 17:03:03 ----D---- C:\WINDOWS\system32\CatRoot
2009-08-07 17:02:37 ----SHD---- C:\System Volume Information
2009-08-07 17:02:37 ----D---- C:\Documents and Settings
2009-08-07 17:01:43 ----RASH---- C:\boot.ini
2009-08-07 16:57:26 ----SD---- C:\WINDOWS\Downloaded Program Files
2009-08-07 16:57:26 ----RSD---- C:\WINDOWS\Fonts
2009-08-07 16:57:26 ----RD---- C:\WINDOWS\Web
2009-08-07 16:57:26 ----RD---- C:\WINDOWS\Offline Web Pages
2009-08-07 16:57:26 ----HD---- C:\WINDOWS\inf
2009-08-07 16:57:26 ----D---- C:\WINDOWS\WinSxS
2009-08-07 16:57:26 ----D---- C:\WINDOWS\WBEM
2009-08-07 16:57:26 ----D---- C:\WINDOWS\twain_32
2009-08-07 16:57:26 ----D---- C:\WINDOWS\system32\wins
2009-08-07 16:57:26 ----D---- C:\WINDOWS\system32\wbem
2009-08-07 16:57:26 ----D---- C:\WINDOWS\system32\usmt
2009-08-07 16:57:26 ----D---- C:\WINDOWS\system32\spool
2009-08-07 16:57:26 ----D---- C:\WINDOWS\system32\ShellExt
2009-08-07 16:57:26 ----D---- C:\WINDOWS\system32\Setup
2009-08-07 16:57:26 ----D---- C:\WINDOWS\system32\scripting
2009-08-07 16:57:26 ----D---- C:\WINDOWS\system32\ras
2009-08-07 16:57:26 ----D---- C:\WINDOWS\system32\oobe
2009-08-07 16:57:26 ----D---- C:\WINDOWS\system32\npp
2009-08-07 16:57:26 ----D---- C:\WINDOWS\system32\mui
2009-08-07 16:57:26 ----D---- C:\WINDOWS\system32\inetsrv
2009-08-07 16:57:26 ----D---- C:\WINDOWS\system32\IME
2009-08-07 16:57:26 ----D---- C:\WINDOWS\system32\icsxml
2009-08-07 16:57:26 ----D---- C:\WINDOWS\system32\ias
2009-08-07 16:57:26 ----D---- C:\WINDOWS\system32\export
2009-08-07 16:57:26 ----D---- C:\WINDOWS\system32\en-US
2009-08-07 16:57:26 ----D---- C:\WINDOWS\system32\en
2009-08-07 16:57:26 ----D---- C:\WINDOWS\system32\drivers
2009-08-07 16:57:26 ----D---- C:\WINDOWS\system32\dhcp
2009-08-07 16:57:26 ----D---- C:\WINDOWS\system32\config
2009-08-07 16:57:26 ----D---- C:\WINDOWS\system32\3com_dmi
2009-08-07 16:57:26 ----D---- C:\WINDOWS\system32\3076
2009-08-07 16:57:26 ----D---- C:\WINDOWS\system32\2052
2009-08-07 16:57:26 ----D---- C:\WINDOWS\system32\1054
2009-08-07 16:57:26 ----D---- C:\WINDOWS\system32\1042
2009-08-07 16:57:26 ----D---- C:\WINDOWS\system32\1041
2009-08-07 16:57:26 ----D---- C:\WINDOWS\system32\1037
2009-08-07 16:57:26 ----D---- C:\WINDOWS\system32\1033
2009-08-07 16:57:26 ----D---- C:\WINDOWS\system32\1031
2009-08-07 16:57:26 ----D---- C:\WINDOWS\system32\1028
2009-08-07 16:57:26 ----D---- C:\WINDOWS\system32\1025
2009-08-07 16:57:26 ----D---- C:\WINDOWS\system32
2009-08-07 16:57:26 ----D---- C:\WINDOWS\system
2009-08-07 16:57:26 ----D---- C:\WINDOWS\security
2009-08-07 16:57:26 ----D---- C:\WINDOWS\Resources
2009-08-07 16:57:26 ----D---- C:\WINDOWS\repair
2009-08-07 16:57:26 ----D---- C:\WINDOWS\Provisioning
2009-08-07 16:57:26 ----D---- C:\WINDOWS\pchealth
2009-08-07 16:57:26 ----D---- C:\WINDOWS\PeerNet
2009-08-07 16:57:26 ----D---- C:\WINDOWS\Network Diagnostic
2009-08-07 16:57:26 ----D---- C:\WINDOWS\mui
2009-08-07 16:57:26 ----D---- C:\WINDOWS\msapps
2009-08-07 16:57:26 ----D---- C:\WINDOWS\msagent
2009-08-07 16:57:26 ----D---- C:\WINDOWS\Media
2009-08-07 16:57:26 ----D---- C:\WINDOWS\L2Schemas
2009-08-07 16:57:26 ----D---- C:\WINDOWS\java
2009-08-07 16:57:26 ----D---- C:\WINDOWS\ime
2009-08-07 16:57:26 ----D---- C:\WINDOWS\Help
2009-08-07 16:57:26 ----D---- C:\WINDOWS\ehome
2009-08-07 16:57:26 ----D---- C:\WINDOWS\Driver Cache
2009-08-07 16:57:26 ----D---- C:\WINDOWS\Debug
2009-08-07 16:57:26 ----D---- C:\WINDOWS\Cursors
2009-08-07 16:57:26 ----D---- C:\WINDOWS\Connection Wizard
2009-08-07 16:57:26 ----D---- C:\WINDOWS\Config
2009-08-07 16:57:26 ----D---- C:\WINDOWS\AppPatch
2009-08-07 16:57:26 ----D---- C:\WINDOWS\addins
2009-08-07 16:57:26 ----D---- C:\WINDOWS
2009-08-07 16:45:24 ----N---- C:\WINDOWS\system32\ati2sgag.exe
2009-08-07 16:45:15 ----HD---- C:\Program Files\InstallShield Installation Information
2009-08-07 16:45:07 ----D---- C:\Program Files\Common Files\InstallShield
2009-08-07 16:45:04 ----D---- C:\ATI
2009-08-07 16:40:59 ----D---- C:\Documents and Settings\Administrator\Application Data\Identities
2009-08-07 16:40:58 ----HD---- C:\Program Files\Uninstall Information
2009-08-07 16:40:47 ----SD---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2009-08-07 16:40:47 ----ASH---- C:\Documents and Settings\Administrator\Application Data\desktop.ini
2009-08-07 16:40:44 ----D---- C:\WINDOWS\SoftwareDistribution
2009-08-07 16:40:43 ----D---- C:\WINDOWS\Prefetch
2009-08-07 16:40:42 ----SD---- C:\WINDOWS\system32\Microsoft
2009-08-07 16:40:42 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-08-07 16:39:22 ----A---- C:\WINDOWS\control.ini
2009-08-07 16:39:22 ----A---- C:\AUTOEXEC.BAT
2009-08-07 16:39:13 ----A---- C:\WINDOWS\OEWABLog.txt
2009-08-07 16:39:09 ----D---- C:\WINDOWS\system32\dllcache
2009-08-07 16:39:09 ----A---- C:\WINDOWS\system32\mapi32.dll
2009-08-07 16:38:23 ----RAH---- C:\WINDOWS\system32\logonui.exe.manifest
2009-08-07 16:38:17 ----RAH---- C:\WINDOWS\system32\cdplayer.exe.manifest
2009-08-07 16:38:14 ----HD---- C:\Program Files\WindowsUpdate
2009-08-07 16:37:55 ----D---- C:\WINDOWS\system32\DirectX
2009-08-07 16:37:50 ----A---- C:\WINDOWS\system32\atrace.dll
2009-08-07 16:37:48 ----A---- C:\WINDOWS\system32\desktop.ini
2009-08-07 16:37:48 ----A---- C:\WINDOWS\desktop.ini
2009-08-07 16:37:42 ----A---- C:\WINDOWS\system32\nmevtmsg.dll
2009-08-07 16:37:41 ----A---- C:\WINDOWS\system32\acctres.dll
2009-08-07 16:37:40 ----D---- C:\Program Files\Common Files\Services
2009-08-07 16:37:38 ----SD---- C:\WINDOWS\Tasks
2009-08-07 16:37:38 ----A---- C:\WINDOWS\system32\icfgnt5.dll
2009-08-07 16:37:37 ----D---- C:\Program Files\Common Files\MSSoap
2009-08-07 16:37:33 ----D---- C:\WINDOWS\system32\Macromed
2009-08-07 16:37:33 ----D---- C:\WINDOWS\srchasst
2009-08-07 16:37:30 ----A---- C:\WINDOWS\system32\wuweb.dll
2009-08-07 16:37:30 ----A---- C:\WINDOWS\system32\wups.dll
2009-08-07 16:37:30 ----A---- C:\WINDOWS\system32\wucltui.dll
2009-08-07 16:37:30 ----A---- C:\WINDOWS\system32\wuauserv.dll
2009-08-07 16:37:30 ----A---- C:\WINDOWS\system32\wuaueng1.dll
2009-08-07 16:37:30 ----A---- C:\WINDOWS\system32\wuaueng.dll
2009-08-07 16:37:30 ----A---- C:\WINDOWS\system32\wuauclt1.exe
2009-08-07 16:37:30 ----A---- C:\WINDOWS\system32\wuauclt.exe
2009-08-07 16:37:30 ----A---- C:\WINDOWS\system32\wuapi.dll
2009-08-07 16:37:30 ----A---- C:\WINDOWS\system32\bitsprx4.dll
2009-08-07 16:37:29 ----A---- C:\WINDOWS\system32\qmgrprxy.dll
2009-08-07 16:37:29 ----A---- C:\WINDOWS\system32\qmgr.dll
2009-08-07 16:37:29 ----A---- C:\WINDOWS\system32\bitsprx3.dll
2009-08-07 16:37:29 ----A---- C:\WINDOWS\system32\bitsprx2.dll
2009-08-07 16:37:26 ----D---- C:\Program Files\Movie Maker
2009-08-07 16:37:10 ----A---- C:\WINDOWS\system32\safrslv.dll
2009-08-07 16:37:10 ----A---- C:\WINDOWS\system32\safrdm.dll
2009-08-07 16:37:10 ----A---- C:\WINDOWS\system32\safrcdlg.dll
2009-08-07 16:37:09 ----A---- C:\WINDOWS\system32\racpldlg.dll
2009-08-07 16:37:07 ----A---- C:\WINDOWS\system32\fltMc.exe
2009-08-07 16:37:07 ----A---- C:\WINDOWS\system32\fltlib.dll
2009-08-07 16:37:06 ----D---- C:\WINDOWS\system32\Restore
2009-08-07 16:37:06 ----A---- C:\WINDOWS\system32\srsvc.dll
2009-08-07 16:37:06 ----A---- C:\WINDOWS\system32\srrstr.dll
2009-08-07 16:37:06 ----A---- C:\WINDOWS\system32\srclient.dll
2009-08-07 16:37:05 ----A---- C:\WINDOWS\system32\nmmkcert.dll
2009-08-07 16:37:05 ----A---- C:\WINDOWS\system32\msconf.dll
2009-08-07 16:37:05 ----A---- C:\WINDOWS\system32\mnmsrvc.exe
2009-08-07 16:37:05 ----A---- C:\WINDOWS\system32\mnmdd.dll
2009-08-07 16:37:05 ----A---- C:\WINDOWS\system32\isrdbg32.dll
2009-08-07 16:37:05 ----A---- C:\WINDOWS\system32\ils.dll
2009-08-07 16:37:03 ----D---- C:\Program Files\NetMeeting
2009-08-07 16:37:02 ----A---- C:\WINDOWS\system32\msoert2.dll
2009-08-07 16:37:02 ----A---- C:\WINDOWS\system32\msoeacct.dll
2009-08-07 16:37:02 ----A---- C:\WINDOWS\system32\inetres.dll
2009-08-07 16:37:01 ----A---- C:\WINDOWS\system32\inetcomm.dll
2009-08-07 16:37:00 ----D---- C:\Program Files\Outlook Express
2009-08-07 16:37:00 ----A---- C:\WINDOWS\system32\schedsvc.dll
2009-08-07 16:37:00 ----A---- C:\WINDOWS\system32\mstinit.exe
2009-08-07 16:37:00 ----A---- C:\WINDOWS\system32\mstask.dll
2009-08-07 16:36:59 ----A---- C:\WINDOWS\system32\isign32.dll
2009-08-07 16:36:59 ----A---- C:\WINDOWS\system32\inetcfg.dll
2009-08-07 16:36:59 ----A---- C:\WINDOWS\system32\icwphbk.dll
2009-08-07 16:36:59 ----A---- C:\WINDOWS\system32\icwdial.dll
2009-08-07 16:36:54 ----D---- C:\Program Files\Common Files\System
2009-08-07 16:36:53 ----D---- C:\Program Files\Internet Explorer
2009-08-07 16:36:23 ----D---- C:\Program Files\ComPlus Applications
2009-08-07 16:36:21 ----A---- C:\WINDOWS\vbaddin.ini
2009-08-07 16:36:21 ----A---- C:\WINDOWS\vb.ini
2009-08-07 16:36:17 ----D---- C:\WINDOWS\Registration
2009-08-07 16:36:10 ----D---- C:\Program Files\Windows Media Player
2009-08-07 16:36:10 ----D---- C:\Program Files\Online Services
2009-08-07 16:36:04 ----D---- C:\Program Files\Messenger
2009-08-07 16:36:01 ----D---- C:\Program Files\MSN Gaming Zone
2009-08-07 16:36:01 ----A---- C:\WINDOWS\system32\write.exe
2009-08-07 16:35:52 ----A---- C:\WINDOWS\system32\sndvol32.exe
2009-08-07 16:35:52 ----A---- C:\WINDOWS\system32\hticons.dll
2009-08-07 16:35:52 ----A---- C:\WINDOWS\system32\avwav.dll
2009-08-07 16:35:52 ----A---- C:\WINDOWS\system32\avtapi.dll
2009-08-07 16:35:52 ----A---- C:\WINDOWS\system32\avmeter.dll
2009-08-07 16:35:51 ----A---- C:\WINDOWS\system32\winchat.exe
2009-08-07 16:35:45 ----A---- C:\WINDOWS\system32\charmap.exe
2009-08-07 16:35:45 ----A---- C:\WINDOWS\system32\getuname.dll
2009-08-07 16:35:45 ----A---- C:\WINDOWS\system32\calc.exe
2009-08-07 16:35:44 ----A---- C:\WINDOWS\system32\winmine.exe
2009-08-07 16:35:44 ----A---- C:\WINDOWS\system32\sol.exe
2009-08-07 16:35:44 ----A---- C:\WINDOWS\system32\reset.exe
2009-08-07 16:35:44 ----A---- C:\WINDOWS\system32\mshearts.exe
2009-08-07 16:35:44 ----A---- C:\WINDOWS\system32\freecell.exe
2009-08-07 16:35:43 ----A---- C:\WINDOWS\system32\usrlogon.cmd
2009-08-07 16:35:43 ----A---- C:\WINDOWS\system32\tsshutdn.exe
2009-08-07 16:35:43 ----A---- C:\WINDOWS\system32\tslabels.ini
2009-08-07 16:35:43 ----A---- C:\WINDOWS\system32\tskill.exe
2009-08-07 16:35:43 ----A---- C:\WINDOWS\system32\tsdiscon.exe
2009-08-07 16:35:43 ----A---- C:\WINDOWS\system32\tscon.exe
2009-08-07 16:35:43 ----A---- C:\WINDOWS\system32\shadow.exe
2009-08-07 16:35:43 ----A---- C:\WINDOWS\system32\rwinsta.exe
2009-08-07 16:35:43 ----A---- C:\WINDOWS\system32\regini.exe
2009-08-07 16:35:43 ----A---- C:\WINDOWS\system32\rdpcfgex.dll
2009-08-07 16:35:43 ----A---- C:\WINDOWS\system32\qwinsta.exe
2009-08-07 16:35:43 ----A---- C:\WINDOWS\system32\qappsrv.exe
2009-08-07 16:35:43 ----A---- C:\WINDOWS\system32\msg.exe
2009-08-07 16:35:42 ----A---- C:\WINDOWS\system32\msdtcprf.ini
2009-08-07 16:35:42 ----A---- C:\WINDOWS\system32\logoff.exe
2009-08-07 16:35:42 ----A---- C:\WINDOWS\system32\cdmodem.dll
2009-08-07 16:35:37 ----A---- C:\WINDOWS\system32\wmimgmt.msc
2009-08-07 16:35:27 ----D---- C:\Program Files\MSN
2009-08-07 16:35:27 ----A---- C:\WINDOWS\system32\sndrec32.exe
2009-08-07 16:35:27 ----A---- C:\WINDOWS\system32\accwiz.exe
2009-08-07 16:35:26 ----D---- C:\Program Files\Windows NT
2009-08-07 16:35:26 ----A---- C:\WINDOWS\system32\mspaint.exe
2009-08-07 16:35:26 ----A---- C:\WINDOWS\system32\mplay32.exe
2009-08-07 16:35:26 ----A---- C:\WINDOWS\system32\hypertrm.dll
2009-08-07 16:35:26 ----A---- C:\WINDOWS\system32\clipbrd.exe
2009-08-07 16:35:25 ----A---- C:\WINDOWS\system32\tscfgwmi.dll
2009-08-07 16:35:25 ----A---- C:\WINDOWS\system32\spider.exe
2009-08-07 16:35:24 ----A---- C:\WINDOWS\system32\tsgqec.dll
2009-08-07 16:35:24 ----A---- C:\WINDOWS\system32\rhttpaa.dll
2009-08-07 16:35:24 ----A---- C:\WINDOWS\system32\mstscax.dll
2009-08-07 16:35:24 ----A---- C:\WINDOWS\system32\mstsc.exe
2009-08-07 16:35:24 ----A---- C:\WINDOWS\system32\aaclient.dll
2009-08-07 16:35:23 ----A---- C:\WINDOWS\system32\termsrv.dll
2009-08-07 16:35:23 ----A---- C:\WINDOWS\system32\sessmgr.exe
2009-08-07 16:35:23 ----A---- C:\WINDOWS\system32\remotepg.dll
2009-08-07 16:35:23 ----A---- C:\WINDOWS\system32\rdshost.exe
2009-08-07 16:35:23 ----A---- C:\WINDOWS\system32\rdsaddin.exe
2009-08-07 16:35:23 ----A---- C:\WINDOWS\system32\rdpwsx.dll
2009-08-07 16:35:23 ----A---- C:\WINDOWS\system32\rdpsnd.dll
2009-08-07 16:35:23 ----A---- C:\WINDOWS\system32\rdpclip.exe
2009-08-07 16:35:23 ----A---- C:\WINDOWS\system32\rdchost.dll
2009-08-07 16:35:23 ----A---- C:\WINDOWS\system32\qprocess.exe
2009-08-07 16:35:23 ----A---- C:\WINDOWS\system32\icaapi.dll
2009-08-07 16:35:22 ----D---- C:\WINDOWS\system32\MsDtc
2009-08-07 16:35:22 ----A---- C:\WINDOWS\system32\xolehlp.dll
2009-08-07 16:35:22 ----A---- C:\WINDOWS\system32\mtxoci.dll
2009-08-07 16:35:22 ----A---- C:\WINDOWS\system32\msdtcuiu.dll
2009-08-07 16:35:22 ----A---- C:\WINDOWS\system32\msdtctm.dll
2009-08-07 16:35:22 ----A---- C:\WINDOWS\system32\msdtcprx.dll
2009-08-07 16:35:22 ----A---- C:\WINDOWS\system32\msdtclog.dll
2009-08-07 16:35:22 ----A---- C:\WINDOWS\system32\cfgbkend.dll
2009-08-07 16:35:21 ----A---- C:\WINDOWS\system32\mtxlegih.dll
2009-08-07 16:35:21 ----A---- C:\WINDOWS\system32\mtxex.dll
2009-08-07 16:35:21 ----A---- C:\WINDOWS\system32\mtxdm.dll
2009-08-07 16:35:21 ----A---- C:\WINDOWS\system32\msdtc.exe
2009-08-07 16:35:21 ----A---- C:\WINDOWS\system32\dcomcnfg.exe
2009-08-07 16:35:20 ----D---- C:\WINDOWS\system32\Com
2009-08-07 16:35:20 ----A---- C:\WINDOWS\system32\stclient.dll
2009-08-07 16:35:20 ----A---- C:\WINDOWS\system32\comrepl.dll
2009-08-07 16:35:20 ----A---- C:\WINDOWS\system32\comaddin.dll
2009-08-07 16:35:20 ----A---- C:\WINDOWS\system32\colbact.dll
2009-08-07 16:35:20 ----A---- C:\WINDOWS\system32\clbcatex.dll
2009-08-07 16:35:20 ----A---- C:\WINDOWS\system32\catsrvut.dll
2009-08-07 16:35:20 ----A---- C:\WINDOWS\system32\catsrvps.dll
2009-08-07 16:35:20 ----A---- C:\WINDOWS\system32\catsrv.dll
2009-08-07 16:35:19 ----A---- C:\WINDOWS\system32\comuid.dll
2009-08-07 16:35:19 ----A---- C:\WINDOWS\system32\comsvcs.dll
2009-08-07 16:35:19 ----A---- C:\WINDOWS\system32\comsnap.dll
2009-08-07 16:35:19 ----A---- C:\WINDOWS\system32\clbcatq.dll
2009-08-07 16:35:14 ----A---- C:\WINDOWS\system32\servdeps.dll
2009-08-07 16:35:13 ----A---- C:\WINDOWS\system32\mmfutil.dll
2009-08-07 16:35:13 ----A---- C:\WINDOWS\system32\licwmi.dll
2009-08-07 16:35:13 ----A---- C:\WINDOWS\system32\cmprops.dll

======List of files/folders modified in the last 3 months======

2009-08-07 19:03:07 ----A---- C:\WINDOWS\system.ini
2009-08-07 16:39:21 ----A---- C:\WINDOWS\win.ini

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 AmdK8;AMD Processor Driver; C:\WINDOWS\system32\DRIVERS\AmdK8.sys [2006-06-19 36864]
R1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2008-05-03 14592]
R3 ati2mtag;ati2mtag; C:\WINDOWS\system32\DRIVERS\ati2mtag.sys [2008-02-26 2863616]
R3 catchme;catchme; \??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\catchme.sys []
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2008-05-03 144384]
R3 hidusb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-05-03 10368]
R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\WINDOWS\system32\drivers\RtkHDAud.sys [2008-04-17 4707328]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2008-05-03 12160]
R3 RTLE8023xp;Realtek 10/100/1000 PCI-E NIC Family NDIS XP Driver; C:\WINDOWS\system32\DRIVERS\Rtenicxp.sys [2008-01-03 105856]
R3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-05-03 32128]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-05-03 30208]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-05-03 59520]
R3 usbohci;Microsoft USB Open Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbohci.sys [2008-05-03 17152]
S3 GMSIPCI;GMSIPCI; \??\E:\INSTALL\GMSIPCI.SYS []
S3 MSICPL;MSICPL; \??\E:\install4\MSICPL.sys []
S3 NTACCESS;NTACCESS; \??\E:\NTACCESS.sys []
S3 SetupNTGLM7X;SetupNTGLM7X; \??\E:\NTGLM7X.sys []
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 Ati HotKey Poller;Ati HotKey Poller; C:\WINDOWS\system32\Ati2evxx.exe [2008-02-26 520192]
S2 ATI Smart;ATI Smart; C:\WINDOWS\system32\ati2sgag.exe [2008-02-25 593920]
S3 gusvc;Google Software Updater; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-08-07 182768]

-----------------EOF-----------------

Re: Internet jede ale tak napul.

Napsal: 07 srp 2009 19:44
od Damned
Půlka byla za náma. :evil:
Odinstaluj si Firefox a Ventrillo (po odstranění si je dáš znovu).

Spusť HJT (HijackThis), vypni prohlížeče, odpoj se od internetu a fixni (spustit HJT, "Do a system scan only",
zatrhnout políčko před hodnotou, zmáčknout "Fix checked" a poté "Ano"):

O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
*****************************************************************************************************************************************
Odinstaluj si starý ComboFix.
Odinstaluj ComboFix.
ComboFix se odinstaluje takto:
Start-Spustit a zadej ComboFix[mezera]/u

Vypni rezidentní štít antiviru (pokud máš tak i antispyware).
Stáhni si ComboFix (by sUBs)
nebo ComboFix (subs)
a ulož si ho na plochu.

Za chvíli ti sem dám script

Stáhni si T-Cleaner
smaže vše po Combu,SDFixu,Avengeru,MWAVu atd.-stáhneš->spustíš

(pozn.Pokud máš AVG nebo Aviru, před stažením T-Cleaneru a po dobu čištění deaktivuj AVG (i rezidenta, Aviru), následně T-Cleaner smaž a zapni si AVG (Aviru).)
*****************************************************************************************************************************************
Časové pásmo: UTC+02:00
Stránka 1 z 5
Powered by phpBB® Forum Software © phpBB Limited
https://www.phpbb.com/