Hello,
I brought a USB stick with some data on it to my PC and noticed that an autorun.inf had been created on it, containing a reference to RECYCLER/.../isee.exe. When I tried to delete it together with the RECYCLER folder, it was restored within a few seconds. Through Google I found that this may be related to the problem of a fijifj.exe window popping up. I did not find any suspicious files on C:, a NOD32 scan reported nothing, and neither did SpyBot. No fijifj window pops up for me. Even so, autorun.inf kept being created on the USB drive. There was nothing in the RECYCLER folder, even though it took up 56 kB. So I used ComboFix following the guide, and it seems to have removed the problem. Still, I would ask for a check of the log, since isee.exe appears in it (I don't know whether it was removed?):
ComboFix 08-04-01.2 - Krez 2008-04-02 16:07:36.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1250.1.1033.18.656 [GMT 2:00]
Running from: C:\Documents and Settings\Krez\Desktop\ComboFix.exe
* Created a new restore point
* Resident AV is active
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\regedit.com
C:\WINDOWS\system32\taskmgr.com
G:\autorun.inf
.
((((((((((((((((((((((((( Files Created from 2008-03-02 to 2008-04-02 )))))))))))))))))))))))))))))))
.
2008-04-01 20:56 . 2008-04-01 20:56 <DIR> d--h----- C:\WINDOWS\PIF
2008-03-30 02:47 . 2008-03-30 02:47 <DIR> d-------- C:\WINDOWS\nview
2008-03-30 02:47 . 2008-03-30 02:47 <DIR> d-------- C:\WINDOWS\nvidia icons
2008-03-30 02:47 . 2008-03-24 12:27 442,368 --a------ C:\WINDOWS\system32\NVUNINST.EXE
2008-03-30 02:47 . 2008-03-24 20:52 442,368 --a------ C:\WINDOWS\system32\nvudisp.exe
2008-03-30 02:47 . 2008-03-30 03:08 179,597 --a------ C:\WINDOWS\system32\nvapps.xml
2008-03-30 02:47 . 2008-03-24 20:52 17,937 --a------ C:\WINDOWS\system32\nvdisp.nvu
2008-03-30 00:16 . 2008-04-01 13:02 <DIR> d-------- C:\Program Files\Winamp
2008-03-30 00:16 . 2008-03-30 00:16 <DIR> d--hs---- C:\Documents and Settings\All Users\DRM
2008-03-30 00:16 . 2008-04-02 15:46 95 --a------ C:\WINDOWS\winamp.ini
2008-03-25 01:08 . 2008-03-25 01:08 <DIR> d-------- C:\WINDOWS\system32\Macromed
2008-03-16 22:49 . 2008-03-16 22:49 12,256 --ah----- C:\WINDOWS\system32\mlfcache.dat
2008-03-11 01:50 . 2008-03-29 21:53 <DIR> d-------- C:\Documents and Settings\Krez\Application Data\gtk-2.0
2008-03-11 01:46 . 2008-03-11 02:52 <DIR> d-------- C:\Documents and Settings\Krez\avidemux
2008-03-10 11:34 . 2003-02-28 19:26 172,304 --a------ C:\WINDOWS\system32\jview.exe
2008-03-10 11:34 . 2003-02-28 19:26 171,792 --a------ C:\WINDOWS\system32\wjview.exe
2008-03-10 11:34 . 2003-02-28 19:26 49,424 --a------ C:\WINDOWS\system32\clspack.exe
2008-03-08 14:39 . 2008-03-08 14:41 <DIR> d-------- C:\Program Files\Web Publish
2008-03-08 14:32 . 1998-06-02 13:05 103,424 --a------ C:\WINDOWS\extrac32.exe
2008-03-08 14:32 . 1998-06-02 13:44 44,544 --a------ C:\WINDOWS\clspack.exe
2008-03-08 11:17 . 2008-03-08 11:17 <DIR> d-------- C:\Program Files\MSXML 6.0
2008-03-06 21:40 . 2008-03-06 21:40 <DIR> d-------- C:\Documents and Settings\Krez\Application Data\Bullzip
2008-03-06 21:38 . 2008-03-06 21:38 <DIR> d-------- C:\Program Files\Bullzip
2008-03-06 21:38 . 2007-10-13 13:11 200,704 --a------ C:\WINDOWS\system32\bzpdf.dll
2008-03-06 21:38 . 2005-09-08 01:03 86,728 --a------ C:\WINDOWS\system32\msxml6r.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-02 13:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-02 13:46 --------- d-----w C:\Documents and Settings\Krez\Application Data\uTorrent
2008-04-01 15:46 --------- d-----w C:\Documents and Settings\Krez\Application Data\dvdcss
2008-03-30 16:19 18,920 ----a-w C:\Documents and Settings\Krez\Application Data\GDIPFONTCACHEV1.DAT
2008-03-30 01:38 --------- d-----w C:\Documents and Settings\Krez\Application Data\Launchy
2008-03-28 23:37 10,022 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
2008-03-21 18:55 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-06 15:46 --------- d-----w C:\Documents and Settings\Krez\Application Data\vlc
2008-03-03 22:52 --------- d-----w C:\Program Files\ICQ6
2008-02-28 20:48 --------- d-----w C:\Documents and Settings\Guest\Application Data\ICQ
2008-02-23 20:52 107,888 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2008-02-20 21:14 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-02-20 21:12 691,545 ----a-w C:\WINDOWS\unins000.exe
2008-02-19 21:01 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-13 17:41 --------- d-----w C:\Documents and Settings\Krez\Application Data\Miranda
2008-02-08 12:56 --------- d-----w C:\Program Files\ESET
.
------- Sigcheck -------
2006-04-20 14:18 360576 b2220c618b42a2212a59d91ebd6fc4b4 C:\WINDOWS\$hf_mig$\KB917953\SP2QFE\tcpip.sys
2007-10-30 18:53 360832 64798ecfa43d78c7178375fcdd16d8c8 C:\WINDOWS\$hf_mig$\KB941644\SP2QFE\tcpip.sys
2004-08-04 14:00 359040 9f4b36614a0fc234525ba224957de55c C:\WINDOWS\$NtUninstallKB917953$\tcpip.sys
2006-04-20 13:51 359808 1dbf125862891817f374f407626967f4 C:\WINDOWS\$NtUninstallKB941644$\tcpip.sys
2008-01-14 15:45 360064 482ab7f9cd41702e8f856c11cfefb02d C:\WINDOWS\system32\dllcache\TCPIP.SYS
2008-01-14 15:45 360064 482ab7f9cd41702e8f856c11cfefb02d C:\WINDOWS\system32\drivers\TCPIP.SYS
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RocketDock"="C:\Program Files\RocketDock\RocketDock.exe" [2007-09-02 14:58 495616]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2007-04-17 22:15 921600]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\point32.exe" [2005-06-10 11:21 217088]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 14:00 15360]
C:\Documents and Settings\Krez\Start Menu\Programs\Startup\
Launchy.lnk - C:\Program Files\Launchy\Launchy.exe [2007-11-24 19:30:34 552960]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"SynchronousMachineGroupPolicy"= 0 (0x0)
"SynchronousUserGroupPolicy"= 0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDesktopCleanupWizard"= 1 (0x1)
"MaxRecentDocs"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="C:\\WINDOWS\\system32\\logonuiX.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbsrv.dll 2007-10-14 21:34 229376 C:\Program Files\Stardock\Object Desktop\WindowBlinds\WbSrv.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wbsys.dll
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"CTFMON.EXE"=C:\WINDOWS\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"NeroFilterCheck"=C:\WINDOWS\system32\NeroCheck.exe
"SoundMan"=SOUNDMAN.EXE
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
"nwiz"=nwiz.exe /install
"NvMediaCenter"=RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"D:\\uTorrent\\utorrent.exe"=
"C:\\Program Files\\ICQ6\\ICQ.exe"=
"C:\\Program Files\\Skype\\Skype.exe"=
R1 fwdrv;Firewall Driver;C:\WINDOWS\system32\drivers\fwdrv.sys [2005-09-26 11:05]
R1 khips;Kerio HIPS Driver;C:\WINDOWS\system32\drivers\khips.sys [2005-09-26 11:05]
R3 PSched;QoS Packet Scheduler;C:\WINDOWS\system32\DRIVERS\psched.sys [2004-08-04 14:00]
R3 SbieDrv;SbieDrv;D:\Sandboxie\SbieDrv.sys [2007-04-20 02:21]
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{08B0E5C0-4FCB-11CF-AAX5-81C01C608512}]
c:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\isee.exe
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-02 16:11:46
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-04-02 16:13:25
ComboFix-quarantined-files.txt 2008-04-02 14:13:19
Pre-Run: 6,660,644,864 bytes free
Post-Run: 6,651,781,120 bytes free
.
2008-03-10 09:34:17 --- E O F ---
Notes on the log: I installed WinAmp, Nvidia drivers and Bullzip PDF Printer; my tcpip.sys is patched for more concurrently open connections.
Thanks.
isee.exe
- memphisto
- Guru Level 13
- Posts: 21113
- Registered: September 06
- Location: Zlín - České Budějovice
Re: isee.exe
Welcome to the PC-HELP.CZ forum
Please don't put logs in code tags. It's hard to read. Edit your post and delete the [code ][ /code] at the beginning and end of the log.
PC-HELP.CZ RULES, HijackThis section RULES, HijackThis guide, Memtest, CCleaner
Please do not send HijackThis logs via PM, but post them in the appropriate section. Thank you
Re: isee.exe
OK, edited
I'm also attaching the HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:43:04, on 2. 4. 2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\RocketDock\RocketDock.exe
C:\Program Files\Launchy\Launchy.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
D:\Downloads\HiJackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKCU\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe"
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Launchy.lnk = C:\Program Files\Launchy\Launchy.exe
O8 - Extra context menu item: E&xportovať do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Sandboxie Service (SbieSvc) - tzuk - D:\Sandboxie\SbieSvc.exe
--
End of file - 2758 bytes
- Baron Prášil
- Master Level 7
- Posts: 4882
- Registered: June 06
Re: isee.exe
Open Notepad (Start -> Run..., type Notepad in the box and click OK)
Copy the following text, marked in green, into it:
File::
C:\WINDOWS\system32\KGyGaAvL.sys
Folder::
c:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013
Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{08B0E5C0-4FCB-11CF-AAX5-81C01C608512}]
Choose File -> Save As... and set these parameters:
File name: type CFScript.txt here
Save as type: select All Files
Save the file to the desktop.
Close all active windows.
Drag the CFScript.txt script you created onto the downloaded ComboFix.exe with the mouse and, when the two files overlap, drop the script
- ComboFix will start automatically
- Post here the log that appears at the end of the cleaning process + a new HijackThis log + info
Re: isee.exe
OK, here is the log:
ComboFix 08-04-01.2 - Krez 2008-04-03 17:17:04.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1250.1.1033.18.447 [GMT 2:00]
Running from: C:\Documents and Settings\Krez\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Krez\Desktop\CFScript.txt
* Created a new restore point
* Resident AV is active
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
FILE ::
C:\WINDOWS\system32\KGyGaAvL.sys
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\regedit.com
C:\WINDOWS\system32\KGyGaAvL.sys
C:\WINDOWS\system32\taskmgr.com
.
((((((((((((((((((((((((( Files Created from 2008-03-03 to 2008-04-03 )))))))))))))))))))))))))))))))
.
2008-04-02 18:08 . 2008-04-02 18:08 0 --a------ C:\23990098.$$$
2008-04-02 17:07 . 2008-04-02 17:07 <DIR> d-a------ C:\WINDOWS\logo1_.exe
2008-04-01 20:56 . 2008-04-01 20:56 <DIR> d-------- C:\WINDOWS\PIF
2008-03-30 02:47 . 2008-03-30 02:47 <DIR> d-------- C:\WINDOWS\nview
2008-03-30 02:47 . 2008-03-30 02:47 <DIR> d-------- C:\WINDOWS\nvidia icons
2008-03-30 02:47 . 2008-03-24 12:27 442,368 --a------ C:\WINDOWS\system32\NVUNINST.EXE
2008-03-30 02:47 . 2008-03-24 20:52 442,368 --a------ C:\WINDOWS\system32\nvudisp.exe
2008-03-30 02:47 . 2008-03-30 03:08 179,597 --a------ C:\WINDOWS\system32\nvapps.xml
2008-03-30 02:47 . 2008-03-24 20:52 17,937 --a------ C:\WINDOWS\system32\nvdisp.nvu
2008-03-30 00:16 . 2008-04-03 10:59 <DIR> d-------- C:\Program Files\Winamp
2008-03-30 00:16 . 2008-03-30 00:16 <DIR> d-------- C:\Documents and Settings\All Users\DRM
2008-03-30 00:16 . 2008-04-02 15:46 95 --a------ C:\WINDOWS\winamp.ini
2008-03-25 01:08 . 2008-03-25 01:08 <DIR> d-------- C:\WINDOWS\system32\Macromed
2008-03-16 22:49 . 2008-03-16 22:49 12,256 --ah----- C:\WINDOWS\system32\mlfcache.dat
2008-03-11 01:50 . 2008-03-29 21:53 <DIR> d-------- C:\Documents and Settings\Krez\Application Data\gtk-2.0
2008-03-11 01:46 . 2008-03-11 02:52 <DIR> d-------- C:\Documents and Settings\Krez\avidemux
2008-03-10 11:34 . 2003-02-28 19:26 172,304 --a------ C:\WINDOWS\system32\jview.exe
2008-03-10 11:34 . 2003-02-28 19:26 171,792 --a------ C:\WINDOWS\system32\wjview.exe
2008-03-10 11:34 . 2003-02-28 19:26 49,424 --a------ C:\WINDOWS\system32\clspack.exe
2008-03-08 14:39 . 2008-03-08 14:41 <DIR> d-------- C:\Program Files\Web Publish
2008-03-08 14:32 . 1998-06-02 13:05 103,424 --a------ C:\WINDOWS\extrac32.exe
2008-03-08 14:32 . 1998-06-02 13:44 44,544 --a------ C:\WINDOWS\clspack.exe
2008-03-08 11:17 . 2008-03-08 11:17 <DIR> d-------- C:\Program Files\MSXML 6.0
2008-03-06 21:40 . 2008-03-06 21:40 <DIR> d-------- C:\Documents and Settings\Krez\Application Data\Bullzip
2008-03-06 21:38 . 2008-03-06 21:38 <DIR> d-------- C:\Program Files\Bullzip
2008-03-06 21:38 . 2007-10-13 13:11 200,704 --a------ C:\WINDOWS\system32\bzpdf.dll
2008-03-06 21:38 . 2005-09-08 01:03 86,728 --a------ C:\WINDOWS\system32\msxml6r.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-03 15:15 --------- d-----w C:\Documents and Settings\Krez\Application Data\uTorrent
2008-04-02 14:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-01 15:46 --------- d-----w C:\Documents and Settings\Krez\Application Data\dvdcss
2008-03-30 16:19 18,920 ----a-w C:\Documents and Settings\Krez\Application Data\GDIPFONTCACHEV1.DAT
2008-03-30 01:38 --------- d-----w C:\Documents and Settings\Krez\Application Data\Launchy
2008-03-21 18:55 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-06 15:46 --------- d-----w C:\Documents and Settings\Krez\Application Data\vlc
2008-03-03 22:52 --------- d-----w C:\Program Files\ICQ6
2008-02-28 20:48 --------- d-----w C:\Documents and Settings\Guest\Application Data\ICQ
2008-02-23 20:52 107,888 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2008-02-20 21:14 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-02-20 21:12 691,545 ----a-w C:\WINDOWS\unins000.exe
2008-02-19 21:01 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-13 17:41 --------- d-----w C:\Documents and Settings\Krez\Application Data\Miranda
2008-02-08 12:56 --------- d-----w C:\Program Files\ESET
.
------- Sigcheck -------
2006-04-20 14:18 360576 b2220c618b42a2212a59d91ebd6fc4b4 C:\WINDOWS\$hf_mig$\KB917953\SP2QFE\tcpip.sys
2007-10-30 18:53 360832 64798ecfa43d78c7178375fcdd16d8c8 C:\WINDOWS\$hf_mig$\KB941644\SP2QFE\tcpip.sys
2004-08-04 14:00 359040 9f4b36614a0fc234525ba224957de55c C:\WINDOWS\$NtUninstallKB917953$\tcpip.sys
2006-04-20 13:51 359808 1dbf125862891817f374f407626967f4 C:\WINDOWS\$NtUninstallKB941644$\tcpip.sys
2008-01-14 15:45 360064 482ab7f9cd41702e8f856c11cfefb02d C:\WINDOWS\system32\dllcache\TCPIP.SYS
2008-01-14 15:45 360064 482ab7f9cd41702e8f856c11cfefb02d C:\WINDOWS\system32\drivers\TCPIP.SYS
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RocketDock"="C:\Program Files\RocketDock\RocketDock.exe" [2007-09-02 14:58 495616]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2007-04-17 22:15 921600]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\point32.exe" [2005-06-10 11:21 217088]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 14:00 15360]
C:\Documents and Settings\Krez\Start Menu\Programs\Startup\
Launchy.lnk - C:\Program Files\Launchy\Launchy.exe [2007-11-24 19:30:34 552960]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"SynchronousMachineGroupPolicy"= 0 (0x0)
"SynchronousUserGroupPolicy"= 0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDesktopCleanupWizard"= 1 (0x1)
"MaxRecentDocs"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="C:\\WINDOWS\\system32\\logonuiX.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbsrv.dll 2007-10-14 21:34 229376 C:\Program Files\Stardock\Object Desktop\WindowBlinds\WbSrv.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wbsys.dll
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"CTFMON.EXE"=C:\WINDOWS\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"NeroFilterCheck"=C:\WINDOWS\system32\NeroCheck.exe
"SoundMan"=SOUNDMAN.EXE
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
"nwiz"=nwiz.exe /install
"NvMediaCenter"=RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"D:\\uTorrent\\utorrent.exe"=
"C:\\Program Files\\ICQ6\\ICQ.exe"=
"C:\\Program Files\\Skype\\Skype.exe"=
R1 fwdrv;Firewall Driver;C:\WINDOWS\system32\drivers\fwdrv.sys [2005-09-26 11:05]
R1 khips;Kerio HIPS Driver;C:\WINDOWS\system32\drivers\khips.sys [2005-09-26 11:05]
R3 PSched;QoS Packet Scheduler;C:\WINDOWS\system32\DRIVERS\psched.sys [2004-08-04 14:00]
R3 SbieDrv;SbieDrv;D:\Sandboxie\SbieDrv.sys [2007-04-20 02:21]
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-03 17:21:18
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-04-03 17:22:56
ComboFix-quarantined-files.txt 2008-04-03 15:22:50
ComboFix2.txt 2008-04-02 14:13:27
Pre-Run: 6,555,598,848 bytes free
Post-Run: 6,547,144,704 bytes free
.
2008-03-10 09:34:17 --- E O F ---
HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:26:35, on 3. 4. 2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\RocketDock\RocketDock.exe
C:\Program Files\Launchy\Launchy.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
D:\Downloads\HiJackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKCU\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe"
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Launchy.lnk = C:\Program Files\Launchy\Launchy.exe
O8 - Extra context menu item: E&xportovať do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Sandboxie Service (SbieSvc) - tzuk - D:\Sandboxie\SbieSvc.exe
--
End of file - 2758 bytes
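An added example, not code from the thread or from ComboFix: a Python checker that applies the one heuristic this case turns on, a program launched from inside a recycle-bin folder, to an autorun.inf like the one the original poster describes and to the "Reg Loading Points" section of a ComboFix log, and then diffs the loading points of the two logs above to confirm that the Active Setup entry for isee.exe is gone. The autorun.inf contents are constructed; the registry excerpts are taken from the logs in this thread.

```python
"""Added example (not the thread's or ComboFix's code): flag autostart targets that
live inside a recycle-bin folder, and diff two ComboFix logs to confirm removal."""
import re

# Folders legitimate software never launches from; compared per path component.
SUSPICIOUS_DIRS = {"recycler", "recycled", "$recycle.bin", "system volume information"}

# autorun.inf keys whose value is a program or command line.
LAUNCH_KEYS = ("open", "shellexecute")
SHELL_COMMAND_RE = re.compile(r"^shell\\[^\\]+\\command$", re.IGNORECASE)


def first_token(command_line):
    """Return the program part of a command line, honouring a quoted path."""
    command_line = command_line.strip()
    if command_line.startswith('"'):
        end = command_line.find('"', 1)
        return command_line[1:end] if end > 0 else command_line[1:]
    return command_line.split(" ", 1)[0]


def is_suspicious_path(path):
    """True when a directory component of the path is a recycle-bin style folder."""
    parts = [p.lower() for p in re.split(r"[\\/]+", path.strip().strip('"')) if p]
    return any(p in SUSPICIOUS_DIRS for p in parts[:-1])


def parse_autorun_inf(text):
    """Yield (key, program) pairs from the [autorun] section of an autorun.inf."""
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            in_autorun = line.lower() == "[autorun]"
            continue
        if in_autorun and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            if key.lower() in LAUNCH_KEYS or SHELL_COMMAND_RE.match(key):
                yield key, first_token(value)


def parse_loading_points(text):
    """Yield (registry key, value line) pairs from a ComboFix Reg Loading Points dump."""
    # Lines without a [key] header above them (e.g. R1/R3 driver lines) fall under
    # the preceding key; that is harmless for the path heuristic.
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
        elif current_key and line and not line.startswith(("REGEDIT", "*Note*", ".")):
            yield current_key, line


def suspicious_autorun_targets(inf_text):
    return [(k, p) for k, p in parse_autorun_inf(inf_text) if is_suspicious_path(p)]


def suspicious_loading_points(log_text):
    return [(k, v) for k, v in parse_loading_points(log_text) if is_suspicious_path(v)]


def removed_loading_points(before_text, after_text):
    """Entries present in the first log's loading points but absent from the second."""
    before = set(parse_loading_points(before_text))
    after = set(parse_loading_points(after_text))
    return sorted(before - after)


# Constructed sample modelled on the autorun.inf the poster describes.
SAMPLE_AUTORUN_INF = r"""[autorun]
open=RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\isee.exe
shell\open\Command=RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\isee.exe
icon=%SystemRoot%\system32\SHELL32.dll,4
"""

# Excerpts of the two "Reg Loading Points" sections quoted in the thread.
LOADING_POINTS_BEFORE = r"""REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RocketDock"="C:\Program Files\RocketDock\RocketDock.exe" [2007-09-02 14:58 495616]
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{08B0E5C0-4FCB-11CF-AAX5-81C01C608512}]
c:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\isee.exe
"""
LOADING_POINTS_AFTER = r"""REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RocketDock"="C:\Program Files\RocketDock\RocketDock.exe" [2007-09-02 14:58 495616]
"""

if __name__ == "__main__":
    for key, prog in suspicious_autorun_targets(SAMPLE_AUTORUN_INF):
        print(f"autorun.inf {key} -> {prog}")
    for key, val in suspicious_loading_points(LOADING_POINTS_BEFORE):
        print(f"loading point [{key}]: {val}")
    for key, val in removed_loading_points(LOADING_POINTS_BEFORE, LOADING_POINTS_AFTER):
        print(f"gone after CFScript: [{key}] {val}")
```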
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbsrv.dll 2007-10-14 21:34 229376 C:\Program Files\Stardock\Object Desktop\WindowBlinds\WbSrv.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wbsys.dll
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"CTFMON.EXE"=C:\WINDOWS\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"NeroFilterCheck"=C:\WINDOWS\system32\NeroCheck.exe
"SoundMan"=SOUNDMAN.EXE
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
"nwiz"=nwiz.exe /install
"NvMediaCenter"=RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"D:\\uTorrent\\utorrent.exe"=
"C:\\Program Files\\ICQ6\\ICQ.exe"=
"C:\\Program Files\\Skype\\Skype.exe"=
R1 fwdrv;Firewall Driver;C:\WINDOWS\system32\drivers\fwdrv.sys [2005-09-26 11:05]
R1 khips;Kerio HIPS Driver;C:\WINDOWS\system32\drivers\khips.sys [2005-09-26 11:05]
R3 PSched;QoS Packet Scheduler;C:\WINDOWS\system32\DRIVERS\psched.sys [2004-08-04 14:00]
R3 SbieDrv;SbieDrv;D:\Sandboxie\SbieDrv.sys [2007-04-20 02:21]
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-03 17:21:18
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-04-03 17:22:56
ComboFix-quarantined-files.txt 2008-04-03 15:22:50
ComboFix2.txt 2008-04-02 14:13:27
Pre-Run: 6,555,598,848 bytes free
Post-Run: 6,547,144,704 bytes free
.
2008-03-10 09:34:17 --- E O F ---
HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:26:35, on 3. 4. 2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\RocketDock\RocketDock.exe
C:\Program Files\Launchy\Launchy.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
D:\Downloads\HiJackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKCU\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe"
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Launchy.lnk = C:\Program Files\Launchy\Launchy.exe
O8 - Extra context menu item: E&xportovať do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Sandboxie Service (SbieSvc) - tzuk - D:\Sandboxie\SbieSvc.exe
--
End of file - 2758 bytes
- Baron Prášil
- Master Level 7
- Posts: 4882
- Registered: June 06
- Gender:
- Status:
Offline
Re: isee.exe
You're welcome.
//if you get the same trouble again, continue here