Good day, I need help because this file keeps getting thrown up and nothing can be done with it, not even removing it with NOD.
http://www.akakapatama.ccom:88(algor(xtrm.exe
Win32/Kryptik.BJ trojan horse
I am attaching the log
thank you
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:46:42, on 1.12.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\ICQ6Toolbar\ICQ Service.exe
C:\WINDOWS\system32\csrcs.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\ICQ6\ICQ.exe
C:\Program Files\Hewlett-Packard\HP Pavilion Webcam\HPWebcam.exe
C:\PROGRA~1\HEWLET~1\Shared\HPQTOA~1.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.zoznam.sk/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: ICQToolBar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQ6Toolbar\ICQToolBar.dll
R3 - URLSearchHook: (no name) - - (no file)
F2 - REG:system.ini: Shell=Explorer.exe csrcs.exe
O2 - BHO: XTTBPos00 - {055FD26D-3A88-4e15-963D-DC8493744B1D} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll
O2 - BHO: Podpora odkazu pro Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: ICQToolBar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQ6Toolbar\ICQToolBar.dll
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Microsoft©] C:\WINDOWS\system32\dllcache\iexplore.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [ICQ] "C:\Program Files\ICQ6\ICQ.exe" silent
O4 - HKCU\..\Run: [amva] C:\WINDOWS\system32\amvo.exe
O4 - HKLM\..\Policies\Explorer\Run: [csrcs] C:\WINDOWS\system32\csrcs.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Pavilion Webcam Tray Icon.lnk = C:\Program Files\Hewlett-Packard\HP Pavilion Webcam\HPWebcam.exe
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe (file missing)
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe (file missing)
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: ICQ Service - Unknown owner - C:\Program Files\ICQ6Toolbar\ICQ Service.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
--
End of file - 6018 bytes
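As an added example (not code from the thread, from HijackThis, or from the forum's Security team), here is a small Python triage of HJT F2 and O4 lines using the kinds of indicators the log above shows: a second program appended to the system.ini Shell= line, an autostart under Policies\Explorer\Run, and unrecognised binaries launched from the Windows directory or from dllcache. The sample lines are constructed to mirror entries from the log; the allowlist and the heuristics are this example's own assumptions, not HijackThis rules.

```python
"""Triage of HijackThis (HJT) log lines for autorun-worm style persistence.

Added example, not part of the forum thread or of HijackThis itself. The
heuristics and the allowlist below are assumptions of this example.
"""
import re

# Constructed sample: a few lines of the shape the thread's first HJT log shows.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.zoznam.sk/
F2 - REG:system.ini: Shell=Explorer.exe csrcs.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Microsoft©] C:\WINDOWS\system32\dllcache\iexplore.exe
O4 - HKCU\..\Run: [amva] C:\WINDOWS\system32\amvo.exe
O4 - HKLM\..\Policies\Explorer\Run: [csrcs] C:\WINDOWS\system32\csrcs.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
"""

# Windows binaries that legitimately autostart from the system directory (assumed allowlist).
KNOWN_SYSTEM_BINARIES = {"ctfmon.exe", "rundll32.exe", "userinit.exe", "explorer.exe"}

F2_RE = re.compile(r"^F2 - REG:system\.ini: Shell=(?P<shell>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# First executable in a command: optionally quoted, stops at the first ".exe".
IMAGE_RE = re.compile(r'^"?(?P<path>.*?\.exe)"?(?:\s|$)', re.I)


def image_of(cmd):
    """Return (file name, full path) of the executable a Run value launches, lower-cased."""
    m = IMAGE_RE.match(cmd.strip())
    path = m.group("path") if m else cmd.strip().split(" ")[0]
    path = path.lower()
    return path.rsplit("\\", 1)[-1], path


def triage_line(line):
    """Return a list of reasons this HJT line deserves a look (empty if none)."""
    reasons = []
    m = F2_RE.match(line)
    if m:
        # Shell= should only ever be Explorer.exe; anything else is loaded at logon too.
        extra = [p for p in m.group("shell").split() if p.lower() != "explorer.exe"]
        if extra:
            reasons.append("system.ini Shell= loads extra program(s): " + ", ".join(extra))
        return reasons
    m = O4_RE.match(line)
    if not m:
        return reasons
    hive, cmd = m.group("hive"), m.group("cmd")
    fname, path = image_of(cmd)
    if "policies\\explorer\\run" in hive.lower():
        reasons.append("autostart via Policies\\Explorer\\Run (rarely used by legitimate software)")
    if "\\dllcache\\" in path:
        reasons.append("executes from the dllcache directory")
    if "\\windows\\" in path and fname not in KNOWN_SYSTEM_BINARIES:
        reasons.append(f"unrecognised binary {fname} starting from the Windows directory")
    return reasons


def triage_log(text):
    """Run triage_line over every line; return [(line, reasons)] for flagged lines only."""
    findings = []
    for line in text.splitlines():
        reasons = triage_line(line)
        if reasons:
            findings.append((line, reasons))
    return findings


if __name__ == "__main__":
    for line, reasons in triage_log(SAMPLE_LOG):
        print(line)
        for r in reasons:
            print("   ->", r)
```

Run on the constructed sample, the script flags the F2 Shell= line, the dllcache Run entry, amvo.exe and the csrcs.exe policy entry, and leaves the Synaptics, NVIDIA, ctfmon and NOD32 lines alone; on a real log the flagged lines are the ones to research before fixing anything with HJT.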
Trojan horse
- jaro3
- Security team member
- Guru Level 15
- Posts: 43287
- Registered: June 07
- Location: South Bohemia
Re: Trojan horse
What I see there is more like a worm..
Download SDFix
- Run it and it will extract itself to the drive where Windows is installed (typically C:\SDfix)
- Then restart the PC into Safe Mode (choose the option: Safe Mode, not Safe Mode with Networking)
- Open the folder where SDFix was extracted and run the file RunThis.bat; that starts the program.
* Then press the Y key and then Enter to begin the cleaning process.
* To complete the check you will be prompted to press any key, and the computer will restart.
* While the operating system boots, the program will start again and finish the cleaning process. When Finish appears, you will have to press any key when prompted; that ends the program and the desktop icons will appear.
- When the desktop icons have finished loading, the SDFix log will open on your screen and it will also be saved in the folder where SDFix was extracted, as the file Report.txt
Then copy its contents here + a new log from HJT + check whether any icons are missing under Start and whether your drives show up under My Computer....
When working with HJT, ComboFix, MbAM, SDFix etc., close all other applications and browsers!
Do not send logs in private messages. During my absence, memphisto, Žbeky and Orcus stand in for me.
If you are satisfied, you can support our forum: Forum support
Re: Trojan horse
So I did it exactly as instructed and here is the result from SDFix and HJT:
SDFix: Version 1.240
Run by hp on ne 21.12.2008 at 18:03
Microsoft Windows XP [Verzia 5.1.2600]
Running From: C:\SDFix
Checking Services :
Restoring Default Security Values
Restoring Default Hosts File
Rebooting
Checking Files :
Trojan Files Found:
C:\WINDOWS\system32\csrcs.exe - Deleted
Folder C:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013 - Removed
Removing Temp Files
ADS Check :
Final Check :
catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-21 18:11:18
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden services & system hive ...
scanning hidden registry entries ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0
Remaining Services :
Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\Program Files\\ICQLite\\ICQLite.exe"="C:\\Program Files\\ICQLite\\ICQLite.exe:*:Enabled:ICQ Lite"
"C:\\Program Files\\DNA\\btdna.exe"="C:\\Program Files\\DNA\\btdna.exe:*:Enabled:DNA"
"C:\\Program Files\\BitTorrent\\bittorrent.exe"="C:\\Program Files\\BitTorrent\\bittorrent.exe:*:Enabled:BitTorrent"
"C:\\Program Files\\ICQ6\\ICQ.exe"="C:\\Program Files\\ICQ6\\ICQ.exe:*:Enabled:ICQ6"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
Remaining Files :
File Backups: - C:\SDFix\backups\backups.zip
Files with Hidden Attributes :
Thu 23 Oct 2008 104,373 ..SHR --- "C:\b.com"
Wed 4 Aug 2004 927,091 A.SHR --- "C:\ejvjuz.exe"
Mon 14 Apr 2008 420,456 A.SHR --- "C:\oaopgf.exe"
Finished!
and here is HijackThis:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:27:00, on 21.12.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ICQ6Toolbar\ICQ Service.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\ICQ6\ICQ.exe
C:\Program Files\Hewlett-Packard\HP Pavilion Webcam\HPWebcam.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\PROGRA~1\HEWLET~1\Shared\HPQTOA~1.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.zoznam.sk/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: ICQToolBar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQ6Toolbar\ICQToolBar.dll
R3 - URLSearchHook: (no name) - - (no file)
O2 - BHO: XTTBPos00 - {055FD26D-3A88-4e15-963D-DC8493744B1D} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll
O2 - BHO: Podpora odkazu pro Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: ICQToolBar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQ6Toolbar\ICQToolBar.dll
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Microsoft©] C:\WINDOWS\system32\dllcache\iexplore.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NSLauncher] C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe /startup
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [ICQ] "C:\Program Files\ICQ6\ICQ.exe" silent
O4 - HKCU\..\Run: [amva] C:\WINDOWS\system32\amvo.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Pavilion Webcam Tray Icon.lnk = C:\Program Files\Hewlett-Packard\HP Pavilion Webcam\HPWebcam.exe
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe (file missing)
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe (file missing)
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: ICQ Service - Unknown owner - C:\Program Files\ICQ6Toolbar\ICQ Service.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
--
End of file - 6421 bytes
So thank you very much, and I wish you pleasant Christmas holidays without viruses :)
- jaro3
- Security team member
- Guru Level 15
- Posts: 43287
- Registered: June 07
- Location: South Bohemia
Re: Trojan horse
Find and delete: C:\SDFix
Unfortunately that is not all.
Turn off the resident protection in NOD32.
Download ComboFix (by sUBs)
and save it to your desktop.
Close all active windows and run it.
- After it starts, the terms of use will be displayed; confirm them by pressing the Yes button
- Then follow the instructions; while ComboFix is running, do not click into the window that appears
- After the scan finishes, the program should create a log - C:\ComboFix.txt - please copy its entire contents here
When working with HJT, ComboFix, MbAM, SDFix etc., close all other applications and browsers!
Do not send logs in private messages. During my absence, memphisto, Žbeky and Orcus stand in for me.
If you are satisfied, you can support our forum: Forum support
Re: Trojan horse
So here it is
ComboFix 08-12-21.02 - hp 2008-12-21 22:41:11.4 - NTFSx86
Systém Microsoft Windows XP Home Edition 5.1.2600.2.1250.1.1033.18.1023.562 [GMT 1:00]
Running from: c:\documents and settings\hp\Desktop\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\b.com
c:\windows\system32\AutoRun.inf
.
((((((((((((((((((((((((( Files Created from 2008-11-21 to 2008-12-21 )))))))))))))))))))))))))))))))
.
2008-12-21 18:00 . 2008-12-21 18:00 <DIR> d-------- c:\windows\ERUNT
2008-12-20 22:24 . 2008-12-20 22:24 54,156 --ah----- c:\windows\QTFont.qfn
2008-12-20 22:24 . 2008-12-20 22:24 1,409 --a------ c:\windows\QTFont.for
2008-12-20 22:06 . 2008-12-20 22:06 <DIR> d-------- C:\N 95 aplikacie
2008-12-20 22:03 . 2008-12-20 22:03 <DIR> d-------- c:\documents and settings\hp\Application Data\AdobeAUM
2008-12-20 22:02 . 2008-12-20 22:02 <DIR> d-------- c:\documents and settings\hp\Application Data\AdobeUM
2008-12-20 21:44 . 2008-12-20 21:44 <DIR> d-------- c:\program files\Common Files\Nokia
2008-12-20 21:44 . 2008-12-20 21:44 <DIR> d-------- c:\documents and settings\All Users\Application Data\Nokia
2008-12-20 21:43 . 2008-12-20 21:56 <DIR> d-------- c:\documents and settings\hp\Application Data\Nokia
2008-12-20 21:43 . 2008-12-20 21:43 <DIR> d-------- c:\documents and settings\All Users\Application Data\PC Suite
2008-12-20 21:42 . 2008-12-20 21:42 <DIR> d-------- c:\program files\PC Connectivity Solution
2008-12-20 21:42 . 2008-12-20 21:42 <DIR> d-------- c:\program files\Common Files\PCSuite
2008-12-20 21:42 . 2008-12-20 21:42 <DIR> d-------- c:\documents and settings\hp\Application Data\PC Suite
2008-12-20 21:41 . 2008-12-20 21:44 <DIR> d-------- c:\program files\Nokia
2008-12-20 21:41 . 2007-02-22 10:15 90,624 --a------ c:\windows\system32\nmwcdcls.dll
2008-12-16 23:21 . 2008-12-16 23:27 <DIR> dr------- C:\Walk the line 2005
2008-12-16 23:20 . 2008-12-16 23:22 <DIR> d-------- C:\Ostrov
2008-12-16 23:20 . 2008-12-16 23:21 <DIR> d-------- C:\Má mě rád, nemá mě rád
2008-12-16 23:19 . 2008-12-16 23:19 <DIR> d-------- C:\Genesis
2008-12-16 23:17 . 2008-12-16 23:18 <DIR> d-------- C:\lásky jedné plavovlásky
2008-12-16 23:16 . 2008-12-16 23:18 <DIR> d-------- C:\3-iron
2008-12-16 23:15 . 2008-12-16 23:16 <DIR> d-------- C:\Spring, Summer, Fall, Winter... and Spring
2008-12-16 23:15 . 2008-12-16 23:17 <DIR> dr------- C:\requiem for a dream - Darren Aronofsky 2000
2008-12-16 23:13 . 2008-12-16 23:14 <DIR> d-------- C:\Permanent Vacation
2008-12-16 23:13 . 2008-12-16 23:13 <DIR> d-------- C:\Night On Earth
2008-12-14 23:10 . 2008-12-19 12:53 9,216 --a------ c:\windows\system32\sdvk.exe
2008-12-02 18:56 . 2008-04-14 15:01 420,456 -rahs---- C:\oaopgf.exe
2008-12-02 18:56 . 2008-12-02 18:56 0 -rahs---- C:\khr
2008-12-01 18:45 . 2008-12-01 18:45 812,344 --a------ C:\HJTInstall.exe
2008-11-30 00:46 . 2008-12-08 11:32 9,728 --a------ c:\windows\system32\sd4uk.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-21 21:35 --------- d-----w c:\documents and settings\hp\Application Data\DNA
2008-12-21 17:14 --------- d-----w c:\program files\DNA
2008-12-21 16:30 --------- d-----w c:\documents and settings\hp\Application Data\OpenOffice.org2
2008-12-20 20:42 --------- d-----w c:\program files\DIFX
2008-12-15 13:30 --------- d-----w c:\documents and settings\hp\Application Data\U3
2008-12-05 16:17 --------- d-----w c:\documents and settings\hp\Application Data\ICQ
2008-10-27 10:05 --------- d-----w c:\program files\Common Files\Adobe
2008-10-24 11:10 453,632 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-23 13:01 283,648 ----a-w c:\windows\system32\gdi32.dll
2008-10-16 13:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 13:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 13:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 13:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 13:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 13:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 13:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 13:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 10:37 659,456 ----a-w c:\windows\system32\wininet.dll
2008-10-03 10:15 247,326 ----a-w c:\windows\system32\strmdll.dll
2008-09-30 15:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-21 23:04 1,222,901 ----a-w C:\mv2p070RC2p.exe
2008-02-17 17:53 32 ----a-w c:\documents and settings\All Users\Application Data\ezsid.dat
2008-12-19 14:02 67,688 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2008-12-19 14:02 54,368 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2008-12-19 14:02 34,944 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2008-12-19 14:02 46,712 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2008-12-19 14:02 172,136 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2008-11-18 342336]
"ICQ"="c:\program files\ICQ6\ICQ.exe" [2008-09-01 173304]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-11-06 159744]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-07-20 7581696]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-07-20 86016]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-01-12 827392]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2007-12-11 286720]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"nod32kui"="c:\program files\Eset\nod32kui.exe" [2008-04-14 949376]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-01-10 472776]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"NSLauncher"="c:\program files\Nokia\Nokia Software Launcher\NSLauncher.exe" [2007-08-02 3096576]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 57344]
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" [2006-07-27 c:\windows\system32\CHDAudPropShortcut.exe]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-03-12 113664]
HP Pavilion Webcam Tray Icon.lnk - c:\program files\Hewlett-Packard\HP Pavilion Webcam\HPWebcam.exe [2007-09-13 102400]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]
--a------ 2006-07-27 13:44 61952 c:\windows\system32\CHDAudPropShortcut.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Mouse Suite 98 Daemon]
--a------ 2004-07-14 14:36 57344 c:\windows\system32\ICO.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2006-07-20 19:58 1519616 c:\windows\system32\nwiz.exe
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\ICQ6\\ICQ.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
R0 sonyhcb;Sony Digital Imaging Base;c:\windows\system32\DRIVERS\sonyhcb.sys [2008-10-11 6097]
R1 nod32drv;nod32drv;c:\windows\system32\drivers\nod32drv.sys [2008-04-14 15424]
R2 ICQ Service;ICQ Service;c:\program files\ICQ6Toolbar\ICQ Service.exe [2008-09-16 222456]
R3 PSched;QoS Packet Scheduler;c:\windows\system32\DRIVERS\psched.sys [2004-08-04 69120]
S3 s125bus;Sony Ericsson Device 125 driver (WDM);c:\windows\system32\DRIVERS\s125bus.sys [2007-04-24 83336]
S3 s125obex;Sony Ericsson Device 125 USB WMC OBEX Interface;c:\windows\system32\DRIVERS\s125obex.sys [2007-04-24 98696]
S3 sonyhcs;Sony Digital Imaging Video;c:\windows\system32\DRIVERS\sonyhcs.sys [2008-10-11 299923]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{41b0a657-61f5-11dc-b88a-9966d0c157d8}]
\Shell\AutoRun\command - SWSETUP\APPINSTL\setup.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{494b1572-eaa2-11dc-9c1a-0016366cd665}]
\Shell\AutoRun\command - e:\.\run\autorun.exe
\Shell\open\Command - e:\.\run\autorun.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6b0f856a-9234-11dc-b926-0016366cd665}]
\Shell\AutoRun\command - e:\.\run\autorun.exe
\Shell\open\Command - e:\.\run\autorun.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{85263ece-b2e3-11dc-b999-0016366cd665}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{936e9443-928e-11dc-b927-0016366cd665}]
\Shell\AutoRun\command - e:\.\run\autorun.exe
\Shell\open\Command - e:\.\run\autorun.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{982eaad9-bd4b-11dd-896c-001636cfb45d}]
\Shell\AutoRun\command - yodjhj.exe
\Shell\explore\Command - yodjhj.exe
\Shell\open\Command - yodjhj.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{982eaada-bd4b-11dd-896c-001636cfb45d}]
\Shell\AutoRun\command - yodjhj.exe
\Shell\explore\Command - yodjhj.exe
\Shell\open\Command - yodjhj.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9b225f76-09de-11dd-9c76-0016366cd665}]
\Shell\AutoRun\command - e:\.\run\autorun.exe
\Shell\open\Command - e:\.\run\autorun.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d345a886-bc00-11dd-8965-001636cfb45d}]
\Shell\AutoRun\command - E:\b.com
\Shell\explore\Command - E:\b.com
\Shell\open\Command - E:\b.com
.
Contents of the 'Scheduled Tasks' folder
2008-11-26 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]
.
- - - - ORPHANS REMOVED - - - -
HKLM-Run-Microsoft© - c:\windows\system32\dllcache\iexplore.exe
ShellExecuteHooks-{0CD68AC9-FF63-3E61-626B-B663E62F6236} - (no file)
MSConfigStartUp-ICQ Lite - c:\program files\ICQLite\ICQLite.exe
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.zoznam.sk/
uInternet Connection Wizard,ShellNext = iexplore
LSP: c:\windows\system32\imon.dll
FF - ProfilePath - c:\documents and settings\hp\Application Data\Mozilla\Firefox\Profiles\o5geca34.default\
FF - prefs.js: browser.search.selectedEngine - ICQ Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.sk/
FF - prefs.js: keyword.URL - hxxp://search.icq.com/search/afe_result ... id=afex&q=
FF - prefs.js: keyword.enabled - false
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-21 22:42:26
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'lsass.exe'(916)
c:\windows\system32\imon.dll
c:\program files\Eset\pr_imon.dll
.
Completion time: 2008-12-21 22:43:12
ComboFix-quarantined-files.txt 2008-12-21 21:42:55
ComboFix2.txt 2008-01-16 17:36:21
Pre-Run: 897 384 448 bytes free
Post-Run: 1,888,841,728 voľných bajtov
190 --- E O F --- 2008-12-21 14:44:39
- jaro3
- Security team member
- Guru Level 15
- Posts: 43287
- Registered: June 07
- Location: South Bohemia
Re: Trojan horse
Open Notepad (Start -> Run..., type Notepad into the box and click OK).
Copy the entire following text marked in green into it:
Note: Do not use SELECT ALL to select the script
Code:
File::
C:\oaopgf.exe
Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{982eaad9-bd4b-11dd-896c-001636cfb45d}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{982eaada-bd4b-11dd-896c-001636cfb45d}]
Choose File -> Save As... and set these parameters:
File name: type CFScript.txt
Save as type: select All Files
Save the file to the desktop.
Close all open windows.
Drag the created CFScript.txt script with the mouse onto the downloaded ComboFix.exe, and when the two files overlap, drop the script.
- ComboFix will start automatically
- Post here the log that appears at the end of the cleaning process + a new HJT log
If you do not recognise these:
c:\windows\system32\sdvk.exe
C:\khr
test them on Virustotal
Post the results here.
When working with HJT, ComboFix, MbAM, SDFix etc., close all other applications and browsers!
Do not send logs by private message. During my absence, memphisto, Žbeky and Orcus stand in for me.
If you are satisfied, you can support our forum: Forum support
Re: Trojan horse
ComboFix 08-12-21.02 - hp 2008-12-22 23:44:51.5 - NTFSx86
Systém Microsoft Windows XP Home Edition 5.1.2600.2.1250.1.1033.18.1023.620 [GMT 1:00]
Running from: c:\documents and settings\hp\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\hp\Desktop\CFScript.txt
* Created a new restore point
* Resident AV is active
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
FILE ::
C:\oaopgf.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\oaopgf.exe
.
((((((((((((((((((((((((( Files Created from 2008-11-22 to 2008-12-22 )))))))))))))))))))))))))))))))
.
2008-12-21 18:00 . 2008-12-21 18:00 <DIR> d-------- c:\windows\ERUNT
2008-12-20 22:24 . 2008-12-20 22:24 54,156 --ah----- c:\windows\QTFont.qfn
2008-12-20 22:24 . 2008-12-20 22:24 1,409 --a------ c:\windows\QTFont.for
2008-12-20 22:06 . 2008-12-20 22:06 <DIR> d-------- C:\N 95 aplikacie
2008-12-20 22:03 . 2008-12-20 22:03 <DIR> d-------- c:\documents and settings\hp\Application Data\AdobeAUM
2008-12-20 22:02 . 2008-12-20 22:02 <DIR> d-------- c:\documents and settings\hp\Application Data\AdobeUM
2008-12-20 21:44 . 2008-12-20 21:44 <DIR> d-------- c:\program files\Common Files\Nokia
2008-12-20 21:44 . 2008-12-20 21:44 <DIR> d-------- c:\documents and settings\All Users\Application Data\Nokia
2008-12-20 21:43 . 2008-12-20 21:56 <DIR> d-------- c:\documents and settings\hp\Application Data\Nokia
2008-12-20 21:43 . 2008-12-20 21:43 <DIR> d-------- c:\documents and settings\All Users\Application Data\PC Suite
2008-12-20 21:42 . 2008-12-20 21:42 <DIR> d-------- c:\program files\PC Connectivity Solution
2008-12-20 21:42 . 2008-12-20 21:42 <DIR> d-------- c:\program files\Common Files\PCSuite
2008-12-20 21:42 . 2008-12-20 21:42 <DIR> d-------- c:\documents and settings\hp\Application Data\PC Suite
2008-12-20 21:41 . 2008-12-20 21:44 <DIR> d-------- c:\program files\Nokia
2008-12-20 21:41 . 2007-02-22 10:15 90,624 --a------ c:\windows\system32\nmwcdcls.dll
2008-12-16 23:21 . 2008-12-16 23:27 <DIR> dr------- C:\Walk the line 2005
2008-12-16 23:20 . 2008-12-16 23:22 <DIR> d-------- C:\Ostrov
2008-12-16 23:20 . 2008-12-16 23:21 <DIR> d-------- C:\Má mě rád, nemá mě rád
2008-12-16 23:19 . 2008-12-16 23:19 <DIR> d-------- C:\Genesis
2008-12-16 23:17 . 2008-12-16 23:18 <DIR> d-------- C:\lásky jedné plavovlásky
2008-12-16 23:16 . 2008-12-16 23:18 <DIR> d-------- C:\3-iron
2008-12-16 23:15 . 2008-12-16 23:16 <DIR> d-------- C:\Spring, Summer, Fall, Winter... and Spring
2008-12-16 23:15 . 2008-12-16 23:17 <DIR> dr------- C:\requiem for a dream - Darren Aronofsky 2000
2008-12-16 23:13 . 2008-12-16 23:14 <DIR> d-------- C:\Permanent Vacation
2008-12-16 23:13 . 2008-12-16 23:13 <DIR> d-------- C:\Night On Earth
2008-12-14 23:10 . 2008-12-19 12:53 9,216 --a------ c:\windows\system32\sdvk.exe
2008-12-02 18:56 . 2008-12-02 18:56 0 -rahs---- C:\khr
2008-12-01 18:45 . 2008-12-01 18:45 812,344 --a------ C:\HJTInstall.exe
2008-11-30 00:46 . 2008-12-08 11:32 9,728 --a------ c:\windows\system32\sd4uk.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-22 22:41 --------- d-----w c:\documents and settings\hp\Application Data\DNA
2008-12-22 21:51 --------- d-----w c:\program files\DNA
2008-12-21 16:30 --------- d-----w c:\documents and settings\hp\Application Data\OpenOffice.org2
2008-12-20 20:42 --------- d-----w c:\program files\DIFX
2008-12-15 13:30 --------- d-----w c:\documents and settings\hp\Application Data\U3
2008-12-05 16:17 --------- d-----w c:\documents and settings\hp\Application Data\ICQ
2008-10-27 10:05 --------- d-----w c:\program files\Common Files\Adobe
2008-10-24 11:10 453,632 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-23 13:01 283,648 ----a-w c:\windows\system32\gdi32.dll
2008-10-16 13:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 13:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 13:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 13:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 13:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 13:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 13:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 13:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 10:37 659,456 ----a-w c:\windows\system32\wininet.dll
2008-10-03 10:15 247,326 ----a-w c:\windows\system32\strmdll.dll
2008-09-30 15:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-02-17 17:53 32 ----a-w c:\documents and settings\All Users\Application Data\ezsid.dat
2008-12-19 14:02 67,688 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2008-12-19 14:02 54,368 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2008-12-19 14:02 34,944 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2008-12-19 14:02 46,712 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2008-12-19 14:02 172,136 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
.
((((((((((((((((((((((((((((( snapshot@2008-12-21_22.42.36,06 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-12-21 17:15:44 40,504 ----a-w c:\windows\system32\perfc009.dat
+ 2008-12-22 21:55:36 40,504 ----a-w c:\windows\system32\perfc009.dat
- 2008-12-21 17:15:44 312,308 ----a-w c:\windows\system32\perfh009.dat
+ 2008-12-22 21:55:36 312,308 ----a-w c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2008-11-18 342336]
"ICQ"="c:\program files\ICQ6\ICQ.exe" [2008-09-01 173304]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-11-06 159744]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-07-20 7581696]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-07-20 86016]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-01-12 827392]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2007-12-11 286720]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"nod32kui"="c:\program files\Eset\nod32kui.exe" [2008-04-14 949376]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-01-10 472776]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"NSLauncher"="c:\program files\Nokia\Nokia Software Launcher\NSLauncher.exe" [2007-08-02 3096576]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 57344]
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" [2006-07-27 c:\windows\system32\CHDAudPropShortcut.exe]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-03-12 113664]
HP Pavilion Webcam Tray Icon.lnk - c:\program files\Hewlett-Packard\HP Pavilion Webcam\HPWebcam.exe [2007-09-13 102400]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]
--a------ 2006-07-27 13:44 61952 c:\windows\system32\CHDAudPropShortcut.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Mouse Suite 98 Daemon]
--a------ 2004-07-14 14:36 57344 c:\windows\system32\ICO.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2006-07-20 19:58 1519616 c:\windows\system32\nwiz.exe
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\ICQ6\\ICQ.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
R0 sonyhcb;Sony Digital Imaging Base;c:\windows\system32\DRIVERS\sonyhcb.sys [2008-10-11 6097]
R1 nod32drv;nod32drv;c:\windows\system32\drivers\nod32drv.sys [2008-04-14 15424]
R2 ICQ Service;ICQ Service;c:\program files\ICQ6Toolbar\ICQ Service.exe [2008-09-16 222456]
R3 PSched;QoS Packet Scheduler;c:\windows\system32\DRIVERS\psched.sys [2004-08-04 69120]
S3 s125bus;Sony Ericsson Device 125 driver (WDM);c:\windows\system32\DRIVERS\s125bus.sys [2007-04-24 83336]
S3 s125obex;Sony Ericsson Device 125 USB WMC OBEX Interface;c:\windows\system32\DRIVERS\s125obex.sys [2007-04-24 98696]
S3 sonyhcs;Sony Digital Imaging Video;c:\windows\system32\DRIVERS\sonyhcs.sys [2008-10-11 299923]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{41b0a657-61f5-11dc-b88a-9966d0c157d8}]
\Shell\AutoRun\command - SWSETUP\APPINSTL\setup.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{494b1572-eaa2-11dc-9c1a-0016366cd665}]
\Shell\AutoRun\command - e:\.\run\autorun.exe
\Shell\open\Command - e:\.\run\autorun.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6b0f856a-9234-11dc-b926-0016366cd665}]
\Shell\AutoRun\command - e:\.\run\autorun.exe
\Shell\open\Command - e:\.\run\autorun.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{85263ece-b2e3-11dc-b999-0016366cd665}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{936e9443-928e-11dc-b927-0016366cd665}]
\Shell\AutoRun\command - e:\.\run\autorun.exe
\Shell\open\Command - e:\.\run\autorun.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9b225f76-09de-11dd-9c76-0016366cd665}]
\Shell\AutoRun\command - e:\.\run\autorun.exe
\Shell\open\Command - e:\.\run\autorun.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d345a886-bc00-11dd-8965-001636cfb45d}]
\Shell\AutoRun\command - E:\b.com
\Shell\explore\Command - E:\b.com
\Shell\open\Command - E:\b.com
.
Contents of the 'Scheduled Tasks' folder
2008-11-26 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.zoznam.sk/
uInternet Connection Wizard,ShellNext = iexplore
LSP: c:\windows\system32\imon.dll
FF - ProfilePath - c:\documents and settings\hp\Application Data\Mozilla\Firefox\Profiles\o5geca34.default\
FF - prefs.js: browser.search.selectedEngine - ICQ Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.sk/
FF - prefs.js: keyword.URL - hxxp://search.icq.com/search/afe_result ... id=afex&q=
FF - prefs.js: keyword.enabled - false
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-22 23:46:51
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'lsass.exe'(916)
c:\windows\system32\imon.dll
c:\program files\Eset\pr_imon.dll
.
Completion time: 2008-12-22 23:47:35
ComboFix-quarantined-files.txt 2008-12-22 22:47:23
ComboFix2.txt 2008-12-21 21:43:12
ComboFix3.txt 2008-01-16 17:36:21
Pre-Run: 1 863 933 952 bytes free
Post-Run: 1,849,880,576 voľných bajtov
187 --- E O F --- 2008-12-21 14:44:39
VirusTotal results:
Antivirus Version Last update Result
AhnLab-V3 2008.12.22.0 2008.12.22 -
AntiVir 7.9.0.45 2008.12.22 HEUR/Crypted
Authentium 5.1.0.4 2008.12.22 -
Avast 4.8.1281.0 2008.12.21 Win32:Crypt-DGD
AVG 8.0.0.199 2008.12.22 BackDoor.Generic_r.EA
BitDefender 7.2 2008.12.22 -
CAT-QuickHeal 10.00 2008.12.22 -
ClamAV 0.94.1 2008.12.22 -
Comodo 800 2008.12.22 -
DrWeb 4.44.0.09170 2008.12.22 -
eSafe 7.0.17.0 2008.12.21 Suspicious File
eTrust-Vet 31.6.6274 2008.12.22 -
Ewido 4.0 2008.12.22 -
F-Prot 4.4.4.56 2008.12.22 -
F-Secure 8.0.14332.0 2008.12.22 -
Fortinet 3.117.0.0 2008.12.22 -
GData 19 2008.12.22 Win32:Crypt-DGD
Ikarus T3.1.1.45.0 2008.12.22 -
K7AntiVirus 7.10.562 2008.12.22 -
Kaspersky 7.0.0.125 2008.12.22 -
McAfee 5472 2008.12.22 -
McAfee+Artemis 5472 2008.12.22 -
Microsoft 1.4205 2008.12.22 -
NOD32 3712 2008.12.22 -
Norman 5.80.02 2008.12.22 -
Panda 9.0.0.4 2008.12.22 -
PCTools 4.4.2.0 2008.12.22 -
Prevx1 V2 2008.12.22 -
Rising 21.09.02.00 2008.12.22 -
SecureWeb-Gateway 6.7.6 2008.12.22 Heuristic.Crypted
Sophos 4.37.0 2008.12.22 -
Sunbelt 3.2.1809.2 2008.12.22 -
TheHacker 6.3.1.4.195 2008.12.20 -
TrendMicro 8.700.0.1004 2008.12.22 -
VBA32 3.12.8.10 2008.12.22 -
ViRobot 2008.12.22.1530 2008.12.22 -
VirusBuster 4.5.11.0 2008.12.22 -
Additional information
File size: 9216 bytes
MD5...: 536328576ce7083b891b794e5183dcbd
SHA1..: 7a3908c0d6cfe94b1e32720129e83fea74d3927a
SHA256: f57e2de67401f034c73b4a04bf615b4f5732050c396edcc08a71d769b1a5223d
SHA512: a8a88967aefcfa7dc2f0021818822fbc59acfe6598bd6d9576e80ebfe3f2897a975b1523f10f72ec7929c6f0f2ee4b6b176284815d15c0926205f5353e26adcc
ssdeep: 192:pHeJrkrKV0rc01jREh7VQDFikZaD+H85/fXdmOix4/d2fF+lJh/C:pHArk2VgcdQBiuq+HW/fYOg4/d6kJxC
PEiD..: -
TrID..: File type identification
Win32 Executable Generic (42.3%)
Win32 Dynamic Link Library (generic) (37.6%)
Generic Win/DOS Executable (9.9%)
DOS Executable Generic (9.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
PEInfo: PE Structure information
( base data )
entrypointaddress.: 0x40bbb0
timedatestamp.....: 0x493fd2ae (Wed Dec 10 14:31:10 2008)
machinetype.......: 0x14c (I386)
( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
UPX0 0x1000 0x29000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
UPX1 0x2a000 0x2000 0x1e00 7.72 4ccb884e6c2fcec6c9da212d3ac0bed7
.rsrc 0x2c000 0x1000 0x400 3.16 517051ca8333d9dabdc00bc2314c7bea
( 0 imports )
( 0 exports )
packers (Kaspersky): PE_Patch.UPX, UPX
packers (F-Prot): UPX
packers (Avast): UPX
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 0:02:58, on 23.12.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ICQ6Toolbar\ICQ Service.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\ICQ6\ICQ.exe
C:\Program Files\Hewlett-Packard\HP Pavilion Webcam\HPWebcam.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\PROGRA~1\HEWLET~1\Shared\HPQTOA~1.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.zoznam.sk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: ICQToolBar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQ6Toolbar\ICQToolBar.dll
R3 - URLSearchHook: (no name) - - (no file)
O2 - BHO: XTTBPos00 - {055FD26D-3A88-4e15-963D-DC8493744B1D} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll
O2 - BHO: Podpora odkazu pro Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: ICQToolBar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQ6Toolbar\ICQToolBar.dll
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NSLauncher] C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe /startup
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [ICQ] "C:\Program Files\ICQ6\ICQ.exe" silent
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Pavilion Webcam Tray Icon.lnk = C:\Program Files\Hewlett-Packard\HP Pavilion Webcam\HPWebcam.exe
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe (file missing)
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe (file missing)
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: ICQ Service - Unknown owner - C:\Program Files\ICQ6Toolbar\ICQ Service.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
--
End of file - 6296 bytes
Re: Trojan horse
The second file you told me to check, C:Khr, I could not find anywhere in C:, should I look for it elsewhere? Thank you.
- jaro3
- Security team member
Re: Trojan horse
It is probably hidden:
Tools - Folder Options - show hidden and system files..
Don't put it there again.
Also in CF, same procedure:
Code:
File::
c:\windows\system32\sdvk.exe
C:\khr
post the CF and HJT logs again.
When working with HJT, ComboFix, MbAM, SDFix and similar programs, close all other applications and browsers!
Do not send logs by private message. During my absence memphisto, Žbeky and Orcus stand in for me.
If you are satisfied, you can support our forum: Forum support
Re: Trojan horse
ComboFix 08-12-21.02 - hp 2008-12-24 0:43:10.6 - NTFSx86
Systém Microsoft Windows XP Home Edition 5.1.2600.2.1250.1.1033.18.1023.548 [GMT 1:00]
Running from: c:\documents and settings\hp\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\hp\Desktop\CFScript.txt
* Created a new restore point
* Resident AV is active
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
FILE ::
C:\khr
c:\windows\system32\sdvk.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\khr
c:\windows\system32\sdvk.exe
.
((((((((((((((((((((((((( Files Created from 2008-11-23 to 2008-12-23 )))))))))))))))))))))))))))))))
.
2008-12-23 23:38 . 2008-12-23 23:38 <DIR> d-------- c:\windows\Sun
2008-12-23 23:38 . 2008-12-23 23:38 <DIR> d-------- c:\program files\Java
2008-12-23 23:38 . 2008-12-23 23:38 410,984 --a------ c:\windows\system32\deploytk.dll
2008-12-23 23:38 . 2008-12-23 23:38 73,728 --a------ c:\windows\system32\javacpl.cpl
2008-12-21 18:00 . 2008-12-21 18:00 <DIR> d-------- c:\windows\ERUNT
2008-12-20 22:24 . 2008-12-20 22:24 54,156 --ah----- c:\windows\QTFont.qfn
2008-12-20 22:24 . 2008-12-20 22:24 1,409 --a------ c:\windows\QTFont.for
2008-12-20 22:06 . 2008-12-20 22:06 <DIR> d-------- C:\N 95 aplikacie
2008-12-20 22:03 . 2008-12-20 22:03 <DIR> d-------- c:\documents and settings\hp\Application Data\AdobeAUM
2008-12-20 22:02 . 2008-12-20 22:02 <DIR> d-------- c:\documents and settings\hp\Application Data\AdobeUM
2008-12-20 21:44 . 2008-12-20 21:44 <DIR> d-------- c:\program files\Common Files\Nokia
2008-12-20 21:44 . 2008-12-20 21:44 <DIR> d-------- c:\documents and settings\All Users\Application Data\Nokia
2008-12-20 21:43 . 2008-12-20 21:56 <DIR> d-------- c:\documents and settings\hp\Application Data\Nokia
2008-12-20 21:43 . 2008-12-20 21:43 <DIR> d-------- c:\documents and settings\All Users\Application Data\PC Suite
2008-12-20 21:42 . 2008-12-20 21:42 <DIR> d-------- c:\program files\PC Connectivity Solution
2008-12-20 21:42 . 2008-12-20 21:42 <DIR> d-------- c:\program files\Common Files\PCSuite
2008-12-20 21:42 . 2008-12-20 21:42 <DIR> d-------- c:\documents and settings\hp\Application Data\PC Suite
2008-12-20 21:41 . 2008-12-20 21:44 <DIR> d-------- c:\program files\Nokia
2008-12-20 21:41 . 2007-02-22 10:15 90,624 --a------ c:\windows\system32\nmwcdcls.dll
2008-12-16 23:21 . 2008-12-16 23:27 <DIR> dr------- C:\Walk the line 2005
2008-12-16 23:20 . 2008-12-16 23:22 <DIR> d-------- C:\Ostrov
2008-12-16 23:20 . 2008-12-16 23:21 <DIR> d-------- C:\Má mě rád, nemá mě rád
2008-12-16 23:19 . 2008-12-16 23:19 <DIR> d-------- C:\Genesis
2008-12-16 23:17 . 2008-12-16 23:18 <DIR> d-------- C:\lásky jedné plavovlásky
2008-12-16 23:16 . 2008-12-16 23:18 <DIR> d-------- C:\3-iron
2008-12-16 23:15 . 2008-12-16 23:16 <DIR> d-------- C:\Spring, Summer, Fall, Winter... and Spring
2008-12-16 23:15 . 2008-12-16 23:17 <DIR> dr------- C:\requiem for a dream - Darren Aronofsky 2000
2008-12-16 23:13 . 2008-12-16 23:14 <DIR> d-------- C:\Permanent Vacation
2008-12-16 23:13 . 2008-12-16 23:13 <DIR> d-------- C:\Night On Earth
2008-12-01 18:45 . 2008-12-01 18:45 812,344 --a------ C:\HJTInstall.exe
2008-11-30 00:46 . 2008-12-08 11:32 9,728 --a------ c:\windows\system32\sd4uk.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-23 23:44 --------- d-----w c:\documents and settings\hp\Application Data\DNA
2008-12-23 20:44 --------- d-----w c:\program files\DNA
2008-12-21 16:30 --------- d-----w c:\documents and settings\hp\Application Data\OpenOffice.org2
2008-12-20 20:42 --------- d-----w c:\program files\DIFX
2008-12-15 13:30 --------- d-----w c:\documents and settings\hp\Application Data\U3
2008-12-05 16:17 --------- d-----w c:\documents and settings\hp\Application Data\ICQ
2008-10-27 10:05 --------- d-----w c:\program files\Common Files\Adobe
2008-10-24 11:10 453,632 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-23 13:01 283,648 ----a-w c:\windows\system32\gdi32.dll
2008-10-16 13:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 13:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 13:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 13:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 13:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 13:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 13:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 13:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 10:37 659,456 ----a-w c:\windows\system32\wininet.dll
2008-10-03 10:15 247,326 ----a-w c:\windows\system32\strmdll.dll
2008-09-30 15:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-02-17 17:53 32 ----a-w c:\documents and settings\All Users\Application Data\ezsid.dat
2008-12-19 14:02 67,688 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2008-12-19 14:02 54,368 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2008-12-19 14:02 34,944 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2008-12-19 14:02 46,712 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2008-12-19 14:02 172,136 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
.
((((((((((((((((((((((((((((( snapshot@2008-12-21_22.42.36,06 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-12-23 22:38:08 144,792 ----a-w c:\windows\system32\java.exe
+ 2008-12-23 22:38:08 144,792 ----a-w c:\windows\system32\javaw.exe
+ 2008-12-23 22:38:08 148,888 ----a-w c:\windows\system32\javaws.exe
- 2008-12-21 17:15:44 40,504 ----a-w c:\windows\system32\perfc009.dat
+ 2008-12-23 20:48:32 40,504 ----a-w c:\windows\system32\perfc009.dat
- 2008-12-21 17:15:44 312,308 ----a-w c:\windows\system32\perfh009.dat
+ 2008-12-23 20:48:32 312,308 ----a-w c:\windows\system32\perfh009.dat
+ 2008-12-23 22:38:22 16,384 ----atw c:\windows\temp\Perflib_Perfdata_e3c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2008-11-18 342336]
"ICQ"="c:\program files\ICQ6\ICQ.exe" [2008-09-01 173304]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-11-06 159744]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-07-20 7581696]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-07-20 86016]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-01-12 827392]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2007-12-11 286720]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"nod32kui"="c:\program files\Eset\nod32kui.exe" [2008-04-14 949376]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-01-10 472776]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"NSLauncher"="c:\program files\Nokia\Nokia Software Launcher\NSLauncher.exe" [2007-08-02 3096576]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 57344]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-23 136600]
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" [2006-07-27 c:\windows\system32\CHDAudPropShortcut.exe]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-03-12 113664]
HP Pavilion Webcam Tray Icon.lnk - c:\program files\Hewlett-Packard\HP Pavilion Webcam\HPWebcam.exe [2007-09-13 102400]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]
--a------ 2006-07-27 13:44 61952 c:\windows\system32\CHDAudPropShortcut.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Mouse Suite 98 Daemon]
--a------ 2004-07-14 14:36 57344 c:\windows\system32\ICO.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2006-07-20 19:58 1519616 c:\windows\system32\nwiz.exe
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\ICQ6\\ICQ.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
R0 sonyhcb;Sony Digital Imaging Base;c:\windows\system32\DRIVERS\sonyhcb.sys [2008-10-11 6097]
R1 nod32drv;nod32drv;c:\windows\system32\drivers\nod32drv.sys [2008-04-14 15424]
R2 ICQ Service;ICQ Service;c:\program files\ICQ6Toolbar\ICQ Service.exe [2008-09-16 222456]
R3 PSched;QoS Packet Scheduler;c:\windows\system32\DRIVERS\psched.sys [2004-08-04 69120]
S3 s125bus;Sony Ericsson Device 125 driver (WDM);c:\windows\system32\DRIVERS\s125bus.sys [2007-04-24 83336]
S3 s125obex;Sony Ericsson Device 125 USB WMC OBEX Interface;c:\windows\system32\DRIVERS\s125obex.sys [2007-04-24 98696]
S3 sonyhcs;Sony Digital Imaging Video;c:\windows\system32\DRIVERS\sonyhcs.sys [2008-10-11 299923]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{41b0a657-61f5-11dc-b88a-9966d0c157d8}]
\Shell\AutoRun\command - SWSETUP\APPINSTL\setup.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{494b1572-eaa2-11dc-9c1a-0016366cd665}]
\Shell\AutoRun\command - e:\.\run\autorun.exe
\Shell\open\Command - e:\.\run\autorun.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6b0f856a-9234-11dc-b926-0016366cd665}]
\Shell\AutoRun\command - e:\.\run\autorun.exe
\Shell\open\Command - e:\.\run\autorun.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{85263ece-b2e3-11dc-b999-0016366cd665}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{936e9443-928e-11dc-b927-0016366cd665}]
\Shell\AutoRun\command - e:\.\run\autorun.exe
\Shell\open\Command - e:\.\run\autorun.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9b225f76-09de-11dd-9c76-0016366cd665}]
\Shell\AutoRun\command - e:\.\run\autorun.exe
\Shell\open\Command - e:\.\run\autorun.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d345a886-bc00-11dd-8965-001636cfb45d}]
\Shell\AutoRun\command - E:\b.com
\Shell\explore\Command - E:\b.com
\Shell\open\Command - E:\b.com
*Newly Created Service* - JAVAQUICKSTARTERSERVICE
.
Contents of the 'Scheduled Tasks' folder
2008-11-26 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.zoznam.sk/
uInternet Connection Wizard,ShellNext = iexplore
LSP: c:\windows\system32\imon.dll
FF - ProfilePath - c:\documents and settings\hp\Application Data\Mozilla\Firefox\Profiles\o5geca34.default\
FF - prefs.js: browser.search.selectedEngine - ICQ Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.sk/
FF - prefs.js: keyword.URL - hxxp://search.icq.com/search/afe_result ... id=afex&q=
FF - prefs.js: keyword.enabled - false
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-24 00:45:12
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'lsass.exe'(916)
c:\windows\system32\imon.dll
c:\program files\Eset\pr_imon.dll
.
Completion time: 2008-12-24 0:45:58
ComboFix-quarantined-files.txt 2008-12-23 23:45:44
ComboFix2.txt 2008-12-22 22:47:36
ComboFix3.txt 2008-12-21 21:43:12
ComboFix4.txt 2008-01-16 17:36:21
Pre-Run: 2 357 972 992 bytes free
Post-Run: 2,368,028,672 voľných bajtov
198 --- E O F --- 2008-12-21 14:44:39
- jaro3
- Security team member
Re: Trojan horse
So one more script in CF and that should be everything:
Code:
Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d345a886-bc00-11dd-8965-001636cfb45d}]
Post the CF log here again together with a new HJT log.
Re: Trojan horse
ComboFix 08-12-21.02 - hp 2008-12-24 16:56:47.7 - NTFSx86
Systém Microsoft Windows XP Home Edition 5.1.2600.2.1250.1.1033.18.1023.647 [GMT 1:00]
Running from: c:\documents and settings\hp\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\hp\Desktop\CFScript.txt
* Created a new restore point
* Resident AV is active
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((( Files Created from 2008-11-24 to 2008-12-24 )))))))))))))))))))))))))))))))
.
2008-12-23 23:38 . 2008-12-23 23:38 <DIR> d-------- c:\windows\Sun
2008-12-23 23:38 . 2008-12-23 23:38 <DIR> d-------- c:\program files\Java
2008-12-23 23:38 . 2008-12-23 23:38 410,984 --a------ c:\windows\system32\deploytk.dll
2008-12-23 23:38 . 2008-12-23 23:38 73,728 --a------ c:\windows\system32\javacpl.cpl
2008-12-21 18:00 . 2008-12-21 18:00 <DIR> d-------- c:\windows\ERUNT
2008-12-20 22:24 . 2008-12-20 22:24 54,156 --ah----- c:\windows\QTFont.qfn
2008-12-20 22:24 . 2008-12-20 22:24 1,409 --a------ c:\windows\QTFont.for
2008-12-20 22:06 . 2008-12-20 22:06 <DIR> d-------- C:\N 95 aplikacie
2008-12-20 22:03 . 2008-12-20 22:03 <DIR> d-------- c:\documents and settings\hp\Application Data\AdobeAUM
2008-12-20 22:02 . 2008-12-20 22:02 <DIR> d-------- c:\documents and settings\hp\Application Data\AdobeUM
2008-12-20 21:44 . 2008-12-20 21:44 <DIR> d-------- c:\program files\Common Files\Nokia
2008-12-20 21:44 . 2008-12-20 21:44 <DIR> d-------- c:\documents and settings\All Users\Application Data\Nokia
2008-12-20 21:43 . 2008-12-20 21:56 <DIR> d-------- c:\documents and settings\hp\Application Data\Nokia
2008-12-20 21:43 . 2008-12-20 21:43 <DIR> d-------- c:\documents and settings\All Users\Application Data\PC Suite
2008-12-20 21:42 . 2008-12-20 21:42 <DIR> d-------- c:\program files\PC Connectivity Solution
2008-12-20 21:42 . 2008-12-20 21:42 <DIR> d-------- c:\program files\Common Files\PCSuite
2008-12-20 21:42 . 2008-12-20 21:42 <DIR> d-------- c:\documents and settings\hp\Application Data\PC Suite
2008-12-20 21:41 . 2008-12-20 21:44 <DIR> d-------- c:\program files\Nokia
2008-12-20 21:41 . 2007-02-22 10:15 90,624 --a------ c:\windows\system32\nmwcdcls.dll
2008-12-16 23:21 . 2008-12-16 23:27 <DIR> dr------- C:\Walk the line 2005
2008-12-16 23:20 . 2008-12-16 23:22 <DIR> d-------- C:\Ostrov
2008-12-16 23:20 . 2008-12-16 23:21 <DIR> d-------- C:\Má mě rád, nemá mě rád
2008-12-16 23:19 . 2008-12-16 23:19 <DIR> d-------- C:\Genesis
2008-12-16 23:17 . 2008-12-16 23:18 <DIR> d-------- C:\lásky jedné plavovlásky
2008-12-16 23:16 . 2008-12-16 23:18 <DIR> d-------- C:\3-iron
2008-12-16 23:15 . 2008-12-16 23:16 <DIR> d-------- C:\Spring, Summer, Fall, Winter... and Spring
2008-12-16 23:15 . 2008-12-16 23:17 <DIR> dr------- C:\requiem for a dream - Darren Aronofsky 2000
2008-12-16 23:13 . 2008-12-16 23:14 <DIR> d-------- C:\Permanent Vacation
2008-12-16 23:13 . 2008-12-16 23:13 <DIR> d-------- C:\Night On Earth
2008-12-01 18:45 . 2008-12-01 18:45 812,344 --a------ C:\HJTInstall.exe
2008-11-30 00:46 . 2008-12-08 11:32 9,728 --a------ c:\windows\system32\sd4uk.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-24 15:51 --------- d-----w c:\program files\DNA
2008-12-24 15:51 --------- d-----w c:\documents and settings\hp\Application Data\DNA
2008-12-21 16:30 --------- d-----w c:\documents and settings\hp\Application Data\OpenOffice.org2
2008-12-20 20:42 --------- d-----w c:\program files\DIFX
2008-12-15 13:30 --------- d-----w c:\documents and settings\hp\Application Data\U3
2008-12-05 16:17 --------- d-----w c:\documents and settings\hp\Application Data\ICQ
2008-10-27 10:05 --------- d-----w c:\program files\Common Files\Adobe
2008-10-24 11:10 453,632 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-23 13:01 283,648 ----a-w c:\windows\system32\gdi32.dll
2008-10-16 13:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 13:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 13:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 13:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 13:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 13:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 13:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 13:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 10:37 659,456 ----a-w c:\windows\system32\wininet.dll
2008-10-03 10:15 247,326 ----a-w c:\windows\system32\strmdll.dll
2008-09-30 15:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-02-17 17:53 32 ----a-w c:\documents and settings\All Users\Application Data\ezsid.dat
2008-12-19 14:02 67,688 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2008-12-19 14:02 54,368 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2008-12-19 14:02 34,944 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2008-12-19 14:02 46,712 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2008-12-19 14:02 172,136 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
.
((((((((((((((((((((((((((((( snapshot@2008-12-21_22.42.36,06 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-12-23 22:38:08 144,792 ----a-w c:\windows\system32\java.exe
+ 2008-12-23 22:38:08 144,792 ----a-w c:\windows\system32\javaw.exe
+ 2008-12-23 22:38:08 148,888 ----a-w c:\windows\system32\javaws.exe
- 2008-12-21 17:15:44 40,504 ----a-w c:\windows\system32\perfc009.dat
+ 2008-12-24 15:55:41 40,504 ----a-w c:\windows\system32\perfc009.dat
- 2008-12-21 17:15:44 312,308 ----a-w c:\windows\system32\perfh009.dat
+ 2008-12-24 15:55:41 312,308 ----a-w c:\windows\system32\perfh009.dat
+ 2008-12-24 15:51:31 16,384 ----atw c:\windows\temp\Perflib_Perfdata_d0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2008-11-18 342336]
"ICQ"="c:\program files\ICQ6\ICQ.exe" [2008-09-01 173304]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-11-06 159744]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-07-20 7581696]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-07-20 86016]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-01-12 827392]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2007-12-11 286720]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"nod32kui"="c:\program files\Eset\nod32kui.exe" [2008-04-14 949376]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-01-10 472776]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"NSLauncher"="c:\program files\Nokia\Nokia Software Launcher\NSLauncher.exe" [2007-08-02 3096576]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 57344]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-23 136600]
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" [2006-07-27 c:\windows\system32\CHDAudPropShortcut.exe]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-03-12 113664]
HP Pavilion Webcam Tray Icon.lnk - c:\program files\Hewlett-Packard\HP Pavilion Webcam\HPWebcam.exe [2007-09-13 102400]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]
--a------ 2006-07-27 13:44 61952 c:\windows\system32\CHDAudPropShortcut.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Mouse Suite 98 Daemon]
--a------ 2004-07-14 14:36 57344 c:\windows\system32\ICO.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2006-07-20 19:58 1519616 c:\windows\system32\nwiz.exe
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\ICQ6\\ICQ.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
R0 sonyhcb;Sony Digital Imaging Base;c:\windows\system32\DRIVERS\sonyhcb.sys [2008-10-11 6097]
R1 nod32drv;nod32drv;c:\windows\system32\drivers\nod32drv.sys [2008-04-14 15424]
R2 ICQ Service;ICQ Service;c:\program files\ICQ6Toolbar\ICQ Service.exe [2008-09-16 222456]
R3 PSched;QoS Packet Scheduler;c:\windows\system32\DRIVERS\psched.sys [2004-08-04 69120]
S3 s125bus;Sony Ericsson Device 125 driver (WDM);c:\windows\system32\DRIVERS\s125bus.sys [2007-04-24 83336]
S3 s125obex;Sony Ericsson Device 125 USB WMC OBEX Interface;c:\windows\system32\DRIVERS\s125obex.sys [2007-04-24 98696]
S3 sonyhcs;Sony Digital Imaging Video;c:\windows\system32\DRIVERS\sonyhcs.sys [2008-10-11 299923]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{41b0a657-61f5-11dc-b88a-9966d0c157d8}]
\Shell\AutoRun\command - SWSETUP\APPINSTL\setup.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{494b1572-eaa2-11dc-9c1a-0016366cd665}]
\Shell\AutoRun\command - e:\.\run\autorun.exe
\Shell\open\Command - e:\.\run\autorun.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6b0f856a-9234-11dc-b926-0016366cd665}]
\Shell\AutoRun\command - e:\.\run\autorun.exe
\Shell\open\Command - e:\.\run\autorun.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{85263ece-b2e3-11dc-b999-0016366cd665}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{936e9443-928e-11dc-b927-0016366cd665}]
\Shell\AutoRun\command - e:\.\run\autorun.exe
\Shell\open\Command - e:\.\run\autorun.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9b225f76-09de-11dd-9c76-0016366cd665}]
\Shell\AutoRun\command - e:\.\run\autorun.exe
\Shell\open\Command - e:\.\run\autorun.exe
.
Contents of the 'Scheduled Tasks' folder
2008-11-26 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.zoznam.sk/
uInternet Connection Wizard,ShellNext = iexplore
LSP: c:\windows\system32\imon.dll
FF - ProfilePath - c:\documents and settings\hp\Application Data\Mozilla\Firefox\Profiles\o5geca34.default\
FF - prefs.js: browser.search.selectedEngine - ICQ Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.sk/
FF - prefs.js: keyword.URL - hxxp://search.icq.com/search/afe_result ... id=afex&q=
FF - prefs.js: keyword.enabled - false
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-24 16:58:53
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'lsass.exe'(916)
c:\windows\system32\imon.dll
c:\program files\Eset\pr_imon.dll
.
Completion time: 2008-12-24 16:59:41
ComboFix-quarantined-files.txt 2008-12-24 15:59:26
ComboFix2.txt 2008-12-23 23:45:59
ComboFix3.txt 2008-12-22 22:47:36
ComboFix4.txt 2008-12-21 21:43:12
ComboFix5.txt 2008-12-24 15:56:15
Pre-Run: 2 350 723 072 bytes free
Post-Run: 2,337,406,976 bytes free
186 --- E O F --- 2008-12-21 14:44:39
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:02:18, on 24.12.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ICQ6Toolbar\ICQ Service.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\Hewlett-Packard\HP Pavilion Webcam\HPWebcam.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\PROGRA~1\HEWLET~1\Shared\HPQTOA~1.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.zoznam.sk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: ICQToolBar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQ6Toolbar\ICQToolBar.dll
R3 - URLSearchHook: (no name) - - (no file)
O2 - BHO: XTTBPos00 - {055FD26D-3A88-4e15-963D-DC8493744B1D} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: ICQToolBar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQ6Toolbar\ICQToolBar.dll
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NSLauncher] C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe /startup
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [ICQ] "C:\Program Files\ICQ6\ICQ.exe" silent
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Pavilion Webcam Tray Icon.lnk = C:\Program Files\Hewlett-Packard\HP Pavilion Webcam\HPWebcam.exe
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe (file missing)
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe (file missing)
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: ICQ Service - Unknown owner - C:\Program Files\ICQ6Toolbar\ICQ Service.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
--
End of file - 6980 bytes
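An added triage script for logs of the kind posted above; it is not part of the original post and not code from ComboFix or HijackThis. It reads pasted log lines and flags what a helper in a thread like this checks first: the removable-media AutoRun/open commands ComboFix lists under mountpoints2, O23 services with "Unknown owner" or "(file missing)", O4 Run entries that name an executable without a directory (so the image is found through the search path instead of a fixed location), and small .exe files under system32 in the file listings. The sample lines are copied from the logs in this thread; the 20,000-byte size threshold is an assumption chosen for illustration, not a tool default. A hit is a lead to verify (hash, signer, timestamps), not a verdict.

```python
"""Triage helper for HijackThis / ComboFix log lines.

Added example for this thread; not part of the original post and not
code from either tool. Every hit is a lead to verify, not a verdict.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Finding:
    rule: str
    line: str

# HJT: O23 - Service: <name> - <vendor> - <path> [(file missing)]
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<vendor>.+?) - (?P<path>.+)$")
# HJT: O4 - <hive>\..\Run: [<name>] <command>
O4_RE = re.compile(r"^O4 - .*?\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
# ComboFix: a mountpoints2 key, followed by its \Shell\...\command lines
MP2_KEY_RE = re.compile(r"^\[HKEY_CURRENT_USER\\.*\\mountpoints2\\(?P<guid>\{[^}]+\})\]$", re.I)
MP2_CMD_RE = re.compile(r"^\\Shell\\(?:AutoRun|open)\\command - (?P<cmd>.+)$", re.I)
# ComboFix file listing: <date> <time> [. <date> <time>] <size> <attrs> <path>
FILE_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}(?: \. \d{4}-\d{2}-\d{2} \d{2}:\d{2})? "
    r"(?P<size>[\d,]+) (?P<attrs>[-a-zA-Z]+) (?P<path>[a-zA-Z]:\\.+)$"
)

SMALL_EXE_BYTES = 20_000  # assumption: illustrative triage threshold, not a tool default

def triage(lines: List[str]) -> List[Finding]:
    """Return one Finding per heuristic hit, in log order."""
    findings: List[Finding] = []
    in_mountpoint: Optional[str] = None  # GUID of the mountpoints2 key being read
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        m = MP2_KEY_RE.match(line)
        if m:
            in_mountpoint = m.group("guid")
            continue
        m = MP2_CMD_RE.match(line)
        if m and in_mountpoint:
            findings.append(Finding("removable-media autorun command", line))
            continue
        in_mountpoint = None  # any other line ends the mountpoints2 block
        m = O23_RE.match(line)
        if m:
            if m.group("vendor").strip().lower() == "unknown owner":
                findings.append(Finding("service without vendor string", line))
            if "(file missing)" in m.group("path"):
                findings.append(Finding("service pointing at missing file", line))
            continue
        m = O4_RE.match(line)
        if m:
            cmd = m.group("cmd").strip()
            # the image is the quoted prefix, or the first token when unquoted
            image = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split(" ", 1)[0]
            if "\\" not in image and "%" not in image:
                findings.append(Finding("Run entry without full path", line))
            continue
        m = FILE_RE.match(line)
        if m:
            size = int(m.group("size").replace(",", ""))
            path = m.group("path").lower()
            if path.endswith(".exe") and "\\system32\\" in path and size < SMALL_EXE_BYTES:
                findings.append(Finding("small executable in system32", line))
    return findings

# Sample input: lines copied from the ComboFix and HijackThis logs in this thread.
SAMPLE_LINES = [
    r"[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{494b1572-eaa2-11dc-9c1a-0016366cd665}]",
    r"\Shell\AutoRun\command - e:\.\run\autorun.exe",
    r"\Shell\open\Command - e:\.\run\autorun.exe",
    r"[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{85263ece-b2e3-11dc-b999-0016366cd665}]",
    r"\Shell\AutoRun\command - E:\LaunchU3.exe -a",
    ".",
    r'O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE',
    r"O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe",
    r"O23 - Service: ICQ Service - Unknown owner - C:\Program Files\ICQ6Toolbar\ICQ Service.exe",
    r"O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)",
    r"O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe",
    r"2008-10-16 13:09 51,224 ----a-w c:\windows\system32\wuauclt.exe",
    r"2008-11-30 00:46 . 2008-12-08 11:32 9,728 --a------ c:\windows\system32\sd4uk.exe",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f"[{f.rule}] {f.line}")
```

Run it as-is to see the hits on the sample, or feed it the full log with `triage(open("ComboFix.txt", encoding="utf-8", errors="replace").read().splitlines())`. The mountpoints2 rule deliberately fires on every AutoRun command, legitimate U3 launchers included, because on a machine that has been plugging in USB sticks the autorun path is what needs to be ruled out first, not assumed clean.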
System: Microsoft Windows XP Home Edition 5.1.2600.2.1250.1.1033.18.1023.647 [GMT 1:00]
Running from: c:\documents and settings\hp\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\hp\Desktop\CFScript.txt
* Created a new restore point
* Resident AV is active
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((( Files Created from 2008-11-24 to 2008-12-24 )))))))))))))))))))))))))))))))
.
2008-12-23 23:38 . 2008-12-23 23:38 <DIR> d-------- c:\windows\Sun
2008-12-23 23:38 . 2008-12-23 23:38 <DIR> d-------- c:\program files\Java
2008-12-23 23:38 . 2008-12-23 23:38 410,984 --a------ c:\windows\system32\deploytk.dll
2008-12-23 23:38 . 2008-12-23 23:38 73,728 --a------ c:\windows\system32\javacpl.cpl
2008-12-21 18:00 . 2008-12-21 18:00 <DIR> d-------- c:\windows\ERUNT
2008-12-20 22:24 . 2008-12-20 22:24 54,156 --ah----- c:\windows\QTFont.qfn
2008-12-20 22:24 . 2008-12-20 22:24 1,409 --a------ c:\windows\QTFont.for
2008-12-20 22:06 . 2008-12-20 22:06 <DIR> d-------- C:\N 95 aplikacie
2008-12-20 22:03 . 2008-12-20 22:03 <DIR> d-------- c:\documents and settings\hp\Application Data\AdobeAUM
2008-12-20 22:02 . 2008-12-20 22:02 <DIR> d-------- c:\documents and settings\hp\Application Data\AdobeUM
2008-12-20 21:44 . 2008-12-20 21:44 <DIR> d-------- c:\program files\Common Files\Nokia
2008-12-20 21:44 . 2008-12-20 21:44 <DIR> d-------- c:\documents and settings\All Users\Application Data\Nokia
2008-12-20 21:43 . 2008-12-20 21:56 <DIR> d-------- c:\documents and settings\hp\Application Data\Nokia
2008-12-20 21:43 . 2008-12-20 21:43 <DIR> d-------- c:\documents and settings\All Users\Application Data\PC Suite
2008-12-20 21:42 . 2008-12-20 21:42 <DIR> d-------- c:\program files\PC Connectivity Solution
2008-12-20 21:42 . 2008-12-20 21:42 <DIR> d-------- c:\program files\Common Files\PCSuite
2008-12-20 21:42 . 2008-12-20 21:42 <DIR> d-------- c:\documents and settings\hp\Application Data\PC Suite
2008-12-20 21:41 . 2008-12-20 21:44 <DIR> d-------- c:\program files\Nokia
2008-12-20 21:41 . 2007-02-22 10:15 90,624 --a------ c:\windows\system32\nmwcdcls.dll
2008-12-16 23:21 . 2008-12-16 23:27 <DIR> dr------- C:\Walk the line 2005
2008-12-16 23:20 . 2008-12-16 23:22 <DIR> d-------- C:\Ostrov
2008-12-16 23:20 . 2008-12-16 23:21 <DIR> d-------- C:\Má mě rád, nemá mě rád
2008-12-16 23:19 . 2008-12-16 23:19 <DIR> d-------- C:\Genesis
2008-12-16 23:17 . 2008-12-16 23:18 <DIR> d-------- C:\lásky jedné plavovlásky
2008-12-16 23:16 . 2008-12-16 23:18 <DIR> d-------- C:\3-iron
2008-12-16 23:15 . 2008-12-16 23:16 <DIR> d-------- C:\Spring, Summer, Fall, Winter... and Spring
2008-12-16 23:15 . 2008-12-16 23:17 <DIR> dr------- C:\requiem for a dream - Darren Aronofsky 2000
2008-12-16 23:13 . 2008-12-16 23:14 <DIR> d-------- C:\Permanent Vacation
2008-12-16 23:13 . 2008-12-16 23:13 <DIR> d-------- C:\Night On Earth
2008-12-01 18:45 . 2008-12-01 18:45 812,344 --a------ C:\HJTInstall.exe
2008-11-30 00:46 . 2008-12-08 11:32 9,728 --a------ c:\windows\system32\sd4uk.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-24 15:51 --------- d-----w c:\program files\DNA
2008-12-24 15:51 --------- d-----w c:\documents and settings\hp\Application Data\DNA
2008-12-21 16:30 --------- d-----w c:\documents and settings\hp\Application Data\OpenOffice.org2
2008-12-20 20:42 --------- d-----w c:\program files\DIFX
2008-12-15 13:30 --------- d-----w c:\documents and settings\hp\Application Data\U3