Hláška avast(podezřelá zpráva)

[MarekRaušer]

C:\DOCUME~1\MAREK-~1\LOCALS~1\Temp\virus.avi
C:\WINDOWS\system32\config\Antiviru.evt
C:\WINDOWS\system32\pmkjk.dll.ren//PE_Patch.PECompact tagged as "not-a-virus:AdWare.Win32.Virtumonde.fp". Action Taken: No Action Taken.
C:\WINDOWS\system32\virtear.dll
D:\System Volume Information\_restore{F0C79C01-7CDC-43A7-9D77-020558DE46A7}\RP173\A0039124.exe infected by "Exe.Corrupted" Virus! Action Taken: No Action Taken.
D:\System Volume Information\_restore{F0C79C01-7CDC-43A7-9D77-020558DE46A7}\RP173\A0039135.exe infected by "Exe.Corrupted" Virus! Action Taken: No Action Taken.
D:\System Volume Information\_restore{F0C79C01-7CDC-43A7-9D77-020558DE46A7}\RP173\A0039145.exe infected by "Exe.Corrupted" Virus! Action Taken: No Action Taken.
D:\System Volume Information\_restore{F0C79C01-7CDC-43A7-9D77-020558DE46A7}\RP173\A0039155.exe infected by "Exe.Corrupted" Virus! Action Taken: No Action Taken.
D:\System Volume Information\_restore{F0E7275D-DA30-447A-881F-6F4C338DD477}\RP33\A0017585.exe//PE_Patch.UPX//UPX//stream//data0006 infected by "Trojan-Downloader.Win32.Zlob.axo" Virus! Action Taken: No Action Taken)



Fri Jul 06 11:39:31 2007 => ***** Scanning complete. *****

Fri Jul 06 11:39:31 2007 => Total Objects Scanned: 108317
Fri Jul 06 11:39:31 2007 => Total Critical Objects: 8
Fri Jul 06 11:39:31 2007 => Total Disinfected Objects: 0
Fri Jul 06 11:39:31 2007 => Total Objects Renamed: 0
Fri Jul 06 11:39:31 2007 => Total Deleted Objects: 0
Fri Jul 06 11:39:31 2007 => Total Errors: 11
Fri Jul 06 11:39:31 2007 => Time Elapsed: 01:01:09
Fri Jul 06 11:39:31 2007 => Virus Database Date: 7/6/2007
Fri Jul 06 11:39:31 2007 => Virus Database Count: 358866

Fri Jul 06 11:39:31 2007 => Scan Completed.

Tak tady už to něco našlo.

Tady tabulka z MWAV.

Object "Possible Fujacks-type Worm" found in File System! Action Taken: No Action Taken.
File C:\WINDOWS\system32\pmkjk.dll.ren//PE_Patch.PECompact tagged as "not-a-virus:AdWare.Win32.Virtumonde.fp". Action Taken: No Action Taken.
File C:\WINDOWS\system32\pmkjk.dll.ren//PE_Patch.PECompact tagged as "not-a-virus:AdWare.Win32.Virtumonde.fp". Action Taken: No Action Taken.
File D:\System Volume Information\_restore{F0C79C01-7CDC-43A7-9D77-020558DE46A7}\RP173\A0039124.exe infected by "Exe.Corrupted" Virus! Action Taken: No Action Taken.
File D:\System Volume Information\_restore{F0C79C01-7CDC-43A7-9D77-020558DE46A7}\RP173\A0039135.exe infected by "Exe.Corrupted" Virus! Action Taken: No Action Taken.
File D:\System Volume Information\_restore{F0C79C01-7CDC-43A7-9D77-020558DE46A7}\RP173\A0039145.exe infected by "Exe.Corrupted" Virus! Action Taken: No Action Taken.
File D:\System Volume Information\_restore{F0C79C01-7CDC-43A7-9D77-020558DE46A7}\RP173\A0039155.exe infected by "Exe.Corrupted" Virus! Action Taken: No Action Taken.
File D:\System Volume Information\_restore{F0E7275D-DA30-447A-881F-6F4C338DD477}\RP33\A0017585.exe//PE_Patch.UPX//UPX//stream//data0006 infected by "Trojan-Downloader.Win32.Zlob.axo" Virus! Action Taken: No Action Taken.

[Reklama]

[Baron Prášil]

vypni obnovu systému

použij avenger http://www.viry.cz/forum/viewtopic.php?t=19832

a tento skript

Files to delete:
C:\WINDOWS\system32\pmkjk.dll.ren

po restartu použij vundofix http://www.viry.cz/forum/viewtopic.php?t=16634
a pošli z něho log a log z Avengeru

[Ladasan]

mam problem se stejnou vyse uvedenou hlaskou. snazil jsem se postupovat podle navodu a v ramci moznosti. ted se nakaza nijak neprojevuje. muzete se mi prosim mrknout na vysledky a popripade poradit jak dal? dekuji P.G.

Logfile of HijackThis v1.99.1
Scan saved at 2:51:03, on 2.8.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\NVATray.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\ClocX\ClocX.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
L:\Office12\GrooveMonitor.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Photo Toolkit\ivbar\phototoolkitmem.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Vlastník\Dokumenty\A Dokumenty\Antiviry\prográmky\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://google.icq.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.seznam.cz
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
R3 - URLSearchHook: (no name) - {855F3B16-6D32-4fe6-8A56-BBB695989046} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - L:\Office12\GRA8E1~1.DLL
O3 - Toolbar: (no name) - {855F3B16-6D32-4fe6-8A56-BBB695989046} - (no file)
O3 - Toolbar: &Seznam Lištička - {B71B15CE-3093-459C-B764-AEB2486F2273} - C:\Program Files\Seznam\Listicka\Toolbar.dll
O4 - HKLM\..\Run: [NVIDIA nForce APU1 Utilities] NVATray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [ClocX] C:\Program Files\ClocX\ClocX.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [GrooveMonitor] "L:\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [I&F Viewer toolbar] "C:\Program Files\Photo Toolkit\ivbar\phototoolkitmem.exe" -start
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Program Files\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: &Přelož do češtiny - res://C:\Program Files\Seznam\Listicka\Toolbar.dll/5034
O8 - Extra context menu item: E&xportovat do aplikace Microsoft Excel - res://L:\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: E&xportovat do aplikace Microsoft Office Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Hledej v &Seznamu - res://C:\Program Files\Seznam\Listicka\Toolbar.dll/5033
O8 - Extra context menu item: Hledej v Seznam &Fulltextu - res://C:\Program Files\Seznam\Listicka\Toolbar.dll/5035
O9 - Extra button: Odeslat do aplikace OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - L:\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: Od&eslat do aplikace OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - L:\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - L:\Office12\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0A6112F2-F9D1-4FBF-A6EC-B67B22915873} (FotoStarUploader Control) - http://foto.droxi.cz/snadno-vlozit-foto ... loader.dll
O16 - DPF: {3190CE28-0B6E-4133-A7D3-87D29CB92120} (ToolbarInetInstall Control) - http://software.seznam.cz/listicka/toolbar.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 1320777576
O16 - DPF: {86A88967-7A20-11D2-8EDA-00600818EDB1} (ParallelGraphics Cortona Control) - http://www.parallelgraphics.com/bin/cortvrml.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - L:\Office12\GR99D3~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: ICF - Unknown owner - C:\WINDOWS\system32\svchost.exe:exe.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe

------------------------------------------------------------------------

MWAV test 01.08.2007 23.00
Soubor C:\WINDOWS\DOWNLO~1\POPCAP~1.DLL indentifikován jako "not-a-virus:Downloader.Win32.PopCap.b". Provedené akce: Nic nebylo provedeno.
Soubor C:\WINDOWS\system32\svchost.exe:exe.exe//PE_Patch.UPX//UPX je infikovaný virem Trojan.Win32.Obfuscated.gp !! Provedené akce: Nic nebylo provedeno.
Objekt "grokster Spyware/Adware" nalezen v souborovém systému! Provedené akce: Nic nebylo provedeno.
Objekt "grokster Spyware/Adware" nalezen v souborovém systému! Provedené akce: Nic nebylo provedeno.
Objekt "downloader-ak Trojan-Downloader" nalezen v souborovém systému! Provedené akce: Nic nebylo provedeno.
Objekt "smitfraud Browser Hijacker" nalezen v souborovém systému! Provedené akce: Nic nebylo provedeno.
Objekt "dope wars Spyware/Adware" nalezen v souborovém systému! Provedené akce: Nic nebylo provedeno.
Objekt "ace club casino Spyware/Adware" nalezen v souborovém systému! Provedené akce: Nic nebylo provedeno.
Objekt "zlob Trojan-Downloader" nalezen v souborovém systému! Provedené akce: Nic nebylo provedeno.
Objekt "zlob Trojan-Downloader" nalezen v souborovém systému! Provedené akce: Nic nebylo provedeno.
Objekt "dope wars Spyware/Adware" nalezen v souborovém systému! Provedené akce: Nic nebylo provedeno.
Objekt "ace club casino Spyware/Adware" nalezen v souborovém systému! Provedené akce: Nic nebylo provedeno.
Objekt "zlob Trojan-Downloader" nalezen v souborovém systému! Provedené akce: Nic nebylo provedeno.
Objekt "spypal Spyware/Adware" nalezen v souborovém systému! Provedené akce: Nic nebylo provedeno.
Objekt "savenow Adware" nalezen v souborovém systému! Provedené akce: Nic nebylo provedeno.
Objekt "mybugfreepc Corrupted Adware/Spyware" nalezen v souborovém systému! Provedené akce: Nic nebylo provedeno.
Objekt "Possible Fujacks-type Worm" nalezen v souborovém systému! Provedené akce: Nic nebylo provedeno.
Záznam "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" odkazuje na neplatný objekt "HijackThis". Provedené akce: Nic nebylo provedeno.
Soubor C:\WINDOWS\system32\msdrv1.exe je infikovaný virem Trojan-PSW.Win32.LdPinch.bno !! Provedené akce: Nic nebylo provedeno.
Soubor C:\Documents and Settings\Vlastník\Dokumenty\Crhová L\Dokumenty Luca\Dokumenty\desktop.ini je infikovaný virem VB.CO.Leftover !! Provedené akce: Nic nebylo provedeno.
Soubor C:\WINDOWS\Downloaded Program Files\popcaploader.dll indentifikován jako "not-a-virus:Downloader.Win32.PopCap.b". Provedené akce: Nic nebylo provedeno.
Soubor C:\WINDOWS\system32\msdrv1.exe je infikovaný virem Trojan-PSW.Win32.LdPinch.bno !! Provedené akce: Nic nebylo provedeno.

[fredik]

To Ladasan: Příště si založ prosím tě vlastní téma. Dík.

Spusť znovu HijackThis a zaškrtni v něm okénka před řádky:
R3 - URLSearchHook: (no name) - {855F3B16-6D32-4fe6-8A56-BBB695989046} - (no file)
O3 - Toolbar: (no name) - {855F3B16-6D32-4fe6-8A56-BBB695989046} - (no file)
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab
po zaškrtnutí klikni na tlačítko Fix Checked

Stáhni si ComboFix (by sUBs) a ulož si ho na plochu.
Ukonči všechna aktivní okna a spusť ho.
- Po spuštění se zobrazí podmínky užití, potvrď je stiskem klávesy 1
- Dále postupuj dle pokynů, během aplikování ComboFixu neklikej do zobrazujícího se okna
- Po dokončení skenování by měl program vytvořit log - C:\ComboFix.txt - zkopíruj sem prosím celý jeho obsah

+ dej sem nový log z HJT

[Ladasan]

ComboFix 07-08-02.3 - "Vlastnˇk" 2007-08-02 20:14:09.1 [GMT 2:00] - NTFS
Microsoft Windows XP Home Edition 5.1.2600.2.1250.1.1029.18.True
* Created a new restore point

[i] ADS removed - svchost.exe: deleted 58880 bytes in 1 streams. [/i]
/wow section - STAGE #7C

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\regedit.com
C:\WINDOWS\system32\taskmgr.com


((((((((((((((((((((((((( Files Created from 2007-07-02 to 2007-08-02 )))))))))))))))))))))))))))))))


2007-08-02 20:13 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-01 23:03 <DIR> d-a------ C:\WINDOWS\zts2.exe
2007-08-01 23:03 <DIR> d-a------ C:\WINDOWS\system32\vcmgcd32.dll
2007-08-01 23:03 <DIR> d-a------ C:\WINDOWS\system32\iifgfgf.dll
2007-08-01 23:03 <DIR> d-a------ C:\WINDOWS\rundll16.exe
2007-08-01 23:03 <DIR> d-a------ C:\WINDOWS\rundl132.dll
2007-08-01 23:03 <DIR> d-a------ C:\WINDOWS\logo1_.exe
2007-08-01 21:18 <DIR> d-------- C:\WINDOWS\system32\cs-cz
2007-08-01 21:13 33,792 --a--c--- C:\WINDOWS\system32\dllcache\custsat.dll
2007-08-01 21:13 <DIR> d-------- C:\WINDOWS\network diagnostic
2007-08-01 20:14 138,624 --a------ C:\WINDOWS\system32\drivers\sp_rsdrv2.sys
2007-08-01 19:44 512,096 --a------ C:\WINDOWS\system32\drivers\amon.sys
2007-08-01 19:44 298,104 --a------ C:\WINDOWS\system32\imon.dll
2007-08-01 19:44 15,424 --a------ C:\WINDOWS\system32\drivers\nod32drv.sys
2007-08-01 19:43 147,968 --a------ C:\WINDOWS\R.COM
2007-08-01 19:43 137,216 --a------ C:\WINDOWS\system32\T.COM
2007-08-01 19:42 <DIR> d-------- C:\Program Files\CCleaner
2007-08-01 19:41 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\DATAAP~1\Spybot - Search & Destroy
2007-08-01 19:38 <DIR> d-------- C:\Program Files\Crawler
2007-08-01 19:38 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\DATAAP~1\Spyware Terminator
2007-08-01 19:37 <DIR> d-------- C:\Program Files\Spyware Terminator
2007-07-31 20:10 58,456 --a------ C:\WINDOWS\system32\msdrv1.exe
2007-07-30 12:06 <DIR> d-------- C:\DOCUME~1\VLASTN~1\DATAAP~1\VSO_HWE
2007-07-30 09:35 47,360 --a------ C:\WINDOWS\system32\drivers\Pcouffin.sys
2007-07-30 09:35 <DIR> d-------- C:\Program Files\vso
2007-07-30 09:35 <DIR> d-------- C:\DOCUME~1\VLASTN~1\DATAAP~1\Vso
2007-07-27 10:40 <DIR> d-------- C:\Torrent
2007-07-27 10:31 <DIR> d-------- C:\Program Files\uTorrent
2007-07-27 10:31 <DIR> d-------- C:\DOCUME~1\VLASTN~1\DATAAP~1\uTorrent
2007-07-20 19:51 7,552 --a--c--- C:\WINDOWS\system32\dllcache\sonypvu1.sys
2007-07-20 19:51 7,552 --a------ C:\WINDOWS\system32\drivers\SONYPVU1.SYS


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-02 20:00 --------- d-------- C:\DOCUME~1\VLASTN~1\DATAAP~1\Skype
2007-08-01 13:05 10 --a------ C:\WINDOWS\popcinfo.dat
2007-07-31 20:10 14336 --a--c--- C:\WINDOWS\system32\dllcache\svchost.exe
2007-07-31 20:10 14336 --a------ C:\WINDOWS\system32\svchost.exe
2007-07-31 07:27 --------- d-------- C:\DOCUME~1\VLASTN~1\DATAAP~1\FreeCall
2007-07-28 00:07 783224 --a------ C:\WINDOWS\system32\aswBoot.exe
2007-07-28 00:02 94416 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-07-28 00:02 92848 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2007-07-28 00:00 23152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2007-07-27 23:59 42912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2007-07-27 23:58 26624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2007-07-27 23:57 95608 --a------ C:\WINDOWS\system32\AVASTSS.scr
2007-07-18 14:16 5 --a------ C:\WINDOWS\ddindfefsners.dll
2007-07-14 22:18 --------- d-------- C:\Program Files\Irfan
2007-07-14 22:06 --------- d-------- C:\Program Files\Windows Media Connect 2
2007-07-09 09:11 --------- d-------- C:\DOCUME~1\VLASTN~1\DATAAP~1\bibble
2007-07-09 09:06 --------- d-------- C:\Program Files\AV Vcs 4.0 DIAMOND
2007-07-06 07:57 0 --a------ C:\WINDOWS\system32\dummy.dat
2007-06-25 16:05 --------- d-------- C:\Program Files\FreeCall.com
2007-06-24 19:38 --------- d-------- C:\DOCUME~1\VLASTN~1\DATAAP~1\VoipBuster
2007-06-22 18:40 --------- d-------- C:\Program Files\VoipBuster.com
2007-06-22 09:39 47206 --a------ C:\WINDOWS\system32\perfc005.dat
2007-06-22 09:39 312970 --a------ C:\WINDOWS\system32\perfh005.dat
2007-05-16 17:18 86528 -----c--- C:\WINDOWS\system32\dllcache\directdb.dll
2007-05-16 17:18 85504 -----c--- C:\WINDOWS\system32\dllcache\wabimp.dll
2007-05-16 17:18 683520 --a------ C:\WINDOWS\system32\inetcomm.dll
2007-05-16 17:18 683520 -----c--- C:\WINDOWS\system32\dllcache\inetcomm.dll
2007-05-16 17:18 510976 -----c--- C:\WINDOWS\system32\dllcache\wab32.dll
2007-05-16 17:18 1314816 -----c--- C:\WINDOWS\system32\dllcache\msoe.dll
2007-05-08 11:00 3583488 --a--c--- C:\WINDOWS\system32\dllcache\mshtml.dll
2007-04-19 21:20 5632 --ahs---- C:\Program Files\Thumbs.db
--------- C:\Program Files\Krteček 1.9 beta 2
2007-02-05 08:04:53 8,192 --sha-w C:\WINDOWS\o2cLicStore.bin


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVIDIA nForce APU1 Utilities"="NVATray.exe" [2002-04-11 20:46 C:\WINDOWS\system32\NVATray.exe]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2006-03-16 01:07]
"ClocX"="C:\Program Files\ClocX\ClocX.exe" [2003-10-20 21:12]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-09-14 20:38]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 21:24]
"PCSuiteTrayApplication"="C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2006-11-08 14:27]
"SoundMan"="SOUNDMAN.EXE" [2004-06-18 10:31 C:\WINDOWS\SOUNDMAN.EXE]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-07-28 00:03]
"GrooveMonitor"="L:\Office12\GrooveMonitor.exe" [2006-10-27 00:47]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2007-08-01 19:44]
"SpywareTerminator"="C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe" [2007-08-01 20:13]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-18 00:49]
"I&F Viewer toolbar"="C:\Program Files\Photo Toolkit\ivbar\phototoolkitmem.exe" [2006-10-27 21:34]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runonce]
"ICQ Lite"=C:\Program Files\ICQLite\ICQLite.exe -trayboot

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"PcSync"=C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=NVDESK32.DLL

R0 a347bus;a347bus;C:\WINDOWS\system32\DRIVERS\a347bus.sys
R0 a347scsi;a347scsi;C:\WINDOWS\system32\Drivers\a347scsi.sys
R0 Si3114r5;SiI-3114 SoftRaid 5 Controller;C:\WINDOWS\system32\DRIVERS\Si3114r5.sys
R0 SiFilter;SATALink driver accelerator;C:\WINDOWS\system32\DRIVERS\SiWinAcc.sys
R0 SiRemFil;SATALink External Device Filter;C:\WINDOWS\system32\DRIVERS\SiRemFil.sys
R1 DumaNT;NVIDIA Stereo Helper Service;C:\WINDOWS\system32\DRIVERS\dumant.sys
R1 nod32drv;nod32drv;C:\WINDOWS\system32\drivers\nod32drv.sys
R1 sp_rsdrv2;Spyware Terminator Driver 2;\??\C:\WINDOWS\system32\drivers\sp_rsdrv2.sys
R2 ElbyCDIO;ElbyCDIO Driver;C:\WINDOWS\system32\Drivers\ElbyCDIO.sys
R3 ALCXSENS;Service for WDM 3D Audio Driver;C:\WINDOWS\system32\drivers\ALCXSENS.SYS
R3 ElbyDelay;ElbyDelay;C:\WINDOWS\system32\Drivers\ElbyDelay.sys
R3 ms_mpu401;Microsoft MPU-401 MIDI UART Driver;C:\WINDOWS\system32\drivers\msmpu401.sys
R3 Pcouffin;Low level access layer for CD devices;C:\WINDOWS\system32\Drivers\Pcouffin.sys
R3 PSched;Pl novaź paket… technologie QoS;C:\WINDOWS\system32\DRIVERS\psched.sys
R3 ROOTMODEM;Microsoft Legacy Modem Driver;C:\WINDOWS\system32\Drivers\RootMdm.sys
S2 ADILOADER;General Purpose USB Driver (adildr.sys);C:\WINDOWS\system32\Drivers\adildr.sys
S2 ICF;ICF;C:\WINDOWS\system32\svchost.exe:exe.exe
S3 61883;61883 Unit Device;C:\WINDOWS\system32\DRIVERS\61883.sys
S3 adiusbaw;ADSL USB MODEM WAN ADAPTER;C:\WINDOWS\system32\DRIVERS\adiusbaw.sys
S3 Avc;AVC Device;C:\WINDOWS\system32\DRIVERS\avc.sys
S3 genmcmn;Scroll Mouse Driver;C:\WINDOWS\system32\DRIVERS\gmfiltr.sys
S3 genmcmnUSB;USB Scroll Mouse Driver;C:\WINDOWS\system32\DRIVERS\gflmouhid.sys
S3 GMSIPCI;GMSIPCI;\??\J:\INSTALL\GMSIPCI.SYS
S3 hidgame;Microsoft Hid to Joystick Port Enabler;C:\WINDOWS\system32\DRIVERS\hidgame.sys
S3 irsir;Microsoft Serial Infrared Driver;C:\WINDOWS\system32\DRIVERS\irsir.sys
S3 Microsoft Office Groove Audit Service;Microsoft Office Groove Audit Service;L:\Office12\GrooveAuditService.exe
S3 MSDV;Microsoft DV Camera and VCR;C:\WINDOWS\system32\DRIVERS\msdv.sys
S3 Nokia USB Generic;Nokia USB Generic;C:\WINDOWS\system32\drivers\nmwcdc.sys
S3 Nokia USB Modem;Nokia USB Modem;C:\WINDOWS\system32\drivers\nmwcdcm.sys
S3 Nokia USB Phone Parent;Nokia USB Phone Parent;C:\WINDOWS\system32\drivers\nmwcd.sys
S3 Nokia USB Port;Nokia USB Port;C:\WINDOWS\system32\drivers\nmwcdcj.sys
S3 NTACCESS;NTACCESS;\??\J:\NTACCESS.sys
S3 ntgrip;Ovladaź zaýˇzenˇ Gravis GamePort;C:\WINDOWS\system32\drivers\ntgrip.sys
S3 nvax;Service for NVIDIAR nForce(TM) Audio Enumerator;C:\WINDOWS\system32\drivers\nvax.sys
S3 nvnforce;Service for NVIDIAR nForce(TM) Audio;C:\WINDOWS\system32\drivers\nvapu.sys
S3 odserv;Microsoft Office Diagnostics Service;"C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE"
S3 SetupNTGLM7X;SetupNTGLM7X;\??\J:\NTGLM7X.sys
S3 usbsermpt;Motorola USB Modem Driver for MPT;C:\WINDOWS\system32\DRIVERS\usbsermpt.sys

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
Schedule


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\J]
AutoRun\command- J:\Bin\Assetup.exe

*Newly Created Service* - CATCHME

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-02 20:17:44
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Cursors\Schemes]
"\f\1e?r?n?\xe9? ?u?k?a?z?a?t?e?l?e? ?"="C:\WINDOWS\cursors\arrow_r.cur,C:\WINDOWS\cursors\help_r.cur,C:\WINDOWS\cursors\wait_r.cur,C:\WINDOWS\cursors\busy_r.cur,C:\WINDOWS\cursors\cross_r.cur,C:\WINDOWS\cursors\beam_r.cur,C:\WINDOWS\cursors\pen_r.cur,C:\WINDOWS\cursors\no_r.cur,C:\WINDOWS\cursors\size4_r.cur,C:\WINDOWS\cursors\size3_r.cur,C:\WINDOWS\cursors\size2_r.cur,C:\WINDOWS\cursors\size1_r.cur,C:\WINDOWS\cursors\move_r.cur,C:\WINDOWS\cursors\up_r.cur"
"\f\1e?r?n?\xe9? ?u?k?a?z?a?t?e?l?e? ?(?v?e?l?k?\xe9?)?"="C:\WINDOWS\cursors\arrow_rm.cur,C:\WINDOWS\cursors\help_rm.cur,C:\WINDOWS\cursors\wait_rm.cur,C:\WINDOWS\cursors\busy_rm.cur,C:\WINDOWS\cursors\cross_rm.cur,C:\WINDOWS\cursors\beam_rm.cur,C:\WINDOWS\cursors\pen_rm.cur,C:\WINDOWS\cursors\no_rm.cur,C:\WINDOWS\cursors\size4_rm.cur,C:\WINDOWS\cursors\size3_rm.cur,C:\WINDOWS\cursors\size2_rm.cur,C:\WINDOWS\cursors\size1_rm.cur,C:\WINDOWS\cursors\move_rm.cur,C:\WINDOWS\cursors\up_rm.cur"
"\f\1e?r?n?\xe9? ?u?k?a?z?a?t?e?l?e? ?(?n?e?j?v?\e\1t?a\1\xed?)?"="C:\WINDOWS\cursors\arrow_rl.cur,C:\WINDOWS\cursors\help_rl.cur,C:\WINDOWS\cursors\wait_rl.cur,C:\WINDOWS\cursors\busy_rl.cur,C:\WINDOWS\cursors\cross_rl.cur,C:\WINDOWS\cursors\beam_rl.cur,C:\WINDOWS\cursors\pen_rl.cur,C:\WINDOWS\cursors\no_rl.cur,C:\WINDOWS\cursors\size4_rl.cur,C:\WINDOWS\cursors\size3_rl.cur,C:\WINDOWS\cursors\size2_rl.cur,C:\WINDOWS\cursors\size1_rl.cur,C:\WINDOWS\cursors\move_rl.cur,C:\WINDOWS\cursors\up_rl.cur"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E9F81423-211E-46B6-9AE0-38568BC5CF6F}]
"DisplayName"="Alcohol 120"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{E6FB1EDA-9235-80F9-B3DD-09419C043B0B}]
"oagljcflejpengffpfgdjkbkablmki"=hex:61,69,6d,68,70,6c,67,6b,69,65,64,66,6c,62,6c,63,6c,6e,6d,65,6c,..
"ianenfiebkbgdggbbi"=hex:69,61,6d,68,63,6a,65,6a,6c,67,67,6d,70,67,6b,6f,6b,67,00,00
"hadmdaonoilocnbb"=hex:69,61,68,67,6e,6e,6b,6f,6c,64,61,6a,70,6e,63,6b,63,67,00,00

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\ICF]
"ImagePath"="C:\WINDOWS\system32\svchost.exe:exe.exe"

Completion time: 2007-08-02 20:18:25
C:\ComboFix-quarantined-files.txt ... 2007-08-02 20:18

--- E O F ---

-------------------------------------------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 20:24:15, on 2.8.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Vlastník\Dokumenty\A Dokumenty\Antiviry\prográmky\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.seznam.cz
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - L:\Office12\GRA8E1~1.DLL
O3 - Toolbar: &Seznam Lištička - {B71B15CE-3093-459C-B764-AEB2486F2273} - C:\Program Files\Seznam\Listicka\Toolbar.dll
O4 - HKLM\..\Run: [NVIDIA nForce APU1 Utilities] NVATray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [ClocX] C:\Program Files\ClocX\ClocX.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [GrooveMonitor] "L:\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [I&F Viewer toolbar] "C:\Program Files\Photo Toolkit\ivbar\phototoolkitmem.exe" -start
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Program Files\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: &Přelož do češtiny - res://C:\Program Files\Seznam\Listicka\Toolbar.dll/5034
O8 - Extra context menu item: E&xportovat do aplikace Microsoft Excel - res://L:\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: E&xportovat do aplikace Microsoft Office Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Hledej v &Seznamu - res://C:\Program Files\Seznam\Listicka\Toolbar.dll/5033
O8 - Extra context menu item: Hledej v Seznam &Fulltextu - res://C:\Program Files\Seznam\Listicka\Toolbar.dll/5035
O9 - Extra button: Odeslat do aplikace OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - L:\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: Od&eslat do aplikace OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - L:\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - L:\Office12\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0A6112F2-F9D1-4FBF-A6EC-B67B22915873} (FotoStarUploader Control) - http://foto.droxi.cz/snadno-vlozit-foto ... loader.dll
O16 - DPF: {3190CE28-0B6E-4133-A7D3-87D29CB92120} (ToolbarInetInstall Control) - http://software.seznam.cz/listicka/toolbar.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 1320777576
O16 - DPF: {86A88967-7A20-11D2-8EDA-00600818EDB1} (ParallelGraphics Cortona Control) - http://www.parallelgraphics.com/bin/cortvrml.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - L:\Office12\GR99D3~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: ICF - Unknown owner - C:\WINDOWS\system32\svchost.exe:exe.exe (file missing)
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe

[fredik]

Stáhni si SDFix
- Spusť ho a rozbalí se ti na disk kde je nainstalovaný Windows (typicky to je C:\SDfix)
- Pak restartuj PC do nouzového režimu (zvol možnost: Stav nouze, ne Stav nouze s práci v síti)
- Otevři adresář kde je vybalený SDFix a spusť soubor RunThis.bat tím spustíš program.
* Pak stiskni klávesu Y a pak Enter pro zahájení čistícího procesu.
* Pro dokončení kontroly budeš vyzván ke stisknoutí libovolné klávesy a počítač se restartuje.
* Při nabíhání operačního systému se program spustí znovu a dokončí čistící proces. Až se objeví Finish, budeš muset po vyzvání stisknout libovolnou klávesu,
tim se ukončí program a zobrazí se ti ikony na ploše
- Když se skončí načítání ikon na ploše, otevře se ti na obrazovce log z SDFix a zároveň ho uloží do adresáře kde je rozbalený SDFix jako soubor Report.txt
Pak sem zkopíruj jeho obsah + nový log z HJT. Mrknu se pak na to všechno dohromady.

[Ladasan]

SDFix: Version 1.95

Run by Vlastnˇk on p  03.08.2007 at 17:00

Microsoft Windows XP [Verze 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:

Name:
ICF

ImagePath:
C:\WINDOWS\system32\svchost.exe:exe.exe

ICF - Deleted



Restoring Windows Registry Values
Restoring Windows Default Hosts File
Restoring Missing Security Center Service
Restoring Missing SharedAccess Service

Rebooting...


Normal Mode:
Checking Files:

No Trojan Files Found




Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Call of Duty\\CoDMP.exe"="C:\\Program Files\\Call of Duty\\CoDMP.exe:*:Disabled:CoDMP"
"C:\\Program Files\\Team17\\Worms2\\frontend.exe"="C:\\Program Files\\Team17\\Worms2\\frontend.exe:*:Enabled:Worms 2 Frontend"
"C:\\Program Files\\ICQ6\\ICQ.exe"="C:\\Program Files\\ICQ6\\ICQ.exe:*:Enabled:ICQ Library"
"L:\\Office12\\OUTLOOK.EXE"="L:\\Office12\\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"L:\\Office12\\GROOVE.EXE"="L:\\Office12\\GROOVE.EXE:*:Enabled:Microsoft Office Groove"
"L:\\Office12\\ONENOTE.EXE"="L:\\Office12\\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote"
"C:\\Program Files\\ICQLite\\ICQLite.exe"="C:\\Program Files\\ICQLite\\ICQLite.exe:*:Enabled:ICQ Lite"
"C:\\Program Files\\VoipBuster.com\\VoipBuster\\VoipBuster.exe"="C:\\Program Files\\VoipBuster.com\\VoipBuster\\VoipBuster.exe:*:Enabled:VoipBuster"
"C:\\Program Files\\FreeCall.com\\FreeCall\\FreeCall.exe"="C:\\Program Files\\FreeCall.com\\FreeCall\\FreeCall.exe:*:Enabled:FreeCall"
"C:\\Program Files\\uTorrent\\utorrent.exe"="C:\\Program Files\\uTorrent\\utorrent.exe:*:Enabled:uTorrent"
"C:\\WINDOWS\\system32\\msdrv1.exe"="C:\\WINDOWS\\system32\\msdrv1.exe:*:Enabled:01721B741506F4F4"
"C:\\WINDOWS\\system32\\svchost.exe"="C:\\WINDOWS\\system32\\svchost.exe:*:Enabled:svchost"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files:
---------------


Files with Hidden Attributes:

C:\Documents and Settings\Vlastnˇk\Dokumenty\MPtrojky\Pro-Pain\Pro-Pain - Foul Taste of Freedom [1992][SLIPKNOT][www.emwreloaded.com]\Thumbs.db
C:\Program Files\Picasa2\setup.exe
C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp
C:\Documents and Settings\Vlastnˇk\Dokumenty\Obr zky\Fotoalbum\2007\Cvicenˇ s Luckou - Akademie\SIV1.tmp

Finished


------------------------------------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 17:11:10, on 3.8.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\NVATray.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
L:\Office12\GrooveMonitor.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Photo Toolkit\ivbar\phototoolkitmem.exe
C:\Documents and Settings\Vlastník\Dokumenty\A Dokumenty\Antiviry\prográmky\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.seznam.cz
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - L:\Office12\GRA8E1~1.DLL
O3 - Toolbar: &Seznam Lištička - {B71B15CE-3093-459C-B764-AEB2486F2273} - C:\Program Files\Seznam\Listicka\Toolbar.dll
O4 - HKLM\..\Run: [NVIDIA nForce APU1 Utilities] NVATray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [GrooveMonitor] "L:\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [I&F Viewer toolbar] "C:\Program Files\Photo Toolkit\ivbar\phototoolkitmem.exe" -start
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Program Files\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: &Přelož do češtiny - res://C:\Program Files\Seznam\Listicka\Toolbar.dll/5034
O8 - Extra context menu item: E&xportovat do aplikace Microsoft Excel - res://L:\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: E&xportovat do aplikace Microsoft Office Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Hledej v &Seznamu - res://C:\Program Files\Seznam\Listicka\Toolbar.dll/5033
O8 - Extra context menu item: Hledej v Seznam &Fulltextu - res://C:\Program Files\Seznam\Listicka\Toolbar.dll/5035
O9 - Extra button: Odeslat do aplikace OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - L:\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: Od&eslat do aplikace OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - L:\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - L:\Office12\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0A6112F2-F9D1-4FBF-A6EC-B67B22915873} (FotoStarUploader Control) - http://foto.droxi.cz/snadno-vlozit-foto ... loader.dll
O16 - DPF: {3190CE28-0B6E-4133-A7D3-87D29CB92120} (ToolbarInetInstall Control) - http://software.seznam.cz/listicka/toolbar.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 1320777576
O16 - DPF: {86A88967-7A20-11D2-8EDA-00600818EDB1} (ParallelGraphics Cortona Control) - http://www.parallelgraphics.com/bin/cortvrml.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - L:\Office12\GR99D3~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe

[fredik]

Promiň že jsem neodpověděl dřív, nevychází čas.

Jdi přes Start -> Spustit.. a do volného řádku zkopíruj tento příkaz a potvrď:

catchme -l nul -k C:\WINDOWS\system32\msdrv1.exe

Na ploše se ti vytvoří archiv catchme.zip. Změň název tohoto archivu třeba na dikT.zip a uploadni ho prosím zde: http://www.james008.net/havet/
a vlož ho ještě jako jako přílohu ke svému příspěvku. Díky moc.

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

Po té smaž manuálně tento soubor:
C:\WINDOWS\system32\msdrv1.exe

Otestuj tento soubor VirusTotall a vlož sem výsledek
C:\WINDOWS\ddindfefsners.dll

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

Máš tam dva antiviry, tak si tam nechej jen jeden z nich a ten druhý odinstaluj.
Pro lepší zabezpečení Pc by bylo dobré si doinstalovat firewall, můžeš si vybrat některý zde uvedný nebo některý jiný z odkazu:
Firewally zdarma: Přehled osobních firewallů
Comodo - kvalitní, pokročilý, s mnoha funkcemi, originálně v angličtině, čeština by měla být asi až od verze 3 která by se měl objevit v brzké době
Kerio - přehledný, větší možnosti nastavení, náročnější na systémové prostředky, v češtině
ZoneAlarm - jednoduchý, kompatibilní, nenáročný na systémové prostředky, málo možností nastavení, v angličtině

[Ladasan]

taky toho času moc nemam diky za pomoc

[fredik]

Děkuji za nahráni souboru.

Testovaný soubor je v pořádku a logy také.
Stáhni si T-Cleaner a spusť ho.

No zkus ještě otestovat tento soubor na Virustotal a dej sem výsledek (pro lepší nalezení možná bude potřeba si zapnout zobrazení skrytých souborů a složek)
C:\Documents and Settings\Vlastník\Dokumenty\Crhová L\Dokumenty Luca\Dokumenty\desktop.ini

Pokud nemáš nějaké další problémy tak by to bylo vše (uvidíme podle výsledku).

[Ladasan]

C:\Documents and Settings\Vlastník\Dokumenty\Crhová L\Dokumenty Luca\Dokumenty\desktop.ini
Virustotal - 0 bytes size received / Se ha recibido un archivo vacio

proste ten soubor smazu. a celou nepotrebnou slozku.

Díky za perfektní pomoc.