Nevim si rady pls pomozte- spy.win32@mx (trojan)

[mahinaldi]

Dobrý den,
stale mi nabihaji bublinky s: 'Security Alert: NetWorm-i.Virus@fp' a 'System Alert: Trojan-Spy.win32@mx ' a jine a pise se tam az na ne poklepu a stahnu nejaky software ale vzdy kdyz se chce otevrit ta stranka tak mi naskoci NOD a ja prerusim spojeni. Jednou za asi pet minut mi naskoci okno ze byla nalezena infiltrace a ja smazu nejake vytvorene soubory z oblibenych polozek a z Temporary Internet Files. V Internet Explorer se mi objevil novy toolbar Securyty Toolbar 7.1. Zadny takovy jsem neinstaloval nebo si toho nejsem vedom.
Zde je log z HijackThis:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:34:33, on 8.11.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\ATKKBService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\lg_fwupdate\fwupdate.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
E:\Program Files\BearShare\BearShare.exe
C:\WINDOWS\gtwatch.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Sandisk\Common\Bin\WinCinemaMgr.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
E:\Program Files\Tapety 2.01\Tapety.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
E:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll
O2 - BHO: XTTBPos00 - {055FD26D-3A88-4e15-963D-DC8493744B1D} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll
O2 - BHO: Podpora odkazu pro Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1C1DD717-53B2-485E-A17B-C9977C205E10} - C:\WINDOWS\system32\xxyvsqn.dll
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\obfpovys.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: {ca3fd2d6-bb9c-2208-86e4-b89299bd5f2d} - {d2f5db99-298b-4e68-8022-c9bb6d2df3ac} - C:\WINDOWS\system32\xornrbry.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\obfpovys.dll
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [Zástupce stránky vlastností sběrnice High Definition Audio] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [PRONoMgrWired] C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LGODDFU] "C:\Program Files\lg_fwupdate\fwupdate.exe" blrun
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [BearShare] "E:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKLM\..\Run: [Gtwatch] C:\WINDOWS\gtwatch.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [Host Process] C:\WINDOWS\Fonts\svchost.exe
O4 - HKLM\..\Run: [ec86d030] rundll32.exe "C:\WINDOWS\system32\uhlsciut.dll",b
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Tapety 2.01.lnk = E:\Program Files\Tapety 2.01\Tapety.exe
O4 - Global Startup: WinCinema Manager.lnk = C:\Program Files\Sandisk\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = E:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = E:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Microsoft Office.lnk = E:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 8587402750
O17 - HKLM\System\CCS\Services\Tcpip\..\{CAB6BC06-31F7-475F-898D-D68AA2260262}: NameServer = 10.11.1.101,10.11.1.1
O20 - Winlogon Notify: obfpovys - C:\WINDOWS\SYSTEM32\obfpovys.dll
O20 - Winlogon Notify: xxyvsqn - C:\WINDOWS\SYSTEM32\xxyvsqn.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 8713 bytes

Mam Noda a Avasta a nenasli nic po scanu.
Prosim pomozte, predem dekuji za pomoc

[Reklama]

[fredik]

Vítám tě na fórum

Odinstaluj jeden z antivirů a nechej si tam jen jeden z nich

Stáhni si SDFix
- Spusť ho a rozbalí se ti na disk kde je nainstalovaný Windows (typicky to je C:\SDfix)
- Pak restartuj PC do nouzového režimu (zvol možnost: Stav nouze, ne Stav nouze s práci v síti)
- Otevři adresář kde je vybalený SDFix a spusť soubor RunThis.bat tím spustíš program.
* Pak stiskni klávesu Y a pak Enter pro zahájení čistícího procesu.
* Pro dokončení kontroly budeš vyzván ke stisknoutí libovolné klávesy a počítač se restartuje.
* Při nabíhání operačního systému se program spustí znovu a dokončí čistící proces. Až se objeví Finish, budeš muset po vyzvání stisknout libovolnou klávesu, tim se ukončí program a zobrazí se ti ikony na ploše
- Když se skončí načítání ikon na ploše, otevře se ti na obrazovce log z SDFix a zároveň ho uloží do adresáře kde je rozbalený SDFix jako soubor Report.txt
Pak sem zkopíruj jeho obsah.

Stáhni si ComboFix (by sUBs) a ulož si ho na plochu.
Ukonči všechna aktivní okna a spusť ho.
- Po spuštění se zobrazí podmínky užití, potvrď je stiskem klávesy 1
- Dále postupuj dle pokynů, během aplikování ComboFixu neklikej do zobrazujícího se okna
- Po dokončení skenování by měl program vytvořit log - C:\ComboFix.txt - zkopíruj sem prosím celý jeho obsah

[mahinaldi]

Tak tady to je doufam ze je to ono:

SDFix: Version 1.114

Run by Mihi on čt 08.11.2007 at 20:32

Microsoft Windows XP [Verze 5.1.2600]

Running From: C:\SDFix\SDFix

Safe Mode:
Checking Services:


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

No Trojan Files Found




Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

catchme 0.3.1253 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-08 20:40:15
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s1"=dword:2df9c43f
"s2"=dword:110480d0
"h0"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC]
"h0"=dword:00000001
"hdf12"=hex:71,4e,2b,b0,94,bc,9b,00,dc,71,2c,20,4d,0b,61,37,a0,35,bc,78,54,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"h0"=dword:00000000
"khjeh"=hex:d7,e3,61,20,56,6b,42,c7,16,42,2a,70,5e,18,4d,75,ba,21,b7,68,e4,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC]
"h0"=dword:00000001
"hdf12"=hex:71,4e,2b,b0,94,bc,9b,00,dc,71,2c,20,4d,0b,61,37,a0,35,bc,78,54,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"h0"=dword:00000000
"khjeh"=hex:d7,e3,61,20,56,6b,42,c7,16,42,2a,70,5e,18,4d,75,ba,21,b7,68,e4,..

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Cursors\Schemes]
"\f\1e?r?n?\xe9? ?u?k?a?z?a?t?e?l?e? ?"="C:\WINDOWS\cursors\arrow_r.cur,C:\WINDOWS\cursors\help_r.cur,C:\WINDOWS\cursors\wait_r.cur,C:\WINDOWS\cursors\busy_r.cur,C:\WINDOWS\cursors\cross_r.cur,C:\WINDOWS\cursors\beam_r.cur,C:\WINDOWS\cursors\pen_r.cur,C:\WINDOWS\cursors\no_r.cur,C:\WINDOWS\cursors\size4_r.cur,C:\WINDOWS\cursors\size3_r.cur,C:\WINDOWS\cursors\size2_r.cur,C:\WINDOWS\cursors\size1_r.cur,C:\WINDOWS\cursors\move_r.cur,C:\WINDOWS\cursors\up_r.cur"
"\f\1e?r?n?\xe9? ?u?k?a?z?a?t?e?l?e? ?(?v?e?l?k?\xe9?)?"="C:\WINDOWS\cursors\arrow_rm.cur,C:\WINDOWS\cursors\help_rm.cur,C:\WINDOWS\cursors\wait_rm.cur,C:\WINDOWS\cursors\busy_rm.cur,C:\WINDOWS\cursors\cross_rm.cur,C:\WINDOWS\cursors\beam_rm.cur,C:\WINDOWS\cursors\pen_rm.cur,C:\WINDOWS\cursors\no_rm.cur,C:\WINDOWS\cursors\size4_rm.cur,C:\WINDOWS\cursors\size3_rm.cur,C:\WINDOWS\cursors\size2_rm.cur,C:\WINDOWS\cursors\size1_rm.cur,C:\WINDOWS\cursors\move_rm.cur,C:\WINDOWS\cursors\up_rm.cur"
"\f\1e?r?n?\xe9? ?u?k?a?z?a?t?e?l?e? ?(?n?e?j?v?\e\1t?a\1\xed?)?"="C:\WINDOWS\cursors\arrow_rl.cur,C:\WINDOWS\cursors\help_rl.cur,C:\WINDOWS\cursors\wait_rl.cur,C:\WINDOWS\cursors\busy_rl.cur,C:\WINDOWS\cursors\cross_rl.cur,C:\WINDOWS\cursors\beam_rl.cur,C:\WINDOWS\cursors\pen_rl.cur,C:\WINDOWS\cursors\no_rl.cur,C:\WINDOWS\cursors\size4_rl.cur,C:\WINDOWS\cursors\size3_rl.cur,C:\WINDOWS\cursors\size2_rl.cur,C:\WINDOWS\cursors\size1_rl.cur,C:\WINDOWS\cursors\move_rl.cur,C:\WINDOWS\cursors\up_rl.cur"

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"E:\\Program Files\\BearShare\\BearShare.exe"="E:\\Program Files\\BearShare\\BearShare.exe:*:Enabled:BearShare"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

Remaining Files:
---------------


Files with Hidden Attributes:

Thu 8 Nov 2007 6,465 ..SH. --- "C:\WINDOWS\system32\ilnmp.bak1"
Thu 8 Nov 2007 20,640 ..SH. --- "C:\WINDOWS\system32\obfpovys.dllbox"
Sat 1 Sep 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Sun 11 Mar 2007 278,528 A..H. --- "C:\Documents and Settings\Mihi\Dokumenty\MŘýenˇ P3a\~WRL0005.tmp"
Sun 25 Mar 2007 285,184 A..H. --- "C:\Documents and Settings\Mihi\Dokumenty\MŘýenˇ P3a\~WRL2352.tmp"
Sun 14 Jan 2007 714,752 A..H. --- "C:\Documents and Settings\Mihi\Dokumenty\MŘýenˇ P3a\~WRL4010.tmp"
Sun 23 Sep 2007 88,064 ...H. --- "C:\Documents and Settings\Mihi\Dokumenty\MŘýenˇ P4a\~WRL4037.tmp"
Thu 8 Nov 2007 4,286 A..H. --- "C:\Documents and Settings\Mihi\Local Settings\Temp\ico3.tmp"
Thu 8 Nov 2007 4,286 A..H. --- "C:\Documents and Settings\Mihi\Local Settings\Temp\ico4.tmp"
Thu 8 Nov 2007 4,286 A..H. --- "C:\Documents and Settings\Mihi\Local Settings\Temp\ico5.tmp"
Thu 8 Nov 2007 4,286 A..H. --- "C:\Documents and Settings\Mihi\Local Settings\Temp\ico6.tmp"
Thu 8 Nov 2007 4,286 A..H. --- "C:\Documents and Settings\Mihi\Local Settings\Temp\ico7.tmp"
Sun 23 Sep 2007 19,456 ...H. --- "C:\Documents and Settings\Mihi\Data aplikacˇ\Microsoft\Word\~WRL0148.tmp"
Sun 23 Sep 2007 86,016 ...H. --- "C:\Documents and Settings\Mihi\Data aplikacˇ\Microsoft\Word\~WRL1054.tmp"
Sun 23 Sep 2007 45,568 ...H. --- "C:\Documents and Settings\Mihi\Data aplikacˇ\Microsoft\Word\~WRL2379.tmp"
Sun 23 Sep 2007 84,992 ...H. --- "C:\Documents and Settings\Mihi\Data aplikacˇ\Microsoft\Word\~WRL3107.tmp"
Sun 14 Oct 2007 20,480 ...H. --- "C:\Documents and Settings\Mihi\Data aplikacˇ\Microsoft\Word\~WRL3567.tmp"
Wed 14 Sep 2005 4,348 A..H. --- "C:\Documents and Settings\Mihi\Dokumenty\My Music\License Backup\drmv1key.bak"
Mon 16 Oct 2006 20 A..H. --- "C:\Documents and Settings\Mihi\Dokumenty\My Music\License Backup\drmv1lic.bak"
Sat 9 Sep 2006 488 A..H. --- "C:\Documents and Settings\Mihi\Dokumenty\My Music\License Backup\drmv2key.bak"
Mon 16 Oct 2006 1,536 A..H. --- "C:\Documents and Settings\Mihi\Dokumenty\My Music\License Backup\drmv2lic.bak"
Sun 19 Nov 2006 4,348 A..H. --- "C:\Documents and Settings\M ma\Dokumenty\Hudba\Z lohov nˇ licence\drmv1key.bak"
Mon 20 Nov 2006 20 A..H. --- "C:\Documents and Settings\M ma\Dokumenty\Hudba\Z lohov nˇ licence\drmv1lic.bak"
Sun 19 Nov 2006 312 A..H. --- "C:\Documents and Settings\M ma\Dokumenty\Hudba\Z lohov nˇ licence\drmv2key.bak"
Mon 20 Nov 2006 1,536 A..H. --- "C:\Documents and Settings\M ma\Dokumenty\Hudba\Z lohov nˇ licence\drmv2lic.bak"

Finished!

------------------------------------------------------------------------------------------------------

ComboFix 07-11-08.1 - Mihi 2007-11-08 20:46:08.3 - NTFSx86
Systém Microsoft Windows XP Professional 5.1.2600.2.1250.1.1029.18.589 [GMT 1:00]
Running from: C:\Documents and Settings\Mihi\Plocha\ComboFix.exe
.

Unable to gain System Privileges

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Nabídka Start\Live Safety Center.lnk
C:\Documents and Settings\All Users\Nabídka Start\Online Security Guide.lnk
C:\Documents and Settings\Mihi\Oblíbené položky\Online Security Guide.lnk
C:\Documents and Settings\Mihi\Plocha\Live Safety Center.lnk
C:\Documents and Settings\Mihi\Plocha\Online Security Guide.lnk
C:\WINDOWS\system32\ilnmp.bak1
C:\WINDOWS\system32\ilnmp.ini
C:\WINDOWS\system32\obfpovys.dllbox
C:\WINDOWS\system32\pmnli.dll

.
((((((((((((((((((((((((( Files Created from 2007-10-08 to 2007-11-08 )))))))))))))))))))))))))))))))
.

2007-11-08 20:44 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-08 20:30 <DIR> d-------- C:\WINDOWS\ERUNT
2007-11-07 17:53 <DIR> d-------- C:\Nov  slo§ka
2007-11-07 14:47 79,936 --a------ C:\WINDOWS\system32\xornrbry.dll
2007-11-07 14:44 86,080 --a------ C:\WINDOWS\system32\uhlsciut.dll
2007-11-07 14:41 145,984 --a------ C:\WINDOWS\system32\pwxfkaaf.dll
2007-11-07 14:41 145,984 --a------ C:\WINDOWS\system32\obfpovys.dll
2007-11-07 14:39 71,232 --a------ C:\WINDOWS\system32\bafrfimh.exe
2007-11-06 17:30 3,497,832 --a------ C:\WINDOWS\system32\d3dx9_34.dll
2007-11-06 17:30 3,495,784 --a------ C:\WINDOWS\system32\d3dx9_33.dll
2007-11-06 17:30 1,123,696 --a------ C:\WINDOWS\system32\D3DCompiler_33.dll
2007-11-06 17:30 443,752 --a------ C:\WINDOWS\system32\d3dx10_33.dll
2007-11-06 17:30 261,480 --a------ C:\WINDOWS\system32\xactengine2_7.dll
2007-11-06 15:24 147,456 --a------ C:\WINDOWS\system32\vbzip10.dll
2007-11-06 15:21 35,328 --a------ C:\WINDOWS\system32\xxyvsqn.dll
2007-11-06 15:21 0 --a------ C:\z.dat
2007-10-26 20:43 <DIR> d-------- C:\Program Files\THQ
2007-10-26 17:20 <DIR> d-------- C:\Program Files\Stormregion
2007-10-24 13:06 <DIR> d-------- C:\Program Files\Common Files\Apple
2007-10-24 13:06 <DIR> d-------- C:\Program Files\Apple Software Update
2007-10-24 13:06 30,336 --a------ C:\WINDOWS\system32\drivers\usbaapl.sys
2007-10-19 21:21 <DIR> d-------- C:\Documents and Settings\Mihi\Phone Browser
2007-10-19 12:19 <DIR> d-------- C:\Documents and Settings\Tut\Phone Browser
2007-10-19 12:10 <DIR> d-------- C:\Program Files\Common Files\PCSuite
2007-10-19 12:10 <DIR> d-------- C:\Program Files\Common Files\Nokia
2007-10-19 12:09 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2007-10-19 12:09 <DIR> d-------- C:\Program Files\PC Connectivity Solution
2007-10-19 12:09 <DIR> d-------- C:\Program Files\Nokia
2007-10-19 12:09 <DIR> d-------- C:\Program Files\DIFX
2007-10-19 12:09 137,216 --a------ C:\WINDOWS\system32\drivers\nmwcd.sys
2007-10-19 12:09 90,624 --a------ C:\WINDOWS\system32\nmwcdcls.dll
2007-10-19 12:09 65,536 --a------ C:\WINDOWS\system32\nmwcdcocls.dll
2007-10-19 12:09 12,288 --a------ C:\WINDOWS\system32\drivers\nmwcdcm.sys
2007-10-19 12:09 12,288 --a------ C:\WINDOWS\system32\drivers\nmwcdcj.sys
2007-10-19 12:09 8,320 --a------ C:\WINDOWS\system32\drivers\nmwcdc.sys
2007-10-18 14:42 3,596,288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2007-10-18 14:42 7,680 --a------ C:\WINDOWS\system32\ff_vfw.dll
2007-10-11 18:09 <DIR> d-------- C:\Program Files\CS Software

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-08 19:54 --------- d-----w C:\Program Files\lg_fwupdate
2007-11-08 19:45 --------- d-----w C:\Program Files\ICQToolbar
2007-11-06 16:31 278,984 ----a-w C:\WINDOWS\system32\drivers\atksgt.sys
2007-11-06 16:31 25,416 ----a-w C:\WINDOWS\system32\drivers\lirsgt.sys
2007-11-06 16:23 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-18 13:00 737,280 ----a-w C:\WINDOWS\iun6002.exe
2007-09-16 12:27 --------- d-----w C:\Program Files\Common Files\DirectX
2007-09-16 10:03 98,304 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2007-09-13 13:14 --------- d-----w C:\Program Files\ICQLite
2007-09-09 15:10 25,544 ----a-w C:\WINDOWS\system32\drivers\hamachi.sys
2007-09-08 16:00 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-09-08 15:59 --------- d-----w C:\Program Files\Sandisk
2007-09-06 10:09 801,144 ----a-w C:\WINDOWS\system32\aswBoot.exe
2007-09-06 10:00 95,608 ----a-w C:\WINDOWS\system32\AvastSS.scr
2007-09-04 16:56 164,352 ----a-w C:\WINDOWS\system32\unrar.dll
2007-09-01 08:07 73,728 ----a-w C:\WINDOWS\ALCFDRTM.EXE
2007-08-21 06:18 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2004-10-01 13:00 40,960 ----a-w C:\Program Files\Uninstall_CDS.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1C1DD717-53B2-485E-A17B-C9977C205E10}]
2007-11-06 15:21 35328 --a------ C:\WINDOWS\system32\xxyvsqn.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
2007-11-07 14:41 145984 --a------ C:\WINDOWS\system32\obfpovys.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{d2f5db99-298b-4e68-8022-c9bb6d2df3ac}]
2007-11-07 14:47 79936 --a------ C:\WINDOWS\system32\xornrbry.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{11A69AE4-FBED-4832-A2BF-45AF82825583}"= C:\WINDOWS\system32\obfpovys.dll [2007-11-07 14:41 145984]

[HKEY_CLASSES_ROOT\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 17:41]
"Zástupce stránky vlastností sběrnice High Definition Audio"="HDAudPropShortcut.exe" [2004-03-17 14:10 C:\WINDOWS\system32\Hdaudpropshortcut.exe]
"SoundMan"="SOUNDMAN.EXE" [2004-09-23 19:27 C:\WINDOWS\SOUNDMAN.EXE]
"AlcWzrd"="ALCWZRD.EXE" [2004-09-24 18:06 C:\WINDOWS\ALCWZRD.EXE]
"PRONoMgrWired"="C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe" [2004-03-02 10:49]
"RemoteControl"="C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" [2004-11-02 19:24]
"InCD"="C:\Program Files\Ahead\InCD\InCD.exe" [2006-03-16 09:00]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 09:50]
"LGODDFU"="C:\Program Files\lg_fwupdate\fwupdate.exe" [2007-08-31 20:36]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-09-06 11:06]
"BearShare"="E:\Program Files\BearShare\BearShare.exe" [2005-07-14 12:05]
"Gtwatch"="C:\WINDOWS\gtwatch.exe" [2001-08-24 10:18]
"PCSuiteTrayApplication"="C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2007-03-23 12:20]
"ec86d030"="C:\WINDOWS\system32\uhlsciut.dll" [2007-11-07 14:44]
"RegistryMechanic"="" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-18 13:00]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Nokia.PCSync"=C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{1C1DD717-53B2-485E-A17B-C9977C205E10}"= C:\WINDOWS\system32\xxyvsqn.dll [2007-11-06 15:21 35328]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\obfpovys]
obfpovys.dll 2007-11-07 14:41 145984 C:\WINDOWS\system32\obfpovys.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xxyvsqn]
xxyvsqn.dll 2007-11-06 15:21 35328 C:\WINDOWS\system32\xxyvsqn.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\pmnli.dll

R3 maestro;ESS Maestro Audio Driver (WDM);C:\WINDOWS\system32\drivers\maestro.sys
R3 PSched;Plánovač paketů technologie QoS;C:\WINDOWS\system32\DRIVERS\psched.sys
S1 as6eio;as6eio;C:\WINDOWS\system32\drivers\as6eio.SYS
S3 GT681x;%GrandTechICNameNT%;C:\WINDOWS\system32\DRIVERS\GT681x.SYS
S3 USBAAPL;Apple Mobile USB Driver;C:\WINDOWS\system32\Drivers\usbaapl.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-10-24 12:06:53 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-08 20:55:39
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-08 20:57:27 - machine was rebooted
.
--- E O F ---

[fredik]

Doporučil bych ti odinstalovat přes Přidat nebo odebrat program:
BearShare

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

Otestuj tento soubor na VirusTotal a dej sem výsledek
C:\WINDOWS\system32\bafrfimh.exe

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

Otevři si Poznámkový blok (Start -> Spustit... a napiš do okna Notepad a dej Ok)
Zkopíruj do něj následující text označený zeleně:

Kód: Vybrat vše

File::
C:\WINDOWS\system32\xornrbry.dll
C:\WINDOWS\system32\obfpovys.dll
C:\WINDOWS\system32\xxyvsqn.dll
C:\WINDOWS\system32\uhlsciut.dll
C:\WINDOWS\system32\pwxfkaaf.dll

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1C1DD717-53B2-485E-A17B-C9977C205E10}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{d2f5db99-298b-4e68-8022-c9bb6d2df3ac}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{11A69AE4-FBED-4832-A2BF-45AF82825583}"=-
[-HKEY_CLASSES_ROOT\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ec86d030"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{1C1DD717-53B2-485E-A17B-C9977C205E10}"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\obfpovys]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xxyvsqn]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00

Zvol možnost Uložit soubor jako, pojmenuj soubor CFScript.txt a zvol Uložit jako typ: Všechny soubory.
Ulož soubor na plochu.
Ukonči všechna aktivní okna.

Uchop myší vytvořený skript CFScript.txt, přemísti ho nad stažený program ComboFix.exe a když se oba soubory překryjí, skript upusť

- Automaticky se spustí ComboFix
- Vlož sem log, který vyběhne v závěru čistícího procesu

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

V následujícím příspěvku sem vlož tyto logy/výsledky:
- výsledek z Virustotal
- log z Combofix
- nový log z HJT

[mahinaldi]

Tady to je... moc dekuju za snahu

Soubor bafrfimh.exe přijatý 2007.11.07 22:57:02 (CET)
Současný stav: Čekejte ... Ve frontě Čekání Testování Dokončeno NENALEZENO ZASTAVENO


Výsledek: 6/32 (18.75%)
Načítám informace ze serveru...
Váš soubor čeká ve frontě na pozici: ___.
Odhadovaný čas začátku mezi ___ a ___ .
Nezavírejte toto okno dokud nebude test dokončen.
Právě testující program byl je zastaven, probíhá čekání na program.
Za chvíli bude proveden další pokus o otestování souboru.
Pokud budete čekat déle než-li pět minut odešlete Váš soubor znovu.
Váš soubor je nyní testován pomocí VirusTotal,
výsledky budou zobrazeny po dokončení.
Formátované Vytisknout výsledky
Váš soubor není platný, nebo neexistuje.
Služba je pozastavena v tuto chvíli, váš soubor čeká na otestování (pozice: ) po nespecifikovanou dobu.

Nyní čekejte na odezvu webu (automatické obnovení), nebo napište email do pole a klikněte na "vyžádat" a systém Vám zašle email s výsledky až bude test hotov.
Email:


Antivirus Verze Poslední aktualizace Výsledek
AhnLab-V3 2007.11.2.1 2007.11.02 -
AntiVir 7.6.0.34 2007.11.07 -
Authentium 4.93.8 2007.11.01 -
Avast 4.7.1074.0 2007.11.06 -
AVG 7.5.0.503 2007.11.06 -
BitDefender 7.2 2007.11.07 Trojan.Fotomoto.F
CAT-QuickHeal 9.00 2007.11.06 (Suspicious) - DNAScan
ClamAV 0.91.2 2007.11.07 -
DrWeb 4.44.0.09170 2007.11.07 -
eSafe 7.0.15.0 2007.10.28 Suspicious File
eTrust-Vet 31.2.5276 2007.11.07 -
Ewido 4.0 2007.11.06 -
FileAdvisor 1 2007.11.07 -
Fortinet 3.11.0.0 2007.10.19 -
F-Prot 4.4.2.54 2007.11.07 -
F-Secure 6.70.13030.0 2007.11.02 -
Ikarus T3.1.1.12 2007.11.07 -
Kaspersky 7.0.0.125 2007.11.02 -
McAfee 5157 2007.11.06 -
Microsoft 1.3007 2007.11.07 -
NOD32v2 2642 2007.11.06 -
Norman 5.80.02 2007.11.06 -
Panda 9.0.0.4 2007.11.06 Suspicious file
Prevx1 V2 2007.11.07 ADWARE.FOTOMOTO.F
Rising 20.16.42.00 2007.11.02 -
Sophos 4.23.0 2007.11.07 -
Sunbelt 2.2.907.0 2007.10.31 -
Symantec 10 2007.11.02 -
TheHacker 6.2.9.118 2007.11.06 -
VBA32 3.12.2.4 2007.11.06 -
VirusBuster 4.3.26:9 2007.11.06 -
Webwasher-Gateway 6.0.1 2007.11.07 Win32.Malware.gen (suspicious)
Rozšiřující informace
File size: 71232 bytes
MD5: dcff90c2374c0715d4649c82e2bf15e5
SHA1: fb88bc4c5b2c2c24fb3661e14b184187bce77136
Prevx info: http://fileinfo.prevx.com/fileinfo.asp? ... 00E4442370

---------------------------------------------------------------------------------------------------------------------------

ComboFix 07-11-08.1 - Mihi 2007-11-08 23:03:14.4 - NTFSx86
Systém Microsoft Windows XP Professional 5.1.2600.2.1250.1.1029.18.549 [GMT 1:00]
Running from: C:\Documents and Settings\Mihi\Plocha\ComboFix.exe
Command switches used :: C:\Documents and Settings\Mihi\Plocha\CFScript.txt
* Created a new restore point

FILE
C:\WINDOWS\system32\obfpovys.dll
C:\WINDOWS\system32\pwxfkaaf.dll
C:\WINDOWS\system32\uhlsciut.dll
C:\WINDOWS\system32\xornrbry.dll
C:\WINDOWS\system32\xxyvsqn.dll
.

Unable to gain System Privileges

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Nabídka Start\Live Safety Center.lnk
C:\Documents and Settings\All Users\Nabídka Start\Online Security Guide.lnk
C:\Documents and Settings\Mihi\Oblíbené položky\Online Security Guide.lnk
C:\Documents and Settings\Mihi\Plocha\Live Safety Center.lnk
C:\Documents and Settings\Mihi\Plocha\Online Security Guide.lnk
C:\WINDOWS\system32\obfpovys.dll
C:\WINDOWS\system32\obfpovys.dllbox
C:\WINDOWS\system32\pwxfkaaf.dll
C:\WINDOWS\system32\ssttt.dll
C:\WINDOWS\system32\tttss.bak1
C:\WINDOWS\system32\tttss.ini
C:\WINDOWS\system32\uhlsciut.dll
C:\WINDOWS\system32\xornrbry.dll
C:\WINDOWS\system32\xxyvsqn.dll

.
((((((((((((((((((((((((( Files Created from 2007-10-08 to 2007-11-08 )))))))))))))))))))))))))))))))
.

2007-11-08 20:44 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-08 20:30 <DIR> d-------- C:\WINDOWS\ERUNT
2007-11-07 17:53 <DIR> d-------- C:\Nov  slo§ka
2007-11-07 14:39 71,232 --a------ C:\WINDOWS\system32\bafrfimh.exe
2007-11-06 17:30 3,497,832 --a------ C:\WINDOWS\system32\d3dx9_34.dll
2007-11-06 17:30 3,495,784 --a------ C:\WINDOWS\system32\d3dx9_33.dll
2007-11-06 17:30 1,123,696 --a------ C:\WINDOWS\system32\D3DCompiler_33.dll
2007-11-06 17:30 443,752 --a------ C:\WINDOWS\system32\d3dx10_33.dll
2007-11-06 17:30 261,480 --a------ C:\WINDOWS\system32\xactengine2_7.dll
2007-11-06 15:24 147,456 --a------ C:\WINDOWS\system32\vbzip10.dll
2007-11-06 15:21 0 --a------ C:\z.dat
2007-10-26 20:43 <DIR> d-------- C:\Program Files\THQ
2007-10-26 17:20 <DIR> d-------- C:\Program Files\Stormregion
2007-10-24 13:06 <DIR> d-------- C:\Program Files\Common Files\Apple
2007-10-24 13:06 <DIR> d-------- C:\Program Files\Apple Software Update
2007-10-24 13:06 30,336 --a------ C:\WINDOWS\system32\drivers\usbaapl.sys
2007-10-19 21:21 <DIR> d-------- C:\Documents and Settings\Mihi\Phone Browser
2007-10-19 12:19 <DIR> d-------- C:\Documents and Settings\Tut\Phone Browser
2007-10-19 12:10 <DIR> d-------- C:\Program Files\Common Files\PCSuite
2007-10-19 12:10 <DIR> d-------- C:\Program Files\Common Files\Nokia
2007-10-19 12:09 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2007-10-19 12:09 <DIR> d-------- C:\Program Files\PC Connectivity Solution
2007-10-19 12:09 <DIR> d-------- C:\Program Files\Nokia
2007-10-19 12:09 <DIR> d-------- C:\Program Files\DIFX
2007-10-19 12:09 137,216 --a------ C:\WINDOWS\system32\drivers\nmwcd.sys
2007-10-19 12:09 90,624 --a------ C:\WINDOWS\system32\nmwcdcls.dll
2007-10-19 12:09 65,536 --a------ C:\WINDOWS\system32\nmwcdcocls.dll
2007-10-19 12:09 12,288 --a------ C:\WINDOWS\system32\drivers\nmwcdcm.sys
2007-10-19 12:09 12,288 --a------ C:\WINDOWS\system32\drivers\nmwcdcj.sys
2007-10-19 12:09 8,320 --a------ C:\WINDOWS\system32\drivers\nmwcdc.sys
2007-10-18 14:42 3,596,288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2007-10-18 14:42 7,680 --a------ C:\WINDOWS\system32\ff_vfw.dll
2007-10-11 18:09 <DIR> d-------- C:\Program Files\CS Software

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-08 22:17 --------- d-----w C:\Program Files\lg_fwupdate
2007-11-08 22:04 --------- d-----w C:\Program Files\ICQToolbar
2007-11-06 16:31 278,984 ----a-w C:\WINDOWS\system32\drivers\atksgt.sys
2007-11-06 16:31 25,416 ----a-w C:\WINDOWS\system32\drivers\lirsgt.sys
2007-11-06 16:23 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-18 13:00 737,280 ----a-w C:\WINDOWS\iun6002.exe
2007-09-16 12:27 --------- d-----w C:\Program Files\Common Files\DirectX
2007-09-13 13:14 --------- d-----w C:\Program Files\ICQLite
2007-09-09 15:10 25,544 ----a-w C:\WINDOWS\system32\drivers\hamachi.sys
2007-09-08 16:00 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-09-08 15:59 --------- d-----w C:\Program Files\Sandisk
2007-09-01 08:07 73,728 ----a-w C:\WINDOWS\ALCFDRTM.EXE
2004-10-01 13:00 40,960 ----a-w C:\Program Files\Uninstall_CDS.exe
.

((((((((((((((((((((((((((((( snapshot@2007-11-08_20.56.20.78 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-11-08 22:09:30 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_5f4.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 17:41]
"Zástupce stránky vlastností sběrnice High Definition Audio"="HDAudPropShortcut.exe" [2004-03-17 14:10 C:\WINDOWS\system32\Hdaudpropshortcut.exe]
"SoundMan"="SOUNDMAN.EXE" [2004-09-23 19:27 C:\WINDOWS\SOUNDMAN.EXE]
"AlcWzrd"="ALCWZRD.EXE" [2004-09-24 18:06 C:\WINDOWS\ALCWZRD.EXE]
"PRONoMgrWired"="C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe" [2004-03-02 10:49]
"RemoteControl"="C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" [2004-11-02 19:24]
"InCD"="C:\Program Files\Ahead\InCD\InCD.exe" [2006-03-16 09:00]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 09:50]
"LGODDFU"="C:\Program Files\lg_fwupdate\fwupdate.exe" [2007-08-31 20:36]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-09-06 11:06]
"BearShare"="E:\Program Files\BearShare\BearShare.exe" []
"Gtwatch"="C:\WINDOWS\gtwatch.exe" [2001-08-24 10:18]
"PCSuiteTrayApplication"="C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2007-03-23 12:20]
"RegistryMechanic"="" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-18 13:00]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Nokia.PCSync"=C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog

R3 maestro;ESS Maestro Audio Driver (WDM);C:\WINDOWS\system32\drivers\maestro.sys
R3 PSched;Plánovač paketů technologie QoS;C:\WINDOWS\system32\DRIVERS\psched.sys
S1 as6eio;as6eio;C:\WINDOWS\system32\drivers\as6eio.SYS
S3 GT681x;%GrandTechICNameNT%;C:\WINDOWS\system32\DRIVERS\GT681x.SYS
S3 USBAAPL;Apple Mobile USB Driver;C:\WINDOWS\system32\Drivers\usbaapl.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-10-24 12:06:53 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-08 23:17:48
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-08 23:18:22 - machine was rebooted
C:\ComboFix2.txt ... 2007-11-08 20:57
.
--- E O F ---

---------------------------------------------------------------------------------------------------------------------------


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:22:23, on 8.11.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\ATKKBService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\lg_fwupdate\fwupdate.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\gtwatch.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Sandisk\Common\Bin\WinCinemaMgr.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
E:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
E:\Program Files\Tapety 2.01\Tapety.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
E:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.seznam.cz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll
O2 - BHO: XTTBPos00 - {055FD26D-3A88-4e15-963D-DC8493744B1D} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll
O2 - BHO: Podpora odkazu pro Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [Zástupce stránky vlastností sběrnice High Definition Audio] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [PRONoMgrWired] C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LGODDFU] "C:\Program Files\lg_fwupdate\fwupdate.exe" blrun
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [BearShare] "E:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKLM\..\Run: [Gtwatch] C:\WINDOWS\gtwatch.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Tapety 2.01.lnk = E:\Program Files\Tapety 2.01\Tapety.exe
O4 - Global Startup: WinCinema Manager.lnk = C:\Program Files\Sandisk\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = E:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = E:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Microsoft Office.lnk = E:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 8587402750
O17 - HKLM\System\CCS\Services\Tcpip\..\{CAB6BC06-31F7-475F-898D-D68AA2260262}: NameServer = 10.11.1.101,10.11.1.1
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 7768 bytes

[mahinaldi]

Už je všechno v pořádku po viru ani stopa, zmizel i ten toolbar. Mockrát vám děkuji nevim co bych si bez vás počal asi bych skončil jako uživatel nově nainstalovyných windows . Jeste jednou moc dekuju s pozdravem Mahinaldi

[fredik]

Smaž ručně tento soubor:
C:\WINDOWS\system32\bafrfimh.exe => kdyby se nezdařilo tak řekni
můžeš taky smazat adresář/složku co si vytvořil SDFix:
C:\SDFix

Pro lepší zabezpečení by bylo dobré si doinstalovat firewall, můžeš si vybrat některý zde uvedený nebo některý jiný z odkazu: Přehled osobních firewallů
Firewally zdarma:
Comodo - kvalitní, pokročilý, s mnoha funkcemi, originálně v angličtině, čeština by měla být asi až od verze 3 která by se měl objevit v brzké době
Kerio - přehledný, větší možnosti nastavení, náročnější na systémové prostředky, v češtině
ZoneAlarm - jednoduchý, kompatibilní, nenáročný na systémové prostředky, málo možností nastavení, v angličtině

Jdi přes Start -> Spustit... a napiš do okna tento příkaz označený modře ComboFix /u (mezi comobofix a / musí být mezera) a dej Ok.

Jinak logy vypadají dobře, pokud nemáš jak říkáš žádné další problémy tak by to bylo vše.

Nemáš za co