nnNedawt.dll

Section devoted to viruses and other malicious code, but also to the tools you can use to defend against them…

Moderators: Mods_senior, Security team


nnNedawt.dll

Post by snailx » 23 Apr 2008 20:43

Hello,

I have a problem deleting the file "nnNedawt.dll" in the windows/system32 folder.
The antivirus flags it as a file infected with the virus Win32/Adware-Virtumonde.
SOFTWARE: NOD32 - fully updated, Spyware Terminator 2 - likewise.
I can't delete it even in Safe Mode - it keeps reporting that it is tied to other software. In Task Manager, though, I see nothing but system items.
From system32 I have already removed niayknkl.dll and eajwdmyn.dll - these two DLLs were set in msconfig to run after PC startup via RUN32, were unsigned and were not tied to any program.

Thanks in advance for any advice on how to avoid reinstalling Windows.

Searching turned up nothing for this term, hence a new topic.


Re: nnNedawt.dll

Post by fredik » 23 Apr 2008 20:54

To start with, paste a HijackThis log here.
It may take a while to get a response, because the "HJT Team" are very busy. Please, be patient, these people are volunteers. They will help you out, as soon as possible.
If you have a problem, do not send me PM messages with logs; post them in the forum. Such PMs cannot be answered.


Re: nnNedawt.dll

Post by snailx » 23 Apr 2008 21:07

So here it is:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:00:41, on 23.4.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\LAUNCH~1\LManager.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\RocketDock\RocketDock.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\WINDOWS\system32\wscntfy.exe
C:\DOCUME~1\PANKLA~1\LOCALS~1\Temp\RtkBtMnt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.daemon-search.com/startpage

O3 - Toolbar: &Crawler lišta - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\LManager.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe"
O4 - HKCU\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Bluetooth.lnk = ?
O8 - Extra context menu item: Crawler Search - tbr:iemenu
O8 - Extra context menu item: E&xportovat do aplikace Microsoft Office Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: Zdroje informací - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{C11D27A2-4F6D-4F2A-832A-DB0A55966811}: NameServer = 88.146.135.10,213.29.58.9
O18 - Protocol: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: NOD32 Kernel Service (nod32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe

--
End of file - 5270 bytes


Re: nnNedawt.dll

Post by fredik » 23 Apr 2008 21:38

Before using ComboFix, turn off the resident shield in Spyware Terminator:
Start Spyware Terminator and click the Resident Shield icon at the top
- the program switches to the Resident Shield Settings window
- there, on the Shield Settings tab, untick the item: Activate Resident Shield
- click the button at the bottom: Save Changes
- close the program

Then download ComboFix (by sUBs) and save it to your desktop.
Close all open windows and run it.
- After it starts, the terms of use are shown; confirm them by pressing the Yes button
- Then follow the instructions; while ComboFix is working, do not click in the window it shows
- When the scan finishes, the program should create a log - C:\ComboFix.txt - please copy its entire contents here


Re: nnNedawt.dll

Post by snailx » 24 Apr 2008 18:50

hi, sorry, I didn't get to it earlier; I'd be glad if you could take a look. thanks for everything.



ComboFix 08-04-22.5 - Pan Klapka 2008-04-24 18:32:20.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1250.1.1033.18.593 [GMT 2:00]
Running from: C:\Documents and Settings\Pan Klapka\Desktop\ComboFix.exe
* Created a new restore point
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\bcdqcxyg.ini
C:\WINDOWS\system32\bpxbqdxb.dll
C:\WINDOWS\system32\ddpuiria.ini
C:\WINDOWS\system32\Desktop_.ini
C:\WINDOWS\system32\gyxcqdcb.dll
C:\WINDOWS\system32\hhekaqwb.ini
C:\WINDOWS\system32\hkTCLkkj.ini
C:\WINDOWS\system32\hkTCLkkj.ini2
C:\WINDOWS\system32\hpfocuwm.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\opnkLDvT.dll
C:\WINDOWS\system32\otwlqnng.dll
C:\WINDOWS\system32\PsvvGfhk.ini
C:\WINDOWS\system32\PsvvGfhk.ini2
C:\WINDOWS\system32\qxvrmopq.dll
C:\WINDOWS\system32\tlilosyx.dll
C:\WINDOWS\system32\TvDLknpo.ini
C:\WINDOWS\system32\TvDLknpo.ini2
C:\WINDOWS\system32\wgfynjlt.ini
C:\WINDOWS\system32\xysolilt.ini

.
((((((((((((((((((((((((( Files Created from 2008-03-24 to 2008-04-24 )))))))))))))))))))))))))))))))
.

2008-04-23 21:00 . 2008-04-23 21:00 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-23 19:19 . 2008-04-23 19:19 <DIR> d-------- C:\Documents and Settings\Administrator
2008-04-23 19:19 . 2008-04-24 18:32 1,024 --ah----- C:\Documents and Settings\Administrator\NtUser.dat.LOG
2008-04-22 14:59 . 2008-04-23 19:26 1,541,157 --ahs---- C:\WINDOWS\system32\uymdwjae.ini
2008-04-22 14:54 . 2008-04-22 14:54 1,540,857 --ahs---- C:\WINDOWS\system32\txckybdc.ini
2008-04-20 19:27 . 2008-04-20 19:27 <DIR> d-------- C:\Documents and Settings\Pan Klapka\Application Data\ACD Systems
2008-04-20 19:17 . 2008-04-20 19:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ACD Systems
2008-04-20 19:16 . 2008-04-20 19:17 <DIR> d-------- C:\Program Files\Common Files\ACD Systems
2008-04-20 19:16 . 2008-04-20 19:16 <DIR> d-------- C:\Program Files\ACD Systems
2008-04-20 19:05 . 2008-04-20 19:05 <DIR> d-------- C:\searchplugins
2008-04-20 19:04 . 2008-04-22 14:51 <DIR> d-------- C:\Program Files\Spyware Terminator
2008-04-20 19:04 . 2008-04-24 18:28 <DIR> d-------- C:\Documents and Settings\Pan Klapka\Application Data\Spyware Terminator
2008-04-20 19:04 . 2008-04-21 15:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spyware Terminator
2008-04-20 19:04 . 2008-04-20 19:04 138,752 --a------ C:\WINDOWS\system32\drivers\sp_rsdrv2.sys
2008-04-20 18:26 . 2008-04-20 18:25 512,096 --a------ C:\WINDOWS\system32\drivers\amon.sys
2008-04-20 18:26 . 2008-04-20 18:25 298,104 --a------ C:\WINDOWS\system32\imon.dll
2008-04-20 18:26 . 2008-04-20 18:25 15,424 --a------ C:\WINDOWS\system32\drivers\nod32drv.sys
2008-04-20 18:26 . 2008-04-20 18:26 0 --a------ C:\WINDOWS\system32\mapisvc.inf
2008-04-20 18:22 . 2008-04-20 18:44 <DIR> d-------- C:\Program Files\ESET
2008-04-20 11:16 . 2008-04-20 18:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-04-20 10:57 . 2008-04-23 12:04 <DIR> d-------- C:\Program Files\Opera
2008-04-19 22:53 . 2008-04-19 22:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ESET
2008-04-14 09:08 . 2008-04-23 19:17 109,111 --a------ C:\WINDOWS\BMf74747db.xml
2008-04-13 12:22 . 2008-04-13 12:23 2 --a------ C:\-193694488
2008-04-13 12:21 . 2008-04-13 12:21 38,400 --a------ C:\WINDOWS\system32\nnNedawt.dll
2008-04-13 12:19 . 2008-04-13 12:28 <DIR> d-------- C:\Documents and Settings\Pan Klapka\Application Data\Vso
2008-04-13 12:19 . 2008-04-13 12:28 87,608 --a------ C:\Documents and Settings\Pan Klapka\Application Data\inst.exe
2008-04-13 12:19 . 2008-04-13 12:19 47,360 --a------ C:\WINDOWS\system32\drivers\pcouffin.sys
2008-04-13 12:19 . 2008-04-13 12:28 47,360 --a------ C:\Documents and Settings\Pan Klapka\Application Data\pcouffin.sys
2008-04-13 12:18 . 2008-04-13 12:18 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-04-02 08:36 . 2008-04-02 08:38 <DIR> d-------- C:\SierraChart
2008-03-31 12:50 . 2008-03-31 12:50 <DIR> d-------- C:\Documents and Settings\Pan Klapka\Application Data\Notepad++
2008-03-31 09:58 . 2008-04-02 08:28 359 --a------ C:\WINDOWS\SierraChart.INI
2008-03-31 08:51 . 2008-03-31 08:51 <DIR> d-------- C:\Program Files\Foxit Software

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-21 11:22 --------- d-----w C:\Program Files\TrueCrypt
2008-03-21 11:20 --------- d-----w C:\Documents and Settings\Pan Klapka\Application Data\TrueCrypt
2008-03-21 11:15 223,424 ----a-w C:\WINDOWS\system32\drivers\truecrypt.sys
2008-03-21 11:13 --------- d-----w C:\Documents and Settings\Pan Klapka\Application Data\uTorrent
2008-03-04 10:56 --------- d-----w C:\Program Files\Microsoft Games
2008-02-25 16:21 --------- d-----w C:\Documents and Settings\Pan Klapka\Application Data\CyberLink
2008-02-19 17:32 315,392 ----a-w C:\WINDOWS\HideWin.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{50acfa68-2eb1-471c-b588-e648796375f6}]
C:\WINDOWS\system32\jkkLCTkh.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{803f8943-2763-4189-9652-f5f1eb0e8808}]
C:\WINDOWS\system32\khfGvvsP.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B82F29E4-8368-4B14-9C00-5138C0D94034}]
2008-04-13 12:21 38400 --a------ C:\WINDOWS\system32\nnNedawt.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2006-10-15 18:41 1694208]
"DAEMON Tools Lite"="C:\Program Files\DAEMON Tools Lite\daemon.exe" [2007-12-29 14:05 486856]
"RocketDock"="C:\Program Files\RocketDock\RocketDock.exe" [2007-09-02 14:58 495616]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-07-25 03:44 8433664]
"nwiz"="nwiz.exe" [2007-07-25 03:45 1626112 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-07-25 03:44 81920]
"RTHDCPL"="RTHDCPL.EXE" [2007-07-25 03:43 16342528 C:\WINDOWS\RTHDCPL.exe]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-07-25 03:42 827392]
"LManager"="C:\PROGRA~1\LAUNCH~1\LManager.exe" [2007-07-25 03:41 752136]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 12:50 155648]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 14:06 40048]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2008-01-16 00:54 37376]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 20:42 32768]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2008-04-20 18:25 949376]
"SpywareTerminator"="C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe" [2008-04-20 19:04 2957824]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 00:56 15360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{B82F29E4-8368-4B14-9C00-5138C0D94034}"= C:\WINDOWS\system32\nnNedawt.dll [2008-04-13 12:21 38400]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nnNedawt]
nnNedawt.dll 2008-04-13 12:21 38400 C:\WINDOWS\system32\nnNedawt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.YV12"= yv12vfw.dll
"VIDC.ACDV"= ACDV.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BMf74747db]
C:\WINDOWS\system32\niayknkl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\f4747447]
C:\WINDOWS\system32\eajwdmyu.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=

R1 sp_rsdrv2;Spyware Terminator Driver 2;C:\WINDOWS\system32\drivers\sp_rsdrv2.sys [2008-04-20 19:04]
R3 Cam5607;Acer Crystal Eye webcam;C:\WINDOWS\system32\Drivers\BisonC07.sys [2007-05-03 12:29]
R3 nvsmu;nvsmu;C:\WINDOWS\system32\DRIVERS\nvsmu.sys [2007-07-25 03:45]
R3 PSched;QoS Packet Scheduler;C:\WINDOWS\system32\DRIVERS\psched.sys [2004-08-03 23:04]

.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-24 18:37:34
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\nnNedawt.dll

PROCESS: C:\WINDOWS\explorer.exe
-> C:\Program Files\RocketDock\RocketDock.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\ESET\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\DOCUME~1\PANKLA~1\LOCALS~1\temp\RtkBtMnt.exe
.
**************************************************************************
.
Completion time: 2008-04-24 18:39:38 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-24 16:39:31

Pre-Run: 14,882,713,600 bytes free
Post-Run: 14,825,922,560 bytes free

162


Re: nnNedawt.dll

Post by El Diablo » 24 Apr 2008 18:55

RTFM!!! UBCD - Ultimate Boot CD Have you tried turning it off and on again? Or from PIO to DMA and back... :) * How to clear CMOS
Those who ask too much google too little. Recommended freeware

i5 3570K, ASRock Z77 Extreme, 16GB Corsair, 120GB SSD Kingston +2TB Samsung, Gigabyte Radeon HD7870, Sharkoon ReX8VE, XL-747H


Re: nnNedawt.dll

Post by snailx » 24 Apr 2008 19:25

vundofix.exe found nothing, so I also used Virtumondobegone in safe mode;
the log is here:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:18:40, on 24.4.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\LAUNCH~1\LManager.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\RocketDock\RocketDock.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\DOCUME~1\PANKLA~1\LOCALS~1\Temp\RtkBtMnt.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.daemon-search.com/startpage

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Podpora odkazu pro Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O2 - BHO: (no name) - {50acfa68-2eb1-471c-b588-e648796375f6} - C:\WINDOWS\system32\jkkLCTkh.dll (file missing)
O2 - BHO: (no name) - {803f8943-2763-4189-9652-f5f1eb0e8808} - C:\WINDOWS\system32\khfGvvsP.dll (file missing)
O3 - Toolbar: &Crawler lišta - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\LManager.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe"
O4 - HKCU\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Bluetooth.lnk = ?
O8 - Extra context menu item: Crawler Search - tbr:iemenu
O8 - Extra context menu item: E&xportovat do aplikace Microsoft Office Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: Zdroje informací - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{C11D27A2-4F6D-4F2A-832A-DB0A55966811}: NameServer = 88.146.135.10,213.29.58.9
O18 - Protocol: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: NOD32 Kernel Service (nod32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe

--
End of file - 6096 bytes
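Both HijackThis logs in this thread are read by hand. As an added example (the editor's, not HijackThis code and not anything posted in the thread), the following Python parses HJT entries into records and applies three heuristics a helper applies when reading such a log: a BHO with "(no name)", a registration whose file is "(file missing)" (the registry entry outlived the file, as with the two BHOs in the second log), and an 8-letter random DLL name in system32, the naming pattern of the Vundo components listed in this thread. The sample entries are copied from the two logs above; the flag names, regexes and function names are the editor's assumptions.

```python
"""Parse HijackThis 2.0.2 log entries and flag the ones a helper would look at
first.  Added example for this thread; it is not HijackThis code and the
rules below are the editor's own heuristics, not the tool's logic."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Sample entries copied from the two HijackThis logs posted in this thread
# (the "(file missing)" BHOs are from the second log).
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Boot mode: Normal

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.daemon-search.com/startpage
O2 - BHO: Podpora odkazu pro Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {50acfa68-2eb1-471c-b588-e648796375f6} - C:\WINDOWS\system32\jkkLCTkh.dll (file missing)
O2 - BHO: (no name) - {803f8943-2763-4189-9652-f5f1eb0e8808} - C:\WINDOWS\system32\khfGvvsP.dll (file missing)
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O23 - Service: NOD32 Kernel Service (nod32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
"""

ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
PATH_RE = re.compile(r"[A-Za-z]:\\.+?\.(?:dll|exe|sys)\b", re.IGNORECASE)
# The Vundo components in this thread all had 8-letter random names in system32
# (jkkLCTkh.dll, khfGvvsP.dll, nnNedawt.dll, niayknkl.dll); a heuristic, not a signature.
RANDOM_DLL_RE = re.compile(r"\\system32\\[A-Za-z]{8}\.dll$", re.IGNORECASE)


@dataclass
class Entry:
    section: str            # HJT section code: R0, O2, O4, O23 ...
    body: str               # text after "Oxx - "
    clsid: Optional[str]    # first CLSID in the line, if any
    path: Optional[str]     # first file path in the line, if any
    flags: List[str] = field(default_factory=list)


def flag(entry: Entry) -> List[str]:
    """Heuristic flags; each one is a reason to look closer, not a verdict."""
    flags = []
    if entry.section == "O2" and "(no name)" in entry.body:
        flags.append("bho-no-name")        # legitimate BHOs almost always carry a name
    if "(file missing)" in entry.body:
        flags.append("file-missing")       # registration survived, file is gone: leftover to clean
    if entry.path and RANDOM_DLL_RE.search(entry.path):
        flags.append("random-name-dll-in-system32")
    return flags


def parse_line(line: str) -> Optional[Entry]:
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None        # banner lines, the "Running processes:" block, blanks
    clsid = CLSID_RE.search(m.group("body"))
    path = PATH_RE.search(m.group("body"))
    entry = Entry(m.group("section"), m.group("body"),
                  clsid.group(0) if clsid else None,
                  path.group(0) if path else None)
    entry.flags = flag(entry)
    return entry


def parse_log(text: str) -> List[Entry]:
    return [e for e in (parse_line(line) for line in text.splitlines()) if e]


def suspicious(text: str) -> List[Entry]:
    """Only the entries that picked up at least one flag."""
    return [e for e in parse_log(text) if e.flags]


if __name__ == "__main__":
    for e in suspicious(SAMPLE_LOG):
        print(f"{e.section:4} {e.clsid or '-':40} {e.path}  <- {', '.join(e.flags)}")
```

Run against the sample, only the two orphaned BHO registrations are reported; the Adobe BHO, the NOD32 autorun and the NOD32 service pass all three rules. The "file-missing" flag is the useful one for this thread: the DLLs are gone, but the CLSID keys that load them are still there, which is exactly what fredik's later script removes.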


Re: nnNedawt.dll

Post by snailx » 24 Apr 2008 19:35

NOD32 antivirus keeps reporting the same thing :-(


Re: nnNedawt.dll

Post by fredik » 24 Apr 2008 19:40

To El Diablo:
I don't know why you can't refrain from posts like that; you only cause needless confusion here with them...

Well, no wonder...

However, you did not turn off the resident shield in Spyware Terminator!
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

Open Notepad (Start -> Run... and type Notepad in the box and press OK)
Copy the entire following text marked in green into it:
Note: Do not use SELECT ALL to select the script


File::
C:\WINDOWS\system32\uymdwjae.ini
C:\WINDOWS\system32\txckybdc.ini
C:\WINDOWS\BMf74747db.xml
C:\-193694488
C:\WINDOWS\system32\nnNedawt.dll
C:\WINDOWS\system32\niayknkl.dll
C:\WINDOWS\system32\eajwdmyu.dll

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{50acfa68-2eb1-471c-b588-e648796375f6}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{803f8943-2763-4189-9652-f5f1eb0e8808}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B82F29E4-8368-4B14-9C00-5138C0D94034}]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{B82F29E4-8368-4B14-9C00-5138C0D94034}"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nnNedawt]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BMf74747db]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\f4747447]

Choose File -> Save As... and set these parameters:
File name: type: CFScript.txt
Save as type: select All Files
Save the file to the desktop.
Close all open windows.

Drag the created CFScript.txt script with the mouse over the downloaded ComboFix.exe and, when the two files overlap, drop the script
- ComboFix will start automatically
- Paste here the log that appears at the end of the cleaning process
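fredik's script above maps one-to-one onto the "Reg Loading Points" section of the ComboFix log posted earlier: every key that exists only for the malware (a BHO CLSID subkey, the Winlogon Notify subkey, the msconfig startupreg subkeys) is dropped with [-key], and in a shared key (ShellExecuteHooks) only the offending value is dropped with "name"=-, the standard REGEDIT4 deletion syntax. The same log also explains why the file resisted deletion even in Safe Mode: ComboFix found nnNedawt.dll loaded inside winlogon.exe (it is registered as a Winlogon Notify package), and winlogon runs in Safe Mode as well, so the file stays in use. The following Python is an added example by the editor, not ComboFix's code and not fredik's; it reads an excerpt of that log, reports which process holds a given DLL, and derives File::/Registry:: directives in the same layout. The suspect file list, the key-versus-value rule and the function names are assumptions, and the output is something a helper reviews before use, not a replacement for that review.

```python
# Correlate ComboFix "Reg Loading Points" entries with suspect files and emit the
# File::/Registry:: directives fredik's CFScript uses.  Added example, not ComboFix code.
import re
from typing import List, Tuple

# Excerpt of the first ComboFix log posted above (lines copied verbatim, other blocks omitted).
COMBOFIX_LOG = r"""((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{50acfa68-2eb1-471c-b588-e648796375f6}]
C:\WINDOWS\system32\jkkLCTkh.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{803f8943-2763-4189-9652-f5f1eb0e8808}]
C:\WINDOWS\system32\khfGvvsP.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B82F29E4-8368-4B14-9C00-5138C0D94034}]
2008-04-13 12:21 38400 --a------ C:\WINDOWS\system32\nnNedawt.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{B82F29E4-8368-4B14-9C00-5138C0D94034}"= C:\WINDOWS\system32\nnNedawt.dll [2008-04-13 12:21 38400]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nnNedawt]
nnNedawt.dll 2008-04-13 12:21 38400 C:\WINDOWS\system32\nnNedawt.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BMf74747db]
C:\WINDOWS\system32\niayknkl.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\f4747447]
C:\WINDOWS\system32\eajwdmyu.dll
.
**************************************************************************
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\nnNedawt.dll
PROCESS: C:\WINDOWS\explorer.exe
-> C:\Program Files\RocketDock\RocketDock.dll
------------------------ Other Running Processes ------------------------
"""

# Files the thread identified as Vundo components (constructed list from the posts above;
# the two BHO DLLs are already gone, but their registrations remain).
SUSPECT_FILES = [r"C:\WINDOWS\system32\nnNedawt.dll", r"C:\WINDOWS\system32\niayknkl.dll",
                 r"C:\WINDOWS\system32\eajwdmyu.dll", r"C:\WINDOWS\system32\jkkLCTkh.dll",
                 r"C:\WINDOWS\system32\khfGvvsP.dll"]
KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=')


def section(log: str, marker: str) -> List[str]:
    """Lines after the banner containing `marker`, up to the next section banner."""
    out, inside = [], False
    for line in log.splitlines():
        if not inside:
            inside = marker in line            # skip everything up to and including the banner
        elif line.startswith(("((((", "----", "****")):
            break                              # next banner ends the section
        else:
            out.append(line)
    return out


def reg_blocks(log: str) -> List[Tuple[str, List[str]]]:
    """Group the Reg Loading Points section into (key, value lines) blocks."""
    blocks = []
    for line in section(log, "Reg Loading Points"):
        m = KEY_RE.match(line)
        if m:
            blocks.append((m.group("key"), []))
        elif blocks and line.strip() not in ("", "."):
            blocks[-1][1].append(line)
    return blocks


def loaded_in(log: str, dll_name: str) -> List[str]:
    """Processes ComboFix saw with dll_name loaded (why the file resists deletion)."""
    hosts, current = [], None
    for line in section(log, "DLLs Loaded Under Running Processes"):
        if line.startswith("PROCESS: "):
            current = line[len("PROCESS: "):]
        elif line.startswith("-> ") and current and line.lower().endswith("\\" + dll_name.lower()):
            hosts.append(current)
    return hosts


def cfscript(log: str, suspect_files: List[str]) -> str:
    names = [p.rsplit("\\", 1)[-1].lower() for p in suspect_files]
    reg = []
    for key, values in reg_blocks(log):
        hits = [v for v in values if any(n in v.lower() for n in names)]
        if not hits:
            continue
        named = [VALUE_RE.match(v) for v in hits]
        if all(named):
            # shared container (Run, ShellExecuteHooks): remove only the offending value ("name"=-)
            reg.append(f"[{key}]")
            reg.extend(f'"{m.group("name")}"=-' for m in named)
        else:
            # per-item key (BHO CLSID, Winlogon Notify, msconfig startupreg): remove the key ([-key])
            reg.append(f"[-{key}]")
    return "File::\n" + "\n".join(suspect_files) + "\n\nRegistry::\n" + "\n".join(reg) + "\n"


if __name__ == "__main__":
    print("nnNedawt.dll loaded in:", loaded_in(COMBOFIX_LOG, "nnNedawt.dll"))
    print(cfscript(COMBOFIX_LOG, SUSPECT_FILES))
```

On the excerpt the Registry:: part comes out identical to fredik's eight lines, in log order; the CTFMON.EXE value under the Run key is untouched because none of the suspect names appear in it. The key-versus-value rule (a bare path line means a key that exists only for that item, a "name"= line means a shared container) is the pattern visible in this one log, which is why the result should still be read by a person before it is dropped onto ComboFix.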


Re: nnNedawt.dll

Post by snailx » 24 Apr 2008 20:07

sorry about Spyware Terminator, hopefully it's fine this time. Fredik, I really appreciate your patience and the time you spend on us "ordinary PC mortals", so here it is:


ComboFix 08-04-22.5 - Pan Klapka 2008-04-24 19:56:53.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1250.1.1033.18.648 [GMT 2:00]
Running from: C:\Documents and Settings\Pan Klapka\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Pan Klapka\Desktop\CFScript.txt
* Created a new restore point
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\-193694488
C:\WINDOWS\BMf74747db.xml
C:\WINDOWS\system32\eajwdmyu.dll
C:\WINDOWS\system32\niayknkl.dll
C:\WINDOWS\system32\nnNedawt.dll
C:\WINDOWS\system32\txckybdc.ini
C:\WINDOWS\system32\uymdwjae.ini
.

((((((((((((((((((((((((( Files Created from 2008-03-24 to 2008-04-24 )))))))))))))))))))))))))))))))
.

2008-04-24 19:03 . 2008-04-24 19:03 <DIR> d-------- C:\VundoFix Backups
2008-04-23 21:00 . 2008-04-23 21:00 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-23 19:19 . 2008-04-23 19:19 <DIR> d-------- C:\Documents and Settings\Administrator
2008-04-23 19:19 . 2008-04-24 19:14 1,024 --ah----- C:\Documents and Settings\Administrator\NtUser.dat.LOG
2008-04-20 19:27 . 2008-04-20 19:27 <DIR> d-------- C:\Documents and Settings\Pan Klapka\Application Data\ACD Systems
2008-04-20 19:17 . 2008-04-20 19:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ACD Systems
2008-04-20 19:16 . 2008-04-20 19:17 <DIR> d-------- C:\Program Files\Common Files\ACD Systems
2008-04-20 19:16 . 2008-04-20 19:16 <DIR> d-------- C:\Program Files\ACD Systems
2008-04-20 19:05 . 2008-04-20 19:05 <DIR> d-------- C:\searchplugins
2008-04-20 19:04 . 2008-04-22 14:51 <DIR> d-------- C:\Program Files\Spyware Terminator
2008-04-20 19:04 . 2008-04-24 19:52 <DIR> d-------- C:\Documents and Settings\Pan Klapka\Application Data\Spyware Terminator
2008-04-20 19:04 . 2008-04-21 15:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spyware Terminator
2008-04-20 19:04 . 2008-04-20 19:04 138,752 --a------ C:\WINDOWS\system32\drivers\sp_rsdrv2.sys
2008-04-20 18:26 . 2008-04-20 18:25 512,096 --a------ C:\WINDOWS\system32\drivers\amon.sys
2008-04-20 18:26 . 2008-04-20 18:25 298,104 --a------ C:\WINDOWS\system32\imon.dll
2008-04-20 18:26 . 2008-04-20 18:25 15,424 --a------ C:\WINDOWS\system32\drivers\nod32drv.sys
2008-04-20 18:26 . 2008-04-20 18:26 0 --a------ C:\WINDOWS\system32\mapisvc.inf
2008-04-20 18:22 . 2008-04-20 18:44 <DIR> d-------- C:\Program Files\ESET
2008-04-20 11:16 . 2008-04-20 18:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-04-20 10:57 . 2008-04-23 12:04 <DIR> d-------- C:\Program Files\Opera
2008-04-19 22:53 . 2008-04-19 22:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ESET
2008-04-13 12:21 . 2008-04-13 12:21 38,400 --a------ C:\WINDOWS\system32\nnNedawt.dll.vir
2008-04-13 12:19 . 2008-04-13 12:28 <DIR> d-------- C:\Documents and Settings\Pan Klapka\Application Data\Vso
2008-04-13 12:19 . 2008-04-13 12:19 47,360 --a------ C:\WINDOWS\system32\drivers\pcouffin.sys
2008-04-13 12:19 . 2008-04-13 12:28 47,360 --a------ C:\Documents and Settings\Pan Klapka\Application Data\pcouffin.sys
2008-04-13 12:18 . 2008-04-13 12:18 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-04-02 08:36 . 2008-04-02 08:38 <DIR> d-------- C:\SierraChart
2008-03-31 12:50 . 2008-03-31 12:50 <DIR> d-------- C:\Documents and Settings\Pan Klapka\Application Data\Notepad++
2008-03-31 09:58 . 2008-04-02 08:28 359 --a------ C:\WINDOWS\SierraChart.INI
2008-03-31 08:51 . 2008-03-31 08:51 <DIR> d-------- C:\Program Files\Foxit Software

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-21 11:22 --------- d-----w C:\Program Files\TrueCrypt
2008-03-21 11:20 --------- d-----w C:\Documents and Settings\Pan Klapka\Application Data\TrueCrypt
2008-03-21 11:15 223,424 ----a-w C:\WINDOWS\system32\drivers\truecrypt.sys
2008-03-21 11:13 --------- d-----w C:\Documents and Settings\Pan Klapka\Application Data\uTorrent
2008-03-04 10:56 --------- d-----w C:\Program Files\Microsoft Games
2008-02-25 16:21 --------- d-----w C:\Documents and Settings\Pan Klapka\Application Data\CyberLink
2008-02-19 17:32 315,392 ----a-w C:\WINDOWS\HideWin.exe
.

((((((((((((((((((((((((((((( snapshot@2008-04-24_18.39.07.81 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-24 16:36:31 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-04-24 17:15:08 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2008-04-24 16:29:18 41,170 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-04-24 17:19:37 41,170 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-04-24 16:29:18 314,842 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-04-24 17:19:37 314,842 ----a-w C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2006-10-15 18:41 1694208]
"DAEMON Tools Lite"="C:\Program Files\DAEMON Tools Lite\daemon.exe" [2007-12-29 14:05 486856]
"RocketDock"="C:\Program Files\RocketDock\RocketDock.exe" [2007-09-02 14:58 495616]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-07-25 03:44 8433664]
"nwiz"="nwiz.exe" [2007-07-25 03:45 1626112 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-07-25 03:44 81920]
"RTHDCPL"="RTHDCPL.EXE" [2007-07-25 03:43 16342528 C:\WINDOWS\RTHDCPL.exe]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-07-25 03:42 827392]
"LManager"="C:\PROGRA~1\LAUNCH~1\LManager.exe" [2007-07-25 03:41 752136]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 12:50 155648]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 14:06 40048]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2008-01-16 00:54 37376]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 20:42 32768]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2008-04-20 18:25 949376]
"SpywareTerminator"="C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe" [2008-04-20 19:04 2957824]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 00:56 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.YV12"= yv12vfw.dll
"VIDC.ACDV"= ACDV.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=

R1 sp_rsdrv2;Spyware Terminator Driver 2;C:\WINDOWS\system32\drivers\sp_rsdrv2.sys [2008-04-20 19:04]
R3 Cam5607;Acer Crystal Eye webcam;C:\WINDOWS\system32\Drivers\BisonC07.sys [2007-05-03 12:29]
R3 nvsmu;nvsmu;C:\WINDOWS\system32\DRIVERS\nvsmu.sys [2007-07-25 03:45]
R3 PSched;QoS Packet Scheduler;C:\WINDOWS\system32\DRIVERS\psched.sys [2004-08-03 23:04]

*Newly Created Service* - CATCHME
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-24 19:57:45
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-04-24 19:58:11
ComboFix-quarantined-files.txt 2008-04-24 17:58:06

Pre-Run: 15,068,016,640 bytes free
Post-Run: 15,066,779,648 bytes free


fredik (Security team member, Master Level 7; posts: 4680; registered: July 06)

Re: nnNedawt.dll

Post by fredik » 24 Apr 2008 20:49

Create a new CFScript and use it the same way as the previous one, but this time paste the following into it:
Note: do not use the SELECT ALL function to select the script.

Code:

File::
C:\WINDOWS\system32\nnNedawt.dll.vir

Then post the ComboFix log from after it has run here, plus a new HJT log.

snailx (newcomer; posts: 12; registered: April 07)

Re: nnNedawt.dll

Post by snailx » 24 Apr 2008 22:04

ComboFix 08-04-22.5 - Pan Klapka 2008-04-24 21:58:03.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1250.1.1033.18.648 [GMT 2:00]
Running from: C:\Documents and Settings\Pan Klapka\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Pan Klapka\Desktop\CFScript.txt
* Created a new restore point
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\system32\nnNedawt.dll.vir
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\nnNedawt.dll.vir

.
((((((((((((((((((((((((( Files Created from 2008-03-24 to 2008-04-24 )))))))))))))))))))))))))))))))
.

2008-04-24 19:03 . 2008-04-24 19:03 <DIR> d-------- C:\VundoFix Backups
2008-04-23 21:00 . 2008-04-23 21:00 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-23 19:19 . 2008-04-23 19:19 <DIR> d-------- C:\Documents and Settings\Administrator
2008-04-23 19:19 . 2008-04-24 20:41 1,024 --ah----- C:\Documents and Settings\Administrator\NtUser.dat.LOG
2008-04-20 19:27 . 2008-04-20 19:27 <DIR> d-------- C:\Documents and Settings\Pan Klapka\Application Data\ACD Systems
2008-04-20 19:17 . 2008-04-20 19:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ACD Systems
2008-04-20 19:16 . 2008-04-20 19:17 <DIR> d-------- C:\Program Files\Common Files\ACD Systems
2008-04-20 19:16 . 2008-04-20 19:16 <DIR> d-------- C:\Program Files\ACD Systems
2008-04-20 19:05 . 2008-04-20 19:05 <DIR> d-------- C:\searchplugins
2008-04-20 19:04 . 2008-04-22 14:51 <DIR> d-------- C:\Program Files\Spyware Terminator
2008-04-20 19:04 . 2008-04-24 19:52 <DIR> d-------- C:\Documents and Settings\Pan Klapka\Application Data\Spyware Terminator
2008-04-20 19:04 . 2008-04-21 15:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spyware Terminator
2008-04-20 19:04 . 2008-04-20 19:04 138,752 --a------ C:\WINDOWS\system32\drivers\sp_rsdrv2.sys
2008-04-20 18:26 . 2008-04-20 18:25 512,096 --a------ C:\WINDOWS\system32\drivers\amon.sys
2008-04-20 18:26 . 2008-04-20 18:25 298,104 --a------ C:\WINDOWS\system32\imon.dll
2008-04-20 18:26 . 2008-04-20 18:25 15,424 --a------ C:\WINDOWS\system32\drivers\nod32drv.sys
2008-04-20 18:26 . 2008-04-20 18:26 0 --a------ C:\WINDOWS\system32\mapisvc.inf
2008-04-20 18:22 . 2008-04-20 18:44 <DIR> d-------- C:\Program Files\ESET
2008-04-20 11:16 . 2008-04-20 18:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-04-20 10:57 . 2008-04-23 12:04 <DIR> d-------- C:\Program Files\Opera
2008-04-19 22:53 . 2008-04-19 22:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ESET
2008-04-13 12:19 . 2008-04-13 12:28 <DIR> d-------- C:\Documents and Settings\Pan Klapka\Application Data\Vso
2008-04-13 12:19 . 2008-04-13 12:19 47,360 --a------ C:\WINDOWS\system32\drivers\pcouffin.sys
2008-04-13 12:19 . 2008-04-13 12:28 47,360 --a------ C:\Documents and Settings\Pan Klapka\Application Data\pcouffin.sys
2008-04-13 12:18 . 2008-04-13 12:18 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-04-02 08:36 . 2008-04-02 08:38 <DIR> d-------- C:\SierraChart
2008-03-31 12:50 . 2008-03-31 12:50 <DIR> d-------- C:\Documents and Settings\Pan Klapka\Application Data\Notepad++
2008-03-31 09:58 . 2008-04-02 08:28 359 --a------ C:\WINDOWS\SierraChart.INI
2008-03-31 08:51 . 2008-03-31 08:51 <DIR> d-------- C:\Program Files\Foxit Software

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-21 11:22 --------- d-----w C:\Program Files\TrueCrypt
2008-03-21 11:20 --------- d-----w C:\Documents and Settings\Pan Klapka\Application Data\TrueCrypt
2008-03-21 11:15 223,424 ----a-w C:\WINDOWS\system32\drivers\truecrypt.sys
2008-03-21 11:13 --------- d-----w C:\Documents and Settings\Pan Klapka\Application Data\uTorrent
2008-03-04 10:56 --------- d-----w C:\Program Files\Microsoft Games
2008-02-25 16:21 --------- d-----w C:\Documents and Settings\Pan Klapka\Application Data\CyberLink
2008-02-19 17:32 315,392 ----a-w C:\WINDOWS\HideWin.exe
.

((((((((((((((((((((((((((((( snapshot@2008-04-24_18.39.07.81 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-24 16:36:31 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-04-24 17:15:08 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2008-04-24 16:29:18 41,170 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-04-24 17:19:37 41,170 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-04-24 16:29:18 314,842 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-04-24 17:19:37 314,842 ----a-w C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2006-10-15 18:41 1694208]
"DAEMON Tools Lite"="C:\Program Files\DAEMON Tools Lite\daemon.exe" [2007-12-29 14:05 486856]
"RocketDock"="C:\Program Files\RocketDock\RocketDock.exe" [2007-09-02 14:58 495616]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-07-25 03:44 8433664]
"nwiz"="nwiz.exe" [2007-07-25 03:45 1626112 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-07-25 03:44 81920]
"RTHDCPL"="RTHDCPL.EXE" [2007-07-25 03:43 16342528 C:\WINDOWS\RTHDCPL.exe]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-07-25 03:42 827392]
"LManager"="C:\PROGRA~1\LAUNCH~1\LManager.exe" [2007-07-25 03:41 752136]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 12:50 155648]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 14:06 40048]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2008-01-16 00:54 37376]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 20:42 32768]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2008-04-20 18:25 949376]
"SpywareTerminator"="C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe" [2008-04-20 19:04 2957824]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 00:56 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.YV12"= yv12vfw.dll
"VIDC.ACDV"= ACDV.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=

R1 sp_rsdrv2;Spyware Terminator Driver 2;C:\WINDOWS\system32\drivers\sp_rsdrv2.sys [2008-04-20 19:04]
R3 Cam5607;Acer Crystal Eye webcam;C:\WINDOWS\system32\Drivers\BisonC07.sys [2007-05-03 12:29]
R3 nvsmu;nvsmu;C:\WINDOWS\system32\DRIVERS\nvsmu.sys [2007-07-25 03:45]
R3 PSched;QoS Packet Scheduler;C:\WINDOWS\system32\DRIVERS\psched.sys [2004-08-03 23:04]

*Newly Created Service* - CATCHME
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-24 21:59:24
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-04-24 21:59:58
ComboFix-quarantined-files.txt 2008-04-24 19:59:54

Pre-Run: 15,060,697,088 bytes free
Post-Run: 15,048,990,720 bytes free

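As an added example (not code from this thread, nor from ComboFix, VundoFix or ESET), here is a small Python parser for the "Files Created" section of a ComboFix log of the kind posted above. It flags files in system32 whose name is eight letters plus ".dll" (the random-name pattern of the Virtumonde/Vundo DLLs in this thread: nnNedawt.dll, niayknkl.dll, eajwdmyn.dll), and it turns a reviewed list of paths into the `File::` block that fredik asked snailx to put in CFScript.txt. The sample lines are copied from the logs in this thread; the eight-letter rule and the names `parse_entries`, `suspects` and `build_cfscript` are this example's own, not a ComboFix feature.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: "Files Created" lines in ComboFix's own layout,
# copied from the logs posted in this thread.
SAMPLE_LOG = """\
2008-04-24 19:03 . 2008-04-24 19:03 <DIR> d-------- C:\\VundoFix Backups
2008-04-20 19:04 . 2008-04-20 19:04 138,752 --a------ C:\\WINDOWS\\system32\\drivers\\sp_rsdrv2.sys
2008-04-20 18:26 . 2008-04-20 18:25 298,104 --a------ C:\\WINDOWS\\system32\\imon.dll
2008-04-20 18:26 . 2008-04-20 18:26 0 --a------ C:\\WINDOWS\\system32\\mapisvc.inf
2008-04-13 12:21 . 2008-04-13 12:21 38,400 --a------ C:\\WINDOWS\\system32\\nnNedawt.dll.vir
2008-04-13 12:19 . 2008-04-13 12:19 47,360 --a------ C:\\WINDOWS\\system32\\drivers\\pcouffin.sys
"""

# One ComboFix entry: created . modified size attrs path
ENTRY_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size><DIR>|[\d,]+) (?P<attrs>\S+) (?P<path>.+)$"
)

# Heuristic (this example's own): eight letters, .dll, optionally the .vir
# suffix the renamed copy in this thread carries. Legitimate eight-letter
# system DLLs exist, so hits are review candidates, not a delete list.
RANDOM_DLL_RE = re.compile(r"^[A-Za-z]{8}\.dll(\.vir)?$")
SYSTEM32 = r"c:\windows\system32"


@dataclass
class Entry:
    created: str
    modified: str
    size: Optional[int]  # None for <DIR> entries
    attrs: str
    path: str


def parse_entries(text: str) -> List[Entry]:
    """Parse the 'Files Created' lines; anything else in the log is skipped."""
    entries: List[Entry] = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        size = None if m["size"] == "<DIR>" else int(m["size"].replace(",", ""))
        entries.append(Entry(m["created"], m["modified"], size, m["attrs"], m["path"]))
    return entries


def suspects(entries: List[Entry]) -> List[Entry]:
    """Files directly in system32 whose name matches the random-DLL pattern."""
    out: List[Entry] = []
    for e in entries:
        directory, _, name = e.path.rpartition("\\")
        if e.size is None or directory.lower() != SYSTEM32:
            continue
        if RANDOM_DLL_RE.match(name):
            out.append(e)
    return out


def build_cfscript(paths: List[str]) -> str:
    """Emit the File:: block ComboFix reads from CFScript.txt (one path per line)."""
    if not paths:
        return ""
    return "File::\n" + "\n".join(paths) + "\n"


if __name__ == "__main__":
    found = suspects(parse_entries(SAMPLE_LOG))
    for e in found:
        print(f"review: {e.path}  created {e.created}  size {e.size}")
    # Only paths a human has confirmed belong in the script.
    print(build_cfscript([e.path for e in found]))
```

On the sample above only `C:\WINDOWS\system32\nnNedawt.dll.vir` is flagged, and the script text matches what fredik posted. The flagged list is deliberately kept separate from `build_cfscript`: eight-letter names are a hint, not proof, so confirm each hit (no signature, no matching product, not referenced by an installed program) before it goes into a `File::` block.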

