PC without antivirus, urgent check, please...

Section devoted to viruses and other malicious code, but also to the tools you can use to defend against them…

Moderators: Mods_senior, Security team

Slender
newbie
Posts: 45
Registered: May 08
Gender: Not specified
Status:
Offline

PC without antivirus, urgent check, please...

Post by Slender » 20 May 2008 22:24

Aloha guys and girls (do any come here??)

A big favour to ask. My partner, in good faith, downloaded WinAntivirus Pro 2007 and a pile of other crap onto the laptop...

I've just spent half an hour going through the forums, but I'm slightly confused by it all. The main thing is that I'm leaving on a business trip tomorrow and I'd need to get it sorted out for her... Can you help?

Here is the first scan from SSF.

Thanks a lot,

Mik

SmitFraudFix v2.233

Scan done at 22:07:08,79, út 20.05.2008
Run from C:\Documents and Settings\Marketka\Plocha\SmitfraudFix
OS: Microsoft Windows XP [Verze 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts


127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{021727B4-9C04-4881-A77E-7123D13F92B6}: NameServer=192.168.1.1
HKLM\SYSTEM\CCS\Services\Tcpip\..\{75FF0149-6B6F-4AFF-BDAC-B1ED50A90377}: DhcpNameServer=10.0.0.138
HKLM\SYSTEM\CS1\Services\Tcpip\..\{021727B4-9C04-4881-A77E-7123D13F92B6}: NameServer=192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{75FF0149-6B6F-4AFF-BDAC-B1ED50A90377}: DhcpNameServer=10.0.0.138
HKLM\SYSTEM\CS3\Services\Tcpip\..\{021727B4-9C04-4881-A77E-7123D13F92B6}: NameServer=192.168.1.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{75FF0149-6B6F-4AFF-BDAC-B1ED50A90377}: DhcpNameServer=10.0.0.138
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=10.0.0.138
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=10.0.0.138
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=10.0.0.138


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End

Here is SDFix:


SDFix: Version 1.184
Run by Marketka on út 20.05.2008 at 23:09

Microsoft Windows XP [Verze 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\WINDOWS\SYSTEM32\WMS2-2~1.EXE - Deleted
C:\autorun.inf - Deleted



Folder C:\Documents and Settings\All Users\Application Data\SalesMon - Removed


Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1359.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-20 23:21:59
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Cursors\Schemes]
"\f\1e?r?n?é? ?u?k?a?z?a?t?e?l?e? ?"="C:\WINDOWS\cursors\arrow_r.cur,C:\WINDOWS\cursors\help_r.cur,C:\WINDOWS\cursors\wait_r.cur,C:\WINDOWS\cursors\busy_r.cur,C:\WINDOWS\cursors\cross_r.cur,C:\WINDOWS\cursors\beam_r.cur,C:\WINDOWS\cursors\pen_r.cur,C:\WINDOWS\cursors\no_r.cur,C:\WINDOWS\cursors\size4_r.cur,C:\WINDOWS\cursors\size3_r.cur,C:\WINDOWS\cursors\size2_r.cur,C:\WINDOWS\cursors\size1_r.cur,C:\WINDOWS\cursors\move_r.cur,C:\WINDOWS\cursors\up_r.cur"
"\f\1e?r?n?é? ?u?k?a?z?a?t?e?l?e? ?(?v?e?l?k?é?)?"="C:\WINDOWS\cursors\arrow_rm.cur,C:\WINDOWS\cursors\help_rm.cur,C:\WINDOWS\cursors\wait_rm.cur,C:\WINDOWS\cursors\busy_rm.cur,C:\WINDOWS\cursors\cross_rm.cur,C:\WINDOWS\cursors\beam_rm.cur,C:\WINDOWS\cursors\pen_rm.cur,C:\WINDOWS\cursors\no_rm.cur,C:\WINDOWS\cursors\size4_rm.cur,C:\WINDOWS\cursors\size3_rm.cur,C:\WINDOWS\cursors\size2_rm.cur,C:\WINDOWS\cursors\size1_rm.cur,C:\WINDOWS\cursors\move_rm.cur,C:\WINDOWS\cursors\up_rm.cur"
"\f\1e?r?n?é? ?u?k?a?z?a?t?e?l?e? ?(?n?e?j?v?\e\1t?a\1í?)?"="C:\WINDOWS\cursors\arrow_rl.cur,C:\WINDOWS\cursors\help_rl.cur,C:\WINDOWS\cursors\wait_rl.cur,C:\WINDOWS\cursors\busy_rl.cur,C:\WINDOWS\cursors\cross_rl.cur,C:\WINDOWS\cursors\beam_rl.cur,C:\WINDOWS\cursors\pen_rl.cur,C:\WINDOWS\cursors\no_rl.cur,C:\WINDOWS\cursors\size4_rl.cur,C:\WINDOWS\cursors\size3_rl.cur,C:\WINDOWS\cursors\size2_rl.cur,C:\WINDOWS\cursors\size1_rl.cur,C:\WINDOWS\cursors\move_rl.cur,C:\WINDOWS\cursors\up_rl.cur"

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Messenger\\Msmsgs.exe"="C:\\Program Files\\Messenger\\Msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\ICQLite\\ICQLite.exe"="C:\\Program Files\\ICQLite\\ICQLite.exe:*:Enabled:ICQ Lite"
"C:\\Documents and Settings\\Marketka\\Dokumenty\\ICQ Lite\\367409488\\Kubca_198961746\\sdc203\\StrongDC.exe"="C:\\Documents and Settings\\Marketka\\Dokumenty\\ICQ Lite\\367409488\\Kubca_198961746\\sdc203\\StrongDC.exe:*:Enabled:StrongDC++"
"C:\\Documents and Settings\\Marketka\\Dokumenty\\Administration\\LimeWire\\LimeWire.exe"="C:\\Documents and Settings\\Marketka\\Dokumenty\\Administration\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\WINDOWS\\system32\\ADFC.exe"="C:\\WINDOWS\\system32\\ADFC.exe:*:Enabled:SystemVersion"
"C:\\WINDOWS\\system32\\svchd32.exe"="C:\\WINDOWS\\system32\\svchd32.exe:*:Enabled:SystemVersion"
"C:\\WINDOWS\\system32\\servsq.exe"="C:\\WINDOWS\\system32\\servsq.exe:*:Enabled:SystemVersion"
"C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\Program Files\\Winamp Remote\\bin\\Orb.exe"="C:\\Program Files\\Winamp Remote\\bin\\Orb.exe:*:Enabled:Orb"
"C:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe"="C:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe:*:Enabled:OrbTray"
"C:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe"="C:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe:*:Enabled:Orb Stream Client"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype. The whole world can talk for free."

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Sun 17 Dec 2006 61,985 ..SHR --- "C:\Recycled\ctfmon.exe"
Sun 17 Dec 2006 61,985 ..SHR --- "C:\Recycled\Recycled\ctfmon.exe"
Sat 22 Mar 2008 12,288 ..SHR --- "C:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\iuhi64.exe"
Fri 15 Jun 2007 40,960 A..H. --- "C:\WINDOWS\system32\cnnperf.exe"
Fri 15 Jun 2007 45,056 A..H. --- "C:\WINDOWS\system32\cnnprf32.dll"
Fri 15 Jun 2007 53,248 A..H. --- "C:\WINDOWS\system32\confcnn.dll"
Wed 20 Jun 2007 57,344 A..H. --- "C:\WINDOWS\system32\confksd.dll"
Wed 20 Jun 2007 331,776 A..H. --- "C:\WINDOWS\system32\ksdmgr32.dll"
Wed 20 Jun 2007 40,960 A..H. --- "C:\WINDOWS\system32\ksdperf.exe"
Wed 20 Jun 2007 122,880 A..H. --- "C:\WINDOWS\system32\ksdstat.dll"
Tue 17 Jul 2007 45,056 A..H. --- "C:\WINDOWS\system32\sdperf.exe"
Tue 27 Mar 2007 19,968 ...H. --- "C:\Documents and Settings\Marketka\Dokumenty\Mémoire\Parties\~WRL1856.tmp"
Tue 27 Mar 2007 19,968 A..H. --- "C:\Documents and Settings\Marketka\Dokumenty\Études\Parties\~WRL1856.tmp"
Sat 5 May 2007 22,528 A..H. --- "C:\Documents and Settings\Marketka\Dokumenty\Études\státnice\~WRL3256.tmp"
Thu 14 Feb 2008 20,992 A..H. --- "C:\Documents and Settings\Marketka\Plocha\flash\CHRIS\~WRL0001.tmp"
Sat 5 May 2007 22,528 A..H. --- "C:\Documents and Settings\Marketka\Plocha\flash\státnice\~WRL3256.tmp"
Tue 27 Mar 2007 19,968 A..H. --- "C:\Documents and Settings\Marketka\Local Settings\Data aplikací\Microsoft\Zápis na CD\Études\Parties\~WRL1856.tmp"
Sat 5 May 2007 22,528 A..H. --- "C:\Documents and Settings\Marketka\Local Settings\Data aplikací\Microsoft\Zápis na CD\Études\státnice\~WRL3256.tmp"

Finished!

... catchme:

catchme 0.3.1359.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-20 23:21:59
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Cursors\Schemes]
"\f\1e?r?n?é? ?u?k?a?z?a?t?e?l?e? ?"="C:\WINDOWS\cursors\arrow_r.cur,C:\WINDOWS\cursors\help_r.cur,C:\WINDOWS\cursors\wait_r.cur,C:\WINDOWS\cursors\busy_r.cur,C:\WINDOWS\cursors\cross_r.cur,C:\WINDOWS\cursors\beam_r.cur,C:\WINDOWS\cursors\pen_r.cur,C:\WINDOWS\cursors\no_r.cur,C:\WINDOWS\cursors\size4_r.cur,C:\WINDOWS\cursors\size3_r.cur,C:\WINDOWS\cursors\size2_r.cur,C:\WINDOWS\cursors\size1_r.cur,C:\WINDOWS\cursors\move_r.cur,C:\WINDOWS\cursors\up_r.cur"
"\f\1e?r?n?é? ?u?k?a?z?a?t?e?l?e? ?(?v?e?l?k?é?)?"="C:\WINDOWS\cursors\arrow_rm.cur,C:\WINDOWS\cursors\help_rm.cur,C:\WINDOWS\cursors\wait_rm.cur,C:\WINDOWS\cursors\busy_rm.cur,C:\WINDOWS\cursors\cross_rm.cur,C:\WINDOWS\cursors\beam_rm.cur,C:\WINDOWS\cursors\pen_rm.cur,C:\WINDOWS\cursors\no_rm.cur,C:\WINDOWS\cursors\size4_rm.cur,C:\WINDOWS\cursors\size3_rm.cur,C:\WINDOWS\cursors\size2_rm.cur,C:\WINDOWS\cursors\size1_rm.cur,C:\WINDOWS\cursors\move_rm.cur,C:\WINDOWS\cursors\up_rm.cur"
"\f\1e?r?n?é? ?u?k?a?z?a?t?e?l?e? ?(?n?e?j?v?\e\1t?a\1í?)?"="C:\WINDOWS\cursors\arrow_rl.cur,C:\WINDOWS\cursors\help_rl.cur,C:\WINDOWS\cursors\wait_rl.cur,C:\WINDOWS\cursors\busy_rl.cur,C:\WINDOWS\cursors\cross_rl.cur,C:\WINDOWS\cursors\beam_rl.cur,C:\WINDOWS\cursors\pen_rl.cur,C:\WINDOWS\cursors\no_rl.cur,C:\WINDOWS\cursors\size4_rl.cur,C:\WINDOWS\cursors\size3_rl.cur,C:\WINDOWS\cursors\size2_rl.cur,C:\WINDOWS\cursors\size1_rl.cur,C:\WINDOWS\cursors\move_rl.cur,C:\WINDOWS\cursors\up_rl.cur"

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

... and finally HJT:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:38:54, on 20.5.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\o2flash.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\sm56hlpr.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\tsnpstd3.exe
C:\WINDOWS\vsnpstd3.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\System32\odfwbc22.exe
C:\WINDOWS\System32\odfybc22.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Winamp Remote\bin\OrbTray.exe
C:\Documents and Settings\Marketka\Nabídka Start\Programy\Po spuštění\ctfmon.exe
C:\Program Files\Winamp Remote\bin\Orb.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Skype\Plugin Manager\SkypePM.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [tsnpstd3] C:\WINDOWS\tsnpstd3.exe
O4 - HKLM\..\Run: [snpstd3] C:\WINDOWS\vsnpstd3.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [ksddiag] C:\WINDOWS\system32\ksdconf.exe
O4 - HKLM\..\Run: [odfwbc22] C:\WINDOWS\System32\odfwbc22.exe
O4 - HKLM\..\Run: [odfybc22] C:\WINDOWS\System32\odfybc22.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\wianmpa.exe
O4 - HKLM\..\Run: [fcff3dac] rundll32.exe "C:\WINDOWS\system32\pkvaohbq.dll",b
O4 - HKLM\..\Run: [Salestart(1)] "C:\Program Files\Common Files\WinAntiVirus Pro 2007\mav_startupmon.exe" dm=http://winantivirus.com ad=http://winantivirus.com sd=http://ulog.winantivirus.com
O4 - HKLM\..\Run: [BMffcc0e30] Rundll32.exe "C:\WINDOWS\system32\lniaumaf.dll",s
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Orb] "C:\Program Files\Winamp Remote\bin\OrbTray.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xportovat do aplikace Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: E&xportovat do aplikace Microsoft Office Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Zdroje informací - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: @c:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @c:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{021727B4-9C04-4881-A77E-7123D13F92B6}: NameServer = 192.168.1.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{021727B4-9C04-4881-A77E-7123D13F92B6}: NameServer = 192.168.1.1
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: confksd.dll ksdstat.dll odfwbcmz22.dll odfybcmz22.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: O2Micro Flash Memory (O2Flash) - Unknown owner - C:\WINDOWS\system32\o2flash.exe

--
End of file - 5568 bytes

fredik
Security team member
Master Level 7
Posts: 4680
Registered: July 06
Gender: Male
Status:
Offline

Re: PC without antivirus, urgent check, please...

Post by fredik » 21 May 2008 05:16

Welcome to the forum

Download ComboFix (by sUBs) and save it to your desktop.
Close all active windows and run it.
- After it starts, the terms of use are displayed; confirm them by pressing Yes
- Then follow the instructions; while ComboFix is running, do not click into the window it displays
- When the scan finishes, the program should create a log, C:\ComboFix.txt; please copy its entire contents here

PS: at the very least, that antivirus ought to be installed.
It may take a while to get a response, because the "HJT Team" are very busy. Please, be patient, these people are volunteers. They will help you out, as soon as possible.
If you have a problem, do not send me PMs with logs; post them in the forum. Such PMs cannot be answered

Slender
newbie
Posts: 45
Registered: May 08
Gender: Not specified
Status:
Offline

Re: PC without antivirus, urgent check, please...

Post by Slender » 21 May 2008 14:00

Hi... here it is. BTW, MS IE keeps throwing up loads of windows... always the same stuff, winantivirus, suspenzorPC.

What to do about this. The laptop is also terribly slow, as though something were constantly slowing the processes down...

The antivirus thing is my own stupidity, somehow there was no time to put it onto the new machine. Sigh.

ComboFix 08-05-20.5 - Marketka 2008-05-21 13:07:35.1 - NTFSx86
Running from: C:\Documents and Settings\Marketka\Plocha\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\autorun.inf
C:\Documents and Settings\All Users\Data aplikací\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Data aplikací\Microsoft\Network\Downloader\qmgr1.dat
C:\Documents and Settings\Marketka\Data aplikací\WinAntiVirus Pro 2007
C:\Documents and Settings\Marketka\Data aplikací\WinAntiVirus Pro 2007\avtasks.dat
C:\Documents and Settings\Marketka\Data aplikací\WinAntiVirus Pro 2007\CookieList.dat
C:\Documents and Settings\Marketka\Data aplikací\WinAntiVirus Pro 2007\history.db
C:\Documents and Settings\Marketka\Data aplikací\WinAntiVirus Pro 2007\Logs\update.log
C:\Documents and Settings\Marketka\Data aplikací\WinAntiVirus Pro 2007\Logs\wa7Support.log
C:\Documents and Settings\Marketka\Data aplikací\WinAntiVirus Pro 2007\Logs\winav.log
C:\Documents and Settings\Marketka\Data aplikací\WinAntiVirus Pro 2007\PGE.dat
C:\Program Files\Common Files\winantivirus pro 2007
C:\Program Files\Common Files\winantivirus pro 2007\err.log
C:\Program Files\winantivirus pro 2007
C:\Program Files\winantivirus pro 2007\WAV6COM.old
C:\Recycled\Recycled
C:\Recycled\Recycled\ctfmon.exe
C:\UWA7P
C:\WINDOWS\BMffcc0e30.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\amxemboe.exe
C:\WINDOWS\system32\confcnn.dll
C:\WINDOWS\system32\iiitynwb.dll
C:\WINDOWS\system32\jirdafdh.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mrcccyhr.ini
C:\WINDOWS\system32\oddhwvms.exe
C:\WINDOWS\system32\ohmktnds.dll
C:\WINDOWS\system32\oVCdMnmp.ini
C:\WINDOWS\system32\oVCdMnmp.ini2
C:\WINDOWS\system32\pkvaohbq.dll
C:\WINDOWS\system32\pmnMdCVo.dll
C:\WINDOWS\system32\qbhoavkp.ini
C:\WINDOWS\system32\rhycccrm.dll
C:\WINDOWS\system32\sdntkmho.ini
C:\WINDOWS\system32\stera.log
C:\WINDOWS\system32\yumdlvxa.exe

----- BITS: Possible infected sites -----

hxxp://au.dőj
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_FOPN


((((((((((((((((((((((((( Files Created from 2008-04-21 to 2008-05-21 )))))))))))))))))))))))))))))))
.

2008-05-21 13:15 . 2008-05-21 13:15 345 --ahs---- C:\WINDOWS\system32\hiOUCJlm.ini2
2008-05-21 13:15 . 2008-05-21 13:15 345 --ahs---- C:\WINDOWS\system32\hiOUCJlm.ini
2008-05-21 13:15 . 2008-05-21 13:15 121 -r-hs---- C:\autorun.inf
2008-05-21 13:14 . 2008-05-21 13:14 370,688 --a------ C:\WINDOWS\system32\mlJCUOih.dll
2008-05-20 23:38 . 2008-05-20 23:38 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-20 23:02 . 2008-05-20 23:03 <DIR> d-------- C:\WINDOWS\ERUNT
2008-05-20 22:42 . 2008-05-20 23:24 <DIR> d-------- C:\SDFix
2008-05-20 22:07 . 2008-05-20 22:07 4,166 --a------ C:\WINDOWS\system32\tmp.reg
2008-05-20 14:07 . 2008-05-20 14:10 126,976 --a------ C:\WINDOWS\system32\lniaumaf.dll
2008-05-19 16:33 . 2004-10-07 14:39 8,704 --a------ C:\WINDOWS\system32\SpOrder.dll
2008-05-19 16:15 . 2008-05-19 16:15 <DIR> d-------- C:\Program Files\Common Files\SuspenzorPC
2008-05-17 11:56 . 2008-05-17 11:56 57,344 --a------ C:\WINDOWS\system32\vtUolJcb.dll
2008-05-17 11:44 . 2008-05-17 11:44 57,344 --a------ C:\WINDOWS\system32\qoMdAsrS.dll
2008-05-17 11:38 . 2008-05-17 11:38 57,344 --a------ C:\WINDOWS\system32\opnkhiFy.dll
2008-05-17 11:34 . 2008-05-17 11:34 57,344 --a------ C:\WINDOWS\system32\tuvSiIXp.dll
2008-05-17 11:09 . 2008-05-17 11:09 57,344 --a------ C:\WINDOWS\system32\qoMCtSMD.dll
2008-05-17 10:55 . 2008-05-17 10:55 57,344 --a------ C:\WINDOWS\system32\urqPhhHb.dll
2008-05-17 10:52 . 2008-05-17 10:52 57,344 --a------ C:\WINDOWS\system32\vtUonmkl.dll
2008-05-16 21:57 . 2008-05-16 21:57 <DIR> d-------- C:\Program Files\Webteh

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-21 11:14 83,108 ----a-w C:\WINDOWS\system32\odfybc22.exe
2008-05-21 11:14 83,029 ----a-w C:\WINDOWS\system32\odfwbc22.exe
2008-05-20 11:04 --------- d-----w C:\Program Files\Winamp Remote
2008-04-13 20:37 --------- d-----w C:\Program Files\Java
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{444FC7D1-8F08-4377-B39B-4D75AE0E9F70}]
2008-05-17 10:52 57344 --a------ C:\WINDOWS\system32\vtUonmkl.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{477E3281-8C75-408B-B0FF-773F921E1FD6}]
2008-05-21 13:14 370688 --a------ C:\WINDOWS\system32\mlJCUOih.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-18 14:00 15360]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-02-23 00:31 25388584]
"msnmsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 13:55 5674352]
"Orb"="C:\Program Files\Winamp Remote\bin\OrbTray.exe" [2008-01-07 22:02 495616]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 17:41 45056]
"RTHDCPL"="RTHDCPL.EXE" [2006-04-17 15:34 16143872 C:\WINDOWS\RTHDCPL.EXE]
"SMSERIAL"="sm56hlpr.exe" [2006-01-20 13:34 544768 C:\WINDOWS\sm56hlpr.exe]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2005-04-15 16:13 45056]
"tsnpstd3"="C:\WINDOWS\tsnpstd3.exe" [2005-11-04 16:05 90112]
"snpstd3"="C:\WINDOWS\vsnpstd3.exe" [2005-09-05 16:55 339968]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"ksddiag"="C:\WINDOWS\system32\ksdconf.exe" [ ]
"odfwbc22"="C:\WINDOWS\System32\odfwbc22.exe" [2008-05-21 13:14 83029]
"odfybc22"="C:\WINDOWS\System32\odfybc22.exe" [2008-05-21 13:14 83108]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"WinampAgent"="C:\Program Files\Winamp\wianmpa.exe" [ ]
"BMffcc0e30"="C:\WINDOWS\system32\qdncmtkc.dll" [2008-05-21 13:18 126464]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-18 14:00 15360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{444FC7D1-8F08-4377-B39B-4D75AE0E9F70}"= C:\WINDOWS\system32\vtUonmkl.dll [2008-05-17 10:52 57344]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ksdmgr]
ksdmgr32.dll 2007-06-20 12:56 331776 C:\WINDOWS\system32\ksdmgr32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\odfwbc22]
C:\WINDOWS\System32\odfwbc22.dll 2007-07-05 17:40 102400 C:\WINDOWS\system32\odfwbc22.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\odfybc22]
C:\WINDOWS\System32\odfybc22.dll 2007-06-20 12:56 102400 C:\WINDOWS\system32\odfybc22.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtUonmkl]
vtUonmkl.dll 2008-05-17 10:52 57344 C:\WINDOWS\system32\vtUonmkl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"= confksd.dll ksdstat.dll odfwbcmz22.dll odfybcmz22.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\mlJCUOih

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\Msmsgs.exe"=
"C:\\Program Files\\ICQLite\\ICQLite.exe"=
"C:\\Documents and Settings\\Marketka\\Dokumenty\\ICQ Lite\\367409488\\Kubca_198961746\\sdc203\\StrongDC.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\Winamp Remote\\bin\\Orb.exe"=
"C:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe"=
"C:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 O2MDRDR;O2MDRDR;C:\WINDOWS\system32\DRIVERS\o2media.sys [2006-02-27 15:00]
R0 O2SDRDR;O2SDRDR;C:\WINDOWS\system32\DRIVERS\o2sd.sys [2006-02-20 16:01]
R2 Ethpdrv;Ethernet Packet Driver;C:\WINDOWS\system32\DRIVERS\ethpdrv.sys [2005-09-08 01:18]
R3 PSched;Plánovač paketů technologie QoS;C:\WINDOWS\system32\DRIVERS\psched.sys [2004-08-18 14:00]
R3 usbohci;Ovladač Miniport otevřeného hostitelského řadiče Microsoft USB;C:\WINDOWS\system32\DRIVERS\usbohci.sys [2006-04-19 13:50]
S3 ipw_bus;IPWireless;C:\WINDOWS\system32\DRIVERS\ipw_bus.sys [2005-09-27 10:21]
S3 ipw_mdfl;Wireless Broadband Modem Filter;C:\WINDOWS\system32\DRIVERS\ipw_mdfl.sys [2005-09-27 10:21]
S3 ipw_mdm;Wireless Broadband Modem (WDM);C:\WINDOWS\system32\DRIVERS\ipw_mdm.sys [2005-09-27 10:21]
S3 USBSTOR;Ovladač velkokapacitního paměťového zařízení USB;C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-04 00:08]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{16a2a9fc-9cef-11db-b51a-00c0a8c89514}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{18B0E5C2-99CB-11CF-AYX5-00401C648513}]
C:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\iuhi64.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-21 13:15:53
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\ksdmgr32.dll
-> C:\WINDOWS\System32\odfwbc22.dll
-> C:\WINDOWS\System32\odfybc22.dll
-> C:\WINDOWS\system32\vtUonmkl.dll

PROCESS: C:\WINDOWS\explorer.exe
-> C:\WINDOWS\System32\odfwbcmc22.dll
-> C:\WINDOWS\system32\odfwbcmz22.dll
-> C:\WINDOWS\System32\odfybcmc22.dll
-> C:\WINDOWS\system32\odfybcmz22.dll
-> C:\WINDOWS\system32\qdncmtkc.dll
-> C:\WINDOWS\system32\vtUonmkl.dll
-> C:\WINDOWS\system32\mlJCUOih.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\o2flash.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Documents and Settings\Marketka\Nabídka Start\Programy\Po spuštění\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\Winamp Remote\bin\Orb.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\system32\verclsid.exe
.
**************************************************************************
.
Completion time: 2008-05-21 13:23:01 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-21 11:20:21

Adresářů: 13, Volných bajtů: 4,338,827,264
Adresářů: 16, Volných bajtů: 4,268,507,136


goldstein
newbie
Posts: 1
Registered: May 08
Gender: Not specified
Status:
Offline

Re: PC without antivirus, urgent check, please...

Post by goldstein » 21 May 2008 14:31

Hi Mik.
I don't think installing another antivirus on top will help you. Probably the best thing is to turn off System Restore. Restart into Safe Mode. Run HijackThis there and wipe out a few keys with it.
Personally I'd zap these:
O4 - HKLM\..\Run: [ksddiag] C:\WINDOWS\system32\ksdconf.exe
O4 - HKLM\..\Run: [odfwbc22] C:\WINDOWS\System32\odfwbc22.exe
O4 - HKLM\..\Run: [odfybc22] C:\WINDOWS\System32\odfybc22.exe
O4 - HKLM\..\Run: [Salestart(1)] "C:\Program Files\Common Files\WinAntiVirus Pro 2007\mav_startupmon.exe" dm=http://winantivirus.com ad=http://winantivirus.com sd=http://ulog.winantivirus.com
O4 - HKLM\..\Run: [fcff3dac] rundll32.exe "C:\WINDOWS\system32\pkvaohbq.dll",b
O4 - HKLM\..\Run: [BMffcc0e30] Rundll32.exe "C:\WINDOWS\system32\lniaumaf.dll",s
O20 - AppInit_DLLs: confksd.dll ksdstat.dll odfwbcmz22.dll odfybcmz22.dll
Take the very first one, for instance: Google doesn't know the term "ksdconf.exe", so it's probably junk. I'd save the log (backing up the keys is pointless, I think) and restart the computer into normal mode. Then HJT again and compare with the previous log to see whether those keys have perhaps been recreated. Nothing more comes to mind for now. But hey, definitely tell your girlfriend that it's better to look up relevant information on the internet first about a program she wants to install. :D
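The "run HJT again and compare with the previous log" step above is easy to get wrong by eye, because this family of malware re-creates the same Run value under a freshly generated DLL name (the thread's own logs show [BMffcc0e30] pointing at lniaumaf.dll in the HJT log and at qdncmtkc.dll in the later ComboFix log). The script below is an added example, not code from this thread or from HijackThis: it parses the O4/O20 lines, keys each Run value by hive and value name rather than by the whole line, and reports which fixed entries are gone, which persisted, and which came back loading a different file. The "before" log is abridged from the HJT log posted above; the "after" log is constructed for the example.

```python
"""Compare two HijackThis logs to see which autorun entries came back after a fix."""
import re
from typing import Dict, List

# "Before" log: an abridged set of the O4/O20 lines quoted in the thread above.
BEFORE = r"""
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [ksddiag] C:\WINDOWS\system32\ksdconf.exe
O4 - HKLM\..\Run: [odfwbc22] C:\WINDOWS\System32\odfwbc22.exe
O4 - HKLM\..\Run: [fcff3dac] rundll32.exe "C:\WINDOWS\system32\pkvaohbq.dll",b
O4 - HKLM\..\Run: [BMffcc0e30] Rundll32.exe "C:\WINDOWS\system32\lniaumaf.dll",s
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O20 - AppInit_DLLs: confksd.dll ksdstat.dll odfwbcmz22.dll odfybcmz22.dll
"""

# "After" log: CONSTRUCTED for this example. Two entries are gone, two are unchanged,
# and [BMffcc0e30] is back but now loads qdncmtkc.dll (the DLL name the ComboFix
# log in this thread reports for that same Run value).
AFTER = r"""
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [odfwbc22] C:\WINDOWS\System32\odfwbc22.exe
O4 - HKLM\..\Run: [BMffcc0e30] Rundll32.exe "C:\WINDOWS\system32\qdncmtkc.dll",s
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O20 - AppInit_DLLs: confksd.dll ksdstat.dll odfwbcmz22.dll odfybcmz22.dll
"""

# The entries proposed for fixing, expressed as the keys parse_hjt() produces.
FIXED = [
    r"O4 HKLM\..\Run [ksddiag]",
    r"O4 HKLM\..\Run [odfwbc22]",
    r"O4 HKLM\..\Run [fcff3dac]",
    r"O4 HKLM\..\Run [BMffcc0e30]",
    "O20 AppInit_DLLs",
]

ENTRY_RE = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.+)$")
O4_RE = re.compile(r"^(?P<hive>[^:]+): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
LOADER_RE = re.compile(r"rundll32(\.exe)?\b", re.IGNORECASE)


def parse_hjt(text: str) -> Dict[str, str]:
    """Map each HJT finding to a stable key -> value pair.

    O4 entries are keyed by hive and Run-value name, with the command as the value,
    so a Run value whose payload DLL has been renamed still matches its old key.
    Other lines are keyed by everything before the first ': '.
    """
    entries: Dict[str, str] = {}
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        code, body = m.group("code"), m.group("body")
        if code == "O4":
            o4 = O4_RE.match(body)
            if o4:
                entries[f"O4 {o4.group('hive')} [{o4.group('name')}]"] = o4.group("cmd")
                continue
        head, sep, tail = body.partition(": ")
        entries[f"{code} {head}"] = tail if sep else ""
    return entries


def compare_fixed(before_text: str, after_text: str, fixed: List[str]) -> Dict[str, list]:
    """Classify each fixed entry after the reboot and re-scan.

    removed   - no longer in the new log
    persisted - present with exactly the same command (the fix did not stick)
    changed   - present under the same Run-value name but loading a different file
    """
    before, after = parse_hjt(before_text), parse_hjt(after_text)
    result: Dict[str, list] = {"removed": [], "persisted": [], "changed": []}
    for key in fixed:
        if key not in after:
            result["removed"].append(key)
        elif after[key] == before.get(key):
            result["persisted"].append(key)
        else:
            result["changed"].append((key, before.get(key), after[key]))
    return result


def new_entries(before_text: str, after_text: str) -> Dict[str, str]:
    """Entries in the new log that the old one did not have at all."""
    before, after = parse_hjt(before_text), parse_hjt(after_text)
    return {k: v for k, v in after.items() if k not in before}


def loader_entries(text: str) -> List[str]:
    """O4 entries that start a DLL through rundll32, the pattern the randomly
    named DLLs in this thread use; worth a second look in any log."""
    return [k for k, v in parse_hjt(text).items()
            if k.startswith("O4 ") and LOADER_RE.search(v)]


if __name__ == "__main__":
    report = compare_fixed(BEFORE, AFTER, FIXED)
    for status, items in report.items():
        print(f"{status}:")
        for item in items:
            print("   ", item)
    print("new entries:", new_entries(BEFORE, AFTER))
    print("rundll32 loaders still present:", loader_entries(AFTER))
```

Keying on the Run-value name is the whole point: a line-by-line diff would report [BMffcc0e30] as "one line removed, one line added" and a tired reader might take the removal as success. The same comparison applies to the O20 AppInit_DLLs line, which in this thread survived SDFix and shows up again in the ComboFix output, so "persisted" there is the expected result rather than a parsing error.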

Slender
newbie
Posts: 45
Registered: May 08
Gender: Not specified
Status:
Offline

Re: PC without antivirus, urgent check, please...

Post by Slender » 21 May 2008 15:23

Actually it's a bit my fault too... she had a mess on the laptop, so I tidied it up for her, cleaned out the viruses, all the usual stuff. Well, and I forgot to put NOD back on for her... oops. I'm busy, you know :-))

What about the system slowdown?? In normal mode, things like CLI.exe and so on keep popping up in the processes, taking 100% of the CPU.

Slender
nováček
Příspěvky: 45
Registrován: květen 08
Pohlaví: Nespecifikováno
Stav:
Offline

Re: PC bez antiviru, urgentní kontrola, prosím...

Post by Slender » 21 May 2008 15:28

New HJT...


SDFix: Version 1.184
Run by Marketka on út 20.05.2008 at 23:09

Microsoft Windows XP [Verze 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\WINDOWS\SYSTEM32\WMS2-2~1.EXE - Deleted
C:\autorun.inf - Deleted



Folder C:\Documents and Settings\All Users\Application Data\SalesMon - Removed


Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1359.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-20 23:21:59
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Cursors\Schemes]
"Černé ukazatele"="C:\WINDOWS\cursors\arrow_r.cur,C:\WINDOWS\cursors\help_r.cur,C:\WINDOWS\cursors\wait_r.cur,C:\WINDOWS\cursors\busy_r.cur,C:\WINDOWS\cursors\cross_r.cur,C:\WINDOWS\cursors\beam_r.cur,C:\WINDOWS\cursors\pen_r.cur,C:\WINDOWS\cursors\no_r.cur,C:\WINDOWS\cursors\size4_r.cur,C:\WINDOWS\cursors\size3_r.cur,C:\WINDOWS\cursors\size2_r.cur,C:\WINDOWS\cursors\size1_r.cur,C:\WINDOWS\cursors\move_r.cur,C:\WINDOWS\cursors\up_r.cur"
"Černé ukazatele (velké)"="C:\WINDOWS\cursors\arrow_rm.cur,C:\WINDOWS\cursors\help_rm.cur,C:\WINDOWS\cursors\wait_rm.cur,C:\WINDOWS\cursors\busy_rm.cur,C:\WINDOWS\cursors\cross_rm.cur,C:\WINDOWS\cursors\beam_rm.cur,C:\WINDOWS\cursors\pen_rm.cur,C:\WINDOWS\cursors\no_rm.cur,C:\WINDOWS\cursors\size4_rm.cur,C:\WINDOWS\cursors\size3_rm.cur,C:\WINDOWS\cursors\size2_rm.cur,C:\WINDOWS\cursors\size1_rm.cur,C:\WINDOWS\cursors\move_rm.cur,C:\WINDOWS\cursors\up_rm.cur"
"Černé ukazatele (největší)"="C:\WINDOWS\cursors\arrow_rl.cur,C:\WINDOWS\cursors\help_rl.cur,C:\WINDOWS\cursors\wait_rl.cur,C:\WINDOWS\cursors\busy_rl.cur,C:\WINDOWS\cursors\cross_rl.cur,C:\WINDOWS\cursors\beam_rl.cur,C:\WINDOWS\cursors\pen_rl.cur,C:\WINDOWS\cursors\no_rl.cur,C:\WINDOWS\cursors\size4_rl.cur,C:\WINDOWS\cursors\size3_rl.cur,C:\WINDOWS\cursors\size2_rl.cur,C:\WINDOWS\cursors\size1_rl.cur,C:\WINDOWS\cursors\move_rl.cur,C:\WINDOWS\cursors\up_rl.cur"

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Messenger\\Msmsgs.exe"="C:\\Program Files\\Messenger\\Msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\ICQLite\\ICQLite.exe"="C:\\Program Files\\ICQLite\\ICQLite.exe:*:Enabled:ICQ Lite"
"C:\\Documents and Settings\\Marketka\\Dokumenty\\ICQ Lite\\367409488\\Kubca_198961746\\sdc203\\StrongDC.exe"="C:\\Documents and Settings\\Marketka\\Dokumenty\\ICQ Lite\\367409488\\Kubca_198961746\\sdc203\\StrongDC.exe:*:Enabled:StrongDC++"
"C:\\Documents and Settings\\Marketka\\Dokumenty\\Administration\\LimeWire\\LimeWire.exe"="C:\\Documents and Settings\\Marketka\\Dokumenty\\Administration\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\WINDOWS\\system32\\ADFC.exe"="C:\\WINDOWS\\system32\\ADFC.exe:*:Enabled:SystemVersion"
"C:\\WINDOWS\\system32\\svchd32.exe"="C:\\WINDOWS\\system32\\svchd32.exe:*:Enabled:SystemVersion"
"C:\\WINDOWS\\system32\\servsq.exe"="C:\\WINDOWS\\system32\\servsq.exe:*:Enabled:SystemVersion"
"C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\Program Files\\Winamp Remote\\bin\\Orb.exe"="C:\\Program Files\\Winamp Remote\\bin\\Orb.exe:*:Enabled:Orb"
"C:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe"="C:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe:*:Enabled:OrbTray"
"C:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe"="C:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe:*:Enabled:Orb Stream Client"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype. The whole world can talk for free."

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Sun 17 Dec 2006 61,985 ..SHR --- "C:\Recycled\ctfmon.exe"
Sun 17 Dec 2006 61,985 ..SHR --- "C:\Recycled\Recycled\ctfmon.exe"
Sat 22 Mar 2008 12,288 ..SHR --- "C:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\iuhi64.exe"
Fri 15 Jun 2007 40,960 A..H. --- "C:\WINDOWS\system32\cnnperf.exe"
Fri 15 Jun 2007 45,056 A..H. --- "C:\WINDOWS\system32\cnnprf32.dll"
Fri 15 Jun 2007 53,248 A..H. --- "C:\WINDOWS\system32\confcnn.dll"
Wed 20 Jun 2007 57,344 A..H. --- "C:\WINDOWS\system32\confksd.dll"
Wed 20 Jun 2007 331,776 A..H. --- "C:\WINDOWS\system32\ksdmgr32.dll"
Wed 20 Jun 2007 40,960 A..H. --- "C:\WINDOWS\system32\ksdperf.exe"
Wed 20 Jun 2007 122,880 A..H. --- "C:\WINDOWS\system32\ksdstat.dll"
Tue 17 Jul 2007 45,056 A..H. --- "C:\WINDOWS\system32\sdperf.exe"
Tue 27 Mar 2007 19,968 ...H. --- "C:\Documents and Settings\Marketka\Dokumenty\Mémoire\Parties\~WRL1856.tmp"
Tue 27 Mar 2007 19,968 A..H. --- "C:\Documents and Settings\Marketka\Dokumenty\Études\Parties\~WRL1856.tmp"
Sat 5 May 2007 22,528 A..H. --- "C:\Documents and Settings\Marketka\Dokumenty\Études\státnice\~WRL3256.tmp"
Thu 14 Feb 2008 20,992 A..H. --- "C:\Documents and Settings\Marketka\Plocha\flash\CHRIS\~WRL0001.tmp"
Sat 5 May 2007 22,528 A..H. --- "C:\Documents and Settings\Marketka\Plocha\flash\státnice\~WRL3256.tmp"
Tue 27 Mar 2007 19,968 A..H. --- "C:\Documents and Settings\Marketka\Local Settings\Data aplikací\Microsoft\Zápis na CD\Études\Parties\~WRL1856.tmp"
Sat 5 May 2007 22,528 A..H. --- "C:\Documents and Settings\Marketka\Local Settings\Data aplikací\Microsoft\Zápis na CD\Études\státnice\~WRL3256.tmp"

Finished!

fredik
Security team member

Post by fredik » 21 May 2008 17:26

Download this program and use it after ComboFix has finished: Flash Disinfector (by sUBs)
- Run Flash Disinfector and wait until the program completes

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

Copy the following complete text marked in green into it:
Note: Do not use the SELECT ALL function to select the script

KillAll::

File::
C:\WINDOWS\system32\hiOUCJlm.ini2
C:\WINDOWS\system32\hiOUCJlm.ini
C:\WINDOWS\system32\mlJCUOih.dll
C:\WINDOWS\system32\lniaumaf.dll
C:\WINDOWS\system32\vtUolJcb.dll
C:\WINDOWS\system32\qoMdAsrS.dll
C:\WINDOWS\system32\opnkhiFy.dll
C:\WINDOWS\system32\tuvSiIXp.dll
C:\WINDOWS\system32\qoMCtSMD.dll
C:\WINDOWS\system32\urqPhhHb.dll
C:\WINDOWS\system32\vtUonmkl.dll
C:\WINDOWS\system32\odfybc22.exe
C:\WINDOWS\system32\odfwbc22.exe
C:\WINDOWS\system32\qdncmtkc.dll
C:\WINDOWS\system32\ksdmgr32.dll
C:\WINDOWS\system32\odfwbc22.dll
C:\WINDOWS\system32\odfybc22.dll
C:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\iuhi64.exe
C:\WINDOWS\System32\odfwbcmc22.dll
C:\WINDOWS\system32\odfwbcmz22.dll
C:\WINDOWS\System32\odfybcmc22.dll
C:\WINDOWS\system32\odfybcmz22.dll
C:\WINDOWS\system32\ksdperf.exe
C:\WINDOWS\system32\ksdstat.dll
C:\WINDOWS\system32\sdperf.exe
C:\WINDOWS\system32\confksd.dll
C:\WINDOWS\system32\cnnprf32.dll
C:\WINDOWS\system32\cnnperf.exe

Folder::
C:\Program Files\Common Files\SuspenzorPC

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{444FC7D1-8F08-4377-B39B-4D75AE0E9F70}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{477E3281-8C75-408B-B0FF-773F921E1FD6}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ksddiag"=-
"odfwbc22"=-
"odfybc22"=-
"BMffcc0e30"=-
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{444FC7D1-8F08-4377-B39B-4D75AE0E9F70}"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ksdmgr]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\odfwbc22]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\odfybc22]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtUonmkl]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{18B0E5C2-99CB-11CF-AYX5-00401C648513}]

Choose File -> Save As... and set these parameters:
File name: type CFScript.txt
Save as type: choose All Files
Save the file to the desktop.
Close all open windows.

Drag the CFScript.txt you created with the mouse onto the downloaded ComboFix.exe and drop it once the two files overlap
- ComboFix will start automatically (the PC will then reboot, so don't be alarmed)
- Post here the log that appears at the end of the cleaning process + a new HJT log
It may take a while to get a response, because the "HJT Team" are very busy. Please, be patient, these people are volunteers. They will help you out, as soon as possible.
If you have a problem, do not send me PMs with logs; post them in the forum. Such PMs cannot be answered


Post by Slender » 21 May 2008 18:12

It took a while, but here it is... here they are:

ComboFix 08-05-20.5 - Marketka 2008-05-21 17:45:33.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1250.1.1029.18.565 [GMT 2:00]
Running from: C:\Documents and Settings\Marketka\Plocha\ComboFix.exe
Command switches used :: C:\Documents and Settings\Marketka\Plocha\CFScript.txt.txt
* Created a new restore point
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\iuhi64.exe
C:\WINDOWS\system32\cnnperf.exe
C:\WINDOWS\system32\cnnprf32.dll
C:\WINDOWS\system32\confksd.dll
C:\WINDOWS\system32\hiOUCJlm.ini
C:\WINDOWS\system32\hiOUCJlm.ini2
C:\WINDOWS\system32\ksdmgr32.dll
C:\WINDOWS\system32\ksdperf.exe
C:\WINDOWS\system32\ksdstat.dll
C:\WINDOWS\system32\lniaumaf.dll
C:\WINDOWS\system32\mlJCUOih.dll
C:\WINDOWS\system32\odfwbc22.dll
C:\WINDOWS\system32\odfwbc22.exe
C:\WINDOWS\System32\odfwbcmc22.dll
C:\WINDOWS\system32\odfwbcmz22.dll
C:\WINDOWS\system32\odfybc22.dll
C:\WINDOWS\system32\odfybc22.exe
C:\WINDOWS\System32\odfybcmc22.dll
C:\WINDOWS\system32\odfybcmz22.dll
C:\WINDOWS\system32\opnkhiFy.dll
C:\WINDOWS\system32\qdncmtkc.dll
C:\WINDOWS\system32\qoMCtSMD.dll
C:\WINDOWS\system32\qoMdAsrS.dll
C:\WINDOWS\system32\sdperf.exe
C:\WINDOWS\system32\tuvSiIXp.dll
C:\WINDOWS\system32\urqPhhHb.dll
C:\WINDOWS\system32\vtUolJcb.dll
C:\WINDOWS\system32\vtUonmkl.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Common Files\SuspenzorPC
C:\Program Files\Common Files\SuspenzorPC\stm.exe
C:\Recycled\Recycled
C:\Recycled\Recycled\ctfmon.exe
C:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\iuhi64.exe
C:\WINDOWS\BMffcc0e30.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\cnnperf.exe
C:\WINDOWS\system32\cnnprf32.dll
C:\WINDOWS\system32\eivusjuc.ini
C:\WINDOWS\system32\hiOUCJlm.ini
C:\WINDOWS\system32\hiOUCJlm.ini2
C:\WINDOWS\system32\ksdmgr32.dll
C:\WINDOWS\system32\ksdperf.exe
C:\WINDOWS\system32\lniaumaf.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mkwbroji.exe
C:\WINDOWS\system32\mlJCUOih.dll
C:\WINDOWS\system32\odfwbc22.dll
C:\WINDOWS\system32\odfwbc22.exe
C:\WINDOWS\system32\odfwbcmz22.dll
C:\WINDOWS\system32\odfybc22.dll
C:\WINDOWS\system32\odfybc22.exe
C:\WINDOWS\system32\odfybcmz22.dll
C:\WINDOWS\system32\opnkhiFy.dll
C:\WINDOWS\system32\qdncmtkc.dll
C:\WINDOWS\system32\qoMCtSMD.dll
C:\WINDOWS\system32\qoMdAsrS.dll
C:\WINDOWS\system32\sdperf.exe
C:\WINDOWS\system32\tuvSiIXp.dll
C:\WINDOWS\system32\urqPhhHb.dll
C:\WINDOWS\system32\vtUolJcb.dll
C:\WINDOWS\system32\vtUonmkl.dll

.
((((((((((((((((((((((((( Files Created from 2008-04-21 to 2008-05-21 )))))))))))))))))))))))))))))))
.

2008-05-21 17:32 . 2008-03-03 14:25 5,702 --ah----- C:\WINDOWS\nod32restoretemdono.reg
2008-05-21 17:32 . 2008-03-03 18:21 568 --ah----- C:\WINDOWS\nod32fixtemdono.reg
2008-05-21 17:29 . 2008-05-21 17:29 <DIR> d-------- C:\Program Files\ESET
2008-05-21 17:14 . 2008-05-21 17:14 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-05-21 17:14 . 2008-05-21 17:14 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-05-21 17:14 . 2008-05-21 17:14 75,272 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys
2008-05-21 17:13 . 2008-05-21 17:13 <DIR> d-------- C:\Program Files\AVG
2008-05-21 13:22 . 2008-05-21 13:22 115,200 --a------ C:\WINDOWS\system32\cujsuvie.dll
2008-05-20 23:38 . 2008-05-20 23:38 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-20 23:02 . 2008-05-20 23:03 <DIR> d-------- C:\WINDOWS\ERUNT
2008-05-20 22:42 . 2008-05-20 23:24 <DIR> d-------- C:\SDFix
2008-05-20 22:07 . 2008-05-20 22:07 4,166 --a------ C:\WINDOWS\system32\tmp.reg
2008-05-19 16:33 . 2004-10-07 14:39 8,704 --a------ C:\WINDOWS\system32\SpOrder.dll
2008-05-16 21:57 . 2008-05-16 21:57 <DIR> d-------- C:\Program Files\Webteh

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-21 13:25 --------- d-----w C:\Program Files\Winamp Remote
2008-04-13 20:37 --------- d-----w C:\Program Files\Java
.

((((((((((((((((((((((((((((( snapshot@2008-05-21_13.19.17.20 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-21 11:14:09 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-21 16:00:32 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-21 15:30:29 10,134 ----a-r C:\WINDOWS\Installer\{7D974ACA-4EE5-412C-8E6A-A5B57B305727}\callmsi.exe
+ 2008-05-21 15:30:29 136,448 ----a-r C:\WINDOWS\Installer\{7D974ACA-4EE5-412C-8E6A-A5B57B305727}\egui.exe
+ 2008-05-21 15:14:05 26,184 ----a-w C:\WINDOWS\system32\drivers\avgmfx86.sys
+ 2008-02-20 09:01:30 39,944 ----a-w C:\WINDOWS\system32\drivers\eamon.sys
+ 2008-02-20 09:02:22 29,704 ----a-w C:\WINDOWS\system32\drivers\easdrv.sys
+ 2008-02-20 09:11:16 33,800 ----a-w C:\WINDOWS\system32\drivers\epfwtdir.sys
+ 2006-12-01 20:56:00 96,256 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_cbb27474\ATL80.dll
+ 2006-12-01 20:54:32 479,232 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcm80.dll
+ 2006-12-01 20:54:34 548,864 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcp80.dll
+ 2006-12-01 20:54:32 626,688 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcr80.dll
+ 2006-12-01 22:25:52 1,101,824 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfc80.dll
+ 2006-12-01 22:25:56 1,093,120 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfc80u.dll
+ 2006-12-01 22:25:58 69,632 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfcm80.dll
+ 2006-12-01 22:26:00 57,856 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfcm80u.dll
+ 2006-12-01 22:08:00 65,536 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80DEU.dll
+ 2006-12-01 22:08:00 57,344 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80ENU.dll
+ 2006-12-01 22:08:00 61,440 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80ESP.dll
+ 2006-12-01 22:08:00 61,440 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80FRA.dll
+ 2006-12-01 22:08:00 40,960 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80CHS.dll
+ 2006-12-01 22:08:00 45,056 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80CHT.dll
+ 2006-12-01 22:08:00 61,440 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80ITA.dll
+ 2006-12-01 22:08:00 49,152 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80JPN.dll
+ 2006-12-01 22:08:00 49,152 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80KOR.dll
+ 2006-12-01 22:46:44 65,536 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.OpenMP_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6c18549a\vcomp.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-18 14:00 15360]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-02-23 00:31 25388584]
"msnmsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 13:55 5674352]
"Orb"="C:\Program Files\Winamp Remote\bin\OrbTray.exe" [2008-01-07 22:02 495616]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 17:41 45056]
"RTHDCPL"="RTHDCPL.EXE" [2006-04-17 15:34 16143872 C:\WINDOWS\RTHDCPL.EXE]
"SMSERIAL"="sm56hlpr.exe" [2006-01-20 13:34 544768 C:\WINDOWS\sm56hlpr.exe]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2005-04-15 16:13 45056]
"tsnpstd3"="C:\WINDOWS\tsnpstd3.exe" [2005-11-04 16:05 90112]
"snpstd3"="C:\WINDOWS\vsnpstd3.exe" [2005-09-05 16:55 339968]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"WinampAgent"="C:\Program Files\Winamp\wianmpa.exe" [ ]
"fcff3dac"="C:\WINDOWS\system32\cujsuvie.dll" [2008-05-21 13:22 115200]
"egui"="C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-02-20 11:06 1443072]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-18 14:00 15360]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\Msmsgs.exe"=
"C:\\Program Files\\ICQLite\\ICQLite.exe"=
"C:\\Documents and Settings\\Marketka\\Dokumenty\\ICQ Lite\\367409488\\Kubca_198961746\\sdc203\\StrongDC.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\Winamp Remote\\bin\\Orb.exe"=
"C:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe"=
"C:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 O2MDRDR;O2MDRDR;C:\WINDOWS\system32\DRIVERS\o2media.sys [2006-02-27 15:00]
R0 O2SDRDR;O2SDRDR;C:\WINDOWS\system32\DRIVERS\o2sd.sys [2006-02-20 16:01]
R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-05-21 17:14]
R1 epfwtdir;epfwtdir;C:\WINDOWS\system32\DRIVERS\epfwtdir.sys [2008-02-20 11:11]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-05-21 17:13]
R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-05-21 17:14]
R2 Ethpdrv;Ethernet Packet Driver;C:\WINDOWS\system32\DRIVERS\ethpdrv.sys [2005-09-08 01:18]
R3 PSched;Plánovač paketů technologie QoS;C:\WINDOWS\system32\DRIVERS\psched.sys [2004-08-18 14:00]
R3 usbohci;Ovladač Miniport otevřeného hostitelského řadiče Microsoft USB;C:\WINDOWS\system32\DRIVERS\usbohci.sys [2006-04-19 13:50]
R3 USBSTOR;Ovladač velkokapacitního paměťového zařízení USB;C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-04 00:08]
S2 NOD32FiXTemDono;Eset Nod32 Boot;C:\WINDOWS\system32\regedt32.exe [2004-08-18 14:00]
S3 ipw_bus;IPWireless;C:\WINDOWS\system32\DRIVERS\ipw_bus.sys [2005-09-27 10:21]
S3 ipw_mdfl;Wireless Broadband Modem Filter;C:\WINDOWS\system32\DRIVERS\ipw_mdfl.sys [2005-09-27 10:21]
S3 ipw_mdm;Wireless Broadband Modem (WDM);C:\WINDOWS\system32\DRIVERS\ipw_mdm.sys [2005-09-27 10:21]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{16a2a9fc-9cef-11db-b51a-00c0a8c89514}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-21 18:00:58
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe
-> C:\WINDOWS\system32\cujsuvie.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINDOWS\system32\o2flash.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Winamp Remote\bin\Orb.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\system32\verclsid.exe
.
**************************************************************************
.
Completion time: 2008-05-21 18:04:44 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-21 16:04:33
ComboFix2.txt 2008-05-21 11:24:31

Directories: 12, Free bytes: 4,110,757,888
Directories: 16, Free bytes: 4,185,718,784

213


and a new HJT:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:06:08, on 21.5.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINDOWS\system32\o2flash.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\sm56hlpr.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\tsnpstd3.exe
C:\WINDOWS\vsnpstd3.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Winamp Remote\bin\OrbTray.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Winamp Remote\bin\Orb.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Skype\Plugin Manager\SkypePM.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [tsnpstd3] C:\WINDOWS\tsnpstd3.exe
O4 - HKLM\..\Run: [snpstd3] C:\WINDOWS\vsnpstd3.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\wianmpa.exe
O4 - HKLM\..\Run: [fcff3dac] rundll32.exe "C:\WINDOWS\system32\cujsuvie.dll",b
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Orb] "C:\Program Files\Winamp Remote\bin\OrbTray.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xportovat do aplikace Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: E&xportovat do aplikace Microsoft Office Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Zdroje informací - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: @c:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @c:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{021727B4-9C04-4881-A77E-7123D13F92B6}: NameServer = 192.168.1.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{021727B4-9C04-4881-A77E-7123D13F92B6}: NameServer = 192.168.1.1
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (file missing)
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: O2Micro Flash Memory (O2Flash) - Unknown owner - C:\WINDOWS\system32\o2flash.exe

--
End of file - 6579 bytes


Post by fredik » 21 May 2008 20:37

Right now you have two antiviruses on there, NOD32 and AVG 8. Given that you used this on NOD (C:\WINDOWS\nod32restoretemdono.reg &
C:\WINDOWS\nod32fixtemdono.reg), I would recommend uninstalling NOD and keeping the AVG.

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

Note: Do not use the SELECT ALL function to select the script


File::
C:\WINDOWS\system32\cujsuvie.dll

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"fcff3dac"=-

- Post here the log that appears at the end of the cleaning process
Btw. this is the third time, and I'm not writing out the whole procedure again...
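
One way to do the before/after comparison goldstein suggested, and to catch what happened later in this thread (the [fcff3dac] Run value came back pointing at a different randomly named DLL: pkvaohbq.dll first, cujsuvie.dll after ComboFix): an added Python example, not a tool from this forum or from Trend Micro. It parses the O4 (Run keys), O20 (AppInit_DLLs) and O2 (BHO) lines of two HijackThis logs, keys every entry by location and value name, and reports which of the entries you deleted are gone, still present, or re-created with a new payload. The two sample logs and the DELETED set are constructed from lines quoted in the thread (trimmed so that each outcome appears); the rundll32 single-letter-export check is a heuristic of my own, not a detection signature.

```python
"""Diff two HijackThis logs to see which autostart entries came back.

Added example for this thread, not a tool from the forum or from Trend Micro.
It reads the O4 (Run keys), O20 (AppInit_DLLs) and O2 (BHO) lines of a
HijackThis 2.0 log, keys each entry by location and name, and reports which
of the entries you deleted are gone, still there, or back under the same
value name with a new payload. The sample logs below are constructed from
lines quoted in the thread and trimmed so that every outcome appears.
"""
import re

# O4 - HKLM\..\Run: [name] command   (HKCU / HKUS\S-1-5-xx lines match as well;
#                                     "Global Startup: foo.lnk = ..." is skipped)
O4_RE = re.compile(r'^O4 - (?P<loc>.+?): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$')
# O20 - AppInit_DLLs: a.dll b.dll     (one entry per DLL, case-folded)
O20_RE = re.compile(r'^O20 - AppInit_DLLs: (?P<dlls>.*)$')
# O2 - BHO: description - {CLSID} - path
O2_RE = re.compile(r'^O2 - BHO: (?P<desc>.*?) - (?P<clsid>\{[^}]+\}) - (?P<path>.*)$')
# rundll32 loading a DLL through a one- or two-character export, the pattern of
# the [fcff3dac] / [BMffcc0e30] lines in this thread (heuristic, not a signature)
RUNDLL_RE = re.compile(
    r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)"?\s*,\s*(?P<export>\S{1,2})$', re.I)


def parse_hjt(text):
    """Return {(location, name): payload} for the autostart lines of one log."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        m = O4_RE.match(line)
        if m:
            entries[(m['loc'], m['name'])] = m['cmd']
            continue
        m = O20_RE.match(line)
        if m:
            for dll in m['dlls'].split():
                entries[('AppInit_DLLs', dll.lower())] = dll
            continue
        m = O2_RE.match(line)
        if m:
            entries[('BHO', m['clsid'].upper())] = m['path']
    return entries


def diff_autostarts(before, after):
    """Split two parsed logs into (gone, same, changed, new), keyed like parse_hjt()."""
    gone = {k: v for k, v in before.items() if k not in after}
    new = {k: v for k, v in after.items() if k not in before}
    common = before.keys() & after.keys()
    same = {k: before[k] for k in common if before[k] == after[k]}
    changed = {k: (before[k], after[k]) for k in common if before[k] != after[k]}
    return gone, same, changed, new


def suspicious_rundll32(cmd):
    """True for 'rundll32.exe "<dll>",<x>' style loaders (see RUNDLL_RE)."""
    return RUNDLL_RE.match(cmd.strip()) is not None


def audit(before_text, after_text, deleted):
    """deleted = set of (location, name) keys that were removed between the two logs.

    A key under 'recreated' means the same value name is back with a different
    command line: whatever writes it is still running, and deleting the entry
    again will not help until that dropper is found.
    """
    gone, same, changed, new = diff_autostarts(parse_hjt(before_text), parse_hjt(after_text))
    return {
        'removed_ok': sorted(k for k in deleted if k in gone),
        'still_present': sorted(k for k in deleted if k in same),
        'recreated': {k: changed[k] for k in sorted(deleted) if k in changed},
        'new_suspicious': {k: v for k, v in new.items() if suspicious_rundll32(v)},
    }


# Constructed sample: lines from the safe-mode log goldstein quoted ...
LOG_BEFORE = r"""
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [ksddiag] C:\WINDOWS\system32\ksdconf.exe
O4 - HKLM\..\Run: [odfwbc22] C:\WINDOWS\System32\odfwbc22.exe
O4 - HKLM\..\Run: [fcff3dac] rundll32.exe "C:\WINDOWS\system32\pkvaohbq.dll",b
O4 - HKLM\..\Run: [BMffcc0e30] Rundll32.exe "C:\WINDOWS\system32\lniaumaf.dll",s
O20 - AppInit_DLLs: confksd.dll ksdstat.dll
"""
# ... and a later log in which [fcff3dac] points at a fresh random DLL (as in the
# post-ComboFix HJT log); odfwbc22 is kept here only to show 'still_present'.
LOG_AFTER = r"""
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [odfwbc22] C:\WINDOWS\System32\odfwbc22.exe
O4 - HKLM\..\Run: [fcff3dac] rundll32.exe "C:\WINDOWS\system32\cujsuvie.dll",b
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
"""
DELETED = {
    (r'HKLM\..\Run', 'ksddiag'), (r'HKLM\..\Run', 'odfwbc22'),
    (r'HKLM\..\Run', 'fcff3dac'), (r'HKLM\..\Run', 'BMffcc0e30'),
    ('AppInit_DLLs', 'confksd.dll'), ('AppInit_DLLs', 'ksdstat.dll'),
}

if __name__ == '__main__':
    for section, items in audit(LOG_BEFORE, LOG_AFTER, DELETED).items():
        print(section)
        for k in items:
            print('   ', k, items[k] if isinstance(items, dict) else '')
```

Run it against the real logs by reading the two HijackThis files into LOG_BEFORE and LOG_AFTER and putting the keys you deleted into DELETED. The point of keying by (location, value name) rather than diffing whole lines is the 'recreated' bucket: a plain line diff shows the old pkvaohbq.dll line as removed and the cujsuvie.dll line as added, which looks like progress, while the same-name/new-payload view shows the persistence mechanism is untouched.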


Post by Slender » 22 May 2008 00:52

Third time?? :-) Where are the previous ones? No, just kidding... send me your account number and I'll send a token of thanks.

Here it is:

ComboFix 08-05-20.5 - Marketka 2008-05-22 0:26:18.3 - NTFSx86
Running from: C:\Documents and Settings\Marketka\Plocha\ComboFix.exe
Command switches used :: C:\Documents and Settings\Marketka\Plocha\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\system32\cujsuvie.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Marketka\err.log
C:\Documents and Settings\Marketka\ResErrors.log
C:\WINDOWS\system32\cujsuvie.dll

.
((((((((((((((((((((((((( Files Created from 2008-04-21 to 2008-05-21 )))))))))))))))))))))))))))))))
.

2008-05-21 19:02 . 2008-05-21 19:02 12,424 --a------ C:\WINDOWS\system32\drivers\avgrkx86.sys
2008-05-21 19:02 . 2008-05-21 19:02 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-05-21 18:41 . 2008-05-21 18:41 <DIR> d-------- C:\Program Files\CCleaner
2008-05-21 18:02 . 2008-05-22 00:26 594 ---hs---- C:\WINDOWS\system32\eivusjuc.ini
2008-05-21 17:32 . 2008-03-03 14:25 5,702 --ah----- C:\WINDOWS\nod32restoretemdono.reg
2008-05-21 17:29 . 2008-05-21 17:29 <DIR> d-------- C:\Program Files\ESET
2008-05-21 17:14 . 2008-05-21 19:04 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-05-21 17:14 . 2008-05-21 17:14 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-05-21 17:14 . 2008-05-21 17:14 75,272 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys
2008-05-21 17:13 . 2008-05-21 17:13 <DIR> d-------- C:\Program Files\AVG
2008-05-20 23:38 . 2008-05-20 23:38 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-20 23:02 . 2008-05-20 23:03 <DIR> d-------- C:\WINDOWS\ERUNT
2008-05-20 22:42 . 2008-05-20 23:24 <DIR> d-------- C:\SDFix
2008-05-20 22:07 . 2008-05-20 22:07 4,166 --a------ C:\WINDOWS\system32\tmp.reg
2008-05-19 16:33 . 2004-10-07 14:39 8,704 --a------ C:\WINDOWS\system32\SpOrder.dll
2008-05-16 21:57 . 2008-05-16 21:57 <DIR> d-------- C:\Program Files\Webteh

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-21 16:32 --------- d-----w C:\Program Files\Winamp
2008-04-13 20:37 --------- d-----w C:\Program Files\Java
.

((((((((((((((((((((((((((((( snapshot@2008-05-21_13.19.17.20 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-21 11:14:09 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-21 22:40:03 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-21 17:02:33 26,184 ----a-w C:\WINDOWS\system32\drivers\avgmfx86.sys
+ 2006-12-01 20:56:00 96,256 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_cbb27474\ATL80.dll
+ 2006-12-01 20:54:32 479,232 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcm80.dll
+ 2006-12-01 20:54:34 548,864 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcp80.dll
+ 2006-12-01 20:54:32 626,688 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcr80.dll
+ 2006-12-01 22:25:52 1,101,824 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfc80.dll
+ 2006-12-01 22:25:56 1,093,120 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfc80u.dll
+ 2006-12-01 22:25:58 69,632 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfcm80.dll
+ 2006-12-01 22:26:00 57,856 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfcm80u.dll
+ 2006-12-01 22:08:00 65,536 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80DEU.dll
+ 2006-12-01 22:08:00 57,344 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80ENU.dll
+ 2006-12-01 22:08:00 61,440 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80ESP.dll
+ 2006-12-01 22:08:00 61,440 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80FRA.dll
+ 2006-12-01 22:08:00 40,960 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80CHS.dll
+ 2006-12-01 22:08:00 45,056 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80CHT.dll
+ 2006-12-01 22:08:00 61,440 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80ITA.dll
+ 2006-12-01 22:08:00 49,152 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80JPN.dll
+ 2006-12-01 22:08:00 49,152 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80KOR.dll
+ 2006-12-01 22:46:44 65,536 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.OpenMP_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6c18549a\vcomp.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-18 14:00 15360]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-02-23 00:31 25388584]
"msnmsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 13:55 5674352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 17:41 45056]
"RTHDCPL"="RTHDCPL.EXE" [2006-04-17 15:34 16143872 C:\WINDOWS\RTHDCPL.EXE]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2005-04-15 16:13 45056]
"tsnpstd3"="C:\WINDOWS\tsnpstd3.exe" [2005-11-04 16:05 90112]
"snpstd3"="C:\WINDOWS\vsnpstd3.exe" [2005-09-05 16:55 339968]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"WinampAgent"="C:\Program Files\Winamp\wianmpa.exe" [ ]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-05-21 19:02 1177368]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-18 14:00 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\Msmsgs.exe"=
"C:\\Program Files\\ICQLite\\ICQLite.exe"=
"C:\\Documents and Settings\\Marketka\\Dokumenty\\ICQ Lite\\367409488\\Kubca_198961746\\sdc203\\StrongDC.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 AvgRkx86;avgrkx86.sys;C:\WINDOWS\system32\Drivers\avgrkx86.sys [2008-05-21 19:02]
R0 O2MDRDR;O2MDRDR;C:\WINDOWS\system32\DRIVERS\o2media.sys [2006-02-27 15:00]
R0 O2SDRDR;O2SDRDR;C:\WINDOWS\system32\DRIVERS\o2sd.sys [2006-02-20 16:01]
R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-05-21 17:14]
R2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-05-21 19:02]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-05-21 19:02]
R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-05-21 17:14]
R2 Ethpdrv;Ethernet Packet Driver;C:\WINDOWS\system32\DRIVERS\ethpdrv.sys [2005-09-08 01:18]
R3 PSched;Plánovač paketů technologie QoS;C:\WINDOWS\system32\DRIVERS\psched.sys [2004-08-18 14:00]
R3 usbohci;Ovladač Miniport otevřeného hostitelského řadiče Microsoft USB;C:\WINDOWS\system32\DRIVERS\usbohci.sys [2006-04-19 13:50]
S3 ipw_bus;IPWireless;C:\WINDOWS\system32\DRIVERS\ipw_bus.sys [2005-09-27 10:21]
S3 ipw_mdfl;Wireless Broadband Modem Filter;C:\WINDOWS\system32\DRIVERS\ipw_mdfl.sys [2005-09-27 10:21]
S3 ipw_mdm;Wireless Broadband Modem (WDM);C:\WINDOWS\system32\DRIVERS\ipw_mdm.sys [2005-09-27 10:21]
S3 USBSTOR;Ovladač velkokapacitního paměťového zařízení USB;C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-04 00:08]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{16a2a9fc-9cef-11db-b51a-00c0a8c89514}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-22 00:40:45
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\o2flash.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
.
**************************************************************************
.
Completion time: 2008-05-22 0:44:27 - machine was rebooted [Marketka]
ComboFix-quarantined-files.txt 2008-05-21 22:44:19
ComboFix2.txt 2008-05-21 16:04:47
ComboFix3.txt 2008-05-21 11:24:31

Adresářů: 12, Volných bajtů: 4,050,567,168
Adresářů: 16, Volných bajtů: 4,040,060,928

146

fredik
Security team member
Master Level 7
Posts: 4680
Registered: July 06
Gender: Male
Status:
Offline

Re: PC without antivirus, urgent check, please...

Post by fredik » 23 May 2008 08:59

Create a new CFScript and use it the same way as the previous one, but this time put this into it:
Note: Do not use the SELECT ALL function to select the script

Code:

File::
C:\WINDOWS\system32\eivusjuc.ini
C:\WINDOWS\nod32restoretemdono.reg

FileLook::
C:\WINDOWS\system32\SpOrder.dll

- Post here the log that appears at the end of the cleaning process + a new HJT log

Also try testing this file on VirusTotal and then post the result here
C:\WINDOWS\system32\SpOrder.dll
Technical problems occurred twice, which forced me to write it all over again...
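As an added example (not from the thread and not ComboFix's own code), a small Python parser for the "Files Created" section in the ComboFix logs posted above, with a heuristic filter that surfaces the two hidden files the helper scripted for deletion. The sample lines are constructed from the thread's own log, and treating newly created hidden files under C:\WINDOWS as worth a second look is an assumption of this example, not a ComboFix rule.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

# Constructed sample, mirroring the line format of the "Files Created" section
# in the ComboFix logs posted in the thread (created . modified size attrs path).
SAMPLE_FILES_CREATED = r"""
2008-05-21 19:02 . 2008-05-21 19:02 12,424 --a------ C:\WINDOWS\system32\drivers\avgrkx86.sys
2008-05-21 18:41 . 2008-05-21 18:41 <DIR> d-------- C:\Program Files\CCleaner
2008-05-21 18:02 . 2008-05-22 00:26 594 ---hs---- C:\WINDOWS\system32\eivusjuc.ini
2008-05-21 17:32 . 2008-03-03 14:25 5,702 --ah----- C:\WINDOWS\nod32restoretemdono.reg
2008-05-19 16:33 . 2004-10-07 14:39 8,704 --a------ C:\WINDOWS\system32\SpOrder.dll
"""

# One "Files Created" line: two timestamps separated by " . ", a size
# (or <DIR>), a 9-character attribute field, then the path.
LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size><DIR>|[\d,]+) "
    r"(?P<attrs>\S{9}) "
    r"(?P<path>.+)$"
)


@dataclass
class Entry:
    created: datetime
    modified: datetime
    size: Optional[int]  # None for directories
    attrs: str           # e.g. "---hs----": 'd' directory, 'h' hidden, 's' system
    path: str

    @property
    def is_dir(self) -> bool:
        return self.attrs.startswith("d")

    @property
    def hidden(self) -> bool:
        return "h" in self.attrs

    @property
    def system(self) -> bool:
        return "s" in self.attrs


def parse_files_created(text: str) -> List[Entry]:
    """Parse every well-formed 'Files Created' line; other lines are ignored."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        size = None if m["size"] == "<DIR>" else int(m["size"].replace(",", ""))
        entries.append(Entry(
            created=datetime.strptime(m["created"], "%Y-%m-%d %H:%M"),
            modified=datetime.strptime(m["modified"], "%Y-%m-%d %H:%M"),
            size=size,
            attrs=m["attrs"],
            path=m["path"],
        ))
    return entries


def flag_hidden_files(entries: List[Entry], root: str = r"C:\WINDOWS") -> List[Entry]:
    """Heuristic (an assumption of this example, not a ComboFix rule): regular
    files newly created under the Windows directory with the hidden attribute
    set deserve a second look, because legitimate installers rarely do that."""
    prefix = root.lower().rstrip("\\") + "\\"
    return [
        e for e in entries
        if not e.is_dir and e.hidden and e.path.lower().startswith(prefix)
    ]


if __name__ == "__main__":
    for e in flag_hidden_files(parse_files_created(SAMPLE_FILES_CREATED)):
        flags = "hidden" + (",system" if e.system else "")
        print(f"{e.created:%Y-%m-%d %H:%M}  {e.size:>6}  {flags:<14} {e.path}")
```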

Slender
newbie
Posts: 45
Registered: May 08
Gender: Not specified
Status:
Offline

Re: PC without antivirus, urgent check, please...

Post by Slender » 23 May 2008 13:42

Hi... here it is:

ComboFix 08-05-20.5 - Marketka 2008-05-23 12:54:19.4 - NTFSx86
Running from: C:\Documents and Settings\Marketka\Plocha\ComboFix.exe
Command switches used :: C:\Documents and Settings\Marketka\Plocha\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\nod32restoretemdono.reg
C:\WINDOWS\system32\eivusjuc.ini
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\nod32restoretemdono.reg
C:\WINDOWS\system32\eivusjuc.ini

.
((((((((((((((((((((((((( Files Created from 2008-04-23 to 2008-05-23 )))))))))))))))))))))))))))))))
.

2008-05-23 12:44 . 2008-05-23 12:54 <DIR> d--h----- C:\$AVG8.VAULT$
2008-05-21 19:02 . 2008-05-21 19:02 12,424 --a------ C:\WINDOWS\system32\drivers\avgrkx86.sys
2008-05-21 19:02 . 2008-05-21 19:02 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-05-21 18:41 . 2008-05-21 18:41 <DIR> d-------- C:\Program Files\CCleaner
2008-05-21 17:29 . 2008-05-21 17:29 <DIR> d-------- C:\Program Files\ESET
2008-05-21 17:29 . 2008-05-21 17:29 <DIR> d-------- C:\Documents and Settings\All Users\Data aplikací\ESET
2008-05-21 17:14 . 2008-05-23 12:42 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-05-21 17:14 . 2008-05-21 17:14 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-05-21 17:14 . 2008-05-21 17:14 75,272 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys
2008-05-21 17:13 . 2008-05-21 17:13 <DIR> d-------- C:\Program Files\AVG
2008-05-21 17:13 . 2008-05-21 19:02 <DIR> d-------- C:\Documents and Settings\All Users\Data aplikací\avg8
2008-05-20 23:38 . 2008-05-20 23:38 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-20 23:02 . 2008-05-20 23:03 <DIR> d-------- C:\WINDOWS\ERUNT
2008-05-20 22:42 . 2008-05-20 23:24 <DIR> d-------- C:\SDFix
2008-05-20 22:07 . 2008-05-20 22:07 4,166 --a------ C:\WINDOWS\system32\tmp.reg
2008-05-19 16:33 . 2004-10-07 14:39 8,704 --a------ C:\WINDOWS\system32\SpOrder.dll
2008-05-19 16:20 . 2008-05-19 16:20 <DIR> d-------- C:\Documents and Settings\Marketka\Data aplikací\SuspenzorPC
2008-05-19 16:15 . 2008-05-19 16:15 <DIR> d-------- C:\Documents and Settings\All Users\Data aplikací\SuspenzorPC
2008-05-16 21:57 . 2008-05-16 21:57 <DIR> d-------- C:\Program Files\Webteh

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-23 10:53 --------- d-----w C:\Documents and Settings\Marketka\Data aplikací\Skype
2008-05-21 16:32 --------- d-----w C:\Program Files\Winamp
2008-04-13 20:37 --------- d-----w C:\Program Files\Java
2007-03-18 16:51 19,504 ----a-w C:\Documents and Settings\Marketka\Data aplikací\GDIPFONTCACHEV1.DAT
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.


---- C:\WINDOWS\system32\SpOrder.dll ----
Company: Microsoft Corporation
File Description: WinSock2 reorder service providers
File Version: 5.2.3663.0 (main.020715-1506)
Product Name: MicrosoftR WindowsR Operating System
Copyright: c Microsoft Corporation. All rights reserved.
Original file name: sporder.dll

((((((((((((((((((((((((((((( snapshot@2008-05-21_13.19.17.20 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-21 11:14:09 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-21 22:40:03 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-21 17:02:33 26,184 ----a-w C:\WINDOWS\system32\drivers\avgmfx86.sys
+ 2006-12-01 20:56:00 96,256 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_cbb27474\ATL80.dll
+ 2006-12-01 20:54:32 479,232 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcm80.dll
+ 2006-12-01 20:54:34 548,864 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcp80.dll
+ 2006-12-01 20:54:32 626,688 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcr80.dll
+ 2006-12-01 22:25:52 1,101,824 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfc80.dll
+ 2006-12-01 22:25:56 1,093,120 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfc80u.dll
+ 2006-12-01 22:25:58 69,632 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfcm80.dll
+ 2006-12-01 22:26:00 57,856 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfcm80u.dll
+ 2006-12-01 22:08:00 65,536 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80DEU.dll
+ 2006-12-01 22:08:00 57,344 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80ENU.dll
+ 2006-12-01 22:08:00 61,440 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80ESP.dll
+ 2006-12-01 22:08:00 61,440 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80FRA.dll
+ 2006-12-01 22:08:00 40,960 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80CHS.dll
+ 2006-12-01 22:08:00 45,056 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80CHT.dll
+ 2006-12-01 22:08:00 61,440 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80ITA.dll
+ 2006-12-01 22:08:00 49,152 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80JPN.dll
+ 2006-12-01 22:08:00 49,152 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80KOR.dll
+ 2006-12-01 22:46:44 65,536 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.OpenMP_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6c18549a\vcomp.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-18 14:00 15360]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-02-23 00:31 25388584]
"msnmsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 13:55 5674352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 17:41 45056]
"RTHDCPL"="RTHDCPL.EXE" [2006-04-17 15:34 16143872 C:\WINDOWS\RTHDCPL.EXE]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2005-04-15 16:13 45056]
"tsnpstd3"="C:\WINDOWS\tsnpstd3.exe" [2005-11-04 16:05 90112]
"snpstd3"="C:\WINDOWS\vsnpstd3.exe" [2005-09-05 16:55 339968]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"WinampAgent"="C:\Program Files\Winamp\wianmpa.exe" [ ]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-05-21 19:02 1177368]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-18 14:00 15360]

C:\Documents and Settings\All Users\Nabídka Start\Programy\Po spuštění\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-24 07:05:26 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\Msmsgs.exe"=
"C:\\Program Files\\ICQLite\\ICQLite.exe"=
"C:\\Documents and Settings\\Marketka\\Dokumenty\\ICQ Lite\\367409488\\Kubca_198961746\\sdc203\\StrongDC.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 AvgRkx86;avgrkx86.sys;C:\WINDOWS\system32\Drivers\avgrkx86.sys [2008-05-21 19:02]
R0 O2MDRDR;O2MDRDR;C:\WINDOWS\system32\DRIVERS\o2media.sys [2006-02-27 15:00]
R0 O2SDRDR;O2SDRDR;C:\WINDOWS\system32\DRIVERS\o2sd.sys [2006-02-20 16:01]
R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-05-21 17:14]
R2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-05-21 19:02]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-05-21 19:02]
R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-05-21 17:14]
R2 Ethpdrv;Ethernet Packet Driver;C:\WINDOWS\system32\DRIVERS\ethpdrv.sys [2005-09-08 01:18]
R3 PSched;Plánovač paketů technologie QoS;C:\WINDOWS\system32\DRIVERS\psched.sys [2004-08-18 14:00]
R3 usbohci;Ovladač Miniport otevřeného hostitelského řadiče Microsoft USB;C:\WINDOWS\system32\DRIVERS\usbohci.sys [2006-04-19 13:50]
S3 ipw_bus;IPWireless;C:\WINDOWS\system32\DRIVERS\ipw_bus.sys [2005-09-27 10:21]
S3 ipw_mdfl;Wireless Broadband Modem Filter;C:\WINDOWS\system32\DRIVERS\ipw_mdfl.sys [2005-09-27 10:21]
S3 ipw_mdm;Wireless Broadband Modem (WDM);C:\WINDOWS\system32\DRIVERS\ipw_mdm.sys [2005-09-27 10:21]
S3 USBSTOR;Ovladač velkokapacitního paměťového zařízení USB;C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-04 00:08]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{16a2a9fc-9cef-11db-b51a-00c0a8c89514}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-23 12:56:31
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-05-23 12:57:30
ComboFix-quarantined-files.txt 2008-05-23 10:57:17
ComboFix2.txt 2008-05-21 22:44:33
ComboFix3.txt 2008-05-21 16:04:47
ComboFix4.txt 2008-05-21 11:24:31

Adresářů: 12, Volných bajtů: 3,993,649,152
Adresářů: 16, Volných bajtů: 3,984,867,328

149


VirusTotal result:

Soubor SpOrder.dll přijatý 2008.05.23 13:03:38 (CET)
Současný stav: Čekejte ... Ve frontě Čekání Testování Dokončeno NENALEZENO ZASTAVENO
Výsledek: 0/32 (0%)

AVG scan:

Scan "Scan whole computer" was finished.
Infections found:;"7"
Infected objects removed or healed;"7"
Not removed or healed.;"0"
Spyware found:;"0"
Spyware removed:;"0"
Not removed:;"0"
Warnings count:;"2"
Information count:;"0"
Scan started:;"23. května 2008, 12:42:31"
Total object scanned:;"442199"
Time needed:;"40 minute(s) 50 second(s) "
Errors encountered:;"0"

Infections
File;"Infection";"Result"
C:\Documents and Settings\Marketka\Data aplikací\installer_cz[1].exe;"Trojan horse Downloader.Generic6.ADBH";"Moved to Virus Vault"
C:\Documents and Settings\Marketka\Local Settings\Temp\Av-test.txt;"Virus identified EICAR_Test";"Moved to Virus Vault"
C:\QooBox\Quarantine\catchme2008-05-21_131212,53.zip:\pmnMdCVo.dll;"Trojan horse Generic10.ZTG";"Moved to Virus Vault"
C:\QooBox\Quarantine\catchme2008-05-21_131212,53.zip;"Trojan horse Generic10.ZTG";"Moved to Virus Vault"
C:\Recycled\ctfmon.exe;"Trojan horse Generic.ZWE";"Moved to Virus Vault"
C:\SDFix\backups\backups.zip:\backups\autorun.inf;"Virus found Worm/AutoRun";"Moved to Virus Vault"
C:\SDFix\backups\backups.zip;"Virus found Worm/AutoRun";"Moved to Virus Vault"

Warnings
File;"Infection";"Result"
HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{0EDC6C20-A31C-11DB-8AB9-0800200C9A66};"Found Adware.RogueSuspect";"Potentially dangerous object"
HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{3AAC4C68-AFC8-11DB-80EF-8AF955D89593};"Found Adware.RogueSuspect";"Potentially dangerous object"


New HJT:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:36:08, on 23.5.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\o2flash.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\tsnpstd3.exe
C:\WINDOWS\vsnpstd3.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Skype\Plugin Manager\SkypePM.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [tsnpstd3] C:\WINDOWS\tsnpstd3.exe
O4 - HKLM\..\Run: [snpstd3] C:\WINDOWS\vsnpstd3.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\wianmpa.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xportovat do aplikace Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: E&xportovat do aplikace Microsoft Office Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Zdroje informací - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: @c:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @c:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{021727B4-9C04-4881-A77E-7123D13F92B6}: NameServer = 192.168.1.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{021727B4-9C04-4881-A77E-7123D13F92B6}: NameServer = 192.168.1.1
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: O2Micro Flash Memory (O2Flash) - Unknown owner - C:\WINDOWS\system32\o2flash.exe

--
End of file - 6104 bytes


Thanks--
