Kontrola - prosím Vyřešeno

[Paulí]

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:10:49, on 28.10.2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
C:\Program Files\F-Secure\Anti-Virus\FSGK32.EXE
C:\Program Files\F-Secure\Common\FSMA32.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\F-Secure\Common\FSMB32.EXE
C:\Program Files\F-Secure\Common\FCH32.EXE
C:\WINDOWS\System32\vssvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\F-Secure\Common\FAMEH32.EXE
C:\Program Files\F-Secure\Anti-Virus\fsqh.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\F-Secure\Common\FSM32.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\F-Secure\FSGUI\fsguidll.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\F-Secure\Anti-Virus\fssm32.exe
C:\Program Files\F-Secure\FSAUA\program\fsaua.exe
C:\Program Files\F-Secure\FWES\Program\fsdfwd.exe
C:\Program Files\F-Secure\FSAUA\program\fsus.exe
C:\Program Files\F-Secure\Anti-Virus\fsav32.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Java\jre6\launch4j-tmp\frd.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\ICQ6.5\ICQ.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\TATA\Dokumenty\Pavel\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.seznam.cz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Program Files\Outlook Express\msimn.exe"
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\F-Secure\FSGUI\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User '?')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User '?')
O4 - HKUS\S-1-5-21-1390067357-1417001333-725345543-1004\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User '?')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 3964256734
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 3964504546
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} (get_atlcom Class) - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Systémové aplikace modelu COM+ (COMSysApp) - Unknown owner - C:\WINDOWS\System32\dllhost.exe (file missing)
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
O23 - Service: Firebird Server - MAGIX Instance (FirebirdServerMAGIXInstance) - MAGIX® - C:\Program Files\MAGIX\Common\Database\bin\fbserver.exe
O23 - Service: F-Secure Automatic Update Agent (FSAUA) - F-Secure Corporation - C:\Program Files\F-Secure\FSAUA\program\fsaua.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\F-Secure\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\F-Secure\Common\FSMA32.EXE
O23 - Service: F-Secure ORSP Client (FSORSPClient) - F-Secure Corporation - C:\Program Files\F-Secure\ORSP Client\fsorsp.exe
O23 - Service: Služba DDE v síti (NetDDE) - Unknown owner - C:\WINDOWS\system32\netdde.exe (file missing)
O23 - Service: Správce DSDM služby DDE v síti (NetDDEdsdm) - Unknown owner - C:\WINDOWS\system32\netdde.exe (file missing)
O23 - Service: Lokátor vzdáleného volání procedur (RPC) (RpcLocator) - Unknown owner - C:\WINDOWS\System32\locator.exe (file missing)
O23 - Service: MS Software Shadow Copy Provider (SwPrv) - Unknown owner - C:\WINDOWS\System32\dllhost.exe (file missing)

--
End of file - 6252 bytes

----------------------------------------------------------------

Malwarebytes' Anti-Malware 1.41
Verze databáze: 3047
Windows 5.1.2600 Service Pack 3

28.10.2009 16:37:57
mbam-log-2009-10-28 (16-37-50).txt

Typ kontroly: Rychlá kontrola
Zkontrolované objekty: 114860
Uplynulý čas: 23 minute(s), 31 second(s)

Infikované procesy v paměti: 0
Infikované moduly v paměti: 0
Infikované klíče registru: 3
Infikované hodnoty registru: 0
Infikované datové položky registru: 0
Infikované adresáře: 0
Infikované soubory: 2

Infikované procesy v paměti:
(Nebyly nalezeny žádné škodlivé položky)

Infikované moduly v paměti:
(Nebyly nalezeny žádné škodlivé položky)

Infikované klíče registru:
HKEY_CLASSES_ROOT\Typelib\{c20ee2d6-81c3-6a08-79c5-1989da43bc19} (Trojan.Downloader) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\NordBull (Malware.Trace) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\poprock (Trojan.Downloader) -> No action taken.

Infikované hodnoty registru:
(Nebyly nalezeny žádné škodlivé položky)

Infikované datové položky registru:
(Nebyly nalezeny žádné škodlivé položky)

Infikované adresáře:
(Nebyly nalezeny žádné škodlivé položky)

Infikované soubory:
C:\WINDOWS\Tasks\{7B02EF0B-A410-4938-8480-9BA26420A627}.job (Trojan.Downloader) -> No action taken.
C:\WINDOWS\Tasks\{BB65B0FB-5712-401b-B616-E69AC55E2757}.job (Trojan.Downloader) -> No action taken.


----------------------------------------------------------------

Díky moc.

[Reklama]

[pitimir]

Sprav komplet kontrolu s MbAMom - co najde, zmaz. Log by som rad videl.

[Paulí]

Ty položky, které jsou v 1.logu MBAM, jsem už včera smazal.

Malwarebytes' Anti-Malware 1.41
Verze databáze: 3054
Windows 5.1.2600 Service Pack 3

29.10.2009 18:53:16
mbam-log-2009-10-29 (18-53-16).txt

Typ kontroly: Kompletní kontrola (C:\|)
Zkontrolované objekty: 160309
Uplynulý čas: 1 hour(s), 10 minute(s), 22 second(s)

Infikované procesy v paměti: 0
Infikované moduly v paměti: 0
Infikované klíče registru: 0
Infikované hodnoty registru: 0
Infikované datové položky registru: 0
Infikované adresáře: 0
Infikované soubory: 0

Infikované procesy v paměti:
(Nebyly nalezeny žádné škodlivé položky)

Infikované moduly v paměti:
(Nebyly nalezeny žádné škodlivé položky)

Infikované klíče registru:
(Nebyly nalezeny žádné škodlivé položky)

Infikované hodnoty registru:
(Nebyly nalezeny žádné škodlivé položky)

Infikované datové položky registru:
(Nebyly nalezeny žádné škodlivé položky)

Infikované adresáře:
(Nebyly nalezeny žádné škodlivé položky)

Infikované soubory:
(Nebyly nalezeny žádné škodlivé položky)

[pitimir]

Stiahni DDS. Uloz na plochu, ukonci vsetky spustene programy a spust ho. Po skonceni scanu sa otvoria vysledky v 2 oknach - DDS.txt a Attach.txt. Obsah oboch by som rad videl.

[Paulí]

DDS (Ver_09-10-26.01) - NTFSx86
Run by TATA at 19:48:54,21 on źt 29.10.2009
Internet Explorer: 8.0.6001.18702
AV: F-Secure Profi Antivirus 8.01 *On-access scanning enabled* (Updated) {E7512ED5-4245-4B4D-AF3A-382D3F313F15}
FW: F-Secure Profi Antivirus 8.01 *enabled* {D4747503-0346-49EB-9262-997542F79BF4}

============== Running Processes ===============


============== Pseudo HJT Report ===============

uStart Page = hxxp://www.seznam.cz/
uInternet Connection Wizard,ShellNext = "c:\program files\outlook express\msimn.exe"
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [F-Secure Manager] "c:\program files\f-secure\common\FSM32.EXE" /splash
mRun: [F-Secure TNB] "c:\program files\f-secure\fsgui\TNBUtil.exe" /CHECKALL /WAITFORSW
mRun: [AGRSMMSG] AGRSMMSG.exe
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupda ... 3964256734
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftup ... 3964504546
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\tata\dataap~1\mozilla\firefox\profiles\vcqbe8ph.default\
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nprpjplug.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.default.XMLHttpRequest.channel", "noAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("security.checkloaduri", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("bidi.characterset", 1);
c:\program files\mozilla firefox\defaults\pref\channel-prefs.js - pref("app.update.channel", "release");
c:\program files\mozilla firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".cz");

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2009-10-28 16:13:42 46799 -c--a-w- c:\windows\system32\netdde.exe
2009-10-28 15:13:19 0 dc----w- c:\docume~1\tata\dataap~1\Malwarebytes
2009-10-28 15:13:09 38224 -c--a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-28 15:13:07 19160 -c--a-w- c:\windows\system32\drivers\mbam.sys
2009-10-28 15:13:07 0 dc----w- c:\docume~1\alluse~1\dataap~1\Malwarebytes
2009-10-28 15:13:06 0 dc----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-26 13:04:58 0 dc----w- c:\program files\PCLab
2009-10-24 07:44:57 0 dc----w- c:\program files\FreeRapid Downloader
2009-10-18 15:48:44 98304 -c--a-w- c:\windows\system32\CmdLineExt.dll
2009-10-18 15:10:57 0 dc----w- c:\program files\Aspyr Media, Inc
2009-10-15 17:12:19 274288 -c--a-w- c:\windows\system32\mucltui.dll
2009-10-15 17:12:19 17264 -c--a-w- c:\windows\system32\mucltui.dll.mui
2009-10-11 15:17:41 443752 -c--a-w- c:\windows\system32\d3dx10_34.dll
2009-10-11 15:17:40 1124720 -c--a-w- c:\windows\system32\D3DCompiler_34.dll
2009-10-11 15:17:22 3497832 -c--a-w- c:\windows\system32\d3dx9_34.dll
2009-10-11 14:56:45 0 dc----w- c:\program files\Flagship Studios
2009-10-10 12:50:31 0 dc----w- c:\docume~1\tata\dataap~1\uTorrent
2009-10-10 12:50:29 0 dc----w- c:\program files\uTorrent
2009-10-08 17:39:00 0 dc----w- c:\program files\IVT Corporation
2009-10-08 17:38:55 32 -c--a-w- c:\windows\0
2009-10-08 17:38:54 0 -c--a-w- c:\windows\system32\0
2009-10-03 17:01:27 0 dc----w- c:\program files\DVD Shrink
2009-10-02 17:19:23 144 -c--a-w- c:\windows\Eudcedit.ini

==================== Find3M ====================

2009-10-29 07:08:25 85616 ----a-w- c:\windows\system32\perfc005.dat
2009-10-29 07:08:25 444686 ----a-w- c:\windows\system32\perfh005.dat
2009-09-26 13:30:27 411368 -c--a-w- c:\windows\system32\deploytk.dll
2009-09-26 11:04:30 33920 -c--a-w- c:\windows\system32\drivers\fsbts.sys
2009-09-26 09:18:50 21812 -c--a-w- c:\windows\system32\emptyregdb.dat
2009-08-16 15:08:36 178176 -c--a-w- c:\windows\system32\unrar.dll
2009-08-06 17:23:46 215920 -c--a-w- c:\windows\system32\muweb.dll
2009-08-05 09:01:14 205312 -c--a-w- c:\windows\system32\mswebdvd.dll

============= FINISH: 19:49:51,73 ===============


-------------------------------------------------------------------------------------------------------------


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-10-26.01)


==== Disk Partitions =========================


==== Disabled Device Manager Items =============

==== System Restore Points ===================

No restore point in system.

==== Installed Programs ======================

7-Zip 4.65
Adobe Download Manager
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9.1 - Czech
Aktualizace systému Windows Internet Explorer 8 (KB973874)
Aktualizace zabezpečení systému Windows Internet Explorer 8 (KB971961)
Aktualizace zabezpečení systému Windows Internet Explorer 8 (KB972260)
Aktualizace zabezpečení systému Windows XP (KB923789)
ATI Display Driver
µTorrent CZ 1.8.4 (build 16442)
Bluesoleil2.6.0.8 Release 070517
Drogerie TETA Home Print Service
DVD Shrink 3.2
EPSON Scan
F-Secure Profi Antivirus
Firebird SQL Server - MAGIX Edition
Hellgate: London
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB954550-v5)
ICQ6.5
Java(TM) 6 Update 16
K-Lite Mega Codec Pack 5.1.4
Lineage II
MAGIX Music Maker 15 Premium Download version 15.0.1.5 (UK)
MAGIX Screenshare 4.3.6.1987 (UK)
Malwarebytes' Anti-Malware
MediaCoder 0.7.2.4528
Microcom InPorte Home
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Czech Language Pack
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 2.0 Service Pack 2 Language Pack - CSY
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2 Language Pack - CSY
Microsoft .NET Framework 3.5 Language Pack SP1 - csy
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1 – jazyková sada – CSY
Microsoft Office Professional Edition 2003
Microsoft Silverlight
Mozilla Firefox (3.0.15)
Nero OEM
PCLab
QIP 2005 8095
rulesPlayer 0.99.3
Samsung ML-1640 Series
Skype™ 4.1
Software tiskárny EPSON
SPORE™
Text-To-Speech-Runtime
Tony Hawk's American Wasteland (TM)
Tony Hawk's American Wasteland 1.01 Patch
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
WebFldrs XP
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Player 11
Wise Registry Cleaner 4 Professional V4.82

==== End Of File ===========================

[pitimir]

Stiahni ComboFix, najlepsie na plochu. Vypni vsetky otvorene aplikacie, ako aj rezidenty antiviru, antispywaru a firewall. Spust program cez ucet s administratorskymi pravami a postupuj podla instrukcii. Cely sken bude trvat cca 10 minut. Pocas neho moze byt PC restartovane. Log, ktory ComboFix vytvori, najdes na adrese "C:\ComboFix.txt".
Ten vloz sem.

Pozor: Kym ComboFix nevytvori log, na nic neklikat, nic nestlacat !!

[Paulí]

ComboFix 09-10-28.08 - TATA 30.10.2009 8:47.1.2 - NTFSx86
Spuštěný z: c:\documents and settings\TATA\Plocha\ComboFix.exe
AV: F-Secure Profi Antivirus 8.01 *On-access scanning disabled* (Updated) {E7512ED5-4245-4B4D-AF3A-382D3F313F15}
FW: F-Secure Profi Antivirus 8.01 *enabled* {D4747503-0346-49EB-9262-997542F79BF4}
* Vytvořen nový Bod Obnovení
.

((((((((((((((((((((((((( Soubory vytvořené od 2009-09-28 do 2009-10-30 )))))))))))))))))))))))))))))))
.

2009-10-30 07:40 . 2009-10-30 07:40 -------- dc-h--w- c:\windows\PIF
2009-10-28 15:13 . 2009-09-10 13:54 38224 -c--a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-28 15:13 . 2009-09-10 13:53 19160 -c--a-w- c:\windows\system32\drivers\mbam.sys
2009-10-28 15:13 . 2009-10-28 15:13 -------- dc----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-26 13:04 . 2009-10-26 13:05 -------- dc----w- c:\program files\PCLab
2009-10-24 07:44 . 2009-10-29 14:15 -------- dc----w- c:\program files\FreeRapid Downloader
2009-10-18 15:48 . 2009-10-18 15:48 98304 -c--a-w- c:\windows\system32\CmdLineExt.dll
2009-10-18 15:10 . 2009-10-18 15:10 -------- dc----w- c:\program files\Aspyr Media, Inc
2009-10-15 17:12 . 2009-08-06 17:23 274288 -c--a-w- c:\windows\system32\mucltui.dll
2009-10-11 15:17 . 2007-05-16 14:45 443752 -c--a-w- c:\windows\system32\d3dx10_34.dll
2009-10-11 15:17 . 2007-05-16 14:45 1124720 -c--a-w- c:\windows\system32\D3DCompiler_34.dll
2009-10-11 15:17 . 2007-05-16 14:45 3497832 -c--a-w- c:\windows\system32\d3dx9_34.dll
2009-10-11 14:56 . 2009-10-11 14:56 -------- dc----w- c:\program files\Flagship Studios
2009-10-10 12:56 . 2009-10-10 12:56 -------- dc----w- c:\windows\Sun
2009-10-10 12:50 . 2009-10-10 12:50 -------- dc----w- c:\program files\uTorrent
2009-10-08 17:39 . 2009-10-08 17:39 -------- dc----w- c:\program files\IVT Corporation
2009-10-03 17:01 . 2009-10-03 17:01 -------- dc----w- c:\program files\DVD Shrink

.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-30 07:32 . 2002-09-23 12:00 85616 ----a-w- c:\windows\system32\perfc005.dat
2009-10-30 07:32 . 2002-09-23 12:00 444686 ----a-w- c:\windows\system32\perfh005.dat
2009-10-29 20:10 . 2009-09-26 10:40 -------- dc----w- c:\program files\F-Secure
2009-10-29 12:10 . 2009-09-27 12:24 -------- dc----w- c:\program files\MediaCoder
2009-10-18 15:49 . 2009-09-26 13:56 -------- dc-h--w- c:\program files\InstallShield Installation Information
2009-10-17 14:00 . 2009-09-28 15:08 -------- dc----w- c:\program files\Lineage II
2009-10-17 09:45 . 2009-09-26 13:21 -------- dc----w- c:\program files\Wise Registry Cleaner
2009-09-28 15:08 . 2009-09-28 15:08 -------- dc----w- c:\program files\Common Files\InstallShield
2009-09-28 14:42 . 2009-09-28 14:42 -------- dc----w- c:\program files\Electronic Arts
2009-09-28 13:11 . 2009-09-26 13:55 -------- dc----w- c:\program files\ICQ6.5
2009-09-28 08:38 . 2009-09-28 08:35 -------- dc----w- c:\program files\MAGIX
2009-09-27 13:14 . 2009-09-27 13:08 -------- dc----w- c:\program files\K-Lite Codec Pack
2009-09-27 12:06 . 2009-09-27 12:06 -------- dc----w- c:\program files\Microsoft.NET
2009-09-26 19:21 . 2009-09-26 19:21 -------- dc----w- c:\program files\NOS
2009-09-26 15:22 . 2009-09-26 15:19 -------- dc----w- c:\program files\epson
2009-09-26 15:07 . 2009-09-26 15:07 -------- dc----w- c:\program files\Samsung
2009-09-26 14:58 . 2009-09-26 14:57 -------- dc----w- c:\program files\QIP
2009-09-26 14:19 . 2009-09-26 11:50 -------- dc-h--w- c:\program files\Windows Media Connect 2
2009-09-26 14:15 . 2009-09-26 14:15 -------- dc----w- c:\program files\7-Zip
2009-09-26 14:07 . 2009-09-26 14:05 -------- dc----w- c:\program files\Ahead
2009-09-26 14:06 . 2009-09-26 14:05 -------- dc----w- c:\program files\Common Files\Ahead
2009-09-26 14:02 . 2009-09-26 14:02 0 -c--a-w- c:\windows\nsreg.dat
2009-09-26 14:00 . 2009-09-26 14:00 -------- dc----w- c:\program files\Drogerie TETA Home Print Service
2009-09-26 13:59 . 2009-09-26 13:59 -------- dc----r- c:\program files\Skype
2009-09-26 13:46 . 2009-09-26 13:45 -------- dc----w- c:\program files\rulesPlayer
2009-09-26 13:30 . 2009-09-26 13:30 411368 -c--a-w- c:\windows\system32\deploytk.dll
2009-09-26 13:30 . 2009-09-26 13:30 -------- dc----w- c:\program files\Java
2009-09-26 12:52 . 2009-09-26 12:51 -------- dc----w- c:\program files\Common Files\Adobe
2009-09-26 12:26 . 2009-09-26 12:26 -------- dc-h--w- c:\program files\Microsoft Silverlight
2009-09-26 11:58 . 2009-09-26 11:58 -------- dc-h--w- c:\program files\MSBuild
2009-09-26 11:58 . 2009-09-26 11:58 -------- dc-h--w- c:\program files\Reference Assemblies
2009-09-26 11:04 . 2009-09-26 10:41 33920 -c--a-w- c:\windows\system32\drivers\fsbts.sys
2009-09-26 10:25 . 2009-09-26 10:25 -------- dc-h--w- c:\program files\Intel
2009-09-26 10:20 . 2009-09-26 10:20 -------- dc-h--w- c:\program files\Analog Devices
2009-09-26 09:21 . 2009-09-26 09:21 -------- dc-h--w- c:\program files\microsoft frontpage
2009-09-26 09:18 . 2009-09-26 09:18 21812 -c--a-w- c:\windows\system32\emptyregdb.dat
2009-08-16 15:08 . 2009-09-27 13:09 178176 -c--a-w- c:\windows\system32\unrar.dll
2009-08-06 17:24 . 2009-09-26 09:48 327896 -c--a-w- c:\windows\system32\wucltui.dll
2009-08-06 17:24 . 2009-09-26 09:48 209632 -c--a-w- c:\windows\system32\wuweb.dll
2009-08-06 17:24 . 2009-09-26 11:27 44768 -c--a-w- c:\windows\system32\wups2.dll
2009-08-06 17:24 . 2009-09-26 09:48 35552 -c--a-w- c:\windows\system32\wups.dll
2009-08-06 17:24 . 2009-09-26 09:17 53472 -c--a-w- c:\windows\system32\wuauclt.exe
2009-08-06 17:24 . 2002-09-23 12:00 96480 -c--a-w- c:\windows\system32\cdm.dll
2009-08-06 17:23 . 2009-09-26 09:48 575704 -c--a-w- c:\windows\system32\wuapi.dll
2009-08-06 17:23 . 2009-09-26 09:17 1929952 -c--a-w- c:\windows\system32\wuaueng.dll
2009-08-06 17:23 . 2008-10-16 12:07 215920 -c--a-w- c:\windows\system32\muweb.dll
2009-08-05 09:01 . 2002-09-23 12:00 205312 -c--a-w- c:\windows\system32\mswebdvd.dll
.

(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2005-05-20 925696]
"F-Secure Manager"="c:\program files\F-Secure\Common\FSM32.EXE" [2008-12-04 182936]
"F-Secure TNB"="c:\program files\F-Secure\FSGUI\TNBUtil.exe" [2008-12-04 957024]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\AGRSMMSG.exe [2002-09-25 87751]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
"c:\\Program Files\\uTorrent\\utorrent.exe"=
"c:\\Program Files\\Flagship Studios\\Hellgate London\\Launcher.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R2 SSPORT;SSPORT;c:\windows\system32\Drivers\SSPORT.sys [x]
R3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;c:\program files\MAGIX\Common\Database\bin\fbserver.exe [2005-11-17 1527900]
R3 getPlusHelper;getPlus(R) Helper;c:\windows\System32\svchost.exe [2008-04-14 14336]
R4 F-Secure Filter;F-Secure File System Filter;c:\program files\F-Secure\Anti-Virus\Win2K\FSfilter.sys [2008-12-04 39776]
R4 F-Secure Recognizer;F-Secure File System Recognizer;c:\program files\F-Secure\Anti-Virus\Win2K\FSrec.sys [2008-12-04 25184]
S0 fsbts;fsbts;c:\windows\system32\Drivers\fsbts.sys [2009-09-26 33920]
S0 FSFW;F-Secure Firewall Driver;c:\windows\System32\drivers\fsdfw.sys [2008-12-04 79872]
S1 F-Secure HIPS;F-Secure HIPS Driver;c:\program files\F-Secure\HIPS\drivers\fshs.sys [2008-12-04 67808]
S2 FSORSPClient;F-Secure ORSP Client;c:\program files\F-Secure\ORSP Client\fsorsp.exe [2008-12-04 55904]
S3 F-Secure Gatekeeper;F-Secure Gatekeeper;c:\program files\F-Secure\Anti-Virus\minifilter\fsgk.sys [2009-10-15 101496]


--- Ostatní služby/ovladače v paměti ---

*NewlyCreated* - CLASSPNP_2
*NewlyCreated* - MBR
*NewlyCreated* - PCIIDEX_2
*Deregistered* - CLASSPNP_2
*Deregistered* - mbr
*Deregistered* - PCIIDEX_2

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
.
------- Doplňkový sken -------
.
uStart Page = hxxp://www.seznam.cz/
uInternet Connection Wizard,ShellNext = "c:\program files\Outlook Express\msimn.exe"
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\TATA\Data aplikací\Mozilla\Firefox\Profiles\vcqbe8ph.default\
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- NASTAVENÍ FIREFOXU ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".cz");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-30 08:53
Windows 5.1.2600 Service Pack 3 NTFS

skenování skrytých procesů ...

skenování skrytých položek 'Po spuštění' ...

skenování skrytých souborů ...

sken byl úspešně dokončen
skryté soubory: 0

**************************************************************************
.
--------------------- Knihovny navázané na běžící procesy ---------------------

- - - - - - - > 'winlogon.exe'(904)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3944)
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Celkový čas: 2009-10-30 8:55
ComboFix-quarantined-files.txt 2009-10-30 07:55

Před spuštěním: Volných bajtů: 49 433 694 208
Po spuštění: Volných bajtů: 49 414 692 864

WindowsXP-KB310994-SP2-Home-BootDisk-CSY.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn /noguiboot

- - End Of File - - 35EA99A2B3D9F50726002E3538341067

[pitimir]

1) Docistime to:

• Odinstaluj Combofix:
  Start -> Spustit -> (napis) combofix /uninstall

• Pouzi T-Cleaner (ak by ho antivirus hlasil ako smejda, nic sa netreba bat, ide len o paranoju AV programu).

• Precisti PC CCleanerom (vratane registrov).

• Pouzi TFC (spust program a klikni na "Start". Pozor, PC moze byt restartovane).

2) Vloz log z HJT.

V pripade nezrovnalosti sa >>tu<< nachadza navod.

[Paulí]

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:58:57, on 31.10.2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
C:\Program Files\F-Secure\FWES\Program\fsdfwd.exe
C:\Program Files\F-Secure\Anti-Virus\FSGK32.EXE
C:\Program Files\F-Secure\Common\FSMA32.EXE
C:\Program Files\F-Secure\Common\FSMB32.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\F-Secure\Common\FCH32.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\rsvp.exe
C:\WINDOWS\System32\vssvc.exe
C:\Program Files\F-Secure\Common\FAMEH32.EXE
C:\Program Files\F-Secure\Anti-Virus\fsqh.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\F-Secure\Common\FSM32.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\F-Secure\FSGUI\fsguidll.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\F-Secure\FSAUA\program\fsaua.exe
C:\Program Files\F-Secure\Anti-Virus\fssm32.exe
C:\Program Files\F-Secure\FSAUA\program\fsus.exe
C:\Documents and Settings\TATA\Dokumenty\Pavel\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.seznam.cz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Program Files\Outlook Express\msimn.exe"
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\F-Secure\FSGUI\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-21-1390067357-1417001333-725345543-1004\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User '?')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 3964256734
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 3964504546
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} (get_atlcom Class) - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Systémové aplikace modelu COM+ (COMSysApp) - Unknown owner - C:\WINDOWS\System32\dllhost.exe (file missing)
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
O23 - Service: Firebird Server - MAGIX Instance (FirebirdServerMAGIXInstance) - MAGIX® - C:\Program Files\MAGIX\Common\Database\bin\fbserver.exe
O23 - Service: F-Secure Automatic Update Agent (FSAUA) - F-Secure Corporation - C:\Program Files\F-Secure\FSAUA\program\fsaua.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\F-Secure\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\F-Secure\Common\FSMA32.EXE
O23 - Service: F-Secure ORSP Client (FSORSPClient) - F-Secure Corporation - C:\Program Files\F-Secure\ORSP Client\fsorsp.exe
O23 - Service: Služba DDE v síti (NetDDE) - Unknown owner - C:\WINDOWS\system32\netdde.exe (file missing)
O23 - Service: Správce DSDM služby DDE v síti (NetDDEdsdm) - Unknown owner - C:\WINDOWS\system32\netdde.exe (file missing)
O23 - Service: MS Software Shadow Copy Provider (SwPrv) - Unknown owner - C:\WINDOWS\System32\dllhost.exe (file missing)

--
End of file - 5707 bytes

[pitimir]

1) Fixni v HJT (zasrktni stvorcek pri danom riadku a stlac "Fix Checked"):

Kód: Vybrat vše

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 3964256734
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 3964504546
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} (get_atlcom Class) - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

2) Updatuj Adobe Reader (poslednu verziu najdes >>tu<<).

[Paulí]

Hotovo.

Nevíte náhodou proč mi blbnou služby ? Nejčastěji BITS a Windows Installer. Po startu (nebo i za běhu - třeba po zkončení instalace se sama ukončí služba Windows Installer a když se má spustit další instalace, služba sama nenaběhne) PC se tyto služby (ale i jiné) sami různě přenastavují. Mám u nich typ spuštění na "automaticky" a občas se to samo změní na "ručně" a pak nejde instalovat, protože "služba ... není spuštěná". Musím ji sám spustit.

A jinak, kde seženu soubory pro:
O23 - Service: Služba DDE v síti (NetDDE) - Unknown owner - C:\WINDOWS\system32\netdde.exe (file missing)
O23 - Service: Správce DSDM služby DDE v síti (NetDDEdsdm) - Unknown owner - C:\WINDOWS\system32\netdde.exe (file missing)
O23 - Service: MS Software Shadow Copy Provider (SwPrv) - Unknown owner - C:\WINDOWS\System32\dllhost.exe (file missing)
Musely být smazány kvůli virům.

[pitimir]

HJT takto odkazuje na "mrtve" sluzby, povedal by som, ze subory tam ostali