Prosím o kontrolu logu
Napsal: 29 pro 2008 21:01
Měl jsem pokus o průnik přes winlogon, který zachytil firewall. Následně spadl systém a nešly spouštět žádné aplikace. Vyskakovala mi hláška o souboru "stus.exe". Našel jsem si na tomto fóru podobný problém a zkoušel jsem to vyřešit podle něj. Přes konzolu zotavení jsem nahradil soubory user32.dll a userinit.exe, které byly pravděpodobně napadeny. Následně pomocí Combofixu jsem proscanoval PCa C+C Cleanerem udělal pořádek. Možná už je to v pohodě, ale přesto prosím o kontrolu logu z HijackThis + Combofixu. V adresáři C:\windows\system32\ mám soubor stus.exe a nevím jestli je tam nutný. Testoval jsem ho na Virustotalu a podle něho je úplně čistý. Díky za zprávu.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:49, on 2008-12-29
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ICQ6Toolbar\ICQ Service.exe
C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4ss.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4gui.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4gui.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\František Řepa\Plocha\protection\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.seznam.cz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.irfanview.net/faq.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
R3 - URLSearchHook: ICQToolBar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQ6Toolbar\ICQToolBar.dll
O2 - BHO: XTTBPos00 - {055FD26D-3A88-4e15-963D-DC8493744B1D} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WebTransBHO Class - {2DB66063-BB98-466A-AA0D-3E7ACF5ED853} - C:\WINDOWS\WebIE.dll
O2 - BHO: GetRight IE Download Helper - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: WebTranslator - {BFC32E1D-EE75-4A48-BC60-104E11EE2431} - C:\WINDOWS\WebIE.dll
O3 - Toolbar: ICQToolBar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQ6Toolbar\ICQToolBar.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [OEXPRESS] C:\WINDOWS\OETRN.EXE
O4 - HKCU\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 7\PCSync2.exe" /NoDialog
O4 - HKCU\..\Run: [PC Suite Tray] "C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe" -onlytray
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Program Files\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xportovat do aplikace Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O8 - Extra context menu item: Převést cíl vazby do Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Převést cíl vazby do existujícího PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Převést do Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Převést do existujícího PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Převést vybrané vazby do Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Převést vybrané vazby do existujícího PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Převést výběr do Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Převést výběr do existujícího PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O9 - Extra button: WebTran - {7E6A20FB-153F-402c-A84B-1A64E1955D3D} - C:\WINDOWS\WebIE.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe (file missing)
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe (file missing)
O9 - Extra button: (no name) - {BFC32E1D-EE75-4A48-BC60-104E11EE2431} - (no file)
O9 - Extra button: (no name) - {CC963627-B1DC-40E0-B52A-CF21EE748449} - C:\WINDOWS\WebIE.dll
O9 - Extra 'Tools' menuitem: &Nastavit překladač - {CC963627-B1DC-40E0-B52A-CF21EE748449} - C:\WINDOWS\WebIE.dll
O9 - Extra button: (no name) - {CC963627-B1DC-40E0-B52A-CF21EE748450} - C:\WINDOWS\WebIE.dll
O9 - Extra 'Tools' menuitem: &Slovník - {CC963627-B1DC-40E0-B52A-CF21EE748450} - C:\WINDOWS\WebIE.dll
O9 - Extra button: (no name) - {CC963627-B1DC-40E0-B52A-CF21EE748451} - C:\WINDOWS\WebIE.dll
O9 - Extra 'Tools' menuitem: Přeložit &označený text - {CC963627-B1DC-40E0-B52A-CF21EE748451} - C:\WINDOWS\WebIE.dll
O9 - Extra button: (no name) - {CC963627-B1DC-40E0-B52A-CF21EE748452} - C:\WINDOWS\WebIE.dll
O9 - Extra 'Tools' menuitem: Přeložit &stránku - {CC963627-B1DC-40E0-B52A-CF21EE748452} - C:\WINDOWS\WebIE.dll
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/s ... wflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{65A09B59-F1AB-47D4-AF2A-56CBF8E87603}: NameServer = 192.168.115.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{65A09B59-F1AB-47D4-AF2A-56CBF8E87603}: NameServer = 192.168.115.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{65A09B59-F1AB-47D4-AF2A-56CBF8E87603}: NameServer = 192.168.115.1
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: ICQ Service - Unknown owner - C:\Program Files\ICQ6Toolbar\ICQ Service.exe
O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4ss.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
--
End of file - 9300 bytes
ComboFix 08-12-28.04 - František Řepa 2008-12-29 20:27:39.1 - NTFSx86
Systém Microsoft Windows XP Professional 5.1.2600.2.1250.1.1029.18.1023.700 [GMT 1:00]
Spuštěný z: c:\documents and settings\František Řepa\Plocha\protection\ComboFix.exe
* Resident AV is active
VAROVÁNÍ - NA TOMTO POČÍTAČI NENÍ NAINSTALOVÁNA KONZOLA PRO ZOTAVENÍ !!
.
((((((((((((((((((((((((((((((((((((((( Ostatní výmazy )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\NetworkService\Data aplikací\wsnpoem
c:\documents and settings\NetworkService\Data aplikací\wsnpoem\audio.dll
c:\windows\system32\ntos.exe
c:\windows\system32\wsnpoem
c:\windows\system32\wsnpoem\audio.dll
c:\windows\system32\wsnpoem\video.dll
.
((((((((((((((((((((((((( Soubory vytvořené od 2008-11-28 do 2008-12-29 )))))))))))))))))))))))))))))))
.
2008-12-29 18:38 . 2004-08-17 14:49 24,576 --a------ c:\windows\system32\stus.exe
2008-12-26 10:18 . 2008-12-26 10:18 <DIR> d-------- c:\documents and settings\All Users\Data aplikací\ATI
2008-12-26 10:06 . 2008-12-26 10:06 0 --a------ c:\windows\ativpsrm.bin
2008-12-25 13:25 . 2008-12-25 13:25 <DIR> d-------- c:\program files\K-Lite Codec Pack
2008-12-25 13:18 . 2008-12-26 10:18 <DIR> d-------- c:\program files\ATI
2008-12-21 13:59 . 2008-12-21 14:48 <DIR> d-------- c:\documents and settings\František Řepa\Data aplikací\My Battle for Middle-earth(tm) II Files
2008-12-21 10:11 . 2004-08-03 23:08 25,600 --a------ c:\windows\system32\drivers\usbser.sys
2008-12-21 10:11 . 2004-08-03 23:08 25,600 --a--c--- c:\windows\system32\dllcache\usbser.sys
2008-12-21 10:11 . 2008-12-21 10:11 0 --ah----- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2008-12-21 10:11 . 2008-12-21 10:11 0 --ah----- c:\windows\system32\drivers\Msft_Kernel_ccdcmb_01005.Wdf
2008-12-20 18:59 . 2008-12-20 18:59 <DIR> d-------- c:\program files\Common Files\PCSuite
2008-12-20 18:59 . 2008-12-20 18:59 <DIR> d-------- c:\program files\Common Files\Nokia
2008-12-20 18:58 . 2008-12-20 18:58 <DIR> d-------- c:\program files\PC Connectivity Solution
2008-12-20 18:58 . 2007-09-17 15:53 21,632 --a------ c:\windows\system32\drivers\pccsmcfd.sys
2008-12-20 18:56 . 2008-05-07 07:39 1,419,232 --a------ c:\windows\system32\wdfcoinstaller01005.dll
2008-12-20 18:56 . 2008-05-07 07:38 659,968 --a------ c:\windows\system32\nmwcdcocls.dll
2008-12-20 18:56 . 2008-05-07 07:38 20,864 --a------ c:\windows\system32\drivers\ccdcmbo.sys
2008-12-20 18:56 . 2008-05-07 07:38 17,536 --a------ c:\windows\system32\drivers\ccdcmb.sys
2008-12-20 18:56 . 2008-05-07 07:38 8,064 --a------ c:\windows\system32\drivers\usbser_lowerfltj.sys
2008-12-20 18:56 . 2008-06-06 09:24 8,064 --a------ c:\windows\system32\drivers\usbser_lowerflt.sys
2008-12-20 18:49 . 2008-12-20 19:00 <DIR> d-------- c:\documents and settings\All Users\Data aplikací\Installations
2008-12-06 21:43 . 2008-12-27 22:30 1,073,180,672 --a------ c:\windows\MEMORY.DMP
2008-12-06 18:28 . 2008-12-27 10:13 <DIR> d-------- c:\windows\system32\CatRoot_bak
2008-12-06 18:25 . 2008-06-14 19:00 272,128 --------- c:\windows\system32\drivers\bthport.sys
2008-12-06 18:25 . 2008-06-14 19:00 272,128 -----c--- c:\windows\system32\dllcache\bthport.sys
2008-12-06 18:09 . 2008-12-06 18:09 <DIR> d-------- c:\windows\ERUNT
2008-12-06 18:04 . 2008-12-06 18:04 212,427 --a------ c:\documents and settings\Franticatchme.zip
2008-12-01 21:11 . 2008-12-01 21:11 69,112 --a------ c:\windows\system32\ativvaxx.cap
2008-12-01 20:57 . 2008-12-01 20:57 48,640 --a------ c:\windows\system32\amdpcom32.dll
2008-12-01 20:53 . 2008-12-01 20:53 45,056 --a------ c:\windows\system32\amdcalrt.dll
2008-12-01 20:53 . 2008-12-01 20:53 45,056 --a------ c:\windows\system32\amdcalcl.dll
2008-12-01 20:52 . 2008-12-01 20:52 86,016 --a------ c:\windows\system32\atiadlxx.dll
2008-12-01 20:50 . 2008-12-01 20:50 3,252,224 --a------ c:\windows\system32\Amdcaldd.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-29 19:07 2,596 ----a-w c:\windows\system32\drivers\fwdrv.err
2008-12-29 14:20 --------- d-----w c:\documents and settings\All Users\Data aplikací\GetRight
2008-12-25 12:18 --------- d-----w c:\program files\ATI Technologies
2008-12-21 13:39 --------- d-----w c:\program files\GetRight
2008-12-21 12:51 --------- d-----w c:\program files\Electronic Arts
2008-12-21 09:12 --------- d-----w c:\documents and settings\František Řepa\Data aplikací\PC Suite
2008-12-21 09:11 --------- d-----w c:\documents and settings\František Řepa\Data aplikací\Nokia
2008-12-20 18:40 --------- d-----w c:\program files\EA GAMES
2008-12-20 18:00 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-20 17:59 --------- d-----w c:\program files\Nokia
2008-12-20 17:58 --------- d-----w c:\program files\DIFX
2008-12-08 11:53 57,344 ----a-w c:\windows\system32\ff_vfw.dll
2008-12-07 18:08 795,648 ----a-w c:\windows\system32\xvidcore.dll
2008-12-07 18:08 130,048 ----a-w c:\windows\system32\xvidvfw.dll
2008-12-06 16:07 --------- d-----w c:\program files\SUPERAntiSpyware
2008-12-06 15:45 --------- d-----w c:\program files\ESET
2008-12-01 22:13 3,452,928 ----a-w c:\windows\system32\drivers\ati2mtag.sys
2008-12-01 20:52 425,984 ----a-w c:\windows\system32\ATIDEMGX.dll
2008-12-01 20:51 318,464 ----a-w c:\windows\system32\ati2dvag.dll
2008-12-01 20:46 11,304,960 ----a-w c:\windows\system32\atioglxx.dll
2008-12-01 20:41 188,416 ----a-w c:\windows\system32\atipdlxx.dll
2008-12-01 20:40 43,520 ----a-w c:\windows\system32\ati2edxx.dll
2008-12-01 20:40 26,112 ----a-w c:\windows\system32\Ati2mdxx.exe
2008-12-01 20:40 147,456 ----a-w c:\windows\system32\Oemdspif.dll
2008-12-01 20:40 143,360 ----a-w c:\windows\system32\ati2evxx.dll
2008-12-01 20:38 598,016 ----a-w c:\windows\system32\ati2evxx.exe
2008-12-01 20:37 53,248 ----a-w c:\windows\system32\ATIDDC.DLL
2008-12-01 20:27 4,120,384 ----a-w c:\windows\system32\ati3duag.dll
2008-12-01 20:19 307,200 ----a-w c:\windows\system32\atiiiexx.dll
2008-12-01 20:11 2,495,360 ----a-w c:\windows\system32\ativvaxx.dll
2008-12-01 19:53 401,408 ----a-w c:\windows\system32\atikvmag.dll
2008-12-01 19:52 17,408 ----a-w c:\windows\system32\atitvo32.dll
2008-12-01 19:51 53,248 ----a-w c:\windows\system32\drivers\ati2erec.dll
2008-12-01 19:50 286,720 ----a-w c:\windows\system32\atiok3x2.dll
2008-12-01 19:45 577,536 ----a-w c:\windows\system32\ati2cqag.dll
2008-12-01 13:35 593,920 ------w c:\windows\system32\ati2sgag.exe
2008-11-21 22:33 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-11-16 13:27 --------- d-----w c:\documents and settings\František Řepa\Data aplikací\My Battle for Middle-earth Files
2008-11-08 14:57 400,896 ----a-w c:\windows\system32\Baby Animals.scr
2008-11-08 14:57 29,184 ----a-w c:\windows\system32\sstunst2.exe
2008-11-08 14:57 1,117,921 ----a-w c:\windows\Friends.scr
2008-11-08 14:55 9,728 ----a-w c:\windows\system32\UnInstall Tricks_Bart.exe
2008-11-08 14:55 1,236,003 ----a-w c:\windows\system32\Tricks_Bart.scr
2008-11-07 18:46 --------- d-----w c:\program files\Horizons3
2008-10-29 16:05 --------- d-----w c:\program files\Lost 4 saver
2008-10-29 13:45 6,692,889 ----a-w c:\windows\Lost Screensaver 2.SCR
2008-10-29 13:45 --------- d-----w c:\documents and settings\František Řepa\Data aplikací\iScreensaver
2008-10-28 22:35 684,032 ----a-w c:\windows\system32\divx.dll
2008-10-23 13:01 283,648 ----a-w c:\windows\system32\gdi32.dll
2008-10-21 18:51 118,784 ----a-w c:\windows\system32\atibrtmon.exe
2008-10-16 13:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 13:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 13:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 13:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 13:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 13:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 13:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 13:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 10:39 660,480 ----a-w c:\windows\system32\wininet.dll
2008-10-03 10:17 247,326 ----a-w c:\windows\system32\strmdll.dll
2008-07-22 09:12 68,520 ----a-w c:\documents and settings\František Řepa\Data aplikací\GDIPFONTCACHEV1.DAT
2008-02-21 14:50 32 ----a-w c:\documents and settings\All Users\Data aplikací\ezsid.dat
.
(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-17 15360]
"DAEMON Tools"="c:\program files\DAEMON Tools\daemon.exe" [2007-08-16 167368]
"OEXPRESS"="c:\windows\OETRN.EXE" [2007-11-06 26624]
"Nokia.PCSync"="c:\program files\Nokia\Nokia PC Suite 7\PCSync2.exe" [2008-06-17 1249280]
"PC Suite Tray"="c:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe" [2008-10-02 1124352]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nod32kui"="c:\program files\Eset\nod32kui.exe" [2007-05-11 921600]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 483328]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2005-12-07 30208]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2006-04-13 49152]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-29 61440]
"RTHDCPL"="RTHDCPL.EXE" [2006-11-14 c:\windows\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [2006-05-16 c:\windows\SkyTel.exe]
"CHotkey"="mHotkey.exe" [2006-12-08 c:\windows\mHotkey.exe]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-17 15360]
c:\documents and settings\Frantiçek üepa\Nabˇdka Start\Programy\Po spuçtŘnˇ\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]
c:\documents and settings\All Users\Nabˇdka Start\Programy\Po spuçtŘnˇ\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-C740-7760-100000000002}\SC_Acrobat.exe [2007-11-06 25214]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2006-12-20 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-04-19 13:41 294912 c:\program files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.divxa32"= msaud32_divx.acm
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Sunbelt Software\\Personal Firewall 4\\kpf4gui.exe"=
"c:\\Program Files\\ICQ6\\ICQ.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\EA GAMES\\The Battle for Middle-earth (tm)\\game.dat"=
"c:\\Program Files\\Electronic Arts\\The Battle for Middle-earth (tm) II\\game.dat"=
R1 fwdrv;Firewall Driver;c:\windows\system32\drivers\fwdrv.sys [2005-12-15 274432]
R1 khips;Kerio HIPS Driver;c:\windows\system32\drivers\khips.sys [2005-12-15 81920]
R1 SASDIFSV;SASDIFSV;\??\c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2006-10-10 5632]
R1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2007-02-27 32256]
R2 ICQ Service;ICQ Service;c:\program files\ICQ6Toolbar\ICQ Service.exe [2008-07-09 222456]
R3 PSched;Plánovač paketů technologie QoS;c:\windows\system32\DRIVERS\psched.sys [2004-08-03 69120]
S3 SASENUM;SASENUM;\??\c:\program files\SUPERAntiSpyware\SASENUM.SYS [2006-02-16 4096]
*Newly Created Service* - PROCEXP90
.
- - - - NEPLATNÉ POLOŽKY ODSTRANĚNÉ Z REGISTRU - - - -
HKU-Default-Run-PcSync - c:\program files\Nokia\Nokia PC Suite 6\PcSync2.exe
.
------- Doplňkový sken -------
.
uStart Page = hxxp://www.seznam.cz/
uInternet Connection Wizard,ShellNext = hxxp://www.irfanview.net/faq.htm
uInternet Settings,ProxyOverride = *.local
IE: &ICQ Toolbar Search - c:\program files\ICQToolbar\toolbaru.dll/SEARCH.HTML
IE: Download with GetRight - c:\program files\GetRight\GRdownload.htm
IE: E&xportovat do aplikace Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Open with GetRight Browser - c:\program files\GetRight\GRbrowse.htm
IE: Převést cíl vazby do Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Převést cíl vazby do existujícího PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Převést do Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Převést do existujícího PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Převést vybrané vazby do Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Převést vybrané vazby do existujícího PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Převést výběr do Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Převést výběr do existujícího PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: {{7E6A20FB-153F-402c-A84B-1A64E1955D3D} - {7E6A20FB-153F-402c-A84B-1A64E1955D3D} - c:\windows\WebIE.dll
IE: {{CC963627-B1DC-40E0-B52A-CF21EE748449} - {CC963627-B1DC-40E0-B52A-CF21EE748449} - c:\windows\WebIE.dll
IE: {{CC963627-B1DC-40E0-B52A-CF21EE748450} - {CC963627-B1DC-40E0-B52A-CF21EE748450} - c:\windows\WebIE.dll
IE: {{CC963627-B1DC-40E0-B52A-CF21EE748451} - {CC963627-B1DC-40E0-B52A-CF21EE748451} - c:\windows\WebIE.dll
IE: {{CC963627-B1DC-40E0-B52A-CF21EE748452} - {CC963627-B1DC-40E0-B52A-CF21EE748452} - c:\windows\WebIE.dll
LSP: c:\windows\system32\imon.dll
TCP: {65A09B59-F1AB-47D4-AF2A-56CBF8E87603} = 192.168.115.1
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-29 20:33:03
Windows 5.1.2600 Service Pack 2 NTFS
skenování skrytých procesů ...
skenování skrytých položek 'Po spuštění' ...
skenování skrytých souborů ...
sken byl úspešně dokončen
skryté soubory: 0
**************************************************************************
.
--------------------- Knihovny navázané na běžící procesy ---------------------
- - - - - - - > 'winlogon.exe'(876)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\Ati2evxx.dll
- - - - - - - > 'lsass.exe'(932)
c:\windows\system32\imon.dll
c:\program files\Eset\pr_imon.dll
.
Celkový čas: 2008-12-29 20:35:28
ComboFix-quarantined-files.txt 2008-12-29 19:35:24
Před spuštěním: Volných bajtů: 11,728,396,288
Po spuštění: Volných bajtů: 12,199,604,224
220 --- E O F --- 2008-12-25 12:24:07
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:49, on 2008-12-29
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ICQ6Toolbar\ICQ Service.exe
C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4ss.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4gui.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4gui.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\František Řepa\Plocha\protection\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.seznam.cz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.irfanview.net/faq.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
R3 - URLSearchHook: ICQToolBar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQ6Toolbar\ICQToolBar.dll
O2 - BHO: XTTBPos00 - {055FD26D-3A88-4e15-963D-DC8493744B1D} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WebTransBHO Class - {2DB66063-BB98-466A-AA0D-3E7ACF5ED853} - C:\WINDOWS\WebIE.dll
O2 - BHO: GetRight IE Download Helper - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: WebTranslator - {BFC32E1D-EE75-4A48-BC60-104E11EE2431} - C:\WINDOWS\WebIE.dll
O3 - Toolbar: ICQToolBar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQ6Toolbar\ICQToolBar.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [OEXPRESS] C:\WINDOWS\OETRN.EXE
O4 - HKCU\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 7\PCSync2.exe" /NoDialog
O4 - HKCU\..\Run: [PC Suite Tray] "C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe" -onlytray
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Program Files\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xportovat do aplikace Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O8 - Extra context menu item: Převést cíl vazby do Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Převést cíl vazby do existujícího PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Převést do Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Převést do existujícího PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Převést vybrané vazby do Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Převést vybrané vazby do existujícího PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Převést výběr do Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Převést výběr do existujícího PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O9 - Extra button: WebTran - {7E6A20FB-153F-402c-A84B-1A64E1955D3D} - C:\WINDOWS\WebIE.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe (file missing)
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe (file missing)
O9 - Extra button: (no name) - {BFC32E1D-EE75-4A48-BC60-104E11EE2431} - (no file)
O9 - Extra button: (no name) - {CC963627-B1DC-40E0-B52A-CF21EE748449} - C:\WINDOWS\WebIE.dll
O9 - Extra 'Tools' menuitem: &Nastavit překladač - {CC963627-B1DC-40E0-B52A-CF21EE748449} - C:\WINDOWS\WebIE.dll
O9 - Extra button: (no name) - {CC963627-B1DC-40E0-B52A-CF21EE748450} - C:\WINDOWS\WebIE.dll
O9 - Extra 'Tools' menuitem: &Slovník - {CC963627-B1DC-40E0-B52A-CF21EE748450} - C:\WINDOWS\WebIE.dll
O9 - Extra button: (no name) - {CC963627-B1DC-40E0-B52A-CF21EE748451} - C:\WINDOWS\WebIE.dll
O9 - Extra 'Tools' menuitem: Přeložit &označený text - {CC963627-B1DC-40E0-B52A-CF21EE748451} - C:\WINDOWS\WebIE.dll
O9 - Extra button: (no name) - {CC963627-B1DC-40E0-B52A-CF21EE748452} - C:\WINDOWS\WebIE.dll
O9 - Extra 'Tools' menuitem: Přeložit &stránku - {CC963627-B1DC-40E0-B52A-CF21EE748452} - C:\WINDOWS\WebIE.dll
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/s ... wflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{65A09B59-F1AB-47D4-AF2A-56CBF8E87603}: NameServer = 192.168.115.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{65A09B59-F1AB-47D4-AF2A-56CBF8E87603}: NameServer = 192.168.115.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{65A09B59-F1AB-47D4-AF2A-56CBF8E87603}: NameServer = 192.168.115.1
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: ICQ Service - Unknown owner - C:\Program Files\ICQ6Toolbar\ICQ Service.exe
O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4ss.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
--
End of file - 9300 bytes
ComboFix 08-12-28.04 - František Řepa 2008-12-29 20:27:39.1 - NTFSx86
Systém Microsoft Windows XP Professional 5.1.2600.2.1250.1.1029.18.1023.700 [GMT 1:00]
Spuštěný z: c:\documents and settings\František Řepa\Plocha\protection\ComboFix.exe
* Resident AV is active
VAROVÁNÍ - NA TOMTO POČÍTAČI NENÍ NAINSTALOVÁNA KONZOLA PRO ZOTAVENÍ !!
.
((((((((((((((((((((((((((((((((((((((( Ostatní výmazy )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\NetworkService\Data aplikací\wsnpoem
c:\documents and settings\NetworkService\Data aplikací\wsnpoem\audio.dll
c:\windows\system32\ntos.exe
c:\windows\system32\wsnpoem
c:\windows\system32\wsnpoem\audio.dll
c:\windows\system32\wsnpoem\video.dll
.
((((((((((((((((((((((((( Soubory vytvořené od 2008-11-28 do 2008-12-29 )))))))))))))))))))))))))))))))
.
2008-12-29 18:38 . 2004-08-17 14:49 24,576 --a------ c:\windows\system32\stus.exe
2008-12-26 10:18 . 2008-12-26 10:18 <DIR> d-------- c:\documents and settings\All Users\Data aplikací\ATI
2008-12-26 10:06 . 2008-12-26 10:06 0 --a------ c:\windows\ativpsrm.bin
2008-12-25 13:25 . 2008-12-25 13:25 <DIR> d-------- c:\program files\K-Lite Codec Pack
2008-12-25 13:18 . 2008-12-26 10:18 <DIR> d-------- c:\program files\ATI
2008-12-21 13:59 . 2008-12-21 14:48 <DIR> d-------- c:\documents and settings\František Řepa\Data aplikací\My Battle for Middle-earth(tm) II Files
2008-12-21 10:11 . 2004-08-03 23:08 25,600 --a------ c:\windows\system32\drivers\usbser.sys
2008-12-21 10:11 . 2004-08-03 23:08 25,600 --a--c--- c:\windows\system32\dllcache\usbser.sys
2008-12-21 10:11 . 2008-12-21 10:11 0 --ah----- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2008-12-21 10:11 . 2008-12-21 10:11 0 --ah----- c:\windows\system32\drivers\Msft_Kernel_ccdcmb_01005.Wdf
2008-12-20 18:59 . 2008-12-20 18:59 <DIR> d-------- c:\program files\Common Files\PCSuite
2008-12-20 18:59 . 2008-12-20 18:59 <DIR> d-------- c:\program files\Common Files\Nokia
2008-12-20 18:58 . 2008-12-20 18:58 <DIR> d-------- c:\program files\PC Connectivity Solution
2008-12-20 18:58 . 2007-09-17 15:53 21,632 --a------ c:\windows\system32\drivers\pccsmcfd.sys
2008-12-20 18:56 . 2008-05-07 07:39 1,419,232 --a------ c:\windows\system32\wdfcoinstaller01005.dll
2008-12-20 18:56 . 2008-05-07 07:38 659,968 --a------ c:\windows\system32\nmwcdcocls.dll
2008-12-20 18:56 . 2008-05-07 07:38 20,864 --a------ c:\windows\system32\drivers\ccdcmbo.sys
2008-12-20 18:56 . 2008-05-07 07:38 17,536 --a------ c:\windows\system32\drivers\ccdcmb.sys
2008-12-20 18:56 . 2008-05-07 07:38 8,064 --a------ c:\windows\system32\drivers\usbser_lowerfltj.sys
2008-12-20 18:56 . 2008-06-06 09:24 8,064 --a------ c:\windows\system32\drivers\usbser_lowerflt.sys
2008-12-20 18:49 . 2008-12-20 19:00 <DIR> d-------- c:\documents and settings\All Users\Data aplikací\Installations
2008-12-06 21:43 . 2008-12-27 22:30 1,073,180,672 --a------ c:\windows\MEMORY.DMP
2008-12-06 18:28 . 2008-12-27 10:13 <DIR> d-------- c:\windows\system32\CatRoot_bak
2008-12-06 18:25 . 2008-06-14 19:00 272,128 --------- c:\windows\system32\drivers\bthport.sys
2008-12-06 18:25 . 2008-06-14 19:00 272,128 -----c--- c:\windows\system32\dllcache\bthport.sys
2008-12-06 18:09 . 2008-12-06 18:09 <DIR> d-------- c:\windows\ERUNT
2008-12-06 18:04 . 2008-12-06 18:04 212,427 --a------ c:\documents and settings\Franticatchme.zip
2008-12-01 21:11 . 2008-12-01 21:11 69,112 --a------ c:\windows\system32\ativvaxx.cap
2008-12-01 20:57 . 2008-12-01 20:57 48,640 --a------ c:\windows\system32\amdpcom32.dll
2008-12-01 20:53 . 2008-12-01 20:53 45,056 --a------ c:\windows\system32\amdcalrt.dll
2008-12-01 20:53 . 2008-12-01 20:53 45,056 --a------ c:\windows\system32\amdcalcl.dll
2008-12-01 20:52 . 2008-12-01 20:52 86,016 --a------ c:\windows\system32\atiadlxx.dll
2008-12-01 20:50 . 2008-12-01 20:50 3,252,224 --a------ c:\windows\system32\Amdcaldd.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-29 19:07 2,596 ----a-w c:\windows\system32\drivers\fwdrv.err
2008-12-29 14:20 --------- d-----w c:\documents and settings\All Users\Data aplikací\GetRight
2008-12-25 12:18 --------- d-----w c:\program files\ATI Technologies
2008-12-21 13:39 --------- d-----w c:\program files\GetRight
2008-12-21 12:51 --------- d-----w c:\program files\Electronic Arts
2008-12-21 09:12 --------- d-----w c:\documents and settings\František Řepa\Data aplikací\PC Suite
2008-12-21 09:11 --------- d-----w c:\documents and settings\František Řepa\Data aplikací\Nokia
2008-12-20 18:40 --------- d-----w c:\program files\EA GAMES
2008-12-20 18:00 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-20 17:59 --------- d-----w c:\program files\Nokia
2008-12-20 17:58 --------- d-----w c:\program files\DIFX
2008-12-08 11:53 57,344 ----a-w c:\windows\system32\ff_vfw.dll
2008-12-07 18:08 795,648 ----a-w c:\windows\system32\xvidcore.dll
2008-12-07 18:08 130,048 ----a-w c:\windows\system32\xvidvfw.dll
2008-12-06 16:07 --------- d-----w c:\program files\SUPERAntiSpyware
2008-12-06 15:45 --------- d-----w c:\program files\ESET
2008-12-01 22:13 3,452,928 ----a-w c:\windows\system32\drivers\ati2mtag.sys
2008-12-01 20:52 425,984 ----a-w c:\windows\system32\ATIDEMGX.dll
2008-12-01 20:51 318,464 ----a-w c:\windows\system32\ati2dvag.dll
2008-12-01 20:46 11,304,960 ----a-w c:\windows\system32\atioglxx.dll
2008-12-01 20:41 188,416 ----a-w c:\windows\system32\atipdlxx.dll
2008-12-01 20:40 43,520 ----a-w c:\windows\system32\ati2edxx.dll
2008-12-01 20:40 26,112 ----a-w c:\windows\system32\Ati2mdxx.exe
2008-12-01 20:40 147,456 ----a-w c:\windows\system32\Oemdspif.dll
2008-12-01 20:40 143,360 ----a-w c:\windows\system32\ati2evxx.dll
2008-12-01 20:38 598,016 ----a-w c:\windows\system32\ati2evxx.exe
2008-12-01 20:37 53,248 ----a-w c:\windows\system32\ATIDDC.DLL
2008-12-01 20:27 4,120,384 ----a-w c:\windows\system32\ati3duag.dll
2008-12-01 20:19 307,200 ----a-w c:\windows\system32\atiiiexx.dll
2008-12-01 20:11 2,495,360 ----a-w c:\windows\system32\ativvaxx.dll
2008-12-01 19:53 401,408 ----a-w c:\windows\system32\atikvmag.dll
2008-12-01 19:52 17,408 ----a-w c:\windows\system32\atitvo32.dll
2008-12-01 19:51 53,248 ----a-w c:\windows\system32\drivers\ati2erec.dll
2008-12-01 19:50 286,720 ----a-w c:\windows\system32\atiok3x2.dll
2008-12-01 19:45 577,536 ----a-w c:\windows\system32\ati2cqag.dll
2008-12-01 13:35 593,920 ------w c:\windows\system32\ati2sgag.exe
2008-11-21 22:33 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-11-16 13:27 --------- d-----w c:\documents and settings\František Řepa\Data aplikací\My Battle for Middle-earth Files
2008-11-08 14:57 400,896 ----a-w c:\windows\system32\Baby Animals.scr
2008-11-08 14:57 29,184 ----a-w c:\windows\system32\sstunst2.exe
2008-11-08 14:57 1,117,921 ----a-w c:\windows\Friends.scr
2008-11-08 14:55 9,728 ----a-w c:\windows\system32\UnInstall Tricks_Bart.exe
2008-11-08 14:55 1,236,003 ----a-w c:\windows\system32\Tricks_Bart.scr
2008-11-07 18:46 --------- d-----w c:\program files\Horizons3
2008-10-29 16:05 --------- d-----w c:\program files\Lost 4 saver
2008-10-29 13:45 6,692,889 ----a-w c:\windows\Lost Screensaver 2.SCR
2008-10-29 13:45 --------- d-----w c:\documents and settings\František Řepa\Data aplikací\iScreensaver
2008-10-28 22:35 684,032 ----a-w c:\windows\system32\divx.dll
2008-10-23 13:01 283,648 ----a-w c:\windows\system32\gdi32.dll
2008-10-21 18:51 118,784 ----a-w c:\windows\system32\atibrtmon.exe
2008-10-16 13:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 13:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 13:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 13:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 13:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 13:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 13:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 13:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 10:39 660,480 ----a-w c:\windows\system32\wininet.dll
2008-10-03 10:17 247,326 ----a-w c:\windows\system32\strmdll.dll
2008-07-22 09:12 68,520 ----a-w c:\documents and settings\František Řepa\Data aplikací\GDIPFONTCACHEV1.DAT
2008-02-21 14:50 32 ----a-w c:\documents and settings\All Users\Data aplikací\ezsid.dat
.
(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-17 15360]
"DAEMON Tools"="c:\program files\DAEMON Tools\daemon.exe" [2007-08-16 167368]
"OEXPRESS"="c:\windows\OETRN.EXE" [2007-11-06 26624]
"Nokia.PCSync"="c:\program files\Nokia\Nokia PC Suite 7\PCSync2.exe" [2008-06-17 1249280]
"PC Suite Tray"="c:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe" [2008-10-02 1124352]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nod32kui"="c:\program files\Eset\nod32kui.exe" [2007-05-11 921600]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 483328]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2005-12-07 30208]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2006-04-13 49152]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-29 61440]
"RTHDCPL"="RTHDCPL.EXE" [2006-11-14 c:\windows\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [2006-05-16 c:\windows\SkyTel.exe]
"CHotkey"="mHotkey.exe" [2006-12-08 c:\windows\mHotkey.exe]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-17 15360]
c:\documents and settings\Frantiçek üepa\Nabˇdka Start\Programy\Po spuçtŘnˇ\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]
c:\documents and settings\All Users\Nabˇdka Start\Programy\Po spuçtŘnˇ\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-C740-7760-100000000002}\SC_Acrobat.exe [2007-11-06 25214]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2006-12-20 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-04-19 13:41 294912 c:\program files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.divxa32"= msaud32_divx.acm
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Sunbelt Software\\Personal Firewall 4\\kpf4gui.exe"=
"c:\\Program Files\\ICQ6\\ICQ.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\EA GAMES\\The Battle for Middle-earth (tm)\\game.dat"=
"c:\\Program Files\\Electronic Arts\\The Battle for Middle-earth (tm) II\\game.dat"=
R1 fwdrv;Firewall Driver;c:\windows\system32\drivers\fwdrv.sys [2005-12-15 274432]
R1 khips;Kerio HIPS Driver;c:\windows\system32\drivers\khips.sys [2005-12-15 81920]
R1 SASDIFSV;SASDIFSV;\??\c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2006-10-10 5632]
R1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2007-02-27 32256]
R2 ICQ Service;ICQ Service;c:\program files\ICQ6Toolbar\ICQ Service.exe [2008-07-09 222456]
R3 PSched;Plánovač paketů technologie QoS;c:\windows\system32\DRIVERS\psched.sys [2004-08-03 69120]
S3 SASENUM;SASENUM;\??\c:\program files\SUPERAntiSpyware\SASENUM.SYS [2006-02-16 4096]
*Newly Created Service* - PROCEXP90
.
- - - - NEPLATNÉ POLOŽKY ODSTRANĚNÉ Z REGISTRU - - - -
HKU-Default-Run-PcSync - c:\program files\Nokia\Nokia PC Suite 6\PcSync2.exe
.
------- Doplňkový sken -------
.
uStart Page = hxxp://www.seznam.cz/
uInternet Connection Wizard,ShellNext = hxxp://www.irfanview.net/faq.htm
uInternet Settings,ProxyOverride = *.local
IE: &ICQ Toolbar Search - c:\program files\ICQToolbar\toolbaru.dll/SEARCH.HTML
IE: Download with GetRight - c:\program files\GetRight\GRdownload.htm
IE: E&xportovat do aplikace Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Open with GetRight Browser - c:\program files\GetRight\GRbrowse.htm
IE: Převést cíl vazby do Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Převést cíl vazby do existujícího PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Převést do Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Převést do existujícího PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Převést vybrané vazby do Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Převést vybrané vazby do existujícího PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Převést výběr do Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Převést výběr do existujícího PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: {{7E6A20FB-153F-402c-A84B-1A64E1955D3D} - {7E6A20FB-153F-402c-A84B-1A64E1955D3D} - c:\windows\WebIE.dll
IE: {{CC963627-B1DC-40E0-B52A-CF21EE748449} - {CC963627-B1DC-40E0-B52A-CF21EE748449} - c:\windows\WebIE.dll
IE: {{CC963627-B1DC-40E0-B52A-CF21EE748450} - {CC963627-B1DC-40E0-B52A-CF21EE748450} - c:\windows\WebIE.dll
IE: {{CC963627-B1DC-40E0-B52A-CF21EE748451} - {CC963627-B1DC-40E0-B52A-CF21EE748451} - c:\windows\WebIE.dll
IE: {{CC963627-B1DC-40E0-B52A-CF21EE748452} - {CC963627-B1DC-40E0-B52A-CF21EE748452} - c:\windows\WebIE.dll
LSP: c:\windows\system32\imon.dll
TCP: {65A09B59-F1AB-47D4-AF2A-56CBF8E87603} = 192.168.115.1
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-29 20:33:03
Windows 5.1.2600 Service Pack 2 NTFS
skenování skrytých procesů ...
skenování skrytých položek 'Po spuštění' ...
skenování skrytých souborů ...
sken byl úspešně dokončen
skryté soubory: 0
**************************************************************************
.
--------------------- Knihovny navázané na běžící procesy ---------------------
- - - - - - - > 'winlogon.exe'(876)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\Ati2evxx.dll
- - - - - - - > 'lsass.exe'(932)
c:\windows\system32\imon.dll
c:\program files\Eset\pr_imon.dll
.
Celkový čas: 2008-12-29 20:35:28
ComboFix-quarantined-files.txt 2008-12-29 19:35:24
Před spuštěním: Volných bajtů: 11,728,396,288
Po spuštění: Volných bajtů: 12,199,604,224
220 --- E O F --- 2008-12-25 12:24:07