Poraďte prosím co dál (HJT mám)
EDIT: v "Other Deletions" jsem měl ještě několik stovek .tmp souborů, který by se sem ale nevešly
ComboFix 08-01-23.2 - Lancˇźek 2008-01-24 14:38:53.1 - NTFSx86
Systém Microsoft Windows XP Professional 5.1.2600.2.1250.1.1029.18.1481 [GMT 1:00]
Running from: C:\Documents and Settings\Lancˇźek\Plocha\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\drivers\npf.sys
C:\WINDOWS\system32\packet.dll
C:\WINDOWS\system32\wpcap.dll
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\LEGACY_DOMAINSERVICE
-------\DomainService
-------\NPF
((((((((((((((((((((((((( Files Created from 2007-12-24 to 2008-01-24 )))))))))))))))))))))))))))))))
.
2008-01-24 14:38 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\Nircmd.exe
2008-01-24 14:35 . 2008-01-24 14:35 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-24 13:47 . 2008-01-24 13:48 <DIR> d-------- C:\Program Files\ICQ6
2008-01-17 21:47 . 2008-01-17 21:51 <DIR> d-------- C:\Program Files\Uniblue
2008-01-13 17:27 . 2008-01-19 15:47 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-01-13 16:40 . 2008-01-13 17:04 1,060,442 ---hs---- C:\WINDOWS\system32\mhdvoqdy.ini
2008-01-12 04:42 . 2008-01-12 04:42 1,060,562 ---hs---- C:\WINDOWS\system32\odvnypeh.ini
2008-01-10 01:47 . 2008-01-12 01:48 1,060,502 ---hs---- C:\WINDOWS\system32\gbwnshfc.ini
2008-01-09 01:46 . 2008-01-09 01:46 1,055,022 ---hs---- C:\WINDOWS\system32\wcwsgfgj.tmp
2008-01-06 13:16 . 2004-08-17 15:49 159,232 --a------ C:\WINDOWS\system32\ptpusd.dll
2008-01-06 13:16 . 2004-08-03 22:58 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2008-01-06 13:16 . 2004-08-03 22:58 15,104 --a--c--- C:\WINDOWS\system32\dllcache\usbscan.sys
2008-01-06 13:16 . 2001-10-24 12:25 5,632 --a------ C:\WINDOWS\system32\ptpusb.dll
2008-01-06 07:48 . 2008-01-21 00:42 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-06 07:48 . 2008-01-06 07:48 1,409 --a------ C:\WINDOWS\QTFont.for
2008-01-06 01:14 . 2008-01-06 01:14 1,043,800 ---hs---- C:\WINDOWS\system32\ncbffwci.ini
2008-01-03 00:53 . 2008-01-05 00:57 1,031,458 ---hs---- C:\WINDOWS\system32\dgnyufrt.ini
2008-01-02 23:37 . 2008-01-02 23:37 294 ---hs---- C:\WINDOWS\system32\bvyxrcre.ini
2008-01-01 23:36 . 2008-01-02 14:13 354 ---hs---- C:\WINDOWS\system32\rjlaghem.ini
2008-01-01 22:59 . 2008-01-01 22:59 <DIR> d-------- C:\Program Files\Electronic Arts
2008-01-01 19:43 . 2008-01-01 19:44 <DIR> d-------- C:\Program Files\Reg Cleaner
2008-01-01 14:31 . 2008-01-01 14:40 114 --a------ C:\WINDOWS\level.ini
2007-12-29 23:31 . 2008-01-01 20:03 654 ---hs---- C:\WINDOWS\system32\pnwmakct.ini
2007-12-28 15:40 . 2007-12-29 17:03 4,096 --a------ C:\WINDOWS\system32\crash
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-24 13:24 --------- d-----w C:\Program Files\QuickTime
2008-01-24 13:24 --------- d-----w C:\Program Files\DAEMON Tools
2008-01-24 12:48 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-24 10:53 --------- d-----w C:\Program Files\DC++
2008-01-19 14:48 --------- d-----w C:\Program Files\Spyware Terminator
2008-01-17 20:51 --------- d-----w C:\Program Files\TQDefiler
2008-01-13 16:27 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-01-12 13:57 --------- d-----w C:\Program Files\Lavasoft
2008-01-06 20:06 --------- d-----w C:\Program Files\Azureus
2008-01-01 18:49 25,280 ----a-w C:\WINDOWS\system32\drivers\hamachi.sys
2007-12-29 22:20 --------- d-----w C:\Program Files\Microsoft Games
2007-12-29 01:44 --------- d-----w C:\Program Files\ATI Technologies
2007-12-28 13:17 --------- d-----w C:\Program Files\iTunes
2007-12-28 13:17 --------- d-----w C:\Program Files\iPod
2007-12-22 10:56 --------- d-----w C:\Program Files\AGEIA Technologies
2007-12-21 20:12 --------- d-----w C:\Program Files\Huawei technologies
2007-12-05 05:26 2,782,208 ----a-w C:\WINDOWS\system32\drivers\ati2mtag.sys
2007-12-05 02:16 49,152 ----a-w C:\WINDOWS\system32\drivers\ati2erec.dll
2007-12-02 13:22 --------- d-----w C:\Program Files\NCSoft
2007-11-25 16:31 --------- d-----w C:\Program Files\Creative Labs
.
Kód: Vybrat vše
<pre>
----a-w 90,112 2008-01-01 19:57:14 C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart .exe
----a-w 171,464 2008-01-18 19:10:17 C:\Program Files\DAEMON Tools\daemon .exe
----a-w 1,410,304 2008-01-13 15:54:25 C:\Program Files\ESET\ESET NOD32 Antivirus\egui .exe
----a-w 1,877,272 2008-01-19 13:22:52 C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster .exe
----a-w 159,232 2008-01-19 15:06:17 C:\WINDOWS\pchealth\helpctr\binaries\MSConfig .exe
----a-w 15,360 2008-01-11 15:30:06 C:\WINDOWS\system32\ctfmon .exe
----a-w 155,648 2008-01-01 19:57:14 C:\WINDOWS\system32\NeroCheck .exe
</pre>((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{836700F1-FF89-44BC-B5F3-781403D1A1D4}]
C:\WINDOWS\system32\mlljh.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-01-24 13:44 579072]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2006-03-02 13:00 15360]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-01-24 13:44 219136]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"HideShutdownScripts"= 0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"MaxRecentDocs"= 99 (0x63)
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\urqnlli]
urqnlli.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winhoq32]
winhoq32.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, wowfx.dll
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Nabídka Start^Programy^Po spuštění^Adobe Reader Speed Launch.lnk]
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Nabídka Start^Programy^Po spuštění^Adobe Reader Synchronizer.lnk]
[HKLM\~\startupfolder\C:^Documents and Settings^Lancíček^Nabídka Start^Programy^Po spuštění^findfast.exe]
[HKLM\~\startupfolder\^brpinfo.dll]
path=\brpinfo.dll
backup=C:\WINDOWS\pss\brpinfo.dllCommon Startup
[HKLM\~\startupfolder\^dxva_sig.txt]
path=\dxva_sig.txt
[HKLM\~\startupfolder\^HCAppRes.dll]
path=\HCAppRes.dll
backup=C:\WINDOWS\pss\HCAppRes.dllCommon Startup
[HKLM\~\startupfolder\^HelpCtr.exe]
path=\HelpCtr.exe
backup=C:\WINDOWS\pss\HelpCtr.exeCommon Startup
[HKLM\~\startupfolder\^HelpHost.exe]
path=\HelpHost.exe
backup=C:\WINDOWS\pss\HelpHost.exeCommon Startup
[HKLM\~\startupfolder\^HelpSvc.exe]
path=\HelpSvc.exe
backup=C:\WINDOWS\pss\HelpSvc.exeCommon Startup
[HKLM\~\startupfolder\^hscsp_w3.cab]
path=\hscsp_w3.cab
backup=C:\WINDOWS\pss\hscsp_w3.cabCommon Startup
[HKLM\~\startupfolder\^HscUpd.exe]
path=\HscUpd.exe
backup=C:\WINDOWS\pss\HscUpd.exeCommon Startup
[HKLM\~\startupfolder\^MSConfig .exe]
path=\MSConfig .exe
backup=C:\WINDOWS\pss\MSConfig .exeCommon Startup
[HKLM\~\startupfolder\^msinfo.dll]
path=\msinfo.dll
backup=C:\WINDOWS\pss\msinfo.dllCommon Startup
[HKLM\~\startupfolder\^notiflag.exe]
path=\notiflag.exe
backup=C:\WINDOWS\pss\notiflag.exeCommon Startup
[HKLM\~\startupfolder\^NTUSER.DAT]
path=\NTUSER.DAT
backup=C:\WINDOWS\pss\NTUSER.DATCommon Startup
[HKLM\~\startupfolder\^ntuser.dat.LOG]
path=\ntuser.dat.LOG
backup=C:\WINDOWS\pss\ntuser.dat.LOGCommon Startup
[HKLM\~\startupfolder\^ntuser.ini]
path=\ntuser.ini
backup=C:\WINDOWS\pss\ntuser.iniCommon Startup
[HKLM\~\startupfolder\^pchdt_w3.cab]
path=\pchdt_w3.cab
backup=C:\WINDOWS\pss\pchdt_w3.cabCommon Startup
[HKLM\~\startupfolder\^pchshell.dll]
path=\pchshell.dll
backup=C:\WINDOWS\pss\pchshell.dllCommon Startup
[HKLM\~\startupfolder\^pchsvc.dll]
path=\pchsvc.dll
backup=C:\WINDOWS\pss\pchsvc.dllCommon Startup
[HKLM\~\startupfolder\^Plocha(2)]
path=\Plocha(2)
[HKLM\~\startupfolder\^SI.bin]
path=\SI.bin
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\50f2dce7]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
--a------ 2006-12-12 20:33 69632 C:\WINDOWS\Alcmtr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctaratev]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
--a------ 2006-03-02 13:00 15360 C:\WINDOWS\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
C:\Program Files\DAEMON Tools\daemon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\egui]
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
C:\WINDOWS\system32\mlljh.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSConfig]
C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig .exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
--a------ 2005-12-13 08:49 217088 C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegClean]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
--a------ 2006-12-12 20:33 16270848 C:\WINDOWS\RTHDCPL.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
--a------ 2006-12-12 20:33 2879488 C:\WINDOWS\SkyTel.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spoolsv]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-03-14 02:43 83608 C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue RegistryBooster 2]
--a------ 2008-01-19 14:22 1877272 C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster .exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPod Service"=3 (0x3)
"IDriverT"=3 (0x3)
"DomainService"=2 (0x2)
R1 sp_rsdrv2;Spyware Terminator Driver 2;C:\WINDOWS\system32\drivers\sp_rsdrv2.sys [2007-08-26 13:30]
R3 PSched;Plánovač paketů technologie QoS;C:\WINDOWS\system32\DRIVERS\psched.sys [2006-03-02 13:00]
S3 GVCplDrv;GVCplDrv;C:\WINDOWS\system32\drivers\GVCplDrv.sys [2006-08-16 07:25]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{16dfedde-b0ef-11dc-b9ff-0016e6dd6c22}]
\Shell\AutoRun\command - F:\AutoRun.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{20fb28ec-b16c-11dc-ba07-0016e6dd6c22}]
\Shell\AutoRun\command - F:\AutoRun.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{20fb28ee-b16c-11dc-ba07-0016e6dd6c22}]
\Shell\AutoRun\command - F:\AutoRun.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{20fb28ef-b16c-11dc-ba07-0016e6dd6c22}]
\Shell\AutoRun\command - F:\AutoRun.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{20fb28f0-b16c-11dc-ba07-0016e6dd6c22}]
\Shell\AutoRun\command - F:\AutoRun.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{95e97ffa-b194-11dc-ba08-0016e6dd6c22}]
\Shell\AutoRun\command - F:\AutoRun.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c7452f04-b542-11dc-ba11-0016e6dd6c22}]
\Shell\AutoRun\command - F:\AutoRun.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c7452f05-b542-11dc-ba11-0016e6dd6c22}]
\Shell\AutoRun\command - F:\AutoRun.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ce375769-affc-11dc-b9fe-0016e6dd6c22}]
\Shell\AutoRun\command - F:\AutoRun.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ce37576b-affc-11dc-b9fe-0016e6dd6c22}]
\Shell\AutoRun\command - F:\AutoRun.exe
.
Contents of the 'Scheduled Tasks' folder
"2008-01-24 02:30:00 C:\WINDOWS\Tasks\RegClean Scheduled Scan.job"
- C:\Program Files\RegClean\RegClean.ex
- C:\Program Files\RegClean
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-24 14:43:47
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
