prosím o kontrolu logu
kerio mi detekuje opakovaně winlogon.exe. Co s tím? Děkuji.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:25:08, on 2.3.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Common Files\602phs\pdfSaver.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
C:\PROGRA~1\MYWEBS~1\bar\1.bin\m3SrchMn.exe
C:\WINDOWS\tsnpstd3.exe
C:\WINDOWS\vsnpstd3.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\antiviirus.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\PDF\pdfSaver\pdfSaver3.exe
C:\Program Files\QIP\qip.exe
C:\Program Files\uTorrent\utorrent.exe
C:\rsvlqer.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Skype\Plugin Manager\SkypePM.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\WINDOWS\System32\svchost.exe
C:\DOCUME~1\User\LOCALS~1\Temp\C32c7STp.exe
C:\Program Files\Opera\Opera.exe
C:\Documents and Settings\User\Dokumenty\Downloads\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.seznam.cz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O2 - BHO: SMSender.E.ToolbarsHelper - {24BCDA96-8FCB-4D3B-0500-000000000004} - mscoree.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: (no name) - {B3ADDB7B-3DF5-4672-82DD-775FFF180134} - C:\WINDOWS\system32\cbxvsqq.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: My Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
O3 - Toolbar: SMSender - {24BCDA96-8FCB-4D3B-0500-000000000003} - mscoree.dll (file missing)
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [602PC SUITE PDF Saver] "C:\Program Files\Common Files\602phs\pdfSaver.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ConMet] C:\Program Files\ConMet\ConMet.exe
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - HKLM\..\Run: [My Web Search Bar Search Scope Monitor] "C:\PROGRA~1\MYWEBS~1\bar\1.bin\m3SrchMn.exe" /m=2 /w
O4 - HKLM\..\Run: [tsnpstd3] C:\WINDOWS\tsnpstd3.exe
O4 - HKLM\..\Run: [snpstd3] C:\WINDOWS\vsnpstd3.exe
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [advap32] c:\stwojhwy.exe/r
O4 - HKLM\..\Run: [antiviirus] C:\Program Files\antiviirus.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [pdfSaver3] "c:\Program Files\PDF\pdfSaver\pdfSaver3.exe"
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - HKCU\..\Run: [QIP2005] C:\Program Files\QIP\qip.exe
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\utorrent.exe"
O4 - HKCU\..\Run: [WintelUpdate] C:\rsvlqer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Jádro Plánovače úloh SolidWorks.lnk = C:\Program Files\SolidWorks\swScheduler\swBOEngine.exe
O4 - Global Startup: Místní vyhledávání.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredi ... xdm080YYCZ
O8 - Extra context menu item: Poslat jako MMS - res://C:\Program Files\O2\SMSender\SMSender.E.dll/1001
O8 - Extra context menu item: Poslat jako SMS - res://C:\Program Files\O2\SMSender\SMSender.E.dll/1000
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocach ... 0.15-3.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: cbxvsqq - C:\WINDOWS\SYSTEM32\cbxvsqq.dll
O20 - Winlogon Notify: WLCtrl32 - C:\WINDOWS\SYSTEM32\WLCtrl32.dll
O20 - Winlogon Notify: xpspqdvd - C:\WINDOWS\system32\xpspqdvd.dll (file missing)
O21 - SSODL: CheckSys - {f34ec5b0-6389-4673-9877-7fd68ae32920} - C:\WINDOWS\Installer\{f34ec5b0-6389-4673-9877-7fd68ae32920}\CheckSys.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe
--
End of file - 9881 bytes
prosím o kontrolu. nevím si rady s winlogon.exe
Zdravím...
Pro začátek použijte SDFix podle tohoto návodu: http://www.paul27.ic.cz/navody.html#sd
+ odinstalujte MyWebSearch, není to zrovna důvěryhodný program.
Společně s jeho logem pošlete i nový HijackThis.
Pro začátek použijte SDFix podle tohoto návodu: http://www.paul27.ic.cz/navody.html#sd
+ odinstalujte MyWebSearch, není to zrovna důvěryhodný program.
Společně s jeho logem pošlete i nový HijackThis.
report z sdfix, odinstalován mywebsearch, nový hijackthis
děkuji za pomoc. provedl jsem uvedené kroky a kopíruji výpisy. Jak postupovat dál?
okna od keria s upozorněním na winlogon.exe vyskakují i nyní.
SDFix: Version 1.150
Run by User on ne 02.03.2008 at 19:24
Microsoft Windows XP [Verze 5.1.2600]
Running From: C:\SDFix
Checking Services :
Restoring Windows Registry Values
Restoring Windows Default Hosts File
Rebooting
Checking Files :
Trojan Files Found:
C:\WINDOWS\Installer\{f34ec5b0-6389-4673-9877-7fd68ae32920}\CheckSys.dll - Deleted
C:\Program Files\tmp33718.exe - Deleted
C:\Program Files\tmp37328.exe - Deleted
C:\Program Files\tmp38109.exe - Deleted
C:\Program Files\tmp38703.exe - Deleted
C:\Program Files\tmp42140.exe - Deleted
C:\Program Files\tmp5574953.exe - Deleted
C:\WINDOWS\system32\system.exe - Deleted
C:\WINDOWS\system32\WLCtrl32.dll - Deleted
Folder C:\WINDOWS\Installer\{f34ec5b0-6389-4673-9877-7fd68ae32920} - Removed
Removing Temp Files
ADS Check :
Final Check :
catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-02 19:33:21
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
IPC error: 2 Systém nemůže nalézt uvedený soubor.
scanning hidden services & system hive ...
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s1"=dword:ecffcbcc
"s2"=dword:990aedc3
"h0"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"h0"=dword:00000000
"khjeh"=hex:c9,5e,c5,9e,7e,8b,21,10,71,90,09,e7,81,7d,18,30,14,ca,f8,7b,53,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"h0"=dword:00000000
"khjeh"=hex:c9,5e,c5,9e,7e,8b,21,10,71,90,09,e7,81,7d,18,30,14,ca,f8,7b,53,..
scanning hidden registry entries ...
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\\f\1e]
"SlowInfoCache"=hex:28,02,00,00,01,00,00,00,00,a0,38,7f,00,00,00,00,f4,d3,5d,26,66,..
"Changed"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\\f\1t]
"SlowInfoCache"=hex:28,02,00,00,00,00,00,00,ff,ff,ff,ff,ff,ff,ff,ff,00,00,00,00,00,..
"Changed"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Cursors\Schemes]
"\f\1e?r?n?\xe9? ?u?k?a?z?a?t?e?l?e? ?"="C:\WINDOWS\cursors\arrow_r.cur,C:\WINDOWS\cursors\help_r.cur,C:\WINDOWS\cursors\wait_r.cur,C:\WINDOWS\cursors\busy_r.cur,C:\WINDOWS\cursors\cross_r.cur,C:\WINDOWS\cursors\beam_r.cur,C:\WINDOWS\cursors\pen_r.cur,C:\WINDOWS\cursors\no_r.cur,C:\WINDOWS\cursors\size4_r.cur,C:\WINDOWS\cursors\size3_r.cur,C:\WINDOWS\cursors\size2_r.cur,C:\WINDOWS\cursors\size1_r.cur,C:\WINDOWS\cursors\move_r.cur,C:\WINDOWS\cursors\up_r.cur"
"\f\1e?r?n?\xe9? ?u?k?a?z?a?t?e?l?e? ?(?v?e?l?k?\xe9?)?"="C:\WINDOWS\cursors\arrow_rm.cur,C:\WINDOWS\cursors\help_rm.cur,C:\WINDOWS\cursors\wait_rm.cur,C:\WINDOWS\cursors\busy_rm.cur,C:\WINDOWS\cursors\cross_rm.cur,C:\WINDOWS\cursors\beam_rm.cur,C:\WINDOWS\cursors\pen_rm.cur,C:\WINDOWS\cursors\no_rm.cur,C:\WINDOWS\cursors\size4_rm.cur,C:\WINDOWS\cursors\size3_rm.cur,C:\WINDOWS\cursors\size2_rm.cur,C:\WINDOWS\cursors\size1_rm.cur,C:\WINDOWS\cursors\move_rm.cur,C:\WINDOWS\cursors\up_rm.cur"
"\f\1e?r?n?\xe9? ?u?k?a?z?a?t?e?l?e? ?(?n?e?j?v?\e\1t?a\1\xed?)?"="C:\WINDOWS\cursors\arrow_rl.cur,C:\WINDOWS\cursors\help_rl.cur,C:\WINDOWS\cursors\wait_rl.cur,C:\WINDOWS\cursors\busy_rl.cur,C:\WINDOWS\cursors\cross_rl.cur,C:\WINDOWS\cursors\beam_rl.cur,C:\WINDOWS\cursors\pen_rl.cur,C:\WINDOWS\cursors\no_rl.cur,C:\WINDOWS\cursors\size4_rl.cur,C:\WINDOWS\cursors\size3_rl.cur,C:\WINDOWS\cursors\size2_rl.cur,C:\WINDOWS\cursors\size1_rl.cur,C:\WINDOWS\cursors\move_rl.cur,C:\WINDOWS\cursors\up_rl.cur"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\\f\1e]
"DisplayName"="\x010ce\x161tina do Commandos2"
"UninstallString"="c:\games\Commandos II\Smazat_CZ_p\x0159eklad.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\\f\1t]
"DisplayName"="\x10cty\x159ka 3.30"
"UninstallString"="C:\games\Ctyrka\unins000.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\\f\1e]
"Order"=hex:08,00,00,00,02,00,00,00,b4,00,00,00,01,00,00,00,01,00,00,00,a8,..
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\\f\1t]
"Order"=hex:08,00,00,00,02,00,00,00,a2,01,00,00,01,00,00,00,03,00,00,00,74,..
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0
Remaining Services :
Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
Remaining Files :
File Backups: - C:\SDFix\backups\backups.zip
Files with Hidden Attributes :
Tue 3 Feb 2004 3,198,976 A..HR --- "C:\games\JoWooD\SpellForce\ar.exe"
Sat 28 Apr 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Thu 28 Feb 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\523d056929e13eacf8392044f602e53e\BIT4.tmp"
Thu 28 Feb 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\afa5528a2269b5106016bdbc1ea3037f\BIT3.tmp"
Thu 24 Jan 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\f7db876e78b88fd8276fd7d29cb7e4eb\BIT1.tmp"
Wed 6 Feb 2008 1,301 ...HR --- "C:\Documents and Settings\User\Data aplikacˇ\SecuROM\UserData\securom_v7_01.bak"
Finished!
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:43:29, on 2.3.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Common Files\602phs\pdfSaver.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\tsnpstd3.exe
C:\WINDOWS\vsnpstd3.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\DOCUME~1\User\LOCALS~1\Temp\7j24kp53.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\PDF\pdfSaver\pdfSaver3.exe
C:\Program Files\QIP\qip.exe
C:\Program Files\uTorrent\utorrent.exe
C:\DOCUME~1\User\LOCALS~1\Temp\WY28GepY.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Skype\Plugin Manager\SkypePM.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Program Files\Opera\Opera.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\User\Dokumenty\Downloads\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.seznam.cz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O2 - BHO: SMSender.E.ToolbarsHelper - {24BCDA96-8FCB-4D3B-0500-000000000004} - mscoree.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: (no name) - {B3ADDB7B-3DF5-4672-82DD-775FFF180134} - C:\WINDOWS\system32\cbxvsqq.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: SMSender - {24BCDA96-8FCB-4D3B-0500-000000000003} - mscoree.dll (file missing)
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [602PC SUITE PDF Saver] "C:\Program Files\Common Files\602phs\pdfSaver.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ConMet] C:\Program Files\ConMet\ConMet.exe
O4 - HKLM\..\Run: [tsnpstd3] C:\WINDOWS\tsnpstd3.exe
O4 - HKLM\..\Run: [snpstd3] C:\WINDOWS\vsnpstd3.exe
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [advap32] c:\stwojhwy.exe/r
O4 - HKLM\..\Run: [antiviirus] C:\Program Files\antiviirus.exe
O4 - HKLM\..\RunOnce: [MyWebSearch bar Uninstall] rundll32 C:\PROGRA~1\UNINST~1.DLL,O -2
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [pdfSaver3] "c:\Program Files\PDF\pdfSaver\pdfSaver3.exe"
O4 - HKCU\..\Run: [QIP2005] C:\Program Files\QIP\qip.exe
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\utorrent.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Jádro Plánovače úloh SolidWorks.lnk = C:\Program Files\SolidWorks\swScheduler\swBOEngine.exe
O4 - Global Startup: Místní vyhledávání.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredi ... xdm080YYCZ
O8 - Extra context menu item: Poslat jako MMS - res://C:\Program Files\O2\SMSender\SMSender.E.dll/1001
O8 - Extra context menu item: Poslat jako SMS - res://C:\Program Files\O2\SMSender\SMSender.E.dll/1000
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocach ... 0.15-3.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: cbxvsqq - C:\WINDOWS\SYSTEM32\cbxvsqq.dll
O20 - Winlogon Notify: xpspqdvd - C:\WINDOWS\system32\xpspqdvd.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe
O23 - Service: SQL Server VSS Writer (SQLWriter) - Unknown owner - c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe (file missing)
--
End of file - 9056 bytes
okna od keria s upozorněním na winlogon.exe vyskakují i nyní.
SDFix: Version 1.150
Run by User on ne 02.03.2008 at 19:24
Microsoft Windows XP [Verze 5.1.2600]
Running From: C:\SDFix
Checking Services :
Restoring Windows Registry Values
Restoring Windows Default Hosts File
Rebooting
Checking Files :
Trojan Files Found:
C:\WINDOWS\Installer\{f34ec5b0-6389-4673-9877-7fd68ae32920}\CheckSys.dll - Deleted
C:\Program Files\tmp33718.exe - Deleted
C:\Program Files\tmp37328.exe - Deleted
C:\Program Files\tmp38109.exe - Deleted
C:\Program Files\tmp38703.exe - Deleted
C:\Program Files\tmp42140.exe - Deleted
C:\Program Files\tmp5574953.exe - Deleted
C:\WINDOWS\system32\system.exe - Deleted
C:\WINDOWS\system32\WLCtrl32.dll - Deleted
Folder C:\WINDOWS\Installer\{f34ec5b0-6389-4673-9877-7fd68ae32920} - Removed
Removing Temp Files
ADS Check :
Final Check :
catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-02 19:33:21
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
IPC error: 2 Systém nemůže nalézt uvedený soubor.
scanning hidden services & system hive ...
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s1"=dword:ecffcbcc
"s2"=dword:990aedc3
"h0"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"h0"=dword:00000000
"khjeh"=hex:c9,5e,c5,9e,7e,8b,21,10,71,90,09,e7,81,7d,18,30,14,ca,f8,7b,53,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"h0"=dword:00000000
"khjeh"=hex:c9,5e,c5,9e,7e,8b,21,10,71,90,09,e7,81,7d,18,30,14,ca,f8,7b,53,..
scanning hidden registry entries ...
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\\f\1e]
"SlowInfoCache"=hex:28,02,00,00,01,00,00,00,00,a0,38,7f,00,00,00,00,f4,d3,5d,26,66,..
"Changed"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\\f\1t]
"SlowInfoCache"=hex:28,02,00,00,00,00,00,00,ff,ff,ff,ff,ff,ff,ff,ff,00,00,00,00,00,..
"Changed"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Cursors\Schemes]
"\f\1e?r?n?\xe9? ?u?k?a?z?a?t?e?l?e? ?"="C:\WINDOWS\cursors\arrow_r.cur,C:\WINDOWS\cursors\help_r.cur,C:\WINDOWS\cursors\wait_r.cur,C:\WINDOWS\cursors\busy_r.cur,C:\WINDOWS\cursors\cross_r.cur,C:\WINDOWS\cursors\beam_r.cur,C:\WINDOWS\cursors\pen_r.cur,C:\WINDOWS\cursors\no_r.cur,C:\WINDOWS\cursors\size4_r.cur,C:\WINDOWS\cursors\size3_r.cur,C:\WINDOWS\cursors\size2_r.cur,C:\WINDOWS\cursors\size1_r.cur,C:\WINDOWS\cursors\move_r.cur,C:\WINDOWS\cursors\up_r.cur"
"\f\1e?r?n?\xe9? ?u?k?a?z?a?t?e?l?e? ?(?v?e?l?k?\xe9?)?"="C:\WINDOWS\cursors\arrow_rm.cur,C:\WINDOWS\cursors\help_rm.cur,C:\WINDOWS\cursors\wait_rm.cur,C:\WINDOWS\cursors\busy_rm.cur,C:\WINDOWS\cursors\cross_rm.cur,C:\WINDOWS\cursors\beam_rm.cur,C:\WINDOWS\cursors\pen_rm.cur,C:\WINDOWS\cursors\no_rm.cur,C:\WINDOWS\cursors\size4_rm.cur,C:\WINDOWS\cursors\size3_rm.cur,C:\WINDOWS\cursors\size2_rm.cur,C:\WINDOWS\cursors\size1_rm.cur,C:\WINDOWS\cursors\move_rm.cur,C:\WINDOWS\cursors\up_rm.cur"
"\f\1e?r?n?\xe9? ?u?k?a?z?a?t?e?l?e? ?(?n?e?j?v?\e\1t?a\1\xed?)?"="C:\WINDOWS\cursors\arrow_rl.cur,C:\WINDOWS\cursors\help_rl.cur,C:\WINDOWS\cursors\wait_rl.cur,C:\WINDOWS\cursors\busy_rl.cur,C:\WINDOWS\cursors\cross_rl.cur,C:\WINDOWS\cursors\beam_rl.cur,C:\WINDOWS\cursors\pen_rl.cur,C:\WINDOWS\cursors\no_rl.cur,C:\WINDOWS\cursors\size4_rl.cur,C:\WINDOWS\cursors\size3_rl.cur,C:\WINDOWS\cursors\size2_rl.cur,C:\WINDOWS\cursors\size1_rl.cur,C:\WINDOWS\cursors\move_rl.cur,C:\WINDOWS\cursors\up_rl.cur"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\\f\1e]
"DisplayName"="\x010ce\x161tina do Commandos2"
"UninstallString"="c:\games\Commandos II\Smazat_CZ_p\x0159eklad.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\\f\1t]
"DisplayName"="\x10cty\x159ka 3.30"
"UninstallString"="C:\games\Ctyrka\unins000.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\\f\1e]
"Order"=hex:08,00,00,00,02,00,00,00,b4,00,00,00,01,00,00,00,01,00,00,00,a8,..
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\\f\1t]
"Order"=hex:08,00,00,00,02,00,00,00,a2,01,00,00,01,00,00,00,03,00,00,00,74,..
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0
Remaining Services :
Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
Remaining Files :
File Backups: - C:\SDFix\backups\backups.zip
Files with Hidden Attributes :
Tue 3 Feb 2004 3,198,976 A..HR --- "C:\games\JoWooD\SpellForce\ar.exe"
Sat 28 Apr 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Thu 28 Feb 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\523d056929e13eacf8392044f602e53e\BIT4.tmp"
Thu 28 Feb 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\afa5528a2269b5106016bdbc1ea3037f\BIT3.tmp"
Thu 24 Jan 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\f7db876e78b88fd8276fd7d29cb7e4eb\BIT1.tmp"
Wed 6 Feb 2008 1,301 ...HR --- "C:\Documents and Settings\User\Data aplikacˇ\SecuROM\UserData\securom_v7_01.bak"
Finished!
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:43:29, on 2.3.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Common Files\602phs\pdfSaver.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\tsnpstd3.exe
C:\WINDOWS\vsnpstd3.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\DOCUME~1\User\LOCALS~1\Temp\7j24kp53.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\PDF\pdfSaver\pdfSaver3.exe
C:\Program Files\QIP\qip.exe
C:\Program Files\uTorrent\utorrent.exe
C:\DOCUME~1\User\LOCALS~1\Temp\WY28GepY.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Skype\Plugin Manager\SkypePM.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Program Files\Opera\Opera.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\User\Dokumenty\Downloads\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.seznam.cz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O2 - BHO: SMSender.E.ToolbarsHelper - {24BCDA96-8FCB-4D3B-0500-000000000004} - mscoree.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: (no name) - {B3ADDB7B-3DF5-4672-82DD-775FFF180134} - C:\WINDOWS\system32\cbxvsqq.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: SMSender - {24BCDA96-8FCB-4D3B-0500-000000000003} - mscoree.dll (file missing)
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [602PC SUITE PDF Saver] "C:\Program Files\Common Files\602phs\pdfSaver.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ConMet] C:\Program Files\ConMet\ConMet.exe
O4 - HKLM\..\Run: [tsnpstd3] C:\WINDOWS\tsnpstd3.exe
O4 - HKLM\..\Run: [snpstd3] C:\WINDOWS\vsnpstd3.exe
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [advap32] c:\stwojhwy.exe/r
O4 - HKLM\..\Run: [antiviirus] C:\Program Files\antiviirus.exe
O4 - HKLM\..\RunOnce: [MyWebSearch bar Uninstall] rundll32 C:\PROGRA~1\UNINST~1.DLL,O -2
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [pdfSaver3] "c:\Program Files\PDF\pdfSaver\pdfSaver3.exe"
O4 - HKCU\..\Run: [QIP2005] C:\Program Files\QIP\qip.exe
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\utorrent.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Jádro Plánovače úloh SolidWorks.lnk = C:\Program Files\SolidWorks\swScheduler\swBOEngine.exe
O4 - Global Startup: Místní vyhledávání.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredi ... xdm080YYCZ
O8 - Extra context menu item: Poslat jako MMS - res://C:\Program Files\O2\SMSender\SMSender.E.dll/1001
O8 - Extra context menu item: Poslat jako SMS - res://C:\Program Files\O2\SMSender\SMSender.E.dll/1000
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocach ... 0.15-3.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: cbxvsqq - C:\WINDOWS\SYSTEM32\cbxvsqq.dll
O20 - Winlogon Notify: xpspqdvd - C:\WINDOWS\system32\xpspqdvd.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe
O23 - Service: SQL Server VSS Writer (SQLWriter) - Unknown owner - c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe (file missing)
--
End of file - 9056 bytes
Ještě to není dobrý. Přizveme silnějšího pomocníka, ale než se pustíte do scanu, tak prosím vyčistěte pc s CCleanerem, více třeba zde: http://www.paul27.ic.cz/navody_3.html#cc
No a potom to projeďte ComboFixem podle tohoto návodu:
Stáhněte a uložte na plochu ComboFix: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
Spusťte aplikaci pod účtem s administrátorským oprávněním - zavřete všechny spuštěné programy - následuje licenční ujednání, klikněte na Ano - začne se testovat (celá akce trvá cca. 5-10 minut, někdy i trochu déle) - během skenu se nepokoušejte spouštět žádne jiné aplikace a neklikejte do okna ComboFixu - po dokončení se automaticky otevře okno poznámkového bloku s textem (pokud se tak nestane, log je v C:\ComboFix.txt), který sem pomocí známých klávesových zkratek Ctrl + A (označení celého textu) -> Ctrl + C (uložení do jakési schránky) -> Ctrl + V (vložení textu) zkopírujte - a počkejte na další postup
VAROVÁNÍ: Pokud se vám zobrazí "CRITICAL WARNING !!" nesmíte restartovat počítač, o varování napište.
VAROVÁNÍ2: Je možné, že při testu budou různé bezpečnostní programy hlásit neoprávněný pokus o smazání daného souboru či něco jiného. Povolte jejich případné dotazy nebo na dobu scanu úplně vypněte rezidentní modul daného programu.
No a potom to projeďte ComboFixem podle tohoto návodu:
Stáhněte a uložte na plochu ComboFix: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
Spusťte aplikaci pod účtem s administrátorským oprávněním - zavřete všechny spuštěné programy - následuje licenční ujednání, klikněte na Ano - začne se testovat (celá akce trvá cca. 5-10 minut, někdy i trochu déle) - během skenu se nepokoušejte spouštět žádne jiné aplikace a neklikejte do okna ComboFixu - po dokončení se automaticky otevře okno poznámkového bloku s textem (pokud se tak nestane, log je v C:\ComboFix.txt), který sem pomocí známých klávesových zkratek Ctrl + A (označení celého textu) -> Ctrl + C (uložení do jakési schránky) -> Ctrl + V (vložení textu) zkopírujte - a počkejte na další postup
VAROVÁNÍ: Pokud se vám zobrazí "CRITICAL WARNING !!" nesmíte restartovat počítač, o varování napište.
VAROVÁNÍ2: Je možné, že při testu budou různé bezpečnostní programy hlásit neoprávněný pokus o smazání daného souboru či něco jiného. Povolte jejich případné dotazy nebo na dobu scanu úplně vypněte rezidentní modul daného programu.
provedeno dle návodu
během scanu vyskočilo opět okno Keria ale snad scan proběhl jak měl a log vyskočil sám.
ComboFix 08-03-03.4 - User 2008-03-02 21:15:01.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1250.1.1029.18.1362 [GMT 1:00]
Running from: C:\Documents and Settings\User\Dokumenty\Downloads\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Program Files\FunWebProducts
C:\Program Files\FunWebProducts\ScreenSaver\Images\027E6EF7.urr
C:\Program Files\FunWebProducts\ScreenSaver\Images\028115DB.urr
C:\Program Files\FunWebProducts\ScreenSaver\Images\02815601.dat
C:\Program Files\FunWebProducts\ScreenSaver\Images\wrkparam.lst
C:\Program Files\internet explorer\msimg32.dll
C:\Program Files\MyWebSearch
C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
C:\Program Files\MyWebSearch\bar\1.bin\MWSOESTB.DLL
C:\Program Files\MyWebSearch\bar\History\search2
C:\Program Files\MyWebSearch\bar\Settings\s_pid.dat
C:\Program Files\MyWebSearch\bar\Settings\setting2.htm
C:\Program Files\MyWebSearch\bar\Settings\settings.dat
C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
C:\Program Files\Uninstall Fun Web Products.dll
C:\WINDOWS\system32\cbxvsqq.dll
.
((((((((((((((((((((((((( Files Created from 2008-02-03 to 2008-03-03 )))))))))))))))))))))))))))))))
.
2008-03-03 21:22 . 2008-03-03 21:22 16,628 --a------ C:\Program Files\tmp60953.exe
2008-03-03 21:21 . 2008-03-03 21:21 11,776 --a------ C:\WINDOWS\system32\WLCtrl32.dll
2008-03-02 21:02 . 2008-03-02 21:02 <DIR> d-------- C:\Program Files\CCleaner
2008-03-02 19:39 . 2008-03-02 19:39 16,496 --a------ C:\Program Files\tmp473812.exe
2008-03-02 19:32 . 2008-03-02 19:32 11,776 --a------ C:\WINDOWS\system32\WLCtrl32.dl_
2008-03-02 19:21 . 2008-03-02 19:22 <DIR> d-------- C:\WINDOWS\ERUNT
2008-03-02 19:20 . 2008-03-02 19:20 163 --a------ C:\WINDOWS\system32\drivers\fwdrv.err
2008-03-02 18:59 . 2008-03-02 19:39 <DIR> d-------- C:\SDFix
2008-03-02 18:58 . 2008-03-02 18:58 1,312,273 --a------ C:\SDFix.exe
2008-03-02 18:48 . 2008-03-02 18:49 1,312,273 --a------ C:\default
2008-03-02 17:18 . 2008-03-02 17:18 <DIR> d-------- C:\Program Files\Sunbelt Software
2008-03-02 16:36 . 2008-03-02 16:36 26,240 --a------ C:\WINDOWS\system32\drivers\Fms64.sys
2008-03-02 16:19 . 2008-03-02 16:19 <DIR> d-------- C:\Program Files\Ashampoo
2008-03-02 16:11 . 2008-03-02 16:11 11,968 --a------ C:\Program Files\antiviirus.exe
2008-03-02 16:10 . 2008-03-02 11:22 352,256 --a------ C:\WINDOWS\btrklfr.dll
2008-03-02 16:10 . 2008-03-02 11:22 315,392 --a------ C:\WINDOWS\apdqnxp.dll
2008-03-02 16:10 . 2008-03-02 16:10 47 --a------ C:\amp.bat
2008-03-02 14:48 . 2008-03-02 14:48 52,236 --a------ C:\rsvlqer.exe
2008-03-02 14:48 . 2008-03-02 16:09 11,776 --a------ C:\stwojhwy.exe
2008-03-01 14:16 . 2008-03-02 14:38 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2008-03-01 13:47 . 2008-03-01 13:47 <DIR> d-------- C:\Program Files\MagicISO
2008-02-27 15:52 . 2008-02-27 15:52 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\DATAAP~1\DassaultSystemes
2008-02-27 15:45 . 2008-02-27 15:45 0 --a------ C:\WINDOWS\eDrawingOfficeAutomator.INI
2008-02-27 15:43 . 2008-02-27 15:58 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-02-27 15:43 . 2008-02-27 15:43 23 --ah----- C:\WINDOWS\yacht.xws
2008-02-27 15:39 . 2008-02-27 15:39 <DIR> d-------- C:\WINDOWS\system32\GroupPolicy
2008-02-27 15:39 . 2008-02-27 15:44 <DIR> d-------- C:\Program Files\Solidworks Data
2008-02-27 15:39 . 2008-02-27 16:02 <DIR> d-------- C:\Program Files\SolidWorks
2008-02-27 15:39 . 2008-02-27 16:02 <DIR> d-------- C:\Program Files\Common Files\SolidWorks Shared
2008-02-27 15:39 . 2008-02-27 15:39 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\DATAAP~1\SolidWorks
2008-02-27 15:38 . 2008-02-27 15:38 <DIR> d-------- C:\Program Files\Windows Desktop Search
2008-02-27 15:13 . 2008-02-27 15:13 <DIR> d-------- C:\Program Files\MSBuild
2008-02-27 15:11 . 2008-02-27 15:11 <DIR> d-------- C:\WINDOWS\system32\XPSViewer
2008-02-27 15:10 . 2008-02-27 15:10 <DIR> d-------- C:\Program Files\Reference Assemblies
2008-02-27 15:10 . 2006-06-29 13:07 14,048 --------- C:\WINDOWS\system32\spmsg2.dll
2008-02-27 15:09 . 2008-02-27 15:09 <DIR> d-------- C:\Program Files\MSECache
2008-02-27 14:55 . 2008-02-27 14:55 <DIR> d-------- C:\Program Files\PowerISO
2008-02-21 21:40 . 2008-03-02 17:53 <DIR> d-------- C:\Program Files\Opera
2008-02-15 19:07 . 2008-02-15 19:12 2,359,350 --a------ C:\WINDOWS\ACD Wallpaper.bmp
2008-02-06 21:25 . 2008-02-06 21:25 <DIR> d-------- C:\WINDOWS\system32\URTTEMP
2008-02-06 21:24 . 2008-03-01 17:07 669,184 --a------ C:\WINDOWS\system32\pbsvc.exe
2008-02-06 21:24 . 2008-03-01 17:07 103,736 --a------ C:\WINDOWS\system32\PnkBstrB.exe
2008-02-06 21:24 . 2008-03-01 17:07 66,872 --a------ C:\WINDOWS\system32\PnkBstrA.exe
2008-02-06 21:24 . 2008-03-01 17:07 22,328 --a------ C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-02-06 20:38 . 2008-02-06 20:38 <DIR> d-------- C:\Program Files\totalcmd
2008-02-06 20:38 . 2008-02-26 21:00 1,592 --a------ C:\WINDOWS\wincmd.ini
2008-02-06 20:38 . 2007-09-14 07:02 545 --a------ C:\WINDOWS\UC.PIF
2008-02-06 20:38 . 2007-09-14 07:02 545 --a------ C:\WINDOWS\RAR.PIF
2008-02-06 20:38 . 2007-09-14 07:02 545 --a------ C:\WINDOWS\PKZIP.PIF
2008-02-06 20:38 . 2007-09-14 07:02 545 --a------ C:\WINDOWS\PKUNZIP.PIF
2008-02-06 20:38 . 2007-09-14 07:02 545 --a------ C:\WINDOWS\NOCLOSE.PIF
2008-02-06 20:38 . 2007-09-14 07:02 545 --a------ C:\WINDOWS\LHA.PIF
2008-02-06 20:38 . 2007-09-14 07:02 545 --a------ C:\WINDOWS\ARJ.PIF
2008-02-03 20:48 . 2007-07-19 18:14 3,727,720 --a------ C:\WINDOWS\system32\d3dx9_35.dll
2008-02-03 20:48 . 2007-07-19 18:14 1,358,192 --a------ C:\WINDOWS\system32\D3DCompiler_35.dll
2008-02-03 20:48 . 2007-07-19 18:14 444,776 --a------ C:\WINDOWS\system32\d3dx10_35.dll
2008-02-03 20:48 . 2007-07-20 00:57 267,112 --a------ C:\WINDOWS\system32\xactengine2_9.dll
2008-02-03 20:39 . 2008-02-03 20:48 <DIR> d-------- C:\Program Files\Zaklˇnaź
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-02 16:31 --------- d-----w C:\DOCUME~1\ALLUSE~1\DATAAP~1\avg7
2008-02-27 15:03 --------- d-----w C:\Program Files\SpeedFan
2008-02-27 14:55 --------- d-----w C:\Program Files\Software2000
2008-02-17 22:53 --------- d-----w C:\Program Files\Cool CENZURA
2008-02-07 20:15 --------- d-----w C:\Program Files\EA SPORTS
2008-02-06 20:19 --------- d-----w C:\Program Files\Electronic Arts
2008-02-03 19:48 278,984 ----a-w C:\WINDOWS\system32\drivers\atksgt.sys
2008-02-03 19:48 --------- d-----w C:\Program Files\Zaklínač
2008-02-03 19:39 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-31 18:50 --------- d-----w C:\Program Files\ElcomSoft
2008-01-31 18:38 --------- d-----w C:\Program Files\RAR Password Cracker
2008-01-31 16:54 --------- d-----w C:\Program Files\THQ
2008-01-27 21:56 107,888 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2008-01-26 23:31 --------- d-----w C:\Program Files\uTorrent
2008-01-20 07:07 33,292 ----a-w C:\WINDOWS\system32\drivers\scdemu.sys
2008-01-16 16:20 52,736 ----a-w C:\WINDOWS\ipuninst.exe
2008-01-16 16:18 --------- d-----w C:\Program Files\BlackIsle
2008-01-08 19:00 --------- d-----w C:\Program Files\Pixia
2008-01-08 18:54 --------- d-----w C:\Program Files\GIMP-2.0
2008-01-08 15:25 --------- d-----w C:\Program Files\Activision
2008-01-07 21:17 --------- d-----w C:\Program Files\JoWooD Productions Software AG
2008-01-07 15:40 --------- d-----w C:\Program Files\ParadisePoker
2008-01-02 10:13 197,120 ----a-w C:\WINDOWS\system32\FHMcom_OxleyStrip.scr
2007-12-07 02:14 824,832 ----a-w C:\WINDOWS\system32\wininet.dll
2007-12-04 18:41 550,912 ------w C:\WINDOWS\system32\oleaut32.dll
2007-09-23 21:32 4,687,304 ----a-w C:\Program Files\paradisepoker_com_cs.exe
2007-01-14 21:00 1 ----a-w C:\Documents and Settings\User\SI.bin
2005-08-08 00:41 35,328 ----a-w C:\Program Files\usb_format.exe
2002-05-27 08:25 295,424 ----a-w C:\Program Files\SubtitleToolCZ.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{24BCDA96-8FCB-4D3B-0500-000000000004}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2006-03-02 13:00 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 17:24 1694208]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2006-12-18 17:32 25365032]
"pdfSaver3"="c:\Program Files\PDF\pdfSaver\pdfSaver3.exe" [2004-05-19 14:29 385024]
"QIP2005"="C:\Program Files\QIP\qip.exe" [2007-11-16 14:17 3264512]
"uTorrent"="C:\Program Files\uTorrent\utorrent.exe" [2008-01-26 18:02 219952]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SkyTel"="SkyTel.EXE" [2006-05-16 11:04 2879488 C:\WINDOWS\SkyTel.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-08-11 14:43 7630848]
"nwiz"="nwiz.exe" [2006-08-11 14:43 1519616 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-08-11 14:43 86016]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"RTHDCPL"="RTHDCPL.EXE" [2006-06-28 07:54 16248320 C:\WINDOWS\RTHDCPL.exe]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2007-12-21 15:21 579072]
"pdfSaver3"="" []
"602PC SUITE PDF Saver"="C:\Program Files\Common Files\602phs\pdfSaver.exe" [2005-08-31 16:00 49152]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2004-06-16 05:03 221184]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-06-16 05:03 81920]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2005-10-18 10:58 278528]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-16 17:44 155648]
"ConMet"="C:\Program Files\ConMet\ConMet.exe" [ ]
"tsnpstd3"="C:\WINDOWS\tsnpstd3.exe" [2006-07-07 15:04 262144]
"snpstd3"="C:\WINDOWS\vsnpstd3.exe" [2006-09-18 14:12 843776]
"PWRISOVM.EXE"="C:\Program Files\PowerISO\PWRISOVM.EXE" [2008-01-20 08:05 217088]
"advap32"="c:\stwojhwy.exe/r" [ ]
"antiviirus"="C:\Program Files\antiviirus.exe" [2008-03-02 16:11 11968]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2006-03-02 13:00 15360]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe" [2007-10-23 13:58 219136]
C:\DOCUME~1\ALLUSE~1\NABDKA~1\Programy\POSPUT~1\
Mˇstnˇ vyhled v nˇ.lnk - C:\Program Files\Windows Desktop Search\WindowsSearch.exe [2007-02-05 15:40:46 118784]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [2007-02-05 15:39 294400]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WLCtrl32]
WLCtrl32.dll 2008-03-03 21:21 11776 C:\WINDOWS\system32\WLCtrl32.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xpspqdvd]
C:\WINDOWS\system32\xpspqdvd.dll
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\uTorrent\\utorrent.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
R1 fwdrv;Firewall Driver;C:\WINDOWS\system32\drivers\fwdrv.sys [2007-02-20 13:34]
R1 khips;Kerio HIPS Driver;C:\WINDOWS\system32\drivers\khips.sys [2007-02-20 13:34]
R3 PSched;Plánovač paketů technologie QoS;C:\WINDOWS\system32\DRIVERS\psched.sys [2006-03-02 13:00]
R3 usbccgp;Obecný nadřazený ovladač Microsoft USB;C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2004-08-03 23:08]
R3 usbohci;Ovladač Miniport otevřeného hostitelského řadiče Microsoft USB;C:\WINDOWS\system32\DRIVERS\usbohci.sys [2006-03-02 13:00]
S0 Hou85;Hou85;C:\WINDOWS\system32\Drivers\Hou85.sys []
S0 Pwd74;Pwd74;C:\WINDOWS\system32\Drivers\Pwd74.sys []
S3 hamachi_oem;PlayLinc Adapter;C:\WINDOWS\system32\DRIVERS\gan_adapter.sys [2006-08-28 23:54]
S3 SetupNTGLM7X;SetupNTGLM7X;D:\NTGLM7X.sys []
S3 USBSTOR;Ovladač velkokapacitního paměťového zařízení USB;C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-03 23:08]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{23146296-69c9-11dc-a3cc-001617ba045b}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-03 21:21:53
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\WLCtrl32.dll
.
------------------------ Other Running Processes ------------------------
.
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\DOCUME~1\User\LOCALS~1\Temp\UUAIzguX.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\WINDOWS\system32\SearchFilterHost.exe
.
**************************************************************************
.
Completion time: 2008-03-03 21:26:38 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-03 20:26:31
.
2008-02-28 20:30:44 --- E O F ---
ComboFix 08-03-03.4 - User 2008-03-02 21:15:01.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1250.1.1029.18.1362 [GMT 1:00]
Running from: C:\Documents and Settings\User\Dokumenty\Downloads\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Program Files\FunWebProducts
C:\Program Files\FunWebProducts\ScreenSaver\Images\027E6EF7.urr
C:\Program Files\FunWebProducts\ScreenSaver\Images\028115DB.urr
C:\Program Files\FunWebProducts\ScreenSaver\Images\02815601.dat
C:\Program Files\FunWebProducts\ScreenSaver\Images\wrkparam.lst
C:\Program Files\internet explorer\msimg32.dll
C:\Program Files\MyWebSearch
C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
C:\Program Files\MyWebSearch\bar\1.bin\MWSOESTB.DLL
C:\Program Files\MyWebSearch\bar\History\search2
C:\Program Files\MyWebSearch\bar\Settings\s_pid.dat
C:\Program Files\MyWebSearch\bar\Settings\setting2.htm
C:\Program Files\MyWebSearch\bar\Settings\settings.dat
C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
C:\Program Files\Uninstall Fun Web Products.dll
C:\WINDOWS\system32\cbxvsqq.dll
.
((((((((((((((((((((((((( Files Created from 2008-02-03 to 2008-03-03 )))))))))))))))))))))))))))))))
.
2008-03-03 21:22 . 2008-03-03 21:22 16,628 --a------ C:\Program Files\tmp60953.exe
2008-03-03 21:21 . 2008-03-03 21:21 11,776 --a------ C:\WINDOWS\system32\WLCtrl32.dll
2008-03-02 21:02 . 2008-03-02 21:02 <DIR> d-------- C:\Program Files\CCleaner
2008-03-02 19:39 . 2008-03-02 19:39 16,496 --a------ C:\Program Files\tmp473812.exe
2008-03-02 19:32 . 2008-03-02 19:32 11,776 --a------ C:\WINDOWS\system32\WLCtrl32.dl_
2008-03-02 19:21 . 2008-03-02 19:22 <DIR> d-------- C:\WINDOWS\ERUNT
2008-03-02 19:20 . 2008-03-02 19:20 163 --a------ C:\WINDOWS\system32\drivers\fwdrv.err
2008-03-02 18:59 . 2008-03-02 19:39 <DIR> d-------- C:\SDFix
2008-03-02 18:58 . 2008-03-02 18:58 1,312,273 --a------ C:\SDFix.exe
2008-03-02 18:48 . 2008-03-02 18:49 1,312,273 --a------ C:\default
2008-03-02 17:18 . 2008-03-02 17:18 <DIR> d-------- C:\Program Files\Sunbelt Software
2008-03-02 16:36 . 2008-03-02 16:36 26,240 --a------ C:\WINDOWS\system32\drivers\Fms64.sys
2008-03-02 16:19 . 2008-03-02 16:19 <DIR> d-------- C:\Program Files\Ashampoo
2008-03-02 16:11 . 2008-03-02 16:11 11,968 --a------ C:\Program Files\antiviirus.exe
2008-03-02 16:10 . 2008-03-02 11:22 352,256 --a------ C:\WINDOWS\btrklfr.dll
2008-03-02 16:10 . 2008-03-02 11:22 315,392 --a------ C:\WINDOWS\apdqnxp.dll
2008-03-02 16:10 . 2008-03-02 16:10 47 --a------ C:\amp.bat
2008-03-02 14:48 . 2008-03-02 14:48 52,236 --a------ C:\rsvlqer.exe
2008-03-02 14:48 . 2008-03-02 16:09 11,776 --a------ C:\stwojhwy.exe
2008-03-01 14:16 . 2008-03-02 14:38 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2008-03-01 13:47 . 2008-03-01 13:47 <DIR> d-------- C:\Program Files\MagicISO
2008-02-27 15:52 . 2008-02-27 15:52 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\DATAAP~1\DassaultSystemes
2008-02-27 15:45 . 2008-02-27 15:45 0 --a------ C:\WINDOWS\eDrawingOfficeAutomator.INI
2008-02-27 15:43 . 2008-02-27 15:58 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-02-27 15:43 . 2008-02-27 15:43 23 --ah----- C:\WINDOWS\yacht.xws
2008-02-27 15:39 . 2008-02-27 15:39 <DIR> d-------- C:\WINDOWS\system32\GroupPolicy
2008-02-27 15:39 . 2008-02-27 15:44 <DIR> d-------- C:\Program Files\Solidworks Data
2008-02-27 15:39 . 2008-02-27 16:02 <DIR> d-------- C:\Program Files\SolidWorks
2008-02-27 15:39 . 2008-02-27 16:02 <DIR> d-------- C:\Program Files\Common Files\SolidWorks Shared
2008-02-27 15:39 . 2008-02-27 15:39 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\DATAAP~1\SolidWorks
2008-02-27 15:38 . 2008-02-27 15:38 <DIR> d-------- C:\Program Files\Windows Desktop Search
2008-02-27 15:13 . 2008-02-27 15:13 <DIR> d-------- C:\Program Files\MSBuild
2008-02-27 15:11 . 2008-02-27 15:11 <DIR> d-------- C:\WINDOWS\system32\XPSViewer
2008-02-27 15:10 . 2008-02-27 15:10 <DIR> d-------- C:\Program Files\Reference Assemblies
2008-02-27 15:10 . 2006-06-29 13:07 14,048 --------- C:\WINDOWS\system32\spmsg2.dll
2008-02-27 15:09 . 2008-02-27 15:09 <DIR> d-------- C:\Program Files\MSECache
2008-02-27 14:55 . 2008-02-27 14:55 <DIR> d-------- C:\Program Files\PowerISO
2008-02-21 21:40 . 2008-03-02 17:53 <DIR> d-------- C:\Program Files\Opera
2008-02-15 19:07 . 2008-02-15 19:12 2,359,350 --a------ C:\WINDOWS\ACD Wallpaper.bmp
2008-02-06 21:25 . 2008-02-06 21:25 <DIR> d-------- C:\WINDOWS\system32\URTTEMP
2008-02-06 21:24 . 2008-03-01 17:07 669,184 --a------ C:\WINDOWS\system32\pbsvc.exe
2008-02-06 21:24 . 2008-03-01 17:07 103,736 --a------ C:\WINDOWS\system32\PnkBstrB.exe
2008-02-06 21:24 . 2008-03-01 17:07 66,872 --a------ C:\WINDOWS\system32\PnkBstrA.exe
2008-02-06 21:24 . 2008-03-01 17:07 22,328 --a------ C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-02-06 20:38 . 2008-02-06 20:38 <DIR> d-------- C:\Program Files\totalcmd
2008-02-06 20:38 . 2008-02-26 21:00 1,592 --a------ C:\WINDOWS\wincmd.ini
2008-02-06 20:38 . 2007-09-14 07:02 545 --a------ C:\WINDOWS\UC.PIF
2008-02-06 20:38 . 2007-09-14 07:02 545 --a------ C:\WINDOWS\RAR.PIF
2008-02-06 20:38 . 2007-09-14 07:02 545 --a------ C:\WINDOWS\PKZIP.PIF
2008-02-06 20:38 . 2007-09-14 07:02 545 --a------ C:\WINDOWS\PKUNZIP.PIF
2008-02-06 20:38 . 2007-09-14 07:02 545 --a------ C:\WINDOWS\NOCLOSE.PIF
2008-02-06 20:38 . 2007-09-14 07:02 545 --a------ C:\WINDOWS\LHA.PIF
2008-02-06 20:38 . 2007-09-14 07:02 545 --a------ C:\WINDOWS\ARJ.PIF
2008-02-03 20:48 . 2007-07-19 18:14 3,727,720 --a------ C:\WINDOWS\system32\d3dx9_35.dll
2008-02-03 20:48 . 2007-07-19 18:14 1,358,192 --a------ C:\WINDOWS\system32\D3DCompiler_35.dll
2008-02-03 20:48 . 2007-07-19 18:14 444,776 --a------ C:\WINDOWS\system32\d3dx10_35.dll
2008-02-03 20:48 . 2007-07-20 00:57 267,112 --a------ C:\WINDOWS\system32\xactengine2_9.dll
2008-02-03 20:39 . 2008-02-03 20:48 <DIR> d-------- C:\Program Files\Zaklˇnaź
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-02 16:31 --------- d-----w C:\DOCUME~1\ALLUSE~1\DATAAP~1\avg7
2008-02-27 15:03 --------- d-----w C:\Program Files\SpeedFan
2008-02-27 14:55 --------- d-----w C:\Program Files\Software2000
2008-02-17 22:53 --------- d-----w C:\Program Files\Cool CENZURA
2008-02-07 20:15 --------- d-----w C:\Program Files\EA SPORTS
2008-02-06 20:19 --------- d-----w C:\Program Files\Electronic Arts
2008-02-03 19:48 278,984 ----a-w C:\WINDOWS\system32\drivers\atksgt.sys
2008-02-03 19:48 --------- d-----w C:\Program Files\Zaklínač
2008-02-03 19:39 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-31 18:50 --------- d-----w C:\Program Files\ElcomSoft
2008-01-31 18:38 --------- d-----w C:\Program Files\RAR Password Cracker
2008-01-31 16:54 --------- d-----w C:\Program Files\THQ
2008-01-27 21:56 107,888 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2008-01-26 23:31 --------- d-----w C:\Program Files\uTorrent
2008-01-20 07:07 33,292 ----a-w C:\WINDOWS\system32\drivers\scdemu.sys
2008-01-16 16:20 52,736 ----a-w C:\WINDOWS\ipuninst.exe
2008-01-16 16:18 --------- d-----w C:\Program Files\BlackIsle
2008-01-08 19:00 --------- d-----w C:\Program Files\Pixia
2008-01-08 18:54 --------- d-----w C:\Program Files\GIMP-2.0
2008-01-08 15:25 --------- d-----w C:\Program Files\Activision
2008-01-07 21:17 --------- d-----w C:\Program Files\JoWooD Productions Software AG
2008-01-07 15:40 --------- d-----w C:\Program Files\ParadisePoker
2008-01-02 10:13 197,120 ----a-w C:\WINDOWS\system32\FHMcom_OxleyStrip.scr
2007-12-07 02:14 824,832 ----a-w C:\WINDOWS\system32\wininet.dll
2007-12-04 18:41 550,912 ------w C:\WINDOWS\system32\oleaut32.dll
2007-09-23 21:32 4,687,304 ----a-w C:\Program Files\paradisepoker_com_cs.exe
2007-01-14 21:00 1 ----a-w C:\Documents and Settings\User\SI.bin
2005-08-08 00:41 35,328 ----a-w C:\Program Files\usb_format.exe
2002-05-27 08:25 295,424 ----a-w C:\Program Files\SubtitleToolCZ.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{24BCDA96-8FCB-4D3B-0500-000000000004}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2006-03-02 13:00 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 17:24 1694208]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2006-12-18 17:32 25365032]
"pdfSaver3"="c:\Program Files\PDF\pdfSaver\pdfSaver3.exe" [2004-05-19 14:29 385024]
"QIP2005"="C:\Program Files\QIP\qip.exe" [2007-11-16 14:17 3264512]
"uTorrent"="C:\Program Files\uTorrent\utorrent.exe" [2008-01-26 18:02 219952]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SkyTel"="SkyTel.EXE" [2006-05-16 11:04 2879488 C:\WINDOWS\SkyTel.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-08-11 14:43 7630848]
"nwiz"="nwiz.exe" [2006-08-11 14:43 1519616 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-08-11 14:43 86016]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"RTHDCPL"="RTHDCPL.EXE" [2006-06-28 07:54 16248320 C:\WINDOWS\RTHDCPL.exe]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2007-12-21 15:21 579072]
"pdfSaver3"="" []
"602PC SUITE PDF Saver"="C:\Program Files\Common Files\602phs\pdfSaver.exe" [2005-08-31 16:00 49152]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2004-06-16 05:03 221184]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-06-16 05:03 81920]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2005-10-18 10:58 278528]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-16 17:44 155648]
"ConMet"="C:\Program Files\ConMet\ConMet.exe" [ ]
"tsnpstd3"="C:\WINDOWS\tsnpstd3.exe" [2006-07-07 15:04 262144]
"snpstd3"="C:\WINDOWS\vsnpstd3.exe" [2006-09-18 14:12 843776]
"PWRISOVM.EXE"="C:\Program Files\PowerISO\PWRISOVM.EXE" [2008-01-20 08:05 217088]
"advap32"="c:\stwojhwy.exe/r" [ ]
"antiviirus"="C:\Program Files\antiviirus.exe" [2008-03-02 16:11 11968]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2006-03-02 13:00 15360]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe" [2007-10-23 13:58 219136]
C:\DOCUME~1\ALLUSE~1\NABDKA~1\Programy\POSPUT~1\
Mˇstnˇ vyhled v nˇ.lnk - C:\Program Files\Windows Desktop Search\WindowsSearch.exe [2007-02-05 15:40:46 118784]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [2007-02-05 15:39 294400]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WLCtrl32]
WLCtrl32.dll 2008-03-03 21:21 11776 C:\WINDOWS\system32\WLCtrl32.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xpspqdvd]
C:\WINDOWS\system32\xpspqdvd.dll
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\uTorrent\\utorrent.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
R1 fwdrv;Firewall Driver;C:\WINDOWS\system32\drivers\fwdrv.sys [2007-02-20 13:34]
R1 khips;Kerio HIPS Driver;C:\WINDOWS\system32\drivers\khips.sys [2007-02-20 13:34]
R3 PSched;Plánovač paketů technologie QoS;C:\WINDOWS\system32\DRIVERS\psched.sys [2006-03-02 13:00]
R3 usbccgp;Obecný nadřazený ovladač Microsoft USB;C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2004-08-03 23:08]
R3 usbohci;Ovladač Miniport otevřeného hostitelského řadiče Microsoft USB;C:\WINDOWS\system32\DRIVERS\usbohci.sys [2006-03-02 13:00]
S0 Hou85;Hou85;C:\WINDOWS\system32\Drivers\Hou85.sys []
S0 Pwd74;Pwd74;C:\WINDOWS\system32\Drivers\Pwd74.sys []
S3 hamachi_oem;PlayLinc Adapter;C:\WINDOWS\system32\DRIVERS\gan_adapter.sys [2006-08-28 23:54]
S3 SetupNTGLM7X;SetupNTGLM7X;D:\NTGLM7X.sys []
S3 USBSTOR;Ovladač velkokapacitního paměťového zařízení USB;C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-03 23:08]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{23146296-69c9-11dc-a3cc-001617ba045b}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-03 21:21:53
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\WLCtrl32.dll
.
------------------------ Other Running Processes ------------------------
.
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\DOCUME~1\User\LOCALS~1\Temp\UUAIzguX.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\WINDOWS\system32\SearchFilterHost.exe
.
**************************************************************************
.
Completion time: 2008-03-03 21:26:38 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-03 20:26:31
.
2008-02-28 20:30:44 --- E O F ---
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:08:32, on 4.3.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Common Files\602phs\pdfSaver.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\tsnpstd3.exe
C:\WINDOWS\vsnpstd3.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\antiviirus.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\PDF\pdfSaver\pdfSaver3.exe
C:\Program Files\QIP\qip.exe
C:\Program Files\uTorrent\utorrent.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Skype\Plugin Manager\SkypePM.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\DOCUME~1\User\LOCALS~1\Temp\CaY7KZdD.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\VideoLAN\VLC\vlc.exe
C:\Program Files\Opera\Opera.exe
C:\Documents and Settings\User\Dokumenty\Downloads\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.seznam.cz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O2 - BHO: SMSender.E.ToolbarsHelper - {24BCDA96-8FCB-4D3B-0500-000000000004} - mscoree.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: SMSender - {24BCDA96-8FCB-4D3B-0500-000000000003} - mscoree.dll (file missing)
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [602PC SUITE PDF Saver] "C:\Program Files\Common Files\602phs\pdfSaver.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ConMet] C:\Program Files\ConMet\ConMet.exe
O4 - HKLM\..\Run: [tsnpstd3] C:\WINDOWS\tsnpstd3.exe
O4 - HKLM\..\Run: [snpstd3] C:\WINDOWS\vsnpstd3.exe
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [advap32] c:\stwojhwy.exe/r
O4 - HKLM\..\Run: [antiviirus] C:\Program Files\antiviirus.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [pdfSaver3] "c:\Program Files\PDF\pdfSaver\pdfSaver3.exe"
O4 - HKCU\..\Run: [QIP2005] C:\Program Files\QIP\qip.exe
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\utorrent.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Jádro Plánovače úloh SolidWorks.lnk = C:\Program Files\SolidWorks\swScheduler\swBOEngine.exe
O4 - Global Startup: Místní vyhledávání.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredi ... xdm080YYCZ
O8 - Extra context menu item: Poslat jako MMS - res://C:\Program Files\O2\SMSender\SMSender.E.dll/1001
O8 - Extra context menu item: Poslat jako SMS - res://C:\Program Files\O2\SMSender\SMSender.E.dll/1000
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocach ... 0.15-3.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: WLCtrl32 - C:\WINDOWS\SYSTEM32\WLCtrl32.dll
O20 - Winlogon Notify: xpspqdvd - C:\WINDOWS\system32\xpspqdvd.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe
--
End of file - 8618 bytes
Scan saved at 2:08:32, on 4.3.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Common Files\602phs\pdfSaver.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\tsnpstd3.exe
C:\WINDOWS\vsnpstd3.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\antiviirus.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\PDF\pdfSaver\pdfSaver3.exe
C:\Program Files\QIP\qip.exe
C:\Program Files\uTorrent\utorrent.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Skype\Plugin Manager\SkypePM.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\DOCUME~1\User\LOCALS~1\Temp\CaY7KZdD.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\VideoLAN\VLC\vlc.exe
C:\Program Files\Opera\Opera.exe
C:\Documents and Settings\User\Dokumenty\Downloads\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.seznam.cz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O2 - BHO: SMSender.E.ToolbarsHelper - {24BCDA96-8FCB-4D3B-0500-000000000004} - mscoree.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: SMSender - {24BCDA96-8FCB-4D3B-0500-000000000003} - mscoree.dll (file missing)
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [602PC SUITE PDF Saver] "C:\Program Files\Common Files\602phs\pdfSaver.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ConMet] C:\Program Files\ConMet\ConMet.exe
O4 - HKLM\..\Run: [tsnpstd3] C:\WINDOWS\tsnpstd3.exe
O4 - HKLM\..\Run: [snpstd3] C:\WINDOWS\vsnpstd3.exe
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [advap32] c:\stwojhwy.exe/r
O4 - HKLM\..\Run: [antiviirus] C:\Program Files\antiviirus.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [pdfSaver3] "c:\Program Files\PDF\pdfSaver\pdfSaver3.exe"
O4 - HKCU\..\Run: [QIP2005] C:\Program Files\QIP\qip.exe
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\utorrent.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Jádro Plánovače úloh SolidWorks.lnk = C:\Program Files\SolidWorks\swScheduler\swBOEngine.exe
O4 - Global Startup: Místní vyhledávání.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredi ... xdm080YYCZ
O8 - Extra context menu item: Poslat jako MMS - res://C:\Program Files\O2\SMSender\SMSender.E.dll/1001
O8 - Extra context menu item: Poslat jako SMS - res://C:\Program Files\O2\SMSender\SMSender.E.dll/1000
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocach ... 0.15-3.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: WLCtrl32 - C:\WINDOWS\SYSTEM32\WLCtrl32.dll
O20 - Winlogon Notify: xpspqdvd - C:\WINDOWS\system32\xpspqdvd.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe
--
End of file - 8618 bytes
Takže udělejte následující:
Přesuňte Combofix na plochu (pokud ho tam ještě nemáte) - otevřete si poznámkový blok - do něj zkopírujte text z nasledujícího okna:
Text uložte jako CFScript.txt na plochu - po uložení uchopte vámi vytvořený soubor .txt levým tlačítkem myši a přesuňte jej nad ikonu ComboFixu - nad ikonou ComboFixu soubor .txt upusťte - spustí se ComboFix (možná budete muset znova potvrdit licenční podmínky kliknutím na Ano) - a CF začne znova scanovat, nakonci scanování se pokusí CF smazat zadané soubory či něco jiného, co jsme mu zadali - po provedení akce se opět zobrazí okno poznámkového bloku s textem, který sem zkopírujte a vyčkejte prosím na další rady
+ tohle nechte prosím otestovat na http://www.virustotal.com :
C:\Program Files\tmp60953.exe
C:\Program Files\tmp473812.exe
C:\WINDOWS\system32\Drivers\Hou85.sys
C:\WINDOWS\system32\Drivers\Pwd74.sys
Přesuňte Combofix na plochu (pokud ho tam ještě nemáte) - otevřete si poznámkový blok - do něj zkopírujte text z nasledujícího okna:
Kód: Vybrat vše
File::
C:\WINDOWS\yacht.xws
C:\stwojhwy.exe
C:\rsvlqer.exe
C:\WINDOWS\apdqnxp.dll
C:\WINDOWS\btrklfr.dll
C:\amp.bat
C:\Program Files\antiviirus.exe
C:\WINDOWS\system32\WLCtrl32.dll
C:\WINDOWS\system32\xpspqdvd.dll
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"antiviirus"=-
"advap32"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WLCtrl32]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xpspqdvd]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=-
"C:\\Program Files\\uTorrent\\utorrent.exe"=-
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=-Text uložte jako CFScript.txt na plochu - po uložení uchopte vámi vytvořený soubor .txt levým tlačítkem myši a přesuňte jej nad ikonu ComboFixu - nad ikonou ComboFixu soubor .txt upusťte - spustí se ComboFix (možná budete muset znova potvrdit licenční podmínky kliknutím na Ano) - a CF začne znova scanovat, nakonci scanování se pokusí CF smazat zadané soubory či něco jiného, co jsme mu zadali - po provedení akce se opět zobrazí okno poznámkového bloku s textem, který sem zkopírujte a vyčkejte prosím na další rady
+ tohle nechte prosím otestovat na http://www.virustotal.com :
C:\Program Files\tmp60953.exe
C:\Program Files\tmp473812.exe
C:\WINDOWS\system32\Drivers\Hou85.sys
C:\WINDOWS\system32\Drivers\Pwd74.sys
rozumím. posílám log a vyčkávám.
ComboFix 08-03-03.4 - User 2008-03-04 23:15:27.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1250.1.1029.18.1425 [GMT 1:00]
Running from: C:\Documents and Settings\User\Plocha\ComboFix.exe
Command switches used :: C:\Documents and Settings\User\Plocha\CFScript.txt
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
FILE ::
C:\amp.bat
C:\Program Files\antiviirus.exe
C:\rsvlqer.exe
C:\stwojhwy.exe
C:\WINDOWS\apdqnxp.dll
C:\WINDOWS\btrklfr.dll
C:\WINDOWS\system32\WLCtrl32.dll
C:\WINDOWS\system32\xpspqdvd.dll
C:\WINDOWS\yacht.xws
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\amp.bat
C:\Program Files\antiviirus.exe
C:\rsvlqer.exe
C:\stwojhwy.exe
C:\WINDOWS\apdqnxp.dll
C:\WINDOWS\btrklfr.dll
C:\WINDOWS\system32\WLCtrl32.dll
C:\WINDOWS\yacht.xws
.
((((((((((((((((((((((((( Files Created from 2008-02-04 to 2008-03-04 )))))))))))))))))))))))))))))))
.
2008-03-04 22:25 . 2008-03-04 22:25 16,592 --a------ C:\Program Files\tmp37390.exe
2008-03-04 04:00 . 2008-03-04 04:00 16,632 --a------ C:\Program Files\tmp41265.exe
2008-03-04 03:53 . 2008-03-04 03:53 16,632 --a------ C:\Program Files\tmp41125.exe
2008-03-04 03:32 . 2008-03-04 03:32 16,648 --a------ C:\Program Files\tmp37203.exe
2008-03-02 21:02 . 2008-03-02 21:02 <DIR> d-------- C:\Program Files\CCleaner
2008-03-02 19:21 . 2008-03-02 19:22 <DIR> d-------- C:\WINDOWS\ERUNT
2008-03-02 19:20 . 2008-03-04 03:18 326 --a------ C:\WINDOWS\system32\drivers\fwdrv.err
2008-03-02 18:59 . 2008-03-04 03:27 <DIR> d-------- C:\SDFix
2008-03-02 18:58 . 2008-03-02 18:58 1,312,273 --a------ C:\SDFix.exe
2008-03-02 18:48 . 2008-03-02 18:49 1,312,273 --a------ C:\default
2008-03-02 17:18 . 2008-03-02 17:18 <DIR> d-------- C:\Program Files\Sunbelt Software
2008-03-02 16:36 . 2008-03-02 16:36 26,240 --a------ C:\WINDOWS\system32\drivers\Fms64.sys
2008-03-02 16:19 . 2008-03-02 16:19 <DIR> d-------- C:\Program Files\Ashampoo
2008-03-01 14:16 . 2008-03-02 14:38 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2008-03-01 13:47 . 2008-03-01 13:47 <DIR> d-------- C:\Program Files\MagicISO
2008-02-27 15:52 . 2008-02-27 15:52 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\DATAAP~1\DassaultSystemes
2008-02-27 15:45 . 2008-02-27 15:45 0 --a------ C:\WINDOWS\eDrawingOfficeAutomator.INI
2008-02-27 15:43 . 2008-02-27 15:58 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-02-27 15:39 . 2008-02-27 15:39 <DIR> d-------- C:\WINDOWS\system32\GroupPolicy
2008-02-27 15:39 . 2008-02-27 15:44 <DIR> d-------- C:\Program Files\Solidworks Data
2008-02-27 15:39 . 2008-02-27 16:02 <DIR> d-------- C:\Program Files\SolidWorks
2008-02-27 15:39 . 2008-02-27 16:02 <DIR> d-------- C:\Program Files\Common Files\SolidWorks Shared
2008-02-27 15:39 . 2008-02-27 15:39 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\DATAAP~1\SolidWorks
2008-02-27 15:38 . 2008-02-27 15:38 <DIR> d-------- C:\Program Files\Windows Desktop Search
2008-02-27 15:13 . 2008-02-27 15:13 <DIR> d-------- C:\Program Files\MSBuild
2008-02-27 15:11 . 2008-02-27 15:11 <DIR> d-------- C:\WINDOWS\system32\XPSViewer
2008-02-27 15:10 . 2008-02-27 15:10 <DIR> d-------- C:\Program Files\Reference Assemblies
2008-02-27 15:10 . 2006-06-29 13:07 14,048 --------- C:\WINDOWS\system32\spmsg2.dll
2008-02-27 15:09 . 2008-02-27 15:09 <DIR> d-------- C:\Program Files\MSECache
2008-02-27 14:55 . 2008-02-27 14:55 <DIR> d-------- C:\Program Files\PowerISO
2008-02-21 21:40 . 2008-03-02 17:53 <DIR> d-------- C:\Program Files\Opera
2008-02-15 19:07 . 2008-02-15 19:12 2,359,350 --a------ C:\WINDOWS\ACD Wallpaper.bmp
2008-02-06 21:25 . 2008-02-06 21:25 <DIR> d-------- C:\WINDOWS\system32\URTTEMP
2008-02-06 21:24 . 2008-03-01 17:07 669,184 --a------ C:\WINDOWS\system32\pbsvc.exe
2008-02-06 21:24 . 2008-03-01 17:07 103,736 --a------ C:\WINDOWS\system32\PnkBstrB.exe
2008-02-06 21:24 . 2008-03-01 17:07 66,872 --a------ C:\WINDOWS\system32\PnkBstrA.exe
2008-02-06 21:24 . 2008-03-01 17:07 22,328 --a------ C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-02-06 20:38 . 2008-02-06 20:38 <DIR> d-------- C:\Program Files\totalcmd
2008-02-06 20:38 . 2008-02-26 21:00 1,592 --a------ C:\WINDOWS\wincmd.ini
2008-02-06 20:38 . 2007-09-14 07:02 545 --a------ C:\WINDOWS\UC.PIF
2008-02-06 20:38 . 2007-09-14 07:02 545 --a------ C:\WINDOWS\RAR.PIF
2008-02-06 20:38 . 2007-09-14 07:02 545 --a------ C:\WINDOWS\PKZIP.PIF
2008-02-06 20:38 . 2007-09-14 07:02 545 --a------ C:\WINDOWS\PKUNZIP.PIF
2008-02-06 20:38 . 2007-09-14 07:02 545 --a------ C:\WINDOWS\NOCLOSE.PIF
2008-02-06 20:38 . 2007-09-14 07:02 545 --a------ C:\WINDOWS\LHA.PIF
2008-02-06 20:38 . 2007-09-14 07:02 545 --a------ C:\WINDOWS\ARJ.PIF
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-04 03:10 --------- d-----w C:\DOCUME~1\ALLUSE~1\DATAAP~1\avg7
2008-02-27 15:03 --------- d-----w C:\Program Files\SpeedFan
2008-02-27 14:55 --------- d-----w C:\Program Files\Software2000
2008-02-17 22:53 --------- d-----w C:\Program Files\Cool CENZURA
2008-02-07 20:15 --------- d-----w C:\Program Files\EA SPORTS
2008-02-06 20:19 --------- d-----w C:\Program Files\Electronic Arts
2008-02-03 19:48 278,984 ----a-w C:\WINDOWS\system32\drivers\atksgt.sys
2008-02-03 19:48 --------- d-----w C:\Program Files\Zaklínač
2008-02-03 19:39 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-31 18:50 --------- d-----w C:\Program Files\ElcomSoft
2008-01-31 18:38 --------- d-----w C:\Program Files\RAR Password Cracker
2008-01-31 16:54 --------- d-----w C:\Program Files\THQ
2008-01-27 21:56 107,888 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2008-01-26 23:31 --------- d-----w C:\Program Files\uTorrent
2008-01-20 07:07 33,292 ----a-w C:\WINDOWS\system32\drivers\scdemu.sys
2008-01-16 16:20 52,736 ----a-w C:\WINDOWS\ipuninst.exe
2008-01-16 16:18 --------- d-----w C:\Program Files\BlackIsle
2008-01-08 19:00 --------- d-----w C:\Program Files\Pixia
2008-01-08 18:54 --------- d-----w C:\Program Files\GIMP-2.0
2008-01-08 15:25 --------- d-----w C:\Program Files\Activision
2008-01-07 21:17 --------- d-----w C:\Program Files\JoWooD Productions Software AG
2008-01-07 15:40 --------- d-----w C:\Program Files\ParadisePoker
2008-01-02 10:13 197,120 ----a-w C:\WINDOWS\system32\FHMcom_OxleyStrip.scr
2007-12-07 02:14 824,832 ----a-w C:\WINDOWS\system32\wininet.dll
2007-12-04 18:41 550,912 ------w C:\WINDOWS\system32\oleaut32.dll
2007-09-23 21:32 4,687,304 ----a-w C:\Program Files\paradisepoker_com_cs.exe
2007-01-14 21:00 1 ----a-w C:\Documents and Settings\User\SI.bin
2005-08-08 00:41 35,328 ----a-w C:\Program Files\usb_format.exe
2002-05-27 08:25 295,424 ----a-w C:\Program Files\SubtitleToolCZ.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{24BCDA96-8FCB-4D3B-0500-000000000004}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2006-03-02 13:00 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 17:24 1694208]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2006-12-18 17:32 25365032]
"pdfSaver3"="c:\Program Files\PDF\pdfSaver\pdfSaver3.exe" [2004-05-19 14:29 385024]
"QIP2005"="C:\Program Files\QIP\qip.exe" [2007-11-16 14:17 3264512]
"uTorrent"="C:\Program Files\uTorrent\utorrent.exe" [2008-01-26 18:02 219952]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SkyTel"="SkyTel.EXE" [2006-05-16 11:04 2879488 C:\WINDOWS\SkyTel.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-08-11 14:43 7630848]
"nwiz"="nwiz.exe" [2006-08-11 14:43 1519616 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-08-11 14:43 86016]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"RTHDCPL"="RTHDCPL.EXE" [2006-06-28 07:54 16248320 C:\WINDOWS\RTHDCPL.exe]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2007-12-21 15:21 579072]
"pdfSaver3"="" []
"602PC SUITE PDF Saver"="C:\Program Files\Common Files\602phs\pdfSaver.exe" [2005-08-31 16:00 49152]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2004-06-16 05:03 221184]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-06-16 05:03 81920]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2005-10-18 10:58 278528]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-16 17:44 155648]
"ConMet"="C:\Program Files\ConMet\ConMet.exe" [ ]
"tsnpstd3"="C:\WINDOWS\tsnpstd3.exe" [2006-07-07 15:04 262144]
"snpstd3"="C:\WINDOWS\vsnpstd3.exe" [2006-09-18 14:12 843776]
"PWRISOVM.EXE"="C:\Program Files\PowerISO\PWRISOVM.EXE" [2008-01-20 08:05 217088]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2006-03-02 13:00 15360]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe" [2007-10-23 13:58 219136]
C:\DOCUME~1\ALLUSE~1\NABDKA~1\Programy\POSPUT~1\
Mˇstnˇ vyhled v nˇ.lnk - C:\Program Files\Windows Desktop Search\WindowsSearch.exe [2007-02-05 15:40:46 118784]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [2007-02-05 15:39 294400]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\uTorrent\\utorrent.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
R1 fwdrv;Firewall Driver;C:\WINDOWS\system32\drivers\fwdrv.sys [2007-02-20 13:34]
R1 khips;Kerio HIPS Driver;C:\WINDOWS\system32\drivers\khips.sys [2007-02-20 13:34]
R3 PSched;Plánovač paketů technologie QoS;C:\WINDOWS\system32\DRIVERS\psched.sys [2006-03-02 13:00]
R3 usbccgp;Obecný nadřazený ovladač Microsoft USB;C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2004-08-03 23:08]
R3 usbohci;Ovladač Miniport otevřeného hostitelského řadiče Microsoft USB;C:\WINDOWS\system32\DRIVERS\usbohci.sys [2006-03-02 13:00]
S0 Hou85;Hou85;C:\WINDOWS\system32\Drivers\Hou85.sys []
S0 Pwd74;Pwd74;C:\WINDOWS\system32\Drivers\Pwd74.sys []
S3 hamachi_oem;PlayLinc Adapter;C:\WINDOWS\system32\DRIVERS\gan_adapter.sys [2006-08-28 23:54]
S3 SetupNTGLM7X;SetupNTGLM7X;D:\NTGLM7X.sys []
S3 USBSTOR;Ovladač velkokapacitního paměťového zařízení USB;C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-03 23:08]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{23146296-69c9-11dc-a3cc-001617ba045b}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-04 23:21:38
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\savedump.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\Program Files\Skype\Plugin Manager\SkypePM.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\WINDOWS\system32\SearchFilterHost.exe
.
**************************************************************************
.
Completion time: 2008-03-04 23:26:13 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-04 22:26:05
ComboFix2.txt 2008-03-04 02:43:52
ComboFix3.txt 2008-03-03 20:26:41
.
2008-02-28 20:30:44 --- E O F ---
ComboFix 08-03-03.4 - User 2008-03-04 23:15:27.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1250.1.1029.18.1425 [GMT 1:00]
Running from: C:\Documents and Settings\User\Plocha\ComboFix.exe
Command switches used :: C:\Documents and Settings\User\Plocha\CFScript.txt
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
FILE ::
C:\amp.bat
C:\Program Files\antiviirus.exe
C:\rsvlqer.exe
C:\stwojhwy.exe
C:\WINDOWS\apdqnxp.dll
C:\WINDOWS\btrklfr.dll
C:\WINDOWS\system32\WLCtrl32.dll
C:\WINDOWS\system32\xpspqdvd.dll
C:\WINDOWS\yacht.xws
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\amp.bat
C:\Program Files\antiviirus.exe
C:\rsvlqer.exe
C:\stwojhwy.exe
C:\WINDOWS\apdqnxp.dll
C:\WINDOWS\btrklfr.dll
C:\WINDOWS\system32\WLCtrl32.dll
C:\WINDOWS\yacht.xws
.
((((((((((((((((((((((((( Files Created from 2008-02-04 to 2008-03-04 )))))))))))))))))))))))))))))))
.
2008-03-04 22:25 . 2008-03-04 22:25 16,592 --a------ C:\Program Files\tmp37390.exe
2008-03-04 04:00 . 2008-03-04 04:00 16,632 --a------ C:\Program Files\tmp41265.exe
2008-03-04 03:53 . 2008-03-04 03:53 16,632 --a------ C:\Program Files\tmp41125.exe
2008-03-04 03:32 . 2008-03-04 03:32 16,648 --a------ C:\Program Files\tmp37203.exe
2008-03-02 21:02 . 2008-03-02 21:02 <DIR> d-------- C:\Program Files\CCleaner
2008-03-02 19:21 . 2008-03-02 19:22 <DIR> d-------- C:\WINDOWS\ERUNT
2008-03-02 19:20 . 2008-03-04 03:18 326 --a------ C:\WINDOWS\system32\drivers\fwdrv.err
2008-03-02 18:59 . 2008-03-04 03:27 <DIR> d-------- C:\SDFix
2008-03-02 18:58 . 2008-03-02 18:58 1,312,273 --a------ C:\SDFix.exe
2008-03-02 18:48 . 2008-03-02 18:49 1,312,273 --a------ C:\default
2008-03-02 17:18 . 2008-03-02 17:18 <DIR> d-------- C:\Program Files\Sunbelt Software
2008-03-02 16:36 . 2008-03-02 16:36 26,240 --a------ C:\WINDOWS\system32\drivers\Fms64.sys
2008-03-02 16:19 . 2008-03-02 16:19 <DIR> d-------- C:\Program Files\Ashampoo
2008-03-01 14:16 . 2008-03-02 14:38 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2008-03-01 13:47 . 2008-03-01 13:47 <DIR> d-------- C:\Program Files\MagicISO
2008-02-27 15:52 . 2008-02-27 15:52 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\DATAAP~1\DassaultSystemes
2008-02-27 15:45 . 2008-02-27 15:45 0 --a------ C:\WINDOWS\eDrawingOfficeAutomator.INI
2008-02-27 15:43 . 2008-02-27 15:58 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-02-27 15:39 . 2008-02-27 15:39 <DIR> d-------- C:\WINDOWS\system32\GroupPolicy
2008-02-27 15:39 . 2008-02-27 15:44 <DIR> d-------- C:\Program Files\Solidworks Data
2008-02-27 15:39 . 2008-02-27 16:02 <DIR> d-------- C:\Program Files\SolidWorks
2008-02-27 15:39 . 2008-02-27 16:02 <DIR> d-------- C:\Program Files\Common Files\SolidWorks Shared
2008-02-27 15:39 . 2008-02-27 15:39 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\DATAAP~1\SolidWorks
2008-02-27 15:38 . 2008-02-27 15:38 <DIR> d-------- C:\Program Files\Windows Desktop Search
2008-02-27 15:13 . 2008-02-27 15:13 <DIR> d-------- C:\Program Files\MSBuild
2008-02-27 15:11 . 2008-02-27 15:11 <DIR> d-------- C:\WINDOWS\system32\XPSViewer
2008-02-27 15:10 . 2008-02-27 15:10 <DIR> d-------- C:\Program Files\Reference Assemblies
2008-02-27 15:10 . 2006-06-29 13:07 14,048 --------- C:\WINDOWS\system32\spmsg2.dll
2008-02-27 15:09 . 2008-02-27 15:09 <DIR> d-------- C:\Program Files\MSECache
2008-02-27 14:55 . 2008-02-27 14:55 <DIR> d-------- C:\Program Files\PowerISO
2008-02-21 21:40 . 2008-03-02 17:53 <DIR> d-------- C:\Program Files\Opera
2008-02-15 19:07 . 2008-02-15 19:12 2,359,350 --a------ C:\WINDOWS\ACD Wallpaper.bmp
2008-02-06 21:25 . 2008-02-06 21:25 <DIR> d-------- C:\WINDOWS\system32\URTTEMP
2008-02-06 21:24 . 2008-03-01 17:07 669,184 --a------ C:\WINDOWS\system32\pbsvc.exe
2008-02-06 21:24 . 2008-03-01 17:07 103,736 --a------ C:\WINDOWS\system32\PnkBstrB.exe
2008-02-06 21:24 . 2008-03-01 17:07 66,872 --a------ C:\WINDOWS\system32\PnkBstrA.exe
2008-02-06 21:24 . 2008-03-01 17:07 22,328 --a------ C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-02-06 20:38 . 2008-02-06 20:38 <DIR> d-------- C:\Program Files\totalcmd
2008-02-06 20:38 . 2008-02-26 21:00 1,592 --a------ C:\WINDOWS\wincmd.ini
2008-02-06 20:38 . 2007-09-14 07:02 545 --a------ C:\WINDOWS\UC.PIF
2008-02-06 20:38 . 2007-09-14 07:02 545 --a------ C:\WINDOWS\RAR.PIF
2008-02-06 20:38 . 2007-09-14 07:02 545 --a------ C:\WINDOWS\PKZIP.PIF
2008-02-06 20:38 . 2007-09-14 07:02 545 --a------ C:\WINDOWS\PKUNZIP.PIF
2008-02-06 20:38 . 2007-09-14 07:02 545 --a------ C:\WINDOWS\NOCLOSE.PIF
2008-02-06 20:38 . 2007-09-14 07:02 545 --a------ C:\WINDOWS\LHA.PIF
2008-02-06 20:38 . 2007-09-14 07:02 545 --a------ C:\WINDOWS\ARJ.PIF
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-04 03:10 --------- d-----w C:\DOCUME~1\ALLUSE~1\DATAAP~1\avg7
2008-02-27 15:03 --------- d-----w C:\Program Files\SpeedFan
2008-02-27 14:55 --------- d-----w C:\Program Files\Software2000
2008-02-17 22:53 --------- d-----w C:\Program Files\Cool CENZURA
2008-02-07 20:15 --------- d-----w C:\Program Files\EA SPORTS
2008-02-06 20:19 --------- d-----w C:\Program Files\Electronic Arts
2008-02-03 19:48 278,984 ----a-w C:\WINDOWS\system32\drivers\atksgt.sys
2008-02-03 19:48 --------- d-----w C:\Program Files\Zaklínač
2008-02-03 19:39 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-31 18:50 --------- d-----w C:\Program Files\ElcomSoft
2008-01-31 18:38 --------- d-----w C:\Program Files\RAR Password Cracker
2008-01-31 16:54 --------- d-----w C:\Program Files\THQ
2008-01-27 21:56 107,888 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2008-01-26 23:31 --------- d-----w C:\Program Files\uTorrent
2008-01-20 07:07 33,292 ----a-w C:\WINDOWS\system32\drivers\scdemu.sys
2008-01-16 16:20 52,736 ----a-w C:\WINDOWS\ipuninst.exe
2008-01-16 16:18 --------- d-----w C:\Program Files\BlackIsle
2008-01-08 19:00 --------- d-----w C:\Program Files\Pixia
2008-01-08 18:54 --------- d-----w C:\Program Files\GIMP-2.0
2008-01-08 15:25 --------- d-----w C:\Program Files\Activision
2008-01-07 21:17 --------- d-----w C:\Program Files\JoWooD Productions Software AG
2008-01-07 15:40 --------- d-----w C:\Program Files\ParadisePoker
2008-01-02 10:13 197,120 ----a-w C:\WINDOWS\system32\FHMcom_OxleyStrip.scr
2007-12-07 02:14 824,832 ----a-w C:\WINDOWS\system32\wininet.dll
2007-12-04 18:41 550,912 ------w C:\WINDOWS\system32\oleaut32.dll
2007-09-23 21:32 4,687,304 ----a-w C:\Program Files\paradisepoker_com_cs.exe
2007-01-14 21:00 1 ----a-w C:\Documents and Settings\User\SI.bin
2005-08-08 00:41 35,328 ----a-w C:\Program Files\usb_format.exe
2002-05-27 08:25 295,424 ----a-w C:\Program Files\SubtitleToolCZ.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{24BCDA96-8FCB-4D3B-0500-000000000004}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2006-03-02 13:00 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 17:24 1694208]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2006-12-18 17:32 25365032]
"pdfSaver3"="c:\Program Files\PDF\pdfSaver\pdfSaver3.exe" [2004-05-19 14:29 385024]
"QIP2005"="C:\Program Files\QIP\qip.exe" [2007-11-16 14:17 3264512]
"uTorrent"="C:\Program Files\uTorrent\utorrent.exe" [2008-01-26 18:02 219952]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SkyTel"="SkyTel.EXE" [2006-05-16 11:04 2879488 C:\WINDOWS\SkyTel.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-08-11 14:43 7630848]
"nwiz"="nwiz.exe" [2006-08-11 14:43 1519616 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-08-11 14:43 86016]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"RTHDCPL"="RTHDCPL.EXE" [2006-06-28 07:54 16248320 C:\WINDOWS\RTHDCPL.exe]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2007-12-21 15:21 579072]
"pdfSaver3"="" []
"602PC SUITE PDF Saver"="C:\Program Files\Common Files\602phs\pdfSaver.exe" [2005-08-31 16:00 49152]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2004-06-16 05:03 221184]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-06-16 05:03 81920]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2005-10-18 10:58 278528]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-16 17:44 155648]
"ConMet"="C:\Program Files\ConMet\ConMet.exe" [ ]
"tsnpstd3"="C:\WINDOWS\tsnpstd3.exe" [2006-07-07 15:04 262144]
"snpstd3"="C:\WINDOWS\vsnpstd3.exe" [2006-09-18 14:12 843776]
"PWRISOVM.EXE"="C:\Program Files\PowerISO\PWRISOVM.EXE" [2008-01-20 08:05 217088]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2006-03-02 13:00 15360]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe" [2007-10-23 13:58 219136]
C:\DOCUME~1\ALLUSE~1\NABDKA~1\Programy\POSPUT~1\
Mˇstnˇ vyhled v nˇ.lnk - C:\Program Files\Windows Desktop Search\WindowsSearch.exe [2007-02-05 15:40:46 118784]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [2007-02-05 15:39 294400]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\uTorrent\\utorrent.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
R1 fwdrv;Firewall Driver;C:\WINDOWS\system32\drivers\fwdrv.sys [2007-02-20 13:34]
R1 khips;Kerio HIPS Driver;C:\WINDOWS\system32\drivers\khips.sys [2007-02-20 13:34]
R3 PSched;Plánovač paketů technologie QoS;C:\WINDOWS\system32\DRIVERS\psched.sys [2006-03-02 13:00]
R3 usbccgp;Obecný nadřazený ovladač Microsoft USB;C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2004-08-03 23:08]
R3 usbohci;Ovladač Miniport otevřeného hostitelského řadiče Microsoft USB;C:\WINDOWS\system32\DRIVERS\usbohci.sys [2006-03-02 13:00]
S0 Hou85;Hou85;C:\WINDOWS\system32\Drivers\Hou85.sys []
S0 Pwd74;Pwd74;C:\WINDOWS\system32\Drivers\Pwd74.sys []
S3 hamachi_oem;PlayLinc Adapter;C:\WINDOWS\system32\DRIVERS\gan_adapter.sys [2006-08-28 23:54]
S3 SetupNTGLM7X;SetupNTGLM7X;D:\NTGLM7X.sys []
S3 USBSTOR;Ovladač velkokapacitního paměťového zařízení USB;C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-03 23:08]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{23146296-69c9-11dc-a3cc-001617ba045b}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-04 23:21:38
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\savedump.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\Program Files\Skype\Plugin Manager\SkypePM.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\WINDOWS\system32\SearchFilterHost.exe
.
**************************************************************************
.
Completion time: 2008-03-04 23:26:13 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-04 22:26:05
ComboFix2.txt 2008-03-04 02:43:52
ComboFix3.txt 2008-03-03 20:26:41
.
2008-02-28 20:30:44 --- E O F ---
Jak dopadli ty soubory na VirusTotale?
Kód: Vybrat vše
+ tohle nechte prosím otestovat na www.virustotal.com :
C:\Program Files\tmp60953.exe
C:\Program Files\tmp473812.exe
C:\WINDOWS\system32\Drivers\Hou85.sys
C:\WINDOWS\system32\Drivers\Pwd74.sys
A pardon, to jsem přehlédl. hmmm. tak žádný se již na původní lokaci nenachází. Hou 85 je ve virus vualtu AVG. ostatní asi Avg odhalilo průběžně, a zřejmě jsem je zrušil. Pár věcí mi zahlasilo v posledních dnech.
Kerio dnes nehlásilo Winlogon zatím ani jednou. Příjemná změna. posílám aktuální HiJackThis.
Mohu požádat o další postup.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:56:44, on 6.3.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Common Files\602phs\pdfSaver.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\tsnpstd3.exe
C:\WINDOWS\vsnpstd3.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\PDF\pdfSaver\pdfSaver3.exe
C:\Program Files\QIP\qip.exe
C:\Program Files\uTorrent\utorrent.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Skype\Plugin Manager\SkypePM.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\Program Files\Opera\Opera.exe
C:\Program Files\Grisoft\AVG Free\avgwb.dat
C:\Documents and Settings\User\Plocha\system\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.seznam.cz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O2 - BHO: SMSender.E.ToolbarsHelper - {24BCDA96-8FCB-4D3B-0500-000000000004} - mscoree.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: SMSender - {24BCDA96-8FCB-4D3B-0500-000000000003} - mscoree.dll (file missing)
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [602PC SUITE PDF Saver] "C:\Program Files\Common Files\602phs\pdfSaver.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ConMet] C:\Program Files\ConMet\ConMet.exe
O4 - HKLM\..\Run: [tsnpstd3] C:\WINDOWS\tsnpstd3.exe
O4 - HKLM\..\Run: [snpstd3] C:\WINDOWS\vsnpstd3.exe
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [pdfSaver3] "c:\Program Files\PDF\pdfSaver\pdfSaver3.exe"
O4 - HKCU\..\Run: [QIP2005] C:\Program Files\QIP\qip.exe
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\utorrent.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Jádro Plánovače úloh SolidWorks.lnk = C:\Program Files\SolidWorks\swScheduler\swBOEngine.exe
O4 - Global Startup: Místní vyhledávání.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredi ... xdm080YYCZ
O8 - Extra context menu item: Poslat jako MMS - res://C:\Program Files\O2\SMSender\SMSender.E.dll/1001
O8 - Extra context menu item: Poslat jako SMS - res://C:\Program Files\O2\SMSender\SMSender.E.dll/1000
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocach ... 0.15-3.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: WLCtrl32 - C:\WINDOWS\SYSTEM32\WLCtrl32.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe
--
End of file - 8337 bytes
Kerio dnes nehlásilo Winlogon zatím ani jednou. Příjemná změna. posílám aktuální HiJackThis.
Mohu požádat o další postup.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:56:44, on 6.3.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Common Files\602phs\pdfSaver.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\tsnpstd3.exe
C:\WINDOWS\vsnpstd3.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\PDF\pdfSaver\pdfSaver3.exe
C:\Program Files\QIP\qip.exe
C:\Program Files\uTorrent\utorrent.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Skype\Plugin Manager\SkypePM.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\Program Files\Opera\Opera.exe
C:\Program Files\Grisoft\AVG Free\avgwb.dat
C:\Documents and Settings\User\Plocha\system\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.seznam.cz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O2 - BHO: SMSender.E.ToolbarsHelper - {24BCDA96-8FCB-4D3B-0500-000000000004} - mscoree.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: SMSender - {24BCDA96-8FCB-4D3B-0500-000000000003} - mscoree.dll (file missing)
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [602PC SUITE PDF Saver] "C:\Program Files\Common Files\602phs\pdfSaver.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ConMet] C:\Program Files\ConMet\ConMet.exe
O4 - HKLM\..\Run: [tsnpstd3] C:\WINDOWS\tsnpstd3.exe
O4 - HKLM\..\Run: [snpstd3] C:\WINDOWS\vsnpstd3.exe
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [pdfSaver3] "c:\Program Files\PDF\pdfSaver\pdfSaver3.exe"
O4 - HKCU\..\Run: [QIP2005] C:\Program Files\QIP\qip.exe
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\utorrent.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Jádro Plánovače úloh SolidWorks.lnk = C:\Program Files\SolidWorks\swScheduler\swBOEngine.exe
O4 - Global Startup: Místní vyhledávání.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredi ... xdm080YYCZ
O8 - Extra context menu item: Poslat jako MMS - res://C:\Program Files\O2\SMSender\SMSender.E.dll/1001
O8 - Extra context menu item: Poslat jako SMS - res://C:\Program Files\O2\SMSender\SMSender.E.dll/1000
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocach ... 0.15-3.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: WLCtrl32 - C:\WINDOWS\SYSTEM32\WLCtrl32.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe
--
End of file - 8337 bytes
Požádat o další postup můžete kdykoli, otázka je, zda ho budu vědět.
Tohle fixněte, jen zbytečnosti:
O2 - BHO: SMSender.E.ToolbarsHelper - {24BCDA96-8FCB-4D3B-0500-000000000004} - mscoree.dll (file missing)
O3 - Toolbar: SMSender - {24BCDA96-8FCB-4D3B-0500-000000000003} - mscoree.dll (file missing)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
jinak v tom Keriu nemůžete dát zablokovat ten winlogon a aby se Kerio už neptalo? Jinak ještě radši pošlete jeden ComboFix a uvidíme co tam zbylo.
Tohle fixněte, jen zbytečnosti:
O2 - BHO: SMSender.E.ToolbarsHelper - {24BCDA96-8FCB-4D3B-0500-000000000004} - mscoree.dll (file missing)
O3 - Toolbar: SMSender - {24BCDA96-8FCB-4D3B-0500-000000000003} - mscoree.dll (file missing)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
jinak v tom Keriu nemůžete dát zablokovat ten winlogon a aby se Kerio už neptalo? Jinak ještě radši pošlete jeden ComboFix a uvidíme co tam zbylo.
Kdo je online
Uživatelé prohlížející si toto fórum: Žádní registrovaní uživatelé a 59 hostů