Please check my log..

Post by Shorty_Rasta » 05 Mar 2008 16:46

It's mainly about 'winlogon.exe'; I know it isn't a virus, but by all appearances it is infected.. it starts at system boot and uses a lot of CPU.. //in short, I want to 'ignore' it..

report:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:38:30, on 5.3.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\PROGRA~1\CA\ETRUST~1\realmon.exe
C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.cz/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
F2 - REG:system.ini: UserInit=userinit.exe,
O2 - BHO: Podpora odkazu pro Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O4 - HKLM\..\Run: [HydraVisionDesktopManager] C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKCU\..\Run: [Firewall auto setup] C:\DOCUME~1\Shorty\LOCALS~1\Temp\winlogon.exe
O4 - HKUS\S-1-5-18\..\Run: [Firewall auto setup] C:\WINDOWS\TEMP\winlogon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Firewall auto setup] C:\WINDOWS\TEMP\winlogon.exe (User 'Default user')
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E369ECCF-C0FB-44D0-A35C-BA4472DD240D}: NameServer = 62.129.50.20,85.135.32.100
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: CA License Client (CA_LIC_CLNT) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe
O23 - Service: CA License Server (CA_LIC_SRVR) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmtd.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoTask.exe
O23 - Service: Event Log Watch (LogWatch) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Plánovač úloh (Schedule) - Unknown owner - C:\WINDOWS\system32\drivers\spools.exe (file missing)
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

--
End of file - 4779 bytes

Post by Baron Prášil » 05 Mar 2008 17:33

Welcome to the PC-HELP forum :bigups: and I'll tell you straight away: I don't know where you got the information that your winlogon isn't a virus, because it is :D

That eTrust is probably just an antivirus, right, so for now check whether the Windows firewall is running (Control Panel)

and then use ComboFix

Download ComboFix (by sUBs) and save it to your desktop.
Close all active windows and run it.
- After it starts, the terms of use are displayed; confirm them by pressing the 1 key
- Then follow the instructions; while ComboFix is running, do not click into the window it shows
- After the scan completes, the program should create a log and display it; otherwise you will find it here: C:\ComboFix.txt - please paste its entire contents here + a new HijackThis log

Post by Shorty_Rasta » 05 Mar 2008 18:06

By all appearances it looks good, but please judge for yourselves anyway.. (btw: thank you..)

ComboFix 08-03-05.1 - Shorty 2008-03-05 17:44:16.1 - NTFSx86
Systém Microsoft Windows XP Professional 5.1.2600.2.1250.1.1029.18.431 [GMT 1:00]
Running from: C:\Downloads\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
ADS - svchost.exe: deleted 28672 bytes in 1 streams.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\svchost.exe
C:\WINDOWS\system32\DefLib.sys
C:\WINDOWS\system32\drivers\symavc32.sys
C:\WINDOWS\system32\tmp_024.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_CCEVTSVC
-------\LEGACY_FCI
-------\LEGACY_MSUPDATE
-------\LEGACY_SYSLIBRARY
-------\LEGACY_VQS45
-------\CcEvtSvc
-------\SysLibrary


((((((((((((((((((((((((( Files Created from 2008-02-05 to 2008-03-05 )))))))))))))))))))))))))))))))
.

2008-03-05 16:26 . 2001-08-17 21:28 771,581 --a--c--- C:\WINDOWS\system32\dllcache\winacisa.sys
2008-03-05 16:25 . 2001-08-17 21:28 794,654 --a--c--- C:\WINDOWS\system32\dllcache\usr1801.sys
2008-03-05 16:24 . 2001-10-24 12:24 495,616 --a--c--- C:\WINDOWS\system32\dllcache\sblfx.dll
2008-03-05 16:23 . 2001-10-24 12:24 86,097 --a--c--- C:\WINDOWS\system32\dllcache\reslog32.dll
2008-03-05 16:23 . 2004-08-17 15:44 79,104 --a--c--- C:\WINDOWS\system32\dllcache\rocket.sys
2008-03-05 16:23 . 2001-08-17 20:12 37,563 --a--c--- C:\WINDOWS\system32\dllcache\rlnet5.sys
2008-03-05 16:23 . 2001-08-17 20:19 30,720 --a--c--- C:\WINDOWS\system32\dllcache\rthwcls.sys
2008-03-05 16:23 . 2001-10-24 12:25 25,088 --a--c--- C:\WINDOWS\system32\dllcache\rw430ext.dll
2008-03-05 16:23 . 2001-08-17 20:12 19,017 --a--c--- C:\WINDOWS\system32\dllcache\rtl8029.sys
2008-03-05 16:23 . 2001-10-24 12:25 9,728 --a--c--- C:\WINDOWS\system32\dllcache\rsmgrstr.dll
2008-03-05 16:23 . 2001-08-17 20:19 3,840 --a--c--- C:\WINDOWS\system32\dllcache\rpfun.sys
2008-03-05 16:21 . 2004-08-17 15:45 2,017,280 --a--c--- C:\WINDOWS\system32\dllcache\ntkrpamp.exe
2008-03-05 16:20 . 2001-10-24 11:52 320,384 --a--c--- C:\WINDOWS\system32\dllcache\mgaum.sys
2008-03-05 16:19 . 2001-08-17 21:28 802,683 --a--c--- C:\WINDOWS\system32\dllcache\ltsm.sys
2008-03-05 16:18 . 2001-10-24 11:58 907,456 --a--c--- C:\WINDOWS\system32\dllcache\hcf_msft.sys
2008-03-05 16:17 . 2001-10-24 12:24 1,733,120 --a--c--- C:\WINDOWS\system32\dllcache\g400d.dll
2008-03-05 16:16 . 2001-10-24 11:52 980,034 --a--c--- C:\WINDOWS\system32\dllcache\cicap.sys
2008-03-05 16:15 . 2001-08-17 21:28 871,388 --a--c--- C:\WINDOWS\system32\dllcache\bcmdm.sys
2008-03-05 16:14 . 2001-08-17 21:28 762,780 --a--c--- C:\WINDOWS\system32\dllcache\3cwmcru.sys
2008-03-05 16:13 . 2004-08-17 15:45 2,150,400 --a--c--- C:\WINDOWS\system32\dllcache\ntkrnlmp.exe
2008-03-05 16:13 . 2001-10-24 12:24 66,048 --a--c--- C:\WINDOWS\system32\dllcache\s3legacy.dll
2008-03-05 14:10 . 2008-03-05 14:10 29 --a------ C:\WINDOWS\system32\ggwettso.tmp
2008-03-05 14:09 . 2008-03-05 14:09 167,936 --------- C:\WINDOWS\system32\drivers\Vqs45.sys
2008-02-26 18:33 . 2008-02-27 21:42 <DIR> d-------- C:\Program Files\Legacy of Kain - Defiance
2008-02-21 20:29 . 2008-02-21 20:29 <DIR> d-------- C:\Program Files\FLVPlayer
2008-02-17 20:01 . 2008-02-17 20:01 <DIR> d--hs---- C:\found.000
2008-02-15 19:23 . 2008-01-04 00:05 <DIR> d--h----- C:\Documents and Settings\Internet ONLY\Šablony
2008-02-15 19:23 . 2008-02-27 23:40 <DIR> d-------- C:\Documents and Settings\Internet ONLY\Plocha
2008-02-15 19:23 . 2007-03-04 02:52 <DIR> d--h----- C:\Documents and Settings\Internet ONLY\Okolní tiskárny
2008-02-15 19:23 . 2007-03-04 02:52 <DIR> d--h----- C:\Documents and Settings\Internet ONLY\Okolní síť
2008-02-15 19:23 . 2008-02-15 19:24 <DIR> dr------- C:\Documents and Settings\Internet ONLY\Oblíbené položky
2008-02-15 19:23 . 2007-03-04 02:52 <DIR> dr------- C:\Documents and Settings\Internet ONLY\Nabídka Start
2008-02-15 19:23 . 2008-02-27 23:39 <DIR> dr------- C:\Documents and Settings\Internet ONLY\Dokumenty
2008-02-15 19:23 . 2008-02-25 10:39 <DIR> dr-h----- C:\Documents and Settings\Internet ONLY\Data aplikací
2008-02-06 17:30 . 2008-02-06 17:30 <DIR> d-------- C:\Program Files\AimOne Video Converter
2008-02-06 17:30 . 2008-02-06 17:50 56 --a------ C:\WINDOWS\VideoConvert.INI
2008-02-06 15:23 . 2008-03-05 14:09 <DIR> d-------- C:\Program Files\QIP Infium

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-29 14:06 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-11 22:34 --------- d-----w C:\Program Files\IrfanView
2008-02-01 12:57 --------- d-----w C:\Program Files\World of Warcraft
2008-01-31 18:25 --------- d-----w C:\Program Files\ABC
2008-01-22 16:11 --------- d-----w C:\Program Files\Trend Micro
2008-01-19 09:39 --------- d-----w C:\Program Files\Zaklínač
2008-01-17 16:56 278,984 ----a-w C:\WINDOWS\system32\drivers\atksgt.sys
2008-01-17 16:56 25,416 ----a-w C:\WINDOWS\system32\drivers\lirsgt.sys
2008-01-13 14:48 --------- d-----w C:\Program Files\Common Files\Ahead
2008-01-13 14:48 --------- d-----w C:\Program Files\Ahead
2008-01-13 14:47 --------- d-----w C:\Program Files\Common Files\Nero
2008-01-09 21:51 --------- d-----w C:\Program Files\OpenOffice.org 2.3
2008-01-09 16:50 --------- d-----w C:\Program Files\Common Files\Blizzard Entertainment
2008-01-09 16:39 --------- d-----w C:\Program Files\Warcraft III
2008-01-08 22:40 --------- d-----w C:\Program Files\Hamachi
2008-01-08 22:39 25,280 ----a-w C:\WINDOWS\system32\drivers\hamachi.sys
2008-01-08 22:13 --------- d-----w C:\Program Files\Steam
2008-01-08 22:06 --------- d-----w C:\Program Files\ATI Technologies
2008-01-08 22:01 --------- d-----w C:\Program Files\7-12_xp32_dd_ccc_wdm_enu_55811
2008-01-08 21:21 139,264 ----a-w C:\WINDOWS\War3Unin.exe
2008-01-06 13:19 --------- d-----w C:\Program Files\EasyPHP 2.0b1
2008-01-05 17:06 --------- d-----w C:\Program Files\ACE Mega CoDecS Pack
2008-01-05 00:15 --------- d-----w C:\Program Files\Lavasoft
2008-01-04 01:23 737,280 ----a-w C:\WINDOWS\iun6002.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Realtime Monitor"="C:\PROGRA~1\CA\ETRUST~1\realmon.exe" [2003-02-13 10:25 493024]
"HydraVisionDesktopManager"="C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe" [2003-09-15 21:00 270336]
"SoundMan"="SOUNDMAN.EXE" [2006-08-03 05:12 577536 C:\WINDOWS\soundman.exe]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 12:35 90112]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Firewall auto setup"="C:\WINDOWS\TEMP\winlogon.exe" [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\autoload]
C:\Documents and Settings\Shorty\Local Settings\Application Data\cftmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Firewall auto setup]
--------- 2008-03-05 14:09 39424 C:\DOCUME~1\Shorty\LOCALS~1\Temp\winlogon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2005-05-11 23:12 49152 C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Local Security Authority Service]
C:\WINDOWS\System32\Isass.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MicroSoft ssadsadas3s1]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Nod32 Service]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nTrayFw]
--a------ 2005-09-30 14:04 270336 C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ntuser]
C:\WINDOWS\system32\drivers\spools.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-01-05 18:06 98304 C:\WINDOWS\system32\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
C:\Program Files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Messenger"=2 (0x2)
"ERSvc"=2 (0x2)
"Alerter"=3 (0x3)
"wscsvc"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"C:\\Program Files\\Avant Browser\\avant.exe"=
"C:\\Program Files\\Warcraft III\\Warcraft III.exe"=
"C:\\Program Files\\Hamachi\\hamachi.exe"=
"C:\\Program Files\\World of Warcraft\\Repair.exe"=
"C:\\Program Files\\ABC\\abc.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\WINDOWS\\system32\\rundll32.exe"=
"C:\\Program Files\\QIP Infium\\infium.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"16023:TCP"= 16023:TCP:BitComet 16023 TCP
"16023:UDP"= 16023:UDP:BitComet 16023 UDP

R2 LogWatch;Event Log Watch;"C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe" [2002-09-20 17:29]
R3 PSched;Plánovač paketů technologie QoS;C:\WINDOWS\system32\DRIVERS\psched.sys [2004-08-03 23:04]
S3 CA_LIC_CLNT;CA License Client;"C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe" [2002-09-20 17:27]
S3 CA_LIC_SRVR;CA License Server;"C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmtd.exe" [2002-09-20 17:41]

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-05 17:47:44
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\PROGRA~1\CA\SHARED~1\SCANEN~1\InoDist.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
.
**************************************************************************
.
Completion time: 2008-03-05 17:49:57 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-05 16:49:54

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:55:29, on 5.3.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\PROGRA~1\CA\ETRUST~1\realmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.cz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
O2 - BHO: Podpora odkazu pro Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O4 - HKLM\..\Run: [HydraVisionDesktopManager] C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKUS\S-1-5-18\..\Run: [Firewall auto setup] C:\WINDOWS\TEMP\winlogon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Firewall auto setup] C:\WINDOWS\TEMP\winlogon.exe (User 'Default user')
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E369ECCF-C0FB-44D0-A35C-BA4472DD240D}: NameServer = 62.129.50.20,85.135.32.100
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: CA License Client (CA_LIC_CLNT) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe
O23 - Service: CA License Server (CA_LIC_SRVR) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmtd.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoTask.exe
O23 - Service: Event Log Watch (LogWatch) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

--
End of file - 4912 bytes
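The pattern the responder is pointing at, a core Windows binary name (winlogon.exe) autostarting from a Temp directory, and the near-miss names in the ComboFix output above (Isass.exe for lsass.exe, spools.exe for spoolsv.exe, cftmon.exe for ctfmon.exe), can be checked mechanically instead of by eye. The Python script below is an added example and is not part of this thread, of HijackThis or of ComboFix: it parses HijackThis O4 lines, compares each executable's name and directory against a small table of XP system binaries (the table and the temp-directory rule are the example's own assumptions), and flags an exact system-binary name outside its home directory, a name within one edit of a system binary, and anything launched from a Temp folder. The sample lines are constructed from paths in the logs above; the three msconfig startupreg entries from the ComboFix log are rewritten in O4 form so they go through the same parser.

```python
import re
from pathlib import PureWindowsPath

# Core Windows XP binaries and the directory each is expected to load from (lower-case).
# This table and the temp-directory rule further down are the example's own assumptions,
# not something HijackThis or ComboFix ship.
SYSTEM_BINARIES = {
    "smss.exe": r"c:\windows\system32",
    "csrss.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "spoolsv.exe": r"c:\windows\system32",
    "userinit.exe": r"c:\windows\system32",
    "ctfmon.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}

# "O4 - <hive>: [<label>] <command>" is how HijackThis prints autostart entries.
O4_RE = re.compile(r"^O4 - (?P<hive>.+?): \[(?P<label>[^\]]*)\] (?P<cmd>.*)$")
# First token ending in .exe, quoted or not (HijackThis leaves paths with spaces unquoted);
# trailing arguments such as "-s" or "(User 'SYSTEM')" are dropped.
EXE_RE = re.compile(r'^"?(?P<path>.*?\.exe)"?(?=\s|$)', re.IGNORECASE)

# Constructed sample: paths taken from the HijackThis and ComboFix logs in this thread; the
# last three are msconfig startupreg entries from the ComboFix output rewritten as O4 lines.
SAMPLE_O4_LINES = [
    r"O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s",
    r'O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"',
    r"O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE",
    r"O4 - HKCU\..\Run: [Firewall auto setup] C:\DOCUME~1\Shorty\LOCALS~1\Temp\winlogon.exe",
    r"O4 - HKUS\S-1-5-18\..\Run: [Firewall auto setup] C:\WINDOWS\TEMP\winlogon.exe (User 'SYSTEM')",
    r"O4 - HKLM\..\Run: [Local Security Authority Service] C:\WINDOWS\System32\Isass.exe",
    r"O4 - HKLM\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe",
    r"O4 - HKLM\..\Run: [autoload] C:\Documents and Settings\Shorty\Local Settings\Application Data\cftmon.exe",
]


def osa_distance(a, b):
    """Optimal string alignment distance: insert/delete/substitute plus adjacent swap,
    so cftmon/ctfmon (swap) and Isass/lsass (one substitution) both score 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def parse_o4(line):
    """Split one O4 line into hive, label and the executable's name and directory.
    Returns None for lines that are not O4 entries or that carry no .exe."""
    m = O4_RE.match(line.strip())
    if m is None:
        return None
    e = EXE_RE.match(m["cmd"])
    if e is None:
        return None
    path = PureWindowsPath(e["path"])
    # A bare file name (SOUNDMAN.EXE) is resolved via the search path; its directory is unknown.
    directory = str(path.parent).lower() if len(path.parts) > 1 else ""
    return {"hive": m["hive"], "label": m["label"], "path": str(path),
            "name": path.name.lower(), "directory": directory}


def assess(entry):
    """Return the reasons an autostart entry deserves a closer look (empty list if none)."""
    findings = []
    name, directory = entry["name"], entry["directory"]
    stem = name[:-4]  # drop ".exe"
    if name in SYSTEM_BINARIES:
        # Right name, wrong place: winlogon.exe belongs in system32, not in a Temp folder.
        home = SYSTEM_BINARIES[name]
        if directory and directory != home:
            findings.append(f"system binary name outside {home}")
    else:
        # Near-miss names: Isass/lsass (I for l), spools/spoolsv, cftmon/ctfmon (swapped letters).
        for real in SYSTEM_BINARIES:
            if osa_distance(stem, real[:-4]) == 1:
                findings.append(f"lookalike of {real}")
    # Nothing that should autostart lives in a temp directory (assumed rule).
    parents = PureWindowsPath(entry["path"]).parts[:-1]
    if any(part.lower() in ("temp", "tmp") for part in parents):
        findings.append("runs from a temp directory")
    return findings


def scan(lines):
    """Return the O4 entries that trip at least one check, in log order."""
    report = []
    for line in lines:
        entry = parse_o4(line)
        if entry is None:
            continue
        findings = assess(entry)
        if findings:
            report.append({"label": entry["label"], "path": entry["path"], "findings": findings})
    return report


if __name__ == "__main__":
    for hit in scan(SAMPLE_O4_LINES):
        print(f"[{hit['label']}] {hit['path']}: " + "; ".join(hit["findings"]))
```

A hit is a reason to look, not a verdict: the real C:\WINDOWS\system32\winlogon.exe in the process list passes all three checks, and the distance-1 rule would also catch a vendor's own oddly named file, so confirm with the file's size, timestamp and a scan before deleting anything, as the thread does with ComboFix.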

Post by Baron Prášil » 05 Mar 2008 18:28

Open Notepad (Start -> Run... type Notepad into the box and click OK)
Copy the following text into it:

Code:

File::
C:\WINDOWS\TEMP\winlogon.exe
C:\WINDOWS\iun6002.exe
C:\Documents and Settings\Shorty\Local Settings\Application Data\cftmon.exe
C:\DOCUME~1\Shorty\LOCALS~1\Temp\winlogon.exe
C:\WINDOWS\System32\Isass.exe

Registry::
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Firewall auto setup"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Firewall auto setup]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Local Security Authority Service]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MicroSoft ssadsadas3s1] 
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Nod32 Service]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wscsvc"=-

Choose File -> Save As... and set these parameters:
File name: type: CFScript.txt
Save as type: select All Files
Save the file to the desktop.
Close all active windows.
Drag the CFScript.txt you created onto the downloaded ComboFix.exe with the mouse and, when the two files overlap, drop the script
- ComboFix starts automatically
- Paste here the log that appears at the end of the cleaning process + a new HijackThis log + info on how the computer behaves
.......................................
(what about the firewall?)

Post by Shorty_Rasta » 05 Mar 2008 18:43

The firewall is on, all OK. State of the PC? I'm noticing slower responses, and internet speed is reduced too.., but that will be a different problem; I use Ad-Aware and Spybot, I'll run a check..

report:

ComboFix 08-03-05.1 - Shorty 2008-03-05 18:30:48.2 - NTFSx86
Systém Microsoft Windows XP Professional 5.1.2600.2.1250.1.1029.18.481 [GMT 1:00]
Running from: C:\Documents and Settings\Shorty\Plocha\ComboFix.exe
Command switches used :: C:\Documents and Settings\Shorty\Plocha\CFScript.txt

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\DOCUME~1\Shorty\LOCALS~1\Temp\winlogon.exe
C:\Documents and Settings\Shorty\Local Settings\Application Data\cftmon.exe
C:\WINDOWS\iun6002.exe
C:\WINDOWS\System32\Isass.exe
C:\WINDOWS\TEMP\winlogon.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\iun6002.exe
C:\WINDOWS\system32\drivers\Vqs45.sys

.
((((((((((((((((((((((((( Files Created from 2008-02-05 to 2008-03-05 )))))))))))))))))))))))))))))))
.

2008-03-05 16:25 . 2001-08-17 21:28 794,654 --a--c--- C:\WINDOWS\system32\dllcache\usr1801.sys
2008-03-05 16:24 . 2001-10-24 12:24 495,616 --a--c--- C:\WINDOWS\system32\dllcache\sblfx.dll
2008-03-05 16:23 . 2001-10-24 12:24 86,097 --a--c--- C:\WINDOWS\system32\dllcache\reslog32.dll
2008-03-05 16:23 . 2004-08-17 15:44 79,104 --a--c--- C:\WINDOWS\system32\dllcache\rocket.sys
2008-03-05 16:23 . 2001-08-17 20:12 37,563 --a--c--- C:\WINDOWS\system32\dllcache\rlnet5.sys
2008-03-05 16:23 . 2001-08-17 20:19 30,720 --a--c--- C:\WINDOWS\system32\dllcache\rthwcls.sys
2008-03-05 16:23 . 2001-10-24 12:25 25,088 --a--c--- C:\WINDOWS\system32\dllcache\rw430ext.dll
2008-03-05 16:23 . 2001-08-17 20:12 19,017 --a--c--- C:\WINDOWS\system32\dllcache\rtl8029.sys
2008-03-05 16:23 . 2001-10-24 12:25 9,728 --a--c--- C:\WINDOWS\system32\dllcache\rsmgrstr.dll
2008-03-05 16:23 . 2001-08-17 20:19 3,840 --a--c--- C:\WINDOWS\system32\dllcache\rpfun.sys
2008-03-05 16:21 . 2004-08-17 15:45 2,017,280 --a--c--- C:\WINDOWS\system32\dllcache\ntkrpamp.exe
2008-03-05 16:20 . 2001-10-24 11:52 320,384 --a--c--- C:\WINDOWS\system32\dllcache\mgaum.sys
2008-03-05 16:19 . 2001-08-17 21:28 802,683 --a--c--- C:\WINDOWS\system32\dllcache\ltsm.sys
2008-03-05 16:18 . 2001-10-24 11:58 907,456 --a--c--- C:\WINDOWS\system32\dllcache\hcf_msft.sys
2008-03-05 16:17 . 2001-10-24 12:24 1,733,120 --a--c--- C:\WINDOWS\system32\dllcache\g400d.dll
2008-03-05 16:16 . 2001-10-24 11:52 980,034 --a--c--- C:\WINDOWS\system32\dllcache\cicap.sys
2008-03-05 16:15 . 2001-08-17 21:28 871,388 --a--c--- C:\WINDOWS\system32\dllcache\bcmdm.sys
2008-03-05 16:14 . 2001-08-17 21:28 762,780 --a--c--- C:\WINDOWS\system32\dllcache\3cwmcru.sys
2008-03-05 16:13 . 2004-08-17 15:45 2,150,400 --a--c--- C:\WINDOWS\system32\dllcache\ntkrnlmp.exe
2008-03-05 16:13 . 2001-10-24 12:24 66,048 --a--c--- C:\WINDOWS\system32\dllcache\s3legacy.dll
2008-03-05 14:10 . 2008-03-05 14:10 29 --a------ C:\WINDOWS\system32\ggwettso.tmp
2008-02-26 18:33 . 2008-02-27 21:42 <DIR> d-------- C:\Program Files\Legacy of Kain - Defiance
2008-02-21 20:29 . 2008-02-21 20:29 <DIR> d-------- C:\Program Files\FLVPlayer
2008-02-17 20:01 . 2008-02-17 20:01 <DIR> d--hs---- C:\found.000
2008-02-15 19:24 . 2008-02-15 19:24 <DIR> d-------- C:\Documents and Settings\Internet ONLY\Data aplikací\Avant Profiles
2008-02-15 19:24 . 2008-02-15 19:24 <DIR> d-------- C:\Documents and Settings\Internet ONLY\Data aplikací\ATI
2008-02-15 19:23 . 2008-02-27 23:40 <DIR> d-------- C:\Documents and Settings\Internet ONLY\Plocha
2008-02-15 19:23 . 2007-03-04 02:52 <DIR> d--h----- C:\Documents and Settings\Internet ONLY\Okolní tiskárny
2008-02-15 19:23 . 2007-03-04 02:52 <DIR> d--h----- C:\Documents and Settings\Internet ONLY\Okolní síť
2008-02-15 19:23 . 2008-02-15 19:24 <DIR> dr------- C:\Documents and Settings\Internet ONLY\Oblíbené položky
2008-02-15 19:23 . 2008-01-04 00:05 <DIR> d--h----- C:\Documents and Settings\Internet ONLY\Šablony
2008-02-15 19:23 . 2007-03-04 02:52 <DIR> dr------- C:\Documents and Settings\Internet ONLY\Nabídka Start
2008-02-15 19:23 . 2008-02-27 23:39 <DIR> dr------- C:\Documents and Settings\Internet ONLY\Dokumenty
2008-02-15 19:23 . 2008-02-25 10:39 <DIR> dr-h----- C:\Documents and Settings\Internet ONLY\Data aplikací
2008-02-06 17:30 . 2008-02-06 17:30 <DIR> d-------- C:\Program Files\AimOne Video Converter
2008-02-06 17:30 . 2008-02-06 17:50 56 --a------ C:\WINDOWS\VideoConvert.INI
2008-02-06 15:23 . 2008-03-05 14:09 <DIR> d-------- C:\Program Files\QIP Infium

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-05 13:09 14,336 ----a-w C:\WINDOWS\system32\svchost.exe
2008-02-29 14:06 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-28 12:52 --------- d-----w C:\Documents and Settings\Shorty\Data aplikací\OpenOffice.org2
2008-02-11 22:34 --------- d-----w C:\Program Files\IrfanView
2008-02-01 12:57 --------- d-----w C:\Program Files\World of Warcraft
2008-01-31 18:25 --------- d-----w C:\Program Files\ABC
2008-01-22 16:11 --------- d-----w C:\Program Files\Trend Micro
2008-01-19 09:39 --------- d-----w C:\Program Files\Zaklínač
2008-01-17 16:56 278,984 ----a-w C:\WINDOWS\system32\drivers\atksgt.sys
2008-01-17 16:56 25,416 ----a-w C:\WINDOWS\system32\drivers\lirsgt.sys
2008-01-13 14:48 --------- d-----w C:\Program Files\Common Files\Ahead
2008-01-13 14:48 --------- d-----w C:\Program Files\Ahead
2008-01-13 14:47 --------- d-----w C:\Program Files\Common Files\Nero
2008-01-13 08:49 --------- d-----w C:\Documents and Settings\Shorty\Data aplikací\.ABC
2008-01-10 14:01 --------- d-----w C:\Documents and Settings\Shorty\Data aplikací\Hamachi
2008-01-09 21:51 --------- d-----w C:\Program Files\OpenOffice.org 2.3
2008-01-09 16:50 --------- d-----w C:\Program Files\Common Files\Blizzard Entertainment
2008-01-09 16:39 --------- d-----w C:\Program Files\Warcraft III
2008-01-08 22:40 --------- d-----w C:\Program Files\Hamachi
2008-01-08 22:39 25,280 ----a-w C:\WINDOWS\system32\drivers\hamachi.sys
2008-01-08 22:13 --------- d-----w C:\Program Files\Steam
2008-01-08 22:09 --------- d-----w C:\Documents and Settings\Shorty\Data aplikací\ATI
2008-01-08 22:09 --------- d-----w C:\Documents and Settings\All Users\Data aplikací\ATI
2008-01-08 22:06 --------- d-----w C:\Program Files\ATI Technologies
2008-01-08 22:01 --------- d-----w C:\Program Files\7-12_xp32_dd_ccc_wdm_enu_55811
2008-01-08 21:21 139,264 ----a-w C:\WINDOWS\War3Unin.exe
2008-01-06 21:50 --------- d-----w C:\Documents and Settings\Shorty\Data aplikací\Nero
2008-01-06 13:19 --------- d-----w C:\Program Files\EasyPHP 2.0b1
2008-01-05 17:06 98,304 ----a-w C:\WINDOWS\system32\qttask.exe
2008-01-05 17:06 --------- d-----w C:\Program Files\ACE Mega CoDecS Pack
2008-01-05 00:15 --------- d-----w C:\Program Files\Lavasoft
2008-01-05 00:15 --------- d-----w C:\Documents and Settings\Shorty\Data aplikací\Lavasoft
2008-01-03 23:44 20,819 ----a-w C:\WINDOWS\system32\yukuvhfy.exe
2008-01-03 23:30 20,819 ----a-w C:\WINDOWS\system32\ihjdx.exe
2008-01-03 23:21 20,819 ----a-w C:\WINDOWS\system32\lpzgf.exe
2007-12-05 13:17 593,920 ------w C:\WINDOWS\system32\ati2sgag.exe
2007-12-05 03:05 368,640 ----a-w C:\WINDOWS\system32\ATIDEMGX.dll
2007-12-05 03:04 269,312 ----a-w C:\WINDOWS\system32\ati2dvag.dll
2007-12-05 02:56 147,456 ----a-w C:\WINDOWS\system32\atipdlxx.dll
2007-12-05 02:55 43,520 ----a-w C:\WINDOWS\system32\ati2edxx.dll
2007-12-05 02:55 26,112 ----a-w C:\WINDOWS\system32\Ati2mdxx.exe
2007-12-05 02:55 122,880 ----a-w C:\WINDOWS\system32\Oemdspif.dll
2007-12-05 02:55 122,880 ----a-w C:\WINDOWS\system32\ati2evxx.dll
2007-12-05 02:54 307,200 ----a-w C:\WINDOWS\system32\atiiiexx.dll
2007-12-05 02:53 53,248 ----a-w C:\WINDOWS\system32\ATIDDC.DLL
2007-12-05 02:53 495,616 ----a-w C:\WINDOWS\system32\ati2evxx.exe
2007-12-05 02:48 9,535,488 ----a-w C:\WINDOWS\system32\atioglx2.dll
2007-12-05 02:44 3,175,584 ----a-w C:\WINDOWS\system32\ati3duag.dll
2007-12-05 02:33 1,640,192 ----a-w C:\WINDOWS\system32\ativvaxx.dll
2007-12-05 02:19 5,435,392 ----a-w C:\WINDOWS\system32\atioglxx.dll
2007-12-05 02:19 385,024 ----a-w C:\WINDOWS\system32\atikvmag.dll
2007-12-05 02:17 17,408 ----a-w C:\WINDOWS\system32\atitvo32.dll
2007-12-05 02:14 180,224 ----a-w C:\WINDOWS\system32\atiok3x2.dll
2007-12-05 02:11 499,712 ----a-w C:\WINDOWS\system32\ati2cqag.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Realtime Monitor"="C:\PROGRA~1\CA\ETRUST~1\realmon.exe" [2003-02-13 10:25 493024]
"HydraVisionDesktopManager"="C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe" [2003-09-15 21:00 270336]
"SoundMan"="SOUNDMAN.EXE" [2006-08-03 05:12 577536 C:\WINDOWS\soundman.exe]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 12:35 90112]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\autoload]
C:\Documents and Settings\Shorty\Local Settings\Application Data\cftmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2005-05-11 23:12 49152 C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nTrayFw]
--a------ 2005-09-30 14:04 270336 C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ntuser]
C:\WINDOWS\system32\drivers\spools.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-01-05 18:06 98304 C:\WINDOWS\system32\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
C:\Program Files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Messenger"=2 (0x2)
"ERSvc"=2 (0x2)
"Alerter"=3 (0x3)
"wuauserv"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"C:\\Program Files\\Avant Browser\\avant.exe"=
"C:\\Program Files\\Warcraft III\\Warcraft III.exe"=
"C:\\Program Files\\Hamachi\\hamachi.exe"=
"C:\\Program Files\\World of Warcraft\\Repair.exe"=
"C:\\Program Files\\ABC\\abc.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\WINDOWS\\system32\\rundll32.exe"=
"C:\\Program Files\\QIP Infium\\infium.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"16023:TCP"= 16023:TCP:BitComet 16023 TCP
"16023:UDP"= 16023:UDP:BitComet 16023 UDP

R2 LogWatch;Event Log Watch;"C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe" [2002-09-20 17:29]
R3 PSched;Plánovač paketů technologie QoS;C:\WINDOWS\system32\DRIVERS\psched.sys [2004-08-03 23:04]
S3 CA_LIC_CLNT;CA License Client;"C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe" [2002-09-20 17:27]
S3 CA_LIC_SRVR;CA License Server;"C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmtd.exe" [2002-09-20 17:41]

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-05 18:32:12
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-03-05 18:32:41
ComboFix-quarantined-files.txt 2008-03-05 17:32:33

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:39:50, on 5.3.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\PROGRA~1\CA\ETRUST~1\realmon.exe
C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Avant Browser\avant.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.cz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
O2 - BHO: Podpora odkazu pro Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O4 - HKLM\..\Run: [HydraVisionDesktopManager] C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E369ECCF-C0FB-44D0-A35C-BA4472DD240D}: NameServer = 62.129.50.20,85.135.32.100
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: CA License Client (CA_LIC_CLNT) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe
O23 - Service: CA License Server (CA_LIC_SRVR) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmtd.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoTask.exe
O23 - Service: Event Log Watch (LogWatch) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

--
End of file - 4778 bytes

Post by Baron Prášil » 05 Mar 2008 19:27

C:\Documents and Settings\Shorty\Local Settings\Application Data\cftmon.exe
have this one checked and post the results
http://www.virustotal.com/flash/index_en.html
don't use "Browse"; paste the full path to the file (the one marked in bold) into the box with Ctrl+C > Ctrl+V

what I mainly wanted to know about the firewall is whether it happens to be included in that eTrust; if not,
install a proper firewall
pick one here, I recommend ZoneAlarm or Comodo
guide for ZA http://www.kn.vutbr.cz/docs/conf/zonealarm/
for Comodo http://www.nforce.cz/modules.php?name=N ... cle&sid=18

clean the system with CCleaner and RegCleaner
use T-Cleaner, it removes everything left behind by Combo, SDFix, Avenger, MWAV etc.: download > run

in Spybot, turn on the resident shields
Mode > Advanced > Tools > Resident, and tick both

and write back how it went, what reports what and so on :wink:
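The reply above singles out one autostart entry (cftmon.exe under the user's Local Settings\Application Data) for an online scan. The script below is an added example, not code from this thread, from HijackThis or from ComboFix. It applies a few defender-side triage heuristics to autostart lines copied from the logs posted in this thread: an executable launched from a user-profile data directory, an executable sitting in system32\drivers (which should only hold .sys files), a core system binary name found outside System32, and a file name within two edits of a core Windows binary name. The SYSTEM_BINARIES list, the two-edit threshold and the directory checks are assumptions of this example, not rules stated on the page; what the script produces is a worklist for exactly the kind of VirusTotal or AV check the reply asks for, not a verdict on any file.

```python
"""Triage heuristics for autostart entries taken from a HijackThis / ComboFix log.

Added example for this thread; not part of HijackThis, ComboFix or the reply above.
"""
import ntpath
import re

# Constructed sample: O4 lines and msconfig\startupreg paths copied from the logs
# posted in this thread.
SAMPLE_ENTRIES = r"""
O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
C:\Documents and Settings\Shorty\Local Settings\Application Data\cftmon.exe
--a------ 2005-05-11 23:12 49152 C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\drivers\spools.exe
--a------ 2008-01-05 18:06 98304 C:\WINDOWS\system32\qttask.exe
C:\Program Files\Winamp\winampa.exe
"""

# Assumed list of core Windows XP binaries whose names are commonly imitated.
SYSTEM_BINARIES = ("ctfmon.exe", "spoolsv.exe", "svchost.exe", "lsass.exe",
                   "winlogon.exe", "services.exe", "smss.exe", "csrss.exe")

# First full path (possibly quoted, possibly followed by arguments) or bare
# file name ending in .exe on a log line.
EXE_RE = re.compile(r'(?i)(?:[a-z]:\\[^"]*?\.exe|\b[\w.-]+\.exe)\b')


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance (insert/delete/substitute), used to spot look-alike names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def extract_exe(line: str):
    """Return the executable path or name referenced on a log line, or None."""
    m = EXE_RE.search(line)
    return m.group(0) if m else None


def reasons_for(path: str) -> list:
    """Heuristic reasons (assumed, see lead-in) why an autostart path deserves a look."""
    p = path.lower()
    name = ntpath.basename(p)
    reasons = []
    # Autostarts normally live in Program Files or %SystemRoot%, not in profile data dirs
    # ("Data aplikací" is the Czech-localized "Application Data" seen in this log).
    if "\\documents and settings\\" in p and (
            "\\application data\\" in p or "\\data aplikací\\" in p):
        reasons.append("executable started from a user-profile data directory")
    if "\\system32\\drivers\\" in p:
        reasons.append("executable in the drivers directory (should hold .sys files)")
    if name in SYSTEM_BINARIES and "\\system32\\" not in p:
        reasons.append("system binary name outside System32")
    for known in SYSTEM_BINARIES:
        d = levenshtein(name, known)
        if 0 < d <= 2:
            reasons.append(f"name is {d} edit(s) away from {known}")
    return reasons


def triage(log_text: str) -> dict:
    """Map each flagged executable to its reasons; unflagged entries are omitted."""
    findings = {}
    for line in log_text.splitlines():
        exe = extract_exe(line)
        if exe:
            why = reasons_for(exe)
            if why:
                findings[exe] = why
    return findings


if __name__ == "__main__":
    for exe, why in triage(SAMPLE_ENTRIES).items():
        print(exe)
        for w in why:
            print("   -", w)
```

Run against the sample, only the two entries that imitate a system binary name while living in an unusual directory come out; the ATI, CA, HP, QuickTime and Winamp entries pass every check. The same heuristics apply unchanged to any other O4 or startupreg list pasted into SAMPLE_ENTRIES.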

Re:

Post by Shorty_Rasta » 05 Mar 2008 21:35

okay, thanks a lot for now..

