Please check my log [Solved]

A place for your HijackThis logs and logs from other programs…

Moderators: Mods_senior, Security team

štefy
Level 2
Posts: 214
Registered: March 08
Location: South Bohemia
Gender: Male
Status: Offline

Please check my log [Solved]

Post by štefy » 19 Mar 2008 18:58

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:42:26, on 19.3.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\drivers\spools.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\LXSUPMON.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\drivers\spools.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\oodag.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\FirefoxPortable\App\firefox\firefox.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.icq.com/search/search_frame.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://google.icq.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.atlas.cz/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,
O2 - BHO: GNX Rolex - {0D504883-70CA-48BD-A282-639753D3B0CE} - C:\WINDOWS\drnpfdxwlv.dll
O2 - BHO: e404 helper - {C03FD59D-9104-44B7-929A-9EAA0BA05211} - (no file)
O3 - Toolbar: (no name) - {70DE7956-479D-4eb7-8641-2B45774C350E} - (no file)
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\system32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKLM\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
O4 - HKLM\..\Run: [iftcprom] rundll32.exe "C:\WINDOWS\TEMP\webqoho.drv" WLEntryPoint
O4 - HKLM\..\Run: [autoload] C:\Documents and Settings\LocalService\Local Settings\Application Data\cftmon.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
O4 - HKCU\..\Run: [autoload] C:\Documents and Settings\uživatel\Local Settings\Application Data\cftmon.exe
O4 - HKLM\..\Policies\Explorer\Run: [mtsfjdbl] rundll32.exe "C:\WINDOWS\system32\msdgjmlof.dll" WLEntryPoint
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe (User 'Default user')
O4 - Global Startup: Avast!.lnk = C:\Program Files\Avast4\ashDisp.exe
O8 - Extra context menu item: Add to AMV Convert Tool... - C:\Program Files\MP3 Player Utilities 4.00\AMVConverter\grab.html
O8 - Extra context menu item: Add to AMV Converter... - C:\Program Files\MP3 Player Utilities 4.05\AMVConverter\grab.html
O8 - Extra context menu item: E&xportovat do aplikace Microsoft Office Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: MediaManager tool grab multimedia file - C:\Program Files\MP3 Player Utilities 4.05\MediaManager\grab.html
O9 - Extra button: Zdroje informací - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: ritgrqt - C:\WINDOWS\SYSTEM32\ritgrqt.dll
O21 - SSODL: AlrtCheck - {13afa401-7cca-4be8-94d0-928c31546ba8} - C:\WINDOWS\Installer\{13afa401-7cca-4be8-94d0-928c31546ba8}\AlrtCheck.dll
O21 - SSODL: altvxvm - {22554F41-F6C4-414D-89DE-D1C1664B1452} - C:\WINDOWS\altvxvm.dll
O21 - SSODL: bokpkov - {11C5B193-5C3D-413D-A388-5357050E6F5B} - (no file)
O21 - SSODL: zip - {5942f2a5-65f6-4236-b2c7-7164b4a182c2} - C:\WINDOWS\Installer\{5942f2a5-65f6-4236-b2c7-7164b4a182c2}\zip.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - rundll32.exe (file missing)
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: Plánovač úloh (Schedule) - Unknown owner - C:\WINDOWS\system32\drivers\spools.exe
O24 - Desktop Component 0: (no name) - file:///C:/WINDOWS/Help/Tours/htmlTour/intro_logo.jpg
O24 - Desktop Component 1: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm

--
End of file - 6588 bytes
HP ProBook 450 G6

fredik
Security team member
Master Level 7
Posts: 4680
Registered: July 06
Gender: Male
Status: Offline

Re: Please check my log

Post by fredik » 19 Mar 2008 19:00

Welcome to the forum

Download SDFix
- Run it and it extracts itself to the drive where Windows is installed (typically C:\SDfix)
- Then restart the PC into Safe Mode (choose: Safe Mode, not Safe Mode with Networking)
- Open the folder where SDFix was extracted and run the file RunThis.bat; that starts the program.
* Then press the Y key and then Enter to start the cleaning process.
* To finish the check you will be prompted to press any key, and the computer will restart.
* While the operating system boots, the program starts again and finishes the cleaning process. When Finish appears, you will need to press any key when prompted; that closes the program and the desktop icons appear
- Once the desktop icons have finished loading, the SDFix log opens on screen and is also saved in the folder where SDFix was extracted, as the file Report.txt
Then paste its contents here + a new log from HJT
It may take a while to get a response, because the "HJT Team" are very busy. Please, be patient, these people are volunteers. They will help you out, as soon as possible.
If you have a problem, do not send me PMs with logs; post them in the forum. Such PMs cannot be answered


Post by štefy » 19 Mar 2008 19:30

here it is
Last edited by štefy on 19 Mar 2008 20:03, edited 1 time in total.


Re: Please check my log

Post by štefy » 19 Mar 2008 20:02

R-E-P-O-R-T.TXT

SDFix: Version 1.159

Run by uživatel on st 19.03.2008 at 19:46

Microsoft Windows XP [Verze 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Windows Registry Values
Restoring Windows Default Hosts File
Restoring Default HomePage Value
Restoring Default Desktop Components Value
Restoring Default Schedule Service Path

Rebooting


Checking Files :

Trojan Files Found:

C:\WINDOWS\Installer\{13afa401-7cca-4be8-94d0-928c31546ba8}\AlrtCheck.dll - Deleted
C:\WINDOWS\Installer\{5942f2a5-65f6-4236-b2c7-7164b4a182c2}\zip.dll - Deleted
C:\WINDOWS\privacy_danger\index.htm - Deleted
C:\WINDOWS\privacy_danger\images\capt.gif - Deleted
C:\WINDOWS\privacy_danger\images\danger.jpg - Deleted
C:\WINDOWS\privacy_danger\images\down.gif - Deleted
C:\WINDOWS\privacy_danger\images\spacer.gif - Deleted
C:\WINDOWS\drnpfdxwlv.dll - Deleted
C:\Program Files\tmp0.exe - Deleted
C:\DOCUME~1\UIVATE~1\LOCALS~1\Temp\ac8zt2.dat - Deleted
C:\WINDOWS\altvxvm.dll - Deleted
C:\WINDOWS\fmsxwqs.exe - Deleted
C:\WINDOWS\rs.txt - Deleted
C:\WINDOWS\system32\diperto.ini - Deleted
C:\WINDOWS\system32\svcp.csv - Deleted
C:\WINDOWS\system32\winsub.xml - Deleted
C:\WINDOWS\help\pzqlp.chm - Deleted
C:\WINDOWS\system32\drivers\ndisaluo.sys - Deleted
C:\WINDOWS\system32\drivers\spools.exe - Deleted
C:\WINDOWS\system32\ntos.exe - Deleted
C:\WINDOWS\system32\wsnpoem\audio.dll - Deleted
C:\WINDOWS\system32\wsnpoem\video.dll - Deleted



Folder C:\WINDOWS\Installer\{13afa401-7cca-4be8-94d0-928c31546ba8} - Removed
Folder C:\WINDOWS\Installer\{5942f2a5-65f6-4236-b2c7-7164b4a182c2} - Removed
Folder C:\WINDOWS\privacy_danger - Removed
Folder C:\WINDOWS\system32\wsnpoem - Removed


Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-19 19:52:47
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"h0"=dword:00000001
"ujdew"=hex:36,d2,57,77,3e,cc,e6,c9,b0,ab,be,b6,d6,73,df,52,ba,1c,fb,63,03,..
"p0"="C:\Program Files\Alcohol 120\"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"h0"=dword:00000000
"khjeh"=hex:5a,01,9e,c4,cb,f1,b8,cd,0f,4a,f2,c6,a9,9e,1d,2e,16,97,a1,5b,c3,..
"p0"="C:\Program Files\DAEMON Tools\"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"khjeh"=hex:fa,2a,0c,1e,ba,6d,a4,59,b7,6e,0c,e0,20,d6,60,1f,b9,43,54,35,28,..
"a0"=hex:20,01,00,00,bf,f4,61,1e,84,77,d1,2a,53,4b,ec,04,81,b2,9d,af,21,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:dd,36,42,7b,25,6f,38,6e,b4,e8,d7,a2,8b,87,90,5b,74,dd,59,8b,1f,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"h0"=dword:00000001
"ujdew"=hex:36,d2,57,77,3e,cc,e6,c9,b0,ab,be,b6,d6,73,df,52,ba,1c,fb,63,03,..
"p0"="C:\Program Files\Alcohol 120\"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"h0"=dword:00000000
"khjeh"=hex:5a,01,9e,c4,cb,f1,b8,cd,0f,4a,f2,c6,a9,9e,1d,2e,16,97,a1,5b,c3,..
"p0"="C:\Program Files\DAEMON Tools\"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"khjeh"=hex:fa,2a,0c,1e,ba,6d,a4,59,b7,6e,0c,e0,20,d6,60,1f,b9,43,54,35,28,..
"a0"=hex:20,01,00,00,bf,f4,61,1e,84,77,d1,2a,53,4b,ec,04,81,b2,9d,af,21,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:dd,36,42,7b,25,6f,38,6e,b4,e8,d7,a2,8b,87,90,5b,74,dd,59,8b,1f,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch]
"Epoch"=dword:00001365
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"36831:TCP"="36831:TCP:*:Enabled:@xpsp2res.dll,-22004"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s1"=dword:e55465b6
"s2"=dword:40baed21
"h0"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"h0"=dword:00000001
"ujdew"=hex:36,d2,57,77,3e,cc,e6,c9,b0,ab,be,b6,d6,73,df,52,ba,1c,fb,63,03,..
"p0"="C:\Program Files\Alcohol 120\"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"h0"=dword:00000000
"khjeh"=hex:5a,01,9e,c4,cb,f1,b8,cd,0f,4a,f2,c6,a9,9e,1d,2e,16,97,a1,5b,c3,..
"p0"="C:\Program Files\DAEMON Tools\"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"khjeh"=hex:fa,2a,0c,1e,ba,6d,a4,59,b7,6e,0c,e0,20,d6,60,1f,b9,43,54,35,28,..
"a0"=hex:20,01,00,00,bf,f4,61,1e,84,77,d1,2a,53,4b,ec,04,81,b2,9d,af,21,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:dd,36,42,7b,25,6f,38,6e,b4,e8,d7,a2,8b,87,90,5b,74,dd,59,8b,1f,..

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Cursors\Schemes]
"\f\1e?r?n?\xe9? ?u?k?a?z?a?t?e?l?e? ?"="C:\WINDOWS\cursors\arrow_r.cur,C:\WINDOWS\cursors\help_r.cur,C:\WINDOWS\cursors\wait_r.cur,C:\WINDOWS\cursors\busy_r.cur,C:\WINDOWS\cursors\cross_r.cur,C:\WINDOWS\cursors\beam_r.cur,C:\WINDOWS\cursors\pen_r.cur,C:\WINDOWS\cursors\no_r.cur,C:\WINDOWS\cursors\size4_r.cur,C:\WINDOWS\cursors\size3_r.cur,C:\WINDOWS\cursors\size2_r.cur,C:\WINDOWS\cursors\size1_r.cur,C:\WINDOWS\cursors\move_r.cur,C:\WINDOWS\cursors\up_r.cur"
"\f\1e?r?n?\xe9? ?u?k?a?z?a?t?e?l?e? ?(?v?e?l?k?\xe9?)?"="C:\WINDOWS\cursors\arrow_rm.cur,C:\WINDOWS\cursors\help_rm.cur,C:\WINDOWS\cursors\wait_rm.cur,C:\WINDOWS\cursors\busy_rm.cur,C:\WINDOWS\cursors\cross_rm.cur,C:\WINDOWS\cursors\beam_rm.cur,C:\WINDOWS\cursors\pen_rm.cur,C:\WINDOWS\cursors\no_rm.cur,C:\WINDOWS\cursors\size4_rm.cur,C:\WINDOWS\cursors\size3_rm.cur,C:\WINDOWS\cursors\size2_rm.cur,C:\WINDOWS\cursors\size1_rm.cur,C:\WINDOWS\cursors\move_rm.cur,C:\WINDOWS\cursors\up_rm.cur"
"\f\1e?r?n?\xe9? ?u?k?a?z?a?t?e?l?e? ?(?n?e?j?v?\e\1t?a\1\xed?)?"="C:\WINDOWS\cursors\arrow_rl.cur,C:\WINDOWS\cursors\help_rl.cur,C:\WINDOWS\cursors\wait_rl.cur,C:\WINDOWS\cursors\busy_rl.cur,C:\WINDOWS\cursors\cross_rl.cur,C:\WINDOWS\cursors\beam_rl.cur,C:\WINDOWS\cursors\pen_rl.cur,C:\WINDOWS\cursors\no_rl.cur,C:\WINDOWS\cursors\size4_rl.cur,C:\WINDOWS\cursors\size3_rl.cur,C:\WINDOWS\cursors\size2_rl.cur,C:\WINDOWS\cursors\size1_rl.cur,C:\WINDOWS\cursors\move_rl.cur,C:\WINDOWS\cursors\up_rl.cur"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\System]
"OODEFRAG08.00.00.01WORKSTATION"="…"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\Nero 7 Ultra Edition\`\1t]
"Order"=hex:08,00,00,00,02,00,00,00,9a,00,00,00,01,00,00,00,01,00,00,00,8e,..
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{D55C3C11-C38F-42A9-B461-1791DCA47211}]
"abnplkamdncnpgklkkehbhcmbkjajlmacd"=hex:61,62,6c,6f,69,6a,64,70,68,61,70,68,6f,69,67,6b,64,70,6f,62,68,..
"bbnplkamdncnpgklkkdhclafidkgmfeimgee"=hex:61,62,61,70,6c,62,69,62,6a,67,6d,64,6b,6d,61,68,63,68,67,63,68,..

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\system32\\dplaysvr.exe"="C:\\WINDOWS\\system32\\dplaysvr.exe:*:Enabled:Microsoft DirectPlay Helper"
"C:\\WINDOWS\\system32\\LEXPPS.EXE"="C:\\WINDOWS\\system32\\LEXPPS.EXE:*:Enabled:LEXPPS"
"C:\\Program Files\\Cossacks\\dmcr.exe"="C:\\Program Files\\Cossacks\\dmcr.exe:*:Enabled:dmcr"
"C:\\Program Files\\Medal of Honor-PA\\ua_lsp_inst.exe"="C:\\Program Files\\Medal of Honor-PA\\ua_lsp_inst.exe:*:Enabled:ua_lsp_inst"
"C:\\Program Files\\EA GAMES\\Need for Speed Most Wanted\\speed.exe"="C:\\Program Files\\EA GAMES\\Need for Speed Most Wanted\\speed.exe:*:Enabled:speed"
"C:\\Program Files\\GPRSpeed Plus\\GPRSpeed Plus Client\\GPRSpeed_c.exe"="C:\\Program Files\\GPRSpeed Plus\\GPRSpeed Plus Client\\GPRSpeed_c.exe:*:Enabled:NettGain1100_C"
"C:\\Program Files\\Nero\\Nero 7\\Nero Home\\NeroHome.exe"="C:\\Program Files\\Nero\\Nero 7\\Nero Home\\NeroHome.exe:*:Enabled:Nero Home"
"C:\\Program Files\\InterVideo\\DVD5\\WinDVD.exe"="C:\\Program Files\\InterVideo\\DVD5\\WinDVD.exe:*:Enabled:WinDVD"
"C:\\Program Files\\GameSpy Arcade\\Services\\_common\\RWVoice.exe"="C:\\Program Files\\GameSpy Arcade\\Services\\_common\\RWVoice.exe:*:Disabled:RogerWilco Lite for GameSpy Arcade"
"C:\\Program Files\\InterVideo\\DVD7\\WinDVD.exe"="C:\\Program Files\\InterVideo\\DVD7\\WinDVD.exe:*:Enabled:WinDVD"
"C:\\Hry\\Serious Sam 2\\Bin\\DedicatedServer.exe"="C:\\Hry\\Serious Sam 2\\Bin\\DedicatedServer.exe:*:Enabled:DedicatedServer"
"C:\\Program Files\\InterVideo\\DVD8\\WinDVD.exe"="C:\\Program Files\\InterVideo\\DVD8\\WinDVD.exe:*:Enabled:WinDVD"
"C:\\Program Files\\BitComet\\BitComet.exe"="C:\\Program Files\\BitComet\\BitComet.exe:*:Enabled:BitComet - a BitTorrent Client"
"C:\\Program Files\\FirefoxPortable\\FirefoxPortable.exe"="C:\\Program Files\\FirefoxPortable\\FirefoxPortable.exe:*:Enabled:FirefoxPortable.exe"
"C:\\Program Files\\Miranda IM\\miranda32.exe"="C:\\Program Files\\Miranda IM\\miranda32.exe:*:Enabled:Miranda IM"
"C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:uTorrent"
"C:\\Hry\\Worms Armageddon\\wa.exe"="C:\\Hry\\Worms Armageddon\\wa.exe:*:Enabled:Worms Armageddon"
"C:\\Program Files\\PPMate\\ppmate.exe"="C:\\Program Files\\PPMate\\ppmate.exe:*:Enabled:PPMate"
"C:\\Program Files\\SopCast\\SopCast.exe"="C:\\Program Files\\SopCast\\SopCast.exe:*:Enabled:SopCast Main Application"
"C:\\Program Files\\SopCast\\adv\\SopAdver.exe"="C:\\Program Files\\SopCast\\adv\\SopAdver.exe:*:Enabled:SopCast Adver"
"C:\\Program Files\\PPMate\\ppamnet.exe"="C:\\Program Files\\PPMate\\ppamnet.exe:*:Enabled:PPMate"
"C:\\Program Files\\TVUPlayer\\TVUPlayer.exe"="C:\\Program Files\\TVUPlayer\\TVUPlayer.exe:*:Enabled:TVUPlayer Component"
"C:\\Program Files\\SopCast\\sopvod.exe"="C:\\Program Files\\SopCast\\sopvod.exe:*:Enabled:sopvod"
"C:\\Program Files\\Common Files\\Ahead\\Nero Web\\SetupX.exe"="C:\\Program Files\\Common Files\\Ahead\\Nero Web\\SetupX.exe:*:Enabled:Nero ProductSetup"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Sun 26 Jun 2005 616,448 ..SHR --- "C:\Program Files\SUPER\cygwin1.dll"
Tue 21 Jun 2005 45,568 ..SHR --- "C:\Program Files\SUPER\cygz.dll"
Fri 22 Feb 2008 72,704 ..SHR --- "C:\Program Files\SUPER\Setup.exe"
Fri 27 Oct 2006 15,360 A.SHR --- "C:\Program Files\SUPER\_Setup.dll"
Wed 3 May 2006 163,328 ..SHR --- "C:\WINDOWS\system32\flvDX.dll"
Tue 17 Aug 2004 1,028,096 ...H. --- "C:\WINDOWS\system32\mfc42.dll"
Sat 20 Jan 2007 945 A.SH. --- "C:\WINDOWS\system32\mmf.sys"
Wed 21 Feb 2007 31,232 ..SHR --- "C:\WINDOWS\system32\msfDX.dll"
Tue 17 Aug 2004 54,784 ...H. --- "C:\WINDOWS\system32\msvcirt.dll"
Thu 25 Oct 2001 565,760 ...H. --- "C:\WINDOWS\system32\msvcp50.dll"
Tue 17 Aug 2004 413,696 ...H. --- "C:\WINDOWS\system32\msvcp60.dll"
Tue 17 Aug 2004 343,040 ...H. --- "C:\WINDOWS\system32\msvcrt.dll"
Thu 25 Oct 2001 253,952 ...H. --- "C:\WINDOWS\system32\msvcrt20.dll"
Tue 3 Aug 2004 61,440 ...H. --- "C:\WINDOWS\system32\msvcrt40.dll"
Mon 17 Dec 2007 27,648 ..SH. --- "C:\WINDOWS\system32\Smab0.dll"
Sat 18 Dec 2004 1,005,056 A..H. --- "C:\Hry\P lˇ N m To\Data\PnT.exe"
Tue 4 Jun 2002 84,992 ...HR --- "C:\Program Files\SUPER\mencoder\14_43260.dll"
Tue 4 Jun 2002 44,032 ...HR --- "C:\Program Files\SUPER\mencoder\28_83260.dll"
Tue 10 Dec 2002 73,766 ...HR --- "C:\Program Files\SUPER\mencoder\atrc3260.dll"
Tue 10 Dec 2002 65,575 ...HR --- "C:\Program Files\SUPER\mencoder\cook3260.dll"
Sun 9 Jun 2002 36,864 ...HR --- "C:\Program Files\SUPER\mencoder\ddnt3260.dll"
Tue 4 Jun 2002 20,480 ...HR --- "C:\Program Files\SUPER\mencoder\dnet3260.dll"
Tue 10 Dec 2002 102,437 ...HR --- "C:\Program Files\SUPER\mencoder\drv13260.dll"
Tue 10 Dec 2002 176,165 ...HR --- "C:\Program Files\SUPER\mencoder\drv23260.dll"
Tue 10 Dec 2002 208,935 ...HR --- "C:\Program Files\SUPER\mencoder\drv33260.dll"
Tue 10 Dec 2002 217,127 ...HR --- "C:\Program Files\SUPER\mencoder\drv43260.dll"
Sun 9 Jun 2002 40,448 ...HR --- "C:\Program Files\SUPER\mencoder\dspr3260.dll"
Sun 4 Nov 2001 225,280 ...HR --- "C:\Program Files\SUPER\mencoder\ivvideo.dll"
Fri 20 Feb 2004 232,960 ...HR --- "C:\Program Files\SUPER\mencoder\raac.dll"
Sun 9 Jun 2002 525,824 ...HR --- "C:\Program Files\SUPER\mencoder\rnco3260.dll"
Tue 10 Dec 2002 245,805 ...HR --- "C:\Program Files\SUPER\mencoder\rnlt3260.dll"
Tue 10 Dec 2002 45,093 ...HR --- "C:\Program Files\SUPER\mencoder\rv103260.dll"
Tue 10 Dec 2002 98,341 ...HR --- "C:\Program Files\SUPER\mencoder\rv203260.dll"
Tue 10 Dec 2002 94,247 ...HR --- "C:\Program Files\SUPER\mencoder\rv303260.dll"
Tue 10 Dec 2002 90,151 ...HR --- "C:\Program Files\SUPER\mencoder\rv403260.dll"
Tue 10 Dec 2002 102,439 ...HR --- "C:\Program Files\SUPER\mencoder\sipr3260.dll"
Sun 9 Jun 2002 49,152 ...HR --- "C:\Program Files\SUPER\mencoder\tokr3260.dll"

Finished!


NEW HIJACKTHIS LOG
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:54:30, on 19.3.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\oodag.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\LXSUPMON.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.icq.com/search/search_frame.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://google.icq.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
O3 - Toolbar: (no name) - {70DE7956-479D-4eb7-8641-2B45774C350E} - (no file)
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\system32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKLM\..\Run: [iftcprom] rundll32.exe "C:\WINDOWS\TEMP\kbdlk.nls" WLEntryPoint
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Policies\Explorer\Run: [mshgm] rundll32.exe "C:\WINDOWS\system32\msdgjmlof.dll" WLEntryPoint
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - Global Startup: Avast!.lnk = C:\Program Files\Avast4\ashDisp.exe
O8 - Extra context menu item: Add to AMV Convert Tool... - C:\Program Files\MP3 Player Utilities 4.00\AMVConverter\grab.html
O8 - Extra context menu item: Add to AMV Converter... - C:\Program Files\MP3 Player Utilities 4.05\AMVConverter\grab.html
O8 - Extra context menu item: E&xportovat do aplikace Microsoft Office Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: MediaManager tool grab multimedia file - C:\Program Files\MP3 Player Utilities 4.05\MediaManager\grab.html
O9 - Extra button: Zdroje informací - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: ritgrqt - C:\WINDOWS\SYSTEM32\ritgrqt.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - rundll32.exe (file missing)
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe

--
End of file - 4737 bytes
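The two HijackThis logs in this thread (the first one, and the one taken after SDFix ran) are a good test set for automated triage. What follows is an added example by this editor, not code from the thread, from HijackThis or from SDFix: a small Python script that parses HJT entries copied verbatim from the two logs and applies the checks a reviewer would apply by hand. The rules and their thresholds (UserInit chain with more than userinit.exe, rundll32 loading a non-DLL file, targets under TEMP / Local Settings\Application Data / drivers, a Run key under Policies\Explorer, file names within Levenshtein distance 2 of a system binary such as spools.exe vs spoolsv.exe or cftmon.exe vs ctfmon.exe, vowel-less names of seven or more letters, and any O20/O21, unknown-owner O23 or file:/// O24 entry) are this editor's reading of common HJT review conventions; the KNOWN list and the distance and length thresholds are assumptions, not something the tools define.

```python
"""Triage heuristics for HijackThis (HJT) entries, run over lines copied from the
two logs in this thread. Added example: rules are this editor's, not HJT's or SDFix's."""
import re

# Entries copied verbatim from the first HJT log (before SDFix was run).
HJT_BEFORE = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,
O2 - BHO: GNX Rolex - {0D504883-70CA-48BD-A282-639753D3B0CE} - C:\WINDOWS\drnpfdxwlv.dll
O4 - HKLM\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
O4 - HKLM\..\Run: [iftcprom] rundll32.exe "C:\WINDOWS\TEMP\webqoho.drv" WLEntryPoint
O4 - HKLM\..\Run: [autoload] C:\Documents and Settings\LocalService\Local Settings\Application Data\cftmon.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Policies\Explorer\Run: [mtsfjdbl] rundll32.exe "C:\WINDOWS\system32\msdgjmlof.dll" WLEntryPoint
O20 - Winlogon Notify: ritgrqt - C:\WINDOWS\SYSTEM32\ritgrqt.dll
O21 - SSODL: altvxvm - {22554F41-F6C4-414D-89DE-D1C1664B1452} - C:\WINDOWS\altvxvm.dll
O23 - Service: Plánovač úloh (Schedule) - Unknown owner - C:\WINDOWS\system32\drivers\spools.exe
O24 - Desktop Component 1: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm
"""
# Entries copied from the second HJT log, posted after SDFix had run.
HJT_AFTER = r"""
O4 - HKLM\..\Run: [iftcprom] rundll32.exe "C:\WINDOWS\TEMP\kbdlk.nls" WLEntryPoint
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Policies\Explorer\Run: [mshgm] rundll32.exe "C:\WINDOWS\system32\msdgjmlof.dll" WLEntryPoint
O20 - Winlogon Notify: ritgrqt - C:\WINDOWS\SYSTEM32\ritgrqt.dll
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
"""

PATH_RE = re.compile(r'[A-Za-z]:\\.+?\.[A-Za-z0-9]{2,4}(?=$|[\s",])')
VOWELLESS = re.compile(r'^[^aeiouy\W\d_]{7,}$', re.I)  # drnpfdxwlv, ritgrqt, ...
# Windows binaries the samples above imitate by a character or two (assumed list).
KNOWN = ("ctfmon.exe", "spoolsv.exe", "svchost.exe", "lsass.exe", "userinit.exe",
         "winlogon.exe", "explorer.exe", "services.exe", "csrss.exe")
SUSPECT_DIRS = ("\\temp\\", "\\local settings\\application data\\", "\\drivers\\")

def edit_distance(a, b):
    """Plain Levenshtein distance; enough to catch spools.exe and cftmon.exe."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike(filename):
    """The KNOWN binary this name imitates (distance <= 2), or None."""
    name = filename.lower()
    if name in KNOWN:
        return None
    return next((k for k in KNOWN if edit_distance(name, k) <= 2), None)

def flag_line(line):
    """Return the reasons an HJT entry deserves a second look ([] when clean)."""
    reasons = []
    section = line.split(" - ", 1)[0]
    paths = PATH_RE.findall(line)
    if section == "F2" and "UserInit=" in line:
        # Everything chained after userinit.exe runs at every interactive logon.
        extra = [p for p in line.split("UserInit=", 1)[1].split(",")
                 if p and not p.lower().endswith("\\userinit.exe")]
        if extra:
            reasons.append("UserInit chain also runs " + ", ".join(extra))
    if "rundll32.exe" in line.lower():
        reasons += ["rundll32 loads non-DLL file " + p
                    for p in paths if not p.lower().endswith(".dll")]
    if r"\Policies\Explorer\Run" in line:
        reasons.append("Run key under Policies, a slot legitimate software rarely uses")
    for p in paths:
        name = p.rsplit("\\", 1)[-1]
        if any(d in p.lower() for d in SUSPECT_DIRS):
            reasons.append("autostart target lives in a temp/profile/drivers dir: " + p)
        twin = lookalike(name)
        if twin:
            reasons.append("%s mimics system binary %s" % (name, twin))
        if VOWELLESS.match(name.rsplit(".", 1)[0]):
            reasons.append("random-looking file name " + name)
    if section in ("O20", "O21"):
        reasons.append(section + " hook is loaded by winlogon/explorer at every logon")
    if section == "O23" and "Unknown owner" in line:
        reasons.append("service binary carries no vendor information")
    if section == "O24" and "file:///" in line:
        reasons.append("local HTML desktop component, the usual rogue 'security warning' wallpaper")
    return reasons

def triage(log_text):
    """Map every suspicious entry in an HJT log excerpt to its list of reasons."""
    found = {}
    for entry in log_text.strip().splitlines():
        why = flag_line(entry)
        if why:
            found[entry] = why
    return found

if __name__ == "__main__":
    for label, log in (("before SDFix", HJT_BEFORE), ("after SDFix", HJT_AFTER)):
        hits = triage(log)
        print("== %s: %d suspicious entries ==" % (label, len(hits)))
        for entry, why in hits.items():
            print(entry)
            for reason in why:
                print("   ->", reason)
```

Run as written it flags ten of the eleven pre-SDFix entries (only the ESET egui entry passes) and three of the six post-SDFix entries: the rundll32 loader that now points at C:\WINDOWS\TEMP\kbdlk.nls instead of webqoho.drv, the Policies\Explorer\Run entry for msdgjmlof.dll under its new value name, and the ritgrqt.dll Winlogon Notify hook. Those three are exactly the items SDFix did not remove, which is why a second log and a further tool were requested in the next post; the name-rotation in the TEMP loader is also why matching on the registry value name alone is not enough.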


Re: Please check my log

Post by fredik » 19 Mar 2008 21:48

Also post a log from:
Download ComboFix (by sUBs) and save it to your desktop.
Close all open windows and run it.
- When it starts, the terms of use are shown; confirm them by pressing Yes
- Then follow the instructions; while ComboFix is working, do not click into the window it displays
- When the scan finishes, the program should create a log - C:\ComboFix.txt - please paste its whole contents here


Re: Please check my log

Post by štefy » 20 Mar 2008 07:32

ComboFix 08-03-18.1 - uživatel 2008-03-20 7:19:13.1 - NTFSx86
Systém Microsoft Windows XP Professional 5.1.2600.2.1250.1.1029.18.142 [GMT 1:00]
Running from: C:\Documents and Settings\uživatel\Plocha\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\uživatel\iexplorer.exe
C:\WINDOWS\nt32200axR.dll
C:\WINDOWS\system32\ntcheck3232bxR.dll

.
((((((((((((((((((((((((( Files Created from 2008-02-20 to 2008-03-20 )))))))))))))))))))))))))))))))
.

2008-03-19 19:45 . 2005-03-02 19:18 577,024 --a--c--- C:\WINDOWS\system32\dllcache\user32.dll
2008-03-19 19:43 . 2008-03-19 19:44 <DIR> d-------- C:\WINDOWS\ERUNT
2008-03-19 19:38 . 2008-03-19 19:54 <DIR> d-------- C:\SDFix
2008-03-19 17:40 . 2008-03-19 17:40 <DIR> d-------- C:\Documents and Settings\All Users\Data aplikací\ESET
2008-03-19 17:10 . 2008-03-19 17:10 <DIR> d-------- C:\Program Files\ESET
2008-03-16 18:42 . 2008-03-16 18:42 <DIR> d-------- C:\Program Files\CCleaner
2008-03-16 15:37 . 2008-03-19 19:20 5,120 --a------ C:\Documents and Settings\LocalService\ftpdll.dll
2008-03-15 13:17 . 2008-03-15 13:17 2 --a------ C:\-2132409765
2008-03-15 13:16 . 2008-03-19 19:20 5,120 --a------ C:\WINDOWS\system32\ftpdll.dll
2008-03-15 13:16 . 2008-03-19 17:29 5,120 --a------ C:\Documents and Settings\uživatel\ftpdll.dll
2008-03-15 13:16 . 2008-03-19 17:29 5,120 --a------ C:\Documents and Settings\uživatel\ftpdll.dll
2008-03-15 13:07 . 2008-03-15 13:07 <DIR> d-------- C:\Documents and Settings\uživatel\Data aplikací\Roxio
2008-03-15 13:06 . 2008-03-15 13:06 <DIR> d-------- C:\Documents and Settings\All Users\Data aplikací\Sonic
2008-03-15 13:04 . 2008-03-15 13:04 <DIR> d-------- C:\Program Files\DivX
2008-03-15 13:04 . 2008-03-16 16:50 <DIR> d-------- C:\Program Files\Common Files\Roxio Shared
2008-03-15 13:04 . 2008-03-16 16:49 <DIR> d-------- C:\Documents and Settings\All Users\Data aplikací\Roxio
2008-03-03 19:48 . 2008-03-03 19:48 <DIR> d-------- C:\Documents and Settings\uži\Bullfrog
2008-03-01 09:59 . 2006-05-23 09:25 4,290,048 --a------ C:\WINDOWS\Heroes of Might and Magic V.scr
2008-02-23 18:03 . 2008-02-23 18:03 <DIR> d-------- C:\Program Files\TVAnts
2008-02-23 17:51 . 2008-02-24 09:28 <DIR> d-------- C:\Documents and Settings\uživatel\Data aplikací\DMCache
2008-02-23 11:46 . 2008-03-19 17:36 <DIR> d-------- C:\Program Files\Ad-Aware 2007
2008-02-23 11:46 . 2008-02-23 11:48 <DIR> d-------- C:\Documents and Settings\All Users\Data aplikací\Lavasoft
2008-02-23 11:45 . 2008-02-23 11:45 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-22 17:29 . 2008-02-22 17:29 8,192 --ahs---- C:\WINDOWS\Thumbs.db
2008-02-22 15:40 . 2008-02-22 23:46 <DIR> d-------- C:\Program Files\SUPER
2008-02-22 15:40 . 2008-02-04 20:26 151,040 ---hs---- C:\WINDOWS\system32\VistaUltm.dll
2008-02-22 15:40 . 2005-02-22 17:55 81,920 -r-hs---- C:\WINDOWS\system32\aac_parser.ax
2008-02-22 15:40 . 2007-02-21 12:47 31,232 -r-hs---- C:\WINDOWS\system32\msfDX.dll
2008-02-22 15:40 . 2007-12-17 14:43 27,648 ---hs---- C:\WINDOWS\system32\Smab0.dll
2008-02-22 15:24 . 2008-03-19 20:30 <DIR> d-------- C:\Program Files\Torrents
2008-02-21 18:17 . 2008-02-22 22:20 <DIR> d-------- C:\Program Files\TVUPlayer
2008-02-21 18:12 . 2008-02-21 18:12 <DIR> d-------- C:\Documents and Settings\All Users\Data aplikací\TVU networks
2008-02-21 18:00 . 2008-02-21 18:00 <DIR> d-------- C:\Documents and Settings\uživatel\Data aplikací\TVU Networks
2008-02-21 17:17 . 2008-02-21 19:09 <DIR> d-------- C:\Program Files\SopCast
2008-02-21 17:01 . 2008-02-21 17:01 <DIR> d-------- C:\Documents and Settings\uživatel\Data aplikací\ppStream
2008-02-21 17:01 . 2008-02-23 12:26 569 --a------ C:\WINDOWS\psnetwork.ini
2008-02-21 17:01 . 2008-02-23 12:23 35 --a------ C:\WINDOWS\powerplayer.ini
2008-02-21 16:59 . 2008-02-21 16:59 57 --a------ C:\WINDOWS\system32\peer.ini
2008-02-21 16:49 . 2008-02-21 16:49 <DIR> d-------- C:\Documents and Settings\uživatel\Data aplikací\PPMate
2008-02-21 16:48 . 2008-02-23 12:21 <DIR> d-------- C:\Program Files\PPMate
2008-02-21 16:48 . 2008-02-21 16:48 <DIR> d-------- C:\Program Files\Common Files\Synacast
2008-02-20 11:11 . 2008-02-20 11:11 33,800 --a------ C:\WINDOWS\system32\drivers\epfwtdir.sys
2008-02-20 11:02 . 2008-02-20 11:02 29,704 --a------ C:\WINDOWS\system32\drivers\easdrv.sys
2008-02-20 11:01 . 2008-02-20 11:01 39,944 --a------ C:\WINDOWS\system32\drivers\eamon.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-19 20:24 --------- d-----w C:\Documents and Settings\uživatel\Data aplikací\uTorrent
2008-03-19 16:39 --------- d-----w C:\Program Files\Avast4
2008-03-19 16:37 --------- d---a-w C:\Documents and Settings\All Users\Data aplikací\TEMP
2008-03-16 18:16 --------- d-----w C:\Program Files\us download share
2008-03-16 15:52 --------- d-----w C:\Program Files\Your Uninstaller 2008
2008-03-06 18:48 --------- d-----w C:\Program Files\Winamp
2008-03-03 16:02 --------- d-----w C:\Program Files\PeerGuardian2
2008-02-23 07:42 --------- d-----w C:\Program Files\BitComet
2008-02-18 18:24 --------- d-----w C:\Program Files\NOD32
2008-02-18 18:21 --------- d-----w C:\Program Files\Common Files\InstallerA
2008-02-18 18:13 --------- d-----w C:\Program Files\Gamenext
2008-02-18 18:12 --------- d-----w C:\Program Files\PFConfig
2008-02-16 18:46 --------- d---a-w C:\Program Files\Miranda IM
2008-01-31 06:12 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-27 19:45 --------- d-----w C:\Documents and Settings\uživatel\Data aplikací\Vso
2008-01-27 15:57 --------- d-----w C:\Program Files\uTorrent
2008-01-26 11:11 --------- d-----w C:\Program Files\Game XP
2008-01-26 10:59 --------- d-----w C:\Program Files\Take2Interactive
2008-01-26 09:27 --------- d-----w C:\Documents and Settings\uživatel\Data aplikací\URSoft
2008-01-24 14:21 359,808 ----a-w C:\WINDOWS\system32\drivers\TCPIP.SYS.ORIGINAL
2008-01-24 14:21 359,808 ----a-w C:\WINDOWS\system32\drivers\TCPIP.SYS
2008-01-23 17:43 512,096 ----a-w C:\WINDOWS\system32\drivers\amon.sys
2008-01-23 17:43 298,104 ----a-w C:\WINDOWS\system32\imon.dll
2008-01-23 17:43 15,424 ----a-w C:\WINDOWS\system32\drivers\nod32drv.sys
2008-01-21 16:57 173 ----a-w C:\WINDOWS\system32\drivers\fwdrv.err
2008-01-20 17:36 --------- d-----w C:\Program Files\FirefoxPortable
2007-04-30 15:25 81,920 ----a-w C:\Documents and Settings\uživatel\Data aplikací\ezpinst.exe
2007-04-30 15:25 47,360 ----a-w C:\Documents and Settings\uživatel\Data aplikací\pcouffin.sys
2006-05-03 10:06 163,328 --sh--r C:\WINDOWS\system32\flvDX.dll
2007-01-20 11:29 945 --sha-w C:\WINDOWS\system32\mmf.sys
2007-02-21 11:47 31,232 --sh--r C:\WINDOWS\system32\msfDX.dll
2007-12-17 13:43 27,648 --sh--w C:\WINDOWS\system32\Smab0.dll
.

------- Sigcheck -------

2005-03-14 02:17 359936 6129e70f3d2f1e60860c930ebeaf92c2 C:\WINDOWS\$hf_mig$\KB893066\SP2QFE\tcpip.sys
2001-10-25 13:00 327168 e7774698bb0d14b0710a9a31e209f9b6 C:\WINDOWS\$NtServicePackUninstall$\tcpip.sys
2004-08-03 22:14 359040 9f4b36614a0fc234525ba224957de55c C:\WINDOWS\$NtUninstallKB893066$\tcpip.sys
2004-08-03 22:14 359040 9f4b36614a0fc234525ba224957de55c C:\WINDOWS\ServicePackFiles\i386\TCPIP.SYS
2005-03-14 01:55 359808 0e66b538096a6529d1ac66e78eb0d5c8 C:\WINDOWS\SoftwareDistribution\Download\465d74f489a08daa339a96fd1eedeb4e\sp2gdr\tcpip.sys
2005-03-14 02:17 359936 6129e70f3d2f1e60860c930ebeaf92c2 C:\WINDOWS\SoftwareDistribution\Download\465d74f489a08daa339a96fd1eedeb4e\sp2qfe\tcpip.sys
2008-01-24 15:21 359808 f91e8f4c501f2128d7a92f723b6d6577 C:\WINDOWS\system32\dllcache\TCPIP.SYS
2008-01-24 15:21 359808 f91e8f4c501f2128d7a92f723b6d6577 C:\WINDOWS\system32\drivers\TCPIP.SYS
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-17 14:49 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LXSUPMON"="C:\WINDOWS\system32\LXSUPMON.exe" [2002-01-28 13:48 885760]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-03-20 16:34 213936]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2006-03-20 16:34 86960]
"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-03-20 16:34 213936]
"egui"="C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-02-20 11:06 1443072]
"hpqsmocs"="C:\WINDOWS\TEMP\cabpii.sys WLEntryPoint" [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"RunStartupScriptSync"= 0 (0x0)
"SynchronousMachineGroupPolicy"= 0 (0x0)
"SynchronousUserGroupPolicy"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoStrCmpLogical"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"mshgm"= rundll32.exe "C:\WINDOWS\system32\msdgjmlof.dll" WLEntryPoint

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMBalloonTip"= 1 (0x1)
"MemCheckBoxInRunDlg"= 0 (0x0)
"NoAutoTrayNotify"= 0 (0x0)
"NoResolveTrack"= 0 (0x0)
"NoResolveSearch"= 1 (0x1)
"NoWelcomeScreen"= 1 (0x1)
"NoRecentDocsNetHood"= 1 (0x1)
"NoDesktopCleanupWizard"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="logonui.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ritgrqt]
ritgrqt.dll 2004-08-17 14:49 114688 C:\WINDOWS\system32\ritgrqt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
C:\PROGRA~1\WindowBlinds\wbsrv.dll 2005-12-20 21:57 176128 C:\PROGRA~1\WindowBlinds\WbSrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wbsys.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Nabídka Start^Programy^Po spuštění^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Nabídka Start\Programy\Po spuštění\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Nabídka Start^Programy^Po spuštění^GPRSpeed Plus Client.lnk]
path=C:\Documents and Settings\All Users\Nabídka Start\Programy\Po spuštění\GPRSpeed Plus Client.lnk
backup=C:\WINDOWS\pss\GPRSpeed Plus Client.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Nabídka Start^Programy^Po spuštění^InterVideo WinCinema Manager.lnk]
path=C:\Documents and Settings\All Users\Nabídka Start\Programy\Po spuštění\InterVideo WinCinema Manager.lnk
backup=C:\WINDOWS\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^uživatel^Nabídka Start^Programy^Po spuštění^RollerCoaster Tycoon 3 Registration.lnk]
path=C:\Documents and Settings\uživatel\Nabídka Start\Programy\Po spuštění\RollerCoaster Tycoon 3 Registration.lnk
backup=C:\WINDOWS\pss\RollerCoaster Tycoon 3 Registration.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^uživatel^Nabídka Start^Programy^Po spuštění^Ubisoft register.lnk]
path=C:\Documents and Settings\uživatel\Nabídka Start\Programy\Po spuštění\Ubisoft register.lnk
backup=C:\WINDOWS\pss\Ubisoft register.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\antiviirus]
C:\Program Files\antiviirus.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\autoload]
C:\Documents and Settings\uživatel\Local Settings\Application Data\cftmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avast!]
C:\Program Files\Avast4\ashDisp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
C:\PROGRA~1\Grisoft\AVG Free\avgcc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BSplayer_WhenUSave_Installer]
C:\Program Files\BSplayer_WhenUSave_Installer\BSplayer_WhenUSave_Installer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-17 14:49 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
--a------ 2007-04-03 23:29 165784 C:\Program Files\DAEMON Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FreeRAM XP]
--a------ 2006-03-22 23:13 1591808 C:\Program Files\FreeRAM XP Pro\FreeRAM XP Pro.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iftcprom]
C:\WINDOWS\TEMP\p2ptor.sys WLEntryPoint

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
C:\Program Files\Nero\Nero 7\InCD\InCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 17:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ndqgdsdl]
C:\WINDOWS\TEMP\p2ptor.sys WLEntryPoint

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2007-03-09 17:53 153136 C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ntuser]
C:\WINDOWS\system32\drivers\spools.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PromoReg]
C:\WINDOWS\system32\alt.exe.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2005-12-09 12:07 77824 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\retsfahg]
C:\WINDOWS\TEMP\p2ptor.sys WLEntryPoint

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SecurDisc]
C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMSERIAL]
--a------ 2004-01-28 22:42 565248 C:\WINDOWS\sm56hlpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
--a------ 2004-09-16 13:39 69632 C:\WINDOWS\SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Trickler]
c:\program files\divx\divx pro codec\gain_trickler_3202.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VVSN]
C:\Program Files\VVSN\VVSN.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"NOD32krn"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\dplaysvr.exe"=
"C:\\WINDOWS\\system32\\LEXPPS.EXE"=
"C:\\Program Files\\InterVideo\\DVD8\\WinDVD.exe"=
"C:\\Program Files\\FirefoxPortable\\FirefoxPortable.exe"=
"C:\\Program Files\\Miranda IM\\miranda32.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Hry\\Worms Armageddon\\wa.exe"=
"C:\\Program Files\\PPMate\\ppmate.exe"=
"C:\\Program Files\\SopCast\\SopCast.exe"=
"C:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"C:\\Program Files\\PPMate\\ppamnet.exe"=
"C:\\Program Files\\TVUPlayer\\TVUPlayer.exe"=
"C:\\Program Files\\SopCast\\sopvod.exe"=
"C:\\Program Files\\Common Files\\Ahead\\Nero Web\\SetupX.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"44724:TCP"= 44724:TCP:pan port
"42378:TCP"= 42378:TCP:@xpsp2res.dll,-22004
"8193:TCP"= 8193:TCP:@xpsp2res.dll,-22004
"45812:TCP"= 45812:TCP:@xpsp2res.dll,-22004
"10011:TCP"= 10011:TCP:@xpsp2res.dll,-22004
"5307:TCP"= 5307:TCP:@xpsp2res.dll,-22004

R1 epfwtdir;epfwtdir;C:\WINDOWS\system32\DRIVERS\epfwtdir.sys [2008-02-20 11:11]
R2 LicCtrlService;LicCtrl Service;rundll32.exe C:\WINDOWS\mmfs.dll,Service []
R3 PSched;Plánovač paketů technologie QoS;C:\WINDOWS\system32\DRIVERS\psched.sys [2004-08-03 22:04]
R3 usbhub;Ovladač standardního rozbočovače USB;C:\WINDOWS\system32\DRIVERS\usbhub.sys [2004-08-03 22:08]
S2 grande48;grande48;C:\WINDOWS\system32\drivers\grande48.sys []
S3 adusbmdm6501;AnyDATA CDMA USB Modem Driver (PID 6501);C:\WINDOWS\system32\DRIVERS\adusbmdm65.sys [2005-05-02 12:55]
S3 adusbser6501;AnyDATA CDMA USB Serial Port (PID 6501);C:\WINDOWS\system32\DRIVERS\adusbser65.sys [2005-05-02 12:55]
S3 SetupNTGLM7X;SetupNTGLM7X;D:\NTGLM7X.sys []
S3 usb2vcom;USB Data Cable;C:\WINDOWS\system32\DRIVERS\usb2vcom.sys [2005-08-06 04:06]
S3 usbccgp;Obecný nadřazený ovladač Microsoft USB;C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2004-08-03 22:08]
S3 USBSTOR;Ovladač velkokapacitního paměťového zařízení USB;C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-03 22:08]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a78608d7-940e-11db-8af3-0011098da354}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled\ctfmon.exe
\Shell\Open(0)\command - Recycled\ctfmon.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f72c2d0d-4fbc-11db-8aa0-0011098da354}]
\Shell\AutoRun\command - H:\autorun.exe

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-20 07:21:41
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-03-20 7:22:02
ComboFix-quarantined-files.txt 2008-03-20 06:21:59


Re: Please check my log

Post by štefy » 20 Mar 2008 20:26

So is it done yet?


Re: Please check my log

Post by fredik » 21 Mar 2008 20:26

Open Notepad (Start -> Run..., type Notepad into the box and click OK)
Copy the following text (marked in green) into it:


Driver::
grande48

File::
C:\Documents and Settings\LocalService\ftpdll.dll
C:\-2132409765
C:\WINDOWS\system32\ftpdll.dll
C:\Documents and Settings\uživatel\ftpdll.dll
C:\WINDOWS\system32\alt.exe.exe

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpqsmocs"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"mshgm"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ritgrqt]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\antiviirus]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\autoload]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BSplayer_WhenUSave_Installer]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iftcprom]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ndqgdsdl]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ndqgdsdl]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ntuser]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PromoReg]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\retsfahg]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Trickler]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VVSN]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a78608d7-940e-11db-8af3-0011098da354}]

Choose File -> Save As... and set these parameters:
File name: type CFScript.txt
Save as type: select All Files
Save the file to the desktop.
Close all open windows.

Drag the CFScript.txt you created with the mouse onto the downloaded ComboFix.exe and, when the two files overlap, drop the script
- ComboFix will start automatically
- Post here the log that appears at the end of the cleaning process, plus a new HJT log
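A helper-side sanity check for the CFScript procedure above, added here as an example and not part of the thread or of ComboFix itself: it parses the Driver::/File::/Registry:: directives, reads the Registry:: lines with regedit semantics ([-KEY] deletes a key, "name"=- deletes a value), cross-checks each target against the Reg Loading Points section of a ComboFix log, and flags autostart entries that load from a TEMP folder or that ComboFix could not stat. The sample script and log excerpt are constructed from entries in this thread; the repeated ndqgdsdl key and the hypothetical notinlog key are there to exercise the duplicate and missing-target checks, and all function names are my own.

```python
import re

# Constructed sample (not the full script from the thread): the three CFScript
# directives, including the duplicated ndqgdsdl key that the post contains.
SAMPLE_CFSCRIPT = """\
Driver::
grande48

File::
C:\\WINDOWS\\system32\\alt.exe.exe

Registry::
[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]
"hpqsmocs"=-
[-HKEY_LOCAL_MACHINE\\software\\microsoft\\shared tools\\msconfig\\startupreg\\ndqgdsdl]
[-HKEY_LOCAL_MACHINE\\software\\microsoft\\shared tools\\msconfig\\startupreg\\ndqgdsdl]
[-HKEY_LOCAL_MACHINE\\software\\microsoft\\shared tools\\msconfig\\startupreg\\notinlog]
"""

# Constructed excerpt shaped like the log's "Reg Loading Points" section.
SAMPLE_LOG = """\
REGEDIT4
[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]
"egui"="C:\\Program Files\\ESET\\ESET NOD32 Antivirus\\egui.exe" [2008-02-20 11:06 1443072]
"hpqsmocs"="C:\\WINDOWS\\TEMP\\cabpii.sys WLEntryPoint" [ ]

[HKEY_LOCAL_MACHINE\\software\\microsoft\\shared tools\\msconfig\\startupreg\\ndqgdsdl]
C:\\WINDOWS\\TEMP\\p2ptor.sys WLEntryPoint
"""

DIRECTIVE = re.compile(r"^([A-Za-z]+)::$")      # e.g. "Registry::"
KEY_LINE = re.compile(r"^\[(-?)(.+)\]$")        # "[KEY]" or "[-KEY]"
VALUE_DELETE = re.compile(r'^"([^"]+)"=-$')     # '"name"=-'

def parse_cfscript(text):
    """Split a CFScript into {directive: [lines]} in file order."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = DIRECTIVE.match(line)
        if m:
            current = sections.setdefault(m.group(1), [])
        elif line and current is not None:
            current.append(line)
    return sections

def registry_actions(lines):
    """Regedit semantics: [-KEY] deletes a key, "name"=- deletes a value
    under the most recent [KEY]. Returns (action, key, value) tuples."""
    actions, current_key = [], None
    for line in lines:
        m = KEY_LINE.match(line)
        if m:
            if m.group(1) == "-":
                actions.append(("delete_key", m.group(2), None))
                current_key = None
            else:
                current_key = m.group(2)
            continue
        m = VALUE_DELETE.match(line)
        if m and current_key:
            actions.append(("delete_value", current_key, m.group(1)))
    return actions

def parse_loading_points(text):
    """Map each [KEY] of a ComboFix log (lower-cased) to its entry lines."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_LINE.match(line)
        if m:
            current = keys.setdefault(m.group(2).lower(), [])
        elif line and current is not None:
            current.append(line)
    return keys

def check_script(script_text, log_text):
    """Report script actions that match nothing in the log, and duplicates."""
    sections = parse_cfscript(script_text)
    log_keys = parse_loading_points(log_text)
    missing, duplicates, seen = [], [], set()
    for action in registry_actions(sections.get("Registry", [])):
        if action in seen:
            duplicates.append(action)
            continue
        seen.add(action)
        kind, key, value = action
        entries = log_keys.get(key.lower())
        if entries is None or (kind == "delete_value" and not any(
                e.lower().startswith('"%s"=' % value.lower()) for e in entries)):
            missing.append(action)
    return {"missing": missing, "duplicates": duplicates}

def flag_autostarts(log_text):
    """Triage: entries loading from a TEMP folder, or that ComboFix could not
    stat (metadata "[ ]"), are the ones a helper looks at first."""
    return [(key, e) for key, entries in parse_loading_points(log_text).items()
            for e in entries if "\\temp\\" in e.lower() or e.endswith("[ ]")]
```

Run check_script on the real CFScript and log before dragging the script onto ComboFix; a target that is not in the log usually means a typo in a key path.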


Re: Please check my log

Post by štefy » 21 Mar 2008 21:08

ComboFix 08-03-18.1 - uživatel 2008-03-21 20:57:57.2 - NTFSx86
Systém Microsoft Windows XP Professional 5.1.2600.2.1250.1.1029.18.203 [GMT 1:00]
Running from: C:\Documents and Settings\uživatel\Plocha\ComboFix.exe
Command switches used :: C:\Documents and Settings\uživatel\Plocha\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-02-21 to 2008-03-21 )))))))))))))))))))))))))))))))
.

2008-03-21 11:21 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-03-21 11:20 . 2008-03-21 11:21 <DIR> d-------- C:\Program Files\Java
2008-03-21 11:20 . 2008-03-21 11:20 <DIR> d-------- C:\Program Files\Common Files\Java
2008-03-19 19:45 . 2005-03-02 19:18 577,024 --a--c--- C:\WINDOWS\system32\dllcache\user32.dll
2008-03-19 19:43 . 2008-03-19 19:44 <DIR> d-------- C:\WINDOWS\ERUNT
2008-03-19 19:38 . 2008-03-19 19:54 <DIR> d-------- C:\SDFix
2008-03-19 17:40 . 2008-03-19 17:40 <DIR> d-------- C:\Documents and Settings\All Users\Data aplikací\ESET
2008-03-19 17:10 . 2008-03-19 17:10 <DIR> d-------- C:\Program Files\ESET
2008-03-16 18:42 . 2008-03-16 18:42 <DIR> d-------- C:\Program Files\CCleaner
2008-03-16 15:37 . 2008-03-19 19:20 5,120 --a------ C:\Documents and Settings\LocalService\ftpdll.dll
2008-03-15 13:17 . 2008-03-15 13:17 2 --a------ C:\-2132409765
2008-03-15 13:16 . 2008-03-19 19:20 5,120 --a------ C:\WINDOWS\system32\ftpdll.dll
2008-03-15 13:16 . 2008-03-19 17:29 5,120 --a------ C:\Documents and Settings\uživatel\ftpdll.dll
2008-03-15 13:16 . 2008-03-19 17:29 5,120 --a------ C:\Documents and Settings\uživatel\ftpdll.dll
2008-03-15 13:07 . 2008-03-15 13:07 <DIR> d-------- C:\Documents and Settings\uživatel\Data aplikací\Roxio
2008-03-15 13:06 . 2008-03-15 13:06 <DIR> d-------- C:\Documents and Settings\All Users\Data aplikací\Sonic
2008-03-15 13:04 . 2008-03-15 13:04 <DIR> d-------- C:\Program Files\DivX
2008-03-15 13:04 . 2008-03-16 16:50 <DIR> d-------- C:\Program Files\Common Files\Roxio Shared
2008-03-15 13:04 . 2008-03-16 16:49 <DIR> d-------- C:\Documents and Settings\All Users\Data aplikací\Roxio
2008-03-03 19:48 . 2008-03-03 19:48 <DIR> d-------- C:\Documents and Settings\uži\Bullfrog
2008-03-01 09:59 . 2006-05-23 09:25 4,290,048 --a------ C:\WINDOWS\Heroes of Might and Magic V.scr
2008-02-23 17:51 . 2008-02-24 09:28 <DIR> d-------- C:\Documents and Settings\uživatel\Data aplikací\DMCache
2008-02-23 11:46 . 2008-03-19 17:36 <DIR> d-------- C:\Program Files\Ad-Aware 2007
2008-02-23 11:46 . 2008-02-23 11:48 <DIR> d-------- C:\Documents and Settings\All Users\Data aplikací\Lavasoft
2008-02-23 11:45 . 2008-02-23 11:45 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-22 17:29 . 2008-02-22 17:29 8,192 --ahs---- C:\WINDOWS\Thumbs.db
2008-02-22 15:40 . 2008-02-22 23:46 <DIR> d-------- C:\Program Files\SUPER
2008-02-22 15:40 . 2008-02-04 20:26 151,040 ---hs---- C:\WINDOWS\system32\VistaUltm.dll
2008-02-22 15:40 . 2005-02-22 17:55 81,920 -r-hs---- C:\WINDOWS\system32\aac_parser.ax
2008-02-22 15:40 . 2007-02-21 12:47 31,232 -r-hs---- C:\WINDOWS\system32\msfDX.dll
2008-02-22 15:40 . 2007-12-17 14:43 27,648 ---hs---- C:\WINDOWS\system32\Smab0.dll
2008-02-22 15:24 . 2008-03-21 10:36 <DIR> d-------- C:\Program Files\Torrents
2008-02-21 18:17 . 2008-02-22 22:20 <DIR> d-------- C:\Program Files\TVUPlayer
2008-02-21 18:12 . 2008-02-21 18:12 <DIR> d-------- C:\Documents and Settings\All Users\Data aplikací\TVU networks
2008-02-21 18:00 . 2008-02-21 18:00 <DIR> d-------- C:\Documents and Settings\uživatel\Data aplikací\TVU Networks
2008-02-21 17:17 . 2008-02-21 19:09 <DIR> d-------- C:\Program Files\SopCast
2008-02-21 17:01 . 2008-02-21 17:01 <DIR> d-------- C:\Documents and Settings\uživatel\Data aplikací\ppStream
2008-02-21 17:01 . 2008-02-23 12:26 569 --a------ C:\WINDOWS\psnetwork.ini
2008-02-21 17:01 . 2008-02-23 12:23 35 --a------ C:\WINDOWS\powerplayer.ini
2008-02-21 16:59 . 2008-02-21 16:59 57 --a------ C:\WINDOWS\system32\peer.ini
2008-02-21 16:49 . 2008-02-21 16:49 <DIR> d-------- C:\Documents and Settings\uživatel\Data aplikací\PPMate
2008-02-21 16:48 . 2008-02-23 12:21 <DIR> d-------- C:\Program Files\PPMate
2008-02-21 16:48 . 2008-02-21 16:48 <DIR> d-------- C:\Program Files\Common Files\Synacast

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-21 10:14 --------- d-----w C:\Program Files\Common Files\InterVideo
2008-03-21 10:12 --------- d---a-w C:\Documents and Settings\All Users\Data aplikací\TEMP
2008-03-19 20:24 --------- d-----w C:\Documents and Settings\uživatel\Data aplikací\uTorrent
2008-03-16 15:52 --------- d-----w C:\Program Files\Your Uninstaller 2008
2008-03-06 18:48 --------- d-----w C:\Program Files\Winamp
2008-03-03 16:02 --------- d-----w C:\Program Files\PeerGuardian2
2008-02-20 10:11 33,800 ----a-w C:\WINDOWS\system32\drivers\epfwtdir.sys
2008-02-20 10:02 29,704 ----a-w C:\WINDOWS\system32\drivers\easdrv.sys
2008-02-20 10:01 39,944 ----a-w C:\WINDOWS\system32\drivers\eamon.sys
2008-02-18 18:21 --------- d-----w C:\Program Files\Common Files\InstallerA
2008-02-18 18:13 --------- d-----w C:\Program Files\Gamenext
2008-02-16 18:46 --------- d---a-w C:\Program Files\Miranda IM
2008-01-31 06:12 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-27 19:45 --------- d-----w C:\Documents and Settings\uživatel\Data aplikací\Vso
2008-01-27 15:57 --------- d-----w C:\Program Files\uTorrent
2008-01-26 11:11 --------- d-----w C:\Program Files\Game XP
2008-01-26 09:27 --------- d-----w C:\Documents and Settings\uživatel\Data aplikací\URSoft
2008-01-24 14:21 359,808 ----a-w C:\WINDOWS\system32\drivers\TCPIP.SYS.ORIGINAL
2008-01-24 14:21 359,808 ----a-w C:\WINDOWS\system32\drivers\TCPIP.SYS
2008-01-23 17:43 512,096 ----a-w C:\WINDOWS\system32\drivers\amon.sys
2008-01-23 17:43 298,104 ----a-w C:\WINDOWS\system32\imon.dll
2008-01-23 17:43 15,424 ----a-w C:\WINDOWS\system32\drivers\nod32drv.sys
2008-01-21 16:57 173 ----a-w C:\WINDOWS\system32\drivers\fwdrv.err
2007-04-30 15:25 81,920 ----a-w C:\Documents and Settings\uživatel\Data aplikací\ezpinst.exe
2007-04-30 15:25 47,360 ----a-w C:\Documents and Settings\uživatel\Data aplikací\pcouffin.sys
2006-05-03 10:06 163,328 --sh--r C:\WINDOWS\system32\flvDX.dll
2007-01-20 11:29 945 --sha-w C:\WINDOWS\system32\mmf.sys
2007-02-21 11:47 31,232 --sh--r C:\WINDOWS\system32\msfDX.dll
2007-12-17 13:43 27,648 --sh--w C:\WINDOWS\system32\Smab0.dll
.

------- Sigcheck -------

2005-03-14 02:17 359936 6129e70f3d2f1e60860c930ebeaf92c2 C:\WINDOWS\$hf_mig$\KB893066\SP2QFE\tcpip.sys
2001-10-25 13:00 327168 e7774698bb0d14b0710a9a31e209f9b6 C:\WINDOWS\$NtServicePackUninstall$\tcpip.sys
2004-08-03 22:14 359040 9f4b36614a0fc234525ba224957de55c C:\WINDOWS\$NtUninstallKB893066$\tcpip.sys
2004-08-03 22:14 359040 9f4b36614a0fc234525ba224957de55c C:\WINDOWS\ServicePackFiles\i386\TCPIP.SYS
2005-03-14 01:55 359808 0e66b538096a6529d1ac66e78eb0d5c8 C:\WINDOWS\SoftwareDistribution\Download\465d74f489a08daa339a96fd1eedeb4e\sp2gdr\tcpip.sys
2005-03-14 02:17 359936 6129e70f3d2f1e60860c930ebeaf92c2 C:\WINDOWS\SoftwareDistribution\Download\465d74f489a08daa339a96fd1eedeb4e\sp2qfe\tcpip.sys
2008-01-24 15:21 359808 f91e8f4c501f2128d7a92f723b6d6577 C:\WINDOWS\system32\dllcache\TCPIP.SYS
2008-01-24 15:21 359808 f91e8f4c501f2128d7a92f723b6d6577 C:\WINDOWS\system32\drivers\TCPIP.SYS
.
((((((((((((((((((((((((((((( snapshot@2008-03-20_ 7.21.52,84 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-02-22 00:23:35 135,168 ----a-w C:\WINDOWS\system32\java.exe
+ 2008-02-22 00:23:39 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
+ 2008-02-22 01:33:32 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-17 14:49 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 17:24 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LXSUPMON"="C:\WINDOWS\system32\LXSUPMON.exe" [2002-01-28 13:48 885760]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-03-20 16:34 213936]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2006-03-20 16:34 86960]
"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-03-20 16:34 213936]
"egui"="C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-02-20 11:06 1443072]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"lhoend"="C:\WINDOWS\TEMP\ctlhmme.nls WLEntryPoint" [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"RunStartupScriptSync"= 0 (0x0)
"SynchronousMachineGroupPolicy"= 0 (0x0)
"SynchronousUserGroupPolicy"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoStrCmpLogical"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"mshgm"= rundll32.exe "C:\WINDOWS\system32\msdgjmlof.dll" WLEntryPoint

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMBalloonTip"= 1 (0x1)
"MemCheckBoxInRunDlg"= 0 (0x0)
"NoAutoTrayNotify"= 0 (0x0)
"NoResolveTrack"= 0 (0x0)
"NoResolveSearch"= 1 (0x1)
"NoWelcomeScreen"= 1 (0x1)
"NoRecentDocsNetHood"= 1 (0x1)
"NoDesktopCleanupWizard"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="logonui.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ritgrqt]
ritgrqt.dll 2004-08-17 14:49 114688 C:\WINDOWS\system32\ritgrqt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
C:\PROGRA~1\WindowBlinds\wbsrv.dll 2005-12-20 21:57 176128 C:\PROGRA~1\WindowBlinds\WbSrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wbsys.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Nabídka Start^Programy^Po spuštění^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Nabídka Start\Programy\Po spuštění\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Nabídka Start^Programy^Po spuštění^GPRSpeed Plus Client.lnk]
path=C:\Documents and Settings\All Users\Nabídka Start\Programy\Po spuštění\GPRSpeed Plus Client.lnk
backup=C:\WINDOWS\pss\GPRSpeed Plus Client.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Nabídka Start^Programy^Po spuštění^InterVideo WinCinema Manager.lnk]
path=C:\Documents and Settings\All Users\Nabídka Start\Programy\Po spuštění\InterVideo WinCinema Manager.lnk
backup=C:\WINDOWS\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^uživatel^Nabídka Start^Programy^Po spuštění^RollerCoaster Tycoon 3 Registration.lnk]
path=C:\Documents and Settings\uživatel\Nabídka Start\Programy\Po spuštění\RollerCoaster Tycoon 3 Registration.lnk
backup=C:\WINDOWS\pss\RollerCoaster Tycoon 3 Registration.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^uživatel^Nabídka Start^Programy^Po spuštění^Ubisoft register.lnk]
path=C:\Documents and Settings\uživatel\Nabídka Start\Programy\Po spuštění\Ubisoft register.lnk
backup=C:\WINDOWS\pss\Ubisoft register.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\antiviirus]
C:\Program Files\antiviirus.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\autoload]
C:\Documents and Settings\uživatel\Local Settings\Application Data\cftmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avast!]
C:\Program Files\Avast4\ashDisp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
C:\PROGRA~1\Grisoft\AVG Free\avgcc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BSplayer_WhenUSave_Installer]
C:\Program Files\BSplayer_WhenUSave_Installer\BSplayer_WhenUSave_Installer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-17 14:49 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
--a------ 2007-04-03 23:29 165784 C:\Program Files\DAEMON Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FreeRAM XP]
--a------ 2006-03-22 23:13 1591808 C:\Program Files\FreeRAM XP Pro\FreeRAM XP Pro.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iftcprom]
C:\WINDOWS\TEMP\p2ptor.sys WLEntryPoint

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
C:\Program Files\Nero\Nero 7\InCD\InCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 17:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ndqgdsdl]
C:\WINDOWS\TEMP\p2ptor.sys WLEntryPoint

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2007-03-09 17:53 153136 C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ntuser]
C:\WINDOWS\system32\drivers\spools.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PromoReg]
C:\WINDOWS\system32\alt.exe.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2005-12-09 12:07 77824 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\retsfahg]
C:\WINDOWS\TEMP\p2ptor.sys WLEntryPoint

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SecurDisc]
C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMSERIAL]
--a------ 2004-01-28 22:42 565248 C:\WINDOWS\sm56hlpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
--a------ 2004-09-16 13:39 69632 C:\WINDOWS\SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Trickler]
c:\program files\divx\divx pro codec\gain_trickler_3202.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VVSN]
C:\Program Files\VVSN\VVSN.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"NOD32krn"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\dplaysvr.exe"=
"C:\\WINDOWS\\system32\\LEXPPS.EXE"=
"C:\\Program Files\\InterVideo\\DVD8\\WinDVD.exe"=
"C:\\Program Files\\FirefoxPortable\\FirefoxPortable.exe"=
"C:\\Program Files\\Miranda IM\\miranda32.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Hry\\Worms Armageddon\\wa.exe"=
"C:\\Program Files\\PPMate\\ppmate.exe"=
"C:\\Program Files\\SopCast\\SopCast.exe"=
"C:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"C:\\Program Files\\PPMate\\ppamnet.exe"=
"C:\\Program Files\\TVUPlayer\\TVUPlayer.exe"=
"C:\\Program Files\\SopCast\\sopvod.exe"=
"C:\\Program Files\\Common Files\\Ahead\\Nero Web\\SetupX.exe"=
"C:\\WINDOWS\\system32\\rundll32.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"44724:TCP"= 44724:TCP:pan port
"8859:TCP"= 8859:TCP:@xpsp2res.dll,-22004
"9374:TCP"= 9374:TCP:@xpsp2res.dll,-22004
"11853:TCP"= 11853:TCP:@xpsp2res.dll,-22004
"46304:TCP"= 46304:TCP:@xpsp2res.dll,-22004
"5307:TCP"= 5307:TCP:@xpsp2res.dll,-22004

R1 epfwtdir;epfwtdir;C:\WINDOWS\system32\DRIVERS\epfwtdir.sys [2008-02-20 11:11]
R2 LicCtrlService;LicCtrl Service;rundll32.exe C:\WINDOWS\mmfs.dll,Service []
R3 PSched;Plánovač paketů technologie QoS;C:\WINDOWS\system32\DRIVERS\psched.sys [2004-08-03 22:04]
R3 usbhub;Ovladač standardního rozbočovače USB;C:\WINDOWS\system32\DRIVERS\usbhub.sys [2004-08-03 22:08]
S2 grande48;grande48;C:\WINDOWS\system32\drivers\grande48.sys []
S3 adusbmdm6501;AnyDATA CDMA USB Modem Driver (PID 6501);C:\WINDOWS\system32\DRIVERS\adusbmdm65.sys [2005-05-02 12:55]
S3 adusbser6501;AnyDATA CDMA USB Serial Port (PID 6501);C:\WINDOWS\system32\DRIVERS\adusbser65.sys [2005-05-02 12:55]
S3 SetupNTGLM7X;SetupNTGLM7X;D:\NTGLM7X.sys []
S3 usb2vcom;USB Data Cable;C:\WINDOWS\system32\DRIVERS\usb2vcom.sys [2005-08-06 04:06]
S3 usbccgp;Obecný nadřazený ovladač Microsoft USB;C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2004-08-03 22:08]
S3 USBSTOR;Ovladač velkokapacitního paměťového zařízení USB;C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-03 22:08]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f72c2d0d-4fbc-11db-8aa0-0011098da354}]
\Shell\AutoRun\command - H:\autorun.exe

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-21 21:00:12
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-03-21 21:00:35
ComboFix-quarantined-files.txt 2008-03-21 20:00:33
ComboFix2.txt 2008-03-20 06:22:03

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:02:59, on 21.3.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\LXSUPMON.EXE
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\oodag.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\FirefoxPortable\App\firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O3 - Toolbar: (no name) - {70DE7956-479D-4eb7-8641-2B45774C350E} - (no file)
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\system32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [lhoend] rundll32.exe "C:\WINDOWS\TEMP\iasfgjahd.drv" WLEntryPoint
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKLM\..\Policies\Explorer\Run: [mshgm] rundll32.exe "C:\WINDOWS\system32\msdgjmlof.dll" WLEntryPoint
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O8 - Extra context menu item: Add to AMV Convert Tool... - C:\Program Files\MP3 Player Utilities 4.00\AMVConverter\grab.html
O8 - Extra context menu item: Add to AMV Converter... - C:\Program Files\MP3 Player Utilities 4.05\AMVConverter\grab.html
O8 - Extra context menu item: E&xportovat do aplikace Microsoft Office Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: MediaManager tool grab multimedia file - C:\Program Files\MP3 Player Utilities 4.05\MediaManager\grab.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Zdroje informací - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: ritgrqt - C:\WINDOWS\SYSTEM32\ritgrqt.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - rundll32.exe (file missing)
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe

--
End of file - 5360 bytes

fredik (member of the Security team)

Re: Please check my log

Post by fredik » 22 Mar 2008 09:40

Create a new CFScript and this time paste the following into it:

Code:

KillAll::

Driver::
grande48

File::
C:\WINDOWS\system32\msdgjmlof.dll
C:\WINDOWS\TEMP\iasfgjahd.drv
C:\Documents and Settings\LocalService\ftpdll.dll
C:\WINDOWS\system32\ftpdll.dll
C:\Documents and Settings\uživatel\ftpdll.dll
C:\-2132409765
C:\WINDOWS\TEMP\ctlhmme.nls
C:\WINDOWS\TEMP\p2ptor.sys
C:\WINDOWS\system32\alt.exe.exe
C:\WINDOWS\system32\ritgrqt.dll
C:\Program Files\antiviirus.exe
c:\program files\divx\divx pro codec\gain_trickler_3202.exe
C:\WINDOWS\TEMP\cabpii.sys
C:\WINDOWS\TEMP\kbdlk.nls
C:\WINDOWS\TEMP\webqoho.drv

Folder::
C:\Program Files\BSplayer_WhenUSave_Installer
C:\Program Files\VVSN

DirLook::
C:\WINDOWS\TEMP

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"lhoend"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"mshgm"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ritgrqt]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\antiviirus]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\autoload]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BSplayer_WhenUSave_Installer]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iftcprom]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ndqgdsdl]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PromoReg]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\retsfahg]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ntuser]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VVSN]

- use it the same way as already described, and then paste its log here once it has finished.

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

Run a scan and paste the log from Kaspersky Online Scanner here! (it has to be run in IE)
- click the Accept button
- you will be prompted to install an ActiveX component from Kaspersky; allow it
- the program will download the database it needs
- after the download, click the option: (image)
Then click the button: Scan Settings
- you will get to the Scan settings window; select the following options there:

Under the item: Scan using the following antivirus database:
    standard - detect viruses, worms, Trojans, rootkits
Under the item: Scan Options: - leave both options selected:
    Scan Archives - scan files inside archives
    Scan Mail Bases - scan e-mails/attachments inside mail base files
Then click the OK button

Now, under the item Please select a target to scan, choose the option:
(image)
- the system scan will start
- once it has finished, a list of what it found will be shown
Click the Save Report As... button
- save it, for example, to the desktop with these parameters:
- File name: type: Kavlog
- Save as type: select: Text file (*.txt)

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

In your next post, paste these logs/results here:
- the ComboFix log after running the script
- the Kaspersky Online Scanner log
It may take a while to get a response, because the "HJT Team" are very busy. Please, be patient, these people are volunteers. They will help you out, as soon as possible.
If you have a problem, do not send me PMs with logs; post them in the forum. Such PMs cannot be answered.
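Triage of the autostart and firewall entries in the logs above, as an added example (editor's own Python, not part of this thread and not code from HijackThis, ComboFix or any other tool named here). It encodes the patterns the reply above acts on: rundll32 loading a .drv/.sys/.nls file out of C:\WINDOWS\TEMP, an .exe sitting in system32\drivers, a double extension, a name one letter away from a system binary (spools.exe, cftmon.exe), an unrecognised Winlogon Notify handler, and an autostart under Policies\Explorer\Run. It also diffs the two GloballyOpenPorts lists, which differ between the two ComboFix runs on this page in every entry except 44724 and 5307, so something re-registers fresh firewall exceptions between boots. The sample lines are excerpts copied from the logs in this thread; the list of default XP Winlogon Notify handlers and the Policies\Explorer\Run heuristic are the editor's assumptions, and every hit is a prompt to look, not a verdict.

```python
"""Heuristic triage of HijackThis / ComboFix autostart and firewall lines.

Added example (editor's own code); not part of the forum thread and not
code from HijackThis, ComboFix or any other tool named there.  The sample
lines are excerpts copied from the logs in the thread; the heuristics are
simple path/extension patterns, not a signature set.
"""
import re

# A Windows path ending in an executable-ish extension; the trailing `+` keeps
# stacked extensions such as alt.exe.exe together for the double-extension check.
PATH_RE = re.compile(
    r'[A-Za-z]:\\[^"\r\n]*?(?:\.(?:exe|dll|sys|drv|nls|scr|cpl))+(?=[\s",\]]|$)',
    re.IGNORECASE,
)
PORT_RE = re.compile(r'"(\d+):(TCP|UDP)"=')

# Default Winlogon Notify handlers on Windows XP SP2 (assumption: editor's list
# of the stock handlers; add vendor handlers you have verified yourself).
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                "sclgntfy", "senslogn", "termsrv", "wlballoon"}

# Names one typo away from real system binaries (both pairs occur in the thread).
LOOKALIKES = {"spools.exe": "spoolsv.exe", "cftmon.exe": "ctfmon.exe"}

TEMP_DIRS = ("\\windows\\temp\\", "\\local settings\\temp\\")
NON_DLL = (".sys", ".drv", ".nls")

# Constructed sample: lines copied from the HijackThis and ComboFix logs above.
SAMPLE_LOG = r'''
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [lhoend] rundll32.exe "C:\WINDOWS\TEMP\iasfgjahd.drv" WLEntryPoint
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Policies\Explorer\Run: [mshgm] rundll32.exe "C:\WINDOWS\system32\msdgjmlof.dll" WLEntryPoint
O20 - Winlogon Notify: ritgrqt - C:\WINDOWS\SYSTEM32\ritgrqt.dll
"cpkarme"="C:\WINDOWS\TEMP\streqdqm.sys WLEntryPoint" [ ]
C:\WINDOWS\system32\drivers\spools.exe
C:\WINDOWS\system32\alt.exe.exe
C:\Documents and Settings\uživatel\Local Settings\Application Data\cftmon.exe
'''

# Constructed sample: the GloballyOpenPorts lists from the 21.3. and 22.3. runs.
FIREWALL_RUN1 = r'''
"44724:TCP"= 44724:TCP:pan port
"8859:TCP"= 8859:TCP:@xpsp2res.dll,-22004
"9374:TCP"= 9374:TCP:@xpsp2res.dll,-22004
"11853:TCP"= 11853:TCP:@xpsp2res.dll,-22004
"46304:TCP"= 46304:TCP:@xpsp2res.dll,-22004
"5307:TCP"= 5307:TCP:@xpsp2res.dll,-22004
'''
FIREWALL_RUN2 = r'''
"44724:TCP"= 44724:TCP:pan port
"42210:TCP"= 42210:TCP:@xpsp2res.dll,-22004
"17385:TCP"= 17385:TCP:@xpsp2res.dll,-22004
"19500:TCP"= 19500:TCP:@xpsp2res.dll,-22004
"3363:TCP"= 3363:TCP:@xpsp2res.dll,-22004
"5307:TCP"= 5307:TCP:@xpsp2res.dll,-22004
'''


def flag_line(line: str) -> list[str]:
    """Return human-readable reasons why one autostart line deserves a look."""
    reasons = []
    low = line.lower()
    if "policies\\explorer\\run" in low:
        reasons.append("autostart via Policies\\Explorer\\Run (rarely used legitimately)")
    for path in PATH_RE.findall(line):
        p = path.lower()
        name = p.rsplit("\\", 1)[-1]
        if any(d in p for d in TEMP_DIRS):
            reasons.append(f"{name}: autostart from a TEMP directory")
        if p.endswith(NON_DLL) and ("rundll32" in low or "wlentrypoint" in low):
            reasons.append(f"{name}: non-DLL extension loaded as a DLL")
        if "\\drivers\\" in p and p.endswith(".exe"):
            reasons.append(f"{name}: .exe placed in the drivers directory")
        if re.search(r"\.(exe|dll|sys|drv)\.(exe|dll|sys|drv)$", name):
            reasons.append(f"{name}: double extension")
        if name in LOOKALIKES:
            reasons.append(f"{name}: mimics {LOOKALIKES[name]}")
        if ("winlogon notify" in low or "winlogon\\notify" in low) \
                and name[:-4] not in KNOWN_NOTIFY:
            reasons.append(f"{name}: unrecognised Winlogon Notify handler")
    return reasons


def triage(log_text: str) -> dict[str, list[str]]:
    """Map each suspicious line of a log excerpt to the reasons it was flagged."""
    out = {}
    for line in log_text.splitlines():
        r = flag_line(line)
        if r:
            out[line.strip()] = r
    return out


def open_ports(firewall_text: str) -> set[str]:
    """Ports from a GloballyOpenPorts\\List dump, as 'port/proto' strings."""
    return {f"{p}/{proto}" for p, proto in PORT_RE.findall(firewall_text)}


def port_churn(old: str, new: str) -> tuple[set[str], set[str]]:
    """(exceptions gone, exceptions newly opened) between two dumps of one machine."""
    a, b = open_ports(old), open_ports(new)
    return a - b, b - a


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG).items():
        print(line)
        for r in reasons:
            print("   ->", r)
    gone, new = port_churn(FIREWALL_RUN1, FIREWALL_RUN2)
    print("firewall exceptions closed since previous run:", sorted(gone))
    print("firewall exceptions opened since previous run:", sorted(new))
```

Run it on a saved HijackThis or ComboFix log by passing the file contents to triage(); the egui and ctfmon lines come through clean, while every entry fredik put into the CFScript above is flagged for at least one reason. The port diff is the more telling check on this machine: four of the six exceptions are replaced by four new random ports between the two runs, which no legitimate installed program does.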

štefy (Level 2)

Re: Please check my log

Post by štefy » 22 Mar 2008 12:39

ComboFix 08-03-18.1 - uživatel 2008-03-22 11:29:45.3 - NTFSx86
Systém Microsoft Windows XP Professional 5.1.2600.2.1250.1.1029.18.211 [GMT 1:00]
Running from: C:\Documents and Settings\uživatel\Plocha\ComboFix.exe
Command switches used :: C:\Documents and Settings\uživatel\Plocha\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-02-22 to 2008-03-22 )))))))))))))))))))))))))))))))
.

2008-03-21 11:21 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-03-21 11:20 . 2008-03-21 11:21 <DIR> d-------- C:\Program Files\Java
2008-03-21 11:20 . 2008-03-21 11:20 <DIR> d-------- C:\Program Files\Common Files\Java
2008-03-19 19:45 . 2005-03-02 19:18 577,024 --a--c--- C:\WINDOWS\system32\dllcache\user32.dll
2008-03-19 19:43 . 2008-03-19 19:44 <DIR> d-------- C:\WINDOWS\ERUNT
2008-03-19 19:38 . 2008-03-19 19:54 <DIR> d-------- C:\SDFix
2008-03-19 17:40 . 2008-03-19 17:40 <DIR> d-------- C:\Documents and Settings\All Users\Data aplikací\ESET
2008-03-19 17:10 . 2008-03-19 17:10 <DIR> d-------- C:\Program Files\ESET
2008-03-16 18:42 . 2008-03-16 18:42 <DIR> d-------- C:\Program Files\CCleaner
2008-03-16 15:37 . 2008-03-19 19:20 5,120 --a------ C:\Documents and Settings\LocalService\ftpdll.dll
2008-03-15 13:17 . 2008-03-15 13:17 2 --a------ C:\-2132409765
2008-03-15 13:16 . 2008-03-19 19:20 5,120 --a------ C:\WINDOWS\system32\ftpdll.dll
2008-03-15 13:16 . 2008-03-19 17:29 5,120 --a------ C:\Documents and Settings\uživatel\ftpdll.dll
2008-03-15 13:16 . 2008-03-19 17:29 5,120 --a------ C:\Documents and Settings\uživatel\ftpdll.dll
2008-03-15 13:07 . 2008-03-15 13:07 <DIR> d-------- C:\Documents and Settings\uživatel\Data aplikací\Roxio
2008-03-15 13:06 . 2008-03-15 13:06 <DIR> d-------- C:\Documents and Settings\All Users\Data aplikací\Sonic
2008-03-15 13:04 . 2008-03-15 13:04 <DIR> d-------- C:\Program Files\DivX
2008-03-15 13:04 . 2008-03-16 16:50 <DIR> d-------- C:\Program Files\Common Files\Roxio Shared
2008-03-15 13:04 . 2008-03-16 16:49 <DIR> d-------- C:\Documents and Settings\All Users\Data aplikací\Roxio
2008-03-03 19:48 . 2008-03-03 19:48 <DIR> d-------- C:\Documents and Settings\uži\Bullfrog
2008-03-01 09:59 . 2006-05-23 09:25 4,290,048 --a------ C:\WINDOWS\Heroes of Might and Magic V.scr
2008-02-23 17:51 . 2008-02-24 09:28 <DIR> d-------- C:\Documents and Settings\uživatel\Data aplikací\DMCache
2008-02-23 11:46 . 2008-03-19 17:36 <DIR> d-------- C:\Program Files\Ad-Aware 2007
2008-02-23 11:46 . 2008-02-23 11:48 <DIR> d-------- C:\Documents and Settings\All Users\Data aplikací\Lavasoft
2008-02-23 11:45 . 2008-02-23 11:45 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-22 17:29 . 2008-02-22 17:29 8,192 --ahs---- C:\WINDOWS\Thumbs.db
2008-02-22 15:40 . 2008-02-22 23:46 <DIR> d-------- C:\Program Files\SUPER
2008-02-22 15:40 . 2008-02-04 20:26 151,040 ---hs---- C:\WINDOWS\system32\VistaUltm.dll
2008-02-22 15:40 . 2005-02-22 17:55 81,920 -r-hs---- C:\WINDOWS\system32\aac_parser.ax
2008-02-22 15:40 . 2007-02-21 12:47 31,232 -r-hs---- C:\WINDOWS\system32\msfDX.dll
2008-02-22 15:40 . 2007-12-17 14:43 27,648 ---hs---- C:\WINDOWS\system32\Smab0.dll
2008-02-22 15:24 . 2008-03-21 10:36 <DIR> d-------- C:\Program Files\Torrents

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-21 10:14 --------- d-----w C:\Program Files\Common Files\InterVideo
2008-03-21 10:12 --------- d---a-w C:\Documents and Settings\All Users\Data aplikací\TEMP
2008-03-19 20:24 --------- d-----w C:\Documents and Settings\uživatel\Data aplikací\uTorrent
2008-03-16 15:52 --------- d-----w C:\Program Files\Your Uninstaller 2008
2008-03-06 18:48 --------- d-----w C:\Program Files\Winamp
2008-03-03 16:02 --------- d-----w C:\Program Files\PeerGuardian2
2008-02-23 11:21 --------- d-----w C:\Program Files\PPMate
2008-02-22 21:20 --------- d-----w C:\Program Files\TVUPlayer
2008-02-21 18:09 --------- d-----w C:\Program Files\SopCast
2008-02-21 17:12 --------- d-----w C:\Documents and Settings\All Users\Data aplikací\TVU networks
2008-02-21 17:00 --------- d-----w C:\Documents and Settings\uživatel\Data aplikací\TVU Networks
2008-02-21 16:01 --------- d-----w C:\Documents and Settings\uživatel\Data aplikací\ppStream
2008-02-21 15:49 --------- d-----w C:\Documents and Settings\uživatel\Data aplikací\PPMate
2008-02-21 15:48 --------- d-----w C:\Program Files\Common Files\Synacast
2008-02-20 10:11 33,800 ----a-w C:\WINDOWS\system32\drivers\epfwtdir.sys
2008-02-20 10:02 29,704 ----a-w C:\WINDOWS\system32\drivers\easdrv.sys
2008-02-20 10:01 39,944 ----a-w C:\WINDOWS\system32\drivers\eamon.sys
2008-02-18 18:21 --------- d-----w C:\Program Files\Common Files\InstallerA
2008-02-18 18:13 --------- d-----w C:\Program Files\Gamenext
2008-02-16 18:46 --------- d---a-w C:\Program Files\Miranda IM
2008-01-31 06:12 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-27 19:45 --------- d-----w C:\Documents and Settings\uživatel\Data aplikací\Vso
2008-01-27 15:57 --------- d-----w C:\Program Files\uTorrent
2008-01-26 11:11 --------- d-----w C:\Program Files\Game XP
2008-01-26 09:27 --------- d-----w C:\Documents and Settings\uživatel\Data aplikací\URSoft
2008-01-24 14:21 359,808 ----a-w C:\WINDOWS\system32\drivers\TCPIP.SYS.ORIGINAL
2008-01-24 14:21 359,808 ----a-w C:\WINDOWS\system32\drivers\TCPIP.SYS
2008-01-23 17:43 512,096 ----a-w C:\WINDOWS\system32\drivers\amon.sys
2008-01-23 17:43 298,104 ----a-w C:\WINDOWS\system32\imon.dll
2008-01-23 17:43 15,424 ----a-w C:\WINDOWS\system32\drivers\nod32drv.sys
2007-04-30 15:25 81,920 ----a-w C:\Documents and Settings\uživatel\Data aplikací\ezpinst.exe
2007-04-30 15:25 47,360 ----a-w C:\Documents and Settings\uživatel\Data aplikací\pcouffin.sys
2006-05-03 10:06 163,328 --sh--r C:\WINDOWS\system32\flvDX.dll
2007-01-20 11:29 945 --sha-w C:\WINDOWS\system32\mmf.sys
2007-02-21 11:47 31,232 --sh--r C:\WINDOWS\system32\msfDX.dll
2007-12-17 13:43 27,648 --sh--w C:\WINDOWS\system32\Smab0.dll
.

------- Sigcheck -------

2005-03-14 02:17 359936 6129e70f3d2f1e60860c930ebeaf92c2 C:\WINDOWS\$hf_mig$\KB893066\SP2QFE\tcpip.sys
2001-10-25 13:00 327168 e7774698bb0d14b0710a9a31e209f9b6 C:\WINDOWS\$NtServicePackUninstall$\tcpip.sys
2004-08-03 22:14 359040 9f4b36614a0fc234525ba224957de55c C:\WINDOWS\$NtUninstallKB893066$\tcpip.sys
2004-08-03 22:14 359040 9f4b36614a0fc234525ba224957de55c C:\WINDOWS\ServicePackFiles\i386\TCPIP.SYS
2005-03-14 01:55 359808 0e66b538096a6529d1ac66e78eb0d5c8 C:\WINDOWS\SoftwareDistribution\Download\465d74f489a08daa339a96fd1eedeb4e\sp2gdr\tcpip.sys
2005-03-14 02:17 359936 6129e70f3d2f1e60860c930ebeaf92c2 C:\WINDOWS\SoftwareDistribution\Download\465d74f489a08daa339a96fd1eedeb4e\sp2qfe\tcpip.sys
2008-01-24 15:21 359808 f91e8f4c501f2128d7a92f723b6d6577 C:\WINDOWS\system32\dllcache\TCPIP.SYS
2008-01-24 15:21 359808 f91e8f4c501f2128d7a92f723b6d6577 C:\WINDOWS\system32\drivers\TCPIP.SYS
.
((((((((((((((((((((((((((((( snapshot@2008-03-20_ 7.21.52,84 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-02-22 00:23:35 135,168 ----a-w C:\WINDOWS\system32\java.exe
+ 2008-02-22 00:23:39 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
+ 2008-02-22 01:33:32 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-17 14:49 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 17:24 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LXSUPMON"="C:\WINDOWS\system32\LXSUPMON.exe" [2002-01-28 13:48 885760]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-03-20 16:34 213936]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2006-03-20 16:34 86960]
"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-03-20 16:34 213936]
"egui"="C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-02-20 11:06 1443072]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"cpkarme"="C:\WINDOWS\TEMP\streqdqm.sys WLEntryPoint" [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"RunStartupScriptSync"= 0 (0x0)
"SynchronousMachineGroupPolicy"= 0 (0x0)
"SynchronousUserGroupPolicy"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoStrCmpLogical"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"mshgm"= rundll32.exe "C:\WINDOWS\system32\msdgjmlof.dll" WLEntryPoint

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMBalloonTip"= 1 (0x1)
"MemCheckBoxInRunDlg"= 0 (0x0)
"NoAutoTrayNotify"= 0 (0x0)
"NoResolveTrack"= 0 (0x0)
"NoResolveSearch"= 1 (0x1)
"NoWelcomeScreen"= 1 (0x1)
"NoRecentDocsNetHood"= 1 (0x1)
"NoDesktopCleanupWizard"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="logonui.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ritgrqt]
ritgrqt.dll 2004-08-17 14:49 114688 C:\WINDOWS\system32\ritgrqt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
C:\PROGRA~1\WindowBlinds\wbsrv.dll 2005-12-20 21:57 176128 C:\PROGRA~1\WindowBlinds\WbSrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wbsys.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Nabídka Start^Programy^Po spuštění^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Nabídka Start\Programy\Po spuštění\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Nabídka Start^Programy^Po spuštění^GPRSpeed Plus Client.lnk]
path=C:\Documents and Settings\All Users\Nabídka Start\Programy\Po spuštění\GPRSpeed Plus Client.lnk
backup=C:\WINDOWS\pss\GPRSpeed Plus Client.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Nabídka Start^Programy^Po spuštění^InterVideo WinCinema Manager.lnk]
path=C:\Documents and Settings\All Users\Nabídka Start\Programy\Po spuštění\InterVideo WinCinema Manager.lnk
backup=C:\WINDOWS\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^uživatel^Nabídka Start^Programy^Po spuštění^RollerCoaster Tycoon 3 Registration.lnk]
path=C:\Documents and Settings\uživatel\Nabídka Start\Programy\Po spuštění\RollerCoaster Tycoon 3 Registration.lnk
backup=C:\WINDOWS\pss\RollerCoaster Tycoon 3 Registration.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^uživatel^Nabídka Start^Programy^Po spuštění^Ubisoft register.lnk]
path=C:\Documents and Settings\uživatel\Nabídka Start\Programy\Po spuštění\Ubisoft register.lnk
backup=C:\WINDOWS\pss\Ubisoft register.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\antiviirus]
C:\Program Files\antiviirus.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\autoload]
C:\Documents and Settings\uživatel\Local Settings\Application Data\cftmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avast!]
C:\Program Files\Avast4\ashDisp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
C:\PROGRA~1\Grisoft\AVG Free\avgcc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BSplayer_WhenUSave_Installer]
C:\Program Files\BSplayer_WhenUSave_Installer\BSplayer_WhenUSave_Installer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-17 14:49 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
--a------ 2007-04-03 23:29 165784 C:\Program Files\DAEMON Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FreeRAM XP]
--a------ 2006-03-22 23:13 1591808 C:\Program Files\FreeRAM XP Pro\FreeRAM XP Pro.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iftcprom]
C:\WINDOWS\TEMP\p2ptor.sys WLEntryPoint

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
C:\Program Files\Nero\Nero 7\InCD\InCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 17:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ndqgdsdl]
C:\WINDOWS\TEMP\p2ptor.sys WLEntryPoint

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2007-03-09 17:53 153136 C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ntuser]
C:\WINDOWS\system32\drivers\spools.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PromoReg]
C:\WINDOWS\system32\alt.exe.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2005-12-09 12:07 77824 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\retsfahg]
C:\WINDOWS\TEMP\p2ptor.sys WLEntryPoint

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SecurDisc]
C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMSERIAL]
--a------ 2004-01-28 22:42 565248 C:\WINDOWS\sm56hlpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
--a------ 2004-09-16 13:39 69632 C:\WINDOWS\SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Trickler]
c:\program files\divx\divx pro codec\gain_trickler_3202.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VVSN]
C:\Program Files\VVSN\VVSN.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"NOD32krn"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\dplaysvr.exe"=
"C:\\WINDOWS\\system32\\LEXPPS.EXE"=
"C:\\Program Files\\InterVideo\\DVD8\\WinDVD.exe"=
"C:\\Program Files\\FirefoxPortable\\FirefoxPortable.exe"=
"C:\\Program Files\\Miranda IM\\miranda32.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Hry\\Worms Armageddon\\wa.exe"=
"C:\\Program Files\\PPMate\\ppmate.exe"=
"C:\\Program Files\\SopCast\\SopCast.exe"=
"C:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"C:\\Program Files\\PPMate\\ppamnet.exe"=
"C:\\Program Files\\TVUPlayer\\TVUPlayer.exe"=
"C:\\Program Files\\SopCast\\sopvod.exe"=
"C:\\Program Files\\Common Files\\Ahead\\Nero Web\\SetupX.exe"=
"C:\\WINDOWS\\system32\\rundll32.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"44724:TCP"= 44724:TCP:pan port
"42210:TCP"= 42210:TCP:@xpsp2res.dll,-22004
"17385:TCP"= 17385:TCP:@xpsp2res.dll,-22004
"19500:TCP"= 19500:TCP:@xpsp2res.dll,-22004
"3363:TCP"= 3363:TCP:@xpsp2res.dll,-22004
"5307:TCP"= 5307:TCP:@xpsp2res.dll,-22004

R1 epfwtdir;epfwtdir;C:\WINDOWS\system32\DRIVERS\epfwtdir.sys [2008-02-20 11:11]
R2 LicCtrlService;LicCtrl Service;rundll32.exe C:\WINDOWS\mmfs.dll,Service []
R3 PSched;Plánovač paketů technologie QoS;C:\WINDOWS\system32\DRIVERS\psched.sys [2004-08-03 22:04]
R3 usbhub;Ovladač standardního rozbočovače USB;C:\WINDOWS\system32\DRIVERS\usbhub.sys [2004-08-03 22:08]
S2 grande48;grande48;C:\WINDOWS\system32\drivers\grande48.sys []
S3 adusbmdm6501;AnyDATA CDMA USB Modem Driver (PID 6501);C:\WINDOWS\system32\DRIVERS\adusbmdm65.sys [2005-05-02 12:55]
S3 adusbser6501;AnyDATA CDMA USB Serial Port (PID 6501);C:\WINDOWS\system32\DRIVERS\adusbser65.sys [2005-05-02 12:55]
S3 SetupNTGLM7X;SetupNTGLM7X;D:\NTGLM7X.sys []
S3 usb2vcom;USB Data Cable;C:\WINDOWS\system32\DRIVERS\usb2vcom.sys [2005-08-06 04:06]
S3 usbccgp;Obecný nadřazený ovladač Microsoft USB;C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2004-08-03 22:08]
S3 USBSTOR;Ovladač velkokapacitního paměťového zařízení USB;C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-03 22:08]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f72c2d0d-4fbc-11db-8aa0-0011098da354}]
\Shell\AutoRun\command - H:\autorun.exe

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-22 11:31:58
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-03-22 11:32:21
ComboFix-quarantined-files.txt 2008-03-22 10:32:18
ComboFix2.txt 2008-03-21 20:00:36
ComboFix3.txt 2008-03-20 06:22:03



-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Saturday, March 22, 2008 12:38:22 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 22/03/2008
Kaspersky Anti-Virus database records: 591137
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
G:\

Scan Statistics:
Total number of scanned objects: 60832
Number of viruses found: 8
Number of infected objects: 19
Number of suspicious objects: 0
Duration of the scan process: 00:43:38

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Data aplikací\ESET\ESET NOD32 Antivirus\Charon\CACHE.NDB Object is locked skipped
C:\Documents and Settings\All Users\Data aplikací\ESET\ESET NOD32 Antivirus\Logs\virlog.dat Object is locked skipped
C:\Documents and Settings\All Users\Data aplikací\ESET\ESET NOD32 Antivirus\Logs\warnlog.dat Object is locked skipped
C:\Documents and Settings\LocalService\ftpdll.dll Infected: Trojan-Downloader.Win32.Small.tcw skipped
C:\Documents and Settings\LocalService\Local Settings\Data aplikací\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Data aplikací\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Data aplikací\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Data aplikací\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\ucatchme.zip/ntos.exe Infected: Trojan-Spy.Win32.Zbot.aow skipped
C:\Documents and Settings\ucatchme.zip/ndisaluo.sys Infected: Rootkit.Win32.Agent.adh skipped
C:\Documents and Settings\ucatchme.zip/spools.exe Infected: Worm.Win32.Socks.s skipped
C:\Documents and Settings\ucatchme.zip ZIP: infected - 3 skipped
C:\Documents and Settings\uživatel\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\uživatel\ftpdll.dll Infected: Trojan-Downloader.Win32.Small.tcw skipped
C:\Documents and Settings\uživatel\Local Settings\Data aplikací\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\uživatel\Local Settings\Data aplikací\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\uživatel\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\uživatel\Local Settings\Temp\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\uživatel\Local Settings\Temp\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\uživatel\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\uživatel\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\uživatel\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\uživatel\ntuser.dat.LOG Object is locked skipped
C:\QooBox\Quarantine\C\Documents and Settings\uživatel\iexplorer.exe.vir Infected: Worm.Win32.Socks.s skipped
C:\SDFix\backups\backups.zip/backups/tmp0.exe Infected: Trojan-Downloader.Win32.Small.ivo skipped
C:\SDFix\backups\backups.zip ZIP: infected - 1 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{3B74E4BC-2B5F-433E-AD5E-13F0EC583B53}\RP10\change.log Object is locked skipped
C:\System Volume Information\_restore{3B74E4BC-2B5F-433E-AD5E-13F0EC583B53}\RP2\A0000003.exe Infected: Worm.Win32.Socks.s skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\ACEEvent.evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\CM5FBI9T\rbfgg[1].htm Infected: Trojan.Win32.Pakes.cjm skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\drivers\vaxscsi.sys Object is locked skipped
C:\WINDOWS\system32\ftpdll.dll Infected: Trojan-Downloader.Win32.Small.tcw skipped
C:\WINDOWS\system32\gnitsrqt.dll Infected: Email-Worm.Win32.Locksky.df skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\mmf.sys Object is locked skipped
C:\WINDOWS\system32\msdgjmlof.dll Infected: Email-Worm.Win32.Locksky.dm skipped
C:\WINDOWS\system32\ritgrqt.dll Infected: Email-Worm.Win32.Locksky.dm skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\system32\webdsnah.sys Infected: Email-Worm.Win32.Locksky.dm skipped
C:\WINDOWS\TEMP\kbddsipna.dll Infected: Email-Worm.Win32.Locksky.dm skipped
C:\WINDOWS\TEMP\netdchnrk.nls Infected: Email-Worm.Win32.Locksky.dm skipped
C:\WINDOWS\TEMP\vgaikqcmj.nls Infected: Email-Worm.Win32.Locksky.dm skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

fredik
Security team member
Master Level 7
Posts: 4680
Registered: July 06
Gender: Male

Re: Please check my log

Post by fredik » 23 Mar 2008 09:43

Download Registry Search (by Bobbi Flekman) and save it to your disk.
- create a directory/folder on the disk and extract the contents of the downloaded archive regsearch.zip into it

Open Notepad (Start -> Run..., type Notepad in the box and click OK)
Copy the whole of the following text marked in blue into it:
RegSearch Options File

[Search]
webdsnah
p2ptor
cabpii

[Exclude]

[Options]
Filter=KVDLUI

Choose File -> Save As... and set these parameters:
File name: type options.txt here
Save as type: select All Files there
Save the file into the directory/folder where you have already extracted regsearch.

Run the file regsearch.exe and a window will open.
- click the Import... button there; a window opens in which you select the Options file and click Open.
- then click the OK button in the main window
The search will start; once it has finished, paste the log that is displayed here.
It may take a while to get a response, because the "HJT Team" are very busy. Please, be patient, these people are volunteers. They will help you out, as soon as possible.
If you have a problem, do not send me PMs with logs; post them in the forum. These PMs cannot be answered.
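As an added illustration of what the RegSearch step above does (this is not the tool's own code and not part of the post), the following PowerShell script reads the [Search] and [Exclude] sections from an options.txt in the format shown and looks for the terms in key names, value names and value data under HKLM and HKCU. It assumes options.txt sits in the current directory, only reads the registry, and writes the results to a text file that can be posted for review.

```powershell
# Added example (not from the post or from the RegSearch tool): a read-only
# stand-in for the RegSearch step. Assumption: options.txt is in the current
# directory and uses the [Search] / [Exclude] / [Options] layout shown above.
$terms = @(); $exclude = @(); $section = ''
foreach ($line in Get-Content (Join-Path (Get-Location) 'options.txt')) {
    $line = $line.Trim()
    if ($line -match '^\[(\w+)\]$') { $section = $Matches[1]; continue }
    if (-not $line) { continue }
    switch ($section) {
        'Search'  { $terms   += $line }
        'Exclude' { $exclude += $line }
    }
}
if (-not $terms) { throw 'No [Search] terms found in options.txt' }
# Case-insensitive substring matching; escape the terms so that characters
# such as '.' or '$' inside a term are taken literally.
$find = ($terms   | ForEach-Object { [regex]::Escape($_) }) -join '|'
$skip = ($exclude | ForEach-Object { [regex]::Escape($_) }) -join '|'

$hits = foreach ($root in 'HKLM:\', 'HKCU:\') {
    Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $key = $_
        if ($key.PSChildName -match $find) {
            [pscustomobject]@{ Where = 'KeyName'; Key = $key.Name; Name = ''; Data = '' }
        }
        foreach ($name in $key.GetValueNames()) {
            # Array data (REG_MULTI_SZ, REG_BINARY) is joined with spaces for matching
            $data = "$($key.GetValue($name))"
            if ($name -match $find -or $data -match $find) {
                [pscustomobject]@{ Where = 'Value'; Key = $key.Name; Name = $name; Data = $data }
            }
        }
    }
}
# Drop anything that matches an [Exclude] term, as the tool's options file allows
if ($skip) { $hits = $hits | Where-Object { "$($_.Key) $($_.Name) $($_.Data)" -notmatch $skip } }
$hits | Format-Table -AutoSize -Wrap | Out-String -Width 200 | Set-Content 'regsearch-results.txt'
"$(@($hits).Count) matching entries written to regsearch-results.txt"
```

A full walk of HKLM and HKCU takes a few minutes; run it from an elevated prompt so that keys readable only by administrators are included.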

