Prosím o pomoc, stáhli jsme viry, které jsme následně vymazali. Jenže Avast nám signalizuje, že se odesíla příliš mnoho stejných e-mailu za krátkou dobu. Na liště se nám objevila ikonka Avastu - ochrana pošty ( svchost.exe + měnící se emaily). Zároveň Spyware Terminator nám hlásí, že se mění koncovky v souborech ve Windowsu ( složka system32). Kamarád mi poradil, abych vám poslal výpis HiJacku. Prosím o radu co mám dělat. Jsem začátečník
Změněn název z nic neřákajícího - "Prosím pomoc". Pic[color=#FF00BF][/color]
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:45:30, on 28.4.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\SPYWAR~1\SpywareTerminatorShield.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Program Files\ICQLite\ICQLite.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ICQ6\ICQ.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\WiFiConnector\NintendoWFCReg.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\SPYWAR~1\SpywareTerminator.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\Roman Šorna\Dokumenty\ICQ Lite\393435578\Radek Pechal_470625856\HiJackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.icq.com/search/search_frame.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://google.icq.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.seznam.cz/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
R3 - URLSearchHook: (no name) - {855F3B16-6D32-4fe6-8A56-BBB695989046} - (no file)
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll (file missing)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [FinePrint Dispatcher v5] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe" /source=HKLM
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SpywareTerminator] "C:\PROGRA~1\SPYWAR~1\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [ICQ Lite] "C:\Program Files\ICQLite\ICQLite.exe" -minimize
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ICQ] "C:\Program Files\ICQ6\ICQ.exe" silent
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Run Nintendo Wi-Fi USB Connector Registration Tool.lnk = C:\Program Files\WiFiConnector\NintendoWFCReg.exe
O8 - Extra context menu item: Crawler Search - tbr:iemenu
O8 - Extra context menu item: E&xportovat do aplikace Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Xstream Radio - {7A0815F1-6B65-4e3a-B198-709807B4042A} - C:\Program Files\XstreamRadio 3.02\RadioHelper.dll
O9 - Extra 'Tools' menuitem: Xstream Radio - {7A0815F1-6B65-4e3a-B198-709807B4042A} - C:\Program Files\XstreamRadio 3.02\RadioHelper.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Protocol: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
--
End of file - 8390 bytes
Prosím o kontrolu logu Vyřešeno
Re: Prosím o pomoc
V tomto logu nic špatného nevidím =>>
1.- Pročistěte CCleanerem (odkaz v podpise).
2.- Stáhněte a uložte na plochu ComboFix:
Spusťte aplikaci pod účtem Správce počítače - zavřete všechny spuštěné programy (webový prohlížeč, messenger, ...) - následuje licenční ujednání, klikněte na Ano - začne se testovat (celá akce trvá cca. 5 - 10 minut, někdy i trochu déle) - během skenu se nepokoušejte spouštět žádne jiné aplikace a neklikejte do okna ComboFixu - po dokončení se automaticky otevře okno poznámkového bloku s textem (pokud se tak nestane, log je v C:\ComboFix.txt), který sem pomocí známých klávesových zkratek Ctrl + A (označení celého textu) -> Ctrl + C (uložení do jakési schránky) -> Ctrl + V (vložení textu) zkopírujte - a počkejte na další postup
VAROVÁNÍ: Pokud se vám zobrazí "CRITICAL WARNING !!" nesmíte restartovat počítač, o varování napište.
VAROVÁNÍ2: Je možné, že při testu budou různé bezpečnostní programy hlásit neoprávněný pokus o smazání daného souboru či něco jiného. Povolte jejich případné dotazy nebo na dobu scanu úplně vypněte rezidentní modul daného programu.
1.- Pročistěte CCleanerem (odkaz v podpise).
2.- Stáhněte a uložte na plochu ComboFix:
Spusťte aplikaci pod účtem Správce počítače - zavřete všechny spuštěné programy (webový prohlížeč, messenger, ...) - následuje licenční ujednání, klikněte na Ano - začne se testovat (celá akce trvá cca. 5 - 10 minut, někdy i trochu déle) - během skenu se nepokoušejte spouštět žádne jiné aplikace a neklikejte do okna ComboFixu - po dokončení se automaticky otevře okno poznámkového bloku s textem (pokud se tak nestane, log je v C:\ComboFix.txt), který sem pomocí známých klávesových zkratek Ctrl + A (označení celého textu) -> Ctrl + C (uložení do jakési schránky) -> Ctrl + V (vložení textu) zkopírujte - a počkejte na další postup
VAROVÁNÍ: Pokud se vám zobrazí "CRITICAL WARNING !!" nesmíte restartovat počítač, o varování napište.
VAROVÁNÍ2: Je možné, že při testu budou různé bezpečnostní programy hlásit neoprávněný pokus o smazání daného souboru či něco jiného. Povolte jejich případné dotazy nebo na dobu scanu úplně vypněte rezidentní modul daného programu.
Re: Prosím o kontrolu logu
Vyčistili jsme počítač ccleanerem podle návodu a udělali combofix. Akorát nám zmizel Avast na liště v pravé straně. Dále zůstává ikonka Avast - ochrana pošty ( svchost.exe + měnící se email). Při kontrole Combofixem se neobjevilo žádné cricital warning. Zde jsou výsledky Combo fixu.
ComboFix 08-04-27.3 - Roman Šorna 2008-04-28 20:07:40.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1250.1.1029.18.468 [GMT 2:00]
Running from: C:\Documents and Settings\Roman Šorna\Plocha\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\cookies.ini
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\ajbusxun.ini
C:\WINDOWS\system32\arjegodc.dll
C:\WINDOWS\system32\jkkIcdBr.dll
C:\WINDOWS\system32\nuxsubja.dll
C:\WINDOWS\system32\opnonkLD.dll
C:\WINDOWS\system32\rBdcIkkj.ini
C:\WINDOWS\system32\rBdcIkkj.ini2
C:\WINDOWS\system32\sibcgwwr.dll
C:\WINDOWS\system32\ucurmhyx.dll
C:\WINDOWS\system32\WinNt32.dll
C:\WINDOWS\system32\xyhmrucu.ini
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_HQIOPA
((((((((((((((((((((((((( Files Created from 2008-03-28 to 2008-04-28 )))))))))))))))))))))))))))))))
.
2008-04-28 20:14 . 2008-04-28 20:14 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-28 20:14 . 2008-04-28 20:14 1,409 --a------ C:\WINDOWS\QTFont.for
2008-04-28 20:10 . 2008-04-28 20:10 264,760 --a------ C:\Documents and Settings\Roman catchme.zip
2008-04-27 08:30 . 2008-04-28 19:40 109,793 --a------ C:\WINDOWS\BM137a1c6a.xml
2008-04-26 20:20 . 2008-04-28 20:13 14,976 --a------ C:\WINDOWS\system32\drivers\Ekq30.sys
2008-04-26 20:20 . 2008-04-28 20:13 10,240 --a------ C:\WINDOWS\system32\WinData.cab
2008-04-24 20:04 . 2007-10-12 15:14 3,734,536 --a------ C:\WINDOWS\system32\d3dx9_36.dll
2008-04-24 20:04 . 2007-10-12 15:14 1,374,232 --a------ C:\WINDOWS\system32\D3DCompiler_36.dll
2008-04-24 20:04 . 2007-10-02 09:56 444,776 --a------ C:\WINDOWS\system32\d3dx10_36.dll
2008-04-24 20:04 . 2007-10-22 03:39 267,272 --a------ C:\WINDOWS\system32\xactengine2_10.dll
2008-04-16 20:19 . 2008-04-25 22:21 <DIR> d-------- C:\My Recordings
2008-04-16 20:15 . 2008-04-17 21:49 <DIR> d-------- C:\Program Files\XstreamRadio 3.02
2008-04-03 01:26 . 2008-04-03 01:26 41,296 --a------ C:\WINDOWS\system32\xfcodec.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-28 18:12 96,256 ----a-w C:\WINDOWS\system32\drivers\sptd5709.sys
2008-04-28 18:02 --------- d-----w C:\Program Files\Spyware Terminator
2008-04-26 17:13 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-04-26 14:58 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-04-26 11:18 --------- d-----w C:\Program Files\Morpheus
2008-04-24 17:47 --------- d-----w C:\Program Files\Electronic Arts
2008-04-20 17:35 --------- d-----w C:\Program Files\Xfire
2008-04-18 12:12 --------- d-----w C:\Program Files\ICQ6
2008-03-30 08:11 --------- d-----w C:\Program Files\ICQLite
2008-03-24 12:58 138,752 ----a-w C:\WINDOWS\system32\drivers\sp_rsdrv2.sys
2008-03-23 12:26 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-23 12:26 --------- d-----w C:\Program Files\Firefly Studios
2008-03-11 19:23 --------- d-----w C:\Program Files\LucasArts
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OM_Monitor"="C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe" [2005-07-19 12:14 57344]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-06-01 14:32 94208]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 18:24 1694208]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-03-02 14:00 15360]
"ICQ"="C:\Program Files\ICQ6\ICQ.exe" [2008-04-01 12:40 172280]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"ICQ Lite"="C:\Program Files\ICQLite\ICQLite.exe" [2006-07-27 20:12 3142236]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2006-01-11 16:08 577536 C:\WINDOWS\soundman.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-06-01 18:22 7618560]
"nwiz"="nwiz.exe" [2006-06-01 18:22 1519616 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="NvMCTray.dll" [2006-06-01 18:22 86016 C:\WINDOWS\system32\nvmctray.dll]
"OpwareSE2"="C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" [2003-05-08 12:00 49152]
"OM_Monitor"="C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe" [2005-07-19 12:06 40960]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 17:40 155648]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2005-12-10 16:57 133016]
"FinePrint Dispatcher v5"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe" [2006-06-19 21:09 499712]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-11-17 20:24 77824]
"SpywareTerminator"="C:\PROGRA~1\SPYWAR~1\SpywareTerminatorShield.exe" [2008-03-24 14:58 2957824]
"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2006-11-24 02:06 487424]
"CanonSolutionMenu"="C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe" [2007-04-03 18:00 644696]
"CanonMyPrinter"="C:\Program Files\Canon\MyPrinter\BJMyPrt.exe" [2007-04-03 18:50 1603152]
"ICQ Lite"="C:\Program Files\ICQLite\ICQLite.exe" [2006-07-27 20:12 3142236]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2006-03-02 14:00 15360]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 16:38 39264]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.MJPG"= pvmjpg21.dll
"VIDC.XFR1"= xfcodec.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Ekq30.sys]
@="Driver"
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Valve\\Half-Life 2\\cstrike.exe"=
"C:\\Program Files\\Valve\\Half-Life 2\\hl2.exe"=
"C:\\Program Files\\Activision\\Call of Duty 2\\CoD2MP_s.exe"=
"C:\\WINDOWS\\system32\\dplaysvr.exe"=
"C:\\Program Files\\Firefly Studios\\Stronghold Crusader\\Stronghold Crusader.exe"=
"C:\\Program Files\\Morpheus\\Morpheus.exe"=
"C:\\Program Files\\Hamachi\\hamachi.exe"=
"C:\\Program Files\\EA GAMES\\Medal of Honor Pacific Assault(tm)\\mohpa.exe"=
"C:\\Program Files\\WiFiConnector\\NintendoWFCReg.exe"=
"C:\\Program Files\\ICQLite\\ICQLite.exe"=
"C:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=
"C:\\Program Files\\Empire Interactive\\FlatOut 2\\flatout2.exe"=
"C:\\Program Files\\Call of Duty\\CoDMP.exe"=
"C:\\Program Files\\Sierra\\SWAT 4\\Content\\System\\Swat4.exe"=
"C:\\Program Files\\Ubisoft\\Heroes of Might and Magic V\\bin\\H5_Game.exe"=
"C:\\Program Files\\Team17\\Worms World Party\\wwp.exe"=
"C:\\Program Files\\Eidos\\Pyro Studios\\Commandos Strike Force\\CommXPC.exe"=
"C:\\Program Files\\Cossacks 2 - Battle for Europe\\Run\\Data\\engine.exe"=
"C:\\Program Files\\THQ\\S.T.A.L.K.E.R. - Shadow of Chernobyl\\bin\\XR_3DA.exe"=
"C:\\Program Files\\THQ\\S.T.A.L.K.E.R. - Shadow of Chernobyl\\bin\\dedicated\\XR_3DA.exe"=
"C:\\Program Files\\THQ\\Company of Heroes\\BugReport\\BugReport.exe"=
"C:\\WINDOWS\\system32\\dpnsvr.exe"=
"C:\\Program Files\\Microsoft Games\\Age of Empires III\\Age3.exe"=
"C:\\Program Files\\LucasArts\\Star Wars Battlefront II\\GameData\\battlefrontII.exe"=
"C:\\WINDOWS\\system32\\PnkBstrA.exe"=
"C:\\WINDOWS\\system32\\PnkBstrB.exe"=
"C:\\Program Files\\Xfire\\xfire.exe"=
"C:\\Program Files\\Kylotonn Entertainment\\Bet on Soldier\\BoS.exe"=
"C:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"C:\\Program Files\\ICQ6\\ICQ.exe"=
"C:\\Program Files\\Nero\\Nero 7\\Nero Home\\NeroHome.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\\Program Files\\Electronic Arts\\Command & Conquer 3\\RetailExe\\1.6\\cnc3game.dat"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\WINDOWS\\system32\\rundll32.exe"=
"C:\\Program Files\\Electronic Arts\\Command & Conquer 3 Kane's Wrath\\RetailExe\\1.0\\cnc3ep1.dat"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"2190:UDP"= 2190:UDP:Windows Media Format SDK (XstreamRadio.exe)
"2191:UDP"= 2191:UDP:Windows Media Format SDK (XstreamRadio.exe)
"2192:UDP"= 2192:UDP:Windows Media Format SDK (XstreamRadio.exe)
R0 Ekq30;Ekq30;C:\WINDOWS\system32\Drivers\Ekq30.sys [2008-04-28 20:13]
R0 sfsync03;StarForce Protection Synchronization Driver (version 3.x);C:\WINDOWS\system32\drivers\sfsync03.sys [2005-12-06 17:11]
R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-03-29 19:31]
R1 sp_rsdrv2;Spyware Terminator Driver 2;C:\WINDOWS\system32\drivers\sp_rsdrv2.sys [2008-03-24 14:58]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-03-29 19:35]
R3 PSched;Plánovač paketů technologie QoS;C:\WINDOWS\system32\DRIVERS\psched.sys [2006-03-02 14:00]
.
**************************************************************************
catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-28 20:14:14
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\WinNt32.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\WiFiConnector\NintendoWFCReg.exe
C:\WINDOWS\system32\verclsid.exe
.
**************************************************************************
.
Completion time: 2008-04-28 20:19:08 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-28 18:19:03
Adresářů: 10, Volných bajtů: 116,194,820,096
Adres ý…: 12, Volněch bajt…: 116,161,855,488
180 --- E O F --- 2008-04-09 14:58:52
ComboFix 08-04-27.3 - Roman Šorna 2008-04-28 20:07:40.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1250.1.1029.18.468 [GMT 2:00]
Running from: C:\Documents and Settings\Roman Šorna\Plocha\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\cookies.ini
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\ajbusxun.ini
C:\WINDOWS\system32\arjegodc.dll
C:\WINDOWS\system32\jkkIcdBr.dll
C:\WINDOWS\system32\nuxsubja.dll
C:\WINDOWS\system32\opnonkLD.dll
C:\WINDOWS\system32\rBdcIkkj.ini
C:\WINDOWS\system32\rBdcIkkj.ini2
C:\WINDOWS\system32\sibcgwwr.dll
C:\WINDOWS\system32\ucurmhyx.dll
C:\WINDOWS\system32\WinNt32.dll
C:\WINDOWS\system32\xyhmrucu.ini
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_HQIOPA
((((((((((((((((((((((((( Files Created from 2008-03-28 to 2008-04-28 )))))))))))))))))))))))))))))))
.
2008-04-28 20:14 . 2008-04-28 20:14 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-28 20:14 . 2008-04-28 20:14 1,409 --a------ C:\WINDOWS\QTFont.for
2008-04-28 20:10 . 2008-04-28 20:10 264,760 --a------ C:\Documents and Settings\Roman catchme.zip
2008-04-27 08:30 . 2008-04-28 19:40 109,793 --a------ C:\WINDOWS\BM137a1c6a.xml
2008-04-26 20:20 . 2008-04-28 20:13 14,976 --a------ C:\WINDOWS\system32\drivers\Ekq30.sys
2008-04-26 20:20 . 2008-04-28 20:13 10,240 --a------ C:\WINDOWS\system32\WinData.cab
2008-04-24 20:04 . 2007-10-12 15:14 3,734,536 --a------ C:\WINDOWS\system32\d3dx9_36.dll
2008-04-24 20:04 . 2007-10-12 15:14 1,374,232 --a------ C:\WINDOWS\system32\D3DCompiler_36.dll
2008-04-24 20:04 . 2007-10-02 09:56 444,776 --a------ C:\WINDOWS\system32\d3dx10_36.dll
2008-04-24 20:04 . 2007-10-22 03:39 267,272 --a------ C:\WINDOWS\system32\xactengine2_10.dll
2008-04-16 20:19 . 2008-04-25 22:21 <DIR> d-------- C:\My Recordings
2008-04-16 20:15 . 2008-04-17 21:49 <DIR> d-------- C:\Program Files\XstreamRadio 3.02
2008-04-03 01:26 . 2008-04-03 01:26 41,296 --a------ C:\WINDOWS\system32\xfcodec.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-28 18:12 96,256 ----a-w C:\WINDOWS\system32\drivers\sptd5709.sys
2008-04-28 18:02 --------- d-----w C:\Program Files\Spyware Terminator
2008-04-26 17:13 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-04-26 14:58 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-04-26 11:18 --------- d-----w C:\Program Files\Morpheus
2008-04-24 17:47 --------- d-----w C:\Program Files\Electronic Arts
2008-04-20 17:35 --------- d-----w C:\Program Files\Xfire
2008-04-18 12:12 --------- d-----w C:\Program Files\ICQ6
2008-03-30 08:11 --------- d-----w C:\Program Files\ICQLite
2008-03-24 12:58 138,752 ----a-w C:\WINDOWS\system32\drivers\sp_rsdrv2.sys
2008-03-23 12:26 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-23 12:26 --------- d-----w C:\Program Files\Firefly Studios
2008-03-11 19:23 --------- d-----w C:\Program Files\LucasArts
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OM_Monitor"="C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe" [2005-07-19 12:14 57344]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-06-01 14:32 94208]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 18:24 1694208]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-03-02 14:00 15360]
"ICQ"="C:\Program Files\ICQ6\ICQ.exe" [2008-04-01 12:40 172280]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"ICQ Lite"="C:\Program Files\ICQLite\ICQLite.exe" [2006-07-27 20:12 3142236]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2006-01-11 16:08 577536 C:\WINDOWS\soundman.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-06-01 18:22 7618560]
"nwiz"="nwiz.exe" [2006-06-01 18:22 1519616 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="NvMCTray.dll" [2006-06-01 18:22 86016 C:\WINDOWS\system32\nvmctray.dll]
"OpwareSE2"="C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" [2003-05-08 12:00 49152]
"OM_Monitor"="C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe" [2005-07-19 12:06 40960]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 17:40 155648]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2005-12-10 16:57 133016]
"FinePrint Dispatcher v5"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe" [2006-06-19 21:09 499712]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-11-17 20:24 77824]
"SpywareTerminator"="C:\PROGRA~1\SPYWAR~1\SpywareTerminatorShield.exe" [2008-03-24 14:58 2957824]
"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2006-11-24 02:06 487424]
"CanonSolutionMenu"="C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe" [2007-04-03 18:00 644696]
"CanonMyPrinter"="C:\Program Files\Canon\MyPrinter\BJMyPrt.exe" [2007-04-03 18:50 1603152]
"ICQ Lite"="C:\Program Files\ICQLite\ICQLite.exe" [2006-07-27 20:12 3142236]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2006-03-02 14:00 15360]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 16:38 39264]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.MJPG"= pvmjpg21.dll
"VIDC.XFR1"= xfcodec.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Ekq30.sys]
@="Driver"
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Valve\\Half-Life 2\\cstrike.exe"=
"C:\\Program Files\\Valve\\Half-Life 2\\hl2.exe"=
"C:\\Program Files\\Activision\\Call of Duty 2\\CoD2MP_s.exe"=
"C:\\WINDOWS\\system32\\dplaysvr.exe"=
"C:\\Program Files\\Firefly Studios\\Stronghold Crusader\\Stronghold Crusader.exe"=
"C:\\Program Files\\Morpheus\\Morpheus.exe"=
"C:\\Program Files\\Hamachi\\hamachi.exe"=
"C:\\Program Files\\EA GAMES\\Medal of Honor Pacific Assault(tm)\\mohpa.exe"=
"C:\\Program Files\\WiFiConnector\\NintendoWFCReg.exe"=
"C:\\Program Files\\ICQLite\\ICQLite.exe"=
"C:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=
"C:\\Program Files\\Empire Interactive\\FlatOut 2\\flatout2.exe"=
"C:\\Program Files\\Call of Duty\\CoDMP.exe"=
"C:\\Program Files\\Sierra\\SWAT 4\\Content\\System\\Swat4.exe"=
"C:\\Program Files\\Ubisoft\\Heroes of Might and Magic V\\bin\\H5_Game.exe"=
"C:\\Program Files\\Team17\\Worms World Party\\wwp.exe"=
"C:\\Program Files\\Eidos\\Pyro Studios\\Commandos Strike Force\\CommXPC.exe"=
"C:\\Program Files\\Cossacks 2 - Battle for Europe\\Run\\Data\\engine.exe"=
"C:\\Program Files\\THQ\\S.T.A.L.K.E.R. - Shadow of Chernobyl\\bin\\XR_3DA.exe"=
"C:\\Program Files\\THQ\\S.T.A.L.K.E.R. - Shadow of Chernobyl\\bin\\dedicated\\XR_3DA.exe"=
"C:\\Program Files\\THQ\\Company of Heroes\\BugReport\\BugReport.exe"=
"C:\\WINDOWS\\system32\\dpnsvr.exe"=
"C:\\Program Files\\Microsoft Games\\Age of Empires III\\Age3.exe"=
"C:\\Program Files\\LucasArts\\Star Wars Battlefront II\\GameData\\battlefrontII.exe"=
"C:\\WINDOWS\\system32\\PnkBstrA.exe"=
"C:\\WINDOWS\\system32\\PnkBstrB.exe"=
"C:\\Program Files\\Xfire\\xfire.exe"=
"C:\\Program Files\\Kylotonn Entertainment\\Bet on Soldier\\BoS.exe"=
"C:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"C:\\Program Files\\ICQ6\\ICQ.exe"=
"C:\\Program Files\\Nero\\Nero 7\\Nero Home\\NeroHome.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\\Program Files\\Electronic Arts\\Command & Conquer 3\\RetailExe\\1.6\\cnc3game.dat"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\WINDOWS\\system32\\rundll32.exe"=
"C:\\Program Files\\Electronic Arts\\Command & Conquer 3 Kane's Wrath\\RetailExe\\1.0\\cnc3ep1.dat"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"2190:UDP"= 2190:UDP:Windows Media Format SDK (XstreamRadio.exe)
"2191:UDP"= 2191:UDP:Windows Media Format SDK (XstreamRadio.exe)
"2192:UDP"= 2192:UDP:Windows Media Format SDK (XstreamRadio.exe)
R0 Ekq30;Ekq30;C:\WINDOWS\system32\Drivers\Ekq30.sys [2008-04-28 20:13]
R0 sfsync03;StarForce Protection Synchronization Driver (version 3.x);C:\WINDOWS\system32\drivers\sfsync03.sys [2005-12-06 17:11]
R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-03-29 19:31]
R1 sp_rsdrv2;Spyware Terminator Driver 2;C:\WINDOWS\system32\drivers\sp_rsdrv2.sys [2008-03-24 14:58]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-03-29 19:35]
R3 PSched;Plánovač paketů technologie QoS;C:\WINDOWS\system32\DRIVERS\psched.sys [2006-03-02 14:00]
.
**************************************************************************
catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-28 20:14:14
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\WinNt32.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\WiFiConnector\NintendoWFCReg.exe
C:\WINDOWS\system32\verclsid.exe
.
**************************************************************************
.
Completion time: 2008-04-28 20:19:08 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-28 18:19:03
Adresářů: 10, Volných bajtů: 116,194,820,096
Adres ý…: 12, Volněch bajt…: 116,161,855,488
180 --- E O F --- 2008-04-09 14:58:52
Re: Prosím o kontrolu logu
CF toho hodně smazal, ještě to dorazíme:
Opět vypněte veškeré spuštěné programy (webový prohlížeč, messenger, ...). Přesuňte Combofix na plochu (pokud ho tam ještě nemáte) - otevřete si poznámkový blok - do něj zkopírujte text z nasledujícího okna:
Text uložte jako CFScript.txt na plochu - po uložení uchopte vámi vytvořený soubor .txt levým tlačítkem myši a přesuňte jej nad ikonu ComboFixu - nad ikonou ComboFixu soubor .txt upusťte - spustí se ComboFix - a CF začne znova scanovat, nakonci scanování se pokusí CF smazat zadané soubory či něco jiného, co jsme mu zadali - po provedení akce se opět zobrazí okno poznámkového bloku s textem, který sem zkopírujte a vyčkejte prosím na další rady :)
+ nový HijackThis a info, jak se chová pc.
Opět vypněte veškeré spuštěné programy (webový prohlížeč, messenger, ...). Přesuňte Combofix na plochu (pokud ho tam ještě nemáte) - otevřete si poznámkový blok - do něj zkopírujte text z nasledujícího okna:
Kód: Vybrat vše
File::
C:\WINDOWS\BM137a1c6a.xml
C:\WINDOWS\system32\drivers\Ekq30.sys
Driver::
Ekq30Text uložte jako CFScript.txt na plochu - po uložení uchopte vámi vytvořený soubor .txt levým tlačítkem myši a přesuňte jej nad ikonu ComboFixu - nad ikonou ComboFixu soubor .txt upusťte - spustí se ComboFix - a CF začne znova scanovat, nakonci scanování se pokusí CF smazat zadané soubory či něco jiného, co jsme mu zadali - po provedení akce se opět zobrazí okno poznámkového bloku s textem, který sem zkopírujte a vyčkejte prosím na další rady :)
+ nový HijackThis a info, jak se chová pc.
Re: Prosím o kontrolu logu
Při kontrole ComboFixu se nám se zobrazilo že v souboru WIN32 došlo k chybě ( tabulka s odpovědí odesílat zprávu o chybě a nebo neodesílat). Po restartování počítače ComboFixem došlo k změně rozlišení monitoru. Spyware Terminator zakázal proces se souborem svchost.exe. Na liště už zmizela ikonka Avastu - ochrana pošty. Připadá nám, že počítač rychleji nabíhá. 
Na liště chybí kontrolka Avastu o rezidentním štítu.( Je to dobře? )
Zde je výsledek CF:
ComboFix 08-04-27.3 - Roman Šorna 2008-04-29 18:24:04.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1250.1.1029.18.613 [GMT 2:00]
Running from: C:\Documents and Settings\Roman Šorna\Plocha\ComboFix.exe
Command switches used :: C:\Documents and Settings\Roman Šorna\Plocha\CFScript.txt
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
FILE ::
C:\WINDOWS\BM137a1c6a.xml
C:\WINDOWS\system32\drivers\Ekq30.sys
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\BM137a1c6a.xml
C:\WINDOWS\system32\drivers\Ekq30.sys
C:\WINDOWS\system32\WinNt32.dll
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_EKQ30
-------\Service_Ekq30
((((((((((((((((((((((((( Files Created from 2008-03-28 to 2008-04-29 )))))))))))))))))))))))))))))))
.
2008-04-29 18:27 . 2008-04-29 18:27 271,254 --a------ C:\Documents and Settings\Roman catchme.zip
2008-04-28 20:19 . 2008-04-28 20:19 <DIR> d-------- C:\Documents and Settings\Roman Šorna
2008-04-28 20:19 . <DIR> C:\Documents and Settings\Roman Őorna\Local Settings
2008-04-28 20:19 . <DIR> C:\Documents and Settings\Roman Őorna\Local Settings
2008-04-26 20:20 . 2008-04-29 14:26 10,240 --a------ C:\WINDOWS\system32\WinData.cab
2008-04-24 20:04 . 2007-10-12 15:14 3,734,536 --a------ C:\WINDOWS\system32\d3dx9_36.dll
2008-04-24 20:04 . 2007-10-12 15:14 1,374,232 --a------ C:\WINDOWS\system32\D3DCompiler_36.dll
2008-04-24 20:04 . 2007-10-02 09:56 444,776 --a------ C:\WINDOWS\system32\d3dx10_36.dll
2008-04-24 20:04 . 2007-10-22 03:39 267,272 --a------ C:\WINDOWS\system32\xactengine2_10.dll
2008-04-16 20:19 . 2008-04-25 22:21 <DIR> d-------- C:\My Recordings
2008-04-16 20:15 . 2008-04-17 21:49 <DIR> d-------- C:\Program Files\XstreamRadio 3.02
2008-04-03 01:26 . 2008-04-03 01:26 41,296 --a------ C:\WINDOWS\system32\xfcodec.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-29 12:56 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-29 12:45 --------- d-----w C:\Program Files\EA GAMES
2008-04-29 12:42 --------- d-----w C:\Program Files\EA SPORTS
2008-04-29 12:38 --------- d-----w C:\Program Files\THQ
2008-04-29 12:37 --------- d-----w C:\Program Files\LucasArts
2008-04-29 12:36 --------- d-----w C:\Program Files\Electronic Arts
2008-04-29 12:29 --------- d-----w C:\Program Files\Spyware Terminator
2008-04-28 18:12 96,256 ----a-w C:\WINDOWS\system32\drivers\sptd5709.sys
2008-04-26 17:13 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-04-26 14:58 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-04-26 14:58 107,832 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
2008-04-26 11:18 --------- d-----w C:\Program Files\Morpheus
2008-04-20 17:35 --------- d-----w C:\Program Files\Xfire
2008-04-18 12:12 --------- d-----w C:\Program Files\ICQ6
2008-03-30 08:11 --------- d-----w C:\Program Files\ICQLite
2008-03-24 12:58 138,752 ----a-w C:\WINDOWS\system32\drivers\sp_rsdrv2.sys
2008-03-20 08:09 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-18 14:12 158,720 ----a-w C:\WINDOWS\system32\unrar.dll
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:38 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-16 09:05 660,480 ----a-w C:\WINDOWS\system32\wininet.dll
.
((((((((((((((((((((((((((((( snapshot@2008-04-28_20.18.50.85 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-28 18:13:16 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-04-29 16:29:29 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2008-04-28 18:13:51 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-04-29 16:28:15 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-04-28 18:15:26 180,224 -c--a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-04-29 16:28:15 212,992 -c--a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-04-28 18:13:51 65,536 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008042820080429\index.dat
+ 2008-04-28 18:43:14 65,536 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008042820080429\index.dat
+ 2008-04-29 16:23:33 49,152 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008042920080430\index.dat
- 2008-04-28 18:13:51 442,368 -c--a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-04-29 16:28:15 573,440 -c--a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2008-04-28 18:13:19 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_78c.dat
+ 2008-04-29 16:29:33 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_78c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OM_Monitor"="C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe" [2005-07-19 12:14 57344]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-06-01 14:32 94208]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 18:24 1694208]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-03-02 14:00 15360]
"ICQ"="C:\Program Files\ICQ6\ICQ.exe" [2008-04-01 12:40 172280]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"ICQ Lite"="C:\Program Files\ICQLite\ICQLite.exe" [2006-07-27 20:12 3142236]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2006-01-11 16:08 577536 C:\WINDOWS\soundman.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-06-01 18:22 7618560]
"nwiz"="nwiz.exe" [2006-06-01 18:22 1519616 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="NvMCTray.dll" [2006-06-01 18:22 86016 C:\WINDOWS\system32\nvmctray.dll]
"OpwareSE2"="C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" [2003-05-08 12:00 49152]
"OM_Monitor"="C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe" [2005-07-19 12:06 40960]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 17:40 155648]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2005-12-10 16:57 133016]
"FinePrint Dispatcher v5"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe" [2006-06-19 21:09 499712]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-11-17 20:24 77824]
"SpywareTerminator"="C:\PROGRA~1\SPYWAR~1\SpywareTerminatorShield.exe" [2008-03-24 14:58 2957824]
"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2006-11-24 02:06 487424]
"CanonSolutionMenu"="C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe" [2007-04-03 18:00 644696]
"CanonMyPrinter"="C:\Program Files\Canon\MyPrinter\BJMyPrt.exe" [2007-04-03 18:50 1603152]
"ICQ Lite"="C:\Program Files\ICQLite\ICQLite.exe" [2006-07-27 20:12 3142236]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2006-03-02 14:00 15360]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 16:38 39264]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.MJPG"= pvmjpg21.dll
"VIDC.XFR1"= xfcodec.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Ekq30.sys]
@="Driver"
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Valve\\Half-Life 2\\cstrike.exe"=
"C:\\Program Files\\Valve\\Half-Life 2\\hl2.exe"=
"C:\\Program Files\\Activision\\Call of Duty 2\\CoD2MP_s.exe"=
"C:\\WINDOWS\\system32\\dplaysvr.exe"=
"C:\\Program Files\\Morpheus\\Morpheus.exe"=
"C:\\Program Files\\Hamachi\\hamachi.exe"=
"C:\\Program Files\\WiFiConnector\\NintendoWFCReg.exe"=
"C:\\Program Files\\ICQLite\\ICQLite.exe"=
"C:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=
"C:\\Program Files\\Team17\\Worms World Party\\wwp.exe"=
"C:\\Program Files\\Cossacks 2 - Battle for Europe\\Run\\Data\\engine.exe"=
"C:\\Program Files\\THQ\\S.T.A.L.K.E.R. - Shadow of Chernobyl\\bin\\XR_3DA.exe"=
"C:\\Program Files\\THQ\\S.T.A.L.K.E.R. - Shadow of Chernobyl\\bin\\dedicated\\XR_3DA.exe"=
"C:\\WINDOWS\\system32\\dpnsvr.exe"=
"C:\\Program Files\\Microsoft Games\\Age of Empires III\\Age3.exe"=
"C:\\Program Files\\LucasArts\\Star Wars Battlefront II\\GameData\\battlefrontII.exe"=
"C:\\WINDOWS\\system32\\PnkBstrA.exe"=
"C:\\WINDOWS\\system32\\PnkBstrB.exe"=
"C:\\Program Files\\Xfire\\xfire.exe"=
"C:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"C:\\Program Files\\ICQ6\\ICQ.exe"=
"C:\\Program Files\\Nero\\Nero 7\\Nero Home\\NeroHome.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\\Program Files\\Electronic Arts\\Command & Conquer 3\\RetailExe\\1.6\\cnc3game.dat"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\WINDOWS\\system32\\rundll32.exe"=
"C:\\Program Files\\Electronic Arts\\Command & Conquer 3 Kane's Wrath\\RetailExe\\1.0\\cnc3ep1.dat"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"2190:UDP"= 2190:UDP:Windows Media Format SDK (XstreamRadio.exe)
"2191:UDP"= 2191:UDP:Windows Media Format SDK (XstreamRadio.exe)
"2192:UDP"= 2192:UDP:Windows Media Format SDK (XstreamRadio.exe)
R0 sfsync03;StarForce Protection Synchronization Driver (version 3.x);C:\WINDOWS\system32\drivers\sfsync03.sys [2005-12-06 17:11]
R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-03-29 19:31]
R1 sp_rsdrv2;Spyware Terminator Driver 2;C:\WINDOWS\system32\drivers\sp_rsdrv2.sys [2008-03-24 14:58]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-03-29 19:35]
R3 PSched;Plánovač paketů technologie QoS;C:\WINDOWS\system32\DRIVERS\psched.sys [2006-03-02 14:00]
.
**************************************************************************
catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-29 18:29:50
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\WiFiConnector\NintendoWFCReg.exe
.
**************************************************************************
.
Completion time: 2008-04-29 18:34:38 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-29 16:34:34
ComboFix2.txt 2008-04-28 18:19:09
Adresářů: 10, Volných bajtů: 166,886,912,000
Adres ý…: 12, Volněch bajt…: 166,921,031,680
183 --- E O F --- 2008-04-09 14:58:52
A zde je výsledek HijackThis:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:41:44, on 29.4.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\SPYWAR~1\SpywareTerminatorShield.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Program Files\ICQLite\ICQLite.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WiFiConnector\NintendoWFCReg.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\Documents and Settings\Roman Šorna\Dokumenty\ICQ Lite\393435578\Radek Pechal_470625856\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.seznam.cz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
R3 - URLSearchHook: (no name) - {855F3B16-6D32-4fe6-8A56-BBB695989046} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O3 - Toolbar: (no name) - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - (no file)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [FinePrint Dispatcher v5] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe" /source=HKLM
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SpywareTerminator] "C:\PROGRA~1\SPYWAR~1\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [ICQ Lite] "C:\Program Files\ICQLite\ICQLite.exe" -minimize
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe -NoStart
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -trayboot
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Run Nintendo Wi-Fi USB Connector Registration Tool.lnk = C:\Program Files\WiFiConnector\NintendoWFCReg.exe
O8 - Extra context menu item: Crawler Search - tbr:iemenu
O8 - Extra context menu item: E&xportovat do aplikace Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Xstream Radio - {7A0815F1-6B65-4e3a-B198-709807B4042A} - C:\Program Files\XstreamRadio 3.02\RadioHelper.dll
O9 - Extra 'Tools' menuitem: Xstream Radio - {7A0815F1-6B65-4e3a-B198-709807B4042A} - C:\Program Files\XstreamRadio 3.02\RadioHelper.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Protocol: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - (no file)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
--
End of file - 8431 bytes
Na liště chybí kontrolka Avastu o rezidentním štítu.( Je to dobře? ) Zde je výsledek CF:
ComboFix 08-04-27.3 - Roman Šorna 2008-04-29 18:24:04.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1250.1.1029.18.613 [GMT 2:00]
Running from: C:\Documents and Settings\Roman Šorna\Plocha\ComboFix.exe
Command switches used :: C:\Documents and Settings\Roman Šorna\Plocha\CFScript.txt
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
FILE ::
C:\WINDOWS\BM137a1c6a.xml
C:\WINDOWS\system32\drivers\Ekq30.sys
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\BM137a1c6a.xml
C:\WINDOWS\system32\drivers\Ekq30.sys
C:\WINDOWS\system32\WinNt32.dll
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_EKQ30
-------\Service_Ekq30
((((((((((((((((((((((((( Files Created from 2008-03-28 to 2008-04-29 )))))))))))))))))))))))))))))))
.
2008-04-29 18:27 . 2008-04-29 18:27 271,254 --a------ C:\Documents and Settings\Roman catchme.zip
2008-04-28 20:19 . 2008-04-28 20:19 <DIR> d-------- C:\Documents and Settings\Roman Šorna
2008-04-28 20:19 . <DIR> C:\Documents and Settings\Roman Őorna\Local Settings
2008-04-28 20:19 . <DIR> C:\Documents and Settings\Roman Őorna\Local Settings
2008-04-26 20:20 . 2008-04-29 14:26 10,240 --a------ C:\WINDOWS\system32\WinData.cab
2008-04-24 20:04 . 2007-10-12 15:14 3,734,536 --a------ C:\WINDOWS\system32\d3dx9_36.dll
2008-04-24 20:04 . 2007-10-12 15:14 1,374,232 --a------ C:\WINDOWS\system32\D3DCompiler_36.dll
2008-04-24 20:04 . 2007-10-02 09:56 444,776 --a------ C:\WINDOWS\system32\d3dx10_36.dll
2008-04-24 20:04 . 2007-10-22 03:39 267,272 --a------ C:\WINDOWS\system32\xactengine2_10.dll
2008-04-16 20:19 . 2008-04-25 22:21 <DIR> d-------- C:\My Recordings
2008-04-16 20:15 . 2008-04-17 21:49 <DIR> d-------- C:\Program Files\XstreamRadio 3.02
2008-04-03 01:26 . 2008-04-03 01:26 41,296 --a------ C:\WINDOWS\system32\xfcodec.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-29 12:56 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-29 12:45 --------- d-----w C:\Program Files\EA GAMES
2008-04-29 12:42 --------- d-----w C:\Program Files\EA SPORTS
2008-04-29 12:38 --------- d-----w C:\Program Files\THQ
2008-04-29 12:37 --------- d-----w C:\Program Files\LucasArts
2008-04-29 12:36 --------- d-----w C:\Program Files\Electronic Arts
2008-04-29 12:29 --------- d-----w C:\Program Files\Spyware Terminator
2008-04-28 18:12 96,256 ----a-w C:\WINDOWS\system32\drivers\sptd5709.sys
2008-04-26 17:13 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-04-26 14:58 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-04-26 14:58 107,832 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
2008-04-26 11:18 --------- d-----w C:\Program Files\Morpheus
2008-04-20 17:35 --------- d-----w C:\Program Files\Xfire
2008-04-18 12:12 --------- d-----w C:\Program Files\ICQ6
2008-03-30 08:11 --------- d-----w C:\Program Files\ICQLite
2008-03-24 12:58 138,752 ----a-w C:\WINDOWS\system32\drivers\sp_rsdrv2.sys
2008-03-20 08:09 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-18 14:12 158,720 ----a-w C:\WINDOWS\system32\unrar.dll
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:38 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-16 09:05 660,480 ----a-w C:\WINDOWS\system32\wininet.dll
.
((((((((((((((((((((((((((((( snapshot@2008-04-28_20.18.50.85 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-28 18:13:16 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-04-29 16:29:29 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2008-04-28 18:13:51 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-04-29 16:28:15 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-04-28 18:15:26 180,224 -c--a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-04-29 16:28:15 212,992 -c--a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-04-28 18:13:51 65,536 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008042820080429\index.dat
+ 2008-04-28 18:43:14 65,536 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008042820080429\index.dat
+ 2008-04-29 16:23:33 49,152 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008042920080430\index.dat
- 2008-04-28 18:13:51 442,368 -c--a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-04-29 16:28:15 573,440 -c--a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2008-04-28 18:13:19 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_78c.dat
+ 2008-04-29 16:29:33 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_78c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OM_Monitor"="C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe" [2005-07-19 12:14 57344]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-06-01 14:32 94208]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 18:24 1694208]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-03-02 14:00 15360]
"ICQ"="C:\Program Files\ICQ6\ICQ.exe" [2008-04-01 12:40 172280]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"ICQ Lite"="C:\Program Files\ICQLite\ICQLite.exe" [2006-07-27 20:12 3142236]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2006-01-11 16:08 577536 C:\WINDOWS\soundman.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-06-01 18:22 7618560]
"nwiz"="nwiz.exe" [2006-06-01 18:22 1519616 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="NvMCTray.dll" [2006-06-01 18:22 86016 C:\WINDOWS\system32\nvmctray.dll]
"OpwareSE2"="C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" [2003-05-08 12:00 49152]
"OM_Monitor"="C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe" [2005-07-19 12:06 40960]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 17:40 155648]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2005-12-10 16:57 133016]
"FinePrint Dispatcher v5"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe" [2006-06-19 21:09 499712]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-11-17 20:24 77824]
"SpywareTerminator"="C:\PROGRA~1\SPYWAR~1\SpywareTerminatorShield.exe" [2008-03-24 14:58 2957824]
"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2006-11-24 02:06 487424]
"CanonSolutionMenu"="C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe" [2007-04-03 18:00 644696]
"CanonMyPrinter"="C:\Program Files\Canon\MyPrinter\BJMyPrt.exe" [2007-04-03 18:50 1603152]
"ICQ Lite"="C:\Program Files\ICQLite\ICQLite.exe" [2006-07-27 20:12 3142236]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2006-03-02 14:00 15360]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 16:38 39264]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.MJPG"= pvmjpg21.dll
"VIDC.XFR1"= xfcodec.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Ekq30.sys]
@="Driver"
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Valve\\Half-Life 2\\cstrike.exe"=
"C:\\Program Files\\Valve\\Half-Life 2\\hl2.exe"=
"C:\\Program Files\\Activision\\Call of Duty 2\\CoD2MP_s.exe"=
"C:\\WINDOWS\\system32\\dplaysvr.exe"=
"C:\\Program Files\\Morpheus\\Morpheus.exe"=
"C:\\Program Files\\Hamachi\\hamachi.exe"=
"C:\\Program Files\\WiFiConnector\\NintendoWFCReg.exe"=
"C:\\Program Files\\ICQLite\\ICQLite.exe"=
"C:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=
"C:\\Program Files\\Team17\\Worms World Party\\wwp.exe"=
"C:\\Program Files\\Cossacks 2 - Battle for Europe\\Run\\Data\\engine.exe"=
"C:\\Program Files\\THQ\\S.T.A.L.K.E.R. - Shadow of Chernobyl\\bin\\XR_3DA.exe"=
"C:\\Program Files\\THQ\\S.T.A.L.K.E.R. - Shadow of Chernobyl\\bin\\dedicated\\XR_3DA.exe"=
"C:\\WINDOWS\\system32\\dpnsvr.exe"=
"C:\\Program Files\\Microsoft Games\\Age of Empires III\\Age3.exe"=
"C:\\Program Files\\LucasArts\\Star Wars Battlefront II\\GameData\\battlefrontII.exe"=
"C:\\WINDOWS\\system32\\PnkBstrA.exe"=
"C:\\WINDOWS\\system32\\PnkBstrB.exe"=
"C:\\Program Files\\Xfire\\xfire.exe"=
"C:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"C:\\Program Files\\ICQ6\\ICQ.exe"=
"C:\\Program Files\\Nero\\Nero 7\\Nero Home\\NeroHome.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\\Program Files\\Electronic Arts\\Command & Conquer 3\\RetailExe\\1.6\\cnc3game.dat"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\WINDOWS\\system32\\rundll32.exe"=
"C:\\Program Files\\Electronic Arts\\Command & Conquer 3 Kane's Wrath\\RetailExe\\1.0\\cnc3ep1.dat"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"2190:UDP"= 2190:UDP:Windows Media Format SDK (XstreamRadio.exe)
"2191:UDP"= 2191:UDP:Windows Media Format SDK (XstreamRadio.exe)
"2192:UDP"= 2192:UDP:Windows Media Format SDK (XstreamRadio.exe)
R0 sfsync03;StarForce Protection Synchronization Driver (version 3.x);C:\WINDOWS\system32\drivers\sfsync03.sys [2005-12-06 17:11]
R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-03-29 19:31]
R1 sp_rsdrv2;Spyware Terminator Driver 2;C:\WINDOWS\system32\drivers\sp_rsdrv2.sys [2008-03-24 14:58]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-03-29 19:35]
R3 PSched;Plánovač paketů technologie QoS;C:\WINDOWS\system32\DRIVERS\psched.sys [2006-03-02 14:00]
.
**************************************************************************
catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-29 18:29:50
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\WiFiConnector\NintendoWFCReg.exe
.
**************************************************************************
.
Completion time: 2008-04-29 18:34:38 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-29 16:34:34
ComboFix2.txt 2008-04-28 18:19:09
Adresářů: 10, Volných bajtů: 166,886,912,000
Adres ý…: 12, Volněch bajt…: 166,921,031,680
183 --- E O F --- 2008-04-09 14:58:52
A zde je výsledek HijackThis:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:41:44, on 29.4.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\SPYWAR~1\SpywareTerminatorShield.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Program Files\ICQLite\ICQLite.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WiFiConnector\NintendoWFCReg.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\Documents and Settings\Roman Šorna\Dokumenty\ICQ Lite\393435578\Radek Pechal_470625856\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.seznam.cz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
R3 - URLSearchHook: (no name) - {855F3B16-6D32-4fe6-8A56-BBB695989046} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O3 - Toolbar: (no name) - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - (no file)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [FinePrint Dispatcher v5] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe" /source=HKLM
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SpywareTerminator] "C:\PROGRA~1\SPYWAR~1\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [ICQ Lite] "C:\Program Files\ICQLite\ICQLite.exe" -minimize
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe -NoStart
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -trayboot
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Run Nintendo Wi-Fi USB Connector Registration Tool.lnk = C:\Program Files\WiFiConnector\NintendoWFCReg.exe
O8 - Extra context menu item: Crawler Search - tbr:iemenu
O8 - Extra context menu item: E&xportovat do aplikace Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Xstream Radio - {7A0815F1-6B65-4e3a-B198-709807B4042A} - C:\Program Files\XstreamRadio 3.02\RadioHelper.dll
O9 - Extra 'Tools' menuitem: Xstream Radio - {7A0815F1-6B65-4e3a-B198-709807B4042A} - C:\Program Files\XstreamRadio 3.02\RadioHelper.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Protocol: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - (no file)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
--
End of file - 8431 bytes
Re: Prosím o kontrolu logu
Ještě jednou:
Opět vypněte veškeré spuštěné programy (webový prohlížeč, messenger, ...). Přesuňte Combofix na plochu (pokud ho tam ještě nemáte) - otevřete si poznámkový blok - do něj zkopírujte text z nasledujícího okna:
Text uložte jako CFScript.txt na plochu - po uložení uchopte vámi vytvořený soubor .txt levým tlačítkem myši a přesuňte jej nad ikonu ComboFixu - nad ikonou ComboFixu soubor .txt upusťte - spustí se ComboFix - a CF začne znova scanovat, nakonci scanování se pokusí CF smazat zadané soubory či něco jiného, co jsme mu zadali - po provedení akce se opět zobrazí okno poznámkového bloku s textem, který sem zkopírujte a vyčkejte prosím na další rady :)
_____________________________________________________________________________________________
Jinak podle HJT by Avast měl být spuštěn - zkuste kliknout na panel pravým myšítkem a zkontrolovat, zda-li není zatržená volba "Skrýt neaktivní ikony" -> kdyžtak odškrtně nebo klikněte na "Vlastní..." a u Avastu nastavte, aby se ikonka zobrazovala stále.
Také pročistěte CCleanerem a po tomto všem sem vložte (spolu s logem ComboFix - z úvodu) nový HijackThis log.
Opět vypněte veškeré spuštěné programy (webový prohlížeč, messenger, ...). Přesuňte Combofix na plochu (pokud ho tam ještě nemáte) - otevřete si poznámkový blok - do něj zkopírujte text z nasledujícího okna:
Kód: Vybrat vše
File::
C:\WINDOWS\system32\WinData.cab
Registry::
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Ekq30.sys]Text uložte jako CFScript.txt na plochu - po uložení uchopte vámi vytvořený soubor .txt levým tlačítkem myši a přesuňte jej nad ikonu ComboFixu - nad ikonou ComboFixu soubor .txt upusťte - spustí se ComboFix - a CF začne znova scanovat, nakonci scanování se pokusí CF smazat zadané soubory či něco jiného, co jsme mu zadali - po provedení akce se opět zobrazí okno poznámkového bloku s textem, který sem zkopírujte a vyčkejte prosím na další rady :)
_____________________________________________________________________________________________
Jinak podle HJT by Avast měl být spuštěn - zkuste kliknout na panel pravým myšítkem a zkontrolovat, zda-li není zatržená volba "Skrýt neaktivní ikony" -> kdyžtak odškrtně nebo klikněte na "Vlastní..." a u Avastu nastavte, aby se ikonka zobrazovala stále.
Také pročistěte CCleanerem a po tomto všem sem vložte (spolu s logem ComboFix - z úvodu) nový HijackThis log.
Re: Prosím o kontrolu logu
Vše jsme udělali. Objevila se výstraha Windows ( činnost systému byla obnovena po závažné chybě ). Ikonka Avastu se nám na liště i po provedení vašich instrukcí neobjevila.
Zde je výsledek CF:
ComboFix 08-04-27.3 - Roman Šorna 2008-04-29 20:37:10.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1250.1.1029.18.716 [GMT 2:00]
Running from: C:\Documents and Settings\Roman Šorna\Plocha\ComboFix.exe
Command switches used :: C:\Documents and Settings\Roman Šorna\Plocha\CFScript.txt
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
FILE ::
C:\WINDOWS\system32\WinData.cab
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\WinData.cab
.
((((((((((((((((((((((((( Files Created from 2008-03-28 to 2008-04-29 )))))))))))))))))))))))))))))))
.
2008-04-29 18:27 . 2008-04-29 18:27 271,254 --a------ C:\Documents and Settings\Roman catchme.zip
2008-04-28 20:19 . 2008-04-28 20:19 <DIR> d-------- C:\Documents and Settings\Roman Őorna
2008-04-24 20:06 . 2008-04-24 20:11 <DIR> d-------- C:\Documents and Settings\Roman Šorna\Data aplikací\Command & Conquer 3 Kane's Wrath
2008-04-24 20:04 . 2007-10-12 15:14 3,734,536 --a------ C:\WINDOWS\system32\d3dx9_36.dll
2008-04-24 20:04 . 2007-10-12 15:14 1,374,232 --a------ C:\WINDOWS\system32\D3DCompiler_36.dll
2008-04-24 20:04 . 2007-10-02 09:56 444,776 --a------ C:\WINDOWS\system32\d3dx10_36.dll
2008-04-24 20:04 . 2007-10-22 03:39 267,272 --a------ C:\WINDOWS\system32\xactengine2_10.dll
2008-04-20 21:47 . 2008-04-21 08:05 <DIR> d-------- C:\Documents and Settings\Roman Šorna\Data aplikací\Command & Conquer 3 Tiberium Wars
2008-04-16 20:19 . 2008-04-25 22:21 <DIR> d-------- C:\My Recordings
2008-04-16 20:15 . 2008-04-17 21:49 <DIR> d-------- C:\Program Files\XstreamRadio 3.02
2008-04-03 01:26 . 2008-04-03 01:26 41,296 --a------ C:\WINDOWS\system32\xfcodec.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-29 12:56 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-29 12:45 --------- d-----w C:\Program Files\EA GAMES
2008-04-29 12:42 --------- d-----w C:\Program Files\EA SPORTS
2008-04-29 12:38 --------- d-----w C:\Program Files\THQ
2008-04-29 12:37 --------- d-----w C:\Program Files\LucasArts
2008-04-29 12:36 --------- d-----w C:\Program Files\Electronic Arts
2008-04-29 12:29 --------- d-----w C:\Program Files\Spyware Terminator
2008-04-29 12:29 --------- d-----w C:\Documents and Settings\All Users\Data aplikací\Spyware Terminator
2008-04-29 12:27 --------- d-----w C:\Documents and Settings\Roman Šorna\Data aplikací\Spyware Terminator
2008-04-28 18:12 96,256 ----a-w C:\WINDOWS\system32\drivers\sptd5709.sys
2008-04-27 18:01 --------- d-----w C:\Documents and Settings\Roman Šorna\Data aplikací\teamspeak2
2008-04-26 17:13 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-04-26 14:58 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-04-26 14:58 107,832 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
2008-04-26 11:18 --------- d-----w C:\Program Files\Morpheus
2008-04-25 18:02 --------- d-----w C:\Documents and Settings\Roman Šorna\Data aplikací\Hamachi
2008-04-21 09:47 --------- d-----w C:\Documents and Settings\Roman Šorna\Data aplikací\Morpheus
2008-04-20 17:35 --------- d-----w C:\Program Files\Xfire
2008-04-18 12:12 --------- d-----w C:\Program Files\ICQ6
2008-04-15 20:05 --------- d-----w C:\Documents and Settings\Roman Šorna\Data aplikací\Skype
2008-04-06 12:20 67,704 ----a-w C:\Documents and Settings\Roman Šorna\Data aplikací\GDIPFONTCACHEV1.DAT
2008-03-30 08:11 --------- d-----w C:\Program Files\ICQLite
2008-03-25 14:43 --------- d-----w C:\Documents and Settings\Roman Šorna\Data aplikací\Kingston
2008-03-24 12:58 138,752 ----a-w C:\WINDOWS\system32\drivers\sp_rsdrv2.sys
2008-03-20 08:09 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-18 14:12 158,720 ----a-w C:\WINDOWS\system32\unrar.dll
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:38 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-16 09:05 660,480 ----a-w C:\WINDOWS\system32\wininet.dll
2008-01-06 11:51 22,328 ----a-w C:\Documents and Settings\Roman Šorna\Data aplikací\PnkBstrK.sys
.
((((((((((((((((((((((((((((( snapshot@2008-04-28_20.18.50.85 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-28 18:13:16 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-04-29 16:39:09 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2008-04-28 18:13:51 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-04-29 16:28:15 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-04-28 18:15:26 180,224 -c--a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-04-29 16:28:15 212,992 -c--a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-04-28 18:13:51 65,536 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008042820080429\index.dat
+ 2008-04-28 18:43:14 65,536 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008042820080429\index.dat
+ 2008-04-29 16:23:33 49,152 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008042920080430\index.dat
+ 2008-04-29 16:39:12 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_788.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OM_Monitor"="C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe" [2005-07-19 12:14 57344]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-06-01 14:32 94208]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 18:24 1694208]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-03-02 14:00 15360]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"ICQ Lite"="C:\Program Files\ICQLite\ICQLite.exe" [2006-07-27 20:12 3142236]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2006-01-11 16:08 577536 C:\WINDOWS\soundman.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-06-01 18:22 7618560]
"nwiz"="nwiz.exe" [2006-06-01 18:22 1519616 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="NvMCTray.dll" [2006-06-01 18:22 86016 C:\WINDOWS\system32\nvmctray.dll]
"OpwareSE2"="C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" [2003-05-08 12:00 49152]
"OM_Monitor"="C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe" [2005-07-19 12:06 40960]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 17:40 155648]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2005-12-10 16:57 133016]
"FinePrint Dispatcher v5"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe" [2006-06-19 21:09 499712]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-11-17 20:24 77824]
"SpywareTerminator"="C:\PROGRA~1\SPYWAR~1\SpywareTerminatorShield.exe" [2008-03-24 14:58 2957824]
"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2006-11-24 02:06 487424]
"CanonSolutionMenu"="C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe" [2007-04-03 18:00 644696]
"CanonMyPrinter"="C:\Program Files\Canon\MyPrinter\BJMyPrt.exe" [2007-04-03 18:50 1603152]
"ICQ Lite"="C:\Program Files\ICQLite\ICQLite.exe" [2006-07-27 20:12 3142236]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2006-03-02 14:00 15360]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 16:38 39264]
C:\Documents and Settings\All Users\Nabˇdka Start\Programy\Po spuçtŘnˇ\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-11-22 20:07:28 113664]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 12:01:04 83360]
Run Nintendo Wi-Fi USB Connector Registration Tool.lnk - C:\Program Files\WiFiConnector\NintendoWFCReg.exe [2006-12-28 16:49:40 1073152]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.MJPG"= pvmjpg21.dll
"VIDC.XFR1"= xfcodec.dll
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Valve\\Half-Life 2\\cstrike.exe"=
"C:\\Program Files\\Valve\\Half-Life 2\\hl2.exe"=
"C:\\Program Files\\Activision\\Call of Duty 2\\CoD2MP_s.exe"=
"C:\\WINDOWS\\system32\\dplaysvr.exe"=
"C:\\Program Files\\Morpheus\\Morpheus.exe"=
"C:\\Program Files\\Hamachi\\hamachi.exe"=
"C:\\Program Files\\WiFiConnector\\NintendoWFCReg.exe"=
"C:\\Program Files\\ICQLite\\ICQLite.exe"=
"C:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=
"C:\\Program Files\\Team17\\Worms World Party\\wwp.exe"=
"C:\\Program Files\\Cossacks 2 - Battle for Europe\\Run\\Data\\engine.exe"=
"C:\\Program Files\\THQ\\S.T.A.L.K.E.R. - Shadow of Chernobyl\\bin\\XR_3DA.exe"=
"C:\\Program Files\\THQ\\S.T.A.L.K.E.R. - Shadow of Chernobyl\\bin\\dedicated\\XR_3DA.exe"=
"C:\\WINDOWS\\system32\\dpnsvr.exe"=
"C:\\Program Files\\Microsoft Games\\Age of Empires III\\Age3.exe"=
"C:\\Program Files\\LucasArts\\Star Wars Battlefront II\\GameData\\battlefrontII.exe"=
"C:\\WINDOWS\\system32\\PnkBstrA.exe"=
"C:\\WINDOWS\\system32\\PnkBstrB.exe"=
"C:\\Program Files\\Xfire\\xfire.exe"=
"C:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"C:\\Program Files\\ICQ6\\ICQ.exe"=
"C:\\Program Files\\Nero\\Nero 7\\Nero Home\\NeroHome.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\\Program Files\\Electronic Arts\\Command & Conquer 3\\RetailExe\\1.6\\cnc3game.dat"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\WINDOWS\\system32\\rundll32.exe"=
"C:\\Program Files\\Electronic Arts\\Command & Conquer 3 Kane's Wrath\\RetailExe\\1.0\\cnc3ep1.dat"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"2190:UDP"= 2190:UDP:Windows Media Format SDK (XstreamRadio.exe)
"2191:UDP"= 2191:UDP:Windows Media Format SDK (XstreamRadio.exe)
"2192:UDP"= 2192:UDP:Windows Media Format SDK (XstreamRadio.exe)
R0 sfsync03;StarForce Protection Synchronization Driver (version 3.x);C:\WINDOWS\system32\drivers\sfsync03.sys [2005-12-06 17:11]
R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-03-29 19:31]
R1 sp_rsdrv2;Spyware Terminator Driver 2;C:\WINDOWS\system32\drivers\sp_rsdrv2.sys [2008-03-24 14:58]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-03-29 19:35]
R3 PSched;Plánovač paketů technologie QoS;C:\WINDOWS\system32\DRIVERS\psched.sys [2006-03-02 14:00]
*Newly Created Service* - CATCHME
.
**************************************************************************
catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-29 20:40:39
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-04-29 20:41:25
ComboFix-quarantined-files.txt 2008-04-29 18:41:13
ComboFix2.txt 2008-04-29 16:34:39
ComboFix3.txt 2008-04-28 18:19:09
Adresářů: 10, Volných bajtů: 166,910,029,824
Adresářů: 11, Volných bajtů: 166,897,770,496
169 --- E O F --- 2008-04-09 14:58:52
Zde je výsledek HJT:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:52, on 2008-04-29
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\SPYWAR~1\SpywareTerminatorShield.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Program Files\ICQLite\ICQLite.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WiFiConnector\NintendoWFCReg.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\Documents and Settings\Roman Šorna\Dokumenty\ICQ Lite\393435578\Radek Pechal_470625856\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.seznam.cz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
R3 - URLSearchHook: (no name) - {855F3B16-6D32-4fe6-8A56-BBB695989046} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O3 - Toolbar: (no name) - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - (no file)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [FinePrint Dispatcher v5] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe" /source=HKLM
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SpywareTerminator] "C:\PROGRA~1\SPYWAR~1\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [ICQ Lite] "C:\Program Files\ICQLite\ICQLite.exe" -minimize
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe -NoStart
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -trayboot
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Run Nintendo Wi-Fi USB Connector Registration Tool.lnk = C:\Program Files\WiFiConnector\NintendoWFCReg.exe
O8 - Extra context menu item: Crawler Search - tbr:iemenu
O8 - Extra context menu item: E&xportovat do aplikace Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Xstream Radio - {7A0815F1-6B65-4e3a-B198-709807B4042A} - C:\Program Files\XstreamRadio 3.02\RadioHelper.dll
O9 - Extra 'Tools' menuitem: Xstream Radio - {7A0815F1-6B65-4e3a-B198-709807B4042A} - C:\Program Files\XstreamRadio 3.02\RadioHelper.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Protocol: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - (no file)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PsExec (PSEXESVC) - Unknown owner - C:\WINDOWS\PSEXESVC.EXE (file missing)
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
--
End of file - 8431 bytes
Zde je výsledek CF:
ComboFix 08-04-27.3 - Roman Šorna 2008-04-29 20:37:10.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1250.1.1029.18.716 [GMT 2:00]
Running from: C:\Documents and Settings\Roman Šorna\Plocha\ComboFix.exe
Command switches used :: C:\Documents and Settings\Roman Šorna\Plocha\CFScript.txt
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
FILE ::
C:\WINDOWS\system32\WinData.cab
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\WinData.cab
.
((((((((((((((((((((((((( Files Created from 2008-03-28 to 2008-04-29 )))))))))))))))))))))))))))))))
.
2008-04-29 18:27 . 2008-04-29 18:27 271,254 --a------ C:\Documents and Settings\Roman catchme.zip
2008-04-28 20:19 . 2008-04-28 20:19 <DIR> d-------- C:\Documents and Settings\Roman Őorna
2008-04-24 20:06 . 2008-04-24 20:11 <DIR> d-------- C:\Documents and Settings\Roman Šorna\Data aplikací\Command & Conquer 3 Kane's Wrath
2008-04-24 20:04 . 2007-10-12 15:14 3,734,536 --a------ C:\WINDOWS\system32\d3dx9_36.dll
2008-04-24 20:04 . 2007-10-12 15:14 1,374,232 --a------ C:\WINDOWS\system32\D3DCompiler_36.dll
2008-04-24 20:04 . 2007-10-02 09:56 444,776 --a------ C:\WINDOWS\system32\d3dx10_36.dll
2008-04-24 20:04 . 2007-10-22 03:39 267,272 --a------ C:\WINDOWS\system32\xactengine2_10.dll
2008-04-20 21:47 . 2008-04-21 08:05 <DIR> d-------- C:\Documents and Settings\Roman Šorna\Data aplikací\Command & Conquer 3 Tiberium Wars
2008-04-16 20:19 . 2008-04-25 22:21 <DIR> d-------- C:\My Recordings
2008-04-16 20:15 . 2008-04-17 21:49 <DIR> d-------- C:\Program Files\XstreamRadio 3.02
2008-04-03 01:26 . 2008-04-03 01:26 41,296 --a------ C:\WINDOWS\system32\xfcodec.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-29 12:56 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-29 12:45 --------- d-----w C:\Program Files\EA GAMES
2008-04-29 12:42 --------- d-----w C:\Program Files\EA SPORTS
2008-04-29 12:38 --------- d-----w C:\Program Files\THQ
2008-04-29 12:37 --------- d-----w C:\Program Files\LucasArts
2008-04-29 12:36 --------- d-----w C:\Program Files\Electronic Arts
2008-04-29 12:29 --------- d-----w C:\Program Files\Spyware Terminator
2008-04-29 12:29 --------- d-----w C:\Documents and Settings\All Users\Data aplikací\Spyware Terminator
2008-04-29 12:27 --------- d-----w C:\Documents and Settings\Roman Šorna\Data aplikací\Spyware Terminator
2008-04-28 18:12 96,256 ----a-w C:\WINDOWS\system32\drivers\sptd5709.sys
2008-04-27 18:01 --------- d-----w C:\Documents and Settings\Roman Šorna\Data aplikací\teamspeak2
2008-04-26 17:13 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-04-26 14:58 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-04-26 14:58 107,832 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
2008-04-26 11:18 --------- d-----w C:\Program Files\Morpheus
2008-04-25 18:02 --------- d-----w C:\Documents and Settings\Roman Šorna\Data aplikací\Hamachi
2008-04-21 09:47 --------- d-----w C:\Documents and Settings\Roman Šorna\Data aplikací\Morpheus
2008-04-20 17:35 --------- d-----w C:\Program Files\Xfire
2008-04-18 12:12 --------- d-----w C:\Program Files\ICQ6
2008-04-15 20:05 --------- d-----w C:\Documents and Settings\Roman Šorna\Data aplikací\Skype
2008-04-06 12:20 67,704 ----a-w C:\Documents and Settings\Roman Šorna\Data aplikací\GDIPFONTCACHEV1.DAT
2008-03-30 08:11 --------- d-----w C:\Program Files\ICQLite
2008-03-25 14:43 --------- d-----w C:\Documents and Settings\Roman Šorna\Data aplikací\Kingston
2008-03-24 12:58 138,752 ----a-w C:\WINDOWS\system32\drivers\sp_rsdrv2.sys
2008-03-20 08:09 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-18 14:12 158,720 ----a-w C:\WINDOWS\system32\unrar.dll
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:38 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-16 09:05 660,480 ----a-w C:\WINDOWS\system32\wininet.dll
2008-01-06 11:51 22,328 ----a-w C:\Documents and Settings\Roman Šorna\Data aplikací\PnkBstrK.sys
.
((((((((((((((((((((((((((((( snapshot@2008-04-28_20.18.50.85 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-28 18:13:16 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-04-29 16:39:09 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2008-04-28 18:13:51 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-04-29 16:28:15 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-04-28 18:15:26 180,224 -c--a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-04-29 16:28:15 212,992 -c--a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-04-28 18:13:51 65,536 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008042820080429\index.dat
+ 2008-04-28 18:43:14 65,536 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008042820080429\index.dat
+ 2008-04-29 16:23:33 49,152 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008042920080430\index.dat
+ 2008-04-29 16:39:12 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_788.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OM_Monitor"="C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe" [2005-07-19 12:14 57344]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-06-01 14:32 94208]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 18:24 1694208]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-03-02 14:00 15360]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"ICQ Lite"="C:\Program Files\ICQLite\ICQLite.exe" [2006-07-27 20:12 3142236]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2006-01-11 16:08 577536 C:\WINDOWS\soundman.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-06-01 18:22 7618560]
"nwiz"="nwiz.exe" [2006-06-01 18:22 1519616 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="NvMCTray.dll" [2006-06-01 18:22 86016 C:\WINDOWS\system32\nvmctray.dll]
"OpwareSE2"="C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" [2003-05-08 12:00 49152]
"OM_Monitor"="C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe" [2005-07-19 12:06 40960]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 17:40 155648]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2005-12-10 16:57 133016]
"FinePrint Dispatcher v5"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe" [2006-06-19 21:09 499712]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-11-17 20:24 77824]
"SpywareTerminator"="C:\PROGRA~1\SPYWAR~1\SpywareTerminatorShield.exe" [2008-03-24 14:58 2957824]
"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2006-11-24 02:06 487424]
"CanonSolutionMenu"="C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe" [2007-04-03 18:00 644696]
"CanonMyPrinter"="C:\Program Files\Canon\MyPrinter\BJMyPrt.exe" [2007-04-03 18:50 1603152]
"ICQ Lite"="C:\Program Files\ICQLite\ICQLite.exe" [2006-07-27 20:12 3142236]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2006-03-02 14:00 15360]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 16:38 39264]
C:\Documents and Settings\All Users\Nabˇdka Start\Programy\Po spuçtŘnˇ\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-11-22 20:07:28 113664]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 12:01:04 83360]
Run Nintendo Wi-Fi USB Connector Registration Tool.lnk - C:\Program Files\WiFiConnector\NintendoWFCReg.exe [2006-12-28 16:49:40 1073152]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.MJPG"= pvmjpg21.dll
"VIDC.XFR1"= xfcodec.dll
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Valve\\Half-Life 2\\cstrike.exe"=
"C:\\Program Files\\Valve\\Half-Life 2\\hl2.exe"=
"C:\\Program Files\\Activision\\Call of Duty 2\\CoD2MP_s.exe"=
"C:\\WINDOWS\\system32\\dplaysvr.exe"=
"C:\\Program Files\\Morpheus\\Morpheus.exe"=
"C:\\Program Files\\Hamachi\\hamachi.exe"=
"C:\\Program Files\\WiFiConnector\\NintendoWFCReg.exe"=
"C:\\Program Files\\ICQLite\\ICQLite.exe"=
"C:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=
"C:\\Program Files\\Team17\\Worms World Party\\wwp.exe"=
"C:\\Program Files\\Cossacks 2 - Battle for Europe\\Run\\Data\\engine.exe"=
"C:\\Program Files\\THQ\\S.T.A.L.K.E.R. - Shadow of Chernobyl\\bin\\XR_3DA.exe"=
"C:\\Program Files\\THQ\\S.T.A.L.K.E.R. - Shadow of Chernobyl\\bin\\dedicated\\XR_3DA.exe"=
"C:\\WINDOWS\\system32\\dpnsvr.exe"=
"C:\\Program Files\\Microsoft Games\\Age of Empires III\\Age3.exe"=
"C:\\Program Files\\LucasArts\\Star Wars Battlefront II\\GameData\\battlefrontII.exe"=
"C:\\WINDOWS\\system32\\PnkBstrA.exe"=
"C:\\WINDOWS\\system32\\PnkBstrB.exe"=
"C:\\Program Files\\Xfire\\xfire.exe"=
"C:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"C:\\Program Files\\ICQ6\\ICQ.exe"=
"C:\\Program Files\\Nero\\Nero 7\\Nero Home\\NeroHome.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\\Program Files\\Electronic Arts\\Command & Conquer 3\\RetailExe\\1.6\\cnc3game.dat"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\WINDOWS\\system32\\rundll32.exe"=
"C:\\Program Files\\Electronic Arts\\Command & Conquer 3 Kane's Wrath\\RetailExe\\1.0\\cnc3ep1.dat"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"2190:UDP"= 2190:UDP:Windows Media Format SDK (XstreamRadio.exe)
"2191:UDP"= 2191:UDP:Windows Media Format SDK (XstreamRadio.exe)
"2192:UDP"= 2192:UDP:Windows Media Format SDK (XstreamRadio.exe)
R0 sfsync03;StarForce Protection Synchronization Driver (version 3.x);C:\WINDOWS\system32\drivers\sfsync03.sys [2005-12-06 17:11]
R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-03-29 19:31]
R1 sp_rsdrv2;Spyware Terminator Driver 2;C:\WINDOWS\system32\drivers\sp_rsdrv2.sys [2008-03-24 14:58]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-03-29 19:35]
R3 PSched;Plánovač paketů technologie QoS;C:\WINDOWS\system32\DRIVERS\psched.sys [2006-03-02 14:00]
*Newly Created Service* - CATCHME
.
**************************************************************************
catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-29 20:40:39
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-04-29 20:41:25
ComboFix-quarantined-files.txt 2008-04-29 18:41:13
ComboFix2.txt 2008-04-29 16:34:39
ComboFix3.txt 2008-04-28 18:19:09
Adresářů: 10, Volných bajtů: 166,910,029,824
Adresářů: 11, Volných bajtů: 166,897,770,496
169 --- E O F --- 2008-04-09 14:58:52
Zde je výsledek HJT:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:52, on 2008-04-29
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\SPYWAR~1\SpywareTerminatorShield.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Program Files\ICQLite\ICQLite.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WiFiConnector\NintendoWFCReg.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\Documents and Settings\Roman Šorna\Dokumenty\ICQ Lite\393435578\Radek Pechal_470625856\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.seznam.cz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
R3 - URLSearchHook: (no name) - {855F3B16-6D32-4fe6-8A56-BBB695989046} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O3 - Toolbar: (no name) - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - (no file)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [FinePrint Dispatcher v5] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe" /source=HKLM
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SpywareTerminator] "C:\PROGRA~1\SPYWAR~1\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [ICQ Lite] "C:\Program Files\ICQLite\ICQLite.exe" -minimize
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe -NoStart
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -trayboot
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Run Nintendo Wi-Fi USB Connector Registration Tool.lnk = C:\Program Files\WiFiConnector\NintendoWFCReg.exe
O8 - Extra context menu item: Crawler Search - tbr:iemenu
O8 - Extra context menu item: E&xportovat do aplikace Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Xstream Radio - {7A0815F1-6B65-4e3a-B198-709807B4042A} - C:\Program Files\XstreamRadio 3.02\RadioHelper.dll
O9 - Extra 'Tools' menuitem: Xstream Radio - {7A0815F1-6B65-4e3a-B198-709807B4042A} - C:\Program Files\XstreamRadio 3.02\RadioHelper.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Protocol: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - (no file)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PsExec (PSEXESVC) - Unknown owner - C:\WINDOWS\PSEXESVC.EXE (file missing)
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
--
End of file - 8431 bytes
Re: Prosím o kontrolu logu
Nyní jděte přes Start - spustit - napište: msconfig - otevře se okno, kde se přepněte na poslední záložku "po spuštění" - zkuste najít: Avast C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe - pokud tam bude, tak nebude zaškrtlé políčko napravo -> zaškrtněte ho.
V HijackThisu můžete ještě fixnout tohle:
O3 - Toolbar: (no name) - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - (no file)
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O18 - Protocol: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - (no file)
+ pročistěte T-Cleanerem (smaže ComboFix a jím vytvořené složky + spoustu dalších věcí).
V HijackThisu můžete ještě fixnout tohle:
O3 - Toolbar: (no name) - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - (no file)
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O18 - Protocol: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - (no file)
+ pročistěte T-Cleanerem (smaže ComboFix a jím vytvořené složky + spoustu dalších věcí).
Re: Prosím o kontrolu logu
T-cleaner nám nešel stáhnout, a tak jej stáhneme zítra. Mockrát děkuji za pomoc. Jsem rád, že existují odborníci jako vy.
Kdo je online
Uživatelé prohlížející si toto fórum: Žádní registrovaní uživatelé a 0 hostů