Ahoj všem, vytvořil jsem si log z programu Combofix ale nevím jak postupovat dál, poradí někdo? dík
ComboFix 08-07-07.3 - uživatel 2008-07-08 17:41:34.5 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1250.1.1029.18.460 [GMT 2:00]
Running from: C:\Documents and Settings\uživatel\Plocha\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\BM7f70a1df.txt
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\aakmqgpt.ini
C:\WINDOWS\system32\akttzn.exe
C:\WINDOWS\system32\bdn.com
C:\WINDOWS\system32\bplsqjxe.dll
C:\WINDOWS\system32\cbXpNFwV.dll
C:\WINDOWS\system32\ceqrjdyc.ini
C:\WINDOWS\system32\cydjrqec.dll
C:\WINDOWS\system32\edpirffm.dll
C:\WINDOWS\system32\exjqslpb.ini
C:\WINDOWS\system32\exjqslpb.tmp
C:\WINDOWS\system32\hxiwlgpm.dat
C:\WINDOWS\system32\hxiwlgpm.exe
C:\WINDOWS\system32\kdvlf.exe
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\msgp.exe
C:\WINDOWS\system32\mssecu.exe
C:\WINDOWS\system32\mtr2.exe
C:\WINDOWS\system32\mwin32.exe
C:\WINDOWS\system32\netode.exe
C:\WINDOWS\system32\opnkKddD.dll
C:\WINDOWS\system32\regm64.dll
C:\WINDOWS\system32\ssvchost.exe
C:\WINDOWS\system32\sysreq.exe
C:\WINDOWS\system32\taack.dat
C:\WINDOWS\system32\taack.exe
C:\WINDOWS\system32\uwsgckrt.dll
C:\WINDOWS\system32\VBIEWER.OCX
C:\WINDOWS\system32\VwFNpXbc.ini
C:\WINDOWS\system32\VwFNpXbc.ini2
C:\WINDOWS\system32\winlogonpc.exe
C:\WINDOWS\system32\WINWGPX.EXE
.
((((((((((((((((((((((((( Files Created from 2008-06-08 to 2008-07-08 )))))))))))))))))))))))))))))))
.
2008-07-07 17:02 . 2008-07-08 17:38 110,479 --a------ C:\WINDOWS\BM7f70a1df.xml
2008-07-06 19:02 . 2008-07-06 19:02 <DIR> d-------- C:\Program Files\Web Technologies
2008-07-06 11:12 . 2008-07-06 11:12 <DIR> d-------- C:\Program Files\ICQ6
2008-06-11 15:59 . 2008-06-14 20:00 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-08 15:51 96,256 ----a-w C:\WINDOWS\system32\drivers\sptd1725.sys
2008-06-20 05:47 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-06-14 18:00 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-05 18:09 --------- d-----w C:\Program Files\AnMing
2008-05-08 18:00 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-05-08 17:37 --------- d-----w C:\Program Files\a-squared Free
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-04 15:25 691,545 ----a-w C:\WINDOWS\unins000.exe
2004-10-01 13:00 40,960 ----a-w C:\Program Files\Uninstall_CDS.exe
2004-09-14 20:44 5,632 --sha-w C:\Program Files\Thumbs.db
2006-03-26 05:07 3,350 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NBJ"="C:\Program Files\Ahead\Nero BackItUp\NBJ.exe" [2005-06-02 16:03 1957888]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2006-05-19 18:11 18577448]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\Wcescomm.exe" [2006-11-13 16:50 1289000]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45 313472]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"ICQ Lite"="F:\TOM\ICQ\ICQLite\ICQLite.exe" [2006-07-11 12:06 3144800]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-07-18 21:41 286720]
"mouseElf"="C:\PROGRA~1\GAMING~1\MouseElf.EXE" [2006-02-27 05:47 471166]
"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-09-28 14:16 185896]
"OpwareSE4"="C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe" [2006-10-11 13:45 75304]
"WrtMon.exe"="C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe" [2006-09-20 09:35 20480]
"ScanSoft OmniPage SE 4.0-reminder"="C:\Program Files\ScanSoft\OmniPageSE4.0\Ereg\Ereg.exe" [2006-09-26 16:38 1410600]
"PinnacleDriverCheck"="C:\WINDOWS\system32\\PSDrvCheck.exe" [2004-03-11 01:26 406016]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"ICQ Lite"="F:\TOM\ICQ\ICQLite\ICQLite.exe" [2006-07-11 12:06 3144800]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-17 15:49 15360]
"Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-11-07 18:35 1294336]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
"this"="C:\Program Files\Web Technologies\wcs.exe" [2008-07-06 19:02 7680]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoBandCustomize"= 0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoBandCustomize"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.fvfw"= ffvfw.dll
"msacm.avis"= ffvfw.dll
"msacm.WRPR"= aviwrap.dll
"msacm.l3radius"= l3codecp.acm
"msacm.divxa"= divxa32.acm
"vidc.3iv2"= 3ivxVfWCodec.dll
"SENTINEL"= snti386.dll
"vidc.yv12"= yv12vfw.dll
"vidc.i420"= vdrcodec.dll
"VIDC.MJPG"= Pvmjpg30.dll
"VIDC.PIM1"= pclepim1.dll
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\WINDOWS\\system32\\dpnsvr.exe"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"G:\\WOLF\\ET.exe"=
"F:\\TOM\\StrongDC.exe"=
"C:\\Program Files\\Common Files\\Nokia\\Service Layer\\A\\nsl_host_process.exe"=
"G:\\ARMA\\ArmA Demo\\ArmADemo.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"F:\\TOM\\ICQ\\ICQLite\\ICQLite.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
R0 BsStor;InCD Storage Helper Driver;C:\WINDOWS\system32\DRIVERS\bsstor.sys [2001-12-20 18:00]
R0 sfsync03;StarForce Protection Synchronization Driver (version 3.x);C:\WINDOWS\system32\drivers\sfsync03.sys [2005-12-06 17:11]
R1 Cinemsup;Cinemsup;C:\WINDOWS\System32\drivers\cinemsup.sys [2002-07-19 10:10]
R2 BsUDF;InCD UDF Driver;C:\WINDOWS\system32\drivers\BsUDF.sys [2002-02-08 12:16]
R3 genmcmn;Scroll Mouse Driver;C:\WINDOWS\system32\DRIVERS\gmfiltr.sys [2005-07-02 06:35]
R3 PSched;Plánovač paketů technologie QoS;C:\WINDOWS\system32\DRIVERS\psched.sys [2004-08-03 23:04]
S2 Parclass;Parclass;C:\WINDOWS\system32\Drivers\Parclass.sys []
S3 MA8630C;MA8630C;C:\WINDOWS\system32\DRIVERS\MA8630C.sys [2004-08-30 13:26]
S3 MA8630M;MA8630M;C:\WINDOWS\system32\DRIVERS\MA8630M.sys [2004-09-01 11:56]
S3 MA8630U;MA8630U;C:\WINDOWS\system32\DRIVERS\MA8630U.sys [2004-09-01 13:59]
S3 MaRdPnp;MaRdPnp;C:\WINDOWS\system32\DRIVERS\MaRdP2K.sys [2004-08-12 09:30]
.
Contents of the 'Scheduled Tasks' folder
"2008-06-30 23:34:01 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
- - - - ORPHANS REMOVED - - - -
HKLM-Run-C:\WINDOWS\system32\kdvlf.exe - C:\WINDOWS\system32\kdvlf.exe
HKLM-Run-BM7f70a1df - C:\WINDOWS\system32\uwsgckrt.dll
HKLM-Run-7c439243 - C:\WINDOWS\system32\bplsqjxe.dll
SSODL-wetkadmr-{21DEFFE9-D389-44D8-AD07-B1F6E1409A56} - (no file)
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-08 17:53:08
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\ALWIL Software\Avast4\aswUpdSv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtProc.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
.
**************************************************************************
.
Completion time: 2008-07-08 17:58:15 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-08 15:58:11
ComboFix2.txt 2008-05-08 18:08:26
ComboFix3.txt 2008-05-08 17:51:17
ComboFix4.txt 2008-05-08 17:15:29
ComboFix5.txt 2008-05-06 16:57:17
Adresářů: 16, Volných bajtů: 6,111,166,464
Adres ý…: 19, Volněch bajt…: 6,724,956,160
179 --- E O F --- 2008-06-20 21:33:24
Log z Combofix
-
fredik
- člen Security týmu
-
Master Level 7
- Příspěvky: 4680
- Registrován: červenec 06
- Pohlaví:
- Stav:
Offline
Re: Log z Combofix
Vítej na fóru
Otevři si Poznámkový blok (Start -> Spustit... a napiš do okna Notepad a dej Ok)
Zkopíruj do něj následující celý text označený zeleně:
Poznámka: Nepoužij k označení skriptu funkci VYBRAT VŠE
Zvol možnost Soubor -> Uložit jako... a nastav tyto parametry:
Název souboru: zde napiš: CFScript.txt
Uložit jako typ: tak tam vyber Všechny soubory
Ulož soubor na plochu.
Ukonči všechna aktivní okna.
Uchop myší vytvořený skript CFScript.txt, přemísti ho nad stažený program ComboFix.exe a když se oba soubory překryjí, skript upusť
- Automaticky se spustí ComboFix
- Vlož sem log, který vyběhne v závěru čistícího procesu + nový log z HJT
Otevři si Poznámkový blok (Start -> Spustit... a napiš do okna Notepad a dej Ok)
Zkopíruj do něj následující celý text označený zeleně:
Poznámka: Nepoužij k označení skriptu funkci VYBRAT VŠE
Kód: Vybrat vše
File::
C:\WINDOWS\BM7f70a1df.xml
Folder::
C:\Program Files\Web Technologies
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
"this"=-Zvol možnost Soubor -> Uložit jako... a nastav tyto parametry:
Název souboru: zde napiš: CFScript.txt
Uložit jako typ: tak tam vyber Všechny soubory
Ulož soubor na plochu.
Ukonči všechna aktivní okna.
Uchop myší vytvořený skript CFScript.txt, přemísti ho nad stažený program ComboFix.exe a když se oba soubory překryjí, skript upusť
- Automaticky se spustí ComboFix
- Vlož sem log, který vyběhne v závěru čistícího procesu + nový log z HJT
It may take a while to get a response, because the "HJT Team" are very busy. Please, be patient, these people are volunteers. They will help you out, as soon as possible.
Pokud máte nějaký problém, tak mi neposílejte SZ/PM zprávy s logy a dejte je do fóra. Na tyto SZ není možno odpovědět
Pokud máte nějaký problém, tak mi neposílejte SZ/PM zprávy s logy a dejte je do fóra. Na tyto SZ není možno odpovědět
Re: Log z Combofix
Dík za radu a přidávám novej log z Combofix a HJT
ComboFix 08-07-07.3 - uživatel 2008-07-09 18:19:14.6 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1250.1.1029.18.409 [GMT 2:00]
Running from: C:\Documents and Settings\uživatel\Plocha\ComboFix.exe
Command switches used :: C:\Documents and Settings\uživatel\Plocha\CFScript.txt
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
FILE ::
C:\WINDOWS\BM7f70a1df.xml
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Program Files\Web Technologies
C:\Program Files\Web Technologies\wcs.exe
C:\Program Files\Web Technologies\wcu.exe
C:\WINDOWS\BM7f70a1df.xml
.
((((((((((((((((((((((((( Files Created from 2008-06-09 to 2008-07-09 )))))))))))))))))))))))))))))))
.
2008-07-09 18:07 . 2008-07-09 18:08 <DIR> d-------- C:\Program Files\ICQ6
2008-07-09 16:44 . 2008-07-09 16:44 <DIR> d-------- C:\WINDOWS\LastGood
2008-07-09 11:12 . 2008-07-09 11:12 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-07-09 11:12 . 2008-07-09 11:12 1,409 --a------ C:\WINDOWS\QTFont.for
2008-07-05 19:03 . 2008-07-05 19:04 <DIR> d-------- C:\Documents and Settings\uživatel\Data aplikací\Miranda
2008-07-05 18:59 . 2008-07-05 18:59 <DIR> d-------- C:\Documents and Settings\uživatel\Data aplikací\ICQ Toolbar
2008-06-11 15:59 . 2008-06-14 20:00 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-08 15:51 96,256 ----a-w C:\WINDOWS\system32\drivers\sptd1725.sys
2008-06-22 14:59 --------- d-----w C:\Documents and Settings\uživatel\Data aplikací\Nokia Multimedia Player
2008-06-20 05:47 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-06-17 19:15 --------- d-----w C:\Documents and Settings\uživatel\Data aplikací\AdobeUM
2008-06-14 18:00 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-05 18:09 --------- d-----w C:\Program Files\AnMing
2008-05-07 05:16 1,290,240 ----a-w C:\WINDOWS\system32\quartz.dll
2008-05-04 15:25 691,545 ----a-w C:\WINDOWS\unins000.exe
2008-04-21 07:03 660,480 ----a-w C:\WINDOWS\system32\wininet.dll
2008-04-14 14:47 107,832 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
2004-10-01 13:00 40,960 ----a-w C:\Program Files\Uninstall_CDS.exe
2004-09-14 20:44 5,632 --sha-w C:\Program Files\Thumbs.db
2006-03-26 05:07 3,350 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.
((((((((((((((((((((((((((((( snapshot@2008-07-08_17.57.53.51 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-07-08 15:52:25 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-07-09 09:07:24 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2008-07-08 14:03:50 68,878 ----a-w C:\WINDOWS\system32\perfc005.dat
+ 2008-07-09 09:11:58 68,878 ----a-w C:\WINDOWS\system32\perfc005.dat
- 2008-07-08 14:03:50 18,238 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-07-09 09:11:58 18,238 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-07-08 14:03:50 352,314 ----a-w C:\WINDOWS\system32\perfh005.dat
+ 2008-07-09 09:11:58 352,314 ----a-w C:\WINDOWS\system32\perfh005.dat
- 2008-07-08 14:03:50 42,904 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-07-09 09:11:58 42,904 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-07-09 16:07:11 156,616 ----a-w C:\WINDOWS\TEMP\{465129FB-974E-4B3A-B946-28437BB9F0A5}\_Setup.dll
+ 2008-07-09 16:07:10 535,552 ----a-w C:\WINDOWS\TEMP\{465129FB-974E-4B3A-B946-28437BB9F0A5}\Disk1\ISSetup.dll
+ 2007-04-27 09:08:58 126,912 ------w C:\WINDOWS\TEMP\{967493D4-0B20-4CC0-A2C6-5D2DE7A3CD99}\{60DE4033-9503-48D1-A483-7846BD217CA9}\_IsRes.dll
+ 2008-03-09 14:08:34 147,456 ----a-w C:\WINDOWS\TEMP\{967493D4-0B20-4CC0-A2C6-5D2DE7A3CD99}\{60DE4033-9503-48D1-A483-7846BD217CA9}\_ISUser.dll
+ 2008-02-19 16:16:54 389,120 ----a-w C:\WINDOWS\TEMP\{967493D4-0B20-4CC0-A2C6-5D2DE7A3CD99}\{60DE4033-9503-48D1-A483-7846BD217CA9}\FlashPlayerControl.dll
+ 2007-04-27 09:10:44 222,144 ------w C:\WINDOWS\TEMP\{967493D4-0B20-4CC0-A2C6-5D2DE7A3CD99}\{60DE4033-9503-48D1-A483-7846BD217CA9}\isrt.dll
+ 2008-02-19 16:16:54 437,760 ----a-w C:\WINDOWS\TEMP\{967493D4-0B20-4CC0-A2C6-5D2DE7A3CD99}\{60DE4033-9503-48D1-A483-7846BD217CA9}\MoveIt.dll
+ 2007-12-19 13:17:44 78,848 ----a-w C:\WINDOWS\TEMP\{967493D4-0B20-4CC0-A2C6-5D2DE7A3CD99}\{60DE4033-9503-48D1-A483-7846BD217CA9}\MReport.dll
+ 2008-02-19 16:16:54 10,752 ----a-w C:\WINDOWS\TEMP\{967493D4-0B20-4CC0-A2C6-5D2DE7A3CD99}\{60DE4033-9503-48D1-A483-7846BD217CA9}\XPFwResolve.dll
- 2008-07-08 15:53:07 53,248 ----a-w C:\WINDOWS\TEMP\catchme.dll
+ 2008-07-09 16:21:54 53,248 ----a-w C:\WINDOWS\TEMP\catchme.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NBJ"="C:\Program Files\Ahead\Nero BackItUp\NBJ.exe" [2005-06-02 16:03 1957888]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2006-05-19 18:11 18577448]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\Wcescomm.exe" [2006-11-13 16:50 1289000]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45 313472]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-07-18 21:41 286720]
"mouseElf"="C:\PROGRA~1\GAMING~1\MouseElf.EXE" [2006-02-27 05:47 471166]
"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-09-28 14:16 185896]
"OpwareSE4"="C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe" [2006-10-11 13:45 75304]
"WrtMon.exe"="C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe" [2006-09-20 09:35 20480]
"ScanSoft OmniPage SE 4.0-reminder"="C:\Program Files\ScanSoft\OmniPageSE4.0\Ereg\Ereg.exe" [2006-09-26 16:38 1410600]
"PinnacleDriverCheck"="C:\WINDOWS\system32\\PSDrvCheck.exe" [2004-03-11 01:26 406016]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"ICQ Lite"="F:\TOM\ICQ\ICQLite\ICQLite.exe" [2006-07-11 12:06 3144800]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-17 15:49 15360]
"Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-11-07 18:35 1294336]
C:\Documents and Settings\Vlastnˇk\Nabˇdka Start\Programy\Po spuçtŘnˇ\
Reminder-cor40212.lnk - C:\WINDOWS\system32\magnify.exe [2004-08-30 15:43:14 72704]
C:\Documents and Settings\All Users\Nabˇdka Start\Programy\Po spuçtŘnˇ\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-10-24 13:23:08 113664]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoBandCustomize"= 0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoBandCustomize"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.fvfw"= ffvfw.dll
"msacm.avis"= ffvfw.dll
"msacm.WRPR"= aviwrap.dll
"msacm.l3radius"= l3codecp.acm
"msacm.divxa"= divxa32.acm
"vidc.3iv2"= 3ivxVfWCodec.dll
"SENTINEL"= snti386.dll
"vidc.yv12"= yv12vfw.dll
"vidc.i420"= vdrcodec.dll
"VIDC.MJPG"= Pvmjpg30.dll
"VIDC.PIM1"= pclepim1.dll
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\WINDOWS\\system32\\dpnsvr.exe"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"G:\\WOLF\\ET.exe"=
"F:\\TOM\\StrongDC.exe"=
"C:\\Program Files\\Common Files\\Nokia\\Service Layer\\A\\nsl_host_process.exe"=
"G:\\ARMA\\ArmA Demo\\ArmADemo.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"F:\\TOM\\ICQ\\ICQLite\\ICQLite.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
R0 BsStor;InCD Storage Helper Driver;C:\WINDOWS\system32\DRIVERS\bsstor.sys [2001-12-20 18:00]
R0 sfsync03;StarForce Protection Synchronization Driver (version 3.x);C:\WINDOWS\system32\drivers\sfsync03.sys [2005-12-06 17:11]
R1 Cinemsup;Cinemsup;C:\WINDOWS\System32\drivers\cinemsup.sys [2002-07-19 10:10]
R2 BsUDF;InCD UDF Driver;C:\WINDOWS\system32\drivers\BsUDF.sys [2002-02-08 12:16]
R3 genmcmn;Scroll Mouse Driver;C:\WINDOWS\system32\DRIVERS\gmfiltr.sys [2005-07-02 06:35]
R3 PSched;Plánovač paketů technologie QoS;C:\WINDOWS\system32\DRIVERS\psched.sys [2004-08-03 23:04]
S2 Parclass;Parclass;C:\WINDOWS\system32\Drivers\Parclass.sys []
S3 MA8630C;MA8630C;C:\WINDOWS\system32\DRIVERS\MA8630C.sys [2004-08-30 13:26]
S3 MA8630M;MA8630M;C:\WINDOWS\system32\DRIVERS\MA8630M.sys [2004-09-01 11:56]
S3 MA8630U;MA8630U;C:\WINDOWS\system32\DRIVERS\MA8630U.sys [2004-09-01 13:59]
S3 MaRdPnp;MaRdPnp;C:\WINDOWS\system32\DRIVERS\MaRdP2K.sys [2004-08-12 09:30]
*Newly Created Service* - CATCHME
*Newly Created Service* - NMSCFG
.
Contents of the 'Scheduled Tasks' folder
"2008-06-30 23:34:01 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
- - - - ORPHANS REMOVED - - - -
HKLM-Run-C:\WINDOWS\system32\kdvlf.exe - C:\WINDOWS\system32\kdvlf.exe
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-09 18:21:55
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-07-09 18:24:02
ComboFix-quarantined-files.txt 2008-07-09 16:23:36
ComboFix2.txt 2008-07-08 15:58:18
ComboFix3.txt 2008-05-08 18:08:26
ComboFix4.txt 2008-05-08 17:51:17
ComboFix5.txt 2008-05-08 17:15:29
Adresářů: 16, Volných bajtů: 6,381,649,920
Adresářů: 19, Volných bajtů: 6,648,770,560
166 --- E O F --- 2008-06-20 21:33:24
Logfile of HijackThis v1.99.1
Scan saved at 18:40:12, on 9.7.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtProc.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\System32\NMSSvc.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\WINDOWS\TEMP\Rar$EX00.860\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.seznam.cz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - F:\TOM\ICQ\ICQToolbar\toolbaru.dll
O2 - BHO: XTTBPos00 - {055FD26D-3A88-4e15-963D-DC8493744B1D} - F:\TOM\ICQ\ICQToolbar\toolbaru.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - (no file)
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - F:\TOM\ICQ\ICQToolbar\toolbaru.dll
O4 - HKLM\..\Run: [C:\WINDOWS\system32\kdvlf.exe] C:\WINDOWS\system32\kdvlf.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [mouseElf] C:\PROGRA~1\GAMING~1\MouseElf.EXE
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"
O4 - HKLM\..\Run: [WrtMon.exe] C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe
O4 - HKLM\..\Run: [ScanSoft OmniPage SE 4.0-reminder] "C:\Program Files\ScanSoft\OmniPageSE4.0\Ereg\Ereg.exe" -r "C:\Documents and Settings\All Users\Data aplikací\ScanSoft\OmniPageSE4.0\Ereg\ereg.ini"
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\\PSDrvCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [ICQ Lite] "F:\TOM\ICQ\ICQLite\ICQLite.exe" -minimize
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Vytvořit mobilní oblíbenou položku… - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - F:\TOM\ICQ\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - F:\TOM\ICQ\ICQLite\ICQLite.exe
O9 - Extra button: eBay - Homepage - {EF79EAC5-3452-4E02-B8BD-BA4C89F1AC7A} - C:\Program Files\IrfanView\Ebay\Ebay.htm
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/download/ ... leId=19588
O16 - DPF: {D5AE06F6-9883-4E06-9FE8-4114B16B20BF} (CatFSO2.UserControl1) - http://www.zelenahvezda.cz/katalog/CatFSO2.CAB
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://arcade.icq.com/carlo/zuma/popcaploader_v5.cab
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Temp\SiSoftware Sandra Lite 2005\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Temp\SiSoftware Sandra Lite 2005\RpcSandraSrv.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
ComboFix 08-07-07.3 - uživatel 2008-07-09 18:19:14.6 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1250.1.1029.18.409 [GMT 2:00]
Running from: C:\Documents and Settings\uživatel\Plocha\ComboFix.exe
Command switches used :: C:\Documents and Settings\uživatel\Plocha\CFScript.txt
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
FILE ::
C:\WINDOWS\BM7f70a1df.xml
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Program Files\Web Technologies
C:\Program Files\Web Technologies\wcs.exe
C:\Program Files\Web Technologies\wcu.exe
C:\WINDOWS\BM7f70a1df.xml
.
((((((((((((((((((((((((( Files Created from 2008-06-09 to 2008-07-09 )))))))))))))))))))))))))))))))
.
2008-07-09 18:07 . 2008-07-09 18:08 <DIR> d-------- C:\Program Files\ICQ6
2008-07-09 16:44 . 2008-07-09 16:44 <DIR> d-------- C:\WINDOWS\LastGood
2008-07-09 11:12 . 2008-07-09 11:12 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-07-09 11:12 . 2008-07-09 11:12 1,409 --a------ C:\WINDOWS\QTFont.for
2008-07-05 19:03 . 2008-07-05 19:04 <DIR> d-------- C:\Documents and Settings\uživatel\Data aplikací\Miranda
2008-07-05 18:59 . 2008-07-05 18:59 <DIR> d-------- C:\Documents and Settings\uživatel\Data aplikací\ICQ Toolbar
2008-06-11 15:59 . 2008-06-14 20:00 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-08 15:51 96,256 ----a-w C:\WINDOWS\system32\drivers\sptd1725.sys
2008-06-22 14:59 --------- d-----w C:\Documents and Settings\uživatel\Data aplikací\Nokia Multimedia Player
2008-06-20 05:47 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-06-17 19:15 --------- d-----w C:\Documents and Settings\uživatel\Data aplikací\AdobeUM
2008-06-14 18:00 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-05 18:09 --------- d-----w C:\Program Files\AnMing
2008-05-07 05:16 1,290,240 ----a-w C:\WINDOWS\system32\quartz.dll
2008-05-04 15:25 691,545 ----a-w C:\WINDOWS\unins000.exe
2008-04-21 07:03 660,480 ----a-w C:\WINDOWS\system32\wininet.dll
2008-04-14 14:47 107,832 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
2004-10-01 13:00 40,960 ----a-w C:\Program Files\Uninstall_CDS.exe
2004-09-14 20:44 5,632 --sha-w C:\Program Files\Thumbs.db
2006-03-26 05:07 3,350 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.
((((((((((((((((((((((((((((( snapshot@2008-07-08_17.57.53.51 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-07-08 15:52:25 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-07-09 09:07:24 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2008-07-08 14:03:50 68,878 ----a-w C:\WINDOWS\system32\perfc005.dat
+ 2008-07-09 09:11:58 68,878 ----a-w C:\WINDOWS\system32\perfc005.dat
- 2008-07-08 14:03:50 18,238 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-07-09 09:11:58 18,238 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-07-08 14:03:50 352,314 ----a-w C:\WINDOWS\system32\perfh005.dat
+ 2008-07-09 09:11:58 352,314 ----a-w C:\WINDOWS\system32\perfh005.dat
- 2008-07-08 14:03:50 42,904 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-07-09 09:11:58 42,904 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-07-09 16:07:11 156,616 ----a-w C:\WINDOWS\TEMP\{465129FB-974E-4B3A-B946-28437BB9F0A5}\_Setup.dll
+ 2008-07-09 16:07:10 535,552 ----a-w C:\WINDOWS\TEMP\{465129FB-974E-4B3A-B946-28437BB9F0A5}\Disk1\ISSetup.dll
+ 2007-04-27 09:08:58 126,912 ------w C:\WINDOWS\TEMP\{967493D4-0B20-4CC0-A2C6-5D2DE7A3CD99}\{60DE4033-9503-48D1-A483-7846BD217CA9}\_IsRes.dll
+ 2008-03-09 14:08:34 147,456 ----a-w C:\WINDOWS\TEMP\{967493D4-0B20-4CC0-A2C6-5D2DE7A3CD99}\{60DE4033-9503-48D1-A483-7846BD217CA9}\_ISUser.dll
+ 2008-02-19 16:16:54 389,120 ----a-w C:\WINDOWS\TEMP\{967493D4-0B20-4CC0-A2C6-5D2DE7A3CD99}\{60DE4033-9503-48D1-A483-7846BD217CA9}\FlashPlayerControl.dll
+ 2007-04-27 09:10:44 222,144 ------w C:\WINDOWS\TEMP\{967493D4-0B20-4CC0-A2C6-5D2DE7A3CD99}\{60DE4033-9503-48D1-A483-7846BD217CA9}\isrt.dll
+ 2008-02-19 16:16:54 437,760 ----a-w C:\WINDOWS\TEMP\{967493D4-0B20-4CC0-A2C6-5D2DE7A3CD99}\{60DE4033-9503-48D1-A483-7846BD217CA9}\MoveIt.dll
+ 2007-12-19 13:17:44 78,848 ----a-w C:\WINDOWS\TEMP\{967493D4-0B20-4CC0-A2C6-5D2DE7A3CD99}\{60DE4033-9503-48D1-A483-7846BD217CA9}\MReport.dll
+ 2008-02-19 16:16:54 10,752 ----a-w C:\WINDOWS\TEMP\{967493D4-0B20-4CC0-A2C6-5D2DE7A3CD99}\{60DE4033-9503-48D1-A483-7846BD217CA9}\XPFwResolve.dll
- 2008-07-08 15:53:07 53,248 ----a-w C:\WINDOWS\TEMP\catchme.dll
+ 2008-07-09 16:21:54 53,248 ----a-w C:\WINDOWS\TEMP\catchme.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NBJ"="C:\Program Files\Ahead\Nero BackItUp\NBJ.exe" [2005-06-02 16:03 1957888]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2006-05-19 18:11 18577448]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\Wcescomm.exe" [2006-11-13 16:50 1289000]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45 313472]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-07-18 21:41 286720]
"mouseElf"="C:\PROGRA~1\GAMING~1\MouseElf.EXE" [2006-02-27 05:47 471166]
"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-09-28 14:16 185896]
"OpwareSE4"="C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe" [2006-10-11 13:45 75304]
"WrtMon.exe"="C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe" [2006-09-20 09:35 20480]
"ScanSoft OmniPage SE 4.0-reminder"="C:\Program Files\ScanSoft\OmniPageSE4.0\Ereg\Ereg.exe" [2006-09-26 16:38 1410600]
"PinnacleDriverCheck"="C:\WINDOWS\system32\\PSDrvCheck.exe" [2004-03-11 01:26 406016]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"ICQ Lite"="F:\TOM\ICQ\ICQLite\ICQLite.exe" [2006-07-11 12:06 3144800]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-17 15:49 15360]
"Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-11-07 18:35 1294336]
C:\Documents and Settings\Vlastnˇk\Nabˇdka Start\Programy\Po spuçtŘnˇ\
Reminder-cor40212.lnk - C:\WINDOWS\system32\magnify.exe [2004-08-30 15:43:14 72704]
C:\Documents and Settings\All Users\Nabˇdka Start\Programy\Po spuçtŘnˇ\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-10-24 13:23:08 113664]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoBandCustomize"= 0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoBandCustomize"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.fvfw"= ffvfw.dll
"msacm.avis"= ffvfw.dll
"msacm.WRPR"= aviwrap.dll
"msacm.l3radius"= l3codecp.acm
"msacm.divxa"= divxa32.acm
"vidc.3iv2"= 3ivxVfWCodec.dll
"SENTINEL"= snti386.dll
"vidc.yv12"= yv12vfw.dll
"vidc.i420"= vdrcodec.dll
"VIDC.MJPG"= Pvmjpg30.dll
"VIDC.PIM1"= pclepim1.dll
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\WINDOWS\\system32\\dpnsvr.exe"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"G:\\WOLF\\ET.exe"=
"F:\\TOM\\StrongDC.exe"=
"C:\\Program Files\\Common Files\\Nokia\\Service Layer\\A\\nsl_host_process.exe"=
"G:\\ARMA\\ArmA Demo\\ArmADemo.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"F:\\TOM\\ICQ\\ICQLite\\ICQLite.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
R0 BsStor;InCD Storage Helper Driver;C:\WINDOWS\system32\DRIVERS\bsstor.sys [2001-12-20 18:00]
R0 sfsync03;StarForce Protection Synchronization Driver (version 3.x);C:\WINDOWS\system32\drivers\sfsync03.sys [2005-12-06 17:11]
R1 Cinemsup;Cinemsup;C:\WINDOWS\System32\drivers\cinemsup.sys [2002-07-19 10:10]
R2 BsUDF;InCD UDF Driver;C:\WINDOWS\system32\drivers\BsUDF.sys [2002-02-08 12:16]
R3 genmcmn;Scroll Mouse Driver;C:\WINDOWS\system32\DRIVERS\gmfiltr.sys [2005-07-02 06:35]
R3 PSched;Plánovač paketů technologie QoS;C:\WINDOWS\system32\DRIVERS\psched.sys [2004-08-03 23:04]
S2 Parclass;Parclass;C:\WINDOWS\system32\Drivers\Parclass.sys []
S3 MA8630C;MA8630C;C:\WINDOWS\system32\DRIVERS\MA8630C.sys [2004-08-30 13:26]
S3 MA8630M;MA8630M;C:\WINDOWS\system32\DRIVERS\MA8630M.sys [2004-09-01 11:56]
S3 MA8630U;MA8630U;C:\WINDOWS\system32\DRIVERS\MA8630U.sys [2004-09-01 13:59]
S3 MaRdPnp;MaRdPnp;C:\WINDOWS\system32\DRIVERS\MaRdP2K.sys [2004-08-12 09:30]
*Newly Created Service* - CATCHME
*Newly Created Service* - NMSCFG
.
Contents of the 'Scheduled Tasks' folder
"2008-06-30 23:34:01 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
- - - - ORPHANS REMOVED - - - -
HKLM-Run-C:\WINDOWS\system32\kdvlf.exe - C:\WINDOWS\system32\kdvlf.exe
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-09 18:21:55
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-07-09 18:24:02
ComboFix-quarantined-files.txt 2008-07-09 16:23:36
ComboFix2.txt 2008-07-08 15:58:18
ComboFix3.txt 2008-05-08 18:08:26
ComboFix4.txt 2008-05-08 17:51:17
ComboFix5.txt 2008-05-08 17:15:29
Adresářů: 16, Volných bajtů: 6,381,649,920
Adresářů: 19, Volných bajtů: 6,648,770,560
166 --- E O F --- 2008-06-20 21:33:24
Logfile of HijackThis v1.99.1
Scan saved at 18:40:12, on 9.7.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtProc.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\System32\NMSSvc.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\WINDOWS\TEMP\Rar$EX00.860\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.seznam.cz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - F:\TOM\ICQ\ICQToolbar\toolbaru.dll
O2 - BHO: XTTBPos00 - {055FD26D-3A88-4e15-963D-DC8493744B1D} - F:\TOM\ICQ\ICQToolbar\toolbaru.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - (no file)
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - F:\TOM\ICQ\ICQToolbar\toolbaru.dll
O4 - HKLM\..\Run: [C:\WINDOWS\system32\kdvlf.exe] C:\WINDOWS\system32\kdvlf.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [mouseElf] C:\PROGRA~1\GAMING~1\MouseElf.EXE
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"
O4 - HKLM\..\Run: [WrtMon.exe] C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe
O4 - HKLM\..\Run: [ScanSoft OmniPage SE 4.0-reminder] "C:\Program Files\ScanSoft\OmniPageSE4.0\Ereg\Ereg.exe" -r "C:\Documents and Settings\All Users\Data aplikací\ScanSoft\OmniPageSE4.0\Ereg\ereg.ini"
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\\PSDrvCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [ICQ Lite] "F:\TOM\ICQ\ICQLite\ICQLite.exe" -minimize
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Vytvořit mobilní oblíbenou položku… - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - F:\TOM\ICQ\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - F:\TOM\ICQ\ICQLite\ICQLite.exe
O9 - Extra button: eBay - Homepage - {EF79EAC5-3452-4E02-B8BD-BA4C89F1AC7A} - C:\Program Files\IrfanView\Ebay\Ebay.htm
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/download/ ... leId=19588
O16 - DPF: {D5AE06F6-9883-4E06-9FE8-4114B16B20BF} (CatFSO2.UserControl1) - http://www.zelenahvezda.cz/katalog/CatFSO2.CAB
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://arcade.icq.com/carlo/zuma/popcaploader_v5.cab
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Temp\SiSoftware Sandra Lite 2005\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Temp\SiSoftware Sandra Lite 2005\RpcSandraSrv.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
-
fredik
- člen Security týmu
-
Master Level 7
- Příspěvky: 4680
- Registrován: červenec 06
- Pohlaví:
- Stav:
Offline
Re: Log z Combofix
Spusť znovu HijackThis a zaškrtni v něm okénka před řádky:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - (no file)
O4 - HKLM\..\Run: [C:\WINDOWS\system32\kdvlf.exe] C:\WINDOWS\system32\kdvlf.exe
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://arcade.icq.com/carlo/zuma/popcaploader_v5.cab
po zaškrtnutí klikni na tlačítko Fix Checked
Doporučil bych ti aktualizovat Javu:
- Stáhni si poslední verzi Java Runtime Environment (JRE) 6 Update 7
- Posuň se dolů kde je napsáno Java Runtime Environment (JRE) 6 Update 7 a klikni na tlačítko Download
- Načte se ti nová stránka
- Pod nadpisem Select Platform and Language for your download:
* u položky Platform: vyber OS který používáš
* zatrhni možnost kde je napsáno: I agree to the Java SE Runtime Environment 6 License Agreement
* klikni na tlačítko Continue >>
- Načte se ti nová stránka
- Klikni na odkaz pro stažení pod položkou: Windows Offline Installation
a ulož si ho na disk
- Ukonči běžící programy které máš spuštěné, hlavě webový prohlížeč
- Jdi přes Start -> Ovládací panely -> Přidat nebo odebrat programy a odinstaluj všechny staré verze Javy
- Podívej se po položkách s názvem Java Runtime Environment (JRE or J2SE)
* příklady starých verzí v Přidat nebo odebrat programy:
- Odinstaluj postupně po sobě případné všechny staré verze Javy
- Po skončení odinstalovaní restartuj Pc.
- Pak už jen spusť instalaci poslední verze ze souboru jre-6u7-windows-i586-p.exe, který sis stáhl na začátku
Používáš ještě Avast, protože ti neběží/nefunguje celý?
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - (no file)
O4 - HKLM\..\Run: [C:\WINDOWS\system32\kdvlf.exe] C:\WINDOWS\system32\kdvlf.exe
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://arcade.icq.com/carlo/zuma/popcaploader_v5.cab
po zaškrtnutí klikni na tlačítko Fix Checked
Doporučil bych ti aktualizovat Javu:
- Stáhni si poslední verzi Java Runtime Environment (JRE) 6 Update 7
- Posuň se dolů kde je napsáno Java Runtime Environment (JRE) 6 Update 7 a klikni na tlačítko Download
- Načte se ti nová stránka
- Pod nadpisem Select Platform and Language for your download:
* u položky Platform: vyber OS který používáš
* zatrhni možnost kde je napsáno: I agree to the Java SE Runtime Environment 6 License Agreement
* klikni na tlačítko Continue >>
- Načte se ti nová stránka
- Klikni na odkaz pro stažení pod položkou: Windows Offline Installation
a ulož si ho na disk
- Ukonči běžící programy které máš spuštěné, hlavě webový prohlížeč
- Jdi přes Start -> Ovládací panely -> Přidat nebo odebrat programy a odinstaluj všechny staré verze Javy
- Podívej se po položkách s názvem Java Runtime Environment (JRE or J2SE)
* příklady starých verzí v Přidat nebo odebrat programy:
- J2SE Runtime Environment 5.0
J2SE Runtime Environment 5.0 Update 8
Java 2 Runtime Environment, SE v1.4.2
- Odinstaluj postupně po sobě případné všechny staré verze Javy
- Po skončení odinstalovaní restartuj Pc.
- Pak už jen spusť instalaci poslední verze ze souboru jre-6u7-windows-i586-p.exe, který sis stáhl na začátku
Používáš ještě Avast, protože ti neběží/nefunguje celý?
It may take a while to get a response, because the "HJT Team" are very busy. Please, be patient, these people are volunteers. They will help you out, as soon as possible.
Pokud máte nějaký problém, tak mi neposílejte SZ/PM zprávy s logy a dejte je do fóra. Na tyto SZ není možno odpovědět
Pokud máte nějaký problém, tak mi neposílejte SZ/PM zprávy s logy a dejte je do fóra. Na tyto SZ není možno odpovědět
Kdo je online
Uživatelé prohlížející si toto fórum: Google [Bot] a 79 hostů