Malwarebytes' Anti-Malware 1.29
Verze databáze: 1298
Windows 5.1.2600 Service Pack 3
10/21/2008 10:52:27 PM
mbam-log-2008-10-21 (22-52-27).txt
Typ skenu: Rychlý sken
Objektu skenováno: 53281
Uplynulý cas: 7 minute(s), 56 second(s)
Infikované procesy pameti: 0
Infikované pametové moduly: 0
Infikované klíce registru: 0
Infikované hodnoty registru: 0
Infikované položky dat registru: 0
Infikované složky: 0
Infikované soubory: 12
Infikované procesy pameti:
(Žádné zákerné položky nebyly zjišteny)
Infikované pametové moduly:
(Žádné zákerné položky nebyly zjišteny)
Infikované klíce registru:
(Žádné zákerné položky nebyly zjišteny)
Infikované hodnoty registru:
(Žádné zákerné položky nebyly zjišteny)
Infikované položky dat registru:
(Žádné zákerné položky nebyly zjišteny)
Infikované složky:
(Žádné zákerné položky nebyly zjišteny)
Infikované soubory:
C:\WINDOWS\system32\winupd.exe (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\winsys.exe (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\skybot.exe (Backdoor.Bot) -> Delete on reboot.
C:\csrss.exe (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\0.exe (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\msa64chk.dll (Trojan.Perfiler) -> Delete on reboot.
C:\WINDOWS\system32\filekiller.dll (Rogue.Multiple) -> Delete on reboot.
C:\WINDOWS\system32\draw32.dll (Rootkit.Haxdor) -> Delete on reboot.
C:\WINDOWS\system32\cm.dll (Rootkit.Haxdor) -> Delete on reboot.
C:\WINDOWS\system32\vdnt32.sys (Rootkit.Haxdor) -> Delete on reboot.
C:\WINDOWS\system32\memlow.sys (Rootkit.Haxdor) -> Delete on reboot.
C:\WINDOWS\system32\hm.sys (Rootkit.Haxdor) -> Delete on reboot.
Malwarebytes Anti-Malware v 1.29 [Solved]
jaro3 (Security team member, Guru Level 15, 43293 posts, registered June 07, location: South Bohemia)
Re: Malwarebytes Anti-Malware v 1.29
That MBAM is definitely broken or infected:
If you have a problem with MBAM, uninstall it and clean the registry. Delete this:
C:\Documents and Settings\Jméno\Data aplikací\Malwarebytes
Then delete the downloaded Malwarebytes installer as well. Download the whole thing again from this page and it should work:
http://www.besttechie.net/tools/mbam-setup.exe
When working with HJT, ComboFix, MBAM, SDFix etc., close all other applications and browsers!
Do not send logs by private message. During my absence, memphisto, Žbeky and Orcus stand in for me.
If you are satisfied, you can support our forum: Forum support
Re: Malwarebytes Anti-Malware v 1.29
Unfortunately, the problem is not in Malwarebytes Anti-Malware. After all the steps the situation is the same as at the beginning.
To recap:
The program identifies 13 infected programs, but only in its last phase... heuristic scanning.
In safe mode it does not identify any infected program. The program does not clean up its findings and reports that it will do so after a restart. But even after the restart it does not remove the findings. No other antivirus or antimalware program identifies these findings.
I give up, I'm going to stop using this program.
Thanks to the colleague from South Bohemia for the effort.
jaro3 (Security team member)
Re: Malwarebytes Anti-Malware v 1.29
You're welcome; I really don't know what could be wrong with it. If the computer is otherwise OK, all I can suggest is turning off System Restore, restarting, and then turning it back on again; maybe it's detecting it in System Volume...
Re: Malwarebytes Anti-Malware v 1.29
I have System Restore turned off. I now use only Acronis.
Re: Malwarebytes Anti-Malware v 1.29
So now it's Malwarebytes Anti-Malware v 1.30, and the log:
Malwarebytes' Anti-Malware 1.30
Verze databáze: 1324
Windows 5.1.2600 Service Pack 3
10/26/2008 9:06:53 PM
mbam-log-2008-10-26 (21-06-53).txt
Typ skenu: Rychlý sken
Objektu skenováno: 54389
Uplynulý cas: 6 minute(s), 48 second(s)
Infikované procesy pameti: 0
Infikované pametové moduly: 0
Infikované klíce registru: 0
Infikované hodnoty registru: 0
Infikované položky dat registru: 0
Infikované složky: 0
Infikované soubory: 13
Infikované procesy pameti:
(Žádné zákerné položky nebyly zjišteny)
Infikované pametové moduly:
(Žádné zákerné položky nebyly zjišteny)
Infikované klíce registru:
(Žádné zákerné položky nebyly zjišteny)
Infikované hodnoty registru:
(Žádné zákerné položky nebyly zjišteny)
Infikované položky dat registru:
(Žádné zákerné položky nebyly zjišteny)
Infikované složky:
(Žádné zákerné položky nebyly zjišteny)
Infikované soubory:
C:\WINDOWS\system32\winupd.exe (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\winsys.exe (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\skybot.exe (Backdoor.Bot) -> Delete on reboot.
C:\csrss.exe (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\0.exe (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\msa64chk.dll (Trojan.Perfiler) -> Delete on reboot.
C:\WINDOWS\system32\filekiller.dll (Rogue.Multiple) -> Delete on reboot.
C:\WINDOWS\system32\draw32.dll (Rootkit.Haxdor) -> Delete on reboot.
C:\WINDOWS\system32\cm.dll (Rootkit.Haxdor) -> Delete on reboot.
C:\WINDOWS\system32\vdnt32.sys (Rootkit.Haxdor) -> Delete on reboot.
C:\WINDOWS\system32\memlow.sys (Rootkit.Haxdor) -> Delete on reboot.
C:\WINDOWS\system32\hm.sys (Rootkit.Haxdor) -> Delete on reboot.
C:\WINDOWS\system32\wd.sys (Rootkit.Haxdor) -> Delete on reboot.
jaro3 (Security team member)
Re: Malwarebytes Anti-Malware v 1.29
And is it actually deleted? Before it showed 12 infections, now 13..
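The question above (12 detections in the first scan, 13 in the second, every one marked "Delete on reboot") can be answered mechanically from the two logs; the following added example, which is not part of the thread or of Malwarebytes itself, parses the MBAM 1.x log layout posted above, diffs the two scans and lists the entries one scan scheduled for deletion on reboot that the next scan still reports. The two log fragments are constructed from the posted entries and trimmed to a few paths.

```python
"""Parse Malwarebytes' Anti-Malware 1.x text logs and compare two scans."""
import re
from dataclasses import dataclass, field

# Constructed fragments in the layout of the MBAM 1.29 / 1.30 logs posted in the
# thread (Czech section labels, "path (Family) -> action." lines), trimmed to a few paths.
LOG_OLD = r"""Malwarebytes' Anti-Malware 1.29
Verze databáze: 1298
Infikované složky: 0
Infikované soubory: 3
Infikované složky:
(Žádné zákerné položky nebyly zjišteny)
Infikované soubory:
C:\WINDOWS\system32\winupd.exe (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\skybot.exe (Backdoor.Bot) -> Delete on reboot.
C:\WINDOWS\system32\hm.sys (Rootkit.Haxdor) -> Delete on reboot.
"""
LOG_NEW = r"""Malwarebytes' Anti-Malware 1.30
Verze databáze: 1324
Infikované složky: 0
Infikované soubory: 4
Infikované složky:
(Žádné zákerné položky nebyly zjišteny)
Infikované soubory:
C:\WINDOWS\system32\winupd.exe (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\skybot.exe (Backdoor.Bot) -> Delete on reboot.
C:\WINDOWS\system32\hm.sys (Rootkit.Haxdor) -> Delete on reboot.
C:\WINDOWS\system32\wd.sys (Rootkit.Haxdor) -> Delete on reboot.
"""

DETECTION_RE = re.compile(r"^(?P<path>.+?) \((?P<family>[^()]+)\) -> (?P<action>[^.]+)\.?$")
COUNT_RE = re.compile(r"^(?P<label>[^:]+): (?P<count>\d+)$")  # summary line "label: N"
SECTION_RE = re.compile(r"^(?P<label>[^:]+):$")                # detail section header


@dataclass(frozen=True)
class Detection:
    section: str
    path: str
    family: str
    action: str


@dataclass
class ScanLog:
    product: str = ""                               # "Malwarebytes' Anti-Malware 1.29"
    counts: dict = field(default_factory=dict)      # summary counts per label
    sections: list = field(default_factory=list)    # detail sections, in order
    detections: list = field(default_factory=list)


def parse_mbam_log(text: str) -> ScanLog:
    log, section = ScanLog(), None
    for raw in text.splitlines():
        line = raw.strip()
        m = DETECTION_RE.match(line)
        if m and section is not None:
            log.detections.append(Detection(section, m["path"], m["family"], m["action"].strip()))
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m["label"]
            log.sections.append(section)
            continue
        m = COUNT_RE.match(line)
        if m:
            log.counts[m["label"]] = int(m["count"])
        elif line.startswith("Malwarebytes"):
            log.product = line
    return log


def count_mismatches(log: ScanLog) -> dict:
    """Sections whose summary count disagrees with the entries actually listed,
    i.e. the log was truncated or edited before it was posted."""
    actual = {}
    for d in log.detections:
        actual[d.section] = actual.get(d.section, 0) + 1
    out = {}
    for label in log.sections:
        reported = log.counts.get(label)
        if reported is not None and reported != actual.get(label, 0):
            out[label] = (reported, actual.get(label, 0))
    return out


def compare_scans(old: ScanLog, new: ScanLog):
    """Return (added, removed, persisting) as sorted lists of (section, path)."""
    old_keys = {(d.section, d.path) for d in old.detections}
    new_keys = {(d.section, d.path) for d in new.detections}
    return sorted(new_keys - old_keys), sorted(old_keys - new_keys), sorted(old_keys & new_keys)


def failed_reboot_deletions(old: ScanLog, new: ScanLog) -> list:
    """Paths the earlier scan queued as 'Delete on reboot' that the later scan
    still reports: the scheduled removal did not take effect."""
    still_present = {d.path.lower() for d in new.detections}
    return sorted(d.path for d in old.detections
                  if d.action.lower() == "delete on reboot" and d.path.lower() in still_present)
```

Run against the two full logs in the thread, every entry of the 1.29 scan comes back from `failed_reboot_deletions`, which is exactly the symptom being discussed.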
Re: Malwarebytes Anti-Malware v 1.29
No, it doesn't delete them, even though it's now not the free version that's there.... same as with v 1.29. Shouldn't I just kick those flagged programs out of the PC by force? Isn't there a risk that I won't be able to restore the system even from Acronis?
Re: Malwarebytes Anti-Malware v 1.29
And e.g. under C://windows/system32/ winupd.exe there is a folder containing a text file with this content:
This folder is created by Malware Immunizer. Please DO NOT remove it!
Note: If this folder is opened automatically, it means that your system may be infected with an unknown malware.
You may wish to find out more about this malware by visiting http://www.google.com/search?hl=en&q=winupd.exe
You should perform a full scan for malware immediately!
jaro3 (Security team member)
Re: Malwarebytes Anti-Malware v 1.29
I know it's a trojan:
http://www.greatis.com/appdata/d/w/winupd.exe.htm
But ComboFix should be able to deal with it. Yet it isn't in any of the three logs at all...
Try this as well:
Download SDFix
- Run it and it will extract itself to the drive where Windows is installed (typically C:\SDfix)
- Then restart the PC into Safe Mode (choose the option: Safe Mode, not Safe Mode with Networking)
- Open the folder where SDFix was extracted and run the file RunThis.bat; that starts the program.
* Then press the Y key and then Enter to start the cleaning process.
* To complete the check you will be prompted to press any key, and the computer will restart.
* While the operating system is starting up, the program will run again and finish the cleaning process. When Finish appears, you will have to press any key when prompted; that closes the program and the icons on your desktop will appear.
- When the desktop icons have finished loading, the SDFix log will open on your screen and will also be saved in the folder where SDFix was extracted, as the file Report.txt
Then copy its contents here + a new HJT log + check whether any icons are missing under Start, whether your drives show up under My Computer....
P.S. don't you have somewhere: C:\pagefile.sys ?
Re: Malwarebytes Anti-Malware v 1.29
Report.txt:
SDFix: Version 1.238
Run by pistabaci on ut 10/28/2008 at 01:41 PM
Microsoft Windows XP [Verze 5.1.2600]
Running From: C:\SDFix
Checking Services :
Restoring Default Security Values
Restoring Default Hosts File
Rebooting
Checking Files :
Trojan Files Found:
C:\Documents and Settings\pistabaci\Dokumenty\Hudba\My Music.url - Deleted
C:\Documents and Settings\pistabaci\Dokumenty\Filmy\My Video.url - Deleted
C:\hellmsn.exe - Deleted
Could Not Remove C:\WINDOWS\system32\Fuck.exe
Could Not Remove C:\WINDOWS\system32\msclt.exe
Could Not Remove C:\WINDOWS\system32\mstc.exe
Could Not Remove C:\WINDOWS\system32\msupdate.exe
Could Not Remove C:\WINDOWS\system32\mswins.exe
Could Not Remove C:\WINDOWS\system32\scrigz.exe
Could Not Remove C:\WINDOWS\system32\se.exe
Could Not Remove C:\WINDOWS\system32\update.exe
Could Not Remove C:\WINDOWS\system32\windowz.exe
Removing Temp Files
ADS Check :
Final Check :
catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-28 13:57:06
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden services & system hive ...
scanning hidden registry entries ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0
Remaining Services :
Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:uTorrent"
"C:\\Program Files\\IEPro\\MiniDM.exe"="C:\\Program Files\\IEPro\\MiniDM.exe:*:Enabled:MiniDM"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\MGrab\\MGrab.exe"="C:\\Program Files\\MGrab\\MGrab.exe:*:Enabled:MGrab"
"C:\\Documents and Settings\\pistabaci\\Plocha\\DCC-Sony\\DCC.exe"="C:\\Documents and Settings\\pistabaci\\Plocha\\DCC-Sony\\DCC.exe:*:Enabled:Dreambox Control Center"
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Opera\\opera.exe"="C:\\Program Files\\Opera\\opera.exe:*:Disabled:Opera Internet Browser"
"C:\\Program Files\\ICQ6\\ICQ.exe"="C:\\Program Files\\ICQ6\\ICQ.exe:*:Enabled:ICQ6"
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE:*:Enabled:Microsoft Office Groove"
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote"
"C:\\Program Files\\KODAK\\Kodak EasyShare software\\bin\\EasyShare.exe"="C:\\Program Files\\KODAK\\Kodak EasyShare software\\bin\\EasyShare.exe:*:Enabled:EasyShare"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"
"C:\\Program Files\\FlashFXP\\FlashFXP.exe"="C:\\Program Files\\FlashFXP\\FlashFXP.exe:*:Enabled:FlashFXP v3"
"C:\\Documents and Settings\\pistabaci\\Plocha\\Skype.exe"="C:\\Documents and Settings\\pistabaci\\Plocha\\Skype.exe:*:Enabled:Skype"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\PROGRA~1\\COMMON~1\\MICROW~1\\Agent\\MWAGENT.EXE"="C:\\PROGRA~1\\COMMON~1\\MICROW~1\\Agent\\MWAGENT.EXE:*:Enabled:MicroWorld Management Agent"
"C:\\Program Files\\FlashFXP\\FlashFXP.exe"="C:\\Program Files\\FlashFXP\\FlashFXP.exe:*:Enabled:FlashFXP v3"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
Remaining Files :
C:\WINDOWS\system32\Fuck.exe Found
C:\WINDOWS\system32\msclt.exe Found
C:\WINDOWS\system32\mstc.exe Found
C:\WINDOWS\system32\msupdate.exe Found
C:\WINDOWS\system32\mswins.exe Found
C:\WINDOWS\system32\scrigz.exe Found
C:\WINDOWS\system32\se.exe Found
C:\WINDOWS\system32\update.exe Found
C:\WINDOWS\system32\windowz.exe Found
File Backups: - C:\SDFix\backups\backups.zip
Files with Hidden Attributes :
Mon 14 Apr 2008 1,695,232 A.SH. --- "C:\Program Files\Messenger\msmsgs.exe"
Mon 14 Apr 2008 60,416 A.SH. --- "C:\Program Files\Outlook Express\msimn.exe"
Mon 14 Apr 2008 60,416 A.SH. --- "C:\WINDOWS\ServicePackFiles\i386\msimn.exe"
Fri 28 Jan 2005 73,728 A.SH. --- "C:\WINDOWS\RegisteredPackages\{DD90D410-1823-43EB-9A16-A2331BF08799}$BACKUP$\System\wmplayer.exe"
Mon 28 Jan 2008 165,232 A..H. --- "C:\Documents and Settings\pistabaci\Data aplikací\Microsoft\Virtual PC\VPCKeyboard.dll"
Finished!
And HJT:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:03:01 PM, on 10/28/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\COMODO\Firewall\cmdagent.exe
C:\Program Files\ICQ6Toolbar\ICQ Service.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
C:\Program Files\NetLimiter 2 Pro\nlsvc.exe
C:\windows\system32\oodag.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\COMODO\Firewall\cfp.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = socks=
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: ICQToolBar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQ6Toolbar\ICQToolBar.dll
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: IE7Pro BHO - {00011268-E188-40DF-A514-835FCD78B1BF} - C:\Program Files\IEPro\iepro.dll
O2 - BHO: Adobe PDF Link Helper - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - C:\PROGRA~1\Crawler\ctbr.dll
O2 - BHO: WebTransBHO Class - {2DB66063-BB98-466A-AA0D-3E7ACF5ED853} - C:\TRANSLAT\WEBIE.DLL
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: InlineSearchHandleHotKeys Class - {B6FFE2AE-4D12-451F-B457-FE6125FFB1CF} - C:\Program Files\IEForge\Inline Search\InlineSearch.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O2 - BHO: JQSIEStartDetectorImpl Class - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: WebTranslator - {BFC32E1D-EE75-4A48-BC60-104E11EE2431} - C:\TRANSLAT\WEBIE.DLL
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Crawler Toolbar - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - C:\PROGRA~1\Crawler\ctbr.dll
O3 - Toolbar: ICQToolBar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQ6Toolbar\ICQToolBar.dll
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Crawler Search - tbr:iemenu
O9 - Extra button: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IEPro\iepro.dll
O9 - Extra 'Tools' menuitem: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IEPro\iepro.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Odeslat do aplikace OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\Microsoft Office\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: Od&eslat do aplikace OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\Microsoft Office\Office12\ONBttnIE.dll
O9 - Extra button: WebTran - {7E6A20FB-153F-402c-A84B-1A64E1955D3D} - C:\TRANSLAT\WEBIE.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\Microsoft Office\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {CC963627-B1DC-40E0-B52A-CF21EE748450} - C:\TRANSLAT\WEBIE.DLL
O9 - Extra 'Tools' menuitem: &Nastavit překladač - {CC963627-B1DC-40E0-B52A-CF21EE748450} - C:\TRANSLAT\WEBIE.DLL
O9 - Extra button: (no name) - {CC963627-B1DC-40E0-B52A-CF21EE748451} - C:\TRANSLAT\WEBIE.DLL
O9 - Extra 'Tools' menuitem: Přeložit &označený text - {CC963627-B1DC-40E0-B52A-CF21EE748451} - C:\TRANSLAT\WEBIE.DLL
O9 - Extra button: (no name) - {CC963627-B1DC-40E0-B52A-CF21EE748452} - C:\TRANSLAT\WEBIE.DLL
O9 - Extra 'Tools' menuitem: Přeložit &stránku - {CC963627-B1DC-40E0-B52A-CF21EE748452} - C:\TRANSLAT\WEBIE.DLL
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\Skype4COM.dll
O18 - Protocol: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - C:\PROGRA~1\Crawler\ctbr.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\Firewall\cmdagent.exe
O23 - Service: ICQ Service - Unknown owner - C:\Program Files\ICQ6Toolbar\ICQ Service.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: Nero BackItUp Scheduler 4.0 - Nero AG - C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
O23 - Service: NetLimiter (nlsvc) - Locktime Software - C:\Program Files\NetLimiter 2 Pro\nlsvc.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\windows\system32\oodag.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: Acronis Try And Decide Service (TryAndDecideService) - Unknown owner - C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe
--
End of file - 10132 bytes
Under C: the drives open and I did not notice any icon disappearing. It must be said, though, that I physically destroyed the flagged files regardless of the consequences... and a new Malwarebytes scan came up empty.
SDFix: Version 1.238
Run by pistabaci on ut 10/28/2008 at 01:41 PM
Microsoft Windows XP [Verze 5.1.2600]
Running From: C:\SDFix
Checking Services :
Restoring Default Security Values
Restoring Default Hosts File
Rebooting
Checking Files :
Trojan Files Found:
C:\Documents and Settings\pistabaci\Dokumenty\Hudba\My Music.url - Deleted
C:\Documents and Settings\pistabaci\Dokumenty\Filmy\My Video.url - Deleted
C:\hellmsn.exe - Deleted
Could Not Remove C:\WINDOWS\system32\Fuck.exe
Could Not Remove C:\WINDOWS\system32\msclt.exe
Could Not Remove C:\WINDOWS\system32\mstc.exe
Could Not Remove C:\WINDOWS\system32\msupdate.exe
Could Not Remove C:\WINDOWS\system32\mswins.exe
Could Not Remove C:\WINDOWS\system32\scrigz.exe
Could Not Remove C:\WINDOWS\system32\se.exe
Could Not Remove C:\WINDOWS\system32\update.exe
Could Not Remove C:\WINDOWS\system32\windowz.exe
Removing Temp Files
ADS Check :
Final Check :
catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-28 13:57:06
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden services & system hive ...
scanning hidden registry entries ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0
Remaining Services :
Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:uTorrent"
"C:\\Program Files\\IEPro\\MiniDM.exe"="C:\\Program Files\\IEPro\\MiniDM.exe:*:Enabled:MiniDM"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\MGrab\\MGrab.exe"="C:\\Program Files\\MGrab\\MGrab.exe:*:Enabled:MGrab"
"C:\\Documents and Settings\\pistabaci\\Plocha\\DCC-Sony\\DCC.exe"="C:\\Documents and Settings\\pistabaci\\Plocha\\DCC-Sony\\DCC.exe:*:Enabled:Dreambox Control Center"
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Opera\\opera.exe"="C:\\Program Files\\Opera\\opera.exe:*:Disabled:Opera Internet Browser"
"C:\\Program Files\\ICQ6\\ICQ.exe"="C:\\Program Files\\ICQ6\\ICQ.exe:*:Enabled:ICQ6"
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE:*:Enabled:Microsoft Office Groove"
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote"
"C:\\Program Files\\KODAK\\Kodak EasyShare software\\bin\\EasyShare.exe"="C:\\Program Files\\KODAK\\Kodak EasyShare software\\bin\\EasyShare.exe:*:Enabled:EasyShare"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"
"C:\\Program Files\\FlashFXP\\FlashFXP.exe"="C:\\Program Files\\FlashFXP\\FlashFXP.exe:*:Enabled:FlashFXP v3"
"C:\\Documents and Settings\\pistabaci\\Plocha\\Skype.exe"="C:\\Documents and Settings\\pistabaci\\Plocha\\Skype.exe:*:Enabled:Skype"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\PROGRA~1\\COMMON~1\\MICROW~1\\Agent\\MWAGENT.EXE"="C:\\PROGRA~1\\COMMON~1\\MICROW~1\\Agent\\MWAGENT.EXE:*:Enabled:MicroWorld Management Agent"
"C:\\Program Files\\FlashFXP\\FlashFXP.exe"="C:\\Program Files\\FlashFXP\\FlashFXP.exe:*:Enabled:FlashFXP v3"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
Remaining Files :
C:\WINDOWS\system32\Fuck.exe Found
C:\WINDOWS\system32\msclt.exe Found
C:\WINDOWS\system32\mstc.exe Found
C:\WINDOWS\system32\msupdate.exe Found
C:\WINDOWS\system32\mswins.exe Found
C:\WINDOWS\system32\scrigz.exe Found
C:\WINDOWS\system32\se.exe Found
C:\WINDOWS\system32\update.exe Found
C:\WINDOWS\system32\windowz.exe Found
File Backups: - C:\SDFix\backups\backups.zip
Files with Hidden Attributes :
Mon 14 Apr 2008 1,695,232 A.SH. --- "C:\Program Files\Messenger\msmsgs.exe"
Mon 14 Apr 2008 60,416 A.SH. --- "C:\Program Files\Outlook Express\msimn.exe"
Mon 14 Apr 2008 60,416 A.SH. --- "C:\WINDOWS\ServicePackFiles\i386\msimn.exe"
Fri 28 Jan 2005 73,728 A.SH. --- "C:\WINDOWS\RegisteredPackages\{DD90D410-1823-43EB-9A16-A2331BF08799}$BACKUP$\System\wmplayer.exe"
Mon 28 Jan 2008 165,232 A..H. --- "C:\Documents and Settings\pistabaci\Data aplikací\Microsoft\Virtual PC\VPCKeyboard.dll"
Finished!
and HJT:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:03:01 PM, on 10/28/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\COMODO\Firewall\cmdagent.exe
C:\Program Files\ICQ6Toolbar\ICQ Service.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
C:\Program Files\NetLimiter 2 Pro\nlsvc.exe
C:\windows\system32\oodag.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\COMODO\Firewall\cfp.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = socks=
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: ICQToolBar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQ6Toolbar\ICQToolBar.dll
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: IE7Pro BHO - {00011268-E188-40DF-A514-835FCD78B1BF} - C:\Program Files\IEPro\iepro.dll
O2 - BHO: Adobe PDF Link Helper - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - C:\PROGRA~1\Crawler\ctbr.dll
O2 - BHO: WebTransBHO Class - {2DB66063-BB98-466A-AA0D-3E7ACF5ED853} - C:\TRANSLAT\WEBIE.DLL
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: InlineSearchHandleHotKeys Class - {B6FFE2AE-4D12-451F-B457-FE6125FFB1CF} - C:\Program Files\IEForge\Inline Search\InlineSearch.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O2 - BHO: JQSIEStartDetectorImpl Class - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: WebTranslator - {BFC32E1D-EE75-4A48-BC60-104E11EE2431} - C:\TRANSLAT\WEBIE.DLL
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Crawler Toolbar - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - C:\PROGRA~1\Crawler\ctbr.dll
O3 - Toolbar: ICQToolBar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQ6Toolbar\ICQToolBar.dll
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Crawler Search - tbr:iemenu
O9 - Extra button: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IEPro\iepro.dll
O9 - Extra 'Tools' menuitem: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IEPro\iepro.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Odeslat do aplikace OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\Microsoft Office\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: Od&eslat do aplikace OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\Microsoft Office\Office12\ONBttnIE.dll
O9 - Extra button: WebTran - {7E6A20FB-153F-402c-A84B-1A64E1955D3D} - C:\TRANSLAT\WEBIE.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\Microsoft Office\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {CC963627-B1DC-40E0-B52A-CF21EE748450} - C:\TRANSLAT\WEBIE.DLL
O9 - Extra 'Tools' menuitem: &Nastavit překladač - {CC963627-B1DC-40E0-B52A-CF21EE748450} - C:\TRANSLAT\WEBIE.DLL
O9 - Extra button: (no name) - {CC963627-B1DC-40E0-B52A-CF21EE748451} - C:\TRANSLAT\WEBIE.DLL
O9 - Extra 'Tools' menuitem: Přeložit &označený text - {CC963627-B1DC-40E0-B52A-CF21EE748451} - C:\TRANSLAT\WEBIE.DLL
O9 - Extra button: (no name) - {CC963627-B1DC-40E0-B52A-CF21EE748452} - C:\TRANSLAT\WEBIE.DLL
O9 - Extra 'Tools' menuitem: Přeložit &stránku - {CC963627-B1DC-40E0-B52A-CF21EE748452} - C:\TRANSLAT\WEBIE.DLL
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\Skype4COM.dll
O18 - Protocol: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - C:\PROGRA~1\Crawler\ctbr.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\Firewall\cmdagent.exe
O23 - Service: ICQ Service - Unknown owner - C:\Program Files\ICQ6Toolbar\ICQ Service.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: Nero BackItUp Scheduler 4.0 - Nero AG - C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
O23 - Service: NetLimiter (nlsvc) - Locktime Software - C:\Program Files\NetLimiter 2 Pro\nlsvc.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\windows\system32\oodag.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: Acronis Try And Decide Service (TryAndDecideService) - Unknown owner - C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe
--
End of file - 10132 bytes
jaro3 (Security team member, Guru Level 15)
Re: Malwarebytes Anti-Malware v 1.29
Find and delete: C:\SDFix
In my opinion something malicious has infiltrated there again. Weren't you on some suspicious websites?
So you deleted it manually? Was everything there the same as in the MbAM findings?
ComboFix is uninstalled like this:
Start - Run and enter ComboFix[space]/u
So if there are no problems, clean the system with CCleaner
and also use T-Cleaner
It deletes everything left behind by ComboFix, SDFix, Avenger, MWAV etc. (download it, then run it)
Update Java:
Java SE Runtime Environment 6u10
Select the OS (I assume Windows), tick agree, continue
Select:
Windows Offline Installation
jre-6u10-windows-i586-p.exe
Remove the other Java versions in Add/Remove Programs.
You have sufficient protection; I don't know why the system keeps getting infected.
EDIT
Fix in HJT:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
When working with HJT, ComboFix, MbAM, SDFix and similar programs, close all other applications and browsers!
Do not send logs by private message. During my absence, memphisto, Žbeky and Orcus stand in for me.
If you are satisfied, you can support our forum: Forum support