Prosím kontrolu logu

[jaro3]

Můžeš manuálně smazat:
C:\!KillBox

Ještě jeden script v CF, zase něco vylezlo:

Kód: Vybrat vše

Folder::
C:\FOUND.017
C:\FOUND.013


Pak zase log z CF.

[Reklama]

[Nuny]

ComboFix 08-10-28.01 - Jan_2 2008-10-30 19:31:58.6 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.2.1250.1.1029.18.664 [GMT 1:00]
Spuštěný z: C:\Documents and Settings\Jan_2\Plocha\ComboFix.exe
Použité ovládací přepínače :: C:\Documents and Settings\Jan_2\Plocha\CFScript.txt
* Vytvořen nový Bod Obnovení

VAROVÁNÍ - NA TOMTO POČÍTAČI NENÍ NAINSTALOVÁNA KONZOLA PRO ZOTAVENÍ !!
.

((((((((((((((((((((((((((((((((((((((( Ostatní výmazy )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\FOUND.013
C:\FOUND.013\FILE0000.CHK
C:\FOUND.013\FILE0001.CHK
C:\FOUND.013\FILE0002.CHK
C:\FOUND.013\FILE0003.CHK
C:\FOUND.013\FILE0004.CHK
C:\FOUND.013\FILE0005.CHK
C:\FOUND.013\FILE0006.CHK
C:\FOUND.013\FILE0007.CHK
C:\FOUND.013\FILE0008.CHK
C:\FOUND.013\FILE0009.CHK
C:\FOUND.013\FILE0010.CHK
C:\FOUND.013\FILE0011.CHK
C:\FOUND.017
C:\FOUND.017\FILE0000.CHK
C:\FOUND.017\FILE0001.CHK

.
((((((((((((((((((((((((( Soubory vytvořené od 2008-09-28 do 2008-10-30 )))))))))))))))))))))))))))))))
.

2065-05-22 19:17 . 1998-05-07 10:57 143,872 --a------ C:\WINDOWS.0\system32\iacenc.dll
2065-05-22 19:17 . 2065-05-22 19:17 56,832 --------- C:\WINDOWS.0\system32\iyvu9_32.dll
2008-12-05 19:09 . 2008-12-05 19:09 <DIR> d-------- C:\Program Files\JoWooD Productions Software AG
2008-12-04 10:13 . 2008-12-04 10:23 43,520 --a------ C:\WINDOWS.0\system32\CmdLineExt03.dll
2008-10-30 19:25 . 2008-10-30 19:25 247,162 --a------ C:\Documents and Settings\Iulia AD-1874.Civ4SavedGame
2008-10-29 10:43 . 2008-10-29 10:43 234,132 --a------ C:\Documents and Settings\Iulia AD-1725.Civ4SavedGame
2008-10-29 03:00 . 2008-10-29 03:02 1,393 --a------ C:\WINDOWS.0\imsins.BAK
2008-10-28 21:30 . 2008-10-28 21:30 <DIR> d-------- C:\WINDOWS.0\system32\CatRoot_bak
2008-10-28 19:37 . 2008-10-28 19:37 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-10-28 19:37 . 2008-10-28 19:37 <DIR> d-------- C:\Documents and Settings\Jan_2\Data aplikací\Malwarebytes
2008-10-28 19:37 . 2008-10-28 19:37 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS.0\Data aplikací\Malwarebytes
2008-10-28 19:37 . 2008-10-22 16:10 38,496 --a------ C:\WINDOWS.0\system32\drivers\mbamswissarmy.sys
2008-10-28 19:37 . 2008-10-22 16:10 15,504 --a------ C:\WINDOWS.0\system32\drivers\mbam.sys
2008-10-28 17:12 . 2008-10-28 21:01 568 --a------ C:\WINDOWS.0\system32\drivers\fwdrv.err
2008-10-28 17:08 . 2008-10-28 17:08 <DIR> d-------- C:\Program Files\Sunbelt Software
2008-10-28 11:17 . 2008-10-28 11:17 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS.0\Data aplikací\SecTaskMan
2008-10-28 10:13 . 2008-10-28 10:13 253,625 --a------ C:\Documents and Settings\Sarkaaa AD-1868.Civ4SavedGame
2008-10-28 08:14 . 2008-10-28 08:14 <DIR> d-------- C:\Documents and Settings\ćuRKA~1.ROD
2008-10-27 18:00 . 2008-10-27 18:00 320,425 --a------ C:\Documents and Settings\sarkaaa AD-1986.Civ4SavedGame
2008-10-26 10:47 . 2008-10-26 10:47 270,615 --a------ C:\Documents and Settings\sarkaaa AD-1920.Civ4SavedGame
2008-10-25 10:45 . 2008-10-25 10:45 178,111 --a------ C:\Documents and Settings\sarkaaa AD-1280.Civ4SavedGame
2008-10-22 14:05 . 2008-10-22 14:05 204,954 --a------ C:\Documents and Settings\Sarka AD-1020.Civ4SavedGame
2008-10-22 13:31 . 2008-10-22 13:31 206,325 --a------ C:\Documents and Settings\S'arus AD-1340.Civ4SavedGame
2008-10-20 17:27 . 2008-10-20 17:27 335,706 --a------ C:\Documents and Settings\S'arka AD-2008.Civ4SavedGame
2008-10-20 15:22 . 2008-10-20 15:22 <DIR> d-------- C:\Program Files\Testy Autoškola
2008-10-19 18:18 . 2008-10-19 18:18 298,666 --a------ C:\Documents and Settings\S'arka AD-1964.Civ4SavedGame
2008-10-19 10:28 . 2008-10-19 10:29 210,188 --a------ C:\Documents and Settings\S'arka AD-1670.Civ4SavedGame
2008-10-18 19:26 . 2008-10-18 19:26 135,305 --a------ C:\Documents and Settings\S'arka AD-0325.Civ4SavedGame
2008-10-12 09:44 . 2008-10-12 09:44 <DIR> d-------- C:\Program Files\Teacher
2008-10-11 17:40 . 2008-10-11 17:40 694,346 --a------ C:\Documents and Settings\S'arka AD-1984.Civ4SavedGame
2008-10-11 10:45 . 2008-10-11 10:45 455,423 --a------ C:\Documents and Settings\S'arka AD-1705.Civ4SavedGame
2008-10-11 09:40 . 2008-10-11 10:31 424,269 --a------ C:\Documents and Settings\S'arka AD-0820.Civ4SavedGame
2008-10-10 19:26 . 2008-10-10 19:26 262,379 --a------ C:\Documents and Settings\S'arka BC-0075.Civ4SavedGame
2008-10-06 07:52 . 2008-10-07 20:30 541,211 --a------ C:\Documents and Settings\Sarka AD-1939.Civ4SavedGame
2008-10-05 11:30 . 2008-10-05 11:30 <DIR> d-------- C:\Documents and Settings\Jan_2\Data aplikací\Lineage Utils
2008-10-05 11:29 . 2008-10-05 11:29 <DIR> d-------- C:\Program Files\LineAge Utils
2008-10-05 10:35 . 2008-10-05 10:35 479,082 --a------ C:\Documents and Settings\Sarka AD-1918.Civ4SavedGame
2008-10-04 10:47 . 2008-10-04 10:47 344,186 --a------ C:\Documents and Settings\Sarka AD-1515.Civ4SavedGame
2008-10-03 19:26 . 2008-10-03 19:26 286,052 --a------ C:\Documents and Settings\Sarka AD-0780.Civ4SavedGame
2008-10-03 19:09 . 2008-10-03 19:09 265,490 --a------ C:\Documents and Settings\Sarka AD-0520.Civ4SavedGame
2008-09-20 09:30 . 2008-09-20 09:30 267,143 --a------ C:\Documents and Settings\Sarka AD-1904.Civ4SavedGame
2008-09-19 19:28 . 2008-09-19 19:28 222,547 --a------ C:\Documents and Settings\Sarka AD-1685.Civ4SavedGame
2008-09-18 19:28 . 2008-09-18 19:28 205,463 --a------ C:\Documents and Settings\Sarka AD-1560.Civ4SavedGame
2008-09-15 16:50 . 2008-09-15 16:50 361,212 --a------ C:\Documents and Settings\Sarka AD-1938.Civ4SavedGame
2008-09-15 15:37 . 2008-09-15 15:37 319,989 --a------ C:\Documents and Settings\Sarka AD-1820.Civ4SavedGame
2008-09-14 19:16 . 2008-09-14 19:16 306,015 --a------ C:\Documents and Settings\Sarka AD-1710.Civ4SavedGame
2008-09-14 18:39 . 2008-09-14 18:39 283,929 --a------ C:\Documents and Settings\Sarka AD-1535.Civ4SavedGame
2008-09-14 10:14 . 2008-09-14 10:14 282,837 --a------ C:\Documents and Settings\Sarka AD-1520.Civ4SavedGame
2008-09-13 19:25 . 2008-09-13 19:25 216,480 --a------ C:\Documents and Settings\Sarka AD-0200.Civ4SavedGame
2008-09-13 10:36 . 2008-09-13 10:36 <DIR> d-------- C:\WINDOWS.0\Logs
2008-09-13 09:58 . 2008-09-13 09:58 283,998 --a------ C:\Documents and Settings\Sarka AD-2086.Civ4SavedGame
2008-09-12 19:27 . 2008-09-12 19:27 270,027 --a------ C:\Documents and Settings\Sarka AD-2040.Civ4SavedGame
2008-09-12 06:55 . 2008-09-12 06:55 211,607 --a------ C:\Documents and Settings\Sarka AD-1933.Civ4SavedGame
2008-09-11 19:21 . 2008-09-11 19:21 182,573 --a------ C:\Documents and Settings\Sarka AD-1780m.Civ4SavedGame
2008-09-10 19:26 . 2008-09-10 19:26 100,541 --a------ C:\Documents and Settings\Sarka BC-0050.Civ4SavedGame

.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-04 21:26 2,829 ----a-w C:\WINDOWS.0\War3Unin.pif
2008-12-04 21:26 126,976 ----a-w C:\WINDOWS.0\War3Unin.exe
2008-10-26 19:45 138,136 ----a-w C:\WINDOWS.0\system32\drivers\PnkBstrK.sys
2008-10-26 19:45 111,928 ----a-w C:\WINDOWS.0\system32\PnkBstrB.exe
2008-10-15 17:00 332,800 ------w C:\WINDOWS.0\system32\dllcache\netapi32.dll
2008-10-03 17:26 6,066,176 ------w C:\WINDOWS.0\system32\dllcache\ieframe.dll
2008-09-15 15:40 1,846,016 ----a-w C:\WINDOWS.0\system32\win32k.sys
2008-09-15 15:40 1,846,016 ------w C:\WINDOWS.0\system32\dllcache\win32k.sys
2008-08-28 10:04 333,056 ------w C:\WINDOWS.0\system32\drivers\srv.sys
2008-08-28 10:04 333,056 ------w C:\WINDOWS.0\system32\dllcache\srv.sys
2008-08-27 09:27 3,593,216 ------w C:\WINDOWS.0\system32\dllcache\mshtml.dll
2008-08-26 08:26 63,488 ------w C:\WINDOWS.0\system32\dllcache\icardie.dll
2008-08-26 08:26 44,544 ------w C:\WINDOWS.0\system32\dllcache\iernonce.dll
2008-08-26 08:26 384,512 ------w C:\WINDOWS.0\system32\dllcache\iedkcs32.dll
2008-08-26 08:26 383,488 ------w C:\WINDOWS.0\system32\dllcache\ieapfltr.dll
2008-08-26 08:26 347,136 ------w C:\WINDOWS.0\system32\dllcache\dxtmsft.dll
2008-08-26 08:26 267,776 ------w C:\WINDOWS.0\system32\dllcache\iertutil.dll
2008-08-26 08:26 230,400 ------w C:\WINDOWS.0\system32\dllcache\ieaksie.dll
2008-08-26 08:26 214,528 ------w C:\WINDOWS.0\system32\dllcache\dxtrans.dll
2008-08-26 08:26 153,088 ------w C:\WINDOWS.0\system32\dllcache\ieakeng.dll
2008-08-26 08:26 133,120 ------w C:\WINDOWS.0\system32\dllcache\extmgr.dll
2008-08-26 08:26 124,928 ------w C:\WINDOWS.0\system32\dllcache\advpack.dll
2008-08-25 08:38 13,824 ------w C:\WINDOWS.0\system32\dllcache\ieudinit.exe
2008-08-25 08:36 70,656 ------w C:\WINDOWS.0\system32\dllcache\ie4uinit.exe
2008-08-24 14:32 81,920 ----a-w C:\WINDOWS.0\system32\OpenAL32.dll
2008-08-24 14:32 233,472 ----a-w C:\WINDOWS.0\system32\wrap_oal.dll
2008-08-23 05:56 635,848 ------w C:\WINDOWS.0\system32\dllcache\iexplore.exe
2008-08-23 05:54 161,792 ------w C:\WINDOWS.0\system32\dllcache\ieakui.dll
2008-08-14 13:46 2,182,528 ----a-w C:\WINDOWS.0\system32\ntoskrnl.exe
2008-08-14 13:46 2,182,528 ------w C:\WINDOWS.0\system32\dllcache\ntoskrnl.exe
2008-08-14 13:46 2,138,112 ------w C:\WINDOWS.0\system32\dllcache\ntkrnlmp.exe
2008-08-14 13:46 2,059,904 ----a-w C:\WINDOWS.0\system32\ntkrnlpa.exe
2008-08-14 13:46 2,059,904 ------w C:\WINDOWS.0\system32\dllcache\ntkrnlpa.exe
2008-08-14 13:46 2,017,792 ------w C:\WINDOWS.0\system32\dllcache\ntkrpamp.exe
2008-08-14 09:51 138,368 ----a-w C:\WINDOWS.0\system32\dllcache\afd.sys
2008-07-31 09:41 68,616 ----a-w C:\WINDOWS.0\system32\XAPOFX1_1.dll
2008-07-31 09:41 238,088 ----a-w C:\WINDOWS.0\system32\xactengine3_2.dll
2008-07-31 09:40 509,448 ----a-w C:\WINDOWS.0\system32\XAudio2_2.dll
2008-07-18 19:39 586,752 ----a-w C:\WINDOWS.0\WLXPGSS.SCR
2008-07-13 08:18 348,160 ----a-w C:\WINDOWS.0\system32\msvcr71.dll
2008-07-12 07:18 467,984 ----a-w C:\WINDOWS.0\system32\d3dx10_39.dll
2008-07-12 07:18 3,851,784 ----a-w C:\WINDOWS.0\system32\D3DX9_39.dll
2008-07-12 07:18 1,493,528 ----a-w C:\WINDOWS.0\system32\D3DCompiler_39.dll
2008-07-07 21:32 253,952 ----a-w C:\WINDOWS.0\system32\es.dll
2008-07-07 21:32 253,952 ------w C:\WINDOWS.0\system32\dllcache\es.dll
2007-03-06 16:14 1,218,696 ---ha-w C:\Documents and Settings\webspell\webspell4[1].01.01.zip
2003-11-30 14:31 842 ----a-w C:\Program Files\options.cfg
2002-07-26 16:02 153,088 ----a-w C:\Program Files\UNWISE.EXE
2002-06-24 14:46 3,360 ------w C:\WINDOWS.0\inf\OTHER\cmiainfo.sys
2006-07-09 06:12 11,270 --sha-w C:\WINDOWS.0\system32\KGyGaAvL.sys
2006-02-11 08:55 56 --sh--r C:\WINDOWS.0\system32\4F4F9D4257.sys
.

((((((((((((((((((((((((((((( snapshot_2008-10-29_11.15.37,04 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-10-28 20:28:18 5,120 ----a-r C:\WINDOWS.0\Installer\{789289CA-F73A-4A16-A331-54D498CE069F}\Icon789289CA.exe
+ 2008-10-30 14:24:12 5,120 ----a-r C:\WINDOWS.0\Installer\{789289CA-F73A-4A16-A331-54D498CE069F}\Icon789289CA.exe
+ 2008-10-30 13:56:32 16,384 ----a-w C:\WINDOWS.0\Temp\Perflib_Perfdata_5b4.dat
.
(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Creative Detector"="C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 102400]
"ctfmon.exe"="C:\WINDOWS.0\system32\ctfmon.exe" [2004-08-17 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SiSUSBRG"="C:\WINDOWS.0\SiSUSBrg.exe" [2002-07-12 106496]
"SweetIM"="C:\Program Files\Macrogaming\SweetIM\SweetIM.exe" [2006-06-06 40960]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-19 267048]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2005-08-11 249856]
"AudioDrvEmulator"="C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" [2005-06-16 49152]
"UpdReg"="C:\WINDOWS.0\UpdReg.EXE" [2000-05-11 90112]
"CTDVDDET"="C:\Program Files\Creative\SBAudigy4\DVDAudio\CTDVDDET.EXE" [2003-06-18 45056]
"CTSysVol"="C:\Program Files\Creative\SBAudigy4\Surround Mixer\CTSysVol.exe" [2005-02-15 57344]

C:\Documents and Settings\ć rka.RODINA-\Nabˇdka Start\Programy\Po spuçtŘnˇ\
OpenOffice.org 2.2.lnk.disabled [2007-05-28 785]

C:\Documents and Settings\Jan_2\Nabˇdka Start\Programy\Po spuçtŘnˇ\
Adobe Gamma.lnk.disabled [2007-07-15 897]

C:\Documents and Settings\All Users.WINDOWS.0\Nabˇdka Start\Programy\Po spuçtŘnˇ\
Adobe Reader Speed Launch.lnk.disabled [2007-05-25 1670]
Microsoft Office.lnk.disabled [2006-05-01 1640]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"SynchronousMachineGroupPolicy"= 0 (0x0)
"SynchronousUserGroupPolicy"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoStrCmpLogical"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMBalloonTip"= 1 (0x1)
"MemCheckBoxInRunDlg"= 0 (0x0)
"NoAutoTrayNotify"= 0 (0x0)
"NoResolveTrack"= 0 (0x0)
"NoResolveSearch"= 1 (0x1)
"NoWelcomeScreen"= 1 (0x1)
"NoRecentDocsNetHood"= 1 (0x1)
"NoDesktopCleanupWizard"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.iv31"= C:\WINDOWS.0\system32\ir32_32.dll
"vidc.iv32"= C:\WINDOWS.0\system32\ir32_32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-01-31 23:13 385024 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"NVSvc"=2 (0x2)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"STYLEXP"=C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
"IDMan"=C:\Program Files\Internet Download Manager\IDMan.exe /onboot
"updateMgr"=C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB0_0_0 -reboot 1

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"CTDVDDET"="C:\Program Files\Creative\SBAudigy4\DVDAudio\CTDVDDET.EXE"
"NvCplDaemon"=RUNDLL32.EXE C:\WINDOWS.0\system32\NvCpl.dll,NvStartup
"NeroFilterCheck"=C:\WINDOWS.0\system32\NeroCheck.exe
"SunJavaUpdateSched"=C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
"ISUSPM Startup"=C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
"USBToolTip"="C:\Program Files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe"
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"%windir%\\system32\\sessmgr.exe"=

R1 aswSP;avast! Self Protection;C:\WINDOWS.0\system32\drivers\aswSP.sys [2008-07-19 78416]
R1 fwdrv;Firewall Driver;C:\WINDOWS.0\system32\drivers\fwdrv.sys [2007-02-20 302000]
R1 khips;Kerio HIPS Driver;C:\WINDOWS.0\system32\drivers\khips.sys [2007-02-20 71088]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS.0\system32\DRIVERS\aswFsBlk.sys [2008-07-19 20560]
R2 SVKP;SVKP;C:\WINDOWS.0\system32\SVKP.sys [2006-04-30 2368]
R3 PSched;Plánovač paketů technologie QoS;C:\WINDOWS.0\system32\DRIVERS\psched.sys [2004-08-03 69120]
R3 usbohci;Ovladač Miniport otevřeného hostitelského řadiče Microsoft USB;C:\WINDOWS.0\system32\DRIVERS\usbohci.sys [2004-08-03 17024]
S3 ASUSHWIO;ASUSHWIO;C:\WINDOWS.0\system32\drivers\ASUSHWIO.sys [ ]
S3 npkycryp;npkycryp;F:\Hry\Lineage II - Kamael CT1\system\npkycryp.sys [ ]
S3 USBSTOR;Ovladač velkokapacitního paměťového zařízení USB;C:\WINDOWS.0\system32\DRIVERS\USBSTOR.SYS [2004-08-03 26496]

*Newly Created Service* - NPKCRYPT
.
Obsah adresáře 'Naplánované úlohy'

2008-10-30 C:\WINDOWS.0\Tasks\A1D92D2C91CAA938.job
- c:\docume~1\jan_2\dataap~1\realhe~1\Idle64upload.exe []

2008-10-22 C:\WINDOWS.0\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe []

2008-12-07 C:\WINDOWS.0\Tasks\User_Feed_Synchronization-{E4C8D7AB-6A62-4060-A20D-7B571BACF88D}.job
- C:\WINDOWS.0\system32\msfeedssync.exe [2007-08-13 18:36]
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-30 19:38:23
Windows 5.1.2600 Service Pack 2 FAT NTAPI

skenování skrytých procesů ...

skenování skrytých položek 'Po spuštění' ...

skenování skrytých souborů ...


C:\sccfg.sys 32768 bytes

sken byl úspešně dokončen
skryté soubory: 1

**************************************************************************
.
Celkový čas: 2008-10-30 19:41:29
ComboFix-quarantined-files.txt 2008-10-30 18:41:22
ComboFix4.txt 2008-10-29 13:30:12
ComboFix5.txt 2008-10-30 18:30:46
ComboFix3.txt 2008-10-29 18:24:46
ComboFix2.txt 2008-10-30 14:15:30

Před spuštěním: 5 929 205 760
Po spuštění: 5,922,684,928

250 --- E O F --- 2008-10-29 02:02:21

[jaro3]

Až na toto:c:\docume~1\jan_2\dataap~1\realhe~1\Idle64upload.exe je to O.k.
Nenašel jsi, máš v možnostech složky zobrazovat skryté a systémové složky?
Mělo by to být tady:
C:\Documents and Settings\Jméno\Data aplikací
Zkus ještě dát hledat v tomto adresáři.
Jinak vlož nový log z HJT.

[Nuny]

pokud stačí dát Hledat a tam zaškrtnout systémové složky a skryté soubory nic to nenachází. Mám to raději projít sám?

Log z HJT:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:35:58, on 30.10.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS.0\System32\smss.exe
C:\WINDOWS.0\system32\winlogon.exe
C:\WINDOWS.0\system32\services.exe
C:\WINDOWS.0\system32\lsass.exe
C:\WINDOWS.0\system32\svchost.exe
C:\WINDOWS.0\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS.0\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS.0\system32\CTsvcCDA.EXE
C:\WINDOWS.0\system32\PnkBstrA.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS.0\System32\svchost.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\Program Files\Creative\SBAudigy4\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\WINDOWS.0\system32\ctfmon.exe
C:\WINDOWS.0\system32\wuauclt.exe
C:\WINDOWS.0\explorer.exe
C:\Documents and Settings\Jan_2\Plocha\Programy\Clean\Hijack\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://g.msn.com/8SEENUS020100/FRWCompleteAddIns
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
O3 - Toolbar: (no name) - {BFC32E1D-EE75-4A48-BC60-104E11EE2431} - (no file)
O3 - Toolbar: (no name) - {855F3B16-6D32-4fe6-8A56-BBB695989046} - (no file)
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS.0\SiSUSBrg.exe
O4 - HKLM\..\Run: [SweetIM] C:\Program Files\Macrogaming\SweetIM\SweetIM.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -startup
O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS.0\UpdReg.EXE
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\SBAudigy4\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy4\Surround Mixer\CTSysVol.exe /r
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS.0\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS.0\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS.0\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - Startup: Adobe Gamma.lnk.disabled
O4 - Global Startup: Adobe Reader Speed Launch.lnk.disabled
O4 - Global Startup: Microsoft Office.lnk.disabled
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Přidat na blog - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Přidat na blog Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: WebTran - {7E6A20FB-153F-402c-A84B-1A64E1955D3D} - C:\WINDOWS.0\system32\SHDOCVW.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe (file missing)
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe (file missing)
O9 - Extra button: (no name) - {BFC32E1D-EE75-4A48-BC60-104E11EE2431} - (no file)
O9 - Extra button: (no name) - {CC963627-B1DC-40E0-B52A-CF21EE748450} - C:\WINDOWS.0\system32\SHDOCVW.DLL
O9 - Extra 'Tools' menuitem: &Nastavit překladač - {CC963627-B1DC-40E0-B52A-CF21EE748450} - C:\WINDOWS.0\system32\SHDOCVW.DLL
O9 - Extra button: (no name) - {CC963627-B1DC-40E0-B52A-CF21EE748451} - C:\WINDOWS.0\system32\SHDOCVW.DLL
O9 - Extra 'Tools' menuitem: Přeložit &označený text - {CC963627-B1DC-40E0-B52A-CF21EE748451} - C:\WINDOWS.0\system32\SHDOCVW.DLL
O9 - Extra button: (no name) - {CC963627-B1DC-40E0-B52A-CF21EE748452} - C:\WINDOWS.0\system32\SHDOCVW.DLL
O9 - Extra 'Tools' menuitem: Přeložit &stránku - {CC963627-B1DC-40E0-B52A-CF21EE748452} - C:\WINDOWS.0\system32\SHDOCVW.DLL
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} (asusTek_sysctrl Class) - http://support.asus.com/common/asusTek_sys_ctrl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.mail.live.com/mail/w1/resou ... NPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 5177247953
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 5177481953
O16 - DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} (Windows Live Photo Upload Control) - http://cid-493a2124009ba347.spaces.live ... nPUpld.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{95A1834B-035F-4E95-A4EB-203971E44BAA}: NameServer = 217.197.158.17
O17 - HKLM\System\CCS\Services\Tcpip\..\{9DFC39DF-A0B2-49EB-AF9D-C40184E88E93}: NameServer = 192.168.154.33
O17 - HKLM\System\CCS\Services\Tcpip\..\{C78501D8-6CD9-4807-840F-BC68F5756F52}: NameServer = 192.168.154.33
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - (no file)
O22 - SharedTaskScheduler: IE Component Categories cache daemon - {553858A7-4922-4e7e-B1C1-97140C1C16EF} - C:\WINDOWS.0\system32\ieframe.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS.0\system32\CTsvcCDA.EXE
O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS.0\system32\PnkBstrA.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe

--
End of file - 8428 bytes

[jaro3]

Nemusíš, když tam není
Fix v HJT:

Kód: Vybrat vše

O3 - Toolbar: (no name) - {BFC32E1D-EE75-4A48-BC60-104E11EE2431} - (no file)
O3 - Toolbar: (no name) - {855F3B16-6D32-4fe6-8A56-BBB695989046} - (no file)
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS.0\UpdReg.EXE
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe (file missing)
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe (file missing)
O9 - Extra button: (no name) - {BFC32E1D-EE75-4A48-BC60-104E11EE2431} - (no file)


ComboFix se odinstaluje takto:
Start-Spustit a zadej ComboFix[mezera]/u
takže jestli nejsou problémy,tak vyčisti systém CCleanerem
viewtopic.php?t=5130
a použij i T-Cleaner
http://www.sweb.cz/Marinus/T-Cleaner.exe
smaže vše po Combu,SDFixu,Avengeru,MWAVu atd.-stáhneš>spustíš

Aktualizuj javu:
Java SE Runtime Environment 6u10

Vyber OS ( předpokládám Windows), zatržítko agree-continue
Vyber:
Windows Offline Installation
jre-6u10-windows-i586-p.exe
Ostatní javy odeber v přidat/odebrat programy.
Je to vše.

[Nuny]

Děkuju moc.

a ještě toto doufám nic neznamená? vím že mi to blokovalo kerio tak sem to zkusil dat na www.virustotal.com a .....
Soubor winlogon.exe přijatý 2008.10.30 22:08:06 (CET)
Současný stav: Dokončeno
Výsledek: 1/36 (2.78%)
eSafe 7.0.17.0 2008.10.30 Win32.Agent.ha

[jaro3]

Pokud je v této destinaci: C:\WINDOWS.0\system32\winlogon.exe, tak je to legální proces win ,běžící na pozadí.
eSafe nepatří k těm dobrým testům. winlogon.exe může být infikovaný, ale podle tohoto testu na virustotal (1/36), bych usuzoval na chybu. Pokud by byl infikovaný tak by test vyzněl daleko jasněji a bylo by třeba ho odstranit a nahradit jiným.Nedělal bych nic , pokud nejsou jiné problémy.

[Nuny]

Dobře... ještě jedou moc diky

[Nuny]

mohu prosim ještě jednu věc...? měl jsem tu 2 windowsy ten prvni se odstranil a jede to na tom druhém(Windows.0) ale když se PC zapíná tak ho musim vždy vybrat i když je už jen jeden šlo by nějak udělat aby nabíhal automaticky? vim že je to mimo téma ale poradil by jste?

[jaro3]

Uprav si boot.ini.
Tento počítač-pravým vlastnosti-upřesnit-spuštění a zotavení systému-nastavení-upravit a tam vymaž ten systém , který jsi odebral.
Více zde:
http://support.microsoft.com/kb/888023/cs

[Nuny]

no... ono tam mam tohle:
[boot loader]
timeout=40
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS.0="Windows XP Home Edition" /fastdetect
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS.0="Windows XP Home Edition" /fastdetect

a asi by nebylo dobre to střilet od boku... případně co by se stalo/co bych měl dělat kdybych smazal ten funkční?

[jaro3]

Buď můžeš udělat toto:
http://support.microsoft.com/kb/291980
je to zdlouhavější, ale obstará to za Tebe windows.
Nebo si zazálohuj boot.ini, podle odkazu v minulém příspěvku ( do dokumentů). Soubor-uložit atd.
Jinak by to mělo vypadat asi takto:

Kód: Vybrat vše

[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS.0="Microsoft Windows XP Home"
/fastdetect