Zamrzávání prohlížeče Vyřešeno

[cranberiss]

Dobrý den, včera se mi nešlo "přihlásit" na většinu stránek, popíši problém (Mozilla Firefox, akt. verze): když se chci zalogovat (přihlásit) do nějaké stránky, dejme tomu třeba online hry, nebo třeba tady na pc-help, tak to neskutečně dlouho trvalo, stránku to otevře v pohodě, ale přihlásit už se prostě nedá, jako by to dělalo ještě nějakou skrytou operaci jak kliknu na tlačítko přihlásit. Počítač jsem projel spyware terminatorem a ad awarem, ale problém neodezněl.

Dnes jsem nainstaloval operu a vše běží v pohodě, nevím, kde může být problém, ale nejspíše v těch heslech, v opeře nemám žádný a v Mozille to mám vše naťukaný v tom správci hesel, ale radši bych používal Mozillu, jsem na ní zvyklý, ikdyž jak se teď koukám, tak je opera mnohem rychlejší.

Přikládám log z hjt:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:30:58, on 2.3.2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ASUS\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
D:\Opera\opera.exe
D:\Hijack\HijackThis.exe

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{99C72B01-DCAC-40CA-ABC3-CD6214DFABA9}: NameServer = 62.129.50.20,62.129.32.100
O23 - Service: Služba inteligentního přenosu na pozadí (BITS) (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\ASUS\Bluetooth Software\bin\btwdins.exe
O23 - Service: Inkjet Printer/Scanner Extended Survey Program (IJPLMSVC) - Unknown owner - C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
O23 - Service: Lavasoft Ad-Aware Service (lavasoft ad-aware service) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe

--
End of file - 2850 bytes

[Reklama]

[jaro3]

Stáhni si Malwarebytes' Anti-Malware
Nainstaluj a spusť ho
- na konci instalace se ujisti že máš zvoleny/zatrhnuty obě možnosti:
Aktualizace Malwarebytes' Anti-Malware a Spustit aplikaci Malwarebytes' Anti-Malware, pokud jo tak klikni na tlačítko konec
- pokud bude nalezena aktualizace, tak se stáhne a nainstaluje
- program se po té spustí a nech vybranou možnost Provést rychlý sken a klikni na tlačítko Skenovat
- po proběhnutí programu se ti objeví hláška tak klikni na OK a pak na tlačítko Zobrazit výsledky
- pak zvol možnost uložit log a ulož si log na plochu
- po té klikni na tlačítko Exit, objeví se ti hláška tak zvol Ano
(zatím nic nemaž!).
Vlož sem pak obsah toho logu.

[cranberiss]

Tak jsem to nainstaloval, ale nemohu to otevřít, jakoby to vůbec nereagovalo, ještě předtím, než jsem to nainstaloval, jsem tu poslal příspěvek, že to nemohu stáhnout a asi po x pokusech se mi to povedlo a příspěvěk jsem vzápětí smazal, ale tohle je skoro podobný problém, jakoby tomu něco vadilo a nereaguje to na kliknutí.

Mám to zkusit spustit v nozovém režimu ?

[jaro3]

Jo , zkus ho v nouz. režimu.

[cranberiss]

Bohužel, ani v nouzovém režimu to nefunguje, nechápu to, ať klikám jak klikám, nemohu to otevřít...
Možná to zakazuje něco ve službách, nějak se mi nelíbí služba: vzdálené volání procedur (RPC) navíc nejde nijak zakázat, vypnout .... a je na ní závislé strašné moc věcí, to bude asi taky jeden problém, mrknu na google...

[jaro3]

Zkus si zde
http://www.edisk.cz/stahni/23032/tools.rar_3.51MB.html
stáhnout některé prográmky co by se nám mohly hodit.
Rozbal si archiv do svého adresáře. Soubory jsou záměrně pojmenované jinak než původní v návodech, tak se nediv.
Zkus pak spustit:
VerTerm.exe, můžeš v nouzovém režimu.
VerTerm=Combofix
itr=RSIT
buss=DDS

[cranberiss]

Díky, problém je vyřešen, mám tu spoustu uložených logů, pokud je chceš vidět, jinak moc dík.

[cranberiss]

ComboFix 09-03-01.01 - Jarek 2009-03-02 16:38:42.2 - NTFSx86
Systém Microsoft Windows XP Professional 5.1.2600.3.1250.1.1029.18.1534.1195 [GMT 1:00]
Spuštěný z: c:\documents and settings\Jarek\Plocha\tools\VerTerm.exe
FW: Norton Internet Worm Protection *disabled*
.

((((((((((((((((((((((((( Soubory vytvořené od 2009-02-02 do 2009-03-02 )))))))))))))))))))))))))))))))
.

2009-03-02 10:15 . 2009-03-02 10:15 <DIR> d-------- c:\documents and settings\Jarek\Data aplikací\Malwarebytes
2009-03-02 10:05 . 2009-03-02 10:05 <DIR> d-------- C:\rsit
2009-03-02 08:47 . 2009-03-02 08:47 <DIR> d-------- c:\documents and settings\All Users\Data aplikací\Malwarebytes
2009-03-02 08:47 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-02 08:47 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-03-02 02:33 . 2009-03-02 02:33 22,315 --a------ c:\windows\system32\AAWService_2009_03_02_02_33_17.dmp
2009-03-02 02:12 . 2009-03-02 02:12 0 --a------ c:\windows\system32\AAWService_2009_03_02_02_12_21.dmp
2009-03-02 02:10 . 2009-03-02 02:00 15,688 --a------ c:\windows\system32\lsdelete.exe
2009-03-02 02:02 . 2009-03-02 02:02 <DIR> d-------- c:\documents and settings\NetworkService\Plocha
2009-03-02 02:00 . 2009-03-02 01:59 64,160 --a------ c:\windows\system32\drivers\Lbd.sys
2009-03-02 01:59 . 2009-03-02 01:59 <DIR> d-------- c:\program files\Lavasoft
2009-03-02 01:59 . 2009-03-02 01:59 <DIR> d-------- c:\documents and settings\All Users\Data aplikací\Lavasoft
2009-03-02 01:59 . 2009-03-02 01:59 <DIR> d--h-c--- c:\documents and settings\All Users\Data aplikací\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-03-01 21:43 . 2009-03-02 16:39 85,102 --a------ c:\windows\system32\drivers\e8f66f4a.sys
2009-03-01 21:43 . 2009-03-01 21:43 82,432 --a------ C:\vlcj.exe
2009-03-01 21:43 . 2009-03-01 21:43 74,752 --a------ c:\windows\system32\xwfqyyiu.dll
2009-03-01 21:43 . 2009-03-01 21:43 8,704 --a------ C:\uagxble.exe
2009-03-01 20:26 . 2009-03-01 20:26 <DIR> d-------- c:\documents and settings\Jarek\Data aplikací\Digital Red
2009-03-01 19:24 . 2009-03-01 19:24 131 -ra------ c:\windows\amunres.lsl
2009-03-01 18:35 . 2001-07-01 17:30 112,640 --a------ c:\windows\lsb_un20.exe
2009-02-27 14:53 . 2001-08-23 17:00 1,700,352 --a------ c:\windows\system32\gdiplus.dll
2009-02-27 14:50 . 2009-02-27 14:50 <DIR> d-------- C:\Temp
2009-02-23 14:33 . 2009-02-23 14:33 9 --a------ c:\windows\nfsc_patch.ini
2009-02-22 17:07 . 2009-03-01 21:43 2 --a------ C:\215564481

.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-02 00:52 --------- d-----w c:\documents and settings\Jarek\Data aplikací\Spyware Terminator
2009-03-01 23:51 --------- d-----w c:\program files\WinClamAVShield
2009-03-01 23:40 --------- d-----w c:\program files\Spyware Terminator
2009-03-01 22:40 --------- d-----w c:\documents and settings\All Users\Data aplikací\Spyware Terminator
2009-03-01 19:40 --------- d-----w c:\documents and settings\Jarek\Data aplikací\uTorrent
2009-02-28 17:52 --------- d-----w c:\documents and settings\All Users\Data aplikací\VSO
2009-02-19 14:45 --------- d-----w c:\documents and settings\All Users\Data aplikací\CanonIJPLM
2009-02-19 14:40 --------- d-----w c:\documents and settings\All Users\Data aplikací\CanonIJ
2009-02-07 11:18 --------- d-----w c:\documents and settings\Jarek\Data aplikací\Kingston
2009-02-06 20:58 --------- d--h--w c:\program files\InstallShield Installation Information
2009-01-29 17:40 --------- d-----w c:\documents and settings\Jarek\Data aplikací\GetRightToGo
2009-01-29 17:29 53,248 ----a-w c:\windows\system32\unrar.dll
2009-01-25 13:01 47,360 ----a-w c:\windows\system32\drivers\pcouffin.sys
2009-01-25 13:01 47,360 ----a-w c:\documents and settings\Jarek\Data aplikací\pcouffin.sys
2009-01-25 13:01 --------- d-----w c:\documents and settings\Jarek\Data aplikací\Vso
2009-01-24 21:10 --------- d-----w c:\documents and settings\All Users\Data aplikací\BigFishGamesCache
2009-01-24 19:06 --------- d-----w c:\program files\Canon
2009-01-24 14:58 --------- d-----w c:\documents and settings\Jarek\Data aplikací\Inkscape
2009-01-06 22:13 --------- d--h--w c:\documents and settings\All Users\Data aplikací\CanonIJEGV
2009-01-06 21:56 --------- d--h--w c:\documents and settings\All Users\Data aplikací\CanonIJEPPEX
2009-01-06 21:37 --------- d--h--w c:\documents and settings\All Users\Data aplikací\CanonIJScan
2009-01-06 21:37 --------- d-----w c:\documents and settings\Jarek\Data aplikací\Canon
2009-01-06 21:30 --------- d--h--w c:\documents and settings\All Users\Data aplikací\CanonIJSolutionMenu
2009-01-06 21:30 --------- d--h--w c:\documents and settings\All Users\Data aplikací\CanonIJMyPrinter
2009-01-06 21:22 --------- d-----w c:\program files\Common Files\CANON
2009-01-06 21:19 --------- d--h--w c:\program files\CanonBJ
2009-01-06 21:19 --------- d--h--w c:\documents and settings\All Users\Data aplikací\CanonBJ
2009-01-04 21:11 --------- d-----w c:\documents and settings\All Users\Data aplikací\Microsoft Help
2007-10-20 18:33 3 -c--a-w c:\documents and settings\Jarek\BBCONFIG.DAT
1999-04-23 22:22 12 -csh--w c:\windows\system\WININETICMP32.drv
2008-08-27 09:08 32,768 -csha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008082720080828\index.dat
.

(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTSysVol"="c:\program files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2005-10-31 57344]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-16 13529088]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-03-02 509784]
"P17Helper"="P17.dll" [2005-05-03 c:\windows\system32\P17.DLL]
"nwiz"="nwiz.exe" [2008-05-16 c:\windows\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0OODBS\0\0lsdelete

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\lavasoft ad-aware service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2008-05-16 13:01 13529088 c:\windows\system32\nvcpl.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"d:\\ICQ6\\ICQ.exe"=
"c:\\WINDOWS\\system32\\javaw.exe"=
"d:\\IW FTPort Client\\Cftp32.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office 2007\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office 2007\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office 2007\\Office12\\ONENOTE.EXE"=
"d:\\uTorrent\\utorrent.exe"=

R0 lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-03-02 64160]
R1 sp_rsdrv2;Spyware Terminator Driver 2;c:\windows\system32\drivers\sp_rsdrv2.sys [2008-03-06 141312]
R3 PSched;Plánovač paketů technologie QoS;c:\windows\system32\drivers\psched.sys [2004-08-03 69120]
R3 SQTECH930B;Trust WB-3500T USB2 Webcam;c:\windows\system32\drivers\Capt930b.sys [2007-05-08 273982]
R3 tenCapture;tenCapture;c:\windows\system32\drivers\tenCapture.sys [2007-04-21 9344]
S2 lavasoft ad-aware service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-01-18 950096]
S3 Amps2prt;A4Tech PS/2 Port Mouse Driver;c:\windows\system32\drivers\Amps2prt.sys [2006-01-11 13824]
S3 cem56;Xircom CreditCard 10/100 + Modem 56 Network;c:\windows\system32\drivers\cem56n5.sys [2002-09-12 49182]
S3 SCREAMINGBDRIVER;Screaming Bee Audio;c:\windows\system32\drivers\screamingbdriver.sys [2007-10-27 13824]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{881b7f8a-fce1-11db-ab63-806d6172696f}]
\Shell\AutoRun\command - G:\setup.exe
\Shell\dinstall\command - g:\quake3\directx7\dxsetup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b2003d26-00b1-11dc-ab82-001a92159d7d}]
\Shell\AutoRun\command - H:\level.exe
\Shell\dxsetup\command - directx\dxsetup.exe
\Shell\level\command - H:\level.exe
\Shell\setup\command - H:\setup.exe
.
Obsah adresáře 'Naplánované úlohy'

2008-09-26 c:\windows\Tasks\1-Click Maintenance.job
- d:\tuneup\OneClick.exe []

2009-03-02 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-02 01:59]
.
.
------- Doplňkový sken -------
.
TCP: {99C72B01-DCAC-40CA-ABC3-CD6214DFABA9} = 62.129.50.20,62.129.32.100
FF - ProfilePath - c:\documents and settings\Jarek\Data aplikací\Mozilla\Firefox\Profiles\blyv4sc3.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.webgame.cz
FF - prefs.js: keyword.URL - hxxp://search.icq.com/search/afe_result ... id=afex&q=
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: d:\adobe\Reader\browser\nppdf32.dll
FF - plugin: d:\opera\program\plugins\npdsplay.dll
FF - plugin: d:\opera\program\plugins\npwmsdrm.dll

---- NASTAVENÍ FIREFOXU ----
c:\program files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".cz");
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-02 16:39:48
Windows 5.1.2600 Service Pack 3 NTFS

skenování skrytých procesů ...

skenování skrytých položek 'Po spuštění' ...

skenování skrytých souborů ...


**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\e8f66f4a]
"ImagePath"="\SystemRoot\System32\drivers\e8f66f4a.sys"
.
--------------------- ZAMKNUTÉ KLÍČE V REGISTRU ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"cd042efbbd7f7af1647644e76e06692b"=hex:e2,63,26,f1,3f,c8,ff,68,93,21,c0,46,66,
cf,ce,f4,e2,63,26,f1,3f,c8,ff,68,41,78,54,6b,cb,25,73,5e,e2,63,26,f1,3f,c8,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"bca643cdc5c2726b20d2ecedcc62c59b"=hex:71,3b,04,66,8b,46,0d,96,05,c0,14,5f,bb,
e9,85,85,6a,9c,d6,61,af,45,84,18,38,bb,d5,45,c2,68,70,5c,6a,9c,d6,61,af,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2c81e34222e8052573023a60d06dd016"=hex:ff,7c,85,e0,43,d4,0e,fe,93,d0,f4,a2,35,
d8,55,c1,ff,7c,85,e0,43,d4,0e,fe,e7,38,ef,42,95,63,97,c3,ff,7c,85,e0,43,d4,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2582ae41fb52324423be06337561aa48"=hex:6b,65,49,6a,7e,99,74,f7,0e,27,da,90,08,
df,39,24,86,8c,21,01,be,91,eb,e7,ba,33,a5,03,1a,41,48,16,86,8c,21,01,be,91,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"caaeda5fd7a9ed7697d9686d4b818472"=hex:f5,1d,4d,73,a8,13,5c,05,d5,c5,d9,dc,10,
6c,68,4e,f5,1d,4d,73,a8,13,5c,05,1d,83,69,e8,ac,fb,66,38,f5,1d,4d,73,a8,13,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"a4a1bcf2cc2b8bc3716b74b2b4522f5d"=hex:b0,18,ed,a7,3f,8d,37,a4,8c,01,b2,94,d8,
59,c1,9f,df,20,58,62,78,6b,cf,c8,4e,9e,52,48,ec,c0,a7,1c,df,20,58,62,78,6b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"4d370831d2c43cd13623e232fed27b7b"=hex:31,77,e1,ba,b1,f8,68,02,88,84,9e,0e,72,
6b,35,79,fb,a7,78,e6,12,2f,9a,ea,e2,c6,0d,83,3a,45,f8,77,fb,a7,78,e6,12,2f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1d68fe701cdea33e477eb204b76f993d"=hex:01,3a,48,fc,e8,04,4a,f1,e0,4f,7f,d9,52,
24,9e,e5,01,3a,48,fc,e8,04,4a,f1,82,29,83,2f,7d,40,7b,d2,01,3a,48,fc,e8,04,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1fac81b91d8e3c5aa4b0a51804d844a3"=hex:51,fa,6e,91,28,9e,14,cc,ec,35,dc,a7,cc,
0d,b7,a8,f6,0f,4e,58,98,5b,89,c9,25,df,65,00,2e,63,32,b1,f6,0f,4e,58,98,5b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"f5f62a6129303efb32fbe080bb27835b"=hex:b1,cd,45,5a,a8,c4,f8,b9,45,b7,60,43,bc,
2c,e9,04,3d,ce,ea,26,2d,45,aa,78,37,32,9f,41,5c,1f,78,77,3d,ce,ea,26,2d,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"fd4e2e1a3940b94dceb5a6a021f2e3c6"=hex:e3,0e,66,d5,eb,bc,2f,6b,2b,5d,19,ff,f8,
16,84,f1,2a,b7,cc,b5,b9,7f,41,e7,8b,2c,6d,d9,31,77,a6,50,2a,b7,cc,b5,b9,7f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"8a8aec57dd6508a385616fbc86791ec2"=hex:fa,ea,66,7f,d4,3b,6b,70,df,03,eb,cc,95,
a7,76,5e,6c,43,2d,1e,aa,22,2f,9c,92,e1,1e,0f,d6,06,73,36,6c,43,2d,1e,aa,22,\

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\System*]
"OODEFRAG10.00.00.01WORKSTATION"="8E3CEB13AAE5EBB94E6D45886407C58A912EEDA33CB12204129CB291055F41DA553DBBAF0FDF76DD251CAB4386C0E431D37F863F1E4995A2CBAAE81A8B84D4837AAF903458DDDF1901D3B7CF77C8ED1E3A00B89637FAF5480EC40A30FA3BD67096E908684937C6BC16150A6727EE905F38F9C97445312765A71CA2D1FBA5041377A5921D196559D84E41184A792791497217D52A7878A2AD9D47917DAC0928A21B01F420F008D9C44622AC3AC4884972C5E9CB8AF500759A26BE0A3A1F51A694B97F47C972FEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CA6A0AC4980AC7933A2D97226D213B555FEBC9E127BECC74CFEBC9E127BECC74CA63064E68CA63C83B9C10080BD45BEEC782C9199E3F8BFFBFC6C2D32B867C719EDF661F5C45FB7C28010901EAE6129D61D04E02C207A65B0839D3A6836E66F938684573A841196E959505F48AA5621D0640198F4709FFB74363B26997ECC8BBA7ADDD5211E6875C2045C7D6A8AB314B168746BFCD700E2CA2BA9648CDED20BDF769BB15045E3F48CE72340A50F5F754468BF4E81BD847CAB19612A3C070AE2C64BEB811F1558BA788DA5404C58913A48475C7AF3ED6A2F03DAEC73D50CD20AAB6D102397096C6D2CA4FA5BE9EED7DA6E0BD371FA97C4E5B1726E003D65E5FBB7F5DBB6FA841EBBC2FD4D3239BA11D661DF47F16FCD788F8B031A538970CBB98E22B91FBB4CBB54498F5B2AAB0DF42E3993E7845F08BF9D57543733836DE545C352A605028868ED4273776D659689678699FDF18AA2A807D252A2ABAA016527E00DB4D529C89C3FA26786673E6D2D0DCB09E34869DC1347AC8C4D8BB0B2D06AE37887BE40FC2406D64D05C9C40D10AA7F1D0B5AA258385D0A37B966FDEE059F3C635AB70CFA1E82BAAA7F0B3752B6D20E3374BE959E9E4A012A02132B872ED8D0BEF87682FB80F9222A98E10B827B9B555038CED29925169F61D1AC87AE4FAFF71E45F6CF1D90B4501A85CD6841881FA81982A89F1A7DCA66FD681316FE41BE803CB47A5360EA7F03EA930FAC99E079CFDA91AE7651AE7747411C688CF32EA5ACF3CF05212B00AAE4331EA9E77AD8CD84023807055990AE2B94531455EC13082E4835DD8047930B99AD19E8DDB5984176A3DF9BAC2CD186ED050B4190B0448D31DC94916CE0BC7937B60AD809039CFC49F5019B81A9F49AE0C0D35F8D6568E2D0FAB3F19589E6D1C6518B4A94FAB7AE13532D78CE94CE88469BD121D619F9371F8EEC90DE38527548A24CD2619C0C88DEBA866791940AF2D68EBC7E24BA473C212AACC6DE4413C9AAF50D4B03CB14C0AB4FC3647BB4A202BD3561B2E49FF3ACCE8173B063EC1136D7B7A5D143CC1B8F6DD732AB7165EB5F1D4E203BBB00F74295ED582EE9D107A626FA7FC5"
.
Celkový čas: 2009-03-02 16:41:57
ComboFix-quarantined-files.txt 2009-03-02 15:40:40
ComboFix2.txt 2009-03-02 09:02:18

Před spuštěním: 1 638 318 080
Po spuštění: 1,626,386,432

Current=3 Default=3 Failed=1 LastKnownGood=4 Sets=1,2,3,4
218 --- E O F --- 2008-09-15 14:28:08

[jaro3]

Otevři si Poznámkový blok (Start -> Spustit... a napiš do okna Notepad a dej Ok.
Zkopíruj do něj následující celý text označený zeleně:
Poznámka: Nepoužij k označení skriptu funkci VYBRAT VŠE

Kód: Vybrat vše

File::
c:\windows\system32\AAWService_2009_03_02_02_33_17.dmp
c:\windows\system32\AAWService_2009_03_02_02_12_21.dmp
c:\windows\system32\drivers\e8f66f4a.sys
c:\windows\system32\xwfqyyiu.dll

Driver::
e8f66f4a


Zvol možnost Soubor -> Uložit jako... a nastav tyto parametry:
Název souboru: zde napiš: CFScript.txt
Uložit jako typ: tak tam vyber Všechny soubory
Ulož soubor na plochu.
Ukonči všechna aktivní okna.

Uchop myší vytvořený skript CFScript.txt, přemísti ho nad stažený program ComboFix.exe a když se oba soubory překryjí, skript upusť.
- Automaticky se spustí ComboFix
- Vlož sem log, který vyběhne v závěru čistícího procesu + nový log z HJT

Toto otestuj na Virustotal
C:\vlcj.exe
C:\uagxble.exe
C:\215564481
Vlož sem pak odkazy výsledků.
Pokud mít C:\215564481 větší kapacitu mrkni co tam .

[cranberiss]

Předem přikládám info o službě virustotal:

http://www.virustotal.com/cs/analisis/959aaeb9696b7f19d31813b27b17ce64
http://www.virustotal.com/cs/analisis/6f46646ad5b582771173aac0d7ce1588
http://www.virustotal.com/cs/analisis/29f063d993cb737daf2734e8b040e0bf

První dva jsou nejspíše trojani, 3.tí bez přítomnosti infekce. (jinak tu tvoji poslední větu jsem nepochopil)

Log z hjt:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:46:17, on 2.3.2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ASUS\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\explorer.exe
D:\Hijack\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O11 - Options group: [java_sun] Java (Sun)
O17 - HKLM\System\CCS\Services\Tcpip\..\{99C72B01-DCAC-40CA-ABC3-CD6214DFABA9}: NameServer = 62.129.50.20,62.129.32.100
O23 - Service: Služba inteligentního přenosu na pozadí (BITS) (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\ASUS\Bluetooth Software\bin\btwdins.exe
O23 - Service: Inkjet Printer/Scanner Extended Survey Program (IJPLMSVC) - Unknown owner - C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
O23 - Service: Java Quick Starter (javaquickstarterservice) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service (lavasoft ad-aware service) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe

--
End of file - 3613 bytes




Log z CF:
ComboFix 09-03-02.01 - Jarek 2009-03-02 18:39:24.3 - NTFSx86
Systém Microsoft Windows XP Professional 5.1.2600.3.1250.1.1029.18.1534.1109 [GMT 1:00]
Spuštěný z: c:\documents and settings\Jarek\Plocha\ComboFix.exe
Použité ovládací přepínače :: c:\documents and settings\Jarek\Plocha\CFScript.txt
FW: Norton Internet Worm Protection *disabled*
* Vytvořen nový Bod Obnovení

FILE ::
c:\windows\system32\AAWService_2009_03_02_02_12_21.dmp
c:\windows\system32\AAWService_2009_03_02_02_33_17.dmp
c:\windows\system32\drivers\e8f66f4a.sys
c:\windows\system32\xwfqyyiu.dll
.

((((((((((((((((((((((((((((((((((((((( Ostatní výmazy )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\AAWService_2009_03_02_02_12_21.dmp
c:\windows\system32\AAWService_2009_03_02_02_33_17.dmp
c:\windows\system32\drivers\e8f66f4a.sys
c:\windows\system32\xwfqyyiu.dll

.
((((((((((((((((((((((((((((((((((((((( Ovladače/Služby )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_e8f66f4a


((((((((((((((((((((((((( Soubory vytvořené od 2009-02-02 do 2009-03-02 )))))))))))))))))))))))))))))))
.

2009-03-02 16:53 . 2009-03-02 16:53 410,984 --a------ c:\windows\system32\deploytk.dll
2009-03-02 16:38 . 2009-03-02 16:42 <DIR> d-------- C:\VerTerm
2009-03-02 10:15 . 2009-03-02 10:15 <DIR> d-------- c:\documents and settings\Jarek\Data aplikací\Malwarebytes
2009-03-02 10:05 . 2009-03-02 10:05 <DIR> d-------- C:\rsit
2009-03-02 08:47 . 2009-03-02 08:47 <DIR> d-------- c:\documents and settings\All Users\Data aplikací\Malwarebytes
2009-03-02 08:47 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-02 08:47 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-03-02 02:10 . 2009-03-02 02:00 15,688 --a------ c:\windows\system32\lsdelete.exe
2009-03-02 02:02 . 2009-03-02 02:02 <DIR> d-------- c:\documents and settings\NetworkService\Plocha
2009-03-02 02:00 . 2009-03-02 01:59 64,160 --a------ c:\windows\system32\drivers\Lbd.sys
2009-03-02 01:59 . 2009-03-02 01:59 <DIR> d-------- c:\program files\Lavasoft
2009-03-02 01:59 . 2009-03-02 01:59 <DIR> d-------- c:\documents and settings\All Users\Data aplikací\Lavasoft
2009-03-02 01:59 . 2009-03-02 01:59 <DIR> d--h-c--- c:\documents and settings\All Users\Data aplikací\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-03-01 21:43 . 2009-03-01 21:43 82,432 --a------ C:\vlcj.exe
2009-03-01 21:43 . 2009-03-01 21:43 8,704 --a------ C:\uagxble.exe
2009-03-01 20:26 . 2009-03-01 20:26 <DIR> d-------- c:\documents and settings\Jarek\Data aplikací\Digital Red
2009-03-01 19:24 . 2009-03-01 19:24 131 -ra------ c:\windows\amunres.lsl
2009-03-01 18:35 . 2001-07-01 17:30 112,640 --a------ c:\windows\lsb_un20.exe
2009-02-27 14:53 . 2001-08-23 17:00 1,700,352 --a------ c:\windows\system32\gdiplus.dll
2009-02-27 14:50 . 2009-02-27 14:50 <DIR> d-------- C:\Temp
2009-02-23 14:33 . 2009-02-23 14:33 9 --a------ c:\windows\nfsc_patch.ini
2009-02-22 17:07 . 2009-03-01 21:43 2 --a------ C:\215564481

.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-02 15:53 --------- d-----w c:\program files\Java
2009-03-02 00:52 --------- d-----w c:\documents and settings\Jarek\Data aplikací\Spyware Terminator
2009-03-01 23:51 --------- d-----w c:\program files\WinClamAVShield
2009-03-01 23:40 --------- d-----w c:\program files\Spyware Terminator
2009-03-01 22:40 --------- d-----w c:\documents and settings\All Users\Data aplikací\Spyware Terminator
2009-03-01 19:40 --------- d-----w c:\documents and settings\Jarek\Data aplikací\uTorrent
2009-02-28 17:52 --------- d-----w c:\documents and settings\All Users\Data aplikací\VSO
2009-02-19 14:45 --------- d-----w c:\documents and settings\All Users\Data aplikací\CanonIJPLM
2009-02-19 14:40 --------- d-----w c:\documents and settings\All Users\Data aplikací\CanonIJ
2009-02-07 11:18 --------- d-----w c:\documents and settings\Jarek\Data aplikací\Kingston
2009-02-06 20:58 --------- d--h--w c:\program files\InstallShield Installation Information
2009-01-29 17:40 --------- d-----w c:\documents and settings\Jarek\Data aplikací\GetRightToGo
2009-01-25 13:01 47,360 ----a-w c:\windows\system32\drivers\pcouffin.sys
2009-01-25 13:01 47,360 ----a-w c:\documents and settings\Jarek\Data aplikací\pcouffin.sys
2009-01-25 13:01 --------- d-----w c:\documents and settings\Jarek\Data aplikací\Vso
2009-01-24 21:10 --------- d-----w c:\documents and settings\All Users\Data aplikací\BigFishGamesCache
2009-01-24 19:06 --------- d-----w c:\program files\Canon
2009-01-24 14:58 --------- d-----w c:\documents and settings\Jarek\Data aplikací\Inkscape
2009-01-06 22:13 --------- d--h--w c:\documents and settings\All Users\Data aplikací\CanonIJEGV
2009-01-06 21:56 --------- d--h--w c:\documents and settings\All Users\Data aplikací\CanonIJEPPEX
2009-01-06 21:37 --------- d--h--w c:\documents and settings\All Users\Data aplikací\CanonIJScan
2009-01-06 21:37 --------- d-----w c:\documents and settings\Jarek\Data aplikací\Canon
2009-01-06 21:30 --------- d--h--w c:\documents and settings\All Users\Data aplikací\CanonIJSolutionMenu
2009-01-06 21:30 --------- d--h--w c:\documents and settings\All Users\Data aplikací\CanonIJMyPrinter
2009-01-06 21:22 --------- d-----w c:\program files\Common Files\CANON
2009-01-06 21:19 --------- d--h--w c:\program files\CanonBJ
2009-01-06 21:19 --------- d--h--w c:\documents and settings\All Users\Data aplikací\CanonBJ
2009-01-04 21:11 --------- d-----w c:\documents and settings\All Users\Data aplikací\Microsoft Help
2007-10-20 18:33 3 -c--a-w c:\documents and settings\Jarek\BBCONFIG.DAT
1999-04-23 22:22 12 -csh--w c:\windows\system\WININETICMP32.drv
2008-08-27 09:08 32,768 -csha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008082720080828\index.dat
.

((((((((((((((((((((((((((((( SnapShot@2009-03-02_10.01.41.68 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-09 23:21:01 135,168 ----a-w c:\windows\system32\java.exe
+ 2009-03-02 15:53:29 144,792 ----a-w c:\windows\system32\java.exe
- 2008-06-09 23:21:04 135,168 ----a-w c:\windows\system32\javaw.exe
+ 2009-03-02 15:53:29 144,792 ----a-w c:\windows\system32\javaw.exe
- 2008-06-10 00:32:34 139,264 ----a-w c:\windows\system32\javaws.exe
+ 2009-03-02 15:53:29 148,888 ----a-w c:\windows\system32\javaws.exe
+ 2009-03-02 17:41:53 16,384 ----atw c:\windows\temp\Perflib_Perfdata_6c0.dat
.
(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTSysVol"="c:\program files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2005-10-31 57344]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-16 13529088]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-03-02 509784]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-02 136600]
"P17Helper"="P17.dll" [2005-05-03 c:\windows\system32\P17.DLL]
"nwiz"="nwiz.exe" [2008-05-16 c:\windows\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0OODBS\0\0lsdelete

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\lavasoft ad-aware service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2008-05-16 13:01 13529088 c:\windows\system32\nvcpl.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"d:\\ICQ6\\ICQ.exe"=
"c:\\WINDOWS\\system32\\javaw.exe"=
"d:\\IW FTPort Client\\Cftp32.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office 2007\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office 2007\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office 2007\\Office12\\ONENOTE.EXE"=
"d:\\uTorrent\\utorrent.exe"=

R0 lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-03-02 64160]
R1 sp_rsdrv2;Spyware Terminator Driver 2;c:\windows\system32\drivers\sp_rsdrv2.sys [2008-03-06 141312]
R2 lavasoft ad-aware service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-01-18 950096]
R3 PSched;Plánovač paketů technologie QoS;c:\windows\system32\drivers\psched.sys [2004-08-03 69120]
R3 SQTECH930B;Trust WB-3500T USB2 Webcam;c:\windows\system32\drivers\Capt930b.sys [2007-05-08 273982]
R3 tenCapture;tenCapture;c:\windows\system32\drivers\tenCapture.sys [2007-04-21 9344]
S3 Amps2prt;A4Tech PS/2 Port Mouse Driver;c:\windows\system32\drivers\Amps2prt.sys [2006-01-11 13824]
S3 cem56;Xircom CreditCard 10/100 + Modem 56 Network;c:\windows\system32\drivers\cem56n5.sys [2002-09-12 49182]
S3 SCREAMINGBDRIVER;Screaming Bee Audio;c:\windows\system32\drivers\screamingbdriver.sys [2007-10-27 13824]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{881b7f8a-fce1-11db-ab63-806d6172696f}]
\Shell\AutoRun\command - G:\setup.exe
\Shell\dinstall\command - g:\quake3\directx7\dxsetup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b2003d26-00b1-11dc-ab82-001a92159d7d}]
\Shell\AutoRun\command - H:\level.exe
\Shell\dxsetup\command - directx\dxsetup.exe
\Shell\level\command - H:\level.exe
\Shell\setup\command - H:\setup.exe
.
Obsah adresáře 'Naplánované úlohy'

2008-09-26 c:\windows\Tasks\1-Click Maintenance.job
- d:\tuneup\OneClick.exe []

2009-03-02 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-02 01:59]
.
.
------- Doplňkový sken -------
.
TCP: {99C72B01-DCAC-40CA-ABC3-CD6214DFABA9} = 62.129.50.20,62.129.32.100
FF - ProfilePath - c:\documents and settings\Jarek\Data aplikací\Mozilla\Firefox\Profiles\blyv4sc3.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.webgame.cz
FF - prefs.js: keyword.URL - hxxp://search.icq.com/search/afe_result ... id=afex&q=
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: d:\adobe\Reader\browser\nppdf32.dll
FF - plugin: d:\opera\program\plugins\npdsplay.dll
FF - plugin: d:\opera\program\plugins\npwmsdrm.dll

---- NASTAVENÍ FIREFOXU ----
c:\program files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".cz");
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-02 18:42:08
Windows 5.1.2600 Service Pack 3 NTFS

skenování skrytých procesů ...

skenování skrytých položek 'Po spuštění' ...

skenování skrytých souborů ...

sken byl úspešně dokončen
skryté soubory: 0

**************************************************************************
.
--------------------- ZAMKNUTÉ KLÍČE V REGISTRU ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"cd042efbbd7f7af1647644e76e06692b"=hex:e2,63,26,f1,3f,c8,ff,68,93,21,c0,46,66,
cf,ce,f4,e2,63,26,f1,3f,c8,ff,68,41,78,54,6b,cb,25,73,5e,e2,63,26,f1,3f,c8,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"bca643cdc5c2726b20d2ecedcc62c59b"=hex:71,3b,04,66,8b,46,0d,96,05,c0,14,5f,bb,
e9,85,85,6a,9c,d6,61,af,45,84,18,38,bb,d5,45,c2,68,70,5c,6a,9c,d6,61,af,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2c81e34222e8052573023a60d06dd016"=hex:ff,7c,85,e0,43,d4,0e,fe,93,d0,f4,a2,35,
d8,55,c1,ff,7c,85,e0,43,d4,0e,fe,e7,38,ef,42,95,63,97,c3,ff,7c,85,e0,43,d4,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2582ae41fb52324423be06337561aa48"=hex:6b,65,49,6a,7e,99,74,f7,0e,27,da,90,08,
df,39,24,86,8c,21,01,be,91,eb,e7,ba,33,a5,03,1a,41,48,16,86,8c,21,01,be,91,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"caaeda5fd7a9ed7697d9686d4b818472"=hex:f5,1d,4d,73,a8,13,5c,05,d5,c5,d9,dc,10,
6c,68,4e,f5,1d,4d,73,a8,13,5c,05,1d,83,69,e8,ac,fb,66,38,f5,1d,4d,73,a8,13,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"a4a1bcf2cc2b8bc3716b74b2b4522f5d"=hex:b0,18,ed,a7,3f,8d,37,a4,8c,01,b2,94,d8,
59,c1,9f,df,20,58,62,78,6b,cf,c8,4e,9e,52,48,ec,c0,a7,1c,df,20,58,62,78,6b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"4d370831d2c43cd13623e232fed27b7b"=hex:31,77,e1,ba,b1,f8,68,02,88,84,9e,0e,72,
6b,35,79,fb,a7,78,e6,12,2f,9a,ea,e2,c6,0d,83,3a,45,f8,77,fb,a7,78,e6,12,2f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1d68fe701cdea33e477eb204b76f993d"=hex:01,3a,48,fc,e8,04,4a,f1,e0,4f,7f,d9,52,
24,9e,e5,01,3a,48,fc,e8,04,4a,f1,82,29,83,2f,7d,40,7b,d2,01,3a,48,fc,e8,04,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1fac81b91d8e3c5aa4b0a51804d844a3"=hex:51,fa,6e,91,28,9e,14,cc,ec,35,dc,a7,cc,
0d,b7,a8,f6,0f,4e,58,98,5b,89,c9,25,df,65,00,2e,63,32,b1,f6,0f,4e,58,98,5b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"f5f62a6129303efb32fbe080bb27835b"=hex:b1,cd,45,5a,a8,c4,f8,b9,45,b7,60,43,bc,
2c,e9,04,3d,ce,ea,26,2d,45,aa,78,37,32,9f,41,5c,1f,78,77,3d,ce,ea,26,2d,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"fd4e2e1a3940b94dceb5a6a021f2e3c6"=hex:e3,0e,66,d5,eb,bc,2f,6b,2b,5d,19,ff,f8,
16,84,f1,2a,b7,cc,b5,b9,7f,41,e7,8b,2c,6d,d9,31,77,a6,50,2a,b7,cc,b5,b9,7f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"8a8aec57dd6508a385616fbc86791ec2"=hex:fa,ea,66,7f,d4,3b,6b,70,df,03,eb,cc,95,
a7,76,5e,6c,43,2d,1e,aa,22,2f,9c,92,e1,1e,0f,d6,06,73,36,6c,43,2d,1e,aa,22,\

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\System*]
"OODEFRAG10.00.00.01WORKSTATION"="8E3CEB13AAE5EBB94E6D45886407C58A912EEDA33CB12204129CB291055F41DA553DBBAF0FDF76DD251CAB4386C0E431D37F863F1E4995A2CBAAE81A8B84D4837AAF903458DDDF1901D3B7CF77C8ED1E3A00B89637FAF5480EC40A30FA3BD67096E908684937C6BC16150A6727EE905F38F9C97445312765A71CA2D1FBA5041377A5921D196559D84E41184A792791497217D52A7878A2AD9D47917DAC0928A21B01F420F008D9C44622AC3AC4884972C5E9CB8AF500759A26BE0A3A1F51A694B97F47C972FEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CA6A0AC4980AC7933A2D97226D213B555FEBC9E127BECC74CFEBC9E127BECC74CA63064E68CA63C83B9C10080BD45BEEC782C9199E3F8BFFBFC6C2D32B867C719EDF661F5C45FB7C28010901EAE6129D61D04E02C207A65B0839D3A6836E66F938684573A841196E959505F48AA5621D0640198F4709FFB74363B26997ECC8BBA7ADDD5211E6875C2045C7D6A8AB314B168746BFCD700E2CA2BA9648CDED20BDF769BB15045E3F48CE72340A50F5F754468BF4E81BD847CAB19612A3C070AE2C64BEB811F1558BA788DA5404C58913A48475C7AF3ED6A2F03DAEC73D50CD20AAB6D102397096C6D2CA4FA5BE9EED7DA6E0BD371FA97C4E5B1726E003D65E5FBB7F5DBB6FA841EBBC2FD4D3239BA11D661DF47F16FCD788F8B031A538970CBB98E22B91FBB4CBB54498F5B2AAB0DF42E3993E7845F08BF9D57543733836DE545C352A605028868ED4273776D659689678699FDF18AA2A807D252A2ABAA016527E00DB4D529C89C3FA26786673E6D2D0DCB09E34869DC1347AC8C4D8BB0B2D06AE37887BE40FC2406D64D05C9C40D10AA7F1D0B5AA258385D0A37B966FDEE059F3C635AB70CFA1E82BAAA7F0B3752B6D20E3374BE959E9E4A012A02132B872ED8D0BEF87682FB80F9222A98E10B827B9B555038CED29925169F61D1AC87AE4FAFF71E45F6CF1D90B4501A85CD6841881FA81982A89F1A7DCA66FD681316FE41BE803CB47A5360EA7F03EA930FAC99E079CFDA91AE7651AE7747411C688CF32EA5ACF3CF05212B00AAE4331EA9E77AD8CD84023807055990AE2B94531455EC13082E4835DD8047930B99AD19E8DDB5984176A3DF9BAC2CD186ED050B4190B0448D31DC94916CE0BC7937B60AD809039CFC49F5019B81A9F49AE0C0D35F8D6568E2D0FAB3F19589E6D1C6518B4A94FAB7AE13532D78CE94CE88469BD121D619F9371F8EEC90DE38527548A24CD2619C0C88DEBA866791940AF2D68EBC7E24BA473C212AACC6DE4413C9AAF50D4B03CB14C0AB4FC3647BB4A202BD3561B2E49FF3ACCE8173B063EC1136D7B7A5D143CC1B8F6DD732AB7165EB5F1D4E203BBB00F74295ED582EE9D107A626FA7FC5"
.
------------------------ Jiné spuštené procesy ------------------------
.
c:\program files\ASUS\Bluetooth Software\bin\btwdins.exe
c:\program files\Canon\IJPLM\ijplmsvc.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\msiexec.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Spyware Terminator\sp_rsser.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\wbem\wmiapsrv.exe
.
**************************************************************************
.
Celkový čas: 2009-03-02 18:43:51 - počítač byl restartován
ComboFix-quarantined-files.txt 2009-03-02 17:43:49
ComboFix2.txt 2009-03-02 15:41:58
ComboFix3.txt 2009-03-02 09:02:18

Před spuštěním: 1 408 393 216
Po spuštění: 1,441,443,840

Current=3 Default=3 Failed=1 LastKnownGood=4 Sets=1,2,3,4
259 --- E O F --- 2008-09-15 14:28:08

[jaro3]

Někdy má soubor nebo složka větší kapacitu a VT ho neveme..
Ten první soubor , cos dával na VT: kwfu.exe to máš v compu? Kde? Nikde ho v logu nevidím.Psal jsem C:\vlcj.exe
Ten tam ještě dej.

[cranberiss]

http://www.virustotal.com/cs/analisis/959aaeb9696b7f19d31813b27b17ce64

Tady je ten poslední, hele nechápu to, ten soubor nemůžu najít, zkoušel jsem, jestli není skrytý, ale není, hledal jsem ho i přes vyhledávač, ale není tu, nemohu si to vysvětlit možná, že se spouští s nějakou instancí, nechápu to. Přitom jsem to tam dával ani ne před 10 minutama, hmm...