Hi,
I need advice on how to clean up my friend's computer (it's quite old, and she actually only has it on loan). Avast removed some things, Malwarebytes managed to remove some too, but a scan with MWAV found infected files again.
Many thanks for the advice!
Honza
Object "Parentis Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "Parentis Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "Parentis Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "Parentis Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "Silver Codec Trojan" found in File System! Action Taken: No Action Taken.
Object "video activex access Trojan" found in File System! Action Taken: No Action Taken.
Object "Popup XP Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "Parentis Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "Parentis Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "Parentis Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "Parentis Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "Parentis Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "Parentis Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "Parentis Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "W32.Myzor.fk@yf.1 Trojan" found in File System! Action Taken: No Action Taken.
Object "srchasst Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "WeatherBug Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "WeatherBug Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "WeatherBug Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "Cydoor Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "Cydoor Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "CyberSitter Spyware/Adware" found in File System! Action Taken: No Action Taken.
Entry "HKCR\ezPMUtils.GameController" refers to invalid object "{CA1073A2-5F3F-4445-8E5E-7109BDCEDDBE}". Action Taken: No Action Taken.
Entry "HKCR\ImageReady.Application.1" refers to invalid object "{52F2F130-2BC5-11D2-8FB7-000000000000}". Action Taken: No Action Taken.
Entry "HKCR\spmServices.NamedStrings" refers to invalid object "{D5A55D2D-C59D-42C3-A5BF-4C08EEE74339}". Action Taken: No Action Taken.
Entry "HKCR\spmServices.PluginWindow" refers to invalid object "{BB6410D8-F879-4184-9C5C-6A02D16AE0B3}". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "C:\WINDOWS\Downloaded Program Files\Housecall_ActiveX.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "C:\WINDOWS\Downloaded Program Files\MsnMessengerSetupDownloader.ocx". Action Taken: No Action Taken.
Entry "HKCU\Software\Netscape\Netscape Navigator\User Trusted External Applications" refers to invalid object "C:\Program Files\Adobe\Acrobat 6.0\Reader\AcroRd32.exe". Action Taken: No Action Taken.
Entry "HKCU\Software\Netscape\Netscape Navigator\User Trusted External Applications" refers to invalid object ""C:\Program Files\Java\jre1.5.0_04\bin\javaws.exe"". Action Taken: No Action Taken.
Infected PC - MWAV log [Solved]
- jaro3
- member of the Security team
- Guru Level 15
- Posts: 43293
- Registered: June 07
- Location: South Bohemia
Re: Infected PC - MWAV log
These are all remnants of cleaned infections or invalid objects. Post a HJT log here, and describe whether you are having any problems.
When working with HJT, ComboFix, MbAM, SDFix etc., close all other applications and browsers!
Do not send logs in private messages. During my absence, memphisto, Žbeky and Orcus stand in for me.
If you are satisfied, you can support our forum: Forum support
Re: Infected PC - MWAV log
After I finally managed to remove some trojan with Avast yesterday, I was able to remove other junk too (before that, access to applications and to the internet was blocked), so the computer more or less works, but it is quite slow, and somehow everything takes up a lot of disk space even though it shouldn't. It isn't my computer, though, so I can't say how much slower it has become. Thanks for the help...
Here is the log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:11:53 AM, on 3/3/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Sony\VAIO Power Management\SPMgr.exe
C:\Program Files\Sony\HotKey Utility\HKserv.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Winamp\winampa.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Sony\HotKey Utility\HKWnd.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\DOCUME~1\ALGISS~1\LOCALS~1\Temp\mexe.com
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Alwil Software\Avast4\ashSimpl.exe
C:\Program Files\Microsoft Office\Office12\WINWORD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.sony.com/vaiopeople
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O1 - Hosts: 195.245.119.131 browser-security.microsoft.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - (no file)
O3 - Toolbar: (no name) - {96ebbe6a-2864-4345-b32b-26ee9be524b5} - (no file)
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SonyPowerCfg] C:\Program Files\Sony\VAIO Power Management\SPMgr.exe
O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [rundll32.exe] rundll32.exe "C:\Documents and Settings\LocalService\Application Data\Macromedia\Common\6fb2c01a1.dll"" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [rundll32.exe] rundll32.exe "C:\Documents and Settings\NetworkService\Application Data\Macromedia\Common\6fb2c01a1.dll"" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.0\resources\en-US\local\search.html
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - http://housecall65.trendmicro.com/house ... hcImpl.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {37DF41B2-61DB-4CAC-A755-CFB3C7EE7F40} - http://esupport.aol.com/help/acp2/engin ... core_1.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} - http://messenger.msn.com/download/MsnMe ... loader.cab
O16 - DPF: {BD8667B7-38D8-4C77-B580-18C3E146372C} (Creative Toolbox Plug-in) - http://bmm.imgag.com/imgag/cp/install/crusher-us.cab
O21 - SSODL: amaranthaceous - {4fc003c3-87a0-489c-85cd-878246eb2d18} - (no file)
O22 - SharedTaskScheduler: amaranthaceous - {4fc003c3-87a0-489c-85cd-878246eb2d18} - (no file)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
--
End of file - 9081 bytes
- jaro3
Re: Infected PC - MWAV log
Close all other applications and browsers, disconnect from the internet and fix the following in HJT:
Code:
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O1 - Hosts: 195.245.119.131 browser-security.microsoft.com
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - (no file)
O3 - Toolbar: (no name) - {96ebbe6a-2864-4345-b32b-26ee9be524b5} - (no file)
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe (file missing)
O21 - SSODL: amaranthaceous - {4fc003c3-87a0-489c-85cd-878246eb2d18} - (no file)
O22 - SharedTaskScheduler: amaranthaceous - {4fc003c3-87a0-489c-85cd-878246eb2d18} - (no file)
****************************************************************************************************************************************
Disable Avast's resident protection.
Download ComboFix (by sUBs)
and save it to your desktop.
Close all active windows and run it.
- After it starts, the terms of use are displayed; confirm them by pressing the Yes button
- Then follow the instructions; while ComboFix is running, do not click in the window that appears
- After the scan completes, the program should create a log - C:\ComboFix.txt - please copy its entire contents here
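The fix list above picks out three kinds of HijackThis entries: registrations whose target file no longer exists, a hosts-file redirection of a Microsoft host name, and shell load points (O21/O22) with no file behind them. As an added example (not code from the forum, from jaro3 or from HijackThis), the triage helper below parses HJT "R"/"O" lines and flags those same categories, plus O4 run keys that launch a DLL from a profile directory through rundll32 (the 6fb2c01a1.dll entries ComboFix later removed). The sample lines are copied from the log posted above; the rule set and severity wording are this example's own.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O1 - Hosts: 195.245.119.131 browser-security.microsoft.com
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKUS\S-1-5-19\..\Run: [rundll32.exe] rundll32.exe "C:\Documents and Settings\LocalService\Application Data\Macromedia\Common\6fb2c01a1.dll"" (User 'LOCAL SERVICE')
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe (file missing)
O21 - SSODL: amaranthaceous - {4fc003c3-87a0-489c-85cd-878246eb2d18} - (no file)
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

LINE_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
HOSTS_RE = re.compile(r"^Hosts:\s+(?P<ip>\S+)\s+(?P<host>\S+)")
# O4 body: "<hive>\..\Run: [<name>] <command>"
O4_RE = re.compile(r"^(?P<hive>.+?)\\\.\.\\Run\w*:\s+\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
USER_RE = re.compile(r"\(User '(?P<user>[^']*)'\)")
# Directories where legitimate autostart DLLs are rarely kept.
PROFILE_DIR_RE = re.compile(r"\\(Application Data|Local Settings|Temp|Documents and Settings)\\", re.I)
# Loopback / null-route targets are how ad-blocking hosts files work; anything else is a redirect.
BLOCKING_IPS = {"127.0.0.1", "0.0.0.0", "::1"}


@dataclass
class Finding:
    section: str
    line: str
    reasons: List[str] = field(default_factory=list)


def classify_hosts(body: str) -> str:
    """Return 'blocking' for loopback/null-route hosts entries, 'redirect' otherwise."""
    m = HOSTS_RE.match(body)
    if not m:
        return "unparsed"
    return "blocking" if m.group("ip") in BLOCKING_IPS else "redirect"


def triage_line(line: str) -> Optional[Finding]:
    """Apply the review rules to one HJT line; None means nothing to review."""
    m = LINE_RE.match(line)
    if not m:
        return None
    sec, body = m.group("sec"), m.group("body")
    reasons: List[str] = []

    # Rule 1: registration whose target is gone (the "invalid objects" in the thread).
    if body.endswith("(no file)") or "(file missing)" in body:
        reasons.append("target missing: orphaned registration, remnant of a removed component")

    # Rule 2: hosts-file entries. A redirect of a vendor host name deserves attention;
    # a loopback entry is usually deliberate blocking.
    if sec == "O1":
        hm = HOSTS_RE.match(body)
        kind = classify_hosts(body)
        if hm and kind == "redirect":
            reasons.append(f"hosts file redirects {hm.group('host')} to {hm.group('ip')}")
        elif hm and kind == "blocking":
            reasons.append(f"hosts file blocks {hm.group('host')} (common for ad-blockers, verify)")

    # Rule 3: run key that uses rundll32 to load a DLL out of a profile directory.
    if sec == "O4":
        om = O4_RE.match(body)
        if om and om.group("cmd").lower().startswith("rundll32") and PROFILE_DIR_RE.search(om.group("cmd")):
            um = USER_RE.search(body)
            who = um.group("user") if um else "current user"
            reasons.append(f"rundll32 loads a DLL from a profile directory (autostart for {who})")

    # Rule 4: shell load points that legitimate software almost never uses.
    if sec in ("O21", "O22"):
        reasons.append("shell load point (SSODL/SharedTaskScheduler); verify the CLSID")

    return Finding(sec, line, reasons) if reasons else None


def triage(text: str) -> List[Finding]:
    """Run triage_line over a whole log, skipping blank lines; one Finding per flagged line."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if line:
            f = triage_line(line)
            if f:
                findings.append(f)
    return findings


def report(text: str) -> str:
    """Human-readable summary of the findings for a log."""
    out = []
    for f in triage(text):
        out.append(f.line)
        out.extend(f"    -> {r}" for r in f.reasons)
    return "\n".join(out)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```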
Re: Infected PC - MWAV log
Avast's resident protection is disabled, but I can't find what VirusRescue 3 runs under, and therefore how to disable it.
I don't know how to...
- jaro3
Re: Infected PC - MWAV log
Run ComboFix in safe mode; the protections don't run there. Safe mode: hold F8 after the restart and select safe mode.
In the Start - Run window, type combofix.exe.
Re: Infected PC - MWAV log
So here is the log. Thanks for your time!
ComboFix 09-03-02.03 - Algis Sirvaitis 2009-03-03 12:43:30.1 - NTFSx86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.959.767 [GMT -5:00]
Running from: c:\documents and settings\Algis Sirvaitis\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1335 [VPS 090303-0] *On-access scanning enabled* (Updated)
AV: VirusRescue 3.0 *On-access scanning enabled* (Outdated)
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\regedit.com
c:\windows\setup.exe
c:\windows\system32\config\systemprofile\Application Data\Macromedia\Common
c:\windows\system32\config\systemprofile\Application Data\Macromedia\Common\6fb2c01a1.dll
c:\windows\system32\taskmgr.com
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_UACD.SYS
-------\Service_UACd.sys
((((((((((((((((((((((((( Files Created from 2009-02-03 to 2009-03-03 )))))))))))))))))))))))))))))))
.
2009-03-03 10:11 . 2009-03-03 10:11 <DIR> d-------- c:\program files\Trend Micro
2009-03-03 00:23 . 2009-03-03 00:23 0 --a------ C:\23990098.$$$
2009-03-02 19:35 . 2009-03-02 19:35 <DIR> d-------- c:\documents and settings\All Users\Application Data\MicroWorld
2009-03-02 19:35 . 2009-03-02 19:35 626,688 --a------ c:\windows\system32\msvcr80.dll
2009-03-02 19:35 . 2009-03-02 19:35 548,864 --a------ c:\windows\system32\msvcp80.dll
2009-03-02 19:35 . 2004-08-04 07:00 146,432 --a------ c:\windows\R.COM
2009-03-02 19:35 . 2004-08-04 07:00 135,680 --a------ c:\windows\system32\T.COM
2009-03-02 19:35 . 2009-03-02 19:35 28,672 --a------ c:\windows\system32\eEmpty.exe
2009-03-02 19:35 . 2005-09-22 23:22 522 --a------ c:\windows\system32\Microsoft.VC80.CRT.manifest
2009-03-02 19:35 . 2009-03-03 12:06 54 --a------ c:\windows\Lic.xxx
2009-03-02 18:56 . 2009-03-02 18:56 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-03-02 18:56 . 2009-03-02 18:56 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-03-02 18:56 . 2009-03-02 18:56 <DIR> d-------- c:\documents and settings\Algis Sirvaitis\Application Data\Malwarebytes
2009-03-02 18:56 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-02 18:56 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-03-02 17:02 . 2009-03-02 17:02 24,196 --a------ c:\windows\system32\AAWService_2009_03_02_17_02_39.dmp
2009-03-02 15:03 . 2009-03-02 15:03 24,196 --a------ c:\windows\system32\AAWService_2009_03_02_15_03_49.dmp
2009-03-02 13:32 . 2009-03-03 11:39 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-03-02 12:58 . 2009-03-02 12:58 24,196 --a------ c:\windows\system32\AAWService_2009_03_02_12_58_15.dmp
2009-03-02 12:32 . 2009-03-03 11:39 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2009-03-01 23:20 . 2009-03-01 23:20 0 --a------ c:\windows\system32\AAWService_2009_03_01_23_20_32.dmp
2009-03-01 22:43 . 2009-03-02 17:02 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2009-03-01 20:20 . 2009-03-01 20:20 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avg7
2009-03-01 20:20 . 2009-03-01 20:20 262,144 --a------ c:\documents and settings\AIRERI~2
2009-03-01 20:20 . 2009-03-01 20:20 262,144 --a------ c:\documents and settings\AIRERI~1
2009-03-01 18:51 . 2009-03-01 18:51 <DIR> d-------- c:\program files\Alwil Software
2009-03-01 18:51 . 2003-03-18 17:20 1,060,864 --a------ c:\windows\system32\MFC71.dll
2009-03-01 18:50 . 2009-03-01 18:50 17,140,360 --a------ c:\program files\setupengpro.exe
2009-02-14 18:40 . 2009-02-14 18:40 <DIR> d-------- c:\windows\Sun
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-02 18:25 --------- d-----w c:\documents and settings\All Users\Application Data\Skype
2009-03-02 18:20 --------- d-----w c:\program files\DivX
2009-03-02 18:19 --------- d-----w c:\program files\Miranda IM
2009-03-02 18:19 --------- d-----w c:\program files\Common Files\Adobe
2009-03-02 02:52 --------- d-----w c:\program files\SearchAssistant
2009-03-01 17:06 --------- d-----w c:\documents and settings\Algis Sirvaitis\Application Data\Skype
2009-03-01 15:46 --------- d-----w c:\documents and settings\Algis Sirvaitis\Application Data\skypePM
2009-01-25 00:39 --------- d-----w c:\documents and settings\Algis Sirvaitis\Application Data\InterVideo
2009-01-21 22:45 --------- d-----w c:\program files\CCleaner
2007-01-03 06:25 214,616 ----a-w c:\program files\mozilla firefox\components\FFHook.dll
2009-01-29 19:21 67,688 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2009-01-29 19:21 54,368 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2009-01-29 19:21 34,944 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2009-01-29 19:21 46,712 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2009-01-29 19:21 172,136 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2003-11-07 114688]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-07-10 339968]
"SonyPowerCfg"="c:\program files\Sony\VAIO Power Management\SPMgr.exe" [2004-06-29 180224]
"HKSERV.EXE"="c:\program files\Sony\HotKey Utility\HKserv.exe" [2004-06-29 122880]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\point32.exe" [2004-06-03 204800]
"IPHSend"="c:\program files\Common Files\AOL\IPHSend\IPHSend.exe" [2006-02-17 124520]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2005-03-15 180269]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2008-08-03 36352]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-08-24 437160]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.dvsd"= c:\progra~1\COMMON~1\SONYSH~1\VideoLib\sonydv.dll
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
backup=c:\windows\pss\America Online 9.0 Tray Icon.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk
backup=c:\windows\pss\HP Photosmart Premier Fast Start.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CreateCD_Reminder]
--a------ 2004-07-16 14:17 53248 c:\windows\SONYSYS\VAIO Recovery\Reminder.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
--a------ 2006-09-25 19:52 50736 c:\program files\Common Files\AOL\1124472800\ee\aolsoftware.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VAIO Recovery]
--a------ 2003-04-20 00:08 28672 c:\windows\SONYSYS\VAIO Recovery\PartSeal.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VAIO Update 2]
--a------ 2004-01-17 05:36 135168 c:\program files\Sony\VAIO Update 2\VAIOUpdt.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VAIOSurvey]
--a------ 2004-07-30 14:51 331776 c:\program files\Sony\VAIO Survey\SurveySA.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WANMiniportService"=2 (0x2)
"VAIOMediaPlatform-VideoServer-UPnP"=3 (0x3)
"VAIOMediaPlatform-VideoServer-HTTP"=3 (0x3)
"VAIOMediaPlatform-VideoServer-AppServer"=3 (0x3)
"VAIOMediaPlatform-Mobile-Gateway"=3 (0x3)
"VAIOMediaPlatform-IntegratedServer-UPnP"=3 (0x3)
"VAIOMediaPlatform-IntegratedServer-HTTP"=3 (0x3)
"VAIOMediaPlatform-IntegratedServer-AppServer"=3 (0x3)
"VAIO Entertainment UPnP Client Adapter"=3 (0x3)
"VAIO Entertainment TV Device Arbitration Service"=3 (0x3)
"VAIO Entertainment File Import Service"=2 (0x2)
"VAIO Entertainment Aggregation and Control Service"=3 (0x3)
"ose"=3 (0x3)
"odserv"=3 (0x3)
"iPod Service"=3 (0x3)
"HP Status Server"=3 (0x3)
"HP Port Resolver"=3 (0x3)
"Avg7UpdSvc"=2 (0x2)
"Avg7Alrt"=2 (0x2)
"AOL ACS"=2 (0x2)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\acsd.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\1124472800\\ee\\AOLServiceHost.exe"=
"c:\\Program Files\\Common Files\\AOL\\1124472800\\ee\\aolsoftware.exe"=
"c:\\Program Files\\Common Files\\AOL\\1124472800\\ee\\aim6.exe"=
"c:\\Program Files\\Java\\jre1.5.0_09\\bin\\javaw.exe"=
"c:\\Program Files\\Java\\jre1.6.0_02\\bin\\javaw.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Alwil Software\\Avast4\\ashAvast.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"10049:TCP"= 10049:TCP:BitComet 10049 TCP
"10049:UDP"= 10049:UDP:BitComet 10049 UDP
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-03-01 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-03-01 20560]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-10-21 24652]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
S3 macrofir;MacroFire Camera;c:\windows\system32\drivers\MacroFIR.sys [2005-07-06 38368]
S3 microfir;MicroFire Camera;c:\windows\system32\drivers\MICROFIR.SYS [2005-07-06 37728]
S3 pcand5bk;PCAND5BK PCANDIS5 Protocol Driver;\??\c:\windows\system32\pcand5bk.SYS --> c:\windows\system32\pcand5bk.SYS [?]
S3 sonydcam;Generic 1394 Desktop Camera;c:\windows\system32\drivers\sonydcam.sys [2004-08-03 25472]
S4 VAIO Entertainment File Import Service;VAIO Entertainment File Import Service;c:\program files\Common Files\Sony Shared\VAIO Entertainment\VzCdb\VzFw.exe [2004-08-18 118877]
S4 VAIO Entertainment UPnP Client Adapter;VAIO Entertainment UPnP Client Adapter;c:\program files\Common Files\Sony Shared\VAIO Entertainment\VCSW\VCSW.exe -RunBySCM --> c:\program files\Common Files\Sony Shared\VAIO Entertainment\VCSW\VCSW.exe -RunBySCM [?]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2a3ef6b0-7917-11dd-81da-00038a000015}]
\Shell\AutoRun\command - f:\wd_windows_tools\setup.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b3b61680-a507-11dd-81fd-00038a000015}]
\Shell\AutoRun\command - WDSetup.exe
.
Contents of the 'Scheduled Tasks' folder
2009-03-03 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe []
2009-03-03 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 18:20]
.
- - - - ORPHANS REMOVED - - - -
MSConfigStartUp-swg - c:\program files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
MSConfigStartUp-Mouse Suite 98 Daemon - ICO.EXE
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://www.sony.com/vaiopeople
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.0\resources\en-US\local\search.html
IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html
IE: Backward &Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cac&hed Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Si&milar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Algis Sirvaitis\Application Data\Mozilla\Firefox\Profiles\8v9gh1w4.default\
FF - prefs.js: browser.startup.homepage - google.com
FF - component: c:\progra~1\MOZILL~1\extensions\talkback@mozilla.org\components\qfaservices.dll
FF - component: c:\program files\Mozilla Firefox\components\FFHook.dll
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-03 12:47:49
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\macrofir]
"ImagePath"=hex:53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,52,\
--
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\microfir]
"ImagePath"=hex:53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,52,\
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\macrofir]
"ImagePath"=hex:53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,52,\
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\microfir]
"ImagePath"=hex:53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,52,\
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-1611189662-842349286-2651635134-1007\Software\PictureFrame\P*i*c*t*u*r*e*F*r*a*m*e*"!\General-Bar0]
"BarID"=dword:00000067
"XPos"=dword:00000293
"YPos"=dword:fffffffe
"Docking"=dword:00000001
"MRUDockID"=dword:00000000
"MRUDockLeftPos"=dword:00000293
"MRUDockTopPos"=dword:fffffffe
"MRUDockRightPos"=dword:000005e6
"MRUDockBottomPos"=dword:0000001b
"MRUFloatStyle"=dword:00002004
"MRUFloatXPos"=dword:80000000
"MRUFloatYPos"=dword:00000000
[HKEY_USERS\S-1-5-21-1611189662-842349286-2651635134-1007\Software\PictureFrame\P*i*c*t*u*r*e*F*r*a*m*e*"!\General-Bar1]
"BarID"=dword:00000001
"XPos"=dword:fffffffe
"YPos"=dword:fffffffe
"Docking"=dword:00000001
"MRUDockID"=dword:00000000
"MRUDockLeftPos"=dword:fffffffe
"MRUDockTopPos"=dword:fffffffe
"MRUDockRightPos"=dword:00000295
"MRUDockBottomPos"=dword:0000001b
"MRUFloatStyle"=dword:00002004
"MRUFloatXPos"=dword:80000000
"MRUFloatYPos"=dword:00000000
[HKEY_USERS\S-1-5-21-1611189662-842349286-2651635134-1007\Software\PictureFrame\P*i*c*t*u*r*e*F*r*a*m*e*"!\General-Bar2]
"BarID"=dword:00000002
"XPos"=dword:fffffffe
"YPos"=dword:fffffffe
"Docking"=dword:00000001
"MRUDockID"=dword:00000000
"MRUDockLeftPos"=dword:fffffffe
"MRUDockTopPos"=dword:fffffffe
"MRUDockRightPos"=dword:00000024
"MRUDockBottomPos"=dword:000000d1
"MRUFloatStyle"=dword:00000004
"MRUFloatXPos"=dword:80000000
"MRUFloatYPos"=dword:00000000
[HKEY_USERS\S-1-5-21-1611189662-842349286-2651635134-1007\Software\PictureFrame\P*i*c*t*u*r*e*F*r*a*m*e*"!\General-Bar3]
"BarID"=dword:000000a5
"XPos"=dword:fffffffe
"YPos"=dword:00000005
"Docking"=dword:00000001
"MRUDockID"=dword:0000e81c
"MRUDockLeftPos"=dword:fffffffe
"MRUDockTopPos"=dword:00000005
"MRUDockRightPos"=dword:00000099
"MRUDockBottomPos"=dword:0000028a
"MRUFloatStyle"=dword:00001000
"MRUFloatXPos"=dword:00000000
"MRUFloatYPos"=dword:0000004c
[HKEY_USERS\S-1-5-21-1611189662-842349286-2651635134-1007\Software\PictureFrame\P*i*c*t*u*r*e*F*r*a*m*e*"!\General-Bar4]
"BarID"=dword:0000e81b
"Bars"=dword:00000004
"Bar#0"=dword:00000000
"Bar#1"=dword:00000001
"Bar#2"=dword:00000067
"Bar#3"=dword:00000000
[HKEY_USERS\S-1-5-21-1611189662-842349286-2651635134-1007\Software\PictureFrame\P*i*c*t*u*r*e*F*r*a*m*e*"!\General-Bar5]
"BarID"=dword:0000e81c
"Bars"=dword:00000003
"Bar#0"=dword:00000000
"Bar#1"=dword:000000a5
"Bar#2"=dword:00000000
[HKEY_USERS\S-1-5-21-1611189662-842349286-2651635134-1007\Software\PictureFrame\P*i*c*t*u*r*e*F*r*a*m*e*"!\General-Bar6]
"BarID"=dword:0000e81d
"Bars"=dword:00000003
"Bar#0"=dword:00000000
"Bar#1"=dword:00000002
"Bar#2"=dword:00000000
[HKEY_USERS\S-1-5-21-1611189662-842349286-2651635134-1007\Software\PictureFrame\P*i*c*t*u*r*e*F*r*a*m*e*"!\General-Bar7]
"BarID"=dword:0000e801
[HKEY_USERS\S-1-5-21-1611189662-842349286-2651635134-1007\Software\PictureFrame\P*i*c*t*u*r*e*F*r*a*m*e*"!\General-Bar8]
"BarID"=dword:0000e81f
"Horz"=dword:00000000
"Floating"=dword:00000001
"XPos"=dword:00000002
"YPos"=dword:0000005f
"Bars"=dword:00000003
"Bar#0"=dword:00000000
"Bar#1"=dword:000000a5
"Bar#2"=dword:00000000
[HKEY_USERS\S-1-5-21-1611189662-842349286-2651635134-1007\Software\PictureFrame\P*i*c*t*u*r*e*F*r*a*m*e*"!\General-Summary]
"Bars"=dword:00000008
"ScreenCX"=dword:00000500
"ScreenCY"=dword:00000320
[HKEY_USERS\S-1-5-21-1611189662-842349286-2651635134-1007\Software\PictureFrame\P*i*c*t*u*r*e*F*r*a*m*e*"!\Recent File List]
"File1"="c:\\IMAGES from MICROSCOPE\\ACADIA_NP_diatoms\\Peronia\\Peronia_12_073A_1600x.tif"
"File2"="c:\\IMAGES from MICROSCOPE\\ACADIA_NP_diatoms\\Eunotia\\Eunotia_254_073A_1600x.tif"
"File3"="c:\\IMAGES from MICROSCOPE\\ACADIA_NP_diatoms\\Navicula\\Navicula_22_073A_1600x.tif"
"File4"="c:\\IMAGES from MICROSCOPE\\ACADIA_NP_diatoms\\Nitzschia\\Nitzschia_33_073A_1600x.tif"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(624)
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Sony\HotKey Utility\HKWnd.exe
c:\windows\system32\HPZipm12.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\windows\system32\wscntfy.exe
c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
.
**************************************************************************
.
Completion time: 2009-03-03 12:51:12 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-03 17:51:09
Pre-Run: 20,766,842,880 bytes free
Post-Run: 19,747,860,480 bytes free
340 --- E O F --- 2008-10-28 00:53:20
c:\windows\system32\wscntfy.exe
c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
.
**************************************************************************
.
Completion time: 2009-03-03 12:51:12 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-03 17:51:09
Pre-Run: 20,766,842,880 bytes free
Post-Run: 19,747,860,480 bytes free
340 --- E O F --- 2008-10-28 00:53:20
- jaro3
- member of the Security team
- Guru Level 15
- Posts: 43293
- Registered: June 07
- Location: South Bohemia
Re: Infected PC - log from MWAV
Open Notepad (Start -> Run..., type Notepad into the box and click OK).
Copy the following entire text marked in green into it:
Note: Do not use the SELECT ALL function to select the script
Code:
File::
c:\windows\system32\AAWService_2009_03_02_17_02_39.dmp
c:\windows\system32\AAWService_2009_03_02_15_03_49.dmp
c:\windows\system32\AAWService_2009_03_02_12_58_15.dmp
c:\windows\system32\AAWService_2009_03_01_23_20_32.dmp
Choose File -> Save As... and set these parameters:
File name: type: CFScript.txt
Save as type: select All Files
Save the file to the desktop.
Close all active windows.
Grab the created CFScript.txt script with the mouse, drag it over the downloaded ComboFix.exe program, and when the two files overlap, drop the script.
- ComboFix will start automatically
- Paste here the log that appears at the end of the cleaning process + a new HJT log
When working with HJT, ComboFix, MbAM, SDFix and similar programs, close all other applications and browsers!
Do not send logs via private messages. During my absence, memphisto, Žbeky and Orcus stand in for me.
If you are satisfied, you can support our forum: Forum support
Re: Infected PC - log from MWAV
Here are the new logs:
ComboFix:
ComboFix 09-03-02.03 - Algis Sirvaitis 2009-03-03 14:09:44.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.959.644 [GMT -5:00]
Running from: c:\documents and settings\Algis Sirvaitis\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Algis Sirvaitis\Desktop\CFScript.txt
AV: avast! antivirus 4.8.1335 [VPS 090303-0] *On-access scanning disabled* (Updated)
AV: VirusRescue 3.0 *On-access scanning enabled* (Outdated)
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
FILE ::
c:\windows\system32\AAWService_2009_03_01_23_20_32.dmp
c:\windows\system32\AAWService_2009_03_02_12_58_15.dmp
c:\windows\system32\AAWService_2009_03_02_15_03_49.dmp
c:\windows\system32\AAWService_2009_03_02_17_02_39.dmp
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\AAWService_2009_03_01_23_20_32.dmp
c:\windows\system32\AAWService_2009_03_02_12_58_15.dmp
c:\windows\system32\AAWService_2009_03_02_15_03_49.dmp
c:\windows\system32\AAWService_2009_03_02_17_02_39.dmp
.
((((((((((((((((((((((((( Files Created from 2009-02-03 to 2009-03-03 )))))))))))))))))))))))))))))))
.
2009-03-03 10:11 . 2009-03-03 10:11 <DIR> d-------- c:\program files\Trend Micro
2009-03-03 00:23 . 2009-03-03 00:23 0 --a------ C:\23990098.$$$
2009-03-02 19:35 . 2009-03-02 19:35 <DIR> d-------- c:\documents and settings\All Users\Application Data\MicroWorld
2009-03-02 19:35 . 2009-03-02 19:35 626,688 --a------ c:\windows\system32\msvcr80.dll
2009-03-02 19:35 . 2009-03-02 19:35 548,864 --a------ c:\windows\system32\msvcp80.dll
2009-03-02 19:35 . 2004-08-04 07:00 146,432 --a------ c:\windows\R.COM
2009-03-02 19:35 . 2004-08-04 07:00 135,680 --a------ c:\windows\system32\T.COM
2009-03-02 19:35 . 2009-03-02 19:35 28,672 --a------ c:\windows\system32\eEmpty.exe
2009-03-02 19:35 . 2005-09-22 23:22 522 --a------ c:\windows\system32\Microsoft.VC80.CRT.manifest
2009-03-02 19:35 . 2009-03-03 12:06 54 --a------ c:\windows\Lic.xxx
2009-03-02 18:56 . 2009-03-02 18:56 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-03-02 18:56 . 2009-03-02 18:56 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-03-02 18:56 . 2009-03-02 18:56 <DIR> d-------- c:\documents and settings\Algis Sirvaitis\Application Data\Malwarebytes
2009-03-02 18:56 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-02 18:56 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-03-02 13:32 . 2009-03-03 11:39 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-03-02 12:32 . 2009-03-03 11:39 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2009-03-01 22:43 . 2009-03-02 17:02 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2009-03-01 20:20 . 2009-03-01 20:20 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avg7
2009-03-01 20:20 . 2009-03-01 20:20 262,144 --a------ c:\documents and settings\AIRERI~2
2009-03-01 20:20 . 2009-03-01 20:20 262,144 --a------ c:\documents and settings\AIRERI~1
2009-03-01 18:51 . 2009-03-01 18:51 <DIR> d-------- c:\program files\Alwil Software
2009-03-01 18:51 . 2003-03-18 17:20 1,060,864 --a------ c:\windows\system32\MFC71.dll
2009-03-01 18:50 . 2009-03-01 18:50 17,140,360 --a------ c:\program files\setupengpro.exe
2009-02-14 18:40 . 2009-02-14 18:40 <DIR> d-------- c:\windows\Sun
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-02 18:25 --------- d-----w c:\documents and settings\All Users\Application Data\Skype
2009-03-02 18:20 --------- d-----w c:\program files\DivX
2009-03-02 18:19 --------- d-----w c:\program files\Miranda IM
2009-03-02 18:19 --------- d-----w c:\program files\Common Files\Adobe
2009-03-02 02:52 --------- d-----w c:\program files\SearchAssistant
2009-03-01 17:06 --------- d-----w c:\documents and settings\Algis Sirvaitis\Application Data\Skype
2009-03-01 15:46 --------- d-----w c:\documents and settings\Algis Sirvaitis\Application Data\skypePM
2009-01-25 00:39 --------- d-----w c:\documents and settings\Algis Sirvaitis\Application Data\InterVideo
2009-01-21 22:45 --------- d-----w c:\program files\CCleaner
2007-01-03 06:25 214,616 ----a-w c:\program files\mozilla firefox\components\FFHook.dll
2009-01-29 19:21 67,688 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2009-01-29 19:21 54,368 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2009-01-29 19:21 34,944 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2009-01-29 19:21 46,712 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2009-01-29 19:21 172,136 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2003-11-07 114688]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-07-10 339968]
"SonyPowerCfg"="c:\program files\Sony\VAIO Power Management\SPMgr.exe" [2004-06-29 180224]
"HKSERV.EXE"="c:\program files\Sony\HotKey Utility\HKserv.exe" [2004-06-29 122880]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\point32.exe" [2004-06-03 204800]
"IPHSend"="c:\program files\Common Files\AOL\IPHSend\IPHSend.exe" [2006-02-17 124520]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2005-03-15 180269]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2008-08-03 36352]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-08-24 437160]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.dvsd"= c:\progra~1\COMMON~1\SONYSH~1\VideoLib\sonydv.dll
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
backup=c:\windows\pss\America Online 9.0 Tray Icon.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk
backup=c:\windows\pss\HP Photosmart Premier Fast Start.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CreateCD_Reminder]
--a------ 2004-07-16 14:17 53248 c:\windows\SONYSYS\VAIO Recovery\Reminder.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
--a------ 2006-09-25 19:52 50736 c:\program files\Common Files\AOL\1124472800\ee\aolsoftware.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VAIO Recovery]
--a------ 2003-04-20 00:08 28672 c:\windows\SONYSYS\VAIO Recovery\PartSeal.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VAIO Update 2]
--a------ 2004-01-17 05:36 135168 c:\program files\Sony\VAIO Update 2\VAIOUpdt.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VAIOSurvey]
--a------ 2004-07-30 14:51 331776 c:\program files\Sony\VAIO Survey\SurveySA.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WANMiniportService"=2 (0x2)
"VAIOMediaPlatform-VideoServer-UPnP"=3 (0x3)
"VAIOMediaPlatform-VideoServer-HTTP"=3 (0x3)
"VAIOMediaPlatform-VideoServer-AppServer"=3 (0x3)
"VAIOMediaPlatform-Mobile-Gateway"=3 (0x3)
"VAIOMediaPlatform-IntegratedServer-UPnP"=3 (0x3)
"VAIOMediaPlatform-IntegratedServer-HTTP"=3 (0x3)
"VAIOMediaPlatform-IntegratedServer-AppServer"=3 (0x3)
"VAIO Entertainment UPnP Client Adapter"=3 (0x3)
"VAIO Entertainment TV Device Arbitration Service"=3 (0x3)
"VAIO Entertainment File Import Service"=2 (0x2)
"VAIO Entertainment Aggregation and Control Service"=3 (0x3)
"ose"=3 (0x3)
"odserv"=3 (0x3)
"iPod Service"=3 (0x3)
"HP Status Server"=3 (0x3)
"HP Port Resolver"=3 (0x3)
"Avg7UpdSvc"=2 (0x2)
"Avg7Alrt"=2 (0x2)
"AOL ACS"=2 (0x2)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\acsd.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\1124472800\\ee\\AOLServiceHost.exe"=
"c:\\Program Files\\Common Files\\AOL\\1124472800\\ee\\aolsoftware.exe"=
"c:\\Program Files\\Common Files\\AOL\\1124472800\\ee\\aim6.exe"=
"c:\\Program Files\\Java\\jre1.5.0_09\\bin\\javaw.exe"=
"c:\\Program Files\\Java\\jre1.6.0_02\\bin\\javaw.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Alwil Software\\Avast4\\ashAvast.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"10049:TCP"= 10049:TCP:BitComet 10049 TCP
"10049:UDP"= 10049:UDP:BitComet 10049 UDP
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-03-01 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-03-01 20560]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-10-21 24652]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
S3 macrofir;MacroFire Camera;c:\windows\system32\drivers\MacroFIR.sys [2005-07-06 38368]
S3 microfir;MicroFire Camera;c:\windows\system32\drivers\MICROFIR.SYS [2005-07-06 37728]
S3 pcand5bk;PCAND5BK PCANDIS5 Protocol Driver;\??\c:\windows\system32\pcand5bk.SYS --> c:\windows\system32\pcand5bk.SYS [?]
S3 sonydcam;Generic 1394 Desktop Camera;c:\windows\system32\drivers\sonydcam.sys [2004-08-03 25472]
S4 VAIO Entertainment File Import Service;VAIO Entertainment File Import Service;c:\program files\Common Files\Sony Shared\VAIO Entertainment\VzCdb\VzFw.exe [2004-08-18 118877]
S4 VAIO Entertainment UPnP Client Adapter;VAIO Entertainment UPnP Client Adapter;c:\program files\Common Files\Sony Shared\VAIO Entertainment\VCSW\VCSW.exe -RunBySCM --> c:\program files\Common Files\Sony Shared\VAIO Entertainment\VCSW\VCSW.exe -RunBySCM [?]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2a3ef6b0-7917-11dd-81da-00038a000015}]
\Shell\AutoRun\command - f:\wd_windows_tools\setup.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b3b61680-a507-11dd-81fd-00038a000015}]
\Shell\AutoRun\command - WDSetup.exe
.
Contents of the 'Scheduled Tasks' folder
2009-03-03 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe []
2009-03-03 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 18:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://www.sony.com/vaiopeople
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.0\resources\en-US\local\search.html
IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html
IE: Backward &Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cac&hed Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Si&milar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Algis Sirvaitis\Application Data\Mozilla\Firefox\Profiles\8v9gh1w4.default\
FF - prefs.js: browser.startup.homepage - google.com
FF - component: c:\progra~1\MOZILL~1\extensions\talkback@mozilla.org\components\qfaservices.dll
FF - component: c:\program files\Mozilla Firefox\components\FFHook.dll
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-03 14:11:06
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\macrofir]
"ImagePath"=hex:53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,52,\
--
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\microfir]
"ImagePath"=hex:53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,52,\
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\macrofir]
"ImagePath"=hex:53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,52,\
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\microfir]
"ImagePath"=hex:53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,52,\
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-1611189662-842349286-2651635134-1007\Software\PictureFrame\P*i*c*t*u*r*e*F*r*a*m*e*"!\General-Bar0]
"BarID"=dword:00000067
"XPos"=dword:00000293
"YPos"=dword:fffffffe
"Docking"=dword:00000001
"MRUDockID"=dword:00000000
"MRUDockLeftPos"=dword:00000293
"MRUDockTopPos"=dword:fffffffe
"MRUDockRightPos"=dword:000005e6
"MRUDockBottomPos"=dword:0000001b
"MRUFloatStyle"=dword:00002004
"MRUFloatXPos"=dword:80000000
"MRUFloatYPos"=dword:00000000
[HKEY_USERS\S-1-5-21-1611189662-842349286-2651635134-1007\Software\PictureFrame\P*i*c*t*u*r*e*F*r*a*m*e*"!\General-Bar1]
"BarID"=dword:00000001
"XPos"=dword:fffffffe
"YPos"=dword:fffffffe
"Docking"=dword:00000001
"MRUDockID"=dword:00000000
"MRUDockLeftPos"=dword:fffffffe
"MRUDockTopPos"=dword:fffffffe
"MRUDockRightPos"=dword:00000295
"MRUDockBottomPos"=dword:0000001b
"MRUFloatStyle"=dword:00002004
"MRUFloatXPos"=dword:80000000
"MRUFloatYPos"=dword:00000000
[HKEY_USERS\S-1-5-21-1611189662-842349286-2651635134-1007\Software\PictureFrame\P*i*c*t*u*r*e*F*r*a*m*e*"!\General-Bar2]
"BarID"=dword:00000002
"XPos"=dword:fffffffe
"YPos"=dword:fffffffe
"Docking"=dword:00000001
"MRUDockID"=dword:00000000
"MRUDockLeftPos"=dword:fffffffe
"MRUDockTopPos"=dword:fffffffe
"MRUDockRightPos"=dword:00000024
"MRUDockBottomPos"=dword:000000d1
"MRUFloatStyle"=dword:00000004
"MRUFloatXPos"=dword:80000000
"MRUFloatYPos"=dword:00000000
[HKEY_USERS\S-1-5-21-1611189662-842349286-2651635134-1007\Software\PictureFrame\P*i*c*t*u*r*e*F*r*a*m*e*"!\General-Bar3]
"BarID"=dword:000000a5
"XPos"=dword:fffffffe
"YPos"=dword:00000005
"Docking"=dword:00000001
"MRUDockID"=dword:0000e81c
"MRUDockLeftPos"=dword:fffffffe
"MRUDockTopPos"=dword:00000005
"MRUDockRightPos"=dword:00000099
"MRUDockBottomPos"=dword:0000028a
"MRUFloatStyle"=dword:00001000
"MRUFloatXPos"=dword:00000000
"MRUFloatYPos"=dword:0000004c
[HKEY_USERS\S-1-5-21-1611189662-842349286-2651635134-1007\Software\PictureFrame\P*i*c*t*u*r*e*F*r*a*m*e*"!\General-Bar4]
"BarID"=dword:0000e81b
"Bars"=dword:00000004
"Bar#0"=dword:00000000
"Bar#1"=dword:00000001
"Bar#2"=dword:00000067
"Bar#3"=dword:00000000
[HKEY_USERS\S-1-5-21-1611189662-842349286-2651635134-1007\Software\PictureFrame\P*i*c*t*u*r*e*F*r*a*m*e*"!\General-Bar5]
"BarID"=dword:0000e81c
"Bars"=dword:00000003
"Bar#0"=dword:00000000
"Bar#1"=dword:000000a5
"Bar#2"=dword:00000000
[HKEY_USERS\S-1-5-21-1611189662-842349286-2651635134-1007\Software\PictureFrame\P*i*c*t*u*r*e*F*r*a*m*e*"!\General-Bar6]
"BarID"=dword:0000e81d
"Bars"=dword:00000003
"Bar#0"=dword:00000000
"Bar#1"=dword:00000002
"Bar#2"=dword:00000000
[HKEY_USERS\S-1-5-21-1611189662-842349286-2651635134-1007\Software\PictureFrame\P*i*c*t*u*r*e*F*r*a*m*e*"!\General-Bar7]
"BarID"=dword:0000e801
[HKEY_USERS\S-1-5-21-1611189662-842349286-2651635134-1007\Software\PictureFrame\P*i*c*t*u*r*e*F*r*a*m*e*"!\General-Bar8]
"BarID"=dword:0000e81f
"Horz"=dword:00000000
"Floating"=dword:00000001
"XPos"=dword:00000002
"YPos"=dword:0000005f
"Bars"=dword:00000003
"Bar#0"=dword:00000000
"Bar#1"=dword:000000a5
"Bar#2"=dword:00000000
[HKEY_USERS\S-1-5-21-1611189662-842349286-2651635134-1007\Software\PictureFrame\P*i*c*t*u*r*e*F*r*a*m*e*"!\General-Summary]
"Bars"=dword:00000008
"ScreenCX"=dword:00000500
"ScreenCY"=dword:00000320
[HKEY_USERS\S-1-5-21-1611189662-842349286-2651635134-1007\Software\PictureFrame\P*i*c*t*u*r*e*F*r*a*m*e*"!\Recent File List]
"File1"="c:\\IMAGES from MICROSCOPE\\ACADIA_NP_diatoms\\Peronia\\Peronia_12_073A_1600x.tif"
"File2"="c:\\IMAGES from MICROSCOPE\\ACADIA_NP_diatoms\\Eunotia\\Eunotia_254_073A_1600x.tif"
"File3"="c:\\IMAGES from MICROSCOPE\\ACADIA_NP_diatoms\\Navicula\\Navicula_22_073A_1600x.tif"
"File4"="c:\\IMAGES from MICROSCOPE\\ACADIA_NP_diatoms\\Nitzschia\\Nitzschia_33_073A_1600x.tif"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(624)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-03-03 14:12:50
ComboFix-quarantined-files.txt 2009-03-03 19:12:43
ComboFix2.txt 2009-03-03 17:51:14
Pre-Run: 19,727,872,000 bytes free
Post-Run: 19,713,646,592 bytes free
321 --- E O F --- 2008-10-28 00:53:20
HJT:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:13:59 PM, on 3/3/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Sony\VAIO Power Management\SPMgr.exe
C:\Program Files\Sony\HotKey Utility\HKserv.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Winamp\winampa.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Sony\HotKey Utility\HKWnd.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.sony.com/vaiopeople
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SonyPowerCfg] C:\Program Files\Sony\VAIO Power Management\SPMgr.exe
O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.0\resources\en-US\local\search.html
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - http://housecall65.trendmicro.com/house ... hcImpl.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {37DF41B2-61DB-4CAC-A755-CFB3C7EE7F40} - http://esupport.aol.com/help/acp2/engin ... core_1.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} - http://messenger.msn.com/download/MsnMe ... loader.cab
O16 - DPF: {BD8667B7-38D8-4C77-B580-18C3E146372C} (Creative Toolbox Plug-in) - http://bmm.imgag.com/imgag/cp/install/crusher-us.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
--
End of file - 7386 bytes
2009-03-01 18:51 . 2003-03-18 17:20 1,060,864 --a------ c:\windows\system32\MFC71.dll
2009-03-01 18:50 . 2009-03-01 18:50 17,140,360 --a------ c:\program files\setupengpro.exe
2009-02-14 18:40 . 2009-02-14 18:40 <DIR> d-------- c:\windows\Sun
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-02 18:25 --------- d-----w c:\documents and settings\All Users\Application Data\Skype
2009-03-02 18:20 --------- d-----w c:\program files\DivX
2009-03-02 18:19 --------- d-----w c:\program files\Miranda IM
2009-03-02 18:19 --------- d-----w c:\program files\Common Files\Adobe
2009-03-02 02:52 --------- d-----w c:\program files\SearchAssistant
2009-03-01 17:06 --------- d-----w c:\documents and settings\Algis Sirvaitis\Application Data\Skype
2009-03-01 15:46 --------- d-----w c:\documents and settings\Algis Sirvaitis\Application Data\skypePM
2009-01-25 00:39 --------- d-----w c:\documents and settings\Algis Sirvaitis\Application Data\InterVideo
2009-01-21 22:45 --------- d-----w c:\program files\CCleaner
2007-01-03 06:25 214,616 ----a-w c:\program files\mozilla firefox\components\FFHook.dll
2009-01-29 19:21 67,688 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2009-01-29 19:21 54,368 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2009-01-29 19:21 34,944 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2009-01-29 19:21 46,712 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2009-01-29 19:21 172,136 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2003-11-07 114688]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-07-10 339968]
"SonyPowerCfg"="c:\program files\Sony\VAIO Power Management\SPMgr.exe" [2004-06-29 180224]
"HKSERV.EXE"="c:\program files\Sony\HotKey Utility\HKserv.exe" [2004-06-29 122880]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\point32.exe" [2004-06-03 204800]
"IPHSend"="c:\program files\Common Files\AOL\IPHSend\IPHSend.exe" [2006-02-17 124520]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2005-03-15 180269]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2008-08-03 36352]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-08-24 437160]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.dvsd"= c:\progra~1\COMMON~1\SONYSH~1\VideoLib\sonydv.dll
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
backup=c:\windows\pss\America Online 9.0 Tray Icon.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk
backup=c:\windows\pss\HP Photosmart Premier Fast Start.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CreateCD_Reminder]
--a------ 2004-07-16 14:17 53248 c:\windows\SONYSYS\VAIO Recovery\Reminder.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
--a------ 2006-09-25 19:52 50736 c:\program files\Common Files\AOL\1124472800\ee\aolsoftware.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VAIO Recovery]
--a------ 2003-04-20 00:08 28672 c:\windows\SONYSYS\VAIO Recovery\PartSeal.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VAIO Update 2]
--a------ 2004-01-17 05:36 135168 c:\program files\Sony\VAIO Update 2\VAIOUpdt.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VAIOSurvey]
--a------ 2004-07-30 14:51 331776 c:\program files\Sony\VAIO Survey\SurveySA.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WANMiniportService"=2 (0x2)
"VAIOMediaPlatform-VideoServer-UPnP"=3 (0x3)
"VAIOMediaPlatform-VideoServer-HTTP"=3 (0x3)
"VAIOMediaPlatform-VideoServer-AppServer"=3 (0x3)
"VAIOMediaPlatform-Mobile-Gateway"=3 (0x3)
"VAIOMediaPlatform-IntegratedServer-UPnP"=3 (0x3)
"VAIOMediaPlatform-IntegratedServer-HTTP"=3 (0x3)
"VAIOMediaPlatform-IntegratedServer-AppServer"=3 (0x3)
"VAIO Entertainment UPnP Client Adapter"=3 (0x3)
"VAIO Entertainment TV Device Arbitration Service"=3 (0x3)
"VAIO Entertainment File Import Service"=2 (0x2)
"VAIO Entertainment Aggregation and Control Service"=3 (0x3)
"ose"=3 (0x3)
"odserv"=3 (0x3)
"iPod Service"=3 (0x3)
"HP Status Server"=3 (0x3)
"HP Port Resolver"=3 (0x3)
"Avg7UpdSvc"=2 (0x2)
"Avg7Alrt"=2 (0x2)
"AOL ACS"=2 (0x2)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\acsd.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\1124472800\\ee\\AOLServiceHost.exe"=
"c:\\Program Files\\Common Files\\AOL\\1124472800\\ee\\aolsoftware.exe"=
"c:\\Program Files\\Common Files\\AOL\\1124472800\\ee\\aim6.exe"=
"c:\\Program Files\\Java\\jre1.5.0_09\\bin\\javaw.exe"=
"c:\\Program Files\\Java\\jre1.6.0_02\\bin\\javaw.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Alwil Software\\Avast4\\ashAvast.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"10049:TCP"= 10049:TCP:BitComet 10049 TCP
"10049:UDP"= 10049:UDP:BitComet 10049 UDP
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-03-01 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-03-01 20560]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-10-21 24652]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
S3 macrofir;MacroFire Camera;c:\windows\system32\drivers\MacroFIR.sys [2005-07-06 38368]
S3 microfir;MicroFire Camera;c:\windows\system32\drivers\MICROFIR.SYS [2005-07-06 37728]
S3 pcand5bk;PCAND5BK PCANDIS5 Protocol Driver;\??\c:\windows\system32\pcand5bk.SYS --> c:\windows\system32\pcand5bk.SYS [?]
S3 sonydcam;Generic 1394 Desktop Camera;c:\windows\system32\drivers\sonydcam.sys [2004-08-03 25472]
S4 VAIO Entertainment File Import Service;VAIO Entertainment File Import Service;c:\program files\Common Files\Sony Shared\VAIO Entertainment\VzCdb\VzFw.exe [2004-08-18 118877]
S4 VAIO Entertainment UPnP Client Adapter;VAIO Entertainment UPnP Client Adapter;c:\program files\Common Files\Sony Shared\VAIO Entertainment\VCSW\VCSW.exe -RunBySCM --> c:\program files\Common Files\Sony Shared\VAIO Entertainment\VCSW\VCSW.exe -RunBySCM [?]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2a3ef6b0-7917-11dd-81da-00038a000015}]
\Shell\AutoRun\command - f:\wd_windows_tools\setup.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b3b61680-a507-11dd-81fd-00038a000015}]
\Shell\AutoRun\command - WDSetup.exe
.
Contents of the 'Scheduled Tasks' folder
2009-03-03 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe []
2009-03-03 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 18:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://www.sony.com/vaiopeople
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.0\resources\en-US\local\search.html
IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html
IE: Backward &Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cac&hed Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Si&milar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Algis Sirvaitis\Application Data\Mozilla\Firefox\Profiles\8v9gh1w4.default\
FF - prefs.js: browser.startup.homepage - google.com
FF - component: c:\progra~1\MOZILL~1\extensions\talkback@mozilla.org\components\qfaservices.dll
FF - component: c:\program files\Mozilla Firefox\components\FFHook.dll
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-03 14:11:06
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\macrofir]
"ImagePath"=hex:53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,52,\
--
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\microfir]
"ImagePath"=hex:53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,52,\
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\macrofir]
"ImagePath"=hex:53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,52,\
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\microfir]
"ImagePath"=hex:53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,52,\
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-1611189662-842349286-2651635134-1007\Software\PictureFrame\P*i*c*t*u*r*e*F*r*a*m*e*"!\General-Bar0]
"BarID"=dword:00000067
"XPos"=dword:00000293
"YPos"=dword:fffffffe
"Docking"=dword:00000001
"MRUDockID"=dword:00000000
"MRUDockLeftPos"=dword:00000293
"MRUDockTopPos"=dword:fffffffe
"MRUDockRightPos"=dword:000005e6
"MRUDockBottomPos"=dword:0000001b
"MRUFloatStyle"=dword:00002004
"MRUFloatXPos"=dword:80000000
"MRUFloatYPos"=dword:00000000
[HKEY_USERS\S-1-5-21-1611189662-842349286-2651635134-1007\Software\PictureFrame\P*i*c*t*u*r*e*F*r*a*m*e*"!\General-Bar1]
"BarID"=dword:00000001
"XPos"=dword:fffffffe
"YPos"=dword:fffffffe
"Docking"=dword:00000001
"MRUDockID"=dword:00000000
"MRUDockLeftPos"=dword:fffffffe
"MRUDockTopPos"=dword:fffffffe
"MRUDockRightPos"=dword:00000295
"MRUDockBottomPos"=dword:0000001b
"MRUFloatStyle"=dword:00002004
"MRUFloatXPos"=dword:80000000
"MRUFloatYPos"=dword:00000000
[HKEY_USERS\S-1-5-21-1611189662-842349286-2651635134-1007\Software\PictureFrame\P*i*c*t*u*r*e*F*r*a*m*e*"!\General-Bar2]
"BarID"=dword:00000002
"XPos"=dword:fffffffe
"YPos"=dword:fffffffe
"Docking"=dword:00000001
"MRUDockID"=dword:00000000
"MRUDockLeftPos"=dword:fffffffe
"MRUDockTopPos"=dword:fffffffe
"MRUDockRightPos"=dword:00000024
"MRUDockBottomPos"=dword:000000d1
"MRUFloatStyle"=dword:00000004
"MRUFloatXPos"=dword:80000000
"MRUFloatYPos"=dword:00000000
[HKEY_USERS\S-1-5-21-1611189662-842349286-2651635134-1007\Software\PictureFrame\P*i*c*t*u*r*e*F*r*a*m*e*"!\General-Bar3]
"BarID"=dword:000000a5
"XPos"=dword:fffffffe
"YPos"=dword:00000005
"Docking"=dword:00000001
"MRUDockID"=dword:0000e81c
"MRUDockLeftPos"=dword:fffffffe
"MRUDockTopPos"=dword:00000005
"MRUDockRightPos"=dword:00000099
"MRUDockBottomPos"=dword:0000028a
"MRUFloatStyle"=dword:00001000
"MRUFloatXPos"=dword:00000000
"MRUFloatYPos"=dword:0000004c
[HKEY_USERS\S-1-5-21-1611189662-842349286-2651635134-1007\Software\PictureFrame\P*i*c*t*u*r*e*F*r*a*m*e*"!\General-Bar4]
"BarID"=dword:0000e81b
"Bars"=dword:00000004
"Bar#0"=dword:00000000
"Bar#1"=dword:00000001
"Bar#2"=dword:00000067
"Bar#3"=dword:00000000
[HKEY_USERS\S-1-5-21-1611189662-842349286-2651635134-1007\Software\PictureFrame\P*i*c*t*u*r*e*F*r*a*m*e*"!\General-Bar5]
"BarID"=dword:0000e81c
"Bars"=dword:00000003
"Bar#0"=dword:00000000
"Bar#1"=dword:000000a5
"Bar#2"=dword:00000000
[HKEY_USERS\S-1-5-21-1611189662-842349286-2651635134-1007\Software\PictureFrame\P*i*c*t*u*r*e*F*r*a*m*e*"!\General-Bar6]
"BarID"=dword:0000e81d
"Bars"=dword:00000003
"Bar#0"=dword:00000000
"Bar#1"=dword:00000002
"Bar#2"=dword:00000000
[HKEY_USERS\S-1-5-21-1611189662-842349286-2651635134-1007\Software\PictureFrame\P*i*c*t*u*r*e*F*r*a*m*e*"!\General-Bar7]
"BarID"=dword:0000e801
[HKEY_USERS\S-1-5-21-1611189662-842349286-2651635134-1007\Software\PictureFrame\P*i*c*t*u*r*e*F*r*a*m*e*"!\General-Bar8]
"BarID"=dword:0000e81f
"Horz"=dword:00000000
"Floating"=dword:00000001
"XPos"=dword:00000002
"YPos"=dword:0000005f
"Bars"=dword:00000003
"Bar#0"=dword:00000000
"Bar#1"=dword:000000a5
"Bar#2"=dword:00000000
[HKEY_USERS\S-1-5-21-1611189662-842349286-2651635134-1007\Software\PictureFrame\P*i*c*t*u*r*e*F*r*a*m*e*"!\General-Summary]
"Bars"=dword:00000008
"ScreenCX"=dword:00000500
"ScreenCY"=dword:00000320
[HKEY_USERS\S-1-5-21-1611189662-842349286-2651635134-1007\Software\PictureFrame\P*i*c*t*u*r*e*F*r*a*m*e*"!\Recent File List]
"File1"="c:\\IMAGES from MICROSCOPE\\ACADIA_NP_diatoms\\Peronia\\Peronia_12_073A_1600x.tif"
"File2"="c:\\IMAGES from MICROSCOPE\\ACADIA_NP_diatoms\\Eunotia\\Eunotia_254_073A_1600x.tif"
"File3"="c:\\IMAGES from MICROSCOPE\\ACADIA_NP_diatoms\\Navicula\\Navicula_22_073A_1600x.tif"
"File4"="c:\\IMAGES from MICROSCOPE\\ACADIA_NP_diatoms\\Nitzschia\\Nitzschia_33_073A_1600x.tif"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(624)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-03-03 14:12:50
ComboFix-quarantined-files.txt 2009-03-03 19:12:43
ComboFix2.txt 2009-03-03 17:51:14
Pre-Run: 19,727,872,000 bytes free
Post-Run: 19,713,646,592 bytes free
321 --- E O F --- 2008-10-28 00:53:20
HJT:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:13:59 PM, on 3/3/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Sony\VAIO Power Management\SPMgr.exe
C:\Program Files\Sony\HotKey Utility\HKserv.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Winamp\winampa.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Sony\HotKey Utility\HKWnd.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.sony.com/vaiopeople
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SonyPowerCfg] C:\Program Files\Sony\VAIO Power Management\SPMgr.exe
O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.0\resources\en-US\local\search.html
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - http://housecall65.trendmicro.com/house ... hcImpl.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {37DF41B2-61DB-4CAC-A755-CFB3C7EE7F40} - http://esupport.aol.com/help/acp2/engin ... core_1.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} - http://messenger.msn.com/download/MsnMe ... loader.cab
O16 - DPF: {BD8667B7-38D8-4C77-B580-18C3E146372C} (Creative Toolbox Plug-in) - http://bmm.imgag.com/imgag/cp/install/crusher-us.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
--
End of file - 7386 bytes
- jaro3
- Security team member
- Guru Level 15
- Posts: 43293
- Registered: June 07
- Location: South Bohemia
- Status: Offline
Re: Infected PC - log from MWAV
Logs O.K.
ComboFix is uninstalled like this:
Start - Run and enter ComboFix[space]/u
So if there are no problems, clean the system with CCleaner
and also use T-Cleaner
it deletes everything left behind by ComboFix, SDFix, Avenger, MWAV etc. - download > run
Download ATF Cleaner
Double-click ATF Cleaner.exe, click Select All Found, then click Empty Selected.
If you want to keep your saved passwords, click No.
ATF-Cleaner is a simple tool for removing web browser history. The program can remove the cache, cookies, history and other traces of surfing the Internet. Supported browsers include Internet Explorer, Firefox and Opera. The application can also remove Windows temporary files, empty the Recycle Bin, etc.
Update Java:
Java SE Runtime Environment 6u12
Select the OS (I assume Windows), tick agree - continue
Select:
Windows Offline Installation
jre-6u12-windows-i586-p.exe
Remove the other Java versions in Add/Remove Programs.
That's all.
When working with HJT, ComboFix, MBAM, SDFix etc., close all other applications and browsers!
Do not send logs by private message. During my absence, memphisto, Žbeky and Orcus stand in for me.
If you are satisfied, you can support our forum: Forum support
Re: Infected PC - log from MWAV (Solved)
Hi,
sorry, but I had to leave yesterday evening. Yes, the computer looks like it is working. I am going to clean it up and update it as you recommend.
Once again, a big thank you for your help!!!
Honza