HiJackThis=kontrola Vyřešeno

[jaro3]

Trochu jsem pozapomněl..

Stáhni si ty soubory zde:
http://www.edisk.cz/stahni/14842/files.rar_43.83KB.html

Rozbal, vyjmi jednotlivé soubory a vlož všechny postupně do D:\

Zase musím pryč,nejlépe by bylo kdybys v nouz. režimu vložil ty soubory na správná místa:
d:\windows\system32\midimap.dll
d:\windows\System32\wscntfy.exe
d:\windows\System32\regsvc.dll

Pokud to nepůjde, tak Ti pak napíšu příkaz.

[Reklama]

[warcraftan]

Takže do nouzového režimu se dostanu pokud se nemýlím opakovaným klikáním tlačítka F8
Vyjelo mi na výběr floopy disk..nebo Hdd..tak jsem oboji vyzkoušel ale system načetl jako obvykle...

Tak jsem ty soubory postupně naházel do (D:), chci se zeptat, je to tak dobře? nemělo to být např do složky WINDOWS?..musí to záležet na umístění? a všechny soubory mi bez problému šli tam hodit...

[jaro3]

Takže , pokud máš všechny jednotlivé soubory v D:\

Otevři si Poznámkový blok (Start -> Spustit... a napiš do okna Notepad a dej Ok.
Zkopíruj do něj následující celý text označený zeleně:
Poznámka: Nepoužij k označení skriptu funkci VYBRAT VŠE

Kód: Vybrat vše

KillAll::
File::
d:\docume~1\ADMINI~1\LOCALS~1\Temp\TXH418.tmp

Folder::
d:\program files\DAEMON Tools SearchBar

DirLook::
d:\program files\pp
d:\program files\BC

Driver::
GarenaPEngine

Registry::
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\GarenaPEngine]

DDS::
uInternet Connection Wizard,ShellNext = hxxp://www.poweredbyadvantage.com/advan ... campaign=&

FCOPY::
d:\midimap.dll | d:\windows\system32\midimap.dll
d:\wscntfy.exe | d:\windows\System32\wscntfy.exe
d:\regsvc.dll | d:\windows\System32\regsvc.dll


Zvol možnost Soubor -> Uložit jako... a nastav tyto parametry:
Název souboru: zde napiš: CFScript.txt
Uložit jako typ: tak tam vyber Všechny soubory
Ulož soubor na plochu.
Ukonči všechna aktivní okna.

Uchop myší vytvořený skript CFScript.txt, přemísti ho nad stažený program ComboFix.exe a když se oba soubory překryjí, skript upusť.
- Automaticky se spustí ComboFix
- Vlož sem log, který vyběhne v závěru čistícího procesu + nový log z HJT

[warcraftan]

ComboFix 10-02-12.01 - Administrator 19.02.2010 18:51:03.3.1 - x86
Systém Microsoft Windows XP Professional 5.1.2600.3.1250.420.1029.18.2047.1573 [GMT 1:00]
Spuštěný z: d:\documents and settings\Administrator\Plocha\ComboFix.exe
Použité ovládací přepínače :: d:\documents and settings\Administrator\Plocha\CFScript.txt
* Rezidentní štít AV je zapnutý


VAROVÁNÍ - NA TOMTO POČÍTAČI NENÍ NAINSTALOVÁNA KONZOLA PRO ZOTAVENÍ !!

FILE ::
"d:\docume~1\ADMINI~1\LOCALS~1\Temp\TXH418.tmp"
.

((((((((((((((((((((((((((((((((((((((( Ostatní výmazy )))))))))))))))))))))))))))))))))))))))))))))))))
.

-- Předchozí spuštění --

d:\windows\system32\midimap.dll . . . je infikován!!

--------

.
--------------- FCopy ---------------

d:\midimap.dll --> d:\windows\system32\midimap.dll
d:\wscntfy.exe --> d:\windows\System32\wscntfy.exe
d:\regsvc.dll --> d:\windows\System32\regsvc.dll
.
((((((((((((((((((((((((((((((((((((((( Ovladače/Služby )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_GARENAPENGINE


((((((((((((((((((((((((( Soubory vytvořené od 2010-01-19 do 2010-02-19 )))))))))))))))))))))))))))))))
.

2010-02-19 17:51 . 2008-04-14 06:52 13824 ----a-w- d:\windows\system32\wscntfy.exe
2010-02-19 17:51 . 2008-04-14 06:52 13824 ----a-w- d:\windows\system32\dllcache\wscntfy.exe
2010-02-19 17:51 . 2008-04-14 06:51 59904 ----a-w- d:\windows\system32\regsvc.dll
2010-02-19 17:51 . 2008-04-14 06:51 59904 ----a-w- d:\windows\system32\dllcache\regsvc.dll
2010-02-19 16:10 . 2008-04-14 06:52 13824 ------w- D:\wscntfy.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-19 17:45 . 2009-07-23 08:17 -------- d-----w- d:\program files\Steam
2010-02-19 16:01 . 2009-11-23 18:08 -------- d-----w- d:\program files\BitComet
2010-02-18 17:45 . 2009-07-24 08:44 -------- d-----w- d:\program files\BC
2010-02-17 19:57 . 2010-02-17 19:57 -------- d-----w- d:\program files\The KMPlayer
2010-02-17 19:42 . 2010-02-17 19:28 225687552 ----a-w- d:\program files\[TATAMI]FMA43.avi
2010-02-16 20:39 . 2010-02-16 19:24 -------- d-----w- d:\program files\pp
2010-02-16 19:27 . 2010-02-16 19:27 -------- d-----w- d:\program files\Malwarebytes' Anti-Malware
2010-02-16 13:43 . 2009-07-23 06:20 -------- d--h--w- d:\program files\InstallShield Installation Information
2010-02-09 14:29 . 2009-07-23 13:01 -------- d-----w- d:\program files\Garena
2010-01-22 18:35 . 2009-07-24 07:18 -------- d-----w- d:\program files\Wow
2010-01-20 13:34 . 2010-01-08 17:41 -------- d-----w- d:\program files\Modern Warfare 2
2010-01-08 18:47 . 2009-08-08 19:59 -------- d-----w- d:\program files\OpenAL
2010-01-07 15:07 . 2010-02-16 19:27 38224 ----a-w- d:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 15:07 . 2010-02-16 19:27 19160 ----a-w- d:\windows\system32\drivers\mbam.sys
2010-01-01 20:44 . 2010-01-01 20:44 -------- d-----w- d:\program files\Play+Smile
2009-12-31 16:24 . 2009-07-23 09:58 -------- d-----w- d:\program files\ICQ6.5
2009-12-28 17:00 . 2009-12-28 17:00 -------- d-----w- d:\program files\18 Wheels of Steel Haulin
2009-12-27 14:17 . 2009-12-27 14:17 -------- d-----w- d:\program files\TeamViewer
2009-12-22 18:09 . 2009-12-22 18:08 -------- d-----w- d:\program files\Dofus 2
2009-12-22 18:08 . 2009-12-22 18:08 -------- d-----w- d:\program files\Common Files\Adobe AIR
2009-12-19 22:03 . 2009-12-19 21:22 719100867 ----a-w- d:\program files\Xmo & Uck 2650+ Mage-Lock.wmv
2009-12-06 08:39 . 2009-12-06 08:39 411368 ----a-w- d:\windows\system32\deploytk.dll
2009-12-01 10:10 . 2009-12-23 14:24 1709470208 ----a-w- d:\program files\hydra7.avi
2009-11-25 15:45 . 2001-10-25 13:00 77578 ----a-w- d:\windows\system32\perfc005.dat
2009-11-25 15:45 . 2001-10-25 13:00 429562 ----a-w- d:\windows\system32\perfh005.dat
2009-03-23 06:21 . 2010-02-17 19:53 1464318936 ----a-w- d:\program files\Trestna.lavice.2005.DVDRip.XviD.AC3.CZ.avi
2008-04-14 06:52 . 2009-08-03 10:03 468480 --sha-w- d:\windows\NiwradSoft Shell Pack\Backup\iexplore.exe
2008-04-14 06:52 . 2009-08-03 10:04 73728 --sha-w- d:\windows\NiwradSoft Shell Pack\Backup\wmplayer.exe
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))

2009-07-24 09:51 . 2009-07-24 10:26 366065421 ----a-w- d:\program files\BC\Data\enUS\speech-enUS.MPQ
2009-07-24 09:50 . 2009-07-24 10:25 120367228 ----a-w- d:\program files\BC\Data\enUS\locale-enUS.MPQ
2009-07-24 09:45 . 2009-07-24 10:25 3832940110 ----a-w- d:\program files\BC\Data\common.MPQ
2009-07-24 09:44 . 2009-07-24 09:44 14872 ----a-w- d:\program files\BC\World of Warcraft Install Log.html
2009-07-24 08:44 . 2009-07-24 10:02 413696 ----a-w- d:\program files\BC\DivxDecoder.dll
2009-07-24 08:44 . 2009-07-24 10:22 372736 ----a-w- d:\program files\BC\ijl15.dll
2009-07-24 08:44 . 2009-07-24 10:02 245408 ----a-w- d:\program files\BC\unicows.dll
2009-07-24 08:44 . 2009-07-24 12:13 1039728 ----a-w- d:\program files\BC\dbghelp.dll
2009-07-24 08:44 . 2009-12-18 20:14 25 ----a-w- d:\program files\BC\realmlist.wtf
2009-07-24 08:44 . 2009-07-24 08:44 6506496 ----a-w- d:\program files\BC\Data\enUS\Interface\Cinematics\Logo_1024.avi
2009-07-24 08:44 . 2009-07-24 08:44 4589568 ----a-w- d:\program files\BC\Data\enUS\Interface\Cinematics\Logo_800.avi
2009-07-24 08:44 . 2009-07-24 08:45 47632384 ----a-w- d:\program files\BC\Data\enUS\Interface\Cinematics\WOW_Intro_1024.avi
2009-07-24 08:44 . 2009-07-24 08:45 41175040 ----a-w- d:\program files\BC\Data\enUS\Interface\Cinematics\WOW_Intro_800.avi

---- Directory of d:\program files\pp ----

2010-02-16 20:39 . 2010-01-11 20:32 40237056 ----a-w- d:\program files\pp\VIDEO_TS\VTS_03_1.VOB
2010-02-16 20:39 . 2010-01-11 19:50 12288 ----a-w- d:\program files\pp\VIDEO_TS\VTS_03_0.BUP
2010-02-16 20:39 . 2010-01-11 19:50 12288 ----a-w- d:\program files\pp\VIDEO_TS\VTS_03_0.IFO
2010-02-16 20:39 . 2010-01-11 19:50 24576 ----a-w- d:\program files\pp\VIDEO_TS\VTS_02_0.BUP
2010-02-16 20:39 . 2010-01-11 19:50 24576 ----a-w- d:\program files\pp\VIDEO_TS\VTS_02_0.IFO
2010-02-16 20:39 . 2010-01-11 19:50 77824 ----a-w- d:\program files\pp\VIDEO_TS\VTS_02_0.VOB
2010-02-16 20:39 . 2010-01-11 21:09 384321536 ----a-w- d:\program files\pp\VIDEO_TS\VTS_02_1.VOB
2010-02-16 20:38 . 2010-01-11 21:08 609607680 ----a-w- d:\program files\pp\VIDEO_TS\VTS_01_4.VOB
2010-02-16 20:37 . 2010-01-11 21:15 1073739776 ----a-w- d:\program files\pp\VIDEO_TS\VTS_01_3.VOB
2010-02-16 20:36 . 2010-01-11 21:15 1073739776 ----a-w- d:\program files\pp\VIDEO_TS\VTS_01_2.VOB
2010-02-16 20:34 . 2010-01-11 21:15 1073739776 ----a-w- d:\program files\pp\VIDEO_TS\VTS_01_1.VOB
2010-02-16 20:34 . 2010-01-11 19:50 57344 ----a-w- d:\program files\pp\VIDEO_TS\VTS_01_0.BUP
2010-02-16 20:34 . 2010-01-11 19:50 57344 ----a-w- d:\program files\pp\VIDEO_TS\VTS_01_0.IFO
2010-02-16 20:34 . 2010-01-11 19:50 3987456 ----a-w- d:\program files\pp\VIDEO_TS\VTS_01_0.VOB
2010-02-16 20:34 . 2010-01-11 19:50 6241 ----a-w- d:\program files\pp\pntb-DRagON.nfo
2010-02-16 20:34 . 2010-01-11 19:50 14336 ----a-w- d:\program files\pp\VIDEO_TS\VIDEO_TS.BUP
2010-02-16 20:34 . 2010-01-11 19:50 14336 ----a-w- d:\program files\pp\VIDEO_TS\VIDEO_TS.IFO
2010-02-16 20:34 . 2010-01-11 19:50 987136 ----a-w- d:\program files\pp\VIDEO_TS\VIDEO_TS.VOB


------- Sigcheck -------

[-] 2008-04-14 . 471341D353962A35DA3C6324D59D09C4 . 547328 . . [5.1.2600.5512] . . d:\windows\NiwradSoft Shell Pack\Backup\winlogon.exe
[-] 2008-04-14 . 471341D353962A35DA3C6324D59D09C4 . 547328 . . [5.1.2600.5512] . . d:\windows\system32\winlogon.exe

[-] 2008-04-14 . 347A58792F9322CCAB5ED09FAB72803B . 111104 . . [5.4.3790.5512] . . d:\windows\NiwradSoft Shell Pack\Backup\wuauclt.exe
[-] 2008-04-14 . 27B06B78F42D195C35ECA9199AF97CB9 . 115712 . . [5.4.3790.5512] . . d:\windows\system32\wuauclt.exe

[-] 2008-04-14 . B06B1E696E8B0117EFF67D91E83574AB . 724992 . . [5.82] . . d:\windows\NiwradSoft Shell Pack\Backup\comctl32.dll
[-] 2008-04-14 . 244159B19BC4B9B6E3CFE0305049F1C3 . 694784 . . [5.82] . . d:\windows\system32\comctl32.dll

[-] 2008-04-14 . 5A80B641C10230FDE03DEAB04DCF5E0D . 3459072 . . [6.00.2900.5512] . . d:\windows\NiwradSoft Shell Pack\Backup\mshtml.dll
[-] 2008-04-14 . 07E3ECD608CE9ED9275D4B320E333002 . 3395072 . . [6.00.2900.5512] . . d:\windows\system32\mshtml.dll

[-] 2008-04-14 . 1BC2CBAF4395E7446EC57D1D14C408AD . 2448384 . . [5.1.2600.5512] . . d:\windows\NiwradSoft Shell Pack\Backup\ntoskrnl.exe
[-] 2008-04-14 . 37993C2479A148B156DD61E17A2E0476 . 2367872 . . [5.1.2600.5512] . . d:\windows\system32\ntoskrnl.exe

[7] 2008-04-14 . E16E0990967374E76F3E40CACAFD3D53 . 578560 . . [5.1.2600.5512] . . d:\windows\NiwradSoft Shell Pack\Backup\user32.dll
[-] 2008-04-14 . CCB32D10C69A89822E9134C0C4894BE1 . 578560 . . [5.1.2600.5512] . . d:\windows\system32\user32.dll

[-] 2008-04-14 . 5E7011ACCA2C391A9446C201D5848E23 . 812032 . . [6.00.2900.5512] . . d:\windows\NiwradSoft Shell Pack\Backup\wininet.dll
[-] 2008-04-14 . 5D2352B05C0F41FFC0A8D4232752E5AC . 777216 . . [6.00.2900.5512] . . d:\windows\system32\wininet.dll

[-] 2008-04-14 . 121A686E3D61D9D45F25C03A1E4EC6D5 . 1541120 . . [6.00.2900.5512] . . d:\windows\explorer.exe
[-] 2008-04-14 . 137A31C90841DB6EF71ABE912E72121E . 1552384 . . [6.00.2900.5512] . . d:\windows\NiwradSoft Shell Pack\Backup\explorer.exe

[-] 2008-04-14 . D8152865F2A59D765AF8317E38AA5FB4 . 25088 . . [5.1.2600.5512] . . d:\windows\NiwradSoft Shell Pack\Backup\ctfmon.exe
[-] 2008-04-14 . 0415E09C0BCCBF8B5CD5A05889EFB962 . 40448 . . [5.1.2600.5512] . . d:\windows\system32\ctfmon.exe

[-] 2008-12-19 . AF9671053F8E5272D879A0F0B2E418DD . 2325248 . . [5.1.2600.5512] . . d:\windows\NiwradSoft Shell Pack\Backup\ntkrnlpa.exe
[-] 2008-12-19 . BB65E17A747BE935D30B142297224DDB . 2244736 . . [5.1.2600.5512] . . d:\windows\system32\ntkrnlpa.exe
.
((((((((((((((((((((((((((((( SnapShot@2010-02-17_14.59.06 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-02-19 17:56 . 2010-02-19 17:56 16384 d:\windows\temp\Perflib_Perfdata_120.dat
+ 2008-04-14 06:51 . 2008-04-14 06:51 18944 d:\windows\system32\dllcache\midimap.dll
+ 2010-02-17 15:00 . 2010-02-17 14:47 16384 d:\windows\Cookies\index.dat
+ 2010-02-19 17:43 . 2010-02-19 17:43 5120 d:\windows\Installer\{789289CA-F73A-4A16-A331-54D498CE069F}\Icon789289CA.exe
- 2010-02-07 16:29 . 2010-02-07 16:29 5120 d:\windows\Installer\{789289CA-F73A-4A16-A331-54D498CE069F}\Icon789289CA.exe
.
(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="d:\windows\system32\NvCpl.dll" [2009-02-09 13680640]
"nwiz"="nwiz.exe" [2009-02-09 1657376]
"NvMediaCenter"="d:\windows\system32\NvMcTray.dll" [2009-02-09 86016]
"RTHDCPL"="RTHDCPL.EXE" [2005-12-19 15797248]
"nod32kui"="d:\program files\Eset\nod32kui.exe" [2009-08-03 949376]
"Reloader"="d:\windows\NiwradSoft Shell Pack\Tools\Reloader.exe" [2009-07-23 364846]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="d:\windows\system32\CTFMON.EXE" [2008-04-14 40448]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"_nltide_3"="advpack.dll" [2008-04-14 100352]

d:\documents and settings\Administrator\Nabˇdka Start\Programy\Po spuçtŘnˇ\
Stardock ObjectDock.lnk - d:\program files\Stardock\ObjectDock\ObjectDock.exe [2009-8-3 3450608]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)
"StartMenuLogoff"= 1 (0x1)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0OODBS

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Steam"="d:\program files\steam\steam.exe" -silent
"AlcoholAutomount"="d:\program files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
"CTFMON.EXE"=d:\windows\system32\ctfmon.exe
"Google Update"="d:\documents and settings\Administrator\Local Settings\Data aplikací\Google\Update\GoogleUpdate.exe" /c

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"OODefragTray"=d:\windows\system32\oodtray.exe
"CSR"=d:\windows\dftp.exe
"HP Software Update"="d:\program files\HP\HP Software Update\HPWuSchd2.exe"
"SVT"=d:\windows\nnmp.exe
"WhenUSearch"="d:\program files\DAEMON Tools SearchBar\Search.exe"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R0 Si3124;Si3124;d:\windows\system32\drivers\si3124.sys [19.12.2008 14:14 76208]
R0 Si3531;Si3531;d:\windows\system32\drivers\Si3531.sys [19.12.2008 14:14 210224]
R1 nod32drv;nod32drv;d:\windows\system32\drivers\nod32drv.sys [3.8.2009 9:52 15424]
R2 cpuz132;cpuz132;d:\windows\system32\drivers\cpuz132_x32.sys [8.11.2009 9:21 12672]
S0 ylnt;ylnt;d:\windows\system32\drivers\ycpgve.sys --> d:\windows\system32\drivers\ycpgve.sys [?]
S4 sptd;sptd;d:\windows\system32\drivers\sptd.sys [23.7.2009 9:32 721904]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Obsah adresáře 'Naplánované úlohy'

2010-02-19 d:\windows\Tasks\1-Click Maintenance.job
- d:\program files\TuneUp Utilities 2009\OneClickStarter.exe [2008-12-11 19:36]

2009-10-12 d:\windows\Tasks\HPpromotions journeysoftware.job
- d:\program files\hp\digital imaging\bin\hp promotions\journeysoftware\HPpromo.exe [2005-04-22 15:36]
.
.
------- Doplňkový sken -------
.
IE: E&xportovat do aplikace Microsoft Office Excel - d:\progra~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
IE: Stáhnout odkaz s použitím BitCometu - d:\program files\BitComet\BitComet.exe/AddLink.htm
IE: Stáhnout všechna videa s použitím BitCometu - d:\program files\BitComet\BitComet.exe/AddVideo.htm
IE: Stáhnout všechny odkazy s použitím BitCometu - d:\program files\BitComet\BitComet.exe/AddAllLink.htm
LSP: d:\windows\system32\imon.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-19 18:57
Windows 5.1.2600 Service Pack 3 NTFS

skenování skrytých procesů ...

skenování skrytých položek 'Po spuštění' ...

skenování skrytých souborů ...

sken byl úspešně dokončen
skryté soubory: 0

**************************************************************************
.
--------------------- ZAMKNUTÉ KLÍČE V REGISTRU ---------------------

[HKEY_USERS\S-1-5-21-1409082233-1417001333-1801674531-500\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:a6,19,81,df,cd,88,5f,78,20,04,ab,44,34,07,f2,3e,db,dc,50,28,b6,43,f7,
ab,13,2f,2b,fa,c7,d2,82,1e,21,3b,8c,c7,c4,03,9f,92,f5,ca,f7,82,41,6a,fc,12,\
"??"=hex:1d,5a,02,6e,a1,91,e1,37,80,a6,f8,27,69,5a,ff,b4

[HKEY_USERS\S-1-5-21-1409082233-1417001333-1801674531-500\Software\SecuROM\License information*]
"datasecu"=hex:d4,e4,ae,e9,c9,46,c8,20,09,1e,be,22,fc,7d,14,10,d6,84,2f,54,d0,
49,44,20,25,18,97,35,1f,35,49,39,e6,14,fa,89,fa,ac,87,e0,b9,43,22,2d,fb,15,\
"rkeysecu"=hex:e9,8a,d8,8c,04,8e,0c,6e,28,0d,12,16,3f,d7,c8,fd

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\System*]
"OODEFRAG11.00.00.01WORKSTATION"="9942A825F11C18E17EF1E4DFF26DFA58F3F272ED0AD9B2FEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CA6A0AC4980AC7933C038D530D6EB34529DB7CE019D40AA5C8EDD5E5BE2F6E667079E2EEF457D4BDF4D4864A6B38FB31B9D140EC3BAC672681C7A847EFAF3F3BE0B32B1E1DF96773E8C5D0EE471ECC9E17B072AC2AFD81E89D06ECA2F81166BD61B2410D7343B61CD8374B0B18D13EBD465A6C81EE03D43F8F689AFD347258E09F8CD612959C41AFA85B2FE9C7CB893A5E006D4B8C72763CC636AF3C3E7730A73EBFA61C2A9419388EAB2CB45FDC91E5FF529D9082180E5F36F2300E94187EB093E6BF0A4C3F4298F8E7F12DF9065CCDAB10C0B986E63942D7BBCDDC5F498298FBE5412E18CD49579511BEBB8F7DFC6C9A41C3F86F3231E8EE6B0BD6AE916981FBF5C6DA4AA8BF88496FA1DABBC4092AD62BAED84BBC1957F176D717E4A207527191F502809F8D8C3450709A8AAC21FE105BEB7D99379EF3FF658EF3E830EDDE8A4AEA83D552D1D1FC99C39B65355BE8EA8F25CDF8BB5085C734653F847E7D7F9C08D0C4885729150130DD9EE889CA4B5ED924306F8979DBC7F03DC918CEA49C4D0343140CE3F6765159D3BFCE4716BAAF952F44C747451980ECC6D7F8E897D063A8E73B32CC43343480754A443DB1115F4D721CADC53AA7D9AD88C4D4969A4CF69FCD4C05F646C1F27F6BD39439EF6F08ABB982B5171934B234C651B80635288CBD2F79C67B5EF04318D32A44AAC600DED8D51AC38BFD9B6A943471C3986FBE954D7A48F8E01FECF6B5F94E480AB790ED04EE4A03BE1B14932CBA397BE927E81F8C9C675DF47BC385C76E88AD0F84EECEEF491EC46B0AF5F46E812E81F7D193035D6EEBFA9BAB1C010CFD73BECA350F182EAB90D0B384F2AF412CDFDAB70EFAC88A4CFF07EBF4BC6965C302F476F55C0CC8DE18EFDBAEEAE50B236DCF94A0901734A42A23673D8F68380E03419D3164B92AFB59359AACFC3EBA9CC1AE61BD00BFED34201EBA38F556C1600AC5F7B30D89D18825299B29918E2C8B9620D2995FB33C0EF4B7F5186B770E9C40D58462585B800391680AD562C525946F3D1EE8C5A21860E5713353CCAACBC0E5E8848DA42B59470BB12ACF354DC94E3A35917CBFDDA0C850C0E39100B46445CBD39491AD168F9E2B69873453A26A9A3D70E074F96F52D61669BF9C54C63A8D2DDF54311CB2A446C8CA1FB02D8D9BC3C8B9ED0F4250D3BD2F62B4C85B531073C028EE7CF1D57FD91587CF14283A5E289CE7CBF0280C0F8ABE0EE365DC1DD71850598994D045126F54840B5065C39A98A44DF511D50311F66DDDFF1BC3E1EEBBE52EAEE6195FBADE41DC4DC2E5E4B0E6124BF37521508D99D39B76E78CF296F1DEDA1B5CAB8BFFACBAEA7AE03D417"
.
--------------------- Knihovny navázané na běžící procesy ---------------------

- - - - - - - > 'winlogon.exe'(1104)
d:\windows\system32\SETUPAPI.dll
d:\windows\system32\sfc_os.dll
d:\windows\system32\cscui.dll

- - - - - - - > 'lsass.exe'(1164)
d:\windows\system32\setupapi.dll
d:\windows\system32\imon.dll
d:\program files\Eset\pr_imon.dll
d:\windows\system32\psbase.dll

- - - - - - - > 'explorer.exe'(3308)
d:\program files\Stardock\ObjectDock\DockShellHook.dll
d:\windows\system32\COMRes.dll
d:\windows\System32\cscui.dll
d:\windows\system32\SETUPAPI.dll
d:\windows\system32\WPDShServiceObj.dll
d:\windows\system32\PortableDeviceTypes.dll
d:\windows\system32\PortableDeviceApi.dll
d:\windows\system32\NETSHELL.dll
d:\windows\system32\credui.dll
.
------------------------ Jiné spuštené procesy ------------------------
.
d:\windows\RTHDCPL.EXE
d:\program files\Java\jre6\bin\jqs.exe
d:\program files\Common Files\Nero\Nero BackItUp 4\NBService.exe
d:\program files\Eset\nod32krn.exe
d:\windows\system32\nvsvc32.exe
d:\windows\system32\oodag.exe
d:\windows\system32\HPZipm12.exe
d:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
d:\windows\System32\TUProgSt.exe
d:\windows\system32\wbem\wmiapsrv.exe
.
**************************************************************************
.
Celkový čas: 2010-02-19 18:59:12 - počítač byl restartován
ComboFix-quarantined-files.txt 2010-02-19 17:59
ComboFix2.txt 2010-02-17 15:00

Před spuštěním: 3 257 483 264
Po spuštění: 3 174 211 584

- - End Of File - - 73B97EB64BE5283E82806C639B43FE73

[warcraftan]

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:02:22, on 19.2.2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\RTHDCPL.EXE
D:\Program Files\Eset\nod32kui.exe
D:\Program Files\Java\jre6\bin\jqs.exe
D:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
D:\Program Files\Eset\nod32krn.exe
D:\WINDOWS\system32\nvsvc32.exe
D:\WINDOWS\system32\oodag.exe
D:\WINDOWS\system32\HPZipm12.exe
D:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\TUProgSt.exe
D:\WINDOWS\system32\wbem\wmiapsrv.exe
D:\WINDOWS\explorer.exe
D:\WINDOWS\system32\notepad.exe
D:\Documents and Settings\Administrator\Local Settings\Data aplikací\Google\Chrome\Application\chrome.exe
D:\Documents and Settings\Administrator\Local Settings\Data aplikací\Google\Chrome\Application\chrome.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
R3 - URLSearchHook: (no name) - - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - D:\Program Files\BitComet\tools\BitCometBHO_1.3.7.16.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - D:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - D:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [nod32kui] "D:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [Reloader] D:\WINDOWS\NiwradSoft Shell Pack\Tools\Reloader.exe /S
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O4 - Startup: Stardock ObjectDock.lnk = D:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O8 - Extra context menu item: E&xportovat do aplikace Microsoft Office Excel - res://D:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Stáhnout odkaz s použitím BitCometu - res://D:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: Stáhnout všechna videa s použitím BitCometu - res://D:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: Stáhnout všechny odkazy s použitím BitCometu - res://D:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O9 - Extra button: Zdroje informací - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://D:\Program Files\BitComet\tools\BitCometBHO_1.3.7.16.dll/206 (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - D:\Program Files\ICQ6.5\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - D:\Program Files\ICQ6.5\ICQ.exe
O12 - Plugin for .spop: D:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - D:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: CiSvc - Unknown owner - D:\WINDOWS\system32\cisvc.exe (file missing)
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - D:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Nero BackItUp Scheduler 4.0 - Nero AG - D:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - D:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe
O23 - Service: O&O Defrag - O&O Software GmbH - D:\WINDOWS\system32\oodag.exe
O23 - Service: Pml Driver HPZ12 - HP - D:\WINDOWS\system32\HPZipm12.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - D:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software - D:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: TuneUp Program Statistics Service (TuneUp.ProgramStatisticsSvc) - TuneUp Software - D:\WINDOWS\System32\TUProgSt.exe

--
End of file - 5842 bytes

[jaro3]

Ještě jeden script v CF:

Kód: Vybrat vše

Driver::
ylnt
ycpgve

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"WhenUSearch"=-


Pak zase log z CF.

Zavři ostatní aplikace a prohlížeče, odpoj se od netu a fixni v HJT:
Návod

Kód: Vybrat vše

R3 - URLSearchHook: (no name) - - (no file)
O4 - HKUS\S-1-5-18\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://D:\Program Files\BitComet\tools\BitCometBHO_1.3.7.16.dll/206 (file missing)
O23 - Service: CiSvc - Unknown owner - D:\WINDOWS\system32\cisvc.exe (file missing)



Pak napiš , jak je to s rychlostí PC.

[warcraftan]

ComboFix 10-02-12.01 - Administrator 19.02.2010 19:39:37.4.1 - x86
Systém Microsoft Windows XP Professional 5.1.2600.3.1250.420.1029.18.2047.1582 [GMT 1:00]
Spuštěný z: d:\documents and settings\Administrator\Plocha\ComboFix.exe
Použité ovládací přepínače :: d:\documents and settings\Administrator\Plocha\CFScript.txt
* Rezidentní štít AV je zapnutý


VAROVÁNÍ - NA TOMTO POČÍTAČI NENÍ NAINSTALOVÁNA KONZOLA PRO ZOTAVENÍ !!
.

((((((((((((((((((((((((((((((((((((((( Ostatní výmazy )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Ovladače/Služby )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_ylnt


((((((((((((((((((((((((( Soubory vytvořené od 2010-01-19 do 2010-02-19 )))))))))))))))))))))))))))))))
.

2010-02-19 17:51 . 2008-04-14 06:52 13824 ----a-w- d:\windows\system32\dllcache\wscntfy.exe
2010-02-19 17:51 . 2008-04-14 06:52 13824 ------w- d:\windows\system32\wscntfy.exe
2010-02-19 17:51 . 2008-04-14 06:51 59904 ----a-w- d:\windows\system32\dllcache\regsvc.dll
2010-02-19 17:51 . 2008-04-14 06:51 59904 ------w- d:\windows\system32\regsvc.dll
2010-02-19 16:10 . 2008-04-14 06:52 13824 ------w- D:\wscntfy.exe
2010-02-19 16:10 . 2008-04-14 06:51 59904 ------w- D:\regsvc.dll
2010-02-19 16:10 . 2008-04-14 06:51 18944 ------w- D:\midimap.dll
2010-02-17 19:57 . 2010-02-17 19:57 -------- d-----w- d:\program files\The KMPlayer
2010-02-17 15:00 . 2010-02-17 15:00 -------- d-s---w- d:\windows\Cookies
2010-02-16 19:27 . 2010-01-07 15:07 38224 ----a-w- d:\windows\system32\drivers\mbamswissarmy.sys
2010-02-16 19:27 . 2010-01-07 15:07 19160 ----a-w- d:\windows\system32\drivers\mbam.sys
2010-02-16 19:27 . 2010-02-16 19:27 -------- d-----w- d:\program files\Malwarebytes' Anti-Malware
2010-02-16 19:24 . 2010-02-16 20:39 -------- d-----w- d:\program files\pp
2010-02-13 21:00 . 2009-10-20 11:02 -------- d-----w- d:\program files\AUDIO_TS
2010-02-13 20:56 . 2009-10-20 11:02 -------- d-----w- d:\program files\VIDEO_TS

.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-19 17:45 . 2009-07-23 08:17 -------- d-----w- d:\program files\Steam
2010-02-19 16:01 . 2009-11-23 18:08 -------- d-----w- d:\program files\BitComet
2010-02-18 17:45 . 2009-07-24 08:44 -------- d-----w- d:\program files\BC
2010-02-17 19:42 . 2010-02-17 19:28 225687552 ----a-w- d:\program files\[TATAMI]FMA43.avi
2010-02-16 13:43 . 2009-07-23 06:20 -------- d--h--w- d:\program files\InstallShield Installation Information
2010-02-09 14:29 . 2009-07-23 13:01 -------- d-----w- d:\program files\Garena
2010-01-22 18:35 . 2009-07-24 07:18 -------- d-----w- d:\program files\Wow
2010-01-20 13:34 . 2010-01-08 17:41 -------- d-----w- d:\program files\Modern Warfare 2
2010-01-08 18:47 . 2009-08-08 19:59 -------- d-----w- d:\program files\OpenAL
2010-01-01 20:44 . 2010-01-01 20:44 -------- d-----w- d:\program files\Play+Smile
2009-12-31 16:24 . 2009-07-23 09:58 -------- d-----w- d:\program files\ICQ6.5
2009-12-28 17:00 . 2009-12-28 17:00 -------- d-----w- d:\program files\18 Wheels of Steel Haulin
2009-12-27 14:17 . 2009-12-27 14:17 -------- d-----w- d:\program files\TeamViewer
2009-12-22 18:09 . 2009-12-22 18:08 -------- d-----w- d:\program files\Dofus 2
2009-12-22 18:08 . 2009-12-22 18:08 -------- d-----w- d:\program files\Common Files\Adobe AIR
2009-12-19 22:03 . 2009-12-19 21:22 719100867 ----a-w- d:\program files\Xmo & Uck 2650+ Mage-Lock.wmv
2009-12-06 08:39 . 2009-12-06 08:39 411368 ----a-w- d:\windows\system32\deploytk.dll
2009-12-01 10:10 . 2009-12-23 14:24 1709470208 ----a-w- d:\program files\hydra7.avi
2009-11-25 15:45 . 2001-10-25 13:00 77578 ----a-w- d:\windows\system32\perfc005.dat
2009-11-25 15:45 . 2001-10-25 13:00 429562 ----a-w- d:\windows\system32\perfh005.dat
2009-03-23 06:21 . 2010-02-17 19:53 1464318936 ----a-w- d:\program files\Trestna.lavice.2005.DVDRip.XviD.AC3.CZ.avi
2008-04-14 06:52 . 2009-08-03 10:03 468480 --sha-w- d:\windows\NiwradSoft Shell Pack\Backup\iexplore.exe
2008-04-14 06:52 . 2009-08-03 10:04 73728 --sha-w- d:\windows\NiwradSoft Shell Pack\Backup\wmplayer.exe
.

------- Sigcheck -------

[-] 2008-04-14 . 471341D353962A35DA3C6324D59D09C4 . 547328 . . [5.1.2600.5512] . . d:\windows\NiwradSoft Shell Pack\Backup\winlogon.exe
[-] 2008-04-14 . 471341D353962A35DA3C6324D59D09C4 . 547328 . . [5.1.2600.5512] . . d:\windows\system32\winlogon.exe

[-] 2008-04-14 . 347A58792F9322CCAB5ED09FAB72803B . 111104 . . [5.4.3790.5512] . . d:\windows\NiwradSoft Shell Pack\Backup\wuauclt.exe
[-] 2008-04-14 . 27B06B78F42D195C35ECA9199AF97CB9 . 115712 . . [5.4.3790.5512] . . d:\windows\system32\wuauclt.exe

[-] 2008-04-14 . B06B1E696E8B0117EFF67D91E83574AB . 724992 . . [5.82] . . d:\windows\NiwradSoft Shell Pack\Backup\comctl32.dll
[-] 2008-04-14 . 244159B19BC4B9B6E3CFE0305049F1C3 . 694784 . . [5.82] . . d:\windows\system32\comctl32.dll

[-] 2008-04-14 . 5A80B641C10230FDE03DEAB04DCF5E0D . 3459072 . . [6.00.2900.5512] . . d:\windows\NiwradSoft Shell Pack\Backup\mshtml.dll
[-] 2008-04-14 . 07E3ECD608CE9ED9275D4B320E333002 . 3395072 . . [6.00.2900.5512] . . d:\windows\system32\mshtml.dll

[-] 2008-04-14 . 1BC2CBAF4395E7446EC57D1D14C408AD . 2448384 . . [5.1.2600.5512] . . d:\windows\NiwradSoft Shell Pack\Backup\ntoskrnl.exe
[-] 2008-04-14 . 37993C2479A148B156DD61E17A2E0476 . 2367872 . . [5.1.2600.5512] . . d:\windows\system32\ntoskrnl.exe

[7] 2008-04-14 . E16E0990967374E76F3E40CACAFD3D53 . 578560 . . [5.1.2600.5512] . . d:\windows\NiwradSoft Shell Pack\Backup\user32.dll
[-] 2008-04-14 . CCB32D10C69A89822E9134C0C4894BE1 . 578560 . . [5.1.2600.5512] . . d:\windows\system32\user32.dll

[-] 2008-04-14 . 5E7011ACCA2C391A9446C201D5848E23 . 812032 . . [6.00.2900.5512] . . d:\windows\NiwradSoft Shell Pack\Backup\wininet.dll
[-] 2008-04-14 . 5D2352B05C0F41FFC0A8D4232752E5AC . 777216 . . [6.00.2900.5512] . . d:\windows\system32\wininet.dll

[-] 2008-04-14 . 121A686E3D61D9D45F25C03A1E4EC6D5 . 1541120 . . [6.00.2900.5512] . . d:\windows\explorer.exe
[-] 2008-04-14 . 137A31C90841DB6EF71ABE912E72121E . 1552384 . . [6.00.2900.5512] . . d:\windows\NiwradSoft Shell Pack\Backup\explorer.exe

[-] 2008-04-14 . D8152865F2A59D765AF8317E38AA5FB4 . 25088 . . [5.1.2600.5512] . . d:\windows\NiwradSoft Shell Pack\Backup\ctfmon.exe
[-] 2008-04-14 . 0415E09C0BCCBF8B5CD5A05889EFB962 . 40448 . . [5.1.2600.5512] . . d:\windows\system32\ctfmon.exe

[-] 2008-12-19 . AF9671053F8E5272D879A0F0B2E418DD . 2325248 . . [5.1.2600.5512] . . d:\windows\NiwradSoft Shell Pack\Backup\ntkrnlpa.exe
[-] 2008-12-19 . BB65E17A747BE935D30B142297224DDB . 2244736 . . [5.1.2600.5512] . . d:\windows\system32\ntkrnlpa.exe
.
((((((((((((((((((((((((((((( SnapShot@2010-02-17_14.59.06 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-02-19 18:44 . 2010-02-19 18:44 16384 d:\windows\temp\Perflib_Perfdata_a4.dat
+ 2010-02-19 17:56 . 2010-02-19 17:56 16384 d:\windows\temp\Perflib_Perfdata_120.dat
+ 2008-04-14 06:51 . 2008-04-14 06:51 18944 d:\windows\system32\midimap.dll
+ 2008-04-14 06:51 . 2008-04-14 06:51 18944 d:\windows\system32\dllcache\midimap.dll
+ 2010-02-17 15:00 . 2010-02-17 14:47 16384 d:\windows\Cookies\index.dat
+ 2010-02-19 18:02 . 2010-02-19 18:02 5120 d:\windows\Installer\{789289CA-F73A-4A16-A331-54D498CE069F}\Icon789289CA.exe
- 2010-02-07 16:29 . 2010-02-07 16:29 5120 d:\windows\Installer\{789289CA-F73A-4A16-A331-54D498CE069F}\Icon789289CA.exe
.
(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="d:\windows\system32\NvCpl.dll" [2009-02-09 13680640]
"nwiz"="nwiz.exe" [2009-02-09 1657376]
"NvMediaCenter"="d:\windows\system32\NvMcTray.dll" [2009-02-09 86016]
"RTHDCPL"="RTHDCPL.EXE" [2005-12-19 15797248]
"nod32kui"="d:\program files\Eset\nod32kui.exe" [2009-08-03 949376]
"Reloader"="d:\windows\NiwradSoft Shell Pack\Tools\Reloader.exe" [2009-07-23 364846]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="d:\windows\system32\CTFMON.EXE" [2008-04-14 40448]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"_nltide_3"="advpack.dll" [2008-04-14 100352]

d:\documents and settings\Administrator\Nabˇdka Start\Programy\Po spuçtŘnˇ\
Stardock ObjectDock.lnk - d:\program files\Stardock\ObjectDock\ObjectDock.exe [2009-8-3 3450608]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)
"StartMenuLogoff"= 1 (0x1)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0OODBS

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Steam"="d:\program files\steam\steam.exe" -silent
"AlcoholAutomount"="d:\program files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
"CTFMON.EXE"=d:\windows\system32\ctfmon.exe
"Google Update"="d:\documents and settings\Administrator\Local Settings\Data aplikací\Google\Update\GoogleUpdate.exe" /c

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"OODefragTray"=d:\windows\system32\oodtray.exe
"CSR"=d:\windows\dftp.exe
"HP Software Update"="d:\program files\HP\HP Software Update\HPWuSchd2.exe"
"SVT"=d:\windows\nnmp.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R0 Si3124;Si3124;d:\windows\system32\drivers\si3124.sys [19.12.2008 14:14 76208]
R0 Si3531;Si3531;d:\windows\system32\drivers\Si3531.sys [19.12.2008 14:14 210224]
R1 nod32drv;nod32drv;d:\windows\system32\drivers\nod32drv.sys [3.8.2009 9:52 15424]
R2 cpuz132;cpuz132;d:\windows\system32\drivers\cpuz132_x32.sys [8.11.2009 9:21 12672]
S4 sptd;sptd;d:\windows\system32\drivers\sptd.sys [23.7.2009 9:32 721904]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Obsah adresáře 'Naplánované úlohy'

2010-02-19 d:\windows\Tasks\1-Click Maintenance.job
- d:\program files\TuneUp Utilities 2009\OneClickStarter.exe [2008-12-11 19:36]

2009-10-12 d:\windows\Tasks\HPpromotions journeysoftware.job
- d:\program files\hp\digital imaging\bin\hp promotions\journeysoftware\HPpromo.exe [2005-04-22 15:36]
.
.
------- Doplňkový sken -------
.
IE: E&xportovat do aplikace Microsoft Office Excel - d:\progra~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
IE: Stáhnout odkaz s použitím BitCometu - d:\program files\BitComet\BitComet.exe/AddLink.htm
IE: Stáhnout všechna videa s použitím BitCometu - d:\program files\BitComet\BitComet.exe/AddVideo.htm
IE: Stáhnout všechny odkazy s použitím BitCometu - d:\program files\BitComet\BitComet.exe/AddAllLink.htm
LSP: d:\windows\system32\imon.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-19 19:45
Windows 5.1.2600 Service Pack 3 NTFS

skenování skrytých procesů ...

skenování skrytých položek 'Po spuštění' ...

skenování skrytých souborů ...

sken byl úspešně dokončen
skryté soubory: 0

**************************************************************************
.
--------------------- ZAMKNUTÉ KLÍČE V REGISTRU ---------------------

[HKEY_USERS\S-1-5-21-1409082233-1417001333-1801674531-500\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:a6,19,81,df,cd,88,5f,78,20,04,ab,44,34,07,f2,3e,db,dc,50,28,b6,43,f7,
ab,13,2f,2b,fa,c7,d2,82,1e,21,3b,8c,c7,c4,03,9f,92,f5,ca,f7,82,41,6a,fc,12,\
"??"=hex:1d,5a,02,6e,a1,91,e1,37,80,a6,f8,27,69,5a,ff,b4

[HKEY_USERS\S-1-5-21-1409082233-1417001333-1801674531-500\Software\SecuROM\License information*]
"datasecu"=hex:d4,e4,ae,e9,c9,46,c8,20,09,1e,be,22,fc,7d,14,10,d6,84,2f,54,d0,
49,44,20,25,18,97,35,1f,35,49,39,e6,14,fa,89,fa,ac,87,e0,b9,43,22,2d,fb,15,\
"rkeysecu"=hex:e9,8a,d8,8c,04,8e,0c,6e,28,0d,12,16,3f,d7,c8,fd

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\System*]
"OODEFRAG11.00.00.01WORKSTATION"="9942A825F11C18E17EF1E4DFF26DFA58F3F272ED0AD9B2FEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CA6A0AC4980AC7933C038D530D6EB34529DB7CE019D40AA5C8EDD5E5BE2F6E667079E2EEF457D4BDF4D4864A6B38FB31B9D140EC3BAC672681C7A847EFAF3F3BE0B32B1E1DF96773E8C5D0EE471ECC9E17B072AC2AFD81E89D06ECA2F81166BD61B2410D7343B61CD8374B0B18D13EBD465A6C81EE03D43F8F689AFD347258E09F8CD612959C41AFA85B2FE9C7CB893A5E006D4B8C72763CC636AF3C3E7730A73EBFA61C2A9419388EAB2CB45FDC91E5FF529D9082180E5F36F2300E94187EB093E6BF0A4C3F4298F8E7F12DF9065CCDAB10C0B986E63942D7BBCDDC5F498298FBE5412E18CD49579511BEBB8F7DFC6C9A41C3F86F3231E8EE6B0BD6AE916981FBF5C6DA4AA8BF88496FA1DABBC4092AD62BAED84BBC1957F176D717E4A207527191F502809F8D8C3450709A8AAC21FE105BEB7D99379EF3FF658EF3E830EDDE8A4AEA83D552D1D1FC99C39B65355BE8EA8F25CDF8BB5085C734653F847E7D7F9C08D0C4885729150130DD9EE889CA4B5ED924306F8979DBC7F03DC918CEA49C4D0343140CE3F6765159D3BFCE4716BAAF952F44C747451980ECC6D7F8E897D063A8E73B32CC43343480754A443DB1115F4D721CADC53AA7D9AD88C4D4969A4CF69FCD4C05F646C1F27F6BD39439EF6F08ABB982B5171934B234C651B80635288CBD2F79C67B5EF04318D32A44AAC600DED8D51AC38BFD9B6A943471C3986FBE954D7A48F8E01FECF6B5F94E480AB790ED04EE4A03BE1B14932CBA397BE927E81F8C9C675DF47BC385C76E88AD0F84EECEEF491EC46B0AF5F46E812E81F7D193035D6EEBFA9BAB1C010CFD73BECA350F182EAB90D0B384F2AF412CDFDAB70EFAC88A4CFF07EBF4BC6965C302F476F55C0CC8DE18EFDBAEEAE50B236DCF94A0901734A42A23673D8F68380E03419D3164B92AFB59359AACFC3EBA9CC1AE61BD00BFED34201EBA38F556C1600AC5F7B30D89D18825299B29918E2C8B9620D2995FB33C0EF4B7F5186B770E9C40D58462585B800391680AD562C525946F3D1EE8C5A21860E5713353CCAACBC0E5E8848DA42B59470BB12ACF354DC94E3A35917CBFDDA0C850C0E39100B46445CBD39491AD168F9E2B69873453A26A9A3D70E074F96F52D61669BF9C54C63A8D2DDF54311CB2A446C8CA1FB02D8D9BC3C8B9ED0F4250D3BD2F62B4C85B531073C028EE7CF1D57FD91587CF14283A5E289CE7CBF0280C0F8ABE0EE365DC1DD71850598994D045126F54840B5065C39A98A44DF511D50311F66DDDFF1BC3E1EEBBE52EAEE6195FBADE41DC4DC2E5E4B0E6124BF37521508D99D39B76E78CF296F1DEDA1B5CAB8BFFACBAEA7AE03D417"
.
--------------------- Knihovny navázané na běžící procesy ---------------------

- - - - - - - > 'winlogon.exe'(1104)
d:\windows\system32\SETUPAPI.dll
d:\windows\system32\sfc_os.dll
d:\windows\system32\cscui.dll

- - - - - - - > 'lsass.exe'(1164)
d:\windows\system32\SETUPAPI.dll
d:\windows\system32\imon.dll
d:\program files\Eset\pr_imon.dll
d:\windows\system32\psbase.dll

- - - - - - - > 'explorer.exe'(1508)
d:\program files\Stardock\ObjectDock\DockShellHook.dll
d:\windows\system32\COMRes.dll
d:\windows\System32\cscui.dll
d:\windows\system32\SETUPAPI.dll
d:\windows\system32\WPDShServiceObj.dll
d:\windows\system32\PortableDeviceTypes.dll
d:\windows\system32\PortableDeviceApi.dll
d:\windows\system32\NETSHELL.dll
d:\windows\system32\credui.dll
.
------------------------ Jiné spuštené procesy ------------------------
.
d:\windows\system32\RUNDLL32.EXE
d:\windows\RTHDCPL.EXE
d:\program files\Java\jre6\bin\jqs.exe
d:\program files\Common Files\Nero\Nero BackItUp 4\NBService.exe
d:\program files\Eset\nod32krn.exe
d:\windows\system32\nvsvc32.exe
d:\windows\system32\oodag.exe
d:\windows\system32\HPZipm12.exe
d:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
d:\windows\System32\TUProgSt.exe
d:\windows\system32\wbem\wmiapsrv.exe
.
**************************************************************************
.
Celkový čas: 2010-02-19 19:47:06 - počítač byl restartován
ComboFix-quarantined-files.txt 2010-02-19 18:47
ComboFix2.txt 2010-02-19 17:59
ComboFix3.txt 2010-02-17 15:00

Před spuštěním: 3 071 782 912
Po spuštění: 3 050 463 232

- - End Of File - - 0D0737426BEAA7267093C3572914606E

[warcraftan]

Vše jsem udělal, mám takovy pocit, že je to lepší, Díky Jaro, že jsi to se mnou vyřešil i za tvůj volný čas, jsi opravdu borec!

Je to tedy vše? můžu ještě nakonec to projet ATF-cleanerem, a CCčkem?

[jaro3]

Nemáš zač.

ComboFix se odinstaluje takto:
Start-Spustit a zadej ComboFix /Uninstall

vyčisti systém CCleanerem

a použij i T-Cleaner
smaže vše po Combu,MWAVu atd.-stáhneš>spustíš

Pokud nejsou problémy , je to vše a můžeš dát vyřešeno , zelenou fajfku

[warcraftan]

jj, ještě jednou díky, měj se