svchost vytazuje proc. na 100%

Dencul · Příspěvekod **Dencul** » 02 dub 2010 20:55

Najprv by som chcela poďakovať za predchádzajúcu pomoc, a zároveň poprosiť o ďalšiu. Neviem čím to je ale svchost mi vyťažuje procesor na 100% :-(

(už zas)

Vkladám log z HijackThis.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:13:26, on 2. 4. 2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
H:\WINDOWS\System32\smss.exe
H:\WINDOWS\system32\csrss.exe
H:\WINDOWS\system32\winlogon.exe
H:\WINDOWS\system32\services.exe
H:\WINDOWS\system32\lsass.exe
H:\WINDOWS\system32\nvsvc32.exe
H:\WINDOWS\system32\svchost.exe
H:\WINDOWS\system32\svchost.exe
H:\WINDOWS\System32\svchost.exe
H:\WINDOWS\system32\svchost.exe
H:\WINDOWS\system32\svchost.exe
H:\WINDOWS\system32\svchost.exe
H:\WINDOWS\system32\ZoneLabs\vsmon.exe
H:\WINDOWS\Explorer.EXE
H:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
H:\Program Files\Alwil Software\Avast4\ashServ.exe
H:\WINDOWS\system32\spoolsv.exe
H:\WINDOWS\system32\svchost.exe
H:\Program Files\Common Files\ABBYY\FineReader\9.00\Licensing\PE\NetworkLicenseServer.exe
H:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
H:\Program Files\Bonjour\mDNSResponder.exe
H:\Program Files\Java\jre6\bin\jqs.exe
H:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
H:\WINDOWS\system32\svchost.exe
H:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
H:\Program Files\Alwil Software\Avast4\ashWebSv.exe
H:\WINDOWS\System32\alg.exe
H:\Program Files\XpertVision\TBPanel.exe
H:\Program Files\Mozilla Firefox\firefox.exe
H:\WINDOWS\system32\taskmgr.exe
H:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
H:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
H:\Program Files\iTunes\iTunesHelper.exe
H:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
H:\WINDOWS\RTHDCPL.EXE
H:\WINDOWS\system32\RUNDLL32.EXE
H:\Documents and Settings\All Users\Data aplikací\LangSoft\OETRN.EXE
H:\Program Files\ICQ6.5\ICQ.exe
H:\Program Files\iPod\bin\iPodService.exe
H:\WINDOWS\system32\ctfmon.exe
H:\Program Files\Trend Micro\HijackThis\HijackThis.exe
H:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://search13.net/search.php?clid=486&q=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://search13.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://search13.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search13.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search13.net/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search13.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search13.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://search13.net/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
O2 - BHO: Podpora odkazu pre aplikáciu Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - H:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WebTransBHO Class - {2DB66063-BB98-466A-AA0D-3E7ACF5ED853} - H:\Documents and Settings\All Users\Data aplikací\LangSoft\WebIE.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - H:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - H:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - H:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: WebTranslator - {BFC32E1D-EE75-4A48-BC60-104E11EE2431} - H:\Documents and Settings\All Users\Data aplikací\LangSoft\WebIE.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - H:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [TBPanel] H:\Program Files\XpertVision\TBPanel.exe /A
O4 - HKLM\..\Run: [avast!] H:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "H:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [iTunesHelper] "H:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "H:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE H:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE H:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [OEXPRESS] H:\Documents and Settings\All Users\Data aplikací\LangSoft\OETRN.EXE
O4 - HKCU\..\Run: [MSMSGS] "H:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ICQ] "H:\Program Files\ICQ6.5\ICQ.exe" silent
O4 - HKCU\..\Run: [ctfmon.exe] H:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AlcoholAutomount] "H:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] H:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] H:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: syspck32.exe
O8 - Extra context menu item: E&xportovať do programu Microsoft Excel - res://H:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: StylishProfile - {14CD42DD-ABCD-3586-DCAB-40E3693E3737} - H:\Program Files\Stylish Profile\ct.htm (file missing)
O9 - Extra 'Tools' menuitem: StylishProfile - {14CD42DD-ABCD-3586-DCAB-40E3693E3737} - H:\Program Files\Stylish Profile\ct.htm (file missing)
O9 - Extra button: WebTran - {7E6A20FB-153F-402c-A84B-1A64E1955D3D} - H:\Documents and Settings\All Users\Data aplikací\LangSoft\WebIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - H:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {BFC32E1D-EE75-4A48-BC60-104E11EE2431} - (no file)
O9 - Extra button: (no name) - {CC963627-B1DC-40E0-B52A-CF21EE748449} - H:\Documents and Settings\All Users\Data aplikací\LangSoft\WebIE.dll
O9 - Extra 'Tools' menuitem: &Nastavit překladač - {CC963627-B1DC-40E0-B52A-CF21EE748449} - H:\Documents and Settings\All Users\Data aplikací\LangSoft\WebIE.dll
O9 - Extra button: (no name) - {CC963627-B1DC-40E0-B52A-CF21EE748450} - H:\Documents and Settings\All Users\Data aplikací\LangSoft\WebIE.dll
O9 - Extra 'Tools' menuitem: &Slovník - {CC963627-B1DC-40E0-B52A-CF21EE748450} - H:\Documents and Settings\All Users\Data aplikací\LangSoft\WebIE.dll
O9 - Extra button: (no name) - {CC963627-B1DC-40E0-B52A-CF21EE748451} - H:\Documents and Settings\All Users\Data aplikací\LangSoft\WebIE.dll
O9 - Extra 'Tools' menuitem: Přeložit &označený text - {CC963627-B1DC-40E0-B52A-CF21EE748451} - H:\Documents and Settings\All Users\Data aplikací\LangSoft\WebIE.dll
O9 - Extra button: (no name) - {CC963627-B1DC-40E0-B52A-CF21EE748452} - H:\Documents and Settings\All Users\Data aplikací\LangSoft\WebIE.dll
O9 - Extra 'Tools' menuitem: Přeložit &stránku - {CC963627-B1DC-40E0-B52A-CF21EE748452} - H:\Documents and Settings\All Users\Data aplikací\LangSoft\WebIE.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - H:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - H:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - H:\Program Files\ICQ6.5\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - H:\Program Files\ICQ6.5\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 2097655796
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - http://download.eset.com/special/eos/OnlineScanner.cab
O23 - Service: ABBYY FineReader 9.0 PE Licensing Service (ABBYY.Licensing.FineReader.Professional.9.0) - ABBYY (BIT Software) - H:\Program Files\Common Files\ABBYY\FineReader\9.00\Licensing\PE\NetworkLicenseServer.exe
O23 - Service: Apple Mobile Device - Apple Inc. - H:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - H:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - H:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - H:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - H:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - H:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - H:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - H:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - H:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Nero BackItUp Scheduler 4.0 - Nero AG - H:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - H:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia - H:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - H:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 10362 bytes
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Stiahla som si Malwarebytes' Anti-Malware a robím sken, len čo skončí kontrola hodím sem log.

Reklama

Dencul · Příspěvekod **Dencul** » 02 dub 2010 21:40

Tu je ten log z Malwarebytes.
Mám to zmazať všetky infikované súbory?

Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Verzia databázy: 3947

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

2. 4. 2010 21:34:07
mbam-log-2010-04-02 (21-34-07).txt

Typ kontroly: Rýchla kontrola
Objektov kontrolovaných: 105104
Uplynulý čas: 58 min, 21 sek

Infikované služby pamäte: 0
Infikované moduly pamäte: 0
Infikované registračné kľúče: 0
Infikované registračné hodnoty: 0
Infikované položky registračných dát: 7
Infikované priečinky: 0
Infikované súbory: 3

Infikované služby pamäte:
(Škodlivé položky neboli zistené)

Infikované moduly pamäte:
(Škodlivé položky neboli zistené)

Infikované registračné kľúče:
(Škodlivé položky neboli zistené)

Infikované registračné hodnoty:
(Škodlivé položky neboli zistené)

Infikované položky registračných dát:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\Search Bar (Hijack.SearchPage) -> Bad: (http://search13.net/) Good: (http://www.Google.com/) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page (Hijack.SearchPage) -> Bad: (http://search13.net/) Good: (http://www.Google.com/) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Search\SearchAssistant (Hijack.SearchPage) -> Bad: (http://search13.net/) Good: (http://www.Google.com/) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Search\CustomizeSearch (Hijack.SearchPage) -> Bad: (http://search13.net/) Good: (http://www.Google.com/) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\Default_Page_URL (Hijack.StartPage) -> Bad: (http://search13.net/) Good: (http://www.Google.com) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page (Hijack.StartPage) -> Bad: (http://search13.net/) Good: (http://www.Google.com) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\Default_Search_URL (Hijack.SearchPage) -> Bad: (http://search13.net/) Good: (http://www.Google.com) -> No action taken.

Infikované priečinky:
(Škodlivé položky neboli zistené)

Infikované súbory:
H:\Documents and Settings\dena\Data aplikací\avdrn.dat (Malware.Trace) -> No action taken.
H:\WINDOWS\system32\config\systemprofile\Data aplikací\fvgqad.dat (Malware.Trace) -> No action taken.
H:\Documents and Settings\dena\Nabídka Start\Programy\Po spuštění\syspck32.exe (Trojan.Downloader) -> No action taken.

Příspěvekod **jaro3** » 02 dub 2010 22:58

. Takže spusť znovu MbAM a dej Scan
- po proběhnutí programu se ti objeví hláška tak klikni na OK a pak na tlačítko Ukaž výsledky
- ujistit se že máš zatrhnuté všechny vypsané nálezy a klikni na tlačítko Odstranit označené
- když skončí odstraňování tak se ti zobrazí log, tak ho sem dej.
- pak zvol v programu OK a pak program ukonči přes Exit

Můžeš sem pak vložit log z MbAM.

Zavři ostatní aplikace a prohlížeče, odpoj se od netu a fixni v HJT:
Návod

Kód: Vybrat vše

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://search13.net/search.php?clid=486&q=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://search13.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://search13.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search13.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search13.net/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search13.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search13.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://search13.net/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Podpora odkazu pre aplikáciu Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - H:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "H:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - Startup: syspck32.exe
O9 - Extra button: StylishProfile - {14CD42DD-ABCD-3586-DCAB-40E3693E3737} - H:\Program Files\Stylish Profile\ct.htm (file missing)
O9 - Extra 'Tools' menuitem: StylishProfile - {14CD42DD-ABCD-3586-DCAB-40E3693E3737} - H:\Program Files\Stylish Profile\ct.htm (file missing)
O9 - Extra button: (no name) - {BFC32E1D-EE75-4A48-BC60-104E11EE2431} - (no file)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 2097655796
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - http://download.eset.com/special/eos/OnlineScanner.cab

Stáhni si ATF Cleaner
Poklepej na ATF Cleaner.exe, klikni na select all found, poté:
-Když používáš Firefox (Mozzila), klikni na Firefox nahoře a vyber: Select All, poté klikni na Empty Selected.
-Když používáš Operu, klikni nahoře na Operu a vyber: Select All, poté klikni na Empty Selected.
Po vyčištění klikni na Exit k zavření programu.

Vypni rez. ochranu u Avastu
Stáhni si ComboFix (by sUBs)
a ulož si ho na plochu.
Ukonči všechna aktivní okna a spusť ho.
- Po spuštění se zobrazí podmínky užití, potvrď je stiskem tlačítka Ano
- Dále postupuj dle pokynů, během aplikování ComboFixu neklikej do zobrazujícího se okna
- Po dokončení skenování by měl program vytvořit log - C:\ComboFix.txt - zkopíruj sem prosím celý jeho obsah
Pokud budou problémy , spusť ho v nouz. režimu.

Dencul · Příspěvekod **Dencul** » 03 dub 2010 01:27

log z ComboFix:

ComboFix 10-04-01.02 - dena . 04. 2010 1:06.3.1 - x86
Systém Microsoft Windows XP Professional 5.1.2600.3.1250.421.1029.18.2047.1601 [GMT 2:00]
Running from: h:\documents and settings\dena\Plocha\ComboFix.exe
AV: avast! antivirus 4.8.1368 [VPS 100402-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

h:\windows\AppPatch\AcAdProc.dll
h:\windows\system32\fjhdyfhsn.bat

.
((((((((((((((((((((((((( Files Created from 2010-03-02 to 2010-04-02 )))))))))))))))))))))))))))))))
.

2010-04-02 18:23 . 2010-03-29 22:46 38224 ----a-w- h:\windows\system32\drivers\mbamswissarmy.sys
2010-04-02 18:23 . 2010-04-02 18:24 -------- d-----w- h:\program files\Malwarebytes' Anti-Malware
2010-04-02 18:23 . 2010-03-29 22:45 20824 ----a-w- h:\windows\system32\drivers\mbam.sys
2010-04-02 18:12 . 2010-04-02 18:12 -------- d-----w- h:\program files\Trend Micro
2010-04-02 16:57 . 2008-04-13 22:10 34688 -c--a-w- h:\windows\system32\dllcache\lbrtfdc.sys
2010-04-02 16:57 . 2008-04-13 22:10 34688 ----a-w- h:\windows\system32\drivers\lbrtfdc.sys
2010-04-02 16:56 . 2008-04-13 22:11 8576 -c--a-w- h:\windows\system32\dllcache\i2omgmt.sys
2010-04-02 16:56 . 2008-04-13 22:11 8576 ----a-w- h:\windows\system32\drivers\i2omgmt.sys
2010-04-02 16:56 . 2008-04-13 22:11 8192 -c--a-w- h:\windows\system32\dllcache\changer.sys
2010-04-02 16:56 . 2008-04-13 22:11 8192 ----a-w- h:\windows\system32\drivers\changer.sys
2010-03-31 20:39 . 2010-03-31 20:39 -------- d-----w- h:\program files\Codemasters
2010-03-27 20:58 . 2010-03-29 17:17 -------- d-----w- h:\program files\Games
2010-03-21 09:54 . 2010-03-21 09:54 -------- d-----w- h:\program files\Common Files\Program4Pc
2010-03-19 17:41 . 2010-03-20 23:26 2560 ----a-w- h:\windows\_MSRSTRT.EXE
2010-03-19 17:31 . 2008-04-26 15:14 42672 ------w- h:\windows\system32\wbsys.dll
2010-03-19 16:45 . 2010-03-19 16:45 -------- d-----w- h:\program files\Common Files\Stardock
2010-03-19 09:25 . 2010-03-19 09:25 -------- d-----w- h:\program files\Microsoft Silverlight
2010-03-18 14:56 . 2010-03-18 14:56 -------- d-----w- h:\program files\NVIDIA Corporation
2010-03-08 16:16 . 2010-03-31 11:32 -------- d-----w- h:\windows\ie8updates
2010-03-08 16:15 . 2010-02-12 10:03 293376 ------w- h:\windows\system32\browserchoice.exe
2010-03-08 16:12 . 2010-02-25 06:18 594432 -c----w- h:\windows\system32\dllcache\msfeeds.dll
2010-03-08 16:12 . 2010-02-25 06:18 1985536 -c----w- h:\windows\system32\dllcache\iertutil.dll
2010-03-08 16:12 . 2010-02-25 06:18 247808 -c----w- h:\windows\system32\dllcache\ieproxy.dll
2010-03-08 16:12 . 2010-02-25 06:18 12800 -c----w- h:\windows\system32\dllcache\xpshims.dll
2010-03-08 16:12 . 2010-02-25 06:18 55296 -c----w- h:\windows\system32\dllcache\msfeedsbs.dll
2010-03-08 16:12 . 2010-02-25 09:48 11070976 -c----w- h:\windows\system32\dllcache\ieframe.dll
2010-03-08 16:09 . 2010-03-08 16:09 -------- d-sh--w- h:\documents and settings\dena\IECompatCache
2010-03-08 16:09 . 2010-03-08 16:09 -------- d-sh--w- h:\documents and settings\dena\PrivacIE
2010-03-08 16:04 . 2010-03-08 16:04 -------- d-sh--w- h:\documents and settings\dena\IETldCache
2010-03-08 15:57 . 2010-03-08 15:58 -------- dc-h--w- h:\windows\ie8
2010-03-08 15:57 . 2010-03-08 15:58 -------- d-----w- h:\windows\system32\sk-SK

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-02 23:14 . 2010-01-15 17:35 2040629 ----a-w- h:\windows\Internet Logs\tvDebug.Zip
2010-04-02 17:49 . 2010-04-02 17:50 3125248 ----a-w- h:\windows\Internet Logs\xDB15.tmp
2010-03-31 20:45 . 2008-12-28 18:03 108144 -c--a-w- h:\windows\system32\CmdLineExt.dll
2010-03-28 10:54 . 2001-10-25 14:00 439798 ----a-w- h:\windows\system32\perfh005.dat
2010-03-28 10:54 . 2001-10-25 14:00 82014 ----a-w- h:\windows\system32\perfc005.dat
2010-03-23 14:47 . 2010-03-24 14:18 8704 ----a-w- h:\windows\Internet Logs\xDB14.tmp
2010-03-22 22:02 . 2010-03-23 14:47 139776 ----a-w- h:\windows\Internet Logs\xDB13.tmp
2010-03-21 00:20 . 2010-03-31 11:29 287806 ----a-w- h:\windows\pchealth\helpctr\Config\Cache\Professional_32_1029.dat
2010-03-20 10:20 . 2010-03-20 20:21 8704 ----a-w- h:\windows\Internet Logs\xDB12.tmp
2010-03-20 10:16 . 2010-03-20 10:20 304640 ----a-w- h:\windows\Internet Logs\xDB11.tmp
2010-03-12 11:02 . 2010-03-13 12:26 8704 ----a-w- h:\windows\Internet Logs\xDB10.tmp
2010-03-12 09:04 . 2010-03-12 11:02 106496 ----a-w- h:\windows\Internet Logs\xDBF.tmp
2010-03-08 16:22 . 2010-03-08 16:23 3063296 ----a-w- h:\windows\Internet Logs\xDBE.tmp
2010-03-08 16:22 . 2010-03-08 16:23 172544 ----a-w- h:\windows\Internet Logs\xDBD.tmp
2010-03-01 15:25 . 2010-03-02 14:17 8704 ----a-w- h:\windows\Internet Logs\xDBC.tmp
2010-02-28 22:09 . 2010-03-01 15:25 491008 ----a-w- h:\windows\Internet Logs\xDBB.tmp
2010-02-25 06:18 . 2008-04-14 06:52 916480 ----a-w- h:\windows\system32\wininet.dll
2010-02-14 00:49 . 2010-02-14 08:57 3038720 ----a-w- h:\windows\Internet Logs\xDBA.tmp
2010-02-12 21:26 . 2008-12-12 16:39 -------- d--h--w- h:\program files\InstallShield Installation Information
2010-02-12 14:20 . 2010-02-13 10:05 8704 ----a-w- h:\windows\Internet Logs\xDB9.tmp
2010-02-11 21:04 . 2010-02-12 14:20 234496 ----a-w- h:\windows\Internet Logs\xDB8.tmp
2010-01-30 08:52 . 2010-01-31 08:45 8704 ----a-w- h:\windows\Internet Logs\xDB7.tmp
2010-01-29 20:18 . 2010-01-30 08:52 95232 ----a-w- h:\windows\Internet Logs\xDB6.tmp
2010-01-23 10:54 . 2010-01-24 10:21 8704 ----a-w- h:\windows\Internet Logs\xDB5.tmp
2010-01-23 10:52 . 2010-01-23 10:54 204800 ----a-w- h:\windows\Internet Logs\xDB3.tmp
2010-01-23 10:25 . 2008-12-25 14:18 721904 ----a-w- h:\windows\system32\drivers\sptd.sys
2010-01-18 15:56 . 2010-01-18 15:57 120320 ----a-w- h:\windows\Internet Logs\xDB2.tmp
2010-01-15 17:35 . 2010-01-16 10:10 8704 ----a-w- h:\windows\Internet Logs\xDB4.tmp
2010-01-15 17:33 . 2010-01-15 17:35 48640 ----a-w- h:\windows\Internet Logs\xDB1.tmp
2010-01-15 16:15 . 2010-01-15 16:15 56 ---ha-w- h:\windows\system32\ezsidmv.dat
2010-01-11 21:17 . 2010-01-11 21:17 278120 ----a-w- h:\windows\system32\nvmccs.dll
2010-01-11 21:17 . 2010-01-11 21:17 154216 ----a-w- h:\windows\system32\nvsvc32.exe
2010-01-11 21:17 . 2010-01-11 21:17 145000 ----a-w- h:\windows\system32\nvcolor.exe
2010-01-11 21:17 . 2010-01-11 21:17 13666408 ----a-w- h:\windows\system32\nvcpl.dll
2010-01-11 21:17 . 2010-01-11 21:17 110696 ----a-w- h:\windows\system32\nvmctray.dll
2010-01-11 21:17 . 2010-01-11 21:17 81920 ----a-w- h:\windows\system32\nvwddi.dll
2010-01-04 14:09 . 2008-04-14 06:51 17408 ----a-w- h:\windows\system32\alrsvc.dll
2010-01-04 14:08 . 2008-12-12 10:17 6656 ----a-w- h:\windows\system32\wuauserv.dll
.

------- Sigcheck -------

[-] 2008-05-11 . E3B22F050F840306FD522227F68046C5 . 1571840 . . [5.1.2600.5512] . . h:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OEXPRESS"="h:\documents and settings\All Users\Data aplikací\LangSoft\OETRN.EXE" [2009-09-12 26624]
"ICQ"="h:\program files\ICQ6.5\ICQ.exe" [2010-01-03 172792]
"AlcoholAutomount"="h:\program files\Alcohol Soft\Alcohol 120\axcmd.exe" [2009-04-24 203928]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TBPanel"="h:\program files\XpertVision\TBPanel.exe" [2008-01-29 2157064]
"avast!"="h:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]
"iTunesHelper"="h:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"ZoneAlarm Client"="h:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-11-22 1037192]
"RTHDCPL"="RTHDCPL.EXE" [2007-09-19 16844800]
"NvMediaCenter"="h:\windows\system32\NvMcTray.dll" [2010-01-11 110696]
"NvCplDaemon"="h:\windows\system32\NvCpl.dll" [2010-01-11 13666408]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="h:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NokiaMServer]
h:\program files\Common Files\Nokia\MPlatform\NokiaMServer [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Nokia FastStart]
2009-02-26 16:04 2376992 ----a-w- h:\program files\Nokia\Nokia Music\NokiaMusic.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NokiaOviSuite2]
2009-10-27 14:10 401728 ----a-w- h:\program files\Nokia\Nokia Ovi Suite\NokiaOviSuite.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"h:\\Program Files\\Vuze\\Azureus.exe"=
"h:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"h:\\Program Files\\iTunes\\iTunes.exe"=
"h:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"h:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"h:\\WINDOWS\\system32\\sessmgr.exe"=
"h:\\Program Files\\ICQ6.5\\ICQ.exe"=
"h:\\Program Files\\Messenger\\msmsgs.exe"=

R0 sptd;sptd;h:\windows\system32\drivers\sptd.sys [25. 12. 2008 16:18 721904]
R1 aswSP;avast! Self Protection;h:\windows\system32\drivers\aswSP.sys [26. 12. 2008 23:09 114768]
R2 ABBYY.Licensing.FineReader.Professional.9.0;ABBYY FineReader 9.0 PE Licensing Service;h:\program files\Common Files\ABBYY\FineReader\9.00\Licensing\PE\NetworkLicenseServer.exe [27. 10. 2008 18:03 759072]
R2 aswFsBlk;aswFsBlk;h:\windows\system32\drivers\aswFsBlk.sys [26. 12. 2008 23:09 20560]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-01-27 h:\windows\Tasks\AppleSoftwareUpdate.job
- h:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.Google.com
uDefault_Search_URL = hxxp://www.Google.com
uSearchAssistant = hxxp://www.Google.com/
uCustomizeSearch = hxxp://www.Google.com/
IE: E&xportovať do programu Microsoft Excel - h:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: {{7E6A20FB-153F-402c-A84B-1A64E1955D3D} - {7E6A20FB-153F-402c-A84B-1A64E1955D3D} - h:\documents and settings\All Users\Data aplikací\LangSoft\WebIE.dll
IE: {{CC963627-B1DC-40E0-B52A-CF21EE748449} - {CC963627-B1DC-40E0-B52A-CF21EE748449} - h:\documents and settings\All Users\Data aplikací\LangSoft\WebIE.dll
IE: {{CC963627-B1DC-40E0-B52A-CF21EE748450} - {CC963627-B1DC-40E0-B52A-CF21EE748450} - h:\documents and settings\All Users\Data aplikací\LangSoft\WebIE.dll
IE: {{CC963627-B1DC-40E0-B52A-CF21EE748451} - {CC963627-B1DC-40E0-B52A-CF21EE748451} - h:\documents and settings\All Users\Data aplikací\LangSoft\WebIE.dll
IE: {{CC963627-B1DC-40E0-B52A-CF21EE748452} - {CC963627-B1DC-40E0-B52A-CF21EE748452} - h:\documents and settings\All Users\Data aplikací\LangSoft\WebIE.dll
FF - ProfilePath - h:\documents and settings\dena\Data aplikací\Mozilla\Firefox\Profiles\m607gfzq.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search13.net/search.php?clid=486&q=
FF - prefs.js: browser.search.selectedEngine - ICQ Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.sk/
FF - prefs.js: keyword.URL - hxxp://search13.net/search.php?clid=486&q=
FF - plugin: h:\program files\Mozilla Firefox\plugins\npOGAPlugin.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - h:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
h:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
h:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
h:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
h:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
h:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
h:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
h:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
h:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
h:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
h:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
h:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
h:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
h:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
h:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
h:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
h:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
h:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
h:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
h:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
h:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
h:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
h:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
h:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
h:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
h:\program files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".sk");
h:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
h:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
h:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
h:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
h:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
h:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
h:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
h:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
h:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
h:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
h:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
h:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-nwiz - nwiz.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-03 01:12
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys spkz.sys >>UNKNOWN [0x8A684938]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf763bf28
\Driver\ACPI -> ACPI.sys @ 0xf7495cb8
\Driver\atapi -> atapi.sys @ 0xf7978b40
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805e668e
ParseProcedure -> ntoskrnl.exe @ 0x8057b6b1
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805e668e
ParseProcedure -> ntoskrnl.exe @ 0x8057b6b1
user & kernel MBR OK

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1960408961-1715567821-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID]
@Denied: (Full) (LocalSystem)
"{20D04FE0-3AEA-1069-A2D8-08002B30309D}"="h:\\WINDOWS\\System32\\shell32.dll,15"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="h:\\WINDOWS\\system32\\SHELL32.dll,17"
"{208D2C60-3AEA-1069-A2D7-08002B30309D}"="h:\\WINDOWS\\system32\\SHELL32.dll,17"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="h:\\WINDOWS\\system32\\shell32.dll,22"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="h:\\WINDOWS\\system32\\shell32.dll,23"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="h:\\WINDOWS\\system32\\shell32.dll,24"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="h:\\WINDOWS\\system32\\shell32.dll,-175"
"{21EC2020-3AEA-1069-A2DD-08002B30309D}"="h:\\WINDOWS\\System32\\shell32.dll,-137"
"{2227A280-3AEA-1069-A2DE-08002B30309D}"="h:\\WINDOWS\\System32\\shell32.dll,-138"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="h:\\WINDOWS\\system32\\shell32.dll,38"
"AudioCD"="h:\\WINDOWS\\System32\\shell32.dll,40"
"{FBF23B42-E3F0-101B-8488-00AA003E56F8}"="h:\\WINDOWS\\system32\\shell32.dll,220"
"{450D8FBA-AD25-11D0-98A8-0800361B1103}"="h:\\WINDOWS\\system32\\mydocs.dll,0"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="h:\\WINDOWS\\system32\\main.cpl,10"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="h:\\WINDOWS\\system32\\wiashext.dll,0"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="h:\\WINDOWS\\system32\\mstask.dll,-100"
"{88C6C381-2E85-11D0-94DE-444553540000}"="h:\\WINDOWS\\System32\\occache.dll,0"
"{BDEADF00-C265-11d0-BCED-00A0C90AB50F}"="h:\\Program Files\\COMMON~1\\MICROS~1\\WEBFOL~1\\MSONSEXT.DLL,0"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="h:\\WINDOWS\\System32\\shdocvw.dll,-20785"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="h:\\WINDOWS\\System32\\webcheck.dll,0"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="h:\\WINDOWS\\system32\\syncui.dll,0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.EXE'(1884)
h:\windows\system32\webcheck.dll
h:\windows\system32\WPDShServiceObj.dll
h:\windows\system32\PortableDeviceTypes.dll
h:\windows\system32\PortableDeviceApi.dll
h:\documents and settings\All Users\Data aplikací\LangSoft\TrnOEH.dll
.
------------------------ Other Running Processes ------------------------
.
h:\windows\system32\nvsvc32.exe
h:\program files\Alwil Software\Avast4\aswUpdSv.exe
h:\program files\Alwil Software\Avast4\ashServ.exe
h:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
h:\program files\Bonjour\mDNSResponder.exe
h:\program files\Java\jre6\bin\jqs.exe
h:\program files\Common Files\Nero\Nero BackItUp 4\NBService.exe
h:\program files\Alwil Software\Avast4\ashMaiSv.exe
h:\program files\Alwil Software\Avast4\ashWebSv.exe
h:\windows\RTHDCPL.EXE
h:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-04-03 01:17:25 - machine was rebooted
ComboFix-quarantined-files.txt 2010-04-02 23:17

Pre-Run: Volných bajtů: 70 743 392 256
Post-Run: Volných bajtů: 70 983 462 912

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
h:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 4F5E8C7E1E02CE7AA35B64E792D9293F

Příspěvekod **jaro3** » 03 dub 2010 08:08

Stáhni si RootRepeal

Rozbal si archív třeba do C:\RootRepeal
Poklepej na RootRepeal.exe ke startu programu ( ve vistě pravým a vybrat spustit jako administrátor).
Klikni v dolní části na Files a potom na Scan .
Objeví se dialog.okno, dej zatržítko na disk, který chceš skenovat( nejčastěji na C:\ , a potom na OK.
Program začne skenovat zatržený disk. Když sken skončí , budou tam vypsané soubory, ale ne všechny musí být legitimní. Klikni na Save Report a ulož si log do dokumentů. Vlož sem prosím celý jeho obsah.
///////////////////////////

Otevři si Poznámkový blok (Start -> Spustit... a napiš do okna Notepad a dej Ok.
Zkopíruj do něj následující celý text označený zeleně:
Poznámka: Nepoužij k označení skriptu funkci VYBRAT VŠE

Kód: Vybrat vše

KillAll::
h:\windows\Internet Logs\xDB*.tmp
h:\windows\system32\ezsidmv.dat

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000000

RegLock::
[HKEY_USERS\S-1-5-21-1960408961-1715567821-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID]

Firefox::
FF - ProfilePath - h:\documents and settings\dena\Data aplikací\Mozilla\Firefox\Profiles\m607gfzq.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search13.net/search.php?clid=486&q=
FF - prefs.js: browser.search.selectedEngine - ICQ Search
FF - prefs.js: keyword.URL - hxxp://search13.net/search.php?clid=486&q=

Zvol možnost Soubor -> Uložit jako... a nastav tyto parametry:
Název souboru: zde napiš: CFScript.txt
Uložit jako typ: tak tam vyber Všechny soubory
Ulož soubor na plochu.
Ukonči všechna aktivní okna.

Uchop myší vytvořený skript CFScript.txt, přemísti ho nad stažený program ComboFix.exe a když se oba soubory překryjí, skript upusť.
- Automaticky se spustí ComboFix
- Vlož sem log, který vyběhne v závěru čistícího procesu + nový log z HJT

/////////////////////////////////
V možnostech složky si povol zobrazování skrytých souborů a složek+ odškrtni zatržítko skrýt chráněné soubory operačního systému

Toto otestuj na Virustotal
h:\windows\system32\wininet.dll
h:\windows\system32\wuauserv.dll
h:\windows\system32\sfcfiles.dll
h:\windows\_MSRSTRT.EXE
h:\windows\pchealth\helpctr\Config\Cache\Professional_32_1029.dat

Pokud už byl soubor testován-klikni na otestovat znovu.
Až skončí test všech antivirů, vlož sem pak odkazy na stránky s výsledky.

Dencul · Příspěvekod **Dencul** » 03 dub 2010 12:43

Spravila som vsetko. Akurát ten posledný súbor na otestovanie mi to nenašlo v počítači (h:\windows\pchealth\helpctr\Config\Cache\Professional_32_1029.dat) takže ten nie je otestovaný.

ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2010/04/03 11:43
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Hidden/Locked Files
-------------------
Path: H:\RootRepeal
Status: Visible to the Windows API, but not on disk.

Path: H:\WINDOWS\Prefetch\ROOTREPEAL.EXE-146CC66B.pf
Status: Visible to the Windows API, but not on disk.

-------------------------------------------------------------------------------------------------------------------------------------------------------------------------

ComboFix 10-04-01.02 - dena . 04. 2010 12:08:15.4.1 - x86
Systém Microsoft Windows XP Professional 5.1.2600.3.1250.421.1029.18.2047.1690 [GMT 2:00]
Running from: h:\documents and settings\dena\Plocha\ComboFix.exe
Command switches used :: h:\documents and settings\dena\Plocha\CFScript.txt
AV: avast! antivirus 4.8.1368 [VPS 100402-1] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.

((((((((((((((((((((((((( Files Created from 2010-03-03 to 2010-04-03 )))))))))))))))))))))))))))))))
.

2010-04-03 09:40 . 2010-04-03 09:40 -------- d-----w- H:\RootRepeal
2010-04-03 00:38 . 2010-04-03 00:38 -------- d-----w- h:\program files\Common Files\Java
2010-04-03 00:17 . 2010-04-03 00:17 -------- d-----w- h:\program files\Club Control
2010-04-02 18:23 . 2010-03-29 22:46 38224 ----a-w- h:\windows\system32\drivers\mbamswissarmy.sys
2010-04-02 18:23 . 2010-04-02 18:24 -------- d-----w- h:\program files\Malwarebytes' Anti-Malware
2010-04-02 18:23 . 2010-03-29 22:45 20824 ----a-w- h:\windows\system32\drivers\mbam.sys
2010-04-02 18:12 . 2010-04-02 18:12 -------- d-----w- h:\program files\Trend Micro
2010-04-02 16:57 . 2008-04-13 22:10 34688 -c--a-w- h:\windows\system32\dllcache\lbrtfdc.sys
2010-04-02 16:57 . 2008-04-13 22:10 34688 ----a-w- h:\windows\system32\drivers\lbrtfdc.sys
2010-04-02 16:56 . 2008-04-13 22:11 8576 -c--a-w- h:\windows\system32\dllcache\i2omgmt.sys
2010-04-02 16:56 . 2008-04-13 22:11 8576 ----a-w- h:\windows\system32\drivers\i2omgmt.sys
2010-04-02 16:56 . 2008-04-13 22:11 8192 -c--a-w- h:\windows\system32\dllcache\changer.sys
2010-04-02 16:56 . 2008-04-13 22:11 8192 ----a-w- h:\windows\system32\drivers\changer.sys
2010-03-31 20:39 . 2010-03-31 20:39 -------- d-----w- h:\program files\Codemasters
2010-03-27 20:58 . 2010-03-29 17:17 -------- d-----w- h:\program files\Games
2010-03-21 09:54 . 2010-03-21 09:54 -------- d-----w- h:\program files\Common Files\Program4Pc
2010-03-19 17:41 . 2010-03-20 23:26 2560 ----a-w- h:\windows\_MSRSTRT.EXE
2010-03-19 17:31 . 2008-04-26 15:14 42672 ------w- h:\windows\system32\wbsys.dll
2010-03-19 16:45 . 2010-03-19 16:45 -------- d-----w- h:\program files\Common Files\Stardock
2010-03-19 09:25 . 2010-03-19 09:25 -------- d-----w- h:\program files\Microsoft Silverlight
2010-03-18 14:56 . 2010-03-18 14:56 -------- d-----w- h:\program files\NVIDIA Corporation
2010-03-08 16:16 . 2010-03-31 11:32 -------- d-----w- h:\windows\ie8updates
2010-03-08 16:15 . 2010-02-12 10:03 293376 ------w- h:\windows\system32\browserchoice.exe
2010-03-08 16:12 . 2010-02-25 06:18 594432 -c----w- h:\windows\system32\dllcache\msfeeds.dll
2010-03-08 16:12 . 2010-02-25 06:18 1985536 -c----w- h:\windows\system32\dllcache\iertutil.dll
2010-03-08 16:12 . 2010-02-25 06:18 247808 -c----w- h:\windows\system32\dllcache\ieproxy.dll
2010-03-08 16:12 . 2010-02-25 06:18 12800 -c----w- h:\windows\system32\dllcache\xpshims.dll
2010-03-08 16:12 . 2010-02-25 06:18 55296 -c----w- h:\windows\system32\dllcache\msfeedsbs.dll
2010-03-08 16:12 . 2010-02-25 09:48 11070976 -c----w- h:\windows\system32\dllcache\ieframe.dll
2010-03-08 16:09 . 2010-03-08 16:09 -------- d-sh--w- h:\documents and settings\dena\IECompatCache
2010-03-08 16:09 . 2010-03-08 16:09 -------- d-sh--w- h:\documents and settings\dena\PrivacIE
2010-03-08 16:04 . 2010-03-08 16:04 -------- d-sh--w- h:\documents and settings\dena\IETldCache
2010-03-08 15:57 . 2010-03-08 15:58 -------- dc-h--w- h:\windows\ie8
2010-03-08 15:57 . 2010-03-08 15:58 -------- d-----w- h:\windows\system32\sk-SK

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-03 09:48 . 2010-01-15 17:35 3334156 ----a-w- h:\windows\Internet Logs\tvDebug.Zip
2010-04-03 00:37 . 2008-12-25 17:55 -------- d-----w- h:\program files\Java
2010-04-03 00:18 . 2008-12-12 16:41 6272 ----a-w- h:\windows\system32\drivers\splitter.sys
2010-04-03 00:17 . 2008-12-12 16:41 4992 ----a-w- h:\windows\system32\drivers\mspqm.sys
2010-04-03 00:17 . 2001-08-17 21:52 18688 ----a-w- h:\windows\system32\drivers\cdaudio.sys
2010-04-02 17:49 . 2010-04-02 17:50 3125248 ----a-w- h:\windows\Internet Logs\xDB15.tmp
2010-03-31 20:45 . 2008-12-28 18:03 108144 -c--a-w- h:\windows\system32\CmdLineExt.dll
2010-03-28 10:54 . 2001-10-25 14:00 439798 ----a-w- h:\windows\system32\perfh005.dat
2010-03-28 10:54 . 2001-10-25 14:00 82014 ----a-w- h:\windows\system32\perfc005.dat
2010-03-23 14:47 . 2010-03-24 14:18 8704 ----a-w- h:\windows\Internet Logs\xDB14.tmp
2010-03-22 22:02 . 2010-03-23 14:47 139776 ----a-w- h:\windows\Internet Logs\xDB13.tmp
2010-03-20 10:20 . 2010-03-20 20:21 8704 ----a-w- h:\windows\Internet Logs\xDB12.tmp
2010-03-20 10:16 . 2010-03-20 10:20 304640 ----a-w- h:\windows\Internet Logs\xDB11.tmp
2010-03-12 11:02 . 2010-03-13 12:26 8704 ----a-w- h:\windows\Internet Logs\xDB10.tmp
2010-03-12 09:04 . 2010-03-12 11:02 106496 ----a-w- h:\windows\Internet Logs\xDBF.tmp
2010-03-09 02:28 . 2008-12-25 17:55 411368 ----a-w- h:\windows\system32\deploytk.dll
2010-03-08 16:22 . 2010-03-08 16:23 3063296 ----a-w- h:\windows\Internet Logs\xDBE.tmp
2010-03-08 16:22 . 2010-03-08 16:23 172544 ----a-w- h:\windows\Internet Logs\xDBD.tmp
2010-03-01 15:25 . 2010-03-02 14:17 8704 ----a-w- h:\windows\Internet Logs\xDBC.tmp
2010-02-28 22:09 . 2010-03-01 15:25 491008 ----a-w- h:\windows\Internet Logs\xDBB.tmp
2010-02-25 06:18 . 2008-04-14 06:52 916480 ------w- h:\windows\system32\wininet.dll
2010-02-14 00:49 . 2010-02-14 08:57 3038720 ----a-w- h:\windows\Internet Logs\xDBA.tmp
2010-02-12 21:26 . 2008-12-12 16:39 -------- d--h--w- h:\program files\InstallShield Installation Information
2010-02-12 14:20 . 2010-02-13 10:05 8704 ----a-w- h:\windows\Internet Logs\xDB9.tmp
2010-02-11 21:04 . 2010-02-12 14:20 234496 ----a-w- h:\windows\Internet Logs\xDB8.tmp
2010-01-30 08:52 . 2010-01-31 08:45 8704 ----a-w- h:\windows\Internet Logs\xDB7.tmp
2010-01-29 20:18 . 2010-01-30 08:52 95232 ----a-w- h:\windows\Internet Logs\xDB6.tmp
2010-01-23 10:54 . 2010-01-24 10:21 8704 ----a-w- h:\windows\Internet Logs\xDB5.tmp
2010-01-23 10:52 . 2010-01-23 10:54 204800 ----a-w- h:\windows\Internet Logs\xDB3.tmp
2010-01-23 10:25 . 2008-12-25 14:18 721904 ----a-w- h:\windows\system32\drivers\sptd.sys
2010-01-18 15:56 . 2010-01-18 15:57 120320 ----a-w- h:\windows\Internet Logs\xDB2.tmp
2010-01-15 17:35 . 2010-01-16 10:10 8704 ----a-w- h:\windows\Internet Logs\xDB4.tmp
2010-01-15 17:33 . 2010-01-15 17:35 48640 ----a-w- h:\windows\Internet Logs\xDB1.tmp
2010-01-15 16:15 . 2010-01-15 16:15 56 ---ha-w- h:\windows\system32\ezsidmv.dat
2010-01-11 21:17 . 2010-01-11 21:17 278120 ----a-w- h:\windows\system32\nvmccs.dll
2010-01-11 21:17 . 2010-01-11 21:17 154216 ----a-w- h:\windows\system32\nvsvc32.exe
2010-01-11 21:17 . 2010-01-11 21:17 145000 ----a-w- h:\windows\system32\nvcolor.exe
2010-01-11 21:17 . 2010-01-11 21:17 13666408 ----a-w- h:\windows\system32\nvcpl.dll
2010-01-11 21:17 . 2010-01-11 21:17 110696 ----a-w- h:\windows\system32\nvmctray.dll
2010-01-11 21:17 . 2010-01-11 21:17 81920 ----a-w- h:\windows\system32\nvwddi.dll
2010-01-04 14:09 . 2008-04-14 06:51 17408 ----a-w- h:\windows\system32\alrsvc.dll
2010-01-04 14:08 . 2008-12-12 10:17 6656 ----a-w- h:\windows\system32\wuauserv.dll
.

------- Sigcheck -------

[-] 2008-05-11 . E3B22F050F840306FD522227F68046C5 . 1571840 . . [5.1.2600.5512] . . h:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((( SnapShot@2010-04-02_23.11.10 )))))))))))))))))))))))))))))))))))))))))
.
- 2010-04-02 23:11 . 2010-04-02 23:11 16384 h:\windows\Temp\Perflib_Perfdata_7e8.dat
+ 2010-04-03 10:14 . 2010-04-03 10:14 16384 h:\windows\Temp\Perflib_Perfdata_7e8.dat
+ 2010-04-03 10:13 . 2010-04-03 10:13 16384 h:\windows\Temp\Perflib_Perfdata_20c.dat
+ 2001-08-17 21:52 . 2010-04-03 00:17 18688 h:\windows\system32\dllcache\cdaudio.sys
- 2001-08-17 21:52 . 2001-08-17 19:52 18688 h:\windows\system32\dllcache\cdaudio.sys
- 2009-07-12 11:07 . 2010-02-24 16:44 87716 h:\windows\system32\Adobe\Shockwave 11\uninstaller.exe
+ 2009-07-12 11:07 . 2010-04-03 00:36 87716 h:\windows\system32\Adobe\Shockwave 11\uninstaller.exe
- 2008-12-12 16:41 . 2008-04-13 23:15 6272 h:\windows\system32\dllcache\splitter.sys
+ 2008-12-12 16:41 . 2010-04-03 00:18 6272 h:\windows\system32\dllcache\splitter.sys
+ 2008-12-12 16:41 . 2010-04-03 00:17 4992 h:\windows\system32\dllcache\mspqm.sys
- 2008-12-12 16:41 . 2008-04-13 23:09 4992 h:\windows\system32\dllcache\mspqm.sys
+ 2010-04-03 00:37 . 2010-03-09 02:28 153376 h:\windows\system32\javaws.exe
+ 2010-04-03 00:37 . 2010-03-09 02:28 145184 h:\windows\system32\javaw.exe
- 2009-11-04 15:19 . 2009-10-11 03:17 145184 h:\windows\system32\javaw.exe
+ 2010-04-03 00:37 . 2010-03-09 02:28 145184 h:\windows\system32\java.exe
- 2009-11-04 15:19 . 2009-10-11 03:17 145184 h:\windows\system32\java.exe
+ 2010-04-03 00:38 . 2010-04-03 00:38 180224 h:\windows\Installer\457d9b.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OEXPRESS"="h:\documents and settings\All Users\Data aplikací\LangSoft\OETRN.EXE" [2009-09-12 26624]
"AlcoholAutomount"="h:\program files\Alcohol Soft\Alcohol 120\axcmd.exe" [2009-04-24 203928]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TBPanel"="h:\program files\XpertVision\TBPanel.exe" [2008-01-29 2157064]
"avast!"="h:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]
"iTunesHelper"="h:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"ZoneAlarm Client"="h:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-11-22 1037192]
"RTHDCPL"="RTHDCPL.EXE" [2007-09-19 16844800]
"NvMediaCenter"="h:\windows\system32\NvMcTray.dll" [2010-01-11 110696]
"NvCplDaemon"="h:\windows\system32\NvCpl.dll" [2010-01-11 13666408]
"SunJavaUpdateSched"="h:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="h:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NokiaMServer]
h:\program files\Common Files\Nokia\MPlatform\NokiaMServer [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Nokia FastStart]
2009-02-26 16:04 2376992 ----a-w- h:\program files\Nokia\Nokia Music\NokiaMusic.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NokiaOviSuite2]
2009-10-27 14:10 401728 ----a-w- h:\program files\Nokia\Nokia Ovi Suite\NokiaOviSuite.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"h:\\Program Files\\Vuze\\Azureus.exe"=
"h:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"h:\\Program Files\\iTunes\\iTunes.exe"=
"h:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"h:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"h:\\WINDOWS\\system32\\sessmgr.exe"=
"h:\\Program Files\\ICQ6.5\\ICQ.exe"=
"h:\\Program Files\\Messenger\\msmsgs.exe"=

R0 sptd;sptd;h:\windows\system32\drivers\sptd.sys [25. 12. 2008 16:18 721904]
R1 aswSP;avast! Self Protection;h:\windows\system32\drivers\aswSP.sys [26. 12. 2008 23:09 114768]
R2 ABBYY.Licensing.FineReader.Professional.9.0;ABBYY FineReader 9.0 PE Licensing Service;h:\program files\Common Files\ABBYY\FineReader\9.00\Licensing\PE\NetworkLicenseServer.exe [27. 10. 2008 18:03 759072]
R2 aswFsBlk;aswFsBlk;h:\windows\system32\drivers\aswFsBlk.sys [26. 12. 2008 23:09 20560]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-01-27 h:\windows\Tasks\AppleSoftwareUpdate.job
- h:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.sk/
uDefault_Search_URL = hxxp://www.Google.com
uSearchAssistant = hxxp://www.Google.com/
uCustomizeSearch = hxxp://www.Google.com/
IE: E&xportovať do programu Microsoft Excel - h:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: {{7E6A20FB-153F-402c-A84B-1A64E1955D3D} - {7E6A20FB-153F-402c-A84B-1A64E1955D3D} - h:\documents and settings\All Users\Data aplikací\LangSoft\WebIE.dll
IE: {{CC963627-B1DC-40E0-B52A-CF21EE748449} - {CC963627-B1DC-40E0-B52A-CF21EE748449} - h:\documents and settings\All Users\Data aplikací\LangSoft\WebIE.dll
IE: {{CC963627-B1DC-40E0-B52A-CF21EE748450} - {CC963627-B1DC-40E0-B52A-CF21EE748450} - h:\documents and settings\All Users\Data aplikací\LangSoft\WebIE.dll
IE: {{CC963627-B1DC-40E0-B52A-CF21EE748451} - {CC963627-B1DC-40E0-B52A-CF21EE748451} - h:\documents and settings\All Users\Data aplikací\LangSoft\WebIE.dll
IE: {{CC963627-B1DC-40E0-B52A-CF21EE748452} - {CC963627-B1DC-40E0-B52A-CF21EE748452} - h:\documents and settings\All Users\Data aplikací\LangSoft\WebIE.dll
FF - ProfilePath - h:\documents and settings\dena\Data aplikací\Mozilla\Firefox\Profiles\m607gfzq.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.sk/
FF - plugin: h:\program files\Mozilla Firefox\plugins\npOGAPlugin.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - h:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
h:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
h:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
h:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
h:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
h:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
h:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
h:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
h:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
h:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
h:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
h:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
h:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
h:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
h:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
h:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
h:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
h:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
h:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
h:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
h:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
h:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
h:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
h:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
h:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
h:\program files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".sk");
h:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
h:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
h:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
h:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
h:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
h:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
h:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
h:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
h:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
h:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
h:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
h:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-03 12:14
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys spae.sys >>UNKNOWN [0x8A684938]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf763bf28
\Driver\ACPI -> ACPI.sys @ 0xf7495cb8
\Driver\atapi -> atapi.sys @ 0xf7978b40
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805e668e
ParseProcedure -> ntoskrnl.exe @ 0x8057b6b1
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805e668e
ParseProcedure -> ntoskrnl.exe @ 0x8057b6b1
user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3880)
h:\documents and settings\All Users\Data aplikací\LangSoft\TrnOEH.dll
h:\windows\system32\webcheck.dll
h:\windows\system32\WPDShServiceObj.dll
h:\program files\Nokia\Nokia PC Suite 7\PhoneBrowser.dll
h:\program files\Nokia\Nokia PC Suite 7\NGSCM.DLL
h:\program files\Nokia\Nokia PC Suite 7\Lang\PhoneBrowser_slk.nlr
h:\program files\Nokia\Nokia PC Suite 7\Resource\PhoneBrowser_Nokia.ngr
h:\windows\system32\PortableDeviceTypes.dll
h:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
h:\windows\system32\nvsvc32.exe
h:\program files\Alwil Software\Avast4\aswUpdSv.exe
h:\program files\Alwil Software\Avast4\ashServ.exe
h:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
h:\program files\Bonjour\mDNSResponder.exe
h:\program files\Java\jre6\bin\jqs.exe
h:\program files\Common Files\Nero\Nero BackItUp 4\NBService.exe
h:\program files\Alwil Software\Avast4\ashMaiSv.exe
h:\program files\Alwil Software\Avast4\ashWebSv.exe
h:\windows\RTHDCPL.EXE
h:\windows\system32\RUNDLL32.EXE
h:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-04-03 12:17:52 - machine was rebooted
ComboFix-quarantined-files.txt 2010-04-03 10:17
ComboFix2.txt 2010-04-02 23:17

Pre-Run: Volných bajtů: 70 848 294 912
Post-Run: Volných bajtů: 70 797 131 776

- - End Of File - - A89E1D123202B0480AC885DFD9DC993C

-------------------------------------------------------------------------------------------------------------------------------------------------------------------------

http://www.virustotal.com/cs/analisis/b ... 1270290242
http://www.virustotal.com/cs/analisis/5 ... 1270290640
http://www.virustotal.com/cs/analisis/3 ... 1270290948
http://www.virustotal.com/cs/analisis/1 ... 1270291035

Příspěvekod **jaro3** » 03 dub 2010 13:53

Stáhni si program OTM (by OldTimer)

a ulož si ho na disk C a spusť ho.
- Do levého sloupce (Paste Instructions for Items to be Moved) zkopíruj tyto cesty:
Poznámka: Nepoužij k označení funkci VYBRAT VŠE

Kód: Vybrat vše

:Processes
explorer.exe

:Services

:Reg

:Files
h:\windows\Internet Logs\xDB*.tmp
h:\windows\system32\ezsidmv.dat

:Commands
[purity]
[emptytemp]
[start explorer]
[Reboot]

- Po zkopírování klikni na tlačítko MoveIt! a vlož sem následně celý obsah z pravého sloupce, jinak uložený ve složce C:\_OTMoveIt\MovedFiles\, který bude informovat o výsledcích
- Je možné, že pokud nebudou moci být soubory odstraněny, budeš dotázán na restart počítače, v tom případě restart potvrď.

Dencul · Příspěvekod **Dencul** » 03 dub 2010 14:08

All processes killed
========== PROCESSES ==========
Process explorer.exe killed successfully!
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
h:\windows\Internet Logs\xDB1.tmp moved successfully.
h:\windows\Internet Logs\xDB10.tmp moved successfully.
h:\windows\Internet Logs\xDB11.tmp moved successfully.
h:\windows\Internet Logs\xDB12.tmp moved successfully.
h:\windows\Internet Logs\xDB13.tmp moved successfully.
h:\windows\Internet Logs\xDB14.tmp moved successfully.
h:\windows\Internet Logs\xDB15.tmp moved successfully.
h:\windows\Internet Logs\xDB2.tmp moved successfully.
h:\windows\Internet Logs\xDB3.tmp moved successfully.
h:\windows\Internet Logs\xDB4.tmp moved successfully.
h:\windows\Internet Logs\xDB5.tmp moved successfully.
h:\windows\Internet Logs\xDB6.tmp moved successfully.
h:\windows\Internet Logs\xDB7.tmp moved successfully.
h:\windows\Internet Logs\xDB8.tmp moved successfully.
h:\windows\Internet Logs\xDB9.tmp moved successfully.
h:\windows\Internet Logs\xDBA.tmp moved successfully.
h:\windows\Internet Logs\xDBB.tmp moved successfully.
h:\windows\Internet Logs\xDBC.tmp moved successfully.
h:\windows\Internet Logs\xDBD.tmp moved successfully.
h:\windows\Internet Logs\xDBE.tmp moved successfully.
h:\windows\Internet Logs\xDBF.tmp moved successfully.
h:\windows\system32\ezsidmv.dat moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: dena
->Temp folder emptied: 99926 bytes
->Temporary Internet Files folder emptied: 6410466 bytes
->Java cache emptied: 14417437 bytes
->FireFox cache emptied: 85495344 bytes
->Google Chrome cache emptied: 6240419 bytes
->Flash cache emptied: 31253 bytes

User: LocalService
->Temp folder emptied: 65536 bytes
->Temporary Internet Files folder emptied: 32835 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 2351732 bytes
%systemroot%\System32 .tmp files removed: 1160192 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 14592 bytes
Windows Temp folder emptied: 16640 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 111,00 mb

OTM by OldTimer - Version 3.1.10.1 log created on 04032010_140103

Files moved on Reboot...
H:\Documents and Settings\dena\Local Settings\Temp\~DF1D85.tmp moved successfully.
File move failed. H:\WINDOWS\temp\_avast4_\Webshlock.txt scheduled to be moved on reboot.
File H:\WINDOWS\temp\Perflib_Perfdata_20c.dat not found!
H:\WINDOWS\temp\ZLT07cbd.TMP moved successfully.

Registry entries deleted on Reboot...

Příspěvekod **jaro3** » 03 dub 2010 18:31

ComboFix se odinstaluje takto:
Start-Spustit a zadej ComboFix /Uninstall

vyčisti systém CCleanerem

a použij i T-Cleaner
smaže vše po Combu,MWAVu atd.-stáhneš>spustíš

pozn. před stažením T-Cleaneru a po dobu čištění deaktivuj AVG či Avast, následně T-Cleaner smaž a zapni si AVG či Avast.

Pokud nejsou problémy , je to vše a můžeš dát vyřešeno , zelenou fajfku.

Dencul · Příspěvekod **Dencul** » 03 dub 2010 19:08

díky

svchost vytazuje proc. na 100% Vyřešeno

svchost vytazuje proc. na 100% Vyřešeno

Re: svchost vytazuje proc. na 100%

Re: svchost vytazuje proc. na 100%

Re: svchost vytazuje proc. na 100%

Re: svchost vytazuje proc. na 100%

Re: svchost vytazuje proc. na 100%

Re: svchost vytazuje proc. na 100%

Re: svchost vytazuje proc. na 100%

Re: svchost vytazuje proc. na 100%

Re: svchost vytazuje proc. na 100%

Kdo je online