Please check my log


Post by 83.Pepas » 11 Jul 2007 11:27

Logfile of HijackThis v1.99.1
Scan saved at 11:26:08, on 11.7.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Seznam\Postak\Postak.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\SPYWAR~1\SpywareTerminatorShield.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\WINDOWS\system32\oodag.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\PROGRA~1\SPYWAR~1\sp_rsser.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Pepas\Dokumenty\Nepoužívané !!SLOŽKY!!\Ccleaner,Spybot,Ad Adware\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O4 - HKLM\..\Run: [SMail] "C:\Program Files\Seznam\Postak\Postak.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\\PSDrvCheck.exe
O4 - HKLM\..\Run: [SpywareTerminator] "C:\PROGRA~1\SPYWAR~1\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/s ... wflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B3D3B2F4-293D-4CBA-9003-701EF795C804}: NameServer = 10.10.10.10,10.10.11.11
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: efcyawx - efcyawx.dll (file missing)
O20 - Winlogon Notify: pmnnm - C:\WINDOWS\
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Spyware Terminator Clam Service (sp_clamsrv) - Crawler.com - C:\Program Files\WinClamAVShield\sp_clamsrv.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\PROGRA~1\SPYWAR~1\sp_rsser.exe
i7 9700K + SC Ninja 5, ROG STRIX Z390-F GAMING, RTX 4070Ti Gaming OC, M.2 XPG GAMMIX S11 Pro 1TB,
HyperX 16GB DDR4 3600MHz CL17 FURY Black series, RM750xCorsair, SSD Kingston 1T + 120GB

MSI MAG VAMPIRIC + 2x140mm,1x120mm fans Noctua - noRGB!
Creative Sb audigy FX.
AOC Q27G2S/EU Gaming QHD


Post by sakiri » 11 Jul 2007 13:53

Follow this guide

Use that VundoFix

The only thing is that the guide is written for the old version, so I have two remarks about it:

1. As soon as you start it, click Scan for Vundo

2. It is possible that VundoFix will start again automatically after the restart; that means some of the infected files it found could not be deleted. In that case repeat the procedure with VundoFix again.

Then rename HijackThis.exe to abc.bat and make a log from that renamed file + post the VundoFix log here, it should be located at C:\Vundofix.txt.


Post by 83.Pepas » 11 Jul 2007 14:05

I did everything from that guide + what you told me.
Here is the log. But I don't have a problem with system instability or with popup windows... :wink:


VundoFix V6.5.4

Checking Java version...

Sun Java not detected
Scan started at 13:57:59 11.7.2007

Listing files found while scanning....

No infected files were found.


Beginning removal...

Post by sakiri » 11 Jul 2007 14:14

Maybe not, but in your log you have this entry:
O20 - Winlogon Notify: pmnnm - C:\WINDOWS\

And according to this entry you have a Vundo infection.

So rename that HijackThis.exe to abc.bat and make a new log with it.


Post by 83.Pepas » 11 Jul 2007 14:17

Here you go.
I ran the check with that Vundo Scan 4 times and it found nothing...
Wouldn't it be enough if I fixed it through HijackThis???

Logfile of HijackThis v1.99.1
Scan saved at 14:16:09, on 11.7.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Seznam\Postak\Postak.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\SPYWAR~1\SpywareTerminatorShield.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\WINDOWS\system32\oodag.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\PROGRA~1\SPYWAR~1\sp_rsser.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\totalcmd\TOTALCMD.EXE
c:\Documents and Settings\Pepas\Dokumenty\Nepoužívané !!SLOŽKY!!\Ccleaner,Spybot,Ad Adware\abc.bat

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O4 - HKLM\..\Run: [SMail] "C:\Program Files\Seznam\Postak\Postak.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\\PSDrvCheck.exe
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/s ... wflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B3D3B2F4-293D-4CBA-9003-701EF795C804}: NameServer = 10.10.10.10,10.10.11.11
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: efcyawx - efcyawx.dll (file missing)
O20 - Winlogon Notify: pmnnm - C:\WINDOWS\
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Spyware Terminator Clam Service (sp_clamsrv) - Crawler.com - C:\Program Files\WinClamAVShield\sp_clamsrv.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\PROGRA~1\SPYWAR~1\sp_rsser.exe

Post by sakiri » 11 Jul 2007 14:36

OK, delete this file:
C:\Vundofix.txt

Run VundoFix again.
Click Scan for Vundo, and after the scan finishes right-click in the white box.
Click Add more files? and a window with rows will appear.
Into the first row copy this text marked in red:
C:\WINDOWS\System32\pmnnm.dll

Then click Add File(s).
Then click Remove Vundo.

The Vundo removal will begin, so your screen will disappear.
Then the PC should restart.

After the restart, post the VundoFix log here + a new HJT log.


Post by 83.Pepas » 11 Jul 2007 14:45

Here you go.

Logfile of HijackThis v1.99.1
Scan saved at 14:43:08, on 11.7.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Seznam\Postak\Postak.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\WINDOWS\system32\oodag.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Pepas\Dokumenty\Nepoužívané !!SLOŽKY!!\Ccleaner,Spybot,Ad Adware\abc.bat

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O4 - HKLM\..\Run: [SMail] "C:\Program Files\Seznam\Postak\Postak.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\\PSDrvCheck.exe
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/s ... wflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B3D3B2F4-293D-4CBA-9003-701EF795C804}: NameServer = 10.10.10.10,10.10.11.11
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: efcyawx - efcyawx.dll (file missing)
O20 - Winlogon Notify: pmnnm - C:\WINDOWS\
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Spyware Terminator Clam Service (sp_clamsrv) - Crawler.com - C:\Program Files\WinClamAVShield\sp_clamsrv.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe

VundoFix V6.5.4

Checking Java version...

Sun Java not detected
Scan started at 14:46:06 11.7.2007

Listing files found while scanning....

No infected files were found.

Post by sakiri » 13 Jul 2007 08:38

Sorry I didn't get back to you sooner.

In HJT fix:
O20 - Winlogon Notify: efcyawx - efcyawx.dll (file missing)
O20 - Winlogon Notify: pmnnm - C:\WINDOWS\

And install a FIREWALL.

Then proceed as follows:
Download ComboFix, close all open windows and run it.
Follow the instructions; while ComboFix is running, do not click in the window it shows, because that can stop the process.
After it finishes a log is created, so copy its contents here.
(It is possible that the computer will restart; that is because ComboFix found infected files and restarts the PC in order to delete them.)
Administrator rights are required to run ComboFix.


Post by 83.Pepas » 13 Jul 2007 11:49

Here it is.

"Pepas" - 2007-07-13 11:42:00 - ComboFix 07-07-13.8 - Service Pack 2 NTFS


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\regedit.com
C:\WINDOWS\system32\taskmgr.com


((((((((((((((((((((((((( Files Created from 2007-06-13 to 2007-07-13 )))))))))))))))))))))))))))))))


2007-07-13 11:41 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-13 02:17 <DIR> d-------- C:\Program Files\RocketDock
2007-07-13 01:56 2,322,176 --a------ C:\WINDOWS\system32\TUKernel.exe
2007-07-13 01:43 <DIR> d-------- C:\Program Files\CursorXP
2007-07-13 01:38 <DIR> d-------- C:\Program Files\UberIcon
2007-07-13 01:29 2,560 --a------ C:\WINDOWS\_MSRSTRT.EXE
2007-07-13 01:23 42,672 --------- C:\WINDOWS\system32\wbsys.dll
2007-07-13 00:05 10 --a------ C:\WINDOWS\system32\wfxhelp21.dll
2007-07-12 23:59 25,088 --a------ C:\WINDOWS\system32\msxml3a.dll
2007-07-12 23:59 <DIR> d-------- C:\Program Files\Common Files\stardock
2007-07-12 22:31 1,024 -r-h----- C:\WINDOWS\system32\$FSPINI$.DAT
2007-07-12 22:24 327,680 --a------ C:\WINDOWS\system32\Flocker.dll
2007-07-12 18:25 <DIR> d-------- C:\Program Files\Half-Life 2 Episode One
2007-07-12 12:47 <DIR> d-------- C:\DOCUME~1\Pepas\DATAAP~1\Comodo
2007-07-12 12:47 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\DATAAP~1\Comodo
2007-07-12 12:45 <DIR> d-------- C:\Program Files\Comodo
2007-07-08 00:19 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\DATAAP~1\CyberLink
2007-07-03 12:56 <DIR> d-------- C:\DOCUME~1\Pepas\DATAAP~1\Atari
2007-07-02 16:27 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2007-07-02 16:27 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2007-07-01 11:37 <DIR> d-------- C:\Program Files\Eidos
2007-06-29 15:08 197,120 --a------ C:\WINDOWS\patchw32.dll
2007-06-29 15:08 <DIR> d-------- C:\Program Files\Common Files\PocketSoft
2007-06-29 15:06 <DIR> d-------- C:\Program Files\Atari
2007-06-29 11:24 <DIR> d-------- C:\Program Files\EA GAMES
2007-06-17 22:23 <DIR> d-------- C:\Program Files\DAEMON Tools
2007-06-17 22:00 639,224 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2007-06-16 14:15 138,368 --a------ C:\WINDOWS\system32\drivers\sp_rsdrv2.sys
2007-06-16 14:14 <DIR> d-------- C:\Program Files\WinClamAVShield
2007-06-16 14:12 <DIR> d-------- C:\Program Files\Spyware Terminator
2007-06-16 14:12 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\DATAAP~1\Spyware Terminator
2007-06-15 14:23 9,464 --------- C:\WINDOWS\system32\drivers\cdralw2k.sys
2007-06-15 14:23 9,336 --------- C:\WINDOWS\system32\drivers\cdr4_xp.sys
2007-06-15 14:23 129,784 --------- C:\WINDOWS\system32\pxafs.dll
2007-06-14 15:31 <DIR> d-------- C:\Program Files\Common Files\Real
2007-06-14 15:31 <DIR> d-------- C:\DOCUME~1\Pepas\DATAAP~1\Real
2007-06-13 14:35 <DIR> d-------- C:\Program Files\Common Files\Totem Shared


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-13 09:38:17 73,326 ----a-w C:\WINDOWS\system32\perfc005.dat
2007-07-13 09:38:17 397,976 ----a-w C:\WINDOWS\system32\perfh005.dat
2007-07-12 20:35:36 1,024 ---h--r C:\WINDOWS\system32\$FSPINI$.DAT
2007-07-12 17:02:47 -------- d-----w C:\DOCUME~1\Pepas\DATAAP~1\Image Zone Express
2007-07-11 23:34:17 -------- d-----w C:\Program Files\PSPad editor
2007-07-08 15:51:29 -------- d-----w C:\Program Files\Call of Duty
2007-07-07 22:20:37 -------- d-----w C:\DOCUME~1\Pepas\DATAAP~1\CyberLink
2007-07-07 22:18:30 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-07-07 22:17:09 -------- d-----w C:\Program Files\CyberLink
2007-07-05 18:27:35 -------- d-----w C:\Program Files\TuneUp Utilities 2007
2007-07-01 08:20:12 43,520 ----a-w C:\WINDOWS\system32\CmdLineExt03.dll
2007-06-30 09:59:22 -------- d-----w C:\Program Files\GamePark
2007-06-28 19:53:47 -------- d-----w C:\DOCUME~1\Pepas\DATAAP~1\Skype
2007-06-12 14:18:50 -------- d-----w C:\Program Files\SmartSound Software
2007-06-12 13:29:19 -------- d-----w C:\DOCUME~1\Pepas\DATAAP~1\MegauploadToolbar
2007-06-03 17:10:27 -------- d-----w C:\DOCUME~1\Pepas\DATAAP~1\GeoVid
2007-06-03 10:39:45 -------- d-----w C:\Program Files\Apex
2007-06-01 20:43:03 -------- d-----w C:\DOCUME~1\Pepas\DATAAP~1\Microsoft Games
2007-05-27 18:07:32 -------- d-----w C:\Program Files\MegauploadToolbar
2007-05-16 15:18:40 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-05-16 13:00:26 -------- d-----w C:\Program Files\ImTOO
2007-05-15 16:43:55 -------- d-----w C:\DOCUME~1\Pepas\DATAAP~1\jStrip
2007-05-15 14:32:27 -------- d-----w C:\DOCUME~1\Pepas\DATAAP~1\InstallShield
2007-05-10 15:31:26 95 ----a-w C:\AUTOEXEC.BAT
2007-05-02 16:41:43 1,289 ----a-w C:\WINDOWS\mozver.dat
2007-05-02 12:21:26 606,848 ----a-w C:\WINDOWS\flashax.exe
2007-05-02 12:21:26 12,288 ----a-w C:\WINDOWS\impborl.dll
2007-04-30 15:46:10 745,600 ----a-w C:\WINDOWS\system32\aswBoot.exe
2007-04-30 15:35:28 95,872 ----a-w C:\WINDOWS\system32\AVASTSS.scr
2007-04-28 06:50:01 524,268 --sh--w C:\WINDOWS\system32\mnnmp.bak2
2007-04-26 18:59:05 586,528 --sh--w C:\WINDOWS\system32\mnnmp.bak1
2007-04-25 14:22:50 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2007-04-23 00:15:29 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2007-04-23 00:15:18 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2007-04-23 00:15:18 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2007-04-23 00:02:34 73,728 ----a-w C:\WINDOWS\system32\dpl100.dll
2007-04-23 00:02:34 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
2007-04-23 00:02:33 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
2007-04-23 00:02:31 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
2007-04-23 00:02:31 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
2007-04-23 00:02:31 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
2007-04-23 00:02:31 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
2007-04-23 00:02:31 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
2007-04-18 16:15:25 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-16 20:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-16 20:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-16 20:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-16 20:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-16 20:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-16 20:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-16 20:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-16 20:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
2005-09-24 07:12 63136 --a------ C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C}]
2007-05-25 00:35 1929160 --a------ C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
2005-05-31 02:04 853672 --a------ C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SMail"="C:\Program Files\Seznam\Postak\Postak.exe" [2006-05-18 14:36]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-04-30 17:42]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-09-25 10:12]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-12 00:12]
"SpywareTerminator"="C:\PROGRA~1\SPYWAR~1\SpywareTerminatorShield.exe" [2007-06-27 14:18]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2007-02-07 16:24]
"LanguageShortcut"="C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" [2007-02-07 16:21]
"COMODO Firewall Pro"="C:\Program Files\Comodo\Firewall\CPF.exe" [2007-07-12 12:45]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-18 14:00]
"DesktopX"="C:\PROGRA~1\Stardock\OBJECT~1\DesktopX\DesktopX Builder.exe" []
"UberIcon"="C:\Program Files\UberIcon\UberIcon Manager.exe" [2006-07-17 23:16]
"RocketDock"="C:\Program Files\RocketDock\RocketDock.exe" [2007-03-19 00:05]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"LinkResolveIgnoreLinkInfo"=0 (0x0)
"NoResolveSearch"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"LinkResolveIgnoreLinkInfo"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"SoundMan"=SOUNDMAN.EXE
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - netsvcs
UxTuneUp


**************************************************************************

catchme 0.3.915 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-13 11:45:00
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-13 11:45:37
C:\ComboFix-quarantined-files.txt ... 2007-07-13 11:45

--- E O F ---

Post by sakiri » 17 Jul 2007 14:10

Sorry for the very late reply.

Download Avenger and run it under an administrator account.
Tick the option - Input script manually and click the magnifying glass icon; an empty window will pop up, into which copy the bold text:
Files to delete:
C:\WINDOWS\system32\mnnmp.bak2
C:\WINDOWS\system32\mnnmp.bak1


Then click Done.
Then click the traffic light icon.

A message will pop up, click Yes, then another message, click Yes.
The PC will restart. After the restart the Avenger log should "pop up", so copy it here.

Have these files checked at VirusTotal:
C:\WINDOWS\system32\TUKernel.exe
C:\WINDOWS\_MSRSTRT.EXE
C:\WINDOWS\system32\wfxhelp21.dll
C:\WINDOWS\system32\$FSPINI$.DAT
C:\WINDOWS\flashax.exe
C:\WINDOWS\impborl.dll

To find them more easily, turn on - Show hidden and system files.
And then copy the results here.

+ a new ComboFix log.
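The triage in this thread rests on two observations: an O20 Winlogon Notify entry whose DLL is missing or whose path is truncated to a bare directory (pmnnm - C:\WINDOWS\), and, in the ComboFix Find3M listing, hidden files named with that entry's name spelled backwards (mnnmp.bak1, mnnmp.bak2). The script below is an added example, not code from this thread, from HijackThis or from ComboFix: it parses both log formats, applies those two checks, and cross-references them. The reversed-name correlation is an assumption drawn from the two names seen here, not a documented rule of either tool; the sample lines are copied from the logs quoted above.

```python
"""Triage helper for the two log formats quoted in this thread.

Added example; it is not code from the thread, from HijackThis or from
ComboFix.  It pulls O20 Winlogon Notify entries out of a HijackThis log,
flags the two defects the helper keyed on (DLL reported missing, or a path
truncated to a bare directory such as C:\\WINDOWS\\), and then looks for
files in a ComboFix Find3M listing whose stem is the Notify name reversed
(pmnnm -> mnnmp.bak1).  The reversed-name check is an assumption drawn
from the names in this thread, not a rule of either tool.
"""
import re
from dataclasses import dataclass

# Sample lines copied from the HijackThis log quoted in the thread.
HJT_SAMPLE = """\
O20 - Winlogon Notify: efcyawx - efcyawx.dll (file missing)
O20 - Winlogon Notify: pmnnm - C:\\WINDOWS\\
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\\WINDOWS\\system32\\WPDShServiceObj.dll
O23 - Service: O&O Defrag - O&O Software GmbH - C:\\WINDOWS\\system32\\oodag.exe
"""

# Sample lines copied from the ComboFix Find3M section quoted in the thread.
COMBOFIX_SAMPLE = """\
2007-04-30 15:46:10 745,600 ----a-w C:\\WINDOWS\\system32\\aswBoot.exe
2007-04-28 06:50:01 524,268 --sh--w C:\\WINDOWS\\system32\\mnnmp.bak2
2007-04-26 18:59:05 586,528 --sh--w C:\\WINDOWS\\system32\\mnnmp.bak1
2007-04-25 14:22:50 144,896 ----a-w C:\\WINDOWS\\system32\\schannel.dll
"""

O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")
# ComboFix Find3M line: date time size attrs path (size is dashes for dirs)
FIND3M_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<size>[\d,]+|-+) (?P<attrs>\S+) (?P<path>.+)$"
)


@dataclass
class Finding:
    name: str       # Winlogon Notify subkey name
    path: str       # DLL path exactly as HijackThis printed it
    reason: str     # why this entry deserves a look
    related: list   # ComboFix paths whose stem is the reversed name


def parse_o20(log_text):
    """Return (name, path) for every O20 Winlogon Notify line."""
    out = []
    for line in log_text.splitlines():
        m = O20_RE.match(line.strip())
        if m:
            out.append((m.group("name"), m.group("path").strip()))
    return out


def parse_find3m(report_text):
    """Return the file paths listed in a ComboFix Find3M section."""
    paths = []
    for line in report_text.splitlines():
        m = FIND3M_RE.match(line.strip())
        if m:
            paths.append(m.group("path"))
    return paths


def notify_defect(path):
    """Classify an O20 path; None means it looks like a normal DLL reference."""
    if "(file missing)" in path:
        return "notify DLL reported missing on disk"
    base = path.rsplit("\\", 1)[-1]
    if path.endswith("\\") or "." not in base:
        return "notify entry points at a bare directory, not a DLL"
    return None


def reversed_name_hits(name, paths):
    """Paths whose file stem equals the notify name spelled backwards."""
    rev = name[::-1].lower()
    hits = []
    for p in paths:
        stem = p.rsplit("\\", 1)[-1].lower().split(".", 1)[0]
        if stem == rev:
            hits.append(p)
    return hits


def triage(hjt_text, combofix_text):
    """Cross-check O20 entries against the ComboFix file listing."""
    paths = parse_find3m(combofix_text)
    findings = []
    for name, path in parse_o20(hjt_text):
        reason = notify_defect(path)
        related = reversed_name_hits(name, paths)
        if reason or related:
            findings.append(
                Finding(name, path, reason or "reversed-name file present", related)
            )
    return findings


if __name__ == "__main__":
    for f in triage(HJT_SAMPLE, COMBOFIX_SAMPLE):
        print(f"{f.name}: {f.reason}; related files: {f.related or 'none'}")
```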


Příspěvekod 83.Pepas » 19 črc 2007 13:40

Tady to všechno máš.. :D

Virustotal

MSRSTRT.EXE
Antivirus Version Last Update Result

AhnLab-V3 2007.7.18.0 2007.07.19 no virus found
AntiVir 7.4.0.44 2007.07.19 no virus found
Authentium 4.93.8 2007.07.19 no virus found
Avast 4.7.997.0 2007.07.18 no virus found
AVG 7.5.0.476 2007.07.18 no virus found
BitDefender 7.2 2007.07.19 no virus found
CAT-QuickHeal 9.00 2007.07.18 Tool.Win32.Reboot (Not a Virus)
ClamAV devel-20070416 2007.07.19 no virus found
DrWeb 4.33 2007.07.19 no virus found
eSafe 7.0.15.0 2007.07.17 no virus found
eTrust-Vet 30.8.3794 2007.07.19 no virus found
Ewido 4.0 2007.07.18 no virus found
FileAdvisor 1 2007.07.19 no virus found
Fortinet 2.91.0.0 2007.07.19 no virus found
F-Prot 4.3.2.48 2007.07.19 no virus found
F-Secure 6.70.13030.0 2007.07.19 no virus found
Ikarus T3.1.1.8 2007.07.19 no virus found
Kaspersky 4.0.2.24 2007.07.19 no virus found
McAfee 5077 2007.07.18 no virus found
Microsoft 1.2704 2007.07.19 no virus found
NOD32v2 2406 2007.07.19 no virus found
Norman 5.80.02 2007.07.18 no virus found
Panda 9.0.0.4 2007.07.19 no virus found
Sophos 4.19.0 2007.07.17 no virus found
Sunbelt 2.2.907.0 2007.07.19 no virus found
Symantec 10 2007.07.19 no virus found
TheHacker 6.1.7.149 2007.07.18 no virus found
VBA32 3.12.2.1 2007.07.19 no virus found
VirusBuster 4.3.26:9 2007.07.19 no virus found
Webwasher-Gateway 6.0.1 2007.07.19 no virus found
Aditional information
File size: 2560 bytes
MD5: 815372073da85b2098a37ded84083c8a
SHA1: 0a70574450bee11c9c09f25f082e0253aa32ceaa

File wfxhelp21.dll received on 07.19.2007 12:48:36 (CET)

Antivirus Version Last Update Result
AhnLab-V3 2007.7.18.0 2007.07.19 no virus found
AntiVir 7.4.0.44 2007.07.19 no virus found
Authentium 4.93.8 2007.07.19 no virus found
Avast 4.7.997.0 2007.07.18 no virus found
AVG 7.5.0.476 2007.07.18 no virus found
BitDefender 7.2 2007.07.19 no virus found
CAT-QuickHeal 9.00 2007.07.18 no virus found
ClamAV devel-20070416 2007.07.19 no virus found
DrWeb 4.33 2007.07.19 no virus found
eSafe 7.0.15.0 2007.07.17 no virus found
eTrust-Vet 30.8.3794 2007.07.19 no virus found
Ewido 4.0 2007.07.18 no virus found
FileAdvisor 1 2007.07.19 no virus found
Fortinet 2.91.0.0 2007.07.19 no virus found
F-Prot 4.3.2.48 2007.07.19 no virus found
F-Secure 6.70.13030.0 2007.07.19 no virus found
Ikarus T3.1.1.8 2007.07.19 no virus found
Kaspersky 4.0.2.24 2007.07.19 no virus found
McAfee 5077 2007.07.18 no virus found
Microsoft 1.2704 2007.07.19 no virus found
NOD32v2 2406 2007.07.19 no virus found
Norman 5.80.02 2007.07.18 no virus found
Panda 9.0.0.4 2007.07.19 no virus found
Sophos 4.19.0 2007.07.17 no virus found
Sunbelt 2.2.907.0 2007.07.19 no virus found
Symantec 10 2007.07.19 no virus found
TheHacker 6.1.7.149 2007.07.18 no virus found
VBA32 3.12.2.1 2007.07.19 no virus found
VirusBuster 4.3.26:9 2007.07.19 no virus found
Webwasher-Gateway 6.0.1 2007.07.19 no virus found
Aditional information
File size: 10 bytes
MD5: 781c3cda8d82d0884bd4c9dc61006da8
SHA1: ca10f3ecbcbb8b0af60ceebe2cc6a0e3d08860c3

File _FSPINI_.DAT received on 07.19.2007 12:58:22 (CET)
Antivirus Version Last Update Result
AhnLab-V3 2007.7.18.0 2007.07.19 no virus found
AntiVir 7.4.0.44 2007.07.19 no virus found
Authentium 4.93.8 2007.07.19 no virus found
Avast 4.7.997.0 2007.07.18 no virus found
AVG 7.5.0.476 2007.07.18 no virus found
BitDefender 7.2 2007.07.19 no virus found
CAT-QuickHeal 9.00 2007.07.18 no virus found
ClamAV devel-20070416 2007.07.19 no virus found
DrWeb 4.33 2007.07.19 no virus found
eSafe 7.0.15.0 2007.07.17 no virus found
eTrust-Vet 30.8.3794 2007.07.19 no virus found
Ewido 4.0 2007.07.19 no virus found
FileAdvisor 1 2007.07.19 no virus found
Fortinet 2.91.0.0 2007.07.19 no virus found
F-Prot 4.3.2.48 2007.07.19 no virus found
F-Secure 6.70.13030.0 2007.07.19 no virus found
Ikarus T3.1.1.8 2007.07.19 no virus found
Kaspersky 4.0.2.24 2007.07.19 no virus found
McAfee 5077 2007.07.18 no virus found
Microsoft 1.2704 2007.07.19 no virus found
NOD32v2 2406 2007.07.19 no virus found
Norman 5.80.02 2007.07.18 no virus found
Panda 9.0.0.4 2007.07.19 no virus found
Sophos 4.19.0 2007.07.17 no virus found
Sunbelt 2.2.907.0 2007.07.19 no virus found
Symantec 10 2007.07.19 no virus found
TheHacker 6.1.7.149 2007.07.18 no virus found
VBA32 3.12.2.1 2007.07.19 no virus found
VirusBuster 4.3.26:9 2007.07.19 no virus found
Webwasher-Gateway 6.0.1 2007.07.19 no virus found
Aditional information
File size: 1024 bytes
MD5: f6b1d317f56bb6153d6b4bc4c85e998e
SHA1: 544d9eb4bdeeb75ba55efbedddf6b48eca73a28e

File flashax.exe received on 07.19.2007 13:05:11 (CET)

Antivirus Version Last Update Result
AhnLab-V3 2007.7.18.0 2007.07.19 no virus found
AntiVir 7.4.0.44 2007.07.19 no virus found
Authentium 4.93.8 2007.07.19 no virus found
Avast 4.7.997.0 2007.07.18 no virus found
AVG 7.5.0.476 2007.07.18 no virus found
BitDefender 7.2 2007.07.19 no virus found
CAT-QuickHeal 9.00 2007.07.18 no virus found
ClamAV devel-20070416 2007.07.19 no virus found
DrWeb 4.33 2007.07.19 no virus found
eSafe 7.0.15.0 2007.07.17 no virus found
eTrust-Vet 30.8.3794 2007.07.19 no virus found
Ewido 4.0 2007.07.19 no virus found
FileAdvisor 1 2007.07.19 no virus found
Fortinet 2.91.0.0 2007.07.19 no virus found
F-Prot 4.3.2.48 2007.07.19 no virus found
F-Secure 6.70.13030.0 2007.07.19 no virus found
Ikarus T3.1.1.8 2007.07.19 no virus found
Kaspersky 4.0.2.24 2007.07.19 no virus found
McAfee 5077 2007.07.18 no virus found
Microsoft 1.2704 2007.07.19 no virus found
NOD32v2 2406 2007.07.19 no virus found
Norman 5.80.02 2007.07.18 no virus found
Panda 9.0.0.4 2007.07.19 no virus found
Sophos 4.19.0 2007.07.17 no virus found
Sunbelt 2.2.907.0 2007.07.19 no virus found
Symantec 10 2007.07.19 no virus found
TheHacker 6.1.7.149 2007.07.18 no virus found
VBA32 3.12.2.1 2007.07.19 no virus found
VirusBuster 4.3.26:9 2007.07.19 no virus found
Webwasher-Gateway 6.0.1 2007.07.19 no virus found
Aditional information
File size: 606848 bytes
MD5: a16126510106990df3e4445191adead8
SHA1: 444b40b55c52b57472a6011ea7bdc5e2566e0242

impborl.dll

Antivirus Version Last Update Result
AhnLab-V3 2007.7.18.0 2007.07.19 no virus found
AntiVir 7.4.0.44 2007.07.19 no virus found
Authentium 4.93.8 2007.07.19 no virus found
Avast 4.7.997.0 2007.07.18 no virus found
AVG 7.5.0.476 2007.07.18 no virus found
BitDefender 7.2 2007.07.19 no virus found
CAT-QuickHeal 9.00 2007.07.18 no virus found
ClamAV devel-20070416 2007.07.19 no virus found
DrWeb 4.33 2007.07.19 no virus found
eSafe 7.0.15.0 2007.07.17 no virus found
eTrust-Vet 30.8.3794 2007.07.19 no virus found
Ewido 4.0 2007.07.19 no virus found
FileAdvisor 1 2007.07.19 no virus found
Fortinet 2.91.0.0 2007.07.19 no virus found
F-Prot 4.3.2.48 2007.07.19 no virus found
F-Secure 6.70.13030.0 2007.07.19 no virus found
Ikarus T3.1.1.8 2007.07.19 no virus found
Kaspersky 4.0.2.24 2007.07.19 no virus found
McAfee 5077 2007.07.18 no virus found
Microsoft 1.2704 2007.07.19 no virus found
NOD32v2 2406 2007.07.19 no virus found
Norman 5.80.02 2007.07.19 no virus found
Panda 9.0.0.4 2007.07.19 no virus found
Sophos 4.19.0 2007.07.17 no virus found
Sunbelt 2.2.907.0 2007.07.19 no virus found
Symantec 10 2007.07.19 no virus found
TheHacker 6.1.7.149 2007.07.18 no virus found
VBA32 3.12.2.1 2007.07.19 no virus found
VirusBuster 4.3.26:9 2007.07.19 no virus found
Webwasher-Gateway 6.0.1 2007.07.19 no virus found
Aditional information
File size: 12288 bytes
MD5: 23a38a0f3b5fb112809c339725a9e318
SHA1: 165dc2cb79d167b53bd35d42eb9ff33087040a19

Combofix

"Pepas" - 2007-07-19 13:30:43 - ComboFix 07-07-13.8 - Service Pack 2 NTFS


((((((((((((((((((((((((( Files Created from 2007-06-19 to 2007-07-19 )))))))))))))))))))))))))))))))


2007-07-17 06:28 <DIR> d-------- C:\Program Files\GoldWave
2007-07-15 01:24 37,136 --a------ C:\WINDOWS\system32\MSJINT35.DLL
2007-07-15 01:24 24,336 --a------ C:\WINDOWS\system32\MSJTER35.DLL
2007-07-15 01:24 1,046,288 --a------ C:\WINDOWS\system32\msjet35.dll
2007-07-14 14:10 <DIR> d-------- C:\DOCUME~1\Pepas\DATAAP~1\Simply Super Software
2007-07-13 12:14 <DIR> d-------- C:\DOCUME~1\Pepas\DATAAP~1\OtakuSoftware
2007-07-13 11:41 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-13 01:29 2,560 --a------ C:\WINDOWS\_MSRSTRT.EXE
2007-07-13 01:23 42,672 --------- C:\WINDOWS\system32\wbsys.dll
2007-07-13 00:05 10 --a------ C:\WINDOWS\system32\wfxhelp21.dll
2007-07-12 23:59 25,088 --a------ C:\WINDOWS\system32\msxml3a.dll
2007-07-12 23:59 <DIR> d-------- C:\Program Files\Common Files\stardock
2007-07-12 22:31 1,024 -r-h----- C:\WINDOWS\system32\$FSPINI$.DAT
2007-07-12 22:24 327,680 --a------ C:\WINDOWS\system32\Flocker.dll
2007-07-12 18:25 <DIR> d-------- C:\Program Files\Half-Life 2 Episode One
2007-07-12 12:47 <DIR> d-------- C:\DOCUME~1\Pepas\DATAAP~1\Comodo
2007-07-12 12:47 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\DATAAP~1\Comodo
2007-07-12 12:45 <DIR> d-------- C:\Program Files\Comodo
2007-07-08 00:19 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\DATAAP~1\CyberLink
2007-07-03 12:56 <DIR> d-------- C:\DOCUME~1\Pepas\DATAAP~1\Atari
2007-07-02 16:27 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2007-07-02 16:27 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2007-07-01 11:37 <DIR> d-------- C:\Program Files\Eidos
2007-06-29 15:08 197,120 --a------ C:\WINDOWS\patchw32.dll
2007-06-29 15:08 <DIR> d-------- C:\Program Files\Common Files\PocketSoft
2007-06-29 15:06 <DIR> d-------- C:\Program Files\Atari
2007-06-29 11:24 <DIR> d-------- C:\Program Files\EA GAMES


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-19 10:34:18 73,326 ----a-w C:\WINDOWS\system32\perfc005.dat
2007-07-19 10:34:18 397,976 ----a-w C:\WINDOWS\system32\perfh005.dat
2007-07-18 20:26:20 -------- d-----w C:\Program Files\Spyware Terminator
2007-07-13 19:28:32 -------- d-----w C:\Program Files\Call of Duty
2007-07-12 20:35:36 1,024 ---h--r C:\WINDOWS\system32\$FSPINI$.DAT
2007-07-12 17:02:47 -------- d-----w C:\DOCUME~1\Pepas\DATAAP~1\Image Zone Express
2007-07-11 23:34:17 -------- d-----w C:\Program Files\PSPad editor
2007-07-07 22:20:37 -------- d-----w C:\DOCUME~1\Pepas\DATAAP~1\CyberLink
2007-07-07 22:18:30 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-07-07 22:17:09 -------- d-----w C:\Program Files\CyberLink
2007-07-06 19:07:37 -------- d-----w C:\Program Files\WinClamAVShield
2007-07-05 18:27:35 -------- d-----w C:\Program Files\TuneUp Utilities 2007
2007-07-01 08:20:12 43,520 ----a-w C:\WINDOWS\system32\CmdLineExt03.dll
2007-06-30 09:59:22 -------- d-----w C:\Program Files\GamePark
2007-06-28 19:53:47 -------- d-----w C:\DOCUME~1\Pepas\DATAAP~1\Skype
2007-06-27 12:19:07 138,368 ----a-w C:\WINDOWS\system32\drivers\sp_rsdrv2.sys
2007-06-22 21:04:05 -------- d-----w C:\Program Files\DAEMON Tools
2007-06-17 20:00:27 639,224 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2007-06-14 13:38:18 -------- d-----w C:\Program Files\Common Files\Real
2007-06-14 13:38:09 -------- d-----w C:\DOCUME~1\Pepas\DATAAP~1\Real
2007-06-13 12:39:11 -------- d-----w C:\Program Files\Common Files\Totem Shared
2007-06-12 14:18:50 -------- d-----w C:\Program Files\SmartSound Software
2007-06-12 13:29:19 -------- d-----w C:\DOCUME~1\Pepas\DATAAP~1\MegauploadToolbar
2007-06-03 17:10:27 -------- d-----w C:\DOCUME~1\Pepas\DATAAP~1\GeoVid
2007-06-03 10:39:45 -------- d-----w C:\Program Files\Apex
2007-06-01 20:43:03 -------- d-----w C:\DOCUME~1\Pepas\DATAAP~1\Microsoft Games
2007-05-27 18:07:32 -------- d-----w C:\Program Files\MegauploadToolbar
2007-05-16 15:18:40 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-05-10 15:31:26 95 ----a-w C:\AUTOEXEC.BAT
2007-05-02 16:41:43 1,289 ----a-w C:\WINDOWS\mozver.dat
2007-05-02 12:21:26 606,848 ----a-w C:\WINDOWS\flashax.exe
2007-05-02 12:21:26 12,288 ----a-w C:\WINDOWS\impborl.dll
2007-04-30 15:46:10 745,600 ----a-w C:\WINDOWS\system32\aswBoot.exe
2007-04-30 15:35:28 95,872 ----a-w C:\WINDOWS\system32\AVASTSS.scr
2007-04-25 14:22:50 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2007-04-23 00:15:29 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2007-04-23 00:15:18 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2007-04-23 00:15:18 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2007-04-23 00:02:34 73,728 ----a-w C:\WINDOWS\system32\dpl100.dll
2007-04-23 00:02:34 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
2007-04-23 00:02:33 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
2007-04-23 00:02:31 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
2007-04-23 00:02:31 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
2007-04-23 00:02:31 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
2007-04-23 00:02:31 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
2007-04-23 00:02:31 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
2005-09-24 07:12 63136 --a------ C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C}]
2007-05-25 00:35 1929160 --a------ C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
2005-05-31 02:04 853672 --a------ C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SMail"="C:\Program Files\Seznam\Postak\Postak.exe" [2006-05-18 14:36]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-04-30 17:42]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-09-25 10:12]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-12 00:12]
"SpywareTerminator"="C:\PROGRA~1\SPYWAR~1\SpywareTerminatorShield.exe" [2007-06-27 14:18]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2007-02-07 16:24]
"LanguageShortcut"="C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" [2007-02-07 16:21]
"COMODO Firewall Pro"="C:\Program Files\Comodo\Firewall\CPF.exe" [2007-07-12 12:45]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-18 14:00]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"LinkResolveIgnoreLinkInfo"=0 (0x0)
"NoResolveSearch"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"LinkResolveIgnoreLinkInfo"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"SoundMan"=SOUNDMAN.EXE
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - netsvcs
UxTuneUp


**************************************************************************

catchme 0.3.915 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-19 13:33:26
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-19 13:34:11

--- E O F ---

Avenger

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\hrqgkvdm

*******************

Script file located at: \??\C:\WINDOWS\system32\ecggvmay.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINDOWS\system32\mnnmp.bak2 deleted successfully.
File C:\WINDOWS\system32\mnnmp.bak1 deleted successfully.

Completed script processing.

*******************

Finished! Terminate.
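
The VirusTotal dumps above are read most quickly once reduced to a per-file detection count. The parser below is an added example, not code from this thread or from VirusTotal; it handles the plain-text layout pasted above (vendor, engine version, signature date, verdict, then the size and hash lines) and is fed a constructed sample that reuses a few of the lines from the post.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the plain-text layout VirusTotal used in 2007, trimmed to a
# few engines per file; verdicts, sizes and hashes are copied from the post above.
SAMPLE_REPORT = """\
MSRSTRT.EXE
Antivirus Version Last Update Result
AhnLab-V3 2007.7.18.0 2007.07.19 no virus found
CAT-QuickHeal 9.00 2007.07.18 Tool.Win32.Reboot (Not a Virus)
Aditional information
File size: 2560 bytes
MD5: 815372073da85b2098a37ded84083c8a

File wfxhelp21.dll received on 07.19.2007 12:48:36 (CET)
AhnLab-V3 2007.7.18.0 2007.07.19 no virus found
Kaspersky 4.0.2.24 2007.07.19 no virus found
Aditional information
File size: 10 bytes
SHA1: ca10f3ecbcbb8b0af60ceebe2cc6a0e3d08860c3
"""

# One engine row: vendor, engine version, signature date (YYYY.MM.DD), verdict text.
ENGINE_RE = re.compile(r"^(\S+) (\S+) (\d{4}\.\d{2}\.\d{2}) (.+)$")
HEADER_RE = re.compile(r"^File (\S+) received on ")  # page title copied with the table

@dataclass
class FileReport:
    name: str
    engines: int = 0                                          # engines that scanned it
    detections: dict[str, str] = field(default_factory=dict)  # vendor -> verdict
    info: dict[str, str] = field(default_factory=dict)        # "File size", "MD5", ...

def parse_vt_text(text: str) -> list[FileReport]:
    reports: list[FileReport] = []
    cur = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Antivirus ", "Current status", "Aditional")):
            continue
        if (m := HEADER_RE.match(line)):
            cur = FileReport(m.group(1)); reports.append(cur)
        elif cur and (m := ENGINE_RE.match(line)):
            cur.engines += 1
            if m.group(4) != "no virus found":          # anything else is a named verdict
                cur.detections[m.group(1)] = m.group(4)
        elif cur and line.startswith(("File size:", "MD5:", "SHA1:")):
            key, value = line.split(":", 1)
            cur.info[key] = value.strip()
        else:                                            # a bare file name used as a title
            cur = FileReport(line); reports.append(cur)
    return reports

def summarize(reports: list[FileReport]) -> dict[str, str]:
    return {r.name: f"{len(r.detections)}/{r.engines}" for r in reports}
```

Anything other than the literal "no virus found" is kept verbatim, so a verdict such as "Tool.Win32.Reboot (Not a Virus)" stays visible instead of being folded into a count.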

