Sooo. The useless stuff is fixed. Winlogon no longer pops up. The Kerio settings had no effect, and it stopped during those cleanups of trojans, viruses etc., so the cause was probably removed. Shortly after starting ComboFix, AVG reported a file in system32/WLctrl3.dll, so I chose heal. Log attached.
ComboFix 08-03-03.4 - User 2008-03-07 23:33:07.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1250.1.1029.18.1481 [GMT 1:00]
Running from: C:\Documents and Settings\User\Plocha\ComboFix.exe
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((( Files Created from 2008-02-07 to 2008-03-07 )))))))))))))))))))))))))))))))
.
2008-03-02 21:02 . 2008-03-02 21:02 <DIR> d-------- C:\Program Files\CCleaner
2008-03-02 19:21 . 2008-03-02 19:22 <DIR> d-------- C:\WINDOWS\ERUNT
2008-03-02 19:20 . 2008-03-04 03:18 326 --a------ C:\WINDOWS\system32\drivers\fwdrv.err
2008-03-02 18:59 . 2008-03-04 03:27 <DIR> d-------- C:\SDFix
2008-03-02 18:58 . 2008-03-02 18:58 1,312,273 --a------ C:\SDFix.exe
2008-03-02 18:48 . 2008-03-02 18:49 1,312,273 --a------ C:\default
2008-03-02 17:18 . 2008-03-02 17:18 <DIR> d-------- C:\Program Files\Sunbelt Software
2008-03-02 16:36 . 2008-03-02 16:36 26,240 --a------ C:\WINDOWS\system32\drivers\Fms64.sys
2008-03-02 16:19 . 2008-03-02 16:19 <DIR> d-------- C:\Program Files\Ashampoo
2008-03-01 14:16 . 2008-03-02 14:38 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2008-03-01 13:47 . 2008-03-01 13:47 <DIR> d-------- C:\Program Files\MagicISO
2008-02-27 15:52 . 2008-02-27 15:52 <DIR> d-------- C:\Documents and Settings\User\Data aplikací\DassaultSystemes
2008-02-27 15:52 . 2008-02-27 15:52 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\DATAAP~1\DassaultSystemes
2008-02-27 15:51 . 2008-02-27 15:51 <DIR> d-------- C:\Documents and Settings\User\Data aplikací\SolidWorks 2008
2008-02-27 15:48 . 2008-02-27 15:48 <DIR> d-------- C:\Documents and Settings\User\Data aplikací\SolidWorks
2008-02-27 15:45 . 2008-02-27 15:45 <DIR> d-------- C:\Documents and Settings\User\Data aplikací\DWGeditor
2008-02-27 15:45 . 2008-02-27 15:45 0 --a------ C:\WINDOWS\eDrawingOfficeAutomator.INI
2008-02-27 15:43 . 2008-02-27 15:58 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-02-27 15:39 . 2008-02-27 15:39 <DIR> d-------- C:\WINDOWS\system32\GroupPolicy
2008-02-27 15:39 . 2008-02-27 15:44 <DIR> d-------- C:\Program Files\Solidworks Data
2008-02-27 15:39 . 2008-02-27 16:02 <DIR> d-------- C:\Program Files\SolidWorks
2008-02-27 15:39 . 2008-02-27 16:02 <DIR> d-------- C:\Program Files\Common Files\SolidWorks Shared
2008-02-27 15:39 . 2008-02-27 15:39 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\DATAAP~1\SolidWorks
2008-02-27 15:38 . 2008-02-27 15:38 <DIR> d-------- C:\Program Files\Windows Desktop Search
2008-02-27 15:13 . 2008-02-27 15:13 <DIR> d-------- C:\Program Files\MSBuild
2008-02-27 15:11 . 2008-02-27 15:11 <DIR> d-------- C:\WINDOWS\system32\XPSViewer
2008-02-27 15:10 . 2008-02-27 15:10 <DIR> d-------- C:\Program Files\Reference Assemblies
2008-02-27 15:10 . 2006-06-29 13:07 14,048 --------- C:\WINDOWS\system32\spmsg2.dll
2008-02-27 15:09 . 2008-02-27 15:09 <DIR> d-------- C:\Program Files\MSECache
2008-02-27 14:55 . 2008-02-27 14:55 <DIR> d-------- C:\Program Files\PowerISO
2008-02-21 21:40 . 2008-03-02 17:53 <DIR> d-------- C:\Program Files\Opera
2008-02-15 19:07 . 2008-02-15 19:12 2,359,350 --a------ C:\WINDOWS\ACD Wallpaper.bmp
2008-02-12 02:12 . 2008-02-12 02:12 <DIR> d-------- C:\Documents and Settings\User\Data aplikací\CoolFlvMan
2008-02-12 01:09 . 2008-02-12 01:09 <DIR> d-------- C:\Documents and Settings\User\Data aplikací\CoolYouTubeDownloader
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-07 22:37 --------- d-----w C:\Documents and Settings\User\Data aplikací\Skype
2008-03-07 22:33 --------- d-----w C:\Documents and Settings\User\Data aplikací\uTorrent
2008-03-05 23:31 --------- d-----w C:\DOCUME~1\ALLUSE~1\DATAAP~1\avg7
2008-03-04 01:38 --------- d-----w C:\Documents and Settings\User\Data aplikací\AVG7
2008-03-03 22:29 --------- d-----w C:\Documents and Settings\User\Data aplikací\temp
2008-03-01 16:07 669,184 ----a-w C:\WINDOWS\system32\pbsvc.exe
2008-03-01 16:07 66,872 ----a-w C:\WINDOWS\system32\PnkBstrA.exe
2008-03-01 16:07 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-03-01 16:07 22,328 ----a-w C:\Documents and Settings\User\Data aplikací\PnkBstrK.sys
2008-03-01 16:07 103,736 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
2008-02-27 15:03 --------- d-----w C:\Program Files\SpeedFan
2008-02-27 14:55 --------- d-----w C:\Program Files\Software2000
2008-02-17 22:53 --------- d-----w C:\Program Files\Cool CENZURA
2008-02-08 19:08 --------- d-----w C:\Documents and Settings\User\Data aplikací\gtk-2.0
2008-02-07 20:15 --------- d-----w C:\Program Files\EA SPORTS
2008-02-06 20:19 --------- d-----w C:\Program Files\Electronic Arts
2008-02-06 19:38 --------- d-----w C:\Program Files\totalcmd
2008-02-03 19:48 278,984 ----a-w C:\WINDOWS\system32\drivers\atksgt.sys
2008-02-03 19:48 --------- d-----w C:\Program Files\Zaklínač
2008-02-03 19:39 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-31 18:50 --------- d-----w C:\Program Files\ElcomSoft
2008-01-31 18:38 --------- d-----w C:\Program Files\RAR Password Cracker
2008-01-31 16:54 --------- d-----w C:\Program Files\THQ
2008-01-27 21:56 107,888 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2008-01-26 23:31 --------- d-----w C:\Program Files\uTorrent
2008-01-20 07:07 33,292 ----a-w C:\WINDOWS\system32\drivers\scdemu.sys
2008-01-16 16:20 52,736 ----a-w C:\WINDOWS\ipuninst.exe
2008-01-16 16:18 --------- d-----w C:\Program Files\BlackIsle
2008-01-08 19:00 --------- d-----w C:\Program Files\Pixia
2008-01-08 18:54 --------- d-----w C:\Program Files\GIMP-2.0
2008-01-08 15:25 --------- d-----w C:\Program Files\Activision
2008-01-07 21:17 --------- d-----w C:\Program Files\JoWooD Productions Software AG
2008-01-07 15:40 --------- d-----w C:\Program Files\ParadisePoker
2008-01-02 10:13 197,120 ----a-w C:\WINDOWS\system32\FHMcom_OxleyStrip.scr
2007-12-07 02:14 824,832 ----a-w C:\WINDOWS\system32\wininet.dll
2007-09-23 21:32 4,687,304 ----a-w C:\Program Files\paradisepoker_com_cs.exe
2007-01-14 21:00 1 ----a-w C:\Documents and Settings\User\SI.bin
2005-08-08 00:41 35,328 ----a-w C:\Program Files\usb_format.exe
2002-05-27 08:25 295,424 ----a-w C:\Program Files\SubtitleToolCZ.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2006-03-02 13:00 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 17:24 1694208]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2006-12-18 17:32 25365032]
"pdfSaver3"="c:\Program Files\PDF\pdfSaver\pdfSaver3.exe" [2004-05-19 14:29 385024]
"QIP2005"="C:\Program Files\QIP\qip.exe" [2007-11-16 14:17 3264512]
"uTorrent"="C:\Program Files\uTorrent\utorrent.exe" [2008-01-26 18:02 219952]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SkyTel"="SkyTel.EXE" [2006-05-16 11:04 2879488 C:\WINDOWS\SkyTel.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-08-11 14:43 7630848]
"nwiz"="nwiz.exe" [2006-08-11 14:43 1519616 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-08-11 14:43 86016]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"RTHDCPL"="RTHDCPL.EXE" [2006-06-28 07:54 16248320 C:\WINDOWS\RTHDCPL.exe]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2007-12-21 15:21 579072]
"pdfSaver3"="" []
"602PC SUITE PDF Saver"="C:\Program Files\Common Files\602phs\pdfSaver.exe" [2005-08-31 16:00 49152]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2004-06-16 05:03 221184]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-06-16 05:03 81920]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2005-10-18 10:58 278528]
"ConMet"="C:\Program Files\ConMet\ConMet.exe" [ ]
"tsnpstd3"="C:\WINDOWS\tsnpstd3.exe" [2006-07-07 15:04 262144]
"snpstd3"="C:\WINDOWS\vsnpstd3.exe" [2006-09-18 14:12 843776]
"PWRISOVM.EXE"="C:\Program Files\PowerISO\PWRISOVM.EXE" [2008-01-20 08:05 217088]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2006-03-02 13:00 15360]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe" [2007-10-23 13:58 219136]
C:\DOCUME~1\ALLUSE~1\NABDKA~1\Programy\POSPUT~1\
Mˇstnˇ vyhled v nˇ.lnk - C:\Program Files\Windows Desktop Search\WindowsSearch.exe [2007-02-05 15:40:46 118784]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [2007-02-05 15:39 294400]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WLCtrl32]
WLCtrl32.dll
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\uTorrent\\utorrent.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
R1 fwdrv;Firewall Driver;C:\WINDOWS\system32\drivers\fwdrv.sys [2007-02-20 13:34]
R1 khips;Kerio HIPS Driver;C:\WINDOWS\system32\drivers\khips.sys [2007-02-20 13:34]
R3 PSched;Plánovač paketů technologie QoS;C:\WINDOWS\system32\DRIVERS\psched.sys [2006-03-02 13:00]
R3 usbccgp;Obecný nadřazený ovladač Microsoft USB;C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2004-08-03 23:08]
R3 usbohci;Ovladač Miniport otevřeného hostitelského řadiče Microsoft USB;C:\WINDOWS\system32\DRIVERS\usbohci.sys [2006-03-02 13:00]
S0 Hou85;Hou85;C:\WINDOWS\system32\Drivers\Hou85.sys []
S0 Pwd74;Pwd74;C:\WINDOWS\system32\Drivers\Pwd74.sys []
S3 hamachi_oem;PlayLinc Adapter;C:\WINDOWS\system32\DRIVERS\gan_adapter.sys [2006-08-28 23:54]
S3 SetupNTGLM7X;SetupNTGLM7X;D:\NTGLM7X.sys []
S3 USBSTOR;Ovladač velkokapacitního paměťového zařízení USB;C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-03 23:08]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{23146296-69c9-11dc-a3cc-001617ba045b}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-07 23:37:23
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-03-07 23:38:58
ComboFix-quarantined-files.txt 2008-03-07 22:38:51
ComboFix2.txt 2008-03-04 22:26:15
ComboFix3.txt 2008-03-04 02:43:52
ComboFix4.txt 2008-03-03 20:26:41
.
2008-02-28 20:30:44 --- E O F ---
Please check it. I don't know what to do about winlogon.exe.
If VirusTotal found something in the file C:\WINDOWS\system32\Drivers\Hou85.sys, then we have to delete it.
Move ComboFix to the desktop (if it is not there yet) - open Notepad - copy the text from the following box into it:
File::
C:\WINDOWS\system32\Drivers\Hou85.sys
Drivers::
Hou85
Save the text as CFScript.txt on the desktop - after saving, grab the .txt file you created with the left mouse button and drag it over the ComboFix icon - drop the .txt file on the ComboFix icon - ComboFix will start (you may have to confirm the licence terms again by clicking Yes) - and CF will scan again; at the end of the scan CF will try to delete the specified files or whatever else we told it to do - after the action is done a Notepad window with text will appear again; copy that text here and please wait for further advice
+ to be safe, let me ask once more how this file fared on VirusTotal: C:\WINDOWS\system32\Drivers\Pwd74.sys
Done. The file C:\WINDOWS\system32\Drivers\Pwd74.sys is not in drivers, and neither is Hou 85.sys. Log attached. I noticed that the log mentions these files, see:
S0 Hou85;Hou85;C:\WINDOWS\system32\Drivers\Hou85.sys []
S0 Pwd74;Pwd74;C:\WINDOWS\system32\Drivers\Pwd74.sys []
So I looked very carefully, but still did not find them at the given location. If they are there, they are somehow masked and not visible, so they can't be submitted to VirusTotal either.
ComboFix 08-03-03.4 - User 2008-03-09 1:05:00.5 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1250.1.1029.18.1455 [GMT 1:00]
Running from: C:\Documents and Settings\User\Plocha\ComboFix.exe
Command switches used :: C:\Documents and Settings\User\Plocha\CFScript.txt
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
FILE ::
C:\WINDOWS\system32\Drivers\Hou85.sys
.
((((((((((((((((((((((((( Files Created from 2008-02-09 to 2008-03-09 )))))))))))))))))))))))))))))))
.
2008-03-02 21:02 . 2008-03-02 21:02 <DIR> d-------- C:\Program Files\CCleaner
2008-03-02 19:21 . 2008-03-02 19:22 <DIR> d-------- C:\WINDOWS\ERUNT
2008-03-02 19:20 . 2008-03-04 03:18 326 --a------ C:\WINDOWS\system32\drivers\fwdrv.err
2008-03-02 18:59 . 2008-03-04 03:27 <DIR> d-------- C:\SDFix
2008-03-02 18:58 . 2008-03-02 18:58 1,312,273 --a------ C:\SDFix.exe
2008-03-02 18:48 . 2008-03-02 18:49 1,312,273 --a------ C:\default
2008-03-02 17:18 . 2008-03-02 17:18 <DIR> d-------- C:\Program Files\Sunbelt Software
2008-03-02 16:36 . 2008-03-02 16:36 26,240 --a------ C:\WINDOWS\system32\drivers\Fms64.sys
2008-03-02 16:19 . 2008-03-02 16:19 <DIR> d-------- C:\Program Files\Ashampoo
2008-03-01 14:16 . 2008-03-02 14:38 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2008-03-01 13:47 . 2008-03-01 13:47 <DIR> d-------- C:\Program Files\MagicISO
2008-02-27 15:52 . 2008-02-27 15:52 <DIR> d-------- C:\Documents and Settings\User\Data aplikací\DassaultSystemes
2008-02-27 15:52 . 2008-02-27 15:52 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\DATAAP~1\DassaultSystemes
2008-02-27 15:51 . 2008-02-27 15:51 <DIR> d-------- C:\Documents and Settings\User\Data aplikací\SolidWorks 2008
2008-02-27 15:48 . 2008-02-27 15:48 <DIR> d-------- C:\Documents and Settings\User\Data aplikací\SolidWorks
2008-02-27 15:45 . 2008-02-27 15:45 <DIR> d-------- C:\Documents and Settings\User\Data aplikací\DWGeditor
2008-02-27 15:45 . 2008-02-27 15:45 0 --a------ C:\WINDOWS\eDrawingOfficeAutomator.INI
2008-02-27 15:43 . 2008-02-27 15:58 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-02-27 15:39 . 2008-02-27 15:39 <DIR> d-------- C:\WINDOWS\system32\GroupPolicy
2008-02-27 15:39 . 2008-02-27 15:44 <DIR> d-------- C:\Program Files\Solidworks Data
2008-02-27 15:39 . 2008-02-27 16:02 <DIR> d-------- C:\Program Files\SolidWorks
2008-02-27 15:39 . 2008-02-27 16:02 <DIR> d-------- C:\Program Files\Common Files\SolidWorks Shared
2008-02-27 15:39 . 2008-02-27 15:39 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\DATAAP~1\SolidWorks
2008-02-27 15:38 . 2008-02-27 15:38 <DIR> d-------- C:\Program Files\Windows Desktop Search
2008-02-27 15:13 . 2008-02-27 15:13 <DIR> d-------- C:\Program Files\MSBuild
2008-02-27 15:11 . 2008-02-27 15:11 <DIR> d-------- C:\WINDOWS\system32\XPSViewer
2008-02-27 15:10 . 2008-02-27 15:10 <DIR> d-------- C:\Program Files\Reference Assemblies
2008-02-27 15:10 . 2006-06-29 13:07 14,048 --------- C:\WINDOWS\system32\spmsg2.dll
2008-02-27 15:09 . 2008-02-27 15:09 <DIR> d-------- C:\Program Files\MSECache
2008-02-27 14:55 . 2008-02-27 14:55 <DIR> d-------- C:\Program Files\PowerISO
2008-02-21 21:40 . 2008-03-02 17:53 <DIR> d-------- C:\Program Files\Opera
2008-02-15 19:07 . 2008-02-15 19:12 2,359,350 --a------ C:\WINDOWS\ACD Wallpaper.bmp
2008-02-12 02:12 . 2008-02-12 02:12 <DIR> d-------- C:\Documents and Settings\User\Data aplikací\CoolFlvMan
2008-02-12 01:09 . 2008-02-12 01:09 <DIR> d-------- C:\Documents and Settings\User\Data aplikací\CoolYouTubeDownloader
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-09 00:09 --------- d-----w C:\Documents and Settings\User\Data aplikací\Skype
2008-03-09 00:04 --------- d-----w C:\Documents and Settings\User\Data aplikací\uTorrent
2008-03-08 02:09 --------- d-----w C:\Documents and Settings\User\Data aplikací\temp
2008-03-05 23:31 --------- d-----w C:\DOCUME~1\ALLUSE~1\DATAAP~1\avg7
2008-03-04 01:38 --------- d-----w C:\Documents and Settings\User\Data aplikací\AVG7
2008-03-01 16:07 669,184 ----a-w C:\WINDOWS\system32\pbsvc.exe
2008-03-01 16:07 66,872 ----a-w C:\WINDOWS\system32\PnkBstrA.exe
2008-03-01 16:07 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-03-01 16:07 22,328 ----a-w C:\Documents and Settings\User\Data aplikací\PnkBstrK.sys
2008-03-01 16:07 103,736 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
2008-02-27 15:03 --------- d-----w C:\Program Files\SpeedFan
2008-02-27 14:55 --------- d-----w C:\Program Files\Software2000
2008-02-17 22:53 --------- d-----w C:\Program Files\Cool CENZURA
2008-02-08 19:08 --------- d-----w C:\Documents and Settings\User\Data aplikací\gtk-2.0
2008-02-07 20:15 --------- d-----w C:\Program Files\EA SPORTS
2008-02-06 20:19 --------- d-----w C:\Program Files\Electronic Arts
2008-02-06 19:38 --------- d-----w C:\Program Files\totalcmd
2008-02-03 19:48 278,984 ----a-w C:\WINDOWS\system32\drivers\atksgt.sys
2008-02-03 19:48 --------- d-----w C:\Program Files\Zaklínač
2008-02-03 19:39 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-31 18:50 --------- d-----w C:\Program Files\ElcomSoft
2008-01-31 18:38 --------- d-----w C:\Program Files\RAR Password Cracker
2008-01-31 16:54 --------- d-----w C:\Program Files\THQ
2008-01-27 21:56 107,888 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2008-01-26 23:31 --------- d-----w C:\Program Files\uTorrent
2008-01-20 07:07 33,292 ----a-w C:\WINDOWS\system32\drivers\scdemu.sys
2008-01-16 16:20 52,736 ----a-w C:\WINDOWS\ipuninst.exe
2008-01-16 16:18 --------- d-----w C:\Program Files\BlackIsle
2008-01-02 10:13 197,120 ----a-w C:\WINDOWS\system32\FHMcom_OxleyStrip.scr
2007-09-23 21:32 4,687,304 ----a-w C:\Program Files\paradisepoker_com_cs.exe
2007-01-14 21:00 1 ----a-w C:\Documents and Settings\User\SI.bin
2005-08-08 00:41 35,328 ----a-w C:\Program Files\usb_format.exe
2002-05-27 08:25 295,424 ----a-w C:\Program Files\SubtitleToolCZ.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2006-03-02 13:00 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 17:24 1694208]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2006-12-18 17:32 25365032]
"pdfSaver3"="c:\Program Files\PDF\pdfSaver\pdfSaver3.exe" [2004-05-19 14:29 385024]
"QIP2005"="C:\Program Files\QIP\qip.exe" [2007-11-16 14:17 3264512]
"uTorrent"="C:\Program Files\uTorrent\utorrent.exe" [2008-01-26 18:02 219952]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SkyTel"="SkyTel.EXE" [2006-05-16 11:04 2879488 C:\WINDOWS\SkyTel.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-08-11 14:43 7630848]
"nwiz"="nwiz.exe" [2006-08-11 14:43 1519616 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-08-11 14:43 86016]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"RTHDCPL"="RTHDCPL.EXE" [2006-06-28 07:54 16248320 C:\WINDOWS\RTHDCPL.exe]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2007-12-21 15:21 579072]
"pdfSaver3"="" []
"602PC SUITE PDF Saver"="C:\Program Files\Common Files\602phs\pdfSaver.exe" [2005-08-31 16:00 49152]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2004-06-16 05:03 221184]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-06-16 05:03 81920]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2005-10-18 10:58 278528]
"ConMet"="C:\Program Files\ConMet\ConMet.exe" [ ]
"tsnpstd3"="C:\WINDOWS\tsnpstd3.exe" [2006-07-07 15:04 262144]
"snpstd3"="C:\WINDOWS\vsnpstd3.exe" [2006-09-18 14:12 843776]
"PWRISOVM.EXE"="C:\Program Files\PowerISO\PWRISOVM.EXE" [2008-01-20 08:05 217088]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2006-03-02 13:00 15360]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe" [2007-10-23 13:58 219136]
C:\DOCUME~1\ALLUSE~1\NABDKA~1\Programy\POSPUT~1\
Mˇstnˇ vyhled v nˇ.lnk - C:\Program Files\Windows Desktop Search\WindowsSearch.exe [2007-02-05 15:40:46 118784]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [2007-02-05 15:39 294400]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WLCtrl32]
WLCtrl32.dll
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\uTorrent\\utorrent.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\\Program Files\\QIP\\qip.exe"=
"C:\\Program Files\\Sunbelt Software\\Personal Firewall\\kpf4gui.exe"=
R1 fwdrv;Firewall Driver;C:\WINDOWS\system32\drivers\fwdrv.sys [2007-02-20 13:34]
R1 khips;Kerio HIPS Driver;C:\WINDOWS\system32\drivers\khips.sys [2007-02-20 13:34]
R3 PSched;Plánovač paketů technologie QoS;C:\WINDOWS\system32\DRIVERS\psched.sys [2006-03-02 13:00]
R3 usbccgp;Obecný nadřazený ovladač Microsoft USB;C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2004-08-03 23:08]
R3 usbohci;Ovladač Miniport otevřeného hostitelského řadiče Microsoft USB;C:\WINDOWS\system32\DRIVERS\usbohci.sys [2006-03-02 13:00]
S0 Hou85;Hou85;C:\WINDOWS\system32\Drivers\Hou85.sys []
S0 Pwd74;Pwd74;C:\WINDOWS\system32\Drivers\Pwd74.sys []
S3 hamachi_oem;PlayLinc Adapter;C:\WINDOWS\system32\DRIVERS\gan_adapter.sys [2006-08-28 23:54]
S3 SetupNTGLM7X;SetupNTGLM7X;D:\NTGLM7X.sys []
S3 USBSTOR;Ovladač velkokapacitního paměťového zařízení USB;C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-03 23:08]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{23146296-69c9-11dc-a3cc-001617ba045b}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-09 01:09:04
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-03-09 1:10:38
ComboFix-quarantined-files.txt 2008-03-09 00:10:32
ComboFix2.txt 2008-03-07 22:39:00
ComboFix3.txt 2008-03-04 22:26:15
ComboFix4.txt 2008-03-04 02:43:52
ComboFix5.txt 2008-03-03 20:26:41
.
2008-02-28 20:30:44 --- E O F ---
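Added example (it is not part of this thread and not ComboFix's own code): a small Python triage script that pulls the service/driver lines and the Winlogon Notify entry out of a ComboFix log like the ones above and lists every registration whose bracket is empty. That is exactly the situation the poster describes: the registry still references Hou85.sys and Pwd74.sys as boot-start drivers, but no such file is on disk, so there is nothing to upload to VirusTotal, and the leftover entries are what the CFScript removes. Assumptions, marked in the comments: the meaning of the R/S letter, the start-type digit and the empty bracket are inferred from the log format, not documented here by ComboFix, and the function names are my own. The sample input is copied from the second log in the thread.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Matches the service/driver lines ComboFix prints under "Reg Loading Points", e.g.
#   R1 fwdrv;Firewall Driver;C:\WINDOWS\system32\drivers\fwdrv.sys [2007-02-20 13:34]
#   S0 Hou85;Hou85;C:\WINDOWS\system32\Drivers\Hou85.sys []
# Assumption (inferred from the log, not documented by ComboFix in this thread): the
# letter is R = running / S = stopped, the digit is the Windows start type (0 boot,
# 1 system, 2 auto, 3 manual, 4 disabled) and the bracket holds the timestamp ComboFix
# read from the file on disk; it is empty when no file was found at that path.
SERVICE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>[0-4])\s+"
    r"(?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.*?)\s*\[(?P<stamp>[^\]]*)\]\s*$"
)

# A Winlogon Notify package is listed as a key line followed by the DLL on the next line.
NOTIFY_KEY_RE = re.compile(
    r"^\[hkey_local_machine\\.*\\winlogon\\notify\\(?P<pkg>[^\]]+)\]$", re.IGNORECASE
)

START_TYPES = {0: "boot", 1: "system", 2: "auto", 3: "manual", 4: "disabled"}


@dataclass
class ServiceEntry:
    name: str
    display: str
    path: str
    state: str   # "R" running or "S" stopped
    start: int   # Windows start type, see START_TYPES
    stamp: str   # file timestamp from the bracket, "" when ComboFix found no file

    @property
    def file_missing(self) -> bool:
        return self.stamp == ""


def parse_service_line(line: str) -> Optional[ServiceEntry]:
    """Parse one log line; returns None for lines that are not service entries."""
    m = SERVICE_RE.match(line.strip())
    if m is None:
        return None
    return ServiceEntry(
        name=m["name"],
        display=m["display"],
        path=m["path"].strip(),
        state=m["state"],
        start=int(m["start"]),
        stamp=m["stamp"].strip(),
    )


def parse_services(log_text: str) -> List[ServiceEntry]:
    """All service/driver entries found anywhere in a ComboFix log."""
    entries = [parse_service_line(ln) for ln in log_text.splitlines()]
    return [e for e in entries if e is not None]


def orphan_services(log_text: str) -> List[ServiceEntry]:
    """Registrations whose binary is missing on disk, boot/system-start drivers first
    (those load before any antivirus, so a leftover entry there deserves the closest look)."""
    missing = [e for e in parse_services(log_text) if e.file_missing]
    return sorted(missing, key=lambda e: (e.start, e.name.lower()))


def winlogon_notify_packages(log_text: str) -> List[Tuple[str, str]]:
    """(package name, DLL) pairs registered under the Winlogon Notify key."""
    lines = [ln.strip() for ln in log_text.splitlines()]
    found = []
    for key_line, dll_line in zip(lines, lines[1:]):
        m = NOTIFY_KEY_RE.match(key_line)
        if m is not None:
            found.append((m["pkg"], dll_line))
    return found


# Sample input: lines copied from the second ComboFix log in this thread.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WLCtrl32]
WLCtrl32.dll
R1 fwdrv;Firewall Driver;C:\WINDOWS\system32\drivers\fwdrv.sys [2007-02-20 13:34]
R1 khips;Kerio HIPS Driver;C:\WINDOWS\system32\drivers\khips.sys [2007-02-20 13:34]
R3 PSched;Plánovač paketů technologie QoS;C:\WINDOWS\system32\DRIVERS\psched.sys [2006-03-02 13:00]
S0 Hou85;Hou85;C:\WINDOWS\system32\Drivers\Hou85.sys []
S0 Pwd74;Pwd74;C:\WINDOWS\system32\Drivers\Pwd74.sys []
S3 hamachi_oem;PlayLinc Adapter;C:\WINDOWS\system32\DRIVERS\gan_adapter.sys [2006-08-28 23:54]
S3 SetupNTGLM7X;SetupNTGLM7X;D:\NTGLM7X.sys []
"""

if __name__ == "__main__":
    for pkg, dll in winlogon_notify_packages(SAMPLE_LOG):
        print(f"Winlogon Notify package {pkg} -> {dll}")
    for e in orphan_services(SAMPLE_LOG):
        print(f"{START_TYPES[e.start]:8} {e.name:14} {e.path}  (no file found)")
```

Run it on a full ComboFix log and the two boot-start entries come out first, followed by the manual-start SetupNTGLM7X entry pointing at a removable drive; the Winlogon Notify package is listed separately because a DLL registered there is loaded into winlogon.exe at logon, which is why the AVG alert in the first post and the Winlogon pop-ups belong together.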
S0 Pwd74;Pwd74;C:\WINDOWS\system32\Drivers\Pwd74.sys []
prohlédl jsem to proto velmi pečlivě, přesto jsem je v udané lokaci neobjevil. Pokud tam jsou, pak jsou nějak maskované a nejsou vidět, tedy ani nejdou zadat do virustotal.
ComboFix 08-03-03.4 - User 2008-03-09 1:05:00.5 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1250.1.1029.18.1455 [GMT 1:00]
Running from: C:\Documents and Settings\User\Plocha\ComboFix.exe
Command switches used :: C:\Documents and Settings\User\Plocha\CFScript.txt
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
FILE ::
C:\WINDOWS\system32\Drivers\Hou85.sys
.
((((((((((((((((((((((((( Files Created from 2008-02-09 to 2008-03-09 )))))))))))))))))))))))))))))))
.
2008-03-02 21:02 . 2008-03-02 21:02 <DIR> d-------- C:\Program Files\CCleaner
2008-03-02 19:21 . 2008-03-02 19:22 <DIR> d-------- C:\WINDOWS\ERUNT
2008-03-02 19:20 . 2008-03-04 03:18 326 --a------ C:\WINDOWS\system32\drivers\fwdrv.err
2008-03-02 18:59 . 2008-03-04 03:27 <DIR> d-------- C:\SDFix
2008-03-02 18:58 . 2008-03-02 18:58 1,312,273 --a------ C:\SDFix.exe
2008-03-02 18:48 . 2008-03-02 18:49 1,312,273 --a------ C:\default
2008-03-02 17:18 . 2008-03-02 17:18 <DIR> d-------- C:\Program Files\Sunbelt Software
2008-03-02 16:36 . 2008-03-02 16:36 26,240 --a------ C:\WINDOWS\system32\drivers\Fms64.sys
2008-03-02 16:19 . 2008-03-02 16:19 <DIR> d-------- C:\Program Files\Ashampoo
2008-03-01 14:16 . 2008-03-02 14:38 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2008-03-01 13:47 . 2008-03-01 13:47 <DIR> d-------- C:\Program Files\MagicISO
2008-02-27 15:52 . 2008-02-27 15:52 <DIR> d-------- C:\Documents and Settings\User\Data aplikací\DassaultSystemes
2008-02-27 15:52 . 2008-02-27 15:52 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\DATAAP~1\DassaultSystemes
2008-02-27 15:51 . 2008-02-27 15:51 <DIR> d-------- C:\Documents and Settings\User\Data aplikací\SolidWorks 2008
2008-02-27 15:48 . 2008-02-27 15:48 <DIR> d-------- C:\Documents and Settings\User\Data aplikací\SolidWorks
2008-02-27 15:45 . 2008-02-27 15:45 <DIR> d-------- C:\Documents and Settings\User\Data aplikací\DWGeditor
2008-02-27 15:45 . 2008-02-27 15:45 0 --a------ C:\WINDOWS\eDrawingOfficeAutomator.INI
2008-02-27 15:43 . 2008-02-27 15:58 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-02-27 15:39 . 2008-02-27 15:39 <DIR> d-------- C:\WINDOWS\system32\GroupPolicy
2008-02-27 15:39 . 2008-02-27 15:44 <DIR> d-------- C:\Program Files\Solidworks Data
2008-02-27 15:39 . 2008-02-27 16:02 <DIR> d-------- C:\Program Files\SolidWorks
2008-02-27 15:39 . 2008-02-27 16:02 <DIR> d-------- C:\Program Files\Common Files\SolidWorks Shared
2008-02-27 15:39 . 2008-02-27 15:39 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\DATAAP~1\SolidWorks
2008-02-27 15:38 . 2008-02-27 15:38 <DIR> d-------- C:\Program Files\Windows Desktop Search
2008-02-27 15:13 . 2008-02-27 15:13 <DIR> d-------- C:\Program Files\MSBuild
2008-02-27 15:11 . 2008-02-27 15:11 <DIR> d-------- C:\WINDOWS\system32\XPSViewer
2008-02-27 15:10 . 2008-02-27 15:10 <DIR> d-------- C:\Program Files\Reference Assemblies
2008-02-27 15:10 . 2006-06-29 13:07 14,048 --------- C:\WINDOWS\system32\spmsg2.dll
2008-02-27 15:09 . 2008-02-27 15:09 <DIR> d-------- C:\Program Files\MSECache
2008-02-27 14:55 . 2008-02-27 14:55 <DIR> d-------- C:\Program Files\PowerISO
2008-02-21 21:40 . 2008-03-02 17:53 <DIR> d-------- C:\Program Files\Opera
2008-02-15 19:07 . 2008-02-15 19:12 2,359,350 --a------ C:\WINDOWS\ACD Wallpaper.bmp
2008-02-12 02:12 . 2008-02-12 02:12 <DIR> d-------- C:\Documents and Settings\User\Data aplikací\CoolFlvMan
2008-02-12 01:09 . 2008-02-12 01:09 <DIR> d-------- C:\Documents and Settings\User\Data aplikací\CoolYouTubeDownloader
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-09 00:09 --------- d-----w C:\Documents and Settings\User\Data aplikací\Skype
2008-03-09 00:04 --------- d-----w C:\Documents and Settings\User\Data aplikací\uTorrent
2008-03-08 02:09 --------- d-----w C:\Documents and Settings\User\Data aplikací\temp
2008-03-05 23:31 --------- d-----w C:\DOCUME~1\ALLUSE~1\DATAAP~1\avg7
2008-03-04 01:38 --------- d-----w C:\Documents and Settings\User\Data aplikací\AVG7
2008-03-01 16:07 669,184 ----a-w C:\WINDOWS\system32\pbsvc.exe
2008-03-01 16:07 66,872 ----a-w C:\WINDOWS\system32\PnkBstrA.exe
2008-03-01 16:07 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-03-01 16:07 22,328 ----a-w C:\Documents and Settings\User\Data aplikací\PnkBstrK.sys
2008-03-01 16:07 103,736 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
2008-02-27 15:03 --------- d-----w C:\Program Files\SpeedFan
2008-02-27 14:55 --------- d-----w C:\Program Files\Software2000
2008-02-17 22:53 --------- d-----w C:\Program Files\Cool CENZURA
2008-02-08 19:08 --------- d-----w C:\Documents and Settings\User\Data aplikací\gtk-2.0
2008-02-07 20:15 --------- d-----w C:\Program Files\EA SPORTS
2008-02-06 20:19 --------- d-----w C:\Program Files\Electronic Arts
2008-02-06 19:38 --------- d-----w C:\Program Files\totalcmd
2008-02-03 19:48 278,984 ----a-w C:\WINDOWS\system32\drivers\atksgt.sys
2008-02-03 19:48 --------- d-----w C:\Program Files\Zaklínač
2008-02-03 19:39 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-31 18:50 --------- d-----w C:\Program Files\ElcomSoft
2008-01-31 18:38 --------- d-----w C:\Program Files\RAR Password Cracker
2008-01-31 16:54 --------- d-----w C:\Program Files\THQ
2008-01-27 21:56 107,888 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2008-01-26 23:31 --------- d-----w C:\Program Files\uTorrent
2008-01-20 07:07 33,292 ----a-w C:\WINDOWS\system32\drivers\scdemu.sys
2008-01-16 16:20 52,736 ----a-w C:\WINDOWS\ipuninst.exe
2008-01-16 16:18 --------- d-----w C:\Program Files\BlackIsle
2008-01-02 10:13 197,120 ----a-w C:\WINDOWS\system32\FHMcom_OxleyStrip.scr
2007-09-23 21:32 4,687,304 ----a-w C:\Program Files\paradisepoker_com_cs.exe
2007-01-14 21:00 1 ----a-w C:\Documents and Settings\User\SI.bin
2005-08-08 00:41 35,328 ----a-w C:\Program Files\usb_format.exe
2002-05-27 08:25 295,424 ----a-w C:\Program Files\SubtitleToolCZ.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2006-03-02 13:00 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 17:24 1694208]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2006-12-18 17:32 25365032]
"pdfSaver3"="c:\Program Files\PDF\pdfSaver\pdfSaver3.exe" [2004-05-19 14:29 385024]
"QIP2005"="C:\Program Files\QIP\qip.exe" [2007-11-16 14:17 3264512]
"uTorrent"="C:\Program Files\uTorrent\utorrent.exe" [2008-01-26 18:02 219952]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SkyTel"="SkyTel.EXE" [2006-05-16 11:04 2879488 C:\WINDOWS\SkyTel.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-08-11 14:43 7630848]
"nwiz"="nwiz.exe" [2006-08-11 14:43 1519616 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-08-11 14:43 86016]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"RTHDCPL"="RTHDCPL.EXE" [2006-06-28 07:54 16248320 C:\WINDOWS\RTHDCPL.exe]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2007-12-21 15:21 579072]
"pdfSaver3"="" []
"602PC SUITE PDF Saver"="C:\Program Files\Common Files\602phs\pdfSaver.exe" [2005-08-31 16:00 49152]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2004-06-16 05:03 221184]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-06-16 05:03 81920]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2005-10-18 10:58 278528]
"ConMet"="C:\Program Files\ConMet\ConMet.exe" [ ]
"tsnpstd3"="C:\WINDOWS\tsnpstd3.exe" [2006-07-07 15:04 262144]
"snpstd3"="C:\WINDOWS\vsnpstd3.exe" [2006-09-18 14:12 843776]
"PWRISOVM.EXE"="C:\Program Files\PowerISO\PWRISOVM.EXE" [2008-01-20 08:05 217088]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2006-03-02 13:00 15360]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe" [2007-10-23 13:58 219136]
C:\DOCUME~1\ALLUSE~1\NABDKA~1\Programy\POSPUT~1\
Místní vyhledávání.lnk - C:\Program Files\Windows Desktop Search\WindowsSearch.exe [2007-02-05 15:40:46 118784]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [2007-02-05 15:39 294400]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WLCtrl32]
WLCtrl32.dll
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\uTorrent\\utorrent.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\\Program Files\\QIP\\qip.exe"=
"C:\\Program Files\\Sunbelt Software\\Personal Firewall\\kpf4gui.exe"=
R1 fwdrv;Firewall Driver;C:\WINDOWS\system32\drivers\fwdrv.sys [2007-02-20 13:34]
R1 khips;Kerio HIPS Driver;C:\WINDOWS\system32\drivers\khips.sys [2007-02-20 13:34]
R3 PSched;Plánovač paketů technologie QoS;C:\WINDOWS\system32\DRIVERS\psched.sys [2006-03-02 13:00]
R3 usbccgp;Obecný nadřazený ovladač Microsoft USB;C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2004-08-03 23:08]
R3 usbohci;Ovladač Miniport otevřeného hostitelského řadiče Microsoft USB;C:\WINDOWS\system32\DRIVERS\usbohci.sys [2006-03-02 13:00]
S0 Hou85;Hou85;C:\WINDOWS\system32\Drivers\Hou85.sys []
S0 Pwd74;Pwd74;C:\WINDOWS\system32\Drivers\Pwd74.sys []
S3 hamachi_oem;PlayLinc Adapter;C:\WINDOWS\system32\DRIVERS\gan_adapter.sys [2006-08-28 23:54]
S3 SetupNTGLM7X;SetupNTGLM7X;D:\NTGLM7X.sys []
S3 USBSTOR;Ovladač velkokapacitního paměťového zařízení USB;C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-03 23:08]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{23146296-69c9-11dc-a3cc-001617ba045b}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-09 01:09:04
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-03-09 1:10:38
ComboFix-quarantined-files.txt 2008-03-09 00:10:32
ComboFix2.txt 2008-03-07 22:39:00
ComboFix3.txt 2008-03-04 22:26:15
ComboFix4.txt 2008-03-04 02:43:52
ComboFix5.txt 2008-03-03 20:26:41
.
2008-02-28 20:30:44 --- E O F ---
Sure, but even then it behaves as if the file isn't there and nothing gets sent. Or rather, the page stays on the "sending" screen and nothing happens. When I try it with a different file that is definitely on the computer, the check runs. I don't know.
Otherwise, I installed Spyware Terminator, which found and removed C:/windows/system32/wLctrl32.dll, saying it is a Trojan horse downloader agent. ACFG (the same as AVG), plus its component in the registry. The problem is that I have already removed it several times. I'm not sure whether removing it with Spyware Terminator was final. And right now the main thing that worries me: I was notified by my ISP about spam leaving my computer. When I open the overview in Kerio, I can see it goes through C/Windows/system32/services.exe, where one outgoing connection after another pops up. How do I stop it? And one more thing: something is apparently able to switch off the firewall that is built into Windows.
Try running SDFix in Safe Mode: http://www.paul27.ic.cz/navody.html - click SDFix in the menu.
During the test, after the phase where I'm asked to press any key, a blue-screen error popped up. I'm attaching the report. An item named catchme was also saved to my desktop as a Notepad file; I'm sending its contents too.
SDFix: Version 1.150
Run by Administrator on po 10.03.2008 at 17:51
Microsoft Windows XP [Verze 5.1.2600]
Running From: C:\SDFix
Checking Services :
Restoring Windows Registry Values
Restoring Windows Default Hosts File
Rebooting
Checking Files :
Trojan Files Found:
C:\Program Files\tmp39671.exe - Deleted
C:\Program Files\tmp473812.exe - Deleted
C:\Program Files\tmp60953.exe - Deleted
C:\WINDOWS\system32\WLCtrl32.dll - Deleted
C:\WINDOWS\system32\WLCtrl32.dll - Deleted
Removing Temp Files
ADS Check :
-----------------------------------------------------------------------------------------------------------------
catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-10 18:10:20
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
IPC error: 2 Systém nemůže nalézt uvedený soubor.
scanning hidden services & system hive ...
Well, I wouldn't say better, rather a bit different. Now, when I want to open Kerio to look at the overview of outgoing processes, it either starts up fine and shows only about two transfers of dubious character, or it doesn't want to start and shows only the frame and a few details in the lower part, including the number of outgoing processes, which runs into the hundreds. When I launch Task Manager and go to Processes, the item Kpf4gui.exe is taking up something over 90% CPU and the PC practically freezes, so that process has to be ended. WLctrl.dll is still, or rather again, in the system32 folder. Isn't it possible that the Kerio settings are blocking, say, sending a file to VirusTotal? (I tried to send that WLctrl.dll, which is definitely on the PC, and it didn't go through either. The ones I tried before were mostly system things that were rated as standard, so there was no need to send anything.)
Then I'll ask for one more ComboFix and HijackThis. Before that, clean up with CCleaner and RegCleaner: http://www.pcpomocnik.cz/c/softwarova-u ... leaner.htm
In the afternoon I installed avast. Together with AVG it found a few viruses and a large number of Trojan horses, most of them in the location C:/System Volume Information... then I ran ComboFix and finally HijackThis.
ComboFix 08-03-03.4 - User 2008-03-11 22:24:04.6 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1250.1.1029.18.1403 [GMT 1:00]
Running from: C:\Documents and Settings\User\Plocha\ComboFix.exe
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((( Files Created from 2008-02-11 to 2008-03-11 )))))))))))))))))))))))))))))))
.
2008-03-11 22:14 . 2008-03-11 22:20 <DIR> d-------- C:\Program Files\RegCleaner
2008-03-11 16:38 . 2008-03-11 16:38 <DIR> d-------- C:\Program Files\Alwil Software
2008-03-11 16:38 . 2007-12-04 14:04 837,496 --a------ C:\WINDOWS\system32\aswBoot.exe
2008-03-11 16:38 . 2004-01-09 10:13 380,928 --a------ C:\WINDOWS\system32\actskin4.ocx
2008-03-11 16:38 . 2007-12-04 13:54 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
2008-03-11 16:38 . 2007-12-04 15:55 94,544 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2008-03-11 16:38 . 2007-12-04 15:56 93,264 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2008-03-11 16:38 . 2007-12-04 15:51 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2008-03-11 16:38 . 2007-12-04 15:49 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2008-03-11 16:38 . 2007-12-04 15:53 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2008-03-09 12:38 . 2008-03-10 22:22 <DIR> d-------- C:\Program Files\WinClamAVShield
2008-03-09 12:20 . 2008-03-09 12:20 <DIR> d-------- C:\searchplugins
2008-03-09 12:20 . 2008-03-09 12:20 <DIR> d-------- C:\Program Files\Crawler
2008-03-09 12:19 . 2008-03-10 05:29 <DIR> d-------- C:\Program Files\Spyware Terminator
2008-03-09 12:19 . 2008-03-10 23:06 <DIR> d-------- C:\Documents and Settings\User\Data aplikací\Spyware Terminator
2008-03-09 12:19 . 2008-03-10 04:48 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\DATAAP~1\Spyware Terminator
2008-03-09 12:19 . 2008-03-09 12:19 138,752 --a------ C:\WINDOWS\system32\drivers\sp_rsdrv2.sys
2008-03-09 05:22 . 2008-03-09 05:22 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-03-09 05:22 . 2008-03-09 05:22 1,409 --a------ C:\WINDOWS\QTFont.for
2008-03-02 21:02 . 2008-03-02 21:02 <DIR> d-------- C:\Program Files\CCleaner
2008-03-02 19:21 . 2008-03-02 19:22 <DIR> d-------- C:\WINDOWS\ERUNT
2008-03-02 19:20 . 2008-03-11 16:44 28,342 --a------ C:\WINDOWS\system32\drivers\fwdrv.err
2008-03-02 18:59 . 2008-03-10 18:10 <DIR> d-------- C:\SDFix
2008-03-02 18:58 . 2008-03-02 18:58 1,312,273 --a------ C:\SDFix.exe
2008-03-02 18:48 . 2008-03-02 18:49 1,312,273 --a------ C:\default
2008-03-02 17:18 . 2008-03-02 17:18 <DIR> d-------- C:\Program Files\Sunbelt Software
2008-03-02 16:36 . 2008-03-02 16:36 26,240 --a------ C:\WINDOWS\system32\drivers\Fms64.sys
2008-03-02 16:19 . 2008-03-02 16:19 <DIR> d-------- C:\Program Files\Ashampoo
2008-03-01 14:16 . 2008-03-02 14:38 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2008-03-01 13:47 . 2008-03-01 13:47 <DIR> d-------- C:\Program Files\MagicISO
2008-02-27 15:52 . 2008-02-27 15:52 <DIR> d-------- C:\Documents and Settings\User\Data aplikací\DassaultSystemes
2008-02-27 15:52 . 2008-02-27 15:52 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\DATAAP~1\DassaultSystemes
2008-02-27 15:51 . 2008-02-27 15:51 <DIR> d-------- C:\Documents and Settings\User\Data aplikací\SolidWorks 2008
2008-02-27 15:48 . 2008-02-27 15:48 <DIR> d-------- C:\Documents and Settings\User\Data aplikací\SolidWorks
2008-02-27 15:45 . 2008-02-27 15:45 <DIR> d-------- C:\Documents and Settings\User\Data aplikací\DWGeditor
2008-02-27 15:45 . 2008-02-27 15:45 0 --a------ C:\WINDOWS\eDrawingOfficeAutomator.INI
2008-02-27 15:43 . 2008-02-27 15:58 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-02-27 15:39 . 2008-02-27 15:39 <DIR> d-------- C:\WINDOWS\system32\GroupPolicy
2008-02-27 15:39 . 2008-02-27 16:02 <DIR> d-------- C:\Program Files\Common Files\SolidWorks Shared
2008-02-27 15:39 . 2008-02-27 15:39 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\DATAAP~1\SolidWorks
2008-02-27 15:38 . 2008-02-27 15:38 <DIR> d-------- C:\Program Files\Windows Desktop Search
2008-02-27 15:13 . 2008-02-27 15:13 <DIR> d-------- C:\Program Files\MSBuild
2008-02-27 15:11 . 2008-02-27 15:11 <DIR> d-------- C:\WINDOWS\system32\XPSViewer
2008-02-27 15:10 . 2008-02-27 15:10 <DIR> d-------- C:\Program Files\Reference Assemblies
2008-02-27 15:10 . 2006-06-29 13:07 14,048 --------- C:\WINDOWS\system32\spmsg2.dll
2008-02-27 15:09 . 2008-02-27 15:09 <DIR> d-------- C:\Program Files\MSECache
2008-02-27 14:55 . 2008-02-27 14:55 <DIR> d-------- C:\Program Files\PowerISO
2008-02-21 21:40 . 2008-03-02 17:53 <DIR> d-------- C:\Program Files\Opera
2008-02-15 19:07 . 2008-02-15 19:12 2,359,350 --a------ C:\WINDOWS\ACD Wallpaper.bmp
2008-02-12 02:12 . 2008-02-12 02:12 <DIR> d-------- C:\Documents and Settings\User\Data aplikací\CoolFlvMan
2008-02-12 01:09 . 2008-02-12 01:09 <DIR> d-------- C:\Documents and Settings\User\Data aplikací\CoolYouTubeDownloader
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-11 21:21 --------- d-----w C:\Documents and Settings\User\Data aplikací\uTorrent
2008-03-11 21:10 --------- d-----w C:\Documents and Settings\User\Data aplikací\Skype
2008-03-09 18:40 --------- d-----w C:\Documents and Settings\User\Data aplikací\AVG7
2008-03-09 16:24 --------- d-----w C:\Program Files\ElcomSoft
2008-03-09 04:22 --------- d-----w C:\Program Files\QuickTime
2008-03-09 03:00 --------- d-----w C:\Documents and Settings\User\Data aplikací\temp
2008-03-05 23:31 --------- d-----w C:\DOCUME~1\ALLUSE~1\DATAAP~1\avg7
2008-03-01 16:07 669,184 ----a-w C:\WINDOWS\system32\pbsvc.exe
2008-03-01 16:07 66,872 ----a-w C:\WINDOWS\system32\PnkBstrA.exe
2008-03-01 16:07 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-03-01 16:07 22,328 ----a-w C:\Documents and Settings\User\Data aplikací\PnkBstrK.sys
2008-03-01 16:07 103,736 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
2008-02-27 15:03 --------- d-----w C:\Program Files\SpeedFan
2008-02-27 14:55 --------- d-----w C:\Program Files\Software2000
2008-02-17 22:53 --------- d-----w C:\Program Files\Cool CENZURA
2008-02-08 19:08 --------- d-----w C:\Documents and Settings\User\Data aplikací\gtk-2.0
2008-02-07 20:15 --------- d-----w C:\Program Files\EA SPORTS
2008-02-06 20:19 --------- d-----w C:\Program Files\Electronic Arts
2008-02-06 19:38 --------- d-----w C:\Program Files\totalcmd
2008-02-03 19:48 278,984 ----a-w C:\WINDOWS\system32\drivers\atksgt.sys
2008-02-03 19:48 --------- d-----w C:\Program Files\Zaklínač
2008-02-03 19:39 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-31 16:54 --------- d-----w C:\Program Files\THQ
2008-01-27 21:56 107,888 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2008-01-26 23:31 --------- d-----w C:\Program Files\uTorrent
2008-01-20 07:07 33,292 ----a-w C:\WINDOWS\system32\drivers\scdemu.sys
2008-01-16 16:20 52,736 ----a-w C:\WINDOWS\ipuninst.exe
2008-01-16 16:18 --------- d-----w C:\Program Files\BlackIsle
2008-01-02 10:13 197,120 ----a-w C:\WINDOWS\system32\FHMcom_OxleyStrip.scr
2007-09-23 21:32 4,687,304 ----a-w C:\Program Files\paradisepoker_com_cs.exe
2007-01-14 21:00 1 ----a-w C:\Documents and Settings\User\SI.bin
2005-08-08 00:41 35,328 ----a-w C:\Program Files\usb_format.exe
2002-05-27 08:25 295,424 ----a-w C:\Program Files\SubtitleToolCZ.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2006-03-02 13:00 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 17:24 1694208]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2006-12-18 17:32 25365032]
"pdfSaver3"="c:\Program Files\PDF\pdfSaver\pdfSaver3.exe" [2004-05-19 14:29 385024]
"QIP2005"="C:\Program Files\QIP\qip.exe" [2007-11-16 14:17 3264512]
"uTorrent"="C:\Program Files\uTorrent\utorrent.exe" [2008-01-26 18:02 219952]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SkyTel"="SkyTel.EXE" [2006-05-16 11:04 2879488 C:\WINDOWS\SkyTel.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-08-11 14:43 7630848]
"nwiz"="nwiz.exe" [2006-08-11 14:43 1519616 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-08-11 14:43 86016]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"RTHDCPL"="RTHDCPL.EXE" [2006-06-28 07:54 16248320 C:\WINDOWS\RTHDCPL.exe]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2007-12-21 15:21 579072]
"pdfSaver3"="" []
"602PC SUITE PDF Saver"="C:\Program Files\Common Files\602phs\pdfSaver.exe" [2005-08-31 16:00 49152]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2004-06-16 05:03 221184]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-06-16 05:03 81920]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2005-10-18 10:58 278528]
"tsnpstd3"="C:\WINDOWS\tsnpstd3.exe" [2006-07-07 15:04 262144]
"snpstd3"="C:\WINDOWS\vsnpstd3.exe" [2006-09-18 14:12 843776]
"PWRISOVM.EXE"="C:\Program Files\PowerISO\PWRISOVM.EXE" [2008-01-20 08:05 217088]
"SpywareTerminator"="C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe" [2008-03-09 12:19 2957824]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 14:00 79224]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2006-03-02 13:00 15360]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe" [2007-10-23 13:58 219136]
C:\DOCUME~1\ALLUSE~1\NABDKA~1\Programy\POSPUT~1\
Místní vyhledávání.lnk - C:\Program Files\Windows Desktop Search\WindowsSearch.exe [2007-02-05 15:40:46 118784]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [2007-02-05 15:39 294400]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WLCtrl32]
WLCtrl32.dll
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\uTorrent\\utorrent.exe"=
"C:\\Program Files\\QIP\\qip.exe"=
"C:\\Program Files\\Sunbelt Software\\Personal Firewall\\kpf4gui.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
R1 fwdrv;Firewall Driver;C:\WINDOWS\system32\drivers\fwdrv.sys [2007-02-20 13:34]
R1 khips;Kerio HIPS Driver;C:\WINDOWS\system32\drivers\khips.sys [2007-02-20 13:34]
R1 sp_rsdrv2;Spyware Terminator Driver 2;C:\WINDOWS\system32\drivers\sp_rsdrv2.sys [2008-03-09 12:19]
R3 PSched;Plánovač paketů technologie QoS;C:\WINDOWS\system32\DRIVERS\psched.sys [2006-03-02 13:00]
R3 usbccgp;Obecný nadřazený ovladač Microsoft USB;C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2004-08-03 23:08]
R3 usbohci;Ovladač Miniport otevřeného hostitelského řadiče Microsoft USB;C:\WINDOWS\system32\DRIVERS\usbohci.sys [2006-03-02 13:00]
S0 Hou85;Hou85;C:\WINDOWS\system32\Drivers\Hou85.sys []
S0 Pwd74;Pwd74;C:\WINDOWS\system32\Drivers\Pwd74.sys []
S3 hamachi_oem;PlayLinc Adapter;C:\WINDOWS\system32\DRIVERS\gan_adapter.sys [2006-08-28 23:54]
S3 SetupNTGLM7X;SetupNTGLM7X;D:\NTGLM7X.sys []
S3 USBSTOR;Ovladač velkokapacitního paměťového zařízení USB;C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-03 23:08]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{23146296-69c9-11dc-a3cc-001617ba045b}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
*Newly Created Service* - AAVMKER4
*Newly Created Service* - ASWMON2
*Newly Created Service* - ASWRDR
*Newly Created Service* - ASWTDI
*Newly Created Service* - ASWUPDSV
*Newly Created Service* - AVAST!_ANTIVIRUS
*Newly Created Service* - AVAST!_MAIL_SCANNER
*Newly Created Service* - AVAST!_WEB_SCANNER
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-11 22:31:09
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-03-11 22:32:53
ComboFix-quarantined-files.txt 2008-03-11 21:32:47
ComboFix2.txt 2008-03-09 00:10:40
ComboFix3.txt 2008-03-07 22:39:00
ComboFix4.txt 2008-03-04 22:26:15
ComboFix5.txt 2008-03-04 02:43:52
.
2008-02-28 20:30:44 --- E O F ---
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:49:41, on 11.3.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Common Files\602phs\pdfSaver.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\tsnpstd3.exe
C:\WINDOWS\vsnpstd3.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\PDF\pdfSaver\pdfSaver3.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Opera\Opera.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Documents and Settings\User\Plocha\system\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.seznam.cz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Crawler lišta - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [602PC SUITE PDF Saver] "C:\Program Files\Common Files\602phs\pdfSaver.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [tsnpstd3] C:\WINDOWS\tsnpstd3.exe
O4 - HKLM\..\Run: [snpstd3] C:\WINDOWS\vsnpstd3.exe
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [pdfSaver3] "c:\Program Files\PDF\pdfSaver\pdfSaver3.exe"
O4 - HKCU\..\Run: [QIP2005] C:\Program Files\QIP\qip.exe
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\utorrent.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Jádro Plánovače úloh SolidWorks.lnk = C:\Program Files\SolidWorks\swScheduler\swBOEngine.exe
O4 - Global Startup: Místní vyhledávání.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredi ... xdm080YYCZ
O8 - Extra context menu item: Crawler Search - tbr:iemenu
O8 - Extra context menu item: Poslat jako MMS - res://C:\Program Files\O2\SMSender\SMSender.E.dll/1001
O8 - Extra context menu item: Poslat jako SMS - res://C:\Program Files\O2\SMSender\SMSender.E.dll/1000
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocach ... 0.15-3.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Protocol: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O20 - Winlogon Notify: WLCtrl32 - WLCtrl32.dll (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
--
End of file - 9263 bytes
2008-02-27 15:09 . 2008-02-27 15:09 <DIR> d-------- C:\Program Files\MSECache
2008-02-27 14:55 . 2008-02-27 14:55 <DIR> d-------- C:\Program Files\PowerISO
2008-02-21 21:40 . 2008-03-02 17:53 <DIR> d-------- C:\Program Files\Opera
2008-02-15 19:07 . 2008-02-15 19:12 2,359,350 --a------ C:\WINDOWS\ACD Wallpaper.bmp
2008-02-12 02:12 . 2008-02-12 02:12 <DIR> d-------- C:\Documents and Settings\User\Data aplikací\CoolFlvMan
2008-02-12 01:09 . 2008-02-12 01:09 <DIR> d-------- C:\Documents and Settings\User\Data aplikací\CoolYouTubeDownloader
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-11 21:21 --------- d-----w C:\Documents and Settings\User\Data aplikací\uTorrent
2008-03-11 21:10 --------- d-----w C:\Documents and Settings\User\Data aplikací\Skype
2008-03-09 18:40 --------- d-----w C:\Documents and Settings\User\Data aplikací\AVG7
2008-03-09 16:24 --------- d-----w C:\Program Files\ElcomSoft
2008-03-09 04:22 --------- d-----w C:\Program Files\QuickTime
2008-03-09 03:00 --------- d-----w C:\Documents and Settings\User\Data aplikací\temp
2008-03-05 23:31 --------- d-----w C:\DOCUME~1\ALLUSE~1\DATAAP~1\avg7
2008-03-01 16:07 669,184 ----a-w C:\WINDOWS\system32\pbsvc.exe
2008-03-01 16:07 66,872 ----a-w C:\WINDOWS\system32\PnkBstrA.exe
2008-03-01 16:07 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-03-01 16:07 22,328 ----a-w C:\Documents and Settings\User\Data aplikací\PnkBstrK.sys
2008-03-01 16:07 103,736 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
2008-02-27 15:03 --------- d-----w C:\Program Files\SpeedFan
2008-02-27 14:55 --------- d-----w C:\Program Files\Software2000
2008-02-17 22:53 --------- d-----w C:\Program Files\Cool CENZURA
2008-02-08 19:08 --------- d-----w C:\Documents and Settings\User\Data aplikací\gtk-2.0
2008-02-07 20:15 --------- d-----w C:\Program Files\EA SPORTS
2008-02-06 20:19 --------- d-----w C:\Program Files\Electronic Arts
2008-02-06 19:38 --------- d-----w C:\Program Files\totalcmd
2008-02-03 19:48 278,984 ----a-w C:\WINDOWS\system32\drivers\atksgt.sys
2008-02-03 19:48 --------- d-----w C:\Program Files\Zaklínač
2008-02-03 19:39 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-31 16:54 --------- d-----w C:\Program Files\THQ
2008-01-27 21:56 107,888 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2008-01-26 23:31 --------- d-----w C:\Program Files\uTorrent
2008-01-20 07:07 33,292 ----a-w C:\WINDOWS\system32\drivers\scdemu.sys
2008-01-16 16:20 52,736 ----a-w C:\WINDOWS\ipuninst.exe
2008-01-16 16:18 --------- d-----w C:\Program Files\BlackIsle
2008-01-02 10:13 197,120 ----a-w C:\WINDOWS\system32\FHMcom_OxleyStrip.scr
2007-09-23 21:32 4,687,304 ----a-w C:\Program Files\paradisepoker_com_cs.exe
2007-01-14 21:00 1 ----a-w C:\Documents and Settings\User\SI.bin
2005-08-08 00:41 35,328 ----a-w C:\Program Files\usb_format.exe
2002-05-27 08:25 295,424 ----a-w C:\Program Files\SubtitleToolCZ.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2006-03-02 13:00 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 17:24 1694208]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2006-12-18 17:32 25365032]
"pdfSaver3"="c:\Program Files\PDF\pdfSaver\pdfSaver3.exe" [2004-05-19 14:29 385024]
"QIP2005"="C:\Program Files\QIP\qip.exe" [2007-11-16 14:17 3264512]
"uTorrent"="C:\Program Files\uTorrent\utorrent.exe" [2008-01-26 18:02 219952]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SkyTel"="SkyTel.EXE" [2006-05-16 11:04 2879488 C:\WINDOWS\SkyTel.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-08-11 14:43 7630848]
"nwiz"="nwiz.exe" [2006-08-11 14:43 1519616 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-08-11 14:43 86016]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"RTHDCPL"="RTHDCPL.EXE" [2006-06-28 07:54 16248320 C:\WINDOWS\RTHDCPL.exe]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2007-12-21 15:21 579072]
"pdfSaver3"="" []
"602PC SUITE PDF Saver"="C:\Program Files\Common Files\602phs\pdfSaver.exe" [2005-08-31 16:00 49152]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2004-06-16 05:03 221184]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-06-16 05:03 81920]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2005-10-18 10:58 278528]
"tsnpstd3"="C:\WINDOWS\tsnpstd3.exe" [2006-07-07 15:04 262144]
"snpstd3"="C:\WINDOWS\vsnpstd3.exe" [2006-09-18 14:12 843776]
"PWRISOVM.EXE"="C:\Program Files\PowerISO\PWRISOVM.EXE" [2008-01-20 08:05 217088]
"SpywareTerminator"="C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe" [2008-03-09 12:19 2957824]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 14:00 79224]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2006-03-02 13:00 15360]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe" [2007-10-23 13:58 219136]
C:\DOCUME~1\ALLUSE~1\NABDKA~1\Programy\POSPUT~1\
Místní vyhledávání.lnk - C:\Program Files\Windows Desktop Search\WindowsSearch.exe [2007-02-05 15:40:46 118784]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [2007-02-05 15:39 294400]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WLCtrl32]
WLCtrl32.dll
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\uTorrent\\utorrent.exe"=
"C:\\Program Files\\QIP\\qip.exe"=
"C:\\Program Files\\Sunbelt Software\\Personal Firewall\\kpf4gui.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
R1 fwdrv;Firewall Driver;C:\WINDOWS\system32\drivers\fwdrv.sys [2007-02-20 13:34]
R1 khips;Kerio HIPS Driver;C:\WINDOWS\system32\drivers\khips.sys [2007-02-20 13:34]
R1 sp_rsdrv2;Spyware Terminator Driver 2;C:\WINDOWS\system32\drivers\sp_rsdrv2.sys [2008-03-09 12:19]
R3 PSched;Plánovač paketů technologie QoS;C:\WINDOWS\system32\DRIVERS\psched.sys [2006-03-02 13:00]
R3 usbccgp;Obecný nadřazený ovladač Microsoft USB;C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2004-08-03 23:08]
R3 usbohci;Ovladač Miniport otevřeného hostitelského řadiče Microsoft USB;C:\WINDOWS\system32\DRIVERS\usbohci.sys [2006-03-02 13:00]
S0 Hou85;Hou85;C:\WINDOWS\system32\Drivers\Hou85.sys []
S0 Pwd74;Pwd74;C:\WINDOWS\system32\Drivers\Pwd74.sys []
S3 hamachi_oem;PlayLinc Adapter;C:\WINDOWS\system32\DRIVERS\gan_adapter.sys [2006-08-28 23:54]
S3 SetupNTGLM7X;SetupNTGLM7X;D:\NTGLM7X.sys []
S3 USBSTOR;Ovladač velkokapacitního paměťového zařízení USB;C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-03 23:08]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{23146296-69c9-11dc-a3cc-001617ba045b}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
*Newly Created Service* - AAVMKER4
*Newly Created Service* - ASWMON2
*Newly Created Service* - ASWRDR
*Newly Created Service* - ASWTDI
*Newly Created Service* - ASWUPDSV
*Newly Created Service* - AVAST!_ANTIVIRUS
*Newly Created Service* - AVAST!_MAIL_SCANNER
*Newly Created Service* - AVAST!_WEB_SCANNER
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-11 22:31:09
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-03-11 22:32:53
ComboFix-quarantined-files.txt 2008-03-11 21:32:47
ComboFix2.txt 2008-03-09 00:10:40
ComboFix3.txt 2008-03-07 22:39:00
ComboFix4.txt 2008-03-04 22:26:15
ComboFix5.txt 2008-03-04 02:43:52
.
2008-02-28 20:30:44 --- E O F ---
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:49:41, on 11.3.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Common Files\602phs\pdfSaver.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\tsnpstd3.exe
C:\WINDOWS\vsnpstd3.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\PDF\pdfSaver\pdfSaver3.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Opera\Opera.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Documents and Settings\User\Plocha\system\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.seznam.cz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Crawler lišta - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [602PC SUITE PDF Saver] "C:\Program Files\Common Files\602phs\pdfSaver.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [tsnpstd3] C:\WINDOWS\tsnpstd3.exe
O4 - HKLM\..\Run: [snpstd3] C:\WINDOWS\vsnpstd3.exe
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [pdfSaver3] "c:\Program Files\PDF\pdfSaver\pdfSaver3.exe"
O4 - HKCU\..\Run: [QIP2005] C:\Program Files\QIP\qip.exe
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\utorrent.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Jádro Plánovače úloh SolidWorks.lnk = C:\Program Files\SolidWorks\swScheduler\swBOEngine.exe
O4 - Global Startup: Místní vyhledávání.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredi ... xdm080YYCZ
O8 - Extra context menu item: Crawler Search - tbr:iemenu
O8 - Extra context menu item: Poslat jako MMS - res://C:\Program Files\O2\SMSender\SMSender.E.dll/1001
O8 - Extra context menu item: Poslat jako SMS - res://C:\Program Files\O2\SMSender\SMSender.E.dll/1000
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocach ... 0.15-3.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Protocol: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O20 - Winlogon Notify: WLCtrl32 - WLCtrl32.dll (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
--
End of file - 9263 bytes
First, disable one of the antivirus programs; two is too many.
Then this:
Move ComboFix to the desktop (if it isn't there already) - open Notepad - copy the text from the following box into it:
Code: Select all
Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WLCtrl32]
Driver::
Hou85
Pwd74
Save the text as CFScript.txt on the desktop - after saving, grab the .txt file you created with the left mouse button and drag it over the ComboFix icon - drop the .txt file on the ComboFix icon - ComboFix will start (you may have to confirm the license terms again by clicking Yes) - and CF will start scanning again; at the end of the scan CF will try to delete the specified files or do whatever else we told it to - once the action is done, a Notepad window will appear again with text, which you should copy here, and then please wait for further advice.
Then write whether it worked.