My whole desktop background changed, it displays a spyware warning, and next to the clock there is the text "Virus Alert". After a reset Windows would not load; I had to load the Last Known Good Configuration. Please help.
Log from HijackThis:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:11: VIRUS ALERT!, on 3.10.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
G:\WINDOWS\System32\smss.exe
G:\WINDOWS\system32\winlogon.exe
G:\WINDOWS\system32\services.exe
G:\WINDOWS\system32\lsass.exe
G:\WINDOWS\system32\svchost.exe
G:\WINDOWS\System32\svchost.exe
G:\WINDOWS\system32\spoolsv.exe
G:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
G:\PROGRA~1\GENIUS~1\mouseElf.exe
G:\PROGRA~1\Grisoft\AVG7\avgcc.exe
G:\WINDOWS\system32\RunDLL32.exe
G:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe
G:\Program Files\Spamihilator\spamihilator.exe
G:\Program Files\DU Meter\DUMeter.exe
G:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
G:\PROGRA~1\Grisoft\AVG7\avgemc.exe
G:\WINDOWS\vVX1000.exe
G:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
G:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
G:\Program Files\Microsoft LifeCam\MSCamS32.exe
G:\WINDOWS\system32\nvsvc32.exe
G:\WINDOWS\system32\svchost.exe
G:\WINDOWS\system32\rundll32.exe
G:\WINDOWS\explorer.exe
G:\Program Files\HijackThis\HijackThis.exe
G:\Program Files\Internet Explorer\IEXPLORE.EXE
G:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wm ... Ojg5&lid=2
O3 - Toolbar: I.R.I.S. Desktop Search - {577EBCA9-8ED3-45FC-A514-55B3817D4BCF} - G:\Program Files\IRIS Desktop Search\IRISDesktopSearchIntegration910.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - g:\program files\google\googletoolbar3.dll
O3 - Toolbar: FlashGet - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\Program Files\FlashGet\fgiebar.dll
O3 - Toolbar: peltodgx - {0FA15166-39DA-4DAB-9B1A-0DDDBACA8BD5} - G:\WINDOWS\peltodgx.dll
O4 - HKLM\..\Run: [mouseElf] G:\PROGRA~1\GENIUS~1\mouseElf.exe
O4 - HKLM\..\Run: [AVG7_CC] G:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE G:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [OrderReminder] C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe
O4 - HKLM\..\Run: [Spamihilator] "G:\Program Files\Spamihilator\spamihilator.exe"
O4 - HKLM\..\Run: [DU Meter] G:\Program Files\DU Meter\DUMeter.exe
O4 - HKLM\..\Run: [QuickTime Task] "G:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "G:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [VX1000] G:\WINDOWS\vVX1000.exe
O4 - HKLM\..\Run: [LifeCam] "G:\Program Files\Microsoft LifeCam\LifeExp.exe"
O4 - HKLM\..\Run: [242d12a4] rundll32.exe "G:\WINDOWS\system32\hplyecuf.dll",b
O4 - HKCU\..\Run: [swg] G:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] G:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] G:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] G:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] G:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] G:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - G:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - G:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - G:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Zdroje informací - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - H:\MIMI\FRONTP~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - H:\MIMI\ICQ Lite\ICQLite\ICQLite.exe (file missing)
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - H:\MIMI\ICQ Lite\ICQLite\ICQLite.exe (file missing)
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - G:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - G:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - H:\MIMI\ICQ Lite\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - H:\MIMI\ICQ Lite\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - G:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - G:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {B10CBD8D-F9B6-11CF-9B38-0080AD11B667} (Ikonic Button Control) - http://jenci.com/www.naema2.host.sk/tab ... cntrls.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://3dlifeplayer.dl.3dvia.com/player ... taller.exe
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - G:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O21 - SSODL: onfwbsak - {9441869C-D541-49AB-91D4-3AEEE74AFC6A} - G:\WINDOWS\onfwbsak.dll
O21 - SSODL: rwlfsdmk - {25C79CB1-BEFD-4E30-B908-EAA371F3B8AA} - G:\WINDOWS\rwlfsdmk.dll
O23 - Service: Adobe LM Service - Adobe Systems - G:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - G:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - G:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - G:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - G:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - G:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - G:\WINDOWS\system32\nvsvc32.exe
O24 - Desktop Component 0: Privacy Protection - file:///G:\WINDOWS\privacy_danger\index.htm
--
End of file - 7119 bytes
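Before following the advice below, it helps to see which entries in a log like this stand out on their own. The following script is an added example written for this page; it is not part of the original post and not part of HijackThis. It applies a few triage heuristics to sample lines constructed in the shape of the log above: an eight-letter random DLL name dropped directly into \WINDOWS\ (peltodgx.dll, onfwbsak.dll), a Run value with a hex-looking name that drives rundll32 (242d12a4), Internet Explorer and Registry Editor policy restrictions, a desktop component served from a local HTML file, and a start page outside a small allowlist. The allowlist, the eight-letter rule and the sample lines are assumptions made for the example; the start-page URL is cut down to host and path.

```python
"""Triage heuristics for HijackThis 2.x log lines (added example; not part of the forum post)."""
import re
from dataclasses import dataclass

# Constructed sample input: lines in the shape of the HijackThis log posted above
# (the start-page URL is shortened to its host and path for this example).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - g:\program files\google\googletoolbar3.dll
O3 - Toolbar: peltodgx - {0FA15166-39DA-4DAB-9B1A-0DDDBACA8BD5} - G:\WINDOWS\peltodgx.dll
O4 - HKLM\..\Run: [AVG7_CC] G:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE G:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [242d12a4] rundll32.exe "G:\WINDOWS\system32\hplyecuf.dll",b
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O21 - SSODL: onfwbsak - {9441869C-D541-49AB-91D4-3AEEE74AFC6A} - G:\WINDOWS\onfwbsak.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - G:\WINDOWS\system32\nvsvc32.exe
O24 - Desktop Component 0: Privacy Protection - file:///G:\WINDOWS\privacy_danger\index.htm
"""

ENTRY = re.compile(r"^(R0|O\d+) - (.*)$")
DLL_PATH = re.compile(r'([a-z]:\\[^",]+?\.dll)', re.I)         # DLL paths mentioned in the entry body
RANDOM_NAME = re.compile(r"^[a-z]{8}$")                         # 8 lowercase letters, no digits (heuristic)
HEX_VALUE_NAME = re.compile(r"^[0-9a-f]{8}$")                   # Run value named like "242d12a4"
WINDOWS_ROOT = re.compile(r"^[a-z]:\\windows\\[^\\]+$", re.I)   # file directly in \WINDOWS\, not in system32
# Assumed allowlist of start pages the owner could plausibly have set (an assumption for this example).
HOMEPAGE_ALLOW = ("about:blank", "http://www.google.", "http://www.msn.", "http://go.microsoft.com/")


@dataclass
class Finding:
    section: str   # HijackThis section tag, e.g. "O4"
    reason: str
    entry: str     # the original log line


def stem(path):
    """Lower-cased file name without directory or extension."""
    return path.rsplit("\\", 1)[-1].rsplit(".", 1)[0].lower()


def triage(log_text):
    """Return a Finding for every sample line that trips one of the heuristics, in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY.match(line)
        if not m:
            continue
        section, body = m.groups()
        dlls = DLL_PATH.findall(body)
        if section == "R0" and "Start Page" in body:
            url = body.split("=", 1)[1].strip()
            if not url.lower().startswith(HOMEPAGE_ALLOW):
                findings.append(Finding(section, "start page set to " + url, line))
        elif section in ("O3", "O21"):
            # toolbars and ShellServiceObjectDelayLoad entries: random 8-letter DLL dropped into \WINDOWS\
            for dll in dlls:
                if WINDOWS_ROOT.match(dll) and RANDOM_NAME.match(stem(dll)):
                    findings.append(Finding(section, "random-named DLL in Windows root: " + dll, line))
        elif section == "O4":
            vm = re.match(r"^.*?\[([^\]]+)\]\s*(.*)$", body)
            if not vm:
                continue
            name, cmd = vm.groups()
            if HEX_VALUE_NAME.match(name):
                findings.append(Finding(section, "Run value with hex-looking name " + name, line))
            elif cmd.lower().startswith("rundll32") and any(RANDOM_NAME.match(stem(d)) for d in dlls):
                findings.append(Finding(section, "rundll32 loading a random-named DLL", line))
        elif section == "O6" and "Restrictions present" in body:
            findings.append(Finding(section, "Internet Explorer restriction policy set", line))
        elif section == "O7" and "DisableRegedit=1" in body:
            findings.append(Finding(section, "Registry Editor disabled by policy", line))
        elif section == "O24" and "file:///" in body.lower():
            findings.append(Finding(section, "desktop component loaded from a local file", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4}{f.reason}")
```

The heuristics are deliberately narrow: a legitimate vendor DLL in \WINDOWS\ with a pronounceable name, or a Run value with a descriptive name, is not flagged, and the NvCplDaemon rundll32 entry in the sample passes. Anything the script does flag still needs a file hash and signer check before deletion.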
jaro3 (Security team member)
Re: Virus Alert! - help
Welcome to the PC-HELP forum!
Download SDFix
http://downloads.andymanchesta.com/Remo ... /SDFix.exe
- Run it and it will extract itself to the drive where Windows is installed (typically C:\SDFix)
- Then restart the PC into Safe Mode (choose the option Safe Mode, not Safe Mode with Networking)
- Open the folder where SDFix was extracted and run the file RunThis.bat; this starts the program.
* Then press the Y key and then Enter to start the cleaning process.
* To complete the scan you will be prompted to press any key, and the computer will restart.
* While the operating system boots, the program runs again and finishes the cleaning process. When "Finish" appears, you will be prompted to press any key; this closes the program and the desktop icons appear.
- When the desktop icons have finished loading, the SDFix log opens on screen and is also saved in the folder where SDFix was extracted as the file Report.txt
Then paste its contents here + check whether any icons are missing under Start and whether the drives show up under My Computer....
You can delete its folder C:\SDFix.
When working with HJT, ComboFix, MbAM, SDFix and similar programs, close all other applications and browsers!
Do not send logs by private message. While I am away, memphisto, Žbeky and Orcus stand in for me.
If you are satisfied, you can support our forum: Forum support
Re: Virus Alert! - help
Thanks! I used both SDFix and ComboFix (SDFix first, then ComboFix). Here are both logs:
SDFix:
SDFix: Version 1.230
Run by Administrator on pi 03. 10. 2008 at 17:06
Microsoft Windows XP [Version 5.1.2600]
Running From: G:\SDFix
Checking Services :
Restoring Default Security Values
Restoring Default Hosts File
Restoring Default HomePage Value
Restoring Default Desktop Components Value
Restoring Windows Product ID To Remove Fake Virus Alert
Rebooting
Checking Files :
Trojan Files Found:
G:\WINDOWS\system32\awtrOEuV.dll - Deleted
G:\WINDOWS\EVQB.EXE - Deleted
G:\WINDOWS\privacy_danger\index.htm - Deleted
G:\WINDOWS\privacy_danger\images\body.gif - Deleted
G:\WINDOWS\privacy_danger\images\capt.gif - Deleted
G:\WINDOWS\privacy_danger\images\capt2.gif - Deleted
G:\WINDOWS\privacy_danger\images\red.gif - Deleted
G:\WINDOWS\privacy_danger\images\text.gif - Deleted
G:\WINDOWS\dfmlxbpkvlo.dll - Deleted
G:\WINDOWS\fbxrqtwn.exe - Deleted
G:\WINDOWS\onfwbsak.dll - Deleted
G:\WINDOWS\peltodgx.dll - Deleted
G:\WINDOWS\rwlfsdmk.dll - Deleted
G:\WINDOWS\system32\winsoft.nls - Deleted
G:\WINDOWS\system32\drivers\tdssserv.sys - Deleted
G:\WINDOWS\system32\tdssadw.dll - Deleted
G:\WINDOWS\system32\TDSSerrors.log - Deleted
G:\WINDOWS\system32\tdssinit.dll - Deleted
G:\WINDOWS\system32\tdssl.dll - Deleted
G:\WINDOWS\system32\tdsslog.dll - Deleted
G:\WINDOWS\system32\tdssmain.dll - Deleted
G:\WINDOWS\system32\tdssserf.dll - Deleted
G:\WINDOWS\system32\tdssserf1.dll - Deleted
G:\WINDOWS\system32\tdssservers.dat - Deleted
Folder G:\WINDOWS\privacy_danger - Removed
Removing Temp Files
ADS Check :
Final Check :
catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-03 17:12:46
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden services & system hive ...
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"h0"=dword:00000000
"ujdew"=hex:d9,bf,80,9f,af,df,de,ce,66,e7,f0,83,39,4b,de,c6,28,6a,ab,da,ea,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"h0"=dword:00000001
"khjeh"=hex:f3,dd,77,1f,f8,21,8a,5e,23,1d,87,b0,4e,03,ca,6a,a1,4f,74,5b,03,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s1"=dword:81be52dc
"s2"=dword:4123244b
"h0"=dword:00000002
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"h0"=dword:00000000
"ujdew"=hex:d9,bf,80,9f,af,df,de,ce,66,e7,f0,83,39,4b,de,c6,28,6a,ab,da,ea,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"h0"=dword:00000001
"khjeh"=hex:f3,dd,77,1f,f8,21,8a,5e,23,1d,87,b0,4e,03,ca,6a,a1,4f,74,5b,03,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"h0"=dword:00000000
"ujdew"=hex:d9,bf,80,9f,af,df,de,ce,66,e7,f0,83,39,4b,de,c6,28,6a,ab,da,ea,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"h0"=dword:00000001
"khjeh"=hex:f3,dd,77,1f,f8,21,8a,5e,23,1d,87,b0,4e,03,ca,6a,a1,4f,74,5b,03,..
scanning hidden registry entries ...
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0
Remaining Services :
Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"G:\\WINDOWS\\system32\\mmc.exe"="G:\\WINDOWS\\system32\\mmc.exe:*:Disabled:Microsoft Management Console"
"G:\\Program Files\\Grisoft\\AVG7\\avginet.exe"="G:\\Program Files\\Grisoft\\AVG7\\avginet.exe:*:Enabled:avginet.exe"
"G:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"="G:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe:*:Enabled:avgamsvr.exe"
"G:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"="G:\\Program Files\\Grisoft\\AVG7\\avgcc.exe:*:Enabled:avgcc.exe"
"G:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"="G:\\Program Files\\Grisoft\\AVG7\\avgemc.exe:*:Enabled:avgemc.exe"
"C:\\Program Files\\FlashGet\\flashget.exe"="C:\\Program Files\\FlashGet\\flashget.exe:*:Enabled:Flashget"
"G:\\WINDOWS\\system32\\java.exe"="G:\\WINDOWS\\system32\\java.exe:*:Disabled:Java(TM) 2 Platform Standard Edition binary"
"H:\\MIMI\\Jalbum\\JAlbumWin.exe"="H:\\MIMI\\Jalbum\\JAlbumWin.exe:*:Disabled:JAlbumWin"
"G:\\Program Files\\Spamihilator\\dccproc.exe"="G:\\Program Files\\Spamihilator\\dccproc.exe:*:Disabled:dccproc"
"H:\\MIMI\\Half-Life 2\\Half-Life 2\\hl2.exe"="H:\\MIMI\\Half-Life 2\\Half-Life 2\\hl2.exe:*:Disabled:hl2"
"H:\\MIMI\\Half-Life\\hl.exe"="H:\\MIMI\\Half-Life\\hl.exe:*:Disabled:Half-Life Launcher"
"H:\\MIMI\\Operace Flashpoint Platinum edícia\\OperationFlashpoint\\FlashpointResistance.exe"="H:\\MIMI\\Operace Flashpoint Platinum edícia\\OperationFlashpoint\\FlashpointResistance.exe:*:Disabled:Operation Flashpoint"
"H:\\MIMI\\Novy priecinok (3)\\RocketRacer\\RocketRacer.exe"="H:\\MIMI\\Novy priecinok (3)\\RocketRacer\\RocketRacer.exe:*:Disabled:RocketRacer"
"H:\\MIMI\\MS Flight Simulator 2004-Century od flight\\fs9.exe"="H:\\MIMI\\MS Flight Simulator 2004-Century od flight\\fs9.exe:*:Disabled:Microsoft Flight Simulator"
"G:\\WINDOWS\\system32\\dpnsvr.exe"="G:\\WINDOWS\\system32\\dpnsvr.exe:*:Disabled:Microsoft DirectPlay8 Server"
"H:\\MIMI\\Defcon\\Defcon\\defcon.exe"="H:\\MIMI\\Defcon\\Defcon\\defcon.exe:*:Disabled:Defcon"
"H:\\MIMI\\ICQ Lite\\ICQLite\\ICQLite.exe"="H:\\MIMI\\ICQ Lite\\ICQLite\\ICQLite.exe:*:Disabled:ICQ Lite"
"H:\\MIMI\\SWAT 4\\ContentExpansion\\System\\Swat4X.exe"="H:\\MIMI\\SWAT 4\\ContentExpansion\\System\\Swat4X.exe:*:Disabled:SWAT 4 - The Stetchkov Syndicate"
"H:\\MIMI\\SWAT 4\\ContentExpansion\\System\\Swat4XDedicatedServer.exe"="H:\\MIMI\\SWAT 4\\ContentExpansion\\System\\Swat4XDedicatedServer.exe:*:Disabled:SWAT 4 - The Stetchkov Syndicate Dedicated Server"
"H:\\MIMI\\half\\totalcmd\\TOTALCMD.EXE"="H:\\MIMI\\half\\totalcmd\\TOTALCMD.EXE:*:Disabled:Total Commander 32 bit international version, file manager replacement for Windows"
"C:\\Program Files\\Cenega Czech\\VIETCONG\\vietcong.exe"="C:\\Program Files\\Cenega Czech\\VIETCONG\\vietcong.exe:*:Disabled:vietcong"
"G:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="G:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Disabled:Windows Live Messenger"
"G:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="G:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Disabled:Windows Live Messenger (Phone)"
"G:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"="G:\\Program Files\\Internet Explorer\\IEXPLORE.EXE:*:Enabled:Internet Explorer"
"H:\\MIMI\\ICQ Lite\\ICQ6\\ICQ.exe"="H:\\MIMI\\ICQ Lite\\ICQ6\\ICQ.exe:*:Enabled:ICQ6"
"G:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"="G:\\Program Files\\Microsoft LifeCam\\LifeExp.exe:*:Enabled:LifeExp.exe"
"G:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"="G:\\Program Files\\Microsoft LifeCam\\LifeCam.exe:*:Enabled:LifeCam.exe"
"G:\\Program Files\\SopCast\\SopCast.exe"="G:\\Program Files\\SopCast\\SopCast.exe:*:Enabled:SopCast"
"G:\\Program Files\\Skype\\Phone\\Skype.exe"="G:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype. Take a deep breath "
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"G:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="G:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"G:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="G:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
Remaining Files :
File Backups: - G:\SDFix\backups\backups.zip
Files with Hidden Attributes :
Fri 3 Nov 2006 210 A.SH. --- "G:\BOOT.BAK"
Mon 28 Jan 2008 1,404,240 A.SHR --- "G:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 28 Jan 2008 5,146,448 A.SHR --- "G:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Mon 28 Jan 2008 2,097,488 A.SHR --- "G:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Sun 10 Jun 2007 876,334 A.SH. --- "G:\WINDOWS\system32\ilkkj.bak1"
Mon 11 Jun 2007 890,922 A.SH. --- "G:\WINDOWS\system32\ilkkj.bak2"
Sat 17 Feb 2007 4,348 ..SH. --- "G:\Documents and Settings\All Users\DRM\DRMv1.bak"
Sat 17 Feb 2007 401 ..SH. --- "G:\Documents and Settings\All Users\DRM\DRMv12.bak"
Sat 17 Feb 2007 4,348 ...H. --- "G:\Documents and Settings\M\My Documents\My Music\Záloha licencie\drmv1key.bak"
Sat 17 Feb 2007 20 A..H. --- "G:\Documents and Settings\M\My Documents\My Music\Záloha licencie\drmv1lic.bak"
Sat 17 Feb 2007 312 ...H. --- "G:\Documents and Settings\M\My Documents\My Music\Záloha licencie\drmv2key.bak"
Sat 17 Feb 2007 1,536 A..H. --- "G:\Documents and Settings\M\My Documents\My Music\Záloha licencie\drmv2lic.bak"
Finished!
ComboFix:
ComboFix 08-10-02.04 - M 2008-10-03 17:21:25.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.178 [GMT 2:00]
Running from: G:\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
G:\WINDOWS\Downloaded Program Files\setup.inf
G:\WINDOWS\system32\EMVDLRqr.ini
G:\WINDOWS\system32\EMVDLRqr.ini2
G:\WINDOWS\system32\khfdBRiH.dll
G:\WINDOWS\system32\mcrh.tmp
G:\WINDOWS\system32\rqRLDVME.dll
.
((((((((((((((((((((((((( Files Created from 2008-09-03 to 2008-10-03 )))))))))))))))))))))))))))))))
.
2008-10-03 17:02 . 2008-10-03 17:03 <DIR> d-------- G:\WINDOWS\ERUNT
2008-10-03 17:01 . 2008-10-03 17:01 <DIR> d-------- G:\Documents and Settings\Administrator.MILAN
2008-10-03 16:55 . 2008-10-03 17:14 <DIR> d-------- G:\SDFix
2008-10-03 15:36 . 2008-10-03 15:37 2,885,948 -ra------ G:\ComboFix.exe
2008-10-03 14:57 . 2008-10-03 14:58 1,429,069 --a------ G:\SDFix.exe
2008-10-03 14:43 . 2008-10-03 17:30 994,007 ---hs---- G:\WINDOWS\system32\fuceylph.ini
2008-10-03 14:43 . 2008-10-03 14:43 80,000 --a------ G:\WINDOWS\system32\hplyecuf.dll
2008-10-03 14:39 . 2008-10-03 14:39 994,004 --ahs---- G:\WINDOWS\system32\giqkrqss.ini
2008-09-21 06:48 . 2008-10-02 20:54 54,156 --ah----- G:\WINDOWS\QTFont.qfn
2008-09-21 06:48 . 2008-09-21 06:48 1,409 --a------ G:\WINDOWS\QTFont.for
2008-09-20 20:47 . 2008-09-28 22:17 <DIR> d-------- G:\Dni NATO 2008
2008-09-14 23:07 . 2008-09-14 23:07 <DIR> d-------- G:\Program Files\www.freewordexcelpassword.com
2008-09-07 22:44 . 2008-09-07 22:44 268 --ah----- G:\sqmdata10.sqm
2008-09-07 22:44 . 2008-09-07 22:44 244 --ah----- G:\sqmnoopt10.sqm
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-03 12:45 --------- d-----w G:\Documents and Settings\M\Application Data\AVG7
2008-10-02 20:44 --------- d-----w G:\Program Files\Spamihilator
2008-10-01 19:42 --------- d-----w G:\Documents and Settings\M\Application Data\Skype
2008-10-01 16:21 --------- d-----w G:\Documents and Settings\M\Application Data\skypePM
2008-09-15 17:15 --------- d-----w G:\Documents and Settings\M\Application Data\U3
2008-08-17 07:19 --------- d-----w G:\Program Files\Canon
2008-08-16 22:05 --------- d-----w G:\Program Files\Common Files\Canon
2008-08-09 19:41 --------- d-----w G:\Program Files\Common Files\soft602
2008-08-09 15:50 --------- d-----w G:\Program Files\Google
2008-08-08 22:25 --------- d-----w G:\Program Files\Common Files\Skype
2008-08-08 13:34 --------- d-----w G:\Program Files\Microsoft LifeCam
2008-08-07 06:16 --------- d-----w G:\Program Files\FastStone Image Viewer
2008-08-04 19:31 --------- d-----w G:\Documents and Settings\M\Application Data\FastStone
2008-03-01 18:38 32 ----a-w G:\Documents and Settings\All Users\Application Data\ezsid.dat
2007-06-10 08:21 876,334 --sha-w G:\WINDOWS\system32\ilkkj.bak1
2007-06-11 09:09 890,922 --sha-w G:\WINDOWS\system32\ilkkj.bak2
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="G:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-26 68856]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"mouseElf"="G:\PROGRA~1\GENIUS~1\mouseElf.exe" [2002-05-23 151552]
"AVG7_CC"="G:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-04-16 579584]
"NvCplDaemon"="G:\WINDOWS\system32\NvCpl.dll" [2006-10-22 7700480]
"OrderReminder"="C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe" [2005-12-21 98304]
"Spamihilator"="G:\Program Files\Spamihilator\spamihilator.exe" [2007-08-17 716800]
"DU Meter"="G:\Program Files\DU Meter\DUMeter.exe" [2007-08-30 1583644]
"QuickTime Task"="G:\Program Files\QuickTime\qttask.exe" [2007-02-10 98304]
"Adobe Reader Speed Launcher"="G:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"VX1000"="G:\WINDOWS\vVX1000.exe" [2007-04-10 709992]
"LifeCam"="G:\Program Files\Microsoft LifeCam\LifeExp.exe" [2007-05-17 279912]
"242d12a4"="G:\WINDOWS\system32\hplyecuf.dll" [2008-10-03 80000]
"nwiz"="nwiz.exe" [2006-10-22 G:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="NvMCTray.dll" [2006-10-22 G:\WINDOWS\system32\nvmctray.dll]
"Cmaudio"="cmicnfg.cpl" [2003-10-14 C:\WINDOWS\SYSTEM\CMICNFG.CPL]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="G:\WINDOWS\system32\CTFMON.EXE" [2006-02-28 15360]
"AVG7_Run"="G:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-10-25 219136]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"NBJ"="G:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
"CTFMON.EXE"=G:\WINDOWS\system32\ctfmon.exe
"swg"=G:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
"SpybotSD TeaTimer"=G:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
"Windows Live Messenger"="G:\Program Files\Windows Live\Messenger\msnmsgr.exe"
"msnmsgr"="G:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="G:\Program Files\QuickTime\qttask.exe" -atboottime
"SunJavaUpdateSched"="G:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
"NvCplDaemon"=RUNDLL32.EXE G:\WINDOWS\system32\NvCpl.dll,NvStartup
"NeroFilterCheck"=G:\WINDOWS\system32\NeroCheck.exe
"Adobe Reader Speed Launcher"="G:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
"KernelFaultCheck"=%systemroot%\system32\dumprep 0 -k
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"QuickTime Task"="G:\Program Files\QuickTime\qttask.exe" -atboottime
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"G:\\WINDOWS\\system32\\mmc.exe"=
"G:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"G:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"G:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"G:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"C:\\Program Files\\FlashGet\\flashget.exe"=
"G:\\WINDOWS\\system32\\java.exe"=
"H:\\MIMI\\Jalbum\\JAlbumWin.exe"=
"G:\\Program Files\\Spamihilator\\dccproc.exe"=
"H:\\MIMI\\Half-Life\\hl.exe"=
"H:\\MIMI\\Nový priecinok (3)\\RocketRacer\\RocketRacer.exe"=
"H:\\MIMI\\MS Flight Simulator 2004-Century od flight\\fs9.exe"=
"G:\\WINDOWS\\system32\\dpnsvr.exe"=
"H:\\MIMI\\Defcon\\Defcon\\defcon.exe"=
"H:\\MIMI\\SWAT 4\\ContentExpansion\\System\\Swat4X.exe"=
"H:\\MIMI\\SWAT 4\\ContentExpansion\\System\\Swat4XDedicatedServer.exe"=
"H:\\MIMI\\half\\totalcmd\\TOTALCMD.EXE"=
"C:\\Program Files\\Cenega Czech\\VIETCONG\\vietcong.exe"=
"G:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"G:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"H:\\MIMI\\ICQ Lite\\ICQ6\\ICQ.exe"=
"G:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
"G:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"G:\\Program Files\\Skype\\Phone\\Skype.exe"=
R2 MSCamSvc;MSCamSvc;G:\Program Files\Microsoft LifeCam\MSCamS32.exe [2007-05-17 271720]
R2 UxTuneUp;TuneUp Design Expansion;G:\WINDOWS\System32\svchost.exe [2006-02-28 14336]
R3 genmcmn;Genus Mouse+ Driver;G:\WINDOWS\system32\DRIVERS\gmfiltr.sys [2002-05-17 6656]
R3 PSched;QoS Packet Scheduler;G:\WINDOWS\system32\DRIVERS\psched.sys [2006-02-28 69120]
R3 VX1000;VX-1000;G:\WINDOWS\system32\DRIVERS\VX1000.sys [2007-04-10 1966312]
S3 LwAdiHid;Logitech WingMan Digital Devices(Auto-Detect);G:\WINDOWS\system32\DRIVERS\LwAdiHid.sys [2004-08-03 20864]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{057dc92e-6904-11dc-b8ba-00e04c03afce}]
\Shell\AutoRun\command - J:\AutoRunTribunal.exe
\Shell\install\command - J:\Setup.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{188ac6d1-6915-11dc-b8bb-00e04c03afce}]
\Shell\AutoRun\command - J:\AutoRunTribunal.exe
\Shell\install\command - J:\Setup.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{300a355f-e22b-11dc-bd03-00e04c03afce}]
\Shell\AutoRun\command - J:\autorun.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{343519cc-e09c-11dc-bcf1-00e04c03afce}]
\Shell\AutoRun\command - J:\autorun.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{470b6ac5-c2a6-11dc-bbcd-00e04c03afce}]
\Shell\AutoRun\command - J:\alliance.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{470b6ac7-c2a6-11dc-bbcd-00e04c03afce}]
\Shell\AutoRun\command - J:\alliance.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{56e5faae-eb01-11db-b4d5-00e04c03afce}]
\Shell\AutoRun\command - J:\LaunchU3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{56e5faaf-eb01-11db-b4d5-00e04c03afce}]
\Shell\AutoRun\command - h6o0re.cmd
\Shell\explore\Command - h6o0re.cmd
\Shell\open\Command - h6o0re.cmd
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{67580592-cff5-11dc-bc55-00e04c03afce}]
\Shell\AutoRun\command - J:\autorun.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{74e75f6e-c433-11dc-bbdd-00e04c03afce}]
\Shell\AutoRun\command - J:\alliance.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{74e75f70-c433-11dc-bbdd-00e04c03afce}]
\Shell\AutoRun\command - J:\autorun.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a7ed8c2a-c2b8-11dc-bbce-00e04c03afce}]
\Shell\AutoRun\command - J:\alliance.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ae311bb2-c38d-11dc-bbd7-00e04c03afce}]
\Shell\AutoRun\command - J:\alliance.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b582bf9a-c501-11dc-bbe3-00e04c03afce}]
\Shell\AutoRun\command - J:\autorun.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c055ee5a-bc3d-11dc-bb90-00e04c03afce}]
\Shell\AutoRun\command - J:\stub.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c3ba1bcc-699a-11dc-b8bf-00e04c03afce}]
\Shell\AutoRun\command - J:\AutoRunBloodmoon.exe
\Shell\install\command - J:\Setup.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d223040a-e141-11dc-bcf6-00e04c03afce}]
\Shell\AutoRun\command - J:\AUTORUN.EXE
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d3bcc4a9-591b-11dc-b83f-00e04c03afce}]
\Shell\AutoRun\command - J:\autorun.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d70b1756-c44e-11dc-bbdf-00e04c03afce}]
\Shell\AutoRun\command - J:\autorun.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{dfe1ce1e-c9b3-11dc-bc14-00e04c03afce}]
\Shell\AutoRun\command - J:\autorun.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e5506afa-65fd-11dc-b8a8-00e04c03afce}]
\Shell\AutoRun\command - J:\autorun.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fbbfff04-c2db-11dc-bbd2-00e04c03afce}]
\Shell\AutoRun\command - J:\alliance.exe
.
- - - - ORPHANS REMOVED - - - -
BHO-{F30635B9-9704-41FD-B473-05B3D98EBB36} - G:\WINDOWS\system32\rqRLDVME.dll
Notify-nnnoono - nnnoono.dll
Notify-vtusssr - vtusssr.dll
.
------- Supplementary Scan -------
.
FireFox -: Profile - G:\Documents and Settings\M\Application Data\Mozilla\Firefox\Profiles\ac1cy3i5.default\
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-03 17:29:13
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
G:\WINDOWS\system32\wuaueng.dll.wusetup.243406.bak 1712984 bytes executable
scan completed successfully
hidden files: 1
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: G:\WINDOWS\explorer.exe
-> G:\WINDOWS\system32\hplyecuf.dll
.
------------------------ Other Running Processes ------------------------
.
G:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
G:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
G:\PROGRA~1\Grisoft\AVG7\avgemc.exe
G:\WINDOWS\system32\rundll32.exe
G:\WINDOWS\system32\rundll32.exe
G:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
G:\WINDOWS\system32\spool\drivers\w32x86\3\HP1005MC.EXE
G:\WINDOWS\system32\rundll32.exe
G:\WINDOWS\system32\nvsvc32.exe
.
**************************************************************************
.
Completion time: 2008-10-03 17:33:33 - machine was rebooted
ComboFix-quarantined-files.txt 2008-10-03 15:33:24
Pre-Run: 84,521,803,776 bytes free
Post-Run: 84,470,222,848 bytes free
219 --- E O F --- 2008-08-09 19:16:23
It seems everything is running as it should, the drives show up, Task Manager works (it didn't before), but I have a problem: I loaded the "last known good configuration" and it loaded Windows in English. So now I wanted to load some earlier restore point so that it goes back to Slovak, but there is no earlier one in the list... Do you know what to do about it?
SDFix:
SDFix: Version 1.230
Run by Administrator on pi 03. 10. 2008 at 17:06
Microsoft Windows XP [Version 5.1.2600]
Running From: G:\SDFix
Checking Services :
Restoring Default Security Values
Restoring Default Hosts File
Restoring Default HomePage Value
Restoring Default Desktop Components Value
Restoring Windows Product ID To Remove Fake Virus Alert
Rebooting
Checking Files :
Trojan Files Found:
G:\WINDOWS\system32\awtrOEuV.dll - Deleted
G:\WINDOWS\EVQB.EXE - Deleted
G:\WINDOWS\privacy_danger\index.htm - Deleted
G:\WINDOWS\privacy_danger\images\body.gif - Deleted
G:\WINDOWS\privacy_danger\images\capt.gif - Deleted
G:\WINDOWS\privacy_danger\images\capt2.gif - Deleted
G:\WINDOWS\privacy_danger\images\red.gif - Deleted
G:\WINDOWS\privacy_danger\images\text.gif - Deleted
G:\WINDOWS\dfmlxbpkvlo.dll - Deleted
G:\WINDOWS\fbxrqtwn.exe - Deleted
G:\WINDOWS\onfwbsak.dll - Deleted
G:\WINDOWS\peltodgx.dll - Deleted
G:\WINDOWS\rwlfsdmk.dll - Deleted
G:\WINDOWS\system32\winsoft.nls - Deleted
G:\WINDOWS\system32\drivers\tdssserv.sys - Deleted
G:\WINDOWS\system32\tdssadw.dll - Deleted
G:\WINDOWS\system32\TDSSerrors.log - Deleted
G:\WINDOWS\system32\tdssinit.dll - Deleted
G:\WINDOWS\system32\tdssl.dll - Deleted
G:\WINDOWS\system32\tdsslog.dll - Deleted
G:\WINDOWS\system32\tdssmain.dll - Deleted
G:\WINDOWS\system32\tdssserf.dll - Deleted
G:\WINDOWS\system32\tdssserf1.dll - Deleted
G:\WINDOWS\system32\tdssservers.dat - Deleted
Folder G:\WINDOWS\privacy_danger - Removed
Removing Temp Files
ADS Check :
Final Check :
catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-03 17:12:46
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden services & system hive ...
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"h0"=dword:00000000
"ujdew"=hex:d9,bf,80,9f,af,df,de,ce,66,e7,f0,83,39,4b,de,c6,28,6a,ab,da,ea,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"h0"=dword:00000001
"khjeh"=hex:f3,dd,77,1f,f8,21,8a,5e,23,1d,87,b0,4e,03,ca,6a,a1,4f,74,5b,03,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s1"=dword:81be52dc
"s2"=dword:4123244b
"h0"=dword:00000002
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"h0"=dword:00000000
"ujdew"=hex:d9,bf,80,9f,af,df,de,ce,66,e7,f0,83,39,4b,de,c6,28,6a,ab,da,ea,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"h0"=dword:00000001
"khjeh"=hex:f3,dd,77,1f,f8,21,8a,5e,23,1d,87,b0,4e,03,ca,6a,a1,4f,74,5b,03,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"h0"=dword:00000000
"ujdew"=hex:d9,bf,80,9f,af,df,de,ce,66,e7,f0,83,39,4b,de,c6,28,6a,ab,da,ea,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"h0"=dword:00000001
"khjeh"=hex:f3,dd,77,1f,f8,21,8a,5e,23,1d,87,b0,4e,03,ca,6a,a1,4f,74,5b,03,..
scanning hidden registry entries ...
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0
Remaining Services :
Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"G:\\WINDOWS\\system32\\mmc.exe"="G:\\WINDOWS\\system32\\mmc.exe:*:Disabled:Microsoft Management Console"
"G:\\Program Files\\Grisoft\\AVG7\\avginet.exe"="G:\\Program Files\\Grisoft\\AVG7\\avginet.exe:*:Enabled:avginet.exe"
"G:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"="G:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe:*:Enabled:avgamsvr.exe"
"G:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"="G:\\Program Files\\Grisoft\\AVG7\\avgcc.exe:*:Enabled:avgcc.exe"
"G:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"="G:\\Program Files\\Grisoft\\AVG7\\avgemc.exe:*:Enabled:avgemc.exe"
"C:\\Program Files\\FlashGet\\flashget.exe"="C:\\Program Files\\FlashGet\\flashget.exe:*:Enabled:Flashget"
"G:\\WINDOWS\\system32\\java.exe"="G:\\WINDOWS\\system32\\java.exe:*:Disabled:Java(TM) 2 Platform Standard Edition binary"
"H:\\MIMI\\Jalbum\\JAlbumWin.exe"="H:\\MIMI\\Jalbum\\JAlbumWin.exe:*:Disabled:JAlbumWin"
"G:\\Program Files\\Spamihilator\\dccproc.exe"="G:\\Program Files\\Spamihilator\\dccproc.exe:*:Disabled:dccproc"
"H:\\MIMI\\Half-Life 2\\Half-Life 2\\hl2.exe"="H:\\MIMI\\Half-Life 2\\Half-Life 2\\hl2.exe:*:Disabled:hl2"
"H:\\MIMI\\Half-Life\\hl.exe"="H:\\MIMI\\Half-Life\\hl.exe:*:Disabled:Half-Life Launcher"
"H:\\MIMI\\Operace Flashpoint Platinum edícia\\OperationFlashpoint\\FlashpointResistance.exe"="H:\\MIMI\\Operace Flashpoint Platinum edícia\\OperationFlashpoint\\FlashpointResistance.exe:*:Disabled:Operation Flashpoint"
"H:\\MIMI\\Novy priecinok (3)\\RocketRacer\\RocketRacer.exe"="H:\\MIMI\\Novy priecinok (3)\\RocketRacer\\RocketRacer.exe:*:Disabled:RocketRacer"
"H:\\MIMI\\MS Flight Simulator 2004-Century od flight\\fs9.exe"="H:\\MIMI\\MS Flight Simulator 2004-Century od flight\\fs9.exe:*:Disabled:Microsoft Flight Simulator"
"G:\\WINDOWS\\system32\\dpnsvr.exe"="G:\\WINDOWS\\system32\\dpnsvr.exe:*:Disabled:Microsoft DirectPlay8 Server"
"H:\\MIMI\\Defcon\\Defcon\\defcon.exe"="H:\\MIMI\\Defcon\\Defcon\\defcon.exe:*:Disabled:Defcon"
"H:\\MIMI\\ICQ Lite\\ICQLite\\ICQLite.exe"="H:\\MIMI\\ICQ Lite\\ICQLite\\ICQLite.exe:*:Disabled:ICQ Lite"
"H:\\MIMI\\SWAT 4\\ContentExpansion\\System\\Swat4X.exe"="H:\\MIMI\\SWAT 4\\ContentExpansion\\System\\Swat4X.exe:*:Disabled:SWAT 4 - The Stetchkov Syndicate"
"H:\\MIMI\\SWAT 4\\ContentExpansion\\System\\Swat4XDedicatedServer.exe"="H:\\MIMI\\SWAT 4\\ContentExpansion\\System\\Swat4XDedicatedServer.exe:*:Disabled:SWAT 4 - The Stetchkov Syndicate Dedicated Server"
"H:\\MIMI\\half\\totalcmd\\TOTALCMD.EXE"="H:\\MIMI\\half\\totalcmd\\TOTALCMD.EXE:*:Disabled:Total Commander 32 bit international version, file manager replacement for Windows"
"C:\\Program Files\\Cenega Czech\\VIETCONG\\vietcong.exe"="C:\\Program Files\\Cenega Czech\\VIETCONG\\vietcong.exe:*:Disabled:vietcong"
"G:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="G:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Disabled:Windows Live Messenger"
"G:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="G:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Disabled:Windows Live Messenger (Phone)"
"G:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"="G:\\Program Files\\Internet Explorer\\IEXPLORE.EXE:*:Enabled:Internet Explorer"
"H:\\MIMI\\ICQ Lite\\ICQ6\\ICQ.exe"="H:\\MIMI\\ICQ Lite\\ICQ6\\ICQ.exe:*:Enabled:ICQ6"
"G:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"="G:\\Program Files\\Microsoft LifeCam\\LifeExp.exe:*:Enabled:LifeExp.exe"
"G:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"="G:\\Program Files\\Microsoft LifeCam\\LifeCam.exe:*:Enabled:LifeCam.exe"
"G:\\Program Files\\SopCast\\SopCast.exe"="G:\\Program Files\\SopCast\\SopCast.exe:*:Enabled:SopCast"
"G:\\Program Files\\Skype\\Phone\\Skype.exe"="G:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype. Take a deep breath "
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"G:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="G:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"G:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="G:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
Remaining Files :
File Backups: - G:\SDFix\backups\backups.zip
Files with Hidden Attributes :
Fri 3 Nov 2006 210 A.SH. --- "G:\BOOT.BAK"
Mon 28 Jan 2008 1,404,240 A.SHR --- "G:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 28 Jan 2008 5,146,448 A.SHR --- "G:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Mon 28 Jan 2008 2,097,488 A.SHR --- "G:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Sun 10 Jun 2007 876,334 A.SH. --- "G:\WINDOWS\system32\ilkkj.bak1"
Mon 11 Jun 2007 890,922 A.SH. --- "G:\WINDOWS\system32\ilkkj.bak2"
Sat 17 Feb 2007 4,348 ..SH. --- "G:\Documents and Settings\All Users\DRM\DRMv1.bak"
Sat 17 Feb 2007 401 ..SH. --- "G:\Documents and Settings\All Users\DRM\DRMv12.bak"
Sat 17 Feb 2007 4,348 ...H. --- "G:\Documents and Settings\M\My Documents\My Music\Z loha licencie\drmv1key.bak"
Sat 17 Feb 2007 20 A..H. --- "G:\Documents and Settings\M\My Documents\My Music\Z loha licencie\drmv1lic.bak"
Sat 17 Feb 2007 312 ...H. --- "G:\Documents and Settings\M\My Documents\My Music\Z loha licencie\drmv2key.bak"
Sat 17 Feb 2007 1,536 A..H. --- "G:\Documents and Settings\M\My Documents\My Music\Z loha licencie\drmv2lic.bak"
Finished!
- jaro3
- Security team member
- Guru Level 15
- Posts: 43294
- Registered: June 07
- Location: South Bohemia
Re: Virus Alert! - help
You shouldn't have loaded the last known good configuration. That makes the job a mess, and the parasites can come back...
Delete!!
G:\SDFix
Open Notepad (Start -> Run..., type Notepad into the box and click OK).
Copy the following entire text marked in green into it:
Note: Do not use the SELECT ALL function to select the script
File::
G:\WINDOWS\system32\fuceylph.ini
G:\WINDOWS\system32\hplyecuf.dll
G:\WINDOWS\system32\giqkrqss.ini
G:\sqmdata10.sqm
G:\sqmnoopt10.sqm
G:\WINDOWS\system32\ilkkj.bak1
G:\WINDOWS\system32\ilkkj.bak2
Choose File -> Save As... and set these parameters:
File name: type here: CFScript.txt
Save as type: select All Files there
Save the file to the desktop.
Close all active windows.
Grab the created CFScript.txt script with the mouse, drag it over the downloaded ComboFix.exe program and, when the two files overlap, drop the script
- ComboFix will start automatically
- Post here the log that appears at the end of the cleaning process + a new HJT log
When working with HJT, ComboFix, MbAM, SDFix and similar programs, close all other applications and browsers!
Do not send logs by private message. While I am away, memphisto, Žbeky and Orcus stand in for me.
If you are satisfied, you can support our forum: Forum support