PC disinfection, computer speed-up, remote help via the neslape.cz service

Security tool

Do you have a virus problem? Post your FRST or RSIT log here.


Forum rules
If you want help, post a log from FRST [guide here] or RSIT [guide here]

Individual threads will be locked once resolved, and likewise those that are inactive for more than 14 days. See the rule on locking topics. Thank you for your understanding.

NEW!
You can now use the remote-help service, where a specialist connects to your computer and gets further details about the problem from you by phone. More at www.neslape.cz
2eraser2

Security tool

#1 Post by 2eraser2 »

In the guides I read that every problem needs its own topic, so I would like to ask for help removing this virus, or whatever it is. From the earlier topics I gathered that a log from RSIT would be needed (I only managed to make one in Safe Mode), so I am attaching it.

Logfile of random's system information tool 1.08 (written by random/random)

Run by kulla at 2010-09-23 09:49:27

Systém Microsoft Windows XP Home Edition Service Pack 3

System drive C: has 41 GB (54%) free of 76 GB

Total RAM: 511 MB (69% free)



Logfile of Trend Micro HijackThis v2.0.4

Scan saved at 9:49:34, on 23.9.2010

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.17023)

Boot mode: Safe mode with network support



Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\Documents and Settings\kulla\Desktop\RSIT.exe

C:\Program Files\trend micro\kulla.exe



R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: SkypeIEPluginBHO - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll

O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [CnxDslTaskBar] "C:\Program Files\Microcom\ADSL DeskPorte USB\CnxDslTb.exe" "Microcom\ADSL DeskPorte USB"

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [tsnpstd3] C:\WINDOWS\tsnpstd3.exe

O4 - HKLM\..\Run: [snpstd3] C:\WINDOWS\vsnpstd3.exe

O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions

O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

O4 - HKLM\..\Run: [StatusClient] C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto

O4 - HKLM\..\Run: [TomcatStartup] C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe

O4 - HKLM\..\Run: [HPLJ Config] C:\Program Files\Hewlett-Packard\hp LaserJet 1010 Series\SetConfig.exe -c Direct -p DOT4_002 -pn "hp LaserJet 1010 Series Driver" -n 0 -l 1051 -sl 120000

O4 - HKLM\..\Run: [XoftSpySE] "C:\Program Files\XoftSpySE6\XoftSpySE.exe" -NM -hidesplash

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [{10040D24-12DB-7A2A-791D-BB9CEEDAFC71}] "C:\Documents and Settings\kulla\Application Data\Ypydu\irqe.exe"

O4 - HKCU\..\Run: [Ihiyehu] rundll32.exe "C:\WINDOWS\chlest.dll",Startup

O4 - HKCU\..\RunOnce: [91292082] "C:\DOCUME~1\kulla\LOCALS~1\APPLIC~1\91292082.exe" 21 42

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')

O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe

O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe

O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200

O8 - Extra context menu item: E&xportovať do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll

O9 - Extra 'Tools' menuitem: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 2825497218

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 2826246078

O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program Files\AutoCAD 2002\AcDcToday.ocx

O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://C:\Program Files\AutoCAD 2002\InstBanr.ocx

O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://C:\Program Files\AutoCAD 2002\InstFred.ocx

O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD 2002\AcPreview.ocx

O18 - Protocol: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll

O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll

O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: XoftSpyService - ParetoLogic Inc. - C:\Program Files\Common Files\XoftSpySE\6\xoftspyservice.exe



--

End of file - 7204 bytes



======Scheduled tasks folder======



C:\WINDOWS\tasks\Schedule Task Weekly.job

C:\WINDOWS\tasks\dqexgurz.job



======Registry dump======



[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]

Adobe PDF Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2010-06-19 75200]



[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}]

Skype add-on for Internet Explorer - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll [2010-02-08 804136]



[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]

Java(tm) Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2010-04-12 41760]



[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]

JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2010-04-12 79648]



[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]

"NeroFilterCheck"=C:\WINDOWS\system32\NeroCheck.exe [2001-07-09 155648]

"CnxDslTaskBar"=C:\Program Files\Microcom\ADSL DeskPorte USB\CnxDslTb.exe [2004-06-16 233472]

"NvCplDaemon"=C:\WINDOWS\system32\NvCpl.dll [2006-10-22 7700480]

"nwiz"=nwiz.exe /install []

"NvMediaCenter"=C:\WINDOWS\system32\NvMcTray.dll [2006-10-22 86016]

"SoundMan"=C:\WINDOWS\SOUNDMAN.EXE [2007-04-16 577536]

"nod32kui"=C:\Program Files\Eset\nod32kui.exe [2009-03-13 949376]

"QuickTime Task"=C:\Program Files\QuickTime\qttask.exe [2005-10-02 77824]

"tsnpstd3"=C:\WINDOWS\tsnpstd3.exe [2005-12-20 94208]

"snpstd3"=C:\WINDOWS\vsnpstd3.exe [2006-09-19 827392]

"Sony Ericsson PC Suite"=C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe [2007-06-13 528384]

"SunJavaUpdateSched"=C:\Program Files\Common Files\Java\Java Update\jusched.exe [2010-02-18 248040]

"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [2010-06-20 35760]

"Adobe ARM"=C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2010-06-09 976832]

""= []

"StatusClient"=C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe [2002-12-16 36864]

"TomcatStartup"=C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe [2003-03-31 155648]

"HPLJ Config"=C:\Program Files\Hewlett-Packard\hp LaserJet 1010 Series\SetConfig.exe [2003-03-31 28672]

"XoftSpySE"=C:\Program Files\XoftSpySE6\XoftSpySE.exe [2009-10-23 4854040]



[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-14 15360]

"{10040D24-12DB-7A2A-791D-BB9CEEDAFC71}"=C:\Documents and Settings\kulla\Application Data\Ypydu\irqe.exe [2006-09-15 169984]

"Ihiyehu"=C:\WINDOWS\chlest.dll [2008-04-14 76800]



[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"91292082"=C:\DOCUME~1\kulla\LOCALS~1\APPLIC~1\91292082.exe [2010-09-23 930304]



[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]

C:\WINDOWS\System32\ctfmon.exe [2008-04-14 15360]



[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

C:\Program Files\Messenger\msmsgs.exe [2008-04-14 1695232]



[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]

C:\WINDOWS\System32\NvCpl.dll [2006-10-22 7700480]



[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]

nwiz.exe /install []



[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]

C:\WINDOWS\SOUNDMAN.EXE [2007-04-16 577536]



C:\Documents and Settings\All Users\Start Menu\Programs\Startup

HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

HP Photosmart Premier Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe

Windows Search.lnk - C:\Program Files\Windows Desktop Search\WindowsSearch.exe



[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]

C:\WINDOWS\system32\WgaLogon.dll [2006-06-19 702768]



[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]

"{56F9679E-7826-4C84-81F3-532071A8BCC5}"=C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [2009-05-24 304128]



[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\procexp90.Sys]



[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\procexp90.Sys]



[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\UploadMgr]



[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]

"NoSecCPL"=0

"NoDevMgrPage"=0

"NoConfigPage"=0

"NoVirtMemPage"=0

"NoFileSysPage"=0

"NoNetSetup"=0

"NoNetSetupIDPage"=0

"NoNetSetupSecurityPage"=0

"NoWorkgroupContents"=0

"NoEntireNetwork"=0

"NoFileSharingControl"=0



[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]

"dontdisplaylastusername"=0

"legalnoticecaption"=

"legalnoticetext"=

"shutdownwithoutlogon"=1

"undockwithoutlogon"=1



[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]

"NoDriveTypeAutoRun"=323

"RestrictRun"=0

"NoDriveAutoRun"=67108863

"NoDrives"=0



[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]

"HonorAutoRunSetting"=1

"NoDriveAutoRun"=67108863

"NoDriveTypeAutoRun"=323

"NoDrives"=0



[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

"C:\WINDOWS\System32\dpvsetup.exe"="C:\WINDOWS\System32\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test"

"C:\WINDOWS\System32\rundll32.exe"="C:\WINDOWS\System32\rundll32.exe:*:Enabled:Run a DLL as an App"

"C:\Program Files\Valve\hl.exe"="C:\Program Files\Valve\hl.exe:*:Enabled:Half-Life Launcher"

"C:\Program Files\Valve\hlds.exe"="C:\Program Files\Valve\hlds.exe:*:Enabled:HLDS Launcher"

"C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe"="C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe:*:Disabled:javaw"

"C:\Program Files\HP\Digital Imaging\BIN\HPQTRA08.EXE"="C:\Program Files\HP\Digital Imaging\BIN\HPQTRA08.EXE:*:Enabled:hpqtra08.exe"

"C:\Program Files\HP\Digital Imaging\BIN\HPQSTE08.EXE"="C:\Program Files\HP\Digital Imaging\BIN\HPQSTE08.EXE:*:Enabled:hpqste08.exe"

"C:\Program Files\HP\Digital Imaging\BIN\hpofxm08.exe"="C:\Program Files\HP\Digital Imaging\BIN\hpofxm08.exe:*:Enabled:hpofxm08.exe"

"C:\Program Files\HP\Digital Imaging\BIN\hposfx08.exe"="C:\Program Files\HP\Digital Imaging\BIN\hposfx08.exe:*:Enabled:hposfx08.exe"

"C:\Program Files\HP\Digital Imaging\BIN\hposid01.exe"="C:\Program Files\HP\Digital Imaging\BIN\hposid01.exe:*:Enabled:hposid01.exe"

"C:\Program Files\HP\Digital Imaging\BIN\hpqscnvw.exe"="C:\Program Files\HP\Digital Imaging\BIN\hpqscnvw.exe:*:Enabled:hpqscnvw.exe"

"C:\Program Files\HP\Digital Imaging\BIN\hpqkygrp.exe"="C:\Program Files\HP\Digital Imaging\BIN\hpqkygrp.exe:*:Enabled:hpqkygrp.exe"

"C:\Program Files\HP\Digital Imaging\BIN\hpqCopy.exe"="C:\Program Files\HP\Digital Imaging\BIN\hpqCopy.exe:*:Enabled:hpqcopy.exe"

"C:\Program Files\HP\Digital Imaging\BIN\hpfccopy.exe"="C:\Program Files\HP\Digital Imaging\BIN\hpfccopy.exe:*:Enabled:hpfccopy.exe"

"C:\Program Files\HP\Digital Imaging\BIN\hpzwiz01.exe"="C:\Program Files\HP\Digital Imaging\BIN\hpzwiz01.exe:*:Enabled:hpzwiz01.exe"

"C:\Program Files\HP\Digital Imaging\Unload\HpqPhUnl.exe"="C:\Program Files\HP\Digital Imaging\Unload\HpqPhUnl.exe:*:Enabled:hpqphunl.exe"

"C:\Program Files\HP\Digital Imaging\Unload\HpqDIA.exe"="C:\Program Files\HP\Digital Imaging\Unload\HpqDIA.exe:*:Enabled:hpqdia.exe"

"C:\Program Files\HP\Digital Imaging\BIN\hpoews01.exe"="C:\Program Files\HP\Digital Imaging\BIN\hpoews01.exe:*:Enabled:hpoews01.exe"

"C:\Program Files\HP\Digital Imaging\BIN\hpqnrs08.exe"="C:\Program Files\HP\Digital Imaging\BIN\hpqnrs08.exe:*:Enabled:hpqnrs08.exe"

"C:\Program Files\Skype\Plugin Manager\skypePM.exe"="C:\Program Files\Skype\Plugin Manager\skypePM.exe:*:Enabled:Skype Extras Manager"

"C:\Program Files\Skype\Phone\Skype.exe"="C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype"



[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"



======File associations======



.scr - open -

.scr - install -

.scr - config -



======List of files/folders created in the last 1 months======



2010-09-23 09:49:28 ----D---- C:\Program Files\trend micro

2010-09-23 09:49:27 ----D---- C:\rsit

2010-09-23 09:19:04 ----A---- C:\WINDOWS\ntbtlog.txt

2010-09-23 09:15:58 ----D---- C:\Documents and Settings\All Users\Application Data\ParetoLogic

2010-09-23 09:15:57 ----D---- C:\Program Files\Common Files\ParetoLogic

2010-09-23 09:15:54 ----D---- C:\Program Files\Common Files\XoftSpySE

2010-09-23 09:15:54 ----D---- C:\Documents and Settings\All Users\Application Data\XoftSpySE

2010-09-23 09:15:49 ----D---- C:\Program Files\XoftSpySE6

2010-09-23 08:29:46 ----D---- C:\Documents and Settings\kulla\Application Data\Ypydu

2010-09-23 08:29:46 ----D---- C:\Documents and Settings\kulla\Application Data\Owaco

2010-09-14 08:00:34 ----D---- C:\Program Files\HDplot

2010-08-30 09:25:47 ----A---- C:\Documents and Settings\All Users\Application Data\tmp1356.tmp



======List of files/folders modified in the last 1 months======



2010-09-23 09:28:28 ----A---- C:\WINDOWS\SchedLgU.Txt

2010-09-23 08:50:02 ----A---- C:\WINDOWS\WIN.INI



======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======



R0 agp440;Intel AGP Bus Filter; C:\WINDOWS\System32\DRIVERS\agp440.sys [2008-04-13 42368]

R0 PxHelp20;PxHelp20; C:\WINDOWS\System32\Drivers\PxHelp20.sys [2008-11-20 43872]

R0 sfdrv01;StarForce Protection Environment Driver (version 1.x); C:\WINDOWS\System32\drivers\sfdrv01.sys [2005-08-10 50688]

R0 sfhlp02;StarForce Protection Helper Driver (version 2.x); C:\WINDOWS\System32\drivers\sfhlp02.sys [2005-05-16 6656]

R0 sfvfs02;StarForce Protection VFS Driver (version 2.x); C:\WINDOWS\System32\drivers\sfvfs02.sys [2005-11-03 63488]

R1 WS2IFSL;Prostredie podpory poskytovateľa služby Windows Socket 2.0 Non-IFS Service; C:\WINDOWS\System32\drivers\ws2ifsl.sys [2003-03-31 12032]

R3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-13 32128]

R3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\System32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]

R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbuhci.sys [2008-04-13 20608]

R3 yukonwxp;NDIS5.1 Miniport Driver for Marvell Yukon Gigabit Ethernet Adapter; C:\WINDOWS\System32\DRIVERS\yukonwxp.sys [2003-12-23 174464]

S1 intelppm;Intel Processor Driver; C:\WINDOWS\System32\DRIVERS\intelppm.sys [2008-04-13 36352]

S1 nod32drv;nod32drv; C:\WINDOWS\system32\drivers\nod32drv.sys [2009-03-13 15424]

S2 AMON;AMON; C:\WINDOWS\system32\drivers\amon.sys [2009-03-13 512096]

S2 Angelnt;Angelnt; C:\WINDOWS\System32\Drivers\ANGELNT.SYS [2010-03-14 51072]

S3 ALCXWDM;Service for Realtek AC97 Audio (WDM); C:\WINDOWS\system32\drivers\ALCXWDM.SYS [2008-09-24 4122368]

S3 catchme;catchme; \??\C:\DOCUME~1\kulla\LOCALS~1\Temp\catchme.sys []

S3 CCDECODE;Closed Caption Decoder; C:\WINDOWS\system32\DRIVERS\CCDECODE.sys [2008-04-13 17024]

S3 CnxEtP;Conexant AccessRunner USB ADSL Adapter Filter Driver; C:\WINDOWS\System32\DRIVERS\CnxEtP.sys [2004-06-16 131072]

S3 CnxEtU;Conexant AccessRunner USB ADSL Interface Device Driver; C:\WINDOWS\System32\DRIVERS\CnxEtU.sys [2004-06-16 614272]

S3 CnxTgNP;Conexant AccessRunner ADSL WAN PPPoE Adapter Driver; C:\WINDOWS\System32\DRIVERS\CnxTgNP.sys [2004-06-16 60416]

S3 Dot4;MS IEEE-1284.4 Driver; C:\WINDOWS\system32\DRIVERS\Dot4.sys [2008-04-13 206976]

S3 Dot4Print;Print Class Driver for IEEE-1284.4; C:\WINDOWS\system32\DRIVERS\Dot4Prt.sys [2001-08-17 12928]

S3 dot4usb;MS Dot4USB Filter Dot4USB Filter; C:\WINDOWS\system32\DRIVERS\dot4usb.sys [2001-08-17 23808]

S3 Edspport;EDSP Port Driver; C:\WINDOWS\System32\DRIVERS\es56hpi.sys [2000-02-25 546863]

S3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]

S3 HPZid412;IEEE-1284.4 Driver HPZid412; C:\WINDOWS\system32\DRIVERS\HPZid412.sys [2006-04-12 49664]

S3 HPZipr12;Print Class Driver for IEEE-1284.4 HPZipr12; C:\WINDOWS\system32\DRIVERS\HPZipr12.sys [2006-04-12 16496]

S3 HPZius12;USB to IEEE-1284.4 Translation Driver HPZius12; C:\WINDOWS\system32\DRIVERS\HPZius12.sys [2006-04-12 21568]

S3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160]

S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\WINDOWS\system32\drivers\MSTEE.sys [2008-04-13 5504]

S3 NABTSFEC;NABTS/FEC VBI Codec; C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys [2008-04-13 85248]

S3 NdisIP;Microsoft TV/Video Connection; C:\WINDOWS\system32\DRIVERS\NdisIP.sys [2008-04-13 10880]

S3 nv;nv; C:\WINDOWS\System32\DRIVERS\nv4_mini.sys [2006-10-22 3994624]

S3 s125bus;Sony Ericsson Device 125 driver (WDM); C:\WINDOWS\system32\DRIVERS\s125bus.sys [2007-04-24 83336]

S3 s125mdfl;Sony Ericsson Device 125 USB WMC Modem Filter; C:\WINDOWS\system32\DRIVERS\s125mdfl.sys [2007-04-24 15112]

S3 s125mdm;Sony Ericsson Device 125 USB WMC Modem Driver; C:\WINDOWS\system32\DRIVERS\s125mdm.sys [2007-04-24 108680]

S3 s125mgmt;Sony Ericsson Device 125 USB WMC Device Management Drivers (WDM); C:\WINDOWS\system32\DRIVERS\s125mgmt.sys [2007-04-24 100488]

S3 s125obex;Sony Ericsson Device 125 USB WMC OBEX Interface; C:\WINDOWS\system32\DRIVERS\s125obex.sys [2007-04-24 98696]

S3 SLIP;BDA Slip De-Framer; C:\WINDOWS\system32\DRIVERS\SLIP.sys [2008-04-13 11136]

S3 SNPSTD3;USB PC Camera (SNPSTD3); C:\WINDOWS\system32\DRIVERS\snpstd3.sys [2007-03-27 10252544]

S3 SONYPVU1;Sony USB Filter Driver (SONYPVU1); C:\WINDOWS\system32\DRIVERS\SONYPVU1.SYS [2001-08-17 7552]

S3 streamip;BDA IPSink; C:\WINDOWS\system32\DRIVERS\StreamIP.sys [2008-04-13 15232]

S3 usbaudio;USB Audio Driver (WDM); C:\WINDOWS\system32\drivers\usbaudio.sys [2008-04-13 60032]

S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-13 25856]

S3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-13 15104]

S3 WDC_SAM;WD SCSI Pass Thru driver; C:\WINDOWS\system32\DRIVERS\wdcsam.sys [2009-02-13 11520]

S3 WSTCODEC;World Standard Teletext Codec; C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS [2008-04-13 19200]



======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======



S2 C-DillaSrv;C-DillaSrv; C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE [2003-04-24 32256]

S2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2010-04-12 153376]

S2 NOD32krn;NOD32 Kernel Service; C:\Program Files\Eset\nod32krn.exe [2009-03-13 552064]

S2 NVSvc;NVIDIA Display Driver Service; C:\WINDOWS\system32\nvsvc32.exe [2006-10-22 159810]

S2 Pml Driver HPZ12;Pml Driver HPZ12; C:\WINDOWS\system32\HPZipm12.exe [2006-03-03 69632]

S2 WSearch;Windows Search; C:\WINDOWS\system32\SearchIndexer.exe [2008-05-26 439808]

S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2008-07-25 34312]

S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2008-07-25 69632]

S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe [2008-07-29 46104]

S3 gusvc;Google Updater Service; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-11-20 136120]

S3 idsvc;Windows CardSpace; c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2008-07-29 881664]

S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]

S3 XoftSpyService;XoftSpyService; C:\Program Files\Common Files\XoftSpySE\6\xoftspyservice.exe [2009-10-23 582424]

S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2008-07-29 132096]



-----------------EOF-----------------
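The log above lists every autorun in one flat O4 section, and the three entries that later turn out to be malware (the GUID-named Run value pointing into Application Data, the rundll32 loader for chlest.dll in the Windows root, and the all-digit RunOnce entry in Local Settings) stand out on purely structural grounds before any scanner puts a name on them. The following is an added example, not code from the thread and not part of RSIT or HijackThis: a small Python triage script that applies those structural heuristics to O4 lines. The sample lines are copied verbatim from the posted log; the heuristics, the `Finding` class and the reason texts are this example's own choices.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# O4 (autorun) lines copied verbatim from the HijackThis section of the RSIT
# log posted above: four entries that are fine and the three that are not.
HJT_O4_LINES = r"""
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [XoftSpySE] "C:\Program Files\XoftSpySE6\XoftSpySE.exe" -NM -hidesplash
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [{10040D24-12DB-7A2A-791D-BB9CEEDAFC71}] "C:\Documents and Settings\kulla\Application Data\Ypydu\irqe.exe"
O4 - HKCU\..\Run: [Ihiyehu] rundll32.exe "C:\WINDOWS\chlest.dll",Startup
O4 - HKCU\..\RunOnce: [91292082] "C:\DOCUME~1\kulla\LOCALS~1\APPLIC~1\91292082.exe" 21 42
"""

# "O4 - <hive>\..\<Run|RunOnce>: [<value name>] <command line>"
O4_RE = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
GUID_RE = re.compile(r'^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$')
# Per-user writable locations, in both the long and the 8.3 short form that
# HijackThis prints them in.
USER_WRITABLE = ('\\application data\\', '\\applic~1\\',
                 '\\local settings\\', '\\locals~1\\', '\\temp\\')
# A DLL sitting directly in the Windows root rather than under system32.
WINROOT_DLL_RE = re.compile(r'^c:\\windows\\[^\\]+\.dll$')


@dataclass
class Finding:
    hive: str
    key: str
    name: str
    image: str
    reasons: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def image_path(cmd: str) -> str:
    """Return the file actually loaded by an O4 command line.

    For rundll32 the file that matters is the DLL argument, not rundll32 itself.
    """
    m = re.match(r'\s*"([^"]+)"|\s*(\S+)', cmd)
    if not m:
        return ''
    first = m.group(1) or m.group(2)
    if first.lower().startswith('rundll32'):
        m2 = re.match(r'\s*"([^"]+)"|\s*([^,\s]+)', cmd[m.end():])
        return (m2.group(1) or m2.group(2)) if m2 else ''
    return first


def triage_o4(line: str) -> Optional[Finding]:
    """Parse one O4 line and attach a reason for every heuristic it trips."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    f = Finding(m['hive'], m['key'], m['name'], image_path(m['cmd']))
    low = f.image.lower()
    stem = low.rsplit('\\', 1)[-1].rsplit('.', 1)[0]
    if GUID_RE.match(f.name):
        f.reasons.append('value name is a bare GUID')
    if any(t in low for t in USER_WRITABLE):
        f.reasons.append('image lives in a per-user writable profile directory')
    if stem.isdigit():
        f.reasons.append('image file name is all digits')
    if m['cmd'].lower().lstrip('"').startswith('rundll32') and WINROOT_DLL_RE.match(low):
        f.reasons.append('rundll32 loads a DLL from the Windows root instead of system32')
    if f.key.lower() == 'runonce' and f.reasons:
        # RunOnce values are deleted as they run, so this one was written since the last logon.
        f.reasons.append('RunOnce entry, so it was (re)written since the last logon')
    return f


def triage_log(text: str) -> List[Finding]:
    findings = [triage_o4(line) for line in text.splitlines()]
    return [f for f in findings if f is not None]


def suspicious_entries(text: str) -> dict:
    """Map value name -> reasons for every autorun that trips at least one heuristic."""
    return {f.name: f.reasons for f in triage_log(text) if f.suspicious}


if __name__ == '__main__':
    for name, reasons in suspicious_entries(HJT_O4_LINES).items():
        print(name)
        for reason in reasons:
            print('   -', reason)
```

Run as-is, it prints exactly the three entries that Malwarebytes later identifies, each with the reason it tripped. The heuristics are deliberately signature-free, so a hit is a reason to look rather than a verdict, and a clean pass is not a clean bill: XoftSpySE, installed the same morning according to the "files created" section, passes every check.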

Rudy (Site Admin)

Re: Security tool

#2 Post by Rudy »

Post a ComboFix log.
Download ComboFix and save it, preferably to the desktop: http://download.bleepingcomputer.com/sUBs/ComboFix.exe

then run the application under an account with administrator rights

right after it starts, a screen with the licence terms appears; continue by clicking Yes.

calmly go and make yourself a coffee (the whole run takes about 5-10 minutes, sometimes longer, depending on how fast the machine is and how many files the scanner has to wade through); during the scan do not try to start any other applications or do anything else

do not panic during the scan, your machine may be restarted (especially on the first run of the scanner)

warning: if you use an antispyware with a resident shield, switch its resident shield to Install Mode or deactivate it completely for the duration of the scan, because during the scan and removal of any malware there are unwanted collisions with the resident antispyware
Post questions and logs only in your own threads. Private messages, ICQ and e-mail are not for solving your problems.

Please support our forum: https://platba.viry.cz/payment/.

e-mail: rudy(at)forum.viry.cz

Warning:
Before disinfecting your PC, back up your important data (mail, contacts, documents, photos, videos, music and so on). Besides its "visible" activity, a virus can damage the system!


Once your problem is resolved the thread will be locked, and likewise if it is inactive for more than 14 days. If you want the thread reopened, write to the e-mail given above.

2eraser2

Re: Security tool

#3 Post by 2eraser2 »

ComboFix cannot be run; Security Tool reports it as a virus and blocks it.

Rudy (Site Admin)

Re: Security tool

#4 Post by Rudy »

OK. Download and run this: http://download.bleepingcomputer.com/grinler/rkill.com . Ignore any error message. After the scan the PC must not be restarted. Then run an MBAM scan: http://www.malwarebytes.org/mbam.php and post the log. Do not delete anything beforehand.

2eraser2

Re: Security tool

#5 Post by 2eraser2 »

Again the same: with both of them a message pops up that I am trying to run a virus, and the program gets blocked.

Rudy (Site Admin)

Re: Security tool

#6 Post by Rudy »

Download another one from this link: http://download.bleepingcomputer.com/grinler/rkill.com and proceed the same way. Other possible links are:

http://download.bleepingcomputer.com/grinler/rkill.exe
http://download.bleepingcomputer.com/grinler/rkill.scr
http://download.bleepingcomputer.com/grinler/rkill.pif

This utility has to be run, and then the PC has to be cleaned up.

2eraser2

Re: Security tool

#7 Post by 2eraser2 »

I do not know whether the fault is on my side, but whatever I do, none of those options will run.

stell (VIP in memoriam)

Re: Security tool

#8 Post by stell »

Stepping in..
My colleague forgot to tell you: everything he wrote, you should do in Safe Mode.
Important information.
Is your computer NOT RUNNING right?
Is it infected? Running slowly? A program not working? Problems with an installation?
Use the remote-help service!
e-mail: stell(at)forum.viry.cz
Thanks!

2eraser2

Re: Security tool

#9 Post by 2eraser2 »

Well, that did not occur to me, thanks :) I am attaching the log

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org



Database version: 4676



Windows 5.1.2600 Service Pack 3 (Safe Mode)

Internet Explorer 7.0.5730.13



23.9.2010 19:22:06

mbam-log-2010-09-23 (19-22-06).txt



Scan type: Full scan (C:\|)

Objects scanned: 235242

Time elapsed: 25 minute(s), 20 second(s)



Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 2

Registry Values Infected: 3

Registry Data Items Infected: 1

Folders Infected: 0

Files Infected: 11



Memory Processes Infected:

(No malicious items detected)



Memory Modules Infected:

(No malicious items detected)



Registry Keys Infected:

HKEY_CLASSES_ROOT\CLSID\{22a6ff82-b3e0-94bb-5fcd-ea067b86810f} (Backdoor.Sdbot) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Install.exe (Adware.Agent) -> No action taken.



Registry Values Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ihiyehu (Trojan.Hiloti) -> No action taken.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\91292082 (Rogue.SecurityTool) -> No action taken.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{10040d24-12db-7a2a-791d-bb9ceedafc71} (Trojan.ZbotR.Gen) -> No action taken.



Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.



Folders Infected:

(No malicious items detected)



Files Infected:

C:\WINDOWS\chlest.dll (Trojan.Hiloti) -> No action taken.

C:\Documents and Settings\kulla\Local Settings\Application Data\91292082.exe (Rogue.SecurityTool) -> No action taken.

C:\WINDOWS\system32\TFTP3820 (Malware.Packer.Gen) -> No action taken.

C:\Documents and Settings\kulla\Local Settings\Temp\8A4.tmp (Rootkit.TDSS) -> No action taken.

C:\Documents and Settings\kulla\Local Settings\Temporary Internet Files\Content.IE5\D5VYD0Z1\setup[1].exe (Rogue.SecurityTool) -> No action taken.

C:\Documents and Settings\kulla\Local Settings\Temporary Internet Files\Content.IE5\ETD4GO2L\setup[1].exe (Trojan.Hiloti) -> No action taken.

C:\Documents and Settings\kulla\Local Settings\Temporary Internet Files\Content.IE5\N2ND6UAG\setup[1].exe (Rootkit.TDSS) -> No action taken.

C:\Documents and Settings\kulla\Desktop\Security\MWAV KEYGEN -CORE\keygenMWAV.exe (Malware.Packer.Gen) -> No action taken.

C:\msfixup\Install.exe (Adware.Agent) -> No action taken.

C:\Documents and Settings\kulla\Start Menu\Programs\Security Tool.LNK (Rogue.SecurityTool) -> No action taken.

C:\Documents and Settings\kulla\Application Data\Ypydu\irqe.exe (Trojan.ZbotR.Gen) -> No action taken.

Rudy
Site Admin
Posts: 119426
Registered: 30 Oct 2003 13:42
Location: Plzeň

Re: Security tool

#10 Post by Rudy »

I apologise for not telling you something important. Now delete everything that MBAM found and post a ComboFix log as well.
Post questions and logs only in your own threads. Private messages, ICQ and e-mail are not for solving your problems.

Please support our forum: https://platba.viry.cz/payment/.

Visit: Image

e-mail: rudy(at)forum.viry.cz

Warning:
Before disinfecting the PC, back up your important data (mail, contacts, documents, photos, videos, music, etc.). Apart from its "visible" activities, a virus can damage the system!


Once your problem is resolved, the thread will be locked. The same applies if it is inactive for more than 14 days. If you want the thread reactivated, write to me at the e-mail address given above.

2eraser2

Re: Security tool

#11 Post by 2eraser2 »

Can I restart the PC now?? After the deletion, the program is asking me to.

Rudy
Site Admin

Re: Security tool

#12 Post by Rudy »

Yes, you can. Restarting is not allowed if the items have not been deleted.

2eraser2

Re: Security tool

#13 Post by 2eraser2 »

It took me a while, but here is the ComboFix log

ComboFix 10-09-23.01 - kulla 23.09.2010 21:17:45.3.1 - FAT32x86

Systém Microsoft Windows XP Home Edition 5.1.2600.3.1250.421.1033.18.511.252 [GMT 2:00]

Running from: c:\documents and settings\kulla\Desktop\ComboFix.exe

AV: Eset NOD32 Antivirus 2.70 *On-access scanning disabled* (Outdated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

* Resident AV is active



.



((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.



c:\documents and settings\kulla\kulla

c:\documents and settings\kulla\p1pT01.dll

c:\windows\Debug\dcpromo.log

c:\windows\system32\3117124489.dat

c:\windows\system32\system32

c:\windows\system32\system32\msmapi32.ocx

c:\windows\system32\system32\msvcr71.dll

c:\windows\system32\system32\msvcrt20.dll



Infected copy of c:\windows\system32\drivers\i8042prt.sys was found and disinfected

Restored copy from - Kitty had a snack :p

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.



-------\Legacy_NETSIK





((((((((((((((((((((((((( Files Created from 2010-08-23 to 2010-09-23 )))))))))))))))))))))))))))))))

.



2010-09-23 16:52 . 2010-09-23 16:52 -------- d-----w- c:\documents and settings\kulla\Application Data\Malwarebytes

2010-09-23 16:52 . 2010-04-29 13:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-09-23 16:52 . 2010-09-23 16:52 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-09-23 16:52 . 2010-09-23 16:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-09-23 16:52 . 2010-04-29 13:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-09-23 16:51 . 2010-09-23 16:51 -------- d--h--w- c:\windows\PIF

2010-09-23 07:49 . 2010-09-23 07:49 -------- d-----w- c:\program files\trend micro

2010-09-23 07:49 . 2010-09-23 07:49 -------- d-----w- C:\rsit

2010-09-23 07:15 . 2010-09-23 07:16 -------- d-----w- c:\documents and settings\All Users\Application Data\ParetoLogic

2010-09-23 07:15 . 2010-09-23 07:15 -------- d-----w- c:\program files\Common Files\ParetoLogic

2010-09-23 07:15 . 2010-09-23 07:15 -------- d-----w- c:\program files\Common Files\XoftSpySE

2010-09-23 07:15 . 2010-09-23 07:15 -------- d-----w- c:\documents and settings\All Users\Application Data\XoftSpySE

2010-09-23 07:15 . 2010-09-23 07:15 -------- d-----w- c:\program files\XoftSpySE6

2010-09-23 06:29 . 2010-09-23 06:29 -------- d-----w- c:\documents and settings\kulla\Application Data\Ypydu

2010-09-23 06:29 . 2010-09-23 06:29 -------- d-----w- c:\documents and settings\kulla\Application Data\Owaco

2010-09-23 06:29 . 2010-09-23 06:29 91136 ----a-w- c:\documents and settings\kulla\exe.exe

2010-09-14 06:00 . 2010-09-14 06:00 -------- d-----w- c:\program files\HDplot



.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-08-30 07:25 . 2010-08-30 07:25 91299 ----a-w- c:\documents and settings\All Users\Application Data\tmp1356.tmp

2010-08-26 09:51 . 2010-01-11 19:06 19 ----a-w- c:\documents and settings\kulla\Application Data\mdbu.bin

2010-08-13 07:52 . 2010-08-13 07:52 -------- d-----w- c:\program files\Western Digital

2010-08-03 09:08 . 2010-08-03 09:08 503808 ----a-w- c:\documents and settings\kulla\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-33b25ef0-n\msvcp71.dll

2010-08-03 09:08 . 2010-08-03 09:08 499712 ----a-w- c:\documents and settings\kulla\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-33b25ef0-n\jmc.dll

2010-08-03 09:08 . 2010-08-03 09:08 348160 ----a-w- c:\documents and settings\kulla\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-33b25ef0-n\msvcr71.dll

2010-08-03 09:08 . 2010-08-03 09:08 61440 ----a-w- c:\documents and settings\kulla\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-4b078443-n\decora-sse.dll

2010-08-03 09:08 . 2010-08-03 09:08 12800 ----a-w- c:\documents and settings\kulla\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-4b078443-n\decora-d3d.dll

2010-08-03 05:14 . 2010-08-03 05:14 -------- d-----w- c:\program files\Common Files\Skype

2010-07-06 10:52 . 2010-07-06 10:52 78336 --sha-r- c:\windows\system32\netplwizw.dll

.



------- Sigcheck -------



[7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys

[-] 2008-06-20 . 9425B72F40257B45D45D24773273DAD0 . 361600 . . [5.1.2600.5625] . . c:\windows\system32\drivers\tcpip.sys

[-] 2008-06-20 . 9425B72F40257B45D45D24773273DAD0 . 361600 . . [5.1.2600.5625] . . c:\windows\system32\dllcache\tcpip.sys

[7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys

[7] 2008-06-20 . 2A5554FC5B1E04E131230E3CE035C3F9 . 360320 . . [5.1.2600.3394] . . c:\windows\$NtServicePackUninstall$\tcpip.sys

[7] 2008-06-20 . 744E57C99232201AE98C49168B918F48 . 360960 . . [5.1.2600.3394] . . c:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys

[-] 2008-04-13 . ACCF5A9A1FFAA490F33DBA1C632B95E1 . 361344 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\tcpip.sys

[7] 2008-04-13 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\$NtUninstallKB951748$\tcpip.sys

[-] 2006-04-20 . B2220C618B42A2212A59D91EBD6FC4B4 . 360576 . . [5.1.2600.2892] . . c:\windows\$hf_mig$\KB917953\SP2QFE\tcpip.sys

[-] 2006-04-20 . 1DBF125862891817F374F407626967F4 . 359808 . . [5.1.2600.2892] . . c:\windows\$NtUninstallKB951748_0$\tcpip.sys

[-] 2006-04-20 . 1DBF125862891817F374F407626967F4 . 359808 . . [5.1.2600.2892] . . c:\windows\$hf_mig$\KB917953\SP2GDR\tcpip.sys

[-] 2006-01-13 . 5562CC0A47B2AEF06D3417B733F3C195 . 360448 . . [5.1.2600.2827] . . c:\windows\$hf_mig$\KB913446\SP2QFE\tcpip.sys

[-] 2006-01-12 . 583E063FDC888CA30D05C2724B0D7EF4 . 359808 . . [5.1.2600.2827] . . c:\windows\$NtUninstallKB917953$\tcpip.sys

[-] 2006-01-12 . 583E063FDC888CA30D05C2724B0D7EF4 . 359808 . . [5.1.2600.2827] . . c:\windows\$hf_mig$\KB913446\SP2GDR\tcpip.sys

[-] 2006-01-12 . 8C101C9C566E2384AF28EF7C1DE4A36E . 340480 . . [5.1.2600.1792] . . c:\windows\$NtUninstallKB917953_0$\tcpip.sys

[-] 2005-05-25 . 228B0385BBFCA24332FA22DB45A8B684 . 339968 . . [5.1.2600.1693] . . c:\windows\$NtUninstallKB913446_0$\tcpip.sys

[-] 2005-05-25 . 63FDFEA54EB53DE2D863EE454937CE1E . 359936 . . [5.1.2600.2685] . . c:\windows\$hf_mig$\KB893066\SP2QFE\tcpip.sys

[-] 2005-05-25 . 88763A98A4C26C409741B4AA162720C9 . 359808 . . [5.1.2600.2685] . . c:\windows\$NtUninstallKB913446$\tcpip.sys

[-] 2005-05-25 . 88763A98A4C26C409741B4AA162720C9 . 359808 . . [5.1.2600.2685] . . c:\windows\$hf_mig$\KB893066\SP2GDR\tcpip.sys

[7] 2004-08-03 . 9F4B36614A0FC234525BA224957DE55C . 359040 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB893066$\tcpip.sys

[-] 2003-03-31 . 244A2F9816BC9B593957281EF577D976 . 332928 . . [5.1.2600.1106] . . c:\windows\$NtUninstallKB893066_0$\tcpip.sys

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4



[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CnxDslTaskBar"="c:\program files\Microcom\ADSL DeskPorte USB\CnxDslTb.exe Microcom\ADSL DeskPorte USB" [X]

"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-22 7700480]

"nwiz"="nwiz.exe" [2006-10-22 1622016]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-10-22 86016]

"SoundMan"="SOUNDMAN.EXE" [2007-04-16 577536]

"nod32kui"="c:\program files\Eset\nod32kui.exe" [2009-03-13 949376]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-10-02 77824]

"tsnpstd3"="c:\windows\tsnpstd3.exe" [2005-12-20 94208]

"snpstd3"="c:\windows\vsnpstd3.exe" [2006-09-19 827392]

"Sony Ericsson PC Suite"="c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2007-06-13 528384]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]

"StatusClient"="c:\program files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe" [2002-12-16 36864]

"TomcatStartup"="c:\program files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe" [2003-03-31 155648]

"HPLJ Config"="c:\program files\Hewlett-Packard\hp LaserJet 1010 Series\SetConfig.exe" [2003-03-31 28672]

"XoftSpySE"="c:\program files\XoftSpySE6\XoftSpySE.exe" [2009-10-23 4854040]



[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-13 15360]



c:\documents and settings\All Users\Start Menu\Programs\Startup\

HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]

HP Photosmart Premier Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2006-2-10 73728]

Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]



[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]

"NoSecCPL"= 0 (0x0)

"NoDevMgrPage"= 0 (0x0)

"NoConfigPage"= 0 (0x0)

"NoVirtMemPage"= 0 (0x0)

"NoFileSysPage"= 0 (0x0)

"NoNetSetup"= 0 (0x0)

"NoNetSetupIDPage"= 0 (0x0)

"NoNetSetupSecurityPage"= 0 (0x0)

"NoWorkgroupContents"= 0 (0x0)

"NoEntireNetwork"= 0 (0x0)

"NoFileSharingControl"= 0 (0x0)



[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128]



[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]

2008-04-13 23:12 15360 ----a-w- c:\windows\system32\ctfmon.exe



[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

2008-04-13 23:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe



[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]

2006-10-22 10:22 7700480 ----a-w- c:\windows\system32\nvcpl.dll



[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]

2006-10-22 10:22 1622016 ----a-w- c:\windows\system32\nwiz.exe



[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]

2007-04-16 13:28 577536 ----a-w- c:\windows\soundman.exe



[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"antivirusoverride"=dword:00000001

"firewalldisableoverride"=dword:00000001

"FirewallOverride"=dword:00000001



[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\WINDOWS\\System32\\dpvsetup.exe"=

"c:\\Program Files\\Valve\\hl.exe"=

"c:\\Program Files\\Valve\\hlds.exe"=

"c:\\Program Files\\Hewlett-Packard\\Toolbox2.0\\Javasoft\\JRE\\1.3.1\\bin\\javaw.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\BIN\\HPQTRA08.EXE"=

"c:\\Program Files\\HP\\Digital Imaging\\BIN\\HPQSTE08.EXE"=

"c:\\Program Files\\HP\\Digital Imaging\\BIN\\hpofxm08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\BIN\\hposfx08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\BIN\\hposid01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\BIN\\hpqscnvw.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\BIN\\hpqkygrp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\BIN\\hpqCopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\BIN\\hpfccopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\BIN\\hpzwiz01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\BIN\\hpoews01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\BIN\\hpqnrs08.exe"=

"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=



R1 nod32drv;nod32drv;c:\windows\system32\drivers\nod32drv.sys [13.3.2009 19:10 15424]

R2 Angelnt;Angelnt;c:\windows\system32\drivers\ANGELNT.SYS [18.3.2007 1:25 51072]

S3 CnxEtP;Conexant AccessRunner USB ADSL Adapter Filter Driver;c:\windows\system32\drivers\CnxEtP.sys [18.9.2006 11:55 131072]

S3 CnxEtU;Conexant AccessRunner USB ADSL Interface Device Driver;c:\windows\system32\drivers\CnxEtU.sys [18.9.2006 11:55 614272]

S3 CnxTgNP;Conexant AccessRunner ADSL WAN PPPoE Adapter Driver;c:\windows\system32\drivers\CnxTgNP.sys [18.9.2006 11:56 60416]

S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [13.8.2010 9:52 11520]

S3 XoftSpyService;XoftSpyService;c:\program files\Common Files\XoftSpySE\6\xoftspyservice.exe [23.10.2009 23:58 582424]

.

Contents of the 'Scheduled Tasks' folder



2010-08-28 c:\windows\Tasks\Schedule Task Weekly.job

- c:\program files\Registry Easy\RE.exe [2009-03-14 12:17]



2010-09-23 c:\windows\Tasks\dqexgurz.job

- c:\windows\system32\netplwizw.dll [2010-07-06 10:52]

.

.

------- Supplementary Scan -------

.

uStart Page = about:blank

uInternet Settings,ProxyOverride = <local>

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: E&xportova do programu Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

LSP: c:\windows\system32\imon.dll

.



**************************************************************************



catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-09-23 21:25

Windows 5.1.2600 Service Pack 3 FAT NTAPI



scanning hidden processes ...



scanning hidden autostart entries ...



scanning hidden files ...



scan completed successfully

hidden files: 0



**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------



[HKEY_USERS\S-1-5-21-1957994488-152049171-725345543-1004\Software\Microsoft\SystemCertificates\AddressBook*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

.

--------------------- DLLs Loaded Under Running Processes ---------------------



- - - - - - - > 'lsass.exe'(708)

c:\windows\system32\imon.dll

c:\program files\Eset\pr_imon.dll



- - - - - - - > 'explorer.exe'(2456)

c:\windows\system32\WININET.dll

c:\program files\Windows Desktop Search\deskbar.dll

c:\program files\Windows Desktop Search\en-us\dbres.dll.mui

c:\program files\Windows Desktop Search\dbres.dll

c:\program files\Windows Desktop Search\wordwheel.dll

c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui

c:\program files\Windows Desktop Search\msnlExtRes.dll

c:\windows\system32\ieframe.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\rundll32.exe

c:\windows\System32\DRIVERS\CDANTSRV.EXE

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Eset\nod32krn.exe

c:\windows\system32\nvsvc32.exe

c:\windows\system32\SearchIndexer.exe

c:\program files\Microcom\ADSL DeskPorte USB\CnxDslTb.exe

c:\program files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe

c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe

c:\program files\HP\Digital Imaging\bin\hpqimzone.exe

c:\windows\system32\dwwin.exe

.

**************************************************************************

.

Completion time: 2010-09-23 21:30:00 - machine was rebooted

ComboFix-quarantined-files.txt 2010-09-23 19:29

ComboFix2.txt 2009-03-17 19:48

ComboFix3.txt 2009-03-14 11:16



Pre-Run: 43 236 622 336 bytes free

Post-Run: 54 adresárov, 43 424 415 744 voľných bajtov



WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn



- - End Of File - - F56663CA407427224EB005245B7D1530

Rudy
Site Admin

Re: Security tool

#14 Post by Rudy »

We'll clean up a bit more. Open Notepad and copy the following into it:
Collect::
c:\documents and settings\kulla\exe.exe
c:\windows\system32\netplwizw.dll
Save it to the desktop as CFScript.txt. Then drag it with the mouse onto the ComboFix icon and drop it. CF will start and carry out the commands from the script.


2eraser2

Re: Security tool

#15 Post by 2eraser2 »

Done, here is the log

ComboFix 10-09-23.01 - kulla 24.09.2010 6:53.4.1 - FAT32x86

Systém Microsoft Windows XP Home Edition 5.1.2600.3.1250.421.1033.18.511.160 [GMT 2:00]

Running from: c:\documents and settings\kulla\Desktop\ComboFix.exe

Command switches used :: F:\CFScript.txt

AV: Eset NOD32 Antivirus 2.70 *On-access scanning disabled* (Outdated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}



file zipped: c:\documents and settings\kulla\exe.exe

file zipped: c:\windows\system32\netplwizw.dll

.



((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.



c:\documents and settings\kulla\exe.exe

c:\windows\system32\netplwizw.dll



.

((((((((((((((((((((((((( Files Created from 2010-08-24 to 2010-09-24 )))))))))))))))))))))))))))))))

.



2010-09-23 16:52 . 2010-09-23 16:52 -------- d-----w- c:\documents and settings\kulla\Application Data\Malwarebytes

2010-09-23 16:52 . 2010-04-29 13:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-09-23 16:52 . 2010-09-23 16:52 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-09-23 16:52 . 2010-09-23 16:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-09-23 16:52 . 2010-04-29 13:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-09-23 16:51 . 2010-09-23 16:51 -------- d--h--w- c:\windows\PIF

2010-09-23 07:49 . 2010-09-23 07:49 -------- d-----w- c:\program files\trend micro

2010-09-23 07:49 . 2010-09-23 07:49 -------- d-----w- C:\rsit

2010-09-23 06:29 . 2010-09-23 06:29 -------- d-----w- c:\documents and settings\kulla\Application Data\Ypydu

2010-09-23 06:29 . 2010-09-23 06:29 -------- d-----w- c:\documents and settings\kulla\Application Data\Owaco

2010-09-14 06:00 . 2010-09-14 06:00 -------- d-----w- c:\program files\HDplot



.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-08-30 07:25 . 2010-08-30 07:25 91299 ----a-w- c:\documents and settings\All Users\Application Data\tmp1356.tmp

2010-08-26 09:51 . 2010-01-11 19:06 19 ----a-w- c:\documents and settings\kulla\Application Data\mdbu.bin

2010-08-13 07:52 . 2010-08-13 07:52 -------- d-----w- c:\program files\Western Digital

2010-08-03 09:08 . 2010-08-03 09:08 503808 ----a-w- c:\documents and settings\kulla\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-33b25ef0-n\msvcp71.dll

2010-08-03 09:08 . 2010-08-03 09:08 499712 ----a-w- c:\documents and settings\kulla\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-33b25ef0-n\jmc.dll

2010-08-03 09:08 . 2010-08-03 09:08 348160 ----a-w- c:\documents and settings\kulla\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-33b25ef0-n\msvcr71.dll

2010-08-03 09:08 . 2010-08-03 09:08 61440 ----a-w- c:\documents and settings\kulla\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-4b078443-n\decora-sse.dll

2010-08-03 09:08 . 2010-08-03 09:08 12800 ----a-w- c:\documents and settings\kulla\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-4b078443-n\decora-d3d.dll

2010-08-03 05:14 . 2010-08-03 05:14 -------- d-----w- c:\program files\Common Files\Skype

.



------- Sigcheck -------



[7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys

[-] 2008-06-20 . 9425B72F40257B45D45D24773273DAD0 . 361600 . . [5.1.2600.5625] . . c:\windows\system32\drivers\tcpip.sys

[-] 2008-06-20 . 9425B72F40257B45D45D24773273DAD0 . 361600 . . [5.1.2600.5625] . . c:\windows\system32\dllcache\tcpip.sys

[7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys

[7] 2008-06-20 . 2A5554FC5B1E04E131230E3CE035C3F9 . 360320 . . [5.1.2600.3394] . . c:\windows\$NtServicePackUninstall$\tcpip.sys

[7] 2008-06-20 . 744E57C99232201AE98C49168B918F48 . 360960 . . [5.1.2600.3394] . . c:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys

[-] 2008-04-13 . ACCF5A9A1FFAA490F33DBA1C632B95E1 . 361344 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\tcpip.sys

[7] 2008-04-13 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\$NtUninstallKB951748$\tcpip.sys

[-] 2006-04-20 . B2220C618B42A2212A59D91EBD6FC4B4 . 360576 . . [5.1.2600.2892] . . c:\windows\$hf_mig$\KB917953\SP2QFE\tcpip.sys

[-] 2006-04-20 . 1DBF125862891817F374F407626967F4 . 359808 . . [5.1.2600.2892] . . c:\windows\$NtUninstallKB951748_0$\tcpip.sys

[-] 2006-04-20 . 1DBF125862891817F374F407626967F4 . 359808 . . [5.1.2600.2892] . . c:\windows\$hf_mig$\KB917953\SP2GDR\tcpip.sys

[-] 2006-01-13 . 5562CC0A47B2AEF06D3417B733F3C195 . 360448 . . [5.1.2600.2827] . . c:\windows\$hf_mig$\KB913446\SP2QFE\tcpip.sys

[-] 2006-01-12 . 583E063FDC888CA30D05C2724B0D7EF4 . 359808 . . [5.1.2600.2827] . . c:\windows\$NtUninstallKB917953$\tcpip.sys

[-] 2006-01-12 . 583E063FDC888CA30D05C2724B0D7EF4 . 359808 . . [5.1.2600.2827] . . c:\windows\$hf_mig$\KB913446\SP2GDR\tcpip.sys

[-] 2006-01-12 . 8C101C9C566E2384AF28EF7C1DE4A36E . 340480 . . [5.1.2600.1792] . . c:\windows\$NtUninstallKB917953_0$\tcpip.sys

[-] 2005-05-25 . 228B0385BBFCA24332FA22DB45A8B684 . 339968 . . [5.1.2600.1693] . . c:\windows\$NtUninstallKB913446_0$\tcpip.sys

[-] 2005-05-25 . 63FDFEA54EB53DE2D863EE454937CE1E . 359936 . . [5.1.2600.2685] . . c:\windows\$hf_mig$\KB893066\SP2QFE\tcpip.sys

[-] 2005-05-25 . 88763A98A4C26C409741B4AA162720C9 . 359808 . . [5.1.2600.2685] . . c:\windows\$NtUninstallKB913446$\tcpip.sys

[-] 2005-05-25 . 88763A98A4C26C409741B4AA162720C9 . 359808 . . [5.1.2600.2685] . . c:\windows\$hf_mig$\KB893066\SP2GDR\tcpip.sys

[7] 2004-08-03 . 9F4B36614A0FC234525BA224957DE55C . 359040 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB893066$\tcpip.sys

[-] 2003-03-31 . 244A2F9816BC9B593957281EF577D976 . 332928 . . [5.1.2600.1106] . . c:\windows\$NtUninstallKB893066_0$\tcpip.sys

.

((((((((((((((((((((((((((((( SnapShot@2010-09-23_19.25.54 )))))))))))))))))))))))))))))))))))))))))

.

+ 2010-09-24 04:35 . 2010-09-24 04:35 16384 c:\windows\Temp\Perflib_Perfdata_7a4.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4



[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CnxDslTaskBar"="c:\program files\Microcom\ADSL DeskPorte USB\CnxDslTb.exe Microcom\ADSL DeskPorte USB" [X]

"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-22 7700480]

"nwiz"="nwiz.exe" [2006-10-22 1622016]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-10-22 86016]

"SoundMan"="SOUNDMAN.EXE" [2007-04-16 577536]

"nod32kui"="c:\program files\Eset\nod32kui.exe" [2009-03-13 949376]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-10-02 77824]

"tsnpstd3"="c:\windows\tsnpstd3.exe" [2005-12-20 94208]

"snpstd3"="c:\windows\vsnpstd3.exe" [2006-09-19 827392]

"Sony Ericsson PC Suite"="c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2007-06-13 528384]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]

"StatusClient"="c:\program files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe" [2002-12-16 36864]

"TomcatStartup"="c:\program files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe" [2003-03-31 155648]

"HPLJ Config"="c:\program files\Hewlett-Packard\hp LaserJet 1010 Series\SetConfig.exe" [2003-03-31 28672]



[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-13 15360]



c:\documents and settings\All Users\Start Menu\Programs\Startup\

HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]

HP Photosmart Premier Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2006-2-10 73728]

Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]



[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]

"NoSecCPL"= 0 (0x0)

"NoDevMgrPage"= 0 (0x0)

"NoConfigPage"= 0 (0x0)

"NoVirtMemPage"= 0 (0x0)

"NoFileSysPage"= 0 (0x0)

"NoNetSetup"= 0 (0x0)

"NoNetSetupIDPage"= 0 (0x0)

"NoNetSetupSecurityPage"= 0 (0x0)

"NoWorkgroupContents"= 0 (0x0)

"NoEntireNetwork"= 0 (0x0)

"NoFileSharingControl"= 0 (0x0)



[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128]



[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]

2008-04-13 23:12 15360 ----a-w- c:\windows\system32\ctfmon.exe



[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

2008-04-13 23:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe



[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]

2006-10-22 10:22 7700480 ----a-w- c:\windows\system32\nvcpl.dll



[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]

2006-10-22 10:22 1622016 ----a-w- c:\windows\system32\nwiz.exe



[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]

2007-04-16 13:28 577536 ----a-w- c:\windows\soundman.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"antivirusoverride"=dword:00000001
"firewalldisableoverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\System32\\dpvsetup.exe"=
"c:\\Program Files\\Valve\\hl.exe"=
"c:\\Program Files\\Valve\\hlds.exe"=
"c:\\Program Files\\Hewlett-Packard\\Toolbox2.0\\Javasoft\\JRE\\1.3.1\\bin\\javaw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\BIN\\HPQTRA08.EXE"=
"c:\\Program Files\\HP\\Digital Imaging\\BIN\\HPQSTE08.EXE"=
"c:\\Program Files\\HP\\Digital Imaging\\BIN\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\BIN\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\BIN\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\BIN\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\BIN\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\BIN\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\BIN\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\BIN\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\BIN\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\BIN\\hpqnrs08.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 nod32drv;nod32drv;c:\windows\system32\drivers\nod32drv.sys [13.3.2009 19:10 15424]
R2 Angelnt;Angelnt;c:\windows\system32\drivers\ANGELNT.SYS [18.3.2007 1:25 51072]
S3 CnxEtP;Conexant AccessRunner USB ADSL Adapter Filter Driver;c:\windows\system32\drivers\CnxEtP.sys [18.9.2006 11:55 131072]
S3 CnxEtU;Conexant AccessRunner USB ADSL Interface Device Driver;c:\windows\system32\drivers\CnxEtU.sys [18.9.2006 11:55 614272]
S3 CnxTgNP;Conexant AccessRunner ADSL WAN PPPoE Adapter Driver;c:\windows\system32\drivers\CnxTgNP.sys [18.9.2006 11:56 60416]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [13.8.2010 9:52 11520]
S3 XoftSpyService;XoftSpyService;"c:\program files\Common Files\XoftSpySE\6\xoftspyservice.exe" --> c:\program files\Common Files\XoftSpySE\6\xoftspyservice.exe [?]
.
Contents of the 'Scheduled Tasks' folder

2010-08-28 c:\windows\Tasks\Schedule Task Weekly.job
- c:\program files\Registry Easy\RE.exe [2009-03-14 12:17]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Settings,ProxyOverride = <local>
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xportova do programu Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
LSP: c:\windows\system32\imon.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-09-24 07:00
Windows 5.1.2600 Service Pack 3 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1957994488-152049171-725345543-1004\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(708)
c:\windows\system32\imon.dll
c:\program files\Eset\pr_imon.dll
.
Completion time: 2010-09-24 07:02:57
ComboFix-quarantined-files.txt 2010-09-24 05:02
ComboFix2.txt 2010-09-23 19:30
ComboFix3.txt 2009-03-17 19:48
ComboFix4.txt 2009-03-14 11:16

Pre-Run: 43 431 198 720 bytes free
Post-Run: 43 433 656 320 bytes free

- - End Of File - - 1992A926A3AE8A994EE4F40EC88A4E49

Upload was successful