
PC disinfection, computer speed-up, remote help via the neslape.cz service
Security tool
Moderator: Moderators
Forum rules
If you want help, post a log from FRST [guide here] or RSIT [guide here]
Individual threads will be locked once resolved, as will those inactive for more than 14 days. See the rule on locking topics. Thank you for understanding.
!NEWS!
You can now use the remote-help service: a specialist connects to your computer and obtains further details about the problem from you by phone! More at www.neslape.cz
Security tool
I have a problem with this piece of junk. I tried to download RSIT, but I cannot run it in Windows in normal mode. Should I try it in safe mode? Or do you know something better? I'll add that it is Win XP. Thanks in advance for the help
Re: Security tool
"Silent Runners.vbs", revision 63, http://www.silentrunners.org/
Operating System: Windows XP SP3
Output limited to non-default values, except where indicated by "{++}"
Startup items buried in registry:
---------------------------------
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"MSMSGS" = ""C:\Program Files\Messenger\msmsgs.exe" /background" [MS]
"MP4 Player" = ""C:\Program Files\MP4 Player\mp4Player.exe" hmw" [empty string]
"OEXPRESS" = "(empty string)" [file not found]
"braviax" = "(empty string)" [file not found]
"sys32_nov" = "C:\Documents and Settings\Martin\sys32_nov.exe" [file not found]
"Livestation" = "C:\Program Files\Livestation\Livestation.exe -startup" [file not found]
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\ {++}
"800480" = ""C:\Documents and Settings\Martin\Local Settings\Application Data\800480.exe" 21 50 " ["********** **********" (unwritable string)]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Gainward" = "C:\WINDOWS\TBPanel.exe /A" ["Gainward Co."]
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS]
"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]
"NvMediaCenter" = "RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit" [MS]
"RTHDCPL" = "RTHDCPL.EXE" ["Realtek Semiconductor Corp."]
"SkyTel" = "SkyTel.EXE" ["Realtek Semiconductor Corp."]
"Alcmtr" = "ALCMTR.EXE" ["Realtek Semiconductor Corp."]
"JMB36X IDE Setup" = "C:\WINDOWS\JM\JMInsIDE.exe" [null data]
"36X Raid Configurer" = "C:\WINDOWS\system32\JMRaidSetup.exe boot" ["JMicron Technology Corp."]
"Regedit32" = "C:\WINDOWS\system32\regedit.exe" [file not found]
"Antivirus Pro 2010" = ""C:\Program Files\AntivirusPro_2010\AntivirusPro_2010.exe" /hide" [file not found]
"sys32_nov" = "C:\WINDOWS\system32\sys32_nov.exe" [file not found]
"Internet Connection Wizard Setup Tool" = "C:\Program Files\Internet Explorer\Connection Wizard\icwsetup.exe" [file not found]
"KernelFaultCheck" = "C:\WINDOWS\system32\dumprep 0 -k"
"sniffer" = "C:\WINDOWS\Temp\_ex-08.exe" [null data]
"avast5" = ""C:\Program Files\Alwil Software\Avast5\avastUI.exe" /nogui" ["AVAST Software"]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{2DB66063-BB98-466A-AA0D-3E7ACF5ED853}\(Default) = (no title provided)
-> {HKLM...CLSID} = "WebTransBHO Class"
\InProcServer32\(Default) = "C:\Documents and Settings\All Users\Application Data\LangSoft\WebIE.dll" [file not found]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {HKLM...CLSID} = "Display Panning CPL Extension"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
-> {HKLM...CLSID} = "DesktopContext Class"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
-> {HKLM...CLSID} = "Desktop Explorer"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
-> {HKLM...CLSID} = "nView Desktop Context Menu"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
-> {HKLM...CLSID} = "Microsoft Office Outlook"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
-> {HKLM...CLSID} = "Prípona súboru ikony programu Outlook"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"
-> {HKLM...CLSID} = "NVIDIA CPL Extension"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{993BE281-6695-4BA5-8A2A-7AACBFAAB69E}" = "Microsoft Office Metadata Handler"
-> {HKLM...CLSID} = "Microsoft Office Metadata Handler"
\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll" [MS]
"{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97}" = "Microsoft Office Thumbnail Handler"
-> {HKLM...CLSID} = "Microsoft Office Thumbnail Handler"
\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll" [MS]
"{1C311AAA-D8B1-4A0A-BEE5-2387FEC583DA}" = "ShellPlusContextMenu"
-> {HKLM...CLSID} = "Burn4Freecontext menu"
\InProcServer32\(Default) = "C:\WINDOWS\system32\B4FM.dll" ["Ikysasoft s.r.l. uninominale"]
"{472083B0-C522-11CF-8763-00608CC02F24}" = "avast"
-> {HKLM...CLSID} = "avast"
\InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast5\ashShell.dll" ["AVAST Software"]
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\
<<!>> "AppInit_DLLs" = "cru629.dat" [file not found]
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\
<<!>> ("mcenspc.dll" [file not found]) "SecurityProviders" = "msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, mcenspc.dll"
HKLM\SOFTWARE\Classes\PROTOCOLS\Filter\
<<!>> text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]
HKLM\SOFTWARE\Classes\PROTOCOLS\Handler\
<<!>> mso-offdap\CLSID = "{3D9F03FA-7A94-11D3-BE81-0050048385D1}"
-> {HKLM...CLSID} = "Data Page Pluggable Protocol mso-offdap Handler"
\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\WEBCOM~1\10\OWC10.DLL" [MS]
<<!>> mso-offdap11\CLSID = "{32505114-5902-49B2-880A-1F7738E5A384}"
-> {HKLM...CLSID} = "Data Page Plugable Protocal mso-offdap11 Handler"
\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\WEBCOM~1\11\OWC11.DLL" [MS]
HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\
avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"
-> {HKLM...CLSID} = "avast"
\InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast5\ashShell.dll" ["AVAST Software"]
HKLM\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\
ShellPlusContextMenu\(Default) = "{1C311AAA-D8B1-4A0A-BEE5-2387FEC583DA}"
-> {HKLM...CLSID} = "Burn4Freecontext menu"
\InProcServer32\(Default) = "C:\WINDOWS\system32\B4FM.dll" ["Ikysasoft s.r.l. uninominale"]
HKLM\SOFTWARE\Classes\Directory\Background\shellex\ContextMenuHandlers\
00nView\(Default) = "{1E9B04FB-F9E5-4718-997B-B8DA88302A48}"
-> {HKLM...CLSID} = "nView Desktop Context Menu"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
NvCplDesktopContext\(Default) = "{A70C977A-BF00-412C-90B7-034C51DA2439}"
-> {HKLM...CLSID} = "DesktopContext Class"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
TBPanelShlExt\(Default) = "{DF9B9090-B8A0-4505-9B00-CC64A0409C2F}"
-> {HKLM...CLSID} = "TBPanel Shell Extension Class"
\InProcServer32\(Default) = "C:\WINDOWS\TBPanelExt.dll" [empty string]
HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\
avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"
-> {HKLM...CLSID} = "avast"
\InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast5\ashShell.dll" ["AVAST Software"]
Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------
Note: detected settings may not have any effect.
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations\
"LowRiskFileTypes" = (REG_SZ) .exe;.EXE;zip;.rar;.cab;.txt;.exe;.reg;.msi;.htm;.html;.gif;.bmp;.jpg;.avi;.mov;.mp3;.wav
{unrecognized setting}
"SaveZoneInformation" = (REG_DWORD) dword:0x00000001
{unrecognized setting}
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments\
"SaveZoneInformation" = (REG_DWORD) dword:0x00000001
{User Configuration|Administrative Templates|Windows Components|Attachment Manager|
Do not preserve zone information in file attachments}
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
"ForceClassicControlPanel" = (REG_DWORD) dword:0x00000001
{unrecognized setting}
Active Desktop and Wallpaper:
-----------------------------
Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
Enabled Screen Saver:
---------------------
HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\logon.scr" [MS]
Startup items in "Martin" & "All Users" startup folders:
--------------------------------------------------------
C:\Documents and Settings\Martin\Start Menu\Programs\Startup
<<!>> "PowerReg Scheduler V3.exe" ["Leader Technologies"]
Enabled Scheduled Tasks:
------------------------
"AppleSoftwareUpdate" -> launches: "C:\Program Files\Apple Software Update\SoftwareUpdate.exe -task" ["Apple Inc."]
"Google Software Updater" -> launches: "C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe scheduled_start" ["Google"]
Winsock2 Service Provider DLLs:
-------------------------------
Namespace Service Providers
HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
Transport Service Providers
HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 13
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05
Toolbars, Explorer Bars, Extensions:
------------------------------------
Toolbars
HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\
"{BFC32E1D-EE75-4A48-BC60-104E11EE2431}" = "WebTranslator"
-> {HKLM...CLSID} = "WebTranslator"
\InProcServer32\(Default) = "C:\Documents and Settings\All Users\Application Data\LangSoft\WebIE.dll" [file not found]
"{855F3B16-6D32-4FE6-8A56-BBB695989046}" = "ICQToolBar"
-> {HKLM...CLSID} = "ICQToolBar"
\InProcServer32\(Default) = "C:\Program Files\ICQ6Toolbar\ICQToolBar.dll" ["ICQ"]
Explorer Bars
HKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\
HKLM\SOFTWARE\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Zdroje informácií"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL" [MS]
Extensions (Tools menu items, main toolbar menu buttons)
HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\
{7E6A20FB-153F-402C-A84B-1A64E1955D3D}\
"ButtonText" = "WebTran"
{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "Zdroje informácií"
{BFC32E1D-EE75-4A48-BC60-104E11EE2431}\
{CC963627-B1DC-40E0-B52A-CF21EE748449}\
"MenuText" = "&Nastaviť prekladač"
{CC963627-B1DC-40E0-B52A-CF21EE748450}\
"MenuText" = "&Slovník"
{CC963627-B1DC-40E0-B52A-CF21EE748451}\
"MenuText" = "Preložiť &označený text"
{CC963627-B1DC-40E0-B52A-CF21EE748452}\
"MenuText" = "Preložiť &stránku"
{E2E2DD38-D088-4134-82B7-F2BA38496583}\
"MenuText" = "@xpsp3res.dll,-20001"
"Exec" = "%windir%\Network Diagnostic\xpnetdiag.exe" [MS]
{E59EB121-F339-4851-A3BA-FE49C35617C2}\
"ButtonText" = "ICQ6"
"MenuText" = "ICQ6"
"Exec" = "C:\Program Files\ICQ6.5\ICQ.exe" ["ICQ, LLC."]
{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]
Miscellaneous IE Hijack Points
------------------------------
HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\
<<H>> "{855F3B16-6D32-4fe6-8A56-BBB695989046}" = (no title provided)
-> {HKLM...CLSID} = "ICQToolBar"
\InProcServer32\(Default) = "C:\Program Files\ICQ6Toolbar\ICQToolBar.dll" ["ICQ"]
HKLM\SOFTWARE\Microsoft\Internet Explorer\AboutURLs\
<<H>> "Tabs" = "C:\Documents and Settings\All Users\Application Data\ICQ\ICQNewTab\newTab.html" [null data]
All Non-Disabled Services (Display Name, Service Name, Path {Service DLL}):
---------------------------------------------------------------------------
avast! Antivirus, avast! Antivirus, ""C:\Program Files\Alwil Software\Avast5\AvastSvc.exe"" ["AVAST Software"]
avast! Mail Scanner, avast! Mail Scanner, ""C:\Program Files\Alwil Software\Avast5\AvastSvc.exe"" ["AVAST Software"]
avast! Web Scanner, avast! Web Scanner, ""C:\Program Files\Alwil Software\Avast5\AvastSvc.exe"" ["AVAST Software"]
Extensible Authentication Protocol Service, EapHost, "C:\WINDOWS\System32\svchost.exe -k eapsvcs" {"C:\WINDOWS\System32\eapsvc.dll" [MS]}
Google Software Updater, gusvc, ""C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe"" ["Google"]
Health Key and Certificate Management Service, hkmsvc, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\kmsvc.dll" [MS]}
ICQ Service, ICQ Service, "C:\Program Files\ICQ6Toolbar\ICQ Service.exe" [empty string]
InstallDriver Table Manager, IDriverT, ""C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe"" ["Macrovision Corporation"]
Logical Disk Manager Administrative Service, dmadmin, "C:\WINDOWS\System32\dmadmin.exe /com" ["Microsoft Corp., Veritas Software"]
Network Access Protection Agent, napagent, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\qagentrt.dll" [MS]}
NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\system32\nvsvc32.exe" ["NVIDIA Corporation"]
Office Source Engine, ose, ""C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"" [MS]
Portable Media Serial Number Service, WmdmPmSN, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\system32\mspmsnsv.dll" [MS]}
Wired AutoConfig, Dot3svc, "C:\WINDOWS\System32\svchost.exe -k dot3svc" {"C:\WINDOWS\System32\dot3svc.dll" [MS]}
WMI Performance Adapter, WmiApSrv, "C:\WINDOWS\System32\wbem\wmiapsrv.exe" [MS]
Print Monitors:
---------------
HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\
Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]
---------- (launch time: 2010-12-02 13:44:57)
<<!>>: Suspicious data at a malware launch point.
<<H>>: Suspicious data at a browser hijack point.
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points, use the -supp parameter or answer "No" at the
first message box and "Yes" at the second message box.
---------- (total run time: 43 seconds, including 8 seconds for message boxes)
What now?
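The report above lists every autostart point on the machine, and the entries that matter are easy to miss among the vendor DLLs: Run/RunOnce values whose files are gone (dead launch points left behind by a removed infection), programs started from Temp or dropped straight into the user profile (800480.exe, _ex-08.exe), the AppInit_DLLs value (cru629.dat) and the extra SSP (mcenspc.dll) appended to SecurityProviders. The following Python script is an added example, not part of the original post and not Silent Runners' own code; it parses a report in this format and applies those checks. The default SSP list, the directory heuristics and the severity labels are this example's own assumptions, and the sample lines are excerpted from the report above.

```python
"""Triage a Silent Runners autostart report (added example, not the tool's own code).

The heuristics (temp/profile paths, default SSP list, severity labels) are this
example's assumptions; the sample lines are excerpted from the report above.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Registry key header line, e.g.  HKCU\...\CurrentVersion\Run\ {++}
KEY_LINE = re.compile(r"^(HK(?:LM|CU)\\.*?\\)\s*(?:\{\+\+\})?$")
# Value line: optional <<!>> marker, optional "(...)" note, then "name" = "data" [tag]
ENTRY = re.compile(
    r'^(?:<<!>>\s*)?(?:\([^)]*\)\s*)?"(?P<name>[^"]*)"\s*=\s*"(?P<data>.*)"'
    r'\s*(?:\[(?P<tag>[^\]]*)\])?$'
)
RUN_KEYS = ("\\currentversion\\run\\", "\\currentversion\\runonce\\")
# Assumed default SSP list of Windows XP SP3; anything beyond it was appended later.
XP_DEFAULT_SSPS = {"msapsspc.dll", "schannel.dll", "digest.dll", "msnsspc.dll"}
TEMP_DIR = re.compile(r"\\temp\\|\\temporary internet files\\")
# Heuristic: an .exe sitting directly in a profile root or in (Local Settings\)Application Data
USER_DROP = re.compile(
    r"\\documents and settings\\[^\\]+\\"
    r"(?:local settings\\application data\\|application data\\)?[^\\]+\.exe$"
)


@dataclass
class Finding:
    severity: str  # "high": act now, "orphan": dead launch point to clean, "review": verify by hand
    key: str
    name: str
    reason: str


def first_path(data: str) -> str:
    """Return the program path from a Run value: "quoted path" args  or  path args."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    return data.split(" ", 1)[0]


def check_run_value(key: str, name: str, data: str, tag: Optional[str]) -> Optional[Finding]:
    path = first_path(data)
    low = path.lower()
    if tag == "file not found":
        return Finding("orphan", key, name, f"launch point references a missing file: {data.strip()}")
    if TEMP_DIR.search(low):
        return Finding("high", key, name, f"program started from a temporary directory: {path}")
    if USER_DROP.search(low):
        return Finding("high", key, name, f"program dropped directly into a profile directory: {path}")
    if tag in ("null data", "empty string") or (tag and "unwritable" in tag):
        return Finding("review", key, name, f"no usable vendor/version info for {path}")
    return None


def triage(report: str) -> List[Finding]:
    """Walk the report, remember the current registry key, and check each value line."""
    findings: List[Finding] = []
    key = ""
    for raw in report.splitlines():
        line = raw.strip()
        m = KEY_LINE.match(line)
        if m:
            key = m.group(1)
            continue
        m = ENTRY.match(line)
        if not m:
            continue
        name, data, tag = m.group("name"), m.group("data"), m.group("tag")
        if name.lower() == "appinit_dlls" and data.strip():
            # user32.dll loads these into every process that links user32
            findings.append(Finding("high", key, name, f"AppInit_DLLs injects {data.strip()} into every GUI process"))
        elif name.lower() == "securityproviders":
            # SSP DLLs are loaded by every process that initialises SSPI, including lsass
            extra = sorted({p.strip().lower() for p in data.split(",")} - XP_DEFAULT_SSPS)
            if extra:
                findings.append(Finding("high", key, name, "non-default SSP loaded via SSPI: " + ", ".join(extra)))
        elif key.lower().endswith(RUN_KEYS):
            f = check_run_value(key, name, data, tag)
            if f:
                findings.append(f)
    return findings


# Constructed input: lines excerpted from the Silent Runners report in the post above.
SAMPLE = r"""
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"MSMSGS" = ""C:\Program Files\Messenger\msmsgs.exe" /background" [MS]
"braviax" = "(empty string)" [file not found]
"sys32_nov" = "C:\Documents and Settings\Martin\sys32_nov.exe" [file not found]
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\ {++}
"800480" = ""C:\Documents and Settings\Martin\Local Settings\Application Data\800480.exe" 21 50 " ["********** **********" (unwritable string)]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"JMB36X IDE Setup" = "C:\WINDOWS\JM\JMInsIDE.exe" [null data]
"Antivirus Pro 2010" = ""C:\Program Files\AntivirusPro_2010\AntivirusPro_2010.exe" /hide" [file not found]
"sniffer" = "C:\WINDOWS\Temp\_ex-08.exe" [null data]
"avast5" = ""C:\Program Files\Alwil Software\Avast5\avastUI.exe" /nogui" ["AVAST Software"]
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\
<<!>> "AppInit_DLLs" = "cru629.dat" [file not found]
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\
<<!>> ("mcenspc.dll" [file not found]) "SecurityProviders" = "msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, mcenspc.dll"
"""

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"{f.severity:6} {f.name!r:22} {f.reason}")
```

On the sample the script reports four "high" items (800480, sniffer, AppInit_DLLs, SecurityProviders), three orphaned launch points (braviax, sys32_nov, Antivirus Pro 2010) and one "review" item (the JMicron setup tool, which carries no version info but lives in a vendor directory); the signed Microsoft and avast entries produce nothing. The "orphan" class is worth keeping separate: the files are already gone, so the values are harmless, but they show what ran on the box and should be cleaned so that a later reinfection is not masked by old noise.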
Re: Security tool
Good evening
Download Rkill from one of the links; if the virus blocks it, try downloading a different one
Rkill EXE:
http://download.bleepingcomputer.com/grinler/rkill.exe
Rkill COM:
http://download.bleepingcomputer.com/grinler/rkill.com
Rkill SCR:
http://download.bleepingcomputer.com/grinler/rkill.scr
Rkill PIF:
http://download.bleepingcomputer.com/grinler/rkill.pif
- run it and let it work. It will close by itself.
Now do not restart the computer!
Run ComboFix according to this guide
http://www.bleepingcomputer.com/combofi ... t-combofix
- rename it to anything.com


Do not use COMBOFIX without a helper's recommendation, it can damage the system!
Always back up important data before cleaning the computer
Want to support our forum? Information here

I am mostly reachable at night, between 21:00 and 23:00
If you have any questions, you can write to me at the email Motji(at)forum.viry.cz.
Re: Security tool
ComboFix 10-12-02.04 - Martin 03.12.2010 7:50.1.2 - x86 NETWORK
Systém Microsoft Windows XP Professional 5.1.2600.3.1250.421.1033.18.1023.817 [GMT 1:00]
Running from: c:\documents and settings\Martin\Desktop\ComboFix.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Martin\Application Data\wiaserva.log
c:\documents and settings\Martin\Local Settings\Application Data\800480.exe
c:\documents and settings\Martin\Local Settings\Temporary Internet Files\ajev.inf
c:\documents and settings\Martin\Local Settings\Temporary Internet Files\kiheru._dl
c:\documents and settings\Martin\Local Settings\Temporary Internet Files\matorivo.exe
c:\documents and settings\Martin\Local Settings\Temporary Internet Files\pepice.inf
c:\documents and settings\Martin\Local Settings\Temporary Internet Files\ufeka.dat
c:\documents and settings\Martin\Local Settings\Temporary Internet Files\zevaho.reg
c:\documents and settings\Martin\Start Menu\Programs\Security Tool.lnk
c:\windows\adedypoxyk.scr
c:\windows\doqybumyt._sy
c:\windows\system32\drivers\npf.sys
c:\windows\system32\Packet.dll
c:\windows\system32\Temp
c:\windows\system32\Temp\aawfhriejlcmbvbhxjui.list
c:\windows\system32\Temp\svsheimgvhmdwhuzmxva.list
c:\windows\system32\wpcap.dll
c:\windows\Temp\_ex-08.exe
c:\windows\ugyx.exe
c:\windows\ujunelatub.scr
c:\windows\system32\drivers\beep.sys . . . is infected!!
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_GLAIDE32
-------\Legacy_NPF
-------\Service_NPF
((((((((((((((((((((((((( Files Created from 2010-11-03 to 2010-12-03 )))))))))))))))))))))))))))))))
.
2010-12-02 13:59 . 2010-12-02 14:00 -------- d-----w- c:\documents and settings\Administrator
2010-12-02 11:36 . 2010-12-02 11:36 -------- d-----w- C:\rsit
2010-12-01 18:11 . 2010-12-01 18:31 -------- d-----w- c:\windows\SxsCaPendDel
2010-12-01 18:07 . 2010-12-01 18:07 -------- d-----w- c:\documents and settings\Martin\Local Settings\Application Data\Google
2010-12-01 18:03 . 2010-12-01 18:03 -------- d-----w- c:\documents and settings\Martin\Local Settings\Application Data\Apple Computer
2010-12-01 17:28 . 2010-12-01 17:28 -------- d-----w- c:\program files\NortonInstaller
2010-12-01 17:28 . 2010-12-01 17:28 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2010-11-12 11:32 . 2010-12-01 18:20 -------- d-----w- c:\program files\Quantum GIS Tethys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-18 10:23 . 2001-08-23 12:00 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53 . 2001-08-23 12:00 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53 . 2001-08-23 12:00 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53 . 2001-08-23 12:00 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-09 14:16 . 2001-08-23 12:00 667136 ----a-w- c:\windows\system32\wininet.dll
2010-09-09 14:16 . 2001-08-23 12:00 61952 ----a-w- c:\windows\system32\tdc.ocx
2010-09-09 14:16 . 2004-08-04 07:56 81920 ------w- c:\windows\system32\ieencode.dll
2010-09-08 16:49 . 2004-08-04 05:59 369664 ------w- c:\windows\system32\html.iec
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MP4 Player"="c:\program files\MP4 Player\mp4Player.exe" [2007-09-19 639488]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Gainward"="c:\windows\TBPanel.exe" [2007-03-23 2173744]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-04-12 8429568]
"nwiz"="nwiz.exe" [2007-04-12 1626112]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-04-12 81920]
"RTHDCPL"="RTHDCPL.EXE" [2006-11-15 16270848]
"SkyTel"="SkyTel.EXE" [2006-05-17 2879488]
"JMB36X IDE Setup"="c:\windows\JM\JMInsIDE.exe" [2006-10-30 36864]
"36X Raid Configurer"="c:\windows\system32\JMRaidSetup.exe" [2006-11-16 1953792]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]
c:\documents and settings\Martin\Start Menu\Programs\Startup\
PowerReg Scheduler V3.exe [2009-11-25 225280]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\totalcmd\\TOTALCMD.EXE"=
"c:\\Program Files\\ICQ6.5\\ICQ.exe"=
R2 ICQ Service;ICQ Service;c:\program files\ICQ6Toolbar\ICQ Service.exe [30.1.2009 18:09 222456]
R3 AtcL001;NDIS Miniport Driver for Attansic L1 Gigabit Ethernet Controller;c:\windows\system32\drivers\atl01_xp.sys [30.1.2009 15:45 35840]
.
Contents of the 'Scheduled Tasks' folder
2010-11-15 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
2010-12-03 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-02-01 07:43]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://start.icq.com/
mStart Page = hxxp://www.google.com
IE: E&xportovať do programu Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: {{7E6A20FB-153F-402c-A84B-1A64E1955D3D} -
IE: {{CC963627-B1DC-40E0-B52A-CF21EE748449} -
IE: {{CC963627-B1DC-40E0-B52A-CF21EE748450} -
IE: {{CC963627-B1DC-40E0-B52A-CF21EE748451} -
IE: {{CC963627-B1DC-40E0-B52A-CF21EE748452} -
FF - ProfilePath - c:\documents and settings\Martin\Application Data\Mozilla\Firefox\Profiles\92pub60i.default\
FF - prefs.js: browser.search.selectedEngine - ICQ Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.sk/
FF - prefs.js: keyword.URL - hxxp://search.icq.com/search/afe_results.php?ch_id=afex&q=
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
.
- - - - ORPHANS REMOVED - - - -
HKCU-Run-OEXPRESS - (no file)
HKCU-Run-Livestation - c:\program files\Livestation\Livestation.exe
HKLM-Run-Internet Connection Wizard Setup Tool - c:\program files\Internet Explorer\Connection Wizard\icwsetup.exe
AddRemove-PC Translator - c:\docume~1\Martin\LOCALS~1\Temp\UN32.EXE
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-12-03 08:03
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
@DACL=(02 0000)
"Installed"="1"
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
@DACL=(02 0000)
"Installed"="1"
"NoChange"="1"
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
@DACL=(02 0000)
"Installed"="1"
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\windows\system32\RUNDLL32.EXE
c:\windows\RTHDCPL.EXE
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-12-03 08:06:59 - machine was rebooted
ComboFix-quarantined-files.txt 2010-12-03 07:06
Pre-Run: 119 059 070 976 bytes free
Post-Run: 120 761 929 728 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
- - End Of File - - FBC1C449A6D7C25D7D9AB0ED44B9396E
I am sending the ComboFix result. Thanks in advance. Martin
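The ComboFix log above is what the helper reads to decide the next step: which files were removed, which system file is reported as infected rather than simply dropped (the beep.sys driver, which the next post restores with a Restore:: directive), which Run-key entries remain, and which browser start page and search settings point at a third-party host. The following Python script is an added example, not ComboFix's own code, that pulls exactly those parts out of a log in this format. SAMPLE_LOG is a constructed excerpt in the thread's log format (the "Updater" Run entry in it is invented to show a profile-path autorun), and the section names and regular expressions are assumptions based on the lines visible in this thread.

```python
"""Triage helper for ComboFix-style logs (added example, not ComboFix's own code)."""
import re

# Constructed excerpt in the format of the ComboFix log posted in this thread.
# The "Updater" Run entry is invented to demonstrate a profile-path autorun.
SAMPLE_LOG = r"""
ComboFix 10-12-02.04 - Martin 03.12.2010 7:50.1.2 - x86 NETWORK
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Martin\Local Settings\Application Data\800480.exe
c:\windows\ugyx.exe
c:\windows\system32\drivers\beep.sys . . . is infected!!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MP4 Player"="c:\program files\MP4 Player\mp4Player.exe" [2007-09-19 639488]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2006-11-15 16270848]
"Updater"="c:\documents and settings\Martin\Local Settings\Temp\upd.exe" [2010-12-01 40960]
.
------- Supplementary Scan -------
.
uStart Page = hxxp://start.icq.com/
FF - prefs.js: keyword.URL - hxxp://search.icq.com/search/afe_results.php?ch_id=afex&q=
.
**************************************************************************
"""

# Section banners look like "(((( Name ))))" or "------- Name -------".
SECTION_RE = re.compile(r"^(?:\(+|-+)\s*(.+?)\s*(?:\)+|-+)$")
# A patched system file is reported as "<path> . . . is infected!!".
INFECTED_RE = re.compile(r"^(.+?)\s+\.\s+\.\s+\.\s+is infected!!$")
# Registry value lines: "Name"="target" [date size]
VALUE_RE = re.compile(r'^"([^"]+)"="([^"]*)"')
# ComboFix defangs URLs as hxxp://; extract the host.
HOST_RE = re.compile(r"hxxp://([^/\s]+)")

# Autorun targets under these directories deserve a second look.
SUSPECT_DIRS = ("\\temp\\", "\\local settings\\", "\\application data\\",
                "\\documents and settings\\")


def parse_combofix(text):
    """Split a ComboFix log into deleted files, infected files, Run entries and browser lines."""
    report = {"deleted": [], "infected": [], "autoruns": [], "browser": []}
    section, key = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        m = SECTION_RE.match(line)
        if m:
            section, key = m.group(1).lower(), None
            continue
        if section == "other deletions":
            m = INFECTED_RE.match(line)
            if m:
                report["infected"].append(m.group(1))
            else:
                report["deleted"].append(line)
        elif section == "reg loading points":
            if line.startswith("[") and line.endswith("]"):
                key = line[1:-1]
            else:
                m = VALUE_RE.match(line)
                if m and key:
                    report["autoruns"].append((key, m.group(1), m.group(2)))
        elif section == "supplementary scan":
            if line.startswith(("uStart Page", "mStart Page", "FF - prefs.js")):
                report["browser"].append(line)
    return report


def flag_autoruns(report):
    """Return Run entries whose target is a bare file name (resolved via the search
    path) or lives under a user profile or temp directory."""
    flagged = []
    for key, name, target in report["autoruns"]:
        t = target.lower()
        if "\\" not in t or any(d in t for d in SUSPECT_DIRS):
            flagged.append((key, name, target))
    return flagged


def browser_hosts(report):
    """Sorted list of hosts set as start page or search URL in the browser lines."""
    hosts = set()
    for line in report["browser"]:
        hosts.update(HOST_RE.findall(line))
    return sorted(hosts)


if __name__ == "__main__":
    rep = parse_combofix(SAMPLE_LOG)
    print("deleted:", *rep["deleted"], sep="\n  ")
    print("infected (restore, do not just delete):", *rep["infected"], sep="\n  ")
    print("autoruns to confirm:", *flag_autoruns(rep), sep="\n  ")
    print("browser hosts:", browser_hosts(rep))
```

Run it against a saved ComboFix.txt by replacing SAMPLE_LOG with the file contents. The flagged list is a review queue, not a verdict: a bare name like RTHDCPL.EXE is normal for a vendor audio panel, but every entry outside Program Files and Windows needs the file checked before anything is deleted, which is why the helper here asks for logs before each step.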
Re: Security tool

- open Notepad
- copy the text from this box into it
Restore::
c:\windows\system32\drivers\beep.sys
Srpeek::
c:\windows\system32\drivers\beep.sys
DDS::
uStart Page = hxxp://start.icq.com/
Firefox::
FF - ProfilePath - c:\documents and settings\Martin\Application Data\Mozilla\Firefox\Profiles\92pub60i.default\
FF - prefs.js: browser.search.selectedEngine - ICQ Search
FF - prefs.js: keyword.URL - hxxp://search.icq.com/search/afe_result ... id=afex&q=
- after saving, grab the script you created with the left mouse button and drag it onto the ComboFix icon, where you drop it:

- after it is applied, another log will appear; paste it here
Warning: it may happen that after applying the script and restarting, Windows does not boot; in that case restart again while pressing F8, then choose Last Known Good Configuration

- Install it and run a full scan
DO NOT DELETE ANYTHING

- MBAM occasionally has false detections, so we will delete only after checking the log.
- Copy the log here.
Do not use COMBOFIX without a helper's recommendation, it can damage the system!
Always back up important data before cleaning the computer
Want to support our forum? Information here

I am mostly reachable at night, between 21:00 and 23:00
If you have any questions, you can write to me at the email Motji(at)forum.viry.cz.