
PC virus removal, computer speed-up, remote help via the neslape.cz service
Restarting PC
Moderators: Rudy, Moderators
Forum rules
Individual threads will be locked once they are resolved, as will those that have been inactive for more than 14 days. See the rule on locking topics. Thank you for your understanding.
Re: Restarting PC
So for that message I sent a screenshot of: I click "Don't send", Windows kind of freezes, and then my sound drops out. YouTube sound works, but TV series or music don't. I have to restart the PC and only then does the sound work again, and after some time it drops out again. I can't figure it out. I once reinstalled Windows, wiped the HDD, and when I started it up it did it again, so I don't know what to do about it.
- cernohous13
- VIP in memoriam

- Posts: 8721
- Registered: 09 Dec 2006 06:19
- Location: Jablonec nad Nisou
Re: Restarting PC
Can you post the screenshot of that message here once more? The topic is already long and it's hard to find.
Recommendations:
During the cleanup, perform new installations and uninstallations only when I tell you to.
Study my reply thoroughly and carry out the whole operation as described in it.
If anything is unclear, ask - I'll explain.
-------------------------------------------------------------------------------------------------
> Forum support <
- cernohous13
- VIP in memoriam

- Posts: 8721
- Registered: 09 Dec 2006 06:19
- Location: Jablonec nad Nisou
Re: Restarting PC
Can you run one more ComboFix scan for me, so I can check?
Re: Restarting PC
Sure, no problem,
but not until tomorrow.
Re: Restarting PC
Sorry, I wasn't at home.
ComboFix 11-05-21.03 - Martin 22.05.2011 8:54.9.1 - x86
Systém Microsoft Windows XP Professional 5.1.2600.3.1250.421.1033.18.1023.774 [GMT 2:00]
Running from: c:\documents and settings\Martin\Desktop\ComboFix.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-04-22 to 2011-05-22 )))))))))))))))))))))))))))))))
.
.
2011-05-18 09:05 . 2011-05-04 11:54 302080 ----a-w- C:\gmer.exe
2011-05-18 07:58 . 2011-05-18 07:58 -------- d-----w- C:\_OTM
2011-05-15 15:28 . 2011-05-15 15:28 -------- d-----w- c:\documents and settings\Martin\Application Data\IObit
2011-05-15 15:28 . 2011-05-15 15:28 -------- d-----w- c:\program files\IObit
2011-05-15 15:27 . 2011-05-15 15:27 -------- d-----w- c:\documents and settings\All Users\Uniblue
2011-05-15 15:26 . 2011-05-15 15:26 -------- d-----w- c:\documents and settings\All Users\Application Data\IObit
2011-05-14 06:49 . 2011-05-15 13:45 -------- d-----w- c:\documents and settings\All Users\Application Data\NVIDIA
2011-05-14 06:48 . 2011-04-08 05:14 944232 ----a-w- c:\windows\system32\nvdispco3220140.dll
2011-05-14 06:48 . 2011-04-08 05:14 855656 ----a-w- c:\windows\system32\nvgenco322060.dll
2011-05-12 12:40 . 2011-05-12 17:17 -------- d-----w- c:\documents and settings\Martin\Application Data\RIFT
2011-05-10 11:37 . 2011-05-10 11:37 -------- d-----w- c:\documents and settings\Martin\.system32
2011-05-06 07:31 . 2008-04-14 03:41 33792 -c----w- c:\windows\system32\dllcache\custsat.dll
2011-05-06 07:30 . 2008-04-13 22:10 10240 ------w- c:\windows\system32\drivers\sffp_mmc.sys
2011-05-05 16:42 . 2011-05-05 16:42 -------- d-----w- C:\rsit
2011-05-05 16:42 . 2011-05-05 16:42 -------- d-----w- c:\program files\trend micro
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-04-26 16:49 . 2011-04-08 19:46 137464 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2011-04-26 16:49 . 2011-04-08 19:51 214520 ----a-w- c:\windows\system32\PnkBstrB.xtr
2011-04-26 16:49 . 2011-04-08 19:45 214520 ----a-w- c:\windows\system32\PnkBstrB.exe
2011-04-26 15:55 . 2011-04-08 19:45 75064 ----a-w- c:\windows\system32\PnkBstrA.exe
2011-04-21 18:59 . 2011-04-08 19:46 22328 ----a-w- c:\documents and settings\Martin\Application Data\PnkBstrK.sys
2011-04-18 12:42 . 2011-04-18 12:39 2829 ----a-w- c:\windows\War3Unin.pif
2011-04-18 12:42 . 2011-04-18 12:39 139264 ----a-w- c:\windows\War3Unin.exe
2011-04-05 08:20 . 2011-04-05 08:20 146 ----a-w- c:\windows\DelMR.bat
.
.
((((((((((((((((((((((((((((( SnapShot@2011-05-17_16.33.31 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-05-20 10:35 . 2011-05-20 10:35 5120 c:\windows\Installer\{789289CA-F73A-4A16-A331-54D498CE069F}\Icon789289CA.exe
- 2011-04-28 18:38 . 2011-04-28 18:38 5120 c:\windows\Installer\{789289CA-F73A-4A16-A331-54D498CE069F}\Icon789289CA.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2011-01-07 13880424]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
c:\windows\system32\dumprep 0 -u [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-11-15 19:02 932288 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2011-01-30 15:45 35736 ----a-w- c:\programy\Reader 10.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 03:42 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
2010-04-01 09:16 357696 ----a-w- c:\programy\DAEMON Tools Lite\DTLite.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2011-01-07 17:56 13880424 ----a-w- c:\windows\system32\nvcpl.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2011-01-07 17:56 111208 ----a-w- c:\windows\system32\nvmctray.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2010-11-04 06:51 1753192 ----a-w- c:\program files\NVIDIA Corporation\nView\nwiz.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
2005-05-17 10:48 77824 ----a-r- c:\windows\SOUNDMAN.EXE
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Programy\\Skype\\Phone\\Skype.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6756:TCP"= 6756:TCP:rvgbebls
.
S2 rxfww;Time Installer;c:\windows\system32\svchost.exe -k netsvcs [23.8.2001 14:00 14336]
S3 GGSAFERDriver;GGSAFER Driver;\??\c:\programy\Garena\safedrv.sys --> c:\programy\Garena\safedrv.sys [?]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [16.11.2010 16:55 691696]
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
jzmwnkm
rxfww
.
.
------- Supplementary Scan -------
.
uSearchAssistant =
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Martin\Application Data\Mozilla\Firefox\Profiles\ghya889f.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - azet.sk
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-05-22 08:58
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\rxfww]
"ServiceDll"="c:\windows\system32\oqhre.dll"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
Completion time: 2011-05-22 09:00:14
ComboFix-quarantined-files.txt 2011-05-22 06:59
ComboFix2.txt 2011-05-17 16:34
.
Pre-Run: 57 790 271 488 bytes free
Post-Run: 10 adresárov, 57 777 750 016 voľných bajtov
.
- - End Of File - - 76E55555F90E36DF0BB22238E2D91C97
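The log above is what the helper reads by eye: the two names listed under "Svchost - NetSvcs" (ComboFix hides legitimate default members there, so anything printed is worth a look), the rxfww service running inside svchost.exe with its ServiceDll pointing at oqhre.dll, the firewall standard profile switched off, a globally opened port 6756 tagged rvgbebls, and a ".system32" directory sitting inside the user profile. The Python script below is an added example, not part of this thread and not ComboFix's own code, that automates exactly those checks over a constructed excerpt of the log; the Finding class, the regular expressions and the function names are this example's own.

```python
"""Triage helper for ComboFix-style log text (added example, not ComboFix code)."""
import re
from dataclasses import dataclass

# Constructed excerpt of the ComboFix log posted above: only the lines the
# checks below look at; the rest of the log is omitted.
SAMPLE_LOG = r"""
2011-05-10 11:37 . 2011-05-10 11:37 -------- d-----w- c:\documents and settings\Martin\.system32
2011-05-05 16:42 . 2011-05-05 16:42 -------- d-----w- c:\program files\trend micro
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6756:TCP"= 6756:TCP:rvgbebls
.
S2 rxfww;Time Installer;c:\windows\system32\svchost.exe -k netsvcs [23.8.2001 14:00 14336]
S3 GGSAFERDriver;GGSAFER Driver;\??\c:\programy\Garena\safedrv.sys --> c:\programy\Garena\safedrv.sys [?]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [16.11.2010 16:55 691696]
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
jzmwnkm
rxfww
.
.
------- Supplementary Scan -------
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\rxfww]
"ServiceDll"="c:\windows\system32\oqhre.dll"
.
"""


@dataclass(frozen=True)
class Finding:
    kind: str    # short category, handy for filtering
    detail: str  # what the analyst should go and verify


# "S2 name;display name;image path [timestamp size]" service lines
SERVICE_RE = re.compile(r"^S\d\s+([^;]+);([^;]*);(.*?)\s*\[[^\]]*\]$")
# "[HKEY_LOCAL_MACHINE\System\ControlSetNNN\Services\<name>]" key headers
SERVICE_KEY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\System\\(?:ControlSet\d+|CurrentControlSet)\\Services\\([^\]\\]+)\]$",
    re.IGNORECASE,
)
SERVICEDLL_RE = re.compile(r'^"ServiceDll"="(.+)"$', re.IGNORECASE)
FIREWALL_OFF_RE = re.compile(r'^"EnableFirewall"=\s*0\b')
OPEN_PORT_RE = re.compile(r'^"(\d+:(?:TCP|UDP))"=\s*(.+)$')
# directory entries (d-----w-) whose last path component starts with a dot
DOTDIR_RE = re.compile(r"\sd-----w-\s+(.*\\\.[^\\]+)$", re.IGNORECASE)


def parse_netsvcs(lines):
    """Return the names ComboFix lists under 'Svchost - NetSvcs' (non-default members only)."""
    names, in_section = [], False
    for raw in lines:
        line = raw.strip()
        if line.endswith("Svchost - NetSvcs"):
            in_section = True
            continue
        if in_section:
            if line in ("", "."):
                break
            names.append(line)
    return names


def parse_service_dlls(lines):
    """Map service name (lower-case) -> ServiceDll path from the dumped service keys."""
    dlls, current = {}, None
    for raw in lines:
        line = raw.strip()
        if (m := SERVICE_KEY_RE.match(line)):
            current = m.group(1).lower()
        elif (m := SERVICEDLL_RE.match(line)) and current:
            dlls[current] = m.group(1)
    return dlls


def triage(log_text):
    """Run every check over the log text and return findings in log order."""
    lines = log_text.splitlines()
    findings = []
    netsvcs = parse_netsvcs(lines)
    if netsvcs:
        findings.append(Finding("netsvcs", "non-default netsvcs members: " + ", ".join(netsvcs)))
    dlls = parse_service_dlls(lines)
    for raw in lines:
        line = raw.strip()
        if (m := SERVICE_RE.match(line)):
            name, display, image = m.groups()
            # a service hosted by svchost.exe is only as trustworthy as the DLL it loads
            if "svchost.exe -k" in image.lower():
                dll = dlls.get(name.lower(), "<ServiceDll not in log>")
                findings.append(Finding("svchost-service", f"{name} ({display}) hosted by svchost.exe, ServiceDll={dll}"))
        elif FIREWALL_OFF_RE.match(line):
            findings.append(Finding("firewall-disabled", "Windows Firewall standard profile is disabled (EnableFirewall=0)"))
        elif (m := OPEN_PORT_RE.match(line)):
            findings.append(Finding("firewall-open-port", f"{m.group(1)} globally open: {m.group(2)}"))
        elif (m := DOTDIR_RE.search(line)):
            findings.append(Finding("dot-directory", f"dot-prefixed directory: {m.group(1)}"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.kind}] {f.detail}")
```

The script deliberately reports rather than decides: a ServiceDll outside the expected system DLLs, a service name that looks random, or an open port with a meaningless label are leads for the helper to verify (file hash, signature, creation date), which is the same order of checks the thread follows with SystemLook and the online scanners. The same open-port check applies to the SystemLook regfind output further down, which shows the 6756:TCP entry under ControlSet001, ControlSet002 and CurrentControlSet.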
- cernohous13
- VIP in memoriam

- Posts: 8721
- Registered: 09 Dec 2006 06:19
- Location: Jablonec nad Nisou
Re: Restarting PC
Run it and paste the following into its window:
Code:
:contents
c:\windows\DelMR.bat
:filefind
rvgbebls.*
:regfind
rvgbebls
:dir
c:\documents and settings\Martin\.system32 /s
Go to https://www.virustotal.com/cs/
Click "Browse" > into the "File name" field just paste:
c:\windows\Installer\{789289CA-F73A-4A16-A331-54D498CE069F}\Icon789289CA.exe
"Send file" (if it has already been analysed, have it analysed again - Reanalyse)
Wait patiently for the scan to finish, until the final result appears, e.g. 0/41.
Paste the resulting log into the forum, or the link to the page from the address bar.
If there is no detection, just say so.
Re: Restarting PC
I apologise, I haven't been online for a while.
SystemLook 04.09.10 by jpshortstuff
Log created at 15:41 on 24/05/2011 by Martin
Administrator - Elevation successful
========== contents ==========
c:\windows\DelMR.bat - Opened succesfully.
rmdir /s /q "C:\Program Files\Intuwave\Shared\mRouterRuntime"
rmdir /q "C:\Program Files\Intuwave\Shared"
rmdir /q "C:\Program Files\Intuwave"
========== filefind ==========
Searching for "rvgbebls.*"
No files found.
========== regfind ==========
Searching for "rvgbebls"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"6756:TCP"="6756:TCP:*:Enabled:rvgbebls"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"6756:TCP"="6756:TCP:*:Enabled:rvgbebls"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"6756:TCP"="6756:TCP:*:Enabled:rvgbebls"
========== dir ==========
c:\documents and settings\Martin\.system32 - Parameters: "/s"
---Files---
data.ini --a---- 4 bytes [11:37 10/05/2011] [11:43 11/05/2011]
No folders found.
-= EOF =-
Re: Restarting PC
https://www.virustotal.com/cs/ this doesn't work for me, the page won't load.
- cernohous13
- VIP in memoriam

- Posts: 8721
- Registered: 09 Dec 2006 06:19
- Location: Jablonec nad Nisou
Re: Restarting PC
Have the file c:\windows\Installer\{789289CA-F73A-4A16-A331-54D498CE069F}\Icon789289CA.exe
tested here: http://virusscan.jotti.org/cs
CFscript
Open Notepad and copy the entire green text from the "CFscript".
Save the file to the desktop as CFscript.txt and drag its icon onto the ComboFix icon - drop it there.
ComboFix will start - wait for the log and paste it here.
Code:
KillAll::
File::
c:\windows\DelMR.bat
c:\windows\system32\oqhre.dll
Registry::
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"6756:TCP"=-
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"6756:TCP"=-
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"6756:TCP"=-
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\rxfww]
Folder::
c:\documents and settings\Martin\.system32
NetSvc::
jzmwnkm
rxfww
Driver::
jzmwnkm
rxfww
Rootkit::
c:\windows\system32\oqhre.dll
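The CFscript above is a plain-text instruction file for ComboFix: each "Name::" header opens a section, File::, Folder:: and Rootkit:: list paths to remove, NetSvc:: and Driver:: list service names to unregister, and Registry:: uses the .reg conventions of "[-Key]" to delete a key and "name"=- to delete a value. The Python parser below is an added example, not ComboFix's code and not the helper's, that reads a constructed copy of that script into a structure a reviewer can check before handing it to a user; parse_cfscript, registry_actions, lint and summarize are names of this example, and the section meanings are stated as this example understands them from the script above.

```python
"""Parse and review a ComboFix CFscript (added example, not ComboFix code)."""
import re

# Constructed copy of the CFscript posted above, trimmed to one registry key
# of each kind (the original repeats the port deletion for three control sets).
SAMPLE_CFSCRIPT = r"""KillAll::
File::
c:\windows\DelMR.bat
c:\windows\system32\oqhre.dll
Registry::
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"6756:TCP"=-
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\rxfww]
Folder::
c:\documents and settings\Martin\.system32
NetSvc::
jzmwnkm
rxfww
Driver::
jzmwnkm
rxfww
Rootkit::
c:\windows\system32\oqhre.dll
"""

SECTION_RE = re.compile(r"^([A-Za-z]+)::$")
ABS_PATH_RE = re.compile(r"^[a-z]:\\", re.IGNORECASE)
PATH_SECTIONS = ("File", "Folder", "Rootkit")


def parse_cfscript(text):
    """Split a CFscript into {section: [lines]}; 'KillAll::' carries no lines."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if (m := SECTION_RE.match(line)):
            current = m.group(1)
            sections.setdefault(current, [])
            continue
        if current is None:
            raise ValueError(f"line before any section header: {line}")
        sections[current].append(line)
    return sections


def registry_actions(lines):
    """Interpret a Registry:: section with .reg conventions:
    [-Key] deletes the key, "name"=- deletes a value, "name"=data writes it."""
    actions, key = [], None
    for line in lines:
        if line.startswith("[-") and line.endswith("]"):
            actions.append(("delete_key", line[2:-1], None))
            key = None
        elif line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key is None:
            raise ValueError(f"value line without a key: {line}")
        elif line.endswith("=-"):
            actions.append(("delete_value", key, line[:-2].strip('"')))
        else:
            name, _, data = line.partition("=")
            actions.append(("set_value", key, (name.strip('"'), data)))
    return actions


def lint(sections):
    """Review warnings a helper wants before posting: relative paths (a typo
    would make the line target the wrong thing) and repeated entries."""
    warnings = []
    for sec in PATH_SECTIONS:
        for p in sections.get(sec, []):
            if not ABS_PATH_RE.match(p):
                warnings.append(f"{sec}: not an absolute path: {p}")
    for sec, entries in sections.items():
        seen = set()
        for e in entries:
            if e.lower() in seen:
                warnings.append(f"{sec}: duplicate entry: {e}")
            seen.add(e.lower())
    return warnings


def summarize(text):
    """One-glance summary of what the script asks ComboFix to do."""
    sections = parse_cfscript(text)
    acts = registry_actions(sections.get("Registry", []))
    return {
        "kill_all": "KillAll" in sections,
        "files": len(sections.get("File", [])) + len(sections.get("Rootkit", [])),
        "folders": len(sections.get("Folder", [])),
        "registry": [a[0] for a in acts],
        "services": sorted(set(sections.get("NetSvc", [])) | set(sections.get("Driver", []))),
        "warnings": lint(sections),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(summarize(SAMPLE_CFSCRIPT), indent=2))
```

Read together with the ComboFix log earlier in the thread, the summary shows the script undoing each finding in turn: the service key and its netsvcs/driver registrations, the DLL it loaded, the open firewall port and the dot-prefixed directory.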
Re: Restarting PC
cernohous13 wrote: Have the file c:\windows\Installer\{789289CA-F73A-4A16-A331-54D498CE069F}\Icon789289CA.exe
tested here: http://virusscan.jotti.org/cs
CFscript
Open Notepad and copy the entire green text from the "CFscript".
Save the file to the desktop as CFscript.txt and drag its icon onto the ComboFix icon - drop it there.
ComboFix will start - wait for the log and paste it here.
Code:
KillAll::
File::
c:\windows\DelMR.bat
c:\windows\system32\oqhre.dll
Registry::
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"6756:TCP"=-
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"6756:TCP"=-
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"6756:TCP"=-
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\rxfww]
Folder::
c:\documents and settings\Martin\.system32
NetSvc::
jzmwnkm
rxfww
Driver::
jzmwnkm
rxfww
Rootkit::
c:\windows\system32\oqhre.dll
Thanks, I'll do it. I'm curious: do I have something in that PC again?
Re: Restarting PC
cernohous13 wrote: yes, the junk keeps coming back and we can't find out why
test here http://virusscan.jotti.org/cs
This again won't display the page for me.
Re: Restarting PC
Here is the log.
ComboFix 11-05-24.06 - Martin 25.05.2011 16:27:15.9.1 - x86
Systém Microsoft Windows XP Professional 5.1.2600.3.1250.421.1033.18.1023.578 [GMT 2:00]
Running from: c:\documents and settings\Martin\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Martin\Desktop\CFscript.txt
.
FILE ::
"c:\windows\DelMR.bat"
"c:\windows\system32\oqhre.dll"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Martin\.system32
c:\documents and settings\Martin\.system32\data.ini
c:\windows\DelMR.bat
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_RXFWW
-------\Service_rxfww
.
.
((((((((((((((((((((((((( Files Created from 2011-04-25 to 2011-05-25 )))))))))))))))))))))))))))))))
.
.
2011-05-25 14:22 . 2011-05-25 14:22 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-05-23 12:50 . 2004-05-17 06:00 33280 ----a-r- c:\windows\system32\drivers\NVENETFD.sys
2011-05-23 12:50 . 2004-05-17 05:49 198656 ----a-r- c:\windows\system32\fdco1.dll
2011-05-23 12:50 . 2004-05-10 00:53 32256 ----a-r- c:\windows\system32\nvconrm.dll
2011-05-23 12:50 . 2004-05-10 00:52 172032 ----a-w- c:\windows\system32\nvunrm.exe
2011-05-23 12:50 . 2004-05-17 06:00 12928 ----a-r- c:\windows\system32\drivers\nvnetbus.sys
2011-05-23 12:50 . 2004-05-17 06:00 56960 ----a-r- c:\windows\system32\drivers\nvnrm.sys
2011-05-23 12:50 . 2004-05-17 06:00 191232 ----a-r- c:\windows\system32\drivers\nvsnpu.sys
2011-05-23 12:50 . 2004-05-17 05:48 8192 ----a-r- c:\windows\system32\bdco1.dll
2011-05-23 12:18 . 2011-05-23 12:18 -------- d-----w- c:\program files\AMD
2011-05-23 12:18 . 2005-03-09 12:53 36352 ----a-w- c:\windows\system32\drivers\AmdK8.sys
2011-05-23 12:08 . 2011-05-23 12:08 -------- d-----w- c:\windows\system32\wbem\Repository
2011-05-22 07:04 . 2011-05-23 12:08 -------- d-----w- C:\RECYCLER(2)
2011-05-18 09:05 . 2011-05-04 11:54 302080 ----a-w- C:\gmer.exe
2011-05-18 07:58 . 2011-05-18 07:58 -------- d-----w- C:\_OTM
2011-05-15 15:28 . 2011-05-15 15:28 -------- d-----w- c:\documents and settings\Martin\Application Data\IObit
2011-05-15 15:28 . 2011-05-15 15:28 -------- d-----w- c:\program files\IObit
2011-05-15 15:27 . 2011-05-15 15:27 -------- d-----w- c:\documents and settings\All Users\Uniblue
2011-05-15 15:26 . 2011-05-15 15:26 -------- d-----w- c:\documents and settings\All Users\Application Data\IObit
2011-05-14 06:49 . 2011-05-15 13:45 -------- d-----w- c:\documents and settings\All Users\Application Data\NVIDIA
2011-05-14 06:48 . 2011-04-08 05:14 944232 ----a-w- c:\windows\system32\nvdispco3220140.dll
2011-05-14 06:48 . 2011-04-08 05:14 855656 ----a-w- c:\windows\system32\nvgenco322060.dll
2011-05-12 12:40 . 2011-05-12 17:17 -------- d-----w- c:\documents and settings\Martin\Application Data\RIFT
2011-05-06 07:31 . 2008-04-14 03:41 33792 -c----w- c:\windows\system32\dllcache\custsat.dll
2011-05-06 07:30 . 2008-04-13 22:10 10240 ------w- c:\windows\system32\drivers\sffp_mmc.sys
2011-05-05 16:42 . 2011-05-05 16:42 -------- d-----w- C:\rsit
2011-05-05 16:42 . 2011-05-05 16:42 -------- d-----w- c:\program files\trend micro
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-04-26 16:49 . 2011-04-08 19:46 137464 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2011-04-26 16:49 . 2011-04-08 19:51 214520 ----a-w- c:\windows\system32\PnkBstrB.xtr
2011-04-26 16:49 . 2011-04-08 19:45 214520 ----a-w- c:\windows\system32\PnkBstrB.exe
2011-04-26 15:55 . 2011-04-08 19:45 75064 ----a-w- c:\windows\system32\PnkBstrA.exe
2011-04-21 18:59 . 2011-04-08 19:46 22328 ----a-w- c:\documents and settings\Martin\Application Data\PnkBstrK.sys
2011-04-18 12:42 . 2011-04-18 12:39 2829 ----a-w- c:\windows\War3Unin.pif
2011-04-18 12:42 . 2011-04-18 12:39 139264 ----a-w- c:\windows\War3Unin.exe
.
.
((((((((((((((((((((((((((((( SnapShot@2011-05-17_16.33.31 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-05-23 14:23 . 2011-05-23 14:23 5120 c:\windows\Installer\{789289CA-F73A-4A16-A331-54D498CE069F}\Icon789289CA.exe
- 2011-04-28 18:38 . 2011-04-28 18:38 5120 c:\windows\Installer\{789289CA-F73A-4A16-A331-54D498CE069F}\Icon789289CA.exe
+ 2011-05-25 14:22 . 2011-05-25 14:22 239776 c:\windows\system32\Macromed\Flash\FlashUtil10q_Plugin.exe
+ 2011-05-23 12:07 . 2011-05-15 11:46 164592 c:\windows\PCHealth\HelpCtr\Config\Cache\Professional_32_1051.dat
+ 2011-03-03 14:50 . 2011-05-23 12:08 1234520 c:\windows\system32\Restore\rstrlog.dat
+ 2010-11-15 17:39 . 2011-05-25 14:22 6271136 c:\windows\system32\Macromed\Flash\NPSWF32.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2011-01-07 13880424]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
c:\windows\system32\dumprep 0 -u [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-11-15 19:02 932288 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2011-01-30 15:45 35736 ----a-w- c:\programy\Reader 10.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 03:42 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
2010-04-01 09:16 357696 ----a-w- c:\programy\DAEMON Tools Lite\DTLite.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2011-01-07 17:56 13880424 ----a-w- c:\windows\system32\nvcpl.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2011-01-07 17:56 111208 ----a-w- c:\windows\system32\nvmctray.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2010-11-04 06:51 1753192 ----a-w- c:\program files\NVIDIA Corporation\nView\nwiz.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
2005-05-17 10:48 77824 ----a-r- c:\windows\SOUNDMAN.EXE
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Programy\\Skype\\Phone\\Skype.exe"=
.
S3 GGSAFERDriver;GGSAFER Driver;\??\c:\programy\Garena\safedrv.sys --> c:\programy\Garena\safedrv.sys [?]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [16.11.2010 16:55 691696]
.
.
------- Supplementary Scan -------
.
uSearchAssistant =
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Martin\Application Data\Mozilla\Firefox\Profiles\ghya889f.default\
FF - prefs.js: browser.search.selectedEngine - QIP Search
FF - prefs.js: browser.startup.homepage - hxxp://www.azet.sk/
FF - prefs.js: keyword.URL - hxxp://search.qip.ru/search?from=FF&query=
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-05-25 16:32
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\nvsvc32.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\PnkBstrB.exe
c:\windows\System32\wdfmgr.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2011-05-25 16:35:43 - machine was rebooted
ComboFix-quarantined-files.txt 2011-05-25 14:35
ComboFix2.txt 2011-05-22 07:00
ComboFix3.txt 2011-05-17 16:34
.
Pre-Run: 57 590 755 328 bytes free
Post-Run: 11 adresárov, 57 679 761 408 voľných bajtov
.
- - End Of File - - 7A7C5C6CB577AC938BE18C55233DE687

