Terribly cluttered computer

Posted: 29 May 2011 19:47
by pitrs
Hello,
I have a problem with my father's PC: it freezes and keeps reporting viruses and trojans. I'm out of ideas, so I'm attaching the LOG, and thanks in advance for any help.

info.txt logfile of random's system information tool 1.08 2011-05-29 20:42:36

======Uninstall list======

-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Flash Player 10 Plugin-->C:\WINDOWS\System32\Macromed\Flash\FlashUtil10q_Plugin.exe -maintain plugin
Adobe Reader X - Czech-->MsiExec.exe /I{AC76BA86-7AD7-1029-7B44-AA0000000001}
AMD Processor Driver-->C:\Program Files\InstallShield Installation Information\{C151CE54-E7EA-4804-854B-F515368B0798}\setup.exe -runfromtemp -l0x0005 -removeonly
ASUS Probe V2.17.07-->C:\WINDOWS\uninst.exe -f"C:\Program Files\ASUS\Probe\DeIsL1.isu"
ATI Catalyst Control Center-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{055EE59D-217B-43A7-ABFF-507B966405D8}\setup.exe" -l0x0
ATI Display Driver-->rundll32 C:\WINDOWS\System32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
BitComet 1.27-->C:\Program Files\BitComet\uninst.exe
Canon MP Navigator 3.0-->"C:\Program Files\Canon\MP Navigator 3.0\Maint.exe" /UninstallRemove C:\Program Files\Canon\MP Navigator 3.0\uninst.ini
Canon MP180-->"C:\WINDOWS\System32\CanonIJ Uninstaller Information\{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_MP180\DelDrv.exe" /U:{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_MP180 /L0x0005
Canon Utilities Easy-PhotoPrint-->C:\Program Files\Canon\Easy-PhotoPrint\uninst.exe uninst.ini
Faktury 3.6F -->C:\WINDOWS\iun6002.exe "C:\Program Files\mb\Faktury 3.6F\setup\irunin.ini"
Microsoft Office XP Professional s aplikací FrontPage-->MsiExec.exe /I{90280405-6000-11D3-8CFE-0050048383C9}
Microsoft Office XP Web Components-->MsiExec.exe /I{90260405-6000-11D3-8CFE-0050048383C9}
Mozilla Firefox 4.0.1 (x86 cs)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe
NVIDIA Drivers-->C:\WINDOWS\System32\nvuninst.exe UninstallGUI
Realtek AC'97 Audio-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FB08F381-6533-4108-B7DD-039E11FBC27E}\setup.exe" -l0x5 -removeonly
Softarová utilita ATI - Odinstalovat-->C:\Program Files\ATI Technologies\UninstallAll\AtiCimUn.exe
SUPERAntiSpyware-->"C:\Program Files\SUPERAntiSpyware\Uninstall.exe"
Windows Installer 3.1 (KB893803)-->"C:\WINDOWS\$MSI31Uninstall_KB893803v2$\spuninst\spuninst.exe"
WinRAR 4.01 beta 1 (32-bit)-->C:\Program Files\WinRAR\uninstall.exe

======System event log======

Computer Name: MACHINENAME
Event Code: 9
Message: Zařízení \Device\Ide\IdePort0 neodpovídá v periodě časového limitu.

Record Number: 5
Source Name: atapi
Time Written: 20110525152245.000000+120
Event Type: Chyba
User:

Computer Name: MACHINENAME
Event Code: 9
Message: Zařízení \Device\Ide\IdePort0 neodpovídá v periodě časového limitu.

Record Number: 4
Source Name: atapi
Time Written: 20110525152240.000000+120
Event Type: Chyba
User:

Computer Name: MACHINENAME
Event Code: 6005
Message: Služba Event Log byla spuštěna.

Record Number: 3
Source Name: EventLog
Time Written: 20110525151905.000000+120
Event Type: Informace
User:

Computer Name: MACHINENAME
Event Code: 6009
Message: Microsoft (R) Windows (R) 5.01. 2600 Service Pack 1 Uniprocessor Free.

Record Number: 2
Source Name: EventLog
Time Written: 20110525151905.000000+120
Event Type: Informace
User:

Computer Name: MACHINENAME
Event Code: 2
Message: Během prověřování, zda \Device\Serial0 je skutečně sériový port, byl zjištěn zásobník typu FIFO. Bude použit tento zásobník.

Record Number: 1
Source Name: Serial
Time Written: 20110525151928.000000+120
Event Type: Informace
User:

=====Application event log=====

Computer Name: PETR-PC
Event Code: 4097
Message: Chyba služby Stínová kopie svazků: Instanci katalogu Správce COM+ nelze vytvořit [0x80040154].

Record Number: 5
Source Name: VSS
Time Written: 20110525132740.000000+120
Event Type: Chyba
User:

Computer Name: PETR-PC
Event Code: 8193
Message: Chyba služby Stínová kopie svazků: Při volání rutiny CoCreateInstance došlo k neočekávané chybě. hr= 0x80040154.

Record Number: 4
Source Name: VSS
Time Written: 20110525132740.000000+120
Event Type: Chyba
User:

Computer Name: PETR-PC
Event Code: 1000
Message: Čítače výkonu pro službu RemoteAccess (Směrování a vzdálený přístup) byly úspěšně načteny.
Data záznamu obsahují nové indexové hodnoty přiřazené
této službě.

Record Number: 3
Source Name: LoadPerf
Time Written: 20110525132505.000000+120
Event Type: Informace
User:

Computer Name: PETR-PC
Event Code: 1000
Message: Čítače výkonu pro službu PSched (PSched) byly úspěšně načteny.
Data záznamu obsahují nové indexové hodnoty přiřazené
této službě.

Record Number: 2
Source Name: LoadPerf
Time Written: 20110525132449.000000+120
Event Type: Informace
User:

Computer Name: PETR-PC
Event Code: 1000
Message: Čítače výkonu pro službu RSVP (QoS RSVP) byly úspěšně načteny.
Data záznamu obsahují nové indexové hodnoty přiřazené
této službě.

Record Number: 1
Source Name: LoadPerf
Time Written: 20110525132448.000000+120
Event Type: Informace
User:

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\system32\WBEM
"windir"=%SystemRoot%
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=15
"PROCESSOR_IDENTIFIER"=x86 Family 15 Model 47 Stepping 2, AuthenticAMD
"PROCESSOR_REVISION"=2f02
"NUMBER_OF_PROCESSORS"=1
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP

-----------------EOF-----------------

Re: Terribly cluttered computer

Posted: 29 May 2011 19:49
by vyosek
Hello and good evening :)

This is info.txt, so please post log.txt as well; it is saved in c:\rsit

Re: Terribly cluttered computer

Posted: 29 May 2011 19:49
by Rudy
Post a log from ComboFix.
Download ComboFix and save it, preferably to the desktop: http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Then run the application under an account with administrator privileges.

Right after it starts, a screen with the licence terms appears; continue by clicking the Yes button.

Calmly go and make yourself a coffee (the whole run takes about 5-10 minutes, sometimes longer, depending on how fast the machine is and how many files the scanner has to wade through). During the scan, do not try to launch any other applications or do anything else.

Do not panic during the scan; your machine may be restarted (especially on the first run of the scanner).

Warning: if you use an antispyware product with a resident shield, switch its resident shield to Install Mode, or deactivate it completely for the duration of the scan, because the scan and the removal of any malware found cause undesirable collisions with the resident antispyware.

Re: Terribly cluttered computer

Posted: 29 May 2011 20:25
by pitrs
So:

ComboFix 11-05-28.01 - Petr Dušek . 05. 2011 21:17:47.2.1 - x86
Spuštěný z: c:\documents and settings\Petr Dušek\Plocha\ComboFix.exe
* Vytvořen nový Bod Obnovení
* Rezidentní štít AV je zapnutý
.
.
.
((((((((((((((((((((((((((((((((((((((( Ostatní výmazy )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Předchozí spuštění -------
.
c:\documents and settings\Petr Dušek\Data aplikací\als.exe
c:\documents and settings\Petr Dušek\Data aplikací\AudioSrv.exe
c:\documents and settings\Petr Dušek\Data aplikací\csrss.exe
c:\documents and settings\Petr Dušek\Data aplikací\jkqdh.exe
c:\documents and settings\Petr Dušek\Data aplikací\lsass.exe
c:\documents and settings\Petr Dušek\Data aplikací\PlugPlay.exe
c:\documents and settings\Petr Dušek\Data aplikací\qdql.exe
c:\documents and settings\Petr Dušek\Data aplikací\W32Time.exe
c:\documents and settings\Petr Dušek\Data aplikací\WLANSvc.exe
c:\windows\Debug\dcpromo.log
c:\windows\nigzss.txt
c:\windows\system32\.exe
c:\windows\system32\00.exe
c:\windows\system32\01.exe
c:\windows\system32\04.exe
c:\windows\system32\24.exe
c:\windows\system32\31.exe
c:\windows\system32\33.exe
c:\windows\system32\34.exe
c:\windows\system32\36.exe
c:\windows\system32\37.exe
c:\windows\system32\50.exe
c:\windows\system32\51.exe
c:\windows\system32\asr_qtkqtu.exe
c:\windows\system32\x.exe
.
-- Předchozí spuštění --
.
c:\windows\system32\qmgr.dll . . . je infikován!!
.
--------
.
c:\windows\system32\qmgr.dll . . . je infikován!!
.
.
((((((((((((((((((((((((((((((((((((((( Ovladače/Služby )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_WINSPOOLSVC
-------\Service_WinSpoolSvc
.
.
((((((((((((((((((((((((( Soubory vytvořené od 2011-04-28 do 2011-05-29 )))))))))))))))))))))))))))))))
.
.
2011-05-29 18:31 . 2011-05-29 18:42 -------- d-----w- C:\rsit
2011-05-29 18:15 . 2011-05-29 18:15 -------- d-----w- C:\Downloads
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-04-14 16:38 . 2011-05-25 12:09 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2002-09-20 13312]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Nabídka Start^Programy^Po spuštění^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Nabídka Start\Programy\Po spuštění\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-11-15 19:02 932288 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-11-15 19:02 35736 ----a-w- c:\program files\Adobe\Reader 10.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\egui]
2010-08-12 12:16 2215064 ----a-w- c:\program files\ESET\ESET NOD32 Antivirus\egui.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2002-08-20 13:08 1511453 ------w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QIP Internet Guardian]
2010-06-09 16:35 187904 ----a-w- c:\documents and settings\Petr Dušek\Data aplikací\QipGuard\QipGuard.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
2007-04-16 13:28 577536 ----a-w- c:\windows\soundman.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2011-04-20 15:57 2423752 ----a-w- c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [29. 7. 2010 13:31 115008]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [3. 8. 2010 13:28 95896]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [17. 2. 2010 20:25 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [10. 5. 2010 20:41 67656]
R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [12. 8. 2010 14:16 810144]
S2 Netmanm;Network Connections to Monitor;"c:\windows\system32\crssc.exe" --> c:\windows\system32\crssc.exe [?]
S2 ylvmcwy;fhumogsaj;c:\windows\system32\svchost.exe -k netsvcs [25. 10. 2001 16:00 12800]
S3 SetupNTGLM7X;SetupNTGLM7X;\??\d:\ntglm7x.sys --> d:\NTGLM7X.sys [?]
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
ylvmcwy
.
.
------- Doplňkový sken -------
.
uDefault_Search_URL = hxxp://search.qip.ru
uSearchAssistant = hxxp://search.qip.ru/ie
IE: E&xportovat do aplikace Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
TCP: DhcpNameServer = 213.46.172.36 213.46.172.37
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Petr Dušek\Data aplikací\Mozilla\Firefox\Profiles\kd80g24z.default\
FF - prefs.js: browser.search.selectedEngine - QIP Search
FF - prefs.js: browser.startup.homepage - hxxp://qip.ru
FF - prefs.js: keyword.URL - hxxp://search.qip.ru/search?from=FF&query=
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
- - - - NEPLATNÉ POLOŽKY ODSTRANĚNÉ Z REGISTRU - - - -
.
HKU-Default-Run-Windows LoL Layer - uveitij.exe
MSConfigStartUp-Windows Time - c:\documents and settings\Petr Dušek\Data aplikací\W32Time.exe
MSConfigStartUp-{71F9BBEB-62AC-D1C4-40B6-54B97507D870} - c:\documents and settings\Petr Dušek\Data aplikací\Suwie\ebsao.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-05-29 21:22
Windows 5.1.2600 Service Pack 1 NTFS
.
skenování skrytých procesů ...
.
skenování skrytých položek 'Po spuštění' ...
.
skenování skrytých souborů ...
.
sken byl úspešně dokončen
skryté soubory: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ylvmcwy]
"ServiceDll"="c:\windows\System32\lhudgqbq.dll"
.
--------------------- Knihovny navázané na běžící procesy ---------------------
.
- - - - - - - > 'winlogon.exe'(688)
c:\windows\System32\ODBC32.dll
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\Ati2evxx.dll
.
- - - - - - - > 'lsass.exe'(752)
c:\windows\System32\dssenh.dll
.
- - - - - - - > 'explorer.exe'(1800)
c:\windows\System32\msi.dll
.
------------------------ Jiné spuštené procesy ------------------------
.
c:\windows\System32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
.
**************************************************************************
.
Celkový čas: 2011-05-29 21:23:55 - počítač byl restartován
ComboFix-quarantined-files.txt 2011-05-29 19:23
.
Před spuštěním: Volných bajtů: 66 321 219 584
Po spuštění: Volných bajtů: 66 298 429 440
.
- - End Of File - - 5C70410E48B8133A4D305ADC14BF6DE8

and also:

Logfile of random's system information tool 1.08 (written by random/random)
Run by Petr Dušek at 2011-05-29 21:25:26
Systém Microsoft Windows XP Professional Service Pack 1
System drive C: has 63 GB (83%) free of 76 GB
Total RAM: 1023 MB (60% free)

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 21:25:29, on 29. 5. 2011
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Documents and Settings\Petr Dušek\Plocha\RSIT.exe
C:\Program Files\trend micro\Petr Dušek.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://search.qip.ru
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.qip.ru/ie
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
R3 - URLSearchHook: (no name) - - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: QIPBHO - {95289393-33EA-4F8D-B952-483415B9C955} - C:\Documents and Settings\Petr Dušek\Data aplikací\Microsoft\Internet Explorer\qipsearchbar.dll
O3 - Toolbar: &Rádio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xportovat do aplikace Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: QIP 2005 - {1EF681F7-A04B-4D6D-9012-A307CCA55610} - C:\Program Files\QIP\qip.exe (HKCU)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 6325136718
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Proces mezipaměti kategorií součástí - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: Network Connections to Monitor (Netmanm) - Unknown owner - C:\WINDOWS\system32\crssc.exe (file missing)

--
End of file - 3639 bytes

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
Adobe PDF Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2010-11-15 62376]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{95289393-33EA-4F8D-B952-483415B9C955}]
QIPBHO Class - C:\Documents and Settings\Petr Dušek\Data aplikací\Microsoft\Internet Explorer\qipsearchbar.dll [2010-06-09 138240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{8E718888-423F-11D2-876E-00A0C9082467} - &Rádio - C:\WINDOWS\System32\msdxm.ocx [2002-09-20 844828]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2010-11-15 932288]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
C:\Program Files\Adobe\Reader 10.0\Reader\Reader_sl.exe [2010-11-15 35736]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\egui]
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe [2010-08-12 2215064]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\msmsgs.exe [2002-08-20 1511453]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QIP Internet Guardian]
C:\Documents and Settings\Petr Dušek\Data aplikací\QipGuard\QipGuard.exe [2010-06-09 187904]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
C:\WINDOWS\SOUNDMAN.EXE [2007-04-16 577536]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [2011-04-20 2423752]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Nabídka Start^Programy^Po spuštění^Microsoft Office.lnk]
C:\PROGRA~1\MICROS~2\Office10\OSA.EXE [2001-02-13 83360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL [2009-09-04 548352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
C:\WINDOWS\system32\Ati2evxx.dll [2010-02-11 155648]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\{1a3e09be-1e45-494b-9174-d7385b45bbf5}]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=323
"NoDriveAutoRun"=67108863
"NoDrives"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveAutoRun"=67108863
"NoDriveTypeAutoRun"=323
"NoDrives"=0

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

======List of files/folders created in the last 1 months======

2011-05-29 21:23:57 ----D---- C:\WINDOWS\temp
2011-05-29 21:23:56 ----A---- C:\ComboFix.txt
2011-05-29 20:52:28 ----A---- C:\Boot.bak
2011-05-29 20:52:23 ----RASHD---- C:\cmdcons
2011-05-29 20:51:31 ----A---- C:\WINDOWS\zip.exe
2011-05-29 20:51:31 ----A---- C:\WINDOWS\SWXCACLS.exe
2011-05-29 20:51:31 ----A---- C:\WINDOWS\SWSC.exe
2011-05-29 20:51:31 ----A---- C:\WINDOWS\SWREG.exe
2011-05-29 20:51:31 ----A---- C:\WINDOWS\sed.exe
2011-05-29 20:51:31 ----A---- C:\WINDOWS\PEV.exe
2011-05-29 20:51:31 ----A---- C:\WINDOWS\NIRCMD.exe
2011-05-29 20:51:31 ----A---- C:\WINDOWS\MBR.exe
2011-05-29 20:51:31 ----A---- C:\WINDOWS\grep.exe
2011-05-29 20:51:26 ----D---- C:\WINDOWS\ERDNT
2011-05-29 20:51:22 ----D---- C:\Qoobox
2011-05-29 20:42:23 ----D---- C:\Program Files\trend micro
2011-05-29 20:31:14 ----D---- C:\rsit
2011-05-29 20:15:57 ----D---- C:\Downloads
2011-05-29 20:15:14 ----D---- C:\Program Files\BitComet
2011-05-29 20:15:14 ----D---- C:\Documents and Settings\Petr Dušek\Data aplikací\BitComet
2011-05-29 20:09:44 ----D---- C:\Documents and Settings\Petr Dušek\Data aplikací\QipGuard
2011-05-29 20:09:29 ----D---- C:\Program Files\QIP
2011-05-26 14:48:39 ----D---- C:\Program Files\Common Files\Adobe
2011-05-26 14:48:39 ----D---- C:\Program Files\Adobe
2011-05-26 14:48:00 ----N---- C:\WINDOWS\System32\spmsg.dll
2011-05-26 14:47:58 ----HDC---- C:\WINDOWS\$MSI31Uninstall_KB893803v2$
2011-05-26 14:47:35 ----D---- C:\Documents and Settings\All Users\Data aplikací\Adobe
2011-05-26 14:46:16 ----D---- C:\Documents and Settings\Petr Dušek\Data aplikací\Canon
2011-05-26 14:44:33 ----D---- C:\Program Files\Canon
2011-05-26 14:42:35 ----A---- C:\WINDOWS\System32\drivers\usbprint.sys
2011-05-26 14:42:24 ----A---- C:\WINDOWS\System32\drivers\usbscan.sys
2011-05-26 14:42:20 ----A---- C:\WINDOWS\System32\drivers\usbccgp.sys
2011-05-26 14:42:09 ----HD---- C:\Documents and Settings\All Users\Data aplikací\CanonBJ
2011-05-26 14:42:06 ----A---- C:\WINDOWS\System32\CNMLM82.DLL
2011-05-26 14:42:05 ----HD---- C:\WINDOWS\System32\CanonIJ Uninstaller Information
2011-05-26 14:42:00 ----A---- C:\WINDOWS\System32\cnco180.dll
2011-05-26 14:42:00 ----A---- C:\WINDOWS\System32\CNCL180.DLL
2011-05-26 14:42:00 ----A---- C:\WINDOWS\System32\CNCI180.DLL
2011-05-26 14:42:00 ----A---- C:\WINDOWS\System32\CNCC180.DLL
2011-05-26 14:41:55 ----HD---- C:\Program Files\CanonBJ
2011-05-25 20:33:07 ----A---- C:\WINDOWS\ntbtlog.txt
2011-05-25 20:31:15 ----D---- C:\Documents and Settings\Petr Dušek\Data aplikací\SUPERAntiSpyware.com
2011-05-25 20:31:15 ----D---- C:\Documents and Settings\All Users\Data aplikací\SUPERAntiSpyware.com
2011-05-25 20:31:09 ----D---- C:\Program Files\SUPERAntiSpyware
2011-05-25 17:00:29 ----D---- C:\Documents and Settings\Petr Dušek\Data aplikací\Macromedia
2011-05-25 17:00:29 ----D---- C:\Documents and Settings\Petr Dušek\Data aplikací\Adobe
2011-05-25 15:59:50 ----A---- C:\WINDOWS\iun6002.exe
2011-05-25 15:59:23 ----D---- C:\Program Files\mb
2011-05-25 15:57:57 ----A---- C:\WINDOWS\ODBC.INI
2011-05-25 15:57:44 ----D---- C:\Program Files\Common Files\Designer
2011-05-25 15:57:33 ----D---- C:\WINDOWS\ShellNew
2011-05-25 15:57:27 ----D---- C:\Program Files\Microsoft Office
2011-05-25 15:56:14 ----D---- C:\Documents and Settings\Petr Dušek\Data aplikací\Help
2011-05-25 15:24:38 ----A---- C:\WINDOWS\System32\h323log.txt
2011-05-25 15:23:05 ----A---- C:\WINDOWS\System32\drivers\audstub.sys
2011-05-25 15:21:50 ----A---- C:\WINDOWS\System32\drivers\redbook.sys
2011-05-25 15:20:30 ----A---- C:\WINDOWS\imsins.BAK
2011-05-25 15:20:26 ----D---- C:\Program Files\Common Files\ODBC
2011-05-25 15:20:26 ----A---- C:\WINDOWS\System32\PerfStringBackup.INI
2011-05-25 15:20:26 ----A---- C:\WINDOWS\ODBCINST.INI
2011-05-25 15:20:23 ----RD---- C:\Program Files
2011-05-25 15:20:23 ----D---- C:\Program Files\Common Files\SpeechEngines
2011-05-25 15:20:23 ----D---- C:\Program Files\Common Files\Microsoft Shared
2011-05-25 15:20:23 ----D---- C:\Program Files\Common Files
2011-05-25 15:20:11 ----A---- C:\WINDOWS\System32\EqnClass.Dll
2011-05-25 15:20:11 ----A---- C:\WINDOWS\System32\drivers\irenum.sys
2011-05-25 15:20:11 ----A---- C:\WINDOWS\System32\dgrpsetu.dll
2011-05-25 15:20:08 ----A---- C:\WINDOWS\System32\CONFIG.TMP
2011-05-25 15:20:06 ----A---- C:\WINDOWS\System32\storprop.dll
2011-05-25 15:20:00 ----ASH---- C:\Documents and Settings\All Users\Data aplikací\desktop.ini
2011-05-25 15:19:28 ----RA---- C:\WINDOWS\SETA.tmp
2011-05-25 15:19:26 ----RA---- C:\WINDOWS\SET3.tmp
2011-05-25 15:19:21 ----D---- C:\WINDOWS\System32\CatRoot2
2011-05-25 15:19:21 ----D---- C:\WINDOWS\System32\CatRoot
2011-05-25 15:19:15 ----SD---- C:\Documents and Settings\All Users\Data aplikací\Microsoft
2011-05-25 15:19:06 ----A---- C:\WINDOWS\setuplog.txt
2011-05-25 15:19:02 ----D---- C:\Documents and Settings
2011-05-25 15:17:34 ----RASH---- C:\boot.ini
2011-05-25 15:14:44 ----RSHDC---- C:\WINDOWS\System32\dllcache
2011-05-25 15:14:44 ----RSD---- C:\WINDOWS\Fonts
2011-05-25 15:14:44 ----RD---- C:\WINDOWS\Web
2011-05-25 15:14:44 ----HD---- C:\WINDOWS\inf
2011-05-25 15:14:44 ----D---- C:\WINDOWS\WinSxS
2011-05-25 15:14:44 ----D---- C:\WINDOWS\twain_32
2011-05-25 15:14:44 ----D---- C:\WINDOWS\System32\wins
2011-05-25 15:14:44 ----D---- C:\WINDOWS\System32\wbem
2011-05-25 15:14:44 ----D---- C:\WINDOWS\System32\usmt
2011-05-25 15:14:44 ----D---- C:\WINDOWS\System32\spool
2011-05-25 15:14:44 ----D---- C:\WINDOWS\System32\ShellExt
2011-05-25 15:14:44 ----D---- C:\WINDOWS\System32\Setup
2011-05-25 15:14:44 ----D---- C:\WINDOWS\System32\ras
2011-05-25 15:14:44 ----D---- C:\WINDOWS\System32\oobe
2011-05-25 15:14:44 ----D---- C:\WINDOWS\System32\npp
2011-05-25 15:14:44 ----D---- C:\WINDOWS\System32\mui
2011-05-25 15:14:44 ----D---- C:\WINDOWS\System32\inetsrv
2011-05-25 15:14:44 ----D---- C:\WINDOWS\System32\IME
2011-05-25 15:14:44 ----D---- C:\WINDOWS\System32\icsxml
2011-05-25 15:14:44 ----D---- C:\WINDOWS\System32\ias
2011-05-25 15:14:44 ----D---- C:\WINDOWS\System32\export
2011-05-25 15:14:44 ----D---- C:\WINDOWS\System32\drivers\etc
2011-05-25 15:14:44 ----D---- C:\WINDOWS\System32\drivers\disdn
2011-05-25 15:14:44 ----D---- C:\WINDOWS\System32\drivers
2011-05-25 15:14:44 ----D---- C:\WINDOWS\System32\dhcp
2011-05-25 15:14:44 ----D---- C:\WINDOWS\System32\config
2011-05-25 15:14:44 ----D---- C:\WINDOWS\System32\3com_dmi
2011-05-25 15:14:44 ----D---- C:\WINDOWS\System32\3076
2011-05-25 15:14:44 ----D---- C:\WINDOWS\System32\2052
2011-05-25 15:14:44 ----D---- C:\WINDOWS\System32\1054
2011-05-25 15:14:44 ----D---- C:\WINDOWS\System32\1042
2011-05-25 15:14:44 ----D---- C:\WINDOWS\System32\1041
2011-05-25 15:14:44 ----D---- C:\WINDOWS\System32\1037
2011-05-25 15:14:44 ----D---- C:\WINDOWS\System32\1033
2011-05-25 15:14:44 ----D---- C:\WINDOWS\System32\1031
2011-05-25 15:14:44 ----D---- C:\WINDOWS\System32\1029
2011-05-25 15:14:44 ----D---- C:\WINDOWS\System32\1028
2011-05-25 15:14:44 ----D---- C:\WINDOWS\System32\1025
2011-05-25 15:14:44 ----D---- C:\WINDOWS\system32
2011-05-25 15:14:44 ----D---- C:\WINDOWS\system
2011-05-25 15:14:44 ----D---- C:\WINDOWS\security
2011-05-25 15:14:44 ----D---- C:\WINDOWS\Resources
2011-05-25 15:14:44 ----D---- C:\WINDOWS\repair
2011-05-25 15:14:44 ----D---- C:\WINDOWS\mui
2011-05-25 15:14:44 ----D---- C:\WINDOWS\msapps
2011-05-25 15:14:44 ----D---- C:\WINDOWS\msagent
2011-05-25 15:14:44 ----D---- C:\WINDOWS\Media
2011-05-25 15:14:44 ----D---- C:\WINDOWS\java
2011-05-25 15:14:44 ----D---- C:\WINDOWS\ime
2011-05-25 15:14:44 ----D---- C:\WINDOWS\Help
2011-05-25 15:14:44 ----D---- C:\WINDOWS\Driver Cache
2011-05-25 15:14:44 ----D---- C:\WINDOWS\Debug
2011-05-25 15:14:44 ----D---- C:\WINDOWS\Cursors
2011-05-25 15:14:44 ----D---- C:\WINDOWS\Connection Wizard
2011-05-25 15:14:44 ----D---- C:\WINDOWS\Config
2011-05-25 15:14:44 ----D---- C:\WINDOWS\AppPatch
2011-05-25 15:14:44 ----D---- C:\WINDOWS\addins
2011-05-25 15:14:44 ----D---- C:\WINDOWS
2011-05-25 15:14:44 ----ASH---- C:\pagefile.sys
2011-05-25 15:01:01 ----D---- C:\WINDOWS\pss
2011-05-25 14:50:53 ----D---- C:\Program Files\ESET
2011-05-25 14:50:53 ----D---- C:\Documents and Settings\All Users\Data aplikací\ESET
2011-05-25 14:48:30 ----D---- C:\Documents and Settings\Petr Dušek\Data aplikací\WinRAR
2011-05-25 14:48:28 ----D---- C:\Program Files\WinRAR
2011-05-25 14:47:06 ----A---- C:\WINDOWS\System32\drivers\USBSTOR.SYS
2011-05-25 14:43:28 ----A---- C:\WINDOWS\System32\nvunrm.exe
2011-05-25 14:40:16 ----A---- C:\WINDOWS\System32\ChCfg.exe
2011-05-25 14:40:10 ----RA---- C:\WINDOWS\System32\drivers\alcxwdm.sys
2011-05-25 14:40:10 ----A---- C:\WINDOWS\System32\drivers\portcls.sys
2011-05-25 14:40:10 ----A---- C:\WINDOWS\System32\drivers\ks.sys
2011-05-25 14:40:10 ----A---- C:\WINDOWS\System32\drivers\drmk.sys
2011-05-25 14:40:09 ----A---- C:\WINDOWS\System32\ksuser.dll
2011-05-25 14:40:09 ----A---- C:\WINDOWS\System32\drivers\stream.sys
2011-05-25 14:40:06 ----D---- C:\Program Files\Realtek AC97
2011-05-25 14:40:06 ----A---- C:\WINDOWS\System32\RTLCPL.exe
2011-05-25 14:40:05 ----A---- C:\WINDOWS\System32\RtlCPAPI.dll
2011-05-25 14:40:05 ----A---- C:\WINDOWS\soundman.exe
2011-05-25 14:40:04 ----A---- C:\WINDOWS\alcupd.exe
2011-05-25 14:40:04 ----A---- C:\WINDOWS\Alcrmv.exe
2011-05-25 14:38:10 ----A---- C:\WINDOWS\System32\drivers\splitter.sys
2011-05-25 14:38:10 ----A---- C:\WINDOWS\System32\drivers\DMusic.sys
2011-05-25 14:38:08 ----A---- C:\WINDOWS\System32\drivers\MSPQM.sys
2011-05-25 14:38:08 ----A---- C:\WINDOWS\System32\drivers\MSKSSRV.sys
2011-05-25 14:38:07 ----A---- C:\WINDOWS\System32\drivers\MSPCLOCK.sys
2011-05-25 14:37:50 ----A---- C:\WINDOWS\System32\nvuaudio.exe
2011-05-25 14:37:37 ----A---- C:\WINDOWS\System32\nvtcp.sys
2011-05-25 14:36:20 ----D---- C:\NVIDIA
2011-05-25 14:36:01 ----DC---- C:\WINDOWS\System32\DRVSTORE
2011-05-25 14:36:01 ----A---- C:\WINDOWS\System32\drivers\AmdK8.sys
2011-05-25 14:36:00 ----D---- C:\Program Files\AMD
2011-05-25 14:35:47 ----D---- C:\Documents and Settings\Petr Dušek\Data aplikací\InstallShield
2011-05-25 14:35:06 ----N---- C:\WINDOWS\System32\ati2sgag.exe
2011-05-25 14:34:42 ----HD---- C:\Program Files\InstallShield Installation Information
2011-05-25 14:34:42 ----D---- C:\Program Files\ATI Technologies
2011-05-25 14:34:15 ----D---- C:\ATI
2011-05-25 14:27:38 ----D---- C:\Documents and Settings\Petr Dušek\Data aplikací\Uxqy
2011-05-25 14:27:38 ----D---- C:\Documents and Settings\Petr Dušek\Data aplikací\Suwie
2011-05-25 14:11:23 ----D---- C:\Documents and Settings\Petr Dušek\Data aplikací\Mozilla
2011-05-25 14:09:01 ----D---- C:\Program Files\Mozilla Firefox
2011-05-25 14:06:33 ----A---- C:\WINDOWS\System32\wups2.dll
2011-05-25 14:06:33 ----A---- C:\WINDOWS\System32\wups.dll
2011-05-25 14:06:33 ----A---- C:\WINDOWS\System32\wucltui.dll.mui
2011-05-25 14:06:33 ----A---- C:\WINDOWS\System32\wucltui.dll
2011-05-25 14:06:33 ----A---- C:\WINDOWS\System32\wuaueng.dll.mui
2011-05-25 14:06:32 ----A---- C:\WINDOWS\System32\wuapi.dll.mui
2011-05-25 14:06:32 ----A---- C:\WINDOWS\System32\wuapi.dll
2011-05-25 14:06:30 ----D---- C:\WINDOWS\LastGood
2011-05-25 14:05:51 ----D---- C:\WINDOWS\SoftwareDistribution
2011-05-25 14:04:29 ----SD---- C:\WINDOWS\System32\Microsoft
2011-05-25 14:04:18 ----A---- C:\WINDOWS\System32\NVCOI.DLL
2011-05-25 14:04:18 ----A---- C:\WINDOWS\System32\idecoi.dll
2011-05-25 14:04:16 ----N---- C:\WINDOWS\System32\nvuide.exe
2011-05-25 14:04:04 ----A---- C:\WINDOWS\System32\NVUNINST.EXE
2011-05-25 14:04:01 ----A---- C:\WINDOWS\System32\drivers\pci.sys
2011-05-25 14:03:43 ----D---- C:\Program Files\Common Files\InstallShield
2011-05-25 14:03:31 ----D---- C:\WINDOWS\System32\ReinstallBackups
2011-05-25 14:03:27 ----D---- C:\WINDOWS\LastGood.Tmp
2011-05-25 14:03:27 ----A---- C:\WINDOWS\System32\xpsp1hfm.exe
2011-05-25 14:03:24 ----A---- C:\WINDOWS\System32\raidmgmt.ini
2011-05-25 14:01:35 ----D---- C:\Program Files\ASUS
2011-05-25 14:01:35 ----A---- C:\WINDOWS\System32\drivers\ASLM75.SYS
2011-05-25 14:01:32 ----A---- C:\WINDOWS\uninst.exe
2011-05-25 14:01:13 ----A---- C:\WINDOWS\Ascd_tmp.ini
2011-05-25 14:01:12 ----A---- C:\WINDOWS\System32\drivers\ASUSHWIO.SYS
2011-05-25 13:58:03 ----D---- C:\Documents and Settings\Petr Dušek\Data aplikací\MSN6
2011-05-25 13:58:03 ----D---- C:\Documents and Settings\All Users\Data aplikací\MSN6
2011-05-25 13:57:39 ----SHD---- C:\WINDOWS\Installer
2011-05-25 13:57:37 ----D---- C:\Documents and Settings\Petr Dušek\Data aplikací\Identities
2011-05-25 13:57:33 ----HD---- C:\Program Files\Uninstall Information
2011-05-25 13:57:20 ----ASH---- C:\Documents and Settings\Petr Dušek\Data aplikací\desktop.ini
2011-05-25 13:57:19 ----SD---- C:\Documents and Settings\Petr Dušek\Data aplikací\Microsoft
2011-05-25 13:56:45 ----SHD---- C:\System Volume Information
2011-05-25 13:56:45 ----D---- C:\WINDOWS\Prefetch
2011-05-25 13:56:44 ----A---- C:\WINDOWS\SchedLgU.Txt
2011-05-25 13:52:06 ----A---- C:\WINDOWS\OEWABLog.txt
2011-05-25 13:52:02 ----A---- C:\WINDOWS\System32\mapi32.dll
2011-05-25 13:51:28 ----RAH---- C:\WINDOWS\System32\logonui.exe.manifest
2011-05-25 13:51:06 ----D---- C:\WINDOWS\System32\DirectX
2011-05-25 13:50:43 ----A---- C:\WINDOWS\System32\safrslv.dll
2011-05-25 13:50:43 ----A---- C:\WINDOWS\System32\safrdm.dll
2011-05-25 13:50:43 ----A---- C:\WINDOWS\System32\safrcdlg.dll
2011-05-25 13:50:43 ----A---- C:\WINDOWS\System32\racpldlg.dll
2011-05-25 13:50:43 ----A---- C:\WINDOWS\System32\atrace.dll
2011-05-25 13:50:40 ----A---- C:\WINDOWS\System32\desktop.ini
2011-05-25 13:50:40 ----A---- C:\WINDOWS\desktop.ini
2011-05-25 13:50:34 ----A---- C:\WINDOWS\System32\nmevtmsg.dll
2011-05-25 13:50:34 ----A---- C:\WINDOWS\System32\mnmsrvc.exe
2011-05-25 13:50:34 ----A---- C:\WINDOWS\System32\isrdbg32.dll
2011-05-25 13:50:32 ----D---- C:\Program Files\Common Files\Services
2011-05-25 13:50:32 ----A---- C:\WINDOWS\System32\acctres.dll
2011-05-25 13:50:31 ----A---- C:\WINDOWS\System32\inetres.dll
2011-05-25 13:50:28 ----SD---- C:\WINDOWS\Tasks
2011-05-25 13:50:28 ----A---- C:\WINDOWS\System32\isign32.dll
2011-05-25 13:50:28 ----A---- C:\WINDOWS\System32\inetcfg.dll
2011-05-25 13:50:28 ----A---- C:\WINDOWS\System32\icwphbk.dll
2011-05-25 13:50:28 ----A---- C:\WINDOWS\System32\icwdial.dll
2011-05-25 13:50:27 ----A---- C:\WINDOWS\System32\icfgnt5.dll
2011-05-25 13:50:21 ----D---- C:\WINDOWS\System32\Macromed
2011-05-25 13:50:21 ----A---- C:\WINDOWS\System32\qmgrprxy.dll
2011-05-25 13:50:21 ----A---- C:\WINDOWS\System32\qmgr.dll
2011-05-25 13:50:17 ----A---- C:\WINDOWS\System32\srsvc.dll
2011-05-25 13:50:17 ----A---- C:\WINDOWS\System32\srrstr.dll
2011-05-25 13:50:17 ----A---- C:\WINDOWS\System32\srclient.dll
2011-05-25 13:50:17 ----A---- C:\WINDOWS\System32\drivers\sr.sys
2011-05-25 13:50:16 ----A---- C:\WINDOWS\System32\nmmkcert.dll
2011-05-25 13:50:16 ----A---- C:\WINDOWS\System32\msconf.dll
2011-05-25 13:50:16 ----A---- C:\WINDOWS\System32\mnmdd.dll
2011-05-25 13:50:16 ----A---- C:\WINDOWS\System32\ils.dll
2011-05-25 13:50:14 ----A---- C:\WINDOWS\System32\msoert2.dll
2011-05-25 13:50:14 ----A---- C:\WINDOWS\System32\msoeacct.dll
2011-05-25 13:50:13 ----A---- C:\WINDOWS\System32\schedsvc.dll
2011-05-25 13:50:13 ----A---- C:\WINDOWS\System32\inetcomm.dll
2011-05-25 13:50:12 ----A---- C:\WINDOWS\System32\mstinit.exe
2011-05-25 13:50:12 ----A---- C:\WINDOWS\System32\mstask.dll
2011-05-25 13:49:37 ----D---- C:\Program Files\ComPlus Applications
2011-05-25 13:49:35 ----A---- C:\WINDOWS\vbaddin.ini
2011-05-25 13:49:35 ----A---- C:\WINDOWS\vb.ini
2011-05-25 13:49:31 ----D---- C:\WINDOWS\Registration
2011-05-25 13:49:26 ----HD---- C:\Program Files\WindowsUpdate
2011-05-25 13:49:26 ----D---- C:\Program Files\Online Services
2011-05-25 13:49:21 ----D---- C:\Program Files\Messenger
2011-05-25 13:49:17 ----A---- C:\WINDOWS\System32\write.exe
2011-05-25 13:49:09 ----A---- C:\WINDOWS\System32\accwiz.exe
2011-05-25 13:49:08 ----A---- C:\WINDOWS\System32\sndvol32.exe
2011-05-25 13:49:08 ----A---- C:\WINDOWS\System32\sndrec32.exe
2011-05-25 13:49:08 ----A---- C:\WINDOWS\System32\hypertrm.dll
2011-05-25 13:49:08 ----A---- C:\WINDOWS\System32\hticons.dll
2011-05-25 13:49:08 ----A---- C:\WINDOWS\System32\avwav.dll
2011-05-25 13:49:08 ----A---- C:\WINDOWS\System32\avtapi.dll
2011-05-25 13:49:08 ----A---- C:\WINDOWS\System32\avmeter.dll
2011-05-25 13:49:07 ----A---- C:\WINDOWS\System32\winchat.exe
2011-05-25 13:49:02 ----A---- C:\WINDOWS\System32\getuname.dll
2011-05-25 13:49:01 ----A---- C:\WINDOWS\System32\winmine.exe
2011-05-25 13:49:01 ----A---- C:\WINDOWS\System32\sol.exe
2011-05-25 13:49:01 ----A---- C:\WINDOWS\System32\mshearts.exe
2011-05-25 13:49:01 ----A---- C:\WINDOWS\System32\charmap.exe
2011-05-25 13:49:01 ----A---- C:\WINDOWS\System32\calc.exe
2011-05-25 13:49:00 ----A---- C:\WINDOWS\System32\usrlogon.cmd
2011-05-25 13:49:00 ----A---- C:\WINDOWS\System32\tsshutdn.exe
2011-05-25 13:49:00 ----A---- C:\WINDOWS\System32\tslabels.ini
2011-05-25 13:49:00 ----A---- C:\WINDOWS\System32\tskill.exe
2011-05-25 13:49:00 ----A---- C:\WINDOWS\System32\tsdiscon.exe
2011-05-25 13:49:00 ----A---- C:\WINDOWS\System32\reset.exe
2011-05-25 13:49:00 ----A---- C:\WINDOWS\System32\rdshost.exe
2011-05-25 13:49:00 ----A---- C:\WINDOWS\System32\freecell.exe
2011-05-25 13:49:00 ----A---- C:\WINDOWS\System32\drivers\tdtcp.sys
2011-05-25 13:49:00 ----A---- C:\WINDOWS\System32\drivers\tdpipe.sys
2011-05-25 13:48:59 ----A---- C:\WINDOWS\System32\tscon.exe
2011-05-25 13:48:59 ----A---- C:\WINDOWS\System32\shadow.exe
2011-05-25 13:48:59 ----A---- C:\WINDOWS\System32\rwinsta.exe
2011-05-25 13:48:59 ----A---- C:\WINDOWS\System32\regini.exe
2011-05-25 13:48:59 ----A---- C:\WINDOWS\System32\rdpcfgex.dll
2011-05-25 13:48:59 ----A---- C:\WINDOWS\System32\qwinsta.exe
2011-05-25 13:48:59 ----A---- C:\WINDOWS\System32\qprocess.exe
2011-05-25 13:48:59 ----A---- C:\WINDOWS\System32\qappsrv.exe
2011-05-25 13:48:59 ----A---- C:\WINDOWS\System32\mtxoci.dll
2011-05-25 13:48:59 ----A---- C:\WINDOWS\System32\msg.exe
2011-05-25 13:48:59 ----A---- C:\WINDOWS\System32\msdtcuiu.dll
2011-05-25 13:48:59 ----A---- C:\WINDOWS\System32\logoff.exe
2011-05-25 13:48:59 ----A---- C:\WINDOWS\System32\cdmodem.dll
2011-05-25 13:48:58 ----A---- C:\WINDOWS\System32\xolehlp.dll
2011-05-25 13:48:58 ----A---- C:\WINDOWS\System32\msdtctm.dll
2011-05-25 13:48:58 ----A---- C:\WINDOWS\System32\msdtcprf.ini
2011-05-25 13:48:58 ----A---- C:\WINDOWS\System32\msdtclog.dll
2011-05-25 13:48:58 ----A---- C:\WINDOWS\System32\msdtc.exe
2011-05-25 13:48:57 ----A---- C:\WINDOWS\System32\stclient.dll
2011-05-25 13:48:57 ----A---- C:\WINDOWS\System32\mtxlegih.dll
2011-05-25 13:48:57 ----A---- C:\WINDOWS\System32\mtxex.dll
2011-05-25 13:48:57 ----A---- C:\WINDOWS\System32\mtxdm.dll
2011-05-25 13:48:57 ----A---- C:\WINDOWS\System32\dcomcnfg.exe
2011-05-25 13:48:57 ----A---- C:\WINDOWS\System32\comrepl.dll
2011-05-25 13:48:57 ----A---- C:\WINDOWS\System32\comaddin.dll
2011-05-25 13:48:57 ----A---- C:\WINDOWS\System32\colbact.dll
2011-05-25 13:48:56 ----A---- C:\WINDOWS\System32\comuid.dll
2011-05-25 13:48:56 ----A---- C:\WINDOWS\System32\comsnap.dll
2011-05-25 13:48:56 ----A---- C:\WINDOWS\System32\clbcatq.dll
2011-05-25 13:48:56 ----A---- C:\WINDOWS\System32\clbcatex.dll
2011-05-25 13:48:56 ----A---- C:\WINDOWS\System32\catsrvps.dll
2011-05-25 13:48:56 ----A---- C:\WINDOWS\System32\catsrv.dll
2011-05-25 13:48:49 ----A---- C:\WINDOWS\System32\wmimgmt.msc
2011-05-25 13:48:49 ----A---- C:\WINDOWS\System32\servdeps.dll
2011-05-25 13:48:49 ----A---- C:\WINDOWS\System32\mmfutil.dll
2011-05-25 13:48:49 ----A---- C:\WINDOWS\System32\cmprops.dll
2011-05-25 13:48:46 ----D---- C:\Program Files\MSN
2011-05-25 13:48:45 ----A---- C:\WINDOWS\System32\wuauserv.dll
2011-05-25 13:48:45 ----A---- C:\WINDOWS\System32\wuaueng.dll
2011-05-25 13:48:45 ----A---- C:\WINDOWS\System32\wuauclt.exe
2011-05-25 13:48:45 ----A---- C:\WINDOWS\System32\spider.exe
2011-05-25 13:48:45 ----A---- C:\WINDOWS\System32\mspaint.exe
2011-05-25 13:48:45 ----A---- C:\WINDOWS\System32\mplay32.exe
2011-05-25 13:48:45 ----A---- C:\WINDOWS\System32\clipbrd.exe
2011-05-25 13:48:44 ----A---- C:\WINDOWS\System32\tscfgwmi.dll
2011-05-25 13:48:44 ----A---- C:\WINDOWS\System32\sessmgr.exe
2011-05-25 13:48:44 ----A---- C:\WINDOWS\System32\remotepg.dll
2011-05-25 13:48:44 ----A---- C:\WINDOWS\System32\rdsaddin.exe
2011-05-25 13:48:44 ----A---- C:\WINDOWS\System32\rdchost.dll
2011-05-25 13:48:44 ----A---- C:\WINDOWS\System32\mstscax.dll
2011-05-25 13:48:44 ----A---- C:\WINDOWS\System32\mstsc.exe
2011-05-25 13:48:44 ----A---- C:\WINDOWS\System32\drivers\rdpwd.sys
2011-05-25 13:48:43 ----D---- C:\WINDOWS\System32\MsDtc
2011-05-25 13:48:43 ----A---- C:\WINDOWS\System32\tscupgrd.exe
2011-05-25 13:48:43 ----A---- C:\WINDOWS\System32\termsrv.dll
2011-05-25 13:48:43 ----A---- C:\WINDOWS\System32\rdpwsx.dll
2011-05-25 13:48:43 ----A---- C:\WINDOWS\System32\rdpsnd.dll
2011-05-25 13:48:43 ----A---- C:\WINDOWS\System32\rdpclip.exe
2011-05-25 13:48:43 ----A---- C:\WINDOWS\System32\msdtcprx.dll
2011-05-25 13:48:43 ----A---- C:\WINDOWS\System32\icaapi.dll
2011-05-25 13:48:43 ----A---- C:\WINDOWS\System32\cfgbkend.dll
2011-05-25 13:48:42 ----A---- C:\WINDOWS\System32\comsvcs.dll
2011-05-25 13:48:42 ----A---- C:\WINDOWS\System32\catsrvut.dll
2011-05-25 13:48:39 ----A---- C:\WINDOWS\System32\licwmi.dll
2011-05-25 13:46:20 ----A---- C:\WINDOWS\System32\spxcoins.dll
2011-05-25 13:46:20 ----A---- C:\WINDOWS\System32\irclass.dll
2011-05-25 13:46:11 ----RA---- C:\WINDOWS\SET31.tmp
2011-05-25 13:46:09 ----RA---- C:\WINDOWS\SET1C.tmp
2011-05-25 13:36:45 ----D---- C:\WINDOWS\setup.pss
2011-05-25 13:35:43 ----A---- C:\WINDOWS\UPGRADE.TXT
2011-05-25 13:31:36 ----D---- C:\WINDOWS\CSC
2011-05-25 13:27:56 ----D---- C:\WINDOWS\System32\xircom
2011-05-25 13:27:56 ----D---- C:\WINDOWS\System32\restore
2011-05-25 13:27:56 ----D---- C:\WINDOWS\System32\com
2011-05-25 13:27:56 ----D---- C:\WINDOWS\srchasst
2011-05-25 13:27:56 ----D---- C:\WINDOWS\pchealth
2011-05-25 13:27:56 ----D---- C:\Program Files\xerox
2011-05-25 13:27:56 ----D---- C:\Program Files\windows nt
2011-05-25 13:27:56 ----D---- C:\Program Files\windows media player
2011-05-25 13:27:56 ----D---- C:\Program Files\outlook express
2011-05-25 13:27:56 ----D---- C:\Program Files\netmeeting
2011-05-25 13:27:56 ----D---- C:\Program Files\msn gaming zone
2011-05-25 13:27:56 ----D---- C:\Program Files\movie maker
2011-05-25 13:27:56 ----D---- C:\Program Files\microsoft frontpage
2011-05-25 13:27:56 ----D---- C:\Program Files\internet explorer
2011-05-25 13:27:56 ----D---- C:\Program Files\Common Files\system
2011-05-25 13:27:56 ----D---- C:\Program Files\Common Files\mssoap
2011-05-25 13:27:42 ----RASH---- C:\MSDOS.SYS
2011-05-25 13:27:42 ----RASH---- C:\IO.SYS
2011-05-25 13:27:42 ----A---- C:\WINDOWS\control.ini
2011-05-25 13:27:42 ----A---- C:\CONFIG.SYS
2011-05-25 13:27:42 ----A---- C:\AUTOEXEC.BAT
2011-05-25 13:27:18 ----SD---- C:\WINDOWS\Downloaded Program Files
2011-05-25 13:27:18 ----RD---- C:\WINDOWS\Offline Web Pages
2011-05-25 13:27:14 ----RAH---- C:\WINDOWS\System32\cdplayer.exe.manifest
2011-05-25 13:25:09 ----A---- C:\WINDOWS\System32\drivers\termdd.sys
2011-05-25 13:25:09 ----A---- C:\WINDOWS\System32\drivers\rdpdr.sys

======List of files/folders modified in the last 1 months======

2011-05-29 21:22:10 ----A---- C:\WINDOWS\system.ini
2011-05-29 21:10:46 ----A---- C:\WINDOWS\win.ini
2011-05-25 13:51:54 ----ASH---- C:\WINDOWS\fonts\desktop.ini

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R0 nvata;nvata; C:\WINDOWS\System32\DRIVERS\nvata.sys [2005-08-18 93568]
R0 nvgts;nvgts; C:\WINDOWS\System32\DRIVERS\nvgts.sys [2008-11-12 145952]
R1 AmdK8;Ovladač procesoru AMD; C:\WINDOWS\System32\DRIVERS\AmdK8.sys [2006-07-01 43008]
R1 ehdrv;ehdrv; C:\WINDOWS\System32\DRIVERS\ehdrv.sys [2010-07-29 115008]
R1 epfwtdir;epfwtdir; C:\WINDOWS\System32\DRIVERS\epfwtdir.sys [2010-08-03 95896]
R1 SASDIFSV;SASDIFSV; \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS []
R1 SASKUTIL;SASKUTIL; \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS []
R2 aslm75;aslm75; \??\C:\WINDOWS\system32\drivers\aslm75.sys []
R2 eamon;eamon; C:\WINDOWS\System32\DRIVERS\eamon.sys [2010-08-04 140752]
R3 ALCXWDM;Service for Realtek AC97 Audio (WDM); C:\WINDOWS\system32\drivers\ALCXWDM.SYS [2008-09-24 4122368]
R3 ati2mtag;ati2mtag; C:\WINDOWS\System32\DRIVERS\ati2mtag.sys [2010-02-11 3565056]
R3 catchme;catchme; \??\C:\ComboFix\catchme.sys []
R3 NVENETFD;NVIDIA nForce 10/100/1000 Mbps Ethernet ; C:\WINDOWS\System32\DRIVERS\NVENETFD.sys [2008-08-01 54784]
R3 nvnetbus;NVIDIA Network Bus Enumerator; C:\WINDOWS\System32\DRIVERS\nvnetbus.sys [2008-08-01 22016]
S3 GMSIPCI;GMSIPCI; \??\D:\INSTALL\GMSIPCI.SYS []
S3 mbr;mbr; \??\C:\DOCUME~1\PETRDU~1\LOCALS~1\Temp\mbr.sys []
S3 MSICPL;MSICPL; \??\D:\install4\MSICPL.sys []
S3 NTACCESS;NTACCESS; \??\D:\NTACCESS.sys []
S3 nvax;Service for NVIDIA(R) nForce(TM) Audio Enumerator; C:\WINDOWS\system32\drivers\nvax.sys [2005-04-13 53376]
S3 nvnforce;Service for NVIDIA(R) nForce(TM) Audio; C:\WINDOWS\system32\drivers\nvapu.sys [2005-04-13 414464]
S3 SetupNTGLM7X;SetupNTGLM7X; \??\D:\NTGLM7X.sys []
S3 usbccgp;Obecný nadřazený ovladač Microsoft USB; C:\WINDOWS\System32\DRIVERS\usbccgp.sys [2002-08-29 28160]
S3 usbprint;Třída USB Printer; C:\WINDOWS\System32\DRIVERS\usbprint.sys [2002-08-29 24960]
S3 usbscan;Ovladač skeneru USB; C:\WINDOWS\System32\DRIVERS\usbscan.sys [2002-08-29 14208]
S3 USBSTOR;Ovladač velkokapacitního paměťového zařízení USB; C:\WINDOWS\System32\DRIVERS\USBSTOR.SYS [2002-08-29 21760]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 Ati HotKey Poller;Ati HotKey Poller; C:\WINDOWS\System32\Ati2evxx.exe [2010-02-11 602112]
R2 ekrn;ESET Service; C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe [2010-08-12 810144]
S2 ATI Smart;ATI Smart; C:\WINDOWS\system32\ati2sgag.exe [2010-02-10 593920]
S2 Netmanm;Network Connections to Monitor; C:\WINDOWS\system32\crssc.exe []
S3 EhttpSrv;ESET HTTP Server; C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe [2010-08-12 33584]

-----------------EOF-----------------

Re: Badly infested computer

Posted: 29 May 2011 20:29
by vyosek
If it is not there already, move ComboFix to the desktop
  • Open Notepad (Start - Run - notepad)
  • Copy the script below
  • Code:

    KillAll::
    
    Driver::
    ylvmcwy
    Netmanm
    
    NetSvc::
    ylvmcwy
    
    Restore::
    c:\windows\system32\qmgr.dll
    
    DDS::
    uDefault_Search_URL = hxxp://search.qip.ru
    uSearchAssistant = hxxp://search.qip.ru/ie
    
    Firefox::
    FF - ProfilePath - c:\documents and settings\Petr Dušek\Data aplikací\Mozilla\Firefox\Profiles\kd80g24z.default\
    FF - prefs.js: browser.search.selectedEngine - QIP Search
    FF - prefs.js: browser.startup.homepage - hxxp://qip.ru
    FF - prefs.js: keyword.URL - hxxp://search.qip.ru/search?from=FF&query=
    
    Reboot::
  • Save the resulting TXT file as CFScript.txt
  • Drag the CFScript.txt you created onto ComboFix and run it (see image below)
    [image]
  • After the script has been applied (and after a possible restart) a log will pop up; paste its contents here
It can happen that Windows will not boot after the script has been applied; in that case restart the PC, press F8 and choose Last Known Good Configuration

Re: Badly infested computer

Posted: 29 May 2011 20:47
by pitrs
Here:

ComboFix 11-05-28.01 - Petr Dušek . 05. 2011 21:41:00.3.1 - x86
Systém Microsoft Windows XP Professional 5.1.2600.1.1250.420.1029.18.1023.728 [GMT 2:00]
Spuštěný z: c:\documents and settings\Petr DuÜek\Plocha\ComboFix.exe
Použité ovládací přepínače :: c:\documents and settings\Petr DuÜek\Plocha\CFScript.txt
* Rezidentní štít AV je zapnutý
.
.
.
((((((((((((((((((((((((((((((((((((((( Ostatní výmazy )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
Nakažená kopie c:\windows\system32\qmgr.dll byla nalezena a vyléčena.
Obnovena kopie z - c:\windows\ERDNT\cache\qmgr.dll
.
.
((((((((((((((((((((((((( Soubory vytvořené od 2011-04-28 do 2011-05-29 )))))))))))))))))))))))))))))))
.
.
2011-05-29 18:31 . 2011-05-29 18:42 -------- d-----w- C:\rsit
2011-05-29 18:15 . 2011-05-29 18:15 -------- d-----w- C:\Downloads
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-04-14 16:38 . 2011-05-25 12:09 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2011-05-29_19.22.10 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-05-25 11:56 . 2011-05-29 19:22 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2011-05-25 11:56 . 2011-05-29 19:15 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2011-05-29 19:27 . 2011-05-29 19:22 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2011-05-25 11:56 . 2011-05-29 19:15 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
.
(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2002-09-20 13312]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Nabídka Start^Programy^Po spuštění^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Nabídka Start\Programy\Po spuštění\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-11-15 19:02 932288 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-11-15 19:02 35736 ----a-w- c:\program files\Adobe\Reader 10.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\egui]
2010-08-12 12:16 2215064 ----a-w- c:\program files\ESET\ESET NOD32 Antivirus\egui.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2002-08-20 13:08 1511453 ------w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QIP Internet Guardian]
2010-06-09 16:35 187904 ----a-w- c:\documents and settings\Petr Dušek\Data aplikací\QipGuard\QipGuard.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
2007-04-16 13:28 577536 ----a-w- c:\windows\soundman.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2011-04-20 15:57 2423752 ----a-w- c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [29. 7. 2010 13:31 115008]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [3. 8. 2010 13:28 95896]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [17. 2. 2010 20:25 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [10. 5. 2010 20:41 67656]
R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [12. 8. 2010 14:16 810144]
S2 Netmanm;Network Connections to Monitor;"c:\windows\system32\crssc.exe" --> c:\windows\system32\crssc.exe [?]
S2 ylvmcwy;fhumogsaj;c:\windows\system32\svchost.exe -k netsvcs [25. 10. 2001 16:00 12800]
S3 SetupNTGLM7X;SetupNTGLM7X;\??\d:\ntglm7x.sys --> d:\NTGLM7X.sys [?]
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
ylvmcwy
.
.
------- Doplňkový sken -------
.
uDefault_Search_URL = hxxp://search.qip.ru
uSearchAssistant = hxxp://search.qip.ru/ie
IE: E&xportovat do aplikace Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
TCP: DhcpNameServer = 213.46.172.36 213.46.172.37
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Petr Dušek\Data aplikací\Mozilla\Firefox\Profiles\kd80g24z.default\
FF - prefs.js: browser.search.selectedEngine - QIP Search
FF - prefs.js: browser.startup.homepage - hxxp://qip.ru
FF - prefs.js: keyword.URL - hxxp://search.qip.ru/search?from=FF&query=
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-05-29 21:45
Windows 5.1.2600 Service Pack 1 NTFS
.
skenování skrytých procesů ...
.
skenování skrytých položek 'Po spuštění' ...
.
skenování skrytých souborů ...
.
sken byl úspešně dokončen
skryté soubory: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ylvmcwy]
"ServiceDll"="c:\windows\System32\lhudgqbq.dll"
.
--------------------- Knihovny navázané na běžící procesy ---------------------
.
- - - - - - - > 'winlogon.exe'(696)
c:\windows\System32\ODBC32.dll
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\Ati2evxx.dll
.
- - - - - - - > 'lsass.exe'(752)
c:\windows\System32\dssenh.dll
.
- - - - - - - > 'explorer.exe'(1404)
c:\windows\System32\msi.dll
.
------------------------ Jiné spuštené procesy ------------------------
.
c:\windows\System32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\imapi.exe
.
**************************************************************************
.
Celkový čas: 2011-05-29 21:46:46 - počítač byl restartován
ComboFix-quarantined-files.txt 2011-05-29 19:46
ComboFix2.txt 2011-05-29 19:23
.
Před spuštěním: Volných bajtů: 66 287 132 672
Po spuštění: Volných bajtů: 66 288 300 032
.
- - End Of File - - CB9D3A6163BFAD802FF1DBFCFCD7A7E8

Re: Badly infested computer

Posted: 29 May 2011 21:15
by vyosek
The beast is fighting back

Download Avenger (see my signature)
  • If you use Windows Vista or Windows 7, right-click Avenger and choose Run As Administrator (Spustit jako správce)
  • After launching, the program will warn you that everything you do is at your own risk; click OK
  • After confirming, the main window will appear; paste the script below into it
  • Code:

    Files to delete:
    c:\windows\System32\lhudgqbq.dll
    
    Drivers to delete:
    ylvmcwy
    Netmanm
  • Tick the boxes next to Scan for rootkits and Automatically disable any rootkits found
  • Now click Execute and confirm with Yes in the next window; this confirms that the script will be run
  • Answer the Reboot now prompt with OK again; this restarts the PC
  • After the restart Notepad should open with the log; paste its contents here. If it does not, you will find the required file at C:\avenger.txt

Re: Badly infested computer

Posted: 29 May 2011 21:20
by pitrs
Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Error: file "c:\windows\System32\lhudgqbq.dll" not found!
Deletion of file "c:\windows\System32\lhudgqbq.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Driver "ylvmcwy" deleted successfully.
Driver "Netmanm" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

Re: Badly infested computer

Posted: 29 May 2011 21:56
by vyosek
And one more script for ComboFix; the procedure is the same

Code:

KillAll::

NetSvc::
ylvmcwy

DDS::
uDefault_Search_URL = hxxp://search.qip.ru
uSearchAssistant = hxxp://search.qip.ru/ie

Firefox::
FF - ProfilePath - c:\documents and settings\Petr Dušek\Data aplikací\Mozilla\Firefox\Profiles\kd80g24z.default\
FF - prefs.js: browser.search.selectedEngine - QIP Search
FF - prefs.js: browser.startup.homepage - hxxp://qip.ru
FF - prefs.js: keyword.URL - hxxp://search.qip.ru/search?from=FF&query=

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

Reboot::

Re: Badly infested computer

Posted: 29 May 2011 22:11
by pitrs
ComboFix 11-05-28.01 - Petr Dušek . 05. 2011 23:04:21.4.1 - x86
Systém Microsoft Windows XP Professional 5.1.2600.1.1250.420.1029.18.1023.729 [GMT 2:00]
Spuštěný z: c:\documents and settings\Petr DuÜek\Plocha\ComboFix.exe
Použité ovládací přepínače :: c:\documents and settings\Petr DuÜek\Plocha\CFScript.txt
* Rezidentní štít AV je zapnutý
.
.
.
((((((((((((((((((((((((((((((((((((((( Ostatní výmazy )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\37.exe
.
Nakažená kopie c:\windows\system32\qmgr.dll byla nalezena a vyléčena.
Obnovena kopie z - c:\windows\ERDNT\cache\qmgr.dll
.
.
((((((((((((((((((((((((( Soubory vytvořené od 2011-04-28 do 2011-05-29 )))))))))))))))))))))))))))))))
.
.
2011-05-29 18:31 . 2011-05-29 18:42 -------- d-----w- C:\rsit
2011-05-29 18:15 . 2011-05-29 18:15 -------- d-----w- C:\Downloads
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-04-14 16:38 . 2011-05-25 12:09 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2011-05-29_19.22.10 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-05-29 20:58 . 2011-05-29 20:58 23360 c:\windows\system32\hnm5.exe
+ 2011-05-25 11:56 . 2011-05-29 20:40 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2011-05-25 11:56 . 2011-05-29 19:15 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2011-05-29 19:48 . 2011-05-29 20:40 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2011-05-25 11:56 . 2011-05-29 19:15 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
.
(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2002-09-20 13312]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Nabídka Start^Programy^Po spuštění^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Nabídka Start\Programy\Po spuštění\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-11-15 19:02 932288 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-11-15 19:02 35736 ----a-w- c:\program files\Adobe\Reader 10.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\egui]
2010-08-12 12:16 2215064 ----a-w- c:\program files\ESET\ESET NOD32 Antivirus\egui.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2002-08-20 13:08 1511453 ------w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QIP Internet Guardian]
2010-06-09 16:35 187904 ----a-w- c:\documents and settings\Petr Dušek\Data aplikací\QipGuard\QipGuard.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
2007-04-16 13:28 577536 ----a-w- c:\windows\soundman.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2011-04-20 15:57 2423752 ----a-w- c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [29. 7. 2010 13:31 115008]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [3. 8. 2010 13:28 95896]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [17. 2. 2010 20:25 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [10. 5. 2010 20:41 67656]
R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [12. 8. 2010 14:16 810144]
S3 SetupNTGLM7X;SetupNTGLM7X;\??\d:\ntglm7x.sys --> d:\NTGLM7X.sys [?]
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
ylvmcwy
.
.
------- Doplňkový sken -------
.
uDefault_Search_URL = hxxp://search.qip.ru
uSearchAssistant = hxxp://search.qip.ru/ie
IE: E&xportovat do aplikace Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
TCP: DhcpNameServer = 213.46.172.36 213.46.172.37
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Petr Dušek\Data aplikací\Mozilla\Firefox\Profiles\kd80g24z.default\
FF - prefs.js: browser.search.selectedEngine - QIP Search
FF - prefs.js: browser.startup.homepage - hxxp://qip.ru
FF - prefs.js: keyword.URL - hxxp://search.qip.ru/search?from=FF&query=
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-05-29 23:09
Windows 5.1.2600 Service Pack 1 NTFS
.
skenování skrytých procesů ...
.
skenování skrytých položek 'Po spuštění' ...
.
skenování skrytých souborů ...
.
sken byl úspešně dokončen
skryté soubory: 0
.
**************************************************************************
.
--------------------- Knihovny navázané na běžící procesy ---------------------
.
- - - - - - - > 'winlogon.exe'(684)
c:\windows\System32\ODBC32.dll
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\Ati2evxx.dll
.
- - - - - - - > 'lsass.exe'(740)
c:\windows\System32\dssenh.dll
.
- - - - - - - > 'explorer.exe'(464)
c:\windows\System32\msi.dll
.
------------------------ Jiné spuštené procesy ------------------------
.
c:\windows\System32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\imapi.exe
.
**************************************************************************
.
Celkový čas: 2011-05-29 23:10:11 - počítač byl restartován
ComboFix-quarantined-files.txt 2011-05-29 21:10
ComboFix2.txt 2011-05-29 19:46
ComboFix3.txt 2011-05-29 19:23
.
Před spuštěním: Volných bajtů: 66 277 015 552
Po spuštění: Volných bajtů: 66 278 215 680
.
- - End Of File - - F51F10EC2D56DA7AA905183B481EC0EA

Re: Terribly cluttered computer

Posted: 29 May 2011 22:12
by vyosek
→ Uninstall ComboFix
  • Start - Run (or use the keyboard shortcut Win+R)
  • Type ComboFix /Uninstall
  • Press Enter
  • This deletes ComboFix and its folders
→ T-Cleaner http://vyosek.ic.cz/pro_usery/T-Cleaner.exe
  • Download and run it
  • To confirm the choice press A, Enter
  • Delete the utility after use
  • Antivirus programs tend to wrongly flag this utility as a virus - it is a false alarm - so go ahead and download it (or switch the antivirus off while downloading)
→ Download Malwarebytes' Anti-Malware (MBAM for short) (see my signature)
  • Run the update - third tab
  • Run a full scan - do not delete anything!
  • MBAM sometimes has false detections, so paste the log into your post and wait for it to be reviewed

Re: Terribly cluttered computer

Posted: 29 May 2011 22:16
by pitrs
At step number 1 it tells me that ComboFix was not found.

Re: Terribly cluttered computer

Posted: 29 May 2011 22:22
by vyosek
Then rename the ComboFix icon to Uninstall and run it

Re: Terribly cluttered computer

Posted: 29 May 2011 22:24
by pitrs
Now I'm looking at the desktop and the ComboFix program is nowhere to be found; it has probably already deleted itself, I don't know how that is possible.

Re: Terribly cluttered computer

Posted: 29 May 2011 22:27
by pitrs
Here is the result of the test:

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Verze databáze: 6717

Windows 5.1.2600 Service Pack 1
Internet Explorer 6.0.2800.1106

29. 5. 2011 23:27:10
mbam-log-2011-05-29 (23-27-07).txt

Typ kontroly: Úplný test (C:\|)
Testované objekty: 155571
Uplynulý čas: 5 minut, 23 sekund

Infikované procesy v paměti: 0
Infikované moduly v paměti: 0
Infikované klíče v registru: 0
Infikované hodnoty v registru: 2
Infikované datové položky v registru: 0
Infikované složky: 0
Infikované soubory: 5

Infikované procesy v paměti:
(Žádné škodlivé položky nebyly zjištěny)

Infikované moduly v paměti:
(Žádné škodlivé položky nebyly zjištěny)

Infikované klíče v registru:
(Žádné škodlivé položky nebyly zjištěny)

Infikované hodnoty v registru:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Spooler SubSystem App (Trojan.Agent) -> Value: Spooler SubSystem App -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DNS Client and Server (Trojan.Agent) -> Value: DNS Client and Server -> No action taken.

Infikované datové položky v registru:
(Žádné škodlivé položky nebyly zjištěny)

Infikované složky:
(Žádné škodlivé položky nebyly zjištěny)

Infikované soubory:
c:\WINDOWS\system32\hnm5.exe (Trojan.Downloader) -> No action taken.
c:\documents and settings\petr dušek\data aplikací\spoolsv.exe (Trojan.Agent) -> No action taken.
c:\documents and settings\petr dušek\data aplikací\uzef.exe (Trojan.FakeAlert) -> No action taken.
c:\documents and settings\petr dušek\nigzss.txt (Malware.Trace) -> No action taken.
c:\documents and settings\petr dušek\data aplikací\dnscache.exe (Trojan.Agent) -> No action taken.