VIRY.CZ

Ahojte. Avast mi našiel v pc nejaké svinstvo a dobré by bolo sa ho zbaviť bez reinstall-u winu.
Za každú radu vopred ďakujem. Prajem pekný deň.

Logfile of random's system information tool 1.06 (written by random/random)
Run by Mato at 2010-02-01 10:41:17
Microsoft Windows XP Home Edition Service Pack 2
System drive C: has 16 GB (49%) free of 34 GB
Total RAM: 256 MB (24% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:41:46, on 1.2.2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\anvshell.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\WINDOWS\htpatch.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Microsoft Private Folder 1.0\PrfldSvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\QIP Infium\infium.exe
C:\Documents and Settings\Mato\Plocha\RSIT.exe
C:\Program Files\trend micro\Mato.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://search.qip.ru
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://search.qip.ru
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.qip.ru/ie
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.zoznam.sk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.qip.ru/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = Root: HKCU; Subkey: Software\Microsoft\Internet Explorer\SearchUrl; ValueType: string; ValueName: '; ValueData: '; Flags: createvalueifdoesntexist noerror; Tasks: AddSearchQip
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
R3 - URLSearchHook: QIPBHO Class - {95289393-33EA-4F8D-B952-483415B9C955} - C:\Documents and Settings\Mato\Data aplikací\Microsoft\Internet Explorer\qipsearchbar.dll
R3 - URLSearchHook: (no name) - - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: QIPBHO - {95289393-33EA-4F8D-B952-483415B9C955} - C:\Documents and Settings\Mato\Data aplikací\Microsoft\Internet Explorer\qipsearchbar.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [Anvshell] anvshell.exe
O4 - HKLM\..\Run: [LiveNote] livenote.exe
O4 - HKLM\..\Run: [EPSON Stylus C42 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C42 Series" /O5 "LPT1:" /M "Stylus C42"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [cdoosoft] C:\DOCUME~1\Mato\LOCALS~1\Temp\herss.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xportovat do aplikace Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6.5\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6.5\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 6898014078
O17 - HKLM\System\CCS\Services\Tcpip\..\{8395DE30-2C36-4F06-AA87-BF91837DFE2C}: NameServer = 195.146.128.62 195.146.132.58
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: EJUWVU - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Mato\LOCALS~1\Temp\EJUWVU.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: MBAU - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Mato\LOCALS~1\Temp\MBAU.exe
O23 - Service: ASUS Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Private Folder Service (prfldsvc) - Unknown owner - C:\Program Files\Microsoft Private Folder 1.0\PrfldSvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: TEKZV - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Mato\LOCALS~1\Temp\TEKZV.exe
O23 - Service: VQCOJN - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Mato\LOCALS~1\Temp\VQCOJN.exe

--
End of file - 7257 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\ParetoLogic Update Version2.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
AcroIEHlprObj Class - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx [2001-04-16 37808]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{95289393-33EA-4F8D-B952-483415B9C955}]
QIPBHO Class - C:\Documents and Settings\Mato\Data aplikací\Microsoft\Internet Explorer\qipsearchbar.dll [2009-02-12 119808]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java(tm) Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2009-08-24 41760]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2009-08-24 73728]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Anvshell"=C:\WINDOWS\anvshell.exe [2003-03-13 348160]
"LiveNote"=C:\WINDOWS\livenote.exe [2002-07-11 40960]
"EPSON Stylus C42 Series"=C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE [2002-02-19 74240]
"NeroFilterCheck"=C:\WINDOWS\system32\NeroCheck.exe [2001-07-09 155648]
"avast!"=C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe [2009-02-05 81000]
"Smapp"=C:\Program Files\Analog Devices\SoundMAX\SMTray.exe [2002-10-11 98304]
"HTpatch"=C:\WINDOWS\htpatch.exe [2002-10-30 28672]
"NvCplDaemon"=C:\WINDOWS\System32\NvCpl.dll [2003-03-20 4616192]
"nwiz"=nwiz.exe /install []
"DAEMON Tools"=C:\Program Files\DAEMON Tools\daemon.exe [2005-12-10 133016]
"WinampAgent"=C:\Program Files\Winamp\winampa.exe [2006-11-21 35328]
"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2009-08-24 149280]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"=C:\WINDOWS\system32\ctfmon.exe [2004-08-17 15360]
"NvMediaCenter"=C:\WINDOWS\System32\NVMCTRAY.DLL [2003-03-20 49152]
"MSMSGS"=C:\Program Files\Messenger\msmsgs.exe [2004-08-17 1667584]
"cdoosoft"=C:\DOCUME~1\Mato\LOCALS~1\Temp\herss.exe [2010-01-31 90624]

C:\Documents and Settings\All Users.WINDOWS\Nabídka Start\Programy\Po spuštění
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\UploadMgr]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Metin2_CZ\metin2.bin"="C:\Program Files\Metin2_CZ\metin2.bin:*:Enabled:metin2"
"C:\Program Files\Valve\Counter-Strike 1.6\hl.exe"="C:\Program Files\Valve\Counter-Strike 1.6\hl.exe:*:Enabled:Half-Life Launcher"
"C:\Program Files\Microsoft Games\Rise of Nations\rise.exe"="C:\Program Files\Microsoft Games\Rise of Nations\rise.exe:*:Disabled:Rise of Nations"
"C:\Program Files\Microsoft Games\Rise of Nations\thrones.exe"="C:\Program Files\Microsoft Games\Rise of Nations\thrones.exe:*:Enabled:Rise of Nations"
"C:\Program Files\QIP Infium\infium.exe"="C:\Program Files\QIP Infium\infium.exe:*:Enabled:QIP Infium"
"C:\Program Files\Microsoft Games\Rise of Nations\patriots.exe"="C:\Program Files\Microsoft Games\Rise of Nations\patriots.exe:*:Enabled:Rise of Nations"
"C:\Program Files\Java\jre6\launch4j-tmp\frd.exe"="C:\Program Files\Java\jre6\launch4j-tmp\frd.exe:*:Enabled:Java(TM) Platform SE binary"
"C:\Program Files\Java\jre6\bin\javaw.exe"="C:\Program Files\Java\jre6\bin\javaw.exe:*:Enabled:Java(TM) Platform SE binary"
"C:\Program Files\ICQ6.5\ICQ.exe"="C:\Program Files\ICQ6.5\ICQ.exe:*:Enabled:ICQ6"
"C:\totalcmd\TOTALCMD.EXE"="C:\totalcmd\TOTALCMD.EXE:*:Disabled:Total Commander 32 bit international version, file manager replacement for Windows"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{053e966e-2a21-11de-be35-000c6e90ae21}]
shell\AutoRun\command - G:\y.exe
shell\open\command - G:\y.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9ab61758-3d63-11de-be82-000c6e90ae21}]
shell\AutoRun\command - G:\mvmdh.exe
shell\open\command - G:\mvmdh.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d7efd4fb-d890-11d2-9a77-806d6172696f}]
shell\AutoRun\command - C:\1hqup.exe
shell\open\command - C:\1hqup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{eae54f62-1c33-11de-be13-000c6e90ae21}]
shell\AutoRun\command - F:\setup.exe /autorun
shell\setup\command - F:\setup.exe


======List of files/folders created in the last 1 months======

2010-02-01 10:41:23 ----D---- C:\Program Files\trend micro
2010-02-01 10:41:17 ----D---- C:\rsit
2010-01-31 18:46:28 ----D---- C:\Program Files\CCleaner
2010-01-31 09:31:56 ----RSH---- C:\1hqup.exe
2010-01-22 17:43:29 ----HDC---- C:\WINDOWS\$NtUninstallKB978207$

======List of files/folders modified in the last 1 months======

2010-02-01 10:41:39 ----D---- C:\WINDOWS\Prefetch
2010-02-01 10:41:23 ----RD---- C:\Program Files
2010-02-01 09:01:35 ----D---- C:\WINDOWS\Temp
2010-02-01 09:01:34 ----D---- C:\WINDOWS\system32\CatRoot2
2010-02-01 08:56:29 ----D---- C:\Program Files\Mozilla Firefox
2010-02-01 08:53:50 ----D---- C:\WINDOWS
2010-01-31 21:04:53 ----A---- C:\WINDOWS\SchedLgU.Txt
2010-01-31 18:50:34 ----D---- C:\WINDOWS\Debug
2010-01-31 18:50:32 ----D---- C:\WINDOWS\Minidump
2010-01-30 11:02:13 ----A---- C:\WINDOWS\NeroDigital.ini
2010-01-29 20:33:12 ----HD---- C:\WINDOWS\inf
2010-01-29 16:21:22 ----D---- C:\Program Files\ICQ6.5
2010-01-29 14:22:58 ----A---- C:\WINDOWS\wincmd.ini
2010-01-22 19:00:57 ----SHD---- C:\WINDOWS\Installer
2010-01-22 17:43:41 ----RSHDC---- C:\WINDOWS\system32\dllcache
2010-01-22 17:43:38 ----D---- C:\Program Files\Internet Explorer
2010-01-22 16:44:25 ----HD---- C:\WINDOWS\$hf_mig$
2010-01-22 02:44:44 ----D---- C:\Program Files\DOSBox-0.72
2010-01-05 01:17:46 ----A---- C:\WINDOWS\system32\MRT.exe

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 Aavmker4;avast! Asynchronous Virus Monitor; C:\WINDOWS\system32\drivers\Aavmker4.sys [2009-02-05 26944]
R1 ANVIOCTL;ANVIOCTL; C:\WINDOWS\System32\DRIVERS\anvioctl.sys [2003-04-01 232480]
R1 asuskbnt;asuskbnt; C:\WINDOWS\System32\DRIVERS\asuskbnt.sys [2003-04-24 17150]
R1 aswSP;avast! Self Protection; C:\WINDOWS\system32\drivers\aswSP.sys [2009-02-05 114768]
R1 aswTdi;avast! Network Shield Support; C:\WINDOWS\system32\drivers\aswTdi.sys [2009-02-05 51376]
R1 intelppm;Řadič procesoru Intel; C:\WINDOWS\System32\DRIVERS\intelppm.sys [2004-08-17 39936]
R2 aswMon2;avast! Standard Shield Support; C:\WINDOWS\system32\drivers\aswMon2.sys [2009-02-05 94032]
R2 Prvflder;Prvflder; C:\WINDOWS\system32\DRIVERS\prvflder.sys [2006-04-21 70912]
R3 aeaudio;aeaudio; C:\WINDOWS\system32\drivers\aeaudio.sys [2002-04-01 4816]
R3 aswRdr;aswRdr; C:\WINDOWS\system32\drivers\aswRdr.sys [2009-02-05 23152]
R3 dtscsi;dtscsi; C:\WINDOWS\System32\Drivers\dtscsi.sys [2009-03-29 223128]
R3 nv;nv; C:\WINDOWS\System32\DRIVERS\nv4_mini.sys [2003-03-20 1261418]
R3 SISNIC;SiS PCI Fast Ethernet Adapter Driver; C:\WINDOWS\System32\DRIVERS\sisnic.sys [2002-07-10 32256]
R3 smwdm;smwdm; C:\WINDOWS\system32\drivers\smwdm.sys [2002-12-05 534976]
R3 usbehci;Ovladač miniportu rozšířeného radiče hostitele Microsoft USB 2.0; C:\WINDOWS\System32\DRIVERS\usbehci.sys [2004-08-04 26624]
R3 usbhub;Rozbočovač umožnující USB2; C:\WINDOWS\System32\DRIVERS\usbhub.sys [2004-08-04 57600]
R3 usbohci;Ovladač Miniport otevřeného hostitelského řadiče Microsoft USB; C:\WINDOWS\System32\DRIVERS\usbohci.sys [2004-08-04 17024]
S3 EIO;EIO; \??\C:\WINDOWS\system32\drivers\EIO.sys []
S3 hidusb;Ovladač třídy standardu HID; C:\WINDOWS\System32\DRIVERS\hidusb.sys [2003-04-16 9600]
S3 s816bus;Sony Ericsson Device 816 driver (WDM); C:\WINDOWS\System32\DRIVERS\s816bus.sys [2007-06-19 81832]
S3 usbscan;Ovladač skeneru USB; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2004-08-04 15104]
S3 USBSTOR;Ovladač velkokapacitního paměťového zařízení USB; C:\WINDOWS\System32\DRIVERS\USBSTOR.SYS [2004-08-04 26496]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 aswUpdSv;avast! iAVS4 Control Service; C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe [2009-02-05 18752]
R2 avast! Antivirus;avast! Antivirus; C:\Program Files\Alwil Software\Avast4\ashServ.exe [2009-02-05 138680]
R2 EPSONStatusAgent2;EPSON Printer Status Agent2; C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe [2001-10-25 90112]
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2009-08-24 153376]
R2 NVSvc;ASUS Driver Helper Service; C:\WINDOWS\System32\nvsvc32.exe [2003-03-20 69632]
R2 prfldsvc;Private Folder Service; C:\Program Files\Microsoft Private Folder 1.0\PrfldSvc.exe [2006-04-21 69632]
R2 SoundMAX Agent Service (default);SoundMAX Agent Service; C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe [2002-09-20 45056]
R2 UMWdf;Windows User Mode Driver Framework; C:\WINDOWS\System32\wdfmgr.exe [2005-01-28 38912]
R3 avast! Mail Scanner;avast! Mail Scanner; C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe [2009-02-05 254040]
R3 avast! Web Scanner;avast! Web Scanner; C:\Program Files\Alwil Software\Avast4\ashWebSv.exe [2009-02-05 352920]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2008-07-25 34312]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2008-07-25 69632]
S3 EJUWVU;EJUWVU; C:\DOCUME~1\Mato\LOCALS~1\Temp\EJUWVU.exe [2010-01-31 359296]
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe [2008-07-29 46104]
S3 idsvc;Windows CardSpace; c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2008-07-29 881664]
S3 MBAU;MBAU; C:\DOCUME~1\Mato\LOCALS~1\Temp\MBAU.exe [2010-01-31 387968]
S3 TEKZV;TEKZV; C:\DOCUME~1\Mato\LOCALS~1\Temp\TEKZV.exe [2010-01-31 572288]
S3 VQCOJN;VQCOJN; C:\DOCUME~1\Mato\LOCALS~1\Temp\VQCOJN.exe [2010-01-31 588672]
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2008-07-29 132096]

-----------------EOF-----------------

Zdravim
Ano mas tam malware.
1:pripoj USB-KLUCE

Stiahni na plochu UsbFix
-spust>>zvol Jazyk E-[enter]
-stlac 2-[enter]>po skane log vloz sem

2:

http://download.bleepingcomputer.com/ma ... -setup.exe
Stiahnes>>Malwarebytes' Anti-Malware
sprav komplet skan,,log vloz sem,

log z usbfix:


############################## | UsbFix V6.084 |

User : Mato (Administrators) # HA
Update on 01/02/2010 by El Desaparecido , C_XX & Chimay8
Start at: 11:57:37 | 1.2.2010
Website : http://pagesperso-orange.fr/NosTools/index.html
Contact : FindyKill.Contact@gmail.com

Intel(R) Celeron(R) CPU 2.50GHz
Microsoft Windows XP Home Edition (5.1.2600 32-bit) # Service Pack 2
Internet Explorer 6.0.2900.2180
Windows Firewall Status : Enabled
AV : avast! antivirus 4.8.1335 [VPS 100131-1] 4.8.1335 [ Enabled | Updated ]

A:\ -> Disketová jednotka 3 1/2"
C:\ -> Místní pevný disk # 32,76 Go (15,88 Go free) # NTFS
D:\ -> Disk CD-ROM
E:\ -> Disk CD-ROM
F:\ -> Disk CD-ROM # 623,5 Mo (0 Mo free) [RONX] # CDFS
G:\ -> Vyměnitelný disk # 488,48 Mo (461,7 Mo free) # FAT
J:\ -> Místní pevný disk
K:\ -> Vyměnitelný disk # 7,5 Go (2,96 Go free) [MATKOVE USB] # FAT32

############################## | Active processes |

C:\WINDOWS\System32\smss.exe 472
C:\WINDOWS\system32\csrss.exe 520
C:\WINDOWS\system32\winlogon.exe 544
C:\WINDOWS\system32\services.exe 596
C:\WINDOWS\system32\lsass.exe 608
C:\WINDOWS\system32\svchost.exe 756
C:\WINDOWS\system32\svchost.exe 816
C:\WINDOWS\System32\svchost.exe 908
C:\WINDOWS\System32\svchost.exe 984
C:\WINDOWS\System32\svchost.exe 1092
C:\WINDOWS\Explorer.EXE 1268
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe 1272
C:\Program Files\Alwil Software\Avast4\ashServ.exe 1360
C:\WINDOWS\system32\spoolsv.exe 1772
C:\WINDOWS\System32\svchost.exe 2040
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe 212
C:\Program Files\Java\jre6\bin\jqs.exe 264
C:\WINDOWS\System32\nvsvc32.exe 300
C:\Program Files\Microsoft Private Folder 1.0\PrfldSvc.exe 352
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe 380
C:\WINDOWS\System32\svchost.exe 440
C:\WINDOWS\System32\wdfmgr.exe 508
C:\WINDOWS\system32\wuauclt.exe 1108
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe 1448
C:\WINDOWS\system32\wbem\wmiprvse.exe 1504
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe 1544

################## | Files # Infected Folders |

Deleted ! C:\DOCUME~1\Mato\LOCALS~1\Temp\cvasds0.dll
Deleted ! C:\DOCUME~1\Mato\LOCALS~1\Temp\cvasds1.dll
Deleted ! C:\DOCUME~1\Mato\LOCALS~1\Temp\herss.exe
C:\autorun.inf -> Called file : "C:\1hqup.exe" ( Found ! )
Deleted ! C:\1hqup.exe
Deleted ! C:\autorun.inf
Deleted ! C:\Recycler\S-1-5-21-1644491937-1177238915-725345543-1004
F:\autorun.inf -> Called file : "F:\setup.exe" ( Found ! )
Not deleted ! F:\setup.exe
Not deleted ! F:\autorun.inf
G:\autorun.inf -> Called file : "G:\1hqup.exe" ( Found ! )
Deleted ! G:\1hqup.exe
Deleted ! G:\8xcrbho6.exe
Deleted ! G:\c2e.exe
Deleted ! G:\Recycled\ctfmon.exe
Deleted ! G:\y.exe
Deleted ! G:\autorun.inf
K:\autorun.inf -> Called file : "K:\1hqup.exe" ( Found ! )
Deleted ! K:\1hqup.exe
Deleted ! K:\c2e.exe
Deleted ! K:\autorun.inf

################## | Registry # Infected Keys |

Deleted ! [HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "cdoosoft"
Deleted ! [HKLM\SOFTWARE\Classes\CLSID\MADOWN]

################## | Registry # Mountpoints2 |

Deleted ! HKCU\...\Explorer\MountPoints2\{053e966e-2a21-11de-be35-000c6e90ae21}\Shell\AutoRun\Command
Deleted ! HKCU\...\Explorer\MountPoints2\{23ccbdf0-1ccd-11de-be17-000c6e90ae21}\Shell\AutoRun\Command
Deleted ! HKCU\...\Explorer\MountPoints2\{9ab61758-3d63-11de-be82-000c6e90ae21}\Shell\AutoRun\Command
Deleted ! HKCU\...\Explorer\MountPoints2\{d7efd4fb-d890-11d2-9a77-806d6172696f}\Shell\AutoRun\Command
Deleted ! HKCU\...\Explorer\MountPoints2\{eae54f62-1c33-11de-be13-000c6e90ae21}\Shell\AutoRun\Command

################## | Listing of the present files |

[06.06.2009 04:56|-r-hs----|211] C:\boot.ini
[16.04.2003 13:00|-rahs----|4952] C:\Bootfont.bin
[06.06.2009 04:56|-r-hs----|0] C:\config.sys
[12.03.2009 15:58|-rahs----|0] C:\IO.SYS
[12.03.2009 15:58|-rahs----|0] C:\MSDOS.SYS
[20.05.2009 13:22|-rahs----|47564] C:\NTDETECT.COM
[20.05.2009 13:22|-rahs----|250048] C:\ntldr
[?|?|?] C:\pagefile.sys
[05.11.2009 04:04|---h-----|155368] C:\treeinfo.wc
[01.02.2010 12:02|--a------|4178] C:\UsbFix.txt
[12.08.2003 01:24|-r-------|1945600] F:\00001.tmp
[19.11.2002 18:38|-r-------|46291] F:\00002.tmp
[31.03.2004 23:11|-r-------|155] F:\Autorun.inf
[23.03.2004 20:32|-r-------|77824] F:\Eulaxp1.dll
[23.04.2003 22:47|-r-------|1078] F:\Gensetup.ico
[13.08.2002 22:47|-r-------|39424] F:\PidGenx.dll
[19.11.2002 18:38|-r-h-----|4000] F:\SSIFSDAT.SYS
[02.05.2004 15:05|-r-------|1990656] F:\Setup.Exe
[17.06.2003 21:22|-r-------|28097] F:\SetupInc.idx
[05.08.2003 05:46|-r-------|81920] F:\Splash.EXE
[02.04.2004 01:57|-r-------|14213120] F:\StpENUx.dll
[30.03.2004 23:34|-r-------|1147838] F:\eulaxp1.rtf
[23.03.2004 21:25|-r-------|77824] F:\mgspidx.dll
[05.04.2004 20:44|-r-------|178796] F:\readmex.rtf
[10.03.2004 22:48|-r-------|921656] F:\splashimage.bmp
[29.01.2010 13:30|--a------|13333] G:\3dc39a6a3e15321a58cf58ca1984772d.jpg
[29.01.2010 13:01|--a------|3534336] G:\Alkoholy adrinky.doc
[29.01.2010 13:38|--a------|238080] G:\K vov tortiźka.doc
[29.01.2010 21:46|--a------|29696] G:\Flambovan‚ maliny.doc
[19.11.2009 18:30|--a------|3244032] G:\SPRµVA Z PRAXE.doc
[26.11.2009 19:39|--a------|8631296] G:\MEXIKO.doc
[11.10.2009 23:05|--a------|96768] G:\praxHA.doc
[11.10.2009 23:06|--a------|52355] G:\zaznam_prax.pdf
[05.11.2009 23:41|--a------|316416] G:\manual.doc
[05.11.2009 23:45|--a------|3155675] G:\normy.pdf
[06.11.2009 00:03|--a------|32256] G:\opera.doc
[06.11.2009 00:09|--a------|88576] G:\historia opery.doc
[06.11.2009 00:30|--a------|307200] G:\opery.doc
[25.01.2010 15:03|--a------|339064] G:\DSC00092.JPG
[25.01.2010 15:03|--a------|361175] G:\DSC00093.JPG
[25.01.2010 15:03|--a------|328703] G:\DSC00091.JPG

################## | Vaccination |

# C:\autorun.inf -> Folder created by UsbFix.
# G:\autorun.inf -> Folder created by UsbFix.
# K:\autorun.inf -> Folder created by UsbFix.

################## | Upload |

Please send the file : C:\UsbFix_Upload_Me_HA.zip : http://chiquitine.changelog.fr/Sample/Upload.php
Thank you for your contribution .

################## | ! End of report # UsbFix V6.084 ! |

pokracuj tak ako som napisal Malwarebytes.

je normálne keď sa cca po 40 sekundách ten program zasekne?

to nezasekne ale skenuje,,,no dobre sprav najprv rychly skan,,ak nepojde pokracujes takto:
1:

Stáhni, nainstaluj program CCleaner - http://www.ccleaner.com/download/downloadpage.aspx?f=2
- PravyKlik na kos-spustit ccleaner ->>>Cakas>>na cistenie,,
PravyKlik na kos-otvorit ccleaner-záložka Windows a stiskni Analyzovat a poté Spustit Cleaner
- Klikni na záložku Aplikace a stiskni Analyzovat a poté Spustit Cleaner
- Klikni na Registry, stiskni Hledej problémy, po dokončení skenování klikni na Opravit vybrané problémy,
-zvol Ano pro vytvoření zálohy, ulož nabídnutý soubor a klikni na Opravit všechny problémy,

Start-spustit-napis cleanmgr ok>>dalsie moznosti-obnova systemu-vycistit,,ok,,ok

2:A skus rychly skan ak nepojde napis,

operácie v prvom bode hotovo ... ten scan nejde približne pri tom istom "bode" to prestalo vykazovat akúkoľvek činnosť a ani sa to nepohlo.

log z Combofix:

ComboFix 10-01-31.03 - Mato 01.02.2010 13:32:00.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1250.421.1029.18.256.54 [GMT 1:00]
Running from: c:\documents and settings\Mato\Plocha\ComboFix.exe
AV: avast! antivirus 4.8.1335 [VPS 100131-1] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\ICQ6.5\updates\ICQLRun.exe.91c2e91e127ccb34d0b0bbd8b0533169
c:\windows\system32\ieuinit.inf
c:\windows\system32\twain_32.dll

.
((((((((((((((((((((((((( Files Created from 2010-01-01 to 2010-02-01 )))))))))))))))))))))))))))))))
.

2010-02-01 11:07 . 2009-12-30 13:55 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-01 11:07 . 2010-02-01 11:32 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-01 11:07 . 2009-12-30 13:54 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-01 11:02 . 2010-02-01 11:02 596354 ----a-w- C:\UsbFix_Upload_Me_HA.zip
2010-02-01 10:54 . 2010-02-01 11:02 -------- d-----w- C:\UsbFix
2010-02-01 09:41 . 2010-02-01 09:41 -------- d-----w- c:\program files\trend micro
2010-02-01 09:41 . 2010-02-01 09:41 -------- d-----w- C:\rsit
2010-01-31 17:46 . 2010-01-31 17:46 -------- d-----w- c:\program files\CCleaner

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-29 15:21 . 2009-09-03 07:21 -------- d-----w- c:\program files\ICQ6.5
2010-01-22 01:44 . 2009-10-17 08:11 -------- d-----w- c:\program files\DOSBox-0.72
2009-12-22 05:42 . 2006-06-23 12:27 663040 ----a-w- c:\windows\system32\wininet.dll
2009-12-22 05:42 . 2004-08-17 22:49 81920 ------w- c:\windows\system32\ieencode.dll
2009-11-21 16:46 . 2003-04-16 12:00 470528 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-08-20 15:23 . 2009-08-16 03:26 67688 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2009-08-20 15:23 . 2009-08-16 03:26 54368 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2009-08-20 15:23 . 2009-08-18 02:26 34944 ----a-w- c:\program files\mozilla firefox\components\myspell.dll
2009-08-20 15:23 . 2009-08-18 02:26 46712 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll
2009-08-20 15:23 . 2009-08-16 03:26 172136 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{95289393-33EA-4F8D-B952-483415B9C955}"= "c:\documents and settings\Mato\Data aplikací\Microsoft\Internet Explorer\qipsearchbar.dll" [2009-02-12 119808]

[HKEY_CLASSES_ROOT\clsid\{95289393-33ea-4f8d-b952-483415b9c955}]
[HKEY_CLASSES_ROOT\qipbar.QIPBHO.1]
[HKEY_CLASSES_ROOT\TypeLib\{45FF696B-5284-4781-B2CA-ECF3A742A17B}]
[HKEY_CLASSES_ROOT\qipbar.QIPBHO]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{95289393-33EA-4F8D-B952-483415B9C955}]
2009-02-12 10:40 119808 ----a-w- c:\documents and settings\Mato\Data aplikací\Microsoft\Internet Explorer\qipsearchbar.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="c:\windows\System32\NVMCTRAY.DLL" [2003-03-20 49152]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-08-17 1667584]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Anvshell"="anvshell.exe" [2003-03-13 348160]
"LiveNote"="livenote.exe" [2002-07-11 40960]
"EPSON Stylus C42 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE" [2002-02-19 74240]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"Smapp"="c:\program files\Analog Devices\SoundMAX\SMTray.exe" [2002-10-11 98304]
"HTpatch"="c:\windows\htpatch.exe" [2002-10-30 28672]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-03-20 4616192]
"nwiz"="nwiz.exe" [2003-03-20 323584]
"DAEMON Tools"="c:\program files\DAEMON Tools\daemon.exe" [2005-12-10 133016]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2006-11-21 35328]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-08-24 149280]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2004-08-17 15360]

c:\documents and settings\All Users.WINDOWS\Nabˇdka Start\Programy\Po spuçtŘnˇ\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"HonorAutoRunSetting"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"HonorAutoRunSetting"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Games\\Rise of Nations\\rise.exe"=
"c:\\Program Files\\Microsoft Games\\Rise of Nations\\thrones.exe"=
"c:\\Program Files\\QIP Infium\\infium.exe"=
"c:\\Program Files\\Microsoft Games\\Rise of Nations\\patriots.exe"=
"c:\\Program Files\\Java\\jre6\\launch4j-tmp\\frd.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Program Files\\ICQ6.5\\ICQ.exe"=
"c:\\totalcmd\\TOTALCMD.EXE"=

R1 ANVIOCTL;ANVIOCTL;c:\windows\system32\drivers\anvioctl.sys [20.3.2009 21:28 232480]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [12.3.2009 16:57 114768]
R2 Prvflder;Prvflder;c:\windows\system32\drivers\prvflder.sys [21.4.2006 7:22 70912]
S0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [29.3.2009 8:31 642560]
S3 EJUWVU;EJUWVU;c:\docume~1\Mato\LOCALS~1\Temp\EJUWVU.exe --> c:\docume~1\Mato\LOCALS~1\Temp\EJUWVU.exe [?]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [1.2.2010 12:07 38224]
S3 MBAU;MBAU;c:\docume~1\Mato\LOCALS~1\Temp\MBAU.exe --> c:\docume~1\Mato\LOCALS~1\Temp\MBAU.exe [?]
S3 s816bus;Sony Ericsson Device 816 driver (WDM);c:\windows\system32\drivers\s816bus.sys [10.5.2009 14:07 81832]
S3 TEKZV;TEKZV;c:\docume~1\Mato\LOCALS~1\Temp\TEKZV.exe --> c:\docume~1\Mato\LOCALS~1\Temp\TEKZV.exe [?]
S3 VQCOJN;VQCOJN;c:\docume~1\Mato\LOCALS~1\Temp\VQCOJN.exe --> c:\docume~1\Mato\LOCALS~1\Temp\VQCOJN.exe [?]
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
uDefault_Search_URL = hxxp://search.qip.ru
uSearchAssistant = hxxp://search.qip.ru/ie
uSearchURL,(Default) = Root: HKCU; Subkey: Software\Microsoft\Internet Explorer\SearchUrl; ValueType: string; ValueName: '; ValueData: '; Flags: createvalueifdoesntexist noerror; Tasks: AddSearchQip
IE: E&xportovat do aplikace Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Mato\Data aplikací\Mozilla\Firefox\Profiles\he2nrsx8.default\
FF - prefs.js: browser.search.selectedEngine - ICQ Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.sk/
FF - prefs.js: keyword.URL - hxxp://search.icq.com/search/afe_results.php?ch_id=afex&q=
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-01 13:39
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HTpatch = c:\windows\htpatch.exe?ows\CurrentVersion\Run???\?????%[????`?'[??'[`?'[??????????????%[??%[??'[??'[$?????%[??????????????%[??????????%[???w????(??????w???w???????w ??w??%[:???????d???r?%[1?%[??'[d?????%[?-%[???????w8h%[\2%[?1%[htinst.INI?[?u%[????d???????8G?

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2010-02-01 13:43:23
ComboFix-quarantined-files.txt 2010-02-01 12:43

Pre-Run: Volných bajtů: 17 331 195 904
Post-Run: Volných bajtů: 17 328 087 040

- - End Of File - - 25CD7E06C03F0CAF2FCD35C800B579B3

Pri tejto akcii je nutné mať ComboFix na ploche.

Vypni>FIREWALL>Antivir>Antispyware>vsetko rezidentne.

Otvor Notepad (Poznámkový blok) a zkopíruj do neho celý zeleny tex: Potom klik na Subor -> Uložiť ako.. .. -> Ako je Názov souboru tak do toho riadku napiš:CFScript.txt
Typ súboru tak tam vyberies *všetky súbory
A ulož ho na plochu.> Pozor CFScript.txt>Neotvarat a nemoze byt ani>CFScript.txt.txt A Urobis Toto :


Po skonceni skenu vlož log čo ComboFix vytvorí

log:

ComboFix 10-01-31.03 - Mato 01.02.2010 14:19:07.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1250.421.1029.18.256.97 [GMT 1:00]
Running from: c:\documents and settings\Mato\Plocha\ComboFix.exe
Command switches used :: c:\documents and settings\Mato\Plocha\CFScript.txt
AV: avast! antivirus 4.8.1335 [VPS 100131-1] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

FILE ::
"c:\documents and settings\Mato\Data aplikací\Microsoft\Internet Explorer\qipsearchbar.dll"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Mato\Data aplikací\Microsoft\Internet Explorer\qipsearchbar.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_EJUWVU
-------\Legacy_MBAU
-------\Legacy_TEKZV
-------\Legacy_VQCOJN
-------\Service_EJUWVU
-------\Service_MBAU
-------\Service_TEKZV
-------\Service_VQCOJN


((((((((((((((((((((((((( Files Created from 2010-01-01 to 2010-02-01 )))))))))))))))))))))))))))))))
.

2010-02-01 11:07 . 2009-12-30 13:55 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-01 11:07 . 2010-02-01 11:32 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-01 11:07 . 2009-12-30 13:54 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-01 11:02 . 2010-02-01 11:02 596354 ----a-w- C:\UsbFix_Upload_Me_HA.zip
2010-02-01 10:54 . 2010-02-01 11:02 -------- d-----w- C:\UsbFix
2010-02-01 09:41 . 2010-02-01 09:41 -------- d-----w- c:\program files\trend micro
2010-02-01 09:41 . 2010-02-01 09:41 -------- d-----w- C:\rsit
2010-01-31 17:46 . 2010-01-31 17:46 -------- d-----w- c:\program files\CCleaner

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-29 15:21 . 2009-09-03 07:21 -------- d-----w- c:\program files\ICQ6.5
2010-01-22 01:44 . 2009-10-17 08:11 -------- d-----w- c:\program files\DOSBox-0.72
2009-12-22 05:42 . 2006-06-23 12:27 663040 ------w- c:\windows\system32\wininet.dll
2009-12-22 05:42 . 2004-08-17 22:49 81920 ------w- c:\windows\system32\ieencode.dll
2009-11-21 16:46 . 2003-04-16 12:00 470528 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-08-20 15:23 . 2009-08-16 03:26 67688 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2009-08-20 15:23 . 2009-08-16 03:26 54368 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2009-08-20 15:23 . 2009-08-18 02:26 34944 ----a-w- c:\program files\mozilla firefox\components\myspell.dll
2009-08-20 15:23 . 2009-08-18 02:26 46712 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll
2009-08-20 15:23 . 2009-08-16 03:26 172136 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="c:\windows\System32\NVMCTRAY.DLL" [2003-03-20 49152]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-08-17 1667584]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Anvshell"="anvshell.exe" [2003-03-13 348160]
"LiveNote"="livenote.exe" [2002-07-11 40960]
"EPSON Stylus C42 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE" [2002-02-19 74240]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"Smapp"="c:\program files\Analog Devices\SoundMAX\SMTray.exe" [2002-10-11 98304]
"HTpatch"="c:\windows\htpatch.exe" [2002-10-30 28672]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-03-20 4616192]
"nwiz"="nwiz.exe" [2003-03-20 323584]
"DAEMON Tools"="c:\program files\DAEMON Tools\daemon.exe" [2005-12-10 133016]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2006-11-21 35328]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-08-24 149280]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2004-08-17 15360]

c:\documents and settings\All Users.WINDOWS\Nabˇdka Start\Programy\Po spuçtŘnˇ\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"HonorAutoRunSetting"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"HonorAutoRunSetting"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Games\\Rise of Nations\\rise.exe"=
"c:\\Program Files\\Microsoft Games\\Rise of Nations\\thrones.exe"=
"c:\\Program Files\\QIP Infium\\infium.exe"=
"c:\\Program Files\\Microsoft Games\\Rise of Nations\\patriots.exe"=
"c:\\Program Files\\Java\\jre6\\launch4j-tmp\\frd.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Program Files\\ICQ6.5\\ICQ.exe"=
"c:\\totalcmd\\TOTALCMD.EXE"=

R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [29.3.2009 8:31 642560]
R1 ANVIOCTL;ANVIOCTL;c:\windows\system32\drivers\anvioctl.sys [20.3.2009 21:28 232480]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [12.3.2009 16:57 114768]
R2 Prvflder;Prvflder;c:\windows\system32\drivers\prvflder.sys [21.4.2006 7:22 70912]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [1.2.2010 12:07 38224]
S3 s816bus;Sony Ericsson Device 816 driver (WDM);c:\windows\system32\drivers\s816bus.sys [10.5.2009 14:07 81832]
.
.
------- Supplementary Scan -------
.
uSearchAssistant = hxxp://search.qip.ru/ie
uSearchURL,(Default) = Root: HKCU; Subkey: Software\Microsoft\Internet Explorer\SearchUrl; ValueType: string; ValueName: '; ValueData: '; Flags: createvalueifdoesntexist noerror; Tasks: AddSearchQip
IE: E&xportovat do aplikace Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Mato\Data aplikací\Mozilla\Firefox\Profiles\he2nrsx8.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.sk/
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-01 14:29
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HTpatch = c:\windows\htpatch.exe?ows\CurrentVersion\Run???\?????%[????`?'[??'[`?'[??????????????%[??%[??'[??'[$?????%[??????????????%[??????????%[???w????(??????w???w???????w ??w??%[:???????d???r?%[1?%[??'[d?????%[?-%[???????w8h%[\2%[?1%[htinst.INI?[?u%[????d???????8G?

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe >>UNKNOWN [0x81B950E8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> 0x81b950e8
\Driver\ACPI -> ACPI.sys @ 0xf9900cb8
\Driver\atapi -> atapi.sys @ 0xf98bd2f0
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0084
ParseProcedure -> ntoskrnl.exe @ 0x8056f07e
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0084
ParseProcedure -> ntoskrnl.exe @ 0x8056f07e
NDIS: SiS 900-Based PCI Fast Ethernet Adapter -> SendCompleteHandler -> NDIS.sys @ 0xf97c7af9
PacketIndicateHandler -> NDIS.sys @ 0xf97d2b21
SendHandler -> NDIS.sys @ 0xf97c7938
Warning: possible MBR rootkit infection !
user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2232)
c:\program files\Microsoft Private Folder 1.0\ShellExt.dll
c:\windows\system32\PFLib.dll
c:\windows\system32\msi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\windows\anvshell.exe
c:\windows\system32\RUNDLL32.EXE
c:\program files\Common Files\EPSON\EBAPI\SAgent2.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\System32\nvsvc32.exe
c:\program files\Microsoft Private Folder 1.0\PrfldSvc.exe
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\windows\System32\wdfmgr.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\windows\system32\wscntfy.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
.
**************************************************************************
.
Completion time: 2010-02-01 14:35:34 - machine was rebooted
ComboFix-quarantined-files.txt 2010-02-01 13:35
ComboFix2.txt 2010-02-01 12:43

Pre-Run: Volných bajtů: 17 327 464 448
Post-Run: Volných bajtů: 17 243 009 024

- - End Of File - - 3160B16AC8167B07D0A88CE5676B888F

Odinstaluj progrm C:\Program Files\DAEMON Tools Lite i pokud mas jine emulatory mechanik, alcohol aspol.

Stahni dle ze stranek SPTD http://www.duplexsecure.com/en/downloads verzi dle sveho operacniho systemu. SPTD for Windows (32 bit) nebo (64b) na plochu
- spust
- zvol moznost Uninstall
- restart PC

stiahni>> MBR - http://www2.gmer.net/mbr/mbr.exe ulož ho na plochu
klik start-klik spustit vloz prikaz
cmd /c mbr.exe -t >log.txt&start log.txt log.txt vloz sem.

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys siside.sys PCIIDEX.SYS
kernel: MBR read successfully
user & kernel MBR OK

ok,ja si myslim ze uz je to ok,skus este raz nainstalovat Malwarebytes a spust,

no predtým sa to zastavovalo po 40 sekundách cca na 5100 súbore ktorý kontroloval ..a teraz po minúte 24 sekundách na cca 5400 súbore ktorý kontroloval ... no neviem teda ...