Vir winesm32.exe

[Filip.3k]

Logfile of random's system information tool 1.06 (written by random/random)
Run by Md.Thrax at 2010-03-01 18:38:56
Systém Microsoft Windows XP Professional Service Pack 2
System drive C: has 656 MB (7%) free of 10 GB
Total RAM: 3582 MB (78% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:39:16, on 1.3.2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\MagicTune Premium\MagicTuneEngine.exe
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\WakeMeUp\WMUSvc.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Analog Devices\SoundMAX\smax4.exe
C:\Program Files\WakeMeUp\WMUAgent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\RocketDock\RocketDock.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\WINDOWS\system32\cmd.exe
C:\Program Files\ICQ6.5\ICQ.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\wincmd\TOTALCMD.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\K-Lite Codec Pack\Media Player Classic\mplayerc.exe
C:\Program Files\VS Revo Group\Revo Uninstaller\revouninstaller.exe
D:\====== DOWNLOAD =====\RSIT.exe
C:\Program Files\trend micro\Md.Thrax.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.daemon-search.com/startpage
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: DAEMON Tools Toolbar - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files\DAEMON Tools Toolbar\DTToolbar.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\smax4.exe" /tray
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [amd_dc_opt] C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [WMUAgent.exe] C:\Program Files\WakeMeUp\WMUAgent.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe"
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [Citrus Alarm Clock] C:\Program Files\Citrus Alarm Clock\citrusac.exe
O4 - HKCU\..\Run: [WMUTray.exe] C:\Program Files\WakeMeUp\WMUTray.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide3] cmd.exe /C rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide3] cmd.exe /C rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe
O4 - Startup: winesm32.exe
O8 - Extra context menu item: Download Using &BitSpirit - C:\Program Files\BitSpirit\bsurl.htm
O8 - Extra context menu item: E&xportovat do aplikace Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Odeslat do aplikace OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: Od&eslat do aplikace OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe (file missing)
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe (file missing)
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6.5\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6.5\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Dragon Age: Prameny - aktualizace obsahu (DAUpdaterSvc) - BioWare - D:\Games\Dragon Age\bin_ship\DAUpdaterSvc.Service.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: MagicTuneEngine - Unknown owner - C:\Program Files\MagicTune Premium\MagicTuneEngine.exe
O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: WakeMeUp! Service (svcWMU) - Highspheres.com - C:\Program Files\WakeMeUp\WMUSvc.exe

--
End of file - 8891 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\AppleSoftwareUpdate.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
AcroIEHlprObj Class - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2004-12-14 63136]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
Java(tm) Plug-In SSV Helper - C:\Program Files\Java\jre6\bin\ssv.dll [2008-11-28 320920]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java(tm) Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2008-11-28 34816]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2008-11-28 73728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{32099AAC-C132-4136-9E9A-4E364A424E17} - DAEMON Tools Toolbar - C:\Program Files\DAEMON Tools Toolbar\DTToolbar.dll [2008-10-14 863688]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"=C:\Program Files\Analog Devices\Core\smax4pnp.exe [2006-12-18 868352]
"avast!"=C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe [2009-11-25 81000]
"SoundMAX"=C:\Program Files\Analog Devices\SoundMAX\smax4.exe [2006-07-13 729088]
"iTunesHelper"=C:\Program Files\iTunes\iTunesHelper.exe [2009-06-05 292136]
"amd_dc_opt"=C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe [2008-07-22 77824]
"QuickTime Task"=C:\Program Files\QuickTime\QTTask.exe [2009-09-05 417792]
"WMUAgent.exe"=C:\Program Files\WakeMeUp\WMUAgent.exe [2006-11-25 160256]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2004-08-17 15360]
"RocketDock"=C:\Program Files\RocketDock\RocketDock.exe [2007-09-02 495616]
"DAEMON Tools Lite"=C:\Program Files\DAEMON Tools Lite\daemon.exe [2009-04-23 691656]
"Citrus Alarm Clock"=C:\Program Files\Citrus Alarm Clock\citrusac.exe []
"WMUTray.exe"=C:\Program Files\WakeMeUp\WMUTray.exe [2006-12-07 745984]

C:\Documents and Settings\Md.Thrax\Nabídka Start\Programy\Po spuštění
OpenOffice.org 2.0.lnk - C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe
winesm32.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
C:\WINDOWS\system32\Ati2evxx.dll [2008-09-24 143360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\nm]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\nm.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\UploadMgr]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\{1a3e09be-1e45-494b-9174-d7385b45bbf5}]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\Program Files\ICQLite\ICQLite.exe"="C:\Program Files\ICQLite\ICQLite.exe:*:Enabled:ICQ Lite"
"C:\Program Files\Garena\Garena.exe"="C:\Program Files\Garena\Garena.exe:*:Enabled:Garena"
"C:\Program Files\ICQ6\ICQ.exe"="C:\Program Files\ICQ6\ICQ.exe:*:Enabled:ICQ6"
"C:\Program Files\Hamachi\hamachi.exe"="C:\Program Files\Hamachi\hamachi.exe:*:Enabled:Hamachi Client"
"C:\Program Files\RelevantKnowledge\rlvknlg.exe"="C:\Program Files\RelevantKnowledge\rlvknlg.exe:*:Enabled:rlvknlg.exe"
"E:\======= Games =======\ Far Cry2\Far Cry 2\bin\FarCry2.exe"="E:\======= Games =======\ Far Cry2\Far Cry 2\bin\FarCry2.exe:*:Enabled:Far Cry 2"
"E:\======= Games =======\ Far Cry2\Far Cry 2\bin\FC2Launcher.exe"="E:\======= Games =======\ Far Cry2\Far Cry 2\bin\FC2Launcher.exe:*:Enabled:Far Cry 2 Updater"
"E:\======= Games =======\ Far Cry2\Far Cry 2\bin\FC2Editor.exe"="E:\======= Games =======\ Far Cry2\Far Cry 2\bin\FC2Editor.exe:*:Enabled:Editor"
"C:\WINDOWS\system32\PnkBstrA.exe"="C:\WINDOWS\system32\PnkBstrA.exe:*:Enabled:PnkBstrA"
"C:\WINDOWS\system32\PnkBstrB.exe"="C:\WINDOWS\system32\PnkBstrB.exe:*:Enabled:PnkBstrB"
"C:\Program Files\MagicTune Premium\MagicTune.exe"="C:\Program Files\MagicTune Premium\MagicTune.exe:*:Disabled:MagicTune"
"E:\======= Games =======\GH 3\GH3.exe"="E:\======= Games =======\GH 3\GH3.exe:*:Enabled:Guitar Hero III"
"E:\======= Games =======\Zeor hour\game.dat"="E:\======= Games =======\Zeor hour\game.dat:*:Disabled:game"
"E:\======= Games =======\CC Zero\game.dat"="E:\======= Games =======\CC Zero\game.dat:*:Disabled:game"
"\\Fanda_corp\ACERDATA (D)\CC\ZERO HOUR\game.dat"="\\Fanda_corp\ACERDATA (D)\CC\ZERO HOUR\game.dat:*:Disabled:game.dat"
"C:\Documents and Settings\Md.Thrax\Local Settings\Temp\ElectronicArts_Patcher_000.exe"="C:\Documents and Settings\Md.Thrax\Local Settings\Temp\ElectronicArts_Patcher_000.exe:*:Disabled:Red Alert 3 Launcher"
"E:\======= Games =======\ra3\Data\ra3_1.1.game"="E:\======= Games =======\ra3\Data\ra3_1.1.game:*:Enabled:Command & Conquer™ Red Alert™ 3"
"H:\Games\deadspace\Dead Space.exe"="H:\Games\deadspace\Dead Space.exe:*:Enabled:Dead Space ™"
"H:\Games\POP\Prince of Persia.exe"="H:\Games\POP\Prince of Persia.exe:*:Enabled:Prince of Persia Dx"
"H:\Games\POP\PrinceOfPersia_Launcher.exe"="H:\Games\POP\PrinceOfPersia_Launcher.exe:*:Enabled:Prince of Persia Update"
"H:\Games\Gta4\Rockstar Games Social Club\RGSCLauncher.exe"="H:\Games\Gta4\Rockstar Games Social Club\RGSCLauncher.exe:*:Enabled:Rockstar Games Social Club"
"C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE"="C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote"
"H:\GAMESY\Mirror s Edge\Binaries\MirrorsEdge.exe"="H:\GAMESY\Mirror s Edge\Binaries\MirrorsEdge.exe:*:Enabled:Mirror's Edge™"
"D:\Games\Neverwinter Nights\nwn2main.exe"="D:\Games\Neverwinter Nights\nwn2main.exe:*:Enabled:Neverwinter Nights 2 Main"
"D:\Games\Neverwinter Nights\nwn2main_amdxp.exe"="D:\Games\Neverwinter Nights\nwn2main_amdxp.exe:*:Enabled:Neverwinter Nights 2 AMD"
"D:\Games\Neverwinter Nights\nwupdate.exe"="D:\Games\Neverwinter Nights\nwupdate.exe:*:Enabled:Neverwinter Nights 2 Updater"
"D:\Games\Neverwinter Nights\nwn2server.exe"="D:\Games\Neverwinter Nights\nwn2server.exe:*:Enabled:Neverwinter Nights 2 Server"
"D:\Heroes of Might and Magic III Complete\Heroes3.exe"="D:\Heroes of Might and Magic III Complete\Heroes3.exe:*:Enabled:Heroes of Might and Magic® III"
"C:\WINDOWS\system32\dplaysvr.exe"="C:\WINDOWS\system32\dplaysvr.exe:*:Enabled:Microsoft DirectPlay Helper"
"D:\Games\DOW2.exe"="D:\Games\DOW2.exe:*:Enabled:DOW2"
"C:\Program Files\ICQ6.5\ICQ.exe"="C:\Program Files\ICQ6.5\ICQ.exe:*:Enabled:ICQ6"
"C:\Program Files\Bonjour\mDNSResponder.exe"="C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour"
"E:\======= Games =======\lef4dad\left 4 dead\left4dead.exe"="E:\======= Games =======\lef4dad\left 4 dead\left4dead.exe:*:Enabled:left4dead"
"E:\======= Games =======\lef4dad\left 4 dead\hl2.exe"="E:\======= Games =======\lef4dad\left 4 dead\hl2.exe:*:Enabled:hl2"
"E:\======= Games =======\!!! Heroes of Might and Magic III Complete !!!\Heroes3.exe"="E:\======= Games =======\!!! Heroes of Might and Magic III Complete !!!\Heroes3.exe:*:Enabled:Heroes of Might and Magic® III"
"G:\bin\Demigod.exe"="G:\bin\Demigod.exe:*:Enabled:Demigod Application"
"H:\Games\BurnoutLauncher.exe"="H:\Games\BurnoutLauncher.exe:*:Enabled:Burnout(TM) Paradise The Ultimate Box"
"H:\Games\BurnoutConfigTool.exe"="H:\Games\BurnoutConfigTool.exe:*:Enabled:Burnout(TM) Paradise The Ultimate Box"
"H:\Games\BurnoutParadise.exe"="H:\Games\BurnoutParadise.exe:*:Enabled:Burnout(TM) Paradise The Ultimate Box"
"D:\Games\Liberty Point\Binaries\LTCG-TPGame.exe"="D:\Games\Liberty Point\Binaries\LTCG-TPGame.exe:*:Enabled:Turning Point: Fall of Liberty"
"H:\X-MEN\Binaries\Wolverine.exe"="H:\X-MEN\Binaries\Wolverine.exe:*:Enabled:X-Men Origins - Wolverine"
"D:\Battle Forge\Bootstrapper.exe"="D:\Battle Forge\Bootstrapper.exe:*:Enabled:BattleForge™ Launcher"
"D:\Battle Forge\BattleForge.exe"="D:\Battle Forge\BattleForge.exe:*:Enabled:BattleForge™"
"C:\Program Files\BitSpirit\BitSpirit.exe"="C:\Program Files\BitSpirit\BitSpirit.exe:*:Enabled:The powerful and easy-to-use BitTorrent Client"
"C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes"
"D:\Games\Street Fighter IV\StreetFighterIV.exe"="D:\Games\Street Fighter IV\StreetFighterIV.exe:*:Enabled:STREET FIGHTER IV"
"D:\Games\Fuel\FUEL.exe"="D:\Games\Fuel\FUEL.exe:*:Enabled:FUEL"
"H:\===== I.S.O. ======\Stronghold\Stronghold Crusader.exe"="H:\===== I.S.O. ======\Stronghold\Stronghold Crusader.exe:*:Enabled:Stronghold Crusader"
"H:\======= GAMES =======\SRTT\Stronghold Crusader.exe"="H:\======= GAMES =======\SRTT\Stronghold Crusader.exe:*:Enabled:Stronghold Crusader"
"E:\======= Games =======\Warcraft III\euroloader.exe"="E:\======= Games =======\Warcraft III\euroloader.exe:*:Enabled:euroloader"
"C:\WINDOWS\system32\sessmgr.exe"="C:\WINDOWS\system32\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"
"E:\======= Games =======\Warcraft III\Warcraft III.exe"="E:\======= Games =======\Warcraft III\Warcraft III.exe:*:Disabled:Warcraft III"
"E:\======= Games =======\Warcraft III\war3.exe"="E:\======= Games =======\Warcraft III\war3.exe:*:Disabled:Warcraft III"
"E:\======= Games =======\Anno\tools\Anno4Web.exe"="E:\======= Games =======\Anno\tools\Anno4Web.exe:*:Enabled:Anno4Web"
"F:\=====Games=====\Guitar Hero world Tour\GHWT.exe"="F:\=====Games=====\Guitar Hero world Tour\GHWT.exe:*:Disabled:Guitar Hero World Tour"
"C:\Documents and Settings\Md.Thrax\Data aplikací\Facebook\facebook.exe"="C:\Documents and Settings\Md.Thrax\Data aplikací\Facebook\facebook.exe:127.0.0.1/255.255.255.255:Enabled:Facebook"
"E:\======= Games =======\SIns\Stardock Games\Sins of a Solar Empire\Sins of a Solar Empire.exe"="E:\======= Games =======\SIns\Stardock Games\Sins of a Solar Empire\Sins of a Solar Empire.exe:*:Enabled:Sins of a Solar Empire"
"H:\======= GAMES =======\Re 5\RE5DX9.EXE"="H:\======= GAMES =======\Re 5\RE5DX9.EXE:*:Enabled:RESIDENT EVIL 5 (DX9)"
"H:\======= GAMES =======\Re 5\RE5DX10.EXE"="H:\======= GAMES =======\Re 5\RE5DX10.EXE:*:Enabled:RESIDENT EVIL 5 (DX10)"
"F:\=====Games=====\Star Wars CW\Republic Heroes.exe"="F:\=====Games=====\Star Wars CW\Republic Heroes.exe:*:Enabled:Republic Heroes"
"D:\World of Warcraft\World of Warcraft\WoW-3.2.0-enGB-downloader.exe"="D:\World of Warcraft\World of Warcraft\WoW-3.2.0-enGB-downloader.exe:*:Enabled:Blizzard Downloader"
"D:\World of Warcraft\World of Warcraft\Launcher.exe"="D:\World of Warcraft\World of Warcraft\Launcher.exe:*:Enabled:Blizzard Launcher"
"D:\World of Warcraft\World of Warcraft\WoW-3.2.0.10192-to-3.2.0.10314-enGB-downloader.exe"="D:\World of Warcraft\World of Warcraft\WoW-3.2.0.10192-to-3.2.0.10314-enGB-downloader.exe:*:Enabled:Blizzard Downloader"
"D:\World of Warcraft\World of Warcraft\WoW-3.2.0.10314-to-3.2.2.10482-enGB-downloader.exe"="D:\World of Warcraft\World of Warcraft\WoW-3.2.0.10314-to-3.2.2.10482-enGB-downloader.exe:*:Enabled:Blizzard Downloader"
"D:\World of Warcraft\World of Warcraft\WoW-3.2.2.10482-to-3.2.2.10505-enGB-downloader.exe"="D:\World of Warcraft\World of Warcraft\WoW-3.2.2.10482-to-3.2.2.10505-enGB-downloader.exe:*:Enabled:Blizzard Downloader"
"D:\Games\Majesty 2\Majesty2.exe"="D:\Games\Majesty 2\Majesty2.exe:*:Enabled:Majesty 2"
"C:\WINDOWS\system32\dpvsetup.exe"="C:\WINDOWS\system32\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test"
"C:\WINDOWS\system32\rundll32.exe"="C:\WINDOWS\system32\rundll32.exe:*:Enabled:Run a DLL as an App"
"C:\Program Files\Java\jre6\bin\java.exe"="C:\Program Files\Java\jre6\bin\java.exe:*:Enabled:Java(TM) Platform SE binary"
"H:\Warcraft III\War3.exe"="H:\Warcraft III\War3.exe:*:Enabled:Warcraft III"
"D:\Games\Dragon Age\bin_ship\daorigins.exe"="D:\Games\Dragon Age\bin_ship\daorigins.exe:*:Enabled:Dragon Age Prameny Hra"
"D:\Games\Dragon Age\DAOriginsLauncher.exe"="D:\Games\Dragon Age\DAOriginsLauncher.exe:*:Enabled:Dragon Age Prameny Spustit"
"D:\Games\Dragon Age\bin_ship\daupdatersvc.service.exe"="D:\Games\Dragon Age\bin_ship\daupdatersvc.service.exe:*:Enabled:Dragon Age Prameny Aktualizovat"
"D:\Batman\Binaries\ShippingPC-BmGame.exe"="D:\Batman\Binaries\ShippingPC-BmGame.exe:*:Enabled:Batman: Arkham Asylum"
"D:\Mass Effect 2\Binaries\MassEffect2.exe"="D:\Mass Effect 2\Binaries\MassEffect2.exe:*:Enabled:Mass Effect 2 Game"
"D:\Mass Effect 2\MassEffect2Launcher.exe"="D:\Mass Effect 2\MassEffect2Launcher.exe:*:Enabled:Mass Effect 2 Launcher"
"D:\Games\Mass Effect\Binaries\MassEffect.exe"="D:\Games\Mass Effect\Binaries\MassEffect.exe:*:Enabled:Mass Effect Game"
"D:\Games\Mass Effect\MassEffectLauncher.exe"="D:\Games\Mass Effect\MassEffectLauncher.exe:*:Enabled:Mass Effect Launcher"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6474e998-a78d-11dd-882f-001fc6250b4b}]
shell\AutoRun\command - J:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\iuhi64.exe
shell\open\command - J:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\iuhi64.exe


======List of files/folders created in the last 1 months======

2010-03-01 18:38:57 ----D---- C:\Program Files\trend micro
2010-03-01 18:38:56 ----D---- C:\rsit
2010-03-01 18:09:00 ----HD---- C:\WINDOWS\PIF
2010-02-27 17:03:36 ----A---- C:\WINDOWS\system32\fjhdyfhsn.bat
2010-02-16 12:12:35 ----D---- C:\Program Files\WakeMeUp
2010-02-04 20:02:27 ----D---- C:\Program Files\PKR

======List of files/folders modified in the last 1 months======

2010-03-01 18:39:04 ----D---- C:\WINDOWS\Prefetch
2010-03-01 18:38:57 ----RD---- C:\Program Files
2010-03-01 18:34:24 ----A---- C:\WINDOWS\wincmd.ini
2010-03-01 18:09:00 ----D---- C:\WINDOWS
2010-03-01 16:32:47 ----D---- C:\Program Files\Mozilla Firefox
2010-02-27 23:23:51 ----D---- C:\Program Files\SpeedFan
2010-02-27 17:03:54 ----RSHDC---- C:\WINDOWS\system32\dllcache
2010-02-27 17:03:51 ----D---- C:\WINDOWS\system32\CatRoot2
2010-02-27 17:03:50 ----D---- C:\WINDOWS\system32\drivers
2010-02-27 17:03:36 ----D---- C:\WINDOWS\system32
2010-02-27 16:20:01 ----D---- C:\Documents and Settings\Md.Thrax\Data aplikací\OpenOffice.org2
2010-02-20 06:31:33 ----A---- C:\WINDOWS\SchedLgU.Txt
2010-02-15 22:37:57 ----SHD---- C:\WINDOWS\Installer
2010-02-15 22:37:57 ----D---- C:\Config.Msi
2010-02-15 22:37:56 ----D---- C:\WINDOWS\WinSxS
2010-02-15 22:37:03 ----D---- C:\Program Files\Common Files\BioWare
2010-02-15 17:36:09 ----D---- C:\Program Files\Citrus Alarm Clock
2010-02-09 15:29:44 ----D---- C:\Documents and Settings\Md.Thrax\Data aplikací\ICQ
2010-02-03 00:57:17 ----AC---- C:\WINDOWS\avisplitter.ini

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 Aavmker4;avast! Asynchronous Virus Monitor; C:\WINDOWS\system32\drivers\Aavmker4.sys [2009-11-25 27408]
R1 AmdK8;Ovladač procesoru AMD; C:\WINDOWS\system32\DRIVERS\AmdK8.sys [2006-07-01 43008]
R1 AsIO;AsIO; C:\WINDOWS\system32\drivers\AsIO.sys [2006-10-18 12664]
R1 aswSP;avast! Self Protection; C:\WINDOWS\system32\drivers\aswSP.sys [2009-11-25 114768]
R1 aswTdi;avast! Network Shield Support; C:\WINDOWS\system32\drivers\aswTdi.sys [2009-11-25 48560]
R1 kbdhid;Ovladač klávesnice standardu HID; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2004-08-17 14848]
R1 NVTCP;NVIDIA TCP/IP Protocol Driver; C:\WINDOWS\System32\DRIVERS\NVTcp.sys [2006-09-11 110592]
R1 PQNTDrv;PQNTDrv; C:\WINDOWS\system32\drivers\PQNTDrv.sys [2002-09-16 4228]
R1 Tcpip6;Ovladač protokolu Microsoft IPv6; C:\WINDOWS\system32\DRIVERS\tcpip6.sys [2006-11-08 225664]
R1 WS2IFSL;Podpůrné prostředí zprostředkovatele služeb Windows Socket 2.0 bez podpory IFS; C:\WINDOWS\System32\drivers\ws2ifsl.sys [2001-10-25 12032]
R2 aswFsBlk;aswFsBlk; C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2009-11-25 20560]
R2 aswMon2;avast! Standard Shield Support; C:\WINDOWS\system32\drivers\aswMon2.sys [2009-11-25 94160]
R2 atksgt;atksgt; C:\WINDOWS\system32\DRIVERS\atksgt.sys [2009-07-28 281760]
R2 lirsgt;lirsgt; C:\WINDOWS\system32\DRIVERS\lirsgt.sys [2009-07-28 25888]
R3 ADIHdAudAddService;ADI UAA Function Driver for High Definition Audio Service; C:\WINDOWS\system32\drivers\ADIHdAud.sys [2007-01-16 293888]
R3 AEAudio;AE Audio Service; C:\WINDOWS\system32\drivers\AEAudio.sys [2006-08-06 93952]
R3 AmdLLD;AMD Low Level Device Driver; C:\WINDOWS\system32\DRIVERS\AmdLLD.sys [2007-06-29 34304]
R3 aswRdr;aswRdr; C:\WINDOWS\system32\drivers\aswRdr.sys [2009-11-25 23120]
R3 ati2mtag;ati2mtag; C:\WINDOWS\system32\DRIVERS\ati2mtag.sys [2008-09-24 3331072]
R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys [2009-03-19 23400]
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2004-10-27 138240]
R3 hidusb;Ovladač třídy standardu HID; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2001-10-25 9600]
R3 MagicTune;MagicTune; C:\WINDOWS\system32\drivers\MTiCtwl.sys [2008-03-14 14848]
R3 mouhid;Ovladač myši standardu HID; C:\WINDOWS\System32\DRIVERS\mouhid.sys [2006-11-08 12160]
R3 MTsensor;ATK0110 ACPI UTILITY; C:\WINDOWS\System32\DRIVERS\ASACPI.sys [2004-08-13 5810]
R3 NVENETFD;NVIDIA nForce Networking Controller Driver; C:\WINDOWS\System32\DRIVERS\NVENETFD.sys [2006-09-11 57856]
R3 nvnetbus;NVIDIA Network Bus Enumerator; C:\WINDOWS\System32\DRIVERS\nvnetbus.sys [2006-09-11 19968]
R3 SenFiltService;SenFilt Service; C:\WINDOWS\system32\drivers\Senfilt.sys [2006-03-17 392960]
R3 tunmp;Microsoft Tun Miniport Adapter Driver; C:\WINDOWS\system32\DRIVERS\tunmp.sys [2006-11-08 12416]
R3 usbccgp;Obecný nadřazený ovladač Microsoft USB; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2004-08-03 31616]
R3 usbehci;Ovladač miniportu rozšířeného radiče hostitele Microsoft USB 2.0; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2004-08-03 26624]
R3 usbhub;Ovladač standardního rozbočovače USB; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2004-08-03 57600]
R3 usbohci;Ovladač Miniport otevřeného hostitelského řadiče Microsoft USB; C:\WINDOWS\system32\DRIVERS\usbohci.sys [2004-08-03 17024]
S3 a9tn6dpa;a9tn6dpa; C:\WINDOWS\system32\drivers\a9tn6dpa.sys []
S3 GarenaPEngine;GarenaPEngine; \??\C:\DOCUME~1\MD2FA2~1.THR\LOCALS~1\Temp\ETSF3.tmp []
S3 hamachi;Hamachi Network Interface; C:\WINDOWS\system32\DRIVERS\hamachi.sys [2008-10-25 25280]
S3 nmwcd;Nokia USB Phone Parent; C:\WINDOWS\system32\drivers\nmwcd.sys [2007-02-22 137216]
S3 nmwcdc;Nokia USB Generic; C:\WINDOWS\system32\drivers\nmwcdc.sys [2007-02-22 8320]
S3 nmwcdcj;Nokia USB Port; C:\WINDOWS\system32\drivers\nmwcdcj.sys [2007-02-22 12288]
S3 nmwcdcm;Nokia USB Modem; C:\WINDOWS\system32\drivers\nmwcdcm.sys [2007-02-22 12288]
S3 USBAAPL;Apple Mobile USB Driver; C:\WINDOWS\System32\Drivers\usbaapl.sys [2009-06-05 39424]
S3 usbstor;Ovladač velkokapacitního paměťového zařízení USB; C:\WINDOWS\System32\DRIVERS\USBSTOR.SYS [2004-08-03 26496]
S3 WpdUsb;WpdUsb; C:\WINDOWS\system32\DRIVERS\wpdusb.sys [2006-10-18 38528]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-15 82688]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 6to4;Pomocná služba protokolu IPv6; C:\WINDOWS\system32\svchost.exe [2004-08-17 14336]
R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2009-06-05 144712]
R2 aswUpdSv;avast! iAVS4 Control Service; C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe [2009-11-25 18752]
R2 Ati HotKey Poller;Ati HotKey Poller; C:\WINDOWS\system32\Ati2evxx.exe [2008-09-24 581632]
R2 avast! Antivirus;avast! Antivirus; C:\Program Files\Alwil Software\Avast4\ashServ.exe [2009-11-25 138680]
R2 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2008-12-12 238888]
R2 ForceWare Intelligent Application Manager (IAM);ForceWare Intelligent Application Manager (IAM); C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe [2006-09-11 172032]
R2 ForcewareWebInterface;Forceware Web Interface; C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe [2006-04-13 20543]
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2008-11-28 152984]
R2 MagicTuneEngine;MagicTuneEngine; C:\Program Files\MagicTune Premium\MagicTuneEngine.exe [2007-08-23 45056]
R2 NMSAccessU;NMSAccessU; C:\Program Files\CDBurnerXP\NMSAccessU.exe [2008-10-20 71096]
R2 nSvcIp;ForceWare IP service; C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe [2006-09-11 135227]
R2 nSvcLog;ForceWare user log service; C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe [2006-09-11 65599]
R2 PnkBstrA;PnkBstrA; C:\WINDOWS\system32\PnkBstrA.exe [2008-10-31 66872]
R2 PnkBstrB;PnkBstrB; C:\WINDOWS\system32\PnkBstrB.exe [2008-10-31 107832]
R2 svcWMU;WakeMeUp! Service; C:\Program Files\WakeMeUp\WMUSvc.exe [2007-01-11 370688]
R2 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2004-08-17 14336]
R3 avast! Mail Scanner;avast! Mail Scanner; C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe [2009-11-25 254040]
R3 avast! Web Scanner;avast! Web Scanner; C:\Program Files\Alwil Software\Avast4\ashWebSv.exe [2009-11-25 352920]
S2 ATI Smart;ATI Smart; C:\WINDOWS\system32\ati2sgag.exe [2008-09-23 593920]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2008-07-25 34312]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2008-07-25 69632]
S3 DAUpdaterSvc;Dragon Age: Prameny - aktualizace obsahu; D:\Games\Dragon Age\bin_ship\DAUpdaterSvc.Service.exe [2009-07-26 25832]
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; C:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe [2008-07-29 46104]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [2005-04-03 69632]
S3 idsvc;Windows CardSpace; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2008-07-29 881664]
S3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2009-06-05 541992]
S3 odserv;Microsoft Office Diagnostics Service; C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE [2006-10-26 441136]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2006-10-26 145184]
S3 ServiceLayer;ServiceLayer; C:\Program Files\PC Connectivity Solution\ServiceLayer.exe [2007-03-26 292864]
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2008-07-29 132096]

-----------------EOF-----------------

[Caroprd111]

Zdravím

Na logu se pracuje, prosím o strpení.

[Caroprd111]

Stáhněte a uložte, nejlépe na plochu http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Vypněte všechny rezidentní bezpečnostní programy - firewally, antiviry, antispywary

Vložte do PC všechny flash disky, které používáte.

Spusťte aplikaci pod účtem s oprávněním Administrátora (Správce), ihned po startu se zobrází stránka s licenčnímy podmínkami, pokračujte stisknutím tlačítka "Ano"

Dále postupujte dle pokynů, během scanu nespouštějte jiné aplikace a neklikejte do zobrazujícího se okna

Scan by měl trvat okolo 5 - 10 minut, po dokončení Combofix zobrazí log C:\ComboFix.txt , který sem vložte.

Během skenování může být počítač restartován.

[Filip.3k]

ComboFix 10-03-01.01 - Md.Thrax 01.03.2010 20:04:23.1.2 - x86
Systém Microsoft Windows XP Professional 5.1.2600.2.1250.420.1029.18.3582.3093 [GMT 1:00]
Spuštěný z: c:\documents and settings\Md.Thrax\Plocha\ComboFix.exe
AV: avast! antivirus 4.8.1368 [VPS 091231-0] *On-access scanning disabled* (Outdated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

VAROVÁNÍ - NA TOMTO POČÍTAČI NENÍ NAINSTALOVÁNA KONZOLA PRO ZOTAVENÍ !!
.

((((((((((((((((((((((((((((((((((((((( Ostatní výmazy )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Keenfinder
c:\program files\RelevantKnowledge
c:\program files\RelevantKnowledge\rlservice.exe
c:\windows\system32\ieuinit.inf
c:\windows\system32\wmatime.dll

.
((((((((((((((((((((((((( Soubory vytvořené od 2010-02-01 do 2010-03-01 )))))))))))))))))))))))))))))))
.

2010-03-01 17:38 . 2010-03-01 17:39 -------- d-----w- c:\program files\trend micro
2010-03-01 17:38 . 2010-03-01 17:39 -------- d-----w- C:\rsit
2010-03-01 17:09 . 2010-03-01 17:09 -------- d--h--w- c:\windows\PIF
2010-02-27 16:03 . 2010-03-01 19:07 792064 ----a-w- c:\windows\system32\drivers\fmehqyc.sys
2010-02-16 11:12 . 2010-02-16 11:12 -------- d-----w- c:\program files\WakeMeUp
2010-02-04 19:02 . 2010-02-04 20:09 -------- d-----w- c:\program files\PKR

.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-27 22:23 . 2008-11-01 02:18 -------- d-----w- c:\program files\SpeedFan
2010-02-15 21:37 . 2009-11-30 19:38 -------- d-----w- c:\program files\Common Files\BioWare
2010-02-15 16:36 . 2008-10-27 23:00 -------- d-----w- c:\program files\Citrus Alarm Clock
2010-01-24 19:18 . 2008-11-29 17:17 -------- d-----w- c:\program files\AGEIA Technologies
2010-01-24 19:18 . 2008-11-29 17:17 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-01-17 20:43 . 2008-10-25 15:50 -------- d-----w- c:\program files\Garena
2010-01-06 22:00 . 2010-01-06 22:00 -------- d-----w- c:\program files\MediaMonkey
2010-01-06 21:37 . 2010-01-06 21:37 -------- d-----w- c:\program files\Common Files\DVDVideoSoft
2010-01-06 21:37 . 2010-01-06 21:37 -------- d-----w- c:\program files\DVDVideoSoft
2010-01-06 20:10 . 2010-01-06 20:08 -------- d-----w- c:\program files\Lenogo iPod to PC Transfer
2010-01-06 19:20 . 2010-01-06 19:20 -------- d-----w- c:\program files\WindSolutions
.

------- Sigcheck -------

[-] 2006-11-08 . BB4D3A8E6F7EB1D370BC4AD27AB23368 . 360576 . . [5.1.2600.2892] . . c:\windows\system32\drivers\tcpip.sys

[-] 2006-11-08 . 84F5FA7480E5680B8DD5A90CE7D8CA73 . 1548288 . . [5.1.2600.2180] . . c:\windows\system32\sfcfiles.dll
.
(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RocketDock"="c:\program files\RocketDock\RocketDock.exe" [2007-09-02 495616]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2009-04-23 691656]
"WMUTray.exe"="c:\program files\WakeMeUp\WMUTray.exe" [2006-12-07 745984]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2006-12-18 868352]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-06-05 292136]
"amd_dc_opt"="c:\program files\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [2008-07-22 77824]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
"WMUAgent.exe"="c:\program files\WakeMeUp\WMUAgent.exe" [2006-11-25 160256]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2004-08-17 15360]
"Nokia.PCSync"="c:\program files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-03-27 1744896]

c:\documents and settings\Md.Thrax\Nabˇdka Start\Programy\Po spuçtŘnˇ\
OpenOffice.org 2.0.lnk - c:\program files\OpenOffice.org 2.0\program\quickstart.exe [2006-2-26 393216]
winesm32.exe [2004-8-17 29184]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Garena\\Garena.exe"=
"c:\\Program Files\\Hamachi\\hamachi.exe"=
"e:\\======= Games =======\\ Far Cry2\\Far Cry 2\\bin\\FarCry2.exe"=
"e:\\======= Games =======\\ Far Cry2\\Far Cry 2\\bin\\FC2Launcher.exe"=
"e:\\======= Games =======\\ Far Cry2\\Far Cry 2\\bin\\FC2Editor.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\MagicTune Premium\\MagicTune.exe"=
"e:\\======= Games =======\\GH 3\\GH3.exe"=
"e:\\======= Games =======\\Zeor hour\\game.dat"=
"e:\\======= Games =======\\CC Zero\\game.dat"=
"\\\\Fanda_corp\\ACERDATA (D)\\CC\\ZERO HOUR\\game.dat"=
"e:\\======= Games =======\\ra3\\Data\\ra3_1.1.game"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\WINDOWS\\system32\\dplaysvr.exe"=
"d:\\Games\\DOW2.exe"=
"c:\\Program Files\\ICQ6.5\\ICQ.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"e:\\======= Games =======\\lef4dad\\left 4 dead\\left4dead.exe"=
"e:\\======= Games =======\\lef4dad\\left 4 dead\\hl2.exe"=
"e:\\======= Games =======\\!!! Heroes of Might and Magic III Complete !!!\\Heroes3.exe"=
"c:\\Program Files\\BitSpirit\\BitSpirit.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"d:\\Games\\Fuel\\FUEL.exe"=
"h:\\===== I.S.O. ======\\Stronghold\\Stronghold Crusader.exe"=
"h:\\======= GAMES =======\\SRTT\\Stronghold Crusader.exe"=
"e:\\======= Games =======\\Warcraft III\\euroloader.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"e:\\======= Games =======\\Warcraft III\\Warcraft III.exe"=
"e:\\======= Games =======\\Warcraft III\\war3.exe"=
"e:\\======= Games =======\\Anno\\tools\\Anno4Web.exe"=
"f:\\=====Games=====\\Guitar Hero world Tour\\GHWT.exe"=
"e:\\======= Games =======\\SIns\\Stardock Games\\Sins of a Solar Empire\\Sins of a Solar Empire.exe"=
"h:\\======= GAMES =======\\Re 5\\RE5DX9.EXE"=
"h:\\======= GAMES =======\\Re 5\\RE5DX10.EXE"=
"f:\\=====Games=====\\Star Wars CW\\Republic Heroes.exe"=
"d:\\Games\\Majesty 2\\Majesty2.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"h:\\Warcraft III\\War3.exe"=
"d:\\Games\\Dragon Age\\bin_ship\\daorigins.exe"=
"d:\\Games\\Dragon Age\\DAOriginsLauncher.exe"=
"d:\\Games\\Dragon Age\\bin_ship\\daupdatersvc.service.exe"=
"d:\\Batman\\Binaries\\ShippingPC-BmGame.exe"=
"d:\\Mass Effect 2\\Binaries\\MassEffect2.exe"=
"d:\\Mass Effect 2\\MassEffect2Launcher.exe"=
"d:\\Games\\Mass Effect\\Binaries\\MassEffect.exe"=
"d:\\Games\\Mass Effect\\MassEffectLauncher.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"143:TCP"= 143:TCP:f

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [25.10.2008 20:01 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [25.10.2008 20:01 20560]
S0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [27.10.2008 12:28 721904]
S3 DAUpdaterSvc;Dragon Age: Prameny - aktualizace obsahu;d:\games\Dragon Age\bin_ship\daupdatersvc.service.exe [30.11.2009 20:53 25832]
S3 GarenaPEngine;GarenaPEngine;\??\c:\docume~1\MD2FA2~1.THR\LOCALS~1\Temp\ETSF3.tmp --> c:\docume~1\MD2FA2~1.THR\LOCALS~1\Temp\ETSF3.tmp [?]

--- Ostatní služby/ovladače v paměti ---

*Deregistered* - fmehqyc
.
Obsah adresáře 'Naplánované úlohy'

2010-02-19 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
.
.
------- Doplňkový sken -------
.
uStart Page = hxxp://www.daemon-search.com/startpage
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
IE: Download Using &BitSpirit - c:\program files\BitSpirit\bsurl.htm
IE: E&xportovat do aplikace Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: ÓñČĚŘľ«ÁéĎÂÔŘ(&B)
LSP: %SYSTEMROOT%\system32\nvappfilter.dll
.
- - - - NEPLATNÉ POLOŽKY ODSTRANĚNÉ Z REGISTRU - - - -

HKCU-Run-Citrus Alarm Clock - c:\program files\Citrus Alarm Clock\citrusac.exe
HKU-Default-RunOnce-nltide3 - rundll32 advpack.dll
HKU-Default-RunOnce-nltide2 - rundll32 advpack.dll
AddRemove-Afree AVI FLV MPEG WMV ASF MOV to MP4 Converter_is1 - c:\program files\Afree AVI FLV MPEG WMV ASF MOV to MP4 Converter\unins000.exe
AddRemove-Allok WMA MP3 Converter_is1 - c:\program files\Allok WMA MP3 Converter\unins000.exe
AddRemove-Audio MP3 Editor_is1 - c:\program files\Audio MP3 Editor\unins000.exe
AddRemove-Crash Bandicoot - c:\program files\Crash Bandicoot\Uninstal.exe
AddRemove-ParadisePoker - c:\progra~1\PARADI~1\UNWISE.EXE
AddRemove-Plants vs. Zombies 1.0.0.1051 - c:\program files\Plants vs. Zombies\Uninstal.exe
AddRemove-VLC media player - c:\program files\VideoLAN\VLC\uninstall.exe
AddRemove-YouTube Video Downloader_is1 - c:\program files\YouTube Video Downloader\unins000.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-01 20:07
Windows 5.1.2600 Service Pack 2 NTFS

skenování skrytých procesů ...

skenování skrytých položek 'Po spuštění' ...

skenování skrytých souborů ...

sken byl úspešně dokončen
skryté soubory: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\GarenaPEngine]
"ImagePath"="\??\c:\docume~1\MD2FA2~1.THR\LOCALS~1\Temp\ETSF3.tmp"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\fmehqyc]

.
--------------------- Knihovny navázané na běžící procesy ---------------------

- - - - - - - > 'winlogon.exe'(792)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(848)
c:\windows\system32\nvappfilter.dll
.
Celkový čas: 2010-03-01 20:08:59
ComboFix-quarantined-files.txt 2010-03-01 19:08

Před spuštěním: 641 916 928
Po spuštění: 653 385 728

WindowsXP-KB310994-SP2-Pro-BootDisk-CSY.exe

- - End Of File - - 4A2CAB797498321F5138A6BF2D8F1312

[Caroprd111]

Pokud nemáte, přesuňte Combofix na plochu

• otevřete si Poznámkový blok a zkopírujte do něj text z bílého okénka.

Kód: Vybrat vše

Registry::
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\fmehqyc]

Folder::
c:\Program Files\Garena

Driver::
GarenaPEngine

File::
c:\docume~1\MD2FA2~1.THR\LOCALS~1\Temp\ETSF3.tmp 
c:\windows\system32\drivers\fmehqyc.sys
C:\Documents and Settings\Md.Thrax\Nabídka Start\Programy\Po spuštění\winesm32.exe

• uložte Vámi vytvořený TXT soubor jako CFScript.txt na plochu
• po uložení uchopte vámi vytvořený skript levým myšítkem a přesuňte ho nad ikonu Combofixu, kde ho upustíte:
  
• po aplikaci na Vás vypadne další log,vložte ho sem

Může se stát, že po aplikaci skriptu a restartu Windows nenaběhnou, v tom případě znovu restartujte a přitom mačkejte F8, pak zvolte Poslední známou funkční konfiguraci



Tohle otestujte na http://www.virustotal.com/cs/
c:\windows\system32\drivers\tcpip.sys
c:\windows\system32\sfcfiles.dll

(Soubor nehledejte, jenom vložíte tučně označenou cestu, v případě hlášky "Soubor již byl testován" dejte otestovat znovu. Výsledek analýzy sem vložte.)

[Filip.3k]

ComboFix 10-03-01.01 - Md.Thrax 01.03.2010 20:28:45.2.2 - x86
Systém Microsoft Windows XP Professional 5.1.2600.2.1250.420.1029.18.3582.3116 [GMT 1:00]
Spuštěný z: c:\documents and settings\Md.Thrax\Plocha\ComboFix.exe
Použité ovládací přepínače :: c:\documents and settings\Md.Thrax\Plocha\CFScript.txt
AV: avast! antivirus 4.8.1368 [VPS 091231-0] *On-access scanning disabled* (Outdated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

VAROVÁNÍ - NA TOMTO POČÍTAČI NENÍ NAINSTALOVÁNA KONZOLA PRO ZOTAVENÍ !!

FILE ::
"c:\docume~1\MD2FA2~1.THR\LOCALS~1\Temp\ETSF3.tmp"
"c:\documents and settings\Md.Thrax\Nabídka Start\Programy\Po spuštění\winesm32.exe"
"c:\windows\system32\drivers\fmehqyc.sys"
.

((((((((((((((((((((((((((((((((((((((( Ostatní výmazy )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Md.Thrax\Nabídka Start\Programy\Po spuštění\winesm32.exe
c:\program files\Garena
c:\program files\Garena\AESocket.dll
c:\program files\Garena\atl71.dll
c:\program files\Garena\avatar\4357166.gif
c:\program files\Garena\avatar\6161691.gif
c:\program files\Garena\avatar\6320589.gif
c:\program files\Garena\avatar\6630312.gif
c:\program files\Garena\avatar\6661155.gif
c:\program files\Garena\avatar\7439523.gif
c:\program files\Garena\avatar\7717574.gif
c:\program files\Garena\avatar\8048983.gif
c:\program files\Garena\avatar\boy.swf
c:\program files\Garena\avatar\boy_s.swf
c:\program files\Garena\avatar\girl.swf
c:\program files\Garena\avatar\girl_s.swf
c:\program files\Garena\avatar\unknown.swf
c:\program files\Garena\avatar\unknown_s.swf
c:\program files\Garena\Cache\1670077_s.swf
c:\program files\Garena\clients.dat
c:\program files\Garena\clients2.dat
c:\program files\Garena\CommonLib.dll
c:\program files\Garena\config\bs.br.xml
c:\program files\Garena\config\bs.cn.xml
c:\program files\Garena\config\bs.en.xml
c:\program files\Garena\config\bs.id.xml
c:\program files\Garena\config\bs.pp.xml
c:\program files\Garena\config\bs.ru.xml
c:\program files\Garena\config\bs.sd.xml
c:\program files\Garena\config\bs.sp.xml
c:\program files\Garena\config\bs.th.xml
c:\program files\Garena\config\bs.tw.xml
c:\program files\Garena\config\bs.vn.xml
c:\program files\Garena\config\loccn.xml
c:\program files\Garena\config\locen.xml
c:\program files\Garena\config\lockr.xml
c:\program files\Garena\config\loctw.xml
c:\program files\Garena\config\locvn.xml
c:\program files\Garena\CS15Hook.dll
c:\program files\Garena\deps\olgame.gga
c:\program files\Garena\deps\vww.gzp
c:\program files\Garena\deps\webgame.gga
c:\program files\Garena\dlls\CTSys.dll
c:\program files\Garena\dlls\flags.dll
c:\program files\Garena\dlls\FPSHelper.dll
c:\program files\Garena\dlls\GFireMan.dll
c:\program files\Garena\dlls\IPvR.dll
c:\program files\Garena\dlls\PEngine.dll
c:\program files\Garena\dlls\PluginLanguage.dll
c:\program files\Garena\dlls\Sca.dll
c:\program files\Garena\dlls\WC3J.dll
c:\program files\Garena\face\1.bmp
c:\program files\Garena\face\1_m.bmp
c:\program files\Garena\face\10.bmp
c:\program files\Garena\face\10_m.bmp
c:\program files\Garena\face\11.bmp
c:\program files\Garena\face\11_m.bmp
c:\program files\Garena\face\12.bmp
c:\program files\Garena\face\12_m.bmp
c:\program files\Garena\face\13.bmp
c:\program files\Garena\face\13_m.bmp
c:\program files\Garena\face\14.bmp
c:\program files\Garena\face\14_m.bmp
c:\program files\Garena\face\15.bmp
c:\program files\Garena\face\15_m.bmp
c:\program files\Garena\face\16.bmp
c:\program files\Garena\face\16_m.bmp
c:\program files\Garena\face\17.bmp
c:\program files\Garena\face\17_m.bmp
c:\program files\Garena\face\18.bmp
c:\program files\Garena\face\18_m.bmp
c:\program files\Garena\face\19.bmp
c:\program files\Garena\face\19_m.bmp
c:\program files\Garena\face\2.bmp
c:\program files\Garena\face\2_m.bmp
c:\program files\Garena\face\20.bmp
c:\program files\Garena\face\20_m.bmp
c:\program files\Garena\face\21.bmp
c:\program files\Garena\face\21_m.bmp
c:\program files\Garena\face\22.bmp
c:\program files\Garena\face\22_m.bmp
c:\program files\Garena\face\23.bmp
c:\program files\Garena\face\23_m.bmp
c:\program files\Garena\face\24.bmp
c:\program files\Garena\face\24_m.bmp
c:\program files\Garena\face\3.bmp
c:\program files\Garena\face\3_m.bmp
c:\program files\Garena\face\4.bmp
c:\program files\Garena\face\4_m.bmp
c:\program files\Garena\face\5.bmp
c:\program files\Garena\face\5_m.bmp
c:\program files\Garena\face\6.bmp
c:\program files\Garena\face\6_m.bmp
c:\program files\Garena\face\7.bmp
c:\program files\Garena\face\7_m.bmp
c:\program files\Garena\face\8.bmp
c:\program files\Garena\face\8_m.bmp
c:\program files\Garena\face\9.bmp
c:\program files\Garena\face\9_m.bmp
c:\program files\Garena\files\files.ggz
c:\program files\Garena\FPSHook.dll
c:\program files\Garena\Gamecn.dat
c:\program files\Garena\GameConfig.xml
c:\program files\Garena\Gameen.dat
c:\program files\Garena\Gametw.dat
c:\program files\Garena\Gamevn.dat
c:\program files\Garena\Garena.exe
c:\program files\Garena\Garena.RPT
c:\program files\Garena\GarenaSkin.dll
c:\program files\Garena\GarenaSkin1.dll
c:\program files\Garena\GarenaTV.xml
c:\program files\Garena\GarenaTV\0.bmp
c:\program files\Garena\GarenaTV\1.bmp
c:\program files\Garena\GarenaTV\2.bmp
c:\program files\Garena\GarenaTV\3.bmp
c:\program files\Garena\GarenaTV\4.bmp
c:\program files\Garena\GarenaTV\5.bmp
c:\program files\Garena\GarenaTV\6.bmp
c:\program files\Garena\GarenaTV\cn.ggz
c:\program files\Garena\GarenaTV\cn_s.ggz
c:\program files\Garena\GarenaTV\en.ggz
c:\program files\Garena\GarenaTV\en_s.ggz
c:\program files\Garena\GarenaTV\id_s.ggz
c:\program files\Garena\GarenaTV\tw.ggz
c:\program files\Garena\GarenaTV\tw_s.ggz
c:\program files\Garena\GarenaTV_UI.dll
c:\program files\Garena\GarenaTVHook.dll
c:\program files\Garena\GGICON.ico
c:\program files\Garena\Gn.ggz
c:\program files\Garena\gs.dat
c:\program files\Garena\hc.xml
c:\program files\Garena\Inject.dll
c:\program files\Garena\L4DSocket.dll
c:\program files\Garena\langs.xml
c:\program files\Garena\Languages\FPSGame.dll.cn
c:\program files\Garena\Languages\FPSGame.dll.en
c:\program files\Garena\Languages\FPSGame.dll.tw
c:\program files\Garena\Languages\Garena.exe.br
c:\program files\Garena\Languages\Garena.exe.cn
c:\program files\Garena\Languages\Garena.exe.en
c:\program files\Garena\Languages\Garena.exe.id
c:\program files\Garena\Languages\Garena.exe.pp
c:\program files\Garena\Languages\Garena.exe.ru
c:\program files\Garena\Languages\Garena.exe.sd
c:\program files\Garena\Languages\Garena.exe.sp
c:\program files\Garena\Languages\Garena.exe.th
c:\program files\Garena\Languages\Garena.exe.tw
c:\program files\Garena\Languages\Garena.exe.vn
c:\program files\Garena\Languages\GarenaTV_UI.dll.cn
c:\program files\Garena\Languages\GarenaTV_UI.dll.en
c:\program files\Garena\Languages\GarenaTV_UI.dll.id
c:\program files\Garena\Languages\GarenaTV_UI.dll.tw
c:\program files\Garena\Languages\languages.glf
c:\program files\Garena\Languages\OLGame.dll.en
c:\program files\Garena\Languages\OLGame.dll.vn
c:\program files\Garena\Languages\update.exe.cn
c:\program files\Garena\Languages\update.exe.tw
c:\program files\Garena\Languages\update2.exe.cn
c:\program files\Garena\Languages\update2.exe.tw
c:\program files\Garena\Languages\WC3Ass.dll.cn
c:\program files\Garena\Languages\WC3Ass.dll.en
c:\program files\Garena\Languages\WC3Ass.dll.tw
c:\program files\Garena\Languages\WC3Ass.dll.vn
c:\program files\Garena\Languages\WC3Ladder.dll.cn
c:\program files\Garena\Languages\WC3Ladder.dll.en
c:\program files\Garena\Languages\WC3Ladder.dll.tw
c:\program files\Garena\layout\BlackShotView.layout
c:\program files\Garena\layout\layout.ggz
c:\program files\Garena\lib\BlackShot.dll
c:\program files\Garena\lib\common\Language.dll
c:\program files\Garena\lib\exchndl.dll
c:\program files\Garena\lib\GarenaRoomSystem.dll
c:\program files\Garena\lib\GarenaWebService.dll
c:\program files\Garena\lib\HttpLayer.dll
c:\program files\Garena\lib\Language.dll
c:\program files\Garena\lib\Layout.dll
c:\program files\Garena\lib\LibPlugin.ggz
c:\program files\Garena\lib\LoadSwf.dll
c:\program files\Garena\lib\MessagePumpLib.dll
c:\program files\Garena\lib\NetworkLayer.dll
c:\program files\Garena\lib\PKCS.dll
c:\program files\Garena\lib\RSA.dll
c:\program files\Garena\lib\WebCache.dll
c:\program files\Garena\mdata.ggz
c:\program files\Garena\PluginKernel.dll
c:\program files\Garena\plugins\Game\GarenaTVRecorder.dll
c:\program files\Garena\plugins\Game\WC3Ass.dll
c:\program files\Garena\plugins\Game\WC3Ladder.dll
c:\program files\Garena\plugins\Game\WC3VC.dll
c:\program files\Garena\plugins\Plugins.ggz
c:\program files\Garena\plugins\UI\AdPlugin.dll
c:\program files\Garena\plugins\UI\AdPlugin\close_rollout.bmp
c:\program files\Garena\plugins\UI\AdPlugin\close_rollover.bmp
c:\program files\Garena\plugins\UI\AdPlugin\down_rollout.bmp
c:\program files\Garena\plugins\UI\AdPlugin\down_rollover.bmp
c:\program files\Garena\plugins\UI\AdPlugin\skinmsn.bmp
c:\program files\Garena\plugins\UI\AdPlugin\up_rollout.bmp
c:\program files\Garena\plugins\UI\AdPlugin\up_rollover.bmp
c:\program files\Garena\plugins\UI\AvoidCrackPlugin.dll
c:\program files\Garena\plugins\UI\BlackShotPlugin.dll
c:\program files\Garena\plugins\UI\CafeLogin.dll
c:\program files\Garena\plugins\UI\FavListUIPlugin.dll
c:\program files\Garena\plugins\UI\FPSGame.dll
c:\program files\Garena\plugins\UI\GarenaTV.dll
c:\program files\Garena\plugins\UI\GarenaTVRecUI.dll
c:\program files\Garena\plugins\UI\GEngine.dll
c:\program files\Garena\plugins\UI\Chenyx.dll
c:\program files\Garena\plugins\UI\ManagePlugin.dll
c:\program files\Garena\plugins\UI\OLGame.dll
c:\program files\Garena\plugins\UI\StatPlugin.dll
c:\program files\Garena\plugins\UI\ViwawaPlugin.dll
c:\program files\Garena\plugins\UI\WebGameUI.dll
c:\program files\Garena\plugins\UI\zDep.dll
c:\program files\Garena\plugins\UI\zzzPlugin.dll
c:\program files\Garena\RecConfig.xml
c:\program files\Garena\roomCN.dat
c:\program files\Garena\roomEN.dat
c:\program files\Garena\roomTW.dat
c:\program files\Garena\server.xml
c:\program files\Garena\shop\items\1.gif
c:\program files\Garena\shop\items\100.gif
c:\program files\Garena\shop\items\105.gif
c:\program files\Garena\shop\items\150.gif
c:\program files\Garena\shop\items\151.gif
c:\program files\Garena\shop\items\2.gif
c:\program files\Garena\shop\items\200.gif
c:\program files\Garena\shop\items\201.gif
c:\program files\Garena\shop\items\202.gif
c:\program files\Garena\shop\items\203.gif
c:\program files\Garena\shop\items\204.gif
c:\program files\Garena\shop\items\205.gif
c:\program files\Garena\shop\items\206.gif
c:\program files\Garena\shop\items\21.gif
c:\program files\Garena\shop\items\22.gif
c:\program files\Garena\shop\items\23.gif
c:\program files\Garena\shop\items\24.gif
c:\program files\Garena\shop\items\3.gif
c:\program files\Garena\shop\items\300.gif
c:\program files\Garena\shop\items\301.gif
c:\program files\Garena\shop\items\302.gif
c:\program files\Garena\shop\items\303.gif
c:\program files\Garena\shop\items\304.gif
c:\program files\Garena\shop\items\305.gif
c:\program files\Garena\shop\items\306.gif
c:\program files\Garena\shop\items\307.gif
c:\program files\Garena\shop\items\308.gif
c:\program files\Garena\shop\items\309.gif
c:\program files\Garena\shop\items\310.gif
c:\program files\Garena\shop\items\311.gif
c:\program files\Garena\shop\items\312.gif
c:\program files\Garena\shop\items\313.gif
c:\program files\Garena\shop\items\4.gif
c:\program files\Garena\shop\items\40.gif
c:\program files\Garena\shop\items\60.gif
c:\program files\Garena\shop\items\61.gif
c:\program files\Garena\shop\items\62.gif
c:\program files\Garena\shop\items\63.gif
c:\program files\Garena\shop\items\64.gif
c:\program files\Garena\shop\items\65.gif
c:\program files\Garena\shop\items\66.gif
c:\program files\Garena\shop\items\67.gif
c:\program files\Garena\shop\items\68.gif
c:\program files\Garena\shop\items\69.gif
c:\program files\Garena\shop\items\70.gif
c:\program files\Garena\shop\items\8.gif
c:\program files\Garena\Skin\Flags\-.gif
c:\program files\Garena\Skin\Flags\ad.gif
c:\program files\Garena\Skin\Flags\ae.gif
c:\program files\Garena\Skin\Flags\af.gif
c:\program files\Garena\Skin\Flags\ag.gif
c:\program files\Garena\Skin\Flags\ai.gif
c:\program files\Garena\Skin\Flags\al.gif
c:\program files\Garena\Skin\Flags\am.gif
c:\program files\Garena\Skin\Flags\an.gif
c:\program files\Garena\Skin\Flags\ao.gif
c:\program files\Garena\Skin\Flags\aq.gif
c:\program files\Garena\Skin\Flags\ar.gif
c:\program files\Garena\Skin\Flags\as.gif
c:\program files\Garena\Skin\Flags\at.gif
c:\program files\Garena\Skin\Flags\au.gif
c:\program files\Garena\Skin\Flags\aw.gif
c:\program files\Garena\Skin\Flags\az.gif
c:\program files\Garena\Skin\Flags\ba.gif
c:\program files\Garena\Skin\Flags\bb.gif
c:\program files\Garena\Skin\Flags\bd.gif
c:\program files\Garena\Skin\Flags\be.gif
c:\program files\Garena\Skin\Flags\bf.gif
c:\program files\Garena\Skin\Flags\bg.gif
c:\program files\Garena\Skin\Flags\bh.gif
c:\program files\Garena\Skin\Flags\bi.gif
c:\program files\Garena\Skin\Flags\bj.gif
c:\program files\Garena\Skin\Flags\bm.gif
c:\program files\Garena\Skin\Flags\bn.gif
c:\program files\Garena\Skin\Flags\bo.gif
c:\program files\Garena\Skin\Flags\br.gif
c:\program files\Garena\Skin\Flags\bs.gif
c:\program files\Garena\Skin\Flags\bt.gif
c:\program files\Garena\Skin\Flags\bv.gif
c:\program files\Garena\Skin\Flags\bw.gif
c:\program files\Garena\Skin\Flags\by.gif
c:\program files\Garena\Skin\Flags\bz.gif
c:\program files\Garena\Skin\Flags\ca.gif
c:\program files\Garena\Skin\Flags\cd.gif
c:\program files\Garena\Skin\Flags\cf.gif
c:\program files\Garena\Skin\Flags\cg.gif
c:\program files\Garena\Skin\Flags\ci.gif
c:\program files\Garena\Skin\Flags\ck.gif
c:\program files\Garena\Skin\Flags\cl.gif
c:\program files\Garena\Skin\Flags\cm.gif
c:\program files\Garena\Skin\Flags\cn.gif
c:\program files\Garena\Skin\Flags\co.gif
c:\program files\Garena\Skin\Flags\cr.gif
c:\program files\Garena\Skin\Flags\cu.gif
c:\program files\Garena\Skin\Flags\cv.gif
c:\program files\Garena\Skin\Flags\cy.gif
c:\program files\Garena\Skin\Flags\cz.gif
c:\program files\Garena\Skin\Flags\de.gif
c:\program files\Garena\Skin\Flags\dj.gif
c:\program files\Garena\Skin\Flags\dk.gif
c:\program files\Garena\Skin\Flags\dm.gif
c:\program files\Garena\Skin\Flags\do.gif
c:\program files\Garena\Skin\Flags\dz.gif
c:\program files\Garena\Skin\Flags\ec.gif
c:\program files\Garena\Skin\Flags\ee.gif
c:\program files\Garena\Skin\Flags\eg.gif
c:\program files\Garena\Skin\Flags\er.gif
c:\program files\Garena\Skin\Flags\es.gif
c:\program files\Garena\Skin\Flags\et.gif
c:\program files\Garena\Skin\Flags\eu.gif
c:\program files\Garena\Skin\Flags\fi.gif
c:\program files\Garena\Skin\Flags\fj.gif
c:\program files\Garena\Skin\Flags\fk.gif
c:\program files\Garena\Skin\Flags\fm.gif
c:\program files\Garena\Skin\Flags\fo.gif
c:\program files\Garena\Skin\Flags\fr.gif
c:\program files\Garena\Skin\Flags\fx.gif
c:\program files\Garena\Skin\Flags\ga.gif
c:\program files\Garena\Skin\Flags\gb.gif
c:\program files\Garena\Skin\Flags\gd.gif
c:\program files\Garena\Skin\Flags\ge.gif
c:\program files\Garena\Skin\Flags\gh.gif
c:\program files\Garena\Skin\Flags\gi.gif
c:\program files\Garena\Skin\Flags\gl.gif
c:\program files\Garena\Skin\Flags\gm.gif
c:\program files\Garena\Skin\Flags\gn.gif
c:\program files\Garena\Skin\Flags\gp.gif
c:\program files\Garena\Skin\Flags\gq.gif
c:\program files\Garena\Skin\Flags\gr.gif
c:\program files\Garena\Skin\Flags\gt.gif
c:\program files\Garena\Skin\Flags\gu.gif
c:\program files\Garena\Skin\Flags\gw.gif
c:\program files\Garena\Skin\Flags\gy.gif
c:\program files\Garena\Skin\Flags\hk.gif
c:\program files\Garena\Skin\Flags\hm.gif
c:\program files\Garena\Skin\Flags\hn.gif
c:\program files\Garena\Skin\Flags\hr.gif
c:\program files\Garena\Skin\Flags\ht.gif
c:\program files\Garena\Skin\Flags\hu.gif
c:\program files\Garena\Skin\Flags\ch.gif
c:\program files\Garena\Skin\Flags\id.gif
c:\program files\Garena\Skin\Flags\ie.gif
c:\program files\Garena\Skin\Flags\il.gif
c:\program files\Garena\Skin\Flags\im.gif
c:\program files\Garena\Skin\Flags\in.gif
c:\program files\Garena\Skin\Flags\io.gif
c:\program files\Garena\Skin\Flags\iq.gif
c:\program files\Garena\Skin\Flags\ir.gif
c:\program files\Garena\Skin\Flags\is.gif
c:\program files\Garena\Skin\Flags\it.gif
c:\program files\Garena\Skin\Flags\je.gif
c:\program files\Garena\Skin\Flags\jm.gif
c:\program files\Garena\Skin\Flags\jo.gif
c:\program files\Garena\Skin\Flags\jp.gif
c:\program files\Garena\Skin\Flags\ke.gif
c:\program files\Garena\Skin\Flags\kg.gif
c:\program files\Garena\Skin\Flags\kh.gif
c:\program files\Garena\Skin\Flags\ki.gif
c:\program files\Garena\Skin\Flags\km.gif
c:\program files\Garena\Skin\Flags\kn.gif
c:\program files\Garena\Skin\Flags\kp.gif
c:\program files\Garena\Skin\Flags\kr.gif
c:\program files\Garena\Skin\Flags\kw.gif
c:\program files\Garena\Skin\Flags\ky.gif
c:\program files\Garena\Skin\Flags\kz.gif
c:\program files\Garena\Skin\Flags\la.gif
c:\program files\Garena\Skin\Flags\lb.gif
c:\program files\Garena\Skin\Flags\lc.gif
c:\program files\Garena\Skin\Flags\li.gif
c:\program files\Garena\Skin\Flags\lk.gif
c:\program files\Garena\Skin\Flags\lr.gif
c:\program files\Garena\Skin\Flags\ls.gif
c:\program files\Garena\Skin\Flags\lt.gif
c:\program files\Garena\Skin\Flags\lu.gif
c:\program files\Garena\Skin\Flags\lv.gif
c:\program files\Garena\Skin\Flags\ly.gif
c:\program files\Garena\Skin\Flags\ma.gif
c:\program files\Garena\Skin\Flags\mc.gif
c:\program files\Garena\Skin\Flags\md.gif
c:\program files\Garena\Skin\Flags\me.gif
c:\program files\Garena\Skin\Flags\mg.gif
c:\program files\Garena\Skin\Flags\mh.gif
c:\program files\Garena\Skin\Flags\mk.gif
c:\program files\Garena\Skin\Flags\ml.gif
c:\program files\Garena\Skin\Flags\mm.gif
c:\program files\Garena\Skin\Flags\mn.gif
c:\program files\Garena\Skin\Flags\mo.gif
c:\program files\Garena\Skin\Flags\mp.gif
c:\program files\Garena\Skin\Flags\mq.gif
c:\program files\Garena\Skin\Flags\mr.gif
c:\program files\Garena\Skin\Flags\ms.gif
c:\program files\Garena\Skin\Flags\mt.gif
c:\program files\Garena\Skin\Flags\mu.gif
c:\program files\Garena\Skin\Flags\mv.gif
c:\program files\Garena\Skin\Flags\mw.gif
c:\program files\Garena\Skin\Flags\mx.gif
c:\program files\Garena\Skin\Flags\my.gif
c:\program files\Garena\Skin\Flags\mz.gif
c:\program files\Garena\Skin\Flags\na.gif
c:\program files\Garena\Skin\Flags\nc.gif
c:\program files\Garena\Skin\Flags\ne.gif
c:\program files\Garena\Skin\Flags\nf.gif
c:\program files\Garena\Skin\Flags\ng.gif
c:\program files\Garena\Skin\Flags\ni.gif
c:\program files\Garena\Skin\Flags\nl.gif
c:\program files\Garena\Skin\Flags\no.gif
c:\program files\Garena\Skin\Flags\np.gif
c:\program files\Garena\Skin\Flags\nr.gif
c:\program files\Garena\Skin\Flags\nz.gif
c:\program files\Garena\Skin\Flags\om.gif
c:\program files\Garena\Skin\Flags\pa.gif
c:\program files\Garena\Skin\Flags\pe.gif
c:\program files\Garena\Skin\Flags\pf.gif
c:\program files\Garena\Skin\Flags\pg.gif
c:\program files\Garena\Skin\Flags\ph.gif
c:\program files\Garena\Skin\Flags\pk.gif
c:\program files\Garena\Skin\Flags\pl.gif
c:\program files\Garena\Skin\Flags\pm.gif
c:\program files\Garena\Skin\Flags\pr.gif
c:\program files\Garena\Skin\Flags\ps.gif
c:\program files\Garena\Skin\Flags\pt.gif
c:\program files\Garena\Skin\Flags\pw.gif
c:\program files\Garena\Skin\Flags\py.gif
c:\program files\Garena\Skin\Flags\qa.gif
c:\program files\Garena\Skin\Flags\re.gif
c:\program files\Garena\Skin\Flags\ro.gif
c:\program files\Garena\Skin\Flags\rs.gif
c:\program files\Garena\Skin\Flags\ru.gif
c:\program files\Garena\Skin\Flags\rw.gif
c:\program files\Garena\Skin\Flags\sa.gif
c:\program files\Garena\Skin\Flags\sb.gif
c:\program files\Garena\Skin\Flags\sc.gif
c:\program files\Garena\Skin\Flags\sd.gif
c:\program files\Garena\Skin\Flags\se.gif
c:\program files\Garena\Skin\Flags\sg.gif
c:\program files\Garena\Skin\Flags\si.gif
c:\program files\Garena\Skin\Flags\sk.gif
c:\program files\Garena\Skin\Flags\sl.gif
c:\program files\Garena\Skin\Flags\sm.gif
c:\program files\Garena\Skin\Flags\sn.gif
c:\program files\Garena\Skin\Flags\so.gif
c:\program files\Garena\Skin\Flags\sr.gif
c:\program files\Garena\Skin\Flags\st.gif
c:\program files\Garena\Skin\Flags\sv.gif
c:\program files\Garena\Skin\Flags\sy.gif
c:\program files\Garena\Skin\Flags\sz.gif
c:\program files\Garena\Skin\Flags\tc.gif
c:\program files\Garena\Skin\Flags\td.gif
c:\program files\Garena\Skin\Flags\tf.gif
c:\program files\Garena\Skin\Flags\tg.gif
c:\program files\Garena\Skin\Flags\th.gif
c:\program files\Garena\Skin\Flags\tj.gif
c:\program files\Garena\Skin\Flags\tm.gif
c:\program files\Garena\Skin\Flags\tn.gif
c:\program files\Garena\Skin\Flags\to.gif
c:\program files\Garena\Skin\Flags\tp.gif
c:\program files\Garena\Skin\Flags\tr.gif
c:\program files\Garena\Skin\Flags\tt.gif
c:\program files\Garena\Skin\Flags\tv.gif
c:\program files\Garena\Skin\Flags\tw.gif
c:\program files\Garena\Skin\Flags\tz.gif
c:\program files\Garena\Skin\Flags\ua.gif
c:\program files\Garena\Skin\Flags\ug.gif
c:\program files\Garena\Skin\Flags\uk.gif
c:\program files\Garena\Skin\Flags\um.gif
c:\program files\Garena\Skin\Flags\us.gif
c:\program files\Garena\Skin\Flags\uy.gif
c:\program files\Garena\Skin\Flags\uz.gif
c:\program files\Garena\Skin\Flags\va.gif
c:\program files\Garena\Skin\Flags\vc.gif
c:\program files\Garena\Skin\Flags\ve.gif
c:\program files\Garena\Skin\Flags\vg.gif
c:\program files\Garena\Skin\Flags\vi.gif
c:\program files\Garena\Skin\Flags\vn.gif
c:\program files\Garena\Skin\Flags\vu.gif
c:\program files\Garena\Skin\Flags\ws.gif
c:\program files\Garena\Skin\Flags\ye.gif
c:\program files\Garena\Skin\Flags\yu.gif
c:\program files\Garena\Skin\Flags\za.gif
c:\program files\Garena\Skin\Flags\zm.gif
c:\program files\Garena\Skin\Flags\zr.gif
c:\program files\Garena\Skin\Flags\zw.gif
c:\program files\Garena\Skin\garenatv.ggz
c:\program files\Garena\Skin\Skin.ggz
c:\program files\Garena\skin_bs\garenatv.ggz
c:\program files\Garena\skin_bs\Skin.ggz
c:\program files\Garena\Skins.xml
c:\program files\Garena\SocketHook.dll
c:\program files\Garena\sound\folder.wav
c:\program files\Garena\sound\game.wav
c:\program files\Garena\sound\msg.wav
c:\program files\Garena\sound\nudge.wav
c:\program files\Garena\sound\quit.wav
c:\program files\Garena\sound\ring.wav
c:\program files\Garena\sound\sysmsg.wav
c:\program files\Garena\source.xml
c:\program files\Garena\sqlite3.dll
c:\program files\Garena\update.dat
c:\program files\Garena\update.exe
c:\program files\Garena\update.xml
c:\program files\Garena\update2.exe
c:\program files\Garena\user.xml
c:\program files\Garena\user\6263172\ban.dat
c:\program files\Garena\user\6263172\data.dat
c:\program files\Garena\user\6263172\fps.dat
c:\program files\Garena\user\6263172\recent.txt
c:\program files\Garena\user\6630312\ban.dat
c:\program files\Garena\user\6630312\data.dat
c:\program files\Garena\user\6630312\fps.dat
c:\program files\Garena\user\6630312\recent.txt
c:\program files\Garena\user\6630312\system.xml
c:\program files\Garena\user\6661155\ban.dat
c:\program files\Garena\user\6661155\data.dat
c:\program files\Garena\user\6661155\fps.dat
c:\program files\Garena\user\6661155\recent.txt
c:\program files\Garena\viwawa.cn.xml
c:\program files\Garena\viwawa.en.xml
c:\program files\Garena\viwawa.tw.xml
c:\program files\Garena\War3Hook.dll
c:\program files\Garena\web\1.cn.html
c:\program files\Garena\web\1.en.html
c:\program files\Garena\web\1.tw.html
c:\program files\Garena\web\2.cn.html
c:\program files\Garena\web\2.en.html
c:\program files\Garena\web\2.tw.html
c:\program files\Garena\web\3.cn.html
c:\program files\Garena\web\3.en.html
c:\program files\Garena\web\3.tw.html
c:\program files\Garena\web\6.cn.html
c:\program files\Garena\web\6.en.html
c:\program files\Garena\web\6.tw.html
c:\program files\Garena\web\cache\Freesky\css\foemb_2.css
c:\program files\Garena\web\cache\Freesky\img\do_bg2.jpg
c:\program files\Garena\web\cache\Freesky\img\do_btn.jpg
c:\program files\Garena\web\cache\Freesky\img\ggbackground.jpg
c:\program files\Garena\web\cache\ROM\config\css\screen.css
c:\program files\Garena\web\cache\ROM\config\images\bgd_body.gif
c:\program files\Garena\web\cache\ROM\config\images\bgd_dotted_hevertical.gif
c:\program files\Garena\web\cache\ROM\config\images\bgd_dotted_vertical.gif
c:\program files\Garena\web\cache\ROM\config\images\bgd_footer.gif
c:\program files\Garena\web\cache\ROM\config\images\bgd_html.gif
c:\program files\Garena\web\cache\ROM\config\images\header.jpg
c:\program files\Garena\web\cache\ROM\config\images\ico_bullet.gif
c:\program files\Garena\web\cache\ROM\config\images\visu_download.jpg
c:\program files\Garena\web\cache\ROM\config\images\visu_line.gif
c:\program files\Garena\web\cache\ROM\config\images\visu_logo-garena.gif
c:\program files\Garena\web\cache\ROM\config\images\visu_run.gif
c:\program files\Garena\web\cache\ROM\config\images\visu_setting.gif
c:\program files\Garena\web\cache\ROM\css\screen.css
c:\program files\Garena\web\cache\ROM\images\bgd_body.jpg
c:\program files\Garena\web\cache\ROM\images\bgd_html.gif
c:\program files\Garena\web\cache\ROM\images\bgd_news.gif
c:\program files\Garena\web\cache\ROM\images\btn_forum_n.gif
c:\program files\Garena\web\cache\ROM\images\btn_forum_o.gif
c:\program files\Garena\web\cache\ROM\images\btn_support_n.gif
c:\program files\Garena\web\cache\ROM\images\btn_support_o.gif
c:\program files\Garena\web\cache\ROM\images\btn_webiste_n.gif
c:\program files\Garena\web\cache\ROM\images\btn_webiste_o.gif
c:\program files\Garena\web\cache\ROM\images\ico-01.gif
c:\program files\Garena\web\cache\ROM\images\slogan_rom.jpg
c:\program files\Garena\web\cache\ROM\images\visu_banner.gif
c:\program files\Garena\web\cache\ROM\images\visu_banner_01.gif
c:\program files\Garena\web\cache\ROM\images\visu_forum.gif
c:\program files\Garena\web\cache\ROM\images\visu_garena.gif
c:\program files\Garena\web\cache\RUpoker\css\pokerembed.css
c:\program files\Garena\web\cache\RUpoker\img\bg.jpg
c:\program files\Garena\web\cache\RUpoker\img\btn.jpg
c:\program files\Garena\web\cache\RUpoker\img\ggbackground.jpg
c:\program files\Garena\web\embed_game.jpg
c:\program files\Garena\web\embed_game_cn.jpg
c:\program files\Garena\web\embed_game_tw.jpg
c:\program files\Garena\web\embed_garenafire_ZH.jpg
c:\program files\Garena\web\embed_gfire.jpg
c:\program files\Garena\web\gfire.cn.html
c:\program files\Garena\web\gfire.en.html
c:\program files\Garena\web\gfire.tw.html
c:\program files\Garena\web\ggbackground.jpg
c:\program files\Garena\web\loading.gif
c:\program files\Garena\web\loading.html
c:\program files\Garena\YYFileSystem.dll
c:\windows\system32\drivers\fmehqyc.sys

.
((((((((((((((((((((((((((((((((((((((( Ovladače/Služby )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_GARENAPENGINE
-------\Service_GarenaPEngine
-------\Legacy_fmehqyc
-------\Service_fmehqyc


((((((((((((((((((((((((( Soubory vytvořené od 2010-02-01 do 2010-03-01 )))))))))))))))))))))))))))))))
.

2010-03-01 17:38 . 2010-03-01 17:39 -------- d-----w- c:\program files\trend micro
2010-03-01 17:38 . 2010-03-01 17:39 -------- d-----w- C:\rsit
2010-03-01 17:09 . 2010-03-01 17:09 -------- d--h--w- c:\windows\PIF
2010-02-16 11:12 . 2010-02-16 11:12 -------- d-----w- c:\program files\WakeMeUp
2010-02-04 19:02 . 2010-02-04 20:09 -------- d-----w- c:\program files\PKR

.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-27 22:23 . 2008-11-01 02:18 -------- d-----w- c:\program files\SpeedFan
2010-02-15 21:37 . 2009-11-30 19:38 -------- d-----w- c:\program files\Common Files\BioWare
2010-02-15 16:36 . 2008-10-27 23:00 -------- d-----w- c:\program files\Citrus Alarm Clock
2010-01-24 19:18 . 2008-11-29 17:17 -------- d-----w- c:\program files\AGEIA Technologies
2010-01-24 19:18 . 2008-11-29 17:17 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-01-06 22:00 . 2010-01-06 22:00 -------- d-----w- c:\program files\MediaMonkey
2010-01-06 21:37 . 2010-01-06 21:37 -------- d-----w- c:\program files\Common Files\DVDVideoSoft
2010-01-06 21:37 . 2010-01-06 21:37 -------- d-----w- c:\program files\DVDVideoSoft
2010-01-06 20:10 . 2010-01-06 20:08 -------- d-----w- c:\program files\Lenogo iPod to PC Transfer
2010-01-06 19:20 . 2010-01-06 19:20 -------- d-----w- c:\program files\WindSolutions
.

------- Sigcheck -------

[-] 2006-11-08 . BB4D3A8E6F7EB1D370BC4AD27AB23368 . 360576 . . [5.1.2600.2892] . . c:\windows\system32\drivers\tcpip.sys

[-] 2006-11-08 . 84F5FA7480E5680B8DD5A90CE7D8CA73 . 1548288 . . [5.1.2600.2180] . . c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((( SnapShot@2010-03-01_19.07.34 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-03-01 19:33 . 2010-03-01 19:33 16384 c:\windows\system32\config\systemprofile\Local Settings\Temp\Perflib_Perfdata_698.dat
+ 2010-03-01 19:33 . 2010-03-01 19:33 16384 c:\windows\system32\config\systemprofile\Local Settings\Temp\Perflib_Perfdata_308.dat
.
(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RocketDock"="c:\program files\RocketDock\RocketDock.exe" [2007-09-02 495616]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2009-04-23 691656]
"WMUTray.exe"="c:\program files\WakeMeUp\WMUTray.exe" [2006-12-07 745984]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2006-12-18 868352]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-06-05 292136]
"amd_dc_opt"="c:\program files\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [2008-07-22 77824]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
"WMUAgent.exe"="c:\program files\WakeMeUp\WMUAgent.exe" [2006-11-25 160256]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2004-08-17 15360]
"Nokia.PCSync"="c:\program files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-03-27 1744896]

c:\documents and settings\Md.Thrax\Nabˇdka Start\Programy\Po spuçtŘnˇ\
OpenOffice.org 2.0.lnk - c:\program files\OpenOffice.org 2.0\program\quickstart.exe [2006-2-26 393216]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Hamachi\\hamachi.exe"=
"e:\\======= Games =======\\ Far Cry2\\Far Cry 2\\bin\\FarCry2.exe"=
"e:\\======= Games =======\\ Far Cry2\\Far Cry 2\\bin\\FC2Launcher.exe"=
"e:\\======= Games =======\\ Far Cry2\\Far Cry 2\\bin\\FC2Editor.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\MagicTune Premium\\MagicTune.exe"=
"e:\\======= Games =======\\GH 3\\GH3.exe"=
"e:\\======= Games =======\\Zeor hour\\game.dat"=
"e:\\======= Games =======\\CC Zero\\game.dat"=
"\\\\Fanda_corp\\ACERDATA (D)\\CC\\ZERO HOUR\\game.dat"=
"e:\\======= Games =======\\ra3\\Data\\ra3_1.1.game"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\WINDOWS\\system32\\dplaysvr.exe"=
"d:\\Games\\DOW2.exe"=
"c:\\Program Files\\ICQ6.5\\ICQ.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"e:\\======= Games =======\\lef4dad\\left 4 dead\\left4dead.exe"=
"e:\\======= Games =======\\lef4dad\\left 4 dead\\hl2.exe"=
"e:\\======= Games =======\\!!! Heroes of Might and Magic III Complete !!!\\Heroes3.exe"=
"c:\\Program Files\\BitSpirit\\BitSpirit.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"d:\\Games\\Fuel\\FUEL.exe"=
"h:\\===== I.S.O. ======\\Stronghold\\Stronghold Crusader.exe"=
"h:\\======= GAMES =======\\SRTT\\Stronghold Crusader.exe"=
"e:\\======= Games =======\\Warcraft III\\euroloader.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"e:\\======= Games =======\\Warcraft III\\Warcraft III.exe"=
"e:\\======= Games =======\\Warcraft III\\war3.exe"=
"e:\\======= Games =======\\Anno\\tools\\Anno4Web.exe"=
"f:\\=====Games=====\\Guitar Hero world Tour\\GHWT.exe"=
"e:\\======= Games =======\\SIns\\Stardock Games\\Sins of a Solar Empire\\Sins of a Solar Empire.exe"=
"h:\\======= GAMES =======\\Re 5\\RE5DX9.EXE"=
"h:\\======= GAMES =======\\Re 5\\RE5DX10.EXE"=
"f:\\=====Games=====\\Star Wars CW\\Republic Heroes.exe"=
"d:\\Games\\Majesty 2\\Majesty2.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"h:\\Warcraft III\\War3.exe"=
"d:\\Games\\Dragon Age\\bin_ship\\daorigins.exe"=
"d:\\Games\\Dragon Age\\DAOriginsLauncher.exe"=
"d:\\Games\\Dragon Age\\bin_ship\\daupdatersvc.service.exe"=
"d:\\Batman\\Binaries\\ShippingPC-BmGame.exe"=
"d:\\Mass Effect 2\\Binaries\\MassEffect2.exe"=
"d:\\Mass Effect 2\\MassEffect2Launcher.exe"=
"d:\\Games\\Mass Effect\\Binaries\\MassEffect.exe"=
"d:\\Games\\Mass Effect\\MassEffectLauncher.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"143:TCP"= 143:TCP:f

R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [27.10.2008 12:28 721904]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [25.10.2008 20:01 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [25.10.2008 20:01 20560]
S3 DAUpdaterSvc;Dragon Age: Prameny - aktualizace obsahu;d:\games\Dragon Age\bin_ship\daupdatersvc.service.exe [30.11.2009 20:53 25832]
.
Obsah adresáře 'Naplánované úlohy'

2010-02-19 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
.
.
------- Doplňkový sken -------
.
uStart Page = hxxp://www.google.cz/
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
IE: Download Using &BitSpirit - c:\program files\BitSpirit\bsurl.htm
IE: E&xportovat do aplikace Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: ÓñČĚŘľ«ÁéĎÂÔŘ(&B)
LSP: %SYSTEMROOT%\system32\nvappfilter.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-01 20:34
Windows 5.1.2600 Service Pack 2 NTFS

skenování skrytých procesů ...

skenování skrytých položek 'Po spuštění' ...

skenování skrytých souborů ...

sken byl úspešně dokončen
skryté soubory: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A8421F8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xba0ecfc3
\Driver\ACPI -> ACPI.sys @ 0xb9e66cb8
\Driver\atapi -> 0x8a8421f8
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x80582368
ParseProcedure -> ntkrnlpa.exe @ 0x80581462
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x80582368
ParseProcedure -> ntkrnlpa.exe @ 0x80581462
NDIS: NVIDIA nForce Networking Controller -> SendCompleteHandler -> NDIS.sys @ 0xb9ba8ba0
PacketIndicateHandler -> NDIS.sys @ 0xb9bb5b21
SendHandler -> NDIS.sys @ 0xb9b9387b
Warning: possible MBR rootkit infection !
user & kernel MBR OK

**************************************************************************
.
--------------------- Knihovny navázané na běžící procesy ---------------------

- - - - - - - > 'winlogon.exe'(804)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(860)
c:\windows\system32\nvappfilter.dll

- - - - - - - > 'explorer.exe'(2340)
c:\program files\RocketDock\RocketDock.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Nokia\Nokia PC Suite 6\PhoneBrowser.dll
c:\program files\Nokia\Nokia PC Suite 6\PCSCM.dll
c:\program files\Nokia\Nokia PC Suite 6\Lang\PhoneBrowser_cze.nlr
c:\program files\Nokia\Nokia PC Suite 6\Resource\PhoneBrowser_Nokia.ngr
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Jiné spuštené procesy ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
c:\program files\MagicTune Premium\MagicTuneEngine.exe
c:\program files\CDBurnerXP\NMSAccessU.exe
c:\program files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\PnkBstrB.exe
c:\program files\WakeMeUp\WMUSvc.exe
c:\program files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
c:\program files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
c:\program files\OpenOffice.org 2.0\program\soffice.exe
c:\program files\OpenOffice.org 2.0\program\soffice.BIN
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\windows\system32\wscntfy.exe
c:\program files\MagicTune Premium\MagicTune.exe
c:\windows\system32\wbem\wmiapsrv.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Celkový čas: 2010-03-01 20:38:02 - počítač byl restartován
ComboFix-quarantined-files.txt 2010-03-01 19:38
ComboFix2.txt 2010-03-01 19:08

Před spuštěním: 652 988 416
Po spuštění: 525 889 536

- - End Of File - - 4FC0A42F5300789E6CD5564EE955A218

[Filip.3k]

zšiřující informace
File size: 360576 bytes
MD5...: bb4d3a8e6f7eb1d370bc4ad27ab23368
SHA1..: d5f6e65957ab94a0efa59559f89f562810e320bf
SHA256: 6c1496f4f7e1a5a805a5f4ff2825cb94e3ed2e0400117eb5a3d1cba556ecc3fc
ssdeep: 6144:BJdNK+YwGGo8IUgMnxgcFqyFQlRQydc8ZCmu6CZTd1hj5dexlFr/g/aWeg:
BJdjNUM+44/8IAXpPk/+eg

PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x509a3
timedatestamp.....: 0x44477c19 (Thu Apr 20 12:18:33 2006)
machinetype.......: 0x14c (I386)

( 10 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x380 0x3ed0a 0x3ed80 6.59 3d39eabb5fe6e226f9971059adc60819
.rdata 0x3f100 0x574 0x580 4.43 8f982ab9274e5527a5bf3aecc0e92194
.data 0x3f680 0xa4a4 0xa500 0.06 7fa9cf89c9b147cbb03d6610d7fbb490
PAGE 0x49b80 0x1f2b 0x1f80 6.39 bbf6119ab3b8fd06c3ebe872f8f04726
PAGELK 0x4bb00 0x6f2 0x700 6.21 231535fad227db18635d563f03da08f0
PAGEIPMc 0x4c200 0x2781 0x2800 6.44 c18bc83144fe165bcde2eed11a40575b
.edata 0x4ea00 0x341 0x380 5.24 61d79737bb2c45af685c3155181fa50f
INIT 0x4ed80 0x5926 0x5980 6.20 435303cea88e06792806e00fe9cb417a
.rsrc 0x54700 0x3e0 0x400 3.35 8578c6662bbc74cf560ff8af8948fbdc
.reloc 0x54b00 0x3580 0x3580 6.82 bbc537be0f4cc4ac037f99ea22b61126

( 4 imports )
> HAL.dll: KfLowerIrql, KeRaiseIrqlToDpcLevel, KfReleaseSpinLock, KfAcquireSpinLock, KfRaiseIrql, KeGetCurrentIrql, KeQueryPerformanceCounter, ExAcquireFastMutex, ExReleaseFastMutex
> NDIS.SYS: NdisCloseAdapter, NdisCancelSendPackets, NdisFreePacket, NdisUnchainBufferAtFront, NdisCompletePnPEvent, NdisFreePacketPool, NdisRequest, NdisAllocatePacket, NdisFreeMemory, NdisQueryAdapterInstanceName, NdisGetDriverHandle, NdisOpenAdapter, NdisAllocatePacketPoolEx, NdisGetReceivedPacket, NdisRegisterProtocol, NdisAllocateBuffer, NdisSetPacketPoolProtocolId, NdisReturnPackets, NdisCopyBuffer, NdisAllocateBufferPool, NdisFreeBufferPool, NdisReEnumerateProtocolBindings, NdisCompleteBindAdapter
> ntoskrnl.exe: IoCreateDevice, _wcsicmp, wcscpy, wcsncpy, wcschr, ZwSetInformationThread, KeLeaveCriticalRegion, KeEnterCriticalRegion, KeQueryTimeIncrement, KeSetEvent, IoDeleteSymbolicLink, ExDeleteNPagedLookasideList, KeDelayExecutionThread, ZwOpenKey, KeSetTimerEx, KeInitializeTimer, KeInitializeDpc, ExInitializeNPagedLookasideList, MmLockPagableSectionByHandle, ZwQueryValueKey, ZwSetValueKey, InterlockedPopEntrySList, InterlockedPushEntrySList, ExIsProcessorFeaturePresent, RtlAddAccessAllowedAce, RtlCreateAcl, RtlLengthSid, SeExports, RtlMapGenericMask, IoGetFileObjectGenericMapping, ObReleaseObjectSecurity, SeSetSecurityDescriptorInfo, RtlLengthSecurityDescriptor, RtlSetDaclSecurityDescriptor, RtlCreateSecurityDescriptor, ObGetObjectSecurity, IofCallDriver, IoBuildDeviceIoControlRequest, IoGetDeviceObjectPointer, ObfDereferenceObject, RtlAddAce, RtlGetAce, IoCreateSymbolicLink, RtlInitializeSid, RtlLengthRequiredSid, ObSetSecurityObjectByPointer, RtlSelfRelativeToAbsoluteSD, RtlGetSaclSecurityDescriptor, RtlGetGroupSecurityDescriptor, RtlGetOwnerSecurityDescriptor, RtlGetDaclSecurityDescriptor, RtlVerifyVersionInfo, VerSetConditionMask, IoWMIRegistrationControl, IoGetCurrentProcess, KeInitializeTimerEx, RtlExtendedIntegerMultiply, KeQueryInterruptTime, _aulldiv, DbgBreakPoint, KeSetTargetProcessorDpc, RtlSetBit, SeUnlockSubjectContext, SeAccessCheck, SeLockSubjectContext, ObDereferenceSecurityDescriptor, PsGetCurrentProcessId, RtlWalkFrameChain, ExNotifyCallback, ExCreateCallback, ObReferenceObjectByHandle, MmUnlockPages, SeFreePrivileges, SeAppendPrivileges, ObLogSecurityDescriptor, SeAssignSecurity, IoFileObjectType, MmProbeAndLockPages, IoAllocateMdl, _except_handler3, ProbeForWrite, ObfReferenceObject, PsGetCurrentProcess, RtlPrefetchMemoryNonTemporal, KeInitializeMutex, MmIsThisAnNtAsSystem, KeWaitForSingleObject, KeReleaseMutex, KeReadStateEvent, IoDeleteDevice, ZwEnumerateValueKey, RtlUnicodeStringToInteger, RtlIpv4StringToAddressW, RtlTimeToTimeFields, ExLocalTimeToSystemTime, RtlExtendedMagicDivide, RtlAppendUnicodeToString, ZwClose, _allmul, MmQuerySystemSize, RtlCompareUnicodeString, RtlInitializeBitMap, RtlClearAllBits, RtlSetBits, wcslen, RtlAreBitsSet, RtlClearBits, RtlFindClearBitsAndSet, RtlFindClearRuns, DbgPrint, memmove, RtlCopyUnicodeString, RtlAppendUnicodeStringToString, ZwLoadDriver, KeResetEvent, IoAcquireCancelSpinLock, IoReleaseCancelSpinLock, IofCompleteRequest, ExfInterlockedAddUlong, MmMapLockedPagesSpecifyCache, IoFreeMdl, ExfInterlockedInsertTailList, RtlInitUnicodeString, MmMapLockedPages, KeNumberProcessors, RtlUnicodeStringToAnsiString, MmLockPagableDataSection, MmUnlockPagableImageSection, RtlCompareMemory, ExAllocatePoolWithTag, KeCancelTimer, KeClearEvent, RtlAnsiStringToUnicodeString, IoRaiseInformationalHardError, KeInitializeEvent, ExFreePoolWithTag, ExAllocatePoolWithTagPriority, KeInitializeSpinLock, _alldiv, KeQuerySystemTime, KefAcquireSpinLockAtDpcLevel, KefReleaseSpinLockFromDpcLevel, KeBugCheckEx, RtlSubAuthoritySid, KeTickCount, MmBuildMdlForNonPagedPool, ZwDeviceIoControlFile, ZwCreateFile
> TDI.SYS: CTESystemUpTime, CTEBlock, CTELogEvent, CTESignal, CTEBlockWithTracker, CTEStartTimer, CTEInitEvent, CTEScheduleDelayedEvent, CTEInitTimer, TdiProviderReady, CTEInitialize, TdiDeregisterNetAddress, TdiRegisterNetAddress, TdiDeregisterDeviceObject, TdiRegisterDeviceObject, TdiDeregisterProvider, TdiRegisterProvider, TdiPnPPowerRequest, TdiCopyMdlChainToMdlChain, TdiInitialize, TdiDeregisterPnPHandlers, TdiRegisterPnPHandlers, CTEScheduleEvent, TdiCopyBufferToMdl, CTERemoveBlockTracker, CTEInsertBlockTracker, TdiMapUserRequest, TdiCopyBufferToMdlWithReservedMappingAtDpcLevel

( 31 exports )
ARPRcv, ARPRcvPacket, FreeIprBuff, GetIFAndLink, IPAddInterface, IPAllocBuff, IPDelInterface, IPDelayedNdisReEnumerateBindings, IPDeregisterARP, IPDisableSniffer, IPEnableSniffer, IPFreeBuff, IPGetAddrType, IPGetBestInterface, IPGetInfo, IPInjectPkt, IPProxyNdisRequest, IPRcvComplete, IPRcvPacket, IPRegisterARP, IPRegisterProtocol, IPSetIPSecStatus, IPTransmit, LookupRoute, LookupRouteInformation, LookupRouteInformationWithBuffer, SendICMPErr, SetIPSecPtr, UnSetIPSecPtr, UnSetIPSecSendPtr, tcpxsum

RDS...: NSRL Reference Data Set
-
pdfid.: -
trid..: Win32 Executable Generic (68.0%)
Generic Win/DOS Executable (15.9%)
DOS Executable Generic (15.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
sigcheck:
publisher....: Microsoft Corporation
copyright....: (c) Microsoft Corporation. All rights reserved.
product......: Microsoft_ Windows_ Operating System
description..: TCP/IP Protocol Driver
original name: tcpip.sys
internal name: tcpip.sys
file version.: 5.1.2600.2892 (xpsp.060420-0256)
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned

[Filip.3k]

Rozšiřující informace
File size: 1548288 bytes
MD5...: 84f5fa7480e5680b8dd5a90ce7d8ca73
SHA1..: 0d1b463f94791e050e0f46aad8c785474c931dc5
SHA256: 1f600ee08e78a8986f0d07fe8020e06d6ec4ddf511e5e38443b295968fdfc991
ssdeep: 3072:pr9go8gaaP3ZlRhuqCC/zqDRnz4yDx8waoaR509vqGa9kSaDJpJ8WFU:p/b
aE9LzqnDxhl9vqG9SaDH

PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x120d
timedatestamp.....: 0x41107c2b (Wed Aug 04 06:03:23 2004)
machinetype.......: 0x14c (I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0xcbf 0xe00 5.91 42137068c1332859090f264da2f41dad
.data 0x2000 0x16eb48 0x16ec00 3.27 3c3a44bd2be7c083eda4f88de7352461
.rsrc 0x171000 0x418 0x600 2.54 c123fdd41b8b0efeb7beb0a0084a77f0
.reloc 0x172000 0x9a68 0x9c00 5.76 6255caf193acb80badcce29f8698e69c

( 1 imports )
> ntdll.dll: LdrDisableThreadCalloutsForDll, NtClose, NtQueryValueKey, NtOpenKey, RtlInitUnicodeString, RtlGetVersion, NtTerminateProcess, RtlUnhandledExceptionFilter, RtlUnwind, NtQueryVirtualMemory

( 1 exports )
SfcGetFiles

RDS...: NSRL Reference Data Set
-
pdfid.: -
trid..: Win32 Executable Generic (68.0%)
Generic Win/DOS Executable (15.9%)
DOS Executable Generic (15.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
sigcheck:
publisher....: Microsoft Corporation
copyright....: (c) Microsoft Corporation. All rights reserved.
product......: Microsoft_ Windows_ Operating System
description..: Windows 2000 System File Checker
original name: sfcfiles.dll
internal name: sfcfiles.dll
file version.: 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned

[Caroprd111]

Tohle jsou jen rozšiřující informace, po dokončení testu na VT sem zkopírujte jen odkaz.

[Filip.3k]

http://www.virustotal.com/cs/analisis/1 ... 1267472719


http://www.virustotal.com/cs/analisis/6 ... 1267472413

[Caroprd111]

Odinstalujte všechny emulátory virtuálních mechanik

Stáhněte SPTD http://www.duplexsecure.com/en/downloads

• Vyberte verzi podle svého operačního systému (64 & 32b). Uložte na plochu a spusťte.
• zvolte možnost Uninstall a restartujte PC.

Stáhněte MBR na plochu http://www2.gmer.net/mbr/mbr.exe

Start > Spustit (Win + R)

• Vyskočí okénko, zkopírujte do něj:

Kód: Vybrat vše

"%userprofile%\plocha\mbr" -t

• Klikněte na OK

• Vytvoří se log s názvem mbr.log, vložte ho sem.

Dejte log z Gmer http://www.viry.cz/forum/viewtopic.php?f=29&t=62878

[Filip.3k]

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A8421F8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\atapi -> 0x8a8421f8
Warning: possible MBR rootkit infection !
user & kernel MBR OK
Use "Recovery Console" command "fixmbr" to clear infection !

[Caroprd111]

OK, ještě Gmer.

[Filip.3k]

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit quick scan 2010-03-01 21:11:11
Windows 5.1.2600 Service Pack 2
Running: gmer.exe; Driver: C:\DOCUME~1\MD2FA2~1.THR\LOCALS~1\Temp\kxldypow.sys


---- System - GMER 1.0.15 ----

SSDT spne.sys ZwEnumerateKey [0xB9EC5CA4]
SSDT spne.sys ZwEnumerateValueKey [0xB9EC6032]

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 8A7CD1F8

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Ip NVTcp.sys (NVIDIA Networking Protocol Driver./NVIDIA Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

---- EOF - GMER 1.0.15 ----

[Caroprd111]

Log 1 je OK, ještě log 2.