
PC disinfection, computer speed-up, remote assistance via the neslape.cz service
please check my log, I'm sure there's something in it
Forum rules
If you want help, post a log from FRST [guide here] or RSIT [guide here]
Individual threads will be locked once resolved, as will those inactive for more than 14 days. See the Rule on locking topics. Thank you for your understanding.
!NEWS!
You can now use the remote assistance service, where an expert connects to your computer and obtains further details about the problem from you by phone! More at www.neslape.cz
the computer is acting up, it freezes every now and then, etc. Thank you.
Logfile of random's system information tool 1.06 (written by random/random)
Run by User at 2010-03-07 21:16:21
Microsoft Windows XP Home Edition Service Pack 3
System drive C: has 12 GB (16%) free of 76 GB
Total RAM: 734 MB (63% free)
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:16:38, on 7. 3. 2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16981)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\User\dlvs.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\OVISLINK\Common\AirliveUI.exe
c:\program files\adobe\reader 9.0\reader\reader_sl .exe
c:\program files\hpq\quick launch buttons\eabservr .exe
c:\windows\system32\hkcmd .exe
C:\Documents and Settings\User\Desktop\RSIT.exe
C:\Program Files\trend micro\User.exe
c:\program files\internet explorer\wmpscfgs.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
c:\program files\internet explorer\wmpscfgs.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: RadarSync Toolbar - {399d96ca-6f9a-4fff-95fe-284e45ebb935} - C:\Program Files\RadarSync\tbRad0.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\Documents and Settings\User\dlvs.exe \s
O2 - BHO: Adobe PDF Link Helper - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: RadarSync Toolbar - {399d96ca-6f9a-4fff-95fe-284e45ebb935} - C:\Program Files\RadarSync\tbRad0.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: RadarSync Toolbar - {399d96ca-6f9a-4fff-95fe-284e45ebb935} - C:\Program Files\RadarSync\tbRad0.dll
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [djj] C:\WINDOWS\system32\djj.exe \u
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKUS\S-1-5-21-606747145-1708537768-854245398-1007\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'postgres')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: AirLive 802.11G Wireless Utility.lnk = C:\Program Files\OVISLINK\Common\AirliveUI.exe
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\User\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk (HKCU)
O9 - Extra 'Tools' menuitem: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\User\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk (HKCU)
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O21 - SSODL: aWPvmnXphxpKAs - {2CBE601E-8614-CAB4-107F-149C5FF532E1} - C:\WINDOWS\system32\gca.dll
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: PostgreSQL Server 8.4 (postgresql-8.4) - PostgreSQL Global Development Group - C:/Program Files/PostgreSQL/8.4/bin/pg_ctl.exe
--
End of file - 5940 bytes
======Registry dump======
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
Adobe PDF Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2009-02-27 75128]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2F364306-AA45-47B5-9F9D-39A8B94E7EF7}]
FGCatchUrl - C:\Program Files\FlashGet\jccatch.dll [2007-08-06 94308]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{399d96ca-6f9a-4fff-95fe-284e45ebb935}]
RadarSync Toolbar - C:\Program Files\RadarSync\tbRad0.dll [2009-07-24 2215960]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}]
AVG Safe Search - C:\Program Files\AVG\AVG8\avgssie.dll []
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
SSVHelper Class - C:\Program Files\Java\jre6\bin\ssv.dll [2009-03-09 320920]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java(tm) Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2009-03-09 35840]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2009-03-09 73728]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F156768E-81EF-470C-9057-481BA8380DBA}]
FlashGet GetFlash Class - C:\Program Files\FlashGet\getflash.dll [2007-05-18 163840]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{399d96ca-6f9a-4fff-95fe-284e45ebb935} - RadarSync Toolbar - C:\Program Files\RadarSync\tbRad0.dll [2009-07-24 2215960]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"eabconfg.cpl"=C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe [2010-03-07 40448]
"SynTPLpr"=C:\Program Files\Synaptics\SynTP\SynTPLpr.exe [2010-03-07 40448]
"SynTPEnh"=C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2010-03-07 40448]
"IgfxTray"=C:\WINDOWS\system32\igfxtray.exe [2010-03-07 40448]
"HotKeysCmds"=C:\WINDOWS\system32\hkcmd.exe [2010-03-07 40448]
"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2010-03-07 40448]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe []
"djj"=C:\WINDOWS\system32\djj.exe [2010-03-07 40448]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"=C:\WINDOWS\system32\ctfmon.exe [2008-04-14 15360]
"Skype"=C:\Program Files\Skype\Phone\Skype.exe [2009-10-09 25623336]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"JavaQuickStarterService"=2
"hpqwmi"=3
"avg8wd"=2
"avg8emc"=2
C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup
AirLive 802.11G Wireless Utility.lnk - C:\Program Files\OVISLINK\Common\AirliveUI.exe
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\WINDOWS\system32\igfxsrvc.dll [2004-10-08 344064]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]
aWPvmnXphxpKAs - {2CBE601E-8614-CAB4-107F-149C5FF532E1} - C:\WINDOWS\system32\gca.dll [2009-03-21 32768]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=323
"NoDriveAutoRun"=67108863
"NoDrives"=0
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=
"NoDriveAutoRun"=
"NoDriveTypeAutoRun"=
"NoDrives"=
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\FlashGet\flashget.exe"="C:\Program Files\FlashGet\flashget.exe:*:Enabled:Flashget"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Ventrilo\Ventrilo.exe"="C:\Program Files\Ventrilo\Ventrilo.exe:*:Enabled:Ventrilo.exe"
"C:\Program Files\Mozilla Firefox\firefox.exe"="C:\Program Files\Mozilla Firefox\firefox.exe:*:Enabled:Firefox"
"C:\Documents and Settings\User\temp\TeamViewer\Version5\TeamViewer.exe"="C:\Documents and Settings\User\temp\TeamViewer\Version5\TeamViewer.exe:*:Enabled:TeamViewer"
"C:\Program Files\Skype\Plugin Manager\skypePM.exe"="C:\Program Files\Skype\Plugin Manager\skypePM.exe:*:Enabled:Skype Extras Manager"
"C:\WINDOWS\system32\djj.exe"="C:\WINDOWS\system32\djj.exe:*:Enabled:ENABLE"
"C:\Documents and Settings\User\dlvs.exe"="C:\Documents and Settings\User\dlvs.exe:*:Enabled:ENABLE"
"C:\Program Files\Skype\Phone\Skype.exe"="C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5d777c80-0e02-11de-b9c3-004f6a03ce52}]
shell\AutoRun\command - E:\c2e.exe
shell\open\command - E:\c2e.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{97f3a7e0-e0b9-11dd-aed0-004f6a03ce52}]
shell\AutoRun\command - F:\ws.exe
shell\open\command - F:\ws.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b61fd360-2858-11df-ba79-00c09f4d3433}]
shell\AutoRun\command - E:\fk.exe
shell\open\command - E:\fk.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f59fab01-23d2-11df-ba76-00c09f4d3433}]
shell\AutoRun\command - D:\s1.exe
shell\open\command - D:\s1.exe
======List of files/folders created in the last 1 months======
2010-03-02 15:47:26 ----SHD---- C:\RECYCLER
2010-02-27 19:55:31 ----A---- C:\ComboFix.txt
2010-02-27 19:49:27 ----SD---- C:\ComboFix
2010-02-27 19:35:29 ----D---- C:\_OTM
2010-02-27 19:29:54 ----A---- C:\WINDOWS\system32\igfxtray.exe
2010-02-27 15:47:20 ----D---- C:\rsit
2010-02-24 08:00:26 ----HDC---- C:\WINDOWS\$NtUninstallKB979306$
2010-02-20 22:41:13 ----A---- C:\WINDOWS\system32\hkcmd.exe.delme44
2010-02-20 22:41:13 ----A---- C:\WINDOWS\system32\hkcmd.exe
2010-02-10 08:04:45 ----HDC---- C:\WINDOWS\$NtUninstallKB978262$
2010-02-10 08:04:38 ----HDC---- C:\WINDOWS\$NtUninstallKB971468$
2010-02-10 08:01:38 ----HDC---- C:\WINDOWS\$NtUninstallKB978037$
2010-02-10 08:01:31 ----HDC---- C:\WINDOWS\$NtUninstallKB975713$
2010-02-10 08:01:25 ----HDC---- C:\WINDOWS\$NtUninstallKB978251$
2010-02-10 08:01:18 ----HDC---- C:\WINDOWS\$NtUninstallKB975560$
2010-02-10 08:01:09 ----HDC---- C:\WINDOWS\$NtUninstallKB977914$
2010-02-10 08:01:00 ----HDC---- C:\WINDOWS\$NtUninstallKB978706$
2010-02-10 08:00:49 ----HDC---- C:\WINDOWS\$NtUninstallKB977165$
2010-02-09 05:38:30 ----D---- C:\Documents and Settings\All Users.WINDOWS\Application Data\XHEO INC
2010-02-09 05:32:20 ----D---- C:\PSQLINSTALL
2010-02-09 05:32:11 ----D---- C:\Program Files\RVG Software
2010-02-09 04:51:46 ----D---- C:\Lestatos hands
2010-02-08 05:02:11 ----A---- C:\WINDOWS\HMHud.INI
2010-02-08 04:15:06 ----D---- C:\Program Files\PostgreSQL
======List of files/folders modified in the last 1 months======
2010-03-07 21:16:41 ----A---- C:\WINDOWS\system32\djj.exe
2010-03-07 21:16:40 ----D---- C:\WINDOWS\system32
2010-03-07 21:16:36 ----D---- C:\Documents and Settings\User\Application Data\Skype
2010-03-07 21:16:34 ----RD---- C:\Program Files
2010-03-07 21:16:24 ----D---- C:\Program Files\Trend Micro
2010-03-07 19:28:22 ----D---- C:\WINDOWS\Prefetch
2010-03-07 19:26:21 ----AD---- C:\WINDOWS\temp
2010-03-07 19:25:16 ----D---- C:\Program Files\PokerStars
2010-03-07 19:23:56 ----A---- C:\WINDOWS\SchedLgU.Txt
2010-03-07 19:18:44 ----D---- C:\Documents and Settings\User\Application Data\skypePM
2010-03-06 23:44:28 ----D---- C:\Program Files\Full Tilt Poker
2010-03-05 14:12:10 ----D---- C:\WINDOWS\system32\CatRoot2
2010-03-04 17:49:42 ----D---- C:\Program Files\FlashGet
2010-03-02 15:48:25 ----D---- C:\Downloads
2010-03-02 10:16:50 ----HD---- C:\WINDOWS\inf
2010-02-27 19:55:33 ----D---- C:\WINDOWS\system32\drivers
2010-02-27 19:55:33 ----D---- C:\Qoobox
2010-02-27 19:53:21 ----D---- C:\WINDOWS
2010-02-27 19:53:21 ----A---- C:\WINDOWS\system.ini
2010-02-24 19:32:37 ----D---- C:\Documents and Settings\User\Application Data\dvdcss
2010-02-19 18:27:32 ----AC---- C:\WINDOWS\wincmd.ini
2010-02-10 08:04:47 ----A---- C:\WINDOWS\imsins.BAK
2010-02-10 08:04:44 ----HD---- C:\WINDOWS\$hf_mig$
2010-02-10 08:04:40 ----RSHDC---- C:\WINDOWS\system32\dllcache
2010-02-09 05:49:21 ----D---- C:\HMArchive
2010-02-09 05:34:50 ----D---- C:\Documents and Settings
2010-02-09 05:33:07 ----SHD---- C:\WINDOWS\Installer
2010-02-09 05:32:56 ----SHD---- C:\Config.Msi
2010-02-09 05:32:32 ----D---- C:\WINDOWS\WinSxS
2010-02-09 05:29:53 ----D---- C:\Program Files\Instal
======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======
R1 eabfiltr;EABFiltr; \??\C:\WINDOWS\system32\drivers\EABFiltr.sys []
R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-13 36352]
R1 WmiAcpi;Microsoft Windows Management Interface for ACPI; C:\WINDOWS\system32\DRIVERS\wmiacpi.sys [2008-04-13 8832]
R2 AegisP;AEGIS Protocol (IEEE 802.1x) v3.5.3.0; C:\WINDOWS\system32\DRIVERS\AegisP.sys [2008-11-16 21419]
R3 CAMCAUD;Conexant AMC 3D Environmental Audio; C:\WINDOWS\system32\drivers\camcaud.sys [2004-06-28 292864]
R3 CAMCHALA;CAMCHALA; C:\WINDOWS\system32\drivers\camchal.sys [2004-06-28 276480]
R3 CmBatt;Microsoft ACPI Control Method Battery Driver; C:\WINDOWS\system32\DRIVERS\CmBatt.sys [2008-04-13 13952]
R3 ialm;ialm; C:\WINDOWS\system32\DRIVERS\ialmnt5.sys [2004-10-08 752093]
R3 RT73;AirLive WT-2000USB; C:\WINDOWS\system32\DRIVERS\rt73.sys [2007-09-30 451968]
R3 rtl8139;Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver; C:\WINDOWS\system32\DRIVERS\RTL8139.SYS [2004-08-03 20992]
R3 SynTP;Synaptics TouchPad Driver; C:\WINDOWS\system32\DRIVERS\SynTP.sys [2004-11-04 186016]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-13 20608]
S3 catchme;catchme; \??\C:\DOCUME~1\User\LOCALS~1\Temp\catchme.sys []
S3 eabusb;eabusb; \??\C:\WINDOWS\system32\drivers\eabusb.sys []
S3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
S3 lmimirr;lmimirr; C:\WINDOWS\system32\DRIVERS\lmimirr.sys []
S3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160]
S3 TVICHW32;TVICHW32; \??\C:\WINDOWS\system32\DRIVERS\TVICHW32.SYS []
S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-13 32128]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
S3 WpdUsb;WpdUsb; C:\WINDOWS\system32\DRIVERS\wpdusb.sys [2006-10-18 38528]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2009-03-09 152984]
R2 postgresql-8.4;PostgreSQL Server 8.4; C:/Program Files/PostgreSQL/8.4/bin/pg_ctl.exe runservice -N postgresql-8.4 -D C:/Program Files/PostgreSQL/8.4/data -w []
R2 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-14 17408]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2008-07-25 34312]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2008-07-25 69632]
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe [2008-07-29 46104]
S3 idsvc;Windows CardSpace; c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2008-07-29 881664]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]
S4 hpqwmi;HP WMI Interface; C:\Program Files\HPQ\SHARED\HPQWMI.exe [2004-11-17 98304]
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2008-07-29 132096]
-----------------EOF-----------------
2010-02-10 08:01:09 ----HDC---- C:\WINDOWS\$NtUninstallKB977914$
2010-02-10 08:01:00 ----HDC---- C:\WINDOWS\$NtUninstallKB978706$
2010-02-10 08:00:49 ----HDC---- C:\WINDOWS\$NtUninstallKB977165$
2010-02-09 05:38:30 ----D---- C:\Documents and Settings\All Users.WINDOWS\Application Data\XHEO INC
2010-02-09 05:32:20 ----D---- C:\PSQLINSTALL
2010-02-09 05:32:11 ----D---- C:\Program Files\RVG Software
2010-02-09 04:51:46 ----D---- C:\Lestatos hands
2010-02-08 05:02:11 ----A---- C:\WINDOWS\HMHud.INI
2010-02-08 04:15:06 ----D---- C:\Program Files\PostgreSQL
======List of files/folders modified in the last 1 months======
2010-03-07 21:16:41 ----A---- C:\WINDOWS\system32\djj.exe
2010-03-07 21:16:40 ----D---- C:\WINDOWS\system32
2010-03-07 21:16:36 ----D---- C:\Documents and Settings\User\Application Data\Skype
2010-03-07 21:16:34 ----RD---- C:\Program Files
2010-03-07 21:16:24 ----D---- C:\Program Files\Trend Micro
2010-03-07 19:28:22 ----D---- C:\WINDOWS\Prefetch
2010-03-07 19:26:21 ----AD---- C:\WINDOWS\temp
2010-03-07 19:25:16 ----D---- C:\Program Files\PokerStars
2010-03-07 19:23:56 ----A---- C:\WINDOWS\SchedLgU.Txt
2010-03-07 19:18:44 ----D---- C:\Documents and Settings\User\Application Data\skypePM
2010-03-06 23:44:28 ----D---- C:\Program Files\Full Tilt Poker
2010-03-05 14:12:10 ----D---- C:\WINDOWS\system32\CatRoot2
2010-03-04 17:49:42 ----D---- C:\Program Files\FlashGet
2010-03-02 15:48:25 ----D---- C:\Downloads
2010-03-02 10:16:50 ----HD---- C:\WINDOWS\inf
2010-02-27 19:55:33 ----D---- C:\WINDOWS\system32\drivers
2010-02-27 19:55:33 ----D---- C:\Qoobox
2010-02-27 19:53:21 ----D---- C:\WINDOWS
2010-02-27 19:53:21 ----A---- C:\WINDOWS\system.ini
2010-02-24 19:32:37 ----D---- C:\Documents and Settings\User\Application Data\dvdcss
2010-02-19 18:27:32 ----AC---- C:\WINDOWS\wincmd.ini
2010-02-10 08:04:47 ----A---- C:\WINDOWS\imsins.BAK
2010-02-10 08:04:44 ----HD---- C:\WINDOWS\$hf_mig$
2010-02-10 08:04:40 ----RSHDC---- C:\WINDOWS\system32\dllcache
2010-02-09 05:49:21 ----D---- C:\HMArchive
2010-02-09 05:34:50 ----D---- C:\Documents and Settings
2010-02-09 05:33:07 ----SHD---- C:\WINDOWS\Installer
2010-02-09 05:32:56 ----SHD---- C:\Config.Msi
2010-02-09 05:32:32 ----D---- C:\WINDOWS\WinSxS
2010-02-09 05:29:53 ----D---- C:\Program Files\Instal
======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======
R1 eabfiltr;EABFiltr; \??\C:\WINDOWS\system32\drivers\EABFiltr.sys []
R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-13 36352]
R1 WmiAcpi;Microsoft Windows Management Interface for ACPI; C:\WINDOWS\system32\DRIVERS\wmiacpi.sys [2008-04-13 8832]
R2 AegisP;AEGIS Protocol (IEEE 802.1x) v3.5.3.0; C:\WINDOWS\system32\DRIVERS\AegisP.sys [2008-11-16 21419]
R3 CAMCAUD;Conexant AMC 3D Environmental Audio; C:\WINDOWS\system32\drivers\camcaud.sys [2004-06-28 292864]
R3 CAMCHALA;CAMCHALA; C:\WINDOWS\system32\drivers\camchal.sys [2004-06-28 276480]
R3 CmBatt;Microsoft ACPI Control Method Battery Driver; C:\WINDOWS\system32\DRIVERS\CmBatt.sys [2008-04-13 13952]
R3 ialm;ialm; C:\WINDOWS\system32\DRIVERS\ialmnt5.sys [2004-10-08 752093]
R3 RT73;AirLive WT-2000USB; C:\WINDOWS\system32\DRIVERS\rt73.sys [2007-09-30 451968]
R3 rtl8139;Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver; C:\WINDOWS\system32\DRIVERS\RTL8139.SYS [2004-08-03 20992]
R3 SynTP;Synaptics TouchPad Driver; C:\WINDOWS\system32\DRIVERS\SynTP.sys [2004-11-04 186016]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-13 20608]
S3 catchme;catchme; \??\C:\DOCUME~1\User\LOCALS~1\Temp\catchme.sys []
S3 eabusb;eabusb; \??\C:\WINDOWS\system32\drivers\eabusb.sys []
S3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
S3 lmimirr;lmimirr; C:\WINDOWS\system32\DRIVERS\lmimirr.sys []
S3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160]
S3 TVICHW32;TVICHW32; \??\C:\WINDOWS\system32\DRIVERS\TVICHW32.SYS []
S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-13 32128]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
S3 WpdUsb;WpdUsb; C:\WINDOWS\system32\DRIVERS\wpdusb.sys [2006-10-18 38528]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2009-03-09 152984]
R2 postgresql-8.4;PostgreSQL Server 8.4; C:/Program Files/PostgreSQL/8.4/bin/pg_ctl.exe runservice -N postgresql-8.4 -D C:/Program Files/PostgreSQL/8.4/data -w []
R2 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-14 17408]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2008-07-25 34312]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2008-07-25 69632]
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe [2008-07-29 46104]
S3 idsvc;Windows CardSpace; c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2008-07-29 881664]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]
S4 hpqwmi;HP WMI Interface; C:\Program Files\HPQ\SHARED\HPQWMI.exe [2004-11-17 98304]
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2008-07-29 132096]
-----------------EOF-----------------
- Caroprd111
- VIP
- Posts: 13492
- Registered: 22 Mar 2009 20:48
- Location: Třebíč
Re: please check my log, I'm sure there's something in there
ComboFix 10-03-07.02 - User . 03. 2010 21:31:31.4.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1250.421.1033.18.734.467 [GMT 1:00]
Running from: c:\documents and settings\User\Desktop\ComboFix.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\All Users.WINDOWS\Start Menu\PersonalAV
c:\documents and settings\All Users.WINDOWS\Start Menu\PersonalAV\Personal Antivirus.lnk
c:\documents and settings\All Users.WINDOWS\Start Menu\PersonalAV\Uninstall.lnk
c:\documents and settings\User\hrsrw.exe
c:\documents and settings\User\secupdat.dat
c:\program files\Common Files\Uninstall
c:\program files\Common Files\Uninstall\PersonalAV\Uninstall.lnk
c:\program files\Internet Explorer\wmpscfgs.exe
C:\restore
C:\root
c:\windows\system32\ctfmon .exe
c:\windows\system32\djj .exe
c:\windows\system32\hkcmd .exe
c:\windows\system32\igfxtray .exe
c:\windows\system32\secupdat.dat
.
((((((((((((((((((((((((( Files Created from 2010-02-07 to 2010-03-07 )))))))))))))))))))))))))))))))
.
2010-03-07 20:31 . 2010-03-07 20:31 4 ----a-w- c:\program files\953881.dat
2010-03-07 20:28 . 2010-03-07 20:28 4 ----a-w- c:\program files\757709.dat
2010-03-07 18:17 . 2010-03-07 18:17 4 ----a-w- c:\program files\14715770.dat
2010-02-27 18:35 . 2010-02-27 18:35 -------- d-----w- C:\_OTM
2010-02-27 18:29 . 2010-03-07 20:28 40448 ----a-w- c:\windows\system32\igfxtray.exe
2010-02-27 18:28 . 2010-02-27 18:28 4 ----a-w- c:\program files\130786430.dat
2010-02-27 14:47 . 2010-02-27 14:47 -------- d-----w- C:\rsit
2010-02-26 06:07 . 2010-02-26 06:07 4 ----a-w- c:\program files\462598391.dat
2010-02-20 21:41 . 2010-03-07 20:16 40448 ----a-w- c:\windows\system32\hkcmd.exe
2010-02-09 04:38 . 2010-02-09 04:38 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\XHEO INC
2010-02-09 04:32 . 2010-02-09 04:37 -------- d-----w- C:\PSQLINSTALL
2010-02-09 04:32 . 2010-02-09 04:32 -------- d-----w- c:\program files\RVG Software
2010-02-09 03:51 . 2010-02-09 03:55 -------- d-----w- C:\Lestatos hands
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-07 20:28 . 2010-01-17 14:35 40448 ----a-w- c:\windows\system32\djj.exe
2010-03-07 20:26 . 2010-01-18 08:28 -------- d-----w- c:\documents and settings\User\Application Data\Skype
2010-03-07 20:16 . 2009-06-28 08:16 -------- d-----w- c:\program files\Trend Micro
2010-03-07 18:25 . 2009-07-26 05:13 -------- d-----w- c:\program files\PokerStars
2010-03-07 18:18 . 2008-11-10 15:13 -------- d-----w- c:\documents and settings\User\Application Data\skypePM
2010-03-07 12:43 . 2008-11-08 14:13 1 ----a-w- c:\documents and settings\User\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-03-06 22:44 . 2010-02-03 16:22 -------- d-----w- c:\program files\Full Tilt Poker
2010-03-04 16:49 . 2008-09-06 16:23 -------- d-----w- c:\program files\FlashGet
2010-02-24 18:32 . 2009-04-21 07:54 -------- d-----w- c:\documents and settings\User\Application Data\dvdcss
2010-02-09 04:33 . 2010-02-08 03:15 -------- d-----w- c:\program files\PostgreSQL
2010-02-09 04:29 . 2008-08-25 14:27 -------- d-----w- c:\program files\Instal
2010-02-05 15:30 . 2010-02-05 15:30 4 ----a-w- c:\program files\55993814.dat
2010-02-01 15:50 . 2010-02-01 15:50 79488 ----a-w- c:\documents and settings\User\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-01-29 11:36 . 2010-01-29 11:36 4 ----a-w- c:\program files\245954854.dat
2010-01-18 08:28 . 2008-09-05 10:44 -------- d-----r- c:\program files\Skype
2010-01-18 08:28 . 2008-11-10 15:11 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Skype
2010-01-17 14:34 . 2010-01-17 14:35 58368 ---h--w- c:\documents and settings\User\dlvs.exe
2010-01-15 19:44 . 2008-09-05 10:44 -------- d-----w- c:\program files\Common Files\Skype
2010-01-14 08:13 . 2010-01-14 08:13 -------- d-----w- c:\documents and settings\User\Application Data\TeamViewer
2010-01-12 12:59 . 2009-07-16 05:59 -------- d-----w- c:\program files\Ashampoo
2010-01-05 10:00 . 2006-02-28 12:00 832512 ----a-w- c:\windows\system32\wininet.dll
2010-01-05 10:00 . 2008-11-12 02:22 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-05 10:00 . 2008-11-12 02:21 17408 ----a-w- c:\windows\system32\corpol.dll
2009-12-31 16:50 . 2008-11-12 02:20 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-16 18:43 . 2008-11-12 02:21 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:08 . 2008-11-12 02:20 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-08 19:27 . 2008-11-12 02:20 2189184 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-12-08 18:43 . 2008-11-12 02:20 2066048 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-06-30 08:29 . 2009-06-30 08:29 308160 ----a-w- c:\program files\avast_home_setup.exe
2009-06-28 08:16 . 2009-06-28 08:16 812344 ----a-w- c:\program files\HJTInstall.exe
2009-06-28 08:09 . 2009-05-26 06:01 31863808 ----a-w- c:\program files\eav_nt32_csy.msi
2009-06-11 06:53 . 2009-06-11 06:53 84 ----a-w- c:\program files\b3348.ram
2009-06-09 14:20 . 2009-06-09 14:14 21646127 ----a-w- c:\program files\scribus-1.3.3.13-win32-install.exe
2009-06-09 12:51 . 2009-06-09 12:49 3371384 ----a-w- c:\program files\mbam-setup.exe
2009-06-09 11:40 . 2009-06-09 11:34 21135160 ----a-w- c:\program files\scribus-1.3.3.13-os2-20090501.zip
2009-06-09 11:34 . 2009-06-09 11:29 11909804 ----a-w- c:\program files\scribus-1.3.3.13.7z
2009-06-07 11:30 . 2009-06-07 11:29 17900221 ----a-w- c:\program files\0108.pdf
2009-06-07 10:24 . 2009-06-07 10:24 1815369 ----a-w- c:\program files\gbgallerylitesetup.exe
2009-05-26 06:42 . 2009-05-26 06:41 1880289 ----a-w- c:\program files\radarsync.exe
2009-05-24 09:16 . 2009-05-24 09:10 12743232 ----a-w- c:\program files\WinMPG_VideoConvert_Setup-20016.exe
2009-05-24 05:35 . 2009-05-24 05:35 453824 ----a-w- c:\program files\driveragent_488.exe
2009-05-19 12:26 . 2009-05-19 12:24 10143072 ----a-w- c:\program files\AbsolutePoker8_7_6.exe
2009-05-18 15:11 . 2009-05-18 15:09 10770432 ----a-w- c:\program files\LogMeIn.msi
2009-05-06 23:25 . 2009-06-29 17:57 546688 ----a-w- c:\program files\autorunsc.exe
2009-05-06 23:25 . 2009-06-29 17:57 654208 ----a-w- c:\program files\autoruns.exe
2008-12-16 14:46 . 2009-06-29 17:57 49244 ----a-w- c:\program files\autoruns.chm
2006-07-28 06:32 . 2009-06-29 17:57 7005 ------w- c:\program files\Eula.txt
.
------- Sigcheck -------
[7] 2008-04-14 . BF2466B3E18E970D8A976FB95FC1CA85 . 13312 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\lsass.exe
[-] 2008-04-14 . D41D8CD98F00B204E9800998ECF8427E . 14848 . . [5.1.2600.5512] . . c:\windows\system32\lsass.exe
[7] 2006-02-28 . 84885F9B82F4D55C6146EBF6065D75D2 . 13312 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\lsass.exe
[-] 2009-02-06 . D41D8CD98F00B204E9800998ECF8427E . 113152 . . [5.1.2600.5755] . . c:\windows\system32\services.exe
[7] 2009-02-06 . 020CEAAEDC8EB655B6506B8C70D53BB6 . 110592 . . [5.1.2600.5755] . . c:\windows\$hf_mig$\KB956572\SP3QFE\services.exe
[7] 2008-04-14 . 0E776ED5F7CC9F94299E70461B7B8185 . 108544 . . [5.1.2600.5512] . . c:\windows\$NtUninstallKB956572$\services.exe
[7] 2008-04-14 . 0E776ED5F7CC9F94299E70461B7B8185 . 108544 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\services.exe
[7] 2006-02-28 . C6CE6EEC82F187615D1002BB3BB50ED4 . 108032 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\services.exe
[7] 2008-04-14 . D8E14A61ACC1D4A6CD0D38AEBAC7FA3B . 57856 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\spoolsv.exe
[-] 2008-04-14 . D41D8CD98F00B204E9800998ECF8427E . 58880 . . [5.1.2600.5512] . . c:\windows\system32\spoolsv.exe
[7] 2006-02-28 . 7435B108B935E42EA92CA94F59C8E717 . 57856 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\spoolsv.exe
[7] 2008-04-14 . ED0EF0A136DEC83DF69F04118870003E . 507904 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\winlogon.exe
[-] 2008-04-14 . D41D8CD98F00B204E9800998ECF8427E . 512000 . . [5.1.2600.5512] . . c:\windows\system32\winlogon.exe
[7] 2006-02-28 . 01C3346C241652F43AED8E2149881BFE . 502272 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\winlogon.exe
[7] 2008-04-14 . 27C6D03BCDB8CFEB96B716F3D8BE3E18 . 14336 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\svchost.exe
[-] 2008-04-14 . D41D8CD98F00B204E9800998ECF8427E . 17408 . . [5.1.2600.5512] . . c:\windows\system32\svchost.exe
[7] 2006-02-28 . 8F078AE4ED187AAABC0A305146DE6716 . 14336 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\svchost.exe
[-] 2008-04-14 . 9C17D7CCA3AEE7F83E536ED68F029C27 . 1036288 . . [6.00.2900.5512] . . c:\windows\explorer.exe
[7] 2008-04-14 . 12896823FB95BFB3DC9B46BCAEDC9923 . 1033728 . . [6.00.2900.5512] . . c:\windows\ServicePackFiles\i386\explorer.exe
[7] 2006-02-28 . A0732187050030AE399B241436565E64 . 1032192 . . [6.00.2900.2180] . . c:\windows\$NtServicePackUninstall$\explorer.exe
.
((((((((((((((((((((((((((((( SnapShot_2010-02-27_18.53.21 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-03-07 20:15 . 2010-03-07 20:15 16384 c:\windows\temp\Perflib_Perfdata_5e4.dat
+ 2009-06-29 15:27 . 2008-10-16 13:09 51224 c:\windows\system32\dllcache\cache\wuauclt.exe
+ 2009-06-29 15:27 . 2008-04-14 00:12 82432 c:\windows\system32\dllcache\cache\ws2_32.dll
+ 2009-06-29 15:27 . 2008-04-14 00:12 26112 c:\windows\system32\dllcache\cache\userinit.exe
+ 2009-06-29 15:27 . 2008-04-14 00:12 14336 c:\windows\system32\dllcache\cache\svchost.exe
+ 2009-06-29 15:27 . 2008-04-14 00:12 57856 c:\windows\system32\dllcache\cache\spoolsv.exe
+ 2009-06-29 15:27 . 2008-04-14 00:12 17408 c:\windows\system32\dllcache\cache\powrprof.dll
+ 2009-06-29 15:27 . 2008-04-14 00:12 13312 c:\windows\system32\dllcache\cache\lsass.exe
+ 2009-06-29 15:27 . 2008-04-13 18:39 24576 c:\windows\system32\dllcache\cache\kbdclass.sys
+ 2009-06-29 15:27 . 2008-04-13 18:53 36608 c:\windows\system32\dllcache\cache\ip6fw.sys
+ 2009-06-29 15:27 . 2008-04-14 00:12 15360 c:\windows\system32\dllcache\cache\ctfmon.exe
- 2008-11-08 13:07 . 2010-02-26 06:08 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-11-08 13:07 . 2010-03-05 12:56 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-11-08 13:07 . 2010-03-05 12:56 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-11-08 13:07 . 2010-02-26 06:08 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-11-08 13:07 . 2010-03-05 12:56 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2008-11-08 13:07 . 2010-02-26 06:08 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2008-11-10 18:37 . 2008-11-10 18:37 24576 c:\windows\Installer\320152.msi
+ 2008-07-29 19:07 . 2008-07-29 19:07 23040 c:\windows\Installer\31027c0.msp
+ 2009-08-10 06:05 . 2009-08-10 06:05 88576 c:\windows\Installer\30a8646.msi
+ 2009-06-29 15:27 . 2008-04-14 00:12 507904 c:\windows\system32\dllcache\cache\winlogon.exe
+ 2009-06-29 15:27 . 2009-04-29 04:56 827392 c:\windows\system32\dllcache\cache\wininet.dll
+ 2009-06-29 15:27 . 2008-04-14 00:12 578560 c:\windows\system32\dllcache\cache\user32.dll
+ 2009-06-29 15:27 . 2008-04-14 00:12 295424 c:\windows\system32\dllcache\cache\termsrv.dll
+ 2009-06-29 15:27 . 2008-06-20 11:51 361600 c:\windows\system32\dllcache\cache\tcpip.sys
+ 2009-06-29 15:27 . 2009-02-06 11:11 110592 c:\windows\system32\dllcache\cache\services.exe
+ 2009-06-29 15:27 . 2008-04-13 19:20 182656 c:\windows\system32\dllcache\cache\ndis.sys
+ 2009-06-29 15:27 . 2009-03-21 14:06 989696 c:\windows\system32\dllcache\cache\kernel32.dll
+ 2009-06-29 15:27 . 2008-04-14 00:11 110080 c:\windows\system32\dllcache\cache\imm32.dll
+ 2008-11-10 14:44 . 2006-02-28 12:00 366080 c:\windows\ServicePackFiles\i386\digreqex.msi
+ 2008-11-10 14:44 . 2006-02-28 12:00 863232 c:\windows\ServicePackFiles\i386\digopt.msi
+ 2009-08-10 06:10 . 2009-08-10 06:10 652800 c:\windows\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\vs_setup.msi
+ 2009-02-12 04:17 . 2009-02-12 04:17 836096 c:\windows\Installer\9e67d12.msi
+ 2009-03-10 20:01 . 2009-03-10 20:01 407040 c:\windows\Installer\97dd6.msi
+ 2008-11-08 13:52 . 2008-11-08 13:52 337408 c:\windows\Installer\80407.msi
+ 2008-12-10 20:37 . 2008-12-10 20:37 562176 c:\windows\Installer\6163b.msi
+ 2008-12-04 20:02 . 2008-12-04 20:02 683008 c:\windows\Installer\4b506.msi
+ 2008-12-13 07:58 . 2008-12-13 07:58 754688 c:\windows\Installer\3121cf6.msp
+ 2009-08-10 06:10 . 2009-08-10 06:10 648192 c:\windows\Installer\3121cd3.msi
+ 2008-07-29 19:23 . 2008-07-29 19:23 250880 c:\windows\Installer\31027c9.msp
+ 2008-07-29 19:28 . 2008-07-29 19:28 278016 c:\windows\Installer\31027c7.msp
+ 2008-07-29 17:40 . 2008-07-29 17:40 291840 c:\windows\Installer\31027c5.msp
+ 2009-08-10 06:09 . 2009-08-10 06:09 137728 c:\windows\Installer\31027bf.msi
+ 2008-07-29 15:35 . 2008-07-29 15:35 553472 c:\windows\Installer\30a864b.msp
+ 2008-07-29 15:33 . 2008-07-29 15:33 506368 c:\windows\Installer\30a8649.msp
+ 2008-07-29 15:37 . 2008-07-29 15:37 911360 c:\windows\Installer\30a8648.msp
+ 2008-11-08 13:41 . 2008-11-08 13:41 264704 c:\windows\Installer\212152.msi
+ 2009-03-20 09:48 . 2009-03-20 09:48 183808 c:\windows\Installer\1928f434.msp
+ 2009-07-20 16:53 . 2009-07-20 16:53 484352 c:\windows\Installer\1883567.msi
+ 2010-02-09 04:32 . 2010-02-09 04:32 228352 c:\windows\Installer\1671869.msi
+ 2006-02-28 12:00 . 2006-02-28 12:00 1326080 c:\windows\system32\webfldrs.msi
+ 2009-06-29 15:27 . 2008-04-14 00:12 1614848 c:\windows\system32\dllcache\cache\sfcfiles.dll
+ 2009-06-29 15:27 . 2009-02-06 11:08 2189056 c:\windows\system32\dllcache\cache\ntoskrnl.exe
+ 2009-06-29 15:27 . 2009-02-07 17:02 2066048 c:\windows\system32\dllcache\cache\ntkrnlpa.exe
+ 2009-06-29 15:27 . 2008-04-14 00:12 1033728 c:\windows\system32\dllcache\cache\explorer.exe
+ 2008-11-10 14:45 . 2006-02-28 12:00 1326080 c:\windows\ServicePackFiles\i386\webfldrs.msi
+ 2008-11-10 14:45 . 2006-02-28 12:00 5080576 c:\windows\ServicePackFiles\i386\msnmsgs.msi
+ 2008-11-10 14:35 . 2008-11-10 14:35 2128896 c:\windows\Installer\bf6c8.msi
+ 2009-06-07 11:38 . 2009-06-07 11:38 3938816 c:\windows\Installer\61acfe.msi
+ 2010-01-18 08:28 . 2010-01-18 08:28 1565696 c:\windows\Installer\5c600.msi
+ 2008-12-13 07:57 . 2008-12-13 07:57 8397824 c:\windows\Installer\3121ce1.msp
+ 2008-07-29 17:26 . 2008-07-29 17:26 1043456 c:\windows\Installer\31027c8.msp
+ 2008-07-29 18:37 . 2008-07-29 18:37 2679808 c:\windows\Installer\31027c6.msp
+ 2008-07-29 19:15 . 2008-07-29 19:15 3697664 c:\windows\Installer\31027c4.msp
+ 2008-07-29 17:34 . 2008-07-29 17:34 1448448 c:\windows\Installer\31027c3.msp
+ 2008-07-29 18:22 . 2008-07-29 18:22 4137984 c:\windows\Installer\31027c2.msp
+ 2008-07-29 17:18 . 2008-07-29 17:18 3376640 c:\windows\Installer\31027c1.msp
+ 2008-07-29 15:45 . 2008-07-29 15:45 2543616 c:\windows\Installer\30a864f.msp
+ 2008-07-29 15:29 . 2008-07-29 15:29 2926080 c:\windows\Installer\30a864e.msp
+ 2008-07-29 15:41 . 2008-07-29 15:41 6487040 c:\windows\Installer\30a864d.msp
+ 2008-07-29 15:39 . 2008-07-29 15:39 3403264 c:\windows\Installer\30a864c.msp
+ 2008-07-29 15:43 . 2008-07-29 15:43 1013248 c:\windows\Installer\30a864a.msp
+ 2008-07-29 15:31 . 2008-07-29 15:31 6083072 c:\windows\Installer\30a8647.msp
+ 2009-05-26 10:32 . 2009-05-26 10:32 9780224 c:\windows\Installer\1b25b1.msi
+ 2009-05-26 10:25 . 2009-05-26 10:25 1383424 c:\windows\Installer\1b17ab.msi
+ 2009-07-13 16:04 . 2009-07-13 16:04 6653952 c:\windows\Installer\15e80ace.msp
+ 2009-08-05 09:24 . 2009-08-05 09:24 1697792 c:\windows\Installer\1088f132.msp
+ 2009-03-20 16:15 . 2009-03-20 16:15 14821376 c:\windows\Installer\5f1bc28.msi
+ 2008-12-13 08:21 . 2008-12-13 08:21 10473472 c:\windows\Installer\3121ceb.msp
+ 2009-08-14 19:32 . 2009-08-14 19:32 11110912 c:\windows\Installer\210d827.msp
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{399d96ca-6f9a-4fff-95fe-284e45ebb935}"= "c:\program files\RadarSync\tbRad0.dll" [2009-07-24 2215960]
[HKEY_CLASSES_ROOT\clsid\{399d96ca-6f9a-4fff-95fe-284e45ebb935}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{399d96ca-6f9a-4fff-95fe-284e45ebb935}]
2009-07-24 06:11 2215960 ----a-w- c:\program files\RadarSync\tbRad0.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{399d96ca-6f9a-4fff-95fe-284e45ebb935}"= "c:\program files\RadarSync\tbRad0.dll" [2009-07-24 2215960]
[HKEY_CLASSES_ROOT\clsid\{399d96ca-6f9a-4fff-95fe-284e45ebb935}]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{399D96CA-6F9A-4FFF-95FE-284E45EBB935}"= "c:\program files\RadarSync\tbRad0.dll" [2009-07-24 2215960]
[HKEY_CLASSES_ROOT\clsid\{399d96ca-6f9a-4fff-95fe-284e45ebb935}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-10-09 25623336]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"djj"="c:\windows\system32\djj.exe \u" [X]
"eabconfg.cpl"="c:\program files\HPQ\Quick Launch Buttons\EabServr.exe" [2010-03-07 40448]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2010-03-07 40448]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2010-03-07 40448]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-03-07 40448]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-03-07 40448]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2010-03-07 40448]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-03-07 40448]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
AirLive 802.11G Wireless Utility.lnk - c:\program files\OVISLINK\Common\AirliveUI.exe [2008-11-16 1290240]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"aWPvmnXphxpKAs"= {2CBE601E-8614-CAB4-107F-149C5FF532E1} - c:\windows\system32\gca.dll [2009-03-21 32768]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"JavaQuickStarterService"=2 (0x2)
"hpqwmi"=3 (0x3)
"avg8wd"=2 (0x2)
"avg8emc"=2 (0x2)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\FlashGet\\flashget.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Documents and Settings\\User\\temp\\TeamViewer\\Version5\\TeamViewer.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\WINDOWS\\system32\\djj.exe"=
"c:\\Documents and Settings\\User\\dlvs.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
S2 postgresql-8.4;PostgreSQL Server 8.4;C:/Program Files/PostgreSQL/8.4/bin/pg_ctl.exe runservice -N "postgresql-8.4" -D "C:/Program Files/PostgreSQL/8.4/data" -w --> C:/Program Files/PostgreSQL/8.4/bin/pg_ctl.exe runservice -N postgresql-8.4 [?]
S3 TVICHW32;TVICHW32;c:\windows\system32\drivers\TVICHW32.SYS [24. 5. 2009 6:35 23600]
.
.
------- Supplementary Scan -------
.
IE: &Download All with FlashGet - c:\program files\FlashGet\jc_all.htm
IE: &Download with FlashGet - c:\program files\FlashGet\jc_link.htm
FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\13knlli7.default\
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-07 21:35
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\postgresql-8.4]
"ImagePath"="C:/Program Files/PostgreSQL/8.4/bin/pg_ctl.exe runservice -N \"postgresql-8.4\" -D \"C:/Program Files/PostgreSQL/8.4/data\" -w"
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\postgresql-8.4]
"ImagePath"="C:/Program Files/PostgreSQL/8.4/bin/pg_ctl.exe runservice -N \"postgresql-8.4\" -D \"C:/Program Files/PostgreSQL/8.4/data\" -w"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\software\Microsoft\Cryptography\RNG*]
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(632)
c:\windows\system32\WININET.dll
- - - - - - - > 'lsass.exe'(696)
c:\windows\system32\WININET.dll
.
Completion time: 2010-03-07 21:37:45
ComboFix-quarantined-files.txt 2010-03-07 20:37
ComboFix2.txt 2010-02-27 18:55
ComboFix3.txt 2009-06-29 15:28
Pre-Run: 14 374 166 528 bytes free
Post-Run: 14 350 266 368 bytes free
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /noexecute=optin
- - End Of File - - 0604A0BB746B26B3CB8C9B535510DD4D
- Caroprd111
- VIP
- Posts: 13492
- Registered: 22 Mar 2009 20:48
- Location: Třebíč
Re: please check my log, I'm sure there's something there

- Open Notepad and copy the text from the white box into it.
RenV::
c:\program files\Adobe\Reader 9.0\Reader\reader_sl .exe
c:\program files\Common Files\Adobe\Updater6\adobe_updater .exe
c:\program files\HPQ\Quick Launch Buttons\eabservr .exe
c:\program files\Java\jre6\bin\jusched .exe
c:\program files\Skype\Phone\skype .exe
c:\program files\Synaptics\SynTP\syntpenh .exe
c:\program files\Synaptics\SynTP\syntplpr .exe
File::
c:\windows\system32\djj.exe
c:\program files\autorunsc.exe
c:\program files\autoruns.exe
c:\program files\autoruns.chm
c:\Documents and Settings\User\dlvs.exe
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"djj"=-
"SunJavaUpdateSched"=-
RegLock::
[HKEY_LOCAL_MACHINE\software\Microsoft\Cryptography\RNG*]
Restore::
c:\windows\system32\lsass.exe
c:\windows\system32\services.exe
c:\windows\system32\spoolsv.exe
c:\windows\system32\winlogon.exe
c:\windows\system32\svchost.exe
c:\windows\explorer.exe
- Save the TXT file you created as CFScript.txt on the Desktop
- After saving, grab the script you created with the left mouse button and drag it onto the ComboFix icon, then drop it:
- After it runs, another log will pop up; paste it here
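Every line of the script above can be traced to evidence in the logs themselves: Sigcheck entries whose live copy in system32 does not match the reference copy of the same file version (that is the Restore:: list), autostart targets from unrelated vendors that are all exactly 40448 bytes and all dated the same day (the impostors), files with a space before .exe (the displaced originals that RenV:: moves back into place), and a hidden executable dropped into the profile root. The block below is an added example, my own code and not ComboFix's or the helper's: it parses lines copied from the ComboFix logs in this thread (seven Sigcheck lines, five HKLM Run values, three " .exe" paths and four Find3M lines) and rebuilds those decisions, ending in a CFScript-shaped text. One detail worth knowing while reading the Sigcheck section: D41D8CD98F00B204E9800998ECF8427E, the hash shown for the infected lsass.exe and services.exe, is the MD5 of zero bytes, so the tool read nothing from those files and the restore decision rests on the size and version mismatch, not on the hash. The three-directory threshold for the size cluster, the choice to put cluster-sized files that have no " .exe" partner in the excerpt under File:: rather than RenV::, and the Find3M excerpt itself are my assumptions; whether such a file still has a displaced original on disk is something to verify on the machine.

```python
# Triage of the ComboFix excerpts in this thread, rebuilt as code.  Added example, not
# ComboFix's code and not the helper's: the input strings are lines copied from the logs above.
import hashlib
import re
from collections import defaultdict

EMPTY_MD5 = hashlib.md5(b"").hexdigest().upper()   # hash of zero bytes: nothing was read
LIVE_DIRS = {r"c:\windows", r"c:\windows\system32"}  # where the running copies live
SIGCHECK = r"""
[7] 2008-04-14 . BF2466B3E18E970D8A976FB95FC1CA85 . 13312 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\lsass.exe
[-] 2008-04-14 . D41D8CD98F00B204E9800998ECF8427E . 14848 . . [5.1.2600.5512] . . c:\windows\system32\lsass.exe
[-] 2009-02-06 . D41D8CD98F00B204E9800998ECF8427E . 113152 . . [5.1.2600.5755] . . c:\windows\system32\services.exe
[7] 2009-02-06 . 020CEAAEDC8EB655B6506B8C70D53BB6 . 110592 . . [5.1.2600.5755] . . c:\windows\$hf_mig$\KB956572\SP3QFE\services.exe
[7] 2008-04-14 . 0E776ED5F7CC9F94299E70461B7B8185 . 108544 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\services.exe
[-] 2008-04-14 . 9C17D7CCA3AEE7F83E536ED68F029C27 . 1036288 . . [6.00.2900.5512] . . c:\windows\explorer.exe
[7] 2008-04-14 . 12896823FB95BFB3DC9B46BCAEDC9923 . 1033728 . . [6.00.2900.5512] . . c:\windows\ServicePackFiles\i386\explorer.exe
"""
RUN_KEYS = r"""
"djj"="c:\windows\system32\djj.exe \u" [X]
"eabconfg.cpl"="c:\program files\HPQ\Quick Launch Buttons\EabServr.exe" [2010-03-07 40448]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-03-07 40448]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-03-07 40448]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2010-03-07 40448]
"""
SPACED = r"""
c:\program files\Adobe\Reader 9.0\Reader\reader_sl .exe
c:\program files\HPQ\Quick Launch Buttons\eabservr .exe
c:\program files\Java\jre6\bin\jusched .exe
"""
FIND3M = r"""
2010-03-07 20:28 . 2010-01-17 14:35 40448 ----a-w- c:\windows\system32\djj.exe
2010-01-17 14:34 . 2010-01-17 14:35 58368 ---h--w- c:\documents and settings\User\dlvs.exe
2010-02-20 21:41 . 2010-03-07 20:16 40448 ----a-w- c:\windows\system32\hkcmd.exe
2010-01-05 10:00 . 2006-02-28 12:00 832512 ----a-w- c:\windows\system32\wininet.dll
"""
SIG_RE = re.compile(r"^\[[^\]]*\]\s+\S+\s+\.\s+([0-9A-F]{32})\s+\.\s+(\d+)\s+\.\s+\.\s+\[([^\]]+)\]\s+\.\s+\.\s+(.+?)\s*$")
RUN_RE = re.compile(r'^"([^"]+)"="([^"]*?\.exe)[^"]*"\s+\[(\S+?)(?:\s+(\d+))?\]', re.I)  # "[X]" -> no size
F3M_RE = re.compile(r"^\S+ \S+\s+\.\s+\S+ \S+\s+(\d+|-+)\s+(\S{8})\s+(.+?)\s*$")
def parent(p): return p.rsplit("\\", 1)[0].lower()
def basename(p): return p.rsplit("\\", 1)[-1].lower()
def parse_sigcheck(text):
    return [dict(md5=m[1], size=int(m[2]), ver=m[3], path=m[4])
            for m in map(SIG_RE.match, text.splitlines()) if m]
def parse_run(text):  # -> (value name, target .exe, date, size or None)
    return [(m[1], m[2], m[3], int(m[4]) if m[4] else None)
            for m in map(RUN_RE.match, text.splitlines()) if m]

def restore_plan(sig_rows):
    """Live copy whose MD5 differs from every reference copy of the same file version:
    restore it from the first such reference (the second log shows the tool doing this)."""
    plan = {}
    for live in [r for r in sig_rows if parent(r["path"]) in LIVE_DIRS]:
        refs = [r for r in sig_rows if parent(r["path"]) not in LIVE_DIRS
                and basename(r["path"]) == basename(live["path"]) and r["ver"] == live["ver"]]
        if refs and all(r["md5"] != live["md5"] for r in refs):
            plan[live["path"]] = refs[0]["path"]
    return plan

def impostor_cluster(run_entries, min_dirs=3):
    """Autostart targets sharing one exact size and date across >= min_dirs unrelated
    directories were written by a single dropper.  Returns (size, [paths])."""
    groups = defaultdict(list)
    for _, target, date, size in run_entries:
        if size is not None:
            groups[(date, size)].append(target)
    (_, size), paths = max(groups.items(), key=lambda kv: len(kv[1]))
    return (size, paths) if len({parent(p) for p in paths}) >= min_dirs else (None, [])

def renamed_originals(text):
    """'name .exe' is the displaced original; 'name.exe' beside it is the impostor."""
    return [(p, p[:-5] + ".exe") for p in map(str.strip, text.splitlines())
            if p.lower().endswith(" .exe")]

def loose_payloads(text, sig_size, renv_pairs):
    """Cluster-sized files with no displaced original to hand the path back to, plus
    hidden executables dropped in a profile root: candidates for File::."""
    restorable = {imp.lower() for _, imp in renv_pairs}
    out = []
    for m in filter(None, map(F3M_RE.match, text.splitlines())):
        size, attr, path = (int(m[1]) if m[1].isdigit() else None), m[2], m[3].lower()
        if (size == sig_size and path not in restorable) or ("h" in attr and path.endswith(".exe") and "\\documents and settings\\" in path):
            out.append(m[3])
    return out

def build_cfscript(renv_pairs, files, run_entries, restore):
    """Run values whose target is being deleted are removed together with the file."""
    doomed = {f.lower() for f in files}
    values = [name for name, target, _, _ in run_entries if target.lower() in doomed]
    lines = ["RenV::", *(orig for orig, _ in renv_pairs), "File::", *files, "Registry::",
             r"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]",
             *(f'"{v}"=-' for v in values), "Restore::", *restore]
    return "\n".join(lines) + "\n"

def triage():
    sig, runs = parse_sigcheck(SIGCHECK), parse_run(RUN_KEYS)
    size, cluster = impostor_cluster(runs)
    renv = renamed_originals(SPACED)
    files = loose_payloads(FIND3M, size, renv)
    restore = restore_plan(sig)
    return dict(cluster=cluster, renv=renv, files=files, restore=restore,
                cfscript=build_cfscript(renv, files, runs, list(restore)))
if __name__ == "__main__":
    print(triage()["cfscript"])
```

Run it and the printed text has the same sections as the helper's script, built from the excerpt alone; because the Find3M excerpt is four lines, system32\igfxtray.exe shows up in the size cluster but not under File::. The point of the exercise is the evidence chain, not the output: each File:: path still gets checked by hand before a script like this is dropped on ComboFix.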
Re: please check my log, I'm sure there's something there
ComboFix 10-03-07.02 - User . 03. 2010 22:10:11.5.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1250.421.1033.18.734.430 [GMT 1:00]
Running from: c:\documents and settings\User\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\User\Desktop\CFScript.txt
FILE ::
"c:\documents and settings\User\dlvs.exe"
"c:\program files\autoruns.exe"
"c:\program files\autoruns.chm"
"c:\program files\autorunsc.exe"
"c:\windows\system32\djj.exe"
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\User\dlvs.exe
c:\program files\autoruns.exe
c:\program files\autoruns.chm
c:\program files\autorunsc.exe
c:\windows\system32\djj.exe
Infected copy of c:\windows\explorer.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\explorer.exe
Infected copy of c:\windows\system32\lsass.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\lsass.exe
Infected copy of c:\windows\system32\services.exe was found and disinfected
Restored copy from - c:\windows\$hf_mig$\KB956572\SP3QFE\services.exe
Infected copy of c:\windows\system32\spoolsv.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\spoolsv.exe
Infected copy of c:\windows\system32\svchost.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\svchost.exe
Infected copy of c:\windows\system32\winlogon.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\winlogon.exe
.
((((((((((((((((((((((((( Files Created from 2010-02-07 to 2010-03-07 )))))))))))))))))))))))))))))))
.
2010-03-07 20:31 . 2010-03-07 20:31 4 ----a-w- c:\program files\953881.dat
2010-03-07 20:28 . 2010-03-07 20:28 4 ----a-w- c:\program files\757709.dat
2010-03-07 18:17 . 2010-03-07 18:17 4 ----a-w- c:\program files\14715770.dat
2010-02-27 18:35 . 2010-02-27 18:35 -------- d-----w- C:\_OTM
2010-02-27 18:29 . 2010-03-07 21:15 40448 ----a-w- c:\windows\system32\igfxtray.exe
2010-02-27 18:29 . 2010-03-07 20:28 40448 ----a-w- c:\windows\system32\igfxtray .exe
2010-02-27 18:28 . 2010-02-27 18:28 4 ----a-w- c:\program files\130786430.dat
2010-02-27 14:47 . 2010-02-27 14:47 -------- d-----w- C:\rsit
2010-02-26 06:07 . 2010-02-26 06:07 4 ----a-w- c:\program files\462598391.dat
2010-02-20 21:41 . 2010-03-07 21:15 40448 ----a-w- c:\windows\system32\hkcmd.exe
2010-02-09 04:38 . 2010-02-09 04:38 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\XHEO INC
2010-02-09 04:32 . 2010-02-09 04:37 -------- d-----w- C:\PSQLINSTALL
2010-02-09 04:32 . 2010-02-09 04:32 -------- d-----w- c:\program files\RVG Software
2010-02-09 03:51 . 2010-02-09 03:55 -------- d-----w- C:\Lestatos hands
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-07 21:16 . 2010-01-18 08:28 -------- d-----w- c:\documents and settings\User\Application Data\Skype
2010-03-07 20:16 . 2010-02-20 21:41 40448 ----a-w- c:\windows\system32\hkcmd .exe
2010-03-07 20:16 . 2009-06-28 08:16 -------- d-----w- c:\program files\Trend Micro
2010-03-07 18:25 . 2009-07-26 05:13 -------- d-----w- c:\program files\PokerStars
2010-03-07 18:18 . 2008-11-10 15:13 -------- d-----w- c:\documents and settings\User\Application Data\skypePM
2010-03-07 12:43 . 2008-11-08 14:13 1 ----a-w- c:\documents and settings\User\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-03-06 22:44 . 2010-02-03 16:22 -------- d-----w- c:\program files\Full Tilt Poker
2010-03-04 16:49 . 2008-09-06 16:23 -------- d-----w- c:\program files\FlashGet
2010-02-24 18:32 . 2009-04-21 07:54 -------- d-----w- c:\documents and settings\User\Application Data\dvdcss
2010-02-09 04:33 . 2010-02-08 03:15 -------- d-----w- c:\program files\PostgreSQL
2010-02-09 04:29 . 2008-08-25 14:27 -------- d-----w- c:\program files\Instal
2010-02-05 15:30 . 2010-02-05 15:30 4 ----a-w- c:\program files\55993814.dat
2010-02-01 15:50 . 2010-02-01 15:50 79488 ----a-w- c:\documents and settings\User\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-01-29 11:36 . 2010-01-29 11:36 4 ----a-w- c:\program files\245954854.dat
2010-01-18 08:28 . 2008-09-05 10:44 -------- d-----r- c:\program files\Skype
2010-01-18 08:28 . 2008-11-10 15:11 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Skype
2010-01-15 19:44 . 2008-09-05 10:44 -------- d-----w- c:\program files\Common Files\Skype
2010-01-14 08:13 . 2010-01-14 08:13 -------- d-----w- c:\documents and settings\User\Application Data\TeamViewer
2010-01-12 12:59 . 2009-07-16 05:59 -------- d-----w- c:\program files\Ashampoo
2010-01-05 10:00 . 2006-02-28 12:00 832512 ------w- c:\windows\system32\wininet.dll
2010-01-05 10:00 . 2008-11-12 02:22 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-05 10:00 . 2008-11-12 02:21 17408 ----a-w- c:\windows\system32\corpol.dll
2009-12-31 16:50 . 2008-11-12 02:20 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-16 18:43 . 2008-11-12 02:21 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:08 . 2008-11-12 02:20 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-08 19:27 . 2008-11-12 02:20 2189184 ------w- c:\windows\system32\ntoskrnl.exe
2009-12-08 18:43 . 2008-11-12 02:20 2066048 ------w- c:\windows\system32\ntkrnlpa.exe
2009-06-30 08:29 . 2009-06-30 08:29 308160 ----a-w- c:\program files\avast_home_setup.exe
2009-06-28 08:16 . 2009-06-28 08:16 812344 ----a-w- c:\program files\HJTInstall.exe
2009-06-28 08:09 . 2009-05-26 06:01 31863808 ----a-w- c:\program files\eav_nt32_csy.msi
2009-06-11 06:53 . 2009-06-11 06:53 84 ----a-w- c:\program files\b3348.ram
2009-06-09 14:20 . 2009-06-09 14:14 21646127 ----a-w- c:\program files\scribus-1.3.3.13-win32-install.exe
2009-06-09 12:51 . 2009-06-09 12:49 3371384 ----a-w- c:\program files\mbam-setup.exe
2009-06-09 11:40 . 2009-06-09 11:34 21135160 ----a-w- c:\program files\scribus-1.3.3.13-os2-20090501.zip
2009-06-09 11:34 . 2009-06-09 11:29 11909804 ----a-w- c:\program files\scribus-1.3.3.13.7z
2009-06-07 11:30 . 2009-06-07 11:29 17900221 ----a-w- c:\program files\0108.pdf
2009-06-07 10:24 . 2009-06-07 10:24 1815369 ----a-w- c:\program files\gbgallerylitesetup.exe
2009-05-26 06:42 . 2009-05-26 06:41 1880289 ----a-w- c:\program files\radarsync.exe
2009-05-24 09:16 . 2009-05-24 09:10 12743232 ----a-w- c:\program files\WinMPG_VideoConvert_Setup-20016.exe
2009-05-24 05:35 . 2009-05-24 05:35 453824 ----a-w- c:\program files\driveragent_488.exe
2009-05-19 12:26 . 2009-05-19 12:24 10143072 ----a-w- c:\program files\AbsolutePoker8_7_6.exe
2009-05-18 15:11 . 2009-05-18 15:09 10770432 ----a-w- c:\program files\LogMeIn.msi
2006-07-28 06:32 . 2009-06-29 17:57 7005 ------w- c:\program files\Eula.txt
.
------- Sigcheck -------
[-] 2008-04-14 . D41D8CD98F00B204E9800998ECF8427E . 1033728 . . [6.00.2900.5512] . . c:\windows\explorer.exe
[7] 2008-04-14 . 12896823FB95BFB3DC9B46BCAEDC9923 . 1033728 . . [6.00.2900.5512] . . c:\windows\ServicePackFiles\i386\explorer.exe
[7] 2006-02-28 . A0732187050030AE399B241436565E64 . 1032192 . . [6.00.2900.2180] . . c:\windows\$NtServicePackUninstall$\explorer.exe
.
((((((((((((((((((((((((((((( SnapShot_2010-03-07_20.35.48 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-03-07 21:14 . 2010-03-07 21:14 16384 c:\windows\temp\Perflib_Perfdata_564.dat
+ 2008-11-12 02:21 . 2008-04-14 00:12 14336 c:\windows\system32\svchost.exe
+ 2008-11-12 02:21 . 2008-04-14 00:12 57856 c:\windows\system32\spoolsv.exe
+ 2008-11-12 02:21 . 2008-04-14 00:12 13312 c:\windows\system32\lsass.exe
+ 2008-11-12 02:20 . 2008-04-14 00:12 507904 c:\windows\system32\winlogon.exe
+ 2008-11-12 02:20 . 2009-02-06 11:06 110592 c:\windows\system32\services.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{399d96ca-6f9a-4fff-95fe-284e45ebb935}"= "c:\program files\RadarSync\tbRad0.dll" [2009-07-24 2215960]
[HKEY_CLASSES_ROOT\clsid\{399d96ca-6f9a-4fff-95fe-284e45ebb935}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{399d96ca-6f9a-4fff-95fe-284e45ebb935}]
2009-07-24 06:11 2215960 ----a-w- c:\program files\RadarSync\tbRad0.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{399d96ca-6f9a-4fff-95fe-284e45ebb935}"= "c:\program files\RadarSync\tbRad0.dll" [2009-07-24 2215960]
[HKEY_CLASSES_ROOT\clsid\{399d96ca-6f9a-4fff-95fe-284e45ebb935}]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{399D96CA-6F9A-4FFF-95FE-284E45EBB935}"= "c:\program files\RadarSync\tbRad0.dll" [2009-07-24 2215960]
[HKEY_CLASSES_ROOT\clsid\{399d96ca-6f9a-4fff-95fe-284e45ebb935}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-10-09 25623336]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"eabconfg.cpl"="c:\program files\HPQ\Quick Launch Buttons\EabServr.exe" [2010-03-07 40448]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2010-03-07 40448]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2010-03-07 40448]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-03-07 40448]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-03-07 40448]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-03-07 40448]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
AirLive 802.11G Wireless Utility.lnk - c:\program files\OVISLINK\Common\AirliveUI.exe [2008-11-16 1290240]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"aWPvmnXphxpKAs"= {2CBE601E-8614-CAB4-107F-149C5FF532E1} - c:\windows\system32\gca.dll [2009-03-21 32768]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"JavaQuickStarterService"=2 (0x2)
"hpqwmi"=3 (0x3)
"avg8wd"=2 (0x2)
"avg8emc"=2 (0x2)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\FlashGet\\flashget.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Documents and Settings\\User\\temp\\TeamViewer\\Version5\\TeamViewer.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
R2 postgresql-8.4;PostgreSQL Server 8.4;C:/Program Files/PostgreSQL/8.4/bin/pg_ctl.exe runservice -N "postgresql-8.4" -D "C:/Program Files/PostgreSQL/8.4/data" -w --> C:/Program Files/PostgreSQL/8.4/bin/pg_ctl.exe runservice -N postgresql-8.4 [?]
S3 TVICHW32;TVICHW32;c:\windows\system32\drivers\TVICHW32.SYS [24. 5. 2009 6:35 23600]
.
.
------- Supplementary Scan -------
.
IE: &Download All with FlashGet - c:\program files\FlashGet\jc_all.htm
IE: &Download with FlashGet - c:\program files\FlashGet\jc_link.htm
FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\13knlli7.default\
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-07 22:15
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
c:\windows\system32\hkcmd .exe 40448 bytes executable
scan completed successfully
hidden files: 1
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\postgresql-8.4]
"ImagePath"="C:/Program Files/PostgreSQL/8.4/bin/pg_ctl.exe runservice -N \"postgresql-8.4\" -D \"C:/Program Files/PostgreSQL/8.4/data\" -w"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\software\Microsoft\Cryptography\RNG*]
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'explorer.exe'(3720)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\PostgreSQL\8.4\bin\pg_ctl.exe
c:\program files\PostgreSQL\8.4\bin\postgres.exe
c:\program files\PostgreSQL\8.4\bin\postgres.exe
c:\program files\PostgreSQL\8.4\bin\postgres.exe
c:\program files\PostgreSQL\8.4\bin\postgres.exe
c:\program files\PostgreSQL\8.4\bin\postgres.exe
c:\windows\system32\wscntfy.exe
c:\program files\internet explorer\wmpscfgs.exe
c:\program files\internet explorer\wmpscfgs.exe
c:\program files\Skype\Plugin Manager\skypePM.exe
.
**************************************************************************
.
Completion time: 2010-03-07 22:20:04 - machine was rebooted
ComboFix-quarantined-files.txt 2010-03-07 21:20
ComboFix2.txt 2010-03-07 20:37
ComboFix3.txt 2010-02-27 18:55
ComboFix4.txt 2009-06-29 15:28
Pre-Run: 14 366 040 064 bytes free
Post-Run: 14 305 497 088 bytes free
- - End Of File - - 87C8593C8B19585E979147F735F7D723
Microsoft Windows XP Home Edition 5.1.2600.3.1250.421.1033.18.734.430 [GMT 1:00]
Running from: c:\documents and settings\User\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\User\Desktop\CFScript.txt
FILE ::
"c:\documents and settings\User\dlvs.exe"
"c:\program files\autoruns.exe"
"c:\program files\autoruns.chm"
"c:\program files\autorunsc.exe"
"c:\windows\system32\djj.exe"
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\User\dlvs.exe
c:\program files\autoruns.exe
c:\program files\autoruns.chm
c:\program files\autorunsc.exe
c:\windows\system32\djj.exe
Infected copy of c:\windows\explorer.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\explorer.exe
Infected copy of c:\windows\system32\lsass.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\lsass.exe
Infected copy of c:\windows\system32\services.exe was found and disinfected
Restored copy from - c:\windows\$hf_mig$\KB956572\SP3QFE\services.exe
Infected copy of c:\windows\system32\spoolsv.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\spoolsv.exe
Infected copy of c:\windows\system32\svchost.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\svchost.exe
Infected copy of c:\windows\system32\winlogon.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\winlogon.exe
.
((((((((((((((((((((((((( Files Created from 2010-02-07 to 2010-03-07 )))))))))))))))))))))))))))))))
.
2010-03-07 20:31 . 2010-03-07 20:31 4 ----a-w- c:\program files\953881.dat
2010-03-07 20:28 . 2010-03-07 20:28 4 ----a-w- c:\program files\757709.dat
2010-03-07 18:17 . 2010-03-07 18:17 4 ----a-w- c:\program files\14715770.dat
2010-02-27 18:35 . 2010-02-27 18:35 -------- d-----w- C:\_OTM
2010-02-27 18:29 . 2010-03-07 21:15 40448 ----a-w- c:\windows\system32\igfxtray.exe
2010-02-27 18:29 . 2010-03-07 20:28 40448 ----a-w- c:\windows\system32\igfxtray .exe
2010-02-27 18:28 . 2010-02-27 18:28 4 ----a-w- c:\program files\130786430.dat
2010-02-27 14:47 . 2010-02-27 14:47 -------- d-----w- C:\rsit
2010-02-26 06:07 . 2010-02-26 06:07 4 ----a-w- c:\program files\462598391.dat
2010-02-20 21:41 . 2010-03-07 21:15 40448 ----a-w- c:\windows\system32\hkcmd.exe
2010-02-09 04:38 . 2010-02-09 04:38 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\XHEO INC
2010-02-09 04:32 . 2010-02-09 04:37 -------- d-----w- C:\PSQLINSTALL
2010-02-09 04:32 . 2010-02-09 04:32 -------- d-----w- c:\program files\RVG Software
2010-02-09 03:51 . 2010-02-09 03:55 -------- d-----w- C:\Lestatos hands
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-07 21:16 . 2010-01-18 08:28 -------- d-----w- c:\documents and settings\User\Application Data\Skype
2010-03-07 20:16 . 2010-02-20 21:41 40448 ----a-w- c:\windows\system32\hkcmd .exe
2010-03-07 20:16 . 2009-06-28 08:16 -------- d-----w- c:\program files\Trend Micro
2010-03-07 18:25 . 2009-07-26 05:13 -------- d-----w- c:\program files\PokerStars
2010-03-07 18:18 . 2008-11-10 15:13 -------- d-----w- c:\documents and settings\User\Application Data\skypePM
2010-03-07 12:43 . 2008-11-08 14:13 1 ----a-w- c:\documents and settings\User\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-03-06 22:44 . 2010-02-03 16:22 -------- d-----w- c:\program files\Full Tilt Poker
2010-03-04 16:49 . 2008-09-06 16:23 -------- d-----w- c:\program files\FlashGet
2010-02-24 18:32 . 2009-04-21 07:54 -------- d-----w- c:\documents and settings\User\Application Data\dvdcss
2010-02-09 04:33 . 2010-02-08 03:15 -------- d-----w- c:\program files\PostgreSQL
2010-02-09 04:29 . 2008-08-25 14:27 -------- d-----w- c:\program files\Instal
2010-02-05 15:30 . 2010-02-05 15:30 4 ----a-w- c:\program files\55993814.dat
2010-02-01 15:50 . 2010-02-01 15:50 79488 ----a-w- c:\documents and settings\User\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-01-29 11:36 . 2010-01-29 11:36 4 ----a-w- c:\program files\245954854.dat
2010-01-18 08:28 . 2008-09-05 10:44 -------- d-----r- c:\program files\Skype
2010-01-18 08:28 . 2008-11-10 15:11 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Skype
2010-01-15 19:44 . 2008-09-05 10:44 -------- d-----w- c:\program files\Common Files\Skype
2010-01-14 08:13 . 2010-01-14 08:13 -------- d-----w- c:\documents and settings\User\Application Data\TeamViewer
2010-01-12 12:59 . 2009-07-16 05:59 -------- d-----w- c:\program files\Ashampoo
2010-01-05 10:00 . 2006-02-28 12:00 832512 ------w- c:\windows\system32\wininet.dll
2010-01-05 10:00 . 2008-11-12 02:22 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-05 10:00 . 2008-11-12 02:21 17408 ----a-w- c:\windows\system32\corpol.dll
2009-12-31 16:50 . 2008-11-12 02:20 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-16 18:43 . 2008-11-12 02:21 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:08 . 2008-11-12 02:20 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-08 19:27 . 2008-11-12 02:20 2189184 ------w- c:\windows\system32\ntoskrnl.exe
.
Code:
c:\program files\Adobe\Reader 9.0\Reader\reader_sl .exe
c:\program files\HPQ\Quick Launch Buttons\eabservr .exe
c:\program files\Skype\Phone\skype .exe
c:\program files\Synaptics\SynTP\syntpenh .exe
c:\program files\Synaptics\SynTP\syntplpr .exe
c:\windows\system32\hkcmd .exe
c:\windows\system32\igfxtray .exe
- Caroprd111
- VIP
- Posts: 13492
- Registered: 22 Mar 2009 20:48
- Location: Třebíč
Re: please check my log, I'm sure there's something in it

- Open Notepad and copy the text from the white box into it.
Code:
RenV::
c:\program files\Adobe\Reader 9.0\Reader\reader_sl .exe
c:\program files\HPQ\Quick Launch Buttons\eabservr .exe
c:\program files\Skype\Phone\skype .exe
c:\program files\Synaptics\SynTP\syntpenh .exe
c:\program files\Synaptics\SynTP\syntplpr .exe
c:\windows\system32\hkcmd .exe
c:\windows\system32\igfxtray .exe
FCopy::
c:\windows\$NtServicePackUninstall$\explorer.exe | c:\windows\explorer.exe
RegLock::
[HKEY_LOCAL_MACHINE\software\Microsoft\Cryptography\RNG*]
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"aWPvmnXphxpKAs"=-
File::
c:\windows\system32\gca.dll
- Save the TXT file you created as CFScript.txt on the Desktop
- Once saved, drag the script you created with the left mouse button onto the ComboFix icon and drop it there:
- After it runs, another log will appear; post it here
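The list that the RenV:: directive above renames back can be read off the log mechanically, and the same three symptoms recur in this thread: every HKLM Run entry points at a file of 40448 bytes dated the day of the scan although the entries belong to unrelated vendors, the genuine programs survive as "name .exe" twins (space before the extension; catchme reports one of them as hidden), and the Sigcheck row for explorer.exe is marked [-] with an MD5 of D41D8CD98F00B204E9800998ECF8427E, which is the MD5 of zero bytes, so nothing was actually hashed and the matching size and version next to it prove nothing. The following Python script is an added example, not part of the original post and not ComboFix's own code: it runs these checks over lines copied from the log above (embedded as a constructed sample) and prints the RenV:: block. The heuristics, the group threshold and the function names are the editor's assumptions, not a documented ComboFix feature.

```python
# Added example (editor's, not ComboFix's and not from the original post):
# read the autostart-hijack pattern off a ComboFix log and emit RenV::.
import hashlib
import re
from collections import defaultdict

# Constructed sample: lines copied from the ComboFix log posted above.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"eabconfg.cpl"="c:\program files\HPQ\Quick Launch Buttons\EabServr.exe" [2010-03-07 40448]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2010-03-07 40448]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2010-03-07 40448]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-03-07 40448]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-03-07 40448]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-03-07 40448]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
2010-02-27 18:29 . 2010-03-07 20:28 40448 ----a-w- c:\windows\system32\igfxtray .exe
c:\windows\system32\hkcmd .exe 40448 bytes executable
c:\program files\Adobe\Reader 9.0\Reader\reader_sl .exe
c:\program files\HPQ\Quick Launch Buttons\eabservr .exe
c:\program files\Skype\Phone\skype .exe
c:\program files\Synaptics\SynTP\syntpenh .exe
c:\program files\Synaptics\SynTP\syntplpr .exe
[-] 2008-04-14 . D41D8CD98F00B204E9800998ECF8427E . 1033728 . . [6.00.2900.5512] . . c:\windows\explorer.exe
[7] 2008-04-14 . 12896823FB95BFB3DC9B46BCAEDC9923 . 1033728 . . [6.00.2900.5512] . . c:\windows\ServicePackFiles\i386\explorer.exe
"""

# "name"="path" [YYYY-MM-DD size] as printed under Reg Loading Points.
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)" \[(?P<date>\d{4}-\d{2}-\d{2}) (?P<size>\d+)\]$')
# A path whose extension is preceded by a space, e.g. "hkcmd .exe".
TWIN_RE = re.compile(r'(?P<path>[a-z]:\\.*? \.exe)\b', re.IGNORECASE)
# Sigcheck row: [flag] date . MD5 . size . . [version] . . path
SIG_RE = re.compile(r'^\[(?P<flag>[^\]]*)\] \S+ \. (?P<md5>[0-9a-f]{32}) \. (?P<size>\d+) .*? (?P<path>[a-z]:\\.*)$', re.IGNORECASE)

EMPTY_MD5 = hashlib.md5(b"").hexdigest().upper()  # MD5 of zero bytes


def parse_run_entries(lines):
    """(name, path, date, size) for every Run entry in the log lines."""
    return [(m['name'], m['path'], m['date'], int(m['size']))
            for m in map(RUN_RE.match, lines) if m]


def cloned_autostarts(entries, min_group=3):
    """Run entries sharing one (date, size) while pointing at several different
    directories: one payload has been copied over every autostart target.
    Returns {(date, size): [paths]} for groups of at least min_group entries."""
    groups = defaultdict(list)
    for _name, path, date, size in entries:
        groups[(date, size)].append(path)
    return {key: paths for key, paths in groups.items()
            if len(paths) >= min_group
            and len({p.rsplit('\\', 1)[0].lower() for p in paths}) > 1}


def renamed_originals(lines):
    """'name .exe' paths (where the real program was parked), de-duplicated
    case-insensitively and sorted like the CFScript list in this thread."""
    found = {}
    for line in lines:
        for m in TWIN_RE.finditer(line):
            found.setdefault(m['path'].lower(), m['path'])
    return sorted(found.values(), key=str.lower)


def unreadable_sigcheck(lines):
    """Sigcheck rows that verify nothing: flagged [-], or an MD5 equal to
    md5('') because zero bytes were read (file hidden or locked)."""
    return [m['path'] for m in map(SIG_RE.match, lines)
            if m and (m['flag'] == '-' or m['md5'].upper() == EMPTY_MD5)]


def renv_block(paths):
    """CFScript RenV:: directive: rename each 'name .exe' back into place."""
    return "RenV::\n" + "\n".join(paths) + "\n"


def analyse(text):
    lines = text.splitlines()
    return {
        "cloned_autostarts": cloned_autostarts(parse_run_entries(lines)),
        "renamed_originals": renamed_originals(lines),
        "unreadable_sigcheck": unreadable_sigcheck(lines),
    }


if __name__ == "__main__":
    report = analyse(SAMPLE_LOG)
    for (date, size), paths in report["cloned_autostarts"].items():
        print(f"{len(paths)} Run entries share date {date} and size {size}:")
        for p in paths:
            print("   ", p)
    print("unverifiable in Sigcheck:", report["unreadable_sigcheck"])
    print(renv_block(report["renamed_originals"]))
```

On the embedded sample the script groups the six 40448-byte Run entries, lists explorer.exe as unverifiable, and prints exactly the seven-line RenV:: block used in the CFScript above; pass the text of another saved ComboFix log to analyse() to apply the same checks to it. The md5('') check carries over to any hash-listing tool: a size and version number printed next to an empty-input hash is not evidence that the file is clean.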
Re: please check my log, I'm sure there's something in it
ComboFix 10-03-07.04 - User . 03. 2010 6:49.6.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1250.421.1033.18.734.265 [GMT 1:00]
Running from: c:\documents and settings\User\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\User\Desktop\CFScript.txt
FILE ::
"c:\windows\system32\gca.dll"
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\program files\Internet Explorer\wmpscfgs.exe
c:\windows\system32\gca.dll
.
--------------- FCopy ---------------
c:\windows\$NtServicePackUninstall$\explorer.exe --> c:\windows\explorer.exe
.
((((((((((((((((((((((((( Files Created from 2010-02-08 to 2010-03-08 )))))))))))))))))))))))))))))))
.
2010-03-08 05:49 . 2010-03-08 05:49 4 ----a-w- c:\program files\30880974.dat
2010-03-07 20:31 . 2010-03-07 20:31 4 ----a-w- c:\program files\953881.dat
2010-03-07 20:28 . 2010-03-07 20:28 4 ----a-w- c:\program files\757709.dat
2010-03-07 18:17 . 2010-03-07 18:17 4 ----a-w- c:\program files\14715770.dat
2010-02-27 18:35 . 2010-02-27 18:35 -------- d-----w- C:\_OTM
2010-02-27 18:29 . 2010-03-08 05:58 40448 ----a-w- c:\windows\system32\igfxtray.exe
2010-02-27 18:28 . 2010-02-27 18:28 4 ----a-w- c:\program files\130786430.dat
2010-02-27 14:47 . 2010-02-27 14:47 -------- d-----w- C:\rsit
2010-02-26 06:07 . 2010-02-26 06:07 4 ----a-w- c:\program files\462598391.dat
2010-02-20 21:41 . 2010-03-08 05:57 40448 ----a-w- c:\windows\system32\hkcmd.exe
2010-02-20 21:41 . 2010-03-07 20:16 40448 ----a-w- c:\windows\system32\hkcmd .exe
2010-02-09 04:38 . 2010-02-09 04:38 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\XHEO INC
2010-02-09 04:32 . 2010-02-09 04:37 -------- d-----w- C:\PSQLINSTALL
2010-02-09 04:32 . 2010-02-09 04:32 -------- d-----w- c:\program files\RVG Software
2010-02-09 03:51 . 2010-02-09 03:55 -------- d-----w- C:\Lestatos hands
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-08 05:59 . 2010-01-18 08:28 -------- d-----w- c:\documents and settings\User\Application Data\Skype
2010-03-07 23:05 . 2008-11-10 15:13 -------- d-----w- c:\documents and settings\User\Application Data\skypePM
2010-03-07 21:26 . 2009-07-26 05:13 -------- d-----w- c:\program files\PokerStars
2010-03-07 20:28 . 2010-02-27 18:29 40448 ----a-w- c:\windows\system32\igfxtray .exe
2010-03-07 20:16 . 2009-06-28 08:16 -------- d-----w- c:\program files\Trend Micro
2010-03-07 12:43 . 2008-11-08 14:13 1 ----a-w- c:\documents and settings\User\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-03-06 22:44 . 2010-02-03 16:22 -------- d-----w- c:\program files\Full Tilt Poker
2010-03-04 16:49 . 2008-09-06 16:23 -------- d-----w- c:\program files\FlashGet
2010-02-24 18:32 . 2009-04-21 07:54 -------- d-----w- c:\documents and settings\User\Application Data\dvdcss
2010-02-09 04:33 . 2010-02-08 03:15 -------- d-----w- c:\program files\PostgreSQL
2010-02-09 04:29 . 2008-08-25 14:27 -------- d-----w- c:\program files\Instal
2010-02-05 15:30 . 2010-02-05 15:30 4 ----a-w- c:\program files\55993814.dat
2010-02-01 15:50 . 2010-02-01 15:50 79488 ----a-w- c:\documents and settings\User\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-01-29 11:36 . 2010-01-29 11:36 4 ----a-w- c:\program files\245954854.dat
2010-01-18 08:28 . 2008-09-05 10:44 -------- d-----r- c:\program files\Skype
2010-01-18 08:28 . 2008-11-10 15:11 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Skype
2010-01-15 19:44 . 2008-09-05 10:44 -------- d-----w- c:\program files\Common Files\Skype
2010-01-14 08:13 . 2010-01-14 08:13 -------- d-----w- c:\documents and settings\User\Application Data\TeamViewer
2010-01-12 12:59 . 2009-07-16 05:59 -------- d-----w- c:\program files\Ashampoo
2010-01-05 10:00 . 2006-02-28 12:00 832512 ------w- c:\windows\system32\wininet.dll
2010-01-05 10:00 . 2008-11-12 02:22 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-05 10:00 . 2008-11-12 02:21 17408 ----a-w- c:\windows\system32\corpol.dll
2009-12-31 16:50 . 2008-11-12 02:20 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-16 18:43 . 2008-11-12 02:21 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:08 . 2008-11-12 02:20 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-08 19:27 . 2008-11-12 02:20 2189184 ------w- c:\windows\system32\ntoskrnl.exe
2009-12-08 18:43 . 2008-11-12 02:20 2066048 ------w- c:\windows\system32\ntkrnlpa.exe
2009-06-30 08:29 . 2009-06-30 08:29 308160 ----a-w- c:\program files\avast_home_setup.exe
2009-06-28 08:16 . 2009-06-28 08:16 812344 ----a-w- c:\program files\HJTInstall.exe
2009-06-28 08:09 . 2009-05-26 06:01 31863808 ----a-w- c:\program files\eav_nt32_csy.msi
2009-06-11 06:53 . 2009-06-11 06:53 84 ----a-w- c:\program files\b3348.ram
2009-06-09 14:20 . 2009-06-09 14:14 21646127 ----a-w- c:\program files\scribus-1.3.3.13-win32-install.exe
2009-06-09 12:51 . 2009-06-09 12:49 3371384 ----a-w- c:\program files\mbam-setup.exe
2009-06-09 11:40 . 2009-06-09 11:34 21135160 ----a-w- c:\program files\scribus-1.3.3.13-os2-20090501.zip
2009-06-09 11:34 . 2009-06-09 11:29 11909804 ----a-w- c:\program files\scribus-1.3.3.13.7z
2009-06-07 11:30 . 2009-06-07 11:29 17900221 ----a-w- c:\program files\0108.pdf
2009-06-07 10:24 . 2009-06-07 10:24 1815369 ----a-w- c:\program files\gbgallerylitesetup.exe
2009-05-26 06:42 . 2009-05-26 06:41 1880289 ----a-w- c:\program files\radarsync.exe
2009-05-24 09:16 . 2009-05-24 09:10 12743232 ----a-w- c:\program files\WinMPG_VideoConvert_Setup-20016.exe
2009-05-24 05:35 . 2009-05-24 05:35 453824 ----a-w- c:\program files\driveragent_488.exe
2009-05-19 12:26 . 2009-05-19 12:24 10143072 ----a-w- c:\program files\AbsolutePoker8_7_6.exe
2009-05-18 15:11 . 2009-05-18 15:09 10770432 ----a-w- c:\program files\LogMeIn.msi
2006-07-28 06:32 . 2009-06-29 17:57 7005 ------w- c:\program files\Eula.txt
.
((((((((((((((((((((((((((((( SnapShot_2010-03-07_20.35.48 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-03-08 05:57 . 2010-03-08 05:57 16384 c:\windows\temp\Perflib_Perfdata_594.dat
+ 2008-11-12 02:21 . 2008-04-14 00:12 14336 c:\windows\system32\svchost.exe
+ 2008-11-12 02:21 . 2008-04-14 00:12 57856 c:\windows\system32\spoolsv.exe
+ 2008-11-12 02:21 . 2008-04-14 00:12 13312 c:\windows\system32\lsass.exe
+ 2008-11-12 02:20 . 2008-04-14 00:12 507904 c:\windows\system32\winlogon.exe
+ 2008-11-12 02:20 . 2009-02-06 11:06 110592 c:\windows\system32\services.exe
+ 2008-11-12 02:21 . 2006-02-28 12:00 1032192 c:\windows\system32\dllcache\explorer.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{399d96ca-6f9a-4fff-95fe-284e45ebb935}"= "c:\program files\RadarSync\tbRad0.dll" [2009-07-24 2215960]
[HKEY_CLASSES_ROOT\clsid\{399d96ca-6f9a-4fff-95fe-284e45ebb935}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{399d96ca-6f9a-4fff-95fe-284e45ebb935}]
2009-07-24 06:11 2215960 ----a-w- c:\program files\RadarSync\tbRad0.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{399d96ca-6f9a-4fff-95fe-284e45ebb935}"= "c:\program files\RadarSync\tbRad0.dll" [2009-07-24 2215960]
[HKEY_CLASSES_ROOT\clsid\{399d96ca-6f9a-4fff-95fe-284e45ebb935}]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{399D96CA-6F9A-4FFF-95FE-284E45EBB935}"= "c:\program files\RadarSync\tbRad0.dll" [2009-07-24 2215960]
[HKEY_CLASSES_ROOT\clsid\{399d96ca-6f9a-4fff-95fe-284e45ebb935}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-10-09 25623336]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"eabconfg.cpl"="c:\program files\HPQ\Quick Launch Buttons\EabServr.exe" [2010-03-08 40448]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2010-03-08 40448]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2010-03-08 40448]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-03-08 40448]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-03-08 40448]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-03-08 40448]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
AirLive 802.11G Wireless Utility.lnk - c:\program files\OVISLINK\Common\AirliveUI.exe [2008-11-16 1290240]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"JavaQuickStarterService"=2 (0x2)
"hpqwmi"=3 (0x3)
"avg8wd"=2 (0x2)
"avg8emc"=2 (0x2)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\FlashGet\\flashget.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Documents and Settings\\User\\temp\\TeamViewer\\Version5\\TeamViewer.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
R2 postgresql-8.4;PostgreSQL Server 8.4;C:/Program Files/PostgreSQL/8.4/bin/pg_ctl.exe runservice -N "postgresql-8.4" -D "C:/Program Files/PostgreSQL/8.4/data" -w --> C:/Program Files/PostgreSQL/8.4/bin/pg_ctl.exe runservice -N postgresql-8.4 [?]
S3 TVICHW32;TVICHW32;c:\windows\system32\drivers\TVICHW32.SYS [24. 5. 2009 6:35 23600]
.
.
------- Supplementary Scan -------
.
IE: &Download All with FlashGet - c:\program files\FlashGet\jc_all.htm
IE: &Download with FlashGet - c:\program files\FlashGet\jc_link.htm
FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\13knlli7.default\
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-08 06:57
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
c:\windows\system32\igfxtray .exe 40448 bytes executable
scan completed successfully
hidden files: 1
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\postgresql-8.4]
"ImagePath"="C:/Program Files/PostgreSQL/8.4/bin/pg_ctl.exe runservice -N \"postgresql-8.4\" -D \"C:/Program Files/PostgreSQL/8.4/data\" -w"
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\postgresql-8.4]
"ImagePath"="C:/Program Files/PostgreSQL/8.4/bin/pg_ctl.exe runservice -N \"postgresql-8.4\" -D \"C:/Program Files/PostgreSQL/8.4/data\" -w"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\software\Microsoft\Cryptography\RNG*]
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'explorer.exe'(2060)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\PostgreSQL\8.4\bin\pg_ctl.exe
c:\program files\PostgreSQL\8.4\bin\postgres.exe
c:\program files\PostgreSQL\8.4\bin\postgres.exe
c:\program files\PostgreSQL\8.4\bin\postgres.exe
c:\program files\PostgreSQL\8.4\bin\postgres.exe
c:\program files\PostgreSQL\8.4\bin\postgres.exe
c:\windows\system32\wscntfy.exe
c:\program files\internet explorer\wmpscfgs.exe
c:\program files\internet explorer\wmpscfgs.exe
c:\program files\Skype\Plugin Manager\skypePM.exe
.
**************************************************************************
.
Completion time: 2010-03-08 07:03:06 - machine was rebooted
ComboFix-quarantined-files.txt 2010-03-08 06:03
ComboFix2.txt 2010-03-07 21:20
ComboFix3.txt 2010-03-07 20:37
ComboFix4.txt 2010-02-27 18:55
ComboFix5.txt 2010-03-08 05:49
Pre-Run: 14 280 146 944 bytes free
Post-Run: 14 220 877 824 bytes free
- - End Of File - - E9FB9323CCE395A440B1D2EF10C68E83
- Caroprd111
- VIP
- Posts: 13492
- Registered: 22 Mar 2009 20:48
- Location: Třebíč
Re: please check my log, I'm sure there's something in there
After this step it will be necessary to reinstall some drivers and programs (touchpad, graphics card, Skype, Adobe Reader, etc.)
If you haven't already, move ComboFix to the desktop

- Open Notepad and copy the text from the white box into it.
File::
c:\program files\Adobe\Reader 9.0\Reader\reader_sl .exe
c:\program files\HPQ\Quick Launch Buttons\eabservr .exe
c:\program files\Skype\Phone\skype .exe
c:\program files\Synaptics\SynTP\syntpenh .exe
c:\program files\Synaptics\SynTP\syntplpr .exe
c:\windows\system32\hkcmd .exe
c:\windows\system32\igfxtray .exe
- Save the TXT file you created as CFScript.txt on the desktop
- After saving, grab the script you created with the left mouse button and drag it onto the ComboFix icon, then drop it there:
- After it runs, another log will pop up; paste it here
Re: please check my log, I'm sure there's something in there
ComboFix 10-03-08.01 - User . 03. 2010 6:43.7.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1250.421.1033.18.734.381 [GMT 1:00]
Running from: c:\documents and settings\User\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\User\Desktop\CFScript.txt
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\program files\Internet Explorer\wmpscfgs.exe
c:\windows\system32\hkcmd .exe
c:\windows\system32\igfxtray .exe
.
((((((((((((((((((((((((( Files Created from 2010-02-09 to 2010-03-09 )))))))))))))))))))))))))))))))
.
2010-03-09 05:43 . 2010-03-09 05:43 4 ----a-w- c:\program files\39018445.dat
2010-03-08 05:49 . 2010-03-08 05:49 4 ----a-w- c:\program files\30880974.dat
2010-03-07 20:31 . 2010-03-07 20:31 4 ----a-w- c:\program files\953881.dat
2010-03-07 20:28 . 2010-03-07 20:28 4 ----a-w- c:\program files\757709.dat
2010-03-07 18:17 . 2010-03-07 18:17 4 ----a-w- c:\program files\14715770.dat
2010-02-27 18:35 . 2010-02-27 18:35 -------- d-----w- C:\_OTM
2010-02-27 18:29 . 2010-03-08 18:53 40448 ----a-w- c:\windows\system32\igfxtray.exe
2010-02-27 18:28 . 2010-02-27 18:28 4 ----a-w- c:\program files\130786430.dat
2010-02-27 14:47 . 2010-02-27 14:47 -------- d-----w- C:\rsit
2010-02-26 06:07 . 2010-02-26 06:07 4 ----a-w- c:\program files\462598391.dat
2010-02-20 21:41 . 2010-03-08 18:53 40448 ----a-w- c:\windows\system32\hkcmd.exe
2010-02-09 04:38 . 2010-02-09 04:38 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\XHEO INC
2010-02-09 04:32 . 2010-02-09 04:37 -------- d-----w- C:\PSQLINSTALL
2010-02-09 04:32 . 2010-02-09 04:32 -------- d-----w- c:\program files\RVG Software
2010-02-09 03:51 . 2010-02-09 03:55 -------- d-----w- C:\Lestatos hands
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-09 05:41 . 2008-09-06 16:23 -------- d-----w- c:\program files\FlashGet
2010-03-08 19:53 . 2010-01-18 08:28 -------- d-----w- c:\documents and settings\User\Application Data\Skype
2010-03-08 15:04 . 2008-11-10 15:13 -------- d-----w- c:\documents and settings\User\Application Data\skypePM
2010-03-08 14:02 . 2009-07-26 05:13 -------- d-----w- c:\program files\PokerStars
2010-03-07 20:16 . 2009-06-28 08:16 -------- d-----w- c:\program files\Trend Micro
2010-03-07 12:43 . 2008-11-08 14:13 1 ----a-w- c:\documents and settings\User\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-03-06 22:44 . 2010-02-03 16:22 -------- d-----w- c:\program files\Full Tilt Poker
2010-02-24 18:32 . 2009-04-21 07:54 -------- d-----w- c:\documents and settings\User\Application Data\dvdcss
2010-02-09 04:33 . 2010-02-08 03:15 -------- d-----w- c:\program files\PostgreSQL
2010-02-09 04:29 . 2008-08-25 14:27 -------- d-----w- c:\program files\Instal
2010-02-05 15:30 . 2010-02-05 15:30 4 ----a-w- c:\program files\55993814.dat
2010-02-01 15:50 . 2010-02-01 15:50 79488 ----a-w- c:\documents and settings\User\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-01-29 11:36 . 2010-01-29 11:36 4 ----a-w- c:\program files\245954854.dat
2010-01-18 08:28 . 2008-09-05 10:44 -------- d-----r- c:\program files\Skype
2010-01-18 08:28 . 2008-11-10 15:11 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Skype
2010-01-15 19:44 . 2008-09-05 10:44 -------- d-----w- c:\program files\Common Files\Skype
2010-01-14 08:13 . 2010-01-14 08:13 -------- d-----w- c:\documents and settings\User\Application Data\TeamViewer
2010-01-12 12:59 . 2009-07-16 05:59 -------- d-----w- c:\program files\Ashampoo
2010-01-05 10:00 . 2006-02-28 12:00 832512 ------w- c:\windows\system32\wininet.dll
2010-01-05 10:00 . 2008-11-12 02:22 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-05 10:00 . 2008-11-12 02:21 17408 ----a-w- c:\windows\system32\corpol.dll
2009-12-31 16:50 . 2008-11-12 02:20 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-16 18:43 . 2008-11-12 02:21 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:08 . 2008-11-12 02:20 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-06-30 08:29 . 2009-06-30 08:29 308160 ----a-w- c:\program files\avast_home_setup.exe
2009-06-28 08:16 . 2009-06-28 08:16 812344 ----a-w- c:\program files\HJTInstall.exe
2009-06-28 08:09 . 2009-05-26 06:01 31863808 ----a-w- c:\program files\eav_nt32_csy.msi
2009-06-11 06:53 . 2009-06-11 06:53 84 ----a-w- c:\program files\b3348.ram
2009-06-09 14:20 . 2009-06-09 14:14 21646127 ----a-w- c:\program files\scribus-1.3.3.13-win32-install.exe
2009-06-09 12:51 . 2009-06-09 12:49 3371384 ----a-w- c:\program files\mbam-setup.exe
2009-06-09 11:40 . 2009-06-09 11:34 21135160 ----a-w- c:\program files\scribus-1.3.3.13-os2-20090501.zip
2009-06-09 11:34 . 2009-06-09 11:29 11909804 ----a-w- c:\program files\scribus-1.3.3.13.7z
2009-06-07 11:30 . 2009-06-07 11:29 17900221 ----a-w- c:\program files\0108.pdf
2009-06-07 10:24 . 2009-06-07 10:24 1815369 ----a-w- c:\program files\gbgallerylitesetup.exe
2009-05-26 06:42 . 2009-05-26 06:41 1880289 ----a-w- c:\program files\radarsync.exe
2009-05-24 09:16 . 2009-05-24 09:10 12743232 ----a-w- c:\program files\WinMPG_VideoConvert_Setup-20016.exe
2009-05-24 05:35 . 2009-05-24 05:35 453824 ----a-w- c:\program files\driveragent_488.exe
2009-05-19 12:26 . 2009-05-19 12:24 10143072 ----a-w- c:\program files\AbsolutePoker8_7_6.exe
2009-05-18 15:11 . 2009-05-18 15:09 10770432 ----a-w- c:\program files\LogMeIn.msi
2006-07-28 06:32 . 2009-06-29 17:57 7005 ------w- c:\program files\Eula.txt
.
((((((((((((((((((((((((((((( SnapShot_2010-03-07_20.35.48 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-03-08 18:53 . 2010-03-08 18:53 16384 c:\windows\temp\Perflib_Perfdata_574.dat
+ 2008-11-12 02:21 . 2008-04-14 00:12 14336 c:\windows\system32\svchost.exe
+ 2008-11-12 02:21 . 2008-04-14 00:12 57856 c:\windows\system32\spoolsv.exe
+ 2008-11-12 02:21 . 2008-04-14 00:12 13312 c:\windows\system32\lsass.exe
+ 2008-11-12 02:20 . 2008-04-14 00:12 507904 c:\windows\system32\winlogon.exe
+ 2008-11-12 02:20 . 2009-02-06 11:06 110592 c:\windows\system32\services.exe
+ 2008-11-12 02:21 . 2006-02-28 12:00 1032192 c:\windows\system32\dllcache\explorer.exe
+ 2008-11-12 02:21 . 2006-02-28 12:00 1032192 c:\windows\explorer.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{399d96ca-6f9a-4fff-95fe-284e45ebb935}"= "c:\program files\RadarSync\tbRad0.dll" [2009-07-24 2215960]
[HKEY_CLASSES_ROOT\clsid\{399d96ca-6f9a-4fff-95fe-284e45ebb935}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{399d96ca-6f9a-4fff-95fe-284e45ebb935}]
2009-07-24 06:11 2215960 ----a-w- c:\program files\RadarSync\tbRad0.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{399d96ca-6f9a-4fff-95fe-284e45ebb935}"= "c:\program files\RadarSync\tbRad0.dll" [2009-07-24 2215960]
[HKEY_CLASSES_ROOT\clsid\{399d96ca-6f9a-4fff-95fe-284e45ebb935}]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{399D96CA-6F9A-4FFF-95FE-284E45EBB935}"= "c:\program files\RadarSync\tbRad0.dll" [2009-07-24 2215960]
[HKEY_CLASSES_ROOT\clsid\{399d96ca-6f9a-4fff-95fe-284e45ebb935}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-10-09 25623336]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"eabconfg.cpl"="c:\program files\HPQ\Quick Launch Buttons\EabServr.exe" [2010-03-08 40448]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2010-03-08 40448]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2010-03-08 40448]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-03-08 40448]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-03-08 40448]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-03-08 40448]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
AirLive 802.11G Wireless Utility.lnk - c:\program files\OVISLINK\Common\AirliveUI.exe [2008-11-16 1290240]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"JavaQuickStarterService"=2 (0x2)
"hpqwmi"=3 (0x3)
"avg8wd"=2 (0x2)
"avg8emc"=2 (0x2)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\FlashGet\\flashget.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Documents and Settings\\User\\temp\\TeamViewer\\Version5\\TeamViewer.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
S2 postgresql-8.4;PostgreSQL Server 8.4;C:/Program Files/PostgreSQL/8.4/bin/pg_ctl.exe runservice -N "postgresql-8.4" -D "C:/Program Files/PostgreSQL/8.4/data" -w --> C:/Program Files/PostgreSQL/8.4/bin/pg_ctl.exe runservice -N postgresql-8.4 [?]
S3 TVICHW32;TVICHW32;c:\windows\system32\drivers\TVICHW32.SYS [24. 5. 2009 6:35 23600]
.
.
------- Supplementary Scan -------
.
IE: &Download All with FlashGet - c:\program files\FlashGet\jc_all.htm
IE: &Download with FlashGet - c:\program files\FlashGet\jc_link.htm
FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\13knlli7.default\
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-09 06:50
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\postgresql-8.4]
"ImagePath"="C:/Program Files/PostgreSQL/8.4/bin/pg_ctl.exe runservice -N \"postgresql-8.4\" -D \"C:/Program Files/PostgreSQL/8.4/data\" -w"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\software\Microsoft\Cryptography\RNG*]
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(632)
c:\windows\system32\igfxsrvc.dll
c:\windows\system32\hccutils.DLL
.
Completion time: 2010-03-09 06:52:08
ComboFix-quarantined-files.txt 2010-03-09 05:51
ComboFix2.txt 2010-03-08 06:03
ComboFix3.txt 2010-03-07 21:20
ComboFix4.txt 2010-03-07 20:37
ComboFix5.txt 2010-03-09 05:42
Pre-Run: 14 236 790 784 bytes free
Post-Run: 14 206 496 768 bytes free
- - End Of File - - 0DA9B1811CF32150103C18D18C8440E3
c:\program files\Adobe\Reader 9.0\Reader\reader_sl .exe
c:\program files\HPQ\Quick Launch Buttons\eabservr .exe
c:\program files\Skype\Phone\skype .exe
c:\program files\Synaptics\SynTP\syntpenh .exe
c:\program files\Synaptics\SynTP\syntplpr .exe
Re: please check my log, I'm sure there is something in it
ComboFix 10-03-08.01 - User . 03. 2010 6:43.7.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1250.421.1033.18.734.381 [GMT 1:00]
Running from: c:\documents and settings\User\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\User\Desktop\CFScript.txt
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\program files\Internet Explorer\wmpscfgs.exe
c:\windows\system32\hkcmd .exe
c:\windows\system32\igfxtray .exe
.
((((((((((((((((((((((((( Files Created from 2010-02-09 to 2010-03-09 )))))))))))))))))))))))))))))))
.
2010-03-09 05:43 . 2010-03-09 05:43 4 ----a-w- c:\program files\39018445.dat
2010-03-08 05:49 . 2010-03-08 05:49 4 ----a-w- c:\program files\30880974.dat
2010-03-07 20:31 . 2010-03-07 20:31 4 ----a-w- c:\program files\953881.dat
2010-03-07 20:28 . 2010-03-07 20:28 4 ----a-w- c:\program files\757709.dat
2010-03-07 18:17 . 2010-03-07 18:17 4 ----a-w- c:\program files\14715770.dat
2010-02-27 18:35 . 2010-02-27 18:35 -------- d-----w- C:\_OTM
2010-02-27 18:29 . 2010-03-08 18:53 40448 ----a-w- c:\windows\system32\igfxtray.exe
2010-02-27 18:28 . 2010-02-27 18:28 4 ----a-w- c:\program files\130786430.dat
2010-02-27 14:47 . 2010-02-27 14:47 -------- d-----w- C:\rsit
2010-02-26 06:07 . 2010-02-26 06:07 4 ----a-w- c:\program files\462598391.dat
2010-02-20 21:41 . 2010-03-08 18:53 40448 ----a-w- c:\windows\system32\hkcmd.exe
2010-02-09 04:38 . 2010-02-09 04:38 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\XHEO INC
2010-02-09 04:32 . 2010-02-09 04:37 -------- d-----w- C:\PSQLINSTALL
2010-02-09 04:32 . 2010-02-09 04:32 -------- d-----w- c:\program files\RVG Software
2010-02-09 03:51 . 2010-02-09 03:55 -------- d-----w- C:\Lestatos hands
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-09 05:41 . 2008-09-06 16:23 -------- d-----w- c:\program files\FlashGet
2010-03-08 19:53 . 2010-01-18 08:28 -------- d-----w- c:\documents and settings\User\Application Data\Skype
2010-03-08 15:04 . 2008-11-10 15:13 -------- d-----w- c:\documents and settings\User\Application Data\skypePM
2010-03-08 14:02 . 2009-07-26 05:13 -------- d-----w- c:\program files\PokerStars
2010-03-07 20:16 . 2009-06-28 08:16 -------- d-----w- c:\program files\Trend Micro
2010-03-07 12:43 . 2008-11-08 14:13 1 ----a-w- c:\documents and settings\User\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-03-06 22:44 . 2010-02-03 16:22 -------- d-----w- c:\program files\Full Tilt Poker
2010-02-24 18:32 . 2009-04-21 07:54 -------- d-----w- c:\documents and settings\User\Application Data\dvdcss
2010-02-09 04:33 . 2010-02-08 03:15 -------- d-----w- c:\program files\PostgreSQL
2010-02-09 04:29 . 2008-08-25 14:27 -------- d-----w- c:\program files\Instal
2010-02-05 15:30 . 2010-02-05 15:30 4 ----a-w- c:\program files\55993814.dat
2010-02-01 15:50 . 2010-02-01 15:50 79488 ----a-w- c:\documents and settings\User\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-01-29 11:36 . 2010-01-29 11:36 4 ----a-w- c:\program files\245954854.dat
2010-01-18 08:28 . 2008-09-05 10:44 -------- d-----r- c:\program files\Skype
2010-01-18 08:28 . 2008-11-10 15:11 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Skype
2010-01-15 19:44 . 2008-09-05 10:44 -------- d-----w- c:\program files\Common Files\Skype
2010-01-14 08:13 . 2010-01-14 08:13 -------- d-----w- c:\documents and settings\User\Application Data\TeamViewer
2010-01-12 12:59 . 2009-07-16 05:59 -------- d-----w- c:\program files\Ashampoo
2010-01-05 10:00 . 2006-02-28 12:00 832512 ------w- c:\windows\system32\wininet.dll
2010-01-05 10:00 . 2008-11-12 02:22 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-05 10:00 . 2008-11-12 02:21 17408 ----a-w- c:\windows\system32\corpol.dll
2009-12-31 16:50 . 2008-11-12 02:20 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-16 18:43 . 2008-11-12 02:21 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:08 . 2008-11-12 02:20 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-06-30 08:29 . 2009-06-30 08:29 308160 ----a-w- c:\program files\avast_home_setup.exe
2009-06-28 08:16 . 2009-06-28 08:16 812344 ----a-w- c:\program files\HJTInstall.exe
2009-06-28 08:09 . 2009-05-26 06:01 31863808 ----a-w- c:\program files\eav_nt32_csy.msi
2009-06-11 06:53 . 2009-06-11 06:53 84 ----a-w- c:\program files\b3348.ram
2009-06-09 14:20 . 2009-06-09 14:14 21646127 ----a-w- c:\program files\scribus-1.3.3.13-win32-install.exe
2009-06-09 12:51 . 2009-06-09 12:49 3371384 ----a-w- c:\program files\mbam-setup.exe
2009-06-09 11:40 . 2009-06-09 11:34 21135160 ----a-w- c:\program files\scribus-1.3.3.13-os2-20090501.zip
2009-06-09 11:34 . 2009-06-09 11:29 11909804 ----a-w- c:\program files\scribus-1.3.3.13.7z
2009-06-07 11:30 . 2009-06-07 11:29 17900221 ----a-w- c:\program files\0108.pdf
2009-06-07 10:24 . 2009-06-07 10:24 1815369 ----a-w- c:\program files\gbgallerylitesetup.exe
2009-05-26 06:42 . 2009-05-26 06:41 1880289 ----a-w- c:\program files\radarsync.exe
2009-05-24 09:16 . 2009-05-24 09:10 12743232 ----a-w- c:\program files\WinMPG_VideoConvert_Setup-20016.exe
2009-05-24 05:35 . 2009-05-24 05:35 453824 ----a-w- c:\program files\driveragent_488.exe
2009-05-19 12:26 . 2009-05-19 12:24 10143072 ----a-w- c:\program files\AbsolutePoker8_7_6.exe
2009-05-18 15:11 . 2009-05-18 15:09 10770432 ----a-w- c:\program files\LogMeIn.msi
2006-07-28 06:32 . 2009-06-29 17:57 7005 ------w- c:\program files\Eula.txt
.
((((((((((((((((((((((((((((( SnapShot_2010-03-07_20.35.48 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-03-08 18:53 . 2010-03-08 18:53 16384 c:\windows\temp\Perflib_Perfdata_574.dat
+ 2008-11-12 02:21 . 2008-04-14 00:12 14336 c:\windows\system32\svchost.exe
+ 2008-11-12 02:21 . 2008-04-14 00:12 57856 c:\windows\system32\spoolsv.exe
+ 2008-11-12 02:21 . 2008-04-14 00:12 13312 c:\windows\system32\lsass.exe
+ 2008-11-12 02:20 . 2008-04-14 00:12 507904 c:\windows\system32\winlogon.exe
+ 2008-11-12 02:20 . 2009-02-06 11:06 110592 c:\windows\system32\services.exe
+ 2008-11-12 02:21 . 2006-02-28 12:00 1032192 c:\windows\system32\dllcache\explorer.exe
+ 2008-11-12 02:21 . 2006-02-28 12:00 1032192 c:\windows\explorer.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{399d96ca-6f9a-4fff-95fe-284e45ebb935}"= "c:\program files\RadarSync\tbRad0.dll" [2009-07-24 2215960]
[HKEY_CLASSES_ROOT\clsid\{399d96ca-6f9a-4fff-95fe-284e45ebb935}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{399d96ca-6f9a-4fff-95fe-284e45ebb935}]
2009-07-24 06:11 2215960 ----a-w- c:\program files\RadarSync\tbRad0.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{399d96ca-6f9a-4fff-95fe-284e45ebb935}"= "c:\program files\RadarSync\tbRad0.dll" [2009-07-24 2215960]
[HKEY_CLASSES_ROOT\clsid\{399d96ca-6f9a-4fff-95fe-284e45ebb935}]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{399D96CA-6F9A-4FFF-95FE-284E45EBB935}"= "c:\program files\RadarSync\tbRad0.dll" [2009-07-24 2215960]
[HKEY_CLASSES_ROOT\clsid\{399d96ca-6f9a-4fff-95fe-284e45ebb935}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-10-09 25623336]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"eabconfg.cpl"="c:\program files\HPQ\Quick Launch Buttons\EabServr.exe" [2010-03-08 40448]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2010-03-08 40448]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2010-03-08 40448]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-03-08 40448]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-03-08 40448]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-03-08 40448]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
AirLive 802.11G Wireless Utility.lnk - c:\program files\OVISLINK\Common\AirliveUI.exe [2008-11-16 1290240]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"JavaQuickStarterService"=2 (0x2)
"hpqwmi"=3 (0x3)
"avg8wd"=2 (0x2)
"avg8emc"=2 (0x2)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\FlashGet\\flashget.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Documents and Settings\\User\\temp\\TeamViewer\\Version5\\TeamViewer.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
S2 postgresql-8.4;PostgreSQL Server 8.4;C:/Program Files/PostgreSQL/8.4/bin/pg_ctl.exe runservice -N "postgresql-8.4" -D "C:/Program Files/PostgreSQL/8.4/data" -w --> C:/Program Files/PostgreSQL/8.4/bin/pg_ctl.exe runservice -N postgresql-8.4 [?]
S3 TVICHW32;TVICHW32;c:\windows\system32\drivers\TVICHW32.SYS [24. 5. 2009 6:35 23600]
.
.
------- Supplementary Scan -------
.
IE: &Download All with FlashGet - c:\program files\FlashGet\jc_all.htm
IE: &Download with FlashGet - c:\program files\FlashGet\jc_link.htm
FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\13knlli7.default\
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-09 06:50
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\postgresql-8.4]
"ImagePath"="C:/Program Files/PostgreSQL/8.4/bin/pg_ctl.exe runservice -N \"postgresql-8.4\" -D \"C:/Program Files/PostgreSQL/8.4/data\" -w"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\software\Microsoft\Cryptography\RNG*]
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(632)
c:\windows\system32\igfxsrvc.dll
c:\windows\system32\hccutils.DLL
.
Completion time: 2010-03-09 06:52:08
ComboFix-quarantined-files.txt 2010-03-09 05:51
ComboFix2.txt 2010-03-08 06:03
ComboFix3.txt 2010-03-07 21:20
ComboFix4.txt 2010-03-07 20:37
ComboFix5.txt 2010-03-09 05:42
Pre-Run: 14 236 790 784 bytes free
Post-Run: 14 206 496 768 bytes free
- - End Of File - - 0DA9B1811CF32150103C18D18C8440E3
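The log above can be read by eye, but the same four tells recur in logs of this kind, so here is an added example (my own script, not part of the post and not ComboFix code) that parses an excerpt of the lines posted above and flags them: Run-key entries whose target files share one date and one size (every HKLM Run entry here is 40448 bytes and stamped 2010-03-08, across five vendors' directories), file names with a space before the extension ("hkcmd .exe"), the standard-profile firewall reported as EnableFirewall=0, and small numeric-named .dat files in Program Files. SAMPLE_LOG is copied from the post; the function names, the three-entry threshold and the 16-byte size cut-off are this example's own assumptions, and a hit is a reason to look closer, not a verdict.

```python
"""Triage checks for a ComboFix log excerpt.
Added example, not code from the forum post or from ComboFix. Each check
takes the log text and returns what it flagged; SAMPLE_LOG is an excerpt
copied from the post so the script runs offline."""
import re
from collections import defaultdict

# Raw string on purpose: a path such as c:\program files\39018445.dat holds
# backslash-digit sequences that a normal literal would read as octal escapes.
SAMPLE_LOG = r"""
c:\program files\Internet Explorer\wmpscfgs.exe
c:\windows\system32\hkcmd .exe
c:\windows\system32\igfxtray .exe
2010-03-09 05:43 . 2010-03-09 05:43 4 ----a-w- c:\program files\39018445.dat
2010-03-08 05:49 . 2010-03-08 05:49 4 ----a-w- c:\program files\30880974.dat
2010-02-27 18:35 . 2010-02-27 18:35 -------- d-----w- C:\_OTM
2010-02-27 18:29 . 2010-03-08 18:53 40448 ----a-w- c:\windows\system32\igfxtray.exe
2010-02-20 21:41 . 2010-03-08 18:53 40448 ----a-w- c:\windows\system32\hkcmd.exe
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-10-09 25623336]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"eabconfg.cpl"="c:\program files\HPQ\Quick Launch Buttons\EabServr.exe" [2010-03-08 40448]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2010-03-08 40448]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2010-03-08 40448]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-03-08 40448]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-03-08 40448]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-03-08 40448]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

RUN_ENTRY = re.compile(
    r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)" \[(?P<date>\d{4}-\d{2}-\d{2}) (?P<size>\d+)\]$')
FILE_ENTRY = re.compile(
    r'^\d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+\.\s+\d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+'
    r'(?P<size>\d+|-+)\s+(?P<attrs>\S+)\s+(?P<path>.+)$')
SPACE_BEFORE_EXT = re.compile(r'^[a-z]:\\.*\S \.[a-z0-9]{1,4}$', re.I)
FIREWALL = re.compile(r'^"EnableFirewall"\s*=\s*(?P<value>\d+)')
NUMERIC_DAT = re.compile(r'\\\d+\.dat$', re.I)

def cloned_autoruns(log, min_entries=3):
    """Run entries whose target files share one date and one size. Five
    vendors' startup binaries all 40448 bytes and all stamped the same day is
    how a file replacer looks, not an update. The threshold (three entries
    from at least two directories) is this example's own choice."""
    groups = defaultdict(list)
    for line in log.splitlines():
        m = RUN_ENTRY.match(line.strip())
        if m:
            groups[(m['date'], int(m['size']))].append(m['path'])
    return {key: paths for key, paths in groups.items()
            if len(paths) >= min_entries
            and len({p.rsplit('\\', 1)[0].lower() for p in paths}) >= 2}

def renamed_originals(log):
    """Paths with a space before the extension ('hkcmd .exe'): the originals a
    replacer parks next to its own copy, which keeps the real name."""
    hits = []
    for line in log.splitlines():
        text = line.strip()
        m = FILE_ENTRY.match(text)
        path = m['path'] if m else text
        if SPACE_BEFORE_EXT.match(path):
            hits.append(path)
    return hits

def firewall_disabled(log):
    """True if the standard-profile firewall is reported off, False if on,
    None if the excerpt does not carry the key at all."""
    for line in log.splitlines():
        m = FIREWALL.match(line.strip())
        if m:
            return m['value'] == '0'
    return None

def numeric_dat_droppings(log, max_size=16):
    """Tiny files with purely numeric names and a .dat extension; the post
    shows several 4-byte ones created on different days."""
    hits = []
    for line in log.splitlines():
        m = FILE_ENTRY.match(line.strip())
        if (m and m['size'].isdigit() and int(m['size']) <= max_size
                and NUMERIC_DAT.search(m['path'])):
            hits.append((m['path'], int(m['size'])))
    return hits

def triage(log):
    """Every check that fired, keyed by name; an empty dict means nothing did."""
    results = {'cloned_autoruns': cloned_autoruns(log),
               'renamed_originals': renamed_originals(log),
               'firewall_disabled': firewall_disabled(log) is True,
               'numeric_dat_files': numeric_dat_droppings(log)}
    return {name: value for name, value in results.items() if value}

if __name__ == '__main__':
    for name, value in triage(SAMPLE_LOG).items():
        print(f'{name}: {value}')
```

Paste a whole ComboFix log in place of SAMPLE_LOG to run it on your own machine; the file-list regex tolerates the extra spaces ComboFix prints between columns, which the forum collapsed to single spaces above. The interesting output here is the cloned_autoruns group: six different vendors' launchers cannot legitimately all be 40448 bytes, so those six files, not the renamed " .exe" originals beside them, are the ones to submit for analysis.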
Microsoft Windows XP Home Edition 5.1.2600.3.1250.421.1033.18.734.381 [GMT 1:00]
Running from: c:\documents and settings\User\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\User\Desktop\CFScript.txt
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\program files\Internet Explorer\wmpscfgs.exe
c:\windows\system32\hkcmd .exe
c:\windows\system32\igfxtray .exe
.
((((((((((((((((((((((((( Files Created from 2010-02-09 to 2010-03-09 )))))))))))))))))))))))))))))))
.
2010-03-09 05:43 . 2010-03-09 05:43 4 ----a-w- c:\program files\39018445.dat
2010-03-08 05:49 . 2010-03-08 05:49 4 ----a-w- c:\program files\30880974.dat
2010-03-07 20:31 . 2010-03-07 20:31 4 ----a-w- c:\program files\953881.dat
2010-03-07 20:28 . 2010-03-07 20:28 4 ----a-w- c:\program files\757709.dat
2010-03-07 18:17 . 2010-03-07 18:17 4 ----a-w- c:\program files\14715770.dat
2010-02-27 18:35 . 2010-02-27 18:35 -------- d-----w- C:\_OTM
2010-02-27 18:29 . 2010-03-08 18:53 40448 ----a-w- c:\windows\system32\igfxtray.exe
2010-02-27 18:28 . 2010-02-27 18:28 4 ----a-w- c:\program files\130786430.dat
2010-02-27 14:47 . 2010-02-27 14:47 -------- d-----w- C:\rsit
2010-02-26 06:07 . 2010-02-26 06:07 4 ----a-w- c:\program files\462598391.dat
2010-02-20 21:41 . 2010-03-08 18:53 40448 ----a-w- c:\windows\system32\hkcmd.exe
2010-02-09 04:38 . 2010-02-09 04:38 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\XHEO INC
2010-02-09 04:32 . 2010-02-09 04:37 -------- d-----w- C:\PSQLINSTALL
2010-02-09 04:32 . 2010-02-09 04:32 -------- d-----w- c:\program files\RVG Software
2010-02-09 03:51 . 2010-02-09 03:55 -------- d-----w- C:\Lestatos hands
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-09 05:41 . 2008-09-06 16:23 -------- d-----w- c:\program files\FlashGet
2010-03-08 19:53 . 2010-01-18 08:28 -------- d-----w- c:\documents and settings\User\Application Data\Skype
2010-03-08 15:04 . 2008-11-10 15:13 -------- d-----w- c:\documents and settings\User\Application Data\skypePM
2010-03-08 14:02 . 2009-07-26 05:13 -------- d-----w- c:\program files\PokerStars
2010-03-07 20:16 . 2009-06-28 08:16 -------- d-----w- c:\program files\Trend Micro
2010-03-07 12:43 . 2008-11-08 14:13 1 ----a-w- c:\documents and settings\User\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-03-06 22:44 . 2010-02-03 16:22 -------- d-----w- c:\program files\Full Tilt Poker
2010-02-24 18:32 . 2009-04-21 07:54 -------- d-----w- c:\documents and settings\User\Application Data\dvdcss
2010-02-09 04:33 . 2010-02-08 03:15 -------- d-----w- c:\program files\PostgreSQL
2010-02-09 04:29 . 2008-08-25 14:27 -------- d-----w- c:\program files\Instal
2010-02-05 15:30 . 2010-02-05 15:30 4 ----a-w- c:\program files\55993814.dat
2010-02-01 15:50 . 2010-02-01 15:50 79488 ----a-w- c:\documents and settings\User\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-01-29 11:36 . 2010-01-29 11:36 4 ----a-w- c:\program files\245954854.dat
2010-01-18 08:28 . 2008-09-05 10:44 -------- d-----r- c:\program files\Skype
2010-01-18 08:28 . 2008-11-10 15:11 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Skype
2010-01-15 19:44 . 2008-09-05 10:44 -------- d-----w- c:\program files\Common Files\Skype
2010-01-14 08:13 . 2010-01-14 08:13 -------- d-----w- c:\documents and settings\User\Application Data\TeamViewer
2010-01-12 12:59 . 2009-07-16 05:59 -------- d-----w- c:\program files\Ashampoo
2010-01-05 10:00 . 2006-02-28 12:00 832512 ------w- c:\windows\system32\wininet.dll
2010-01-05 10:00 . 2008-11-12 02:22 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-05 10:00 . 2008-11-12 02:21 17408 ----a-w- c:\windows\system32\corpol.dll
2009-12-31 16:50 . 2008-11-12 02:20 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-16 18:43 . 2008-11-12 02:21 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:08 . 2008-11-12 02:20 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-06-30 08:29 . 2009-06-30 08:29 308160 ----a-w- c:\program files\avast_home_setup.exe
2009-06-28 08:16 . 2009-06-28 08:16 812344 ----a-w- c:\program files\HJTInstall.exe
2009-06-28 08:09 . 2009-05-26 06:01 31863808 ----a-w- c:\program files\eav_nt32_csy.msi
2009-06-11 06:53 . 2009-06-11 06:53 84 ----a-w- c:\program files\b3348.ram
2009-06-09 14:20 . 2009-06-09 14:14 21646127 ----a-w- c:\program files\scribus-1.3.3.13-win32-install.exe
2009-06-09 12:51 . 2009-06-09 12:49 3371384 ----a-w- c:\program files\mbam-setup.exe
2009-06-09 11:40 . 2009-06-09 11:34 21135160 ----a-w- c:\program files\scribus-1.3.3.13-os2-20090501.zip
2009-06-09 11:34 . 2009-06-09 11:29 11909804 ----a-w- c:\program files\scribus-1.3.3.13.7z
2009-06-07 11:30 . 2009-06-07 11:29 17900221 ----a-w- c:\program files\0108.pdf
2009-06-07 10:24 . 2009-06-07 10:24 1815369 ----a-w- c:\program files\gbgallerylitesetup.exe
2009-05-26 06:42 . 2009-05-26 06:41 1880289 ----a-w- c:\program files\radarsync.exe
2009-05-24 09:16 . 2009-05-24 09:10 12743232 ----a-w- c:\program files\WinMPG_VideoConvert_Setup-20016.exe
2009-05-24 05:35 . 2009-05-24 05:35 453824 ----a-w- c:\program files\driveragent_488.exe
2009-05-19 12:26 . 2009-05-19 12:24 10143072 ----a-w- c:\program files\AbsolutePoker8_7_6.exe
2009-05-18 15:11 . 2009-05-18 15:09 10770432 ----a-w- c:\program files\LogMeIn.msi
2006-07-28 06:32 . 2009-06-29 17:57 7005 ------w- c:\program files\Eula.txt
.
Code:
c:\program files\Adobe\Reader 9.0\Reader\reader_sl .exe
c:\program files\HPQ\Quick Launch Buttons\eabservr .exe
c:\program files\Skype\Phone\skype .exe
c:\program files\Synaptics\SynTP\syntpenh .exe
c:\program files\Synaptics\SynTP\syntplpr .exe
.
+ 2010-03-08 18:53 . 2010-03-08 18:53 16384 c:\windows\temp\Perflib_Perfdata_574.dat
+ 2008-11-12 02:21 . 2008-04-14 00:12 14336 c:\windows\system32\svchost.exe
+ 2008-11-12 02:21 . 2008-04-14 00:12 57856 c:\windows\system32\spoolsv.exe
+ 2008-11-12 02:21 . 2008-04-14 00:12 13312 c:\windows\system32\lsass.exe
+ 2008-11-12 02:20 . 2008-04-14 00:12 507904 c:\windows\system32\winlogon.exe
+ 2008-11-12 02:20 . 2009-02-06 11:06 110592 c:\windows\system32\services.exe
+ 2008-11-12 02:21 . 2006-02-28 12:00 1032192 c:\windows\system32\dllcache\explorer.exe
+ 2008-11-12 02:21 . 2006-02-28 12:00 1032192 c:\windows\explorer.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{399d96ca-6f9a-4fff-95fe-284e45ebb935}"= "c:\program files\RadarSync\tbRad0.dll" [2009-07-24 2215960]
[HKEY_CLASSES_ROOT\clsid\{399d96ca-6f9a-4fff-95fe-284e45ebb935}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{399d96ca-6f9a-4fff-95fe-284e45ebb935}]
2009-07-24 06:11 2215960 ----a-w- c:\program files\RadarSync\tbRad0.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{399d96ca-6f9a-4fff-95fe-284e45ebb935}"= "c:\program files\RadarSync\tbRad0.dll" [2009-07-24 2215960]
[HKEY_CLASSES_ROOT\clsid\{399d96ca-6f9a-4fff-95fe-284e45ebb935}]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{399D96CA-6F9A-4FFF-95FE-284E45EBB935}"= "c:\program files\RadarSync\tbRad0.dll" [2009-07-24 2215960]
[HKEY_CLASSES_ROOT\clsid\{399d96ca-6f9a-4fff-95fe-284e45ebb935}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-10-09 25623336]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"eabconfg.cpl"="c:\program files\HPQ\Quick Launch Buttons\EabServr.exe" [2010-03-08 40448]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2010-03-08 40448]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2010-03-08 40448]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-03-08 40448]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-03-08 40448]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-03-08 40448]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
AirLive 802.11G Wireless Utility.lnk - c:\program files\OVISLINK\Common\AirliveUI.exe [2008-11-16 1290240]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"JavaQuickStarterService"=2 (0x2)
"hpqwmi"=3 (0x3)
"avg8wd"=2 (0x2)
"avg8emc"=2 (0x2)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\FlashGet\\flashget.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Documents and Settings\\User\\temp\\TeamViewer\\Version5\\TeamViewer.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
S2 postgresql-8.4;PostgreSQL Server 8.4;C:/Program Files/PostgreSQL/8.4/bin/pg_ctl.exe runservice -N "postgresql-8.4" -D "C:/Program Files/PostgreSQL/8.4/data" -w --> C:/Program Files/PostgreSQL/8.4/bin/pg_ctl.exe runservice -N postgresql-8.4 [?]
S3 TVICHW32;TVICHW32;c:\windows\system32\drivers\TVICHW32.SYS [24. 5. 2009 6:35 23600]
.
.
------- Supplementary Scan -------
.
IE: &Download All with FlashGet - c:\program files\FlashGet\jc_all.htm
IE: &Download with FlashGet - c:\program files\FlashGet\jc_link.htm
FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\13knlli7.default\
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-09 06:50
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\postgresql-8.4]
"ImagePath"="C:/Program Files/PostgreSQL/8.4/bin/pg_ctl.exe runservice -N \"postgresql-8.4\" -D \"C:/Program Files/PostgreSQL/8.4/data\" -w"
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\postgresql-8.4]
"ImagePath"="C:/Program Files/PostgreSQL/8.4/bin/pg_ctl.exe runservice -N \"postgresql-8.4\" -D \"C:/Program Files/PostgreSQL/8.4/data\" -w"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\software\Microsoft\Cryptography\RNG*]
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(632)
c:\windows\system32\igfxsrvc.dll
c:\windows\system32\hccutils.DLL
.
Completion time: 2010-03-09 06:52:08
ComboFix-quarantined-files.txt 2010-03-09 05:51
ComboFix2.txt 2010-03-08 06:03
ComboFix3.txt 2010-03-07 21:20
ComboFix4.txt 2010-03-07 20:37
ComboFix5.txt 2010-03-09 05:42
Pre-Run: 14 236 790 784 bytes free
Post-Run: 14 206 496 768 bytes free
- - End Of File - - 0DA9B1811CF32150103C18D18C8440E3
- Caroprd111
- VIP
- Posts: 13492
- Registered: 22 Mar 2009 20:48
- Location: Třebíč
Re: please check my log, I'm sure there's something in it
After this step it will be necessary to reinstall some drivers and programs (touchpad, Skype, Adobe Reader, etc.)
If you haven't already, move Combofix to the desktop

- Open Notepad and copy the text from the white box into it.
Code:
RenV::
c:\program files\Adobe\Reader 9.0\Reader\reader_sl .exe
c:\program files\HPQ\Quick Launch Buttons\eabservr .exe
c:\program files\Skype\Phone\skype .exe
c:\program files\Synaptics\SynTP\syntpenh .exe
c:\program files\Synaptics\SynTP\syntplpr .exe
File::
c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
c:\program files\HPQ\Quick Launch Buttons\eabservr.exe
c:\program files\Skype\Phone\skype.exe
c:\program files\Synaptics\SynTP\syntpenh.exe
c:\program files\Synaptics\SynTP\syntplpr.exe
- Save the TXT file you created as CFScript.txt on the desktop
- After saving, grab the script you created with the left mouse button and drag it onto the Combofix icon, where you drop it:
- After it runs, another log will pop up; paste it here
Re: please check my log, I'm sure there's something in it
ComboFix 10-03-08.01 - User . 03. 2010 15:33:45.8.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1250.421.1033.18.734.398 [GMT 1:00]
Running from: c:\documents and settings\User\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\User\Desktop\CFScript.txt
FILE ::
"c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe"
"c:\program files\HPQ\Quick Launch Buttons\eabservr.exe"
"c:\program files\Skype\Phone\skype.exe"
"c:\program files\Synaptics\SynTP\syntpenh.exe"
"c:\program files\Synaptics\SynTP\syntplpr.exe"
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
c:\program files\HPQ\Quick Launch Buttons\eabservr.exe
c:\program files\Skype\Phone\skype.exe
c:\program files\Synaptics\SynTP\syntpenh.exe
c:\program files\Synaptics\SynTP\syntplpr.exe
.
((((((((((((((((((((((((( Files Created from 2010-02-09 to 2010-03-09 )))))))))))))))))))))))))))))))
.
2010-03-09 05:43 . 2010-03-09 05:43 4 ----a-w- c:\program files\39018445.dat
2010-03-08 05:49 . 2010-03-08 05:49 4 ----a-w- c:\program files\30880974.dat
2010-03-07 20:31 . 2010-03-07 20:31 4 ----a-w- c:\program files\953881.dat
2010-03-07 20:28 . 2010-03-07 20:28 4 ----a-w- c:\program files\757709.dat
2010-03-07 18:17 . 2010-03-07 18:17 4 ----a-w- c:\program files\14715770.dat
2010-02-27 18:35 . 2010-02-27 18:35 -------- d-----w- C:\_OTM
2010-02-27 18:29 . 2010-03-09 14:42 40448 ----a-w- c:\windows\system32\igfxtray.exe
2010-02-27 18:28 . 2010-02-27 18:28 4 ----a-w- c:\program files\130786430.dat
2010-02-27 14:47 . 2010-02-27 14:47 -------- d-----w- C:\rsit
2010-02-26 06:07 . 2010-02-26 06:07 4 ----a-w- c:\program files\462598391.dat
2010-02-20 21:41 . 2010-03-09 14:41 40448 ----a-w- c:\windows\system32\hkcmd.exe
2010-02-20 21:41 . 2010-03-08 18:53 40448 ----a-w- c:\windows\system32\hkcmd .exe
2010-02-09 04:38 . 2010-02-09 04:38 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\XHEO INC
2010-02-09 04:32 . 2010-02-09 04:37 -------- d-----w- C:\PSQLINSTALL
2010-02-09 04:32 . 2010-02-09 04:32 -------- d-----w- c:\program files\RVG Software
2010-02-09 03:51 . 2010-02-09 03:55 -------- d-----w- C:\Lestatos hands
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-09 14:39 . 2008-09-06 16:23 -------- d-----w- c:\program files\FlashGet
2010-03-08 19:53 . 2010-01-18 08:28 -------- d-----w- c:\documents and settings\User\Application Data\Skype
2010-03-08 18:53 . 2010-02-27 18:29 40448 ----a-w- c:\windows\system32\igfxtray .exe
2010-03-08 15:04 . 2008-11-10 15:13 -------- d-----w- c:\documents and settings\User\Application Data\skypePM
2010-03-08 14:02 . 2009-07-26 05:13 -------- d-----w- c:\program files\PokerStars
2010-03-07 20:16 . 2009-06-28 08:16 -------- d-----w- c:\program files\Trend Micro
2010-03-07 12:43 . 2008-11-08 14:13 1 ----a-w- c:\documents and settings\User\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-03-06 22:44 . 2010-02-03 16:22 -------- d-----w- c:\program files\Full Tilt Poker
2010-02-24 18:32 . 2009-04-21 07:54 -------- d-----w- c:\documents and settings\User\Application Data\dvdcss
2010-02-09 04:33 . 2010-02-08 03:15 -------- d-----w- c:\program files\PostgreSQL
2010-02-09 04:29 . 2008-08-25 14:27 -------- d-----w- c:\program files\Instal
2010-02-05 15:30 . 2010-02-05 15:30 4 ----a-w- c:\program files\55993814.dat
2010-02-01 15:50 . 2010-02-01 15:50 79488 ----a-w- c:\documents and settings\User\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-01-29 11:36 . 2010-01-29 11:36 4 ----a-w- c:\program files\245954854.dat
2010-01-18 08:28 . 2008-09-05 10:44 -------- d-----r- c:\program files\Skype
2010-01-18 08:28 . 2008-11-10 15:11 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Skype
2010-01-15 19:44 . 2008-09-05 10:44 -------- d-----w- c:\program files\Common Files\Skype
2010-01-14 08:13 . 2010-01-14 08:13 -------- d-----w- c:\documents and settings\User\Application Data\TeamViewer
2010-01-12 12:59 . 2009-07-16 05:59 -------- d-----w- c:\program files\Ashampoo
2010-01-05 10:00 . 2006-02-28 12:00 832512 ------w- c:\windows\system32\wininet.dll
2010-01-05 10:00 . 2008-11-12 02:22 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-05 10:00 . 2008-11-12 02:21 17408 ----a-w- c:\windows\system32\corpol.dll
2009-12-31 16:50 . 2008-11-12 02:20 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-16 18:43 . 2008-11-12 02:21 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:08 . 2008-11-12 02:20 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-06-30 08:29 . 2009-06-30 08:29 308160 ----a-w- c:\program files\avast_home_setup.exe
2009-06-28 08:16 . 2009-06-28 08:16 812344 ----a-w- c:\program files\HJTInstall.exe
2009-06-28 08:09 . 2009-05-26 06:01 31863808 ----a-w- c:\program files\eav_nt32_csy.msi
2009-06-11 06:53 . 2009-06-11 06:53 84 ----a-w- c:\program files\b3348.ram
2009-06-09 14:20 . 2009-06-09 14:14 21646127 ----a-w- c:\program files\scribus-1.3.3.13-win32-install.exe
2009-06-09 12:51 . 2009-06-09 12:49 3371384 ----a-w- c:\program files\mbam-setup.exe
2009-06-09 11:40 . 2009-06-09 11:34 21135160 ----a-w- c:\program files\scribus-1.3.3.13-os2-20090501.zip
2009-06-09 11:34 . 2009-06-09 11:29 11909804 ----a-w- c:\program files\scribus-1.3.3.13.7z
2009-06-07 11:30 . 2009-06-07 11:29 17900221 ----a-w- c:\program files\0108.pdf
2009-06-07 10:24 . 2009-06-07 10:24 1815369 ----a-w- c:\program files\gbgallerylitesetup.exe
2009-05-26 06:42 . 2009-05-26 06:41 1880289 ----a-w- c:\program files\radarsync.exe
2009-05-24 09:16 . 2009-05-24 09:10 12743232 ----a-w- c:\program files\WinMPG_VideoConvert_Setup-20016.exe
2009-05-24 05:35 . 2009-05-24 05:35 453824 ----a-w- c:\program files\driveragent_488.exe
2009-05-19 12:26 . 2009-05-19 12:24 10143072 ----a-w- c:\program files\AbsolutePoker8_7_6.exe
2009-05-18 15:11 . 2009-05-18 15:09 10770432 ----a-w- c:\program files\LogMeIn.msi
2006-07-28 06:32 . 2009-06-29 17:57 7005 ------w- c:\program files\Eula.txt
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{399d96ca-6f9a-4fff-95fe-284e45ebb935}"= "c:\program files\RadarSync\tbRad0.dll" [2009-07-24 2215960]
[HKEY_CLASSES_ROOT\clsid\{399d96ca-6f9a-4fff-95fe-284e45ebb935}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{399d96ca-6f9a-4fff-95fe-284e45ebb935}]
2009-07-24 06:11 2215960 ----a-w- c:\program files\RadarSync\tbRad0.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{399d96ca-6f9a-4fff-95fe-284e45ebb935}"= "c:\program files\RadarSync\tbRad0.dll" [2009-07-24 2215960]
[HKEY_CLASSES_ROOT\clsid\{399d96ca-6f9a-4fff-95fe-284e45ebb935}]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{399D96CA-6F9A-4FFF-95FE-284E45EBB935}"= "c:\program files\RadarSync\tbRad0.dll" [2009-07-24 2215960]
[HKEY_CLASSES_ROOT\clsid\{399d96ca-6f9a-4fff-95fe-284e45ebb935}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2010-03-09 40448]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"eabconfg.cpl"="c:\program files\HPQ\Quick Launch Buttons\EabServr.exe" [2010-03-09 40448]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2010-03-09 40448]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2010-03-09 40448]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-03-09 40448]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-03-09 40448]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-03-09 40448]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
AirLive 802.11G Wireless Utility.lnk - c:\program files\OVISLINK\Common\AirliveUI.exe [2008-11-16 1290240]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"JavaQuickStarterService"=2 (0x2)
"hpqwmi"=3 (0x3)
"avg8wd"=2 (0x2)
"avg8emc"=2 (0x2)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\FlashGet\\flashget.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Documents and Settings\\User\\temp\\TeamViewer\\Version5\\TeamViewer.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
R2 postgresql-8.4;PostgreSQL Server 8.4;C:/Program Files/PostgreSQL/8.4/bin/pg_ctl.exe runservice -N "postgresql-8.4" -D "C:/Program Files/PostgreSQL/8.4/data" -w --> C:/Program Files/PostgreSQL/8.4/bin/pg_ctl.exe runservice -N postgresql-8.4 [?]
S3 TVICHW32;TVICHW32;c:\windows\system32\drivers\TVICHW32.SYS [24. 5. 2009 6:35 23600]
.
.
------- Supplementary Scan -------
.
IE: &Download All with FlashGet - c:\program files\FlashGet\jc_all.htm
IE: &Download with FlashGet - c:\program files\FlashGet\jc_link.htm
FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\13knlli7.default\
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-09 15:41
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
c:\windows\system32\igfxtray .exe 40448 bytes executable
scan completed successfully
hidden files: 1
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\postgresql-8.4]
"ImagePath"="C:/Program Files/PostgreSQL/8.4/bin/pg_ctl.exe runservice -N \"postgresql-8.4\" -D \"C:/Program Files/PostgreSQL/8.4/data\" -w"
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\postgresql-8.4]
"ImagePath"="C:/Program Files/PostgreSQL/8.4/bin/pg_ctl.exe runservice -N \"postgresql-8.4\" -D \"C:/Program Files/PostgreSQL/8.4/data\" -w"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\software\Microsoft\Cryptography\RNG*]
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'explorer.exe'(2236)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\PostgreSQL\8.4\bin\pg_ctl.exe
c:\program files\PostgreSQL\8.4\bin\postgres.exe
c:\program files\PostgreSQL\8.4\bin\postgres.exe
c:\program files\PostgreSQL\8.4\bin\postgres.exe
c:\program files\PostgreSQL\8.4\bin\postgres.exe
c:\program files\PostgreSQL\8.4\bin\postgres.exe
c:\windows\system32\wscntfy.exe
c:\program files\internet explorer\wmpscfgs.exe
c:\program files\internet explorer\wmpscfgs.exe
.
**************************************************************************
.
Completion time: 2010-03-09 15:47:05 - machine was rebooted
ComboFix-quarantined-files.txt 2010-03-09 14:47
ComboFix2.txt 2010-03-09 05:52
ComboFix3.txt 2010-03-08 06:03
ComboFix4.txt 2010-03-07 21:20
ComboFix5.txt 2010-03-09 14:32
Pre-Run: 14 209 953 792 bytes free
Post-Run: 14 140 067 840 bytes free
- - End Of File - - CFC91EE81BED37295AFA1764CB16F3EA
.
Code:
c:\program files\Skype\Phone\skype .exe
c:\windows\system32\hkcmd .exe
c:\windows\system32\igfxtray .exe
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{399d96ca-6f9a-4fff-95fe-284e45ebb935}"= "c:\program files\RadarSync\tbRad0.dll" [2009-07-24 2215960]
[HKEY_CLASSES_ROOT\clsid\{399d96ca-6f9a-4fff-95fe-284e45ebb935}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{399d96ca-6f9a-4fff-95fe-284e45ebb935}]
2009-07-24 06:11 2215960 ----a-w- c:\program files\RadarSync\tbRad0.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{399d96ca-6f9a-4fff-95fe-284e45ebb935}"= "c:\program files\RadarSync\tbRad0.dll" [2009-07-24 2215960]
[HKEY_CLASSES_ROOT\clsid\{399d96ca-6f9a-4fff-95fe-284e45ebb935}]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{399D96CA-6F9A-4FFF-95FE-284E45EBB935}"= "c:\program files\RadarSync\tbRad0.dll" [2009-07-24 2215960]
[HKEY_CLASSES_ROOT\clsid\{399d96ca-6f9a-4fff-95fe-284e45ebb935}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2010-03-09 40448]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"eabconfg.cpl"="c:\program files\HPQ\Quick Launch Buttons\EabServr.exe" [2010-03-09 40448]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2010-03-09 40448]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2010-03-09 40448]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-03-09 40448]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-03-09 40448]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-03-09 40448]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
AirLive 802.11G Wireless Utility.lnk - c:\program files\OVISLINK\Common\AirliveUI.exe [2008-11-16 1290240]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"JavaQuickStarterService"=2 (0x2)
"hpqwmi"=3 (0x3)
"avg8wd"=2 (0x2)
"avg8emc"=2 (0x2)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\FlashGet\\flashget.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Documents and Settings\\User\\temp\\TeamViewer\\Version5\\TeamViewer.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
R2 postgresql-8.4;PostgreSQL Server 8.4;C:/Program Files/PostgreSQL/8.4/bin/pg_ctl.exe runservice -N "postgresql-8.4" -D "C:/Program Files/PostgreSQL/8.4/data" -w --> C:/Program Files/PostgreSQL/8.4/bin/pg_ctl.exe runservice -N postgresql-8.4 [?]
S3 TVICHW32;TVICHW32;c:\windows\system32\drivers\TVICHW32.SYS [24. 5. 2009 6:35 23600]
.
.
------- Supplementary Scan -------
.
IE: &Download All with FlashGet - c:\program files\FlashGet\jc_all.htm
IE: &Download with FlashGet - c:\program files\FlashGet\jc_link.htm
FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\13knlli7.default\
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-09 15:41
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
c:\windows\system32\igfxtray .exe 40448 bytes executable
scan completed successfully
hidden files: 1
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\postgresql-8.4]
"ImagePath"="C:/Program Files/PostgreSQL/8.4/bin/pg_ctl.exe runservice -N \"postgresql-8.4\" -D \"C:/Program Files/PostgreSQL/8.4/data\" -w"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\software\Microsoft\Cryptography\RNG*]
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'explorer.exe'(2236)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\PostgreSQL\8.4\bin\pg_ctl.exe
c:\program files\PostgreSQL\8.4\bin\postgres.exe
c:\program files\PostgreSQL\8.4\bin\postgres.exe
c:\program files\PostgreSQL\8.4\bin\postgres.exe
c:\program files\PostgreSQL\8.4\bin\postgres.exe
c:\program files\PostgreSQL\8.4\bin\postgres.exe
c:\windows\system32\wscntfy.exe
c:\program files\internet explorer\wmpscfgs.exe
c:\program files\internet explorer\wmpscfgs.exe
.
**************************************************************************
.
Completion time: 2010-03-09 15:47:05 - machine was rebooted
ComboFix-quarantined-files.txt 2010-03-09 14:47
ComboFix2.txt 2010-03-09 05:52
ComboFix3.txt 2010-03-08 06:03
ComboFix4.txt 2010-03-07 21:20
ComboFix5.txt 2010-03-09 14:32
Pre-Run: 14 209 953 792 bytes free
Post-Run: 14 140 067 840 bytes free
- - End Of File - - CFC91EE81BED37295AFA1764CB16F3EA
- Caroprd111
- VIP
- Posts: 13492
- Registered: 22 Mar 2009 20:48
- Location: Třebíč
Re: please check my log, I'm sure there's something in it
After this step it will be necessary to reinstall some drivers and programs (graphics card, Skype, etc.).
If you haven't already, move ComboFix to the desktop.

- Open Notepad and copy the text from the white box into it.
Code:
RenV::
c:\program files\Skype\Phone\skype .exe
c:\windows\system32\hkcmd .exe
c:\windows\system32\igfxtray .exe
File::
c:\program files\Skype\Phone\skype.exe
c:\windows\system32\hkcmd.exe
c:\windows\system32\igfxtray.exe
- Save the TXT file you created as CFScript.txt on the desktop.
- After saving, grab the script with the left mouse button and drag it onto the ComboFix icon, then drop it there:
- After it runs, another log will pop up; paste it here.
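Added example, not part of this thread, of ComboFix, or of the moderator's script: a Python script that applies to lines copied from the log above (embedded as constructed sample input) the two checks behind the reply. First, the Run entries for Skype, HP, Synaptics, Intel and Adobe all report the same stamp [2010-03-09 40448]; independently built programs do not share a size and a build date, so a shared stamp across vendors is the sign that one loader has been copied over each of them (CTFMON.EXE, with its own stamp, is left alone). Second, catchme reports a hidden "igfxtray .exe" whose name is an autostart binary with a space inserted before ".exe", i.e. the displaced original. The function names (`find_shared_stamps`, `find_displaced_originals`, `build_cfscript`) and the threshold of three binaries per stamp are my own choices; the RenV::/File:: layout is copied from the moderator's script, and what ComboFix does with each section is not documented on this page, so the generated text is a draft for a human to review, not something the script runs.

```python
"""Triage heuristics over ComboFix log lines (added example, not from the thread).

 1. shared stamp: autostart binaries from unrelated vendors all reporting the
    same [date size], which points at one loader copied over each of them.
 2. displaced original: a file catchme reports as hidden whose name is an
    autostart binary with a space inserted before '.exe' ('igfxtray .exe').

build_cfscript() only drafts text in the RenV::/File:: layout used in the
reply above; it does not run ComboFix.
"""
import re
from collections import defaultdict

# Constructed sample input: lines copied from the log above, not a live file.
RUN_LINES = r'''
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2010-03-09 40448]
"eabconfg.cpl"="c:\program files\HPQ\Quick Launch Buttons\EabServr.exe" [2010-03-09 40448]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2010-03-09 40448]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2010-03-09 40448]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-03-09 40448]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-03-09 40448]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-03-09 40448]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
'''
HIDDEN_LINES = r'''
c:\windows\system32\igfxtray .exe 40448 bytes executable
'''

# "Name"="path" [YYYY-MM-DD size]  as printed in ComboFix's Run-key section
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)" \[(?P<date>\d{4}-\d{2}-\d{2}) (?P<size>\d+)\]$')
# path size bytes executable       as printed in catchme's hidden-files section
HIDDEN_RE = re.compile(r'^(?P<path>.+\.exe) (?P<size>\d+) bytes executable$', re.IGNORECASE)


def parse_run_entries(text):
    """Turn ComboFix Run-key lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.strip().splitlines():
        m = RUN_RE.match(line.strip())
        if m:
            entries.append({"name": m["name"], "path": m["path"].lower(),
                            "date": m["date"], "size": int(m["size"])})
    return entries


def parse_hidden_files(text):
    """Turn catchme hidden-file lines into dicts with a lower-cased path and size."""
    hidden = []
    for line in text.strip().splitlines():
        m = HIDDEN_RE.match(line.strip())
        if m:
            hidden.append({"path": m["path"].lower(), "size": int(m["size"])})
    return hidden


def find_shared_stamps(entries, min_count=3):
    """Map (date, size) -> sorted paths for stamps shared by >= min_count distinct binaries."""
    groups = defaultdict(set)
    for e in entries:
        groups[(e["date"], e["size"])].add(e["path"])
    return {k: sorted(v) for k, v in groups.items() if len(v) >= min_count}


def find_displaced_originals(entries, hidden):
    """Pair each hidden 'name .exe' with the autostart 'name.exe' whose name it shadows."""
    autostart = {e["path"] for e in entries}
    pairs = []
    for h in hidden:
        stem, ext = h["path"].rsplit(".", 1)
        if stem.endswith(" ") and stem.rstrip() + "." + ext in autostart:
            pairs.append((h["path"], stem.rstrip() + "." + ext))
    return pairs


def build_cfscript(pairs):
    """Draft a CFScript in the RenV::/File:: layout used in the reply above."""
    lines = ["RenV::"] + [renamed for renamed, _ in pairs]
    lines += ["File::"] + [original for _, original in pairs]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    entries = parse_run_entries(RUN_LINES)
    for (date, size), paths in find_shared_stamps(entries).items():
        print(f"{len(paths)} autostart binaries share stamp [{date} {size}]:")
        for p in paths:
            print("   ", p)
    pairs = find_displaced_originals(entries, parse_hidden_files(HIDDEN_LINES))
    print(build_cfscript(pairs))
```

On the sample input the script reports seven binaries sharing [2010-03-09 40448] and drafts a RenV::/File:: pair for igfxtray only, because catchme listed only that one hidden file in this run; the moderator's script also names skype and hkcmd, which this log alone does not show.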
Re: please check my log, I'm sure there's something in it
Good day, I don't want to be ungrateful, but I have the feeling that something isn't right; we keep deleting scripts with ComboFix over and over, either it somehow keeps dragging on again and again, or I don't know. Please don't take this as criticism. I just want to understand it. Thank you.