AntiSpyware
Moderators: mozek007, Ryan, Moderators
A layman asking for advice: when I go online, a message pops up at the bottom right of the taskbar saying something like "spyware notice" or whatever, and it disappears right away, and often a web page for some program opens with it, which, if I download it, checks my PC and tells me I have some illegal stuff on it, that I'm at risk and I don't know how many infected files I have.
I have NOD32 and Spyware Terminator, and both of them found some Trojan "agent" that can't be deleted, so I don't know, but it's getting on my nerves. Should I post my log here? I know how, someone here helped me once before. Thanks
Awast: changed the thread title, which said nothing about the problem
I'd recommend contacting the moderator here, Ryan, or going straight to http://www.viry.cz/forum/
TT Mambo,FSP-400W, DFI Inf. X2 3600+ EE@2.8GHz, 2x1GB Corsair , HD2600XT@860/780, Seagate250GB, LG4167B, SB Audigy4, 5.1 Genius HT, Logitech G5+QCK4Dsteel +MicrosoftDigitalMedia
log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:21:09, on 22.1.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\HPZipm12.exe
D:\programky\Winamp\winampa.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
D:\programky\nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\Common Files\SuspenzorPC\mc.exe
C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
C:\Program Files\Eset\nod32kui.exe
D:\programky\záznamspy\SpyManager20.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\ICQ6\ICQ.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\Crawler\Toolbar\CToolbar.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.seznam.cz/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 4.3.2.2:3128
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll (file missing)
O2 - BHO: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O2 - BHO: (no name) - {9113B6A9-13E2-4CE8-AEA2-C93F1C8EC751} - C:\WINDOWS\system32\cryptsv.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll (file missing)
O3 - Toolbar: &Crawler Toolbar - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [WinampAgent] "D:\programky\Winamp\winampa.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [PCSuiteTrayApplication] D:\programky\nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [Salestart(3)] "C:\Program Files\Common Files\SuspenzorPC\mc.exe" dm=http://suspenzorpc.com ad=http://suspenzorpc.com sd=http://pinams.suspenzorpc.com
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [SpyMng] D:\programky\záznamspy\SpyManager20.exe autorun
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: dlbcserv.lnk = C:\Program Files\Dell Photo Printer 720\dlbcserv.exe
O8 - Extra context menu item: Crawler Search - tbr:iemenu
O8 - Extra context menu item: E&xportovat do aplikace Microsoft Office Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Zdroje informací - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRM~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/webplayer/stag ... taller.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E8EF9E26-0D8F-4E80-BF05-F32DABBAC76F}: NameServer = 212.158.128.2,212.158.128.3
O17 - HKLM\System\CCS\Services\Tcpip\..\{FFD04F03-5C36-4FF3-B2BD-985F9E34929F}: NameServer = 212.158.128.2,212.158.128.3
O18 - Protocol: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - D:\prográmky\avast\aswUpdSv.exe (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - Unknown owner - D:\prográmky\avast\ashServ.exe (file missing)
O23 - Service: avast! Mail Scanner - Unknown owner - D:\prográmky\avast\ashMaiSv.exe (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - D:\prográmky\avast\ashWebSv.exe (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Unknown owner - C:\Program Files\Eset\nod32krn.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
--
End of file - 6585 bytes
thanks
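As an added example (not code from the thread and not a HijackThis feature), the Python script below applies a few of the checks an analyst runs over a log like the one above: the R1 ProxyServer setting, an unnamed O2 BHO loading from system32, O4 autostart entries carrying URLs in their command line, and orphaned "(file missing)" entries. The sample lines are copied from the posted log; the rules, the severities and the `parse_entry`/`triage`/`summarize` names are this example's own, and a hit means "review this entry", not "this is malware".

```python
"""Triage a HijackThis log with a few analyst heuristics.

Added example; not part of the forum thread and not a HijackThis
feature. The sample lines are copied from the log posted above. A hit
means "look at this entry", not "this is malware".
"""
import re

# Constructed sample: selected lines from the posted HijackThis log.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.seznam.cz/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 4.3.2.2:3128
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll (file missing)
O2 - BHO: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O2 - BHO: (no name) - {9113B6A9-13E2-4CE8-AEA2-C93F1C8EC751} - C:\WINDOWS\system32\cryptsv.dll
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [Salestart(3)] "C:\Program Files\Common Files\SuspenzorPC\mc.exe" dm=http://suspenzorpc.com ad=http://suspenzorpc.com sd=http://pinams.suspenzorpc.com
O23 - Service: avast! Antivirus - Unknown owner - D:\prográmky\avast\ashServ.exe (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
"""

ENTRY_RE = re.compile(r"^(R\d|O\d+)\s+-\s+(.*)$")
SYSTEM32_RE = re.compile(r"\\WINDOWS\\system32\\", re.IGNORECASE)


def parse_entry(line):
    """Split a HijackThis line into its section code and body, or None."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    return {"section": m.group(1), "body": m.group(2), "line": line.strip()}


def triage(log_text):
    """Return a list of findings: dicts with severity, section, reason, line."""
    findings = []
    for raw in log_text.splitlines():
        entry = parse_entry(raw)
        if entry is None:
            continue
        sec, body = entry["section"], entry["body"]

        def hit(severity, reason):
            findings.append({"severity": severity, "section": sec,
                             "reason": reason, "line": entry["line"]})

        # R1 ProxyServer: a proxy the user did not set sees every IE request.
        if sec == "R1" and "ProxyServer" in body:
            hit("high", "IE proxy set in the user hive; confirm it is intentional")
        # O2 BHO with no name loading from system32: legitimate BHOs are
        # normally named and installed under Program Files.
        if sec == "O2" and body.startswith("BHO: (no name)") and SYSTEM32_RE.search(body):
            hit("high", "unnamed BHO loading from system32")
        # O4 Run entry carrying URLs in its command line: typical of
        # ad/rogue software that phones home at logon.
        if sec == "O4" and "http://" in body:
            hit("medium", "autostart command line contains URLs")
        # Anything pointing at a file that no longer exists is an orphan:
        # harmless, but worth removing to keep the log readable.
        if "(file missing)" in body:
            hit("low", "orphaned entry, target file missing")
    return findings


def summarize(findings):
    """Count findings per severity."""
    counts = {"high": 0, "medium": 0, "low": 0}
    for f in findings:
        counts[f["severity"]] += 1
    return counts


if __name__ == "__main__":
    order = ["high", "medium", "low"]
    report = triage(SAMPLE_LOG)
    for f in sorted(report, key=lambda f: order.index(f["severity"])):
        print(f"[{f['severity']:6}] {f['section']}: {f['reason']}\n         {f['line']}")
    print(summarize(report))
```

On the sample the script reports two high findings (the proxy and cryptsv.dll), one medium (the Salestart(3) entry) and two orphans; the Crawler BHO is not flagged because it lives under Program Files, which is exactly why a script like this only narrows the list an analyst still has to read.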
- Honorary member
- Posts: 316
- Registered: Sat Apr 21, 2007 11:05
- Location: wherever there's net access :-) / Českomoravská Vysočina
Download ComboFix and save it to the Desktop
Then run the application under an account with administrator rights
Right after it starts, a screen with the licence terms appears; click YES
Calmly go and make yourself a coffee (the whole thing takes about 5-10 minutes, sometimes longer, depending on how fast the machine is and how many files the scanner has to plough through); follow the on-screen instructions and do not try to launch any other applications or do anything else during the scan
Don't panic during the scan; your machine may be restarted (especially on the first run of the scanner)
Warning: if you use Spyware Terminator, switch its resident shield to Install Mode, or disable it completely for the duration of the scan, because ComboFix tries to delete infected files during the scan and Spyware Terminator may block that
After the restart the application creates a log saved at C:\ComboFix.txt (on repeated use the logs are named ComboFix2.txt etc.); paste its contents here
hopefully this is it
ComboFix 08-02.01.5 - Elevencards 2008-02-01 7:59:09.1 - NTFSx86
Systém Microsoft Windows XP Professional 5.1.2600.2.1250.1.1029.18.683 [GMT 1:00]
Running from: C:\Documents and Settings\Elevencards\Plocha\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\All Users\Data aplikací\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Data aplikací\Microsoft\Network\Downloader\qmgr1.dat
C:\Documents and Settings\Elevencards\Data aplikací\PCPrivacyTool
C:\Documents and Settings\Elevencards\Data aplikací\PCPrivacyTool\Logs\update.log
C:\Documents and Settings\Elevencards\Data aplikací\SpyGuardPro
C:\Documents and Settings\Elevencards\Data aplikací\SpyGuardPro\avtasks.dat
C:\Documents and Settings\Elevencards\Data aplikací\SpyGuardPro\Logs\av.log
C:\Documents and Settings\Elevencards\Data aplikací\SpyGuardPro\Logs\ga6Support.log
C:\Documents and Settings\Elevencards\Data aplikací\SpyGuardPro\Logs\update.log
C:\Documents and Settings\Elevencards\Data aplikací\SpyGuardPro\PGE.dat
C:\Program Files\Common Files\DriveDefender
C:\Program Files\Common Files\PCPrivacyTool
C:\Program Files\DriveDefender
C:\Program Files\DriveDefender\sr.log
C:\UGA6P
C:\WINDOWS\system32\~.exe
C:\WINDOWS\system32\5_exception.nls
C:\WINDOWS\system32\ati2ksag.sys . . . . failed to delete
C:\WINDOWS\system32\cryptsv.dll . . . . failed to delete
C:\WINDOWS\system32\hrpdcf.bin . . . . failed to delete
C:\WINDOWS\system32\kl80.bin
C:\WINDOWS\system32\cryptsv.dll . . . . failed to delete
----- BITS: Possible infected sites -----
hxxp://scarddlg.com
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\LEGACY_ATI2KSAG
-------\LEGACY_NDNET1
-------\LEGACY_RUNTIME
-------\LEGACY_RUNTIME2
-------\ati2ksag
-------\NDnet1
-------\runtime
((((((((((((((((((((((((( Files Created from 2008-01-01 to 2008-02-01 )))))))))))))))))))))))))))))))
.
2008-01-16 15:30 . 2008-02-01 08:05 53,876 --a------ C:\WINDOWS\system32\mswrcrt.dll
2008-01-16 15:30 . 2008-01-16 15:30 7,552 --a------ C:\WINDOWS\system32\drivers\SpyMng.sys
2008-01-16 15:21 . 2008-01-16 15:21 300,048 --a------ C:\WINDOWS\system32\drivers\amon.sys
2008-01-16 15:21 . 2008-01-16 15:21 245,760 --a------ C:\WINDOWS\system32\imon.dll
2008-01-16 15:21 . 2008-01-16 15:21 114,688 --a------ C:\WINDOWS\system32\nms32.dll
2008-01-16 09:36 . 2008-01-16 09:36 138,624 --a------ C:\WINDOWS\system32\drivers\sp_rsdrv2.sys
2008-01-16 09:30 . 2008-01-16 09:36 <DIR> d-------- C:\Program Files\WinClamAVShield
2008-01-16 09:26 . 2008-01-16 10:48 <DIR> d-------- C:\Program Files\Crawler
2008-01-16 09:25 . 2008-01-30 14:30 <DIR> d-------- C:\Program Files\Spyware Terminator
2008-01-16 09:10 . 2008-01-16 14:51 <DIR> d-------- C:\Program Files\Common Files\SuspenzorPC
2008-01-09 16:03 . 2008-01-09 16:03 <DIR> d-------- C:\Program Files\Jasc Software Inc
2008-01-09 16:03 . 2008-01-09 16:03 <DIR> d-------- C:\Program Files\Dell Computer
2008-01-09 16:02 . 2008-01-09 16:03 <DIR> d-------- C:\Program Files\Dell Photo Printer 720
2008-01-09 16:00 . 2008-01-09 16:00 155 --a------ C:\WINDOWS\dellstat.ini
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-15 14:02 --------- d-----w C:\Program Files\ICQ6
2008-01-06 10:56 --------- d-----w C:\Program Files\ICQToolbar
2007-12-28 10:09 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-26 15:38 --------- d-----w C:\Program Files\DIFX
2007-12-26 15:38 --------- d-----w C:\Program Files\Common Files\PCSuite
2007-12-26 15:38 --------- d-----w C:\Program Files\Common Files\Nokia
2007-12-26 15:37 --------- d-----w C:\Program Files\PC Connectivity Solution
2007-12-19 10:57 --------- d-----w C:\Program Files\GIMP-2.0
2007-12-12 21:02 13,824 ----a-w C:\sysalio.exe
2007-12-07 22:44 19,456 ----a-w C:\WINDOWS\system32\drivers\hwixfwlz.dat
2007-12-02 19:44 --------- d-----w C:\Program Files\Xvid CZ
2007-12-02 19:34 --------- d-----w C:\Program Files\Codec Pack - All In 1
2007-12-02 19:33 737,280 ----a-w C:\WINDOWS\iun6002.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9113B6A9-13E2-4CE8-AEA2-C93F1C8EC751}]
2004-08-17 16:49 96256 --a------ C:\WINDOWS\system32\cryptsv.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-17 16:49 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 18:42 32768]
"WinampAgent"="D:\programky\Winamp\winampa.exe" [2005-10-27 00:01 33792]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-11 22:12 49152]
"PCSuiteTrayApplication"="D:\programky\nokia\Nokia PC Suite 6\LaunchApplication.exe" [2007-03-23 13:20 227328]
"Salestart(3)"="C:\Program Files\Common Files\SuspenzorPC\mc.exe" [2007-11-07 18:12 429056]
"SpywareTerminator"="C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe" [2008-01-16 09:29 2776576]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2008-01-16 15:21 851968]
"SpyMng"="D:\programky\záznamspy\SpyManager20.exe" [ ]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-17 16:49 15360]
"Nokia.PCSync"="D:\programky\nokia\Nokia PC Suite 6\PcSync2.exe" [2007-03-27 15:58 1744896]
R0 jmbdltdh;jmbdltdh;C:\WINDOWS\system32\drivers\hwixfwlz.dat []
R0 viamraid;viamraid;C:\WINDOWS\system32\drivers\viamraid.sys [2005-07-12 22:21]
R1 sp_rsdrv2;Spyware Terminator Driver 2;C:\WINDOWS\system32\drivers\sp_rsdrv2.sys [2008-01-16 09:36]
R1 SpyMng;SpyMng;C:\WINDOWS\system32\Drivers\SpyMng.sys [2008-01-16 15:30]
R3 PSched;Plánovač paketů technologie QoS;C:\WINDOWS\system32\DRIVERS\psched.sys [2004-08-04 00:04]
S3 ICDSX;Sony IC Recorder (SX);C:\WINDOWS\system32\Drivers\ICDSX.sys [2003-10-01 17:44]
S3 kbeepm;kbeepm;C:\DOCUME~1\ELEVEN~1\LOCALS~1\Temp\kbeepm.sys []
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{df9045c8-bc5a-11dc-990a-0050fc7d54f3}]
\Shell\AutoRun\command - EXPLORER.EXE
\Shell\explore\Command - EXPLORER.EXE
\Shell\open\Command - EXPLORER.EXE
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-01 08:06:06
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\system32\lsass.exe [5.01.2600.2180]
-> C:\WINDOWS\system32\imon.dll
-> C:\Program Files\Eset\pr_imon.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
D:\programky\Winamp\winampa.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
D:\programky\nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\Common Files\SuspenzorPC\mc.exe
C:\Program Files\Eset\nod32kui.exe
D:\programky\záznamspy\SpyManager20.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
.
**************************************************************************
.
Completion time: 2008-02-01 8:07:09 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-01 07:07:03
Nice collection of junk!
Open Notepad and copy this text into it:
Code:
File::
C:\WINDOWS\system32\mswrcrt.dll
C:\WINDOWS\dellstat.ini
C:\sysalio.exe
C:\WINDOWS\system32\drivers\hwixfwlz.dat
C:\WINDOWS\iun6002.exe
Driver::
SpyMng
Rootkit::
C:\WINDOWS\system32\drivers\SpyMng.sys
Then save the file as CFScript.txt on the desktop.
Next, boot into Safe Mode, move ComboFix to the desktop --> grab that text file, drag it onto the ComboFix icon and drop it --> the program will start and begin deleting... once it finishes, post the log again and we'll have a look.
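As an added example (not part of this thread and not ComboFix's own tooling): a small Python triage helper that parses the R0/R1/S3 driver lines of a ComboFix log, flags the same signs the helper above acted on (an empty [] timestamp, a kernel driver whose image is not a .sys file, an image loaded from a Temp folder; these three heuristics are the example's own assumptions, not ComboFix rules) and renders the flagged entries in the File::/Driver:: layout of the CFScript above. The sample lines are the driver entries quoted from the first log in this thread.

```python
# Added example, not from the thread or from ComboFix: triage the
# "R0/R1/S3 name;display;path [stamp]" driver lines of a ComboFix log and
# render the suspicious ones as CFScript File::/Driver:: sections.
# The three heuristics below are this example's own assumptions.
import re
from typing import NamedTuple, Optional

LINE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.+?)\s*\[(.*?)\]\s*$")

class Driver(NamedTuple):
    start: str    # R0/R1/R3 = running, S0/S3 = stopped or on-demand
    name: str     # service name, what a CFScript Driver:: section takes
    display: str
    path: str     # image on disk, what a CFScript File:: section takes
    stamp: str    # file date ComboFix read; empty when it could not

def parse_driver_line(line: str) -> Optional[Driver]:
    m = LINE_RE.match(line.strip())
    return Driver(*(g.strip() for g in m.groups())) if m else None

def suspicion_reasons(d: Driver) -> list:
    """Signs the thread's helper acted on; deliberately not exhaustive."""
    reasons = []
    if not d.stamp:
        reasons.append("no file timestamp (file missing or unreadable)")
    if not d.path.lower().endswith(".sys"):
        reasons.append("kernel driver image is not a .sys file")
    if "\\temp\\" in d.path.lower():
        reasons.append("driver loaded from a Temp directory")
    return reasons

def triage(lines):
    parsed = filter(None, map(parse_driver_line, lines))
    return [(d, r) for d in parsed if (r := suspicion_reasons(d))]

def to_cfscript(flagged) -> str:
    files = [d.path for d, _ in flagged]
    names = [d.name for d, _ in flagged]
    return "\n".join(["File::", *files, "", "Driver::", *names])

# Constructed sample: the driver lines quoted from the first log above.
SAMPLE = [
    r"R0 jmbdltdh;jmbdltdh;C:\WINDOWS\system32\drivers\hwixfwlz.dat []",
    r"R0 viamraid;viamraid;C:\WINDOWS\system32\drivers\viamraid.sys [2005-07-12 22:21]",
    r"S3 kbeepm;kbeepm;C:\DOCUME~1\ELEVEN~1\LOCALS~1\Temp\kbeepm.sys []",
]

if __name__ == "__main__":
    print(to_cfscript(triage(SAMPLE)))
```

The output is only a starting point for a human review: the SpyMng driver the helper also removed has a valid timestamp and a .sys image, so no mechanical rule of this kind would have caught it on its own.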
log
ComboFix 08-02.01.5 - Administrator 2008-02-03 13:07:41.2 - NTFSx86 MINIMAL
Systém Microsoft Windows XP Professional 5.1.2600.2.1250.1.1029.18.836 [GMT 1:00]
Running from: C:\Documents and Settings\Administrator\Plocha\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Plocha\CFScript.txt
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
FILE
C:\sysalio.exe
C:\WINDOWS\dellstat.ini
C:\WINDOWS\iun6002.exe
C:\WINDOWS\system32\drivers\hwixfwlz.dat
C:\WINDOWS\system32\mswrcrt.dll
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\sysalio.exe
C:\WINDOWS\dellstat.ini
C:\WINDOWS\iun6002.exe
C:\WINDOWS\system32\ati2ksag.sys . . . . failed to delete
C:\WINDOWS\system32\cryptsv.dll
C:\WINDOWS\system32\drivers\hwixfwlz.dat
C:\WINDOWS\system32\drivers\runtime2.sys
C:\WINDOWS\system32\drivers\SpyMng.sys
C:\WINDOWS\system32\hrpdcf.bin . . . . failed to delete
C:\WINDOWS\system32\mswrcrt.dll
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\LEGACY_SPYMNG
-------\SpyMng
((((((((((((((((((((((((( Files Created from 2008-01-03 to 2008-02-03 )))))))))))))))))))))))))))))))
.
2008-01-16 15:21 . 2008-01-16 15:21 300,048 --a------ C:\WINDOWS\system32\drivers\amon.sys
2008-01-16 15:21 . 2008-01-16 15:21 245,760 --a------ C:\WINDOWS\system32\imon.dll
2008-01-16 15:21 . 2008-01-16 15:21 114,688 --a------ C:\WINDOWS\system32\nms32.dll
2008-01-16 09:36 . 2008-01-16 09:36 138,624 --a------ C:\WINDOWS\system32\drivers\sp_rsdrv2.sys
2008-01-16 09:30 . 2008-01-16 09:36 <DIR> d-------- C:\Program Files\WinClamAVShield
2008-01-16 09:26 . 2008-01-16 10:48 <DIR> d-------- C:\Program Files\Crawler
2008-01-16 09:25 . 2008-01-30 14:30 <DIR> d-------- C:\Program Files\Spyware Terminator
2008-01-16 09:10 . 2008-01-16 14:51 <DIR> d-------- C:\Program Files\Common Files\SuspenzorPC
2008-01-09 16:03 . 2008-01-09 16:03 <DIR> d-------- C:\Program Files\Jasc Software Inc
2008-01-09 16:03 . 2008-01-09 16:03 <DIR> d-------- C:\Program Files\Dell Computer
2008-01-09 16:02 . 2008-01-09 16:03 <DIR> d-------- C:\Program Files\Dell Photo Printer 720
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-15 14:02 --------- d-----w C:\Program Files\ICQ6
2008-01-06 10:56 --------- d-----w C:\Program Files\ICQToolbar
2007-12-28 10:09 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-26 15:38 --------- d-----w C:\Program Files\DIFX
2007-12-26 15:38 --------- d-----w C:\Program Files\Common Files\PCSuite
2007-12-26 15:38 --------- d-----w C:\Program Files\Common Files\Nokia
2007-12-26 15:37 --------- d-----w C:\Program Files\PC Connectivity Solution
2007-12-19 10:57 --------- d-----w C:\Program Files\GIMP-2.0
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-17 16:49 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 18:42 32768]
"WinampAgent"="D:\programky\Winamp\winampa.exe" [2005-10-27 00:01 33792]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-11 22:12 49152]
"PCSuiteTrayApplication"="D:\programky\nokia\Nokia PC Suite 6\LaunchApplication.exe" [2007-03-23 13:20 227328]
"Salestart(3)"="C:\Program Files\Common Files\SuspenzorPC\mc.exe" [2007-11-07 18:12 429056]
"SpywareTerminator"="C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe" [2008-01-16 09:29 2776576]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2008-01-16 15:21 851968]
"SpyMng"="D:\programky\záznamspy\SpyManager20.exe" [ ]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-17 16:49 15360]
"Nokia.PCSync"="D:\programky\nokia\Nokia PC Suite 6\PcSync2.exe" [2007-03-27 15:58 1744896]
R0 viamraid;viamraid;C:\WINDOWS\system32\drivers\viamraid.sys [2005-07-12 22:21]
R1 sp_rsdrv2;Spyware Terminator Driver 2;C:\WINDOWS\system32\drivers\sp_rsdrv2.sys [2008-01-16 09:36]
R1 SpyMng;SpyMng;C:\WINDOWS\system32\Drivers\SpyMng.sys []
R3 PSched;Plánovač paketů technologie QoS;C:\WINDOWS\system32\DRIVERS\psched.sys [2004-08-04 00:04]
S0 jmbdltdh;jmbdltdh;C:\WINDOWS\system32\drivers\hwixfwlz.dat []
S3 ICDSX;Sony IC Recorder (SX);C:\WINDOWS\system32\Drivers\ICDSX.sys [2003-10-01 17:44]
S3 kbeepm;kbeepm;C:\DOCUME~1\ELEVEN~1\LOCALS~1\Temp\kbeepm.sys []
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{df9045c8-bc5a-11dc-990a-0050fc7d54f3}]
\Shell\AutoRun\command - EXPLORER.EXE
\Shell\explore\Command - EXPLORER.EXE
\Shell\open\Command - EXPLORER.EXE
*Newly Created Service* - SPYMNG
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-03 13:14:43
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\system32\lsass.exe [5.01.2600.2180]
-> C:\WINDOWS\system32\imon.dll
-> C:\Program Files\Eset\pr_imon.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
D:\programky\Winamp\winampa.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
D:\programky\nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\Common Files\SuspenzorPC\mc.exe
C:\Program Files\Eset\nod32kui.exe
D:\programky\záznamspy\SpyManager20.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
.
**************************************************************************
.
Completion time: 2008-02-03 13:15:48 - machine was rebooted [Elevencards]
ComboFix-quarantined-files.txt 2008-02-03 12:15:36
ComboFix2.txt 2008-02-01 07:07:09
So hopefully it's fine now, thanks a lot for now.