Nemozem menit registre!

Mam windows XP, cerstvu instalaciu, a vzdy ked nieco zmenim v registroch *(napr cestu k mojim dokumentom na inu, programy ktore startuju s winom) tak sa nic z toho neulozi a po restarte je to tak ako bolo....


Co stym ?????????????????

BTW: je to professional, som admin, mam vsetky patche na win (critical i recondemmed)

Poprosím log z HijackThis, návod ako na to je tu:
http://www.pcforum.sk/postup-pri-cisteni-napadnuteho-pc-vt17087.html

Ten som pozeral medzi prvymi ale nic podozrive som nenasiel


Logfile of HijackThis v1.99.1
Scan saved at 14:39:07, on 13.8.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\Dit.exe
C:\Program Files\A4Tech\Mouse\Amoumain.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\WINDOWS\system32\taskswitch.exe
C:\WINDOWS\StartupMonitor.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Xfire\xfire.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\FlashGet\flashget.exe
C:\Program Files\Electronic Arts\Command & Conquer 3\CNC3.exe
C:\Program Files\Electronic Arts\Command & Conquer 3\RetailExe\1.6\cnc3game.dat
C:\Program Files\Leaf Networks\Leaf 2006\bin\Leaf 2006.exe
C:\Documents and Settings\iCeFiRe_SR\Desktop\hijackthis_sfx(2).exe
C:\Program Files\HijackThis\HijackThis.exe

O2 - BHO: Octh Class - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: IeCatch5 Class - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: GetRight IE Download Helper - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: gFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\PROGRA~1\FlashGet\getflash.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [Dit] Dit.exe
O4 - HKLM\..\Run: [WheelMouse] C:\Program Files\A4Tech\Mouse\Amoumain.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [Run StartupMonitor] StartupMonitor.exe
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe" -H
O4 - HKLM\..\Run: [RivaTunerStartupDaemon] "C:\Program Files\RivaTuner v2.02\RivaTuner.exe" /S
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [Infium] "C:\DOCUME~1\ICEFIR~1\LOCALS~1\Temp\Rar$EX00.250\infium.exe"
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\xfire.exe
O4 - Global Startup: GetRight - Tray Icon.lnk = C:\Program Files\GetRight\getright.exe
O4 - Global Startup: Orbit.lnk = C:\Program Files\Orbitdownloader\orbitdm.exe
O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.sk/buxus/docs/OnlineScanner.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

Sú tam programy, ktoré nezaraďujem medzi zrovna tie najlepšie. Prečo ti beží infium.exe z tempu? Toto poznáš: hijackthis_sfx(2).exe ?

infium som este nestihol nainstalovat a to druhe je iba rozbalovaci archiv hijact this (2x som to stahoval) takze este nejake napady??

Stiahni MWAV a preskenuj celý PC --->
ftp://ftp.microworldsystems.com/download/tools/mwav.exe

Treba to mať aktualizované.


Potom vlož log z poľa "Informace o nalezených hrozbách".

Diky za radu naslo zopar veci ALE kedze to nemam kupene nevylieci ich (som myslel ze je to free ) tu je log, skenoval som cely komp so vsetkymi moznostami :
Objekt "flashget Unclassified" nalezen v souborovém systému! Provedené akce: Nic nebylo provedeno.
Objekt "killavObjekt "savenow Adware" nalezen v souborovém systému! Provedené akce: Nic nebylo provedeno.
Objekt "holistyc Dialer" nalezen v souborovém systému! Provedené akce: Nic nebylo provedeno.
Záznam "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" odkazuje na neplatný objekt "C:\Program Files\Cyberlink\PowerDVD\Sim". Provedené akce: Nic nebylo provedeno.
Záznam "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" odkazuje na neplatný objekt ".BfME2Replay". Provedené akce: Nic nebylo provedeno.
Záznam "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" odkazuje na neplatný objekt ".mds". Provedené akce: Nic nebylo provedeno.
Záznam "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" odkazuje na neplatný objekt ".srt". Provedené akce: Nic nebylo provedeno.
Záznam "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" odkazuje na neplatný objekt "KB884020". Provedené akce: Nic nebylo provedeno.
Záznam "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" odkazuje na neplatný objekt "KB886677". Provedené akce: Nic nebylo provedeno.
Záznam "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" odkazuje na neplatný objekt "KB894395". Provedené akce: Nic nebylo provedeno.
Záznam "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" odkazuje na neplatný objekt "KB896256". Provedené akce: Nic nebylo provedeno.
Záznam "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" odkazuje na neplatný objekt "KB896344". Provedené akce: Nic nebylo provedeno.
Záznam "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" odkazuje na neplatný objekt "KB897338". Provedené akce: Nic nebylo provedeno.
Záznam "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" odkazuje na neplatný objekt "KB897663". Provedené akce: Nic nebylo provedeno.
Záznam "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" odkazuje na neplatný objekt "KB903234". Provedené akce: Nic nebylo provedeno.
Záznam "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" odkazuje na neplatný objekt "KB906569". Provedené akce: Nic nebylo provedeno.
Záznam "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" odkazuje na neplatný objekt "KB909520". Provedené akce: Nic nebylo provedeno.
Záznam "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" odkazuje na neplatný objekt "KB910437". Provedené akce: Nic nebylo provedeno.
Záznam "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" odkazuje na neplatný objekt "KB912461". Provedené akce: Nic nebylo provedeno.
Záznam "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" odkazuje na neplatný objekt "KB912817". Provedené akce: Nic nebylo provedeno.
Záznam "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" odkazuje na neplatný objekt "KB917021". Provedené akce: Nic nebylo provedeno.
Záznam "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" odkazuje na neplatný objekt "KB918005". Provedené akce: Nic nebylo provedeno.
Záznam "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" odkazuje na neplatný objekt "KB922120". Provedené akce: Nic nebylo provedeno.
Záznam "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" odkazuje na neplatný objekt "KB923800". Provedené akce: Nic nebylo provedeno.
Záznam "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" odkazuje na neplatný objekt "KB923845". Provedené akce: Nic nebylo provedeno.
Záznam "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" odkazuje na neplatný objekt "KB927544". Provedené akce: Nic nebylo provedeno.
Záznam "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" odkazuje na neplatný objekt "KB927891". Provedené akce: Nic nebylo provedeno.
Záznam "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" odkazuje na neplatný objekt "KB932590". Provedené akce: Nic nebylo provedeno.
Záznam "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" odkazuje na neplatný objekt "KB932662". Provedené akce: Nic nebylo provedeno.
Záznam "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" odkazuje na neplatný objekt "KB933612". Provedené akce: Nic nebylo provedeno.
Záznam "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" odkazuje na neplatný objekt "KB933811". Provedené akce: Nic nebylo provedeno.
Záznam "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" odkazuje na neplatný objekt "KB935843". Provedené akce: Nic nebylo provedeno.
Záznam "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" odkazuje na neplatný objekt "KB936357". Provedené akce: Nic nebylo provedeno.
Záznam "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" odkazuje na neplatný objekt "{BFD080F6-3BF0-40E1-9507-9CA969C35870}". Provedené akce: Nic nebylo provedeno.
Záznam "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" odkazuje na neplatný objekt "{C098DAEC-29EF-4A59-B18E-0E950169CA3C}". Provedené akce: Nic nebylo provedeno.
Záznam "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" odkazuje na neplatný objekt "{FCE65C4E-B0E8-4FBD-AD16-EDCBE6CD591F}". Provedené akce: Nic nebylo provedeno.
Záznam "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" odkazuje na neplatný objekt "{FE9126DB-5F84-495A-BB46-3C724F1C2D08}". Provedené akce: Nic nebylo provedeno.
Soubor D:\Moje dokumenty\desktop.ini je infikovaný virem VB.CO.Leftover !! Provedené akce: Nic nebylo provedeno.


BTW: neviem ako sa to tam dostalo mal som cesrtvy Win aaaaaaaa

Žiadne strachy kámo, aviro901 si s tým poradí.


Stiahni CCleaner a prečisti celý PC: http://www.ccleaner.com

Pri inštalácii programu CCleaner odškrtni CCleaner Yahoo Toolbar !!!



Stiahni Avenger: http://swandog46.geekstogo.com/avenger.exe

Spustiť – „Input script manually“ – Lupa – Skopírovať kód – „Done“ – Semafor – Potvrdiť – Nasleduje reštart PC

Pri starte:
Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\hvhedeqt

*******************

Script file located at: boqalgou

Could not open script file! Error

Could not open script file! Status: 0xc000003b Abort!

Vymazal som to manualne cez unlocker, ale neviem ci to bolo vsetko, ci este nieco nemam bo ten program co to zistoval bol share nie?

Postupoval si presne podľa návodu?

jasan ja sa dost vyznam

Skús to napísať ručne a bez medzier.

Files to delete:
D:\Moje dokumenty\desktop.ini

Ak nepôjde, tak v núdzovom režime.

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\ptstkpxc

*******************

Script file located at: \??\C:\Documents and Settings\rcueebbv.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:



Could not open file D:\Moje dokumenty\desktop.ini for deletion
Deletion of file D:\Moje dokumenty\desktop.ini failed!

Could not process line:
D:\Moje dokumenty\desktop.ini
Status: 0xc000003a


Completed script processing.

*******************

Finished! Terminate.

Asi preto ze som to dal rucne prec

ale STALE NEMOZEM MENIT REGISTER

pustil som aj SmitFraudFix a SDFix

Stiahni ComboFix –->
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Riaď sa inštrukciami na obrazovke, neklikaj, počítač môže byť reštartovaný.


Chcem ten véééľkýý log.

dklu pripadam si ako pokusny kralik este mi bezi sdfix nasiel sam seba ako riskware

Poznámka: Oba nástroje sa používajú v núdzovom režime.

ComboFix 07-08-09.3 - "iCeFiRe_SR" 2007-08-13 22:20:18.1 - NTFSx86
Syst‚m Microsoft Windows XP Professional 5.1.2600.2.1250.1.1033.18.403 [GMT 2:00]


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\regedit.com
C:\WINDOWS\system32\_000003_.tmp.dll
C:\WINDOWS\system32\_000013_.tmp.dll
C:\WINDOWS\system32\_000026_.tmp.dll
C:\WINDOWS\system32\_000111_.tmp.dll
C:\WINDOWS\system32\taskmgr.com


((((((((((((((((((((((((( Files Created from 2007-07-13 to 2007-08-13 )))))))))))))))))))))))))))))))


2007-08-13 22:17 <DIR> d-------- C:\DOCUME~1\ICEFIR~1\APPLIC~1\GetRight
2007-08-13 21:58 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-08-13 21:58 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-08-13 21:58 1,318 --a------ C:\WINDOWS\system32\tmp.reg
2007-08-13 17:43 <DIR> d-a------ C:\WINDOWS\zts2.exe
2007-08-13 17:43 <DIR> d-a------ C:\WINDOWS\system32\vcmgcd32.dll
2007-08-13 17:43 <DIR> d-a------ C:\WINDOWS\system32\iifgfgf.dll
2007-08-13 17:43 <DIR> d-a------ C:\WINDOWS\rundll16.exe
2007-08-13 17:43 <DIR> d-a------ C:\WINDOWS\rundl132.dll
2007-08-13 17:43 <DIR> d-a------ C:\WINDOWS\logo1_.exe
2007-08-13 17:42 146,432 --a------ C:\WINDOWS\R.COM
2007-08-13 17:42 135,680 --a------ C:\WINDOWS\system32\T.COM
2007-08-13 11:07 3,327 --a------ C:\WINDOWS\system32\sdbackup.reg
2007-08-13 10:58 <DIR> d-------- C:\Program Files\Orbitdownloader
2007-08-13 10:58 <DIR> d-------- C:\DOCUME~1\ICEFIR~1\APPLIC~1\Orbit
2007-08-13 10:40 <DIR> d-------- C:\Program Files\FlashGet
2007-08-12 22:46 <DIR> d-------- C:\DOCUME~1\ICEFIR~1\APPLIC~1\Media Player Classic
2007-08-12 20:27 512,096 --a------ C:\WINDOWS\system32\drivers\amon.sys
2007-08-12 20:27 298,104 --a------ C:\WINDOWS\system32\imon.dll
2007-08-12 20:27 15,424 --a------ C:\WINDOWS\system32\drivers\nod32drv.sys
2007-08-12 20:05 <DIR> d-------- C:\WINDOWS\system32\appmgmt
2007-08-12 19:56 <DIR> d-------- C:\Program Files\EsetOnlineScanner
2007-08-12 19:45 <DIR> d-------- C:\Program Files\Lavasoft
2007-08-12 19:45 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-08-12 19:41 <DIR> d-------- C:\Program Files\MSXML 6.0
2007-08-12 19:39 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-08-12 19:13 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\Xfire
2007-08-12 17:59 <DIR> d-------- C:\Program Files\Electronic Arts
2007-08-12 17:56 765,952 --a------ C:\WINDOWS\system32\xvidcore.dll
2007-08-12 17:56 740,442 --a------ C:\WINDOWS\system32\divx.dll
2007-08-12 17:56 73,728 --a------ C:\WINDOWS\system32\dpl100.dll
2007-08-12 17:56 7,680 --a------ C:\WINDOWS\system32\ff_vfw.dll
2007-08-12 17:56 3,596,288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2007-08-12 17:56 217,088 --a------ C:\WINDOWS\system32\yv12vfw.dll
2007-08-12 17:56 180,224 --a------ C:\WINDOWS\system32\xvidvfw.dll
2007-08-12 17:56 163,840 --a------ C:\WINDOWS\system32\unrar.dll
2007-08-12 17:56 <DIR> d-------- C:\Program Files\K-Lite Codec Pack
2007-08-12 17:54 <DIR> d-------- C:\DOCUME~1\NETWOR~1\APPLIC~1\Xfire
2007-08-12 17:53 <DIR> d-------- C:\Program Files\DAEMON Tools
2007-08-12 17:51 682,232 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2007-08-12 17:47 <DIR> d-------- C:\Program Files\CCleaner
2007-08-12 17:44 <DIR> d-------- C:\Program Files\Leaf Networks
2007-08-12 17:42 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\PC Suite
2007-08-12 17:41 90,624 --a------ C:\WINDOWS\system32\nmwcdcls.dll
2007-08-12 17:41 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2007-08-12 17:41 <DIR> d-------- C:\Program Files\PC Connectivity Solution
2007-08-12 17:41 <DIR> d-------- C:\Program Files\Nokia
2007-08-12 17:41 <DIR> d-------- C:\Program Files\Lock Folder XP 3.2
2007-08-12 17:41 <DIR> d-------- C:\Program Files\DIFX
2007-08-12 17:41 <DIR> d-------- C:\Program Files\Common Files\PCSuite
2007-08-12 17:41 <DIR> d-------- C:\Program Files\Common Files\Nokia
2007-08-12 17:41 <DIR> d-------- C:\DOCUME~1\ICEFIR~1\APPLIC~1\PC Suite
2007-08-12 17:41 <DIR> d-------- C:\DOCUME~1\ICEFIR~1\APPLIC~1\Nokia
2007-08-12 17:40 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Installations
2007-08-12 17:39 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\CyberLink
2007-08-12 17:38 <DIR> d-------- C:\Program Files\CyberLink
2007-08-12 17:36 <DIR> d-------- C:\Program Files\PowerISO
2007-08-12 17:29 62,592 -----c--- C:\WINDOWS\system32\dllcache\cdrom.sys
2007-08-12 17:29 464,384 -----c--- C:\WINDOWS\system32\dllcache\imapi2fs.dll
2007-08-12 17:29 464,384 --------- C:\WINDOWS\system32\imapi2fs.dll
2007-08-12 17:29 382,464 --a------ C:\WINDOWS\system32\qmgr.dll
2007-08-12 17:29 317,952 -----c--- C:\WINDOWS\system32\dllcache\imapi2.dll
2007-08-12 17:29 317,952 --------- C:\WINDOWS\system32\imapi2.dll
2007-08-12 17:29 178,176 -----c--- C:\WINDOWS\system32\dllcache\repdrvfs.dll
2007-08-12 17:29 <DIR> d-------- C:\WINDOWS\system32\bits
2007-08-12 17:28 86,528 -----c--- C:\WINDOWS\system32\dllcache\directdb.dll
2007-08-12 17:28 85,504 -----c--- C:\WINDOWS\system32\dllcache\wabimp.dll
2007-08-12 17:28 510,976 -----c--- C:\WINDOWS\system32\dllcache\wab32.dll
2007-08-12 17:28 144,896 -----c--- C:\WINDOWS\system32\dllcache\schannel.dll
2007-08-12 17:28 1,314,816 -----c--- C:\WINDOWS\system32\dllcache\msoe.dll
2007-08-12 17:27 96,256 -----c--- C:\WINDOWS\system32\dllcache\inseng.dll
2007-08-12 17:27 81,768 --a------ C:\WINDOWS\system32\xinput1_3.dll
2007-08-12 17:27 665,600 -----c--- C:\WINDOWS\system32\dllcache\wininet.dll
2007-08-12 17:27 62,744 --a------ C:\WINDOWS\system32\xinput1_2.dll
2007-08-12 17:27 616,960 -----c--- C:\WINDOWS\system32\dllcache\urlmon.dll
2007-08-12 17:27 55,808 -----c--- C:\WINDOWS\system32\dllcache\extmgr.dll
2007-08-12 17:27 532,480 -----c--- C:\WINDOWS\system32\dllcache\mstime.dll
2007-08-12 17:27 474,112 -----c--- C:\WINDOWS\system32\dllcache\shlwapi.dll
2007-08-12 17:27 449,024 -----c--- C:\WINDOWS\system32\dllcache\mshtmled.dll
2007-08-12 17:27 443,752 --a------ C:\WINDOWS\system32\d3dx10_34.dll
2007-08-12 17:27 443,752 --a------ C:\WINDOWS\system32\d3dx10_33.dll
2007-08-12 17:27 39,424 -----c--- C:\WINDOWS\system32\dllcache\pngfilt.dll
2007-08-12 17:27 357,888 -----c--- C:\WINDOWS\system32\dllcache\dxtmsft.dll
2007-08-12 17:27 3,497,832 --a------ C:\WINDOWS\system32\d3dx9_34.dll
2007-08-12 17:27 3,495,784 --a------ C:\WINDOWS\system32\d3dx9_33.dll
2007-08-12 17:27 3,426,072 --a------ C:\WINDOWS\system32\d3dx9_32.dll
2007-08-12 17:27 3,064,320 -----c--- C:\WINDOWS\system32\dllcache\mshtml.dll
2007-08-12 17:27 266,088 --a------ C:\WINDOWS\system32\xactengine2_8.dll
2007-08-12 17:27 261,480 --a------ C:\WINDOWS\system32\xactengine2_7.dll
2007-08-12 17:27 255,848 --a------ C:\WINDOWS\system32\xactengine2_6.dll
2007-08-12 17:27 251,904 -----c--- C:\WINDOWS\system32\dllcache\iepeers.dll
2007-08-12 17:27 251,672 --a------ C:\WINDOWS\system32\xactengine2_5.dll
2007-08-12 17:27 237,848 --a------ C:\WINDOWS\system32\xactengine2_4.dll
2007-08-12 17:27 236,824 --a------ C:\WINDOWS\system32\xactengine2_3.dll
2007-08-12 17:27 209,280 --a------ C:\WINDOWS\system32\drivers\update.sys
2007-08-12 17:27 205,312 -----c--- C:\WINDOWS\system32\dllcache\dxtrans.dll
2007-08-12 17:27 2,414,360 --a------ C:\WINDOWS\system32\d3dx9_31.dll
2007-08-12 17:27 2,297,552 --a------ C:\WINDOWS\system32\d3dx9_26.dll
2007-08-12 17:27 18,432 -----c--- C:\WINDOWS\system32\dllcache\iedw.exe
2007-08-12 17:27 18,280 --a------ C:\WINDOWS\system32\x3daudio1_2.dll


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-13 11:07 3327 --a------ C:\WINDOWS\system32\sdbackup.reg
2007-08-12 17:37 505392 --a------ C:\WINDOWS\system32\msvcp71.dll
2007-06-13 11:10 77824 --a------ C:\WINDOWS\system32\OnlineScannerUninstaller.exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Dit"="Dit.exe" [2004-01-29 09:31 C:\WINDOWS\Dit.exe]
"WheelMouse"="C:\Program Files\A4Tech\Mouse\Amoumain.exe" [2006-02-17 11:14]
"Smapp"="C:\Program Files\Analog Devices\SoundMAX\SMTray.exe" [2003-05-05 08:57]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-04-19 13:26]
"CoolSwitch"="C:\WINDOWS\system32\taskswitch.exe" [2002-03-19 17:30]
"Run StartupMonitor"="StartupMonitor.exe" [2000-05-20 17:23 C:\WINDOWS\StartupMonitor.exe]
"UnlockerAssistant"="C:\Program Files\Unlocker\UnlockerAssistant.exe" [2006-09-07 19:19]
"RivaTunerStartupDaemon"="C:\Program Files\RivaTuner v2.02\RivaTuner.exe" [2007-07-01 21:20]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2007-08-12 20:27]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2007-04-04 00:29]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Nokia.PCSync"=C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog

C:\Documents and Settings\iCeFiRe_SR\Start Menu\Programs\Startup\
Xfire.lnk - C:\Program Files\Xfire\xfire.exe [2007-08-06 20:25:14]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsMenu"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"CTFMON.EXE"=C:\WINDOWS\system32\ctfmon.exe
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
"Leaf 2006"=C:\Program Files\Leaf Networks\Leaf 2006\bin\Leaf 2006.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
"LanguageShortcut"="C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
"PCSuiteTrayApplication"=C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
"nwiz"=nwiz.exe /install
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
"NvMediaCenter"=RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

R0 viamraid;viamraid;C:\WINDOWS\system32\DRIVERS\viamraid.sys
R0 videX32;videX32;C:\WINDOWS\system32\DRIVERS\videX32.sys
R1 nod32drv;nod32drv;C:\WINDOWS\system32\drivers\nod32drv.sys
R2 {95808DC4-FA4A-4c74-92FE-5B863F82066B};{95808DC4-FA4A-4c74-92FE-5B863F82066B};\??\C:\Program Files\CyberLink\PowerDVD\000.fcl
R2 lf;lf;\??\C:\Program Files\Lock Folder XP 3.2\UniShieldXP.sys
R2 SoundMAX Agent Service (default);SoundMAX Agent Service;C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
R2 UxTuneUp;TuneUp Theme Extension;C:\WINDOWS\System32\svchost.exe -k netsvcs
R3 CardReaderFilter;Card Reader Filter;\??\C:\WINDOWS\system32\Drivers\USBCRFT.SYS
R3 leafnets;Leaf Networks Adapter;C:\WINDOWS\system32\DRIVERS\leafnets.sys
R3 PSched;QoS Packet Scheduler;C:\WINDOWS\system32\DRIVERS\psched.sys
R3 RivaTuner32;RivaTuner32;\??\C:\Program Files\RivaTuner v2.02\RivaTuner32.sys
S2 rspndr;Link-Layer Topology Discovery Responder;C:\WINDOWS\system32\DRIVERS\rspndr.sys
S3 FwHookDrv;FwHookDrv;\??\C:\WINDOWS\system32\drivers\FwHookDrv.sys
S3 idsvc;Windows CardSpace;"C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe"
S3 nm;Network Monitor Driver;C:\WINDOWS\system32\DRIVERS\NMnt.sys
S3 WPRO_40_755;WinPcap Packet Driver (WPRO_40_755);C:\WINDOWS\system32\drivers\WPRO_40_755.sys
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service;"C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe"

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
Schedule
UxTuneUp


Contents of the 'Scheduled Tasks' folder
2007-08-12 15:15:17 C:\WINDOWS\Tasks\1-Click Maintenance.job - C:\Program Files\TuneUp Utilities 2007\SystemOptimizer.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-14 12:01:33
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-14 12:03:16 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-08-14 12:03

--- E O F ---

Šmejdy útočia, aviro901 vracia úder.

Stiahni Avenger -–>
http://swandog46.geekstogo.com/avenger.exe

Spustiť – „Input script manually“ – Lupa – Skopírovať kód – „Done“ – Semafor – Potvrdiť – Nasleduje reštart PC




Súbory mi aj pošli na threat.samples@gmail.com

Ďakujem

Dakujem ja : log
Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\scntxlky

*******************

Script file located at: \??\C:\WINDOWS\system32\pinuoydb.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINDOWS\system32\SrchSTS.exe deleted successfully.
File C:\WINDOWS\system32\tmp.reg deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

BTW:registre nemozem menit stale

Začínam robiť záver, že šmejdom to nebude.

Možno nejaký rootkit ešte, inak neviem. Nie je to len niekde v nastaveniach zakázané?

Este som sa nestretol s nicim co by mohlo kompletne zablokovat registre, po instalacke som dal akurat vsetky updaty na OS a zopar programov (a.k.a winamp atd).... TAK NEVIEM

ASI REINSTAL?

Ahoj,
skus si vytvorit uplne novy ucet s pravami administratora a skus to cez ten.
Vypni obnovenie systemu.

diky skusim obnovenie mam tak ci tak vzdy vypnute...

btw:nestratim tym nastavenia?

Nie, starý účet zostáva.

Sice zostava ale vsetky nastavenia su v ****. Inac to nepomohlo, nemozem ich stale menit . Mne sa vazne nechce dat znova reinstall winu ked tam uz vsetko mam pokope.

Robí to hneď od čerstvej inštalácie?