Poprosim kontrolu logu

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:15:55, on 22. 8. 2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Podpora odkazu pro Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\RunOnce: [NoIE4StubProcessing] C:\Windows\system32\reg.exe DELETE "HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components" /v "NoIE4StubProcessing" /f
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O13 - Gopher Prefix:
O17 - HKLM\System\CCS\Services\Tcpip\..\{FEC13D50-3318-45E6-8047-CE42C351EDBE}: NameServer = 195.146.128.62 195.146.132.59
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

--
End of file - 3327 bytes

ok

Este prikladam Combofix lebo zas zmrzol:
ComboFix 08-08-21.02 - Cibicek 2008-08-23 11:26:00.1 - NTFSx86
Microsoft® Windows Vista™ Home Basic 6.0.6001.1.1250.1.1051.18.196 [GMT 2:00]
Running from: C:\Users\Cibicek\Desktop\SysInspectors\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-07-23 to 2008-08-23 )))))))))))))))))))))))))))))))
.

No new files created in this timespan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-23 09:26 --------- d-----w C:\Users\Cibicek\AppData\Roaming\uTorrent
2008-08-22 21:15 --------- d-----w C:\Program Files\Trend Micro
2008-08-22 19:16 --------- d-----w C:\ProgramData\Spybot - Search & Destroy
2008-08-21 20:28 --------- d-----w C:\Users\Cibicek\AppData\Roaming\Skype
2008-08-21 19:28 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-20 20:08 --------- d-----w C:\Program Files\Windows Doctor
2008-08-20 11:11 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-08-20 10:33 --------- d-----w C:\Program Files\Common Files\Adobe
2008-08-20 09:16 --------- d-----w C:\Program Files\Lightsmark 2008
2008-08-18 18:30 --------- d-----w C:\Program Files\EA GAMES
2008-08-18 09:01 0 ---ha-w C:\Windows\system32\drivers\Msft_User_WpdFs_01_00_00.Wdf
2008-08-17 17:52 --------- d-----w C:\ProgramData\ashampoo
2008-08-17 17:52 --------- d-----w C:\Program Files\Ashampoo
2008-08-17 14:56 --------- d-----w C:\Program Files\Jowood
2008-08-17 14:54 --------- d-----w C:\Program Files\Opera
2008-08-17 11:29 --------- d-----w C:\Program Files\OpenOffice.org 2.4
2008-08-17 10:45 --------- d-----w C:\Users\Cibicek\AppData\Roaming\Thunderbird
2008-08-17 09:22 --------- d-----w C:\Program Files\AusLogics Disk Defrag
2008-08-16 23:20 --------- d-----w C:\Program Files\THQ
2008-08-16 22:46 --------- d-----w C:\ProgramData\NVIDIA
2008-08-16 22:44 174 --sha-w C:\Program Files\desktop.ini
2008-08-16 22:35 --------- d-----w C:\Program Files\Windows Sidebar
2008-08-16 22:35 --------- d-----w C:\Program Files\Windows Photo Gallery
2008-08-16 22:35 --------- d-----w C:\Program Files\Windows Mail
2008-08-16 22:35 --------- d-----w C:\Program Files\Windows Defender
2008-08-16 22:35 --------- d-----w C:\Program Files\Windows Collaboration
2008-08-16 22:35 --------- d-----w C:\Program Files\Windows Calendar
2008-08-16 22:11 82,432 ----a-w C:\Windows\System32\axaltocm.dll
2008-08-16 22:11 101,888 ----a-w C:\Windows\System32\ifxcardm.dll
2008-08-16 21:32 --------- d-----w C:\ProgramData\Avira
2008-08-16 21:32 --------- d-----w C:\Program Files\Avira
2008-08-16 21:19 1 ----a-w C:\DXOkay.bin
2008-08-16 21:07 --------- d-----w C:\Program Files\Sierra
2008-08-16 21:06 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-08-16 20:54 --------- d-----w C:\Program Files\CCleaner
2008-08-16 20:38 --------- d-----w C:\Users\Cibicek\AppData\Roaming\GRETECH
2008-08-16 20:36 --------- d-----w C:\Program Files\GRETECH
2008-08-16 20:35 --------- d-----w C:\Program Files\Lavalys
2008-08-16 20:29 --------- d-----w C:\Program Files\Mozilla Thunderbird
2008-08-16 20:16 --------- d-----w C:\Program Files\DAEMON Tools Lite
2008-08-16 20:11 --------- d-----w C:\Program Files\7-Zip
2008-08-16 20:07 --------- d-----w C:\Program Files\Google
2008-08-16 19:57 --------- d-----w C:\Users\Cibicek\AppData\Roaming\Ashampoo
2008-08-16 19:56 717,296 ----a-w C:\Windows\system32\drivers\sptd.sys
2008-08-16 19:56 --------- d-----w C:\Users\Cibicek\AppData\Roaming\DAEMON Tools
2008-08-16 19:56 --------- d-----w C:\ProgramData\Skype
2008-08-16 19:56 --------- d-----w C:\Program Files\Skype
2008-08-16 19:55 --------- d-----w C:\Program Files\Alwil Software
2008-08-16 19:30 269,312 ----a-w C:\Windows\System32\es.dll
2008-08-16 19:13 61,440 ----a-w C:\Windows\System32\winipsec.dll
2008-08-16 19:13 361,984 ----a-w C:\Windows\System32\IPSECSVC.DLL
2008-08-16 19:13 28,672 ----a-w C:\Windows\System32\FwRemoteSvr.dll
2008-08-16 19:13 272,896 ----a-w C:\Windows\System32\polstore.dll
2008-08-16 19:10 --------- d-----w C:\Program Files\uTorrent
2008-08-16 19:01 2,048 ----a-w C:\Windows\System32\tzres.dll
2008-08-16 18:46 988,216 ----a-w C:\Windows\System32\winload.exe
2008-08-16 18:46 927,288 ----a-w C:\Windows\System32\winresume.exe
2008-08-16 18:46 615,992 ----a-w C:\Windows\System32\ci.dll
2008-08-16 18:46 6,656 ----a-w C:\Windows\System32\kbd106n.dll
2008-08-16 18:46 46,592 ----a-w C:\Windows\System32\setbcdlocale.dll
2008-08-16 18:46 40,960 ----a-w C:\Windows\System32\srclient.dll
2008-08-16 18:46 378,368 ----a-w C:\Windows\System32\srcore.dll
2008-08-16 18:46 318,464 ----a-w C:\Windows\System32\rstrui.exe
2008-08-16 18:46 19,000 ----a-w C:\Windows\System32\kd1394.dll
2008-08-16 18:46 14,848 ----a-w C:\Windows\System32\srdelayed.exe
2008-08-16 18:44 2,032,128 ----a-w C:\Windows\System32\win32k.sys
2008-08-16 18:43 295,936 ----a-w C:\Windows\System32\gdi32.dll
2008-08-16 18:41 14,848 ----a-w C:\Windows\System32\wshrm.dll
2008-08-16 18:41 113,664 ----a-w C:\Windows\system32\drivers\rmcast.sys
2008-08-16 18:39 540,672 ----a-w C:\Windows\AppPatch\AcLayers.dll
2008-08-16 18:39 458,752 ----a-w C:\Windows\AppPatch\AcSpecfc.dll
2008-08-16 18:39 4,240,384 ----a-w C:\Windows\System32\GameUXLegacyGDFs.dll
2008-08-16 18:39 2,560 ----a-w C:\Windows\AppPatch\AcRes.dll
2008-08-16 18:39 2,153,984 ----a-w C:\Windows\AppPatch\AcGenral.dll
2008-08-16 18:39 173,056 ----a-w C:\Windows\AppPatch\AcXtrnal.dll
2008-08-16 18:39 1,695,744 ----a-w C:\Windows\System32\gameux.dll
2008-08-16 18:38 84,480 ----a-w C:\Windows\System32\INETRES.dll
2008-08-16 18:38 738,304 ----a-w C:\Windows\System32\inetcomm.dll
2008-08-16 18:38 1,314,816 ----a-w C:\Windows\System32\quartz.dll
2008-07-19 05:10 53,448 ----a-w C:\Windows\System32\wuauclt.exe
2008-07-19 05:10 45,768 ----a-w C:\Windows\System32\wups2.dll
2008-07-19 05:10 36,552 ----a-w C:\Windows\System32\wups.dll
2008-07-19 05:09 563,912 ----a-w C:\Windows\System32\wuapi.dll
2008-07-19 05:09 1,811,656 ----a-w C:\Windows\System32\wuaueng.dll
2008-07-19 03:44 83,456 ----a-w C:\Windows\System32\wudriver.dll
2008-07-19 03:44 1,524,736 ----a-w C:\Windows\System32\wucltux.dll
2008-07-18 20:08 163,904 ----a-w C:\Windows\System32\wuwebv.dll
2008-07-18 18:44 31,232 ----a-w C:\Windows\System32\wuapp.exe
2008-06-21 11:49 830,464 ----a-w C:\Windows\System32\wininet.dll
2008-05-27 05:21 1,582,592 ----a-w C:\Windows\System32\tquery.dll
2008-05-27 05:21 1,418,240 ----a-w C:\Windows\System32\mssrch.dll
2008-05-27 05:17 87,552 ----a-w C:\Windows\System32\SearchFilterHost.exe
2008-05-27 05:17 87,552 ----a-w C:\Windows\System32\mssitlb.dll
2008-05-27 05:17 754,176 ----a-w C:\Windows\System32\propsys.dll
2008-05-27 05:17 60,416 ----a-w C:\Windows\System32\msscntrs.dll
2008-05-27 05:17 6,103,040 ----a-w C:\Windows\System32\chtbrkr.dll
2008-05-27 05:17 34,816 ----a-w C:\Windows\System32\msscb.dll
2008-05-27 05:17 32,768 ----a-w C:\Windows\System32\mssprxy.dll
2008-05-27 05:17 313,344 ----a-w C:\Windows\System32\thawbrkr.dll
2008-05-27 05:17 301,568 ----a-w C:\Windows\System32\srchadmin.dll
2006-11-02 12:34 248,320 ----a-w C:\Program Files\mozilla firefox\plugins\mpvis.DLL
2006-11-02 12:34 99,328 ----a-w C:\Program Files\mozilla firefox\plugins\wmpband.dll
2006-11-02 12:34 194,560 ----a-w C:\Program Files\mozilla firefox\plugins\wmpnssci.dll
2006-11-02 12:34 158,720 ----a-w C:\Program Files\mozilla firefox\plugins\wmpsyncmgr.dll
2006-11-02 12:34 16,384 ----a-w C:\Program Files\mozilla firefox\plugins\wmssetup.dll
2006-11-02 12:34 248,320 ----a-w C:\Program Files\opera\program\plugins\mpvis.DLL
2006-11-02 12:34 99,328 ----a-w C:\Program Files\opera\program\plugins\wmpband.dll
2006-11-02 12:34 194,560 ----a-w C:\Program Files\opera\program\plugins\wmpnssci.dll
2006-11-02 12:34 158,720 ----a-w C:\Program Files\opera\program\plugins\wmpsyncmgr.dll
2006-11-02 12:34 16,384 ----a-w C:\Program Files\opera\program\plugins\wmssetup.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-01-19 09:33 1233920]
"uTorrent"="C:\Program Files\uTorrent\uTorrent.exe" [2008-08-16 21:10 267056]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 14:28 266497]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.divxa32"= msaud32_divx.acm

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 22:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
--a------ 2008-07-24 17:02 490952 C:\Program Files\DAEMON Tools Lite\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2007-09-12 05:28 8497696 C:\Windows\System32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2007-09-12 05:28 81920 C:\Windows\System32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvSvc]
--a------ 2007-09-12 05:28 86016 C:\Windows\System32\nvsvc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
--a------ 2008-01-19 09:38 1008184 C:\Program Files\Windows Defender\MSASCui.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{E7A26A12-2A39-46C3-B586-6273D2CDA243}"= UDP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent (TCP-In)
"{04E4D76A-73B1-4378-840A-D09060BDA40C}"= TCP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent (UDP-In)
"{7D5A4C3B-D017-441F-A231-4CD76FBD3439}"= C:\Program Files\Skype\Phone\Skype.exe:Skype
"{1CD50388-FC24-4A73-8079-D5E2F4D2DEAD}"= UDP:C:\Program Files\THQ\S.T.A.L.K.E.R. - Shadow of Chernobyl\bin\XR_3DA.exe:S.T.A.L.K.E.R. - Shadow of Chernobyl (CLI)
"{98CC0581-A963-4C3D-942C-5300362B4EBB}"= TCP:C:\Program Files\THQ\S.T.A.L.K.E.R. - Shadow of Chernobyl\bin\XR_3DA.exe:S.T.A.L.K.E.R. - Shadow of Chernobyl (CLI)
"{ECFE4CBE-F073-49E7-852C-67EFAD4F0B16}"= UDP:C:\Program Files\THQ\S.T.A.L.K.E.R. - Shadow of Chernobyl\bin\dedicated\XR_3DA.exe:S.T.A.L.K.E.R. - Shadow of Chernobyl (SRV)
"{25743821-48BD-4A6B-9E6E-2F01977FA36C}"= TCP:C:\Program Files\THQ\S.T.A.L.K.E.R. - Shadow of Chernobyl\bin\dedicated\XR_3DA.exe:S.T.A.L.K.E.R. - Shadow of Chernobyl (SRV)
"{159EB373-1E19-4275-AAD0-72E7AFB04224}"= UDP:C:\Program Files\EA GAMES\Battlefield 2\BF2.exe:Battlefield 2
"{A2DC1DEF-033E-4ABE-9DF1-457A1758CB10}"= TCP:C:\Program Files\EA GAMES\Battlefield 2\BF2.exe:Battlefield 2

R1 PSched;QoS Packet Scheduler;C:\Windows\system32\DRIVERS\pacer.sys [2008-04-05 03:21]
R2 AntiVirScheduler;Avira AntiVir Personal - Free Antivirus Scheduler;C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe [2008-06-12 14:46]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bccaa23e-6bcf-11dd-8f67-0019dbe5624e}]
\shell\AutoRun\command - B:\setup.exe

*Newly Created Service* - CATCHME
*Newly Created Service* - PROCEXP90
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Users\Cibicek\AppData\Roaming\Mozilla\Firefox\Profiles\y3p2nh71.default\
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\npdrmv2.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\npdsplay.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\npwmsdrm.dll
FF -: plugin - C:\Program Files\Opera\program\plugins\np32dsw.dll
FF -: plugin - C:\Program Files\Opera\program\plugins\npdrmv2.dll
FF -: plugin - C:\Program Files\Opera\program\plugins\npnul32.dll
FF -: plugin - C:\Program Files\Opera\program\plugins\nppdf32.dll
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-23 11:29:31
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-08-23 11:31:00
ComboFix-quarantined-files.txt 2008-08-23 09:30:55

Pre-Run: Systém nenašiel žiadne hlásenie pod číslom 0x2379 v súbore hlásenia Application.
Post-Run: 25,455,837,184 bytes free

194 --- E O F --- 2008-08-21 18:33:59