ComboFix log after running the script ...
ComboFix 08-05-29.1 - Viki a Tanicka 2008-05-30 12:28:24.2 - NTFSx86
Systém Microsoft Windows XP Professional 5.1.2600.2.1250.1.1029.18.507 [GMT 2:00]
Running from: D:\matus\ComboFix.exe
Command switches used :: C:\Documents and Settings\Viki a Tanicka\Plocha\CFScript.txt
* Created a new restore point
* Resident AV is active
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((( Files Created from 2008-04-28 to 2008-05-30 )))))))))))))))))))))))))))))))
.
2008-05-28 20:39 . 2008-05-30 12:20 <DIR> d-------- C:\!KillBox
2008-05-27 15:35 . 2008-05-27 15:35 <DIR> d-------- C:\Program Files\Alwil Software
2008-05-27 12:54 . 2008-05-27 12:57 <DIR> d-------- C:\Program Files\a-squared HiJackFree
2008-05-26 11:44 . 2008-05-30 08:23 186 --a------ C:\MicroSoft.vbs
2008-05-26 11:44 . 2008-05-30 08:23 30 --a------ C:\MicroSoft.bat
2008-05-23 06:53 . 2008-05-23 06:53 <DIR> d-------- C:\Documents and Settings\Viki a Tanicka\Data aplikací\PDFCreator
2008-05-23 06:40 . 2008-05-23 06:47 <DIR> d-------- C:\Program Files\PDFCreator
2008-05-15 19:19 . 2008-05-17 18:51 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-05-15 19:19 . 2008-05-15 19:19 1,409 --a------ C:\WINDOWS\QTFont.for
2008-05-14 13:40 . 2008-05-14 13:40 <DIR> d-------- C:\Documents and Settings\Viki a Tanicka\Data aplikací\ABBYY
2008-05-14 13:34 . 2008-05-14 13:35 <DIR> d-------- C:\Program Files\ABBYY FineReader 7.0 Professional Edition
2008-05-14 13:34 . 2008-05-14 13:34 <DIR> d-------- C:\Documents and Settings\All Users\Data aplikací\ABBYY
2008-05-13 12:55 . 2008-05-13 12:55 <DIR> d-------- C:\Program Files\NIVEAklub
2008-04-25 13:09 . 2008-05-14 16:26 19 --a------ C:\Documents and Settings\Viki a Tanicka\Data aplikací\mdbu.bin
2008-04-25 13:08 . 2008-04-25 13:08 <DIR> d-------- C:\Program Files\HappyFoto
2008-04-19 15:52 . 2008-04-19 16:17 <DIR> d-------- C:\Program Files\ICQ6
2008-04-19 15:51 . 2008-04-19 15:51 <DIR> d-------- C:\Documents and Settings\Viki a Tanicka\Data aplikací\InstallShield
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-30 10:11 9,216 ----a-w C:\WINDOWS\AppPatch\AcXtrnel.dll
2008-05-26 19:30 --------- d-----w C:\Documents and Settings\Viki a Tanicka\Data aplikací\skypePM
2008-05-26 19:30 --------- d-----w C:\Documents and Settings\Viki a Tanicka\Data aplikací\Skype
2008-05-26 09:49 --------- d-----w C:\Program Files\ESET
2008-05-21 18:34 --------- d-----w C:\Program Files\Common Files\Adobe
2008-05-20 13:32 --------- d-----w C:\Documents and Settings\Viki a Tanicka\Data aplikací\uTorrent
2008-05-20 08:50 --------- d-----w C:\Program Files\uTorrent
2008-05-15 06:24 --------- d-----w C:\Documents and Settings\Viki a Tanicka\Data aplikací\ICQ
2008-05-10 09:47 --------- d-----w C:\Program Files\rc10
2008-05-08 10:06 --------- d-----w C:\Program Files\ICQLite
2008-04-19 13:53 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-19 13:53 --------- d-----w C:\Program Files\Opera
2008-04-19 13:50 --------- d-----w C:\Program Files\QIP
2008-03-29 16:37 108,144 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2008-03-29 16:37 --------- d--h--r C:\Documents and Settings\Viki a Tanicka\Data aplikací\SecuROM
2008-02-07 09:52 168,592 ----a-w C:\WINDOWS\FotoFusion Uninstaller.exe
2008-02-06 21:05 271,429 ----a-w C:\WINDOWS\FotoFusionV4 Uninstaller.exe
2008-02-01 21:48 32 ----a-w C:\Documents and Settings\All Users\Data aplikací\ezsid.dat
2008-02-01 20:18 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2008-02-01 19:40 274,432 ----a-w C:\WINDOWS\system32\imon.dll
.
((((((((((((((((((((((((((((( snapshot@2008-05-30_11.49.58,59 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-30 06:06:23 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-30 10:22:05 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2008-05-29 21:57:27 1,925 ----a-w C:\WINDOWS\system32\imon1.dat
+ 2008-05-30 10:21:17 2,863 ----a-w C:\WINDOWS\system32\imon1.dat
- 2008-05-30 06:06:43 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_5d8.dat
+ 2008-05-30 10:22:21 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_5d8.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-17 15:49 15360]
"DAEMON Tools Lite"="C:\Program Files\DAEMON Tools Lite\daemon.exe" [2007-12-29 14:05 486856]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-11-16 20:04 139264]
"ICQ"="C:\Program Files\ICQ6\ICQ.exe" [2008-04-01 12:40 172280]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"ICQ Lite"="C:\Program Files\ICQLite\ICQLite.exe" [2006-07-11 12:06 3144800]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2006-05-01 04:07 843776]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 06:22 7700480]
"nwiz"="nwiz.exe" [2006-10-22 06:22 1622016 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-10-22 06:22 86016]
"MagicRotation"="C:\Program Files\MagicRotation\MagicPvt.exe" [2005-12-26 18:23 1089536]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2008-02-01 21:40 921600]
"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-03-20 18:34 213936]
"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 11:22 155648]
"PaperPort PTD"="C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe" [2004-04-14 15:46 57393]
"IndexSearch"="C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe" [2004-04-14 16:04 40960]
"CloneCDTray"="C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" [2006-09-28 21:21 57344]
"FinePrint Dispatcher v5"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe" [2007-11-07 12:41 507904]
"SetDefPrt"="C:\Program Files\Brother\Brmfl04g\BrStDvPt.exe" [2004-11-11 18:14 49152]
"ControlCenter2.0"="C:\Program Files\Brother\ControlCenter2\brctrcen.exe" [2005-01-07 18:30 864256]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 16:40 155648]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 13:06 40048]
"ICQ Lite"="C:\Program Files\ICQLite\ICQLite.exe" [2006-07-11 12:06 3144800]
"FineReader7NewsReaderPro"="C:\Program Files\ABBYY FineReader 7.0 Professional Edition\AbbyyNewsReader.exe" [2003-12-10 00:19 278528]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-05-16 01:19 79224]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-17 15:49 15360]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.YV12"= yv12vfw.dll
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\ICQ6\\ICQ.exe"=
"C:\\Program Files\\rc10\\StrongDC.exe"=
"C:\\Program Files\\InterVideo\\DVD8\\WinDVD.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\QIP\\qip.exe"=
"C:\\Program Files\\ICQLite\\ICQLite.exe"=
"D:\\instalacky\\qipinfium9000full_slovak\\infium.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-05-16 01:20]
R1 magicpvt;magicpvt;C:\WINDOWS\system32\drivers\magicpvt.sys [2005-11-14 04:26]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-05-16 01:16]
R3 BrScnUsb;Brother USB Still Image driver;C:\WINDOWS\system32\Drivers\BrScnUsb.sys [2004-10-15 13:50]
R3 PSched;QoS Packet Scheduler;C:\WINDOWS\system32\DRIVERS\psched.sys [2004-08-03 23:04]
.
Contents of the 'Scheduled Tasks' folder
"2008-05-14 05:46:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2008-05-30 12:30:00
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\system32\lsass.exe
-> C:\Program Files\Eset\pr_imon.dll
.
Completion time: 2008-05-30 12:30:32
ComboFix-quarantined-files.txt 2008-05-30 10:30:22
ComboFix2.txt 2008-05-30 09:50:14
Directories: 9, Free bytes: 75,778,506,752
Directories: 11, Free bytes: 75,769,786,368
136
fixed in HijackThis and at the same time deleted with KillBox (those three processes) ... I don't know whether it was necessary,
but it's done
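A quick way to triage the "Files Created" section of a log like the one above, as an added example (editor's own code, not ComboFix's and not the poster's): the parser reads ComboFix's `created . modified size attrs path` line format, and the review flags (a script or executable sitting directly in a drive root, the hidden attribute on a file, a vendor-lookalike name outside the system directories, tiny script files created in the same minute) are the editor's own heuristics, not ComboFix detections. The sample lines are copied from the log above. The flags are hints for a human to read, not verdicts: `C:\WINDOWS\QTFont.qfn` gets flagged for its hidden attribute although it is a QuickTime font cache, while the pair `C:\MicroSoft.bat` / `C:\MicroSoft.vbs` (30 and 186 bytes, created together in the root of C:) is exactly the kind of launcher-plus-payload that deserves opening in a text editor before deleting.

```python
"""Triage the 'Files Created' section of a ComboFix log.

Added example, not part of ComboFix. The review flags are the editor's own
heuristics; treat every hit as 'look at this', never as 'this is malware'.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# One "Files Created" line: <created> . <modified> <size|<DIR>> <attrs> <path>
FILES_CREATED_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+"
    r"(?P<size><DIR>|[\d,]+)\s+(?P<attrs>[-a-z]+)\s+(?P<path>.+?)\s*$"
)

# Extensions that execute when double-clicked or called from a Run key.
SCRIPT_EXTS = {".vbs", ".bat", ".cmd", ".exe", ".scr", ".pif", ".com", ".js", ".jse", ".wsf"}
SYSTEM_PREFIXES = ("c:\\windows\\", "c:\\program files\\")


@dataclass
class Entry:
    created: str
    modified: str
    size: Optional[int]   # None for directories
    attrs: str            # e.g. "--a------", "d--------", "--ah-----"
    path: str

    @property
    def is_dir(self) -> bool:
        return self.attrs.startswith("d")


def parse_files_created(text: str) -> List[Entry]:
    """Return every line of `text` that matches the ComboFix 'Files Created' format."""
    entries = []
    for line in text.splitlines():
        m = FILES_CREATED_RE.match(line.strip())
        if not m:
            continue  # headers, dots, other sections
        size = None if m["size"] == "<DIR>" else int(m["size"].replace(",", ""))
        entries.append(Entry(m["created"], m["modified"], size, m["attrs"], m["path"]))
    return entries


def _ext(path_lower: str) -> str:
    name = path_lower.rsplit("\\", 1)[-1]
    return "." + name.rsplit(".", 1)[-1] if "." in name else ""


def review_flags(e: Entry) -> List[str]:
    """Per-entry heuristics (editor's assumptions, not ComboFix logic)."""
    flags = []
    low = e.path.lower()
    name = low.rsplit("\\", 1)[-1]
    ext = _ext(low)
    in_drive_root = re.fullmatch(r"[a-z]:\\[^\\]+", low) is not None
    if not e.is_dir and in_drive_root and ext in SCRIPT_EXTS:
        flags.append("script/executable directly in a drive root")
    if not e.is_dir and "h" in e.attrs:
        flags.append("hidden attribute set")
    if "microsoft" in name and not low.startswith(SYSTEM_PREFIXES):
        flags.append("vendor-lookalike name outside system directories")
    if not e.is_dir and e.size is not None and e.size < 1024 and ext in SCRIPT_EXTS:
        flags.append(f"tiny script ({e.size} bytes): read it in full")
    return flags


def triage(text: str) -> Dict[str, List[str]]:
    """Map each flagged path to its list of review flags."""
    entries = parse_files_created(text)
    findings = {e.path: review_flags(e) for e in entries}
    # Scripts sharing a base name and creation minute (foo.bat + foo.vbs):
    # one is usually the launcher for the other, so flag them as a set.
    by_stem: Dict[tuple, List[str]] = {}
    for e in entries:
        if not e.is_dir and _ext(e.path.lower()) in SCRIPT_EXTS:
            stem = e.path.lower().rsplit(".", 1)[0]
            by_stem.setdefault((stem, e.created), []).append(e.path)
    for paths in by_stem.values():
        if len(paths) > 1:
            for p in paths:
                others = ", ".join(q for q in paths if q != p)
                findings[p].append("created together with " + others)
    return {p: f for p, f in findings.items() if f}


# Sample input: lines copied from the ComboFix log in the post above.
SAMPLE_LOG = r"""
2008-05-28 20:39 . 2008-05-30 12:20 <DIR> d-------- C:\!KillBox
2008-05-27 15:35 . 2008-05-27 15:35 <DIR> d-------- C:\Program Files\Alwil Software
2008-05-26 11:44 . 2008-05-30 08:23 186 --a------ C:\MicroSoft.vbs
2008-05-26 11:44 . 2008-05-30 08:23 30 --a------ C:\MicroSoft.bat
2008-05-15 19:19 . 2008-05-17 18:51 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-05-15 19:19 . 2008-05-15 19:19 1,409 --a------ C:\WINDOWS\QTFont.for
"""

if __name__ == "__main__":
    for path, flags in triage(SAMPLE_LOG).items():
        print(path)
        for f in flags:
            print("   -", f)
```

Feed it the whole log (`triage(open("ComboFix.txt").read())`); lines from other sections simply do not match the regex and are ignored. Extend `review_flags` with whatever you would check next in a Run-key or KillBox decision (a cross-check against the `Reg Loading Points` section, a hash lookup), but keep the output a list of reasons so the person deleting files can see why each one is on the list.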