Hello,
I have the virus win32 trojan gen other on my PC; could you please advise me how to get rid of it? Avast finds it, I delete it, the PC runs for a few days and then nothing works again :( Based on what I read here on the forum I ran ComboFix on the PC; here is the log:
ComboFix 09-04-25.A1 - Iveta 25.04.2009 20:27.1 - NTFSx86
Systém Microsoft Windows XP Professional 5.1.2600.2.1250.420.1029.18.1023.526 [GMT 2:00]
Spuštěný z: c:\documents and settings\Iveta\Plocha\ComboFix.exe
AV: avast! antivirus 4.8.1335 [VPS 090425-0] *On-access scanning enabled* (Updated)
FW: Sunbelt Personal Firewall *disabled*
* Vytvořen nový Bod Obnovení
.
((((((((((((((((((((((((((((((((((((((( Ostatní výmazy )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\docume~1\Iveta\LOCALS~1\Temp\tmp1.tmp
c:\program files\altcmd
c:\program files\altcmd\altcmd.inf
c:\program files\altcmd\uninstall.bat
c:\windows\alxvdvm.dll
c:\windows\cookies.ini
c:\windows\fvkwdrt.exe
c:\windows\jestertb.dll
c:\windows\mrvtdpqe.exe
c:\windows\search_res.txt
c:\windows\system32\acvisqwx.ini
c:\windows\system32\cbtffwew.ini
c:\windows\system32\kycwctdu.ini
c:\windows\system32\leeddwae.ini
c:\windows\system32\lwgeynax.ini
c:\windows\system32\mcrh.tmp
c:\windows\system32\sex1.ico
c:\windows\system32\sex2.ico
c:\windows\system32\vyehwreq.ini
c:\windows\system32\wEhNnnnn.ini
c:\windows\system32\wEhNnnnn.ini2
.
((((((((((((((((((((((((( Soubory vytvořené od 2009-05-25 do 2009-4-25 )))))))))))))))))))))))))))))))
.
2009-04-24 19:30 . 2009-04-24 19:30 165 ----a-w c:\windows\system32\drivers\fwdrv.err
2009-04-19 19:01 . 2009-04-19 19:00 410984 ----a-w c:\windows\system32\deploytk.dll
2009-04-19 17:21 . 2009-04-19 17:21 -------- d-----w c:\documents and settings\Iveta\Local Settings\Data aplikací\Sun
2009-04-17 20:21 . 2008-04-21 21:28 216576 -c----w c:\windows\system32\dllcache\wordpad.exe
2009-04-17 20:20 . 2005-07-26 04:42 60416 -c----w c:\windows\system32\dllcache\colbact.dll
2009-04-17 20:20 . 2009-02-06 16:39 227840 -c----w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-17 20:20 . 2009-03-06 14:47 283648 -c----w c:\windows\system32\dllcache\pdh.dll
2009-04-17 20:20 . 2009-02-09 10:22 473088 -c----w c:\windows\system32\dllcache\fastprox.dll
2009-04-17 20:20 . 2009-02-09 10:22 399360 -c----w c:\windows\system32\dllcache\rpcss.dll
2009-04-17 20:20 . 2009-02-09 10:11 111104 -c----w c:\windows\system32\dllcache\services.exe
2009-04-17 20:20 . 2009-02-09 10:22 683520 -c----w c:\windows\system32\dllcache\advapi32.dll
2009-04-17 20:20 . 2009-02-09 10:22 453120 -c----w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-17 20:20 . 2009-02-09 10:22 709632 -c----w c:\windows\system32\dllcache\ntdll.dll
2009-04-09 20:53 . 2009-03-09 19:06 15688 ----a-w c:\windows\system32\lsdelete.exe
2009-04-09 20:25 . 2009-03-09 19:06 64160 ----a-w c:\windows\system32\drivers\Lbd.sys
2009-04-09 20:24 . 2009-04-09 20:24 -------- dc-h--w c:\documents and settings\All Users\Data aplikací\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-04-05 18:06 . 2009-03-10 20:18 454024 ----a-w c:\windows\system32\KB905474\wgasetup.exe
2009-04-05 18:06 . 2009-02-09 16:51 13502 ----a-w c:\windows\system32\KB905474\wga_eula.txt
2009-04-05 18:06 . 2009-04-05 18:06 -------- d-----w c:\windows\system32\KB905474
2009-04-05 18:06 . 2009-03-10 20:26 1435008 ----a-w c:\windows\system32\KB905474\wganotifypackageinner.exe
2009-04-03 19:43 . 2009-04-03 19:43 -------- d-----w c:\windows\system32\xlib254.dll
2009-04-03 19:43 . 2009-04-03 19:43 -------- d-----w c:\windows\system32\append.dll
2009-04-03 19:40 . 2006-08-23 07:12 57344 ----a-w c:\windows\system32\digest32.dll
2009-03-30 19:10 . 2006-08-25 17:56 581632 ----a-w c:\windows\system32\snapapi32.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-25 18:34 . 2009-04-22 18:45 1340 ----a-w C:\aaw7boot.log
2009-04-25 18:16 . 2001-10-25 12:00 525236 ----a-w c:\windows\system32\perfh005.dat
2009-04-25 18:16 . 2001-10-25 12:00 112518 ----a-w c:\windows\system32\perfc005.dat
2009-04-19 19:00 . 2006-05-20 22:49 -------- d-----w c:\program files\Java
2009-04-19 18:14 . 2009-03-22 20:49 -------- d-----w c:\program files\Rapidown
2009-04-19 18:14 . 2008-02-01 23:36 -------- d-s---w c:\program files\Xfire
2009-04-19 18:14 . 2007-12-16 18:23 -------- d-----w c:\documents and settings\Iveta\Data aplikací\uTorrent
2009-04-19 18:12 . 2007-07-05 20:27 -------- d-----w c:\program files\TuneUp Utilities 2006
2009-04-17 21:12 . 2008-02-12 17:38 -------- d-----w c:\documents and settings\All Users\Data aplikací\Microsoft Help
2009-04-09 20:24 . 2009-04-09 20:24 -------- d-----w c:\program files\Lavasoft
2009-04-09 20:24 . 2007-07-05 20:27 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-03-22 15:31 . 2009-03-22 15:31 -------- d-----w c:\documents and settings\All Users\Data aplikací\Firefly Studios
2009-03-22 15:23 . 2006-08-20 11:42 108144 ----a-w c:\windows\system32\CmdLineExt.dll
2009-03-17 17:50 . 2006-03-18 22:52 -------- d--h--w c:\program files\InstallShield Installation Information
2009-03-15 16:31 . 2008-02-13 15:49 -------- d-----w c:\program files\ICQ6
2009-03-06 14:47 . 2001-10-25 12:00 283648 ----a-w c:\windows\system32\pdh.dll
2009-03-03 00:14 . 2001-10-25 12:00 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-20 17:13 . 2006-03-18 23:08 78336 ----a-w c:\windows\system32\ieencode.dll
2009-02-09 14:19 . 2001-10-25 12:00 1846272 ----a-w c:\windows\system32\win32k.sys
2009-02-09 11:52 . 2001-10-24 11:46 2059904 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-09 11:52 . 2001-10-25 12:00 2182656 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-09 10:22 . 2001-10-25 12:00 722432 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 10:22 . 2001-10-25 12:00 399360 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 10:22 . 2001-10-25 12:00 709632 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 10:22 . 2001-10-25 12:00 683520 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 10:11 . 2001-10-25 12:00 111104 ----a-w c:\windows\system32\services.exe
2009-02-06 16:54 . 2001-10-25 12:00 35328 ----a-w c:\windows\system32\sc.exe
2009-02-03 20:11 . 2001-10-25 12:00 55808 ----a-w c:\windows\system32\secur32.dll
2008-04-13 19:45 . 2006-03-18 23:13 69688 -c--a-w c:\documents and settings\Iveta\Local Settings\Data aplikací\GDIPFONTCACHEV1.DAT
2008-04-13 19:43 . 2008-04-13 19:43 159216 -c--a-w c:\documents and settings\LocalService\Local Settings\Data aplikací\FontCache3.0.0.0.dat
2008-02-01 19:45 . 2008-02-01 19:45 32 -c--a-w c:\documents and settings\All Users\Data aplikací\ezsid.dat
2008-01-24 21:13 . 2008-01-24 21:13 22328 -c--a-w c:\documents and settings\Iveta\Data aplikací\PnkBstrK.sys
2007-12-12 15:48 . 2007-06-26 16:45 17920 -c--a-w c:\documents and settings\Iveta\Data aplikací\GDIPFONTCACHEV1.DAT
2007-04-21 23:42 . 2008-07-18 19:06 232448 ----a-w c:\documents and settings\Administrator\nnncleaner.exe
2006-03-19 08:58 . 2006-03-19 08:58 125 -c--a-w c:\documents and settings\Iveta\Local Settings\Data aplikací\fusioncache.dat
2007-03-12 09:2007-07-05 21:47 10:41 . c:\program files\mozilla firefox\components\jar50.dll
2007-03-12 09:2007-07-05 21:47 10:41 . c:\program files\mozilla firefox\components\jsd3250.dll
2007-03-12 09:2007-07-05 21:47 10:41 . c:\program files\mozilla firefox\components\myspell.dll
2007-03-12 09:2007-07-05 21:47 10:41 . c:\program files\mozilla firefox\components\spellchk.dll
2007-03-12 09:2007-07-05 21:47 10:41 . c:\program files\mozilla firefox\components\xpinstal.dll
2006-03-20 19:00 . 2006-03-20 19:00 56 -csh--r c:\windows\system32\979BA2816D.sys
2008-02-22 16:43 . 2008-02-22 16:43 8 -csh--r c:\windows\system32\E6ECD67B1F.sys
2008-02-22 16:43 . 2008-02-22 16:43 952 -csha-w c:\windows\system32\KGyGaAvL.sys
.
(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TuneUp MemOptimizer"="c:\program files\TuneUp Utilities 2006\MemOptimizer.exe" [2006-10-22 304640]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-17 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="e:\programy\avast!\ashDisp.exe" [2009-02-05 81000]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"QuickTime Task"="e:\programy\quicktime\qttask.exe" [2007-08-16 282624]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-03-09 515416]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-04-19 148888]
"SkyTel"="SkyTel.EXE" - c:\windows\SkyTel.exe [2006-05-16 2879488]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2006-10-30 16269312]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2004-08-17 15360]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"GreyMSIAds"= 1 (0x1)
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"wave1"= serwvdrv.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, snapapi32.dll, digest32.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" /background
"OM_Monitor"=c:\program files\OLYMPUS\OLYMPUS Master\Monitor.exe
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\lib\NMBgMonitor.exe"
"CTFMON.EXE"=c:\windows\system32\ctfmon.exe
"Skype"="c:\program files\Skype\Phone\Skype.exe" /nosplash /minimized
"ICQ"="c:\program files\ICQ6\ICQ.exe" silent
"DAEMON Tools Pro Agent"="c:\program files\DAEMON Tools Pro\DTProAgent.exe"
"PC Suite Tray"="c:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe" -onlytray
"DAEMON Tools"="c:\program files\DAEMON Tools\daemon.exe" -lang 1033
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="e:\programy\quicktime\qttask.exe" -atboottime
"CloneCDTray"="c:\program files\SlySoft\CloneCD\CloneCDTray.exe" /s
"ISUSPM Startup"=c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" -start
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe"
"NeroFilterCheck"=c:\windows\system32\NeroCheck.exe
"OM_Monitor"=c:\program files\OLYMPUS\OLYMPUS Master\FirstStart.exe
"ConMet"=c:\program files\ConMet\ConMet.exe
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_05\bin\jusched.exe"
"Eprogramylot0"=e:\programy\lotus\orgreg\prtStart.exe 10 21 5 10 2008 "e:\programy\lotus\orgreg\orgprt.exe"
"34bad4dd"=rundll32.exe "c:\windows\system32\eawddeel.dll",b
"HydraVisionDesktopManager"=c:\program files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe
"SoundMan"=SOUNDMAN.EXE
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Nero\\Nero 7\\Nero Home\\NeroHome.exe"=
"c:\\Program Files\\ICQ6\\ICQ.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Activision\\Call of Duty 2\\CoD2MP_s.exe"=
"c:\\Program Files\\Nokia\\Nokia Software Updater\\nsu_ui_client.exe"=
"c:\\Program Files\\Common Files\\Nokia\\Service Layer\\A\\nsl_host_process.exe"=
"e:\\hry\\crysis\\Bin32\\Crysis.exe"=
"e:\\hry\\crysis\\Bin32\\CrysisDedicatedServer.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"e:\\hry\\Call of Duty 2\\CoD2MP_s.exe"=
"c:\\Program Files\\Xfire\\xfire.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"e:\\programy\\sopcast\\SopCast.exe"=
"e:\\programy\\sopcast\\adv\\SopAdver.exe"=
"e:\\programy\\sopcast\\sopvod.exe"=
"c:\\WINDOWS\\system32\\dplaysvr.exe"=
"g:\\filmy\\AnyTV\\anyTV.exe"=
"c:\\Program Files\\Java\\jre1.6.0_05\\launch4j-tmp\\JDownloader.exe"=
"c:\\Program Files\\Java\\jre1.6.0_05\\bin\\javaw.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"e:\\hry\\Stronghold 2\\Stronghold2.exe"=
"c:\\WINDOWS\\system32\\svchost.exe"=
"c:\\WINDOWS\\system32\\Ati2evxx.exe"=
"c:\\WINDOWS\\System32\\wbem\\wmiprvse.exe"= c:\\WINDOWS\\system32\\wbem\\wmiprvse.exe
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"4719:TCP"= 4719:TCP:4719
R2 SPF4;Sunbelt Personal Firewall 4; [x]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2009-03-09 64160]
S0 sfsync03;StarForce Protection Synchronization Driver (version 3.x);c:\windows\System32\drivers\sfsync03.sys [2005-12-06 35328]
S1 aswSP;avast! Self Protection; [x]
S1 fwdrv;Firewall Driver;c:\windows\system32\drivers\fwdrv.sys [2007-04-26 302000]
S1 khips;Kerio HIPS Driver;c:\windows\system32\drivers\khips.sys [2007-04-26 72624]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2009-02-05 20560]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-03-09 951632]
S3 PSched;Plánovač paketů technologie QoS;c:\windows\system32\DRIVERS\psched.sys [2004-08-03 69120]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3ccc621a-233a-11dc-a56b-0015f240e7c9}]
\Shell\AutoRun\command - F:\Autorun.exe
.
Obsah adresáře 'Naplánované úlohy'
2009-02-13 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2006\SystemOptimizer.exe [2006-10-05 12:17]
2009-04-09 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 19:06]
2009-04-24 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-04-05 20:18]
.
- - - - NEPLATNÉ POLOŽKY ODSTRANĚNÉ Z REGISTRU - - - -
BHO-{140BD8E3-C167-11D4-B4A3-080000180323} - (no file)
HKU-Default-Run-Nokia.PCSync - c:\program files\Nokia\Nokia PC Suite 6\PcSync2.exe
Notify-awttqrQJ - awttqrQJ.dll
Notify-jkkLCSkH - jkkLCSkH.dll
Notify-qoMccCvv - qoMccCvv.dll
Notify-vtUnopME - vtUnopME.dll
.
------- Doplňkový sken -------
.
uStart Page = hxxp://www.seznam.cz/
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: E&xportovat do aplikace Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: {{B4E30F61-16D9-11D3-85D1-005004229569} - {85E0B172-04FA-11D1-B7DA-00A0C90348D6} - e:\programy\lotus\organize\bandobjs.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath -
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-25 20:36
Windows 5.1.2600 Service Pack 2 NTFS
skenování skrytých procesů ...
skenování skrytých položek 'Po spuštění' ...
skenování skrytých souborů ...
sken byl úspešně dokončen
skryté soubory: 0
**************************************************************************
.
--------------------- ZAMKNUTÉ KLÍČE V REGISTRU ---------------------
[HKEY_USERS\S-1-5-21-1644491937-220523388-839522115-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
[HKEY_USERS\S-1-5-21-1644491937-220523388-839522115-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:e0,2a,8e,c9,e5,88,d4,db,22,8a,6f,11,53,69,f6,d6,92,6a,e5,e9,13,b9,38,
1c,48,c2,9c,f1,b4,17,e1,88,85,51,8a,a5,05,ed,da,a1,c2,b1,19,20,18,c1,55,7a,\
"??"=hex:c7,b6,43,bd,5c,0b,4f,bc,38,2b,09,7f,61,9c,31,d3
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"cd042efbbd7f7af1647644e76e06692b"=hex:2e,e8,e1,00,eb,16,2b,de,f8,39,46,e0,dd,
89,ac,42,e2,63,26,f1,3f,c8,ff,68,98,d5,2c,73,35,bf,e5,36,e2,63,26,f1,3f,c8,\
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"bca643cdc5c2726b20d2ecedcc62c59b"=hex:71,3b,04,66,8b,46,0d,96,62,be,61,a0,50,
b8,2f,5f,6a,9c,d6,61,af,45,84,18,05,ba,ba,03,84,3e,d5,4e,6a,9c,d6,61,af,45,\
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2c81e34222e8052573023a60d06dd016"=hex:ff,7c,85,e0,43,d4,0e,fe,05,72,8c,2d,fc,
a1,01,c3,ff,7c,85,e0,43,d4,0e,fe,c0,5b,0b,e3,20,24,38,2a,ff,7c,85,e0,43,d4,\
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2582ae41fb52324423be06337561aa48"=hex:86,8c,21,01,be,91,eb,e7,2e,98,d5,90,75,
0a,08,18,86,8c,21,01,be,91,eb,e7,86,a4,37,84,9f,d2,83,22,86,8c,21,01,be,91,\
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"caaeda5fd7a9ed7697d9686d4b818472"=hex:e9,02,6c,fa,fb,1d,47,57,e5,f8,52,89,fa,
9a,2c,9b,f5,1d,4d,73,a8,13,5c,05,0b,80,38,36,d6,8c,39,35,f5,1d,4d,73,a8,13,\
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"a4a1bcf2cc2b8bc3716b74b2b4522f5d"=hex:50,93,e5,ab,ec,6a,4e,ab,34,e2,51,23,43,
45,a9,da,df,20,58,62,78,6b,cf,c8,9b,02,1f,a0,96,0e,e1,1a,df,20,58,62,78,6b,\
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"4d370831d2c43cd13623e232fed27b7b"=hex:fb,a7,78,e6,12,2f,9a,ea,eb,af,86,74,8a,
06,38,22,fb,a7,78,e6,12,2f,9a,ea,78,bb,49,ea,d0,91,6e,2e,fb,a7,78,e6,12,2f,\
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1d68fe701cdea33e477eb204b76f993d"=hex:aa,52,c6,00,84,3c,26,64,58,71,18,f4,fd,
4e,c0,e2,01,3a,48,fc,e8,04,4a,f1,e7,9a,61,68,de,f4,9a,20,01,3a,48,fc,e8,04,\
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1fac81b91d8e3c5aa4b0a51804d844a3"=hex:f6,0f,4e,58,98,5b,89,c9,df,97,3c,1b,32,
0d,86,3b,f6,0f,4e,58,98,5b,89,c9,19,ef,2d,87,da,93,55,bc,f6,0f,4e,58,98,5b,\
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"f5f62a6129303efb32fbe080bb27835b"=hex:b1,cd,45,5a,a8,c4,f8,b9,01,51,06,5e,ad,
90,18,b9,3d,ce,ea,26,2d,45,aa,78,45,0d,a7,20,9e,1e,4a,99,3d,ce,ea,26,2d,45,\
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"fd4e2e1a3940b94dceb5a6a021f2e3c6"=hex:e3,0e,66,d5,eb,bc,2f,6b,5f,d9,82,68,fd,
08,3e,76,2a,b7,cc,b5,b9,7f,41,e7,db,07,a7,86,4b,80,b8,de,2a,b7,cc,b5,b9,7f,\
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"8a8aec57dd6508a385616fbc86791ec2"=hex:6c,43,2d,1e,aa,22,2f,9c,52,43,a1,b3,31,
7e,66,1f,6c,43,2d,1e,aa,22,2f,9c,ee,82,73,fb,2b,1c,3e,9a,6c,43,2d,1e,aa,22,\
.
--------------------- Knihovny navázané na běžící procesy ---------------------
- - - - - - - > 'winlogon.exe'(968)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\vorbis.dll
c:\windows\system32\ogg.dll
- - - - - - - > 'lsass.exe'(1024)
c:\windows\system32\vorbis.dll
c:\windows\system32\ogg.dll
- - - - - - - > 'explorer.exe'(1848)
c:\windows\system32\vorbis.dll
c:\windows\system32\ogg.dll
c:\program files\Windows Media Player\wmpband.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Nokia\Nokia PC Suite 7\PhoneBrowser.dll
c:\program files\Nokia\Nokia PC Suite 7\NGSCM.DLL
c:\program files\Nokia\Nokia PC Suite 7\Lang\PhoneBrowser_cze.nlr
c:\program files\Nokia\Nokia PC Suite 7\Resource\PhoneBrowser_Nokia.ngr
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Jiné spuštené procesy ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
e:\programy\avast!\aswUpdSv.exe
e:\programy\avast!\ashServ.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\PnkBstrB.exe
e:\programy\avast!\ashMaiSv.exe
c:\windows\system32\wbem\unsecapp.exe
e:\programy\avast!\ashWebSv.exe
.
**************************************************************************
.
Celkový čas: 2009-04-25 20:40 - počítač byl restartován
ComboFix-quarantined-files.txt 2009-04-25 18:40
Před spuštěním: 775 733 248
Po spuštění: 723 664 896
WindowsXP-KB310994-SP2-Pro-BootDisk-CSY.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn /TUTag=LCI9TT /Kernel=TUKernel.exe
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional (TuneUp Záloha)" /fastdetect /NoExecute=OptIn /TUTag=LCI9TT-BAK
Current=4 Default=4 Failed=2 LastKnownGood=5 Sets=1,2,3,4,5
354 --- E O F --- 2009-04-24 21:37
win32 trojan gen other
- jaro3, Security team member, Guru Level 15
- Posts: 43293
- Registered: June 07
- Location: South Bohemia
Re: win32 trojan gen other
Test these on VirusTotal:
c:\windows\system32\KB905474\wgasetup.exe
c:\windows\system32\KB905474\wganotifypackageinner.exe
c:\windows\system32\eawddeel.dll
Then paste the result links here.
After that I'll make a script.
When working with HJT, ComboFix, MbAM, SDFix and similar programs, close all other applications and browsers!
Do not send logs by private message. While I am away, memphisto, Žbeky and Orcus stand in for me.
If you are satisfied, you can support our forum: Forum support
Re: win32 trojan gen other
http://www.virustotal.com/cs/analisis/0 ... 477a5461a7
http://www.virustotal.com/cs/analisis/0 ... 470028316c
I still have to find that third file...
Last edited by troleybus on 25 Apr 2009 22:03, edited 2 times in total.
- jaro3, Security team member, Guru Level 15
- Posts: 43293
- Registered: June 07
- Location: South Bohemia
Re: win32 trojan gen other
You don't need to copy it here, just give the link to the page with the results of all the antivirus engines, especially for this one:
c:\windows\system32\eawddeel.dll
- jaro3, Security team member, Guru Level 15
- Posts: 43293
- Registered: June 07
- Location: South Bohemia
Re: win32 trojan gen other
That's what I meant, but the file I wrote about above:
eawddeel.dll
that's the one you were supposed to submit, because instead of it there is: wga_eula.txt
Just paste the path into that field:
c:\windows\system32\eawddeel.dll
Re: win32 trojan gen other
I don't have this file ..c:\windows\system32\eawddeel.dll on my PC :(
- jaro3, Security team member, Guru Level 15
- Posts: 43293
- Registered: June 07
- Location: South Bohemia
Re: win32 trojan gen other
O.K., it's hidden...
So:
Open Notepad (Start -> Run..., type Notepad into the box and click OK).
Copy the following entire text highlighted in green into it:
Note: Do not use SELECT ALL to select the script
Code:
File::
c:\windows\system32\snapapi32.dll
c:\windows\system32\digest32.dll
c:\windows\system32\append.dll
c:\windows\system32\xlib254.dll
c:\windows\system32\979BA2816D.sys
c:\windows\system32\E6ECD67B1F.sys
c:\windows\system32\KGyGaAvL.sys
F:\Autorun.exe
c:\windows\system32\eawddeel.dll
Folder::
c:\windows\system32\append.dll
c:\windows\system32\xlib254.dll
Registry::
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders]
"SecurityProviders"=-
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3ccc621a-233a-11dc-a56b-0015f240e7c9}]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"34bad4dd"=-
Choose File -> Save as... and set these parameters:
File name: type: CFScript.txt
Save as type: choose All Files
Save the file to the desktop.
Close all active windows.
Drag the CFScript.txt you created with the mouse onto the downloaded ComboFix.exe and drop the script when the two files overlap.
- ComboFix will start automatically
- Paste here the log that appears at the end of the cleaning process + a new HJT log
I'll have a look tomorrow and we'll continue.
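The script above resets SecurityProviders to the four-entry XP default because the first log showed two extra DLLs (snapapi32.dll, digest32.dll) appended to it, alongside a rundll32 Run entry, a removable-drive AutoRun command and several random-named Winlogon Notify DLLs. The following is an added example, not ComboFix code and not the helper's script, showing how a defender can pick those four kinds of indicators out of ComboFix-style log lines automatically. The sample log is constructed from entries quoted in this thread; the default provider list is taken from the script above and assumed to be the correct baseline for this XP installation.

```python
"""Flag persistence indicators in ComboFix-style log lines.

Added example for this thread; it is not ComboFix code and not the helper's
CFScript. It reads the registry and "invalid entries removed" sections that
ComboFix prints and reports four kinds of entries seen in the logs above:

  * SecurityProviders (SSP) DLLs beyond the XP default list,
  * Run-key values that load a DLL through rundll32.exe,
  * MountPoints2 AutoRun commands (removable-drive autorun),
  * Winlogon Notify DLLs reported as invalid entries.
"""
import re

# Assumption: the four-entry value the helper's CFScript restores is the
# correct SecurityProviders baseline for this Windows XP SP2 machine.
DEFAULT_SECURITY_PROVIDERS = {"msapsspc.dll", "schannel.dll", "digest.dll", "msnsspc.dll"}

# Constructed sample, assembled from lines that appear in the thread's logs.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, snapapi32.dll, digest32.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_05\bin\jusched.exe"
"34bad4dd"=rundll32.exe "c:\windows\system32\eawddeel.dll",b
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3ccc621a-233a-11dc-a56b-0015f240e7c9}]
\Shell\AutoRun\command - F:\Autorun.exe
- - - - NEPLATNÉ POLOŽKY ODSTRANĚNÉ Z REGISTRU - - - -
Notify-awttqrQJ - awttqrQJ.dll
Notify-jkkLCSkH - jkkLCSkH.dll
"""


def extra_security_providers(line):
    """Return the DLLs in a 'SecurityProviders ...' log line that are not in the default set."""
    m = re.match(r"SecurityProviders\s+(.*)", line.strip())
    if not m:
        return []
    dlls = [d.strip().lower() for d in m.group(1).split(",") if d.strip()]
    return [d for d in dlls if d not in DEFAULT_SECURITY_PROVIDERS]


def is_rundll32_loader(line):
    """True when a Run-key value launches a DLL through rundll32.exe,
    e.g.  "34bad4dd"=rundll32.exe "c:\\windows\\system32\\x.dll",b"""
    pattern = r'"([^"]+)"=\s*"?rundll32(?:\.exe)?"?\s+"?([^",]+\.dll)'
    return re.match(pattern, line.strip(), re.I) is not None


def autorun_command(line):
    """Return the target of a MountPoints2 '\\Shell\\AutoRun\\command' line, else None."""
    m = re.match(r"\\Shell\\AutoRun\\command\s+-\s+(.+)$", line.strip(), re.I)
    return m.group(1) if m else None


def winlogon_notify_dll(line):
    """Return the DLL named in a 'Notify-<name> - <name>.dll' removed-entry line, else None."""
    m = re.match(r"Notify-(\S+)\s+-\s+(\S+\.dll)$", line.strip(), re.I)
    return m.group(2) if m else None


def analyse(log_text):
    """Scan every line and collect (kind, detail) findings."""
    findings = []
    for line in log_text.splitlines():
        extras = extra_security_providers(line)
        if extras:
            findings.append(("securityproviders", ", ".join(extras)))
        if is_rundll32_loader(line):
            findings.append(("rundll32-loader", line.strip()))
        target = autorun_command(line)
        if target:
            findings.append(("autorun", target))
        dll = winlogon_notify_dll(line)
        if dll:
            findings.append(("winlogon-notify", dll))
    return findings


if __name__ == "__main__":
    for kind, detail in analyse(SAMPLE_LOG):
        print(f"{kind:18} {detail}")
```

Run on the constructed sample it reports the two extra SSP DLLs, the rundll32 loader of eawddeel.dll, the F:\Autorun.exe autorun and both Notify DLLs, which is exactly the set the helper's CFScript removes. The SSP check is the one worth keeping around: a DLL listed under SecurityProviders is loaded into lsass.exe at boot, so anything beyond the known baseline deserves a hash lookup before it is trusted.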
Re: win32 trojan gen other
here is the new log:
ComboFix 09-04-25.A1 - Iveta 25.04.2009 22:15.2 - NTFSx86
Systém Microsoft Windows XP Professional 5.1.2600.2.1250.420.1029.18.1023.535 [GMT 2:00]
Spuštěný z: e:\programy\ComboFix.exe
Použité ovládací přepínače :: e:\programy\CFScript.txt
AV: avast! antivirus 4.8.1335 [VPS 090425-0] *On-access scanning disabled* (Updated)
FW: Sunbelt Personal Firewall *disabled*
* Vytvořen nový Bod Obnovení
.
((((((((((((((((((((((((((((((((((((((( Ostatní výmazy )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\append.dll
c:\windows\system32\xlib254.dll
.
((((((((((((((((((((((((( Soubory vytvořené od 2009-05-25 do 2009-4-25 )))))))))))))))))))))))))))))))
.
2009-04-24 19:30 . 2009-04-24 19:30 165 ----a-w c:\windows\system32\drivers\fwdrv.err
2009-04-19 19:01 . 2009-04-19 19:00 410984 ----a-w c:\windows\system32\deploytk.dll
2009-04-19 17:21 . 2009-04-19 17:21 -------- d-----w c:\documents and settings\Iveta\Local Settings\Data aplikací\Sun
2009-04-17 20:21 . 2008-04-21 21:28 216576 -c----w c:\windows\system32\dllcache\wordpad.exe
2009-04-17 20:20 . 2005-07-26 04:42 60416 -c----w c:\windows\system32\dllcache\colbact.dll
2009-04-17 20:20 . 2009-02-06 16:39 227840 -c----w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-17 20:20 . 2009-03-06 14:47 283648 -c----w c:\windows\system32\dllcache\pdh.dll
2009-04-17 20:20 . 2009-02-09 10:22 473088 -c----w c:\windows\system32\dllcache\fastprox.dll
2009-04-17 20:20 . 2009-02-09 10:22 399360 -c----w c:\windows\system32\dllcache\rpcss.dll
2009-04-17 20:20 . 2009-02-09 10:11 111104 -c----w c:\windows\system32\dllcache\services.exe
2009-04-17 20:20 . 2009-02-09 10:22 683520 -c----w c:\windows\system32\dllcache\advapi32.dll
2009-04-17 20:20 . 2009-02-09 10:22 453120 -c----w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-17 20:20 . 2009-02-09 10:22 709632 -c----w c:\windows\system32\dllcache\ntdll.dll
2009-04-09 20:53 . 2009-03-09 19:06 15688 ----a-w c:\windows\system32\lsdelete.exe
2009-04-09 20:25 . 2009-03-09 19:06 64160 ----a-w c:\windows\system32\drivers\Lbd.sys
2009-04-09 20:24 . 2009-04-09 20:24 -------- dc-h--w c:\documents and settings\All Users\Data aplikací\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-04-05 18:06 . 2009-03-10 20:18 454024 ----a-w c:\windows\system32\KB905474\wgasetup.exe
2009-04-05 18:06 . 2009-02-09 16:51 13502 ----a-w c:\windows\system32\KB905474\wga_eula.txt
2009-04-05 18:06 . 2009-04-05 18:06 -------- d-----w c:\windows\system32\KB905474
2009-04-05 18:06 . 2009-03-10 20:26 1435008 ----a-w c:\windows\system32\KB905474\wganotifypackageinner.exe
2009-04-03 19:40 . 2006-08-23 07:12 57344 ----a-w c:\windows\system32\digest32.dll
2009-03-30 19:10 . 2006-08-25 17:56 581632 ----a-w c:\windows\system32\snapapi32.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-25 18:39 . 2001-10-25 12:00 525564 ----a-w c:\windows\system32\perfh005.dat
2009-04-25 18:39 . 2001-10-25 12:00 112630 ----a-w c:\windows\system32\perfc005.dat
2009-04-25 18:34 . 2009-04-22 18:45 1340 ----a-w C:\aaw7boot.log
2009-04-19 19:00 . 2006-05-20 22:49 -------- d-----w c:\program files\Java
2009-04-19 18:14 . 2009-03-22 20:49 -------- d-----w c:\program files\Rapidown
2009-04-19 18:14 . 2008-02-01 23:36 -------- d-s---w c:\program files\Xfire
2009-04-19 18:14 . 2007-12-16 18:23 -------- d-----w c:\documents and settings\Iveta\Data aplikací\uTorrent
2009-04-19 18:12 . 2007-07-05 20:27 -------- d-----w c:\program files\TuneUp Utilities 2006
2009-04-17 21:12 . 2008-02-12 17:38 -------- d-----w c:\documents and settings\All Users\Data aplikací\Microsoft Help
2009-04-09 20:24 . 2009-04-09 20:24 -------- d-----w c:\program files\Lavasoft
2009-04-09 20:24 . 2007-07-05 20:27 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-03-22 15:31 . 2009-03-22 15:31 -------- d-----w c:\documents and settings\All Users\Data aplikací\Firefly Studios
2009-03-22 15:23 . 2006-08-20 11:42 108144 ----a-w c:\windows\system32\CmdLineExt.dll
2009-03-17 17:50 . 2006-03-18 22:52 -------- d--h--w c:\program files\InstallShield Installation Information
2009-03-15 16:31 . 2008-02-13 15:49 -------- d-----w c:\program files\ICQ6
2009-03-06 14:47 . 2001-10-25 12:00 283648 ----a-w c:\windows\system32\pdh.dll
2009-03-03 00:14 . 2001-10-25 12:00 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-20 17:13 . 2006-03-18 23:08 78336 ----a-w c:\windows\system32\ieencode.dll
2009-02-09 14:19 . 2001-10-25 12:00 1846272 ----a-w c:\windows\system32\win32k.sys
2009-02-09 11:52 . 2001-10-24 11:46 2059904 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-09 11:52 . 2001-10-25 12:00 2182656 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-09 10:22 . 2001-10-25 12:00 722432 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 10:22 . 2001-10-25 12:00 399360 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 10:22 . 2001-10-25 12:00 709632 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 10:22 . 2001-10-25 12:00 683520 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 10:11 . 2001-10-25 12:00 111104 ----a-w c:\windows\system32\services.exe
2009-02-06 16:54 . 2001-10-25 12:00 35328 ----a-w c:\windows\system32\sc.exe
2009-02-03 20:11 . 2001-10-25 12:00 55808 ----a-w c:\windows\system32\secur32.dll
2008-04-13 19:45 . 2006-03-18 23:13 69688 -c--a-w c:\documents and settings\Iveta\Local Settings\Data aplikací\GDIPFONTCACHEV1.DAT
2008-04-13 19:43 . 2008-04-13 19:43 159216 -c--a-w c:\documents and settings\LocalService\Local Settings\Data aplikací\FontCache3.0.0.0.dat
2008-02-01 19:45 . 2008-02-01 19:45 32 -c--a-w c:\documents and settings\All Users\Data aplikací\ezsid.dat
2008-01-24 21:13 . 2008-01-24 21:13 22328 -c--a-w c:\documents and settings\Iveta\Data aplikací\PnkBstrK.sys
2007-12-12 15:48 . 2007-06-26 16:45 17920 -c--a-w c:\documents and settings\Iveta\Data aplikací\GDIPFONTCACHEV1.DAT
2007-04-21 23:42 . 2008-07-18 19:06 232448 ----a-w c:\documents and settings\Administrator\nnncleaner.exe
2006-03-19 08:58 . 2006-03-19 08:58 125 -c--a-w c:\documents and settings\Iveta\Local Settings\Data aplikací\fusioncache.dat
2007-03-12 09:2007-07-05 21:47 10:41 . c:\program files\mozilla firefox\components\jar50.dll
2007-03-12 09:2007-07-05 21:47 10:41 . c:\program files\mozilla firefox\components\jsd3250.dll
2007-03-12 09:2007-07-05 21:47 10:41 . c:\program files\mozilla firefox\components\myspell.dll
2007-03-12 09:2007-07-05 21:47 10:41 . c:\program files\mozilla firefox\components\spellchk.dll
2007-03-12 09:2007-07-05 21:47 10:41 . c:\program files\mozilla firefox\components\xpinstal.dll
2006-03-20 19:00 . 2006-03-20 19:00 56 -csh--r c:\windows\system32\979BA2816D.sys
2008-02-22 16:43 . 2008-02-22 16:43 8 -csh--r c:\windows\system32\E6ECD67B1F.sys
2008-02-22 16:43 . 2008-02-22 16:43 952 -csha-w c:\windows\system32\KGyGaAvL.sys
.
((((((((((((((((((((((((((((( SnapShot@2009-04-25_18.36.28 )))))))))))))))))))))))))))))))))))))))))
.
+ 2001-10-25 12:00 . 2009-04-25 18:39 523684 c:\windows\system32\perfh009.dat
+ 2001-10-25 12:00 . 2009-04-25 18:39 101964 c:\windows\system32\perfc009.dat
.
(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TuneUp MemOptimizer"="c:\program files\TuneUp Utilities 2006\MemOptimizer.exe" [2006-10-22 304640]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-17 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="e:\programy\avast!\ashDisp.exe" [2009-02-05 81000]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"QuickTime Task"="e:\programy\quicktime\qttask.exe" [2007-08-16 282624]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-03-09 515416]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-04-19 148888]
"SkyTel"="SkyTel.EXE" - c:\windows\SkyTel.exe [2006-05-16 2879488]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2006-10-30 16269312]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2004-08-17 15360]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"GreyMSIAds"= 1 (0x1)
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"wave1"= serwvdrv.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" /background
"OM_Monitor"=c:\program files\OLYMPUS\OLYMPUS Master\Monitor.exe
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\lib\NMBgMonitor.exe"
"CTFMON.EXE"=c:\windows\system32\ctfmon.exe
"Skype"="c:\program files\Skype\Phone\Skype.exe" /nosplash /minimized
"ICQ"="c:\program files\ICQ6\ICQ.exe" silent
"DAEMON Tools Pro Agent"="c:\program files\DAEMON Tools Pro\DTProAgent.exe"
"PC Suite Tray"="c:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe" -onlytray
"DAEMON Tools"="c:\program files\DAEMON Tools\daemon.exe" -lang 1033
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="e:\programy\quicktime\qttask.exe" -atboottime
"CloneCDTray"="c:\program files\SlySoft\CloneCD\CloneCDTray.exe" /s
"ISUSPM Startup"=c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" -start
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe"
"NeroFilterCheck"=c:\windows\system32\NeroCheck.exe
"OM_Monitor"=c:\program files\OLYMPUS\OLYMPUS Master\FirstStart.exe
"ConMet"=c:\program files\ConMet\ConMet.exe
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_05\bin\jusched.exe"
"Eprogramylot0"=e:\programy\lotus\orgreg\prtStart.exe 10 21 5 10 2008 "e:\programy\lotus\orgreg\orgprt.exe"
"HydraVisionDesktopManager"=c:\program files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe
"SoundMan"=SOUNDMAN.EXE
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Nero\\Nero 7\\Nero Home\\NeroHome.exe"=
"c:\\Program Files\\ICQ6\\ICQ.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Activision\\Call of Duty 2\\CoD2MP_s.exe"=
"c:\\Program Files\\Nokia\\Nokia Software Updater\\nsu_ui_client.exe"=
"c:\\Program Files\\Common Files\\Nokia\\Service Layer\\A\\nsl_host_process.exe"=
"e:\\hry\\crysis\\Bin32\\Crysis.exe"=
"e:\\hry\\crysis\\Bin32\\CrysisDedicatedServer.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"e:\\hry\\Call of Duty 2\\CoD2MP_s.exe"=
"c:\\Program Files\\Xfire\\xfire.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"e:\\programy\\sopcast\\SopCast.exe"=
"e:\\programy\\sopcast\\adv\\SopAdver.exe"=
"e:\\programy\\sopcast\\sopvod.exe"=
"c:\\WINDOWS\\system32\\dplaysvr.exe"=
"g:\\filmy\\AnyTV\\anyTV.exe"=
"c:\\Program Files\\Java\\jre1.6.0_05\\launch4j-tmp\\JDownloader.exe"=
"c:\\Program Files\\Java\\jre1.6.0_05\\bin\\javaw.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"e:\\hry\\Stronghold 2\\Stronghold2.exe"=
"c:\\WINDOWS\\system32\\svchost.exe"=
"c:\\WINDOWS\\system32\\Ati2evxx.exe"=
"c:\\WINDOWS\\System32\\wbem\\wmiprvse.exe"= c:\\WINDOWS\\system32\\wbem\\wmiprvse.exe
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"4719:TCP"= 4719:TCP:4719
R2 SPF4;Sunbelt Personal Firewall 4; [x]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2009-03-09 64160]
S0 sfsync03;StarForce Protection Synchronization Driver (version 3.x);c:\windows\System32\drivers\sfsync03.sys [2005-12-06 35328]
S1 aswSP;avast! Self Protection; [x]
S1 fwdrv;Firewall Driver;c:\windows\system32\drivers\fwdrv.sys [2007-04-26 302000]
S1 khips;Kerio HIPS Driver;c:\windows\system32\drivers\khips.sys [2007-04-26 72624]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2009-02-05 20560]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-03-09 951632]
S3 PSched;Plánovač paketů technologie QoS;c:\windows\system32\DRIVERS\psched.sys [2004-08-03 69120]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Obsah adresáře 'Naplánované úlohy'
2009-02-13 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2006\SystemOptimizer.exe [2006-10-05 12:17]
2009-04-09 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 19:06]
2009-04-24 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-04-05 20:18]
.
.
------- Doplňkový sken -------
.
uStart Page = hxxp://www.seznam.cz/
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: E&xportovat do aplikace Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: {{B4E30F61-16D9-11D3-85D1-005004229569} - {85E0B172-04FA-11D1-B7DA-00A0C90348D6} - e:\programy\lotus\organize\bandobjs.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath -
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-25 22:20
Windows 5.1.2600 Service Pack 2 NTFS
skenování skrytých procesů ...
skenování skrytých položek 'Po spuštění' ...
skenování skrytých souborů ...
sken byl úspešně dokončen
skryté soubory: 0
**************************************************************************
.
--------------------- ZAMKNUTÉ KLÍČE V REGISTRU ---------------------
[HKEY_USERS\S-1-5-21-1644491937-220523388-839522115-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
[HKEY_USERS\S-1-5-21-1644491937-220523388-839522115-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:e0,2a,8e,c9,e5,88,d4,db,22,8a,6f,11,53,69,f6,d6,92,6a,e5,e9,13,b9,38,
1c,48,c2,9c,f1,b4,17,e1,88,85,51,8a,a5,05,ed,da,a1,c2,b1,19,20,18,c1,55,7a,\
"??"=hex:c7,b6,43,bd,5c,0b,4f,bc,38,2b,09,7f,61,9c,31,d3
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"cd042efbbd7f7af1647644e76e06692b"=hex:2e,e8,e1,00,eb,16,2b,de,f8,39,46,e0,dd,
89,ac,42,e2,63,26,f1,3f,c8,ff,68,98,d5,2c,73,35,bf,e5,36,e2,63,26,f1,3f,c8,\
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"bca643cdc5c2726b20d2ecedcc62c59b"=hex:71,3b,04,66,8b,46,0d,96,62,be,61,a0,50,
b8,2f,5f,6a,9c,d6,61,af,45,84,18,05,ba,ba,03,84,3e,d5,4e,6a,9c,d6,61,af,45,\
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2c81e34222e8052573023a60d06dd016"=hex:ff,7c,85,e0,43,d4,0e,fe,05,72,8c,2d,fc,
a1,01,c3,ff,7c,85,e0,43,d4,0e,fe,c0,5b,0b,e3,20,24,38,2a,ff,7c,85,e0,43,d4,\
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2582ae41fb52324423be06337561aa48"=hex:86,8c,21,01,be,91,eb,e7,2e,98,d5,90,75,
0a,08,18,86,8c,21,01,be,91,eb,e7,86,a4,37,84,9f,d2,83,22,86,8c,21,01,be,91,\
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"caaeda5fd7a9ed7697d9686d4b818472"=hex:e9,02,6c,fa,fb,1d,47,57,e5,f8,52,89,fa,
9a,2c,9b,f5,1d,4d,73,a8,13,5c,05,0b,80,38,36,d6,8c,39,35,f5,1d,4d,73,a8,13,\
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"a4a1bcf2cc2b8bc3716b74b2b4522f5d"=hex:50,93,e5,ab,ec,6a,4e,ab,34,e2,51,23,43,
45,a9,da,df,20,58,62,78,6b,cf,c8,9b,02,1f,a0,96,0e,e1,1a,df,20,58,62,78,6b,\
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"4d370831d2c43cd13623e232fed27b7b"=hex:fb,a7,78,e6,12,2f,9a,ea,eb,af,86,74,8a,
06,38,22,fb,a7,78,e6,12,2f,9a,ea,78,bb,49,ea,d0,91,6e,2e,fb,a7,78,e6,12,2f,\
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1d68fe701cdea33e477eb204b76f993d"=hex:aa,52,c6,00,84,3c,26,64,58,71,18,f4,fd,
4e,c0,e2,01,3a,48,fc,e8,04,4a,f1,e7,9a,61,68,de,f4,9a,20,01,3a,48,fc,e8,04,\
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1fac81b91d8e3c5aa4b0a51804d844a3"=hex:f6,0f,4e,58,98,5b,89,c9,df,97,3c,1b,32,
0d,86,3b,f6,0f,4e,58,98,5b,89,c9,19,ef,2d,87,da,93,55,bc,f6,0f,4e,58,98,5b,\
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"f5f62a6129303efb32fbe080bb27835b"=hex:b1,cd,45,5a,a8,c4,f8,b9,01,51,06,5e,ad,
90,18,b9,3d,ce,ea,26,2d,45,aa,78,45,0d,a7,20,9e,1e,4a,99,3d,ce,ea,26,2d,45,\
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"fd4e2e1a3940b94dceb5a6a021f2e3c6"=hex:e3,0e,66,d5,eb,bc,2f,6b,5f,d9,82,68,fd,
08,3e,76,2a,b7,cc,b5,b9,7f,41,e7,db,07,a7,86,4b,80,b8,de,2a,b7,cc,b5,b9,7f,\
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"8a8aec57dd6508a385616fbc86791ec2"=hex:6c,43,2d,1e,aa,22,2f,9c,52,43,a1,b3,31,
7e,66,1f,6c,43,2d,1e,aa,22,2f,9c,ee,82,73,fb,2b,1c,3e,9a,6c,43,2d,1e,aa,22,\
.
--------------------- Knihovny navázané na běžící procesy ---------------------
- - - - - - - > 'winlogon.exe'(968)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\vorbis.dll
c:\windows\system32\ogg.dll
- - - - - - - > 'lsass.exe'(1024)
c:\windows\system32\vorbis.dll
c:\windows\system32\ogg.dll
- - - - - - - > 'explorer.exe'(2612)
c:\windows\system32\vorbis.dll
c:\windows\system32\ogg.dll
c:\program files\Windows Media Player\wmpband.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Celkový čas: 2009-04-25 22:23
ComboFix-quarantined-files.txt 2009-04-25 20:23
ComboFix2.txt 2009-04-25 18:41
Před spuštěním: 704 659 456
Po spuštění: 685 469 696
Current=4 Default=4 Failed=2 LastKnownGood=5 Sets=1,2,3,4,5
301 --- E O F --- 2009-04-24 21:37

ComboFix 09-04-25.A1 - Iveta 25.04.2009 22:15.2 - NTFSx86
Systém Microsoft Windows XP Professional 5.1.2600.2.1250.420.1029.18.1023.535 [GMT 2:00]
Spuštěný z: e:\programy\ComboFix.exe
Použité ovládací přepínače :: e:\programy\CFScript.txt
AV: avast! antivirus 4.8.1335 [VPS 090425-0] *On-access scanning disabled* (Updated)
FW: Sunbelt Personal Firewall *disabled*
* Vytvořen nový Bod Obnovení
.
((((((((((((((((((((((((((((((((((((((( Ostatní výmazy )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\append.dll
c:\windows\system32\xlib254.dll
.
((((((((((((((((((((((((( Soubory vytvořené od 2009-05-25 do 2009-4-25 )))))))))))))))))))))))))))))))
.
2009-04-24 19:30 . 2009-04-24 19:30 165 ----a-w c:\windows\system32\drivers\fwdrv.err
2009-04-19 19:01 . 2009-04-19 19:00 410984 ----a-w c:\windows\system32\deploytk.dll
2009-04-19 17:21 . 2009-04-19 17:21 -------- d-----w c:\documents and settings\Iveta\Local Settings\Data aplikací\Sun
2009-04-17 20:21 . 2008-04-21 21:28 216576 -c----w c:\windows\system32\dllcache\wordpad.exe
2009-04-17 20:20 . 2005-07-26 04:42 60416 -c----w c:\windows\system32\dllcache\colbact.dll
2009-04-17 20:20 . 2009-02-06 16:39 227840 -c----w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-17 20:20 . 2009-03-06 14:47 283648 -c----w c:\windows\system32\dllcache\pdh.dll
2009-04-17 20:20 . 2009-02-09 10:22 473088 -c----w c:\windows\system32\dllcache\fastprox.dll
2009-04-17 20:20 . 2009-02-09 10:22 399360 -c----w c:\windows\system32\dllcache\rpcss.dll
2009-04-17 20:20 . 2009-02-09 10:11 111104 -c----w c:\windows\system32\dllcache\services.exe
2009-04-17 20:20 . 2009-02-09 10:22 683520 -c----w c:\windows\system32\dllcache\advapi32.dll
2009-04-17 20:20 . 2009-02-09 10:22 453120 -c----w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-17 20:20 . 2009-02-09 10:22 709632 -c----w c:\windows\system32\dllcache\ntdll.dll
2009-04-09 20:53 . 2009-03-09 19:06 15688 ----a-w c:\windows\system32\lsdelete.exe
2009-04-09 20:25 . 2009-03-09 19:06 64160 ----a-w c:\windows\system32\drivers\Lbd.sys
2009-04-09 20:24 . 2009-04-09 20:24 -------- dc-h--w c:\documents and settings\All Users\Data aplikací\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-04-05 18:06 . 2009-03-10 20:18 454024 ----a-w c:\windows\system32\KB905474\wgasetup.exe
2009-04-05 18:06 . 2009-02-09 16:51 13502 ----a-w c:\windows\system32\KB905474\wga_eula.txt
2009-04-05 18:06 . 2009-04-05 18:06 -------- d-----w c:\windows\system32\KB905474
2009-04-05 18:06 . 2009-03-10 20:26 1435008 ----a-w c:\windows\system32\KB905474\wganotifypackageinner.exe
2009-04-03 19:40 . 2006-08-23 07:12 57344 ----a-w c:\windows\system32\digest32.dll
2009-03-30 19:10 . 2006-08-25 17:56 581632 ----a-w c:\windows\system32\snapapi32.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-25 18:39 . 2001-10-25 12:00 525564 ----a-w c:\windows\system32\perfh005.dat
2009-04-25 18:39 . 2001-10-25 12:00 112630 ----a-w c:\windows\system32\perfc005.dat
2009-04-25 18:34 . 2009-04-22 18:45 1340 ----a-w C:\aaw7boot.log
2009-04-19 19:00 . 2006-05-20 22:49 -------- d-----w c:\program files\Java
2009-04-19 18:14 . 2009-03-22 20:49 -------- d-----w c:\program files\Rapidown
2009-04-19 18:14 . 2008-02-01 23:36 -------- d-s---w c:\program files\Xfire
2009-04-19 18:14 . 2007-12-16 18:23 -------- d-----w c:\documents and settings\Iveta\Data aplikací\uTorrent
2009-04-19 18:12 . 2007-07-05 20:27 -------- d-----w c:\program files\TuneUp Utilities 2006
2009-04-17 21:12 . 2008-02-12 17:38 -------- d-----w c:\documents and settings\All Users\Data aplikací\Microsoft Help
2009-04-09 20:24 . 2009-04-09 20:24 -------- d-----w c:\program files\Lavasoft
2009-04-09 20:24 . 2007-07-05 20:27 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-03-22 15:31 . 2009-03-22 15:31 -------- d-----w c:\documents and settings\All Users\Data aplikací\Firefly Studios
2009-03-22 15:23 . 2006-08-20 11:42 108144 ----a-w c:\windows\system32\CmdLineExt.dll
2009-03-17 17:50 . 2006-03-18 22:52 -------- d--h--w c:\program files\InstallShield Installation Information
2009-03-15 16:31 . 2008-02-13 15:49 -------- d-----w c:\program files\ICQ6
2009-03-06 14:47 . 2001-10-25 12:00 283648 ----a-w c:\windows\system32\pdh.dll
2009-03-03 00:14 . 2001-10-25 12:00 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-20 17:13 . 2006-03-18 23:08 78336 ----a-w c:\windows\system32\ieencode.dll
2009-02-09 14:19 . 2001-10-25 12:00 1846272 ----a-w c:\windows\system32\win32k.sys
2009-02-09 11:52 . 2001-10-24 11:46 2059904 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-09 11:52 . 2001-10-25 12:00 2182656 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-09 10:22 . 2001-10-25 12:00 722432 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 10:22 . 2001-10-25 12:00 399360 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 10:22 . 2001-10-25 12:00 709632 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 10:22 . 2001-10-25 12:00 683520 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 10:11 . 2001-10-25 12:00 111104 ----a-w c:\windows\system32\services.exe
2009-02-06 16:54 . 2001-10-25 12:00 35328 ----a-w c:\windows\system32\sc.exe
2009-02-03 20:11 . 2001-10-25 12:00 55808 ----a-w c:\windows\system32\secur32.dll
2008-04-13 19:45 . 2006-03-18 23:13 69688 -c--a-w c:\documents and settings\Iveta\Local Settings\Data aplikací\GDIPFONTCACHEV1.DAT
2008-04-13 19:43 . 2008-04-13 19:43 159216 -c--a-w c:\documents and settings\LocalService\Local Settings\Data aplikací\FontCache3.0.0.0.dat
2008-02-01 19:45 . 2008-02-01 19:45 32 -c--a-w c:\documents and settings\All Users\Data aplikací\ezsid.dat
2008-01-24 21:13 . 2008-01-24 21:13 22328 -c--a-w c:\documents and settings\Iveta\Data aplikací\PnkBstrK.sys
2007-12-12 15:48 . 2007-06-26 16:45 17920 -c--a-w c:\documents and settings\Iveta\Data aplikací\GDIPFONTCACHEV1.DAT
2007-04-21 23:42 . 2008-07-18 19:06 232448 ----a-w c:\documents and settings\Administrator\nnncleaner.exe
2006-03-19 08:58 . 2006-03-19 08:58 125 -c--a-w c:\documents and settings\Iveta\Local Settings\Data aplikací\fusioncache.dat
2007-03-12 09:2007-07-05 21:47 10:41 . c:\program files\mozilla firefox\components\jar50.dll
2007-03-12 09:2007-07-05 21:47 10:41 . c:\program files\mozilla firefox\components\jsd3250.dll
2007-03-12 09:2007-07-05 21:47 10:41 . c:\program files\mozilla firefox\components\myspell.dll
2007-03-12 09:2007-07-05 21:47 10:41 . c:\program files\mozilla firefox\components\spellchk.dll
2007-03-12 09:2007-07-05 21:47 10:41 . c:\program files\mozilla firefox\components\xpinstal.dll
2006-03-20 19:00 . 2006-03-20 19:00 56 -csh--r c:\windows\system32\979BA2816D.sys
2008-02-22 16:43 . 2008-02-22 16:43 8 -csh--r c:\windows\system32\E6ECD67B1F.sys
2008-02-22 16:43 . 2008-02-22 16:43 952 -csha-w c:\windows\system32\KGyGaAvL.sys
.
((((((((((((((((((((((((((((( SnapShot@2009-04-25_18.36.28 )))))))))))))))))))))))))))))))))))))))))
.
+ 2001-10-25 12:00 . 2009-04-25 18:39 523684 c:\windows\system32\perfh009.dat
+ 2001-10-25 12:00 . 2009-04-25 18:39 101964 c:\windows\system32\perfc009.dat
.
(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TuneUp MemOptimizer"="c:\program files\TuneUp Utilities 2006\MemOptimizer.exe" [2006-10-22 304640]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-17 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="e:\programy\avast!\ashDisp.exe" [2009-02-05 81000]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"QuickTime Task"="e:\programy\quicktime\qttask.exe" [2007-08-16 282624]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-03-09 515416]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-04-19 148888]
"SkyTel"="SkyTel.EXE" - c:\windows\SkyTel.exe [2006-05-16 2879488]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2006-10-30 16269312]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2004-08-17 15360]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"GreyMSIAds"= 1 (0x1)
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"wave1"= serwvdrv.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" /background
"OM_Monitor"=c:\program files\OLYMPUS\OLYMPUS Master\Monitor.exe
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\lib\NMBgMonitor.exe"
"CTFMON.EXE"=c:\windows\system32\ctfmon.exe
"Skype"="c:\program files\Skype\Phone\Skype.exe" /nosplash /minimized
"ICQ"="c:\program files\ICQ6\ICQ.exe" silent
"DAEMON Tools Pro Agent"="c:\program files\DAEMON Tools Pro\DTProAgent.exe"
"PC Suite Tray"="c:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe" -onlytray
"DAEMON Tools"="c:\program files\DAEMON Tools\daemon.exe" -lang 1033
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="e:\programy\quicktime\qttask.exe" -atboottime
"CloneCDTray"="c:\program files\SlySoft\CloneCD\CloneCDTray.exe" /s
"ISUSPM Startup"=c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" -start
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe"
"NeroFilterCheck"=c:\windows\system32\NeroCheck.exe
"OM_Monitor"=c:\program files\OLYMPUS\OLYMPUS Master\FirstStart.exe
"ConMet"=c:\program files\ConMet\ConMet.exe
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_05\bin\jusched.exe"
"Eprogramylot0"=e:\programy\lotus\orgreg\prtStart.exe 10 21 5 10 2008 "e:\programy\lotus\orgreg\orgprt.exe"
"HydraVisionDesktopManager"=c:\program files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe
"SoundMan"=SOUNDMAN.EXE
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Nero\\Nero 7\\Nero Home\\NeroHome.exe"=
"c:\\Program Files\\ICQ6\\ICQ.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Activision\\Call of Duty 2\\CoD2MP_s.exe"=
"c:\\Program Files\\Nokia\\Nokia Software Updater\\nsu_ui_client.exe"=
"c:\\Program Files\\Common Files\\Nokia\\Service Layer\\A\\nsl_host_process.exe"=
"e:\\hry\\crysis\\Bin32\\Crysis.exe"=
"e:\\hry\\crysis\\Bin32\\CrysisDedicatedServer.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"e:\\hry\\Call of Duty 2\\CoD2MP_s.exe"=
"c:\\Program Files\\Xfire\\xfire.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"e:\\programy\\sopcast\\SopCast.exe"=
"e:\\programy\\sopcast\\adv\\SopAdver.exe"=
"e:\\programy\\sopcast\\sopvod.exe"=
"c:\\WINDOWS\\system32\\dplaysvr.exe"=
"g:\\filmy\\AnyTV\\anyTV.exe"=
"c:\\Program Files\\Java\\jre1.6.0_05\\launch4j-tmp\\JDownloader.exe"=
"c:\\Program Files\\Java\\jre1.6.0_05\\bin\\javaw.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"e:\\hry\\Stronghold 2\\Stronghold2.exe"=
"c:\\WINDOWS\\system32\\svchost.exe"=
"c:\\WINDOWS\\system32\\Ati2evxx.exe"=
"c:\\WINDOWS\\System32\\wbem\\wmiprvse.exe"= c:\\WINDOWS\\system32\\wbem\\wmiprvse.exe
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"4719:TCP"= 4719:TCP:4719
R2 SPF4;Sunbelt Personal Firewall 4; [x]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2009-03-09 64160]
S0 sfsync03;StarForce Protection Synchronization Driver (version 3.x);c:\windows\System32\drivers\sfsync03.sys [2005-12-06 35328]
S1 aswSP;avast! Self Protection; [x]
S1 fwdrv;Firewall Driver;c:\windows\system32\drivers\fwdrv.sys [2007-04-26 302000]
S1 khips;Kerio HIPS Driver;c:\windows\system32\drivers\khips.sys [2007-04-26 72624]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2009-02-05 20560]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-03-09 951632]
S3 PSched;Plánovač paketů technologie QoS;c:\windows\system32\DRIVERS\psched.sys [2004-08-03 69120]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Obsah adresáře 'Naplánované úlohy'
2009-02-13 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2006\SystemOptimizer.exe [2006-10-05 12:17]
2009-04-09 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 19:06]
2009-04-24 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-04-05 20:18]
.
.
------- Doplňkový sken -------
.
uStart Page = hxxp://www.seznam.cz/
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: E&xportovat do aplikace Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: {{B4E30F61-16D9-11D3-85D1-005004229569} - {85E0B172-04FA-11D1-B7DA-00A0C90348D6} - e:\programy\lotus\organize\bandobjs.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath -
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-25 22:20
Windows 5.1.2600 Service Pack 2 NTFS
skenování skrytých procesů ...
skenování skrytých položek 'Po spuštění' ...
skenování skrytých souborů ...
sken byl úspešně dokončen
skryté soubory: 0
**************************************************************************
.
--------------------- ZAMKNUTÉ KLÍČE V REGISTRU ---------------------
[HKEY_USERS\S-1-5-21-1644491937-220523388-839522115-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
[HKEY_USERS\S-1-5-21-1644491937-220523388-839522115-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:e0,2a,8e,c9,e5,88,d4,db,22,8a,6f,11,53,69,f6,d6,92,6a,e5,e9,13,b9,38,
1c,48,c2,9c,f1,b4,17,e1,88,85,51,8a,a5,05,ed,da,a1,c2,b1,19,20,18,c1,55,7a,\
"??"=hex:c7,b6,43,bd,5c,0b,4f,bc,38,2b,09,7f,61,9c,31,d3
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"cd042efbbd7f7af1647644e76e06692b"=hex:2e,e8,e1,00,eb,16,2b,de,f8,39,46,e0,dd,
89,ac,42,e2,63,26,f1,3f,c8,ff,68,98,d5,2c,73,35,bf,e5,36,e2,63,26,f1,3f,c8,\
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"bca643cdc5c2726b20d2ecedcc62c59b"=hex:71,3b,04,66,8b,46,0d,96,62,be,61,a0,50,
b8,2f,5f,6a,9c,d6,61,af,45,84,18,05,ba,ba,03,84,3e,d5,4e,6a,9c,d6,61,af,45,\
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2c81e34222e8052573023a60d06dd016"=hex:ff,7c,85,e0,43,d4,0e,fe,05,72,8c,2d,fc,
a1,01,c3,ff,7c,85,e0,43,d4,0e,fe,c0,5b,0b,e3,20,24,38,2a,ff,7c,85,e0,43,d4,\
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2582ae41fb52324423be06337561aa48"=hex:86,8c,21,01,be,91,eb,e7,2e,98,d5,90,75,
0a,08,18,86,8c,21,01,be,91,eb,e7,86,a4,37,84,9f,d2,83,22,86,8c,21,01,be,91,\
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"caaeda5fd7a9ed7697d9686d4b818472"=hex:e9,02,6c,fa,fb,1d,47,57,e5,f8,52,89,fa,
9a,2c,9b,f5,1d,4d,73,a8,13,5c,05,0b,80,38,36,d6,8c,39,35,f5,1d,4d,73,a8,13,\
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"a4a1bcf2cc2b8bc3716b74b2b4522f5d"=hex:50,93,e5,ab,ec,6a,4e,ab,34,e2,51,23,43,
45,a9,da,df,20,58,62,78,6b,cf,c8,9b,02,1f,a0,96,0e,e1,1a,df,20,58,62,78,6b,\
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"4d370831d2c43cd13623e232fed27b7b"=hex:fb,a7,78,e6,12,2f,9a,ea,eb,af,86,74,8a,
06,38,22,fb,a7,78,e6,12,2f,9a,ea,78,bb,49,ea,d0,91,6e,2e,fb,a7,78,e6,12,2f,\
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1d68fe701cdea33e477eb204b76f993d"=hex:aa,52,c6,00,84,3c,26,64,58,71,18,f4,fd,
4e,c0,e2,01,3a,48,fc,e8,04,4a,f1,e7,9a,61,68,de,f4,9a,20,01,3a,48,fc,e8,04,\
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1fac81b91d8e3c5aa4b0a51804d844a3"=hex:f6,0f,4e,58,98,5b,89,c9,df,97,3c,1b,32,
0d,86,3b,f6,0f,4e,58,98,5b,89,c9,19,ef,2d,87,da,93,55,bc,f6,0f,4e,58,98,5b,\
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"f5f62a6129303efb32fbe080bb27835b"=hex:b1,cd,45,5a,a8,c4,f8,b9,01,51,06,5e,ad,
90,18,b9,3d,ce,ea,26,2d,45,aa,78,45,0d,a7,20,9e,1e,4a,99,3d,ce,ea,26,2d,45,\
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"fd4e2e1a3940b94dceb5a6a021f2e3c6"=hex:e3,0e,66,d5,eb,bc,2f,6b,5f,d9,82,68,fd,
08,3e,76,2a,b7,cc,b5,b9,7f,41,e7,db,07,a7,86,4b,80,b8,de,2a,b7,cc,b5,b9,7f,\
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"8a8aec57dd6508a385616fbc86791ec2"=hex:6c,43,2d,1e,aa,22,2f,9c,52,43,a1,b3,31,
7e,66,1f,6c,43,2d,1e,aa,22,2f,9c,ee,82,73,fb,2b,1c,3e,9a,6c,43,2d,1e,aa,22,\
.
--------------------- Dlls Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(968)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\vorbis.dll
c:\windows\system32\ogg.dll
- - - - - - - > 'lsass.exe'(1024)
c:\windows\system32\vorbis.dll
c:\windows\system32\ogg.dll
- - - - - - - > 'explorer.exe'(2612)
c:\windows\system32\vorbis.dll
c:\windows\system32\ogg.dll
c:\program files\Windows Media Player\wmpband.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-04-25 22:23
ComboFix-quarantined-files.txt 2009-04-25 20:23
ComboFix2.txt 2009-04-25 18:41
Pre-Run: 704 659 456
Post-Run: 685 469 696
Current=4 Default=4 Failed=2 LastKnownGood=5 Sets=1,2,3,4,5
301 --- E O F --- 2009-04-24 21:37
- jaro3
- member of the Security team
Re: win32 trojan gen other
So one more script in CF, same procedure:
Code:
KillAll::
File::
c:\windows\system32\digest32.dll
c:\windows\system32\snapapi32.dll
c:\windows\system32\979BA2816D.sys
c:\windows\system32\E6ECD67B1F.sys
c:\windows\system32\KGyGaAvL.sys
Again a log from CF and HJT.
Tomorrow..
When working with HJT, ComboFix, MbAM, SDFix etc., close all other applications and browsers!
Do not send logs in private messages. During my absence I am substituted by memphisto, Žbeky and Orcus.
If you are satisfied, you can support our forum: Forum support
Re: win32 trojan gen other
Hello... here is the new log:
ComboFix 09-04-25.A1 - Iveta 26.04.2009 9:35.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1250.420.1029.18.1023.575 [GMT 2:00]
Running from: e:\programy\ComboFix.exe
Command switches used :: e:\programy\CFScript.txt
AV: avast! antivirus 4.8.1335 [VPS 090425-0] *On-access scanning disabled* (Updated)
FW: Sunbelt Personal Firewall *disabled*
* Created a new restore point
FILE ::
c:\windows\system32\979BA2816D.sys
c:\windows\system32\digest32.dll
c:\windows\system32\E6ECD67B1F.sys
c:\windows\system32\KGyGaAvL.sys
c:\windows\system32\snapapi32.dll
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\979BA2816D.sys
c:\windows\system32\digest32.dll
c:\windows\system32\E6ECD67B1F.sys
c:\windows\system32\KGyGaAvL.sys
c:\windows\system32\snapapi32.dll
.
((((((((((((((((((((((((( Files Created from 2009-05-26 to 2009-4-26 )))))))))))))))))))))))))))))))
.
2009-04-24 19:30 . 2009-04-24 19:30 165 ----a-w c:\windows\system32\drivers\fwdrv.err
2009-04-19 19:01 . 2009-04-19 19:00 410984 ----a-w c:\windows\system32\deploytk.dll
2009-04-19 17:21 . 2009-04-19 17:21 -------- d-----w c:\documents and settings\Iveta\Local Settings\Data aplikací\Sun
2009-04-17 20:21 . 2008-04-21 21:28 216576 -c----w c:\windows\system32\dllcache\wordpad.exe
2009-04-17 20:20 . 2005-07-26 04:42 60416 -c----w c:\windows\system32\dllcache\colbact.dll
2009-04-17 20:20 . 2009-02-06 16:39 227840 -c----w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-17 20:20 . 2009-03-06 14:47 283648 -c----w c:\windows\system32\dllcache\pdh.dll
2009-04-17 20:20 . 2009-02-09 10:22 473088 -c----w c:\windows\system32\dllcache\fastprox.dll
2009-04-17 20:20 . 2009-02-09 10:22 399360 -c----w c:\windows\system32\dllcache\rpcss.dll
2009-04-17 20:20 . 2009-02-09 10:11 111104 -c----w c:\windows\system32\dllcache\services.exe
2009-04-17 20:20 . 2009-02-09 10:22 683520 -c----w c:\windows\system32\dllcache\advapi32.dll
2009-04-17 20:20 . 2009-02-09 10:22 453120 -c----w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-17 20:20 . 2009-02-09 10:22 709632 -c----w c:\windows\system32\dllcache\ntdll.dll
2009-04-09 20:53 . 2009-03-09 19:06 15688 ----a-w c:\windows\system32\lsdelete.exe
2009-04-09 20:25 . 2009-03-09 19:06 64160 ----a-w c:\windows\system32\drivers\Lbd.sys
2009-04-09 20:24 . 2009-04-09 20:24 -------- dc-h--w c:\documents and settings\All Users\Data aplikací\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-04-05 18:06 . 2009-03-10 20:18 454024 ----a-w c:\windows\system32\KB905474\wgasetup.exe
2009-04-05 18:06 . 2009-02-09 16:51 13502 ----a-w c:\windows\system32\KB905474\wga_eula.txt
2009-04-05 18:06 . 2009-04-05 18:06 -------- d-----w c:\windows\system32\KB905474
2009-04-05 18:06 . 2009-03-10 20:26 1435008 ----a-w c:\windows\system32\KB905474\wganotifypackageinner.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-26 07:40 . 2009-04-22 18:45 1788 ----a-w C:\aaw7boot.log
2009-04-26 07:32 . 2001-10-25 12:00 525892 ----a-w c:\windows\system32\perfh005.dat
2009-04-26 07:32 . 2001-10-25 12:00 112742 ----a-w c:\windows\system32\perfc005.dat
2009-04-19 19:00 . 2006-05-20 22:49 -------- d-----w c:\program files\Java
2009-04-19 18:14 . 2009-03-22 20:49 -------- d-----w c:\program files\Rapidown
2009-04-19 18:14 . 2008-02-01 23:36 -------- d-s---w c:\program files\Xfire
2009-04-19 18:14 . 2007-12-16 18:23 -------- d-----w c:\documents and settings\Iveta\Data aplikací\uTorrent
2009-04-19 18:12 . 2007-07-05 20:27 -------- d-----w c:\program files\TuneUp Utilities 2006
2009-04-17 21:12 . 2008-02-12 17:38 -------- d-----w c:\documents and settings\All Users\Data aplikací\Microsoft Help
2009-04-09 20:24 . 2009-04-09 20:24 -------- d-----w c:\program files\Lavasoft
2009-04-09 20:24 . 2007-07-05 20:27 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-03-22 15:31 . 2009-03-22 15:31 -------- d-----w c:\documents and settings\All Users\Data aplikací\Firefly Studios
2009-03-22 15:23 . 2006-08-20 11:42 108144 ----a-w c:\windows\system32\CmdLineExt.dll
2009-03-17 17:50 . 2006-03-18 22:52 -------- d--h--w c:\program files\InstallShield Installation Information
2009-03-15 16:31 . 2008-02-13 15:49 -------- d-----w c:\program files\ICQ6
2009-03-06 14:47 . 2001-10-25 12:00 283648 ----a-w c:\windows\system32\pdh.dll
2009-03-03 00:14 . 2001-10-25 12:00 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-20 17:13 . 2006-03-18 23:08 78336 ----a-w c:\windows\system32\ieencode.dll
2009-02-09 14:19 . 2001-10-25 12:00 1846272 ----a-w c:\windows\system32\win32k.sys
2009-02-09 11:52 . 2001-10-24 11:46 2059904 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-09 11:52 . 2001-10-25 12:00 2182656 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-09 10:22 . 2001-10-25 12:00 722432 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 10:22 . 2001-10-25 12:00 399360 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 10:22 . 2001-10-25 12:00 709632 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 10:22 . 2001-10-25 12:00 683520 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 10:11 . 2001-10-25 12:00 111104 ----a-w c:\windows\system32\services.exe
2009-02-06 16:54 . 2001-10-25 12:00 35328 ----a-w c:\windows\system32\sc.exe
2009-02-03 20:11 . 2001-10-25 12:00 55808 ----a-w c:\windows\system32\secur32.dll
2008-04-13 19:45 . 2006-03-18 23:13 69688 -c--a-w c:\documents and settings\Iveta\Local Settings\Data aplikací\GDIPFONTCACHEV1.DAT
2008-04-13 19:43 . 2008-04-13 19:43 159216 -c--a-w c:\documents and settings\LocalService\Local Settings\Data aplikací\FontCache3.0.0.0.dat
2008-02-01 19:45 . 2008-02-01 19:45 32 -c--a-w c:\documents and settings\All Users\Data aplikací\ezsid.dat
2008-01-24 21:13 . 2008-01-24 21:13 22328 -c--a-w c:\documents and settings\Iveta\Data aplikací\PnkBstrK.sys
2007-12-12 15:48 . 2007-06-26 16:45 17920 -c--a-w c:\documents and settings\Iveta\Data aplikací\GDIPFONTCACHEV1.DAT
2007-04-21 23:42 . 2008-07-18 19:06 232448 ----a-w c:\documents and settings\Administrator\nnncleaner.exe
2006-03-19 08:58 . 2006-03-19 08:58 125 -c--a-w c:\documents and settings\Iveta\Local Settings\Data aplikací\fusioncache.dat
2007-03-12 09:2007-07-05 21:47 10:41 . c:\program files\mozilla firefox\components\jar50.dll
2007-03-12 09:2007-07-05 21:47 10:41 . c:\program files\mozilla firefox\components\jsd3250.dll
2007-03-12 09:2007-07-05 21:47 10:41 . c:\program files\mozilla firefox\components\myspell.dll
2007-03-12 09:2007-07-05 21:47 10:41 . c:\program files\mozilla firefox\components\spellchk.dll
2007-03-12 09:2007-07-05 21:47 10:41 . c:\program files\mozilla firefox\components\xpinstal.dll
.
((((((((((((((((((((((((((((( SnapShot@2009-04-25_18.36.28 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-04-26 07:28 . 2009-04-26 07:28 16384 c:\windows\Temp\Perflib_Perfdata_7fc.dat
+ 2009-04-26 07:41 . 2009-04-26 07:41 16384 c:\windows\Temp\Perflib_Perfdata_604.dat
+ 2009-04-26 07:41 . 2009-04-26 07:41 16384 c:\windows\Temp\Perflib_Perfdata_11c.dat
+ 2001-10-25 12:00 . 2009-04-26 07:32 523992 c:\windows\system32\perfh009.dat
+ 2001-10-25 12:00 . 2009-04-26 07:32 102080 c:\windows\system32\perfc009.dat
.
(((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TuneUp MemOptimizer"="c:\program files\TuneUp Utilities 2006\MemOptimizer.exe" [2006-10-22 304640]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-17 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="e:\programy\avast!\ashDisp.exe" [2009-02-05 81000]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"QuickTime Task"="e:\programy\quicktime\qttask.exe" [2007-08-16 282624]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-03-09 515416]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-04-19 148888]
"SkyTel"="SkyTel.EXE" - c:\windows\SkyTel.exe [2006-05-16 2879488]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2006-10-30 16269312]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2004-08-17 15360]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"GreyMSIAds"= 1 (0x1)
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"wave1"= serwvdrv.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" /background
"OM_Monitor"=c:\program files\OLYMPUS\OLYMPUS Master\Monitor.exe
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\lib\NMBgMonitor.exe"
"CTFMON.EXE"=c:\windows\system32\ctfmon.exe
"Skype"="c:\program files\Skype\Phone\Skype.exe" /nosplash /minimized
"ICQ"="c:\program files\ICQ6\ICQ.exe" silent
"DAEMON Tools Pro Agent"="c:\program files\DAEMON Tools Pro\DTProAgent.exe"
"PC Suite Tray"="c:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe" -onlytray
"DAEMON Tools"="c:\program files\DAEMON Tools\daemon.exe" -lang 1033
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="e:\programy\quicktime\qttask.exe" -atboottime
"CloneCDTray"="c:\program files\SlySoft\CloneCD\CloneCDTray.exe" /s
"ISUSPM Startup"=c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" -start
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe"
"NeroFilterCheck"=c:\windows\system32\NeroCheck.exe
"OM_Monitor"=c:\program files\OLYMPUS\OLYMPUS Master\FirstStart.exe
"ConMet"=c:\program files\ConMet\ConMet.exe
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_05\bin\jusched.exe"
"Eprogramylot0"=e:\programy\lotus\orgreg\prtStart.exe 10 21 5 10 2008 "e:\programy\lotus\orgreg\orgprt.exe"
"HydraVisionDesktopManager"=c:\program files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe
"SoundMan"=SOUNDMAN.EXE
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Nero\\Nero 7\\Nero Home\\NeroHome.exe"=
"c:\\Program Files\\ICQ6\\ICQ.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Activision\\Call of Duty 2\\CoD2MP_s.exe"=
"c:\\Program Files\\Nokia\\Nokia Software Updater\\nsu_ui_client.exe"=
"c:\\Program Files\\Common Files\\Nokia\\Service Layer\\A\\nsl_host_process.exe"=
"e:\\hry\\crysis\\Bin32\\Crysis.exe"=
"e:\\hry\\crysis\\Bin32\\CrysisDedicatedServer.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"e:\\hry\\Call of Duty 2\\CoD2MP_s.exe"=
"c:\\Program Files\\Xfire\\xfire.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"e:\\programy\\sopcast\\SopCast.exe"=
"e:\\programy\\sopcast\\adv\\SopAdver.exe"=
"e:\\programy\\sopcast\\sopvod.exe"=
"c:\\WINDOWS\\system32\\dplaysvr.exe"=
"g:\\filmy\\AnyTV\\anyTV.exe"=
"c:\\Program Files\\Java\\jre1.6.0_05\\launch4j-tmp\\JDownloader.exe"=
"c:\\Program Files\\Java\\jre1.6.0_05\\bin\\javaw.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"e:\\hry\\Stronghold 2\\Stronghold2.exe"=
"c:\\WINDOWS\\system32\\svchost.exe"=
"c:\\WINDOWS\\system32\\Ati2evxx.exe"=
"c:\\WINDOWS\\System32\\wbem\\wmiprvse.exe"= c:\\WINDOWS\\system32\\wbem\\wmiprvse.exe
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"4719:TCP"= 4719:TCP:4719
R2 SPF4;Sunbelt Personal Firewall 4; [x]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2009-03-09 64160]
S0 sfsync03;StarForce Protection Synchronization Driver (version 3.x);c:\windows\System32\drivers\sfsync03.sys [2005-12-06 35328]
S1 aswSP;avast! Self Protection; [x]
S1 fwdrv;Firewall Driver;c:\windows\system32\drivers\fwdrv.sys [2007-04-26 302000]
S1 khips;Kerio HIPS Driver;c:\windows\system32\drivers\khips.sys [2007-04-26 72624]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2009-02-05 20560]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-03-09 951632]
S3 PSched;Plánovač paketů technologie QoS;c:\windows\system32\DRIVERS\psched.sys [2004-08-03 69120]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Contents of the 'Scheduled Tasks' folder
2009-02-13 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2006\SystemOptimizer.exe [2006-10-05 12:17]
2009-04-09 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 19:06]
2009-04-24 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-04-05 20:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.seznam.cz/
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: E&xportovat do aplikace Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: {{B4E30F61-16D9-11D3-85D1-005004229569} - {85E0B172-04FA-11D1-B7DA-00A0C90348D6} - e:\programy\lotus\organize\bandobjs.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath -
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-26 09:42
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-1644491937-220523388-839522115-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
[HKEY_USERS\S-1-5-21-1644491937-220523388-839522115-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:e0,2a,8e,c9,e5,88,d4,db,22,8a,6f,11,53,69,f6,d6,92,6a,e5,e9,13,b9,38,
1c,48,c2,9c,f1,b4,17,e1,88,85,51,8a,a5,05,ed,da,a1,c2,b1,19,20,18,c1,55,7a,\
"??"=hex:c7,b6,43,bd,5c,0b,4f,bc,38,2b,09,7f,61,9c,31,d3
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"cd042efbbd7f7af1647644e76e06692b"=hex:2e,e8,e1,00,eb,16,2b,de,f8,39,46,e0,dd,
89,ac,42,e2,63,26,f1,3f,c8,ff,68,98,d5,2c,73,35,bf,e5,36,e2,63,26,f1,3f,c8,\
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"bca643cdc5c2726b20d2ecedcc62c59b"=hex:71,3b,04,66,8b,46,0d,96,62,be,61,a0,50,
b8,2f,5f,6a,9c,d6,61,af,45,84,18,05,ba,ba,03,84,3e,d5,4e,6a,9c,d6,61,af,45,\
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2c81e34222e8052573023a60d06dd016"=hex:ff,7c,85,e0,43,d4,0e,fe,05,72,8c,2d,fc,
a1,01,c3,ff,7c,85,e0,43,d4,0e,fe,c0,5b,0b,e3,20,24,38,2a,ff,7c,85,e0,43,d4,\
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2582ae41fb52324423be06337561aa48"=hex:86,8c,21,01,be,91,eb,e7,2e,98,d5,90,75,
0a,08,18,86,8c,21,01,be,91,eb,e7,86,a4,37,84,9f,d2,83,22,86,8c,21,01,be,91,\
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"caaeda5fd7a9ed7697d9686d4b818472"=hex:e9,02,6c,fa,fb,1d,47,57,e5,f8,52,89,fa,
9a,2c,9b,f5,1d,4d,73,a8,13,5c,05,0b,80,38,36,d6,8c,39,35,f5,1d,4d,73,a8,13,\
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"a4a1bcf2cc2b8bc3716b74b2b4522f5d"=hex:50,93,e5,ab,ec,6a,4e,ab,34,e2,51,23,43,
45,a9,da,df,20,58,62,78,6b,cf,c8,9b,02,1f,a0,96,0e,e1,1a,df,20,58,62,78,6b,\
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"4d370831d2c43cd13623e232fed27b7b"=hex:fb,a7,78,e6,12,2f,9a,ea,eb,af,86,74,8a,
06,38,22,fb,a7,78,e6,12,2f,9a,ea,78,bb,49,ea,d0,91,6e,2e,fb,a7,78,e6,12,2f,\
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1d68fe701cdea33e477eb204b76f993d"=hex:aa,52,c6,00,84,3c,26,64,58,71,18,f4,fd,
4e,c0,e2,01,3a,48,fc,e8,04,4a,f1,e7,9a,61,68,de,f4,9a,20,01,3a,48,fc,e8,04,\
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1fac81b91d8e3c5aa4b0a51804d844a3"=hex:f6,0f,4e,58,98,5b,89,c9,df,97,3c,1b,32,
0d,86,3b,f6,0f,4e,58,98,5b,89,c9,19,ef,2d,87,da,93,55,bc,f6,0f,4e,58,98,5b,\
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"f5f62a6129303efb32fbe080bb27835b"=hex:b1,cd,45,5a,a8,c4,f8,b9,01,51,06,5e,ad,
90,18,b9,3d,ce,ea,26,2d,45,aa,78,45,0d,a7,20,9e,1e,4a,99,3d,ce,ea,26,2d,45,\
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"fd4e2e1a3940b94dceb5a6a021f2e3c6"=hex:e3,0e,66,d5,eb,bc,2f,6b,5f,d9,82,68,fd,
08,3e,76,2a,b7,cc,b5,b9,7f,41,e7,db,07,a7,86,4b,80,b8,de,2a,b7,cc,b5,b9,7f,\
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"8a8aec57dd6508a385616fbc86791ec2"=hex:6c,43,2d,1e,aa,22,2f,9c,52,43,a1,b3,31,
7e,66,1f,6c,43,2d,1e,aa,22,2f,9c,ee,82,73,fb,2b,1c,3e,9a,6c,43,2d,1e,aa,22,\
.
--------------------- Dlls Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(968)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\vorbis.dll
c:\windows\system32\ogg.dll
- - - - - - - > 'lsass.exe'(1024)
c:\windows\system32\vorbis.dll
c:\windows\system32\ogg.dll
- - - - - - - > 'explorer.exe'(3288)
c:\windows\system32\vorbis.dll
c:\windows\system32\ogg.dll
c:\program files\Windows Media Player\wmpband.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Nokia\Nokia PC Suite 7\PhoneBrowser.dll
c:\program files\Nokia\Nokia PC Suite 7\NGSCM.DLL
c:\program files\Nokia\Nokia PC Suite 7\Lang\PhoneBrowser_cze.nlr
c:\program files\Nokia\Nokia PC Suite 7\Resource\PhoneBrowser_Nokia.ngr
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
e:\programy\avast!\aswUpdSv.exe
e:\programy\avast!\ashServ.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\PnkBstrB.exe
e:\programy\avast!\ashMaiSv.exe
c:\windows\system32\wbem\unsecapp.exe
e:\programy\avast!\ashWebSv.exe
.
**************************************************************************
.
Completion time: 2009-04-26 9:47 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-26 07:47
ComboFix2.txt 2009-04-25 20:23
ComboFix3.txt 2009-04-25 18:41
Pre-Run: 668 491 776
Post-Run: 648 318 976
Current=4 Default=4 Failed=2 LastKnownGood=5 Sets=1,2,3,4,5
328 --- E O F --- 2009-04-24 21:37
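An added example (not from the thread, and not ComboFix's own code) that does mechanically what the helper does by eye when the second log comes back: it parses the CFScript jaro3 posted and the log Iveta returned, and confirms that every path under File:: was echoed back by ComboFix under FILE :: and then appears under Other Deletions. Anything requested but not deleted (a locked file, something hidden by a rootkit, or a typo in the script) and anything deleted without being requested is reported separately. It also reads the AV:/FW: status lines, because this log shows both avast's on-access scanner and the Sunbelt firewall disabled during the run. The embedded script and log excerpt are reconstructed from the two posts above, with the section banner in the English ComboFix wording; every function name here is this example's own.

```python
"""Cross-check a ComboFix CFScript against the log ComboFix produced from it.
Added example, not from the thread and not ComboFix's own code. CFSCRIPT is the
script jaro3 posted; COMBOFIX_LOG is a trimmed excerpt of the log Iveta returned,
with the section banner in the English ComboFix wording (the posted log is Czech).
"""
import re

CFSCRIPT = r"""
KillAll::
File::
c:\windows\system32\digest32.dll
c:\windows\system32\snapapi32.dll
c:\windows\system32\979BA2816D.sys
c:\windows\system32\E6ECD67B1F.sys
c:\windows\system32\KGyGaAvL.sys
"""

COMBOFIX_LOG = r"""
ComboFix 09-04-25.A1 - Iveta 26.04.2009 9:35.3 - NTFSx86
Command switches used :: e:\programy\CFScript.txt
AV: avast! antivirus 4.8.1335 [VPS 090425-0] *On-access scanning disabled* (Updated)
FW: Sunbelt Personal Firewall *disabled*
FILE ::
c:\windows\system32\979BA2816D.sys
c:\windows\system32\digest32.dll
c:\windows\system32\E6ECD67B1F.sys
c:\windows\system32\KGyGaAvL.sys
c:\windows\system32\snapapi32.dll
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\979BA2816D.sys
c:\windows\system32\digest32.dll
c:\windows\system32\E6ECD67B1F.sys
c:\windows\system32\KGyGaAvL.sys
c:\windows\system32\snapapi32.dll
.
"""

DIRECTIVE_RE = re.compile(r"^(\w+)::\s*$")        # "KillAll::", "File::"
BANNER_RE = re.compile(r"^\(+\s*(.*?)\s*\)+$")    # "((( Section name )))"
STATE_RE = re.compile(r"^(AV|FW):\s*(.+?)\s*\*(.+?)\*")

def parse_cfscript(text):
    """{directive: [argument lines]}; a directive is a line ending in '::'."""
    directives, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        m = DIRECTIVE_RE.match(line)
        if m:
            current = m.group(1)
            directives.setdefault(current, [])
        elif line and current is not None:
            directives[current].append(line)
    return directives

def parse_combofix_log(text):
    """{section: [lines]}, split on the '((( ... )))' banners; the text before
    the first banner is 'header'. Lone '.' separator lines are dropped."""
    sections, current = {"header": []}, "header"
    for line in (raw.rstrip() for raw in text.splitlines()):
        if not line or line == ".":
            continue
        m = BANNER_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
        else:
            sections[current].append(line)
    return sections

def _norm(path):
    return path.strip().lower().replace("/", "\\")   # Windows paths are case-insensitive

def check_deletions(cfscript_text, log_text):
    """Compare the File:: list with what ComboFix echoed back ('FILE ::') and
    what it reports under 'Other Deletions'."""
    requested = {_norm(p) for p in parse_cfscript(cfscript_text).get("File", [])}
    sections = parse_combofix_log(log_text)
    header = sections["header"]
    echo_start = next((i for i, h in enumerate(header) if h.strip().upper() == "FILE ::"), len(header))
    echoed = {_norm(p) for p in header[echo_start + 1:]}
    deleted = {_norm(p) for p in sections.get("Other Deletions", [])}
    return {
        "requested": sorted(requested),
        "not_echoed": sorted(requested - echoed),    # ComboFix never took the line up
        "not_deleted": sorted(requested - deleted),  # still there: locked, hidden or a typo
        "unrequested": sorted(deleted - requested),  # ComboFix's own heuristics fired
    }

def protection_state(log_text):
    """AV:/FW: lines -> product, status text, and whether it was active during the run."""
    state = {}
    for line in log_text.splitlines():
        m = STATE_RE.match(line.strip())
        if m:
            kind, product, status = m.groups()
            state[kind] = {"product": product, "status": status,
                           "enabled": "disabled" not in status.lower()}
    return state

if __name__ == "__main__":
    for key, paths in check_deletions(CFSCRIPT, COMBOFIX_LOG).items():
        print(f"{key}: {paths or '-'}")
    for kind, st in protection_state(COMBOFIX_LOG).items():
        print(f"{kind}: {st['product']} -> {st['status']}")
```

For the log above all four lists except `requested` come back empty, which is the outcome the helper is looking for. A non-empty `not_deleted` is the interesting case: the path was accepted but ComboFix could not remove it, which usually means a driver still holding it or a rootkit hiding it, and is the point at which a different tool is needed rather than re-running the same script. The AV line reading `On-access scanning disabled` is expected while ComboFix runs (it asks for that), but the firewall line shows Sunbelt disabled as well, and that is worth turning back on once the cleanup is done.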
"c:\\Program Files\\Common Files\\Nokia\\Service Layer\\A\\nsl_host_process.exe"=
"e:\\hry\\crysis\\Bin32\\Crysis.exe"=
"e:\\hry\\crysis\\Bin32\\CrysisDedicatedServer.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"e:\\hry\\Call of Duty 2\\CoD2MP_s.exe"=
"c:\\Program Files\\Xfire\\xfire.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"e:\\programy\\sopcast\\SopCast.exe"=
"e:\\programy\\sopcast\\adv\\SopAdver.exe"=
"e:\\programy\\sopcast\\sopvod.exe"=
"c:\\WINDOWS\\system32\\dplaysvr.exe"=
"g:\\filmy\\AnyTV\\anyTV.exe"=
"c:\\Program Files\\Java\\jre1.6.0_05\\launch4j-tmp\\JDownloader.exe"=
"c:\\Program Files\\Java\\jre1.6.0_05\\bin\\javaw.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"e:\\hry\\Stronghold 2\\Stronghold2.exe"=
"c:\\WINDOWS\\system32\\svchost.exe"=
"c:\\WINDOWS\\system32\\Ati2evxx.exe"=
"c:\\WINDOWS\\System32\\wbem\\wmiprvse.exe"= c:\\WINDOWS\\system32\\wbem\\wmiprvse.exe
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"4719:TCP"= 4719:TCP:4719
R2 SPF4;Sunbelt Personal Firewall 4; [x]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2009-03-09 64160]
S0 sfsync03;StarForce Protection Synchronization Driver (version 3.x);c:\windows\System32\drivers\sfsync03.sys [2005-12-06 35328]
S1 aswSP;avast! Self Protection; [x]
S1 fwdrv;Firewall Driver;c:\windows\system32\drivers\fwdrv.sys [2007-04-26 302000]
S1 khips;Kerio HIPS Driver;c:\windows\system32\drivers\khips.sys [2007-04-26 72624]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2009-02-05 20560]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-03-09 951632]
S3 PSched;Plánovač paketů technologie QoS;c:\windows\system32\DRIVERS\psched.sys [2004-08-03 69120]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Obsah adresáře 'Naplánované úlohy'
2009-02-13 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2006\SystemOptimizer.exe [2006-10-05 12:17]
2009-04-09 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 19:06]
2009-04-24 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-04-05 20:18]
.
.
------- Doplňkový sken -------
.
uStart Page = hxxp://www.seznam.cz/
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: E&xportovat do aplikace Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: {{B4E30F61-16D9-11D3-85D1-005004229569} - {85E0B172-04FA-11D1-B7DA-00A0C90348D6} - e:\programy\lotus\organize\bandobjs.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath -
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-26 09:42
Windows 5.1.2600 Service Pack 2 NTFS
skenování skrytých procesů ...
skenování skrytých položek 'Po spuštění' ...
skenování skrytých souborů ...
sken byl úspešně dokončen
skryté soubory: 0
**************************************************************************
.
--------------------- ZAMKNUTÉ KLÍČE V REGISTRU ---------------------
[HKEY_USERS\S-1-5-21-1644491937-220523388-839522115-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
[HKEY_USERS\S-1-5-21-1644491937-220523388-839522115-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:e0,2a,8e,c9,e5,88,d4,db,22,8a,6f,11,53,69,f6,d6,92,6a,e5,e9,13,b9,38,
1c,48,c2,9c,f1,b4,17,e1,88,85,51,8a,a5,05,ed,da,a1,c2,b1,19,20,18,c1,55,7a,\
"??"=hex:c7,b6,43,bd,5c,0b,4f,bc,38,2b,09,7f,61,9c,31,d3
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"cd042efbbd7f7af1647644e76e06692b"=hex:2e,e8,e1,00,eb,16,2b,de,f8,39,46,e0,dd,
89,ac,42,e2,63,26,f1,3f,c8,ff,68,98,d5,2c,73,35,bf,e5,36,e2,63,26,f1,3f,c8,\
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"bca643cdc5c2726b20d2ecedcc62c59b"=hex:71,3b,04,66,8b,46,0d,96,62,be,61,a0,50,
b8,2f,5f,6a,9c,d6,61,af,45,84,18,05,ba,ba,03,84,3e,d5,4e,6a,9c,d6,61,af,45,\
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2c81e34222e8052573023a60d06dd016"=hex:ff,7c,85,e0,43,d4,0e,fe,05,72,8c,2d,fc,
a1,01,c3,ff,7c,85,e0,43,d4,0e,fe,c0,5b,0b,e3,20,24,38,2a,ff,7c,85,e0,43,d4,\
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2582ae41fb52324423be06337561aa48"=hex:86,8c,21,01,be,91,eb,e7,2e,98,d5,90,75,
0a,08,18,86,8c,21,01,be,91,eb,e7,86,a4,37,84,9f,d2,83,22,86,8c,21,01,be,91,\
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"caaeda5fd7a9ed7697d9686d4b818472"=hex:e9,02,6c,fa,fb,1d,47,57,e5,f8,52,89,fa,
9a,2c,9b,f5,1d,4d,73,a8,13,5c,05,0b,80,38,36,d6,8c,39,35,f5,1d,4d,73,a8,13,\
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"a4a1bcf2cc2b8bc3716b74b2b4522f5d"=hex:50,93,e5,ab,ec,6a,4e,ab,34,e2,51,23,43,
45,a9,da,df,20,58,62,78,6b,cf,c8,9b,02,1f,a0,96,0e,e1,1a,df,20,58,62,78,6b,\
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"4d370831d2c43cd13623e232fed27b7b"=hex:fb,a7,78,e6,12,2f,9a,ea,eb,af,86,74,8a,
06,38,22,fb,a7,78,e6,12,2f,9a,ea,78,bb,49,ea,d0,91,6e,2e,fb,a7,78,e6,12,2f,\
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1d68fe701cdea33e477eb204b76f993d"=hex:aa,52,c6,00,84,3c,26,64,58,71,18,f4,fd,
4e,c0,e2,01,3a,48,fc,e8,04,4a,f1,e7,9a,61,68,de,f4,9a,20,01,3a,48,fc,e8,04,\
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1fac81b91d8e3c5aa4b0a51804d844a3"=hex:f6,0f,4e,58,98,5b,89,c9,df,97,3c,1b,32,
0d,86,3b,f6,0f,4e,58,98,5b,89,c9,19,ef,2d,87,da,93,55,bc,f6,0f,4e,58,98,5b,\
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"f5f62a6129303efb32fbe080bb27835b"=hex:b1,cd,45,5a,a8,c4,f8,b9,01,51,06,5e,ad,
90,18,b9,3d,ce,ea,26,2d,45,aa,78,45,0d,a7,20,9e,1e,4a,99,3d,ce,ea,26,2d,45,\
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"fd4e2e1a3940b94dceb5a6a021f2e3c6"=hex:e3,0e,66,d5,eb,bc,2f,6b,5f,d9,82,68,fd,
08,3e,76,2a,b7,cc,b5,b9,7f,41,e7,db,07,a7,86,4b,80,b8,de,2a,b7,cc,b5,b9,7f,\
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"8a8aec57dd6508a385616fbc86791ec2"=hex:6c,43,2d,1e,aa,22,2f,9c,52,43,a1,b3,31,
7e,66,1f,6c,43,2d,1e,aa,22,2f,9c,ee,82,73,fb,2b,1c,3e,9a,6c,43,2d,1e,aa,22,\
.
--------------------- Knihovny navázané na běžící procesy ---------------------
- - - - - - - > 'winlogon.exe'(968)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\vorbis.dll
c:\windows\system32\ogg.dll
- - - - - - - > 'lsass.exe'(1024)
c:\windows\system32\vorbis.dll
c:\windows\system32\ogg.dll
- - - - - - - > 'explorer.exe'(3288)
c:\windows\system32\vorbis.dll
c:\windows\system32\ogg.dll
c:\program files\Windows Media Player\wmpband.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Nokia\Nokia PC Suite 7\PhoneBrowser.dll
c:\program files\Nokia\Nokia PC Suite 7\NGSCM.DLL
c:\program files\Nokia\Nokia PC Suite 7\Lang\PhoneBrowser_cze.nlr
c:\program files\Nokia\Nokia PC Suite 7\Resource\PhoneBrowser_Nokia.ngr
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Jiné spuštené procesy ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
e:\programy\avast!\aswUpdSv.exe
e:\programy\avast!\ashServ.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\PnkBstrB.exe
e:\programy\avast!\ashMaiSv.exe
c:\windows\system32\wbem\unsecapp.exe
e:\programy\avast!\ashWebSv.exe
.
**************************************************************************
.
Celkový čas: 2009-04-26 9:47 - počítač byl restartován
ComboFix-quarantined-files.txt 2009-04-26 07:47
ComboFix2.txt 2009-04-25 20:23
ComboFix3.txt 2009-04-25 18:41
Před spuštěním: 668 491 776
Po spuštění: 648 318 976
Current=4 Default=4 Failed=2 LastKnownGood=5 Sets=1,2,3,4,5
328 --- E O F --- 2009-04-24 21:37
- jaro3
- Security team member
Re: win32 trojan gen other
Also a fresh log from HJT, please.
When working with HJT, ComboFix, MbAM, SDFix and similar tools, close all other applications and browsers!
Do not send logs in private messages. During my absence, memphisto, Žbeky and Orcus stand in for me.
If you are satisfied, you can support our forum: Forum support
Re: win32 trojan gen other
here:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:02:08, on 26.4.2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
E:\programy\avast!\aswUpdSv.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
E:\programy\avast!\ashServ.exe
C:\WINDOWS\Explorer.EXE
E:\programy\avast!\ashDisp.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\TuneUp Utilities 2006\MemOptimizer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\System32\svchost.exe
E:\programy\avast!\ashMaiSv.exe
E:\programy\avast!\ashWebSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.seznam.cz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
R3 - URLSearchHook: (no name) - {855F3B16-6D32-4fe6-8A56-BBB695989046} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [avast!] E:\programy\avast!\ashDisp.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [QuickTime Task] "E:\programy\quicktime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [TuneUp MemOptimizer] "C:\Program Files\TuneUp Utilities 2006\MemOptimizer.exe" autostart
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xportovat do aplikace Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Odeslat do aplikace OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: Od&eslat do aplikace OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Web Entry - {B4E30F61-16D9-11D3-85D1-005004229569} - e:\programy\lotus\organize\bandobjs.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.tiscali.cz
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - E:\programy\avast!\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - E:\programy\avast!\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - E:\programy\avast!\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - E:\programy\avast!\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Sunbelt Personal Firewall 4 (SPF4) - Unknown owner - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe (file missing)
--
End of file - 7034 bytes