Winlogon.exe - virus? - 100 CPU? More nonsense?

Post by bledulka » 20 Jul 2010 14:04

If you think it's fine now, okay, but I think it isn't yet. NOD doesn't necessarily find everything either, and that winlogon virus wasn't the only one there.
If you want to continue, run that scan with MBAM :lookround:

Post by nardeus » 20 Jul 2010 15:39

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Verze databáze: 4331

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

20.7.2010 15:38:19
mbam-log-2010-07-20 (15-38-19).txt

Typ skenu: Rychlý sken
Skenované objekty: 135311
Uplynulý čas: 7 minuta(y), 15 sekunda(y)

Infikované procesy v paměti: 1
Infikované moduly v paměti: 0
Infikované klíče registru: 4
Infikované hodnoty registru: 5
Infikované datové položky registru: 0
Infikované složky: 4
Infikované soubory: 23

Infikované procesy v paměti:
E:\Documents and Settings\Administrator\Data aplikací\nvdisp.exe (Trojan.Banker) -> No action taken.

Infikované moduly v paměti:
(Žádné škodlivé položky nebyly zjištěny)

Infikované klíče registru:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{xq881j2h-07ya-wrbn-4p25-xn85w68vyevt} (Generic.Bot.H) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{147a976f-eee1-4377-8ea7-4716e4cdd239} (Adware.MyWebSearch) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\advantage (Adware.Vomba) -> No action taken.
HKEY_CURRENT_USER\Software\VB and VBA Program Settings\SrvID (Malware.Trace) -> No action taken.

Infikované hodnoty registru:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nvidia (Trojan.Banker) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nvidia (Trojan.Banker) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\isass (Worm.Brontok) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\taskman (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\isass (Worm.Brontok) -> No action taken.

Infikované datové položky registru:
(Žádné škodlivé položky nebyly zjištěny)

Infikované složky:
E:\Documents and Settings\Administrator\Data aplikací\advantage (Adware.Vomba) -> No action taken.
E:\Program Files\Advantage (Adware.Advantage) -> No action taken.
E:\Program Files\RelevantKnowledge (Spyware.MarketScore) -> No action taken.
E:\Documents and Settings\All Users\Nabídka Start\Programy\RelevantKnowledge (Spyware.MarketScore) -> No action taken.

Infikované soubory:
E:\Program Files\Mozilla Firefox\Components\AdVComponent.dll (Adware.Vomba) -> No action taken.
E:\RECYCLER\S-1-5-21-3191564356-9195284611-998139079-7127\rundll32.exe (Worm.Autorun.B) -> No action taken.
E:\Documents and Settings\Administrator\Data aplikací\advantage\about_AdVantage.mht (Adware.Vomba) -> No action taken.
E:\Documents and Settings\Administrator\Data aplikací\advantage\advantage.cfg (Adware.Vomba) -> No action taken.
E:\Documents and Settings\Administrator\Data aplikací\advantage\advantage.mht (Adware.Vomba) -> No action taken.
E:\Program Files\RelevantKnowledge\rlservice.exe (Spyware.MarketScore) -> No action taken.
E:\Documents and Settings\All Users\Nabídka Start\Programy\RelevantKnowledge\About RelevantKnowledge.lnk (Spyware.MarketScore) -> No action taken.
E:\Documents and Settings\All Users\Nabídka Start\Programy\RelevantKnowledge\Privacy Policy and User License Agreement.lnk (Spyware.MarketScore) -> No action taken.
E:\Documents and Settings\All Users\Nabídka Start\Programy\RelevantKnowledge\Support.lnk (Spyware.MarketScore) -> No action taken.
E:\Documents and Settings\All Users\Nabídka Start\Programy\RelevantKnowledge\Uninstall Instructions.lnk (Spyware.MarketScore) -> No action taken.
E:\Program Files\Common Files\WUDHost.exe (Backdoor.Agent.Gen) -> No action taken.
E:\Documents and Settings\Administrator\Data aplikací\chrtmp (Malware.Trace) -> No action taken.
E:\Documents and Settings\Administrator\Data aplikací\data.dat (Stolen.Data) -> No action taken.
E:\Documents and Settings\Administrator\Data aplikací\logs.dat (Bifrose.Trace) -> No action taken.
E:\Documents and Settings\Administrator\Data aplikací\Microsoft\svchost.exe (Backdoor.Bot) -> No action taken.
E:\Documents and Settings\Administrator\Data aplikací\nvdisp.exe (Trojan.Banker) -> No action taken.
E:\Documents and Settings\Administrator\Data aplikací\winlogon.exe (Trojan.Agent) -> No action taken.
E:\Documents and Settings\Administrator\Local Settings\Temp\IEPASS.abc (Malware.Trace) -> No action taken.
E:\Documents and Settings\Administrator\Local Settings\Temp\MSN.abc (Malware.Trace) -> No action taken.
E:\Documents and Settings\Administrator\Local Settings\Temp\test.exe (Trojan.Zlob) -> No action taken.
E:\Documents and Settings\Administrator\Local Settings\Temp\XxX.xXx (Malware.Trace) -> No action taken.
E:\Documents and Settings\Administrator\Local Settings\Temp\xxxyyyzzz.dat (Malware.Trace) -> No action taken.
E:\Documents and Settings\Administrator\Data aplikací\Isass.Exe (Worm.Brontok) -> No action taken.

Post by bledulka » 20 Jul 2010 16:22

Delete everything in MBAM.

Download ComboFix to your desktop - http://download.bleepingcomputer.com/sUBs/ComboFix.exe
- Before using it, turn off all resident security programs - antivirus, firewalls, antispyware
- Close all active windows and run it under an account with administrator rights
- After launch, the terms of use are displayed; confirm them by pressing the Yes button
- Then follow the instructions; while ComboFix is running, do not click in the window that appears
- When the scan finishes, the log C:\ComboFix.txt is created; copy its entire contents here.

Post by nardeus » 20 Jul 2010 18:12

ComboFix 10-07-19.05 - Administrator 20.07.2010 18:02:10.1.1 - x86
Systém Microsoft Windows XP Professional 5.1.2600.3.1250.420.1029.18.1023.384 [GMT 2:00]
Spuštěný z: e:\documents and settings\Administrator\Dokumenty\Downloads\ComboFix.exe
AV: ESET NOD32 Antivirus 3.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
.

((((((((((((((((((((((((((((((((((((((( Ostatní výmazy )))))))))))))))))))))))))))))))))))))))))))))))))
.

e:\documents and settings\Administrator\Data aplikací\Microsoft\svchost.exe
e:\documents and settings\Administrator\Dokumenty\cc_20100719_175617.reg
e:\program files\RelevantKnowledge
e:\program files\RelevantKnowledge\rlservice.exe
e:\windows\settings.reg
e:\windows\system32\Data
e:\windows\wpe pro.INI

.
((((((((((((((((((((((((( Soubory vytvořené od 2010-06-20 do 2010-07-20 )))))))))))))))))))))))))))))))
.

2010-07-20 13:29 . 2010-04-29 13:39 38224 ----a-w- e:\windows\system32\drivers\mbamswissarmy.sys
2010-07-20 13:29 . 2010-04-29 13:39 20952 ----a-w- e:\windows\system32\drivers\mbam.sys
2010-07-20 13:29 . 2010-07-20 13:29 -------- d-----w- e:\program files\Malwarebytes' Anti-Malware
2010-07-19 17:10 . 2010-07-19 17:10 -------- d-----w- e:\program files\Hijack
2010-07-19 15:45 . 2010-07-19 15:45 -------- d-----w- e:\program files\CCleaner
2010-07-15 12:45 . 2010-07-15 12:45 -------- d--h--w- e:\windows\system32\GroupPolicy
2010-07-14 06:03 . 2010-06-14 14:31 744448 -c----w- e:\windows\system32\dllcache\helpsvc.exe
2010-07-11 18:01 . 2010-07-11 18:01 26624 ---h--w- e:\windows\system32\audiohd.exe
2010-07-11 18:01 . 2010-07-11 18:01 26624 ---h--w- e:\program files\Common Files\WUDHost.exe
2010-06-30 14:47 . 2010-06-30 14:47 -------- d-----w- e:\windows\1C4551A64743409391E41477CD655043.TMP

.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-20 16:09 . 2010-04-10 16:08 -------- d-----w- e:\program files\Common Files\Akamai
2010-07-16 18:18 . 2010-03-10 15:17 -------- d-----w- e:\program files\NCSoft
2010-06-30 14:47 . 2009-10-16 13:27 -------- d-----w- e:\program files\Common Files\Wise Installation Wizard
2010-06-30 14:45 . 2009-08-14 18:33 -------- d--h--w- e:\program files\InstallShield Installation Information
2010-06-23 19:52 . 2001-10-25 14:00 85556 ----a-w- e:\windows\system32\perfc005.dat
2010-06-23 19:52 . 2001-10-25 14:00 446580 ----a-w- e:\windows\system32\perfh005.dat
2010-06-17 11:22 . 2009-11-08 17:19 -------- d-----w- e:\program files\Common Files\Adobe
2010-06-14 14:31 . 2009-08-14 18:17 744448 ----a-w- e:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-05-25 16:14 . 2010-05-25 16:14 -------- d-----w- e:\program files\DIFX
2010-05-06 10:35 . 2004-08-17 13:49 916480 ----a-w- e:\windows\system32\wininet.dll
2010-05-02 08:09 . 2004-08-17 13:44 1851264 ----a-w- e:\windows\system32\win32k.sys
2010-04-28 09:53 . 2010-04-27 18:02 96 ---ha-w- e:\windows\system32\HsInfo.dat
2009-10-26 13:51 . 2009-10-26 13:56 0 ----a-w- e:\program files\5b513cd108dc1c0eb8ffc39b495d82ba.db
2009-09-07 17:33 . 2009-09-07 17:33 227696 ----a-w- e:\program files\mozilla firefox\components\AdVComponent.dll
.

(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="e:\documents and settings\Administrator\Local Settings\Data aplikací\Google\Update\GoogleUpdate.exe" [2009-08-15 133104]
"Skype"="e:\program files\Skype\Phone\Skype.exe" [2010-04-06 26102056]
"LightScribe Control Panel"="e:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2007-06-20 451872]
"Steam"="c:\program files\steam\steam.exe" [2010-07-20 1238352]
"CTRegRun"="e:\windows\CTRegRun.EXE" [2006-10-06 53248]
"DriverUpdaterPro"="e:\program files\iXi Tools\Driver Updater Pro\DriverUpdaterPro.exe" [2009-10-30 2765860]
"NVIDIA"="e:\documents and settings\Administrator\Data aplikací\nvdisp.exe" [2010-07-19 139145]
"Isass"="e:\documents and settings\Administrator\Data aplikací\Isass.exe" [2010-07-19 221704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Photo Downloader"="c:\adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 63712]
"CTSysVol"="c:\program files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2005-10-31 57344]
"P17Helper"="P17.dll" [2005-05-03 64512]
"UpdReg"="e:\windows\UpdReg.EXE" [2000-05-11 90112]
"egui"="e:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-10-07 1461080]
"diagent"="e:\program files\Creative\Diagnostics\diagent.exe" [2002-04-03 135264]
"C-Media Mixer"="Mixer.exe" [2002-10-15 1818624]
"Lachesis"="c:\program files\Razer\Lachesis\razerhid.exe" [2007-09-12 172032]
"NVIDIA"="e:\documents and settings\Administrator\Data aplikací\nvdisp.exe" [2010-07-19 139145]
"Isass"="e:\documents and settings\Administrator\Data aplikací\Isass.exe" [2010-07-19 221704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"MixerDef"="MixerDef.Exe" [2002-05-09 24576]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="e:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
"Isass"="e:\documents and settings\Administrator\Data aplikací\Isass.exe" [2010-07-19 221704]

e:\documents and settings\Administrator\Nabˇdka Start\Programy\Po spuçtŘnˇ\
Adobe Gamma.lnk - e:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]
hamachi.lnk - e:\program files\Hamachi\hamachi.exe [2009-11-17 624416]

e:\documents and settings\All Users\Nabˇdka Start\Programy\Po spuçtŘnˇ\
Orbit.lnk - e:\program files\Orbitdownloader\orbitdm.exe [2009-8-27 1719568]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"e:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"e:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"e:\\Program Files\\Orbitdownloader\\orbitdm.exe"=
"e:\\Program Files\\Orbitdownloader\\orbitnet.exe"=
"e:\\Program Files\\AresTorrentDownloader\\AresTorrentDownloader.exe"=
"e:\\Program Files\\Metin2_CZ\\metin2.bin"=
"e:\\Program Files\\Common Files\\Ahead\\Nero Web\\SetupX.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WOW 3.2.2!\\WoW-3.1.3.9947-to-3.2.0.10192-enGB-downloader.exe"=
"c:\\WOW 3.2.2!\\Launcher.exe"=
"c:\\WOW 3.2.2!\\WoW-3.2.0.10192-to-3.2.0.10314-enGB-downloader.exe"=
"c:\\WOW 3.2.2!\\WoW-3.2.0.10314-to-3.2.2.10482-enGB-downloader.exe"=
"c:\\WOW 3.2.2!\\WoW-3.2.2.10482-to-3.2.2.10505-enGB-downloader.exe"=
"e:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"e:\\Program Files\\TeamViewer\\Version4\\TeamViewer.exe"=
"e:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"e:\\Documents and Settings\\Administrator\\Data aplikací\\uTorrent\\utorrent.exe"=
"c:\\Program Files\\Counter-Strike 1.6\\hl.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"e:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Steam\\steamapps\\nardeuss\\condition zero deleted scenes\\hl.exe"=
"c:\\Games\\Counter-Strike Source\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\nardeuss\\counter-strike beta\\hl.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\left 4 dead\\srcds.exe"=
"c:\\Program Files\\Steam\\steamapps\\nardeuss\\condition zero\\hl.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\shattered_horizon\\client_exe\\shattered_horizon.exe"=
"Microsoft Windows Hosting Service Login"= e:\docume~1\ADMINI~1\LOCALS~1\Temp\scvhost.exe
"c:\\Program Files\\FlatOut2\\FlatOut2.exe"=
"Windows SafeAssign"= e:\documents and settings\Administrator\Data aplikací\winlogon.exe
"Microsoft SecureAssist"= e:\documents and settings\Administrator\Data aplikací\winlogon.exe
"e:\\Documents and Settings\\Administrator\\Data aplikací\\Isass.exe"=
"e:\\Documents and Settings\\Administrator\\Data aplikací\\Application Updater.exe"=
"e:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Steam\\steamapps\\nardeuss\\counter-strike\\hl.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
"3306:TCP"= 3306:TCP:MySQL Server
"2788:TCP"= 2788:TCP:Akamai NetSession Interface
"5000:UDP"= 5000:UDP:Akamai NetSession Interface

R1 epfwtdir;epfwtdir;e:\windows\system32\drivers\epfwtdir.sys [18.8.2008 13:27 35168]
R2 Akamai;Akamai NetSession Interface;e:\windows\System32\svchost.exe -k Akamai [17.8.2004 15:49 14336]
R2 ekrn;Eset Service;e:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [7.10.2009 10:16 472280]
R3 LachesisFltr;Lachesis Mouse Driver;e:\windows\system32\drivers\Lachesis.sys [25.5.2010 18:14 12032]
S2 MySQL4;MySQL4;"e:\program files\MySQL\MySQL Server 5.0\bin\mysqld-nt" --defaults-file="e:\program files\MySQL\MySQL Server 5.0\my.ini" MySQL4 --> e:\program files\MySQL\MySQL Server 5.0\bin\mysqld-nt [?]
S2 MySQL41;MySQL41;"c:\program files\MySQL\MySQL Server 5.0\bin\mysqld-nt" --defaults-file="c:\program files\MySQL\MySQL Server 5.0\my.ini" MySQL41 --> c:\program files\MySQL\MySQL Server 5.0\bin\mysqld-nt [?]
S2 NVIDIA Performance Driver Service;NVIDIA Performance Driver Service;"e:\program files\NVIDIA Corporation\Performance Drivers\nvPDsvc.exe" --> e:\program files\NVIDIA Corporation\Performance Drivers\nvPDsvc.exe [?]
S2 XAMPP;XAMPP Service;e:\program files\xampp\service.exe --> e:\program files\xampp\service.exe [?]
S3 BeSk81;BeSk81;\??\e:\documents and settings\Administrator\Dokumenty\Downloads\Let_s_Engine_3.0__Auto-delete___Double_Kill_hack___Damage_Hack___Delay_Hack\Let's Engine 3.0 +Auto-delete + Double Kill hack + Damage Hack + Delay Hack\BeSk8.sys --> e:\documents and settings\Administrator\Dokumenty\Downloads\Let_s_Engine_3.0__Auto-delete___Double_Kill_hack___Damage_Hack___Delay_Hack\Let's Engine 3.0 +Auto-delete + Double Kill hack + Damage Hack + Delay Hack\BeSk8.sys [?]
S3 CEDRIVER53;CEDRIVER53;\??\e:\program files\Cheat Enginee\dbk32.sys --> e:\program files\Cheat Enginee\dbk32.sys [?]
S3 SetupNTGLM7X;SetupNTGLM7X;\??\d:\ntglm7x.sys --> d:\NTGLM7X.sys [?]
S3 VCSVADHWSer;Avnex Virtual Audio Device (WDM);e:\windows\system32\drivers\vcsvad.sys [13.3.2010 17:17 17792]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Akamai REG_MULTI_SZ Akamai

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2007-06-20 10:47 451872 ----a-w- e:\program files\Common Files\LightScribe\LSRunOnce.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{1AAEE6FF-3DF7-AF7E-EE5B-FCF7BED2CDE2}]
2010-07-19 17:17 221704 ---h--w- e:\documents and settings\Administrator\Data aplikací\Isass.Exe

[HKEY_CURRENT_USER\software\microsoft\active setup\installed components\{1AAEE6FF-3DF7-AF7E-EE5B-FCF7BED2CDE2}]
2010-07-19 17:17 221704 ---h--w- e:\documents and settings\Administrator\Data aplikací\Isass.Exe
.
Obsah adresáře 'Naplánované úlohy'

2010-06-23 e:\windows\Tasks\AppleSoftwareUpdate.job
- e:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
.
.
------- Doplňkový sken -------
.
uStart Page = hxxp://www.zaparit.cz/
IE: &Download by Orbit - e:\program files\Orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - e:\program files\Orbitdownloader\orbitmxt.dll/204
IE: Do&wnload selected by Orbit - e:\program files\Orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - e:\program files\Orbitdownloader\orbitmxt.dll/202
FF - ProfilePath - e:\documents and settings\Administrator\Data aplikací\Mozilla\Firefox\Profiles\o6tnuthg.default\
FF - prefs.js: browser.startup.homepage - hxxp://search.orbitdownloader.com
FF - component: e:\program files\Mozilla Firefox\components\AdVComponent.dll
FF - plugin: c:\opera\program\plugins\npdsplay.dll
FF - plugin: c:\opera\program\plugins\npqtplugin.dll
FF - plugin: c:\opera\program\plugins\npqtplugin2.dll
FF - plugin: c:\opera\program\plugins\npqtplugin3.dll
FF - plugin: c:\opera\program\plugins\npqtplugin4.dll
FF - plugin: c:\opera\program\plugins\npqtplugin5.dll
FF - plugin: c:\opera\program\plugins\npqtplugin6.dll
FF - plugin: c:\opera\program\plugins\npqtplugin7.dll
FF - plugin: c:\opera\program\plugins\npwmsdrm.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - e:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - NEPLATNÉ POLOŽKY ODSTRANĚNÉ Z REGISTRU - - - -

WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
HKCU-Run-PlayNC Launcher - (no file)
HKLM-Run-CmPCIaudio - CMICNFG3.cpl
ActiveSetup-{FC5FED00-A76C-D0CE-E95D-C2200E1380F7} - e:\windows\system32\svhost.exe
AddRemove-Czech Soccer Manager 2002 - e:\program files\CSM2002\DeIsL1.isu



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-20 18:09
Windows 5.1.2600 Service Pack 3 NTFS

skenování skrytých procesů ...

skenování skrytých položek 'Po spuštění' ...

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
MixerDef = MixerDef.Exe????.?@??1@????????

skenování skrytých souborů ...

sken byl úspešně dokončen
skryté soubory: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MySQL]
"ImagePath"="\"e:\program files\MySQL\MySQL Server 5.1\bin\mysqld\" --defaults-file=\"e:\program files\MySQL\MySQL Server 5.1\my.ini\" MySQL"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MySQL4]
"ImagePath"="\"e:\program files\MySQL\MySQL Server 5.0\bin\mysqld-nt\" --defaults-file=\"e:\program files\MySQL\MySQL Server 5.0\my.ini\" MySQL4"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MySQL41]
"ImagePath"="\"c:\program files\MySQL\MySQL Server 5.0\bin\mysqld-nt\" --defaults-file=\"c:\program files\MySQL\MySQL Server 5.0\my.ini\" MySQL41"
.
--------------------- ZAMKNUTÉ KLÍČE V REGISTRU ---------------------

[HKEY_USERS\S-1-5-21-507921405-725345543-680672661-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,b8,e7,e3,d0,34,79,a6,47,a4,77,56,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,b8,e7,e3,d0,34,79,a6,47,a4,77,56,\

[HKEY_USERS\S-1-5-21-507921405-725345543-680672661-500\Software\SecuROM\License information*]
"datasecu"=hex:30,3b,b9,9a,e6,dc,7e,ae,d2,4a,c6,32,54,0e,3b,42,52,03,ed,f2,a8,
a2,5b,80,b4,45,23,17,52,75,c5,9c,17,96,db,6f,09,f7,9e,47,61,23,b4,b2,48,ac,\
"rkeysecu"=hex:2f,0f,d5,3e,02,2b,06,63,b1,0b,dd,b6,71,e2,54,98
.
--------------------- Knihovny navázané na běžící procesy ---------------------

- - - - - - - > 'winlogon.exe'(764)
e:\windows\system32\Ati2evxx.dll
.
Celkový čas: 2010-07-20 18:11:24
ComboFix-quarantined-files.txt 2010-07-20 16:11

Před spuštěním: Volných bajtů: 55 063 334 912
Po spuštění: Volných bajtů: 58 058 170 368

WindowsXP-KB310994-SP2-Pro-BootDisk-CSY.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(1)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(1)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 52D6709DB88274A19CF7DD286357C5BA

Post by bledulka » 20 Jul 2010 18:19

Test these at http://www.virustotal.com


e:\documents and settings\Administrator\Dokumenty\Downloads\Let_s_Engine_3.0__Auto-delete___Double_Kill_hack___Damage_Hack___Delay_Hack\Let's Engine 3.0 +Auto-delete + Double Kill hack + Damage Hack + Delay Hack\BeSk8.sys
e:\windows\system32\dllcache\helpsvc.exe
e:\windows\system32\audiohd.exe
- e:\program files\Common Files\WUDHost.exe

- Copy the file path into the box; if it says the file has already been tested, have it tested again.
- Paste the link with the results here.

Post by nardeus » 20 Jul 2010 18:35

HELP . SVC -



Antivirus Verze Poslední aktualizace Výsledek
AhnLab-V3 2010.07.20.02 2010.07.20 -
AntiVir 8.2.4.12 2010.07.20 -
Antiy-AVL 2.0.3.7 2010.07.15 -
Authentium 5.2.0.5 2010.07.20 -
Avast 4.8.1351.0 2010.07.20 -
Avast5 5.0.332.0 2010.07.20 -
AVG 9.0.0.836 2010.07.20 -
BitDefender 7.2 2010.07.20 -
CAT-QuickHeal 11.00 2010.07.20 -
ClamAV 0.96.0.3-git 2010.07.20 -
Comodo 5487 2010.07.20 -
DrWeb 5.0.2.03300 2010.07.20 -
Emsisoft 5.0.0.34 2010.07.20 -
eSafe 7.0.17.0 2010.07.20 -
eTrust-Vet 36.1.7723 2010.07.20 -
F-Prot 4.6.1.107 2010.07.19 -
F-Secure 9.0.15370.0 2010.07.20 -
Fortinet 4.1.143.0 2010.07.20 -
GData 21 2010.07.20 -
Ikarus T3.1.1.84.0 2010.07.20 -
Jiangmin 13.0.900 2010.07.20 -
Kaspersky 7.0.0.125 2010.07.20 -
McAfee 5.400.0.1158 2010.07.20 -
McAfee-GW-Edition 2010.1 2010.07.20 -
Microsoft 1.6004 2010.07.20 -
NOD32 5295 2010.07.20 -
Norman 6.05.11 2010.07.20 -
nProtect 2010-07-20.02 2010.07.20 -
Panda 10.0.2.7 2010.07.20 -
PCTools 7.0.3.5 2010.07.20 -
Prevx 3.0 2010.07.20 -
Rising 22.57.01.04 2010.07.20 -
Sophos 4.55.0 2010.07.20 -
Sunbelt 6608 2010.07.20 -
SUPERAntiSpyware 4.40.0.1006 2010.07.20 -
Symantec 20101.1.1.7 2010.07.20 -
TheHacker 6.5.2.1.320 2010.07.19 -
TrendMicro 9.120.0.1004 2010.07.20 -
TrendMicro-HouseCall 9.120.0.1004 2010.07.20 -
VBA32 3.12.12.6 2010.07.20 -
ViRobot 2010.6.21.3896 2010.07.20 -
VirusBuster 5.0.27.0 2010.07.20 -
Rozšiřující informace
File size: 744448 bytes
MD5...: e5517d0908ca75eef9633a93ff3f0408
SHA1..: f8f38dee458d4ed6d5f98830f2578a2bca517e89
SHA256: adbf3948908ab0c487d2b536e2f8e0c0803ef2bde109ac525677582549f7a7e2
ssdeep: 12288:45JGtd310QtVgo9bD1Hm/uylJbUWdV55cMFMgNo4UwT9jCYNcTu3FpQp/4
jXsbJm:4Kz0QtVgo9bD1Hm/uylJbnz55cMFMgUJ
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x26d11
timedatestamp.....: 0x4c163d2d (Mon Jun 14 14:31:09 2010)
machinetype.......: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x9f518 0x9f600 6.22 1c7916a80e692f507458adcb37282f6f
.data 0xa1000 0x5dd4 0x5a00 5.49 0e652c4fabca0c3fa8f0fa85b828edf5
.rsrc 0xa7000 0x10720 0x10800 4.81 ff52c1e7c1c0c3c9333fe987c5731b74

( 8 imports )

( 0 exports )
RDS...: NSRL Reference Data Set
-
pdfid.: -
trid..: Win32 Executable MS Visual C++ (generic) (53.1%)
Windows Screen Saver (18.4%)
Win32 Executable Generic (12.0%)
Win32 Dynamic Link Library (generic) (10.6%)
Generic Win/DOS Executable (2.8%)
sigcheck:
publisher....: Microsoft Corporation
copyright....: (c) Microsoft Corporation. All rights reserved.
product......: Microsoft_ Windows_ Operating System
description..: Microsoft Help Center Service
original name: HELPSVC.EXE
internal name: HELPSVC.EXE
file version.: 5.1.2600.5997 (xpsp_sp3_gdr.100614-1759)
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned

Post by nardeus » 20 Jul 2010 18:40

AudioHd.exe

AhnLab-V3 2010.07.20.02 2010.07.20 -
AntiVir 8.2.4.12 2010.07.20 -
Antiy-AVL 2.0.3.7 2010.07.15 Worm/MSIL.Arcdoor.gen
Authentium 5.2.0.5 2010.07.20 -
Avast 4.8.1351.0 2010.07.20 Win32:Trojan-gen
Avast5 5.0.332.0 2010.07.20 Win32:Trojan-gen
AVG 9.0.0.836 2010.07.20 Worm/Generic.BMEC
BitDefender 7.2 2010.07.20 Worm.Generic.264500
CAT-QuickHeal 11.00 2010.07.20 -
ClamAV 0.96.0.3-git 2010.07.20 -
Comodo 5487 2010.07.20 -
DrWeb 5.0.2.03300 2010.07.20 -
Emsisoft 5.0.0.34 2010.07.20 Worm.MSIL!IK
eSafe 7.0.17.0 2010.07.20 -
eTrust-Vet 36.1.7723 2010.07.20 -
F-Prot 4.6.1.107 2010.07.19 -
F-Secure 9.0.15370.0 2010.07.20 Worm.Generic.264500
Fortinet 4.1.143.0 2010.07.20 -
GData 21 2010.07.20 Worm.Generic.264500
Ikarus T3.1.1.84.0 2010.07.20 Worm.MSIL
Jiangmin 13.0.900 2010.07.20 -
Kaspersky 7.0.0.125 2010.07.20 Worm.MSIL.Arcdoor.ae
McAfee 5.400.0.1158 2010.07.20 -
McAfee-GW-Edition 2010.1 2010.07.20 -
Microsoft 1.6004 2010.07.20 -
NOD32 5295 2010.07.20 -
Norman 6.05.11 2010.07.20 -
nProtect 2010-07-20.02 2010.07.20 Worm.Generic.264500
Panda 10.0.2.7 2010.07.20 -
PCTools 7.0.3.5 2010.07.20 Backdoor.Trojan
Prevx 3.0 2010.07.20 High Risk Cloaked Malware
Rising 22.57.01.04 2010.07.20 -
Sophos 4.55.0 2010.07.20 -
Sunbelt 6608 2010.07.20 -
SUPERAntiSpyware 4.40.0.1006 2010.07.20 -
Symantec 20101.1.1.7 2010.07.20 Backdoor.Trojan
TheHacker 6.5.2.1.322 2010.07.20 Trojan/Arcdoor.ae
TrendMicro 9.120.0.1004 2010.07.20 -
TrendMicro-HouseCall 9.120.0.1004 2010.07.20 -
VBA32 3.12.12.6 2010.07.20 -
ViRobot 2010.6.21.3896 2010.07.20 -
VirusBuster 5.0.27.0 2010.07.20 -
Rozšiřující informace
File size: 26624 bytes
MD5...: 475589512877fa5125d43ee092930c3d
SHA1..: 6f8a3343cd8384d70cc7a1751d885168d49b5e47
SHA256: 06eed3b00ea1d6164f0e8da83a3391c7dfbe1527e18539eebdec174ab8b0c2b2
ssdeep: 384:tD5bUAt3Huy/lTCF6mGSi4llrdnXpo+deYZwlx9O9SwOtV2+25jP:t1bz3Hu
hHl7nXObV9O9Wto5jP
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x7c0e
timedatestamp.....: 0x4c171bf8 (Tue Jun 15 06:21:44 2010)
machinetype.......: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x2000 0x5c14 0x5e00 5.58 8c1963ebb84e3e70578bf060b98a4f68
.rsrc 0x8000 0x590 0x600 4.00 3d34a70772fdaabf5107b262cb34dae0
.reloc 0xa000 0xc 0x200 2.24 99450401d354ca98ca6365476d62075c

( 1 imports )
> mscoree.dll: _CorExeMain

( 0 exports )
RDS...: NSRL Reference Data Set
-
pdfid.: -
trid..: Generic CIL Executable (.NET, Mono, etc.) (78.4%)
Win32 Executable Generic (9.1%)
Win32 Dynamic Link Library (generic) (8.1%)
Generic Win/DOS Executable (2.1%)
DOS Executable Generic (2.1%)
http://info.prevx.com/aboutprogramtext.asp?PX5=ABD3EDED00E2BD5668EE008B2583DD001DEE87CD
sigcheck:
publisher....: n/a
copyright....: Copyright (c) Microsoft 2010
product......: SystemDriver
description..: SysDriver
original name: SysDriver.exe
internal name: SysDriver.exe
file version.: 1.0.0.0
comments.....: SystemDriver
signers......: -
signing date.: -
verified.....: Unsigned

Post by M4RTY » 20 Jul 2010 18:44

Paste the web addresses (of those results) here ;)
____________________________________
Forum rules
Those who ask a lot google too little

Post by nardeus » 20 Jul 2010 18:45


Post by bledulka » 20 Jul 2010 19:03

I'm still waiting for this one, and then we'll delete it:
e:\documents and settings\Administrator\Dokumenty\Downloads\Let_s_Engine_3.0__Auto-delete___Double_Kill_hack___Damage_Hack___Delay_Hack\Let's Engine 3.0 +Auto-delete + Double Kill hack + Damage Hack + Delay Hack\BeSk8.sys
Do you know that program?

Post by nardeus » 20 Jul 2010 19:04

Yeah, I know it.

For that file it tells me the path is invalid.

Post by M4RTY » 20 Jul 2010 19:09

Type 'c' instead of 'e'.
