HJT:
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 19:40:38, on 23.8.2010
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\FRAPS 3.2.3\FRAPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Java\Java Update\jucheck.exe
C:\Program Files\QIP Infium\infium.exe
C:\Program Files\Garena\Garena.exe
C:\WINDOWS\System32\msiexec.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://search.qip.ru
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://search.qip.ru
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.qip.ru/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.qip.ru
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://seznam.cz/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.qip.ru/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = Root: HKCU; Subkey: Software\Microsoft\Internet Explorer\SearchUrl; ValueType: string; ValueName: '; ValueData: '; Flags: createvalueifdoesntexist noerror; Tasks: AddSearchQip
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
R3 - URLSearchHook: QIPBHO Class - {A55F9C95-2BB1-4EA2-BC77-DFAAB78832CE} - C:\Documents and Settings\login\Data aplikací\Microsoft\Internet Explorer\qipsearchbar.dll
R3 - URLSearchHook: (no name) - - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: XML module - {500bca15-57a7-4eaf-8143-8c619470b13d} - (no file)
O2 - BHO: QIPBHO - {A55F9C95-2BB1-4EA2-BC77-DFAAB78832CE} - C:\Documents and Settings\login\Data aplikací\Microsoft\Internet Explorer\qipsearchbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Rádio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [XA5RJ9EADJ] C:\DOCUME~1\login\LOCALS~1\Temp\Svr.exe
O4 - HKCU\..\Run: [Fraps] C:\FRAPS 3.2.3\FRAPS.EXE
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: QIP Infium - {1EF681F7-A04B-4D6D-9012-A307CCA55610} - C:\Program Files\QIP Infium\infium.exe (HKCU)
O16 - DPF: {1F831FA2-42FC-11D4-95A6-0080AD30DCE1} (InstaFred) - file://C:\Program Files\AutoCAD 2002 Cz\InstFred.ocx
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (Ovládací prvek AcDcToday) - file://C:\Program Files\AutoCAD 2002 Cz\AcDcToday.ocx
O16 - DPF: {AE563723-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://C:\Program Files\AutoCAD 2002 Cz\InstBanr.ocx
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (Prvek AcPreview) - file://C:\Program Files\AutoCAD 2002 Cz\AcPreview.ocx
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Proces mezipaměti kategorií součástí - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Služba inteligentního přenosu na pozadí (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\System32\GameMon.des.exe (file missing)
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Automatické aktualizace (wuauserv) - Unknown owner - C:\WINDOWS\
--
End of file - 6948 bytes
Malware:
Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org
Verze databáze: 4466
Windows 5.1.2600 Service Pack 1
Internet Explorer 6.0.2800.1106
23.8.2010 19:37:07
mbam-log-2010-08-23 (19-37-07).txt
Typ skenu: Úplný sken (C:\|D:\|)
Skenované objekty: 168081
Uplynulý čas: 38 minuta(y), 40 sekunda(y)
Infikované procesy v paměti: 0
Infikované moduly v paměti: 0
Infikované klíče registru: 13
Infikované hodnoty registru: 1
Infikované datové položky registru: 2
Infikované složky: 0
Infikované soubory: 11
Infikované procesy v paměti:
(Žádné škodlivé položky nebyly zjištěny)
Infikované moduly v paměti:
(Žádné škodlivé položky nebyly zjištěny)
Infikované klíče registru:
HKEY_CLASSES_ROOT\CLSID\{500bca15-57a7-4eaf-8143-8c619470b13d} (Trojan.FakeAlert) -> No action taken.
HKEY_CLASSES_ROOT\Typelib\{c20ee2d6-81c3-6a08-79c5-1989da43bc19} (Trojan.Downloader) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{500bca15-57a7-4eaf-8143-8c619470b13d} (Trojan.FakeAlert) -> No action taken.
HKEY_CLASSES_ROOT\xml.xml (Trojan.FakeAlert) -> No action taken.
HKEY_CLASSES_ROOT\xml.xml.1 (Trojan.FakeAlert) -> No action taken.
HKEY_CURRENT_USER\{5617ECA9-488D-4BA2-8562-9710B9AB78D2} (Adware.DoubleD) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Handle (Malware.Trace) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\NordBull (Malware.Trace) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\poprock (Trojan.Downloader) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\TG0PTF86JH (Trojan.FakeAlert) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\XA5RJ9EADJ (Trojan.FakeAlert) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> No action taken.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SSHNAS (Trojan.Renos) -> No action taken.
Infikované hodnoty registru:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xa5rj9eadj (Trojan.FakeAlert) -> No action taken.
Infikované datové položky registru:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BITS\ImagePath (Hijack.WindowsUpdates) -> Bad: (%fystemRoot%\System32\svchost.exe -k netsvcs) Good: (%SystemRoot%\System32\svchost.exe -k netsvcs) -> No action taken.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wuauserv\ImagePath (Hijack.WindowsUpdates) -> Bad: (%fystemRoot%\system32\svchost.exe -k netsvcs) Good: (%SystemRoot%\System32\svchost.exe -k netsvcs) -> No action taken.
Infikované složky:
(Žádné škodlivé položky nebyly zjištěny)
Infikované soubory:
C:\WINDOWS\Snotaa.exe (Trojan.FraudPack) -> No action taken.
C:\System Volume Information\_restore{51C474C0-AC6D-46CB-87C7-266C0AF73433}\RP176\A0096440.exe (Trojan.FraudPack) -> No action taken.
D:\WPAkill.exe (Trojan.Hacktool) -> No action taken.
D:\Downloads\win xp\Win XP Activation Crack English.exe (Trojan.FakeAlert) -> No action taken.
C:\Documents and Settings\login\Data aplikací\avdrn.dat (Malware.Trace) -> No action taken.
C:\Documents and Settings\login\oashdihasidhasuidhiasdhiashdiuasdhasd (Malware.Trace) -> No action taken.
C:\WINDOWS\system32\config\systemprofile\oashdihasidhasuidhiasdhiashdiuasdhasd (Malware.Trace) -> No action taken.
C:\WINDOWS\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job (Trojan.Downloader) -> No action taken.
C:\WINDOWS\Tasks\{7B02EF0B-A410-4938-8480-9BA26420A627}.job (Trojan.Downloader) -> No action taken.
C:\WINDOWS\Tasks\{8C3FDD81-7AE0-4605-A46A-2488B179F2A3}.job (Trojan.Downloader) -> No action taken.
C:\WINDOWS\Tasks\{BB65B0FB-5712-401b-B616-E69AC55E2757}.job (Trojan.Downloader) -> No action taken.
I don't know what to delete and what to keep.
Log check
Re: Log check
Hi,
Delete everything in MBAM.
You've got it nicely infected.
Download ComboFix to your desktop - http://download.bleepingcomputer.com/sUBs/ComboFix.exe
- Before using it, disable all resident security programs - antivirus, firewalls, antispyware
- Close all active windows and run it under an account with administrator rights
- After launching, the terms of use are displayed; confirm them by pressing the Yes button
- Then follow the instructions; while ComboFix is running, do not click in the window that appears
- When the scan finishes, the log C:\ComboFix.txt is created; copy its entire contents here.
Re: Log check
ComboFix 10-08-22.07 - login 23.08.2010 22:03:12.1.1 - FAT32x86
Systém Microsoft Windows XP Professional 5.1.2600.1.1250.420.1029.18.510.285 [GMT 2:00]
Spuštěný z: c:\documents and settings\login\Dokumenty\Stažené soubory\ComboFix.exe
.
((((((((((((((((((((((((((((((((((((((( Ostatní výmazy )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\_003621_.tmp.dll
c:\windows\system32\_003624_.tmp.dll
c:\windows\system32\_003627_.tmp.dll
c:\windows\system32\_003802_.tmp.dll
c:\windows\system32\_003803_.tmp.dll
c:\windows\system32\_003804_.tmp.dll
c:\windows\system32\_003805_.tmp.dll
c:\windows\system32\_003812_.tmp.dll
c:\windows\system32\_003813_.tmp.dll
c:\windows\system32\_003814_.tmp.dll
c:\windows\system32\_003816_.tmp.dll
c:\windows\system32\_003817_.tmp.dll
c:\windows\system32\_003820_.tmp.dll
c:\windows\system32\_003821_.tmp.dll
c:\windows\system32\_003824_.tmp.dll
c:\windows\system32\_003825_.tmp.dll
c:\windows\system32\_003827_.tmp.dll
c:\windows\system32\_003828_.tmp.dll
c:\windows\system32\_003829_.tmp.dll
c:\windows\system32\_003830_.tmp.dll
c:\windows\system32\_003831_.tmp.dll
c:\windows\system32\_003836_.tmp.dll
c:\windows\system32\_003838_.tmp.dll
c:\windows\system32\_003839_.tmp.dll
c:\windows\system32\_003841_.tmp.dll
c:\windows\system32\_003843_.tmp.dll
c:\windows\system32\_003844_.tmp.dll
c:\windows\system32\_003845_.tmp.dll
c:\windows\system32\_003846_.tmp.dll
c:\windows\system32\_003847_.tmp.dll
c:\windows\system32\_003850_.tmp.dll
c:\windows\system32\_003851_.tmp.dll
c:\windows\system32\_003852_.tmp.dll
c:\windows\system32\_003853_.tmp.dll
c:\windows\system32\_003854_.tmp.dll
c:\windows\system32\_003859_.tmp.dll
c:\windows\system32\_004750_.tmp.dll
c:\windows\system32\_004753_.tmp.dll
c:\windows\system32\_004756_.tmp.dll
c:\windows\system32\_004931_.tmp.dll
c:\windows\system32\_004932_.tmp.dll
c:\windows\system32\_004933_.tmp.dll
c:\windows\system32\_004934_.tmp.dll
c:\windows\system32\_004941_.tmp.dll
c:\windows\system32\_004942_.tmp.dll
c:\windows\system32\_004943_.tmp.dll
c:\windows\system32\_004944_.tmp.dll
c:\windows\system32\_004946_.tmp.dll
c:\windows\system32\_004947_.tmp.dll
c:\windows\system32\_004950_.tmp.dll
c:\windows\system32\_004951_.tmp.dll
c:\windows\system32\_004954_.tmp.dll
c:\windows\system32\_004955_.tmp.dll
c:\windows\system32\_004957_.tmp.dll
c:\windows\system32\_004958_.tmp.dll
c:\windows\system32\_004959_.tmp.dll
c:\windows\system32\_004960_.tmp.dll
c:\windows\system32\_004961_.tmp.dll
c:\windows\system32\_004966_.tmp.dll
c:\windows\system32\_004968_.tmp.dll
c:\windows\system32\_004969_.tmp.dll
c:\windows\system32\_004971_.tmp.dll
c:\windows\system32\_004973_.tmp.dll
c:\windows\system32\_004974_.tmp.dll
c:\windows\system32\_004975_.tmp.dll
c:\windows\system32\_004976_.tmp.dll
c:\windows\system32\_004977_.tmp.dll
c:\windows\system32\_004980_.tmp.dll
c:\windows\system32\_004981_.tmp.dll
c:\windows\system32\_004982_.tmp.dll
c:\windows\system32\_004983_.tmp.dll
c:\windows\system32\_004984_.tmp.dll
c:\windows\system32\_004989_.tmp.dll
c:\windows\system32\winlogon.bak
D:\install.exe
Nakažená kopie c:\windows\system32\winlogon.exe byla nalezena a vyléčena.
Obnovena kopie z - c:\windows\ServicePackFiles\i386\winlogon.exe
c:\windows\system32\qmgr.dll . . . je infikován!!
.
((((((((((((((((((((((((((((((((((((((( Ovladače/Služby )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_SSHNAS
((((((((((((((((((((((((( Soubory vytvořené od 2010-07-23 do 2010-08-23 )))))))))))))))))))))))))))))))
.
2010-08-23 21:07 . 2010-08-23 21:07 -------- d-----w- c:\documents and settings\Administrator
2010-08-23 21:06 . 2010-08-23 21:06 -------- d-----w- C:\FOUND.011
2010-08-23 20:18 . 2010-08-23 20:18 -------- d-----w- C:\FOUND.010
2010-08-23 17:39 . 2010-08-23 17:39 -------- d-----w- c:\program files\Trend Micro
2010-08-23 16:37 . 2010-03-29 13:24 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-08-23 16:37 . 2010-03-29 13:24 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-08-23 16:37 . 2010-08-23 16:37 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-15 01:01 . 2010-08-15 01:01 -------- d-----w- c:\program files\PhotoFiltre Studio X
2010-08-15 00:54 . 2010-08-15 00:54 -------- d-----w- c:\program files\TopStyle 4
2010-08-15 00:45 . 2010-08-15 00:45 -------- d-----w- c:\program files\PSPad editor
2010-08-14 08:33 . 2010-08-14 08:33 -------- d-----w- C:\FOUND.009
2010-07-31 09:39 . 2010-07-31 09:40 -------- d-----w- C:\Python27
2010-07-31 09:35 . 2010-07-31 09:35 -------- d-----w- c:\program files\Blender Foundation
2010-07-30 10:54 . 2010-07-30 10:54 -------- d-----w- c:\program files\particleIllusion_3
2010-07-29 18:36 . 2010-07-29 18:36 -------- d-----w- c:\program files\ESET
2010-07-27 14:20 . 2010-07-27 14:20 -------- d-----w- c:\program files\AviSynth 2.5
2010-07-27 14:17 . 2010-07-27 14:17 -------- d-----w- c:\program files\MeGui
2010-07-26 10:20 . 2010-07-26 10:20 -------- d-----w- C:\Fraps 3.2.3
2010-07-25 20:30 . 2001-10-25 10:00 79360 ----a-w- c:\windows\system32\dllcache\diantz.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-23 21:08 . 2001-10-25 10:00 516608 ----a-w- c:\windows\system32\winlogon.exe
2010-08-23 20:10 . 2001-10-25 10:00 68736 ----a-w- c:\windows\system32\perfc005.dat
2010-08-23 20:10 . 2001-10-25 10:00 389664 ----a-w- c:\windows\system32\perfh005.dat
2010-07-25 20:16 . 2010-07-25 20:16 0 ----a-w- c:\windows\000001_.tmp
2010-07-19 20:45 . 2009-01-18 10:37 2410 ----a-w- c:\windows\PCHEALTH\HELPCTR\PackageStore\SkuStore.bin
2010-07-19 16:01 . 2010-07-19 16:01 -------- d-----w- c:\program files\CCleaner
2010-07-19 15:51 . 2010-07-19 15:51 -------- d-----w- c:\program files\Common Files\Java
2010-07-04 07:03 . 2010-07-04 07:03 2286080 ----a-w- c:\windows\system32\python27.dll
2010-07-02 10:43 . 2010-07-02 10:43 95896 ----a-w- c:\windows\system32\drivers\epfwtdir.sys
2010-07-02 10:43 . 2010-07-02 10:43 140752 ----a-w- c:\windows\system32\drivers\eamon.sys
2010-06-30 21:26 . 2010-06-30 21:26 65536 ----a-w- c:\windows\IFinst27.exe
2010-06-22 15:48 . 2010-06-22 15:48 2560 ----a-w- c:\windows\_MSRSTRT.EXE
2010-06-15 02:16 . 2010-06-15 02:16 86016 ----a-w- c:\windows\system32\frapsvid.dll
2009-07-06 19:40 . 2009-07-06 19:40 33280 --sha-w- c:\program files\Thumbs.db
2009-10-05 16:34 . 2010-01-07 15:13 118000 ----a-w- c:\program files\mozilla firefox\components\qippipe.dll
.
------- Sigcheck -------
[-] 2010-08-23 . 32903EC0600863D5B90DDD5FDA70F375 . 516608 . . [5.1.2600.1106] . . c:\windows\system32\winlogon.exe
[7] 2002-09-21 . FF8857D1AF59071F172C0FAD0FD33E87 . 516608 . . [5.1.2600.1106] . . c:\windows\ServicePackFiles\i386\winlogon.exe
[-] 2004-07-09 02:27 . 0E51BD586D186F61A9E4453DB8AEC774 . 1703936 . . [5.3.0000001.0904 built by: private/Lab06_dev(DXBLD00)] . . c:\windows\system32\d3d9.dll
c:\windows\System32\wscntfy.exe ... chybí !!
c:\windows\System32\xmlprov.dll ... chybí !!
.
(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Fraps"="c:\fraps 3.2.3\FRAPS.EXE" [2010-06-15 2320304]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2004-08-30 69632]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2010-07-02 2202704]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2002-09-21 13312]
c:\documents and settings\All Users\Nabídka Start\Programy\Po spuštění\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2001-10-2 65588]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [28.4.2010 8:17 114984]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2.7.2010 12:43 95896]
R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [2.7.2010 12:43 810144]
S1 1236da4d;1236da4d;c:\windows\system32\drivers\1236da4d.sys [7.7.2009 10:08 16384]
S3 dump_wmimmc;dump_wmimmc;\??\d:\luna online\GameGuard\dump_wmimmc.sys --> d:\luna online\GameGuard\dump_wmimmc.sys [?]
S3 GarenaPEngine;GarenaPEngine;\??\c:\docume~1\login\LOCALS~1\Temp\SVQ62D.tmp --> c:\docume~1\login\LOCALS~1\Temp\SVQ62D.tmp [?]
S3 npggsvc;nProtect GameGuard Service;c:\windows\System32\GameMon.des -service --> c:\windows\System32\GameMon.des -service [?]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [18.5.2009 18:25 721904]
.
Obsah adresáře 'Naplánované úlohy'
2010-08-23 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-02-25 12:58]
.
.
------- Doplňkový sken -------
.
uStart Page = hxxp://seznam.cz/
uDefault_Search_URL = hxxp://search.qip.ru
uSearchAssistant = hxxp://search.qip.ru/ie
uSearchURL,(Default) = Root: HKCU; Subkey: Software\Microsoft\Internet Explorer\SearchUrl; ValueType: string; ValueName: '; ValueData: '; Flags: createvalueifdoesntexist noerror; Tasks: AddSearchQip
IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
DPF: {1F831FA2-42FC-11D4-95A6-0080AD30DCE1} - file://c:\program files\AutoCAD 2002 Cz\InstFred.ocx
DPF: {AE563723-B4F5-11D4-A415-00108302FDFD} - file://c:\program files\AutoCAD 2002 Cz\InstBanr.ocx
FF - ProfilePath - c:\documents and settings\login\Data aplikací\Mozilla\Firefox\Profiles\0wblb4jw.default\
FF - component: c:\program files\Mozilla Firefox\extensions\{7c5c0f58-e061-457d-9033-77307f5ed00c}\components\FFAlert.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
---- NASTAVENÍ FIREFOXU ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".cz");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
.
------- Asociace souborů -------
.
.scr=AutoCADScriptFile
.
- - - - NEPLATNÉ POLOŽKY ODSTRANĚNÉ Z REGISTRU - - - -
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
Notify-dimsntfy - (no file)
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-23 23:11
Windows 5.1.2600 Service Pack 1 FAT NTAPI
skenování skrytých procesů ...
skenování skrytých položek 'Po spuštění' ...
skenování skrytých souborů ...
sken byl úspešně dokončen
skryté soubory: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet006\Services\GarenaPEngine]
"ImagePath"="\??\c:\docume~1\login\LOCALS~1\Temp\SVQ62D.tmp"
[HKEY_LOCAL_MACHINE\System\ControlSet006\Services\npggsvc]
"ImagePath"="c:\windows\System32\GameMon.des -service"
.
--------------------- ZAMKNUTÉ KLÍČE V REGISTRU ---------------------
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\System32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\System32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- Knihovny navázané na běžící procesy ---------------------
- - - - - - - > 'winlogon.exe'(620)
c:\windows\System32\ODBC32.dll
c:\windows\system32\Ati2evxx.dll
- - - - - - - > 'lsass.exe'(676)
c:\windows\System32\dssenh.dll
- - - - - - - > 'explorer.exe'(3844)
c:\windows\System32\msi.dll
.
------------------------ Jiné spuštené procesy ------------------------
.
c:\windows\System32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\windows\SOUNDMAN.EXE
c:\windows\System32\DRIVERS\CDANTSRV.EXE
c:\program files\Java\jre6\bin\jqs.exe
.
**************************************************************************
.
Celkový čas: 2010-08-23 23:13:03 - počítač byl restartován
ComboFix-quarantined-files.txt 2010-08-23 21:13
Před spuštěním: Volných bajtů: 16 745 889 792
Po spuštění: Volných bajtů: 16 585 785 344
winxpsp1_cs_pro_bf.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=AlwaysOff
Current=6 Default=6 Failed=1 LastKnownGood=7 Sets=1,2,3,4,5,6,7
- - End Of File - - C235145603E16823E01134D8384FF4DF
2010-07-02 10:43 . 2010-07-02 10:43 95896 ----a-w- c:\windows\system32\drivers\epfwtdir.sys
2010-07-02 10:43 . 2010-07-02 10:43 140752 ----a-w- c:\windows\system32\drivers\eamon.sys
2010-06-30 21:26 . 2010-06-30 21:26 65536 ----a-w- c:\windows\IFinst27.exe
2010-06-22 15:48 . 2010-06-22 15:48 2560 ----a-w- c:\windows\_MSRSTRT.EXE
2010-06-15 02:16 . 2010-06-15 02:16 86016 ----a-w- c:\windows\system32\frapsvid.dll
2009-07-06 19:40 . 2009-07-06 19:40 33280 --sha-w- c:\program files\Thumbs.db
2009-10-05 16:34 . 2010-01-07 15:13 118000 ----a-w- c:\program files\mozilla firefox\components\qippipe.dll
.
------- Sigcheck -------
[-] 2010-08-23 . 32903EC0600863D5B90DDD5FDA70F375 . 516608 . . [5.1.2600.1106] . . c:\windows\system32\winlogon.exe
[7] 2002-09-21 . FF8857D1AF59071F172C0FAD0FD33E87 . 516608 . . [5.1.2600.1106] . . c:\windows\ServicePackFiles\i386\winlogon.exe
[-] 2004-07-09 02:27 . 0E51BD586D186F61A9E4453DB8AEC774 . 1703936 . . [5.3.0000001.0904 built by: private/Lab06_dev(DXBLD00)] . . c:\windows\system32\d3d9.dll
c:\windows\System32\wscntfy.exe ... chybí !!
c:\windows\System32\xmlprov.dll ... chybí !!
.
(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Fraps"="c:\fraps 3.2.3\FRAPS.EXE" [2010-06-15 2320304]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2004-08-30 69632]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2010-07-02 2202704]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2002-09-21 13312]
c:\documents and settings\All Users\Nabídka Start\Programy\Po spuštění\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2001-10-2 65588]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [28.4.2010 8:17 114984]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2.7.2010 12:43 95896]
R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [2.7.2010 12:43 810144]
S1 1236da4d;1236da4d;c:\windows\system32\drivers\1236da4d.sys [7.7.2009 10:08 16384]
S3 dump_wmimmc;dump_wmimmc;\??\d:\luna online\GameGuard\dump_wmimmc.sys --> d:\luna online\GameGuard\dump_wmimmc.sys [?]
S3 GarenaPEngine;GarenaPEngine;\??\c:\docume~1\login\LOCALS~1\Temp\SVQ62D.tmp --> c:\docume~1\login\LOCALS~1\Temp\SVQ62D.tmp [?]
S3 npggsvc;nProtect GameGuard Service;c:\windows\System32\GameMon.des -service --> c:\windows\System32\GameMon.des -service [?]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [18.5.2009 18:25 721904]
.
Obsah adresáře 'Naplánované úlohy'
2010-08-23 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-02-25 12:58]
.
.
------- Doplňkový sken -------
.
uStart Page = hxxp://seznam.cz/
uDefault_Search_URL = hxxp://search.qip.ru
uSearchAssistant = hxxp://search.qip.ru/ie
uSearchURL,(Default) = Root: HKCU; Subkey: Software\Microsoft\Internet Explorer\SearchUrl; ValueType: string; ValueName: '; ValueData: '; Flags: createvalueifdoesntexist noerror; Tasks: AddSearchQip
IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
DPF: {1F831FA2-42FC-11D4-95A6-0080AD30DCE1} - file://c:\program files\AutoCAD 2002 Cz\InstFred.ocx
DPF: {AE563723-B4F5-11D4-A415-00108302FDFD} - file://c:\program files\AutoCAD 2002 Cz\InstBanr.ocx
FF - ProfilePath - c:\documents and settings\login\Data aplikací\Mozilla\Firefox\Profiles\0wblb4jw.default\
FF - component: c:\program files\Mozilla Firefox\extensions\{7c5c0f58-e061-457d-9033-77307f5ed00c}\components\FFAlert.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
---- NASTAVENÍ FIREFOXU ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".cz");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
.
------- Asociace souborů -------
.
.scr=AutoCADScriptFile
.
- - - - NEPLATNÉ POLOŽKY ODSTRANĚNÉ Z REGISTRU - - - -
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
Notify-dimsntfy - (no file)
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-23 23:11
Windows 5.1.2600 Service Pack 1 FAT NTAPI
skenování skrytých procesů ...
skenování skrytých položek 'Po spuštění' ...
skenování skrytých souborů ...
sken byl úspešně dokončen
skryté soubory: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet006\Services\GarenaPEngine]
"ImagePath"="\??\c:\docume~1\login\LOCALS~1\Temp\SVQ62D.tmp"
[HKEY_LOCAL_MACHINE\System\ControlSet006\Services\npggsvc]
"ImagePath"="c:\windows\System32\GameMon.des -service"
.
--------------------- ZAMKNUTÉ KLÍČE V REGISTRU ---------------------
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\System32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\System32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- Knihovny navázané na běžící procesy ---------------------
- - - - - - - > 'winlogon.exe'(620)
c:\windows\System32\ODBC32.dll
c:\windows\system32\Ati2evxx.dll
- - - - - - - > 'lsass.exe'(676)
c:\windows\System32\dssenh.dll
- - - - - - - > 'explorer.exe'(3844)
c:\windows\System32\msi.dll
.
------------------------ Jiné spuštené procesy ------------------------
.
c:\windows\System32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\windows\SOUNDMAN.EXE
c:\windows\System32\DRIVERS\CDANTSRV.EXE
c:\program files\Java\jre6\bin\jqs.exe
.
**************************************************************************
.
Celkový čas: 2010-08-23 23:13:03 - počítač byl restartován
ComboFix-quarantined-files.txt 2010-08-23 21:13
Před spuštěním: Volných bajtů: 16 745 889 792
Po spuštění: Volných bajtů: 16 585 785 344
winxpsp1_cs_pro_bf.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=AlwaysOff
Current=6 Default=6 Failed=1 LastKnownGood=7 Sets=1,2,3,4,5,6,7
- - End Of File - - C235145603E16823E01134D8384FF4DF
Re: Log check
Download AVPtool http://devbuilds.kaspersky-labs.com/devbuilds/AVPTool/
-install it and let it scan all drives
-let it disinfect whatever it finds
-then paste the log here.
Re: Log check
Program downloaded, but one of the libraries cannot be installed. It reports the error: "Aplikace nemohla být spuštěna, protože součást FLTLIB.DLL nelze najít. Potíže pravděpodobně odstraníte opětovnou instalací aplikace". I installed it 3 times and got the same error every time.
Re: Log check
Never mind, we'll do it differently. You probably still have quite a lot in there.
Move ComboFix to the desktop
-open Notepad
-copy the text from this box into it
Code:
MIA::
c:\windows\System32\wscntfy.exe
c:\windows\System32\xmlprov.dll
Restore::
c:\windows\system32\qmgr.dll
Srpeek::
c:\windows\System32\wscntfy.exe
c:\windows\System32\xmlprov.dll
c:\windows\system32\qmgr.dll
FCOPY::
c:\windows\ServicePackFiles\i386\winlogon.exe | c:\windows\system32\winlogon.exe
DDS::
uDefault_Search_URL = hxxp://search.qip.ru
uSearchAssistant = hxxp://search.qip.ru/ie
uSearchURL,(Default) = Root: HKCU; Subkey: Software\Microsoft\Internet Explorer\SearchUrl; ValueType: string; ValueName: '; ValueData: '; Flags: createvalueifdoesntexist noerror; Tasks: AddSearchQip
Reglock::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
file::
c:\windows\000001_.tmp
-save the resulting TXT file as CFScript.txt on the desktop, then drag it with the left mouse button onto the ComboFix icon and drop it there
-after the scan finishes and ComboFix exits, a log should appear; paste it here.
Warning: it may happen that after the script is applied and the computer restarts, Windows does not boot; in that case restart the computer again, keep pressing F8 and choose Last Known Good Configuration.
Test at http://www.virustotal.com
c:\windows\System32\dssenh.dll
c:\windows\IFinst27.exe
c:\windows\system32\python27.dll
c:\windows\system32\dllcache\diantz.exe
-Copy the file path into the box; if it says the file has already been tested, have it tested again.
-Paste the link with the results here.
Re: Log check
ComboFix:
ComboFix 10-08-22.07 - login 25.08.2010 10:47:43.2.1 - FAT32x86
Systém Microsoft Windows XP Professional 5.1.2600.1.1250.420.1029.18.510.258 [GMT 2:00]
Spuštěný z: c:\documents and settings\login\Dokumenty\Stažené soubory\ComboFix.exe
Použité ovládací přepínače :: c:\documents and settings\login\Plocha\CFScript.txt
* Vytvořen nový Bod Obnovení
* Rezidentní štít AV je zapnutý
.
((((((((((((((((((((((((((((((((((((((( Ostatní výmazy )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\qmgr.dll . . . je infikován!!
Nakažená kopie c:\windows\system32\winlogon.exe byla nalezena a vyléčena.
Obnovena kopie z - c:\windows\ServicePackFiles\i386\winlogon.exe
c:\windows\System32\wscntfy.exe . . . chybí !!
c:\windows\System32\xmlprov.dll . . . chybí !!
.
((((((((((((((((((((((((( Soubory vytvořené od 2010-07-25 do 2010-08-25 )))))))))))))))))))))))))))))))
.
2010-08-23 21:24 . 2010-08-23 21:24 -------- d-----w- c:\program files\Common Files\Java
2010-08-23 21:18 . 2010-08-23 21:18 -------- d-----w- c:\program files\Common Files\Adobe
2010-08-23 21:07 . 2010-08-23 21:07 -------- d-----w- c:\documents and settings\Administrator
2010-08-23 21:06 . 2010-08-23 21:06 -------- d-----w- C:\FOUND.011
2010-08-23 20:18 . 2010-08-23 20:18 -------- d-----w- C:\FOUND.010
2010-08-23 17:39 . 2010-08-23 17:39 -------- d-----w- c:\program files\Trend Micro
2010-08-23 16:37 . 2010-03-29 13:24 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-08-23 16:37 . 2010-03-29 13:24 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-08-23 16:37 . 2010-08-23 16:37 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-15 01:01 . 2010-08-15 01:01 -------- d-----w- c:\program files\PhotoFiltre Studio X
2010-08-15 00:54 . 2010-08-15 00:54 -------- d-----w- c:\program files\TopStyle 4
2010-08-15 00:45 . 2010-08-15 00:45 -------- d-----w- c:\program files\PSPad editor
2010-08-14 08:33 . 2010-08-14 08:33 -------- d-----w- C:\FOUND.009
2010-07-31 09:39 . 2010-07-31 09:40 -------- d-----w- C:\Python27
2010-07-31 09:35 . 2010-07-31 09:35 -------- d-----w- c:\program files\Blender Foundation
2010-07-30 10:54 . 2010-07-30 10:54 -------- d-----w- c:\program files\particleIllusion_3
2010-07-29 18:36 . 2010-07-29 18:36 -------- d-----w- c:\program files\ESET
2010-07-27 14:20 . 2010-07-27 14:20 -------- d-----w- c:\program files\AviSynth 2.5
2010-07-27 14:17 . 2010-07-27 14:17 -------- d-----w- c:\program files\MeGui
2010-07-26 10:20 . 2010-07-26 10:20 -------- d-----w- C:\Fraps 3.2.3
.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-25 08:58 . 2001-10-25 10:00 516608 ----a-w- c:\windows\system32\winlogon.exe
2010-08-23 20:10 . 2001-10-25 10:00 68736 ----a-w- c:\windows\system32\perfc005.dat
2010-08-23 20:10 . 2001-10-25 10:00 389664 ----a-w- c:\windows\system32\perfh005.dat
2010-07-25 20:16 . 2010-07-25 20:16 0 ----a-w- c:\windows\000001_.tmp
2010-07-19 20:45 . 2009-01-18 10:37 2410 ----a-w- c:\windows\PCHEALTH\HELPCTR\PackageStore\SkuStore.bin
2010-07-19 16:01 . 2010-07-19 16:01 -------- d-----w- c:\program files\CCleaner
2010-07-17 03:00 . 2010-07-19 15:50 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-04 07:03 . 2010-07-04 07:03 2286080 ----a-w- c:\windows\system32\python27.dll
2010-07-02 10:43 . 2010-07-02 10:43 95896 ----a-w- c:\windows\system32\drivers\epfwtdir.sys
2010-07-02 10:43 . 2010-07-02 10:43 140752 ----a-w- c:\windows\system32\drivers\eamon.sys
2010-06-30 21:26 . 2010-06-30 21:26 65536 ----a-w- c:\windows\IFinst27.exe
2010-06-22 15:48 . 2010-06-22 15:48 2560 ----a-w- c:\windows\_MSRSTRT.EXE
2010-06-15 02:16 . 2010-06-15 02:16 86016 ----a-w- c:\windows\system32\frapsvid.dll
2009-07-06 19:40 . 2009-07-06 19:40 33280 --sha-w- c:\program files\Thumbs.db
2009-10-05 16:34 . 2010-01-07 15:13 118000 ----a-w- c:\program files\mozilla firefox\components\qippipe.dll
.
(((((((((((((((((((((((((((((((((((((((((( SR_Search ))))))))))))))))))))))))))))))))))))))))))))))))))))))))
[7] D8681F65568AC0C6C7ED11E028EE3503 221184 c:\windows\System32\qmgr.dll
[7] D8681F65568AC0C6C7ED11E028EE3503 221184 \RP189\A0108187.dll
.
------- Sigcheck -------
[-] 2010-08-25 . 32903EC0600863D5B90DDD5FDA70F375 . 516608 . . [5.1.2600.1106] . . c:\windows\system32\winlogon.exe
[7] 2002-09-21 . FF8857D1AF59071F172C0FAD0FD33E87 . 516608 . . [5.1.2600.1106] . . c:\windows\ServicePackFiles\i386\winlogon.exe
[-] 2004-07-09 02:27 . 0E51BD586D186F61A9E4453DB8AEC774 . 1703936 . . [5.3.0000001.0904 built by: private/Lab06_dev(DXBLD00)] . . c:\windows\system32\d3d9.dll
c:\windows\System32\wscntfy.exe ... chybí !!
c:\windows\System32\xmlprov.dll ... chybí !!
.
((((((((((((((((((((((((((((( SnapShot@2010-08-23_21.10.38 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-12-21 18:09 . 2009-12-21 18:09 16832 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA79201B7449A0300000010\9.3.0\ViewerPS.dll
+ 2009-12-21 23:57 . 2009-12-21 23:57 35760 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA79201B7449A0300000010\9.3.0\reader_sl.exe
+ 2009-12-21 18:02 . 2009-12-21 18:02 79280 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA79201B7449A0300000010\9.3.0\PDFPrevHndlr.dll
+ 2009-12-21 21:21 . 2009-12-21 21:21 99776 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA79201B7449A0300000010\9.3.0\eula.exe
+ 2009-12-11 13:57 . 2009-12-11 13:57 70584 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA79201B7449A0300000010\9.3.0\adobeextractfiles.dll
+ 2009-12-21 21:37 . 2009-12-21 21:37 27048 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA79201B7449A0300000010\9.3.0\acrotextextractor.exe
+ 2009-12-21 16:39 . 2009-12-21 16:39 15288 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA79201B7449A0300000010\9.3.0\AcroRd32Info.exe
+ 2009-12-21 16:27 . 2009-12-21 16:27 75200 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA79201B7449A0300000010\9.3.0\acroiehelpershim.dll
+ 2009-12-21 16:27 . 2009-12-21 16:27 61888 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA79201B7449A0300000010\9.3.0\AcroIEHelper.dll
- 2010-08-22 08:54 . 2010-08-22 08:54 5120 c:\windows\Installer\{789289CA-F73A-4A16-A331-54D498CE069F}\Icon789289CA.exe
+ 2010-08-23 21:14 . 2010-08-23 21:14 5120 c:\windows\Installer\{789289CA-F73A-4A16-A331-54D498CE069F}\Icon789289CA.exe
+ 2010-08-23 21:24 . 2010-07-17 03:00 153376 c:\windows\system32\javaws.exe
- 2010-07-19 15:50 . 2010-04-12 15:29 153376 c:\windows\system32\javaws.exe
- 2010-07-19 15:50 . 2010-04-12 15:29 145184 c:\windows\system32\javaw.exe
+ 2010-08-23 21:24 . 2010-07-17 03:00 145184 c:\windows\system32\javaw.exe
- 2010-07-19 15:50 . 2010-04-12 15:29 145184 c:\windows\system32\java.exe
+ 2010-08-23 21:24 . 2010-07-17 03:00 145184 c:\windows\system32\java.exe
+ 2010-08-23 21:24 . 2010-08-23 21:24 180224 c:\windows\Installer\45bfa.msi
+ 2009-12-11 13:57 . 2009-12-11 13:57 326056 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA79201B7449A0300000010\9.3.0\readerupdater.exe
+ 2009-12-21 16:35 . 2009-12-21 16:35 378264 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA79201B7449A0300000010\9.3.0\pdfshell.dll
+ 2009-12-21 18:05 . 2009-12-21 18:05 116168 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA79201B7449A0300000010\9.3.0\PDFPrevHndlrShim.exe
+ 2009-12-21 16:34 . 2009-12-21 16:34 103864 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA79201B7449A0300000010\9.3.0\nppdf32.dll
+ 2009-11-09 17:18 . 2009-11-09 17:18 684032 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA79201B7449A0300000010\9.3.0\JP2KLib.dll
+ 2009-12-21 18:02 . 2009-12-21 18:02 542168 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA79201B7449A0300000010\9.3.0\AdobeCollabSync.exe
+ 2009-12-11 13:57 . 2009-12-11 13:57 948672 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA79201B7449A0300000010\9.3.0\adobearm.exe
+ 2009-12-21 16:43 . 2009-12-21 16:43 120240 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA79201B7449A0300000010\9.3.0\AcroRdIF.dll
+ 2009-12-21 23:57 . 2009-12-21 23:57 349616 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA79201B7449A0300000010\9.3.0\AcroRd32.exe
+ 2009-12-21 16:15 . 2009-12-21 16:15 660912 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA79201B7449A0300000010\9.3.0\AcroPDF.dll
+ 2009-12-21 17:32 . 2009-12-21 17:32 280024 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA79201B7449A0300000010\9.3.0\acrobroker.exe
+ 2009-12-11 13:57 . 2009-12-11 13:57 326056 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA79201B7449A0300000010\9.3.0\acrobatupdater.exe
+ 2009-12-21 17:15 . 2009-12-21 17:15 251296 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA79201B7449A0300000010\9.3.0\a3dutility.exe
+ 2010-06-20 08:01 . 2010-06-20 08:01 8040960 c:\windows\Installer\45bdf.msp
+ 2010-08-23 21:19 . 2010-08-23 21:19 3948032 c:\windows\Installer\45b00.msi
+ 2009-12-21 16:29 . 2009-12-21 16:29 2409880 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA79201B7449A0300000010\9.3.0\rt3d.dll
+ 2009-12-21 17:00 . 2009-12-21 17:00 1298996 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA79201B7449A0300000010\9.3.0\JSByteCodeWin.bin
+ 2009-10-27 18:34 . 2009-10-27 18:34 5009408 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA79201B7449A0300000010\9.3.0\authplay.dll
+ 2009-12-21 21:31 . 2009-12-21 21:31 5713920 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA79201B7449A0300000010\9.3.0\AGM.dll
+ 2010-04-04 06:54 . 2010-04-04 06:54 11850240 c:\windows\Installer\45be0.msp
+ 2010-08-13 18:09 . 2010-08-13 18:09 12263936 c:\windows\Installer\45bde.msp
+ 2009-12-21 21:21 . 2009-12-21 21:21 20436408 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA79201B7449A0300000010\9.3.0\AcroRd32.dll
.
(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Fraps"="c:\fraps 3.2.3\FRAPS.EXE" [2010-06-15 2320304]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2004-08-30 69632]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2010-07-02 2202704]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2002-09-21 13312]
c:\documents and settings\All Users\Nabídka Start\Programy\Po spuštění\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2001-10-2 65588]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [28.4.2010 8:17 114984]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2.7.2010 12:43 95896]
R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [2.7.2010 12:43 810144]
S1 1236da4d;1236da4d;c:\windows\system32\drivers\1236da4d.sys [7.7.2009 10:08 16384]
S3 dump_wmimmc;dump_wmimmc;\??\d:\luna online\GameGuard\dump_wmimmc.sys --> d:\luna online\GameGuard\dump_wmimmc.sys [?]
S3 GarenaPEngine;GarenaPEngine;\??\c:\docume~1\login\LOCALS~1\Temp\ZDB10B.tmp --> c:\docume~1\login\LOCALS~1\Temp\ZDB10B.tmp [?]
S3 npggsvc;nProtect GameGuard Service;c:\windows\System32\GameMon.des -service --> c:\windows\System32\GameMon.des -service [?]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [18.5.2009 18:25 721904]
.
Obsah adresáře 'Naplánované úlohy'
2010-08-25 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-02-25 12:58]
.
.
------- Doplňkový sken -------
.
uStart Page = hxxp://seznam.cz/
uDefault_Search_URL = hxxp://search.qip.ru
uSearchAssistant = hxxp://search.qip.ru/ie
uSearchURL,(Default) = Root: HKCU; Subkey: Software\Microsoft\Internet Explorer\SearchUrl; ValueType: string; ValueName: '; ValueData: '; Flags: createvalueifdoesntexist noerror; Tasks: AddSearchQip
IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
DPF: {1F831FA2-42FC-11D4-95A6-0080AD30DCE1} - file://c:\program files\AutoCAD 2002 Cz\InstFred.ocx
DPF: {AE563723-B4F5-11D4-A415-00108302FDFD} - file://c:\program files\AutoCAD 2002 Cz\InstBanr.ocx
FF - ProfilePath - c:\documents and settings\login\Data aplikací\Mozilla\Firefox\Profiles\0wblb4jw.default\
FF - component: c:\program files\Mozilla Firefox\extensions\{7c5c0f58-e061-457d-9033-77307f5ed00c}\components\FFAlert.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
---- NASTAVENÍ FIREFOXU ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".cz");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-25 11:01
Windows 5.1.2600 Service Pack 1 FAT NTAPI
skenování skrytých procesů ...
skenování skrytých položek 'Po spuštění' ...
skenování skrytých souborů ...
sken byl úspešně dokončen
skryté soubory: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet006\Services\GarenaPEngine]
"ImagePath"="\??\c:\docume~1\login\LOCALS~1\Temp\ZDB10B.tmp"
[HKEY_LOCAL_MACHINE\System\ControlSet006\Services\npggsvc]
"ImagePath"="c:\windows\System32\GameMon.des -service"
.
--------------------- ZAMKNUTÉ KLÍČE V REGISTRU ---------------------
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\System32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\System32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- Knihovny navázané na běžící procesy ---------------------
- - - - - - - > 'winlogon.exe'(620)
c:\windows\System32\ODBC32.dll
c:\windows\system32\Ati2evxx.dll
- - - - - - - > 'lsass.exe'(676)
c:\windows\System32\dssenh.dll
- - - - - - - > 'explorer.exe'(3860)
c:\windows\System32\msi.dll
.
------------------------ Jiné spuštené procesy ------------------------
.
c:\windows\System32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\windows\SOUNDMAN.EXE
c:\windows\System32\DRIVERS\CDANTSRV.EXE
c:\program files\Java\jre6\bin\jqs.exe
.
**************************************************************************
.
Celkový čas: 2010-08-25 11:03:05 - počítač byl restartován
ComboFix-quarantined-files.txt 2010-08-25 09:03
ComboFix2.txt 2010-08-23 21:13
Před spuštěním: Volných bajtů: 15 845 572 608
Po spuštění: Volných bajtů: 15 842 017 280
Current=6 Default=6 Failed=1 LastKnownGood=7 Sets=1,2,3,4,5,6,7
- - End Of File - - 2525D31332B2B66704BFE415853BADF2
Virus Total:
(c:\windows\System32\dssenh.dll)- http://www.virustotal.com/file-scan/rep ... 1282727212
(c:\windows\IFinst27.exe)- http://www.virustotal.com/file-scan/rep ... 1282727755
(c:\windows\system32\python27.dll)- http://www.virustotal.com/file-scan/rep ... 1282727492
(c:\windows\system32\dllcache\diantz.exe)- http://www.virustotal.com/file-scan/rep ... 1282727628
Re: Log check
Also test this on VirusTotal:
c:\windows\system32\winlogon.exe
Given that you only have SP1, I really don't have the replacement files for that.
Can you at least install SP2?
Otherwise it isn't even worth fixing; with those security holes it will crawl right back in.
Re: Log check
winlogon is clean, see http://www.virustotal.com/file-scan/rep ... 1282736196
I'll try to find SP2 somewhere; if I get hold of it, I'll write back. Thanks a lot for the help.
Re: Log check
Then install it; otherwise it really isn't worth it.