Hoj lidi - kontrola HJT-log Vyřešeno

[peacoq]

Ahoj, prosim o kontrolu
Pocitac je pravidelne cisten (laptop Dell Inspiron, Dual Core AMD Turion, Vista Busisess - 32bit english);
Ccleaner (smetak i registry) vzdy po odchodu z internetu (venuji tomu ony 2 minuty), Spy Bot, SAS, Reg Cleaner for Vista, (podle potreby a podezreji, jinka cca. co 14 dni Spy bot, 1x mesicne SAS a Auslogic na defragmentaci. V pripade, ze do komplu flakne vir, hned projedu A-Virem, jinak cca co 14 dni.
Ccleaner akorat pravidelne maze zapis v registrech:

Mozilla nekdy zamrzne - nikoli 'not responding', ale prave otevreny otevreny tag se zacne nacitat, a kdyz prekliknu na jine okno, tak to se take neobnovi, a tak se vsechny okna jen nacitaji a nic. Mozilla jde zavrit 'vykrizkovat', a v task-managery je take pryc. Pri opetovnem pokusu Mozillu otevrit se neotevre home-page, jakoze se nenacte nic ani jina stranka. Kdyz zkusim v tomto pripade otevrit Flock, tak se taky neotevre. Jiny prohlizec nepouzivam (ale jako default/ni je nastaven IE).
Po restartu je jiz vse v poradku.
Jinak s komplem nejsou problemy.
Dekuji
...
Logfile of HijackThis v1.99.1
Scan saved at 19:29:20, on 11/12/2008
Platform: Unknown Windows (WinNT 6.00.1905 SP1)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Windows\sttray.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Windows\V0250Mon.exe
C:\Program Files\Creative\Creative Live! Cam\VideoFX\StartFX.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Creative\Creative Live! Cam\Live! Cam Manager\CTLCMgr.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\totalcmd\TOTALCMD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\SndVol.exe
C:\Program Files\ICQ6\ICQ.exe
C:\Program Files\Flock\flock\flock.exe
C:\Users\Dell\hi jack this\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Link Helper - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [V0250Mon.exe] C:\Windows\V0250Mon.exe
O4 - HKLM\..\Run: [AVFX Engine] C:\Program Files\Creative\Creative Live! Cam\VideoFX\StartFX.exe
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Creative Live! Cam Manager] "C:\Program Files\Creative\Creative Live! Cam\Live! Cam Manager\CTLCMgr.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nlaapi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\napinsp.dll
O11 - Options group: [INTERNATIONAL] International*
O13 - Gopher Prefix:
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Avira AntiVir Personal – Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: @gpapi.dll,-112 (gpsvc) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: @%SystemRoot%\system32\qwave.dll,-1 (QWAVE) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: @%SystemRoot%\system32\seclogon.dll,-7001 (seclogon) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\Windows\System32\ZoneLabs\vsmon.exe
O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - %ProgramFiles%\Windows Media Player\wmpnetwk.exe (file missing)

[Reklama]

[jaro3]

Dáváš sem starou verzi HJT:nová ke stažení:
http://www.trendsecure.com/portal/en-US ... ckThis.exe
Zavři ostatní aplikace a prohlížeče, odpoj se od netu a fixni v HJT:

Kód: Vybrat vše

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O13 - Gopher Prefix:
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" –atboottime


Stáhni si Malwarebytes' Anti-Malware
Nainstaluj a spusť ho
- na konci instalace se ujisti že máš zvoleny/zatrhnuty obě možnosti:
Update Malwarebytes' Anti-Malware (Aktualizace Malwarebytes' Anti-Malware) a Launch Malwarebytes' Anti-Malware (Spustit aplikaci Malwarebytes' Anti-Malware), pokud jo tak klikni na tlačítko Finish
- pokud bude nalezena aktualizace, tak se stáhne a nainstaluje
- program se po té spustí a nech vybranou možnost Perform Quick Scan (Provést rychlý sken) a klikni na tlačítko Scan (Skenovat)
- po proběhnutí programu se ti objeví hláška tak klikni na OK a pak na tlačítko Show Results
- pak zvol možnost Save Logfile a ulož si log na plochu
- po té klikni na tlačítko Exit, objeví se ti hláška tak zvol Ano
(zatím nic nemaž!).
Vlož sem pak obsah toho logu.

[peacoq]

Ahoj,
HJT toto hlasi vzdy, fixnuto. Pouzivam tuto verzi; vzdy, kdyz se pusti, udela a ulozi so slozky novy log. S tou novejsi, jak pises, mam zkusenost, ze se neprepsal stary log (a tak jsem HJT vzdy odinstaloval - nainstaloval, abych pri dalsim scan/u dostal novy log).
Malware: nemusel jsem klikat na zadne Show REsult, log rovnou vyskocil, a dal jsem ho na plochu.
...
Malwarebytes' Anti-Malware 1.31
Database version: 1490
Windows 6.0.6001 Service Pack 1

11/12/2008 20:47:57
mbam-log-2008-12-11 (20-47-57).txt

Scan type: Quick Scan
Objects scanned: 41527
Time elapsed: 4 minute(s), 57 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

[jaro3]

Ta mozzila může být infikovaná, nestahoval jsi pluginy z neověřených stránek?
Z tohoto to nepoznám.
Vypni ochranu u Aviry.
vypni rez. ochranu u SpyBota:
- spusť Spybot - Search & Destroy
- nahoře v menu zvol: Režim => Pro pokročilé
- objeví se ti varovné okno kde zvol Ano
- okno programu se ti přepne do pokročilého zobrazení a tam zvol: Nástroje => Rezidentní
- tam zruš zatržení pokud bude u položky: Rezidentní program "TeaTimer" (Ochrana ...)
- zavři program
Restartuj PC.
Po té si stáhni ResetTeaTimer.bat(viz. Poznámka)
a ulož si ho na disku.
- spusť ho a po vyzvání zmáčkni libovolnou klávesu
- po proběhnutí a výzvě opět zmáčkni libovolnou klávesu a program se zavře.
Poznámka:
- pokud používáš Operu, tak klikni pravým tlačítkem myši na odkaz a zvol možnost Uložit cíl odkazu jako...
- pokud používáš Firefox tak klikni pravým tlačítkem myši na odkaz a zvol možnost Uložit odkaz jako...

Stáhni si ComboFix (by sUBs)
a ulož si ho na plochu.
Ukonči všechna aktivní okna a spusť ho.
- Po spuštění se zobrazí podmínky užití, potvrď je stiskem tlačítka Ano
- Dále postupuj dle pokynů, během aplikování ComboFixu neklikej do zobrazujícího se okna
- Po dokončení skenování by měl program vytvořit log - C:\ComboFix.txt - zkopíruj sem prosím celý jeho obsah
Dnes musím končit, podívám se zítra..

[peacoq]

tak jo, aspon mam cas se podivat na to co a jak dela Spy Bot a coze to mam vse udelat ...snad pojede aji zitra

[peacoq]

ahoj zpatky

1, vypnul jsem Aviru (po nastaveni Spy-botu a restartu se zase sama zapla)
2, nastavil Spy bot, jak jsi si pral :) doporucil vyskrknout residentni ochranu. Zaskrknute zustalo Resident 'SD Helper', odskrknute Resident 'TeaTimer'.

3, soubor .bat stahnut na 'C' a spusten, ale... k pokracovani si vyzadal klik klavesy (press any key to continue) ..a okno zhaslo, ale 'po probehnuti a vyzve opet zmackni klavesu', tak tento krom se neudal. Okno zhaslo hned, jak jsem kliknul klavesou.

Cekal jsem asi 10 minut a nic se nedelo. Tak to zkusil znova, se stejnym vysledkem. Zase pockal asi 5 minut a tak jsem pokracoval Combo Fixem;
4, ulozil na plochu, zavrel vse i net a spustil
5, firewall si vyzadal povoleni pro PING.EXE
6, behem chodu CF Avira hlasi, dal jsem zamitnout vstup (jako normalne):
Virus or unwanted program 'Eicar-Test-Signature [virus]'
detected in file 'C:\ComboFix\N_\17885.

7, firewall zada povoleni pro ipconfig.exe
8, Find String (QGREP) Utility zastavil cinnost

9, CF ukoncil cinnost, vytvoril slozku na 'C' a logaritmus

...
Zapl jsem net, vlozil log a PC vypnul. Nic vic jsem nedelal, nevim jeslti se ma zpet prenastavit Resident Spy bot, snazat to .bat, (na ikon-tray tedy jiz neni ikova SP s tim zamkem), atd., ani na netu uz nebyl, ICQ,..nic. Vypnul jsem ho,..a zapnul az rano tedy bez S-bot TeaTimer.
...
ComboFix 08-12-11.01 - Dell 2008-12-11 21:33:44.1 - NTFSx86
Microsoft® Windows Vista™ Business 6.0.6001.1.1252.1.1033.18.321 [GMT 1:00]
Running from: c:\users\Dell\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2008-11-11 to 2008-12-11 )))))))))))))))))))))))))))))))
.

2008-12-11 21:23 . 2008-12-11 21:23 9,123 --a------ C:\ResetTeaTimer.bat
2008-12-11 20:40 . 2008-12-11 20:40 <DIR> d-------- c:\users\Dell\AppData\Roaming\Malwarebytes
2008-12-11 20:40 . 2008-12-11 20:40 <DIR> d-------- c:\users\All Users\Malwarebytes
2008-12-11 20:40 . 2008-12-11 20:40 <DIR> d-------- c:\programdata\Malwarebytes
2008-12-11 20:40 . 2008-12-11 20:40 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-11 20:40 . 2008-12-03 19:59 38,496 --a------ c:\windows\System32\drivers\mbamswissarmy.sys
2008-12-11 20:40 . 2008-12-03 19:59 15,504 --a------ c:\windows\System32\drivers\mbam.sys
2008-12-11 16:55 . 2008-12-11 16:55 <DIR> d-------- c:\program files\Microsoft Games
2008-12-10 20:52 . 2008-10-22 02:22 2,048 --a------ c:\windows\System32\tzres.dll
2008-12-10 20:32 . 2008-11-01 02:21 4,240,384 --a------ c:\windows\System32\GameUXLegacyGDFs.dll
2008-12-10 20:32 . 2008-10-21 06:25 296,960 --a------ c:\windows\System32\gdi32.dll
2008-12-10 20:32 . 2008-11-01 04:44 28,672 --a------ c:\windows\System32\Apphlpdm.dll
2008-12-05 23:58 . 2008-12-05 23:57 410,984 --a------ c:\windows\System32\deploytk.dll
2008-12-05 13:16 . 2008-02-23 05:38 170,496 --a------ c:\windows\System32\tcpipcfg.dll
2008-12-05 13:16 . 2008-02-23 03:41 22,528 --a------ c:\windows\System32\netiougc.exe
2008-12-05 13:15 . 2008-11-13 15:18 1,221,008 --a------ c:\windows\System32\zpeng25.dll
2008-11-26 12:02 . 2008-10-22 04:57 241,152 --a------ c:\windows\System32\PortableDeviceApi.dll
2008-11-26 12:01 . 2008-10-21 06:25 1,645,568 --a------ c:\windows\System32\connect.dll
2008-11-26 12:01 . 2008-08-28 04:40 712,704 --a------ c:\windows\System32\WindowsCodecs.dll
2008-11-26 12:01 . 2008-08-28 04:40 425,472 --a------ c:\windows\System32\PhotoMetadataHandler.dll
2008-11-26 12:01 . 2008-08-28 04:40 347,136 --a------ c:\windows\System32\WindowsCodecsExt.dll
2008-11-23 02:40 . 2007-09-04 17:56 164,352 --a------ c:\windows\System32\unrar.dll
2008-11-23 02:40 . 2008-07-30 20:09 38 --a------ c:\windows\avisplitter.ini
2008-11-23 02:39 . 2008-11-23 02:39 <DIR> d-------- c:\users\All Users\Real
2008-11-23 02:39 . 2008-11-23 02:39 <DIR> d-------- c:\program files\K-Lite Codec Pack
2008-11-23 02:39 . 2008-09-24 19:41 839,680 --a------ c:\windows\System32\lameACM.acm
2008-11-23 02:39 . 2008-01-10 13:15 755,027 --a------ c:\windows\System32\xvidcore.dll
2008-11-23 02:39 . 2004-01-25 17:18 217,088 --a------ c:\windows\System32\yv12vfw.dll
2008-11-23 02:39 . 2008-01-10 13:16 159,839 --a------ c:\windows\System32\xvidvfw.dll
2008-11-23 02:39 . 2007-09-21 01:52 118,784 --a------ c:\windows\System32\ac3acm.acm
2008-11-23 02:39 . 2008-11-02 15:02 7,680 --a------ c:\windows\System32\ff_vfw.dll
2008-11-23 02:39 . 2007-07-10 17:10 547 --a------ c:\windows\System32\ff_vfw.dll.manifest
2008-11-23 02:39 . 2008-10-03 13:30 414 --a------ c:\windows\System32\lame_acm.xml
2008-11-22 18:13 . 2008-11-22 18:13 <DIR> d-------- c:\program files\Cenega Czech
2008-11-21 11:51 . 2008-10-16 22:13 1,809,944 --a------ c:\windows\System32\wuaueng.dll
2008-11-21 11:51 . 2008-10-16 21:56 1,524,736 --a------ c:\windows\System32\wucltux.dll
2008-11-21 11:51 . 2008-10-16 22:12 561,688 --a------ c:\windows\System32\wuapi.dll
2008-11-21 11:51 . 2008-10-16 21:55 83,456 --a------ c:\windows\System32\wudriver.dll
2008-11-21 11:51 . 2008-10-16 22:09 51,224 --a------ c:\windows\System32\wuauclt.exe
2008-11-21 11:51 . 2008-10-16 22:09 43,544 --a------ c:\windows\System32\wups2.dll
2008-11-21 11:51 . 2008-10-16 22:08 34,328 --a------ c:\windows\System32\wups.dll
2008-11-21 11:50 . 2008-10-16 14:08 162,064 --a------ c:\windows\System32\wuwebv.dll
2008-11-21 11:50 . 2008-10-16 13:56 31,232 --a------ c:\windows\System32\wuapp.exe
2008-11-20 16:03 . 2008-11-20 16:03 <DIR> d-------- c:\users\All Users\ATI
2008-11-20 16:03 . 2008-11-20 16:03 <DIR> d-------- c:\programdata\ATI
2008-11-13 10:18 . 2008-09-10 04:40 1,334,272 --a------ c:\windows\System32\msxml6.dll
2008-11-13 10:18 . 2008-09-05 06:14 1,191,936 --a------ c:\windows\System32\msxml3.dll
2008-11-13 10:18 . 2008-08-27 02:05 212,480 --a------ c:\windows\System32\drivers\mrxsmb10.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-11 20:18 348,370 ---ha-w c:\windows\system32\drivers\vsconfig.xml
2008-12-11 20:12 --------- d-----w c:\programdata\Spybot - Search & Destroy
2008-12-11 09:47 --------- d-----w c:\users\Dell\AppData\Roaming\Skype
2008-12-11 09:01 --------- d-----w c:\users\Dell\AppData\Roaming\skypePM
2008-12-10 20:00 --------- d-----w c:\program files\Windows Mail
2008-12-09 11:41 --------- d-----w c:\users\Dell\AppData\Roaming\uTorrent
2008-12-08 22:04 32,822,877 ----a-w c:\windows\Internet Logs\vsmon_on_demand_thread_2008_12_08_22_05_56_full.dmp.zip
2008-12-08 14:55 611,352 ----a-w c:\windows\Internet Logs\vsmon_on_demand_thread_2008_12_08_15_54_03_full.dmp.zip
2008-12-05 22:56 --------- d-----w c:\program files\Java
2008-12-05 21:38 --------- d-----w c:\program files\QIP
2008-11-30 12:20 --------- d-----w c:\users\Dell\AppData\Roaming\ICQ
2008-11-23 01:23 --------- d-----w c:\program files\Real
2008-11-23 01:23 --------- d-----w c:\program files\Common Files\Real
2008-11-20 21:36 --------- d-----w c:\program files\ATI
2008-11-20 14:57 --------- d-----w c:\program files\ATI Technologies
2008-11-19 18:19 --------- d-----w c:\program files\SUPERAntiSpyware
2008-11-19 17:26 1,939,968 ----a-w c:\windows\Internet Logs\xDB75BC.tmp
2008-11-18 21:59 --------- d-----w c:\program files\Call of Duty
2008-11-13 14:19 293,776 ----a-w c:\windows\system32\drivers\vsdatant.sys
2008-11-07 13:16 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-11-03 20:39 --------- d-----w c:\program files\JLC's Software
2008-11-01 11:42 --------- d-----w c:\users\Dell\AppData\Roaming\JLC's Software
2008-11-01 03:44 541,696 ----a-w c:\windows\AppPatch\AcLayers.dll
2008-11-01 03:44 52,736 ----a-w c:\windows\AppPatch\iebrshim.dll
2008-11-01 03:44 460,288 ----a-w c:\windows\AppPatch\AcSpecfc.dll
2008-11-01 03:44 2,154,496 ----a-w c:\windows\AppPatch\AcGenral.dll
2008-11-01 03:44 173,056 ----a-w c:\windows\AppPatch\AcXtrnal.dll
2008-10-29 06:29 2,927,104 ----a-w c:\windows\explorer.exe
2008-10-29 03:11 4,017,152 ----a-w c:\windows\system32\drivers\atikmdag.sys
2008-10-29 02:21 425,984 ----a-w c:\windows\System32\ATIDEMGX.dll
2008-10-29 02:20 331,776 ----a-w c:\windows\System32\atipdlxx.dll
2008-10-29 02:20 262,144 ----a-w c:\windows\System32\Oemdspif.dll
2008-10-29 02:20 159,744 ----a-w c:\windows\System32\atitmmxx.dll
2008-10-29 02:19 43,520 ----a-w c:\windows\System32\ati2edxx.dll
2008-10-29 02:19 274,432 ----a-w c:\windows\System32\Ati2evxx.dll
2008-10-29 02:18 712,704 ----a-w c:\windows\System32\Ati2evxx.exe
2008-10-29 02:03 3,955,712 ----a-w c:\windows\System32\atiumdag.dll
2008-10-29 01:47 10,629,120 ----a-w c:\windows\System32\atioglxx.dll
2008-10-29 01:41 4,730,880 ----a-w c:\windows\System32\atiumdva.dll
2008-10-29 01:27 54,272 ----a-w c:\windows\System32\atiadlxx.dll
2008-10-29 01:27 50,688 ----a-w c:\windows\System32\amdpcom32.dll
2008-10-29 01:10 53,248 ----a-w c:\windows\system32\drivers\ati2erec.dll
2008-10-27 20:23 --------- d-----w c:\users\Dell\AppData\Roaming\OpenOffice.org
2008-10-27 20:08 --------- d-----w c:\program files\OpenOffice.org 3
2008-10-27 20:08 --------- d-----w c:\program files\JRE
2008-10-27 19:47 --------- d-----w c:\users\Dell\AppData\Roaming\OpenOffice.org2
2008-10-25 15:52 --------- d-----w c:\users\Dell\AppData\Roaming\XnView
2008-10-24 20:42 --------- d-----w c:\users\Dell\AppData\Roaming\vlc
2008-10-22 19:23 3,035,074 ----a-w c:\windows\Internet Logs\tvDebug.zip
2008-10-21 17:51 118,784 ----a-w c:\windows\System32\atibrtmon.exe
2008-10-20 21:05 --------- d-----w c:\program files\Microsoft Silverlight
2008-10-20 17:02 --------- d-----w c:\programdata\NOS
2008-10-16 04:47 827,392 ----a-w c:\windows\System32\wininet.dll
2008-09-18 05:09 3,601,464 ----a-w c:\windows\System32\ntkrnlpa.exe
2008-09-18 05:09 3,549,240 ----a-w c:\windows\System32\ntoskrnl.exe
2008-09-18 04:56 147,456 ----a-w c:\windows\System32\Faultrep.dll
2008-09-18 04:56 125,952 ----a-w c:\windows\System32\wersvc.dll
2008-09-18 02:16 2,032,640 ----a-w c:\windows\System32\win32k.sys
2008-09-14 10:02 2,201,600 ----a-w c:\windows\Internet Logs\xDB7203.tmp
2008-07-20 17:52 174 --sha-w c:\program files\desktop.ini
2008-07-18 02:32 56 ---ha-w c:\users\All Users\ezsidmv.dat
2008-07-18 02:32 56 ---ha-w c:\programdata\ezsidmv.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Creative Live! Cam Manager"="c:\program files\Creative\Creative Live! Cam\Live! Cam Manager\CTLCMgr.exe" [2006-05-31 143360]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-18 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-11-15 815104]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-05 136600]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-03-28 413696]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-07-22 266497]
"V0250Mon.exe"="c:\windows\V0250Mon.exe" [2006-06-08 32768]
"AVFX Engine"="c:\program files\Creative\Creative Live! Cam\VideoFX\StartFX.exe" [2006-06-09 24576]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-29 61440]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-11-13 981904]
"SigmatelSysTrayApp"="sttray.exe" [2007-01-12 c:\windows\sttray.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2008-04-18 9117696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-09-01 21:27 352256 c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{4FE7EC16-90C3-4DF6-A550-035F37455790}"= c:\program files\Skype\Phone\Skype.exe:Skype
"{DA9A6868-810D-437D-8E1A-B2E91910966F}"= UDP:c:\program files\uTorrent\utorrent.exe:µTorrent
"{7252612B-BA6E-4980-A8F1-C97A7E3447C6}"= TCP:c:\program files\uTorrent\utorrent.exe:µTorrent
"{719856C9-0F8A-4E90-A8A0-95AA7B99290A}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{13C78979-3DEF-43ED-A09B-F96C2D32B829}"= UDP:c:\program files\uTorrent\utorrent.exe:µTorrent (TCP-In)
"{0674E638-0F9B-4BE9-A9FE-625C23D43839}"= TCP:c:\program files\uTorrent\utorrent.exe:µTorrent (UDP-In)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

R1 SASDIFSV;SASDIFSV;\??\c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2008-05-28 8944]
R1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2008-05-28 55024]
S3 s115bus;Sony Ericsson Device 115 driver (WDM);c:\windows\system32\DRIVERS\s115bus.sys [2007-04-23 83208]
S3 s115mdfl;Sony Ericsson Device 115 USB WMC Modem Filter;c:\windows\system32\DRIVERS\s115mdfl.sys [2007-04-23 15112]
S3 s115mdm;Sony Ericsson Device 115 USB WMC Modem Driver;c:\windows\system32\DRIVERS\s115mdm.sys [2007-04-23 108680]
S3 s115mgmt;Sony Ericsson Device 115 USB WMC Device Management Drivers (WDM);c:\windows\system32\DRIVERS\s115mgmt.sys [2007-04-23 100488]
S3 s115obex;Sony Ericsson Device 115 USB WMC OBEX Interface;c:\windows\system32\DRIVERS\s115obex.sys [2007-04-23 98568]
S3 SASENUM;SASENUM;\??\c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-05-28 7408]
S3 V0250Dev;Live! Cam Notebook Pro;c:\windows\system32\DRIVERS\V0250Dev.sys [2008-07-23 169696]
S3 V0250Vfx;V0250Vfx;c:\windows\system32\DRIVERS\V0250Vfx.sys [2008-07-23 6272]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

*Newly Created Service* - CATCHME
*Newly Created Service* - PROCEXP90
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-11 21:39:23
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\TEMP\TMP00000055C1E5B3DC93D653E3 524288 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************
.
Completion time: 2008-12-11 21:46:30
ComboFix-quarantined-files.txt 2008-12-11 20:46:26

Pre-Run: 14,428,868,608 bytes free
Post-Run: 15,158,972,416 bytes free

194 --- E O F --- 2008-12-11 15:51:10

[jaro3]

Otevři si Poznámkový blok (Start -> Spustit... a napiš do okna Notepad a dej Ok.
Zkopíruj do něj následující celý text označený zeleně:
Poznámka: Nepoužij k označení skriptu funkci VYBRAT VŠE

Kód: Vybrat vše

File::
c:\windows\avisplitter.ini
c:\windows\Internet Logs\xDB75BC.tmp
c:\windows\Internet Logs\xDB7203.tmp
c:\users\All Users\ezsidmv.dat
c:\programdata\ezsidmv.dat

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000000

Zvol možnost Soubor -> Uložit jako... a nastav tyto parametry:
Název souboru: zde napiš: CFScript.txt
Uložit jako typ: tak tam vyber Všechny soubory
Ulož soubor na plochu.
Ukonči všechna aktivní okna.

Uchop myší vytvořený skript CFScript.txt, přemísti ho nad stažený program ComboFix.exe a když se oba soubory překryjí, skript upusť.
- Automaticky se spustí ComboFix
- Vlož sem log, který vyběhne v závěru čistícího procesu + nový log z HJT

Pokud toto neznáš:
c:\windows\Internet Logs\vsmon_on_demand_thread_2008_12_08_22_05_56_full.dmp.zip
c:\windows\Internet Logs\vsmon_on_demand_thread_2008_12_08_15_54_03_full.dmp.zip
c:\windows\TEMP\TMP00000055C1E5B3DC93D653E3
otestuj na Virustotal
Vlož sem pak výsledky, pokud to má velkou kapacitu , koukni se , co to je.

[peacoq]

Ahoj,
od deviti tady tancim esi se objevis ...takze, jakoze te rad vidim.
...
1, ConboFix; pri prekryti nabidnul novou verzi k instalaci (klik jsem OK a download -asi pochopitelne- selhal, nabidnutu pokracovat ve stavajici verzi)
2, behem chodu CF hlasi AV (stejne jako predtim, jen jine cislo):
Virus or unwanted program 'Eicar-Test-Signature [virus]'
detected in file 'C:\ComboFix\N_\23020.
3, behem chodu CF Find String (QGREP) Utility -zase- ukoncil cinnost (Close Program) ...vyjel log, konec.
........................................................................................................................................
ComboFix 08-12-11.04 - Dell 2008-12-12 11:40:24.2 - NTFSx86
Microsoft® Windows Vista™ Business 6.0.6001.1.1252.1.1033.18.404 [GMT 1:00]
Running from: c:\users\Dell\Desktop\ComboFix.exe
Command switches used :: c:\users\Dell\Desktop\CFScript.txt

FILE ::
c:\programdata\ezsidmv.dat
c:\users\All Users\ezsidmv.dat
c:\windows\avisplitter.ini
c:\windows\Internet Logs\xDB7203.tmp
c:\windows\Internet Logs\xDB75BC.tmp
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\programdata\ezsidmv.dat
c:\windows\avisplitter.ini
c:\windows\Internet Logs\xDB7203.tmp
c:\windows\Internet Logs\xDB75BC.tmp

.
((((((((((((((((((((((((( Files Created from 2008-11-12 to 2008-12-12 )))))))))))))))))))))))))))))))
.

2008-12-11 21:23 . 2008-12-11 21:23 9,123 --a------ C:\ResetTeaTimer.bat
2008-12-11 20:40 . 2008-12-11 20:40 <DIR> d-------- c:\users\Dell\AppData\Roaming\Malwarebytes
2008-12-11 20:40 . 2008-12-11 20:40 <DIR> d-------- c:\users\All Users\Malwarebytes
2008-12-11 20:40 . 2008-12-11 20:40 <DIR> d-------- c:\programdata\Malwarebytes
2008-12-11 20:40 . 2008-12-11 20:40 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-11 20:40 . 2008-12-03 19:59 38,496 --a------ c:\windows\System32\drivers\mbamswissarmy.sys
2008-12-11 20:40 . 2008-12-03 19:59 15,504 --a------ c:\windows\System32\drivers\mbam.sys
2008-12-11 16:55 . 2008-12-11 16:55 <DIR> d-------- c:\program files\Microsoft Games
2008-12-10 20:52 . 2008-10-22 02:22 2,048 --a------ c:\windows\System32\tzres.dll
2008-12-10 20:32 . 2008-11-01 02:21 4,240,384 --a------ c:\windows\System32\GameUXLegacyGDFs.dll
2008-12-10 20:32 . 2008-10-21 06:25 296,960 --a------ c:\windows\System32\gdi32.dll
2008-12-10 20:32 . 2008-11-01 04:44 28,672 --a------ c:\windows\System32\Apphlpdm.dll
2008-12-05 23:58 . 2008-12-05 23:57 410,984 --a------ c:\windows\System32\deploytk.dll
2008-12-05 13:16 . 2008-02-23 05:38 170,496 --a------ c:\windows\System32\tcpipcfg.dll
2008-12-05 13:16 . 2008-02-23 03:41 22,528 --a------ c:\windows\System32\netiougc.exe
2008-12-05 13:15 . 2008-11-13 15:18 1,221,008 --a------ c:\windows\System32\zpeng25.dll
2008-11-26 12:02 . 2008-10-22 04:57 241,152 --a------ c:\windows\System32\PortableDeviceApi.dll
2008-11-26 12:01 . 2008-10-21 06:25 1,645,568 --a------ c:\windows\System32\connect.dll
2008-11-26 12:01 . 2008-08-28 04:40 712,704 --a------ c:\windows\System32\WindowsCodecs.dll
2008-11-26 12:01 . 2008-08-28 04:40 425,472 --a------ c:\windows\System32\PhotoMetadataHandler.dll
2008-11-26 12:01 . 2008-08-28 04:40 347,136 --a------ c:\windows\System32\WindowsCodecsExt.dll
2008-11-23 02:40 . 2007-09-04 17:56 164,352 --a------ c:\windows\System32\unrar.dll
2008-11-23 02:39 . 2008-11-23 02:39 <DIR> d-------- c:\users\All Users\Real
2008-11-23 02:39 . 2008-11-23 02:39 <DIR> d-------- c:\program files\K-Lite Codec Pack
2008-11-23 02:39 . 2008-09-24 19:41 839,680 --a------ c:\windows\System32\lameACM.acm
2008-11-23 02:39 . 2008-01-10 13:15 755,027 --a------ c:\windows\System32\xvidcore.dll
2008-11-23 02:39 . 2004-01-25 17:18 217,088 --a------ c:\windows\System32\yv12vfw.dll
2008-11-23 02:39 . 2008-01-10 13:16 159,839 --a------ c:\windows\System32\xvidvfw.dll
2008-11-23 02:39 . 2007-09-21 01:52 118,784 --a------ c:\windows\System32\ac3acm.acm
2008-11-23 02:39 . 2008-11-02 15:02 7,680 --a------ c:\windows\System32\ff_vfw.dll
2008-11-23 02:39 . 2007-07-10 17:10 547 --a------ c:\windows\System32\ff_vfw.dll.manifest
2008-11-23 02:39 . 2008-10-03 13:30 414 --a------ c:\windows\System32\lame_acm.xml
2008-11-22 18:13 . 2008-11-22 18:13 <DIR> d-------- c:\program files\Cenega Czech
2008-11-21 11:51 . 2008-10-16 22:13 1,809,944 --a------ c:\windows\System32\wuaueng.dll
2008-11-21 11:51 . 2008-10-16 21:56 1,524,736 --a------ c:\windows\System32\wucltux.dll
2008-11-21 11:51 . 2008-10-16 22:12 561,688 --a------ c:\windows\System32\wuapi.dll
2008-11-21 11:51 . 2008-10-16 21:55 83,456 --a------ c:\windows\System32\wudriver.dll
2008-11-21 11:51 . 2008-10-16 22:09 51,224 --a------ c:\windows\System32\wuauclt.exe
2008-11-21 11:51 . 2008-10-16 22:09 43,544 --a------ c:\windows\System32\wups2.dll
2008-11-21 11:51 . 2008-10-16 22:08 34,328 --a------ c:\windows\System32\wups.dll
2008-11-21 11:50 . 2008-10-16 14:08 162,064 --a------ c:\windows\System32\wuwebv.dll
2008-11-21 11:50 . 2008-10-16 13:56 31,232 --a------ c:\windows\System32\wuapp.exe
2008-11-20 16:03 . 2008-11-20 16:03 <DIR> d-------- c:\users\All Users\ATI
2008-11-20 16:03 . 2008-11-20 16:03 <DIR> d-------- c:\programdata\ATI
2008-11-13 10:18 . 2008-09-10 04:40 1,334,272 --a------ c:\windows\System32\msxml6.dll
2008-11-13 10:18 . 2008-09-05 06:14 1,191,936 --a------ c:\windows\System32\msxml3.dll
2008-11-13 10:18 . 2008-08-27 02:05 212,480 --a------ c:\windows\System32\drivers\mrxsmb10.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-12 08:08 348,370 ---ha-w c:\windows\system32\drivers\vsconfig.xml
2008-12-11 21:18 --------- d-----w c:\programdata\Spybot - Search & Destroy
2008-12-11 09:47 --------- d-----w c:\users\Dell\AppData\Roaming\Skype
2008-12-11 09:01 --------- d-----w c:\users\Dell\AppData\Roaming\skypePM
2008-12-10 20:00 --------- d-----w c:\program files\Windows Mail
2008-12-09 11:41 --------- d-----w c:\users\Dell\AppData\Roaming\uTorrent
2008-12-08 22:04 32,822,877 ----a-w c:\windows\Internet Logs\vsmon_on_demand_thread_2008_12_08_22_05_56_full.dmp.zip
2008-12-08 14:55 611,352 ----a-w c:\windows\Internet Logs\vsmon_on_demand_thread_2008_12_08_15_54_03_full.dmp.zip
2008-12-05 22:56 --------- d-----w c:\program files\Java
2008-12-05 21:38 --------- d-----w c:\program files\QIP
2008-11-30 12:20 --------- d-----w c:\users\Dell\AppData\Roaming\ICQ
2008-11-23 01:23 --------- d-----w c:\program files\Real
2008-11-23 01:23 --------- d-----w c:\program files\Common Files\Real
2008-11-20 21:36 --------- d-----w c:\program files\ATI
2008-11-20 14:57 --------- d-----w c:\program files\ATI Technologies
2008-11-19 18:19 --------- d-----w c:\program files\SUPERAntiSpyware
2008-11-18 21:59 --------- d-----w c:\program files\Call of Duty
2008-11-13 14:19 293,776 ----a-w c:\windows\system32\drivers\vsdatant.sys
2008-11-07 13:16 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-11-03 20:39 --------- d-----w c:\program files\JLC's Software
2008-11-01 11:42 --------- d-----w c:\users\Dell\AppData\Roaming\JLC's Software
2008-11-01 03:44 541,696 ----a-w c:\windows\AppPatch\AcLayers.dll
2008-11-01 03:44 52,736 ----a-w c:\windows\AppPatch\iebrshim.dll
2008-11-01 03:44 460,288 ----a-w c:\windows\AppPatch\AcSpecfc.dll
2008-11-01 03:44 2,154,496 ----a-w c:\windows\AppPatch\AcGenral.dll
2008-11-01 03:44 173,056 ----a-w c:\windows\AppPatch\AcXtrnal.dll
2008-10-29 06:29 2,927,104 ----a-w c:\windows\explorer.exe
2008-10-29 03:11 4,017,152 ----a-w c:\windows\system32\drivers\atikmdag.sys
2008-10-29 02:21 425,984 ----a-w c:\windows\System32\ATIDEMGX.dll
2008-10-29 02:20 331,776 ----a-w c:\windows\System32\atipdlxx.dll
2008-10-29 02:20 262,144 ----a-w c:\windows\System32\Oemdspif.dll
2008-10-29 02:20 159,744 ----a-w c:\windows\System32\atitmmxx.dll
2008-10-29 02:19 43,520 ----a-w c:\windows\System32\ati2edxx.dll
2008-10-29 02:19 274,432 ----a-w c:\windows\System32\Ati2evxx.dll
2008-10-29 02:18 712,704 ----a-w c:\windows\System32\Ati2evxx.exe
2008-10-29 02:03 3,955,712 ----a-w c:\windows\System32\atiumdag.dll
2008-10-29 01:47 10,629,120 ----a-w c:\windows\System32\atioglxx.dll
2008-10-29 01:41 4,730,880 ----a-w c:\windows\System32\atiumdva.dll
2008-10-29 01:27 54,272 ----a-w c:\windows\System32\atiadlxx.dll
2008-10-29 01:27 50,688 ----a-w c:\windows\System32\amdpcom32.dll
2008-10-29 01:10 53,248 ----a-w c:\windows\system32\drivers\ati2erec.dll
2008-10-27 20:23 --------- d-----w c:\users\Dell\AppData\Roaming\OpenOffice.org
2008-10-27 20:08 --------- d-----w c:\program files\OpenOffice.org 3
2008-10-27 20:08 --------- d-----w c:\program files\JRE
2008-10-27 19:47 --------- d-----w c:\users\Dell\AppData\Roaming\OpenOffice.org2
2008-10-25 15:52 --------- d-----w c:\users\Dell\AppData\Roaming\XnView
2008-10-24 20:42 --------- d-----w c:\users\Dell\AppData\Roaming\vlc
2008-10-22 19:23 3,035,074 ----a-w c:\windows\Internet Logs\tvDebug.zip
2008-10-21 17:51 118,784 ----a-w c:\windows\System32\atibrtmon.exe
2008-10-20 21:05 --------- d-----w c:\program files\Microsoft Silverlight
2008-10-20 17:02 --------- d-----w c:\programdata\NOS
2008-10-16 04:47 827,392 ----a-w c:\windows\System32\wininet.dll
2008-09-18 05:09 3,601,464 ----a-w c:\windows\System32\ntkrnlpa.exe
2008-09-18 05:09 3,549,240 ----a-w c:\windows\System32\ntoskrnl.exe
2008-09-18 04:56 147,456 ----a-w c:\windows\System32\Faultrep.dll
2008-09-18 04:56 125,952 ----a-w c:\windows\System32\wersvc.dll
2008-09-18 02:16 2,032,640 ----a-w c:\windows\System32\win32k.sys
2008-07-20 17:52 174 --sha-w c:\program files\desktop.ini
.

((((((((((((((((((((((((((((( snapshot@2008-12-11_21.40.12.72 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-12-11 20:18:39 2,048 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2008-12-12 08:08:30 2,048 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2008-12-11 20:18:39 2,048 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2008-12-12 08:08:30 2,048 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2008-12-11 20:38:38 262,144 --sha-w c:\windows\ServiceProfiles\LocalService\NTUSER.DAT
+ 2008-12-12 08:11:00 262,144 --sha-w c:\windows\ServiceProfiles\LocalService\NTUSER.DAT
+ 2008-12-12 08:11:00 262,144 ---ha-w c:\windows\ServiceProfiles\LocalService\ntuser.dat.LOG1
- 2008-12-11 20:38:33 262,144 --sha-w c:\windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2008-12-12 08:10:55 262,144 --sha-w c:\windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2008-12-12 08:10:55 262,144 ---ha-w c:\windows\ServiceProfiles\NetworkService\ntuser.dat.LOG1
- 2008-12-11 20:18:39 16,384 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-12-12 08:08:37 16,384 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2008-12-11 20:18:39 32,768 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-12-12 08:08:37 32,768 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-12-11 20:18:39 16,384 --sha-w c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-12-12 08:08:37 16,384 --sha-w c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-12-11 20:33:35 262,144 ----a-w c:\windows\System32\config\systemprofile\ntuser.dat
+ 2008-12-12 10:39:52 262,144 ----a-w c:\windows\System32\config\systemprofile\ntuser.dat
- 2008-12-11 20:20:34 10,112 ----a-w c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1598581666-763728536-1650842332-1000_UserData.bin
+ 2008-12-12 08:10:24 10,112 ----a-w c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1598581666-763728536-1650842332-1000_UserData.bin
- 2008-12-11 20:20:34 62,568 ----a-w c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2008-12-12 08:10:24 62,654 ----a-w c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
- 2008-12-11 20:20:32 38,866 ----a-w c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2008-12-12 08:10:23 38,866 ----a-w c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Creative Live! Cam Manager"="c:\program files\Creative\Creative Live! Cam\Live! Cam Manager\CTLCMgr.exe" [2006-05-31 143360]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-18 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-11-15 815104]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-05 136600]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-03-28 413696]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-07-22 266497]
"V0250Mon.exe"="c:\windows\V0250Mon.exe" [2006-06-08 32768]
"AVFX Engine"="c:\program files\Creative\Creative Live! Cam\VideoFX\StartFX.exe" [2006-06-09 24576]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-29 61440]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-11-13 981904]
"SigmatelSysTrayApp"="sttray.exe" [2007-01-12 c:\windows\sttray.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2008-04-18 9117696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-09-01 21:27 352256 c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{4FE7EC16-90C3-4DF6-A550-035F37455790}"= c:\program files\Skype\Phone\Skype.exe:Skype
"{DA9A6868-810D-437D-8E1A-B2E91910966F}"= UDP:c:\program files\uTorrent\utorrent.exe:µTorrent
"{7252612B-BA6E-4980-A8F1-C97A7E3447C6}"= TCP:c:\program files\uTorrent\utorrent.exe:µTorrent
"{719856C9-0F8A-4E90-A8A0-95AA7B99290A}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{13C78979-3DEF-43ED-A09B-F96C2D32B829}"= UDP:c:\program files\uTorrent\utorrent.exe:µTorrent (TCP-In)
"{0674E638-0F9B-4BE9-A9FE-625C23D43839}"= TCP:c:\program files\uTorrent\utorrent.exe:µTorrent (UDP-In)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

R1 SASDIFSV;SASDIFSV;\??\c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2008-05-28 8944]
R1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2008-05-28 55024]
S3 s115bus;Sony Ericsson Device 115 driver (WDM);c:\windows\system32\DRIVERS\s115bus.sys [2007-04-23 83208]
S3 s115mdfl;Sony Ericsson Device 115 USB WMC Modem Filter;c:\windows\system32\DRIVERS\s115mdfl.sys [2007-04-23 15112]
S3 s115mdm;Sony Ericsson Device 115 USB WMC Modem Driver;c:\windows\system32\DRIVERS\s115mdm.sys [2007-04-23 108680]
S3 s115mgmt;Sony Ericsson Device 115 USB WMC Device Management Drivers (WDM);c:\windows\system32\DRIVERS\s115mgmt.sys [2007-04-23 100488]
S3 s115obex;Sony Ericsson Device 115 USB WMC OBEX Interface;c:\windows\system32\DRIVERS\s115obex.sys [2007-04-23 98568]
S3 SASENUM;SASENUM;\??\c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-05-28 7408]
S3 V0250Dev;Live! Cam Notebook Pro;c:\windows\system32\DRIVERS\V0250Dev.sys [2008-07-23 169696]
S3 V0250Vfx;V0250Vfx;c:\windows\system32\DRIVERS\V0250Vfx.sys [2008-07-23 6272]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-12 11:44:57
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\TEMP\TMP0000005146CE115CCAE84985 524288 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************
.
Completion time: 2008-12-12 11:51:55
ComboFix-quarantined-files.txt 2008-12-12 10:51:52
ComboFix2.txt 2008-12-11 20:46:31

Pre-Run: 14,538,768,384 bytes free
Post-Run: 13,869,809,664 bytes free

227 --- E O F --- 2008-12-11 15:51:10
........................................................................................................................................
Logfile of HijackThis v1.99.1
Scan saved at 11:52:57, on 12/12/2008
Platform: Unknown Windows (WinNT 6.00.1905 SP1)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Windows\sttray.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Windows\V0250Mon.exe
C:\Program Files\Creative\Creative Live! Cam\VideoFX\StartFX.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Creative\Creative Live! Cam\Live! Cam Manager\CTLCMgr.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Windows\Explorer.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\totalcmd\TOTALCMD.EXE
D:\- Downloads\Spyware Test\hijackthis.exe
C:\Program Files\Mozilla Firefox\firefox.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Link Helper - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [V0250Mon.exe] C:\Windows\V0250Mon.exe
O4 - HKLM\..\Run: [AVFX Engine] C:\Program Files\Creative\Creative Live! Cam\VideoFX\StartFX.exe
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [Creative Live! Cam Manager] "C:\Program Files\Creative\Creative Live! Cam\Live! Cam Manager\CTLCMgr.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nlaapi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\napinsp.dll
O11 - Options group: [INTERNATIONAL] International*
O13 - Gopher Prefix:
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Avira AntiVir Personal – Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: @gpapi.dll,-112 (gpsvc) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: @%SystemRoot%\system32\qwave.dll,-1 (QWAVE) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: @%SystemRoot%\system32\seclogon.dll,-7001 (seclogon) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\Windows\System32\ZoneLabs\vsmon.exe
O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - %ProgramFiles%\Windows Media Player\wmpnetwk.exe (file missing)
.........................................................................................................................................
SOUBORY TESTOVANE NA VirusTotal:
- jeslti je to velke, jak pises -ja nevim:
soubor c.1: 32,822,877 (odesilal se 15 minut --> neprosel testem: Bigger than max permited size / mam ho roz-zipovat a poslat screen co tam je ?)
soubor c.2: 611,352
soubor c.3: ...tento soubor tam neni. Ve slozce pouze ZLT007d6.TMP, vel. 256, dat 12/12 2008, cas 9:08
...
1, c:\windows\Internet Logs\vsmon_on_demand_thread_2008_12_08_22_05_56_full.dmp.zip
- neprosel testem, prilis velky
...
2, c:\windows\Internet Logs\vsmon_on_demand_thread_2008_12_08_15_54_03_full.dmp.zip

Soubor vsmon_on_demand_thread_2008_12_08 přijatý 2008.12.12 12:16:02 (CET)
Současný stav: Čekejte ... Ve frontě Čekání Testování Dokončeno NENALEZENO ZASTAVENO
Výsledek: 0/38 (0%)
Načítám informace ze serveru...
Váš soubor čeká ve frontě na pozici: 2.
Odhadovaný čas začátku mezi 52 a 75 sekundami.
Nezavírejte toto okno dokud nebude test dokončen.
Právě testující program byl je zastaven, probíhá čekání na program.
Za chvíli bude proveden další pokus o otestování souboru.
Pokud budete čekat déle než-li pět minut odešlete Váš soubor znovu.
Váš soubor je nyní testován pomocí VirusTotal,
výsledky budou zobrazeny po dokončení.
Formátované Formátované
Vytisknout výsledky Vytisknout výsledky
Váš soubor není platný, nebo neexistuje.
Služba je pozastavena v tuto chvíli, váš soubor čeká na otestování (pozice: ) po nespecifikovanou dobu.

Nyní čekejte na odezvu webu (automatické obnovení), nebo napište email do pole a klikněte na "vyžádat" a systém Vám zašle email s výsledky až bude test hotov.
Email:

Antivirus Verze Poslední aktualizace Výsledek
AhnLab-V3 2008.12.12.2 2008.12.12 -
AntiVir 7.9.0.45 2008.12.12 -
Authentium 5.1.0.4 2008.12.11 -
Avast 4.8.1281.0 2008.12.11 -
AVG 8.0.0.199 2008.12.12 -
BitDefender 7.2 2008.12.12 -
CAT-QuickHeal 10.00 2008.12.12 -
ClamAV 0.94.1 2008.12.12 -
Comodo 733 2008.12.11 -
DrWeb 4.44.0.09170 2008.12.12 -
eSafe 7.0.17.0 2008.12.11 -
eTrust-Vet 31.6.6257 2008.12.12 -
Ewido 4.0 2008.12.11 -
F-Prot 4.4.4.56 2008.12.11 -
F-Secure 8.0.14332.0 2008.12.12 -
Fortinet 3.117.0.0 2008.12.12 -
GData 19 2008.12.12 -
Ikarus T3.1.1.45.0 2008.12.12 -
K7AntiVirus 7.10.551 2008.12.11 -
Kaspersky 7.0.0.125 2008.12.12 -
McAfee 5461 2008.12.11 -
McAfee+Artemis 5461 2008.12.11 -
Microsoft 1.4205 2008.12.12 -
NOD32 3686 2008.12.12 -
Norman 5.80.02 2008.12.11 -
Panda 9.0.0.4 2008.12.11 -
PCTools 4.4.2.0 2008.12.11 -
Prevx1 V2 2008.12.12 -
Rising 21.07.42.00 2008.12.12 -
SecureWeb-Gateway 6.7.6 2008.12.12 -
Sophos 4.36.0 2008.12.12 -
Sunbelt 3.2.1801.2 2008.12.11 -
Symantec 10 2008.12.12 -
TheHacker 6.3.1.2.184 2008.12.11 -
TrendMicro 8.700.0.1004 2008.12.12 -
VBA32 3.12.8.10 2008.12.11 -
ViRobot 2008.12.12.1515 2008.12.12 -
VirusBuster 4.5.11.0 2008.12.11 -
Rozšiřující informace
File size: 611352 bytes
MD5...: 6fe7bc4c02b85b5a52f2a63b9691e8de
SHA1..: c5221ff93581f67d993e9349df2e30cf4eca148e
SHA256: 972ebed3d4550d7c66fe60e40abcddd570aedf6e3949c1125606dac35572d040
SHA512: 0ccca9ec53e3d6ae701fb0bde3bdbf095f13de2e0cfaaba34a3ac14e605f7e85
b8472cc689d38bc64e1fe84405a8a03427c4ab363d57831b98f59b0d3498218c
ssdeep: 12288:y3cNpb6E40lBQWEqfn17wU3U805X7XtQeHymktZ+t7mWr:1pb6E4gsqf17
5k8A7/Smo7c
PEiD..: -
TrID..: File type identification
ZIP compressed archive (100.0%)
PEInfo: -
...
3, c:\windows\TEMP\TMP00000055C1E5B3DC93D653E3
- nenalezen ve slozce
..........................................................................................................................................

[peacoq]

Obsah slozky c:\windows\Internet Logs\
Pri 'vygugleni' je vsmon slozka Zone Alarmu a lide maji problem akorat s vsmon.exe a vyuzivtim CPU. Ohledne toho co to jako konkretne je nic, nevim, proc je tam soubor koncovky .old a potom ty dalsi dva .zip, z nichz je den je tak velky. Jestli odstranins vse co podle tveho nazoru vyresit jde, treba staci odinstalovat ZA, podivat se, zda ty slozky zmizely, odmazat je, a dat zpet ZA ...chces-li, roz-zipuji je, aby ses podival. Jinak nemam 2krat duveru to roz-zipovat, aby se z toho nevysypal treba nejakej nerad, ..jakoze.


Task Mngr vypada takto: 55 procesu, CPU 15 %, pamet 62%


A vypis vsech procesu:

[jaro3]

Momentálně mám málo času.Je divné , že Ti ten HJT a CF dělají takové problémy.Zkus přejmenovat HJT třeba na 1234.exe spustit.
Ohledně c:\windows\Internet Logs\
Zkus stáhnout toto:
http://www.internetrotsyourbrain.com/wi ... inapp2.zip
Rozbal a dej do stejného adresáře , kde máš CCleaner, pak zkus vyčistit comp CCleanerem, v konf. je přidána i sekce Internet Logs.
Jinak by to vše mělo patřit k ZA, ale já ho nemám , takže nevím. Nebo bych vysypal koš, v nouz. režimu smazal celý adresář ( koš nevysypávat -zatím) a zkusit. Když budou problémy tak budeš muset buď z koše a nebo nainstalovat ZA znovu.

[peacoq]

1, [b]CCleaner:[/b]
- po rozbaleni ve slozce tedy pribyl soubor winapp2.ini ...spusten jako administrator;

Cisteni, a detail smazanych souboru:



Registry:


U registru bych uvedl, ze stale cisti tyto zapisy, mezi nimiz je i ten co se tyka ZoneAlarm/u. Tento se zacal objevovat -stale-, projedu cisteni, vysype se vse, projedu znova a zapis ohledne ZA je tam zase, tj. kdyz jsem drive dal cisteni registru zapis zmizel a neobjevil se pri druhem - ihned po sobe nasledujicim, cisteni. Tedkom se objevuje stale.


........................................................................................................................................
2, [b]HJT:[/b]

...nevim, jestli je to spravne, ale od pocatku mi behem spusteni scan/u dava tyto dve hlaseni nasledujici po sobe, jakmile prvni odkliknu Ok hned skoci dalsi:



HJT prejmenovan na 1234.exe a spusten z plochy (ocekaval jsem, ze udela log s nazvem 1234, ale log ma stale nazev hijackthis);
...
Logfile of HijackThis v1.99.1
Scan saved at 14:29:58, on 12/12/2008
Platform: Unknown Windows (WinNT 6.00.1905 SP1)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Windows\sttray.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Windows\V0250Mon.exe
C:\Program Files\Creative\Creative Live! Cam\VideoFX\StartFX.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Creative\Creative Live! Cam\Live! Cam Manager\CTLCMgr.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\totalcmd\TOTALCMD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Users\Dell\Desktop\1234.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Link Helper - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [V0250Mon.exe] C:\Windows\V0250Mon.exe
O4 - HKLM\..\Run: [AVFX Engine] C:\Program Files\Creative\Creative Live! Cam\VideoFX\StartFX.exe
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [Creative Live! Cam Manager] "C:\Program Files\Creative\Creative Live! Cam\Live! Cam Manager\CTLCMgr.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nlaapi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\napinsp.dll
O11 - Options group: [INTERNATIONAL] International*
O13 - Gopher Prefix:
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Avira AntiVir Personal – Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: @gpapi.dll,-112 (gpsvc) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: @%SystemRoot%\system32\qwave.dll,-1 (QWAVE) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: @%SystemRoot%\system32\seclogon.dll,-7001 (seclogon) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\Windows\System32\ZoneLabs\vsmon.exe
O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - %ProgramFiles%\Windows Media Player\wmpnetwk.exe (file missing)
........................................................................................................................................

3, Zone Alarm::

...muzu (?) ho odinstalovat, ale nevim co s tema slozkama: odinstalovat ZA, pustit Ccleaner a podivat se, jeslti tam jsou ty soubory, pripadne je smazat rucne, restart a instalovat ZA
...akorat to pisi a divam se, a po Ccleaneru zmizely ty soubory vsmon... .zip a zustala jen jedna s koncovkou .old.
Zmizelo i vice souboru ze slozky c:\windows\InternetLogs\ , a naopak jeden pribyl: ...prosim, porovnej, puvodni a nyni:

........................................................................................................................................

Prozatim ti tedy dekuji, ..ZA Alarm (zatim) ponechavam, Spy bot mam stala nastaven 'odskrknuty' Residet SD Helper a 'ne-odskrnuty' Resident Tea Timer. Stejne tak mam na C stale soubor ResetTeaTimer.bat.
Vice s komplem nedelam

[jaro3]

Asi tam máš víc HJT, zkus vše odinstalovat, popř. smaž všechny co máš v compu- píše to že jich máš víc (.exe) v jednom adresáři) a stáhnout znovu.

ComboFix se odinstaluje takto:
Start-Spustit a zadej ComboFix[mezera]/u
Najdi a smaž složky:
'C:\ComboFix
C:\qoobox
Stáhni nový Combofix a dej na plochu.
Přejmenuj ComboFix.exe na abcd.exe , rozjeď ho a potom sem dej nový log. Můžeš raději rozjet v nouzovém režimu.