Prosím o kontrolu logu

marocasnocha · Příspěvekod **marocasnocha** » 24 črc 2011 10:53

Dobrý den,
prosím o kontrolu logu mám tam nejspíše virus z chatu z facebooku
ComboFix 11-07-21.02 - Power 23.07.2011 21:31:24.2.4 - x64
Microsoft Windows 7 Ultimate 6.1.7601.1.1250.420.1029.18.4094.2802 [GMT 2:00]
Spuštěný z: c:\users\Power\Downloads\ComboFix.exe
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Ostatní výmazy )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\proc_list1.log
.
.
((((((((((((((((((((((((( Soubory vytvořené od 2011-06-23 do 2011-07-23 )))))))))))))))))))))))))))))))
.
.
2011-07-23 19:53 . 2011-07-23 19:53 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-07-22 07:15 . 2011-07-13 04:53 8578896 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{30E1B9BF-C84C-43D2-A24A-35F22B5A8809}\mpengine.dll
2011-07-21 13:55 . 2011-07-21 13:55 -------- d-----w- c:\program files (x86)\FDRLab
2011-07-21 13:16 . 2011-07-21 13:16 -------- d-----w- c:\windows\av_ico
2011-07-21 13:15 . 2011-07-23 19:04 -------- d--h--w- c:\windows\update.tray-5-0
2011-07-21 13:15 . 2011-07-21 13:15 -------- d--h--w- c:\windows\update.tray-5-0-lnk
2011-07-19 20:47 . 2011-07-19 20:53 -------- d-----w- c:\users\Power\Bloom
2011-07-19 20:27 . 2011-07-19 20:27 -------- d-----w- c:\users\Power\AppData\Roaming\Applied Recognition Inc
2011-07-19 20:27 . 2011-07-19 20:27 -------- d-----w- c:\users\Power\AppData\Roaming\Fotobounce
2011-07-19 20:26 . 2011-07-19 20:26 -------- d-----w- c:\program files (x86)\fotobounce
2011-07-19 20:25 . 2011-07-19 20:25 -------- d-----w- c:\users\Power\AppData\Roaming\Downloaded Installations
2011-07-16 19:19 . 2011-07-16 19:19 -------- d-----w- c:\program files (x86)\Common Files\Java
2011-07-13 08:19 . 2011-06-11 03:07 3137536 ----a-w- c:\windows\system32\win32k.sys
2011-07-12 10:21 . 2011-07-12 10:22 -------- d-----w- c:\program files (x86)\Microsoft WebMatrix
2011-07-12 10:14 . 2011-07-12 10:14 -------- d-----w- c:\windows\SysWow64\1033
2011-07-12 10:14 . 2011-07-12 10:14 -------- d-----w- c:\windows\system32\1033
2011-07-12 10:14 . 2011-07-12 10:14 -------- d-----w- c:\program files\Microsoft SQL Server
2011-07-12 10:12 . 2011-07-12 10:12 -------- d-----w- c:\program files (x86)\Microsoft SQL Server
2011-07-12 10:10 . 2011-07-20 11:24 -------- d-----w- c:\program files (x86)\IIS Express
2011-07-12 10:07 . 2011-07-12 10:07 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition
2011-07-12 10:06 . 2011-07-12 10:06 -------- d-----w- c:\program files (x86)\Microsoft ASP.NET
2011-07-12 09:49 . 2011-07-12 09:49 -------- d-----w- c:\users\Power\AppData\Local\SmallBasic
2011-07-12 09:48 . 2009-03-16 12:18 69448 ----a-w- c:\windows\SysWow64\XAPOFX1_3.dll
2011-07-12 09:48 . 2009-03-16 12:18 517448 ----a-w- c:\windows\SysWow64\XAudio2_4.dll
2011-07-12 09:48 . 2009-03-16 12:18 235352 ----a-w- c:\windows\SysWow64\xactengine3_4.dll
2011-07-12 09:48 . 2009-03-16 12:18 22360 ----a-w- c:\windows\SysWow64\X3DAudio1_6.dll
2011-07-12 09:48 . 2011-07-12 09:48 -------- d-----w- c:\program files (x86)\Microsoft XNA
2011-07-12 09:46 . 2009-03-09 13:27 5425496 ----a-w- c:\windows\system32\D3DX9_41.dll
2011-07-12 09:46 . 2009-03-09 13:27 4178264 ----a-w- c:\windows\SysWow64\D3DX9_41.dll
2011-07-11 15:20 . 2011-07-21 15:19 404640 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2011-07-11 15:16 . 2011-07-11 15:20 -------- dc----w- C:\UXFiles
2011-06-29 07:56 . 2011-05-24 11:42 404480 ----a-w- c:\windows\system32\umpnpmgr.dll
2011-06-29 07:56 . 2011-05-24 10:40 64512 ----a-w- c:\windows\SysWow64\devobj.dll
2011-06-29 07:56 . 2011-05-24 10:40 44544 ----a-w- c:\windows\SysWow64\devrtl.dll
2011-06-29 07:56 . 2011-05-24 10:39 145920 ----a-w- c:\windows\SysWow64\cfgmgr32.dll
2011-06-29 07:56 . 2011-05-24 10:37 252928 ----a-w- c:\windows\SysWow64\drvinst.exe
2011-06-25 17:43 . 2011-06-25 17:43 -------- d-----w- c:\users\Power\AppData\Local\uTorrent
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-07-11 14:17 . 2010-12-29 00:42 363560 ----a-w- c:\windows\system32\guard64.dll
2011-07-11 14:17 . 2010-12-29 00:42 285256 ----a-w- c:\windows\SysWow64\guard32.dll
2011-07-11 14:17 . 2011-01-06 16:37 92688 ----a-w- c:\windows\system32\drivers\inspect.sys
2011-07-11 14:17 . 2011-01-06 16:37 41712 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
2011-07-11 14:17 . 2011-01-06 16:36 16016 ----a-w- c:\windows\system32\drivers\cmderd.sys
2011-07-11 14:17 . 2011-01-06 16:36 252344 ----a-w- c:\windows\system32\drivers\cmdGuard.sys
2011-06-08 09:23 . 2011-04-22 08:38 525544 ----a-w- c:\windows\system32\deployJava1.dll
2011-06-07 14:05 . 2011-03-02 18:13 499712 ----a-w- c:\windows\SysWow64\msvcp71.dll
2011-06-07 14:05 . 2011-03-02 18:13 348160 ----a-w- c:\windows\SysWow64\msvcr71.dll
2011-06-07 13:56 . 2011-06-07 13:56 48648 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup\Markup.dll
2011-06-07 13:56 . 2011-06-07 13:56 484160 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2011-06-06 19:55 . 2011-06-06 19:55 53656 ----a-w- c:\windows\system32\AdobePDF.dll
2011-06-06 19:55 . 2011-06-06 19:55 24984 ----a-w- c:\windows\system32\AdobePDFUI.dll
2011-06-04 18:01 . 2011-06-04 18:00 833024 ----a-w- c:\windows\SysWow64\user32.dll
2011-06-04 18:01 . 2011-06-04 18:00 410624 ----a-w- c:\windows\SysWow64\systemcpl.dll
2011-06-04 18:00 . 2011-06-04 18:00 113543 ----a-w- c:\windows\SysWow64\slmgr.vbs
2011-06-04 17:56 . 2011-06-04 17:55 79872 ----a-w- c:\windows\SysWow64\winver.exe
2011-06-04 17:54 . 2011-06-04 17:54 113543 ----a-w- c:\windows\system32\slmgr.vbs
2011-06-03 05:57 . 2011-07-13 08:19 44032 ----a-w- c:\windows\apppatch\acwow64.dll
2011-05-24 17:14 . 2011-03-02 17:47 270720 ------w- c:\windows\system32\MpSigStub.exe
2011-05-04 02:52 . 2011-03-02 18:30 472808 ----a-w- c:\windows\SysWow64\deployJava1.dll
2011-05-03 05:29 . 2011-06-16 06:53 976896 ----a-w- c:\windows\system32\inetcomm.dll
2011-05-03 04:30 . 2011-06-16 06:53 741376 ----a-w- c:\windows\SysWow64\inetcomm.dll
2011-04-29 03:06 . 2011-06-16 06:54 467456 ----a-w- c:\windows\system32\drivers\srv.sys
2011-04-29 03:05 . 2011-06-16 06:54 410112 ----a-w- c:\windows\system32\drivers\srv2.sys
2011-04-29 03:05 . 2011-06-16 06:54 168448 ----a-w- c:\windows\system32\drivers\srvnet.sys
2011-04-27 02:40 . 2011-06-16 06:56 158208 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-04-27 02:39 . 2011-06-16 06:56 289280 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2011-04-27 02:39 . 2011-06-16 06:56 128000 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2011-04-25 05:33 . 2011-06-16 06:56 1923968 ----a-w- c:\windows\system32\drivers\tcpip.sys
2011-04-25 02:34 . 2011-06-16 06:56 499200 ----a-w- c:\windows\system32\drivers\afd.sys
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[7] 2010-11-20 . FE70103391A64039A921DBFFF9C7AB1B . 1008128 . . [6.1.7601.17514] .. c:\windows\winsxs\amd64_microsoft-windows-user32_31bf3856ad364e35_6.1.7601.17514_none_2b5e71b083fc0973\user32.dll
[-] 2010-11-20 . E573BD9AB55C8E333C202B9E255F972E . 1008640 . . [6.1.7601.17514] .. c:\windows\system32\user32.dll
.
[-] 2011-06-04 . 2C9CC9F492CA596B1B9FC1AE5E916356 . 833024 . . [6.1.7601.17514] .. c:\windows\SysWOW64\user32.dll
[7] 2010-11-20 . 5E0DB2D8B2750543CD2EBB9EA8E6CDD3 . 833024 . . [6.1.7601.17514] .. c:\windows\winsxs\wow64_microsoft-windows-user32_31bf3856ad364e35_6.1.7601.17514_none_35b31c02b85ccb6e\user32.dll
.
((((((((((((((((((((((((((((( SnapShot@2011-07-23_19.07.06 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-03-02 17:18 . 2011-07-23 19:16 43580 c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 05:10 . 2011-07-23 19:16 29472 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
- 2009-07-14 05:10 . 2011-07-23 19:08 29472 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2011-03-02 17:06 . 2011-07-23 19:16 11688 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-4280071232-3556127559-1776207863-1000_UserData.bin
+ 2011-03-14 20:35 . 2011-07-23 19:14 1896 c:\windows\system32\wdi\ERCQueuedResolutions.dat
+ 2011-07-23 19:53 . 2011-07-23 19:53 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2011-07-23 19:06 . 2011-07-23 19:06 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2011-07-23 19:06 . 2011-07-23 19:06 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2011-07-23 19:53 . 2011-07-23 19:53 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2009-07-14 02:36 . 2011-07-23 18:55 650858 c:\windows\system32\perfh009.dat
+ 2009-07-14 02:36 . 2011-07-23 19:22 650858 c:\windows\system32\perfh009.dat
+ 2009-07-26 18:41 . 2011-07-23 19:22 665666 c:\windows\system32\perfh005.dat
- 2009-07-26 18:41 . 2011-07-23 18:55 665666 c:\windows\system32\perfh005.dat
- 2009-07-14 02:36 . 2011-07-23 18:55 119928 c:\windows\system32\perfc009.dat
+ 2009-07-14 02:36 . 2011-07-23 19:22 119928 c:\windows\system32\perfc009.dat
+ 2009-07-26 18:41 . 2011-07-23 19:22 139178 c:\windows\system32\perfc005.dat
- 2009-07-26 18:41 . 2011-07-23 18:55 139178 c:\windows\system32\perfc005.dat
- 2009-07-14 05:01 . 2011-07-23 19:05 476608 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2009-07-14 05:01 . 2011-07-23 19:53 476608 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2011-03-02 20:06 . 2011-07-23 19:53 1474832 c:\windows\system32\drivers\sfi.dat
- 2011-03-02 20:06 . 2011-07-23 19:05 1474832 c:\windows\system32\drivers\sfi.dat
.
(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Advanced SystemCare 4"="c:\program files (x86)\IObit\Advanced SystemCare 4\ASCTray.exe" [2011-05-28 412560]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"VirtualCloneDrive"="c:\program files (x86)\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" [2011-03-07 89456]
"RemoteControl11"="c:\program files (x86)\CyberLink\PowerDVD11\PDVD11Serv.exe" [2011-05-19 234792]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"Adobe Acrobat Speed Launcher"="c:\program files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrobat_sl.exe" [2011-06-06 36760]
"Acrobat Assistant 8.0"="c:\program files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe" [2011-06-06 2903448]
"BCSSync"="c:\program files (x86)\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableSecureUIAPaths"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\SysWOW64\guard32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001
"DisableThumbnailCache"=dword:00000001
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R3 ALSysIO;ALSysIO;c:\users\Power\AppData\Local\Temp\ALSysIO64.sys [x]
R3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files (x86)\Microsoft Office\Office14\GROOVE.EXE [2010-12-27 31124344]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-09 4925184]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [x]
R3 Revoflt;Revoflt;c:\windows\system32\DRIVERS\revoflt.sys [x]
R3 SwitchBoard;SwitchBoard;c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-02-19 517096]
R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [x]
R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]
R3 WatAdminSvc;Služba Technologie aktivace Windows;c:\windows\system32\Wat\WatAdminSvc.exe [x]
S1 cmderd;COMODO Internet Security Eradication Driver;c:\windows\system32\DRIVERS\cmderd.sys [x]
S1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\DRIVERS\cmdguard.sys [x]
S1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\DRIVERS\cmdhlp.sys [x]
S1 VD_FileDisk;VD_FileDisk; [x]
S2 {329F96B6-DF1E-4328-BFDA-39EA953C1312};Power Control [2011/04/27 17:31];c:\program files (x86)\CyberLink\PowerDVD11\Common\NavFilter\000.fcl [2011-05-20 13:31 148976]
S2 ABBYY.Licensing.FineReader.Professional.10.0;ABBYY FineReader 10 PE Licensing Service;c:\program files (x86)\Common Files\ABBYY\FineReader\10.00\Licensing\PE\NetworkLicenseServer.exe [2009-12-22 814344]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2011-06-06 64952]
S2 AdvancedSystemCareService;Advanced SystemCare Service;c:\program files (x86)\IObit\Advanced SystemCare 4\ASCService.exe [2011-05-28 353168]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [x]
S2 CLHNServiceForPowerDVD;CLHNServiceForPowerDVD;c:\program files (x86)\CyberLink\PowerDVD11\Kernel\DMP\CLHNServiceForPowerDVD.exe [2011-05-19 83240]
S2 CyberLink PowerDVD 11.0 Monitor Service;CyberLink PowerDVD 11.0 Monitor Service;c:\program files (x86)\CyberLink\PowerDVD11\Common\MediaServer\CLMSMonitorService.exe [2011-05-12 70952]
S2 CyberLink PowerDVD 11.0 Service;CyberLink PowerDVD 11.0 Service;c:\program files (x86)\CyberLink\PowerDVD11\Common\MediaServer\CLMSServer.exe [2011-05-12 312616]
S2 ntk_PowerDVD;ntk_PowerDVD;c:\program files (x86)\CyberLink\PowerDVD11\Kernel\DMP\ntk_PowerDVD_64.sys [2011-05-19 75248]
S2 UnsignedThemes;Unsigned Themes;c:\windows\UnsignedThemesSvc.exe [2009-07-12 24168]
S2 uxpatch;uxpatch;c:\windows\system32\drivers\uxpatch.sys [x]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [x]
S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [x]
S3 AtiHDAudioService;ATI Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW76.sys [x]
.
.
Obsah adresáře 'Naplánované úlohy'
.
2011-07-23 c:\windows\Tasks\SLOW-PCfighter64-Power-Startup.job
- c:\program files\Fighters\SLOW-PCfighter\SLOW-PCfighter64.exe [2011-04-07 16:08]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [BU]
"AdobeAAMUpdater-1.0"="c:\program files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2011-03-15 499608]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=c:\windows\System32\guard64.dll
.
------- Doplňkový sken -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.seznam.cz/
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: E&xportovat do aplikace Microsoft Excel - c:\progra~2\MICROS~1\Office10\EXCEL.EXE/3000
IE: E&xportovat do aplikace Microsoft Office Excel - c:\progra~2\MICROS~1\OFFICE11\EXCEL.EXE/3000
IE: Od&eslat do aplikace OneNote - c:\progra~2\MICROS~1\Office14\ONBttnIE.dll/105
IE: {{7578ADEA-D65F-4C89-A249-B1C88B6FFC20} - c:\program files (x86)\ICQ7.5\ICQ.exe
TCP: DhcpNameServer = 62.129.50.20 85.135.32.100
FF - ProfilePath - c:\users\Power\AppData\Roaming\Mozilla\Firefox\Profiles\1d1mbpkj.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.as ... ource=3&q={searchTerms}
FF - prefs.js: browser.startup.homepage - hxxp://www.seznam.cz/
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&o ... &gfns=1&q=
.
- - - - NEPLATNÉ POLOŽKY ODSTRANĚNÉ Z REGISTRU - - - -
.
WebBrowser-{EEE6C35B-6118-11DC-9C72-001320C79847} - (no file)
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\{329F96B6-DF1E-4328-BFDA-39EA953C1312}]
"ImagePath"="\??\c:\program files (x86)\CyberLink\PowerDVD11\Common\NavFilter\000.fcl"
.
--------------------- ZAMKNUTÉ KLÍČE V REGISTRU ---------------------
.
[HKEY_USERS\S-1-5-21-4280071232-3556127559-1776207863-1000\Software\SecuROM\License information*]
"datasecu"=hex:6a,4b,29,26,90,7b,7d,ab,d3,01,a3,fb,15,4f,55,11,52,48,05,79,19,
cf,79,d4,0c,3c,5d,9f,1f,79,84,ce,96,48,8f,73,5b,fc,9d,6a,d7,1b,d5,91,9b,cc,\
"rkeysecu"=hex:2f,0f,d5,3e,02,2b,06,63,b1,0b,dd,b6,71,e2,54,98
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10u_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10u_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10u.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10u.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10u.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10u.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Jiné spuštené procesy ------------------------
.
c:\windows\MHotKey.exe
c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\windows\ChiFuncExt.exe
.
**************************************************************************
.
Celkový čas: 2011-07-23 21:59:45 - počítač byl restartován
ComboFix-quarantined-files.txt 2011-07-23 19:59
.
Před spuštěním: Volných bajtů: 912 094 265 344
Po spuštění: Volných bajtů: 911 688 069 120
.
- - End Of File - - B875BE92945F69545AADE452A2EE9230

Reklama

marocasnocha · Příspěvekod **marocasnocha** » 24 črc 2011 11:57

Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org

Verze databáze: 7260

Windows 6.1.7601 Service Pack 1 (Safe Mode)
Internet Explorer 9.0.8112.16421

24.7.2011 11:54:45
mbam-log-2011-07-24 (11-54-14).txt

Typ: Úplná kontrola (C:\|Z:\|)
Kontrolované objekty: 359610
Uplynulý čas: 32 minut, 30 sekund

Infikované procesy v paměti: 0
Infikované moduly v paměti: 0
Infikované klíče v registru: 1
Infikované hodnoty v registru: 2
Infikované datové položky v registru: 3
Infikované složky: 0
Infikované soubory: 9

Infikované procesy v paměti:
(Žádné škodlivé položky nebyly zjištěny)

Infikované moduly v paměti:
(Žádné škodlivé položky nebyly zjištěny)

Infikované klíče v registru:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wxpdrivers (Trojan.Dropper) -> No action taken.

Infikované hodnoty v registru:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wxpdrv (Backdoor.Agent) -> Value: wxpdrv -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wxpDrivers\ImagePath (Trojan.Agent) -> Value: ImagePath -> No action taken.

Infikované datové položky v registru:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Infikované složky:
(Žádné škodlivé položky nebyly zjištěny)

Infikované soubory:
c:\Windows\update.1\svchost.exe (Trojan.Dropper) -> No action taken.
c:\Qoobox\quarantine\C\Windows\services32.exe.vir (Trojan.Dropper) -> No action taken.
c:\Qoobox\quarantine\C\Windows\update.1\svchost.exe.vir (Trojan.Dropper) -> No action taken.
c:\Qoobox\quarantine\C\Windows\update.tray-5-0\svchost.exe.vir (Trojan.Dropper) -> No action taken.
c:\Users\Power\AppData\Roaming\thinstall\microsoft office enterprise 2007\%local appdata%\thinstall\Cache\Stubs\184e236ea88dfe642f196923eb5226d106dfa3d\mdm.exe.10201a64.tmp (Trojan.Backdoor) -> No action taken.
c:\Users\Power\AppData\Roaming\thinstall\microsoft office enterprise 2007\%local appdata%\thinstall\Cache\Stubs\184e236ea88dfe642f196923eb5226d106dfa3d\mdm.exe.12381910.tmp (Trojan.Backdoor) -> No action taken.
c:\Users\Power\AppData\Roaming\thinstall\microsoft office enterprise 2007\%local appdata%\thinstall\Cache\Stubs\184e236ea88dfe642f196923eb5226d106dfa3d\mdm.exe.14fc98c.tmp (Trojan.Backdoor) -> No action taken.
c:\Users\Power\AppData\Roaming\thinstall\microsoft office enterprise 2007\%local appdata%\thinstall\Cache\Stubs\184e236ea88dfe642f196923eb5226d106dfa3d\mdm.exe.68083c.tmp (Trojan.Backdoor) -> No action taken.
c:\Windows\update.tray-5-0-lnk\svchost.exe (Trojan.Dropper) -> No action taken.

bledulka · Příspěvekod **bledulka** » 24 črc 2011 12:21

Ahoj,
v mbamu vše smaž.

Otestuj na www.virustotal.com
c:\windows\SysWOW64\user32.dll

marocasnocha · Příspěvekod **marocasnocha** » 24 črc 2011 12:44

http://www.virustotal.com/file-scan/rep ... 1311503996

marocasnocha · Příspěvekod **marocasnocha** » 24 črc 2011 12:45

Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org

Verze databáze: 7260

Windows 6.1.7601 Service Pack 1 (Safe Mode)
Internet Explorer 9.0.8112.16421

24.7.2011 12:45:01
mbam-log-2011-07-24 (12-45-01).txt

Typ: Úplná kontrola (C:\|Z:\|)
Kontrolované objekty: 359563
Uplynulý čas: 30 minut, 31 sekund

Infikované procesy v paměti: 0
Infikované moduly v paměti: 0
Infikované klíče v registru: 0
Infikované hodnoty v registru: 0
Infikované datové položky v registru: 0
Infikované složky: 0
Infikované soubory: 0

Infikované procesy v paměti:
(Žádné škodlivé položky nebyly zjištěny)

Infikované moduly v paměti:
(Žádné škodlivé položky nebyly zjištěny)

Infikované klíče v registru:
(Žádné škodlivé položky nebyly zjištěny)

Infikované hodnoty v registru:
(Žádné škodlivé položky nebyly zjištěny)

Příspěvekod **Žbeky** » 24 črc 2011 14:18

Otevři si Poznámkový blok (Start -> Spustit... a napiš do okna Notepad a dej Ok.
Zkopíruj do něj následující celý text označený zeleně:
Poznámka: Nepoužij k označení skriptu funkci VYBRAT VŠE

Kód: Vybrat vše

KillAll::

Folder::
c:\windows\av_ico
c:\windows\update.tray-5-0
c:\windows\update.tray-5-0-lnk

File::
c:\windows\system32\perfh009.dat
c:\windows\system32\perfh005.dat
c:\windows\system32\perfc009.dat
c:\windows\system32\perfc005.dat
c:\users\Power\AppData\Local\Temp\ALSysIO64.sys
c:\windows\Tasks\SLOW-PCfighter64-Power-Startup.job

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000000
"DisableThumbnailCache"=dword:00000000

Driver::
ALSysIO

Firefox::
FF - ProfilePath - c:\users\Power\AppData\Roaming\Mozilla\Firefox\Profiles\1d1mbpkj.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.as ... ource=3&q={searchTerms}

RegLock::
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]

Zvol možnost Soubor -> Uložit jako... a nastav tyto parametry:
Název souboru: zde napiš: CFScript.txt
Uložit jako typ: tak tam vyber Všechny soubory
Ulož soubor na plochu.
Ukonči všechna aktivní okna.

Uchop myší vytvořený skript CFScript.txt, přemísti ho nad stažený program ComboFix.exe a když se oba soubory překryjí, skript upusť.
- Automaticky se spustí ComboFix
- Vlož sem log, který vyběhne v závěru čistícího procesu

Prosím o kontrolu logu

Prosím o kontrolu logu

Re: Prosím o kontrolu logu

Re: Prosím o kontrolu logu

Re: Prosím o kontrolu logu

Re: Prosím o kontrolu logu

Re: Prosím o kontrolu logu

Kdo je online