Prosím o kontrolu logu Vyřešeno

Místo pro vaše HiJackThis logy a logy z dalších programů…

Moderátoři: Mods_senior, Security team

Zamčeno
Uživatelský avatar
jaro3
člen Security týmu
Guru Level 15
Guru Level 15
Příspěvky: 43298
Registrován: červen 07
Bydliště: Jižní Čechy
Pohlaví: Muž
Stav:
Offline

Re: Prosím o kontrolu logu

Příspěvekod jaro3 » 10 čer 2012 23:06

Otevři si Poznámkový blok (Start -> Spustit... a napiš do okna Notepad a dej Ok.
Zkopíruj do něj následující celý text označený zeleně:

Kód: Vybrat vše

Folder::
C:\TDSSKiller_Quarantine
c:\documents and settings\Bisovi\Data aplikací\AskToolbar
c:\documents and settings\Bisovi\Local Settings\Data aplikací\Conduit

DirLook::
c:\documents and settings\Bisovi\Local Settings\Data aplikací\CRE

Driver::
AppleChargerSrv

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000000

Firefox::
FF - ProfilePath - c:\documents and settings\Bisovi\Data aplikací\Mozilla\Firefox\Profiles\okm78hap.default\
FF - prefs.js: browser.search.selectedEngine - Search Results
FF - prefs.js: browser.startup.homepage - hxxp://www.seznam.cz/
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.as ... ource=2&q=


Zvol možnost Soubor -> Uložit jako... a nastav tyto parametry:
Název souboru: zde napiš: CFScript.txt
Uložit jako typ: tak tam vyber Všechny soubory
Ulož soubor na plochu.
Ukonči všechna aktivní okna.

Uchop myší vytvořený skript CFScript.txt, přemísti ho nad stažený program ComboFix.exe a když se oba soubory překryjí, skript upusť.
- Automaticky se spustí ComboFix
- Vlož sem log, který vyběhne v závěru čistícího procesu + nový log z HJT

Upozornění : Může se stát, že po aplikaci Combofixu a restartu počítače, Windows nenaběhnou , nebo nenajede plocha , budou problémy s připojením, pak znovu restartuj počítač, pokud to nepomůže , po restartu mačkej klávesu F8 a pak zvol poslední známou funkční konfiguraci. , či použij bod obnovy.

Stáhni si z některého odkazu SystemLook
a ulož si ho na plochu.

Poklepej na stažený SystemLook , zkopíruj do hlavního text. okna tento následující text:

Kód: Vybrat vše

:filefind
yyivvkmo.*

Klikni na Look ke startu skenu. Když program skončí objeví se v poznámkovém bloku zpráva skenu. Zkopíruj sem celý jeho obsah. Log se také nachází na ploše pod názvem SystemLook.txt.
Při práci s programy HJT, ComboFix,MbAM, SDFix aj. zavřete všechny ostatní aplikace a prohlížeče!
Neposílejte logy do soukromých zpráv.Po dobu mé nepřítomnosti mě zastupuje memphisto , Žbeky a Orcus.
Pokud budete spokojeni , můžete podpořit naše forum:Podpora fóra
Nahoru
Reklama
Top
LaB
Level 3.5
Level 3.5
Příspěvky: 842
Registrován: duben 09
Pohlaví: Muž
Stav:
Offline

Re: Prosím o kontrolu logu

Příspěvekod LaB » 11 čer 2012 08:15

ComboFix 12-06-08.02 - Bisovi 11.06.2012 8:04.6.2 - x86
Systém Microsoft Windows XP Professional 5.1.2600.3.1250.420.1029.18.2813.2211 [GMT 2:00]
Spuštěný z: c:\documents and settings\Bisovi\Plocha\ComboFix.exe
Použité ovládací přepínače :: D:\CFScript.txt
AV: Avira Desktop *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
FW: ZoneAlarm Free Firewall *Enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.
.
((((((((((((((((((((((((((((((((((((((( Ostatní výmazy )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\TDSSKiller_Quarantine
c:\tdsskiller_quarantine\09.06.2012_10.44.58\susp0000\object.ini
c:\tdsskiller_quarantine\09.06.2012_10.44.58\susp0000\svc0000\object.ini
.
.
((((((((((((((((((((((((((((((((((((((( Ovladače/Služby )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_AppleChargerSrv
.
.
((((((((((((((((((((((((( Soubory vytvořené od 2012-05-11 do 2012-06-11 )))))))))))))))))))))))))))))))
.
.
2012-06-09 17:01 . 2012-06-09 17:01 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2012-06-09 08:21 . 2012-06-09 08:21 21361 ----a-w- c:\windows\system32\drivers\AegisP.sys
2012-06-09 08:21 . 2010-03-10 11:28 602912 ----a-w- c:\windows\system32\drivers\RTL8192su.sys
2012-06-09 08:21 . 2012-06-09 08:21 -------- d-----w- c:\windows\system32\RtlGina
2012-06-09 08:21 . 2009-02-05 00:49 451072 ----a-w- c:\windows\system32\ISSRemoveSP.exe
2012-06-06 18:00 . 2012-06-06 17:22 388608 ----a-w- c:\program files\HijackThis.exe
2012-06-06 17:11 . 2012-06-06 17:11 -------- d-----w- c:\documents and settings\Bisovi\Data aplikací\602XML
2012-06-06 17:11 . 2012-06-06 17:11 -------- d-----w- c:\documents and settings\Bisovi\Data aplikací\602Installer
2012-06-06 17:11 . 2012-06-06 17:18 -------- d-----w- c:\program files\Common Files\soft602
2012-06-06 17:11 . 2012-06-06 17:11 -------- d-----w- c:\program files\Software602
2012-06-05 15:14 . 2012-06-05 15:14 -------- d-----w- c:\documents and settings\Bisovi\Data aplikací\AskToolbar
2012-06-04 17:51 . 2012-06-04 17:51 -------- d-----w- c:\documents and settings\All Users\Data aplikací\boost_interprocess
2012-06-04 16:39 . 2010-04-30 13:28 911800 ----a-w- c:\windows\system32\drivers\etc\amtlib.dll
2012-06-04 14:28 . 2012-06-04 15:02 -------- d-----w- c:\program files\YourFileDownloader
2012-06-04 14:28 . 2012-06-04 14:30 -------- d-----w- c:\documents and settings\Bisovi\Data aplikací\YourFileDownloader
2012-06-03 09:04 . 2012-06-03 09:04 -------- d-----w- c:\documents and settings\Bisovi\Local Settings\Data aplikací\CRE
2012-06-03 09:04 . 2012-06-06 17:20 -------- d-----w- c:\documents and settings\Bisovi\Local Settings\Data aplikací\Conduit
2012-06-03 09:04 . 2012-06-03 09:04 -------- d-----w- c:\documents and settings\Bisovi\Local Settings\Data aplikací\Temp
2012-06-03 08:49 . 2012-06-03 08:49 -------- d-----w- c:\documents and settings\Bisovi\Data aplikací\StageManager.BD092818F67280F4B42B04877600987F0111B594.1
2012-06-02 06:55 . 2012-06-05 16:10 -------- d-----w- c:\documents and settings\Bisovi\Local Settings\Data aplikací\AskToolbar
2012-06-02 06:52 . 2012-06-02 06:52 -------- d-----w- c:\documents and settings\Bisovi\Data aplikací\Avira
2012-06-02 06:46 . 2012-06-02 06:47 -------- d-----w- c:\documents and settings\Default User\Local Settings\Data aplikací\AskToolbar
2012-06-02 06:46 . 2012-04-27 08:20 137928 ----a-w- c:\windows\system32\drivers\avipbb.sys
2012-06-02 06:46 . 2012-04-24 22:32 83392 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2012-06-02 06:46 . 2012-04-16 19:18 36000 ----a-w- c:\windows\system32\drivers\avkmgr.sys
2012-06-02 06:46 . 2012-06-02 06:47 -------- d-----w- c:\documents and settings\All Users\Data aplikací\Avira
2012-06-02 06:46 . 2012-06-02 06:46 -------- d-----w- c:\program files\Avira
2012-05-30 17:14 . 2012-05-30 17:14 -------- d-----w- c:\program files\Microsoft Synchronization Services
2012-05-30 17:13 . 2012-05-30 17:13 -------- d-----w- c:\program files\Microsoft.NET
2012-05-30 17:13 . 2012-05-30 17:13 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition
2012-05-30 17:13 . 2012-05-30 17:13 -------- d-----w- c:\documents and settings\All Users\Microsoft
2012-05-30 17:08 . 2012-05-30 17:08 -------- d-----w- c:\program files\Microsoft Analysis Services
2012-05-30 16:54 . 2008-04-14 06:53 299520 -c----w- c:\windows\system32\dllcache\drmclien.dll
2012-05-30 16:52 . 2008-04-13 22:10 10240 ------w- c:\windows\system32\drivers\sffp_mmc.sys
2012-05-25 17:42 . 2008-04-14 06:51 21504 ----a-w- c:\windows\system32\hidserv.dll
2012-05-25 17:42 . 2008-04-14 05:59 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2012-05-24 17:32 . 2001-08-17 19:47 12928 -c--a-w- c:\windows\system32\dllcache\dot4prt.sys
2012-05-24 17:32 . 2001-08-17 19:47 12928 ----a-w- c:\windows\system32\drivers\Dot4Prt.sys
2012-05-24 17:32 . 2001-10-24 09:43 23808 -c--a-w- c:\windows\system32\dllcache\dot4usb.sys
2012-05-24 17:32 . 2001-10-24 09:43 23808 ----a-w- c:\windows\system32\drivers\Dot4usb.sys
2012-05-24 17:32 . 2008-04-13 22:09 206976 ----a-w- c:\windows\system32\drivers\dot4.sys
2012-05-20 17:47 . 2012-05-20 17:47 -------- d-----w- c:\documents and settings\Bisovi\Data aplikací\OpenCandy
2012-05-18 11:25 . 2012-05-18 11:25 -------- d-----r- c:\documents and settings\LocalService\Oblíbené položky
2012-05-18 09:36 . 2012-06-09 17:02 -------- d-----w- c:\windows\system32\NtmsData
2012-05-16 16:26 . 2008-04-13 22:15 20608 ----a-w- c:\windows\system32\drivers\usbuhci.sys
2012-05-14 16:30 . 2010-01-05 01:31 1714176 ----a-w- c:\windows\system32\drivers\athuw.sys
2012-05-14 16:30 . 2012-05-14 16:30 -------- d-----w- c:\windows\Options
2012-05-14 16:30 . 2010-01-05 01:31 1714176 ----a-w- c:\windows\system32\athuw.sys
2012-05-14 16:29 . 2012-05-14 16:29 -------- d-----w- c:\documents and settings\All Users\Data aplikací\TP-LINK
2012-05-13 09:36 . 2012-05-13 09:36 -------- d-----w- c:\documents and settings\Bisovi\Data aplikací\Publish Providers
2012-05-13 09:36 . 2012-05-18 08:46 -------- d---a-w- c:\documents and settings\All Users\Data aplikací\TEMP
2012-05-13 09:36 . 2012-05-13 09:36 -------- d-----w- c:\documents and settings\Bisovi\Local Settings\Data aplikací\Sony
2012-05-13 09:36 . 2012-05-13 09:36 -------- d-----w- c:\documents and settings\Bisovi\Data aplikací\Sony
2012-05-13 09:31 . 2012-05-13 09:31 -------- d-----w- c:\program files\Vstplugins
2012-05-13 09:31 . 2012-05-13 09:31 -------- d-----w- c:\documents and settings\All Users\Data aplikací\Sony
2012-05-13 09:29 . 2012-05-17 16:35 -------- d-----w- c:\documents and settings\Bisovi\Local Settings\Data aplikací\Ahead
2012-05-13 09:14 . 2012-05-13 09:31 -------- d-----w- c:\program files\Sony
2012-05-13 09:11 . 2012-05-13 09:11 -------- d-----w- c:\program files\Sony Setup
2012-05-13 09:07 . 2012-05-13 09:07 -------- d-----w- c:\program files\Terminal Reality
2012-05-13 09:01 . 2012-05-18 11:27 -------- d-----w- c:\documents and settings\Bisovi\Data aplikací\Ahead
2012-05-13 09:00 . 2012-05-13 09:00 -------- d-----w- c:\documents and settings\All Users\Data aplikací\Nero
2012-05-13 09:00 . 2012-05-13 09:01 -------- d-----w- c:\program files\Common Files\Ahead
2012-05-13 09:00 . 2012-05-13 09:00 -------- d-----w- c:\program files\Nero
2012-05-12 17:44 . 2012-05-12 17:44 -------- d-----w- c:\documents and settings\Bisovi\Local Settings\Data aplikací\WMTools Downloaded Files
2012-05-12 17:29 . 2008-04-14 06:52 54272 ----a-w- c:\windows\system32\vfwwdm32.dll
2012-05-12 17:29 . 2008-04-13 22:16 38912 ----a-w- c:\windows\system32\drivers\avc.sys
2012-05-12 17:29 . 2008-04-13 22:16 48128 ----a-w- c:\windows\system32\drivers\61883.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-06-10 18:11 . 2012-04-02 17:55 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-06-10 18:11 . 2012-04-02 17:55 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-04-14 17:26 . 2012-04-02 15:32 24944 ----a-w- c:\windows\system32\drivers\GVTDrv.sys
2012-04-14 17:26 . 2012-04-02 16:54 17488 ----a-w- c:\windows\gdrv.sys
2012-04-14 14:59 . 2012-04-02 16:54 17488 ----a-w- c:\windows\etdrv.sys
2012-04-11 15:35 . 2012-04-11 15:35 441760 ----a-w- c:\windows\system32\drivers\timntr.sys
2012-04-11 15:35 . 2012-04-10 13:56 44384 ----a-w- c:\windows\system32\drivers\tifsfilt.sys
2012-04-11 15:35 . 2012-04-11 15:35 132224 ----a-w- c:\windows\system32\drivers\snapman.sys
2012-04-11 15:35 . 2012-04-10 13:56 368480 ----a-w- c:\windows\system32\drivers\tdrpman.sys
2012-04-11 13:33 . 2012-04-10 15:39 125472 ----a-w- c:\windows\system32\drivers\vididr.sys
2012-04-11 13:33 . 2012-04-11 13:33 83392 ----a-w- c:\windows\system32\drivers\vsflt53.sys
2012-04-10 16:41 . 2012-04-10 15:39 76768 ----a-w- c:\windows\system32\drivers\fltsrv.sys
2012-04-04 13:56 . 2012-04-03 16:32 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-04-02 19:20 . 2012-04-02 19:20 65536 ----a-r- c:\documents and settings\Bisovi\Data aplikací\Microsoft\Installer\{F428D0FB-765D-40EB-BDD8-A1E7F5C597FA}\Shortcut0.C3A146F5_4B48_11D5_A819_00B0D0428C0C.exe
2012-03-22 19:12 . 2012-03-22 19:12 4435968 ----a-w- c:\windows\system32\GPhotos.scr
2012-04-28 09:07 . 2012-04-02 17:01 97208 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\documents and settings\Bisovi\Local Settings\Data aplikací\CRE ----
.
2012-04-17 15:42 . 2012-04-17 15:42 889356 ----a-w- c:\documents and settings\Bisovi\Local Settings\Data aplikací\CRE\pacgpkgadgmibnhpdidcnfafllnmeomc.crx
.
.
((((((((((((((((((((((((((((( SnapShot@2012-06-09_06.05.53 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-06-09 08:21 . 2009-06-24 16:11 65536 c:\windows\system32\RtlGina\RtlGina.dll
- 2001-10-25 12:00 . 2012-06-09 05:46 68156 c:\windows\system32\perfc009.dat
+ 2001-10-25 12:00 . 2012-06-11 06:01 68156 c:\windows\system32\perfc009.dat
- 2001-10-25 12:00 . 2012-06-09 05:46 79062 c:\windows\system32\perfc005.dat
+ 2001-10-25 12:00 . 2012-06-11 06:01 79062 c:\windows\system32\perfc005.dat
- 2001-10-25 12:00 . 2012-06-09 05:46 435260 c:\windows\system32\perfh009.dat
+ 2001-10-25 12:00 . 2012-06-11 06:01 435260 c:\windows\system32\perfh009.dat
- 2001-10-25 12:00 . 2012-06-09 05:46 432004 c:\windows\system32\perfh005.dat
+ 2001-10-25 12:00 . 2012-06-11 06:01 432004 c:\windows\system32\perfh005.dat
+ 2012-06-10 18:11 . 2012-06-10 18:11 686280 c:\windows\system32\Macromed\Flash\FlashUtil32_11_3_300_257_ActiveX.exe
+ 2012-06-10 18:11 . 2012-06-10 18:11 465096 c:\windows\system32\Macromed\Flash\FlashUtil32_11_3_300_257_ActiveX.dll
+ 2012-04-02 17:55 . 2012-06-10 18:11 257224 c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe
+ 2012-06-09 08:21 . 2010-03-10 11:28 602912 c:\windows\Options\Cabs\rtl8192su.sys
+ 2012-04-02 23:03 . 2012-06-09 20:56 3569376 c:\windows\system32\FNTCACHE.DAT
.
(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-11-16 139264]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-04-06 102400]
"RTHDCPL"="RTHDCPL.EXE" [2011-08-09 20055144]
"ZoneAlarm"="c:\program files\CheckPoint\ZoneAlarm\zatray.exe" [2012-03-19 73360]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe" [2002-11-05 188416]
"BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2012-05-01 348624]
"ISW"="c:\program files\CheckPoint\ZAForceField\ForceField.exe" [2012-03-16 738944]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]
.
c:\documents and settings\All Users\Nabídka Start\Programy\Po spuštění\
REALTEK 11n USB Wireless LAN Utility.lnk - c:\program files\Realtek\11n USB Wireless LAN Utility\RtWLan.exe [2012-6-9 937984]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLinkedConnections"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
2008-06-11 20:43 640376 ----a-w- c:\program files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Acrobat Speed Launcher]
2008-06-12 00:25 37232 ----a-w- c:\program files\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeAAMUpdater-1.0]
2012-06-07 17:54 500208 ------w- c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes' Anti-Malware]
2012-04-04 13:56 462408 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 06:52 1695232 ------w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2011-01-26 15:05 15026056 ----a-r- c:\program files\Skype\Phone\Skype.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"mnmsrvc"=3 (0x3)
"AdobeFlashPlayerUpdateSvc"=3 (0x3)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office14\\OUTLOOK.EXE"=
"c:\\Program Files\\Realtek\\11n USB Wireless LAN Utility\\RtWLan.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1542:TCP"= 1542:TCP:Realtek WPS TCP Prot
"1542:UDP"= 1542:UDP:Realtek WPS UDP Prot
"53:UDP"= 53:UDP:Realtek AP UDP Prot
.
R0 fltsrv;Acronis Storage Filter Management;c:\windows\system32\drivers\fltsrv.sys [10.4.2012 17:39 76768]
R0 vidsflt53;Acronis Disk Storage Filter (53);c:\windows\system32\drivers\vsflt53.sys [11.4.2012 15:33 83392]
R1 AppleCharger;AppleCharger;c:\windows\system32\drivers\AppleCharger.sys [2.4.2012 17:29 18544]
R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [2.6.2012 8:46 36000]
R2 AntiVirSchedulerService;Avira Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2.6.2012 8:46 86224]
R2 AntiVirWebService;Avira Web Protection;c:\program files\Avira\AntiVir Desktop\avwebgrd.exe [2.6.2012 8:46 465360]
R2 cpuz135;cpuz135;c:\windows\system32\drivers\cpuz135_x32.sys [25.4.2012 19:33 24328]
R2 ISWKL;ZoneAlarm LTD Toolbar ISWKL;c:\program files\CheckPoint\ZAForceField\ISWKL.sys [16.3.2012 18:06 27016]
R2 IswSvc;ZoneAlarm LTD Toolbar IswSvc;c:\program files\CheckPoint\ZAForceField\ISWSVC.exe [16.3.2012 18:07 497280]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [3.4.2012 18:32 654408]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [3.4.2012 18:32 22344]
R3 RTL8192su;Realtek RTL8192SU Wireless LAN 802.11n USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8192su.sys [9.6.2012 10:21 602912]
R3 usbfilter;AMD USB Filter Driver;c:\windows\system32\drivers\usbfilter.sys [2.4.2012 18:18 30392]
S2 yyivvkmo;Helper Image;c:\windows\system32\svchost.exe -k netsvcs [25.10.2001 14:00 14336]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2.4.2012 18:44 1691480]
S3 androidusb;ADB Interface Driver;c:\windows\system32\drivers\androidusb.sys [11.4.2012 18:23 25728]
S3 AR9271;Wireless Network Adapter Service;c:\windows\system32\drivers\athuw.sys [14.5.2012 18:30 1714176]
S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [10.4.2012 16:04 8704]
S3 etdrv;etdrv;c:\windows\etdrv.sys [2.4.2012 18:54 17488]
S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [10.4.2012 16:04 3072]
S3 L1c;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;c:\windows\system32\drivers\l1c51x86.sys [2.4.2012 17:39 75504]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [9.6.2012 19:01 40776]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [28.4.2012 11:07 129976]
S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [9.1.2010 21:37 4640000]
S3 zgwhsmdm;ZTE WCDMA Handset USB Modem;c:\windows\system32\drivers\zgwhsmdm.sys [11.4.2012 18:23 106752]
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
yyivvkmo
.
.
------- Doplňkový sken -------
.
uStart Page = hxxp://www.idnes.cz/
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xportovat do aplikace Microsoft Excel - c:\progra~1\MICROS~2\Office14\EXCEL.EXE/3000
IE: Převést cíl vazby do Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Převést do Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: Připojit cíl vazby k existujícímu PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Připojit k existujícímu PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
LSP: c:\program files\Avira\AntiVir Desktop\avsda.dll
TCP: DhcpNameServer = 109.108.107.106 109.108.109.108
TCP: Interfaces\{D25446CA-C0F1-4978-AAFA-8BE11186FF5B}: NameServer = 89.111.106.2,89.111.107.249
FF - ProfilePath - c:\documents and settings\Bisovi\Data aplikací\Mozilla\Firefox\Profiles\okm78hap.default\
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-06-11 08:11
Windows 5.1.2600 Service Pack 3 NTFS
.
skenování skrytých procesů ...
.
skenování skrytých položek 'Po spuštění' ...
.
skenování skrytých souborů ...
.
sken byl úspešně dokončen
skryté soubory: 0
.
**************************************************************************
.
--------------------- Knihovny navázané na běžící procesy ---------------------
.
- - - - - - - > 'winlogon.exe'(836)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\atiadlxx.dll
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
.
- - - - - - - > 'lsass.exe'(892)
c:\program files\Avira\AntiVir Desktop\avsda.dll
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
.
- - - - - - - > 'explorer.exe'(1728)
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Jiné spuštené procesy ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\windows\RTHDCPL.EXE
c:\program files\Avira\AntiVir Desktop\avshadow.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\windows\system32\wscntfy.exe
c:\program files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
.
**************************************************************************
.
Celkový čas: 2012-06-11 08:13:53 - počítač byl restartován
ComboFix-quarantined-files.txt 2012-06-11 06:13
ComboFix2.txt 2012-06-10 13:12
ComboFix3.txt 2012-06-09 06:08
.
Před spuštěním: Volných bajtů: 46 527 602 688
Po spuštění: Volných bajtů: 46 453 940 224
.
- - End Of File - - E6E1FEF0B028E2D79B4EB84B14B406FE





SystemLook 30.07.11 by jpshortstuff
Log created at 08:15 on 11/06/2012 by Bisovi
Administrator - Elevation successful

========== filefind ==========

Searching for "yyivvkmo.*"
No files found.

-= EOF =-
Nahoru
Uživatelský avatar
bledulka
Level 5
Level 5
Příspěvky: 2242
Registrován: srpen 09
Pohlaví: Žena
Stav:
Offline

Re: Prosím o kontrolu logu

Příspěvekod bledulka » 12 čer 2012 22:21

Prosím tě otestuj na http://www.virustotal.com
c:\documents and settings\Bisovi\Local Settings\Data aplikací\CRE\pacgpkgadgmibnhpdidcnfafllnmeomc.crx
Nahoru
LaB
Level 3.5
Level 3.5
Příspěvky: 842
Registrován: duben 09
Pohlaví: Muž
Stav:
Offline

Re: Prosím o kontrolu logu

Příspěvekod LaB » 13 čer 2012 19:01

Dopadlo to 0/42
By mě docela zajímalo, k čemu ten soubor patří...
Každopádně děkuju.
Nahoru
Uživatelský avatar
bledulka
Level 5
Level 5
Příspěvky: 2242
Registrován: srpen 09
Pohlaví: Žena
Stav:
Offline

Re: Prosím o kontrolu logu

Příspěvekod bledulka » 13 čer 2012 23:18

Nepoužíváš torrenty?

Combofix přesuň na plochu
-otevři si Poznámkový blok
-Do něj zkopíruj text z tohoto okénka

Kód: Vybrat vše

Driver::
yyivvkmo

Netsvc::
yyivvkmo


 

-vytvořený TXT soubor ulož jako CFScript.txt na plochu a levým myšítkem přesuň nad ikonu Combofixu, kde ho upustíš

-Po proběhnutí skenu a ukončení combofixu by se měl objevit log, vlož ho zde.

Upozornění : Může se stát, že po aplikaci skriptu a restartu počítače Windows nenaběhnou, pak znovu restartuj počítač, mačkej F8 a pak zvol poslední známou funkční konfiguraci.
Nahoru
LaB
Level 3.5
Level 3.5
Příspěvky: 842
Registrován: duben 09
Pohlaví: Muž
Stav:
Offline

Re: Prosím o kontrolu logu

Příspěvekod LaB » 14 čer 2012 05:38

Použil jsem ho asi jednou. Odpoledne udělám CF. Díky.
Nahoru
Uživatelský avatar
jaro3
člen Security týmu
Guru Level 15
Guru Level 15
Příspěvky: 43298
Registrován: červen 07
Bydliště: Jižní Čechy
Pohlaví: Muž
Stav:
Offline

Re: Prosím o kontrolu logu

Příspěvekod jaro3 » 14 čer 2012 10:26

Ten script udělej s tímto:

Kód: Vybrat vše

KillAll::
File::
c:\documents and settings\Bisovi\Local Settings\Data aplikací\CRE\pacgpkgadgmibnhpdidcnfafllnmeomc.crx

Folder::
c:\documents and settings\Bisovi\Local Settings\Data aplikací\CRE

Driver::
yyivvkmo

Netsvc::
yyivvkmo
Při práci s programy HJT, ComboFix,MbAM, SDFix aj. zavřete všechny ostatní aplikace a prohlížeče!
Neposílejte logy do soukromých zpráv.Po dobu mé nepřítomnosti mě zastupuje memphisto , Žbeky a Orcus.
Pokud budete spokojeni , můžete podpořit naše forum:Podpora fóra
Nahoru
LaB
Level 3.5
Level 3.5
Příspěvky: 842
Registrován: duben 09
Pohlaví: Muž
Stav:
Offline

Re: Prosím o kontrolu logu

Příspěvekod LaB » 14 čer 2012 17:26

ComboFix 12-06-14.01 - Bisovi 14.06.2012 17:15:52.7.2 - x86
Systém Microsoft Windows XP Professional 5.1.2600.3.1250.420.1029.18.2813.2052 [GMT 2:00]
Spuštěný z: c:\documents and settings\Bisovi\Plocha\ComboFix.exe
Použité ovládací přepínače :: c:\documents and settings\Bisovi\Plocha\CFScript.txt
AV: Avira Desktop *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
FW: ZoneAlarm Free Firewall *Enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.
FILE ::
"c:\documents and settings\Bisovi\Local Settings\Data aplikací\CRE\pacgpkgadgmibnhpdidcnfafllnmeomc.crx"
.
.
((((((((((((((((((((((((((((((((((((((( Ostatní výmazy )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files\Mozilla Maintenance Service
c:\program files\Mozilla Maintenance Service\maintenanceservice.exe
c:\program files\Mozilla Maintenance Service\Uninstall.exe
c:\windows\XSxS
.
.
((((((((((((((((((((((((((((((((((((((( Ovladače/Služby )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_YYIVVKMO
-------\Service_yyivvkmo
-------\Service_MozillaMaintenance
-------\Service_MozillaMaintenance
.
.
((((((((((((((((((((((((( Soubory vytvořené od 2012-05-14 do 2012-06-14 )))))))))))))))))))))))))))))))
.
.
2012-06-11 11:06 . 2012-06-11 11:06 -------- d-----w- c:\program files\Xenocode
2012-06-09 08:21 . 2012-06-09 08:21 21361 ----a-w- c:\windows\system32\drivers\AegisP.sys
2012-06-09 08:21 . 2010-03-10 11:28 602912 ----a-w- c:\windows\system32\drivers\RTL8192su.sys
2012-06-09 08:21 . 2012-06-09 08:21 -------- d-----w- c:\windows\system32\RtlGina
2012-06-09 08:21 . 2009-02-05 00:49 451072 ----a-w- c:\windows\system32\ISSRemoveSP.exe
2012-06-06 18:00 . 2012-06-06 17:22 388608 ----a-w- c:\program files\HijackThis.exe
2012-06-06 17:11 . 2012-06-06 17:11 -------- d-----w- c:\documents and settings\Bisovi\Data aplikací\602XML
2012-06-06 17:11 . 2012-06-06 17:11 -------- d-----w- c:\documents and settings\Bisovi\Data aplikací\602Installer
2012-06-06 17:11 . 2012-06-06 17:18 -------- d-----w- c:\program files\Common Files\soft602
2012-06-06 17:11 . 2012-06-06 17:11 -------- d-----w- c:\program files\Software602
2012-06-05 15:14 . 2012-06-05 15:14 -------- d-----w- c:\documents and settings\Bisovi\Data aplikací\AskToolbar
2012-06-04 17:51 . 2012-06-04 17:51 -------- d-----w- c:\documents and settings\All Users\Data aplikací\boost_interprocess
2012-06-04 16:39 . 2010-04-30 13:28 911800 ----a-w- c:\windows\system32\drivers\etc\amtlib.dll
2012-06-04 14:28 . 2012-06-04 15:02 -------- d-----w- c:\program files\YourFileDownloader
2012-06-04 14:28 . 2012-06-04 14:30 -------- d-----w- c:\documents and settings\Bisovi\Data aplikací\YourFileDownloader
2012-06-03 09:04 . 2012-06-03 09:04 -------- d-----w- c:\documents and settings\Bisovi\Local Settings\Data aplikací\CRE
2012-06-03 09:04 . 2012-06-06 17:20 -------- d-----w- c:\documents and settings\Bisovi\Local Settings\Data aplikací\Conduit
2012-06-03 09:04 . 2012-06-03 09:04 -------- d-----w- c:\documents and settings\Bisovi\Local Settings\Data aplikací\Temp
2012-06-03 08:49 . 2012-06-03 08:49 -------- d-----w- c:\documents and settings\Bisovi\Data aplikací\StageManager.BD092818F67280F4B42B04877600987F0111B594.1
2012-06-02 06:55 . 2012-06-05 16:10 -------- d-----w- c:\documents and settings\Bisovi\Local Settings\Data aplikací\AskToolbar
2012-06-02 06:52 . 2012-06-02 06:52 -------- d-----w- c:\documents and settings\Bisovi\Data aplikací\Avira
2012-06-02 06:46 . 2012-06-02 06:47 -------- d-----w- c:\documents and settings\Default User\Local Settings\Data aplikací\AskToolbar
2012-06-02 06:46 . 2012-04-27 08:20 137928 ----a-w- c:\windows\system32\drivers\avipbb.sys
2012-06-02 06:46 . 2012-04-24 22:32 83392 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2012-06-02 06:46 . 2012-04-16 19:18 36000 ----a-w- c:\windows\system32\drivers\avkmgr.sys
2012-06-02 06:46 . 2012-06-02 06:47 -------- d-----w- c:\documents and settings\All Users\Data aplikací\Avira
2012-06-02 06:46 . 2012-06-02 06:46 -------- d-----w- c:\program files\Avira
2012-05-30 17:14 . 2012-05-30 17:14 -------- d-----w- c:\program files\Microsoft Synchronization Services
2012-05-30 17:13 . 2012-05-30 17:13 -------- d-----w- c:\program files\Microsoft.NET
2012-05-30 17:13 . 2012-05-30 17:13 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition
2012-05-30 17:13 . 2012-05-30 17:13 -------- d-----w- c:\documents and settings\All Users\Microsoft
2012-05-30 17:08 . 2012-05-30 17:08 -------- d-----w- c:\program files\Microsoft Analysis Services
2012-05-30 16:54 . 2008-04-14 06:53 299520 -c----w- c:\windows\system32\dllcache\drmclien.dll
2012-05-30 16:52 . 2008-04-13 22:10 10240 ------w- c:\windows\system32\drivers\sffp_mmc.sys
2012-05-25 17:42 . 2008-04-14 06:51 21504 ----a-w- c:\windows\system32\hidserv.dll
2012-05-25 17:42 . 2008-04-14 05:59 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2012-05-24 17:32 . 2001-08-17 19:47 12928 -c--a-w- c:\windows\system32\dllcache\dot4prt.sys
2012-05-24 17:32 . 2001-08-17 19:47 12928 ----a-w- c:\windows\system32\drivers\Dot4Prt.sys
2012-05-24 17:32 . 2001-10-24 09:43 23808 -c--a-w- c:\windows\system32\dllcache\dot4usb.sys
2012-05-24 17:32 . 2001-10-24 09:43 23808 ----a-w- c:\windows\system32\drivers\Dot4usb.sys
2012-05-24 17:32 . 2008-04-13 22:09 206976 ----a-w- c:\windows\system32\drivers\dot4.sys
2012-05-20 17:47 . 2012-05-20 17:47 -------- d-----w- c:\documents and settings\Bisovi\Data aplikací\OpenCandy
2012-05-18 11:25 . 2012-05-18 11:25 -------- d-----r- c:\documents and settings\LocalService\Oblíbené položky
2012-05-18 09:36 . 2012-06-09 17:02 -------- d-----w- c:\windows\system32\NtmsData
2012-05-16 16:26 . 2008-04-13 22:15 20608 ----a-w- c:\windows\system32\drivers\usbuhci.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-06-10 18:11 . 2012-04-02 17:55 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-06-10 18:11 . 2012-04-02 17:55 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-04-14 17:26 . 2012-04-02 15:32 24944 ----a-w- c:\windows\system32\drivers\GVTDrv.sys
2012-04-14 17:26 . 2012-04-02 16:54 17488 ----a-w- c:\windows\gdrv.sys
2012-04-14 14:59 . 2012-04-02 16:54 17488 ----a-w- c:\windows\etdrv.sys
2012-04-11 15:35 . 2012-04-11 15:35 441760 ----a-w- c:\windows\system32\drivers\timntr.sys
2012-04-11 15:35 . 2012-04-10 13:56 44384 ----a-w- c:\windows\system32\drivers\tifsfilt.sys
2012-04-11 15:35 . 2012-04-11 15:35 132224 ----a-w- c:\windows\system32\drivers\snapman.sys
2012-04-11 15:35 . 2012-04-10 13:56 368480 ----a-w- c:\windows\system32\drivers\tdrpman.sys
2012-04-11 13:33 . 2012-04-10 15:39 125472 ----a-w- c:\windows\system32\drivers\vididr.sys
2012-04-11 13:33 . 2012-04-11 13:33 83392 ----a-w- c:\windows\system32\drivers\vsflt53.sys
2012-04-10 16:41 . 2012-04-10 15:39 76768 ----a-w- c:\windows\system32\drivers\fltsrv.sys
2012-04-04 13:56 . 2012-04-03 16:32 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-04-02 19:20 . 2012-04-02 19:20 65536 ----a-r- c:\documents and settings\Bisovi\Data aplikací\Microsoft\Installer\{F428D0FB-765D-40EB-BDD8-A1E7F5C597FA}\Shortcut0.C3A146F5_4B48_11D5_A819_00B0D0428C0C.exe
2012-03-22 19:12 . 2012-03-22 19:12 4435968 ----a-w- c:\windows\system32\GPhotos.scr
2012-04-28 09:07 . 2012-04-02 17:01 97208 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-11-16 139264]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-04-06 102400]
"RTHDCPL"="RTHDCPL.EXE" [2011-08-09 20055144]
"ZoneAlarm"="c:\program files\CheckPoint\ZoneAlarm\zatray.exe" [2012-03-19 73360]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe" [2002-11-05 188416]
"BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2012-05-01 348624]
"ISW"="c:\program files\CheckPoint\ZAForceField\ForceField.exe" [2012-03-16 738944]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2009-10-03 38768]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-04-04 462408]
"AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2012-06-07 500208]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]
.
c:\documents and settings\All Users\Nabídka Start\Programy\Po spuštění\
REALTEK 11n USB Wireless LAN Utility.lnk - c:\program files\Realtek\11n USB Wireless LAN Utility\RtWLan.exe [2012-6-9 937984]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLinkedConnections"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
2009-10-02 21:32 640376 ----a-w- c:\program files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2011-01-26 15:05 15026056 ----a-r- c:\program files\Skype\Phone\Skype.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"mnmsrvc"=3 (0x3)
"AdobeFlashPlayerUpdateSvc"=3 (0x3)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office14\\OUTLOOK.EXE"=
"c:\\Program Files\\Realtek\\11n USB Wireless LAN Utility\\RtWLan.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1542:TCP"= 1542:TCP:Realtek WPS TCP Prot
"1542:UDP"= 1542:UDP:Realtek WPS UDP Prot
"53:UDP"= 53:UDP:Realtek AP UDP Prot
.
R0 fltsrv;Acronis Storage Filter Management;c:\windows\system32\drivers\fltsrv.sys [10.4.2012 17:39 76768]
R0 vidsflt53;Acronis Disk Storage Filter (53);c:\windows\system32\drivers\vsflt53.sys [11.4.2012 15:33 83392]
R1 AppleCharger;AppleCharger;c:\windows\system32\drivers\AppleCharger.sys [2.4.2012 17:29 18544]
R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [2.6.2012 8:46 36000]
R2 AntiVirSchedulerService;Avira Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2.6.2012 8:46 86224]
R2 AntiVirWebService;Avira Web Protection;c:\program files\Avira\AntiVir Desktop\avwebgrd.exe [2.6.2012 8:46 465360]
R2 cpuz135;cpuz135;c:\windows\system32\drivers\cpuz135_x32.sys [25.4.2012 19:33 24328]
R2 ISWKL;ZoneAlarm LTD Toolbar ISWKL;c:\program files\CheckPoint\ZAForceField\ISWKL.sys [16.3.2012 18:06 27016]
R2 IswSvc;ZoneAlarm LTD Toolbar IswSvc;c:\program files\CheckPoint\ZAForceField\ISWSVC.exe [16.3.2012 18:07 497280]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [3.4.2012 18:32 654408]
R3 L1c;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;c:\windows\system32\drivers\l1c51x86.sys [2.4.2012 17:39 75504]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [3.4.2012 18:32 22344]
R3 usbfilter;AMD USB Filter Driver;c:\windows\system32\drivers\usbfilter.sys [2.4.2012 18:18 30392]
S1 tdx;@%SystemRoot%\system32\tcpipcfg.dll,-50004;c:\windows\system32\DRIVERS\tdx.sys --> c:\windows\system32\DRIVERS\tdx.sys [?]
S2 iphlpsvc;@%SystemRoot%\system32\iphlpsvc.dll,-200;c:\windows\System32\svchost.exe -k NetSvcs [25.10.2001 14:00 14336]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2.4.2012 18:44 1691480]
S3 androidusb;ADB Interface Driver;c:\windows\system32\drivers\androidusb.sys [11.4.2012 18:23 25728]
S3 AR9271;Wireless Network Adapter Service;c:\windows\system32\drivers\athuw.sys [14.5.2012 18:30 1714176]
S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [10.4.2012 16:04 8704]
S3 etdrv;etdrv;c:\windows\etdrv.sys [2.4.2012 18:54 17488]
S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [10.4.2012 16:04 3072]
S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [9.1.2010 21:37 4640000]
S3 RTL8192su;Realtek RTL8192SU Wireless LAN 802.11n USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8192su.sys [9.6.2012 10:21 602912]
S3 WinDefend;Windows Defender;c:\windows\System32\svchost.exe -k secsvcs [25.10.2001 14:00 14336]
S3 zgwhsmdm;ZTE WCDMA Handset USB Modem;c:\windows\system32\drivers\zgwhsmdm.sys [11.4.2012 18:23 106752]
.
--- Ostatní služby/ovladače v paměti ---
.
*NewlyCreated* - IPHLPSVC
.
.
------- Doplňkový sken -------
.
uStart Page = hxxp://www.idnes.cz/
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xportovat do aplikace Microsoft Excel - c:\progra~1\MICROS~2\Office14\EXCEL.EXE/3000
IE: Převést cíl vazby do Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Převést do Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: Připojit cíl vazby k existujícímu PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Připojit k existujícímu PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
LSP: c:\program files\Avira\AntiVir Desktop\avsda.dll
TCP: Interfaces\{D25446CA-C0F1-4978-AAFA-8BE11186FF5B}: NameServer = 89.111.106.2,89.111.107.249
FF - ProfilePath - c:\documents and settings\Bisovi\Data aplikací\Mozilla\Firefox\Profiles\okm78hap.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.seznam.cz/
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.as ... ource=2&q=
.
- - - - NEPLATNÉ POLOŽKY ODSTRANĚNÉ Z REGISTRU - - - -
.
AddRemove-MozillaMaintenanceService - c:\program files\Mozilla Maintenance Service\uninstall.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-06-14 17:21
Windows 5.1.2600 Service Pack 3 NTFS
.
skenování skrytých procesů ...
.
skenování skrytých položek 'Po spuštění' ...
.
skenování skrytých souborů ...
.
sken byl úspešně dokončen
skryté soubory: 0
.
**************************************************************************
.
--------------------- Knihovny navázané na běžící procesy ---------------------
.
- - - - - - - > 'winlogon.exe'(872)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\atiadlxx.dll
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
.
- - - - - - - > 'lsass.exe'(928)
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
c:\program files\Avira\AntiVir Desktop\avsda.dll
.
- - - - - - - > 'explorer.exe'(1996)
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Jiné spuštené procesy ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\windows\RTHDCPL.EXE
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\Avira\AntiVir Desktop\avshadow.exe
c:\windows\system32\wscntfy.exe
c:\program files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
.
**************************************************************************
.
Celkový čas: 2012-06-14 17:24:59 - počítač byl restartován
ComboFix-quarantined-files.txt 2012-06-14 15:24
.
Před spuštěním: Volných bajtů: 45 543 747 584
Po spuštění: Volných bajtů: 45 454 979 072
.
- - End Of File - - D9FB69F3E0BC7CE82E705C94515F1B79
Nahoru
Uživatelský avatar
jaro3
člen Security týmu
Guru Level 15
Guru Level 15
Příspěvky: 43298
Registrován: červen 07
Bydliště: Jižní Čechy
Pohlaví: Muž
Stav:
Offline

Re: Prosím o kontrolu logu

Příspěvekod jaro3 » 14 čer 2012 22:23

Otevři si Poznámkový blok (Start -> Spustit... a napiš do okna Notepad a dej Ok.
Zkopíruj do něj následující celý text označený zeleně:

Kód: Vybrat vše

Folder::
c:\documents and settings\Bisovi\Local Settings\Data aplikací\Conduit
c:\documents and settings\Bisovi\Local Settings\Data aplikací\AskToolbar
c:\documents and settings\Default User\Local Settings\Data aplikací\AskToolbar

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000000

Firefox::
FF - prefs.js: browser.startup.homepage - hxxp://www.seznam.cz/
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.as ... ource=2&q=



Zvol možnost Soubor -> Uložit jako... a nastav tyto parametry:
Název souboru: zde napiš: CFScript.txt
Uložit jako typ: tak tam vyber Všechny soubory
Ulož soubor na plochu.
Ukonči všechna aktivní okna.

Uchop myší vytvořený skript CFScript.txt, přemísti ho nad stažený program ComboFix.exe a když se oba soubory překryjí, skript upusť.
- Automaticky se spustí ComboFix
- Vlož sem log, který vyběhne v závěru čistícího procesu + nový log z HJT

Upozornění : Může se stát, že po aplikaci Combofixu a restartu počítače, Windows nenaběhnou , nebo nenajede plocha , budou problémy s připojením, pak znovu restartuj počítač, pokud to nepomůže , po restartu mačkej klávesu F8 a pak zvol poslední známou funkční konfiguraci. , či použij bod obnovy.

Stáhni AVP Tools
na svojí plochu.

Zaškrtni :
Hidden startup objects
System Memory
Disk boot sectors
Dokumenty
My email
Počítač
Místní disk C
Místní disk D
Jednotka DVD-Rom (E)
Jednotka BD-ROM (G)
A jiné , např. Flash disky , které máš připojeny.

Pokračuj podle instrukcí.Na konci se objeví textový soubor , který si hned ulož (save log) na svojí plochu pod názvem KAS.txt .Poté sem vlož celý obsah toho logu.

Pokud se Ti log nezobrazí:
Pokud máš AVPtool stále zapnutý, zkus zmáčknout tlačítko Zpráva (Report).
Pokud se Ti zobrazí tabulka, klikni na ní pravým myšítkem a dej Maximalize a měli by se Ti zobrazit výsledky.

http://www.sosej.cz/Download/Kaspersky- ... nload.html
Při práci s programy HJT, ComboFix,MbAM, SDFix aj. zavřete všechny ostatní aplikace a prohlížeče!
Neposílejte logy do soukromých zpráv.Po dobu mé nepřítomnosti mě zastupuje memphisto , Žbeky a Orcus.
Pokud budete spokojeni , můžete podpořit naše forum:Podpora fóra
Nahoru
LaB
Level 3.5
Level 3.5
Příspěvky: 842
Registrován: duben 09
Pohlaví: Muž
Stav:
Offline

Re: Prosím o kontrolu logu

Příspěvekod LaB » 17 čer 2012 19:59

ComboFix 12-06-16.02 - Bisovi 17.06.2012 19:44:02.8.2 - x86
Systém Microsoft Windows XP Professional 5.1.2600.3.1250.420.1029.18.2813.2165 [GMT 2:00]
Spuštěný z: c:\documents and settings\Bisovi\Plocha\ComboFix.exe
Použité ovládací přepínače :: c:\documents and settings\Bisovi\Plocha\CFScript.txt
AV: Avira Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
FW: ZoneAlarm Free Firewall *Enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
* Vytvořen nový Bod Obnovení
.
.
((((((((((((((((((((((((( Soubory vytvořené od 2012-05-17 do 2012-06-17 )))))))))))))))))))))))))))))))
.
.
2012-06-17 16:50 . 2012-06-17 16:50 -------- d-----w- c:\program files\Microsoft
2012-06-17 16:49 . 2012-06-17 16:49 -------- d-----w- c:\program files\Common Files\Skype
2012-06-14 15:36 . 2012-06-14 15:36 -------- d-----w- c:\program files\DsNET Corp
2012-06-14 15:36 . 2012-06-14 15:36 -------- d-----w- c:\documents and settings\All Users\Data aplikací\Ask
2012-06-11 11:06 . 2012-06-11 11:06 -------- d-----w- c:\program files\Xenocode
2012-06-09 08:21 . 2012-06-09 08:21 21361 ----a-w- c:\windows\system32\drivers\AegisP.sys
2012-06-09 08:21 . 2010-03-10 11:28 602912 ----a-w- c:\windows\system32\drivers\RTL8192su.sys
2012-06-09 08:21 . 2012-06-09 08:21 -------- d-----w- c:\windows\system32\RtlGina
2012-06-09 08:21 . 2009-02-05 00:49 451072 ----a-w- c:\windows\system32\ISSRemoveSP.exe
2012-06-06 18:00 . 2012-06-06 17:22 388608 ----a-w- c:\program files\HijackThis.exe
2012-06-06 17:11 . 2012-06-06 17:11 -------- d-----w- c:\documents and settings\Bisovi\Data aplikací\602XML
2012-06-06 17:11 . 2012-06-06 17:11 -------- d-----w- c:\documents and settings\Bisovi\Data aplikací\602Installer
2012-06-06 17:11 . 2012-06-06 17:18 -------- d-----w- c:\program files\Common Files\soft602
2012-06-06 17:11 . 2012-06-06 17:11 -------- d-----w- c:\program files\Software602
2012-06-05 15:14 . 2012-06-05 15:14 -------- d-----w- c:\documents and settings\Bisovi\Data aplikací\AskToolbar
2012-06-04 17:51 . 2012-06-04 17:51 -------- d-----w- c:\documents and settings\All Users\Data aplikací\boost_interprocess
2012-06-04 16:39 . 2010-04-30 13:28 911800 ----a-w- c:\windows\system32\drivers\etc\amtlib.dll
2012-06-04 14:28 . 2012-06-04 15:02 -------- d-----w- c:\program files\YourFileDownloader
2012-06-04 14:28 . 2012-06-04 14:30 -------- d-----w- c:\documents and settings\Bisovi\Data aplikací\YourFileDownloader
2012-06-03 09:04 . 2012-06-03 09:04 -------- d-----w- c:\documents and settings\Bisovi\Local Settings\Data aplikací\CRE
2012-06-03 09:04 . 2012-06-06 17:20 -------- d-----w- c:\documents and settings\Bisovi\Local Settings\Data aplikací\Conduit
2012-06-03 09:04 . 2012-06-03 09:04 -------- d-----w- c:\documents and settings\Bisovi\Local Settings\Data aplikací\Temp
2012-06-03 08:49 . 2012-06-03 08:49 -------- d-----w- c:\documents and settings\Bisovi\Data aplikací\StageManager.BD092818F67280F4B42B04877600987F0111B594.1
2012-06-02 06:55 . 2012-06-05 16:10 -------- d-----w- c:\documents and settings\Bisovi\Local Settings\Data aplikací\AskToolbar
2012-06-02 06:52 . 2012-06-02 06:52 -------- d-----w- c:\documents and settings\Bisovi\Data aplikací\Avira
2012-06-02 06:46 . 2012-06-02 06:47 -------- d-----w- c:\documents and settings\Default User\Local Settings\Data aplikací\AskToolbar
2012-06-02 06:46 . 2012-04-27 08:20 137928 ----a-w- c:\windows\system32\drivers\avipbb.sys
2012-06-02 06:46 . 2012-04-24 22:32 83392 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2012-06-02 06:46 . 2012-04-16 19:18 36000 ----a-w- c:\windows\system32\drivers\avkmgr.sys
2012-06-02 06:46 . 2012-06-02 06:47 -------- d-----w- c:\documents and settings\All Users\Data aplikací\Avira
2012-06-02 06:46 . 2012-06-02 06:46 -------- d-----w- c:\program files\Avira
2012-05-30 17:14 . 2012-05-30 17:14 -------- d-----w- c:\program files\Microsoft Synchronization Services
2012-05-30 17:13 . 2012-05-30 17:13 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition
2012-05-30 17:13 . 2012-05-30 17:13 -------- d-----w- c:\documents and settings\All Users\Microsoft
2012-05-30 17:08 . 2012-05-30 17:08 -------- d-----w- c:\program files\Microsoft Analysis Services
2012-05-30 16:54 . 2008-04-14 06:53 299520 -c----w- c:\windows\system32\dllcache\drmclien.dll
2012-05-30 16:52 . 2008-04-13 22:10 10240 ------w- c:\windows\system32\drivers\sffp_mmc.sys
2012-05-30 11:59 . 2012-05-30 11:59 4966600 ----a-w- c:\program files\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}\components\SkypeFfComponent.dll
2012-05-25 17:42 . 2008-04-14 06:51 21504 ----a-w- c:\windows\system32\hidserv.dll
2012-05-25 17:42 . 2008-04-14 05:59 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2012-05-24 17:32 . 2001-08-17 19:47 12928 -c--a-w- c:\windows\system32\dllcache\dot4prt.sys
2012-05-24 17:32 . 2001-08-17 19:47 12928 ----a-w- c:\windows\system32\drivers\Dot4Prt.sys
2012-05-24 17:32 . 2001-10-24 09:43 23808 -c--a-w- c:\windows\system32\dllcache\dot4usb.sys
2012-05-24 17:32 . 2001-10-24 09:43 23808 ----a-w- c:\windows\system32\drivers\Dot4usb.sys
2012-05-24 17:32 . 2008-04-13 22:09 206976 ----a-w- c:\windows\system32\drivers\dot4.sys
2012-05-20 17:47 . 2012-05-20 17:47 -------- d-----w- c:\documents and settings\Bisovi\Data aplikací\OpenCandy
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-06-10 18:11 . 2012-04-02 17:55 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-06-10 18:11 . 2012-04-02 17:55 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-04-14 17:26 . 2012-04-02 15:32 24944 ----a-w- c:\windows\system32\drivers\GVTDrv.sys
2012-04-14 17:26 . 2012-04-02 16:54 17488 ----a-w- c:\windows\gdrv.sys
2012-04-14 14:59 . 2012-04-02 16:54 17488 ----a-w- c:\windows\etdrv.sys
2012-04-11 15:35 . 2012-04-11 15:35 441760 ----a-w- c:\windows\system32\drivers\timntr.sys
2012-04-11 15:35 . 2012-04-10 13:56 44384 ----a-w- c:\windows\system32\drivers\tifsfilt.sys
2012-04-11 15:35 . 2012-04-11 15:35 132224 ----a-w- c:\windows\system32\drivers\snapman.sys
2012-04-11 15:35 . 2012-04-10 13:56 368480 ----a-w- c:\windows\system32\drivers\tdrpman.sys
2012-04-11 13:33 . 2012-04-10 15:39 125472 ----a-w- c:\windows\system32\drivers\vididr.sys
2012-04-11 13:33 . 2012-04-11 13:33 83392 ----a-w- c:\windows\system32\drivers\vsflt53.sys
2012-04-10 16:41 . 2012-04-10 15:39 76768 ----a-w- c:\windows\system32\drivers\fltsrv.sys
2012-04-04 13:56 . 2012-04-03 16:32 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-04-02 19:20 . 2012-04-02 19:20 65536 ----a-r- c:\documents and settings\Bisovi\Data aplikací\Microsoft\Installer\{F428D0FB-765D-40EB-BDD8-A1E7F5C597FA}\Shortcut0.C3A146F5_4B48_11D5_A819_00B0D0428C0C.exe
2012-03-22 19:12 . 2012-03-22 19:12 4435968 ----a-w- c:\windows\system32\GPhotos.scr
2012-04-28 09:07 . 2012-04-02 17:01 97208 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2012-06-14_15.21.43 )))))))))))))))))))))))))))))))))))))))))
.
- 2001-10-25 12:00 . 2012-06-14 15:14 68156 c:\windows\system32\perfc009.dat
+ 2001-10-25 12:00 . 2012-06-17 16:38 68156 c:\windows\system32\perfc009.dat
- 2001-10-25 12:00 . 2012-06-14 15:14 79062 c:\windows\system32\perfc005.dat
+ 2001-10-25 12:00 . 2012-06-17 16:38 79062 c:\windows\system32\perfc005.dat
+ 2008-08-19 00:18 . 2008-08-19 00:18 77824 c:\windows\system32\fmcodec.DLL
+ 2001-10-25 12:00 . 2012-06-17 16:38 435260 c:\windows\system32\perfh009.dat
- 2001-10-25 12:00 . 2012-06-14 15:14 435260 c:\windows\system32\perfh009.dat
- 2001-10-25 12:00 . 2012-06-14 15:14 432004 c:\windows\system32\perfh005.dat
+ 2001-10-25 12:00 . 2012-06-17 16:38 432004 c:\windows\system32\perfh005.dat
+ 2012-06-17 16:51 . 2012-06-17 16:51 447488 c:\windows\Installer\151f8c.msi
+ 2012-06-17 16:49 . 2012-06-17 16:49 371272 c:\windows\Installer\{EE7257A2-39A2-4D2F-9DAC-F9F25B8AE1D8}\SkypeIcon.exe
+ 2012-06-17 16:49 . 2012-06-17 16:49 1259008 c:\windows\Installer\151f85.msi
+ 2012-06-17 16:49 . 2012-06-17 16:49 1648128 c:\windows\Installer\151f7e.msi
.
(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-11-16 139264]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-04-06 102400]
"RTHDCPL"="RTHDCPL.EXE" [2011-08-09 20055144]
"ZoneAlarm"="c:\program files\CheckPoint\ZoneAlarm\zatray.exe" [2012-03-19 73360]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe" [2002-11-05 188416]
"BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2012-05-01 348624]
"ISW"="c:\program files\CheckPoint\ZAForceField\ForceField.exe" [2012-03-16 738944]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2009-10-03 38768]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-04-04 462408]
"AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2012-06-07 500208]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]
.
c:\documents and settings\All Users\Nabídka Start\Programy\Po spuštění\
REALTEK 11n USB Wireless LAN Utility.lnk - c:\program files\Realtek\11n USB Wireless LAN Utility\RtWLan.exe [2012-6-9 937984]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLinkedConnections"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
2009-10-02 21:32 640376 ----a-w- c:\program files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2012-06-05 13:23 17344176 ----a-r- c:\program files\Skype\Phone\Skype.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"mnmsrvc"=3 (0x3)
"AdobeFlashPlayerUpdateSvc"=3 (0x3)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office14\\OUTLOOK.EXE"=
"c:\\Program Files\\Realtek\\11n USB Wireless LAN Utility\\RtWLan.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1542:TCP"= 1542:TCP:Realtek WPS TCP Prot
"1542:UDP"= 1542:UDP:Realtek WPS UDP Prot
"53:UDP"= 53:UDP:Realtek AP UDP Prot
.
R0 fltsrv;Acronis Storage Filter Management;c:\windows\system32\drivers\fltsrv.sys [10.4.2012 17:39 76768]
R0 vidsflt53;Acronis Disk Storage Filter (53);c:\windows\system32\drivers\vsflt53.sys [11.4.2012 15:33 83392]
R1 AppleCharger;AppleCharger;c:\windows\system32\drivers\AppleCharger.sys [2.4.2012 17:29 18544]
R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [2.6.2012 8:46 36000]
R2 AntiVirSchedulerService;Avira Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2.6.2012 8:46 86224]
R2 AntiVirWebService;Avira Web Protection;c:\program files\Avira\AntiVir Desktop\avwebgrd.exe [2.6.2012 8:46 465360]
R2 BBSvc;BingBar Service;c:\program files\Microsoft\BingBar\7.1.362.0\BBSvc.EXE [13.2.2012 21:19 193816]
R2 cpuz135;cpuz135;c:\windows\system32\drivers\cpuz135_x32.sys [25.4.2012 19:33 24328]
R2 ISWKL;ZoneAlarm LTD Toolbar ISWKL;c:\program files\CheckPoint\ZAForceField\ISWKL.sys [16.3.2012 18:06 27016]
R2 IswSvc;ZoneAlarm LTD Toolbar IswSvc;c:\program files\CheckPoint\ZAForceField\ISWSVC.exe [16.3.2012 18:07 497280]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [3.4.2012 18:32 654408]
R2 Skype C2C Service;Skype C2C Service;c:\documents and settings\All Users\Data aplikací\Skype\Toolbars\Skype C2C Service\c2c_service.exe [30.5.2012 13:56 3048136]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [3.4.2012 18:32 22344]
R3 RTL8192su;Realtek RTL8192SU Wireless LAN 802.11n USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8192su.sys [9.6.2012 10:21 602912]
R3 usbfilter;AMD USB Filter Driver;c:\windows\system32\drivers\usbfilter.sys [2.4.2012 18:18 30392]
S2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [5.6.2012 15:17 160944]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2.4.2012 18:44 1691480]
S3 androidusb;ADB Interface Driver;c:\windows\system32\drivers\androidusb.sys [11.4.2012 18:23 25728]
S3 AR9271;Wireless Network Adapter Service;c:\windows\system32\drivers\athuw.sys [14.5.2012 18:30 1714176]
S3 BBUpdate;BBUpdate;c:\program files\Microsoft\BingBar\7.1.362.0\SeaPort.EXE [13.2.2012 21:19 240408]
S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [10.4.2012 16:04 8704]
S3 etdrv;etdrv;c:\windows\etdrv.sys [2.4.2012 18:54 17488]
S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [10.4.2012 16:04 3072]
S3 L1c;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;c:\windows\system32\drivers\l1c51x86.sys [2.4.2012 17:39 75504]
S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [9.1.2010 21:37 4640000]
S3 WinDefend;Windows Defender;c:\windows\System32\svchost.exe -k secsvcs [25.10.2001 14:00 14336]
S3 zgwhsmdm;ZTE WCDMA Handset USB Modem;c:\windows\system32\drivers\zgwhsmdm.sys [11.4.2012 18:23 106752]
.
.
------- Doplňkový sken -------
.
uStart Page = hxxp://www.idnes.cz/
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xportovat do aplikace Microsoft Excel - c:\progra~1\MICROS~2\Office14\EXCEL.EXE/3000
IE: Převést cíl vazby do Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Převést do Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: Připojit cíl vazby k existujícímu PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Připojit k existujícímu PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
LSP: c:\program files\Avira\AntiVir Desktop\avsda.dll
TCP: DhcpNameServer = 109.108.107.106 109.108.109.108
TCP: Interfaces\{D25446CA-C0F1-4978-AAFA-8BE11186FF5B}: NameServer = 89.111.106.2,89.111.107.249
FF - ProfilePath - c:\documents and settings\Bisovi\Data aplikací\Mozilla\Firefox\Profiles\okm78hap.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.seznam.cz/
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.as ... ource=2&q=
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-06-17 19:50
Windows 5.1.2600 Service Pack 3 NTFS
.
skenování skrytých procesů ...
.
skenování skrytých položek 'Po spuštění' ...
.
skenování skrytých souborů ...
.
sken byl úspešně dokončen
skryté soubory: 0
.
**************************************************************************
.
--------------------- Knihovny navázané na běžící procesy ---------------------
.
- - - - - - - > 'winlogon.exe'(824)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\atiadlxx.dll
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
.
- - - - - - - > 'lsass.exe'(880)
c:\program files\Avira\AntiVir Desktop\avsda.dll
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
.
- - - - - - - > 'explorer.exe'(3544)
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Jiné spuštené procesy ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\windows\RTHDCPL.EXE
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\Avira\AntiVir Desktop\avshadow.exe
c:\windows\system32\wscntfy.exe
c:\program files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
.
**************************************************************************
.
Celkový čas: 2012-06-17 19:53:39 - počítač byl restartován
ComboFix-quarantined-files.txt 2012-06-17 17:53
ComboFix2.txt 2012-06-14 15:24
.
Před spuštěním: Volných bajtů: 45 086 593 024
Po spuštění: Volných bajtů: 45 175 697 408
.
- - End Of File - - 50E892F9C4CD1EDCB021070B9725A1F4
Nahoru
LaB
Level 3.5
Level 3.5
Příspěvky: 842
Registrován: duben 09
Pohlaví: Muž
Stav:
Offline

Re: Prosím o kontrolu logu

Příspěvekod LaB » 17 čer 2012 20:20

Nevím, jestli to je dobře, ale kašperský mi vyhodil tohle:

Results of system analysis
Kaspersky Virus Removal Tool 11.0.0.1245 (database released 14/06/2012; 10:07)

List of processes
File name PID Description Copyright MD5 Information
c:\program files\avira\antivir desktop\avguard.exe
Script: Quarantine, Delete, BC delete, Terminate 716 Avira On-Access Service © 2000 - 2011 Avira Operations GmbH & Co. KG and its Licensors ?? 107.45 kb, rsAh,
created: 02.06.2012 08:46:19,
modified: 02.05.2012 00:34:37
Command line:
"C:\Program Files\Avira\AntiVir Desktop\avguard.exe"
c:\program files\internet explorer\iexplore.exe
Script: Quarantine, Delete, BC delete, Terminate 2524 Internet Explorer © Microsoft Corporation. All rights reserved. ?? 623.84 kb, rsAh,
created: 02.04.2012 17:13:32,
modified: 08.03.2009 14:09:26
Command line:
c:\program files\realtek\11n usb wireless lan utility\rtwlan.exe
Script: Quarantine, Delete, BC delete, Terminate 2736 RtWLan ( For XP/2003) Application Copyright (C) 2003-2010 ?? 916.00 kb, rsAh,
created: 09.06.2012 10:21:23,
modified: 25.03.2010 21:14:30
Command line:
"C:\Program Files\Realtek\11n USB Wireless LAN Utility\RtWLan.exe" /H
Detected:45, recognized as trusted 45
Module name Handle Description Copyright MD5 Used by processes
C:\Program Files\Avira\AntiVir Desktop\aeexp.dll
Script: Quarantine, Delete, BC delete 32309248 Avira Engine Module for Windows Copyright © 2012 Avira Operations GmbH & Co. KG. All rights reserved. -- 716
C:\Program Files\Avira\AntiVir Desktop\aeoffice.dll
Script: Quarantine, Delete, BC delete 26083328 Avira Engine Module for Windows Copyright © 2012 Avira Operations GmbH & Co. KG. All rights reserved. -- 716
C:\Program Files\Avira\AntiVir Desktop\aesbx.dll
Script: Quarantine, Delete, BC delete 23724032 Avira Engine Module for Windows Copyright © 2012 Avira Operations GmbH & Co. KG. All rights reserved. -- 716
C:\Program Files\Avira\AntiVir Desktop\aescript.dll
Script: Quarantine, Delete, BC delete 22937600 Avira Engine Module for Windows Copyright © 2012 Avira Operations GmbH & Co. KG. All rights reserved. -- 716
C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.CZE
Script: Quarantine, Delete, BC delete 54919168 -- 2524
C:\Program Files\Realtek\11n USB Wireless LAN Utility\RtlLib.dll
Script: Quarantine, Delete, BC delete 5439488 RtlLib(Aegisp4.1) DLL Copyright (C) 2002-2010 -- 2736
Modules detected:629, recognized as trusted 623

Kernel Space Modules Viewer
Module Base address Size in memory Description Manufacturer
C:\ComboFix\catchme.sys
Script: Quarantine, Delete, BC delete BA420000 008000 (32768)
Combo-Fix.sys
Script: Quarantine, Delete, BC delete BA0F8000 00F000 (61440)
C:\WINDOWS\System32\Drivers\dump_atapi.sys
Script: Quarantine, Delete, BC delete A8406000 018000 (98304)
C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Script: Quarantine, Delete, BC delete BA606000 002000 (8192)
C:\WINDOWS\system32\Drivers\PROCEXP113.SYS
Script: Quarantine, Delete, BC delete BA624000 002000 (8192)
Modules detected - 140, recognized as trusted - 135

Services
Service Description Status File Group Dependencies
Detected - 103, recognized as trusted - 103

Drivers
Service Description Status File Group Dependencies
catchme
Driver: Unload, Delete, Disable, BC delete catchme Running C:\ComboFix\catchme.sys
Script: Quarantine, Delete, BC delete Base
Abiosdsk
Driver: Unload, Delete, Disable, BC delete Abiosdsk Not started Abiosdsk.sys
Script: Quarantine, Delete, BC delete Primary disk
abp480n5
Driver: Unload, Delete, Disable, BC delete abp480n5 Not started abp480n5.sys
Script: Quarantine, Delete, BC delete SCSI miniport
adpu160m
Driver: Unload, Delete, Disable, BC delete adpu160m Not started adpu160m.sys
Script: Quarantine, Delete, BC delete SCSI miniport
Aha154x
Driver: Unload, Delete, Disable, BC delete Aha154x Not started Aha154x.sys
Script: Quarantine, Delete, BC delete SCSI miniport
aic78u2
Driver: Unload, Delete, Disable, BC delete aic78u2 Not started aic78u2.sys
Script: Quarantine, Delete, BC delete SCSI miniport
aic78xx
Driver: Unload, Delete, Disable, BC delete aic78xx Not started aic78xx.sys
Script: Quarantine, Delete, BC delete SCSI miniport
AliIde
Driver: Unload, Delete, Disable, BC delete AliIde Not started AliIde.sys
Script: Quarantine, Delete, BC delete System Bus Extender
amsint
Driver: Unload, Delete, Disable, BC delete amsint Not started amsint.sys
Script: Quarantine, Delete, BC delete SCSI miniport
asc
Driver: Unload, Delete, Disable, BC delete asc Not started asc.sys
Script: Quarantine, Delete, BC delete SCSI miniport
asc3350p
Driver: Unload, Delete, Disable, BC delete asc3350p Not started asc3350p.sys
Script: Quarantine, Delete, BC delete SCSI miniport
asc3550
Driver: Unload, Delete, Disable, BC delete asc3550 Not started asc3550.sys
Script: Quarantine, Delete, BC delete SCSI miniport
Atdisk
Driver: Unload, Delete, Disable, BC delete Atdisk Not started Atdisk.sys
Script: Quarantine, Delete, BC delete Primary disk
cd20xrnt
Driver: Unload, Delete, Disable, BC delete cd20xrnt Not started cd20xrnt.sys
Script: Quarantine, Delete, BC delete SCSI miniport
Changer
Driver: Unload, Delete, Disable, BC delete Changer Not started Changer.sys
Script: Quarantine, Delete, BC delete Filter
CmdIde
Driver: Unload, Delete, Disable, BC delete CmdIde Not started CmdIde.sys
Script: Quarantine, Delete, BC delete System Bus Extender
Cpqarray
Driver: Unload, Delete, Disable, BC delete Cpqarray Not started Cpqarray.sys
Script: Quarantine, Delete, BC delete SCSI miniport
dac960nt
Driver: Unload, Delete, Disable, BC delete dac960nt Not started dac960nt.sys
Script: Quarantine, Delete, BC delete SCSI miniport
dpti2o
Driver: Unload, Delete, Disable, BC delete dpti2o Not started dpti2o.sys
Script: Quarantine, Delete, BC delete SCSI miniport
hpn
Driver: Unload, Delete, Disable, BC delete hpn Not started hpn.sys
Script: Quarantine, Delete, BC delete SCSI miniport
hpt3xx
Driver: Unload, Delete, Disable, BC delete hpt3xx Not started hpt3xx.sys
Script: Quarantine, Delete, BC delete SCSI miniport
i2omgmt
Driver: Unload, Delete, Disable, BC delete i2omgmt Not started i2omgmt.sys
Script: Quarantine, Delete, BC delete SCSI Class
i2omp
Driver: Unload, Delete, Disable, BC delete i2omp Not started i2omp.sys
Script: Quarantine, Delete, BC delete SCSI miniport
ini910u
Driver: Unload, Delete, Disable, BC delete ini910u Not started ini910u.sys
Script: Quarantine, Delete, BC delete SCSI miniport
IntelIde
Driver: Unload, Delete, Disable, BC delete IntelIde Not started IntelIde.sys
Script: Quarantine, Delete, BC delete System Bus Extender
lbrtfdc
Driver: Unload, Delete, Disable, BC delete lbrtfdc Not started lbrtfdc.sys
Script: Quarantine, Delete, BC delete System Bus Extender
mraid35x
Driver: Unload, Delete, Disable, BC delete mraid35x Not started mraid35x.sys
Script: Quarantine, Delete, BC delete SCSI miniport
PCIDump
Driver: Unload, Delete, Disable, BC delete PCIDump Not started PCIDump.sys
Script: Quarantine, Delete, BC delete PCI Configuration
PDCOMP
Driver: Unload, Delete, Disable, BC delete PDCOMP Not started PDCOMP.sys
Script: Quarantine, Delete, BC delete
PDFRAME
Driver: Unload, Delete, Disable, BC delete PDFRAME Not started PDFRAME.sys
Script: Quarantine, Delete, BC delete
PDRELI
Driver: Unload, Delete, Disable, BC delete PDRELI Not started PDRELI.sys
Script: Quarantine, Delete, BC delete
PDRFRAME
Driver: Unload, Delete, Disable, BC delete PDRFRAME Not started PDRFRAME.sys
Script: Quarantine, Delete, BC delete
perc2
Driver: Unload, Delete, Disable, BC delete perc2 Not started perc2.sys
Script: Quarantine, Delete, BC delete SCSI miniport
perc2hib
Driver: Unload, Delete, Disable, BC delete perc2hib Not started perc2hib.sys
Script: Quarantine, Delete, BC delete Filter
ql1080
Driver: Unload, Delete, Disable, BC delete ql1080 Not started ql1080.sys
Script: Quarantine, Delete, BC delete SCSI miniport
Ql10wnt
Driver: Unload, Delete, Disable, BC delete Ql10wnt Not started Ql10wnt.sys
Script: Quarantine, Delete, BC delete SCSI miniport
ql12160
Driver: Unload, Delete, Disable, BC delete ql12160 Not started ql12160.sys
Script: Quarantine, Delete, BC delete SCSI miniport
ql1240
Driver: Unload, Delete, Disable, BC delete ql1240 Not started ql1240.sys
Script: Quarantine, Delete, BC delete SCSI miniport
ql1280
Driver: Unload, Delete, Disable, BC delete ql1280 Not started ql1280.sys
Script: Quarantine, Delete, BC delete SCSI miniport
Simbad
Driver: Unload, Delete, Disable, BC delete Simbad Not started Simbad.sys
Script: Quarantine, Delete, BC delete Filter
Sparrow
Driver: Unload, Delete, Disable, BC delete Sparrow Not started Sparrow.sys
Script: Quarantine, Delete, BC delete SCSI miniport
sym_hi
Driver: Unload, Delete, Disable, BC delete sym_hi Not started sym_hi.sys
Script: Quarantine, Delete, BC delete SCSI miniport
sym_u3
Driver: Unload, Delete, Disable, BC delete sym_u3 Not started sym_u3.sys
Script: Quarantine, Delete, BC delete SCSI miniport
symc810
Driver: Unload, Delete, Disable, BC delete symc810 Not started symc810.sys
Script: Quarantine, Delete, BC delete SCSI miniport
symc8xx
Driver: Unload, Delete, Disable, BC delete symc8xx Not started symc8xx.sys
Script: Quarantine, Delete, BC delete SCSI miniport
TosIde
Driver: Unload, Delete, Disable, BC delete TosIde Not started TosIde.sys
Script: Quarantine, Delete, BC delete System Bus Extender
ultra
Driver: Unload, Delete, Disable, BC delete ultra Not started ultra.sys
Script: Quarantine, Delete, BC delete SCSI miniport
ViaIde
Driver: Unload, Delete, Disable, BC delete ViaIde Not started ViaIde.sys
Script: Quarantine, Delete, BC delete System Bus Extender
WDICA
Driver: Unload, Delete, Disable, BC delete WDICA Not started WDICA.sys
Script: Quarantine, Delete, BC delete
Detected - 211, recognized as trusted - 162

Autoruns
File name Status Startup method Description
C:\Documents and Settings\Bisovi\Local Settings\Temp\_uninst_08185572.bat
Script: Quarantine, Delete, BC delete Active Shortcut in Autoruns folder C:\Documents and Settings\Bisovi\Nabнdka Start\Programy\Po spuљtмnн\, C:\Documents and Settings\Bisovi\Nabнdka Start\Programy\Po spuљtмnн\_uninst_08185572.lnk,
C:\Documents and Settings\Bisovi\Local Settings\Temp\{7AE68443-1395-4555-AD38-4125FF4BBBE5}\fsgk.sys
Script: Quarantine, Delete, BC delete -- Registry key HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\F-Secure Gatekeeper, EventMessageFile
C:\Program Files\Common Files\Adobe\OOBE\PDApp\DWA\resources\libraries\EventMessages.dll
Script: Quarantine, Delete, BC delete -- Registry key HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\Adobe Setup, EventMessageFile
C:\Program Files\Common Files\soft602\602updsvc\602updsvc.exe
Script: Quarantine, Delete, BC delete -- Registry key HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\602XML Updater, EventMessageFile
C:\Program Files\\Windows Defender\mpsvc.dll
Script: Quarantine, Delete, BC delete Active Registry key HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\WinDefend\Parameters, ServiceDll
Delete
C:\WINDOWS\System32\Drivers\AliIde.sys
Script: Quarantine, Delete, BC delete -- Registry key HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\aliide, EventMessageFile
C:\WINDOWS\System32\Drivers\CmdIde.sys
Script: Quarantine, Delete, BC delete -- Registry key HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\cmdide, EventMessageFile
C:\WINDOWS\System32\Drivers\IntelIde.sys
Script: Quarantine, Delete, BC delete -- Registry key HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\intelide, EventMessageFile
C:\WINDOWS\System32\Drivers\TosIde.sys
Script: Quarantine, Delete, BC delete -- Registry key HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\toside, EventMessageFile
C:\WINDOWS\System32\Drivers\ViaIde.sys
Script: Quarantine, Delete, BC delete -- Registry key HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\viaide, EventMessageFile
C:\WINDOWS\System32\Drivers\lbrtfdc.sys
Script: Quarantine, Delete, BC delete -- Registry key HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\lbrtfdc, EventMessageFile
C:\WINDOWS\System32\PrintFilterPipelineSvc.exe
Script: Quarantine, Delete, BC delete -- Registry key HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\PrintFilterPipelineSvc, EventMessageFile
C:\WINDOWS\System32\igmpv2.dll
Script: Quarantine, Delete, BC delete -- Registry key HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\IGMPv2, EventMessageFile
C:\WINDOWS\System32\ipbootp.dll
Script: Quarantine, Delete, BC delete -- Registry key HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\IPBOOTP, EventMessageFile
C:\WINDOWS\System32\iprip2.dll
Script: Quarantine, Delete, BC delete -- Registry key HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\IPRIP2, EventMessageFile
C:\WINDOWS\System32\mspmspsv.dll
Script: Quarantine, Delete, BC delete -- Registry key HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\WmdmPmSp, EventMessageFile
C:\WINDOWS\System32\ospf.dll
Script: Quarantine, Delete, BC delete -- Registry key HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\OSPF, EventMessageFile
C:\WINDOWS\System32\ospfmib.dll
Script: Quarantine, Delete, BC delete -- Registry key HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\OSPFMib, EventMessageFile
C:\WINDOWS\System32\polagent.dll
Script: Quarantine, Delete, BC delete -- Registry key HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\PolicyAgent, EventMessageFile
C:\WINDOWS\System32\tssdis.exe
Script: Quarantine, Delete, BC delete -- Registry key HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\TermServSessDir, EventMessageFile
C:\WINDOWS\system32\AegisE5.dll
Script: Quarantine, Delete, BC delete -- Registry key HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\AegisP, EventMessageFile
C:\WINDOWS\system32\MsSip1.dll
Script: Quarantine, Delete, BC delete Active Registry key HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\WinTrust\SubjectPackages\MS Subjects 1, $DLL
Delete
C:\WINDOWS\system32\MsSip2.dll
Script: Quarantine, Delete, BC delete Active Registry key HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\WinTrust\SubjectPackages\MS Subjects 2, $DLL
Delete
C:\WINDOWS\system32\MsSip3.dll
Script: Quarantine, Delete, BC delete Active Registry key HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\WinTrust\SubjectPackages\MS Subjects 3, $DLL
Delete
C:\WINDOWS\system32\psxss.exe
Script: Quarantine, Delete, BC delete -- Registry key HKEY_LOCAL_MACHINE, System\CurrentControlSet\Control\Session Manager\SubSystems, Posix
C:\WINDOWS\system32\stisvc.exe
Script: Quarantine, Delete, BC delete -- Registry key HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System, EventMessageFile
deskpan.dll
Script: Quarantine, Delete, BC delete Active Registry key HKEY_LOCAL_MACHINE, Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved, {42071714-76d4-11d1-8b24-00a0c9068ff3}
Delete
kbd101.dll
Script: Quarantine, Delete, BC delete Active Registry key HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\i8042prt\Parameters, LayerDriver JPN
Delete
kbd101a.dll
Script: Quarantine, Delete, BC delete Active Registry key HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\i8042prt\Parameters, LayerDriver KOR
Delete
mvfs32.dll
Script: Quarantine, Delete, BC delete Active Registry key HKEY_USERS, .DEFAULT\Control Panel\IOProcs, MVB
Delete
mvfs32.dll
Script: Quarantine, Delete, BC delete Active Registry key HKEY_USERS, S-1-5-19\Control Panel\IOProcs, MVB
Delete
mvfs32.dll
Script: Quarantine, Delete, BC delete Active Registry key HKEY_USERS, S-1-5-20\Control Panel\IOProcs, MVB
Delete
mvfs32.dll
Script: Quarantine, Delete, BC delete Active Registry key HKEY_USERS, S-1-5-18\Control Panel\IOProcs, MVB
Delete
mvfs32.dll
Script: Quarantine, Delete, BC delete Active Registry key HKEY_USERS, S-1-5-21-1547161642-117609710-839522115-1003\Control Panel\IOProcs, MVB
Delete
vgafix.fon
Script: Quarantine, Delete, BC delete Active Registry key HKEY_LOCAL_MACHINE, Software\Microsoft\Windows NT\CurrentVersion\WOW\boot, fixedfon.fon
Delete
vgaoem.fon
Script: Quarantine, Delete, BC delete Active Registry key HKEY_LOCAL_MACHINE, Software\Microsoft\Windows NT\CurrentVersion\WOW\boot, oemfonts.fon
Delete
vgasys.fon
Script: Quarantine, Delete, BC delete Active Registry key HKEY_LOCAL_MACHINE, Software\Microsoft\Windows NT\CurrentVersion\WOW\boot, fonts.fon
Delete
Autoruns items detected - 856, recognized as trusted - 819

Microsoft Internet Explorer extension modules (BHOs, Toolbars ...)
File name Type Description Manufacturer CLSID
Explorer Bar {32683183-48a0-441b-a342-7c2a440a9478}
Delete
Elements detected - 9, recognized as trusted - 8

Windows Explorer extension modules
File name Destination Description Manufacturer CLSID
deskpan.dll
Script: Quarantine, Delete, BC delete Rozљншenн panelu Zobrazenн pro panoramatickй zobrazenн {42071714-76d4-11d1-8b24-00a0c9068ff3}
Delete
Rozљншenн prostшedн pro kompresi souborщ {764BF0E1-F219-11ce-972D-00AA00A14F56}
Delete
Kontextovб nabнdka љifrovбnн {853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}
Delete
Hlavnн panel a nabнdka Start {0DF44EAA-FF21-4412-828E-260A8728E7F1}
Delete
Media Band {32683183-48a0-441b-a342-7c2a440a9478}
Delete
Uћivatelskй ъиty {7A9D77BD-5403-11d2-8785-2E0420524153}
Delete
Elements detected - 218, recognized as trusted - 212

Printing system extensions (print monitors, providers)
File name Type Name Description Manufacturer
Elements detected - 10, recognized as trusted - 10

Task Scheduler jobs
File name Job name Job status Description Manufacturer
Elements detected - 0, recognized as trusted - 0

SPI/LSP settings
Namespace providers (NSP) Provider Status EXE file Description GUID
Detected - 3, recognized as trusted - 3
Transport protocol providers (TSP, LSP) Provider EXE file Description
Detected - 24, recognized as trusted - 24
Results of automatic SPI settings check LSP settings checked. No errors detected


TCP/UDP ports
Port Status Remote Host Remote Port Application Notes
TCP ports
135 LISTENING 0.0.0.0 0 [1128] c:\windows\system32\svchost.exe
Script: Quarantine, Delete, BC delete, Terminate
139 LISTENING 0.0.0.0 2276 [4] System
Script: Quarantine, Delete, BC delete, Terminate
445 LISTENING 0.0.0.0 246 [4] System
Script: Quarantine, Delete, BC delete, Terminate
1031 LISTENING 0.0.0.0 0 [1908] c:\windows\system32\alg.exe
Script: Quarantine, Delete, BC delete, Terminate
1726 TIME_WAIT 157.56.229.75 80 [0]
1729 TIME_WAIT 65.55.239.168 80 [0]
1731 TIME_WAIT 65.55.100.9 443 [0]
44080 LISTENING 0.0.0.0 0 [3212] c:\program files\avira\antivir desktop\avwebgrd.exe
Script: Quarantine, Delete, BC delete, Terminate
44081 LISTENING 0.0.0.0 0 [3212] c:\program files\avira\antivir desktop\avwebgrd.exe
Script: Quarantine, Delete, BC delete, Terminate
UDP ports
123 LISTENING -- -- [1168] c:\windows\system32\svchost.exe
Script: Quarantine, Delete, BC delete, Terminate
123 LISTENING -- -- [1168] c:\windows\system32\svchost.exe
Script: Quarantine, Delete, BC delete, Terminate
137 LISTENING -- -- [4] System
Script: Quarantine, Delete, BC delete, Terminate
138 LISTENING -- -- [4] System
Script: Quarantine, Delete, BC delete, Terminate
445 LISTENING -- -- [4] System
Script: Quarantine, Delete, BC delete, Terminate
500 LISTENING -- -- [880] c:\windows\system32\lsass.exe
Script: Quarantine, Delete, BC delete, Terminate
1025 LISTENING -- -- [1268] c:\windows\system32\svchost.exe
Script: Quarantine, Delete, BC delete, Terminate
1074 LISTENING -- -- [2524] c:\program files\internet explorer\iexplore.exe
Script: Quarantine, Delete, BC delete, Terminate
1087 LISTENING -- -- [1268] c:\windows\system32\svchost.exe
Script: Quarantine, Delete, BC delete, Terminate
1088 LISTENING -- -- [1268] c:\windows\system32\svchost.exe
Script: Quarantine, Delete, BC delete, Terminate
1105 LISTENING -- -- [1268] c:\windows\system32\svchost.exe
Script: Quarantine, Delete, BC delete, Terminate
1197 LISTENING -- -- [1268] c:\windows\system32\svchost.exe
Script: Quarantine, Delete, BC delete, Terminate
1900 LISTENING -- -- [1296] c:\windows\system32\svchost.exe
Script: Quarantine, Delete, BC delete, Terminate
1900 LISTENING -- -- [1296] c:\windows\system32\svchost.exe
Script: Quarantine, Delete, BC delete, Terminate
4500 LISTENING -- -- [880] c:\windows\system32\lsass.exe
Script: Quarantine, Delete, BC delete, Terminate

Downloaded Program Files (DPF)
File name Description Manufacturer CLSID Source URL
Elements detected - 0, recognized as trusted - 0

Control Panel Applets (CPL)
File name Description Manufacturer
Elements detected - 28, recognized as trusted - 28

Active Setup
File name Description Manufacturer CLSID
Elements detected - 15, recognized as trusted - 15

HOSTS file
Hosts file record
127.0.0.1 localhost


Clear Hosts file

Protocols and handlers
File name Type Description Manufacturer CLSID
mscoree.dll
Script: Quarantine, Delete, BC delete Protocol Microsoft .NET Runtime Execution Engine () © Microsoft Corporation. All rights reserved. {1E66F26B-79EE-11D2-8710-00C04F79ED0D}
Delete
mscoree.dll
Script: Quarantine, Delete, BC delete Protocol Microsoft .NET Runtime Execution Engine () © Microsoft Corporation. All rights reserved. {1E66F26B-79EE-11D2-8710-00C04F79ED0D}
Delete
mscoree.dll
Script: Quarantine, Delete, BC delete Protocol Microsoft .NET Runtime Execution Engine () © Microsoft Corporation. All rights reserved. {1E66F26B-79EE-11D2-8710-00C04F79ED0D}
Delete
Elements detected - 32, recognized as trusted - 29

Suspicious objects
File Description Type
C:\WINDOWS\System32\vsdatant.sys
Script: Quarantine, Delete, BC delete Suspicion for Rootkit Kernel-mode hook


--------------------------------------------------------------------------------

Main script of analysis
Windows version: Microsoft Windows XP, Build=2600, SP="Service Pack 3"
System Restore: enabled
1.1 Searching for user-mode API hooks
Analysis: kernel32.dll, export table found in section .text
Function kernel32.dll:OpenProcess (632) intercepted, method APICodeHijack.JmpTo[20CB8462]
IAT modification detected: CreateProcessA - 00ED0010<>7C80236B
IAT modification detected: GetModuleFileNameA - 00ED0080<>7C80B55F
IAT modification detected: FreeLibrary - 00ED00F0<>7C80AC6E
IAT modification detected: GetModuleFileNameW - 00ED0160<>7C80B465
IAT modification detected: CreateProcessW - 00ED01D0<>7C802336
IAT modification detected: LoadLibraryW - 00ED02B0<>7C80AEDB
IAT modification detected: LoadLibraryA - 00ED0320<>7C801D7B
IAT modification detected: GetProcAddress - 00ED0390<>7C80AE30
Analysis: ntdll.dll, export table found in section .text
Function ntdll.dll:NtAccessCheckByType (89) intercepted, method APICodeHijack.JmpTo[20CB8787]
Function ntdll.dll:NtImpersonateClientOfPort (178) intercepted, method APICodeHijack.JmpTo[20CB8D4E]
Function ntdll.dll:NtSetInformationProcess (319) intercepted, method APICodeHijack.JmpTo[20CB89A1]
Function ntdll.dll:ZwAccessCheckByType (899) intercepted, method APICodeHijack.JmpTo[20CB8787]
Function ntdll.dll:ZwImpersonateClientOfPort (987) intercepted, method APICodeHijack.JmpTo[20CB8D4E]
Function ntdll.dll:ZwSetInformationProcess (1128) intercepted, method APICodeHijack.JmpTo[20CB89A1]
Analysis: user32.dll, export table found in section .text
Function user32.dll:FindWindowA (228) intercepted, method APICodeHijack.JmpTo[20CB8285]
Function user32.dll:FindWindowW (231) intercepted, method APICodeHijack.JmpTo[20CB8250]
Analysis: advapi32.dll, export table found in section .text
Function advapi32.dll:ImpersonateNamedPipeClient (304) intercepted, method APICodeHijack.JmpTo[20CB8E53]
Function advapi32.dll:SetThreadToken (573) intercepted, method APICodeHijack.JmpTo[20CB902C]
Analysis: ws2_32.dll, export table found in section .text
Analysis: wininet.dll, export table found in section .text
Analysis: rasapi32.dll, export table found in section .text
Analysis: urlmon.dll, export table found in section .text
Analysis: netapi32.dll, export table found in section .text
1.2 Searching for kernel-mode API hooks
Driver loaded successfully
SDT found (RVA=085700)
Kernel ntkrnlpa.exe found in memory at address 804D7000
SDT = 8055C700
KiST = 80504450 (284)
Functions checked: 284, intercepted: 0, restored: 0
1.3 Checking IDT and SYSENTER
Analysis for CPU 1
Analysis for CPU 2
CmpCallCallBacks = 00093D84
Disable callback - уже нейтирализованы
Checking IDT and SYSENTER - complete
1.4 Searching for masking processes and drivers
Checking not performed: extended monitoring driver (AVZPM) is not installed
1.5 Checking of IRP handlers
Driver loaded successfully
\driver\tcpip[IRP_MJ_CREATE] = A868BF5E -> C:\WINDOWS\System32\vsdatant.sys, driver recognized as trusted
\driver\tcpip[IRP_MJ_CLOSE] = A868BF5E -> C:\WINDOWS\System32\vsdatant.sys, driver recognized as trusted
\driver\tcpip[IRP_MJ_DEVICE_CONTROL] = A868BF5E -> C:\WINDOWS\System32\vsdatant.sys, driver recognized as trusted
\driver\tcpip[IRP_MJ_INTERNAL_DEVICE_CONTROL] = A868BF5E -> C:\WINDOWS\System32\vsdatant.sys, driver recognized as trusted
\driver\tcpip[IRP_MJ_CLEANUP] = A868BF5E -> C:\WINDOWS\System32\vsdatant.sys, driver recognized as trusted
Checking - complete
>> Services: potentially dangerous service allowed: RemoteRegistry (Vzdбlenэ registr)
>> Services: potentially dangerous service allowed: TermService (Terminбlovб sluћba)
>> Services: potentially dangerous service allowed: SSDPSRV (Sluћba rozpoznбvбnн pomocн protokolu SSDP)
>> Services: potentially dangerous service allowed: TlntSvr (Telnet)
>> Services: potentially dangerous service allowed: Schedule (Plбnovaи ъloh)
>> Services: potentially dangerous service allowed: RDSessMgr (Sprбvce relacн nбpovмdy ke vzdбlenй ploљe)
> Services: please bear in mind that the set of services depends on the use of the PC (home PC, office PC connected to corporate network, etc)!
>> Security: disk drives' autorun is enabled
>> Security: administrative shares (C$, D$ ...) are enabled
>> Security: anonymous user access is enabled
>> Disable HDD autorun
>> Disable autorun from network drives
>> Disable CD/DVD autorun
>> Disable removable media autorun
>> Windows Explorer - show extensions of known file types
System Analysis in progress
System Analysis - complete

Script commands
Add commands to script:Blocking hooks using Anti-RootkitEnable AVZGuardOperations with AVZPM (true=enable,false=disable)BootCleaner - import list of deleted filesBootCleaner - import allRegistry cleanup after deleting filesExecuteWizard ('TSW',2,3,true) - Running Troubleshooting wizardBootCleaner - activateRebootInsert template for QuarantineFile() - quarantining fileInsert template for BC_QrFile() - quarantining file via BootCleanerInsert template for DeleteFile() - deleting fileInsert template for DelCLSID() - deleting CLSID item from registryAdditional operations:Performance tweaking: disable service RemoteRegistry (Vzdбlenэ registr)Performance tweaking: disable service TermService (Terminбlovб sluћba)Performance tweaking: disable service SSDPSRV (Sluћba rozpoznбvбnн pomocн protokolu SSDP)Performance tweaking: disable service TlntSvr (Telnet)Performance tweaking: disable service Schedule (Plбnovaи ъloh)Performance tweaking: disable service RDSessMgr (Sprбvce relacн nбpovмdy ke vzdбlenй ploљe)Security tweaking: disable CD autorunSecurity tweaking: disable administrative sharesSecurity tweaking: disable anonymous user access--------------------------------------------------------------------------------
File list
Nahoru
Uživatelský avatar
jaro3
člen Security týmu
Guru Level 15
Guru Level 15
Příspěvky: 43298
Registrován: červen 07
Bydliště: Jižní Čechy
Pohlaví: Muž
Stav:
Offline

Re: Prosím o kontrolu logu

Příspěvekod jaro3 » 17 čer 2012 23:31

ComboFix se odinstaluje takto:
Start-Spustit a zadej ComboFix /Uninstall

Vyčisti systém CCleanerem
a použij i T-Cleaner
smaže vše po Combu,MWAVu atd.-stáhneš>spustíš

pozn. před stažením T-Cleaneru a po dobu čištění deaktivuj antivir a antispyware ,následně T-Cleaner smaž a zapni si znovu antivir a antispyware.


Jak to vypadá nyní? Dost se toho smazalo v AVP..

c:\documents and settings\Bisovi\Local Settings\Data aplikací\CRE
c:\documents and settings\Bisovi\Local Settings\Data aplikací\Conduit
Smaž ručně tyto zvýrazněné složky.
Při práci s programy HJT, ComboFix,MbAM, SDFix aj. zavřete všechny ostatní aplikace a prohlížeče!
Neposílejte logy do soukromých zpráv.Po dobu mé nepřítomnosti mě zastupuje memphisto , Žbeky a Orcus.
Pokud budete spokojeni , můžete podpořit naše forum:Podpora fóra
Nahoru
Zamčeno

Zpět na “HiJackThis”

Kdo je online

Uživatelé prohlížející si toto fórum: Žádní registrovaní uživatelé a 63 hostů