Automaticke zmeny hesel

[TomZ]

Neco mi automaticky meni hesla - centrum mail, gmail, facebook.
Kdyz se to stalo poprve, zmenil jsem vsechny tyto hesla, takze mam jistotu, ze je nidko jiny nezna. Do danych mailu jsem pristupoval pouze z tohoto pc. Nicmene rano opet se mi samo zmenilo heslo u centrum mail.
Podezreni, ze neco odesila informace o tom co delam nejakemu robotovi/clovekovi.
EDIT: mam ulozena hesla v opere. Ovsem po prvni zmene hesla na centrum mail jsem jiz nove heslo neukladala a vkladal pouze rucne.
Dekuji





Logfile of random's system information tool 1.09 (written by random/random)
Run by Karcoollka at 2012-08-15 08:58:09
Microsoft Windows 7 Professional Service Pack 1
System drive C: has 177 GB (78%) free of 226 GB
Total RAM: 3003 MB (59% free)

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 8:58:18, on 15.8.2012
Platform: Windows 7 SP1 (WinNT 6.00.3505)
MSIE: Internet Explorer v9.00 (9.00.8112.16447)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskhost.exe
C:\Windows\Explorer.EXE
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Vodafone\Vodafone Mobile Connect\Bin\MobileConnect.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Windows\system32\igfxsrvc.exe
C:\Users\Karcoollka\AppData\Roaming\Google\Google Talk\googletalk.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Opera\opera.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Opera\pluginwrapper\opera_plugin_wrapper.exe
C:\Users\Karcoollka\AppData\Local\Google\Google Talk Plugin\googletalkplugin.exe
C:\Program Files\Opera\pluginwrapper\opera_plugin_wrapper.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Software - instalace\Antivirus\RSIT.exe
C:\Program Files\trend micro\Karcoollka.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qip.ru
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://search.qip.ru
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.qip.ru/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.qip.ru
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.cz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.qip.ru/ie
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: QIPBHO - {95289393-33EA-4F8D-B952-483415B9C955} - C:\Users\Karcoollka\AppData\Roaming\Microsoft\Internet Explorer\qipsearchbar.dll
O2 - BHO: SkypeIEPluginBHO - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O4 - HKLM\..\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
O4 - HKLM\..\Run: [VirtualCloneDrive] "C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [MobileConnect] %programfiles%\Vodafone\Vodafone Mobile Connect\Bin\MobileConnect.exe /silent
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKCU\..\Run: [Google Update] "C:\Users\Karcoollka\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [googletalk] C:\Users\Karcoollka\AppData\Roaming\Google\Google Talk\googletalk.exe /autostart
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O8 - Extra context menu item: E&xportovat do aplikace Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Odeslat do aplikace OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: Od&eslat do aplikace OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Skype Click to Call - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Acrobat Update Service (AdobeARMservice) - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: Skype C2C Service - Skype Technologies S.A. - C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe
O23 - Service: Skype Updater (SkypeUpdate) - Skype Technologies - C:\Program Files\Skype\Updater\Updater.exe
O23 - Service: Vodafone Mobile Connect Service (VMCService) - Vodafone - C:\Program Files\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe

--
End of file - 7608 bytes

======Scheduled tasks folder======

C:\Windows\tasks\Adobe Flash Player Updater.job
C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-4253506702-3322326859-3136526999-1000Core.job
C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-4253506702-3322326859-3136526999-1000UA.job

=========Mozilla firefox=========

ProfilePath - C:\Users\Karcoollka\AppData\Roaming\Mozilla\Firefox\Profiles\m1ipysh2.default

prefs.js - "browser.search.useDBForOrder" - true
prefs.js - "browser.startup.homepage" - "http://search.babylon.com/?affID=111304 ... 1e6405d8a2"
prefs.js - "keyword.URL" - "http://search.babylon.com/?affID=111304 ... 405d8a2&q="

[HKEY_LOCAL_MACHINE\SOFTWARE\MozillaPlugins\@adobe.com/FlashPlayer]
"Description"=Adobe® Flash® Player 11.3.300.270 Plugin
"Path"=C:\Windows\system32\Macromed\Flash\NPSWF32_11_3_300_270.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\MozillaPlugins\@microsoft.com/GENUINE]
"Description"=
"Path"=disabled

[HKEY_LOCAL_MACHINE\SOFTWARE\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0]
"Description"=Ag Player Plugin
"Path"=c:\Program Files\Microsoft Silverlight\5.1.10411.0\npctrl.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\MozillaPlugins\Adobe Reader]
"Description"=Handles PDFs in-place in Firefox
"Path"=C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll

C:\Program Files\Mozilla Firefox\extensions\
talkback@mozilla.org
{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}
{972ce4c6-7e08-4474-a285-3208198ce6fd}

C:\Program Files\Mozilla Firefox\components\
AskHPRFF.js
browser.xpt
FeedConverter.js
FeedProcessor.js
FeedWriter.js
jar50.dll
jsconsole-clhandler.js
jsd3250.dll
myspell.dll
nsBookmarkTransactionManager.js
nsBrowserContentHandler.js
nsBrowserGlue.js
nsCloseAllWindows.js
nsDictionary.js
nsExtensionManager.js
nsHelperAppDlg.js
nsMicrosummaryService.js
nsPostUpdateWin.js
nsProxyAutoConfig.js
nsSafebrowsingApplication.js
nsSearchService.js
nsSearchSuggestions.js
nsSessionStartup.js
nsSessionStore.js
nsSetDefaultBrowser.js
nsSidebar.js
nsUpdateService.js
nsUrlClassifierLib.js
nsUrlClassifierListManager.js
nsUrlClassifierTable.js
nsURLFormatter.js
nsXmlRpcClient.js
spellchk.dll
WebContentConverter.js
xpinstal.dll

C:\Program Files\Mozilla Firefox\plugins\
npnul32.dll
NPOFF12.DLL
nppdf32.dll

C:\Program Files\Mozilla Firefox\searchplugins\
babylon.xml
centrum-cz.xml
google.xml
jyxo-cz.xml
mall-cz.xml
seznam-cz.xml
slunecnice-cz.xml

C:\Users\Karcoollka\AppData\Roaming\Mozilla\Firefox\Profiles\m1ipysh2.default\extensions\
ffxtlbr@babylon.com
{32a1fd71-835e-4b11-8e54-886fda0b4c89}

C:\Users\Karcoollka\AppData\Roaming\Mozilla\Firefox\Profiles\m1ipysh2.default\searchplugins\
askcom.xml
qip-search.xml

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
Adobe PDF Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2011-06-06 63912]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
Spybot-S&D IE Protection - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll [2009-01-26 1879896]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}]
Groove GFS Browser Helper - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll [2009-02-26 2217832]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{95289393-33EA-4F8D-B952-483415B9C955}]
QIPBHO Class - C:\Users\Karcoollka\AppData\Roaming\Microsoft\Internet Explorer\qipsearchbar.dll [2010-12-23 141184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}]
Skype Browser Helper - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll [2012-07-05 4018888]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"MSC"=c:\Program Files\Microsoft Security Client\msseces.exe [2012-03-26 931200]
"VirtualCloneDrive"=C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe [2011-03-07 89456]
"GrooveMonitor"=C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe [2009-02-26 30040]
"MobileConnect"=C:\Program Files\Vodafone\Vodafone Mobile Connect\Bin\MobileConnect.exe [2009-09-18 2412032]
"IgfxTray"=C:\Windows\system32\igfxtray.exe [2009-09-02 135168]
"HotKeysCmds"=C:\Windows\system32\hkcmd.exe [2009-09-02 167424]
"Persistence"=C:\Windows\system32\igfxpers.exe [2009-09-02 144384]
"Adobe ARM"=C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2011-06-06 937920]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Google Update"=C:\Users\Karcoollka\AppData\Local\Google\Update\GoogleUpdate.exe [2012-06-22 116648]
"OEXPRESS"= []
"googletalk"=C:\Users\Karcoollka\AppData\Roaming\Google\Google Talk\googletalk.exe [2007-01-01 3739648]
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe [2009-01-26 2144088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\Windows\system32\igfxdev.dll [2009-09-02 217088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED}

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{B5A7F190-DDA6-4420-B3BA-52453494E6CD}"=C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll [2009-02-26 2217832]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"=credssp.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\AFD]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\MsMpSvc]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"ConsentPromptBehaviorAdmin"=5
"ConsentPromptBehaviorUser"=3
"EnableUIADesktopToggle"=0
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32]
"vidc.mrle"=msrle32.dll
"vidc.msvc"=msvidc32.dll
"msacm.imaadpcm"=imaadp32.acm
"msacm.msg711"=msg711.acm
"msacm.msgsm610"=msgsm32.acm
"msacm.msadpcm"=msadp32.acm
"midimapper"=midimap.dll
"wavemapper"=msacm32.drv
"VIDC.UYVY"=msyuv.dll
"VIDC.YUY2"=msyuv.dll
"VIDC.YVYU"=msyuv.dll
"VIDC.IYUV"=iyuv_32.dll
"vidc.i420"=iyuv_32.dll
"VIDC.YVU9"=tsbyuv.dll
"msacm.l3acm"=C:\Windows\System32\l3codeca.acm
"vidc.cvid"=iccvid.dll
"wave"=wdmaud.drv
"midi"=wdmaud.drv
"mixer"=wdmaud.drv
"aux"=wdmaud.drv
"wave1"=wdmaud.drv
"midi1"=wdmaud.drv
"mixer1"=wdmaud.drv
"aux1"=wdmaud.drv
"MSVideo8"=VfWWDM32.dll

======File associations======

.js - edit - C:\Windows\System32\Notepad.exe %1
.js - open - C:\Windows\System32\WScript.exe "%1" %*

======List of files/folders created in the last 1 month======

2012-08-15 08:58:10 ----D---- C:\Program Files\trend micro
2012-08-15 08:58:09 ----D---- C:\rsit
2012-08-13 09:00:17 ----D---- C:\ProgramData\Spybot - Search & Destroy
2012-08-13 09:00:17 ----D---- C:\Program Files\Spybot - Search & Destroy
2012-07-28 00:15:08 ----D---- C:\Program Files\Common Files\Adobe
2012-07-28 00:14:06 ----D---- C:\ProgramData\Adobe
2012-07-27 23:50:58 ----A---- C:\Windows\APDFPRP.INI
2012-07-27 23:50:54 ----D---- C:\Program Files\ElcomSoft
2012-07-24 20:51:17 ----D---- C:\Users\Karcoollka\AppData\Roaming\AdobeUM
2012-07-24 12:27:01 ----D---- C:\Users\Karcoollka\AppData\Roaming\pdfforge
2012-07-24 12:26:48 ----A---- C:\Windows\system32\pdfcmon.dll
2012-07-24 12:26:46 ----D---- C:\Program Files\PDFCreator
2012-07-24 12:26:46 ----A---- C:\Windows\system32\MSMPIDE.DLL

======List of files/folders modified in the last 1 month======

2012-08-15 08:58:18 ----D---- C:\Windows\Prefetch
2012-08-15 08:58:10 ----RD---- C:\Program Files
2012-08-15 08:46:58 ----D---- C:\Windows\system32\config
2012-08-15 08:40:59 ----D---- C:\Windows\Temp
2012-08-15 08:37:11 ----D---- C:\Windows\System32
2012-08-15 08:37:11 ----D---- C:\Windows\inf
2012-08-15 08:37:11 ----A---- C:\Windows\system32\PerfStringBackup.INI
2012-08-14 20:10:57 ----SHD---- C:\System Volume Information
2012-08-14 09:09:05 ----D---- C:\Users\Karcoollka\AppData\Roaming\Skype
2012-08-13 22:10:53 ----HD---- C:\ProgramData
2012-08-13 09:56:46 ----SD---- C:\Users\Karcoollka\AppData\Roaming\Microsoft
2012-08-13 06:52:38 ----D---- C:\Windows\system32\catroot2
2012-08-12 11:17:00 ----SHD---- C:\Windows\Installer
2012-08-12 11:16:57 ----D---- C:\Users\Karcoollka\AppData\Roaming\Mozilla
2012-08-03 20:59:24 ----A---- C:\Windows\system32\FlashPlayerApp.exe
2012-07-28 00:16:03 ----D---- C:\Users\Karcoollka\AppData\Roaming\Adobe
2012-07-28 00:15:41 ----D---- C:\Windows\winsxs
2012-07-28 00:15:08 ----D---- C:\Program Files\Common Files
2012-07-28 00:15:08 ----D---- C:\Program Files\Adobe
2012-07-28 00:07:26 ----RSD---- C:\Windows\Fonts
2012-07-27 23:53:30 ----D---- C:\Windows\system32\Tasks
2012-07-27 23:50:58 ----D---- C:\Windows
2012-07-24 22:57:33 ----D---- C:\Windows\Tasks
2012-07-24 12:27:15 ----A---- C:\user.js
2012-07-23 14:09:55 ----D---- C:\ProgramData\Skype
2012-07-23 14:09:44 ----RD---- C:\Program Files\Skype
2012-07-16 14:15:29 ----D---- C:\Windows\system32\wdi

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R0 MpFilter;Microsoft Malware Protection Driver; C:\Windows\system32\DRIVERS\MpFilter.sys [2012-03-20 171064]
R0 PxHelp20;PxHelp20; C:\Windows\System32\Drivers\PxHelp20.sys [2006-08-25 36528]
R0 rdyboost;ReadyBoost; C:\Windows\System32\drivers\rdyboost.sys [2010-11-20 173440]
R0 vmbus;@%SystemRoot%\system32\vmbusres.dll,-1000; C:\Windows\system32\drivers\vmbus.sys [2010-11-20 175360]
R1 CSC;@%systemroot%\system32\cscsvc.dll,-202; C:\Windows\system32\drivers\csc.sys [2010-11-20 388096]
R1 ElbyCDIO;ElbyCDIO Driver; C:\Windows\System32\Drivers\ElbyCDIO.sys [2010-12-17 31088]
R1 vwififlt;Virtual WiFi Filter Driver; C:\Windows\system32\DRIVERS\vwififlt.sys [2009-07-14 48128]
R3 igfx;igfx; C:\Windows\system32\DRIVERS\igdkmd32.sys [2009-09-02 5946368]
R3 L1C;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller (NDIS 6.20); C:\Windows\system32\DRIVERS\L1C62x86.sys [2009-07-14 50688]
R3 NETw5s32;Ovladač adaptéru Intel(R) Wireless WiFi Link pro systém Windows 7 32 Bit; C:\Windows\system32\DRIVERS\NETw5s32.sys [2009-09-15 6114816]
R3 VClone;VClone; C:\Windows\system32\DRIVERS\VClone.sys [2011-01-15 30208]
R3 vwifimp;Microsoft Virtual WiFi Miniport Service; C:\Windows\system32\DRIVERS\vwifimp.sys [2009-07-14 14336]
S2 Parvdm;Parvdm; C:\Windows\system32\DRIVERS\parvdm.sys [2009-07-14 8704]
S3 aic78xx;aic78xx; C:\Windows\system32\DRIVERS\djsvs.sys [2009-07-14 70720]
S3 amdagp;Ovladač filtru AMD portu AGP; C:\Windows\system32\drivers\amdagp.sys [2009-07-14 53312]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0; C:\Windows\system32\DRIVERS\b57nd60x.sys [2009-07-14 229888]
S3 ewusbnet;HUAWEI USB-NDIS miniport; C:\Windows\system32\DRIVERS\ewusbnet.sys [2009-07-23 112128]
S3 hwdatacard;Huawei DataCard USB Modem and USB Serial; C:\Windows\system32\DRIVERS\ewusbmdm.sys [2009-07-23 102912]
S3 hwusbfake;Huawei DataCard USB Fake; C:\Windows\system32\DRIVERS\ewusbfake.sys [2009-07-23 100736]
S3 NisDrv;Microsoft Network Inspection System; C:\Windows\system32\DRIVERS\NisDrvWFP.sys [2012-03-20 74112]
S3 pciide;pciide; C:\Windows\system32\drivers\pciide.sys [2009-07-14 12368]
S3 RDPDR;Terminal Server Device Redirector Driver; C:\Windows\System32\drivers\rdpdr.sys [2010-11-20 133632]
S3 s3cap;s3cap; C:\Windows\system32\drivers\vms3cap.sys [2010-11-20 5632]
S3 sisagp;Filtr SIS sběrnice AGP; C:\Windows\system32\drivers\sisagp.sys [2009-07-14 52304]
S3 storvsc;storvsc; C:\Windows\system32\drivers\storvsc.sys [2010-11-20 28032]
S3 TsUsbFlt;@%SystemRoot%\system32\drivers\tsusbflt.sys,-1; C:\Windows\System32\drivers\tsusbflt.sys [2010-11-20 52224]
S3 viaagp;Filtr VIA sběrnice AGP; C:\Windows\system32\drivers\viaagp.sys [2009-07-14 53328]
S3 ViaC7;VIA C7 Processor Driver; C:\Windows\system32\DRIVERS\viac7.sys [2009-07-14 52736]
S3 VMBusHID;VMBusHID; C:\Windows\system32\drivers\VMBusHID.sys [2010-11-20 17920]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 AdobeARMservice;Adobe Acrobat Update Service; C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe [2011-06-06 64952]
R2 CscService;@%systemroot%\system32\cscsvc.dll,-200; C:\Windows\System32\svchost.exe [2009-07-14 20992]
R2 MsMpSvc;Microsoft Antimalware Service; c:\Program Files\Microsoft Security Client\MsMpEng.exe [2012-03-26 11552]
R2 SBSDWSCService;SBSD Security Center Service; C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
R2 Skype C2C Service;Skype C2C Service; C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe [2012-07-05 3048136]
R2 VMCService;Vodafone Mobile Connect Service; C:\Program Files\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe [2009-09-18 9216]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86; C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
S2 SkypeUpdate;Skype Updater; C:\Program Files\Skype\Updater\Updater.exe [2012-06-07 160944]
S3 Adobe LM Service;Adobe LM Service; C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe [2012-06-22 69632]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service; C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-08-03 250056]
S3 AppMgmt;@appmgmts.dll,-3250; C:\Windows\system32\svchost.exe [2009-07-14 20992]
S3 Microsoft Office Groove Audit Service;Microsoft Office Groove Audit Service; C:\Program Files\Microsoft Office\Office12\GrooveAuditService.exe [2009-02-26 64856]
S3 NisSrv;@c:\Program Files\Microsoft Security Client\MpAsDesc.dll,-243; c:\Program Files\Microsoft Security Client\NisSrv.exe [2012-03-26 214952]
S3 odserv;Microsoft Office Diagnostics Service; C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE [2011-07-20 440696]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2006-10-26 145184]
S3 PeerDistSvc;@%SystemRoot%\system32\peerdistsvc.dll,-9000; C:\Windows\System32\svchost.exe [2009-07-14 20992]
S3 StorSvc;@%SystemRoot%\System32\StorSvc.dll,-100; C:\Windows\System32\svchost.exe [2009-07-14 20992]
S3 UmRdpService;@%SystemRoot%\system32\umrdp.dll,-1000; C:\Windows\System32\svchost.exe [2009-07-14 20992]
S3 WatAdminSvc;@%SystemRoot%\system32\Wat\WatUX.exe,-601; C:\Windows\system32\Wat\WatAdminSvc.exe [2012-06-25 1343400]

-----------------EOF-----------------

[vyosek]

Zdravim a pekne rano preji

OdinstalujteSpybot - Search & Destroy - program ma uz nejlepsi leta davno za sebou a posledni cca 4 roky neni schopen celit aktualnim hrozbam

Udelejte sken AVPTool-em http://forum.viry.cz/viewtopic.php?f=29&t=58179

[TomZ]

Diky za tip. Tady je vystup.





Status: Deleted (events: 2)
15.8.2012 11:10:47 Deleted Trojan program Trojan-Dropper.Win32.VB.ativ C:\Software - instalace\Antivirus\NOD%funguje i na win7\Eset Special Key Finder\Eset Special Key Finder V.1.exe High
15.8.2012 11:14:51 Deleted Trojan program Trojan.Win32.Genome.bnjf C:\Software - instalace\Audio\Traktor DJ studio\TRAKTOR_DJ_STUDIO_3_KEYGEN.EXE High
Status: Detected (events: 4)
15.8.2012 11:09:01 Detected Trojan program Trojan-PSW.Win32.Dybalom.dhx C:\Software - instalace\Antivirus\Nod32\Best.way.online.info_Eset.Nod.32_I.S_A.V.part2.rar//Eset Nod 32 Internet Security & Antivirus/ess_nt64_enu/ess_nt64_enu/ess_nt64_enu.exe//new.exe High
15.8.2012 11:09:24 Detected Trojan program Trojan-PSW.Win32.Dybalom.dhx C:\Software - instalace\Antivirus\Nod32\Best.way.online.info_Eset.Nod.32_I.S_A.V.part1.rar//Eset Nod 32 Internet Security & Antivirus/eav_nt32_enu/eav_nt32_enu/eav_nt32_enu.exe//new.exe High
15.8.2012 11:13:33 Detected Trojan program Trojan-PSW.Win32.Dybalom.dhx C:\Software - instalace\Antivirus\Nod32\Best.way.online.info_Eset.Nod.32_I.S_A.V.part1.rar//Eset Nod 32 Internet Security & Antivirus/eav_nt64_enu/eav_nt64_enu/eav_nt64_enu.exe//new.exe High
15.8.2012 11:13:50 Detected Trojan program Trojan-PSW.Win32.Dybalom.dhx C:\Software - instalace\Antivirus\Nod32\Best.way.online.info_Eset.Nod.32_I.S_A.V.part1.rar//Eset Nod 32 Internet Security & Antivirus/ess_nt32_enu/ess_nt32_enu/ess_nt32_enu.exe//new.exe High


Navic jsem udelal jeste scan pomoci Win antiviru a ten ukazal - viz obrazek. Oboje jsem odebral.

[vyosek]

Nalezy avp toolu smazat - fuj crackovat bezpecnostni SW - nasledne avp tool odinstalovat

Nalez MSE tez smazat

Stahnete Malwarebytes' Anti-Malware (zkracene MBAM) http://forum.viry.cz/viewtopic.php?f=29&t=115222

• Provedte aktualizaci
• Provedte uplny sken - nic nemazte
• MBAM miva obcas falesne detekce, proto vlozte log do prispevku a pockejte na posouzeni

[TomZ]

Nj to jsou nejake zbytky z minulosti.

Tady je report.





Malwarebytes Anti-Malware (Zkušební verze Malwarebytes Anti-Malware) 1.62.0.1300
www.malwarebytes.org

Verze databáze: v2012.08.15.04

Windows 7 Service Pack 1 x86 NTFS
Internet Explorer 9.0.8112.16421
Karcoollka :: KARCOOLLKA-PC [administrátor]

Ochrana: Povolena

15.8.2012 15:19:57
mbam-log-2012-08-15 (16-15-33).txt

Typ: Úplná kontrola (C:\|)
Nastavení kontroly povoleno: Paměť | Po spuštění | Registr | Systémové soubory | Heuristická analýza Extra | Heuristická analýza Shuriken | PUP | PUM
Nastavení kontroly zakázáno: P2P
Kontrolované objekty: 269427
Uplynulý čas: 50 minut, 17 sekund

Nalezené procesy v paměti: 0
(Žádné škodlivé položky nebyly zjištěny)

Nalezené moduly v paměti: 0
(Žádné škodlivé položky nebyly zjištěny)

Nalezené klíče v registru: 0
(Žádné škodlivé položky nebyly zjištěny)

Nalezené hodnoty v registru: 0
(Žádné škodlivé položky nebyly zjištěny)

Nalezené datové položky v registru: 0
(Žádné škodlivé položky nebyly zjištěny)

Nalezené složky: 0
(Žádné škodlivé položky nebyly zjištěny)

Nalezené soubory: 5
C:\Program Files\BSplayer Pro\bsplayer.exe (Malware.Packer.Gen) -> Žádná instrukce nebyla provedena.
C:\Software - instalace\Net\installer_qip.exe (PUP.BundleInstaller.BT) -> Žádná instrukce nebyla provedena.
C:\Software - instalace\Antivirus\NOD32.Antivirus.WinNT2kXPx64.v2.51.8-nsane.[www.yahaa.org]\NOD32.FiX.v2.1-nsane.exe (PUP.RiskWareTool.CK) -> Žádná instrukce nebyla provedena.
C:\Software - instalace\Office\MSOffice2003\crack.v2\fff-o3v2.exe (RiskWare.Tool.CK) -> Žádná instrukce nebyla provedena.
C:\Software - instalace\windows install\DownloadSetup.exe (Affiliate.Downloader) -> Žádná instrukce nebyla provedena.

(konec)

[TomZ]

@KubaKolacek (nemohu odesilat PM), takze vam nemuzu podat vysvetleni.

[vyosek]

incident uzivatele KubaKolacek resen jiz v interni sekci MODeratoru

Nasledujici soubory otestujte na VirusTotalu https://www.virustotal.com/cs/

• C:\Program Files\BSplayer Pro\bsplayer.exe
  C:\Software - instalace\Net\installer_qip.exe
  C:\Software - instalace\windows install\DownloadSetup.exe
• Kliknete na Choose file
• Soubor nehledejte, jen vlozte cestu souboru, ktery chci otestovat
• Kliknete na Scan It
• Pokud na Vas vyskoci obrazovka jako je nize, tak kliknete na ReAnalyse
  
• Vysledek analyzy sem vlozte (jako odkaz)

[TomZ]

Zde jsou vystupy:

1/ https://www.virustotal.com/file/cd6e787 ... 345067490/
2/ https://www.virustotal.com/file/b57192b ... 345067644/
3/ https://www.virustotal.com/file/de25615 ... 345067748/

[vyosek]

Spustte HJT a provedeme fixnuti polozek

• HJT najdete zde C:\Program Files\trend micro\Karcoollka.exe
• Otevre se Vam okno, kliknete na Do a system scan only
• V dalsim okne najdete radky které jsem Vam vypsal nize, vedle nich je ctverecek, do ktereho udelate zatrzitko
• R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qip.ru
  R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://search.qip.ru
  R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.qip.ru/ie
  R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.qip.ru
  R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.qip.ru/ie
  R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
  R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
  R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
  R3 - URLSearchHook: (no name) - - (no file)
  O4 - HKLM\..\Run: [VirtualCloneDrive] "C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s
  O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
  O4 - HKCU\..\Run: [Google Update] "C:\Users\Karcoollka\AppData\Local\Google\Update\GoogleUpdate.exe" /c
  O4 - HKCU\..\Run: [googletalk] C:\Users\Karcoollka\AppData\Roaming\Google\Google Talk\googletalk.exe /autostart
• Kliknete na Fix checked (vlevo dole)
• HJT se Vas zepta zda opravdu ANO, s tim souhlasite a je hotovo

PROSIM CTETE DUKLADNE NAVOD - TATO UTILITA MA VELKOU SCHOPNOST MAZAT A JE NUTNE JI APLIKOVAT JEN NA DOPORUCENI, JINAK VAM MUZE JIT SYSTEM DO KYTEK
Stahnete a ulozte na plochu Combofix http://download.bleepingcomputer.com/sUBs/ComboFix.exe

• Vypnete vsechny rezidentni bezpecnostní programy - firewally, antiviry, antispywary apod.
• Pokud mate Win XP spustte pod uctem Spravce\Administratora
• Pokud mate Win Vista ci Win 7, kliknete na Combofix pravym a dejte Run As Administrator ci Spustit jako spravce
• Ihned po startu se zobrazi stranka s licencnim ujednanim, pokracujte kliknutim na Ano
• Pokud Vam CF nabidne instalaci Konzoly pro zotaveni, tak souhlaste
• Dale postupujte dle pokynu, behem scanu nechte PC naprosto v klidu - nespoustejte zadne aplikace a neklikejte do zobrazujiciho se okna
• Scan by mel trvat cca 10 min, ale pokud bude PC hodne zaneseno, muze se cas prodlouzit
• Po dokonceni skenu a pripadnem restartu CF zobrazi log, pripadne jej najdete zde C:\ComboFix.txt, jeho obsah sem vlozte
• Detailni postup vc. obrazku mate zde http://www.bleepingcomputer.com/combofi ... t-combofix

[TomZ]

Pri Do a system scan only mi ukazalo jednu hlasku = viz obrazek. Pouze jsem dal OK a manualne s tim nic nedelal.

Vystup z ComboFixu:


ComboFix 12-08-15.02 - Karcoollka 16.08.2012 7:24.1.2 - x86
Microsoft Windows 7 Professional 6.1.7601.1.1250.420.1029.18.3003.2073 [GMT 2:00]
Spuštěný z: c:\users\Karcoollka\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
SP: Microsoft Security Essentials *Disabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Vytvořen nový Bod Obnovení
.
.
((((((((((((((((((((((((((((((((((((((( Ostatní výmazy )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Karcoollka\AppData\Local\Microsoft\Windows\Temporary Internet Files\WDICT32.INI
.
.
((((((((((((((((((((((((( Soubory vytvořené od 2012-07-16 do 2012-08-16 )))))))))))))))))))))))))))))))
.
.
2012-08-16 05:29 . 2012-08-16 05:29 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-08-15 18:47 . 2012-06-29 08:44 6891424 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{DBE575B5-23DA-47DD-B95E-7C601703BA19}\mpengine.dll
2012-08-15 13:17 . 2012-08-15 13:17 -------- d-----w- c:\users\Karcoollka\AppData\Roaming\Malwarebytes
2012-08-15 13:13 . 2012-08-15 13:13 -------- d-----w- c:\programdata\Malwarebytes
2012-08-15 13:12 . 2012-08-15 13:13 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-08-15 13:12 . 2012-07-03 11:46 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-08-15 07:51 . 2012-08-15 07:51 -------- d-----w- c:\programdata\Kaspersky Lab
2012-08-15 06:58 . 2012-08-15 06:58 -------- d-----w- c:\program files\trend micro
2012-08-15 06:58 . 2012-08-15 06:58 -------- d-----w- C:\rsit
2012-08-14 18:11 . 2012-06-29 08:44 6891424 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-08-13 07:00 . 2012-08-16 04:32 -------- d-----w- c:\program files\Spybot - Search & Destroy
2012-08-13 07:00 . 2012-08-15 07:38 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2012-07-27 22:15 . 2012-07-27 22:15 -------- d-----w- c:\program files\Common Files\Adobe
2012-07-27 21:50 . 2012-07-27 21:52 -------- d-----w- c:\program files\ElcomSoft
2012-07-27 20:51 . 2012-07-27 20:51 184248 ----a-w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll
2012-07-24 18:51 . 2012-07-24 18:51 -------- d-----w- c:\users\Karcoollka\AppData\Roaming\AdobeUM
2012-07-24 10:27 . 2012-07-24 10:27 -------- d-----w- c:\users\Karcoollka\AppData\Roaming\pdfforge
2012-07-24 10:26 . 1998-06-23 23:00 137000 ----a-w- c:\windows\system32\MSMAPI32.OCX
2012-07-24 10:26 . 2012-03-14 16:23 54784 ----a-w- c:\windows\system32\pdfcmon.dll
2012-07-24 10:26 . 2004-03-08 23:00 662288 ----a-w- c:\windows\system32\MSCOMCT2.OCX
2012-07-24 10:26 . 2012-07-24 10:27 -------- d-----w- c:\program files\PDFCreator
2012-07-24 10:26 . 1998-07-05 23:00 23552 ----a-w- c:\windows\system32\MSMPIDE.DLL
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-08-15 11:59 . 2012-06-21 21:38 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-08-15 11:59 . 2012-06-21 21:38 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-06-29 22:34 . 2009-07-14 02:05 152576 ----a-w- c:\windows\system32\msclmd.dll
2012-06-25 14:31 . 2012-06-25 14:31 74752 ----a-w- c:\windows\system32\RegisterIEPKEYs.exe
2012-06-25 14:31 . 2012-06-25 14:31 161792 ----a-w- c:\windows\system32\msls31.dll
2012-06-25 14:31 . 2012-06-25 14:31 86528 ----a-w- c:\windows\system32\iesysprep.dll
2012-06-25 14:31 . 2012-06-25 14:31 76800 ----a-w- c:\windows\system32\SetIEInstalledDate.exe
2012-06-25 14:31 . 2012-06-25 14:31 63488 ----a-w- c:\windows\system32\tdc.ocx
2012-06-25 14:31 . 2012-06-25 14:31 48640 ----a-w- c:\windows\system32\mshtmler.dll
2012-06-25 14:31 . 2012-06-25 14:31 110592 ----a-w- c:\windows\system32\IEAdvpack.dll
2012-06-25 14:31 . 2012-06-25 14:31 74752 ----a-w- c:\windows\system32\iesetup.dll
2012-06-25 14:31 . 2012-06-25 14:31 367104 ----a-w- c:\windows\system32\html.iec
2012-06-25 14:31 . 2012-06-25 14:31 23552 ----a-w- c:\windows\system32\licmgr10.dll
2012-06-25 14:31 . 2012-06-25 14:31 152064 ----a-w- c:\windows\system32\wextract.exe
2012-06-25 14:31 . 2012-06-25 14:31 420864 ----a-w- c:\windows\system32\vbscript.dll
2012-06-25 14:31 . 2012-06-25 14:31 35840 ----a-w- c:\windows\system32\imgutil.dll
2012-06-25 14:31 . 2012-06-25 14:31 150528 ----a-w- c:\windows\system32\iexpress.exe
2012-06-25 14:31 . 2012-06-25 14:31 11776 ----a-w- c:\windows\system32\mshta.exe
2012-06-25 14:31 . 2012-06-25 14:31 101888 ----a-w- c:\windows\system32\admparse.dll
2012-06-22 15:28 . 2012-06-22 15:28 516096 ----a-w- c:\windows\UN32.EXE
2012-06-21 22:22 . 2012-07-04 18:42 713784 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\NISBackup\gapaengine.dll
2012-06-21 22:22 . 2012-07-04 18:42 713784 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{0477D601-DA77-4C65-A383-F671AF1A9D72}\gapaengine.dll
2012-06-18 01:14 . 2012-06-21 21:28 6762896 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{49F0A754-A6B3-4F74-8798-D1B7E6AFC216}\mpengine.dll
2012-06-12 02:40 . 2012-07-11 10:03 2345984 ----a-w- c:\windows\system32\win32k.sys
2012-06-06 05:05 . 2012-07-11 08:02 1390080 ----a-w- c:\windows\system32\msxml6.dll
2012-06-06 05:05 . 2012-07-11 08:02 1236992 ----a-w- c:\windows\system32\msxml3.dll
2012-06-06 05:03 . 2012-07-11 08:02 805376 ----a-w- c:\windows\system32\cdosys.dll
2012-06-02 22:19 . 2012-06-21 21:05 53784 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-02 22:19 . 2012-06-21 21:05 45080 ----a-w- c:\windows\system32\wups2.dll
2012-06-02 22:19 . 2012-06-21 21:05 35864 ----a-w- c:\windows\system32\wups.dll
2012-06-02 22:19 . 2012-06-21 21:05 577048 ----a-w- c:\windows\system32\wuapi.dll
2012-06-02 22:19 . 2012-06-21 21:05 1933848 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-02 22:12 . 2012-06-21 21:05 2422272 ----a-w- c:\windows\system32\wucltux.dll
2012-06-02 22:12 . 2012-06-21 21:05 88576 ----a-w- c:\windows\system32\wudriver.dll
2012-06-02 13:19 . 2012-06-21 21:05 171904 ----a-w- c:\windows\system32\wuwebv.dll
2012-06-02 13:12 . 2012-06-21 21:05 33792 ----a-w- c:\windows\system32\wuapp.exe
2012-06-02 08:33 . 2012-07-11 10:06 1800192 ----a-w- c:\windows\system32\jscript9.dll
2012-06-02 08:25 . 2012-07-11 10:06 1129472 ----a-w- c:\windows\system32\wininet.dll
2012-06-02 08:25 . 2012-07-11 10:06 1427968 ----a-w- c:\windows\system32\inetcpl.cpl
2012-06-02 08:20 . 2012-07-11 10:06 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2012-06-02 08:16 . 2012-07-11 10:07 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2012-06-02 04:45 . 2012-07-11 08:02 67440 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2012-06-02 04:45 . 2012-07-11 08:02 134000 ----a-w- c:\windows\system32\drivers\ksecpkg.sys
2012-06-02 04:40 . 2012-07-11 08:02 369336 ----a-w- c:\windows\system32\drivers\cng.sys
2012-06-02 04:40 . 2012-07-11 08:02 225280 ----a-w- c:\windows\system32\schannel.dll
2012-06-02 04:39 . 2012-07-11 08:02 219136 ----a-w- c:\windows\system32\ncrypt.dll
2006-12-13 03:12 . 2012-06-22 14:30 66648 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2006-12-13 03:12 . 2012-06-22 14:30 54352 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2006-12-13 03:12 . 2012-06-22 14:30 34928 ----a-w- c:\program files\mozilla firefox\components\myspell.dll
2006-12-13 03:12 . 2012-06-22 14:30 46696 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll
2006-12-13 03:12 . 2012-06-22 14:30 172120 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
.
.
(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-26 931200]
"VirtualCloneDrive"="c:\program files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" [2011-03-07 89456]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-26 30040]
"MobileConnect"="c:\program files\Vodafone\Vodafone Mobile Connect\Bin\MobileConnect.exe" [2009-09-18 2412032]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-09-02 135168]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-09-02 167424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-09-02 144384]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-27 919008]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-07-03 462920]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
R2 Skype C2C Service;Skype C2C Service;c:\programdata\Skype\Toolbars\Skype C2C Service\c2c_service.exe [x]
R2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [x]
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [x]
R3 ewusbnet;HUAWEI USB-NDIS miniport;c:\windows\system32\DRIVERS\ewusbnet.sys [x]
R3 hwusbfake;Huawei DataCard USB Fake;c:\windows\system32\DRIVERS\ewusbfake.sys [x]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [x]
R3 NisSrv;Kontrola sítě Microsoft;c:\program files\Microsoft Security Client\NisSrv.exe [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 WatAdminSvc;Služba Technologie aktivace Windows;c:\windows\system32\Wat\WatAdminSvc.exe [x]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [x]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [x]
S2 VMCService;Vodafone Mobile Connect Service;c:\program files\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe [x]
S3 L1C;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller (NDIS 6.20);c:\windows\system32\DRIVERS\L1C62x86.sys [x]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]
S3 NETw5s32;Ovladač adaptéru Intel(R) Wireless WiFi Link pro systém Windows 7 32 Bit;c:\windows\system32\DRIVERS\NETw5s32.sys [x]
S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [x]
.
.
--- Ostatní služby/ovladače v paměti ---
.
*Deregistered* - 31187242
.
Obsah adresáře 'Naplánované úlohy'
.
2012-08-16 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-06-21 11:59]
.
2012-08-15 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4253506702-3322326859-3136526999-1000Core.job
- c:\users\Karcoollka\AppData\Local\Google\Update\GoogleUpdate.exe [2012-06-22 15:06]
.
2012-08-16 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4253506702-3322326859-3136526999-1000UA.job
- c:\users\Karcoollka\AppData\Local\Google\Update\GoogleUpdate.exe [2012-06-22 15:06]
.
.
------- Doplňkový sken -------
.
uStart Page = hxxp://www.google.cz/
IE: E&xportovat do aplikace Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 10.0.0.138
FF - ProfilePath - c:\users\Karcoollka\AppData\Roaming\Mozilla\Firefox\Profiles\m1ipysh2.default\
FF - prefs.js: browser.search.selectedEngine - Search the web (Babylon)
FF - prefs.js: browser.startup.homepage - hxxp://search.babylon.com/?affID=111304&tt=3012_3&babsrc=HP_ss&mntrId=cefe2e6e000000000000001e6405d8a2
FF - prefs.js: keyword.URL - hxxp://search.babylon.com/?affID=111304&tt=3012_3&babsrc=KW_ss&mntrId=cefe2e6e000000000000001e6405d8a2&q=
FF - user.js: extensions.BabylonToolbar_i.id - cefe2e6e000000000000001e6405d8a2
FF - user.js: extensions.BabylonToolbar_i.hardId - cefe2e6e000000000000001e6405d8a2
FF - user.js: extensions.BabylonToolbar_i.instlDay - 15545
FF - user.js: extensions.BabylonToolbar_i.vrsn - 1.5.3.17
FF - user.js: extensions.BabylonToolbar_i.vrsni - 1.5.3.17
FF - user.js: extensions.BabylonToolbar_i.vrsnTs - 1.5.3.1712:27
FF - user.js: extensions.BabylonToolbar_i.prtnrId - babylon
FF - user.js: extensions.BabylonToolbar_i.prdct - BabylonToolbar
FF - user.js: extensions.BabylonToolbar_i.aflt - babsst
FF - user.js: extensions.BabylonToolbar_i.smplGrp - none
FF - user.js: extensions.BabylonToolbar_i.tlbrId - base
FF - user.js: extensions.BabylonToolbar_i.newTab - false
FF - user.js: extensions.BabylonToolbar_i.babTrack - affID=111304&tt=3012_3
FF - user.js: extensions.BabylonToolbar_i.babExt -
FF - user.js: extensions.BabylonToolbar_i.srcExt - ss
FF - user.js: extensions.BabylonToolbar_i.instlRef - sst
.
- - - - NEPLATNÉ POLOŽKY ODSTRANĚNÉ Z REGISTRU - - - -
.
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
HKCU-Run-OEXPRESS - (no file)
.
.
.
--------------------- ZAMKNUTÉ KLÍČE V REGISTRU ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Celkový čas: 2012-08-16 07:32:14
ComboFix-quarantined-files.txt 2012-08-16 05:32
.
Před spuštěním: Volných bajtů: 191 332 765 696
Po spuštění: Volných bajtů: 191 368 974 336
.
- - End Of File - - AA9226225938D5175AE1150C207B9E23

[vyosek]

Pokud nemate, tak presunte Combofix na plochu

• Spustte poznamkovy blok (Start-spustit-notepad)
• Zkopirujte skript nize

• Kód: Vybrat vše

  KillAll::
  
  RegLock::
  [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
  [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
  [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
  [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
  
  Firefox::
  FF - ProfilePath - c:\users\Karcoollka\AppData\Roaming\Mozilla\Firefox\Profiles\m1ipysh2.default\
  FF - prefs.js: browser.search.selectedEngine - Search the web (Babylon)
  FF - prefs.js: browser.startup.homepage - hxxp://search.babylon.com/?affID=111304 ... 1e6405d8a2
  FF - prefs.js: keyword.URL - hxxp://search.babylon.com/?affID=111304 ... 405d8a2&q=
  FF - user.js: extensions.BabylonToolbar_i.id - cefe2e6e000000000000001e6405d8a2
  FF - user.js: extensions.BabylonToolbar_i.hardId - cefe2e6e000000000000001e6405d8a2
  FF - user.js: extensions.BabylonToolbar_i.instlDay - 15545
  FF - user.js: extensions.BabylonToolbar_i.vrsn - 1.5.3.17
  FF - user.js: extensions.BabylonToolbar_i.vrsni - 1.5.3.17
  FF - user.js: extensions.BabylonToolbar_i.vrsnTs - 1.5.3.1712:27
  FF - user.js: extensions.BabylonToolbar_i.prtnrId - babylon
  FF - user.js: extensions.BabylonToolbar_i.prdct - BabylonToolbar
  FF - user.js: extensions.BabylonToolbar_i.aflt - babsst
  FF - user.js: extensions.BabylonToolbar_i.smplGrp - none
  FF - user.js: extensions.BabylonToolbar_i.tlbrId - base
  FF - user.js: extensions.BabylonToolbar_i.newTab - false
  FF - user.js: extensions.BabylonToolbar_i.babTrack - affID=111304&tt=3012_3
  FF - user.js: extensions.BabylonToolbar_i.babExt -
  FF - user.js: extensions.BabylonToolbar_i.srcExt - ss
  FF - user.js: extensions.BabylonToolbar_i.instlRef - sst
  
  File::
  c:\windows\Tasks\Adobe Flash Player Updater.job
  c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4253506702-3322326859-3136526999-1000Core.job
  c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4253506702-3322326859-3136526999-1000UA.job
  
  Registry::
  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
  "VirtualCloneDrive"=-
  "Adobe ARM"=-
  "Malwarebytes' Anti-Malware"=-
  
  Folder::
  c:\programdata\Kaspersky Lab
  c:\program files\Spybot - Search & Destroy
  c:\programdata\Spybot - Search & Destroy
  
  ClearJavaCache::
  
  Reboot::

• Ulozte vytvoreny TXT jako CFScript.txt
• Pretahnete vytvoreny CFScript.txt nad Combofix a pustte (viz obrazek nize)
  
• Po aplikaci skriptu (a pripadnem restartu) na Vas vypadne log, jeho obsah sem vlozte

Pokud vyskoci hlaska "Pokus pouzit neplatnou operaci na klic registru, ktery je oznacen pro odstraneni", tak jen restartujte PC - registr se da do kupy - jedna se o vnitrni chybu, kterou zpusobuje CF a autor ji zatim neumi bohuzel opravit

Muze se stat, ze po aplikaci skriptu nenabehnou windows, v tomto pripade restartuje PC a mackejte F8 a zvolte Posledni znamou konfiguraci

[TomZ]

Log:





ComboFix 12-08-15.02 - Karcoollka 16.08.2012 11:16:36.2.2 - x86
Microsoft Windows 7 Professional 6.1.7601.1.1250.420.1029.18.3003.1965 [GMT 2:00]
Spuštěný z: c:\users\Karcoollka\Desktop\ComboFix.exe
Použité ovládací přepínače :: c:\users\Karcoollka\Desktop\CFScript.txt
AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
SP: Microsoft Security Essentials *Disabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
FILE ::
"c:\windows\Tasks\Adobe Flash Player Updater.job"
"c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4253506702-3322326859-3136526999-1000Core.job"
"c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4253506702-3322326859-3136526999-1000UA.job"
.
.
((((((((((((((((((((((((((((((((((((((( Ostatní výmazy )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files\Spybot - Search & Destroy
c:\program files\Spybot - Search & Destroy\advcheck.dll
c:\program files\Spybot - Search & Destroy\SDWinSec.exe
c:\program files\Spybot - Search & Destroy\TeaTimer.exe
c:\programdata\Kaspersky Lab
c:\programdata\Kaspersky Lab\~PRCustomProps#4dd.dat
c:\programdata\Kaspersky Lab\~PRObjects#4dd.dat
c:\programdata\Spybot - Search & Destroy
c:\programdata\Spybot - Search & Destroy\Logs\Fixes.120813-0957.txt
c:\programdata\Spybot - Search & Destroy\Logs\Fixes.120813-1102.txt
c:\programdata\Spybot - Search & Destroy\Logs\Fixes.120813-2131.txt
c:\programdata\Spybot - Search & Destroy\Logs\Fixes.120813-2210.txt
c:\programdata\Spybot - Search & Destroy\Logs\Checks.120813-0904.log
c:\programdata\Spybot - Search & Destroy\Logs\Checks.120813-0950.txt
c:\programdata\Spybot - Search & Destroy\Logs\Checks.120813-1008.log
c:\programdata\Spybot - Search & Destroy\Logs\Checks.120813-1056.txt
c:\programdata\Spybot - Search & Destroy\Logs\Checks.120813-2032.log
c:\programdata\Spybot - Search & Destroy\Logs\Checks.120813-2108.txt
c:\programdata\Spybot - Search & Destroy\Logs\Checks.120813-2132.log
c:\programdata\Spybot - Search & Destroy\Logs\Checks.120813-2155.txt
c:\programdata\Spybot - Search & Destroy\Logs\Checks.120815-0839.log
c:\programdata\Spybot - Search & Destroy\Logs\Checks.120815-0905.txt
c:\programdata\Spybot - Search & Destroy\Logs\Resident.log
c:\programdata\Spybot - Search & Destroy\ProcCache.sbc
c:\programdata\Spybot - Search & Destroy\Recovery\BabylonToolbar.zip
c:\programdata\Spybot - Search & Destroy\Recovery\BabylonToolbar1.zip
c:\programdata\Spybot - Search & Destroy\Recovery\BabylonToolbar10.zip
c:\programdata\Spybot - Search & Destroy\Recovery\BabylonToolbar11.zip
c:\programdata\Spybot - Search & Destroy\Recovery\BabylonToolbar12.zip
c:\programdata\Spybot - Search & Destroy\Recovery\BabylonToolbar13.zip
c:\programdata\Spybot - Search & Destroy\Recovery\BabylonToolbar14.zip
c:\programdata\Spybot - Search & Destroy\Recovery\BabylonToolbar15.zip
c:\programdata\Spybot - Search & Destroy\Recovery\BabylonToolbar16.zip
c:\programdata\Spybot - Search & Destroy\Recovery\BabylonToolbar17.zip
c:\programdata\Spybot - Search & Destroy\Recovery\BabylonToolbar18.zip
c:\programdata\Spybot - Search & Destroy\Recovery\BabylonToolbar19.zip
c:\programdata\Spybot - Search & Destroy\Recovery\BabylonToolbar2.zip
c:\programdata\Spybot - Search & Destroy\Recovery\BabylonToolbar20.zip
c:\programdata\Spybot - Search & Destroy\Recovery\BabylonToolbar21.zip
c:\programdata\Spybot - Search & Destroy\Recovery\BabylonToolbar22.zip
c:\programdata\Spybot - Search & Destroy\Recovery\BabylonToolbar23.zip
c:\programdata\Spybot - Search & Destroy\Recovery\BabylonToolbar24.zip
c:\programdata\Spybot - Search & Destroy\Recovery\BabylonToolbar25.zip
c:\programdata\Spybot - Search & Destroy\Recovery\BabylonToolbar26.zip
c:\programdata\Spybot - Search & Destroy\Recovery\BabylonToolbar27.zip
c:\programdata\Spybot - Search & Destroy\Recovery\BabylonToolbar28.zip
c:\programdata\Spybot - Search & Destroy\Recovery\BabylonToolbar29.zip
c:\programdata\Spybot - Search & Destroy\Recovery\BabylonToolbar3.zip
c:\programdata\Spybot - Search & Destroy\Recovery\BabylonToolbar30.zip
c:\programdata\Spybot - Search & Destroy\Recovery\BabylonToolbar31.zip
c:\programdata\Spybot - Search & Destroy\Recovery\BabylonToolbar32.zip
c:\programdata\Spybot - Search & Destroy\Recovery\BabylonToolbar33.zip
c:\programdata\Spybot - Search & Destroy\Recovery\BabylonToolbar34.zip
c:\programdata\Spybot - Search & Destroy\Recovery\BabylonToolbar35.zip
c:\programdata\Spybot - Search & Destroy\Recovery\BabylonToolbar36.zip
c:\programdata\Spybot - Search & Destroy\Recovery\BabylonToolbar37.zip
c:\programdata\Spybot - Search & Destroy\Recovery\BabylonToolbar38.zip
c:\programdata\Spybot - Search & Destroy\Recovery\BabylonToolbar39.zip
c:\programdata\Spybot - Search & Destroy\Recovery\BabylonToolbar4.zip
c:\programdata\Spybot - Search & Destroy\Recovery\BabylonToolbar40.zip
c:\programdata\Spybot - Search & Destroy\Recovery\BabylonToolbar41.zip
c:\programdata\Spybot - Search & Destroy\Recovery\BabylonToolbar42.zip
c:\programdata\Spybot - Search & Destroy\Recovery\BabylonToolbar43.zip
c:\programdata\Spybot - Search & Destroy\Recovery\BabylonToolbar44.zip
c:\programdata\Spybot - Search & Destroy\Recovery\BabylonToolbar45.zip
c:\programdata\Spybot - Search & Destroy\Recovery\BabylonToolbar46.zip
c:\programdata\Spybot - Search & Destroy\Recovery\BabylonToolbar47.zip
c:\programdata\Spybot - Search & Destroy\Recovery\BabylonToolbar48.zip
c:\programdata\Spybot - Search & Destroy\Recovery\BabylonToolbar49.zip
c:\programdata\Spybot - Search & Destroy\Recovery\BabylonToolbar5.zip
c:\programdata\Spybot - Search & Destroy\Recovery\BabylonToolbar50.zip
c:\programdata\Spybot - Search & Destroy\Recovery\BabylonToolbar51.zip
c:\programdata\Spybot - Search & Destroy\Recovery\BabylonToolbar52.zip
c:\programdata\Spybot - Search & Destroy\Recovery\BabylonToolbar53.zip
c:\programdata\Spybot - Search & Destroy\Recovery\BabylonToolbar54.zip
c:\programdata\Spybot - Search & Destroy\Recovery\BabylonToolbar55.zip
c:\programdata\Spybot - Search & Destroy\Recovery\BabylonToolbar56.zip
c:\programdata\Spybot - Search & Destroy\Recovery\BabylonToolbar57.zip
c:\programdata\Spybot - Search & Destroy\Recovery\BabylonToolbar58.zip
c:\programdata\Spybot - Search & Destroy\Recovery\BabylonToolbar59.zip
c:\programdata\Spybot - Search & Destroy\Recovery\BabylonToolbar6.zip
c:\programdata\Spybot - Search & Destroy\Recovery\BabylonToolbar60.zip
c:\programdata\Spybot - Search & Destroy\Recovery\BabylonToolbar61.zip
c:\programdata\Spybot - Search & Destroy\Recovery\BabylonToolbar62.zip
c:\programdata\Spybot - Search & Destroy\Recovery\BabylonToolbar63.zip
c:\programdata\Spybot - Search & Destroy\Recovery\BabylonToolbar64.zip
c:\programdata\Spybot - Search & Destroy\Recovery\BabylonToolbar65.zip
c:\programdata\Spybot - Search & Destroy\Recovery\BabylonToolbar66.zip
c:\programdata\Spybot - Search & Destroy\Recovery\BabylonToolbar67.zip
c:\programdata\Spybot - Search & Destroy\Recovery\BabylonToolbar68.zip
c:\programdata\Spybot - Search & Destroy\Recovery\BabylonToolbar69.zip
c:\programdata\Spybot - Search & Destroy\Recovery\BabylonToolbar7.zip
c:\programdata\Spybot - Search & Destroy\Recovery\BabylonToolbar70.zip
c:\programdata\Spybot - Search & Destroy\Recovery\BabylonToolbar71.zip
c:\programdata\Spybot - Search & Destroy\Recovery\BabylonToolbar72.zip
c:\programdata\Spybot - Search & Destroy\Recovery\BabylonToolbar73.zip
c:\programdata\Spybot - Search & Destroy\Recovery\BabylonToolbar74.zip
c:\programdata\Spybot - Search & Destroy\Recovery\BabylonToolbar75.zip
c:\programdata\Spybot - Search & Destroy\Recovery\BabylonToolbar76.zip
c:\programdata\Spybot - Search & Destroy\Recovery\BabylonToolbar8.zip
c:\programdata\Spybot - Search & Destroy\Recovery\BabylonToolbar9.zip
.
.
((((((((((((((((((((((((( Soubory vytvořené od 2012-07-16 do 2012-08-16 )))))))))))))))))))))))))))))))
.
.
2012-08-16 09:22 . 2012-08-16 09:24 -------- d-----w- c:\users\Karcoollka\AppData\Local\temp
2012-08-16 09:22 . 2012-08-16 09:22 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-08-16 05:40 . 2012-06-29 08:44 6891424 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{90710964-9C83-448E-98B1-B96CA5801AB4}\mpengine.dll
2012-08-15 13:17 . 2012-08-15 13:17 -------- d-----w- c:\users\Karcoollka\AppData\Roaming\Malwarebytes
2012-08-15 13:13 . 2012-08-15 13:13 -------- d-----w- c:\programdata\Malwarebytes
2012-08-15 13:12 . 2012-08-15 13:13 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-08-15 13:12 . 2012-07-03 11:46 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-08-15 06:58 . 2012-08-15 06:58 -------- d-----w- c:\program files\trend micro
2012-08-15 06:58 . 2012-08-15 06:58 -------- d-----w- C:\rsit
2012-08-14 18:11 . 2012-06-29 08:44 6891424 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-07-27 22:15 . 2012-07-27 22:15 -------- d-----w- c:\program files\Common Files\Adobe
2012-07-27 21:50 . 2012-07-27 21:52 -------- d-----w- c:\program files\ElcomSoft
2012-07-27 20:51 . 2012-07-27 20:51 184248 ----a-w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll
2012-07-24 18:51 . 2012-07-24 18:51 -------- d-----w- c:\users\Karcoollka\AppData\Roaming\AdobeUM
2012-07-24 10:27 . 2012-07-24 10:27 -------- d-----w- c:\users\Karcoollka\AppData\Roaming\pdfforge
2012-07-24 10:26 . 1998-06-23 23:00 137000 ----a-w- c:\windows\system32\MSMAPI32.OCX
2012-07-24 10:26 . 2012-03-14 16:23 54784 ----a-w- c:\windows\system32\pdfcmon.dll
2012-07-24 10:26 . 2004-03-08 23:00 662288 ----a-w- c:\windows\system32\MSCOMCT2.OCX
2012-07-24 10:26 . 2012-07-24 10:27 -------- d-----w- c:\program files\PDFCreator
2012-07-24 10:26 . 1998-07-05 23:00 23552 ----a-w- c:\windows\system32\MSMPIDE.DLL
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-08-15 11:59 . 2012-06-21 21:38 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-08-15 11:59 . 2012-06-21 21:38 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-06-29 22:34 . 2009-07-14 02:05 152576 ----a-w- c:\windows\system32\msclmd.dll
2012-06-25 14:31 . 2012-06-25 14:31 74752 ----a-w- c:\windows\system32\RegisterIEPKEYs.exe
2012-06-25 14:31 . 2012-06-25 14:31 161792 ----a-w- c:\windows\system32\msls31.dll
2012-06-25 14:31 . 2012-06-25 14:31 86528 ----a-w- c:\windows\system32\iesysprep.dll
2012-06-25 14:31 . 2012-06-25 14:31 76800 ----a-w- c:\windows\system32\SetIEInstalledDate.exe
2012-06-25 14:31 . 2012-06-25 14:31 63488 ----a-w- c:\windows\system32\tdc.ocx
2012-06-25 14:31 . 2012-06-25 14:31 48640 ----a-w- c:\windows\system32\mshtmler.dll
2012-06-25 14:31 . 2012-06-25 14:31 110592 ----a-w- c:\windows\system32\IEAdvpack.dll
2012-06-25 14:31 . 2012-06-25 14:31 74752 ----a-w- c:\windows\system32\iesetup.dll
2012-06-25 14:31 . 2012-06-25 14:31 367104 ----a-w- c:\windows\system32\html.iec
2012-06-25 14:31 . 2012-06-25 14:31 23552 ----a-w- c:\windows\system32\licmgr10.dll
2012-06-25 14:31 . 2012-06-25 14:31 152064 ----a-w- c:\windows\system32\wextract.exe
2012-06-25 14:31 . 2012-06-25 14:31 420864 ----a-w- c:\windows\system32\vbscript.dll
2012-06-25 14:31 . 2012-06-25 14:31 35840 ----a-w- c:\windows\system32\imgutil.dll
2012-06-25 14:31 . 2012-06-25 14:31 150528 ----a-w- c:\windows\system32\iexpress.exe
2012-06-25 14:31 . 2012-06-25 14:31 11776 ----a-w- c:\windows\system32\mshta.exe
2012-06-25 14:31 . 2012-06-25 14:31 101888 ----a-w- c:\windows\system32\admparse.dll
2012-06-22 15:28 . 2012-06-22 15:28 516096 ----a-w- c:\windows\UN32.EXE
2012-06-21 22:22 . 2012-07-04 18:42 713784 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\NISBackup\gapaengine.dll
2012-06-21 22:22 . 2012-07-04 18:42 713784 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{0477D601-DA77-4C65-A383-F671AF1A9D72}\gapaengine.dll
2012-06-18 01:14 . 2012-06-21 21:28 6762896 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{49F0A754-A6B3-4F74-8798-D1B7E6AFC216}\mpengine.dll
2012-06-12 02:40 . 2012-07-11 10:03 2345984 ----a-w- c:\windows\system32\win32k.sys
2012-06-06 05:05 . 2012-07-11 08:02 1390080 ----a-w- c:\windows\system32\msxml6.dll
2012-06-06 05:05 . 2012-07-11 08:02 1236992 ----a-w- c:\windows\system32\msxml3.dll
2012-06-06 05:03 . 2012-07-11 08:02 805376 ----a-w- c:\windows\system32\cdosys.dll
2012-06-02 22:19 . 2012-06-21 21:05 53784 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-02 22:19 . 2012-06-21 21:05 45080 ----a-w- c:\windows\system32\wups2.dll
2012-06-02 22:19 . 2012-06-21 21:05 35864 ----a-w- c:\windows\system32\wups.dll
2012-06-02 22:19 . 2012-06-21 21:05 577048 ----a-w- c:\windows\system32\wuapi.dll
2012-06-02 22:19 . 2012-06-21 21:05 1933848 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-02 22:12 . 2012-06-21 21:05 2422272 ----a-w- c:\windows\system32\wucltux.dll
2012-06-02 22:12 . 2012-06-21 21:05 88576 ----a-w- c:\windows\system32\wudriver.dll
2012-06-02 13:19 . 2012-06-21 21:05 171904 ----a-w- c:\windows\system32\wuwebv.dll
2012-06-02 13:12 . 2012-06-21 21:05 33792 ----a-w- c:\windows\system32\wuapp.exe
2012-06-02 08:33 . 2012-07-11 10:06 1800192 ----a-w- c:\windows\system32\jscript9.dll
2012-06-02 08:25 . 2012-07-11 10:06 1129472 ----a-w- c:\windows\system32\wininet.dll
2012-06-02 08:25 . 2012-07-11 10:06 1427968 ----a-w- c:\windows\system32\inetcpl.cpl
2012-06-02 08:20 . 2012-07-11 10:06 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2012-06-02 08:16 . 2012-07-11 10:07 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2012-06-02 04:45 . 2012-07-11 08:02 67440 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2012-06-02 04:45 . 2012-07-11 08:02 134000 ----a-w- c:\windows\system32\drivers\ksecpkg.sys
2012-06-02 04:40 . 2012-07-11 08:02 369336 ----a-w- c:\windows\system32\drivers\cng.sys
2012-06-02 04:40 . 2012-07-11 08:02 225280 ----a-w- c:\windows\system32\schannel.dll
2012-06-02 04:39 . 2012-07-11 08:02 219136 ----a-w- c:\windows\system32\ncrypt.dll
2006-12-13 03:12 . 2012-06-22 14:30 66648 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2006-12-13 03:12 . 2012-06-22 14:30 54352 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2006-12-13 03:12 . 2012-06-22 14:30 34928 ----a-w- c:\program files\mozilla firefox\components\myspell.dll
2006-12-13 03:12 . 2012-06-22 14:30 46696 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll
2006-12-13 03:12 . 2012-06-22 14:30 172120 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
.
.
(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-26 931200]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-26 30040]
"MobileConnect"="c:\program files\Vodafone\Vodafone Mobile Connect\Bin\MobileConnect.exe" [2009-09-18 2412032]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-09-02 135168]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-09-02 167424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-09-02 144384]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
R2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [x]
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [x]
R3 ewusbnet;HUAWEI USB-NDIS miniport;c:\windows\system32\DRIVERS\ewusbnet.sys [x]
R3 hwusbfake;Huawei DataCard USB Fake;c:\windows\system32\DRIVERS\ewusbfake.sys [x]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [x]
R3 NisSrv;Kontrola sítě Microsoft;c:\program files\Microsoft Security Client\NisSrv.exe [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 WatAdminSvc;Služba Technologie aktivace Windows;c:\windows\system32\Wat\WatAdminSvc.exe [x]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [x]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [x]
S2 Skype C2C Service;Skype C2C Service;c:\programdata\Skype\Toolbars\Skype C2C Service\c2c_service.exe [x]
S2 VMCService;Vodafone Mobile Connect Service;c:\program files\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe [x]
S3 L1C;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller (NDIS 6.20);c:\windows\system32\DRIVERS\L1C62x86.sys [x]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]
S3 NETw5s32;Ovladač adaptéru Intel(R) Wireless WiFi Link pro systém Windows 7 32 Bit;c:\windows\system32\DRIVERS\NETw5s32.sys [x]
S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [x]
.
.
--- Ostatní služby/ovladače v paměti ---
.
*NewlyCreated* - WS2IFSL
.
Obsah adresáře 'Naplánované úlohy'
.
2012-08-16 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-06-21 11:59]
.
2012-08-15 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4253506702-3322326859-3136526999-1000Core.job
- c:\users\Karcoollka\AppData\Local\Google\Update\GoogleUpdate.exe [2012-06-22 15:06]
.
2012-08-16 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4253506702-3322326859-3136526999-1000UA.job
- c:\users\Karcoollka\AppData\Local\Google\Update\GoogleUpdate.exe [2012-06-22 15:06]
.
.
------- Doplňkový sken -------
.
uStart Page = hxxp://www.google.cz/
IE: E&xportovat do aplikace Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 10.0.0.138
FF - ProfilePath - c:\users\Karcoollka\AppData\Roaming\Mozilla\Firefox\Profiles\m1ipysh2.default\
.
.
------------------------ Jiné spuštené procesy ------------------------
.
c:\program files\Microsoft Security Client\MsMpEng.exe
c:\windows\system32\taskhost.exe
c:\windows\system32\conhost.exe
c:\windows\system32\sppsvc.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\\?\c:\windows\system32\wbem\WMIADAP.EXE
.
**************************************************************************
.
Celkový čas: 2012-08-16 11:28:02 - počítač byl restartován
ComboFix-quarantined-files.txt 2012-08-16 09:28
ComboFix2.txt 2012-08-16 05:32
.
Před spuštěním: Volných bajtů: 191 043 907 584
Po spuštění: Volných bajtů: 190 987 558 912
.
- - End Of File - - F222BA8AD1DFE457F9CE340382920D79

[vyosek]

Log jiz vypada cisty, nyni to chce pozorovat ci hesla budou dale mizet

[TomZ]

Moc dekuji za rychlou a profesionalni pomoc. Urcite nejakym zpusobem rad podporim forum.

[vyosek]

Tak jeste uklidime

Odinstalujte Combofix

• Prejmenujte ComboFix na Uninstall
• Spustte jej
• Tohle smaze Combofix a jeho slozky

T-Cleaner http://vyosek.ic.cz/pro_usery/T-Cleaner.exe

• Stahnete a spustte
• Pro potvrzeni volby mackejte A, Enter
• Po pouziti utilitu smazte
• Antiviry touhou utilitu chybne oznacit jako vir - jedna se o falesny poplach - takze v pohode stahnete (pripadne vypnete pri stahovani antivir)

OTC http://oldtimer.geekstogo.com/OTC.exe

• Stahnete a spustte
• Kliknete na CleanUp a potvrdte YES
• Program uklidi a restartuje PC

TFC http://oldtimer.geekstogo.com/TFC.exe

• Stahnete a spustte
• Kliknete na Start a potvrdte OK
• Program uklidi a restartuje pc
• Po pouziti utilitu smazte

Stahnete Ccleaner http://forum.viry.cz/viewtopic.php?t=7478
Panel čistič

• Vse nechte jak je, jen dejte Analyzovat a pote Spustit CCleaner

Panel registry

• dejte Hledej problémy
• nasledne Opravit problémy - zalohu registru doporucuji udelat, opravte vsechny problemy
• postup opakujte dokud nebude bez problemu - vetsinou cca 3x

Panel nástroje

• Zde muzete odinstalovat nepotrebne programy

CCleaner doporucuji pouzivat cca jednou za tyden

Za podporu fora jmenem celeho tymu dekuji

Pak napiste ci hesla jeste mizi