
Virus removal, speeding up your computer, and remote help through the neslape.cz service
Please help with malware
Moderator: Moderators
Forum rules
If you want help, post a log from FRST [guide here] or RSIT [guide here]
Individual threads will be locked once resolved, as will those that have been inactive for more than 14 days. See the Rule on locking topics. Thank you for your understanding.
!NEW!
You can now use the remote help service, in which a specialist connects to your computer and gets further details about the problem from you by phone! More at www.neslape.cz
Please help with malware
Warm greetings, and I would very much appreciate some help. I have Win32 Malware-gen on my computer; Avast found it. I noticed it because the computer started running slowly, I could not open files in Acrobat, and I could not open Explorer. Avast moved the infected files to the chest, but the vermin is evidently still there; the computer is still running insanely slowly (it is only 2 months old). I tried to find a procedure in the advice already posted, but did not find one. I am sending my log.
Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Scan saved at 0:06:04, on 8.4.2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\pdf24\pdf24.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CNAB4RPK.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\WINDOWS\system32\SNDVOL32.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.seznam.cz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
R3 - URLSearchHook: (no name) - {9CB65206-89C4-402c-BA80-02D8C59F9B1D} - C:\Program Files\AskTBar\SrchAstt\1.bin\A5SRCHAS.DLL
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Ask Search Assistant BHO - {9CB65201-89C4-402c-BA80-02D8C59F9B1D} - C:\Program Files\AskTBar\SrchAstt\1.bin\A5SRCHAS.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: SkypeIEPluginBHO - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.4723.1820\swg.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [PDFPrint] C:\Program Files\pdf24\pdf24.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: monsxw32.exe
O4 - Startup: OpenOffice.org 3.1.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
O8 - Extra context menu item: E&xportovat do aplikace Microsoft Office Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: WikiKomentáře Google... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
O9 - Extra button: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra 'Tools' menuitem: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra button: Zdroje informací - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Proces mezipaměti kategorií součástí - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Služba Google Update (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Nero BackItUp Scheduler 4.0 - Nero AG - C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
--
End of file - 8659 bytes
Thank you very much. Kocour
Re: Please help with malware
Hello,
READ THE INSTRUCTIONS CAREFULLY, THIS SOFTWARE DOES NOT TOLERATE MISTAKES IN HOW IT IS APPLIED!
Feel free to print the following lines so that you know what will be happening on the screen.
Be logged in to the PC with administrator rights.
download ComboFix and save it, preferably to the desktop
if the page will not load, download it from here: download; or, if ComboFix will not start, rename it to grinder.com and continue according to the instructions.
right after it starts, a disclaimer of warranty for the software's functionality is displayed; continue by clicking the Yes button:

a warning about installed CD drive emulators may then follow, typically Daemon Tools or Alcohol 120

click OK
Agree to the installation of the Recovery Console (Konzola pro zotaveni) - a working internet connection is required
calmly go and make yourself a coffee (the whole process takes approx. 5-10 minutes, sometimes longer, depending on how fast the machine is and how many files the scanner has to work through); during the scan do not try to start any other applications or anything else
do not panic during the scan, your machine may be restarted (especially on the first run of the scanner)
warning: Turn off the resident shield of your antivirus and antispyware and temporarily disable the firewall, as ComboFix might otherwise not work correctly. If you have the shields turned off and ComboFix reports that they are not, continue and confirm.
after the restart the application creates a log, saved at C:/Combofix.txt (on repeated use the logs are named Combofix2.txt etc.); paste its contents here

Autoruns + HitmanPro + UPM + Avenger + GMER + OTM + AVPTool + RSIT + RootRepeal
________________________________________________________________________________________
AN UP-TO-DATE ANTIVIRUS AND A PERSONAL FIREWALL ARE TWO ESSENTIAL PROTECTIVE COMPONENTS OF EVERY PC CONNECTED TO THE INTERNET!!!
BY BACKING UP YOUR PERSONAL DATA YOU WILL NOT LOSE IT IN CASE OF FATAL PROBLEMS WITH SOFTWARE OR HARDWARE!!
DO NOT USE COMBOFIX ON YOUR OWN, ONLY IF YOU ARE ASKED TO. IMPROPER HANDLING OF IT CAN RENDER THE SYSTEM INOPERABLE!


___________________________________________________________
----------------------earl@forum.viry.cz-----------------------
Re: Please help with malware
Excellent, thank you very much, I have done it and am attaching the log from ComboFix.
ComboFix 10-04-07.04 - Petr 08.04.2010 11:31:59.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1250.420.1029.18.1919.1160 [GMT 2:00]
Spuštěný z: c:\documents and settings\Petr\Plocha\ComboFix.exe
AV: avast! antivirus 4.8.1368 [VPS 100407-1] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
((((((((((((((((((((((((( Soubory vytvořené od 2010-03-08 do 2010-04-08 )))))))))))))))))))))))))))))))
.
2010-04-07 22:04 . 2010-04-07 22:04 -------- d-----w- c:\program files\TrendMicro
2010-04-07 19:26 . 2010-02-12 10:03 293376 ------w- c:\windows\system32\browserchoice.exe
2010-04-07 00:37 . 2008-04-13 22:10 34688 -c--a-w- c:\windows\system32\dllcache\lbrtfdc.sys
2010-04-07 00:37 . 2008-04-13 22:10 34688 ----a-w- c:\windows\system32\drivers\lbrtfdc.sys
2010-04-07 00:36 . 2008-04-13 22:11 8576 -c--a-w- c:\windows\system32\dllcache\i2omgmt.sys
2010-04-07 00:35 . 2008-04-13 22:11 8192 -c--a-w- c:\windows\system32\dllcache\changer.sys
2010-03-25 05:01 . 2010-03-25 05:01 -------- d-----w- C:\digibib3
2010-03-25 05:00 . 1998-02-06 22:35 304128 ----a-w- c:\windows\unin0407.exe
2010-03-25 05:00 . 2010-03-25 05:00 -------- d-----w- c:\documents and settings\Petr\WINDOWS
2010-03-10 20:35 . 2010-03-10 20:35 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2010-03-10 20:32 . 2010-03-10 20:32 -------- d-----w- c:\program files\Common Files\Skype
2010-03-10 20:32 . 2010-03-10 20:33 -------- d-----r- c:\program files\Skype
.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-07 13:00 . 2008-04-14 12:00 46220 ----a-w- c:\windows\system32\perfc005.dat
2010-04-07 13:00 . 2008-04-14 12:00 310046 ----a-w- c:\windows\system32\perfh005.dat
2010-04-07 12:51 . 2010-02-10 15:40 -------- d-----w- c:\program files\Common Files\Adobe
2010-03-10 20:33 . 2010-02-12 16:07 -------- d-----w- c:\program files\Google
2010-02-27 16:21 . 2010-02-13 15:07 -------- d-----w- c:\program files\pdf24
2010-02-25 06:18 . 2008-04-14 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 09:16 . 2010-02-10 15:11 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-22 04:15 . 2010-02-10 16:01 -------- d-----w- c:\program files\BOINC
2010-02-21 00:36 . 2010-02-21 00:36 -------- d-----w- c:\program files\Common Files\LightScribe
2010-02-21 00:35 . 2010-02-21 00:33 -------- d-----w- c:\program files\Common Files\Ahead
2010-02-21 00:33 . 2010-02-10 15:47 -------- d-----w- c:\program files\Nero
2010-02-21 00:32 . 2010-02-21 00:32 -------- d-----w- c:\program files\AskTBar
2010-02-17 03:21 . 2010-02-17 03:21 -------- d-----w- c:\program files\AVS4YOU
2010-02-17 03:21 . 2010-02-17 03:21 -------- d-----w- c:\program files\Common Files\AVSMedia
2010-02-17 03:05 . 2010-02-17 03:05 -------- d-----w- c:\program files\QuickTime
2010-02-17 03:05 . 2010-02-17 03:05 -------- d-----w- c:\program files\Common Files\Apple
2010-02-17 03:05 . 2010-02-17 03:05 -------- d-----w- c:\program files\Apple Software Update
2010-02-12 21:48 . 2010-02-10 15:57 -------- d-----w- c:\program files\Mozilla Thunderbird
2010-02-12 21:48 . 2010-02-12 21:48 -------- d-----w- c:\program files\LizardTech
2010-02-12 21:48 . 2010-02-09 14:59 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-02-12 21:48 . 2010-02-09 14:59 -------- d-----w- c:\program files\Common Files\InstallShield
2010-02-12 16:12 . 2010-02-12 16:07 -------- d-----w- c:\program files\IrfanView
2010-02-12 16:04 . 2010-02-12 16:04 -------- d-----w- c:\program files\Caminova
2010-02-11 14:31 . 2010-02-11 14:31 -------- d-----w- c:\program files\MSXML 4.0
2010-02-11 12:59 . 2010-02-11 12:59 -------- d-----w- c:\program files\Microsoft.NET
2010-02-11 10:55 . 2010-02-11 10:55 0 ----a-w- c:\windows\nsreg.dat
2010-02-11 10:25 . 2010-02-11 10:24 -------- d-----w- c:\program files\Canon
2010-02-10 15:54 . 2010-02-10 15:54 -------- d-----w- c:\program files\OpenOffice.org 3
2010-02-10 15:48 . 2010-02-10 15:47 -------- d-----w- c:\program files\Common Files\Nero
2010-02-10 15:45 . 2010-02-10 15:45 -------- d-----w- c:\program files\Ashampoo
2010-02-10 15:43 . 2010-02-10 15:43 -------- d-----w- c:\program files\Codec Pack - All In 1
2010-02-10 15:42 . 2010-02-10 15:43 737280 ----a-w- c:\windows\iun6002.exe
2010-02-10 15:42 . 2010-02-10 15:42 -------- d-----w- c:\program files\Windows Media Connect 2
2010-02-10 15:37 . 2010-02-10 15:28 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-02-10 15:11 . 2010-02-10 15:11 -------- d-----w- c:\program files\Windows Defender
2010-02-10 15:03 . 2010-02-10 15:03 -------- d-----w- c:\program files\Alwil Software
2010-02-09 15:04 . 2010-02-09 15:04 -------- d-----w- c:\program files\Setup Files
2010-02-09 15:01 . 2010-02-09 15:01 -------- d-----w- c:\program files\MSI
2010-02-09 15:01 . 2010-02-09 15:01 -------- d-----w- c:\program files\AMD
2010-02-09 14:59 . 2010-02-09 14:59 -------- d-----w- c:\program files\Realtek
2010-02-09 13:48 . 2010-02-09 13:09 76487 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2010-02-09 13:48 . 2010-02-09 13:09 2378 ----a-w- c:\windows\pchealth\helpctr\PackageStore\SkuStore.bin
2010-02-09 13:48 . 2010-02-09 13:09 8972 ----a-w- c:\windows\pchealth\helpctr\Config\Cntstore.bin
2010-02-09 13:10 . 2010-02-09 13:10 -------- d-----w- c:\program files\microsoft frontpage
2010-02-09 13:08 . 2010-02-09 13:08 21812 ----a-w- c:\windows\system32\emptyregdb.dat
.
(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{9CB65206-89C4-402c-BA80-02D8C59F9B1D}"= "c:\program files\AskTBar\SrchAstt\1.bin\A5SRCHAS.DLL" [2010-02-21 57344]
[HKEY_CLASSES_ROOT\clsid\{9cb65206-89c4-402c-ba80-02d8c59f9b1d}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-02-12 39408]
"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2007-06-20 451872]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2010-03-09 26100520]
"BrowserChoice"="c:\windows\system32\browserchoice.exe" [2010-02-12 293376]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nwiz"="nwiz.exe" [2009-04-30 1657376]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-04-30 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-04-30 13750272]
"RTHDCPL"="RTHDCPL.EXE" [2009-03-12 17531392]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-03 866584]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-10 417792]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"PDFPrint"="c:\program files\pdf24\pdf24.exe" [2010-02-22 207504]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-21 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
c:\documents and settings\Petr\Nabˇdka Start\Programy\Po spuçtŘnˇ\
OpenOffice.org 3.1.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2009-9-16 384512]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\CNAB4RPK.EXE"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
R2 gupdate;Služba Google Update (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-02-12 135664]
R3 MSICDSetup;MSICDSetup;H:\CDriver.sys [x]
S1 aswSP;avast! Self Protection; [x]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2009-11-24 20560]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2007-06-20 11:47 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Obsah adresáře 'Naplánované úlohy'
2010-04-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
2010-04-08 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-12 16:08]
2010-04-08 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-12 16:08]
2010-04-08 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 18:20]
.
.
------- Doplňkový sken -------
.
uStart Page = hxxp://www.seznam.cz/
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xportovat do aplikace Microsoft Office Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: WikiKomentáře Google... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: {{898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
FF - ProfilePath - c:\documents and settings\Petr\Data aplikací\Mozilla\Firefox\Profiles\ssbobjdy.default\
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdjvu.dll
---- NASTAVENÍ FIREFOXU ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".cz");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-08 11:37
Windows 5.1.2600 Service Pack 3 NTFS
skenování skrytých procesů ...
skenování skrytých položek 'Po spuštění' ...
skenování skrytých souborů ...
sken byl úspešně dokončen
skryté soubory: 0
**************************************************************************
.
--------------------- Knihovny navázané na běžící procesy ---------------------
- - - - - - - > 'explorer.exe'(712)
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Celkový čas: 2010-04-08 11:39:55
ComboFix-quarantined-files.txt 2010-04-08 09:39
Před spuštěním: Volných bajtů: 201 915 162 624
Po spuštění: Volných bajtů: 202 985 635 840
- - End Of File - - 9D35B918E98A039607F0201A65203050
Is it OK?
Thank you very much.
Kocour
Re: Please help with malware

Scan this file on VIRUSTOTAL and JOTTISCAN:
c:\windows\system32\browserchoice.exe
(simple instructions: once the page has loaded, click the Browse button, navigate to the file mentioned above and click the Send file button; give the scanners about ten minutes; paste the results here)
If the scanner says the file has already been tested, have it tested again.

Into the left box with the yellow top border, "Paste Instructions for Items to be Moved", copy this:
Code:
:processes
explorer.exe
:files
C:\Documents and Settings\Petr\Nabídka Start\Programy\Po spuštění\monsxw32.exe
C:\Program Files\AskTBar
:services
:reg
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{9CB65206-89C4-402c-BA80-02D8C59F9B1D}"=-
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9CB65201-89C4-402c-BA80-02D8C59F9B1D}]
:commands
[emptytemp]
[start explorer]
[reboot]
Click MoveIt; the result will appear in the Results window with the green top border; copy the contents of that window here. If OTMoveIt asks for a restart, allow it. You will find the following log in C:\_OTMoveIt\MovedFiles\xxxxx.log (x is a placeholder character); open it in Notepad.
Autoruns + HitmanPro + UPM + Avenger + GMER + OTM + AVPTool + RSIT + RootRepeal
________________________________________________________________________________________
AN UP-TO-DATE ANTIVIRUS AND A PERSONAL FIREWALL ARE TWO ESSENTIAL PROTECTIVE COMPONENTS OF EVERY PC CONNECTED TO THE INTERNET!!!
BY BACKING UP YOUR PERSONAL DATA YOU WILL NOT LOSE IT IN CASE OF FATAL PROBLEMS WITH SOFTWARE OR HARDWARE!!
DO NOT USE COMBOFIX ON YOUR OWN, ONLY IF YOU ARE ASKED TO. IMPROPER HANDLING OF IT CAN LEAVE THE SYSTEM INOPERABLE!


___________________________________________________________
----------------------earl@forum.viry.cz-----------------------
Re: Please help with malware
Thank you very much for the guidance.
I uninstalled Spybot, but I did not find AskTbar under the Add/Remove Programs tab.
Neither Virustotal nor Jottiscan apparently found anything; I am attaching the results.
Virustotal:
Soubor browserchoice.exe přijatý 2010.04.10 20:00:09 (UTC)
Antivirus Verze Poslední aktualizace Výsledek
a-squared 4.5.0.50 2010.04.10 -
AhnLab-V3 5.0.0.2 2010.04.10 -
AntiVir 7.10.6.55 2010.04.09 -
Antiy-AVL 2.0.3.7 2010.04.09 -
Authentium 5.2.0.5 2010.04.10 -
Avast 4.8.1351.0 2010.04.10 -
Avast5 5.0.332.0 2010.04.10 -
AVG 9.0.0.787 2010.04.10 -
BitDefender 7.2 2010.04.10 -
CAT-QuickHeal 10.00 2010.04.10 -
ClamAV 0.96.0.3-git 2010.04.10 -
Comodo 4558 2010.04.10 -
DrWeb 5.0.2.03300 2010.04.10 -
eSafe 7.0.17.0 2010.04.08 -
eTrust-Vet 35.2.7418 2010.04.09 -
F-Prot 4.5.1.85 2010.04.10 -
F-Secure 9.0.15370.0 2010.04.10 -
Fortinet 4.0.14.0 2010.04.10 -
GData 19 2010.04.10 -
Ikarus T3.1.1.80.0 2010.04.10 -
Jiangmin 13.0.900 2010.04.10 -
Kaspersky 7.0.0.125 2010.04.10 -
McAfee-GW-Edition 6.8.5 2010.04.09 -
Microsoft 1.5605 2010.04.10 -
NOD32 5016 2010.04.10 -
Norman 6.04.11 2010.04.10 -
nProtect 2009.1.8.0 2010.04.06 -
Panda 10.0.2.2 2010.04.10 -
PCTools 7.0.3.5 2010.04.10 -
Prevx 3.0 2010.04.10 -
Rising 22.42.04.03 2010.04.09 -
Sophos 4.52.0 2010.04.10 -
Sunbelt 6161 2010.04.10 -
Symantec 20091.2.0.41 2010.04.10 -
TheHacker 6.5.2.0.259 2010.04.10 -
TrendMicro 9.120.0.1004 2010.04.10 -
VBA32 3.12.12.4 2010.04.09 -
ViRobot 2010.4.10.2270 2010.04.10 -
VirusBuster 5.0.27.0 2010.04.10 -
Rozšiřující informace
File size: 293376 bytes
MD5...: da1919d896dbd5895e138932ae9e398b
SHA1..: 361bee6e2535d9fc10a01ac6686be55d854fc5ba
SHA256: 4c5fb3c35ca7c2e10ae2920afd40e854c123219901c15a80941ac9f53eef97d7
ssdeep: 6144:IEesYclzRCayeopvGE0zM6s4D8e8FIBK86dNvMXfAo:IEerclzRCayeopvGNzM6s4D8e8FIBK8f
PEiD..: -
PEInfo: PE Structure information
( base data )
entrypointaddress.: 0x3363
timedatestamp.....: 0x4b737c6f (Thu Feb 11 03:41:35 2010)
machinetype.......: 0x14c (I386)
( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x34ca 0x3600 6.18 e0356f94745647bc2bed78b680e83512
.data 0x5000 0x68c 0x400 5.80 28fcfd5ab0eb9c208220c87444240f30
.rsrc 0x6000 0x44000 0x43400 6.41 1370a78bf18215c408206d0638b25934
.reloc 0x4a000 0x648 0x800 2.72 cb9cda0ca1762d2b27ddcf4dd8860ae5
( 10 imports )
> ADVAPI32.dll: RegCloseKey, RegCreateKeyExW, GetTokenInformation, OpenProcessToken, CreateProcessAsUserW, SetTokenInformation, GetLengthSid, ConvertStringSidToSidW, DuplicateTokenEx
> KERNEL32.dll: GetLastError, VerifyVersionInfoW, VerSetConditionMask, FreeLibrary, GetProcAddress, LoadLibraryW, CloseHandle, GetCurrentProcess, GetUserGeoID, GetExitCodeProcess, WaitForSingleObject, LocalFree, GetModuleHandleW, lstrcmpA, GetModuleFileNameW, UnhandledExceptionFilter, TerminateProcess, GetSystemTimeAsFileTime, GetCurrentProcessId, GetCurrentThreadId, GetTickCount, QueryPerformanceCounter, GetModuleHandleA, SetUnhandledExceptionFilter, GetStartupInfoA, InterlockedCompareExchange, Sleep, InterlockedExchange
> USER32.dll: LoadStringW
> msvcrt.dll: _controlfp, _vsnwprintf, memset, __3@YAXPAX@Z, wcschr, _wcsnicmp, _terminate@@YAXXZ, __set_app_type, __p__fmode, __p__commode, __setusermatherr, _amsg_exit, _initterm, _acmdln, exit, _ismbblead, _XcptFilter, _exit, _cexit, __getmainargs, _wtoi, __2@YAPAXI@Z
> ole32.dll: CoUninitialize, CoTaskMemFree, CoCreateInstance, CoInitializeEx
> ntdll.dll: RtlUnwind
> SHELL32.dll: -, SHGetFolderPathW, -, -, ShellExecuteW, SHBindToParent
> SHLWAPI.dll: PathCombineW, PathAddExtensionW, -, SHRegGetBoolUSValueW, SHRegGetUSValueW, SHDeleteValueW, PathFindFileNameW, -, SHRegSetUSValueW, SHSetValueW
> WININET.dll: InternetGetCookieW, InternetSetCookieW
> OLEAUT32.dll: -, -
( 0 exports )
RDS...: NSRL Reference Data Set
-
pdfid.: -
trid..: Win32 Executable Generic (42.3%)
Win32 Dynamic Link Library (generic) (37.6%)
Generic Win/DOS Executable (9.9%)
DOS Executable Generic (9.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
sigcheck:
publisher....: Microsoft Corporation
copyright....: (c) Microsoft Corporation. All rights reserved.
product......: Microsoft_ Windows_ Operating System
description..: Browser Choice
original name: browserchoice.exe
internal name: Browser Choice
file version.: 6.1.7600.16526 (win7_gdr.100210-1504)
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned
And here is the link to the Jottiscan result: http://virusscan.jotti.org/cs/scanresul ... eeeb6df345
And finally, I am attaching the log from OTM
All processes killed
========== PROCESSES ==========
No active process named explorer.exe was found!
========== FILES ==========
File/Folder C:\Documents and Settings\Petr\Nabídka Start\Programy\Po spuštění\monsxw32.exe not found.
C:\Program Files\AskTBar\SrchAstt\1.bin folder moved successfully.
C:\Program Files\AskTBar\SrchAstt folder moved successfully.
C:\Program Files\AskTBar\bar\1.bin folder moved successfully.
C:\Program Files\AskTBar\bar folder moved successfully.
C:\Program Files\AskTBar folder moved successfully.
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks\\{9CB65206-89C4-402c-BA80-02D8C59F9B1D} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9CB65206-89C4-402c-BA80-02D8C59F9B1D}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9CB65201-89C4-402c-BA80-02D8C59F9B1D}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9CB65201-89C4-402c-BA80-02D8C59F9B1D}\ deleted successfully.
========== COMMANDS ==========
[EMPTYTEMP]
User: All Users
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
User: LocalService
->Temp folder emptied: 65748 bytes
->Temporary Internet Files folder emptied: 33170 bytes
User: NetworkService
->Temp folder emptied: 3216 bytes
->Temporary Internet Files folder emptied: 33170 bytes
User: Petr
->Temp folder emptied: 1057915 bytes
->Temporary Internet Files folder emptied: 78931134 bytes
->FireFox cache emptied: 41755846 bytes
->Google Chrome cache emptied: 6138516 bytes
->Flash cache emptied: 7089 bytes
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 2351732 bytes
%systemroot%\System32 .tmp files removed: 902088 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 39288 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 0 bytes
Total Files Cleaned = 125,00 mb
OTM by OldTimer - Version 3.1.10.1 log created on 04102010_221642
Files moved on Reboot...
File C:\Documents and Settings\Petr\Local Settings\Temp\~DF10DE.tmp not found!
File C:\Documents and Settings\Petr\Local Settings\Temp\~DF10F5.tmp not found!
File C:\Documents and Settings\Petr\Local Settings\Temp\~DFEDD.tmp not found!
File C:\Documents and Settings\Petr\Local Settings\Temp\~DFEFA.tmp not found!
File C:\Documents and Settings\Petr\Local Settings\Temp\~DFFB2.tmp not found!
File C:\Documents and Settings\Petr\Local Settings\Temp\~DFFC9.tmp not found!
C:\Documents and Settings\Petr\Local Settings\Temporary Internet Files\Content.IE5\WKABNL3R\ads[1].htm moved successfully.
C:\Documents and Settings\Petr\Local Settings\Temporary Internet Files\Content.IE5\TIHTS6GX\honeypot_export[1].htm moved successfully.
C:\Documents and Settings\Petr\Local Settings\Temporary Internet Files\Content.IE5\RLLQE83F\afr[1].htm moved successfully.
C:\Documents and Settings\Petr\Local Settings\Temporary Internet Files\Content.IE5\QZ6JQ927\4c5fb3c35ca7c2e10ae2920afd40e854c123219901c15a80941ac9f53eef97d7-1270929609[1].htm moved successfully.
C:\Documents and Settings\Petr\Local Settings\Temporary Internet Files\Content.IE5\QZ6JQ927\compacto[1].htm moved successfully.
C:\Documents and Settings\Petr\Local Settings\Temporary Internet Files\Content.IE5\I5K3QXQP\tv_seznam_cz[1].htm moved successfully.
C:\Documents and Settings\Petr\Local Settings\Temporary Internet Files\Content.IE5\CTIGHJNP\01faa0e7161e9b680bbbc40c1c3a8feeeb6df345[1].htm moved successfully.
C:\Documents and Settings\Petr\Local Settings\Temporary Internet Files\Content.IE5\9C9TFLTF\ads[1].htm moved successfully.
C:\Documents and Settings\Petr\Local Settings\Temporary Internet Files\Content.IE5\61VSHWB6\afr[1].htm moved successfully.
C:\Documents and Settings\Petr\Local Settings\Temporary Internet Files\Content.IE5\49S9AJOL\afr[1].htm moved successfully.
C:\Documents and Settings\Petr\Local Settings\Temporary Internet Files\Content.IE5\49S9AJOL\viewtopic[1].htm moved successfully.
File move failed. C:\WINDOWS\temp\_avast4_\Webshlock.txt scheduled to be moved on reboot.
C:\WINDOWS\temp\Perflib_Perfdata_5ec.dat moved successfully.
Registry entries deleted on Reboot...
Thank you very much, is it OK like this?
Regards, Kocour
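One way to check the OTM result against the script that was run, added here as an example (it is not part of the thread and not part of OTM). The script and the log excerpt are copied from the two posts above; the reading of the `:reg` syntax (`[-key]` deletes a key, `"name"=-` deletes a value) and the function names are assumptions inferred from the posted script and log.

```python
import re

# OTM script as posted in the helper's reply.
OTM_SCRIPT = r"""
:processes
explorer.exe
:files
C:\Documents and Settings\Petr\Nabídka Start\Programy\Po spuštění\monsxw32.exe
C:\Program Files\AskTBar
:services
:reg
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{9CB65206-89C4-402c-BA80-02D8C59F9B1D}"=-
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9CB65201-89C4-402c-BA80-02D8C59F9B1D}]
:commands
[emptytemp]
[start explorer]
[reboot]
"""

# PROCESSES, FILES and REGISTRY part of the result log as posted.
OTM_LOG = r"""
========== PROCESSES ==========
No active process named explorer.exe was found!
========== FILES ==========
File/Folder C:\Documents and Settings\Petr\Nabídka Start\Programy\Po spuštění\monsxw32.exe not found.
C:\Program Files\AskTBar\SrchAstt\1.bin folder moved successfully.
C:\Program Files\AskTBar\SrchAstt folder moved successfully.
C:\Program Files\AskTBar\bar\1.bin folder moved successfully.
C:\Program Files\AskTBar\bar folder moved successfully.
C:\Program Files\AskTBar folder moved successfully.
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks\\{9CB65206-89C4-402c-BA80-02D8C59F9B1D} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9CB65206-89C4-402c-BA80-02D8C59F9B1D}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9CB65201-89C4-402c-BA80-02D8C59F9B1D}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9CB65201-89C4-402c-BA80-02D8C59F9B1D}\ deleted successfully.
"""

# Only the line shapes that occur in the posted log are recognised.
LOG_PATTERNS = [
    (re.compile(r"^File/Folder (.+) not found\.$"), "not found"),
    (re.compile(r"^Registry (?:key|value) (.+) deleted successfully\.$"), "deleted"),
    (re.compile(r"^(.+?)(?: file| folder)? moved successfully\.$"), "moved"),
]


def norm(path):
    """Case-fold, collapse doubled backslashes, drop a trailing backslash."""
    return re.sub(r"\\+", lambda m: "\\", path.strip()).rstrip("\\").lower()


def parse_script(script):
    """Return [(kind, target)] for the :files and :reg sections of the script."""
    targets, section, key = [], None, None
    for raw in script.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(":"):
            section, key = line[1:].lower(), None
        elif section == "files":
            targets.append(("file", line))
        elif section == "reg":
            if line.startswith("[-") and line.endswith("]"):
                targets.append(("regkey", line[2:-1]))      # delete whole key
                key = None
            elif line.startswith("[") and line.endswith("]"):
                key = line[1:-1]                              # key for following values
            elif key and line.endswith("=-"):
                name = line[:-2].strip().strip('"')
                targets.append(("regvalue", key + "\\" + name))
    return targets


def parse_log(log):
    """Map normalised path -> (status, path as written in the log)."""
    outcomes = {}
    for raw in log.splitlines():
        line = raw.strip()
        for pattern, status in LOG_PATTERNS:
            m = pattern.match(line)
            if m:
                outcomes[norm(m.group(1))] = (status, m.group(1))
                break
    return outcomes


def reconcile(script, log):
    """Return (per-target results, log actions the script did not list)."""
    outcomes = parse_log(log)
    targets = parse_script(script)
    results = [(kind, t, outcomes.get(norm(t), ("no matching log line", t))[0])
               for kind, t in targets]
    wanted = [norm(t) for _, t in targets]
    extras = [orig for key, (status, orig) in outcomes.items()
              if status != "not found"
              and not any(key == w or key.startswith(w + "\\") for w in wanted)]
    return results, extras


if __name__ == "__main__":
    results, extras = reconcile(OTM_SCRIPT, OTM_LOG)
    for kind, target, status in results:
        print(f"{status:>9}  {kind:<8}  {target}")
    for path in extras:
        print("not listed in script:", path)
```

On the data from this thread it reports monsxw32.exe as not found, the AskTBar folder as moved and both registry targets as deleted, and it lists the two CLSID keys that were removed although the script did not name them.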
Re: Please help with malware
Ok.
How is the PC behaving now?
Autoruns + HitmanPro + UPM + Avenger + GMER + OTM + AVPTool + RSIT + RootRepeal
________________________________________________________________________________________
AN UP-TO-DATE ANTIVIRUS AND A PERSONAL FIREWALL ARE TWO ESSENTIAL PROTECTIVE COMPONENTS OF EVERY PC CONNECTED TO THE INTERNET!!!
BY BACKING UP YOUR PERSONAL DATA YOU WILL NOT LOSE IT IN CASE OF FATAL SOFTWARE OR HARDWARE PROBLEMS!!
DO NOT USE COMBOFIX ON YOUR OWN, ONLY WHEN YOU ARE ASKED TO. HANDLING IT INCORRECTLY CAN RENDER THE SYSTEM INOPERABLE!


___________________________________________________________
----------------------earl@forum.viry.cz-----------------------
Re: Please help with malware
Judging by outward impression the computer is behaving fine; files open in Acrobat, which did not work while it was fully infected, and the speed seems normal. How can I express my thanks for the help by supporting the forum financially?
Thank you.
Kocour
Re: Please help with malware
Let's finish cleaning up after the disinfection process:
Start - Run - type ComboFix /Uninstall - and click OK;
if that does not work, rename ComboFix.exe to Uninstall.exe and run it.
-----------------------------------------------------------------------------------------------------------------
Use T-Cleaner to clean the PC of the utilities used during disinfection. Follow the on-screen instructions. If the antivirus detects it, it is a false alarm.
-----------------------------------------------------------------------------------------------------------------
Clean the PC with CCleaner.
Always Analyze first and then Run Cleaner. Twice in a row.
Windows - untick History and Autocomplete Form History - otherwise you would lose the history of visited pages and the passwords saved in forms
(from a security standpoint this is bad, but at least the user then does not complain about where it all disappeared to)
Applications - for the web browsers, untick Internet History.
Registry - leave everything ticked, Scan for Issues, Fix selected issues
(let it make a backup - it is saved in Documents - IMPORTANT).
Likewise 2-3 times in a row.
Click "Support the forum" in my signature - all the information is there.
You're welcome, and we thank you as well.
Re: Please help with malware
So I did everything according to the instructions; once again, thank you very much. I supported viry.cz by SMS.
Regards
Kocour
Re: Please help with malware
You're welcome, and THX from us
