PC virus removal, computer speed-up, remote assistance via the neslape.cz service

Please check my log !!!

Have a problem with a virus? Post your FRST or RSIT log here.

Moderator: Moderators

Forum rules
If you want help, post a log from FRST [guide here] or RSIT [guide here]

Individual threads will be locked once resolved, as will those that have been inactive for more than 14 days. See the Rule on locking topics. Thank you for your understanding.

!NEW!
You can now use the remote assistance service, in which an expert connects to your computer and gets further details about the problem from you by phone! More at www.neslape.cz
Baggio
Visitor
Posts: 22
Registered: 07 Apr 2010 12:18

Re: Please check my log !!!

#16 Post by Baggio »

Yes, I found that AVZ folder with the given name. What should I do with it? Thank you

Baggio
Visitor
Posts: 22
Registered: 07 Apr 2010 12:18

Re: Please check my log !!!

#17 Post by Baggio »

motji wrote: Didn't that virusinfo_syscure.zip pop up anywhere for you? Check whether it is in the AVZ folder
=======================================================

Yes, I found that AVZ folder with the given name. What should I do with it? Thank you

Baggio
Visitor
Posts: 22
Registered: 07 Apr 2010 12:18

Re: Please check my log !!!

#18 Post by Baggio »

Results of system analysis

AVZ 4.32 http://z-oleg.com/secur/avz/
Process List
File name PID Description Copyright MD5 Information
c:\windows\system32\atservice.exe
Script: Quarantine, Delete, Delete via BC, Terminate 1776 AFSS Service Copyright (C) 2000-2008, AuthenTec. All rights reserved. ?? 1641.24 kb, rsAh,
created: 19.3.2009 5:48:34,
modified: 19.3.2009 5:48:34
Command line:
C:\WINDOWS\system32\AtService.exe
c:\program files\alwil software\avast5\avastsvc.exe
Script: Quarantine, Delete, Delete via BC, Terminate 1988 avast! Service Copyright (c) 2010 ALWIL Software ?? 39.44 kb, rsAh,
created: 5.4.2010 14:48:15,
modified: 9.3.2010 12:24:08
Command line:
"C:\Program Files\Alwil Software\Avast5\AvastSvc.exe"
c:\progra~1\alwils~1\avast5\avastui.exe
Script: Quarantine, Delete, Delete via BC, Terminate 3036 avast! Antivirus Copyright (c) 2010 ALWIL Software ?? 2704.43 kb, rsAh,
created: 5.4.2010 14:48:15,
modified: 9.3.2010 12:24:10
Command line:
"C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe" /nogui
c:\program files\thinkpad\bluetooth software\bin\btwdins.exe
Script: Quarantine, Delete, Delete via BC, Terminate 340 Bluetooth Support Server Copyright 2000-2008, Broadcom Corporation. ?? 334.59 kb, rsAh,
created: 29.5.2008 0:23:00,
modified: 29.5.2008 0:23:00
Command line:
"C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe"
c:\windows\system32\ccm\ccmexec.exe
Script: Quarantine, Delete, Delete via BC, Terminate 3920 CCM Executive Copyright (C) Microsoft Corporation. 2004 ?? 565.22 kb, rsAh,
created: 9.2.2006 11:50:00,
modified: 9.2.2006 11:50:00
Command line:
C:\WINDOWS\system32\CCM\CcmExec.exe
c:\windows\system32\dts.exe
Script: Quarantine, Delete, Delete via BC, Terminate 1736 Data Transfer Service ©AuthenTec, Inc. All rights reserved. ?? 96.00 kb, rsAh,
created: 19.3.2009 5:53:02,
modified: 19.3.2009 5:53:02
Command line:
C:\WINDOWS\system32\DTS.exe
c:\windows\explorer.exe
Script: Quarantine, Delete, Delete via BC, Terminate 3444 Windows Explorer © Microsoft Corporation. All rights reserved. ?? 1008.00 kb, rsah,
created: 24.9.2009 4:50:45,
modified: 4.8.2004 14:00:00
Command line:
C:\WINDOWS\Explorer.EXE
c:\windows\temp\fdd447.exe
Script: Quarantine, Delete, Delete via BC, Terminate 2732 ?? 168.07 kb, rsAh,
created: 11.4.2010 14:02:58,
modified: 7.2.2006 16:10:04
Command line:
"C:\WINDOWS\TEMP\FDD447.EXE"
c:\windows\system32\spool\drivers\w32x86\3\fppdis2a.exe
Script: Quarantine, Delete, Delete via BC, Terminate 3056 pdfFactory Copyright (c) 2001-2005 FinePrint Software, LLC ?? 480.00 kb, rsAh,
created: 8.8.2006 22:08:25,
modified: 24.11.2005 11:12:34
Command line:
"C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe" /source=HKCU
c:\program files\common files\microsoft shared\vs7debug\mdm.exe
Script: Quarantine, Delete, Delete via BC, Terminate 2068 Machine Debug Manager © Microsoft Corporation. All rights reserved. ?? 314.57 kb, rsAh,
created: 20.6.2003 8:25:00,
modified: 20.6.2003 8:25:00
Command line:
"C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE"
c:\program files\pc connectivity solution\transports\nclbcbtsrv.exe
Script: Quarantine, Delete, Delete via BC, Terminate 4424 Broadcomm Bluetooth Media Server Copyright (c) 2007 - 2009 Nokia. All Rights Reserved. ?? 156.00 kb, rsAh,
created: 29.10.2009 14:03:34,
modified: 29.10.2009 14:03:34
Command line:
{29CD04CD-A72D-4231-B18B-B84D653A2C05}
c:\program files\thinkpad\utilities\pwmdbsvc.exe
Script: Quarantine, Delete, Delete via BC, Terminate 3860 PWMDBSVC Module Copyright 2008 ?? 92.00 kb, rsah,
created: 16.12.2009 13:58:21,
modified: 25.9.2008 2:47:00
Command line:
"C:\Program Files\ThinkPad\Utilities\PWMDBSVC.EXE"
c:\program files\common files\research in motion\auto update\rimautoupdate.exe
Script: Quarantine, Delete, Delete via BC, Terminate 3052 RIM Auto Update © 1997-2010 Research In Motion Limited. ?? 633.34 kb, rsAh,
created: 10.3.2010 22:32:26,
modified: 10.3.2010 22:32:26
Command line:
"C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe" /background
c:\windows\system32\rundll32.exe
Script: Quarantine, Delete, Delete via BC, Terminate 2024 Run a DLL as an App © Microsoft Corporation. All rights reserved. ?? 32.50 kb, rsAh,
created: 24.9.2009 4:51:25,
modified: 4.8.2004 14:00:00
Command line:
"C:\WINDOWS\system32\rundll32.exe" C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
c:\windows\system32\spoolsv.exe
Script: Quarantine, Delete, Delete via BC, Terminate 1236 Spooler SubSystem App © Microsoft Corporation. All rights reserved. ?? 56.50 kb, rsah,
created: 24.9.2009 4:51:29,
modified: 11.6.2005 1:53:32
Command line:
C:\WINDOWS\system32\spoolsv.exe
c:\program files\trend micro\officescan client\tmlisten.exe
Script: Quarantine, Delete, Delete via BC, Terminate 3288 Copyright (C) 1998-2006 Trend Micro Incorporated. All rights reserved. ?? 600.09 kb, rsAh,
created: 7.2.2006 15:48:52,
modified: 7.2.2006 15:48:52
Command line:
"C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe"
c:\program files\lenovo\npdirect\tpfnf7sp.exe
Script: Quarantine, Delete, Delete via BC, Terminate 2136 Presentation Director Fn+F7 handler Copyright (C) Lenovo 2006. ?? 58.78 kb, rsah,
created: 16.12.2009 13:58:34,
modified: 31.7.2008 5:01:00
Command line:
"C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe" /r
c:\windows\system32\winlogon.exe
Script: Quarantine, Delete, Delete via BC, Terminate 1460 Windows NT Logon Application © Microsoft Corporation. All rights reserved. ?? 490.50 kb, rsah,
created: 24.9.2009 4:51:39,
modified: 4.8.2004 14:00:00
Command line:
winlogon.exe
Detected:68, recognized as trusted 59
Module name Handle Description Copyright MD5 Used by processes
C:\Program Files\Alwil Software\Avast5\1029\Base.dll
Script: Quarantine, Delete, Delete via BC 1711800320 avast! Czech Basic Module Copyright (c) 2010 ALWIL Software -- 1988, 3036
C:\Program Files\Alwil Software\Avast5\defs\10041001\algo.dll
Script: Quarantine, Delete, Delete via BC 1665138688 -- 1988
C:\Program Files\Alwil Software\Avast5\defs\10041001\aswCmnBS.dll
Script: Quarantine, Delete, Delete via BC 1678245888 Common functions Copyright (c) 2010 ALWIL Software -- 1988
C:\Program Files\Alwil Software\Avast5\defs\10041001\aswCmnIS.dll
Script: Quarantine, Delete, Delete via BC 1678770176 Antivirus independent functions Copyright (c) 2010 ALWIL Software -- 1988
C:\Program Files\Alwil Software\Avast5\defs\10041001\aswCmnOS.dll
Script: Quarantine, Delete, Delete via BC 1677721600 Antivirus HW dependent library Copyright (c) 2010 ALWIL Software -- 1988
C:\Program Files\Alwil Software\Avast5\defs\10041001\aswEngin.dll
Script: Quarantine, Delete, Delete via BC 1680080896 High level antivirus engine Copyright (c) 2010 ALWIL Software -- 1988
C:\Program Files\Alwil Software\Avast5\defs\10041001\aswScan.dll
Script: Quarantine, Delete, Delete via BC 1679818752 Low level antivirus engine Copyright (c) 2010 ALWIL Software -- 1988
C:\Program Files\Alwil Software\Avast5\defs\10041100\algo.dll
Script: Quarantine, Delete, Delete via BC 130285568 -- 1988
C:\Program Files\Alwil Software\Avast5\defs\10041100\aswCmnBS.dll
Script: Quarantine, Delete, Delete via BC 128712704 Common functions Copyright (c) 2010 ALWIL Software -- 1988
C:\Program Files\Alwil Software\Avast5\defs\10041100\aswCmnIS.dll
Script: Quarantine, Delete, Delete via BC 90767360 Antivirus independent functions Copyright (c) 2010 ALWIL Software -- 1988
C:\Program Files\Alwil Software\Avast5\defs\10041100\aswCmnOS.dll
Script: Quarantine, Delete, Delete via BC 90570752 Antivirus HW dependent library Copyright (c) 2010 ALWIL Software -- 1988
C:\Program Files\Alwil Software\Avast5\defs\10041100\aswEngin.dll
Script: Quarantine, Delete, Delete via BC 127533056 High level antivirus engine Copyright (c) 2010 ALWIL Software -- 1988
C:\Program Files\Alwil Software\Avast5\defs\10041100\aswScan.dll
Script: Quarantine, Delete, Delete via BC 104005632 Low level antivirus engine Copyright (c) 2010 ALWIL Software -- 1988
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MSDBG2.DLL
Script: Quarantine, Delete, Delete via BC 1364721664 Active Debugging Proxy/Stub © Microsoft Corporation. All rights reserved. -- 2068
C:\Program Files\Common Files\Research In Motion\Auto Update\AutoUpdateRes1029.dll
Script: Quarantine, Delete, Delete via BC 268435456 RIM Auto Update © 1997-2010 Research In Motion Limited. -- 3052
C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe
Script: Quarantine, Delete, Delete via BC 4194304 RIM Auto Update © 1997-2010 Research In Motion Limited. ?? 3052
C:\Program Files\Internet Explorer\mui\0405\browselc.dll
Script: Quarantine, Delete, Delete via BC 1916862464 Shell Browser UI Library © Microsoft Corporation. Všechna práva vyhrazena. -- 3444
C:\Program Files\Lenovo Fingerprint Software\ATCSSINT.DLL
Script: Quarantine, Delete, Delete via BC 17301504 Fingerprint Authentication Interfaces (C) AuthenTec Inc. All rights reserved. -- 1460
C:\Program Files\Lenovo Fingerprint Software\FPResource.dll
Script: Quarantine, Delete, Delete via BC 21233664 Multilingual Resource Dynamic Link Library © AuthenTec, Inc. All rights reserved. -- 1460
C:\Program Files\Lenovo Fingerprint Software\SharedResources.dll
Script: Quarantine, Delete, Delete via BC 15925248 Fingerprint Shared Resources Dynamic Link Library Copyright (C) 2006 -- 1460
C:\Program Files\Lenovo\NPDIRECT\tpfnf7.dll
Script: Quarantine, Delete, Delete via BC 11403264 Presentation Director Fn+F7 handler Copyright (C) Lenovo 2006. -- 2136
C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe
Script: Quarantine, Delete, Delete via BC 4194304 Presentation Director Fn+F7 handler Copyright (C) Lenovo 2006. ?? 2136
C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
Script: Quarantine, Delete, Delete via BC 4194304 Bluetooth Support Server Copyright 2000-2008, Broadcom Corporation. ?? 340
C:\Program Files\ThinkPad\Utilities\PWMDBSVC.EXE
Script: Quarantine, Delete, Delete via BC 4194304 PWMDBSVC Module Copyright 2008 ?? 3860
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
Script: Quarantine, Delete, Delete via BC 4194304 Copyright (C) 1998-2006 Trend Micro Incorporated. All rights reserved. ?? 3288
C:\PROGRA~1\ALWILS~1\Avast5\1029\UILangRes.dll
Script: Quarantine, Delete, Delete via BC 1712062464 UILangRes Copyright (c) 2010 ALWIL Software -- 3036
C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRIF.DLL
Script: Quarantine, Delete, Delete via BC 47579136 -- 3444, 3860, 2024
C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL
Script: Quarantine, Delete, Delete via BC 45940736 ThinkPad Power Manager Background Monitor and Tray Battery Gauge Copyright (C) Lenovo 2005,2007. -- 3444, 2024
C:\PROGRA~1\ThinkPad\UTILIT~1\US\PWRMGRRT.DLL
Script: Quarantine, Delete, Delete via BC 47513600 -- 3444, 2024
C:\WINDOWS\system32\AFSSClientLib.dll
Script: Quarantine, Delete, Delete via BC 26148864 AFSS Client Library Copyright (C) 2000-2008, AuthenTec. All rights reserved. -- 1460
C:\WINDOWS\system32\ATGinaHook.dll
Script: Quarantine, Delete, Delete via BC 268435456 Fingerprint system pass-through GINA Copyright (C) 2009 AuthenTec Inc. -- 1460
C:\WINDOWS\system32\AtService.exe
Script: Quarantine, Delete, Delete via BC 4194304 AFSS Service Copyright (C) 2000-2008, AuthenTec. All rights reserved. ?? 1776
C:\WINDOWS\system32\bthcrp.dll
Script: Quarantine, Delete, Delete via BC 15532032 bthcrp DLL Copyright 2000-2008, Broadcom Corporation. -- 1236
C:\WINDOWS\system32\CCM\ccmhttp.dll
Script: Quarantine, Delete, Delete via BC 404160512 CCM HTTP Services Copyright (C) Microsoft Corporation. 2004 -- 3920
C:\WINDOWS\system32\DTS.exe
Script: Quarantine, Delete, Delete via BC 4194304 Data Transfer Service ©AuthenTec, Inc. All rights reserved. ?? 1736
C:\WINDOWS\system32\FpWinLogonNp.dll
Script: Quarantine, Delete, Delete via BC 29229056 Fingerprint Winlogon Dynamic Link Library ©AuthenTec, Inc. All rights reserved. -- 1460
C:\WINDOWS\system32\lmdimon.dll
Script: Quarantine, Delete, Delete via BC 12910592 Microsoft® Live Meeting Copyright (C) Microsoft Corp. 2001-2004 -- 1236
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe
Script: Quarantine, Delete, Delete via BC 553648128 pdfFactory Copyright (c) 2001-2005 FinePrint Software, LLC ?? 3056
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppgraf2.dll
Script: Quarantine, Delete, Delete via BC 603979776 pdfFactory Copyright (c) 2001-2005 FinePrint Software, LLC -- 3056
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppint2.dll
Script: Quarantine, Delete, Delete via BC 620756992 pdfFactory Copyright (c) 2001-2005 FinePrint Software, LLC -- 3056
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppr232.dll
Script: Quarantine, Delete, Delete via BC 1090519040 pdfFactory Copyright (c) 2001-2005 FinePrint Software, LLC -- 3056
C:\WINDOWS\System32\spool\PRTPROCS\W32X86\lmdippr.dll
Script: Quarantine, Delete, Delete via BC 16711680 Microsoft® Live Meeting Copyright (C) Microsoft Corp. 2001-2004 -- 1236
C:\WINDOWS\system32\wbtapi.dll
Script: Quarantine, Delete, Delete via BC 268435456 WBTApi DLL Copyright 2000-2008, Broadcom Corporation. -- 4424, 1236
C:\WINDOWS\system32\WidcommSdk.dll
Script: Quarantine, Delete, Delete via BC 21037056 WidcommSdk DLL Copyright 2000-2008, Broadcom Corporation. -- 1236
C:\WINDOWS\TEMP\FDD447.EXE
Script: Quarantine, Delete, Delete via BC 4194304 ?? 2732
Modules found:533, recognized as trusted 488
Kernel Space Modules Viewer
Module Base address Size in memory Description Manufacturer
C:\WINDOWS\System32\Drivers\dump_iaStor.sys
Script: Quarantine, Delete, Delete via BC AC4C9000 0DA000 (892928)
spfs.sys
Script: Quarantine, Delete, Delete via BC B9EB4000 0F3000 (995328)
C:\WINDOWS\system32\DRIVERS\TPHKDRV.sys
Script: Quarantine, Delete, Delete via BC B8D9F000 005000 (20480) ThinkPad Hotkey Driver (C) Lenovo 2005-2008, (C) IBM Corporation 1999-2005.
Modules found - 215, recognized as trusted - 212
Services
Service Description Status File Group Dependencies
ATService
Service: Stop, Delete, Disable AuthenTec Fingerprint Service Running C:\WINDOWS\system32\AtService.exe
Script: Quarantine, Delete, Delete via BC Pointer Class
btwdins
Service: Stop, Delete, Disable Bluetooth Service Running C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
Script: Quarantine, Delete, Delete via BC PlugPlay
dtsvc
Service: Stop, Delete, Disable Data Transfer Service Running C:\WINDOWS\system32\DTS.exe
Script: Quarantine, Delete, Delete via BC Base
Power Manager DBC Service
Service: Stop, Delete, Disable Power Manager DBC Service Running C:\Program Files\ThinkPad\Utilities\PWMDBSVC.EXE
Script: Quarantine, Delete, Delete via BC RPCSS
tmlisten
Service: Stop, Delete, Disable OfficeScanNT Listener Running C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
Script: Quarantine, Delete, Delete via BC
ADMonitor
Service: Stop, Delete, Disable AD Monitor Not started C:\WINDOWS\system32\ADMonitor.exe
Script: Quarantine, Delete, Delete via BC Base
FingerprintServer
Service: Stop, Delete, Disable Fingerprint Server Not started C:\WINDOWS\system32\FpLogonServ.exe
Script: Quarantine, Delete, Delete via BC Pointer Class
Roxio UPnP Renderer 9
Service: Stop, Delete, Disable Roxio UPnP Renderer 9 Not started C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
Script: Quarantine, Delete, Delete via BC
Roxio Upnp Server 9
Service: Stop, Delete, Disable Roxio Upnp Server 9 Not started C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
Script: Quarantine, Delete, Delete via BC
RoxLiveShare9
Service: Stop, Delete, Disable LiveShare P2P Server 9 Not started C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
Script: Quarantine, Delete, Delete via BC RPCSS
RoxMediaDB9
Service: Stop, Delete, Disable RoxMediaDB9 Not started C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
Script: Quarantine, Delete, Delete via BC
RoxWatch9
Service: Stop, Delete, Disable Roxio Hard Drive Watcher 9 Not started C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
Script: Quarantine, Delete, Delete via BC
Detected - 120, recognized as trusted - 108
Drivers
Service Description Status File Group Dependencies
sptd
Driver: Unload, Delete, Disable sptd Running C:\WINDOWS\System32\Drivers\sptd.sys
Script: Quarantine, Delete, Delete via BC Boot Bus Extender
TPHKDRV
Driver: Unload, Delete, Disable TPHKDRV Running C:\WINDOWS\system32\DRIVERS\TPHKDRV.sys
Script: Quarantine, Delete, Delete via BC
Abiosdsk
Driver: Unload, Delete, Disable Abiosdsk Not started Abiosdsk.sys
Script: Quarantine, Delete, Delete via BC Primary disk
Atdisk
Driver: Unload, Delete, Disable Atdisk Not started Atdisk.sys
Script: Quarantine, Delete, Delete via BC Primary disk
catchme
Driver: Unload, Delete, Disable catchme Not started C:\DOCUME~1\ROBERT~1.JAN\LOCALS~1\Temp\catchme.sys
Script: Quarantine, Delete, Delete via BC Base
Changer
Driver: Unload, Delete, Disable Changer Not started Changer.sys
Script: Quarantine, Delete, Delete via BC Filter
lbrtfdc
Driver: Unload, Delete, Disable lbrtfdc Not started lbrtfdc.sys
Script: Quarantine, Delete, Delete via BC System Bus Extender
PCIDump
Driver: Unload, Delete, Disable PCIDump Not started PCIDump.sys
Script: Quarantine, Delete, Delete via BC PCI Configuration
PDCOMP
Driver: Unload, Delete, Disable PDCOMP Not started PDCOMP.sys
Script: Quarantine, Delete, Delete via BC
PDFRAME
Driver: Unload, Delete, Disable PDFRAME Not started PDFRAME.sys
Script: Quarantine, Delete, Delete via BC
PDRELI
Driver: Unload, Delete, Disable PDRELI Not started PDRELI.sys
Script: Quarantine, Delete, Delete via BC
PDRFRAME
Driver: Unload, Delete, Disable PDRFRAME Not started PDRFRAME.sys
Script: Quarantine, Delete, Delete via BC
prepdrvr
Driver: Unload, Delete, Disable SMS Process Event Driver Not started C:\WINDOWS\system32\CCM\prepdrv.sys
Script: Quarantine, Delete, Delete via BC
Simbad
Driver: Unload, Delete, Disable Simbad Not started Simbad.sys
Script: Quarantine, Delete, Delete via BC Filter
WDICA
Driver: Unload, Delete, Disable WDICA Not started WDICA.sys
Script: Quarantine, Delete, Delete via BC
Detected - 251, recognized as trusted - 236
Autoruns
File name Status Startup method Description
ATGinaHook.dll
Script: Quarantine, Delete, Delete via BC -- Registry key HKEY_LOCAL_MACHINE, Software\Microsoft\Windows NT\CurrentVersion\Winlogon, GinaDLL
C:\Documents and Settings\robert.janota\Application Data\Microsoft\Internet Explorer\Quick Launch\RapidShareManager.exe
Script: Quarantine, Delete, Delete via BC Active File in Startup folder C:\Documents and Settings\robert.janota\Application Data\Microsoft\Internet Explorer\Quick Launch\, C:\Documents and Settings\robert.janota\Application Data\Microsoft\Internet Explorer\Quick Launch\RapidShareManager.exe,
C:\Documents and Settings\robert.janota\Local Settings\Temp\NEventMessages.dll
Script: Quarantine, Delete, Delete via BC Active Registry key HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\Nokia Software Installer, EventMessageFile
Delete
C:\Jean\jean.exe
Script: Quarantine, Delete, Delete via BC Active Shortcut in Startup folder C:\Documents and Settings\robert.janota\Application Data\Microsoft\Internet Explorer\Quick Launch\, C:\Documents and Settings\robert.janota\Application Data\Microsoft\Internet Explorer\Quick Launch\JEAN.lnk,
C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL
Script: Quarantine, Delete, Delete via BC Active Registry key HKEY_LOCAL_MACHINE, Software\Microsoft\Windows\CurrentVersion\Run, PWRMGRTR
Delete
C:\Program Files\Ashampoo\Ashampoo Burning Studio 6 FREE\burningstudio.exe
Script: Quarantine, Delete, Delete via BC Active Shortcut in Startup folder C:\Documents and Settings\robert.janota\Application Data\Microsoft\Internet Explorer\Quick Launch\, C:\Documents and Settings\robert.janota\Application Data\Microsoft\Internet Explorer\Quick Launch\Ashampoo Burning Studio 6 FREE.lnk,
C:\Program Files\Bonjour\mDNSResponder.exe
Script: Quarantine, Delete, Delete via BC Active Registry key HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\Bonjour Service, EventMessageFile
Delete
C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe
Script: Quarantine, Delete, Delete via BC Active Registry key HKEY_LOCAL_MACHINE, Software\Microsoft\Windows\CurrentVersion\Run, BlackBerryAutoUpdate
Delete
C:\Program Files\Essentials Codec Pack\update.exe
Script: Quarantine, Delete, Delete via BC Active Registry key HKEY_LOCAL_MACHINE, Software\Microsoft\Windows\CurrentVersion\Run, Media Codec Update Service
Delete
C:\Program Files\Lenovo Fingerprint Software\fpapp.exe
Script: Quarantine, Delete, Delete via BC Active Registry key HKEY_LOCAL_MACHINE, Software\Microsoft\Windows\CurrentVersion\Run, FingerPrintSoftware
Delete
C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe
Script: Quarantine, Delete, Delete via BC Active Registry key HKEY_LOCAL_MACHINE, Software\Microsoft\Windows\CurrentVersion\Run, TPFNF7
Delete
C:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe
Script: Quarantine, Delete, Delete via BC Active Registry key HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\Synchronize, EventMessageFile
Delete
C:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe
Script: Quarantine, Delete, Delete via BC Active Shortcut in Startup folder C:\Documents and Settings\All Users\Start Menu\Programs\Startup\, C:\Documents and Settings\All Users\Start Menu\Programs\Startup\BlackBerry Desktop Manager.lnk,
C:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe
Script: Quarantine, Delete, Delete via BC Active Shortcut in Startup folder C:\Documents and Settings\robert.janota\Application Data\Microsoft\Internet Explorer\Quick Launch\, C:\Documents and Settings\robert.janota\Application Data\Microsoft\Internet Explorer\Quick Launch\BlackBerry Desktop Manager.lnk,
C:\Program Files\Roxio\Media Manager 9\MediaManager9.exe
Script: Quarantine, Delete, Delete via BC Active Registry key HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\RIMDeviceFileAccess, EventMessageFile
Delete
C:\Program Files\Zoner\Photo Studio 9\Program\Zps9.exe
Script: Quarantine, Delete, Delete via BC Active Shortcut in Startup folder C:\Documents and Settings\robert.janota\Application Data\Microsoft\Internet Explorer\Quick Launch\, C:\Documents and Settings\robert.janota\Application Data\Microsoft\Internet Explorer\Quick Launch\Zoner Photo Studio 9.lnk,
C:\Program Files\pdaBusiness\Qlock\Qlock.exe
Script: Quarantine, Delete, Delete via BC Active Shortcut in Startup folder C:\Documents and Settings\All Users\Start Menu\Programs\Startup\, C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Qlock.lnk,
C:\WINDOWS\Installer\{075F852B-6A58-44D0-A46F-81B13589C637}\Icon075F852B.exe
Script: Quarantine, Delete, Delete via BC Active Shortcut in Startup folder C:\Documents and Settings\robert.janota\Application Data\Microsoft\Internet Explorer\Quick Launch\, C:\Documents and Settings\robert.janota\Application Data\Microsoft\Internet Explorer\Quick Launch\PC Translator 2004.lnk,
C:\WINDOWS\System32\PrintFilterPipelineSvc.exe
Script: Quarantine, Delete, Delete via BC Active Registry key HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\PrintFilterPipelineSvc, EventMessageFile
Delete
C:\WINDOWS\System32\hidserv.dll
Script: Quarantine, Delete, Delete via BC Active Registry key HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\HidServ\Parameters, ServiceDll
Delete
C:\WINDOWS\System32\igmpv2.dll
Script: Quarantine, Delete, Delete via BC Active Registry key HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\IGMPv2, EventMessageFile
Delete
C:\WINDOWS\System32\ipbootp.dll
Script: Quarantine, Delete, Delete via BC Active Registry key HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\IPBOOTP, EventMessageFile
Delete
C:\WINDOWS\System32\iprip2.dll
Script: Quarantine, Delete, Delete via BC Active Registry key HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\IPRIP2, EventMessageFile
Delete
C:\WINDOWS\System32\ospf.dll
Script: Quarantine, Delete, Delete via BC Active Registry key HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\OSPF, EventMessageFile
Delete
C:\WINDOWS\System32\ospfmib.dll
Script: Quarantine, Delete, Delete via BC Active Registry key HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\OSPFMib, EventMessageFile
Delete
C:\WINDOWS\System32\polagent.dll
Script: Quarantine, Delete, Delete via BC Active Registry key HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\PolicyAgent, EventMessageFile
Delete
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe
Script: Quarantine, Delete, Delete via BC Active Registry key HKEY_CURRENT_USER, Software\Microsoft\Windows\CurrentVersion\Run, pdfFactory Pro Dispatcher v2
Delete
C:\WINDOWS\System32\tssdis.exe
Script: Quarantine, Delete, Delete via BC Active Registry key HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\TermServSessDir, EventMessageFile
Delete
C:\WINDOWS\system
Script: Quarantine, Delete, Delete via BC Active Registry key HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\ATService, EventMessageFile
Delete
C:\WINDOWS\system32\FpWinLogonNp.dll
Script: Quarantine, Delete, Delete via BC Active Registry key HKEY_LOCAL_MACHINE, Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ATFUS, DLLName
Delete
C:\WINDOWS\system32\MsSip1.dll
Script: Quarantine, Delete, Delete via BC Active Registry key HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\WinTrust\SubjectPackages\MS Subjects 1, $DLL
Delete
C:\WINDOWS\system32\MsSip2.dll
Script: Quarantine, Delete, Delete via BC Active Registry key HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\WinTrust\SubjectPackages\MS Subjects 2, $DLL
Delete
C:\WINDOWS\system32\MsSip3.dll
Script: Quarantine, Delete, Delete via BC Active Registry key HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\WinTrust\SubjectPackages\MS Subjects 3, $DLL
Delete
C:\WINDOWS\system32\dfrg.msc %c:
Script: Quarantine, Delete, Delete via BC -- Registry key HKEY_LOCAL_MACHINE, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\DefragPath,
C:\WINDOWS\system32\psxss.exe
Script: Quarantine, Delete, Delete via BC -- Registry key HKEY_LOCAL_MACHINE, System\CurrentControlSet\Control\Session Manager\SubSystems, Posix
C:\WINDOWS\system32\stisvc.exe
Script: Quarantine, Delete, Delete via BC Active Registry key HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System, EventMessageFile
Delete
SDEvents.dll
Script: Quarantine, Delete, Delete via BC Active Registry key HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\Spybot - Search & Destroy 2, EventMessageFile
Delete
kbd101.dll
Script: Quarantine, Delete, Delete via BC Active Registry key HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\i8042prt\Parameters, LayerDriver JPN
Delete
kbd101a.dll
Script: Quarantine, Delete, Delete via BC Active Registry key HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\i8042prt\Parameters, LayerDriver KOR
Delete
mvfs32.dll
Script: Quarantine, Delete, Delete via BC Active Registry key HKEY_USERS, .DEFAULT\Control Panel\IOProcs, MVB
Delete
mvfs32.dll
Script: Quarantine, Delete, Delete via BC Active Registry key HKEY_USERS, S-1-5-19\Control Panel\IOProcs, MVB
Delete
mvfs32.dll
Script: Quarantine, Delete, Delete via BC Active Registry key HKEY_USERS, S-1-5-20\Control Panel\IOProcs, MVB
Delete
mvfs32.dll
Script: Quarantine, Delete, Delete via BC Active Registry key HKEY_USERS, S-1-5-18\Control Panel\IOProcs, MVB
Delete
mvfs32.dll
Script: Quarantine, Delete, Delete via BC Active Registry key HKEY_CURRENT_USER, Control Panel\IOProcs, MVB
Delete
vgafix.fon
Script: Quarantine, Delete, Delete via BC Active Registry key HKEY_LOCAL_MACHINE, Software\Microsoft\Windows NT\CurrentVersion\WOW\boot, fixedfon.fon
Delete
vgaoem.fon
Script: Quarantine, Delete, Delete via BC Active Registry key HKEY_LOCAL_MACHINE, Software\Microsoft\Windows NT\CurrentVersion\WOW\boot, oemfonts.fon
Delete
vgasys.fon
Script: Quarantine, Delete, Delete via BC Active Registry key HKEY_LOCAL_MACHINE, Software\Microsoft\Windows NT\CurrentVersion\WOW\boot, fonts.fon
Delete
Autoruns items found - 631, recognized as trusted - 584
Internet Explorer extension modules (BHOs, Toolbars ...)
File name Type Description Manufacturer CLSID
C:\TRANSLAT\WEBIE.DL_
Script: Quarantine, Delete, Delete via BC Toolbar WebTranslator Module Copyright 2002 {BFC32E1D-EE75-4A48-BC60-104E11EE2431}
Delete
Toolbar {855F3B16-6D32-4FE6-8A56-BBB695989046}
Delete
C:\TRANSLAT\WEBIE.DL_
Script: Quarantine, Delete, Delete via BC Extension module WebTranslator Module Copyright 2002 {BFC32E1D-EE75-4A48-BC60-104E11EE2431}
Delete
C:\TRANSLAT\WEBIE.DL_
Script: Quarantine, Delete, Delete via BC Extension module WebTranslator Module Copyright 2002 {CC963627-B1DC-40E0-B52A-CF21EE748450}
Delete
C:\TRANSLAT\WEBIE.DL_
Script: Quarantine, Delete, Delete via BC Extension module WebTranslator Module Copyright 2002 {CC963627-B1DC-40E0-B52A-CF21EE748451}
Delete
C:\TRANSLAT\WEBIE.DL_
Script: Quarantine, Delete, Delete via BC Extension module WebTranslator Module Copyright 2002 {CC963627-B1DC-40E0-B52A-CF21EE748452}
Delete
C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
Script: Quarantine, Delete, Delete via BC Extension module {CCA281CA-C863-46ef-9331-5C8D4460577F}
Delete
URLSearchHook {855F3B16-6D32-4fe6-8A56-BBB695989046}
Delete
Items found - 17, recognized as trusted - 9
Windows Explorer extension modules
File name Destination Description Manufacturer CLSID
deskpan.dll
Script: Quarantine, Delete, Delete via BC Display Panning CPL Extension {42071714-76d4-11d1-8b24-00a0c9068ff3}
Delete
Shell extensions for file compression {764BF0E1-F219-11ce-972D-00AA00A14F56}
Delete
Encryption Context Menu {853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}
Delete
Taskbar and Start Menu {0DF44EAA-FF21-4412-828E-260A8728E7F1}
Delete
rundll32.exe C:\WINDOWS\system32\shimgvw.dll,ImageView_COMServer {00E7B358-F65B-4dcf-83DF-CD026B94BFD4}
Script: Quarantine, Delete, Delete via BC Autoplay for SlideShow {00E7B358-F65B-4dcf-83DF-CD026B94BFD4}
Delete
User Accounts {7A9D77BD-5403-11d2-8785-2E0420524153}
Delete

C:\WINDOWS\system32\BTNEIG~1.DLL
Script: Quarantine, Delete, Delete via BC My Bluetooth Places BTNeighborhood DLL Copyright 2000-2008, Broadcom Corporation. {6af09ec9-b429-11d4-a1fb-0090960218cb}
Delete
C:\WINDOWS\system32\btncopy.dll
Script: Quarantine, Delete, Delete via BC Monitor BTNCopy Module Copyright 2000-2008, Broadcom Corporation. {7842554E-6BED-11D2-8CDB-B05550C10000}
Delete
Microsoft Office Metadata Handler {993BE281-6695-4BA5-8A2A-7AACBFAAB69E}
Delete
Microsoft Office Thumbnail Handler {C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97}
Delete
IE User Assist {FAC3CBF6-8697-43d0-BAB9-DCD1FCE19D75}
Delete
Items found - 220, recognized as trusted - 208
Printing system extensions (print monitors, providers)
File name Type Name Description Manufacturer
C:\WINDOWS\system32\lmdimon.dll
Script: Quarantine, Delete, Delete via BC Monitor Microsoft Office Live Meeting Document Writer Monitor Microsoft® Live Meeting Copyright (C) Microsoft Corp. 2001-2004
C:\WINDOWS\system32\bthcrp.dll
Script: Quarantine, Delete, Delete via BC Monitor Port tiskárny Bluetooth bthcrp DLL Copyright 2000-2008, Broadcom Corporation.
Items found - 13, recognized as trusted - 11
Task Scheduler jobs
File name Job name Job state Description Manufacturer
C:\PROGRA~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE
Script: Quarantine, Delete, Delete via BC PMTask.job The task will not run at the scheduled times because it has been disabled.
Items found - 4, recognized as trusted - 3
SPI/LSP settings
Namespace providers (NSP)
Manufacturer Status EXE file Description GUID
Detected - 3, recognized as trusted - 3
Transport protocol providers (TSP, LSP)
Manufacturer EXE file Description
Detected - 23, recognized as trusted - 23
Results of automatic SPI settings check

LSP settings checked. No errors detected

TCP/UDP ports
Port Status Remote Host Remote Port Application Notes
TCP ports
135 LISTENING 0.0.0.0 18636 [1912] c:\windows\system32\svchost.exe
Script: Quarantine, Delete, Delete via BC, Terminate
445 LISTENING 0.0.0.0 38974 [4] System
Script: Quarantine, Delete, Delete via BC, Terminate
1025 ESTABLISHED 127.0.0.1 5550 [1460] \??\c:\windows\system32\winlogon.exe
Script: Quarantine, Delete, Delete via BC, Terminate
1033 ESTABLISHED 127.0.0.1 27015 [3020] c:\program files\itunes\ituneshelper.exe
Script: Quarantine, Delete, Delete via BC, Terminate
1068 LISTENING 0.0.0.0 49273 [4192] c:\windows\system32\alg.exe
Script: Quarantine, Delete, Delete via BC, Terminate
5550 LISTENING 0.0.0.0 24789 [1776] c:\windows\system32\atservice.exe
Script: Quarantine, Delete, Delete via BC, Terminate
5550 ESTABLISHED 127.0.0.1 1025 [1776] c:\windows\system32\atservice.exe
Script: Quarantine, Delete, Delete via BC, Terminate
27015 LISTENING 0.0.0.0 24792 [1060] c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe
Script: Quarantine, Delete, Delete via BC, Terminate
27015 ESTABLISHED 127.0.0.1 1033 [1060] c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe
Script: Quarantine, Delete, Delete via BC, Terminate
62514 LISTENING 0.0.0.0 8300 [1140] c:\program files\cisco systems\vpn client\cvpnd.exe
Script: Quarantine, Delete, Delete via BC, Terminate
65394 LISTENING 0.0.0.0 20716 [3288] c:\program files\trend micro\officescan client\tmlisten.exe
Script: Quarantine, Delete, Delete via BC, Terminate
UDP ports
123 LISTENING -- -- [296] c:\windows\system32\svchost.exe
Script: Quarantine, Delete, Delete via BC, Terminate
445 LISTENING -- -- [4] System
Script: Quarantine, Delete, Delete via BC, Terminate
500 LISTENING -- -- [1520] c:\windows\system32\lsass.exe
Script: Quarantine, Delete, Delete via BC, Terminate
1900 LISTENING -- -- [980] c:\windows\system32\svchost.exe
Script: Quarantine, Delete, Delete via BC, Terminate
4500 LISTENING -- -- [1520] c:\windows\system32\lsass.exe
Script: Quarantine, Delete, Delete via BC, Terminate
62514 LISTENING -- -- [1140] c:\program files\cisco systems\vpn client\cvpnd.exe
Script: Quarantine, Delete, Delete via BC, Terminate
Downloaded Program Files (DPF)
File name Description Manufacturer CLSID Source URL
Items found - 4, recognized as trusted - 4
Control Panel Applets (CPL)
File name Description Manufacturer
C:\WINDOWS\system32\btcpl.cpl
Script: Quarantine, Delete, Delete via BC Bluetooth Control Panel Copyright 2000-2008, Broadcom Corporation.
Items found - 29, recognized as trusted - 28
Active Setup
File name Description Manufacturer CLSID
Items found - 15, recognized as trusted - 15
HOSTS file
Hosts file record


127.0.0.1 localhost

Protocols and handlers
File name Type Description Manufacturer CLSID
mscoree.dll
Script: Quarantine, Delete, Delete via BC Protocol Microsoft .NET Runtime Execution Engine () © Microsoft Corporation. All rights reserved. {1E66F26B-79EE-11D2-8710-00C04F79ED0D}
mscoree.dll
Script: Quarantine, Delete, Delete via BC Protocol Microsoft .NET Runtime Execution Engine () © Microsoft Corporation. All rights reserved. {1E66F26B-79EE-11D2-8710-00C04F79ED0D}
mscoree.dll
Script: Quarantine, Delete, Delete via BC Protocol Microsoft .NET Runtime Execution Engine () © Microsoft Corporation. All rights reserved. {1E66F26B-79EE-11D2-8710-00C04F79ED0D}
Items found - 31, recognized as trusted - 28
Suspicious objects
File Description Type
C:\WINDOWS\System32\Drivers\aswSP.SYS
Script: Quarantine, Delete, Delete via BC Suspicion for Rootkit Kernel-mode hook
C:\System Volume Information\_restore{9AB2435C-DE2B-4478-9105-C7393117FEFB}\RP31\A0046811.exe
Script: Quarantine, Delete, Delete via BC Suspicion by File scanner Suspicion for Backdoor.Win32.Eclypse ( 0041F192 00186D09 00178E59 0009F1EA 40960)
C:\System Volume Information\_restore{9AB2435C-DE2B-4478-9105-C7393117FEFB}\RP31\A0046813.exe
Script: Quarantine, Delete, Delete via BC Suspicion by File scanner Suspicion for Backdoor.Win32.Eclypse ( 0041F192 00186D09 00178E59 0009F1EA 40960)

AVZ Antiviral Toolkit log; AVZ version is 4.32
Scanning started at 11.4.2010 14:10:12
Database loaded: signatures - 270034, NN profile(s) - 2, malware removal microprograms - 56, signature database released 10.04.2010 22:53
Heuristic microprograms loaded: 382
PVS microprograms loaded: 9
Digital signatures of system files loaded: 194145
Heuristic analyzer mode: Medium heuristics mode
Malware removal mode: enabled
Windows version is: 5.1.2600, Service Pack 2 ; AVZ is run with administrator rights
System Restore: enabled
1. Searching for Rootkits and other software intercepting API functions
1.1 Searching for user-mode API hooks
Analysis: kernel32.dll, export table found in section .text
Analysis: ntdll.dll, export table found in section .text
Analysis: user32.dll, export table found in section .text
Analysis: advapi32.dll, export table found in section .text
Analysis: ws2_32.dll, export table found in section .text
Analysis: wininet.dll, export table found in section .text
Analysis: rasapi32.dll, export table found in section .text
Analysis: urlmon.dll, export table found in section .text
Analysis: netapi32.dll, export table found in section .text
1.2 Searching for kernel-mode API hooks
Driver loaded successfully
SDT found (RVA=0846E0)
Kernel ntkrnlpa.exe found in memory at address 804D7000
SDT = 8055B6E0
KiST = 80503960 (284)
Functions checked: 284, intercepted: 0, restored: 0
1.3 Checking IDT and SYSENTER
Analyzing CPU 1
Analyzing CPU 2
CmpCallCallBacks = 00092D3C
Disable callback - ??? ???????????????
Checking IDT and SYSENTER - complete
1.4 Searching for masking processes and drivers
Checking not performed: extended monitoring driver (AVZPM) is not installed
Driver loaded successfully
1.5 Checking IRP handlers
\FileSystem\ntfs[IRP_MJ_CREATE] = AC5DFFEE -> C:\WINDOWS\System32\Drivers\aswSP.SYS, driver recognized as trusted
\FileSystem\ntfs[IRP_MJ_CLOSE] = AC5E002E -> C:\WINDOWS\System32\Drivers\aswSP.SYS, driver recognized as trusted
\FileSystem\ntfs[IRP_MJ_WRITE] = AC5E010A -> C:\WINDOWS\System32\Drivers\aswSP.SYS, driver recognized as trusted
\FileSystem\ntfs[IRP_MJ_QUERY_INFORMATION] = 8A5C91F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_SET_INFORMATION] = AC5E014A -> C:\WINDOWS\System32\Drivers\aswSP.SYS, driver recognized as trusted
\FileSystem\ntfs[IRP_MJ_QUERY_EA] = 8A5C91F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_SET_EA] = 8A5C91F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_QUERY_VOLUME_INFORMATION] = 8A5C91F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_SET_VOLUME_INFORMATION] = 8A5C91F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_DIRECTORY_CONTROL] = 8A5C91F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_FILE_SYSTEM_CONTROL] = 8A5C91F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_DEVICE_CONTROL] = 8A5C91F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_LOCK_CONTROL] = 8A5C91F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_QUERY_SECURITY] = 8A5C91F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_SET_SECURITY] = 8A5C91F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_PNP] = 8A5C91F8 -> hook not defined
\FileSystem\FastFat[IRP_MJ_CREATE] = 892191F8 -> hook not defined
\FileSystem\FastFat[IRP_MJ_CLOSE] = 892191F8 -> hook not defined
\FileSystem\FastFat[IRP_MJ_WRITE] = 892191F8 -> hook not defined
\FileSystem\FastFat[IRP_MJ_QUERY_INFORMATION] = 892191F8 -> hook not defined
\FileSystem\FastFat[IRP_MJ_SET_INFORMATION] = 892191F8 -> hook not defined
\FileSystem\FastFat[IRP_MJ_QUERY_EA] = 892191F8 -> hook not defined
\FileSystem\FastFat[IRP_MJ_SET_EA] = 892191F8 -> hook not defined
\FileSystem\FastFat[IRP_MJ_QUERY_VOLUME_INFORMATION] = 892191F8 -> hook not defined
\FileSystem\FastFat[IRP_MJ_SET_VOLUME_INFORMATION] = 892191F8 -> hook not defined
\FileSystem\FastFat[IRP_MJ_DIRECTORY_CONTROL] = 892191F8 -> hook not defined
\FileSystem\FastFat[IRP_MJ_FILE_SYSTEM_CONTROL] = 892191F8 -> hook not defined
\FileSystem\FastFat[IRP_MJ_DEVICE_CONTROL] = 892191F8 -> hook not defined
\FileSystem\FastFat[IRP_MJ_LOCK_CONTROL] = 892191F8 -> hook not defined
\FileSystem\FastFat[IRP_MJ_PNP] = 892191F8 -> hook not defined
Checking - complete
2. Scanning RAM
Number of processes found: 66
Number of modules loaded: 474
Scanning RAM - complete
3. Scanning disks
C:\System Volume Information\_restore{9AB2435C-DE2B-4478-9105-C7393117FEFB}\RP31\A0046811.exe >>> suspicion for Backdoor.Win32.Eclypse ( 0041F192 00186D09 00178E59 0009F1EA 40960)
C:\System Volume Information\_restore{9AB2435C-DE2B-4478-9105-C7393117FEFB}\RP31\A0046813.exe >>> suspicion for Backdoor.Win32.Eclypse ( 0041F192 00186D09 00178E59 0009F1EA 40960)
Direct reading: C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\execmgr\00000002.msg
Direct reading: C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\InventoryAgent\00000004.msg
Direct reading: C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\LS_ReplyLocations\00000001.msg
Direct reading: C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\LS_ScheduledCleanup\0000000H.msg
Direct reading: C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\PolicyAgent_Cleanup\00000009.msg
Direct reading: C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\PolicyAgent_PolicyDownload\00000001.msg
Direct reading: C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\PolicyAgent_PolicyEvaluator\000000BX.msg
Direct reading: C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\PolicyAgent_ReplyAssignments\00000001.msg
Direct reading: C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\SrcUpdateMgr\00000001.msg
Direct reading: C:\WINDOWS\system32\CCM\ServiceData\Messaging\OutgoingQueues\amp_[http]mp_locationmanager\0000000P.msg
Direct reading: C:\WINDOWS\system32\CCM\ServiceData\Messaging\OutgoingQueues\mp_mp_ddrendpoint\00000001.msg
Direct reading: C:\WINDOWS\system32\CCM\ServiceData\Messaging\OutgoingQueues\mp_mp_hinvendpoint\00000001.msg
Direct reading: C:\WINDOWS\system32\CCM\ServiceData\Messaging\OutgoingQueues\mp_mp_sinvendpoint\00000001.msg
Direct reading: C:\WINDOWS\system32\CCM\ServiceData\Messaging\OutgoingQueues\mp_statusreceiver\00000005.msg
Direct reading: C:\WINDOWS\system32\CCM\ServiceData\Messaging\OutgoingQueues\mp_statusreceiver\00000006.msg
Direct reading: C:\WINDOWS\system32\CCM\ServiceData\Messaging\OutgoingQueues\mp_[http]mp_locationmanager\0000000W.msg
Direct reading: C:\WINDOWS\system32\CCM\ServiceData\Messaging\OutgoingQueues\mp_[http]mp_policymanager\0000003O.msg
Direct reading: C:\WINDOWS\system32\drivers\sptd.sys
Direct reading: C:\WINDOWS\system32\kbdblrr.dll
4. Checking Winsock Layered Service Provider (SPI/LSP)
LSP settings checked. No errors detected
5. Searching for keyboard/mouse/windows events hooks (Keyloggers, Trojan DLLs)
6. Searching for opened TCP/UDP ports used by malicious software
Checking - disabled by user
7. Heuristic system check
Checking - complete
8. Searching for vulnerabilities
>> Services: potentially dangerous service allowed: RemoteRegistry (Remote Registry)
>> Services: potentially dangerous service allowed: TermService (Terminal Services)
>> Services: potentially dangerous service allowed: SSDPSRV (SSDP Discovery Service)
>> Services: potentially dangerous service allowed: TlntSvr (Telnet)
>> Services: potentially dangerous service allowed: Schedule (Task Scheduler)
>> Services: potentially dangerous service allowed: mnmsrvc (NetMeeting Remote Desktop Sharing)
>> Services: potentially dangerous service allowed: RDSessMgr (Remote Desktop Help Session Manager)
> Services: please bear in mind that the set of services depends on the use of the PC (home PC, office PC connected to corporate network, etc)!
>> Security: disk drives' autorun is enabled
>> Security: administrative shares (C$, D$ ...) are enabled
>> Security: anonymous user access is enabled
>> Security: sending Remote Assistant queries is enabled
Checking - complete
9. Troubleshooting wizard
>> HDD autorun is allowed
>> Network drives autorun is allowed
>> Removable media autorun is allowed
Checking - complete
Files scanned: 173345, extracted from archives: 149714, malicious software found 0, suspicions - 2
Scanning finished at 11.4.2010 14:45:52
Time of scanning: 00:35:41
If you have a suspicion on presence of viruses or questions on the suspected objects,
you can address http://virusinfo.info conference
Creating archive of files from Quarantine
Creating archive of files from Quarantine - complete
System Analysis in progress


Script commands

Add commands to script:

* Blocking hooks using Anti-Rootkit
* Enable AVZGuard
* Operations with AVZPM (true=enable,false=disable)
* BootCleaner - import list of deleted files
* Remove traces of deleted files
* BootCleaner - activate
* Reboot
* Insert template for QuarantineFile() - quarantining a file
* Insert template for BC_QrFile() - quarantining file via BootCleaner
* Insert template for DeleteFile() - deleting a file
* Insert template for DelCLSID() - removing a CLSID item from registry

Additional operations:

* Performance tweaking: disable service RemoteRegistry (Remote Registry)
* Performance tweaking: disable service TermService (Terminal Services)
* Performance tweaking: disable service SSDPSRV (SSDP Discovery Service)
* Performance tweaking: disable service TlntSvr (Telnet)
* Performance tweaking: disable service Schedule (Task Scheduler)
* Performance tweaking: disable service mnmsrvc (NetMeeting Remote Desktop Sharing)
* Performance tweaking: disable service RDSessMgr (Remote Desktop Help Session Manager)
* Security tweaking: disable CD autorun
* Security tweaking: disable administrative shares
* Security tweaking: disable anonymous user access
* Security: disable sending Remote Assistant queries

motji
VIP
Posts: 23302
Registered: 23 Oct 2008 08:02

Re: Please check my log !!!

#19 Post by motji »

Attach that folder here as an attachment :)
Do not use COMBOFIX without a helper's recommendation, it can damage the system!
Always back up important data before disinfecting the computer :!:
Want to support our forum? Information here

I am mostly reachable at night, between 21:00 and 23:00
If you have any questions, you can write to me at Motji(at)forum.viry.cz.

Baggio
Visitor
Posts: 22
Registered: 07 Apr 2010 12:18

Re: Please check my log !!!

#20 Post by Baggio »

Folder sent in a RAR...
Attachments
virusinfo_syscure.zip
(29.09 KiB) Downloaded 50 x

motji
VIP
Posts: 23302
Registered: 23 Oct 2008 08:02

Re: Please check my log !!!

#21 Post by motji »

Before I finish reading the log, how long have you had AVAST5? Try uninstalling it, in case it is the cause :o

:arrow: Test on www.virustotal.com
c:\windows\temp\fdd447.exe
C:\WINDOWS\TEMP\HLA504.EXE

Baggio
Visitor
Posts: 22
Registered: 07 Apr 2010 12:18

Re: Please check my log !!!

#22 Post by Baggio »

Good evening,

I have had Avast for about a week; I installed it precisely so it would "catch that mouse" for me, but nothing so far. OK, I will uninstall it. I have a company notebook with an antivirus installed (OfficeScan Client - TREND MICRO - I personally did not know this one)

As for those two files, for both it tells me it cannot find them... :shock:

Thank you :)

motji
VIP
Posts: 23302
Registered: 23 Oct 2008 08:02

Re: Please check my log !!!

#23 Post by motji »

So they are no longer there.
Turn off System Restore - see the guide in my signature - SVI.

On that Trend Micro, do you only have the firewall enabled?


:arrow: Download OTM http://oldtimer.geekstogo.com/OTM.exe
Download Otm to the desktop, double-click Otm, the program starts,
Into the left window "Paste Instructions for Items to be Moved", below the yellow line, copy the script

Code:

:processes
explorer.exe
 
:files
C:\WINDOWS\system32\*.tmp.dll /s
C:\WINDOWS\system32\SET*.tmp /s
C:\WINDOWS\*.tmp /s
c:\windows\temp\*.exe /s
C:\WINDOWS\TEMP\HLA504.EXE

:commands
[emptytemp]
[EMPTYFLASH]
[clearallrestorepoints]
[Reboot]
- click the red MoveIt! button
- paste the contents of the green window here
- If it wants to restart the PC, click YES; you will then find the log in C:\_OTM\MovedFiles. Paste the log here


:arrow: Please post a new log from RSIT

Baggio
Visitor
Posts: 22
Registered: 07 Apr 2010 12:18

Re: Please check my log !!!

#24 Post by Baggio »

But I do not know how to turn off System Restore, or where I would find that guide? Somewhere in the discussion forum under SVI? Sorry... :(

motji
VIP
Posts: 23302
Registered: 23 Oct 2008 08:02

Re: Please check my log !!!

#25 Post by motji »


Baggio
Visitor
Posts: 22
Registered: 07 Apr 2010 12:18

Re: Please check my log !!!

#26 Post by Baggio »

OK, thank you. On that Trend I have a "tick" next to enable firewall, so probably yes. OTM log here please:

===================================================================================

All processes killed
========== PROCESSES ==========
No active process named explorer.exe was found!
========== FILES ==========
File/Folder C:\WINDOWS\system32\*.tmp.dll not found.
C:\WINDOWS\system32\SET501.tmp moved successfully.
C:\WINDOWS\system32\SET50D.tmp moved successfully.
C:\WINDOWS\system32\SET51A.tmp moved successfully.
C:\WINDOWS\CSC\csc1.tmp moved successfully.
C:\WINDOWS\Installer\MSI1E5.tmp moved successfully.
C:\WINDOWS\system32\CONFIG.TMP moved successfully.
c:\windows\temp\DC71D2.EXE moved successfully.
c:\windows\temp\NQ7766.EXE moved successfully.
File/Folder C:\WINDOWS\TEMP\HLA504.EXE not found.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32768 bytes

User: LocalService
->Temp folder emptied: 65748 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->FireFox cache emptied: 3204742 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: robert.janota
->Temp folder emptied: 751988 bytes
->Temporary Internet Files folder emptied: 1566700 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 41941857 bytes
->Google Chrome cache emptied: 0 bytes
->Flash cache emptied: 1930 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 609 bytes

Total Files Cleaned = 45,00 mb


Restore points cleared and new OTM Restore Point set!

OTM by OldTimer - Version 3.1.10.1 log created on 04112010_225022

Files moved on Reboot...

Registry entries deleted on Reboot...

motji
VIP
Posts: 23302
Registered: 23 Oct 2008 08:02

Re: Please check my log !!!

#27 Post by motji »

Please post a new log from RSIT.
Do you remember whether you installed a new program before it started freezing?
How is the computer doing now?

Baggio
Visitor
Posts: 22
Registered: 07 Apr 2010 12:18

Re: Please check my log !!!

#28 Post by Baggio »

Is RSIT HijackThis? I am starting to get confused by all this. It started acting up around the time I installed the new ICQ, from Atlas. I do not use it much, it is more my kid... :o

Otherwise I do not know about the notebook yet, because it keeps restarting, or restarting itself, every little while, so I will wait a bit and see... :)


=======================================================

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:06:30, on 11.4.2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\DTS.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\AtService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Intel\WiFi\bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Intel\WiFi\bin\EvtEng.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
C:\WINDOWS\TEMP\RZ69BF.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\WINDOWS\System32\TPHDEXLG.exe
C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
C:\Program Files\ThinkPad\Utilities\PWMDBSVC.EXE
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\TpShocks.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe
C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
C:\Program Files\Lenovo\Zoom\TpScrex.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe
C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\pdaBusiness\Qlock\Qlock.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
C:\Program Files\PC Connectivity Solution\Transports\NclBCBTSrv.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntupd.exe
C:\Documents and Settings\robert.janota\My Documents\Stažené soubory\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.seznam.cz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: (no name) - {855F3B16-6D32-4fe6-8A56-BBB695989046} - (no file)
R3 - URLSearchHook: (no name) - - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: WebTranslator - {BFC32E1D-EE75-4A48-BC60-104E11EE2431} - C:\TRANSLAT\WEBIE.DL_
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: (no name) - {855F3B16-6D32-4FE6-8A56-BBB695989046} - (no file)
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [PtiuPbmd] Rundll32.exe ptipbm.dll,SetWriteBack
O4 - HKLM\..\Run: [SetCacheMode] Rundll32.exe ptipbmf.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [BLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [TPFNF7] C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe /r
O4 - HKLM\..\Run: [TPHOTKEY] C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [FingerPrintSoftware] "C:\Program Files\Lenovo Fingerprint Software\fpapp.exe" \s
O4 - HKLM\..\Run: [Media Codec Update Service] C:\Program Files\Essentials Codec Pack\update.exe -silent
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [BlackBerryAutoUpdate] C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe /background
O4 - HKCU\..\Run: [pdfFactory Pro Dispatcher v2] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe" /source=HKCU
O4 - HKCU\..\Run: [PC Suite Tray] "C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe" -onlytray
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: BlackBerry Desktop Manager.lnk = C:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe
O4 - Global Startup: Qlock.lnk = C:\Program Files\pdaBusiness\Qlock\Qlock.exe
O4 - Global Startup: VPN Client.lnk = ?
O8 - Extra context menu item: &NeoTrace It! - C:\PROGRA~1\NEOTRA~1\NTXcontext.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Odeslat do zařízení &Bluetooth... - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Odeslat do zařízení Bluetooth - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: WebTran - {BFC32E1D-EE75-4A48-BC60-104E11EE2431} - C:\TRANSLAT\WEBIE.DL_
O9 - Extra button: (no name) - {CC963627-B1DC-40E0-B52A-CF21EE748450} - C:\TRANSLAT\WEBIE.DL_
O9 - Extra 'Tools' menuitem: &Nastavit překladač - {CC963627-B1DC-40E0-B52A-CF21EE748450} - C:\TRANSLAT\WEBIE.DL_
O9 - Extra button: (no name) - {CC963627-B1DC-40E0-B52A-CF21EE748451} - C:\TRANSLAT\WEBIE.DL_
O9 - Extra 'Tools' menuitem: Přeložit &označený text - {CC963627-B1DC-40E0-B52A-CF21EE748451} - C:\TRANSLAT\WEBIE.DL_
O9 - Extra button: (no name) - {CC963627-B1DC-40E0-B52A-CF21EE748452} - C:\TRANSLAT\WEBIE.DL_
O9 - Extra 'Tools' menuitem: Přeložit &stránku - {CC963627-B1DC-40E0-B52A-CF21EE748452} - C:\TRANSLAT\WEBIE.DL_
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: NeoTrace It! - {9885224C-1217-4c5f-83C2-00002E6CEF2B} - C:\PROGRA~1\NEOTRA~1\NTXtoolbar.htm (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.valeantvision.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Valeant.Corp.vrx
O17 - HKLM\Software\..\Telephony: DomainName = Valeant.Corp.vrx
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = Valeant.Corp.vrx
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = ICNPHARM.COM
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = ICNPHARM.COM
O20 - Winlogon Notify: ATFUS - C:\WINDOWS\system32\FpWinLogonNp.dll
O23 - Service: AD Monitor (ADMonitor) - Unknown owner - C:\WINDOWS\system32\ADMonitor.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AuthenTec Fingerprint Service (ATService) - AuthenTec, Inc. - C:\WINDOWS\system32\AtService.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Data Transfer Service (dtsvc) - Unknown owner - C:\WINDOWS\system32\DTS.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel(R) Corporation - C:\Program Files\Intel\WiFi\bin\EvtEng.exe
O23 - Service: Fingerprint Server (FingerprintServer) - AuthenTec,Inc - C:\WINDOWS\system32\FpLogonServ.exe
O23 - Service: Služba Google Update (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
O23 - Service: Power Manager DBC Service - Unknown owner - C:\Program Files\ThinkPad\Utilities\PWMDBSVC.EXE
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel(R) Corporation - C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
O23 - Service: Roxio UPnP Renderer 9 - Unknown owner - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe (file missing)
O23 - Service: Roxio Upnp Server 9 - Unknown owner - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe (file missing)
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: Intel® PROSet/Wireless WiFi Service (S24EventMonitor) - Intel(R) Corporation - C:\Program Files\Intel\WiFi\bin\S24EvMon.exe
O23 - Service: ServiceLayer - Nokia - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\winvnc4.exe

--
End of file - 13034 bytes
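As an added example (not part of the thread, and not code from HijackThis or the helper), a small Python triage helper for O23 service lines in the format shown in the log above: it parses the "O23 - Service: name - company - path [(file missing)]" layout and flags the entries a helper checks first (no publisher, binary no longer present, or a path under a TEMP directory). The sample lines are copied from the log above; the flag names are my own.

```python
import re

# Constructed sample: five O23 (service) lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
O23 - Service: AD Monitor (ADMonitor) - Unknown owner - C:\WINDOWS\system32\ADMonitor.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Data Transfer Service (dtsvc) - Unknown owner - C:\WINDOWS\system32\DTS.exe
O23 - Service: Roxio UPnP Renderer 9 - Unknown owner - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe (file missing)
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\winvnc4.exe
"""

# HijackThis O23 layout: "O23 - Service: <display name> - <company> - <image path> [(file missing)]"
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$")

def parse_o23(line):
    """Split one O23 line into its fields; returns None for any other HJT line type."""
    m = O23_RE.match(line.strip())
    if not m:
        return None
    return {"name": m.group("name"), "owner": m.group("owner"),
            "path": m.group("path"), "missing": m.group("missing") is not None}

def triage_flags(entry):
    """Reasons an analyst would look twice at a service entry. They are prompts to verify
    the binary (publisher, hash, VirusTotal), not verdicts: 'Unknown owner' only means the
    file carries no company name in its version resource."""
    flags = []
    if entry["owner"] == "Unknown owner":
        flags.append("unknown owner")
    if entry["missing"]:
        flags.append("file missing")      # stale service entry pointing at a deleted binary
    if "\\temp\\" in entry["path"].lower():
        flags.append("runs from TEMP")    # services normally do not live in temp directories
    return flags

def triage(log_text):
    """Return the O23 entries of a HijackThis log that carry at least one flag."""
    flagged = []
    for line in log_text.splitlines():
        entry = parse_o23(line)
        if entry is None:
            continue
        flags = triage_flags(entry)
        if flags:
            entry["flags"] = flags
            flagged.append(entry)
    return flagged

for e in triage(SAMPLE_LOG):
    print(e["name"], "->", ", ".join(e["flags"]))
```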

motji
VIP
Posts: 23302
Registered: 23 Oct 2008 08:02

Re: Please check my log !!!

#29 Post by motji »

No, RSIT is a slightly different program, you will surely find it somewhere. But it includes HJT too, RSIT just shows more :)


→ Test this file at www.virustotal.com
C:\WINDOWS\TEMP\RZ69BF.EXE

→ Try uninstalling ICQ and cleaning the registry with CCleaner

→ Uninstall AVZ
- in the menu File -> Standard script choose option "6"
- click Execute selected scripts, confirm "Yes"


→ Uninstall ComboFix via Start - Run
- paste into the box:

ComboFix /Uninstall

- press Enter
- This uninstalls ComboFix and deletes the files and folders associated with it.


***********


→ Download T-Cleaner
http://sweb.cz/Marinus/T-Cleaner.exe

- Run it; to confirm the prompts press the A key and then Enter
- delete the little program after use. Note: antivirus programs may falsely flag it as a virus



***********


→ Download CCleaner from my signature
- install it; when choosing what to install, untick the installation of the Yahoo toolbar

Cleaner tab
- leave everything in the left column ticked as it is, click Analyze
- after the analysis click Run CCleaner

Registry tab
- click Scan for Issues
- then click Fix selected issues -- make a registry backup - you don't have to
- click Fix all issues → ok → close

Tools tab
- here you can uninstall programs. It is a more thorough uninstall than Add/Remove Programs in Windows.

CCleaner - I recommend using the Cleaner regularly, it nicely clears the PC of temporary files.
The Registry cleaner is useful e.g. after uninstalling some program.


***********



→ Download OTC and run it
http://oldtimer.geekstogo.com/OTC.exe
- it cleans temp files and the leftovers of the tools used
Do not use COMBOFIX without an advisor's recommendation, it can damage the system!
Always back up important data before disinfecting a computer!
Want to support our forum? Information here

I am usually reachable at night, between 21:00 and 23:00
If you have any questions, you can write to me at Motji(at)forum.viry.cz.

Baggio
Visitor
Posts: 22
Registered: 07 Apr 2010 12:18

Re: Please check my log !!!

#30 Post by Baggio »

Ok, thank you, the test result is here:

File RZ69BF.EXE received 2010.04.11 21:23:58 (UTC)
Result: 1/39 (2.57%)

Antivirus Version Last update Result
a-squared 4.5.0.50 2010.04.11 -
AhnLab-V3 5.0.0.2 2010.04.10 -
AntiVir 7.10.6.55 2010.04.09 -
Antiy-AVL 2.0.3.7 2010.04.09 -
Authentium 5.2.0.5 2010.04.11 -
Avast 4.8.1351.0 2010.04.11 -
Avast5 5.0.332.0 2010.04.11 -
AVG 9.0.0.787 2010.04.11 -
BitDefender 7.2 2010.04.11 -
CAT-QuickHeal 10.00 2010.04.10 -
ClamAV 0.96.0.3-git 2010.04.11 -
Comodo 4572 2010.04.11 -
DrWeb 5.0.2.03300 2010.04.11 -
eSafe 7.0.17.0 2010.04.11 -
eTrust-Vet 35.2.7418 2010.04.09 -
F-Prot 4.5.1.85 2010.04.11 -
F-Secure 9.0.15370.0 2010.04.11 -
Fortinet 4.0.14.0 2010.04.10 -
GData 19 2010.04.11 -
Ikarus T3.1.1.80.0 2010.04.11 -
Jiangmin 13.0.900 2010.04.11 -
Kaspersky 7.0.0.125 2010.04.11 -
McAfee-GW-Edition 6.8.5 2010.04.11 Heuristic.BehavesLike.Win32.Suspicious.H
Microsoft 1.5605 2010.04.11 -
NOD32 5018 2010.04.11 -
Norman 6.04.11 2010.04.10 -
nProtect 2009.1.8.0 2010.04.06 -
Panda 10.0.2.2 2010.04.11 -
PCTools 7.0.3.5 2010.04.11 -
Prevx 3.0 2010.04.11 -
Rising 22.42.06.04 2010.04.11 -
Sophos 4.52.0 2010.04.11 -
Sunbelt 6164 2010.04.11 -
Symantec 20091.2.0.41 2010.04.11 -
TheHacker 6.5.2.0.259 2010.04.11 -
TrendMicro 9.120.0.1004 2010.04.11 -
VBA32 3.12.12.4 2010.04.09 -
ViRobot 2010.4.10.2270 2010.04.11 -
VirusBuster 5.0.27.0 2010.04.11 -
Additional information
File size: 172099 bytes
MD5...: 3d4a3262f183d37dcc975d933dd732fe
SHA1..: 3247311c21078002cf1a635d8d2b7bce7ee0a38e
SHA256: a3ef116edcfefdb5fbc22f2eda07a3b93c173d0250daf1000965cf6a55d8bdee
ssdeep: 3072:aiKS9TgqUYW+kXxmD7aMb2MEsFqRa7DaLjcUEoi90ye0bHJq:aiKWTgApaBsFDnatye0bHg
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0xdeb2
timedatestamp.....: 0x43e855d9 (Tue Feb 07 08:10:01 2006)
machinetype.......: 0x14c (I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x1cf8a 0x1d000 6.63 1bf3020cc59b6359057b770603572919
.rdata 0x1e000 0x54c3 0x6000 4.61 82c5d5196e54ea98d2e6d0308f61cc4f
.data 0x24000 0x8cfc 0x5000 2.99 1dec71163e617005ee6deca1fe63c27b
.rsrc 0x2d000 0x508 0x1000 0.88 4100801f13f4cf5e263fef8a7634138d

Now going on to the rest...
