Prosim o kontrolu logu

Zpráva

honza3m · #1 Příspěvek od **honza3m** » 03 srp 2010 19:18

ComboFix 10-08-02.03 - Honza 03.08.2010 19:36:44.1.1 - x86
Spuštěný z: c:\documents and settings\Honza\Plocha\ComboFix.exe
* Rezidentní štít AV je zapnutý

.

((((((((((((((((((((((((((((((((((((((( Ostatní výmazy )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Data aplikací\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Data aplikací\Microsoft\Network\Downloader\qmgr1.dat
C:\Thumbs.db
c:\windows\d.ini
c:\windows\system32\Thumbs.db

----- BITS: Možné infikované stránky -----

hxxp://au.download.windowsupdatej+|Cv+@J:NGD_DQ{zcxLJS@hLLG+O
.
((((((((((((((((((((((((( Soubory vytvořené od 2010-07-03 do 2010-08-03 )))))))))))))))))))))))))))))))
.

2010-07-29 15:54 . 2010-08-03 18:05 585472 ----a-w- c:\windows\system32\drivers\sybdkpg.sys
2010-07-28 19:57 . 2010-08-03 18:05 767488 ----a-w- c:\windows\system32\drivers\qpitbj.sys
2010-07-28 19:57 . 2010-07-28 19:57 767488 ----a-w- c:\windows\system32\drivers\siudxvfh.sys
2010-07-14 16:48 . 2010-06-14 14:31 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-02 20:20 . 2007-09-04 10:44 288 ----a-w- c:\windows\system32\DVCStateBkp-{00000000-00000000-0000000C-00001102-00000002-80651102}.dat
2010-08-02 20:20 . 2007-09-04 10:44 288 ----a-w- c:\windows\system32\DVCState-{00000000-00000000-0000000C-00001102-00000002-80651102}.dat
2010-07-21 20:28 . 2006-02-09 18:08 -------- d-----w- c:\program files\Mozilla Thunderbird
2010-07-13 21:42 . 2001-10-25 13:00 83562 ----a-w- c:\windows\system32\perfc005.dat
2010-07-13 21:42 . 2001-10-25 13:00 440812 ----a-w- c:\windows\system32\perfh005.dat
2010-07-04 15:56 . 2008-06-05 18:57 -------- d-----w- c:\program files\Dude
2010-06-14 14:31 . 2006-02-09 17:06 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-06-07 18:30 . 2010-01-03 17:43 -------- d-----w- c:\program files\Microsoft Silverlight
2010-05-06 10:35 . 2004-08-17 14:49 916480 ----a-w- c:\windows\system32\wininet.dll
.

(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QIP2005"="c:\program files\QIP\qip.exe" [2009-08-13 3276288]
"ATnotes.exe"="c:\program files\ATnotes\ATnotes.exe" [2005-01-05 1015808]
"TomTomHOME.exe"="c:\program files\TomTom HOME 2\TomTomHOMERunner.exe" [2010-05-07 247144]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DU Meter"="c:\program files\DU Meter\DUMeter.exe" [2003-06-23 1297408]
"Jet Detection"="c:\program files\Creative\SBLive\PROGRAM\ADGJDet.exe" [2001-11-28 28672]
"AudioHQU"="c:\program files\Creative\SBLive\AudioHQ\AHQTBU.EXE" [2002-01-17 176128]
"nod32kui"="c:\program files\Eset\nod32kui.exe" [2008-01-22 949376]
"nwiz"="nwiz.exe" [2006-10-22 1622016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-11-20 12669544]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0SsiEfr.e\0SsiEfr.ex\0OODBS

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Nabídka Start^Programy^Po spuštění^Adobe Reader Speed Launch.lnk]
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Nabídka Start^Programy^Po spuštění^Google Updater.lnk]
backup=c:\windows\pss\Google Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Nabídka Start^Programy^Po spuštění^Kaspersky Anti-Hacker.lnk]
backup=c:\windows\pss\Kaspersky Anti-Hacker.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Honza^Nabídka Start^Programy^Po spuštění^EarthView.lnk]
backup=c:\windows\pss\EarthView.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Honza^Nabídka Start^Programy^Po spuštění^FreeRapid 0.82.lnk]
path=c:\documents and settings\Honza\Nabídka Start\Programy\Po spuštění\FreeRapid 0.82.lnk
backup=c:\windows\pss\FreeRapid 0.82.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Honza^Nabídka Start^Programy^Po spuštění^OpenOffice.org 3.0.lnk]
path=c:\documents and settings\Honza\Nabídka Start\Programy\Po spuštění\OpenOffice.org 3.0.lnk
backup=c:\windows\pss\OpenOffice.org 3.0.lnkStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ad-Watch
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools-1033
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\egui
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ICQ Lite
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-06-09 08:06 976832 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-06-20 02:04 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
2006-02-01 15:45 98304 ----a-w- c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper]
2003-06-09 02:07 28672 ----a-w- c:\windows\system32\CTHELPER.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FmctrlTray]
2001-11-06 13:57 270336 ----a-w- c:\windows\system32\fmctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2006-01-12 14:40 155648 ----a-w- c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2009-11-20 19:32 12669544 ----a-w- c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2009-11-20 19:32 110184 ----a-w- c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-09-04 23:54 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2004-11-02 19:24 32768 ----a-w- c:\program files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2009-10-09 12:11 25623336 ----a-r- c:\program files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 15:07 2260480 --sha-r- c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SystemTray]
2001-10-25 13:00 3072 ----a-w- c:\windows\system32\systray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TomTomHOME.exe]
2010-05-07 12:36 247144 ----a-w- c:\program files\TomTom HOME 2\TomTomHOMERunner.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
2000-05-10 23:00 90112 ------w- c:\windows\Updreg.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Nero\\Nero 7\\Core\\nero.exe"=
"c:\\Jan Marek\\WC_400\\WINCMD32.EXE"=
"c:\\Program Files\\Macromedia\\Dreamweaver MX 2004\\Dreamweaver.exe"=
"c:\\Documents and Settings\\Honza\\Plocha\\strong\\StrongDC.exe"=
"c:\\Documents and Settings\\Honza\\Plocha\\Strong DC10\\StrongDC.exe"=
"c:\\Program Files\\Dude\\dude.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\QIP\\qip.exe"=
"c:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
"c:\\Program Files\\PC Connectivity Solution\\ServiceLayer.exe"=
"c:\\Program Files\\Eset\\nod32krn.exe"=
"c:\\Documents and Settings\\Honza\\Plocha\\winbox.exe"=
"c:\\totalcmd\\TOTALCMD.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Documents and Settings\\Honza\\Plocha\\Inet\\sms_5.1e.exe"=
"c:\\Documents and Settings\\Honza\\Plocha\\Inet\\Mikrotik\\winbox.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26852:TCP"= 26852:TCP:BitComet 26852 TCP
"26852:UDP"= 26852:UDP:BitComet 26852 UDP
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015
"1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016
"500:UDP"= 500:UDP:@xpsp2res.dll,-22017

R0 siudxvfh;siudxvfh; [x]
R2 gupdate1c8c1bba7e9e5a0;Google Update Service (gupdate1c8c1bba7e9e5a0);c:\program files\Google\Update\GoogleUpdate.exe [2008-08-30 133104]
R3 ADM8511;ADMtek ADM8511/AN986 USB To Fast Ethernet Converter;c:\windows\system32\DRIVERS\ADM8511.SYS [2001-08-17 20160]
R3 cpuz;cpuz;c:\docume~1\Honza\LOCALS~1\Temp\cpuz.sys [x]
R3 cpuz130;cpuz130;c:\docume~1\Honza\LOCALS~1\Temp\cpuz130\cpuz_x32.sys [x]
R3 gameport;Genius SM-Live Series PCI Joystick;c:\windows\system32\DRIVERS\fmjoy.sys [x]
R3 gtcdcmdm;GTRAN USB CDC Driver (PID 3196);c:\windows\system32\DRIVERS\gtusbmdm_gpc6400.sys [x]
R3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-06 34064]
R3 wdm_fm801;Genius SM-Live Series PCI Audio (WDM);c:\windows\system32\drivers\fm801.sys [x]
S1 nod32drv;nod32drv;c:\windows\system32\drivers\nod32drv.sys [2008-01-22 15424]
S2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [2010-05-07 92008]

--- Ostatní služby/ovladače v paměti ---

*Deregistered* - qpitbj
*Deregistered* - sybdkpg
.
Obsah adresáře 'Naplánované úlohy'

2010-08-03 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-04-16 17:39]

2010-08-03 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-07-16 15:55]

2010-08-02 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-07-16 15:55]

2010-08-03 c:\windows\Tasks\User_Feed_Synchronization-{7CA6EA0A-229B-4842-B905-8676DF705C9E}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 02:31]
.
.
------- Doplňkový sken -------
.
uStart Page = hxxp://www.play.cz/listen/listen.php?sh=evropa ... &stype=WMA
uDefault_Search_URL = hxxp://search.qip.ru
uSearchAssistant = hxxp://search.qip.ru/ie
uSearchURL,(Default) = Root: HKCU; Subkey: Software\Microsoft\Internet Explorer\SearchUrl; ValueType: string; ValueName: '; ValueData: '; Flags: createvalueifdoesntexist noerror; Tasks: AddSearchQip
IE: E&xportovat do aplikace Microsoft Office Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Stáhnout odkaz s použitím BitCometu - c:\program files\BitComet\BitComet.exe/AddLink.htm
IE: Stáhnout všechna videa s použitím BitCometu - c:\program files\BitComet\BitComet.exe/AddVideo.htm
IE: Stáhnout všechny odkazy s použitím BitCometu - c:\program files\BitComet\BitComet.exe/AddAllLink.htm
LSP: c:\windows\system32\imon.dll
DPF: {361E6B79-4A69-4376-B0F2-3D1EBEE9D7E2} - hxxp://62.204.230.2/RtspVaPgDec.cab
DPF: {50E43D86-A74D-11D0-98CE-004005249458} - hxxps://www.mojebanka.cz/jars/confwiz/MVSGif.cab
DPF: {5F509E42-537E-482B-B66C-145BC170054C} - hxxp://sberna.fotostar.cz/snadno-vlozit-fotografie/fs/FotoStarPhotoUploader.dll
DPF: {7876E4A5-78B7-4020-B08F-C960A1ED54C9} - hxxp://192.168.217.44/AL/WinWebPush.cab
DPF: {7D3E6F54-6B9E-4AA6-857D-9278E2023602} - hxxp://172.16.38.19/admin/viewcam.cab
DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} - hxxp://download.zonelabs.com/bin/promotions/spywaredetector/ICSScanner37710.cab
DPF: {A4150320-98EC-4DB6-9BFB-EBF4B6FBEB16} - hxxp://192.168.199.22/codebase/DVM_IPCam2.ocx
DPF: {AE2B937E-EA7D-4A8D-888C-B68D7F72A3C4} - hxxp://asp.photoprintit.de/microsite/11466/defaults/activex/ips/IPSUploader4.cab
FF - ProfilePath - c:\documents and settings\Honza\Data aplikací\Mozilla\Firefox\Profiles\depex8rv.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - chrome://speeddial/content/speeddial.xul
FF - prefs.js: keyword.URL - hxxp://search.qip.ru/search?from=FF&query=
FF - component: c:\documents and settings\Honza\Data aplikací\Mozilla\Firefox\Profiles\depex8rv.default\extensions\{e3f6c2cc-d8db-498c-af6c-499fb211db97}\platform\WINNT_x86-msvc\components\pagespeed.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1739.5352\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdap.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\Virtual Earth 3D\npVE3D.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- NASTAVENÍ FIREFOXU ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDFE0BD779-44EE-4A4B-AA2E-743C63F2E5E6", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".cz");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - NEPLATNÉ POLOŽKY ODSTRANĚNÉ Z REGISTRU - - - -

MSConfigStartUp-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe
AddRemove-Slovak Racer_is1 - c:\hry\Slovak Racer\unins000.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-03 20:04
Windows 5.1.2600 Service Pack 3 NTFS

skenování skrytých procesů ...

skenování skrytých položek 'Po spuštění' ...

skenování skrytých souborů ...

sken byl úspešně dokončen
skryté soubory: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\qpitbj]

--

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\sybdkpg]

.
--------------------- ZAMKNUTÉ KLÍČE V REGISTRU ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\System*]
"OODEFRAG08.00.00.01WORKSTATION"="208C5C66670E3EA7084516CD111545577435B38A11A6D18F4681688A7509422B14FDF0F5329D2F2420CCA9E202CDACD59A14791D8884574A383E077C5BB8B998974E41CAC487F8D2703E3C3C67E059081D78D6F223BD08CC70D13118586E445F52A4F88072F5C652BEEB7E64C1ED0BCC807AA1A6AC0A5A58CBBC84A9A5FEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74C8EDD5E5BE2F6E667A9C6AECB7A5D1407A9C6AECB7A5D1407A9C6AECB7A5D14074E733A0C07634AB13CD5AC0178725B8102251435DF60A283BE409570CAC77E1B534FCE164658DC8961CFAB3A218D9265D0F7BE843D3A456CEC6534E47061DE9B8E9ECD1AF9D7139DD261708106C77B086DC847C23AECB5657CB66C3C61B82194F598AD4F1233A27321F7D2EDFDB47A5B21D70504BA70A96E8FEA38A9A8CD6EB3288B2927630B42830294EECB483D7745D87D17910492DAF96CCBD48FB570EE18E355C0422656ACBBCD4B259A069BDEA0A8A1DCE73F7307EDFDBA458B5C4752D40D6B377776E022FB8146190DBB61A23AC4C37C38FC076FA6D32ACE67D34CCBF32B5592525649E699BDC3B20CD3F037D48775DF65AE97DA7321A17C27374D11EEE9319F90A781C2DCC8149FB11B8295A5EEDE32092AC01216BA3C1C7F076A5E391A2DEBA5B3508005091CCD4EC32238581D3866EF2A74E2469DA8BFD8251BEFB32F0F4C3628D070C08DD6F3E4E1AE22095750301ACDF69DAF68ABBCD25A298B3841AED61E1472E536074F88ADEFDD574C090A0ABB17DF1AEFDC1BAFBD5032F3910CF7E66CEC77B8FEC8284793CA3560A4BD5BAFBD6C9DB11B63E2731F98287780EEEB1BE1097643A6CD96B1B73491498E284EA33D1971C03805012D31A550E2B9EF9D5876A7D9E62F31E20C6B5123A2F820022A8949EC2AC1F28BC0E04DC388E33437C2D467E1870EB56CDCB6ABEC03439C27CCA8117C5327FE275A4FCD71409B89F249D94D200B2BBE22F1D5B1C781453D855951665B25CB9E906652C41B64715EA2181A407B5EE3D58AD938B25D3A4744F5DF7124998D856F9697F3B5D5D2E848A8235A0FADF009A63F6A01E42F4F8817E8362A871D7E20AE1D6572888B6F797E7F2217E84836E004EC3A87E211E3BB3E5EF44DB49EED5BBF9A873D887B9F115B32907CE1AB25246254A6D828AA2207E9EE79E530AAD4E7291A7D7B6435CE8D61E02CEF748F3BFDD94CCEB218F63602EA42E4B06621B16F163B0A06B09F6BC333417884F9FEF691A8BC19887746503D37989C9BA4B8050C55B233E9E3F4E77B181A3E083458DB72AD23AA046EBBA5B9E8C24ACD1C7855CC5AC4C0E9DA413C717DC706F647CE722A6F90717E0B50EDED3D29D91E653EAC343BCF44FAD2E86155713CA1043DE745B695AB9D883F4F674396C37D"

[HKEY_LOCAL_MACHINE\software\Xanthic\{EAC0842F-9764-03DD-A0B6-5FFFB48AD6EB}*_]
"fr"="078F7446435557"
"lr"="078F7276435555"
.
--------------------- Knihovny navázané na běžící procesy ---------------------

- - - - - - - > 'winlogon.exe'(1008)
c:\windows\system32\WRLogonNTF.dll

- - - - - - - > 'lsass.exe'(1064)
c:\windows\system32\imon.dll
c:\program files\Eset\pr_imon.dll
.
Celkový čas: 2010-08-03 20:12:24
ComboFix-quarantined-files.txt 2010-08-03 18:12

Před spuštěním: Volných bajtů: 16 111 415 296
Po spuštění: Volných bajtů: 16 231 047 168

WindowsXP-KB310994-SP2-Home-BootDisk-CSY.exe
;
;Warning: Boot.ini is used on Windows XP and earlier operating systems.
;Warning: Use BCDEDIT.exe to modify Windows Vista boot options.
;
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /NOEXECUTE=OPTIN /FASTDETECT

Current=2 Default=2 Failed=1 LastKnownGood=4 Sets=1,2,3,4
- - End Of File - - CC06DABA36A7E0A991DEFF63BA4B8B47

#2 Příspěvek od **Rudy** » 03 srp 2010 19:41

Ještě dočistíme. Otevřte poznámkový blok a zkopírujte do něj:

Collect::
c:\windows\system32\drivers\sybdkpg.sys
c:\windows\system32\drivers\qpitbj.sys
c:\windows\system32\drivers\siudxvfh.sys

Driver::
siudxvfh
qpitbj
sybdkpg

Uložte na plochu jako CFScript.txt. Pak jej myší přetáhněte nad ikonu ComboFix a pusťte. CF se spustí a vykoná příkazy ze skriptu.

Obrázek

honza3m · #3 Příspěvek od **honza3m** » 03 srp 2010 21:00

Provedeno. Je zde ještě něco co by stálo za prověření?

Díky moc za snahu

honza3m · #4 Příspěvek od **honza3m** » 05 srp 2010 18:02

Tak script se jaksi neprovede. Hlasi to chybu viz priloha. Počítač je strašně pomalý. V procesech bezi svchost.exe skoro neustále na 90%. A je spuštěn 7x

Log prikladam

ComboFix 10-08-03.01 - Honza 05.08.2010 18:09:40.3.1 - x86
Spuštěný z: c:\documents and settings\Honza\Plocha\ComboFix.exe
Použité ovládací přepínače :: c:\documents and settings\Honza\Plocha\CFScript.txt
* Rezidentní štít AV je zapnutý

.

((((((((((((((((((((((((( Soubory vytvořené od 2010-07-05 do 2010-08-05 )))))))))))))))))))))))))))))))
.

2010-08-03 20:42 . 2010-08-05 16:44 765440 ----a-w- c:\windows\system32\drivers\isjrg.sys
2010-08-03 20:42 . 2010-08-05 16:44 585472 ----a-w- c:\windows\system32\drivers\scwedx.sys
2010-07-14 16:48 . 2010-06-14 14:31 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-05 15:41 . 2007-09-04 10:44 288 ----a-w- c:\windows\system32\DVCStateBkp-{00000000-00000000-0000000C-00001102-00000002-80651102}.dat
2010-08-05 15:41 . 2007-09-04 10:44 288 ----a-w- c:\windows\system32\DVCState-{00000000-00000000-0000000C-00001102-00000002-80651102}.dat
2010-08-03 20:06 . 2007-12-12 19:28 -------- d-----w- c:\program files\Opera
2010-08-03 18:28 . 2009-12-20 20:55 -------- d-----w- c:\program files\Spyware Terminator
2010-07-21 20:28 . 2006-02-09 18:08 -------- d-----w- c:\program files\Mozilla Thunderbird
2010-07-13 21:42 . 2001-10-25 13:00 83562 ----a-w- c:\windows\system32\perfc005.dat
2010-07-13 21:42 . 2001-10-25 13:00 440812 ----a-w- c:\windows\system32\perfh005.dat
2010-07-04 15:56 . 2008-06-05 18:57 -------- d-----w- c:\program files\Dude
2010-06-14 14:31 . 2006-02-09 17:06 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-06-07 18:30 . 2010-01-03 17:43 -------- d-----w- c:\program files\Microsoft Silverlight
.

((((((((((((((((((((((((((((( SnapShot@2010-08-03_18.04.56 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-08-05 15:43 . 2010-08-05 15:43 16384 c:\windows\Temp\Perflib_Perfdata_36c.dat
+ 2006-02-09 17:13 . 2010-08-03 20:41 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2006-02-09 17:13 . 2010-07-29 15:54 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2006-02-09 17:13 . 2010-08-03 20:41 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2006-02-09 17:13 . 2010-07-29 15:54 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
.
(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATnotes.exe"="c:\program files\ATnotes\ATnotes.exe" [2005-01-05 1015808]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DU Meter"="c:\program files\DU Meter\DUMeter.exe" [2003-06-23 1297408]
"Jet Detection"="c:\program files\Creative\SBLive\PROGRAM\ADGJDet.exe" [2001-11-28 28672]
"AudioHQU"="c:\program files\Creative\SBLive\AudioHQ\AHQTBU.EXE" [2002-01-17 176128]
"nod32kui"="c:\program files\Eset\nod32kui.exe" [2008-01-22 949376]
"nwiz"="nwiz.exe" [2006-10-22 1622016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-11-20 12669544]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0SsiEfr.e\0SsiEfr.ex\0OODBS

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Nabídka Start^Programy^Po spuštění^Adobe Reader Speed Launch.lnk]
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Nabídka Start^Programy^Po spuštění^Google Updater.lnk]
backup=c:\windows\pss\Google Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Nabídka Start^Programy^Po spuštění^Kaspersky Anti-Hacker.lnk]
backup=c:\windows\pss\Kaspersky Anti-Hacker.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Honza^Nabídka Start^Programy^Po spuštění^EarthView.lnk]
backup=c:\windows\pss\EarthView.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Honza^Nabídka Start^Programy^Po spuštění^FreeRapid 0.82.lnk]
path=c:\documents and settings\Honza\Nabídka Start\Programy\Po spuštění\FreeRapid 0.82.lnk
backup=c:\windows\pss\FreeRapid 0.82.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Honza^Nabídka Start^Programy^Po spuštění^OpenOffice.org 3.0.lnk]
path=c:\documents and settings\Honza\Nabídka Start\Programy\Po spuštění\OpenOffice.org 3.0.lnk
backup=c:\windows\pss\OpenOffice.org 3.0.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-06-09 08:06 976832 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-06-20 02:04 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
2006-02-01 15:45 98304 ----a-w- c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper]
2003-06-09 02:07 28672 ----a-w- c:\windows\system32\CTHELPER.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FmctrlTray]
2001-11-06 13:57 270336 ----a-w- c:\windows\system32\fmctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2006-01-12 14:40 155648 ----a-w- c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2009-11-20 19:32 12669544 ----a-w- c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2009-11-20 19:32 110184 ----a-w- c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QIP2005]
2009-08-13 09:43 3276288 ----a-w- c:\program files\QIP\qip.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-09-04 23:54 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2004-11-02 19:24 32768 ----a-w- c:\program files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2009-10-09 12:11 25623336 ----a-r- c:\program files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 15:07 2260480 --sha-r- c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-02-18 09:43 248040 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SystemTray]
2001-10-25 13:00 3072 ----a-w- c:\windows\system32\systray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TomTomHOME.exe]
2010-05-07 12:36 247144 ----a-w- c:\program files\TomTom HOME 2\TomTomHOMERunner.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
2000-05-10 23:00 90112 ------w- c:\windows\Updreg.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Nero\\Nero 7\\Core\\nero.exe"=
"c:\\Jan Marek\\WC_400\\WINCMD32.EXE"=
"c:\\Program Files\\Macromedia\\Dreamweaver MX 2004\\Dreamweaver.exe"=
"c:\\Documents and Settings\\Honza\\Plocha\\strong\\StrongDC.exe"=
"c:\\Documents and Settings\\Honza\\Plocha\\Strong DC10\\StrongDC.exe"=
"c:\\Program Files\\Dude\\dude.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\QIP\\qip.exe"=
"c:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
"c:\\Program Files\\PC Connectivity Solution\\ServiceLayer.exe"=
"c:\\Program Files\\Eset\\nod32krn.exe"=
"c:\\Documents and Settings\\Honza\\Plocha\\winbox.exe"=
"c:\\totalcmd\\TOTALCMD.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Documents and Settings\\Honza\\Plocha\\Inet\\sms_5.1e.exe"=
"c:\\Documents and Settings\\Honza\\Plocha\\Inet\\Mikrotik\\winbox.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26852:TCP"= 26852:TCP:BitComet 26852 TCP
"26852:UDP"= 26852:UDP:BitComet 26852 UDP
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015
"1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016
"500:UDP"= 500:UDP:@xpsp2res.dll,-22017

R2 gupdate1c8c1bba7e9e5a0;Google Update Service (gupdate1c8c1bba7e9e5a0);c:\program files\Google\Update\GoogleUpdate.exe [2008-08-30 133104]
R3 ADM8511;ADMtek ADM8511/AN986 USB To Fast Ethernet Converter;c:\windows\system32\DRIVERS\ADM8511.SYS [2001-08-17 20160]
R3 cpuz;cpuz;c:\docume~1\Honza\LOCALS~1\Temp\cpuz.sys [x]
R3 cpuz130;cpuz130;c:\docume~1\Honza\LOCALS~1\Temp\cpuz130\cpuz_x32.sys [x]
R3 gameport;Genius SM-Live Series PCI Joystick;c:\windows\system32\DRIVERS\fmjoy.sys [x]
R3 gtcdcmdm;GTRAN USB CDC Driver (PID 3196);c:\windows\system32\DRIVERS\gtusbmdm_gpc6400.sys [x]
R3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-06 34064]
R3 wdm_fm801;Genius SM-Live Series PCI Audio (WDM);c:\windows\system32\drivers\fm801.sys [x]
S1 nod32drv;nod32drv;c:\windows\system32\drivers\nod32drv.sys [2008-01-22 15424]
S2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [2010-05-07 92008]

--- Ostatní služby/ovladače v paměti ---

*Deregistered* - isjrg
*Deregistered* - scwedx
.
Obsah adresáře 'Naplánované úlohy'

2010-08-05 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-04-16 17:39]

2010-08-05 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-07-16 15:55]

2010-08-05 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-07-16 15:55]

2010-08-05 c:\windows\Tasks\User_Feed_Synchronization-{7CA6EA0A-229B-4842-B905-8676DF705C9E}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 02:31]
.
.
------- Doplňkový sken -------
.
uStart Page = hxxp://www.play.cz/listen/listen.php?sh=evropa ... &stype=WMA
uDefault_Search_URL = hxxp://search.qip.ru
uSearchAssistant = hxxp://search.qip.ru/ie
uSearchURL,(Default) = Root: HKCU; Subkey: Software\Microsoft\Internet Explorer\SearchUrl; ValueType: string; ValueName: '; ValueData: '; Flags: createvalueifdoesntexist noerror; Tasks: AddSearchQip
IE: E&xportovat do aplikace Microsoft Office Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Stáhnout odkaz s použitím BitCometu - c:\program files\BitComet\BitComet.exe/AddLink.htm
IE: Stáhnout všechna videa s použitím BitCometu - c:\program files\BitComet\BitComet.exe/AddVideo.htm
IE: Stáhnout všechny odkazy s použitím BitCometu - c:\program files\BitComet\BitComet.exe/AddAllLink.htm
LSP: c:\windows\system32\imon.dll
DPF: {361E6B79-4A69-4376-B0F2-3D1EBEE9D7E2} - hxxp://62.204.230.2/RtspVaPgDec.cab
DPF: {50E43D86-A74D-11D0-98CE-004005249458} - hxxps://www.mojebanka.cz/jars/confwiz/MVSGif.cab
DPF: {5F509E42-537E-482B-B66C-145BC170054C} - hxxp://sberna.fotostar.cz/snadno-vlozit-fotografie/fs/FotoStarPhotoUploader.dll
DPF: {7876E4A5-78B7-4020-B08F-C960A1ED54C9} - hxxp://192.168.217.44/AL/WinWebPush.cab
DPF: {7D3E6F54-6B9E-4AA6-857D-9278E2023602} - hxxp://172.16.38.19/admin/viewcam.cab
DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} - hxxp://download.zonelabs.com/bin/promotions/spywaredetector/ICSScanner37710.cab
DPF: {A4150320-98EC-4DB6-9BFB-EBF4B6FBEB16} - hxxp://192.168.199.22/codebase/DVM_IPCam2.ocx
DPF: {AE2B937E-EA7D-4A8D-888C-B68D7F72A3C4} - hxxp://asp.photoprintit.de/microsite/11466/defaults/activex/ips/IPSUploader4.cab
FF - ProfilePath - c:\documents and settings\Honza\Data aplikací\Mozilla\Firefox\Profiles\depex8rv.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - chrome://speeddial/content/speeddial.xul
FF - prefs.js: keyword.URL - hxxp://search.qip.ru/search?from=FF&query=
FF - component: c:\documents and settings\Honza\Data aplikací\Mozilla\Firefox\Profiles\depex8rv.default\extensions\{e3f6c2cc-d8db-498c-af6c-499fb211db97}\platform\WINNT_x86-msvc\components\pagespeed.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1739.5352\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdap.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\Virtual Earth 3D\npVE3D.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- NASTAVENÍ FIREFOXU ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDFE0BD779-44EE-4A4B-AA2E-743C63F2E5E6", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".cz");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-05 18:43
Windows 5.1.2600 Service Pack 3 NTFS

skenování skrytých procesů ...

skenování skrytých položek 'Po spuštění' ...

skenování skrytých souborů ...

sken byl úspešně dokončen
skryté soubory: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\isjrg]

--

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\scwedx]

.
--------------------- ZAMKNUTÉ KLÍČE V REGISTRU ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\System*]
"OODEFRAG08.00.00.01WORKSTATION"="208C5C66670E3EA7084516CD111545577435B38A11A6D18F4681688A7509422B14FDF0F5329D2F2420CCA9E202CDACD59A14791D8884574A383E077C5BB8B998974E41CAC487F8D2703E3C3C67E059081D78D6F223BD08CC70D13118586E445F52A4F88072F5C652BEEB7E64C1ED0BCC807AA1A6AC0A5A58CBBC84A9A5FEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74C8EDD5E5BE2F6E667A9C6AECB7A5D1407A9C6AECB7A5D1407A9C6AECB7A5D14074E733A0C07634AB13CD5AC0178725B8102251435DF60A283BE409570CAC77E1B534FCE164658DC8961CFAB3A218D9265D0F7BE843D3A456CEC6534E47061DE9B8E9ECD1AF9D7139DD261708106C77B086DC847C23AECB5657CB66C3C61B82194F598AD4F1233A27321F7D2EDFDB47A5B21D70504BA70A96E8FEA38A9A8CD6EB3288B2927630B42830294EECB483D7745D87D17910492DAF96CCBD48FB570EE18E355C0422656ACBBCD4B259A069BDEA0A8A1DCE73F7307EDFDBA458B5C4752D40D6B377776E022FB8146190DBB61A23AC4C37C38FC076FA6D32ACE67D34CCBF32B5592525649E699BDC3B20CD3F037D48775DF65AE97DA7321A17C27374D11EEE9319F90A781C2DCC8149FB11B8295A5EEDE32092AC01216BA3C1C7F076A5E391A2DEBA5B3508005091CCD4EC32238581D3866EF2A74E2469DA8BFD8251BEFB32F0F4C3628D070C08DD6F3E4E1AE22095750301ACDF69DAF68ABBCD25A298B3841AED61E1472E536074F88ADEFDD574C090A0ABB17DF1AEFDC1BAFBD5032F3910CF7E66CEC77B8FEC8284793CA3560A4BD5BAFBD6C9DB11B63E2731F98287780EEEB1BE1097643A6CD96B1B73491498E284EA33D1971C03805012D31A550E2B9EF9D5876A7D9E62F31E20C6B5123A2F820022A8949EC2AC1F28BC0E04DC388E33437C2D467E1870EB56CDCB6ABEC03439C27CCA8117C5327FE275A4FCD71409B89F249D94D200B2BBE22F1D5B1C781453D855951665B25CB9E906652C41B64715EA2181A407B5EE3D58AD938B25D3A4744F5DF7124998D856F9697F3B5D5D2E848A8235A0FADF009A63F6A01E42F4F8817E8362A871D7E20AE1D6572888B6F797E7F2217E84836E004EC3A87E211E3BB3E5EF44DB49EED5BBF9A873D887B9F115B32907CE1AB25246254A6D828AA2207E9EE79E530AAD4E7291A7D7B6435CE8D61E02CEF748F3BFDD94CCEB218F63602EA42E4B06621B16F163B0A06B09F6BC333417884F9FEF691A8BC19887746503D37989C9BA4B8050C55B233E9E3F4E77B181A3E083458DB72AD23AA046EBBA5B9E8C24ACD1C7855CC5AC4C0E9DA413C717DC706F647CE722A6F90717E0B50EDED3D29D91E653EAC343BCF44FAD2E86155713CA1043DE745B695AB9D883F4F674396C37D"

[HKEY_LOCAL_MACHINE\software\Xanthic\{EAC0842F-9764-03DD-A0B6-5FFFB48AD6EB}*_]
"fr"="078F7446435557"
"lr"="078F7276435555"
.
--------------------- Knihovny navázané na běžící procesy ---------------------

- - - - - - - > 'winlogon.exe'(1004)
c:\windows\system32\WRLogonNTF.dll

- - - - - - - > 'lsass.exe'(1060)
c:\windows\system32\imon.dll
c:\program files\Eset\pr_imon.dll

- - - - - - - > 'explorer.exe'(1536)
c:\windows\system32\msls31.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Celkový čas: 2010-08-05 18:56:29
ComboFix-quarantined-files.txt 2010-08-05 16:56
ComboFix2.txt 2010-08-03 20:48
ComboFix3.txt 2010-08-03 18:12

Před spuštěním: Volných bajtů: 16 003 026 944
Po spuštění: Volných bajtů: 15 982 047 232

Current=2 Default=2 Failed=1 LastKnownGood=4 Sets=1,2,3,4
- - End Of File - - CC3AC09186E41EE3998A7E090AE78855

#5 Příspěvek od **Rudy** » 05 srp 2010 18:07

Zkuste to v nouz. režimu.

honza3m · #6 Příspěvek od **honza3m** » 05 srp 2010 22:47

V nouzaku je to bohužel to samé viz obrázek.
Po restartu je spuštěn svchost.exe 8x a vytížení 100% při mé nečinosti.
Pokud to pomůže tak vir byl stažen při pouhém prohlížení webu POZOR !!!!! http://www.skoda110r.cz/forum.php?thread=0 POZOR!!!!
lze to nalézt v diskuzi vir

#7 Příspěvek od **Rudy** » 06 srp 2010 17:14

OK. Odinstalujte CF. Start>spustit>(napsat) combofix /uninstall>OK. Pak stáhněte nový a zkuste ho tím skriptem spustit.

VIRY.CZ

Prosim o kontrolu logu

Prosim o kontrolu logu

Re: Prosim o kontrolu logu

Re: Prosim o kontrolu logu

Re: Prosim o kontrolu logu

Re: Prosim o kontrolu logu

Re: Prosim o kontrolu logu

Re: Prosim o kontrolu logu