win32:malware-gen (a kdoan.sys + mjvpvgz.sys)

[fotoduki]

mám v pc dvou soubory - kdoan.sys a mjvpvgz.sys které neumí avast odstarnit.
děkuji za radu co s tím.

výpis logu:

ComboFix 10-10-22.05 - admin 23.10.2010 20:01:00.2.2 - x86
Systém Microsoft Windows XP Professional 5.1.2600.2.1250.420.1029.18.895.389 [GMT 2:00]
Spuštěný z: d:\_download\ComboFix.exe
AV: avast! antivirus 4.8.1368 [VPS 101023-1] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Ostatní výmazy )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\mjvpvgz.sys

.
((((((((((((((((((((((((((((((((((((((( Ovladače/Služby )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_mjvpvgz
-------\Service_mjvpvgz


((((((((((((((((((((((((( Soubory vytvořené od 2010-09-23 do 2010-10-23 )))))))))))))))))))))))))))))))
.

2010-10-23 17:33 . 2010-10-23 17:33 -------- d-----w- c:\documents and settings\admin\Local Settings\Data aplikací\AskToolbar
2010-10-22 17:56 . 2010-10-23 18:12 756224 ----a-w- c:\windows\system32\drivers\kdoan.sys
2010-10-19 09:47 . 2010-10-19 09:47 -------- d-----w- c:\program files\Ask.com
2010-10-07 18:42 . 2010-10-07 18:42 -------- d-----w- c:\documents and settings\admin\Data aplikací\Malwarebytes
2010-10-07 18:42 . 2010-04-29 13:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-10-07 18:41 . 2010-10-07 18:41 -------- d-----w- c:\documents and settings\All Users\Data aplikací\Malwarebytes
2010-10-07 18:41 . 2010-10-07 18:42 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-10-07 18:41 . 2010-04-29 13:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-10-07 08:42 . 2010-10-07 11:04 -------- d-----w- c:\documents and settings\admin\Data aplikací\AIMP
2010-10-07 08:29 . 2010-10-07 08:29 -------- d-----w- c:\program files\AIMP2

.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-01 07:07 . 2010-09-01 07:07 22558023 ----a-w- c:\windows\system32\CDSM_CDSM Designer_uninstaller.exe
2010-08-06 12:22 . 2007-10-28 18:08 94208 ----a-w- c:\windows\DUMP50b0.tmp
.

((((((((((((((((((((((((((((( SnapShot@2010-10-15_08.01.39 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-10-23 18:04 . 2010-10-23 18:04 16384 c:\windows\Temp\Perflib_Perfdata_734.dat
+ 2010-10-23 09:40 . 2010-10-23 09:40 16384 c:\windows\Temp\Perflib_Perfdata_72c.dat
+ 2010-10-23 18:04 . 2010-10-23 18:04 16384 c:\windows\Temp\Perflib_Perfdata_220.dat
+ 2010-10-15 18:48 . 2010-10-23 18:05 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2010-10-15 08:01 . 2010-10-15 08:01 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2007-10-28 17:28 . 2010-10-15 08:01 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2007-10-28 17:28 . 2010-10-23 18:05 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2010-10-15 18:48 . 2010-10-23 18:05 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2007-10-28 17:28 . 2010-10-15 08:01 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2010-10-19 09:47 . 2010-10-19 09:47 102400 c:\windows\Installer\{86D4B82A-ABED-442A-BE86-96357B70F4FE}\ARPPRODUCTICON.exe
+ 2010-10-19 09:47 . 2010-10-19 09:47 1904640 c:\windows\Installer\b56557.msi
.
(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2010-05-17 16:43 1385864 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-05-17 1385864]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-05-17 1385864]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2007-04-10 16126464]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]
"SMail"="c:\program files\Seznam\Postak\Postak.exe" [2006-05-18 450560]
"VirtualCloneDrive"="c:\program files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" [2006-04-29 94208]
"PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2009-11-09 180224]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

c:\documents and settings\admin\Nabˇdka Start\Programy\Po spuçtŘnˇ\AutorunsDisabled
OpenOffice.org 2.3.lnk - c:\program files\OpenOffice.org 2.3\program\quickstart.exe [2007-9-11 393216]

c:\documents and settings\All Users\Nabˇdka Start\Programy\Po spuçtŘnˇ\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-24 29696]

c:\documents and settings\All Users\Nabˇdka Start\Programy\Po spuçtŘnˇ\AutorunsDisabled
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-12 282624]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\Orb.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\uTorrent\\utorrent.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\ICQ6.5\\ICQ.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Program Files\\TeamViewer\\Version4\\TeamViewer.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [6.4.2008 0:13 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [6.4.2008 0:13 20560]
S3 5249569c070ed6b5;5249569c070ed6b5;\??\c:\windows\TEMP\940037ac3795 --> c:\windows\TEMP\940037ac3795 [?]
S3 af36d2516e9b5b2d;af36d2516e9b5b2d;\??\c:\windows\TEMP\92405e34f161 --> c:\windows\TEMP\92405e34f161 [?]
S3 AF9035BDA;GIGABYTE U7200 DVB-T Devices;c:\windows\system32\drivers\AF9035BDA.sys [29.5.2008 15:39 244096]
S4 078f0aba1620ca71;078f0aba1620ca71;\??\c:\windows\TEMP\9200682dd558 --> c:\windows\TEMP\9200682dd558 [?]
S4 0f971ebf42779f9b;0f971ebf42779f9b;\??\c:\windows\TEMP\9320c235a74a --> c:\windows\TEMP\9320c235a74a [?]
S4 10270bb7faa2f395;10270bb7faa2f395;\??\c:\windows\TEMP\92804bdbc8e5 --> c:\windows\TEMP\92804bdbc8e5 [?]
S4 159048c36599f5fd;159048c36599f5fd;\??\c:\windows\TEMP\92007631051 --> c:\windows\TEMP\92007631051 [?]
S4 1f3193a667460dca;1f3193a667460dca;\??\c:\windows\TEMP\9200ed1318db --> c:\windows\TEMP\9200ed1318db [?]
S4 21daad4a110130e9;21daad4a110130e9;\??\c:\windows\TEMP\9320aa22c075 --> c:\windows\TEMP\9320aa22c075 [?]
S4 2baebbe02e20191d;2baebbe02e20191d;\??\c:\windows\TEMP\92003da71f91 --> c:\windows\TEMP\92003da71f91 [?]
S4 35179bebb8e8cab3;35179bebb8e8cab3;\??\c:\windows\TEMP\92003a05f677 --> c:\windows\TEMP\92003a05f677 [?]
S4 4ccc71471f0eab03;4ccc71471f0eab03;\??\c:\windows\TEMP\92005d95e76d --> c:\windows\TEMP\92005d95e76d [?]
S4 53d3e5734868f3ba;53d3e5734868f3ba;\??\c:\windows\TEMP\9200aee16eaa --> c:\windows\TEMP\9200aee16eaa [?]
S4 61e6fb59dfa2c3e9;61e6fb59dfa2c3e9;\??\c:\windows\TEMP\92007d903262 --> c:\windows\TEMP\92007d903262 [?]
S4 64e9ca2ec768e6de;64e9ca2ec768e6de;\??\c:\windows\TEMP\920021cc7eb9 --> c:\windows\TEMP\920021cc7eb9 [?]
S4 71231cead0956b8d;71231cead0956b8d;\??\c:\windows\TEMP\9200ca3f533d --> c:\windows\TEMP\9200ca3f533d [?]
S4 9e7d78327bbd610e;9e7d78327bbd610e;\??\c:\windows\TEMP\9240dc18d502 --> c:\windows\TEMP\9240dc18d502 [?]
S4 b61e06d104588609;b61e06d104588609;\??\c:\windows\TEMP\9240ed8981c5 --> c:\windows\TEMP\9240ed8981c5 [?]
S4 bf7a9dc80811dafa;bf7a9dc80811dafa;\??\c:\windows\TEMP\92009089621e --> c:\windows\TEMP\92009089621e [?]
S4 c69e8e8de2f496ec;c69e8e8de2f496ec;\??\c:\windows\TEMP\9200e6037d68 --> c:\windows\TEMP\9200e6037d68 [?]
S4 cf5ecafa7c2ed4d4;cf5ecafa7c2ed4d4;\??\c:\windows\TEMP\92401b04169b --> c:\windows\TEMP\92401b04169b [?]
S4 cffc5fdfcd0d8579;cffc5fdfcd0d8579;\??\c:\windows\TEMP\92004085f092 --> c:\windows\TEMP\92004085f092 [?]
S4 d667dcbe3929be43;d667dcbe3929be43;\??\c:\windows\TEMP\9280c5fa95f0 --> c:\windows\TEMP\9280c5fa95f0 [?]
S4 dd24e9cc406a726a;dd24e9cc406a726a;\??\c:\windows\TEMP\9200583b6812 --> c:\windows\TEMP\9200583b6812 [?]
S4 f3c68bc4c8f51a06;f3c68bc4c8f51a06;\??\c:\windows\TEMP\92405952bbbf --> c:\windows\TEMP\92405952bbbf [?]
S4 f42efddd14a91613;f42efddd14a91613;\??\c:\windows\TEMP\9200be4dfcf0 --> c:\windows\TEMP\9200be4dfcf0 [?]
S4 fdf9c64d7c0e7240;fdf9c64d7c0e7240;\??\c:\windows\TEMP\932028d180da --> c:\windows\TEMP\932028d180da [?]

--- Ostatní služby/ovladače v paměti ---

*Deregistered* - kdoan
.
Obsah adresáře 'Naplánované úlohy'

2010-10-23 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
- c:\program files\Ask.com\UpdateTask.exe [2010-05-17 16:43]
.
.
------- Doplňkový sken -------
.
IE: E&xportovat do aplikace Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\admin\Data aplikací\Mozilla\Firefox\Profiles\pwbdbsdi.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.sweetim.com/search.asp?src=2&q=
FF - prefs.js: browser.search.selectedEngine - Ask.com
FF - prefs.js: browser.startup.homepage - hxxp://www.seznam.cz/
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&oe=UTF-8 ... &gfns=1&q=
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Veetle\Player\npvlc.dll
FF - plugin: c:\program files\Veetle\plugins\npVeetle.dll
FF - plugin: c:\program files\Veetle\VLCBroadcast\npvbp.dll

---- NASTAVENÍ FIREFOXU ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified
c:\program files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".cz");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - NEPLATNÉ POLOŽKY ODSTRANĚNÉ Z REGISTRU - - - -

Toolbar-{4F11ACBB-393F-4C86-A214-FF3D0D155CC3} - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-10-23 20:12
Windows 5.1.2600 Service Pack 2 NTFS

skenování skrytých procesů ...

skenování skrytých položek 'Po spuštění' ...

skenování skrytých souborů ...

sken byl úspešně dokončen
skryté soubory: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\078f0aba1620ca71]
"ImagePath"="\??\c:\windows\TEMP\9200682dd558"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\0f971ebf42779f9b]
"ImagePath"="\??\c:\windows\TEMP\9320c235a74a"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\10270bb7faa2f395]
"ImagePath"="\??\c:\windows\TEMP\92804bdbc8e5"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\159048c36599f5fd]
"ImagePath"="\??\c:\windows\TEMP\92007631051"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\1f3193a667460dca]
"ImagePath"="\??\c:\windows\TEMP\9200ed1318db"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\21daad4a110130e9]
"ImagePath"="\??\c:\windows\TEMP\9320aa22c075"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\2baebbe02e20191d]
"ImagePath"="\??\c:\windows\TEMP\92003da71f91"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\35179bebb8e8cab3]
"ImagePath"="\??\c:\windows\TEMP\92003a05f677"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\4ccc71471f0eab03]
"ImagePath"="\??\c:\windows\TEMP\92005d95e76d"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\5249569c070ed6b5]
"ImagePath"="\??\c:\windows\TEMP\940037ac3795"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\53d3e5734868f3ba]
"ImagePath"="\??\c:\windows\TEMP\9200aee16eaa"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\61e6fb59dfa2c3e9]
"ImagePath"="\??\c:\windows\TEMP\92007d903262"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\64e9ca2ec768e6de]
"ImagePath"="\??\c:\windows\TEMP\920021cc7eb9"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\71231cead0956b8d]
"ImagePath"="\??\c:\windows\TEMP\9200ca3f533d"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\9e7d78327bbd610e]
"ImagePath"="\??\c:\windows\TEMP\9240dc18d502"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\af36d2516e9b5b2d]
"ImagePath"="\??\c:\windows\TEMP\92405e34f161"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\b61e06d104588609]
"ImagePath"="\??\c:\windows\TEMP\9240ed8981c5"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\bf7a9dc80811dafa]
"ImagePath"="\??\c:\windows\TEMP\92009089621e"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\c69e8e8de2f496ec]
"ImagePath"="\??\c:\windows\TEMP\9200e6037d68"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\cf5ecafa7c2ed4d4]
"ImagePath"="\??\c:\windows\TEMP\92401b04169b"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\cffc5fdfcd0d8579]
"ImagePath"="\??\c:\windows\TEMP\92004085f092"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\d667dcbe3929be43]
"ImagePath"="\??\c:\windows\TEMP\9280c5fa95f0"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\dd24e9cc406a726a]
"ImagePath"="\??\c:\windows\TEMP\9200583b6812"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\f3c68bc4c8f51a06]
"ImagePath"="\??\c:\windows\TEMP\92405952bbbf"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\f42efddd14a91613]
"ImagePath"="\??\c:\windows\TEMP\9200be4dfcf0"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\fdf9c64d7c0e7240]
"ImagePath"="\??\c:\windows\TEMP\932028d180da"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\kdoan]

.
--------------------- Knihovny navázané na běžící procesy ---------------------

- - - - - - - > 'winlogon.exe'(892)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(1732)
c:\windows\system32\msi.dll
.
------------------------ Jiné spuštené procesy ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\HPZipm12.exe
c:\program files\Common Files\Protexis\License Service\PsiService_2.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\windows\system32\wscntfy.exe
c:\windows\RTHDCPL.EXE
.
**************************************************************************
.
Celkový čas: 2010-10-23 20:14:52 - počítač byl restartován
ComboFix-quarantined-files.txt 2010-10-23 18:14
ComboFix2.txt 2010-10-15 08:04

Před spuštěním: Volných bajtů: 25 932 341 248
Po spuštění: Volných bajtů: 25 914 732 544

WindowsXP-KB310994-SP2-Pro-BootDisk-CSY.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /usepmtimer

- - End Of File - - DAB0BCBC02F9F5A1221DBB26DDB48B19

[earl]

Zdravim,

vidim v pc nainstalovany MBAM,takze -

Pouzijte MBAM

instalace,uplny sken,vlozit sem log-NIC NEMAZAT!

[fotoduki]

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Verze databáze: 4929

Windows 5.1.2600 Service Pack 2
Internet Explorer 7.0.5730.13

23.10.2010 23:09:55
mbam-log-2010-10-23 (23-09-55).txt

Typ skenu: Úplný sken (C:\|D:\|)
Skenované objekty: 204764
Uplynulý čas: 57 minuta(y), 34 sekunda(y)

Infikované procesy v paměti: 0
Infikované moduly v paměti: 0
Infikované klíče registru: 0
Infikované hodnoty registru: 0
Infikované datové položky registru: 0
Infikované složky: 0
Infikované soubory: 3

Infikované procesy v paměti:
(Žádné škodlivé položky nebyly zjištěny)

Infikované moduly v paměti:
(Žádné škodlivé položky nebyly zjištěny)

Infikované klíče registru:
(Žádné škodlivé položky nebyly zjištěny)

Infikované hodnoty registru:
(Žádné škodlivé položky nebyly zjištěny)

Infikované datové položky registru:
(Žádné škodlivé položky nebyly zjištěny)

Infikované složky:
(Žádné škodlivé položky nebyly zjištěny)

Infikované soubory:
C:\Program Files\Google\Google Earth Pro\crack.exe (Malware.Packer.Gen) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\mjvpvgz.sys.vir (Rootkit.Bubnix) -> No action taken.
C:\System Volume Information\_restore{1D5D4DDE-784C-4EC3-9551-161AE02D9F46}\RP736\A0076892.sys (Rootkit.Bubnix) -> No action taken.

[earl]

Smazte co MBAM nasel.

Stahnete OTL

spustte, oznacte "Pro vsechny uzivatele,30 dnů zmente na 7,kliknete na Prohledat,

po skonceni skenu sem vlozte obsah logu z OTL.txt.

[fotoduki]

OTL logfile created on: 25.10.2010 10:46:59 - Run 1
OTL by OldTimer - Version 3.2.17.1 Folder = D:\_download
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000405 | Country: Česká republika | Language: CSY | Date Format: d.M.yyyy

895,00 Mb Total Physical Memory | 458,00 Mb Available Physical Memory | 51,00% Memory free
2,00 Gb Paging File | 2,00 Gb Available in Paging File | 83,00% Paging File free
Paging file location(s): C:\pagefile.sys 1344 2688 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 48,83 Gb Total Space | 24,09 Gb Free Space | 49,33% Space Free | Partition Type: NTFS
Drive D: | 184,05 Gb Total Space | 108,99 Gb Free Space | 59,22% Space Free | Partition Type: NTFS

Computer Name: USER-3FF90EED51 | User Name: admin | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 7 Days

========== Processes (SafeList) ==========

PRC - [2010.10.25 09:46:53 | 000,575,488 | ---- | M] (OldTimer Tools) -- D:\_download\OTL.exe
PRC - [2009.11.25 00:51:40 | 000,081,000 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashDisp.exe
PRC - [2009.11.25 00:51:35 | 000,138,680 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashServ.exe
PRC - [2009.11.25 00:51:21 | 000,254,040 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
PRC - [2009.11.25 00:48:48 | 000,352,920 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
PRC - [2009.11.25 00:43:56 | 000,018,752 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
PRC - [2009.11.09 05:17:50 | 000,180,224 | ---- | M] (PowerISO Computing, Inc.) -- C:\Program Files\PowerISO\PWRISOVM.EXE
PRC - [2007.07.24 11:15:14 | 000,185,632 | ---- | M] (Protexis Inc.) -- c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
PRC - [2006.05.18 15:36:14 | 000,450,560 | ---- | M] (Seznam.cz a.s.) -- C:\Program Files\Seznam\Postak\Postak.exe
PRC - [2006.04.29 15:21:28 | 000,094,208 | ---- | M] (Elaborate Bytes AG) -- C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
PRC - [2005.09.24 08:05:26 | 000,029,696 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
PRC - [2004.09.29 13:14:36 | 000,069,632 | ---- | M] (HP) -- C:\WINDOWS\system32\HPZipm12.exe
PRC - [2004.08.17 15:49:24 | 001,032,704 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe


========== Modules (SafeList) ==========

MOD - [2010.10.25 09:46:53 | 000,575,488 | ---- | M] (OldTimer Tools) -- D:\_download\OTL.exe
MOD - [2006.05.03 23:53:54 | 000,174,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\framedyn.dll
MOD - [2004.08.17 15:48:02 | 001,050,624 | R--- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- C:\WINDOWS\System32\hidserv.dll -- (HidServ)
SRV - [2009.11.25 00:51:35 | 000,138,680 | ---- | M] (ALWIL Software) [Auto | Running] -- C:\Program Files\Alwil Software\Avast4\ashServ.exe -- (avast! Antivirus)
SRV - [2009.11.25 00:51:21 | 000,254,040 | ---- | M] (ALWIL Software) [On_Demand | Running] -- C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe -- (avast! Mail Scanner)
SRV - [2009.11.25 00:48:48 | 000,352,920 | ---- | M] (ALWIL Software) [On_Demand | Running] -- C:\Program Files\Alwil Software\Avast4\ashWebSv.exe -- (avast! Web Scanner)
SRV - [2009.11.25 00:43:56 | 000,018,752 | ---- | M] (ALWIL Software) [Auto | Running] -- C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe -- (aswUpdSv)
SRV - [2007.07.24 11:15:14 | 000,185,632 | ---- | M] (Protexis Inc.) [Auto | Running] -- c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe -- (PSI_SVC_2)
SRV - [2004.09.29 13:14:36 | 000,069,632 | ---- | M] (HP) [Auto | Running] -- C:\WINDOWS\system32\HPZipm12.exe -- (Pml Driver HPZ12)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\DRIVERS\rtl8185.sys -- (rtl8185)
DRV - File not found [Kernel | Disabled | Stopped] -- E:\INSTALL\GMSIPCI.SYS -- (GMSIPCI)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\ComboFix\catchme.sys -- (catchme)
DRV - [2009.11.25 00:50:59 | 000,094,160 | ---- | M] (ALWIL Software) [File_System | Auto | Running] -- C:\WINDOWS\System32\drivers\aswmon2.sys -- (aswMon2)
DRV - [2009.11.25 00:50:12 | 000,114,768 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aswSP.sys -- (aswSP)
DRV - [2009.11.25 00:50:00 | 000,020,560 | ---- | M] (ALWIL Software) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\aswFsBlk.sys -- (aswFsBlk)
DRV - [2009.11.25 00:49:07 | 000,048,560 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aswTdi.sys -- (aswTdi)
DRV - [2009.11.25 00:48:57 | 000,023,120 | ---- | M] (ALWIL Software) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\drivers\aswRdr.sys -- (aswRdr)
DRV - [2009.11.25 00:47:54 | 000,027,408 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aavmker4.sys -- (Aavmker4)
DRV - [2009.11.09 05:21:18 | 000,059,388 | ---- | M] (PowerISO Computing, Inc.) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\scdemu.sys -- (SCDEmu)
DRV - [2009.02.28 13:06:44 | 000,005,632 | ---- | M] () [File_System | System | Running] -- C:\WINDOWS\System32\drivers\StarOpen.sys -- (StarOpen)
DRV - [2008.05.29 15:39:42 | 000,244,096 | ---- | M] (AfaTech ) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\AF9035BDA.sys -- (AF9035BDA)
DRV - [2007.09.05 12:04:34 | 000,079,408 | ---- | M] (PACE Anti-Piracy, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\System32\drivers\TPkd.sys -- (TPkd)
DRV - [2007.08.07 21:48:33 | 000,025,160 | ---- | M] (Elaborate Bytes AG) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\ElbyCDIO.sys -- (ElbyCDIO)
DRV - [2007.06.16 23:16:39 | 000,031,616 | ---- | M] (Elaborate Bytes AG) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\VClone.sys -- (VClone)
DRV - [2007.04.10 13:04:40 | 004,397,568 | R--- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2007.03.14 03:57:50 | 001,972,736 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2007.02.16 02:56:49 | 000,011,984 | ---- | M] (Elaborate Bytes AG) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ElbyDelay.sys -- (ElbyDelay)
DRV - [2007.02.06 18:43:26 | 000,090,880 | R--- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Rtenicxp.sys -- (RTLE8023xp)
DRV - [2007.02.05 11:23:20 | 003,624,128 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtHDMI.sys -- (RTHDMIAzAudService)
DRV - [2006.07.01 23:42:58 | 000,043,008 | ---- | M] (Advanced Micro Devices) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\AmdK8.sys -- (AmdK8)
DRV - [2005.01.07 18:07:18 | 000,138,752 | ---- | M] (Windows (R) Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Hdaudbus.sys -- (HDAudBus)
DRV - [2004.08.03 23:10:14 | 000,015,360 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\MPE.sys -- (MPE)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.defaultengine: "Ask.com"
FF - prefs.js..browser.search.defaultenginename: "Ask.com"
FF - prefs.js..browser.search.defaulturl: "http://search.sweetim.com/search.asp?src=2&q="
FF - prefs.js..browser.search.order.1: "Ask.com"
FF - prefs.js..browser.search.selectedEngine: "Ask.com"
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "http://www.seznam.cz/"
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..keyword.URL: "http://www.google.com/search?ie=UTF-8&o ... &gfns=1&q="
FF - prefs.js..sweetim.toolbar.previous.browser.search.defaultenginename: "chrome://browser-region/locale/region.properties"
FF - prefs.js..browser.startup.homepage: "http://www.seznam.cz/"
FF - prefs.js..sweetim.toolbar.previous.keyword.URL: "http://search.yahoo.com/search?ei=UTF-8 ... e=vdio5&p="

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.11\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010.10.20 17:53:51 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.11\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010.10.20 17:53:51 | 000,000,000 | ---D | M]

[2008.12.05 21:23:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\admin\Data aplikací\Mozilla\Extensions
[2010.10.19 20:15:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\admin\Data aplikací\Mozilla\Firefox\Profiles\pwbdbsdi.default\extensions
[2010.10.23 20:34:06 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2010.07.09 11:31:52 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
[2010.07.09 11:31:36 | 000,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll
[2007.06.11 14:34:00 | 002,115,816 | ---- | M] () -- C:\Program Files\Mozilla Firefox\plugins\NPSWF32.dll
[2010.09.09 08:25:16 | 000,000,638 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\jyxo-cz.xml
[2010.09.09 08:25:16 | 000,001,687 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\mall-cz.xml
[2010.09.09 08:25:16 | 000,001,367 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\seznam-cz.xml
[2010.09.09 08:25:16 | 000,000,654 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\slunecnice-cz.xml
[2010.09.09 08:25:16 | 000,001,179 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\wikipedia-cz.xml

O1 HOSTS File: ([2010.10.23 20:12:11 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask)
O3 - HKLM\..\Toolbar: (&S-Rank) - {B71B15CF-3093-459C-B764-AEB2486F2273} - C:\Program Files\Seznam\Postak\SRank.dll (Seznam.cz a.s.)
O3 - HKLM\..\Toolbar: (Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask)
O3 - HKCU\..\Toolbar\WebBrowser: (Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask)
O4 - HKLM..\Run: [avast!] C:\Program Files\Alwil Software\Avast4\ashDisp.exe (ALWIL Software)
O4 - HKLM..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE (PowerISO Computing, Inc.)
O4 - HKLM..\Run: [SMail] C:\Program Files\Seznam\Postak\Postak.exe (Seznam.cz a.s.)
O4 - HKLM..\Run: [VirtualCloneDrive] C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe (Elaborate Bytes AG)
O4 - Startup: C:\Documents and Settings\admin\Nabídka Start\Programy\Po spuštění\AutorunsDisabled [2010.08.06 19:33:17 | 000,000,000 | -H-D | M]
O4 - Startup: C:\Documents and Settings\All Users\Nabídka Start\Programy\Po spuštění\Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe (Adobe Systems Incorporated)
O4 - Startup: C:\Documents and Settings\All Users\Nabídka Start\Programy\Po spuštění\AutorunsDisabled [2010.08.06 19:26:25 | 000,000,000 | -H-D | M]
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O9 - Extra Button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.)
O9 - Extra Button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6.5\ICQ.exe (ICQ, LLC.)
O9 - Extra 'Tools' menuitem : ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6.5\ICQ.exe (ICQ, LLC.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinsta ... s-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinsta ... s-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinsta ... s-i586.cab (Java Plug-in 1.6.0_20)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 194.108.44.6 89.185.242.100
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O20 - Winlogon\Notify\WgaLogon: DllName - WgaLogon.dll - C:\WINDOWS\System32\WgaLogon.dll ()
O24 - Desktop Components:0 (Aktuální domovská stránka) - About:Home
O24 - Desktop WallPaper: C:\Documents and Settings\admin\Local Settings\Data aplikací\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\admin\Local Settings\Data aplikací\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2007.10.28 19:24:55 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2010.08.06 19:30:22 | 000,000,000 | ---D | M] - D:\autoruns -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 7 Days ==========

[2010.10.23 20:00:20 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2010.10.23 19:33:41 | 000,000,000 | ---D | C] -- C:\Documents and Settings\admin\Local Settings\Data aplikací\AskToolbar
[2010.10.23 12:01:47 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\admin\Recent
[2010.10.19 11:47:43 | 000,000,000 | ---D | C] -- C:\Program Files\Ask.com
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 7 Days ==========

[2010.10.25 10:49:22 | 000,756,224 | ---- | M] () -- C:\WINDOWS\System32\drivers\kdoan.sys
[2010.10.25 10:45:36 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010.10.25 10:01:01 | 000,000,234 | ---- | M] () -- C:\WINDOWS\tasks\Scheduled Update for Ask Toolbar.job
[2010.10.25 09:35:18 | 000,000,465 | ---- | M] () -- C:\Documents and Settings\admin\Data aplikací\burnaware.ini
[2010.10.23 20:12:11 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2010.10.23 20:00:24 | 000,000,339 | RHS- | M] () -- C:\boot.ini
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010.10.23 20:00:24 | 000,000,223 | ---- | C] () -- C:\Boot.bak
[2010.10.23 20:00:21 | 000,261,312 | RHS- | C] () -- C:\cmldr
[2010.10.22 19:56:09 | 000,756,224 | ---- | C] () -- C:\WINDOWS\System32\drivers\kdoan.sys
[2010.10.19 11:47:49 | 000,000,234 | ---- | C] () -- C:\WINDOWS\tasks\Scheduled Update for Ask Toolbar.job
[2010.07.29 20:36:35 | 000,000,491 | ---- | C] () -- C:\Documents and Settings\admin\Data aplikací\ImageTuner.ini
[2010.07.24 19:29:51 | 000,814,080 | ---- | C] () -- C:\WINDOWS\System32\semtempl.dll
[2010.07.24 19:29:51 | 000,688,128 | ---- | C] () -- C:\WINDOWS\System32\libeay32.dll
[2010.07.24 19:29:51 | 000,343,040 | ---- | C] () -- C:\WINDOWS\System32\arcdll.dll
[2010.07.24 19:29:51 | 000,155,648 | ---- | C] () -- C:\WINDOWS\System32\ssleay32.dll
[2010.07.24 19:29:51 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\hashfunc.dll
[2010.06.16 13:02:15 | 000,000,038 | ---- | C] () -- C:\WINDOWS\AviSplitter.INI
[2010.05.10 07:39:00 | 000,000,550 | ---- | C] () -- C:\Documents and Settings\admin\Data aplikací\AutoGK.ini
[2009.05.08 18:57:09 | 000,000,465 | ---- | C] () -- C:\Documents and Settings\admin\Data aplikací\burnaware.ini
[2009.03.29 11:16:02 | 000,363,520 | ---- | C] () -- C:\WINDOWS\System32\PsisDecd.dll
[2009.03.29 11:09:32 | 000,014,694 | ---- | C] () -- C:\WINDOWS\System32\Main.ini
[2009.01.25 23:10:48 | 000,179,200 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2009.01.09 01:01:22 | 000,629,760 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2009.01.05 21:41:20 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\All Users\Data aplikací\LauncherAccess.dt
[2008.12.03 19:29:58 | 000,005,632 | ---- | C] () -- C:\WINDOWS\System32\drivers\StarOpen.sys
[2008.09.06 00:31:14 | 000,190,976 | ---- | C] () -- C:\WINDOWS\System32\WgaLogon.dll
[2008.09.06 00:30:06 | 001,481,728 | ---- | C] () -- C:\WINDOWS\System32\LegitCheckControl.dll
[2008.08.26 21:52:57 | 000,002,516 | -HS- | C] () -- C:\Documents and Settings\All Users\Data aplikací\KGyGaAvL.sys
[2008.08.26 21:52:57 | 000,000,008 | RHS- | C] () -- C:\Documents and Settings\All Users\Data aplikací\0D794BEC5C.sys
[2008.06.29 09:37:15 | 000,024,501 | ---- | C] () -- C:\Documents and Settings\admin\Data aplikací\Update_HP_RedboxHprblog_HPSU.log
[2008.06.29 09:37:15 | 000,000,221 | ---- | C] () -- C:\WINDOWS\HP_RedboxHprblog_HPSU.ini
[2008.06.12 21:51:07 | 002,829,592 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Data aplikací\FontCache3.0.0.0.dat
[2008.03.23 11:47:39 | 000,034,308 | ---- | C] () -- C:\WINDOWS\System32\BASSMOD.dll
[2008.01.19 22:13:01 | 000,029,696 | ---- | C] () -- C:\Documents and Settings\admin\Local Settings\Data aplikací\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008.01.16 07:33:07 | 000,000,851 | ---- | C] () -- C:\WINDOWS\wcx_ftp.ini
[2008.01.16 07:31:40 | 000,003,070 | ---- | C] () -- C:\WINDOWS\wincmd.ini
[2007.11.28 21:30:02 | 000,003,944 | ---- | C] () -- C:\Documents and Settings\All Users\Data aplikací\hpzinstall.log
[2007.11.16 23:01:37 | 000,000,032 | ---- | C] () -- C:\Documents and Settings\All Users\Data aplikací\ezsid.dat
[2007.11.14 06:57:54 | 000,223,744 | ---- | C] () -- C:\WINDOWS\System32\b4fm.dll
[2007.10.28 20:16:29 | 000,004,249 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2005.02.01 16:10:30 | 000,000,016 | ---- | C] () -- C:\WINDOWS\System32\exasd_.dll
[2004.07.17 11:36:38 | 000,027,440 | ---- | C] () -- C:\WINDOWS\System32\drivers\secdrv.sys
[2002.10.16 00:54:04 | 000,153,088 | ---- | C] () -- C:\WINDOWS\System32\unrar.dll
[2001.07.06 16:30:00 | 000,003,165 | ---- | C] () -- C:\WINDOWS\System32\HPTCPMON.INI
[2001.01.12 11:49:38 | 000,021,504 | ---- | C] () -- C:\WINDOWS\System32\zlib.dll

========== Alternate Data Streams ==========

@Alternate Data Stream - 1217 bytes -> C:\Program Files\WindowsUpdate:ycScuhsOuQnmUUHlbGAz
@Alternate Data Stream - 1190 bytes -> C:\Documents and Settings\All Users\Data aplikací\Microsoft:YMYXsPJ5WGx6cx12oiF7
@Alternate Data Stream - 1025 bytes -> C:\Documents and Settings\All Users\Data aplikací\Microsoft:qsByR42oCZOQSuP8PKWx8

< End of report >

[earl]

Odinstalujte Ask toolbar.

otestujte na VIRUSTOTALu

C:\WINDOWS\System32\semtempl.dll

C:\WINDOWS\System32\exasd_.dll

(navod prosty: po nacteni stranky kliknete na tlacitko Prochazet , najdete cestu k vyse zminenemu souboru a kliknete na tlacitko Odeslat soubor; dejte skenerum nejakych deset minut; vysledek sem vlozte)

Pokud skener napíše, že soubor již byl testován, dejte otestovat znovu.

Potom vam napisu skript na docisteni pc.

[fotoduki]

nevím, zda sem vložím správná data (ne úplně jsem se orientoval)

report pro C:\WINDOWS\System32\semtempl.dll

Antivirus Version Last Update Result
AhnLab-V3 2010.10.25.00 2010.10.25 -
AntiVir 7.10.13.37 2010.10.25 -
Antiy-AVL 2.0.3.7 2010.10.25 -
Authentium 5.2.0.5 2010.10.24 -
Avast 4.8.1351.0 2010.10.25 -
Avast5 5.0.594.0 2010.10.25 -
AVG 9.0.0.851 2010.10.25 -
BitDefender 7.2 2010.10.25 -
CAT-QuickHeal 11.00 2010.10.25 -
ClamAV 0.96.2.0-git 2010.10.25 PUA.Packed.ASPack
Comodo 6504 2010.10.25 -
DrWeb 5.0.2.03300 2010.10.25 -
Emsisoft 5.0.0.50 2010.10.25 -
eSafe 7.0.17.0 2010.10.25 -
eTrust-Vet 36.1.7933 2010.10.25 -
F-Prot 4.6.2.117 2010.10.24 -
F-Secure 9.0.16160.0 2010.10.25 -
Fortinet 4.2.249.0 2010.10.25 -
GData 21 2010.10.25 -
Ikarus T3.1.1.90.0 2010.10.25 -
Jiangmin 13.0.900 2010.10.25 -
K7AntiVirus 9.66.2830 2010.10.25 -
Kaspersky 7.0.0.125 2010.10.25 -
McAfee 5.400.0.1158 2010.10.25 -
McAfee-GW-Edition 2010.1C 2010.10.25 -
Microsoft 1.6301 2010.10.25 -
NOD32 5562 2010.10.25 -
Norman 6.06.10 2010.10.25 -
nProtect 2010-10-25.01 2010.10.25 -
Panda 10.0.2.7 2010.10.25 -
PCTools 7.0.3.5 2010.10.25 -
Prevx 3.0 2010.10.25 -
Rising 22.70.06.04 2010.10.25 -
Sophos 4.58.0 2010.10.25 -
Sunbelt 7138 2010.10.25 -
SUPERAntiSpyware 4.40.0.1006 2010.10.25 -
Symantec 20101.2.0.161 2010.10.25 -
TheHacker 6.7.0.1.066 2010.10.25 -
TrendMicro 9.120.0.1004 2010.10.25 -
TrendMicro-HouseCall 9.120.0.1004 2010.10.25 -
VBA32 3.12.14.1 2010.10.25 -
ViRobot 2010.10.25.4110 2010.10.25 -
VirusBuster 12.70.4.0 2010.10.25 -


Additional information:

MD5 : 51a8745d31ef66635848d037e8c76dd2
SHA1 : 744ed0cb3f81293933a26e26df966df00ce7ecef
SHA256: 2ca9dd00bf7c8f01986d2b9a330c92eadc24b325c0522b5fe84abc8fba47f8a2
ssdeep: 24576:mrkwnfPW+/PKWnz4GIE8l6UpsHgBshtd:Gkkf+fWnnIE8l6nHgE
File size : 814080 bytes
First seen: 2010-07-13 05:59:44
Last seen : 2010-10-25 17:48:18
TrID:
Win32 Executable Generic (42.3%)
Win32 Dynamic Link Library (generic) (37.6%)
Generic Win/DOS Executable (9.9%)
DOS Executable Generic (9.9%)
VXD Driver (0.1%)
sigcheck:
publisher....: n/a
copyright....: n/a
product......: n/a
description..: n/a
original name: n/a
internal name: n/a
file version.: n/a
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned
PEiD: ASProtect v1.23 RC4 build 08.07 (dll) -> Alexey Solodovnikov (h)
packers (F-Prot): Aspack
PEInfo: PE structure information

[[ basic data ]]
entrypointaddress: 0x1D7001
timedatestamp....: 0x4C3A0761 (Sun Jul 11 18:03:13 2010)
machinetype......: 0x14c (I386)

[[ 9 section(s) ]]
name, viradd, virsiz, rawdsiz, ntropy, md5
, 0x1000, 0x142000, 0x61000, 8.00, e07a7a90a82c9cf71ce2e7a3be2d9166
, 0x143000, 0x44000, 0xDC00, 7.99, 973ee800e33b1c9bd482bd54bab47512
, 0x187000, 0x1000, 0x200, 0.00, bf619eac0cdf3f68d496ea9344137e8b
, 0x188000, 0x4000, 0x3800, 7.98, 7cfafadc65699f01b8b289a8be94417f
, 0x18C000, 0x6000, 0x5C00, 5.88, 602e36b87d5d2ec5cb21ac509f496a69
.rsrc, 0x192000, 0x31000, 0x30600, 5.26, e43f07d08cd7781538c91ed5c98f98a3
, 0x1C3000, 0x14000, 0xB600, 7.99, d7295d0688bce94562d598ea1cfc0233
.data, 0x1D7000, 0x13000, 0x12800, 7.81, 208570e88e486b4e89a91ee867ec727a
.adata, 0x1EA000, 0x1000, 0x0, 0.00, d41d8cd98f00b204e9800998ecf8427e

[[ 12 import(s) ]]
kernel32.dll: GetProcAddress, GetModuleHandleA, LoadLibraryA
borlndmm.dll: -
wininet.dll: DeleteUrlCacheEntry
advapi32.dll: RegCloseKey
version.dll: GetFileVersionInfoA
comctl32.dll: ImageList_Add
gdi32.dll: BitBlt
user32.dll: ActivateKeyboardLayout
ole32.dll: CoCreateInstance
oleaut32.dll: GetActiveObject
cc3250mt.dll: @$bdele$qpv
oleaut32.dll: VariantChangeTypeEx

[[ 474 export(s) ]]
@$xp$14Zlibex@TZError, @$xp$15Swinhttp@TSwURL, @$xp$17Swinhttp@TSwProxy, @$xp$17Zlibex@EZLibError, @$xp$17Zlibex@TZStrategy, @$xp$18Swinhttp@TSwNotify, @$xp$18Swinhttp@TSwinHttp, @$xp$18Zlibex@TZStreamRec, @$xp$19Swinhttp@TSwProxies, @$xp$19Swinhttp@TSwRequest, @$xp$20Swinhttp@TSwResponse, @$xp$21Zlibex@TCustomZStream, @$xp$22Zlibex@EZLibErrorClass, @$xp$25Zlibex@EZCompressionError, @$xp$25Zlibex@TZCompressionLevel, @$xp$26Shdocvw_tlb@TCppWebBrowser, @$xp$26Shdocvw_tlb@TCppWebBrowser, @$xp$26Shdocvw_tlb@TCppWebBrowser, @$xp$26Shdocvw_tlb@TCppWebBrowser, @$xp$26Shdocvw_tlb@TCppWebBrowser, @$xp$26Swinhttp@TSwProxyProtocols, @$xp$26Zlibex@TZCompressionStream, @$xp$27Zlibex@EZDecompressionError, @$xp$28Shdocvw_tlb@TCppShellWindows, @$xp$28Shdocvw_tlb@TCppShellWindows, @$xp$28Shdocvw_tlb@TCppShellWindows, @$xp$28Shdocvw_tlb@TCppShellWindows, @$xp$28Shdocvw_tlb@TCppShellWindows, @$xp$28Zlibex@TZDecompressionStream, @$xp$29Shdocvw_tlb@TCppShellUIHelper, @$xp$29Shdocvw_tlb@TCppShellUIHelper, @$xp$29Shdocvw_tlb@TCppShellUIHelper, @$xp$29Shdocvw_tlb@TCppShellUIHelper, @$xp$29Shdocvw_tlb@TCppShellUIHelper, @$xp$29Shdocvw_tlb@TCppWebBrowser_V1, @$xp$29Shdocvw_tlb@TCppWebBrowser_V1, @$xp$29Shdocvw_tlb@TCppWebBrowser_V1, @$xp$29Shdocvw_tlb@TCppWebBrowser_V1, @$xp$29Shdocvw_tlb@TCppWebBrowser_V1, @$xp$32Shdocvw_tlb@TCppInternetExplorer, @$xp$32Shdocvw_tlb@TCppInternetExplorer, @$xp$32Shdocvw_tlb@TCppInternetExplorer, @$xp$32Shdocvw_tlb@TCppInternetExplorer, @$xp$32Shdocvw_tlb@TCppInternetExplorer, @$xp$36Shdocvw_tlb@TShellFavoritesNameSpace, @$xp$36Shdocvw_tlb@TShellFavoritesNameSpace, @$xp$36Shdocvw_tlb@TShellFavoritesNameSpace, @$xp$36Shdocvw_tlb@TShellFavoritesNameSpace, @$xp$36Shdocvw_tlb@TShellFavoritesNameSpace, @@Fs_csvparser@Finalize, @@Fs_csvparser@Finalize, @@Fs_csvparser@Initialize, @@Fs_csvparser@Initialize, @@Fs_google@Finalize, @@Fs_google@Initialize, @@Fs_google_captcha@Finalize, @@Fs_google_captcha@Initialize, @@Fs_google_wmt@Finalize, @@Fs_google_wmt@Initialize, @@Fs_internet@Finalize, @@Fs_internet@Initialize, @@Fs_mail_captcha@Finalize, @@Fs_mail_captcha@Initialize, @@Fs_yandex@Finalize, @@Fs_yandex@Initialize, @@Parser@Finalize, @@Parser@Initialize, @@Rambler_adwords@Finalize, @@Rambler_adwords@Initialize, @@Rambler_adwords_unit@Finalize, @@Rambler_adwords_unit@Initialize, @@Shdocvw_ocx@Finalize, @@Shdocvw_ocx@Initialize, @@Shdocvw_tlb@Finalize, @@Shdocvw_tlb@Initialize, @@Yahoo_explorer@Finalize, @@Yahoo_explorer@Initialize, @@Yahoo_search@Finalize, @@Yahoo_search@Initialize, @GoogleWebmasterLinks@$bctr$qp16Classes@TStringst1t1t1rx17System@AnsiStringt5pouiynpqi$vt1, @GoogleWebmasterLinks@$bdtr$qqrv, @GoogleWebmasterLinks@DoFinish$qqrp14System@TObject, @GoogleWebmasterLinks@Finished$qv, @GoogleWebmasterLinks@ReturnValue$qv, @MailParseCaptcha, @Ruschar@ALT2ISO$qqruc, @Ruschar@ALT2KOI$qqruc, @Ruschar@ALT2MAC$qqruc, @Ruschar@ALT2WIN$qqruc, @Ruschar@ConvertString$qqr17System@AnsiStringuc, @Ruschar@ConvertString$qqrrpciuc, @Ruschar@Finalization$qqrv, @Ruschar@ISO2ALT$qqruc, @Ruschar@ISO2KOI$qqruc, @Ruschar@ISO2MAC$qqruc, @Ruschar@ISO2WIN$qqruc, @Ruschar@KOI2ALT$qqruc, @Ruschar@KOI2ISO$qqruc, @Ruschar@KOI2MAC$qqruc, @Ruschar@KOI2WIN$qqruc, @Ruschar@MAC2ALT$qqruc, @Ruschar@MAC2ISO$qqruc, @Ruschar@MAC2KOI$qqruc, @Ruschar@MAC2WIN$qqruc, @Ruschar@WIN2ALT$qqruc, @Ruschar@WIN2ISO$qqruc, @Ruschar@WIN2KOI$qqruc, @Ruschar@WIN2MAC$qqruc, @Ruschar@WhatEncodeType$qqr17System@AnsiString, @Ruschar@initialization$qqrv, @Shdocvw_ocx@Register$qqrv, @Shdocvw_tlb@CLSID_CScriptErrorList, @Shdocvw_tlb@CLSID_CppInternetExplorer, @Shdocvw_tlb@CLSID_CppSearchAssistantOC, @Shdocvw_tlb@CLSID_CppShellBrowserWindow, @Shdocvw_tlb@CLSID_CppShellUIHelper, @Shdocvw_tlb@CLSID_CppShellWindows, @Shdocvw_tlb@CLSID_CppWebBrowser, @Shdocvw_tlb@CLSID_CppWebBrowser_V1, @Shdocvw_tlb@CLSID_ShellFavoritesNameSpace, @Shdocvw_tlb@DIID_DShellWindowsEvents, @Shdocvw_tlb@DIID_DWebBrowserEvents, @Shdocvw_tlb@DIID_DWebBrowserEvents2, @Shdocvw_tlb@DIID__SearchAssistantEvents, @Shdocvw_tlb@DIID__ShellFavoritesNameSpaceEvents, @Shdocvw_tlb@IID_IScriptErrorList, @Shdocvw_tlb@IID_ISearch, @Shdocvw_tlb@IID_ISearchAssistantOC, @Shdocvw_tlb@IID_ISearchAssistantOC2, @Shdocvw_tlb@IID_ISearches, @Shdocvw_tlb@IID_IShellFavoritesNameSpace, @Shdocvw_tlb@IID_IShellUIHelper, @Shdocvw_tlb@IID_IShellWindows, @Shdocvw_tlb@IID_IWebBrowser, @Shdocvw_tlb@IID_IWebBrowser2, @Shdocvw_tlb@IID_IWebBrowserApp, @Shdocvw_tlb@LIBID_SHDocVw, @Shdocvw_tlb@TCppInternetExplorer@, @Shdocvw_tlb@TCppInternetExplorer@, @Shdocvw_tlb@TCppInternetExplorer@, @Shdocvw_tlb@TCppInternetExplorer@, @Shdocvw_tlb@TCppInternetExplorer@, @Shdocvw_tlb@TCppInternetExplorer@$bctr$qqrp18Classes@TComponent, @Shdocvw_tlb@TCppInternetExplorer@$bctr$qqrp18Classes@TComponent, @Shdocvw_tlb@TCppInternetExplorer@$bctr$qqrp18Classes@TComponent, @Shdocvw_tlb@TCppInternetExplorer@$bctr$qqrp18Classes@TComponent, @Shdocvw_tlb@TCppInternetExplorer@$bctr$qqrp18Classes@TComponent, @Shdocvw_tlb@TCppInternetExplorer@BeforeDestruction$qqrv, @Shdocvw_tlb@TCppInternetExplorer@Connect$qqrv, @Shdocvw_tlb@TCppInternetExplorer@ConnectTo$qqr69_TComInterface$24Shdocvw_tlb@IWebBrowser2px5_GUID$gIID_IWebBrowser2$_, @Shdocvw_tlb@TCppInternetExplorer@Disconnect$qqrv, @Shdocvw_tlb@TCppInternetExplorer@GetDefaultInterface$qv, @Shdocvw_tlb@TCppInternetExplorer@GetDunk$qqrv, @Shdocvw_tlb@TCppInternetExplorer@InitServerData$qqrv, @Shdocvw_tlb@TCppInternetExplorer@InvokeEvent$qqrir42System@_DynamicArray$t17System@OleVariant_, @Shdocvw_tlb@TCppShellUIHelper@, @Shdocvw_tlb@TCppShellUIHelper@, @Shdocvw_tlb@TCppShellUIHelper@, @Shdocvw_tlb@TCppShellUIHelper@, @Shdocvw_tlb@TCppShellUIHelper@, @Shdocvw_tlb@TCppShellUIHelper@$bctr$qqrp18Classes@TComponent, @Shdocvw_tlb@TCppShellUIHelper@$bctr$qqrp18Classes@TComponent, @Shdocvw_tlb@TCppShellUIHelper@$bctr$qqrp18Classes@TComponent, @Shdocvw_tlb@TCppShellUIHelper@$bctr$qqrp18Classes@TComponent, @Shdocvw_tlb@TCppShellUIHelper@$bctr$qqrp18Classes@TComponent, @Shdocvw_tlb@TCppShellUIHelper@BeforeDestruction$qqrv, @Shdocvw_tlb@TCppShellUIHelper@Connect$qqrv, @Shdocvw_tlb@TCppShellUIHelper@ConnectTo$qqr73_TComInterface$26Shdocvw_tlb@IShellUIHelperpx5_GUID$gIID_IShellUIHelper$_, @Shdocvw_tlb@TCppShellUIHelper@Disconnect$qqrv, @Shdocvw_tlb@TCppShellUIHelper@GetDefaultInterface$qv, @Shdocvw_tlb@TCppShellUIHelper@GetDunk$qqrv, @Shdocvw_tlb@TCppShellUIHelper@InitServerData$qqrv, @Shdocvw_tlb@TCppShellWindows@, @Shdocvw_tlb@TCppShellWindows@, @Shdocvw_tlb@TCppShellWindows@, @Shdocvw_tlb@TCppShellWindows@, @Shdocvw_tlb@TCppShellWindows@, @Shdocvw_tlb@TCppShellWindows@$bctr$qqrp18Classes@TComponent, @Shdocvw_tlb@TCppShellWindows@$bctr$qqrp18Classes@TComponent, @Shdocvw_tlb@TCppShellWindows@$bctr$qqrp18Classes@TComponent, @Shdocvw_tlb@TCppShellWindows@$bctr$qqrp18Classes@TComponent, @Shdocvw_tlb@TCppShellWindows@$bctr$qqrp18Classes@TComponent, @Shdocvw_tlb@TCppShellWindows@BeforeDestruction$qqrv, @Shdocvw_tlb@TCppShellWindows@Connect$qqrv, @Shdocvw_tlb@TCppShellWindows@ConnectTo$qqr71_TComInterface$25Shdocvw_tlb@IShellWindowspx5_GUID$gIID_IShellWindows$_, @Shdocvw_tlb@TCppShellWindows@Disconnect$qqrv, @Shdocvw_tlb@TCppShellWindows@GetDefaultInterface$qv, @Shdocvw_tlb@TCppShellWindows@GetDunk$qqrv, @Shdocvw_tlb@TCppShellWindows@InitServerData$qqrv, @Shdocvw_tlb@TCppShellWindows@InvokeEvent$qqrir42System@_DynamicArray$t17System@OleVariant_, @Shdocvw_tlb@TCppWebBrowser@, @Shdocvw_tlb@TCppWebBrowser@, @Shdocvw_tlb@TCppWebBrowser@, @Shdocvw_tlb@TCppWebBrowser@, @Shdocvw_tlb@TCppWebBrowser@, @Shdocvw_tlb@TCppWebBrowser@$bctr$qqrp18Classes@TComponent, @Shdocvw_tlb@TCppWebBrowser@$bctr$qqrp18Classes@TComponent, @Shdocvw_tlb@TCppWebBrowser@$bctr$qqrp18Classes@TComponent, @Shdocvw_tlb@TCppWebBrowser@$bctr$qqrp18Classes@TComponent, @Shdocvw_tlb@TCppWebBrowser@$bctr$qqrp18Classes@TComponent, @Shdocvw_tlb@TCppWebBrowser@$bctr$qqrpv, @Shdocvw_tlb@TCppWebBrowser@$bctr$qqrpv, @Shdocvw_tlb@TCppWebBrowser@$bctr$qqrpv, @Shdocvw_tlb@TCppWebBrowser@$bctr$qqrpv, @Shdocvw_tlb@TCppWebBrowser@$bctr$qqrpv, @Shdocvw_tlb@TCppWebBrowser@CControlData, @Shdocvw_tlb@TCppWebBrowser@ClientToWindow$qqrpit1, @Shdocvw_tlb@TCppWebBrowser@CreateControl$qqrv, @Shdocvw_tlb@TCppWebBrowser@DEF_CTL_INTF, @Shdocvw_tlb@TCppWebBrowser@EventDispIDs, @Shdocvw_tlb@TCppWebBrowser@ExecWB$qqr20Shdocvw_tlb@OLECMDID25Shdocvw_tlb@OLECMDEXECOPTp24_TVariantT$10tagVARIANT_t3, @Shdocvw_tlb@TCppWebBrowser@GetDefaultInterface$qqrv, @Shdocvw_tlb@TCppWebBrowser@GetProperty$qqrpb, @Shdocvw_tlb@TCppWebBrowser@GetWordBoolProp$qqri, @Shdocvw_tlb@TCppWebBrowser@GetWordBoolProp$qqri, @Shdocvw_tlb@TCppWebBrowser@GetWordBoolProp$qqri, @Shdocvw_tlb@TCppWebBrowser@GetWordBoolProp$qqri, @Shdocvw_tlb@TCppWebBrowser@GetWordBoolProp$qqri, @Shdocvw_tlb@TCppWebBrowser@Get_Application$qqrv, @Shdocvw_tlb@TCppWebBrowser@Get_Container$qqrv, @Shdocvw_tlb@TCppWebBrowser@Get_Document$qqrv, @Shdocvw_tlb@TCppWebBrowser@Get_Parent$qqrv, @Shdocvw_tlb@TCppWebBrowser@GoBack$qqrv, @Shdocvw_tlb@TCppWebBrowser@GoForward$qqrv, @Shdocvw_tlb@TCppWebBrowser@GoHome$qqrv, @Shdocvw_tlb@TCppWebBrowser@GoSearch$qqrv, @Shdocvw_tlb@TCppWebBrowser@InitControlData$qqrv, @Shdocvw_tlb@TCppWebBrowser@Navigate$qqrpbp24_TVariantT$10tagVARIANT_t2t2t2, @Shdocvw_tlb@TCppWebBrowser@Navigate2$qqrp24_TVariantT$10tagVARIANT_t1t1t1t1, @Shdocvw_tlb@TCppWebBrowser@OptParam, @Shdocvw_tlb@TCppWebBrowser@PutProperty$qqrpb31_TVariantInParamT$10tagVARIANT_, @Shdocvw_tlb@TCppWebBrowser@QueryStatusWB$qqr20Shdocvw_tlb@OLECMDID, @Shdocvw_tlb@TCppWebBrowser@Quit$qqrv, @Shdocvw_tlb@TCppWebBrowser@Refresh$qqrv, @Shdocvw_tlb@TCppWebBrowser@Refresh2$qqrp24_TVariantT$10tagVARIANT_, @Shdocvw_tlb@TCppWebBrowser@SetWordBoolProp$qqrio, @Shdocvw_tlb@TCppWebBrowser@SetWordBoolProp$qqrio, @Shdocvw_tlb@TCppWebBrowser@SetWordBoolProp$qqrio, @Shdocvw_tlb@TCppWebBrowser@SetWordBoolProp$qqrio, @Shdocvw_tlb@TCppWebBrowser@SetWordBoolProp$qqrio, @Shdocvw_tlb@TCppWebBrowser@ShowBrowserBar$qqrp24_TVariantT$10tagVARIANT_t1t1, @Shdocvw_tlb@TCppWebBrowser@Stop$qqrv, @Shdocvw_tlb@TCppWebBrowser_V1@, @Shdocvw_tlb@TCppWebBrowser_V1@, @Shdocvw_tlb@TCppWebBrowser_V1@, @Shdocvw_tlb@TCppWebBrowser_V1@, @Shdocvw_tlb@TCppWebBrowser_V1@, @Shdocvw_tlb@TCppWebBrowser_V1@$bctr$qqrp18Classes@TComponent, @Shdocvw_tlb@TCppWebBrowser_V1@$bctr$qqrp18Classes@TComponent, @Shdocvw_tlb@TCppWebBrowser_V1@$bctr$qqrp18Classes@TComponent, @Shdocvw_tlb@TCppWebBrowser_V1@$bctr$qqrp18Classes@TComponent, @Shdocvw_tlb@TCppWebBrowser_V1@$bctr$qqrp18Classes@TComponent, @Shdocvw_tlb@TCppWebBrowser_V1@$bctr$qqrpv, @Shdocvw_tlb@TCppWebBrowser_V1@$bctr$qqrpv, @Shdocvw_tlb@TCppWebBrowser_V1@$bctr$qqrpv, @Shdocvw_tlb@TCppWebBrowser_V1@$bctr$qqrpv, @Shdocvw_tlb@TCppWebBrowser_V1@$bctr$qqrpv, @Shdocvw_tlb@TCppWebBrowser_V1@CControlData, @Shdocvw_tlb@TCppWebBrowser_V1@CreateControl$qqrv, @Shdocvw_tlb@TCppWebBrowser_V1@DEF_CTL_INTF, @Shdocvw_tlb@TCppWebBrowser_V1@EventDispIDs, @Shdocvw_tlb@TCppWebBrowser_V1@GetDefaultInterface$qqrv, @Shdocvw_tlb@TCppWebBrowser_V1@Get_Application$qqrv, @Shdocvw_tlb@TCppWebBrowser_V1@Get_Container$qqrv, @Shdocvw_tlb@TCppWebBrowser_V1@Get_Document$qqrv, @Shdocvw_tlb@TCppWebBrowser_V1@Get_Parent$qqrv, @Shdocvw_tlb@TCppWebBrowser_V1@GoBack$qqrv, @Shdocvw_tlb@TCppWebBrowser_V1@GoForward$qqrv, @Shdocvw_tlb@TCppWebBrowser_V1@GoHome$qqrv, @Shdocvw_tlb@TCppWebBrowser_V1@GoSearch$qqrv, @Shdocvw_tlb@TCppWebBrowser_V1@InitControlData$qqrv, @Shdocvw_tlb@TCppWebBrowser_V1@Navigate$qqrpbp24_TVariantT$10tagVARIANT_t2t2t2, @Shdocvw_tlb@TCppWebBrowser_V1@OptParam, @Shdocvw_tlb@TCppWebBrowser_V1@Refresh$qqrv, @Shdocvw_tlb@TCppWebBrowser_V1@Refresh2$qqrp24_TVariantT$10tagVARIANT_, @Shdocvw_tlb@TCppWebBrowser_V1@Stop$qqrv, @Shdocvw_tlb@TShellFavoritesNameSpace@, @Shdocvw_tlb@TShellFavoritesNameSpace@, @Shdocvw_tlb@TShellFavoritesNameSpace@, @Shdocvw_tlb@TShellFavoritesNameSpace@, @Shdocvw_tlb@TShellFavoritesNameSpace@, @Shdocvw_tlb@TShellFavoritesNameSpace@$bctr$qqrp18Classes@TComponent, @Shdocvw_tlb@TShellFavoritesNameSpace@$bctr$qqrp18Classes@TComponent, @Shdocvw_tlb@TShellFavoritesNameSpace@$bctr$qqrp18Classes@TComponent, @Shdocvw_tlb@TShellFavoritesNameSpace@$bctr$qqrp18Classes@TComponent, @Shdocvw_tlb@TShellFavoritesNameSpace@$bctr$qqrp18Classes@TComponent, @Shdocvw_tlb@TShellFavoritesNameSpace@BeforeDestruction$qqrv, @Shdocvw_tlb@TShellFavoritesNameSpace@Connect$qqrv, @Shdocvw_tlb@TShellFavoritesNameSpace@ConnectTo$qqr93_TComInterface$36Shdocvw_tlb@IShellFavoritesNameSpacepx5_GUID$gIID_IShellFavoritesNameSpace$_, @Shdocvw_tlb@TShellFavoritesNameSpace@Disconnect$qqrv, @Shdocvw_tlb@TShellFavoritesNameSpace@GetDefaultInterface$qv, @Shdocvw_tlb@TShellFavoritesNameSpace@GetDunk$qqrv, @Shdocvw_tlb@TShellFavoritesNameSpace@InitServerData$qqrv, @Shdocvw_tlb@TShellFavoritesNameSpace@InvokeEvent$qqrir42System@_DynamicArray$t17System@OleVariant_, @Swinhttp@Finalization$qqrv, @Swinhttp@Register$qqrv, @Swinhttp@TSwProxies@, @Swinhttp@TSwProxies@$bctr$qqrv, @Swinhttp@TSwProxies@$bdtr$qqrv, @Swinhttp@TSwProxies@List$qqrv, @Swinhttp@TSwProxy@, @Swinhttp@TSwProxy@AssignTo$qqrp19Classes@TPersistent, @Swinhttp@TSwProxy@ProxyStr$qqrv, @Swinhttp@TSwRequest@, @Swinhttp@TSwRequest@$bctr$qqrv, @Swinhttp@TSwRequest@$bdtr$qqrv, @Swinhttp@TSwRequest@AssignTo$qqrp19Classes@TPersistent, @Swinhttp@TSwRequest@Clear$qqrv, @Swinhttp@TSwResponse@, @Swinhttp@TSwResponse@$bctr$qqrv, @Swinhttp@TSwResponse@$bdtr$qqrv, @Swinhttp@TSwResponse@Clear$qqrv, @Swinhttp@TSwResponse@FillResponse$qqrpv, @Swinhttp@TSwResponse@GetBody$qqrv, @Swinhttp@TSwResponse@GetContent$qqrv, @Swinhttp@TSwResponse@SetContent$qqrpx15Classes@TStream, @Swinhttp@TSwURL@, @Swinhttp@TSwURL@$bctr$qqrv, @Swinhttp@TSwURL@AssignTo$qqrp19Classes@TPersistent, @Swinhttp@TSwURL@Clear$qqrv, @Swinhttp@TSwURL@GetSSL$qqrv, @Swinhttp@TSwURL@GetUrl$qqrv, @Swinhttp@TSwURL@SetSSL$qqrxo, @Swinhttp@TSwURL@SetUrl$qqrx17System@AnsiString, @Swinhttp@TSwinHttp@, @Swinhttp@TSwinHttp@$bctr$qqrp18Classes@TComponent, @Swinhttp@TSwinHttp@$bdtr$qqrv, @Swinhttp@TSwinHttp@AssignTo$qqrp19Classes@TPersistent, @Swinhttp@TSwinHttp@Clear$qqrv, @Swinhttp@TSwinHttp@Close$qqrv, @Swinhttp@TSwinHttp@DoRequest$qqrv, @Swinhttp@TSwinHttp@Get$qqr17System@AnsiString, @Swinhttp@TSwinHttp@Open$qqrv, @Swinhttp@TSwinHttp@OpenRequest$qqrv, @Swinhttp@TSwinHttp@Post$qqr17System@AnsiStringt1, @Swinhttp@TSwinHttp@Read$qqrpvui, @Swinhttp@TSwinHttp@ReceiveAll$qqrv, @Swinhttp@TSwinHttp@SyncEvent$qqrynpqqrp18Swinhttp@TSwinHttpp19Swinhttp@TSwRequest$v, @Swinhttp@initialization$qqrv, @YandexParseCaptcha, @YandexWebmasterLinks@$bctr$qp16Classes@TStringst1t1t1rx17System@AnsiStringt5poxuixoynpqi$vt1, @YandexWebmasterLinks@$bdtr$qqrv, @YandexWebmasterLinks@DoFinish$qqrp14System@TObject, @YandexWebmasterLinks@Finished$qv, @YandexWebmasterLinks@ReturnValue$qv, @Zlibex@EZCompressionError@, @Zlibex@EZDecompressionError@, @Zlibex@EZLibError@, @Zlibex@EZLibError@$bctr$qqr14Zlibex@TZErrorx17System@AnsiString, @Zlibex@EZLibError@$bctr$qqrix17System@AnsiString, @Zlibex@Finalization$qqrv, @Zlibex@TCustomZStream@, @Zlibex@TCustomZStream@$bctr$qqrp15Classes@TStream, @Zlibex@TCustomZStream@DoProgress$qqrv, @Zlibex@TZCompressionStream@, @Zlibex@TZCompressionStream@$bctr$qqrp15Classes@TStream25Zlibex@TZCompressionLevel, @Zlibex@TZCompressionStream@$bctr$qqrp15Classes@TStream25Zlibex@TZCompressionLevelii17Zlibex@TZStrategy, @Zlibex@TZCompressionStream@$bdtr$qqrv, @Zlibex@TZCompressionStream@GetCompressionRate$qqrv, @Zlibex@TZCompressionStream@Read$qqrpvi, @Zlibex@TZCompressionStream@Seek$qqrius, @Zlibex@TZCompressionStream@Write$qqrpxvi, @Zlibex@TZDecompressionStream@, @Zlibex@TZDecompressionStream@$bctr$qqrp15Classes@TStream, @Zlibex@TZDecompressionStream@$bctr$qqrp15Classes@TStreami, @Zlibex@TZDecompressionStream@$bdtr$qqrv, @Zlibex@TZDecompressionStream@Read$qqrpvi, @Zlibex@TZDecompressionStream@Seek$qqrius, @Zlibex@TZDecompressionStream@Write$qqrpxvi, @Zlibex@ZAdler32$qqripxvi, @Zlibex@ZCompress$qqrpxvirpvri25Zlibex@TZCompressionLevel, @Zlibex@ZCompress2$qqrpxvirpvri25Zlibex@TZCompressionLevelii17Zlibex@TZStrategy, @Zlibex@ZCompressStr$qqrx17System@AnsiString25Zlibex@TZCompressionLevel, @Zlibex@ZCompressStr2$qqrx17System@AnsiString25Zlibex@TZCompressionLevelii17Zlibex@TZStrategy, @Zlibex@ZCompressStrEx$qqrx17System@AnsiString25Zlibex@TZCompressionLevel, @Zlibex@ZCompressStrWeb$qqrx17System@AnsiString, @Zlibex@ZCompressStream$qqrp15Classes@TStreamt125Zlibex@TZCompressionLevel, @Zlibex@ZCompressStream2$qqrp15Classes@TStreamt125Zlibex@TZCompressionLevelii17Zlibex@TZStrategy, @Zlibex@ZCompressStreamWeb$qqrp15Classes@TStreamt1, @Zlibex@ZCrc32$qqripxvi, @Zlibex@ZDecompress$qqrpxvirpvrii, @Zlibex@ZDecompress2$qqrpxvirpvriii, @Zlibex@ZDecompressStr$qqrx17System@AnsiString, @Zlibex@ZDecompressStr2$qqrx17System@AnsiStringi, @Zlibex@ZDecompressStrEx$qqrx17System@AnsiString, @Zlibex@ZDecompressStream$qqrp15Classes@TStreamt1, @Zlibex@ZDecompressStream2$qqrp15Classes@TStreamt1i, @Zlibex@initialization$qqrv, @Zlibexgz@Finalization$qqrv, @Zlibexgz@GZCompressStr$qqrx17System@AnsiString, @Zlibexgz@GZCompressStr$qqrx17System@AnsiStringt1t116System@TDateTime, @Zlibexgz@GZCompressStream$qqrp15Classes@TStreamt1, @Zlibexgz@GZCompressStream$qqrp15Classes@TStreamt1x17System@AnsiStringt316System@TDateTime, @Zlibexgz@GZDecompressStr$qqrx17System@AnsiString, @Zlibexgz@GZDecompressStr$qqrx17System@AnsiStringr17System@AnsiStringt2r16System@TDateTime, @Zlibexgz@GZDecompressStream$qqrp15Classes@TStreamt1, @Zlibexgz@GZDecompressStream$qqrp15Classes@TStreamt1r17System@AnsiStringt3r16System@TDateTime, @Zlibexgz@ZCompressStrG$qqrx17System@AnsiString, @Zlibexgz@ZCompressStrG$qqrx17System@AnsiStringt1t116System@TDateTime, @Zlibexgz@ZCompressStreamG$qqrp15Classes@TStreamt1, @Zlibexgz@ZCompressStreamG$qqrp15Classes@TStreamt1x17System@AnsiStringt316System@TDateTime, @Zlibexgz@ZDecompressStrG$qqrx17System@AnsiString, @Zlibexgz@ZDecompressStrG$qqrx17System@AnsiStringr17System@AnsiStringt2r16System@TDateTime, @Zlibexgz@ZDecompressStreamG$qqrp15Classes@TStreamt1, @Zlibexgz@ZDecompressStreamG$qqrp15Classes@TStreamt1r17System@AnsiStringt3r16System@TDateTime, @Zlibexgz@initialization$qqrv, _AOLPage, _AlexaPage, _AlexaRankPage, _AllByPage, _AllTheWebPage, _AltavistaPage, _AportIndexPage, _AportPage, _AskJeevesKwPage, _AskJeevesPage, _AtlasPage, _BigmirPage, _CentrumPage, _DMOZPage, _FireballPage, _GetRamblerAdWords, _GigablastPage, _GoGoPage, _GoogleDCPage, _GoogleDesPage, _GoogleDirPage, _GoogleIndexation, _GoogleLinksPage, _GooglePage, _HotBotPage, _IndexFunction, _KazzoomPage, _LiberoPage, _LoadYandexTree, _LycosPage, _MSNLinksPage, _MSNPage, _MailPage, _MailRuKwPage, _MetaPage, _MsnRNumberLinks, _OnetPage, _OvertureKeyword, _ProxyCheck, _RamblerKwPage, _RamblerPage, _SeznamPage, _TOnlinePage, _TutByPage, _VirgilioPage, _VoilaPage, _WebPage, _WebaltaPage, _WordtrackerKeyword, _WordtrackerKwPage, _WpPage, _YahooDesPage, _YahooDirPage, _YahooKwPage, _YahooLinksPage, _YahooPage, _YandexCYPage, _YandexDesPage, _YandexDirPage, _YandexIndexPage, _YandexIndexation, _YandexKeyword, _YandexKwPage, _YandexLinksPage, _YandexPage, ___CPPdebugHook, _fsGoogleWMTPageType, _fsYandexWMTPageType
ExifTool:
file metadata
CodeSize: 1318912
EntryPoint: 0x1d7001
FileSize: 795 kB
FileType: Win32 DLL
ImageVersion: 0.0
InitializedDataSize: 278528
LinkerVersion: 5.0
MIMEType: application/octet-stream
MachineType: Intel 386 or later, and compatibles
OSVersion: 4.0
PEType: PE32
Subsystem: Windows GUI
SubsystemVersion: 4.0
TimeStamp: 2010:07:11 20:03:13+02:00
UninitializedDataSize: 0

>>>>>>>

report pro C:\WINDOWS\System32\exasd_.dll

Additional information:

Show all
MD5 : d2042a3348856fcd613f29c2fc3736dd
SHA1 : 433328eb9d4add2c9c0d7d76be8de3859094dc24
SHA256: c457f1c0a5afe516e32aadd4dbe89c01b4705632bb6c5a00c73099013a661b84
ssdeep: 3:6rlvhllln:6xT
File size : 16 bytes
First seen: 2010-10-25 17:59:00
Last seen : 2010-10-25 17:59:00
TrID:
Unknown!
sigcheck:
publisher....: n/a
copyright....: n/a
product......: n/a
description..: n/a
original name: n/a
internal name: n/a
file version.: n/a
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned
ExifTool:
file metadata
Error: File format error
FileSize: 16 bytes


ExifTool:
file metadata
Error: File format error
FileSize: 16 bytes

[earl]

Ted jdu do prace,zitra vam napisu ten skript.

[earl]

pokud jste tak jeste neucinil(a), presunte Combofix na plochu

otevrete si Poznamkovy blok

do nej zkopirujte skript z nasledujiciho okna:

Kód: Vybrat vše

KillAll::
Collect::
C:\WINDOWS\System32\drivers\kdoan.sys
C:\Documents and Settings\All Users\Data aplikací\0D794BEC5C.sys
C:\WINDOWS\System32\exasd_.dll
c:\windows\TEMP\940037ac3795
c:\windows\TEMP\92405e34f161
c:\windows\TEMP\9200682dd558
c:\windows\TEMP\9320c235a74a
c:\windows\TEMP\92804bdbc8e5
c:\windows\TEMP\92007631051
c:\windows\TEMP\9200ed1318db
c:\windows\TEMP\9320aa22c075
c:\windows\TEMP\92003da71f91
c:\windows\TEMP\92003a05f677
c:\windows\TEMP\92005d95e76d
c:\windows\TEMP\9200aee16eaa
c:\windows\TEMP\92007d903262
 c:\windows\TEMP\920021cc7eb9
c:\windows\TEMP\9200ca3f533d
c:\windows\TEMP\9240dc18d502
 c:\windows\TEMP\9240ed8981c5
c:\windows\TEMP\92009089621e
c:\windows\TEMP\9200e6037d68
c:\windows\TEMP\92401b04169b
 c:\windows\TEMP\92004085f092
c:\windows\TEMP\9280c5fa95f0
c:\windows\TEMP\9200583b6812
 c:\windows\TEMP\92405952bbbf
c:\windows\TEMP\9200be4dfcf0
c:\windows\TEMP\932028d180da
Driver::
5249569c070ed6b5
af36d2516e9b5b2d
078f0aba1620ca71
0f971ebf42779f9b
10270bb7faa2f395
159048c36599f5fd
1f3193a667460dca
21daad4a110130e9
2baebbe02e20191d
35179bebb8e8cab3
4ccc71471f0eab03
53d3e5734868f3ba
61e6fb59dfa2c3e9
64e9ca2ec768e6de
71231cead0956b8d
9e7d78327bbd610e
b61e06d104588609
bf7a9dc80811dafa
c69e8e8de2f496ec
cf5ecafa7c2ed4d4
cffc5fdfcd0d8579
d667dcbe3929be43
dd24e9cc406a726a
f3c68bc4c8f51a06
f42efddd14a91613
fdf9c64d7c0e7240
Registry::
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\kdoan]
Reboot::

ulozte vami vytvoreny textovy soubor jako CFScript.txt na plochu

po ulozeni uchopte vami vytvoreny skript levym tlacitkem mysi a presunte jej nad ikonu Combofixu, nad niz skript upustte:



po aplikaci by na vas mel vyskocit dalsi log, vlozte jej sem

Upozorneni: je mozne, ze po aplikaci skriptu a restartu nenabehnou Windows,

v takovem pripade znovu restartujte, po restartu mackejte F8 a zvolte Posledni znamou funkcni konfiguraci

[fotoduki]

windows nabehly v pohode napoprve.

----------------------------------

ComboFix 10-10-22.05 - admin 26.10.2010 19:16:02.3.2 - x86
Systém Microsoft Windows XP Professional 5.1.2600.2.1250.420.1029.18.895.516 [GMT 2:00]
Spuštěný z: d:\_download\ComboFix.exe
Použité ovládací přepínače :: c:\documents and settings\admin\Plocha\CFScript.txt
AV: avast! antivirus 4.8.1368 [VPS 101026-1] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

file zipped: c:\documents and settings\All Users\Data aplikací\0D794BEC5C.sys
file zipped: c:\windows\System32\drivers\kdoan.sys
file zipped: c:\windows\System32\exasd_.dll
.

((((((((((((((((((((((((((((((((((((((( Ostatní výmazy )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\System32\drivers\kdoan.sys
c:\windows\System32\exasd_.dll

.
((((((((((((((((((((((((((((((((((((((( Ovladače/Služby )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_078f0aba1620ca71
-------\Service_0f971ebf42779f9b
-------\Service_10270bb7faa2f395
-------\Service_159048c36599f5fd
-------\Service_1f3193a667460dca
-------\Service_21daad4a110130e9
-------\Service_2baebbe02e20191d
-------\Service_35179bebb8e8cab3
-------\Service_4ccc71471f0eab03
-------\Service_5249569c070ed6b5
-------\Service_53d3e5734868f3ba
-------\Service_61e6fb59dfa2c3e9
-------\Service_64e9ca2ec768e6de
-------\Service_71231cead0956b8d
-------\Service_9e7d78327bbd610e
-------\Service_af36d2516e9b5b2d
-------\Service_b61e06d104588609
-------\Service_bf7a9dc80811dafa
-------\Service_c69e8e8de2f496ec
-------\Service_cf5ecafa7c2ed4d4
-------\Service_cffc5fdfcd0d8579
-------\Service_d667dcbe3929be43
-------\Service_dd24e9cc406a726a
-------\Service_f3c68bc4c8f51a06
-------\Service_f42efddd14a91613
-------\Service_fdf9c64d7c0e7240
-------\Legacy_kdoan
-------\Service_kdoan


((((((((((((((((((((((((( Soubory vytvořené od 2010-09-26 do 2010-10-26 )))))))))))))))))))))))))))))))
.

2010-10-07 18:42 . 2010-10-07 18:42 -------- d-----w- c:\documents and settings\admin\Data aplikací\Malwarebytes
2010-10-07 18:42 . 2010-04-29 13:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-10-07 18:41 . 2010-10-07 18:41 -------- d-----w- c:\documents and settings\All Users\Data aplikací\Malwarebytes
2010-10-07 18:41 . 2010-10-07 18:42 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-10-07 18:41 . 2010-04-29 13:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-10-07 08:42 . 2010-10-07 11:04 -------- d-----w- c:\documents and settings\admin\Data aplikací\AIMP
2010-10-07 08:29 . 2010-10-07 08:29 -------- d-----w- c:\program files\AIMP2

.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-01 07:07 . 2010-09-01 07:07 22558023 ----a-w- c:\windows\system32\CDSM_CDSM Designer_uninstaller.exe
2010-08-06 12:22 . 2007-10-28 18:08 94208 ----a-w- c:\windows\DUMP50b0.tmp
.

((((((((((((((((((((((((((((( SnapShot@2010-10-15_08.01.39 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-10-25 07:39 . 2010-10-25 07:39 16384 c:\windows\Temp\Perflib_Perfdata_718.dat
+ 2010-10-26 17:19 . 2010-10-26 17:19 16384 c:\windows\Temp\Perflib_Perfdata_64c.dat
+ 2010-10-26 17:19 . 2010-10-26 17:19 16384 c:\windows\Temp\Perflib_Perfdata_14c.dat
- 2010-10-15 08:01 . 2010-10-15 08:01 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2010-10-26 17:19 . 2010-10-26 17:19 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2007-10-28 17:28 . 2010-10-15 08:01 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2007-10-28 17:28 . 2010-10-26 17:19 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2010-10-15 18:48 . 2010-10-26 17:19 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2007-10-28 17:28 . 2010-10-15 08:01 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
.
(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2007-04-10 16126464]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]
"SMail"="c:\program files\Seznam\Postak\Postak.exe" [2006-05-18 450560]
"VirtualCloneDrive"="c:\program files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" [2006-04-29 94208]
"PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2009-11-09 180224]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

c:\documents and settings\admin\Nabˇdka Start\Programy\Po spuçtŘnˇ\AutorunsDisabled
OpenOffice.org 2.3.lnk - c:\program files\OpenOffice.org 2.3\program\quickstart.exe [2007-9-11 393216]

c:\documents and settings\All Users\Nabˇdka Start\Programy\Po spuçtŘnˇ\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-24 29696]

c:\documents and settings\All Users\Nabˇdka Start\Programy\Po spuçtŘnˇ\AutorunsDisabled
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-12 282624]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\Orb.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\uTorrent\\utorrent.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\ICQ6.5\\ICQ.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Program Files\\TeamViewer\\Version4\\TeamViewer.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [6.4.2008 0:13 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [6.4.2008 0:13 20560]
S3 AF9035BDA;GIGABYTE U7200 DVB-T Devices;c:\windows\system32\drivers\AF9035BDA.sys [29.5.2008 15:39 244096]
.
.
------- Doplňkový sken -------
.
IE: E&xportovat do aplikace Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\admin\Data aplikací\Mozilla\Firefox\Profiles\pwbdbsdi.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.sweetim.com/search.asp?src=2&q=
FF - prefs.js: browser.search.selectedEngine - Ask.com
FF - prefs.js: browser.startup.homepage - hxxp://www.seznam.cz/
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&oe=UTF-8 ... &gfns=1&q=
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Veetle\Player\npvlc.dll
FF - plugin: c:\program files\Veetle\plugins\npVeetle.dll
FF - plugin: c:\program files\Veetle\VLCBroadcast\npvbp.dll

---- NASTAVENÍ FIREFOXU ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified
c:\program files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".cz");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - NEPLATNÉ POLOŽKY ODSTRANĚNÉ Z REGISTRU - - - -

Toolbar-{4F11ACBB-393F-4C86-A214-FF3D0D155CC3} - (no file)
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-10-26 19:20
Windows 5.1.2600 Service Pack 2 NTFS

skenování skrytých procesů ...

skenování skrytých položek 'Po spuštění' ...

skenování skrytých souborů ...

sken byl úspešně dokončen
skryté soubory: 0

**************************************************************************
.
--------------------- Knihovny navázané na běžící procesy ---------------------

- - - - - - - > 'winlogon.exe'(864)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3444)
c:\windows\system32\msi.dll
.
------------------------ Jiné spuštené procesy ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\HPZipm12.exe
c:\program files\Common Files\Protexis\License Service\PsiService_2.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\windows\system32\wscntfy.exe
c:\windows\RTHDCPL.EXE
.
**************************************************************************
.
Celkový čas: 2010-10-26 19:22:34 - počítač byl restartován
ComboFix-quarantined-files.txt 2010-10-26 17:22
ComboFix2.txt 2010-10-23 18:14
ComboFix3.txt 2010-10-15 08:04

Před spuštěním: Volných bajtů: 25 758 609 408
Po spuštění: Volných bajtů: 25 751 142 400

WindowsXP-KB310994-SP2-Pro-BootDisk-CSY.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /usepmtimer

- - End Of File - - 36700AAD70F8D3853E39D0919D61C84A

[earl]

otestujte na VIRSCANu

c:\windows\system32\CDSM_CDSM Designer_uninstaller.exe

c:\windows\DUMP50b0.tmp

(navod: po nacteni stranky kliknete na tlacitko Prochazet , najdete cestu k vyse zminenemu souboru a kliknete na tlacitko Odeslat soubor; dejte skenerum nejakych deset minut; vysledek sem vlozte)

Pokud skener napíše, že soubor již byl testován, dejte otestovat znovu.

A popiste chovani pc.

[fotoduki]

c:\windows\system32\CDSM_CDSM Designer_uninstaller.exe

po zadani cesty k souboru hlaska:

error: maximalni velikost souboru 20 prekrocena. upload prerusen.
(velikost souboru je 22 558 023)


c:\windows\DUMP50b0.tmp

po zadani cesty k souboru hlaska:

error: maximalni velikost souboru 20 prekrocena. upload prerusen.
(velikost souboru nevim, souborovy manager ho nevidi)

[earl]

c:\windows\DUMP50b0.tmp - tento soubor smazte.

Jak se chova pc nyni.

[fotoduki]

behem hodinoveho brouzdani po internetu firefoxem, se zadne problemy neprojevily. (jiny sw i cinnost se v pc skoro nepouziva).

[earl]

Start - spustit - napiste ComboFix /Uninstall - a klepnout na OK,

pokud to takto nepujde,tak přejmenovat ComboFix.exe na Uninstall.exe a spustit ho

Stahnete OTC

spustte a klepnete na CleanUp.



Vycistete pc Ccleanerem.

Vzdy nejprve Analyzovat a pak Spustit Cleaner.2x po sobe.

Windows-odskrtnout historii a historii automatickeho vyplnovani formularu - prisel byste o historii navstivenych stranek a o ulozena hesla ve formularich

(je to sice z pohledu zabezpeceni spatne,ale aspon pak uzivatel nenadava,kam ze mu to zmizelo )

Aplikace-u prohlizecu internetu odskrtnout Historii internetu.

Registry-nechat vse zaskrtle,Hledej problemy,Opravit vybrane problemy

(nechat ho udelat zalohu-ta je ulozena v Dokumentech-DULEZITE).

Taktez 2x-3x po sobe.

A hotovo.