Vir v explorer.exe atd.

[vyosek]

Zkusime to tedy jinak

Nabootujte z instalacniho CD a provedte opravnou instalaci, tim by se tam meli dostat ciste systemove soubory, bohuzel byly poskozene coz zjistil i CF ale jelikoz havet napadla i jej, tak nedokazal je vylecit

Navod na opravnou instalaci http://www.viry.cz/forum/viewtopic.php?f=46&t=41036

[Herbalife]

Dobry den, prepacte, ze som nenapisal uz vcera ale mal som pracu plus som par hodin hladal instalacku od home edition. WIN je opraveny ale da sa lognut len v safe mode, ostatne vyzaduju okamzitu registraciu. Mam poslat log z beruska.com?

[Herbalife]

ComboFix 11-02-05.01 - Administrator 06.02.2011 21:25:45.2.2 - x86 MINIMAL
Microsoft Windows XP Home Edition 5.1.2600.2.1250.420.1029.18.1023.849 [GMT 1:00]
Spuštěný z: c:\documents and settings\Administrator.HUDCOVCE-2A7DB1.000\Plocha\Beruska.com.exe

VAROVÁNÍ - NA TOMTO POČÍTAČI NENÍ NAINSTALOVÁNA KONZOLA PRO ZOTAVENÍ !!
.

((((((((((((((((((((((((((((((((((((((( Ostatní výmazy )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\config\software.sav
.
---- Předchozí spuštění -------
.
c:\documents and settings\Vlado\Data aplikací\PriceGong\Data\1.xml
c:\documents and settings\Vlado\Data aplikací\PriceGong\Data\a.xml
c:\documents and settings\Vlado\Data aplikací\PriceGong\Data\b.xml
c:\documents and settings\Vlado\Data aplikací\PriceGong\Data\c.xml
c:\documents and settings\Vlado\Data aplikací\PriceGong\Data\d.xml
c:\documents and settings\Vlado\Data aplikací\PriceGong\Data\e.xml
c:\documents and settings\Vlado\Data aplikací\PriceGong\Data\f.xml
c:\documents and settings\Vlado\Data aplikací\PriceGong\Data\g.xml
c:\documents and settings\Vlado\Data aplikací\PriceGong\Data\h.xml
c:\documents and settings\Vlado\Data aplikací\PriceGong\Data\i.xml
c:\documents and settings\Vlado\Data aplikací\PriceGong\Data\J.xml
c:\documents and settings\Vlado\Data aplikací\PriceGong\Data\k.xml
c:\documents and settings\Vlado\Data aplikací\PriceGong\Data\l.xml
c:\documents and settings\Vlado\Data aplikací\PriceGong\Data\m.xml
c:\documents and settings\Vlado\Data aplikací\PriceGong\Data\mru.xml
c:\documents and settings\Vlado\Data aplikací\PriceGong\Data\n.xml
c:\documents and settings\Vlado\Data aplikací\PriceGong\Data\o.xml
c:\documents and settings\Vlado\Data aplikací\PriceGong\Data\p.xml
c:\documents and settings\Vlado\Data aplikací\PriceGong\Data\q.xml
c:\documents and settings\Vlado\Data aplikací\PriceGong\Data\r.xml
c:\documents and settings\Vlado\Data aplikací\PriceGong\Data\s.xml
c:\documents and settings\Vlado\Data aplikací\PriceGong\Data\t.xml
c:\documents and settings\Vlado\Data aplikací\PriceGong\Data\u.xml
c:\documents and settings\Vlado\Data aplikací\PriceGong\Data\v.xml
c:\documents and settings\Vlado\Data aplikací\PriceGong\Data\w.xml
c:\documents and settings\Vlado\Data aplikací\PriceGong\Data\x.xml
c:\documents and settings\Vlado\Data aplikací\PriceGong\Data\y.xml
c:\documents and settings\Vlado\Data aplikací\PriceGong\Data\z.xml
c:\windows\system32\zx.dll
c:\windows\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job
D:\AUTORUN.INF

-- Předchozí spuštění --

c:\windows\explorer.exe . . . je infikován!!

c:\windows\explorer.exe . . . je infikován!!

c:\windows\system32\winlogon.exe . . . je infikován!!

--------

.
((((((((((((((((((((((((((((((((((((((( Ovladače/Služby )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_SSHNAS


((((((((((((((((((((((((( Soubory vytvořené od 2011-01-06 do 2011-02-06 )))))))))))))))))))))))))))))))
.

2011-02-06 03:09 . 2011-02-06 03:11 -------- d-----w- c:\windows\LastGood
2011-02-06 03:04 . 2004-08-18 12:00 36927 -c--a-w- c:\windows\system32\dllcache\padrs411.dll
2011-02-06 03:03 . 2004-08-18 12:00 330752 -c--a-w- c:\windows\system32\dllcache\aqueue.dll
2011-02-06 02:57 . 2004-08-03 22:00 87424 ----a-w- c:\windows\system32\drivers\irda.sys
2011-02-06 02:54 . 2001-08-17 20:51 18688 ----a-w- c:\windows\system32\drivers\irsir.sys
2011-02-06 02:51 . 2004-08-17 14:49 153088 ----a-w- c:\windows\system32\irftp.exe
2011-02-06 02:51 . 2004-08-17 14:49 8192 ----a-w- c:\windows\system32\wshirda.dll
2011-02-06 02:51 . 2004-08-17 14:49 26624 ----a-w- c:\windows\system32\irmon.dll
2011-02-06 02:51 . 2001-08-17 20:51 19584 ----a-w- c:\windows\system32\drivers\rasirda.sys
2011-02-05 22:13 . 2011-02-05 22:13 -------- d-----w- c:\documents and settings\Administrator
2011-02-05 20:52 . 2011-02-05 20:52 -------- d-----w- c:\program files\trend micro
2011-02-05 20:51 . 2011-02-05 20:52 -------- d-----w- C:\rsit
2011-01-19 00:40 . 2011-01-19 00:40 -------- d-----w- c:\windows\system32\LogFiles
2011-01-15 22:21 . 2011-01-15 22:21 -------- d-----w- c:\documents and settings\All Users\Data aplikací\FLEXnet
2011-01-15 22:10 . 2011-01-15 22:10 -------- d-----w- c:\program files\Adobe Media Player
2011-01-15 22:09 . 2010-02-05 13:14 -------- d-----w- c:\documents and settings\Vlado\Data aplikací\skypePM
2011-01-15 22:07 . 2011-01-15 22:07 -------- d-----w- c:\program files\Common Files\Adobe AIR
2011-01-15 22:03 . 2011-01-15 22:03 -------- d-----w- c:\program files\Common Files\Macrovision Shared
2011-01-15 21:53 . 2011-01-15 21:53 -------- d-----w- c:\program files\Common Files\Skype
2011-01-15 21:53 . 2011-01-15 21:54 -------- d-----r- c:\program files\Skype
2011-01-15 21:53 . 2010-02-05 13:19 -------- d-----w- c:\documents and settings\Vlado\Data aplikací\Skype
2011-01-15 21:53 . 2011-01-15 21:53 -------- d-----w- c:\documents and settings\All Users\Data aplikací\Skype
2011-01-11 14:01 . 2011-01-11 14:01 -------- d-----w- c:\documents and settings\Vlado\Local Settings\Data aplikací\PCHealth
2011-01-09 15:14 . 2011-01-09 15:14 -------- d-----w- c:\program files\Realtek
2011-01-09 15:14 . 2010-10-28 09:46 1251944 ----a-w- c:\windows\RtlExUpd.dll
2011-01-09 11:12 . 2011-01-09 11:12 -------- d-----w- c:\windows\system32\XPSViewer
2011-01-09 11:11 . 2011-01-09 11:11 -------- d-----w- c:\program files\MSBuild
2011-01-09 11:11 . 2011-01-09 11:11 -------- d-----w- c:\program files\Reference Assemblies
2011-01-09 11:11 . 2008-07-06 12:06 89088 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\filterpipelineprintproc.dll
2011-01-09 11:11 . 2008-07-06 12:06 575488 ----a-w- c:\windows\system32\xpsshhdr.dll
2011-01-09 11:11 . 2008-07-06 12:06 1676288 ----a-w- c:\windows\system32\xpssvcs.dll
2011-01-09 11:11 . 2008-07-06 12:06 117760 ----a-w- c:\windows\system32\prntvpt.dll
2011-01-09 11:11 . 2008-07-06 10:50 597504 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\printfilterpipelinesvc.exe
2011-01-09 02:02 . 2011-01-09 02:02 -------- d-----w- c:\program files\MSXML 6.0
2011-01-08 01:23 . 2011-01-08 01:23 -------- d-----w- c:\documents and settings\Vlado\Local Settings\Data aplikací\The Witcher

.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-01-13 15:30 . 2011-01-05 20:02 60416 ----a-w- c:\windows\ALCFDRTM.VER
2011-01-05 23:19 . 2011-01-05 23:19 23456 ----a-w- c:\windows\system32\drivers\DrvAgent32.sys
2011-01-05 20:02 . 2011-01-05 20:02 60416 ----a-w- c:\windows\ALCFDRTM.EXE
2011-01-05 19:08 . 2011-01-05 19:08 691696 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-09-04 17:01 . 2009-09-04 17:01 525656 ----a-w- c:\program files\DXSETUP.exe
2009-09-04 17:01 . 2009-09-04 17:01 94024 ----a-w- c:\program files\DSETUP.dll
2009-09-04 17:01 . 2009-09-04 17:01 1691464 ----a-w- c:\program files\dsetup32.dll
.

(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{30F9B915-B755-4826-820B-08FBA6BD249D}]
2010-12-09 11:51 3911776 ----a-w- c:\program files\ConduitEngine\ConduitEngine.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6edc3889-b841-4127-a2bf-c5fc48f972c7}]
2010-10-18 11:26 3908192 ----a-w- c:\program files\RadarSync2\tbRada.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]
2010-12-09 11:51 3911776 ----a-w- c:\program files\uTorrentBar\tbuTor.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}"= "c:\program files\uTorrentBar\tbuTor.dll" [2010-12-09 3911776]
"{30F9B915-B755-4826-820B-08FBA6BD249D}"= "c:\program files\ConduitEngine\ConduitEngine.dll" [2010-12-09 3911776]
"{6edc3889-b841-4127-a2bf-c5fc48f972c7}"= "c:\program files\RadarSync2\tbRada.dll" [2010-10-18 3908192]

[HKEY_CLASSES_ROOT\clsid\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]

[HKEY_CLASSES_ROOT\clsid\{30f9b915-b755-4826-820b-08fba6bd249d}]

[HKEY_CLASSES_ROOT\clsid\{6edc3889-b841-4127-a2bf-c5fc48f972c7}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 36975]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 40048]
"ANIWZCS2Service"="c:\program files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2009-08-21 98304]
"D-Link D-Link Wireless G DWL-G122_DWA-110"="c:\program files\D-Link\DWL-G122_DWA-110\AirGCFG.exe" [2009-09-18 1708032]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-07-14 98304]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"SoundMan"="SOUNDMAN.EXE" [2006-11-17 577536]
"ATIModeChange"="Ati2mdxx.exe" [2009-07-15 26112]
"SRFirstRun"="srclient.dll" [2004-08-18 67584]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-18 44544]

c:\documents and settings\All Users\Nabˇdka Start\Programy\Po spuçtŘnˇ\
Bitmeter2.lnk - c:\program files\Codebox\BitMeter\BitMeter2.exe [2010-8-28 1462272]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"d:\\Games\\4\\hon.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4

S0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [5.1.2011 20:08 691696]
S2 ANIWConnService;ANIWConn Service;c:\windows\system32\ANIWConnService.exe [6.1.2011 2:04 151552]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [18.3.2010 13:16 130384]
S2 Fabs;FABS - Helping agent for MAGIX media database;c:\program files\Common Files\MAGIX Services\Database\bin\FABS.exe [27.8.2009 17:09 1253376]
S3 DrvAgent32;DrvAgent32;c:\windows\system32\drivers\DrvAgent32.sys [6.1.2011 0:19 23456]
S3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;c:\program files\Common Files\MAGIX Services\Database\bin\fbserver.exe [7.8.2008 11:10 3276800]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [18.3.2010 13:16 753504]
.
Obsah adresáře 'Naplánované úlohy'

2010-02-05 c:\windows\Tasks\RegCure Program Check.job
- c:\program files\RegCure\RegCure.exe [2010-05-19 11:45]

2011-01-20 c:\windows\Tasks\RegCure.job
- c:\program files\RegCure\RegCure.exe [2010-05-19 11:45]
.
.
------- Doplňkový sken -------
.
TCP: {9BFB6DF6-E194-4B52-82C3-3F01EC308C50} = 208.67.222.222,208.67.220.220
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-02-06 21:30
Windows 5.1.2600 Service Pack 2 NTFS

skenování skrytých procesů ...

skenování skrytých položek 'Po spuštění' ...

skenování skrytých souborů ...

sken byl úspešně dokončen
skryté soubory: 0

**************************************************************************
.
--------------------- ZAMKNUTÉ KLÍČE V REGISTRU ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- Knihovny navázané na běžící procesy ---------------------

- - - - - - - > 'winlogon.exe'(200)
c:\windows\system32\Ati2evxx.dll
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
.
Celkový čas: 2011-02-06 21:32:24
ComboFix-quarantined-files.txt 2011-02-06 20:32

Před spuštěním: Volných bajtů: 16 082 526 208
Po spuštění: Volných bajtů: 16 046 411 776

Current=4 Default=4 Failed=0 LastKnownGood=6 Sets=1,2,3,4,5,6
- - End Of File - - C34AB5DAC5BD6857E941FD949637AD0A

[vyosek]

V pohode, jsou infikovane systemove soubory, zkusime je obnovit pres CFko a kdyztak bych Vam poslal nahradni

Registrace by se mela dat udelat i pres telefon, i presto ze je system nelegal - jen natukate pozadovane udaje a je to to...

Pokud nemate, tak presunte Combofix na plochu

• Spustte poznamkovy blok (Start-spustit-notepad)
• Zkopirujte skript nize

• Kód: Vybrat vše

  Restore::
  c:\windows\explorer.exe
  c:\windows\system32\winlogon.exe
  
  SRPeek::
  c:\windows\explorer.exe
  c:\windows\system32\winlogon.exe
  
  Folder::
  c:\program files\uTorrentBar
  C:\Program Files\DAEMON Tools Toolbar
  
  Registry::
  [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]
  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
  "{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}"=-
  "{32099AAC-C132-4136-9E9A-4E364A424E17}"=-
  
  [-HKEY_CLASSES_ROOT\clsid\{6edc3889-b841-4127-a2bf-c5fc48f972c7}]
  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
  "SunJavaUpdateSched"=-
  "Adobe Reader Speed Launcher"=-
  [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
  "Google Update"=C:\Documents and Settings\Vlado\Local Settings\Data aplikací\Google\Update\GoogleUpdate.exe [2011-01-05 136176]
  "uTorrent"=-
  "DAEMON Tools Lite"=-
  "Skype"=-
  "Pando Media Booster"=-
  
  File::
  C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1606980848-261903793-725345543-1004Core.job
  C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1606980848-261903793-725345543-1004UA.job
  C:\WINDOWS\tasks\RegCure Program Check.job
  C:\WINDOWS\tasks\RegCure.job
  C:\WINDOWS\tasks\{22116563-108C-42c0-A7CE-60161B75E508}.job
  C:\WINDOWS\tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job
  
  RegLock::
  [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
  [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
  [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
  [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
  [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
  [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
  [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

• Ulozte vytvoreny TXT jako CFScript.txt
• Pretahnete vytvoreny CFScript.txt nad Combofix a pustte (viz obrazek nize)
  
• Po aplikaci skriptu (a pripadnem restartu) na Vas vypadne log, jeho obsah sem vlozte

Muze se stat, ze po aplikaci skriptu nenabehnou windows, v tomto pripade restartuje PC a mackejte F8 a zvolte Posledni znamou konfiguraci

[Herbalife]

ComboFix 11-02-05.01 - Administrator 06.02.2011 22:42:20.3.2 - x86 MINIMAL
Microsoft Windows XP Home Edition 5.1.2600.2.1250.420.1029.18.1023.786 [GMT 1:00]
Spuštěný z: c:\documents and settings\Administrator.HUDCOVCE-2A7DB1.000\Plocha\Beruska.com.exe
Použité ovládací přepínače :: c:\documents and settings\Administrator.HUDCOVCE-2A7DB1.000\Plocha\CFScript.txt

VAROVÁNÍ - NA TOMTO POČÍTAČI NENÍ NAINSTALOVÁNA KONZOLA PRO ZOTAVENÍ !!

FILE ::
"c:\windows\tasks\{22116563-108C-42c0-A7CE-60161B75E508}.job"
"c:\windows\tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job"
"c:\windows\tasks\GoogleUpdateTaskUserS-1-5-21-1606980848-261903793-725345543-1004Core.job"
"c:\windows\tasks\GoogleUpdateTaskUserS-1-5-21-1606980848-261903793-725345543-1004UA.job"
"c:\windows\tasks\RegCure Program Check.job"
"c:\windows\tasks\RegCure.job"
.

((((((((((((((((((((((((((((((((((((((( Ostatní výmazy )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\DAEMON Tools Toolbar
c:\program files\DAEMON Tools Toolbar\_DTLite.xml
c:\program files\DAEMON Tools Toolbar\DTToolbar.dll
c:\program files\DAEMON Tools Toolbar\Resources\about.ico
c:\program files\DAEMON Tools Toolbar\Resources\AboutWindow.ico
c:\program files\DAEMON Tools Toolbar\Resources\accept.ico
c:\program files\DAEMON Tools Toolbar\Resources\AddRadioStation.ico
c:\program files\DAEMON Tools Toolbar\Resources\ARA.xml
c:\program files\DAEMON Tools Toolbar\Resources\as.ico
c:\program files\DAEMON Tools Toolbar\Resources\as.png
c:\program files\DAEMON Tools Toolbar\Resources\astro.ico
c:\program files\DAEMON Tools Toolbar\Resources\astro_audio.ico
c:\program files\DAEMON Tools Toolbar\Resources\astro_buy.ico
c:\program files\DAEMON Tools Toolbar\Resources\astro_download.ico
c:\program files\DAEMON Tools Toolbar\Resources\astro_feedback.ico
c:\program files\DAEMON Tools Toolbar\Resources\astro_forum.ico
c:\program files\DAEMON Tools Toolbar\Resources\astro_home.ico
c:\program files\DAEMON Tools Toolbar\Resources\astro_lite.ico
c:\program files\DAEMON Tools Toolbar\Resources\astroburn_site.ico
c:\program files\DAEMON Tools Toolbar\Resources\az.ico
c:\program files\DAEMON Tools Toolbar\Resources\AZE.xml
c:\program files\DAEMON Tools Toolbar\Resources\b1.png
c:\program files\DAEMON Tools Toolbar\Resources\burn_files.ico
c:\program files\DAEMON Tools Toolbar\Resources\burn_image.ico
c:\program files\DAEMON Tools Toolbar\Resources\burn_imgs.ico
c:\program files\DAEMON Tools Toolbar\Resources\BurnImage.ico
c:\program files\DAEMON Tools Toolbar\Resources\buy.ico
c:\program files\DAEMON Tools Toolbar\Resources\cal.ico
c:\program files\DAEMON Tools Toolbar\Resources\Config.ico
c:\program files\DAEMON Tools Toolbar\Resources\d.ico
c:\program files\DAEMON Tools Toolbar\Resources\d2.ico
c:\program files\DAEMON Tools Toolbar\Resources\daemon_search.ico
c:\program files\DAEMON Tools Toolbar\Resources\daemon_search_site.ico
c:\program files\DAEMON Tools Toolbar\Resources\DEU.xml
c:\program files\DAEMON Tools Toolbar\Resources\dot_disabled.bmp
c:\program files\DAEMON Tools Toolbar\Resources\dot_enabled.bmp
c:\program files\DAEMON Tools Toolbar\Resources\dot_on_over.bmp
c:\program files\DAEMON Tools Toolbar\Resources\download.ico
c:\program files\DAEMON Tools Toolbar\Resources\ds.ico
c:\program files\DAEMON Tools Toolbar\Resources\dsearch.ico
c:\program files\DAEMON Tools Toolbar\Resources\dt-home.ico
c:\program files\DAEMON Tools Toolbar\Resources\dt.ico
c:\program files\DAEMON Tools Toolbar\Resources\dt_about.ico
c:\program files\DAEMON Tools Toolbar\Resources\dt_buy.ico
c:\program files\DAEMON Tools Toolbar\Resources\dt_download.ico
c:\program files\DAEMON Tools Toolbar\Resources\dt_faq.ico
c:\program files\DAEMON Tools Toolbar\Resources\dt_feedback.ico
c:\program files\DAEMON Tools Toolbar\Resources\dt_forum.ico
c:\program files\DAEMON Tools Toolbar\Resources\dt_line.ico
c:\program files\DAEMON Tools Toolbar\Resources\dt_lite.ico
c:\program files\DAEMON Tools Toolbar\Resources\dt_manual.ico
c:\program files\DAEMON Tools Toolbar\Resources\dt_pro.ico
c:\program files\DAEMON Tools Toolbar\Resources\DTPro.ico
c:\program files\DAEMON Tools Toolbar\Resources\dtt16.ico
c:\program files\DAEMON Tools Toolbar\Resources\dtt32.ico
c:\program files\DAEMON Tools Toolbar\Resources\Dwnl.ico
c:\program files\DAEMON Tools Toolbar\Resources\emulation.ico
c:\program files\DAEMON Tools Toolbar\Resources\ENG.xml
c:\program files\DAEMON Tools Toolbar\Resources\faq.ico
c:\program files\DAEMON Tools Toolbar\Resources\favicon.ico
c:\program files\DAEMON Tools Toolbar\Resources\fb.ico
c:\program files\DAEMON Tools Toolbar\Resources\features.ico
c:\program files\DAEMON Tools Toolbar\Resources\feedback.ico
c:\program files\DAEMON Tools Toolbar\Resources\forum.ico
c:\program files\DAEMON Tools Toolbar\Resources\FRA.xml
c:\program files\DAEMON Tools Toolbar\Resources\GameCentrix.ico
c:\program files\DAEMON Tools Toolbar\Resources\GameCentrixCristals.ico
c:\program files\DAEMON Tools Toolbar\Resources\GameCentrixDownload.ico
c:\program files\DAEMON Tools Toolbar\Resources\GameCentrixPlayOnline.ico
c:\program files\DAEMON Tools Toolbar\Resources\GameCentrixTop.ico
c:\program files\DAEMON Tools Toolbar\Resources\GameS.ico
c:\program files\DAEMON Tools Toolbar\Resources\games_search.ico
c:\program files\DAEMON Tools Toolbar\Resources\games_search_SA.ico
c:\program files\DAEMON Tools Toolbar\Resources\GameSA.ico
c:\program files\DAEMON Tools Toolbar\Resources\gct16.ico
c:\program files\DAEMON Tools Toolbar\Resources\gd.ico
c:\program files\DAEMON Tools Toolbar\Resources\genre.xml
c:\program files\DAEMON Tools Toolbar\Resources\globe.ico
c:\program files\DAEMON Tools Toolbar\Resources\GrabImage.ico
c:\program files\DAEMON Tools Toolbar\Resources\hb.bmp
c:\program files\DAEMON Tools Toolbar\Resources\hb.ico
c:\program files\DAEMON Tools Toolbar\Resources\help.ico
c:\program files\DAEMON Tools Toolbar\Resources\hide.ico
c:\program files\DAEMON Tools Toolbar\Resources\home.ico
c:\program files\DAEMON Tools Toolbar\Resources\CHS.xml
c:\program files\DAEMON Tools Toolbar\Resources\CHT.xml
c:\program files\DAEMON Tools Toolbar\Resources\image_search.ico
c:\program files\DAEMON Tools Toolbar\Resources\image_search_SA.ico
c:\program files\DAEMON Tools Toolbar\Resources\ImageS.ico
c:\program files\DAEMON Tools Toolbar\Resources\ImageSA.ico
c:\program files\DAEMON Tools Toolbar\Resources\ip.ico
c:\program files\DAEMON Tools Toolbar\Resources\ITA.xml
c:\program files\DAEMON Tools Toolbar\Resources\JPN.xml
c:\program files\DAEMON Tools Toolbar\Resources\KOR.xml
c:\program files\DAEMON Tools Toolbar\Resources\lang.xml
c:\program files\DAEMON Tools Toolbar\Resources\lingvo.ico
c:\program files\DAEMON Tools Toolbar\Resources\m.ico
c:\program files\DAEMON Tools Toolbar\Resources\mail.bmp
c:\program files\DAEMON Tools Toolbar\Resources\mail_disable.bmp
c:\program files\DAEMON Tools Toolbar\Resources\mail_down.bmp
c:\program files\DAEMON Tools Toolbar\Resources\mail_m.bmp
c:\program files\DAEMON Tools Toolbar\Resources\mail_under.bmp
c:\program files\DAEMON Tools Toolbar\Resources\mailc.bmp
c:\program files\DAEMON Tools Toolbar\Resources\mailc_disable.bmp
c:\program files\DAEMON Tools Toolbar\Resources\mailc_down.bmp
c:\program files\DAEMON Tools Toolbar\Resources\mailc_m.bmp
c:\program files\DAEMON Tools Toolbar\Resources\mailc_under.bmp
c:\program files\DAEMON Tools Toolbar\Resources\manual.ico
c:\program files\DAEMON Tools Toolbar\Resources\map.ico
c:\program files\DAEMON Tools Toolbar\Resources\MenuRadioConfig.ico
c:\program files\DAEMON Tools Toolbar\Resources\MenuRadioStation.ico
c:\program files\DAEMON Tools Toolbar\Resources\MenuRSCur.ico
c:\program files\DAEMON Tools Toolbar\Resources\MenuTr.ico
c:\program files\DAEMON Tools Toolbar\Resources\mount.ico
c:\program files\DAEMON Tools Toolbar\Resources\mount_n_drive.ico
c:\program files\DAEMON Tools Toolbar\Resources\next.bmp
c:\program files\DAEMON Tools Toolbar\Resources\next_down.bmp
c:\program files\DAEMON Tools Toolbar\Resources\next_m.bmp
c:\program files\DAEMON Tools Toolbar\Resources\next_under.bmp
c:\program files\DAEMON Tools Toolbar\Resources\none.bmp
c:\program files\DAEMON Tools Toolbar\Resources\none_m.bmp
c:\program files\DAEMON Tools Toolbar\Resources\op.ico
c:\program files\DAEMON Tools Toolbar\Resources\play.bmp
c:\program files\DAEMON Tools Toolbar\Resources\play.ico
c:\program files\DAEMON Tools Toolbar\Resources\play_down.bmp
c:\program files\DAEMON Tools Toolbar\Resources\play_m.bmp
c:\program files\DAEMON Tools Toolbar\Resources\play_under.bmp
c:\program files\DAEMON Tools Toolbar\Resources\pragma.ico
c:\program files\DAEMON Tools Toolbar\Resources\prev.bmp
c:\program files\DAEMON Tools Toolbar\Resources\prev_down.bmp
c:\program files\DAEMON Tools Toolbar\Resources\prev_m.bmp
c:\program files\DAEMON Tools Toolbar\Resources\prev_under.bmp
c:\program files\DAEMON Tools Toolbar\Resources\prod.ico
c:\program files\DAEMON Tools Toolbar\Resources\Radio.ico
c:\program files\DAEMON Tools Toolbar\Resources\RadioBg.bmp
c:\program files\DAEMON Tools Toolbar\Resources\RadioBg.ico
c:\program files\DAEMON Tools Toolbar\Resources\RadioBgMask.bmp
c:\program files\DAEMON Tools Toolbar\Resources\RadioDisp.bmp
c:\program files\DAEMON Tools Toolbar\Resources\RadioDisp_m.bmp
c:\program files\DAEMON Tools Toolbar\Resources\RadioDown.bmp
c:\program files\DAEMON Tools Toolbar\Resources\RadioDown.ico
c:\program files\DAEMON Tools Toolbar\Resources\RadioDown_down.bmp
c:\program files\DAEMON Tools Toolbar\Resources\RadioDown_m.bmp
c:\program files\DAEMON Tools Toolbar\Resources\RadioDown_under.bmp
c:\program files\DAEMON Tools Toolbar\Resources\RadioE.bmp
c:\program files\DAEMON Tools Toolbar\Resources\RadioG.bmp
c:\program files\DAEMON Tools Toolbar\Resources\RadioL.bmp
c:\program files\DAEMON Tools Toolbar\Resources\RadioLDotMask.bmp
c:\program files\DAEMON Tools Toolbar\Resources\RadioLeft.bmp
c:\program files\DAEMON Tools Toolbar\Resources\RadioLeftMask.bmp
c:\program files\DAEMON Tools Toolbar\Resources\RadioLM.bmp
c:\program files\DAEMON Tools Toolbar\Resources\RadioM.bmp
c:\program files\DAEMON Tools Toolbar\Resources\RadioN.bmp
c:\program files\DAEMON Tools Toolbar\Resources\RadioR.bmp
c:\program files\DAEMON Tools Toolbar\Resources\RadioR.ico
c:\program files\DAEMON Tools Toolbar\Resources\RadioRM.bmp
c:\program files\DAEMON Tools Toolbar\Resources\RadioRU.bmp
c:\program files\DAEMON Tools Toolbar\Resources\RadioVolume.bmp
c:\program files\DAEMON Tools Toolbar\Resources\RadioVolume_down.bmp
c:\program files\DAEMON Tools Toolbar\Resources\RadioVolume_m.bmp
c:\program files\DAEMON Tools Toolbar\Resources\RadioVolume_under.bmp
c:\program files\DAEMON Tools Toolbar\Resources\RadioW.bmp
c:\program files\DAEMON Tools Toolbar\Resources\rbcheck.ico
c:\program files\DAEMON Tools Toolbar\Resources\rbtxt.ico
c:\program files\DAEMON Tools Toolbar\Resources\refresh.bmp
c:\program files\DAEMON Tools Toolbar\Resources\refresh_down.bmp
c:\program files\DAEMON Tools Toolbar\Resources\refresh_m.bmp
c:\program files\DAEMON Tools Toolbar\Resources\refresh_under.bmp
c:\program files\DAEMON Tools Toolbar\Resources\Rss.ico
c:\program files\DAEMON Tools Toolbar\Resources\Rss1.ico
c:\program files\DAEMON Tools Toolbar\Resources\RssA.ico
c:\program files\DAEMON Tools Toolbar\Resources\RssA1.ico
c:\program files\DAEMON Tools Toolbar\Resources\rssClose.ico
c:\program files\DAEMON Tools Toolbar\Resources\rssL.bmp
c:\program files\DAEMON Tools Toolbar\Resources\rssOpen.ico
c:\program files\DAEMON Tools Toolbar\Resources\RssRefresh.ico
c:\program files\DAEMON Tools Toolbar\Resources\RUS.xml
c:\program files\DAEMON Tools Toolbar\Resources\s2.ico
c:\program files\DAEMON Tools Toolbar\Resources\show.ico
c:\program files\DAEMON Tools Toolbar\Resources\size.bmp
c:\program files\DAEMON Tools Toolbar\Resources\size_lr.ico
c:\program files\DAEMON Tools Toolbar\Resources\size_m.bmp
c:\program files\DAEMON Tools Toolbar\Resources\size_rl.ico
c:\program files\DAEMON Tools Toolbar\Resources\skins.ico
c:\program files\DAEMON Tools Toolbar\Resources\soft24.ico
c:\program files\DAEMON Tools Toolbar\Resources\soft24_SA.ico
c:\program files\DAEMON Tools Toolbar\Resources\spt.ico
c:\program files\DAEMON Tools Toolbar\Resources\stop.bmp
c:\program files\DAEMON Tools Toolbar\Resources\stop.ico
c:\program files\DAEMON Tools Toolbar\Resources\stop_down.bmp
c:\program files\DAEMON Tools Toolbar\Resources\stop_m.bmp
c:\program files\DAEMON Tools Toolbar\Resources\stop_under.bmp
c:\program files\DAEMON Tools Toolbar\Resources\style.ico
c:\program files\DAEMON Tools Toolbar\Resources\SupportRequest.ico
c:\program files\DAEMON Tools Toolbar\Resources\timer.ico
c:\program files\DAEMON Tools Toolbar\Resources\TitleIcon.ico
c:\program files\DAEMON Tools Toolbar\Resources\toolbar.xml
c:\program files\DAEMON Tools Toolbar\Resources\trans.ico
c:\program files\DAEMON Tools Toolbar\Resources\Trash.bmp
c:\program files\DAEMON Tools Toolbar\Resources\Trash_disable.bmp
c:\program files\DAEMON Tools Toolbar\Resources\Trash_down.bmp
c:\program files\DAEMON Tools Toolbar\Resources\Trash_m.bmp
c:\program files\DAEMON Tools Toolbar\Resources\Trash_under.bmp
c:\program files\DAEMON Tools Toolbar\Resources\u.ico
c:\program files\DAEMON Tools Toolbar\Resources\UKR.xml
c:\program files\DAEMON Tools Toolbar\Resources\unmount-all.ico
c:\program files\DAEMON Tools Toolbar\Resources\vol.bmp
c:\program files\DAEMON Tools Toolbar\Resources\vol.ico
c:\program files\DAEMON Tools Toolbar\Resources\vol_back.bmp
c:\program files\DAEMON Tools Toolbar\Resources\vol_dott.bmp
c:\program files\DAEMON Tools Toolbar\Resources\vol_dott_m.bmp
c:\program files\DAEMON Tools Toolbar\Resources\vol_down.bmp
c:\program files\DAEMON Tools Toolbar\Resources\vol_m.bmp
c:\program files\DAEMON Tools Toolbar\Resources\vol_mute.bmp
c:\program files\DAEMON Tools Toolbar\Resources\vol_mute_check.bmp
c:\program files\DAEMON Tools Toolbar\Resources\vol_under.bmp
c:\program files\DAEMON Tools Toolbar\Resources\wBtClose.bmp
c:\program files\DAEMON Tools Toolbar\Resources\wBtClose_down.bmp
c:\program files\DAEMON Tools Toolbar\Resources\wBtClose_m.bmp
c:\program files\DAEMON Tools Toolbar\Resources\wBtClose_under.bmp
c:\program files\DAEMON Tools Toolbar\Resources\wBtText.bmp
c:\program files\DAEMON Tools Toolbar\Resources\wBtText_down.bmp
c:\program files\DAEMON Tools Toolbar\Resources\wBtText_m.bmp
c:\program files\DAEMON Tools Toolbar\Resources\wBtText_under.bmp
c:\program files\DAEMON Tools Toolbar\Resources\web_resources.ico
c:\program files\DAEMON Tools Toolbar\Resources\web_search.ico
c:\program files\DAEMON Tools Toolbar\Resources\web_search_SA.ico
c:\program files\DAEMON Tools Toolbar\Resources\WebS.ico
c:\program files\DAEMON Tools Toolbar\Resources\WebSa.ico
c:\program files\DAEMON Tools Toolbar\Resources\wi.ico
c:\program files\DAEMON Tools Toolbar\Resources\wi0.ico
c:\program files\DAEMON Tools Toolbar\Resources\wi1.ico
c:\program files\DAEMON Tools Toolbar\Resources\wi10.ico
c:\program files\DAEMON Tools Toolbar\Resources\wi11.ico
c:\program files\DAEMON Tools Toolbar\Resources\wi12.ico
c:\program files\DAEMON Tools Toolbar\Resources\wi13.ico
c:\program files\DAEMON Tools Toolbar\Resources\wi14.ico
c:\program files\DAEMON Tools Toolbar\Resources\wi2.ico
c:\program files\DAEMON Tools Toolbar\Resources\wi3.ico
c:\program files\DAEMON Tools Toolbar\Resources\wi4.ico
c:\program files\DAEMON Tools Toolbar\Resources\wi5.ico
c:\program files\DAEMON Tools Toolbar\Resources\wi6.ico
c:\program files\DAEMON Tools Toolbar\Resources\wi7.ico
c:\program files\DAEMON Tools Toolbar\Resources\wi8.ico
c:\program files\DAEMON Tools Toolbar\Resources\wi9.ico
c:\program files\DAEMON Tools Toolbar\uninst.exe
c:\program files\uTorrentBar
c:\program files\uTorrentBar\GottenAppsContextMenu.xml
c:\program files\uTorrentBar\INSTALL.LOG
c:\program files\uTorrentBar\OtherAppsContextMenu.xml
c:\program files\uTorrentBar\SharedAppsContextMenu.xml
c:\program files\uTorrentBar\tbuTor.dll
c:\program files\uTorrentBar\toolbar.cfg
c:\program files\uTorrentBar\ToolbarContextMenu.xml
c:\program files\uTorrentBar\UNWISE.EXE
c:\program files\uTorrentBar\uTorrentBarToolbarHelper.exe
c:\windows\tasks\RegCure Program Check.job
c:\windows\tasks\RegCure.job

c:\windows\explorer.exe . . . je infikován!!

Nakažená kopie c:\windows\system32\winlogon.exe byla nalezena a vyléčena.
Obnovena kopie z - c:\windows\ERDNT\cache\winlogon.exe

.
((((((((((((((((((((((((( Soubory vytvořené od 2011-01-06 do 2011-02-06 )))))))))))))))))))))))))))))))
.

2011-02-06 03:04 . 2004-08-18 12:00 36927 -c--a-w- c:\windows\system32\dllcache\padrs411.dll
2011-02-06 03:03 . 2004-08-18 12:00 330752 -c--a-w- c:\windows\system32\dllcache\aqueue.dll
2011-02-06 02:57 . 2004-08-03 22:00 87424 ----a-w- c:\windows\system32\drivers\irda.sys
2011-02-06 02:54 . 2001-08-17 20:51 18688 ----a-w- c:\windows\system32\drivers\irsir.sys
2011-02-06 02:51 . 2004-08-17 14:49 153088 ----a-w- c:\windows\system32\irftp.exe
2011-02-06 02:51 . 2004-08-17 14:49 8192 ----a-w- c:\windows\system32\wshirda.dll
2011-02-06 02:51 . 2004-08-17 14:49 26624 ----a-w- c:\windows\system32\irmon.dll
2011-02-06 02:51 . 2001-08-17 20:51 19584 ----a-w- c:\windows\system32\drivers\rasirda.sys
2011-02-05 22:13 . 2011-02-05 22:13 -------- d-----w- c:\documents and settings\Administrator
2011-02-05 20:52 . 2011-02-05 20:52 -------- d-----w- c:\program files\trend micro
2011-02-05 20:51 . 2011-02-05 20:52 -------- d-----w- C:\rsit
2011-01-19 00:40 . 2011-01-19 00:40 -------- d-----w- c:\windows\system32\LogFiles
2011-01-15 22:21 . 2011-01-15 22:21 -------- d-----w- c:\documents and settings\All Users\Data aplikací\FLEXnet
2011-01-15 22:10 . 2011-01-15 22:10 -------- d-----w- c:\program files\Adobe Media Player
2011-01-15 22:09 . 2010-02-05 13:14 -------- d-----w- c:\documents and settings\Vlado\Data aplikací\skypePM
2011-01-15 22:07 . 2011-01-15 22:07 -------- d-----w- c:\program files\Common Files\Adobe AIR
2011-01-15 22:03 . 2011-01-15 22:03 -------- d-----w- c:\program files\Common Files\Macrovision Shared
2011-01-15 21:53 . 2011-01-15 21:53 -------- d-----w- c:\program files\Common Files\Skype
2011-01-15 21:53 . 2011-01-15 21:54 -------- d-----r- c:\program files\Skype
2011-01-15 21:53 . 2010-02-05 13:19 -------- d-----w- c:\documents and settings\Vlado\Data aplikací\Skype
2011-01-15 21:53 . 2011-01-15 21:53 -------- d-----w- c:\documents and settings\All Users\Data aplikací\Skype
2011-01-11 14:01 . 2011-01-11 14:01 -------- d-----w- c:\documents and settings\Vlado\Local Settings\Data aplikací\PCHealth
2011-01-09 15:14 . 2011-01-09 15:14 -------- d-----w- c:\program files\Realtek
2011-01-09 15:14 . 2010-10-28 09:46 1251944 ----a-w- c:\windows\RtlExUpd.dll
2011-01-09 11:12 . 2011-01-09 11:12 -------- d-----w- c:\windows\system32\XPSViewer
2011-01-09 11:11 . 2011-01-09 11:11 -------- d-----w- c:\program files\MSBuild
2011-01-09 11:11 . 2011-01-09 11:11 -------- d-----w- c:\program files\Reference Assemblies
2011-01-09 11:11 . 2008-07-06 12:06 89088 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\filterpipelineprintproc.dll
2011-01-09 11:11 . 2008-07-06 12:06 575488 ----a-w- c:\windows\system32\xpsshhdr.dll
2011-01-09 11:11 . 2008-07-06 12:06 1676288 ----a-w- c:\windows\system32\xpssvcs.dll
2011-01-09 11:11 . 2008-07-06 12:06 117760 ----a-w- c:\windows\system32\prntvpt.dll
2011-01-09 11:11 . 2008-07-06 10:50 597504 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\printfilterpipelinesvc.exe
2011-01-09 02:02 . 2011-01-09 02:02 -------- d-----w- c:\program files\MSXML 6.0
2011-01-08 01:23 . 2011-01-08 01:23 -------- d-----w- c:\documents and settings\Vlado\Local Settings\Data aplikací\The Witcher

.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-01-13 15:30 . 2011-01-05 20:02 60416 ----a-w- c:\windows\ALCFDRTM.VER
2011-01-05 23:19 . 2011-01-05 23:19 23456 ----a-w- c:\windows\system32\drivers\DrvAgent32.sys
2011-01-05 20:02 . 2011-01-05 20:02 60416 ----a-w- c:\windows\ALCFDRTM.EXE
2011-01-05 19:08 . 2011-01-05 19:08 691696 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-09-04 17:01 . 2009-09-04 17:01 525656 ----a-w- c:\program files\DXSETUP.exe
2009-09-04 17:01 . 2009-09-04 17:01 94024 ----a-w- c:\program files\DSETUP.dll
2009-09-04 17:01 . 2009-09-04 17:01 1691464 ----a-w- c:\program files\dsetup32.dll
.

(((((((((((((((((((((((((((((((((((((((((( SR_Search ))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{30F9B915-B755-4826-820B-08FBA6BD249D}]
2010-12-09 11:51 3911776 ----a-w- c:\program files\ConduitEngine\ConduitEngine.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{30F9B915-B755-4826-820B-08FBA6BD249D}"= "c:\program files\ConduitEngine\ConduitEngine.dll" [2010-12-09 3911776]

[HKEY_CLASSES_ROOT\clsid\{30f9b915-b755-4826-820b-08fba6bd249d}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ANIWZCS2Service"="c:\program files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2009-08-21 98304]
"D-Link D-Link Wireless G DWL-G122_DWA-110"="c:\program files\D-Link\DWL-G122_DWA-110\AirGCFG.exe" [2009-09-18 1708032]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-07-14 98304]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"SoundMan"="SOUNDMAN.EXE" [2006-11-17 577536]
"ATIModeChange"="Ati2mdxx.exe" [2009-07-15 26112]
"SRFirstRun"="srclient.dll" [2004-08-18 67584]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-18 44544]

c:\documents and settings\All Users\Nabˇdka Start\Programy\Po spuçtŘnˇ\
Bitmeter2.lnk - c:\program files\Codebox\BitMeter\BitMeter2.exe [2010-8-28 1462272]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"d:\\Games\\4\\hon.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4

S0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [5.1.2011 20:08 691696]
S2 ANIWConnService;ANIWConn Service;c:\windows\system32\ANIWConnService.exe [6.1.2011 2:04 151552]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [18.3.2010 13:16 130384]
S2 Fabs;FABS - Helping agent for MAGIX media database;c:\program files\Common Files\MAGIX Services\Database\bin\FABS.exe [27.8.2009 17:09 1253376]
S3 DrvAgent32;DrvAgent32;c:\windows\system32\drivers\DrvAgent32.sys [6.1.2011 0:19 23456]
S3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;c:\program files\Common Files\MAGIX Services\Database\bin\fbserver.exe [7.8.2008 11:10 3276800]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [18.3.2010 13:16 753504]
.
.
------- Doplňkový sken -------
.
TCP: {9BFB6DF6-E194-4B52-82C3-3F01EC308C50} = 208.67.222.222,208.67.220.220
.
- - - - NEPLATNÉ POLOŽKY ODSTRANĚNÉ Z REGISTRU - - - -

BHO-{6edc3889-b841-4127-a2bf-c5fc48f972c7} - (no file)
Toolbar-{6edc3889-b841-4127-a2bf-c5fc48f972c7} - (no file)
AddRemove-DAEMON Tools Toolbar - c:\program files\DAEMON Tools Toolbar\uninst.exe
AddRemove-uTorrentBar Toolbar - c:\progra~1\UTORRE~1\UNWISE.EXE



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-02-06 22:50
Windows 5.1.2600 Service Pack 2 NTFS

skenování skrytých procesů ...

skenování skrytých položek 'Po spuštění' ...

skenování skrytých souborů ...

sken byl úspešně dokončen
skryté soubory: 0

**************************************************************************
.
--------------------- Knihovny navázané na běžící procesy ---------------------

- - - - - - - > 'winlogon.exe'(200)
c:\windows\system32\Ati2evxx.dll
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
.
Celkový čas: 2011-02-06 22:52:47 - počítač byl restartován
ComboFix-quarantined-files.txt 2011-02-06 21:52
ComboFix2.txt 2011-02-06 20:32

Před spuštěním: Volných bajtů: 16 051 216 384
Po spuštění: Volných bajtů: 16 028 254 208

Current=6 Default=6 Failed=4 LastKnownGood=7 Sets=1,2,3,4,5,6,7
- - End Of File - - CF532E78E072A48D75BEF6E43D2C6B08

[vyosek]

Stahnete si tento nahradni soubor explorer.exe http://vyosek.ic.cz/pro_usery/explorer.exe a ulozte jej primo na disk c:\ tak aby nebyl v zadne slozce

Skript pro ComboFix - postup je stejny jako minule - log opet sem

Kód: Vybrat vše

KillAll::

FCopy::
c:\explorer.exe | c:\windows\explorer.exe

Reboot::

[Herbalife]

Pocas CF operacia, WIN vypisal chybu v PEV.exe

ComboFix 11-02-05.01 - Administrator 06.02.2011 23:12:15.4.2 - x86 MINIMAL
Microsoft Windows XP Home Edition 5.1.2600.2.1250.420.1029.18.1023.810 [GMT 1:00]
Spuštěný z: c:\documents and settings\Administrator.HUDCOVCE-2A7DB1.000\Plocha\Beruska.com.exe
Použité ovládací přepínače :: c:\documents and settings\Administrator.HUDCOVCE-2A7DB1.000\Plocha\CFScript.txt

VAROVÁNÍ - NA TOMTO POČÍTAČI NENÍ NAINSTALOVÁNA KONZOLA PRO ZOTAVENÍ !!
.

((((((((((((((((((((((((((((((((((((((( Ostatní výmazy )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\explorer.exe

.
--------------- FCopy ---------------

c:\explorer.exe --> c:\windows\explorer.exe
.
((((((((((((((((((((((((( Soubory vytvořené od 2011-01-06 do 2011-02-06 )))))))))))))))))))))))))))))))
.

2011-02-06 03:04 . 2004-08-18 12:00 36927 -c--a-w- c:\windows\system32\dllcache\padrs411.dll
2011-02-06 03:03 . 2004-08-18 12:00 330752 -c--a-w- c:\windows\system32\dllcache\aqueue.dll
2011-02-06 02:57 . 2004-08-03 22:00 87424 ----a-w- c:\windows\system32\drivers\irda.sys
2011-02-06 02:54 . 2001-08-17 20:51 18688 ----a-w- c:\windows\system32\drivers\irsir.sys
2011-02-06 02:51 . 2004-08-17 14:49 153088 ----a-w- c:\windows\system32\irftp.exe
2011-02-06 02:51 . 2004-08-17 14:49 8192 ----a-w- c:\windows\system32\wshirda.dll
2011-02-06 02:51 . 2004-08-17 14:49 26624 ----a-w- c:\windows\system32\irmon.dll
2011-02-06 02:51 . 2001-08-17 20:51 19584 ----a-w- c:\windows\system32\drivers\rasirda.sys
2011-02-05 22:13 . 2011-02-05 22:13 -------- d-----w- c:\documents and settings\Administrator
2011-02-05 20:52 . 2011-02-05 20:52 -------- d-----w- c:\program files\trend micro
2011-02-05 20:51 . 2011-02-05 20:52 -------- d-----w- C:\rsit
2011-01-19 00:40 . 2011-01-19 00:40 -------- d-----w- c:\windows\system32\LogFiles
2011-01-15 22:21 . 2011-01-15 22:21 -------- d-----w- c:\documents and settings\All Users\Data aplikací\FLEXnet
2011-01-15 22:10 . 2011-01-15 22:10 -------- d-----w- c:\program files\Adobe Media Player
2011-01-15 22:09 . 2010-02-05 13:14 -------- d-----w- c:\documents and settings\Vlado\Data aplikací\skypePM
2011-01-15 22:07 . 2011-01-15 22:07 -------- d-----w- c:\program files\Common Files\Adobe AIR
2011-01-15 22:03 . 2011-01-15 22:03 -------- d-----w- c:\program files\Common Files\Macrovision Shared
2011-01-15 21:53 . 2011-01-15 21:53 -------- d-----w- c:\program files\Common Files\Skype
2011-01-15 21:53 . 2011-01-15 21:54 -------- d-----r- c:\program files\Skype
2011-01-15 21:53 . 2010-02-05 13:19 -------- d-----w- c:\documents and settings\Vlado\Data aplikací\Skype
2011-01-15 21:53 . 2011-01-15 21:53 -------- d-----w- c:\documents and settings\All Users\Data aplikací\Skype
2011-01-11 14:01 . 2011-01-11 14:01 -------- d-----w- c:\documents and settings\Vlado\Local Settings\Data aplikací\PCHealth
2011-01-09 15:14 . 2011-01-09 15:14 -------- d-----w- c:\program files\Realtek
2011-01-09 15:14 . 2010-10-28 09:46 1251944 ----a-w- c:\windows\RtlExUpd.dll
2011-01-09 11:12 . 2011-01-09 11:12 -------- d-----w- c:\windows\system32\XPSViewer
2011-01-09 11:11 . 2011-01-09 11:11 -------- d-----w- c:\program files\MSBuild
2011-01-09 11:11 . 2011-01-09 11:11 -------- d-----w- c:\program files\Reference Assemblies
2011-01-09 11:11 . 2008-07-06 12:06 89088 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\filterpipelineprintproc.dll
2011-01-09 11:11 . 2008-07-06 12:06 575488 ----a-w- c:\windows\system32\xpsshhdr.dll
2011-01-09 11:11 . 2008-07-06 12:06 1676288 ----a-w- c:\windows\system32\xpssvcs.dll
2011-01-09 11:11 . 2008-07-06 12:06 117760 ----a-w- c:\windows\system32\prntvpt.dll
2011-01-09 11:11 . 2008-07-06 10:50 597504 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\printfilterpipelinesvc.exe
2011-01-09 02:02 . 2011-01-09 02:02 -------- d-----w- c:\program files\MSXML 6.0
2011-01-08 01:23 . 2011-01-08 01:23 -------- d-----w- c:\documents and settings\Vlado\Local Settings\Data aplikací\The Witcher

.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-07 16:28 . 2004-08-18 12:00 1034240 ----a-w- c:\windows\explorer.exe
2011-01-13 15:30 . 2011-01-05 20:02 60416 ----a-w- c:\windows\ALCFDRTM.VER
2011-01-05 23:19 . 2011-01-05 23:19 23456 ----a-w- c:\windows\system32\drivers\DrvAgent32.sys
2011-01-05 20:02 . 2011-01-05 20:02 60416 ----a-w- c:\windows\ALCFDRTM.EXE
2011-01-05 19:08 . 2011-01-05 19:08 691696 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-09-04 17:01 . 2009-09-04 17:01 525656 ----a-w- c:\program files\DXSETUP.exe
2009-09-04 17:01 . 2009-09-04 17:01 94024 ----a-w- c:\program files\DSETUP.dll
2009-09-04 17:01 . 2009-09-04 17:01 1691464 ----a-w- c:\program files\dsetup32.dll
.

------- Sigcheck -------

[-] 2011-02-07 . 27AFD587C462E280EE046B8CCA3C2CD1 . 1034240 . . [6.00.2900.5512] . . c:\windows\explorer.exe
[-] 2008-04-14 . 27AFD587C462E280EE046B8CCA3C2CD1 . 1034240 . . [6.00.2900.5512] . . c:\windows\SoftwareDistribution\Download\44c8256673ca0542cb198384f8131b68\explorer.exe
[7] 2004-08-18 . 53114D57AB73A406AC7F602227781A99 . 1032704 . . [6.00.2900.2180] . . c:\windows\ERDNT\cache\explorer.exe
.
(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{30F9B915-B755-4826-820B-08FBA6BD249D}]
2010-12-09 11:51 3911776 ----a-w- c:\program files\ConduitEngine\ConduitEngine.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{30F9B915-B755-4826-820B-08FBA6BD249D}"= "c:\program files\ConduitEngine\ConduitEngine.dll" [2010-12-09 3911776]

[HKEY_CLASSES_ROOT\clsid\{30f9b915-b755-4826-820b-08fba6bd249d}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ANIWZCS2Service"="c:\program files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2009-08-21 98304]
"D-Link D-Link Wireless G DWL-G122_DWA-110"="c:\program files\D-Link\DWL-G122_DWA-110\AirGCFG.exe" [2009-09-18 1708032]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-07-14 98304]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"SoundMan"="SOUNDMAN.EXE" [2006-11-17 577536]
"ATIModeChange"="Ati2mdxx.exe" [2009-07-15 26112]
"SRFirstRun"="srclient.dll" [2004-08-18 67584]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-18 44544]

c:\documents and settings\All Users\Nabˇdka Start\Programy\Po spuçtŘnˇ\
Bitmeter2.lnk - c:\program files\Codebox\BitMeter\BitMeter2.exe [2010-8-28 1462272]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"d:\\Games\\4\\hon.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4

S0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [5.1.2011 20:08 691696]
S2 ANIWConnService;ANIWConn Service;c:\windows\system32\ANIWConnService.exe [6.1.2011 2:04 151552]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [18.3.2010 13:16 130384]
S2 Fabs;FABS - Helping agent for MAGIX media database;c:\program files\Common Files\MAGIX Services\Database\bin\FABS.exe [27.8.2009 17:09 1253376]
S3 DrvAgent32;DrvAgent32;c:\windows\system32\drivers\DrvAgent32.sys [6.1.2011 0:19 23456]
S3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;c:\program files\Common Files\MAGIX Services\Database\bin\fbserver.exe [7.8.2008 11:10 3276800]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [18.3.2010 13:16 753504]
.
.
------- Doplňkový sken -------
.
TCP: {9BFB6DF6-E194-4B52-82C3-3F01EC308C50} = 208.67.222.222,208.67.220.220
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-02-06 23:20
Windows 5.1.2600 Service Pack 2 NTFS

skenování skrytých procesů ...

skenování skrytých položek 'Po spuštění' ...

skenování skrytých souborů ...

sken byl úspešně dokončen
skryté soubory: 0

**************************************************************************
.
--------------------- Knihovny navázané na běžící procesy ---------------------

- - - - - - - > 'winlogon.exe'(200)
c:\windows\system32\Ati2evxx.dll
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
.
Celkový čas: 2011-02-06 23:23:25 - počítač byl restartován
ComboFix-quarantined-files.txt 2011-02-06 22:23
ComboFix2.txt 2011-02-06 21:52
ComboFix3.txt 2011-02-06 20:32

Před spuštěním: Volných bajtů: 16 032 747 520
Po spuštění: Volných bajtů: 16 019 496 960

Current=6 Default=6 Failed=4 LastKnownGood=7 Sets=1,2,3,4,5,6,7
- - End Of File - - 5F78D9239E871E4B427857AAFACD1249

[vyosek]

Jak se chova PC

[Herbalife]

Nevidim nic podozrive, avsak stale som len v safe mode lebo neviem ako WIN aktivovat cez telefon. prip co dalej.

[Herbalife]

Ak zvolim v normal mode moznost registrovat, logne ma to ale vidim len pozadie plus modre okno registracie, ktore je uplne prazedne okrem 2 ikon (nieco ako ramy obrazkov s kryzom)

[vyosek]

Stahnete Malwarebytes' Anti-Malware (zkracene MBAM) (viz muj podpis)

• Provedte aktualizaci - treti zalozka
• Provedte uplny sken - nic nemazte
• MBAM miva obcas falesne detekce, proto vlozte log do prispevku a pockejte na posouzeni

[Herbalife]

Este stale vam vsetko pisem z laptopu, lebo lognut sa da len v rezime noudze, cize bez siete. Cize mozem sken vykonat len bez aktualizacii. Za chvilu poslem log.

[Herbalife]

Prepacte, ze to trvalo dlho mal som pracovnu konferenciu.


Malwarebytes' Anti-Malware 1.50.1.1100
http://www.malwarebytes.org

Verze databáze: 5363

Windows 5.1.2600 Service Pack 2 (Safe Mode)
Internet Explorer 6.0.2900.2180

7.2.2011 2:21:12
mbam-log-2011-02-07 (02-21-05).txt

Typ kontroly: Úplný test (C:\|D:\|F:\|)
Testované objekty: 276092
Uplynulý čas: 47 minut, 50 sekund

Infikované procesy v paměti: 0
Infikované moduly v paměti: 0
Infikované klíče v registru: 0
Infikované hodnoty v registru: 0
Infikované datové položky v registru: 0
Infikované složky: 0
Infikované soubory: 6

Infikované procesy v paměti:
(Žádné škodlivé položky nebyly zjištěny)

Infikované moduly v paměti:
(Žádné škodlivé položky nebyly zjištěny)

Infikované klíče v registru:
(Žádné škodlivé položky nebyly zjištěny)

Infikované hodnoty v registru:
(Žádné škodlivé položky nebyly zjištěny)

Infikované datové položky v registru:
(Žádné škodlivé položky nebyly zjištěny)

Infikované složky:
(Žádné škodlivé položky nebyly zjištěny)

Infikované soubory:
c:\documents and settings\Vlado\dokumenty\downloads\lara.croft.and.the.guardian.of.light.update.3-skidrow\SKIDROW\lcgollauncher.exe (Trojan.FakeAlert) -> No action taken.
c:\WINDOWS\system32\antiwpa.dll (PUP.Wpakill) -> No action taken.
d:\Games\lara croft and the guardian of light\lcgollauncher.exe (Trojan.FakeAlert) -> No action taken.
d:\Games\RO 2\WalkRO2\System\Window.dll (Malware.Packer.T) -> No action taken.
d:\install\laracroft\SKIDROW\lcgollauncher.exe (Trojan.FakeAlert) -> No action taken.
f:\SYSTEM\g-923-321232-3232-32211-23\memory.exe (Backdoor.Bot.Gen) -> No action taken.

[cernohous13]

Zdravím,
a než se objeví vyosek, dám ti jednu otázku:
jsi přesvědčen, že ti Microsoft bude registrovat cracknutou verzi Windows?

[Herbalife]

Tato problematika bola riesena na prvej strane. Akokolvek si to spojazdnim. Kazdopadne som milo prekvapeny ochotou ludi na tomto fore a podla moznosti prispejem hned ako budem moct nech uz oprava dopadne akokolvek.