
PC virus removal, computer speed-up, and remote help through the neslape.cz service
That Virtuomonde again x(
Moderator: Moderators
Forum rules
If you want help, post a log from FRST [guide here] or RSIT [guide here]
Individual threads will be locked once resolved, as will those that have been inactive for more than 14 days. See the Rule on locking topics. Thank you for your understanding.
!NEW!
You can now use the remote help service, in which a specialist connects to your computer and gets further details about the problem from you by phone! More at www.neslape.cz
Re: That Virtuomonde again x(
ComboFix 10-08-31.01 - FIlip 31.08.2010 22:06:38.1.2 - x86
Spuštěný z: c:\documents and settings\FIlip\Plocha\ComboFix.exe
AV: ESET NOD32 Antivirus 3.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
* Rezidentní štít AV je zapnutý
.
((((((((((((((((((((((((((((((((((((((( Ostatní výmazy )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\docume~1\FIlip\LOCALS~1\Temp\install_flash_player.exe
C:\Install.exe
c:\program files\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}
c:\program files\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\chrome.manifest
c:\program files\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\install.rdf
c:\windows\system32\urQQkjgh.dll
c:\windows\system32\winlogon.bak
Nakažená kopie c:\windows\system32\winlogon.exe byla nalezena a vyléčena.
Obnovena kopie z - c:\windows\SoftwareDistribution\Download\8fb85d68ee3649be8b622da7b69408ee\winlogon.exe
.
((((((((((((((((((((((((((((((((((((((( Ovladače/Služby )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_glaide32
((((((((((((((((((((((((( Soubory vytvořené od 2010-08-01 do 2010-09-01 )))))))))))))))))))))))))))))))
.
2010-08-31 19:31 . 2010-08-31 19:31 -------- d-----w- C:\rsit
2010-08-31 18:48 . 2010-08-31 18:48 -------- d-----w- c:\program files\Common Files\ATI Technologies
2010-08-31 18:39 . 2006-04-27 08:48 307200 ----a-r- c:\windows\system32\atiiiexx.dll
2010-08-31 18:39 . 2006-04-24 15:48 127619 ----a-r- c:\windows\system32\atiicdxx.dat
2010-08-31 17:56 . 2010-08-31 17:56 -------- d-----w- c:\program files\PC Drivers HeadQuarters
2010-08-31 17:12 . 2010-08-31 17:12 -------- d-----w- C:\ATI
2010-08-31 16:20 . 2010-08-31 18:38 -------- d-----w- c:\program files\ATI Technologies
2010-08-31 15:43 . 2006-04-27 08:25 1408000 -c--a-w- c:\windows\system32\dllcache\ativvaxx.dll
2010-08-31 15:43 . 2006-04-27 08:25 1408000 ----a-w- c:\windows\system32\ativvaxx.dll
2010-08-31 15:43 . 2006-04-27 08:31 2693280 -c--a-w- c:\windows\system32\dllcache\ati3duag.dll
2010-08-31 15:43 . 2006-04-27 08:31 2693280 ----a-w- c:\windows\system32\ati3duag.dll
2010-08-31 15:43 . 2006-04-27 08:47 258048 -c--a-w- c:\windows\system32\dllcache\ati2dvag.dll
2010-08-31 15:43 . 2006-04-27 08:47 258048 ----a-w- c:\windows\system32\ati2dvag.dll
2010-08-31 15:43 . 2006-04-27 08:05 282624 -c--a-w- c:\windows\system32\dllcache\ati2cqag.dll
2010-08-31 15:43 . 2006-04-27 08:05 282624 ----a-w- c:\windows\system32\ati2cqag.dll
2010-08-31 15:33 . 2010-08-31 15:33 -------- d-----w- c:\program files\Phyxion.net
2010-08-31 14:54 . 2010-08-31 14:54 -------- d-----w- c:\program files\MobilityDotNET
2010-08-30 18:34 . 2010-08-30 18:40 -------- d-----w- C:\CRASH
2010-08-26 15:57 . 2010-08-26 16:03 -------- d-----w- C:\OSUDOV__DOTEK
2010-08-22 21:05 . 2010-08-22 21:06 -------- d-----w- c:\program files\PC Auto Shutdown
2010-08-12 19:17 . 2010-08-12 19:17 -------- d-----w- c:\program files\Audacity
2010-08-06 16:22 . 2010-08-06 16:27 -------- d-----w- c:\program files\ARPR
2010-08-05 21:20 . 2007-06-29 12:47 34304 ----a-w- c:\windows\system32\drivers\AmdLLD.sys
2010-08-03 12:20 . 2010-08-03 12:20 -------- d-----w- c:\program files\THQ
2010-08-03 10:29 . 2010-08-03 10:29 -------- d-----w- c:\program files\7-Zip
.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-31 19:31 . 2008-07-11 13:06 -------- d-----w- c:\program files\Trend Micro
2010-08-31 18:19 . 2008-03-16 17:56 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-08-31 18:07 . 2008-12-16 13:45 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-08-29 11:55 . 2010-06-29 16:09 -------- d-----w- c:\program files\ICQ7.2
2010-08-11 21:43 . 2008-06-21 14:22 -------- d-----w- c:\program files\Common Files\DVDVideoSoft
2010-08-11 21:42 . 2008-06-21 14:22 -------- d-----w- c:\program files\DVDVideoSoft
2010-08-06 14:42 . 2008-03-21 17:09 -------- d-----w- c:\program files\uTorrent
2010-08-05 21:20 . 2008-05-26 15:27 -------- d-----w- c:\program files\AMD
2010-07-16 14:53 . 2010-07-14 18:04 -------- d-----w- c:\program files\OLYMPUS
2010-07-16 14:51 . 2009-01-10 19:22 -------- d-----w- c:\program files\Sony
2010-07-15 19:54 . 2010-07-15 19:54 -------- d-----w- c:\program files\CZ
2010-07-14 11:18 . 2010-07-14 11:18 -------- d-----w- c:\program files\OO Software
2010-07-12 12:54 . 2010-07-12 12:23 -------- d-----w- c:\program files\DVDFab 7
2010-07-12 12:23 . 2008-03-23 20:40 47360 ----a-w- c:\windows\system32\drivers\pcouffin.sys
2010-06-27 13:03 . 2004-08-18 12:00 82840 ----a-w- c:\windows\system32\perfc005.dat
2010-06-27 13:03 . 2004-08-18 12:00 437574 ----a-w- c:\windows\system32\perfh005.dat
2010-06-21 20:38 . 2010-06-21 20:38 1254728 ----a-w- c:\windows\system32\ooscrsav.scr
2010-06-21 20:37 . 2010-06-21 20:37 200008 ----a-w- c:\windows\system32\oodbs.exe
2010-06-21 20:33 . 2010-06-21 20:33 546120 ----a-w- c:\windows\system32\oodssrs.dll
2010-06-21 20:32 . 2010-06-21 20:32 10056 ----a-w- c:\windows\system32\oodbsrs.dll
.
(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2009-10-30 369200]
"Google Update"="c:\documents and settings\FIlip\Local Settings\Data aplikací\Google\Update\GoogleUpdate.exe" [2009-11-02 135664]
"AlcoholAutomount"="c:\program files\Alcohol Soft\Alcohol 120\AxAutoMntSrv.exe" [2009-11-15 33120]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AzMixerSel"="c:\program files\Realtek\InstallShield\AzMixerSel.exe" [2006-04-15 53248]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2005-11-11 1236992]
"KTPWare"="c:\program files\Elantech\ktp.exe" [2006-03-28 512000]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-03 761946]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-10-07 1461080]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-01-03 198160]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-02-15 417792]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"RTHDCPL"="RTHDCPL.EXE" [2010-04-30 19523616]
"OODefragTray"="c:\program files\OO Software\Defrag\oodtray.exe" [2010-06-21 2528584]
"amd_dc_opt"="c:\program files\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [2008-07-22 77824]
"PC Auto Shutdown"="c:\program files\PC Auto Shutdown\AutoShutdown.exe" [2010-07-06 1387520]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-18 15360]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0OODBS
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Nabídka Start^Programy^Po spuštění^Bluetooth.lnk]
backup=c:\windows\pss\Bluetooth.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2009-11-02 16:59 135664 ----atw- c:\documents and settings\FIlip\Local Settings\Data aplikací\Google\Update\GoogleUpdate.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2006-01-12 14:40 155648 ----a-w- c:\program files\Common Files\Ahead\Lib\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-02-15 17:50 417792 ----a-w- c:\program files\QuickTime\QTTask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegistryMechanic]
2009-11-12 15:45 3217368 ----a-w- c:\program files\Registry Mechanic\RegMech.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2010-01-03 14:34 198160 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Electronic Arts\\Command & Conquer 3 Kane's Wrath\\RetailExe\\1.0\\cnc3ep1.dat"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\EA Games\\Command & Conquer Generals Zero Hour\\game.dat"=
"c:\\Program Files\\Common Files\\Nokia\\Service Layer\\A\\nsl_host_process.exe"=
"c:\\Program Files\\Nokia\\Nokia Software Updater\\nsu_ui_client.exe"=
"c:\\Program Files\\Valve\\hl.exe"=
"c:\\Program Files\\Electronic Arts\\Command & Conquer 3 Kane's Wrath\\RetailExe\\1.1\\cnc3ep1.dat"=
"c:\\Program Files\\Microsoft Office\\OFFICE11\\WINWORD.EXE"=
"c:\\Program Files\\Electronic Arts\\Command & Conquer 3\\RetailExe\\1.0\\cnc3game.dat"=
"c:\\Program Files\\Electronic Arts\\Command & Conquer 3 Kane's Wrath\\RetailExe\\1.2\\cnc3ep1.dat"=
"c:\\Program Files\\Hamachi\\hamachi.exe"=
"c:\\WINDOWS\\system32\\dplaysvr.exe"=
"c:\\Games\\KKND Krossfire\\Kknd2.exe"=
"c:\\Program Files\\Electronic Arts\\Future Cop\\FCopLAPD.exe"=
"c:\\Program Files\\Electronic Arts\\The Battle for Middle-earth (tm) II\\game.dat"=
"c:\\Program Files\\Electronic Arts\\The Lord of the Rings, The Rise of the Witch-king\\game.dat"=
"c:\\Program Files\\Electronic Arts\\The Lord of the Rings, The Rise of the Witch-king\\patchget.dat"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\EA Games\\Command and Conquer Generals\\game.dat"=
"c:\\WESTWOOD\\C&C95\\C&C95.EXE"=
"c:\\Program Files\\Valve\\cstrike.exe"=
"c:\\SIERRA\\Half-Life\\hlds.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\ICQ7.2\\ICQ.exe"=
"c:\\Program Files\\ICQ7.2\\aolload.exe"=
"c:\\Program Files\\THQ\\Company of Heroes\\RelicCOH.exe"=
"c:\\Program Files\\THQ\\Company of Heroes\\RelicDownloader\\RelicDownloader.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"25431:TCP"= 25431:TCP:BitComet 25431 TCP
"25431:UDP"= 25431:UDP:BitComet 25431 UDP
R1 uzqwodiy;AVZ-RK Kernel Driver;c:\windows\system32\drivers\uzqwodiy.sys [26.4.2010 18:33 11264]
S1 atitray;atitray;\??\c:\program files\Radeon Omega Drivers\v4.8.442\ATI Tray Tools\atitray.sys --> c:\program files\Radeon Omega Drivers\v4.8.442\ATI Tray Tools\atitray.sys [?]
S1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [20.2.2008 12:11 35168]
S2 ekrn;Eset Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [7.10.2009 10:16 472280]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [16.10.2009 17:53 133104]
S2 OODefragAgent;O&O Defrag Agent;c:\program files\OO Software\Defrag\oodag.exe [21.6.2010 22:37 1619272]
S2 PCAutoShutdown_Service;PCAutoShutdown_Service;c:\program files\PC Auto Shutdown\ShutdownService.exe [22.8.2010 23:05 441624]
S2 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;c:\program files\Common Files\PC Tools\sMonitor\StartManSvc.exe [8.12.2009 0:04 583640]
S3 2hotspot controller;2hotspot Miniport;c:\windows\system32\DRIVERS\acontrol.sys --> c:\windows\system32\DRIVERS\acontrol.sys [?]
S3 5a0ffa89-78f8-49d3-b4f8-ba8b57f6d6c5;5a0ffa89-78f8-49d3-b4f8-ba8b57f6d6c5;\??\d:\player\cds300.dll --> d:\player\cds300.dll [?]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [23.5.2010 14:54 1691480]
S3 cpuz130;cpuz130;\??\c:\docume~1\FIlip\LOCALS~1\Temp\cpuz130\cpuz_x32.sys --> c:\docume~1\FIlip\LOCALS~1\Temp\cpuz130\cpuz_x32.sys [?]
S3 GarenaPEngine;GarenaPEngine;\??\c:\docume~1\FIlip\LOCALS~1\Temp\OFXF77.tmp --> c:\docume~1\FIlip\LOCALS~1\Temp\OFXF77.tmp [?]
S3 kvpndev;Kerio VPN adapter;c:\windows\system32\drivers\kvpndrv.sys [16.1.2008 9:58 65024]
S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [5.4.2010 21:10 137344]
S3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsuc.sys [5.4.2010 21:10 8320]
S3 PEEK5;PEEK5 Protocol Driver;\??\c:\docume~1\FIlip\LOCALS~1\Temp\Rar$EX00.093\AIRCRA~1.4\win32\PEEK5.SYS --> c:\docume~1\FIlip\LOCALS~1\Temp\Rar$EX00.093\AIRCRA~1.4\win32\PEEK5.SYS [?]
S3 PRODIGY;PRODIGY;c:\windows\system32\drivers\prodigy.sys [25.5.2008 12:54 32377]
S3 TS_AR5416;[CommView] Atheros AR5008 Wireless Network Adapter Service;c:\windows\system32\drivers\ts_athw.sys [28.12.2009 1:33 1351104]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [18.3.2008 19:26 691696]
.
Obsah adresáře 'Naplánované úlohy'
2010-08-31 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-10-16 15:53]
2010-09-01 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-10-16 15:53]
.
.
------- Doplňkový sken -------
.
uStart Page = hxxp://seznam.cz/
IE: Free YouTube Download - c:\documents and settings\FIlip\Data aplikací\DVDVideoSoftIEHelpers\youtubedownload.htm
IE: Free YouTube to Mp3 Converter - c:\documents and settings\FIlip\Data aplikací\DVDVideoSoftIEHelpers\youtubetomp3.htm
IE: {{7E6A20FB-153F-402c-A84B-1A64E1955D3D} - {7E6A20FB-153F-402c-A84B-1A64E1955D3D} - c:\documents and settings\All Users\Data aplikací\LangSoft\WebIE.dll
IE: {{CC963627-B1DC-40E0-B52A-CF21EE748449} - {CC963627-B1DC-40E0-B52A-CF21EE748449} - c:\documents and settings\All Users\Data aplikací\LangSoft\WebIE.dll
IE: {{CC963627-B1DC-40E0-B52A-CF21EE748450} - {CC963627-B1DC-40E0-B52A-CF21EE748450} - c:\documents and settings\All Users\Data aplikací\LangSoft\WebIE.dll
IE: {{CC963627-B1DC-40E0-B52A-CF21EE748451} - {CC963627-B1DC-40E0-B52A-CF21EE748451} - c:\documents and settings\All Users\Data aplikací\LangSoft\WebIE.dll
IE: {{CC963627-B1DC-40E0-B52A-CF21EE748452} - {CC963627-B1DC-40E0-B52A-CF21EE748452} - c:\documents and settings\All Users\Data aplikací\LangSoft\WebIE.dll
TCP: {075C02F8-2DB3-4A58-AA4A-5E2FEA90AB05} = 192.168.100.1
DPF: {140E4DF8-9E14-4A34-9577-C77561ED7883} - hxxp://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_cyri_4.1.71.0.cab
FF - ProfilePath - c:\documents and settings\FIlip\Data aplikací\Mozilla\Firefox\Profiles\wbn53luj.default\
FF - prefs.js: browser.startup.homepage - hxxp://start.icq.com/
FF - prefs.js: browser.search.selectedEngine - ICQ Search
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
---- NASTAVENÍ FIREFOXU ----
c:\program files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".cz");
.
- - - - NEPLATNÉ POLOŽKY ODSTRANĚNÉ Z REGISTRU - - - -
Toolbar-Locked - (no file)
HKCU-Run-Oexpress - (no file)
HKCU-Run-Webtran - (no file)
HKCU-Run-Nektra OEAPI - (no file)
HKCU-Run-Windows Updates - c:\windows\system\Update.exe
MSConfigStartUp-OODefragTray - c:\windows\system32\oodtray.exe
MSConfigStartUp-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe
AddRemove-{B931FB80-537A-4600-00AD-AC5DEDB6C25B} - c:\program files\Electronic Arts\The Lord of the Rings
AddRemove-Rise of the Witch King Unofficial Patch 2.02 - c:\program files\Electronic Arts\The Lord of the Rings
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-09-01 12:25
Windows 5.1.2600 Service Pack 2 NTFS
skenování skrytých procesů ...
skenování skrytých položek 'Po spuštění' ...
skenování skrytých souborů ...
sken byl úspešně dokončen
skryté soubory: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\GarenaPEngine]
"ImagePath"="\??\c:\docume~1\FIlip\LOCALS~1\Temp\OFXF77.tmp"
.
--------------------- ZAMKNUTÉ KLÍČE V REGISTRU ---------------------
[HKEY_USERS\S-1-5-21-1292428093-413027322-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{17B1E868-DDF3-F465-745E-2E631B88CA4C}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"abffcglgndonmjafojfkejpibolicpcdia"=hex:61,61,00,00
"bbffcglgndonmjafojakpmomlpcmbelhigap"=hex:61,61,00,00
[HKEY_USERS\S-1-5-21-1292428093-413027322-839522115-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:07,f9,9c,9a,dd,5e,98,47,e3,af,cd,2c,10,2c,ec,49,0b,f5,30,6d,ce,ae,37,
d6,86,fb,f6,bf,c5,92,fa,e8,c1,99,58,eb,b7,67,5e,83,62,dd,24,a1,95,bc,83,b0,\
"??"=hex:e2,06,90,c3,a9,ab,f7,ca,1c,f7,63,d7,3e,f2,89,5d
[HKEY_USERS\S-1-5-21-1292428093-413027322-839522115-1003\Software\SecuROM\License information*]
"datasecu"=hex:91,c4,24,53,b9,36,60,56,5e,8f,02,b2,9a,f3,55,96,b1,d7,43,68,0c,
77,86,41,20,5c,84,59,44,67,cc,d0,8d,60,5c,ae,a9,c0,aa,c1,48,be,38,4a,ae,d4,\
"rkeysecu"=hex:56,c6,0d,e0,20,27,f2,5f,5e,7a,0c,15,6c,01,a7,f3
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\System*]
"OODEFRAG10.00.00.01WORKSTATION"="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"
.
--------------------- Knihovny navázané na běžící procesy ---------------------
- - - - - - - > 'winlogon.exe'(232)
c:\windows\system32\Ati2evxx.dll
.
Celkový čas: 2010-09-01 12:40:18 - počítač byl restartován
ComboFix-quarantined-files.txt 2010-09-01 10:40
Před spuštěním: 6 771 822 592
Po spuštění: 6 853 689 344
WindowsXP-KB310994-SP2-Home-BootDisk-CSY.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /usepmtimer
- - End Of File - - 53D181248E6E91E020523E472AB0B71B
IE: {{CC963627-B1DC-40E0-B52A-CF21EE748449} - {CC963627-B1DC-40E0-B52A-CF21EE748449} - c:\documents and settings\All Users\Data aplikací\LangSoft\WebIE.dll
IE: {{CC963627-B1DC-40E0-B52A-CF21EE748450} - {CC963627-B1DC-40E0-B52A-CF21EE748450} - c:\documents and settings\All Users\Data aplikací\LangSoft\WebIE.dll
IE: {{CC963627-B1DC-40E0-B52A-CF21EE748451} - {CC963627-B1DC-40E0-B52A-CF21EE748451} - c:\documents and settings\All Users\Data aplikací\LangSoft\WebIE.dll
IE: {{CC963627-B1DC-40E0-B52A-CF21EE748452} - {CC963627-B1DC-40E0-B52A-CF21EE748452} - c:\documents and settings\All Users\Data aplikací\LangSoft\WebIE.dll
TCP: {075C02F8-2DB3-4A58-AA4A-5E2FEA90AB05} = 192.168.100.1
DPF: {140E4DF8-9E14-4A34-9577-C77561ED7883} - hxxp://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_cyri_4.1.71.0.cab
FF - ProfilePath - c:\documents and settings\FIlip\Data aplikací\Mozilla\Firefox\Profiles\wbn53luj.default\
FF - prefs.js: browser.startup.homepage - hxxp://start.icq.com/
FF - prefs.js: browser.search.selectedEngine - ICQ Search
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
---- NASTAVENÍ FIREFOXU ----
c:\program files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".cz");
.
- - - - NEPLATNÉ POLOŽKY ODSTRANĚNÉ Z REGISTRU - - - -
Toolbar-Locked - (no file)
HKCU-Run-Oexpress - (no file)
HKCU-Run-Webtran - (no file)
HKCU-Run-Nektra OEAPI - (no file)
HKCU-Run-Windows Updates - c:\windows\system\Update.exe
MSConfigStartUp-OODefragTray - c:\windows\system32\oodtray.exe
MSConfigStartUp-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe
AddRemove-{B931FB80-537A-4600-00AD-AC5DEDB6C25B} - c:\program files\Electronic Arts\The Lord of the Rings
AddRemove-Rise of the Witch King Unofficial Patch 2.02 - c:\program files\Electronic Arts\The Lord of the Rings
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-09-01 12:25
Windows 5.1.2600 Service Pack 2 NTFS
skenování skrytých procesů ...
skenování skrytých položek 'Po spuštění' ...
skenování skrytých souborů ...
sken byl úspešně dokončen
skryté soubory: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\GarenaPEngine]
"ImagePath"="\??\c:\docume~1\FIlip\LOCALS~1\Temp\OFXF77.tmp"
.
--------------------- ZAMKNUTÉ KLÍČE V REGISTRU ---------------------
[HKEY_USERS\S-1-5-21-1292428093-413027322-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{17B1E868-DDF3-F465-745E-2E631B88CA4C}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"abffcglgndonmjafojfkejpibolicpcdia"=hex:61,61,00,00
"bbffcglgndonmjafojakpmomlpcmbelhigap"=hex:61,61,00,00
[HKEY_USERS\S-1-5-21-1292428093-413027322-839522115-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:07,f9,9c,9a,dd,5e,98,47,e3,af,cd,2c,10,2c,ec,49,0b,f5,30,6d,ce,ae,37,
d6,86,fb,f6,bf,c5,92,fa,e8,c1,99,58,eb,b7,67,5e,83,62,dd,24,a1,95,bc,83,b0,\
"??"=hex:e2,06,90,c3,a9,ab,f7,ca,1c,f7,63,d7,3e,f2,89,5d
[HKEY_USERS\S-1-5-21-1292428093-413027322-839522115-1003\Software\SecuROM\License information*]
"datasecu"=hex:91,c4,24,53,b9,36,60,56,5e,8f,02,b2,9a,f3,55,96,b1,d7,43,68,0c,
77,86,41,20,5c,84,59,44,67,cc,d0,8d,60,5c,ae,a9,c0,aa,c1,48,be,38,4a,ae,d4,\
"rkeysecu"=hex:56,c6,0d,e0,20,27,f2,5f,5e,7a,0c,15,6c,01,a7,f3
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\System*]
"OODEFRAG10.00.00.01WORKSTATION"="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"
.
--------------------- Knihovny navázané na běžící procesy ---------------------
- - - - - - - > 'winlogon.exe'(232)
c:\windows\system32\Ati2evxx.dll
.
Celkový čas: 2010-09-01 12:40:18 - počítač byl restartován
ComboFix-quarantined-files.txt 2010-09-01 10:40
Před spuštěním: 6 771 822 592
Po spuštění: 6 853 689 344
WindowsXP-KB310994-SP2-Home-BootDisk-CSY.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /usepmtimer
- - End Of File - - 53D181248E6E91E020523E472AB0B71B
Re: That Virtuomonde again x(
Nakažená kopie c:\windows\system32\winlogon.exe byla nalezena a vyléčena.
Now you know why you couldn't log in.
Give me a moment, I'll go through the log and post the next steps - it still needs cleaning up...
Re: That Virtuomonde again x(
I don't know, explain

Re: That Virtuomonde again x(
We'll also check a few files (my instructions are written in the formal form of address, so don't be surprised)
Test the following files on VirusTotal (see my signature)

- c:\windows\system32\drivers\uzqwodiy.sys
- d:\player\cds300.dll
- c:\windows\system32\drivers\Ambfilt.sys

- Click Browse
- Don't look for the file, just paste in the path of the file I want tested
- If it says the file has already been tested, have it tested again
- Click Test file
- Paste the analysis result here (as a link)
Re: That Virtuomonde again x(
Big problem, I'm now working from my brother's notebook, and mine, which is infected, only works in safe mode. I tried safe mode with networking, but that activation pops up again there, so I don't know how else to test those files.
Re: That Virtuomonde again x(
winlogon.exe handles logging in to Windows; it was infected (clogged with junk), and that "rascal" CF cured it nicely
I assume you bought your Windows legally... Do you also have the installation CD?
We'll do the repair with CF, for now without testing those files - I won't even delete them...
If you don't have it there yet, move Combofix to the desktop
It may happen that Windows won't start after the script is applied; in that case restart the PC, keep pressing F8 and choose Last Known Good Configuration

- Start Notepad (Start - Run - notepad)
- Copy the script below
Code:
Folder::
c:\docume~1\FIlip\LOCALS~1\Temp

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools Lite"=-
"Google Update"=-
"AlcoholAutomount"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"=-
"QuickTime Task"=-
"Adobe Reader Speed Launcher"=-
"Adobe ARM"=-
"SunJavaUpdateSched"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]

Driver::
cpuz130
GarenaPEngine
PEEK5

File::
c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

Firefox::
FF - ProfilePath - c:\documents and settings\FIlip\Data aplikací\Mozilla\Firefox\Profiles\wbn53luj.default\
FF - prefs.js: browser.startup.homepage - hxxp://start.icq.com/
FF - prefs.js: browser.search.selectedEngine - ICQ Search

RegLock::
[HKEY_USERS\S-1-5-21-1292428093-413027322-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{17B1E868-DDF3-F465-745E-2E631B88CA4C}*]
[HKEY_USERS\S-1-5-21-1292428093-413027322-839522115-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
[HKEY_USERS\S-1-5-21-1292428093-413027322-839522115-1003\Software\SecuROM\License information*]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\System*]
- Save the created TXT file as CFScript.txt
- Drag the created CFScript.txt over Combofix and drop it (see the picture below)
- After the script has been applied (and after a possible restart) a log will pop up; paste its contents here

Re: That Virtuomonde again x(
I have a Windows CD, so I kind of have it legally; the log will be here in a moment
Re: That Virtuomonde again x(
Fidla wrote: I have a Windows CD, so I kind of have it legally; the log will be here in a moment
Have you bought a licence?


Re: That Virtuomonde again x(
It's that I bought the notebook without an official Win CD but with the system already installed, so every time I reinstalled it, I backed up one file, which I then dragged into the freshly installed system, and it becomes legal again. So I do have a Win CD, but for a different key.
Re: That Virtuomonde again x(
That Windows should be backed up on the notebook, or it should have been possible to create a backup of it...
This looks to me like a violation of the forum rules and of copyright law, and therefore the commission of a criminal offence...
I'll ask my fellow moderators, who will decide what happens next...
Re: That Virtuomonde again x(
It tells me: CFScript chyba názvu
Zkoušeli jste aplikovat CFScript?
Název CFScript se zád být nesprávně hláskovaný.
Re: That Virtuomonde again x(
Don't take any further steps until the forum moderators have responded; I've already contacted my colleagues...
Re: That Virtuomonde again x(
After consulting with my colleague Rudy, we have come to the following:
- Every CD has its own original CD-KEY, which is required to activate/register Windows - it should have been supplied with the system
- What exactly is the file that has to be preserved - we suspect it is a file used to bypass that registration requirement
- By our reasoning it is evident that this is a circumvention of copyright law - if you install the system from a different CD, that CD should have a CD key, or one can be purchased - which you are not doing
- Why aren't you using the original Windows, but the one installed from a different CD
Re: That Virtuomonde again x(
vyosek wrote: After consulting with my colleague Rudy, we have come to the following:
- Every CD has its own original CD-KEY, which is required to activate/register Windows - it should have been supplied with the system
- What exactly is the file that has to be preserved - we suspect it is a file used to bypass that registration requirement
- By our reasoning it is evident that this is a circumvention of copyright law - if you install the system from a different CD, that CD should have a CD key, or one can be purchased - which you are not doing
- Why aren't you using the original Windows, but the one installed from a different CD

The file I'm (you're) talking about is backed up from a legal system and, e.g. after a reinstall or a format, the file is copied back into the given Windows directory. And this file is not transferable between other computers, so it doesn't work in such a way that it can be downloaded somewhere from the internet. You others have it on your computers too; you just need to back it up, for instance to a CD. I backed this file up from the first installation of Windows, which I got together with the computer (without a CD).