
PC disinfection, speeding up your computer, remote help via the neslape.cz service
Please check my RSIT log
Moderator: Moderators
Forum rules
If you want help, post a log from FRST [guide here] or RSIT [guide here]
Individual threads will be locked once resolved, as will those inactive for more than 14 days. See the Rule on locking topics. Thank you for your understanding.
!NEW!
You can now use the remote help service, where an expert connects to your computer and obtains further details about the problem from you by phone! More at www.neslape.cz
Re: Please check my RSIT log
Here is the log from MBAM
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org
Verze databáze: 4675
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702
23.9.2010 14:09:18
mbam-log-2010-09-23 (14-09-18).txt
Typ skenu: Úplný sken (C:\|)
Skenované objekty: 378349
Uplynulý čas: 2 hodina(y), 18 minuta(y), 9 sekunda(y)
Infikované procesy v paměti: 0
Infikované moduly v paměti: 0
Infikované klíče registru: 0
Infikované hodnoty registru: 0
Infikované datové položky registru: 0
Infikované složky: 1
Infikované soubory: 1
Infikované procesy v paměti:
(Žádné škodlivé položky nebyly zjištěny)
Infikované moduly v paměti:
(Žádné škodlivé položky nebyly zjištěny)
Infikované klíče registru:
(Žádné škodlivé položky nebyly zjištěny)
Infikované hodnoty registru:
(Žádné škodlivé položky nebyly zjištěny)
Infikované datové položky registru:
(Žádné škodlivé položky nebyly zjištěny)
Infikované složky:
C:\Program Files\WinZix (Trojan.Swizzor) -> No action taken.
Infikované soubory:
C:\Documents and Settings\TomasHP\Data aplikací\wiaserva.log (Malware.Trace) -> No action taken.
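A small parser for logs in the layout posted above, added here as an example (it is not part of the thread, of Malwarebytes, or of the helper's instructions). It reads the "Label: N" count lines and the per-category item blocks, and lists every detection still marked "No action taken", which is exactly what the helper asks the poster to go back and remove. The sample log inside the script is constructed to mirror the one above and is not from a real machine.

```python
"""Summarise a Malwarebytes' Anti-Malware 1.x text log.

Added example for this thread; not part of the forum post or of
Malwarebytes.  It reads the layout the log above uses: "Label: N" count
lines, then one block per category whose items end in "-> <action>".
Anything still marked "No action taken" is what the helper asks the
poster to go back and remove.
"""
import re
from dataclasses import dataclass

# Constructed sample modelled on the log above (category labels as the
# Czech MBAM 1.46 build prints them); not an excerpt from a real machine.
SAMPLE_LOG = """\
Malwarebytes' Anti-Malware 1.46
Verze databáze: 4675
Windows 5.1.2600 Service Pack 3

Infikované klíče registru: 0
Infikované složky: 1
Infikované soubory: 2

Infikované klíče registru:
(Žádné škodlivé položky nebyly zjištěny)

Infikované složky:
C:\\Program Files\\WinZix (Trojan.Swizzor) -> No action taken.

Infikované soubory:
C:\\Documents and Settings\\TomasHP\\Data aplikací\\wiaserva.log (Malware.Trace) -> No action taken.
C:\\Temp\\dropper.exe (Trojan.Agent) -> Quarantined and deleted successfully.
"""

COUNT_LINE = re.compile(r"^(?P<label>[^:]+): (?P<count>\d+)$")


@dataclass
class Detection:
    section: str   # category block the item was listed under
    path: str      # file, folder or registry location
    family: str    # detection name in parentheses, e.g. Trojan.Swizzor
    action: str    # what MBAM did, e.g. "No action taken"


def parse_detection(section, line):
    """Split 'PATH (Family) -> Action.' into its parts.

    The path itself may contain parentheses (e.g. 'Program Files (x86)'),
    so the family is taken from the *last* ' (' before the arrow.
    """
    left, sep, action = line.partition(" -> ")
    if not sep:
        return None
    path, sep, family = left.rpartition(" (")
    if not sep or not family.endswith(")"):
        return None
    return Detection(section, path, family[:-1], action.rstrip("."))


def parse_mbam_log(text):
    """Return counts, per-section detections and the items left untreated."""
    counts = {}
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("("):
            continue                      # blank or "(no malicious items found)"
        m = COUNT_LINE.match(line)
        if m:
            counts[m["label"]] = int(m["count"])
            continue
        if line.endswith(":"):
            current = line[:-1]           # start of a category block
            sections.setdefault(current, [])
            continue
        if current is not None:
            det = parse_detection(current, line)
            if det is not None:
                sections[current].append(det)
    pending = [d for items in sections.values() for d in items
               if d.action.startswith("No action taken")]
    return {"counts": counts, "sections": sections, "pending": pending}


def needs_followup(report):
    """True when the scan found something but the user never removed it."""
    return bool(report["pending"])


if __name__ == "__main__":
    rep = parse_mbam_log(SAMPLE_LOG)
    for d in rep["pending"]:
        print(f"{d.section}: {d.path} ({d.family}) still needs removal")
```

Run it on a saved mbam-log-*.txt by reading the file into `parse_mbam_log`; the header counts are kept so a helper can check that the number of listed items matches what the scanner claims it found.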
Re: Please check my RSIT log
Delete everything in MBAM.
Run OTL
- copy this script into the white box at the bottom:
Code:
:OTL
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
FF - prefs.js..browser.search.defaultthis.engineName: "BS Player Customized Web Search"
F - prefs.js..browser.search.defaulturl: "http://search.conduit.com/ResultsExt.aspx?ctid=CT1750559&SearchSource=3&q={searchTerms}"
FF - prefs.js..browser.search.selectedEngine: "BS Player Customized Web Search"
FF - prefs.js..browser.startup.homepage: "http://search.conduit.com/?ctid=CT1750559&SearchSource=13"
FF - prefs.js..keyword.URL: "http://search.conduit.com/ResultsExt.aspx?ctid=CT1750559&SearchSource=2&q="
[2009.09.04 17:12:32 | 000,000,000 | ---D | M] (BS Player Toolbar) -- C:\Documents and Settings\TomasHP\Data aplikací\Mozilla\Firefox\Profiles\wcdezs2z.default\extensions\{fed66dc5-1b74-4a04-8f5c-15c5ace2b9a5}
[2009.07.01 14:22:12 | 000,000,880 | ---- | M] () -- C:\Documents and Settings\TomasHP\Data aplikací\Mozilla\Firefox\Profiles\wcdezs2z.default\searchplugins\conduit.xml
O4 - HKLM..\Run: [] File not found
O33 - MountPoints2\{e00fcf5c-9330-11df-bd86-001a4b742105}\Shell\AutoRun\command - "" = D:\SamsungSoftware\APPInst.exe -- File not found
:files
C:\WINDOWS\system32\*.tmp.dll /s
C:\WINDOWS\system32\SET*.tmp /s
C:\WINDOWS\*.tmp /s
:commands
[emptytemp]
[EMPTYFLASH]
[Reboot]
- click the Fix button.
- The PC will then restart.
- Post the log here

Do not use COMBOFIX without a helper's recommendation; it can damage the system!
Always back up important data before disinfecting a computer
Want to support our forum? Information here

I am usually reachable at night, between 9 and 11 p.m.
If you have any questions, you can write to me at Motji(at)forum.viry.cz.
Re: Please check my RSIT log
All processes killed
========== OTL ==========
No active process named explorer.exe was found!
Prefs.js: "BS Player Customized Web Search" removed from browser.search.defaultthis.engineName
Prefs.js: "BS Player Customized Web Search" removed from browser.search.selectedEngine
Prefs.js: "http://search.conduit.com/?ctid=CT17505 ... hSource=13" removed from browser.startup.homepage
Prefs.js: "http://search.conduit.com/ResultsExt.as ... ource=2&q=" removed from keyword.URL
Folder move failed. C:\Documents and Settings\TomasHP\Data aplikací\Mozilla\Firefox\Profiles\wcdezs2z.default\extensions\{fed66dc5-1b74-4a04-8f5c-15c5ace2b9a5}\searchplugin scheduled to be moved on reboot.
Folder move failed. C:\Documents and Settings\TomasHP\Data aplikací\Mozilla\Firefox\Profiles\wcdezs2z.default\extensions\{fed66dc5-1b74-4a04-8f5c-15c5ace2b9a5}\META-INF scheduled to be moved on reboot.
Folder move failed. C:\Documents and Settings\TomasHP\Data aplikací\Mozilla\Firefox\Profiles\wcdezs2z.default\extensions\{fed66dc5-1b74-4a04-8f5c-15c5ace2b9a5}\lib scheduled to be moved on reboot.
Folder move failed. C:\Documents and Settings\TomasHP\Data aplikací\Mozilla\Firefox\Profiles\wcdezs2z.default\extensions\{fed66dc5-1b74-4a04-8f5c-15c5ace2b9a5}\defaults scheduled to be moved on reboot.
Folder move failed. C:\Documents and Settings\TomasHP\Data aplikací\Mozilla\Firefox\Profiles\wcdezs2z.default\extensions\{fed66dc5-1b74-4a04-8f5c-15c5ace2b9a5}\components scheduled to be moved on reboot.
Folder move failed. C:\Documents and Settings\TomasHP\Data aplikací\Mozilla\Firefox\Profiles\wcdezs2z.default\extensions\{fed66dc5-1b74-4a04-8f5c-15c5ace2b9a5}\chrome scheduled to be moved on reboot.
Folder move failed. C:\Documents and Settings\TomasHP\Data aplikací\Mozilla\Firefox\Profiles\wcdezs2z.default\extensions\{fed66dc5-1b74-4a04-8f5c-15c5ace2b9a5} scheduled to be moved on reboot.
C:\Documents and Settings\TomasHP\Data aplikací\Mozilla\Firefox\Profiles\wcdezs2z.default\searchplugins\conduit.xml moved successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{e00fcf5c-9330-11df-bd86-001a4b742105}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{e00fcf5c-9330-11df-bd86-001a4b742105}\ not found.
File D:\SamsungSoftware\APPInst.exe not found.
========== FILES ==========
File\Folder C:\WINDOWS\system32\*.tmp.dll not found.
File\Folder C:\WINDOWS\system32\SET*.tmp not found.
C:\WINDOWS\002763_.tmp moved successfully.
C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP1591.tmp folder moved successfully.
C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP315.tmp folder moved successfully.
C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP8DD.tmp folder moved successfully.
C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP9EA.tmp folder moved successfully.
C:\WINDOWS\Installer\MSI114.tmp moved successfully.
C:\WINDOWS\Installer\MSI23F2.tmp moved successfully.
C:\WINDOWS\Installer\MSI2405.tmp moved successfully.
C:\WINDOWS\Installer\MSI64.tmp moved successfully.
C:\WINDOWS\Installer\MSI6B6.tmp moved successfully.
C:\WINDOWS\Installer\MSI6C7.tmp moved successfully.
C:\WINDOWS\Installer\MSI7E13.tmp moved successfully.
C:\WINDOWS\Installer\MSI7E1E.tmp moved successfully.
C:\WINDOWS\Installer\MSI8FF.tmp moved successfully.
C:\WINDOWS\Installer\MSI9C.tmp moved successfully.
C:\WINDOWS\Installer\MSIA4.tmp moved successfully.
C:\WINDOWS\Installer\MSIC6.tmp moved successfully.
C:\WINDOWS\Installer\MSIEC.tmp moved successfully.
C:\WINDOWS\system32\CONFIG.TMP moved successfully.
C:\WINDOWS\system32\spool\PRINTERS\Tcp2951.tmp moved successfully.
========== COMMANDS ==========
[EMPTYTEMP]
User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 78991 bytes
->Flash cache emptied: 1505 bytes
User: All Users
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes
User: LocalService
->Temp folder emptied: 66016 bytes
->Temporary Internet Files folder emptied: 95407 bytes
User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 744363 bytes
User: TomasHP
->Temp folder emptied: 7510653 bytes
->Temporary Internet Files folder emptied: 89705239 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 37546188 bytes
->Google Chrome cache emptied: 0 bytes
->Flash cache emptied: 1040 bytes
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 82883 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 43533590 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 0 bytes
Total Files Cleaned = 171,00 mb
[EMPTYFLASH]
User: Administrator
->Flash cache emptied: 0 bytes
User: All Users
User: Default User
User: LocalService
User: NetworkService
User: TomasHP
->Flash cache emptied: 0 bytes
Total Flash Files Cleaned = 0,00 mb
OTL by OldTimer - Version 3.2.14.1 log created on 09232010_205308
Files\Folders moved on Reboot...
C:\Documents and Settings\TomasHP\Data aplikací\Mozilla\Firefox\Profiles\wcdezs2z.default\extensions\{fed66dc5-1b74-4a04-8f5c-15c5ace2b9a5}\searchplugin folder moved successfully.
C:\Documents and Settings\TomasHP\Data aplikací\Mozilla\Firefox\Profiles\wcdezs2z.default\extensions\{fed66dc5-1b74-4a04-8f5c-15c5ace2b9a5}\META-INF folder moved successfully.
C:\Documents and Settings\TomasHP\Data aplikací\Mozilla\Firefox\Profiles\wcdezs2z.default\extensions\{fed66dc5-1b74-4a04-8f5c-15c5ace2b9a5}\lib folder moved successfully.
C:\Documents and Settings\TomasHP\Data aplikací\Mozilla\Firefox\Profiles\wcdezs2z.default\extensions\{fed66dc5-1b74-4a04-8f5c-15c5ace2b9a5}\defaults folder moved successfully.
C:\Documents and Settings\TomasHP\Data aplikací\Mozilla\Firefox\Profiles\wcdezs2z.default\extensions\{fed66dc5-1b74-4a04-8f5c-15c5ace2b9a5}\components folder moved successfully.
C:\Documents and Settings\TomasHP\Data aplikací\Mozilla\Firefox\Profiles\wcdezs2z.default\extensions\{fed66dc5-1b74-4a04-8f5c-15c5ace2b9a5}\chrome folder moved successfully.
C:\Documents and Settings\TomasHP\Data aplikací\Mozilla\Firefox\Profiles\wcdezs2z.default\extensions\{fed66dc5-1b74-4a04-8f5c-15c5ace2b9a5} folder moved successfully.
File\Folder C:\Documents and Settings\TomasHP\Local Settings\Temp\~DF2834.tmp not found!
File\Folder C:\Documents and Settings\TomasHP\Local Settings\Temp\~DF2840.tmp not found!
File\Folder C:\Documents and Settings\TomasHP\Local Settings\Temp\~DF289F.tmp not found!
File\Folder C:\Documents and Settings\TomasHP\Local Settings\Temp\~DF28AB.tmp not found!
File\Folder C:\Documents and Settings\TomasHP\Local Settings\Temp\~DF28EA.tmp not found!
File\Folder C:\Documents and Settings\TomasHP\Local Settings\Temp\~DF28F6.tmp not found!
File\Folder C:\Documents and Settings\TomasHP\Local Settings\Temp\~DF847F.tmp not found!
File\Folder C:\Documents and Settings\TomasHP\Local Settings\Temp\~DF84C2.tmp not found!
C:\Documents and Settings\TomasHP\Local Settings\Temporary Internet Files\Content.IE5\LBRM6E9N\afr[1].htm moved successfully.
C:\Documents and Settings\TomasHP\Local Settings\Temporary Internet Files\Content.IE5\LBRM6E9N\viewtopic[2].htm moved successfully.
C:\Documents and Settings\TomasHP\Local Settings\Temporary Internet Files\AntiPhishing\2CEDBFBC-DBA8-43AA-B1FD-CC8E6316E3E2.dat moved successfully.
C:\Documents and Settings\TomasHP\Local Settings\Temporary Internet Files\SuggestedSites.dat moved successfully.
Registry entries deleted on Reboot...
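An OTL fix log has two halves: what OTL managed at run time, and what it finished after the restart under "Files\Folders moved on Reboot...". The extension folders above were first reported as "scheduled to be moved on reboot" and only confirmed removed in the second half, so a helper reading such a log wants the deferred items matched against the post-reboot list. The script below does that reconciliation; it is an added example, not part of the post or of OTL, and its sample log is constructed in the same format with placeholder profile paths and a placeholder {ext-guid}.

```python
"""Reconcile an OTL fix log: did every scheduled removal actually happen?

Added example for this thread, not part of the post or of OTL.  OTL
reports items it could not remove while they were in use as
"scheduled to be moved on reboot", then lists what it did after the
restart under "Files\\Folders moved on Reboot...".  Deferred items that
never show up as moved are still on disk and need another pass.
"""
import re

# Constructed sample in the format of the OTL log above; the profile
# paths and {ext-guid} are placeholders, not values from a real machine.
SAMPLE_OTL_LOG = r"""
All processes killed
========== OTL ==========
Prefs.js: "Example Hijacked Search" removed from browser.search.selectedEngine
Folder move failed. C:\Profile\extensions\{ext-guid}\chrome scheduled to be moved on reboot.
Folder move failed. C:\Profile\extensions\{ext-guid} scheduled to be moved on reboot.
C:\Profile\searchplugins\conduit.xml moved successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{ext-guid}\ not found.
========== FILES ==========
File\Folder C:\WINDOWS\system32\*.tmp.dll not found.
C:\WINDOWS\Installer\MSI114.tmp moved successfully.
OTL by OldTimer - Version 3.2.14.1 log created on 09232010_205308
Files\Folders moved on Reboot...
C:\Profile\extensions\{ext-guid}\chrome folder moved successfully.
File\Folder C:\Temp\~DF2834.tmp not found!
Registry entries deleted on Reboot...
"""

RE_PREFS = re.compile(r'^Prefs\.js: "(?P<value>.*)" removed from (?P<pref>\S+)$')
RE_DEFERRED = re.compile(r"^Folder move failed\. (?P<path>.+) scheduled to be moved on reboot\.$")
RE_NOT_FOUND = re.compile(r"^File\\Folder (?P<path>.+) not found[.!]$")
RE_REGISTRY = re.compile(r"^Registry (?P<kind>key|value) (?P<path>.+) (?P<result>deleted successfully|not found)\.$")
RE_MOVED = re.compile(r"^(?P<path>.+?)(?: folder)? moved successfully\.$")


def reconcile_otl_log(text):
    """Classify every result line and compute which deferred moves never completed."""
    result = {"prefs_removed": [], "deferred": [], "moved": [], "moved_on_reboot": [],
              "not_found": [], "registry": [], "unresolved": []}
    after_reboot = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Files\\Folders moved on Reboot"):
            after_reboot = True          # everything below ran after the restart
            continue
        if m := RE_PREFS.match(line):
            result["prefs_removed"].append((m["pref"], m["value"]))
        elif m := RE_DEFERRED.match(line):
            result["deferred"].append(m["path"])
        elif m := RE_NOT_FOUND.match(line):
            result["not_found"].append(m["path"])
        elif m := RE_REGISTRY.match(line):
            result["registry"].append((m["kind"], m["path"], m["result"]))
        elif m := RE_MOVED.match(line):   # broadest pattern, so checked last
            result["moved"].append(m["path"])
            if after_reboot:
                result["moved_on_reboot"].append(m["path"])
    moved = set(result["moved"])
    # A deferred folder counts as done only if some later line confirms the move.
    result["unresolved"] = [p for p in result["deferred"] if p not in moved]
    return result


if __name__ == "__main__":
    r = reconcile_otl_log(SAMPLE_OTL_LOG)
    print(f"{len(r['deferred'])} deferred, {len(r['moved_on_reboot'])} completed on reboot")
    for path in r["unresolved"]:
        print("still present:", path)
```

In the log above every deferred folder reappears as "folder moved successfully" after the reboot, so the unresolved list would be empty; the constructed sample deliberately leaves one folder unconfirmed to show what a helper would have to chase.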
Re: Please check my RSIT log
Now try ComboFix
Re: Please check my RSIT log
I managed to update ComboFix, but it still reports the same message.
Re: Please check my RSIT log
Try renaming it to anything.com and running it in Safe Mode
Re: Please check my RSIT log
In Safe Mode I can't turn off the ESET antivirus, and because of that ComboFix won't start.
Re: Please check my RSIT log
Not even if you choose Ignore? It should start even with the antivirus running.
Re: Please check my RSIT log
I'll go try it
Re: Please check my RSIT log

Re: Please check my RSIT log
Finally, here is the ComboFix log.
I also admit that the log from Safe Mode did not get saved, so I'm posting the log from the second scan, which ran in normal mode.
ComboFix 10-09-23.01 - TomasHP 24.09.2010 10:53:54.9.2 - x86
Systém Microsoft Windows XP Professional 5.1.2600.3.1250.420.1029.18.1015.387 [GMT 2:00]
Spuštěný z: c:\documents and settings\TomasHP\Plocha\cokoliv.com.exe
AV: ESET NOD32 Antivirus 3.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
.
((((((((((((((((((((((((( Soubory vytvořené od 2010-08-24 do 2010-09-24 )))))))))))))))))))))))))))))))
.
2010-09-23 22:12 . 2010-09-23 22:12 -------- d--h--w- c:\windows\system32\GroupPolicy
2010-09-23 19:18 . 2010-09-23 21:59 -------- d-----w- C:\ComboFix
2010-09-23 18:53 . 2010-09-23 18:53 -------- d-----w- C:\_OTL
2010-09-23 09:45 . 2010-04-29 13:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-09-23 09:45 . 2010-04-29 13:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-09-23 09:45 . 2010-09-23 12:09 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-09-20 09:12 . 2010-09-20 09:12 -------- d-----w- c:\program files\iPod
2010-09-20 09:12 . 2010-09-20 09:14 -------- d-----w- c:\program files\iTunes
2010-09-20 05:09 . 2010-09-20 05:09 -------- d--h--w- c:\windows\PIF
.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-24 08:32 . 2010-05-11 11:58 -------- d-----w- c:\program files\Fighters
2010-09-23 18:53 . 2004-09-08 09:09 89562 ----a-w- c:\windows\system32\perfc005.dat
2010-09-23 18:53 . 2004-09-08 09:09 456996 ----a-w- c:\windows\system32\perfh005.dat
2010-09-23 10:25 . 2008-01-22 08:07 -------- d-----w- c:\program files\Mozilla Thunderbird
2010-09-22 21:04 . 2010-03-12 06:33 -------- d-----w- c:\program files\trend micro
2010-09-20 09:12 . 2009-11-26 11:09 -------- d-----w- c:\program files\Common Files\Apple
2010-09-20 09:07 . 2008-01-09 09:48 -------- d-----w- c:\program files\QuickTime
2010-09-15 10:31 . 2010-09-15 10:31 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_00_00.Wdf
2010-09-12 05:27 . 2008-01-09 10:21 -------- d-----w- c:\program files\audiograbber
2010-09-08 21:42 . 2009-09-11 11:49 -------- d-----w- c:\program files\Microsoft Silverlight
2010-08-17 13:17 . 2004-08-18 08:00 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-13 06:33 . 2010-01-18 23:35 -------- d-----w- c:\program files\Pinnacle
2010-08-04 21:56 . 2010-08-04 19:54 -------- d-----w- c:\program files\Mv2Player
2010-07-26 16:48 . 2010-02-07 14:38 -------- d-----w- c:\program files\iPhone Explorer
2010-07-22 15:46 . 2004-08-18 08:00 590848 ----a-w- c:\windows\system32\rpcrt4.dll
2010-07-22 06:19 . 2008-05-05 05:25 5632 ----a-w- c:\windows\system32\xpsp4res.dll
2010-07-07 14:52 . 2009-12-21 09:47 94432 -c-ha-w- c:\windows\system32\mlfcache.dat
2010-06-30 12:33 . 2004-08-18 08:00 149504 ----a-w- c:\windows\system32\schannel.dll
.
((((((((((((((((((((((((((((( SnapShot@2010-09-24_08.21.53 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-09-24 08:28 . 2010-09-24 08:28 16384 c:\windows\temp\Perflib_Perfdata_234.dat
.
(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2007-04-19 484904]
"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2007-02-28 2321600]
"Google Update"="c:\documents and settings\TomasHP\Local Settings\Data aplikací\Google\Update\GoogleUpdate.exe" [2009-11-21 135664]
"Skype"="c:\program files\Skype\\Phone\Skype.exe" [2010-05-13 26192168]
"NBJ"="c:\program files\Ahead\Nero BackItUp\NBJ.exe" [2004-07-26 1867776]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NokiaMServer"="c:\program files\Common Files\Nokia\MPlatform\NokiaMServer" [X]
"MsmqIntCert"="mqrt.dll" [2008-04-14 177152]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-01-05 872448]
"PDF Complete"="c:\program files\PDF Complete\pdfsty.exe" [2007-05-08 331552]
"PTHOSTTR"="c:\program files\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.EXE" [2007-01-09 145184]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-01-12 827392]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-05-18 138008]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-05-18 162584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-05-18 138008]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-05-11 472632]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-02 148888]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-05-02 163840]
"CognizanceTS"="c:\progra~1\HEWLET~1\IAM\Bin\ASTSVCC.dll" [2003-12-22 17920]
"Recguard"="c:\windows\Sminst\Recguard.exe" [2005-12-20 1187840]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2006-03-09 806912]
"Scheduler"="c:\windows\SMINST\Scheduler.exe" [2006-10-09 697976]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-16 49152]
"Cpqset"="c:\program files\Hewlett-Packard\Default Settings\cpqset.exe" [2007-05-03 57344]
"WatchDog"="c:\program files\InterVideo\DVD Check\DVDCheck.exe" [2007-05-23 192512]
"AccelerometerSysTrayApplet"="c:\windows\system32\AccelerometerSt.exe" [2007-01-24 124928]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"Device Detector"="c:\program files\Common Files\ACD Systems\EN\DevDetect.exe" [2003-11-26 217088]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2006-10-22 620152]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2007-12-20 37376]
"NokiaMusic FastStart"="c:\program files\Nokia\Nokia Music\NokiaMusic.exe" [2009-07-22 2331936]
"GrooveMonitor"="c:\program files\Microsoft Office2007\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-10-07 1461080]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-04-13 47392]
"sfagent"="c:\program files\Fighters\sfagent.exe" [2010-07-23 760968]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-08-10 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-01 421160]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
c:\documents and settings\All Users\Nabídka Start\Programy\Po spuštění\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000003}\_SC_Acrobat.exe [2008-1-9 295606]
Adobe Acrobat Synchronizer.lnk - c:\program files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe [2006-10-23 734872]
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2007-2-6 561213]
DVD Check.lnk - c:\program files\InterVideo\DVD Check\DVDCheck.exe [2007-12-6 192512]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OneCard]
2007-02-07 01:30 74240 ----a-r- c:\program files\Hewlett-Packard\IAM\Bin\ASWLNPkg.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\APSHook.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ SbHpNp scecli
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\mqsvc.exe"=
"c:\\WINDOWS\\SMINST\\Scheduler.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office2007\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office2007\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office2007\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=
"c:\\Program Files\\ICQ6.5\\ICQ.exe"=
"c:\\Program Files\\RealVNC\\VNC4\\vncviewer.exe"=
"c:\\Program Files\\Nokia\\Nokia Software Updater\\nsu_ui_client.exe"=
"c:\\Program Files\\Common Files\\Nokia\\Service Layer\\A\\nsl_host_process.exe"=
"c:\\WINDOWS\\system32\\igfxsrvc.exe"=
"c:\\WINDOWS\\system32\\mstsc.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3703:TCP"= 3703:TCP:*:Disabled:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:*:Disabled:Adobe Version Cue CS3 Server
"50900:TCP"= 50900:TCP:*:Disabled:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:*:Disabled:Adobe Version Cue CS3 Server
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
R0 SafeBoot;SafeBoot;c:\windows\system32\drivers\SafeBoot.sys [22.4.2007 16:24 100095]
R0 SbAlg;SbAlg;c:\windows\system32\drivers\SbAlg.sys [9.10.2006 13:31 44720]
R0 SbFsLock;SbFsLock;c:\windows\system32\drivers\SbFsLock.sys [29.3.2007 16:54 13696]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [14.11.2007 16:06 35168]
R1 RsvLock;RsvLock;c:\windows\system32\drivers\rsvlock.sys [22.4.2007 16:25 5808]
R2 ASBroker;Logon Session Broker;c:\windows\System32\svchost.exe -k Cognizance [18.8.2004 10:00 14336]
R2 ASChannel;Local Communication Channel;c:\windows\System32\svchost.exe -k Cognizance [18.8.2004 10:00 14336]
R2 ekrn;Eset Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [7.10.2009 10:16 472280]
R2 HpFkCryptService;Drive Encryption Service;c:\program files\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe [22.4.2007 16:32 221184]
R2 pdfcDispatcher;PDF Document Manager;c:\program files\PDF Complete\pdfsvc.exe [26.7.2007 0:54 540448]
R2 SPAMfighter Update Service;SPAMfighter Update Service;c:\program files\Fighters\sfus.exe [23.7.2010 11:45 189064]
R2 Suite Service;Suite Service;c:\program files\Fighters\FighterSuiteService.exe [23.7.2010 11:46 983688]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [19.9.2006 18:58 36608]
S3 Netaapl;Apple Mobile Device Ethernet Service;c:\windows\system32\drivers\netaapl.sys [26.11.2009 13:10 17408]
S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [26.11.2009 21:32 136704]
S3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsuc.sys [26.11.2009 21:32 8320]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
Cognizance REG_MULTI_SZ ASBroker ASChannel
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2007-04-19 11:23 452136 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Obsah adresáře 'Naplánované úlohy'
2010-07-22 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
2010-07-22 c:\windows\Tasks\SLOW-PCfighter-TomasHP-Startup.job
- c:\program files\Fighters\SLOW-PCfighter\SLOW-PCfighter.exe [2010-03-18 15:41]
2010-09-24 c:\windows\Tasks\User_Feed_Synchronization-{2DC54E72-8A64-4932-A747-ADEFEFF51418}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 02:31]
.
.
------- Doplňkový sken -------
.
uStart Page = hxxp://www.google.cz/ig?hl=cs
uInternet Settings,ProxyOverride = *.local
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xportovat do aplikace Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
Trusted Zone: csob.cz\ib24
DPF: {672EE252-D813-4F5E-81BB-5DD163DD4FA5} - hxxps://www.mojedatovaschranka.cz/static/pages/ ... b?3,14,8,0
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-09-24 11:03
Windows 5.1.2600 Service Pack 3 NTFS
skenování skrytých procesů ...
skenování skrytých položek 'Po spuštění' ...
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\Hewlett-Packard\Default Settings\cpqset.exe????????T??????????????|?M?|?????M?|&?@
skenování skrytých souborů ...
sken byl úspešně dokončen
skryté soubory: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\pdfcDispatcher]
"ImagePath"="c:\program files\PDF Complete\pdfsvc.exe /startedbyscm:66B66708-40E2BE4D-pdfcService"
.
--------------------- ZAMKNUTÉ KLÍČE V REGISTRU ---------------------
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- Knihovny navázané na běžící procesy ---------------------
- - - - - - - > 'winlogon.exe'(980)
c:\windows\system32\APSHook.dll
c:\program files\Hewlett-Packard\IAM\Bin\ASWLNPkg.dll
c:\program files\Hewlett-Packard\IAM\bin\ItMsg.dll
c:\program files\Hewlett-Packard\IAM\Bin\TrayIcon.dll
c:\program files\Hewlett-Packard\IAM\bin\HPBrand.dll
c:\program files\Hewlett-Packard\IAM\Bin\ASChnl.dll
c:\program files\Hewlett-Packard\IAM\Bin\ItDAC.dll
c:\program files\Hewlett-Packard\IAM\Bin\ItReports.DLL
c:\program files\Hewlett-Packard\IAM\Bin\BioAuth.dll
c:\program files\Hewlett-Packard\IAM\Bin\ittal.dll
c:\program files\Hewlett-Packard\IAM\Bin\ASBIoAT.dll
c:\program files\Hewlett-Packard\IAM\Bin\STEngine.dll
c:\program files\Hewlett-Packard\IAM\Bin\ItVCClient.dll
c:\program files\Hewlett-Packard\IAM\Bin\AuthWiz.dll
- - - - - - - > 'lsass.exe'(1036)
c:\windows\system32\APSHook.dll
c:\windows\SbHpNp.dll
- - - - - - - > 'explorer.exe'(2628)
c:\windows\system32\APSHook.dll
c:\windows\system32\btmmhook.dll
c:\program files\Common Files\Corel\Shared\Shell Extension\ShellXP.dll
c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Celkový čas: 2010-09-24 11:09:23
ComboFix-quarantined-files.txt 2010-09-24 09:09
ComboFix2.txt 2010-09-24 08:24
Před spuštěním: 9 514 876 928
Po spuštění: 9 500 221 440
WindowsXP-KB310994-SP2-Pro-BootDisk-CSY.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
- - End Of File - - 16F2CF86B2B643B57A8E81062B9A717B
I also admit that the log from safe mode did not get saved, so I am only sending the log from the second scan, this time run in normal mode.
Re: Please check my RSIT log
Could you please look on drive C or in the combofix folder for this log?
ComboFix-quarantined-files.txt 2010-09-24 09:09
Do not use COMBOFIX without an advisor's recommendation, it may damage the system!
Always back up important data before disinfecting the computer
Want to support our forum? Information here

I am easiest to reach at night, between 21:00 and 23:00
If you have any questions, you can write to me at the email Motji(at)forum.viry.cz.
Re: Please check my RSIT log
I found only one file with this name, but it was created at a different time.
Here I am sending a copy:
2010-09-24 08:22:45 . 2010-09-24 08:22:45 171 ----a-w- C:\Qoobox\Quarantine\Registry_backups\WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440}.reg.dat
2010-09-24 08:19:57 . 2010-09-24 09:01:32 12,114 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2010-09-22 21:46:27 . 2010-09-24 08:46:46 408 ----a-w- C:\Qoobox\Quarantine\catchme.log
Re: Please check my RSIT log
Put this file C:\Qoobox into a zip or rar and upload it to www.upload.cz.
Send me the link by private message. I'll have a look at it tomorrow, probably not until the evening

Re: Please check my RSIT log
The site www.upload.cz shows nothing, it probably isn't working; can I send it to you some other way?