prosím o kontrolu logu

[vyosek]

"Jen" cracky ale ne to jsem hledal

Zkuste jeste sken pomoci Dr. Web CureIt http://www.viry.cz/forum/viewtopic.php?f=29&t=47721 - ten ho detekoval i Virustotalu, takze uvidime co najde...

[whistler4]

prebehlo express scanovanie naslo dva virusy len som zabudol skopirovat vysledok ale urcite to boli systemove subory bo uz na mna vybehla tabulka so znenim "Doslo k nahrazeni souboru nezbytnych pro spravnou funkcnost systemu windows soubory neznae verze. Stabilita systemu windows bude zachovana pokud system obnovi puvodni verze techto souboru. Vlozte disk windows XP SP 2 bla bla bla... este spravim ten kompletni scan cez dr. web

[whistler4]

No uz sa mi podaril najst log z dr.web skopiroval som len tie dva viry co naslo

C:\WINDOWS\system32\winlogon.exe infikované Win32.Dat.14 - vyliečené

c:\windows\explorer.exe infikované Win32.Dat.14 - vyliečené

[vyosek]

Fajn, Dr. Web neco vylecil udelejte tedy komplet sken a pak uvidime co bude treba dale...

[whistler4]

no po osem a pol hodinach pribudlo este

C:\Documents and Settings\All Users\Data aplikací\SweetIM\Messenger\update\sweetimsetup.exe infikované Trojan.PWS.Siggen.8028 - neliečiteľné - presunuté
C:\Documents and Settings\Pici\Plocha\ComboFix.exe - vymazané
C:\Documents and Settings\All Users\Dokumenty\Server\hlp.dat infikované Trojan.Hottrend.29 - vymazané

co dalej pocitacovy sensei ?

[vyosek]

Stahnete si ComboFix http://download.bleepingcomputer.com/sUBs/ComboFix.exe jelikoz nam jej Dr.Web smazal a provedte jim sken - log prosim sem

[whistler4]

stale je to tam

ComboFix 10-11-21.01 - Pici . 11. 2010 22:50:42.3.1 - x86
Systém Microsoft Windows XP Professional 5.1.2600.2.1250.421.1029.18.383.138 [GMT 1:00]
Running from: c:\documents and settings\Pici\Dokumenty\Preberanie\ComboFix.exe
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\winlogon.exe . . . is infected!!

c:\windows\explorer.exe . . . is infected!!

.
((((((((((((((((((((((((( Files Created from 2010-10-21 to 2010-11-21 )))))))))))))))))))))))))))))))
.

2010-11-21 10:18 . 2010-11-21 13:08 -------- d-----w- c:\documents and settings\Pici\DoctorWeb
2010-11-19 15:58 . 2010-09-07 16:12 38848 ----a-w- c:\windows\avastSS.scr
2010-11-19 15:24 . 2010-09-07 15:52 165584 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-11-19 15:24 . 2010-09-07 15:47 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-11-19 15:24 . 2010-09-07 15:47 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-11-19 15:24 . 2010-09-07 15:52 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-11-19 15:24 . 2010-09-07 15:47 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-11-19 15:24 . 2010-09-07 15:47 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-11-19 15:24 . 2010-09-07 15:46 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-11-19 15:23 . 2010-09-07 16:11 167592 ----a-w- c:\windows\system32\aswBoot.exe
2010-11-19 15:22 . 2010-11-19 15:22 -------- d-----w- c:\program files\Alwil Software
2010-11-19 15:22 . 2010-11-19 15:22 -------- d-----w- c:\documents and settings\All Users\Data aplikací\Alwil Software
2010-11-19 15:11 . 2010-11-19 15:11 -------- d-----w- c:\program files\Zone Labs
2010-11-19 15:11 . 2010-11-21 21:42 -------- d-----w- c:\windows\Internet Logs
2010-11-19 13:33 . 2010-11-19 15:57 -------- d-----w- c:\program files\trend micro
2010-11-19 13:32 . 2010-11-19 13:33 -------- d-----w- C:\rsit
2010-11-15 16:50 . 2010-11-15 16:50 -------- d-----r- C:\Feast
2010-11-08 20:10 . 2010-11-08 20:10 -------- d-----w- c:\program files\PC Connectivity Solution
2010-11-08 20:08 . 2010-11-08 20:08 -------- d-----w- c:\documents and settings\Pici\Data aplikací\Samsung
2010-11-08 20:07 . 2010-11-08 20:07 -------- d-----w- c:\documents and settings\All Users\Data aplikací\Samsung
2010-11-08 20:07 . 2010-11-08 20:07 -------- d-----w- c:\windows\system32\LogFiles
2010-11-08 20:05 . 2010-11-08 20:07 -------- d-----w- c:\windows\system32\drivers\umdf
2010-11-08 19:52 . 2010-11-08 19:52 -------- d-----w- c:\windows\system32\XPSViewer
2010-11-08 19:52 . 2010-11-08 19:52 -------- d-----w- c:\program files\MSBuild
2010-11-08 19:51 . 2010-11-08 19:51 -------- d-----w- c:\program files\Reference Assemblies
2010-11-08 19:50 . 2008-07-06 12:06 89088 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\filterpipelineprintproc.dll
2010-11-08 19:50 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2010-11-08 19:50 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2010-11-08 19:50 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2010-11-08 19:50 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\Spool\prtprocs\w32x86\printfilterpipelinesvc.exe
2010-11-08 19:50 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2010-11-08 19:50 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2010-11-08 19:50 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2010-11-08 19:50 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2010-11-08 19:45 . 2010-11-08 19:45 -------- d-----w- c:\program files\MSXML 6.0
2010-11-08 19:39 . 2010-11-08 20:07 -------- d-----w- c:\program files\Common Files\Samsung
2010-10-23 17:53 . 2010-10-23 19:47 -------- d-----w- c:\documents and settings\Pici\Data aplikací\Happy Foto
2010-10-23 17:52 . 2010-10-23 17:52 -------- d-----w- c:\program files\HappyFoto

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-18 17:59 . 2010-09-18 17:59 0 ----a-w- c:\documents and settings\Pici\MobilityManager.tmp
.

------- Sigcheck -------

[-] 2004-08-03 21:59 . !HASH: COULD NOT OPEN FILE !!!!! . 95360 . . [------] . . c:\windows\system32\drivers\atapi.sys

[-] 2004-08-17 . 54E0816496EFFFA2C6AD003037C147A1 . 502272 . . [5.1.2600.2180] . . c:\windows\system32\winlogon.exe

[-] 2004-08-17 . F0667F40CB113075FB2382A7C7E550F2 . 1032704 . . [6.00.2900.2180] . . c:\windows\explorer.exe
.
((((((((((((((((((((((((((((( SnapShot@2010-11-19_16.38.44 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-11-21 21:23 . 2010-11-21 21:23 16384 c:\windows\Temp\Perflib_Perfdata_10c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{91da5e8a-3318-4f8c-b67e-5964de3ab546}"= "c:\program files\ZoneAlarm_Security\tbZone.dll" [2010-06-13 2734688]

[HKEY_CLASSES_ROOT\clsid\{91da5e8a-3318-4f8c-b67e-5964de3ab546}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{91da5e8a-3318-4f8c-b67e-5964de3ab546}]
2010-06-13 18:10 2734688 ----a-w- c:\program files\ZoneAlarm_Security\tbZone.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{91da5e8a-3318-4f8c-b67e-5964de3ab546}"= "c:\program files\ZoneAlarm_Security\tbZone.dll" [2010-06-13 2734688]

[HKEY_CLASSES_ROOT\clsid\{91da5e8a-3318-4f8c-b67e-5964de3ab546}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{91DA5E8A-3318-4F8C-B67E-5964DE3AB546}"= "c:\program files\ZoneAlarm_Security\tbZone.dll" [2010-06-13 2734688]

[HKEY_CLASSES_ROOT\clsid\{91da5e8a-3318-4f8c-b67e-5964de3ab546}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"STYLEXP"="c:\program files\TGTSoft\StyleXP\StyleXP.exe" [2005-11-30 1355776]
"Uniblue RegistryBooster 2"="c:\program files\Uniblue\RegistryBooster 2\RegistryBooster.exe" [2007-12-05 1885464]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SMSTray"="c:\program files\Samsung\Samsung Media Studio 5\SMSTray.exe" [2007-12-14 132624]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-09-07 2838912]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2010-09-02 1043968]
"ISW"="c:\program files\CheckPoint\ZAForceField\ForceField.exe" [2010-09-02 738808]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-17 15360]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"STYLEXP"=c:\program files\TGTSoft\StyleXP\StyleXP.exe -Hide

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Alcmtr"=ALCMTR.EXE
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
"Control Center"=c:\program files\ASUS\WLAN Card Utilities\Center.exe
"HControl"=c:\windows\ATK0100\HControl.exe
"NeroFilterCheck"=c:\windows\system32\NeroCheck.exe
"RTHDCPL"=RTHDCPL.EXE
"SMSERIAL"=sm56hlpr.exe
"SynTPEnh"=c:\program files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\ICQ6.5\\ICQ.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"=

R0 a347bus;a347bus;c:\windows\system32\drivers\a347bus.sys [26. 12. 2009 19:05 160640]
R0 a347scsi;a347scsi;c:\windows\system32\drivers\a347scsi.sys [26. 12. 2009 19:05 5248]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [19. 11. 2010 16:24 165584]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [19. 11. 2010 16:24 17744]
R2 ISWKL;ZoneAlarm Toolbar ISWKL;c:\program files\CheckPoint\ZAForceField\ISWKL.sys [2. 9. 2010 13:26 26872]
R2 IswSvc;ZoneAlarm Toolbar IswSvc;c:\program files\CheckPoint\ZAForceField\ISWSVC.exe [2. 9. 2010 13:26 493048]
R3 ft1000;Flarion Flash OFDM wireless service;c:\windows\system32\drivers\ft1000.sys [17. 9. 2008 20:39 62208]
R3 SynMini;USB2.0 1.3M WebCam;c:\windows\system32\drivers\SynMini.sys [17. 9. 2008 18:03 1056512]
R3 SynScan;USB2.0 1.3M WebCam Still Image;c:\windows\system32\drivers\SynScan.sys [17. 9. 2008 18:03 8064]
S2 FMMService;FMMService;c:\progra~1\MOBILI~1\FMMSER~1.EXE [17. 9. 2008 20:39 40960]
S2 FsUsbExService;FsUsbExService;c:\windows\system32\FsUsbExService.Exe --> c:\windows\system32\FsUsbExService.Exe [?]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.azet.sk/
IE: E&xportovat do aplikace Microsoft Office Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: {{CC963627-B1DC-40E0-B52A-CF21EE748450} - {CC963627-B1DC-40E0-B52A-CF21EE748450} - c:\progra~1\PCTRAN~1\webie.dll
IE: {{CC963627-B1DC-40E0-B52A-CF21EE748451} - {CC963627-B1DC-40E0-B52A-CF21EE748451} - c:\progra~1\PCTRAN~1\webie.dll
IE: {{CC963627-B1DC-40E0-B52A-CF21EE748452} - {CC963627-B1DC-40E0-B52A-CF21EE748452} - c:\progra~1\PCTRAN~1\webie.dll
TCP: {59FEECEF-2DF0-4548-80C1-1D989938E333} = 172.20.21.235
FF - ProfilePath - c:\documents and settings\Pici\Data aplikací\Mozilla\Firefox\Profiles\x1kwr4rn.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2645238&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - ZoneAlarm Security Customized Web Search
FF - prefs.js: keyword.URL - hxxp://search.icq.com/search/afe_results.php?ch_id=afex&q=
FF - component: c:\documents and settings\Pici\Data aplikací\Mozilla\Firefox\Profiles\x1kwr4rn.default\extensions\{91da5e8a-3318-4f8c-b67e-5964de3ab546}\components\FFExternalAlert.dll
FF - component: c:\documents and settings\Pici\Data aplikací\Mozilla\Firefox\Profiles\x1kwr4rn.default\extensions\{91da5e8a-3318-4f8c-b67e-5964de3ab546}\components\RadioWMPCore.dll
FF - component: c:\program files\CheckPoint\ZAForceField\TrustChecker\components\TrustCheckerMozillaPlugin.dll
FF - plugin: c:\program files\CheckPoint\ZAForceField\TrustChecker\bin\npFFApi.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified
c:\program files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".sk");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-11-21 22:58
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(900)
c:\windows\system32\Ati2evxx.dll
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll

- - - - - - - > 'lsass.exe'(956)
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
.
Completion time: 2010-11-21 23:01:10
ComboFix-quarantined-files.txt 2010-11-21 22:01
ComboFix2.txt 2010-11-20 11:51
ComboFix3.txt 2010-11-19 16:40

Pre-Run: 247 197 696
Post-Run: 293 752 832

- - End Of File - - 3A2A5E24C9F5FA85B538B7D7C76281B2

[vyosek]

Uvolnete volne misto alespon na 3 giga, jinak se Vam windows udusi...

Stahnete SytemLook (viz muj podpis) a ulozte jej na plochu

• Do okna vlozte skript nize

• Kód: Vybrat vše

  :filefind
  explorer.exe
  winlogon.exe
  atapi.sys

• Kliknete na Look
• Tlacitko Look se zmeni na Scanning a zsedne
• Pockejte pokud se tlacitko Scanning opet nezmeni na Look - tak poznate ze SystemLook dokoncil svou praci
• Vyskoci na Vas log s nazvem SystemLook (pripadne bude ulozen na plose), jeho obsah mi sem vlozte

[whistler4]

SystemLook 04.09.10 by jpshortstuff
Log created at 23:40 on 21/11/2010 by Pici
Administrator - Elevation successful

========== filefind ==========

Searching for "explorer.exe"
C:\WINDOWS\explorer.exe --a---- 1032704 bytes [14:49 17/08/2004] [14:49 17/08/2004] F0667F40CB113075FB2382A7C7E550F2

Searching for "winlogon.exe"
C:\WINDOWS\system32\winlogon.exe --a---- 502272 bytes [14:49 17/08/2004] [14:49 17/08/2004] 54E0816496EFFFA2C6AD003037C147A1

Searching for "atapi.sys"
C:\WINDOWS\system32\drivers\atapi.sys --a---- 95360 bytes [21:59 03/08/2004] [21:59 03/08/2004] (Unable to calculate MD5)

-= EOF =-

[vyosek]

Stahnete si z prilohy tyto tri soubory http://leteckaposta.cz/385004367 a ulozte je primo na disk C:\

Pokud nemate, tak presunte Combofix na plochu

• Spustte poznamkovy blok (Start-spustit-notepad)
• Zkopirujte skript nize

• Kód: Vybrat vše

  FCopy::
  C:\explorer.exe | C:\WINDOWS\explorer.exe
  C:\winlogon.exe | C:\WINDOWS\system32\winlogon.exe
  C:\ATAPI.SYS | C:\WINDOWS\system32\drivers\atapi.sys

• Ulozte vytvoreny TXT jako CFScript.txt
• Pretahnete vytvoreny CFScript.txt nad Combofix a pustte (viz obrazek nize)
  
• Po aplikaci skriptu (a pripadnem restartu) na Vas vypadne log, jeho obsah sem vlozte

Muze se stat, ze po aplikaci skriptu nenabehnou windows, v tomto pripade restartuje PC a mackejte F8 a zvolte Posledni znamou konfiguraci

[whistler4]

ComboFix 10-11-21.01 - Pici . 11. 2010 0:01.4.1 - x86
Systém Microsoft Windows XP Professional 5.1.2600.2.1250.421.1029.18.383.179 [GMT 1:00]
Running from: c:\documents and settings\Pici\Plocha\ComboFix.exe
Command switches used :: c:\documents and settings\Pici\Plocha\CFScript.txt
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.
ADS - explorer.exe: deleted 26 bytes in 1 streams.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\explorer.exe
C:\winlogon.exe

.
--------------- FCopy ---------------

c:\explorer.exe --> c:\WINDOWS\explorer.exe
c:\winlogon.exe --> c:\WINDOWS\system32\winlogon.exe
c:\atapi.sys --> c:\WINDOWS\system32\drivers\atapi.sys
.
((((((((((((((((((((((((( Files Created from 2010-10-21 to 2010-11-21 )))))))))))))))))))))))))))))))
.

2010-11-21 23:01 . 2010-11-21 23:01 -------- d-----w- c:\windows\LastGood
2010-11-21 23:01 . 2010-11-21 22:54 27600 ----a-w- c:\windows\system32\drivers\OLDB.tmp
2010-11-21 22:54 . 2010-11-21 22:54 27600 ------w- C:\ATAPI.SYS
2010-11-21 10:18 . 2010-11-21 13:08 -------- d-----w- c:\documents and settings\Pici\DoctorWeb
2010-11-19 15:58 . 2010-09-07 16:12 38848 ----a-w- c:\windows\avastSS.scr
2010-11-19 15:24 . 2010-09-07 15:52 165584 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-11-19 15:24 . 2010-09-07 15:47 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-11-19 15:24 . 2010-09-07 15:47 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-11-19 15:24 . 2010-09-07 15:52 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-11-19 15:24 . 2010-09-07 15:47 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-11-19 15:24 . 2010-09-07 15:47 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-11-19 15:24 . 2010-09-07 15:46 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-11-19 15:23 . 2010-09-07 16:11 167592 ----a-w- c:\windows\system32\aswBoot.exe
2010-11-19 15:22 . 2010-11-19 15:22 -------- d-----w- c:\program files\Alwil Software
2010-11-19 15:22 . 2010-11-19 15:22 -------- d-----w- c:\documents and settings\All Users\Data aplikací\Alwil Software
2010-11-19 15:11 . 2010-11-19 15:11 -------- d-----w- c:\program files\Zone Labs
2010-11-19 15:11 . 2010-11-21 22:59 -------- d-----w- c:\windows\Internet Logs
2010-11-19 13:33 . 2010-11-19 15:57 -------- d-----w- c:\program files\trend micro
2010-11-19 13:32 . 2010-11-19 13:33 -------- d-----w- C:\rsit
2010-11-15 16:50 . 2010-11-15 16:50 -------- d-----r- C:\Feast
2010-11-08 20:10 . 2010-11-08 20:10 -------- d-----w- c:\program files\PC Connectivity Solution
2010-11-08 20:08 . 2010-11-08 20:08 -------- d-----w- c:\documents and settings\Pici\Data aplikací\Samsung
2010-11-08 20:07 . 2010-11-08 20:07 -------- d-----w- c:\documents and settings\All Users\Data aplikací\Samsung
2010-11-08 20:07 . 2010-11-08 20:07 -------- d-----w- c:\windows\system32\LogFiles
2010-11-08 20:05 . 2010-11-08 20:07 -------- d-----w- c:\windows\system32\drivers\umdf
2010-11-08 19:52 . 2010-11-08 19:52 -------- d-----w- c:\windows\system32\XPSViewer
2010-11-08 19:52 . 2010-11-08 19:52 -------- d-----w- c:\program files\MSBuild
2010-11-08 19:51 . 2010-11-08 19:51 -------- d-----w- c:\program files\Reference Assemblies
2010-11-08 19:50 . 2008-07-06 12:06 89088 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\filterpipelineprintproc.dll
2010-11-08 19:50 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2010-11-08 19:50 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2010-11-08 19:50 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2010-11-08 19:50 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\Spool\prtprocs\w32x86\printfilterpipelinesvc.exe
2010-11-08 19:50 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2010-11-08 19:50 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2010-11-08 19:50 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2010-11-08 19:50 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2010-11-08 19:45 . 2010-11-08 19:45 -------- d-----w- c:\program files\MSXML 6.0
2010-11-08 19:39 . 2010-11-08 20:07 -------- d-----w- c:\program files\Common Files\Samsung
2010-10-23 17:53 . 2010-10-23 19:47 -------- d-----w- c:\documents and settings\Pici\Data aplikací\Happy Foto
2010-10-23 17:52 . 2010-10-23 17:52 -------- d-----w- c:\program files\HappyFoto

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-21 22:54 . 2004-08-17 14:49 1034240 ----a-w- c:\windows\explorer.exe
2010-11-21 22:54 . 2004-08-17 14:49 507904 ----a-w- c:\windows\system32\winlogon.exe
2010-09-18 17:59 . 2010-09-18 17:59 0 ----a-w- c:\documents and settings\Pici\MobilityManager.tmp
.

------- Sigcheck -------

[-] 2010-11-21 . CDDB1F8E1AEA356F3AD106F2CF9B7FEA . 507904 . . [5.1.2600.5512] . . c:\windows\system32\winlogon.exe

[-] 2010-11-21 . 27AFD587C462E280EE046B8CCA3C2CD1 . 1034240 . . [6.00.2900.5512] . . c:\windows\explorer.exe
.
((((((((((((((((((((((((((((( SnapShot@2010-11-19_16.38.44 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-11-21 22:34 . 2010-11-21 22:34 16384 c:\windows\Temp\Perflib_Perfdata_14c.dat
+ 2004-08-03 21:59 . 2004-08-03 21:59 95360 c:\windows\system32\dllcache\atapi.sys
+ 2010-11-21 23:01 . 2010-11-21 22:54 27600 c:\windows\LastGood\system32\drivers\atapi.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{91da5e8a-3318-4f8c-b67e-5964de3ab546}"= "c:\program files\ZoneAlarm_Security\tbZone.dll" [2010-06-13 2734688]

[HKEY_CLASSES_ROOT\clsid\{91da5e8a-3318-4f8c-b67e-5964de3ab546}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{91da5e8a-3318-4f8c-b67e-5964de3ab546}]
2010-06-13 18:10 2734688 ----a-w- c:\program files\ZoneAlarm_Security\tbZone.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{91da5e8a-3318-4f8c-b67e-5964de3ab546}"= "c:\program files\ZoneAlarm_Security\tbZone.dll" [2010-06-13 2734688]

[HKEY_CLASSES_ROOT\clsid\{91da5e8a-3318-4f8c-b67e-5964de3ab546}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{91DA5E8A-3318-4F8C-B67E-5964DE3AB546}"= "c:\program files\ZoneAlarm_Security\tbZone.dll" [2010-06-13 2734688]

[HKEY_CLASSES_ROOT\clsid\{91da5e8a-3318-4f8c-b67e-5964de3ab546}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"STYLEXP"="c:\program files\TGTSoft\StyleXP\StyleXP.exe" [2005-11-30 1355776]
"Uniblue RegistryBooster 2"="c:\program files\Uniblue\RegistryBooster 2\RegistryBooster.exe" [2007-12-05 1885464]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SMSTray"="c:\program files\Samsung\Samsung Media Studio 5\SMSTray.exe" [2007-12-14 132624]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-09-07 2838912]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2010-09-02 1043968]
"ISW"="c:\program files\CheckPoint\ZAForceField\ForceField.exe" [2010-09-02 738808]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-17 15360]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"STYLEXP"=c:\program files\TGTSoft\StyleXP\StyleXP.exe -Hide

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Alcmtr"=ALCMTR.EXE
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
"Control Center"=c:\program files\ASUS\WLAN Card Utilities\Center.exe
"HControl"=c:\windows\ATK0100\HControl.exe
"NeroFilterCheck"=c:\windows\system32\NeroCheck.exe
"RTHDCPL"=RTHDCPL.EXE
"SMSERIAL"=sm56hlpr.exe
"SynTPEnh"=c:\program files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\ICQ6.5\\ICQ.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"=

R0 a347bus;a347bus;c:\windows\system32\drivers\a347bus.sys [26. 12. 2009 19:05 160640]
R0 a347scsi;a347scsi;c:\windows\system32\drivers\a347scsi.sys [26. 12. 2009 19:05 5248]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [19. 11. 2010 16:24 165584]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [19. 11. 2010 16:24 17744]
R2 ISWKL;ZoneAlarm Toolbar ISWKL;c:\program files\CheckPoint\ZAForceField\ISWKL.sys [2. 9. 2010 13:26 26872]
R2 IswSvc;ZoneAlarm Toolbar IswSvc;c:\program files\CheckPoint\ZAForceField\ISWSVC.exe [2. 9. 2010 13:26 493048]
R3 ft1000;Flarion Flash OFDM wireless service;c:\windows\system32\drivers\ft1000.sys [17. 9. 2008 20:39 62208]
R3 SynMini;USB2.0 1.3M WebCam;c:\windows\system32\drivers\SynMini.sys [17. 9. 2008 18:03 1056512]
R3 SynScan;USB2.0 1.3M WebCam Still Image;c:\windows\system32\drivers\SynScan.sys [17. 9. 2008 18:03 8064]
S2 FMMService;FMMService;c:\progra~1\MOBILI~1\FMMSER~1.EXE [17. 9. 2008 20:39 40960]
S2 FsUsbExService;FsUsbExService;c:\windows\system32\FsUsbExService.Exe --> c:\windows\system32\FsUsbExService.Exe [?]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.azet.sk/
IE: E&xportovat do aplikace Microsoft Office Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: {{CC963627-B1DC-40E0-B52A-CF21EE748450} - {CC963627-B1DC-40E0-B52A-CF21EE748450} - c:\progra~1\PCTRAN~1\webie.dll
IE: {{CC963627-B1DC-40E0-B52A-CF21EE748451} - {CC963627-B1DC-40E0-B52A-CF21EE748451} - c:\progra~1\PCTRAN~1\webie.dll
IE: {{CC963627-B1DC-40E0-B52A-CF21EE748452} - {CC963627-B1DC-40E0-B52A-CF21EE748452} - c:\progra~1\PCTRAN~1\webie.dll
TCP: {59FEECEF-2DF0-4548-80C1-1D989938E333} = 172.20.21.235
FF - ProfilePath - c:\documents and settings\Pici\Data aplikací\Mozilla\Firefox\Profiles\x1kwr4rn.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2645238&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - ZoneAlarm Security Customized Web Search
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2645238&q=
FF - component: c:\documents and settings\Pici\Data aplikací\Mozilla\Firefox\Profiles\x1kwr4rn.default\extensions\{91da5e8a-3318-4f8c-b67e-5964de3ab546}\components\FFExternalAlert.dll
FF - component: c:\documents and settings\Pici\Data aplikací\Mozilla\Firefox\Profiles\x1kwr4rn.default\extensions\{91da5e8a-3318-4f8c-b67e-5964de3ab546}\components\RadioWMPCore.dll
FF - component: c:\program files\CheckPoint\ZAForceField\TrustChecker\components\TrustCheckerMozillaPlugin.dll
FF - plugin: c:\program files\CheckPoint\ZAForceField\TrustChecker\bin\npFFApi.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified
c:\program files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".sk");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-11-22 00:09
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(904)
c:\windows\system32\Ati2evxx.dll
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll

- - - - - - - > 'lsass.exe'(960)
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
.
Completion time: 2010-11-22 00:11:26
ComboFix-quarantined-files.txt 2010-11-21 23:11
ComboFix2.txt 2010-11-21 22:01
ComboFix3.txt 2010-11-20 11:51
ComboFix4.txt 2010-11-19 16:40

Pre-Run: 3 646 500 864
Post-Run: 3 632 640 000

- - End Of File - - 372B79C1CA389DAE34A09739EEB571A2

[vyosek]

Nasledujici soubory otestujte na VirusTotalu (viz muj podpis)

• c:\windows\system32\winlogon.exe
  c:\windows\explorer.exe
• Kliknete na Prochazet
• Soubor nehledejte, jen vlozte cestu souboru, ktery chci otestovat
• Kliknete na Send File
• Pokud na Vas vyskoci obrazovka jako je nize, tak kliknete na ReAnalyse
  
• Vysledek analyzy sem vlozte (jako odkaz)

[whistler4]

http://www.virustotal.com/file-scan/rep ... 1290381456

http://www.virustotal.com/file-scan/rep ... 1290381659

[vyosek]

Udelejte jeste preventivne MBAM
Stahnete Malwarebytes' Anti-Malware (zkracene MBAM) (viz muj podpis)

• Provedte aktualizaci - treti zalozka
• Provedte uplny sken - nic nemazte
• MBAM miva obcas falesne detekce, proto vlozte log do prispevku a pockejte na posouzeni

[whistler4]

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Verze databáze: 5170

Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

22. 11. 2010 18:30:48
mbam-log-2010-11-22 (18-30-48).txt

Typ skenu: Rychlý sken
Skenované objekty: 141887
Uplynulý čas: 13 minuta(y), 44 sekunda(y)

Infikované procesy v paměti: 0
Infikované moduly v paměti: 0
Infikované klíče registru: 1
Infikované hodnoty registru: 0
Infikované datové položky registru: 0
Infikované složky: 1
Infikované soubory: 1

Infikované procesy v paměti:
(Žádné škodlivé položky nebyly zjištěny)

Infikované moduly v paměti:
(Žádné škodlivé položky nebyly zjištěny)

Infikované klíče registru:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{67mad6m8-1mad-81ad-mad6-32op5g1234521} (Trojan.Refroso) -> No action taken.

Infikované hodnoty registru:
(Žádné škodlivé položky nebyly zjištěny)

Infikované datové položky registru:
(Žádné škodlivé položky nebyly zjištěny)

Infikované složky:
C:\Feast\Ival (Trojan.Refroso) -> No action taken.

Infikované soubory:
C:\Feast\Ival\desKtOp.InI (Trojan.Refroso) -> No action taken.