Trojan Generic4_c.B FAA + zasílám log

[AsiStarnu]

zasilam log z CF:

ComboFix 11-10-02.03 - Jmeno Prijmeni 03.10.2011 17:24:51.3.1 - x86
Systém Microsoft Windows XP Professional 5.1.2600.3.1250.420.1029.18.2047.1633 [GMT 2:00]
Spuštěný z: c:\documents and settings\Jmeno Prijmeni\Plocha\ComboFix.exe
Použité ovládací přepínače :: c:\documents and settings\Jmeno Prijmeni\Plocha\CFScript.txt
AV: AVG Anti-Virus Free *Disabled/Outdated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
.
.
((((((((((((((((((((((((((((((((((((((( Ostatní výmazy )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\$NtUninstallKB47530$
c:\windows\$NtUninstallKB47530$\1510701693
c:\windows\$NtUninstallKB47530$\3403910326\@
c:\windows\$NtUninstallKB47530$\3403910326\click.tlb
c:\windows\$NtUninstallKB47530$\3403910326\L\eeyjymue
c:\windows\$NtUninstallKB47530$\3403910326\loader.tlb
c:\windows\$NtUninstallKB47530$\3403910326\U\@00000001
c:\windows\$NtUninstallKB47530$\3403910326\U\@000000c0
c:\windows\$NtUninstallKB47530$\3403910326\U\@000000cb
c:\windows\$NtUninstallKB47530$\3403910326\U\@000000cf
c:\windows\$NtUninstallKB47530$\3403910326\U\@80000000
c:\windows\$NtUninstallKB47530$\3403910326\U\@800000c0
c:\windows\$NtUninstallKB47530$\3403910326\U\@800000cb
c:\windows\$NtUninstallKB47530$\3403910326\U\@800000cf
c:\windows\{2521BB91-29B1-4d7e-9137-AC9875D77735}
c:\windows\3062686666
c:\windows\system32\
c:\windows\system32\c_29595.nls
c:\windows\Tasks\At1.job
c:\windows\Tasks\At2.job
c:\windows\Tasks\At3.job
c:\windows\Tasks\At4.job
.
Nakažená kopie c:\windows\system32\drivers\ipsec.sys byla nalezena a vyléčena.
Obnovena kopie z - The cat found it
Nakažená kopie c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe byla nalezena a vyléčena.
Obnovena kopie z - c:\system volume information\_restore{41696BCA-D864-473A-813F-ACE914A534A8}\RP497\A0060278.exe
.
Nakažená kopie c:\program files\HP\HPLaserJetService\HPLaserJetService.exe byla nalezena a vyléčena.
Obnovena kopie z - c:\system volume information\_restore{41696BCA-D864-473A-813F-ACE914A534A8}\RP497\A0060279.exe
.
Nakažená kopie c:\program files\Java\jre6\bin\jqs.exe byla nalezena a vyléčena.
Obnovena kopie z - c:\system volume information\_restore{41696BCA-D864-473A-813F-ACE914A534A8}\RP497\A0060280.exe
.
Nakažená kopie c:\windows\system32\nvsvc32.exe byla nalezena a vyléčena.
Obnovena kopie z - c:\windows\system32\ReinstallBackups\0002\DriverFiles\nvsvc32.exe
.
Nakažená kopie c:\program files\PC Connectivity Solution\ServiceLayer.exe byla nalezena a vyléčena.
Obnovena kopie z - c:\system volume information\_restore{41696BCA-D864-473A-813F-ACE914A534A8}\RP497\A0060287.exe
.
Nakažená kopie c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe byla nalezena a vyléčena.
Obnovena kopie z - c:\system volume information\_restore{41696BCA-D864-473A-813F-ACE914A534A8}\RP497\A0060282.exe
.
Nakažená kopie c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe byla nalezena a vyléčena.
Obnovena kopie z - c:\system volume information\_restore{41696BCA-D864-473A-813F-ACE914A534A8}\RP497\A0060278.exe
Nakažená kopie c:\program files\HP\HPLaserJetService\HPLaserJetService.exe byla nalezena a vyléčena.
Obnovena kopie z - c:\system volume information\_restore{41696BCA-D864-473A-813F-ACE914A534A8}\RP497\A0060279.exe
Nakažená kopie c:\program files\PC Connectivity Solution\ServiceLayer.exe byla nalezena a vyléčena.
Obnovena kopie z - c:\system volume information\_restore{41696BCA-D864-473A-813F-ACE914A534A8}\RP497\A0060287.exe
.
((((((((((((((((((((((((((((((((((((((( Ovladače/Služby )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_MPKSL28F47B8E
-------\Legacy_MPKSL2ABB79E2
-------\Legacy_MPKSL36D7F4B0
-------\Legacy_MPKSL379EB399
-------\Legacy_MPKSL4D5D5701
-------\Legacy_MPKSL57125E51
-------\Legacy_MPKSLB9C4A084
-------\Legacy_MPKSLBAC20B24
-------\Legacy_MPKSLCE198258
-------\Legacy_MPKSLCFC28278
-------\Legacy_MPKSLD2DA1B9F
-------\Legacy_MPKSLECD6124D
-------\Service_cae38cb6
-------\Service_MpKsl28f47b8e
-------\Service_MpKsl2abb79e2
-------\Service_MpKsl36d7f4b0
-------\Service_MpKsl379eb399
-------\Service_MpKsl4d5d5701
-------\Service_MpKsl57125e51
-------\Service_MpKslb9c4a084
-------\Service_MpKslbac20b24
-------\Service_MpKslce198258
-------\Service_MpKslcfc28278
-------\Service_MpKsld2da1b9f
-------\Service_MpKslecd6124d
.
.
((((((((((((((((((((((((( Soubory vytvořené od 2011-09-03 do 2011-10-03 )))))))))))))))))))))))))))))))
.
.
2011-10-03 14:43 . 2011-10-03 14:43 48016 --sha-w- c:\windows\system32\c_29595.nl_
2011-09-07 10:22 . 2011-09-16 08:51 -------- d-----w- C:\$AVG8.VAULT$
2011-09-07 08:31 . 2010-03-29 15:33 438272 ----a-w- c:\windows\system32\CNQ2414L.dll
2011-09-07 08:31 . 2010-03-18 15:12 1335296 ----a-w- c:\windows\system32\CNQ2414C.dll
2011-09-07 08:31 . 2010-03-18 15:12 114688 ----a-w- c:\windows\system32\CNQ2414I.dll
2011-09-07 08:31 . 2010-03-18 15:11 106496 ----a-w- c:\windows\system32\CNQ2414U.dll
2011-09-07 08:31 . 2008-08-25 16:02 15872 ----a-w- c:\windows\system32\CNHMCA.dll
2011-09-07 08:30 . 2011-09-07 08:30 -------- d-----w- c:\program files\Common Files\CANON
2011-09-07 08:30 . 2011-09-07 08:30 -------- d-----w- c:\documents and settings\All Users\Data aplikací\CanonIJWSpt
2011-09-07 08:29 . 2010-03-11 08:56 180224 ----a-w- c:\windows\system32\CNQ2414Y.dll
2011-09-07 08:29 . 2010-01-13 14:03 94208 ----a-w- c:\windows\system32\CNQ2414O.dll
2011-09-07 08:00 . 2011-09-07 08:00 -------- d-----w- c:\documents and settings\All Users\Data aplikací\HP
2011-09-07 07:59 . 2011-09-07 07:59 -------- d-----w- c:\documents and settings\All Users\Documents
2011-09-07 07:58 . 2010-05-12 16:33 86840 ----a-r- c:\windows\system32\hppccompio.dll
2011-09-07 07:58 . 2010-05-12 16:33 66872 ----a-r- c:\windows\system32\Spool\prtprocs\w32x86\HPCP1020PP.DLL
2011-09-07 07:58 . 2010-05-12 16:33 318264 ----a-r- c:\windows\system32\hpbcoins64.dll
2011-09-07 07:58 . 2010-05-12 16:33 245048 ----a-r- c:\windows\system32\hpbcoins32.dll
2011-09-07 07:58 . 2010-05-12 16:33 126264 ----a-r- c:\windows\system32\HPCP1020LM.dll
2011-09-07 07:58 . 2010-05-12 16:33 26936 ----a-r- c:\windows\system32\drivers\hppcgenio.sys
2011-09-07 07:58 . 2010-05-12 16:33 20792 ----a-r- c:\windows\system32\drivers\hppcbulkio.sys
2011-09-07 07:58 . 2010-05-12 16:33 195384 ----a-r- c:\windows\system32\hpmldm01.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-10-03 14:42 . 2006-03-02 12:00 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-09-09 09:12 . 2006-03-02 12:00 602112 ----a-w- c:\windows\system32\crypt32.dll
2011-09-08 09:07 . 2011-05-26 06:55 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-08-30 12:00 . 2011-08-30 12:00 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-08-30 12:00 . 2011-08-30 12:00 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-08-30 11:42 . 2011-08-30 11:42 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2011-08-30 11:41 . 2011-08-30 11:41 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2011-08-30 11:41 . 2011-08-30 11:41 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2011-08-30 11:41 . 2011-08-30 11:41 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2011-07-08 14:02 . 2006-03-02 12:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
.
.
((((((((((((((((((((((((((((( SnapShot_2011-10-03_11.46.22 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-10-03 15:34 . 2011-10-03 15:34 16384 c:\windows\temp\Perflib_Perfdata_94.dat
.
(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Rainlendar2"="c:\program files\Rainlendar2\Rainlendar2.exe" [2009-08-22 5148672]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-17 13574144]
"nwiz"="nwiz.exe" [2008-09-17 1657376]
"RTHDCPL"="RTHDCPL.EXE" [2008-04-10 16861184]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-09-17 86016]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2011-09-07 2048352]
"HP CP1020 System Tray"="c:\program files\HP\HP LaserJet Professional CP1020 Series\HPCP1020STRAY.EXE" [2010-05-12 2627384]
"CanonSolutionMenuEx"="c:\program files\Canon\Solution Menu EX\CNSEMAIN.EXE" [2010-04-02 1185112]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2010-02-28 519584]
.
c:\documents and settings\Jmeno Prijmeni\Nabˇdka Start\Programy\Po spuçtŘnˇ\
OpenOffice.org 3.3.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2010-12-13 1198592]
.
c:\documents and settings\All Users\Nabˇdka Start\Programy\Po spuçtŘnˇ\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-5-12 581693]
ColorVisionStartup.lnk - c:\program files\ColorVision\Utility\ColorVisionStartup.exe [2006-1-31 385024]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2011-08-30 11:42 11952 ----a-w- c:\windows\system32\avgrsstx.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\Java\\Java Update\\jucheck.exe"=
"c:\\Program Files\\Nokia\\Nokia PC Suite 7\\PCSuite.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\FileZilla FTP Client\\filezilla.exe"=
"c:\\Program Files\\Mozilla Thunderbird\\thunderbird.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\WinSCP\\WinSCP.exe"=
"c:\\WINDOWS\\system32\\dwwin.exe"=
"c:\\Documents and Settings\\Jmeno Prijmeni\\Dokumenty\\Stažené soubory\\RSIT.exe"=
"c:\\Program Files\\STORMWARE\\POHODA\\StwUpdater.exe"=
"c:\\Program Files\\STORMWARE\\POHODA\\StwPh.exe"=
.
R2 HP LaserJet Service;HP LaserJet Service;c:\program files\HP\HPLaserJetService\HPLaserJetService.exe [12.4.2010 9:13 142336]
R3 HPFXBULKLEDM;HPFXBULKLEDM;c:\windows\system32\drivers\hppcbulkio.sys [7.9.2011 9:58 20792]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [18.3.2010 13:16 130384]
S3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe [15.8.2008 6:46 284016]
S3 FLASHSYS;FLASHSYS;c:\program files\MSI\Live Update 4\LU4\FlashSys.sys [1.12.2009 14:10 9216]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [18.3.2010 13:16 753504]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\sqladhlp.exe [3.4.2010 20:56 44896]
S4 RsFx0150;RsFx0150 Driver;c:\windows\system32\drivers\RsFx0150.sys [3.4.2010 11:02 240608]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL10_50.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [3.4.2010 20:56 367456]
.
.
------- Doplňkový sken -------
.
uStart Page = hxxp://www.google.cz/
IE: E&xportovat do aplikace Microsoft Excel - c:\progra~1\MICROS~4\Office14\EXCEL.EXE/3000
IE: Od&eslat do aplikace OneNote - c:\progra~1\MICROS~4\Office14\ONBttnIE.dll/105
IE: Převést cíl vazby do Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Převést do Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: Připojit cíl vazby k existujícímu PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Připojit k existujícímu PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Send To &Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
TCP: Interfaces\{9F197DCB-A24E-4E1B-8E00-E01343FDCF9F}: NameServer = 10.0.0.138
FF - ProfilePath - c:\documents and settings\Jmeno Prijmeni\Data aplikací\Mozilla\Firefox\Profiles\oolt324t.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.dobrysluha.cz
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: 602XML Filler: xmlfiller@software602.cz - c:\program files\Mozilla Firefox\extensions\xmlfiller@software602.cz
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: PC Sync 2 Synchronisation Extension: bkmrksync@nokia.com - c:\program files\Nokia\Nokia PC Suite 7\bkmrksync
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Google Toolbar for Firefox: {3112ca9c-de6d-4884-a869-9855de68056c} - %profile%\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
FF - Ext: Web Developer: {c45c406e-ab73-11d8-be73-000a95be3b12} - %profile%\extensions\{c45c406e-ab73-11d8-be73-000a95be3b12}
FF - Ext: Firebug: firebug@software.joehewitt.com - %profile%\extensions\firebug@software.joehewitt.com
.
- - - - NEPLATNÉ POLOŽKY ODSTRANĚNÉ Z REGISTRU - - - -
.
SafeBoot-97095531.sys
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-10-03 17:34
Windows 5.1.2600 Service Pack 3 NTFS
.
skenování skrytých procesů ...
.
skenování skrytých položek 'Po spuštění' ...
.
skenování skrytých souborů ...
.
sken byl úspešně dokončen
skryté soubory: 0
.
**************************************************************************
.
--------------------- Knihovny navázané na běžící procesy ---------------------
.
- - - - - - - > 'explorer.exe'(240)
c:\windows\system32\msi.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\btncopy.dll
c:\program files\Nokia\Nokia PC Suite 7\PhoneBrowser.dll
c:\program files\Nokia\Nokia PC Suite 7\NGSCM.DLL
c:\program files\Nokia\Nokia PC Suite 7\Lang\PhoneBrowser_cze.nlr
c:\program files\Nokia\Nokia PC Suite 7\Resource\PhoneBrowser_Nokia.ngr
c:\program files\WinSCP\DragExt.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Jiné spuštené procesy ------------------------
.
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Microsoft SQL Server\MSSQL10_50.SQLEXPRESS\MSSQL\Binn\sqlservr.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\windows\system32\SearchIndexer.exe
c:\windows\system32\wscntfy.exe
c:\windows\RTHDCPL.EXE
c:\windows\system32\RUNDLL32.EXE
c:\program files\OpenOffice.org 3\program\soffice.exe
c:\progra~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
c:\program files\OpenOffice.org 3\program\soffice.bin
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
.
**************************************************************************
.
Celkový čas: 2011-10-03 17:38:28 - počítač byl restartován
ComboFix-quarantined-files.txt 2011-10-03 15:38
ComboFix2.txt 2011-10-03 11:53
ComboFix3.txt 2011-04-27 08:28
.
Před spuštěním: Volných bajtů: 83 083 759 616
Po spuštění: Volných bajtů: 83 086 319 616
.
- - End Of File - - 969A7DFB6F51311D32E47BA858D6455D

[vyosek]

Takze si dame dalsi skript pro CFko - postup je stejny

Kód: Vybrat vše

KillAll::

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"=-

Folder::
c:\progra~1\AVG
C:\$AVG8.VAULT$

Replicator::

Reboot::

[AsiStarnu]

Dobry den,
zasilam log z CF:

*-*-*-
ComboFix 11-10-03.01 - Jmeno Prijmeni 04.10.2011 9:50.4.1 - x86
Systém Microsoft Windows XP Professional 5.1.2600.3.1250.420.1029.18.1023.477 [GMT 2:00]
Spuštěný z: c:\combofix\ComboFix.exe
Použité ovládací přepínače :: c:\documents and settings\Jmeno Prijmeni\Plocha\CFScript.txt
AV: AVG Anti-Virus Free *Disabled/Outdated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
.
.
((((((((((((((((((((((((( Soubory vytvořené od 2011-09-04 do 2011-10-04 )))))))))))))))))))))))))))))))
.
.
2011-10-03 14:43 . 2011-10-03 14:43 48016 --sha-w- c:\windows\system32\c_29595.nl_
2011-09-07 10:22 . 2011-09-16 08:51 -------- d-----w- C:\$AVG8.VAULT$
2011-09-07 08:31 . 2010-03-29 15:33 438272 ----a-w- c:\windows\system32\CNQ2414L.dll
2011-09-07 08:31 . 2010-03-18 15:12 1335296 ----a-w- c:\windows\system32\CNQ2414C.dll
2011-09-07 08:31 . 2010-03-18 15:12 114688 ----a-w- c:\windows\system32\CNQ2414I.dll
2011-09-07 08:31 . 2010-03-18 15:11 106496 ----a-w- c:\windows\system32\CNQ2414U.dll
2011-09-07 08:31 . 2008-08-25 16:02 15872 ----a-w- c:\windows\system32\CNHMCA.dll
2011-09-07 08:30 . 2011-09-07 08:30 -------- d-----w- c:\program files\Common Files\CANON
2011-09-07 08:30 . 2011-09-07 08:30 -------- d-----w- c:\documents and settings\All Users\Data aplikací\CanonIJWSpt
2011-09-07 08:29 . 2010-03-11 08:56 180224 ----a-w- c:\windows\system32\CNQ2414Y.dll
2011-09-07 08:29 . 2010-01-13 14:03 94208 ----a-w- c:\windows\system32\CNQ2414O.dll
2011-09-07 08:00 . 2011-09-07 08:00 -------- d-----w- c:\documents and settings\All Users\Data aplikací\HP
2011-09-07 07:59 . 2011-09-07 07:59 -------- d-----w- c:\documents and settings\All Users\Documents
2011-09-07 07:58 . 2010-05-12 16:33 86840 ----a-r- c:\windows\system32\hppccompio.dll
2011-09-07 07:58 . 2010-05-12 16:33 66872 ----a-r- c:\windows\system32\Spool\prtprocs\w32x86\HPCP1020PP.DLL
2011-09-07 07:58 . 2010-05-12 16:33 318264 ----a-r- c:\windows\system32\hpbcoins64.dll
2011-09-07 07:58 . 2010-05-12 16:33 245048 ----a-r- c:\windows\system32\hpbcoins32.dll
2011-09-07 07:58 . 2010-05-12 16:33 126264 ----a-r- c:\windows\system32\HPCP1020LM.dll
2011-09-07 07:58 . 2010-05-12 16:33 26936 ----a-r- c:\windows\system32\drivers\hppcgenio.sys
2011-09-07 07:58 . 2010-05-12 16:33 20792 ----a-r- c:\windows\system32\drivers\hppcbulkio.sys
2011-09-07 07:58 . 2010-05-12 16:33 195384 ----a-r- c:\windows\system32\hpmldm01.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-10-03 14:42 . 2006-03-02 12:00 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-09-09 09:12 . 2006-03-02 12:00 602112 ----a-w- c:\windows\system32\crypt32.dll
2011-09-08 09:07 . 2011-05-26 06:55 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-08-30 12:00 . 2011-08-30 12:00 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-08-30 12:00 . 2011-08-30 12:00 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-08-30 11:42 . 2011-08-30 11:42 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2011-08-30 11:41 . 2011-08-30 11:41 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2011-08-30 11:41 . 2011-08-30 11:41 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2011-08-30 11:41 . 2011-08-30 11:41 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2011-07-08 14:02 . 2006-03-02 12:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
.
.
((((((((((((((((((((((((((((( SnapShot_2011-10-03_11.46.22 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-10-04 07:40 . 2011-10-04 07:40 16384 c:\windows\temp\Perflib_Perfdata_6c4.dat
.
(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Rainlendar2"="c:\program files\Rainlendar2\Rainlendar2.exe" [2009-08-22 5148672]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-17 13574144]
"nwiz"="nwiz.exe" [2008-09-17 1657376]
"RTHDCPL"="RTHDCPL.EXE" [2008-04-10 16861184]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-09-17 86016]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2011-09-07 2048352]
"HP CP1020 System Tray"="c:\program files\HP\HP LaserJet Professional CP1020 Series\HPCP1020STRAY.EXE" [2010-05-12 2627384]
"CanonSolutionMenuEx"="c:\program files\Canon\Solution Menu EX\CNSEMAIN.EXE" [2010-04-02 1185112]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2010-02-28 519584]
.
c:\documents and settings\Jmeno Prijmeni\Nabˇdka Start\Programy\Po spuçtŘnˇ\
OpenOffice.org 3.3.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2010-12-13 1198592]
.
c:\documents and settings\All Users\Nabˇdka Start\Programy\Po spuçtŘnˇ\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-5-12 581693]
ColorVisionStartup.lnk - c:\program files\ColorVision\Utility\ColorVisionStartup.exe [2006-1-31 385024]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2011-08-30 11:42 11952 ----a-w- c:\windows\system32\avgrsstx.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\Java\\Java Update\\jucheck.exe"=
"c:\\Program Files\\Nokia\\Nokia PC Suite 7\\PCSuite.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\FileZilla FTP Client\\filezilla.exe"=
"c:\\Program Files\\Mozilla Thunderbird\\thunderbird.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\WinSCP\\WinSCP.exe"=
"c:\\WINDOWS\\system32\\dwwin.exe"=
"c:\\Documents and Settings\\Jmeno Prijmeni\\Dokumenty\\Stažené soubory\\RSIT.exe"=
"c:\\Program Files\\STORMWARE\\POHODA\\StwUpdater.exe"=
"c:\\Program Files\\STORMWARE\\POHODA\\StwPh.exe"=
.
R2 HP LaserJet Service;HP LaserJet Service;c:\program files\HP\HPLaserJetService\HPLaserJetService.exe [12.4.2010 9:13 142336]
R3 HPFXBULKLEDM;HPFXBULKLEDM;c:\windows\system32\drivers\hppcbulkio.sys [7.9.2011 9:58 20792]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [18.3.2010 13:16 130384]
S3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe [15.8.2008 6:46 284016]
S3 FLASHSYS;FLASHSYS;c:\program files\MSI\Live Update 4\LU4\FlashSys.sys [1.12.2009 14:10 9216]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [18.3.2010 13:16 753504]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\sqladhlp.exe [3.4.2010 20:56 44896]
S4 RsFx0150;RsFx0150 Driver;c:\windows\system32\drivers\RsFx0150.sys [3.4.2010 11:02 240608]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL10_50.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [3.4.2010 20:56 367456]
.
.
------- Doplňkový sken -------
.
uStart Page = hxxp://www.google.cz/
IE: E&xportovat do aplikace Microsoft Excel - c:\progra~1\MICROS~4\Office14\EXCEL.EXE/3000
IE: Od&eslat do aplikace OneNote - c:\progra~1\MICROS~4\Office14\ONBttnIE.dll/105
IE: Převést cíl vazby do Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Převést do Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: Připojit cíl vazby k existujícímu PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Připojit k existujícímu PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Send To &Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
TCP: Interfaces\{9F197DCB-A24E-4E1B-8E00-E01343FDCF9F}: NameServer = 10.0.0.138
FF - ProfilePath - c:\documents and settings\Jmeno Prijmeni\Data aplikací\Mozilla\Firefox\Profiles\oolt324t.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.dobrysluha.cz
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: 602XML Filler: xmlfiller@software602.cz - c:\program files\Mozilla Firefox\extensions\xmlfiller@software602.cz
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: PC Sync 2 Synchronisation Extension: bkmrksync@nokia.com - c:\program files\Nokia\Nokia PC Suite 7\bkmrksync
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Google Toolbar for Firefox: {3112ca9c-de6d-4884-a869-9855de68056c} - %profile%\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
FF - Ext: Web Developer: {c45c406e-ab73-11d8-be73-000a95be3b12} - %profile%\extensions\{c45c406e-ab73-11d8-be73-000a95be3b12}
FF - Ext: Firebug: firebug@software.joehewitt.com - %profile%\extensions\firebug@software.joehewitt.com
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-10-04 09:59
Windows 5.1.2600 Service Pack 3 NTFS
.
skenování skrytých procesů ...
.
skenování skrytých položek 'Po spuštění' ...
.
skenování skrytých souborů ...
.
sken byl úspešně dokončen
skryté soubory: 0
.
**************************************************************************
.
--------------------- Knihovny navázané na běžící procesy ---------------------
.
- - - - - - - > 'explorer.exe'(3348)
c:\windows\system32\msi.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Celkový čas: 2011-10-04 10:02:11
ComboFix-quarantined-files.txt 2011-10-04 08:02
ComboFix2.txt 2011-10-03 15:38
ComboFix3.txt 2011-10-03 11:53
ComboFix4.txt 2011-04-27 08:28
.
Před spuštěním: Volných bajtů: 83 090 755 584
Po spuštění: Volných bajtů: 83 075 928 064
.
- - End Of File - - 49E495FBBC99AADE783917949E435984

[vyosek]

Zdravim

Nejak se nam neprovedlo co melo, opakujte mazani v nouzovem rezimu, ale pouzijte tento skript

Kód: Vybrat vše

KillAll::

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"=-

Folder::
c:\progra~1\AVG
C:\$AVG8.VAULT$

SecCenter::
AV: AVG Anti-Virus Free *Disabled/Outdated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
{17DDD097-36FF-435F-9E1B-52D74245D6BF}

Replicator::

Reboot::

[AsiStarnu]

... a jak se dostanu do nouzoveho rezimu ?

[vyosek]

Restart PC, mackat F8, zvolit Stav nouze s praci v siti

[AsiStarnu]

Jsem tedy stale v nouzovem rezimu a posilam log
*-*-
ComboFix 11-10-02.03 - Jmeno Prijmeni 04.10.2011 10:30:01.5.1 - x86 NETWORK
Systém Microsoft Windows XP Professional 5.1.2600.3.1250.420.1029.18.1023.773 [GMT 2:00]
Spuštěný z: c:\documents and settings\Jmeno Prijmeni\Plocha\ComboFix.exe
Použité ovládací přepínače :: c:\documents and settings\Jmeno Prijmeni\Plocha\CFScript.txt
AV: AVG Anti-Virus Free *Disabled/Outdated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
.
.
((((((((((((((((((((((((( Soubory vytvořené od 2011-09-04 do 2011-10-04 )))))))))))))))))))))))))))))))
.
.
2011-10-03 14:43 . 2011-10-03 14:43 48016 --sha-w- c:\windows\system32\c_29595.nl_
2011-09-07 10:22 . 2011-09-16 08:51 -------- d-----w- C:\$AVG8.VAULT$
2011-09-07 08:31 . 2010-03-29 15:33 438272 ----a-w- c:\windows\system32\CNQ2414L.dll
2011-09-07 08:31 . 2010-03-18 15:12 1335296 ----a-w- c:\windows\system32\CNQ2414C.dll
2011-09-07 08:31 . 2010-03-18 15:12 114688 ----a-w- c:\windows\system32\CNQ2414I.dll
2011-09-07 08:31 . 2010-03-18 15:11 106496 ----a-w- c:\windows\system32\CNQ2414U.dll
2011-09-07 08:31 . 2008-08-25 16:02 15872 ----a-w- c:\windows\system32\CNHMCA.dll
2011-09-07 08:30 . 2011-09-07 08:30 -------- d-----w- c:\program files\Common Files\CANON
2011-09-07 08:30 . 2011-09-07 08:30 -------- d-----w- c:\documents and settings\All Users\Data aplikací\CanonIJWSpt
2011-09-07 08:29 . 2010-03-11 08:56 180224 ----a-w- c:\windows\system32\CNQ2414Y.dll
2011-09-07 08:29 . 2010-01-13 14:03 94208 ----a-w- c:\windows\system32\CNQ2414O.dll
2011-09-07 08:00 . 2011-09-07 08:00 -------- d-----w- c:\documents and settings\All Users\Data aplikací\HP
2011-09-07 07:59 . 2011-09-07 07:59 -------- d-----w- c:\documents and settings\All Users\Documents
2011-09-07 07:58 . 2010-05-12 16:33 86840 ----a-r- c:\windows\system32\hppccompio.dll
2011-09-07 07:58 . 2010-05-12 16:33 66872 ----a-r- c:\windows\system32\Spool\prtprocs\w32x86\HPCP1020PP.DLL
2011-09-07 07:58 . 2010-05-12 16:33 318264 ----a-r- c:\windows\system32\hpbcoins64.dll
2011-09-07 07:58 . 2010-05-12 16:33 245048 ----a-r- c:\windows\system32\hpbcoins32.dll
2011-09-07 07:58 . 2010-05-12 16:33 126264 ----a-r- c:\windows\system32\HPCP1020LM.dll
2011-09-07 07:58 . 2010-05-12 16:33 26936 ----a-r- c:\windows\system32\drivers\hppcgenio.sys
2011-09-07 07:58 . 2010-05-12 16:33 20792 ----a-r- c:\windows\system32\drivers\hppcbulkio.sys
2011-09-07 07:58 . 2010-05-12 16:33 195384 ----a-r- c:\windows\system32\hpmldm01.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-10-03 14:42 . 2006-03-02 12:00 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-09-09 09:12 . 2006-03-02 12:00 602112 ----a-w- c:\windows\system32\crypt32.dll
2011-09-08 09:07 . 2011-05-26 06:55 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-08-30 12:00 . 2011-08-30 12:00 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-08-30 12:00 . 2011-08-30 12:00 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-08-30 11:42 . 2011-08-30 11:42 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2011-08-30 11:41 . 2011-08-30 11:41 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2011-08-30 11:41 . 2011-08-30 11:41 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2011-08-30 11:41 . 2011-08-30 11:41 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2011-07-08 14:02 . 2006-03-02 12:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
.
.
(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Rainlendar2"="c:\program files\Rainlendar2\Rainlendar2.exe" [2009-08-22 5148672]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-17 13574144]
"nwiz"="nwiz.exe" [2008-09-17 1657376]
"RTHDCPL"="RTHDCPL.EXE" [2008-04-10 16861184]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-09-17 86016]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2011-09-07 2048352]
"HP CP1020 System Tray"="c:\program files\HP\HP LaserJet Professional CP1020 Series\HPCP1020STRAY.EXE" [2010-05-12 2627384]
"CanonSolutionMenuEx"="c:\program files\Canon\Solution Menu EX\CNSEMAIN.EXE" [2010-04-02 1185112]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2010-02-28 519584]
.
c:\documents and settings\Jmeno Prijmeni\Nabˇdka Start\Programy\Po spuçtŘnˇ\
OpenOffice.org 3.3.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2010-12-13 1198592]
.
c:\documents and settings\All Users\Nabˇdka Start\Programy\Po spuçtŘnˇ\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-5-12 581693]
ColorVisionStartup.lnk - c:\program files\ColorVision\Utility\ColorVisionStartup.exe [2006-1-31 385024]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2011-08-30 11:42 11952 ----a-w- c:\windows\system32\avgrsstx.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\Java\\Java Update\\jucheck.exe"=
"c:\\Program Files\\Nokia\\Nokia PC Suite 7\\PCSuite.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\FileZilla FTP Client\\filezilla.exe"=
"c:\\Program Files\\Mozilla Thunderbird\\thunderbird.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\WinSCP\\WinSCP.exe"=
"c:\\WINDOWS\\system32\\dwwin.exe"=
"c:\\Documents and Settings\\Jmeno Prijmeni\\Dokumenty\\Stažené soubory\\RSIT.exe"=
"c:\\Program Files\\STORMWARE\\POHODA\\StwUpdater.exe"=
"c:\\Program Files\\STORMWARE\\POHODA\\StwPh.exe"=
.
R3 HPFXBULKLEDM;HPFXBULKLEDM;c:\windows\system32\drivers\hppcbulkio.sys [7.9.2011 9:58 20792]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [18.3.2010 13:16 130384]
S2 HP LaserJet Service;HP LaserJet Service;c:\program files\HP\HPLaserJetService\HPLaserJetService.exe [12.4.2010 9:13 142336]
S3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe [15.8.2008 6:46 284016]
S3 FLASHSYS;FLASHSYS;c:\program files\MSI\Live Update 4\LU4\FlashSys.sys [1.12.2009 14:10 9216]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [18.3.2010 13:16 753504]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\sqladhlp.exe [3.4.2010 20:56 44896]
S4 RsFx0150;RsFx0150 Driver;c:\windows\system32\drivers\RsFx0150.sys [3.4.2010 11:02 240608]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL10_50.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [3.4.2010 20:56 367456]
.
--- Ostatní služby/ovladače v paměti ---
.
*NewlyCreated* - PARPORT
.
.
------- Doplňkový sken -------
.
uStart Page = hxxp://www.google.cz/
IE: E&xportovat do aplikace Microsoft Excel - c:\progra~1\MICROS~4\Office14\EXCEL.EXE/3000
IE: Od&eslat do aplikace OneNote - c:\progra~1\MICROS~4\Office14\ONBttnIE.dll/105
IE: Převést cíl vazby do Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Převést do Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: Připojit cíl vazby k existujícímu PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Připojit k existujícímu PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Send To &Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
TCP: Interfaces\{9F197DCB-A24E-4E1B-8E00-E01343FDCF9F}: NameServer = 10.0.0.138
FF - ProfilePath - c:\documents and settings\Jmeno Prijmeni\Data aplikací\Mozilla\Firefox\Profiles\oolt324t.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.dobrysluha.cz
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: 602XML Filler: xmlfiller@software602.cz - c:\program files\Mozilla Firefox\extensions\xmlfiller@software602.cz
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: PC Sync 2 Synchronisation Extension: bkmrksync@nokia.com - c:\program files\Nokia\Nokia PC Suite 7\bkmrksync
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Google Toolbar for Firefox: {3112ca9c-de6d-4884-a869-9855de68056c} - %profile%\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
FF - Ext: Web Developer: {c45c406e-ab73-11d8-be73-000a95be3b12} - %profile%\extensions\{c45c406e-ab73-11d8-be73-000a95be3b12}
FF - Ext: Firebug: firebug@software.joehewitt.com - %profile%\extensions\firebug@software.joehewitt.com
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-10-04 10:36
Windows 5.1.2600 Service Pack 3 NTFS
.
skenování skrytých procesů ...
.
skenování skrytých položek 'Po spuštění' ...
.
skenování skrytých souborů ...
.
sken byl úspešně dokončen
skryté soubory: 0
.
**************************************************************************
.
--------------------- Knihovny navázané na běžící procesy ---------------------
.
- - - - - - - > 'explorer.exe'(1848)
c:\windows\system32\msi.dll
.
Celkový čas: 2011-10-04 10:38:16
ComboFix-quarantined-files.txt 2011-10-04 08:38
ComboFix2.txt 2011-10-04 08:02
ComboFix3.txt 2011-10-03 15:38
ComboFix4.txt 2011-10-03 11:53
ComboFix5.txt 2011-10-04 08:29
.
Před spuštěním: Volných bajtů: 83 063 783 424
Po spuštění: Volných bajtů: 83 047 387 136
.
- - End Of File - - 55EFBE6A3342F8A471DC706720B455A2

[vyosek]

Potvore se neche, takze jinak, postup udelejte v nouzovem rezimu

Stahnete OTM http://oldtimer.geekstogo.com/OTM.exe

• Spustte jej
• Do leveho okna Paste Instructions for Items to be Moved (pod zlutou caru) vlozte obsah, ktery mate nize (cely ten zeleny text)

• Kód: Vybrat vše

  :reg
  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
  "AVG8_TRAY"=-
  
  :files
  c:\progra~1\AVG
  C:\$AVG8.VAULT$
  %windir%\system32\*.tmp.dll /s
  %windir%\system32\SET*.tmp /s
  %windir%\*.tmp
  
  :commands
  [RESETHOSTS]
  [EMPTYTEMP]
  [EMPTYFLASH]

• Kliknete na cervene tlacitko MoveIt!
• Budete vyzvani na restart, dejte Yes, log pote najdete C:\_OTM\MovedFiles, obsah sem vlozte

[AsiStarnu]

jsem stale v NR
log:
*-*-
All processes killed
========== REGISTRY ==========
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\AVG8_TRAY deleted successfully.
========== FILES ==========
c:\progra~1\AVG\AVG8\Notification folder moved successfully.
c:\progra~1\AVG\AVG8\log folder moved successfully.
c:\progra~1\AVG\AVG8\cfg folder moved successfully.
Folder move failed. c:\progra~1\AVG\AVG8 scheduled to be moved on reboot.
Folder move failed. c:\progra~1\AVG scheduled to be moved on reboot.
C:\$AVG8.VAULT$ folder moved successfully.
File/Folder C:\WINDOWS\system32\*.tmp.dll not found.
File/Folder C:\WINDOWS\system32\SET*.tmp not found.
C:\WINDOWS\002702_.tmp moved successfully.
C:\WINDOWS\NV14283140.TMP folder moved successfully.
C:\WINDOWS\SET25.tmp moved successfully.
C:\WINDOWS\SET3.tmp moved successfully.
C:\WINDOWS\SET4.tmp moved successfully.
C:\WINDOWS\SET8.tmp moved successfully.
========== COMMANDS ==========
C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->Flash cache emptied: 0 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->Flash cache emptied: 56466 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: Jmeno Prijmeni
->Temp folder emptied: 759296 bytes
->Temporary Internet Files folder emptied: 49353 bytes
->Java cache emptied: 65642 bytes
->FireFox cache emptied: 61496567 bytes
->Google Chrome cache emptied: 0 bytes
->Flash cache emptied: 60027 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 2504 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 505 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 24225 bytes

Total Files Cleaned = 60,00 mb


OTM by OldTimer - Version 3.1.18.0 log created on 10042011_115729

[vyosek]

Fajn, nyni skript pro ComboFix

Kód: Vybrat vše

KillAll::

SecCenter::
AV: AVG Anti-Virus Free *Disabled/Outdated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
{17DDD097-36FF-435F-9E1B-52D74245D6BF}

Replicator::

Reboot::

[AsiStarnu]

hmm, vypada to, ze se tam to AVG porad drzi
ve fazi _5 doslo k hlasce:
PEV.exe doslo k selhani (nebo neco takoveho) dal jsem NEODESILAT chybu) potom byly asi dva restarty nyni jsem v normalnim rezimu, mam se prepnout zpet do nouzoveho ?
*-*-
ComboFix 11-10-02.03 - Jmeno Prijmeni 04.10.2011 15:37:57.5.1 - x86
Systém Microsoft Windows XP Professional 5.1.2600.3.1250.420.1029.18.2047.1612 [GMT 2:00]
Spuštěný z: c:\documents and settings\Jmeno Prijmeni\Plocha\ComboFix.exe
Použité ovládací přepínače :: c:\documents and settings\Jmeno Prijmeni\Plocha\CFScript.txt
AV: AVG Anti-Virus Free *Disabled/Outdated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
.
.
((((((((((((((((((((((((((((((((((((((( Ostatní výmazy )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Jmeno Prijmeni\Data aplikací\Adobe\plugs\mmc0.exe
c:\documents and settings\Jmeno Prijmeni\Data aplikací\Adobe\plugs\mmc211.exe
c:\windows\$NtUninstallKB47530$
c:\windows\$NtUninstallKB47530$\2270326558
c:\windows\system32\d3d9caps.dat
.
Nakažená kopie c:\windows\system32\drivers\redbook.sys byla nalezena a vyléčena.
Obnovena kopie z - The cat found it
.
((((((((((((((((((((((((( Soubory vytvořené od 2011-09-04 do 2011-10-04 )))))))))))))))))))))))))))))))
.
.
2011-10-04 13:34 . 2008-04-14 02:14 58496 ----a-w- c:\windows\system32\drivers\redbook.sys
2011-10-04 09:57 . 2011-10-04 09:57 -------- d-----w- C:\_OTM
2011-10-04 08:40 . 2011-10-04 08:40 -------- d-sh--w- c:\documents and settings\Jmeno Prijmeni\Local Settings\Data aplikací\cae38cb6
2011-10-03 14:43 . 2011-10-03 14:43 48016 --sha-w- c:\windows\system32\c_29595.nl_
2011-09-07 08:31 . 2010-03-29 15:33 438272 ----a-w- c:\windows\system32\CNQ2414L.dll
2011-09-07 08:31 . 2010-03-18 15:12 1335296 ----a-w- c:\windows\system32\CNQ2414C.dll
2011-09-07 08:31 . 2010-03-18 15:12 114688 ----a-w- c:\windows\system32\CNQ2414I.dll
2011-09-07 08:31 . 2010-03-18 15:11 106496 ----a-w- c:\windows\system32\CNQ2414U.dll
2011-09-07 08:31 . 2008-08-25 16:02 15872 ----a-w- c:\windows\system32\CNHMCA.dll
2011-09-07 08:30 . 2011-09-07 08:30 -------- d-----w- c:\program files\Common Files\CANON
2011-09-07 08:30 . 2011-09-07 08:30 -------- d-----w- c:\documents and settings\All Users\Data aplikací\CanonIJWSpt
2011-09-07 08:29 . 2010-03-11 08:56 180224 ----a-w- c:\windows\system32\CNQ2414Y.dll
2011-09-07 08:29 . 2010-01-13 14:03 94208 ----a-w- c:\windows\system32\CNQ2414O.dll
2011-09-07 08:00 . 2011-09-07 08:00 -------- d-----w- c:\documents and settings\All Users\Data aplikací\HP
2011-09-07 07:59 . 2011-09-07 07:59 -------- d-----w- c:\documents and settings\All Users\Documents
2011-09-07 07:58 . 2010-05-12 16:33 86840 ----a-r- c:\windows\system32\hppccompio.dll
2011-09-07 07:58 . 2010-05-12 16:33 66872 ----a-r- c:\windows\system32\Spool\prtprocs\w32x86\HPCP1020PP.DLL
2011-09-07 07:58 . 2010-05-12 16:33 318264 ----a-r- c:\windows\system32\hpbcoins64.dll
2011-09-07 07:58 . 2010-05-12 16:33 245048 ----a-r- c:\windows\system32\hpbcoins32.dll
2011-09-07 07:58 . 2010-05-12 16:33 126264 ----a-r- c:\windows\system32\HPCP1020LM.dll
2011-09-07 07:58 . 2010-05-12 16:33 26936 ----a-r- c:\windows\system32\drivers\hppcgenio.sys
2011-09-07 07:58 . 2010-05-12 16:33 20792 ----a-r- c:\windows\system32\drivers\hppcbulkio.sys
2011-09-07 07:58 . 2010-05-12 16:33 195384 ----a-r- c:\windows\system32\hpmldm01.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-10-03 14:42 . 2006-03-02 12:00 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-09-09 09:12 . 2006-03-02 12:00 602112 ----a-w- c:\windows\system32\crypt32.dll
2011-09-08 09:07 . 2011-05-26 06:55 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-08-30 12:00 . 2011-08-30 12:00 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-08-30 12:00 . 2011-08-30 12:00 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-08-30 11:42 . 2011-08-30 11:42 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2011-08-30 11:41 . 2011-08-30 11:41 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2011-08-30 11:41 . 2011-08-30 11:41 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2011-08-30 11:41 . 2011-08-30 11:41 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2011-07-08 14:02 . 2006-03-02 12:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
.
.
((((((((((((((((((((((((((((( SnapShot_2011-10-03_11.46.22 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-10-04 13:46 . 2011-10-04 13:46 16384 c:\windows\temp\Perflib_Perfdata_6c8.dat
.
(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Rainlendar2"="c:\program files\Rainlendar2\Rainlendar2.exe" [2009-08-22 5148672]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-17 13574144]
"nwiz"="nwiz.exe" [2008-09-17 1657376]
"RTHDCPL"="RTHDCPL.EXE" [2008-04-10 16861184]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-09-17 86016]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2011-09-07 2048352]
"HP CP1020 System Tray"="c:\program files\HP\HP LaserJet Professional CP1020 Series\HPCP1020STRAY.EXE" [2010-05-12 2627384]
"CanonSolutionMenuEx"="c:\program files\Canon\Solution Menu EX\CNSEMAIN.EXE" [2010-04-02 1185112]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2010-02-28 519584]
.
c:\documents and settings\Jmeno Prijmeni\Nabˇdka Start\Programy\Po spuçtŘnˇ\
OpenOffice.org 3.3.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2010-12-13 1198592]
.
c:\documents and settings\All Users\Nabˇdka Start\Programy\Po spuçtŘnˇ\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-5-12 581693]
ColorVisionStartup.lnk - c:\program files\ColorVision\Utility\ColorVisionStartup.exe [2006-1-31 385024]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2011-08-30 11:42 11952 ----a-w- c:\windows\system32\avgrsstx.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\Java\\Java Update\\jucheck.exe"=
"c:\\Program Files\\Nokia\\Nokia PC Suite 7\\PCSuite.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\FileZilla FTP Client\\filezilla.exe"=
"c:\\Program Files\\Mozilla Thunderbird\\thunderbird.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\WinSCP\\WinSCP.exe"=
"c:\\WINDOWS\\system32\\dwwin.exe"=
"c:\\Documents and Settings\\Jmeno Prijmeni\\Dokumenty\\Stažené soubory\\RSIT.exe"=
"c:\\Program Files\\STORMWARE\\POHODA\\StwUpdater.exe"=
"c:\\Program Files\\STORMWARE\\POHODA\\StwPh.exe"=
.
R2 HP LaserJet Service;HP LaserJet Service;c:\program files\HP\HPLaserJetService\HPLaserJetService.exe [12.4.2010 9:13 142336]
R3 HPFXBULKLEDM;HPFXBULKLEDM;c:\windows\system32\drivers\hppcbulkio.sys [7.9.2011 9:58 20792]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [18.3.2010 13:16 130384]
S3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe [15.8.2008 6:46 284016]
S3 FLASHSYS;FLASHSYS;c:\program files\MSI\Live Update 4\LU4\FlashSys.sys [1.12.2009 14:10 9216]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [18.3.2010 13:16 753504]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\sqladhlp.exe [3.4.2010 20:56 44896]
S4 RsFx0150;RsFx0150 Driver;c:\windows\system32\drivers\RsFx0150.sys [3.4.2010 11:02 240608]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL10_50.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [3.4.2010 20:56 367456]
.
.
------- Doplňkový sken -------
.
uStart Page = hxxp://www.google.cz/
IE: E&xportovat do aplikace Microsoft Excel - c:\progra~1\MICROS~4\Office14\EXCEL.EXE/3000
IE: Od&eslat do aplikace OneNote - c:\progra~1\MICROS~4\Office14\ONBttnIE.dll/105
IE: Převést cíl vazby do Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Převést do Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: Připojit cíl vazby k existujícímu PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Připojit k existujícímu PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Send To &Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
TCP: Interfaces\{9F197DCB-A24E-4E1B-8E00-E01343FDCF9F}: NameServer = 10.0.0.138
FF - ProfilePath - c:\documents and settings\Jmeno Prijmeni\Data aplikací\Mozilla\Firefox\Profiles\oolt324t.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.dobrysluha.cz
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: 602XML Filler: xmlfiller@software602.cz - c:\program files\Mozilla Firefox\extensions\xmlfiller@software602.cz
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: PC Sync 2 Synchronisation Extension: bkmrksync@nokia.com - c:\program files\Nokia\Nokia PC Suite 7\bkmrksync
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Google Toolbar for Firefox: {3112ca9c-de6d-4884-a869-9855de68056c} - %profile%\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
FF - Ext: Web Developer: {c45c406e-ab73-11d8-be73-000a95be3b12} - %profile%\extensions\{c45c406e-ab73-11d8-be73-000a95be3b12}
FF - Ext: Firebug: firebug@software.joehewitt.com - %profile%\extensions\firebug@software.joehewitt.com
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-10-04 15:49
Windows 5.1.2600 Service Pack 3 NTFS
.
skenování skrytých procesů ...
.
skenování skrytých položek 'Po spuštění' ...
.
skenování skrytých souborů ...
.
sken byl úspešně dokončen
skryté soubory: 0
.
**************************************************************************
.
--------------------- Knihovny navázané na běžící procesy ---------------------
.
- - - - - - - > 'explorer.exe'(596)
c:\windows\system32\msi.dll
c:\program files\OpenOffice.org 3\Basis\program\shlxthdl\shlxthdl.dll
c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\btncopy.dll
c:\program files\Nokia\Nokia PC Suite 7\PhoneBrowser.dll
c:\program files\Nokia\Nokia PC Suite 7\NGSCM.DLL
c:\program files\Nokia\Nokia PC Suite 7\Lang\PhoneBrowser_cze.nlr
c:\program files\Nokia\Nokia PC Suite 7\Resource\PhoneBrowser_Nokia.ngr
c:\program files\WinSCP\DragExt.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Jiné spuštené procesy ------------------------
.
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Microsoft SQL Server\MSSQL10_50.SQLEXPRESS\MSSQL\Binn\sqlservr.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\windows\system32\SearchIndexer.exe
c:\windows\system32\wscntfy.exe
c:\windows\RTHDCPL.EXE
c:\windows\system32\RUNDLL32.EXE
c:\program files\OpenOffice.org 3\program\soffice.exe
c:\program files\OpenOffice.org 3\program\soffice.bin
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
.
**************************************************************************
.
Celkový čas: 2011-10-04 15:52:55 - počítač byl restartován
ComboFix-quarantined-files.txt 2011-10-04 13:52
ComboFix2.txt 2011-10-04 08:38
ComboFix3.txt 2011-10-04 08:02
ComboFix4.txt 2011-10-03 15:38
ComboFix5.txt 2011-10-04 13:33
.
Před spuštěním: Volných bajtů: 83 008 131 072
Po spuštění: Volných bajtů: 83 006 791 680
.
- - End Of File - - 7F93717FEDC4E71168F66C096D02A8E4

[vyosek]

Spis se nam tam odnekud vraci havet mam pocit

Pustte tam avptool dle navodu zde http://www.viry.cz/forum/viewtopic.php?f=29&t=58179

[AsiStarnu]

Zdravim Vas,
Kaspersky nesel spustit (asi byl blokovan), tak jsem pouzil posledni script a prohnal ComboFix (log zasilam nize)
potom jsem nasadil ten soubor Kaspersky (potom uz sel v pohode), vysledek posilam pod logem pro ComboFixem:

Taky jsem pred spustenim Kasperskeho zatrh volbu - nedelat bod obnovy (v nastaveni), mam to opet dat do puvodniho stavu?
Jeste prosba, nenaboural se ten vir do ucetnictvi? - STORMWARE\POHODA budu muset delat po ociste ucetnictvi a nerad bych zazil dalsi ocistec

log ComboFix:
*-*-*-*-*-*-
ComboFix 11-10-02.03 - Jmeno Prijmeni 05.10.2011 10:02:42.6.1 - x86
Systém Microsoft Windows XP Professional 5.1.2600.3.1250.420.1029.18.2047.1622 [GMT 2:00]
Spuštěný z: c:\documents and settings\Jmeno Prijmeni\Plocha\ComboFix.exe
Použité ovládací přepínače :: c:\documents and settings\Jmeno Prijmeni\Plocha\CFScript.txt
AV: AVG Anti-Virus Free *Disabled/Outdated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
.
.
((((((((((((((((((((((((((((((((((((((( Ostatní výmazy )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\$NtUninstallKB47530$
c:\windows\$NtUninstallKB47530$\3403910326\@
c:\windows\$NtUninstallKB47530$\3403910326\click.tlb
c:\windows\$NtUninstallKB47530$\3403910326\L\eeyjymue
c:\windows\$NtUninstallKB47530$\3403910326\loader.tlb
c:\windows\$NtUninstallKB47530$\3403910326\U\@00000001
c:\windows\$NtUninstallKB47530$\3403910326\U\@000000c0
c:\windows\$NtUninstallKB47530$\3403910326\U\@000000cb
c:\windows\$NtUninstallKB47530$\3403910326\U\@000000cf
c:\windows\$NtUninstallKB47530$\3403910326\U\@80000000
c:\windows\$NtUninstallKB47530$\3403910326\U\@800000c0
c:\windows\$NtUninstallKB47530$\3403910326\U\@800000cb
c:\windows\$NtUninstallKB47530$\3403910326\U\@800000cf
c:\windows\$NtUninstallKB47530$\3736103078
c:\windows\{2521BB91-29B1-4d7e-9137-AC9875D77735}
c:\windows\system32\
c:\windows\system32\c_29595.nls
.
Nakažená kopie c:\windows\system32\drivers\netbt.sys byla nalezena a vyléčena.
Obnovena kopie z - The cat found it
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe . . . je infikován!!
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe . . . was deleted!! You should re-install the program it pertains to
.
c:\program files\HP\HPLaserJetService\HPLaserJetService.exe . . . je infikován!!
c:\program files\HP\HPLaserJetService\HPLaserJetService.exe . . . was deleted!! You should re-install the program it pertains to
.
c:\program files\Java\jre6\bin\jqs.exe . . . je infikován!!
c:\program files\Java\jre6\bin\jqs.exe . . . was deleted!! You should re-install the program it pertains to
.
Nakažená kopie c:\windows\system32\nvsvc32.exe byla nalezena a vyléčena.
Obnovena kopie z - c:\windows\system32\ReinstallBackups\0002\DriverFiles\nvsvc32.exe
.
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe . . . je infikován!!
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe . . . was deleted!! You should re-install the program it pertains to
.
c:\windows\system32\SearchIndexer.exe . . . je infikován!!
c:\windows\system32\SearchIndexer.exe . . . was deleted!! You should re-install the program it pertains to
.
.
((((((((((((((((((((((((((((((((((((((( Ovladače/Služby )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_cae38cb6
.
.
((((((((((((((((((((((((( Soubory vytvořené od 2011-09-05 do 2011-10-05 )))))))))))))))))))))))))))))))
.
.
2011-10-05 07:59 . 2008-04-13 19:21 162816 -c--a-w- c:\windows\system32\dllcache\netbt.sys
2011-10-05 07:59 . 2008-04-13 19:21 162816 ----a-w- c:\windows\system32\drivers\netbt.sys
2011-10-04 13:34 . 2008-04-14 02:14 58496 ----a-w- c:\windows\system32\drivers\redbook.sys
2011-10-04 09:57 . 2011-10-04 09:57 -------- d-----w- C:\_OTM
2011-10-04 08:40 . 2011-10-04 08:40 -------- d-sh--w- c:\documents and settings\Jmeno Prijmeni\Local Settings\Data aplikací\cae38cb6
2011-10-03 14:43 . 2011-10-03 14:43 48016 --sha-w- c:\windows\system32\c_29595.nl_
2011-09-07 08:31 . 2010-03-29 15:33 438272 ----a-w- c:\windows\system32\CNQ2414L.dll
2011-09-07 08:31 . 2010-03-18 15:12 1335296 ----a-w- c:\windows\system32\CNQ2414C.dll
2011-09-07 08:31 . 2010-03-18 15:12 114688 ----a-w- c:\windows\system32\CNQ2414I.dll
2011-09-07 08:31 . 2010-03-18 15:11 106496 ----a-w- c:\windows\system32\CNQ2414U.dll
2011-09-07 08:31 . 2008-08-25 16:02 15872 ----a-w- c:\windows\system32\CNHMCA.dll
2011-09-07 08:30 . 2011-09-07 08:30 -------- d-----w- c:\program files\Common Files\CANON
2011-09-07 08:30 . 2011-09-07 08:30 -------- d-----w- c:\documents and settings\All Users\Data aplikací\CanonIJWSpt
2011-09-07 08:29 . 2010-03-11 08:56 180224 ----a-w- c:\windows\system32\CNQ2414Y.dll
2011-09-07 08:29 . 2010-01-13 14:03 94208 ----a-w- c:\windows\system32\CNQ2414O.dll
2011-09-07 08:00 . 2011-09-07 08:00 -------- d-----w- c:\documents and settings\All Users\Data aplikací\HP
2011-09-07 07:59 . 2011-09-07 07:59 -------- d-----w- c:\documents and settings\All Users\Documents
2011-09-07 07:58 . 2010-05-12 16:33 86840 ----a-r- c:\windows\system32\hppccompio.dll
2011-09-07 07:58 . 2010-05-12 16:33 66872 ----a-r- c:\windows\system32\Spool\prtprocs\w32x86\HPCP1020PP.DLL
2011-09-07 07:58 . 2010-05-12 16:33 318264 ----a-r- c:\windows\system32\hpbcoins64.dll
2011-09-07 07:58 . 2010-05-12 16:33 245048 ----a-r- c:\windows\system32\hpbcoins32.dll
2011-09-07 07:58 . 2010-05-12 16:33 126264 ----a-r- c:\windows\system32\HPCP1020LM.dll
2011-09-07 07:58 . 2010-05-12 16:33 26936 ----a-r- c:\windows\system32\drivers\hppcgenio.sys
2011-09-07 07:58 . 2010-05-12 16:33 20792 ----a-r- c:\windows\system32\drivers\hppcbulkio.sys
2011-09-07 07:58 . 2010-05-12 16:33 195384 ----a-r- c:\windows\system32\hpmldm01.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-10-03 14:42 . 2006-03-02 12:00 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-09-09 09:12 . 2006-03-02 12:00 602112 ----a-w- c:\windows\system32\crypt32.dll
2011-09-08 09:07 . 2011-05-26 06:55 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-08-30 12:00 . 2011-08-30 12:00 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-08-30 12:00 . 2011-08-30 12:00 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-08-30 11:42 . 2011-08-30 11:42 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2011-08-30 11:41 . 2011-08-30 11:41 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2011-08-30 11:41 . 2011-08-30 11:41 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2011-08-30 11:41 . 2011-08-30 11:41 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2011-07-08 14:02 . 2006-03-02 12:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
.
.
(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Rainlendar2"="c:\program files\Rainlendar2\Rainlendar2.exe" [2009-08-22 5148672]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-17 13574144]
"nwiz"="nwiz.exe" [2008-09-17 1657376]
"RTHDCPL"="RTHDCPL.EXE" [2008-04-10 16861184]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-09-17 86016]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2011-09-07 2048352]
"HP CP1020 System Tray"="c:\program files\HP\HP LaserJet Professional CP1020 Series\HPCP1020STRAY.EXE" [2010-05-12 2627384]
"CanonSolutionMenuEx"="c:\program files\Canon\Solution Menu EX\CNSEMAIN.EXE" [2010-04-02 1185112]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2010-02-28 519584]
.
c:\documents and settings\Jmeno Prijmeni\Nabˇdka Start\Programy\Po spuçtŘnˇ\
OpenOffice.org 3.3.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2010-12-13 1198592]
_uninst_.lnk - c:\documents and settings\Jmeno Prijmeni\Local Settings\temp\_uninst_.bat [N/A]
.
c:\documents and settings\All Users\Nabˇdka Start\Programy\Po spuçtŘnˇ\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-5-12 581693]
ColorVisionStartup.lnk - c:\program files\ColorVision\Utility\ColorVisionStartup.exe [2006-1-31 385024]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2011-08-30 11:42 11952 ----a-w- c:\windows\system32\avgrsstx.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\Java\\Java Update\\jucheck.exe"=
"c:\\Program Files\\Nokia\\Nokia PC Suite 7\\PCSuite.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\FileZilla FTP Client\\filezilla.exe"=
"c:\\Program Files\\Mozilla Thunderbird\\thunderbird.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\WinSCP\\WinSCP.exe"=
"c:\\WINDOWS\\system32\\dwwin.exe"=
"c:\\Documents and Settings\\Jmeno Prijmeni\\Dokumenty\\Stažené soubory\\RSIT.exe"=
"c:\\Program Files\\STORMWARE\\POHODA\\StwUpdater.exe"=
"c:\\Program Files\\STORMWARE\\POHODA\\StwPh.exe"=
.
R3 HPFXBULKLEDM;HPFXBULKLEDM;c:\windows\system32\drivers\hppcbulkio.sys [7.9.2011 9:58 20792]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [18.3.2010 13:16 130384]
S2 HP LaserJet Service;HP LaserJet Service;"c:\program files\HP\HPLaserJetService\HPLaserJetService.exe" --> c:\program files\HP\HPLaserJetService\HPLaserJetService.exe [?]
S3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe [15.8.2008 6:46 284016]
S3 FLASHSYS;FLASHSYS;c:\program files\MSI\Live Update 4\LU4\FlashSys.sys [1.12.2009 14:10 9216]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [18.3.2010 13:16 753504]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\sqladhlp.exe [3.4.2010 20:56 44896]
S4 RsFx0150;RsFx0150 Driver;c:\windows\system32\drivers\RsFx0150.sys [3.4.2010 11:02 240608]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL10_50.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [3.4.2010 20:56 367456]
.
.
------- Doplňkový sken -------
.
uStart Page = hxxp://www.google.cz/
IE: E&xportovat do aplikace Microsoft Excel - c:\progra~1\MICROS~4\Office14\EXCEL.EXE/3000
IE: Od&eslat do aplikace OneNote - c:\progra~1\MICROS~4\Office14\ONBttnIE.dll/105
IE: Převést cíl vazby do Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Převést do Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: Připojit cíl vazby k existujícímu PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Připojit k existujícímu PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Send To &Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
TCP: Interfaces\{9F197DCB-A24E-4E1B-8E00-E01343FDCF9F}: NameServer = 10.0.0.138
FF - ProfilePath - c:\documents and settings\Jmeno Prijmeni\Data aplikací\Mozilla\Firefox\Profiles\oolt324t.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.dobrysluha.cz
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: 602XML Filler: xmlfiller@software602.cz - c:\program files\Mozilla Firefox\extensions\xmlfiller@software602.cz
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: PC Sync 2 Synchronisation Extension: bkmrksync@nokia.com - c:\program files\Nokia\Nokia PC Suite 7\bkmrksync
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Google Toolbar for Firefox: {3112ca9c-de6d-4884-a869-9855de68056c} - %profile%\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
FF - Ext: Web Developer: {c45c406e-ab73-11d8-be73-000a95be3b12} - %profile%\extensions\{c45c406e-ab73-11d8-be73-000a95be3b12}
FF - Ext: Firebug: firebug@software.joehewitt.com - %profile%\extensions\firebug@software.joehewitt.com
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-10-05 10:11
Windows 5.1.2600 Service Pack 3 NTFS
.
skenování skrytých procesů ...
.
skenování skrytých položek 'Po spuštění' ...
.
skenování skrytých souborů ...
.
sken byl úspešně dokončen
skryté soubory: 0
.
**************************************************************************
.
--------------------- Knihovny navázané na běžící procesy ---------------------
.
- - - - - - - > 'explorer.exe'(3136)
c:\windows\system32\msi.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\btncopy.dll
c:\program files\Nokia\Nokia PC Suite 7\PhoneBrowser.dll
c:\program files\Nokia\Nokia PC Suite 7\NGSCM.DLL
c:\program files\Nokia\Nokia PC Suite 7\Lang\PhoneBrowser_cze.nlr
c:\program files\Nokia\Nokia PC Suite 7\Resource\PhoneBrowser_Nokia.ngr
c:\program files\WinSCP\DragExt.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Jiné spuštené procesy ------------------------
.
c:\program files\Microsoft SQL Server\MSSQL10_50.SQLEXPRESS\MSSQL\Binn\sqlservr.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\wscntfy.exe
c:\windows\RTHDCPL.EXE
c:\windows\system32\RUNDLL32.EXE
c:\program files\OpenOffice.org 3\program\soffice.exe
c:\program files\OpenOffice.org 3\program\soffice.bin
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
.
**************************************************************************
.
Celkový čas: 2011-10-05 10:14:54 - počítač byl restartován
ComboFix-quarantined-files.txt 2011-10-05 08:14
ComboFix2.txt 2011-10-04 13:52
ComboFix3.txt 2011-10-04 08:38
ComboFix4.txt 2011-10-04 08:02
ComboFix5.txt 2011-10-05 07:58
.
Před spuštěním: Volných bajtů: 86 878 404 608
Po spuštění: Volných bajtů: 87 095 783 424
.
- - End Of File - - F5CECDA8689BD121E9CE4A924EF53152


*-*-*-*-*-*-*
log z Kasperskeho:
*-*-*-*-*-*-*
Status: Quarantined (events: 1)
5.10.2011 10:41:36 Quarantined virus HEUR:Trojan.Win32.Generic C:\Documents and Settings\Petr Vácha\Local Settings\Data aplikací\cae38cb6\X High
Status: Deleted (events: 31)
5.10.2011 10:52:40 Deleted Trojan program Trojan.Win32.Patched.mf C:\Program Files\AVG\AVG8\avgrsx.exe High
5.10.2011 10:52:45 Deleted Trojan program Trojan.Win32.Patched.mf C:\Program Files\AVG\AVG8\avgwdsvc.exe High
5.10.2011 11:11:20 Deleted Trojan program Trojan.Win32.Patched.mf C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe High
5.10.2011 11:11:20 Deleted Trojan program Trojan.Win32.Patched.mf C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe High
5.10.2011 11:11:20 Deleted Trojan program Backdoor.Win32.ZAccess.ob C:\Qoobox\Quarantine\C\WINDOWS\3062686666.vir:891056969.exe High
5.10.2011 11:11:20 Deleted Trojan program Trojan.Win32.Patched.mf C:\Qoobox\Quarantine\C\Program Files\HP\HPLaserJetService\HPLaserJetService.exe.vir High
5.10.2011 11:11:41 Deleted Trojan program Trojan.Win32.Patched.mf C:\Qoobox\Quarantine\C\Program Files\Java\jre6\bin\jqs.exe.vir High
5.10.2011 11:11:41 Deleted Trojan program Trojan.Win32.Patched.mf C:\Qoobox\Quarantine\C\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe.vir High
5.10.2011 11:11:40 Deleted Trojan program Trojan.Win32.Patched.mf C:\Qoobox\Quarantine\C\Program Files\PC Connectivity Solution\ServiceLayer.exe.vir High
5.10.2011 11:11:51 Deleted Trojan program Trojan.Win32.Patched.mf C:\Qoobox\Quarantine\C\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe.vir High
5.10.2011 11:11:52 Deleted Trojan program Trojan.Win32.Patched.mf C:\Qoobox\Quarantine\C\PROGRA~1\AVG\AVG8\avgemc.exe.vir High
5.10.2011 11:11:51 Deleted Trojan program Trojan.Win32.Patched.mf C:\Qoobox\Quarantine\C\PROGRA~1\AVG\AVG8\avgwdsvc.exe.vir High
5.10.2011 11:12:37 Deleted Trojan program Backdoor.Win32.ZAccess.ang C:\Qoobox\Quarantine\C\WINDOWS\assembly\GAC_MSIL\desktop.ini.vir High
5.10.2011 11:12:41 Deleted Trojan program Trojan.Win32.Patched.mf C:\Qoobox\Quarantine\C\WINDOWS\system32\SearchIndexer.exe.vir High
5.10.2011 11:12:38 Deleted Trojan program Rootkit.Win32.ZAccess.e C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\ipsec.sys.vir High
5.10.2011 11:12:53 Deleted Trojan program Rootkit.Win32.ZAccess.h C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\netbt.sys.vir High
5.10.2011 11:12:42 Deleted Trojan program Rootkit.Win32.ZAccess.h C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\redbook.sys.vir High
5.10.2011 11:12:55 Deleted Trojan program Backdoor.Win32.ZAccess.ang C:\System Volume Information\_restore{41696BCA-D864-473A-813F-ACE914A534A8}\RP1\A0000022.ini High
5.10.2011 11:12:54 Deleted Trojan program Rootkit.Win32.ZAccess.h C:\System Volume Information\_restore{41696BCA-D864-473A-813F-ACE914A534A8}\RP1\A0000032.sys High
5.10.2011 11:12:58 Deleted Trojan program Trojan.Win32.Patched.mf C:\System Volume Information\_restore{41696BCA-D864-473A-813F-ACE914A534A8}\RP1\A0000069.exe High
5.10.2011 11:12:59 Deleted Trojan program Trojan.Win32.Patched.mf C:\System Volume Information\_restore{41696BCA-D864-473A-813F-ACE914A534A8}\RP1\A0000068.exe High
5.10.2011 11:12:58 Deleted Trojan program Trojan.Win32.Patched.mf C:\System Volume Information\_restore{41696BCA-D864-473A-813F-ACE914A534A8}\RP1\A0000070.exe High
5.10.2011 11:13:00 Deleted Trojan program Trojan.Win32.Patched.mf C:\System Volume Information\_restore{41696BCA-D864-473A-813F-ACE914A534A8}\RP1\A0000071.exe High
5.10.2011 11:13:01 Deleted Trojan program Trojan.Win32.Patched.mf C:\System Volume Information\_restore{41696BCA-D864-473A-813F-ACE914A534A8}\RP1\A0000072.exe High
5.10.2011 11:13:07 Deleted Trojan program Trojan.Win32.Patched.mf C:\System Volume Information\_restore{41696BCA-D864-473A-813F-ACE914A534A8}\RP1\A0000073.exe High
5.10.2011 11:13:18 Deleted Trojan program Trojan.Win32.Patched.mf C:\System Volume Information\_restore{41696BCA-D864-473A-813F-ACE914A534A8}\RP1\A0000151.exe High
5.10.2011 11:13:19 Deleted Trojan program Trojan.Win32.Patched.mf C:\System Volume Information\_restore{41696BCA-D864-473A-813F-ACE914A534A8}\RP1\A0000152.exe High
5.10.2011 11:13:21 Deleted Trojan program Trojan.Win32.Patched.mf C:\System Volume Information\_restore{41696BCA-D864-473A-813F-ACE914A534A8}\RP1\A0000153.exe High
5.10.2011 11:13:21 Deleted Trojan program Trojan.Win32.Patched.mf C:\System Volume Information\_restore{41696BCA-D864-473A-813F-ACE914A534A8}\RP1\A0000154.exe High
5.10.2011 11:30:34 Deleted virus HEUR:Backdoor.Win32.ZAccess.gen C:\WINDOWS\system32\c_29595.nl_ High
5.10.2011 11:30:33 Deleted Trojan program Trojan.Win32.Patched.mf C:\WINDOWS\system32\searchprotocolhost.exe High
Status: Disinfected (events: 1)
5.10.2011 11:12:16 Disinfected Trojan program Trojan.Win32.Patched.mf C:\Qoobox\Quarantine\C\WINDOWS\system32\nvsvc32.exe.vir High

[vyosek]

Nemyslim si ze se naboural, ale je tam spousta dalsich poskozenych\infikovanych...

Bod obnovy zatim nedelejte, mohli bychom zazalohovat nejakou havet

Pustte jeste CureIt http://www.viry.cz/forum/viewtopic.php?f=29&t=47721

[AsiStarnu]

jenom doplnim, jeste jsem jednou spustil Kasperskeho a nasel jeste toto:

Status: Deleted (events: 1)
5.10.2011 13:30:34 Deleted Trojan program Trojan.Win32.Patched.mf C:\System Volume Information\_restore{41696BCA-D864-473A-813F-ACE914A534A8}\RP1\A0000155.exe High