PC disinfection, computer speed-up, remote assistance via the neslape.cz service

IE spam

Have a problem with a virus? Post your FRST or RSIT log here.

riffman (VIP, 3203 posts, registered 20 Oct 2004, České Budějovice)

Re: IE spam

#31 Post by riffman »

Test c:\windows\system32\drivers\atapi.sys on VIRUSTOTAL

(simple how-to: once the page has loaded, click the Browse button, find the path to the file mentioned above and click the Send file button; ignore any message saying the file has already been tested and run the scan again; give the scanners some ten minutes; post the result here, either by copying the text or by pasting the link once the scan has finished)
Give us a chance to live
Give us a chance to die
Give us a chance to be free
Without fire from the sky
Give us a chance to love
Give us a chance to hate
Give us a chance, before you kill us all

kroenen2 (Visitor, 270 posts, registered 30 Jun 2008)

Re: IE spam

#32 Post by kroenen2 »

Sorry for the late reply, but I was away from the PC for a long time.

Well, VirusTotal immediately threw up just a blank page with this written on it:

0 bytes size received / Se ha recibido un archivo vacio


Re: IE spam

#33 Post by riffman »

I see... during the evening I'll post you a procedure for replacing that file ;)


Re: IE spam

#34 Post by riffman »

Open Notepad

and paste the following text into it:

Code: Select all

FCopy::
c:\windows\system32\dllcache\atapi.sys | c:\windows\system32\drivers\atapi.sys
save the text file you created as CFScript.txt on the Desktop

once saved, grab the script you created with the left mouse button, drag it over the ComboFix icon and drop it there:

[image]

after it has been applied, another log should pop up at you; post it here :)

Warning: it is possible that after the script is applied and the machine restarts, Windows will not boot; in that case restart again, keep pressing F8 after the restart and choose Last Known Good Configuration :)
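The FCopy step above overwrites the live driver with the dllcache copy, and the thread only checks the result indirectly, by reading the next ComboFix log. The script below is an added example, not part of riffman's post and not ComboFix code: it does the check a practitioner would run after such a restore, hashing the live driver and comparing it with the pristine copies Windows XP keeps in system32\dllcache and ServicePackFiles\i386. A file that opens but reads back as zero bytes (what VirusTotal reported for this driver, "0 bytes size received") and a file that cannot be opened at all are both returned as findings, not as a match. The directory tree, the file contents and the function names are constructed for the demonstration. It can only report what the file system returns for the path; a kernel-resident driver that answers those reads itself will pass it, which is why the thread also runs an MBR scanner.

```python
import hashlib
import os
import tempfile


def md5_of(path):
    """Return (status, md5_hex) for one file.

    status is "ok", "empty" (the file opened but returned 0 bytes, the symptom
    VirusTotal reported for atapi.sys in the thread) or "unreadable" (open or
    read failed, the "!HASH: COULD NOT OPEN FILE" case in ComboFix's Sigcheck).
    """
    try:
        with open(path, "rb") as fh:
            data = fh.read()
    except OSError:
        return "unreadable", None
    if not data:
        return "empty", None
    return "ok", hashlib.md5(data).hexdigest().upper()


def verify_driver(live_path, reference_paths):
    """Compare the live driver with pristine reference copies.

    verdict is "match" (live hash equals a readable reference), "mismatch"
    (readable but equal to no reference), or the live file's own failure
    status ("empty" / "unreadable").
    """
    live_status, live_hash = md5_of(live_path)
    references = {}
    for ref in reference_paths:
        status, digest = md5_of(ref)
        if status == "ok":
            references[ref] = digest
    if live_status != "ok":
        verdict = live_status
    elif live_hash in references.values():
        verdict = "match"
    else:
        verdict = "mismatch"
    return {"live": live_path, "status": live_status, "md5": live_hash,
            "references": references, "verdict": verdict}


def demo():
    """Run the check against a throwaway directory tree.

    The subdirectories mirror the three locations in the Sigcheck section
    (ServicePackFiles/i386, system32/dllcache, system32/drivers); the file
    contents are made up for the demonstration.
    """
    root = tempfile.mkdtemp(prefix="winroot_")
    sp = os.path.join(root, "ServicePackFiles", "i386", "atapi.sys")
    cache = os.path.join(root, "system32", "dllcache", "atapi.sys")
    live = os.path.join(root, "system32", "drivers", "atapi.sys")
    for p in (sp, cache, live):
        os.makedirs(os.path.dirname(p), exist_ok=True)
    clean = b"MZ" + b"\x00" * 94 + b"constructed clean driver body"
    for p in (sp, cache):
        with open(p, "wb") as fh:
            fh.write(clean)
    refs = [sp, cache]
    results = {}

    # 1) live copy reads back as 0 bytes, as VirusTotal saw it
    open(live, "wb").close()
    results["empty"] = verify_driver(live, refs)["verdict"]
    # 2) live copy has been altered: no reference agrees with it
    with open(live, "wb") as fh:
        fh.write(clean[:-4] + b"XXXX")
    results["patched"] = verify_driver(live, refs)["verdict"]
    # 3) after FCopy the live copy equals the dllcache reference again
    with open(live, "wb") as fh:
        fh.write(clean)
    results["restored"] = verify_driver(live, refs)["verdict"]
    # 4) the path cannot be opened at all
    results["missing"] = verify_driver(os.path.join(root, "none.sys"), refs)["verdict"]
    return results


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```

On a real machine you would call verify_driver with the three %SystemRoot% paths from the Sigcheck section instead of the temporary tree; a "match" against the dllcache copy is what a successful FCopy should produce.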


Re: IE spam

#35 Post by riffman »

but before that, do this first:

http://www.esagelab.com/files/bootkit_remover.rar

download, extract to the Desktop, run

after it starts, right-click in the window, choose Select All, CTRL+C, and CTRL+V here into your reply (that's how you slap the log in here for me)


Re: IE spam

#36 Post by kroenen2 »

Bootkit Remover version 1.0.0.1
(c) 2009 eSage Lab
www.esagelab.com

\\.\C: -> \\.\PhysicalDrive0
MD5: 6def5ffcbcdbdb4082f1015625e597bd
\\.\D: -> \\.\PhysicalDrive0

Size Device Name MBR Status
--------------------------------------------
55 GB \\.\PhysicalDrive0 OK (DOS/Win32 Boot code found)


Press any key to quit...


Re: IE spam

#37 Post by riffman »

so now the procedure with ComboFix and the script - see above


Re: IE spam

#38 Post by kroenen2 »

ok, here you go:

ComboFix 10-07-08.02 - kroenen2 10.07.2010 17:28:17.10.1 - x86
System Microsoft Windows XP Professional 5.1.2600.3.1250.421.1033.18.503.267 [GMT 2:00]
Running from: c:\documents and settings\kroenen2\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\kroenen2\Desktop\CFScript.txt
AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
--------------- FCopy ---------------

c:\windows\system32\dllcache\atapi.sys --> c:\windows\system32\drivers\atapi.sys
.
((((((((((((((((((((((((( Files Created from 2010-06-10 to 2010-07-10 )))))))))))))))))))))))))))))))
.

2010-06-25 14:15 . 2010-06-25 14:15 210944 ----a-w- c:\documents and settings\kroenen2\Application Data\Microsoft\Internet Explorer\Quick Launch\apps\T-Cleaner.exe
2010-06-21 18:49 . 2010-05-31 08:41 998736 ----a-w- c:\windows\system32\drivers\TDSSKiller.exe
2010-06-20 18:14 . 2010-06-28 16:27 -------- d-----w- c:\program files\trend micro
2010-06-18 11:50 . 2010-06-18 11:50 -------- d-----w- c:\program files\Common Files\Skype
2010-06-16 21:43 . 2010-04-29 13:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-16 21:43 . 2010-04-29 13:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-09 22:10 . 2010-06-01 21:06 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-07-06 19:29 . 2008-11-28 22:55 -------- d-----w- c:\documents and settings\kroenen2\Application Data\vlc
2010-06-23 23:20 . 2008-05-20 14:15 -------- d-----w- c:\documents and settings\kroenen2\Application Data\dvdcss
2010-06-23 21:58 . 2010-06-04 23:35 -------- d-----w- c:\documents and settings\kroenen2\Application Data\PriceGong
2010-06-20 15:18 . 2009-01-16 02:34 -------- d-----w- c:\documents and settings\kroenen2\Application Data\uTorrent
2010-06-18 14:27 . 2007-12-21 21:12 -------- d-----w- c:\documents and settings\kroenen2\Application Data\Skype
2010-06-18 14:23 . 2007-12-21 21:18 -------- d-----w- c:\documents and settings\kroenen2\Application Data\skypePM
2010-06-04 21:54 . 2010-01-04 00:54 -------- d-----w- c:\program files\myBabylon_English
2010-06-04 21:54 . 2009-11-01 09:43 -------- d-----w- c:\program files\PageRage
2010-05-31 16:59 . 2010-05-31 16:59 -------- d-----w- c:\program files\EPSON Projector
2010-05-17 14:15 . 2010-06-21 18:49 2258 ----a-w- c:\windows\system32\drivers\eula.txt
2010-05-02 05:22 . 2004-08-03 22:17 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-20 05:30 . 2004-08-03 23:56 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-16 16:09 . 2004-08-03 23:56 667136 ----a-w- c:\windows\system32\wininet.dll
2010-04-16 16:09 . 2004-08-03 23:56 81920 ----a-w- c:\windows\system32\ieencode.dll
2008-11-21 20:19 . 2008-05-06 20:03 10240 -csha-w- c:\program files\Thumbs.db
2008-02-16 20:09 . 2008-02-16 20:09 0 -c--a-w- c:\program files\AstonWriteTest.txt
2009-01-17 09:20 . 2009-01-15 14:39 45320224 --sha-w- c:\windows\system32\drivers\fidbox.dat
.

------- Sigcheck -------

[7] 2008-04-13 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\atapi.sys
[7] 2004-08-03 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\system32\dllcache\atapi.sys
[-] 2004-08-03 11:59 . !HASH: COULD NOT OPEN FILE !!!!! . 95360 . . [------] . . c:\windows\system32\drivers\atapi.sys

[-] 2008-04-14 . 561A50497324F378E30F55D09B4E1258 . 975872 . . [6.00.2900.5512] . . c:\windows\explorer.exe
[-] 2008-04-14 . 561A50497324F378E30F55D09B4E1258 . 975872 . . [6.00.2900.5512] . . c:\windows\ServicePackFiles\i386\explorer.exe
.
((((((((((((((((((((((((((((( SnapShot@2010-06-28_16.44.04 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-06-29 08:14 . 2010-06-29 08:14 25512 c:\windows\system32\DRVSTORE\ggsemc_69474B299F8096A4E4CB4CE6EB0E19FC32D18E55\x86\ggsemc.sys
+ 2010-06-29 08:14 . 2010-06-29 08:14 13224 c:\windows\system32\DRVSTORE\ggsemc_69474B299F8096A4E4CB4CE6EB0E19FC32D18E55\x86\ggflt.sys
+ 2010-06-29 08:14 . 2010-06-29 08:14 1112288 c:\windows\system32\DRVSTORE\ggsemc_69474B299F8096A4E4CB4CE6EB0E19FC32D18E55\x86\WdfCoInstaller01007.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{9565115d-c7d6-46d3-bd63-b67b481a4368}"= "c:\program files\PageRage\tbPag0.dll" [2010-06-04 2393184]
"{b2e293ee-fd7e-4c71-a714-5f4750d8d7b7}"= "c:\program files\myBabylon_English\tbmyB0.dll" [2010-06-04 2515552]

[HKEY_CLASSES_ROOT\clsid\{9565115d-c7d6-46d3-bd63-b67b481a4368}]

[HKEY_CLASSES_ROOT\clsid\{b2e293ee-fd7e-4c71-a714-5f4750d8d7b7}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9565115d-c7d6-46d3-bd63-b67b481a4368}]
2010-06-04 21:54 2393184 ----a-w- c:\program files\PageRage\tbPag0.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b2e293ee-fd7e-4c71-a714-5f4750d8d7b7}]
2010-06-04 21:54 2515552 ----a-w- c:\program files\myBabylon_English\tbmyB0.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{9565115d-c7d6-46d3-bd63-b67b481a4368}"= "c:\program files\PageRage\tbPag0.dll" [2010-06-04 2393184]
"{b2e293ee-fd7e-4c71-a714-5f4750d8d7b7}"= "c:\program files\myBabylon_English\tbmyB0.dll" [2010-06-04 2515552]

[HKEY_CLASSES_ROOT\clsid\{9565115d-c7d6-46d3-bd63-b67b481a4368}]

[HKEY_CLASSES_ROOT\clsid\{b2e293ee-fd7e-4c71-a714-5f4750d8d7b7}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{9565115D-C7D6-46D3-BD63-B67B481A4368}"= "c:\program files\PageRage\tbPag0.dll" [2010-06-04 2393184]
"{B2E293EE-FD7E-4C71-A714-5F4750D8D7B7}"= "c:\program files\myBabylon_English\tbmyB0.dll" [2010-06-04 2515552]

[HKEY_CLASSES_ROOT\clsid\{9565115d-c7d6-46d3-bd63-b67b481a4368}]

[HKEY_CLASSES_ROOT\clsid\{b2e293ee-fd7e-4c71-a714-5f4750d8d7b7}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UberIcon"="d:\windows\BricoPacks\Vista Inspirat 2\UberIcon\UberIcon Manager.exe" [2006-05-21 180224]
"\\KROENENAMD\EPSON SX110 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIFBE.EXE" [2008-09-26 199680]
"Google Update"="c:\documents and settings\kroenen2\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-11-22 135664]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-06-06 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-06-06 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-06-06 118784]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2006-05-25 1253376]
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="c:\program files\Google\Gmail Notifier\gnotify.exe" [2005-07-15 479232]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2005-05-20 925696]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\kroenen2\Start Menu\Programs\Startup\
RocketDock.lnk - d:\windows\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe [2007-3-19 630784]
Start Unlocker Assistant.lnk - d:\program files\Unlocker\UnlockerAssistant.exe [2006-9-7 15872]
TransBar.lnk - d:\windows\BricoPacks\Vista Inspirat 2\TransBar\TransBar.exe [2005-6-1 65536]
Y'z Shadow.lnk - d:\windows\BricoPacks\Vista Inspirat 2\YzShadow\YzShadow.exe [2006-5-21 155648]

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= d:\my hp_software\IMAGES\ZNAKY, SYMBOLY\bumblebee1.gif
FriendlyName=

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
Source= d:\my hp_software\CAM_stream\image.jpg
FriendlyName=

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^DVD Check.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\DVD Check.lnk
backup=c:\windows\pss\DVD Check.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^kroenen2^Start Menu^Programs^Startup^UberIcon.lnk]
path=c:\documents and settings\kroenen2\Start Menu\Programs\Startup\UberIcon.lnk
backup=c:\windows\pss\UberIcon.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
2008-09-26 10:02 2356088 ----a-r- c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avgnt]
2009-03-02 11:08 209153 ----a-w- c:\program files\Avira\AntiVir Desktop\avgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Babylon Client]
2009-12-23 13:55 3722128 ----a-w- d:\program files\Babylon\Babylon-Pro\Babylon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent]
2008-04-14 00:12 110592 ----a-w- c:\windows\system32\bthprops.cpl

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Domino]
2006-08-18 15:58 49152 -c--a-w- c:\windows\Domino.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON_UD_START]
2009-01-21 08:35 329632 ----a-w- c:\program files\EPSON Projector\EPSON USB Display V1.4\EMP_UD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2009-11-22 17:24 135664 ----atw- c:\documents and settings\kroenen2\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2006-10-26 23:47 31016 -c--a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UnlockerAssistant]
2006-09-07 17:19 15872 ----a-w- d:\program files\Unlocker\UnlockerAssistant.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VisualTaskTips]
2007-09-05 17:20 36352 ----a-w- d:\program files\VisualTaskTips\VisualTaskTips.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ZSSnp211]
2007-04-06 10:06 57344 -c--a-w- c:\windows\ZSSnp211.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"d:\\Program Files\\Counter-Strike\\hl.exe"=
"d:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"d:\\Program Files\\VLC\\vlc.exe"=
"d:\\Program Files\\ICQ6.5\\ICQ.exe"=
"d:\\Program Files\\Sony Ericsson\\Update Service\\Update Service.exe"=
"d:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"d:\\Program Files\\Opera\\opera.exe"=
"c:\\Program Files\\Java\\jre1.6.0_07\\bin\\javaw.exe"=
"d:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\WINDOWS\\system32\\rserver30\\rserver3.exe"=

R0 a347bus;a347bus;c:\windows\system32\drivers\a347bus.sys [6.11.2007 3:08 160640]
R0 a347scsi;a347scsi;c:\windows\system32\drivers\a347scsi.sys [6.11.2007 3:08 5248]
R0 BtHidBus;Bluetooth HID Bus Service;c:\windows\system32\drivers\BtHidBus.sys [31.7.2008 21:45 20616]
R1 raddrvv3;raddrvv3;c:\windows\system32\rserver30\raddrvv3.sys [24.4.2008 8:49 45848]
R2 EMP_UDSA;EMP_UDSA;c:\program files\EPSON Projector\EPSON USB Display V1.4\EMP_UDSA.exe [31.5.2010 18:59 98304]
R2 Hamachi2Svc;LogMeIn Hamachi 2.0 Tunneling Engine;c:\program files\LogMeIn Hamachi\hamachi-2.exe [29.10.2009 13:27 1074568]
R2 RServer3;Radmin Server V3;c:\windows\system32\rserver30\rserver3.exe [24.4.2008 8:44 1238344]
R3 eppvad_simple;EPSON Projector UD Audio Device;c:\windows\system32\drivers\EMP_UDAU.sys [31.5.2010 18:59 17664]
R3 tenCapture;tenCapture;c:\windows\system32\drivers\tenCapture.sys [21.4.2007 16:15 9344]
S1 oxser;OX16C95x Serial port driver;c:\windows\system32\DRIVERS\oxser.sys --> c:\windows\system32\DRIVERS\oxser.sys [?]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [9.6.2009 22:43 108289]
S2 ctm;Convar task manager;d:\program files\TaskManager\ctm.exe [6.6.2008 4:48 98304]
S3 IvtBtBUs;IVT Bluetooth Bus Service;c:\windows\system32\drivers\IvtBtBus.sys [2.7.2008 15:58 26248]
S3 K320bus;Sony Ericsson K320 driver (WDM);c:\windows\system32\drivers\K320bus.sys [9.4.2008 21:20 61504]
S3 K320mdfl;Sony Ericsson K320 USB WMC Modem Filter;c:\windows\system32\drivers\K320mdfl.sys [21.12.2008 12:11 9328]
S3 K320mdm;Sony Ericsson K320 USB WMC Modem Driver;c:\windows\system32\drivers\K320mdm.sys [21.12.2008 12:11 97056]
S3 K320mgmt;Sony Ericsson K320 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\K320mgmt.sys [21.12.2008 12:11 88560]
S3 K320obex;Sony Ericsson K320 USB WMC OBEX Interface;c:\windows\system32\drivers\K320obex.sys [21.12.2008 12:11 86368]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [25.1.2007 19:31 42000]
S3 RTL8192su;Realtek RTL8192SU Wireless LAN 802.11n USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8192su.sys [20.5.2010 18:02 588032]
.
Contents of the 'Scheduled Tasks' folder

2008-08-01 c:\windows\Tasks\02 - Trevor Rabin - Ben.job
- d:\my hp_software\MUSIC\SOUNDTRACKS\NATIONAL TREASURE OST (2004)\02 - Trevor Rabin - Ben.mp3 [2008-03-22 20:07]

2010-01-24 c:\windows\Tasks\Edward Maya & Vika Jigulina - Stereo Love (Molella Remix).job
- d:\my hp_software\MUSIC\TRANCE-DISCO\Edward Maya & Vika Jigulina - Stereo Love (Molella Remix).mp3 [2010-01-04 14:20]

2010-07-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1060284298-329068152-839522115-1003Core.job
- c:\documents and settings\kroenen2\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-11-22 17:24]

2010-07-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1060284298-329068152-839522115-1003UA.job
- c:\documents and settings\kroenen2\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-11-22 17:24]

2008-03-31 c:\windows\Tasks\STV2_live.job
- d:\program files\Mozilla Firefox\firefox.exe [2008-01-11 11:49]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.sk/
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xportovat do aplikace Microsoft Office Excel - d:\progra~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
IE: E&xportovať do programu Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Translate this web page with Babylon - d:\program files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/ActionTU.htm
IE: Translate with Babylon - d:\program files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/Action.htm
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\kroenen2\Application Data\Mozilla\Firefox\Profiles\r7usiygb.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT689909&SearchSource=3&q=
FF - prefs.js: browser.search.selectedEngine - ČSFD
FF - prefs.js: browser.startup.homepage - google.sk
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=utf-8&fr=megaup&p=
FF - prefs.js: network.proxy.type - 2
FF - plugin: c:\documents and settings\kroenen2\Application Data\Mozilla\Firefox\Profiles\r7usiygb.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
FF - plugin: c:\documents and settings\kroenen2\Local Settings\Application Data\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
FF - plugin: d:\progra~1\Mozilla Firefox\plugins\npmusicn.dll
FF - plugin: d:\progra~1\Mozilla Firefox\plugins\npnul32.dll
FF - plugin: d:\progra~1\Mozilla Firefox\plugins\nppdf32.dll
FF - plugin: d:\progra~1\Mozilla Firefox\plugins\npyaxmpb.dll
FF - plugin: d:\program files\Adobe\Reader 8.0\Reader\browser\nppdf32.dll
FF - plugin: d:\program files\Mozilla Firefox\plugins\npyaxmpb.dll
FF - plugin: d:\program files\Opera\program\plugins\npdsplay.dll
FF - plugin: d:\program files\Opera\program\plugins\npmusicn.dll
FF - plugin: d:\program files\Opera\program\plugins\npmusicn.dll
FF - plugin: d:\program files\Opera\program\plugins\npqtplugin.dll
FF - plugin: d:\program files\Opera\program\plugins\npqtplugin2.dll
FF - plugin: d:\program files\Opera\program\plugins\npqtplugin3.dll
FF - plugin: d:\program files\Opera\program\plugins\npqtplugin4.dll
FF - plugin: d:\program files\Opera\program\plugins\npqtplugin5.dll
FF - plugin: d:\program files\Opera\program\plugins\npwmsdrm.dll
FF - plugin: d:\program files\QuickTime\Plugins\npqtplugin.dll
FF - plugin: d:\program files\QuickTime\Plugins\npqtplugin2.dll
FF - plugin: d:\program files\QuickTime\Plugins\npqtplugin3.dll
FF - plugin: d:\program files\QuickTime\Plugins\npqtplugin4.dll
FF - plugin: d:\program files\QuickTime\Plugins\npqtplugin5.dll
FF - plugin: d:\program files\VLC\npvlc.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
d:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
d:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
d:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
d:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
d:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
d:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
d:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
d:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
d:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
d:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
d:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
d:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
d:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
d:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
d:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
d:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
d:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
d:\program files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".sk");
d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-10 17:34
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x82BB3C70]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf8556f28
\Driver\ACPI -> ACPI.sys @ 0xf83a1cb8
\Driver\atapi -> 0x82bb3c70
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x80579014
ParseProcedure -> ntkrnlpa.exe @ 0x80577c76
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x80579014
ParseProcedure -> ntkrnlpa.exe @ 0x80577c76
NDIS: Broadcom 802.11b/g WLAN -> SendCompleteHandler -> NDIS.sys @ 0xf8209bb0
PacketIndicateHandler -> NDIS.sys @ 0xf81f8a0d
SendHandler -> NDIS.sys @ 0xf820cb40
Warning: possible MBR rootkit infection !
user & kernel MBR OK

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1060284298-329068152-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{72E8F93C-8E97-A926-0C03-27BBA1DE88FA}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"jalkghkdbmdbicbjpehf"=hex:62,61,70,65,00,00
"jalkghkdbmdbicbjpelf"=hex:62,61,6c,65,00,00
"iallbcbmmbfihhigag"=hex:6b,61,6f,65,67,62,61,64,6f,66,66,68,6a,61,70,6b,65,64,
66,67,6f,6b,00,00
"hanldfkfnacohgnl"=hex:6b,61,6f,65,67,62,61,64,62,66,61,6f,63,6b,6d,70,6b,6d,
6d,70,67,6e,00,00
"hapkbfjanjckkjhg"=hex:6b,61,65,6d,62,69,6f,65,62,6f,62,70,65,6f,6f,6f,6f,6c,
69,6c,6d,62,00,00
"jamkdgjgmlmebbjnlegl"=hex:6f,61,6b,6b,67,65,6f,6b,65,62,69,6d,6b,69,6a,6b,6a,
62,6e,69,68,68,62,70,69,69,64,66,62,6d,00,53

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AEF00276-DE2E-4627-E4FF-3FD9459F1E1C}\InProcServer32*]
"paaanjhkjahfakjhjmeknkcedajobpec"=hex:6a,61,70,63,6f,70,6b,66,70,69,61,6b,67,
6a,62,6c,6c,61,62,69,00,f6
"oaaahjnnihmgjhdjpdfhabffeajgcl"=hex:69,61,70,63,69,62,6d,65,6a,63,61,68,6d,69,
63,69,62,61,00,00

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(960)
c:\windows\System32\BCMLogon.dll

- - - - - - - > 'explorer.exe'(904)
d:\windows\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.dll
d:\windows\BricoPacks\Vista Inspirat 2\YzShadow\YzShadow.dll
d:\windows\BricoPacks\Vista Inspirat 2\UberIcon\UberIcon.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\NETSHELL.dll
c:\windows\system32\credui.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\WLTRYSVC.EXE
c:\windows\System32\bcmwltry.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\rserver30\FamItrfc.Exe
c:\windows\system32\wdfmgr.exe
.
**************************************************************************
.
Completion time: 2010-07-10 17:38:22 - machine was rebooted
ComboFix-quarantined-files.txt 2010-07-10 15:38

Pre-Run: 521 752 576 bytes free
Post-Run: 504 950 784 bytes free

- - End Of File - - 0CF2DA7E3A3A438D7BD0C7226B438066
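Two parts of that log carry the finding riffman reacts to in the next post. In the Sigcheck section the SP3 and dllcache copies of atapi.sys hash normally while c:\windows\system32\drivers\atapi.sys reports "!HASH: COULD NOT OPEN FILE", and in Gmer's MBR detector output every hook resolves to a module (CLASSPNP.SYS, ACPI.sys, ntkrnlpa.exe, NDIS.sys) except \Driver\atapi, which points at a bare kernel address the scanner also lists as >>UNKNOWN<<. The following Python is an added example, not code from the post, from ComboFix or from Gmer: it parses those two sections out of a ComboFix log and returns the anomalies. The sample input is the relevant lines copied from the log above; the function names and finding labels are the example's own.

```python
import re

# Constructed input: the relevant lines copied from the ComboFix log above
# (its Sigcheck section and the Gmer MBR detector output it embeds).
SAMPLE_LOG = r"""
------- Sigcheck -------

[7] 2008-04-13 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\atapi.sys
[7] 2004-08-03 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\system32\dllcache\atapi.sys
[-] 2004-08-03 11:59 . !HASH: COULD NOT OPEN FILE !!!!! . 95360 . . [------] . . c:\windows\system32\drivers\atapi.sys

[-] 2008-04-14 . 561A50497324F378E30F55D09B4E1258 . 975872 . . [6.00.2900.5512] . . c:\windows\explorer.exe
[-] 2008-04-14 . 561A50497324F378E30F55D09B4E1258 . 975872 . . [6.00.2900.5512] . . c:\windows\ServicePackFiles\i386\explorer.exe
.
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x82BB3C70]<<
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf8556f28
\Driver\ACPI -> ACPI.sys @ 0xf83a1cb8
\Driver\atapi -> 0x82bb3c70
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x80579014
ParseProcedure -> ntkrnlpa.exe @ 0x80577c76
NDIS: Broadcom 802.11b/g WLAN -> SendCompleteHandler -> NDIS.sys @ 0xf8209bb0
Warning: possible MBR rootkit infection !
user & kernel MBR OK
"""

# ComboFix separates Sigcheck fields with " . " (an empty field shows as " . . ").
FIELD_SEP = re.compile(r"(?:\s+\.)+\s+")
# A hook target Gmer could attribute to a module: "<module> @ 0x<address>".
ATTRIBUTED = re.compile(r"^(?P<module>\S+)\s+@\s+(?P<addr>0x[0-9a-fA-F]+)$")
BARE_ADDRESS = re.compile(r"^0x[0-9a-fA-F]+$")


def section(lines, is_start, is_stop):
    """Lines strictly between the first is_start line and the next is_stop line."""
    out, inside = [], False
    for line in lines:
        if not inside:
            inside = is_start(line)
            continue
        if is_stop(line):
            break
        out.append(line)
    return out


def parse_sigcheck(lines):
    """Yield (path, version, md5_or_None) per Sigcheck entry; None means unreadable."""
    for line in lines:
        if not line.startswith("["):
            continue
        fields = FIELD_SEP.split(line.strip())
        if len(fields) < 5:
            continue
        digest, version, path = fields[1], fields[3].strip("[]"), fields[4]
        yield path, version, (None if digest.startswith("!HASH") else digest.upper())


def parse_hooks(lines):
    """Yield (hooked_object, module_or_None, address) per Gmer hook line."""
    for line in lines:
        if "->" not in line:
            continue
        head, _, target = line.rpartition("->")
        target = target.strip()
        m = ATTRIBUTED.match(target)
        if m:
            yield head.strip(), m.group("module"), m.group("addr")
        elif BARE_ADDRESS.match(target):
            yield head.strip(), None, target


def triage(log_text):
    """Return [(finding_kind, detail), ...] for the anomalies in a ComboFix log."""
    lines = log_text.splitlines()
    findings = []

    sig = section(lines, lambda l: l.strip() == "------- Sigcheck -------",
                  lambda l: l.strip() == "." or l.startswith("((("))
    hashes = {}  # (file name, version) -> set of MD5s seen across copies
    for path, version, digest in parse_sigcheck(sig):
        if digest is None:
            findings.append(("unreadable", path))
        else:
            name = path.rsplit("\\", 1)[-1].lower()
            hashes.setdefault((name, version), set()).add(digest)
    # Same file, same version, different hash across copies: one of them is modified.
    for (name, version), digests in hashes.items():
        if len(digests) > 1:
            findings.append(("hash_disagreement", f"{name} {version}"))

    hooks = section(lines, lambda l: l.strip() == "detected MBR rootkit hooks:",
                    lambda l: not l.strip() or l.startswith(("Warning", "user & kernel", "***")))
    for obj, module, addr in parse_hooks(hooks):
        if module is None:  # hook points into memory no loaded module owns
            findings.append(("unattributed_hook", f"{obj} -> {addr}"))

    if any("possible MBR rootkit infection" in l for l in lines):
        findings.append(("scanner_warning", "Gmer: possible MBR rootkit infection"))
    return findings


if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_LOG):
        print(f"{kind:20s} {detail}")
```

On the sample this yields one unreadable system file, one hook without an owning module and the scanner's own warning. Copies of the same file at the same version with different hashes are reported as a hash disagreement; the SP2 and SP3 copies of atapi.sys differ by version, so they are not.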


Re: IE spam

#39 Post by riffman »

I'll be damned, the filth is there again...

so we'll do this again (but this time in Safe Mode):

download TDSSKiller, extract it into the folder C:\WINDOWS\system32\drivers and run it

on Windows Vista and Windows 7 run the application as administrator (right-click the application icon and choose "Run as administrator")

the following window appears:

[image]

the scan runs; at its end, if there is an infection, the following window appears:

[image]

If you see the message "Close all programs and choose Y to restart or N to continue" on the last line, press the Y key and your machine will be restarted

after the restart, run ComboFix again and post the log here


Re: IE spam

#40 Post by kroenen2 »

What, the same thing that was there before and that we got rid of? Listen, couldn't it be because a friend borrows the notebook now and then and opens various "dodgy" sites on it??? Besides that, my antivirus is acting up; I wanted to uninstall it and put it back on, but it can't be removed even with UninstallTool. So please help me with that first, so that a working Avira is on there. Or is something else more important?


Re: IE spam

#41 Post by riffman »

there's filth in the MBR sector, so I'd think twice about lending out the notebook and give your mate a kick up the backside ;) task number one equals removing the filth :)


Re: IE spam

#42 Post by kroenen2 »

So just normally following your procedure (if you don't mind, let's be on first-name terms :) ) and we leave the Avira reinstall for later, even though it isn't working and the notebook is still connected to the network?


Re: IE spam

#43 Příspěvek od riffman »

yeeeeeeeees :)

kroenen2
Visitor
Posts: 270
Registered: 30 Jun 2008 11:52

Re: IE spam

#44 Post by kroenen2 »

My apologies, I was ill for a long time and away for a while. But I want to get the problem solved, so I followed your instructions exactly (by the way, TDSSKiller no longer runs in the command line, but in a normal window).

ComboFix 10-07-24.01 - kroenen2 25.07.2010 9:26.11.1 - x86
Systém Microsoft Windows XP Professional 5.1.2600.3.1250.421.1033.18.503.267 [GMT 2:00]
Running from: c:\documents and settings\kroenen2\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2010-06-25 to 2010-07-25 )))))))))))))))))))))))))))))))
.

2010-07-14 20:54 . 2010-06-14 14:31 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe
2010-06-25 14:15 . 2010-06-25 14:15 210944 ----a-w- c:\documents and settings\kroenen2\Application Data\Microsoft\Internet Explorer\Quick Launch\apps\T-Cleaner.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-25 07:23 . 2008-11-28 22:55 -------- d-----w- c:\documents and settings\kroenen2\Application Data\vlc
2010-07-22 14:11 . 2010-06-21 18:49 1170256 ----a-w- c:\windows\system32\drivers\TDSSKiller.exe
2010-07-19 13:27 . 2010-06-01 21:06 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-06-28 16:27 . 2010-06-20 18:14 -------- d-----w- c:\program files\trend micro
2010-06-23 23:20 . 2008-05-20 14:15 -------- d-----w- c:\documents and settings\kroenen2\Application Data\dvdcss
2010-06-23 21:58 . 2010-06-04 23:35 -------- d-----w- c:\documents and settings\kroenen2\Application Data\PriceGong
2010-06-20 15:18 . 2009-01-16 02:34 -------- d-----w- c:\documents and settings\kroenen2\Application Data\uTorrent
2010-06-18 14:27 . 2007-12-21 21:12 -------- d-----w- c:\documents and settings\kroenen2\Application Data\Skype
2010-06-18 14:23 . 2007-12-21 21:18 -------- d-----w- c:\documents and settings\kroenen2\Application Data\skypePM
2010-06-18 11:50 . 2010-06-18 11:50 -------- d-----w- c:\program files\Common Files\Skype
2010-06-14 14:31 . 2007-11-06 00:17 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-06-04 21:54 . 2010-01-04 00:54 -------- d-----w- c:\program files\myBabylon_English
2010-06-04 21:54 . 2009-11-01 09:43 -------- d-----w- c:\program files\PageRage
2010-05-31 16:59 . 2010-05-31 16:59 -------- d-----w- c:\program files\EPSON Projector
2010-05-02 05:22 . 2004-08-03 22:17 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-29 13:39 . 2010-06-16 21:43 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 13:39 . 2010-06-16 21:43 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2008-11-21 20:19 . 2008-05-06 20:03 10240 -csha-w- c:\program files\Thumbs.db
2008-02-16 20:09 . 2008-02-16 20:09 0 -c--a-w- c:\program files\AstonWriteTest.txt
2009-01-17 09:20 . 2009-01-15 14:39 45320224 --sha-w- c:\windows\system32\drivers\fidbox.dat
.

------- Sigcheck -------

[7] 2008-04-13 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\atapi.sys
[7] 2004-08-03 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\system32\dllcache\atapi.sys
[-] 2004-08-03 09:59 . !HASH: COULD NOT OPEN FILE !!!!! . 95360 . . [------] . . c:\windows\system32\drivers\atapi.sys

[-] 2008-04-14 . 561A50497324F378E30F55D09B4E1258 . 975872 . . [6.00.2900.5512] . . c:\windows\explorer.exe
[-] 2008-04-14 . 561A50497324F378E30F55D09B4E1258 . 975872 . . [6.00.2900.5512] . . c:\windows\ServicePackFiles\i386\explorer.exe
.
((((((((((((((((((((((((((((( SnapShot@2010-06-28_16.44.04 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-06-29 08:14 . 2010-06-29 08:14 25512 c:\windows\system32\DRVSTORE\ggsemc_69474B299F8096A4E4CB4CE6EB0E19FC32D18E55\x86\ggsemc.sys
+ 2010-06-29 08:14 . 2010-06-29 08:14 13224 c:\windows\system32\DRVSTORE\ggsemc_69474B299F8096A4E4CB4CE6EB0E19FC32D18E55\x86\ggflt.sys
+ 2010-06-29 08:14 . 2010-06-29 08:14 1112288 c:\windows\system32\DRVSTORE\ggsemc_69474B299F8096A4E4CB4CE6EB0E19FC32D18E55\x86\WdfCoInstaller01007.dll
+ 2007-12-12 04:42 . 2010-07-02 19:39 34045896 c:\windows\system32\MRT.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{9565115d-c7d6-46d3-bd63-b67b481a4368}"= "c:\program files\PageRage\tbPag0.dll" [2010-06-04 2393184]
"{b2e293ee-fd7e-4c71-a714-5f4750d8d7b7}"= "c:\program files\myBabylon_English\tbmyB0.dll" [2010-06-04 2515552]

[HKEY_CLASSES_ROOT\clsid\{9565115d-c7d6-46d3-bd63-b67b481a4368}]

[HKEY_CLASSES_ROOT\clsid\{b2e293ee-fd7e-4c71-a714-5f4750d8d7b7}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9565115d-c7d6-46d3-bd63-b67b481a4368}]
2010-06-04 21:54 2393184 ----a-w- c:\program files\PageRage\tbPag0.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b2e293ee-fd7e-4c71-a714-5f4750d8d7b7}]
2010-06-04 21:54 2515552 ----a-w- c:\program files\myBabylon_English\tbmyB0.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{9565115d-c7d6-46d3-bd63-b67b481a4368}"= "c:\program files\PageRage\tbPag0.dll" [2010-06-04 2393184]
"{b2e293ee-fd7e-4c71-a714-5f4750d8d7b7}"= "c:\program files\myBabylon_English\tbmyB0.dll" [2010-06-04 2515552]

[HKEY_CLASSES_ROOT\clsid\{9565115d-c7d6-46d3-bd63-b67b481a4368}]

[HKEY_CLASSES_ROOT\clsid\{b2e293ee-fd7e-4c71-a714-5f4750d8d7b7}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{9565115D-C7D6-46D3-BD63-B67B481A4368}"= "c:\program files\PageRage\tbPag0.dll" [2010-06-04 2393184]
"{B2E293EE-FD7E-4C71-A714-5F4750D8D7B7}"= "c:\program files\myBabylon_English\tbmyB0.dll" [2010-06-04 2515552]

[HKEY_CLASSES_ROOT\clsid\{9565115d-c7d6-46d3-bd63-b67b481a4368}]

[HKEY_CLASSES_ROOT\clsid\{b2e293ee-fd7e-4c71-a714-5f4750d8d7b7}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UberIcon"="d:\windows\BricoPacks\Vista Inspirat 2\UberIcon\UberIcon Manager.exe" [2006-05-21 180224]
"\\KROENENAMD\EPSON SX110 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIFBE.EXE" [2008-09-26 199680]
"Google Update"="c:\documents and settings\kroenen2\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-11-22 135664]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-06-06 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-06-06 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-06-06 118784]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2006-05-25 1253376]
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="c:\program files\Google\Gmail Notifier\gnotify.exe" [2005-07-15 479232]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2005-05-20 925696]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\kroenen2\Start Menu\Programs\Startup\
RocketDock.lnk - d:\windows\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe [2007-3-19 630784]
Start Unlocker Assistant.lnk - d:\program files\Unlocker\UnlockerAssistant.exe [2006-9-7 15872]
TransBar.lnk - d:\windows\BricoPacks\Vista Inspirat 2\TransBar\TransBar.exe [2005-6-1 65536]
Y'z Shadow.lnk - d:\windows\BricoPacks\Vista Inspirat 2\YzShadow\YzShadow.exe [2006-5-21 155648]

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= d:\my hp_software\IMAGES\ZNAKY, SYMBOLY\bumblebee1.gif
FriendlyName=

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
Source= d:\my hp_software\CAM_stream\image.jpg
FriendlyName=

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^DVD Check.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\DVD Check.lnk
backup=c:\windows\pss\DVD Check.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^kroenen2^Start Menu^Programs^Startup^UberIcon.lnk]
path=c:\documents and settings\kroenen2\Start Menu\Programs\Startup\UberIcon.lnk
backup=c:\windows\pss\UberIcon.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
2008-09-26 10:02 2356088 ----a-r- c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avgnt]
2009-03-02 11:08 209153 ----a-w- c:\program files\Avira\AntiVir Desktop\avgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Babylon Client]
2009-12-23 13:55 3722128 ----a-w- d:\program files\Babylon\Babylon-Pro\Babylon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent]
2008-04-14 00:12 110592 ----a-w- c:\windows\system32\bthprops.cpl

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Domino]
2006-08-18 15:58 49152 -c--a-w- c:\windows\Domino.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON_UD_START]
2009-01-21 08:35 329632 ----a-w- c:\program files\EPSON Projector\EPSON USB Display V1.4\EMP_UD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2009-11-22 17:24 135664 ----atw- c:\documents and settings\kroenen2\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2006-10-26 23:47 31016 -c--a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UnlockerAssistant]
2006-09-07 17:19 15872 ----a-w- d:\program files\Unlocker\UnlockerAssistant.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VisualTaskTips]
2007-09-05 17:20 36352 ----a-w- d:\program files\VisualTaskTips\VisualTaskTips.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ZSSnp211]
2007-04-06 10:06 57344 -c--a-w- c:\windows\ZSSnp211.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"d:\\Program Files\\Counter-Strike\\hl.exe"=
"d:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"d:\\Program Files\\VLC\\vlc.exe"=
"d:\\Program Files\\ICQ6.5\\ICQ.exe"=
"d:\\Program Files\\Sony Ericsson\\Update Service\\Update Service.exe"=
"d:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"d:\\Program Files\\Opera\\opera.exe"=
"c:\\Program Files\\Java\\jre1.6.0_07\\bin\\javaw.exe"=
"d:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\WINDOWS\\system32\\rserver30\\rserver3.exe"=

R0 a347bus;a347bus;c:\windows\system32\drivers\a347bus.sys [6.11.2007 3:08 160640]
R0 a347scsi;a347scsi;c:\windows\system32\drivers\a347scsi.sys [6.11.2007 3:08 5248]
R0 BtHidBus;Bluetooth HID Bus Service;c:\windows\system32\drivers\BtHidBus.sys [31.7.2008 21:45 20616]
R1 raddrvv3;raddrvv3;c:\windows\system32\rserver30\raddrvv3.sys [24.4.2008 8:49 45848]
R2 EMP_UDSA;EMP_UDSA;c:\program files\EPSON Projector\EPSON USB Display V1.4\EMP_UDSA.exe [31.5.2010 18:59 98304]
R2 Hamachi2Svc;LogMeIn Hamachi 2.0 Tunneling Engine;c:\program files\LogMeIn Hamachi\hamachi-2.exe [29.10.2009 13:27 1074568]
R2 RServer3;Radmin Server V3;c:\windows\system32\rserver30\rserver3.exe [24.4.2008 8:44 1238344]
R3 eppvad_simple;EPSON Projector UD Audio Device;c:\windows\system32\drivers\EMP_UDAU.sys [31.5.2010 18:59 17664]
R3 tenCapture;tenCapture;c:\windows\system32\drivers\tenCapture.sys [21.4.2007 16:15 9344]
S1 oxser;OX16C95x Serial port driver;c:\windows\system32\DRIVERS\oxser.sys --> c:\windows\system32\DRIVERS\oxser.sys [?]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [9.6.2009 22:43 108289]
S2 ctm;Convar task manager;d:\program files\TaskManager\ctm.exe [6.6.2008 4:48 98304]
S3 IvtBtBUs;IVT Bluetooth Bus Service;c:\windows\system32\drivers\IvtBtBus.sys [2.7.2008 15:58 26248]
S3 K320bus;Sony Ericsson K320 driver (WDM);c:\windows\system32\drivers\K320bus.sys [9.4.2008 21:20 61504]
S3 K320mdfl;Sony Ericsson K320 USB WMC Modem Filter;c:\windows\system32\drivers\K320mdfl.sys [21.12.2008 12:11 9328]
S3 K320mdm;Sony Ericsson K320 USB WMC Modem Driver;c:\windows\system32\drivers\K320mdm.sys [21.12.2008 12:11 97056]
S3 K320mgmt;Sony Ericsson K320 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\K320mgmt.sys [21.12.2008 12:11 88560]
S3 K320obex;Sony Ericsson K320 USB WMC OBEX Interface;c:\windows\system32\drivers\K320obex.sys [21.12.2008 12:11 86368]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [25.1.2007 19:31 42000]
S3 RTL8192su;Realtek RTL8192SU Wireless LAN 802.11n USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8192su.sys [20.5.2010 18:02 588032]
.
Contents of the 'Scheduled Tasks' folder

2008-08-01 c:\windows\Tasks\02 - Trevor Rabin - Ben.job
- d:\my hp_software\MUSIC\SOUNDTRACKS\NATIONAL TREASURE OST (2004)\02 - Trevor Rabin - Ben.mp3 [2008-03-22 20:07]

2010-01-24 c:\windows\Tasks\Edward Maya & Vika Jigulina - Stereo Love (Molella Remix).job
- d:\my hp_software\MUSIC\TRANCE-DISCO\Edward Maya & Vika Jigulina - Stereo Love (Molella Remix).mp3 [2010-01-04 14:20]

2010-07-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1060284298-329068152-839522115-1003Core.job
- c:\documents and settings\kroenen2\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-11-22 17:24]

2010-07-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1060284298-329068152-839522115-1003UA.job
- c:\documents and settings\kroenen2\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-11-22 17:24]

2008-03-31 c:\windows\Tasks\STV2_live.job
- d:\program files\Mozilla Firefox\firefox.exe [2008-01-11 20:27]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.sk/
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xportovat do aplikace Microsoft Office Excel - d:\progra~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
IE: E&xportovať do programu Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Translate this web page with Babylon - d:\program files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/ActionTU.htm
IE: Translate with Babylon - d:\program files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/Action.htm
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\kroenen2\Application Data\Mozilla\Firefox\Profiles\r7usiygb.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT689909&SearchSource=3&q=
FF - prefs.js: browser.search.selectedEngine - ČSFD
FF - prefs.js: browser.startup.homepage - google.sk
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=utf-8&fr=megaup&p=
FF - prefs.js: network.proxy.type - 2
FF - plugin: c:\documents and settings\kroenen2\Application Data\Mozilla\Firefox\Profiles\r7usiygb.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
FF - plugin: c:\documents and settings\kroenen2\Local Settings\Application Data\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
FF - plugin: d:\progra~1\Mozilla Firefox\plugins\npmusicn.dll
FF - plugin: d:\progra~1\Mozilla Firefox\plugins\npnul32.dll
FF - plugin: d:\progra~1\Mozilla Firefox\plugins\nppdf32.dll
FF - plugin: d:\progra~1\Mozilla Firefox\plugins\npyaxmpb.dll
FF - plugin: d:\program files\Adobe\Reader 8.0\Reader\browser\nppdf32.dll
FF - plugin: d:\program files\Mozilla Firefox\plugins\npyaxmpb.dll
FF - plugin: d:\program files\Opera\program\plugins\npdsplay.dll
FF - plugin: d:\program files\Opera\program\plugins\npmusicn.dll
FF - plugin: d:\program files\Opera\program\plugins\npmusicn.dll
FF - plugin: d:\program files\Opera\program\plugins\npqtplugin.dll
FF - plugin: d:\program files\Opera\program\plugins\npqtplugin2.dll
FF - plugin: d:\program files\Opera\program\plugins\npqtplugin3.dll
FF - plugin: d:\program files\Opera\program\plugins\npqtplugin4.dll
FF - plugin: d:\program files\Opera\program\plugins\npqtplugin5.dll
FF - plugin: d:\program files\Opera\program\plugins\npwmsdrm.dll
FF - plugin: d:\program files\QuickTime\Plugins\npqtplugin.dll
FF - plugin: d:\program files\QuickTime\Plugins\npqtplugin2.dll
FF - plugin: d:\program files\QuickTime\Plugins\npqtplugin3.dll
FF - plugin: d:\program files\QuickTime\Plugins\npqtplugin4.dll
FF - plugin: d:\program files\QuickTime\Plugins\npqtplugin5.dll
FF - plugin: d:\program files\VLC\npvlc.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
d:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
d:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
d:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
d:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
d:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
d:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
d:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
d:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
d:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
d:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
d:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
d:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
d:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
d:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
d:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
d:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
d:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
d:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
d:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
d:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
d:\program files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".sk");
d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-25 09:33
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x82BB24A0]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf8556f28
\Driver\ACPI -> ACPI.sys @ 0xf83a1cb8
\Driver\atapi -> 0x82bb24a0
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x80579014
ParseProcedure -> ntkrnlpa.exe @ 0x80577c76
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x80579014
ParseProcedure -> ntkrnlpa.exe @ 0x80577c76
NDIS: Broadcom 802.11b/g WLAN -> SendCompleteHandler -> NDIS.sys @ 0xf8209bb0
PacketIndicateHandler -> NDIS.sys @ 0xf81f8a0d
SendHandler -> NDIS.sys @ 0xf820cb40
Warning: possible MBR rootkit infection !
user & kernel MBR OK

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1060284298-329068152-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{72E8F93C-8E97-A926-0C03-27BBA1DE88FA}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"jalkghkdbmdbicbjpehf"=hex:62,61,70,65,00,00
"jalkghkdbmdbicbjpelf"=hex:62,61,6c,65,00,00
"iallbcbmmbfihhigag"=hex:6b,61,6f,65,67,62,61,64,6f,66,66,68,6a,61,70,6b,65,64,
66,67,6f,6b,00,00
"hanldfkfnacohgnl"=hex:6b,61,6f,65,67,62,61,64,62,66,61,6f,63,6b,6d,70,6b,6d,
6d,70,67,6e,00,00
"hapkbfjanjckkjhg"=hex:6b,61,65,6d,62,69,6f,65,62,6f,62,70,65,6f,6f,6f,6f,6c,
69,6c,6d,62,00,00
"jamkdgjgmlmebbjnlegl"=hex:6f,61,6b,6b,67,65,6f,6b,65,62,69,6d,6b,69,6a,6b,6a,
62,6e,69,68,68,62,70,69,69,64,66,62,6d,00,53

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AEF00276-DE2E-4627-E4FF-3FD9459F1E1C}\InProcServer32*]
"paaanjhkjahfakjhjmeknkcedajobpec"=hex:6a,61,70,63,6f,70,6b,66,70,69,61,6b,67,
6a,62,6c,6c,61,62,69,00,f6
"oaaahjnnihmgjhdjpdfhabffeajgcl"=hex:69,61,70,63,69,62,6d,65,6a,63,61,68,6d,69,
63,69,62,61,00,00

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(956)
c:\windows\System32\BCMLogon.dll

- - - - - - - > 'explorer.exe'(3768)
d:\windows\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.dll
d:\windows\BricoPacks\Vista Inspirat 2\YzShadow\YzShadow.dll
d:\windows\BricoPacks\Vista Inspirat 2\UberIcon\UberIcon.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\NETSHELL.dll
c:\windows\system32\credui.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\WLTRYSVC.EXE
c:\windows\System32\bcmwltry.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\wdfmgr.exe
c:\windows\system32\rserver30\FamItrfc.Exe
.
**************************************************************************
.
Completion time: 2010-07-25 09:37:13 - machine was rebooted
ComboFix-quarantined-files.txt 2010-07-25 07:37
ComboFix2.txt 2010-07-10 15:38

Pre-Run: 561 074 176 bytes free
Post-Run: 544 657 408 voľných bajtov

- - End Of File - - 191C313B8E7BF806CF8A4C7C89C9135A
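
Reading the log above by hand means cross-checking two sections: the Sigcheck table, where both archived copies of atapi.sys (dllcache and ServicePackFiles) have an MD5 while the live copy in system32\drivers reports "COULD NOT OPEN FILE", and the Gmer section, where the \Driver\atapi hook points at a bare address (0x82bb24a0) that also shows up as the UNKNOWN entry in the called-modules chain. The following Python helper, added here as an example and not code from ComboFix, Gmer or this forum, performs that cross-check over an excerpt of the posted log; the line layouts it parses are assumptions read off this particular log rather than a documented format.

```python
"""Triage helper for a ComboFix log: read the Sigcheck table and the Gmer
MBR detector section and report the indicators of a tampered atapi.sys.
Added example for this thread; not part of ComboFix, Gmer or the forum's
tooling. The row layouts below are assumptions taken from the posted log."""
import re

# Constructed sample input: lines taken from the log posted in this thread,
# reduced to the two sections this helper reads.
SAMPLE_LOG = r"""
------- Sigcheck -------

[7] 2008-04-13 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\atapi.sys
[7] 2004-08-03 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\system32\dllcache\atapi.sys
[-] 2004-08-03 09:59 . !HASH: COULD NOT OPEN FILE !!!!! . 95360 . . [------] . . c:\windows\system32\drivers\atapi.sys

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x82BB24A0]<<
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf8556f28
\Driver\ACPI -> ACPI.sys @ 0xf83a1cb8
\Driver\atapi -> 0x82bb24a0
Warning: possible MBR rootkit infection !
user & kernel MBR OK
"""

# One Sigcheck row: [flag] date . md5-or-error . size . . [version] . . path
SIGCHECK_RE = re.compile(
    r"^\[(?P<flag>.)\] (?P<date>\d{4}-\d{2}-\d{2}(?: \d{2}:\d{2})?) \. "
    r"(?P<hash>.+?) \. (?P<size>\d+) \. \. \[(?P<version>[^\]]*)\] \. \. (?P<path>.+)$"
)
# One Gmer hook row: \Driver\<name> -> <module @ address | bare address>
HOOK_RE = re.compile(r"^(?P<object>\\Driver\\\S+) -> (?P<target>.+)$")
UNKNOWN_RE = re.compile(r">>UNKNOWN \[(0x[0-9A-Fa-f]+)\]<<")
MD5_RE = re.compile(r"[0-9A-Fa-f]{32}")
ADDR_RE = re.compile(r"0x[0-9A-Fa-f]+")

def parse_sigcheck(log):
    """One dict per Sigcheck row; md5 is None when the file could not be hashed."""
    entries = []
    for line in log.splitlines():
        m = SIGCHECK_RE.match(line.strip())
        if not m:
            continue
        raw = m.group("hash")
        entries.append({
            "flag": m.group("flag"),
            "md5": raw.upper() if MD5_RE.fullmatch(raw) else None,
            "size": int(m.group("size")),
            "version": m.group("version"),
            "path": m.group("path").lower(),
        })
    return entries

def unreadable_files(entries):
    """Paths whose hash Sigcheck could not compute (a locked or hidden file)."""
    return [e["path"] for e in entries if e["md5"] is None]

def copies_of(entries, basename):
    """Map every listed copy of a file (live, dllcache, ServicePackFiles) to its md5."""
    suffix = "\\" + basename.lower()
    return {e["path"]: e["md5"] for e in entries if e["path"].endswith(suffix)}

def driver_hooks(log):
    """Map each hooked driver object to the target Gmer reported for it."""
    hooks = {}
    for line in log.splitlines():
        m = HOOK_RE.match(line.strip())
        if m:
            hooks[m.group("object")] = m.group("target")
    return hooks

def hooks_without_module(hooks):
    """Hooks whose target is a bare address: Gmer could not name the owning module."""
    return [obj for obj, target in hooks.items() if ADDR_RE.fullmatch(target)]

def unknown_module_addresses(log):
    """Addresses Gmer printed as >>UNKNOWN [...]<< in the called-modules chain."""
    return [a.lower() for a in UNKNOWN_RE.findall(log)]

def triage(log):
    """Combine the indicators; corroborated_hooks ties a bare hook to an UNKNOWN module."""
    entries = parse_sigcheck(log)
    hooks = driver_hooks(log)
    unknown = unknown_module_addresses(log)
    bare = hooks_without_module(hooks)
    return {
        "unreadable_files": unreadable_files(entries),
        "hooks_without_module": bare,
        "unknown_module_addresses": unknown,
        "corroborated_hooks": [o for o in bare if hooks[o].lower() in unknown],
        "mbr_warning": "possible MBR rootkit infection" in log,
    }

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run it as a script to print the findings for the embedded excerpt, or pass a full saved log to triage(). A non-empty corroborated_hooks list is the strongest single indicator here: the unnamed \Driver\atapi hook and the UNKNOWN called module sit at the same address, which together with the unreadable live atapi.sys matches the MBR-level infection the thread goes on to treat with mbr.exe.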

riffman
VIP
Posts: 3203
Registered: 20 Oct 2004 07:00
Location: České Budějovice

Re: IE spam

#45 Post by riffman »

Download MBR

Move mbr.exe to the C:\Windows directory

The next steps are as follows:

Start / Run, type cmd into the box and press Enter.

A command prompt window will pop up; type in the following command by hand:

mbr.exe -f

and press Enter

After the operation completes, restart, run mbr once more (this time normally) and post the log here.
