Re: Win32/Mebroot.K
Posted: 09 Feb 2009 22:30
Here is the log from CF... what next, is the PC clean now?
ComboFix 09-02-08.02 - Tomas 2009-02-09 22:18:44.1 - NTFSx86 MINIMAL
Systém Microsoft Windows XP Professional 5.1.2600.3.1250.1.1029.18.1535.1269 [GMT 1:00]
Spuštěný z: c:\documents and settings\Tomas\Plocha\ComboFix.exe
AV: Eset NOD32 Antivirus 2.0 *On-access scanning enabled* (Updated)
FW: Kerio Personal Firewall *enabled*
VAROVÁNÍ - NA TOMTO POČÍTAČI NENÍ NAINSTALOVÁNA KONZOLA PRO ZOTAVENÍ !!
.
((((((((((((((((((((((((((((((((((((((( Ostatní výmazy )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Tomas\Data aplikací\QNVW601P.dll
c:\program files\INSTALL.LOG
c:\program files\Seekmo Programs
c:\windows\system32\mdm.exe
c:\windows\tmlpcert2005
.
((((((((((((((((((((((((((((((((((((((( Ovladače/Služby )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_WinDriver
((((((((((((((((((((((((( Soubory vytvořené od 2009-01-09 do 2009-02-09 )))))))))))))))))))))))))))))))
.
2040-11-09 12:38 . 2005-12-16 12:29 <DIR> d-------- c:\program files\Web Page Maker V2
2010-03-29 21:54 . 2006-12-31 11:35 <DIR> d-------- c:\program files\SlySoft
2009-02-09 17:55 . 2009-02-09 17:55 578,560 --a--c--- c:\windows\system32\dllcache\user32.dll
2009-02-09 17:53 . 2009-02-09 17:53 <DIR> d-------- c:\windows\ERUNT
2009-02-09 17:53 . 2001-08-18 12:00 1,688 --a------ c:\windows\system32\AUTOEXEC.NT
2009-02-09 17:48 . 2009-02-09 18:10 <DIR> d-------- C:\SDFix
2009-02-09 17:24 . 2009-02-09 17:24 <DIR> d-------- c:\documents and settings\Tomas\DoctorWeb
2009-02-09 09:50 . 2009-02-09 09:50 <DIR> d-------- c:\documents and settings\Tomas\Data aplikací\Ashampoo
2009-02-09 09:50 . 2009-02-09 09:50 <DIR> d-------- c:\documents and settings\All Users\Data aplikací\ashampoo
2009-01-23 16:02 . 2009-01-23 16:02 <DIR> d-------- c:\program files\QO Developments
2009-01-14 00:09 . 2009-01-14 00:09 1,597,440 --a------ C:\t2fo.d
.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-09 21:14 66,796 ----a-w c:\windows\system32\drivers\fwdrv.err
2009-02-09 20:58 --------- d-----w c:\program files\ESET
2009-02-09 19:05 --------- d-----w c:\program files\SMS
2009-02-09 08:50 --------- d-----w c:\program files\Ashampoo
2009-02-04 16:30 --------- d-----w c:\documents and settings\Tomas\Data aplikací\Canon
2009-01-04 23:13 --------- d-----w c:\documents and settings\Tomas\Data aplikací\Skype
2009-01-04 14:23 --------- d-----w c:\program files\Formica4.40
2009-01-02 10:32 --------- d-----w c:\program files\Google
2009-01-02 00:14 --------- d-----w c:\documents and settings\All Users\Data aplikací\285D
2009-01-01 23:16 --------- d-----w c:\program files\ICQ6.5
2009-01-01 16:46 --------- d-----w c:\documents and settings\Tomas\Data aplikací\Apple Computer
2009-01-01 16:18 --------- d-----w c:\program files\ICQ6
2008-12-31 18:41 410,984 ----a-w c:\windows\system32\deploytk.dll
2008-12-31 18:41 --------- d-----w c:\program files\Java
2008-12-21 22:56 --------- d-----w c:\documents and settings\All Users\Data aplikací\233B9
2008-12-19 12:30 --------- d-----w c:\documents and settings\All Users\Data aplikací\201D4
2008-12-19 12:06 --------- d-----w c:\documents and settings\All Users\Data aplikací\182AF
2008-12-11 19:00 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2008-12-10 14:56 --------- d-----w c:\program files\Common Files\Motive
2008-12-10 14:56 --------- d-----w c:\documents and settings\All Users\Data aplikací\Motive
2008-12-10 11:59 --------- d-----w c:\program files\TO2SAM
2003-07-31 09:53 147,456 -c--a-w c:\windows\inf\EL2K_XP.sys
2003-07-31 09:50 448,768 -c--a-w c:\windows\inf\EL2K_N64.sys
2003-07-31 09:43 147,456 -c--a-w c:\windows\inf\EL2K_2K.sys
.
(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-11-25 335872]
"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2003-05-29 790528]
"nod32kui"="c:\program files\Eset\nod32kui.exe" [2004-09-21 778240]
"DAEMON Tools"="c:\program files\DAEMON Tools\daemon.exe" [2005-12-10 133016]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2007-02-05 849280]
"NeroCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-01-10 385024]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-31 136600]
"TCASUTIEXE"="TCAUDIAG.exe" [2003-07-16 c:\windows\system32\TCAUDIAG.EXE]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]
c:\documents and settings\Tomas\Nabídka Start\Programy\Po spuštění\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 0 (0x0)
"NoFileAssociate"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3acm"= l3codecp.acm
"vidc.EM2V"= EtxCodec.dll
"msacm.l3fhg"= mp3fhg.acm
"VIDC.X264"= x264vfw.dll
"VIDC.HFYU"= huffyuv.dll
"vidc.i263"= i263_32.drv
"msacm.divxa32"= divxa32.acm
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0smrgdf c:\documents and settings\Tomas\Data aplikací\iolo\
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Nabídka Start^Programy^Po spuštění^BlueSoleil.lnk]
path=c:\documents and settings\All Users\Nabídka Start\Programy\Po spuštění\BlueSoleil.lnk
backup=c:\windows\pss\BlueSoleil.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-01-10 15:27 385024 c:\program files\QuickTime\QTTask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CHotkey]
--a------ 2002-07-29 10:54 473088 c:\windows\mHotkey.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"SpywareTerminator"="c:\program files\Spyware Terminator\SpywareTerminatorShield.exe"
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"g:\\Office12\\OUTLOOK.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\HP1006MC.EXE"=
"c:\\Program Files\\ICQ6.5\\ICQ.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
R1 fwdrv;Firewall Driver;c:\windows\system32\drivers\fwdrv.sys [2005-09-26 286720]
R1 khips;Kerio HIPS Driver;c:\windows\system32\drivers\khips.sys [2005-09-26 81920]
R1 sp_rsdrv2;Spyware Terminator Driver 2;c:\documents and settings\All Users\Data aplikací\Spyware Terminator\sp_rsdrv2.sys [2006-06-22 131712]
R2 tcaicchg;tcaicchg;c:\windows\system32\TCAICCHG.SYS [2000-06-06 21233]
R2 TCAITDI;TCAITDI Protocol;c:\windows\system32\drivers\TCAITDI.SYS [2001-09-04 19534]
R3 PSched;Plánovač paketů technologie QoS;c:\windows\system32\drivers\psched.sys [2002-08-29 69120]
S3 cpuz129;cpuz129;\??\c:\docume~1\Tomas\LOCALS~1\Temp\cpuz_x32.sys --> c:\docume~1\Tomas\LOCALS~1\Temp\cpuz_x32.sys [?]
S3 TVICHW32;TVICHW32;c:\windows\system32\drivers\TVICHW32.SYS [2008-08-13 23600]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{279b634f-832f-11dc-a01f-101111111111}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled\ctfmon.exe
\Shell\Open(0)\command - Recycled\ctfmon.exe
.
Obsah adresáře 'Naplánované úlohy'
2008-11-22 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]
2007-11-11 c:\windows\Tasks\Microsoft_Hardware_Launch_IPoint_exe.job
- c:\program files\Microsoft IntelliPoint\ipoint.exe [2007-02-05 15:52]
2005-05-09 c:\windows\Tasks\XoftSpy.job
- c:\program files\XoftSpy\XoftSpy.exe [2005-12-09 11:44]
.
- - - - NEPLATNÉ POLOŽKY ODSTRANĚNÉ Z REGISTRU - - - -
HKCU-Run-Yahoo! Pager - c:\program files\Yahoo!\Messenger\ypager.exe
MSConfigStartUp-ICQ - c:\program files\ICQ6\ICQ.exe
MSConfigStartUp-Svátky a výročí - c:\program files\OKsoftware\Svátky a výročí\Vyroci.exe
.
------- Doplňkový sken -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
mSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr6/*http://www.yahoo.com/ext/search/search.html
IE: &ICQ Toolbar Search - c:\program files\ICQToolbar\toolbaru.dll/SEARCH.HTML
IE: &Search - http://edits.mywebsearch.com/toolbaredi ... xpt119YYCZ
IE: E&xportovat do aplikace Microsoft Excel - g:\office12\EXCEL.EXE/3000
IE: E&xportovat do aplikace Microsoft Office Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Najdi na mapě
IE: {{7E6A20FB-153F-402c-A84B-1A64E1955D3D} - {7E6A20FB-153F-402c-A84B-1A64E1955D3D} - c:\program files\Pc Translator\WEBIE.DLL
IE: {{CC963627-B1DC-40E0-B52A-CF21EE748450} - {CC963627-B1DC-40E0-B52A-CF21EE748450} - c:\program files\Pc Translator\WEBIE.DLL
IE: {{CC963627-B1DC-40E0-B52A-CF21EE748451} - {CC963627-B1DC-40E0-B52A-CF21EE748451} - c:\program files\Pc Translator\WEBIE.DLL
IE: {{CC963627-B1DC-40E0-B52A-CF21EE748452} - {CC963627-B1DC-40E0-B52A-CF21EE748452} - c:\program files\Pc Translator\WEBIE.DLL
LSP: imon.dll
TCP: {728ADE8D-21E8-455B-AF73-D04191D13B19} = 10.3.3.1,212.24.128.8
TCP: {7AA50CCE-3EAD-456C-B0CD-22C3CD3010C6} = 194.228.2.1,194.228.41.113
TCP: {F823DDD0-C493-4146-817D-37F9B756BC26} = 194.228.2.1,194.228.41.113
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {030735DF-13FE-4560-8B57-CE341E8EAAA2} - mk:@MSITStore:d:\html\instal.chm::/Install/Mg3D.cab
DPF: {1F831FA2-42FC-11D4-95A6-0080AD30DCE1} - file://c:\program files\AutoCAD 2002 Cz\InstFred.ocx
DPF: {3190CE26-0B6E-4133-A7D3-87D29CB92120} - hxxp://www.bezpecnyinternet.cz/SBI.cab
DPF: {37B7C7C6-BCD8-11D7-BD5C-00C026104E7F} - hxxp://jav.webreport.cz/sdp/dload/10051_13_CZ_dload.exe
DPF: {AE563723-B4F5-11D4-A415-00108302FDFD} - file://c:\program files\AutoCAD 2002 Cz\InstBanr.ocx
DPF: {FB48C7B0-EB66-4BE6-A1C5-9DDF3C37249A} - hxxp://xtraz.icq.com/xtraz/activex/MISBH.cab
FF - ProfilePath - c:\documents and settings\Tomas\Data aplikací\Mozilla\Firefox\Profiles\d9wfof9n.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.cz
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
---- NASTAVENÍ FIREFOXU ----
c:\program files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".cz");
.
.
------- Asociace souborů -------
.
JSEFile=NOTEPAD.EXE %1
VBEFile=NOTEPAD.EXE %1
VBSFile=NOTEPAD.EXE %1
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-09 22:25:58
Windows 5.1.2600 Service Pack 3 NTFS
skenování skrytých procesů ...
skenování skrytých položek 'Po spuštění' ...
skenování skrytých souborů ...
sken byl úspešně dokončen
skryté soubory: 0
**************************************************************************
.
--------------------- ZAMKNUTÉ KLÍČE V REGISTRU ---------------------
[HKEY_USERS\S-1-5-21-1417001333-1580818891-839522115-1003\Software\Andreas Haak\a*Ű]
"Language"="English"
"Expires"="1/1/3000
"
"Last"="30.9.2007"
[HKEY_USERS\S-1-5-21-1417001333-1580818891-839522115-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
[HKEY_USERS\S-1-5-21-1417001333-1580818891-839522115-1003\Software\Policies\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (S-1-5-21-1417001333-1580818891-839522115-1003)
@Allowed: (Read) (S-1-5-21-1417001333-1580818891-839522115-1003)
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
[HKEY_LOCAL_MACHINE\software\Andreas Haak\a*Ű]
"User"="sikecxixao@seznam.cz"
"Code"="biyisini27"
"License"=dword:00000001
"Active"=dword:00000001
[HKEY_LOCAL_MACHINE\software\Atelier Web\AWRC***]
"HD"="??????2"
.
--------------------- Knihovny navázané na běžící procesy ---------------------
- - - - - - - > 'winlogon.exe'(1020)
c:\windows\system32\Ati2evxx.dll
- - - - - - - > 'lsass.exe'(1084)
c:\windows\system32\imon.dll
c:\program files\Eset\pr_imon.dll
.
------------------------ Jiné spuštené procesy ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\spool\drivers\w32x86\3\HP1006MC.EXE
c:\windows\system32\ati2evxx.exe
c:\program files\IVT Corporation\BlueSoleil\BTNtService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Motive\McciCMService.exe
c:\program files\ESET\nod32krn.exe
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Celkový čas: 2009-02-09 22:30:10 - počítač byl restartován [Tomas]
ComboFix-quarantined-files.txt 2009-02-09 21:29:59
Před spuštěním: 2,752,344,064
Po spuštění: 2,603,651,072
Current=3 Default=3 Failed=1 LastKnownGood=5 Sets=1,2,3,4,5
239 --- E O F --- 2009-01-14 15:05:19