VIRY.CZ

poradte prosim...nemohu zbavit od vire

log z combofixu
(vypinal obnoveni systemu, cistil Ccleanerem atd - nepomohlo)
Predem dekuji moc!!!

ComboFix 10-10-25.01 - korensky 26.10.2010 10:35:12.3.1 - x86
Systém Microsoft Windows XP Professional 5.1.2600.3.1250.420.1029.18.1015.631 [GMT 2:00]
Spuštěný z: C:\ComboFix.exe
AV: ESET NOD32 Antivirus 4.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
.

((((((((((((((((((((((((((((((((((((((( Ostatní výmazy )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\korensky\Dokumenty\cc_20101026_093218.reg

.
((((((((((((((((((((((((( Soubory vytvořené od 2010-09-26 do 2010-10-26 )))))))))))))))))))))))))))))))
.

2010-10-26 07:25 . 2010-10-26 07:26 94217974 ----a-w- C:\zaloha.reg
2010-10-25 14:44 . 2010-10-25 14:46 -------- d-----w- C:\setup_full_3800_3
2010-10-25 14:28 . 2010-10-25 14:28 -------- d-----w- c:\documents and settings\All Users\Data aplikací\HP
2010-10-25 13:01 . 2010-10-25 13:01 -------- d-----w- c:\program files\CCleaner

.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.

((((((((((((((((((((((((((((( SnapShot@2010-10-25_12.34.29 )))))))))))))))))))))))))))))))))))))))))
.
- 2010-03-18 08:09 . 2010-03-18 08:09 99176 c:\windows\system32\PresentationHostProxy.dll
+ 2010-03-30 22:16 . 2010-03-30 22:16 99176 c:\windows\system32\PresentationHostProxy.dll
- 2010-03-18 08:09 . 2010-03-18 08:09 49488 c:\windows\system32\netfxperf.dll
+ 2009-11-06 23:07 . 2009-11-06 23:07 49488 c:\windows\system32\netfxperf.dll
- 2009-11-11 18:06 . 2009-11-11 18:06 11600 c:\windows\system32\mui\0409\mscorees.dll
+ 2009-11-06 23:07 . 2009-11-06 23:07 11600 c:\windows\system32\mui\0409\mscorees.dll
+ 2008-08-19 09:56 . 2008-04-13 17:45 15104 c:\windows\system32\drivers\usbscan.sys
- 2008-08-19 09:56 . 2008-04-13 18:45 15104 c:\windows\system32\drivers\usbscan.sys
+ 2008-08-19 09:56 . 2008-04-13 17:45 15104 c:\windows\system32\dllcache\usbscan.sys
- 2010-03-18 11:16 . 2010-03-18 11:16 13648 c:\windows\Microsoft.NET\Framework\sbscmp20_perfcounter.dll
+ 2009-11-06 23:07 . 2009-11-06 23:07 13648 c:\windows\Microsoft.NET\Framework\sbscmp20_perfcounter.dll
- 2010-03-18 11:16 . 2010-03-18 11:16 13648 c:\windows\Microsoft.NET\Framework\sbscmp20_mscorwks.dll
+ 2009-11-06 23:07 . 2009-11-06 23:07 13648 c:\windows\Microsoft.NET\Framework\sbscmp20_mscorwks.dll
+ 2009-11-06 23:07 . 2009-11-06 23:07 13648 c:\windows\Microsoft.NET\Framework\sbscmp10.dll
- 2010-03-18 11:16 . 2010-03-18 11:16 13648 c:\windows\Microsoft.NET\Framework\sbscmp10.dll
+ 2009-11-06 23:07 . 2009-11-06 23:07 86864 c:\windows\Microsoft.NET\Framework\NETFXSBS10.exe
- 2010-03-18 11:16 . 2010-03-18 11:16 86864 c:\windows\Microsoft.NET\Framework\NETFXSBS10.exe
+ 2010-03-30 22:10 . 2010-03-30 22:10 295264 c:\windows\system32\PresentationHost.exe
- 2010-03-18 08:09 . 2010-03-18 08:09 295264 c:\windows\system32\PresentationHost.exe
- 2010-03-18 08:09 . 2010-03-18 08:09 297808 c:\windows\system32\mscoree.dll
+ 2009-11-06 23:07 . 2009-11-06 23:07 297808 c:\windows\system32\mscoree.dll
- 2008-08-19 09:56 . 2007-01-14 23:45 622592 c:\windows\system32\hpxp3800.dll
+ 2008-08-19 09:56 . 2007-01-15 06:45 622592 c:\windows\system32\hpxp3800.dll
- 2008-08-19 09:56 . 2007-01-14 23:41 888832 c:\windows\system32\hpgt3800.dll
+ 2008-08-19 09:56 . 2007-05-24 18:40 888832 c:\windows\system32\hpgt3800.dll
- 2008-08-19 09:56 . 2007-01-14 23:42 438272 c:\windows\system32\hp3800co.dll
+ 2008-08-19 09:56 . 2007-01-15 06:42 438272 c:\windows\system32\hp3800co.dll
+ 2008-08-19 10:18 . 2010-10-25 14:46 170436 c:\windows\hpgins13.dat
+ 2009-11-06 23:06 . 2009-11-06 23:06 1130824 c:\windows\system32\dfshim.dll
- 2009-11-11 18:06 . 2009-11-11 18:06 1130824 c:\windows\system32\dfshim.dll
.
(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Smapp"="c:\program files\Analog Devices\SoundMAX\SMTray.exe" [2003-07-30 143360]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-09-30 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-09-30 126976]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-05-14 2029640]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"TSClientMSIUninstaller"="c:\windows\Installer\TSClientMsiTrans\tscuinst.vbs" [2007-10-30 13801]
"TSClientAXDisabler"="c:\windows\Installer\TSClientMsiTrans\tscdsbl.bat" [2008-01-18 2247]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Docházka\\Docházka.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5900:TCP"= 5900:TCP:VNC
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [14.5.2009 15:47 107256]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [14.5.2009 15:49 94360]
R2 CA_LIC_CLNT;CA License Client;c:\program files\CA\SharedComponents\CA_LIC\lic98rmt.exe [12.10.2003 22:20 143360]
R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [14.5.2009 15:47 731840]
R2 LogWatch;Event Log Watch;c:\program files\CA\SharedComponents\CA_LIC\LogWatNT.exe [20.9.2002 19:29 53248]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [18.3.2010 13:16 130384]
S3 CA_LIC_SRVR;CA License Server;c:\program files\CA\SharedComponents\CA_LIC\lic98rmtd.exe [7.4.2003 18:45 151552]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [18.8.2004 14:00 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [18.3.2010 13:16 753504]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
ijjltz
.
.
------- Doplňkový sken -------
.
uStart Page = hxxp://intranet
uInternet Settings,ProxyServer = 192.168.55.2:3128
IE: E&xportovat do aplikace Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-10-26 10:39
Windows 5.1.2600 Service Pack 3 NTFS

skenování skrytých procesů ...

skenování skrytých položek 'Po spuštění' ...

skenování skrytých souborů ...

sken byl úspešně dokončen
skryté soubory: 0

**************************************************************************
.
--------------------- Knihovny navázané na běžící procesy ---------------------

- - - - - - - > 'winlogon.exe'(672)
c:\program files\ORL\VNC\VNCHooks.dll
.
Celkový čas: 2010-10-26 10:41:25
ComboFix-quarantined-files.txt 2010-10-26 08:41
ComboFix2.txt 2010-10-26 07:24
ComboFix3.txt 2010-10-25 12:36

Před spuštěním: Volných bajtů: 63 566 651 392
Po spuštění: Volných bajtů: 63 551 160 320

- - End Of File - - B0846C907996B71CB74D6ECE943A70FE

Zdravim a pekny den preji

Vy umite aplikovat a pouzivat CF ze si jej tak vesele pouzivate

Nebezpeci CFka

Je urcen primarne pro radce - jeho svevolnym pouzitim ztracite narok na podporu
Maze stopy po haveti, takze v logu z RSIT neni nic videt
Jeho log je treba dolustit, jelikoz neumi smazat vse - to ovsem tezko zvladnete pokud k tomu nejste vyskolen
CF muze mit bug = sunda Vam system, pokud nevite kam co uklada, jak co obnovit, mate system v kytkam a ceka Vas reinstal
CF taky bohuzel prozatim nekontroluje nektere dulezite knihovny (napr. hal.dll) - ty treba mazou nektere typy haveti (napr. angela) - smaze Vam po restartu hal.dll = nenajede Vam system a jste o radek vyse = reinstal

Nejak nechapu opakovaneho pouziti CF - vlozte sem proto vsechny logy (ComboFix1-3.txt), at vidim, co jste tam s nim vyvadel...

vyosek píše:Zdravim a pekny den preji

Vy umite aplikovat a pouzivat CF ze si jej tak vesele pouzivate

CF pouzival jen pro skenovani, nic jsem necistil.
Nic mene logy combofix (1-3) nemam na diske c: - mam jen ten posledny kteri prilozil.
logy vylozil prave pro to abych dostat nejkou poradu co s tim dal...

PS Sorry - take zdravim a pekny den

Uplne zmotany s toho vire - nemohu uz 2 dny s toho zbavit...

Pravidla fora ale rikaji ze se ma na uvod davat log z RSIT

ted uz jej ale nedavejte, je zbytecny

CF je na skenovani prilis agresivni

Zabalte celou slozku C:\Qoobox a poslete mi ji na vyosek@forum.viry.cz vyctu si to z ni co mazal...

Pote Vam dam dalsi postup

Jinak ktery vir nemuzete odstranit - jak pisete v tematu

vyosek píše: Pravidla fora ale rikaji ze se ma na uvod davat log z RSIT ted uz jej ale nedavejte, je zbytecny

CF je na skenovani prilis agresivni

Zabalte celou slozku C:\Qoobox a poslete mi ji na vyosek@forum.viry.cz vyctu si to z ni co mazal...

Pote Vam dam dalsi postup

Jinak ktery vir nemuzete odstranit - jak pisete v tematu

1. za doporuceni dekuji - budeme pouzivat.
2. slozku zabalil a odeslal - tak ze mas v mejlu.
3. cekame
4. vidim ze neco mam napr pri kazdem skenovani maze zalohu
c:\documents and settings\korensky\Dokumenty\cc_20101026_093218.reg
a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
ijjltz

Mazani zalohy CCleaneru (cc_20101026_093218.reg) se snazime vyjednat u sUBSe - autora CF

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
ijjltz CF neumi sam smazat - na to je prave treba byt v pouzivani CF vyskolen a umet sepsat skript

Necitujte prosim mou odpoved, je to zbytecne

Pokud nemate, tak presunte Combofix na plochu

Spustte poznamkovy blok (Start-spustit-notepad)
Zkopirujte skript nize

Kód: Vybrat vše

NetSvcs::
ijjltz

DDS::
uStart Page = hxxp://intranet

Ulozte vytvoreny TXT jako CFScript.txt
Pretahnete vytvoreny CFScript.txt nad Combofix a pustte (viz obrazek nize)
Po aplikaci skriptu (a pripadnem restartu) na Vas vypadne log, jeho obsah sem vlozte

Muze se stat, ze po aplikaci skriptu nenabehnou windows, v tomto pripade restartuje PC a mackejte F8 a zvolte Posledni znamou konfiguraci

dekuji - jdu testovat

Tohle neni testovani, tohle je cilene zneskodneni haveti...Testovat si muzete na virtualnim PC ne na svem a pokud si chcete hrat, tak toho ja se ucastnim nebudu. Bud respektujte me rady nebo se haveti nezbavime...

Odjizdim do prace, budu tu v noci, tak doufam ze na me bude cekat log

samosebou log po provedeni prikladam:

ComboFix 10-10-25.01 - korensky 26.10.2010 13:52:24.4.1 - x86
Systém Microsoft Windows XP Professional 5.1.2600.3.1250.420.1029.18.1015.690 [GMT 2:00]
Spuštěný z: C:\ComboFix.exe
Použité ovládací přepínače :: C:\CFScript.txt
.

((((((((((((((((((((((((( Soubory vytvořené od 2010-09-26 do 2010-10-26 )))))))))))))))))))))))))))))))
.

2010-10-26 11:26 . 2010-10-26 11:26 -------- d--h--w- c:\windows\PIF
2010-10-26 07:25 . 2010-10-26 07:26 94217974 ----a-w- C:\zaloha.reg
2010-10-25 14:28 . 2010-10-26 08:57 -------- d-----w- c:\documents and settings\All Users\Data aplikací\HP
2010-10-25 14:27 . 2010-10-25 14:27 177749928 ----a-w- C:\setup_full_3800_3.exe
2010-10-25 13:01 . 2010-10-25 13:01 -------- d-----w- c:\program files\CCleaner

.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.

((((((((((((((((((((((((((((( SnapShot@2010-10-25_12.34.29 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-03-30 22:16 . 2010-03-30 22:16 99176 c:\windows\system32\PresentationHostProxy.dll
- 2010-03-18 08:09 . 2010-03-18 08:09 99176 c:\windows\system32\PresentationHostProxy.dll
+ 2009-11-06 23:07 . 2009-11-06 23:07 49488 c:\windows\system32\netfxperf.dll
- 2010-03-18 08:09 . 2010-03-18 08:09 49488 c:\windows\system32\netfxperf.dll
- 2009-11-11 18:06 . 2009-11-11 18:06 11600 c:\windows\system32\mui\0409\mscorees.dll
+ 2009-11-06 23:07 . 2009-11-06 23:07 11600 c:\windows\system32\mui\0409\mscorees.dll
+ 2008-08-19 09:56 . 2008-04-13 17:45 15104 c:\windows\system32\drivers\usbscan.sys
- 2008-08-19 09:56 . 2008-04-13 18:45 15104 c:\windows\system32\drivers\usbscan.sys
+ 2008-08-19 09:56 . 2008-04-13 17:45 15104 c:\windows\system32\dllcache\usbscan.sys
- 2005-06-16 07:33 . 2005-06-16 07:33 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2005-06-16 07:33 . 2010-10-26 11:18 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2005-06-16 07:33 . 2010-10-26 11:18 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2005-06-16 07:33 . 2005-06-16 07:33 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2005-06-16 07:33 . 2005-06-16 07:33 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2010-10-26 09:54 . 2010-10-26 11:18 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2010-03-18 11:16 . 2010-03-18 11:16 13648 c:\windows\Microsoft.NET\Framework\sbscmp20_perfcounter.dll
+ 2009-11-06 23:07 . 2009-11-06 23:07 13648 c:\windows\Microsoft.NET\Framework\sbscmp20_perfcounter.dll
- 2010-03-18 11:16 . 2010-03-18 11:16 13648 c:\windows\Microsoft.NET\Framework\sbscmp20_mscorwks.dll
+ 2009-11-06 23:07 . 2009-11-06 23:07 13648 c:\windows\Microsoft.NET\Framework\sbscmp20_mscorwks.dll
- 2010-03-18 11:16 . 2010-03-18 11:16 13648 c:\windows\Microsoft.NET\Framework\sbscmp10.dll
+ 2009-11-06 23:07 . 2009-11-06 23:07 13648 c:\windows\Microsoft.NET\Framework\sbscmp10.dll
+ 2009-11-06 23:07 . 2009-11-06 23:07 86864 c:\windows\Microsoft.NET\Framework\NETFXSBS10.exe
- 2010-03-18 11:16 . 2010-03-18 11:16 86864 c:\windows\Microsoft.NET\Framework\NETFXSBS10.exe
- 2008-08-19 10:25 . 2008-08-19 10:25 65536 c:\windows\Installer\{BB85ED9C-AFC9-43BD-B8DC-258C3C7DF72E}\ARPPRODUCTICON.exe
+ 2010-10-26 08:58 . 2010-10-26 08:58 65536 c:\windows\Installer\{BB85ED9C-AFC9-43BD-B8DC-258C3C7DF72E}\ARPPRODUCTICON.exe
- 2010-03-18 08:09 . 2010-03-18 08:09 295264 c:\windows\system32\PresentationHost.exe
+ 2010-03-30 22:10 . 2010-03-30 22:10 295264 c:\windows\system32\PresentationHost.exe
+ 2009-11-06 23:07 . 2009-11-06 23:07 297808 c:\windows\system32\mscoree.dll
- 2010-03-18 08:09 . 2010-03-18 08:09 297808 c:\windows\system32\mscoree.dll
- 2008-08-19 09:56 . 2007-01-14 23:45 622592 c:\windows\system32\hpxp3800.dll
+ 2008-08-19 09:56 . 2007-01-15 06:45 622592 c:\windows\system32\hpxp3800.dll
- 2008-08-19 09:56 . 2007-01-14 23:41 888832 c:\windows\system32\hpgt3800.dll
+ 2008-08-19 09:56 . 2007-05-24 18:40 888832 c:\windows\system32\hpgt3800.dll
- 2008-08-19 09:56 . 2007-01-14 23:42 438272 c:\windows\system32\hp3800co.dll
+ 2008-08-19 09:56 . 2007-01-15 06:42 438272 c:\windows\system32\hp3800co.dll
+ 2010-10-26 08:58 . 2010-10-26 08:58 183296 c:\windows\Installer\1dd30d.msi
+ 2010-10-26 08:57 . 2010-10-26 08:57 425984 c:\windows\Installer\1dd305.msi
+ 2010-10-26 08:57 . 2010-10-26 08:57 795136 c:\windows\Installer\1dd2f6.msi
+ 2010-10-26 08:58 . 2010-10-26 08:58 643072 c:\windows\Installer\{BB85ED9C-AFC9-43BD-B8DC-258C3C7DF72E}\HPSUShortcut_BB85ED9CAFC943BDB8DC258C3C7DF72E.exe
- 2008-08-19 10:25 . 2008-08-19 10:25 643072 c:\windows\Installer\{BB85ED9C-AFC9-43BD-B8DC-258C3C7DF72E}\HPSUShortcut_BB85ED9CAFC943BDB8DC258C3C7DF72E.exe
+ 2008-08-19 10:18 . 2010-10-26 08:58 109683 c:\windows\hpgins13.dat
- 2008-08-19 10:18 . 2008-08-19 10:28 109683 c:\windows\hpgins13.dat
+ 2009-11-06 23:06 . 2009-11-06 23:06 1130824 c:\windows\system32\dfshim.dll
- 2009-11-11 18:06 . 2009-11-11 18:06 1130824 c:\windows\system32\dfshim.dll
+ 2010-10-26 08:58 . 2010-10-26 08:58 1241600 c:\windows\Installer\1dd310.msi
+ 2010-10-26 08:57 . 2010-10-26 08:57 2112000 c:\windows\Installer\1dd2fc.msi
.
(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Smapp"="c:\program files\Analog Devices\SoundMAX\SMTray.exe" [2003-07-30 143360]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-09-30 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-09-30 126976]
"ToolBoxFX"="c:\program files\HP\ToolBoxFX\bin\HPTLBXFX.exe" [2006-06-15 49152]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"TSClientMSIUninstaller"="c:\windows\Installer\TSClientMsiTrans\tscuinst.vbs" [2007-10-30 13801]
"TSClientAXDisabler"="c:\windows\Installer\TSClientMsiTrans\tscdsbl.bat" [2008-01-18 2247]

c:\documents and settings\All Users\Nabˇdka Start\Programy\Po spuçtŘnˇ\
Rychlě zaź tek s aplikacˇ HP Photosmart Premier.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2006-2-10 73728]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Docházka\\Docházka.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5900:TCP"= 5900:TCP:VNC
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R2 LogWatch;Event Log Watch;c:\program files\CA\SharedComponents\CA_LIC\LogWatNT.exe [20.9.2002 19:29 53248]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [18.3.2010 13:16 130384]
S3 CA_LIC_CLNT;CA License Client;c:\program files\CA\SharedComponents\CA_LIC\lic98rmt.exe [12.10.2003 22:20 143360]
S3 CA_LIC_SRVR;CA License Server;c:\program files\CA\SharedComponents\CA_LIC\lic98rmtd.exe [7.4.2003 18:45 151552]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [18.8.2004 14:00 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [18.3.2010 13:16 753504]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
ijjltz
.
.
------- Doplňkový sken -------
.
uStart Page = hxxp://intranet
uInternet Settings,ProxyServer = 192.168.55.2:3128
IE: E&xportovat do aplikace Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-10-26 13:56
Windows 5.1.2600 Service Pack 3 NTFS

skenování skrytých procesů ...

skenování skrytých položek 'Po spuštění' ...

skenování skrytých souborů ...

sken byl úspešně dokončen
skryté soubory: 0

**************************************************************************
.
--------------------- Knihovny navázané na běžící procesy ---------------------

- - - - - - - > 'explorer.exe'(2844)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\program files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
c:\program files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll
.
Celkový čas: 2010-10-26 13:58:16
ComboFix-quarantined-files.txt 2010-10-26 11:58
ComboFix2.txt 2010-10-26 08:41
ComboFix3.txt 2010-10-26 07:24
ComboFix4.txt 2010-10-25 12:36

Před spuštěním: Volných bajtů: 63 001 972 736
Po spuštění: Volných bajtů: 63 022 837 760

- - End Of File - - 9D0816C5DE922E905A4D86434846AD09

dokonce pro jistotu udelal jeste sken RSITem

Logfile of random's system information tool 1.08 (written by random/random)
Run by korensky at 2010-10-26 14:22:17
Systém Microsoft Windows XP Professional Service Pack 3
System drive C: has 60 GB (78%) free of 76 GB
Total RAM: 1015 MB (52% free)

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 14:22:54, on 26.10.2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.17055)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\ORL\VNC\WinVNC.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\HP\ToolBoxFX\bin\HPTLBXFX.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
K:\Veřejná složka\podgornyy\RSIT.exe
C:\Program Files\trend micro\korensky.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://intranet
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.55.2:3128
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [ToolBoxFX] "C:\Program Files\HP\ToolBoxFX\bin\HPTLBXFX.exe" /enum:on /alerts:on /notifications:on /systrayIcon:on /fl:on /fr:on /appData:on
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'Default user')
O4 - Global Startup: Rychlý začátek s aplikací HP Photosmart Premier.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: E&xportovat do aplikace Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftup ... 3298263387
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 3297934141
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = kl.kbprogres.cz
O17 - HKLM\Software\..\Telephony: DomainName = kl.kbprogres.cz
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = kl.kbprogres.cz
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Proces mezipaměti kategorií součástí - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: CA License Client (CA_LIC_CLNT) - Computer Associates International Inc. - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe
O23 - Service: CA License Server (CA_LIC_SRVR) - Computer Associates International Inc. - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmtd.exe
O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: Event Log Watch (LogWatch) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: VNC Server (winvnc) - AT&T Research Labs Cambridge - C:\Program Files\ORL\VNC\WinVNC.exe

--
End of file - 6065 bytes

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
AcroIEHlprObj Class - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2005-09-24 63136]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Smapp"=C:\Program Files\Analog Devices\SoundMAX\SMTray.exe [2003-07-30 143360]
"IgfxTray"=C:\WINDOWS\system32\igfxtray.exe [2004-09-30 155648]
"HotKeysCmds"=C:\WINDOWS\system32\hkcmd.exe [2004-09-30 126976]
"ToolBoxFX"=C:\Program Files\HP\ToolBoxFX\bin\HPTLBXFX.exe [2006-06-15 49152]
"egui"=C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe [2009-05-14 2029640]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-14 15360]

C:\Documents and Settings\All Users\Nabídka Start\Programy\Po spuštění
Rychlý začátek s aplikací HP Photosmart Premier.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\WINDOWS\system32\igfxsrvc.dll [2004-09-30 344064]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=323
"NoDriveAutoRun"=67108863
"NoDrives"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=1
"NoDriveAutoRun"=67108863
"NoDriveTypeAutoRun"=323
"NoDrives"=0

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\WINDOWS\system32\sessmgr.exe"="C:\WINDOWS\system32\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"
"C:\Program Files\Docházka\Docházka.exe"="C:\Program Files\Docházka\Docházka.exe:*:Enabled:Docházka"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\CA\eTrust Antivirus\InocIT.exe"="C:\Program Files\CA\eTrust Antivirus\InocIT.exe:*:Enabled:eTrust Antivirus"
"C:\Program Files\CA\eTrust Antivirus\Realmon.exe"="C:\Program Files\CA\eTrust Antivirus\Realmon.exe:*:Enabled:Realtime Monitor"
"C:\Program Files\CA\eTrust Antivirus\InoUpTNG.exe"="C:\Program Files\CA\eTrust Antivirus\InoUpTNG.exe:*:Enabled:InoUpTNG"
"C:\Program Files\Docházka\Docházka.exe"="C:\Program Files\Docházka\Docházka.exe:*:Enabled:Docházka"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE"="C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"C:\Program Files\Microsoft Office\Office12\EXCEL.EXE"="C:\Program Files\Microsoft Office\Office12\EXCEL.EXE:*:Enabled:Microsoft Office Excel"

======List of files/folders created in the last 1 months======

2010-10-26 14:22:19 ----D---- C:\Program Files\trend micro
2010-10-26 14:22:17 ----D---- C:\rsit
2010-10-26 14:01:47 ----SHD---- C:\RECYCLER
2010-10-26 14:01:10 ----D---- C:\Program Files\ESET
2010-10-26 13:58:20 ----D---- C:\WINDOWS\temp
2010-10-26 13:58:16 ----A---- C:\ComboFix.txt
2010-10-26 13:26:56 ----HD---- C:\WINDOWS\PIF
2010-10-25 16:28:38 ----D---- C:\Documents and Settings\All Users\Data aplikací\HP
2010-10-25 16:27:23 ----A---- C:\setup_full_3800_3.exe
2010-10-25 15:01:33 ----D---- C:\Program Files\CCleaner
2010-10-25 14:30:05 ----A---- C:\Boot.bak
2010-10-25 14:29:58 ----RASHD---- C:\cmdcons
2010-10-25 14:25:45 ----A---- C:\WINDOWS\zip.exe
2010-10-25 14:25:45 ----A---- C:\WINDOWS\SWXCACLS.exe
2010-10-25 14:25:45 ----A---- C:\WINDOWS\SWSC.exe
2010-10-25 14:25:45 ----A---- C:\WINDOWS\SWREG.exe
2010-10-25 14:25:45 ----A---- C:\WINDOWS\sed.exe
2010-10-25 14:25:45 ----A---- C:\WINDOWS\PEV.exe
2010-10-25 14:25:45 ----A---- C:\WINDOWS\NIRCMD.exe
2010-10-25 14:25:45 ----A---- C:\WINDOWS\MBR.exe
2010-10-25 14:25:45 ----A---- C:\WINDOWS\grep.exe
2010-10-25 14:25:24 ----D---- C:\WINDOWS\ERDNT
2010-10-25 14:22:44 ----D---- C:\Qoobox

======List of files/folders modified in the last 1 months======

2010-10-26 14:22:31 ----A---- C:\WINDOWS\BRWMARK.INI
2010-10-26 14:22:21 ----D---- C:\WINDOWS\Prefetch
2010-10-26 14:22:19 ----RD---- C:\Program Files
2010-10-26 14:17:00 ----D---- C:\WINDOWS\system32
2010-10-26 14:03:54 ----D---- C:\WINDOWS
2010-10-26 14:02:21 ----A---- C:\WINDOWS\SchedLgU.Txt
2010-10-26 14:01:44 ----SHD---- C:\WINDOWS\Installer
2010-10-26 14:01:42 ----D---- C:\Config.Msi
2010-10-26 14:01:35 ----HD---- C:\WINDOWS\inf
2010-10-26 14:01:35 ----D---- C:\WINDOWS\system32\drivers
2010-10-26 13:56:29 ----A---- C:\WINDOWS\system.ini
2010-10-26 13:55:01 ----D---- C:\WINDOWS\AppPatch
2010-10-26 13:54:58 ----D---- C:\Program Files\Common Files
2010-10-26 13:52:05 ----D---- C:\WINDOWS\system32\CatRoot2
2010-10-26 11:23:56 ----SHD---- C:\System Volume Information
2010-10-26 11:00:59 ----SD---- C:\Documents and Settings\All Users\Data aplikací\Microsoft
2010-10-26 10:57:29 ----D---- C:\WINDOWS\twain_32
2010-10-26 10:47:50 ----D---- C:\Program Files\COL11002
2010-10-26 10:39:27 ----D---- C:\WINDOWS\system32\drivers\etc
2010-10-26 10:33:57 ----D---- C:\WINDOWS\system32\Restore
2010-10-26 09:31:51 ----D---- C:\WINDOWS\Minidump
2010-10-25 16:53:33 ----RSHDC---- C:\WINDOWS\system32\dllcache
2010-10-25 16:35:59 ----D---- C:\Temp
2010-10-25 16:01:57 ----D---- C:\WINDOWS\system32\appmgmt
2010-10-25 15:59:06 ----D---- C:\WINDOWS\system32\en-us
2010-10-25 15:58:51 ----D---- C:\WINDOWS\Microsoft.NET
2010-10-25 15:15:53 ----D---- C:\WINDOWS\Debug
2010-10-25 14:30:05 ----RASH---- C:\boot.ini
2010-10-20 17:57:32 ----D---- C:\KB
2010-10-08 10:35:24 ----D---- C:\zalohy
2010-10-06 07:55:45 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R0 PxHelp20;PxHelp20; C:\WINDOWS\System32\Drivers\PxHelp20.sys [2005-08-19 46080]
R1 ehdrv;ehdrv; C:\WINDOWS\system32\DRIVERS\ehdrv.sys [2009-05-14 107256]
R1 epfwtdir;epfwtdir; C:\WINDOWS\system32\DRIVERS\epfwtdir.sys [2009-05-14 94360]
R1 intelppm;Řadič procesoru Intel; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-14 40192]
R1 kbdhid;Ovladač klávesnice standardu HID; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2008-04-14 14592]
R1 WmiAcpi;Microsoft Windows Management Interface for ACPI; C:\WINDOWS\system32\DRIVERS\wmiacpi.sys [2008-04-13 8832]
R2 eamon;eamon; C:\WINDOWS\system32\DRIVERS\eamon.sys [2009-05-14 114472]
R3 aeaudio;aeaudio; C:\WINDOWS\system32\drivers\aeaudio.sys [2003-10-23 100384]
R3 b57w2k;Broadcom NetXtreme Gigabit Ethernet; C:\WINDOWS\system32\DRIVERS\b57xp32.sys [2005-03-17 132608]
R3 hidusb;Ovladač třídy standardu HID; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
R3 HPFXBULK;HPFXBULK; C:\WINDOWS\system32\drivers\hpfxbulk.sys [2006-06-12 9344]
R3 ialm;ialm; C:\WINDOWS\system32\DRIVERS\ialmnt5.sys [2004-09-30 752093]
R3 mouhid;Ovladač myši standardu HID; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2004-08-18 12160]
R3 smwdm;smwdm; C:\WINDOWS\system32\drivers\smwdm.sys [2004-04-15 612416]
R3 usbccgp;Obecný nadřazený ovladač Microsoft USB; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-13 32128]
R3 usbprint;Třída USB Printer; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-13 25856]
R3 usbscan;Ovladač skeneru USB; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-13 15104]
R3 usbuhci;Ovladač Microsoft univerzálního hostitelského řadiče USB od společnosti Microsoft; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-13 20608]
S3 catchme;catchme; \??\C:\DOCUME~1\korensky\LOCALS~1\Temp\catchme.sys []
S3 USBSTOR;Ovladač velkokapacitního paměťového zařízení USB; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 ekrn;ESET Service; C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe [2009-05-14 731840]
R2 LogWatch;Event Log Watch; C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe [2002-09-20 53248]
R2 MDM;Machine Debug Manager; C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe [2006-10-26 335872]
R2 SoundMAX Agent Service (default);SoundMAX Agent Service; C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe [2002-09-20 45056]
R2 winvnc;VNC Server; C:\Program Files\ORL\VNC\WinVNC.exe [1999-10-07 200704]
R2 WSearch;Vyhledávání systému Windows; C:\WINDOWS\system32\SearchIndexer.exe [2007-02-05 300032]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86; C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
S3 aspnet_state;Stavová služba ASP.NET; C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\aspnet_state.exe [2010-03-18 35160]
S3 CA_LIC_CLNT;CA License Client; C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe [2003-10-12 143360]
S3 CA_LIC_SRVR;CA License Server; C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmtd.exe [2003-04-07 151552]
S3 EhttpSrv;ESET HTTP Server; C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe [2009-05-14 20680]
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe [2008-07-29 46104]
S3 idsvc;Služba Windows CardSpace; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2008-07-29 881664]
S3 odserv;Microsoft Office Diagnostics Service; C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE [2008-11-04 441712]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2006-10-26 145184]
S3 WinRM;Windows Remote Management (WS-Management); C:\WINDOWS\system32\svchost.exe [2008-04-14 14336]
S3 WMPNetworkSvc;Služba Windows Media Player Network Sharing; C:\Program Files\Windows Media Player\WMPNetwk.exe [2007-01-05 913920]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0; C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-14 14336]
S4 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2008-07-25 69632]
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe [2010-03-18 124240]

-----------------EOF-----------------

Nectete navod

CF mel byt na plose, stejne jako skript a Vy jej mate zcela jinde (Spuštěný z: C:\ComboFix.exe
Použité ovládací přepínače :: C:\CFScript.txt)

Tak opakovat ale pouzijte nize uvedeny skript, jinak postup stejny jako jsem psal vyse (CF na plochu, vytvorit skript, pretahnout nad CF, nechat probehnout, log sem)

Kód: Vybrat vše

NetSvc::
ijjltz

DDS::
uStart Page = hxxp://intranet

Stahnete Malwarebytes' Anti-Malware (zkracene MBAM) (viz muj podpis)

Provedte aktualizaci - treti zalozka
Provedte uplny sken - nic nemazte
MBAM miva obcas falesne detekce, proto vlozte log do prispevku a pockejte na posouzeni

VIRY.CZ

nemohu odstranit vir - HELP

nemohu odstranit vir - HELP

Re: nemohu odstranit vir - HELP

Re: nemohu odstranit vir - HELP

Re: nemohu odstranit vir - HELP

Re: nemohu odstranit vir - HELP

Re: nemohu odstranit vir - HELP

Re: nemohu odstranit vir - HELP

Re: nemohu odstranit vir - HELP

Re: nemohu odstranit vir - HELP

Re: nemohu odstranit vir - HELP

Re: nemohu odstranit vir - HELP

Re: nemohu odstranit vir - HELP