Katusha.a / backdoor.generic14

[pepa1d]

Dobrý den,

snazim se opravit přítelkyně notebook. Používá Windows XP SP3 a účet je administrátorský. Přišel jsem na problém tak že v systemtray nebyla ikona AVG Free 9.0. Jednou se mi podařil ručně zapnout a zobrazil se mi ihned nález virů "Katusha.a" (asi 10 souborů, které jsem ale poznal jakospouštěcí soubory jiných programů např: iTunes, Skype, Winamp atd) a druhý "backdoor.generic14.avbq" asi u dvou neznámých souborů. Od té doby už nejde ani ručně zapnout, jakoby ho něco blokovalo. AVG nejde ani aktualizovat na verzy AVG Free 2012. Pokaždé to vyhodí následující chybu:

Závažnost: Chyba
Chybový kod:0xC0070643
Chybové hlášení: Obecná interníchyba.
Doplňující hlášení: MSI Engine: Selhala instalace produktu.
The installer has encountered an anexpcted error installing this package. his may indicate a problem with package. The error code is 2755.
Kontext: Instalace AVG COre, selhání akce MSI

Co se týče tohoto, zkoušel jsem hledat všemožná fóra a řešení pro tuto chybu. Nic mi nepomohlo.
Zkoušel jsem scan MBAM ale po pár vteřinách se scan zruší a MBAM nejde spustit, musim ho reinstalovat a pak se to opakuje. Zkoušel jsem i AVPTool ale zacne se rozbalovat, asi i instalovatale hláška s přijetím license se neobjeví a program spadne. V nouzovém režimu se dá spustit, neco odstanil ale po najetí do normálního režimu je vše zpátky. Zkoušel jsem to 2x. Také se neustále objevuje při spuštění jakéhokoliv programu hláška Windows Firewall zda blokovat nebo odblokovat. Ve správci úloh běží jakýsi proces 2667165092:1531577953.exe který nejde ničím zabít.

At zkouším cokoliv každý program který by stim mohl něco udělat se po chvíli zablokuje. Taky mi přijde že blokuje nějakým způsobem určité stránky, protože na forum AVG se mi nedaří dostat. Hledal jsem všude možně, tady na foru jsem našel podobné téma http://www.viry.cz/forum/viewtopic.php?f=13&t=113491 kde byl problém vyřešen. Snad mi tady u vás někdo pomůže, protože tohle je fakt zlo.

Díky

Log z RSIT:

Logfile of random's system information tool 1.09 (written by random/random)
Run by Dituška at 2011-11-05 16:41:18
Systém Microsoft Windows XP Professional Service Pack 3
System drive C: has 53 GB (34%) free of 153 GB
Total RAM: 2039 MB (51% free)


======Scheduled tasks folder======

C:\WINDOWS\tasks\AppleSoftwareUpdate.job

=========Mozilla firefox=========

ProfilePath - C:\Documents and Settings\Dituška\Data aplikací\Mozilla\Firefox\Profiles\h8z3xcgo.default

prefs.js - "browser.startup.homepage" - "http://www.seznam.cz/"
prefs.js - "extensions.enabledItems" - "{3f963a5b-e555-4543-90e2-c3908898db71}:9.0.0.872, {20a82645-c095-46ed-80e3-08825760534b}:1.1, {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}:6.0.16, jqs@sun.com:1.0, {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}:6.0.17, {972ce4c6-7e08-4474-a285-3208198ce6fd}:3.6.16"

"{3f963a5b-e555-4543-90e2-c3908898db71}"=C:\Program Files\AVG\AVG9\Firefox
"{20a82645-c095-46ed-80e3-08825760534b}"=c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
"jqs@sun.com"=C:\Program Files\Java\jre6\lib\deploy\jqs\ff


[HKEY_LOCAL_MACHINE\SOFTWARE\MozillaPlugins\@adobe.com/FlashPlayer]
"Description"=Adobe® Flash® Player 10.1 Plugin
"Path"=C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\MozillaPlugins\@Apple.com/iTunes,version=]
"Description"=iTunes Detector Plug-in
"Path"=

[HKEY_LOCAL_MACHINE\SOFTWARE\MozillaPlugins\@Apple.com/iTunes,version=1.0]
"Description"=
"Path"=C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0]
"Description"=Ag Player Plugin
"Path"=c:\Program Files\Microsoft Silverlight\4.0.60831.0\npctrl.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\MozillaPlugins\@microsoft.com/OfficeLive,version=1.4]
"Description"=Office Live Update v1.4
"Path"=C:\Program Files\Microsoft\Office Live\npOLW.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\MozillaPlugins\@microsoft.com/WPF,version=3.5]
"Description"=Windows Presentation Foundation plug-in for Mozilla browsers
"Path"=c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\MozillaPlugins\Adobe Reader]
"Description"=Handles PDFs in-place in Firefox
"Path"=C:\Program Files\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll

C:\Program Files\Mozilla Firefox\extensions\
{972ce4c6-7e08-4474-a285-3208198ce6fd}
{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

C:\Program Files\Mozilla Firefox\components\
binary.manifest
browsercomps.dll
nsIQTScriptablePlugin.xpt

C:\Program Files\Mozilla Firefox\plugins\
npdeploytk.dll
nppdf32.dll
npqtplugin.dll
npqtplugin2.dll
npqtplugin3.dll
npqtplugin4.dll
npqtplugin5.dll
npqtplugin6.dll
npqtplugin7.dll
QuickTimePlugin.class

C:\Program Files\Mozilla Firefox\searchplugins\
google.xml
heureka-cz.xml
jyxo-cz.xml
mall-cz.xml
seznam-cz.xml
slunecnice-cz.xml
wikipedia-cz.xml

C:\Documents and Settings\Dituška\Data aplikací\Mozilla\Firefox\Profiles\h8z3xcgo.default\extensions\
{20a82645-c095-46ed-80e3-08825760534b}

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
Adobe PDF Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2010-09-22 75200]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}]
AVG Safe Search - C:\Program Files\AVG\AVG9\avgssie.dll [2010-11-24 1623392]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}]
Pomocná služba pro přihlášení ke službě Windows Live ID - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2009-03-30 403824]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java(tm) Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2010-01-12 41760]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2010-01-12 73728]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ATKHOTKEY"=C:\Program Files\ATK Hotkey\Hcontrol.exe [2007-04-19 225280]
"Wireless Console 2"=C:\Program Files\Wireless Console 2\wcourier.exe [2007-07-05 1040384]
"SynTPEnh"=C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2006-10-12 815104]
"RTHDCPL"=C:\WINDOWS\RTHDCPL.EXE [2007-07-05 16380416]
"ATKMEDIA"=C:\Program Files\ASUS\ATK Media\DMEDIA.EXE [2006-11-02 61440]
"APSDaemon"=C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe [2011-09-27 59240]
"iTunesHelper"=C:\Program Files\iTunes\iTunesHelper.exe [2011-10-09 421736]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ACU]
C:\Program Files\Atheros\ACU.exe [2006-11-07 381020]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2011-03-30 937920]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [2011-09-07 37296]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ASUS Live Update]
C:\Program Files\ASUS\ASUS Live Update\ALU.exe [2007-07-19 49520]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FlashPlayerUpdate]
C:\WINDOWS\system32\Macromed\Flash\NPSWF32_FlashUtil.exe -p []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
C:\WINDOWS\system32\hkcmd.exe [2007-06-27 162328]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
C:\WINDOWS\system32\igfxtray.exe [2007-06-27 141848]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Infium]
C:\Program Files\QIP 2010\qip.exe [2011-07-18 6812032]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
C:\Program Files\iTunes\iTunesHelper.exe [2011-10-09 421736]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe [2008-06-08 2221352]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe [2008-06-19 570664]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OODefragTray]
C:\WINDOWS\system32\oodtray.exe [2007-05-11 2512392]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
C:\WINDOWS\system32\igfxpers.exe [2007-06-27 137752]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime Alternative\QTTask.exe [2010-11-29 421888]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMSERIAL]
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe [2006-11-22 630784]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre6\bin\jusched.exe [2009-10-11 149280]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
C:\Program Files\Winamp\winampa.exe [2008-03-27 36352]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Nabídka Start^Programy^Po spuštění^Bluetooth Manager.lnk]
C:\PROGRA~1\Toshiba\BLUETO~1\TosBtMng.exe [2007-05-22 2756608]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\avgrsstarter]
C:\WINDOWS\system32\avgrsstx.dll [2010-07-15 12536]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\WINDOWS\system32\igfxdev.dll [2007-06-22 204800]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2009-03-10 265096]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]
UPnPMonitor - {e57ce738-33e8-4c51-8354-bb4de9d215d1} - C:\WINDOWS\system32\upnpui.dll [2008-04-14 239616]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=181
"NoDriveAutoRun"=67108863
"NoDrives"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=1
"NoDriveAutoRun"=67108863
"NoDriveTypeAutoRun"=323
"NoDrives"=0

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\QIP\qip.exe"="C:\Program Files\QIP\qip.exe:*:Enabled:Quiet Internet Pager"
"C:\Program Files\AVG\AVG9\avgemc.exe"="C:\Program Files\AVG\AVG9\avgemc.exe:*:Enabled:avgemc.exe"
"C:\Program Files\AVG\AVG9\avgupd.exe"="C:\Program Files\AVG\AVG9\avgupd.exe:*:Enabled:avgupd.exe"
"C:\Program Files\AVG\AVG9\avgnsx.exe"="C:\Program Files\AVG\AVG9\avgnsx.exe:*:Enabled:avgnsx.exe"
"C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE"="C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"C:\Program Files\Skype\Plugin Manager\skypePM.exe"="C:\Program Files\Skype\Plugin Manager\skypePM.exe:*:Enabled:Skype Extras Manager"
"C:\Program Files\QIP 2010\qip.exe"="C:\Program Files\QIP 2010\qip.exe:*:Enabled:QIP 2010"
"C:\Program Files\Skype\Phone\Skype.exe"="C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype"
"C:\Program Files\Common Files\Apple\Apple Application Support\WebKit2WebProcess.exe"="C:\Program Files\Common Files\Apple\Apple Application Support\WebKit2WebProcess.exe:*:Enabled:WebKit"
"C:\Program Files\Bonjour\mDNSResponder.exe"="C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour Service"
"C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes"
"C:\Documents and Settings\Dituška\Local Settings\temp\7zS13.tmp\avgmfapx.exe"="C:\Documents and Settings\Dituška\Local Settings\temp\7zS13.tmp\avgmfapx.exe:*:Enabled:AVG Installer Application"
"C:\Documents and Settings\All Users\Data aplikací\MFAData\SelfUpd\avgmfapx.exe"="C:\Documents and Settings\All Users\Data aplikací\MFAData\SelfUpd\avgmfapx.exe:*:Enabled:AVG Installer Application"
"C:\soft a ovladače xp\RSIT.exe"="C:\soft a ovladače xp\RSIT.exe:*:Enabled:RSIT"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32]
"midimapper"=midimap.dll
"msacm.imaadpcm"=imaadp32.acm
"msacm.msadpcm"=msadp32.acm
"msacm.msg711"=msg711.acm
"msacm.msgsm610"=msgsm32.acm
"msacm.trspch"=tssoft32.acm
"vidc.cvid"=iccvid.dll
"vidc.I420"=msh263.drv
"vidc.iv31"=ir32_32.dll
"vidc.iv32"=ir32_32.dll
"vidc.iv41"=ir41_32.ax
"VIDC.IYUV"=iyuv_32.dll
"vidc.mrle"=msrle32.dll
"vidc.msvc"=msvidc32.dll
"VIDC.UYVY"=msyuv.dll
"VIDC.YUY2"=msyuv.dll
"VIDC.YVU9"=tsbyuv.dll
"VIDC.YVYU"=msyuv.dll
"wavemapper"=msacm32.drv
"MSVideo8"=VfWWDM32.dll
"msacm.msg723"=msg723.acm
"vidc.M263"=msh263.drv
"vidc.M261"=msh261.drv
"msacm.msaudio1"=msaud32.acm
"msacm.sl_anet"=sl_anet.acm
"msacm.iac2"=C:\WINDOWS\system32\iac25_32.ax
"vidc.iv50"=ir50_32.dll
"msacm.l3acm"=C:\WINDOWS\system32\l3codeca.acm
"wave"=wdmaud.drv
"midi"=wdmaud.drv
"mixer"=wdmaud.drv
"wave1"=wdmaud.drv
"midi1"=wdmaud.drv
"mixer1"=wdmaud.drv
"wave2"=wdmaud.drv
"midi2"=wdmaud.drv
"mixer2"=wdmaud.drv
"wave4"=serwvdrv.dll
"wave3"=wdmaud.drv
"midi3"=wdmaud.drv
"mixer3"=wdmaud.drv
"aux"=wdmaud.drv

======List of files/folders created in the last 1 month======

2011-11-05 16:41:18 ----D---- C:\rsit
2011-11-05 16:37:57 ----D---- C:\WINDOWS\LastGood
2011-11-05 15:42:22 ----D---- C:\WINDOWS\system32\drivers\Avg
2011-11-05 15:42:21 ----D---- C:\Documents and Settings\Dituška\Data aplikací\AVG9
2011-11-05 15:37:26 ----D---- C:\Program Files\AVG
2011-11-05 15:37:26 ----D---- C:\Documents and Settings\All Users\Data aplikací\avg9
2011-11-05 14:23:56 ----A---- C:\WINDOWS\SchedLgU.Txt
2011-11-04 22:33:26 ----D---- C:\Documents and Settings\All Users\Data aplikací\MFAData
2011-10-25 10:22:15 ----D---- C:\Program Files\iPod
2011-10-25 10:22:11 ----D---- C:\Program Files\iTunes
2011-10-25 10:18:18 ----D---- C:\Program Files\Bonjour
2011-10-13 07:13:35 ----HDC---- C:\WINDOWS\$NtUninstallKB2564958$
2011-10-13 07:08:15 ----HDC---- C:\WINDOWS\$NtUninstallKB2567053$
2011-10-13 07:08:07 ----HDC---- C:\WINDOWS\$NtUninstallKB2592799$

======List of files/folders modified in the last 1 month======

2011-11-05 16:41:20 ----D---- C:\Program Files\trend micro
2011-11-05 16:40:32 ----D---- C:\soft a ovladače xp
2011-11-05 16:38:28 ----D---- C:\WINDOWS\Temp
2011-11-05 16:38:28 ----D---- C:\WINDOWS\system32\drivers
2011-11-05 16:38:02 ----HD---- C:\WINDOWS\inf
2011-11-05 16:37:57 ----D---- C:\WINDOWS
2011-11-05 16:37:56 ----D---- C:\WINDOWS\system32\CatRoot2
2011-11-05 16:01:14 ----SHD---- C:\WINDOWS\Installer
2011-11-05 16:01:13 ----D---- C:\WINDOWS\WinSxS
2011-11-05 15:48:20 ----D---- C:\WINDOWS\system32
2011-11-05 15:48:20 ----D---- C:\Program Files\ATKGFNEX
2011-11-05 15:47:01 ----D---- C:\WINDOWS\Prefetch
2011-11-05 15:43:50 ----D---- C:\WINDOWS\system32\config
2011-11-05 15:43:37 ----D---- C:\WINDOWS\system32\wbem
2011-11-05 15:43:35 ----D---- C:\WINDOWS\Registration
2011-11-05 15:43:24 ----D---- C:\Program Files\QIP 2010
2011-11-05 15:42:31 ----SD---- C:\Documents and Settings\Dituška\Data aplikací\Microsoft
2011-11-05 15:39:06 ----D---- C:\WINDOWS\system32\dllcache
2011-11-05 15:38:56 ----D---- C:\Program Files\Common Files\System
2011-11-05 15:38:56 ----D---- C:\Documents and Settings\All Users\Data aplikací\Microsoft Help
2011-11-05 15:38:54 ----D---- C:\Program Files\Common Files\Microsoft Shared
2011-11-05 15:38:00 ----RD---- C:\Program Files
2011-11-05 15:37:57 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2011-11-05 15:36:34 ----D---- C:\WINDOWS\system32\Restore
2011-11-05 14:25:00 ----D---- C:\WINDOWS\SoftwareDistribution
2011-11-05 13:48:40 ----SHD---- C:\RECYCLER
2011-11-05 12:44:34 ----SHD---- C:\System Volume Information
2011-11-05 12:27:26 ----A---- C:\WINDOWS\win.ini
2011-11-04 23:31:27 ----D---- C:\Documents and Settings\Dituška\Data aplikací\Winamp
2011-11-04 23:31:24 ----D---- C:\WINDOWS\Debug
2011-11-01 19:24:58 ----A---- C:\WINDOWS\NeroDigital.ini
2011-10-30 08:01:50 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2011-10-29 11:40:51 ----A---- C:\WINDOWS\wincmd.ini
2011-10-25 10:22:14 ----D---- C:\Program Files\Common Files\Apple
2011-10-25 10:18:49 ----DC---- C:\WINDOWS\system32\DRVSTORE
2011-10-21 15:21:37 ----D---- C:\Program Files\Unlocker
2011-10-21 14:02:03 ----D---- C:\Program Files\Apple Software Update
2011-10-21 14:00:22 ----SD---- C:\WINDOWS\Tasks
2011-10-13 13:40:38 ----RSD---- C:\WINDOWS\assembly
2011-10-13 13:37:36 ----D---- C:\WINDOWS\Microsoft.NET
2011-10-13 07:17:21 ----D---- C:\Program Files\Microsoft Silverlight
2011-10-13 07:08:24 ----A---- C:\WINDOWS\system32\MRT.exe
2011-10-13 07:08:05 ----HD---- C:\WINDOWS\$hf_mig$
2011-10-13 07:07:27 ----D---- C:\Program Files\Internet Explorer

[Rudy]

Zdravím!
Poprosím o log ComboFix.

Stahnete a ulozte nejlepe na plochu ComboFix: http://download.bleepingcomputer.com/sUBs/ComboFix.exe

pote spustte aplikaci pod uctem s administratorskym opravnenim

hned po startu se zobrazi obrazovka s licencnimi podminkami, pokracujte kliknutim na tlacitko Ano.

v klidu si postavte na kafe (cela akce trva cca. 5-10 minut, nekdy i dele - dle toho, o jak rychly stroj se

jedna a kolika soubory se skener bude muset prodirat), behem skenu se nepokousejte spoustet zadne jine

aplikace ani nic jineho

behem skenovani nepropadejte panice, vas stroj muze byt restartovan (predevsim pri prvni aplikaci skeneru)

upozorneni: pokud pouzivate antispyware s rezidentnim stitem, prepnete jeho rezidentni stit do Install Mode,

pripadne jej po dobu skenu uplne deaktivujte, protoze dochazi pri skenu a vymazu pripadneho malware k

nezadoucim kolizim s rezidentem antispyware

[pepa1d]

Tady je log z Combofixu. AVG beželo na pozadí, nemám k němu žádný přístup, tedy jsem neměl možnost ho vypnout. Combofix se spustil bez problémů, restartoval pc, probehlo asi 50 fází, restart a výpis logu.

Nevím jestli logy dávat do code nebo ne, kdyžtak upravím.

Díky za další rady

ComboFix 11-11-05.02 - Dituška 05.11.2011 18:29:32.4.2 - x86
Systém Microsoft Windows XP Professional 5.1.2600.3.1250.420.1029.18.2039.1639 [GMT 1:00]
Spuštěný z: c:\documents and settings\Dituška\Plocha\ComboFix.exe
AV: AVG Anti-Virus Free *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
.
((((((((((((((((((((((((((((((((((((((( Ostatní výmazy )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Dituška\Local Settings\Data aplikací\a4b5f99e\U\80000000.@
c:\documents and settings\Dituška\Local Settings\Data aplikací\a4b5f99e\U\800000cb.@
c:\windows\$NtUninstallKB41684$\115567311
c:\windows\$NtUninstallKB41684$\2763389342\@
c:\windows\$NtUninstallKB41684$\2763389342\L\vdkpatjv
c:\windows\$NtUninstallKB41684$\2763389342\loader(2).tlb
c:\windows\$NtUninstallKB41684$\2763389342\loader.tlb
c:\windows\$NtUninstallKB41684$\2763389342\U\@00000001
c:\windows\$NtUninstallKB41684$\2763389342\U\@000000c0
c:\windows\$NtUninstallKB41684$\2763389342\U\@000000cb
c:\windows\$NtUninstallKB41684$\2763389342\U\@000000cf
c:\windows\$NtUninstallKB41684$\2763389342\U\@80000000
c:\windows\$NtUninstallKB41684$\2763389342\U\@800000c0
c:\windows\$NtUninstallKB41684$\2763389342\U\@800000cb
c:\windows\$NtUninstallKB41684$\2763389342\U\@800000cf
c:\windows\assembly\GAC_MSIL\desktop.ini
c:\windows\IsUn0405.exe
c:\windows\iun6002.exe
c:\windows\pkunzip.pif
c:\windows\pkzip.pif
c:\windows\system32\
c:\windows\$NtUninstallKB41684$ . . . . nemohl být smazán
.
Nakažená kopie c:\program files\ASUS\ASUS Data Security Manager\ADSMSrv.exe byla nalezena a vyléčena.
Obnovena kopie z - c:\system volume information\_restore{759C231F-F024-4F4F-9DCB-DB59D66366C6}\RP299\A0044153.exe
.
Nakažená kopie c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe byla nalezena a vyléčena.
Obnovena kopie z - c:\system volume information\_restore{759C231F-F024-4F4F-9DCB-DB59D66366C6}\RP299\A0044156.exe
.
Nakažená kopie c:\program files\ATKGFNEX\GFNEXSrv.exe byla nalezena a vyléčena.
Obnovena kopie z - c:\system volume information\_restore{759C231F-F024-4F4F-9DCB-DB59D66366C6}\RP299\A0044154.exe
.
Nakažená kopie c:\program files\iPod\bin\iPodService.exe byla nalezena a vyléčena.
Obnovena kopie z - c:\system volume information\_restore{759C231F-F024-4F4F-9DCB-DB59D66366C6}\RP299\A0044169.exe
.
Nakažená kopie c:\program files\Java\jre6\bin\jqs.exe byla nalezena a vyléčena.
Obnovena kopie z - c:\system volume information\_restore{759C231F-F024-4F4F-9DCB-DB59D66366C6}\RP299\A0044158.exe
.
Nakažená kopie c:\program files\Nero\Nero8\Nero BackItUp\NBService.exe byla nalezena a vyléčena.
Obnovena kopie z - c:\system volume information\_restore{759C231F-F024-4F4F-9DCB-DB59D66366C6}\RP299\A0044159.exe
.
Nakažená kopie c:\windows\system32\oodag.exe byla nalezena a vyléčena.
Obnovena kopie z - c:\system volume information\_restore{759C231F-F024-4F4F-9DCB-DB59D66366C6}\RP303\A0045410.exe
.
Nakažená kopie c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe byla nalezena a vyléčena.
Obnovena kopie z - c:\system volume information\_restore{759C231F-F024-4F4F-9DCB-DB59D66366C6}\RP299\A0044164.exe
.
Nakažená kopie c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE byla nalezena a vyléčena.
Obnovena kopie z - c:\system volume information\_restore{759C231F-F024-4F4F-9DCB-DB59D66366C6}\RP299\A0044165.EXE
.
Nakažená kopie c:\program files\ASUS\ASUS Data Security Manager\ADSMSrv.exe byla nalezena a vyléčena.
Obnovena kopie z - c:\system volume information\_restore{759C231F-F024-4F4F-9DCB-DB59D66366C6}\RP299\A0044153.exe
Nakažená kopie c:\program files\ATKGFNEX\GFNEXSrv.exe byla nalezena a vyléčena.
Obnovena kopie z - c:\system volume information\_restore{759C231F-F024-4F4F-9DCB-DB59D66366C6}\RP299\A0044154.exe
Nakažená kopie c:\windows\system32\oodag.exe byla nalezena a vyléčena.
Obnovena kopie z - c:\system volume information\_restore{759C231F-F024-4F4F-9DCB-DB59D66366C6}\RP303\A0045410.exe
.
((((((((((((((((((((((((((((((((((((((( Ovladače/Služby )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_a4b5f99e
.
.
((((((((((((((((((((((((( Soubory vytvořené od 2011-10-05 do 2011-11-05 )))))))))))))))))))))))))))))))
.
.
2011-11-05 15:41 . 2011-11-05 15:41 -------- d-----w- C:\rsit
2011-11-05 14:43 . 2011-11-05 14:43 -------- d-----w- c:\windows\system32\wbem\Repository
2011-11-05 14:42 . 2011-11-05 14:42 -------- d-----w- c:\windows\system32\drivers\Avg
2011-11-05 14:42 . 2011-11-05 14:42 -------- d-----w- c:\documents and settings\Dituška\Data aplikací\AVG9
2011-11-05 14:37 . 2011-11-05 14:43 -------- d-----w- c:\documents and settings\All Users\Data aplikací\avg9
2011-11-05 14:37 . 2011-11-05 14:38 -------- d-----w- c:\program files\AVG
2011-11-05 13:55 . 2011-11-05 13:55 -------- d-----w- c:\documents and settings\Dituška\Local Settings\Data aplikací\VS Revo Group
2011-11-05 13:24 . 2011-11-05 13:24 -------- d-----w- c:\documents and settings\Dituška\Local Settings\Data aplikací\Xenocode
2011-11-05 13:03 . 2011-11-05 13:03 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Data aplikací\Xenocode
2011-11-05 12:39 . 2011-11-05 12:39 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Data aplikací\Mozilla
2011-11-05 11:57 . 2011-11-05 11:57 -------- d-----w- c:\documents and settings\Administrator\IETldCache
2011-11-04 21:33 . 2011-11-05 15:46 -------- d-----w- c:\documents and settings\All Users\Data aplikací\MFAData
2011-11-04 20:16 . 2011-11-04 20:16 -------- d-----r- c:\documents and settings\NetworkService\Oblíbené položky
2011-11-04 18:16 . 2011-11-04 18:16 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2011-11-04 18:09 . 2011-11-05 12:14 -------- d-sh--w- c:\documents and settings\Dituška\Local Settings\Data aplikací\a4b5f99e
2011-11-04 08:12 . 2011-11-04 08:12 8646 ----a-w- c:\documents and settings\All Users\Data aplikací\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC(2)\TILEBOX.JS
2011-11-04 08:12 . 2011-11-04 08:12 6429 ----a-w- c:\documents and settings\All Users\Data aplikací\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC(2)\UICORE.JS
2011-11-04 08:12 . 2011-11-04 08:12 63115 ----a-w- c:\documents and settings\All Users\Data aplikací\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC(2)\USERTILE.JS
2011-11-04 08:12 . 2011-11-04 08:12 4599 ----a-w- c:\documents and settings\All Users\Data aplikací\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC(2)\UIRESOURCE.JS
2011-11-04 08:12 . 2011-11-04 08:12 9310 ----a-w- c:\documents and settings\All Users\Data aplikací\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC(2)\TEXTBOX.JS
2011-11-04 08:12 . 2011-11-04 08:12 8613 ----a-w- c:\documents and settings\All Users\Data aplikací\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC(2)\SAVEDUSER.JS
2011-11-04 08:12 . 2011-11-04 08:12 5927 ----a-w- c:\documents and settings\All Users\Data aplikací\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC(2)\TEXT.JS
2011-11-04 08:12 . 2011-11-04 08:12 1651 ----a-w- c:\documents and settings\All Users\Data aplikací\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC(2)\QUERYSTRING.JS
2011-11-04 08:12 . 2011-11-04 08:12 8288 ----a-w- c:\documents and settings\All Users\Data aplikací\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC(2)\IMAGE.JS
2011-11-04 08:12 . 2011-11-04 08:12 6910 ----a-w- c:\documents and settings\All Users\Data aplikací\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC(2)\NEWUSERCOMM.JS
2011-11-04 08:12 . 2011-11-04 08:12 6208 ----a-w- c:\documents and settings\All Users\Data aplikací\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC(2)\LINK.JS
2011-11-04 08:12 . 2011-11-04 08:12 18541 ----a-w- c:\documents and settings\All Users\Data aplikací\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC(2)\LOCALIZATION.JS
2011-11-04 08:11 . 2011-11-04 08:11 51852 ----a-w- c:\documents and settings\All Users\Data aplikací\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC(2)\EXTERNALWRAPPER.JS
2011-11-04 08:11 . 2011-11-04 08:11 8782 ----a-w- c:\documents and settings\All Users\Data aplikací\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC(2)\BUTTON.JS
2011-11-04 08:11 . 2011-11-04 08:11 7271 ----a-w- c:\documents and settings\All Users\Data aplikací\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC(2)\CHECKBOX.JS
2011-11-04 08:11 . 2011-11-04 08:11 23327 ----a-w- c:\documents and settings\All Users\Data aplikací\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC(2)\COMBOBOX.JS
2011-11-04 08:11 . 2011-11-04 08:11 20719 ----a-w- c:\documents and settings\All Users\Data aplikací\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC(2)\DIVWRAPPER.JS
2011-10-25 09:22 . 2011-10-25 09:22 -------- d-----w- c:\program files\iPod
2011-10-25 09:22 . 2011-10-25 09:23 -------- d-----w- c:\program files\iTunes
2011-10-25 09:18 . 2011-10-25 09:18 -------- d-----w- c:\documents and settings\LocalService\Data aplikací\Apple Computer
2011-10-25 09:18 . 2011-10-25 09:18 -------- d-----w- c:\program files\Bonjour
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-05 12:11 . 2007-05-11 00:09 1044480 ----a-w- c:\windows\system32\oodag.exe
2011-10-08 09:52 . 2011-05-22 08:12 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-09-26 09:41 . 2008-07-29 17:59 613376 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 09:41 . 2004-08-18 11:00 22528 ----a-w- c:\windows\system32\oleaccrc.dll
2011-09-26 09:41 . 2004-08-18 11:00 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-12 18:30 . 2009-01-21 21:00 29712 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2011-09-09 09:12 . 2004-08-18 11:00 602112 ----a-w- c:\windows\system32\crypt32.dll
2011-09-06 14:10 . 2004-08-18 11:00 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-08-30 21:05 . 2011-08-30 21:05 83816 ----a-w- c:\windows\system32\dns-sd.exe
2011-08-30 21:05 . 2011-08-30 21:05 73064 ----a-w- c:\windows\system32\dnssd.dll
2011-08-22 23:41 . 2004-08-18 11:00 916480 ----a-w- c:\windows\system32\wininet.dll
2011-08-22 23:41 . 2004-08-18 11:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-08-22 23:41 . 2004-08-18 11:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-08-22 11:56 . 2004-08-18 11:00 385024 ----a-w- c:\windows\system32\html.iec
2011-08-17 13:49 . 2004-08-18 11:00 138496 ----a-w- c:\windows\system32\drivers\afd.sys
2011-10-05 04:42 . 2011-03-26 14:12 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ADSMOverlayIcon1]
@="{A8D448F4-0431-45AC-9F5E-E1B434AB2249}"
[HKEY_CLASSES_ROOT\CLSID\{A8D448F4-0431-45AC-9F5E-E1B434AB2249}]
2007-06-01 15:08 143360 ----a-w- c:\program files\ASUS\ASUS Data Security Manager\OverlayIconShlExt1.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATKHOTKEY"="c:\program files\ATK Hotkey\Hcontrol.exe" [2007-04-19 225280]
"Wireless Console 2"="c:\program files\Wireless Console 2\wcourier.exe" [2007-07-05 1040384]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-10-12 815104]
"RTHDCPL"="RTHDCPL.EXE" [2007-07-05 16380416]
"ATKMEDIA"="c:\program files\ASUS\ATK Media\DMEDIA.EXE" [2006-11-02 61440]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-10-09 421736]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-07-15 19:27 12536 ----a-w- c:\windows\system32\avgrsstx.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0OODBS
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Nabídka Start^Programy^Po spuštění^Bluetooth Manager.lnk]
path=c:\documents and settings\All Users\Nabídka Start\Programy\Po spuštění\Bluetooth Manager.lnk
backup=c:\windows\pss\Bluetooth Manager.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ACU]
2006-11-07 08:18 381020 ----a-w- c:\program files\Atheros\ACU.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2011-03-30 04:59 937920 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2011-09-07 22:58 37296 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ASUS Live Update]
2007-07-19 13:41 49520 ----a-w- c:\program files\ASUS\ASUS Live Update\ALU.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2007-06-27 14:38 162328 ----a-w- c:\windows\system32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2007-06-27 14:38 141848 ----a-w- c:\windows\system32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Infium]
2011-07-18 13:26 6812032 ----a-w- c:\program files\QIP 2010\qip.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2011-10-09 16:06 421736 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
2008-06-08 08:31 2221352 ----a-w- c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2008-06-19 08:53 570664 ----a-w- c:\program files\Common Files\Nero\Lib\NeroCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OODefragTray]
2007-05-11 00:08 2512392 ----a-w- c:\windows\system32\oodtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2007-06-27 14:38 137752 ----a-w- c:\windows\system32\igfxpers.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 16:38 421888 ----a-w- c:\program files\QuickTime Alternative\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMSERIAL]
2006-11-22 15:31 630784 ----a-w- c:\program files\Motorola\SMSERIAL\sm56hlpr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-10-11 03:17 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
2008-03-27 06:35 36352 ----a-w- c:\program files\Winamp\winampa.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\QIP\\qip.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\QIP 2010\\qip.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Documents and Settings\\All Users\\Data aplikací\\MFAData\\SelfUpd\\avgmfapx.exe"=
"c:\\soft a ovladače xp\\RSIT.exe"=
"c:\\Program Files\\WinZip\\WINZIP32.EXE"=
"c:\\Documents and Settings\\Dituška\\Plocha\\TeamViewerPortable\\TeamViewer.exe"=
.
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [27.3.2009 18:19 243152]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [21.1.2009 22:00 216400]
S2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [15.7.2010 20:27 921952]
S2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [15.7.2010 20:27 308136]
S3 CamSpaceBus;CamSpace Virtual Joystick Bus device driver;c:\windows\system32\drivers\CamSpaceBus.sys [10.6.2008 15:14 14848]
S3 CamSpaceJoy;CamSpace Virtual Joystick device driver;c:\windows\system32\drivers\CamSpaceJoy.sys [10.6.2008 15:14 30464]
S3 pcouffin;VSO Software pcouffin;c:\windows\system32\drivers\pcouffin.sys [8.5.2008 0:22 47360]
S3 SinoTPM;Driver For SINOSUN Trusted Platform Module;c:\windows\system32\drivers\SinoTpm.sys [8.5.2008 5:10 34048]
.
Obsah adresáře 'Naplánované úlohy'
.
2011-10-29 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 15:57]
.
.
------- Doplňkový sken -------
.
uStart Page = hxxp://www.msn.com
uInternet Settings,ProxyOverride = *.local
IE: E&xportovat do aplikace Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 10.0.0.138
FF - ProfilePath - c:\documents and settings\Dituška\Data aplikací\Mozilla\Firefox\Profiles\h8z3xcgo.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.seznam.cz/
.
- - - - NEPLATNÉ POLOŽKY ODSTRANĚNÉ Z REGISTRU - - - -
.
MSConfigStartUp-FlashPlayerUpdate - c:\windows\system32\Macromed\Flash\NPSWF32_FlashUtil.exe
AddRemove-Cool's_Codec_pack_4.12 - c:\windows\iun6002.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-11-05 18:41
Windows 5.1.2600 Service Pack 3 NTFS
.
skenování skrytých procesů ...
.
skenování skrytých položek 'Po spuštění' ...
.
skenování skrytých souborů ...
.
.
C:\ADSM_PData_0150
.
sken byl úspešně dokončen
skryté soubory: 1
.
**************************************************************************
.
--------------------- ZAMKNUTÉ KLÍČE V REGISTRU ---------------------
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\System*]
"OODEFRAG10.00.00.01WORKSTATION"="C297EE66BA3055FB07E978A54FD0DD08BA5D9E1ED646B5D4F3FCDB9279C8909EF226C14DDD709FFC79FE98C4A2AB135273FBC9E0B75574D0727B1CBB79CC438CF064BF812227F09BF0E1AFD98870A14D5F29D5623774BF674E4F0EB6C322E37DFC2F71FEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CA6A0AC4980AC79339DB7CE019D40AA5CA2D97226D213B555BA7FD869164D6794B7ABB0BEBB9685212AF51E012869C447D99B5610A568618732A35E26C0D09B2BBF49E20E1F8FFCAFB5E29A86DDC5BD990A8BB276EE23398B1F2AD1740E0EF83900BBA194409DC59EA9F96B1467DFD30DE544504BE672F38AB3E8FE6E546BDD7A48B084A93994049F8F3C2B7F67707D614F3DE8FCD892F6EE4E6EDF44A7CA41A78EE7E8DA089BDFD816423450E205334A4F0179B37417AE1BED5833577F63A0EDEAB86E658DAF06E48F35AAC2C5FC736D90AFC5474D6508E1B6DB7DBE38C0FAED1B0B7A3D0E9EA8CFF0D3F1C85D0FBFE7607D53C5D9B6778B6FC0044313C053BCFEDC338B358EF91FD4EF3306DCC11E46322FEA71F51A725485E4D3E6B31731639CBD06A90FF4B445786FDB52D8F3970D1DA29C3EE0EE736B87373A58A3C8A25F1D5623280D1E942E3E4D1EBA4E553A325DC53AD7BF6D7A752A3DCB01CD3233A1CB5C7D4A05ABD9B7AB19EC019A6A1822CF9B5919171F888AC40EDF7984027A0E1AA04F08AF904A34EA7183187F0DC5BA773CD316545F25B654D49011793A0E7F1E01930D2B922EE7C910DDA924E85E4F7D52C793C5E25AFA77D43C4BC7B289420FF40AB878CFD10F3B3EBD91127F7DA7AA1E9989202EB74873DF89DBE9150D16CB04361EFC3705575359A8DFB9A5C6FDEDF0EC27F99A5089AE605B31C1613D32D3CD6384020D9EE0CC546659EA045E815BB4AC4DCE56399A37D0606613E8BFBECC8199E73667F5C386B504F75D96EE5529E20792FCE30DC9B9C184500653C1577D65AB78A8B46789811855E62CAE268FB20BEEBFC9186CDC0D57FDF3279AF18FD5D2AD1950B2542F6229EB06D3F135BDF4CF98515B9CF78B284B420DE60F0569653777E087F52028752AA4EBB8D7D1DB956A7FF9BD70D700A5680C89995232E1E012A41C0A663659A7F2985F9F2EB55FD925E29F606435DCC78FDC8BF75BB4E1217A154AF8BE009E096DAC5D34959EADADDE425A961EC034F03574E99DF4CB4DA39A6D1EDA90EFC3D21804978402CD23200B66F917182B1029E05DAF0CBE3CF788AC170019BDFA8BDC8487F081BC890DE1B0D7FD7D9F2B6A9C2FDF9AA7AACDAA16843C8B007F182DA559650204629AAFCB6BE41CC9D5FD341BD18D9D37FECAA3B3874E0F42E0C550CE500F194564CFC2D76B203E5FB1DE51988A385F68D684926EAC800F744284161F3A383463"
.
--------------------- Knihovny navázané na běžící procesy ---------------------
.
- - - - - - - > 'explorer.exe'(3512)
c:\program files\ASUS\ASUS Data Security Manager\OverlayIconShlExt.dll
c:\program files\ASUS\ASUS Data Security Manager\OverlayIconShlExt1.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Jiné spuštené procesy ------------------------
.
c:\program files\ASUS\ASUS Data Security Manager\ADSMSrv.exe
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\ATKGFNEX\GFNEXSrv.exe
c:\windows\RTHDCPL.EXE
c:\program files\ATK Hotkey\ATKOSD.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Nero\Nero8\Nero BackItUp\NBService.exe
c:\windows\system32\IoctlSvc.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\iPod\bin\iPodService.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\system32\wbem\wmiapsrv.exe
.
**************************************************************************
.
Celkový čas: 2011-11-05 18:44:50 - počítač byl restartován
ComboFix-quarantined-files.txt 2011-11-05 17:44
.
Před spuštěním: Volných bajtů: 55 116 406 784
Po spuštění: Volných bajtů: 55 678 980 096
.
- - End Of File - - 0DB98512947730FA562E4B99D439FC49

[Rudy]

Ještě dočistíme. Otevřte poznámkový blok a zkopírujte do něj:

Collect::
C:\ADSM_PData_0150

Uložte na plochu jako CFScript.txt.Pak jej myší přetáhněte nad ikonu ComboFix a pusťte. CF se spustí a vykoná příkazy ze skriptu.

[pepa1d]

Takže opět bohužel se spuštěným AVG na pozadí, combofix se spustil přetažením textového souboru, zeptal se zda ho chci aktualizovat tak jsem zvolil že ne a tady je log.

ComboFix 11-11-05.02 - Dituška 05.11.2011 21:01:49.5.2 - x86
Systém Microsoft Windows XP Professional 5.1.2600.3.1250.420.1029.18.2039.1388 [GMT 1:00]
Spuštěný z: c:\documents and settings\Dituška\Plocha\ComboFix.exe
Použité ovládací přepínače :: c:\documents and settings\Dituška\Plocha\CFScript.txt
AV: AVG Anti-Virus Free *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
.
((((((((((((((((((((((((( Soubory vytvořené od 2011-10-05 do 2011-11-05 )))))))))))))))))))))))))))))))
.
.
2011-11-05 15:41 . 2011-11-05 15:41 -------- d-----w- C:\rsit
2011-11-05 14:43 . 2011-11-05 14:43 -------- d-----w- c:\windows\system32\wbem\Repository
2011-11-05 14:42 . 2011-11-05 14:42 -------- d-----w- c:\windows\system32\drivers\Avg
2011-11-05 14:42 . 2011-11-05 14:42 -------- d-----w- c:\documents and settings\Dituška\Data aplikací\AVG9
2011-11-05 14:37 . 2011-11-05 14:43 -------- d-----w- c:\documents and settings\All Users\Data aplikací\avg9
2011-11-05 14:37 . 2011-11-05 14:38 -------- d-----w- c:\program files\AVG
2011-11-05 13:55 . 2011-11-05 13:55 -------- d-----w- c:\documents and settings\Dituška\Local Settings\Data aplikací\VS Revo Group
2011-11-05 13:24 . 2011-11-05 13:24 -------- d-----w- c:\documents and settings\Dituška\Local Settings\Data aplikací\Xenocode
2011-11-05 13:03 . 2011-11-05 13:03 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Data aplikací\Xenocode
2011-11-05 12:39 . 2011-11-05 12:39 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Data aplikací\Mozilla
2011-11-05 11:57 . 2011-11-05 11:57 -------- d-----w- c:\documents and settings\Administrator\IETldCache
2011-11-04 21:33 . 2011-11-05 15:46 -------- d-----w- c:\documents and settings\All Users\Data aplikací\MFAData
2011-11-04 20:16 . 2011-11-04 20:16 -------- d-----r- c:\documents and settings\NetworkService\Oblíbené položky
2011-11-04 18:16 . 2011-11-04 18:16 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2011-11-04 18:09 . 2011-11-05 12:14 -------- d-sh--w- c:\documents and settings\Dituška\Local Settings\Data aplikací\a4b5f99e
2011-11-04 08:12 . 2011-11-04 08:12 8646 ----a-w- c:\documents and settings\All Users\Data aplikací\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC(2)\TILEBOX.JS
2011-11-04 08:12 . 2011-11-04 08:12 6429 ----a-w- c:\documents and settings\All Users\Data aplikací\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC(2)\UICORE.JS
2011-11-04 08:12 . 2011-11-04 08:12 63115 ----a-w- c:\documents and settings\All Users\Data aplikací\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC(2)\USERTILE.JS
2011-11-04 08:12 . 2011-11-04 08:12 4599 ----a-w- c:\documents and settings\All Users\Data aplikací\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC(2)\UIRESOURCE.JS
2011-11-04 08:12 . 2011-11-04 08:12 9310 ----a-w- c:\documents and settings\All Users\Data aplikací\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC(2)\TEXTBOX.JS
2011-11-04 08:12 . 2011-11-04 08:12 8613 ----a-w- c:\documents and settings\All Users\Data aplikací\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC(2)\SAVEDUSER.JS
2011-11-04 08:12 . 2011-11-04 08:12 5927 ----a-w- c:\documents and settings\All Users\Data aplikací\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC(2)\TEXT.JS
2011-11-04 08:12 . 2011-11-04 08:12 1651 ----a-w- c:\documents and settings\All Users\Data aplikací\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC(2)\QUERYSTRING.JS
2011-11-04 08:12 . 2011-11-04 08:12 8288 ----a-w- c:\documents and settings\All Users\Data aplikací\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC(2)\IMAGE.JS
2011-11-04 08:12 . 2011-11-04 08:12 6910 ----a-w- c:\documents and settings\All Users\Data aplikací\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC(2)\NEWUSERCOMM.JS
2011-11-04 08:12 . 2011-11-04 08:12 6208 ----a-w- c:\documents and settings\All Users\Data aplikací\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC(2)\LINK.JS
2011-11-04 08:12 . 2011-11-04 08:12 18541 ----a-w- c:\documents and settings\All Users\Data aplikací\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC(2)\LOCALIZATION.JS
2011-11-04 08:11 . 2011-11-04 08:11 51852 ----a-w- c:\documents and settings\All Users\Data aplikací\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC(2)\EXTERNALWRAPPER.JS
2011-11-04 08:11 . 2011-11-04 08:11 8782 ----a-w- c:\documents and settings\All Users\Data aplikací\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC(2)\BUTTON.JS
2011-11-04 08:11 . 2011-11-04 08:11 7271 ----a-w- c:\documents and settings\All Users\Data aplikací\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC(2)\CHECKBOX.JS
2011-11-04 08:11 . 2011-11-04 08:11 23327 ----a-w- c:\documents and settings\All Users\Data aplikací\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC(2)\COMBOBOX.JS
2011-11-04 08:11 . 2011-11-04 08:11 20719 ----a-w- c:\documents and settings\All Users\Data aplikací\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC(2)\DIVWRAPPER.JS
2011-10-25 09:22 . 2011-10-25 09:22 -------- d-----w- c:\program files\iPod
2011-10-25 09:22 . 2011-10-25 09:23 -------- d-----w- c:\program files\iTunes
2011-10-25 09:18 . 2011-10-25 09:18 -------- d-----w- c:\documents and settings\LocalService\Data aplikací\Apple Computer
2011-10-25 09:18 . 2011-10-25 09:18 -------- d-----w- c:\program files\Bonjour
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-05 12:11 . 2007-05-11 00:09 1044480 ----a-w- c:\windows\system32\oodag.exe
2011-10-08 09:52 . 2011-05-22 08:12 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-09-26 09:41 . 2008-07-29 17:59 613376 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 09:41 . 2004-08-18 11:00 22528 ----a-w- c:\windows\system32\oleaccrc.dll
2011-09-26 09:41 . 2004-08-18 11:00 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-12 18:30 . 2009-01-21 21:00 29712 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2011-09-09 09:12 . 2004-08-18 11:00 602112 ----a-w- c:\windows\system32\crypt32.dll
2011-09-06 14:10 . 2004-08-18 11:00 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-08-30 21:05 . 2011-08-30 21:05 83816 ----a-w- c:\windows\system32\dns-sd.exe
2011-08-30 21:05 . 2011-08-30 21:05 73064 ----a-w- c:\windows\system32\dnssd.dll
2011-08-22 23:41 . 2004-08-18 11:00 916480 ----a-w- c:\windows\system32\wininet.dll
2011-08-22 23:41 . 2004-08-18 11:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-08-22 23:41 . 2004-08-18 11:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-08-22 11:56 . 2004-08-18 11:00 385024 ----a-w- c:\windows\system32\html.iec
2011-08-17 13:49 . 2004-08-18 11:00 138496 ----a-w- c:\windows\system32\drivers\afd.sys
2011-10-05 04:42 . 2011-03-26 14:12 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2011-11-05_17.40.54 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-11-05 20:10 . 2011-11-05 20:10 16384 c:\windows\system32\config\systemprofile\Local Settings\Temp\Perflib_Perfdata_580.dat
+ 2008-05-07 02:43 . 2011-11-05 19:53 35088 c:\windows\Installer\{90120000-0012-0000-0000-0000000FF1CE}\oisicon.exe
- 2008-05-07 02:43 . 2011-10-13 06:08 35088 c:\windows\Installer\{90120000-0012-0000-0000-0000000FF1CE}\oisicon.exe
+ 2008-05-07 02:43 . 2011-11-05 19:53 18704 c:\windows\Installer\{90120000-0012-0000-0000-0000000FF1CE}\mspicons.exe
- 2008-05-07 02:43 . 2011-10-13 06:08 18704 c:\windows\Installer\{90120000-0012-0000-0000-0000000FF1CE}\mspicons.exe
- 2008-05-07 02:43 . 2011-10-13 06:08 20240 c:\windows\Installer\{90120000-0012-0000-0000-0000000FF1CE}\cagicon.exe
+ 2008-05-07 02:43 . 2011-11-05 19:53 20240 c:\windows\Installer\{90120000-0012-0000-0000-0000000FF1CE}\cagicon.exe
- 2008-05-07 02:43 . 2011-10-13 06:08 888080 c:\windows\Installer\{90120000-0012-0000-0000-0000000FF1CE}\wordicon.exe
+ 2008-05-07 02:43 . 2011-11-05 19:53 888080 c:\windows\Installer\{90120000-0012-0000-0000-0000000FF1CE}\wordicon.exe
+ 2008-05-07 02:43 . 2011-11-05 19:53 922384 c:\windows\Installer\{90120000-0012-0000-0000-0000000FF1CE}\pptico.exe
- 2008-05-07 02:43 . 2011-10-13 06:08 922384 c:\windows\Installer\{90120000-0012-0000-0000-0000000FF1CE}\pptico.exe
- 2008-05-07 02:43 . 2011-10-13 06:08 845584 c:\windows\Installer\{90120000-0012-0000-0000-0000000FF1CE}\outicon.exe
+ 2008-05-07 02:43 . 2011-11-05 19:53 845584 c:\windows\Installer\{90120000-0012-0000-0000-0000000FF1CE}\outicon.exe
- 2008-05-07 02:43 . 2011-10-13 06:08 217864 c:\windows\Installer\{90120000-0012-0000-0000-0000000FF1CE}\misc.exe
+ 2008-05-07 02:43 . 2011-11-05 19:53 217864 c:\windows\Installer\{90120000-0012-0000-0000-0000000FF1CE}\misc.exe
+ 2008-05-07 02:43 . 2011-11-05 19:53 1172240 c:\windows\Installer\{90120000-0012-0000-0000-0000000FF1CE}\xlicons.exe
- 2008-05-07 02:43 . 2011-10-13 06:08 1172240 c:\windows\Installer\{90120000-0012-0000-0000-0000000FF1CE}\xlicons.exe
.
(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ADSMOverlayIcon1]
@="{A8D448F4-0431-45AC-9F5E-E1B434AB2249}"
[HKEY_CLASSES_ROOT\CLSID\{A8D448F4-0431-45AC-9F5E-E1B434AB2249}]
2007-06-01 15:08 143360 ----a-w- c:\program files\ASUS\ASUS Data Security Manager\OverlayIconShlExt1.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATKHOTKEY"="c:\program files\ATK Hotkey\Hcontrol.exe" [2007-04-19 225280]
"Wireless Console 2"="c:\program files\Wireless Console 2\wcourier.exe" [2007-07-05 1040384]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-10-12 815104]
"RTHDCPL"="RTHDCPL.EXE" [2007-07-05 16380416]
"ATKMEDIA"="c:\program files\ASUS\ATK Media\DMEDIA.EXE" [2006-11-02 61440]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-10-09 421736]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-07-15 19:27 12536 ----a-w- c:\windows\system32\avgrsstx.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0OODBS
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Nabídka Start^Programy^Po spuštění^Bluetooth Manager.lnk]
path=c:\documents and settings\All Users\Nabídka Start\Programy\Po spuštění\Bluetooth Manager.lnk
backup=c:\windows\pss\Bluetooth Manager.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ACU]
2006-11-07 08:18 381020 ----a-w- c:\program files\Atheros\ACU.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2011-03-30 04:59 937920 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2011-09-07 22:58 37296 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ASUS Live Update]
2007-07-19 13:41 49520 ----a-w- c:\program files\ASUS\ASUS Live Update\ALU.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2007-06-27 14:38 162328 ----a-w- c:\windows\system32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2007-06-27 14:38 141848 ----a-w- c:\windows\system32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Infium]
2011-07-18 13:26 6812032 ----a-w- c:\program files\QIP 2010\qip.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2011-10-09 16:06 421736 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
2008-06-08 08:31 2221352 ----a-w- c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2008-06-19 08:53 570664 ----a-w- c:\program files\Common Files\Nero\Lib\NeroCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OODefragTray]
2007-05-11 00:08 2512392 ----a-w- c:\windows\system32\oodtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2007-06-27 14:38 137752 ----a-w- c:\windows\system32\igfxpers.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 16:38 421888 ----a-w- c:\program files\QuickTime Alternative\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMSERIAL]
2006-11-22 15:31 630784 ----a-w- c:\program files\Motorola\SMSERIAL\sm56hlpr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-10-11 03:17 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
2008-03-27 06:35 36352 ----a-w- c:\program files\Winamp\winampa.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\QIP\\qip.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\QIP 2010\\qip.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Documents and Settings\\All Users\\Data aplikací\\MFAData\\SelfUpd\\avgmfapx.exe"=
"c:\\soft a ovladače xp\\RSIT.exe"=
"c:\\Program Files\\WinZip\\WINZIP32.EXE"=
"c:\\Documents and Settings\\Dituška\\Plocha\\TeamViewerPortable\\TeamViewer.exe"=
.
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [27.3.2009 18:19 243152]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [21.1.2009 22:00 216400]
S2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [15.7.2010 20:27 921952]
S2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [15.7.2010 20:27 308136]
S3 CamSpaceBus;CamSpace Virtual Joystick Bus device driver;c:\windows\system32\drivers\CamSpaceBus.sys [10.6.2008 15:14 14848]
S3 CamSpaceJoy;CamSpace Virtual Joystick device driver;c:\windows\system32\drivers\CamSpaceJoy.sys [10.6.2008 15:14 30464]
S3 pcouffin;VSO Software pcouffin;c:\windows\system32\drivers\pcouffin.sys [8.5.2008 0:22 47360]
S3 SinoTPM;Driver For SINOSUN Trusted Platform Module;c:\windows\system32\drivers\SinoTpm.sys [8.5.2008 5:10 34048]
.
Obsah adresáře 'Naplánované úlohy'
.
2011-11-05 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 15:57]
.
.
------- Doplňkový sken -------
.
uStart Page = hxxp://www.msn.com
uInternet Settings,ProxyOverride = *.local
IE: E&xportovat do aplikace Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 10.0.0.138
FF - ProfilePath - c:\documents and settings\Dituška\Data aplikací\Mozilla\Firefox\Profiles\h8z3xcgo.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.seznam.cz/
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-11-05 21:11
Windows 5.1.2600 Service Pack 3 NTFS
.
skenování skrytých procesů ...
.
skenování skrytých položek 'Po spuštění' ...
.
skenování skrytých souborů ...
.
sken byl úspešně dokončen
skryté soubory: 0
.
**************************************************************************
.
--------------------- ZAMKNUTÉ KLÍČE V REGISTRU ---------------------
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\System*]
"OODEFRAG10.00.00.01WORKSTATION"="C297EE66BA3055FB07E978A54FD0DD08BA5D9E1ED646B5D4F3FCDB9279C8909EF226C14DDD709FFC79FE98C4A2AB135273FBC9E0B75574D0727B1CBB79CC438CF064BF812227F09BF0E1AFD98870A14D5F29D5623774BF674E4F0EB6C322E37DFC2F71FEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CA6A0AC4980AC79339DB7CE019D40AA5CA2D97226D213B555BA7FD869164D6794B7ABB0BEBB9685212AF51E012869C447D99B5610A568618732A35E26C0D09B2BBF49E20E1F8FFCAFB5E29A86DDC5BD990A8BB276EE23398B1F2AD1740E0EF83900BBA194409DC59EA9F96B1467DFD30DE544504BE672F38AB3E8FE6E546BDD7A48B084A93994049F8F3C2B7F67707D614F3DE8FCD892F6EE4E6EDF44A7CA41A78EE7E8DA089BDFD816423450E205334A4F0179B37417AE1BED5833577F63A0EDEAB86E658DAF06E48F35AAC2C5FC736D90AFC5474D6508E1B6DB7DBE38C0FAED1B0B7A3D0E9EA8CFF0D3F1C85D0FBFE7607D53C5D9B6778B6FC0044313C053BCFEDC338B358EF91FD4EF3306DCC11E46322FEA71F51A725485E4D3E6B31731639CBD06A90FF4B445786FDB52D8F3970D1DA29C3EE0EE736B87373A58A3C8A25F1D5623280D1E942E3E4D1EBA4E553A325DC53AD7BF6D7A752A3DCB01CD3233A1CB5C7D4A05ABD9B7AB19EC019A6A1822CF9B5919171F888AC40EDF7984027A0E1AA04F08AF904A34EA7183187F0DC5BA773CD316545F25B654D49011793A0E7F1E01930D2B922EE7C910DDA924E85E4F7D52C793C5E25AFA77D43C4BC7B289420FF40AB878CFD10F3B3EBD91127F7DA7AA1E9989202EB74873DF89DBE9150D16CB04361EFC3705575359A8DFB9A5C6FDEDF0EC27F99A5089AE605B31C1613D32D3CD6384020D9EE0CC546659EA045E815BB4AC4DCE56399A37D0606613E8BFBECC8199E73667F5C386B504F75D96EE5529E20792FCE30DC9B9C184500653C1577D65AB78A8B46789811855E62CAE268FB20BEEBFC9186CDC0D57FDF3279AF18FD5D2AD1950B2542F6229EB06D3F135BDF4CF98515B9CF78B284B420DE60F0569653777E087F52028752AA4EBB8D7D1DB956A7FF9BD70D700A5680C89995232E1E012A41C0A663659A7F2985F9F2EB55FD925E29F606435DCC78FDC8BF75BB4E1217A154AF8BE009E096DAC5D34959EADADDE425A961EC034F03574E99DF4CB4DA39A6D1EDA90EFC3D21804978402CD23200B66F917182B1029E05DAF0CBE3CF788AC170019BDFA8BDC8487F081BC890DE1B0D7FD7D9F2B6A9C2FDF9AA7AACDAA16843C8B007F182DA559650204629AAFCB6BE41CC9D5FD341BD18D9D37FECAA3B3874E0F42E0C550CE500F194564CFC2D76B203E5FB1DE51988A385F68D684926EAC800F744284161F3A383463"
.
--------------------- Knihovny navázané na běžící procesy ---------------------
.
- - - - - - - > 'explorer.exe'(2960)
c:\program files\ASUS\ASUS Data Security Manager\OverlayIconShlExt.dll
c:\program files\ASUS\ASUS Data Security Manager\OverlayIconShlExt1.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Jiné spuštené procesy ------------------------
.
c:\program files\ASUS\ASUS Data Security Manager\ADSMSrv.exe
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\ATKGFNEX\GFNEXSrv.exe
c:\windows\RTHDCPL.EXE
c:\program files\ATK Hotkey\ATKOSD.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Nero\Nero8\Nero BackItUp\NBService.exe
c:\windows\system32\IoctlSvc.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wbem\wmiapsrv.exe
.
**************************************************************************
.
Celkový čas: 2011-11-05 21:15:10 - počítač byl restartován
ComboFix-quarantined-files.txt 2011-11-05 20:15
.
Před spuštěním: Volných bajtů: 55 887 425 536
Po spuštění: Volných bajtů: 55 865 962 496
.
- - End Of File - - 0A05ADEC9E998C244A36A7B6BB48BDA0

[Rudy]

Log již vypadá OK. Nastala nějaká změna?

[pepa1d]

Ve správci úloh neběžel onen zmiňovaný prapodivný proces 2667165092:1531577953.exe. Znovu jsem nainstaloval MBAM protože původní instalace nereagovala a ani nechtěla jit odinstalovat. MBAM "fungovalo" v pořádku. Dále AVG free 9.0 na nic nereagovalo, nechtělo jít odinstalovat ani přes ccleaner ani přes ovládací panely. Použil jsem tedy oficiální AVG Removal Tool a AVG jsem odstranil. Notebook se restartoval. Vše v pořádku vše fungovalo. Spustil jsem instalaci AVG Free 2012, doběhla až téměř do konce, alespoň podle status baru a v tu chvíli notebook zamrzl. Nereagoval vůbec na nic, myš sice reagovala, ale na nic nešlo kliknout, správce úloh nešel spustit, po 5 minutách čekání žádná změna. Bohužel jsem tedy notebook natvrdo vypnul držením tlačítka power. Po opětovném spuštění klasická bootovací obrazovka, logo a bootování windows XP pak obrazovka zcela zčerná a nic se neděje. Po 10 minutách čekání nic. Opět vypnutí natvrdo tentokrát jsem ho spustil do nouzového režimu s prací v síti a to naběhl v pořádku. Přihlásil jsem se na účet skrytého administrátora. AVG 2012 je nainstalované. Dal jsem počítač restartovat a nechal nabíhat v normálním režimu a místo modrého pozadí s nápisem "vítejte" opět jenom černá obrazovka bez ikony myši.

Už jsem si myslel že je vše v pořádku při instalaci AVG a ted zase tohle..

EDIT: Pokusím to spustit v nouzovém režimu a odinstalovat opět AVG, ale až zítra, dnes už nato nemám nervy..

[Rudy]

OK. Pak sdělte, jak to dopadlo. Je možné, že je tam ještě něco skryto.

[pepa1d]

Zdravím,

tak v nouzovém režimu se povedlo AVG odinstalovat a po restartu bezproblému naběhly windows XP. AVG je snad odinstalované.

Spustil jsem AVPtool a v pohode se rozběhlo, spustil jsem scan s vysokou prioritou a jediné co to našlo tak jsou 4 zranitelné soubory:
(udelám aktualizace)

Status: Vulnerability (events: 4)
6.11.2011 12:06:20 Vulnerability http://www.securelist.com/en/advisories/45516 c:\Program Files\QuickTime Alternative\QuickTimePlayer.exe Low
6.11.2011 12:06:23 Vulnerability http://www.securelist.com/en/advisories/45080 c:\Program Files\Winamp\winamp.exe Low
6.11.2011 12:06:44 Vulnerability http://www.securelist.com/en/advisories/38875 c:\Program Files\Skype\Phone\Skype.exe Low
6.11.2011 12:07:31 Vulnerability http://www.securelist.com/en/advisories/46512 c:\Program Files\Java\jre6\bin\java.exe Low

Potom jsem spustil MBAM na rychlou kontrolu a tady je čistý log.

Malwarebytes' Anti-Malware
http://www.malwarebytes.org

Verze databáze:

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

6.11.2011 12:20:33
mbam-log-2011-11-06 (12-20-33).txt

Typ: Rychlá kontrola
Kontrolované objekty: 186681
Uplynulý čas: 3 minut, 43 sekund

Infikované procesy v paměti: 0
Infikované moduly v paměti: 0
Infikované klíče v registru: 0
Infikované hodnoty v registru: 0
Infikované datové položky v registru: 0
Infikované složky: 0
Infikované soubory: 0

Infikované procesy v paměti:
(Žádné škodlivé položky nebyly zjištěny)

Infikované moduly v paměti:
(Žádné škodlivé položky nebyly zjištěny)

Infikované klíče v registru:
(Žádné škodlivé položky nebyly zjištěny)

Infikované hodnoty v registru:
(Žádné škodlivé položky nebyly zjištěny)

Infikované datové položky v registru:
(Žádné škodlivé položky nebyly zjištěny)

Infikované složky:
(Žádné škodlivé položky nebyly zjištěny)

Infikované soubory:
(Žádné škodlivé položky nebyly zjištěny)

Problém byl tedy v AVG a nyní je notebook bez antiviru. AVG Free použivam asi na 6 počítačích s různými operačními systémy už od roku 2009 a nikdy nebyl žádný problém. Jen se ho ted bojím znovu nainstalovat na tento notebook aby se neopakovala ta samá situace se zamrznutím a černou obrazovkou, ale to už je asi téma pro jiné forum. Mám udělat ještě nějaký test pro kontrolu?

[Rudy]

Osobně si myslím, že je AVG s něčím, co je v PC nainstalováno v konfliktu. To by bylo spíše pro technikou podporu AVG.

[pepa1d]

Zkusím znovu AVG removal tool pro odstranění zbytků po nainstalovaném AVG, notebook pořádně pročistím pomocí CCleaner (soubory i registry), restartuji a pak zkusím čistou instalaci AVG Free 2012. Do objevení viru běželo AVG na notebooku v pořádku. Pokud obrazovka znovu zčerná je jasné že se AVG s něčím pere a v nouzovem režimu ho zase odinstaluju. Každopádně moc děkuju za váš čas a pomoc a toto téma je asi možné uzavřít.

Ještě jednou díky.
pepa1d

[Rudy]

Rádo se stalo!