VIRY.CZ

MS OnLineScaner mi nalezl 2 neřády (autorun.inf)
Pak jsem spustil Combofix. Prosím o kontrolu. Děkuji Jiří

ComboFix 10-02-04.01 - user 04.02.2010 22:05:11.3.1 - x86
Systém Microsoft Windows XP Professional 5.1.2600.3.1250.420.1029.18..1983.1433 [GMT 1:00]
Spuštěný z: d:\z_internetu\ComboFix.exe
AV: ESET NOD32 Antivirus 4.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
..

((((((((((((((((((((((((( Soubory vytvořené od 2010-01-04 do 2010-02-04 )))))))))))))))))))))))))))))))
..

2010-02-04 16:35 . 2010-02-04 16:49 -------- d-----w- c:\program files\Windows Live Safety Center
2010-02-04 16:34 . 2010-02-04 16:34 -------- d-----w- c:\windows\LastGood
2010-01-24 15:36 . 2010-02-02 17:42 118114 ----a-w- c:\windows\system32\e1-UPM1Hnuh-.exe
2010-01-24 15:36 . 2010-01-24 15:36 288828 ----a-w- c:\documents and settings\user\FLVDirect.exe
2010-01-24 11:02 . 2010-01-24 11:02 -------- d-----w- c:\program files\DVD Decrypter
2010-01-21 23:56 . 2010-01-21 23:56 -------- d-----w- c:\program files\Windows Live SkyDrive
2010-01-21 23:51 . 2010-01-21 23:51 -------- d-----w- c:\program files\Common Files\Windows Live
2010-01-21 23:51 . 2010-01-23 13:33 -------- d-----w- c:\program files\Microsoft Silverlight
2010-01-21 23:50 . 2010-01-21 23:56 -------- d-----w- c:\program files\Microsoft
2010-01-21 23:27 . 2006-06-29 12:07 14048 ------w- c:\windows\system32\spmsg2.dll
2010-01-13 10:03 . 2009-11-21 16:03 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll

..
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
..
2010-02-04 16:26 . 2002-09-23 12:00 90726 ----a-w- c:\windows\system32\perfc005.dat
2010-02-04 16:26 . 2002-09-23 12:00 458644 ----a-w- c:\windows\system32\perfh005.dat
2010-01-24 10:58 . 2009-11-28 19:10 -------- d-----w- c:\program files\Free Easy Burner
2010-01-14 10:12 . 2009-10-25 06:39 181120 ------w- c:\windows\system32\MpSigStub.exe
2010-01-03 15:36 . 2010-01-03 15:35 -------- d-----w- c:\program files\OpenOffice.org 3
2009-12-29 10:37 . 2009-12-28 21:27 -------- d-----w- c:\program files\Common Files\Ahead
2009-12-28 21:27 . 2009-12-28 21:27 -------- d-----w- c:\program files\Nero
2009-12-25 22:36 . 2009-12-25 22:36 1171456 ----a-w- c:\windows\system32\IzXQVKT.dll
2009-12-21 19:08 . 2002-09-23 12:00 916480 ------w- c:\windows\system32\wininet.dll
2009-12-17 17:58 . 2009-12-17 17:58 -------- d-----w- c:\program files\Common Files\Borland Shared
2009-12-17 17:58 . 2009-12-17 17:58 -------- d-----w- c:\program files\Borland
2009-12-09 17:31 . 2009-12-09 17:31 -------- d-----w- c:\program files\Microsoft.NET
2009-11-21 16:03 . 2002-09-23 12:00 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
..

(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
..
..
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{bce834d2-a5a0-3f7c-8182-7d6c43472043}]
2009-12-25 22:36 1171456 ----a-w- c:\windows\system32\IzXQVKT.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2005-08-17 90112]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-02-06 2021400]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-03 866584]
"OrderReminder"="c:\program files\Hewlett-Packard\OrderReminder\OrderReminder.exe" [2004-12-14 98304]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Pinnacle\\Studio 12\\Programs\\RM.exe"=
"c:\\Program Files\\Pinnacle\\Studio 12\\Programs\\Studio.exe"=
"c:\\Program Files\\Pinnacle\\Studio 12\\Programs\\umi.exe"=

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [6.2.2009 13:23 106208]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [6.2.2009 13:24 93336]
R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [6.2.2009 13:23 727720]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng..exe [3.11.2006 19:19 13592]
R3 ULI5261XP;ULi M526X Ethernet NT Driver;c:\windows\system32\drivers\ULILAN51.SYS [24.10.2009 20:31 28672]
..
Obsah adresáře 'Naplánované úlohy'

2010-02-04 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 18:20]
..
..
------- Doplňkový sken -------
..
uStart Page = hxxp://www.ghorice.cz/
IE: E&xportovat do aplikace Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: E&xportovat do aplikace Microsoft Office Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: flvdirect.com\www
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\user\Data aplikací\Mozilla\Firefox\Profiles\w4bmamgw.default\
FF - prefs.js: browser.search.defaulturl - hxxp://flvdirect.iamwired.net/websearch.php?src=tops&search=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.ghorice.cz
FF - prefs.js: keyword.URL - hxxp://flvdirect.iamwired.net/websearch.php?src=tops&search=
FF - component: c:\program files\Mozilla Firefox\extensions\{2fc1f8b5-6143-b072-acdd-e87ad00c4e43}\components\_A0WKAyIzHB.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- NASTAVENÍ FIREFOXU ----
c:\program files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".cz");
..

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-04 22:08
Windows 5.1.2600 Service Pack 3 NTFS

skenování skrytých procesů ...

skenování skrytých položek 'Po spuštění' ...

skenování skrytých souborů ...

sken byl úspešně dokončen
skryté soubory: 0

**************************************************************************
..
--------------------- Knihovny navázané na běžící procesy ---------------------

- - - - - - - > 'winlogon.exe'(724)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(312)
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
..
Celkový čas: 2010-02-04 22:09:46
ComboFix-quarantined-files.txt 2010-02-04 21:09

Před spuštěním: 8 756 068 352
Po spuštění: 8 778 186 752

- - End Of File - - 3B258B3C10AD84CDB05CF0732AAABCEA

Tento soubor otestujte na www.virustotal.com :
c:\windows\system32\IzXQVKT.dll

výsledek sem zkopírujte.

Otestováno - Výsledek:

Soubor R-r_gvjU_Bs2.dll přijatý 2010.01.30 15:03:04 (UTC)
Současný stav: Dokončeno
Výsledek: 1/41 (2.44%)
Formátované Formátované
Vytisknout výsledky Vytisknout výsledky
Antivirus Verze Poslední aktualizace Výsledek
a-squared 4.5.0.50 2010.01.30 -
AhnLab-V3 5.0.0.2 2010.01.30 -
AntiVir 7.9.1.154 2010.01.29 -
Antiy-AVL 2.0.3.7 2010.01.28 -
Authentium 5.2.0.5 2010.01.30 -
Avast 4.8.1351.0 2010.01.30 -
AVG 9.0.0.730 2010.01.30 -
BitDefender 7.2 2010.01.30 -
CAT-QuickHeal 10.00 2010.01.30 -
ClamAV 0.96.0.0-git 2010.01.30 -
Comodo 3761 2010.01.30 -
DrWeb 5.0.1.12222 2010.01.30 -
eSafe 7.0.17.0 2010.01.28 -
eTrust-Vet 35.2.7271 2010.01.29 -
F-Prot 4.5.1.85 2010.01.29 -
F-Secure 9.0.15370.0 2010.01.30 -
Fortinet 4.0.14.0 2010.01.30 -
GData 19 2010.01.30 -
Ikarus T3.1.1.80.0 2010.01.30 -
Jiangmin 13.0.900 2010.01.28 -
K7AntiVirus 7.10.960 2010.01.29 -
Kaspersky 7.0.0.125 2010.01.30 -
McAfee 5876 2010.01.29 -
McAfee+Artemis 5876 2010.01.29 -
McAfee-GW-Edition 6.8.5 2010.01.30 -
Microsoft 1.5406 2010.01.30 -
NOD32 4820 2010.01.30 -
Norman 6.04.03 2010.01.30 -
nProtect 2009.1.8.0 2010.01.30 -
Panda 10.0.2.2 2010.01.30 -
PCTools 7.0.3.5 2010.01.30 -
Prevx 3.0 2010.01.30 -
Rising 22.32.05.04 2010.01.30 -
Sophos 4.50.0 2010.01.30 -
Sunbelt 3.2.1858.2 2010.01.30 -
Symantec 20091.2.0.41 2010.01.30 Reser.Reputation.1
TheHacker 6.5.1.0.172 2010.01.30 -
TrendMicro 9.120.0.1004 2010.01.30 -
VBA32 3.12.12.1 2010.01.29 -
ViRobot 2010.1.30.2164 2010.01.30 -
VirusBuster 5.0.21.0 2010.01.30 -
Rozšiřující informace
File size: 1171456 bytes
MD5 : 447f7c7a37d4f82fc47fa7145467737d
SHA1 : 1a82c986d86eb2ca918e4fe893af39572c8844d4
SHA256: e4437bbc39a7d403331e3ed4b41a5605f4dccb7c6b3feeef9429603bb4b3dd0c
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0xD6A01
timedatestamp.....: 0x4B353E51 (Fri Dec 25 23:36:01 2009)
machinetype.......: 0x14C (Intel I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0xEA2CC 0xEB000 6.59 a35e6fd2e71ce83fa5f0448e5dcb61ea
.rdata 0xEC000 0x17164 0x18000 4.92 104f3d149a9a3becf1b1b43d453d4937
.data 0x104000 0x5AF4 0x1000 5.66 9bc99c854a60744121007580519b26cc
.reloc 0x10A000 0x18126 0x19000 5.96 fa1b46cf21d49e2bae6250e687833043

( 6 imports )

> kernel32.dll: GetProcAddress, LoadLibraryA, MultiByteToWideChar, InterlockedIncrement, InterlockedDecrement, DeleteCriticalSection, GetCurrentThreadId, LoadLibraryW, WideCharToMultiByte
> msvcp60.dll: _peek@_$basic_istream@DU_$char_traits@D@std@@@std@@QAEHXZ, _get@_$basic_istream@DU_$char_traits@D@std@@@std@@QAEHXZ, __8std@@YA_NABV_$basic_string@DU_$char_traits@D@std@@V_$allocator@D@2@@0@0@Z, __1_$basic_string@DU_$char_traits@D@std@@V_$allocator@D@2@@std@@QAE@XZ, __C@_1___Nullstr@_$basic_string@DU_$char_traits@D@std@@V_$allocator@D@2@@std@@CAPBDXZ@4DB, _append@_$basic_string@DU_$char_traits@D@std@@V_$allocator@D@2@@std@@QAEAAV12@ABV12@II@Z, _npos@_$basic_string@DU_$char_traits@D@std@@V_$allocator@D@2@@std@@2IB, _append@_$basic_string@DU_$char_traits@D@std@@V_$allocator@D@2@@std@@QAEAAV12@PBDI@Z, __Tidy@_$basic_string@DU_$char_traits@D@std@@V_$allocator@D@2@@std@@AAEX_N@Z, __C@_1___Nullstr@_$basic_string@GU_$char_traits@G@std@@V_$allocator@G@2@@std@@CAPBGXZ@4GB, __1_$basic_string@GU_$char_traits@G@std@@V_$allocator@G@2@@std@@QAE@XZ, __Tidy@_$basic_string@GU_$char_traits@G@std@@V_$allocator@G@2@@std@@AAEX_N@Z, __Hstd@@YA_AV_$basic_string@GU_$char_traits@G@std@@V_$allocator@G@2@@0@PBGABV10@@Z, _assign@_$basic_string@GU_$char_traits@G@std@@V_$allocator@G@2@@std@@QAEAAV12@PBGI@Z, _assign@_$basic_string@GU_$char_traits@G@std@@V_$allocator@G@2@@std@@QAEAAV12@ABV12@II@Z, _npos@_$basic_string@GU_$char_traits@G@std@@V_$allocator@G@2@@std@@2IB, __8std@@YA_NABV_$basic_string@GU_$char_traits@G@std@@V_$allocator@G@2@@0@0@Z, _append@_$basic_string@GU_$char_traits@G@std@@V_$allocator@G@2@@std@@QAEAAV12@ABV12@II@Z, _append@_$basic_string@GU_$char_traits@G@std@@V_$allocator@G@2@@std@@QAEAAV12@PBGI@Z, _find@_$basic_string@GU_$char_traits@G@std@@V_$allocator@G@2@@std@@QBEIPBGII@Z, __0_$basic_string@GU_$char_traits@G@std@@V_$allocator@G@2@@std@@QAE@ABV01@@Z, __Freeze@_$basic_string@GU_$char_traits@G@std@@V_$allocator@G@2@@std@@AAEXXZ, __Hstd@@YA_AV_$basic_string@GU_$char_traits@G@std@@V_$allocator@G@2@@0@ABV10@PBG@Z, __1_Lockit@std@@QAE@XZ, __0_Lockit@std@@QAE@XZ, __Mstd@@YA_NABV_$basic_string@GU_$char_traits@G@std@@V_$allocator@G@2@@0@0@Z, __Hstd@@YA_AV_$basic_string@GU_$char_traits@G@std@@V_$allocator@G@2@@0@ABV10@0@Z, _append@_$basic_string@GU_$char_traits@G@std@@V_$allocator@G@2@@std@@QAEAAV12@IG@Z, __Eos@_$basic_string@GU_$char_traits@G@std@@V_$allocator@G@2@@std@@AAEXI@Z, __Split@_$basic_string@GU_$char_traits@G@std@@V_$allocator@G@2@@std@@AAEXXZ, __Xran@std@@YAXXZ, __Grow@_$basic_string@GU_$char_traits@G@std@@V_$allocator@G@2@@std@@AAE_NI_N@Z, __Copy@_$basic_string@GU_$char_traits@G@std@@V_$allocator@G@2@@std@@AAEXI@Z, __Xlen@std@@YAXXZ, _max_size@_$basic_string@GU_$char_traits@G@std@@V_$allocator@G@2@@std@@QBEIXZ, _substr@_$basic_string@GU_$char_traits@G@std@@V_$allocator@G@2@@std@@QBE_AV12@II@Z, _find_last_of@_$basic_string@GU_$char_traits@G@std@@V_$allocator@G@2@@std@@QBEIPBGII@Z, __8std@@YA_NABV_$basic_string@GU_$char_traits@G@std@@V_$allocator@G@2@@0@PBG@Z, _erase@_$basic_string@GU_$char_traits@G@std@@V_$allocator@G@2@@std@@QAEAAV12@II@Z, _assign@_$basic_string@DU_$char_traits@D@std@@V_$allocator@D@2@@std@@QAEAAV12@PBDI@Z, __Grow@_$basic_string@DU_$char_traits@D@std@@V_$allocator@D@2@@std@@AAE_NI_N@Z, __Copy@_$basic_string@DU_$char_traits@D@std@@V_$allocator@D@2@@std@@AAEXI@Z, __Eos@_$basic_string@DU_$char_traits@D@std@@V_$allocator@D@2@@std@@AAEXI@Z, __9std@@YA_NABV_$basic_string@GU_$char_traits@G@std@@V_$allocator@G@2@@0@PBG@Z, __0logic_error@std@@QAE@ABV01@@Z, __0out_of_range@std@@QAE@ABV01@@Z, __1out_of_range@std@@UAE@XZ, __1logic_error@std@@UAE@XZ, ___7out_of_range@std@@6B@, ___7logic_error@std@@6B@, _assign@_$basic_string@DU_$char_traits@D@std@@V_$allocator@D@2@@std@@QAEAAV12@ABV12@II@Z, __9std@@YA_NABV_$basic_string@GU_$char_traits@G@std@@V_$allocator@G@2@@0@0@Z, __Refcnt@_$basic_string@GU_$char_traits@G@std@@V_$allocator@G@2@@std@@AAEAAEPBG@Z, _find_first_of@_$basic_string@GU_$char_traits@G@std@@V_$allocator@G@2@@std@@QBEIPBGII@Z, _replace@_$basic_string@GU_$char_traits@G@std@@V_$allocator@G@2@@std@@QAEAAV12@IIPBGI@Z, __0locale@std@@QAE@XZ, __Decref@facet@locale@std@@QAEPAV123@XZ, _do_narrow@_$ctype@G@std@@MBEDGD@Z, _do_narrow@_$ctype@G@std@@MBEPBGPBG0DPAD@Z, _do_widen@_$ctype@G@std@@MBEGD@Z, _do_widen@_$ctype@G@std@@MBEPBDPBD0PAG@Z, _do_toupper@_$ctype@G@std@@MBEGG@Z, _do_toupper@_$ctype@G@std@@MBEPBGPAGPBG@Z, _do_tolower@_$ctype@G@std@@MBEGG@Z, _do_tolower@_$ctype@G@std@@MBEPBGPAGPBG@Z, _do_scan_not@_$ctype@G@std@@MBEPBGFPBG0@Z, _do_scan_is@_$ctype@G@std@@MBEPBGFPBG0@Z, _do_is@_$ctype@G@std@@MBE_NFG@Z, _do_is@_$ctype@G@std@@MBEPBGPBG0PAF@Z, __0bad_cast@std@@QAE@ABV01@@Z, __1bad_cast@std@@UAE@XZ, __1ctype_base@std@@UAE@XZ, __1facet@locale@std@@UAE@XZ, ___7bad_cast@std@@6B@, __1_Locinfo@std@@QAE@XZ, _Getctype, __0_Locinfo@std@@QAE@PBD@Z, ___7_$ctype@G@std@@6B@, ___7ctype_base@std@@6B@, ___7facet@locale@std@@6B@, __Iscloc@locale@std@@QBE_NXZ, __Getfacet@locale@std@@QBEPBVfacet@12@I_N@Z, __Id_cnt@id@locale@std@@0HA, _id@_$ctype@G@std@@2V0locale@2@A, __1_$ctype@G@std@@UAE@XZ, _append@_$basic_string@DU_$char_traits@D@std@@V_$allocator@D@2@@std@@QAEAAV12@ID@Z, __Split@_$basic_string@DU_$char_traits@D@std@@V_$allocator@D@2@@std@@AAEXXZ, _erase@_$basic_string@DU_$char_traits@D@std@@V_$allocator@D@2@@std@@QAEAAV12@II@Z, ___D_$basic_ifstream@DU_$char_traits@D@std@@@std@@QAEXXZ, __1_$basic_filebuf@DU_$char_traits@D@std@@@std@@UAE@XZ, __1_$basic_istream@DU_$char_traits@D@std@@@std@@UAE@XZ, __1_$basic_ios@DU_$char_traits@D@std@@@std@@UAE@XZ, __1ios_base@std@@UAE@XZ, __1_$basic_ifstream@DU_$char_traits@D@std@@@std@@UAE@XZ, _setstate@_$basic_ios@DU_$char_traits@D@std@@@std@@QAEXH_N@Z, _open@_$basic_filebuf@DU_$char_traits@D@std@@@std@@QAEPAV12@PBDH@Z, ___7_$basic_ifstream@DU_$char_traits@D@std@@@std@@6B@, __0_$basic_filebuf@DU_$char_traits@D@std@@@std@@QAE@PAU_iobuf@@@Z, __0_$basic_istream@DU_$char_traits@D@std@@@std@@QAE@PAV_$basic_streambuf@DU_$char_traits@D@std@@@1@_N@Z, ___7_$basic_ios@DU_$char_traits@D@std@@@std@@6B@, __0ios_base@std@@IAE@XZ, ___8_$basic_ifstream@DU_$char_traits@D@std@@@std@@7B@, __Hstd@@YA_AV_$basic_string@DU_$char_traits@D@std@@V_$allocator@D@2@@0@DABV10@@Z, __Hstd@@YA_AV_$basic_string@DU_$char_traits@D@std@@V_$allocator@D@2@@0@PBDABV10@@Z, _substr@_$basic_string@DU_$char_traits@D@std@@V_$allocator@D@2@@std@@QBE_AV12@II@Z, __0runtime_error@std@@QAE@ABV01@@Z, __1runtime_error@std@@UAE@XZ, ___7runtime_error@std@@6B@, __0_$basic_string@GU_$char_traits@G@std@@V_$allocator@G@2@@std@@QAE@PBGABV_$allocator@G@1@@Z, __0_$basic_string@GU_$char_traits@G@std@@V_$allocator@G@2@@std@@QAE@ABV_$allocator@G@1@@Z, _replace@_$basic_string@GU_$char_traits@G@std@@V_$allocator@G@2@@std@@QAEAAV12@IIABV12@II@Z, _replace@_$basic_string@GU_$char_traits@G@std@@V_$allocator@G@2@@std@@QAEAAV12@IIABV12@@Z, __8std@@YA_NPBGABV_$basic_string@GU_$char_traits@G@std@@V_$allocator@G@2@@0@@Z, __Hstd@@YA_AV_$basic_string@DU_$char_traits@D@std@@V_$allocator@D@2@@0@ABV10@PBD@Z, __Hstd@@YA_AV_$basic_string@DU_$char_traits@D@std@@V_$allocator@D@2@@0@ABV10@0@Z, _find@_$basic_string@DU_$char_traits@D@std@@V_$allocator@D@2@@std@@QBEIPBDII@Z, _assign@_$char_traits@G@std@@SAXAAGABG@Z, __Nullstr@_$basic_string@GU_$char_traits@G@std@@V_$allocator@G@2@@std@@CAPBGXZ, _copy@_$char_traits@G@std@@SAPAGPAGPBGI@Z, _capacity@_$basic_string@GU_$char_traits@G@std@@V_$allocator@G@2@@std@@QBEIXZ, _c_str@_$basic_string@GU_$char_traits@G@std@@V_$allocator@G@2@@std@@QBEPBGXZ, _size@_$basic_string@GU_$char_traits@G@std@@V_$allocator@G@2@@std@@QBEIXZ, __0out_of_range@std@@QAE@ABV_$basic_string@DU_$char_traits@D@std@@V_$allocator@D@2@@1@@Z, __0_$basic_string@DU_$char_traits@D@std@@V_$allocator@D@2@@std@@QAE@PBDABV_$allocator@D@1@@Z, __0logic_error@std@@QAE@ABV_$basic_string@DU_$char_traits@D@std@@V_$allocator@D@2@@1@@Z, __0_$basic_string@DU_$char_traits@D@std@@V_$allocator@D@2@@std@@QAE@ABV01@@Z, ___D_$basic_ofstream@GU_$char_traits@G@std@@@std@@QAEXXZ, __1_$basic_ostream@GU_$char_traits@G@std@@@std@@UAE@XZ, ___D_$basic_ifstream@GU_$char_traits@G@std@@@std@@QAEXXZ, __1_$basic_istream@GU_$char_traits@G@std@@@std@@UAE@XZ, __1_$basic_streambuf@GU_$char_traits@G@std@@@std@@UAE@XZ, __1locale@std@@QAE@XZ, __Init@_$basic_filebuf@GU_$char_traits@G@std@@@std@@IAEXPAU_iobuf@@W4_Initfl@12@@Z, ___7_$basic_filebuf@GU_$char_traits@G@std@@@std@@6B@, __6std@@YAAAV_$basic_ostream@GU_$char_traits@G@std@@@0@AAV10@PBG@Z, __6std@@YAAAV_$basic_ostream@GU_$char_traits@G@std@@@0@AAV10@ABV_$basic_string@GU_$char_traits@G@std@@V_$allocator@G@2@@0@@Z, ___7_$basic_ostream@GU_$char_traits@G@std@@@std@@6B@, _clear@_$basic_ios@GU_$char_traits@G@std@@@std@@QAEXH_N@Z, ___7_$basic_ofstream@GU_$char_traits@G@std@@@std@@6B@, __0_$basic_ostream@GU_$char_traits@G@std@@@std@@QAE@PAV_$basic_streambuf@GU_$char_traits@G@std@@@1@_N1@Z, ___8_$basic_ofstream@GU_$char_traits@G@std@@@std@@7B@, __1_$basic_ios@GU_$char_traits@G@std@@@std@@UAE@XZ, ___7_$basic_istream@GU_$char_traits@G@std@@@std@@6B@, __1_$basic_filebuf@GU_$char_traits@G@std@@@std@@UAE@XZ, _getline@std@@YAAAV_$basic_istream@GU_$char_traits@G@std@@@1@AAV21@AAV_$basic_string@GU_$char_traits@G@std@@V_$allocator@G@2@@1@@Z, _setstate@_$basic_ios@GU_$char_traits@G@std@@@std@@QAEXH_N@Z, _open@_$basic_filebuf@GU_$char_traits@G@std@@@std@@QAEPAV12@PBDH@Z, ___7_$basic_ifstream@GU_$char_traits@G@std@@@std@@6B@, __0_$basic_filebuf@GU_$char_traits@G@std@@@std@@QAE@PAU_iobuf@@@Z, __0_$basic_istream@GU_$char_traits@G@std@@@std@@QAE@PAV_$basic_streambuf@GU_$char_traits@G@std@@@1@_N@Z, ___7_$basic_ios@GU_$char_traits@G@std@@@std@@6B@, ___8_$basic_ifstream@GU_$char_traits@G@std@@@std@@7B@, _close@_$basic_filebuf@GU_$char_traits@G@std@@@std@@QAEPAV12@XZ, __1_$basic_ofstream@GU_$char_traits@G@std@@@std@@UAE@XZ, _getline@std@@YAAAV_$basic_istream@DU_$char_traits@D@std@@@1@AAV21@AAV_$basic_string@DU_$char_traits@D@std@@V_$allocator@D@2@@1@@Z, ___7_$basic_istream@DU_$char_traits@D@std@@@std@@6B@, __0Init@ios_base@std@@QAE@XZ, __1Init@ios_base@std@@QAE@XZ, __0_Winit@std@@QAE@XZ, __1_Winit@std@@QAE@XZ, _seekg@_$basic_istream@DU_$char_traits@D@std@@@std@@QAEAAV12@V_$fpos@H@2@@Z, __0runtime_error@std@@QAE@ABV_$basic_string@DU_$char_traits@D@std@@V_$allocator@D@2@@1@@Z, _tellg@_$basic_istream@DU_$char_traits@D@std@@@std@@QAE_AV_$fpos@H@2@XZ, _seekg@_$basic_istream@DU_$char_traits@D@std@@@std@@QAEAAV12@JW4seekdir@ios_base@2@@Z, _what@logic_error@std@@UBEPBDXZ, __Fpz@std@@3_JB, _read@_$basic_istream@DU_$char_traits@D@std@@@std@@QAEAAV12@PADH@Z, _max_size@_$basic_string@DU_$char_traits@D@std@@V_$allocator@D@2@@std@@QBEIXZ, _find@_$basic_string@GU_$char_traits@G@std@@V_$allocator@G@2@@std@@QBEIABV12@I@Z, __1_$basic_streambuf@DU_$char_traits@D@std@@@std@@UAE@XZ, ___D_$basic_ofstream@DU_$char_traits@D@std@@@std@@QAEXXZ, __1_$basic_ostream@DU_$char_traits@D@std@@@std@@UAE@XZ, ___7_$basic_streambuf@DU_$char_traits@D@std@@@std@@6B@, _close@_$basic_filebuf@DU_$char_traits@D@std@@@std@@QAEPAV12@XZ, ___7_$basic_filebuf@DU_$char_traits@D@std@@@std@@6B@, _write@_$basic_ostream@DU_$char_traits@D@std@@@std@@QAEAAV12@PBDH@Z, ___7_$basic_ostream@DU_$char_traits@D@std@@@std@@6B@, _clear@_$basic_ios@DU_$char_traits@D@std@@@std@@QAEXH_N@Z, ___7_$basic_ofstream@DU_$char_traits@D@std@@@std@@6B@, __0_$basic_ostream@DU_$char_traits@D@std@@@std@@QAE@PAV_$basic_streambuf@DU_$char_traits@D@std@@@1@_N1@Z, ___8_$basic_ofstream@DU_$char_traits@D@std@@@std@@7B@, __Hstd@@YA_AV_$basic_string@GU_$char_traits@G@std@@V_$allocator@G@2@@0@ABV10@G@Z
> msvcrt.dll: wcscpy, fwrite, _fdopen, _terminate@@YAXXZ, _except_handler3, __1type_info@@UAE@XZ, __CxxFrameHandler, strcpy, strlen, __2@YAPAXI@Z, wcslen, memcmp, swprintf, _purecall, time, __0exception@@QAE@ABV0@@Z, __1exception@@UAE@XZ, __0exception@@QAE@ABQBD@Z, _CxxThrowException, _ltow, _ultow, wcstol, _errno, wcstoul, atof, memmove, fclose, _wfopen, rand, _ftol, wcsftime, localtime, gmtime, __set_se_translator@@YAP6AXIPAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z, _beginthreadex, difftime, _wstat, memchr, isalnum, tolower, fopen, _snprintf, fprintf, fread, ftell, fseek, fputc, isalpha, isspace, strncmp, strchr, free, __dllonexit, _onexit, _initterm, malloc, _adjust_fdiv
> ole32.dll: CoUnmarshalInterface, CoMarshalInterThreadInterfaceInStream
> oleaut32.dll: -, -, -, -, -
> user32.dll: ShowWindow, IsWindow

( 1 exports )

> DllCanUnloadNow, DllGetClassObject, DllRegisterServer, DllUnregisterServer
TrID : File type identification
Win32 Executable Generic (42.3%)
Win32 Dynamic Link Library (generic) (37.6%)
Generic Win/DOS Executable (9.9%)
DOS Executable Generic (9.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
ssdeep: 24576:yQkgBZhASeCPo6tJpdMpVtS48LB0708pVfIjekTWD2rsejyuiaeEYL1:KCOIB0IVfTiaHeEYL1
PEiD : -
RDS : NSRL Reference Data Set
-

pokud jste tak jeste neucinil, presunte Combofix na plochu

otevrete si Poznamkovy blok

do nej zkopirujte skript z nasledujiciho okna:

Kód: Vybrat vše

File::
c:\windows\system32\IzXQVKT.dll

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{bce834d2-a5a0-3f7c-8182-7d6c43472043}]

ulozte vami vytvoreny textovy soubor jako CFScript.txt na plochu

po ulozeni uchopte vami vytvoreny skript levym tlacitkem mysi a presunte jej nad ikonu Combofixu, nad niz skript upustte:

Obrázek

po aplikaci by na vas mel vybafnout dalsi log, vlozte jej sem

Upozorneni: je mozne, ze po aplikaci skriptu a restartu nenabehnou Windows, v takovem pripade znovu restartujte, po restartu mackejte F8 a zvolte Posledni znamou fukncni konfiguraci

Po aplikaci vaší úpravy registrů:

ComboFix 10-02-05.01 - user 05.02.2010 19:50:44.4.1 - x86
Systém Microsoft Windows XP Professional 5.1.2600.3.1250.420.1029.18.1983.1535 [GMT 1:00]
Spuštěný z: c:\documents and settings\user\Plocha\ComboFix.exe
Použité ovládací přepínače :: c:\documents and settings\user\Plocha\CFScript.txt
AV: ESET NOD32 Antivirus 4.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

FILE ::
"c:\windows\system32\IzXQVKT.dll"
.

((((((((((((((((((((((((((((((((((((((( Ostatní výmazy )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\IzXQVKT.dll

.
((((((((((((((((((((((((( Soubory vytvořené od 2010-01-05 do 2010-02-05 )))))))))))))))))))))))))))))))
.

2010-02-04 16:35 . 2010-02-04 16:49 -------- d-----w- c:\program files\Windows Live Safety Center
2010-01-24 15:36 . 2010-02-02 17:42 118114 ----a-w- c:\windows\system32\e1-UPM1Hnuh-.exe
2010-01-24 15:36 . 2010-01-24 15:36 288828 ----a-w- c:\documents and settings\user\FLVDirect.exe
2010-01-24 11:02 . 2010-01-24 11:02 -------- d-----w- c:\program files\DVD Decrypter
2010-01-21 23:56 . 2010-01-21 23:56 -------- d-----w- c:\program files\Windows Live SkyDrive
2010-01-21 23:51 . 2010-01-21 23:51 -------- d-----w- c:\program files\Common Files\Windows Live
2010-01-21 23:51 . 2010-01-23 13:33 -------- d-----w- c:\program files\Microsoft Silverlight
2010-01-21 23:50 . 2010-01-21 23:56 -------- d-----w- c:\program files\Microsoft
2010-01-21 23:27 . 2006-06-29 12:07 14048 ------w- c:\windows\system32\spmsg2.dll
2010-01-13 10:03 . 2009-11-21 16:03 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-05 18:45 . 2002-09-23 12:00 90726 ----a-w- c:\windows\system32\perfc005.dat
2010-02-05 18:45 . 2002-09-23 12:00 458644 ----a-w- c:\windows\system32\perfh005.dat
2010-01-24 10:58 . 2009-11-28 19:10 -------- d-----w- c:\program files\Free Easy Burner
2010-01-14 10:12 . 2009-10-25 06:39 181120 ------w- c:\windows\system32\MpSigStub.exe
2010-01-03 15:36 . 2010-01-03 15:35 -------- d-----w- c:\program files\OpenOffice.org 3
2009-12-29 10:37 . 2009-12-28 21:27 -------- d-----w- c:\program files\Common Files\Ahead
2009-12-28 21:27 . 2009-12-28 21:27 -------- d-----w- c:\program files\Nero
2009-12-21 19:08 . 2002-09-23 12:00 916480 ------w- c:\windows\system32\wininet.dll
2009-12-17 17:58 . 2009-12-17 17:58 -------- d-----w- c:\program files\Common Files\Borland Shared
2009-12-17 17:58 . 2009-12-17 17:58 -------- d-----w- c:\program files\Borland
2009-12-09 17:31 . 2009-12-09 17:31 -------- d-----w- c:\program files\Microsoft.NET
2009-11-21 16:03 . 2002-09-23 12:00 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
.

((((((((((((((((((((((((((((( SnapShot@2010-02-04_21.08.18 )))))))))))))))))))))))))))))))))))))))))
.
- 2002-09-23 12:00 . 2010-02-04 16:26 71196 c:\windows\system32\perfc009.dat
+ 2002-09-23 12:00 . 2010-02-05 18:45 71196 c:\windows\system32\perfc009.dat
+ 2002-09-23 12:00 . 2010-02-05 18:45 441260 c:\windows\system32\perfh009.dat
- 2002-09-23 12:00 . 2010-02-04 16:26 441260 c:\windows\system32\perfh009.dat
.
(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2005-08-17 90112]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-02-06 2021400]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-03 866584]
"OrderReminder"="c:\program files\Hewlett-Packard\OrderReminder\OrderReminder.exe" [2004-12-14 98304]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Pinnacle\\Studio 12\\Programs\\RM.exe"=
"c:\\Program Files\\Pinnacle\\Studio 12\\Programs\\Studio.exe"=
"c:\\Program Files\\Pinnacle\\Studio 12\\Programs\\umi.exe"=

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [6.2.2009 13:23 106208]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [6.2.2009 13:24 93336]
R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [6.2.2009 13:23 727720]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [3.11.2006 19:19 13592]
R3 ULI5261XP;ULi M526X Ethernet NT Driver;c:\windows\system32\drivers\ULILAN51.SYS [24.10.2009 20:31 28672]
.
Obsah adresáře 'Naplánované úlohy'

2010-02-05 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 18:20]
.
.
------- Doplňkový sken -------
.
uStart Page = hxxp://www.ghorice.cz/
IE: E&xportovat do aplikace Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: E&xportovat do aplikace Microsoft Office Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: flvdirect.com\www
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\user\Data aplikací\Mozilla\Firefox\Profiles\w4bmamgw.default\
FF - prefs.js: browser.search.defaulturl - hxxp://flvdirect.iamwired.net/websearch.php?src=tops&search=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.ghorice.cz
FF - prefs.js: keyword.URL - hxxp://flvdirect.iamwired.net/websearch.php?src=tops&search=
FF - component: c:\program files\Mozilla Firefox\extensions\{2fc1f8b5-6143-b072-acdd-e87ad00c4e43}\components\_A0WKAyIzHB.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- NASTAVENÍ FIREFOXU ----
c:\program files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".cz");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-05 19:54
Windows 5.1.2600 Service Pack 3 NTFS

skenování skrytých procesů ...

skenování skrytých položek 'Po spuštění' ...

skenování skrytých souborů ...

sken byl úspešně dokončen
skryté soubory: 0

**************************************************************************
.
--------------------- Knihovny navázané na běžící procesy ---------------------

- - - - - - - > 'winlogon.exe'(728)
c:\windows\system32\Ati2evxx.dll
.
Celkový čas: 2010-02-05 19:55:35
ComboFix-quarantined-files.txt 2010-02-05 18:55
ComboFix2.txt 2010-02-04 21:09

Před spuštěním: 8 761 495 552
Po spuštění: 8 736 579 584

- - End Of File - - 0EA5AE7023FBE5736575C5FF3D4C2518

Už tam žádnou podivnost nevidím. Mělo by to být v pořádku.

Děkuji moc. Hezký večer
Jiří

Nezapomeňte ComboFix odinstalovat:
Start-Spustit-combofix /unistall

Rádo se stalo.
Také vám pěkný večer.

VIRY.CZ

Prosim o kontrolu vypisu z Combofix

Prosim o kontrolu vypisu z Combofix

Re: Prosim o kontrolu vypisu z Combofix

Re: Prosim o kontrolu vypisu z Combofix

Re: Prosim o kontrolu vypisu z Combofix

Re: Prosim o kontrolu vypisu z Combofix

Re: Prosim o kontrolu vypisu z Combofix

Re: Prosim o kontrolu vypisu z Combofix

Re: Prosim o kontrolu vypisu z Combofix