VIRY.CZ

Dobrý den,
chtěl bych poprpsit o pomoc. Na jednom našem PC se neustále objevují viry, přestože to pokaždé projedu antivirem vyčistím, ale oni se objevují stále znovu. Přikládám log z Ssitu a prosím o radu. Předem děkuji.
Cernto

Logfile of random's system information tool 1.06 (written by random/random)
Run by pospisilova at 2010-03-15 07:41:04
Systém Microsoft Windows XP Professional Service Pack 3
System drive C: has 64 GB (79%) free of 80 GB
Total RAM: 2010 MB (75% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:41:11, on 15.3.2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\AVG\AVG9\avgam.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\lg_fwupdate\fwupdate.exe
C:\Program Files\Babylon\Babylon-Pro\Babylon.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\pospisilova\Plocha\RSIT.exe
C:\Program Files\trend micro\pospisilova.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://flvdirect.iamwired.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
R3 - URLSearchHook: (no name) - *{fc600575-3013-4e8e-941c-4b00dafce730} - (no file)
F2 - REG:system.ini: Shell=
O2 - BHO: Podpora odkazu pro Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: flvdirect - {5625fd13-4240-16fb-af40-70b30bc97859} - C:\WINDOWS\system32\kukZ8LW_mFJE.dll
O2 - BHO: Babylon IE plugin - {9CFACCB6-2F3F-4177-94EA-0D2B72D384C1} - C:\Program Files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O2 - BHO: myBabylon English4 Toolbar - {fc600575-3013-4e8e-941c-4b00dafce730} - C:\Program Files\myBabylon_English4\tbmyB0.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O3 - Toolbar: myBabylon English4 Toolbar - {fc600575-3013-4e8e-941c-4b00dafce730} - C:\Program Files\myBabylon_English4\tbmyB0.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [LGODDFU] "C:\Program Files\lg_fwupdate\fwupdate.exe" blrun
O4 - HKLM\..\Run: [Microsoft(R) System Manager] C:\WINDOWS\system32\a5ca62.exe
O4 - HKLM\..\Run: [Babylon Client] C:\Program Files\Babylon\Babylon-Pro\Babylon.exe -AutoStart
O4 - HKLM\..\Run: [SyncMan] C:\WINDOWS\system32\SyncMan.exe
O4 - HKLM\..\Run: [Regedit32] C:\WINDOWS\system32\regedit.exe
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKCU\..\Run: [reader_s] C:\Documents and Settings\pospisilova.OHAVLOVA\reader_s.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SyncMan] C:\Documents and Settings\pospisilova\SyncMan.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O8 - Extra context menu item: E&xportovat do aplikace Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: E&xportovat do aplikace Microsoft Office Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Translate this web page with Babylon - res://C:\Program Files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/ActionTU.htm
O8 - Extra context menu item: Translate with Babylon - res://C:\Program Files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/Action.htm
O9 - Extra button: Zdroje informací - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Translate this web page with Babylon - {F72841F0-4EF1-4df5-BCE5-B3AC8ACF5478} - C:\Program Files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll
O9 - Extra 'Tools' menuitem: Translate this web page with Babylon - {F72841F0-4EF1-4df5-BCE5-B3AC8ACF5478} - C:\Program Files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.flvdirect.com
O15 - ESC Trusted Zone: http://www.flvdirect.com
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4301E7A7-EDE2-4F0F-AA15-E8DFB36CDFAB}: NameServer = 62.129.50.20,85.135.32.100
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O20 - Winlogon Notify: f_lock - f_lock.dll (file missing)
O23 - Service: AVG E-mail Scanner (avg9emc) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgemc.exe
O23 - Service: AVG WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

--
End of file - 7577 bytes

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
Podpora odkazu pro Adobe PDF Reader - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [2006-10-23 62080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}]
AVG Safe Search - C:\Program Files\AVG\AVG9\avgssie.dll [2010-03-12 1598744]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5625fd13-4240-16fb-af40-70b30bc97859}]
flvdirect - C:\WINDOWS\system32\kukZ8LW_mFJE.dll [2010-01-29 1241088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9CFACCB6-2F3F-4177-94EA-0D2B72D384C1}]
Babylon IE plugin - C:\Program Files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll [2010-02-03 252816]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
AVG Security Toolbar BHO - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll [2009-11-25 1230080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{fc600575-3013-4e8e-941c-4b00dafce730}]
myBabylon English4 Toolbar - C:\Program Files\myBabylon_English4\tbmyB0.dll [2010-03-03 2349080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - AVG Security Toolbar - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll [2009-11-25 1230080]
{fc600575-3013-4e8e-941c-4b00dafce730} - myBabylon English4 Toolbar - C:\Program Files\myBabylon_English4\tbmyB0.dll [2010-03-03 2349080]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"=C:\WINDOWS\RTHDCPL.EXE [2008-12-23 18077696]
"Alcmtr"=C:\WINDOWS\ALCMTR.EXE [2008-06-19 57344]
"IgfxTray"=C:\WINDOWS\system32\igfxtray.exe [2009-01-21 134656]
"HotKeysCmds"=C:\WINDOWS\system32\hkcmd.exe [2009-01-21 166912]
"Persistence"=C:\WINDOWS\system32\igfxpers.exe [2009-01-21 134656]
"NeroFilterCheck"=C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe [2008-07-14 570664]
"LGODDFU"=C:\Program Files\lg_fwupdate\fwupdate.exe [2009-12-03 557056]
"Microsoft(R) System Manager"=C:\WINDOWS\system32\a5ca62.exe []
"Babylon Client"=C:\Program Files\Babylon\Babylon-Pro\Babylon.exe [2010-02-03 3721104]
"SyncMan"=C:\WINDOWS\system32\SyncMan.exe []
"Regedit32"=C:\WINDOWS\system32\regedit.exe []
"AVG9_TRAY"=C:\PROGRA~1\AVG\AVG9\avgtray.exe [2010-03-12 2059544]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"reader_s"=C:\Documents and Settings\pospisilova.OHAVLOVA\reader_s.exe []
"swg"=C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe []
"MSMSGS"=C:\Program Files\Messenger\msmsgs.exe [2008-04-14 1695232]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-14 15360]
"SyncMan"=C:\Documents and Settings\pospisilova\SyncMan.exe []

C:\Documents and Settings\All Users\Nabídka Start\Programy\Po spuštění
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
Adobe Reader Synchronizer.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\avgrsstarter]
C:\WINDOWS\system32\avgrsstx.dll [2010-03-12 12464]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\f_lock]
f_lock.dll []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\WINDOWS\system32\igfxdev.dll [2009-01-21 205824]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2009-03-10 265096]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"notification packages"=scecli
wsetdtc.dll

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\AVG\AVG8\avgam.exe"="C:\Program Files\AVG\AVG8\avgam.exe:*:Enabled:avgam.exe"
"C:\Program Files\AVG\AVG8\avgdiag.exe"="C:\Program Files\AVG\AVG8\avgdiag.exe:*:Enabled:avgdiag.exe"
"C:\Program Files\AVG\AVG8\avgdiagex.exe"="C:\Program Files\AVG\AVG8\avgdiagex.exe:*:Enabled:avgdiagex.exe"
"C:\Program Files\AVG\AVG8\avgnsx.exe"="C:\Program Files\AVG\AVG8\avgnsx.exe:*:Enabled:avgnsx.exe"
"C:\Program Files\AVG\AVG8\avgemc.exe"="C:\Program Files\AVG\AVG8\avgemc.exe:*:Enabled:avgemc.exe"
"C:\Program Files\AVG\AVG8\avgupd.exe"="C:\Program Files\AVG\AVG8\avgupd.exe:*:Enabled:avgupd.exe"
"C:\WINDOWS\TEMP\gkst.tmp\svchost.exe"="C:\WINDOWS\TEMP\gkst.tmp\svchost.exe:*:Enabled:svchost"
"\??\C:\WINDOWS\system32\winlogon.exe"="\??\C:\WINDOWS\system32\winlogon.exe:*:Enabled:winlogon"
"C:\Program Files\AVG\AVG9\avgam.exe"="C:\Program Files\AVG\AVG9\avgam.exe:*:Enabled:avgam.exe"
"C:\Program Files\AVG\AVG9\avgdiagex.exe"="C:\Program Files\AVG\AVG9\avgdiagex.exe:*:Enabled:avgdiagex.exe"
"C:\Program Files\AVG\AVG9\avgemc.exe"="C:\Program Files\AVG\AVG9\avgemc.exe:*:Enabled:avgemc.exe"
"C:\Program Files\AVG\AVG9\avgupd.exe"="C:\Program Files\AVG\AVG9\avgupd.exe:*:Enabled:avgupd.exe"
"C:\Program Files\AVG\AVG9\avgnsx.exe"="C:\Program Files\AVG\AVG9\avgnsx.exe:*:Enabled:avgnsx.exe"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0c9a90b4-8b03-11de-894a-0016768a7146}]
shell\autorun\command - E:\cplebk.exe
shell\explore\command - E:\cplebk.exe
shell\open\command - E:\cplebk.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0e080106-7eaf-11db-b234-0016768a7146}]
shell\autorun\command - F:\zahrkw.exe
shell\explore\command - F:\zahrkw.exe
shell\open\command - F:\zahrkw.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3476343a-403a-11de-8920-0016768a7146}]
shell\autorun\command - E:\tcskdx.exe
shell\explore\command - E:\tcskdx.exe
shell\open\command - E:\tcskdx.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{54b48346-065a-11df-bb5b-001cc0e6f738}]
shell\AutoRun\command - O:\ozBPdf.eXe
shell\OPEn\command - O:\ozbpDf.Exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{58684ce7-019f-11df-bb57-001cc0e6f738}]
shell\AutoRun\command - O:\ozBPdf.eXe
shell\OPEn\command - O:\ozbpDf.Exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6e578949-50d0-11de-8930-0016768a7146}]
shell\autorun\command - E:\zahrkw.exe
shell\explore\command - E:\zahrkw.exe
shell\open\command - E:\zahrkw.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6fda4236-d409-11de-bb29-001cc0e6f738}]
shell\AutoRun\command - O:\wjcbrt.exe
shell\explore\command - O:\wjcbrt.exe
shell\open\command - O:\wjcbrt.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{824abcfe-347c-11de-890f-0016768a7146}]
shell\autorun\command - E:\kqaojd.exe
shell\explore\command - E:\kqaojd.exe
shell\open\command - E:\kqaojd.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{89c7edd0-04bf-11df-bb59-001cc0e6f738}]
shell\AutoRun\command - O:\ozBPdf.eXe
shell\OPEn\command - O:\ozbpDf.Exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{89c7edd8-04bf-11df-bb59-001cc0e6f738}]
shell\AutoRun\command - O:\ozBPdf.eXe
shell\OPEn\command - O:\ozbpDf.Exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8b3a23e3-40ff-11de-8922-0016768a7146}]
shell\autorun\command - ikuxwg.exe
shell\explore\command - ikuxwg.exe
shell\open\command - ikuxwg.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9816f23f-0f26-11df-bb64-001cc0e6f738}]
shell\AutoRun\command - E:\ozBPdf.eXe
shell\OPEn\command - E:\ozbpDf.Exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9a619b3e-0733-11df-bb5d-001cc0e6f738}]
shell\AutoRun\command - O:\ozBPdf.eXe
shell\OPEn\command - O:\ozbpDf.Exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9e72870a-c2f1-11de-bb1f-001cc0e6f738}]
shell\AutoRun\command - E:\HrPlNT.exE
shell\OpEn\command - E:\HRplNt.exE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b429c3d0-5da3-11db-b203-0016768a7146}]
shell\AutoRun\command - E:\yqlvle.exe
shell\explore\command - E:\yqlvle.exe
shell\open\command - E:\yqlvle.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bd1ecd61-d7f7-11de-bb2c-001cc0e6f738}]
shell\AutoRun\command - E:\OOvKMf.eXe
shell\OpEn\command - E:\oOvkmF.eXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f6d43dfb-0108-11df-bb56-001cc0e6f738}]
shell\AutoRun\command - SnZWro.eXe
shell\OPeN\command - SNzWro.exE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f7064756-d59f-11de-bb2b-001cc0e6f738}]
shell\AutoRun\command - O:\ozBPdf.eXe
shell\OPEn\command - O:\ozbpDf.Exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fd1c6d4a-33db-11de-91a3-0016768a7146}]
shell\autorun\command - E:\zahrkw.exe
shell\explore\command - E:\zahrkw.exe
shell\open\command - E:\zahrkw.exe

======List of files/folders created in the last 1 months======

2010-03-15 07:41:05 ----D---- C:\Program Files\trend micro
2010-03-15 07:41:04 ----D---- C:\rsit
2010-03-15 07:20:51 ----D---- C:\Documents and Settings\pospisilova\Data aplikací\AVGTOOLBAR
2010-03-15 07:20:51 ----D---- C:\Documents and Settings\pospisilova\Data aplikací\AVG8
2010-03-12 13:57:21 ----A---- C:\WINDOWS\system32\avgrsstx.dll
2010-03-12 13:43:03 ----HD---- C:\$AVG
2010-03-12 13:42:36 ----D---- C:\Documents and Settings\All Users\Data aplikací\avg9
2010-03-12 07:06:19 ----HDC---- C:\WINDOWS\$NtUninstallKB975561$
2010-03-04 07:16:34 ----HDC---- C:\WINDOWS\$NtUninstallKB977165-v2$
2010-03-02 07:59:00 ----A---- C:\WINDOWS\system32\svchost.bat
2010-03-02 07:01:59 ----HDC---- C:\WINDOWS\$NtUninstallKB979306$

======List of files/folders modified in the last 1 months======

2010-03-15 07:41:05 ----RD---- C:\Program Files
2010-03-15 07:40:18 ----D---- C:\WINDOWS\Temp
2010-03-15 07:40:18 ----D---- C:\Documents and Settings\All Users\Data aplikací\Babylon
2010-03-15 07:37:25 ----RSHDC---- C:\WINDOWS\system32\dllcache
2010-03-15 07:37:22 ----D---- C:\WINDOWS\Prefetch
2010-03-15 07:37:20 ----D---- C:\WINDOWS\system32\CatRoot2
2010-03-15 07:20:55 ----A---- C:\WINDOWS\lgfwup.ini
2010-03-15 07:03:02 ----D---- C:\WINDOWS\system32
2010-03-12 14:38:21 ----A---- C:\WINDOWS\SchedLgU.Txt
2010-03-12 13:57:32 ----D---- C:\WINDOWS\system32\drivers
2010-03-12 13:43:01 ----D---- C:\Program Files\AVG
2010-03-12 13:42:23 ----SHD---- C:\WINDOWS\Installer
2010-03-12 13:42:22 ----D---- C:\WINDOWS\WinSxS
2010-03-12 13:42:14 ----D---- C:\Program Files\Common Files\Microsoft Shared
2010-03-12 13:42:00 ----D---- C:\WINDOWS
2010-03-12 13:37:51 ----SHD---- C:\System Volume Information
2010-03-12 13:37:51 ----D---- C:\WINDOWS\system32\Restore
2010-03-12 11:31:53 ----D---- C:\Documents and Settings\All Users\Data aplikací\Microsoft Help
2010-03-12 07:06:24 ----HD---- C:\WINDOWS\inf
2010-03-12 07:06:21 ----D---- C:\Program Files\Movie Maker
2010-03-12 07:06:08 ----HD---- C:\WINDOWS\$hf_mig$
2010-03-05 13:40:40 ----D---- C:\Dokumenty
2010-03-04 07:16:41 ----A---- C:\WINDOWS\imsins.BAK
2010-03-03 12:43:40 ----D---- C:\Program Files\myBabylon_English4
2010-03-03 09:38:08 ----D---- C:\Program Files\lg_fwupdate
2010-03-02 08:32:05 ----SHD---- C:\WINDOWS\CSC
2010-03-02 06:30:12 ----A---- C:\WINDOWS\system32\MRT.exe
2010-02-19 07:05:13 ----D---- C:\Program Files\Microsoft Works
2010-02-18 08:00:26 ----D---- C:\Temp

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 AvgLdx86;AVG AVI Loader Driver x86; C:\WINDOWS\System32\Drivers\avgldx86.sys [2010-03-12 216200]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86; C:\WINDOWS\System32\Drivers\avgmfx86.sys [2010-03-12 29512]
R1 AvgTdiX;AVG8 Network Redirector; C:\WINDOWS\System32\Drivers\avgtdix.sys [2010-03-12 242696]
R1 intelppm;Řadič procesoru Intel; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-14 40192]
R3 HDAudBus;Ovladač Microsoft UAA pro sběrnici High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2008-04-14 144384]
R3 HidUsb;Ovladač třídy standardu HID; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-14 10368]
R3 ialm;ialm; C:\WINDOWS\system32\DRIVERS\igxpmp32.sys [2009-01-21 6278560]
R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\WINDOWS\system32\drivers\RtkHDAud.sys [2008-12-23 4967424]
R3 mouhid;Ovladač myši standardu HID; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-10-24 12160]
R3 RTLE8023xp;Realtek 10/100/1000 PCI-E NIC Family NDIS XP Driver; C:\WINDOWS\system32\DRIVERS\Rtenicxp.sys [2008-12-17 119552]
R3 usbehci;Ovladač miniportu rozšířeného radiče hostitele Microsoft USB 2.0; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-14 30208]
R3 usbhub;Rozbočovač umožnující USB2; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-14 59520]
R3 usbstor;Ovladač velkokapacitního paměťového zařízení USB; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-14 26368]
R3 usbuhci;Ovladač Microsoft univerzálního hostitelského řadiče USB od společnosti Microsoft; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-14 20608]
S3 usbscan;Ovladač skeneru USB; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-14 15104]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 avg9emc;AVG E-mail Scanner; C:\Program Files\AVG\AVG9\avgemc.exe [2010-03-12 916760]
R2 avg9wd;AVG WatchDog; C:\Program Files\AVG\AVG9\avgwdsvc.exe [2010-03-12 308064]
R2 UMWdf;Windows User Mode Driver Framework; C:\WINDOWS\system32\wdfmgr.exe [2004-08-11 38912]
S3 NMIndexingService;NMIndexingService; C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe [2008-01-22 275752]
S3 odserv;Microsoft Office Diagnostics Service; C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE [2008-11-04 441712]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2006-10-26 145184]

-----------------EOF-----------------

Nastrkejte do počítače všechny USB klíče a udělejte toto:

stahnete a ulozte nejlepe na plochu ComboFix

pote spustte aplikaci pod uctem s administratorskym opravnenim

hned po startu se zobrazi obrazovka s licencnimi podminkami, pokracujte kliknutim na tlacitko Ano:

Obrázek

v klidu si postavte na kafe (cela akce trva cca. 5-10 minut, nekdy i dele - dle toho, o jak rychly stroj se jedna a kolika soubory se skener bude muset prodirat), behem skenu se nepokousejte spoustet zadne jine aplikace ani nic jineho

behem skenovani nepropadejte panice, vas stroj muze byt restartovan (predevsim pri prvni aplikaci skeneru)

upozorneni: pokud pouzivate antispyware s rezidentnim stitem, prepnete jeho rezidentni stit do Install Mode, pripadne jej po dobu skenu uplne deaktivujte, protoze dochazi pri skenu a vymazu pripadneho malware k nezadoucim kolizim s rezidentem antispyware

po restartu aplikace vytvori log, ulozeny na C:/Combofix.txt (pri opakovanem pouziti jsou logy oznaceny Combofix2.txt atd.), jeho obsah vlozte sem

Provedl jsem, přikládám log.

ComboFix 10-03-14.06 - Administrator 15.03.2010 12:31:10.1.2 - x86
Systém Microsoft Windows XP Professional 5.1.2600.3.1250.420.1029.18.2010.1613 [GMT 1:00]
Spuštěný z: c:\documents and settings\pospisilova\Plocha\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Ostatní výmazy )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Plocha\FLV Direct Player.lnk
c:\documents and settings\pospisilova\biodo.exe
c:\documents and settings\pospisilova\goeuto.exe
c:\documents and settings\pospisilova\oashdihasidhasuidhiasdhiashdiuasdhasd
c:\documents and settings\pospisilova\pjveow.exe
c:\program files\FLV Direct Player
c:\program files\FLV Direct Player\downloading.swf
c:\program files\FLV Direct Player\dskinliteu.dll
c:\program files\FLV Direct Player\FLVPlayer.exe
c:\program files\FLV Direct Player\player.dat
c:\program files\FLV Direct Player\preload.swf
c:\program files\FLV Direct Player\SkinDirectFLV\skin.xml
c:\program files\FLV Direct Player\SkinDirectFLV\skin\Button\button_default.bmp
c:\program files\FLV Direct Player\SkinDirectFLV\skin\Button\button_disable.bmp
c:\program files\FLV Direct Player\SkinDirectFLV\skin\Button\button_down.bmp
c:\program files\FLV Direct Player\SkinDirectFLV\skin\Button\button_hot.bmp
c:\program files\FLV Direct Player\SkinDirectFLV\skin\Button\button_normal.bmp
c:\program files\FLV Direct Player\SkinDirectFLV\skin\ComboBox\combobox_buttonDown.bmp
c:\program files\FLV Direct Player\SkinDirectFLV\skin\ComboBox\combobox_buttonHot.bmp
c:\program files\FLV Direct Player\SkinDirectFLV\skin\ComboBox\combobox_buttonNor.bmp
c:\program files\FLV Direct Player\SkinDirectFLV\skin\ComboBox\edit_back.bmp
c:\program files\FLV Direct Player\SkinDirectFLV\skin\Menu\menubg.bmp
c:\program files\FLV Direct Player\SkinDirectFLV\skin\Menu\menuItem_arrow.bmp
c:\program files\FLV Direct Player\SkinDirectFLV\skin\Menu\menuItem_check.bmp
c:\program files\FLV Direct Player\SkinDirectFLV\skin\Menu\menuitem_select.bmp
c:\program files\FLV Direct Player\SkinDirectFLV\skin\Menu\menuItem_seperator.bmp
c:\program files\FLV Direct Player\SkinDirectFLV\skin\SysButton\sys_close_down.bmp
c:\program files\FLV Direct Player\SkinDirectFLV\skin\SysButton\sys_close_hot.bmp
c:\program files\FLV Direct Player\SkinDirectFLV\skin\SysButton\sys_close_nor.bmp
c:\program files\FLV Direct Player\SkinDirectFLV\skin\SysButton\sys_max_down.bmp
c:\program files\FLV Direct Player\SkinDirectFLV\skin\SysButton\sys_max_hot.bmp
c:\program files\FLV Direct Player\SkinDirectFLV\skin\SysButton\sys_max_nor.bmp
c:\program files\FLV Direct Player\SkinDirectFLV\skin\SysButton\sys_min_down.bmp
c:\program files\FLV Direct Player\SkinDirectFLV\skin\SysButton\sys_min_hot.bmp
c:\program files\FLV Direct Player\SkinDirectFLV\skin\SysButton\sys_min_nor.bmp
c:\program files\FLV Direct Player\SkinDirectFLV\skin\SysButton\sys_restore_down.bmp
c:\program files\FLV Direct Player\SkinDirectFLV\skin\SysButton\sys_restore_hot.bmp
c:\program files\FLV Direct Player\SkinDirectFLV\skin\SysButton\sys_restore_nor.bmp
c:\program files\FLV Direct Player\SkinDirectFLV\skin\Window\BottomBorder.bmp
c:\program files\FLV Direct Player\SkinDirectFLV\skin\Window\downarrow.bmp
c:\program files\FLV Direct Player\SkinDirectFLV\skin\Window\LeftBorder.bmp
c:\program files\FLV Direct Player\SkinDirectFLV\skin\Window\Logo.bmp
c:\program files\FLV Direct Player\SkinDirectFLV\skin\Window\main.ico
c:\program files\FLV Direct Player\SkinDirectFLV\skin\Window\RightBorder.bmp
c:\program files\FLV Direct Player\SkinDirectFLV\skin\Window\TitlePattern.bmp
c:\program files\FLV Direct Player\uninstall.exe
c:\recycler\S-1-5-21-0243936033-3052116371-381863308-1811
c:\recycler\S-1-5-21-1117510159-6537730022-828093388-5715
c:\windows\system32\AutoRun.inf
c:\windows\system32\msvcrt2.dll
c:\windows\system32\VB6KO.DLL

Nakažená kopie c:\windows\system32\DRIVERS\atapi.sys byla nalezena a vyléčena.
Obnovena kopie z - Kitty ate it :p
c:\windows\system32\drivers\cdrom.sys . . . chybí !!

.
((((((((((((((((((((((((( Soubory vytvořené od 2010-02-15 do 2010-03-15 )))))))))))))))))))))))))))))))
.

2010-03-15 06:41 . 2010-03-15 06:41 -------- d-----w- c:\program files\trend micro
2010-03-15 06:41 . 2010-03-15 06:41 -------- d-----w- C:\rsit
2010-03-12 12:57 . 2010-03-12 12:57 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-03-12 12:43 . 2010-03-12 13:01 -------- d-----w- C:\$AVG
2010-03-02 06:59 . 2010-03-02 06:59 137 ----a-w- c:\windows\system32\svchost.bat

.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-15 11:21 . 2010-03-15 11:21 3362816 ---ha-w- c:\documents and settings\pospisilova\ntuser.tmp
2010-03-15 06:37 . 2008-04-14 12:00 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-03-12 12:57 . 2009-10-27 12:53 242696 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-03-12 12:57 . 2009-10-27 12:53 29512 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-03-12 12:56 . 2009-10-27 12:53 52872 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2010-03-12 12:56 . 2009-10-27 12:53 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-03-12 12:43 . 2009-10-27 12:53 -------- d-----w- c:\program files\AVG
2010-03-03 11:43 . 2010-02-03 06:38 -------- d-----w- c:\program files\myBabylon_English4
2010-03-03 08:38 . 2009-10-26 09:50 -------- d-----w- c:\program files\lg_fwupdate
2010-02-19 06:05 . 2010-02-09 14:08 -------- d-----w- c:\program files\Microsoft Works
2010-02-03 06:39 . 2010-02-03 06:39 118260 ----a-w- c:\windows\system32\Dsj8V6LJ-J-u.exe
2010-02-03 06:38 . 2010-02-03 06:38 -------- d-----w- c:\program files\Conduit
2010-02-03 06:38 . 2010-02-03 06:38 -------- d-----w- c:\program files\Babylon
2010-02-03 06:38 . 2010-02-03 06:38 307840 ----a-w- c:\documents and settings\pospisilova\FLVDirect.exe
2010-01-29 00:25 . 2010-01-29 00:25 1241088 ----a-w- c:\windows\system32\kukZ8LW_mFJE.dll
2009-12-31 16:50 . 2008-04-14 12:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-21 19:08 . 2008-04-14 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2009-12-17 07:42 . 2009-10-26 09:09 343552 ----a-w- c:\windows\system32\mspaint.exe
.

(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5625fd13-4240-16fb-af40-70b30bc97859}]
2010-01-29 00:25 1241088 ----a-w- c:\windows\system32\kukZ8LW_mFJE.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-11-25 12:02 1230080 ----a-w- c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{fc600575-3013-4e8e-941c-4b00dafce730}]
2010-03-03 11:43 2349080 ----a-w- c:\program files\myBabylon_English4\tbmyB0.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]
"{fc600575-3013-4e8e-941c-4b00dafce730}"= "c:\program files\myBabylon_English4\tbmyB0.dll" [2010-03-03 2349080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CLASSES_ROOT\clsid\{fc600575-3013-4e8e-941c-4b00dafce730}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2008-12-23 18077696]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-01-21 134656]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-01-21 166912]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-01-21 134656]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2008-07-14 570664]
"LGODDFU"="c:\program files\lg_fwupdate\fwupdate.exe" [2009-12-03 557056]
"Babylon Client"="c:\program files\Babylon\Babylon-Pro\Babylon.exe" [2010-02-03 3721104]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Nabˇdka Start\Programy\Po spuçtŘnˇ\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-23 40048]
Adobe Reader Synchronizer.lnk - c:\program files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-23 734872]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-03-12 12:57 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgam.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [27.10.2009 13:53 52872]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [27.10.2009 13:53 216200]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [27.10.2009 13:53 242696]
R2 avg9emc;AVG E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [12.3.2010 13:56 916760]
R2 avg9wd;AVG WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [12.3.2010 13:57 308064]
S0 cwyis;cwyis; [x]
S0 kqlhuqz;kqlhuqz; [x]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9e72870a-c2f1-11de-bb1f-001cc0e6f738}]
\SHELl\AutoRun\command - E:\HrPlNT.exE
\SHELl\OpEn\cOMMAnd - E:\HRplNt.exE
.
.
------- Doplňkový sken -------
.
IE: E&xportovat do aplikace Microsoft Office Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Translate this web page with Babylon - c:\program files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/ActionTU.htm
IE: Translate with Babylon - c:\program files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/Action.htm
IE: {{F72841F0-4EF1-4df5-BCE5-B3AC8ACF5478} - res://c:\program files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/ActionTU.htm
TCP: {4301E7A7-EDE2-4F0F-AA15-E8DFB36CDFAB} = 62.129.50.20,85.135.32.100
.
- - - - NEPLATNÉ POLOŽKY ODSTRANĚNÉ Z REGISTRU - - - -

HKLM-Run-Microsoft(R) System Manager - c:\windows\system32\a5ca62.exe
HKLM-Run-SyncMan - c:\windows\system32\SyncMan.exe
Notify-f_lock - f_lock.dll

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-15 12:35
Windows 5.1.2600 Service Pack 3 NTFS

skenování skrytých procesů ...

skenování skrytých položek 'Po spuštění' ...

skenování skrytých souborů ...

sken byl úspešně dokončen
skryté soubory: 0

**************************************************************************
.
--------------------- ZAMKNUTÉ KLÍČE V REGISTRU ---------------------

[HKEY_USERS\S-1-5-21-1292428093-179605362-682003330-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,68,a2,d3,52,04,6e,fe,4d,aa,2c,72,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,68,a2,d3,52,04,6e,fe,4d,aa,2c,72,\
"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,45,e1,b3,a3,57,54,38,44,a3,15,ed,\
.
--------------------- Knihovny navázané na běžící procesy ---------------------

- - - - - - - > 'explorer.exe'(3336)
c:\program files\Babylon\Babylon-Pro\Captlib.dll
c:\windows\system32\webcheck.dll
.
------------------------ Jiné spuštené procesy ------------------------
.
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\windows\system32\wdfmgr.exe
c:\program files\AVG\AVG9\avgam.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\windows\RTHDCPL.EXE
c:\windows\system32\igfxsrvc.exe
.
**************************************************************************
.
Celkový čas: 2010-03-15 12:36:45 - počítač byl restartován
ComboFix-quarantined-files.txt 2010-03-15 11:36

Před spuštěním: Volných bajtů: 70 736 543 744
Po spuštění: Volných bajtů: 72 461 475 840

WindowsXP-KB310994-SP2-Pro-BootDisk-CSY.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 0097CD39AB8DC67ED052F1A604AE2044

Ještě bych chtěl podotknout, že ta paní co jí to PC patří používá 3 USB disky a když je skenuju tak se na nich objevuje virus Packed Autolt a objevuje se v souborech ozbpdf.exe a hwrkca.exe. Nevím co to jsou za soubory, na flashce je nikde nevidím a na inetu jsem taky nic k tomu nenašel. Díky za každou radu.
Cernto

pokud jste tak jeste neucinil, presunte Combofix na plochu

otevrete si Poznamkovy blok

do nej zkopirujte skript z nasledujiciho okna:

Kód: Vybrat vše

Driver::
cwyis
kqlhuqz

File::
c:\windows\system32\svchost.bat
c:\windows\system32\Dsj8V6LJ-J-u.exe
c:\windows\system32\kukZ8LW_mFJE.dll
E:\cplebk.exe
F:\zahrkw.exe
E:\tcskdx.exe
O:\ozBPdf.eXe
O:\ozbpDf.Exe
E:\zahrkw.exe
O:\wjcbrt.exe
E:\kqaojd.exe
E:\HrPlNT.exE
E:\yqlvle.exe
E:\OOvKMf.eXe
E:\oOvkmF.eXE

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fd1c6d4a-33db-11de-91a3-0016768a7146}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f7064756-d59f-11de-bb2b-001cc0e6f738}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f6d43dfb-0108-11df-bb56-001cc0e6f738}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bd1ecd61-d7f7-11de-bb2c-001cc0e6f738}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b429c3d0-5da3-11db-b203-0016768a7146}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9e72870a-c2f1-11de-bb1f-001cc0e6f738}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9a619b3e-0733-11df-bb5d-001cc0e6f738}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8b3a23e3-40ff-11de-8922-0016768a7146}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{89c7edd8-04bf-11df-bb59-001cc0e6f738}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{824abcfe-347c-11de-890f-0016768a7146}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6fda4236-d409-11de-bb29-001cc0e6f738}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6e578949-50d0-11de-8930-0016768a7146}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{58684ce7-019f-11df-bb57-001cc0e6f738}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{54b48346-065a-11df-bb5b-001cc0e6f738}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3476343a-403a-11de-8920-0016768a7146}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0e080106-7eaf-11db-b234-0016768a7146}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0c9a90b4-8b03-11de-894a-0016768a7146}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9e72870a-c2f1-11de-bb1f-001cc0e6f738}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{fc600575-3013-4e8e-941c-4b00dafce730}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5625fd13-4240-16fb-af40-70b30bc97859}]

ulozte vami vytvoreny textovy soubor jako CFScript.txt na plochu

po ulozeni uchopte vami vytvoreny skript levym tlacitkem mysi a presunte jej nad ikonu Combofixu, nad niz skript upustte:

Obrázek

po aplikaci by na vas mel vybafnout dalsi log, vlozte jej sem

Upozorneni: je mozne, ze po aplikaci skriptu a restartu nenabehnou Windows, v takovem pripade znovu restartujte, po restartu mackejte F8 a zvolte Posledni znamou fukncni konfiguraci

Toto dobře znáte?
c:\program files\myBabylon_English4

Provedl jsem, přikládám log.
Cernto

ComboFix 10-03-15.04 - pospisilova 16.03.2010 7:15.2.2 - x86
Systém Microsoft Windows XP Professional 5.1.2600.3.1250.420.1029.18.2010.1445 [GMT 1:00]
Spuštěný z: c:\documents and settings\pospisilova\Plocha\ComboFix.exe
Použité ovládací přepínače :: c:\documents and settings\pospisilova\Plocha\CFScript.txt

FILE ::
"c:\windows\system32\Dsj8V6LJ-J-u.exe"
"c:\windows\system32\kukZ8LW_mFJE.dll"
"c:\windows\system32\svchost.bat"
"E:\cplebk.exe"
"E:\HrPlNT.exE"
"E:\kqaojd.exe"
"E:\oOvkmF.eXE"
"E:\tcskdx.exe"
"E:\yqlvle.exe"
"E:\zahrkw.exe"
"F:\zahrkw.exe"
"O:\ozBPdf.eXe"
"O:\wjcbrt.exe"
.

((((((((((((((((((((((((((((((((((((((( Ostatní výmazy )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\pospisilova\biodo.exe
c:\documents and settings\pospisilova\goeuto.exe
c:\documents and settings\pospisilova\oashdihasidhasuidhiasdhiashdiuasdhasd
c:\documents and settings\pospisilova\pjveow.exe
c:\windows\system32\Dsj8V6LJ-J-u.exe
c:\windows\system32\kukZ8LW_mFJE.dll
c:\windows\system32\svchost.bat

c:\windows\system32\drivers\cdrom.sys . . . chybí !!

.
((((((((((((((((((((((((((((((((((((((( Ovladače/Služby )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_cwyis
-------\Service_kqlhuqz

((((((((((((((((((((((((( Soubory vytvořené od 2010-02-16 do 2010-03-16 )))))))))))))))))))))))))))))))
.

2010-03-15 06:41 . 2010-03-15 06:41 -------- d-----w- c:\program files\trend micro
2010-03-15 06:41 . 2010-03-15 06:41 -------- d-----w- C:\rsit
2010-03-12 12:57 . 2010-03-12 12:57 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-03-12 12:43 . 2010-03-12 13:01 -------- d-----w- C:\$AVG

.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-15 06:37 . 2008-04-14 12:00 96512 ------w- c:\windows\system32\drivers\atapi.sys
2010-03-12 12:57 . 2009-10-27 12:53 242696 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-03-12 12:57 . 2009-10-27 12:53 29512 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-03-12 12:56 . 2009-10-27 12:53 52872 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2010-03-12 12:56 . 2009-10-27 12:53 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-03-12 12:43 . 2009-10-27 12:53 -------- d-----w- c:\program files\AVG
2010-03-03 11:43 . 2010-02-03 06:38 -------- d-----w- c:\program files\myBabylon_English4
2010-03-03 08:38 . 2009-10-26 09:50 -------- d-----w- c:\program files\lg_fwupdate
2010-02-19 06:05 . 2010-02-09 14:08 -------- d-----w- c:\program files\Microsoft Works
2010-02-03 06:38 . 2010-02-03 06:38 -------- d-----w- c:\program files\Conduit
2010-02-03 06:38 . 2010-02-03 06:38 -------- d-----w- c:\program files\Babylon
2010-02-03 06:38 . 2010-02-03 06:38 307840 ----a-w- c:\documents and settings\pospisilova\FLVDirect.exe
2009-12-31 16:50 . 2008-04-14 12:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-21 19:08 . 2008-04-14 12:00 916480 ------w- c:\windows\system32\wininet.dll
2009-12-17 07:42 . 2009-10-26 09:09 343552 ----a-w- c:\windows\system32\mspaint.exe
.

(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-11-25 12:02 1230080 ----a-w- c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2008-12-23 18077696]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-01-21 134656]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-01-21 166912]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-01-21 134656]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2008-07-14 570664]
"LGODDFU"="c:\program files\lg_fwupdate\fwupdate.exe" [2009-12-03 557056]
"Babylon Client"="c:\program files\Babylon\Babylon-Pro\Babylon.exe" [2010-02-03 3721104]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Nabˇdka Start\Programy\Po spuçtŘnˇ\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-23 40048]
Adobe Reader Synchronizer.lnk - c:\program files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-23 734872]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-03-12 12:57 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgam.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [27.10.2009 13:53 52872]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [27.10.2009 13:53 216200]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [27.10.2009 13:53 242696]
R2 avg9emc;AVG E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [12.3.2010 13:56 916760]
R2 avg9wd;AVG WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [12.3.2010 13:57 308064]
.
.
------- Doplňkový sken -------
.
IE: E&xportovat do aplikace Microsoft Office Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Translate this web page with Babylon - c:\program files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/ActionTU.htm
IE: Translate with Babylon - c:\program files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/Action.htm
IE: {{F72841F0-4EF1-4df5-BCE5-B3AC8ACF5478} - res://c:\program files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/ActionTU.htm
TCP: {4301E7A7-EDE2-4F0F-AA15-E8DFB36CDFAB} = 62.129.50.20,85.135.32.100
.
- - - - NEPLATNÉ POLOŽKY ODSTRANĚNÉ Z REGISTRU - - - -

AddRemove-Dsj8V6LJ-J-u - c:\windows\system32\Dsj8V6LJ-J-u.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-16 07:21
Windows 5.1.2600 Service Pack 3 NTFS

skenování skrytých procesů ...

skenování skrytých položek 'Po spuštění' ...

skenování skrytých souborů ...

sken byl úspešně dokončen
skryté soubory: 0

**************************************************************************
.
--------------------- ZAMKNUTÉ KLÍČE V REGISTRU ---------------------

[HKEY_USERS\S-1-5-21-1292428093-179605362-682003330-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,68,a2,d3,52,04,6e,fe,4d,aa,2c,72,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,68,a2,d3,52,04,6e,fe,4d,aa,2c,72,\
"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,45,e1,b3,a3,57,54,38,44,a3,15,ed,\
.
--------------------- Knihovny navázané na běžící procesy ---------------------

- - - - - - - > 'explorer.exe'(2888)
c:\program files\Babylon\Babylon-Pro\Captlib.dll
c:\windows\system32\webcheck.dll
.
------------------------ Jiné spuštené procesy ------------------------
.
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\windows\system32\wdfmgr.exe
c:\program files\AVG\AVG9\avgam.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\windows\RTHDCPL.EXE
c:\windows\system32\igfxsrvc.exe
.
**************************************************************************
.
Celkový čas: 2010-03-16 07:23:05 - počítač byl restartován
ComboFix-quarantined-files.txt 2010-03-16 06:23
ComboFix2.txt 2010-03-15 11:36

Před spuštěním: Volných bajtů: 72 454 426 624
Po spuštění: Volných bajtů: 72 418 115 584

- - End Of File - - 82C32E214EE19F379DA9999FF2FEBB3B

Paráda!

Pokud se mi to povede, stáhněte si soubor, který posílám, rozbalte ho a uložte si ho na Plochu.

Potom udělejte nový script pro ComboFix. Do Poznámkového bloku zkopírujte:

Kód: Vybrat vše

FCopy::
c:\documents and settings\pospisilova\Plocha\cdrom.sys | c:\windows\system32\drivers\cdrom.sys

Opět přesuňte nad iconu ComboFixu a ComboFix se zase spustí. Následný log sem vložte a popište chování počítače.

Provedl jsem a přikládám log. Nevšiml jsem si nějakého zvláštního chování při běhu Comba. Akurát se mi PC před vytvořením logu nerestartovalo, jako v předchozích připádech.
Cernto

ComboFix 10-03-16.05 - Administrator 17.03.2010 13:40:00.3.2 - x86
Systém Microsoft Windows XP Professional 5.1.2600.3.1250.420.1029.18.2010.1433 [GMT 1:00]
Spuštěný z: c:\documents and settings\Administrator\Plocha\ComboFix.exe
Použité ovládací přepínače :: c:\documents and settings\Administrator\Plocha\CFScript.txt
.

((((((((((((((((((((((((((((((((((((((( Ostatní výmazy )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\cdrom.sys . . . chybí !!

.
((((((((((((((((((((((((( Soubory vytvořené od 2010-02-17 do 2010-03-17 )))))))))))))))))))))))))))))))
.

2010-03-15 06:41 . 2010-03-15 06:41 -------- d-----w- c:\program files\trend micro
2010-03-15 06:41 . 2010-03-15 06:41 -------- d-----w- C:\rsit
2010-03-12 12:57 . 2010-03-12 12:57 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-03-12 12:43 . 2010-03-12 13:01 -------- d-----w- C:\$AVG

.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-15 06:37 . 2008-04-14 12:00 96512 ------w- c:\windows\system32\drivers\atapi.sys
2010-03-12 12:57 . 2009-10-27 12:53 242696 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-03-12 12:57 . 2009-10-27 12:53 29512 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-03-12 12:56 . 2009-10-27 12:53 52872 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2010-03-12 12:56 . 2009-10-27 12:53 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-03-12 12:43 . 2009-10-27 12:53 -------- d-----w- c:\program files\AVG
2010-03-03 11:43 . 2010-02-03 06:38 -------- d-----w- c:\program files\myBabylon_English4
2010-03-03 08:38 . 2009-10-26 09:50 -------- d-----w- c:\program files\lg_fwupdate
2010-02-19 06:05 . 2010-02-09 14:08 -------- d-----w- c:\program files\Microsoft Works
2010-02-03 06:38 . 2010-02-03 06:38 -------- d-----w- c:\program files\Conduit
2010-02-03 06:38 . 2010-02-03 06:38 -------- d-----w- c:\program files\Babylon
2010-02-03 06:38 . 2010-02-03 06:38 307840 ----a-w- c:\documents and settings\pospisilova\FLVDirect.exe
2009-12-31 16:50 . 2008-04-14 12:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-21 19:08 . 2008-04-14 12:00 916480 ------w- c:\windows\system32\wininet.dll
.

(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-02-23 1664256]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2010-02-23 13:04 1664256 ----a-w- c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-02-23 1664256]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-02-23 1664256]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2008-12-23 18077696]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-01-21 134656]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-01-21 166912]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-01-21 134656]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2008-07-14 570664]
"LGODDFU"="c:\program files\lg_fwupdate\fwupdate.exe" [2009-12-03 557056]
"Babylon Client"="c:\program files\Babylon\Babylon-Pro\Babylon.exe" [2010-02-03 3721104]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Nabˇdka Start\Programy\Po spuçtŘnˇ\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-23 40048]
Adobe Reader Synchronizer.lnk - c:\program files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-23 734872]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-03-12 12:57 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgam.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [27.10.2009 13:53 52872]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [27.10.2009 13:53 216200]
R1 AvgTdiX;AVG Network Redirector;c:\windows\system32\drivers\avgtdix.sys [27.10.2009 13:53 242696]
R2 avg9emc;AVG E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [12.3.2010 13:56 916760]
R2 avg9wd;AVG WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [12.3.2010 13:57 308064]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\AVG\AVG9\Toolbar\ToolbarBroker.exe [16.3.2010 8:01 369920]
.
.
------- Doplňkový sken -------
.
IE: E&xportovat do aplikace Microsoft Office Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Translate this web page with Babylon - c:\program files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/ActionTU.htm
IE: Translate with Babylon - c:\program files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/Action.htm
IE: {{F72841F0-4EF1-4df5-BCE5-B3AC8ACF5478} - res://c:\program files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/ActionTU.htm
TCP: {4301E7A7-EDE2-4F0F-AA15-E8DFB36CDFAB} = 62.129.50.20,85.135.32.100
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-17 13:41
Windows 5.1.2600 Service Pack 3 NTFS

skenování skrytých procesů ...

skenování skrytých položek 'Po spuštění' ...

skenování skrytých souborů ...

sken byl úspešně dokončen
skryté soubory: 0

**************************************************************************
.
--------------------- ZAMKNUTÉ KLÍČE V REGISTRU ---------------------

[HKEY_USERS\S-1-5-21-1292428093-179605362-682003330-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,68,a2,d3,52,04,6e,fe,4d,aa,2c,72,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,68,a2,d3,52,04,6e,fe,4d,aa,2c,72,\
"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,45,e1,b3,a3,57,54,38,44,a3,15,ed,\
.
--------------------- Knihovny navázané na běžící procesy ---------------------

- - - - - - - > 'explorer.exe'(3396)
c:\windows\system32\webcheck.dll
.
Celkový čas: 2010-03-17 13:42:33
ComboFix-quarantined-files.txt 2010-03-17 12:42
ComboFix2.txt 2010-03-16 06:23
ComboFix3.txt 2010-03-15 11:36

Před spuštěním: Volných bajtů: 72 248 500 224
Po spuštění: Volných bajtů: 72 228 184 064

- - End Of File - - 54E4EB9E2BF51737016FCFDD063EE8C1

Edo promiň

Stáhni "System Look" - http://jpshortstuff.247fixes.com/SystemLook.exe
Spusť jej a do okna zkopíruj

Kód: Vybrat vše

:filefind
cdrom.sys

Klik na Look a po scanu sem zkopíruj výsledek hledání

Provedl jsem, přikládám log.
Cernto

SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 08:02 on 18/03/2010 by Administrator (Administrator - Elevation successful)

========== filefind ==========

Searching for "cdrom.sys"
C:\Documents and Settings\Administrator\Plocha\cdrom.sys --a--- 62976 bytes [12:37 17/03/2010] [18:40 13/04/2008] 1F4260CC5B42272D71F79E570A27A4FE
C:\Documents and Settings\Administrator\Plocha\cdrom\cdrom.sys --a--- 62976 bytes [18:40 13/04/2008] [18:40 13/04/2008] 1F4260CC5B42272D71F79E570A27A4FE

-=End Of File=-

Nový CFscript

Kód: Vybrat vše

FCopy::
C:\Documents and Settings\Administrator\Plocha\cdrom.sys | c:\windows\system32\drivers\cdrom.sys
C:\Documents and Settings\Administrator\Plocha\cdrom.sys | C:\windows\system32\dllcache\cdrom.sys

Provedl jsem, přikládám log.
Cernto

ComboFix 10-03-18.01 - Administrator 19.03.2010 8:16.4.2 - x86
Systém Microsoft Windows XP Professional 5.1.2600.3.1250.420.1029.18.2010.1434 [GMT 1:00]
Spuštěný z: c:\documents and settings\Administrator\Plocha\ComboFix.exe
Použité ovládací přepínače :: c:\documents and settings\Administrator\Plocha\CFScript.txt
.

((((((((((((((((((((((((((((((((((((((( Ostatní výmazy )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
--------------- FCopy ---------------

c:\documents and settings\Administrator\Plocha\cdrom.sys --> c:\windows\system32\drivers\cdrom.sys
c:\documents and settings\Administrator\Plocha\cdrom.sys --> c:\windows\system32\dllcache\cdrom.sys
.
((((((((((((((((((((((((( Soubory vytvořené od 2010-02-19 do 2010-03-19 )))))))))))))))))))))))))))))))
.

2010-03-19 07:16 . 2008-04-13 18:40 62976 -c--a-w- c:\windows\system32\dllcache\cdrom.sys
2010-03-19 07:16 . 2008-04-13 18:40 62976 ----a-w- c:\windows\system32\drivers\cdrom.sys
2010-03-15 06:41 . 2010-03-15 06:41 -------- d-----w- c:\program files\trend micro
2010-03-15 06:41 . 2010-03-15 06:41 -------- d-----w- C:\rsit
2010-03-12 12:57 . 2010-03-12 12:57 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-03-12 12:43 . 2010-03-12 13:01 -------- d-----w- C:\$AVG

.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-15 06:37 . 2008-04-14 12:00 96512 ------w- c:\windows\system32\drivers\atapi.sys
2010-03-12 12:57 . 2009-10-27 12:53 242696 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-03-12 12:57 . 2009-10-27 12:53 29512 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-03-12 12:56 . 2009-10-27 12:53 52872 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2010-03-12 12:56 . 2009-10-27 12:53 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-03-12 12:43 . 2009-10-27 12:53 -------- d-----w- c:\program files\AVG
2010-03-03 11:43 . 2010-02-03 06:38 -------- d-----w- c:\program files\myBabylon_English4
2010-03-03 08:38 . 2009-10-26 09:50 -------- d-----w- c:\program files\lg_fwupdate
2010-02-19 06:05 . 2010-02-09 14:08 -------- d-----w- c:\program files\Microsoft Works
2010-02-03 06:38 . 2010-02-03 06:38 -------- d-----w- c:\program files\Conduit
2010-02-03 06:38 . 2010-02-03 06:38 -------- d-----w- c:\program files\Babylon
2010-02-03 06:38 . 2010-02-03 06:38 307840 ----a-w- c:\documents and settings\pospisilova\FLVDirect.exe
2009-12-31 16:50 . 2008-04-14 12:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-21 19:08 . 2008-04-14 12:00 916480 ------w- c:\windows\system32\wininet.dll
.

(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-02-23 1664256]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2010-02-23 13:04 1664256 ----a-w- c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-02-23 1664256]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-02-23 1664256]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2008-12-23 18077696]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-01-21 134656]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-01-21 166912]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-01-21 134656]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2008-07-14 570664]
"LGODDFU"="c:\program files\lg_fwupdate\fwupdate.exe" [2009-12-03 557056]
"Babylon Client"="c:\program files\Babylon\Babylon-Pro\Babylon.exe" [2010-02-03 3721104]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Nabˇdka Start\Programy\Po spuçtŘnˇ\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-23 40048]
Adobe Reader Synchronizer.lnk - c:\program files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-23 734872]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-03-12 12:57 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgam.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [27.10.2009 13:53 52872]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [27.10.2009 13:53 216200]
R1 AvgTdiX;AVG Network Redirector;c:\windows\system32\drivers\avgtdix.sys [27.10.2009 13:53 242696]
R2 avg9emc;AVG E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [12.3.2010 13:56 916760]
R2 avg9wd;AVG WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [12.3.2010 13:57 308064]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\AVG\AVG9\Toolbar\ToolbarBroker.exe [16.3.2010 8:01 369920]
.
.
------- Doplňkový sken -------
.
IE: E&xportovat do aplikace Microsoft Office Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Translate this web page with Babylon - c:\program files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/ActionTU.htm
IE: Translate with Babylon - c:\program files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/Action.htm
IE: {{F72841F0-4EF1-4df5-BCE5-B3AC8ACF5478} - res://c:\program files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/ActionTU.htm
TCP: {4301E7A7-EDE2-4F0F-AA15-E8DFB36CDFAB} = 62.129.50.20,85.135.32.100
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll
.

**************************************************************************
skenování skrytých procesů ...

skenování skrytých položek 'Po spuštění' ...

skenování skrytých souborů ...

sken byl úspešně dokončen
skryté soubory:

**************************************************************************
.
--------------------- ZAMKNUTÉ KLÍČE V REGISTRU ---------------------

[HKEY_USERS\S-1-5-21-1292428093-179605362-682003330-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,68,a2,d3,52,04,6e,fe,4d,aa,2c,72,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,68,a2,d3,52,04,6e,fe,4d,aa,2c,72,\
"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,45,e1,b3,a3,57,54,38,44,a3,15,ed,\
.
--------------------- Knihovny navázané na běžící procesy ---------------------

- - - - - - - > 'explorer.exe'(1960)
c:\program files\Babylon\Babylon-Pro\Captlib.dll
c:\windows\system32\webcheck.dll
.
Celkový čas: 2010-03-19 08:18:34
ComboFix-quarantined-files.txt 2010-03-19 07:18
ComboFix2.txt 2010-03-17 12:42
ComboFix3.txt 2010-03-16 06:23
ComboFix4.txt 2010-03-15 11:36

Před spuštěním: Volných bajtů: 72 044 634 112
Po spuštění: Volných bajtů: 72 027 414 528

- - End Of File - - 066BFF0AD79CB47A64548CC0AD94F5F2

Co na to počítač? Jsou ještě nějaké problémy?

Pro sichr ještě zkuste prověřit na www.virustotal.com tento soubor:
c:\windows\system32\webcheck.dll

výsledek sem zkopírujte.

Já se omlouvám, že se ozývám až teď, ale měl jsem teď hrozné fofry a zapomněl jsem na to. Teď jsem na tom PC byl a ten soubor jsem tam nenašel. Zatím to vypadá snad dobře. Uvidíme.
Cernto

VIRY.CZ

Neustále se objevující viry

Neustále se objevující viry

Re: Neustále se objevující viry

Re: Neustále se objevující viry

Re: Neustále se objevující viry

Re: Neustále se objevující viry

Re: Neustále se objevující viry

Re: Neustále se objevující viry

Re: Neustále se objevující viry

Re: Neustále se objevující viry

Re: Neustále se objevující viry

Re: Neustále se objevující viry

Re: Neustále se objevující viry

Re: Neustále se objevující viry

Re: Neustále se objevující viry

Re: Neustále se objevující viry