PC disinfection, speeding up your computer, remote help via the neslape.cz service

virus, trojan horse, Total XP Security

Have a virus problem? Post your FRST or RSIT log here.

Moderator: Moderators

Forum rules
If you want help, post a log from FRST [guide here] or RSIT [guide here]

Individual threads will be locked once resolved, as will any that stay inactive for more than 14 days. See the rule on locking topics. Thank you for your understanding.

!NEW!
You can now use the remote-assistance service: a specialist connects to your computer and gets the details of the problem from you by phone. More at www.neslape.cz
nofuj
Guest
Posts: 35
Registered: 24 Mar 2010 00:22

Re: virus, trojan horse, Total XP Security

#31 Post by nofuj »

cernohous13 wrote: For that, the script will look like this; you can add any other files you find in the same way

Code:

Files to delete:
e:\program files\itunes\ituneshelper.exe

Files to move:
e:\program files\itunes\ituneshelper .exe | e:\program files\itunes\ituneshelper.exe
wmpscfgs.exe - I'll try to get advice from colleagues :oops:
ok, thank you :wink:

I also found some in c:\Windows\System32 - can I delete those too? specifically these:

C:\WINDOWS\system32\alcmtr.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\nerocheck.exe

the problem may be that the previous deletions removed the "good" files, but I have no idea whether these are important system files or unnecessary ones :)

// correction: only the last one was removed; the first one is the good one and it is located at C:\WINDOWS\Alcmtr.exe (which is probably where it should be)
and the other two are in:
C:\WINDOWS\system32\DRVSTORE\igxp32_0A50666CFF0DD3C88576D08ED123D8A7D09710B6

so in my opinion the whole script could be:
Files to delete:
C:\Program Files\Common Files\Ahead\Lib\nmbgmonitor.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Intel\Wireless\Bin\zcfgsvc.exe
C:\Program Files\Launch Manager\lmanager.exe
C:\Program Files\Realtek\InstallShield\azmixersel.exe
C:\Program Files\Synaptics\SynTP\syntpenh.exe
C:\Program Files\Internet Explorer\wmpscfgs.exe
C:\Program Files\Internet Explorer\js.mui
C:\Documents and Settings\jančo\Local Settings\temp\wmpscfgs.exe
C:\WINDOWS\system32\alcmtr.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\nerocheck.exe
E:\Program Files\iTunes\ituneshelper.exe

Files to move:
C:\Program Files\Common Files\Ahead\Lib\nmbgmonitor .exe | C:\Program Files\Common Files\Ahead\Lib\nmbgmonitor.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk .exe | C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Intel\Wireless\Bin\zcfgsvc .exe | C:\Program Files\Intel\Wireless\Bin\zcfgsvc.exe
C:\Program Files\Launch Manager\lmanager .exe | C:\Program Files\Launch Manager\lmanager.exe
C:\Program Files\Realtek\InstallShield\azmixersel .exe | C:\Program Files\Realtek\InstallShield\azmixersel.exe
C:\Program Files\Synaptics\SynTP\syntpenh .exe | C:\Program Files\Synaptics\SynTP\syntpenh.exe
E:\Program Files\iTunes\ituneshelper .exe | E:\Program Files\iTunes\ituneshelper.exe
the ones we tried to remove last time are there again, because they didn't get removed. and that horrible virus wmpscfgs.exe is also at C:\Documents and Settings\jančo\Local Settings\temp\wmpscfgs.exe
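The script above relies on one pattern: the infected `name.exe` sits in the same folder as the renamed original `name .exe` (space before the extension), so the suspect is deleted and the original moved back. The following is an added example, not code from this thread or from Avenger: a Python check that lists a folder tree, reports only directories where both files exist, and prints them in the same "Files to delete" / "Files to move" layout for review. The function names, the constructed sample listing, and the assumption that Avenger accepts exactly this layout are mine; lone files such as the four system32 entries get no line from it, which is the doubt raised in the post.

```python
"""Find 'name .exe' / 'name.exe' companion pairs and render an Avenger-style script.

Added example (not from the thread or from Avenger). Assumes the pattern seen in
the thread: the malware occupies 'name.exe' and the original is renamed 'name .exe'.
"""
import os
import re
from typing import Dict, Iterable, List, Tuple

# Basename ending in a space followed by '.exe' (case-insensitive).
RENAMED_RE = re.compile(r"^(?P<stem>.+) \.exe$", re.IGNORECASE)

# Constructed sample listing built from paths named in the thread.
SAMPLE_LISTING = [
    r"C:\Program Files\Synaptics\SynTP\syntpenh.exe",
    r"C:\Program Files\Synaptics\SynTP\syntpenh .exe",
    r"E:\Program Files\iTunes\ituneshelper.exe",
    r"E:\Program Files\iTunes\ituneshelper .exe",
    r"C:\WINDOWS\system32\hkcmd.exe",                      # no companion: not reported
    r"C:\Program Files\Internet Explorer\wmpscfgs.exe",    # stands alone: not a pair
]


def _split(path: str) -> Tuple[str, str]:
    """Split on either separator so Windows paths work on any host."""
    idx = max(path.rfind("\\"), path.rfind("/"))
    return (path[:idx], path[idx + 1:]) if idx >= 0 else ("", path)


def find_companion_pairs(paths: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (suspect, renamed_original) pairs found in the same directory."""
    by_dir: Dict[str, Dict[str, str]] = {}
    for p in paths:
        d, base = _split(p)
        by_dir.setdefault(d.lower(), {})[base.lower()] = p
    pairs: List[Tuple[str, str]] = []
    for entries in by_dir.values():
        for base, full in entries.items():
            m = RENAMED_RE.match(base)
            if m is None:
                continue
            suspect = entries.get(m.group("stem") + ".exe")
            if suspect is not None:
                pairs.append((suspect, full))
    return sorted(pairs)


def scan_tree(root: str) -> List[Tuple[str, str]]:
    """Walk a real directory tree and apply find_companion_pairs to it."""
    paths = [os.path.join(d, f) for d, _dirs, files in os.walk(root) for f in files]
    return find_companion_pairs(paths)


def avenger_script(pairs: Iterable[Tuple[str, str]]) -> str:
    """Render pairs in the 'Files to delete:' / 'Files to move:' layout used in the thread:
    delete the suspect first, then move the renamed original back to its old name."""
    pairs = list(pairs)
    lines = ["Files to delete:"] + [suspect for suspect, _ in pairs]
    lines += ["", "Files to move:"] + [f"{renamed} | {suspect}" for suspect, renamed in pairs]
    return "\n".join(lines)


if __name__ == "__main__":
    print(avenger_script(find_companion_pairs(SAMPLE_LISTING)))
```

Run `scan_tree(r"C:\Program Files")` on the affected machine instead of the sample listing; anything the check prints should still be compared against the running-process and Run-key entries in the logs before it is used, since the pair test says nothing about files that were already deleted or that were never renamed.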

nofuj
Guest
Posts: 35
Registered: 24 Mar 2010 00:22

Re: virus, trojan horse, Total XP Security

#32 Post by nofuj »

I really appreciate your effort, but isn't there another solution? the thing is, I'm on a study placement in the UK and it's the Easter holidays right now, so I can't find anyone I could download all of that from, and the school has strict restrictions on downloading, so that doesn't work for me either :(

nofuj
Guest
Posts: 35
Registered: 24 Mar 2010 00:22

Re: virus, trojan horse, Total XP Security

#33 Post by nofuj »

here is also a link to the test result for the winlogon.exe file: http://www.virustotal.com/cs/analisis/b ... 1269617111

nofuj
Guest
Posts: 35
Registered: 24 Mar 2010 00:22

Re: virus, trojan horse, Total XP Security

#34 Post by nofuj »

hi, it's taking me a while, but the laptop went completely mad - the virus acted pretty viciously, it took out avast, windows kept popping up ... so I got angry and used Avenger with the script above :oops: I know you wrote that I shouldn't delete anything, so sorry, but luckily the virus was removed and after the restart the PC booted quickly and so far everything works ... MBAM found nothing, should I still run Gmer?

I also used CF on winlogon.exe, I don't know whether the script you wrote was meant to delete it or not, but it's back in the process list, and when I tried to end it from the processes a message popped up saying it's a critical file that has to stay there. here is the log from CF:

ComboFix 10-03-26.01 - jančo 26.03.2010 18:45:37.6.2 - x86
Systém Microsoft Windows XP Professional 5.1.2600.2.1250.420.1029.18.2038.1404 [GMT 0:00]
Spuštěný z: c:\documents and settings\jančo\Plocha\ComboFix.exe
Použité ovládací přepínače :: c:\documents and settings\jančo\Plocha\CFscript.txt
AV: avast! antivirus 4.8.1368 [VPS 100325-1] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

VAROVÁNÍ - NA TOMTO POČÍTAČI NENÍ NAINSTALOVÁNA KONZOLA PRO ZOTAVENÍ !!
.

((((((((((((((((((((((((((((((((((((((( Ostatní výmazy )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\winlogon.exe . . . je infikován!!

.
((((((((((((((((((((((((( Soubory vytvořené od 2010-02-26 do 2010-03-26 )))))))))))))))))))))))))))))))
.

2010-03-24 12:22 . 2010-03-24 12:22 -------- d-----r- c:\documents and settings\NetworkService\Oblíbené položky
2010-03-24 03:39 . 2010-01-07 16:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-24 03:39 . 2010-03-24 03:39 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-24 03:39 . 2010-01-07 16:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-23 23:17 . 2010-03-25 12:27 -------- d-----w- c:\program files\trend micro
2010-03-23 23:17 . 2010-03-23 23:18 -------- d-----w- C:\rsit
2010-03-23 22:57 . 2010-03-23 22:57 -------- d-----w- c:\windows\system32\LogFiles
2010-03-23 22:45 . 2010-03-23 22:45 -------- d-s---w- c:\documents and settings\NetworkService\UserData
2010-03-20 01:29 . 2010-03-20 01:29 -------- d-----w- c:\program files\Frontlets
2010-03-11 20:23 . 2010-03-11 20:23 -------- d-----w- c:\program files\Common Files\Java

.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-26 15:14 . 2009-03-21 14:13 -------- d-----w- c:\program files\Launch Manager
2010-03-26 00:16 . 2009-03-21 13:53 -------- d-----w- c:\program files\Atheros
2010-03-25 22:00 . 2009-06-25 20:43 -------- d-----w- c:\program files\QuickTime
2010-03-11 20:22 . 2009-04-05 16:10 -------- d-----w- c:\program files\Java
.

------- Sigcheck -------

[-] 2009-03-21 . 427E6DED3A2369D3432A683EB489EE14 . 502272 . . [5.1.2600.2180] . . c:\windows\system32\winlogon.exe
.
((((((((((((((((((((((((((((( SnapShot@2010-03-24_12.39.11 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-03-26 18:48 . 2010-03-26 18:48 16384 c:\windows\Temp\Perflib_Perfdata_a78.dat
+ 2010-03-26 18:48 . 2010-03-26 18:48 16384 c:\windows\Temp\Perflib_Perfdata_118.dat
+ 2009-03-21 13:54 . 2010-03-26 14:04 280536 c:\windows\system32\FNTCACHE.DAT
.
(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\lib\NMBgMonitor.exe" [2005-10-28 94208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2007-05-28 16132608]
"AzMixerSel"="c:\program files\Realtek\InstallShield\AzMixerSel.exe" [2005-06-11 53248]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-12-16 761945]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-04-16 819200]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-04-16 970752]
"LManager"="c:\progra~1\LAUNCH~1\LManager.exe" [2007-10-17 858632]
"avast!"="e:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]
"iTunesHelper"="e:\program files\iTunes\iTunesHelper.exe" [2009-06-05 292136]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-18 15360]

c:\documents and settings\All Users\Nabídka Start\Programy\Po spuštění\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2007-4-1 568176]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"e:\\Program Files\\ICQ6.5\\ICQ.exe"=
"e:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"e:\\Program Files\\Wolfram Research\\Mathematica\\7.0\\Mathematica.exe"=
"e:\\Program Files\\Wolfram Research\\Mathematica\\7.0\\MathKernel.exe"=
"e:\\Program Files\\Wolfram Research\\Mathematica\\7.0\\math.exe"=
"e:\\Program Files\\Nero 7\\Nero 7\\Nero Home\\NeroHome.exe"=
"e:\\Program Files\\Genuitec_fortran\\Profiles\\Eclipse 3.4 Classic\\eclipse.exe"=
"c:\\WINDOWS\\system32\\javaw.exe"=
"e:\\Program Files\\MATLAB\\R2008a\\bin\\win32\\MATLAB.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"e:\\Program Files\\iTunes\\iTunes.exe"=
"e:\\Program Files\\Maple 11\\jre\\bin\\maple.exe"=
"e:\\Program Files\\Maple 11\\jre\\bin\\java.exe"=
"e:\\Program Files\\SopCast\\SopCast.exe"=
"e:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\O2\\agent\\bin\\bcont.exe"=
"c:\\Program Files\\O2\\bin\\wificfg.exe"=
"c:\\Program Files\\Common Files\\SupportSoft\\bin\\ssrc.exe"=
"c:\\Program Files\\O2\\agent\\bin\\bcont_nm.exe"=
"e:\\Program Files\\Proxy Switcher Standard\\ProxySwitcher.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [21.3.2009 16:34 114768]
R2 Application Updater;Application Updater;c:\program files\Application Updater\ApplicationUpdater.exe [8.1.2010 0:51 380928]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [21.3.2009 16:34 20560]
R2 RTWTKRNL;Real-Time Windows Target;c:\windows\system32\drivers\RTWTKRNL.sys [23.3.2009 18:18 29184]
R2 sprtsvc_O2;SupportSoft Sprocket Service (O2);c:\program files\O2\bin\sprtsvc.exe [4.3.2009 15:52 202016]
.
Obsah adresáře 'Naplánované úlohy'
.
.
------- Doplňkový sken -------
.
uInternet Settings,ProxyOverride = *.local
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
FF - ProfilePath - c:\documents and settings\jančo\Data aplikací\Mozilla\Firefox\Profiles\pte9svr1.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://news.bbc.co.uk/weather/forecast/353
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&oe=UTF-8 ... &gfns=1&q=
FF - plugin: e:\program files\iTunes\Mozilla Plugins\npitunes.dll

---- NASTAVENÍ FIREFOXU ----
e:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
e:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
e:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
e:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
e:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
e:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
e:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
e:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
e:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
e:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
e:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
e:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
e:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
e:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
e:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
e:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
e:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
e:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
e:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
e:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
e:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
e:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
e:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
e:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
e:\program files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".cz");
e:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
e:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
e:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
e:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
e:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
e:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
e:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
e:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
e:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
e:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
e:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
e:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-26 18:49
Windows 5.1.2600 Service Pack 2 NTFS

skenování skrytých procesů ...

skenování skrytých položek 'Po spuštění' ...

skenování skrytých souborů ...

sken byl úspešně dokončen
skryté soubory: 0

**************************************************************************
.
--------------------- Knihovny navázané na běžící procesy ---------------------

- - - - - - - > 'explorer.exe'(3604)
e:\program files\iTunes\iTunesMiniPlayer.dll
e:\program files\iTunes\iTunesMiniPlayer.Resources\en.lproj\iTunesMiniPlayerLocalized.dll
e:\program files\iTunes\iTunesMiniPlayer.Resources\iTunesMiniPlayer.dll
c:\windows\system32\btmmhook.dll
c:\windows\system32\msi.dll
.
------------------------ Jiné spuštené procesy ------------------------
.
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
e:\program files\Alwil Software\Avast4\aswUpdSv.exe
e:\program files\Alwil Software\Avast4\ashServ.exe
c:\windows\RTHDCPL.EXE
c:\windows\system32\igfxext.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\wscntfy.exe
e:\program files\Alwil Software\Avast4\ashMaiSv.exe
e:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wbem\wmiapsrv.exe
c:\program files\Intel\Wireless\Bin\Dot1XCfg.exe
.
**************************************************************************
.
Celkový čas: 2010-03-26 18:51:07 - počítač byl restartován
ComboFix-quarantined-files.txt 2010-03-26 18:51
ComboFix2.txt 2010-03-26 09:20
ComboFix3.txt 2010-03-25 22:05
ComboFix4.txt 2010-03-25 20:21
ComboFix5.txt 2010-03-26 18:44

Před spuštěním: Volných bajtů: 46 107 553 792
Po spuštění: Volných bajtů: 46 076 837 888

- - End Of File - - 7C0F63329578CDC97B828FD5C0487594
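The log above carries two machine-readable statements about winlogon.exe: the "is infected" notice under the deletions section and the `[-]` Sigcheck line with the date, MD5, size and version ComboFix observed. The next post makes the point that such a file is replaced rather than deleted. As an added example, not code from the thread or from ComboFix, the Python below parses both sections and turns them into a replacement plan. It assumes that a leading `[-]` marks a file that failed verification, that the line layout is the one visible in this log, and that on Windows XP the first place to look for a clean copy is the Windows File Protection cache `system32\dllcache` (named in the RSIT log further down); the function names and the constructed excerpt are mine, and any copy found there still has to match the known-good hash for that exact build before it is used.

```python
"""Parse the Sigcheck and 'other deletions' sections of a ComboFix log and build a
replacement plan for files that failed the check.

Added example, not from the thread or from ComboFix. Assumptions: '[-]' in the
Sigcheck section marks a failed verification; the clean-copy candidate is the XP
WFP cache (system32\\dllcache), which must itself be hash-checked before use.
"""
import re
from typing import Dict, List

SIGCHECK_RE = re.compile(
    r"^\[(?P<flag>[^\]]+)\]\s+(?P<date>\d{4}-\d{2}-\d{2})\s+\.\s+"
    r"(?P<md5>[0-9A-Fa-f]{32})\s+\.\s+(?P<size>\d+)\s+\.\s+\.\s+"
    r"\[(?P<version>[^\]]*)\]\s+\.\s+\.\s+(?P<path>\S.*?)\s*$",
    re.MULTILINE,
)
# ComboFix output is localised: the log here says 'je infikován', English builds 'is infected'.
INFECTED_RE = re.compile(
    r"^(?P<path>\S.+?)\s+\.\s+\.\s+\.\s+(?:je infikován|is infected)!!",
    re.MULTILINE,
)

# Constructed excerpt reproducing the relevant lines of the log in the thread.
SAMPLE_COMBOFIX_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Ostatní výmazy )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\winlogon.exe . . . je infikován!!

------- Sigcheck -------

[-] 2009-03-21 . 427E6DED3A2369D3432A683EB489EE14 . 502272 . . [5.1.2600.2180] . . c:\windows\system32\winlogon.exe
.
"""


def parse_sigcheck(log: str) -> List[Dict[str, object]]:
    """One record per Sigcheck line: flag, date, md5, size (int), version, path."""
    records: List[Dict[str, object]] = []
    for m in SIGCHECK_RE.finditer(log):
        rec: Dict[str, object] = dict(m.groupdict())
        rec["size"] = int(m.group("size"))
        rec["md5"] = m.group("md5").upper()
        records.append(rec)
    return records


def parse_infected(log: str) -> List[str]:
    """Paths ComboFix explicitly reported as infected."""
    return [m.group("path") for m in INFECTED_RE.finditer(log)]


def replacement_plan(log: str) -> List[Dict[str, object]]:
    """Files that failed Sigcheck: candidates for replacement, not deletion.

    Each entry keeps the hash and size ComboFix saw, whether the same path also
    appeared in an 'infected' notice, and where a clean copy is normally looked for
    on XP. The candidate is a place to look, not a verified clean file."""
    infected = {p.lower() for p in parse_infected(log)}
    plan: List[Dict[str, object]] = []
    for rec in parse_sigcheck(log):
        if rec["flag"] != "-":
            continue
        path = str(rec["path"])
        base = path.rsplit("\\", 1)[-1]
        plan.append({
            "path": path,
            "observed_md5": rec["md5"],
            "observed_size": rec["size"],
            "reported_version": rec["version"],
            "confirmed_by_notice": path.lower() in infected,
            "clean_copy_candidate": r"c:\windows\system32\dllcache" + "\\" + base,
        })
    return plan


if __name__ == "__main__":
    for entry in replacement_plan(SAMPLE_COMBOFIX_LOG):
        print(entry)
```

Feeding the full ComboFix.txt to `replacement_plan` gives the list of protected system files that need a clean copy, with the observed MD5 kept so the replaced file can be compared afterwards; a file that appears only in the process list (as winlogon.exe does in the RSIT log) but not in this plan has not been flagged by Sigcheck at all.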

nofuj
Guest
Posts: 35
Registered: 24 Mar 2010 00:22

Re: virus, trojan horse, Total XP Security

#35 Post by nofuj »

Naughty wrote:VAROVÁNÍ - NA TOMTO POČÍTAČI NENÍ NAINSTALOVÁNA KONZOLA PRO ZOTAVENÍ !!

the error says it isn't installed

I told you not to delete anything until I get my bearings. Winlogon isn't deleted, it's replaced.
sorry once again :)

of course, but tomorrow I won't be able to, I'm travelling, would Sunday suit you?

RSIT

Logfile of random's system information tool 1.06 (written by random/random)
Run by jančo at 2010-03-26 19:25:34
Systém Microsoft Windows XP Professional Service Pack 2
System drive C: has 44 GB (86%) free of 51 GB
Total RAM: 2038 MB (69% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:25:36, on 26.3.2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
E:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
E:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\windows\RTHDCPL.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\windows\system32\spoolsv.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\PROGRA~1\LAUNCH~1\LManager.exe
E:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
E:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\WINDOWS\system32\igfxext.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Application Updater\ApplicationUpdater.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\O2\bin\sprtsvc.exe
C:\windows\system32\svchost.exe
C:\windows\system32\wscntfy.exe
E:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
E:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\windows\System32\svchost.exe
C:\windows\explorer.exe
C:\windows\system32\notepad.exe
E:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\jančo\Plocha\RSIT.exe
C:\Program Files\trend micro\jančo.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\LManager.exe
O4 - HKLM\..\Run: [avast!] E:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [iTunesHelper] "E:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Bluetooth.lnk = ?
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - E:\Program Files\ICQ6.5\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - E:\Program Files\ICQ6.5\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Application Updater - Spigot, Inc. - C:\Program Files\Application Updater\ApplicationUpdater.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - E:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - E:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - E:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - E:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SupportSoft Sprocket Service (O2) (sprtsvc_O2) - SupportSoft, Inc. - C:\Program Files\O2\bin\sprtsvc.exe
O23 - Service: SupportSoft RemoteAssist - SupportSoft, Inc. - C:\Program Files\Common Files\Supportsoft\bin\ssrc.exe

--
End of file - 6852 bytes

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
Adobe PDF Reader Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [2006-10-22 62080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java(tm) Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2010-02-18 41760]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2010-02-18 79648]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"=C:\windows\RTHDCPL.EXE [2007-05-28 16132608]
"AzMixerSel"=C:\Program Files\Realtek\InstallShield\AzMixerSel.exe [2005-06-11 53248]
"SynTPEnh"=C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2005-12-16 761945]
"IntelZeroConfig"=C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe [2007-04-16 819200]
"IntelWireless"=C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe [2007-04-16 970752]
"LManager"=C:\PROGRA~1\LAUNCH~1\LManager.exe [2007-10-17 858632]
"avast!"=E:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe [2009-11-24 81000]
"iTunesHelper"=E:\Program Files\iTunes\iTunesHelper.exe [2009-06-05 292136]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"=C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe [2005-10-28 94208]

C:\Documents and Settings\All Users\Nabídka Start\Programy\Po spuštění
Bluetooth.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\windows\system32\igfxdev.dll [2007-06-05 204800]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\{1a3e09be-1e45-494b-9174-d7385b45bbf5}]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=323
"NoDriveAutoRun"=67108863
"NoDrives"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveAutoRun"=
"NoDriveTypeAutoRun"=
"NoDrives"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"E:\Program Files\ICQ6.5\ICQ.exe"="E:\Program Files\ICQ6.5\ICQ.exe:*:Enabled:ICQ6"
"E:\Program Files\VideoLAN\VLC\vlc.exe"="E:\Program Files\VideoLAN\VLC\vlc.exe:*:Enabled:VLC media player"
"E:\Program Files\Wolfram Research\Mathematica\7.0\Mathematica.exe"="E:\Program Files\Wolfram Research\Mathematica\7.0\Mathematica.exe:*:Enabled:Wolfram Mathematica 7 for Students"
"E:\Program Files\Wolfram Research\Mathematica\7.0\MathKernel.exe"="E:\Program Files\Wolfram Research\Mathematica\7.0\MathKernel.exe:*:Enabled:Wolfram Mathematica 7 for Students Kernel"
"E:\Program Files\Wolfram Research\Mathematica\7.0\math.exe"="E:\Program Files\Wolfram Research\Mathematica\7.0\math.exe:*:Enabled:math.exe"
"E:\Program Files\Nero 7\Nero 7\Nero Home\NeroHome.exe"="E:\Program Files\Nero 7\Nero 7\Nero Home\NeroHome.exe:*:Enabled:Nero Home"
"E:\Program Files\Genuitec_fortran\Profiles\Eclipse 3.4 Classic\eclipse.exe"="E:\Program Files\Genuitec_fortran\Profiles\Eclipse 3.4 Classic\eclipse.exe:*:Enabled:eclipse"
"C:\WINDOWS\system32\javaw.exe"="C:\WINDOWS\system32\javaw.exe:*:Enabled:Java(TM) Platform SE binary"
"E:\Program Files\MATLAB\R2008a\bin\win32\MATLAB.exe"="E:\Program Files\MATLAB\R2008a\bin\win32\MATLAB.exe:*:Enabled:MATLAB"
"C:\Program Files\Bonjour\mDNSResponder.exe"="C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour"
"E:\Program Files\iTunes\iTunes.exe"="E:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes"
"E:\Program Files\Maple 11\jre\bin\maple.exe"="E:\Program Files\Maple 11\jre\bin\maple.exe:*:Enabled:Maple 11"
"E:\Program Files\Maple 11\jre\bin\java.exe"="E:\Program Files\Maple 11\jre\bin\java.exe:*:Enabled:Java(TM) 2 Platform Standard Edition binary"
"E:\Program Files\SopCast\SopCast.exe"="E:\Program Files\SopCast\SopCast.exe:*:Enabled:SopCast Main Application"
"E:\Program Files\SopCast\adv\SopAdver.exe"="E:\Program Files\SopCast\adv\SopAdver.exe:*:Enabled:SopCast Adver"
"C:\Program Files\O2\agent\bin\bcont.exe"="C:\Program Files\O2\agent\bin\bcont.exe:*:Enabled:bcont.exe"
"C:\Program Files\O2\bin\wificfg.exe"="C:\Program Files\O2\bin\wificfg.exe:*:Enabled:sprtcmd.exe"
"C:\Program Files\Common Files\SupportSoft\bin\ssrc.exe"="C:\Program Files\Common Files\SupportSoft\bin\ssrc.exe:*:Enabled:ssrc.exe"
"C:\Program Files\O2\agent\bin\bcont_nm.exe"="C:\Program Files\O2\agent\bin\bcont_nm.exe:*:Enabled:bcont_nm.exe"
"E:\Program Files\Proxy Switcher Standard\ProxySwitcher.exe"="E:\Program Files\Proxy Switcher Standard\ProxySwitcher.exe:*:Enabled:Proxy Switcher"
"C:\Program Files\Skype\Phone\Skype.exe"="C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

======List of files/folders created in the last 1 months======

2010-03-26 18:51:07 ----A---- C:\ComboFix.txt
2010-03-26 15:13:59 ----A---- C:\avenger.txt
2010-03-26 09:00:42 ----SHD---- C:\windows\CSC
2010-03-25 20:08:13 ----D---- C:\Avenger
2010-03-24 12:22:12 ----A---- C:\windows\zip.exe
2010-03-24 12:22:12 ----A---- C:\windows\SWXCACLS.exe
2010-03-24 12:22:12 ----A---- C:\windows\SWSC.exe
2010-03-24 12:22:12 ----A---- C:\windows\SWREG.exe
2010-03-24 12:22:12 ----A---- C:\windows\sed.exe
2010-03-24 12:22:12 ----A---- C:\windows\PEV.exe
2010-03-24 12:22:12 ----A---- C:\windows\NIRCMD.exe
2010-03-24 12:22:12 ----A---- C:\windows\MBR.exe
2010-03-24 12:22:12 ----A---- C:\windows\grep.exe
2010-03-24 12:20:49 ----D---- C:\windows\ERDNT
2010-03-24 12:20:32 ----D---- C:\Qoobox
2010-03-24 03:39:23 ----D---- C:\Documents and Settings\jančo\Data aplikací\Malwarebytes
2010-03-24 03:39:17 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2010-03-24 03:39:17 ----D---- C:\Documents and Settings\All Users\Data aplikací\Malwarebytes
2010-03-23 23:17:49 ----D---- C:\Program Files\trend micro
2010-03-23 23:17:47 ----D---- C:\rsit
2010-03-23 22:57:54 ----D---- C:\windows\system32\LogFiles
2010-03-20 01:29:55 ----D---- C:\Program Files\Frontlets
2010-03-11 20:23:27 ----D---- C:\Documents and Settings\All Users\Data aplikací\Sun
2010-03-11 20:23:26 ----D---- C:\Program Files\Common Files\Java
2010-03-11 20:22:49 ----A---- C:\windows\system32\javaws.exe
2010-03-11 20:22:49 ----A---- C:\windows\system32\javaw.exe
2010-03-11 20:22:49 ----A---- C:\windows\system32\java.exe
2010-03-11 19:36:29 ----D---- C:\Documents and Settings\jančo\Data aplikací\WNR

======List of files/folders modified in the last 1 months======

2010-03-26 18:51:09 ----D---- C:\windows\system32\drivers
2010-03-26 18:50:51 ----D---- C:\windows\Temp
2010-03-26 18:50:41 ----SD---- C:\windows\Tasks
2010-03-26 18:50:15 ----D---- C:\windows\system32\CatRoot2
2010-03-26 18:48:46 ----D---- C:\WINDOWS
2010-03-26 18:48:46 ----A---- C:\windows\system.ini
2010-03-26 18:46:35 ----D---- C:\windows\system32
2010-03-26 18:46:35 ----D---- C:\windows\AppPatch
2010-03-26 18:46:32 ----D---- C:\Program Files\Common Files
2010-03-26 18:44:54 ----A---- C:\windows\SchedLgU.Txt
2010-03-26 15:14:12 ----D---- C:\Program Files\Launch Manager
2010-03-26 15:13:59 ----D---- C:\Program Files\Internet Explorer
2010-03-26 14:56:34 ----RD---- C:\Program Files
2010-03-26 01:01:17 ----A---- C:\windows\NeroDigital.ini
2010-03-26 00:16:52 ----D---- C:\Program Files\Atheros
2010-03-25 23:58:45 ----RD---- C:\windows\Web
2010-03-25 22:02:18 ----D---- C:\windows\system32\config
2010-03-25 22:00:52 ----D---- C:\Program Files\QuickTime
2010-03-25 22:00:24 ----D---- C:\windows\Prefetch
2010-03-25 11:56:37 ----D---- C:\Documents and Settings
2010-03-25 11:18:00 ----D---- C:\windows\msapps
2010-03-24 12:37:10 ----D---- C:\Program Files\Adobe
2010-03-24 12:26:16 ----RSHDC---- C:\windows\system32\dllcache
2010-03-24 04:08:08 ----SHD---- C:\windows\Installer
2010-03-24 03:51:35 ----D---- C:\windows\SUYIN NB Cam
2010-03-21 00:02:16 ----D---- C:\Documents and Settings\jančo\Data aplikací\Skype
2010-03-12 22:11:27 ----D---- C:\Documents and Settings\jančo\Data aplikací\Audacity
2010-03-11 20:22:46 ----D---- C:\Program Files\Java
2010-03-10 00:19:22 ----D---- C:\Documents and Settings\jančo\Data aplikací\gtk-2.0

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 Aavmker4;avast! Asynchronous Virus Monitor; C:\windows\system32\drivers\Aavmker4.sys [2009-11-24 27408]
R1 aswSP;avast! Self Protection; C:\windows\system32\drivers\aswSP.sys [2009-11-24 114768]
R1 aswTdi;avast! Network Shield Support; C:\windows\system32\drivers\aswTdi.sys [2009-11-24 48560]
R1 intelppm;Řadič procesoru Intel; C:\windows\system32\DRIVERS\intelppm.sys [2004-08-18 39936]
R1 WmiAcpi;Microsoft Windows Management Interface for ACPI; C:\windows\system32\DRIVERS\wmiacpi.sys [2004-08-03 8832]
R2 AegisP;AEGIS Protocol (IEEE 802.1x) v3.7.4.0; C:\windows\system32\DRIVERS\AegisP.sys [2009-03-21 21393]
R2 aswFsBlk;aswFsBlk; C:\windows\system32\DRIVERS\aswFsBlk.sys [2009-11-24 20560]
R2 aswMon2;avast! Standard Shield Support; C:\windows\system32\drivers\aswMon2.sys [2009-11-24 94160]
R2 irda;Protokol IrDA; C:\windows\system32\DRIVERS\irda.sys [2004-08-03 87424]
R2 mdmxsdk;mdmxsdk; C:\windows\system32\DRIVERS\mdmxsdk.sys [2006-06-19 12672]
R2 RTWTKRNL;Real-Time Windows Target; \??\C:\WINDOWS\system32\drivers\RTWTKRNL.sys []
R2 s24trans;WLAN Transport; C:\windows\system32\DRIVERS\s24trans.sys [2007-03-29 12416]
R3 Arp1394;Protokol 1394 ARP Client; C:\windows\system32\DRIVERS\arp1394.sys [2004-08-18 60800]
R3 aswRdr;aswRdr; C:\windows\system32\drivers\aswRdr.sys [2009-11-24 23120]
R3 b57w2k;Broadcom NetXtreme Gigabit Ethernet; C:\windows\system32\DRIVERS\b57xp32.sys [2007-02-16 160256]
R3 btaudio;Bluetooth Audio Device; C:\windows\system32\drivers\btaudio.sys [2007-03-23 539072]
R3 BTDriver;Bluetooth Virtual Communications Driver; C:\windows\system32\DRIVERS\btport.sys [2007-03-23 37424]
R3 BTKRNL;Bluetooth Bus Enumerator; C:\windows\system32\DRIVERS\btkrnl.sys [2007-03-31 876384]
R3 catchme;catchme; \??\C:\ComboFix\catchme.sys []
R3 CmBatt;Microsoft AC Adapter Driver; C:\windows\system32\DRIVERS\CmBatt.sys [2004-08-03 14080]
R3 DKbFltr;Dritek Keyboard Filter Driver; C:\windows\system32\DRIVERS\DKbFltr.sys [2006-01-20 17408]
R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\windows\system32\DRIVERS\GEARAspiWDM.sys [2009-03-19 23400]
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\windows\system32\DRIVERS\HDAudBus.sys [2005-01-07 138752]
R3 HSF_DPV;HSF_DPV; C:\windows\system32\DRIVERS\HSF_DPV.sys [2006-12-22 988800]
R3 HSFHWAZL;HSFHWAZL; C:\windows\system32\DRIVERS\HSFHWAZL.sys [2006-12-22 209664]
R3 ialm;ialm; C:\windows\system32\DRIVERS\igxpmp32.sys [2007-06-05 5761728]
R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\windows\system32\drivers\RtkHDAud.sys [2007-05-30 4424192]
R3 NETw4x32;Ovladač adaptéru Intel(R) Wireless WiFi Link pro systém Windows XP 32 Bit; C:\windows\system32\DRIVERS\NETw4x32.sys [2007-04-29 2206976]
R3 NIC1394;1394 Net Driver; C:\windows\system32\DRIVERS\nic1394.sys [2004-08-18 61824]
R3 NSCIRDA;NSC Infrared Device Driver; C:\windows\system32\DRIVERS\nscirda.sys [2004-08-03 28672]
R3 Rasirda;WAN Miniport (IrDA); C:\windows\system32\DRIVERS\rasirda.sys [2001-08-17 19584]
R3 sdbus;sdbus; C:\windows\system32\DRIVERS\sdbus.sys [2004-08-18 67584]
R3 SynTP;Synaptics TouchPad Driver; C:\windows\system32\DRIVERS\SynTP.sys [2005-12-16 191936]
R3 tifm21;tifm21; C:\windows\system32\drivers\tifm21.sys [2007-05-01 290816]
R3 usbccgp;Obecný nadřazený ovladač Microsoft USB; C:\windows\system32\DRIVERS\usbccgp.sys [2004-08-18 31616]
R3 usbehci;Ovladač miniportu rozšířeného radiče hostitele Microsoft USB 2.0; C:\windows\system32\DRIVERS\usbehci.sys [2004-08-03 26624]
R3 usbhub;Rozbočovač umožnující USB2; C:\windows\system32\DRIVERS\usbhub.sys [2004-08-03 57600]
R3 usbuhci;Ovladač Microsoft univerzálního hostitelského řadiče USB od společnosti Microsoft; C:\windows\system32\DRIVERS\usbuhci.sys [2004-08-03 20480]
R3 usbvideo;Zobrazovací zařízení USB (WDM); C:\windows\System32\Drivers\usbvideo.sys [2004-08-03 78464]
R3 winachsf;winachsf; C:\windows\system32\DRIVERS\HSF_CNXT.sys [2006-12-22 730112]
S1 InCDPass;InCDPass; C:\windows\system32\drivers\InCDPass.sys []
S1 InCDRm;InCD Reader; C:\windows\system32\drivers\InCDRm.sys []
S3 BTWDNDIS;Bluetooth LAN Access Server; C:\windows\system32\DRIVERS\btwdndis.sys [2007-03-23 149123]
S3 btwhid;btwhid; C:\windows\system32\DRIVERS\btwhid.sys [2007-03-31 55352]
S3 btwmodem;Bluetooth Modem; C:\windows\system32\DRIVERS\btwmodem.sys [2007-03-23 37280]
S3 BTWUSB;WIDCOMM USB Bluetooth Driver; C:\windows\System32\Drivers\btwusb.sys [2007-03-23 67960]
S3 CCDECODE;Dekodér Closed Caption; C:\windows\system32\DRIVERS\CCDECODE.sys [2004-08-03 17024]
S3 hidusb;Ovladač třídy standardu HID; C:\windows\system32\DRIVERS\hidusb.sys [2004-08-18 9600]
S3 mbr;mbr; \??\C:\DOCUME~1\JANO~1\LOCALS~1\Temp\mbr.sys []
S3 mouhid;Ovladač myši standardu HID; C:\windows\system32\DRIVERS\mouhid.sys [2004-08-18 12160]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\windows\system32\drivers\MSTEE.sys [2004-08-03 5504]
S3 NABTSFEC;NABTS/FEC VBI Codec; C:\windows\system32\DRIVERS\NABTSFEC.sys [2004-08-03 85376]
S3 NdisIP;Microsoft TV/Video Connection; C:\windows\system32\DRIVERS\NdisIP.sys [2004-08-03 10880]
S3 SLIP;BDA Slip De-Framer; C:\windows\system32\DRIVERS\SLIP.sys [2004-08-03 11136]
S3 streamip;BDA IPSink; C:\windows\system32\DRIVERS\StreamIP.sys [2004-08-03 15360]
S3 UIUSys;Conexant Setup API; C:\windows\system32\DRIVERS\UIUSYS.SYS [2006-06-09 6909]
S3 usbbus;LGE Mobile Composite USB Device; C:\windows\system32\DRIVERS\lgusbbus.sys []
S3 UsbDiag;LGE Mobile USB Serial Port; C:\windows\system32\DRIVERS\lgusbdiag.sys []
S3 USBModem;LGE Mobile USB Modem; C:\windows\system32\DRIVERS\lgusbmodem.sys []
S3 usbprint;Třída USB Printer; C:\windows\system32\DRIVERS\usbprint.sys [2004-08-03 25856]
S3 usbscan;Ovladač skeneru USB; C:\windows\system32\DRIVERS\usbscan.sys [2004-08-03 15104]
S3 USBSTOR;Ovladač velkokapacitního paměťového zařízení USB; C:\windows\system32\DRIVERS\USBSTOR.SYS [2004-08-03 26496]
S3 WSTCODEC;Dálnopisný kodek světového standardu; C:\windows\system32\DRIVERS\WSTCODEC.SYS [2004-08-03 19328]
S4 InCDFs;InCD File System; C:\windows\system32\drivers\InCDFs.sys []
S4 IntelIde;IntelIde; C:\windows\system32\drivers\IntelIde.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2009-06-05 144712]
R2 Application Updater;Application Updater; C:\Program Files\Application Updater\ApplicationUpdater.exe [2010-01-08 380928]
R2 aswUpdSv;avast! iAVS4 Control Service; E:\Program Files\Alwil Software\Avast4\aswUpdSv.exe [2009-11-24 18752]
R2 avast! Antivirus;avast! Antivirus; E:\Program Files\Alwil Software\Avast4\ashServ.exe [2009-11-24 138680]
R2 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2008-12-12 238888]
R2 btwdins;Bluetooth Service; C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe [2007-04-01 273256]
R2 EvtEng;Intel(R) PROSet/Wireless Event Log; C:\Program Files\Intel\Wireless\Bin\EvtEng.exe [2007-04-16 647168]
R2 Irmon;Sledování infračerveného přenosu; C:\windows\system32\svchost.exe [2004-08-18 14336]
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2009-12-17 153376]
R2 RegSrvc;Intel(R) PROSet/Wireless Registry Service; C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe [2007-04-16 327680]
R2 S24EventMonitor;Intel(R) PROSet/Wireless Service; C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe [2007-04-16 983040]
R2 sprtsvc_O2;SupportSoft Sprocket Service (O2); C:\Program Files\O2\bin\sprtsvc.exe [2009-03-04 202016]
R2 UMWdf;Windows User Mode Driver Framework; C:\windows\system32\wdfmgr.exe [2005-01-28 38912]
R3 avast! Mail Scanner;avast! Mail Scanner; E:\Program Files\Alwil Software\Avast4\ashMaiSv.exe [2009-11-24 254040]
R3 avast! Web Scanner;avast! Web Scanner; E:\Program Files\Alwil Software\Avast4\ashWebSv.exe [2009-11-24 352920]
R3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2009-06-05 541992]
S3 aspnet_state;ASP.NET State Service; C:\windows\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2005-09-23 29896]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2005-09-23 66240]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [2005-04-03 69632]
S3 SupportSoft RemoteAssist;SupportSoft RemoteAssist; C:\Program Files\Common Files\Supportsoft\bin\ssrc.exe [2007-07-27 382320]

-----------------EOF-----------------

cernohous13
VIP in memoriam
Posts: 8721
Registered: 09 Dec 2006 06:19
Location: Jablonec nad Nisou

Re: virus, Trojan horse, Total XP Security

#36 Post by cernohous13 »

The ComboFix treatment apparently failed; there is another option:

Attached is winlogon.zip - download it and unpack it into the root of C: - it must end up as C:\winlogon.exe
Script for Avenger

Code:

Files to move:
C:\winlogon.exe | C:\Windows\system32\winlogon.exe
winlogon.zip
(282.05 KiB) Downloaded 59 times
Recommendations:
During the cleanup, perform new installations and uninstallations only when I tell you to.
Study my reply thoroughly and carry out the whole operation as described there.
If anything is unclear, ask - I will explain.

-------------------------------------------------------------------------------------------------
> Forum support <

nofuj
Visitor
Posts: 35
Registered: 24 Mar 2010 00:22

Re: virus, Trojan horse, Total XP Security

#37 Post by nofuj »

It didn't work.

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Error: file "C:\Windows\system32\winlogon.exe" is whitelisted
File move operation "C:\winlogon.exe|C:\Windows\system32\winlogon.exe" failed!
Status: 0xc0000022 (STATUS_ACCESS_DENIED)


Completed script processing.

*******************

Finished! Terminate.

cernohous13
VIP in memoriam
Posts: 8721
Registered: 09 Dec 2006 06:19
Location: Jablonec nad Nisou

Re: virus, Trojan horse, Total XP Security

#38 Post by cernohous13 »

:?: So let's try a CFscript

Code:

KillAll::

Restore::
c:\windows\system32\winlogon.exe

Reboot::

nofuj
Visitor
Posts: 35
Registered: 24 Mar 2010 00:22

Re: virus, Trojan horse, Total XP Security

#39 Post by nofuj »

I already did that on Naughty's advice; should I do it again?

cernohous13
VIP in memoriam
Posts: 8721
Registered: 09 Dec 2006 06:19
Location: Jablonec nad Nisou

Re: virus, Trojan horse, Total XP Security

#40 Post by cernohous13 »

When you followed Naughty's instructions, CF had nowhere to find it for the repair.
Also copy winlogon.exe from C: into C:\WINDOWS\system32\dllcache
and then run the CFscript

nofuj
Visitor
Posts: 35
Registered: 24 Mar 2010 00:22

Re: virus, Trojan horse, Total XP Security

#41 Post by nofuj »

new CF log:

ComboFix 10-03-26.02 - jančo 26.03.2010 21:40:07.7.2 - x86
Systém Microsoft Windows XP Professional 5.1.2600.2.1250.420.1029.18.2038.1468 [GMT 0:00]
Spuštěný z: c:\documents and settings\jančo\Plocha\ComboFix.exe
Použité ovládací přepínače :: c:\documents and settings\jančo\Plocha\CFscript.txt
AV: avast! antivirus 4.8.1368 [VPS 100326-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

VAROVÁNÍ - NA TOMTO POČÍTAČI NENÍ NAINSTALOVÁNA KONZOLA PRO ZOTAVENÍ !!
.

((((((((((((((((((((((((((((((((((((((( Ostatní výmazy )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\winlogon.exe

c:\windows\system32\winlogon.exe . . . je infikován!!

.
((((((((((((((((((((((((( Soubory vytvořené od 2010-02-26 do 2010-03-26 )))))))))))))))))))))))))))))))
.

2010-03-26 20:36 . 2008-04-14 04:22 507904 ----a-w- c:\windows\system32\dllcache\winlogon.exe
2010-03-24 12:22 . 2010-03-24 12:22 -------- d-----r- c:\documents and settings\NetworkService\Oblíbené položky
2010-03-24 03:39 . 2010-01-07 16:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-24 03:39 . 2010-03-24 03:39 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-24 03:39 . 2010-01-07 16:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-23 23:17 . 2010-03-26 19:25 -------- d-----w- c:\program files\trend micro
2010-03-23 23:17 . 2010-03-23 23:18 -------- d-----w- C:\rsit
2010-03-23 22:57 . 2010-03-23 22:57 -------- d-----w- c:\windows\system32\LogFiles
2010-03-23 22:45 . 2010-03-23 22:45 -------- d-s---w- c:\documents and settings\NetworkService\UserData
2010-03-20 01:29 . 2010-03-20 01:29 -------- d-----w- c:\program files\Frontlets
2010-03-11 20:23 . 2010-03-11 20:23 -------- d-----w- c:\program files\Common Files\Java

.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-26 15:14 . 2009-03-21 14:13 -------- d-----w- c:\program files\Launch Manager
2010-03-26 00:16 . 2009-03-21 13:53 -------- d-----w- c:\program files\Atheros
2010-03-25 22:00 . 2009-06-25 20:43 -------- d-----w- c:\program files\QuickTime
2010-03-11 20:22 . 2009-04-05 16:10 -------- d-----w- c:\program files\Java
.

------- Sigcheck -------

[-] 2009-03-21 . 427E6DED3A2369D3432A683EB489EE14 . 502272 . . [5.1.2600.2180] . . c:\windows\system32\winlogon.exe
[-] 2008-04-14 . CDDB1F8E1AEA356F3AD106F2CF9B7FEA . 507904 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\winlogon.exe
.
((((((((((((((((((((((((((((( SnapShot@2010-03-24_12.39.11 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-03-26 21:43 . 2010-03-26 21:43 16384 c:\windows\Temp\Perflib_Perfdata_a8c.dat
+ 2010-03-26 21:43 . 2010-03-26 21:43 16384 c:\windows\Temp\Perflib_Perfdata_208.dat
+ 2009-03-21 13:54 . 2010-03-26 14:04 280536 c:\windows\system32\FNTCACHE.DAT
.
(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\lib\NMBgMonitor.exe" [2005-10-28 94208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2007-05-28 16132608]
"AzMixerSel"="c:\program files\Realtek\InstallShield\AzMixerSel.exe" [2005-06-11 53248]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-12-16 761945]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-04-16 819200]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-04-16 970752]
"LManager"="c:\progra~1\LAUNCH~1\LManager.exe" [2007-10-17 858632]
"avast!"="e:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]
"iTunesHelper"="e:\program files\iTunes\iTunesHelper.exe" [2009-06-05 292136]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-18 15360]

c:\documents and settings\All Users\Nabˇdka Start\Programy\Po spuçtŘnˇ\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2007-4-1 568176]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"e:\\Program Files\\ICQ6.5\\ICQ.exe"=
"e:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"e:\\Program Files\\Wolfram Research\\Mathematica\\7.0\\Mathematica.exe"=
"e:\\Program Files\\Wolfram Research\\Mathematica\\7.0\\MathKernel.exe"=
"e:\\Program Files\\Wolfram Research\\Mathematica\\7.0\\math.exe"=
"e:\\Program Files\\Nero 7\\Nero 7\\Nero Home\\NeroHome.exe"=
"e:\\Program Files\\Genuitec_fortran\\Profiles\\Eclipse 3.4 Classic\\eclipse.exe"=
"c:\\WINDOWS\\system32\\javaw.exe"=
"e:\\Program Files\\MATLAB\\R2008a\\bin\\win32\\MATLAB.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"e:\\Program Files\\iTunes\\iTunes.exe"=
"e:\\Program Files\\Maple 11\\jre\\bin\\maple.exe"=
"e:\\Program Files\\Maple 11\\jre\\bin\\java.exe"=
"e:\\Program Files\\SopCast\\SopCast.exe"=
"e:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\O2\\agent\\bin\\bcont.exe"=
"c:\\Program Files\\O2\\bin\\wificfg.exe"=
"c:\\Program Files\\Common Files\\SupportSoft\\bin\\ssrc.exe"=
"c:\\Program Files\\O2\\agent\\bin\\bcont_nm.exe"=
"e:\\Program Files\\Proxy Switcher Standard\\ProxySwitcher.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [21.3.2009 16:34 114768]
R2 Application Updater;Application Updater;c:\program files\Application Updater\ApplicationUpdater.exe [8.1.2010 0:51 380928]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [21.3.2009 16:34 20560]
R2 RTWTKRNL;Real-Time Windows Target;c:\windows\system32\drivers\RTWTKRNL.sys [23.3.2009 18:18 29184]
R2 sprtsvc_O2;SupportSoft Sprocket Service (O2);c:\program files\O2\bin\sprtsvc.exe [4.3.2009 15:52 202016]
.
.
------- Doplňkový sken -------
.
uInternet Settings,ProxyOverride = *.local
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
FF - ProfilePath - c:\documents and settings\jančo\Data aplikací\Mozilla\Firefox\Profiles\pte9svr1.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://news.bbc.co.uk/weather/forecast/353
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&oe=UTF-8 ... &gfns=1&q=
FF - plugin: e:\program files\iTunes\Mozilla Plugins\npitunes.dll

---- NASTAVENÍ FIREFOXU ----
e:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
e:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
e:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
e:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
e:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
e:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
e:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
e:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
e:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
e:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
e:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
e:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
e:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
e:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
e:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
e:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
e:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
e:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
e:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
e:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
e:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
e:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
e:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
e:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
e:\program files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".cz");
e:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
e:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
e:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
e:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
e:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
e:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
e:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
e:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
e:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
e:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
e:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
e:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-26 21:43
Windows 5.1.2600 Service Pack 2 NTFS

skenování skrytých procesů ...

skenování skrytých položek 'Po spuštění' ...

skenování skrytých souborů ...

sken byl úspešně dokončen
skryté soubory: 0

**************************************************************************
.
--------------------- Knihovny navázané na běžící procesy ---------------------

- - - - - - - > 'explorer.exe'(3028)
e:\program files\iTunes\iTunesMiniPlayer.dll
e:\program files\iTunes\iTunesMiniPlayer.Resources\en.lproj\iTunesMiniPlayerLocalized.dll
e:\program files\iTunes\iTunesMiniPlayer.Resources\iTunesMiniPlayer.dll
c:\windows\system32\btmmhook.dll
c:\windows\system32\msi.dll
.
------------------------ Jiné spuštené procesy ------------------------
.
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
e:\program files\Alwil Software\Avast4\aswUpdSv.exe
e:\program files\Alwil Software\Avast4\ashServ.exe
c:\windows\RTHDCPL.EXE
c:\windows\system32\igfxext.exe
c:\windows\system32\igfxsrvc.exe
c:\docume~1\JANO~1\LOCALS~1\Temp\RtkBtMnt.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\wscntfy.exe
e:\program files\Alwil Software\Avast4\ashMaiSv.exe
e:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\program files\Intel\Wireless\Bin\Dot1XCfg.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wbem\wmiapsrv.exe
.
**************************************************************************
.
Celkový čas: 2010-03-26 21:44:50 - počítač byl restartován
ComboFix-quarantined-files.txt 2010-03-26 21:44
ComboFix2.txt 2010-03-26 18:51
ComboFix3.txt 2010-03-26 09:20
ComboFix4.txt 2010-03-25 22:05
ComboFix5.txt 2010-03-26 21:39

Před spuštěním: Volných bajtů: 46 009 544 704
Po spuštění: Volných bajtů: 45 977 993 216

- - End Of File - - CAD555A9B19AF19AA6E9C77AAE06F578
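The Sigcheck section of the ComboFix log above is the decisive evidence in this thread: the live c:\windows\system32\winlogon.exe (MD5 427E6DED..., file version 5.1.2600.2180) does not match the known-good copy that was placed into dllcache (MD5 CDDB1F8E..., 5.1.2600.5512). The Python script below is an added example, not part of this thread, of ComboFix or of any other tool named here. It parses Sigcheck lines and pairs each system32 file with its dllcache counterpart, reporting a hash or size mismatch; the sample input embedded in it is constructed from the two Sigcheck listings this thread quotes (before and after the FCopy). It deliberately does not interpret the leading `[-]` flag, and a "match" only proves that the two copies are identical, so the dllcache copy itself must be verified first (as the thread does via VirusTotal) before it is trusted as a reference.

```python
import re
from collections import defaultdict

# Constructed sample input: the Sigcheck lines quoted in this thread,
# before the FCopy (live copy differs from dllcache) and after it (both equal).
SIGCHECK_BEFORE = """\
------- Sigcheck -------

[-] 2009-03-21 . 427E6DED3A2369D3432A683EB489EE14 . 502272 . . [5.1.2600.2180] . . c:\\windows\\system32\\winlogon.exe
[-] 2008-04-14 . CDDB1F8E1AEA356F3AD106F2CF9B7FEA . 507904 . . [5.1.2600.5512] . . c:\\windows\\system32\\dllcache\\winlogon.exe
"""

SIGCHECK_AFTER = """\
[-] 2008-04-14 . CDDB1F8E1AEA356F3AD106F2CF9B7FEA . 507904 . . [5.1.2600.5512] . . c:\\windows\\system32\\winlogon.exe
[-] 2008-04-14 . CDDB1F8E1AEA356F3AD106F2CF9B7FEA . 507904 . . [5.1.2600.5512] . . c:\\windows\\system32\\dllcache\\winlogon.exe
"""

# One Sigcheck line: [flag] date . MD5 . size . . [version] . . path
LINE_RE = re.compile(
    r"^\[(?P<flag>.)\]\s+(?P<date>\S+)\s+\.\s+(?P<md5>[0-9A-Fa-f]{32})\s+\.\s+"
    r"(?P<size>\d+)\s+\.\s+\.\s+\[(?P<version>[^\]]*)\]\s+\.\s+\.\s+(?P<path>.+?)\s*$"
)


def parse_sigcheck(text):
    """Return one dict per Sigcheck line; headers and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["size"] = int(d["size"])
        d["md5"] = d["md5"].upper()      # normalise case for comparison
        d["path"] = d["path"].lower()    # NTFS paths are case-insensitive
        entries.append(d)
    return entries


def compare_with_dllcache(entries):
    """Pair system32\\<name> with system32\\dllcache\\<name> and compare them.

    Returns {name: {"status": "match" | "mismatch" | "unpaired",
                    "live": entry or None, "cache": entry or None}}.
    """
    by_name = defaultdict(dict)
    for e in entries:
        path = e["path"]
        name = path.rsplit("\\", 1)[-1]
        role = "cache" if "\\dllcache\\" in path else "live"
        by_name[name][role] = e

    report = {}
    for name, pair in by_name.items():
        live, cache = pair.get("live"), pair.get("cache")
        if live is None or cache is None:
            status = "unpaired"   # only one side present, nothing to compare
        elif live["md5"] == cache["md5"] and live["size"] == cache["size"]:
            status = "match"
        else:
            status = "mismatch"   # the live system file differs from its cached copy
        report[name] = {"status": status, "live": live, "cache": cache}
    return report


if __name__ == "__main__":
    for label, text in (("before FCopy", SIGCHECK_BEFORE), ("after FCopy", SIGCHECK_AFTER)):
        for name, r in compare_with_dllcache(parse_sigcheck(text)).items():
            print(f"{label}: {name}: {r['status']}")
```

Run against a full ComboFix log, the same parser picks up every Sigcheck line, so a mismatch on any protected file (not just winlogon.exe) is surfaced; the version and date fields are kept in each entry so a reviewer can see at a glance which side carries the expected build.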

cernohous13
VIP in memoriam
Posts: 8721
Registered: 09 Dec 2006 06:19
Location: Jablonec nad Nisou

Re: virus, Trojan horse, Total XP Security

#42 Post by cernohous13 »

:arrow: Also test both files on VT
c:\windows\system32\dllcache\winlogon.exe
c:\windows\system32\winlogon.exe

:arrow: Would it be a problem to install SP3?

:arrow: Run a scan with an updated MBAM

nofuj
Visitor
Posts: 35
Registered: 24 Mar 2010 00:22

Re: virus, Trojan horse, Total XP Security

#43 Post by nofuj »

hi,

c:\windows\system32\dllcache\winlogon.exe http://www.virustotal.com/cs/analisis/f ... 1269723305

c:\windows\system32\winlogon.exe http://www.virustotal.com/cs/analisis/b ... 1269723442
cernohous13 wrote: :arrow: Would it be a problem to install SP3?
Well, I have no problem downloading SP3 from somewhere (if that is possible) and installing it, but I have no idea whether there is any technical problem with it - I don't know much about this :oops:
cernohous13 wrote: :arrow: Run a scan with an updated MBAM
*correction - you wrote with an updated MBAM; I'll post it here in a moment

** so, the log:

Malwarebytes' Anti-Malware 1.44
Database version: 3922
Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

27.3.2010 21:13:42
mbam-log-2010-03-27 (21-13-36).txt

Scan type: Quick Scan
Objects scanned: 124123
Time elapsed: 1 minute(s), 28 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\bfvf.bxo (Backdoor.Bot) -> No action taken.

\\ I'll add that I had the detected file checked on VirusTotal, and in 17 cases it was reported as a trojan, an agent and what not http://www.virustotal.com/cs/analisis/f ... 1269725236 so I had it deleted; a repeat MBAM scan after the restart was clean

cernohous13
VIP in memoriam
Posts: 8721
Registered: 09 Dec 2006 06:19
Location: Jablonec nad Nisou

Re: virus, Trojan horse, Total XP Security

#44 Post by cernohous13 »

:wink: Well done

SP3 - it should be offered among the updates http://www.update.microsoft.com/windows ... aspx?ln=cs
also have a look here http://www.microsoft.com/downloads/deta ... 1555d4f3d4

:arrow: new CFscript

Code:

KillAll::

FCopy::
c:\windows\system32\dllcache\winlogon.exe | c:\windows\system32\winlogon.exe

Reboot::

nofuj
Visitor
Posts: 35
Registered: 24 Mar 2010 00:22

Re: virus, Trojan horse, Total XP Security

#45 Post by nofuj »

Before I install SP3 I want to ask whether it is really necessary. The system is behaving well now, and your question whether it would be a problem to install SP3 has made me unsure :o I mean, could any problems come up?

here is the new CF log; it seems the replacement worked, because during the scan a message popped up saying that I had changed a system file ...

ComboFix 10-03-27.03 - jančo 28.03.2010 14:10:48.8.2 - x86
Systém Microsoft Windows XP Professional 5.1.2600.2.1250.420.1029.18.2038.1515 [GMT 1:00]
Spuštěný z: c:\documents and settings\jančo\Plocha\ComboFix.exe
Použité ovládací přepínače :: c:\documents and settings\jančo\Plocha\CFscript.txt
AV: avast! antivirus 4.8.1368 [VPS 100328-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
* Vytvořen nový Bod Obnovení

VAROVÁNÍ - NA TOMTO POČÍTAČI NENÍ NAINSTALOVÁNA KONZOLA PRO ZOTAVENÍ !!
.

((((((((((((((((((((((((((((((((((((((( Ostatní výmazy )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
--------------- FCopy ---------------

c:\windows\system32\dllcache\winlogon.exe --> c:\windows\system32\winlogon.exe
.
((((((((((((((((((((((((( Soubory vytvořené od 2010-02-28 do 2010-03-28 )))))))))))))))))))))))))))))))
.

2010-03-26 20:36 . 2008-04-14 04:22 507904 ------w- c:\windows\system32\dllcache\winlogon.exe
2010-03-24 12:22 . 2010-03-24 12:22 -------- d-----r- c:\documents and settings\NetworkService\Oblíbené položky
2010-03-24 03:39 . 2010-01-07 16:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-24 03:39 . 2010-03-24 03:39 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-24 03:39 . 2010-01-07 16:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-23 23:17 . 2010-03-27 22:38 -------- d-----w- c:\program files\trend micro
2010-03-23 23:17 . 2010-03-23 23:18 -------- d-----w- C:\rsit
2010-03-23 22:57 . 2010-03-23 22:57 -------- d-----w- c:\windows\system32\LogFiles
2010-03-23 22:45 . 2010-03-23 22:45 -------- d-s---w- c:\documents and settings\NetworkService\UserData
2010-03-20 01:29 . 2010-03-20 01:29 -------- d-----w- c:\program files\Frontlets
2010-03-11 20:23 . 2010-03-11 20:23 -------- d-----w- c:\program files\Common Files\Java

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-26 15:14 . 2009-03-21 14:13 -------- d-----w- c:\program files\Launch Manager
2010-03-26 00:16 . 2009-03-21 13:53 -------- d-----w- c:\program files\Atheros
2010-03-25 22:00 . 2009-06-25 20:43 -------- d-----w- c:\program files\QuickTime
2010-03-11 20:22 . 2009-04-05 16:10 -------- d-----w- c:\program files\Java
.

------- Sigcheck -------

[-] 2008-04-14 . CDDB1F8E1AEA356F3AD106F2CF9B7FEA . 507904 . . [5.1.2600.5512] . . c:\windows\system32\winlogon.exe
[-] 2008-04-14 . CDDB1F8E1AEA356F3AD106F2CF9B7FEA . 507904 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\winlogon.exe
.
((((((((((((((((((((((((((((( SnapShot@2010-03-24_12.39.11 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-03-28 13:13 . 2010-03-28 13:13 16384 c:\windows\Temp\Perflib_Perfdata_a4c.dat
+ 2010-03-28 13:13 . 2010-03-28 13:13 16384 c:\windows\Temp\Perflib_Perfdata_124.dat
+ 2009-03-21 13:54 . 2010-03-26 14:04 280536 c:\windows\system32\FNTCACHE.DAT
.
(((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\lib\NMBgMonitor.exe" [2005-10-28 94208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2007-05-28 16132608]
"AzMixerSel"="c:\program files\Realtek\InstallShield\AzMixerSel.exe" [2005-06-11 53248]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-12-16 761945]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-04-16 819200]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-04-16 970752]
"LManager"="c:\progra~1\LAUNCH~1\LManager.exe" [2007-10-17 858632]
"avast!"="e:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]
"iTunesHelper"="e:\program files\iTunes\iTunesHelper.exe" [2009-06-05 292136]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-18 15360]

c:\documents and settings\All Users\Nabídka Start\Programy\Po spuštění\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2007-4-1 568176]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"e:\\Program Files\\ICQ6.5\\ICQ.exe"=
"e:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"e:\\Program Files\\Wolfram Research\\Mathematica\\7.0\\Mathematica.exe"=
"e:\\Program Files\\Wolfram Research\\Mathematica\\7.0\\MathKernel.exe"=
"e:\\Program Files\\Wolfram Research\\Mathematica\\7.0\\math.exe"=
"e:\\Program Files\\Nero 7\\Nero 7\\Nero Home\\NeroHome.exe"=
"e:\\Program Files\\Genuitec_fortran\\Profiles\\Eclipse 3.4 Classic\\eclipse.exe"=
"c:\\WINDOWS\\system32\\javaw.exe"=
"e:\\Program Files\\MATLAB\\R2008a\\bin\\win32\\MATLAB.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"e:\\Program Files\\iTunes\\iTunes.exe"=
"e:\\Program Files\\Maple 11\\jre\\bin\\maple.exe"=
"e:\\Program Files\\Maple 11\\jre\\bin\\java.exe"=
"e:\\Program Files\\SopCast\\SopCast.exe"=
"e:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\O2\\agent\\bin\\bcont.exe"=
"c:\\Program Files\\O2\\bin\\wificfg.exe"=
"c:\\Program Files\\Common Files\\SupportSoft\\bin\\ssrc.exe"=
"c:\\Program Files\\O2\\agent\\bin\\bcont_nm.exe"=
"e:\\Program Files\\Proxy Switcher Standard\\ProxySwitcher.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [21.3.2009 17:34 114768]
R2 Application Updater;Application Updater;c:\program files\Application Updater\ApplicationUpdater.exe [8.1.2010 1:51 380928]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [21.3.2009 17:34 20560]
R2 RTWTKRNL;Real-Time Windows Target;c:\windows\system32\drivers\RTWTKRNL.sys [23.3.2009 19:18 29184]
R2 sprtsvc_O2;SupportSoft Sprocket Service (O2);c:\program files\O2\bin\sprtsvc.exe [4.3.2009 16:52 202016]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
FF - ProfilePath - c:\documents and settings\jančo\Data aplikací\Mozilla\Firefox\Profiles\pte9svr1.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://news.bbc.co.uk/weather/forecast/353
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&oe=UTF-8 ... &gfns=1&q=
FF - plugin: e:\program files\iTunes\Mozilla Plugins\npitunes.dll

---- FIREFOX POLICIES ----
e:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
e:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
e:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
e:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
e:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
e:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
e:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
e:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
e:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
e:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
e:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
e:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
e:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
e:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
e:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
e:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
e:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
e:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
e:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
e:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
e:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
e:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
e:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
e:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
e:\program files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".cz");
e:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
e:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
e:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
e:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
e:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
e:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
e:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
e:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
e:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
e:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
e:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
e:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-28 14:14
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- Dlls Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3932)
e:\program files\iTunes\iTunesMiniPlayer.dll
e:\program files\iTunes\iTunesMiniPlayer.Resources\en.lproj\iTunesMiniPlayerLocalized.dll
e:\program files\iTunes\iTunesMiniPlayer.Resources\iTunesMiniPlayer.dll
c:\windows\system32\btmmhook.dll
c:\windows\system32\msi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
e:\program files\Alwil Software\Avast4\aswUpdSv.exe
e:\program files\Alwil Software\Avast4\ashServ.exe
c:\windows\RTHDCPL.EXE
c:\windows\system32\igfxext.exe
c:\windows\system32\igfxsrvc.exe
c:\docume~1\JANO~1\LOCALS~1\Temp\RtkBtMnt.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\wscntfy.exe
e:\program files\Alwil Software\Avast4\ashMaiSv.exe
e:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wbem\wmiapsrv.exe
c:\program files\Intel\Wireless\Bin\Dot1XCfg.exe
c:\windows\system32\wpabaln.exe
.
**************************************************************************
.
Completion time: 2010-03-28 14:16:29 - machine was rebooted
ComboFix-quarantined-files.txt 2010-03-28 13:16
ComboFix2.txt 2010-03-26 21:44
ComboFix3.txt 2010-03-26 18:51
ComboFix4.txt 2010-03-26 09:20
ComboFix5.txt 2010-03-28 13:10

Pre-Run: 46,073,061,376 bytes free
Post-Run: 46,040,399,872 bytes free

- - End Of File - - CEC22DAE6AA0D137089DC4B87F0973FE
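
One thing a practitioner reading the report above would check before calling the machine clean: the registry section lists AntiVirusOverride and FirewallOverride set to 1 under the Security Center key, and EnableFirewall set to 0 with DisableNotifications set to 1 for the firewall's standard profile, so Windows Firewall is off and Security Center will not warn about it. The log does not say who set them, and third-party security suites or the user can set such values legitimately, so the output is a prompt to verify, not a verdict. The block below is an added example, not code from this thread or from ComboFix: it parses the REGEDIT4-style section of a ComboFix report (the relevant lines from the report above are copied in as constructed sample input), decodes both value spellings ComboFix uses, and lists every setting that matches a small table of protection-weakening values.

```python
import re

# Lines copied from the "Reg Loading Points" section of the ComboFix report above;
# this is the parser's constructed sample input.
REPORT_SAMPLE = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2007-05-28 16132608]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<raw>.+?)\s*$')

# Values that weaken the protection Windows XP's Security Center and firewall provide.
# Keys are matched by path suffix, case-insensitively, because ComboFix abbreviates HKLM paths.
WEAK_SETTINGS = {
    ("security center", "antivirusoverride"): (1, "Security Center stops warning about antivirus state"),
    ("security center", "firewalloverride"): (1, "Security Center stops warning about firewall state"),
    ("firewallpolicy\\standardprofile", "enablefirewall"): (0, "Windows Firewall disabled for the standard profile"),
    ("firewallpolicy\\standardprofile", "disablenotifications"): (1, "firewall block notifications suppressed"),
}


def decode_value(raw):
    """Turn ComboFix's value spellings into Python values: dword:0000000a -> 10, '1 (0x1)' -> 1."""
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    m = re.match(r"^(\d+)\s*\(0x[0-9a-fA-F]+\)$", raw)
    if m:
        return int(m.group(1))
    m = re.match(r'^"([^"]*)"', raw)  # quoted string, possibly followed by [date size]
    if m:
        return m.group(1)
    return raw


def parse_reg_section(text):
    """Return {key_path: {value_name: value}} from the REGEDIT4-style section of a ComboFix log."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        km = KEY_RE.match(line)
        if km:
            current = km.group("key")
            keys.setdefault(current, {})
            continue
        vm = VALUE_RE.match(line)
        if vm and current is not None:
            keys[current][vm.group("name")] = decode_value(vm.group("raw"))
    return keys


def weakened_settings(keys):
    """List (key_path, value_name, value, explanation) for every weak setting present."""
    findings = []
    for key_path, values in keys.items():
        for name, value in values.items():
            for (key_suffix, weak_name), (weak_value, why) in WEAK_SETTINGS.items():
                if (key_path.lower().endswith(key_suffix)
                        and name.lower() == weak_name and value == weak_value):
                    findings.append((key_path, name, value, why))
    return findings


if __name__ == "__main__":
    for key_path, name, value, why in weakened_settings(parse_reg_section(REPORT_SAMPLE)):
        print(f"{key_path}\\{name} = {value}: {why}")
```

Run it over the full registry section of a report rather than the excerpt; entries ComboFix prints without a value (such as the firewall AuthorizedApplications list) are skipped, since only settings with a decodable value are compared.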
