Přihlašování na ip

[Rygy]

Něco se mi furt připojuje na jinou IP, není to csrss.exe? Prosím o radu, díky


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:07:30, on 22.2.2010
Platform: Unknown Windows (WinNT 6.01.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16385)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Users\Rygol\AppData\Local\Temp\Kq1.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Common Files\AVerMedia\AVerQuick\AVerHIDReceiver.exe
C:\Program Files\Common Files\AVerMedia\AVerQuick\AVerQuick.exe
C:\Windows\System32\spool\drivers\w32x86\3\CAP3LAK.EXE
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\CAP3SWK.EXE
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Windows\system32\taskmgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\explorer.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\explorer.exe
C:\Users\Rygol\Downloads\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://search.qip.ru
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://search.qip.ru
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.qip.ru/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.qip.ru
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.qip.ru/ie
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = Root: HKCU; Subkey: Software\Microsoft\Internet Explorer\SearchUrl; ValueType: string; ValueName: '; ValueData: '; Flags: createvalueifdoesntexist noerror; Tasks: AddSearchQip
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: QIPBHO Class - {A55F9C95-2BB1-4EA2-BC77-DFAAB78832CE} - C:\Users\Rygol\AppData\Roaming\Microsoft\Internet Explorer\qipsearchbar.dll
R3 - URLSearchHook: (no name) - - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: QIPBHO - {A55F9C95-2BB1-4EA2-BC77-DFAAB78832CE} - C:\Users\Rygol\AppData\Roaming\Microsoft\Internet Explorer\qipsearchbar.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [CAP3ON] C:\Windows\system32\spool\drivers\w32x86\3\CAP3ONN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
O4 - HKCU\..\Run: [LosAlamos] rundll32.exe C:\Windows\system32\sshnas21.dll,AttachConsoleA
O4 - HKCU\..\Run: [TOY5KNQ8OC] C:\Users\Rygol\AppData\Local\Temp\Kq1.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O4 - Startup: Výřezy obrazovky a spuštění aplikace OneNote 2007.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Aktualizovat ESET licenci.lnk = C:\Program Files\ESET\MiNODLogin\MiNODLogin.exe
O4 - Global Startup: AVer HID Receiver.lnk = C:\Program Files\Common Files\AVerMedia\AVerQuick\AVerHIDReceiver.exe
O4 - Global Startup: AVerQuick.lnk = C:\Program Files\Common Files\AVerMedia\AVerQuick\AVerQuick.exe
O4 - Global Startup: Canon LASER SHOT LBP-1120 Status Window.LNK = C:\Windows\System32\spool\drivers\w32x86\3\CAP3LAK.EXE
O8 - Extra context menu item: E&xportovat do aplikace Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: Odeslat do aplikace OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: Od&eslat do aplikace OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Andrea ADI Filters Service (AEADIFilters) - Andrea Electronics Corporation - C:\Windows\system32\AEADISRV.EXE
O23 - Service: AMD External Events Utility - AMD - C:\Windows\system32\atiesrxx.exe
O23 - Service: AVerRemote - AVerMedia - C:\Program Files\Common Files\AVerMedia\Service\AVerRemote.exe
O23 - Service: AVerScheduleService - Unknown owner - C:\Program Files\Common Files\AVerMedia\Service\AVerScheduleService.exe
O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Cisco AnyConnect VPN Agent (vpnagent) - Cisco Systems, Inc. - C:\Program Files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe

--
End of file - 7628 bytes

[Rygy]

jinak mi nejde stáhnout mwav, stáhne 0kb a poté napíše, že aplikace není platná 32bit. Co se týče nod32, tak ten nic nenašel, akorát opakovaně po chvilce ukazuje, že zablokoval spojení s yourgot.com a cosi kdesi + IP adresu, kde je na konci port :80

[zombux]

ComboFix

[Rygy]

ComboFix 10-02-21.02 - Rygol 22.02.2010 19:53:30.1.2 - x86
Microsoft Windows 7 Professional 6.1.7600.0.1250.420.1029.18.3036.1766 [GMT 1:00]
Spuštěný z: c:\users\Rygol\Desktop\ComboFix.exe
* Rezidentní štít AV je zapnutý

.
ADS - Windows: deleted 24 bytes in 1 streams.

((((((((((((((((((((((((((((((((((((((( Ostatní výmazy )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\programdata\Microsoft\Network\Downloader\qmgr0.dat
c:\programdata\Microsoft\Network\Downloader\qmgr1.dat
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\AVerQuick.lnk
c:\windows\system32\images
c:\windows\system32\images\toolbar\calendar.gif
c:\windows\system32\images\toolbar\crlogo.gif
c:\windows\system32\images\toolbar\export.gif
c:\windows\system32\images\toolbar\export_over.gif
c:\windows\system32\images\toolbar\exportd.gif
c:\windows\system32\images\toolbar\First.gif
c:\windows\system32\images\toolbar\first_over.gif
c:\windows\system32\images\toolbar\Firstd.gif
c:\windows\system32\images\toolbar\gotopage.gif
c:\windows\system32\images\toolbar\gotopage_over.gif
c:\windows\system32\images\toolbar\gotopaged.gif
c:\windows\system32\images\toolbar\grouptree.gif
c:\windows\system32\images\toolbar\grouptree_over.gif
c:\windows\system32\images\toolbar\grouptreed.gif
c:\windows\system32\images\toolbar\grouptreepressed.gif
c:\windows\system32\images\toolbar\Last.gif
c:\windows\system32\images\toolbar\last_over.gif
c:\windows\system32\images\toolbar\Lastd.gif
c:\windows\system32\images\toolbar\Next.gif
c:\windows\system32\images\toolbar\next_over.gif
c:\windows\system32\images\toolbar\Nextd.gif
c:\windows\system32\images\toolbar\Prev.gif
c:\windows\system32\images\toolbar\prev_over.gif
c:\windows\system32\images\toolbar\Prevd.gif
c:\windows\system32\images\toolbar\print.gif
c:\windows\system32\images\toolbar\print_over.gif
c:\windows\system32\images\toolbar\printd.gif
c:\windows\system32\images\toolbar\Refresh.gif
c:\windows\system32\images\toolbar\refresh_over.gif
c:\windows\system32\images\toolbar\refreshd.gif
c:\windows\system32\images\toolbar\Search.gif
c:\windows\system32\images\toolbar\search_over.gif
c:\windows\system32\images\toolbar\searchd.gif
c:\windows\system32\images\toolbar\up.gif
c:\windows\system32\images\toolbar\up_over.gif
c:\windows\system32\images\toolbar\upd.gif
c:\windows\system32\images\tree\begindots.gif
c:\windows\system32\images\tree\beginminus.gif
c:\windows\system32\images\tree\beginplus.gif
c:\windows\system32\images\tree\blank.gif
c:\windows\system32\images\tree\blankdots.gif
c:\windows\system32\images\tree\dots.gif
c:\windows\system32\images\tree\lastdots.gif
c:\windows\system32\images\tree\lastminus.gif
c:\windows\system32\images\tree\lastplus.gif
c:\windows\system32\images\tree\Magnify.gif
c:\windows\system32\images\tree\minus.gif
c:\windows\system32\images\tree\minusbox.gif
c:\windows\system32\images\tree\plus.gif
c:\windows\system32\images\tree\plusbox.gif
c:\windows\system32\images\tree\singleminus.gif
c:\windows\system32\images\tree\singleplus.gif
c:\windows\system32\pthreadVC.dll
c:\windows\Tasks\{66BA574B-1E11-49b8-909C-8CC9E0E8E015}.job

----- BITS: Možné infikované stránky -----

hxxp://armmf.adobe.com
.
((((((((((((((((((((((((( Soubory vytvořené od 2010-01-22 do 2010-02-22 )))))))))))))))))))))))))))))))
.

2010-02-22 19:01 . 2010-02-22 19:01 -------- d-----w- c:\users\Rygol\AppData\Local\temp
2010-02-22 19:01 . 2010-02-22 19:01 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-02-22 10:56 . 2010-02-22 10:35 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-02-22 10:33 . 2010-02-22 10:33 -------- dc-h--w- c:\programdata\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-02-22 10:33 . 2010-02-04 15:53 2954656 -c--a-w- c:\programdata\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}\Ad-AwareInstaller.exe
2010-02-22 10:33 . 2010-02-22 10:35 -------- d-----w- c:\programdata\Lavasoft
2010-02-22 10:33 . 2010-02-22 10:33 -------- d-----w- c:\program files\Lavasoft
2010-02-21 07:27 . 2010-02-21 07:36 -------- d-----w- c:\program files\Vision Objects
2010-02-18 20:26 . 2010-02-18 20:26 -------- d-----w- c:\windows\system32\js
2010-02-18 20:26 . 2010-02-18 20:26 -------- d-----w- c:\windows\system32\html
2010-02-18 20:26 . 2010-02-18 20:26 -------- d-----w- c:\windows\system32\css
2010-02-18 20:26 . 2010-02-18 20:26 -------- d-----w- c:\program files\Business Objects
2010-02-18 20:26 . 2010-02-18 20:26 -------- d-----w- c:\program files\Microsoft Device Emulator
2010-02-18 20:25 . 2010-02-18 20:26 -------- d-----w- c:\program files\Windows Mobile 5.0 SDK R2
2010-02-18 20:24 . 2010-02-18 20:24 -------- d-----w- c:\program files\Microsoft Synchronization Services
2010-02-18 20:24 . 2010-02-18 20:24 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition
2010-02-18 20:16 . 2010-02-18 20:16 -------- d-----w- c:\programdata\PreEmptive Solutions
2010-02-18 20:11 . 2010-02-18 20:11 -------- d-----w- c:\windows\symbols
2010-02-18 20:09 . 2010-02-18 20:12 -------- d-----w- c:\program files\HTML Help Workshop
2010-02-18 20:09 . 2010-02-18 20:09 -------- d-----w- c:\program files\CE Remote Tools
2010-02-18 06:55 . 2010-02-18 06:55 -------- d-----w- c:\program files\Microsoft Web Designer Tools
2010-02-09 13:37 . 2010-02-09 13:38 -------- d-----w- c:\users\Rygol\AppData\Roaming\Zoner
2010-02-09 13:37 . 2010-02-09 13:37 -------- d-----w- c:\users\Rygol\AppData\Local\Zoner
2010-02-09 13:36 . 2010-02-09 13:36 -------- d-----w- c:\program files\Zoner
2010-02-03 10:59 . 2009-06-02 14:39 737152 ----a-w- c:\windows\system32\drivers\A885VCap.sys
2010-02-03 10:22 . 2010-02-07 19:06 -------- d-----w- c:\users\Rygol\AppData\Local\AVer MediaCenter
2010-02-03 10:21 . 2010-02-03 10:21 -------- d-----w- c:\programdata\AVer MediaCenter
2010-02-03 09:37 . 2010-02-03 11:05 -------- d-----w- c:\programdata\AVerTV
2010-02-03 09:36 . 2010-02-03 09:36 -------- d-----w- c:\users\Rygol\AppData\Local\AVerMedia
2010-02-03 09:36 . 2009-08-18 21:25 102400 ----a-w- c:\windows\system32\CardID.dll
2010-02-03 09:36 . 2007-02-08 20:09 49152 ----a-w- c:\windows\system32\AVerIO.dll
2010-02-03 09:36 . 2005-04-29 02:08 3456 ----a-w- c:\windows\system32\AVerIO.sys
2010-02-03 09:36 . 2009-08-13 23:23 307200 ----a-w- c:\windows\system32\sptlib01.dll
2010-02-03 09:36 . 2009-08-07 00:22 598016 ----a-w- c:\windows\system32\sptlib21.dll
2010-02-03 09:36 . 2009-07-03 02:38 294912 ----a-w- c:\windows\system32\sptlib11.dll
2010-02-03 09:36 . 2009-05-25 21:56 249856 ----a-w- c:\windows\system32\sptlib03.dll
2010-02-03 09:36 . 2009-03-23 20:59 225280 ----a-w- c:\windows\system32\sptlib02.dll
2010-02-03 09:36 . 2008-12-02 23:03 135168 ----a-w- c:\windows\system32\sptlib12.dll
2010-02-03 09:36 . 2008-10-08 00:31 290816 ----a-w- c:\windows\system32\sptlib22.dll
2010-02-03 09:31 . 2010-02-03 10:19 -------- d-----w- c:\program files\Common Files\AVerMedia
2010-02-03 09:31 . 2010-02-03 09:31 -------- d-----w- c:\programdata\AVerMedia
2010-02-03 08:57 . 2010-02-03 08:57 -------- d-----w- c:\users\user\LOCALS~1
2010-02-03 08:57 . 2010-02-03 08:57 -------- d-----w- c:\users\user
2010-02-03 08:29 . 2010-02-03 08:29 -------- d-----w- c:\program files\PlayReady
2010-02-03 08:27 . 2010-02-03 08:27 48648 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup-2\Markup.dll
2010-02-03 07:59 . 2010-02-03 11:01 -------- d-----w- c:\windows\Driver Cache
2010-02-03 07:57 . 2010-02-03 10:19 -------- d-----w- c:\program files\AVerMedia
2010-01-27 10:59 . 2010-01-27 10:59 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-01-26 22:00 . 2009-10-31 05:45 2614272 ----a-w- c:\windows\explorer.exe
2010-01-26 22:00 . 2009-10-28 06:17 285696 ----a-w- c:\windows\system32\winlogon.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-21 20:14 . 2009-10-13 21:11 -------- d-----w- c:\program files\Common Files\InstallShield
2010-02-21 19:17 . 2009-10-28 11:29 -------- d-----w- c:\program files\Garena
2010-02-21 19:08 . 2009-09-25 08:45 687972 ----a-w- c:\windows\system32\perfh005.dat
2010-02-21 19:08 . 2009-09-25 08:45 143212 ----a-w- c:\windows\system32\perfc005.dat
2010-02-21 07:36 . 2009-11-07 11:33 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-02-18 20:42 . 2009-09-25 09:09 -------- d-----w- c:\programdata\Microsoft Help
2010-02-18 20:42 . 2009-09-25 09:54 -------- d-----w- c:\program files\Microsoft Visual Studio 9.0
2010-02-18 20:33 . 2009-09-25 10:01 111256 ----a-w- c:\users\Rygol\AppData\Local\GDIPFONTCACHEV1.DAT
2010-02-18 20:23 . 2009-09-25 09:11 -------- d-----w- c:\program files\Microsoft.NET
2010-02-18 20:16 . 2009-09-25 09:54 -------- d-----w- c:\program files\Common Files\Merge Modules
2010-02-18 20:11 . 2009-07-14 04:52 -------- d-----w- c:\program files\MSBuild
2010-02-04 15:53 . 2010-02-22 10:35 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-01-27 11:10 . 2009-09-26 07:47 -------- d-----w- c:\program files\Common Files\Adobe
2010-01-18 23:29 . 2010-02-10 06:18 365568 ----a-w- c:\windows\system32\secproc_isv.dll
2010-01-18 23:29 . 2010-02-10 06:18 85504 ----a-w- c:\windows\system32\secproc_ssp_isv.dll
2010-01-18 23:29 . 2010-02-10 06:18 85504 ----a-w- c:\windows\system32\secproc_ssp.dll
2010-01-18 23:29 . 2010-02-10 06:18 369152 ----a-w- c:\windows\system32\secproc.dll
2010-01-18 23:28 . 2010-02-10 06:18 324608 ----a-w- c:\windows\system32\RMActivate_isv.exe
2010-01-18 23:28 . 2010-02-10 06:18 277504 ----a-w- c:\windows\system32\RMActivate_ssp_isv.exe
2010-01-18 23:28 . 2010-02-10 06:18 320512 ----a-w- c:\windows\system32\RMActivate.exe
2010-01-18 23:28 . 2010-02-10 06:18 280064 ----a-w- c:\windows\system32\RMActivate_ssp.exe
2010-01-14 10:12 . 2009-10-02 19:15 181120 ------w- c:\windows\system32\MpSigStub.exe
2010-01-13 21:42 . 2008-08-14 05:57 73312 ----a-w- c:\windows\system32\drivers\adfs.sys
2010-01-12 16:04 . 2010-01-12 14:29 -------- d-----w- c:\users\Rygol\AppData\Roaming\Hamachi
2010-01-08 03:18 . 2010-02-10 06:18 221184 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-01-08 03:17 . 2010-02-10 06:18 123392 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-01-06 14:55 . 2010-01-06 14:55 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_ccdcmb_01005.Wdf
2009-12-20 20:59 . 2009-10-13 20:23 484160 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2009-12-19 09:02 . 2010-01-21 19:15 977920 ----a-w- c:\windows\system32\wininet.dll
2009-12-19 09:02 . 2010-02-10 06:18 12288 ----a-w- c:\windows\system32\tsbyuv.dll
2009-12-19 09:02 . 2010-02-10 06:18 1328640 ----a-w- c:\windows\system32\quartz.dll
2009-12-19 09:02 . 2010-02-10 06:18 22016 ----a-w- c:\windows\system32\msyuv.dll
2009-12-19 09:02 . 2010-02-10 06:18 31744 ----a-w- c:\windows\system32\msvidc32.dll
2009-12-19 09:02 . 2010-02-10 06:18 13312 ----a-w- c:\windows\system32\msrle32.dll
2009-12-19 09:02 . 2010-02-10 06:18 84480 ----a-w- c:\windows\system32\mciavi32.dll
2009-12-19 09:02 . 2010-02-10 06:18 50176 ----a-w- c:\windows\system32\iyuv_32.dll
2009-12-19 09:02 . 2010-02-10 06:18 91648 ----a-w- c:\windows\system32\avifil32.dll
2009-12-08 11:40 . 2010-02-10 06:18 3955288 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-12-08 11:40 . 2010-02-10 06:18 3899464 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-12-08 11:32 . 2010-02-10 06:18 292864 ----a-w- c:\windows\system32\apphelp.dll
2009-12-08 08:05 . 2010-02-10 06:18 310784 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-08 08:05 . 2010-02-10 06:18 113664 ----a-w- c:\windows\system32\drivers\srvnet.sys
2009-06-10 21:26 . 2009-07-14 02:04 9633792 --sha-r- c:\windows\Fonts\StaticCache.dat
2009-07-14 01:14 . 2009-07-13 23:42 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe
.

(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A55F9C95-2BB1-4EA2-BC77-DFAAB78832CE}"= "c:\users\Rygol\AppData\Roaming\Microsoft\Internet Explorer\qipsearchbar.dll" [2009-07-14 150768]

[HKEY_CLASSES_ROOT\clsid\{a55f9c95-2bb1-4ea2-bc77-dfaab78832ce}]
[HKEY_CLASSES_ROOT\qipbar.QIPBHO.1]
[HKEY_CLASSES_ROOT\TypeLib\{45FF696B-5284-4781-B2CA-ECF3A742A17B}]
[HKEY_CLASSES_ROOT\qipbar.QIPBHO]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A55F9C95-2BB1-4EA2-BC77-DFAAB78832CE}]
2009-07-14 15:14 150768 ----a-w- c:\users\Rygol\AppData\Roaming\Microsoft\Internet Explorer\qipsearchbar.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2009-04-13 2387968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-05-14 2029640]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-03-28 1045800]
"CAP3ON"="c:\windows\system32\spool\drivers\w32x86\3\CAP3ONN.EXE" [2007-01-19 28288]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2009-12-18 39424]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2009-05-18 1314816]

c:\users\Rygol\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Věýezy obrazovky a spuçtŘnˇ aplikace OneNote 2007.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2008-10-25 98696]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Aktualizovat ESET licenci.lnk - c:\program files\ESET\MiNODLogin\MiNODLogin.exe [2009-10-24 125952]
AVer HID Receiver.lnk - c:\program files\Common Files\AVerMedia\AVerQuick\AVerHIDReceiver.exe [2010-2-3 155648]
Canon LASER SHOT LBP-1120 Status Window.LNK - c:\windows\System32\spool\drivers\w32x86\3\CAP3LAK.EXE [2007-1-9 38976]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS4ServiceManager]
2010-01-13 21:42 611712 ----a-w- c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe

R0 Lbd;Lbd;c:\windows\System32\drivers\Lbd.sys [22.2.2010 11:35 64288]
R1 ehdrv;ehdrv;c:\windows\System32\drivers\ehdrv.sys [14.5.2009 14:47 107256]
R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\System32\drivers\vwififlt.sys [14.7.2009 0:52 48128]
R2 AMD External Events Utility;AMD External Events Utility;c:\windows\System32\atiesrxx.exe [18.8.2009 1:36 176128]
R2 AVerRemote;AVerRemote;c:\program files\Common Files\AVerMedia\Service\AVerRemote.exe [3.2.2010 10:36 344064]
R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [14.5.2009 14:47 731840]
R2 epfwwfpr;epfwwfpr;c:\windows\System32\drivers\epfwwfpr.sys [14.5.2009 14:49 93312]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [4.2.2010 16:52 1229232]
R2 vpnagent;Cisco AnyConnect VPN Agent;c:\program files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe [9.10.2009 16:07 493248]
R3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\System32\drivers\vwifimp.sys [14.7.2009 0:52 14336]
R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\System32\drivers\yk62x86.sys [28.9.2009 8:22 315392]
S2 AVerScheduleService;AVerScheduleService;c:\program files\Common Files\AVerMedia\Service\AVerScheduleService.exe [3.2.2010 10:36 405504]
S3 CXSONORA;AVerMedia 23885 AvStream Video Capture;c:\windows\System32\drivers\A885VCap.sys [3.2.2010 11:59 737152]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\sqladhlp.exe [11.7.2008 1:28 47128]
S4 RsFx0102;RsFx0102 Driver;c:\windows\System32\drivers\RsFx0102.sys [10.7.2008 1:49 242712]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [11.7.2008 1:28 369688]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2009-04-13 13:08 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
.
------- Doplňkový sken -------
.
uDefault_Search_URL = hxxp://search.qip.ru
uSearchAssistant = hxxp://search.qip.ru/ie
uSearchURL,(Default) = Root: HKCU; Subkey: Software\Microsoft\Internet Explorer\SearchUrl; ValueType: string; ValueName: '; ValueData: '; Flags: createvalueifdoesntexist noerror; Tasks: AddSearchQip
IE: E&xportovat do aplikace Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\Rygol\AppData\Roaming\Mozilla\Firefox\Profiles\o3s28o0e.default\
FF - prefs.js: keyword.URL - hxxp://search.qip.ru/search?from=FF&query=
FF - component: c:\users\Rygol\AppData\Roaming\Mozilla\Firefox\Profiles\o3s28o0e.default\extensions\coc@ble.pl\components\dwmxpcom.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npwachk.dll

---- NASTAVENÍ FIREFOXU ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".cz");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - NEPLATNÉ POLOŽKY ODSTRANĚNÉ Z REGISTRU - - - -

HKCU-Run-AdobeBridge - (no file)



[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\GarenaPEngine]
"ImagePath"="\??\c:\users\Rygol\AppData\Local\Temp\GIK82D7.tmp"
.
--------------------- ZAMKNUTÉ KLÍČE V REGISTRU ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Celkový čas: 2010-02-22 20:04:00
ComboFix-quarantined-files.txt 2010-02-22 19:03

Před spuštěním: Volných bajtů: 443 814 526 976
Po spuštění: Volných bajtů: 444 346 556 416

- - End Of File - - 19FFC4577EF114E3D035DF8C97534570

[Rygy]

Ještě před Spuštěním programu jsem spustil Ad-ware a ten našel trojana a těsně před spuštěním mi nod32
22.2.2010 19:53:30 Rezidentní ochrana soubor C:\Users\Rygol\AppData\Local\Temp\Av-test.txt Eicar testovací soubor vyléčen smazáním - uložen do karantény NOTEBOOK\Rygol Tato skutečnost byla zjištěna na nově vytvořeném souboru aplikací: C:\ComboFix\CF32334.cfxxe.
22.2.2010 17:43:53 Kontrola při startu soubor C:\Users\Rygol\AppData\Local\Temp\Kq1.exe varianta infiltrace Win32/Kryptik.CNX trojský kůň vyléčen smazáním - uložen do karantény
22.2.2010 17:43:31 Kontrola při startu soubor C:\Windows\system32\sshnas21.dll varianta infiltrace Win32/Kryptik.COE trojský kůň vyléčen smazáním (po nejbližším restartu) - uložen do karantény NOTEBOOK\Rygol

Ad-ware našel:
Category Malware
Win32.Trojan.Agent

[jan.svoboda]

Ahoj, pokud chvilku vydržíš, prostuduju log z ComboFixu a napíšu další postup, je tam opravdu celkem dost havěti.

[Rygy]

Budu jenom rád. Díky

[jan.svoboda]

Ale jak tak koukám, nedivím se, že tam je bordel. Takovej MiNODLogin pro nelegální aktualizace ESETu ...

Otevři Poznámkový blok a vlož do něj tento skript (kromě Kód):

Kód: Vybrat vše

KillAll::

File::
C:\Users\Rygol\AppData\Local\Temp\Kq1.exe
C:\Windows\system32\sshnas21.dll

RootKit::
c:\users\Rygol\AppData\Local\Temp\GIK82D7.tmp

Folder::
C:\Program Files\ESET\MiNODLogin

Driver::
GarenaPEngine

Registry::
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\GarenaPEngine]

Ulož na plochu jako CFScript.txt. Pak jej myší přetáhni nad ikonu ComboFix a pusť. CF se spustí a vykoná příkazy ze skriptu. Poté vyskočí nový log, ten sem vlož.

Ještě proskenuj PC MBAMem:
http://www.viry.cz/forum/viewtopic.php?f=29&t=67229 - Stáhni, nainstaluj, proveď aktualizaci, úplný sken, nic nemaž a výsledek z logu pošly sem.

[Rygy]

ComboFix 10-02-21.02 - Rygol 22.02.2010 21:01:32.2.2 - x86
Microsoft Windows 7 Professional 6.1.7600.0.1250.420.1029.18.3036.1882 [GMT 1:00]
Spuštěný z: c:\users\Rygol\Desktop\ComboFix.exe
Použité ovládací přepínače :: c:\users\Rygol\Desktop\CFScript.TXT
* Rezidentní štít AV je zapnutý


FILE ::
"c:\users\Rygol\AppData\Local\Temp\Kq1.exe"
"c:\windows\system32\sshnas21.dll"
.

((((((((((((((((((((((((((((((((((((((( Ostatní výmazy )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\ESET\MiNODLogin
c:\program files\ESET\MiNODLogin\MiNODLogin.exe
c:\program files\ESET\MiNODLogin\MiNODLogin.jar
c:\program files\ESET\MiNODLogin\MiNODLoginLib.dll
c:\program files\ESET\MiNODLogin\MiNODLoginUninst.exe
c:\program files\ESET\MiNODLogin\servidores.xml

.
((((((((((((((((((((((((((((((((((((((( Ovladače/Služby )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_GARENAPENGINE


((((((((((((((((((((((((( Soubory vytvořené od 2010-01-22 do 2010-02-22 )))))))))))))))))))))))))))))))
.

2010-02-22 20:09 . 2010-02-22 20:09 -------- d-----w- C:\Device
2010-02-22 20:09 . 2010-02-22 20:11 -------- d-----w- c:\users\Rygol\AppData\Local\temp
2010-02-22 20:09 . 2010-02-22 20:09 -------- d-----w- c:\users\user\AppData\Local\temp
2010-02-22 20:09 . 2010-02-22 20:09 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-02-22 20:09 . 2010-02-22 20:09 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-02-22 10:56 . 2010-02-22 10:35 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-02-22 10:35 . 2010-02-22 10:35 -------- dc----w- c:\windows\system32\DRVSTORE
2010-02-22 10:35 . 2010-02-04 15:53 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-02-22 10:35 . 2010-02-22 10:35 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-02-22 10:33 . 2010-02-22 10:33 -------- dc-h--w- c:\programdata\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-02-22 10:33 . 2010-02-22 10:35 -------- d-----w- c:\programdata\Lavasoft
2010-02-22 10:33 . 2010-02-22 10:33 -------- d-----w- c:\program files\Lavasoft
2010-02-21 07:27 . 2010-02-21 07:36 -------- d-----w- c:\program files\Vision Objects
2010-02-18 20:26 . 2010-02-18 20:26 -------- d-----w- c:\windows\system32\js
2010-02-18 20:26 . 2010-02-18 20:26 -------- d-----w- c:\windows\system32\html
2010-02-18 20:26 . 2010-02-18 20:26 -------- d-----w- c:\windows\system32\css
2010-02-18 20:26 . 2010-02-18 20:26 -------- d-----w- c:\program files\Business Objects
2010-02-18 20:26 . 2010-02-18 20:26 -------- d-----w- c:\program files\Microsoft Device Emulator
2010-02-18 20:25 . 2010-02-18 20:26 -------- d-----w- c:\program files\Windows Mobile 5.0 SDK R2
2010-02-18 20:24 . 2010-02-18 20:24 -------- d-----w- c:\program files\Microsoft Synchronization Services
2010-02-18 20:24 . 2010-02-18 20:24 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition
2010-02-18 20:16 . 2010-02-18 20:16 -------- d-----w- c:\programdata\PreEmptive Solutions
2010-02-18 20:11 . 2010-02-18 20:11 -------- d-----w- c:\windows\symbols
2010-02-18 20:09 . 2010-02-18 20:12 -------- d-----w- c:\program files\HTML Help Workshop
2010-02-18 20:09 . 2010-02-18 20:09 -------- d-----w- c:\program files\CE Remote Tools
2010-02-18 06:55 . 2010-02-18 06:55 -------- d-----w- c:\program files\Microsoft Web Designer Tools
2010-02-09 13:37 . 2010-02-09 13:38 -------- d-----w- c:\users\Rygol\AppData\Roaming\Zoner
2010-02-09 13:37 . 2010-02-09 13:37 -------- d-----w- c:\users\Rygol\AppData\Local\Zoner
2010-02-09 13:36 . 2010-02-09 13:36 -------- d-----w- c:\program files\Zoner
2010-02-03 10:59 . 2009-06-02 14:39 737152 ----a-w- c:\windows\system32\drivers\A885VCap.sys
2010-02-03 10:22 . 2010-02-07 19:06 -------- d-----w- c:\users\Rygol\AppData\Local\AVer MediaCenter
2010-02-03 10:21 . 2010-02-03 10:21 -------- d-----w- c:\programdata\AVer MediaCenter
2010-02-03 09:37 . 2010-02-03 11:05 -------- d-----w- c:\programdata\AVerTV
2010-02-03 09:36 . 2010-02-03 09:36 -------- d-----w- c:\users\Rygol\AppData\Local\AVerMedia
2010-02-03 09:36 . 2009-08-18 21:25 102400 ----a-w- c:\windows\system32\CardID.dll
2010-02-03 09:36 . 2007-02-08 20:09 49152 ----a-w- c:\windows\system32\AVerIO.dll
2010-02-03 09:36 . 2005-04-29 02:08 3456 ----a-w- c:\windows\system32\AVerIO.sys
2010-02-03 09:36 . 2009-08-13 23:23 307200 ----a-w- c:\windows\system32\sptlib01.dll
2010-02-03 09:36 . 2009-08-07 00:22 598016 ----a-w- c:\windows\system32\sptlib21.dll
2010-02-03 09:36 . 2009-07-03 02:38 294912 ----a-w- c:\windows\system32\sptlib11.dll
2010-02-03 09:36 . 2009-05-25 21:56 249856 ----a-w- c:\windows\system32\sptlib03.dll
2010-02-03 09:36 . 2009-03-23 20:59 225280 ----a-w- c:\windows\system32\sptlib02.dll
2010-02-03 09:36 . 2008-12-02 23:03 135168 ----a-w- c:\windows\system32\sptlib12.dll
2010-02-03 09:36 . 2008-10-08 00:31 290816 ----a-w- c:\windows\system32\sptlib22.dll
2010-02-03 09:31 . 2010-02-03 10:19 -------- d-----w- c:\program files\Common Files\AVerMedia
2010-02-03 09:31 . 2010-02-03 09:31 -------- d-----w- c:\programdata\AVerMedia
2010-02-03 08:57 . 2010-02-22 19:04 -------- d-----w- c:\users\user
2010-02-03 08:57 . 2010-02-03 08:57 -------- d-----w- c:\users\user\LOCALS~1
2010-02-03 08:29 . 2010-02-03 08:29 -------- d-----w- c:\program files\PlayReady
2010-02-03 07:59 . 2010-02-03 11:01 -------- d-----w- c:\windows\Driver Cache
2010-02-03 07:57 . 2010-02-03 10:19 -------- d-----w- c:\program files\AVerMedia
2010-01-27 10:59 . 2010-01-27 10:59 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-01-26 22:00 . 2009-10-31 05:45 2614272 ----a-w- c:\windows\explorer.exe
2010-01-26 22:00 . 2009-10-28 06:17 285696 ----a-w- c:\windows\system32\winlogon.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-22 20:08 . 2009-09-25 09:31 -------- d-----w- c:\program files\ESET
2010-02-21 20:14 . 2009-10-13 21:11 -------- d-----w- c:\program files\Common Files\InstallShield
2010-02-21 19:17 . 2009-10-28 11:29 -------- d-----w- c:\program files\Garena
2010-02-21 19:08 . 2009-09-25 08:45 687972 ----a-w- c:\windows\system32\perfh005.dat
2010-02-21 19:08 . 2009-09-25 08:45 143212 ----a-w- c:\windows\system32\perfc005.dat
2010-02-21 07:36 . 2009-11-07 11:33 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-02-18 20:42 . 2009-09-25 09:09 -------- d-----w- c:\programdata\Microsoft Help
2010-02-18 20:42 . 2009-09-25 09:54 -------- d-----w- c:\program files\Microsoft Visual Studio 9.0
2010-02-18 20:33 . 2009-09-25 10:01 111256 ----a-w- c:\users\Rygol\AppData\Local\GDIPFONTCACHEV1.DAT
2010-02-18 20:23 . 2009-09-25 09:11 -------- d-----w- c:\program files\Microsoft.NET
2010-02-18 20:16 . 2009-09-25 09:54 -------- d-----w- c:\program files\Common Files\Merge Modules
2010-02-18 20:11 . 2009-07-14 04:52 -------- d-----w- c:\program files\MSBuild
2010-02-04 15:53 . 2010-02-22 10:33 2954656 -c--a-w- c:\programdata\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}\Ad-AwareInstaller.exe
2010-02-03 08:27 . 2010-02-03 08:27 48648 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup-2\Markup.dll
2010-01-27 11:10 . 2009-09-26 07:47 -------- d-----w- c:\program files\Common Files\Adobe
2010-01-18 23:29 . 2010-02-10 06:18 365568 ----a-w- c:\windows\system32\secproc_isv.dll
2010-01-18 23:29 . 2010-02-10 06:18 85504 ----a-w- c:\windows\system32\secproc_ssp_isv.dll
2010-01-18 23:29 . 2010-02-10 06:18 85504 ----a-w- c:\windows\system32\secproc_ssp.dll
2010-01-18 23:29 . 2010-02-10 06:18 369152 ----a-w- c:\windows\system32\secproc.dll
2010-01-18 23:28 . 2010-02-10 06:18 324608 ----a-w- c:\windows\system32\RMActivate_isv.exe
2010-01-18 23:28 . 2010-02-10 06:18 277504 ----a-w- c:\windows\system32\RMActivate_ssp_isv.exe
2010-01-18 23:28 . 2010-02-10 06:18 320512 ----a-w- c:\windows\system32\RMActivate.exe
2010-01-18 23:28 . 2010-02-10 06:18 280064 ----a-w- c:\windows\system32\RMActivate_ssp.exe
2010-01-14 10:12 . 2009-10-02 19:15 181120 ------w- c:\windows\system32\MpSigStub.exe
2010-01-13 21:42 . 2008-08-14 05:57 73312 ----a-w- c:\windows\system32\drivers\adfs.sys
2010-01-12 16:04 . 2010-01-12 14:29 -------- d-----w- c:\users\Rygol\AppData\Roaming\Hamachi
2010-01-08 03:18 . 2010-02-10 06:18 221184 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-01-08 03:17 . 2010-02-10 06:18 123392 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-01-06 14:55 . 2010-01-06 14:55 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_ccdcmb_01005.Wdf
2009-12-20 20:59 . 2009-10-13 20:23 484160 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2009-12-19 09:02 . 2010-01-21 19:15 977920 ----a-w- c:\windows\system32\wininet.dll
2009-12-19 09:02 . 2010-02-10 06:18 12288 ----a-w- c:\windows\system32\tsbyuv.dll
2009-12-19 09:02 . 2010-02-10 06:18 1328640 ----a-w- c:\windows\system32\quartz.dll
2009-12-19 09:02 . 2010-02-10 06:18 22016 ----a-w- c:\windows\system32\msyuv.dll
2009-12-19 09:02 . 2010-02-10 06:18 31744 ----a-w- c:\windows\system32\msvidc32.dll
2009-12-19 09:02 . 2010-02-10 06:18 13312 ----a-w- c:\windows\system32\msrle32.dll
2009-12-19 09:02 . 2010-02-10 06:18 84480 ----a-w- c:\windows\system32\mciavi32.dll
2009-12-19 09:02 . 2010-02-10 06:18 50176 ----a-w- c:\windows\system32\iyuv_32.dll
2009-12-19 09:02 . 2010-02-10 06:18 91648 ----a-w- c:\windows\system32\avifil32.dll
2009-12-08 11:40 . 2010-02-10 06:18 3955288 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-12-08 11:40 . 2010-02-10 06:18 3899464 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-12-08 11:32 . 2010-02-10 06:18 292864 ----a-w- c:\windows\system32\apphelp.dll
2009-12-08 08:05 . 2010-02-10 06:18 310784 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-08 08:05 . 2010-02-10 06:18 113664 ----a-w- c:\windows\system32\drivers\srvnet.sys
2009-06-10 21:26 . 2009-07-14 02:04 9633792 --sha-r- c:\windows\Fonts\StaticCache.dat
2009-07-14 01:14 . 2009-07-13 23:42 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe
.

(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A55F9C95-2BB1-4EA2-BC77-DFAAB78832CE}"= "c:\users\Rygol\AppData\Roaming\Microsoft\Internet Explorer\qipsearchbar.dll" [2009-07-14 150768]

[HKEY_CLASSES_ROOT\clsid\{a55f9c95-2bb1-4ea2-bc77-dfaab78832ce}]
[HKEY_CLASSES_ROOT\qipbar.QIPBHO.1]
[HKEY_CLASSES_ROOT\TypeLib\{45FF696B-5284-4781-B2CA-ECF3A742A17B}]
[HKEY_CLASSES_ROOT\qipbar.QIPBHO]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A55F9C95-2BB1-4EA2-BC77-DFAAB78832CE}]
2009-07-14 15:14 150768 ----a-w- c:\users\Rygol\AppData\Roaming\Microsoft\Internet Explorer\qipsearchbar.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2009-04-13 2387968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-05-14 2029640]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-03-28 1045800]
"CAP3ON"="c:\windows\system32\spool\drivers\w32x86\3\CAP3ONN.EXE" [2007-01-19 28288]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2009-12-18 39424]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2009-05-18 1314816]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\startupfolder\C:^Users^Rygol^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Výřezy obrazovky a spuštění aplikace OneNote 2007.lnk]
path=c:\users\Rygol\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Výřezy obrazovky a spuštění aplikace OneNote 2007.lnk
backup=c:\windows\pss\Výřezy obrazovky a spuštění aplikace OneNote 2007.lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS4ServiceManager]
2010-01-13 21:42 611712 ----a-w- c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe

R0 Lbd;Lbd;c:\windows\System32\drivers\Lbd.sys [22.2.2010 11:35 64288]
R1 ehdrv;ehdrv;c:\windows\System32\drivers\ehdrv.sys [14.5.2009 14:47 107256]
R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\System32\drivers\vwififlt.sys [14.7.2009 0:52 48128]
R2 AMD External Events Utility;AMD External Events Utility;c:\windows\System32\atiesrxx.exe [18.8.2009 1:36 176128]
R2 AVerRemote;AVerRemote;c:\program files\Common Files\AVerMedia\Service\AVerRemote.exe [3.2.2010 10:36 344064]
R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [14.5.2009 14:47 731840]
R2 epfwwfpr;epfwwfpr;c:\windows\System32\drivers\epfwwfpr.sys [14.5.2009 14:49 93312]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [4.2.2010 16:52 1229232]
R2 vpnagent;Cisco AnyConnect VPN Agent;c:\program files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe [9.10.2009 16:07 493248]
R3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\System32\drivers\vwifimp.sys [14.7.2009 0:52 14336]
R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\System32\drivers\yk62x86.sys [28.9.2009 8:22 315392]
S2 AVerScheduleService;AVerScheduleService;c:\program files\Common Files\AVerMedia\Service\AVerScheduleService.exe [3.2.2010 10:36 405504]
S3 CXSONORA;AVerMedia 23885 AvStream Video Capture;c:\windows\System32\drivers\A885VCap.sys [3.2.2010 11:59 737152]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\sqladhlp.exe [11.7.2008 1:28 47128]
S4 RsFx0102;RsFx0102 Driver;c:\windows\System32\drivers\RsFx0102.sys [10.7.2008 1:49 242712]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [11.7.2008 1:28 369688]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2009-04-13 13:08 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
.
------- Doplňkový sken -------
.
uDefault_Search_URL = hxxp://search.qip.ru
uSearchAssistant = hxxp://search.qip.ru/ie
uSearchURL,(Default) = Root: HKCU; Subkey: Software\Microsoft\Internet Explorer\SearchUrl; ValueType: string; ValueName: '; ValueData: '; Flags: createvalueifdoesntexist noerror; Tasks: AddSearchQip
IE: E&xportovat do aplikace Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\Rygol\AppData\Roaming\Mozilla\Firefox\Profiles\o3s28o0e.default\
FF - prefs.js: keyword.URL - hxxp://search.qip.ru/search?from=FF&query=
FF - component: c:\users\Rygol\AppData\Roaming\Mozilla\Firefox\Profiles\o3s28o0e.default\extensions\coc@ble.pl\components\dwmxpcom.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npwachk.dll

---- NASTAVENÍ FIREFOXU ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".cz");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - NEPLATNÉ POLOŽKY ODSTRANĚNÉ Z REGISTRU - - - -

AddRemove-MiNODLogin - c:\program files\ESET\MiNODLogin\MiNODLoginUninst.exe


.
--------------------- ZAMKNUTÉ KLÍČE V REGISTRU ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- Knihovny navázané na běžící procesy ---------------------

- - - - - - - > 'Explorer.exe'(2900)
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
.
------------------------ Jiné spuštené procesy ------------------------
.
c:\windows\system32\atieclxx.exe
c:\windows\system32\AEADISRV.EXE
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\windows\system32\CAP3RSK.EXE
c:\windows\SYSTEM32\SPOOL\DRIVERS\W32X86\3\CAP3SWK.EXE
c:\windows\system32\taskhost.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\conhost.exe
c:\program files\Synaptics\SynTP\SynTPHelper.exe
c:\program files\Common Files\AVerMedia\AVerQuick\AVerHIDReceiver.exe
c:\windows\System32\spool\drivers\w32x86\3\CAP3LAK.EXE
c:\windows\SYSTEM32\SPOOL\DRIVERS\W32X86\3\CAP3SWK.EXE
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\system32\sppsvc.exe
c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
.
**************************************************************************
.
Celkový čas: 2010-02-22 21:16:53 - počítač byl restartován
ComboFix-quarantined-files.txt 2010-02-22 20:16
ComboFix2.txt 2010-02-22 19:04

Před spuštěním: Volných bajtů: 444 420 259 840
Po spuštění: Volných bajtů: 444 204 175 360

- - End Of File - - BB6A500D9C2E09DFC2F3F5AA064AF49B

[Rygy]

Teď dělám kompletním sken Malwarebytes...
Jinak o Nod32 jsem nevěděl, dal mi to tam kámoš, místo nodu 32 si tam dám Windows Essentials, dobrá volba nebo nod32 je lepší?

[Rygy]

Jinak toto jsem zjistil, že to teď je v protokolu nodu
22.2.2010 21:01:32 Rezidentní ochrana soubor C:\Users\Rygol\AppData\Local\Temp\Av-test.txt Eicar testovací soubor vyléčen smazáním - uložen do karantény NOTEBOOK\Rygol Tato skutečnost byla zjištěna na nově vytvořeném souboru aplikací: C:\ComboFix\CF23366.cfxxe.
22.2.2010 19:53:30 Rezidentní ochrana soubor C:\Users\Rygol\AppData\Local\Temp\Av-test.txt Eicar testovací soubor vyléčen smazáním - uložen do karantény NOTEBOOK\Rygol Tato skutečnost byla zjištěna na nově vytvořeném souboru aplikací: C:\ComboFix\CF32334.cfxxe.

[zombux]

eicar je v pohodě, to neřeš. jinak combofix ti to pěkně pročistil, těžko říct jestli tam je ještě něco.

[jan.svoboda]

OK, moment, za chvilku ještě mrknu na ten log z ComboFixu, snad už tam nic nebude, ale uvidíme. Již to vypadá dobře.

[jan.svoboda]

Ještě proskenuj PC MBAMem:
http://www.viry.cz/forum/viewtopic.php?f=29&t=67229 - Stáhni, nainstaluj, proveď aktualizaci, úplný sken, nic nemaž a výsledek z logu pošly sem. Jinak log z ComboFixu vypadá již dobře.

[Rygy]

Malwarebytes' Anti-Malware 1.44
Verze databáze: 3777
Windows 6.1.7600
Internet Explorer 8.0.7600.16385

23.2.2010 5:17:48
mbam-log-2010-02-23 (05-17-48).txt

Typ kontroly: Kompletní kontrola (C:\|)
Zkontrolované objekty: 299058
Uplynulý čas: 2 hour(s), 31 minute(s), 4 second(s)

Infikované procesy v paměti: 0
Infikované moduly v paměti: 0
Infikované klíče registru: 0
Infikované hodnoty registru: 0
Infikované datové položky registru: 0
Infikované adresáře: 0
Infikované soubory: 0

Infikované procesy v paměti:
(Nebyly nalezeny žádné škodlivé položky)

Infikované moduly v paměti:
(Nebyly nalezeny žádné škodlivé položky)

Infikované klíče registru:
(Nebyly nalezeny žádné škodlivé položky)

Infikované hodnoty registru:
(Nebyly nalezeny žádné škodlivé položky)

Infikované datové položky registru:
(Nebyly nalezeny žádné škodlivé položky)

Infikované adresáře:
(Nebyly nalezeny žádné škodlivé položky)

Infikované soubory:
(Nebyly nalezeny žádné škodlivé položky)

[jan.svoboda]

OK, log je čistý, dej sem tedy ještě poslední log, a to aktuální z HiajckThis. Jsou s PC nějaké problémy?

[Rygy]

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:27:47, on 23.2.2010
Platform: Unknown Windows (WinNT 6.01.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16385)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Program Files\Common Files\AVerMedia\AVerQuick\AVerHIDReceiver.exe
C:\Windows\System32\spool\drivers\w32x86\3\CAP3LAK.EXE
C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\CAP3SWK.EXE
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Users\Rygol\Downloads\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://search.qip.ru
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.qip.ru/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = Root: HKCU; Subkey: Software\Microsoft\Internet Explorer\SearchUrl; ValueType: string; ValueName: '; ValueData: '; Flags: createvalueifdoesntexist noerror; Tasks: AddSearchQip
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: QIPBHO Class - {A55F9C95-2BB1-4EA2-BC77-DFAAB78832CE} - C:\Users\Rygol\AppData\Roaming\Microsoft\Internet Explorer\qipsearchbar.dll
R3 - URLSearchHook: (no name) - - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Pomocná služba pro přihlášení ke službě Windows Live ID - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: QIPBHO - {A55F9C95-2BB1-4EA2-BC77-DFAAB78832CE} - C:\Users\Rygol\AppData\Roaming\Microsoft\Internet Explorer\qipsearchbar.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [CAP3ON] C:\Windows\system32\spool\drivers\w32x86\3\CAP3ONN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [MSSE] "c:\Program Files\Microsoft Security Essentials\msseces.exe" -hide -runkey
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
O4 - Global Startup: Aktualizovat ESET licenci.lnk = C:\Program Files\ESET\MiNODLogin\MiNODLogin.exe
O4 - Global Startup: AVer HID Receiver.lnk = C:\Program Files\Common Files\AVerMedia\AVerQuick\AVerHIDReceiver.exe
O4 - Global Startup: Canon LASER SHOT LBP-1120 Status Window.LNK = C:\Windows\System32\spool\drivers\w32x86\3\CAP3LAK.EXE
O8 - Extra context menu item: E&xportovat do aplikace Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: Přidat na blog - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Přidat na blog Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Odeslat do aplikace OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: Od&eslat do aplikace OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O10 - Unknown file in Winsock LSP: c:\program files\common files\microsoft shared\windows live\wlidnsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\microsoft shared\windows live\wlidnsp.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Andrea ADI Filters Service (AEADIFilters) - Andrea Electronics Corporation - C:\Windows\system32\AEADISRV.EXE
O23 - Service: AMD External Events Utility - AMD - C:\Windows\system32\atiesrxx.exe
O23 - Service: AVerRemote - AVerMedia - C:\Program Files\Common Files\AVerMedia\Service\AVerRemote.exe
O23 - Service: AVerScheduleService - Unknown owner - C:\Program Files\Common Files\AVerMedia\Service\AVerScheduleService.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Cisco AnyConnect VPN Agent (vpnagent) - Cisco Systems, Inc. - C:\Program Files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe

--
End of file - 7101 bytes


Všechno se zdá být v pohodě... Díky

[jan.svoboda]

Fixni v HijackThis:

R3 - URLSearchHook: (no name) - - (no file)
O4 - Global Startup: Aktualizovat ESET licenci.lnk = C:\Program Files\ESET\MiNODLogin\MiNODLogin.exe

Jen neškodné položky. Jinak se mi zdá všechno OK, logy jsou čisté... Takže je to vše. Za všechny zúčastněné, nemáš zač.