Slow internet - services.exe

Viruses and antivirus, PC security - firewall, spyware, etc.
petr7003
Newbie
Registered: 23 Mar 2010

Slow internet - services.exe

Post by petr7003 »

My internet connection and the computer have started slowing down. When I run netstat -b, the little program services.exe keeps showing up there - what should I do about it? I'm posting the logs from ComboFix and HijackThis.

ComboFix:
ComboFix 10-03-22.02 - Petr Novák 23.03.2010 8:22.11.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1250.420.1029.18.1022.567 [GMT 1:00]
Running from: c:\documents and settings\Petr Novák\Plocha\ComboFix.exe
AV: avast! antivirus 4.8.1368 [VPS 100321-1] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((( Files Created from 2010-02-23 to 2010-03-23 )))))))))))))))))))))))))))))))
.

2010-03-22 11:20 . 2009-11-21 16:03 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2010-03-22 11:19 . 2009-10-23 15:28 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe
2010-03-15 14:36 . 2009-11-24 23:48 23120 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-03-15 14:36 . 2009-11-24 23:49 48560 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-03-15 14:36 . 2009-11-24 23:47 27408 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-03-15 14:36 . 2009-11-24 23:47 97480 ----a-w- c:\windows\system32\AvastSS.scr
2010-03-15 14:36 . 2009-11-24 23:51 93424 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-03-15 14:36 . 2009-11-24 23:50 94160 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-03-15 14:36 . 2009-11-24 23:50 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-03-15 14:36 . 2009-11-24 23:50 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-03-15 14:35 . 2009-11-24 23:54 1280480 ----a-w- c:\windows\system32\aswBoot.exe
2010-03-09 14:06 . 2010-03-09 14:06 -------- d-----w- c:\program files\Microsoft Silverlight
2010-03-01 12:02 . 2009-02-09 11:25 111104 -c--a-w- c:\windows\system32\dllcache\services.exe
2010-03-01 12:02 . 2009-02-09 11:25 111104 ------w- c:\windows\system32\services.exe
2010-02-26 13:36 . 2010-02-26 13:39 -------- d-----w- C:\CD2
2010-02-26 13:10 . 2010-02-26 13:36 -------- d-----w- C:\CD1
2010-02-26 07:15 . 2010-03-23 07:35 802304 ----a-w- c:\windows\system32\drivers\pqiqp.sys
2010-02-25 11:34 . 2010-02-25 11:34 -------- d-----w- C:\Vitkovo Kvarteto - 1985 - Veterani Studene Valky
2010-02-25 11:33 . 2010-02-25 11:34 -------- d-----w- C:\Vitkovo Kvarteto - 1995 - Live 1995
2010-02-25 10:18 . 2010-02-25 10:19 -------- d-----w- C:\Vitkovo Kvarteto - Z Budikova Do Narodniho

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-23 07:12 . 2004-08-18 12:00 77872 ----a-w- c:\windows\system32\perfc005.dat
2010-03-23 07:12 . 2004-08-18 12:00 428750 ----a-w- c:\windows\system32\perfh005.dat
2010-03-22 14:07 . 2008-11-04 06:53 -------- d-----w- c:\program files\Opera
2010-03-16 12:26 . 2008-09-17 06:34 -------- d-----w- c:\program files\FT DVD Clone 4.0
2010-03-16 12:25 . 2006-07-31 10:54 -------- d-----w- c:\program files\BSPlayer
2010-03-16 12:25 . 2006-07-26 09:01 -------- d-----w- c:\program files\Elaborate Bytes
2010-03-16 12:24 . 2005-12-21 06:01 -------- d-----w- c:\program files\SlySoft
2010-03-15 07:59 . 2005-11-08 11:04 -------- d-----w- c:\program files\Google
2010-03-15 07:57 . 2006-08-18 12:17 -------- d-----w- c:\program files\Sudoku
2010-03-15 07:57 . 2008-03-21 08:56 -------- d-----w- c:\program files\Return to Castle Wolfenstein
2010-03-15 07:56 . 2008-09-16 11:37 -------- d-----w- c:\program files\Super Clone DVD
2010-03-15 07:55 . 2006-06-12 08:23 -------- d-----w- c:\program files\Yahoo!
2010-03-15 07:54 . 2007-07-24 10:40 -------- d-----w- c:\program files\HEROSOFT
2010-03-15 07:53 . 2008-10-06 11:57 -------- d-----w- c:\program files\E.M. DVD Copy
2010-03-15 07:51 . 2007-11-06 07:57 -------- d-----w- c:\program files\ElcomSoft
2010-02-22 06:49 . 2005-03-24 08:10 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-02-19 12:19 . 2006-11-03 13:35 -------- d-----w- c:\program files\Xilisoft
2010-02-19 09:53 . 2010-02-19 09:53 4384320 ----a-w- C:\Shockwave_Installer_Slim.exe
2010-02-15 11:30 . 2010-02-15 11:28 9936244 ----a-w- C:\convert.exe
2010-02-15 11:24 . 2010-02-15 11:21 25786688 ----a-w- C:\wmp11-windowsxp-x86-CS-CZ.exe
2010-02-12 09:44 . 2009-04-29 09:19 -------- d-----w- c:\program files\TC UP
2010-02-12 08:19 . 2010-02-12 08:19 475136 ----a-w- C:\SRDownloader.exe
2010-02-12 07:45 . 2010-02-12 07:45 -------- d-----w- c:\program files\Kodek CZ
2010-02-12 07:43 . 2010-02-12 07:43 5184550 ----a-w- C:\kodek016cz.exe
2010-02-12 06:48 . 2010-02-12 06:48 939956 ----a-w- C:\7z465.exe
2010-02-11 11:29 . 2010-02-11 11:28 14452040 ----a-w- C:\winzip140.exe
2010-02-09 07:27 . 2010-02-08 13:23 -------- d-----w- c:\program files\Rapidown
2010-01-30 21:48 . 2010-02-19 12:18 16601220 ----a-w- C:\x-avi-mpeg-converter-standard.exe
2010-01-05 09:58 . 2004-08-18 12:00 832512 ----a-w- c:\windows\system32\wininet.dll
2010-01-05 09:57 . 2009-06-25 07:21 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-05 09:57 . 2004-08-18 12:00 17408 ----a-w- c:\windows\system32\corpol.dll
2009-12-31 16:50 . 2004-08-18 12:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2005-06-13 23:37 . 2006-10-16 06:32 3606 ----a-w- c:\program files\ReadMe.txt
2005-06-13 23:25 . 2006-10-16 06:32 241664 ----a-w- c:\program files\IMGTool.exe
2007-10-08 10:28 . 2007-10-08 10:28 135680 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.

(((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legitimate default entries are not shown.
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{50d0cd27-d4ef-4a21-917e-a1573771def4}"= "c:\program files\forumswatcher.com\tbfor0.dll" [2009-11-09 2166296]
"{669163c1-c4b9-46de-ad62-a0271d3a0a75}"= "c:\program files\USARadioNow\tbUSA0.dll" [2009-11-09 2166296]

[HKEY_CLASSES_ROOT\clsid\{50d0cd27-d4ef-4a21-917e-a1573771def4}]

[HKEY_CLASSES_ROOT\clsid\{669163c1-c4b9-46de-ad62-a0271d3a0a75}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{50d0cd27-d4ef-4a21-917e-a1573771def4}]
2009-11-09 14:15 2166296 ----a-w- c:\program files\forumswatcher.com\tbfor0.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{669163c1-c4b9-46de-ad62-a0271d3a0a75}]
2009-11-09 14:15 2166296 ----a-w- c:\program files\USARadioNow\tbUSA0.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{50d0cd27-d4ef-4a21-917e-a1573771def4}"= "c:\program files\forumswatcher.com\tbfor0.dll" [2009-11-09 2166296]
"{669163c1-c4b9-46de-ad62-a0271d3a0a75}"= "c:\program files\USARadioNow\tbUSA0.dll" [2009-11-09 2166296]

[HKEY_CLASSES_ROOT\clsid\{50d0cd27-d4ef-4a21-917e-a1573771def4}]

[HKEY_CLASSES_ROOT\clsid\{669163c1-c4b9-46de-ad62-a0271d3a0a75}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{50D0CD27-D4EF-4A21-917E-A1573771DEF4}"= "c:\program files\forumswatcher.com\tbfor0.dll" [2009-11-09 2166296]
"{669163C1-C4B9-46DE-AD62-A0271D3A0A75}"= "c:\program files\USARadioNow\tbUSA0.dll" [2009-11-09 2166296]

[HKEY_CLASSES_ROOT\clsid\{50d0cd27-d4ef-4a21-917e-a1573771def4}]

[HKEY_CLASSES_ROOT\clsid\{669163c1-c4b9-46de-ad62-a0271d3a0a75}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PcSync"="c:\program files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2006-04-11 1409024]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-03 339968]
"Smapp"="c:\program files\Analog Devices\SoundMAX\Smtray.exe" [2002-06-26 90112]
"DAEMON Tools-1033"="c:\program files\D-Tools\daemon.exe" [2004-08-22 81920]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-09-01 282624]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2006-09-11 229952]
"PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2008-03-14 233472]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-05 149280]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\aaa\Nabídka Start\Programy\Po spuštění\
PowerReg SchedulerV2.exe [2004-12-9 256000]

c:\documents and settings\All Users.WINDOWS\Nabídka Start\Programy\Po spuštění\
Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 5.0 CE\Distillr\AcroTray.exe [2006-6-7 82026]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2009-11-18 495432]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2008-04-30 16:08 87352 ----a-w- c:\windows\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Ansys Inc\\v100\\ANSYS\\bin\\Intel\\ANSYS.exe"=
"c:\\Program Files\\Ansys Inc\\v100\\ANSYS\\bin\\Intel\\ans_admin.exe"=
"c:\\Program Files\\Ansys Inc\\v100\\ANSYS\\bin\\Intel\\ls970.exe"=
"c:\\Program Files\\Ansys Inc\\v100\\ANSYS\\bin\\Intel\\ls970_DP.exe"=
"c:\\Program Files\\Ansys Inc\\v100\\ANSYS\\bin\\Intel\\lsprepostd.exe"=
"c:\\Program Files\\Ansys Inc\\v100\\ANSYS\\bin\\Intel\\mpitest.exe"=
"c:\\Program Files\\Ansys Inc\\v100\\ANSYS\\bin\\Intel\\mpitestmpich.exe"=
"c:\\Program Files\\Ansys Inc\\v100\\ANSYS\\bin\\Intel\\sxpost.exe"=
"c:\\Program Files\\Ansys Inc\\v100\\ANSYS\\bin\\Intel\\tclsh.exe"=
"c:\\Program Files\\Ansys Inc\\v100\\ANSYS\\bin\\Intel\\wish.exe"=
"c:\\Program Files\\Ansys Inc\\v100\\ANSYS\\bin\\Intel\\DANSYS\\ANSYS.exe"=
"c:\\Program Files\\Ansys Inc\\v100\\ANSYS\\bin\\Intel\\DANSYSMPICH\\ANSYS.exe"=
"c:\\Program Files\\Ansys Inc\\v100\\CommonFiles\\TCL\\bin\\Intel\\tclsh.exe"=
"c:\\Program Files\\Ansys Inc\\v100\\CommonFiles\\TCL\\bin\\Intel\\wish.exe"=
"c:\\Program Files\\Ansys Inc\\v100\\ANSYS\\ac4\\bin\\catia\\Intel\\ac4catia.exe"=
"c:\\Program Files\\Ansys Inc\\v100\\CommonFiles\\CATIAV5\\Intel\\code\\bin\\ac4catia5.exe"=
"c:\\Program Files\\Ansys Inc\\v100\\ANSYS\\ac4\\bin\\para\\Intel\\ac4para.exe"=
"c:\\Program Files\\Ansys Inc\\v100\\ANSYS\\ac4\\bin\\pro\\Intel\\ac4pro.exe"=
"c:\\Program Files\\Ansys Inc\\v100\\ANSYS\\ac4\\bin\\sat\\Intel\\ac4sat.exe"=
"c:\\Program Files\\Ansys Inc\\v100\\ANSYS\\ac4\\bin\\ug10\\Intel\\ansconug10.exe"=
"c:\\Program Files\\Ansys Inc\\v100\\ANSYS\\ac4\\bin\\ug20\\Intel\\ansconug20.exe"=
"c:\\Program Files\\Ansys Inc\\v100\\ANSYS\\ac4\\bin\\ug30\\Intel\\ansconug30.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\totalcmd\\TOTALCMD.EXE"=
"c:\\Program Files\\RadLight Company\\RadLight 4.0\\rlkernel.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"z:\\aaa\\novak\\marias_talon_cz.exe"=
"c:\\Program Files\\TC UP\\TOTALCMD.EXE"=
"c:\\totalcommander\\totalcmd\\TOTALCMD.EXE"=
"%windir%\\system32\\drivers\\svchost.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"14134:TCP"= 14134:TCP:BitComet 14134 TCP
"14134:UDP"= 14134:UDP:BitComet 14134 UDP
"16330:TCP"= 16330:TCP:BitComet 16330 TCP
"16330:UDP"= 16330:UDP:BitComet 16330 UDP
"7046:TCP"= 7046:TCP:BitComet 7046 TCP
"7046:UDP"= 7046:UDP:BitComet 7046 UDP

R0 d347bus;d347bus;c:\windows\system32\drivers\d347bus.sys [15.9.2006 9:30 155136]
R0 d347prt;d347prt;c:\windows\system32\drivers\d347prt.sys [15.9.2006 9:30 5248]
R0 sfsync03;StarForce Protection Synchronization Driver (version 3.x);c:\windows\system32\drivers\sfsync03.sys [6.12.2005 16:11 35328]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [15.3.2010 15:36 114768]
R1 VD_FileDisk;VD_FileDisk;c:\windows\system32\drivers\vd_filedisk.sys [13.1.2006 14:00 15872]
R2 ANSYS FLEXlm license manager;ANSYS FLEXlm license manager;c:\progra~1\ANSYSI~1\SHARED~1\LICENS~1\Intel\lmgrd.exe [11.8.2005 10:38 909312]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [15.3.2010 15:36 20560]
R2 SCPDFReadSpool;SolidConverterPDFReadSpool;c:\windows\Installer\MSI8122.tmp [27.5.2009 10:58 189696]
S2 LMIInfo;LogMeIn Kernel Information Provider;\??\c:\program files\LogMeIn\x86\RaInfo.sys --> c:\program files\LogMeIn\x86\RaInfo.sys [?]
S2 NOD32FiXTemDono;Eset Nod32 Boot;c:\windows\system32\regedt32.exe [18.8.2004 13:00 3584]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [6.11.2007 21:22 34064]
S3 Wibukey2;Wibukey2;c:\windows\system32\drivers\Wibukey2.sys [15.6.2009 9:26 17408]

--- Other Services/Drivers In Memory ---

*Deregistered* - pqiqp
.
Contents of the 'Scheduled Tasks' folder

2010-03-08 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2006-08-29 12:21]
.
.
------- Supplementary Scan -------
.
uLocal Page = \blank.htm
uStart Page = hxxp://www.seznam.cz/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}
uInternet Settings,ProxyServer = 192.168.1.1:3128
uSearchURL,(Default) = hxxp://www.app-zilla.com/search.htm
IE: Compare Prices with &Dealio - c:\documents and settings\Petr Novák\Data aplikací\Dealio\kb127\res\DealioSearch.html
IE: E&xportovat do aplikace Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
DPF: {3a4f9191-65a8-11d5-85c1-0001023952c1} - hxxp://www.skylinesoft.com/interactive/terraex ... all/TE.cab
DPF: {B10CBD8D-F9B6-11CF-9B38-0080AD11B667} - file:///C:/novak/Strojnicke_tabulky/script/ikcntrls.cab
DPF: {BF3CD111-6278-11D2-9EA3-00A0C9251384} - hxxp://www.o2c.de/download/O2CPlayer.CAB
.
.
------- File Associations -------
.
.scr=AutoCADScriptFile
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-23 08:34
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x86B4F7E0]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf772bf28
\Driver\ACPI -> ACPI.sys @ 0xf7668cb8
\Driver\atapi -> 0x86b4f7e0
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805e668e
ParseProcedure -> ntoskrnl.exe @ 0x8057b6b1
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805e668e
ParseProcedure -> ntoskrnl.exe @ 0x8057b6b1
NDIS: Intel(R) PRO/100 VE Network Connection -> SendCompleteHandler -> NDIS.sys @ 0xf73afbb0
PacketIndicateHandler -> NDIS.sys @ 0xf73bca21
SendHandler -> NDIS.sys @ 0xf739a87b
Warning: possible MBR rootkit infection !
user & kernel MBR OK

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SCPDFReadSpool]
"ImagePath"="c:\windows\Installer\MSI8122.tmp"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\pqiqp]

.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(844)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\LMIinit.dll
c:\windows\system32\LMIRfsClientNP.dll
c:\windows\system32\vorbis.dll
c:\windows\system32\ogg.dll

- - - - - - - > 'lsass.exe'(900)
c:\windows\system32\vorbis.dll
c:\windows\system32\ogg.dll

- - - - - - - > 'explorer.exe'(2612)
c:\windows\system32\vorbis.dll
c:\windows\system32\ogg.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Nokia\Nokia PC Suite 6\PhoneBrowser.dll
c:\program files\Nokia\Nokia PC Suite 6\PCSCM.dll
c:\windows\system32\ConnAPI.DLL
c:\program files\Nokia\Nokia PC Suite 6\Lang\PhoneBrowser_cze.nlr
c:\program files\Nokia\Nokia PC Suite 6\Resource\PhoneBrowser_Nokia.ngr
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\windows\system32\Ati2evxx.exe
c:\progra~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
c:\windows\system32\drivers\CDAC11BA.EXE
c:\windows\system32\crypserv.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Ansys Inc\Shared Files\Licensing\intel\ansyslmd.exe
c:\progra~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Common Files\PCSuite\Services\ServiceLayer.exe
.
**************************************************************************
.
Completion time: 2010-03-23 08:44:39 - machine was rebooted
ComboFix-quarantined-files.txt 2010-03-23 07:44
ComboFix2.txt 2010-03-22 11:25
ComboFix3.txt 2008-09-11 06:13
ComboFix4.txt 2008-09-09 12:54
ComboFix5.txt 2010-03-23 07:17

Pre-Run: 7 870 992 384
Post-Run: 7 856 033 792

- - End Of File - - 2FC49733CD1ED1C985E78A2AEAD243E8


Hijackthis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:45:23, on 23.3.2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16981)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\ANSYSI~1\SHARED~1\LICENS~1\Intel\lmgrd.exe
C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\Adobe\Acrobat 5.0 CE\Distillr\AcroTray.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Ansys Inc\Shared Files\Licensing\intel\ansyslmd.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\Installer\MSI8122.tmp
C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.seznam.cz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.app-zilla.com/search.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.1.1:3128
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
R3 - URLSearchHook: forumswatcher.com Toolbar - {50d0cd27-d4ef-4a21-917e-a1573771def4} - C:\Program Files\forumswatcher.com\tbfor0.dll
R3 - URLSearchHook: USARadioNow Toolbar - {669163c1-c4b9-46de-ad62-a0271d3a0a75} - C:\Program Files\USARadioNow\tbUSA0.dll
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: forumswatcher.com Toolbar - {50d0cd27-d4ef-4a21-917e-a1573771def4} - C:\Program Files\forumswatcher.com\tbfor0.dll
O2 - BHO: USARadioNow Toolbar - {669163c1-c4b9-46de-ad62-a0271d3a0a75} - C:\Program Files\USARadioNow\tbUSA0.dll
O2 - BHO: DealioBHO Class - {6A87B991-A31F-4130-AE72-6D0C294BF082} - C:\Program Files\Dealio\kb127\Dealio.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl Class - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O3 - Toolbar: forumswatcher.com Toolbar - {50d0cd27-d4ef-4a21-917e-a1573771def4} - C:\Program Files\forumswatcher.com\tbfor0.dll
O3 - Toolbar: USARadioNow Toolbar - {669163c1-c4b9-46de-ad62-a0271d3a0a75} - C:\Program Files\USARadioNow\tbUSA0.dll
O3 - Toolbar: Dealio - {E67C74F4-A00A-4F2C-9FEC-FD9DC004A67F} - C:\Program Files\Dealio\kb127\Dealio.dll
O3 - Toolbar: Autodesk DWF - {F03966D3-8EA0-47b4-BBE0-85BFE6CBC8AC} - C:\Program Files\Autodesk\Autodesk DWF Writer\DWF Addin\DWFIEAddin.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1029
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0 CE\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Compare Prices with &Dealio - C:\Documents and Settings\Petr Novák\Data aplikací\Dealio\kb127\res\DealioSearch.html
O8 - Extra context menu item: E&xportovat do aplikace Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Dealio - {E908B145-C847-4e85-B315-07E2E70DECF8} - C:\Program Files\Dealio\kb127\Dealio.dll
O9 - Extra 'Tools' menuitem: Dealio - {E908B145-C847-4e85-B315-07E2E70DECF8} - C:\Program Files\Dealio\kb127\Dealio.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {3a4f9191-65a8-11d5-85c1-0001023952c1} (TE) - http://www.skylinesoft.com/interactive/ ... all/TE.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 0463301703
O16 - DPF: {B10CBD8D-F9B6-11CF-9B38-0080AD11B667} (Ikonic Button Control) - file:///C:/novak/Strojnicke_tabulky/script/ikcntrls.cab
O16 - DPF: {BF3CD111-6278-11D2-9EA3-00A0C9251384} (O2C-Player Version 1.x) - http://www.o2c.de/download/O2CPlayer.CAB
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (Prvek AcPreview) - file://C:\Program Files\Autocad_L\AcPreview.ocx
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: ANSYS FLEXlm license manager - Macrovision Corporation - C:\PROGRA~1\ANSYSI~1\SHARED~1\LICENS~1\Intel\lmgrd.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: SolidConverterPDFReadSpool (SCPDFReadSpool) - Solid Documents, LLC - C:\WINDOWS\Installer\MSI8122.tmp
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 9489 bytes


Thanks for any advice.
jan.svoboda
Intermediate
Registered: 25 Dec 2009
Location: Chrudim

Re: Slow internet - services.exe

Post by jan.svoboda »

Hi, post an MBAM log here as well. A nicely messed-up PC; there is also an MBR rootkit (apparently, judging by the ComboFix log). After the MBAM log we will clean up and delete.
Download Malwarebytes' Anti-Malware - http://viry.cz/forum/viewtopic.php?f=29&t=67229
Run a full scan of the C: system drive
Post the log here, delete nothing until the log has been assessed!
I am no longer active on this forum; I can be found on Google+ (http://gplus.to/JanSvoboda), where I actively write not only about IT.
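Three things in the logs above would make a responder suspicious before any scanner verdict. GMER cannot map one address in the disk I/O call chain to any loaded module (`>>UNKNOWN [0x86B4F7E0]<<`) and shows `\Driver\atapi` hooked to that same bare address instead of to a named driver; ComboFix reports the driver `pqiqp` as *Deregistered* (running, but with an empty service key) while `pqiqp.sys` sits in the recent-files list with a write time from the morning of the scan; and the firewall exception list contains `%windir%\system32\drivers\svchost.exe`, a system binary name in a directory where it does not belong. The Python below is an added example, not part of the original post or of ComboFix, GMER or HijackThis; it pulls those patterns out of constructed sample lines copied from the logs, and the expected-directory table for system binaries is an assumption for Windows XP.

```python
import re
from typing import Dict, List

# Constructed sample: lines copied from the ComboFix recent-files list, the
# firewall AuthorizedApplications export and the GMER section of the log above.
SAMPLE_LOG = r"""
2010-02-26 07:15 . 2010-03-23 07:35 802304 ----a-w- c:\windows\system32\drivers\pqiqp.sys
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=
*Deregistered* - pqiqp
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x86B4F7E0]<<
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf772bf28
\Driver\ACPI -> ACPI.sys @ 0xf7668cb8
\Driver\atapi -> 0x86b4f7e0
"""

# Assumption for Windows XP: these binaries belong directly under system32;
# the same name anywhere else (e.g. system32\drivers) is worth a look.
EXPECTED_DIR = {name: "\\system32" for name in
                ("svchost.exe", "services.exe", "lsass.exe", "winlogon.exe", "csrss.exe")}

# ComboFix file line: "<created> . <written> <size> <attrs> <path>"
FILE_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d) \. (\d{4}-\d\d-\d\d \d\d:\d\d)\s+(\d+)\s+(\S+)\s+(\S.*)$")
# GMER hook line: "\Driver\X -> <module> @ <addr>" or "\Driver\X -> <bare address>"
HOOK_RE = re.compile(r"^(\\Driver\\\S+)\s+->\s+(\S+)(?:\s+@\s+0x[0-9a-f]+)?\s*$", re.I)
UNKNOWN_RE = re.compile(r">>UNKNOWN \[(0x[0-9A-Fa-f]+)\]<<")
DEREG_RE = re.compile(r"^\*Deregistered\*\s+-\s+(\S+)\s*$")
FW_APP_RE = re.compile(r'^"(.+?)"=\s*$')


def triage(log_text: str) -> List[Dict[str, str]]:
    """Return findings as {'kind': ..., 'detail': ...} in the order the evidence appears."""
    findings: List[Dict[str, str]] = []
    recent_files: Dict[str, str] = {}      # lowercase path -> "size, last written"
    deregistered: List[str] = []

    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if (m := FILE_RE.match(line)):
            _created, written, size, _attrs, path = m.groups()
            recent_files[path.lower()] = f"{size} bytes, written {written}"
        elif (m := UNKNOWN_RE.search(line)):
            # GMER could not map this address in the disk I/O call chain to any loaded module.
            findings.append({"kind": "unresolved_module", "detail": m.group(1)})
        elif (m := HOOK_RE.match(line)):
            driver, target = m.groups()
            # Pointing into a named module is ordinary driver layering; a bare address is not.
            if target.lower().startswith("0x"):
                findings.append({"kind": "hook_to_unknown_code", "detail": f"{driver} -> {target}"})
        elif (m := DEREG_RE.match(line)):
            deregistered.append(m.group(1))
        elif (m := FW_APP_RE.match(line)):
            path = m.group(1).replace("\\\\", "\\")      # undo the registry export's escaping
            parent, _, name = path.rpartition("\\")
            expected = EXPECTED_DIR.get(name.lower())
            if expected and not parent.lower().endswith(expected):
                findings.append({"kind": "system_name_outside_system32", "detail": path})

    # A driver ComboFix reports as deregistered (running, but with an empty service key)
    # is worse when its .sys also sits in the recently written files list.
    for name in deregistered:
        hits = [p for p in recent_files if p.endswith(f"\\drivers\\{name.lower()}.sys")]
        detail = f"{hits[0]} ({recent_files[hits[0]]})" if hits else name
        findings.append({"kind": "deregistered_driver", "detail": detail})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['kind']:32} {f['detail']}")
```

Run against the full ComboFix log the same four findings come out; everything else in the log (the avast! drivers, the Nokia and iTunes helpers, the BitComet port exceptions) is noise for this particular question, which is why the checks key on structural oddities (an address with no owning module, a running driver with no service key, a known name in the wrong directory) rather than on names.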
petr7003
Newbie
Registered: 23 Mar 2010

Re: Slow internet - services.exe

Post by petr7003 »

So I finally have it:

Malwarebytes' Anti-Malware 1.44
Database version: 3902
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

23.3.2010 13:06:39
mbam-log-2010-03-23 (13-06-31).txt

Scan type: Full Scan (C:\|Z:\|)
Objects scanned: 487983
Time elapsed: 2 hour(s), 9 minute(s), 43 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 2
Files Infected: 11

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{cf54be1c-9359-4395-8533-1657cf209cfe} (Adware.MyWebSearch) -> No action taken.
HKEY_CLASSES_ROOT\Typelib\{d518921a-4a03-425e-9873-b9a71756821e} (Adware.MyWebSearch) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\LocalService\Data aplikací\NetMon (Trojan.NetMon) -> No action taken.
C:\Program Files\Save (Adware.WhenU) -> No action taken.

Files Infected:
C:\Documents and Settings\Petr Novák\Local Settings\TempImages\USARadioNow.exe (Trojan.BHO) -> No action taken.
C:\Program Files\USARadioNow\tbUSAR.dll (Adware.NetPumper) -> No action taken.
C:\aa\Xilisoft Video Converter 5.1.24.0531\Keygen.exe (Trojan.Agent.CK) -> No action taken.
C:\WINDOWS\system32\drivers\pqiqp.sys (Rootkit.Agent) -> No action taken.
C:\System Volume Information\_restore{23BE8455-0E08-4156-95CA-6FF0F93E36B4}\RP1165\A0105108.exe (Trojan.Agent) -> No action taken.
C:\Documents and Settings\LocalService\Data aplikací\NetMon\domains.txt (Trojan.NetMon) -> No action taken.
C:\Documents and Settings\LocalService\Data aplikací\NetMon\log.txt (Trojan.NetMon) -> No action taken.
C:\Program Files\Save\ffext.mod (Adware.WhenU) -> No action taken.
C:\Documents and Settings\Petr Novák\Data aplikací\wiaserva.log (Malware.Trace) -> No action taken.
C:\Program Files\ICOO Loader\addons\icoou.dll (Hijack.Filter) -> No action taken.
C:\Documents and Settings\Petr Novák\Data aplikací\avdrn.dat (Malware.Trace) -> No action taken.
petr7003
Newbie
Registered: 23 Mar 2010

Re: Slow internet - services.exe

Post by petr7003 »

Should I delete something?
jan.svoboda
Intermediate
Registered: 25 Dec 2009
Location: Chrudim

Re: Slow internet - services.exe

Post by jan.svoboda »

Sorry for the delay; once I'm back from school I'll take a look at it and post the next steps. We will certainly be deleting with ComboFix, so don't delete anything in MBAM for now.
jan.svoboda
Intermediate
Registered: 25 Dec 2009
Location: Chrudim

Re: Slow internet - services.exe

Post by jan.svoboda »

I recommend uninstalling the programs PowerReg, USARadioNow and NetMon; they contain spyware/adware.

Repair the MBR following the guide at http://viry.cz/forum/viewtopic.php?f=11&t=7294.

If you haven't done so already, move ComboFix to the desktop. Open Notepad and paste this script into it (only the script itself, not the forum's "Code" label):


KillAll::

RootKit::
C:\WINDOWS\system32\drivers\pqiqp.sys

Folder::
C:\Documents and Settings\LocalService\Data aplikací\NetMon
C:\Program Files\Save
C:\Program Files\Dealio

File::
C:\aa\Xilisoft Video Converter 5.1.24.0531\Keygen.exe
C:\Documents and Settings\Petr Novák\Data aplikací\wiaserva.log
C:\Documents and Settings\Petr Novák\Data aplikací\avdrn.dat

Registry::
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\pqiqp]
Save it to the desktop as CFScript.txt. Then drag it with the mouse onto the ComboFix icon and drop it there. CF will start and carry out the commands from the script. When it finishes, ComboFix creates a new log; paste its contents here!
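The CFScript above maps MBAM detections onto ComboFix's sections by hand: RootKit:: for the driver, Folder:: for whole directories, File:: for single files, and Registry:: with the [-key] form for deletion. As an added example that is neither the helper's script nor any ComboFix tooling, the Python below builds the same kind of script from MBAM's "No action taken" lines. It drops file entries already covered by a Folder:: entry, skips copies under System Volume Information (restore points, which this example assumes are dealt with by clearing System Restore rather than by CFScript), and for a Rootkit.* driver also emits a Registry:: deletion of the matching Services key, assuming, as on this page (pqiqp.sys and Services\pqiqp), that the service is named after the .sys file. The sample log is constructed from the entries posted above with English MBAM section headers; the log on this page came from the Czech localization.

```python
import re
from typing import Dict, List

# Constructed sample: entries copied from the MBAM log posted above, with the
# English-localized section headers (the log on this page came from the Czech build).
SAMPLE_MBAM = r"""
Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{cf54be1c-9359-4395-8533-1657cf209cfe} (Adware.MyWebSearch) -> No action taken.
HKEY_CLASSES_ROOT\Typelib\{d518921a-4a03-425e-9873-b9a71756821e} (Adware.MyWebSearch) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\LocalService\Data aplikací\NetMon (Trojan.NetMon) -> No action taken.
C:\Program Files\Save (Adware.WhenU) -> No action taken.

Files Infected:
C:\Program Files\USARadioNow\tbUSAR.dll (Adware.NetPumper) -> No action taken.
C:\aa\Xilisoft Video Converter 5.1.24.0531\Keygen.exe (Trojan.Agent.CK) -> No action taken.
C:\WINDOWS\system32\drivers\pqiqp.sys (Rootkit.Agent) -> No action taken.
C:\System Volume Information\_restore{23BE8455-0E08-4156-95CA-6FF0F93E36B4}\RP1165\A0105108.exe (Trojan.Agent) -> No action taken.
C:\Documents and Settings\LocalService\Data aplikací\NetMon\domains.txt (Trojan.NetMon) -> No action taken.
C:\Program Files\Save\ffext.mod (Adware.WhenU) -> No action taken.
C:\Documents and Settings\Petr Novák\Data aplikací\wiaserva.log (Malware.Trace) -> No action taken.
"""

# MBAM entry: "<path> (<Category>) -> <action>"
ENTRY_RE = re.compile(r"^(.+?) \(([A-Za-z0-9.]+)\) -> (.+)$")
SECTION_KIND = {
    "Registry Keys Infected:": "registry",
    "Folders Infected:": "folder",
    "Files Infected:": "file",
}
# Assumption: a kernel driver's service key carries the .sys base name (pqiqp.sys -> Services\pqiqp).
SERVICES_KEY = r"HKEY_LOCAL_MACHINE\System\ControlSet001\Services"


def parse_mbam(text: str) -> List[Dict[str, str]]:
    """Return {'kind','path','category'} for each detection in the sections CFScript can act on."""
    kind = None
    entries: List[Dict[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTION_KIND:
            kind = SECTION_KIND[line]
            continue
        if line.endswith("Infected:"):      # a section we do not script (values, processes, ...)
            kind = None
            continue
        m = ENTRY_RE.match(line)
        if kind and m:
            entries.append({"kind": kind, "path": m.group(1), "category": m.group(2)})
    return entries


def build_cfscript(entries: List[Dict[str, str]]) -> str:
    """Assemble KillAll::/RootKit::/Folder::/File::/Registry:: sections in ComboFix's plain-text form."""
    folders = [e["path"] for e in entries if e["kind"] == "folder"]
    rootkit: List[str] = []
    files: List[str] = []
    registry = [f"[-{e['path']}]" for e in entries if e["kind"] == "registry"]

    for e in entries:
        if e["kind"] != "file":
            continue
        p = e["path"]
        if p.lower().startswith("c:\\system volume information\\"):
            continue   # restore-point copy: cleared with System Restore, not by CFScript (assumption)
        if any(p.lower().startswith(f.lower() + "\\") for f in folders):
            continue   # already removed together with its Folder:: entry
        if e["category"].startswith("Rootkit."):
            rootkit.append(p)
            driver = p.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
            registry.append(f"[-{SERVICES_KEY}\\{driver}]")
        else:
            files.append(p)

    parts = ["KillAll::"]
    for header, items in (("RootKit::", rootkit), ("Folder::", folders),
                          ("File::", files), ("Registry::", registry)):
        if items:
            parts += ["", header] + items
    return "\n".join(parts) + "\n"


if __name__ == "__main__":
    print(build_cfscript(parse_mbam(SAMPLE_MBAM)), end="")
```

The output is meant to be read, not executed blindly: the generator has no notion of which detections are false positives (a keygen flagged as Trojan.Agent.CK is a judgment call for the person owning the machine, not for a script), so a responder still reviews each line before dropping the file onto ComboFix.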
petr7003
Newbie
Registered: 23 Mar 2010

Re: Slow internet - services.exe

Post by petr7003 »

ComboFix 10-03-27.03 - Petr Novák 28.03.2010 12:09:07.13.2 - x86
Systém Microsoft Windows XP Professional 5.1.2600.3.1250.420.1029.18.1022.613 [GMT 2:00]
Spuštěný z: c:\documents and settings\Petr Novák\Plocha\ComboFix.exe
Použité ovládací přepínače :: c:\documents and settings\Petr Novák\Plocha\CFScript.txt
AV: avast! antivirus 4.8.1368 [VPS 100327-1] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
* Vytvořen nový Bod Obnovení

FILE ::
"c:\aa\Xilisoft Video Converter 5.1.24.0531\Keygen.exe"
"c:\documents and settings\Petr Novák\Data aplikací\avdrn.dat"
"c:\documents and settings\Petr Novák\Data aplikací\wiaserva.log"
.

((((((((((((((((((((((((((((((((((((((( Ostatní výmazy )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Dealio
c:\program files\Dealio\DealioAU.exe
c:\program files\Dealio\kb127\Dealio Deskbar.exe
c:\program files\Dealio\kb127\Dealio.dll
c:\program files\Dealio\kb127\DealioRes409.dll
c:\program files\Dealio\kb127\res\alerts.gif
c:\program files\Dealio\kb127\res\alerts_over.gif
c:\program files\Dealio\kb127\res\alerts_rec.gif
c:\program files\Dealio\kb127\res\alerts_rec_over.gif
c:\program files\Dealio\kb127\res\deal_report.jpg
c:\program files\Dealio\kb127\res\DealioSearch.html
c:\program files\Dealio\kb127\res\deals-leftcap.gif
c:\program files\Dealio\kb127\res\ebay_login.jpg
c:\program files\Dealio\kb127\res\err_mainwindow.html
c:\program files\Dealio\kb127\res\err_toolbar.html
c:\program files\Dealio\kb127\res\global_scripts.js
c:\program files\Dealio\kb127\res\headerbgthin.jpg
c:\program files\Dealio\kb127\res\highlight-bg.png
c:\program files\Dealio\kb127\res\chevron-small.gif
c:\program files\Dealio\kb127\res\logo.gif
c:\program files\Dealio\kb127\res\logo_over.gif
c:\program files\Dealio\kb127\res\man_toolbar.css
c:\program files\Dealio\kb127\res\man_toolbar.html
c:\program files\Dealio\kb127\res\man_toolbar.js
c:\program files\Dealio\kb127\res\man_toolbarl.js
c:\program files\Dealio\kb127\res\post-this-deal.gif
c:\program files\Dealio\kb127\res\post-this-deal_over.gif
c:\program files\Dealio\kb127\res\scripts.js
c:\program files\Dealio\kb127\res\scroller.js
c:\program files\Dealio\kb127\res\search-chevron.gif
c:\program files\Dealio\kb127\res\search-chevron_over.gif
c:\program files\Dealio\kb127\res\search_bg_blink.gif
c:\program files\Dealio\kb127\res\separator.gif
c:\program files\Dealio\kb127\res\settings.gif
c:\program files\Dealio\kb127\res\settings_over.gif
c:\program files\Dealio\kb127\res\yahoo-search.png
c:\program files\Dealio\kb127\resDN\bottom.gif
c:\program files\Dealio\kb127\resDN\close.gif
c:\program files\Dealio\kb127\resDN\deskbar.css
c:\program files\Dealio\kb127\resDN\deskbar.js
c:\program files\Dealio\kb127\resDN\dispatch_helper.js
c:\program files\Dealio\kb127\resDN\ebay_compatible.jpg
c:\program files\Dealio\kb127\resDN\chevron_down.gif
c:\program files\Dealio\kb127\resDN\chevron_up.gif
c:\program files\Dealio\kb127\resDN\logo.gif
c:\program files\Dealio\kb127\resDN\logo_chevron_bkg.gif
c:\program files\Dealio\kb127\resDN\losing.gif
c:\program files\Dealio\kb127\resDN\lost.gif
c:\program files\Dealio\kb127\resDN\man_deskbar.html
c:\program files\Dealio\kb127\resDN\menu_arrow.gif
c:\program files\Dealio\kb127\resDN\menu_check.gif
c:\program files\Dealio\kb127\resDN\no_image.gif
c:\program files\Dealio\kb127\resDN\prod_img.gif
c:\program files\Dealio\kb127\resDN\search_chevron.gif
c:\program files\Dealio\kb127\resDN\spacer.gif
c:\program files\Dealio\kb127\resDN\textfield_bkg.gif
c:\program files\Dealio\kb127\resDN\top.gif
c:\program files\Dealio\kb127\resDN\unknown.gif
c:\program files\Dealio\kb127\resDN\winning.gif
c:\program files\Dealio\kb127\resDN\won.gif
c:\program files\Dealio\SearchSettingsKit.exe
C:\Thumbs.db
c:\windows\system32\prsgrc.dll
c:\windows\system32\ssprs.dll

.
((((((((((((((((((((((((( Soubory vytvořené od 2010-02-28 do 2010-03-28 )))))))))))))))))))))))))))))))
.

2010-03-28 07:13 . 2009-12-15 09:24 293376 ----a-w- C:\gmer.exe
2010-03-25 06:57 . 2010-02-12 10:03 293376 ------w- c:\windows\system32\browserchoice.exe
2010-03-24 12:50 . 2008-03-05 14:56 1420824 ----a-w- c:\windows\system32\D3DCompiler_37.dll
2010-03-24 12:50 . 2008-02-05 22:07 462864 ----a-w- c:\windows\system32\d3dx10_37.dll
2010-03-24 12:50 . 2008-03-05 14:56 3786760 ----a-w- c:\windows\system32\D3DX9_37.dll
2010-03-24 12:49 . 2010-03-24 12:49 -------- d-----w- c:\windows\Logs
2010-03-24 12:36 . 2010-03-24 12:42 164736648 ----a-w- C:\SetupDWGTrueView2010_32bit.exe
2010-03-23 09:44 . 2010-01-07 15:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-23 09:44 . 2010-03-23 09:44 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-23 09:44 . 2010-01-07 15:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-22 11:20 . 2009-11-21 16:03 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2010-03-22 11:19 . 2009-10-23 15:28 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe
2010-03-15 14:36 . 2009-11-24 23:48 23120 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-03-15 14:36 . 2009-11-24 23:49 48560 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-03-15 14:36 . 2009-11-24 23:47 27408 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-03-15 14:36 . 2009-11-24 23:47 97480 ----a-w- c:\windows\system32\AvastSS.scr
2010-03-15 14:36 . 2009-11-24 23:51 93424 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-03-15 14:36 . 2009-11-24 23:50 94160 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-03-15 14:36 . 2009-11-24 23:50 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-03-15 14:36 . 2009-11-24 23:50 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-03-15 14:35 . 2009-11-24 23:54 1280480 ----a-w- c:\windows\system32\aswBoot.exe
2010-03-09 14:06 . 2010-03-09 14:06 -------- d-----w- c:\program files\Microsoft Silverlight
2010-03-01 12:02 . 2009-02-09 11:25 111104 -c--a-w- c:\windows\system32\dllcache\services.exe
2010-03-01 12:02 . 2009-02-09 11:25 111104 ------w- c:\windows\system32\services.exe
2010-02-26 13:36 . 2010-02-26 13:39 -------- d-----w- C:\CD2
2010-02-26 13:10 . 2010-02-26 13:36 -------- d-----w- C:\CD1

.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-28 06:39 . 2004-08-18 12:00 77872 ----a-w- c:\windows\system32\perfc005.dat
2010-03-28 06:39 . 2004-08-18 12:00 428750 ----a-w- c:\windows\system32\perfh005.dat
2010-03-26 07:10 . 2008-08-12 09:39 -------- d-----w- c:\program files\VisualConnection
2010-03-22 14:07 . 2008-11-04 06:53 -------- d-----w- c:\program files\Opera
2010-03-16 12:26 . 2008-09-17 06:34 -------- d-----w- c:\program files\FT DVD Clone 4.0
2010-03-16 12:25 . 2006-07-31 10:54 -------- d-----w- c:\program files\BSPlayer
2010-03-16 12:25 . 2006-07-26 09:01 -------- d-----w- c:\program files\Elaborate Bytes
2010-03-16 12:24 . 2005-12-21 06:01 -------- d-----w- c:\program files\SlySoft
2010-03-15 07:59 . 2005-11-08 11:04 -------- d-----w- c:\program files\Google
2010-03-15 07:57 . 2006-08-18 12:17 -------- d-----w- c:\program files\Sudoku
2010-03-15 07:57 . 2008-03-21 08:56 -------- d-----w- c:\program files\Return to Castle Wolfenstein
2010-03-15 07:56 . 2008-09-16 11:37 -------- d-----w- c:\program files\Super Clone DVD
2010-03-15 07:55 . 2006-06-12 08:23 -------- d-----w- c:\program files\Yahoo!
2010-03-15 07:54 . 2007-07-24 10:40 -------- d-----w- c:\program files\HEROSOFT
2010-03-15 07:53 . 2008-10-06 11:57 -------- d-----w- c:\program files\E.M. DVD Copy
2010-03-15 07:51 . 2007-11-06 07:57 -------- d-----w- c:\program files\ElcomSoft
2010-02-22 06:49 . 2005-03-24 08:10 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-02-19 12:19 . 2006-11-03 13:35 -------- d-----w- c:\program files\Xilisoft
2010-02-19 09:53 . 2010-02-19 09:53 4384320 ----a-w- C:\Shockwave_Installer_Slim.exe
2010-02-15 11:30 . 2010-02-15 11:28 9936244 ----a-w- C:\convert.exe
2010-02-15 11:24 . 2010-02-15 11:21 25786688 ----a-w- C:\wmp11-windowsxp-x86-CS-CZ.exe
2010-02-12 09:44 . 2009-04-29 09:19 -------- d-----w- c:\program files\TC UP
2010-02-12 08:19 . 2010-02-12 08:19 475136 ----a-w- C:\SRDownloader.exe
2010-02-12 07:45 . 2010-02-12 07:45 -------- d-----w- c:\program files\Kodek CZ
2010-02-12 07:43 . 2010-02-12 07:43 5184550 ----a-w- C:\kodek016cz.exe
2010-02-12 06:48 . 2010-02-12 06:48 939956 ----a-w- C:\7z465.exe
2010-02-11 11:29 . 2010-02-11 11:28 14452040 ----a-w- C:\winzip140.exe
2010-02-09 07:27 . 2010-02-08 13:23 -------- d-----w- c:\program files\Rapidown
2010-01-30 21:48 . 2010-02-19 12:18 16601220 ----a-w- C:\x-avi-mpeg-converter-standard.exe
2010-01-05 09:58 . 2004-08-18 12:00 832512 ------w- c:\windows\system32\wininet.dll
2010-01-05 09:57 . 2009-06-25 07:21 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-05 09:57 . 2004-08-18 12:00 17408 ----a-w- c:\windows\system32\corpol.dll
2009-12-31 16:50 . 2004-08-18 12:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2005-06-13 23:37 . 2006-10-16 06:32 3606 ----a-w- c:\program files\ReadMe.txt
2005-06-13 23:25 . 2006-10-16 06:32 241664 ----a-w- c:\program files\IMGTool.exe
2007-10-08 10:28 . 2007-10-08 10:28 135680 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.

(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{50d0cd27-d4ef-4a21-917e-a1573771def4}"= "c:\program files\forumswatcher.com\tbfor1.dll" [2010-03-24 2349080]
"{669163c1-c4b9-46de-ad62-a0271d3a0a75}"= "c:\program files\USARadioNow\tbUSA1.dll" [2010-03-24 2349080]

[HKEY_CLASSES_ROOT\clsid\{50d0cd27-d4ef-4a21-917e-a1573771def4}]

[HKEY_CLASSES_ROOT\clsid\{669163c1-c4b9-46de-ad62-a0271d3a0a75}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{50d0cd27-d4ef-4a21-917e-a1573771def4}]
2010-03-24 12:33 2349080 ----a-w- c:\program files\forumswatcher.com\tbfor1.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{669163c1-c4b9-46de-ad62-a0271d3a0a75}]
2010-03-24 12:32 2349080 ----a-w- c:\program files\USARadioNow\tbUSA1.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{50d0cd27-d4ef-4a21-917e-a1573771def4}"= "c:\program files\forumswatcher.com\tbfor1.dll" [2010-03-24 2349080]
"{669163c1-c4b9-46de-ad62-a0271d3a0a75}"= "c:\program files\USARadioNow\tbUSA1.dll" [2010-03-24 2349080]

[HKEY_CLASSES_ROOT\clsid\{50d0cd27-d4ef-4a21-917e-a1573771def4}]

[HKEY_CLASSES_ROOT\clsid\{669163c1-c4b9-46de-ad62-a0271d3a0a75}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{50D0CD27-D4EF-4A21-917E-A1573771DEF4}"= "c:\program files\forumswatcher.com\tbfor1.dll" [2010-03-24 2349080]
"{669163C1-C4B9-46DE-AD62-A0271D3A0A75}"= "c:\program files\USARadioNow\tbUSA1.dll" [2010-03-24 2349080]

[HKEY_CLASSES_ROOT\clsid\{50d0cd27-d4ef-4a21-917e-a1573771def4}]

[HKEY_CLASSES_ROOT\clsid\{669163c1-c4b9-46de-ad62-a0271d3a0a75}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PcSync"="c:\program files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2006-04-11 1409024]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-03 339968]
"Smapp"="c:\program files\Analog Devices\SoundMAX\Smtray.exe" [2002-06-26 90112]
"DAEMON Tools-1033"="c:\program files\D-Tools\daemon.exe" [2004-08-22 81920]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-09-01 282624]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2006-09-11 229952]
"PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2008-03-14 233472]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-05 149280]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\aaa\Nabídka Start\Programy\Po spuštění\
PowerReg SchedulerV2.exe [2004-12-9 256000]

c:\documents and settings\All Users.WINDOWS\Nabídka Start\Programy\Po spuštění\
Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 5.0 CE\Distillr\AcroTray.exe [2006-6-7 82026]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2009-11-18 495432]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2008-04-30 16:08 87352 ----a-w- c:\windows\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Ansys Inc\\v100\\ANSYS\\bin\\Intel\\ANSYS.exe"=
"c:\\Program Files\\Ansys Inc\\v100\\ANSYS\\bin\\Intel\\ans_admin.exe"=
"c:\\Program Files\\Ansys Inc\\v100\\ANSYS\\bin\\Intel\\ls970.exe"=
"c:\\Program Files\\Ansys Inc\\v100\\ANSYS\\bin\\Intel\\ls970_DP.exe"=
"c:\\Program Files\\Ansys Inc\\v100\\ANSYS\\bin\\Intel\\lsprepostd.exe"=
"c:\\Program Files\\Ansys Inc\\v100\\ANSYS\\bin\\Intel\\mpitest.exe"=
"c:\\Program Files\\Ansys Inc\\v100\\ANSYS\\bin\\Intel\\mpitestmpich.exe"=
"c:\\Program Files\\Ansys Inc\\v100\\ANSYS\\bin\\Intel\\sxpost.exe"=
"c:\\Program Files\\Ansys Inc\\v100\\ANSYS\\bin\\Intel\\tclsh.exe"=
"c:\\Program Files\\Ansys Inc\\v100\\ANSYS\\bin\\Intel\\wish.exe"=
"c:\\Program Files\\Ansys Inc\\v100\\ANSYS\\bin\\Intel\\DANSYS\\ANSYS.exe"=
"c:\\Program Files\\Ansys Inc\\v100\\ANSYS\\bin\\Intel\\DANSYSMPICH\\ANSYS.exe"=
"c:\\Program Files\\Ansys Inc\\v100\\CommonFiles\\TCL\\bin\\Intel\\tclsh.exe"=
"c:\\Program Files\\Ansys Inc\\v100\\CommonFiles\\TCL\\bin\\Intel\\wish.exe"=
"c:\\Program Files\\Ansys Inc\\v100\\ANSYS\\ac4\\bin\\catia\\Intel\\ac4catia.exe"=
"c:\\Program Files\\Ansys Inc\\v100\\CommonFiles\\CATIAV5\\Intel\\code\\bin\\ac4catia5.exe"=
"c:\\Program Files\\Ansys Inc\\v100\\ANSYS\\ac4\\bin\\para\\Intel\\ac4para.exe"=
"c:\\Program Files\\Ansys Inc\\v100\\ANSYS\\ac4\\bin\\pro\\Intel\\ac4pro.exe"=
"c:\\Program Files\\Ansys Inc\\v100\\ANSYS\\ac4\\bin\\sat\\Intel\\ac4sat.exe"=
"c:\\Program Files\\Ansys Inc\\v100\\ANSYS\\ac4\\bin\\ug10\\Intel\\ansconug10.exe"=
"c:\\Program Files\\Ansys Inc\\v100\\ANSYS\\ac4\\bin\\ug20\\Intel\\ansconug20.exe"=
"c:\\Program Files\\Ansys Inc\\v100\\ANSYS\\ac4\\bin\\ug30\\Intel\\ansconug30.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\totalcmd\\TOTALCMD.EXE"=
"c:\\Program Files\\RadLight Company\\RadLight 4.0\\rlkernel.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"c:\\Program Files\\TC UP\\TOTALCMD.EXE"=
"c:\\totalcommander\\totalcmd\\TOTALCMD.EXE"=
"%windir%\\system32\\drivers\\svchost.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"14134:TCP"= 14134:TCP:BitComet 14134 TCP
"14134:UDP"= 14134:UDP:BitComet 14134 UDP
"16330:TCP"= 16330:TCP:BitComet 16330 TCP
"16330:UDP"= 16330:UDP:BitComet 16330 UDP
"7046:TCP"= 7046:TCP:BitComet 7046 TCP
"7046:UDP"= 7046:UDP:BitComet 7046 UDP

R0 d347bus;d347bus;c:\windows\system32\drivers\d347bus.sys [15.9.2006 10:30 155136]
R0 d347prt;d347prt;c:\windows\system32\drivers\d347prt.sys [15.9.2006 10:30 5248]
R0 sfsync03;StarForce Protection Synchronization Driver (version 3.x);c:\windows\system32\drivers\sfsync03.sys [6.12.2005 17:11 35328]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [15.3.2010 16:36 114768]
R1 VD_FileDisk;VD_FileDisk;c:\windows\system32\drivers\vd_filedisk.sys [13.1.2006 15:00 15872]
R2 ANSYS FLEXlm license manager;ANSYS FLEXlm license manager;c:\progra~1\ANSYSI~1\SHARED~1\LICENS~1\Intel\lmgrd.exe [11.8.2005 11:38 909312]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [15.3.2010 16:36 20560]
R2 SCPDFReadSpool;SolidConverterPDFReadSpool;c:\windows\Installer\MSI8122.tmp [27.5.2009 11:58 189696]
S2 LMIInfo;LogMeIn Kernel Information Provider;\??\c:\program files\LogMeIn\x86\RaInfo.sys --> c:\program files\LogMeIn\x86\RaInfo.sys [?]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [6.11.2007 22:22 34064]
S3 Wibukey2;Wibukey2;c:\windows\system32\drivers\Wibukey2.sys [15.6.2009 10:26 17408]
.
Obsah adresáře 'Naplánované úlohy'

2010-03-08 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2006-08-29 12:21]
.
.
------- Doplňkový sken -------
.
uLocal Page = \blank.htm
uStart Page = hxxp://www.seznam.cz/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}
uInternet Settings,ProxyServer = 192.168.1.1:3128
uSearchURL,(Default) = hxxp://www.app-zilla.com/search.htm
IE: Compare Prices with &Dealio - c:\documents and settings\Petr Novák\Data aplikací\Dealio\kb127\res\DealioSearch.html
IE: E&xportovat do aplikace Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
DPF: {3a4f9191-65a8-11d5-85c1-0001023952c1} - hxxp://www.skylinesoft.com/interactive/terraex ... all/TE.cab
DPF: {B10CBD8D-F9B6-11CF-9B38-0080AD11B667} - file:///C:/novak/Strojnicke_tabulky/script/ikcntrls.cab
DPF: {BF3CD111-6278-11D2-9EA3-00A0C9251384} - hxxp://www.o2c.de/download/O2CPlayer.CAB
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-28 12:23
Windows 5.1.2600 Service Pack 3 NTFS

skenování skrytých procesů ...

skenování skrytých položek 'Po spuštění' ...

skenování skrytých souborů ...

sken byl úspešně dokončen
skryté soubory: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x86BE7CC0]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf772bf28
\Driver\ACPI -> ACPI.sys @ 0xf7668cb8
\Driver\atapi -> 0x86be7cc0
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805e668e
ParseProcedure -> ntoskrnl.exe @ 0x8057b6b1
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805e668e
ParseProcedure -> ntoskrnl.exe @ 0x8057b6b1
NDIS: Intel(R) PRO/100 VE Network Connection -> SendCompleteHandler -> NDIS.sys @ 0xf74dbbb0
PacketIndicateHandler -> NDIS.sys @ 0xf74e8a21
SendHandler -> NDIS.sys @ 0xf74c687b
Warning: possible MBR rootkit infection !
user & kernel MBR OK

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SCPDFReadSpool]
"ImagePath"="c:\windows\Installer\MSI8122.tmp"
.
--------------------- Knihovny navázané na běžící procesy ---------------------

- - - - - - - > 'winlogon.exe'(836)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\LMIinit.dll
c:\windows\system32\vorbis.dll
c:\windows\system32\ogg.dll

- - - - - - - > 'lsass.exe'(892)
c:\windows\system32\vorbis.dll
c:\windows\system32\ogg.dll

- - - - - - - > 'explorer.exe'(3788)
c:\windows\system32\vorbis.dll
c:\windows\system32\ogg.dll
c:\windows\system32\msi.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Nokia\Nokia PC Suite 6\PhoneBrowser.dll
c:\program files\Nokia\Nokia PC Suite 6\PCSCM.dll
c:\windows\system32\ConnAPI.DLL
c:\program files\Nokia\Nokia PC Suite 6\Lang\PhoneBrowser_cze.nlr
c:\program files\Nokia\Nokia PC Suite 6\Resource\PhoneBrowser_Nokia.ngr
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Jiné spuštené procesy ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\windows\system32\drivers\CDAC11BA.EXE
c:\windows\system32\crypserv.exe
c:\program files\Ansys Inc\Shared Files\Licensing\intel\ansyslmd.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\windows\system32\Ati2evxx.exe
c:\progra~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
c:\program files\Common Files\PCSuite\Services\ServiceLayer.exe
c:\program files\iPod\bin\iPodService.exe
c:\progra~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
.
**************************************************************************
.
Celkový čas: 2010-03-28 12:35:45 - počítač byl restartován
ComboFix-quarantined-files.txt 2010-03-28 10:35
ComboFix2.txt 2010-03-26 07:51

Před spuštěním: Volných bajtů: 12 974 424 064
Po spuštění: Volných bajtů: 12 939 120 640

- - End Of File - - CBE82FAF071F7B5DB8D4CBF42A601203
jan.svoboda
Intermediate
Registered: 25 Dec 2009
Residence: Chrudim

Re: Slow internet - services.exe

Post by jan.svoboda »

I still don't like it + apparently the MBR rootkit is still there. Did you do the MBR restore according to the guide?

:arrow: If you use emulation programs (Alcohol 120%, ...), uninstall them.
Download SPTD - http://www.duplexsecure.com/en/downloads, save it to the desktop and run it. Choose the "Uninstall" option and restart the PC.

:arrow: Download gmer to the desktop http://www2.gmer.net/gmer.zip
- unpack it so that the executable is not in any folder
- run gmer.exe
- after the quick scan finishes -> click the Save log button, then open it and paste its contents into your post.
Then do this - untick (click the checkbox):
Sections
IAT/EAT
- do not tick:
Show All and drives other than the system drive (typically C:\)
- click the Scan button
- click the Save log button, then open it and paste its contents into your post as the long gmer log.

Note: a full scan sometimes takes an outrageously long time because of the large number of small files on the disk. If the post is refused because of the maximum number of allowed characters, add it as an attachment (a zip file of the log).

:arrow: Download MBR http://www2.gmer.net/mbr/mbr.exe directly to C:\ so that it is not in any folder
- run it
- a log named mbr.txt is created in the place the program was run from
- open the log and paste its contents into your post

:arrow: Click Start - Run, type cmd there, press Enter; a DOS window opens, in it type:

Code:

cd \, press Enter
mbr.exe -t , press Enter
open mbr.txt again; its log should be different, I'd like to see it.

:arrow: Use this script for ComboFix once more and paste the new log here again:

Code:

KillAll::

File::
C:\WINDOWS\system32\drivers\pqiqp.sys

RootKit::
C:\WINDOWS\system32\drivers\pqiqp.sys

Driver::
C:\WINDOWS\system32\drivers\pqiqp.sys
I am no longer active on this forum; I can be found on Google+ (http://gplus.to/JanSvoboda), where I actively write not only about IT.
petr7003
Newbie
Registered: 23 Mar 2010

Re: Slow internet - services.exe

Post by petr7003 »

gmer doesn't work for me; it runs for about 2-3 seconds and then a message says an error occurred and it quits.

Log from mbr:

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK

Second log from mbr:
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x86B62200]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\atapi -> 0x86b62200
Warning: possible MBR rootkit infection !
user & kernel MBR OK
Use "Recovery Console" command "fixmbr" to clear infection !
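The two mbr.exe logs in the post above differ only in the "called modules" line and the "detected MBR rootkit hooks:" block. The following Python script is an added example, not part of this thread and not gmer's own tooling: it parses the text format mbr.exe writes to mbr.txt, separates hooks that resolve to a named module from hooks that point at a bare address with no backing module (the >>UNKNOWN [...]<< entry), and diffs two runs so a change between logs is found mechanically rather than by eye. The two sample logs embedded in it are constructed after the ones posted here; the function and field names are this example's own.

```python
"""Triage helper for the log format printed by gmer's mbr.exe.

Added example, not part of this thread or of gmer: parses the text
mbr.exe writes to mbr.txt into a structured verdict and diffs two runs.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed sample modelled on the clean first log in the thread.
CLEAN_LOG = """\
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
"""

# Constructed sample modelled on the second log: one hook into code that
# belongs to no loaded module (the >>UNKNOWN [...]<< entry).
HOOKED_LOG = """\
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x86B62200]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\\Driver\\atapi -> 0x86b62200
Warning: possible MBR rootkit infection !
user & kernel MBR OK
"""

HOOK_HEADER = "detected MBR rootkit hooks:"
WARNING_LINE = "Warning: possible MBR rootkit infection !"
UNKNOWN_RE = re.compile(r">>UNKNOWN \[(0x[0-9A-Fa-f]+)\]<<")
BARE_ADDR_RE = re.compile(r"^0x[0-9A-Fa-f]+$")


@dataclass
class MbrVerdict:
    device_opened: bool = False
    user_mbr_read: bool = False
    kernel_mbr_read: bool = False
    called_modules: List[str] = field(default_factory=list)
    unknown_code: List[str] = field(default_factory=list)       # addresses in no module
    hooks: List[Tuple[str, str]] = field(default_factory=list)  # (hooked object, final target)
    warning: bool = False

    @property
    def unattributed_hooks(self) -> List[Tuple[str, str]]:
        """Hooks whose target is a bare address, i.e. code no named module backs."""
        return [(src, dst) for src, dst in self.hooks if BARE_ADDR_RE.match(dst)]

    @property
    def hooks_into_unknown_code(self) -> List[Tuple[str, str]]:
        """Hooks that land exactly on an address mbr.exe reported as UNKNOWN."""
        return [(src, dst) for src, dst in self.hooks if dst.lower() in self.unknown_code]

    @property
    def suspicious(self) -> bool:
        return self.warning or bool(self.unknown_code) or bool(self.unattributed_hooks)


def parse_mbr_log(text: str) -> MbrVerdict:
    """Parse one mbr.exe log. Hook lines look like 'A -> B [-> C]' and only
    appear between the hooks header and the Warning / 'MBR OK' lines."""
    v = MbrVerdict()
    in_hooks = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "device: opened successfully":
            v.device_opened = True
        elif line == "user: MBR read successfully":
            v.user_mbr_read = True
        elif line == "kernel: MBR read successfully":
            v.kernel_mbr_read = True
        elif line.startswith("called modules:"):
            body = line[len("called modules:"):]
            v.unknown_code = [a.lower() for a in UNKNOWN_RE.findall(body)]
            v.called_modules = UNKNOWN_RE.sub("", body).split()
        elif line == HOOK_HEADER:
            in_hooks = True
        elif line == WARNING_LINE:
            v.warning = True
            in_hooks = False
        elif line == "user & kernel MBR OK":
            in_hooks = False
        elif in_hooks and " -> " in line:
            parts = [p.strip() for p in line.split(" -> ")]
            v.hooks.append((parts[0], parts[-1]))
    return v


def diff_runs(before: MbrVerdict, after: MbrVerdict) -> Dict[str, object]:
    """What changed between two runs (e.g. before and after a cleanup attempt)."""
    return {
        "new_hooks": sorted(set(after.hooks) - set(before.hooks)),
        "removed_hooks": sorted(set(before.hooks) - set(after.hooks)),
        "new_unknown_code": sorted(set(after.unknown_code) - set(before.unknown_code)),
        "warning_changed": before.warning != after.warning,
    }


if __name__ == "__main__":
    clean, hooked = parse_mbr_log(CLEAN_LOG), parse_mbr_log(HOOKED_LOG)
    for name, verdict in (("clean", clean), ("hooked", hooked)):
        print(f"{name}: suspicious={verdict.suspicious} "
              f"unattributed={verdict.unattributed_hooks} unknown={verdict.unknown_code}")
    print(diff_runs(clean, hooked))
```

The distinction the script draws is the one worth acting on when reading these logs: a hook that resolves into a named driver in the call chain (CLASSPNP.SYS, ACPI.sys, ntoskrnl.exe, NDIS.sys in the later ComboFix-embedded run) is at least attributable, whereas \Driver\atapi pointing at a bare address that matches the UNKNOWN entry means the disk I/O path passes through code that no loaded module accounts for. Both the "user & kernel MBR OK" line and the warning line can appear in the same log, so the verdict is built from the hooks and the unknown-code entry rather than from the OK line alone.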
petr7003
Newbie
Registered: 23 Mar 2010

Re: Slow internet - services.exe

Post by petr7003 »

CF log:

ComboFix 10-03-28.02 - Petr Novák 29.03.2010 9:38.15.2 - x86
Systém Microsoft Windows XP Professional 5.1.2600.3.1250.420.1029.18.1022.588 [GMT 2:00]
Spuštěný z: c:\documents and settings\Petr Novák\Plocha\ComboFix.exe
Použité ovládací přepínače :: c:\documents and settings\Petr Novák\Plocha\CFScript.txt
AV: avast! antivirus 4.8.1368 [VPS 100328-1] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

FILE ::
"c:\windows\system32\drivers\pqiqp.sys"
.

((((((((((((((((((((((((( Soubory vytvořené od 2010-02-28 do 2010-03-29 )))))))))))))))))))))))))))))))
.

2010-03-29 07:24 . 2010-03-29 07:50 -------- d-----w- \ComboFix
2010-03-29 07:08 . 2010-03-28 12:00 77312 ----a-w- C:\mbr.exe
2010-03-29 07:08 . 2010-03-28 12:00 77312 ----a-w- \mbr.exe
2010-03-29 07:08 . 2010-03-28 12:00 284915 ----a-w- C:\gmer.zip
2010-03-29 07:08 . 2010-03-28 12:00 284915 ----a-w- \gmer.zip
2010-03-29 06:50 . 2010-03-29 06:50 0 ----a-w- C:\settings.dat
2010-03-29 06:50 . 2010-03-29 06:50 0 ----a-w- \settings.dat
2010-03-29 06:49 . 2009-08-13 09:14 472064 ----a-w- C:\RootRepeal.exe
2010-03-29 06:49 . 2009-08-13 09:14 472064 ----a-w- \RootRepeal.exe
2010-03-28 12:25 . 2010-03-28 12:25 880624 ----a-w- C:\SPTDinst-v162-x86.exe
2010-03-28 12:25 . 2010-03-28 12:25 880624 ----a-w- \SPTDinst-v162-x86.exe
2010-03-28 12:25 . 2010-03-28 12:25 1065968 ----a-w- C:\SPTDinst-v162-x64.exe
2010-03-28 12:25 . 2010-03-28 12:25 1065968 ----a-w- \SPTDinst-v162-x64.exe
2010-03-28 07:13 . 2009-12-15 09:24 293376 ----a-w- C:\gmer.exe
2010-03-28 07:13 . 2009-12-15 09:24 293376 ----a-w- \gmer.exe
2010-03-26 10:18 . 2010-03-26 10:19 -------- d-----w- \Avenger
2010-03-26 07:23 . 2010-03-29 07:50 -------- d-----w- \Qoobox
2010-03-24 12:49 . 2010-03-24 12:49 -------- d-----w- c:\windows\Logs
2010-03-24 12:36 . 2010-03-24 12:42 164736648 ----a-w- C:\SetupDWGTrueView2010_32bit.exe
2010-03-24 12:36 . 2010-03-24 12:42 164736648 ----a-w- \SetupDWGTrueView2010_32bit.exe
2010-03-23 09:44 . 2010-03-23 09:44 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-22 10:51 . 2010-03-22 10:51 -------- d-sha-r- \cmdcons
2010-03-09 14:06 . 2010-03-09 14:06 -------- d-----w- c:\program files\Microsoft Silverlight

.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-28 12:00 . 2010-03-29 07:08 77312 ----a-w- \mbr.exe
2010-03-28 12:00 . 2010-03-29 07:08 284915 ----a-w- \gmer.zip
2010-03-26 07:10 . 2008-08-12 09:39 -------- d-----w- c:\program files\VisualConnection
2010-03-24 12:42 . 2010-03-24 12:36 164736648 ----a-w- \SetupDWGTrueView2010_32bit.exe
2010-03-22 14:07 . 2008-11-04 06:53 -------- d-----w- c:\program files\Opera
2010-03-16 12:26 . 2008-09-17 06:34 -------- d-----w- c:\program files\FT DVD Clone 4.0
2010-03-16 12:25 . 2006-07-31 10:54 -------- d-----w- c:\program files\BSPlayer
2010-03-16 12:25 . 2006-07-26 09:01 -------- d-----w- c:\program files\Elaborate Bytes
2010-03-16 12:24 . 2005-12-21 06:01 -------- d-----w- c:\program files\SlySoft
2010-03-15 07:59 . 2005-11-08 11:04 -------- d-----w- c:\program files\Google
2010-03-15 07:57 . 2006-08-18 12:17 -------- d-----w- c:\program files\Sudoku
2010-03-15 07:57 . 2008-03-21 08:56 -------- d-----w- c:\program files\Return to Castle Wolfenstein
2010-03-15 07:56 . 2008-09-16 11:37 -------- d-----w- c:\program files\Super Clone DVD
2010-03-15 07:55 . 2006-06-12 08:23 -------- d-----w- c:\program files\Yahoo!
2010-03-15 07:54 . 2007-07-24 10:40 -------- d-----w- c:\program files\HEROSOFT
2010-03-15 07:53 . 2008-10-06 11:57 -------- d-----w- c:\program files\E.M. DVD Copy
2010-03-15 07:51 . 2007-11-06 07:57 -------- d-----w- c:\program files\ElcomSoft
2010-02-22 06:49 . 2005-03-24 08:10 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-02-19 12:19 . 2006-11-03 13:35 -------- d-----w- c:\program files\Xilisoft
2010-02-19 09:53 . 2010-02-19 09:53 4384320 ----a-w- C:\Shockwave_Installer_Slim.exe
2010-02-19 09:53 . 2010-02-19 09:53 4384320 ----a-w- \Shockwave_Installer_Slim.exe
2010-02-15 11:30 . 2010-02-15 11:28 9936244 ----a-w- C:\convert.exe
2010-02-15 11:30 . 2010-02-15 11:28 9936244 ----a-w- \convert.exe
2010-02-15 11:24 . 2010-02-15 11:21 25786688 ----a-w- C:\wmp11-windowsxp-x86-CS-CZ.exe
2010-02-15 11:24 . 2010-02-15 11:21 25786688 ----a-w- \wmp11-windowsxp-x86-CS-CZ.exe
2010-02-12 09:44 . 2009-04-29 09:19 -------- d-----w- c:\program files\TC UP
2010-02-12 08:19 . 2010-02-12 08:19 475136 ----a-w- C:\SRDownloader.exe
2010-02-12 08:19 . 2010-02-12 08:19 475136 ----a-w- \SRDownloader.exe
2010-02-12 07:45 . 2010-02-12 07:45 -------- d-----w- c:\program files\Kodek CZ
2010-02-12 07:43 . 2010-02-12 07:43 5184550 ----a-w- C:\kodek016cz.exe
2010-02-12 07:43 . 2010-02-12 07:43 5184550 ----a-w- \kodek016cz.exe
2010-02-12 06:48 . 2010-02-12 06:48 939956 ----a-w- C:\7z465.exe
2010-02-12 06:48 . 2010-02-12 06:48 939956 ----a-w- \7z465.exe
2010-02-11 11:29 . 2010-02-11 11:28 14452040 ----a-w- C:\winzip140.exe
2010-02-11 11:29 . 2010-02-11 11:28 14452040 ----a-w- \winzip140.exe
2010-02-09 07:27 . 2010-02-08 13:23 -------- d-----w- c:\program files\Rapidown
2010-01-30 21:48 . 2010-02-19 12:18 16601220 ----a-w- C:\x-avi-mpeg-converter-standard.exe
2010-01-30 21:48 . 2010-02-19 12:18 16601220 ----a-w- \x-avi-mpeg-converter-standard.exe
2005-06-13 23:37 . 2006-10-16 06:32 3606 ----a-w- c:\program files\ReadMe.txt
2005-06-13 23:25 . 2006-10-16 06:32 241664 ----a-w- c:\program files\IMGTool.exe
2007-10-08 10:28 . 2007-10-08 10:28 135680 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.

(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{50d0cd27-d4ef-4a21-917e-a1573771def4}"= "c:\program files\forumswatcher.com\tbfor1.dll" [2010-03-24 2349080]
"{669163c1-c4b9-46de-ad62-a0271d3a0a75}"= "c:\program files\USARadioNow\tbUSA1.dll" [2010-03-24 2349080]

[HKEY_CLASSES_ROOT\clsid\{50d0cd27-d4ef-4a21-917e-a1573771def4}]

[HKEY_CLASSES_ROOT\clsid\{669163c1-c4b9-46de-ad62-a0271d3a0a75}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{50d0cd27-d4ef-4a21-917e-a1573771def4}]
2010-03-24 12:33 2349080 ----a-w- c:\program files\forumswatcher.com\tbfor1.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{669163c1-c4b9-46de-ad62-a0271d3a0a75}]
2010-03-24 12:32 2349080 ----a-w- c:\program files\USARadioNow\tbUSA1.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{50d0cd27-d4ef-4a21-917e-a1573771def4}"= "c:\program files\forumswatcher.com\tbfor1.dll" [2010-03-24 2349080]
"{669163c1-c4b9-46de-ad62-a0271d3a0a75}"= "c:\program files\USARadioNow\tbUSA1.dll" [2010-03-24 2349080]

[HKEY_CLASSES_ROOT\clsid\{50d0cd27-d4ef-4a21-917e-a1573771def4}]

[HKEY_CLASSES_ROOT\clsid\{669163c1-c4b9-46de-ad62-a0271d3a0a75}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{50D0CD27-D4EF-4A21-917E-A1573771DEF4}"= "c:\program files\forumswatcher.com\tbfor1.dll" [2010-03-24 2349080]
"{669163C1-C4B9-46DE-AD62-A0271D3A0A75}"= "c:\program files\USARadioNow\tbUSA1.dll" [2010-03-24 2349080]

[HKEY_CLASSES_ROOT\clsid\{50d0cd27-d4ef-4a21-917e-a1573771def4}]

[HKEY_CLASSES_ROOT\clsid\{669163c1-c4b9-46de-ad62-a0271d3a0a75}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PcSync"="c:\program files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2006-04-11 1409024]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-03 339968]
"Smapp"="c:\program files\Analog Devices\SoundMAX\Smtray.exe" [2002-06-26 90112]
"DAEMON Tools-1033"="c:\program files\D-Tools\daemon.exe" [2004-08-22 81920]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-09-01 282624]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2006-09-11 229952]
"PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2008-03-14 233472]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-05 149280]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\aaa\Nabídka Start\Programy\Po spuštění\
PowerReg SchedulerV2.exe [2004-12-9 256000]

c:\documents and settings\All Users.WINDOWS\Nabídka Start\Programy\Po spuštění\
Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 5.0 CE\Distillr\AcroTray.exe [2006-6-7 82026]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2009-11-18 495432]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2008-04-30 16:08 87352 ----a-w- c:\windows\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Ansys Inc\\v100\\ANSYS\\bin\\Intel\\ANSYS.exe"=
"c:\\Program Files\\Ansys Inc\\v100\\ANSYS\\bin\\Intel\\ans_admin.exe"=
"c:\\Program Files\\Ansys Inc\\v100\\ANSYS\\bin\\Intel\\ls970.exe"=
"c:\\Program Files\\Ansys Inc\\v100\\ANSYS\\bin\\Intel\\ls970_DP.exe"=
"c:\\Program Files\\Ansys Inc\\v100\\ANSYS\\bin\\Intel\\lsprepostd.exe"=
"c:\\Program Files\\Ansys Inc\\v100\\ANSYS\\bin\\Intel\\mpitest.exe"=
"c:\\Program Files\\Ansys Inc\\v100\\ANSYS\\bin\\Intel\\mpitestmpich.exe"=
"c:\\Program Files\\Ansys Inc\\v100\\ANSYS\\bin\\Intel\\sxpost.exe"=
"c:\\Program Files\\Ansys Inc\\v100\\ANSYS\\bin\\Intel\\tclsh.exe"=
"c:\\Program Files\\Ansys Inc\\v100\\ANSYS\\bin\\Intel\\wish.exe"=
"c:\\Program Files\\Ansys Inc\\v100\\ANSYS\\bin\\Intel\\DANSYS\\ANSYS.exe"=
"c:\\Program Files\\Ansys Inc\\v100\\ANSYS\\bin\\Intel\\DANSYSMPICH\\ANSYS.exe"=
"c:\\Program Files\\Ansys Inc\\v100\\CommonFiles\\TCL\\bin\\Intel\\tclsh.exe"=
"c:\\Program Files\\Ansys Inc\\v100\\CommonFiles\\TCL\\bin\\Intel\\wish.exe"=
"c:\\Program Files\\Ansys Inc\\v100\\ANSYS\\ac4\\bin\\catia\\Intel\\ac4catia.exe"=
"c:\\Program Files\\Ansys Inc\\v100\\CommonFiles\\CATIAV5\\Intel\\code\\bin\\ac4catia5.exe"=
"c:\\Program Files\\Ansys Inc\\v100\\ANSYS\\ac4\\bin\\para\\Intel\\ac4para.exe"=
"c:\\Program Files\\Ansys Inc\\v100\\ANSYS\\ac4\\bin\\pro\\Intel\\ac4pro.exe"=
"c:\\Program Files\\Ansys Inc\\v100\\ANSYS\\ac4\\bin\\sat\\Intel\\ac4sat.exe"=
"c:\\Program Files\\Ansys Inc\\v100\\ANSYS\\ac4\\bin\\ug10\\Intel\\ansconug10.exe"=
"c:\\Program Files\\Ansys Inc\\v100\\ANSYS\\ac4\\bin\\ug20\\Intel\\ansconug20.exe"=
"c:\\Program Files\\Ansys Inc\\v100\\ANSYS\\ac4\\bin\\ug30\\Intel\\ansconug30.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\totalcmd\\TOTALCMD.EXE"=
"c:\\Program Files\\RadLight Company\\RadLight 4.0\\rlkernel.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"c:\\Program Files\\TC UP\\TOTALCMD.EXE"=
"c:\\totalcommander\\totalcmd\\TOTALCMD.EXE"=
"%windir%\\system32\\drivers\\svchost.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"14134:TCP"= 14134:TCP:BitComet 14134 TCP
"14134:UDP"= 14134:UDP:BitComet 14134 UDP
"16330:TCP"= 16330:TCP:BitComet 16330 TCP
"16330:UDP"= 16330:UDP:BitComet 16330 UDP
"7046:TCP"= 7046:TCP:BitComet 7046 TCP
"7046:UDP"= 7046:UDP:BitComet 7046 UDP

R0 d347bus;d347bus;c:\windows\system32\drivers\d347bus.sys [15.9.2006 10:30 155136]
R0 d347prt;d347prt;c:\windows\system32\drivers\d347prt.sys [15.9.2006 10:30 5248]
R0 sfsync03;StarForce Protection Synchronization Driver (version 3.x);c:\windows\system32\drivers\sfsync03.sys [6.12.2005 17:11 35328]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [15.3.2010 16:36 114768]
R1 VD_FileDisk;VD_FileDisk;c:\windows\system32\drivers\vd_filedisk.sys [13.1.2006 15:00 15872]
R2 ANSYS FLEXlm license manager;ANSYS FLEXlm license manager;c:\progra~1\ANSYSI~1\SHARED~1\LICENS~1\Intel\lmgrd.exe [11.8.2005 11:38 909312]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [15.3.2010 16:36 20560]
R2 SCPDFReadSpool;SolidConverterPDFReadSpool;c:\windows\Installer\MSI8122.tmp [27.5.2009 11:58 189696]
S2 LMIInfo;LogMeIn Kernel Information Provider;\??\c:\program files\LogMeIn\x86\RaInfo.sys --> c:\program files\LogMeIn\x86\RaInfo.sys [?]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [6.11.2007 22:22 34064]
S3 Wibukey2;Wibukey2;c:\windows\system32\drivers\Wibukey2.sys [15.6.2009 10:26 17408]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [28.3.2010 14:26 691696]
.
.
------- Doplňkový sken -------
.
uLocal Page = \blank.htm
uStart Page = hxxp://www.seznam.cz/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}
uInternet Settings,ProxyServer = 192.168.1.1:3128
uSearchURL,(Default) = hxxp://www.app-zilla.com/search.htm
IE: Compare Prices with &Dealio - c:\documents and settings\Petr Novák\Data aplikací\Dealio\kb127\res\DealioSearch.html
IE: E&xportovat do aplikace Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
DPF: {3a4f9191-65a8-11d5-85c1-0001023952c1} - hxxp://www.skylinesoft.com/interactive/terraex ... all/TE.cab
DPF: {B10CBD8D-F9B6-11CF-9B38-0080AD11B667} - file:///C:/novak/Strojnicke_tabulky/script/ikcntrls.cab
DPF: {BF3CD111-6278-11D2-9EA3-00A0C9251384} - hxxp://www.o2c.de/download/O2CPlayer.CAB
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-29 09:50
Windows 5.1.2600 Service Pack 3 NTFS

skenování skrytých procesů ...

skenování skrytých položek 'Po spuštění' ...

skenování skrytých souborů ...

sken byl úspešně dokončen
skryté soubory: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x86AB2248]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf772bf28
\Driver\ACPI -> ACPI.sys @ 0xf7668cb8
\Driver\atapi -> 0x86ab2248
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805e668e
ParseProcedure -> ntoskrnl.exe @ 0x8057b6b1
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805e668e
ParseProcedure -> ntoskrnl.exe @ 0x8057b6b1
NDIS: Intel(R) PRO/100 VE Network Connection -> SendCompleteHandler -> NDIS.sys @ 0xf74dbbb0
PacketIndicateHandler -> NDIS.sys @ 0xf74e8a21
SendHandler -> NDIS.sys @ 0xf74c687b
Warning: possible MBR rootkit infection !
user & kernel MBR OK

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SCPDFReadSpool]
"ImagePath"="c:\windows\Installer\MSI8122.tmp"
.
------------------------ Jiné spuštené procesy ------------------------
.
c:\windows\System32\smss.exe
c:\windows\system32\csrss.exe
c:\windows\system32\winlogon.exe
c:\windows\system32\services.exe
c:\windows\system32\lsass.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe
c:\windows\System32\svchost.exe
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\windows\system32\spoolsv.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\svchost.exe
c:\windows\system32\drivers\CDAC11BA.EXE
c:\windows\system32\crypserv.exe
c:\program files\Ansys Inc\Shared Files\Licensing\intel\ansyslmd.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\windows\System32\alg.exe
c:\progra~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
c:\progra~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
c:\program files\Common Files\PCSuite\Services\ServiceLayer.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wuauclt.exe
c:\windows\system32\wbem\wmiprvse.exe
.
**************************************************************************
.
Celkový čas: 2010-03-29 10:02:53 - počítač byl restartován
ComboFix-quarantined-files.txt 2010-03-29 08:02
ComboFix2.txt 2010-03-28 12:24
ComboFix3.txt 2010-03-28 10:35
ComboFix4.txt 2010-03-26 07:51

Před spuštěním: Volných bajtů: 12 822 622 208
Po spuštění: Volných bajtů: 12 816 293 888

- - End Of File - - 81A0A0D6BC9E3695608D39133482C404
jan.svoboda
Intermediate
Registered: 25 Dec 2009
Residence: Chrudim

Re: Slow internet - services.exe

Post by jan.svoboda »

Ok, it's getting better. Never mind GMER, try IceSword instead - http://www.viry.cz/forum/viewtopic.php?t=11394 and post here, following the guide, the logs from: Process, Kernel Module, Win32 services, SSDT.

Otherwise I can't help it, but I have the impression that ComboFix didn't delete that one rootkit anyway... To be safe, also do this:

:arrow: Following this guide http://www.viry.cz/forum/viewtopic.php?t=19832 download and run Avenger, and copy the following script into it (without the Code label):

Code:

Drivers to delete:
pqiqp
Confirm and again follow the guide. Above all I need to see the log it prints.

:arrow: Also remove all system restore points (turn off System Restore, restart the PC, turn System Restore on).
iwigirl
Newbie
Registered: 21 Aug 2007

Re: Slow internet - services.exe

Post by iwigirl »

Hello, Jan Svoboda,
I would like to ask you one thing:

do not steal from the viry.cz forum the guides that the advisors on our forum created themselves and use.
Firstly it is unethical, and secondly you are surely capable of creating your own guides (although the level of your knowledge does not suggest so).


Thank you

iwigirl
site admin of the viry.cz forum
jan.svoboda
Intermediate
Registered: 25 Dec 2009
Residence: Chrudim

Re: Slow internet - services.exe

Post by jan.svoboda »

iwigirl wrote: Hello, Jan Svoboda,
I would like to ask you one thing:

do not steal from the viry.cz forum the guides that the advisors on our forum created themselves and use.
Firstly it is unethical, and secondly you are surely capable of creating your own guides (although the level of your knowledge does not suggest so).


Thank you

iwigirl
site admin of the viry.cz forum
Hello, iwigirl, I would also like to respond and correct your claims a little.
You don't mention that I wrote some of the guides myself. In most cases I only link to programs on your forum, which is neither unethical nor a copyright violation, or I quote the guides, and as can be inferred from the word quotation, it follows that the guide is not mine. Yes, for some guides where I don't quote, I will be careful about you next time and rewrite the guide(s) so that they are mine and I avoid problems.

I don't claim to have more experience with viruses than you or to clean PCs better, but so far in most cases I have successfully helped users remove the problem their PC had because of malware. And that is my goal. If a user is not satisfied, I'm not keeping anyone here or forcing them into anything, and if they want, they can get advice from you instead of me. I give advice voluntarily and in my free time, and not only in the area of viruses. So please spare me comments like: "(although the level of your knowledge does not suggest so)". I disagree with you anyway; perhaps you are better at cleaning PCs, but I primarily focus on software and hardware in general (programming, PC construction, electrical engineering - hardware modifications, ... and much more), which I master, in my opinion and that of other people, at a very good level. You cannot know that, and each of us is good at something different - you at cleaning PCs of viruses, me at many other things. And I dare say there are some things I can do better than you.

With this I consider this chapter here on PCTF closed and will not deal with it further, so please don't post here anymore either. It is OT and further personal discussion would be SPAM. I'm not going to make problems for myself here because of you. And if you still want to make further problems, please send a PM (I don't want to break the PCTF rules).
Btw: better not even send PMs, I have nothing more to add. And I devote my free time to more important things than arguing with you about (for me) nothing.