
Facebook - Trojan horse

07Radoslav (Visitor, 7 posts, registered 16 Jul 2011 12:37)

Facebook - Trojan horse

#1 Post by 07Radoslav »

Hi. I need help with a trojan horse that I got on FB while downloading a Flash Player when I wanted to watch a video... it blocked my antivirus program, which now only displays (Attention! Avast operates under emhanced protection mode. This is a temporary measure neceséry for immediate response to the Great from virus. No action is required from you.) I can't use it... the trojan infected my WIN32 file. Can you help me or give me some advice?
Thanks, Radoslav

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 12:54:52, on 16. 7. 2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe
C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Common Files\Nokia\MPlatform\NokiaMServer.exe
C:\WINDOWS\update.tray-7-0\svchost.exe
C:\WINDOWS\l1rezerv.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\WINDOWS\systemup.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Nokia\Nokia Ovi Suite\NokiaOviSuite.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ICQ6Toolbar\ICQ Service.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\update.2\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\update.1\svchost.exe
C:\WINDOWS\update.2\svchost.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\WINDOWS\sysdriver32.exe
C:\Program Files\PC Connectivity Solution\Transports\NclMSBTSrv.exe
C:\WINDOWS\update.5.0\svchost.exe
C:\WINDOWS\update.5.0\svchost.exe
C:\WINDOWS\ufa\ufa.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Mozilla Firefox\firefox.exe
D:\Hry\Programi inštal\HiJackThis\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://search13.net/search.php?clid=486&q=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://search13.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://search13.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search13.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search13.net/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.parabola.cz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.crawler.com/search/ie.aspx?tb_id=60076
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://dnl.crawler.com/support/sa_custo ... TbId=60076
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search13.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://search13.net/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
R3 - URLSearchHook: QIPBHO Class - {A55F9C95-2BB1-4EA2-BC77-DFAAB78832CE} - C:\Documents and Settings\Root\Data aplikací\Microsoft\Internet Explorer\qipsearchbar.dll
O2 - BHO: XTTBPos00 - {055FD26D-3A88-4e15-963D-DC8493744B1D} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll (file missing)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: GdfrDUEn - {A3CF7606-E683-4375-A372-96B75DA0AEF7} - C:\Program Files\Stylish Profile\enlbrdr.dll
O2 - BHO: QIPBHO - {A55F9C95-2BB1-4EA2-BC77-DFAAB78832CE} - C:\Documents and Settings\Root\Data aplikací\Microsoft\Internet Explorer\qipsearchbar.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: ICQToolBar - {855F3B16-6D32-4FE6-8A56-BBB695989046} - C:\Program Files\ICQ6Toolbar\ICQToolBar.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [OrderReminder] C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NokiaMServer] C:\Program Files\Common Files\Nokia\MPlatform\NokiaMServer /watchfiles startup
O4 - HKLM\..\Run: [wxpdrv] C:\WINDOWS\services32.exe
O4 - HKLM\..\Run: [tray_ico0] C:\WINDOWS\update.tray-7-0\svchost.exe
O4 - HKLM\..\Run: [5793024.exe] "C:\DOCUME~1\Root\LOCALS~1\Temp\5793024.exe"
O4 - HKLM\..\Run: [sysdriver32.exe] "C:\WINDOWS\sysdriver32.exe" rezerv
O4 - HKLM\..\Run: [sysdriver32_.exe] "C:\WINDOWS\sysdriver32_.exe" rezerv
O4 - HKLM\..\Run: [9301718.exe] "C:\WINDOWS\TEMP\9301718.exe"
O4 - HKLM\..\Run: [107724.exe] "C:\WINDOWS\TEMP\107724.exe"
O4 - HKLM\..\Run: [l1rezerv.exe] "C:\WINDOWS\l1rezerv.exe"
O4 - HKLM\..\Run: [systemup] "C:\WINDOWS\systemup.exe" stand
O4 - HKLM\..\Run: [avast5] "C:\Program Files\Alwil Software\Avast5\avastUI.exe" /nogui
O4 - HKLM\..\Run: [9677931.exe] "C:\WINDOWS\TEMP\9677931.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ICQ] "C:\Program Files\ICQ7.0\ICQ.exe" silent loginmode=4
O4 - HKCU\..\Run: [NokiaOviSuite2] C:\Program Files\Nokia\Nokia Ovi Suite\NokiaOviSuite.exe -tray
O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\NPSWF32_FlashUtil.exe -p
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xportovat do aplikace Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: E&xportovať do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: StylishProfile - {14CD42DD-ABCD-3586-DCAB-40E3693E3737} - C:\Program Files\Stylish Profile\ct.htm
O9 - Extra 'Tools' menuitem: StylishProfile - {14CD42DD-ABCD-3586-DCAB-40E3693E3737} - C:\Program Files\Stylish Profile\ct.htm
O9 - Extra button: Odoslať do programu OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: Od&oslať do programu OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: ICQ7 - {88EB38EF-4D2C-436D-ABD3-56B232674062} - C:\Program Files\ICQ7.0\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ7 - {88EB38EF-4D2C-436D-ABD3-56B232674062} - C:\Program Files\ICQ7.0\ICQ.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: WebTran - {BFC32E1D-EE75-4A48-BC60-104E11EE2431} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {CC963627-B1DC-40E0-B52A-CF21EE748450} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: &Nastaviť prekladač - {CC963627-B1DC-40E0-B52A-CF21EE748450} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {CC963627-B1DC-40E0-B52A-CF21EE748451} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Preložiť &označený text - {CC963627-B1DC-40E0-B52A-CF21EE748451} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {CC963627-B1DC-40E0-B52A-CF21EE748452} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Preložiť &stránku - {CC963627-B1DC-40E0-B52A-CF21EE748452} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: QIP Infium - {1EF681F7-A04B-4D6D-9012-A307CCA55610} - D:\Hry\Programi inštal\QIP Infium\infium.exe (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http:\\www.stonline.sk
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Proces mezipaměti kategorií součástí - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: ICQ Service - Unknown owner - C:\Program Files\ICQ6Toolbar\ICQ Service.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe
O23 - Service: ServiceLayer - Nokia - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: SmileyCentral Service (SmileyCentral_1vService) - SmileyCentral - C:\PROGRA~1\SMILEY~2\bar\1.bin\1vbarsvc.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: srvbtcclient - Unknown owner - C:\WINDOWS\update.5.0\svchost.exe
O23 - Service: srviecheck - Unknown owner - C:\WINDOWS\update.2\svchost.exe
O23 - Service: srvsysdriver32 - Unknown owner - C:\WINDOWS\sysdriver32.exe
O23 - Service: wxpdrivers - Unknown owner - C:\WINDOWS\update.1\svchost.exe

--
End of file - 12882 bytes
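As an added example (not part of the original post, and not a HijackThis feature), the script below applies a few of the heuristics a helper uses when reading a log like the one above: svchost.exe running from anywhere but system32, numeric-named executables, autoruns launched from a Temp directory, executables dropped straight into the Windows directory, services with an "Unknown owner", and Internet Explorer search settings pointing at a non-Microsoft host. The sample lines are copied from the posted log; the rule names, the trusted-host list and the small allowlist of binaries that legitimately live in the Windows root are my assumptions, and the output is a list of items to review, not verdicts.

```python
"""Heuristic triage of HijackThis-style log lines.

Added example for this thread; it is not a forum tool and not part of
HijackThis.  SAMPLE_LOG is a subset of the log posted above; the rules,
TRUSTED_SEARCH_HOSTS and KNOWN_GOOD_IN_WINDOWS_ROOT are assumptions.
"""
import re
from pathlib import PureWindowsPath
from urllib.parse import urlsplit

# Lines copied from the posted HijackThis log (a representative subset).
SAMPLE_LOG = r"""
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\update.tray-7-0\svchost.exe
C:\WINDOWS\l1rezerv.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://search13.net/search.php?clid=486&q=%s
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.parabola.cz/
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [5793024.exe] "C:\DOCUME~1\Root\LOCALS~1\Temp\5793024.exe"
O4 - HKLM\..\Run: [sysdriver32.exe] "C:\WINDOWS\sysdriver32.exe" rezerv
O4 - HKLM\..\Run: [avast5] "C:\Program Files\Alwil Software\Avast5\avastUI.exe" /nogui
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: srvbtcclient - Unknown owner - C:\WINDOWS\update.5.0\svchost.exe
"""

# Either a quoted path, or an unquoted one ending in a binary extension.
PATH_RE = re.compile(
    r'"([A-Za-z]:\\[^"]+)"|([A-Za-z]:\\.*?\.(?:exe|dll|sys|com))(?=\s|$)', re.IGNORECASE)
# O23 lines: "O23 - Service: <name> - <owner> - <path>"
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>[A-Za-z]:\\.*)$")
# R0-R3 lines whose value name mentions Search (start page is user choice, search keys rarely are).
SEARCH_RE = re.compile(r"^R[0-3] - .*Search[^=]*= (?P<url>\S+)$", re.IGNORECASE)
NUMERIC_EXE = re.compile(r"^\d+\.exe$")

TRUSTED_SEARCH_HOSTS = ("microsoft.com", "msn.com", "live.com")      # assumption
# Binaries that legitimately sit directly in %SystemRoot%; extend per machine (assumption).
KNOWN_GOOD_IN_WINDOWS_ROOT = {"explorer.exe", "notepad.exe", "regedit.exe", "hh.exe", "soundman.exe"}
SYSTEM32 = r"c:\windows\system32"
WINDOWS_ROOT = r"c:\windows"


def _trusted(host):
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SEARCH_HOSTS)


def triage(log_text):
    """Return (rule, evidence) pairs for every line that trips a heuristic."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        sm = SEARCH_RE.match(line)
        if sm:
            host = (urlsplit(sm.group("url")).hostname or "").lower()
            if host and not _trusted(host):
                findings.append(("search-hijack", host))
            continue
        svc = O23_RE.match(line)
        if svc and svc.group("owner") == "Unknown owner":
            findings.append(("service-unknown-owner", svc.group("path")))
        pm = PATH_RE.search(line)
        if not pm:                      # e.g. a bare "SOUNDMAN.EXE" with no directory
            continue
        path = pm.group(1) or pm.group(2)
        p = PureWindowsPath(path)
        name, parent = p.name.lower(), str(p.parent).lower()
        if name == "svchost.exe" and parent != SYSTEM32:
            findings.append(("svchost-outside-system32", path))
        if NUMERIC_EXE.match(name):     # the pattern exeHelper calls "numerical processes"
            findings.append(("numeric-name", path))
        if any(part.lower() == "temp" for part in p.parts[:-1]):
            findings.append(("runs-from-temp", path))
        if parent == WINDOWS_ROOT and name.endswith(".exe") and name not in KNOWN_GOOD_IN_WINDOWS_ROOT:
            findings.append(("exe-in-windows-root", path))
    return findings


def triage_sample():
    return triage(SAMPLE_LOG)


if __name__ == "__main__":
    for rule, evidence in triage_sample():
        print(f"{rule:26} {evidence}")
```

Run it as-is to see the sample findings, or feed it a whole saved HijackThis log through `triage()`. Every rule is deliberately loose (Realtek's SOUNDMAN.EXE and Explorer.EXE really do live in C:\WINDOWS, which is why the allowlist exists); the point is to pull the handful of lines worth a second look out of a two-hundred-line log, not to decide what is malware.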

07Radoslav

Re: Facebook - Trojan horse

#2 Post by 07Radoslav »

My PC somehow doesn't want to work in Safe Mode with Networking; it keeps interrupting me and the PC goes back into normal mode. Can I run the Rkill EXE in that state as well?

vyosek (VIP, 56373 posts, registered 07 Nov 2006 15:24, location: Šalingrad - Brno)

Re: Facebook - Trojan horse

#3 Post by vyosek »

Hello, have a nice day and welcome to our forum :welcome:

:arrow: Download RKill http://download.bleepingcomputer.com/grinler/rkill.com :arrow: Apply exeHelper by Raktor :arrow: RKill and eXeHelper should each produce a log; paste them here - if not, never mind

PLEASE READ THE INSTRUCTIONS THOROUGHLY - THIS UTILITY HAS A GREAT CAPACITY TO DELETE AND MUST ONLY BE APPLIED ON RECOMMENDATION, OTHERWISE YOUR SYSTEM CAN GO DOWN THE DRAIN
:arrow: Download ComboFix and save it to the desktop http://download.bleepingcomputer.com/sUBs/ComboFix.exe
  • Disable all resident security programs - firewalls, antivirus, antispyware etc.
  • If you have Win XP, run it under the Administrator account
  • If you have Win Vista or Win 7, right-click ComboFix and choose Run As Administrator
  • Immediately after it starts, a page with the licence agreement appears; continue by clicking Yes
  • If CF offers to install the Recovery Console, agree
  • Then follow the prompts; during the scan leave the PC completely alone - do not start any applications and do not click into the window that appears
  • The scan should take about 10 min, but if the PC is heavily infested it can take longer
  • After the scan finishes, and after a possible restart, CF displays a log; otherwise you will find it at C:\ComboFix.txt. Paste its contents here
  • Detailed instructions incl. pictures are here http://www.bleepingcomputer.com/combofi ... t-combofix

07Radoslav

Re: Facebook - Trojan horse

#4 Post by 07Radoslav »

This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.

Rkill was run on . 07. 2011 at 15:13:29.
Operating System: Microsoft Windows XP


Processes terminated by Rkill or while it was running:

C:\Program Files\Nokia\Nokia Ovi Suite\NokiaOviSuite.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
D:\Hry\Programi inC:\Documents and Settings\Root\Dokumenty\rkill.com


Rkill completed on . 07. 2011 at 15:13:37.




exeHelper by Raktor
Build 20100414
Run at 15:15:29 on 07/16/11
Now searching...
Checking for numerical processes...
Removing HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\5793024.exe
Removing HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\9301718.exe
Removing HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\9677931.exe
Checking for sysguard processes...
Checking for bad processes...
Checking for bad files...
Checking for bad registry entries...
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--

07Radoslav

Re: Facebook - Trojan horse

#5 Post by 07Radoslav »

ComboFix 11-07-15.03 - Root . 07. 2011 15:41:24.1.1 - x86
Running from: c:\documents and settings\Root\Dokumenty\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Root\WINDOWS
c:\program files\bifrost
c:\program files\Bifrost\logg.dat
c:\windows\btc_client_iplist.txt
c:\windows\ddh_iplist.txt
c:\windows\front_ip_list.txt
c:\windows\iecheck_iplist.txt
c:\windows\info1
c:\windows\iplist.txt
c:\windows\l1rezerv.exe
c:\windows\loader2.exe_ok
c:\windows\proc_list1.log
c:\windows\services32.exe
c:\windows\sysdriver32.exe
c:\windows\sysdriver32_.exe
c:\windows\system32\drivers\etc\HSTS~1
c:\windows\system32\system32
c:\windows\system32\system32\logg.dat
c:\windows\system32\wdsdtdsini.dll
c:\windows\systemup.exe
c:\windows\update.1
c:\windows\update.1\svchost.exe
c:\windows\update.2
c:\windows\update.2\svchost.exe
c:\windows\update.5.0
c:\windows\update.5.0\svchost.exe
c:\windows\update.tray-7-0\svchost.exe
c:\windows\winlog-dirs.txt
c:\windows\winlog-ids.txt
c:\windows\winsetupapi.log
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_SRVIECHECK
-------\Legacy_SRVSYSDRIVER32
-------\Legacy_WXPDRIVERS
-------\Service_srviecheck
-------\Service_srvsysdriver32
-------\Service_wxpdrivers
-------\Legacy_srvbtcclient
-------\Legacy_srvbtcclient
-------\Service_srvbtcclient
-------\Service_srvbtcclient
.
.
((((((((((((((((((((((((( Files Created from 2011-06-16 to 2011-07-16 )))))))))))))))))))))))))))))))
.
.
2011-07-16 10:54 . 2011-07-16 10:54 388096 ----a-r- c:\documents and settings\Root\Data aplikací\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-07-15 10:04 . 2011-07-15 10:04 -------- d-----w- c:\windows\system32\wbem\Repository
2011-07-14 18:52 . 2011-07-16 13:46 -------- d--h--w- c:\windows\update.tray-7-0
2011-07-14 18:52 . 2011-07-14 18:52 -------- d--h--w- c:\windows\update.tray-7-0-lnk
2011-07-14 18:48 . 2011-01-13 07:41 294608 ----a-w- c:\windows\system32\drivers\aswSP.sys
2011-07-14 18:48 . 2011-01-13 07:37 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2011-07-14 18:48 . 2011-01-13 07:37 23632 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2011-07-14 18:48 . 2011-01-13 07:40 47440 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2011-07-14 18:48 . 2011-01-13 07:40 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2011-07-14 18:48 . 2011-01-13 07:39 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys
2011-07-14 18:48 . 2011-01-13 07:37 29392 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2011-07-14 18:47 . 2011-01-13 07:47 38848 ----a-w- c:\windows\avastSS.scr
2011-07-14 18:47 . 2011-01-13 07:47 188216 ----a-w- c:\windows\system32\aswBoot.exe
2011-07-14 14:40 . 2011-07-14 14:39 502368 ----a-w- c:\windows\system32\drivers\amon.sys
2011-07-14 10:02 . 2011-07-14 10:02 -------- d-----w- c:\windows\ufa
2011-07-14 10:02 . 2011-07-14 10:02 -------- d-----w- c:\windows\rpcminer
2011-07-14 10:02 . 2011-07-14 10:02 -------- d-----w- c:\windows\phoenix
2011-07-14 10:02 . 2011-07-14 10:02 246272 ----a-w- c:\windows\unrar.exe
2011-07-14 09:59 . 2011-07-14 18:54 -------- d-----w- c:\windows\av_ico
2011-07-14 09:58 . 2011-07-14 09:58 -------- d--h--w- c:\windows\update.tray-3-0
2011-07-14 09:58 . 2011-07-14 09:58 -------- d--h--w- c:\windows\update.tray-3-0-lnk
2011-07-14 09:47 . 2011-07-14 09:47 -------- d-----w- c:\documents and settings\LocalService\Nabídka Start
2011-07-04 15:06 . 2011-07-04 15:06 -------- d-----w- c:\documents and settings\All Users\Data aplikací\NokiaAccount
2011-07-04 14:29 . 2008-08-26 08:26 18816 ----a-w- c:\windows\system32\drivers\pccsmcfd.sys
2011-07-04 14:28 . 2011-07-04 14:28 -------- d-----w- c:\program files\PC Connectivity Solution
2011-07-04 14:28 . 2010-12-02 11:36 8576 ----a-w- c:\windows\system32\drivers\nmwcdnsuc.sys
2011-07-04 14:28 . 2010-12-02 11:36 137600 ----a-w- c:\windows\system32\drivers\nmwcdnsu.sys
2011-07-04 14:27 . 2010-12-02 13:13 8192 ----a-w- c:\windows\system32\drivers\usbser_lowerfltj.sys
2011-07-04 14:27 . 2010-12-02 13:13 8192 ----a-w- c:\windows\system32\drivers\usbser_lowerflt.sys
2011-07-04 14:27 . 2010-12-02 13:13 23168 ----a-w- c:\windows\system32\drivers\ccdcmbo.sys
2011-07-04 14:27 . 2010-12-02 13:13 18304 ----a-w- c:\windows\system32\drivers\ccdcmb.sys
2011-07-04 14:19 . 2011-07-04 14:19 -------- d-----w- c:\documents and settings\All Users\Data aplikacĂ­
2011-06-26 13:45 . 2011-06-26 13:45 2106216 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_43.dll
2011-06-26 13:45 . 2011-06-26 13:45 1998168 ----a-w- c:\program files\Mozilla Firefox\d3dx9_43.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-06-26 13:45 . 2011-05-08 14:40 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3CF7606-E683-4375-A372-96B75DA0AEF7}]
2010-01-07 06:51 185344 ----a-w- c:\program files\Stylish Profile\enlbrdr.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2008-01-22 152872]
"ICQ"="c:\program files\ICQ7.0\ICQ.exe" [2011-01-05 133432]
"NokiaOviSuite2"="c:\program files\Nokia\Nokia Ovi Suite\NokiaOviSuite.exe" [2011-05-20 724536]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NokiaMServer"="c:\program files\Common Files\Nokia\MPlatform\NokiaMServer" [X]
"SoundMan"="SOUNDMAN.EXE" [2005-08-17 90112]
"OrderReminder"="c:\program files\Hewlett-Packard\OrderReminder\OrderReminder.exe" [2006-01-30 98304]
"SpywareTerminator"="c:\program files\Spyware Terminator\SpywareTerminatorShield.exe" [2008-10-21 1817600]
"Share-to-Web Namespace Daemon"="c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-17 69632]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2008-05-28 570664]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-11-24 98304]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-06-08 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 31016]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-06-29 286720]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableSecureUIAPaths"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
"DisableThumbnailCache"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"d:\\Hry\\CS 1.6\\hl.exe"=
"d:\\Hry\\Warcraft III\\Warcraft III.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"d:\\Hry\\Programi inštal\\QIP Infium\\infium.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\ICQ7.0\\ICQ.exe"=
"c:\\Program Files\\ICQ7.0\\aolload.exe"=
"d:\\Hry\\Programi inštal\\Skype\\Skype.exe"=
"d:\\Hry\\Programi inštal\\Skype\\Plugin Manager\\skypePM.exe"=
"d:\\Hry\\Programi inštal\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Nokia\\Nokia Ovi Suite\\NokiaOviSuite.exe"=
"c:\\Program Files\\Nero\\Nero 7\\Nero ShowTime\\ShowTime.exe"=
"c:\\Program Files\\Common Files\\Nokia\\Service Layer\\A\\nsl_host_process.exe"=
"c:\\WINDOWS\\update.tray-3-0\\svchost.exe"=
.
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [11. 4. 2007 12:52 691696]
R1 sp_rsdrv2;Spyware Terminator Driver 2;c:\windows\system32\drivers\sp_rsdrv2.sys [21. 10. 2008 8:26 141312]
R2 DLPortIO;DriverLINX Port I/O Driver;c:\windows\system32\drivers\DLPortIO.SYS [16. 2. 2010 20:01 3584]
R2 ICQ Service;ICQ Service;c:\program files\ICQ6Toolbar\ICQ Service.exe [5. 4. 2010 17:10 246520]
R3 SER120;OTI Serial port driver;c:\windows\system32\drivers\ser120.sys [18. 6. 2009 9:30 32782]
S2 SmileyCentral_1vService;SmileyCentral Service;c:\progra~1\SMILEY~2\bar\1.bin\1vbarsvc.exe [5. 12. 2010 12:53 28766]
S3 AC2003;AC2003;c:\windows\system32\drivers\AC2003.sys [11. 4. 2007 19:45 4224]
S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [4. 7. 2011 16:28 137600]
S3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsuc.sys [4. 7. 2011 16:28 8576]
S3 TVICHW32;TVICHW32;c:\windows\system32\drivers\TVICHW32.SYS [8. 5. 2007 16:00 23600]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.parabola.cz/
uDefault_Search_URL = hxxp://search13.net/
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://search13.net/
uCustomizeSearch = hxxp://search13.net/
IE: E&xportovat do aplikace Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: E&xportovať do programu Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: {{CC963627-B1DC-40E0-B52A-CF21EE748450} - {CC963627-B1DC-40E0-B52A-CF21EE748450} -
IE: {{CC963627-B1DC-40E0-B52A-CF21EE748451} - {CC963627-B1DC-40E0-B52A-CF21EE748451} -
IE: {{CC963627-B1DC-40E0-B52A-CF21EE748452} - {CC963627-B1DC-40E0-B52A-CF21EE748452} -
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\documents and settings\Root\Data aplikací\Mozilla\Firefox\Profiles\kvxyhrsy.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search13.net/search.php?clid=486&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.zoznam.sk/
FF - prefs.js: keyword.URL - hxxp://search.mywebsearch.com/mywebsearch/GGmain.jhtml?id=ZNzfb013YYSK&ptb=55F39EE3-62A4-4FE4-8024-7327F87C3B77&psa=&ind=2010120505&ptnrS=ZNzfb013YYSK&si=&st=kwd&n=77d00139&searchfor=
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{EEE6C35B-6118-11DC-9C72-001320C79847} - (no file)
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
HKLM-Run-wxpdrv - c:\windows\services32.exe
HKLM-Run-tray_ico - (no file)
HKLM-Run-tray_ico0 - c:\windows\update.tray-7-0\svchost.exe
HKLM-Run-tray_ico1 - (no file)
HKLM-Run-tray_ico2 - (no file)
HKLM-Run-tray_ico3 - (no file)
HKLM-Run-tray_ico4 - (no file)
HKLM-Run-sysdriver32.exe - c:\windows\sysdriver32.exe
HKLM-Run-sysdriver32_.exe - c:\windows\sysdriver32_.exe
HKLM-Run-l1rezerv.exe - c:\windows\l1rezerv.exe
HKLM-Run-systemup - c:\windows\systemup.exe
ShellExecuteHooks-{0CD68AC9-FF63-3E61-626B-B663E62F6236} - (no file)
SafeBoot-WudfPf
SafeBoot-WudfRd
HKLM_ActiveSetup-{42ADED99-DA74-BD17-BEF2-ECC18E7D8F32} - c:\windows\internet\iexploer.exe
AddRemove-avast5 - c:\program files\Alwil Software\Avast5\aswRunDll.exe
AddRemove-{DBC3FDEC-D5F4-439C-9A18-EF454A74E3DE}_is1 - c:\program files\Eset\unins000.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-07-16 15:53
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(568)
c:\windows\system32\Ati2evxx.dll
.
- - - - - - - > 'explorer.exe'(1072)
c:\windows\system32\msi.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\SOUNDMAN.EXE
c:\program files\Common Files\Nokia\MPlatform\NokiaMServer.exe
c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\IoctlSvc.exe
c:\program files\Spyware Terminator\sp_rsser.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
c:\program files\Common Files\Ahead\Lib\NMIndexingService.exe
c:\windows\system32\wscntfy.exe
c:\program files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
c:\program files\PC Connectivity Solution\ServiceLayer.exe
c:\program files\PC Connectivity Solution\Transports\NclRSSrv.exe
c:\program files\PC Connectivity Solution\Transports\NclUSBSrv.exe
c:\program files\PC Connectivity Solution\Transports\NclMSBTSrv.exe
c:\program files\Mozilla Firefox\firefox.exe
c:\program files\Mozilla Firefox\plugin-container.exe
.
**************************************************************************
.
Completion time: 2011-07-16 16:02:07 - machine was rebooted
ComboFix-quarantined-files.txt 2011-07-16 14:01
.
Pre-Run: 9 729 531 904
Post-Run: 9 949 630 464
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=AlwaysOff /fastdetect
.
- - End Of File - - 4001535B25C9951372F2271BAE0D6BA7
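Added example, not from the thread and not part of ComboFix: the "Reg Loading Points" and boot loader sections of a ComboFix log are where tampering with the machine's own defences shows up, and the log above has all four classic signs. The script reads those sections (the sample is copied from the log above) and reports Security Center overrides (AntiVirusOverride/FirewallOverride = 1 silence the "no antivirus/firewall" warnings), a disabled XP firewall (EnableFirewall = 0 in the standard profile), firewall exceptions for binaries living under the Windows directory outside system32, and DEP switched off system-wide by /noexecute=AlwaysOff in boot.ini (XP SP3 defaults to OptIn). The rule names and the mapping of %windir% to C:\WINDOWS are my assumptions.

```python
"""Security-control tampering check over ComboFix 'Reg Loading Points'
and boot.ini sections.

Added example for this thread; it is not ComboFix code.  SAMPLE is
copied from the log posted above; the rule names and WINDIR are assumptions.
"""
import re

SAMPLE = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
"DisableThumbnailCache"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\ICQ7.0\\ICQ.exe"=
"c:\\WINDOWS\\update.tray-3-0\\svchost.exe"=
.
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=AlwaysOff /fastdetect
"""

KEY_RE = re.compile(r"^\[(?P<key>.+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<value>.*)$')
NOEXECUTE_RE = re.compile(r"/noexecute=(?P<mode>\w+)", re.IGNORECASE)

WINDIR = r"c:\windows"     # assumption: %windir% resolves here (true for the posted log)
# Locations under the Windows directory where a firewall exception is expected.
ALLOWED_UNDER_WINDIR = (WINDIR + "\\system32\\", WINDIR + "\\network diagnostic\\")
# Healthy values for reference: AntiVirusOverride 0, FirewallOverride 0,
# EnableFirewall 1, /noexecute=OptIn.


def _as_int(value):
    """ComboFix prints DWORDs either as 'dword:00000001' or as '0 (0x0)'."""
    value = value.strip()
    if value.lower().startswith("dword:"):
        return int(value[6:], 16)
    m = re.match(r"\d+", value)
    return int(m.group()) if m else None


def _unescape(path):
    return path.replace("\\\\", "\\")       # the log doubles every backslash


def _suspicious_exception(path):
    p = _unescape(path).lower().replace("%windir%", WINDIR)
    return p.startswith(WINDIR + "\\") and not p.startswith(ALLOWED_UNDER_WINDIR)


def audit(text):
    """Return (rule, evidence) pairs for each disabled or bypassed control."""
    findings, key = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        km = KEY_RE.match(line)
        if km:
            key = km.group("key").lower()
            continue
        nx = NOEXECUTE_RE.search(line)
        if nx:
            if nx.group("mode").lower() == "alwaysoff":
                findings.append(("dep-disabled", nx.group(0)))
            continue
        vm = VALUE_RE.match(line)
        if not vm:
            continue
        name, value = vm.group("name"), vm.group("value")
        if key.endswith("\\security center") and name in ("AntiVirusOverride", "FirewallOverride"):
            if _as_int(value) == 1:
                findings.append(("security-center-override", name))
        elif key.endswith("firewallpolicy\\standardprofile") and name == "EnableFirewall":
            if _as_int(value) == 0:
                findings.append(("firewall-disabled", name))
        elif key.endswith("\\authorizedapplications\\list") and _suspicious_exception(name):
            findings.append(("firewall-exception-in-windir", _unescape(name)))
    return findings


def audit_sample():
    return audit(SAMPLE)


if __name__ == "__main__":
    for rule, evidence in audit_sample():
        print(f"{rule:30} {evidence}")
```

Each finding maps to one remediation: reset the two override DWORDs to 0, set EnableFirewall back to 1, drop the exception for the dropped svchost.exe, and change /noexecute back to OptIn in boot.ini. Note that the Security Center override keys are a quiet indicator: nothing is visibly broken, the warning balloon simply never appears, which is exactly what a fake "enhanced protection mode" message is meant to cover.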

vyosek

Re: Facebook - Trojan horse

#6 Post by vyosek »

:arrow: If it is not there already, move ComboFix to the desktop
  • Open Notepad (Start - Run - notepad)
  • Copy the script below
  • Code:

    KillAll::
    
    Collect::
    c:\windows\unrar.exe
    
    File::
    C:\Documents and Settings\Root\Data aplikací\Microsoft\Internet Explorer\qipsearchbar.dll
    
    Folder::
    c:\windows\update.tray-7-0
    c:\windows\update.tray-7-0-lnk
    c:\windows\ufa
    c:\windows\rpcminer
    c:\windows\phoenix
    c:\windows\av_ico
    c:\windows\update.tray-3-0
    c:\windows\update.tray-3-0-lnk
    c:\program files\Stylish Profile
    c:\progra~1\SMILEY~2
    c:\program files\ICQ6Toolbar
    
    DDS::
    uDefault_Search_URL = hxxp://search13.net/
    uInternet Settings,ProxyOverride = *.local
    uSearchAssistant = hxxp://search13.net/
    uCustomizeSearch = hxxp://search13.net/
    
    Firefox::
    FF - ProfilePath - c:\documents and settings\Root\Data aplikací\Mozilla\Firefox\Profiles\kvxyhrsy.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://search13.net/search.php?clid=486&q=
    FF - prefs.js: keyword.URL - hxxp://search.mywebsearch.com/mywebsear ... searchfor=
    
    Registry::
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"=-
    "ICQ"=-
    "NokiaOviSuite2"=-
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3CF7606-E683-4375-A372-96B75DA0AEF7}]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NokiaMServer"=-
    "OrderReminder"=-
    "NeroFilterCheck"=-
    "SunJavaUpdateSched"=-
    "Adobe Reader Speed Launcher"=-
    "Adobe ARM"=-
    "GrooveMonitor"=-
    "QuickTime Task"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000000
    "FirewallOverride"=dword:00000000
    "DisableThumbnailCache"=dword:00000000
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    c:\\WINDOWS\\update.tray-3-0\\svchost.exe"=-
    
    Driver::
    SmileyCentral_1vService
    ICQ Service
    NBService
    
    Reboot::
    
  • Save the created TXT as CFScript.txt
  • Drag the created CFScript.txt onto ComboFix and run it (see the picture below)
    Image
  • After the script is applied (and after a possible restart) a log will pop up; paste its contents here
:arrow: It may happen that Windows does not boot after the script is applied; in that case restart the PC, keep pressing F8 and choose Last Known Good Configuration
"Whoever has wine and does not drink it, whoever has grapes and does not eat them, whoever has a woman and does not kiss her, whoever shuns merriment, take a whip and a stick to him; that is no man, that is an ox."
Member since 1 February 2011.

07Radoslav
Guest
Posts: 7
Registered: 16 Jul 2011 12:37

Re: Facebook - Trojan horse

#7 Post by 07Radoslav »

ComboFix 11-07-15.03 - Root . 07. 2011 16:57:52.2.1 - x86
Systém Microsoft Windows XP Professional 5.1.2600.3.1250.421.1029.18.1022.584 [GMT 2:00]
Running from: c:\documents and settings\Root\Plocha\ComboFix.exe
Command switches used :: c:\documents and settings\Root\Plocha\CFScript.txt
AV: avast! Antivirus *Enabled/Outdated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
FILE ::
"c:\documents and settings\Root\Data aplikací\Microsoft\Internet Explorer\qipsearchbar.dll"
.
file zipped: c:\windows\unrar.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\docume~1\Root\LOCALS~1\Temp\4047540.exe
C:\Microsoft
c:\progra~1\SMILEY~2
c:\progra~1\SMILEY~2\bar\1.bin\1vbar.dll
c:\progra~1\SMILEY~2\bar\1.bin\1vbarsvc.exe
c:\progra~1\SMILEY~2\bar\1.bin\1vdatact.dll
c:\progra~1\SMILEY~2\bar\1.bin\1vdyn.dll
c:\progra~1\SMILEY~2\bar\1.bin\1vfeedmg.dll
c:\progra~1\SMILEY~2\bar\1.bin\1vhighin.exe
c:\progra~1\SMILEY~2\bar\1.bin\1vhtml.dll
c:\progra~1\SMILEY~2\bar\1.bin\1vhtmlmu.dll
c:\progra~1\SMILEY~2\bar\1.bin\1vhttpct.dll
c:\progra~1\SMILEY~2\bar\1.bin\1vidle.dll
c:\progra~1\SMILEY~2\bar\1.bin\1vimpipe.exe
c:\progra~1\SMILEY~2\bar\1.bin\1vmedint.exe
c:\progra~1\SMILEY~2\bar\1.bin\1vmlbtn.dll
c:\progra~1\SMILEY~2\bar\1.bin\1vmsg.dll
c:\progra~1\SMILEY~2\bar\1.bin\1vPlugin.dll
c:\progra~1\SMILEY~2\bar\1.bin\1vradio.dll
c:\progra~1\SMILEY~2\bar\1.bin\1vregfft.dll
c:\progra~1\SMILEY~2\bar\1.bin\1vscript.dll
c:\progra~1\SMILEY~2\bar\1.bin\1vskin.dll
c:\progra~1\SMILEY~2\bar\1.bin\1vskplay.exe
c:\progra~1\SMILEY~2\bar\1.bin\CHROME.MANIFEST
c:\progra~1\SMILEY~2\bar\1.bin\chrome\1vffxtbr.jar
c:\progra~1\SMILEY~2\bar\1.bin\INSTALL.RDF
c:\progra~1\SMILEY~2\bar\1.bin\LOGO.BMP
c:\progra~1\SMILEY~2\bar\1.bin\NP1vStub.dll
c:\progra~1\SMILEY~2\bar\Cache\00429885
c:\progra~1\SMILEY~2\bar\Cache\004377BA.bmp
c:\progra~1\SMILEY~2\bar\Cache\004379ED.bmp
c:\progra~1\SMILEY~2\bar\Cache\00437EA0.bmp
c:\progra~1\SMILEY~2\bar\Cache\00438036.bmp
c:\progra~1\SMILEY~2\bar\Cache\00438268.bmp
c:\progra~1\SMILEY~2\bar\Cache\0043869F.bmp
c:\progra~1\SMILEY~2\bar\Cache\00438A96.bin
c:\progra~1\SMILEY~2\bar\Cache\files.ini
c:\progra~1\SMILEY~2\bar\History\search3
c:\progra~1\SMILEY~2\bar\Message\COMMON.T8S
c:\progra~1\SMILEY~2\bar\Settings\prevcfg2.htm
c:\progra~1\SMILEY~2\bar\Settings\s_pid.dat
c:\program files\ICQ6Toolbar
c:\program files\ICQ6Toolbar\config.xml
c:\program files\ICQ6Toolbar\Icons.bmp
c:\program files\ICQ6Toolbar\ICQ Service.exe
c:\program files\ICQ6Toolbar\icq6Toolbar.ico
c:\program files\ICQ6Toolbar\ICQToolBar.dll
c:\program files\ICQ6Toolbar\ICQUnToolbar.exe
c:\program files\ICQ6Toolbar\logo_small.gif
c:\program files\ICQ6Toolbar\ServiceStarter.exe
c:\program files\ICQ6Toolbar\short.wav
c:\program files\ICQ6Toolbar\Thumbs.db
c:\program files\ICQ6Toolbar\Version.txt
c:\program files\Stylish Profile
c:\program files\Stylish Profile\ct.htm
c:\program files\Stylish Profile\enlbrdr.dll
c:\program files\Stylish Profile\hoticon.ico
c:\program files\Stylish Profile\tomapi.js
c:\program files\Stylish Profile\tommain.js
c:\program files\Stylish Profile\uninstall.exe
c:\windows\av_ico
c:\windows\av_ico\ico_avast_desktop.ico
c:\windows\av_ico\ico_avast_start.ico
c:\windows\av_ico\ico_NOD_SS_START.ico
c:\windows\av_ico\ico_NOD_SYSINSP.ico
c:\windows\av_ico\ico_NOD_SYSRESC.ico
c:\windows\av_ico\ico_NOD_TXT.ico
c:\windows\av_ico\ico_NOD_UNINSTALL.ico
c:\windows\front_ip_list.txt
c:\windows\info1
c:\windows\iplist.txt
c:\windows\l1rezerv.exe
c:\windows\loader2.exe_ok
c:\windows\phoenix
c:\windows\phoenix\kernels\phatk\__init__.py
c:\windows\phoenix\kernels\phatk\__init__.pyc
c:\windows\phoenix\kernels\phatk\BFIPatcher.py
c:\windows\phoenix\kernels\phatk\kernel.cl
c:\windows\phoenix\kernels\poclbm\__init__.py
c:\windows\phoenix\kernels\poclbm\__init__.pyc
c:\windows\phoenix\kernels\poclbm\BFIPatcher.py
c:\windows\phoenix\kernels\poclbm\kernel.cl
c:\windows\phoenix\phoenix.exe
c:\windows\proc_list1.log
c:\windows\rpcminer
c:\windows\rpcminer\bitcoinminercuda_10.cubin
c:\windows\rpcminer\bitcoinminercuda_11.cubin
c:\windows\rpcminer\bitcoinminercuda_20.cubin
c:\windows\rpcminer\bitcoinmineropencl.cl
c:\windows\rpcminer\cudart32_32_16.dll
c:\windows\rpcminer\curllib.dll
c:\windows\rpcminer\libeay32.dll
c:\windows\rpcminer\libsasl.dll
c:\windows\rpcminer\openldap.dll
c:\windows\rpcminer\rpcminer-4way.exe
c:\windows\rpcminer\rpcminer-cpu.exe
c:\windows\rpcminer\rpcminer-cuda.exe
c:\windows\rpcminer\rpcminer-opencl.exe
c:\windows\rpcminer\ssleay32.dll
c:\windows\sysdriver32.exe
c:\windows\sysdriver32_.exe
c:\windows\TEMP\5025677.exe
c:\windows\ufa
c:\windows\ufa\ufa.exe
c:\windows\unrar.exe
c:\windows\update.2
c:\windows\update.2\svchost.exe
c:\windows\update.tray-3-0-lnk
c:\windows\update.tray-3-0-lnk\svchost.exe
c:\windows\update.tray-3-0
c:\windows\update.tray-3-0\svchost.exe
c:\windows\update.tray-7-0-lnk
c:\windows\update.tray-7-0-lnk\svchost.exe
c:\windows\update.tray-7-0
c:\windows\winsetupapi.log
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_ICQ_SERVICE
-------\Legacy_SMILEYCENTRAL_1VSERVICE
-------\Legacy_SRVIECHECK
-------\Legacy_SRVSYSDRIVER32
-------\Service_ICQ Service
-------\Service_NBService
-------\Service_SmileyCentral_1vService
-------\Service_srviecheck
-------\Service_srvsysdriver32
.
.
((((((((((((((((((((((((( Files Created from 2011-06-16 to 2011-07-16 )))))))))))))))))))))))))))))))
.
.
2011-07-16 14:56 . 2011-07-16 14:56 181760 ----a-w- c:\program files\Windows NT\dwm.exe
2011-07-16 14:56 . 2011-07-16 14:56 169472 ----a-w- c:\program files\Internet Explorer\conhost.exe
2011-07-16 14:56 . 2011-07-16 14:56 169472 ----a-w- c:\windows\gbot111.exe
2011-07-16 10:54 . 2011-07-16 10:54 388096 ----a-r- c:\documents and settings\Root\Data aplikací\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-07-15 10:04 . 2011-07-15 10:04 -------- d-----w- c:\windows\system32\wbem\Repository
2011-07-14 18:48 . 2011-01-13 07:41 294608 ----a-w- c:\windows\system32\drivers\aswSP.sys
2011-07-14 18:48 . 2011-01-13 07:37 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2011-07-14 18:48 . 2011-01-13 07:37 23632 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2011-07-14 18:48 . 2011-01-13 07:40 47440 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2011-07-14 18:48 . 2011-01-13 07:40 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2011-07-14 18:48 . 2011-01-13 07:39 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys
2011-07-14 18:48 . 2011-01-13 07:37 29392 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2011-07-14 18:47 . 2011-01-13 07:47 38848 ----a-w- c:\windows\avastSS.scr
2011-07-14 18:47 . 2011-01-13 07:47 188216 ----a-w- c:\windows\system32\aswBoot.exe
2011-07-14 14:40 . 2011-07-14 14:39 502368 ----a-w- c:\windows\system32\drivers\amon.sys
2011-07-14 09:47 . 2011-07-14 09:47 -------- d-----w- c:\documents and settings\LocalService\Nabídka Start
2011-07-04 15:06 . 2011-07-04 15:06 -------- d-----w- c:\documents and settings\All Users\Data aplikací\NokiaAccount
2011-07-04 14:29 . 2008-08-26 08:26 18816 ----a-w- c:\windows\system32\drivers\pccsmcfd.sys
2011-07-04 14:28 . 2011-07-04 14:28 -------- d-----w- c:\program files\PC Connectivity Solution
2011-07-04 14:28 . 2010-12-02 11:36 8576 ----a-w- c:\windows\system32\drivers\nmwcdnsuc.sys
2011-07-04 14:28 . 2010-12-02 11:36 137600 ----a-w- c:\windows\system32\drivers\nmwcdnsu.sys
2011-07-04 14:27 . 2010-12-02 13:13 8192 ----a-w- c:\windows\system32\drivers\usbser_lowerfltj.sys
2011-07-04 14:27 . 2010-12-02 13:13 8192 ----a-w- c:\windows\system32\drivers\usbser_lowerflt.sys
2011-07-04 14:27 . 2010-12-02 13:13 23168 ----a-w- c:\windows\system32\drivers\ccdcmbo.sys
2011-07-04 14:27 . 2010-12-02 13:13 18304 ----a-w- c:\windows\system32\drivers\ccdcmb.sys
2011-07-04 14:19 . 2011-07-04 14:19 -------- d-----w- c:\documents and settings\All Users\Data aplikacĂ­
2011-06-26 13:45 . 2011-06-26 13:45 2106216 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_43.dll
2011-06-26 13:45 . 2011-06-26 13:45 1998168 ----a-w- c:\program files\Mozilla Firefox\d3dx9_43.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-06-26 13:45 . 2011-05-08 14:40 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2011-07-16_13.52.46 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-07-16 15:06 . 2011-07-16 15:06 16384 c:\windows\temp\Perflib_Perfdata_644.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2005-08-17 90112]
"SpywareTerminator"="c:\program files\Spyware Terminator\SpywareTerminatorShield.exe" [2008-10-21 1817600]
"Share-to-Web Namespace Daemon"="c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-17 69632]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-11-24 98304]
"sysdriver32.exe"="c:\windows\sysdriver32.exe" [BU]
"sysdriver32_.exe"="c:\windows\sysdriver32_.exe" [BU]
"l1rezerv.exe"="c:\windows\l1rezerv.exe" [BU]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableSecureUIAPaths"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"d:\\Hry\\CS 1.6\\hl.exe"=
"d:\\Hry\\Warcraft III\\Warcraft III.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"d:\\Hry\\Programi inštal\\QIP Infium\\infium.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\ICQ7.0\\ICQ.exe"=
"c:\\Program Files\\ICQ7.0\\aolload.exe"=
"d:\\Hry\\Programi inštal\\Skype\\Skype.exe"=
"d:\\Hry\\Programi inštal\\Skype\\Plugin Manager\\skypePM.exe"=
"d:\\Hry\\Programi inštal\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Nokia\\Nokia Ovi Suite\\NokiaOviSuite.exe"=
"c:\\Program Files\\Nero\\Nero 7\\Nero ShowTime\\ShowTime.exe"=
"c:\\Program Files\\Common Files\\Nokia\\Service Layer\\A\\nsl_host_process.exe"=
.
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [11. 4. 2007 12:52 691696]
R1 sp_rsdrv2;Spyware Terminator Driver 2;c:\windows\system32\drivers\sp_rsdrv2.sys [21. 10. 2008 8:26 141312]
R2 DLPortIO;DriverLINX Port I/O Driver;c:\windows\system32\drivers\DLPortIO.SYS [16. 2. 2010 20:01 3584]
R3 SER120;OTI Serial port driver;c:\windows\system32\drivers\ser120.sys [18. 6. 2009 9:30 32782]
S3 AC2003;AC2003;c:\windows\system32\drivers\AC2003.sys [11. 4. 2007 19:45 4224]
S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [4. 7. 2011 16:28 137600]
S3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsuc.sys [4. 7. 2011 16:28 8576]
S3 TVICHW32;TVICHW32;c:\windows\system32\drivers\TVICHW32.SYS [8. 5. 2007 16:00 23600]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.parabola.cz/
uSearchAssistant = hxxp://search13.net/
IE: E&xportovat do aplikace Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: E&xportovať do programu Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: {{CC963627-B1DC-40E0-B52A-CF21EE748450} - {CC963627-B1DC-40E0-B52A-CF21EE748450} -
IE: {{CC963627-B1DC-40E0-B52A-CF21EE748451} - {CC963627-B1DC-40E0-B52A-CF21EE748451} -
IE: {{CC963627-B1DC-40E0-B52A-CF21EE748452} - {CC963627-B1DC-40E0-B52A-CF21EE748452} -
FF - ProfilePath - c:\documents and settings\Root\Data aplikací\Mozilla\Firefox\Profiles\kvxyhrsy.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.zoznam.sk/
.
- - - - ORPHANS REMOVED - - - -
.
AddRemove-ICQToolbar - c:\program files\ICQ6Toolbar\ICQUnToolbar.exe
AddRemove-Stylish Profile - c:\program files\Stylish Profile\uninstall.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-07-16 17:06
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(576)
c:\windows\system32\Ati2evxx.dll
.
- - - - - - - > 'explorer.exe'(208)
c:\windows\system32\msi.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\IoctlSvc.exe
c:\program files\Spyware Terminator\sp_rsser.exe
c:\windows\system32\wscntfy.exe
c:\windows\SOUNDMAN.EXE
c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
.
**************************************************************************
.
Completion time: 2011-07-16 17:10:30 - machine was rebooted
ComboFix-quarantined-files.txt 2011-07-16 15:10
ComboFix2.txt 2011-07-16 14:02
.
Pre-Run: Volných bajtů: 10 042 798 080
Post-Run: Volných bajtů: 10 586 796 032
.
- - End Of File - - 9D2A2A840D9C7665CC08F320E381C570
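An added triage helper for ComboFix-style logs such as the ones in this thread (example code written for this page; it is not part of ComboFix, RSIT or the forum's own tooling). It picks out the three kinds of indicator that the script in post #6 and the log above turned on: Run-key values that lack the usual "[date size]" stamp ComboFix prints for files it could read, newly created files that borrow a core Windows binary name (dwm.exe, conhost.exe, svchost.exe) outside the system directories, and start/search pages pointing at hosts other than the ones the owner chose. SYSTEM_BINARY_NAMES, TRUSTED_SYSTEM_DIRS and EXPECTED_HOSTS are assumptions made for the example; the sample lines are taken from the logs posted above.

```python
"""Triage helper for ComboFix-style logs.

Added example for this thread; not part of ComboFix or of the forum's tools.
It scans Run-key entries, "Files Created" entries and browser start/search
settings and returns (category, detail) findings for a human to review.
"""
import ntpath
import re
from typing import List, Optional, Tuple

Finding = Tuple[str, str]  # (category, detail)

# Core Windows binaries whose names malware borrows. Legitimate copies live only
# in TRUSTED_SYSTEM_DIRS (assumption of this example; it covers the paths seen
# in the thread, e.g. c:\windows\update.tray-3-0\svchost.exe).
SYSTEM_BINARY_NAMES = {"svchost.exe", "dwm.exe", "conhost.exe", "explorer.exe",
                       "lsass.exe", "csrss.exe", "winlogon.exe", "services.exe"}
TRUSTED_SYSTEM_DIRS = {"c:\\windows", "c:\\windows\\system32", "c:\\windows\\syswow64"}

# Start pages / search engines the owner is assumed to have chosen (constructed
# allowlist); any other host is reported as a hijack candidate.
EXPECTED_HOSTS = {"www.google.com", "www.parabola.cz", "www.zoznam.sk"}

# "name"="path" [stamp]   -- one Run-key value as ComboFix prints it
RUN_ENTRY = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)"(?:\s+\[(?P<stamp>[^\]]*)\])?\s*$')
# ComboFix stamps files it could read as "[YYYY-MM-DD size]"
DATE_SIZE = re.compile(r"^\d{4}-\d{2}-\d{2}\s+\d+$")
# "created . modified size attributes path"   -- one "Files Created" line
FILE_ENTRY = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+\S+\s+(?P<attr>\S+)\s+(?P<path>.+)$")
# "uStart Page = hxxp://host/" and "FF - prefs.js: key - hxxp://host/"
URL_ENTRY = re.compile(
    r"^(?:u[^=]+= |FF - prefs\.js: \S+ - )(?:hxxps?|https?)://(?P<host>[^/\s]+)", re.I)


def check_binary_location(path: str) -> Optional[str]:
    """Reason string if *path* uses a core system binary name outside the system dirs."""
    name = ntpath.basename(path).lower()
    parent = ntpath.dirname(path).lower()
    if name in SYSTEM_BINARY_NAMES and parent not in TRUSTED_SYSTEM_DIRS:
        return f"system binary name outside system directories: {path}"
    return None


def triage(log_text: str) -> List[Finding]:
    """Walk the log line by line and collect review-worthy findings, in log order."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = RUN_ENTRY.match(line)
        if m:
            reason = check_binary_location(m.group("path"))
            if reason:
                findings.append(("autorun", reason))
            stamp = m.group("stamp") or ""
            # Values without the "[date size]" stamp (e.g. "[BU]" in the log
            # above) were not read like the legitimate entries; review them.
            if not DATE_SIZE.match(stamp):
                findings.append(("autorun", f"no date/size stamp: {m.group('name')} -> {m.group('path')} [{stamp}]"))
            continue
        m = FILE_ENTRY.match(line)
        if m:
            if not m.group("attr").startswith("d"):  # skip directory entries
                reason = check_binary_location(m.group("path"))
                if reason:
                    findings.append(("new-file", reason))
            continue
        m = URL_ENTRY.match(line)
        if m and m.group("host").lower() not in EXPECTED_HOSTS:
            findings.append(("browser", f"unexpected start/search host: {m.group('host').lower()}"))
    return findings


# Sample lines taken from the ComboFix logs in this thread.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2005-08-17 90112]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-11-24 98304]
"sysdriver32.exe"="c:\windows\sysdriver32.exe" [BU]
"l1rezerv.exe"="c:\windows\l1rezerv.exe" [BU]
.
2011-07-16 14:56 . 2011-07-16 14:56 181760 ----a-w- c:\program files\Windows NT\dwm.exe
2011-07-16 14:56 . 2011-07-16 14:56 169472 ----a-w- c:\program files\Internet Explorer\conhost.exe
2011-07-14 18:47 . 2011-01-13 07:47 188216 ----a-w- c:\windows\system32\aswBoot.exe
2011-07-04 14:28 . 2011-07-04 14:28 -------- d-----w- c:\program files\PC Connectivity Solution
.
uStart Page = hxxp://www.parabola.cz/
uSearchAssistant = hxxp://search13.net/
FF - prefs.js: browser.search.defaulturl - hxxp://search13.net/search.php?clid=486&q=
FF - prefs.js: browser.startup.homepage - hxxp://www.zoznam.sk/
"""


def triage_sample() -> List[Finding]:
    """Run the triage over the embedded sample (2 autorun, 2 new-file, 2 browser findings)."""
    return triage(SAMPLE_LOG)


if __name__ == "__main__":
    for category, detail in triage_sample():
        print(f"{category:9} {detail}")
```

On Windows XP neither dwm.exe nor conhost.exe is an operating-system component at all, so a file by either name is suspect on its own; the location check above is deliberately more general so that it also catches the svchost.exe copies under c:\windows\update.tray-* that the post #6 script removes. The helper only reports; deciding what to remove stays with the person reading the log, as in the thread.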

vyosek
VIP
Posts: 56373
Registered: 07 Nov 2006 15:24
Location: Šalingrad - Brno

Re: Facebook - Trojan horse

#8 Post by vyosek »

:arrow: One more script for ComboFix; the procedure is the same

Code:

KillAll::

Collect::
c:\windows\sysdriver32.exe
c:\windows\sysdriver32_.exe
c:\windows\l1rezerv.exe

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"sysdriver32.exe"=-
"sysdriver32_.exe"=-
"l1rezerv.exe"=-

Reboot::

07Radoslav
Guest
Posts: 7
Registered: 16 Jul 2011 12:37

Re: Facebook - Trojan horse

#9 Post by 07Radoslav »

ComboFix 11-07-15.03 - Root . 07. 2011 17:26:53.3.1 - x86
Systém Microsoft Windows XP Professional 5.1.2600.3.1250.421.1029.18.1022.651 [GMT 2:00]
Running from: c:\documents and settings\Root\Plocha\ComboFix.exe
Command switches used :: c:\documents and settings\Root\Plocha\CFScript.txt
AV: avast! Antivirus *Enabled/Outdated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
.
((((((((((((((((((((((((( Files Created from 2011-06-16 to 2011-07-16 )))))))))))))))))))))))))))))))
.
.
2011-07-16 14:56 . 2011-07-16 14:56 181760 ----a-w- c:\program files\Windows NT\dwm.exe
2011-07-16 14:56 . 2011-07-16 14:56 169472 ----a-w- c:\program files\Internet Explorer\conhost.exe
2011-07-16 14:56 . 2011-07-16 14:56 169472 ----a-w- c:\windows\gbot111.exe
2011-07-16 10:54 . 2011-07-16 10:54 388096 ----a-r- c:\documents and settings\Root\Data aplikací\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-07-15 10:04 . 2011-07-15 10:04 -------- d-----w- c:\windows\system32\wbem\Repository
2011-07-14 18:48 . 2011-01-13 07:41 294608 ----a-w- c:\windows\system32\drivers\aswSP.sys
2011-07-14 18:48 . 2011-01-13 07:37 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2011-07-14 18:48 . 2011-01-13 07:37 23632 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2011-07-14 18:48 . 2011-01-13 07:40 47440 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2011-07-14 18:48 . 2011-01-13 07:40 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2011-07-14 18:48 . 2011-01-13 07:39 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys
2011-07-14 18:48 . 2011-01-13 07:37 29392 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2011-07-14 18:47 . 2011-01-13 07:47 38848 ----a-w- c:\windows\avastSS.scr
2011-07-14 18:47 . 2011-01-13 07:47 188216 ----a-w- c:\windows\system32\aswBoot.exe
2011-07-14 14:40 . 2011-07-14 14:39 502368 ----a-w- c:\windows\system32\drivers\amon.sys
2011-07-14 09:47 . 2011-07-14 09:47 -------- d-----w- c:\documents and settings\LocalService\Nabídka Start
2011-07-04 15:06 . 2011-07-04 15:06 -------- d-----w- c:\documents and settings\All Users\Data aplikací\NokiaAccount
2011-07-04 14:29 . 2008-08-26 08:26 18816 ----a-w- c:\windows\system32\drivers\pccsmcfd.sys
2011-07-04 14:28 . 2011-07-04 14:28 -------- d-----w- c:\program files\PC Connectivity Solution
2011-07-04 14:28 . 2010-12-02 11:36 8576 ----a-w- c:\windows\system32\drivers\nmwcdnsuc.sys
2011-07-04 14:28 . 2010-12-02 11:36 137600 ----a-w- c:\windows\system32\drivers\nmwcdnsu.sys
2011-07-04 14:27 . 2010-12-02 13:13 8192 ----a-w- c:\windows\system32\drivers\usbser_lowerfltj.sys
2011-07-04 14:27 . 2010-12-02 13:13 8192 ----a-w- c:\windows\system32\drivers\usbser_lowerflt.sys
2011-07-04 14:27 . 2010-12-02 13:13 23168 ----a-w- c:\windows\system32\drivers\ccdcmbo.sys
2011-07-04 14:27 . 2010-12-02 13:13 18304 ----a-w- c:\windows\system32\drivers\ccdcmb.sys
2011-07-04 14:19 . 2011-07-04 14:19 -------- d-----w- c:\documents and settings\All Users\Data aplikacĂ­
2011-06-26 13:45 . 2011-06-26 13:45 2106216 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_43.dll
2011-06-26 13:45 . 2011-06-26 13:45 1998168 ----a-w- c:\program files\Mozilla Firefox\d3dx9_43.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-06-26 13:45 . 2011-05-08 14:40 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2011-07-16_13.52.46 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-07-16 15:33 . 2011-07-16 15:33 16384 c:\windows\temp\Perflib_Perfdata_6d0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2005-08-17 90112]
"SpywareTerminator"="c:\program files\Spyware Terminator\SpywareTerminatorShield.exe" [2008-10-21 1817600]
"Share-to-Web Namespace Daemon"="c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-17 69632]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-11-24 98304]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableSecureUIAPaths"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"d:\\Hry\\CS 1.6\\hl.exe"=
"d:\\Hry\\Warcraft III\\Warcraft III.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"d:\\Hry\\Programi inštal\\QIP Infium\\infium.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\ICQ7.0\\ICQ.exe"=
"c:\\Program Files\\ICQ7.0\\aolload.exe"=
"d:\\Hry\\Programi inštal\\Skype\\Skype.exe"=
"d:\\Hry\\Programi inštal\\Skype\\Plugin Manager\\skypePM.exe"=
"d:\\Hry\\Programi inštal\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Nokia\\Nokia Ovi Suite\\NokiaOviSuite.exe"=
"c:\\Program Files\\Nero\\Nero 7\\Nero ShowTime\\ShowTime.exe"=
"c:\\Program Files\\Common Files\\Nokia\\Service Layer\\A\\nsl_host_process.exe"=
.
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [11. 4. 2007 12:52 691696]
R1 sp_rsdrv2;Spyware Terminator Driver 2;c:\windows\system32\drivers\sp_rsdrv2.sys [21. 10. 2008 8:26 141312]
R2 DLPortIO;DriverLINX Port I/O Driver;c:\windows\system32\drivers\DLPortIO.SYS [16. 2. 2010 20:01 3584]
R3 SER120;OTI Serial port driver;c:\windows\system32\drivers\ser120.sys [18. 6. 2009 9:30 32782]
S3 AC2003;AC2003;c:\windows\system32\drivers\AC2003.sys [11. 4. 2007 19:45 4224]
S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [4. 7. 2011 16:28 137600]
S3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsuc.sys [4. 7. 2011 16:28 8576]
S3 TVICHW32;TVICHW32;c:\windows\system32\drivers\TVICHW32.SYS [8. 5. 2007 16:00 23600]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.parabola.cz/
uSearchAssistant = hxxp://search13.net/
IE: E&xportovat do aplikace Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: E&xportovať do programu Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: {{CC963627-B1DC-40E0-B52A-CF21EE748450} - {CC963627-B1DC-40E0-B52A-CF21EE748450} -
IE: {{CC963627-B1DC-40E0-B52A-CF21EE748451} - {CC963627-B1DC-40E0-B52A-CF21EE748451} -
IE: {{CC963627-B1DC-40E0-B52A-CF21EE748452} - {CC963627-B1DC-40E0-B52A-CF21EE748452} -
FF - ProfilePath - c:\documents and settings\Root\Data aplikací\Mozilla\Firefox\Profiles\kvxyhrsy.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.zoznam.sk/
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-07-16 17:33
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(572)
c:\windows\system32\Ati2evxx.dll
.
- - - - - - - > 'explorer.exe'(3164)
c:\windows\system32\msi.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\IoctlSvc.exe
c:\program files\Spyware Terminator\sp_rsser.exe
c:\windows\SOUNDMAN.EXE
c:\windows\system32\wscntfy.exe
c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
.
**************************************************************************
.
Completion time: 2011-07-16 17:37:41 - machine was rebooted
ComboFix-quarantined-files.txt 2011-07-16 15:37
ComboFix2.txt 2011-07-16 15:10
ComboFix3.txt 2011-07-16 14:02
.
Pre-Run: Volných bajtů: 10 594 566 144
Post-Run: Volných bajtů: 10 577 489 920
.
- - End Of File - - CDF6B3C75945684E49B87E13F236AEC2

vyosek
VIP
Posts: 56373
Registered: 07 Nov 2006 15:24
Location: Šalingrad - Brno

Re: Facebook - Trojan horse

#10 Post by vyosek »

:arrow: Uninstall ComboFix
  • Start - Run (or use the keyboard shortcut Win+R)
  • Type ComboFix /Uninstall
  • Press Enter
  • This deletes ComboFix and its folders
:arrow: T-Cleaner http://vyosek.ic.cz/pro_usery/T-Cleaner.exe
  • Download and run it
  • To confirm a choice, press A, then Enter
  • Delete the utility after use
  • Antivirus programs may wrongly flag this utility as a virus; it is a false positive, so go ahead and download it (if necessary, disable the antivirus while downloading)
:arrow: Post an RSIT log (see my signature) and write how the PC behaves

07Radoslav
Guest
Posts: 7
Registered: 16 Jul 2011 12:37

Re: Facebook - Trojan horse

#11 Post by 07Radoslav »

Thank you :) you helped me enormously... how can I repay you? It looks like it behaves as it did before; the antivirus has not found anything any more :)

vyosek
VIP
Posts: 56373
Registered: 07 Nov 2006 15:24
Location: Šalingrad - Brno

Re: Facebook - Trojan horse

#12 Post by vyosek »

:arrow: I would also ask for the following steps; I went over it a bit with a colleague

:arrow: Download TDSSKiller http://support.kaspersky.com/downloads/ ... killer.exe
  • Run the utility and tell it to scan: click Start Scan
  • If the utility finds an infection, it will want to cure it (Cure); allow the cure by clicking Continue
  • If the utility finds a suspicious file, it will want to skip it (Skip); allow the skip by clicking Continue
  • After the scan finishes a PC restart may be required; allow it by clicking Reboot now
  • After the restart a log will pop up; if it does not, you will find it directly on the drive where Windows is installed (usually c:\) under a name of the form TDSSKiller.<some digits>_log.txt; paste its contents here
  • If no restart is required, click Close and then Report; a log is created; paste its contents here
:arrow: Post an RSIT log (see my signature)

:arrow: If you like, you can support our forum; the instructions are in my signature

Dominika Polakova
Guest
Posts: 33
Registered: 21 Jul 2011 22:11

Re: Facebook - Trojan horse

#13 Post by Dominika Polakova »

Hi all.... I have the same problem with this virus... I ran ComboFix.... and this is its result, the so-called log.... what do I do now??

//log edited so it does not get mixed up :)
Last edited by motji on 21 Jul 2011 22:56, edited 1 time in total.
Reason: log edited

motji
VIP
Posts: 23302
Registered: 23 Oct 2008 08:02

Re: Facebook - Trojan horse

#14 Post by motji »

Dominika Polakova
Please start your own topic; otherwise the logs would get mixed up here :) .
Thank you for understanding :)
Do not use COMBOFIX without a helper's recommendation; it can damage the system!
Always back up important data before disinfecting the computer :!:
Want to support our forum? Information here

I am mostly reachable at night, between 21:00 and 23:00
If you have any questions, you can write to me at Motji(at)forum.viry.cz.

Dominika Polakova
Guest
Posts: 33
Registered: 21 Jul 2011 22:11

Re: Facebook - Trojan horse

#15 Post by Dominika Polakova »

I would gladly start my own topic, but I have no idea what this is all about :D

Locked