Virus odstavil antivirus

[cernohous13]

Použij znovu SystemLook s tímto scriptem

Kód: Vybrat vše

:Dir
C:\Program Files\windows nt\ /s
C:\WINDOWS\ufa\ /s
C:\WINDOWS\rpcminer\ /s
C:\WINDOWS\phoenix\ /s
C:\WINDOWS\update.tray-2-0-lnk\ /s
C:\WINDOWS\update.tray-3-0-lnk\ /s

Pokud bude log velký, dej ho po částech

[mikosuo]

SystemLook 04.09.10 by jpshortstuff
Log created at 23:08 on 19/07/2011 by Doma
Administrator - Elevation successful

========== Dir ==========

C:\Program Files\windows nt - Parameters: "/s"

---Files---
05E2.BA8 --a---- 3336 bytes [15:50 19/07/2011] [18:24 19/07/2011]
dwm.exe --a---- 181248 bytes [15:50 19/07/2011] [15:50 19/07/2011]

C:\Program Files\windows nt\accessories d------ [09:50 18/07/2011]

C:\Program Files\windows nt\pinball d------ [09:50 18/07/2011]

C:\WINDOWS\ufa - Parameters: "/s"

---Files---
ufa.exe --a---- 743936 bytes [13:24 17/07/2011] [10:20 29/06/2011]

No folders found.

C:\WINDOWS\rpcminer - Parameters: "/s"

---Files---
bitcoinminercuda_10.cubin --a---- 49392 bytes [13:24 17/07/2011] [15:06 13/02/2011]
bitcoinminercuda_11.cubin --a---- 49392 bytes [13:24 17/07/2011] [15:07 13/02/2011]
bitcoinminercuda_20.cubin --a---- 43272 bytes [13:24 17/07/2011] [14:41 13/02/2011]
bitcoinmineropencl.cl --a---- 9971 bytes [13:24 17/07/2011] [10:56 19/02/2011]
cudart32_32_16.dll --a---- 384616 bytes [13:24 17/07/2011] [02:41 06/11/2010]
curllib.dll --a---- 194048 bytes [13:24 17/07/2011] [09:19 17/02/2009]
libeay32.dll --a---- 1016832 bytes [13:24 17/07/2011] [16:27 07/01/2009]
libsasl.dll --a---- 65536 bytes [13:24 17/07/2011] [09:23 18/12/2010]
openldap.dll --a---- 110592 bytes [13:24 17/07/2011] [22:27 23/10/2003]
rpcminer-4way.exe --a---- 294912 bytes [13:24 17/07/2011] [07:48 27/02/2011]
rpcminer-cpu.exe --a---- 241664 bytes [13:24 17/07/2011] [07:46 27/02/2011]
rpcminer-cuda.exe --a---- 249856 bytes [13:24 17/07/2011] [07:50 27/02/2011]
rpcminer-opencl.exe --a---- 241664 bytes [13:24 17/07/2011] [07:52 27/02/2011]
ssleay32.dll --a---- 200192 bytes [13:24 17/07/2011] [16:27 07/01/2009]

No folders found.

C:\WINDOWS\phoenix - Parameters: "/s"

---Files---
phoenix.exe --a---- 6962815 bytes [13:24 17/07/2011] [13:51 14/06/2011]

C:\WINDOWS\phoenix\kernels d------ [13:24 17/07/2011]

C:\WINDOWS\phoenix\kernels\phatk d------ [13:24 17/07/2011]
BFIPatcher.py --a---- 5224 bytes [13:24 17/07/2011] [13:41 14/06/2011]
kernel.cl --a---- 10366 bytes [13:24 17/07/2011] [13:41 14/06/2011]
__init__.py --a---- 16922 bytes [13:24 17/07/2011] [13:41 14/06/2011]
__init__.pyc --a---- 11491 bytes [13:29 17/07/2011] [13:29 17/07/2011]

C:\WINDOWS\phoenix\kernels\poclbm d------ [13:24 17/07/2011]
BFIPatcher.py --a---- 5224 bytes [13:24 17/07/2011] [13:41 14/06/2011]
kernel.cl --a---- 30821 bytes [13:24 17/07/2011] [13:41 14/06/2011]
__init__.py --a---- 17266 bytes [13:24 17/07/2011] [13:41 14/06/2011]
__init__.pyc --a---- 11870 bytes [13:28 17/07/2011] [13:28 17/07/2011]

C:\WINDOWS\update.tray-2-0-lnk - Parameters: "/s"

---Files---
svchost.exe ---h--- 1154048 bytes [13:14 17/07/2011] [12:58 17/07/2011]

No folders found.

C:\WINDOWS\update.tray-3-0-lnk - Parameters: "/s"

---Files---
svchost.exe ---h--- 1154048 bytes [13:14 17/07/2011] [12:58 17/07/2011]

No folders found.

-= EOF =-

[cernohous13]

tak snad naposled SystemLook se scriptem

Kód: Vybrat vše

:dir
C:\Qoobox\ /s

pak bych ti dal script pro ComboFix

[mikosuo]

SystemLook 04.09.10 by jpshortstuff
Log created at 12:50 on 20/07/2011 by Doma
Administrator - Elevation successful

========== dir ==========

C:\Qoobox - Parameters: "/s"

---Files---
Add-Remove Programs.txt --a---- 3373 bytes [08:32 18/07/2011] [09:53 18/07/2011]
CF-Submit.htm --a---- 1236 bytes [09:39 18/07/2011] [09:39 18/07/2011]
CFScript_used_2011-07-18_11.26.47.txt --a---- 2355 bytes [09:26 18/07/2011] [09:25 18/07/2011]
CFScript_used_2011-07-18_11.31.27.txt --a---- 2355 bytes [09:31 18/07/2011] [09:29 18/07/2011]
CFScript_used_2011-07-18_11.39.32.txt --a---- 2603 bytes [09:39 18/07/2011] [09:34 18/07/2011]
ComboFix-quarantined-files.txt --a---- 23552 bytes [08:32 18/07/2011] [09:53 18/07/2011]
CurlIt.cmd --a---- 339 bytes [09:39 18/07/2011] [09:39 18/07/2011]
SnapShot@2011-07-18_08.29.55.dat --a---- 617221 bytes [08:31 18/07/2011] [08:31 18/07/2011]

C:\Qoobox\BackEnv d------ [06:21 18/07/2011]
AppData.folder.dat --a---- 389 bytes [06:22 18/07/2011] [06:22 18/07/2011]
Cache.folder.dat --a---- 322 bytes [06:22 18/07/2011] [06:22 18/07/2011]
Cookies.folder.dat --a---- 144 bytes [06:22 18/07/2011] [06:22 18/07/2011]
Desktop.folder.dat --a---- 87 bytes [06:22 18/07/2011] [06:22 18/07/2011]
Favorites.folder.dat --a---- 107 bytes [06:22 18/07/2011] [06:22 18/07/2011]
History.folder.dat --a---- 189 bytes [06:22 18/07/2011] [06:22 18/07/2011]
LocalAppData.folder.dat --a---- 420 bytes [06:22 18/07/2011] [06:22 18/07/2011]
LocalSettings.folder.dat --a---- 224 bytes [06:22 18/07/2011] [06:22 18/07/2011]
Music.folder.dat --a---- 105 bytes [06:22 18/07/2011] [06:22 18/07/2011]
NetHood.folder.dat --a---- 45 bytes [06:22 18/07/2011] [06:22 18/07/2011]
Personal.folder.dat --a---- 93 bytes [06:22 18/07/2011] [06:22 18/07/2011]
Pictures.folder.dat --a---- 109 bytes [06:22 18/07/2011] [06:22 18/07/2011]
PrintHood.folder.dat --a---- 230 bytes [06:22 18/07/2011] [06:22 18/07/2011]
Profiles.Folder.dat --a---- 233 bytes [06:22 18/07/2011] [06:22 18/07/2011]
Profiles.Folder.folder.dat --a---- 397 bytes [06:22 18/07/2011] [06:22 18/07/2011]
Programs.folder.dat --a---- 379 bytes [06:22 18/07/2011] [06:22 18/07/2011]
Recent.folder.dat --a---- 92 bytes [06:22 18/07/2011] [06:22 18/07/2011]
SendTo.folder.dat --a---- 92 bytes [06:22 18/07/2011] [06:22 18/07/2011]
SetPath.bat --a---- 6947 bytes [06:22 18/07/2011] [06:22 18/07/2011]
StartMenu.folder.dat --a---- 157 bytes [06:22 18/07/2011] [06:22 18/07/2011]
StartUp.folder.dat --a---- 457 bytes [06:22 18/07/2011] [06:22 18/07/2011]
SysPath.dat --a---- 2013 bytes [06:22 18/07/2011] [06:21 18/07/2011]
Templates.folder.dat --a---- 89 bytes [06:22 18/07/2011] [06:22 18/07/2011]
VikPev00 --a---- 2188 bytes [06:22 18/07/2011] [09:38 18/07/2011]

C:\Qoobox\LastRun d------ [06:21 18/07/2011]
CregC.old --a---- 0 bytes [08:26 18/07/2011] [09:48 18/07/2011]
drev_.dat --a---- 4971 bytes [09:48 18/07/2011] [09:50 18/07/2011]
drev_F.dat --a---- 4971 bytes [09:48 18/07/2011] [09:50 18/07/2011]
Gateway --a---- 13 bytes [06:23 18/07/2011] [09:30 18/07/2011]
ndis_log.old --a---- 139 bytes [09:46 18/07/2011] [09:46 18/07/2011]
RenVDel.dat --a---- 0 bytes [09:48 18/07/2011] [09:45 18/07/2011]
SrPeek.cfscript --a---- 0 bytes [09:39 18/07/2011] [09:39 18/07/2011]
SvcTarget.dat --a---- 707 bytes [09:48 18/07/2011] [09:46 18/07/2011]
zhsvc.old --a---- 40019 bytes [08:26 18/07/2011] [09:48 18/07/2011]

C:\Qoobox\Quarantine d------ [06:20 18/07/2011]
catchme.log --a---- 357 bytes [06:21 18/07/2011] [09:38 18/07/2011]
[4]-Submit_2011-07-18_11.39.32.zip --a---- 1756354 bytes [09:39 18/07/2011] [09:39 18/07/2011]

C:\Qoobox\Quarantine\C d------ [06:23 18/07/2011]

C:\Qoobox\Quarantine\C\Documents and Settings d------ [08:25 18/07/2011]

C:\Qoobox\Quarantine\C\Documents and Settings\Doma d------ [08:25 18/07/2011]

C:\Qoobox\Quarantine\C\Documents and Settings\Doma\Data aplikací d------ [08:25 18/07/2011]
27381.exe.vir --a---- 16384 bytes [19:28 27/02/2011] [13:21 29/03/2011]
37655.exe.vir --a---- 16384 bytes [19:26 27/02/2011] [13:21 29/03/2011]
dwm.exe.vir --a---- 179712 bytes [18:07 17/07/2011] [18:07 17/07/2011]

C:\Qoobox\Quarantine\C\Documents and Settings\Doma\Data aplikací\Microsoft d------ [08:25 18/07/2011]
conhost.exe.vir --a---- 169472 bytes [18:06 17/07/2011] [18:06 17/07/2011]

C:\Qoobox\Quarantine\C\humunkulus.exe d------ [08:25 18/07/2011]
config.bin.vir --a---- 557 bytes [06:51 14/04/2008] [06:51 14/04/2008]

C:\Qoobox\Quarantine\C\humunkulus.exe\humunkulus.exe d------ [06:51 14/04/2008]

C:\Qoobox\Quarantine\C\Microsoft d------ [08:26 18/07/2011]

C:\Qoobox\Quarantine\C\Microsoft\Microsoft d------ [13:17 17/07/2011]

C:\Qoobox\Quarantine\C\Program Files d------ [08:25 18/07/2011]

C:\Qoobox\Quarantine\C\Program Files\Ask.com d------ [09:47 18/07/2011]

C:\Qoobox\Quarantine\C\Program Files\Internet Explorer d------ [08:25 18/07/2011]
conhost.exe.vir --a---- 169472 bytes [13:17 17/07/2011] [13:17 17/07/2011]

C:\Qoobox\Quarantine\C\Program Files\Windows NT d------ [09:47 18/07/2011]
05E2.BA8.vir --a---- 3036 bytes [13:17 17/07/2011] [15:27 17/07/2011]
dialer.exe.vir --a---- 543232 bytes [23:53 28/09/2006] [06:52 14/04/2008]
dwm.exe.vir --a---- 181760 bytes [13:18 17/07/2011] [13:18 17/07/2011]
htrn_jis.dll.vir --a---- 13312 bytes [23:53 28/09/2006] [13:00 25/10/2001]
hypertrm.exe.vir --a---- 28160 bytes [23:53 28/09/2006] [13:00 25/10/2001]

C:\Qoobox\Quarantine\C\Program Files\Windows NT\Accessories d------ [09:47 18/07/2011]
mswrd6.wpc.vir --a---- 187392 bytes [23:53 28/09/2006] [06:00 14/04/2008]
mswrd8.wpc.vir --a---- 280064 bytes [23:53 28/09/2006] [06:00 14/04/2008]
wordpad.exe.vir --a---- 215552 bytes [23:53 28/09/2006] [06:52 14/04/2008]
write.wpc.vir --a---- 89600 bytes [23:53 28/09/2006] [05:57 14/04/2008]

C:\Qoobox\Quarantine\C\Program Files\Windows NT\Pinball d------ [09:47 18/07/2011]
FONT.DAT.vir --a---- 3947 bytes [23:53 28/09/2006] [13:00 25/10/2001]
PINBALL.DAT.vir --a---- 928700 bytes [23:53 28/09/2006] [13:00 25/10/2001]
PINBALL.EXE.vir --a---- 282112 bytes [23:53 28/09/2006] [06:52 14/04/2008]
PINBALL.MID.vir --a---- 108607 bytes [23:53 28/09/2006] [13:00 25/10/2001]
PINBALL2.MID.vir --a---- 28888 bytes [23:53 28/09/2006] [13:00 25/10/2001]
SOUND1.WAV.vir --a---- 55490 bytes [23:53 28/09/2006] [13:00 25/10/2001]
SOUND104.WAV.vir --a---- 1226 bytes [23:53 28/09/2006] [13:00 25/10/2001]
SOUND105.WAV.vir --a---- 1968 bytes [23:53 28/09/2006] [13:00 25/10/2001]
SOUND108.WAV.vir --a---- 7754 bytes [23:53 28/09/2006] [13:00 25/10/2001]
SOUND111.WAV.vir --a---- 890 bytes [23:53 28/09/2006] [13:00 25/10/2001]
SOUND112.WAV.vir --a---- 824 bytes [23:53 28/09/2006] [13:00 25/10/2001]
SOUND12.WAV.vir --a---- 4296 bytes [23:53 28/09/2006] [13:00 25/10/2001]
SOUND13.WAV.vir --a---- 8034 bytes [23:53 28/09/2006] [13:00 25/10/2001]
SOUND131.WAV.vir --a---- 1290 bytes [23:53 28/09/2006] [13:00 25/10/2001]
SOUND136.WAV.vir --a---- 19282 bytes [23:53 28/09/2006] [13:00 25/10/2001]
SOUND14.WAV.vir --a---- 3002 bytes [23:53 28/09/2006] [13:00 25/10/2001]
SOUND16.WAV.vir --a---- 1046 bytes [23:53 28/09/2006] [13:00 25/10/2001]
SOUND17.WAV.vir --a---- 2090 bytes [23:53 28/09/2006] [13:00 25/10/2001]
SOUND18.WAV.vir --a---- 3986 bytes [23:53 28/09/2006] [13:00 25/10/2001]
SOUND181.WAV.vir --a---- 27472 bytes [23:53 28/09/2006] [13:00 25/10/2001]
SOUND19.WAV.vir --a---- 5230 bytes [23:53 28/09/2006] [13:00 25/10/2001]
SOUND20.WAV.vir --a---- 8650 bytes [23:53 28/09/2006] [13:00 25/10/2001]
SOUND21.WAV.vir --a---- 9194 bytes [23:53 28/09/2006] [13:00 25/10/2001]
SOUND22.WAV.vir --a---- 7376 bytes [23:53 28/09/2006] [13:00 25/10/2001]
SOUND24.WAV.vir --a---- 12106 bytes [23:53 28/09/2006] [13:00 25/10/2001]
SOUND240.WAV.vir --a---- 14600 bytes [23:53 28/09/2006] [13:00 25/10/2001]
SOUND243.WAV.vir --a---- 20712 bytes [23:53 28/09/2006] [13:00 25/10/2001]
SOUND25.WAV.vir --a---- 25704 bytes [23:53 28/09/2006] [13:00 25/10/2001]
SOUND26.WAV.vir --a---- 7306 bytes [23:53 28/09/2006] [13:00 25/10/2001]
SOUND27.WAV.vir --a---- 20242 bytes [23:53 28/09/2006] [13:00 25/10/2001]
SOUND28.WAV.vir --a---- 8650 bytes [23:53 28/09/2006] [13:00 25/10/2001]
SOUND29.WAV.vir --a---- 10364 bytes [23:53 28/09/2006] [13:00 25/10/2001]
SOUND3.WAV.vir --a---- 22858 bytes [23:53 28/09/2006] [13:00 25/10/2001]
SOUND30.WAV.vir --a---- 22570 bytes [23:53 28/09/2006] [13:00 25/10/2001]
SOUND34.WAV.vir --a---- 1520 bytes [23:53 28/09/2006] [13:00 25/10/2001]
SOUND35.WAV.vir --a---- 19498 bytes [23:53 28/09/2006] [13:00 25/10/2001]
SOUND36.WAV.vir --a---- 33848 bytes [23:53 28/09/2006] [13:00 25/10/2001]
SOUND38.WAV.vir --a---- 13024 bytes [23:53 28/09/2006] [13:00 25/10/2001]
SOUND39.WAV.vir --a---- 28282 bytes [23:53 28/09/2006] [13:00 25/10/2001]
SOUND4.WAV.vir --a---- 16626 bytes [23:53 28/09/2006] [13:00 25/10/2001]
SOUND42.WAV.vir --a---- 29140 bytes [23:53 28/09/2006] [13:00 25/10/2001]
SOUND43.WAV.vir --a---- 22796 bytes [23:53 28/09/2006] [13:00 25/10/2001]
SOUND45.WAV.vir --a---- 9770 bytes [23:53 28/09/2006] [13:00 25/10/2001]
SOUND49.WAV.vir --a---- 1876 bytes [23:53 28/09/2006] [13:00 25/10/2001]
SOUND49D.WAV.vir --a---- 3330 bytes [23:53 28/09/2006] [13:00 25/10/2001]
SOUND5.WAV.vir --a---- 3180 bytes [23:53 28/09/2006] [13:00 25/10/2001]
SOUND50.WAV.vir --a---- 12074 bytes [23:53 28/09/2006] [13:00 25/10/2001]
SOUND528.WAV.vir --a---- 8932 bytes [23:53 28/09/2006] [13:00 25/10/2001]
SOUND53.WAV.vir --a---- 9022 bytes [23:53 28/09/2006] [13:00 25/10/2001]
SOUND54.WAV.vir --a---- 18250 bytes [23:53 28/09/2006] [13:00 25/10/2001]
SOUND55.WAV.vir --a---- 21890 bytes [23:53 28/09/2006] [13:00 25/10/2001]
SOUND560.WAV.vir --a---- 29004 bytes [23:53 28/09/2006] [13:00 25/10/2001]
SOUND563.WAV.vir --a---- 24192 bytes [23:53 28/09/2006] [13:00 25/10/2001]
SOUND57.WAV.vir --a---- 30502 bytes [23:53 28/09/2006] [13:00 25/10/2001]
SOUND58.WAV.vir --a---- 3408 bytes [23:53 28/09/2006] [13:00 25/10/2001]
SOUND6.WAV.vir --a---- 4376 bytes [23:53 28/09/2006] [13:00 25/10/2001]
SOUND65.WAV.vir --a---- 17676 bytes [23:53 28/09/2006] [13:00 25/10/2001]
SOUND68.WAV.vir --a---- 32402 bytes [23:53 28/09/2006] [13:00 25/10/2001]
SOUND7.WAV.vir --a---- 26442 bytes [23:53 28/09/2006] [13:00 25/10/2001]
SOUND713.WAV.vir --a---- 14592 bytes [23:53 28/09/2006] [13:00 25/10/2001]
SOUND735.WAV.vir --a---- 27268 bytes [23:53 28/09/2006] [13:00 25/10/2001]
SOUND8.WAV.vir --a---- 2102 bytes [23:53 28/09/2006] [13:00 25/10/2001]
SOUND827.WAV.vir --a---- 47230 bytes [23:53 28/09/2006] [13:00 25/10/2001]
SOUND9.WAV.vir --a---- 20098 bytes [23:53 28/09/2006] [13:00 25/10/2001]
SOUND999.WAV.vir --a---- 6742 bytes [23:53 28/09/2006] [13:00 25/10/2001]
table.bmp.vir --a---- 339178 bytes [23:53 28/09/2006] [13:00 25/10/2001]
wavemix.inf.vir --a---- 2687 bytes [23:53 28/09/2006] [13:00 25/10/2001]

C:\Qoobox\Quarantine\C\WINDOWS d------ [08:25 18/07/2011]
btc_client_iplist.txt.vir --a---- 11548 bytes [13:17 17/07/2011] [07:21 18/07/2011]
ddh_iplist.txt.vir --a---- 6957 bytes [13:17 17/07/2011] [07:52 18/07/2011]
front_ip_list.txt.vir --a---- 11596 bytes [09:30 18/07/2011] [09:30 18/07/2011]
gbot111.exe.vir --a---- 169472 bytes [13:17 17/07/2011] [13:17 17/07/2011]
iecheck_iplist.txt.vir --a---- 11453 bytes [13:17 17/07/2011] [21:28 17/07/2011]
info1.vir --a---- 23 bytes [09:33 18/07/2011] [09:33 18/07/2011]
iplist.txt.vir --a---- 11361 bytes [09:33 18/07/2011] [09:34 18/07/2011]
l1rezerv.exe.vir --a---- 110592 bytes [13:17 17/07/2011] [13:17 17/07/2011]
loader2.exe_ok.vir --a---- 0 bytes [13:16 17/07/2011] [13:16 17/07/2011]
phoenix.rar.vir --a---- 5589370 bytes [13:23 17/07/2011] [13:23 17/07/2011]
proc_list1.log.vir --a---- 721 bytes [09:30 18/07/2011] [09:30 18/07/2011]
rpcminer.rar.vir --a---- 1075284 bytes [13:23 17/07/2011] [13:23 17/07/2011]
services32.exe.vir --a---- 1154048 bytes [12:58 17/07/2011] [12:58 17/07/2011]
sysdriver32.exe.vir --a---- 232960 bytes [09:30 18/07/2011] [09:30 18/07/2011]
sysdriver32_.exe.vir --a---- 232960 bytes [09:33 18/07/2011] [09:30 18/07/2011]
systemup.exe.vir --a---- 114176 bytes [13:17 17/07/2011] [13:17 17/07/2011]
ufa.rar.vir --a---- 182617 bytes [13:23 17/07/2011] [13:23 17/07/2011]
unrar.exe.vir --a---- 246272 bytes [13:23 17/07/2011] [06:32 18/07/2011]
winlog-dirs.txt.vir --a---- 99 bytes [12:58 17/07/2011] [21:35 17/07/2011]
winlog-ids.txt.vir --a---- 5 bytes [12:58 17/07/2011] [21:35 17/07/2011]
winsetupapi.log.vir --a---- 10 bytes [21:37 17/07/2011] [21:52 17/07/2011]

C:\Qoobox\Quarantine\C\WINDOWS\av_ico d------ [09:47 18/07/2011]
ico_avast_desktop.ico.vir --a---- 16958 bytes [21:39 17/07/2011] [07:36 18/07/2011]
ico_avast_start.ico.vir --a---- 4286 bytes [21:39 17/07/2011] [07:36 18/07/2011]
ico_NOD_AV_START.ico.vir --a---- 4286 bytes [13:15 17/07/2011] [21:01 17/07/2011]
ico_NOD_SS_START.ico.vir --a---- 4286 bytes [13:15 17/07/2011] [21:01 17/07/2011]
ico_NOD_SYSINSP.ico.vir --a---- 4286 bytes [13:15 17/07/2011] [21:01 17/07/2011]
ico_NOD_SYSRESC.ico.vir --a---- 4286 bytes [13:15 17/07/2011] [21:01 17/07/2011]
ico_NOD_TXT.ico.vir --a---- 4286 bytes [13:15 17/07/2011] [21:01 17/07/2011]
ico_NOD_UNINSTALL.ico.vir --a---- 4286 bytes [13:15 17/07/2011] [21:01 17/07/2011]

C:\Qoobox\Quarantine\C\WINDOWS\Explorer d------ [08:26 18/07/2011]

C:\Qoobox\Quarantine\C\WINDOWS\Install d------ [08:26 18/07/2011]

C:\Qoobox\Quarantine\C\WINDOWS\system32 d------ [08:26 18/07/2011]
ezGOSvc.dll.vir --a---- 73600 bytes [09:55 29/05/2011] [20:25 28/05/2011]
ezGOSvcApp.exe.vir --a---- 718208 bytes [09:55 29/05/2011] [20:25 28/05/2011]
kernel32.dll.vir --a---- 988160 bytes [06:51 14/04/2008] [06:51 14/04/2008]
tmp19D8.tmp.vir --a---- 809560 bytes [08:57 11/07/2011] [15:10 18/08/2010]
tmp19D9.tmp.vir --a---- 809560 bytes [08:57 11/07/2011] [15:10 18/08/2010]

C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers d------ [08:26 18/07/2011]
ehdrv.sys.vir --a---- 115008 bytes [12:31 29/07/2010] [12:31 29/07/2010]

C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\etc d------ [08:26 18/07/2011]
HSTS~1.vir --a---- 734 bytes [13:17 17/07/2011] [06:13 18/07/2011]

C:\Qoobox\Quarantine\C\WINDOWS\system32\install d------ [08:26 18/07/2011]
server.exe.vir --a---- 1172472 bytes [07:53 13/06/2005] [07:53 13/06/2005]

C:\Qoobox\Quarantine\C\WINDOWS\system32\WinDir d------ [08:26 18/07/2011]

C:\Qoobox\Quarantine\C\WINDOWS\system32\Windows Update d------ [08:26 18/07/2011]
Windows Update.exe.vir --a---- 33280 bytes [19:25 30/06/2006] [19:25 30/06/2006]

C:\Qoobox\Quarantine\C\WINDOWS\system32\Windupdt d------ [08:26 18/07/2011]

C:\Qoobox\Quarantine\C\WINDOWS\Tasks d------ [09:47 18/07/2011]
GoogleUpdateTaskMachineCore.job.vir --a---- 916 bytes [11:05 28/02/2011] [09:32 18/07/2011]
GoogleUpdateTaskMachineUA.job.vir --a---- 924 bytes [15:21 26/04/2011] [08:31 18/07/2011]
RealUpgradeLogonTaskS-1-5-21-1078081533-1770027372-1177238915-1003.job.vir --a---- 276 bytes [08:52 02/07/2011] [09:33 18/07/2011]
RealUpgradeScheduledTaskS-1-5-21-1078081533-1770027372-1177238915-1003.job.vir --a---- 284 bytes [18:04 15/02/2011] [09:33 18/07/2011]

C:\Qoobox\Quarantine\C\WINDOWS\update.1 d------ [08:26 18/07/2011]
svchost.exe.vir --a---- 1154048 bytes [13:14 17/07/2011] [12:58 17/07/2011]

C:\Qoobox\Quarantine\C\WINDOWS\update.2 d------ [08:26 18/07/2011]
svchost.exe.vir --a---- 483328 bytes [13:17 17/07/2011] [13:17 17/07/2011]

C:\Qoobox\Quarantine\C\WINDOWS\update.5.0 d------ [08:26 18/07/2011]
svchost.exe.vir --a---- 340480 bytes [13:17 17/07/2011] [20:11 17/07/2011]

C:\Qoobox\Quarantine\C\WINDOWS\update.tray-2-0 d------ [09:47 18/07/2011]
svchost.exe.vir --a---- 1154048 bytes [13:14 17/07/2011] [12:58 17/07/2011]

C:\Qoobox\Quarantine\C\WINDOWS\update.tray-3-0 d------ [09:47 18/07/2011]
svchost.exe.vir --a---- 1154048 bytes [13:14 17/07/2011] [12:58 17/07/2011]

C:\Qoobox\Quarantine\C\WINDOWS\update.tray-7-0 d------ [08:26 18/07/2011]
svchost.exe.vir --a---- 1154048 bytes [21:37 17/07/2011] [12:58 17/07/2011]

C:\Qoobox\Quarantine\C\Windupdt d------ [08:26 18/07/2011]
winupdate.exe.vir --a---- 1172472 bytes [01:38 05/03/2011] [10:17 25/07/2008]

C:\Qoobox\Quarantine\C\Windupdt\Windupdt d------ [01:38 05/03/2011]

C:\Qoobox\Quarantine\Registry_backups d------ [06:20 18/07/2011]
AddRemove-NVIDIA nView Desktop Manager.reg.dat --a---- 948 bytes [08:32 18/07/2011] [08:32 18/07/2011]
AddRemove-Super Mario.reg.dat --a---- 476 bytes [08:32 18/07/2011] [08:32 18/07/2011]
HKCU-Run-DesktopIconToy.reg.dat --a---- 79 bytes [08:32 18/07/2011] [08:32 18/07/2011]
HKCU-Run-VlROc2VtUkhWblJSVjFKMFlWYzFjR016VW5sWldGSjJZMmM5UFE9PQ==.reg.dat --a---- 79 bytes [08:32 18/07/2011] [08:32 18/07/2011]
HKCU-Run-winlogin.exe.reg.dat --a---- 79 bytes [08:32 18/07/2011] [08:32 18/07/2011]
HKLM-Run-avast.reg.dat --a---- 80 bytes [08:32 18/07/2011] [08:32 18/07/2011]
HKLM-Run-l1rezerv.exe.reg.dat --a---- 80 bytes [08:32 18/07/2011] [08:32 18/07/2011]
HKLM-Run-NPSStartup.reg.dat --a---- 80 bytes [08:32 18/07/2011] [08:32 18/07/2011]
HKLM-Run-sysdriver32.exe.reg.dat --a---- 80 bytes [08:32 18/07/2011] [08:32 18/07/2011]
HKLM-Run-sysdriver32_.exe.reg.dat --a---- 80 bytes [08:32 18/07/2011] [08:32 18/07/2011]
HKLM-Run-systemup.reg.dat --a---- 80 bytes [08:32 18/07/2011] [08:32 18/07/2011]
HKLM-Run-tray_ico.reg.dat --a---- 80 bytes [08:32 18/07/2011] [08:32 18/07/2011]
HKLM-Run-tray_ico0.reg.dat --a---- 80 bytes [08:32 18/07/2011] [08:32 18/07/2011]
HKLM-Run-tray_ico1.reg.dat --a---- 80 bytes [08:32 18/07/2011] [08:32 18/07/2011]
HKLM-Run-tray_ico2.reg.dat --a---- 80 bytes [08:32 18/07/2011] [08:32 18/07/2011]
HKLM-Run-tray_ico3.reg.dat --a---- 80 bytes [08:32 18/07/2011] [08:32 18/07/2011]
HKLM-Run-tray_ico4.reg.dat --a---- 80 bytes [08:32 18/07/2011] [08:32 18/07/2011]
HKLM-Run-winlogin.exe.reg.dat --a---- 80 bytes [08:32 18/07/2011] [08:32 18/07/2011]
HKLM-Run-wxpdrv.reg.dat --a---- 80 bytes [08:32 18/07/2011] [08:32 18/07/2011]
HKLM_ActiveSetup-{30CDD4E0-ADCB-C61B-BE59-277CBA2D3F70}.reg.dat --a---- 203 bytes [08:32 18/07/2011] [08:32 18/07/2011]
Legacy_EHDRV.reg.dat --a---- 1298 bytes [09:46 18/07/2011] [09:46 18/07/2011]
Legacy_EPFWTDIR.reg.dat --a---- 1334 bytes [09:46 18/07/2011] [09:46 18/07/2011]
Legacy_EZGOSVC.reg.dat --a---- 848 bytes [06:27 18/07/2011] [09:46 18/07/2011]
Legacy_GUPDATE.reg.dat --a---- 844 bytes [09:46 18/07/2011] [09:46 18/07/2011]
Legacy_srvbtcclient.reg.dat --a---- 838 bytes [08:25 18/07/2011] [08:25 18/07/2011]
Legacy_SRVIECHECK.reg.dat --a---- 822 bytes [06:27 18/07/2011] [08:24 18/07/2011]
Legacy_SRVSYSDRIVER32.reg.dat --a---- 854 bytes [06:27 18/07/2011] [09:46 18/07/2011]
Legacy_WXPDRIVERS.reg.dat --a---- 822 bytes [06:27 18/07/2011] [08:24 18/07/2011]
Service_ehdrv.reg.dat --a---- 2760 bytes [09:46 18/07/2011] [09:46 18/07/2011]
Service_epfwtdir.reg.dat --a---- 2762 bytes [09:46 18/07/2011] [09:46 18/07/2011]
Service_ezGOSvc.reg.dat --a---- 526 bytes [06:27 18/07/2011] [09:46 18/07/2011]
Service_gupdate.reg.dat --a---- 3656 bytes [09:46 18/07/2011] [09:46 18/07/2011]
Service_gupdatem.reg.dat --a---- 3378 bytes [09:46 18/07/2011] [09:46 18/07/2011]
Service_srvbtcclient.reg.dat --a---- 216 bytes [08:25 18/07/2011] [08:25 18/07/2011]
Service_srviecheck.reg.dat --a---- 630 bytes [06:27 18/07/2011] [08:24 18/07/2011]
Service_srvsysdriver32.reg.dat --a---- 2476 bytes [06:27 18/07/2011] [09:46 18/07/2011]
Service_wxpdrivers.reg.dat --a---- 630 bytes [06:27 18/07/2011] [08:24 18/07/2011]
ShellIconOverlayIdentifiers-{472083B0-C522-11CF-8763-00608CC02F24}.reg.dat --a---- 489 bytes [08:32 18/07/2011] [08:32 18/07/2011]
tcpip.reg --a---- 7347 bytes [06:27 18/07/2011] [09:45 18/07/2011]

C:\Qoobox\Test d------ [06:21 18/07/2011]

C:\Qoobox\TestC d------ [06:21 18/07/2011]

-= EOF =-

[cernohous13]

Pokud nemáš ComboFix na ploše, přesuň jej tam.
Otevři Poznámkový blok (Notepad) a zkopíruj celý zelený text z "CFscriptu".
Soubor ulož na plochu jako CFscript.txt a jeho ikonu přetáhni myší nad ikonu ComboFixu - tam pusť.

ComboFix se spustí - počkej na log a vlož ho sem.

CFscript

Kód: Vybrat vše

KillAll::

DeQuarantine::
C:\Qoobox\Quarantine\C\Program Files\Windows NT

Registry::
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8E5E2654-AD2D-48bf-AC2D-D17F00898D06}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{32099AAC-C132-4136-9E9A-4E364A424E17}"=-
"{8E5E2654-AD2D-48bf-AC2D-D17F00898D06}"=-
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"DesktopIconToy"=-
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PEVSystemStart]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\PEVSystemStart]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"Microsoft Windows Hosting Service Login"=-

File::
C:\Documents and Settings\Doma\Nabídka Start\Programy\Po spuštění\license.dll
C:\Documents and Settings\Doma\Local Settings\Temp\explorer.exe

Folder::
C:\WINDOWS\ufa
C:\WINDOWS\rpcminer
C:\WINDOWS\phoenix
C:\WINDOWS\update.tray-2-0-lnk
C:\WINDOWS\update.tray-3-0-lnk

Driver::
eamon
catchme

Klikni na https://www.virustotal.com/cs/
klik "Procházet" > do zadávacího pole "Název souboru" jen zkopíruj:

C:\Program Files\Windows NT\05E2.BA8

"Send file" (pokud byl již testován, nech testovat znovu - Reanalyse)
Trpělivě vyčkej dokončení scanu dokud se neobjeví konečný výsledek např.0/41
Do fóra zkopíruj výsledný log. nebo odkaz z adresního řádku na stránku.
Pokud nebude nález stačí jen oznámit

[mikosuo]

ten subor oznacil jedine mcaffe:
McAfee 5.400.0.1158 2011.07.20 BackDoor-EXI!conf



log z combofixu:

ComboFix 11-07-20.05 - Doma . 07. 2011 23:21:00.6.2 - x86 MINIMAL
Systém Microsoft Windows XP Professional 5.1.2600.3.1250.421.1029.18.3199.2812 [GMT 2:00]
Running from: C:\Documents and Settings\Doma\Plocha\ComboFix.exe
Command switches used :: C:\Documents and Settings\Doma\Plocha\CFScript.txt
AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}

FILE ::
"C:\Documents and Settings\Doma\Local Settings\Temp\explorer.exe"
"C:\Documents and Settings\Doma\Nabídka Start\Programy\Po spuštění\license.dll"


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\Doma\LOCALS~1\Temp\8386345.exe
C:\Documents and Settings\Doma\Data aplikací\dwm.exe
C:\Documents and Settings\Doma\Data aplikací\Microsoft\conhost.exe
C:\Documents and Settings\Doma\Dokumenty\cc_20110720_172710.reg
C:\Microsoft
C:\Program Files\Internet Explorer\conhost.exe
C:\WINDOWS\btc_client_iplist.txt
C:\WINDOWS\ddh_iplist.txt
C:\WINDOWS\front_ip_list.txt
C:\WINDOWS\gbot111.exe
C:\WINDOWS\iecheck_iplist.txt
C:\WINDOWS\info1
C:\WINDOWS\iplist.txt
C:\WINDOWS\l1rezerv.exe
C:\WINDOWS\loader2.exe_ok
C:\WINDOWS\phoenix
C:\WINDOWS\phoenix\kernels\phatk\__init__.py
C:\WINDOWS\phoenix\kernels\phatk\__init__.pyc
C:\WINDOWS\phoenix\kernels\phatk\BFIPatcher.py
C:\WINDOWS\phoenix\kernels\phatk\kernel.cl
C:\WINDOWS\phoenix\kernels\poclbm\__init__.py
C:\WINDOWS\phoenix\kernels\poclbm\__init__.pyc
C:\WINDOWS\phoenix\kernels\poclbm\BFIPatcher.py
C:\WINDOWS\phoenix\kernels\poclbm\kernel.cl
C:\WINDOWS\phoenix\phoenix.exe
C:\WINDOWS\proc_list1.log
C:\WINDOWS\rpcminer
C:\WINDOWS\rpcminer\bitcoinminercuda_10.cubin
C:\WINDOWS\rpcminer\bitcoinminercuda_11.cubin
C:\WINDOWS\rpcminer\bitcoinminercuda_20.cubin
C:\WINDOWS\rpcminer\bitcoinmineropencl.cl
C:\WINDOWS\rpcminer\cudart32_32_16.dll
C:\WINDOWS\rpcminer\curllib.dll
C:\WINDOWS\rpcminer\libeay32.dll
C:\WINDOWS\rpcminer\libsasl.dll
C:\WINDOWS\rpcminer\openldap.dll
C:\WINDOWS\rpcminer\rpcminer-4way.exe
C:\WINDOWS\rpcminer\rpcminer-cpu.exe
C:\WINDOWS\rpcminer\rpcminer-cuda.exe
C:\WINDOWS\rpcminer\rpcminer-opencl.exe
C:\WINDOWS\rpcminer\ssleay32.dll
C:\WINDOWS\sysdriver32.exe
C:\WINDOWS\sysdriver32_.exe
C:\WINDOWS\system32\drivers\etc\HSTS~1
C:\WINDOWS\systemup.exe
C:\WINDOWS\TEMP\4075020.exe
C:\WINDOWS\ufa
C:\WINDOWS\ufa\ufa.exe
C:\WINDOWS\update.2
C:\WINDOWS\update.2\svchost.exe
C:\WINDOWS\update.5.0
C:\WINDOWS\update.5.0\svchost.exe
C:\WINDOWS\update.tray-2-0-lnk
C:\WINDOWS\update.tray-2-0-lnk\svchost.exe
C:\WINDOWS\update.tray-3-0-lnk
C:\WINDOWS\update.tray-3-0-lnk\svchost.exe

---- Previous Run -------

C:\DOCUME~1\Doma\LOCALS~1\Temp\6278303.exe
C:\Program Files\Windows NT\05E2.BA8
C:\Program Files\Windows NT\Accessories\mswrd6.wpc
C:\Program Files\Windows NT\Accessories\mswrd8.wpc
C:\Program Files\Windows NT\Accessories\wordpad.exe
C:\Program Files\Windows NT\Accessories\write.wpc
C:\Program Files\Windows NT\dialer.exe
C:\Program Files\Windows NT\dwm.exe
C:\Program Files\Windows NT\htrn_jis.dll
C:\Program Files\Windows NT\hypertrm.exe
C:\Program Files\Windows NT\Pinball\FONT.DAT
C:\Program Files\Windows NT\Pinball\PINBALL.DAT
C:\Program Files\Windows NT\Pinball\PINBALL.EXE
C:\Program Files\Windows NT\Pinball\PINBALL.MID
C:\Program Files\Windows NT\Pinball\PINBALL2.MID
C:\Program Files\Windows NT\Pinball\SOUND1.WAV
C:\Program Files\Windows NT\Pinball\SOUND104.WAV
C:\Program Files\Windows NT\Pinball\SOUND105.WAV
C:\Program Files\Windows NT\Pinball\SOUND108.WAV
C:\Program Files\Windows NT\Pinball\SOUND111.WAV
C:\Program Files\Windows NT\Pinball\SOUND112.WAV
C:\Program Files\Windows NT\Pinball\SOUND12.WAV
C:\Program Files\Windows NT\Pinball\SOUND13.WAV
C:\Program Files\Windows NT\Pinball\SOUND131.WAV
C:\Program Files\Windows NT\Pinball\SOUND136.WAV
C:\Program Files\Windows NT\Pinball\SOUND14.WAV
C:\Program Files\Windows NT\Pinball\SOUND16.WAV
C:\Program Files\Windows NT\Pinball\SOUND17.WAV
C:\Program Files\Windows NT\Pinball\SOUND18.WAV
C:\Program Files\Windows NT\Pinball\SOUND181.WAV
C:\Program Files\Windows NT\Pinball\SOUND19.WAV
C:\Program Files\Windows NT\Pinball\SOUND20.WAV
C:\Program Files\Windows NT\Pinball\SOUND21.WAV
C:\Program Files\Windows NT\Pinball\SOUND22.WAV
C:\Program Files\Windows NT\Pinball\SOUND24.WAV
C:\Program Files\Windows NT\Pinball\SOUND240.WAV
C:\Program Files\Windows NT\Pinball\SOUND243.WAV
C:\Program Files\Windows NT\Pinball\SOUND25.WAV
C:\Program Files\Windows NT\Pinball\SOUND26.WAV
C:\Program Files\Windows NT\Pinball\SOUND27.WAV
C:\Program Files\Windows NT\Pinball\SOUND28.WAV
C:\Program Files\Windows NT\Pinball\SOUND29.WAV
C:\Program Files\Windows NT\Pinball\SOUND3.WAV
C:\Program Files\Windows NT\Pinball\SOUND30.WAV
C:\Program Files\Windows NT\Pinball\SOUND34.WAV
C:\Program Files\Windows NT\Pinball\SOUND35.WAV
C:\Program Files\Windows NT\Pinball\SOUND36.WAV
C:\Program Files\Windows NT\Pinball\SOUND38.WAV
C:\Program Files\Windows NT\Pinball\SOUND39.WAV
C:\Program Files\Windows NT\Pinball\SOUND4.WAV
C:\Program Files\Windows NT\Pinball\SOUND42.WAV
C:\Program Files\Windows NT\Pinball\SOUND43.WAV
C:\Program Files\Windows NT\Pinball\SOUND45.WAV
C:\Program Files\Windows NT\Pinball\SOUND49.WAV
C:\Program Files\Windows NT\Pinball\SOUND49D.WAV
C:\Program Files\Windows NT\Pinball\SOUND5.WAV
C:\Program Files\Windows NT\Pinball\SOUND50.WAV
C:\Program Files\Windows NT\Pinball\SOUND528.WAV
C:\Program Files\Windows NT\Pinball\SOUND53.WAV
C:\Program Files\Windows NT\Pinball\SOUND54.WAV
C:\Program Files\Windows NT\Pinball\SOUND55.WAV
C:\Program Files\Windows NT\Pinball\SOUND560.WAV
C:\Program Files\Windows NT\Pinball\SOUND563.WAV
C:\Program Files\Windows NT\Pinball\SOUND57.WAV
C:\Program Files\Windows NT\Pinball\SOUND58.WAV
C:\Program Files\Windows NT\Pinball\SOUND6.WAV
C:\Program Files\Windows NT\Pinball\SOUND65.WAV
C:\Program Files\Windows NT\Pinball\SOUND68.WAV
C:\Program Files\Windows NT\Pinball\SOUND7.WAV
C:\Program Files\Windows NT\Pinball\SOUND713.WAV
C:\Program Files\Windows NT\Pinball\SOUND735.WAV
C:\Program Files\Windows NT\Pinball\SOUND8.WAV
C:\Program Files\Windows NT\Pinball\SOUND827.WAV
C:\Program Files\Windows NT\Pinball\SOUND9.WAV
C:\Program Files\Windows NT\Pinball\SOUND999.WAV
C:\Program Files\Windows NT\Pinball\table.bmp
C:\Program Files\Windows NT\Pinball\wavemix.inf
C:\WINDOWS\av_ico\ico_avast_desktop.ico
C:\WINDOWS\av_ico\ico_avast_start.ico
C:\WINDOWS\av_ico\ico_NOD_AV_START.ico
C:\WINDOWS\av_ico\ico_NOD_SS_START.ico
C:\WINDOWS\av_ico\ico_NOD_SYSINSP.ico
C:\WINDOWS\av_ico\ico_NOD_SYSRESC.ico
C:\WINDOWS\av_ico\ico_NOD_TXT.ico
C:\WINDOWS\av_ico\ico_NOD_UNINSTALL.ico
C:\WINDOWS\front_ip_list.txt
C:\WINDOWS\info1
C:\WINDOWS\iplist.txt
C:\WINDOWS\proc_list1.log
C:\WINDOWS\sysdriver32.exe
C:\WINDOWS\sysdriver32_.exe
C:\WINDOWS\system32\drivers\ehdrv.sys
C:\WINDOWS\system32\ezGOSvc.dll
C:\WINDOWS\system32\ezGOSvcApp.exe
C:\WINDOWS\system32\tmp19D8.tmp
C:\WINDOWS\system32\tmp19D9.tmp
C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job
C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job
C:\WINDOWS\Tasks\RealUpgradeLogonTaskS-1-5-21-1078081533-1770027372-1177238915-1003.job
C:\WINDOWS\Tasks\RealUpgradeScheduledTaskS-1-5-21-1078081533-1770027372-1177238915-1003.job
C:\WINDOWS\unrar.exe
C:\WINDOWS\update.tray-2-0\svchost.exe
C:\WINDOWS\update.tray-3-0\svchost.exe

-- Previous Run --

Infected copy of C:\WINDOWS\system32\kernel32.dll was found and disinfected
Restored copy from - C:\WINDOWS\ERDNT\cache\kernel32.dll

--------


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_SRVIECHECK
-------\Legacy_SRVSYSDRIVER32
-------\Legacy_WXPDRIVERS
-------\Service_srviecheck
-------\Service_srvsysdriver32
-------\Service_wxpdrivers
-------\Legacy_srvbtcclient
-------\Legacy_srvbtcclient
-------\Service_srvbtcclient
-------\Service_srvbtcclient
-------\Legacy_EHDRV
-------\Legacy_EPFWTDIR
-------\Legacy_EZGOSVC
-------\Legacy_GUPDATE
-------\Legacy_SRVSYSDRIVER32
-------\Service_ehdrv
-------\Service_epfwtdir
-------\Service_ezGOSvc
-------\Service_gupdate
-------\Service_gupdatem
-------\Service_srvsysdriver32
-------\Legacy_CATCHME
-------\Legacy_EAMON
-------\Legacy_SRVIECHECK
-------\Legacy_SRVSYSDRIVER32
-------\Service_catchme
-------\Service_eamon
-------\Service_srviecheck
-------\Service_srvsysdriver32
-------\Legacy_srvbtcclient
-------\Legacy_srvbtcclient
-------\Service_srvbtcclient
-------\Service_srvbtcclient


((((((((((((((((((((((((( Files Created from 2011-06-20 to 2011-07-20 )))))))))))))))))))))))))))))))


2011-07-20 21:20:57 . 2008-04-14 06:52:42 282112 ----a-w- C:\Program Files\Windows NT\pinball\PINBALL.EXE
2011-07-20 21:20:56 . 2008-04-14 06:52:56 215552 ----a-w- C:\Program Files\Windows NT\accessories\wordpad.exe
2011-07-20 21:20:56 . 2001-10-25 13:00:00 28160 ----a-w- C:\Program Files\Windows NT\hypertrm.exe
2011-07-20 21:20:56 . 2001-10-25 13:00:00 13312 ----a-w- C:\Program Files\Windows NT\htrn_jis.dll
2011-07-20 21:20:55 . 2008-04-14 06:52:20 543232 ----a-w- C:\Program Files\Windows NT\dialer.exe
2011-07-20 13:41:38 . 2011-07-20 13:59:47 -------- d-----w- C:\Program Files\Windows Doctor
2011-07-20 12:13:53 . 2011-07-20 12:45:16 -------- d-----w- C:\Program Files\Counter-Strike Source
2011-07-19 15:50:28 . 2011-07-17 13:18:08 181760 ----a-w- C:\Program Files\Windows NT\dwm.exe
2011-07-19 13:25:25 . 2011-07-19 13:25:25 -------- d-----w- C:\_OTM
2011-07-17 21:34:55 . 2011-07-04 11:36:32 309848 ----a-w- C:\WINDOWS\system32\drivers\aswSP.sys
2011-07-17 21:34:55 . 2011-07-04 11:32:12 19544 ----a-w- C:\WINDOWS\system32\drivers\aswFsBlk.sys
2011-07-17 21:34:53 . 2011-07-04 11:32:32 25432 ----a-w- C:\WINDOWS\system32\drivers\aswRdr.sys
2011-07-17 21:34:52 . 2011-07-04 11:36:43 441176 ----a-w- C:\WINDOWS\system32\drivers\aswSnx.sys
2011-07-17 21:34:52 . 2011-07-04 11:35:23 43608 ----a-w- C:\WINDOWS\system32\drivers\aswTdi.sys
2011-07-17 21:34:51 . 2011-07-04 11:35:12 102616 ----a-w- C:\WINDOWS\system32\drivers\aswmon2.sys
2011-07-17 21:34:51 . 2011-07-04 11:35:09 96344 ----a-w- C:\WINDOWS\system32\drivers\aswmon.sys
2011-07-17 21:34:51 . 2011-07-04 11:32:13 30808 ----a-w- C:\WINDOWS\system32\drivers\aavmker4.sys
2011-07-17 21:34:41 . 2011-07-04 11:43:53 40112 ----a-w- C:\WINDOWS\avastSS.scr
2011-07-17 21:34:41 . 2011-07-04 11:43:51 199304 ----a-w- C:\WINDOWS\system32\aswBoot.exe
2011-07-17 21:15:09 . 2011-07-17 21:15:09 -------- d-----w- C:\Documents and Settings\All Users\Data aplikací\Kaspersky Lab Setup Files
2011-07-17 12:58:48 . 2011-07-17 12:58:48 -------- d-----w- C:\Documents and Settings\LocalService\Nabídka Start
2011-07-02 05:31:02 . 2011-07-02 05:31:02 -------- d-----w- C:\Program Files\Lavalys
2011-06-21 18:47:08 . 2011-06-21 18:47:08 2106216 ----a-w- C:\Program Files\Mozilla Firefox\D3DCompiler_43.dll
2011-06-21 18:47:07 . 2011-06-21 18:47:07 1998168 ----a-w- C:\Program Files\Mozilla Firefox\d3dx9_43.dll
.


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2011-07-11 08:57:06 . 2011-05-29 10:13:19 445016 ----a-w- C:\WINDOWS\system32\wrap_oal.dll
2011-07-11 08:57:05 . 2011-05-29 10:13:19 109144 ----a-w- C:\WINDOWS\system32\OpenAL32.dll
2011-07-09 15:22:59 . 2011-01-29 14:22:24 138184 ----a-w- C:\WINDOWS\system32\drivers\PnkBstrK.sys
2011-07-09 15:22:52 . 2011-01-29 14:22:06 183112 ----a-w- C:\WINDOWS\system32\PnkBstrB.exe
2011-06-28 17:28:46 . 2011-01-29 14:22:05 66872 ----a-w- C:\WINDOWS\system32\PnkBstrA.exe
2011-06-27 03:10:45 . 2011-06-06 03:07:47 404640 ----a-w- C:\WINDOWS\system32\FlashPlayerCPLApp.cpl
2011-06-21 18:47:07 . 2011-04-03 19:01:02 142296 ----a-w- C:\Program Files\mozilla firefox\components\browsercomps.dll


------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.

[-] 2008-12-01 11:20:10 . 1E603EA2A3FDBAE9E5B88A8CB3C03124 . 1571840 . . [5.1.2600.5512 (xpsp.080413-2111)] . . C:\WINDOWS\system32\sfcfiles.dll

((((((((((((((((((((((((((((( SnapShot@2011-07-18_08.29.55 )))))))))))))))))))))))))))))))))))))))))

+ 2011-07-20 21:32:59 . 2011-07-20 21:32:59 16384 C:\WINDOWS\temp\Perflib_Perfdata_54c.dat
+ 2001-10-25 13:00:00 . 2011-07-20 21:34:29 68156 C:\WINDOWS\system32\perfc009.dat
- 2001-10-25 13:00:00 . 2011-07-18 08:30:10 68156 C:\WINDOWS\system32\perfc009.dat
- 2001-10-25 13:00:00 . 2011-07-18 08:30:09 78720 C:\WINDOWS\system32\perfc005.dat
+ 2001-10-25 13:00:00 . 2011-07-20 21:34:28 78720 C:\WINDOWS\system32\perfc005.dat
+ 2001-10-25 13:00:00 . 2011-07-20 21:34:29 435260 C:\WINDOWS\system32\perfh009.dat
- 2001-10-25 13:00:00 . 2011-07-18 08:30:11 435260 C:\WINDOWS\system32\perfh009.dat
- 2001-10-25 13:00:00 . 2011-07-18 08:30:10 431634 C:\WINDOWS\system32\perfh005.dat
+ 2001-10-25 13:00:00 . 2011-07-20 21:34:29 431634 C:\WINDOWS\system32\perfh005.dat
+ 2011-07-18 09:19:35 . 2011-07-18 09:19:35 691200 C:\WINDOWS\Installer\259ff0.msi
+ 2011-07-18 09:19:18 . 2011-07-18 09:19:18 371272 C:\WINDOWS\Installer\{D6F879CC-59D6-4D4B-AE9B-D761E48D25ED}\SkypeIcon.exe
+ 2011-07-18 09:19:17 . 2011-07-18 09:19:17 1541120 C:\WINDOWS\Installer\259fd8.msi

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"uTorrent"="C:\Program Files\uTorrent\uTorrent.exe" [2011-03-30 17:34:30 399736]
"AutoStartNPSAgent"="C:\Program Files\Samsung\Samsung New PC Studio\NPSAgent.exe" [2010-04-27 12:00:02 102400]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2011-06-15 13:02:58 15141768]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 06:52:18 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2009-09-27 17:19:46 13918208]
"ROUTE66Sync"="C:\Program Files\ROUTE 66\ROUTE 66 Sync\Sync9Loader.exe" [2010-12-17 09:26:06 168448]
"sysdriver32.exe"="C:\WINDOWS\sysdriver32.exe" [BU]
"sysdriver32_.exe"="C:\WINDOWS\sysdriver32_.exe" [BU]
"systemup"="C:\WINDOWS\systemup.exe" [BU]
"l1rezerv.exe"="C:\WINDOWS\l1rezerv.exe" [BU]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2008-04-14 06:52:18 15360]

C:\Documents and Settings\Doma\Nabˇdka Start\Programy\Po spuçtŘnˇ\
license.dll [2011-2-28 13824]
Orez vaź obrazovky a spŁçśaź programu OneNote 2007.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 98632]

C:\Documents and Settings\All Users\Nabˇdka Start\Programy\Po spuçtŘnˇ\
AVerQuick.lnk - C:\Program Files\Common Files\AVerMedia\AVerQuick\AVerQuick.exe [2011-1-22 581632]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableSecureUIAPaths"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001
"DisableThumbnailCache"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Atari\\Test Drive Unlimited\\TestDriveUnlimited.exe"=
"C:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"C:\\WINDOWS\\system32\\PnkBstrA.exe"=
"C:\\WINDOWS\\system32\\PnkBstrB.exe"=
"C:\\Program Files\\Valve\\hl.exe"=
"D:\\Nová složka (2)\\crysis2(5620)_01_13\\Bin32\\Crysis2.exe"=
"C:\\Documents and Settings\\Doma\\Data aplikací\\RuneScapeDDoSer.exe"=
"c:\\program files\\mozilla firefox\\firefox.exe"=
"C:\\Program Files\\Google\\Google Earth\\plugin\\geplugin.exe"=
"D:\\CRYSIS 2 CZ\\bin32\\Crysis2.exe"=
"C:\\Program Files\\ICQ7.5\\ICQ.exe"=
"C:\\Program Files\\Codemasters\\DiRT 3\\dirt3_game.exe"=
"C:\\Program Files\\Samsung\\Samsung New PC Studio\\npsasvr.exe"=
"C:\\Program Files\\Samsung\\Samsung New PC Studio\\npsvsvr.exe"=
"C:\\Program Files\\ROUTE 66\\ROUTE 66 Sync\\ROUTE66Sync.exe"=
"C:\\Program Files\\ROUTE 66\\ROUTE 66 Sync\\Sync9Loader.exe"=
"C:\\Documents and Settings\\Doma\\Plocha\\Nová složka (3)\\Counter strike 1.6 by Vinc\\cs\\hl.exe"=
"C:\\Program Files\\Codemasters\\F1 2010\\F1_2010_game.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;C:\WINDOWS\system32\drivers\dtsoftbus01.sys [22.1.2011 19:04:29 218688]
R2 FsUsbExService;FsUsbExService;C:\WINDOWS\system32\FsUsbExService.Exe [1.6.2011 18:15:27 233472]
R2 ICQ Service;ICQ Service;C:\Program Files\ICQ6Toolbar\ICQ Service.exe [4.5.2011 18:02:00 247608]
R3 AVerBDA3x;AVerMedia SAA713x BDA Service;C:\WINDOWS\system32\drivers\AVerBDA3x.sys [22.1.2011 15:33:25 1171456]
R3 FsUsbExDisk;FsUsbExDisk;C:\WINDOWS\system32\FsUsbExDisk.Sys [1.6.2011 18:15:27 36608]
S3 EverestDriver;Lavalys EVEREST Kernel Driver;C:\Program Files\Lavalys\EVEREST Ultimate Edition\kerneld.wnt [2.7.2011 7:31:09 27760]


------- Supplementary Scan -------

uStart Page = hxxp://start.icq.com/
uInternet Settings,ProxyServer = http=127.0.0.1:50889
IE: E&xportovať do programu Microsoft Excel - C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: {{7578ADEA-D65F-4C89-A249-B1C88B6FFC20} - C:\Program Files\ICQ7.5\ICQ.exe
TCP: DhcpNameServer = 172.17.110.7 172.17.110.6
FF - ProfilePath - C:\Documents and Settings\Doma\Data aplikací\Mozilla\Firefox\Profiles\u5lxzfpq.default\
FF - prefs.js: browser.search.selectedEngine - Ask.com
FF - prefs.js: browser.startup.homepage - hxxp://www.google.sk/
FF - prefs.js: keyword.URL - hxxp://search.babylon.com/?babsrc=toolbar2&q=

- - - - ORPHANS REMOVED - - - -

ShellIconOverlayIdentifiers-{472083B0-C522-11CF-8763-00608CC02F24} - (no file)
HKCU-Run-RGSC - C:\Program Files\Rockstar Games\Rockstar Games Social Club\RGSCLauncher.exe

[cernohous13]

Nový script pro OTM

Kód: Vybrat vše

:Commands
[emptytemp]

:Reg
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"sysdriver32.exe"=-
"sysdriver32_.exe"=-
"systemup"=-
"l1rezerv.exe"=-
[HKLM\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 1

:Files
C:\WINDOWS\sysdriver32.exe
C:\WINDOWS\sysdriver32_.exe
C:\WINDOWS\systemup.exe
C:\WINDOWS\l1rezerv.exe
C:\Documents and Settings\Doma\Nabídka Start\Programy\Po spuštění\license.dll

Stáhni a nainstaluj MBAM zde http://www.download.com/Malwarebytes-An ... tag=button
Spustit > na 3.záložce "Aktualizace" > Kontrola aktualizací
následně na 1.záložce "Kontrolor" -> Úplná kontrola -> Prohledat
po dokončení scanu vyskočí okno Notepad s výsledkem - obsah zkopíruj do své odpovědi
zatím nic nemazat - počkej na posouzení

[mikosuo]

log z OTM:
All processes killed
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Doma
->Temp folder emptied: 16384 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 55222221 bytes
->Google Chrome cache emptied: 1905008 bytes
->Flash cache emptied: 975 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 16384 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 55,00 mb


OTM by OldTimer - Version 3.1.18.0 log created on 07212011_122052

Files moved on Reboot...

Registry entries deleted on Reboot...








log Z MBAM:
Malwarebytes' Anti-Malware
www.malwarebytes.org

Verzia databázy:

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.11

21. 7. 2011 23:17:02
mbam-log-2011-07-21 (23-16-57).txt

Typ kontroly: Úplná kontrola (C:\|D:\|J:\|)
Objektov kontrolovaných: 356286
Uplynutý čas: 57 min, 1 sek

Infikované služby pamäte: 0
Infikované moduly pamäte: 0
Infikované registračné kľúče: 0
Infikované registračné hodnoty: 3
Infikované položky registračných dát: 0
Infikované priečinky: 0
Infikované súbory: 21

Infikované služby pamäte:
(Škodlivé položky neboli zistené)

Infikované moduly pamäte:
(Škodlivé položky neboli zistené)

Infikované registračné kľúče:
(Škodlivé položky neboli zistené)

Infikované registračné hodnoty:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysdriver32.exe (Trojan.Agent) -> Value: sysdriver32.exe -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysdriver32_.exe (Trojan.Agent) -> Value: sysdriver32_.exe -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\l1rezerv.exe (Trojan.Agent) -> Value: l1rezerv.exe -> No action taken.

Infikované položky registračných dát:
(Škodlivé položky neboli zistené)

Infikované priečinky:
(Škodlivé položky neboli zistené)

Infikované súbory:
c:\Qoobox\quarantine\C\WINDOWS\l1rezerv.exe.vir (Backdoor.Delf) -> No action taken.
c:\Qoobox\quarantine\C\WINDOWS\services32.exe.vir (Trojan.Dropper) -> No action taken.
c:\Qoobox\quarantine\C\WINDOWS\systemup.exe.vir (Trojan.Agent) -> No action taken.
c:\Qoobox\quarantine\C\WINDOWS\update.1\svchost.exe.vir (Trojan.Dropper) -> No action taken.
c:\Qoobox\quarantine\C\WINDOWS\update.tray-2-0\svchost.exe.vir (Trojan.Dropper) -> No action taken.
c:\Qoobox\quarantine\C\WINDOWS\update.tray-2-0-lnk\svchost.exe.vir (Trojan.Dropper) -> No action taken.
c:\Qoobox\quarantine\C\WINDOWS\update.tray-3-0\svchost.exe.vir (Trojan.Dropper) -> No action taken.
c:\Qoobox\quarantine\C\WINDOWS\update.tray-3-0-lnk\svchost.exe.vir (Trojan.Dropper) -> No action taken.
c:\Qoobox\quarantine\C\WINDOWS\update.tray-7-0\svchost.exe.vir (Trojan.Dropper) -> No action taken.
c:\system volume information\_restore{f81c9733-fffc-47e2-99f2-a87ab8e1046f}\RP203\A0073794.exe (Backdoor.Delf) -> No action taken.
c:\system volume information\_restore{f81c9733-fffc-47e2-99f2-a87ab8e1046f}\RP203\A0073811.exe (Trojan.Agent) -> No action taken.
c:\system volume information\_restore{f81c9733-fffc-47e2-99f2-a87ab8e1046f}\RP203\A0073815.exe (Trojan.Dropper) -> No action taken.
c:\system volume information\_restore{f81c9733-fffc-47e2-99f2-a87ab8e1046f}\RP203\A0073816.exe (Trojan.Dropper) -> No action taken.
c:\_OTM\movedfiles\07192011_152525\c_windows\update.tray-7-0-lnk\svchost.exe (Trojan.Dropper) -> No action taken.
j:\Torrent\aktivátor windows.exe (Hacktool.ChewWGA) -> No action taken.
j:\Torrent\aktivátory - legalizátory\windows 7 legalizátor\windows 7 legalizátor.exe (Riskware.Tool.CK) -> No action taken.
j:\Hry\medal of honor 2010\crack\loader.dll (Riskware.Tool.CK) -> No action taken.
c:\documents and settings\Doma\data aplikací\cglogs.dat (Malware.Trace) -> No action taken.
c:\documents and settings\Doma\data aplikací\data.dat (Stolen.Data) -> No action taken.
c:\documents and settings\Doma\data aplikací\lovely.ini (Malware.Trace) -> No action taken.
c:\documents and settings\Doma\data aplikací\runescapeddoser.exe (Trojan.Agent.Gen) -> No action taken.

[cernohous13]

v MBAM nech "Odstranit označené"

popiš chování PC - ještě jsou nějaké problémy?

[mikosuo]

tak antivirus sa konecne dal nainstalovat a aj funguje
zatial to vyzera ok
Dakujem

[cernohous13]

zdá se, že máš čisto
a jestli už nenacházíš nic podivného, tak po sobě uklidím

ComboFix odinstalujeme
jdi Start -> Spustit... a zkopíruj ComboFix /Uninstall (pozor, za x je mezera) -> OK (kdyby vyskočila hláška, že ho nemůže najít, pokračuj dalším krokem)

Stáhni a spusť T-cleaner http://vyosek.ic.cz/pro_usery/T-Cleaner.exe - uklidí po použitých čističích.
Po spuštění ignoruj případné varování antiviru - je to v pořádku
Po provedení akce T-cleaner smažeš

stáhni program OTC tady: http://oldtimer.geekstogo.com/OTC.exe - spusť ho -> "CleanUp" (smaže dříve použité čističe)

Mohu doporučit kontrolu a vyčištění Ccleanerem

Stáhni Ccleaner - http://www.slunecnice.cz/sw/ccleaner/
Při instalaci vyhodit fajfku u "Instalovat Yahoo! Toolbar"

zavřít Internetový prohlížeč a
spustit "Čistič" > "Spustit Ccleaner" - odstraní nepotřebné
spustit "Registry" > "Hledej problémy" > "Opravit vybrané problémy"
souhlas se zálohou registrů - opakovat dokud nebudou registry čisté.

Návod:http://jnp.zive.cz/Clanky/Prirucka-do-k ... fault.aspx

Ten si můžeš nechat i na budoucí občasné čištění.

Nakonec mi dej současný RSIT log

Po vyčištění by se hodila defragmentace
doporučuji http://www.slunecnice.cz/sw/defraggler/ + čeština