Abnow.com

[vyosek]

Na plose by mel byt textovy soubor (log) ten sem kdyztak dejte

[MartiN182]

Tak toto je ono:

Webroot AntiZeroAccess 0.8 Log File
Execution time: 07/03/2012 - 21:53
Host operation System: Windows Seven X86 version 6.1.7600
21:53:42 - CheckSystem - Begin to check system...
21:53:42 - OpenRootDrive - Opening system root volume and physical drive....
21:53:42 - C Root Drive: Disk number: 1 Start sector: 0x0000003F Partition Size: 0x0639D9A7 sectors.
21:53:42 - PrevX Main driver extracted in "C:\Windows\system32\drivers\ZeroAccess.sys".
21:53:42 - InstallAndStartDriver - Main driver was installed and now is running.
21:53:42 - CheckSystem - Disk class driver state is OK.
21:53:46 - CheckFile - Unable to send FSCTL_GET_RETRIEVAL_POINTERS to file object. DeviceIoControl last error: 5
21:53:46 - CheckFile - Unable to send FSCTL_GET_RETRIEVAL_POINTERS to file object. DeviceIoControl last error: 5
21:53:46 - CheckFile - Unable to send FSCTL_GET_RETRIEVAL_POINTERS to file object. DeviceIoControl last error: 5
21:53:46 - CheckFile - Unable to send FSCTL_GET_RETRIEVAL_POINTERS to file object. DeviceIoControl last error: 5
21:53:46 - CheckFile - Unable to send FSCTL_GET_RETRIEVAL_POINTERS to file object. DeviceIoControl last error: 5
21:53:48 - CheckFile - Unable to read "sptd.sys" file. CreateFile last eror: 0x00000020.
21:53:49 - StopAndRemoveDriver - AntiZeroAccess Driver is stopped and removed.
21:53:49 - StopAndRemoveDriver - File "ZeroAccess.sys" was deleted!
21:53:49 - Execution Ended!

[vyosek]

Fajn, zkuste nyni ComboFix, pripadne pak zase F8 a posledni znama funkcni konfigurace pokud nebude chtit spolupracovat

[MartiN182]

Skúšam, ale Combofix sa tvári akoby nič nerobil, ani HDD nepracuje.. akoby to celé prestalo reagovať, skúsim reštartovať a odznova

[vyosek]

Zkuste jej ale spusti v nouzovem rezimu a prejmenujte jej na beruska.com

[MartiN182]

Tak chvíľku to trvalo, ale na tretí pokus to konečne vyšlo:)

Tu je výsledný log:

ComboFix 12-03-07.05 - miso 03/07/2012 23:16:53.1.2 - x86
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.991.293 [GMT 1:00]
Running from: c:\users\miso\Desktop\beruska.com.exe
AV: Kaspersky Internet Security *Disabled/Outdated* {2EAA32A5-1EE1-1B22-95DA-337730C6E984}
FW: Kaspersky Internet Security *Disabled* {1691B380-548E-1A7A-BE85-9A42CE15AEFF}
SP: Kaspersky Internet Security *Disabled/Updated* {95CBD341-38DB-14AC-AF6A-08054B41A339}
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\bce4b20.dll
c:\windows\system32\bce4b20_pres.dll
c:\windows\system32\lxdm_device.dll
c:\windows\system32\s7oppitx.dll
c:\windows\XSxS
c:\windows\$NtUninstallKB47616$ . . . . Failed to delete
.
.
((((((((((((((((((((((((( Files Created from 2012-02-07 to 2012-03-07 )))))))))))))))))))))))))))))))
.
.
2012-03-07 18:57 . 2012-03-07 18:57 -------- d-----w- c:\users\miso\AppData\Roaming\Citrix
2012-03-07 18:51 . 2012-03-07 18:51 -------- d-sh--w- c:\windows\system32\%APPDATA%
2012-03-07 17:21 . 2012-03-07 17:21 -------- d-----w- c:\program files\trend micro
2012-03-07 17:21 . 2012-03-07 17:21 -------- d-----w- C:\rsit
2012-03-05 18:18 . 2012-03-07 16:54 0 --sha-w- c:\windows\system32\dds_log_trash.cmd
2012-03-05 17:50 . 2012-03-05 23:45 -------- d-sh--w- c:\users\miso\AppData\Local\211064ef
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-03-05 18:17 . 2011-08-05 10:10 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2008-08-16 16:42 . 2008-08-16 16:42 13112 ----a-w- c:\program files\mozilla firefox\plugins\cgpcfg.dll
2008-08-16 16:42 . 2008-08-16 16:42 70456 ----a-w- c:\program files\mozilla firefox\plugins\CgpCore.dll
2008-08-16 16:42 . 2008-08-16 16:42 91448 ----a-w- c:\program files\mozilla firefox\plugins\confmgr.dll
2008-08-16 16:42 . 2008-08-16 16:42 20800 ----a-w- c:\program files\mozilla firefox\plugins\ctxlogging.dll
2008-08-16 16:43 . 2008-08-16 16:43 206136 ----a-w- c:\program files\mozilla firefox\plugins\ctxmui.dll
2008-08-16 16:42 . 2008-08-16 16:42 31032 ----a-w- c:\program files\mozilla firefox\plugins\icafile.dll
2008-08-16 16:42 . 2008-08-16 16:42 40248 ----a-w- c:\program files\mozilla firefox\plugins\icalogon.dll
2008-05-21 07:41 . 2008-05-21 07:41 479232 ----a-w- c:\program files\mozilla firefox\plugins\msvcm80.dll
2008-05-21 07:41 . 2008-05-21 07:41 548864 ----a-w- c:\program files\mozilla firefox\plugins\msvcp80.dll
2008-05-21 07:41 . 2008-05-21 07:41 626688 ----a-w- c:\program files\mozilla firefox\plugins\msvcr80.dll
2008-06-05 12:58 . 2008-06-05 12:58 648504 ----a-w- c:\program files\mozilla firefox\plugins\sslsdk_b.dll
2008-08-16 16:42 . 2008-08-16 16:42 23864 ----a-w- c:\program files\mozilla firefox\plugins\TcpPServ.dll
2012-02-20 13:06 . 2011-05-06 22:12 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AlcoholAutomount"="c:\program files\Alcohol Soft\Alcohol 120\AxAutoMntSrv.exe" [2010-08-20 33120]
"ICQ"="c:\program files\ICQ7.2\ICQ.exe" [2011-01-05 133432]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2011-07-06 1047656]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 2012\avp.exe" [2011-04-24 202296]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-07-06 449584]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Citrix XenApp.lnk - c:\windows\Installer\{388C130B-0079-46B4-A0D5-DC2DD7A89A7B}\pnaico.exe.20FBBF0A_A7E5_4BDE_9798_9811C3D135AC.exe [2010-11-16 73728]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKLM\~\startupfolder\C:^Users^miso^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OpenOffice.org 3.2.lnk]
path=c:\users\miso\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.2.lnk
backup=c:\windows\pss\OpenOffice.org 3.2.lnk.Startup
backupExtension=.Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
.
R2 gupdate;Služba Google Update (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-10-31 136176]
R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2010-10-31 136176]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2011-07-06 41272]
S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2011-01-16 436792]
S1 kl2;kl2;c:\windows\system32\DRIVERS\kl2.sys [2011-03-04 11352]
S1 KLIM6;Kaspersky Anti-Virus NDIS 6 Filter;c:\windows\system32\DRIVERS\klim6.sys [2011-03-10 23856]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [2011-06-06 64952]
S2 JuniperAccessService;Juniper Unified Network Service;c:\program files\Common Files\Juniper Networks\JUNS\dsAccessService.exe [2010-03-17 132464]
S2 LicCtrlService;LicCtrl Service;c:\windows\runservice.exe [2011-04-06 2560]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2011-07-06 366640]
S2 PRESLICSER;PReS License Service;c:\windows\SYSTEM32\preslicser.exe [2007-03-05 143360]
S3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\DRIVERS\klmouflt.sys [2009-11-02 19984]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-07-06 22712]
.
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
WNCPKT
psimsvc
brmfbags
fcprintservice
trackcam4
agnfilt
PTproct
avsvcmonitor
NIPALK
avsinc
se44mdfl
.
Contents of the 'Scheduled Tasks' folder
.
2012-03-07 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-10-31 07:35]
.
2012-03-07 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-10-31 07:35]
.
.
------- Supplementary Scan -------
.
IE: Add to Anti-Banner - c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 2012\ie_banner_deny.htm
IE: E&xportovat do aplikace Microsoft Office Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 195.34.133.21 212.186.211.21
DPF: {813A45F9-744F-435F-A815-19E2DF35A9D8} - hxxp://www.o2c.de/download/o2cplayerac.cab
FF - ProfilePath - c:\users\miso\AppData\Roaming\Mozilla\Firefox\Profiles\pcqdyuwm.default\
.
- - - - ORPHANS REMOVED - - - -
.
AddRemove-Juiced! - c:\programdata\{1698B2FF-E459-4282-A1E3-DF0F2FDEDC61}\Juiced_RE.exe.exe
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\BFE]
"ImagePath"="."
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\MpsSvc]
"ImagePath"="."
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(1256)
c:\program files\HappyFoto\HfAsistentSlk\FotoSync.dll
c:\program files\HappyFoto\HfAsistentSlk\xerc2701.dll
c:\program files\HappyFoto\HfAsistentSlk\fotosynr.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvvsvc.exe
c:\windows\system32\nvvsvc.exe
c:\windows\system32\taskhost.exe
c:\program files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
c:\windows\system32\sppsvc.exe
c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
c:\windows\system32\conhost.exe
c:\\?\c:\windows\system32\wbem\WMIADAP.EXE
.
**************************************************************************
.
Completion time: 2012-03-07 23:32:14 - machine was rebooted
ComboFix-quarantined-files.txt 2012-03-07 22:32
.
Pre-Run: 1,289,551,872 bytes free
Post-Run: 1,523,986,432 bytes free
.
- - End Of File - - 22AF5917187F67F0BC0DAF323EB3CD8F

[vyosek]

Pokud nemate, tak presunte Combofix na plochu

• Spustte poznamkovy blok (Start-spustit-notepad)
• Zkopirujte skript nize

• Kód: Vybrat vše

  KillAll::
  
  Folder::
  c:\windows\$NtUninstallKB47616$
  c:\windows\system32\%APPDATA%
  c:\users\miso\AppData\Local\211064ef
  
  File::
  c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
  c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
  
  Collect::
  c:\windows\system32\dds_log_trash.cmd
  
  Registry::
  [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
  "AlcoholAutomount"="c:\program files\Alcohol Soft\Alcohol 120\AxAutoMntSrv.exe" [2010-08-20 33120]
  "ICQ"="c:\program files\ICQ7.2\ICQ.exe" [2011-01-05 133432]
  .
  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
  "NeroFilterCheck"=-
  "Malwarebytes' Anti-Malware (reboot)"=-
  "SunJavaUpdateSched"=-
  "Adobe ARM"=-
  "Malwarebytes' Anti-Malware"=-
  [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
  "DisableMonitoring"=dword:00000000
  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost]
  "netsvcs"=hex(7):41,65,4C,6F,6F,6B,75,70,53,76,63,00,41,70,\
    70,49,6E,66,6F,00,41,70,70,4D,67,6D,74,00,41,75,64,69,6F,53,72,76,00,42,\
    44,45,53,56,43,00,42,49,54,53,00,62,72,6F,77,73,65,72,00,43,65,72,74,\
    50,72,6F,70,53,76,63,00,45,61,70,48,6F,73,74,00,46,61,73,74,55,73,65,\
    72,53,77,69,74,63,68,69,6E,67,43,6F,6D,70,61,74,69,62,69,6C,69,74,79,\
    00,67,70,73,76,63,00,68,65,6C,70,73,76,63,00,68,6B,6D,73,76,63,00,49,\
    61,73,00,49,4B,45,45,58,54,00,69,70,68,6C,70,73,76,63,00,49,72,6D,6F,\
    6E,00,6C,61,6E,6D,61,6E,73,65,72,76,65,72,00,4C,6F,67,6F,6E,48,6F,75,\
    72,73,00,4D,4D,43,53,53,00,6D,73,69,73,63,73,69,00,4E,6C,61,00,4E,74,\
    6D,73,73,76,63,00,4E,57,43,57,6F,72,6B,73,74,61,74,69,6F,6E,00,4E,77,\
    73,61,70,61,67,65,6E,74,00,50,43,41,75,64,69,74,00,50,72,6F,66,53,76,\
    63,00,52,61,73,61,75,74,6F,00,52,61,73,6D,61,6E,00,52,65,6D,6F,74,65,\
    61,63,63,65,73,73,00,53,43,50,6F,6C,69,63,79,53,76,63,00,73,65,63,6C,\
    6F,67,6F,6E,00,53,45,4E,53,00,53,65,73,73,69,6F,6E,45,6E,76,00,53,68,\
    61,72,65,64,61,63,63,65,73,73,00,53,68,65,6C,6C,48,57,44,65,74,65,63,\
    74,69,6F,6E,00,73,63,68,65,64,75,6C,65,00,53,52,53,65,72,76,69,63,65,\
    00,54,61,70,69,73,72,76,00,54,65,72,6D,53,65,72,76,69,63,65,00,54,68,\
    65,6D,65,73,00,75,70,6C,6F,61,64,6D,67,72,00,77,65,72,63,70,6C,73,75,\
    70,70,6F,72,74,00,77,69,6E,6D,67,6D,74,00,57,6D,64,6D,50,6D,53,70,00,57,\
    6D,69,00,77,75,61,75,73,65,72,76,00,00
  
  Driver::
  gupdate
  gupdatem
  
  RegLock::
  [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
  [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
  [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\PCW\Security]
  
  ClearJavaCache::
  
  AtJob::
  
  Reboot::

• Ulozte vytvoreny TXT jako CFScript.txt
• Pretahnete vytvoreny CFScript.txt nad Combofix a pustte (viz obrazek nize)
  
• Po aplikaci skriptu (a pripadnem restartu) na Vas vypadne log, jeho obsah sem vlozte

Muze se stat, ze po aplikaci skriptu nenabehnou windows, v tomto pripade restartuje PC a mackejte F8 a zvolte Posledni znamou konfiguraci

[MartiN182]

Všetko prebehlo bez problémov

Tu je skript:

ComboFix 12-03-07.05 - miso 03/08/2012 15:35:13.2.2 - x86
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.991.329 [GMT 1:00]
Running from: c:\users\miso\Desktop\beruska.com.exe
Command switches used :: c:\users\miso\Desktop\CFScript.txt
AV: Kaspersky Internet Security *Disabled/Outdated* {2EAA32A5-1EE1-1B22-95DA-337730C6E984}
FW: Kaspersky Internet Security *Disabled* {1691B380-548E-1A7A-BE85-9A42CE15AEFF}
SP: Kaspersky Internet Security *Disabled/Updated* {95CBD341-38DB-14AC-AF6A-08054B41A339}
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
FILE ::
"c:\windows\Tasks\GoogleUpdateTaskMachineCore.job"
"c:\windows\Tasks\GoogleUpdateTaskMachineUA.job"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\miso\AppData\Local\211064ef
c:\users\miso\AppData\Local\211064ef\@
c:\windows\system32\%APPDATA%
c:\windows\system32\%APPDATA%\Microsoft\Windows\IETldCache\index.dat
c:\windows\$NtUninstallKB47616$ . . . . Failed to delete
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_gupdate
-------\Service_gupdatem
.
.
((((((((((((((((((((((((( Files Created from 2012-02-08 to 2012-03-08 )))))))))))))))))))))))))))))))
.
.
2012-03-08 14:44 . 2012-03-08 14:46 -------- d-----w- c:\users\miso\AppData\Local\temp
2012-03-07 18:57 . 2012-03-07 18:57 -------- d-----w- c:\users\miso\AppData\Roaming\Citrix
2012-03-07 17:21 . 2012-03-07 17:21 -------- d-----w- c:\program files\trend micro
2012-03-07 17:21 . 2012-03-07 17:21 -------- d-----w- C:\rsit
2012-03-05 18:18 . 2012-03-07 16:54 0 --sha-w- c:\windows\system32\dds_log_trash.cmd
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-03-05 18:17 . 2011-08-05 10:10 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2008-08-16 16:42 . 2008-08-16 16:42 13112 ----a-w- c:\program files\mozilla firefox\plugins\cgpcfg.dll
2008-08-16 16:42 . 2008-08-16 16:42 70456 ----a-w- c:\program files\mozilla firefox\plugins\CgpCore.dll
2008-08-16 16:42 . 2008-08-16 16:42 91448 ----a-w- c:\program files\mozilla firefox\plugins\confmgr.dll
2008-08-16 16:42 . 2008-08-16 16:42 20800 ----a-w- c:\program files\mozilla firefox\plugins\ctxlogging.dll
2008-08-16 16:43 . 2008-08-16 16:43 206136 ----a-w- c:\program files\mozilla firefox\plugins\ctxmui.dll
2008-08-16 16:42 . 2008-08-16 16:42 31032 ----a-w- c:\program files\mozilla firefox\plugins\icafile.dll
2008-08-16 16:42 . 2008-08-16 16:42 40248 ----a-w- c:\program files\mozilla firefox\plugins\icalogon.dll
2008-05-21 07:41 . 2008-05-21 07:41 479232 ----a-w- c:\program files\mozilla firefox\plugins\msvcm80.dll
2008-05-21 07:41 . 2008-05-21 07:41 548864 ----a-w- c:\program files\mozilla firefox\plugins\msvcp80.dll
2008-05-21 07:41 . 2008-05-21 07:41 626688 ----a-w- c:\program files\mozilla firefox\plugins\msvcr80.dll
2008-06-05 12:58 . 2008-06-05 12:58 648504 ----a-w- c:\program files\mozilla firefox\plugins\sslsdk_b.dll
2008-08-16 16:42 . 2008-08-16 16:42 23864 ----a-w- c:\program files\mozilla firefox\plugins\TcpPServ.dll
2012-02-20 13:06 . 2011-05-06 22:12 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AlcoholAutomount"="c:\program files\Alcohol Soft\Alcohol 120\AxAutoMntSrv.exe" [2010-08-20 33120]
"ICQ"="c:\program files\ICQ7.2\ICQ.exe" [2011-01-05 133432]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 2012\avp.exe" [2011-04-24 202296]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Citrix XenApp.lnk - c:\windows\Installer\{388C130B-0079-46B4-A0D5-DC2DD7A89A7B}\pnaico.exe.20FBBF0A_A7E5_4BDE_9798_9811C3D135AC.exe [2010-11-16 73728]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKLM\~\startupfolder\C:^Users^miso^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OpenOffice.org 3.2.lnk]
path=c:\users\miso\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.2.lnk
backup=c:\windows\pss\OpenOffice.org 3.2.lnk.Startup
backupExtension=.Startup
.
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2011-07-06 41272]
S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2011-01-16 436792]
S1 kl2;kl2;c:\windows\system32\DRIVERS\kl2.sys [2011-03-04 11352]
S1 KLIM6;Kaspersky Anti-Virus NDIS 6 Filter;c:\windows\system32\DRIVERS\klim6.sys [2011-03-10 23856]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [2011-06-06 64952]
S2 JuniperAccessService;Juniper Unified Network Service;c:\program files\Common Files\Juniper Networks\JUNS\dsAccessService.exe [2010-03-17 132464]
S2 LicCtrlService;LicCtrl Service;c:\windows\runservice.exe [2011-04-06 2560]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2011-07-06 366640]
S2 PRESLICSER;PReS License Service;c:\windows\SYSTEM32\preslicser.exe [2007-03-05 143360]
S3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\DRIVERS\klmouflt.sys [2009-11-02 19984]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-07-06 22712]
.
.
Contents of the 'Scheduled Tasks' folder
.
2012-03-08 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-10-31 07:35]
.
2012-03-08 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-10-31 07:35]
.
.
------- Supplementary Scan -------
.
IE: Add to Anti-Banner - c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 2012\ie_banner_deny.htm
IE: E&xportovat do aplikace Microsoft Office Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 195.34.133.21 212.186.211.21
DPF: {813A45F9-744F-435F-A815-19E2DF35A9D8} - hxxp://www.o2c.de/download/o2cplayerac.cab
FF - ProfilePath - c:\users\miso\AppData\Roaming\Mozilla\Firefox\Profiles\pcqdyuwm.default\
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\BFE]
"ImagePath"="."
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\MpsSvc]
"ImagePath"="."
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(3604)
c:\program files\HappyFoto\HfAsistentSlk\FotoSync.dll
c:\program files\HappyFoto\HfAsistentSlk\xerc2701.dll
c:\program files\HappyFoto\HfAsistentSlk\fotosynr.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvvsvc.exe
c:\windows\system32\nvvsvc.exe
c:\windows\system32\taskhost.exe
c:\program files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
c:\windows\system32\sppsvc.exe
c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
c:\windows\system32\conhost.exe
c:\program files\Citrix\ICA Client\PNAMain.exe
.
**************************************************************************
.
Completion time: 2012-03-08 15:48:58 - machine was rebooted
ComboFix-quarantined-files.txt 2012-03-08 14:48
ComboFix2.txt 2012-03-07 22:32
.
Pre-Run: 1,557,647,360 bytes free
Post-Run: 1,352,790,016 bytes free
.
- - End Of File - - 541AA66B8041413621E00B0F0931F78F

[vyosek]

Brani se mrcha, brani

Stahnete Avenger http://forum.viry.cz/viewtopic.php?f=11&t=19832

• Pokud pouzivate Win Vista ci W7, kliknete na Avenger pravym a dejte Run As Administrator ci Spustit jako spravce
• Po spusteni Vas program upozorni, ze vse co delate, delate na vlastni riziko - Dejte OK
• Po potvrzeni uz na Vas koukne hlavni okno, kam vlozite skript, ktery mate nize

• Kód: Vybrat vše

  Files to delete:
  c:\windows\system32\dds_log_trash.cmd
  
  Folders to delete:
  c:\windows\$NtUninstallKB47616$
  
  Drivers to delete:
  BFE
  MpsSvc

• Do ctverecku u Scan for rootkits a Automatically disable any rootkits found dejte fajecku
• Nyni uz kliknete na Execute a potvrdte Yes v nasledujicim okne - timto potvrdite spusteni skriptu
• Na otazku Reboot now odpovezte opet OK - timto se PC restartuje
• Po restartu by se mel otevrit poznamkovy blok s logem a jeho obsah vlozte sem. Pokud se tak nestane, naleznete pozadovany dokument v C:\avenger.txt

[MartiN182]

To áno, už by to mohla konečne vzdať..

Tu je log (zaujímavé že v Platform je Vista, keď mám 7čku):

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows Vista

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File "c:\windows\system32\dds_log_trash.cmd" deleted successfully.
Folder "c:\windows\$NtUninstallKB47616$" deleted successfully.
Driver "BFE" deleted successfully.
Driver "MpsSvc" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

[vyosek]

No Avenger jeste neni zcela optimalizovan pro W7 ani pro 64bit OS, ale funkci zatim plni...

Tak Avengeru neodolal

Stahnete RogueKiller http://www.sur-la-toile.com/RogueKiller/RogueKiller.exe

• Ukoncete vsechny programy
• Pokud pouzivate Win Vista ci W7, kliknete na RogueKiller pravym a dejte Run As Administrator ci Spustit jako spravce
• Pockejte na dokonceni PreScanu
• Zvolte moznost Prohledat (scan)
• Po dokonceni skenu kliknete na Zpráva (Report)- otevre se log, ten sem vlozte

[MartiN182]

Tak to ma teda teší, konečne začínam mať nádej že to svinstvo zmizne

Log:

RogueKiller V7.2.1 [02/29/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo.com/forum/files/fi ... guekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows 7 (6.1.7600 ) 32 bits version
Started in : Normal mode
User: miso [Admin rights]
Mode: Scan -- Date: 03/08/2012 16:19:19

¤¤¤ Bad processes: 1 ¤¤¤
[SUSP PATH] Runservice.exe -- C:\Windows\runservice.exe -> KILLED [TermProc]

¤¤¤ Registry Entries: 2 ¤¤¤
[HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver: [LOADED] ¤¤¤

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
127.0.0.1 localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ST3160812A ATA Device +++++
--- User ---
[MBR] f15056b95aa7adbc50fa9a710e568c0b
[BSP] 30bab2c63aa20d2c1634d7a4d04ea5be : Windows 7 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 29996 Mo
1 - [XXXXXX] EXTEN-LBA (0x0f) [VISIBLE] Offset (sectors): 61432560 | Size: 60008 Mo
2 - [XXXXXX] LINUX (0x83) [VISIBLE] Offset (sectors): 184329810 | Size: 39997 Mo
3 - [XXXXXX] LINUX-SWP (0x82) [VISIBLE] Offset (sectors): 266245245 | Size: 22622 Mo
User = LL1 ... OK!
User = LL2 ... OK!

+++++ PhysicalDrive1: Hitachi HDS721616PLA SCSI Disk Device +++++
--- User ---
[MBR] 655875f0c1ed5fd242cb6bcf8624b8d2
[BSP] a293f9fe18c21948f8d8d3885a6b4644 : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 51003 Mo
1 - [XXXXXX] EXTEN-LBA (0x0f) [VISIBLE] Offset (sectors): 104454630 | Size: 101614 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

Finished : << RKreport[1].txt >>
RKreport[1].txt

[vyosek]

Spustte znovu RogueKiller

• Pokud pouzivate Win Vista ci W7, kliknete na RogueKiller pravym a dejte Run As Administrator ci Spustit jako spravce
• Zvolte moznost Prohledat a pote Smazat a nasledne Zprava - otevre se log, ten sem vlozte

[MartiN182]

Hotovo

RogueKiller V7.2.1 [02/29/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo.com/forum/files/fi ... guekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows 7 (6.1.7600 ) 32 bits version
Started in : Normal mode
User: miso [Admin rights]
Mode: Remove -- Date: 03/08/2012 16:29:23

¤¤¤ Bad processes: 0 ¤¤¤

¤¤¤ Registry Entries: 2 ¤¤¤
[HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver: [LOADED] ¤¤¤

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
127.0.0.1 localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ST3160812A ATA Device +++++
--- User ---
[MBR] f15056b95aa7adbc50fa9a710e568c0b
[BSP] 30bab2c63aa20d2c1634d7a4d04ea5be : Windows 7 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 29996 Mo
1 - [XXXXXX] EXTEN-LBA (0x0f) [VISIBLE] Offset (sectors): 61432560 | Size: 60008 Mo
2 - [XXXXXX] LINUX (0x83) [VISIBLE] Offset (sectors): 184329810 | Size: 39997 Mo
3 - [XXXXXX] LINUX-SWP (0x82) [VISIBLE] Offset (sectors): 266245245 | Size: 22622 Mo
User = LL1 ... OK!
User = LL2 ... OK!

+++++ PhysicalDrive1: Hitachi HDS721616PLA SCSI Disk Device +++++
--- User ---
[MBR] 655875f0c1ed5fd242cb6bcf8624b8d2
[BSP] a293f9fe18c21948f8d8d3885a6b4644 : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 51003 Mo
1 - [XXXXXX] EXTEN-LBA (0x0f) [VISIBLE] Offset (sectors): 104454630 | Size: 101614 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

Finished : << RKreport[3].txt >>
RKreport[1].txt ; RKreport[2].txt ; RKreport[3].txt

[vyosek]

Sjupr, dame si jeste jeden skript pro ComboFix - postup je stejny

Kód: Vybrat vše

KillAll::

File::
c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AlcoholAutomount"=-
"ICQ"=-

ClearJavaCache::

Reboot::