Live Security Platinum - nechtěná nákaza - co s tím?

[enzo1]

Ted jsem se nakazil na webu z obyčejné stránky eshopu! Prosím, jak mám postupovat, nejde mi spustit žádný prohlížeč ani správce procesů. Moc děkuji. Leoš

[Márty84]

Zdravim

Zkuste nouzovy rezim (restartujte pc, mackejte klavesu F8 - pripadne jinou, zalezi na typu stroje, a zvolte moznost nouzovy rezim s praci v siti)

V nouzovem rezimu spustte RSIT a dejte sem log. http://forum.viry.cz/viewtopic.php?f=13&t=105895

[enzo1]

Ještě se mi podařilo v nouzovém režimu odtranit celou složku z infikovaným souborem dle návodu v tomto foru.
Nyní ten log:


Logfile of random's system information tool 1.09 (written by random/random)
Run by leos at 2012-07-07 21:57:56
Microsoft Windows 7 Ultimate Service Pack 1
System drive C: has 65 GB (40%) free of 163 GB
Total RAM: 4095 MB (72% free)

HijackThis download failed

======Listing Processes======

\SystemRoot\System32\smss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
wininit.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
"c:\Program Files\Microsoft Security Client\MsMpEng.exe"
C:\Windows\system32\atiesrxx.exe
winlogon.exe
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
atieclxx
Ati2evxx.exe -Client
C:\Windows\system32\svchost.exe -k NetworkService
"C:\Program Files (x86)\ASUS\ATK Hotkey\ASLDRSrv.exe"
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\agr64svc.exe
"C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe"
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
"taskhost.exe"
"C:\Windows\system32\Dwm.exe"
C:\Windows\Explorer.EXE
"C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
"C:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
"C:\Windows\WindowsMobile\wmdc.exe"
C:\Windows\system32\svchost.exe -k WindowsMobile
"C:\Program Files\Synaptics\SynTP\SynAsus" /RegPlugIn
"C:\Program Files (x86)\ASUS\ATK Hotkey\HControl.exe"
"C:\Program Files (x86)\ASUS\ATK Hotkey\MsgTranAgt64.exe"
"C:\Program Files\Synaptics\SynTP\SynTPHelper.exe"
"C:\Program Files\Wireless Console 2\wcourier.exe"
Atouch64.exe
ATKOSD.exe
WDC.exe
"C:\Program Files (x86)\Anti-Vibrate Oscar Editor\OscarEditor.exe" Minimum
"C:\Users\leos\AppData\Local\Google\Update\GoogleUpdate.exe" /c
"C:\Program Files (x86)\Google\Drive\googledrivesync.exe" /autostart
"C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe"
"C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe"
"C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM"
"C:\Program Files (x86)\Google\Drive\googledrivesync.exe" /autostart
C:\Windows\system32\SearchIndexer.exe /Embedding
"C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe" 0
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k SDRSVC
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe5_ Global\UsGthrCtrlFltPipeMssGthrPipe5 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
"C:\Windows\system32\SearchFilterHost.exe" 0 516 520 528 65536 524
"C:\Users\leos\Desktop\RSITx64.exe"
C:\Windows\system32\wbem\wmiprvse.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\WININET.dll",DispatchAPICall 1

======Scheduled tasks folder======

C:\Windows\tasks\Adobe Flash Player Updater.job
C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-971161735-1096666337-592133431-1001Core.job
C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-971161735-1096666337-592133431-1001UA.job

=========Mozilla firefox=========

ProfilePath - C:\Users\leos\AppData\Roaming\Mozilla\Firefox\Profiles\8r29owfv.default

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\MozillaPlugins\@adobe.com/FlashPlayer]
"Description"=Adobe® Flash® Player 11.3.300.262 Plugin
"Path"=C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_3_300_262.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\MozillaPlugins\@Google.com/GoogleEarthPlugin]
"Description"=Google Earth in your browser
"Path"=C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\MozillaPlugins\@google.com/npPicasa3,version=3.0.0]
"Description"=Picasa3 plugin
"Path"=C:\Program Files (x86)\Google\Picasa3\npPicasa3.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\MozillaPlugins\@java.com/JavaPlugin]
"Description"=Oracle® Next Generation Java™ Plug-In
"Path"=C:\Program Files (x86)\Java\jre6\bin\plugin2\npjp2.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\MozillaPlugins\@microsoft.com/GENUINE]
"Description"=
"Path"=disabled

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0]
"Description"=Ag Player Plugin
"Path"=c:\Program Files (x86)\Microsoft Silverlight\5.1.10411.0\npctrl.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\MozillaPlugins\@tools.google.com/Google Update;version=3]
"Description"=Google Update
"Path"=C:\Program Files (x86)\Google\Update\1.3.21.111\npGoogleUpdate3.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\MozillaPlugins\@tools.google.com/Google Update;version=9]
"Description"=Google Update
"Path"=C:\Program Files (x86)\Google\Update\1.3.21.111\npGoogleUpdate3.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\MozillaPlugins\Adobe Acrobat]
"Description"=Handles PDFs in-place in Firefox
"Path"=C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Air\nppdf32.dll


[HKEY_LOCAL_MACHINE\SOFTWARE\MozillaPlugins\@adobe.com/FlashPlayer]
"Description"=Adobe® Flash® Player 11.3.300.262 Plugin
"Path"=C:\Windows\system32\Macromed\Flash\NPSWF64_11_3_300_262.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\MozillaPlugins\@microsoft.com/GENUINE]
"Description"=
"Path"=disabled

[HKEY_LOCAL_MACHINE\SOFTWARE\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0]
"Description"=Ag Player Plugin
"Path"=c:\Program Files\Microsoft Silverlight\5.1.10411.0\npctrl.dll

C:\Program Files (x86)\Mozilla Firefox\extensions\
{972ce4c6-7e08-4474-a285-3208198ce6fd}

C:\Program Files (x86)\Mozilla Firefox\components\
binary.manifest
browsercomps.dll

C:\Program Files (x86)\Mozilla Firefox\searchplugins\
google.xml
heureka-cz.xml
jyxo-cz.xml
seznam-cz.xml
slunecnice-cz.xml
wikipedia-cz.xml

C:\Users\leos\AppData\Roaming\Mozilla\Firefox\Profiles\8r29owfv.default\extensions\
{6AC85730-7D0F-4de0-B3FA-21142DD85326}

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\wow6432node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
Adobe PDF Link Helper - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2011-09-05 63912]

[HKEY_LOCAL_MACHINE\SOFTWARE\wow6432node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}]
Groove GFS Browser Helper - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll [2009-02-26 2217832]

[HKEY_LOCAL_MACHINE\SOFTWARE\wow6432node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
Java(tm) Plug-In SSV Helper - C:\Program Files (x86)\Java\jre6\bin\ssv.dll [2012-03-11 325408]

[HKEY_LOCAL_MACHINE\SOFTWARE\wow6432node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE7CD045-E861-484f-8273-0445EE161910}]
Adobe PDF Conversion Toolbar Helper - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll [2011-09-05 339872]

[HKEY_LOCAL_MACHINE\SOFTWARE\wow6432node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java(tm) Plug-In 2 SSV Helper - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll [2012-03-11 42272]

[HKEY_LOCAL_MACHINE\SOFTWARE\wow6432node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F4971EE7-DAA0-4053-9964-665D8EE6A077}]
SmartSelect Class - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll [2011-09-05 339872]

[HKEY_LOCAL_MACHINE\SOFTWARE\wow6432node\Microsoft\Internet Explorer\Toolbar]
{47833539-D0C5-4125-9FA8-0819E2EAAC93} - Adobe PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll [2011-09-05 339872]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
""= []
"SynTPEnh"=C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2011-11-08 1813288]
"MSC"=c:\Program Files\Microsoft Security Client\msseces.exe [2012-03-26 1271168]
"Windows Mobile Device Center"=C:\Windows\WindowsMobile\wmdc.exe [2007-05-31 660360]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OscarEditor"=C:\Program Files (x86)\Anti-Vibrate Oscar Editor\OscarEditor.exe [2010-07-22 2636800]
"Google Update"=C:\Users\leos\AppData\Local\Google\Update\GoogleUpdate.exe [2011-11-08 136176]
"GoogleDriveSync"=C:\Program Files (x86)\Google\Drive\googledrivesync.exe [2012-06-20 12163848]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe [2011-09-05 2904984]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Acrobat Speed Launcher]
C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrobat_sl.exe [2011-09-05 36760]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2012-01-03 843712]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeAAMUpdater-1.0]
C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe [2011-03-30 499608]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS5.5ServiceManager]
C:\Program Files (x86)\Common Files\Adobe\CS5.5ServiceManager\CS5.5ServiceManager.exe [2011-01-12 1523360]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe [2009-02-26 30040]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RtHDVCpl]
C:\Windows\RAVCpl64.exe [2011-11-08 6456352]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skytel]
C:\Windows\Skytel.exe [2011-11-08 1833504]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [2012-01-18 254696]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SwitchBoard]
C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-02-19 517096]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Mobile Device Center]
C:\Windows\WindowsMobile\wmdc.exe [2007-05-31 660360]

[HKEY_LOCAL_MACHINE\Software\wow6432node\Microsoft\Windows\CurrentVersion\Run]
"ATKOSD2"=C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe [2008-08-29 8089600]
"HControlUser"=C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe [2008-08-18 98304]
"StartCCC"=C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [2008-01-21 61440]
""= []

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
Bluetooth.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe

C:\Users\leos\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
CCC.lnk - C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED}

[HKEY_LOCAL_MACHINE\SOFTWARE\wow6432node\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{B5A7F190-DDA6-4420-B3BA-52453494E6CD}"=C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll [2009-02-26 2217832]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"=credssp.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\AFD]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\MsMpSvc]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"ConsentPromptBehaviorAdmin"=5
"ConsentPromptBehaviorUser"=3
"EnableUIADesktopToggle"=0
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoActiveDesktop"=1
"NoActiveDesktopChanges"=1
"ForceActiveDesktopOn"=0

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32]
"vidc.mrle"=msrle32.dll
"vidc.msvc"=msvidc32.dll
"msacm.imaadpcm"=imaadp32.acm
"msacm.msg711"=msg711.acm
"msacm.msgsm610"=msgsm32.acm
"msacm.msadpcm"=msadp32.acm
"midimapper"=midimap.dll
"wavemapper"=msacm32.drv
"VIDC.UYVY"=msyuv.dll
"VIDC.YUY2"=msyuv.dll
"VIDC.YVYU"=msyuv.dll
"VIDC.IYUV"=iyuv_32.dll
"vidc.i420"=iyuv_32.dll
"VIDC.YVU9"=tsbyuv.dll
"msacm.l3acm"=C:\Windows\System32\l3codeca.acm
"wave1"=wdmaud.drv
"midi1"=wdmaud.drv
"mixer1"=wdmaud.drv
"aux1"=wdmaud.drv
"MSVideo8"=VfWWDM32.dll
"wave"=wdmaud.drv
"midi"=wdmaud.drv
"mixer"=wdmaud.drv
"aux"=wdmaud.drv
"wave2"=serwvdrv.dll
"wave3"=wdmaud.drv
"midi2"=wdmaud.drv
"mixer2"=wdmaud.drv
"wave4"=wdmaud.drv
"midi3"=wdmaud.drv
"mixer3"=wdmaud.drv
"wave5"=wdmaud.drv
"midi4"=wdmaud.drv
"mixer4"=wdmaud.drv

======File associations======

.js - edit - C:\Windows\System32\Notepad.exe %1
.js - open - C:\Windows\System32\WScript.exe "%1" %*
.txt - open - "C:\Program Files (x86)\PSPad editor\PSPad.exe" "%1"

======List of files/folders created in the last 1 month======

2012-07-07 21:57:56 ----D---- C:\rsit
2012-07-07 21:57:56 ----D---- C:\Program Files\trend micro
2012-07-07 21:34:56 ----A---- C:\Windows\ntbtlog.txt
2012-06-28 16:44:24 ----SHD---- C:\Config.Msi
2012-06-19 12:38:42 ----A---- C:\Windows\system32\wups2.dll
2012-06-19 12:38:42 ----A---- C:\Windows\system32\wucltux.dll
2012-06-19 12:38:42 ----A---- C:\Windows\system32\wuaueng.dll
2012-06-19 12:38:42 ----A---- C:\Windows\system32\wuauclt.exe
2012-06-19 12:38:18 ----A---- C:\Windows\system32\wups.dll
2012-06-19 12:38:18 ----A---- C:\Windows\system32\wudriver.dll
2012-06-19 12:38:18 ----A---- C:\Windows\system32\wuapi.dll
2012-06-19 12:37:51 ----A---- C:\Windows\system32\wuwebv.dll
2012-06-19 12:37:51 ----A---- C:\Windows\system32\wuapp.exe
2012-06-18 22:14:12 ----A---- C:\Windows\SYSWOW64\url.dll
2012-06-18 22:14:12 ----A---- C:\Windows\SYSWOW64\mshtmled.dll
2012-06-18 22:14:12 ----A---- C:\Windows\system32\url.dll
2012-06-18 22:14:12 ----A---- C:\Windows\system32\mshtmled.dll
2012-06-18 22:14:11 ----A---- C:\Windows\SYSWOW64\urlmon.dll
2012-06-18 22:14:11 ----A---- C:\Windows\SYSWOW64\iertutil.dll
2012-06-18 22:14:11 ----A---- C:\Windows\system32\urlmon.dll
2012-06-18 22:14:11 ----A---- C:\Windows\system32\iertutil.dll
2012-06-18 22:14:10 ----A---- C:\Windows\SYSWOW64\ieUnatt.exe
2012-06-18 22:14:10 ----A---- C:\Windows\SYSWOW64\ieui.dll
2012-06-18 22:14:10 ----A---- C:\Windows\system32\ieUnatt.exe
2012-06-18 22:14:10 ----A---- C:\Windows\system32\ieui.dll
2012-06-18 22:14:09 ----A---- C:\Windows\SYSWOW64\wininet.dll
2012-06-18 22:14:09 ----A---- C:\Windows\system32\wininet.dll
2012-06-18 22:14:08 ----A---- C:\Windows\system32\jsproxy.dll
2012-06-18 22:14:07 ----A---- C:\Windows\SYSWOW64\jscript9.dll
2012-06-18 22:14:07 ----A---- C:\Windows\SYSWOW64\jscript.dll
2012-06-18 22:14:07 ----A---- C:\Windows\system32\jscript9.dll
2012-06-18 22:14:06 ----A---- C:\Windows\SYSWOW64\jsproxy.dll
2012-06-18 22:14:06 ----A---- C:\Windows\system32\jscript.dll
2012-06-18 22:14:05 ----A---- C:\Windows\SYSWOW64\mshtml.dll
2012-06-18 22:14:04 ----A---- C:\Windows\system32\mshtml.dll
2012-06-18 22:14:02 ----A---- C:\Windows\system32\ieframe.dll
2012-06-18 22:14:00 ----A---- C:\Windows\SYSWOW64\ieframe.dll
2012-06-18 22:12:12 ----A---- C:\Windows\system32\ntoskrnl.exe
2012-06-18 22:12:09 ----A---- C:\Windows\SYSWOW64\ntoskrnl.exe
2012-06-18 22:12:09 ----A---- C:\Windows\SYSWOW64\ntkrnlpa.exe
2012-06-18 22:12:02 ----A---- C:\Windows\system32\rdpcorets.dll
2012-06-18 22:12:02 ----A---- C:\Windows\system32\profsvc.dll
2012-06-18 22:12:02 ----A---- C:\Windows\system32\drivers\rdpwd.sys
2012-06-18 22:12:01 ----A---- C:\Windows\system32\rdrmemptylst.exe
2012-06-18 22:12:01 ----A---- C:\Windows\system32\rdpwsx.dll
2012-06-18 22:12:01 ----A---- C:\Windows\system32\rdpcorekmts.dll
2012-06-18 22:11:59 ----A---- C:\Windows\system32\win32k.sys
2012-06-18 22:11:05 ----A---- C:\Windows\SYSWOW64\crypt32.dll
2012-06-18 22:11:05 ----A---- C:\Windows\system32\cryptsvc.dll
2012-06-18 22:11:05 ----A---- C:\Windows\system32\cryptnet.dll
2012-06-18 22:11:05 ----A---- C:\Windows\system32\crypt32.dll
2012-06-18 22:11:04 ----A---- C:\Windows\SYSWOW64\cryptsvc.dll
2012-06-18 22:11:04 ----A---- C:\Windows\SYSWOW64\cryptnet.dll
2012-06-18 22:10:25 ----A---- C:\Windows\system32\msi.dll
2012-06-18 22:10:24 ----A---- C:\Windows\SYSWOW64\msi.dll

======List of files/folders modified in the last 1 month======

2012-07-07 21:57:56 ----RD---- C:\Program Files
2012-07-07 21:57:56 ----D---- C:\Windows\Prefetch
2012-07-07 21:57:03 ----D---- C:\Windows\Temp
2012-07-07 21:37:39 ----HD---- C:\ProgramData
2012-07-07 21:34:56 ----D---- C:\Windows
2012-07-07 21:34:08 ----D---- C:\Windows\system32\config
2012-07-06 21:25:06 ----D---- C:\Windows\System32
2012-07-06 21:25:06 ----D---- C:\Windows\inf
2012-07-06 21:25:06 ----A---- C:\Windows\system32\PerfStringBackup.INI
2012-07-06 13:29:11 ----SHD---- C:\System Volume Information
2012-07-05 22:13:45 ----D---- C:\Users\leos\AppData\Roaming\Skype
2012-07-04 17:43:47 ----D---- C:\Windows\system32\NDF
2012-06-29 11:28:09 ----D---- C:\Windows\system32\catroot2
2012-06-28 16:44:36 ----SHD---- C:\Windows\Installer
2012-06-23 12:48:02 ----A---- C:\Windows\SYSWOW64\FlashPlayerApp.exe
2012-06-23 12:47:34 ----A---- C:\Windows\SYSWOW64\FlashPlayerInstaller.exe
2012-06-20 13:22:27 ----D---- C:\Windows\rescache
2012-06-20 12:52:10 ----RSD---- C:\Windows\assembly
2012-06-20 12:52:10 ----D---- C:\Windows\Microsoft.NET
2012-06-19 16:05:17 ----D---- C:\Windows\winsxs
2012-06-19 16:05:01 ----D---- C:\Windows\system32\cs-CZ
2012-06-19 12:38:56 ----D---- C:\Windows\system32\catroot
2012-06-18 23:29:18 ----D---- C:\Windows\SYSWOW64\migration
2012-06-18 23:29:18 ----D---- C:\Windows\SYSWOW64\cs-CZ
2012-06-18 23:29:18 ----D---- C:\Windows\SysWOW64
2012-06-18 23:29:18 ----D---- C:\Windows\system32\migration
2012-06-18 23:29:18 ----D---- C:\Windows\system32\drivers
2012-06-18 23:29:18 ----D---- C:\Program Files\Internet Explorer
2012-06-18 23:29:18 ----D---- C:\Program Files (x86)\Internet Explorer
2012-06-18 22:25:39 ----D---- C:\ProgramData\Microsoft Help
2012-06-18 22:20:56 ----D---- C:\Windows\debug
2012-06-18 22:20:54 ----A---- C:\Windows\system32\MRT.exe
2012-06-08 13:07:37 ----D---- C:\Program Files (x86)\Mozilla Maintenance Service
2012-06-08 10:07:56 ----D---- C:\Program Files (x86)\Mozilla Firefox

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R0 MpFilter;Microsoft Malware Protection Driver; C:\Windows\system32\DRIVERS\MpFilter.sys [2012-03-20 203888]
R0 PxHlpa64;PxHlpa64; C:\Windows\System32\Drivers\PxHlpa64.sys [2009-07-09 55280]
R0 rdyboost;ReadyBoost; C:\Windows\System32\drivers\rdyboost.sys [2010-11-20 213888]
R0 vmbus;@%SystemRoot%\system32\vmbusres.dll,-1000; C:\Windows\system32\drivers\vmbus.sys [2010-11-20 199552]
R1 CSC;@%systemroot%\system32\cscsvc.dll,-202; C:\Windows\system32\drivers\csc.sys [2010-11-20 514560]
R1 vwififlt;Virtual WiFi Filter Driver; C:\Windows\system32\DRIVERS\vwififlt.sys [2009-07-14 59904]
R2 rimmptsk;rimmptsk; C:\Windows\system32\DRIVERS\rimmpx64.sys [2008-06-24 65024]
R2 rimsptsk;rimsptsk; C:\Windows\system32\DRIVERS\rimspx64.sys [2007-07-26 55296]
R2 rismxdp;Ricoh xD-Picture Card Driver; C:\Windows\system32\DRIVERS\rixdpx64.sys [2007-07-27 57856]
R3 AgereSoftModem;Agere Systems Soft Modem; C:\Windows\system32\DRIVERS\agrsm64.sys [2011-11-08 1253376]
R3 atikmdag;atikmdag; C:\Windows\system32\DRIVERS\atikmdag.sys [2011-11-08 4260864]
R3 ATSwpWDF;AuthenTec TruePrint USB WBF WDF Driver; C:\Windows\System32\Drivers\ATSwpWDF.sys [2009-12-03 716872]
R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\Windows\system32\drivers\RTKVHD64.sys [2011-11-08 1487256]
R3 itecir;ITECIR Infrared Receiver; C:\Windows\system32\DRIVERS\itecir.sys [2009-03-09 60416]
R3 MODEMCSA;Unimodem Streaming Filter Device; C:\Windows\system32\drivers\MODEMCSA.sys [2009-07-14 24064]
R3 MTsensor;ATK0100 ACPI UTILITY; C:\Windows\system32\DRIVERS\ATK64AMD.sys [2007-08-09 13680]
R3 NETw5s64;Ovladač adaptéru Intel(R) Wireless WiFi Link pro systém Windows 7 64 Bit; C:\Windows\system32\DRIVERS\NETw5s64.sys [2009-09-15 6952960]
R3 RTL8167;Realtek 8167 NT Driver; C:\Windows\system32\DRIVERS\Rt64win7.sys [2011-06-10 539240]
R3 sdbus;sdbus; C:\Windows\system32\drivers\sdbus.sys [2010-11-20 109056]
R3 SynTP;Synaptics TouchPad Driver; C:\Windows\system32\DRIVERS\SynTP.sys [2011-11-08 286768]
R3 TPM;Čip TPM; C:\Windows\system32\drivers\tpm.sys [2009-07-14 38400]
S3 BthEnum;Ovladač pro Bluetooth Request Block; C:\Windows\system32\drivers\BthEnum.sys [2009-07-14 41984]
S3 BthPan;Zařízení Bluetooth (síť PAN); C:\Windows\system32\DRIVERS\bthpan.sys [2009-07-14 118784]
S3 BTHPORT;Ovladač portu Bluetooth; C:\Windows\System32\Drivers\BTHport.sys [2011-04-28 552960]
S3 BTHUSB;Ovladač rozhraní USB radiostanice Bluetooth; C:\Windows\System32\Drivers\BTHUSB.sys [2011-04-28 80384]
S3 btwaudio;Bluetooth Audio Device Service; C:\Windows\system32\drivers\btwaudio.sys [2011-11-08 92200]
S3 btwavdt;Bluetooth AVDT; C:\Windows\system32\drivers\btwavdt.sys [2011-11-08 121896]
S3 btwl2cap;Bluetooth L2CAP Service; C:\Windows\system32\DRIVERS\btwl2cap.sys [2011-11-08 36392]
S3 btwrchid;btwrchid; C:\Windows\system32\DRIVERS\btwrchid.sys [2011-11-08 19880]
S3 netw5v64;Intel(R) Wireless WiFi Link 5000 Series – ovladač adaptéru pro 64bitový systém Windows Vista; C:\Windows\system32\DRIVERS\netw5v64.sys [2009-06-10 5434368]
S3 NisDrv;Microsoft Network Inspection System; C:\Windows\system32\DRIVERS\NisDrvWFP.sys [2012-03-20 98688]
S3 NSNDIS5;NSNDIS5 NDIS Protocol Driver; \??\C:\Windows\syswow64\NSNDIS5.SYS [2004-03-24 17280]
S3 pciide;pciide; C:\Windows\system32\drivers\pciide.sys [2009-07-14 12352]
S3 pcouffin;VSO Software pcouffin; C:\Windows\System32\Drivers\pcouffin.sys [2012-04-18 82816]
S3 RDPDR;Terminal Server Device Redirector Driver; C:\Windows\System32\drivers\rdpdr.sys [2010-11-20 165888]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver; C:\Windows\System32\drivers\rdpvideominiport.sys [2010-11-20 20992]
S3 RFCOMM;Zařízení Bluetooth (RFCOMM protokol TDI); C:\Windows\system32\DRIVERS\rfcomm.sys [2009-07-14 158720]
S3 s3cap;s3cap; C:\Windows\system32\drivers\vms3cap.sys [2010-11-20 6656]
S3 storvsc;storvsc; C:\Windows\system32\drivers\storvsc.sys [2010-11-20 34688]
S3 Synth3dVsc;Synth3dVsc; C:\Windows\System32\drivers\synth3dvsc.sys []
S3 TsUsbFlt;TsUsbFlt; C:\Windows\system32\drivers\tsusbflt.sys [2010-11-20 59392]
S3 tsusbhub;@%SystemRoot%\system32\drivers\tsusbhub.sys,-1; C:\Windows\system32\drivers\tsusbhub.sys []
S3 usb_rndisx;Adaptér USB RNDIS; C:\Windows\system32\DRIVERS\usb8023x.sys [2009-07-14 19968]
S3 usbscan;Ovladač skeneru USB; C:\Windows\system32\DRIVERS\usbscan.sys [2009-07-14 41984]
S3 VGPU;VGPU; C:\Windows\System32\drivers\rdvgkmd.sys []
S3 VMBusHID;VMBusHID; C:\Windows\system32\drivers\VMBusHID.sys [2010-11-20 21760]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 AgereModemAudio;Agere Modem Call Progress Audio; C:\Windows\system32\agr64svc.exe [2011-11-08 15872]
R2 AMD External Events Utility;AMD External Events Utility; C:\Windows\system32\atiesrxx.exe [2009-08-18 203264]
R2 ASLDRService;ASLDR Service; C:\Program Files (x86)\ASUS\ATK Hotkey\ASLDRSrv.exe [2008-08-13 100920]
R2 Ati External Event Utility;Ati External Event Utility; C:\Windows\system32\Ati2evxx.exe [2011-11-08 872960]
R2 btwdins;Bluetooth Service; C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe [2008-07-29 798248]
R2 CscService;@%systemroot%\system32\cscsvc.dll,-200; C:\Windows\System32\svchost.exe [2009-07-14 27136]
R2 MsMpSvc;Microsoft Antimalware Service; c:\Program Files\Microsoft Security Client\MsMpEng.exe [2012-03-26 12600]
R2 RapiMgr;@%windir%\WindowsMobile\rapimgr.dll,-104; C:\Windows\system32\svchost.exe [2009-07-14 27136]
R2 WcesComm;@%windir%\WindowsMobile\wcescomm.dll,-40079; C:\Windows\system32\svchost.exe [2009-07-14 27136]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86; C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64; C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
S2 gupdate;Služba Google Update (gupdate); C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2011-11-08 136176]
S2 SkypeUpdate;Skype Updater; C:\Program Files (x86)\Skype\Updater\Updater.exe [2012-02-29 158856]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service; C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-06-23 250056]
S3 AppMgmt;@appmgmts.dll,-3250; C:\Windows\system32\svchost.exe [2009-07-14 27136]
S3 gupdatem;Služba Google Update (gupdatem); C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2011-11-08 136176]
S3 gusvc;Google Updater Service; C:\Program Files (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe [2011-05-10 136120]
S3 Microsoft Office Groove Audit Service;Microsoft Office Groove Audit Service; C:\Program Files (x86)\Microsoft Office\Office12\GrooveAuditService.exe [2009-02-26 64856]
S3 MozillaMaintenance;Mozilla Maintenance Service; C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-06-08 113120]
S3 NisSrv;@c:\Program Files\Microsoft Security Client\MpAsDesc.dll,-243; c:\Program Files\Microsoft Security Client\NisSrv.exe [2012-03-26 291696]
S3 odserv;Microsoft Office Diagnostics Service; C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE [2011-07-20 440696]
S3 ose;Office Source Engine; C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2006-10-26 145184]
S3 PeerDistSvc;@%SystemRoot%\system32\peerdistsvc.dll,-9000; C:\Windows\System32\svchost.exe [2009-07-14 27136]
S3 SwitchBoard;SwitchBoard; C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-02-19 517096]
S3 UmRdpService;@%SystemRoot%\system32\umrdp.dll,-1000; C:\Windows\System32\svchost.exe [2009-07-14 27136]
S3 WatAdminSvc;@%SystemRoot%\system32\Wat\WatUX.exe,-601; C:\Windows\system32\Wat\WatAdminSvc.exe [2011-11-08 1255736]

-----------------EOF-----------------

[Márty84]

Udelejte uplnou kontrolu s MBAM http://forum.viry.cz/viewtopic.php?f=29&t=115222 a dejte sem vysledky. Predem nic nemazte, miva obcas falesne detekce
Melo by to jit i v nouzovem rezimu, pokud normalni nepujde.

Kdyby to neslo, tak zkuste AVPTool http://forum.viry.cz/viewtopic.php?f=29&t=58179

[enzo1]

Malwarebytes Anti-Malware (Zkušební verze Malwarebytes Anti-Malware) 1.61.0.1400
www.malwarebytes.org

Verze databáze: v2012.07.07.07

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
leos :: LEOS-PC [administrátor]

Ochrana: Povolena

7.7.2012 22:52:02
mbam-log-2012-07-07 (22-59-45).txt

Typ: Rychlá kontrola
Nastavení kontroly povoleno: Paměť | Po spuštění | Registr | Systémové soubory | Heuristická analýza Extra | Heuristická analýza Shuriken | PUP | PUM
Nastavení kontroly zakázáno: P2P
Kontrolované objekty: 211301
Uplynulý čas: 6 minut, 20 sekund

Nalezené procesy v paměti: 0
(Žádné škodlivé položky nebyly zjištěny)

Nalezené moduly v paměti: 0
(Žádné škodlivé položky nebyly zjištěny)

Nalezené klíče v registru: 0
(Žádné škodlivé položky nebyly zjištěny)

Nalezené hodnoty v registru: 0
(Žádné škodlivé položky nebyly zjištěny)

Nalezené datové položky v registru: 0
(Žádné škodlivé položky nebyly zjištěny)

Nalezené složky: 0
(Žádné škodlivé položky nebyly zjištěny)

Nalezené soubory: 1
C:\Users\leos\AppData\Local\Temp\ax2h.exe (Spyware.Zbot) -> Žádná instrukce nebyla provedena.

(konec)

[Márty84]

Chtel jsem uplnou kontrolu, mam to tam i cervene Ten nalez nechte odstranit a udelejte uplnou, at vime, ze se tam nic neschovava.

Nebo to nechte az na zitra, dneska uz to stejne neprohlednu.

[enzo1]

Diky za pomoc, uz delam uplny sken, za chvili to poslu

[Márty84]

OK

Jen takova mala technicka. System mate legalni? Ultimate neni zrovna bezna domaci verze

[enzo1]

ano, je to firemni stroj

[enzo1]

Popíšu způsob nákazy: Klientovi se na jeho webu objevila hláška, že je distributor malweru. Po mém zjištění, že se v kodu webu objevily skripty a odkazy na malwer, začal jsem hledat otvor, kterým to tam roboti cpou. Na serveru hostingu jsem zrovna měnil chmod u některých souborů, když se mi najednou zavřel nejen ftp klient ale i prohlížeč a vyskočila hláška falešného antiviru. A bylo to. Nejsem si vůbec vědom, že bych něco podcenil Takže moc oceňuji vaši pomoc zde na viry.cz, je to opravdu neocenitelná služba.

[Márty84]

Tak firemni No, asi takto. Pokud je to firemni stroj, tak mi tu ten log ani davat nemusite.

Forum ma jista pravidla a ja se jimi musim taky ridit. Kdybyste si je precetl http://forum.viry.cz/viewtopic.php?f=12&t=5601 , nasel byste tam pravidlo 6.

6. Fórum viry.cz se nezabývá odvirováním firemních PC - na toto jsou ve firmách placení (a někdy až hodně nadstandardně) IT technici, případně si je firma může najmou. My jsme tu zdarma a ve svém volném čase, nehodláme dělat práci za někoho jiného, kdo si pak jen slízne smetánku a plat. Taktéž ani neposkytujeme poradenství v oblasti zabezpečení firemních sítí či nastavení firemních sítí. Zkrátka a jednoduše, naše fórum poskytuje podporu domácím uživatelům.

Krom toho, kdyby se necekane neco zvrtlo, mohl by byt velky problem

Takze bohuzel

[enzo1]

firemni = ja jako firma, na jako zaměstnanec. I to je špatně? Dělam sam na sebe

[enzo1]

Pokud to opravdu nejde, je možné si najmout někoho z vás na pomoc? Nebo je lepší příště lhát? Chci jednat poctivě, neberte to ironicky Díky za pomoc

[Márty84]

I to je spatne, porad je to firma. I kdyz primo vase a jste treba jediny zamestnanec. Tak to proste je. Tahle pravidla vznikla davno predtim, nez jsem se stal clenem zdejsiho tymu a vsichni se jimi musime ridit.


Najmout asi ne. Nebo nebudu mluvit za kolegy, ale mne urcite ne. Na to jsou firmy, ktere za svoji praci ruci a jsou, nebo mely by byt pojisteny, kdyby neco nevyslo. To ja vam zarucit nemuzu a nevemu si to na svedomi, ze prijdete o nejaka dulezita data.

Lhat muzete, ale casto se na to prijde v prubehu leceni, protoze v nekterych lozich jsou jiste stopy, kde se da poznat, nebo aspon hodne napovi, ze to neni bezne domaci pc. Mimochodem jeden z tech logu bych si taky vyzadal hned po zkontrolovani MBAM. Protoze RSIT neukaze zdaleka vse a kdyz jde o vaznejsi problem, je nedostacujici.

[enzo1]

ok, přesto díky za váš čas a ochotu. Přeji hezký zbytek víkendu.