Nefunkční TCP/IP připojení

[stell]

v pohode, niekedy prilisna iniciativa skodi,subor notepad vo zlozke windows je ok, Norman to falosne oznacil ako virus.
Rob len to co pisem, aby sme to mohli raz dva to ukoncit.

[Porqueroll]

Log ComboFixu:

ComboFix 12-12-14.01 - Luboš 14.12.2012 15:43:48.3.2 - x86
Systém Microsoft Windows XP Professional 5.1.2600.3.1250.420.1029.18.2047.1348 [GMT 1:00]
Spuštěný z: c:\documents and settings\Luboš\Plocha\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: COMODO Firewall *Disabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
.
.
((((((((((((((((((((((((( Soubory vytvořené od 2012-11-14 do 2012-12-14 )))))))))))))))))))))))))))))))
.
.
2012-12-14 14:35 . 2001-10-25 14:00 114688 -c--a-w- c:\windows\system32\dllcache\calc.exe
2012-12-14 14:35 . 2001-10-25 14:00 114688 ----a-w- c:\windows\system32\calc.exe
2012-12-14 14:25 . 2012-11-08 18:00 6812136 ----a-w- c:\documents and settings\All Users\Data aplikací\Microsoft\Windows Defender\Definition Updates\{DECED81A-C8D9-4B95-B076-ECE8556B83AF}\mpengine.dll
2012-12-13 20:22 . 2012-12-13 20:22 -------- d-----w- c:\documents and settings\All Users\Data aplikací\Office Genuine Advantage
2012-12-13 20:06 . 2012-12-14 14:09 0 ----a-w- c:\windows\system32\TempWmicBatchFile.bat
2012-12-12 19:56 . 2012-12-12 19:56 -------- d-----w- c:\documents and settings\LocalService\Data aplikací\GeekBuddyRSP
2012-12-12 19:54 . 2012-12-12 19:54 -------- d-----w- c:\program files\Common Files\Comodo
2012-12-10 17:09 . 2012-12-10 17:09 -------- d-----w- c:\documents and settings\Lubo?
2012-12-09 19:57 . 2012-12-09 19:57 -------- d-----w- c:\program files\trend micro
2012-12-09 10:55 . 2012-12-12 19:55 -------- d-----w- c:\documents and settings\All Users\Data aplikací\CPA_VA
2012-12-09 08:36 . 2012-12-12 19:47 -------- d-----w- c:\documents and settings\All Users\Data aplikací\Comodo
2012-12-09 08:35 . 2012-12-12 19:57 -------- d-----w- c:\program files\COMODO
2012-12-08 08:24 . 2012-12-08 08:24 -------- d-----w- c:\documents and settings\Luboš\Data aplikací\ElevatedDiagnostics
2012-12-04 08:41 . 2012-12-04 08:41 36112 ----a-w- c:\windows\system32\drivers\CFRMD.sys
2012-11-25 14:09 . 2012-11-25 14:09 -------- d-----w- c:\program files\Galactic Gaming Guild
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-12-12 21:14 . 2012-03-31 18:37 697272 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-12-12 21:14 . 2011-05-21 16:41 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-12-04 08:41 . 2012-12-04 08:41 36112 ----a-w- c:\windows\inf\CFRMD\cfrmd.sys
2012-11-13 11:56 . 2008-04-14 05:45 1875456 ----a-w- c:\windows\system32\win32k.sys
2012-11-08 18:00 . 2009-05-10 13:59 6812136 ----a-w- c:\documents and settings\All Users\Data aplikací\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll
2012-11-07 23:38 . 2012-03-11 20:13 99080 ----a-w- c:\windows\system32\drivers\inspect.sys
2012-11-07 23:38 . 2012-03-11 20:13 32640 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
2012-11-07 23:38 . 2012-03-11 20:13 497952 ----a-w- c:\windows\system32\drivers\cmdGuard.sys
2012-11-07 23:38 . 2012-03-11 20:13 18096 ----a-w- c:\windows\system32\drivers\cmderd.sys
2012-11-07 23:37 . 2012-03-11 20:13 34024 ----a-w- c:\windows\system32\cmdcsr.dll
2012-11-07 23:37 . 2012-03-11 20:13 301264 ----a-w- c:\windows\system32\guard32.dll
2012-11-06 00:41 . 2008-04-14 06:37 290560 ----a-w- c:\windows\system32\atmfd.dll
2012-11-02 02:03 . 2008-04-14 06:51 375296 ----a-w- c:\windows\system32\dpnet.dll
2012-11-01 12:12 . 2008-07-28 21:25 43520 ----a-w- c:\windows\system32\licmgr10.dll
2012-11-01 12:12 . 2008-04-23 04:16 916992 ----a-w- c:\windows\system32\wininet.dll
2012-11-01 12:12 . 2008-04-23 04:16 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-11-01 00:35 . 2008-07-28 21:24 385024 ----a-w- c:\windows\system32\html.iec
2012-10-30 22:51 . 2011-06-05 07:55 738504 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2012-10-30 22:51 . 2009-09-13 15:48 35928 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2012-10-30 22:51 . 2009-09-13 15:48 54232 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2012-10-30 22:51 . 2009-09-13 15:48 361032 ----a-w- c:\windows\system32\drivers\aswSP.sys
2012-10-30 22:51 . 2009-09-13 15:48 97608 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2012-10-30 22:51 . 2009-09-13 15:48 89752 ----a-w- c:\windows\system32\drivers\aswmon.sys
2012-10-30 22:51 . 2009-09-13 15:48 25256 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2012-10-30 22:51 . 2009-09-13 15:48 21256 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2012-10-30 22:51 . 2010-11-13 08:36 41224 ----a-w- c:\windows\avastSS.scr
2012-10-30 22:50 . 2009-09-13 15:47 227648 ----a-w- c:\windows\system32\aswBoot.exe
2012-10-02 18:04 . 2008-04-14 06:52 58368 ----a-w- c:\windows\system32\synceng.dll
2012-09-29 17:54 . 2012-10-26 18:45 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-09-24 13:32 . 2012-06-23 08:48 477168 ----a-w- c:\windows\system32\npdeployJava1.dll
2012-09-24 13:32 . 2010-04-18 13:31 473072 ----a-w- c:\windows\system32\deployJava1.dll
2012-09-24 11:51 . 2012-10-17 16:21 73728 ----a-w- c:\windows\system32\javacpl.cpl
2012-10-28 13:35 . 2012-10-28 13:32 261600 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2008-08-15 19:42 . A23DF7213FE43F712F27A74DBCA5222B . 1593856 . . [2001.12.4414.700] . . c:\windows\system32\comres.dll
.
[-] 2008-08-15 . 12A799AD9415AE9C8ABCC5F75E9CF034 . 557056 . . [5.1.2600.5512] . . c:\windows\system32\winlogon.exe
.
[-] 2008-08-15 . CCB32D10C69A89822E9134C0C4894BE1 . 578560 . . [5.1.2600.5512] . . c:\windows\system32\user32.dll
.
[-] 2008-08-15 . F0C7CFFD1165068388311C793E32C4CC . 1482240 . . [6.00.2900.5512] . . c:\windows\explorer.exe
.
[-] 2008-04-14 . C2DCB09A1EA98F248DD9A5DE195B3DF3 . 277504 . . [5.1.2600.5512] . . c:\windows\regedit.exe
.
[-] 2008-08-15 . 94927BB89A6825C4A5952A2BF78F027B . 40960 . . [5.1.2600.5512] . . c:\windows\system32\ctfmon.exe
.
[-] 2008-07-28 . 1E603EA2A3FDBAE9E5B88A8CB3C03124 . 1571840 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
.
(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2012-10-30 22:50 121528 ----a-w- c:\program files\Alwil Software\Avast5\ashShell.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\documents and settings\Luboš\Data aplikací\Dropbox\bin\DropboxExt.13.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\documents and settings\Luboš\Data aplikací\Dropbox\bin\DropboxExt.13.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\documents and settings\Luboš\Data aplikací\Dropbox\bin\DropboxExt.13.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2008-04-10 16861184]
"True transparacy"="c:\program files\extra\True Transparency\TrueTransparency.exe" [2008-06-24 372224]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2009-06-17 55824]
"avast"="c:\program files\Alwil Software\Avast5\avastUI.exe" [2012-10-30 4297136]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-09-17 254896]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2012-11-07 6756048]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_2"="shell32" [X]
"nltide_3"="advpack.dll" [2009-03-08 128512]
.
c:\documents and settings\All Users\Nabídka Start\Programy\Po spuštění\
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2010-10-16 813584]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2009-07-20 10:28 72208 ----a-w- c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\guard32.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk /r \??\g:\0autocheck autochk /p \??\G:\0autocheck autochk *
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
"ctfmon.exe"=c:\windows\system32\ctfmon.exe
"Seznam Postak"="c:\program files\Seznam.cz\postak.exe" -s
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" -autorun
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe"
"VisualTaskTips"=c:\program files\VisualTaskTips\VisualTaskTips.exe
"TransBar"=c:\program files\extra\TransBar\TransBar.exe /S
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
"ViOrb"=c:\program files\extra\ViOrb\ViOrb.exe
"NeroFilterCheck"=c:\program files\Common Files\Nero\Lib\NeroCheck.exe
"Philips Device Listener"="c:\program files\Philips\Philips Songbird Resources\Autolauncher\PhilipsDeviceListener.exe"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\ICQ6.5\\ICQ.exe"=
"c:\\Program Files\\Nero\\Nero8\\Nero Home\\NeroHome.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"c:\\Program Files\\Nokia\\Nokia Software Updater\\nsu_ui_client.exe"=
"c:\\Program Files\\Common Files\\Nokia\\Service Layer\\A\\nsl_host_process.exe"=
"c:\\Program Files\\SEGA\\Beijing 2008\\Beijing.exe"=
"c:\\Program Files\\TmNationsForever\\TmForever.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Program Files\\Ubisoft\\Related Designs\\ANNO 1404\\Anno4.exe"=
"c:\\Program Files\\Ubisoft\\Related Designs\\ANNO 1404\\tools\\Anno4Web.exe"=
"c:\\Program Files\\Ubisoft\\Related Designs\\ANNO 1404\\Addon.exe"=
"c:\\Program Files\\Ubisoft\\Related Designs\\ANNO 1404\\tools\\AddonWeb.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Disney Interactive Studios\\Split Second\\SplitSecond.exe"=
"c:\\Program Files\\2K Games\\Firaxis Games\\Sid Meier's Civilization 4 Complete\\Civilization4.exe"=
"c:\\Program Files\\2K Games\\Firaxis Games\\Sid Meier's Civilization 4 Complete\\Warlords\\Civ4Warlords.exe"=
"c:\\Program Files\\2K Games\\Firaxis Games\\Sid Meier's Civilization 4 Complete\\Beyond the Sword\\Civ4BeyondSword.exe"=
"c:\\Documents and Settings\\Luboš\\Data aplikací\\Dropbox\\bin\\Dropbox.exe"=
"c:\\Program Files\\Dreamlords\\dreamlords.exe"=
"c:\\Program Files\\FlashGet Network\\FlashGet 3\\FlashGet3.exe"=
"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
"c:\\WINDOWS\\system32\\javaw.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\football manager 2011\\fm.exe"=
"c:\\Program Files\\Origin Games\\FIFA 13 Demo\\Game\\fifa13_demo.exe"=
"g:\\Program Files\\KONAMI\\Pro Evolution Soccer 2011\\pes2011.exe"=
"c:\program files\Common Files\Comodo\GeekBuddyRSP.exe"= c:\program files\Common Files\Comodo\GeekBuddyRSP.exe:127.0.0.1/255.255.255.255:Enabled:GeekBuddy RSP
.
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [10.5.2009 15:02 691696]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [5.6.2011 8:55 738504]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [13.9.2009 16:48 361032]
R1 CFRMD;CFRMD;c:\windows\system32\drivers\CFRMD.sys [4.12.2012 9:41 36112]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdGuard.sys [11.3.2012 21:13 497952]
R1 mdf15;mdf15;c:\program files\Clarus\Samsung SecretZone\mdf15.sys [19.3.2010 21:48 12800]
R1 mvd20;mvd20;c:\program files\Clarus\Samsung SecretZone\mvd20.sys [19.3.2010 21:48 64000]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [13.9.2009 16:48 21256]
R2 CLPSLauncher;COMODO LPS Launcher;c:\program files\Common Files\Comodo\launcher_service.exe [1.11.2012 8:52 70352]
R2 GeekBuddyRSP;GeekBuddy Remote Screen Protocol;c:\program files\Common Files\Comodo\GeekBuddyRSP.exe [31.10.2012 15:46 1467088]
R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [16.10.2010 11:47 10384]
R2 LGScsiCommandService;LG SCSI command service;c:\windows\system32\LGScsiCommandService.exe [25.12.2010 12:38 47616]
R2 TuneUp.UtilitiesSvc;TuneUp Utilities Service;c:\program files\TuneUp Utilities 2012\TuneUpUtilitiesService32.exe [14.12.2011 12:47 1514304]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [3.11.2006 15:49 13592]
R3 AtcL001;NDIS Miniport Driver for Atheros L1 Gigabit Ethernet Controller;c:\windows\system32\drivers\l151x86.sys [10.5.2009 15:50 36864]
R3 LgBttPort;LGE Bluetooth TransPort;c:\windows\system32\drivers\lgbtport.sys [29.9.2009 8:11 12160]
R3 lgbusenum;LG Bluetooth Bus Enumerator;c:\windows\system32\drivers\lgbtbus.sys [29.9.2009 8:11 10496]
R3 LGVMODEM;LGE Virtual Modem;c:\windows\system32\drivers\lgvmodem.sys [29.9.2009 8:11 12928]
R3 TuneUpUtilitiesDrv;TuneUpUtilitiesDrv;c:\program files\TuneUp Utilities 2012\TuneUpUtilitiesDriver32.sys [22.9.2011 13:08 10064]
S2 MSR Service;Virtual Disk Service Manager;c:\program files\Clarus\Samsung SecretZone\MSSvc.exe [19.3.2010 21:48 114688]
S4 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [11.3.2012 21:13 32640]
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{D58F39FF-953E-4F45-898F-59F243B9A523}]
2009-03-08 02:32 128512 ----a-w- c:\windows\system32\advpack.dll
.
Obsah adresáře 'Naplánované úlohy'
.
2012-12-14 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-03-31 21:14]
.
2012-12-14 c:\windows\Tasks\avast! Emergency Update.job
- c:\program files\Alwil Software\Avast5\AvastEmUpdate.exe [2012-07-02 22:50]
.
2012-12-14 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 14:50]
.
.
------- Doplňkový sken -------
.
uStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = hxxp://java.sun.com/j2se/downloads.html
IE: ????3??
IE: ????3??????
IE: Download all by FlashGet3 - c:\documents and settings\Luboš\Data aplikací\FlashGetBHO\GetAllUrl.htm
IE: Download by FlashGet3 - c:\documents and settings\Luboš\Data aplikací\FlashGetBHO\GetUrl.htm
IE: E&xportovat do aplikace Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Stahnou vse FlashGet3 - c:\documents and settings\Luboš\Data aplikací\FlashGetBHO\GetAllUrl.htm
IE: Stahnout FlashGet3 - c:\documents and settings\Luboš\Data aplikací\FlashGetBHO\GetUrl.htm
IE: ????3?? - c:\documents and settings\Luboš\Data aplikací\FlashGetBHO\GetUrl.htm
IE: ????3?????? - c:\documents and settings\Luboš\Data aplikací\FlashGetBHO\GetAllUrl.htm
IE: {{0E46D7B6-887D-4F81-B4CA-FCC92AF73610} - {0E46D7B6-887D-4F81-B4CA-FCC92AF73610} -
TCP: DhcpNameServer = 10.0.0.138
FF - ProfilePath - c:\documents and settings\Luboš\Data aplikací\Mozilla\Firefox\Profiles\qx3s0uar.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.facebook.com/
FF - ExtSQL: 2012-10-17 18:21; {CAFEEFAC-0016-0000-0037-ABCDEFFEDCBA}; c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0037-ABCDEFFEDCBA}
FF - ExtSQL: !HIDDEN! 2009-09-02 07:20; {20a82645-c095-46ed-80e3-08825760534b}; c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: nglayout.initialpaint.delay - 600
FF - user.js: content.notify.interval - 600000
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.switch.threshold - 600000
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-12-14 15:57
Windows 5.1.2600 Service Pack 3 NTFS
.
detected NTDLL code modification:
ZwClose
.
skenování skrytých procesů ...
.
skenování skrytých položek 'Po spuštění' ...
.
skenování skrytých souborů ...
.
sken byl úspešně dokončen
skryté soubory: 0
.
**************************************************************************
.
--------------------- ZAMKNUTÉ KLÍČE V REGISTRU ---------------------
.
[HKEY_USERS\S-1-5-21-1229272821-73586283-1801674531-1003\Software\Microsoft\Internet Explorer\MenuExt\O(uë_fŹ3*
N}Ź]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
@="c:\\Documents and Settings\\Luboš\\Data aplikací\\FlashGetBHO\\GetUrl.htm"
"contexts"=dword:00000022
.
[HKEY_USERS\S-1-5-21-1229272821-73586283-1801674531-1003\Software\Microsoft\Internet Explorer\MenuExt\O(uë_fŹ3*
N}ŹhQčţ”Ąc]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
@="c:\\Documents and Settings\\Luboš\\Data aplikací\\FlashGetBHO\\GetAllUrl.htm"
"contexts"=dword:000000f3
.
[HKEY_USERS\S-1-5-21-1229272821-73586283-1801674531-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"??"=hex:20,85,08,e4,4c,58,8e,73,7a,e0,a1,99,79,91,f1,09,0b,ab,99,58,df,5a,3e,
3c,cf,2b,38,ef,19,de,7c,d2,d9,56,9d,44,3a,9d,af,84,c3,4f,e8,91,f4,d2,9d,1c,\
"??"=hex:f4,94,0f,7b,d0,75,4d,60,81,7e,15,98,67,64,de,0f
.
[HKEY_USERS\S-1-5-21-1229272821-73586283-1801674531-1003\Software\SecuROM\License information*]
"datasecu"=hex:a4,a9,14,e3,cd,8b,e5,e7,f7,10,9b,5f,ba,a2,70,7c,6e,7d,b2,cb,68,
23,60,17,30,db,07,bc,51,17,11,d1,53,2f,85,9e,42,a7,ba,6e,48,34,af,cd,2b,05,\
"rkeysecu"=hex:2b,30,d7,2e,fb,0c,9c,0f,fb,58,0f,f4,d8,61,59,2d
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\WPAEvents]
@Denied: (Full) (LocalSystem)
"OOBETimer"=hex:ff,d5,71,d6,8b,6a,8d,6f,d5,33,93,fd
.
--------------------- Knihovny navázané na běžící procesy ---------------------
.
- - - - - - - > 'winlogon.exe'(1112)
c:\windows\system32\SETUPAPI.dll
c:\windows\system32\guard32.dll
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\atiadlxx.dll
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
c:\program files\common files\logishrd\bluetooth\LBTServ.dll
c:\windows\system32\COMRes.dll
c:\windows\system32\cscui.dll
.
- - - - - - - > 'lsass.exe'(1216)
c:\windows\system32\MPR.dll
c:\windows\system32\guard32.dll
c:\windows\system32\setupapi.dll
.
- - - - - - - > 'explorer.exe'(1092)
c:\windows\system32\SHDOCVW.dll
c:\windows\system32\guard32.dll
c:\program files\Logitech\SetPoint\lgscroll.dll
c:\windows\system32\COMRes.dll
c:\windows\system32\msi.dll
c:\documents and settings\Luboš\Data aplikací\Dropbox\bin\DropboxExt.13.dll
c:\windows\System32\cscui.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\SETUPAPI.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\NETSHELL.dll
c:\windows\system32\credui.dll
c:\windows\system32\MSVCP60.dll
c:\windows\system32\MPR.dll
.
- - - - - - - > 'csrss.exe'(992)
c:\windows\system32\cmdcsr.dll
.
Celkový čas: 2012-12-14 16:01:18
ComboFix-quarantined-files.txt 2012-12-14 15:01
ComboFix2.txt 2012-12-13 20:14
ComboFix3.txt 2012-12-13 16:13
.
Před spuštěním: Volných bajtů: 10 860 359 680
Po spuštění: Volných bajtů: 10 836 754 432
.
- - End Of File - - 0F2390D355E61607CD15A5C18776F642

[Porqueroll]

VirusTotal scan na calc.exe stary:
https://www.virustotal.com/file/99e3bb5 ... 355497541/

[Porqueroll]

A konečně log z Anti-Malware:

Malwarebytes Anti-Malware 1.65.1.1000
www.malwarebytes.org

Verze databáze: v2012.12.14.07

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Luboš :: LUBOS [administrátor]

14.12.2012 16:09:26
mbam-log-2012-12-14 (16-09-26).txt

Typ: Rychlá kontrola
Nastavení kontroly povoleno: Paměť | Po spuštění | Registr | Systémové soubory | Heuristická analýza Extra | Heuristická analýza Shuriken | PUP | PUM
Nastavení kontroly zakázáno: P2P
Kontrolované objekty: 243035
Uplynulý čas: 5 minut, 2 sekund

Nalezené procesy v paměti: 0
(Žádné škodlivé položky nebyly zjištěny)

Nalezené moduly v paměti: 0
(Žádné škodlivé položky nebyly zjištěny)

Nalezené klíče v registru: 0
(Žádné škodlivé položky nebyly zjištěny)

Nalezené hodnoty v registru: 0
(Žádné škodlivé položky nebyly zjištěny)

Nalezené datové položky v registru: 0
(Žádné škodlivé položky nebyly zjištěny)

Nalezené složky: 0
(Žádné škodlivé položky nebyly zjištěny)

Nalezené soubory: 0
(Žádné škodlivé položky nebyly zjištěny)

(konec)

[stell]

FINIS.
1:Otvorte Notepad (Poznámkový blok) a skopíruj do neho text.
2:Potom klikneme na záložku Súbor v menu Uložiť ako.. ..
3:Ako je Názov súboru, tak do toho riadku napíšeme:sesion.reg
4:Typ súboru tak tam vyberiete všetky súbory
5:A uložíme ho na plochu.
6:2 x klikneme naň,povolíme zápis do registra,reštartujeme počítač.

Kód: Vybrat vše

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager]
"BootExecute"=hex(7):61,00,75,00,74,00,6f,00,63,00,68,00,65,00,63,00,6b,00,20,\
  00,61,00,75,00,74,00,6f,00,63,00,68,00,6b,00,20,00,2a,00,00,00,00,00

2:stiahnes na plochu a spustis
http://download.bleepingcomputer.com/sUBs/CF_UNINST.EXE
Toto odinstaluje combofix.

3:Stiahnes na plochu program OTL
http://oldtimer.geekstogo.com/OTL.exe
:Nastavenie necháme tak ako je, dole do okna vložte tento skript.

Kód: Vybrat vše

:Files
ipconfig /flushdns /c
:Commands
[resethosts]
[emptytemp]
[clearallrestorepoints]
 

A kliknete na gombík OPRAVIŤ.
log vloz sem

[Porqueroll]

Spustil jsem CF_UNINST.exe, dostal se až do fáze Done!, to jsem odklikl Ok, ale pak zamrzl explorer, takže jsem po delší době rebootoval PC...ComboFix zůstal na ploše a když jsem Uninst pustil znova, tak hned napsal Done! a opakovalo se předchozí.

[stell]

To je ok, zmaz ikonu combofixu a pokracuj dalej.

[Porqueroll]

Provedl jsem opravu OTLem, ale log nemám, protože nemám notepad.

[stell]

nemám notepad.

ale, ak to ze nemas??spust start, hladat. notepad, a napis ze co nasiel.
A skus skor napisat, pretoZe tebe to vsetko trva prilis dlho.

[Porqueroll]

Pokaždý, když nějakej program vytvářel log, tak se objevila hláška, že nemůže najít dll knihovnu. Já jsem pak log dohledal a pustil ho ve WordPadu..

[stell]

To moze byt v assoc suborov.
spust systemlook a napis tam.

Kód: Vybrat vše

:filefind
notepad

klik look a log vloz sem.

[Porqueroll]

Je to vADVAP32.dll

Log je ve WordPadu/PSPadu stěží čitelný a nekopírovatelný, ale odpověď na Searching for 'notepad' je No files found. Nedá se ten log OTLu někde najít?

[stell]

Stiahni a spust,
http://download.bleepingcomputer.com/grinler/rkill.com
log vloz sem, a restart.

[Porqueroll]

Rkill 2.4.5 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2012 BleepingComputer.com
More Information about Rkill can be found at this link:
http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 12/14/2012 06:21:13 PM in x86 mode.
Windows Version: Microsoft Windows XP Service Pack 3

Checking for Windows services to stop:

* No malware services found to stop.

Checking for processes to terminate:

* C:\WINDOWS\system32\LGScsiCommandService.exe (PID: 1732) [WD-HEUR]
* C:\WINDOWS\system32\IoctlSvc.exe (PID: 2452) [WD-HEUR]
* C:\WINDOWS\system32\UAService7.exe (PID: 2876) [WD-HEUR]

3 proccesses terminated!

Possibly Patched Files.

* C:\WINDOWS\system32\ctfmon.exe

Checking Registry for malware related settings:

* No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

* No issues found.

Checking Windows Service Integrity:

* RpcSs => %SystemRoot%\system32\svchost.exe -k rpcss [Incorrect ImagePath]

Searching for Missing Digital Signatures:

* C:\WINDOWS\System32\clipsrv.exe [NoSig]

* C:\WINDOWS\System32\comres.dll [NoSig]

* C:\WINDOWS\System32\ctfmon.exe [NoSig]

* C:\WINDOWS\System32\setupapi.dll [NoSig]

* C:\WINDOWS\System32\sfcfiles.dll [NoSig]

* C:\WINDOWS\System32\user32.dll [NoSig]

* C:\WINDOWS\System32\UxTheme.dll [NoSig]

* C:\WINDOWS\System32\winlogon.exe [NoSig]

* C:\WINDOWS\explorer.exe [NoSig]

Checking HOSTS File:

* HOSTS file entries found:

ÿþ1

[stell]

Stiahni na plochu
http://www.sur-la-toile.com/RogueKiller/RogueKiller.exe
Vyberte položku Prehľadať a potom Zmazať a následne Sprava - otvorí sa log.
Potom kliknete na Oprava Host a Sprava - otvorí sa log.
Potom kliknete na Oprava Proxy a Sprava - otvorí sa log,

Pomackaj vsetky moznosti rogueKiller, a logy vloz sem.