WIN32/Bubnix.AB

Zpráva

Pirkin07 · #1 Příspěvek od **Pirkin07** » 21 dub 2010 08:16

Poprosím o radu. NOD32 mi hlási tento trojan na viacerých súboroch v adresári windows\system32\drivers\

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:07:33, on 21.4.2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\sistray.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\PDF-XChangeSDKEU\PDFSaver.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\totalcmd\TOTALCMD.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\internet explorer\iexplore.exe
E:\HiJackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://podatelna.socpoist.sk/ezu.jsp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.0.1:3128
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\System32\sistray.EXE
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [PDFSaver] C:\Program Files\PDF-XChangeSDKEU\PDFSaver.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: winesm32.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xportovat do aplikace Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {127698E4-E730-4E5C-A2B1-21490A70C8A1} (CEnroll Class) - https://eportal.apollo.sk/dll/xenroll.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 2158606448
O16 - DPF: {A996E48C-D3DC-4244-89F7-AFA33EC60679} (Settings Class) - https://eportal.apollo.sk/dll/capicom.cab
O16 - DPF: {CF2BD3ED-F1CE-11D4-9B98-005004CA7085} (crypto Class) - https://eportal.apollo.sk/dll/SignForm.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{24ED62AC-F699-47A5-AF25-C849D97623CF}: NameServer = 195.146.128.60,195.146.132.59
O17 - HKLM\System\CCS\Services\Tcpip\..\{6C87B449-B37B-443F-990F-ED0E0183ABD7}: NameServer = 195.146.128.60,195.146.132.59
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 4779 bytes

#2 Příspěvek od **JaRon** » 21 dub 2010 08:27

O4 - Startup: winesm32.exe
bud najdi a ZMAZ uvedeny subor, alebo vloz log RSIT

Pirkin07 · #3 Příspěvek od **Pirkin07** » 21 dub 2010 08:55

JaRon píše:O4 - Startup: winesm32.exe
bud najdi a ZMAZ uvedeny subor, alebo vloz log RSIT

uvedený súbor mi nejde zmazať .

Logfile of random's system information tool 1.06 (written by random/random)
Run by Administrator at 2010-04-21 09:55:04
Systém Microsoft Windows XP Professional Service Pack 2
System drive C: has 12 GB (58%) free of 20 GB
Total RAM: 1919 MB (75% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:55:11, on 21.4.2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\sistray.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\PDF-XChangeSDKEU\PDFSaver.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\totalcmd\TOTALCMD.EXE
C:\WINDOWS\System32\svchost.exe
E:\HiJackThis.exe
C:\Program Files\internet explorer\iexplore.exe
E:\RSIT.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
E:\Administrator.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://podatelna.socpoist.sk/ezu.jsp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.0.1:3128
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\System32\sistray.EXE
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [PDFSaver] C:\Program Files\PDF-XChangeSDKEU\PDFSaver.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: winesm32.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xportovat do aplikace Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {127698E4-E730-4E5C-A2B1-21490A70C8A1} (CEnroll Class) - https://eportal.apollo.sk/dll/xenroll.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 2158606448
O16 - DPF: {A996E48C-D3DC-4244-89F7-AFA33EC60679} (Settings Class) - https://eportal.apollo.sk/dll/capicom.cab
O16 - DPF: {CF2BD3ED-F1CE-11D4-9B98-005004CA7085} (crypto Class) - https://eportal.apollo.sk/dll/SignForm.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{24ED62AC-F699-47A5-AF25-C849D97623CF}: NameServer = 195.146.128.60,195.146.132.59
O17 - HKLM\System\CCS\Services\Tcpip\..\{6C87B449-B37B-443F-990F-ED0E0183ABD7}: NameServer = 195.146.128.60,195.146.132.59
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 4724 bytes

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
AcroIEHlprObj Class - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2005-09-24 63136]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
Spybot-S&D IE Protection - C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2008-09-15 1562960]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SiS Tray"=C:\WINDOWS\System32\sistray.EXE [2002-05-09 303104]
"SiSUSBRG"=C:\WINDOWS\SiSUSBrg.exe [2002-07-12 106496]
"NvCplDaemon"=C:\WINDOWS\system32\NvCpl.dll [2006-07-13 7626752]
"nwiz"=nwiz.exe /install []
"NvMediaCenter"=C:\WINDOWS\system32\NvMcTray.dll [2006-07-13 86016]
"egui"=C:\Program Files\ESET\ESET Smart Security\egui.exe [2009-10-07 1461080]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"PDFSaver"=C:\Program Files\PDF-XChangeSDKEU\PDFSaver.exe [2003-02-21 61440]
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe [2008-09-16 1833296]

C:\Documents and Settings\All Users\Nabídka Start\Programy\Po spuštění
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

C:\Documents and Settings\Administrator\Nabídka Start\Programy\Po spuštění
winesm32.exe

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=323
"NoDriveAutoRun"=67108863
"NoDrives"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveAutoRun"=
"NoDriveTypeAutoRun"=
"NoDrives"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

======List of files/folders created in the last 1 months======

2010-04-21 09:55:04 ----D---- C:\rsit
2010-04-21 09:01:50 ----A---- C:\avenger.txt
2010-04-21 07:25:34 ----D---- C:\Avenger
2010-04-21 07:04:32 ----D---- C:\WINDOWS\temp
2010-04-21 07:04:31 ----A---- C:\ComboFix.txt
2010-04-21 07:00:05 ----A---- C:\WINDOWS\zip.exe
2010-04-21 07:00:05 ----A---- C:\WINDOWS\SWXCACLS.exe
2010-04-21 07:00:05 ----A---- C:\WINDOWS\SWSC.exe
2010-04-21 07:00:05 ----A---- C:\WINDOWS\SWREG.exe
2010-04-21 07:00:05 ----A---- C:\WINDOWS\sed.exe
2010-04-21 07:00:05 ----A---- C:\WINDOWS\PEV.exe
2010-04-21 07:00:05 ----A---- C:\WINDOWS\NIRCMD.exe
2010-04-21 07:00:05 ----A---- C:\WINDOWS\MBR.exe
2010-04-21 07:00:05 ----A---- C:\WINDOWS\grep.exe
2010-04-21 07:00:01 ----D---- C:\WINDOWS\ERDNT
2010-04-21 06:58:56 ----D---- C:\Qoobox
2010-03-26 14:19:25 ----A---- C:\WINDOWS\system32\POS.dll
2010-03-26 14:19:22 ----A---- C:\WINDOWS\system32\ECR.dll
2010-03-26 14:19:22 ----A---- C:\WINDOWS\system32\CommTX.dll
2010-03-26 14:19:22 ----A---- C:\WINDOWS\system32\Comm32.dll

======List of files/folders modified in the last 1 months======

2010-04-21 09:46:14 ----A---- C:\WINDOWS\wincmd.ini
2010-04-21 09:01:32 ----A---- C:\WINDOWS\SchedLgU.Txt
2010-04-21 07:25:06 ----A---- C:\WINDOWS\ntbtlog.txt
2010-04-21 07:03:42 ----A---- C:\WINDOWS\system.ini
2010-04-20 13:33:20 ----A---- C:\WINDOWS\ODBC.INI

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 easdrv;easdrv; C:\WINDOWS\System32\DRIVERS\easdrv.sys [2009-10-07 54184]
R1 epfwtdi;epfwtdi; C:\WINDOWS\System32\DRIVERS\epfwtdi.sys [2009-10-07 55256]
R1 SiSkp;SiSkp; C:\WINDOWS\system32\drivers\srvkp.sys [2002-04-03 5760]
R1 WS2IFSL;Podpůrné prostředí zprostředkovatele služeb Windows Socket 2.0 bez podpory IFS; C:\WINDOWS\System32\drivers\ws2ifsl.sys [2001-10-25 12032]
R2 eamon;EAMON; C:\WINDOWS\System32\DRIVERS\eamon.sys [2009-10-07 40824]
R2 epfw;epfw; C:\WINDOWS\System32\DRIVERS\epfw.sys [2009-10-07 73760]
R2 NwlnkIpx;Transportní protokol kompatibilní s NWLink IPX/SPX/NetBIOS; C:\WINDOWS\System32\DRIVERS\nwlnkipx.sys [2004-08-03 88448]
R2 NwlnkNb;Služba NWLink pro rozhraní NetBIOS; C:\WINDOWS\System32\DRIVERS\nwlnknb.sys [2001-10-25 63232]
R2 NwlnkSpx;Protokol NWLink SPX/SPXII; C:\WINDOWS\System32\DRIVERS\nwlnkspx.sys [2001-10-25 55936]
R3 AtcL001;NDIS Miniport Driver for Attansic L1 Gigabit Ethernet Controller; C:\WINDOWS\system32\DRIVERS\atl01_xp.sys [2007-01-24 38656]
R3 Epfwndis;Eset Personal Firewall; C:\WINDOWS\System32\DRIVERS\Epfwndis.sys [2009-10-07 32072]
R3 HidUsb;Ovladač třídy standardu HID; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2001-08-17 9600]
R3 mouhid;Ovladač myši standardu HID; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-10-24 12160]
R3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2006-07-13 3934592]
R3 usbehci;Ovladač miniportu rozšířeného radiče hostitele Microsoft USB 2.0; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2004-08-03 26624]
R3 usbhub;Rozbočovač umožnující USB2; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2004-08-03 57600]
R3 usbohci;Ovladač Miniport otevřeného hostitelského řadiče Microsoft USB; C:\WINDOWS\system32\DRIVERS\usbohci.sys [2004-08-03 17024]
R3 USBSTOR;Ovladač velkokapacitního paměťového zařízení USB; C:\WINDOWS\System32\DRIVERS\USBSTOR.SYS [2004-08-03 26496]
S1 AmdK7;Ovladač procesoru AMD K7; C:\WINDOWS\system32\DRIVERS\amdk7.sys [2004-08-17 41216]
S1 SiSV;SiSV; C:\WINDOWS\System32\DRIVERS\SiSV.sys [2001-08-17 50432]
S3 catchme;catchme; \??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\catchme.sys []
S3 ms_mpu401;Microsoft MPU-401 MIDI UART Driver; C:\WINDOWS\system32\drivers\msmpu401.sys [2001-08-17 2944]
S3 rtl8029;Realtek RTL8029(AS)-based PCI Ethernet Adapter NT Driver; C:\WINDOWS\System32\DRIVERS\RTL8029.SYS [2001-08-17 19017]
S3 SiS300i;SiS300i; C:\WINDOWS\System32\DRIVERS\sis300ip.sys [2001-08-17 101760]
S3 SiS315;SiS315; C:\WINDOWS\System32\DRIVERS\sisgrp.sys [2002-08-29 219648]
S3 SISNIC;SiS PCI Fast Ethernet Adapter Driver; C:\WINDOWS\System32\DRIVERS\sisnic.sys [2004-08-03 32768]
S3 SiSV6306;SiSV6306; C:\WINDOWS\System32\DRIVERS\SiS6306p.sys [2001-08-17 68608]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []
S4 sr;Ovladač filtru Obnovy systému; C:\WINDOWS\system32\DRIVERS\sr.sys [2004-08-17 73344]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 ekrn;Eset Service; C:\Program Files\ESET\ESET Smart Security\ekrn.exe [2009-10-07 472280]
R2 MSSQL$SQLEXPRESS;SQL Server (SQLEXPRESS); c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2007-02-10 29178224]
R2 NVSvc;NVIDIA Display Driver Service; C:\WINDOWS\system32\nvsvc32.exe [2006-07-13 155715]
R2 SQLWriter;SQL Server VSS Writer; c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe [2007-02-10 89968]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2005-09-23 29896]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2005-09-23 66240]
S3 EhttpSrv;Eset HTTP Server; C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe [2009-10-07 20680]
S4 MSSQLServerADHelper;SQL Server Active Directory Helper; c:\Program Files\Microsoft SQL Server\90\Shared\sqladhlp90.exe [2005-10-14 45272]
S4 SQLBrowser;SQL Server Browser; c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe [2007-02-10 242544]

-----------------EOF-----------------

#4 Příspěvek od **JaRon** » 21 dub 2010 08:57

aj som si myslel

pouzi Avenger - jeho script:
Files to delete:
C:\Documents and Settings\Administrator\Nabídka Start\Programy\Po spuštění\winesm32.exe

Pirkin07 · #5 Příspěvek od **Pirkin07** » 21 dub 2010 09:51

JaRon píše:aj som si myslel
pouzi Avenger - jeho script:
Files to delete:
C:\Documents and Settings\Administrator\Nabídka Start\Programy\Po spuštění\winesm32.exe

OK, súbor sa zmazal, ale NOD32 stále hlási koňa Bubnix.AB
ešte raz posielam výpis:

Logfile of random's system information tool 1.06 (written by random/random)
Run by Administrator at 2010-04-21 10:51:02
Systém Microsoft Windows XP Professional Service Pack 2
System drive C: has 12 GB (58%) free of 20 GB
Total RAM: 1919 MB (77% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:51:15, on 21.4.2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\WINDOWS\system32\nvsvc32.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\sistray.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\PDF-XChangeSDKEU\PDFSaver.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\internet explorer\iexplore.exe
C:\totalcmd\TOTALCMD.EXE
E:\RSIT.exe
E:\Administrator.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://podatelna.socpoist.sk/ezu.jsp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.0.1:3128
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\System32\sistray.EXE
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [PDFSaver] C:\Program Files\PDF-XChangeSDKEU\PDFSaver.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xportovat do aplikace Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {127698E4-E730-4E5C-A2B1-21490A70C8A1} (CEnroll Class) - https://eportal.apollo.sk/dll/xenroll.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 2158606448
O16 - DPF: {A996E48C-D3DC-4244-89F7-AFA33EC60679} (Settings Class) - https://eportal.apollo.sk/dll/capicom.cab
O16 - DPF: {CF2BD3ED-F1CE-11D4-9B98-005004CA7085} (crypto Class) - https://eportal.apollo.sk/dll/SignForm.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{24ED62AC-F699-47A5-AF25-C849D97623CF}: NameServer = 195.146.128.60,195.146.132.59
O17 - HKLM\System\CCS\Services\Tcpip\..\{6C87B449-B37B-443F-990F-ED0E0183ABD7}: NameServer = 195.146.128.60,195.146.132.59
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 4499 bytes

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
AcroIEHlprObj Class - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2005-09-24 63136]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
Spybot-S&D IE Protection - C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2008-09-15 1562960]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SiS Tray"=C:\WINDOWS\System32\sistray.EXE [2002-05-09 303104]
"SiSUSBRG"=C:\WINDOWS\SiSUSBrg.exe [2002-07-12 106496]
"NvCplDaemon"=C:\WINDOWS\system32\NvCpl.dll [2006-07-13 7626752]
"nwiz"=nwiz.exe /install []
"NvMediaCenter"=C:\WINDOWS\system32\NvMcTray.dll [2006-07-13 86016]
"egui"=C:\Program Files\ESET\ESET Smart Security\egui.exe [2009-10-07 1461080]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"PDFSaver"=C:\Program Files\PDF-XChangeSDKEU\PDFSaver.exe [2003-02-21 61440]
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe [2008-09-16 1833296]

C:\Documents and Settings\All Users\Nabídka Start\Programy\Po spuštění
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=323
"NoDriveAutoRun"=67108863
"NoDrives"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveAutoRun"=
"NoDriveTypeAutoRun"=
"NoDrives"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

======List of files/folders created in the last 1 months======

2010-04-21 09:56:05 ----SHD---- C:\Recycled
2010-04-21 09:55:04 ----D---- C:\rsit
2010-04-21 09:01:50 ----A---- C:\avenger.txt
2010-04-21 07:25:34 ----D---- C:\Avenger
2010-04-21 07:04:32 ----D---- C:\WINDOWS\temp
2010-04-21 07:04:31 ----A---- C:\ComboFix.txt
2010-04-21 07:00:05 ----A---- C:\WINDOWS\zip.exe
2010-04-21 07:00:05 ----A---- C:\WINDOWS\SWXCACLS.exe
2010-04-21 07:00:05 ----A---- C:\WINDOWS\SWSC.exe
2010-04-21 07:00:05 ----A---- C:\WINDOWS\SWREG.exe
2010-04-21 07:00:05 ----A---- C:\WINDOWS\sed.exe
2010-04-21 07:00:05 ----A---- C:\WINDOWS\PEV.exe
2010-04-21 07:00:05 ----A---- C:\WINDOWS\NIRCMD.exe
2010-04-21 07:00:05 ----A---- C:\WINDOWS\MBR.exe
2010-04-21 07:00:05 ----A---- C:\WINDOWS\grep.exe
2010-04-21 07:00:01 ----D---- C:\WINDOWS\ERDNT
2010-04-21 06:58:56 ----D---- C:\Qoobox
2010-03-26 14:19:25 ----A---- C:\WINDOWS\system32\POS.dll
2010-03-26 14:19:22 ----A---- C:\WINDOWS\system32\ECR.dll
2010-03-26 14:19:22 ----A---- C:\WINDOWS\system32\CommTX.dll
2010-03-26 14:19:22 ----A---- C:\WINDOWS\system32\Comm32.dll

======List of files/folders modified in the last 1 months======

2010-04-21 10:51:00 ----A---- C:\WINDOWS\wincmd.ini
2010-04-21 10:45:12 ----A---- C:\WINDOWS\SchedLgU.Txt
2010-04-21 07:25:06 ----A---- C:\WINDOWS\ntbtlog.txt
2010-04-21 07:03:42 ----A---- C:\WINDOWS\system.ini
2010-04-20 13:33:20 ----A---- C:\WINDOWS\ODBC.INI

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 easdrv;easdrv; C:\WINDOWS\System32\DRIVERS\easdrv.sys [2009-10-07 54184]
R1 epfwtdi;epfwtdi; C:\WINDOWS\System32\DRIVERS\epfwtdi.sys [2009-10-07 55256]
R1 SiSkp;SiSkp; C:\WINDOWS\system32\drivers\srvkp.sys [2002-04-03 5760]
R1 WS2IFSL;Podpůrné prostředí zprostředkovatele služeb Windows Socket 2.0 bez podpory IFS; C:\WINDOWS\System32\drivers\ws2ifsl.sys [2001-10-25 12032]
R2 eamon;EAMON; C:\WINDOWS\System32\DRIVERS\eamon.sys [2009-10-07 40824]
R2 epfw;epfw; C:\WINDOWS\System32\DRIVERS\epfw.sys [2009-10-07 73760]
R2 NwlnkIpx;Transportní protokol kompatibilní s NWLink IPX/SPX/NetBIOS; C:\WINDOWS\System32\DRIVERS\nwlnkipx.sys [2004-08-03 88448]
R2 NwlnkNb;Služba NWLink pro rozhraní NetBIOS; C:\WINDOWS\System32\DRIVERS\nwlnknb.sys [2001-10-25 63232]
R2 NwlnkSpx;Protokol NWLink SPX/SPXII; C:\WINDOWS\System32\DRIVERS\nwlnkspx.sys [2001-10-25 55936]
R3 AtcL001;NDIS Miniport Driver for Attansic L1 Gigabit Ethernet Controller; C:\WINDOWS\system32\DRIVERS\atl01_xp.sys [2007-01-24 38656]
R3 Epfwndis;Eset Personal Firewall; C:\WINDOWS\System32\DRIVERS\Epfwndis.sys [2009-10-07 32072]
R3 HidUsb;Ovladač třídy standardu HID; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2001-08-17 9600]
R3 mouhid;Ovladač myši standardu HID; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-10-24 12160]
R3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2006-07-13 3934592]
R3 usbehci;Ovladač miniportu rozšířeného radiče hostitele Microsoft USB 2.0; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2004-08-03 26624]
R3 usbhub;Rozbočovač umožnující USB2; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2004-08-03 57600]
R3 usbohci;Ovladač Miniport otevřeného hostitelského řadiče Microsoft USB; C:\WINDOWS\system32\DRIVERS\usbohci.sys [2004-08-03 17024]
R3 USBSTOR;Ovladač velkokapacitního paměťového zařízení USB; C:\WINDOWS\System32\DRIVERS\USBSTOR.SYS [2004-08-03 26496]
S1 AmdK7;Ovladač procesoru AMD K7; C:\WINDOWS\system32\DRIVERS\amdk7.sys [2004-08-17 41216]
S1 SiSV;SiSV; C:\WINDOWS\System32\DRIVERS\SiSV.sys [2001-08-17 50432]
S3 catchme;catchme; \??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\catchme.sys []
S3 ms_mpu401;Microsoft MPU-401 MIDI UART Driver; C:\WINDOWS\system32\drivers\msmpu401.sys [2001-08-17 2944]
S3 rtl8029;Realtek RTL8029(AS)-based PCI Ethernet Adapter NT Driver; C:\WINDOWS\System32\DRIVERS\RTL8029.SYS [2001-08-17 19017]
S3 SiS300i;SiS300i; C:\WINDOWS\System32\DRIVERS\sis300ip.sys [2001-08-17 101760]
S3 SiS315;SiS315; C:\WINDOWS\System32\DRIVERS\sisgrp.sys [2002-08-29 219648]
S3 SISNIC;SiS PCI Fast Ethernet Adapter Driver; C:\WINDOWS\System32\DRIVERS\sisnic.sys [2004-08-03 32768]
S3 SiSV6306;SiSV6306; C:\WINDOWS\System32\DRIVERS\SiS6306p.sys [2001-08-17 68608]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []
S4 sr;Ovladač filtru Obnovy systému; C:\WINDOWS\system32\DRIVERS\sr.sys [2004-08-17 73344]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 ekrn;Eset Service; C:\Program Files\ESET\ESET Smart Security\ekrn.exe [2009-10-07 472280]
R2 MSSQL$SQLEXPRESS;SQL Server (SQLEXPRESS); c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2007-02-10 29178224]
R2 NVSvc;NVIDIA Display Driver Service; C:\WINDOWS\system32\nvsvc32.exe [2006-07-13 155715]
R2 SQLWriter;SQL Server VSS Writer; c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe [2007-02-10 89968]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2005-09-23 29896]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2005-09-23 66240]
S3 EhttpSrv;Eset HTTP Server; C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe [2009-10-07 20680]
S4 MSSQLServerADHelper;SQL Server Active Directory Helper; c:\Program Files\Microsoft SQL Server\90\Shared\sqladhlp90.exe [2005-10-14 45272]
S4 SQLBrowser;SQL Server Browser; c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe [2007-02-10 242544]

-----------------EOF-----------------

#6 Příspěvek od **JaRon** » 21 dub 2010 10:14

stiahni a uloz na plochu ComboFix

potom spust pod uctom s administratorskym opravnenim

akcia trva cca. 5-10 minut, niekedy i dlhsie -, Pocas scanu nespustaj ziadne ine aplikacie

Nie je dovod na paniku ak stroj bude restartovany
upozornenie: ak pouzivas antispyware s rezidentnim stitem, ten pred scanom vypni.

po restarte aplikacie vytvori log, ulozeny na C:\Combofix.txt (jeho obsah vloz sem)

Pirkin07 · #7 Příspěvek od **Pirkin07** » 21 dub 2010 12:16

JaRon píše:stiahni a uloz na plochu ComboFix

potom spust pod uctom s administratorskym opravnenim

akcia trva cca. 5-10 minut, niekedy i dlhsie -, Pocas scanu nespustaj ziadne ine aplikacie

Nie je dovod na paniku ak stroj bude restartovany
upozornenie: ak pouzivas antispyware s rezidentnim stitem, ten pred scanom vypni.

po restarte aplikacie vytvori log, ulozeny na C:\Combofix.txt (jeho obsah vloz sem)

NOD32 už nevypisuje nič, vyzerá to že je to OK.

ComboFix 10-04-20.01 - Administrator 21.04.2010 12:33:39.2.2 - FAT32x86
Systém Microsoft Windows XP Professional 5.1.2600.2.1250.421.1029.18.1919.1469 [GMT 2:00]
Running from: c:\documents and settings\Administrator\Plocha\ComboFix.exe
AV: ESET Smart Security 3.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET personal firewall *enabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}
* Resident AV is active

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2010-03-21 to 2010-04-21 )))))))))))))))))))))))))))))))
.

2010-04-21 07:55 . 2010-04-21 07:55 -------- d-----w- C:\rsit
2010-04-21 05:15 . 2010-04-21 05:20 697328 ----a-w- c:\windows\system32\drivers\sptd.sys
2010-04-16 04:43 . 2004-08-03 20:59 34688 ----a-w- c:\windows\system32\drivers\lbrtfdc.sys
2010-04-16 04:43 . 2004-08-03 20:59 34688 ----a-w- c:\windows\system32\dllcache\lbrtfdc.sys
2010-04-16 04:43 . 2001-08-17 18:50 50432 ----a-w- c:\windows\system32\drivers\sisv.sys
2010-04-16 04:43 . 2001-08-17 18:50 50432 ----a-w- c:\windows\system32\dllcache\sisv.sys
2010-04-16 04:43 . 2001-08-17 18:12 19017 ----a-w- c:\windows\system32\drivers\rtl8029.sys
2010-04-16 04:43 . 2001-08-17 18:12 19017 ----a-w- c:\windows\system32\dllcache\rtl8029.sys
2010-04-16 04:43 . 2004-08-03 21:00 8192 ----a-w- c:\windows\system32\drivers\i2omgmt.sys
2010-04-16 04:43 . 2004-08-03 21:00 8192 ----a-w- c:\windows\system32\dllcache\i2omgmt.sys
2010-04-16 04:43 . 2004-08-03 21:00 8192 ----a-w- c:\windows\system32\drivers\Changer.sys
2010-04-16 04:43 . 2004-08-03 21:00 8192 ----a-w- c:\windows\system32\dllcache\changer.sys
2010-03-26 12:19 . 2009-09-25 10:51 101816 ----a-w- c:\windows\system32\POS.dll
2010-03-26 12:19 . 2009-11-13 09:46 524288 ----a-w- c:\windows\system32\ECR.dll
2010-03-26 12:19 . 2009-11-11 13:35 270336 ----a-w- c:\windows\system32\Comm32.dll
2010-03-26 12:19 . 2008-07-01 07:43 43152 ----a-w- c:\windows\system32\CommTX.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-20 09:14 . 2009-05-12 06:16 46 ----a-w- c:\windows\system32\SP701ASM.dat
.

((((((((((((((((((((((((((((( SnapShot@2010-04-21_05.03.41 )))))))))))))))))))))))))))))))))))))))))
.
+ 2003-03-25 10:10 . 2001-12-26 11:52 27136 c:\windows\system32\dllcache\sisagp.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PDFSaver"="c:\program files\PDF-XChangeSDKEU\PDFSaver.exe" [2003-02-21 61440]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SiS Tray"="c:\windows\System32\sistray.EXE" [2002-05-09 303104]
"SiSUSBRG"="c:\windows\SiSUSBrg.exe" [2002-07-12 106496]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-07-13 7626752]
"nwiz"="nwiz.exe" [2006-07-13 1519616]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-07-13 86016]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2009-10-07 1461080]

c:\documents and settings\All Users\Nabˇdka Start\Programy\Po spuçtŘnˇ\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-24 29696]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" /background

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R2 ekrn;Eset Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [7.10.2009 9:16 472280]
R3 AtcL001;NDIS Miniport Driver for Attansic L1 Gigabit Ethernet Controller;c:\windows\system32\drivers\atl01_xp.sys [1.11.2008 21:10 38656]
S0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [21.4.2010 7:15 697328]
S1 SiSV;SiSV;c:\windows\system32\drivers\sisv.sys [16.4.2010 6:43 50432]
S3 SiSV6306;SiSV6306;c:\windows\system32\drivers\SiS6306p.sys [25.3.2003 11:40 68608]

--- Other Services/Drivers In Memory ---

*Deregistered* - kujefy
.
.
------- Supplementary Scan -------
.
uStart Page = https://podatelna.socpoist.sk/ezu.jsp
uInternet Settings,ProxyServer = 192.168.0.1:3128
uInternet Settings,ProxyOverride = <local>
IE: E&xportovat do aplikace Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
Trusted Zone: vszp.sk\portal
Trusted Zone: vszp.sk\www
TCP: {24ED62AC-F699-47A5-AF25-C849D97623CF} = 195.146.128.60,195.146.132.59
TCP: {6C87B449-B37B-443F-990F-ED0E0183ABD7} = 195.146.128.60,195.146.132.59
DPF: {CF2BD3ED-F1CE-11D4-9B98-005004CA7085} - hxxps://eportal.apollo.sk/dll/SignForm.dll
.
- - - - ORPHANS REMOVED - - - -

AddRemove-HijackThis - E:\HijackThis.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-21 12:36
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet007\Services\kujefy]

.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\TelnetServer\1.0\ReadConfig]
@DACL=(02 0000)
"Defaults"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2100)
c:\windows\system32\msi.dll
.
Completion time: 2010-04-21 12:37:36
ComboFix-quarantined-files.txt 2010-04-21 10:37
ComboFix2.txt 2010-04-21 05:04

Pre-Run: Volných bajtů: 12 149 587 968
Post-Run: Volných bajtů: 12 149 997 568

Current=7 Default=7 Failed=6 LastKnownGood=8 Sets=1,2,3,4,5,6,7,8
- - End Of File - - 870D232F31D908F11E65F11A29A87BB5

#8 Příspěvek od **JaRon** » 21 dub 2010 12:21

finisujeme

Presun ComboFix
na plochu (ak tam este nie je)

otvor si Poznamkovy blok - notepad

do neho zkopiruj skript z nasledujiceho okna:

Kód: Vybrat vše

Driver::
kujefy

uloz vytvoreny textovy soubor ako CFScript.txt na plochu

po ulozeni uchop vytvoreny skript lavym tlacitkom mysi a presun ho nad ikonu Combofixu, nad nim skript upust:

Obrázek

po aplikacii by mal vzniknut dalsi log, ten vloz sem

Pirkin07 · #9 Příspěvek od **Pirkin07** » 21 dub 2010 13:14

ComboFix 10-04-20.02 - Administrator 21.04.2010 13:34:51.3.2 - FAT32x86
Systém Microsoft Windows XP Professional 5.1.2600.2.1250.421.1029.18.1919.1355 [GMT 2:00]
Running from: c:\documents and settings\Administrator\Plocha\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Plocha\CFScript.txt
AV: ESET Smart Security 3.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET personal firewall *enabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_KUJEFY
-------\Service_kujefy

((((((((((((((((((((((((( Files Created from 2010-03-21 to 2010-04-21 )))))))))))))))))))))))))))))))
.

2010-04-21 07:55 . 2010-04-21 07:55 -------- d-----w- C:\rsit
2010-04-21 05:15 . 2010-04-21 05:20 697328 ----a-w- c:\windows\system32\drivers\sptd.sys
2010-04-16 04:43 . 2004-08-03 20:59 34688 ----a-w- c:\windows\system32\drivers\lbrtfdc.sys
2010-04-16 04:43 . 2004-08-03 20:59 34688 ----a-w- c:\windows\system32\dllcache\lbrtfdc.sys
2010-04-16 04:43 . 2001-08-17 18:50 50432 ----a-w- c:\windows\system32\drivers\sisv.sys
2010-04-16 04:43 . 2001-08-17 18:50 50432 ----a-w- c:\windows\system32\dllcache\sisv.sys
2010-04-16 04:43 . 2001-08-17 18:12 19017 ----a-w- c:\windows\system32\drivers\rtl8029.sys
2010-04-16 04:43 . 2001-08-17 18:12 19017 ----a-w- c:\windows\system32\dllcache\rtl8029.sys
2010-04-16 04:43 . 2004-08-03 21:00 8192 ----a-w- c:\windows\system32\drivers\i2omgmt.sys
2010-04-16 04:43 . 2004-08-03 21:00 8192 ----a-w- c:\windows\system32\dllcache\i2omgmt.sys
2010-04-16 04:43 . 2004-08-03 21:00 8192 ----a-w- c:\windows\system32\drivers\Changer.sys
2010-04-16 04:43 . 2004-08-03 21:00 8192 ----a-w- c:\windows\system32\dllcache\changer.sys
2010-03-26 12:19 . 2009-09-25 10:51 101816 ----a-w- c:\windows\system32\POS.dll
2010-03-26 12:19 . 2009-11-13 09:46 524288 ----a-w- c:\windows\system32\ECR.dll
2010-03-26 12:19 . 2009-11-11 13:35 270336 ----a-w- c:\windows\system32\Comm32.dll
2010-03-26 12:19 . 2008-07-01 07:43 43152 ----a-w- c:\windows\system32\CommTX.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-21 11:37 . 2010-03-02 11:10 802304 ----a-w- c:\windows\system32\drivers\kujefy.sys
2010-04-20 09:14 . 2009-05-12 06:16 46 ----a-w- c:\windows\system32\SP701ASM.dat
.

((((((((((((((((((((((((((((( SnapShot@2010-04-21_05.03.41 )))))))))))))))))))))))))))))))))))))))))
.
+ 2003-03-25 10:10 . 2001-12-26 11:52 27136 c:\windows\system32\dllcache\sisagp.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PDFSaver"="c:\program files\PDF-XChangeSDKEU\PDFSaver.exe" [2003-02-21 61440]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SiS Tray"="c:\windows\System32\sistray.EXE" [2002-05-09 303104]
"SiSUSBRG"="c:\windows\SiSUSBrg.exe" [2002-07-12 106496]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-07-13 7626752]
"nwiz"="nwiz.exe" [2006-07-13 1519616]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-07-13 86016]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2009-10-07 1461080]

c:\documents and settings\All Users\Nabˇdka Start\Programy\Po spuçtŘnˇ\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-24 29696]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" /background

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [21.4.2010 7:15 697328]
R2 ekrn;Eset Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [7.10.2009 9:16 472280]
R3 AtcL001;NDIS Miniport Driver for Attansic L1 Gigabit Ethernet Controller;c:\windows\system32\drivers\atl01_xp.sys [1.11.2008 21:10 38656]
S1 SiSV;SiSV;c:\windows\system32\drivers\sisv.sys [16.4.2010 6:43 50432]
S3 SiSV6306;SiSV6306;c:\windows\system32\drivers\SiS6306p.sys [25.3.2003 11:40 68608]
.
.
------- Supplementary Scan -------
.
uStart Page = https://podatelna.socpoist.sk/ezu.jsp
uInternet Settings,ProxyServer = 192.168.0.1:3128
uInternet Settings,ProxyOverride = <local>
IE: E&xportovat do aplikace Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
Trusted Zone: vszp.sk\portal
Trusted Zone: vszp.sk\www
TCP: {24ED62AC-F699-47A5-AF25-C849D97623CF} = 195.146.128.60,195.146.132.59
TCP: {6C87B449-B37B-443F-990F-ED0E0183ABD7} = 195.146.128.60,195.146.132.59
DPF: {CF2BD3ED-F1CE-11D4-9B98-005004CA7085} - hxxps://eportal.apollo.sk/dll/SignForm.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-21 13:39
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A6ED1F8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xba8ecfc3
\Driver\ACPI -> ACPI.sys @ 0xba66ecb8
\Driver\atapi -> 0x8a6ed1f8
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x8058236c
ParseProcedure -> ntkrnlpa.exe @ 0x8058146a
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x8058236c
ParseProcedure -> ntkrnlpa.exe @ 0x8058146a
NDIS: Attansic L1 Gigabit Ethernet 10/100/1000Base-T Controller #2 -> SendCompleteHandler -> NDIS.sys @ 0xba44bba0
PacketIndicateHandler -> NDIS.sys @ 0xba458b21
SendHandler -> NDIS.sys @ 0xba43687b
Warning: possible MBR rootkit infection !
user & kernel MBR OK

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\TelnetServer\1.0\ReadConfig]
@DACL=(02 0000)
"Defaults"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1740)
c:\windows\system32\msi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\RUNDLL32.EXE
c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-04-21 13:41:02 - machine was rebooted
ComboFix-quarantined-files.txt 2010-04-21 11:41
ComboFix2.txt 2010-04-21 10:37
ComboFix3.txt 2010-04-21 05:04

Pre-Run: Volných bajtů: 12 089 311 232
Post-Run: Volných bajtů: 11 974 803 456

Current=7 Default=7 Failed=6 LastKnownGood=8 Sets=1,2,3,6,7,8
- - End Of File - - C65A1FD88141172B5B4E360305E4740D

#10 Příspěvek od **JaRon** » 21 dub 2010 13:27

1. subor c:\windows\system32\drivers\kujefy.sys
najdi a ZMAZ

2. doinstaluj ServicePack3
3. ak nebudu ziadne problemy, tak hotovo

Pirkin07 · #11 Příspěvek od **Pirkin07** » 21 dub 2010 13:45

Veľká vďaka,

#12 Příspěvek od **JaRon** » 21 dub 2010 13:56

rado sa stalo

VIRY.CZ

WIN32/Bubnix.AB

WIN32/Bubnix.AB

Re: WIN32/Bubnix.AB

Re: WIN32/Bubnix.AB

Re: WIN32/Bubnix.AB

Re: WIN32/Bubnix.AB

Re: WIN32/Bubnix.AB

Re: WIN32/Bubnix.AB

Re: WIN32/Bubnix.AB

Re: WIN32/Bubnix.AB

Re: WIN32/Bubnix.AB

Re: WIN32/Bubnix.AB

Re: WIN32/Bubnix.AB