prosim o pomoc :(( zkontrolujte log prosim...

Zpráva

van · #1 Příspěvek od **van** » 28 dub 2010 10:03

ten je strasne zavirovan...porad pise nod hlasky
prikladam log s combofixu.

ComboFix 10-04-21.01 - brerrt 22.04.2010 13:37:08.2.2 - x86
Systém Microsoft Windows XP Professional 5.1.2600.2.1250.420.1029.18.2023.1096 [GMT 2:00]
Spuštěný z: c:\documents and settings\brerrt\Plocha\ComboFix.exe
Použité ovládací přepínače :: c:\documents and settings\brerrt\Plocha\CFScript.txt
AV: ESET NOD32 Antivirus 4.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
.

((((((((((((((((((((((((((((((((((((((( Ostatní výmazy )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Data aplikací\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Data aplikací\Microsoft\Network\Downloader\qmgr1.dat

----- BITS: Možné infikované stránky -----

hxxp://xxx.kl.kxxx.cz
.
((((((((((((((((((((((((((((((((((((((( Ovladače/Služby )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_SIJZYWR
-------\Service_sijzywr

((((((((((((((((((((((((( Soubory vytvořené od 2010-03-22 do 2010-04-22 )))))))))))))))))))))))))))))))
.

2010-04-22 11:56 . 2010-04-22 11:56 586240 ----a-w- c:\windows\system32\drivers\WDICA.sys
2010-04-15 18:08 . 2010-03-29 13:24 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-15 18:08 . 2010-03-29 13:24 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-15 18:08 . 2010-04-15 18:08 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-01 14:35 . 2010-04-01 14:37 -------- d-----w- C:\mystockmanager

.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-22 11:58 . 2010-03-08 22:10 802304 ----a-w- c:\windows\system32\drivers\cfsyentb.sys
2010-04-22 11:55 . 2006-03-02 12:00 79440 ----a-w- c:\windows\system32\perfc005.dat
2010-04-22 11:55 . 2006-03-02 12:00 432516 ----a-w- c:\windows\system32\perfh005.dat
2010-04-07 07:21 . 2009-07-06 17:46 -------- d-----w- c:\program files\Google
2010-03-15 08:29 . 2010-03-15 08:29 -------- d-----w- c:\program files\epv32-csu
2009-02-04 12:00 . 2009-02-04 12:00 1083243 ----a-w- c:\program files\OpenVPN.zip
.

(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{57BCA5FA-5DBB-45a2-B558-1755C3F6253B}"= "c:\program files\Winamp Toolbar\winamptb.dll" [2009-05-06 1262888]

[HKEY_CLASSES_ROOT\clsid\{57bca5fa-5dbb-45a2-b558-1755c3f6253b}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLTBSearch.1]
[HKEY_CLASSES_ROOT\TypeLib\{538CD77C-BFDD-49b0-9562-77419CAB89D1}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLTBSearch]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CheckCfg"="c:\program files\checkcfg\Checkcfg.exe" [2009-05-05 155136]
"PC Suite Tray"="c:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe" [2008-10-02 1124352]
"pdfSaver3"="c:\program files\Tracker Software\PDF-XChange 3\pdfSaver\pdfSaver3.exe" [2004-09-05 380928]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-07-06 39408]
"Skype"="c:\program files\Skype\Phone\Skype_.exe" [2009-10-09 25623336]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2006-03-02 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-01-05 872448]
"atchk"="c:\program files\Intel\AMT\atchk.exe" [2007-04-20 404248]
"AccelerometerSysTrayApplet"="c:\windows\system32\AccelerometerSt.exe" [2007-01-24 124928]
"PTHOSTTR"="c:\program files\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.EXE" [2007-01-09 145184]
"IFXSPMGT"="c:\windows\system32\ifxspmgt.exe" [2007-02-15 677408]
"CognizanceTS"="c:\progra~1\HEWLET~1\IAM\Bin\ASTSVCC.dll" [2003-12-22 17920]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-01-12 827392]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-05-11 138008]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-05-11 162584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-05-11 138008]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"openvpn-gui"="c:\program files\OpenVPN\bin\openvpn-gui.exe" [2006-04-16 99328]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-11-06 177456]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 40048]
"WinVNC"="c:\program files\ORL\VNC\WinVNC.exe" [1999-10-07 200704]
"\\kompl\EPSON Stylus DX4000 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIBEE.EXE" [2006-02-21 131072]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-05-14 2029640]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2010-01-12 37888]
"mylbx"="c:\program files\My Lockbox\mylbx.exe" [2010-01-26 1214128]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2006-03-02 15360]

c:\documents and settings\All Users\Nabˇdka Start\Programy\Po spuçtŘnˇ\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2007-2-6 561213]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\DeviceNP]
2007-04-30 06:19 49152 ----a-w- c:\windows\system32\DeviceNP.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\APSHook.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ SbHpNp scecli

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\mstsc.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R0 FSProFilter;FSPro File Filter;c:\windows\system32\drivers\FSPFltd.sys [31.1.2010 23:16 43792]
R0 SafeBoot;SafeBoot;c:\windows\system32\drivers\SafeBoot.sys [26.4.2007 19:23 100095]
R0 SbAlg;SbAlg;c:\windows\system32\drivers\SbAlg.sys [9.10.2006 13:31 44720]
R0 SbFsLock;SbFsLock;c:\windows\system32\drivers\SbFsLock.sys [29.3.2007 16:54 13696]
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [14.5.2009 15:47 107256]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [14.5.2009 15:49 94360]
R1 PersonalSecureDrive;PersonalSecureDrive;c:\windows\system32\drivers\psd.sys [23.1.2007 22:07 39080]
R1 RsvLock;RsvLock;c:\windows\system32\drivers\rsvlock.sys [26.4.2007 19:23 5808]
R2 ASChannel;Local Communication Channel;c:\windows\System32\svchost.exe -k Cognizance [2.3.2006 14:00 14336]
R2 atchksrv;Intel(R) Active Management Technology System Status Service;c:\program files\Intel\AMT\ATCHKSRV.EXE [25.7.2008 13:25 183064]
R2 CA_LIC_CLNT;CA License Client;c:\program files\CA\SharedComponents\CA_LIC\lic98rmt.exe [12.10.2003 22:20 143360]
R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [14.5.2009 15:47 731840]
R2 Ethpdrv;Ethernet Packet Driver;c:\windows\system32\drivers\ethpdrv.sys [7.9.2007 12:12 9728]
R2 fsproflt;FSPro Filter Service;c:\windows\system32\fsproflt.exe [31.1.2010 23:16 142648]
R2 HpFkCryptService;Drive Encryption Service;c:\program files\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe [27.4.2007 10:58 221184]
R2 LogWatch;Event Log Watch;c:\program files\CA\SharedComponents\CA_LIC\LogWatNT.exe [20.9.2002 19:29 53248]
R2 SWIHPWMI;SWIHPWMI;c:\program files\HPQ\Shared\Sierra Wireless\Win32\Unicode\SWIHPWMI.exe [4.12.2006 16:13 292384]
R2 UNS;Intel(R) Active Management Technology User Notification Service;c:\program files\Intel\AMT\UNS.EXE [25.7.2008 13:25 1489688]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [25.7.2008 13:31 36608]
R3 tap0801;TAP-Win32 Adapter V8;c:\windows\system32\drivers\tap0801.sys [16.4.2006 12:45 23552]
S2 ASBroker;Logon Session Broker;c:\windows\System32\svchost.exe -k Cognizance [2.3.2006 14:00 14336]
S2 gupdate1c9fe61d52688c8;Služba Google Update (gupdate1c9fe61d52688c8);c:\program files\Google\Update\GoogleUpdate.exe [6.7.2009 19:47 133104]
S2 USBDriver;USBDriver;c:\windows\system32\svchost.exe -k netsvcs [2.3.2006 14:00 14336]
S3 CA_LIC_SRVR;CA License Server;c:\program files\CA\SharedComponents\CA_LIC\lic98rmtd.exe [7.4.2003 18:45 151552]
S3 DAMDrv;DAMDrv;c:\windows\system32\DRIVERS\DAMDrv.sys --> c:\windows\system32\DRIVERS\DAMDrv.sys [?]
S3 FLCDLOCK;HP ProtectTools Device Locking / Auditing;c:\windows\system32\flcdlock.exe [30.4.2007 8:28 172131]
S3 HP24X;HP PC Card Smart Card Reader;c:\windows\system32\DRIVERS\HP24X.sys --> c:\windows\system32\DRIVERS\HP24X.sys [?]
S3 IpwP;IPWireless 3G PCMCIA Network Adapter;c:\windows\system32\DRIVERS\ipwpnet.sys --> c:\windows\system32\DRIVERS\ipwpnet.sys [?]
S3 trutil;trutil;\??\c:\docume~1\CERNOH~1\LOCALS~1\Temp\trutil.sys --> c:\docume~1\CERNOH~1\LOCALS~1\Temp\trutil.sys [?]

--- Ostatní služby/ovladače v paměti ---

*Deregistered* - cfsyentb

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Cognizance REG_MULTI_SZ ASBroker ASChannel
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
nezfpnly
arlrx
USBDriver
.
Obsah adresáře 'Naplánované úlohy'

2010-04-22 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-07-06 17:46]

2010-04-22 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-06 17:47]

2010-04-22 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-06 17:47]

2010-04-22 c:\windows\Tasks\User_Feed_Synchronization-{7C008E57-0BAD-41D3-8C7B-068ECABB879B}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 16:36]
.
.
------- Doplňkový sken -------
.
uStart Page = hxxp://intranet
uInternet Connection Wizard,ShellNext = hxxp://intranet/
uInternet Settings,ProxyOverride = *.local
IE: &Winamp Search - c:\documents and settings\All Users\Data aplikací\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
IE: Download with Xilisoft Download YouTube Video - c:\program files\Xilisoft\Download YouTube Video\upod_link.HTM
IE: E&xportovat do aplikace Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Save Flash with Flash Catcher - c:\program files\Common Files\Justdo\IECatcher.DLL/FlashCatcher.htm
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: {{FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - c:\program files\PokerStars.NET\PokerStarsUpdate.exe
DPF: {0D221D00-A6ED-477C-8A91-41F3B660A832} - hxxp://adam/Reports/Reserved.ReportViewerWebControl.axd?ReportSession=zqli0v2rqwma4o45kl04yrbr&ControlID=055f1509223b453c8ea89f0e0c549bd8&Culture=1029&UICulture=9&ReportStack=1&OpType=PrintCab
DPF: {41861299-EAB2-4DCC-986C-802AE12AC499} - hxxp://adam/Reports/Reserved.ReportViewerWebControl.axd?ReportSession=koc4inrpyanzxr55thw5bvfk&ControlID=c5ecfe92398c4e6095d68ef3d9d6b3b0&Culture=1029&UICulture=9&ReportStack=1&OpType=PrintCab
DPF: {4DF118B4-5498-4EEA-9277-9EBC94B38114} - hxxp://192.168.55.3/STWWebViewer.cab
DPF: {856ACB65-7B1F-4085-94D9-72824D6266CF} - hxxp://192.168.55.36/eng/activex/activex.CAB
DPF: {9B1EF185-CD13-44CB-B1B4-EDF08AA55FA8} - hxxp://192.168.55.3/STWWebSearch.cab
DPF: {C12E8A50-4243-4A8E-9341-258E5EBBBBBC} - hxxp://192.168.55.3/STWConfigSystemNVR.cab
DPF: {EEDBA32E-5C2D-48F1-A58E-0AAB0BC230E3} - hxxp://192.168.55.3/STWAxConfigNVR.cab
FF - ProfilePath - c:\documents and settings\cernohorsky\Data aplikací\Mozilla\Firefox\Profiles\ey58mti4.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2685&invocationType=tb50ffwinampie7&query=
FF - prefs.js: browser.search.selectedEngine - Winamp Search
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2685&invocationType=tb50ffwinampab&query=
FF - component: c:\documents and settings\cernohorsky\Data aplikací\Mozilla\Firefox\Profiles\ey58mti4.default\extensions\{0b38152b-1b20-484d-a11f-5e04a9b0661f}\components\WinampTBPlayer.dll
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- NASTAVENÍ FIREFOXU ----
c:\program files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".cz");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-22 13:50
Windows 5.1.2600 Service Pack 2 NTFS

skenování skrytých procesů ...

skenování skrytých položek 'Po spuštění' ...

skenování skrytých souborů ...

c:\windows\system32\drivers\mspclock.sys.bak 5376 bytes executable

sken byl úspešně dokončen
skryté soubory: 1

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\cfsyentb]

.
--------------------- Knihovny navázané na běžící procesy ---------------------

- - - - - - - > 'winlogon.exe'(1164)
c:\windows\system32\DeviceNP.dll

- - - - - - - > 'lsass.exe'(1224)
c:\windows\SbHpNp.dll
c:\program files\Bonjour\mdnsNSP.dll

- - - - - - - > 'explorer.exe'(2204)
c:\windows\system32\msi.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\btncopy.dll
c:\program files\Nokia\Nokia PC Suite 7\phonebrowser.dll
c:\program files\Nokia\Nokia PC Suite 7\NGSCM.DLL
c:\program files\Nokia\Nokia PC Suite 7\Lang\PhoneBrowser_cze.nlr
c:\program files\Nokia\Nokia PC Suite 7\Resource\PhoneBrowser_Nokia.ngr
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Jiné spuštené procesy ------------------------
.
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\windows\System32\SCardSvr.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\ifxtcs.exe
c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
c:\program files\Intel\AMT\LMS.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
c:\windows\system32\IfxPsdSv.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Hewlett-Packard\Embedded Security Software\PSDrt.exe
c:\program files\Microsoft ActiveSync\Wcescomm.exe
c:\progra~1\MI3AA1~1\rapimgr.exe
c:\program files\Microsoft Office\Office12\OUTLOOK.EXE
c:\program files\Hewlett-Packard\IAM\bin\asghost.exe
c:\program files\Java\jre1.6.0_07\bin\jucheck.exe
c:\program files\PC Connectivity Solution\ServiceLayer.exe
c:\program files\PC Connectivity Solution\Transports\NclUSBSrv.exe
c:\program files\PC Connectivity Solution\Transports\NclRSSrv.exe
c:\program files\PC Connectivity Solution\Transports\NclBCBTSrv.exe
c:\progra~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
.
**************************************************************************
.
Celkový čas: 2010-04-22 14:02:19 - počítač byl restartován
ComboFix-quarantined-files.txt 2010-04-22 12:02
ComboFix2.txt 2010-04-22 10:07

Před spuštěním: Volných bajtů: 32 229 687 296
Po spuštění: Volných bajtů: 32 130 338 816

- - End Of File - - D119E866C0F61A07D0427740AA0B7449

#2 Příspěvek od **stell** » 28 dub 2010 14:02

ok,pozriem sa.

van · #3 Příspěvek od **van** » 28 dub 2010 14:30

diky diky diky uz na to tesim

ten soubor WDICA.sys neexistuje - nod ho promazal...

#4 Příspěvek od **stell** » 28 dub 2010 14:32

otestuj na www.virustotal.com
c:\windows\system32\drivers\WDICA.sys

van · #5 Příspěvek od **van** » 28 dub 2010 14:35

stell píše:otestuj na http://www.virustotal.com
c:\windows\system32\drivers\WDICA.sys

sorry nestiham za tebou ))))))))
ten soubor je promazan Nodem a neexistuje...
tak ze nemam co skenovat

Name C:\WINDOWS\system32\drivers\WDICA.sys
Threat Win32/Bubnix.AB trojan

#6 Příspěvek od **stell** » 28 dub 2010 14:45

Pri tejto akcii je nutné mať ComboFix na ploche.

Vypni>FIREWALL>Antivir>Antispyware>vsetko rezidentne.

Otvor Notepad (Poznámkový blok) a zkopíruj do neho celý zeleny tex:

Kód: Vybrat vše

KILLALL::
File::
c:\windows\system32\drivers\WDICA.sys
c:\windows\system32\drivers\cfsyentb.sys
Rootkit::
c:\docume~1\CERNOH~1\LOCALS~1\Temp\trutil.sys
Driver::
trutil
cfsyentb
nezfpnly
arlrx
USBDriver
NetSvc::
cfsyentb
nezfpnly
arlrx
USBDriver
DDS::
IE: &Winamp Search - c:\documents and settings\All Users\Data aplikací\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
DPF: {0D221D00-A6ED-477C-8A91-41F3B660A832} - hxxp://adam/Reports/Reserved.ReportView ... e=PrintCab
DPF: {41861299-EAB2-4DCC-986C-802AE12AC499} - hxxp://adam/Reports/Reserved.ReportView ... e=PrintCab
DPF: {4DF118B4-5498-4EEA-9277-9EBC94B38114} - hxxp://192.168.55.3/STWWebViewer.cab
DPF: {856ACB65-7B1F-4085-94D9-72824D6266CF} - hxxp://192.168.55.36/eng/activex/activex.CAB
DPF: {9B1EF185-CD13-44CB-B1B4-EDF08AA55FA8} - hxxp://192.168.55.3/STWWebSearch.cab
DPF: {C12E8A50-4243-4A8E-9341-258E5EBBBBBC} - hxxp://192.168.55.3/STWConfigSystemNVR.cab
DPF: {EEDBA32E-5C2D-48F1-A58E-0AAB0BC230E3} - hxxp://192.168.55.3/STWAxConfigNVR.cab
Extra::
FireFox::
FF - ProfilePath - c:\documents and settings\cernohorsky\Data aplikací\Mozilla\Firefox\Profiles\ey58mti4.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/sli ... ie7&query=
FF - prefs.js: browser.search.selectedEngine - Winamp Search
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/sli ... pab&query=
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
Registry::
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\cfsyentb]
FileLook::
c:\windows\system32\drivers\mspclock.sys.bak

Potom klik na Subor -> Uložiť ako.. .. -> Ako je Názov souboru tak do toho riadku napiš:CFScript.txt
Typ súboru tak tam vyberies *všetky súbory
A ulož ho na plochu.> Pozor CFScript.txt>Neotvarat a nemoze byt ani>CFScript.txt.txt A Urobis Toto :
Obrázek

Po skonceni skenu vlož log čo ComboFix vytvorí

van · #7 Příspěvek od **van** » 28 dub 2010 14:50

diky moooooooooooooooc a
letim testovat ten skript ))

#8 Příspěvek od **stell** » 28 dub 2010 14:55

ok,ja sa vratim tak o hodinu,

van · #9 Příspěvek od **van** » 28 dub 2010 15:16

tak...probehlo to a ted mam takovy log (priznam se - uz je to mnohem lip nez bylo pred tim

))

ComboFix 10-04-21.01 - cernogorsky 28.04.2010 15:56:26.5.2 - x86
Systém Microsoft Windows XP Professional 5.1.2600.2.1250.420.1029.18.2023.1378 [GMT 2:00]
Spuštěný z: c:\documents and settings\cernogorsky\Plocha\ComboFix.exe
Použité ovládací přepínače :: c:\documents and settings\cernogorsky\Plocha\CFScript.txt
AV: ESET NOD32 Antivirus 4.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

FILE ::
"c:\windows\system32\drivers\cfsyentb.sys"
"c:\windows\system32\drivers\WDICA.sys"
.

((((((((((((((((((((((((((((((((((((((( Ostatní výmazy )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Data aplikací\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Data aplikací\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\All Users\Data aplikací\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\\defaults\preferences\defaults.js
c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\\chrome.manifest
c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\\chrome\chrome.jar
c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\\install.rdf
c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\\MicrosoftDotNetFrameworkAssistant.xpi
c:\windows\system32\drivers\cfsyentb.sys

----- BITS: Možné infikované stránky -----

hxxp://xxxx.kl.xxxx.cz
.
((((((((((((((((((((((((((((((((((((((( Ovladače/Služby )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CFSYENTB
-------\Legacy_TRUTIL
-------\Legacy_USBDRIVER
-------\Service_cfsyentb
-------\Service_trutil
-------\Service_USBDriver

((((((((((((((((((((((((( Soubory vytvořené od 2010-03-28 do 2010-04-28 )))))))))))))))))))))))))))))))
.

2010-04-28 10:55 . 2010-04-28 10:57 -------- d-----w- c:\program files\I.CA
2010-04-28 09:21 . 2007-05-02 10:35 176128 ----a-r- c:\windows\system32\igfxres.dll
2010-04-27 19:10 . 2010-04-28 06:42 574464 ----a-w- c:\windows\system32\drivers\undysor.sys
2010-04-15 18:08 . 2010-03-29 13:24 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-15 18:08 . 2010-03-29 13:24 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-15 18:08 . 2010-04-15 18:08 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-01 14:35 . 2010-04-01 14:37 -------- d-----w- C:\mystockmanager

.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-28 09:27 . 2006-03-02 12:00 79440 ----a-w- c:\windows\system32\perfc005.dat
2010-04-28 09:27 . 2006-03-02 12:00 432516 ----a-w- c:\windows\system32\perfh005.dat
2010-04-07 07:21 . 2009-07-06 17:46 -------- d-----w- c:\program files\Google
2010-03-15 08:29 . 2010-03-15 08:29 -------- d-----w- c:\program files\epv32-csu
2009-02-04 12:00 . 2009-02-04 12:00 1083243 ----a-w- c:\program files\OpenVPN.zip
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

--- c:\windows\system32\drivers\mspclock.sys.bak ---
Company: Microsoft Corporation
File Description: MS Proxy Clock
File Version: 5.3.2600.2180 (xpsp_sp2_rtm.040803-2158)
Product Name: Microsoft(R) Windows(R) Operating System
Copyright: © Microsoft Corporation. All rights reserved.
Original Filename: mspclock.sys
File size: 5376
Created time: 2008-07-25 11:23
Modified time: 2004-08-03 20:58
MD5: 13E75FEF9DFEB08EEDED9D0246E1F448
SHA1: 9A1D1EC34BA0E6B3F925948E0EC98745D72CFCBB

(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{57BCA5FA-5DBB-45a2-B558-1755C3F6253B}"= "c:\program files\Winamp Toolbar\winamptb.dll" [2009-05-06 1262888]

[HKEY_CLASSES_ROOT\clsid\{57bca5fa-5dbb-45a2-b558-1755c3f6253b}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLTBSearch.1]
[HKEY_CLASSES_ROOT\TypeLib\{538CD77C-BFDD-49b0-9562-77419CAB89D1}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLTBSearch]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CheckCfg"="c:\program files\checkcfg\Checkcfg.exe" [2009-05-05 155136]
"PC Suite Tray"="c:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe" [2008-10-02 1124352]
"pdfSaver3"="c:\program files\Tracker Software\PDF-XChange 3\pdfSaver\pdfSaver3.exe" [2004-09-05 380928]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-07-06 39408]
"Skype"="c:\program files\Skype\Phone\Skype_.exe" [2009-10-09 25623336]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-01-05 872448]
"atchk"="c:\program files\Intel\AMT\atchk.exe" [2007-04-20 404248]
"AccelerometerSysTrayApplet"="c:\windows\system32\AccelerometerSt.exe" [2007-01-24 124928]
"PTHOSTTR"="c:\program files\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.EXE" [2007-01-09 145184]
"IFXSPMGT"="c:\windows\system32\ifxspmgt.exe" [2007-02-15 677408]
"CognizanceTS"="c:\progra~1\HEWLET~1\IAM\Bin\ASTSVCC.dll" [2003-12-22 17920]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-01-12 827392]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"openvpn-gui"="c:\program files\OpenVPN\bin\openvpn-gui.exe" [2006-04-16 99328]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-11-06 177456]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 40048]
"WinVNC"="c:\program files\ORL\VNC\WinVNC.exe" [1999-10-07 200704]
"\\kompl\EPSON Stylus DX4000 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIBEE.EXE" [2006-02-21 131072]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-05-14 2029640]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2010-01-12 37888]
"mylbx"="c:\program files\My Lockbox\mylbx.exe" [2010-01-26 1214128]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-05-11 138008]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-05-11 162584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-05-11 138008]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2006-03-02 15360]

c:\documents and settings\All Users\Nabˇdka Start\Programy\Po spuçtŘnˇ\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2007-2-6 561213]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\DeviceNP]
2007-04-30 06:19 49152 ----a-w- c:\windows\system32\DeviceNP.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\APSHook.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ SbHpNp scecli

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\mstsc.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\HP1006MC.EXE"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R0 FSProFilter;FSPro File Filter;c:\windows\system32\drivers\FSPFltd.sys [31.1.2010 23:16 43792]
R0 SafeBoot;SafeBoot;c:\windows\system32\drivers\SafeBoot.sys [26.4.2007 19:23 100095]
R0 SbAlg;SbAlg;c:\windows\system32\drivers\SbAlg.sys [9.10.2006 13:31 44720]
R0 SbFsLock;SbFsLock;c:\windows\system32\drivers\SbFsLock.sys [29.3.2007 16:54 13696]
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [14.5.2009 15:47 107256]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [14.5.2009 15:49 94360]
R1 PersonalSecureDrive;PersonalSecureDrive;c:\windows\system32\drivers\psd.sys [23.1.2007 22:07 39080]
R1 RsvLock;RsvLock;c:\windows\system32\drivers\rsvlock.sys [26.4.2007 19:23 5808]
R2 ASChannel;Local Communication Channel;c:\windows\System32\svchost.exe -k Cognizance [2.3.2006 14:00 14336]
R2 atchksrv;Intel(R) Active Management Technology System Status Service;c:\program files\Intel\AMT\ATCHKSRV.EXE [25.7.2008 13:25 183064]
R2 CA_LIC_CLNT;CA License Client;c:\program files\CA\SharedComponents\CA_LIC\lic98rmt.exe [12.10.2003 22:20 143360]
R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [14.5.2009 15:47 731840]
R2 Ethpdrv;Ethernet Packet Driver;c:\windows\system32\drivers\ethpdrv.sys [7.9.2007 12:12 9728]
R2 fsproflt;FSPro Filter Service;c:\windows\system32\fsproflt.exe [31.1.2010 23:16 142648]
R2 HpFkCryptService;Drive Encryption Service;c:\program files\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe [27.4.2007 10:58 221184]
R2 LogWatch;Event Log Watch;c:\program files\CA\SharedComponents\CA_LIC\LogWatNT.exe [20.9.2002 19:29 53248]
R2 SWIHPWMI;SWIHPWMI;c:\program files\HPQ\Shared\Sierra Wireless\Win32\Unicode\SWIHPWMI.exe [4.12.2006 16:13 292384]
R2 UNS;Intel(R) Active Management Technology User Notification Service;c:\program files\Intel\AMT\UNS.EXE [25.7.2008 13:25 1489688]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [25.7.2008 13:31 36608]
R3 tap0801;TAP-Win32 Adapter V8;c:\windows\system32\drivers\tap0801.sys [16.4.2006 12:45 23552]
S2 ASBroker;Logon Session Broker;c:\windows\System32\svchost.exe -k Cognizance [2.3.2006 14:00 14336]
S2 gupdate1c9fe61d52688c8;Služba Google Update (gupdate1c9fe61d52688c8);c:\program files\Google\Update\GoogleUpdate.exe [6.7.2009 19:47 133104]
S3 CA_LIC_SRVR;CA License Server;c:\program files\CA\SharedComponents\CA_LIC\lic98rmtd.exe [7.4.2003 18:45 151552]
S3 DAMDrv;DAMDrv;c:\windows\system32\DRIVERS\DAMDrv.sys --> c:\windows\system32\DRIVERS\DAMDrv.sys [?]
S3 FLCDLOCK;HP ProtectTools Device Locking / Auditing;c:\windows\system32\flcdlock.exe [30.4.2007 8:28 172131]
S3 HP24X;HP PC Card Smart Card Reader;c:\windows\system32\DRIVERS\HP24X.sys --> c:\windows\system32\DRIVERS\HP24X.sys [?]
S3 IpwP;IPWireless 3G PCMCIA Network Adapter;c:\windows\system32\DRIVERS\ipwpnet.sys --> c:\windows\system32\DRIVERS\ipwpnet.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Cognizance REG_MULTI_SZ ASBroker ASChannel
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Obsah adresáře 'Naplánované úlohy'

2010-04-28 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-07-06 17:46]

2010-04-28 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-06 17:47]

2010-04-28 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-06 17:47]

2010-04-28 c:\windows\Tasks\User_Feed_Synchronization-{7C008E57-0BAD-41D3-8C7B-068ECABB879B}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 16:36]
.
.
------- Doplňkový sken -------
.
uStart Page = hxxp://intranet
uInternet Connection Wizard,ShellNext = hxxp://intranet/
uInternet Settings,ProxyOverride = *.local
IE: Download with Xilisoft Download YouTube Video - c:\program files\Xilisoft\Download YouTube Video\upod_link.HTM
IE: E&xportovat do aplikace Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Save Flash with Flash Catcher - c:\program files\Common Files\Justdo\IECatcher.DLL/FlashCatcher.htm
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: {{FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - c:\program files\PokerStars.NET\PokerStarsUpdate.exe
DPF: {4C3CEE0B-4F2F-44C3-9586-4368F3200143} - hxxps://tbica.ica.cz/icapki.cab
FF - ProfilePath - c:\documents and settings\cernohorsky\Data aplikací\Mozilla\Firefox\Profiles\ey58mti4.default\
FF - component: c:\documents and settings\cernohorsky\Data aplikací\Mozilla\Firefox\Profiles\ey58mti4.default\extensions\{0b38152b-1b20-484d-a11f-5e04a9b0661f}\components\WinampTBPlayer.dll
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll

---- NASTAVENÍ FIREFOXU ----
c:\program files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".cz");
.
.
------- Asociace souborů -------
.
.scr=DWGTrueViewScriptFile
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-28 16:13
Windows 5.1.2600 Service Pack 2 NTFS

skenování skrytých procesů ...

skenování skrytých položek 'Po spuštění' ...

skenování skrytých souborů ...

sken byl úspešně dokončen
skryté soubory: 0

**************************************************************************
.
--------------------- Knihovny navázané na běžící procesy ---------------------

- - - - - - - > 'winlogon.exe'(1156)
c:\windows\system32\DeviceNP.dll

- - - - - - - > 'lsass.exe'(1216)
c:\windows\SbHpNp.dll
c:\program files\Bonjour\mdnsNSP.dll

- - - - - - - > 'explorer.exe'(3480)
c:\windows\system32\btmmhook.dll
c:\windows\system32\msi.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\btncopy.dll
c:\program files\Nokia\Nokia PC Suite 7\phonebrowser.dll
c:\program files\Nokia\Nokia PC Suite 7\NGSCM.DLL
c:\program files\Nokia\Nokia PC Suite 7\Lang\PhoneBrowser_cze.nlr
c:\program files\Nokia\Nokia PC Suite 7\Resource\PhoneBrowser_Nokia.ngr
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Jiné spuštené procesy ------------------------
.
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\windows\System32\SCardSvr.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\ifxtcs.exe
c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
c:\program files\Intel\AMT\LMS.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
c:\windows\system32\IfxPsdSv.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Hewlett-Packard\Embedded Security Software\PSDrt.exe
c:\program files\Microsoft ActiveSync\Wcescomm.exe
c:\progra~1\MI3AA1~1\rapimgr.exe
c:\progra~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
c:\program files\PC Connectivity Solution\ServiceLayer.exe
c:\program files\PC Connectivity Solution\Transports\NclUSBSrv.exe
c:\program files\PC Connectivity Solution\Transports\NclRSSrv.exe
c:\program files\PC Connectivity Solution\Transports\NclBCBTSrv.exe
c:\program files\Java\jre1.6.0_07\bin\jucheck.exe
.
**************************************************************************
.
Celkový čas: 2010-04-28 16:14:06 - počítač byl restartován
ComboFix-quarantined-files.txt 2010-04-28 14:14
ComboFix2.txt 2010-04-25 11:58
ComboFix3.txt 2010-04-22 12:02
ComboFix4.txt 2010-04-22 10:07

Před spuštěním: Volných bajtů: 32 676 704 256
Po spuštění: Volných bajtů: 32 654 622 720

- - End Of File - - 891739AA29D5FD7A7C936BB5333EFE1A

#10 Příspěvek od **stell** » 28 dub 2010 16:14

system volume information/restore (Obnova systému):
1. Je potřeba vypnout nástroj obnova systému - Ovládací panely>systém>obnovení systému>vypnout nástroj obnovení systému>OK

Pri tejto akcii je nutné mať ComboFix na ploche.

Vypni>FIREWALL>Antivir>Antispyware>vsetko rezidentne.

Otvor Notepad (Poznámkový blok) a zkopíruj do neho celý zeleny tex:

Kód: Vybrat vše

KILLALL::
File::
c:\windows\system32\drivers\undysor.sys

Potom klik na Subor -> Uložiť ako.. .. -> Ako je Názov souboru tak do toho riadku napiš:CFScript.txt
Typ súboru tak tam vyberies *všetky súbory
A ulož ho na plochu.> Pozor CFScript.txt>Neotvarat a nemoze byt ani>CFScript.txt.txt A Urobis Toto :
Obrázek

Po skonceni skenu vlož log čo ComboFix vytvorí

van · #11 Příspěvek od **van** » 29 dub 2010 09:51

rucne promazal ten soubor a nod normalne zaznamenal vir
varianta infiltrace Win32/Rootkit.Kryptik.BI trojský kůň
ale soubor normalne smazal s pocitace

dneska vecer spoustim jeste
ten combofix pro jistotu. Jeste jednou dekuji moc za pomoc. Ty jsi super!

#12 Příspěvek od **stell** » 29 dub 2010 10:04

ok,potom vloz sem log z combofixu.

van · #13 Příspěvek od **van** » 29 dub 2010 11:50

log z combofixu

ComboFix 10-04-21.01 - cernogorsky 29.04.2010 12:29:16.6.2 - x86
Systém Microsoft Windows XP Professional 5.1.2600.2.1250.420.1029.18.2023.1309 [GMT 2:00]
Spuštěný z: c:\documents and settings\cernogorsky\Plocha\ComboFix.exe
Použité ovládací přepínače :: c:\documents and settings\cernogorsky\Plocha\CFScript.txt
AV: ESET NOD32 Antivirus 4.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
.
- REŽIM S OMEZENOU FUNKČNOSTÍ -

FILE ::
"c:\windows\system32\drivers\undysor.sys"
.

((((((((((((((((((((((((( Soubory vytvořené od 2010-03-28 do 2010-04-29 )))))))))))))))))))))))))))))))
.

2010-04-28 10:55 . 2010-04-28 10:57 -------- d-----w- c:\program files\I.CA
2010-04-28 09:21 . 2007-05-02 10:35 176128 ----a-r- c:\windows\system32\igfxres.dll
2010-04-15 18:08 . 2010-03-29 13:24 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-15 18:08 . 2010-03-29 13:24 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-15 18:08 . 2010-04-15 18:08 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-01 14:35 . 2010-04-01 14:37 -------- d-----w- C:\mystockmanager

.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-29 10:39 . 2006-03-02 12:00 432516 ----a-w- c:\windows\system32\perfh005.dat
2010-04-29 10:39 . 2006-03-02 12:00 79440 ----a-w- c:\windows\system32\perfc005.dat
2010-04-07 07:21 . 2009-07-06 17:46 -------- d-----w- c:\program files\Google
2010-03-15 08:29 . 2010-03-15 08:29 -------- d-----w- c:\program files\epv32-csu
2009-02-04 12:00 . 2009-02-04 12:00 1083243 ----a-w- c:\program files\OpenVPN.zip
.

(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{57BCA5FA-5DBB-45a2-B558-1755C3F6253B}"= "c:\program files\Winamp Toolbar\winamptb.dll" [2009-05-06 1262888]

[HKEY_CLASSES_ROOT\clsid\{57bca5fa-5dbb-45a2-b558-1755c3f6253b}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLTBSearch.1]
[HKEY_CLASSES_ROOT\TypeLib\{538CD77C-BFDD-49b0-9562-77419CAB89D1}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLTBSearch]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CheckCfg"="c:\program files\checkcfg\Checkcfg.exe" [2009-05-05 155136]
"PC Suite Tray"="c:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe" [2008-10-02 1124352]
"pdfSaver3"="c:\program files\Tracker Software\PDF-XChange 3\pdfSaver\pdfSaver3.exe" [2004-09-05 380928]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-07-06 39408]
"Skype"="c:\program files\Skype\Phone\Skype_.exe" [2009-10-09 25623336]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-01-05 872448]
"atchk"="c:\program files\Intel\AMT\atchk.exe" [2007-04-20 404248]
"AccelerometerSysTrayApplet"="c:\windows\system32\AccelerometerSt.exe" [2007-01-24 124928]
"PTHOSTTR"="c:\program files\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.EXE" [2007-01-09 145184]
"IFXSPMGT"="c:\windows\system32\ifxspmgt.exe" [2007-02-15 677408]
"CognizanceTS"="c:\progra~1\HEWLET~1\IAM\Bin\ASTSVCC.dll" [2003-12-22 17920]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-01-12 827392]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"openvpn-gui"="c:\program files\OpenVPN\bin\openvpn-gui.exe" [2006-04-16 99328]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-11-06 177456]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 40048]
"WinVNC"="c:\program files\ORL\VNC\WinVNC.exe" [1999-10-07 200704]
"\\kompl\EPSON Stylus DX4000 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIBEE.EXE" [2006-02-21 131072]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-05-14 2029640]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2010-01-12 37888]
"mylbx"="c:\program files\My Lockbox\mylbx.exe" [2010-01-26 1214128]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-05-11 138008]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-05-11 162584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-05-11 138008]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2006-03-02 15360]

c:\documents and settings\All Users\Nabˇdka Start\Programy\Po spuçtŘnˇ\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2007-2-6 561213]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\DeviceNP]
2007-04-30 06:19 49152 ----a-w- c:\windows\system32\DeviceNP.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\APSHook.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ SbHpNp scecli

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\mstsc.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\HP1006MC.EXE"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R0 FSProFilter;FSPro File Filter;c:\windows\system32\drivers\FSPFltd.sys [31.1.2010 23:16 43792]
R0 SafeBoot;SafeBoot;c:\windows\system32\drivers\SafeBoot.sys [26.4.2007 19:23 100095]
R0 SbAlg;SbAlg;c:\windows\system32\drivers\SbAlg.sys [9.10.2006 13:31 44720]
R0 SbFsLock;SbFsLock;c:\windows\system32\drivers\SbFsLock.sys [29.3.2007 16:54 13696]
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [14.5.2009 15:47 107256]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [14.5.2009 15:49 94360]
R1 PersonalSecureDrive;PersonalSecureDrive;c:\windows\system32\drivers\psd.sys [23.1.2007 22:07 39080]
R1 RsvLock;RsvLock;c:\windows\system32\drivers\rsvlock.sys [26.4.2007 19:23 5808]
R2 ASChannel;Local Communication Channel;c:\windows\System32\svchost.exe -k Cognizance [2.3.2006 14:00 14336]
R2 atchksrv;Intel(R) Active Management Technology System Status Service;c:\program files\Intel\AMT\ATCHKSRV.EXE [25.7.2008 13:25 183064]
R2 CA_LIC_CLNT;CA License Client;c:\program files\CA\SharedComponents\CA_LIC\lic98rmt.exe [12.10.2003 22:20 143360]
R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [14.5.2009 15:47 731840]
R2 Ethpdrv;Ethernet Packet Driver;c:\windows\system32\drivers\ethpdrv.sys [7.9.2007 12:12 9728]
R2 fsproflt;FSPro Filter Service;c:\windows\system32\fsproflt.exe [31.1.2010 23:16 142648]
R2 HpFkCryptService;Drive Encryption Service;c:\program files\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe [27.4.2007 10:58 221184]
R2 LogWatch;Event Log Watch;c:\program files\CA\SharedComponents\CA_LIC\LogWatNT.exe [20.9.2002 19:29 53248]
R2 SWIHPWMI;SWIHPWMI;c:\program files\HPQ\Shared\Sierra Wireless\Win32\Unicode\SWIHPWMI.exe [4.12.2006 16:13 292384]
R2 UNS;Intel(R) Active Management Technology User Notification Service;c:\program files\Intel\AMT\UNS.EXE [25.7.2008 13:25 1489688]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [25.7.2008 13:31 36608]
R3 tap0801;TAP-Win32 Adapter V8;c:\windows\system32\drivers\tap0801.sys [16.4.2006 12:45 23552]
S2 ASBroker;Logon Session Broker;c:\windows\System32\svchost.exe -k Cognizance [2.3.2006 14:00 14336]
S2 gupdate1c9fe61d52688c8;Služba Google Update (gupdate1c9fe61d52688c8);c:\program files\Google\Update\GoogleUpdate.exe [6.7.2009 19:47 133104]
S3 CA_LIC_SRVR;CA License Server;c:\program files\CA\SharedComponents\CA_LIC\lic98rmtd.exe [7.4.2003 18:45 151552]
S3 DAMDrv;DAMDrv;c:\windows\system32\DRIVERS\DAMDrv.sys --> c:\windows\system32\DRIVERS\DAMDrv.sys [?]
S3 FLCDLOCK;HP ProtectTools Device Locking / Auditing;c:\windows\system32\flcdlock.exe [30.4.2007 8:28 172131]
S3 HP24X;HP PC Card Smart Card Reader;c:\windows\system32\DRIVERS\HP24X.sys --> c:\windows\system32\DRIVERS\HP24X.sys [?]
S3 IpwP;IPWireless 3G PCMCIA Network Adapter;c:\windows\system32\DRIVERS\ipwpnet.sys --> c:\windows\system32\DRIVERS\ipwpnet.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Cognizance REG_MULTI_SZ ASBroker ASChannel
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Obsah adresáře 'Naplánované úlohy'

2010-04-29 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-07-06 17:46]

2010-04-29 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-06 17:47]

2010-04-29 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-06 17:47]

2010-04-28 c:\windows\Tasks\User_Feed_Synchronization-{7C008E57-0BAD-41D3-8C7B-068ECABB879B}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 16:36]
.
.
------- Doplňkový sken -------
.
uStart Page = hxxp://intranet
uInternet Connection Wizard,ShellNext = hxxp://intranet/
uInternet Settings,ProxyOverride = *.local
IE: Download with Xilisoft Download YouTube Video - c:\program files\Xilisoft\Download YouTube Video\upod_link.HTM
IE: E&xportovat do aplikace Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Save Flash with Flash Catcher - c:\program files\Common Files\Justdo\IECatcher.DLL/FlashCatcher.htm
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: {{FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - c:\program files\PokerStars.NET\PokerStarsUpdate.exe
DPF: {4C3CEE0B-4F2F-44C3-9586-4368F3200143} - hxxps://tbica.ica.cz/icapki.cab
FF - ProfilePath - c:\documents and settings\cernohorsky\Data aplikací\Mozilla\Firefox\Profiles\ey58mti4.default\
FF - component: c:\documents and settings\cernohorsky\Data aplikací\Mozilla\Firefox\Profiles\ey58mti4.default\extensions\{0b38152b-1b20-484d-a11f-5e04a9b0661f}\components\WinampTBPlayer.dll
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll

---- NASTAVENÍ FIREFOXU ----
c:\program files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".cz");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-29 12:36
Windows 5.1.2600 Service Pack 2 NTFS

skenování skrytých procesů ...

skenování skrytých položek 'Po spuštění' ...

skenování skrytých souborů ...

sken byl úspešně dokončen
skryté soubory: 0

**************************************************************************
.
--------------------- Knihovny navázané na běžící procesy ---------------------

- - - - - - - > 'winlogon.exe'(1156)
c:\windows\system32\DeviceNP.dll

- - - - - - - > 'lsass.exe'(1216)
c:\windows\SbHpNp.dll
c:\program files\Bonjour\mdnsNSP.dll

- - - - - - - > 'explorer.exe'(2588)
c:\windows\system32\btmmhook.dll
c:\windows\system32\msi.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\btncopy.dll
c:\program files\Nokia\Nokia PC Suite 7\phonebrowser.dll
c:\program files\Nokia\Nokia PC Suite 7\NGSCM.DLL
c:\program files\Nokia\Nokia PC Suite 7\Lang\PhoneBrowser_cze.nlr
c:\program files\Nokia\Nokia PC Suite 7\Resource\PhoneBrowser_Nokia.ngr
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Jiné spuštené procesy ------------------------
.
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\windows\System32\SCardSvr.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\ifxtcs.exe
c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
c:\program files\Intel\AMT\LMS.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
c:\windows\system32\IfxPsdSv.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Hewlett-Packard\Embedded Security Software\PSDrt.exe
c:\program files\Microsoft ActiveSync\Wcescomm.exe
c:\progra~1\MI3AA1~1\rapimgr.exe
c:\progra~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
c:\program files\PC Connectivity Solution\ServiceLayer.exe
c:\program files\PC Connectivity Solution\Transports\NclUSBSrv.exe
c:\program files\PC Connectivity Solution\Transports\NclRSSrv.exe
c:\program files\PC Connectivity Solution\Transports\NclBCBTSrv.exe
c:\program files\Skype\Plugin Manager\skypePM.exe
c:\windows\system32\wbem\wmiapsrv.exe
c:\program files\Java\jre1.6.0_07\bin\jucheck.exe
.
**************************************************************************
.
Celkový čas: 2010-04-29 12:43:23 - počítač byl restartován
ComboFix-quarantined-files.txt 2010-04-29 10:43
ComboFix2.txt 2010-04-25 11:58
ComboFix3.txt 2010-04-22 12:02
ComboFix4.txt 2010-04-22 10:07

Před spuštěním: Volných bajtů: 35 795 410 944
Po spuštění: Volných bajtů: 35 798 720 512

- - End Of File - - A9A94780663F329040548C4DA05E8365

#14 Příspěvek od **stell** » 29 dub 2010 12:05

ok,combofix uz akurat dosluzil,ale este zmazal,smejda.
1:Odinstaluj combofix
2:Vypnut obnovu restart-zapnut spat.
3:Precistit pc CCleanerom a ATF-Cleanerom
4>a napis ako sa chova pc.

van · #15 Příspěvek od **van** » 29 dub 2010 13:18

vsechno super! diky moc clovece! Ty jsi super, fakt!

VIRY.CZ

prosim o pomoc :(( zkontrolujte log prosim...

prosim o pomoc :(( zkontrolujte log prosim...

Re: prosim o pomoc :(( zkontrolujte log prosim...

Re: prosim o pomoc :(( zkontrolujte log prosim...

Re: prosim o pomoc :(( zkontrolujte log prosim...

Re: prosim o pomoc :(( zkontrolujte log prosim...

Re: prosim o pomoc :(( zkontrolujte log prosim...

Re: prosim o pomoc :(( zkontrolujte log prosim...

Re: prosim o pomoc :(( zkontrolujte log prosim...

Re: prosim o pomoc :(( zkontrolujte log prosim...

Re: prosim o pomoc :(( zkontrolujte log prosim...

Re: prosim o pomoc :(( zkontrolujte log prosim...

Re: prosim o pomoc :(( zkontrolujte log prosim...

Re: prosim o pomoc :(( zkontrolujte log prosim...

Re: prosim o pomoc :(( zkontrolujte log prosim...

Re: prosim o pomoc :(( zkontrolujte log prosim...