Request for a log check

maxim-SK
Visitor
Posts: 43
Registered: 28 Feb 2010 13:29

#1 Post by maxim-SK »

Hello, I'd like to ask for a log check. Thanks in advance.

Logfile of random's system information tool 1.07 (written by random/random)
Run by test at 2010-06-21 08:01:55
Systém Microsoft Windows XP Professional
System drive C: has 15 GB (79%) free of 19 GB
Total RAM: 255 MB (12% free)

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 8:02:21, on 21.6.2010
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\test\Plocha\RSIT.exe
C:\Program Files\trend micro\test.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O3 - Toolbar: &R?dio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [test] C:\Documents and Settings\test\test.exe /i
O4 - HKCU\..\Run: [] C:\Documents and Settings\test\.exe /i
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Proces mezipam?ti kategori? sou??st? - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Slu?ba inteligentn?ho p?enosu na pozad? (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: Vym?niteln? ?lo?i?t? NtmsSvcSharedAccess (NtmsSvcSharedAccess) - Unknown owner - C:\WINDOWS\System32\arpy.exe (file missing)
O23 - Service: Automatick? aktualizace (wuauserv) - Unknown owner - C:\WINDOWS\

--
End of file - 3256 bytes

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
Adobe PDF Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2008-06-11 75128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{8E718888-423F-11D2-876E-00A0C9082467} - &Rádio - C:\WINDOWS\System32\msdxm.ocx [2001-10-25 846364]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [2008-06-12 34672]
"egui"=C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe [2010-03-29 2145000]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"=C:\WINDOWS\System32\ctfmon.exe [2001-10-25 13312]
"MSMSGS"=C:\Program Files\Messenger\msmsgs.exe [2001-08-02 1077277]
"test"=C:\Documents and Settings\test\test.exe /i []
""=C:\Documents and Settings\test\.exe /i []

C:\Documents and Settings\test\Nabídka Start\Programy\Po spuštění
OpenOffice.org 3.0.lnk - C:\Program Files\OpenOffice.org 3\program\quickstart.exe

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\UploadMgr]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

======List of files/folders created in the last 1 months======

2010-06-21 08:01:56 ----D---- C:\Program Files\trend micro
2010-06-21 08:01:55 ----D---- C:\rsit
2010-06-17 10:46:37 ----D---- C:\Documents and Settings\All Users\Data aplikací\ESET

======List of files/folders modified in the last 1 months======

2010-06-21 08:01:58 ----D---- C:\WINDOWS\Temp
2010-06-21 08:01:56 ----AD---- C:\Program Files
2010-06-21 07:58:44 ----D---- C:\Program Files\Mozilla Firefox
2010-06-21 07:57:53 ----AD---- C:\WINDOWS
2010-06-21 07:57:45 ----D---- C:\WINDOWS\Debug
2010-06-17 13:18:10 ----A---- C:\WINDOWS\SchedLgU.Txt
2010-06-17 10:53:08 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2010-06-17 10:53:04 ----D---- C:\WINDOWS\System32\drivers
2010-06-17 10:52:34 ----D---- C:\WINDOWS\Prefetch
2010-06-17 10:49:16 ----D---- C:\WINDOWS\System32\CatRoot2
2010-06-17 10:47:36 ----SHD---- C:\WINDOWS\Installer
2010-06-17 10:47:21 ----HD---- C:\WINDOWS\inf
2010-06-17 10:22:07 ----RD---- C:\WINDOWS\Web
2010-06-17 10:21:01 ----D---- C:\Documents and Settings\test\Data aplikací\Desktopicon
2010-06-17 10:10:55 ----A---- C:\WINDOWS\wincmd.ini
2010-06-17 10:09:12 ----AD---- C:\WINDOWS\system32
2010-06-17 10:09:11 ----D---- C:\WINDOWS\twain_32
2010-06-17 07:33:10 ----A---- C:\WINDOWS\System32\PerfStringBackup.TMP
2010-06-16 13:55:28 ----SHD---- C:\System Volume Information
2010-06-16 11:44:44 ----SHD---- C:\RECYCLER

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 ehdrv;ehdrv; C:\WINDOWS\System32\DRIVERS\ehdrv.sys [2010-03-29 114984]
R1 epfwtdir;epfwtdir; C:\WINDOWS\System32\DRIVERS\epfwtdir.sys [2010-03-29 95872]
R2 eamon;eamon; C:\WINDOWS\System32\DRIVERS\eamon.sys [2010-03-29 140216]
R3 ac97intc;Služba instalace zvukového ovladače Intel(r) (WDM); C:\WINDOWS\system32\drivers\ac97intc.sys [2001-08-18 96256]
R3 E100B;Intel(R) PRO Adapter Driver; C:\WINDOWS\System32\DRIVERS\e100b325.sys [2001-10-24 117760]
R3 nv4;nv4; C:\WINDOWS\System32\DRIVERS\nv4.sys [2001-08-18 731648]
R3 usbhub;Rozbočovač umožnující USB2; C:\WINDOWS\System32\DRIVERS\usbhub.sys [2001-10-25 50688]
R3 USBSTOR;Ovladač velkokapacitního paměťového zařízení USB; C:\WINDOWS\System32\DRIVERS\USBSTOR.SYS [2001-08-17 21760]
R3 usbuhci;Ovladač Microsoft univerzálního hostitelského řadiče USB od společnosti Microsoft; C:\WINDOWS\System32\DRIVERS\usbuhci.sys [2001-10-25 18944]
S1 e2b08877;e2b08877; C:\WINDOWS\System32\drivers\e2b08877.sys []
S3 usbccgp;Obecný nadřazený ovladač Microsoft USB; C:\WINDOWS\System32\DRIVERS\usbccgp.sys [2001-08-17 24960]
S4 WS2IFSL;Podpůrné prostředí zprostředkovatele služeb Windows Socket 2.0 bez podpory IFS; C:\WINDOWS\System32\drivers\ws2ifsl.sys [2001-10-25 12032]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 ekrn;ESET Service; C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe [2010-03-29 810120]
S2 NtmsSvcSharedAccess;Vyměnitelné úložiště NtmsSvcSharedAccess; C:\WINDOWS\System32\arpy.exe srv []
S3 EhttpSrv;ESET HTTP Server; C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe [2010-03-29 33560]

-----------------EOF-----------------

JaRon
Moderator
Posts: 15662
Registered: 29 Mar 2005 13:39
Location: BB-SK

#2 Post by JaRon »

1. O4 - HKCU\..\Run: [test] C:\Documents and Settings\test\test.exe /i
O4 - HKCU\..\Run: [] C:\Documents and Settings\test\.exe /i
Do you recognize these? If not, fix them in HijackThis.
2. Scan the PC with MBAM.
3. Install some Service Pack :)
FRST |ADWCleaner |MBAM |CCleaner |AVPTool

If you are satisfied, you can support the forum
https://platba.viry.cz/payment/

#3 Post by maxim-SK »

Here is the log from MBAM


Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Verze databáze: 4208

Windows 5.1.2600
Internet Explorer 6.0.2600.0000

21.6.2010 10:01:34
mbam-log-2010-06-21 (10-01-34).txt

Typ skenu: Úplný sken (C:\|E:\|)
Skenované objekty: 140725
Uplynulý čas: 17 minuta(y), 44 sekunda(y)

Infikované procesy v paměti: 0
Infikované moduly v paměti: 0
Infikované klíče registru: 0
Infikované hodnoty registru: 0
Infikované datové položky registru: 2
Infikované složky: 0
Infikované soubory: 0

Infikované procesy v paměti:
(Žádné škodlivé položky nebyly zjištěny)

Infikované moduly v paměti:
(Žádné škodlivé položky nebyly zjištěny)

Infikované klíče registru:
(Žádné škodlivé položky nebyly zjištěny)

Infikované hodnoty registru:
(Žádné škodlivé položky nebyly zjištěny)

Infikované datové položky registru:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BITS\ImagePath (Hijack.WindowsUpdates) -> Bad: (%fystemRoot%\System32\svchost.exe -k netsvcs) Good: (%SystemRoot%\System32\svchost.exe -k netsvcs) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wuauserv\ImagePath (Hijack.WindowsUpdates) -> Bad: (%fystemRoot%\system32\svchost.exe -k netsvcs) Good: (%SystemRoot%\System32\svchost.exe -k netsvcs) -> Quarantined and deleted successfully.

Infikované složky:
(Žádné škodlivé položky nebyly zjištěny)

Infikované soubory:
(Žádné škodlivé položky nebyly zjištěny)

#4 Post by JaRon »

OK - once you have installed the Service Pack there, post a new RSIT log for checking.
#5 Post by maxim-SK »

Any attempt to update the system or install the SP gives me an error (unable to connect, or the update failed). I can't update the AV (NOD32 4) or SpywareTerminator either. Since my Windows is strangely licensed (when reinstalling from the install CD it won't accept the product key, even though I'm installing the same OS version), I have to figure out how to clean it without reinstalling the OS. Thanks in advance for any advice.

#6 Post by JaRon »

Download ComboFix and save it to the desktop.

Then run it under an account with administrator rights.

The run takes about 5-10 minutes, sometimes longer. Do not start any other applications during the scan.

There is no reason to panic if the machine is restarted.
Note: if you use antispyware with a resident shield, turn it off before the scan.

After the restart the application creates a log, saved at C:\Combofix.txt (paste its contents here).
#7 Post by maxim-SK »

Log from ComboFix:

ComboFix 10-06-20.06 - test 21.06.2010 13:54:06.1.1 - x86
Systém Microsoft Windows XP Professional 5.1.2600.0.1250.421.1029.18.255.107 [GMT 2:00]
Running from: c:\documents and settings\test\Plocha\ComboFix.exe
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\test\Data aplikaci\64dlls.exe
c:\documents and settings\test\Data aplikaci\intel64.exe
c:\documents and settings\test\Data aplikaci\localsys64.exe
c:\documents and settings\test\Data aplikaci\ntos.exe
c:\documents and settings\test\Data aplikaci\oembios.exe
c:\documents and settings\test\Data aplikaci\sdra64.exe
c:\documents and settings\test\Data aplikaci\sdra73.exe
c:\documents and settings\test\Data aplikaci\swin32.exe
c:\documents and settings\test\Data aplikaci\twex.exe
c:\documents and settings\test\Data aplikaci\twext.exe
c:\documents and settings\test\Data aplikaci\wsnpoema.exe
c:\windows\system32\_003598_.tmp.dll
c:\windows\system32\_003750_.tmp.dll
c:\windows\system32\_003751_.tmp.dll
c:\windows\system32\_003752_.tmp.dll
c:\windows\system32\_003753_.tmp.dll
c:\windows\system32\_003760_.tmp.dll
c:\windows\system32\_003761_.tmp.dll
c:\windows\system32\_003762_.tmp.dll
c:\windows\system32\_003763_.tmp.dll
c:\windows\system32\_003765_.tmp.dll
c:\windows\system32\_003766_.tmp.dll
c:\windows\system32\_003769_.tmp.dll
c:\windows\system32\_003770_.tmp.dll
c:\windows\system32\_003773_.tmp.dll
c:\windows\system32\_003774_.tmp.dll
c:\windows\system32\_003776_.tmp.dll
c:\windows\system32\_003777_.tmp.dll
c:\windows\system32\_003779_.tmp.dll
c:\windows\system32\_003784_.tmp.dll
c:\windows\system32\_003786_.tmp.dll
c:\windows\system32\_003787_.tmp.dll
c:\windows\system32\_003789_.tmp.dll
c:\windows\system32\_003791_.tmp.dll
c:\windows\system32\_003792_.tmp.dll
c:\windows\system32\_003793_.tmp.dll
c:\windows\system32\_003794_.tmp.dll
c:\windows\system32\_003795_.tmp.dll
c:\windows\system32\_003798_.tmp.dll
c:\windows\system32\_003800_.tmp.dll
c:\windows\system32\_003801_.tmp.dll
c:\windows\system32\_003802_.tmp.dll
c:\windows\system32\_003806_.tmp.dll
c:\windows\system32\11224594.dat

c:\windows\system32\qmgr.dll . . . is infected!!

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_acpi32
-------\Legacy_ati64si
-------\Legacy_fips32cup
-------\Legacy_i386si
-------\Legacy_ksi32sk
-------\Legacy_netsik
-------\Legacy_nicsk32
-------\Legacy_ntmssvcsharedaccess
-------\Legacy_port135sik
-------\Legacy_securentm
-------\Legacy_SYSTEMNTMI
-------\Legacy_ws2_32sik
-------\Service_NtmsSvcSharedAccess


((((((((((((((((((((((((( Files Created from 2010-05-21 to 2010-06-21 )))))))))))))))))))))))))))))))
.

2010-06-21 09:25 . 2010-06-21 09:27 -------- d-----w- c:\windows\peernet
2010-06-21 09:25 . 2010-06-21 09:25 -------- d-----w- c:\windows\provisioning
2010-06-21 09:15 . 2004-08-03 20:42 15872 ----a-w- c:\windows\system32\spupdsvc.exe
2010-06-21 09:12 . 2001-10-25 20:00 1267200 ----a-w- c:\windows\system32\wbem\cimwin32.dll
2010-06-21 09:11 . 2001-10-25 20:00 93184 ----a-w- c:\windows\system32\winscard.dll
2010-06-21 06:01 . 2010-06-21 06:02 -------- d-----w- c:\program files\trend micro
2010-06-21 06:01 . 2010-06-21 06:02 -------- d-----w- C:\rsit
2010-06-17 08:53 . 2010-04-29 13:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-17 08:52 . 2010-04-29 13:39 19288 ----a-w- c:\windows\system32\drivers\mbam.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-17 08:53 . 2010-03-02 08:16 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-17 05:33 . 2009-11-06 06:18 381122 ----a-w- c:\windows\system32\PerfStringBackup.TMP
2010-06-17 05:33 . 1980-01-01 07:00 52442 ----a-w- c:\windows\system32\perfc005.dat
2010-06-17 05:33 . 1980-01-01 07:00 328460 ----a-w- c:\windows\system32\perfh005.dat
2010-03-29 15:13 . 2010-03-29 15:13 95872 ----a-w- c:\windows\system32\drivers\epfwtdir.sys
2010-03-29 15:12 . 2010-03-29 15:12 114984 ----a-w- c:\windows\system32\drivers\ehdrv.sys
2010-03-29 15:07 . 2010-03-29 15:07 140216 ----a-w- c:\windows\system32\drivers\eamon.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2010-03-29 2145000]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2001-10-25 13312]

c:\documents and settings\test\Nabˇdka Start\Programy\Po spuçtŘnˇ\
OpenOffice.org 3.0.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2008-10-13 393216]

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [29.3.2010 17:12 114984]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [29.3.2010 17:13 95872]
S1 e2b08877;e2b08877;c:\windows\system32\drivers\e2b08877.sys [1.6.2009 10:02 0]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - ALG
.
.
------- Supplementary Scan -------
.
IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
FF - ProfilePath -

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".cz");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-21 14:04
Windows 5.1.2600 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(648)
c:\windows\system32\ODBC32.dll

- - - - - - - > 'lsass.exe'(704)
c:\windows\System32\dssenh.dll
c:\windows\system32\mswsock.dll

- - - - - - - > 'explorer.exe'(1112)
c:\windows\System32\msi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe
c:\program files\OpenOffice.org 3\program\soffice.exe
c:\program files\OpenOffice.org 3\program\soffice.bin
.
**************************************************************************
.
Completion time: 2010-06-21 14:05:38 - machine was rebooted
ComboFix-quarantined-files.txt 2010-06-21 12:05

Pre-Run: Volných bajtů: 14.596.632.576
Post-Run: Volných bajtů: 14.935.126.016

WinXP_EN_PRO_BF.EXE
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect

- - End Of File - - 2B34DD68DF760F1978D4F5B257D7B528

#8 Post by JaRon »

Move ComboFix to the desktop (if it is not there already).

Open Notepad.

Copy the script from the following box into it:

Code:

Driver::
e2b08877

Save the resulting text file as CFScript.txt on the desktop.

After saving, grab the script with the left mouse button, drag it over the ComboFix icon and drop it there.

After it has run, another log should be created; post it here :)
#9 Post by maxim-SK »

Second log from ComboFix:

ComboFix 10-06-20.06 - test 21.06.2010 14:41:23.2.1 - x86
Systém Microsoft Windows XP Professional 5.1.2600.0.1250.421.1029.18.255.92 [GMT 2:00]
Running from: c:\documents and settings\test\Plocha\ComboFix.exe
Command switches used :: c:\documents and settings\test\Plocha\CFScript.txt
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\test\Data aplikaci\64dlls.exe
c:\documents and settings\test\Data aplikaci\intel64.exe
c:\documents and settings\test\Data aplikaci\localsys64.exe
c:\documents and settings\test\Data aplikaci\ntos.exe
c:\documents and settings\test\Data aplikaci\oembios.exe
c:\documents and settings\test\Data aplikaci\sdra64.exe
c:\documents and settings\test\Data aplikaci\sdra73.exe
c:\documents and settings\test\Data aplikaci\swin32.exe
c:\documents and settings\test\Data aplikaci\twex.exe
c:\documents and settings\test\Data aplikaci\twext.exe
c:\documents and settings\test\Data aplikaci\wsnpoema.exe

Infected copy of c:\windows\system32\qmgr.dll was found and disinfected
Restored copy from - c:\windows\ERDNT\cache\qmgr.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_e2b08877


((((((((((((((((((((((((( Files Created from 2010-05-21 to 2010-06-21 )))))))))))))))))))))))))))))))
.

2010-06-21 09:25 . 2010-06-21 09:27 -------- d-----w- c:\windows\peernet
2010-06-21 09:25 . 2010-06-21 09:25 -------- d-----w- c:\windows\provisioning
2010-06-21 09:15 . 2004-08-03 20:42 15872 ----a-w- c:\windows\system32\spupdsvc.exe
2010-06-21 09:12 . 2001-10-25 20:00 1267200 ----a-w- c:\windows\system32\wbem\cimwin32.dll
2010-06-21 09:11 . 2001-10-25 20:00 93184 ----a-w- c:\windows\system32\winscard.dll
2010-06-21 06:01 . 2010-06-21 06:02 -------- d-----w- c:\program files\trend micro
2010-06-21 06:01 . 2010-06-21 06:02 -------- d-----w- C:\rsit
2010-06-17 08:53 . 2010-04-29 13:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-17 08:52 . 2010-04-29 13:39 19288 ----a-w- c:\windows\system32\drivers\mbam.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-21 12:17 . 2009-11-06 06:18 381122 ----a-w- c:\windows\system32\PerfStringBackup.TMP
2010-06-21 12:17 . 1980-01-01 07:00 52442 ----a-w- c:\windows\system32\perfc005.dat
2010-06-21 12:17 . 1980-01-01 07:00 328460 ----a-w- c:\windows\system32\perfh005.dat
2010-06-17 08:53 . 2010-03-02 08:16 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-29 15:13 . 2010-03-29 15:13 95872 ----a-w- c:\windows\system32\drivers\epfwtdir.sys
2010-03-29 15:12 . 2010-03-29 15:12 114984 ----a-w- c:\windows\system32\drivers\ehdrv.sys
2010-03-29 15:07 . 2010-03-29 15:07 140216 ----a-w- c:\windows\system32\drivers\eamon.sys
.

((((((((((((((((((((((((((((( SnapShot@2010-06-21_12.02.46 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-10-16 12:09 . 2009-08-06 17:24 44768 c:\windows\system32\wups2.dll
+ 2009-04-16 07:52 . 2009-08-06 17:24 35552 c:\windows\system32\wups.dll
+ 2008-08-06 20:23 . 2009-08-06 17:24 53472 c:\windows\system32\wuauclt.exe
+ 2010-06-21 12:17 . 2009-08-06 17:24 44768 c:\windows\system32\SoftwareDistribution\Setup\ServiceStartup\wups2.dll\7.4.7600.226\wups2.dll
+ 2010-06-21 12:17 . 2009-08-06 17:24 35552 c:\windows\system32\SoftwareDistribution\Setup\ServiceStartup\wups.dll\7.4.7600.226\wups.dll
+ 1980-01-01 07:00 . 2010-06-21 12:17 45768 c:\windows\system32\perfc009.dat
- 1980-01-01 07:00 . 2010-06-17 05:33 45768 c:\windows\system32\perfc009.dat
+ 2008-08-06 20:23 . 2009-08-06 17:24 53472 c:\windows\system32\dllcache\wuauclt.exe
+ 1980-01-01 07:00 . 2009-08-06 17:24 96480 c:\windows\system32\dllcache\cdm.dll
+ 2010-06-21 12:04 . 2010-06-21 12:49 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-08-06 20:36 . 2010-06-21 12:49 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-08-06 20:36 . 2010-06-21 09:44 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-08-06 20:36 . 2010-06-21 09:44 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2008-08-06 20:36 . 2010-06-21 12:49 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 1980-01-01 07:00 . 2009-08-06 17:24 96480 c:\windows\system32\cdm.dll
+ 2009-04-16 07:52 . 2009-08-06 17:24 327896 c:\windows\system32\wucltui.dll
+ 2009-04-16 07:52 . 2009-08-06 17:23 575704 c:\windows\system32\wuapi.dll
- 1980-01-01 07:00 . 2010-06-17 05:33 330866 c:\windows\system32\perfh009.dat
+ 1980-01-01 07:00 . 2010-06-21 12:17 330866 c:\windows\system32\perfh009.dat
+ 2008-08-06 20:23 . 2009-08-06 17:23 1929952 c:\windows\system32\wuaueng.dll
+ 2008-08-06 20:23 . 2009-08-06 17:23 1929952 c:\windows\system32\dllcache\wuaueng.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2010-03-29 2145000]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2001-10-25 13312]

c:\documents and settings\test\Nabˇdka Start\Programy\Po spuçtŘnˇ\
OpenOffice.org 3.0.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2008-10-13 393216]

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [29.3.2010 17:12 114984]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [29.3.2010 17:13 95872]
R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [29.3.2010 17:12 810120]
.
.
------- Supplementary Scan -------
.
IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
FF - ProfilePath -

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".cz");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-21 14:53
Windows 5.1.2600 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(652)
c:\windows\system32\ODBC32.dll

- - - - - - - > 'lsass.exe'(708)
c:\windows\System32\dssenh.dll
c:\windows\system32\mswsock.dll

- - - - - - - > 'explorer.exe'(2040)
c:\windows\System32\msi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\OpenOffice.org 3\program\soffice.exe
c:\program files\OpenOffice.org 3\program\soffice.bin
.
**************************************************************************
.
Completion time: 2010-06-21 14:56:23 - machine was rebooted
ComboFix-quarantined-files.txt 2010-06-21 12:56
ComboFix2.txt 2010-06-21 12:07

Pre-Run: Volných bajtů: 14.671.028.224
Post-Run: Volných bajtů: 14.662.926.336

- - End Of File - - 2E0E588F792716617E6450A91B570CF4

JaRon
Moderator
Posts: 15662
Registered: 29 Mar 2005 13:39
Location: BB-SK

Re: I would like to ask for a log check

#10 Post by JaRon »

it looks decent now - as a precaution, run a scan with Hitman http://www.viry.cz/forum/viewtopic.php? ... 29#p868829
FRST |ADWCleaner |MBAM |CCleaner |AVPTool

If you are satisfied, you can support the forum
https://platba.viry.cz/payment/

maxim-SK
Visitor
Posts: 43
Registered: 28 Feb 2010 13:29

Re: I would like to ask for a log check

#11 Post by maxim-SK »

here is also the log from Hitman

- <Log computer="HEWLETT-CH3" scan="EWS" version="3.5.6.104" date="2010-06-22T08:20:14" timeSpentInSecs="1073" filesProcessed="4731">
- <Item type="Repair" score="0.0" status="Deleted">
<File path="C:\Documents and Settings\test\Cookies\test@1071094658[1].txt" />
</Item>
- <Item type="Repair" score="0.0" status="Deleted">
<File path="C:\Documents and Settings\test\Cookies\test@2o7[1].txt" />
</Item>
- <Item type="Repair" score="0.0" status="Deleted">
<File path="C:\Documents and Settings\test\Cookies\test@ads.sa[1].txt" />
</Item>
- <Item type="Repair" score="0.0" status="Deleted">
<File path="C:\Documents and Settings\test\Cookies\test@atdmt[1].txt" />
</Item>
- <Item type="Repair" score="0.0" status="Deleted">
<File path="C:\Documents and Settings\test\Cookies\test@atwola[1].txt" />
</Item>
- <Item type="Repair" score="0.0" status="Deleted">
<File path="C:\Documents and Settings\test\Cookies\test@bs.serving-sys[2].txt" />
</Item>
- <Item type="Repair" score="0.0" status="Deleted">
<File path="C:\Documents and Settings\test\Cookies\test@doubleclick[2].txt" />
</Item>
- <Item type="Repair" score="0.0" status="Deleted">
<File path="C:\Documents and Settings\test\Cookies\test@microsoftwllivemkt.112.2o7[1].txt" />
</Item>
- <Item type="Repair" score="0.0" status="Deleted">
<File path="C:\Documents and Settings\test\Cookies\test@msnportal.112.2o7[1].txt" />
</Item>
- <Item type="Repair" score="0.0" status="Deleted">
<File path="C:\Documents and Settings\test\Cookies\test@serving-sys[2].txt" />
</Item>
- <Item type="Repair" score="0.0" status="Deleted">
<File path="C:\Documents and Settings\test\Cookies\test@skype.122.2o7[1].txt" />
</Item>
- <Item type="EWS" score="-93.0" status="None">
<File path="C:\WINDOWS\system32\cisvc.exe" hash="E7EF6F0EF208671BC1DD80BD97287D2818F6979A3CE6F3EFCFF3FA2A54466605" />
- <Startup>
<Key path="HKLM\SYSTEM\CurrentControlSet\Services\cisvc\" />
</Startup>
</Item>
- <Item type="EWS" score="-93.0" status="None">
<File path="C:\WINDOWS\System32\dllhost.exe" hash="7C18ED9E797AA47DBC02EDA91C57E821324E4B19AB4B2E8848CB62C360381A75" />
- <Startup>
<Key path="HKLM\SYSTEM\CurrentControlSet\Services\COMSysApp\" />
<Key path="HKLM\SYSTEM\CurrentControlSet\Services\SwPrv\" />
</Startup>
</Item>
- <Item type="EWS" score="-93.0" status="None">
<File path="C:\WINDOWS\System32\drivers\MSPQM.sys" hash="915F4D83F37872CB1222BDBB055BBFF7F190B12B4ACB792E0627B99E037C866F" />
- <Startup>
<Key path="HKLM\SYSTEM\CurrentControlSet\Services\MSPQM\" />
</Startup>
</Item>
- <Item type="EWS" score="-93.0" status="None">
<File path="C:\WINDOWS\System32\DRIVERS\update.sys" hash="5943B2ECE6E893253E766BED32BBC41A33A57462705B75C03DE840EB3A955417" />
- <Startup>
<Key path="HKLM\SYSTEM\CurrentControlSet\Services\Update\" />
</Startup>
</Item>
- <Item type="EWS" score="-94.0" status="None">
<File path="C:\WINDOWS\system32\ie4uinit.exe" hash="A101A855E49F530E29E78BC37D28D924D326832DEC8076954C220D8D2E2E54AC" />
- <Startup>
<Key path="HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}\" />
</Startup>
</Item>
- <Item type="EWS" score="-93.0" status="None">
<File path="C:\WINDOWS\system32\imapi.exe" hash="F539C16347D37DC676628BAF6428301CA150858A823078829E439BE3E1C50A13" />
- <Startup>
<Key path="HKLM\SYSTEM\CurrentControlSet\Services\ImapiService\" />
</Startup>
</Item>
- <Item type="EWS" score="-93.0" status="None">
<File path="C:\WINDOWS\system32\netdde.exe" hash="C83CF30AB5ADC5E98FCA07C1276B55B00B6B8C6509229E4DAC37E6402B1F1A54" />
- <Startup>
<Key path="HKLM\SYSTEM\CurrentControlSet\Services\NetDDE\" />
<Key path="HKLM\SYSTEM\CurrentControlSet\Services\NetDDEdsdm\" />
</Startup>
</Item>
- <Item type="EWS" score="-94.0" status="None">
<File path="C:\WINDOWS\system32\regsvr32.exe" hash="7A70454E226E1D40785045075A71BB1DF07FEA05B8B1D54C68E093EF1C6FD522" />
- <Startup>
<Key path="HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}\" />
<Key path="HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}\" />
</Startup>
</Item>
- <Item type="EWS" score="-94.0" status="None">
<File path="C:\WINDOWS\System32\RunDLL32.exe" hash="4BD362A7F63468660D2DB3111D8170FA1AF5033F4F596C134AC741F2A0DC39AD" />
- <Startup>
<Key path="HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS\" />
<Key path="HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\" />
<Key path="HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA842-CC51-11CF-AAFA-00AA00B6015B}\" />
<Key path="HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{5945c046-1e7d-11d1-bc44-00c04fd912be}\" />
<Key path="HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}\" />
<Key path="HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{ACC563BC-4266-43f0-B6ED-9D38C4202C7E}\" />
</Startup>
- <References>
<File path="C:\Documents and Settings\All Users\Nabídka Start\Programy\Příslušenství\Komunikace\Průvodce instalací sítě.lnk" />
<File path="C:\Documents and Settings\All Users\Nabídka Start\Programy\Příslušenství\Komunikace\Průvodce vytvořením připojení.lnk" />
</References>
</Item>
- <Item type="EWS" score="-89.0" status="None">
<File path="C:\WINDOWS\system32\services.exe" hash="AE8BB73E21F0BA0F1A1D013D09F32CD847C54F27A1E3870044FE3911AAAD1707" />
- <Startup>
<Key path="HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\" />
<Key path="HKLM\SYSTEM\CurrentControlSet\Services\PlugPlay\" />
</Startup>
</Item>
- <Item type="EWS" score="-93.0" status="None">
<File path="C:\WINDOWS\System32\tlntsvr.exe" hash="FDA847E8D00294B1D12DBF1AA296821582053520CA465B0B5760A4B9DD709E7B" />
- <Startup>
<Key path="HKLM\SYSTEM\CurrentControlSet\Services\TlntSvr\" />
</Startup>
</Item>
- <Item type="EWS" score="-93.0" status="None">
<File path="C:\WINDOWS\System32\ups.exe" hash="E5DBA12A5BF4144F4100F22C398B7F45D3FE266BBE69314F506E55A00C1F39C9" />
- <Startup>
<Key path="HKLM\SYSTEM\CurrentControlSet\Services\UPS\" />
</Startup>
</Item>
</Log>

JaRon
Moderator
Posts: 15662
Registered: 29 Mar 2005 13:39
Location: BB-SK

Re: I would like to ask for a log check

#12 Post by JaRon »

it's OK
download SP2 and install it

maxim-SK
Visitor
Posts: 43
Registered: 28 Feb 2010 13:29

Re: I would like to ask for a log check

#13 Post by maxim-SK »

ok, thanks for the help

JaRon
Moderator
Posts: 15662
Registered: 29 Mar 2005 13:39
Location: BB-SK

Re: I would like to ask for a log check

#14 Post by JaRon »

you're welcome :)
