AdminHPR?

[jiri25]

Dobrý den,
chtěl bych se zeptat na tuto položku našel mi to online scener jako hrozbu
HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN->ADMINHPR
údaj hodnoty ADMINHPR:
RUNDLL32.EXE C:\WINDOWS\system32\odbc_inc.DLL,i

mohu tuto hodnotu z registrů vymazat a soubor odbc_inc.DLL ze system32 odstranit?

Děkuji za případné rady

[riffman]

zdravim

C:\WINDOWS\system32\odbc_inc.DLL otestujte na VIRUSTOTALu

(navod prosty: po nacteni stranky kliknete na tlacitko Prochazet, najdete cestu k vyse zminenemu souboru a kliknete na tlacitko Odeslat soubor, ignorujte pripadne hlasky, ze soubor byl jiz testovan a provedte sken znova; dejte skenerum nejakych deset minut; vysledek sem vlozte at uz zkopirovanim textu, nebo pripadne vlozenim odkazu po ukonceni skenu)

[jiri25]

Přikládám co mi to vypsalo

Soubor odbc_inc.DLL přijatý 2010.07.16 06:49:27 (UTC)
Současný stav: Dokončeno
Výsledek: 27/42 (64.29%)

Antivirus Verze Poslední aktualizace Výsledek
a-squared 5.0.0.31 2010.07.16 Trojan-GameThief.Win32.WOW!IK
AhnLab-V3 2010.07.16.00 2010.07.15 Trojan/Win32.Trojan Horse
AntiVir 8.2.4.12 2010.07.15 TR/Spy.Gen
Antiy-AVL 2.0.3.7 2010.07.15 -
Authentium 5.2.0.5 2010.07.16 W32/OnlineGames.EH.gen!Eldorado
Avast 4.8.1351.0 2010.07.15 Win32:Spyware-gen
Avast5 5.0.332.0 2010.07.15 Win32:Spyware-gen
AVG 9.0.0.836 2010.07.15 -
BitDefender 7.2 2010.07.16 Trojan.Generic.IS.575500
CAT-QuickHeal 11.00 2010.07.16 Trojan.Agent.ATV
ClamAV 0.96.0.3-git 2010.07.16 -
Comodo 5442 2010.07.16 -
DrWeb 5.0.2.03300 2010.07.16 Trojan.PWS.Gamania.19244
eSafe 7.0.17.0 2010.07.15 -
eTrust-Vet 36.1.7713 2010.07.16 Win32/Wowpa.NY
F-Prot 4.6.1.107 2010.07.15 W32/OnlineGames.EH.gen!Eldorado
F-Secure 9.0.15370.0 2010.07.16 Trojan-PSW:W32/Agent.LEY
Fortinet 4.1.143.0 2010.07.15 -
GData 21 2010.07.16 Trojan.Generic.IS.575500
Ikarus T3.1.1.84.0 2010.07.16 Trojan-GameThief.Win32.WOW
Jiangmin 13.0.900 2010.07.16 -
Kaspersky 7.0.0.125 2010.07.16 -
McAfee 5.400.0.1158 2010.07.16 Artemis!FF69CA647539
McAfee-GW-Edition 2010.1 2010.07.15 Artemis!FF69CA647539
Microsoft 1.6004 2010.07.16 -
NOD32 5282 2010.07.15 a variant of Win32/PSW.WOW.NME
Norman 6.05.11 2010.07.15 W32/Suspicious_Gen2.AEFAZ
nProtect 2010-07-15.02 2010.07.15 Trojan.Generic.IS.575500
Panda 10.0.2.7 2010.07.15 -
PCTools 7.0.3.5 2010.07.16 Trojan.Generic
Prevx 3.0 2010.07.16 High Risk Fraudulent Security Program
Rising 22.56.04.03 2010.07.16 -
Sophos 4.55.0 2010.07.16 Mal/Generic-A
Sunbelt 6590 2010.07.16 Trojan.Win32.Generic!BT
SUPERAntiSpyware 4.40.0.1006 2010.07.16 -
Symantec 20101.1.1.7 2010.07.16 Trojan Horse
TheHacker 6.5.2.1.316 2010.07.16 -
TrendMicro 9.120.0.1004 2010.07.16 TROJ_ORSAM.AD
TrendMicro-HouseCall 9.120.0.1004 2010.07.16 TROJ_ORSAM.AD
VBA32 3.12.12.6 2010.07.15 -
ViRobot 2010.7.12.3932 2010.07.16 -
VirusBuster 5.0.27.0 2010.07.15 TrojanSpy.Agent.NYTC
Rozšiřující informace
File size: 65536 bytes
MD5...: ff69ca647539733bb0f6e74a3f0afd16
SHA1..: 2441990db03a5447b1f9785664992d4e6e9b1b34
SHA256: 6f6e3a30d77789d374d966d9f862bf3a330f424700669229999685eea5ef943f
ssdeep: 768:c1ZGHMdAmEQioKUCFJxIu9A/yoNy2T2DdlhFu9:c3vdYQioXClIu9RogtFu9
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x547f
timedatestamp.....: 0x49f9b239 (Thu Apr 30 14:14:17 2009)
machinetype.......: 0x14c (I386)

( 7 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x7766 0x8000 6.50 47d46b47a43147e2c8c1d7c0ca11f0ba
.rdata 0x9000 0x13a9 0x2000 3.46 87de36ba8b8f52256cb1feca11248fe7
.data 0xb000 0x5ce8 0x1000 1.56 7eadc97ba87b5d106f0938fbf41748f2
0EF0A0SF 0x11000 0x7d0 0x1000 0.00 620f0b67a91f7f74151bc5be745b7110
ANGEL 0x12000 0x14 0x1000 0.00 620f0b67a91f7f74151bc5be745b7110
.rsrc 0x13000 0x368 0x1000 0.90 843e8fe83c6596ef55283e0daebf1fad
.reloc 0x14000 0x476 0x1000 2.03 fa8dd3a1e62c66e3c796871e8c33e035

( 8 imports )
> KERNEL32.dll: GetTickCount, GetTempPathA, CreateThread, WideCharToMultiByte, lstrlenW, GetBinaryTypeA, CloseHandle, GetCurrentProcess, GetModuleFileNameA, WinExec, DeleteFileA, Sleep, LoadLibraryA, GetProcAddress, GetCurrentProcessId, GetLocalTime
> USER32.dll: CharLowerA, SetTimer, MessageBoxA, SetWindowsHookExA, GetMessageA, TranslateMessage, DispatchMessageA, CallNextHookEx, wsprintfA
> ADVAPI32.dll: LookupPrivilegeValueA, OpenProcessToken, RegCloseKey, RegSetValueExA, RegCreateKeyA, AdjustTokenPrivileges
> ole32.dll: CoCreateInstance, CoInitialize
> OLEAUT32.dll: -, -
> MSVCRT.dll: malloc, free, fgets, _initterm, _adjust_fdiv, calloc, _splitpath, fopen, fclose, _except_handler3, __CxxFrameHandler, strstr, _access, sprintf, atoi, __2@YAPAXI@Z, strchr, strncmp, rename, _stricmp
> NETAPI32.dll: Netbios
> WS2_32.dll: -, -, -, -, -, -, -, -, -, -, -, -

( 3 exports )
AR, GetVer, i
RDS...: NSRL Reference Data Set
-
pdfid.: -
trid..: Win32 Executable Generic (42.3%)
Win32 Dynamic Link Library (generic) (37.6%)
Generic Win/DOS Executable (9.9%)
DOS Executable Generic (9.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
<a href='http://info.prevx.com/aboutprogramtext. ... 005930952E' target='_blank'>http://info.prevx.com/aboutprogramtext. ... 930952E</a>
sigcheck:
publisher....: MS
copyright....: COPYRIGT(C) 2009
product......: SKY
description..: SKY
original name: BE.dll
internal name: SKY
file version.: 4, 0, 3, 1
comments.....:
signers......: -
signing date.: -
verified.....: Unsigned

[riffman]

nj, tak jedem

stahnete a ulozte na plochu ComboFix

pote spustte aplikaci pod uctem s administratorskym opravnenim (nikoli pod uctem s omezenym opravnenim)


v operacnich systemech Windows Vista a Windows 7 spoustejte aplikaci jako spravce (kliknutim pravym mysitkem na ikonu aplikace a volbou "Spustit jako spravce"

hned po startu se zobrazi obrazovka s licencnimi podminkami, pokracujte kliknutim na tlacitko Ano:



dale muze dojit k varovani ohledne rezidentniho stitu vaseho antiviru a upozorneni na nenainstalovanou konzoli pro zotaveni; tu zatim neinstalujte.

v klidu si postavte na kafe (cela akce trva cca. 5-10 minut, nekdy i dele - dle toho, o jak rychly stroj se jedna a kolika soubory se skener bude muset prodirat), behem skenu se nepokousejte spoustet zadne jine aplikace ani nic jineho

behem skenovani nepropadejte panice, vas stroj muze byt restartovan (predevsim pri prvni aplikaci skeneru)

upozorneni: pokud pouzivate antispyware s rezidentnim stitem, deaktivujte jeho rezidentni stit, protoze dochazi pri skenu a vymazu pripadneho malware k nezadoucim kolizim Combofixu s rezidentem antispyware


po restartu aplikace vytvori log, ulozeny na C:/Combofix.txt (pri opakovanem pouziti jsou logy oznaceny Combofix2.txt atd.), jeho obsah vlozte sem

[jiri25]

ok děkuji du se do toho pustit

[jiri25]

vkládám log

ComboFix 10-07-15.03 - jiri25 16.07.2010 9:11.1.2 - FAT32x86
Systém Microsoft Windows XP Professional 5.1.2600.3.1250.420.1029.18.2039.1503 [GMT 2:00]
Spuštěný z: c:\documents and settings\jiri25\Plocha\ComboFix.exe

VAROVÁNÍ - NA TOMTO POČÍTAČI NENÍ NAINSTALOVÁNA KONZOLA PRO ZOTAVENÍ !!
.

((((((((((((((((((((((((((((((((((((((( Ostatní výmazy )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\Temp
c:\windows\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job

.
((((((((((((((((((((((((((((((((((((((( Ovladače/Služby )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NPF
-------\Legacy_SSHNAS
-------\Service_SSHNAS


((((((((((((((((((((((((( Soubory vytvořené od 2010-06-16 do 2010-07-16 )))))))))))))))))))))))))))))))
.

2010-07-16 07:03 . 2004-08-17 18:00 65536 ----a-w- c:\windows\system32\odbc_inc.DLL
2010-07-16 05:06 . 2010-07-16 05:06 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-07-16 05:02 . 2010-07-16 05:02 -------- d-----w- c:\windows\system32\drivers\NSS
2010-07-16 05:02 . 2010-07-16 05:02 -------- d-----w- c:\program files\Norton Security Scan
2010-07-16 05:02 . 2010-07-16 05:02 -------- d-----w- c:\program files\NortonInstaller
2010-07-15 10:48 . 2010-07-15 10:48 -------- d-----w- C:\putty
2010-07-14 03:52 . 2010-07-14 03:52 -------- d-----w- c:\program files\Microsoft.NET
2010-07-14 03:47 . 2010-06-14 14:31 744448 ------w- c:\windows\system32\dllcache\helpsvc.exe
2010-07-12 07:15 . 2010-07-12 07:15 -------- d-----w- c:\program files\VMware
2010-07-12 05:04 . 2010-07-12 05:04 -------- d-----w- c:\program files\MSBuild
2010-07-12 05:02 . 2010-07-12 05:02 -------- d-----w- c:\windows\system32\XPSViewer
2010-07-12 05:02 . 2010-07-12 05:02 -------- d-----w- c:\program files\Reference Assemblies
2010-07-12 05:02 . 2006-10-14 14:43 27648 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\filterpipelineprintproc.dll
2010-07-12 05:01 . 2006-06-29 11:07 14048 ------w- c:\windows\system32\spmsg2.dll
2010-07-08 07:44 . 2010-07-08 07:44 -------- d-----w- c:\program files\Western Digital Corporation
2010-07-02 07:18 . 2010-07-02 07:18 -------- d-----w- c:\documents and settings\All Users\Data aplikac
2010-06-29 06:38 . 2010-06-29 06:38 12536 ----a-w- c:\windows\system32\avgrsstx.dll
2010-06-28 10:10 . 2010-05-12 15:02 22856 ----a-w- c:\windows\system32\dopdfmn7.dll
2010-06-28 10:10 . 2010-05-12 15:02 19784 ----a-w- c:\windows\system32\dopdfmi7.dll
2010-06-28 10:10 . 2010-06-28 10:10 -------- d-----w- c:\program files\Softland
2010-06-21 08:39 . 2010-06-21 08:39 -------- d-----w- c:\program files\Maxthon
2010-06-18 08:05 . 2010-06-18 08:05 -------- d-----w- c:\program files\ICQ7.2

.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-12 05:04 . 1979-12-31 22:00 94942 ----a-w- c:\windows\system32\perfc005.dat
2010-07-12 05:04 . 1979-12-31 22:00 477792 ----a-w- c:\windows\system32\perfh005.dat
2010-07-07 04:49 . 2009-08-18 04:06 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-06-29 06:38 . 2009-05-18 07:05 243024 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-06-29 06:38 . 2009-05-18 07:05 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-06-14 14:31 . 2007-11-29 09:00 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\HelpSvc.exe
2010-06-01 06:19 . 2007-12-05 05:03 29584 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-05-26 04:59 . 2010-05-26 04:59 -------- d-----w- c:\program files\BlueVoda Website Builder
2010-05-26 04:59 . 2007-12-07 10:01 737280 ----a-w- c:\windows\iun6002.exe
2010-05-19 11:56 . 2010-05-19 11:56 -------- d-----w- c:\program files\FeedReader30
2010-05-17 10:59 . 2010-05-17 10:59 -------- d-----w- c:\program files\Sandboxie
2010-05-06 10:35 . 1979-12-31 22:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-05 04:20 . 2010-05-05 04:20 75776 ----a-w- c:\windows\cadkasdeinst01e.exe
2010-05-02 08:09 . 1979-12-31 23:00 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-20 05:32 . 1979-12-31 22:00 285696 ----a-w- c:\windows\system32\atmfd.dll
2008-04-17 07:01 . 2008-01-09 05:02 72 --sh--w- c:\windows\SA6AF492B.tmp
.

(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-04-19 2117704]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2010-04-19 08:25 2117704 ----a-w- c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-04-19 2117704]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-04-19 2117704]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TransClock"="c:\documents and settings\jiri25\Dokumenty\TransClock.exe" [2002-01-23 248320]
"Yodm3D"="c:\documents and settings\jiri25\Plocha\3d plocha\Yodm3D.exe" [2007-06-26 2058752]
"ICQ"="c:\program files\ICQ7.2\ICQ.exe" [2010-06-18 133368]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-11-03 98304]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-11-03 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-11-03 118784]
"RTHDCPL"="RTHDCPL.EXE" [2007-10-16 16855552]
"SkyTel"="SkyTel.EXE" [2007-10-11 1826816]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2006-07-12 29696]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2006-05-18 49152]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"StatusClient 2.6"="c:\program files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe" [2004-02-27 61440]
"TomcatStartup 2.5"="c:\program files\Hewlett-Packard\Toolbox\hpbpsttp.exe" [2004-05-11 188416]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2004-01-07 49152]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"Status Monitor CLJ1500"="c:\program files\Hewlett-Packard\CLJ1500\\Toolbox\HPPOUMUI.exe" [2003-06-05 692224]
"Share-to-Web Namespace Daemon"="c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-17 69632]
"AdminHpr"="c:\windows\system32\odbc_inc.DLL" [2004-08-17 65536]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-06-29 2065760]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\jiri25\Nabˇdka Start\Programy\Po spuçtŘnˇ\
Mozilla Thunderbird.lnk - c:\program files\Mozilla Thunderbird\thunderbird.exe [2007-12-11 8319560]
Psi.lnk - c:\program files\Psi\Psi.exe [2009-12-3 8456704]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoFileUrl"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="c:\windows\system32\logonui.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-06-29 06:38 12536 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Psi\\psi.exe"=
"c:\\Program Files\\Hewlett-Packard\\Toolbox\\jre\\bin\\javaw.exe"=
"c:\\Program Files\\totalcmd\\TOTALCMD.EXE"=
"c:\\diskg\\Sybase\\SQL Anywhere 9\\win32\\dbisqlg.exe"=
"c:\\diskg\\Sybase\\SQL Anywhere 9\\win32\\dbeng9.exe"=
"c:\\diskg\\Sybase\\Shared\\Sybase Central 4.3\\win32\\scjview.exe"=
"c:\\Xitami\\xigui32.exe"=
"c:\\MERCURY\\mercury.exe"=
"c:\\DISKG\\Sybase\\SQL Anywhere 9\\WIN32\\dbsrv9.exe"=
"c:\\Xitami\\xidos32.exe"=
"c:\\Program Files\\Mozilla Firefox3\\FIREFOX.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"\\\\Vgserver\\Video Guard 32\\VGClient32.exe"=
"c:\\Program Files\\Video Guard 32\\VGClient.exe"=
"c:\\Program Files\\Mozilla Thunderbird\\thunderbird.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgam.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=
"c:\\Program Files\\ICQ7.2\\ICQ.exe"=
"c:\\Program Files\\ICQ7.2\\aolload.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"13364:UDP"= 13364:UDP:Print Server Utility
"13621:UDP"= 13621:UDP:MFP Bot Utility
"13107:UDP"= 13107:UDP:Print Server Utility
"69:UDP"= 69:UDP:Print Server Utility
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"5900:TCP"= 5900:TCP:vnc
"5910:TCP"= 5910:TCP:vnc5910

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [18.5.2009 9:05 52872]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [18.5.2009 9:05 216400]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [18.5.2009 9:05 243024]
R2 avg9emc;AVG E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [29.6.2010 8:38 921440]
R2 avg9wd;AVG WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [29.6.2010 8:38 308136]
R2 avgfws9;AVG Firewall;c:\program files\AVG\AVG9\avgfws9.exe [29.6.2010 8:38 2331032]
R2 ICQ Service;ICQ Service;c:\program files\ICQ6Toolbar\ICQ Service.exe [13.5.2009 11:00 246520]
R2 VshtD;VshtD;c:\windows\system32\drivers\Vshtd.sys [2.2.2000 13:33 19020]
R3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [27.11.2009 5:37 30104]
S0 pssnap;Paramount Software Snapshot Filter;c:\windows\system32\DRIVERS\pssnap.sys --> c:\windows\system32\DRIVERS\pssnap.sys [?]
S3 Apache2.2;Apache2.2;c:\xampp\apache\bin\httpd.exe [14.1.2010 10:37 29416]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [27.11.2009 5:37 30104]
S3 tap0801;TAP-Win32 Adapter V8;c:\windows\system32\drivers\tap0801.sys [1.10.2006 13:05 26624]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe --> c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [?]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [12.12.2007 13:06 685816]
.
Obsah adresáře 'Naplánované úlohy'

2010-07-16 c:\windows\Tasks\Norton Security Scan for jiri25.job
- c:\program files\Norton Security Scan\Engine\2.7.3.34\Nss.exe [2010-07-16 22:51]
.
.
------- Doplňkový sken -------
.
uStart Page = hxxp://www.google.cz/
IE: E&xportovat do aplikace Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: {{72EFBFE4-C74F-4187-AEFD-73EA3BE968D6} - c:\program files\ICQ7.2\ICQ.exe
Trusted Zone: ica.cz\b
TCP: {A0034368-23E0-402F-AC3C-11033CEB4F70}
.
- - - - NEPLATNÉ POLOŽKY ODSTRANĚNÉ Z REGISTRU - - - -

HKLM-Run-EtherDetect - (no file)
AddRemove-Mozilla Thunderbird (3.0.4) - j:\portable nástroje\thunderbird portable\ThunderbirdPortable\App\Thunderbird\uninstall\helper.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-16 09:17
Windows 5.1.2600 Service Pack 3 FAT NTAPI

skenování skrytých procesů ...

skenování skrytých položek 'Po spuštění' ...

skenování skrytých souborů ...

sken byl úspešně dokončen
skryté soubory: 0

**************************************************************************
.
--------------------- ZAMKNUTÉ KLÍČE V REGISTRU ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Environment*]
"Licence0"="REMOVED"

[HKEY_LOCAL_MACHINE\software\Xanthic\{290A6A8A-0F70-FC9A-A343-BE3AB91B8116}*_]
"fr"="078C407F5A545A"
"lr"="078C7B5D5E5441"
.
--------------------- Knihovny navázané na běžící procesy ---------------------

- - - - - - - > 'explorer.exe'(6052)
c:\documents and settings\jiri25\Plocha\3d plocha\Yodm3D.dll
c:\windows\system32\odbc_inc.DLL
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Jiné spuštené procesy ------------------------
.
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\xampp\mysql\bin\mysqld.exe
c:\program files\CyberLink\Shared files\RichVideo.exe
c:\program files\Hewlett-Packard\CLJ1500\Toolbox\HPPOUMUI.EXE
c:\windows\System32\spool\DRIVERS\W32X86\3\HP1006MC.EXE
c:\program files\AVG\AVG9\avgam.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\windows\RTHDCPL.EXE
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\program files\Hewlett-Packard\CLJ1500\Toolbox\HPPOUMUI.exe
c:\windows\system32\RUNDLL32.EXE
c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
c:\program files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Celkový čas: 2010-07-16 09:20:19 - počítač byl restartován
ComboFix-quarantined-files.txt 2010-07-16 07:20

Před spuštěním: 6 368 559 104
Po spuštění: 7 713 390 592

- - End Of File - - 92510278DB7E962587234079D1C545E2

[riffman]

nez provedeme domazani toho, co Combofix neodpalil, polozim vam dotaz:

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"13364:UDP"= 13364:UDP:Print Server Utility
"13621:UDP"= 13621:UDP:MFP Bot Utility
"13107:UDP"= 13107:UDP:Print Server Utility
"69:UDP"= 69:UDP:Print Server Utility
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"5900:TCP"= 5900:TCP:vnc
"5910:TCP"= 5910:TCP:vnc5910

vsechny tyhle porty znate?

[jiri25]

ano jen u tohot si nejsem jisty co presne je
toto:@xpsp2res.dll,-22009

"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

[riffman]

je to systemova zalezitost, ma to na starosti nejaky systemovy zpravy...

jdeme docistit

pokud jste tak jeste neucinil, presunte Combofix na plochu

otevrete si Poznamkovy blok

do nej zkopirujte skript z nasledujiciho okna:

Kód: Vybrat vše

File::
c:\windows\system32\odbc_inc.DLL

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AdminHpr"=-

ulozte vami vytvoreny textovy soubor jako CFScript.txt na plochu

po ulozeni uchopte vami vytvoreny skript levym tlacitkem mysi a presunte jej nad ikonu Combofixu, nad niz skript upustte:



po aplikaci by na vas mel vybafnout dalsi log, vlozte jej sem

Upozorneni: je mozne, ze po aplikaci skriptu a restartu nenabehnou Windows, v takovem pripade znovu restartujte, po restartu mackejte F8 a zvolte Posledni znamou fukncni konfiguraci

[jiri25]

Budu ted muset vypnout pc a odejit prozatím dekuji a u pc budu nejspíš navečer nebo zitra a provedu vyse uvedene prozatim dekuji

[riffman]

v pohode, ja tady poletuju vicemene porad, ale vecer tady urcite budu

[jiri25]

omlouvám se za zpoždění jsem už zpět a provedl jsem výše uvedené zde je nový log

ComboFix 10-07-15.03 - jiri25 17.07.2010 17:26:51.2.2 - FAT32x86
Systém Microsoft Windows XP Professional 5.1.2600.3.1250.420.1029.18.2039.1278 [GMT 2:00]
Spuštěný z: c:\documents and settings\jiri25\Plocha\comfic.exe
Použité ovládací přepínače :: c:\documents and settings\jiri25\Plocha\CFScript.txt
AV: AVG Anti-Virus Network Edition *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: AVG Firewall *disabled* {8decf618-9569-4340-b34a-d78d28969b66}

VAROVÁNÍ - NA TOMTO POČÍTAČI NENÍ NAINSTALOVÁNA KONZOLA PRO ZOTAVENÍ !!

FILE ::
"c:\windows\system32\odbc_inc.DLL"
.

((((((((((((((((((((((((((((((((((((((( Ostatní výmazy )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\odbc_inc.DLL

.
((((((((((((((((((((((((( Soubory vytvořené od 2010-06-17 do 2010-07-17 )))))))))))))))))))))))))))))))
.

2010-07-16 05:06 . 2010-07-16 05:06 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-07-16 05:02 . 2010-07-16 05:02 -------- d-----w- c:\windows\system32\drivers\NSS
2010-07-16 05:02 . 2010-07-16 05:02 -------- d-----w- c:\program files\Norton Security Scan
2010-07-16 05:02 . 2010-07-16 05:02 -------- d-----w- c:\program files\NortonInstaller
2010-07-15 10:48 . 2010-07-15 10:48 -------- d-----w- C:\putty
2010-07-14 03:52 . 2010-07-14 03:52 -------- d-----w- c:\program files\Microsoft.NET
2010-07-14 03:47 . 2010-06-14 14:31 744448 ------w- c:\windows\system32\dllcache\helpsvc.exe
2010-07-12 07:15 . 2010-07-12 07:15 -------- d-----w- c:\program files\VMware
2010-07-12 05:04 . 2010-07-12 05:04 -------- d-----w- c:\program files\MSBuild
2010-07-12 05:02 . 2010-07-12 05:02 -------- d-----w- c:\windows\system32\XPSViewer
2010-07-12 05:02 . 2010-07-12 05:02 -------- d-----w- c:\program files\Reference Assemblies
2010-07-12 05:02 . 2006-10-14 14:43 27648 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\filterpipelineprintproc.dll
2010-07-12 05:01 . 2006-06-29 11:07 14048 ------w- c:\windows\system32\spmsg2.dll
2010-07-08 07:44 . 2010-07-08 07:44 -------- d-----w- c:\program files\Western Digital Corporation
2010-07-02 07:18 . 2010-07-02 07:18 -------- d-----w- c:\documents and settings\All Users\Data aplikac
2010-06-29 06:38 . 2010-06-29 06:38 12536 ----a-w- c:\windows\system32\avgrsstx.dll
2010-06-28 10:10 . 2010-05-12 15:02 22856 ----a-w- c:\windows\system32\dopdfmn7.dll
2010-06-28 10:10 . 2010-05-12 15:02 19784 ----a-w- c:\windows\system32\dopdfmi7.dll
2010-06-28 10:10 . 2010-06-28 10:10 -------- d-----w- c:\program files\Softland
2010-06-21 08:39 . 2010-06-21 08:39 -------- d-----w- c:\program files\Maxthon
2010-06-18 08:05 . 2010-06-18 08:05 -------- d-----w- c:\program files\ICQ7.2

.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-17 15:34 . 2009-08-18 04:06 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-07-12 05:04 . 1979-12-31 22:00 94942 ----a-w- c:\windows\system32\perfc005.dat
2010-07-12 05:04 . 1979-12-31 22:00 477792 ----a-w- c:\windows\system32\perfh005.dat
2010-06-29 06:38 . 2009-05-18 07:05 243024 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-06-29 06:38 . 2009-05-18 07:05 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-06-14 14:31 . 2007-11-29 09:00 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\HelpSvc.exe
2010-06-01 06:19 . 2007-12-05 05:03 29584 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-05-26 04:59 . 2010-05-26 04:59 -------- d-----w- c:\program files\BlueVoda Website Builder
2010-05-26 04:59 . 2007-12-07 10:01 737280 ----a-w- c:\windows\iun6002.exe
2010-05-19 11:56 . 2010-05-19 11:56 -------- d-----w- c:\program files\FeedReader30
2010-05-06 10:35 . 1979-12-31 22:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-05 04:20 . 2010-05-05 04:20 75776 ----a-w- c:\windows\cadkasdeinst01e.exe
2010-05-02 08:09 . 1979-12-31 23:00 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-20 05:32 . 1979-12-31 22:00 285696 ----a-w- c:\windows\system32\atmfd.dll
2008-04-17 07:01 . 2008-01-09 05:02 72 --sh--w- c:\windows\SA6AF492B.tmp
.

((((((((((((((((((((((((((((( SnapShot@2010-07-16_07.17.41 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-07-17 15:31 . 2010-07-17 15:31 16384 c:\windows\Temp\Perflib_Perfdata_4c4.dat
.
(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-04-19 2117704]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2010-04-19 08:25 2117704 ----a-w- c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-04-19 2117704]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-04-19 2117704]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TransClock"="c:\documents and settings\jiri25\Dokumenty\TransClock.exe" [2002-01-23 248320]
"Yodm3D"="c:\documents and settings\jiri25\Plocha\3d plocha\Yodm3D.exe" [2007-06-26 2058752]
"ICQ"="c:\program files\ICQ7.2\ICQ.exe" [2010-06-18 133368]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-11-03 98304]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-11-03 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-11-03 118784]
"RTHDCPL"="RTHDCPL.EXE" [2007-10-16 16855552]
"SkyTel"="SkyTel.EXE" [2007-10-11 1826816]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2006-07-12 29696]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2006-05-18 49152]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"StatusClient 2.6"="c:\program files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe" [2004-02-27 61440]
"TomcatStartup 2.5"="c:\program files\Hewlett-Packard\Toolbox\hpbpsttp.exe" [2004-05-11 188416]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2004-01-07 49152]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"Status Monitor CLJ1500"="c:\program files\Hewlett-Packard\CLJ1500\\Toolbox\HPPOUMUI.exe" [2003-06-05 692224]
"Share-to-Web Namespace Daemon"="c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-17 69632]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-06-29 2065760]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\jiri25\Nabˇdka Start\Programy\Po spuçtŘnˇ\
Mozilla Thunderbird.lnk - c:\program files\Mozilla Thunderbird\thunderbird.exe [2007-12-11 8319560]
Psi.lnk - c:\program files\Psi\Psi.exe [2009-12-3 8456704]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoFileUrl"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="c:\windows\system32\logonui.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-06-29 06:38 12536 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Psi\\psi.exe"=
"c:\\Program Files\\Hewlett-Packard\\Toolbox\\jre\\bin\\javaw.exe"=
"c:\\Program Files\\totalcmd\\TOTALCMD.EXE"=
"c:\\diskg\\Sybase\\SQL Anywhere 9\\win32\\dbisqlg.exe"=
"c:\\diskg\\Sybase\\SQL Anywhere 9\\win32\\dbeng9.exe"=
"c:\\diskg\\Sybase\\Shared\\Sybase Central 4.3\\win32\\scjview.exe"=
"c:\\Xitami\\xigui32.exe"=
"c:\\MERCURY\\mercury.exe"=
"c:\\DISKG\\Sybase\\SQL Anywhere 9\\WIN32\\dbsrv9.exe"=
"c:\\Xitami\\xidos32.exe"=
"c:\\Program Files\\Mozilla Firefox3\\FIREFOX.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"\\\\Vgserver\\Video Guard 32\\VGClient32.exe"=
"c:\\Program Files\\Video Guard 32\\VGClient.exe"=
"c:\\Program Files\\Mozilla Thunderbird\\thunderbird.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgam.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=
"c:\\Program Files\\ICQ7.2\\ICQ.exe"=
"c:\\Program Files\\ICQ7.2\\aolload.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"13364:UDP"= 13364:UDP:Print Server Utility
"13621:UDP"= 13621:UDP:MFP Bot Utility
"13107:UDP"= 13107:UDP:Print Server Utility
"69:UDP"= 69:UDP:Print Server Utility
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"5900:TCP"= 5900:TCP:vnc
"5910:TCP"= 5910:TCP:vnc5910

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [18.5.2009 9:05 52872]
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [12.12.2007 13:06 685816]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [18.5.2009 9:05 216400]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [18.5.2009 9:05 243024]
R2 avg9emc;AVG E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [29.6.2010 8:38 921440]
R2 avg9wd;AVG WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [29.6.2010 8:38 308136]
R2 avgfws9;AVG Firewall;c:\program files\AVG\AVG9\avgfws9.exe [29.6.2010 8:38 2331032]
R2 ICQ Service;ICQ Service;c:\program files\ICQ6Toolbar\ICQ Service.exe [13.5.2009 11:00 246520]
R2 VshtD;VshtD;c:\windows\system32\drivers\Vshtd.sys [2.2.2000 13:33 19020]
R3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [27.11.2009 5:37 30104]
S0 pssnap;Paramount Software Snapshot Filter;c:\windows\system32\DRIVERS\pssnap.sys --> c:\windows\system32\DRIVERS\pssnap.sys [?]
S3 Apache2.2;Apache2.2;c:\xampp\apache\bin\httpd.exe [14.1.2010 10:37 29416]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [27.11.2009 5:37 30104]
S3 tap0801;TAP-Win32 Adapter V8;c:\windows\system32\drivers\tap0801.sys [1.10.2006 13:05 26624]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe --> c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [?]
.
Obsah adresáře 'Naplánované úlohy'

2010-07-17 c:\windows\Tasks\Norton Security Scan for jiri25.job
- c:\program files\Norton Security Scan\Engine\2.7.3.34\Nss.exe [2010-07-16 22:51]
.
.
------- Doplňkový sken -------
.
uStart Page = hxxp://www.google.cz/
IE: E&xportovat do aplikace Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: {{72EFBFE4-C74F-4187-AEFD-73EA3BE968D6} - c:\program files\ICQ7.2\ICQ.exe
Trusted Zone: ica.cz\b
TCP: {A0034368-23E0-402F-AC3C-11033CEB4F70}
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-17 17:34
Windows 5.1.2600 Service Pack 3 FAT NTAPI

skenování skrytých procesů ...

skenování skrytých položek 'Po spuštění' ...

skenování skrytých souborů ...

sken byl úspešně dokončen
skryté soubory: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys sptd.sys >>UNKNOWN [0x8A3AF8AC]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xba0ecf28
\Driver\ACPI -> ACPI.sys @ 0xb9e7dcb8
\Driver\atapi -> atapi.sys @ 0xb9e12b40
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
NDIS: Realtek RTL8139 Family PCI Fast Ethernet NIC -> SendCompleteHandler -> NDIS.sys @ 0xb9d85bd4
PacketIndicateHandler -> NDIS.sys @ 0xb9d91a21
SendHandler -> NDIS.sys @ 0xb9d85d44
user & kernel MBR OK

**************************************************************************
.
--------------------- ZAMKNUTÉ KLÍČE V REGISTRU ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Environment*]
"Licence0"="REMOVED"

[HKEY_LOCAL_MACHINE\software\Xanthic\{290A6A8A-0F70-FC9A-A343-BE3AB91B8116}*_]
"fr"="078C407F5A545A"
"lr"="078C7B5D5E5441"
.
--------------------- Knihovny navázané na běžící procesy ---------------------

- - - - - - - > 'explorer.exe'(3744)
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Jiné spuštené procesy ------------------------
.
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\xampp\mysql\bin\mysqld.exe
c:\program files\CyberLink\Shared files\RichVideo.exe
c:\program files\Hewlett-Packard\CLJ1500\Toolbox\HPPOUMUI.EXE
c:\program files\RealVNC\VNC4\WinVNC4.exe
c:\windows\System32\spool\DRIVERS\W32X86\3\HP1006MC.EXE
c:\program files\AVG\AVG9\avgam.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\windows\system32\rdpclip.exe
c:\windows\system32\wscntfy.exe
c:\windows\RTHDCPL.EXE
c:\program files\Hewlett-Packard\CLJ1500\Toolbox\HPPOUMUI.exe
c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
c:\program files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\windows\system32\HPZinw12.exe
.
**************************************************************************
.
Celkový čas: 2010-07-17 17:37:03 - počítač byl restartován
ComboFix-quarantined-files.txt 2010-07-17 15:37
ComboFix2.txt 2010-07-16 07:31

Před spuštěním: 7 627 341 824
Po spuštění: 7 602 028 544

- - End Of File - - 0029BA5D41E85C647CA96F70C1B97333

[riffman]

http://www.esagelab.com/files/bootkit_remover.rar

stahnout, rozbalit na plochu, spustit

po spusteni klik pravym mysidlem do okna, zvolit moznost Vybrat vse, CTRL+C a sem do odpovedi CTRL+V (tim mi sem plesknete log)

[jiri25]

jsem tu opět a dle návodu tedy vkládám log z tabulky


Bootkit Remover version 1.0.0.1
<c> 2009 eSage Lab
www.esagelab.com

\\.\C: -> \\.\PhysicalDrive0
MD5: 6def5ffcbcdbdb4082f1015625e597bd
\\.\E: -> \\.\PhysicalDrive0
\\.\F: -> \\.\PhysicalDrive1
MD5: 6def5ffcbcdbdb4082f1015625e597bd

Size Device Name MBR Status
-------------------------------------------------
144 GB \\.\PhysicalDrive0 OK <DOS/Win32 Boot code found>
931 GB \\.\PhysicalDrive1 OK <DOS/Win32 Boot code found>

Press any key to quit...

[riffman]

stahnete TDSSKiller , rozbalte do slozky C:\WINDOWS\system32\drivers a spustte


v operacnich systemech Windows Vista a Windows 7 spoustejte aplikaci jako spravce (kliknutim pravym mysitkem na ikonu aplikace a volbou "Spustit jako spravce"

zobrazi se nasledujici okno:



probehne sken, na jehoz konci se v pripade infekce zobrazi nasledujici okno:



Pokud uvidite na poslednim radku hlasku "Close all programs and choose Y to restart or N to continue", zmacknete klavesu Y a vas stroj bude restartovan

po restartu znovu aplikujte Combofix a vlozte sem log po aplikaci