Avast mi našel Win32:Adware-gen

[astridlindgren]

Avast mi cca před dvěma týdny našel v System Volume Information/_restore... Win32:Adware-gen. Vymazal jsem všechny body obnovení a pak se vše chovalo O.K. Před pár dny se v emailu mnohonásobně zvýšila četnost spamů - bohužel jsem u některých i odesilatelem. Avast nic nenašel. Přikládám log z RSIT a prosím o kontrolu. Díky.

Logfile of random's system information tool 1.06 (written by random/random)
Run by Rodina at 2010-09-05 23:18:07
Microsoft Windows XP Home Edition Service Pack 3
System drive C: has 29 GB (48%) free of 61 GB
Total RAM: 1023 MB (55% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:18:29, on 5.9.2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

[eda]

Dobrý den,
tento soubor otestujte online na www.virustotal.com :
C:\WINDOWS\system32\Dvbpws.dll
Do okna vložte cestu k souboru a dejte Odeslat.
Výsledek sem zkopírujte.

[astridlindgren]

Je to čisté ...

File name:
Dvbpws.dll
Submission date:
2010-09-06 15:53:39 (UTC)
Current status:
queued queued analysing finished
Result:
0/ 43 (0.0%)

VT Community

not reviewed
Safety score: -
Compact
Print results
Antivirus Version Last Update Result
AhnLab-V3 2010.09.05.00 2010.09.04 -
AntiVir 8.2.4.50 2010.09.06 -
Antiy-AVL 2.0.3.7 2010.09.03 -
Authentium 5.2.0.5 2010.09.06 -
Avast 4.8.1351.0 2010.09.06 -
Avast5 5.0.594.0 2010.09.06 -
AVG 9.0.0.851 2010.09.06 -
BitDefender 7.2 2010.09.06 -
CAT-QuickHeal 11.00 2010.09.06 -
ClamAV 0.96.2.0-git 2010.09.06 -
Comodo 5988 2010.09.06 -
DrWeb 5.0.2.03300 2010.09.06 -
Emsisoft 5.0.0.37 2010.09.06 -
eSafe 7.0.17.0 2010.09.05 -
eTrust-Vet 36.1.7838 2010.09.06 -
F-Prot 4.6.1.107 2010.09.01 -
F-Secure 9.0.15370.0 2010.09.06 -
Fortinet 4.1.143.0 2010.09.05 -
GData 21 2010.09.06 -
Ikarus T3.1.1.88.0 2010.09.06 -
Jiangmin 13.0.900 2010.09.06 -
K7AntiVirus 9.63.2453 2010.09.06 -
Kaspersky 7.0.0.125 2010.09.06 -
McAfee 5.400.0.1158 2010.09.06 -
McAfee-GW-Edition 2010.1B 2010.09.06 -
Microsoft 1.6103 2010.09.06 -
NOD32 5428 2010.09.06 -
Norman 6.05.11 2010.09.06 -
nProtect 2010-09-06.01 2010.09.06 -
Panda 10.0.2.7 2010.09.06 -
PCTools 7.0.3.5 2010.09.06 -
Prevx 3.0 2010.09.06 -
Rising 22.64.00.04 2010.09.06 -
Sophos 4.57.0 2010.09.06 -
Sunbelt 6838 2010.09.06 -
SUPERAntiSpyware 4.40.0.1006 2010.09.06 -
Symantec 20101.1.1.7 2010.09.06 -
TheHacker 6.5.2.1.365 2010.09.06 -
TrendMicro 9.120.0.1004 2010.09.06 -
TrendMicro-HouseCall 9.120.0.1004 2010.09.06 -
VBA32 3.12.14.0 2010.09.06 -
ViRobot 2010.9.6.4028 2010.09.06 -
VirusBuster 12.64.19.0 2010.09.06 -
Additional information
Show all
MD5 : c4103f122d27677c9db144cae1394a66
SHA1 : 1489f923c4dca729178b3e3233458550d8dddf29
SHA256: 96a296d224f285c67bee93c30f8a309157f0daa35dc5b87e410b78630a09cfc7

[eda]

O.K.
Klikněte na MBAM v mém podpise a dejte úplný scan. Zatím nic nemažte a výsledek sem vložte.

[astridlindgren]

Taky v pořádku ...

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Verze databáze: 4556

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

6.9.2010 21:44:24
mbam-log-2010-09-06 (21-44-24).txt

Typ skenu: Úplný sken (C:\|D:\|)
Skenované objekty: 187774
Uplynulý čas: 36 minuta(y), 35 sekunda(y)

Infikované procesy v paměti: 0
Infikované moduly v paměti: 0
Infikované klíče registru: 0
Infikované hodnoty registru: 0
Infikované datové položky registru: 0
Infikované složky: 0
Infikované soubory: 0

Infikované procesy v paměti:
(Žádné škodlivé položky nebyly zjištěny)

Infikované moduly v paměti:
(Žádné škodlivé položky nebyly zjištěny)

Infikované klíče registru:
(Žádné škodlivé položky nebyly zjištěny)

Infikované hodnoty registru:
(Žádné škodlivé položky nebyly zjištěny)

Infikované datové položky registru:
(Žádné škodlivé položky nebyly zjištěny)

Infikované složky:
(Žádné škodlivé položky nebyly zjištěny)

Infikované soubory:
(Žádné škodlivé položky nebyly zjištěny)

[Caroprd111]

Dobrý den,
zaskočím za kolegu.


Stáhněte OTL http://oldtimer.geekstogo.com/OTL.exe na plochu

• Spusťte, poté do spodního políčka vložte následující skript.

Kód: Vybrat vše

 netsvcs
drivers32
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /s
c:\windows\*.* /U
%SYSTEMDRIVE%\*.exe
%ALLUSERSPROFILE%\Application Data\*.
%ALLUSERSPROFILE%\Application Data\*.exe /s
%APPDATA%\*.
%APPDATA%\*.exe /s
/md5start
eventlog.dll
scecli.dll
netlogon.dll
cngaudit.dll
sceclt.dll
ntelogon.dll
logevent.dll
iaStor.sys
nvstor.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
vaxscsi.sys
nvatabus.sys
viamraid.sys
nvata.sys
nvgts.sys
iastorv.sys
ViPrt.sys
eNetHook.dll
ahcix86.sys
KR10N.sys
nvstor32.sys
ahcix86s.sys
nvrd32.sys 
symmpi.sys
adp3132.sys
mv61xx.sys
nvraid.sys 
ndis.sys
winlogon.exe
explorer.exe
userinit.exe
lsass.exe
svchost.exe
smss.exe
hal.dll
ws2_32.dll
tcpip.sys
cryptsvc.dll
Changer.sys
JakNDis.sys
isapnp.sys 
cdrom.sys 
/md5stop
%systemroot%\*. /mp /s
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\system32\drivers\*.sys /lockedfiles
%systemroot%\System32\config\*.sav 
%systemroot%\system32\*.dll /lockedfiles
reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\winlogon" /v GinaDLL /c
reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv" /v ImagePath /c
reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS" /v ImagePath /c
%systemroot%\system32\drivers\*.sys /3
%systemroot%\system32\*.* /3
CREATERESTOREPOINT 

• Označte položku Pro všechny uživatele.
• Označte položky Kontrola na havěť "LOP" a Kontrola na havěť "Purity"
• Klikněte na tlačítko Prohledat
• Po dokončení, sem vložte logy OTL.Txt a Extras.txt

[astridlindgren]

Dobrý den, vkládám logy a děkuji ...

OTL logfile created on: 7.9.2010 18:44:03 - Run 1
OTL by OldTimer - Version 3.2.11.0 Folder = C:\Documents and Settings\Rodina\Plocha
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000405 | Country: Česká republika | Language: CSY | Date Format: d.M.yyyy

1 023,00 Mb Total Physical Memory | 578,00 Mb Available Physical Memory | 56,00% Memory free
2,00 Gb Paging File | 2,00 Gb Available in Paging File | 82,00% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 59,35 Gb Total Space | 28,59 Gb Free Space | 48,16% Space Free | Partition Type: NTFS
Drive D: | 126,96 Gb Total Space | 3,67 Gb Free Space | 2,89% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name:
Current User Name: Rodina
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

[astridlindgren]

OTL Extras logfile created on: 7.9.2010 18:44:03 - Run 1
OTL by OldTimer - Version 3.2.11.0 Folder = C:\Documents and Settings\Rodina\Plocha
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000405 | Country: Česká republika | Language: CSY | Date Format: d.M.yyyy

1 023,00 Mb Total Physical Memory | 578,00 Mb Available Physical Memory | 56,00% Memory free
2,00 Gb Paging File | 2,00 Gb Available in Paging File | 82,00% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 59,35 Gb Total Space | 28,59 Gb Free Space | 48,16% Space Free | Partition Type: NTFS
Drive D: | 126,96 Gb Total Space | 3,67 Gb Free Space | 2,89% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name:
Current User Name: Rodina
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

[Caroprd111]

Spusťte OTL a do spodního okna vložte následující skript.

Kód: Vybrat vše

:Commands
[EMPTYTEMP] 
[EMPTYFLASH]
[CLEARALLRESTOREPOINTS]

:OTL
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
@Alternate Data Stream - 100 bytes -> C:\Documents and Settings\All Users\Data aplikací\TEMP:C31F31E6

Klikněte na Opravit, PC se restartuje, log vložte sem.

[astridlindgren]

All processes killed
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: LocalService
->Temp folder emptied: 1058936 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService
->Temp folder emptied: 2387804 bytes
->Temporary Internet Files folder emptied: 33237 bytes

User: Petr
->Temp folder emptied: 14587937 bytes
->Temporary Internet Files folder emptied: 426278 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 37371187 bytes
->Flash cache emptied: 1638 bytes

User: Rodina
->Temp folder emptied: 951 bytes
->Temporary Internet Files folder emptied: 812177 bytes

User: Rodina.
->Temp folder emptied: 24013170 bytes
->Temporary Internet Files folder emptied: 416247 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 36420129 bytes
->Flash cache emptied: 483 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 2134153 bytes
%systemroot%\System32 .tmp files removed: 2504 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 1231034 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 40767314 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 135283 bytes

Total Files Cleaned = 154,00 mb


[EMPTYFLASH]

User: All Users

User: Default User

User: LocalService

User: NetworkService

User: Petr
->Flash cache emptied: 0 bytes

User: Rodina

User: Rodina.
->Flash cache emptied: 0 bytes

Total Flash Files Cleaned = 0,00 mb

Restore points cleared and new OTL Restore Point set!
========== OTL ==========
Starting removal of ActiveX control {E2883E8F-472F-4FB0-9522-AC9BF37916A7}
C:\WINDOWS\Downloaded Program Files\gp.inf not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
ADS C:\Documents and Settings\All Users\Data aplikací\TEMP:C31F31E6 deleted successfully.

OTL by OldTimer - Version 3.2.11.0 log created on 09072010_201725

Files\Folders moved on Reboot...
File move failed. C:\WINDOWS\temp\_avast5_\Webshlock.txt scheduled to be moved on reboot.

Registry entries deleted on Reboot...

[Caroprd111]

Odinstalujte všechny emulátory virtuálních mechanik.

Stáhněte SPTD http://www.duplexsecure.com/en/downloads

• Vyberte verzi podle svého operačního systému (64 & 32b). Uložte na plochu a spusťte.
• zvolte možnost Uninstall a restartujte PC.

Stáhněte a spusťte http://www.jpshortstuff.247fixes.com/Defogger.exe

• Klikněte na "Disable" a restartujte PC.

Stáhněte MBR na plochu http://www2.gmer.net/mbr/mbr.exe

Start > Spustit (Win + R)

• Vyskočí okénko, zkopírujte do něj:

Kód: Vybrat vše

"%userprofile%\plocha\mbr" -t

• Klikněte na OK

• Vytvoří se log s názvem mbr.log, vložte ho sem.

Dejte log z Gmer http://www.viry.cz/forum/viewtopic.php?f=29&t=62878

[astridlindgren]

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
kernel: MBR read successfully
user & kernel MBR OK

[Caroprd111]

Ok, ještě Gmer.

[astridlindgren]

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit quick scan 2010-09-07 22:25:17
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\RODINA~1.PET\LOCALS~1\Temp\kwdoipow.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwEnumerateKey [0xAE75B60A]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwEnumerateValueKey [0xAE75B864]

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObInsertObject
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObMakeTemporaryObject

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/ALWIL Software)

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Ip cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Tcp cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Udp cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\RawIp cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

---- EOF - GMER 1.0.15 ----

[astridlindgren]

Druhý log obsahoval na vložení moc znaků, proto volím přiložení formou zip souboru. Děkuji.