
PC disinfection, computer speed-up, remote help via the neslape.cz service
Please check my log
Moderator: Moderators
Forum rules
If you want help, post a log from FRST [guide here] or RSIT [guide here]
Individual threads will be locked once resolved, as will those that have been inactive for more than 14 days. See the rule on locking topics. Thank you for your understanding.
!NEW!
You can now use the remote help service, where a specialist connects to your computer and gets the details of the problem from you by phone! More at www.neslape.cz
Re: Please check my log
Above all, uninstall one of the antiviruses; only then proceed with CF...
- Visitor
- Posts: 33
- Registered: 26 Sep 2010 12:39
Re: Please check my log
I finally managed to get the CF log, so I'm attaching it and asking for another check. Thank you.
ComboFix 10-09-27.05 - Pospíšil 28.09.2010 11:20:37.2.1 - x86
Systém Microsoft Windows XP Professional 5.1.2600.2.1250.420.1029.18.895.629 [GMT 2:00]
Spuštěný z: c:\documents and settings\Pospíšil\Plocha\ComboFix.exe
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
AV: Eset NOD32 Antivirus 2.50 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
* Rezidentní štít AV je zapnutý
VAROVÁNÍ - NA TOMTO POČÍTAČI NENÍ NAINSTALOVÁNA KONZOLA PRO ZOTAVENÍ !!
.
((((((((((((((((((((((((( Soubory vytvořené od 2010-08-28 do 2010-09-28 )))))))))))))))))))))))))))))))
.
2010-09-26 12:52 . 2010-09-26 12:52 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-09-26 12:52 . 2010-09-26 12:52 -------- d-----w- c:\program files\Hitman Pro 3.5
2010-09-26 12:20 . 2010-09-26 12:20 -------- d-----w- c:\program files\HD Tune
2010-09-26 05:39 . 2010-09-26 05:39 -------- d-----w- c:\program files\CCleaner
2010-09-14 01:39 . 2010-09-28 08:28 -------- d-----w- c:\program files\Lark Anti-Spyware
2010-09-13 09:07 . 2010-09-13 09:07 18944 ----a-w- c:\windows\system32\vbCPUInf.dll
2010-09-13 08:56 . 2010-09-26 05:48 -------- d-----w- c:\windows\vbSkinner
2010-09-13 08:55 . 2010-09-13 08:55 737280 ----a-w- c:\windows\iun6002.exe
2010-09-13 08:55 . 2010-09-13 08:55 -------- d-----w- c:\program files\CM Data Software
.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-28 06:42 . 2010-09-26 13:10 -------- d-----w- c:\program files\trend micro
2010-09-26 13:19 . 2010-08-28 10:45 -------- d-----w- c:\program files\Ask.com
2010-09-07 15:12 . 2010-06-29 06:10 38848 ----a-w- c:\windows\avastSS.scr
2010-09-07 15:11 . 2010-01-23 12:52 167592 ----a-w- c:\windows\system32\aswBoot.exe
2010-09-07 14:52 . 2010-01-23 12:53 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-09-07 14:52 . 2010-01-23 12:53 165584 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-09-07 14:47 . 2010-01-23 12:53 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-09-07 14:47 . 2010-01-23 12:53 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-09-07 14:47 . 2010-01-23 12:53 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-09-07 14:47 . 2010-01-23 12:53 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-09-07 14:46 . 2010-01-23 12:53 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-09-07 01:43 . 2010-07-20 01:43 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-08-29 19:30 . 2009-10-09 09:07 -------- d-----w- c:\program files\CDex_150
2010-08-28 10:47 . 2010-08-28 09:54 -------- d-----w- c:\program files\The KMPlayer
2010-08-27 02:24 . 2010-03-28 05:41 5 -c--a-w- c:\windows\system32\SySwmvtoavi.dat
2010-08-13 07:20 . 2010-06-05 08:04 -------- d-----w- c:\program files\Common Files\soft602
2010-08-12 11:14 . 2009-08-04 15:55 -------- d-----w- c:\program files\Webteh
2010-08-04 10:45 . 2010-08-04 10:45 -------- d-----w- c:\program files\Common Files\Java
2010-08-04 10:45 . 2010-05-06 16:41 -------- d-----w- c:\program files\Java
2010-07-31 08:15 . 2010-07-31 07:49 -------- d-----w- c:\program files\VSO
2010-07-26 08:19 . 2009-12-22 02:06 11532 -csha-w- c:\windows\system32\KGyGaAvL.sys
2010-07-17 03:00 . 2010-07-19 06:14 423656 ----a-w- c:\windows\system32\deployJava1.dll
.
((((((((((((((((((((((((((((( SnapShot@2010-09-26_21.48.53 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-09-28 09:18 . 2010-09-28 09:18 16384 c:\windows\Temp\Perflib_Perfdata_4c0.dat
.
(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GAINWARD"="c:\program files\EXPERTool\TBPanel.exe" [2009-08-19 2181672]
"RocketDock"="c:\program files\RocketDock\RocketDock.exe" [2007-09-02 495616]
"Seznam Postak"="c:\documents and settings\Pospíšil\Local Settings\Data aplikací\Seznam.cz\postak.exe" [2010-05-19 462104]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2010-04-06 26102056]
"ICQ"="c:\program files\ICQ6.5\ICQ.exe" [2009-11-16 172792]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools-1033"="c:\program files\D-Tools\daemon.exe" [2004-08-22 81920]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-09-07 2838912]
"nod32kui"="c:\program files\Eset\nod32kui.exe" [2010-05-12 917504]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-04-14 13684736]
"nwiz"="nwiz.exe" [2009-04-14 1657376]
"HDAudDeck"="c:\program files\VIA\VIAudioi\HDADeck\HDeck.exe" [2009-12-03 33718272]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-04-14 86016]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-17 15360]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OneClick Cleanup]
2006-10-08 17:46 258048 ----a-w- c:\program files\CM Data Software\CM DiskCleaner\OneClick Cleanup.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Startup Cleaner]
2006-10-08 16:59 122880 ----a-w- c:\program files\CM Data Software\CM DiskCleaner\Startup Cleaner.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"LogitechSoftwareUpdate"="c:\program files\Logitech\Video\ManifestEngine.exe" boot
"NBJ"="c:\program files\Ahead\Nero BackItUp\NBJ.exe"
"CTFMON.EXE"=c:\windows\system32\ctfmon.exe
"MSMSGS"="c:\progra~1\MESSEN~1\msmsgs.exe" /background
"OEXPRESS"=c:\windows\OETRN.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"LogitechVideoTray"=c:\program files\Logitech\Video\LogiTray.exe
"LogitechVideoRepair"=c:\program files\Logitech\Video\ISStart.exe
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe"
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe"
"LVCOMSX"=c:\windows\system32\LVCOMSX.EXE
"NeroFilterCheck"=c:\windows\system32\NeroCheck.exe
"CHotkey"=mHotkey.exe
"NvMediaCenter"=RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
"SoundMan"=SOUNDMAN.EXE
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe"
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\ICQ6.5\\ICQ.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Edisk\\eDisk klient\\eDisk klient.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
R0 d347bus;d347bus;c:\windows\system32\drivers\d347bus.sys [4.8.2009 17:55 155136]
R0 d347prt;d347prt;c:\windows\system32\drivers\d347prt.sys [4.8.2009 17:55 5248]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [23.1.2010 14:53 165584]
R2 602XML Updater;602Updater;c:\program files\Common Files\soft602\602updsvc\602updsvc.exe [14.4.2010 11:28 73728]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [23.1.2010 14:53 17744]
R3 AsAudioDevice_351;AsAudioDevice_351;c:\windows\system32\drivers\AsAudioDevice_351.sys [4.1.2010 4:46 16640]
R3 MosIrUsb;MosIrUsb.sys;c:\windows\system32\drivers\MosIrUsb.sys [14.4.2004 15:52 20736]
R3 Safetica;Safetica Encryption Driver;c:\windows\system32\drivers\safetica.sys [18.4.2010 11:41 272504]
R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [21.5.2010 23:15 1617408]
S3 AMBFilt;AMBFilt;c:\windows\system32\drivers\Ambfilt.sys [21.5.2010 23:15 1656960]
S3 AsrCDDrv;AsrCDDrv;\??\c:\windows\system32\Drivers\AsrCDDrv.sys --> c:\windows\system32\Drivers\AsrCDDrv.sys [?]
S3 DfSdkS;Defragmentation-Service;c:\program files\Ashampoo\Ashampoo WinOptimizer 6\DfSdkS.exe [21.6.2010 20:09 406016]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [30.1.2010 14:19 721904]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Obsah adresáře 'Naplánované úlohy'
2010-09-28 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2008\OneClickStarter.exe [2008-06-20 08:09]
2010-09-28 c:\windows\Tasks\Automatic maintenance.job
- c:\program files\TuneUp Utilities 2008\OneClickStarter.exe [2008-06-20 08:09]
2010-09-28 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
- c:\program files\Ask.com\UpdateTask.exe [2010-02-04 14:50]
.
.
------- Doplňkový sken -------
.
uStart Page = hxxp://www.seznam.cz/
uInternet Settings,ProxyOverride = localhost
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: Crawler Search - tbr:iemenu
IE: E&xportovat do aplikace Microsoft Office Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: {{20954C80-4F0F-11d3-B17C-00C0DFE39736} - c:\program files\Dzuso\Nastavenie.exe
IE: {{7E6A20FB-153F-402c-A84B-1A64E1955D3D} - {7E6A20FB-153F-402c-A84B-1A64E1955D3D} - c:\windows\WebIE.dll
IE: {{CC963627-B1DC-40E0-B52A-CF21EE748449} - {CC963627-B1DC-40E0-B52A-CF21EE748450} - c:\windows\WebIE.dll
IE: {{CC963627-B1DC-40E0-B52A-CF21EE748450} - {CC963627-B1DC-40E0-B52A-CF21EE748450} - c:\windows\WebIE.dll
IE: {{CC963627-B1DC-40E0-B52A-CF21EE748451} - {CC963627-B1DC-40E0-B52A-CF21EE748451} - c:\windows\WebIE.dll
IE: {{CC963627-B1DC-40E0-B52A-CF21EE748452} - {CC963627-B1DC-40E0-B52A-CF21EE748452} - c:\windows\WebIE.dll
LSP: imon.dll
Handler: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - c:\progra~1\Crawler\Toolbar\ctbr.dll
DPF: {672EE252-D813-4F5E-81BB-5DD163DD4FA5} - hxxps://www.mojedatovaschranka.cz/static/pages/ ... b?3,14,8,0
FF - ProfilePath - c:\documents and settings\Pospíšil\Data aplikací\Mozilla\Firefox\Profiles\qai3mkmu.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT1750559&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine -
FF - prefs.js: browser.startup.homepage - hxxp://cs.start3.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:cs:official
FF - prefs.js: keyword.URL - hxxp://www.crawler.com/search/dispatcher.aspx? ... 60347&qkw=
FF - component: c:\documents and settings\Pospíšil\Data aplikací\Mozilla\Firefox\Profiles\qai3mkmu.default\extensions\{a1e75a0e-4397-4ba8-bb50-e19fb66890f4}\components\FFExternalAlert.dll
FF - component: c:\documents and settings\Pospíšil\Data aplikací\Mozilla\Firefox\Profiles\qai3mkmu.default\extensions\{a1e75a0e-4397-4ba8-bb50-e19fb66890f4}\components\RadioWMPCore.dll
FF - component: c:\documents and settings\Pospíšil\Data aplikací\Mozilla\Firefox\Profiles\qai3mkmu.default\extensions\{fed66dc5-1b74-4a04-8f5c-15c5ace2b9a5}\components\FFExternalAlert.dll
FF - component: c:\documents and settings\Pospíšil\Data aplikací\Mozilla\Firefox\Profiles\qai3mkmu.default\extensions\{fed66dc5-1b74-4a04-8f5c-15c5ace2b9a5}\components\RadioWMPCore.dll
FF - component: c:\program files\Crawler\Toolbar\firefox\components\xcomm.dll
FF - component: c:\program files\Crawler\Toolbar\firefox\components\xshared.dll
FF - component: c:\program files\Crawler\Toolbar\firefox\components\xsupport.dll
FF - component: c:\program files\Crawler\Toolbar\firefox\components\xwsg.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npfiller.dll
---- NASTAVENÍ FIREFOXU ----
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: content.max.tokenizing.time - 200000
FF - user.js: content.notify.interval - 100000
FF - user.js: content.switch.threshold - 650000
FF - user.js: nglayout.initialpaint.delay - 300
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".cz");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-09-28 11:26
Windows 5.1.2600 Service Pack 2 NTFS
skenování skrytých procesů ...
skenování skrytých položek 'Po spuštění' ...
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HDAudDeck = c:\program files\VIA\VIAudioi\HDADeck\HDeck.exe 1????????????????????????????????????????????????
skenování skrytých souborů ...
sken byl úspešně dokončen
skryté soubory: 0
**************************************************************************
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x84FB11E0]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf74cbfc3
\Driver\ACPI -> ACPI.sys @ 0xf7338cb8
\Driver\atapi -> 0x84fb11e0
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x8057807e
ParseProcedure -> ntkrnlpa.exe @ 0x80576ce0
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x8057807e
ParseProcedure -> ntkrnlpa.exe @ 0x80576ce0
NDIS: Realtek RTL8139/810x Family Fast Ethernet NIC -> SendCompleteHandler -> NDIS.sys @ 0xf719bbc3
PacketIndicateHandler -> NDIS.sys @ 0xf7189a0b
SendHandler -> NDIS.sys @ 0xf719db31
Warning: possible MBR rootkit infection !
user & kernel MBR OK
**************************************************************************
.
--------------------- ZAMKNUTÉ KLÍČE V REGISTRU ---------------------
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
Celkový čas: 2010-09-28 11:28:58
ComboFix-quarantined-files.txt 2010-09-28 09:28
Před spuštěním: 2 190 053 376
Po spuštění: 2 176 446 464
Current=5 Default=5 Failed=4 LastKnownGood=6 Sets=1,2,3,4,5,6
- - End Of File - - DDA50CB8AABBD5E3FE6CBAE8D5E46466
- Visitor
- Posts: 33
- Registered: 26 Sep 2010 12:39
Re: Please check my log
I just don't understand why the NOD resident shield is shown as on when I turned it off completely and the icon disappeared too.

Re: Please check my log
CF probably reported it wrong, but there are still two antiviruses there, so uninstall one as I already wrote.
In the meantime I'll write a script for CF. The uninstallers are here. If NOD is the one you bought, then remove Avast using this: http://www.avast.com/cs-cz/uninstall-utility

Re: Please check my log
After uninstalling one antivirus, apply the CF script according to the instructions below.
If you don't have it there, move ComboFix to the desktop.
It can happen that Windows won't boot after the script is applied; in that case restart the PC, keep pressing F8 and choose Last Known Good Configuration.

- Spustte poznamkovy blok (Start-spustit-notepad)
- Zkopirujte skript nize
Kód: Vybrat vše
Folder:: c:\program files\Ask.com Registry:: [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Skype"=- "ICQ"=- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "DAEMON Tools-1033"=- File:: c:\windows\Tasks\Scheduled Update for Ask Toolbar.job DDS:: uSearchURL,(Default) = hxxp://www.google.com/keyword/%s FireFox:: FF - ProfilePath - c:\documents and settings\Pospíšil\Data aplikací\Mozilla\Firefox\Profiles\qai3mkmu.default\ FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.as ... ource=3&q={searchTerms} FF - prefs.js: browser.startup.homepage - hxxp://cs.start3.mozilla.com/firefox?cl ... s:official FF - prefs.js: keyword.URL - hxxp://www.crawler.com/search/dispatche ... 60347&qkw= RegLock:: [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}] [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation] [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32] [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib] [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}] [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32] [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
- Ulozte vytvoreny TXT jako CFScript.txt
- Pretahnete vytvoreny CFScript.txt nad Combofix a pustte (viz obrazek nize)
- Po aplikaci skriptu (a pripadnem restartu) na Vas vypadne log, jeho obsah sem vlozte

- Guest
- Posts: 33
- Registered: 26 Sep 2010 12:39
Re: please check my log
Where should I save the script, please? Into a new folder on the desktop as usual?
Re: please check my log
Directly on the desktop (not into a folder), the same as ComboFix; then just drag the script onto CF as the picture shows...
- Guest
- Posts: 33
- Registered: 26 Sep 2010 12:39
Re: please check my log
I am reluctant to uninstall Avast! completely for now, so I at least disabled it completely. Is that enough? I would like to use it some day just for scanning the PC. And here is the CF log.
ComboFix 10-09-27.05 - Pospíšil 28.09.2010 12:19:11.3.1 - x86
Systém Microsoft Windows XP Professional 5.1.2600.2.1250.420.1029.18.895.627 [GMT 2:00]
Spuštěný z: c:\documents and settings\Pospíšil\Plocha\ComboFix.exe
Použité ovládací přepínače :: c:\documents and settings\Pospíšil\Plocha\CFScript.txt
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
AV: Eset NOD32 Antivirus 2.50 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
* Rezidentní štít AV je zapnutý
VAROVÁNÍ - NA TOMTO POČÍTAČI NENÍ NAINSTALOVÁNA KONZOLA PRO ZOTAVENÍ !!
FILE ::
"c:\windows\Tasks\Scheduled Update for Ask Toolbar.job"
.
((((((((((((((((((((((((((((((((((((((( Ostatní výmazy )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\program files\Ask.com
c:\program files\Ask.com\cobrand.ico
c:\program files\Ask.com\config.xml
c:\program files\Ask.com\favicon.ico
c:\program files\Ask.com\mupcfg.xml
c:\program files\Ask.com\SaUpdate.exe
c:\program files\Ask.com\UpdateTask.exe
c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
.
((((((((((((((((((((((((( Soubory vytvořené od 2010-08-28 do 2010-09-28 )))))))))))))))))))))))))))))))
.
2010-09-28 06:42 . 2010-09-28 06:42 -------- d-----w- C:\rsit
2010-09-26 13:10 . 2010-09-28 06:42 -------- d-----w- c:\program files\trend micro
2010-09-26 12:52 . 2010-09-26 12:52 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-09-26 12:52 . 2010-09-26 12:52 -------- d-----w- c:\program files\Hitman Pro 3.5
2010-09-26 12:20 . 2010-09-26 12:20 -------- d-----w- c:\program files\HD Tune
2010-09-26 05:39 . 2010-09-26 05:39 -------- d-----w- c:\program files\CCleaner
2010-09-14 01:39 . 2010-09-28 08:28 -------- d-----w- c:\program files\Lark Anti-Spyware
2010-09-13 09:07 . 2010-09-13 09:07 18944 ----a-w- c:\windows\system32\vbCPUInf.dll
2010-09-13 08:56 . 2010-09-26 05:48 -------- d-----w- c:\windows\vbSkinner
2010-09-13 08:55 . 2010-09-13 08:55 737280 ----a-w- c:\windows\iun6002.exe
2010-09-13 08:55 . 2010-09-13 08:55 -------- d-----w- c:\program files\CM Data Software
.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-07 15:12 . 2010-06-29 06:10 38848 ----a-w- c:\windows\avastSS.scr
2010-09-07 15:11 . 2010-01-23 12:52 167592 ----a-w- c:\windows\system32\aswBoot.exe
2010-09-07 14:52 . 2010-01-23 12:53 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-09-07 14:52 . 2010-01-23 12:53 165584 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-09-07 14:47 . 2010-01-23 12:53 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-09-07 14:47 . 2010-01-23 12:53 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-09-07 14:47 . 2010-01-23 12:53 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-09-07 14:47 . 2010-01-23 12:53 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-09-07 14:46 . 2010-01-23 12:53 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-09-07 01:43 . 2010-07-20 01:43 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-08-29 19:30 . 2009-10-09 09:07 -------- d-----w- c:\program files\CDex_150
2010-08-28 10:47 . 2010-08-28 09:54 -------- d-----w- c:\program files\The KMPlayer
2010-08-27 02:24 . 2010-03-28 05:41 5 -c--a-w- c:\windows\system32\SySwmvtoavi.dat
2010-08-13 07:20 . 2010-06-05 08:04 -------- d-----w- c:\program files\Common Files\soft602
2010-08-12 11:14 . 2009-08-04 15:55 -------- d-----w- c:\program files\Webteh
2010-08-04 10:45 . 2010-08-04 10:45 -------- d-----w- c:\program files\Common Files\Java
2010-08-04 10:45 . 2010-05-06 16:41 -------- d-----w- c:\program files\Java
2010-07-31 08:15 . 2010-07-31 07:49 -------- d-----w- c:\program files\VSO
2010-07-26 08:19 . 2009-12-22 02:06 11532 -csha-w- c:\windows\system32\KGyGaAvL.sys
2010-07-17 03:00 . 2010-07-19 06:14 423656 ----a-w- c:\windows\system32\deployJava1.dll
.
((((((((((((((((((((((((((((( SnapShot@2010-09-26_21.48.53 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-09-28 10:17 . 2010-09-28 10:17 16384 c:\windows\Temp\Perflib_Perfdata_4b4.dat
.
(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GAINWARD"="c:\program files\EXPERTool\TBPanel.exe" [2009-08-19 2181672]
"RocketDock"="c:\program files\RocketDock\RocketDock.exe" [2007-09-02 495616]
"Seznam Postak"="c:\documents and settings\Pospíšil\Local Settings\Data aplikací\Seznam.cz\postak.exe" [2010-05-19 462104]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-09-07 2838912]
"nod32kui"="c:\program files\Eset\nod32kui.exe" [2010-05-12 917504]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-04-14 13684736]
"nwiz"="nwiz.exe" [2009-04-14 1657376]
"HDAudDeck"="c:\program files\VIA\VIAudioi\HDADeck\HDeck.exe" [2009-12-03 33718272]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-04-14 86016]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-17 15360]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OneClick Cleanup]
2006-10-08 17:46 258048 ----a-w- c:\program files\CM Data Software\CM DiskCleaner\OneClick Cleanup.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Startup Cleaner]
2006-10-08 16:59 122880 ----a-w- c:\program files\CM Data Software\CM DiskCleaner\Startup Cleaner.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"LogitechSoftwareUpdate"="c:\program files\Logitech\Video\ManifestEngine.exe" boot
"NBJ"="c:\program files\Ahead\Nero BackItUp\NBJ.exe"
"CTFMON.EXE"=c:\windows\system32\ctfmon.exe
"MSMSGS"="c:\progra~1\MESSEN~1\msmsgs.exe" /background
"OEXPRESS"=c:\windows\OETRN.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"LogitechVideoTray"=c:\program files\Logitech\Video\LogiTray.exe
"LogitechVideoRepair"=c:\program files\Logitech\Video\ISStart.exe
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe"
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe"
"LVCOMSX"=c:\windows\system32\LVCOMSX.EXE
"NeroFilterCheck"=c:\windows\system32\NeroCheck.exe
"CHotkey"=mHotkey.exe
"NvMediaCenter"=RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
"SoundMan"=SOUNDMAN.EXE
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe"
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\ICQ6.5\\ICQ.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Edisk\\eDisk klient\\eDisk klient.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
R0 d347bus;d347bus;c:\windows\system32\drivers\d347bus.sys [4.8.2009 17:55 155136]
R0 d347prt;d347prt;c:\windows\system32\drivers\d347prt.sys [4.8.2009 17:55 5248]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [23.1.2010 14:53 165584]
R2 602XML Updater;602Updater;c:\program files\Common Files\soft602\602updsvc\602updsvc.exe [14.4.2010 11:28 73728]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [23.1.2010 14:53 17744]
R3 AsAudioDevice_351;AsAudioDevice_351;c:\windows\system32\drivers\AsAudioDevice_351.sys [4.1.2010 4:46 16640]
R3 MosIrUsb;MosIrUsb.sys;c:\windows\system32\drivers\MosIrUsb.sys [14.4.2004 15:52 20736]
R3 Safetica;Safetica Encryption Driver;c:\windows\system32\drivers\safetica.sys [18.4.2010 11:41 272504]
R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [21.5.2010 23:15 1617408]
S3 AMBFilt;AMBFilt;c:\windows\system32\drivers\Ambfilt.sys [21.5.2010 23:15 1656960]
S3 AsrCDDrv;AsrCDDrv;\??\c:\windows\system32\Drivers\AsrCDDrv.sys --> c:\windows\system32\Drivers\AsrCDDrv.sys [?]
S3 DfSdkS;Defragmentation-Service;c:\program files\Ashampoo\Ashampoo WinOptimizer 6\DfSdkS.exe [21.6.2010 20:09 406016]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [30.1.2010 14:19 721904]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Obsah adresáře 'Naplánované úlohy'
2010-09-28 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2008\OneClickStarter.exe [2008-06-20 08:09]
2010-09-28 c:\windows\Tasks\Automatic maintenance.job
- c:\program files\TuneUp Utilities 2008\OneClickStarter.exe [2008-06-20 08:09]
.
.
------- Doplňkový sken -------
.
uStart Page = hxxp://www.seznam.cz/
uInternet Settings,ProxyOverride = localhost
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: Crawler Search - tbr:iemenu
IE: E&xportovat do aplikace Microsoft Office Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: {{20954C80-4F0F-11d3-B17C-00C0DFE39736} - c:\program files\Dzuso\Nastavenie.exe
IE: {{7E6A20FB-153F-402c-A84B-1A64E1955D3D} - {7E6A20FB-153F-402c-A84B-1A64E1955D3D} - c:\windows\WebIE.dll
IE: {{CC963627-B1DC-40E0-B52A-CF21EE748449} - {CC963627-B1DC-40E0-B52A-CF21EE748450} - c:\windows\WebIE.dll
IE: {{CC963627-B1DC-40E0-B52A-CF21EE748450} - {CC963627-B1DC-40E0-B52A-CF21EE748450} - c:\windows\WebIE.dll
IE: {{CC963627-B1DC-40E0-B52A-CF21EE748451} - {CC963627-B1DC-40E0-B52A-CF21EE748451} - c:\windows\WebIE.dll
IE: {{CC963627-B1DC-40E0-B52A-CF21EE748452} - {CC963627-B1DC-40E0-B52A-CF21EE748452} - c:\windows\WebIE.dll
LSP: imon.dll
Handler: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - c:\progra~1\Crawler\Toolbar\ctbr.dll
DPF: {672EE252-D813-4F5E-81BB-5DD163DD4FA5} - hxxps://www.mojedatovaschranka.cz/static/pages/ ... b?3,14,8,0
FF - ProfilePath - c:\documents and settings\Pospíšil\Data aplikací\Mozilla\Firefox\Profiles\qai3mkmu.default\
FF - prefs.js: browser.search.selectedEngine -
FF - component: c:\documents and settings\Pospíšil\Data aplikací\Mozilla\Firefox\Profiles\qai3mkmu.default\extensions\{a1e75a0e-4397-4ba8-bb50-e19fb66890f4}\components\FFExternalAlert.dll
FF - component: c:\documents and settings\Pospíšil\Data aplikací\Mozilla\Firefox\Profiles\qai3mkmu.default\extensions\{a1e75a0e-4397-4ba8-bb50-e19fb66890f4}\components\RadioWMPCore.dll
FF - component: c:\documents and settings\Pospíšil\Data aplikací\Mozilla\Firefox\Profiles\qai3mkmu.default\extensions\{fed66dc5-1b74-4a04-8f5c-15c5ace2b9a5}\components\FFExternalAlert.dll
FF - component: c:\documents and settings\Pospíšil\Data aplikací\Mozilla\Firefox\Profiles\qai3mkmu.default\extensions\{fed66dc5-1b74-4a04-8f5c-15c5ace2b9a5}\components\RadioWMPCore.dll
FF - component: c:\program files\Crawler\Toolbar\firefox\components\xcomm.dll
FF - component: c:\program files\Crawler\Toolbar\firefox\components\xshared.dll
FF - component: c:\program files\Crawler\Toolbar\firefox\components\xsupport.dll
FF - component: c:\program files\Crawler\Toolbar\firefox\components\xwsg.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npfiller.dll
---- NASTAVENÍ FIREFOXU ----
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: content.max.tokenizing.time - 200000
FF - user.js: content.notify.interval - 100000
FF - user.js: content.switch.threshold - 650000
FF - user.js: nglayout.initialpaint.delay - 300
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".cz");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-09-28 12:24
Windows 5.1.2600 Service Pack 2 NTFS
skenování skrytých procesů ...
skenování skrytých položek 'Po spuštění' ...
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HDAudDeck = c:\program files\VIA\VIAudioi\HDADeck\HDeck.exe 1????????????????????????????????????????????????
skenování skrytých souborů ...
sken byl úspešně dokončen
skryté soubory: 0
**************************************************************************
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x84FB2CE8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf74cbfc3
\Driver\ACPI -> ACPI.sys @ 0xf7338cb8
\Driver\atapi -> 0x84fb2ce8
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x8057807e
ParseProcedure -> ntkrnlpa.exe @ 0x80576ce0
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x8057807e
ParseProcedure -> ntkrnlpa.exe @ 0x80576ce0
NDIS: Realtek RTL8139/810x Family Fast Ethernet NIC -> SendCompleteHandler -> NDIS.sys @ 0xf719bbc3
PacketIndicateHandler -> NDIS.sys @ 0xf7189a0b
SendHandler -> NDIS.sys @ 0xf719db31
Warning: possible MBR rootkit infection !
user & kernel MBR OK
**************************************************************************
.
Celkový čas: 2010-09-28 12:27:06
ComboFix-quarantined-files.txt 2010-09-28 10:27
ComboFix2.txt 2010-09-28 09:28
Před spuštěním: 2 183 122 944
Po spuštění: 2 175 070 208
Current=5 Default=5 Failed=4 LastKnownGood=6 Sets=1,2,3,4,5,6
- - End Of File - - 818BB5A15E93FAF712C082B345D7F077
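The Gmer "Stealth MBR rootkit detector" block in the log above is what the next reply reacts to: an UNKNOWN entry in the disk I/O call chain and a \Driver\atapi hook that points at a bare address instead of a named driver, while the MBR itself reads OK. As an added example (not part of this thread, ComboFix or Gmer), here is a small Python parser that pulls those facts out of such a section and turns them into review notes; the function names are hypothetical and the sample input is the detector section copied from the log above. A disk emulator driver such as sptd.sys (listed as S4 sptd in the same log) can produce exactly this pattern, which is why the reply asks to remove the emulators and SPTD before running the MBR tool again.

```python
"""Parse the Gmer 'Stealth MBR rootkit detector' section of a ComboFix log.

Added example with hypothetical helper names (not ComboFix or Gmer code).
It extracts the 'called modules' chain and the hook list and flags entries
the detector could not attribute to a loaded driver.
"""
import re

# Constructed sample: the detector section as posted in the log above.
SAMPLE_LOG = r"""
**************************************************************************
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x84FB2CE8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf74cbfc3
\Driver\ACPI -> ACPI.sys @ 0xf7338cb8
\Driver\atapi -> 0x84fb2ce8
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x8057807e
ParseProcedure -> ntkrnlpa.exe @ 0x80576ce0
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x8057807e
ParseProcedure -> ntkrnlpa.exe @ 0x80576ce0
NDIS: Realtek RTL8139/810x Family Fast Ethernet NIC -> SendCompleteHandler -> NDIS.sys @ 0xf719bbc3
PacketIndicateHandler -> NDIS.sys @ 0xf7189a0b
SendHandler -> NDIS.sys @ 0xf719db31
Warning: possible MBR rootkit infection !
user & kernel MBR OK
**************************************************************************
"""

UNKNOWN_RE = re.compile(r">>UNKNOWN \[(0x[0-9A-Fa-f]+)\]<<")
ADDR_RE = re.compile(r"^0x[0-9A-Fa-f]+$")


def parse_mbr_section(text):
    """Return the call chain, the hook list and the detector's own verdict lines."""
    f = {"called_modules": [], "unknown_modules": [], "hooks": [],
         "warning": False, "mbr_ok": False}
    in_hooks = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("called modules:"):
            body = line[len("called modules:"):]
            # Addresses Gmer could not map to a module are wrapped as >>UNKNOWN [..]<<
            f["unknown_modules"] = [m.group(1).lower() for m in UNKNOWN_RE.finditer(body)]
            f["called_modules"] = UNKNOWN_RE.sub("", body).split()
        elif line == "detected MBR rootkit hooks:":
            in_hooks = True
        elif line.startswith("Warning:"):
            in_hooks = False
            f["warning"] = True
        elif line == "user & kernel MBR OK":
            in_hooks = False
            f["mbr_ok"] = True
        elif line.startswith("***"):
            in_hooks = False
        elif in_hooks and " -> " in line:
            parts = [p.strip() for p in line.split(" -> ")]
            target = parts[-1]
            hook = {"object": parts[0], "module": None, "address": None, "resolved": True}
            if " @ " in target:
                # 'CLASSPNP.SYS @ 0xf74cbfc3': the hook lands inside a known driver image
                hook["module"], addr = target.rsplit(" @ ", 1)
                hook["address"] = addr.lower()
            elif ADDR_RE.match(target):
                # bare address: the hook lands in code Gmer could not attribute to any driver
                hook["address"] = target.lower()
                hook["resolved"] = False
            else:
                hook["module"] = target
            f["hooks"].append(hook)
    return f


def assess(f):
    """Turn parsed findings into review notes and a one-word verdict."""
    notes = []
    unresolved = [h for h in f["hooks"] if not h["resolved"]]
    for h in unresolved:
        notes.append(f"{h['object']} is hooked by code at {h['address']} that belongs to no loaded driver")
    for addr in f["unknown_modules"]:
        notes.append(f"unattributed code at {addr} sits in the disk I/O call chain")
        if any(h["address"] == addr for h in unresolved):
            notes.append(f"the hook and the chain entry at {addr} are the same code: a filter "
                         "driver hidden from the module list (disk emulator or rootkit)")
    if f["mbr_ok"]:
        notes.append("MBR read from user mode and from kernel mode both check out")
    if not unresolved and not f["unknown_modules"]:
        verdict = "clean"
    elif f["mbr_ok"]:
        verdict = "inconclusive"  # hidden filter but intact MBR: re-test without emulator drivers
    else:
        verdict = "suspicious"
    return verdict, notes


if __name__ == "__main__":
    verdict, notes = assess(parse_mbr_section(SAMPLE_LOG))
    print("verdict:", verdict)
    for n in notes:
        print(" -", n)
```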
Re: please check my log
Not enough, because its resident shield is still running... NOD also has excellent detection, I would say just slightly better than Avast... If my arguments against several AVs in one system have not convinced you, here is an article by a colleague http://www.viry.cz/forum/viewtopic.php?f=29&t=2780
Uninstall all virtual drive emulators (Daemon Tools, Alcohol 120%, PowerISO etc.)

Download SPTD http://www.duplexsecure.com/en/downloads
- From that page pick the version for your operating system (32-bit (x86) or 64-bit (x64))
- Save it to the desktop and run it
- Choose Uninstall and restart the PC - if the button cannot be clicked (it is greyed out), skip this step

Download Defogger http://www.jpshortstuff.247fixes.com/Defogger.exe
- Save it to the desktop and run it
- Click Disable and restart the PC - if the button cannot be clicked (it is greyed out), skip this step

Download MBR to the desktop http://www2.gmer.net/mbr/mbr.exe
- Click Start and then Run, or use the Win+R keyboard shortcut
- A small window pops up; copy the text below into it
Code:
"%userprofile%\plocha\mbr" -t
- Click OK
- A log named mbr.txt is created on the desktop; paste its contents here
- Guest
- Posts: 33
- Registered: 26 Sep 2010 12:39
Re: please check my log
How do I remove those virtual drive emulators, please?
Re: please check my log
You uninstall them the normal way (e.g. via Add or Remove Programs).
- Guest
- Posts: 33
- Registered: 26 Sep 2010 12:39
Re: please check my log
I need to leave the PC. Is it possible to leave another message for you here even if you are not online? Will it reach you tomorrow, for example?
Re: please check my log
Sure, write here any time, I will read it... I am not here all the time either...
- Guest
- Posts: 33
- Registered: 26 Sep 2010 12:39
Re: please check my log
Thank you very much for now and have a nice rest of the day.
Re: please check my log
You are welcome, a nice rest of the day to you too...