PC disinfection, computer speed-up, remote help via the neslape.cz service

slow computer, desktop does not display.

Have a virus problem? Post your FRST or RSIT log here.

Moderator: Moderators

Forum rules
If you want help, post a log from FRST [guide here] or RSIT [guide here]

Threads will be locked once resolved, and likewise those inactive for more than 14 days. See the rule on locking topics. Thank you for understanding.

!NEW!
You can now use the remote-help service, where an expert connects to your computer and gets further details about the problem from you by phone! More at www.neslape.cz
Mack556
Visitor
Posts: 13
Registered: 06 Oct 2007 11:31

slow computer, desktop does not display.

#1 Post by Mack556 »

Logfile of random's system information tool 1.08 (written by random/random)
Run by uzivatel at 2010-11-18 15:45:35
Systém Microsoft Windows XP Professional Service Pack 3
System drive C: has 288 GB (94%) free of 305 GB
Total RAM: 2047 MB (69% free)

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 15:45:44, on 18.11.2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\uzivatel\Data aplikací\Microsoft\Windows\shell.exe
C:\Documents and Settings\uzivatel\Data aplikací\Microsoft\svchost.exe
C:\DOCUME~1\uzivatel\LOCALS~1\Temp\dwm.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\WINDOWS\tsnpstd3.exe
C:\WINDOWS\vsnpstd3.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\WINDOWS\system32\hidebil.exe
C:\windows\system32\wuaucldt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIEGE.EXE
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\ICQ7.1\ICQ.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Documents and Settings\uzivatel\Local Settings\Data aplikací\odutxn.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\WINDOWS\Rtyxoz.exe
C:\Documents and Settings\uzivatel\Data aplikací\Microsoft-5858-2574\winsvcrn.exe
C:\Documents and Settings\uzivatel\Data aplikací\D-2785-7947-8747\wincdsvn.exe
C:\DOCUME~1\uzivatel\LOCALS~1\Temp\Rc1.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Documents and Settings\uzivatel\Data aplikací\C-76947-8457-2745\msnliveap.exe
C:\Documents and Settings\uzivatel\Data aplikací\msnl.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\WINDOWS\nvsvc32.exe
C:\Program Files\ICQ6Toolbar\ICQ Service.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\DOCUME~1\uzivatel\LOCALS~1\Temp\flx24042.exe
C:\WINDOWS\jusched.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\jusched.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\uzivatel\Local Settings\Temporary Internet Files\Content.IE5\GTSEDOHZ\RSIT[1].exe
C:\Program Files\trend micro\uzivatel.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://domredi.com/1/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.facemoods.com/?a=wfxt2
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://start.facemoods.com/?a=wfxt2&s={searchTerms}&f=4
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:50370
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
R3 - URLSearchHook: ICQToolBar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQ6Toolbar\ICQToolBar.dll
R3 - URLSearchHook: (no name) - - (no file)
F3 - REG:win.ini: load=C:\DOCUME~1\uzivatel\LOCALS~1\Temp\dwm.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll (file missing)
O3 - Toolbar: ICQToolBar - {855F3B16-6D32-4FE6-8A56-BBB695989046} - C:\Program Files\ICQ6Toolbar\ICQToolBar.dll
O3 - Toolbar: facemoods Toolbar - {DB4E9724-F518-4dfd-9C7C-78B52103CAB9} - C:\Program Files\facemoods.com\facemoods\1.4.8.1\facemoodsTlbr.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [tsnpstd3] C:\WINDOWS\tsnpstd3.exe
O4 - HKLM\..\Run: [snpstd3] C:\WINDOWS\vsnpstd3.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [facemoods] "C:\Program Files\facemoods.com\facemoods\1.4.8.1\facemoodssrv.exe" /md I
O4 - HKLM\..\Run: [NVIDIA driver monitor] C:\WINDOWS\nvsvc32.exe
O4 - HKLM\..\Run: [Windows System Guard] C:\Documents and Settings\uzivatel\Data aplikací\msnl.exe
O4 - HKLM\..\Run: [gosadi] C:\WINDOWS\system32\hidebil.exe
O4 - HKLM\..\Run: [svchost] C:\Documents and Settings\uzivatel\Data aplikací\Microsoft\svchost.exe
O4 - HKLM\..\Run: [wuaucldt] c:\windows\system32\wuaucldt.exe
O4 - HKLM\..\Run: [Regedit32] C:\WINDOWS\system32\regedit.exe
O4 - HKLM\..\Run: [pojdpebh] C:\Documents and Settings\uzivatel\Local Settings\Data aplikací\odutxn.exe
O4 - HKLM\..\Run: [Java developer Script Browse] C:\WINDOWS\jusched.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched,] C:\Program Files\Java\jre-07\bin\jusched.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [EPSON Stylus SX400 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIEGE.EXE /FU "C:\WINDOWS\TEMP\E_S277.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [NVIDIA driver monitor] C:\WINDOWS\nvsvc32.exe
O4 - HKCU\..\Run: [WindowsDriverControl] C:\Documents and Settings\uzivatel\Data aplikací\C-76947-8457-2745\msnliveap.exe
O4 - HKCU\..\Run: [IJKUK66HMN] C:\DOCUME~1\uzivatel\LOCALS~1\Temp\Rc1.exe
O4 - HKCU\..\Run: [WinMSDNControl] C:\Documents and Settings\uzivatel\Data aplikací\D-2785-7947-8747\wincdsvn.exe
O4 - HKCU\..\Run: [MSConfig] C:\Documents and Settings\uzivatel\rodb.exe \u
O4 - HKCU\..\Run: [MicrosoftMSDUpdateService] C:\Documents and Settings\uzivatel\Data aplikací\Microsoft-5858-2574\winsvcrn.exe
O4 - HKCU\..\Run: [wuaucldt] c:\documents and settings\uzivatel\wuaucldt.exe
O4 - HKCU\..\Run: [ICQ] "C:\Program Files\ICQ7.1\ICQ.exe" silent loginmode=4
O4 - HKCU\..\Run: [pojdpebh] C:\Documents and Settings\uzivatel\Local Settings\Data aplikací\odutxn.exe
O4 - HKCU\..\Run: [Java developer Script Browse] C:\WINDOWS\jusched.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'Default user')
O4 - Startup: 0fbww6i.exe
O4 - Startup: 0oojaav.exe
O4 - Startup: 0ozq1gh.exe
O4 - Startup: 0tpkk6w.exe
O4 - Startup: 0xc3y1u.exe
O4 - Startup: 0zvqq6c.exe
O4 - Startup: 1miiduu.exe
O4 - Startup: 1uqqlcc.exe
O4 - Startup: 2jee6qq.exe
O4 - Startup: 3eezqql.exe
O4 - Startup: 3m1cd03.exe
O4 - Startup: 61k3wrx.exe
O4 - Startup: 66a81mx.exe
O4 - Startup: 6pk0rxh.exe
O4 - Startup: 81ufgbr.exe
O4 - Startup: 86e3a0b.exe
O4 - Startup: aq1miiduk9.exe
O4 - Startup: bg81sdezf6.exe
O4 - Startup: c70dzuu6g.exe
O4 - Startup: d0jfaa6mm.exe
O4 - Startup: d70kkql03c.exe
O4 - Startup: dyy6kk6ww.exe
O4 - Startup: dzpplbbxnn.exe
O4 - Startup: dzuu6gg6.exe
O4 - Startup: dzz2fgb0.exe
O4 - Startup: e1uva870.exe
O4 - Startup: e7pfgbrsn.exe
O4 - Startup: eaavmmhyyt.exe
O4 - Startup: f0lhcc6oo.exe
O4 - Startup: fvbbw6ii.exe
O4 - Startup: fvvrhhdt.exe
O4 - Startup: fwwriidu.exe
O4 - Startup: g9c1yuupgg.exe
O4 - Startup: i5eeuva86m.exe
O4 - Startup: j0plgg6ss.exe
O4 - Startup: j703q1h70o.exe
O4 - Startup: jee6qq6cc.exe
O4 - Startup: jfvvrhhdtt.exe
O4 - Startup: jjfvvrhxxoo.exe
O4 - Startup: ju5plghm.exe
O4 - Startup: jzavwhm8.exe
O4 - Startup: k1abg81s3o.exe
O4 - Startup: lghm81yjkf.exe
O4 - Startup: lhcc6oo6.exe
O4 - Startup: mc0dzz66q8.exe
O4 - Startup: mhxytjkf.exe
O4 - Startup: nddzpplb.exe
O4 - Startup: ndezpqlr60.exe
O4 - Startup: ni1eaavmmh.exe
O4 - Startup: nn2tjkfvwrx.exe
O4 - Startup: oojaavmmhy.exe
O4 - Startup: OpenOffice.org 3.0.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
O4 - Startup: ozkpalcso.exe
O4 - Startup: pfq1gw1n70u.exe
O4 - Startup: pk1grxtoo6.exe
O4 - Startup: plbbxnnj.exe
O4 - Startup: plgg6ss6.exe
O4 - Startup: ppll2rsn.exe
O4 - Startup: pq70rnii6u.exe
O4 - Startup: pqlr2xnojp6.exe
O4 - Startup: pqlr60tzjf.exe
O4 - Startup: riiduupg.exe
O4 - Startup: siy1pva3w1.exe
O4 - Startup: ss6ee6qq6.exe
O4 - Startup: tejuflbms5k.exe
O4 - Startup: tjjzf66w3id.exe
O4 - Startup: tupfgbrsnde.exe
O4 - Startup: u6gg6ss6.exe
O4 - Startup: u81grsnt6.exe
O4 - Startup: vq1miiduuf.exe
O4 - Startup: vwrx2dtupv6.exe
O4 - Startup: xtoo6aa6.exe
O4 - Startup: y1zq1ghm.exe
O4 - Startup: yopu86whso.exe
O4 - Startup: z2fvwrx6.exe
O4 - Startup: zqqlccxo.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O9 - Extra button: ICQ7.1 - {71BFC818-0CED-42D6-9C87-5142918957EE} - C:\Program Files\ICQ7.1\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ7.1 - {71BFC818-0CED-42D6-9C87-5142918957EE} - C:\Program Files\ICQ7.1\ICQ.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: cryptnet32 - cryptnet32.dll (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Proces mezipaměti kategorií součástí - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: ICQ Service - Unknown owner - C:\Program Files\ICQ6Toolbar\ICQ Service.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PowerUtility TV Recording Reservation (yae4nsufaime1j) - Unknown owner - C:\WINDOWS\system32\lajype.exe

--
End of file - 11753 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\{22116563-108C-42c0-A7CE-60161B75E508}.job
C:\WINDOWS\tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{EE5D279F-081B-4404-994D-C6B60AAEBA6D} - EPSON Web-To-Page - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll []
{855F3B16-6D32-4FE6-8A56-BBB695989046} - ICQToolBar - C:\Program Files\ICQ6Toolbar\ICQToolBar.dll [2010-01-03 1019128]
{DB4E9724-F518-4dfd-9C7C-78B52103CAB9} - facemoods Toolbar - C:\Program Files\facemoods.com\facemoods\1.4.8.1\facemoodsTlbr.dll [2010-07-06 217088]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"=C:\WINDOWS\RTHDCPL.EXE [2008-10-28 17331200]
"Alcmtr"=C:\WINDOWS\ALCMTR.EXE [2008-06-19 57344]
"NvCplDaemon"=C:\WINDOWS\system32\NvCpl.dll [2009-01-15 13680640]
"nwiz"=nwiz.exe /install []
"NvMediaCenter"=C:\WINDOWS\system32\NvMcTray.dll [2009-01-15 86016]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [2009-02-27 35696]
"tsnpstd3"=C:\WINDOWS\tsnpstd3.exe [2007-02-07 262144]
"snpstd3"=C:\WINDOWS\vsnpstd3.exe [2006-09-19 827392]
"egui"=C:\Program Files\ESET\ESET Smart Security\egui.exe [2007-12-21 1443072]
"facemoods"=C:\Program Files\facemoods.com\facemoods\1.4.8.1\facemoodssrv.exe [2010-07-06 323584]
"NVIDIA driver monitor"=C:\WINDOWS\nvsvc32.exe [2010-10-02 58880]
"Windows System Guard"=C:\Documents and Settings\uzivatel\Data aplikací\msnl.exe [2010-10-28 180224]
"gosadi"=C:\WINDOWS\system32\hidebil.exe [2010-10-28 201216]
"svchost"=C:\Documents and Settings\uzivatel\Data aplikací\Microsoft\svchost.exe [2010-11-12 114176]
"wuaucldt"=c:\windows\system32\wuaucldt.exe [2010-11-13 33280]
"Regedit32"=C:\WINDOWS\system32\regedit.exe []
"pojdpebh"=C:\Documents and Settings\uzivatel\Local Settings\Data aplikací\odutxn.exe [2010-11-13 64000]
"Java developer Script Browse"=C:\WINDOWS\jusched.exe [2010-11-18 104448]
"SunJavaUpdateSched,"=C:\Program Files\Java\jre-07\bin\jusched.exe [2010-11-10 64000]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"=C:\WINDOWS\system32\ctfmon.exe [2008-04-14 15360]
"EPSON Stylus SX400 Series"=C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIEGE.EXE [2007-12-17 188928]
"Skype"=C:\Program Files\Skype\Phone\Skype.exe [2010-03-09 26100520]
"NVIDIA driver monitor"=C:\WINDOWS\nvsvc32.exe [2010-10-02 58880]
"WindowsDriverControl"=C:\Documents and Settings\uzivatel\Data aplikací\C-76947-8457-2745\msnliveap.exe [2010-10-28 172032]
"IJKUK66HMN"=C:\DOCUME~1\uzivatel\LOCALS~1\Temp\Rc1.exe [2010-10-09 188928]
"WinMSDNControl"=C:\Documents and Settings\uzivatel\Data aplikací\D-2785-7947-8747\wincdsvn.exe [2010-10-22 92724]
"MSConfig"=C:\Documents and Settings\uzivatel\rodb.exe [2010-11-02 18432]
"MicrosoftMSDUpdateService"=C:\Documents and Settings\uzivatel\Data aplikací\Microsoft-5858-2574\winsvcrn.exe [2010-11-08 584731]
"wuaucldt"=c:\documents and settings\uzivatel\wuaucldt.exe [2010-11-13 33280]
"ICQ"=C:\Program Files\ICQ7.1\ICQ.exe [2010-10-27 133432]
"pojdpebh"=C:\Documents and Settings\uzivatel\Local Settings\Data aplikací\odutxn.exe [2010-11-13 64000]
"Java developer Script Browse"=C:\WINDOWS\jusched.exe [2010-11-18 104448]

C:\Documents and Settings\All Users\Nabídka Start\Programy\Po spuštění
InterVideo WinCinema Manager.lnk - C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe

C:\Documents and Settings\uzivatel\Nabídka Start\Programy\Po spuštění
0fbww6i.exe
0oojaav.exe
0ozq1gh.exe
0tpkk6w.exe
0xc3y1u.exe
0zvqq6c.exe
1miiduu.exe
1uqqlcc.exe
2jee6qq.exe
3eezqql.exe
3m1cd03.exe
61k3wrx.exe
66a81mx.exe
6pk0rxh.exe
81ufgbr.exe
86e3a0b.exe
aq1miiduk9.exe
bg81sdezf6.exe
c70dzuu6g.exe
d0jfaa6mm.exe
d70kkql03c.exe
dyy6kk6ww.exe
dzpplbbxnn.exe
dzuu6gg6.exe
dzz2fgb0.exe
e1uva870.exe
e7pfgbrsn.exe
eaavmmhyyt.exe
f0lhcc6oo.exe
fvbbw6ii.exe
fvvrhhdt.exe
fwwriidu.exe
g9c1yuupgg.exe
i5eeuva86m.exe
j0plgg6ss.exe
j703q1h70o.exe
jee6qq6cc.exe
jfvvrhhdtt.exe
jjfvvrhxxoo.exe
ju5plghm.exe
jzavwhm8.exe
k1abg81s3o.exe
lghm81yjkf.exe
lhcc6oo6.exe
mc0dzz66q8.exe
mhxytjkf.exe
nddzpplb.exe
ndezpqlr60.exe
ni1eaavmmh.exe
nn2tjkfvwrx.exe
oojaavmmhy.exe
OpenOffice.org 3.0.lnk - C:\Program Files\OpenOffice.org 3\program\quickstart.exe
ozkpalcso.exe
pfq1gw1n70u.exe
pk1grxtoo6.exe
plbbxnnj.exe
plgg6ss6.exe
ppll2rsn.exe
pq70rnii6u.exe
pqlr2xnojp6.exe
pqlr60tzjf.exe
riiduupg.exe
siy1pva3w1.exe
ss6ee6qq6.exe
tejuflbms5k.exe
tjjzf66w3id.exe
tupfgbrsnde.exe
u6gg6ss6.exe
u81grsnt6.exe
vq1miiduuf.exe
vwrx2dtupv6.exe
xtoo6aa6.exe
y1zq1ghm.exe
yopu86whso.exe
z2fvwrx6.exe
zqqlccxo.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet32]
C:\WINDOWS\system32\cryptnet32.dll [2010-10-23 46592]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\wpdshserviceobj.dll [2008-05-19 133632]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ekbnznes.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\ekbnznes.sys]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\VP-EYE\avi\avi.exe"="C:\VP-EYE\avi\avi.exe:*:Enabled:Video Monitor"
"C:\Program Files\Skype\Plugin Manager\skypePM.exe"="C:\Program Files\Skype\Plugin Manager\skypePM.exe:*:Enabled:Skype Extras Manager"
"C:\Program Files\ICQ7.1\ICQ.exe"="C:\Program Files\ICQ7.1\ICQ.exe:*:Enabled:ICQ7.1"
"C:\Program Files\ICQ7.1\aolload.exe"="C:\Program Files\ICQ7.1\aolload.exe:*:Enabled:aolload.exe"
"C:\Documents and Settings\uzivatel\Dokumenty\Preberanie\Facemoods.exe"="C:\Documents and Settings\uzivatel\Dokumenty\Preberanie\Facemoods.exe:*:Enabled:Facemoods Installer"
"C:\Documents and Settings\uzivatel\Dokumenty\Preberanie\Facemoods(2).exe"="C:\Documents and Settings\uzivatel\Dokumenty\Preberanie\Facemoods(2).exe:*:Enabled:Facemoods Installer"
"C:\Documents and Settings\uzivatel\Local Settings\Temp\FacemoodsReinstal\Facemoods(2).exe"="C:\Documents and Settings\uzivatel\Local Settings\Temp\FacemoodsReinstal\Facemoods(2).exe:*:Enabled:Facemoods Installer"
"C:\Documents and Settings\uzivatel\Dokumenty\Preberanie\P12743574.JPG-www.facebook.exe"="C:\WINDOWS\nvsvc32.exe:*:Enabled:NVIDIA driver monitor"
"C:\Documents and Settings\uzivatel\Data aplikací\C-76947-8457-2745\wincdrsvn.exe"="C:\Documents and Settings\uzivatel\Data aplikací\C-76947-8457-2745\wincdrsvn.exe:*:Enabled:WindowsDriverControl"
"C:\Documents and Settings\uzivatel\Data aplikací\S-3685-5437-5687\winsrvn.exe"="C:\Documents and Settings\uzivatel\Data aplikací\S-3685-5437-5687\winsrvn.exe:*:Enabled:MSNUpdateServices"
"C:\Documents and Settings\uzivatel\Data aplikací\D-2785-7947-8747\wincdsvn.exe"="C:\Documents and Settings\uzivatel\Data aplikací\D-2785-7947-8747\wincdsvn.exe:*:Enabled:WinMSDNControl"
"C:\Documents and Settings\uzivatel\Data aplikací\msnl.exe"="C:\Documents and Settings\uzivatel\Data aplikací\msnl.exe:*:Enabled:Windows System Guard"
"C:\Documents and Settings\uzivatel\Data aplikací\C-76947-8457-2745\msnliveap.exe"="C:\Documents and Settings\uzivatel\Data aplikací\C-76947-8457-2745\msnliveap.exe:*:Enabled:WindowsDriverControl"
"C:\Documents and Settings\uzivatel\Data aplikací\Microsoft-5858-2574\winsvcrn.exe"="C:\Documents and Settings\uzivatel\Data aplikací\Microsoft-5858-2574\winsvcrn.exe:*:Enabled:MicrosoftMSDUpdateService"
"C:\Program Files\Java\jre-07\bin\jusched.exe"="C:\Program Files\Java\jre-07\bin\jusched.exe:*:Enabled:JavaUpdate,"
"C:\DOCUME~1\uzivatel\LOCALS~1\Temp\flx24698.exe"="C:\WINDOWS\jusched.exe:*:Enabled:Java developer Script Browse"
"C:\DOCUME~1\uzivatel\LOCALS~1\Temp\flx24417.exe"="C:\WINDOWS\jusched.exe:*:Enabled:Java developer Script Browse"
"C:\DOCUME~1\uzivatel\LOCALS~1\Temp\flx22385.exe"="C:\WINDOWS\jusched.exe:*:Enabled:Java developer Script Browse"
"C:\DOCUME~1\uzivatel\LOCALS~1\Temp\flx28839.exe"="C:\WINDOWS\jusched.exe:*:Enabled:Java developer Script Browse"
"C:\DOCUME~1\uzivatel\LOCALS~1\Temp\flx24042.exe"="C:\WINDOWS\jusched.exe:*:Enabled:Java developer Script Browse"
"C:\DOCUME~1\uzivatel\LOCALS~1\Temp\flx36948.exe"="C:\WINDOWS\jusched.exe:*:Enabled:Java developer Script Browse"
"C:\Program Files\Skype\Phone\Skype.exe"="C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\ICQ7.1\ICQ.exe"="C:\Program Files\ICQ7.1\ICQ.exe:*:Enabled:ICQ7.1"
"C:\Program Files\ICQ7.1\aolload.exe"="C:\Program Files\ICQ7.1\aolload.exe:*:Enabled:aolload.exe"

======List of files/folders created in the last 1 months======

2010-11-18 15:45:36 ----D---- C:\Program Files\trend micro
2010-11-18 15:45:35 ----D---- C:\rsit
2010-11-18 15:31:37 ----A---- C:\WINDOWS\Rtyxoz.exe
2010-11-15 15:02:29 ----A---- C:\winnt7.exe
2010-11-13 23:45:58 ----RSH---- C:\WINDOWS\jusched.exe
2010-11-13 13:43:43 ----H---- C:\www.google.com.htm
2010-11-13 05:53:09 ----A---- C:\t6.exe
2010-11-13 05:34:36 ----HD---- C:\New Folder
2010-11-13 05:34:36 ----A---- C:\New Folder .exe
2010-11-13 05:33:34 ----A---- C:\WINDOWS\system32\wuaucldt.exe
2010-11-12 15:38:30 ----A---- C:\WINDOWS\Rtyxoy.exe
2010-11-12 14:45:31 ----A---- C:\QuickTime1.exe
2010-11-12 07:10:05 ----A---- C:\WINDOWS\Rtyxox.exe
2010-11-11 19:55:33 ----A---- C:\winscxs.exe
2010-11-11 19:54:01 ----A---- C:\6164.exe
2010-11-10 16:11:11 ----D---- C:\Program Files\Java
2010-11-09 06:55:31 ----A---- C:\WINDOWS\Rtyxow.exe
2010-11-08 17:40:52 ----A---- C:\z.exe
2010-11-08 17:30:36 ----AH---- C:\Documents and Settings\uzivatel\Data aplikací\winsavesrc.txt
2010-11-08 17:30:33 ----RSHD---- C:\Documents and Settings\uzivatel\Data aplikací\Microsoft-5858-2574
2010-11-07 19:20:47 ----A---- C:\WINDOWS\Rtyxov.exe
2010-11-06 21:14:14 ----A---- C:\WINDOWS\Rtyxou.exe
2010-11-06 05:22:57 ----A---- C:\WINDOWS\Rtyxot.exe
2010-11-06 05:21:36 ----A---- C:\WINDOWS\Rtyxos.exe
2010-11-03 16:51:20 ----A---- C:\WINDOWS\Rtyxor.exe
2010-11-03 15:31:43 ----A---- C:\WINDOWS\Rtyxoq.exe
2010-11-03 14:25:23 ----A---- C:\WINDOWS\Rtyxop.exe
2010-11-02 14:15:58 ----A---- C:\WINDOWS\Rtyxoo.exe
2010-11-02 07:55:18 ----A---- C:\WINDOWS\Rtyxon.exe
2010-10-31 16:59:36 ----A---- C:\WINDOWS\Rtyxom.exe
2010-10-30 17:04:57 ----A---- C:\WINDOWS\Rtyxol.exe
2010-10-30 14:24:10 ----A---- C:\WINDOWS\Rtyxok.exe
2010-10-30 13:29:40 ----A---- C:\WINDOWS\Rtyxoj.exe
2010-10-29 18:06:35 ----A---- C:\WINDOWS\system32\drivers\ndisvvan.sys
2010-10-29 17:15:38 ----A---- C:\WINDOWS\Rtyxoi.exe
2010-10-29 06:57:14 ----A---- C:\WINDOWS\Rtyxoh.exe
2010-10-28 16:43:56 ----A---- C:\WINDOWS\Rtyxog.exe
2010-10-28 13:02:02 ----A---- C:\WINDOWS\system32\lajype.exe
2010-10-28 13:01:15 ----A---- C:\WINDOWS\system32\hidebil.exe
2010-10-28 13:01:14 ----AH---- C:\WINDOWS\system32\win32app.txt
2010-10-28 13:00:48 ----RSH---- C:\Documents and Settings\uzivatel\Data aplikací\msnl.exe
2010-10-24 19:45:53 ----AH---- C:\WINDOWS\soms.txt
2010-10-24 13:16:40 ----A---- C:\WINDOWS\Rtyxof.exe
2010-10-23 16:57:06 ----A---- C:\WINDOWS\Rtyxoe.exe
2010-10-23 12:12:25 ----A---- C:\WINDOWS\system32\shimg.dll
2010-10-23 12:12:25 ----A---- C:\WINDOWS\system32\cryptnet32.dll
2010-10-22 12:55:52 ----RSHD---- C:\Documents and Settings\uzivatel\Data aplikací\D-2785-7947-8747
2010-10-19 06:40:04 ----AH---- C:\Documents and Settings\uzivatel\Data aplikací\wimknrncds.txt
2010-10-19 06:40:03 ----RSHD---- C:\Documents and Settings\uzivatel\Data aplikací\S-3685-5437-5687

======List of files/folders modified in the last 1 months======

2010-11-18 15:45:36 ----RD---- C:\Program Files
2010-11-18 15:45:36 ----AD---- C:\WINDOWS\Temp
2010-11-18 15:43:32 ----SD---- C:\WINDOWS\Tasks
2010-11-18 15:42:46 ----D---- C:\WINDOWS
2010-11-18 15:42:40 ----D---- C:\Documents and Settings\uzivatel\Data aplikací\Skype
2010-11-18 15:41:56 ----AH---- C:\WINDOWS\system32\winrtsnr.txt
2010-11-18 15:41:51 ----D---- C:\WINDOWS\system32
2010-11-18 15:40:51 ----A---- C:\WINDOWS\SchedLgU.Txt
2010-11-18 15:36:17 ----D---- C:\Program Files\Mozilla Firefox
2010-11-18 15:31:47 ----D---- C:\Documents and Settings\uzivatel\Data aplikací\skypePM
2010-11-18 07:16:06 ----D---- C:\WINDOWS\system32\CatRoot2
2010-11-13 22:32:27 ----D---- C:\WINDOWS\Prefetch
2010-11-13 05:33:43 ----RSHDC---- C:\WINDOWS\system32\dllcache
2010-11-12 18:14:47 ----SD---- C:\Documents and Settings\uzivatel\Data aplikací\Microsoft
2010-11-09 16:23:39 ----D---- C:\Documents and Settings\uzivatel\Data aplikací\ICQ
2010-11-07 19:44:39 ----RSHD---- C:\RECYCLER
2010-11-07 13:42:04 ----D---- C:\WINDOWS\system32\system32
2010-11-01 08:35:40 ----D---- C:\Program Files\ICQ7.1
2010-10-31 13:12:26 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2010-10-29 18:06:41 ----HD---- C:\WINDOWS\inf
2010-10-29 18:06:35 ----D---- C:\WINDOWS\system32\drivers
2010-10-29 18:06:34 ----D---- C:\WINDOWS\Minidump
2010-10-28 17:06:49 ----RSHD---- C:\Documents and Settings\uzivatel\Data aplikací\C-76947-8457-2745

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R0 ekbnznes;ekbnznes; C:\WINDOWS\System32\Drivers\ekbnznes.sys [2010-10-17 40128]
R0 sptd;sptd; C:\WINDOWS\System32\Drivers\sptd.sys [2009-12-30 721904]
R1 easdrv;easdrv; C:\WINDOWS\system32\DRIVERS\easdrv.sys [2007-12-21 30216]
R1 epfwtdi;epfwtdi; C:\WINDOWS\system32\DRIVERS\epfwtdi.sys [2007-12-21 53768]
R1 intelppm;Řadič procesoru Intel; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-14 40192]
R2 eamon;EAMON; C:\WINDOWS\system32\DRIVERS\eamon.sys [2007-12-21 39944]
R2 epfw;epfw; C:\WINDOWS\system32\DRIVERS\epfw.sys [2007-12-21 71176]
R3 Epfwndis;Eset Personal Firewall; C:\WINDOWS\system32\DRIVERS\Epfwndis.sys [2007-12-21 30728]
R3 HDAudBus;Ovladač Microsoft UAA pro sběrnici High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2008-04-13 144384]
R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\WINDOWS\system32\drivers\RtkHDAud.sys [2008-10-31 4942336]
R3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2009-01-15 6301248]
R3 RTLE8023xp;Realtek 10/100/1000 PCI-E NIC Family NDIS XP Driver; C:\WINDOWS\system32\DRIVERS\Rtenicxp.sys [2008-08-07 111360]
R3 SNPSTD3;USB PC Camera (SNPSTD3); C:\WINDOWS\system32\DRIVERS\snpstd3.sys [2007-04-06 10342784]
R3 usbstor;Ovladač velkokapacitního paměťového zařízení USB; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
R3 usbuhci;Ovladač Microsoft univerzálního hostitelského řadiče USB od společnosti Microsoft; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-13 20608]
S1 kbdhid;Ovladač klávesnice standardu HID; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2008-04-14 14592]
S3 CCDECODE;Dekodér Closed Caption; C:\WINDOWS\system32\DRIVERS\CCDECODE.sys [2008-04-13 17024]
S3 hidusb;Ovladač třídy standardu HID; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
S3 mouhid;Ovladač myši standardu HID; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-10-25 12160]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\WINDOWS\system32\drivers\MSTEE.sys [2008-04-13 5504]
S3 NABTSFEC;NABTS/FEC VBI Codec; C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys [2008-04-13 85248]
S3 NdisIP;Microsoft TV/Video Connection; C:\WINDOWS\system32\DRIVERS\NdisIP.sys [2008-04-13 10880]
S3 Passthru;Service; C:\WINDOWS\system32\DRIVERS\ndisvvan.sys [2010-10-29 52992]
S3 SLIP;BDA Slip De-Framer; C:\WINDOWS\system32\DRIVERS\SLIP.sys [2008-04-13 11136]
S3 streamip;BDA IPSink; C:\WINDOWS\system32\DRIVERS\StreamIP.sys [2008-04-13 15232]
S3 usbccgp;Obecný nadřazený ovladač Microsoft USB; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-13 32128]
S3 usbprint;Třída USB Printer; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-13 25856]
S3 usbscan;Ovladač skeneru USB; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-13 15104]
S3 WSTCODEC;Dálnopisný kodek světového standardu; C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS [2008-04-13 19200]
S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2008-05-19 77568]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2008-05-19 82944]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 ekrn;Eset Service; C:\Program Files\ESET\ESET Smart Security\ekrn.exe [2007-12-21 468224]
R2 ICQ Service;ICQ Service; C:\Program Files\ICQ6Toolbar\ICQ Service.exe [2010-01-03 246520]
R2 NVSvc;NVIDIA Display Driver Service; C:\WINDOWS\system32\nvsvc32.exe [2009-01-15 163908]
R2 SSHNAS;SSHNAS; C:\WINDOWS\system32\svchost.exe [2008-04-14 14336]
S2 yae4nsufaime1j;PowerUtility TV Recording Reservation; C:\WINDOWS\system32\lajype.exe [2010-10-28 201216]
S3 EhttpSrv;Eset HTTP Server; C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe [2007-12-21 19200]
S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-14 14336]

-----------------EOF-----------------
Last edited by Mack556 on 18 Nov 2010 18:13, edited 1 time in total.
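Reading a HijackThis log like the one above by hand comes down to a handful of rules: an autostart that runs from a folder any user can write to, a file that borrows the name of a Windows binary but lives outside that binary's real directory, a bare .exe dropped into the Startup folder instead of a shortcut, a browser proxy pointing at 127.0.0.1, a populated win.ini load= hook, a Winlogon Notify DLL, and a service with a generated-looking name. The script below is added here as an example; it is not code from HijackThis, RSIT, ComboFix or this forum, and it removes nothing. It encodes those rules and runs them over a few lines copied from the log above. It assumes the Windows XP directory layout and the Czech profile-folder names that appear in the log ('Data aplikací' is Application Data); the random-name test is a heuristic, so treat the output as a review list, not a verdict.

```python
"""Triage rules for HijackThis-style autostart lines (added example, not
HijackThis/RSIT/ComboFix code). Assumes the Windows XP layout and the Czech
profile folder names from the log above ('Data aplikací' = Application Data)."""
import re

# Folders an unprivileged user can write to (XP, Czech or English names).
# Installers do not register autostarts from here; droppers do.
USER_WRITABLE = re.compile(
    r"\\(?:Documents and Settings\\[^\\]+|DOCUME~1\\[^\\]+|Temp|LOCALS~1|"
    r"Data aplikac[ií]|Application Data|Local Settings)\\", re.IGNORECASE)

# Names malware borrows -> directory prefix (lower-case) of the genuine XP
# file. None: the name has no legitimate owner on XP at all.
LOOKALIKES = {
    "svchost.exe": r"c:\windows\system32",
    "nvsvc32.exe": r"c:\windows\system32",
    "jusched.exe": r"c:\program files\java",
    "dwm.exe": None,  # Desktop Window Manager exists only from Vista on
}

# First drive-letter path with an executable extension, quoted or not.
EXE_PATH = re.compile(
    r'([A-Za-z]:\\.+?\.(?:exe|dll|com|scr|bat|cmd|pif))(?=["\s,]|$)', re.I)

def looks_random(name):
    """Digits interleaved with letters, or an all-letter name of 7+ chars
    with under a quarter vowels. All-caps names (RTHDCPL) count as acronyms."""
    stem = re.sub(r"\.[A-Za-z]{3}$", "", name)
    if len(stem) < 7 or (stem.isupper() and stem.replace("_", "").isalpha()):
        return False
    runs = re.findall(r"[A-Za-z]+|\d+", stem)
    if len(runs) >= 3 and any(r.isdigit() for r in runs):
        return True
    return stem.isalpha() and sum(c in "aeiouy" for c in stem.lower()) / len(stem) < 0.25

def extract_path(command):
    """Executable named by a Run value; bare names fall back to token one."""
    m = EXE_PATH.search(command)
    return m.group(1) if m else command.strip().strip('"').split(" ")[0]

def path_reasons(path):
    reasons = []
    folder, _, base = path.rpartition("\\")
    if USER_WRITABLE.search(path):
        reasons.append("autostart from user-writable location: " + path)
    home = LOOKALIKES.get(base.lower(), "")  # "" = not a borrowed name
    if home is None or (home and not folder.lower().startswith(home)):
        reasons.append("system-binary lookalike outside its home: " + path)
    elif home == "" and looks_random(base):
        reasons.append("generated-looking filename: " + base)
    return reasons

def triage_line(line):
    """Reasons one HijackThis line deserves attention; [] when none."""
    line = line.strip()
    m = re.match(r"R1 - .*ProxyServer = (.+)$", line)
    if m:  # a loopback proxy means a local process sits in the browser's path
        return ["browser proxy on loopback: " + m.group(1)] if re.search(
            r"127\.0\.0\.1|localhost", m.group(1)) else []
    m = re.match(r"F[23] - REG:(win|system)\.ini: (load|run)=(.+)$", line, re.I)
    if m:  # load= and run= are empty on a clean XP
        return [f"{m.group(1)}.ini {m.group(2)}= is set"] + path_reasons(m.group(3).strip())
    m = re.match(r"O4 - (?:Global )?Startup: (.+)$", line)
    if m:  # installers put .lnk shortcuts here; droppers copy executables
        return [] if re.search(r"\.lnk\b", m.group(1), re.I) else [
            "bare executable in Startup folder: " + m.group(1)]
    m = re.match(r"O4 - HK\w+\\.*\\Run(?:Once)?: \[(.*?)\] (.+)$", line)
    if m:
        return path_reasons(extract_path(m.group(2)))
    m = re.match(r"O20 - Winlogon Notify: (\S+) - (.+)$", line)
    if m:  # the DLL is loaded into winlogon.exe at every logon
        state = "file missing" if "(file missing)" in m.group(2) else "verify DLL"
        return [f"Winlogon Notify package '{m.group(1)}' ({state})"]
    m = re.match(r"O23 - Service: (.+?) \((\S+)\) - (.+?) - (.+)$", line)
    if m:  # owner is the company name from the binary's version info
        display, short, owner, path = m.groups()
        if owner == "Unknown owner" and (looks_random(short) or USER_WRITABLE.search(path)):
            return [f"unattributed service '{short}' ({display}): {path}"]
    return []

def triage(log_text):
    """Map each suspicious line to its reasons; clean lines are omitted."""
    result = {}
    for line in log_text.splitlines():
        reasons = triage_line(line)
        if reasons:
            result[line.strip()] = reasons
    return result

# Constructed sample: lines copied from the RSIT/HijackThis log above.
SAMPLE = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:50370
F3 - REG:win.ini: load=C:\DOCUME~1\uzivatel\LOCALS~1\Temp\dwm.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [NVIDIA driver monitor] C:\WINDOWS\nvsvc32.exe
O4 - HKLM\..\Run: [svchost] C:\Documents and Settings\uzivatel\Data aplikací\Microsoft\svchost.exe
O4 - HKCU\..\Run: [MicrosoftMSDUpdateService] C:\Documents and Settings\uzivatel\Data aplikací\Microsoft-5858-2574\winsvcrn.exe
O4 - Startup: jfvvrhhdtt.exe
O20 - Winlogon Notify: cryptnet32 - cryptnet32.dll (file missing)
O23 - Service: PowerUtility TV Recording Reservation (yae4nsufaime1j) - Unknown owner - C:\WINDOWS\system32\lajype.exe
"""

if __name__ == "__main__":
    for entry, why in triage(SAMPLE).items():
        print(entry, *("    -> " + r for r in why), sep="\n")
```

Run as a script, it flags eight of the nine sample lines and leaves the ESET egui entry alone. The rules deliberately miss things the RSIT part of the log shows: hidebil.exe and wuaucldt.exe sit in system32 under plausible names and only stand out by their creation dates in the "files created in the last 1 months" section, which HijackThis lines do not carry; and the lookalike check compares directory prefixes only, so a jusched.exe under any folder below C:\Program Files\Java passes even though that folder was created on 2010-11-10. Cross-checking against the file-creation list is what closes that gap.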

cernohous13
VIP in memoriam
Posts: 8721
Registered: 09 Dec 2006 06:19
Location: Jablonec nad Nisou

Re: slow computer. please check

#2 Post by cernohous13 »

:o ugh, did somebody help you with that, or did you manage that zoo all by yourself?
Download ComboFix and save it to your desktop.
instructions: http://www.bleepingcomputer.com/combofi ... t-combofix
Close all open windows, turn off your antispyware and antivirus, and run it.
- When it starts, the terms of use are shown; confirm them by pressing Yes
- Then follow the prompts; while ComboFix is running, do not click in its window and do not launch anything
- When the scan finishes, the program should create a log, C:\ComboFix.txt; please copy its whole contents here
If the system does not boot after using ComboFix: press F8 during restart and choose Last Known Good Configuration
Recommendations:
During the cleanup, install or uninstall anything only when I tell you to.
Read my reply thoroughly and carry out the whole procedure as described.
If anything is unclear, ask and I will explain

-------------------------------------------------------------------------------------------------
> Forum support <

Mack556
Visitor
Posts: 13
Registered: 06 Oct 2007 11:31

Re: slow computer. please check

#3 Post by Mack556 »

Before running ComboFix, I manually deleted the following files from the folder "C:\Documents and Settings\uzivatel\Nabídka Start\Programy\Po spuštění":
0fbww6i.exe
0oojaav.exe
0ozq1gh.exe
0tpkk6w.exe
0xc3y1u.exe
0zvqq6c.exe
1miiduu.exe
1uqqlcc.exe
2jee6qq.exe
3eezqql.exe
3m1cd03.exe
61k3wrx.exe
66a81mx.exe
6pk0rxh.exe
81ufgbr.exe
86e3a0b.exe
aq1miiduk9.exe
bg81sdezf6.exe
c70dzuu6g.exe
d0jfaa6mm.exe
d70kkql03c.exe
dyy6kk6ww.exe
dzpplbbxnn.exe
dzuu6gg6.exe
dzz2fgb0.exe
e1uva870.exe
e7pfgbrsn.exe
eaavmmhyyt.exe
f0lhcc6oo.exe
fvbbw6ii.exe
fvvrhhdt.exe
fwwriidu.exe
g9c1yuupgg.exe
i5eeuva86m.exe
j0plgg6ss.exe
j703q1h70o.exe
jee6qq6cc.exe
jfvvrhhdtt.exe
jjfvvrhxxoo.exe
ju5plghm.exe
jzavwhm8.exe
k1abg81s3o.exe
lghm81yjkf.exe
lhcc6oo6.exe
mc0dzz66q8.exe
mhxytjkf.exe
nddzpplb.exe
ndezpqlr60.exe
ni1eaavmmh.exe
nn2tjkfvwrx.exe
oojaavmmhy.exe
ozkpalcso.exe
pfq1gw1n70u.exe
pk1grxtoo6.exe
plbbxnnj.exe
plgg6ss6.exe
ppll2rsn.exe
pq70rnii6u.exe
pqlr2xnojp6.exe
pqlr60tzjf.exe
riiduupg.exe
siy1pva3w1.exe
ss6ee6qq6.exe
tejuflbms5k.exe
tjjzf66w3id.exe
tupfgbrsnde.exe
u6gg6ss6.exe
u81grsnt6.exe
vq1miiduuf.exe
vwrx2dtupv6.exe
xtoo6aa6.exe
y1zq1ghm.exe
yopu86whso.exe
z2fvwrx6.exe
zqqlccxo.exe


ComboFix log:
ComboFix 10-11-17.03 - uzivatel 18.11.2010 16:31:49.1.2 - x86
Systém Microsoft Windows XP Professional 5.1.2600.3.1250.421.1029.18.2047.1716 [GMT 1:00]
Running from: c:\documents and settings\uzivatel\Plocha\ComboFix.exe
AV: ESET Smart Security 3.0 *On-access scanning disabled* (Outdated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET personal firewall *enabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}
* Created a new restore point
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\6164.exe
c:\documents and settings\LocalService\oashdihasidhasuidhiasdhiashdiuasdhasd
c:\documents and settings\uzivatel\Data aplikací\C-76947-8457-2745
c:\documents and settings\uzivatel\Data aplikací\C-76947-8457-2745\msnliveap.exe
c:\documents and settings\uzivatel\Data aplikací\C-76947-8457-2745\wincdrsvn.exe
c:\documents and settings\uzivatel\Data aplikací\D-2785-7947-8747
c:\documents and settings\uzivatel\Data aplikací\D-2785-7947-8747\wincdsvn.exe
c:\documents and settings\uzivatel\Data aplikací\facemoods.com
c:\documents and settings\uzivatel\Data aplikací\Microsoft\svchost.exe
c:\documents and settings\uzivatel\Data aplikací\msnl.exe
c:\documents and settings\uzivatel\Data aplikací\S-3685-5437-5687
c:\documents and settings\uzivatel\Data aplikací\S-3685-5437-5687\winsrvn.exe
c:\documents and settings\uzivatel\kaipqgo.exe
c:\documents and settings\uzivatel\oashdihasidhasuidhiasdhiashdiuasdhasd
c:\documents and settings\uzivatel\Recent\Thumbs.db
c:\documents and settings\uzivatel\rodb.exe
c:\documents and settings\uzivatel\secupdat.dat
c:\documents and settings\uzivatel\wsa.exe
c:\documents and settings\uzivatel\wuaucldt.exe
C:\New Folder .exe
c:\program files\facemoods.com
c:\program files\facemoods.com\facemoods\1.4.8.1\bh\_facemoods.dll
c:\program files\facemoods.com\facemoods\1.4.8.1\facemoods.crx
c:\program files\facemoods.com\facemoods\1.4.8.1\facemoods.png
c:\program files\facemoods.com\facemoods\1.4.8.1\facemoodsApp.dll
c:\program files\facemoods.com\facemoods\1.4.8.1\facemoodsEng.dll
c:\program files\facemoods.com\facemoods\1.4.8.1\facemoodssrv.exe
c:\program files\facemoods.com\facemoods\1.4.8.1\facemoodsTlbr.dll
c:\program files\facemoods.com\facemoods\1.4.8.1\uninstall.exe
C:\sample.exe
c:\windows\jusched.exe
c:\windows\nvsvc32.exe
c:\windows\system32\control.ini
c:\windows\system32\crt.dat
c:\windows\system32\cryptnet32.dll
c:\windows\system32\Drivers\ekbnznes.sys
c:\windows\system32\drivers\ndisvvan.sys
c:\windows\system32\hidebil.exe
c:\windows\system32\lajype.exe
c:\windows\system32\ms32.sys
c:\windows\system32\nHTMLn_2.95.dll
c:\windows\system32\script.ini
c:\windows\system32\secupdat.dat
c:\windows\system32\shimg.dll
c:\windows\system32\sshnas21.dll
c:\windows\system32\system32
c:\windows\system32\system32\msconfg.dll
c:\windows\system32\system32\Systemx.dll
c:\windows\system32\win32app.txt
c:\windows\system32\winrtsnr.txt
c:\windows\system32\wuaucldt.exe
c:\windows\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job
C:\z.exe

c:\windows\system32\Drivers\ekbnznes.sys . . . is infected!! . . . Failed to find a valid replacement.
Infected copy of c:\windows\system32\drivers\cdrom.sys was found and disinfected
Restored copy from - c:\system volume information\_restore{EAE66A94-5574-4CCC-99AB-C54EDFEEBFFA}\RP177\A0056226.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_SSHNAS
-------\Service_SSHNAS
-------\Legacy_ekbnznes
-------\Legacy_yae4nsufaime1j
-------\Service_ekbnznes
-------\Service_Passthru
-------\Service_yae4nsufaime1j


((((((((((((((((((((((((( Files Created from 2010-10-18 to 2010-11-18 )))))))))))))))))))))))))))))))
.

2010-11-18 15:44 . 2010-11-18 15:44 64000 ----a-w- C:\New Folder .exe
2010-11-18 15:30 . 2010-11-18 15:19 253952 ----a-w- c:\windows\Rtyxo1.exe
2010-11-18 15:09 . 2010-11-18 15:09 -------- d-----w- c:\documents and settings\Administrator
2010-11-18 15:04 . 2010-11-18 14:43 253952 ----a-w- c:\windows\Rtyxo0.exe
2010-11-18 14:45 . 2010-11-18 14:45 -------- d-----w- c:\program files\trend micro
2010-11-18 14:45 . 2010-11-18 14:45 -------- d-----w- C:\rsit
2010-11-18 14:31 . 2010-11-18 14:13 253952 ----a-w- c:\windows\Rtyxoz.exe
2010-11-15 14:02 . 2010-11-15 14:02 91136 ----a-w- C:\winnt7.exe
2010-11-13 22:13 . 2010-11-13 22:13 64000 --s---r- c:\documents and settings\uzivatel\Local Settings\Data aplikací\odutxn.exe
2010-11-13 04:53 . 2010-11-14 18:39 90 ----a-w- C:\t6.exe
2010-11-13 04:34 . 2010-11-13 04:34 -------- d--h--w- C:\New Folder
2010-11-12 14:38 . 2010-11-12 13:19 212992 ----a-w- c:\windows\Rtyxoy.exe
2010-11-12 13:45 . 2010-11-12 13:45 41 ----a-w- C:\QuickTime1.exe
2010-11-12 06:10 . 2010-11-12 06:09 221184 ----a-w- c:\windows\Rtyxox.exe
2010-11-11 18:55 . 2010-11-11 18:56 0 ----a-w- C:\winscxs.exe
2010-11-10 15:11 . 2010-11-13 10:09 -------- d-----w- c:\program files\Java
2010-11-09 05:55 . 2010-11-08 16:22 217088 ----a-w- c:\windows\Rtyxow.exe
2010-11-08 16:30 . 2010-11-08 16:30 -------- d-sh--r- c:\documents and settings\uzivatel\Data aplikací\Microsoft-5858-2574
2010-11-07 18:20 . 2010-11-07 12:28 208896 ----a-w- c:\windows\Rtyxov.exe
2010-11-06 20:14 . 2010-11-06 17:01 208896 ----a-w- c:\windows\Rtyxou.exe
2010-11-06 04:22 . 2010-11-05 13:46 225280 ----a-w- c:\windows\Rtyxot.exe
2010-11-06 04:21 . 2010-11-05 13:46 225280 ----a-w- c:\windows\Rtyxos.exe
2010-11-03 15:51 . 2010-11-03 14:44 204800 ----a-w- c:\windows\Rtyxor.exe
2010-11-03 14:31 . 2010-11-03 13:37 204800 ----a-w- c:\windows\Rtyxoq.exe
2010-11-03 13:25 . 2010-11-03 06:24 212992 ----a-w- c:\windows\Rtyxop.exe
2010-11-02 13:15 . 2010-11-02 08:49 221184 ----a-w- c:\windows\Rtyxoo.exe
2010-11-02 06:55 . 2010-11-01 17:20 221184 ----a-w- c:\windows\Rtyxon.exe
2010-10-31 15:59 . 2010-10-31 08:37 266240 ----a-w- c:\windows\Rtyxom.exe
2010-10-30 16:04 . 2010-10-30 13:54 266240 ----a-w- c:\windows\Rtyxol.exe
2010-10-30 13:24 . 2010-10-30 12:52 266240 ----a-w- c:\windows\Rtyxok.exe
2010-10-30 12:29 . 2010-10-30 03:33 249856 ----a-w- c:\windows\Rtyxoj.exe
2010-10-29 16:15 . 2010-10-29 06:22 262144 ----a-w- c:\windows\Rtyxoi.exe
2010-10-29 05:57 . 2010-10-28 16:18 262144 ----a-w- c:\windows\Rtyxoh.exe
2010-10-28 15:43 . 2010-10-28 12:12 262144 ----a-w- c:\windows\Rtyxog.exe
2010-10-28 12:00 . 2010-11-05 18:32 112128 ------w- c:\documents and settings\uzivatel\Data aplikací\Microsoft\Windows\shellu.exe
2010-10-24 12:16 . 2010-10-24 11:12 270336 ----a-w- c:\windows\Rtyxof.exe
2010-10-23 15:57 . 2010-10-23 14:34 270336 ----a-w- c:\windows\Rtyxoe.exe
2010-10-21 16:59 . 2010-11-12 17:14 115200 ----a-w- c:\documents and settings\uzivatel\Data aplikací\Microsoft\Windows\shell.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-10-17 17:03 . 2010-10-17 17:03 93184 --sh--r- c:\documents and settings\uzivatel\Data aplikací\juzjf.exe
2010-10-16 16:38 . 2010-10-17 07:18 196608 ----a-w- c:\windows\Rtyxod.exe
2010-10-10 18:47 . 2010-10-10 18:47 225282 ----a-w- C:\tsa.exe
2010-10-10 18:16 . 2010-10-11 04:53 194048 ----a-w- c:\windows\Rtyxoc.exe
2010-10-10 13:13 . 2010-10-10 18:01 194048 ----a-w- c:\windows\Rtyxob.exe
2010-10-09 17:15 . 2010-10-09 17:15 191488 ----a-w- c:\windows\Rtyxoa.exe
.

------- Sigcheck -------

[-] 2008-06-23 . 1E603EA2A3FDBAE9E5B88A8CB3C03124 . 1571840 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2010-03-09 26100520]
"MicrosoftMSDUpdateService"="c:\documents and settings\uzivatel\Data aplikací\Microsoft-5858-2574\winsvcrn.exe" [2010-11-08 584731]
"ICQ"="c:\program files\ICQ7.1\ICQ.exe" [2010-10-27 133432]
"pojdpebh"="c:\documents and settings\uzivatel\Local Settings\Data aplikací\odutxn.exe" [2010-11-13 64000]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2008-10-28 17331200]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-01-15 13680640]
"nwiz"="nwiz.exe" [2009-01-15 1657376]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-01-15 86016]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"tsnpstd3"="c:\windows\tsnpstd3.exe" [2007-02-07 262144]
"snpstd3"="c:\windows\vsnpstd3.exe" [2006-09-19 827392]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2007-12-21 1443072]
"pojdpebh"="c:\documents and settings\uzivatel\Local Settings\Data aplikací\odutxn.exe" [2010-11-13 64000]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_2"="shell32" [X]

c:\documents and settings\uzivatel\Nabídka Start\Programy\Po spuštění\
OpenOffice.org 3.0.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2009-1-15 393216]

c:\documents and settings\All Users\Nabídka Start\Programy\Po spuštění\
InterVideo WinCinema Manager.lnk - c:\program files\InterVideo\Common\Bin\WinCinemaMgr.exe [2009-7-1 155648]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\VP-EYE\\avi\\avi.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\ICQ7.1\\ICQ.exe"=
"c:\\Program Files\\ICQ7.1\\aolload.exe"=
"c:\\Documents and Settings\\uzivatel\\Data aplikací\\Microsoft-5858-2574\\winsvcrn.exe"=
"c:\\Program Files\\Java\\jre-07\\bin\\jusched.exe"=
"c:\\DOCUME~1\\uzivatel\\LOCALS~1\\Temp\\flx16120.exe"= c:\\WINDOWS\\jusched.exe
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [30.12.2009 16:22 721904]
R2 ekrn;Eset Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [21.12.2007 7:21 468224]
R2 ICQ Service;ICQ Service;c:\program files\ICQ6Toolbar\ICQ Service.exe [1.5.2010 20:26 246520]
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://domredi.com/1/
mStart Page = hxxp://start.facemoods.com/?a=wfxt2
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyServer = http=127.0.0.1:50370
IE: {{71BFC818-0CED-42D6-9C87-5142918957EE} - c:\program files\ICQ7.1\ICQ.exe
FF - ProfilePath - c:\documents and settings\uzivatel\Data aplikací\Mozilla\Firefox\Profiles\yszyddqx.default\
FF - prefs.js: browser.search.selectedEngine - ICQ Searuser_pref(browser.startup.homepage, hxxp://domredi.com/1/
FF - prefs.js: keyword.URL - hxxp://search.icq.com/search/afe_results.php?ch_id=afex&tb_ver=2.0.0.2&q=
FF - component: c:\documents and settings\uzivatel\Data aplikací\Mozilla\Firefox\Profiles\yszyddqx.default\extensions\ffxtlbr@Facemoods.com\components\FFHst.dll
FF - component: c:\program files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}\components\SkypeFfComponent.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified
c:\program files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".sk");
.
- - - - ORPHANS REMOVED - - - -

Toolbar-{DB4E9724-F518-4dfd-9C7C-78B52103CAB9} - c:\program files\facemoods.com\facemoods\1.4.8.1\facemoodsTlbr.dll
HKCU-Run-WindowsDriverControl - c:\documents and settings\uzivatel\Data aplikací\C-76947-8457-2745\msnliveap.exe
HKCU-Run-WinMSDNControl - c:\documents and settings\uzivatel\Data aplikací\D-2785-7947-8747\wincdsvn.exe
HKCU-Run-wuaucldt - c:\documents and settings\uzivatel\wuaucldt.exe
HKLM-Run-facemoods - c:\program files\facemoods.com\facemoods\1.4.8.1\facemoodssrv.exe
HKLM-Run-gosadi - c:\windows\system32\hidebil.exe
SafeBoot-ekbnznes.sys
AddRemove-facemoods - c:\program files\facemoods.com\facemoods\1.4.8.1\uninstall.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-11-18 16:44
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD3200AAJS-00L7A0 rev.01.03E01 -> Harddisk0\DR0 -> \Device\Ide\IdePort2 P2T0L0-e

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x89AEFEC5]<<
_asm { PUSH EBP; MOV EBP, ESP; SUB ESP, 0x1c; PUSH EBX; PUSH ESI; MOV DWORD [EBP-0x4], 0x889d4872; SUB DWORD [EBP-0x4], 0x889d412e; PUSH EDI; CALL 0xffffffffffffdf33; }
1 nt!IofCallDriver[0x804E1397] -> \Device\Harddisk0\DR0[0x89B6FAB8]
3 CLASSPNP[0xF7637FD7] -> nt!IofCallDriver[0x804E1397] -> \Device\0000006b[0x89B5C9E8]
5 ACPI[0xF7495620] -> nt!IofCallDriver[0x804E1397] -> [0x89B65D98]
[0x89A7F7C8] -> IRP_MJ_CREATE -> 0x89AEFEC5
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
\Device\Ide\IdeDeviceP2T0L0-e -> \??\IDE#DiskWDC_WD3200AAJS-00L7A0___________________01.03E01#5&abde2ff&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x89AEFAEA
user & kernel MBR OK
sectors 625142446 (+255): user != kernel
Warning: possible TDL3 rootkit infection !

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\windows\RTHDCPL.EXE
c:\windows\system32\RUNDLL32.EXE
c:\program files\OpenOffice.org 3\program\soffice.exe
c:\windows\system32\wscntfy.exe
c:\program files\OpenOffice.org 3\program\soffice.bin
c:\windows\system32\wbem\wmiapsrv.exe
c:\docume~1\uzivatel\LOCALS~1\Temp\flx16120.exe
c:\windows\jusched.exe
c:\program files\Skype\Plugin Manager\skypePM.exe
c:\windows\jusched.exe
.
**************************************************************************
.
Completion time: 2010-11-18 16:47:54 - machine was rebooted
ComboFix-quarantined-files.txt 2010-11-18 15:47

Pre-Run: Volných bajtů: 301 689 729 024
Post-Run: Volných bajtů: 303 668 453 376

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - ABF58F271D62E90020A71236FC176F5D


The problems persist: slow responses with a folder open, the desktop does not display ("it did not work before either"). After startup IE opens and loads some page; the home page is set to "http://domredi.com/1/", and if I set some other page as the home page, after startup it is "http://domredi.com/1/" again.
The antivirus here is an out-of-date ESET Smart Security 3.0.621.0; the database has not been updated for a long time.

Mack556
Visitor
Posts: 13
Registered: 06 Oct 2007 11:31

Re: slow computer, the desktop does not display.

#4 Post by Mack556 »

I will continue solving the problem tomorrow. Please write what to do next. Thank you.

cernohous13
VIP in memoriam
Posts: 8721
Registered: 09 Dec 2006 06:19
Location: Jablonec nad Nisou

Re: slow computer, the desktop does not display.

#5 Post by cernohous13 »

:arrow: Open Notepad and copy the whole green text from the "CFscript".
Save the file to the desktop as CFscript.txt and drag its icon onto the ComboFix icon, then drop it there.
ComboFix will start; wait for the log and paste it here.
CFscript

Code:

KillAll::

File::
C:\New Folder .exe
c:\windows\Rtyxo3.exe
c:\windows\Rtyxo2.exe
c:\windows\Rtyxo1.exe
c:\windows\Rtyxo0.exe
c:\windows\Rtyxoz.exe
C:\winnt7.exe
c:\documents and settings\uzivatel\Local Settings\Data aplikací\odutxn.exe
C:\t6.exe
c:\windows\Rtyxoy.exe
C:\QuickTime1.exe
c:\windows\Rtyxox.exe
C:\winscxs.exe
c:\windows\Rtyxow.exe
c:\windows\Rtyxov.exe
c:\windows\Rtyxou.exe
c:\windows\Rtyxot.exe
c:\windows\Rtyxos.exe
c:\windows\Rtyxor.exe
c:\windows\Rtyxoq.exe
c:\windows\Rtyxop.exe
c:\windows\Rtyxoo.exe
c:\windows\Rtyxon.exe
c:\windows\Rtyxom.exe
c:\windows\Rtyxol.exe
c:\windows\Rtyxok.exe
c:\windows\Rtyxoj.exe
c:\windows\Rtyxoi.exe
c:\windows\Rtyxoh.exe
c:\windows\Rtyxog.exe
c:\documents and settings\uzivatel\Data aplikací\Microsoft\Windows\shellu.exe
c:\windows\Rtyxof.exe
c:\windows\Rtyxoe.exe
c:\documents and settings\uzivatel\Data aplikací\Microsoft\Windows\shell.exe
c:\documents and settings\uzivatel\Data aplikací\juzjf.exe
c:\windows\Rtyxod.exe
C:\tsa.exe
c:\windows\Rtyxoc.exe
c:\windows\Rtyxob.exe
c:\windows\Rtyxoa.exe
C:\Documents and Settings\uzivatel\Local Settings\temp\flx16120.exe
c:\\WINDOWS\\jusched.exe

Folder::
c:\documents and settings\uzivatel\Data aplikací\Microsoft-5858-2574
C:\New Folder

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"pojdpebh"=-
"MicrosoftMSDUpdateService"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"=-
"pojdpebh"=-
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_2"=-

DDS::
uStart Page = -
mStart Page = -

Firefox::
FF - ProfilePath - c:\documents and settings\uzivatel\Data aplikací\Mozilla\Firefox\Profiles\yszyddqx.default\
FF - prefs.js: browser.search.selectedEngine - 
FF - prefs.js: keyword.URL -
FF - component: c:\documents and settings\uzivatel\Data aplikací\Mozilla\Firefox\Profiles\yszyddqx.default\extensions\ffxtlbr@Facemoods.com
:arrow: the next step is Gmer
http://www.gmer.net/gmer.zip

Download it, unpack it directly to C: and run it
when the scan finishes the result is displayed > "Save" > this saves a log, which you copy into your post.

then:
With all items in the right column checked, click "Scan"
when the scan finishes, "Save" again > a log is saved, which you also copy to the forum.
http://www.viry.cz/forum/viewtopic.php?f=29&t=62878 - complete guide
Recommendations:
During the cleanup, install or uninstall software only when I tell you to.
Read my reply carefully and carry out the whole procedure as described.
If anything is unclear, ask and I will explain.

-------------------------------------------------------------------------------------------------
> Forum support <
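How the File:: list of a CFscript like the one in the post above gets built from the ComboFix log, shown as an added example (this is editor-added code, not code from the thread, from ComboFix or from the helper): the script parses a few lines constructed from the "Files Created" and Run-key sections posted earlier in this thread and flags executables that were created in a drive root, in the %windir% root or anywhere under a user profile, that carry hidden/system attributes, or that are referenced by a Run value. The location and attribute rules are assumptions of this example, not ComboFix's own logic, and the output is a candidate list for an analyst to review, not something to feed into a script unread.

```python
"""Triage of ComboFix 'Files Created' and 'Reg Loading Points' lines.

Added example, not part of the forum thread and not ComboFix's own code.
The location and attribute heuristics below are assumptions of this
example, chosen to mirror what the analyst picked into the CFscript
File:: section by hand.
"""
import re
from dataclasses import dataclass

# Constructed input: lines copied from the ComboFix log posted in this thread,
# plus two benign directory entries and one benign autorun for contrast.
SAMPLE_FILES = r"""
2010-11-18 15:44 . 2010-11-18 15:44 64000 ----a-w- C:\New Folder .exe
2010-11-18 15:30 . 2010-11-18 15:19 253952 ----a-w- c:\windows\Rtyxo1.exe
2010-11-18 14:45 . 2010-11-18 14:45 -------- d-----w- c:\program files\trend micro
2010-11-13 22:13 . 2010-11-13 22:13 64000 --s---r- c:\documents and settings\uzivatel\Local Settings\Data aplikací\odutxn.exe
2010-11-10 15:11 . 2010-11-13 10:09 -------- d-----w- c:\program files\Java
2010-10-28 12:00 . 2010-11-05 18:32 112128 ------w- c:\documents and settings\uzivatel\Data aplikací\Microsoft\Windows\shellu.exe
"""

SAMPLE_RUN = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2010-03-09 26100520]
"pojdpebh"="c:\documents and settings\uzivatel\Local Settings\Data aplikací\odutxn.exe" [2010-11-13 64000]
"""

# "<created> . <modified> <size|--------> <attrs> <path>"
FILE_LINE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-{8}) (?P<attrs>\S{8}) (?P<path>.+)$"
)
# '"<value name>"="<path>" [<date> <size>]'
RUN_LINE = re.compile(
    r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)" \[\d{4}-\d{2}-\d{2} \d+\]$'
)

EXEC_EXT = (".exe", ".dll", ".sys", ".bat", ".scr", ".com")

# Assumed heuristic: freshly created executables are rarely legitimate here.
ODD_DIRS = (
    r"^c:\\$",                         # drive root
    r"^c:\\windows\\$",                # %windir% root (not system32)
    r"^c:\\documents and settings\\",  # any user profile: AppData, Temp, Desktop
)


@dataclass
class Finding:
    path: str
    reasons: list


def parent_dir(path: str) -> str:
    """Directory part of a Windows path, lower-cased, with trailing backslash."""
    return path[: path.rfind("\\") + 1].lower()


def parse_autoruns(run_text: str) -> dict:
    """Map lower-cased target path -> value name for every Run entry."""
    autoruns = {}
    for line in run_text.splitlines():
        m = RUN_LINE.match(line)
        if m:
            autoruns[m["path"].lower()] = m["name"]
    return autoruns


def triage(files_text: str, run_text: str) -> list:
    """Return executables from 'Files Created' that trip at least one heuristic."""
    autoruns = parse_autoruns(run_text)
    findings = []
    for line in files_text.splitlines():
        m = FILE_LINE.match(line)
        if not m or m["size"] == "--------":        # skip non-matching lines and directories
            continue
        path = m["path"]
        if not path.lower().endswith(EXEC_EXT):
            continue
        reasons = []
        folder = parent_dir(path)
        if any(re.match(pat, folder) for pat in ODD_DIRS):
            reasons.append(f"executable created in {folder}")
        if "s" in m["attrs"] or "h" in m["attrs"]:  # system/hidden bits set on a file
            reasons.append(f"hidden/system attributes {m['attrs']}")
        if path.lower() in autoruns:
            reasons.append(f"started by Run value {autoruns[path.lower()]!r}")
        if reasons:
            findings.append(Finding(path, reasons))
    return findings


def cfscript_file_section(findings: list) -> str:
    """Render findings as the File:: section of a ComboFix CFscript."""
    return "File::\n" + "\n".join(f.path for f in findings) + "\n"


if __name__ == "__main__":
    hits = triage(SAMPLE_FILES, SAMPLE_RUN)
    for f in hits:
        print(f.path, "<-", "; ".join(f.reasons))
    print(cfscript_file_section(hits))
```

On the constructed input, the two Program Files directories and the Skype autorun are left alone, the four executables are listed, and odutxn.exe collects all three reasons (profile location, system attribute, Run value), which is exactly the kind of entry that belongs at the top of a review list.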

Mack556
Visitor
Posts: 13
Registered: 06 Oct 2007 11:31

Re: slow computer, the desktop does not display.

#6 Post by Mack556 »

ComboFix log
ComboFix 10-11-17.03 - uzivatel 19.11.2010 19:18:16.2.2 - x86
Systém Microsoft Windows XP Professional 5.1.2600.3.1250.421.1029.18.2047.1733 [GMT 1:00]
Running from: c:\documents and settings\uzivatel\Plocha\ComboFix.exe
Command switches used :: c:\documents and settings\uzivatel\Plocha\CFscript.txt
AV: ESET Smart Security 3.0 *On-access scanning disabled* (Outdated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET personal firewall *disabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}

FILE ::
"c:\\WINDOWS\\jusched.exe"
"c:\documents and settings\uzivatel\Data aplikací\juzjf.exe"
"c:\documents and settings\uzivatel\Data aplikací\Microsoft\Windows\shell.exe"
"c:\documents and settings\uzivatel\Data aplikací\Microsoft\Windows\shellu.exe"
"c:\documents and settings\uzivatel\Local Settings\Data aplikací\odutxn.exe"
"c:\documents and settings\uzivatel\Local Settings\temp\flx16120.exe"
"C:\New Folder .exe"
"C:\QuickTime1.exe"
"C:\t6.exe"
"C:\tsa.exe"
"c:\windows\Rtyxo0.exe"
"c:\windows\Rtyxo1.exe"
"c:\windows\Rtyxo2.exe"
"c:\windows\Rtyxo3.exe"
"c:\windows\Rtyxoa.exe"
"c:\windows\Rtyxob.exe"
"c:\windows\Rtyxoc.exe"
"c:\windows\Rtyxod.exe"
"c:\windows\Rtyxoe.exe"
"c:\windows\Rtyxof.exe"
"c:\windows\Rtyxog.exe"
"c:\windows\Rtyxoh.exe"
"c:\windows\Rtyxoi.exe"
"c:\windows\Rtyxoj.exe"
"c:\windows\Rtyxok.exe"
"c:\windows\Rtyxol.exe"
"c:\windows\Rtyxom.exe"
"c:\windows\Rtyxon.exe"
"c:\windows\Rtyxoo.exe"
"c:\windows\Rtyxop.exe"
"c:\windows\Rtyxoq.exe"
"c:\windows\Rtyxor.exe"
"c:\windows\Rtyxos.exe"
"c:\windows\Rtyxot.exe"
"c:\windows\Rtyxou.exe"
"c:\windows\Rtyxov.exe"
"c:\windows\Rtyxow.exe"
"c:\windows\Rtyxox.exe"
"c:\windows\Rtyxoy.exe"
"c:\windows\Rtyxoz.exe"
"C:\winnt7.exe"
"C:\winscxs.exe"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\\WINDOWS\\jusched.exe
c:\documents and settings\uzivatel\Data aplikací\Microsoft-5858-2574
c:\documents and settings\uzivatel\Data aplikací\Microsoft-5858-2574\winsvcrn.exe
c:\documents and settings\uzivatel\Local Settings\temp\flx16120.exe
c:\documents and settings\uzivatel\Recent\Thumbs.db
C:\New Folder .exe
C:\New Folder
C:\QuickTime1.exe
C:\t6.exe
C:\tsa.exe
c:\windows\jusched.exe
c:\windows\Rtyxo0.exe
c:\windows\Rtyxo1.exe
c:\windows\Rtyxo2.exe
c:\windows\Rtyxo3.exe
c:\windows\Rtyxoa.exe
c:\windows\Rtyxob.exe
c:\windows\Rtyxoc.exe
c:\windows\Rtyxod.exe
c:\windows\Rtyxoe.exe
c:\windows\Rtyxof.exe
c:\windows\Rtyxog.exe
c:\windows\Rtyxoh.exe
c:\windows\Rtyxoi.exe
c:\windows\Rtyxoj.exe
c:\windows\Rtyxok.exe
c:\windows\Rtyxol.exe
c:\windows\Rtyxom.exe
c:\windows\Rtyxon.exe
c:\windows\Rtyxoo.exe
c:\windows\Rtyxop.exe
c:\windows\Rtyxoq.exe
c:\windows\Rtyxor.exe
c:\windows\Rtyxos.exe
c:\windows\Rtyxot.exe
c:\windows\Rtyxou.exe
c:\windows\Rtyxov.exe
c:\windows\Rtyxow.exe
c:\windows\Rtyxox.exe
c:\windows\Rtyxoy.exe
c:\windows\Rtyxoz.exe
c:\windows\system32\sshnas21.dll
c:\windows\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job
C:\winnt7.exe
C:\winscxs.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_SSHNAS
-------\Service_SSHNAS


((((((((((((((((((((((((( Files Created from 2010-10-19 to 2010-11-19 )))))))))))))))))))))))))))))))
.

2010-11-18 19:40 . 2010-11-18 19:40 597504 ----a-w- c:\documents and settings\uzivatel\Data aplikací\hotfix.exe
2010-11-18 19:40 . 2010-11-18 19:40 208 ----a-w- c:\documents and settings\uzivatel\Data aplikací\scgdfgasfbh.bat
2010-11-18 15:09 . 2010-11-18 15:09 -------- d-----w- c:\documents and settings\Administrator
2010-11-18 14:45 . 2010-11-18 16:55 -------- d-----w- c:\program files\trend micro
2010-11-18 14:45 . 2010-11-18 14:45 -------- d-----w- C:\rsit
2010-11-13 22:13 . 2010-11-13 22:13 64000 --s---r- c:\documents and settings\uzivatel\Local Settings\Data aplikací\odutxn.exe
2010-11-10 15:11 . 2010-11-13 10:09 -------- d-----w- c:\program files\Java
2010-10-28 12:00 . 2010-11-05 18:32 112128 ------w- c:\documents and settings\uzivatel\Data aplikací\Microsoft\Windows\shellu.exe
2010-10-21 16:59 . 2010-11-12 17:14 115200 ----a-w- c:\documents and settings\uzivatel\Data aplikací\Microsoft\Windows\shell.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-19 18:30 . 2010-11-19 18:30 64000 ----a-w- C:\New Folder .exe
2010-10-17 17:03 . 2010-10-17 17:03 93184 --sh--r- c:\documents and settings\uzivatel\Data aplikací\juzjf.exe
.

------- Sigcheck -------

[-] 2008-06-23 . 1E603EA2A3FDBAE9E5B88A8CB3C03124 . 1571840 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((( SnapShot@2010-11-18_15.44.20 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-12-30 15:22 . 2009-12-30 13:22 721904 c:\windows\system32\drivers\sptd.sys
- 2009-12-30 15:22 . 2009-12-30 14:22 721904 c:\windows\system32\drivers\sptd.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2010-03-09 26100520]
"ICQ"="c:\program files\ICQ7.1\ICQ.exe" [2010-10-27 133432]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2008-10-28 17331200]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-01-15 13680640]
"nwiz"="nwiz.exe" [2009-01-15 1657376]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-01-15 86016]
"tsnpstd3"="c:\windows\tsnpstd3.exe" [2007-02-07 262144]
"snpstd3"="c:\windows\vsnpstd3.exe" [2006-09-19 827392]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2007-12-21 1443072]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Nabídka Start\Programy\Po spuštění\
InterVideo WinCinema Manager.lnk - c:\program files\InterVideo\Common\Bin\WinCinemaMgr.exe [2009-7-1 155648]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\VP-EYE\\avi\\avi.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\ICQ7.1\\ICQ.exe"=
"c:\\Program Files\\ICQ7.1\\aolload.exe"=
"c:\\Program Files\\Java\\jre-07\\bin\\jusched.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [30.12.2009 16:22 721904]
R2 ekrn;Eset Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [21.12.2007 7:21 468224]
R2 ICQ Service;ICQ Service;c:\program files\ICQ6Toolbar\ICQ Service.exe [1.5.2010 20:26 246520]
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyServer = http=127.0.0.1:50370
IE: {{71BFC818-0CED-42D6-9C87-5142918957EE} - c:\program files\ICQ7.1\ICQ.exe
FF - ProfilePath - c:\documents and settings\uzivatel\Data aplikací\Mozilla\Firefox\Profiles\yszyddqx.default\
FF - prefs.js: browser.search.selectedEngine - ICQ Searchuser_pref(browser.startup.homepage, hxxp://domredi.com/1/
FF - prefs.js: keyword.URL - hxxp://search.icq.com/search/afe_results.php?ch_id=afex&tb_ver=2.0.0.2&q=
FF - component: c:\documents and settings\uzivatel\Data aplikací\Mozilla\Firefox\Profiles\yszyddqx.default\extensions\ffxtlbr@Facemoods.com\components\FFHst.dll
FF - component: c:\program files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}\components\SkypeFfComponent.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified
c:\program files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".sk");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-11-19 19:29
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD3200AAJS-00L7A0 rev.01.03E01 -> Harddisk0\DR0 -> \Device\Ide\IdePort2 P2T0L0-e

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x89AD7EC5]<<
_asm { PUSH EBP; MOV EBP, ESP; SUB ESP, 0x1c; PUSH EBX; PUSH ESI; MOV DWORD [EBP-0x4], 0x889d4872; SUB DWORD [EBP-0x4], 0x889d412e; PUSH EDI; CALL 0xffffffffffffdf33; }
1 nt!IofCallDriver[0x804E1397] -> \Device\Harddisk0\DR0[0x89B81AB8]
3 CLASSPNP[0xF7637FD7] -> nt!IofCallDriver[0x804E1397] -> \Device\00000068[0x89B439E8]
5 ACPI[0xF7495620] -> nt!IofCallDriver[0x804E1397] -> [0x89B83D98]
[0x89A47998] -> IRP_MJ_CREATE -> 0x89AD7EC5
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
\Device\Ide\IdeDeviceP2T0L0-e -> \??\IDE#DiskWDC_WD3200AAJS-00L7A0___________________01.03E01#5&abde2ff&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x89AD7AEA
user & kernel MBR OK
sectors 625142446 (+255): user != kernel
Warning: possible TDL3 rootkit infection !

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(780)
c:\windows\system32\msimtf.dll
c:\windows\system32\wpdshserviceobj.dll
c:\windows\system32\portabledevicetypes.dll
c:\windows\system32\portabledeviceapi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\windows\RTHDCPL.EXE
c:\windows\system32\RUNDLL32.EXE
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-11-19 19:32:59 - machine was rebooted
ComboFix-quarantined-files.txt 2010-11-19 18:32
ComboFix2.txt 2010-11-18 15:47

Pre-Run: Volných bajtů: 303 602 716 672
Post-Run: Volných bajtů: 303 588 843 520

- - End Of File - - 72805DFE8A0E6442B8B7EF6526C700B2



GMER log no. 1
GMER 1.0.15.15530 - http://www.gmer.net
Rootkit quick scan 2010-11-19 19:36:09
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdePort2 WDC_WD3200AAJS-00L7A0 rev.01.03E01
Running: gmer.exe; Driver: C:\DOCUME~1\uzivatel\LOCALS~1\Temp\pxtdapow.sys


---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sectors 625142192 (+254): rootkit-like behavior;

---- System - GMER 1.0.15 ----

SSDT spke.sys ZwEnumerateKey [0xF74F4CA4]
SSDT spke.sys ZwEnumerateValueKey [0xF74F5032]

---- Devices - GMER 1.0.15 ----

Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 89AD7AEA
Device \Driver\atapi \Device\Ide\IdePort0 [F7978B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 89AD7AEA
Device \Driver\atapi \Device\Ide\IdePort1 [F7978B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort2 89AD7AEA
Device \Driver\atapi \Device\Ide\IdePort2 [F7978B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort3 89AD7AEA
Device \Driver\atapi \Device\Ide\IdePort3 [F7978B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP0T1L0-3 89AD7AEA
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-3 [F7978B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \FileSystem\Ntfs \Ntfs 89BA01F8

AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET)
AttachedDevice \Driver\Tcpip \Device\Ip epfwtdi.sys (Eset Personal Firewall TDI filter/ESET)
AttachedDevice \Driver\Tcpip \Device\Tcp epfwtdi.sys (Eset Personal Firewall TDI filter/ESET)
AttachedDevice \Driver\Tcpip \Device\Udp epfwtdi.sys (Eset Personal Firewall TDI filter/ESET)
AttachedDevice \Driver\Tcpip \Device\RawIp epfwtdi.sys (Eset Personal Firewall TDI filter/ESET)

Device \Device\Ide\IdeDeviceP2T0L0-e -> \??\IDE#DiskWDC_WD3200AAJS-00L7A0___________________01.03E01#5&abde2ff&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

---- EOF - GMER 1.0.15 ----


GMER log no. 2
GMER 1.0.15.15530 - http://www.gmer.net
Rootkit scan 2010-11-19 19:57:50
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdePort2 WDC_WD3200AAJS-00L7A0 rev.01.03E01
Running: gmer.exe; Driver: C:\DOCUME~1\uzivatel\LOCALS~1\Temp\pxtdapow.sys


---- System - GMER 1.0.15 ----

SSDT spke.sys ZwCreateKey [0xF74D60E0]
SSDT spke.sys ZwEnumerateKey [0xF74F4CA4]
SSDT spke.sys ZwEnumerateValueKey [0xF74F5032]
SSDT spke.sys ZwOpenKey [0xF74D60C0]
SSDT spke.sys ZwQueryKey [0xF74F510A]
SSDT spke.sys ZwQueryValueKey [0xF74F4F8A]
SSDT spke.sys ZwSetValueKey [0xF74F519C]

INT 0x62 ? 89BA1BF8
INT 0x63 ? 89BA1BF8
INT 0x63 ? 89BA1BF8
INT 0x63 ? 899BFBF8
INT 0x63 ? 89BA1BF8
INT 0x82 ? 89BA1BF8
INT 0x83 ? 899BFBF8
INT 0xA4 ? 899BFBF8
INT 0xB4 ? 899BFBF8

---- Kernel code sections - GMER 1.0.15 ----

? spke.sys Systém nemůže nalézt uvedený soubor. !
.rsrc C:\WINDOWS\system32\drivers\pci.sys entry point in ".rsrc" section [0xF748C994]
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB8D8D360, 0x3535DF, 0xE8000020]
.text USBPORT.SYS!DllUnload B8D298AC 5 Bytes JMP 899BF1D8
? C:\ComboFix\catchme.sys Systém nemůže nalézt uvedenou cestu. !
? C:\WINDOWS\system32\Drivers\PROCEXP113.SYS Systém nemůže nalézt uvedený soubor. !

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\explorer.exe[780] ntdll.dll!NtProtectVirtualMemory 7C90D6D0 5 Bytes JMP 00E2000A
.text C:\WINDOWS\explorer.exe[780] ntdll.dll!NtWriteVirtualMemory 7C90DF90 5 Bytes JMP 00E4000A
.text C:\WINDOWS\explorer.exe[780] ntdll.dll!KiUserExceptionDispatcher 7C90E45C 5 Bytes JMP 00E1000C
.text C:\Program Files\ESET\ESET Smart Security\ekrn.exe[1076] kernel32.dll!SetUnhandledExceptionFilter 7C8449FD 4 Bytes [C2, 04, 00, 00]
.text C:\WINDOWS\System32\svchost.exe[1408] ntdll.dll!NtProtectVirtualMemory 7C90D6D0 5 Bytes JMP 00E4000A
.text C:\WINDOWS\System32\svchost.exe[1408] ntdll.dll!NtWriteVirtualMemory 7C90DF90 5 Bytes JMP 00E5000A
.text C:\WINDOWS\System32\svchost.exe[1408] ntdll.dll!KiUserExceptionDispatcher 7C90E45C 5 Bytes JMP 00E3000C
.text C:\WINDOWS\System32\svchost.exe[1408] ole32.dll!CoCreateInstance 774F057E 5 Bytes JMP 00FD000A

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \WINDOWS\System32\Drivers\SCSIPORT.SYS[ntoskrnl.exe!DbgBreakPoint] 89C132D8
IAT pci.sys[ntoskrnl.exe!IoDetachDevice] [F7507C4C] spke.sys
IAT pci.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [F7507CA0] spke.sys
IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F74D7042] spke.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [F74D713E] spke.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [F74D70C0] spke.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [F74D7800] spke.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [F74D76D6] spke.sys
IAT \SystemRoot\system32\DRIVERS\USBPORT.SYS[ntoskrnl.exe!DbgBreakPoint] 899BF2D8
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [F74E6E9C] spke.sys

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 89BA01F8

AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET)
AttachedDevice \Driver\Tcpip \Device\Ip epfwtdi.sys (Eset Personal Firewall TDI filter/ESET)

Device \Driver\usbuhci \Device\USBPDO-0 899F3500
Device \Driver\dmio \Device\DmControl\DmIoDaemon 89C111F8
Device \Driver\dmio \Device\DmControl\DmConfig 89C111F8
Device \Driver\dmio \Device\DmControl\DmPnP 89C111F8
Device \Driver\dmio \Device\DmControl\DmInfo 89C111F8
Device \Driver\usbuhci \Device\USBPDO-1 899F3500
Device \Driver\usbuhci \Device\USBPDO-2 899F3500
Device \Driver\usbuhci \Device\USBPDO-3 899F3500
Device \Driver\usbehci \Device\USBPDO-4 899C01F8

AttachedDevice \Driver\Tcpip \Device\Tcp epfwtdi.sys (Eset Personal Firewall TDI filter/ESET)

Device \Driver\usbstor \Device\00000070 8980C1F8
Device \Driver\Ftdisk \Device\HarddiskVolume1 89BA21F8
Device \Driver\usbstor \Device\00000071 8980C1F8
Device \Driver\Cdrom \Device\CdRom0 899851F8
Device \Driver\usbstor \Device\00000072 8980C1F8
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 89AD7AEA
Device \Driver\atapi \Device\Ide\IdePort0 [F7978B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 89AD7AEA
Device \Driver\atapi \Device\Ide\IdePort1 [F7978B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort2 89AD7AEA
Device \Driver\atapi \Device\Ide\IdePort2 [F7978B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort3 89AD7AEA
Device \Driver\atapi \Device\Ide\IdePort3 [F7978B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP0T1L0-3 89AD7AEA
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-3 [F7978B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\usbstor \Device\00000073 8980C1F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{C884D2D8-810D-47C3-9E03-0EAEC792D0FE} 8980B1F8
Device \Driver\usbstor \Device\00000074 8980C1F8
Device \Driver\NetBT \Device\NetBt_Wins_Export 8980B1F8
Device \Driver\NetBT \Device\NetbiosSmb 8980B1F8

AttachedDevice \Driver\Tcpip \Device\Udp epfwtdi.sys (Eset Personal Firewall TDI filter/ESET)
AttachedDevice \Driver\Tcpip \Device\RawIp epfwtdi.sys (Eset Personal Firewall TDI filter/ESET)

Device \Driver\usbuhci \Device\USBFDO-0 899F3500
Device \Driver\usbuhci \Device\USBFDO-1 899F3500
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 898153C8
Device \Driver\usbuhci \Device\USBFDO-2 899F3500
Device \FileSystem\MRxSmb \Device\LanmanRedirector 898153C8
Device \Driver\usbuhci \Device\USBFDO-3 899F3500
Device \Driver\usbehci \Device\USBFDO-4 899C01F8
Device \Driver\Ftdisk \Device\FtControl 89BA21F8
Device \FileSystem\Cdfs \Cdfs 8983C1F8
Device \Device\Ide\IdeDeviceP2T0L0-e -> \??\IDE#DiskWDC_WD3200AAJS-00L7A0___________________01.03E01#5&abde2ff&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x67 0x1F 0x5E 0xF2 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x67 0x1F 0x5E 0xF2 ...

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sectors 625142192 (+254): rootkit-like behavior;

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\pci.sys suspicious modification; TDL3 <-- ROOTKIT !!!

---- EOF - GMER 1.0.15 ----

cernohous13
VIP in memoriam
Posts: 8721
Registered: 09 Dec 2006 06:19
Location: Jablonec nad Nisou

Re: slow computer, desktop not displayed.

#7 Post by cernohous13 »

Another CFScript - same procedure as before

Code:

KillAll::

File::
c:\documents and settings\uzivatel\Data aplikací\hotfix.exe
c:\documents and settings\uzivatel\Data aplikací\scgdfgasfbh.bat
c:\documents and settings\uzivatel\Local Settings\Data aplikací\odutxn.exe
c:\documents and settings\uzivatel\Data aplikací\Microsoft\Windows\shellu.exe
c:\documents and settings\uzivatel\Data aplikací\Microsoft\Windows\shell.exe
c:\documents and settings\uzivatel\Data aplikací\juzjf.exe
C:\New Folder .exe

Firefox::
FF - ProfilePath - c:\documents and settings\uzivatel\Data aplikací\Mozilla\Firefox\Profiles\yszyddqx.default\
FF - prefs.js: browser.search.selectedEngine - ICQ Searchuser_pref(browser.startup.homepage,
FF - prefs.js: browser.search.selectedEngine - ICQ Searchuser_pref(browser.startup.homepage, hxxp://domredi.com/1/
FF - prefs.js: keyword.URL - hxxp://search.icq.com/search/afe_result ... 2.0.0.2&q=
FF - component: c:\documents and settings\uzivatel\Data aplikací\Mozilla\Firefox\Profiles\yszyddqx.default\extensions\ffxtlbr@Facemoods.com

TDL::
C:\WINDOWS\system32\drivers\pci.sys
Recommendations:
During the cleanup, perform new installations and uninstallations only on my instruction.
Study my reply thoroughly and carry out the whole operation according to it.
If anything is unclear, ask - I'll explain

-------------------------------------------------------------------------------------------------
> Forum support <

Mack556
Guest
Posts: 13
Registered: 06 Oct 2007 11:31

Re: slow computer, desktop not displayed.

#8 Post by Mack556 »

ComboFix

ComboFix 10-11-17.03 - uzivatel 19.11.2010 21:00:44.3.2 - x86
Systém Microsoft Windows XP Professional 5.1.2600.3.1250.421.1029.18.2047.1752 [GMT 1:00]
Running from: c:\documents and settings\uzivatel\Plocha\ComboFix.exe
Command switches used :: c:\documents and settings\uzivatel\Plocha\CFscript.txt
AV: ESET Smart Security 3.0 *On-access scanning disabled* (Outdated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET personal firewall *disabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}
* Resident AV is active


FILE ::
"c:\documents and settings\uzivatel\Data aplikací\hotfix.exe"
"c:\documents and settings\uzivatel\Data aplikací\juzjf.exe"
"c:\documents and settings\uzivatel\Data aplikací\Microsoft\Windows\shell.exe"
"c:\documents and settings\uzivatel\Data aplikací\Microsoft\Windows\shellu.exe"
"c:\documents and settings\uzivatel\Data aplikací\scgdfgasfbh.bat"
"c:\documents and settings\uzivatel\Local Settings\Data aplikací\odutxn.exe"
"C:\New Folder .exe"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\New Folder .exe

Infected copy of c:\windows\system32\drivers\pci.sys was found and disinfected
Restored copy from - Kitty had a snack :p
--
Infected copy of c:\windows\system32\DRIVERS\pci.sys was found and disinfected
Restored copy from - Kitty ate it :p
Infected copy of c:\windows\system32\drivers\pci.sys was found and disinfected
Restored copy from - Kitty had a snack :p
--
Infected copy of c:\windows\system32\DRIVERS\pci.sys was found and disinfected
Restored copy from - Kitty ate it :p
.
((((((((((((((((((((((((( Files Created from 2010-10-19 to 2010-11-19 )))))))))))))))))))))))))))))))
.

2010-11-19 18:34 . 2010-11-08 09:32 296448 ----a-w- C:\gmer.exe
2010-11-19 18:30 . 2010-11-19 18:30 -------- d-----w- C:\New Folder
2010-11-18 19:40 . 2010-11-18 19:40 597504 ----a-w- c:\documents and settings\uzivatel\Data aplikací\hotfix.exe
2010-11-18 19:40 . 2010-11-18 19:40 208 ----a-w- c:\documents and settings\uzivatel\Data aplikací\scgdfgasfbh.bat
2010-11-18 15:09 . 2010-11-18 15:09 -------- d-----w- c:\documents and settings\Administrator
2010-11-18 14:45 . 2010-11-18 16:55 -------- d-----w- c:\program files\trend micro
2010-11-18 14:45 . 2010-11-18 14:45 -------- d-----w- C:\rsit
2010-11-13 22:13 . 2010-11-13 22:13 64000 --s---r- c:\documents and settings\uzivatel\Local Settings\Data aplikací\odutxn.exe
2010-11-10 15:11 . 2010-11-13 10:09 -------- d-----w- c:\program files\Java
2010-10-28 12:00 . 2010-11-05 18:32 112128 ------w- c:\documents and settings\uzivatel\Data aplikací\Microsoft\Windows\shellu.exe
2010-10-21 16:59 . 2010-11-12 17:14 115200 ----a-w- c:\documents and settings\uzivatel\Data aplikací\Microsoft\Windows\shell.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-10-17 17:03 . 2010-10-17 17:03 93184 --sh--r- c:\documents and settings\uzivatel\Data aplikací\juzjf.exe
.

------- Sigcheck -------

[-] 2008-06-23 . 1E603EA2A3FDBAE9E5B88A8CB3C03124 . 1571840 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((( SnapShot@2010-11-18_15.44.20 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-04-14 06:10 . 2008-04-14 07:10 68736 c:\windows\system32\drivers\pci.sys
- 2008-04-14 06:10 . 2008-04-14 06:10 68736 c:\windows\system32\drivers\pci.sys
+ 2008-04-14 06:10 . 2008-04-14 07:10 68736 c:\windows\system32\dllcache\pci.sys
- 2008-04-14 06:10 . 2008-04-14 06:10 68736 c:\windows\system32\dllcache\pci.sys
+ 2009-12-30 14:22 . 2009-12-30 12:22 721904 c:\windows\system32\drivers\sptd.sys
- 2009-12-30 15:22 . 2009-12-30 14:22 721904 c:\windows\system32\drivers\sptd.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2010-03-09 26100520]
"ICQ"="c:\program files\ICQ7.1\ICQ.exe" [2010-10-27 133432]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2008-10-28 17331200]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-01-15 13680640]
"nwiz"="nwiz.exe" [2009-01-15 1657376]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-01-15 86016]
"tsnpstd3"="c:\windows\tsnpstd3.exe" [2007-02-07 262144]
"snpstd3"="c:\windows\vsnpstd3.exe" [2006-09-19 827392]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2007-12-21 1443072]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Nabídka Start\Programy\Po spuštění\
InterVideo WinCinema Manager.lnk - c:\program files\InterVideo\Common\Bin\WinCinemaMgr.exe [2009-7-1 155648]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\VP-EYE\\avi\\avi.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\ICQ7.1\\ICQ.exe"=
"c:\\Program Files\\ICQ7.1\\aolload.exe"=
"c:\\Program Files\\Java\\jre-07\\bin\\jusched.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [30.12.2009 15:22 721904]
R2 ekrn;Eset Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [21.12.2007 7:21 468224]
R2 ICQ Service;ICQ Service;c:\program files\ICQ6Toolbar\ICQ Service.exe [1.5.2010 20:26 246520]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyServer = http=127.0.0.1:50370
IE: {{71BFC818-0CED-42D6-9C87-5142918957EE} - c:\program files\ICQ7.1\ICQ.exe
FF - ProfilePath - c:\documents and settings\uzivatel\Data aplikací\Mozilla\Firefox\Profiles\yszyddqx.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.sk/
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified
c:\program files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".sk");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-11-19 21:07
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(924)
c:\windows\system32\msimtf.dll
c:\windows\system32\wpdshserviceobj.dll
c:\windows\system32\portabledevicetypes.dll
c:\windows\system32\portabledeviceapi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\RTHDCPL.EXE
c:\windows\system32\RUNDLL32.EXE
c:\windows\system32\nvsvc32.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-11-19 21:09:27 - machine was rebooted
ComboFix-quarantined-files.txt 2010-11-19 20:09
ComboFix2.txt 2010-11-19 18:33
ComboFix3.txt 2010-11-18 15:47

Pre-Run: Volných bajtů: 303 621 820 416
Post-Run: Volných bajtů: 303 619 153 920

- - End Of File - - 1E35118818008702CC380CD4A5C33F7E

cernohous13
VIP in memoriam
Posts: 8721
Registered: 09 Dec 2006 06:19
Location: Jablonec nad Nisou

Re: slow computer, desktop not displayed.

#9 Post by cernohous13 »

How is the PC doing? - any more problems?

Mack556
Guest
Posts: 13
Registered: 06 Oct 2007 11:31

Re: slow computer, desktop not displayed.

#10 Post by Mack556 »

The desktop doesn't work; the bottom bar works, but there are no icons on the desktop. At the moment that is probably the only remaining problem.

And these files are still present on the disk.
"c:\documents and settings\uzivatel\Data aplikací\hotfix.exe"
"c:\documents and settings\uzivatel\Data aplikací\juzjf.exe"
"c:\documents and settings\uzivatel\Data aplikací\Microsoft\Windows\shell.exe"
"c:\documents and settings\uzivatel\Data aplikací\Microsoft\Windows\shellu.exe"
"c:\documents and settings\uzivatel\Data aplikací\scgdfgasfbh.bat"
"c:\documents and settings\uzivatel\Local Settings\Data aplikací\odutxn.exe"
"C:\New Folder .exe"
According to VirusTotal they are trojans.

cernohous13
VIP in memoriam
Posts: 8721
Registered: 09 Dec 2006 06:19
Location: Jablonec nad Nisou

Re: slow computer, desktop not displayed.

#11 Post by cernohous13 »

Download Avenger here:
http://swandog46.geekstogo.com/avenger.exe
Run it and answer "Yes" everywhere.
Main window: tick both boxes at the bottom.

Copy the green script text into the "Input script here" field -> "Execute" -> "Yes"
The machine will restart; wait for Notepad to open and paste its contents here. (C:\avenger.txt)
Script

Code:

Files to delete:
c:\documents and settings\uzivatel\Data aplikací\hotfix.exe
c:\documents and settings\uzivatel\Data aplikací\juzjf.exe
c:\documents and settings\uzivatel\Data aplikací\Microsoft\Windows\shell.exe
c:\documents and settings\uzivatel\Data aplikací\Microsoft\Windows\shellu.exe
c:\documents and settings\uzivatel\Data aplikací\scgdfgasfbh.bat
c:\documents and settings\uzivatel\Local Settings\Data aplikací\odutxn.exe
C:\New Folder .exe

Mack556
Guest
Posts: 13
Registered: 06 Oct 2007 11:31

Re: slow computer, desktop not displayed.

#12 Post by Mack556 »

Here is the log; after startup this file "C:\New Folder .exe" came back, the others are gone, the desktop is still empty.


Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File "c:\documents and settings\uzivatel\Data aplikací\hotfix.exe" deleted successfully.
File "c:\documents and settings\uzivatel\Data aplikací\juzjf.exe" deleted successfully.
File "c:\documents and settings\uzivatel\Data aplikací\Microsoft\Windows\shell.exe" deleted successfully.
File "c:\documents and settings\uzivatel\Data aplikací\Microsoft\Windows\shellu.exe" deleted successfully.
File "c:\documents and settings\uzivatel\Data aplikací\scgdfgasfbh.bat" deleted successfully.
File "c:\documents and settings\uzivatel\Local Settings\Data aplikací\odutxn.exe" deleted successfully.
File "C:\New Folder .exe" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

cernohous13
VIP in memoriam
Posts: 8721
Registered: 09 Dec 2006 06:19
Location: Jablonec nad Nisou

Re: slow computer, desktop not displayed.

#13 Post by cernohous13 »

Send me a new RSIT log - I'll have a look in the morning

Mack556
Guest
Posts: 13
Registered: 06 Oct 2007 11:31

Re: slow computer, desktop not displayed.

#14 Post by Mack556 »

Logfile of random's system information tool 1.08 (written by random/random)
Run by uzivatel at 2010-11-19 22:06:15
Systém Microsoft Windows XP Professional Service Pack 3
System drive C: has 290 GB (95%) free of 305 GB
Total RAM: 2047 MB (73% free)

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 22:06:20, on 19.11.2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\tsnpstd3.exe
C:\WINDOWS\vsnpstd3.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\ICQ7.1\ICQ.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\ICQ6Toolbar\ICQ Service.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Documents and Settings\uzivatel\Dokumenty\Preberanie\RSIT.exe
C:\Program Files\trend micro\uzivatel.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.sk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:50370
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
R3 - URLSearchHook: ICQToolBar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQ6Toolbar\ICQToolBar.dll
R3 - URLSearchHook: (no name) - - (no file)
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll (file missing)
O3 - Toolbar: ICQToolBar - {855F3B16-6D32-4FE6-8A56-BBB695989046} - C:\Program Files\ICQ6Toolbar\ICQToolBar.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [tsnpstd3] C:\WINDOWS\tsnpstd3.exe
O4 - HKLM\..\Run: [snpstd3] C:\WINDOWS\vsnpstd3.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [SunJavaUpdateSched,] C:\Program Files\Java\jre-07\bin\jusched.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [ICQ] "C:\Program Files\ICQ7.1\ICQ.exe" silent loginmode=4
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O9 - Extra button: ICQ7.1 - {71BFC818-0CED-42D6-9C87-5142918957EE} - C:\Program Files\ICQ7.1\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ7.1 - {71BFC818-0CED-42D6-9C87-5142918957EE} - C:\Program Files\ICQ7.1\ICQ.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Proces mezipaměti kategorií součástí - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: ICQ Service - Unknown owner - C:\Program Files\ICQ6Toolbar\ICQ Service.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 5033 bytes

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{EE5D279F-081B-4404-994D-C6B60AAEBA6D} - EPSON Web-To-Page - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll []
{855F3B16-6D32-4FE6-8A56-BBB695989046} - ICQToolBar - C:\Program Files\ICQ6Toolbar\ICQToolBar.dll [2010-01-03 1019128]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"=C:\WINDOWS\RTHDCPL.EXE [2008-10-28 17331200]
"NvCplDaemon"=C:\WINDOWS\system32\NvCpl.dll [2009-01-15 13680640]
"nwiz"=nwiz.exe /install []
"NvMediaCenter"=C:\WINDOWS\system32\NvMcTray.dll [2009-01-15 86016]
"tsnpstd3"=C:\WINDOWS\tsnpstd3.exe [2007-02-07 262144]
"snpstd3"=C:\WINDOWS\vsnpstd3.exe [2006-09-19 827392]
"egui"=C:\Program Files\ESET\ESET Smart Security\egui.exe [2007-12-21 1443072]
"SunJavaUpdateSched,"=C:\Program Files\Java\jre-07\bin\jusched.exe [2010-11-10 64000]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Skype"=C:\Program Files\Skype\Phone\Skype.exe [2010-03-09 26100520]
"ICQ"=C:\Program Files\ICQ7.1\ICQ.exe [2010-10-27 133432]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-14 15360]

C:\Documents and Settings\All Users\Nabídka Start\Programy\Po spuštění
InterVideo WinCinema Manager.lnk - C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\wpdshserviceobj.dll [2008-05-19 133632]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\{1a3e09be-1e45-494b-9174-d7385b45bbf5}]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=323
"NoDriveAutoRun"=67108863
"NoDrives"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveAutoRun"=67108863
"NoDriveTypeAutoRun"=323
"NoDrives"=0

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\VP-EYE\avi\avi.exe"="C:\VP-EYE\avi\avi.exe:*:Enabled:Video Monitor"
"C:\Program Files\Skype\Plugin Manager\skypePM.exe"="C:\Program Files\Skype\Plugin Manager\skypePM.exe:*:Enabled:Skype Extras Manager"
"C:\Program Files\ICQ7.1\ICQ.exe"="C:\Program Files\ICQ7.1\ICQ.exe:*:Enabled:ICQ7.1"
"C:\Program Files\ICQ7.1\aolload.exe"="C:\Program Files\ICQ7.1\aolload.exe:*:Enabled:aolload.exe"
"C:\Program Files\Java\jre-07\bin\jusched.exe"="C:\Program Files\Java\jre-07\bin\jusched.exe:*:Enabled:JavaUpdate,"
"C:\Program Files\Skype\Phone\Skype.exe"="C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\ICQ7.1\ICQ.exe"="C:\Program Files\ICQ7.1\ICQ.exe:*:Enabled:ICQ7.1"
"C:\Program Files\ICQ7.1\aolload.exe"="C:\Program Files\ICQ7.1\aolload.exe:*:Enabled:aolload.exe"

======List of files/folders created in the last 1 months======

2010-11-19 21:55:37 ----A---- C:\New Folder .exe
2010-11-19 21:55:16 ----A---- C:\avenger 01.txt
2010-11-19 21:54:01 ----D---- C:\Avenger
2010-11-19 21:54:01 ----A---- C:\avenger.txt
2010-11-19 21:09:59 ----A---- C:\log combo 3.txt
2010-11-19 21:09:29 ----D---- C:\WINDOWS\temp
2010-11-19 21:09:27 ----A---- C:\ComboFix.txt
2010-11-19 19:34:38 ----A---- C:\gmer.exe
2010-11-19 19:33:19 ----A---- C:\log combo 2.txt
2010-11-19 19:30:30 ----HD---- C:\New Folder
2010-11-18 16:48:38 ----A---- C:\log combo 1.txt
2010-11-18 16:25:36 ----A---- C:\Boot.bak
2010-11-18 16:25:31 ----RASHD---- C:\cmdcons
2010-11-18 16:23:50 ----A---- C:\WINDOWS\zip.exe
2010-11-18 16:23:50 ----A---- C:\WINDOWS\SWXCACLS.exe
2010-11-18 16:23:50 ----A---- C:\WINDOWS\SWSC.exe
2010-11-18 16:23:50 ----A---- C:\WINDOWS\SWREG.exe
2010-11-18 16:23:50 ----A---- C:\WINDOWS\sed.exe
2010-11-18 16:23:50 ----A---- C:\WINDOWS\PEV.exe
2010-11-18 16:23:50 ----A---- C:\WINDOWS\NIRCMD.exe
2010-11-18 16:23:50 ----A---- C:\WINDOWS\MBR.exe
2010-11-18 16:23:50 ----A---- C:\WINDOWS\grep.exe
2010-11-18 16:23:34 ----D---- C:\WINDOWS\ERDNT
2010-11-18 16:23:18 ----D---- C:\Qoobox
2010-11-18 16:09:38 ----SHD---- C:\WINDOWS\CSC
2010-11-18 16:09:32 ----A---- C:\WINDOWS\ntbtlog.txt
2010-11-18 15:45:36 ----D---- C:\Program Files\trend micro
2010-11-18 15:45:35 ----D---- C:\rsit
2010-11-13 13:43:43 ----H---- C:\www.google.com.htm
2010-11-10 16:11:11 ----D---- C:\Program Files\Java
2010-11-08 17:30:36 ----AH---- C:\Documents and Settings\uzivatel\Data aplikací\winsavesrc.txt
2010-10-24 19:45:53 ----AH---- C:\WINDOWS\soms.txt

======List of files/folders modified in the last 1 months======

2010-11-19 21:57:58 ----D---- C:\Documents and Settings\uzivatel\Data aplikací\Skype
2010-11-19 21:56:05 ----D---- C:\Program Files\Mozilla Firefox
2010-11-19 21:54:01 ----D---- C:\WINDOWS\system32\drivers
2010-11-19 21:54:01 ----D---- C:\WINDOWS
2010-11-19 21:53:12 ----A---- C:\WINDOWS\SchedLgU.Txt
2010-11-19 21:08:46 ----D---- C:\WINDOWS\system32\CatRoot2
2010-11-19 21:07:15 ----A---- C:\WINDOWS\system.ini
2010-11-19 21:07:02 ----D---- C:\WINDOWS\system32\drivers\etc
2010-11-19 21:05:05 ----D---- C:\WINDOWS\system32
2010-11-19 21:05:05 ----D---- C:\WINDOWS\AppPatch
2010-11-19 21:05:02 ----D---- C:\Program Files\Common Files
2010-11-19 21:00:46 ----RSHDC---- C:\WINDOWS\system32\dllcache
2010-11-19 20:58:57 ----D---- C:\WINDOWS\system32\config
2010-11-19 20:13:31 ----D---- C:\Documents and Settings\uzivatel\Data aplikací\ICQ
2010-11-19 19:32:20 ----SD---- C:\WINDOWS\Tasks
2010-11-19 18:56:51 ----D---- C:\Documents and Settings\uzivatel\Data aplikací\skypePM
2010-11-18 17:36:16 ----D---- C:\Documents and Settings
2010-11-18 16:39:41 ----SD---- C:\Documents and Settings\uzivatel\Data aplikací\Microsoft
2010-11-18 16:25:36 ----RASH---- C:\boot.ini
2010-11-18 15:45:36 ----RD---- C:\Program Files
2010-11-13 22:32:27 ----D---- C:\WINDOWS\Prefetch
2010-11-07 13:42:04 ----D---- C:\WINDOWS\system32\dlls
2010-11-01 17:56:03 ----AH---- C:\Documents and Settings\uzivatel\Data aplikací\wimknrncds.txt
2010-11-01 08:35:40 ----D---- C:\Program Files\ICQ7.1
2010-10-31 13:12:26 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2010-10-29 18:06:41 ----HD---- C:\WINDOWS\inf
2010-10-29 18:06:34 ----D---- C:\WINDOWS\Minidump

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R0 sptd;sptd; C:\WINDOWS\System32\Drivers\sptd.sys [2009-12-30 721904]
R1 easdrv;easdrv; C:\WINDOWS\system32\DRIVERS\easdrv.sys [2007-12-21 30216]
R1 epfwtdi;epfwtdi; C:\WINDOWS\system32\DRIVERS\epfwtdi.sys [2007-12-21 53768]
R1 intelppm;Řadič procesoru Intel; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-14 40192]
R2 eamon;EAMON; C:\WINDOWS\system32\DRIVERS\eamon.sys [2007-12-21 39944]
R2 epfw;epfw; C:\WINDOWS\system32\DRIVERS\epfw.sys [2007-12-21 71176]
R3 Epfwndis;Eset Personal Firewall; C:\WINDOWS\system32\DRIVERS\Epfwndis.sys [2007-12-21 30728]
R3 HDAudBus;Ovladač Microsoft UAA pro sběrnici High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2008-04-13 144384]
R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\WINDOWS\system32\drivers\RtkHDAud.sys [2008-10-31 4942336]
R3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2009-01-15 6301248]
R3 RTLE8023xp;Realtek 10/100/1000 PCI-E NIC Family NDIS XP Driver; C:\WINDOWS\system32\DRIVERS\Rtenicxp.sys [2008-08-07 111360]
R3 usbstor;Ovladač velkokapacitního paměťového zařízení USB; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
R3 usbuhci;Ovladač Microsoft univerzálního hostitelského řadiče USB od společnosti Microsoft; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-13 20608]
S1 kbdhid;Ovladač klávesnice standardu HID; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2008-04-14 14592]
S3 catchme;catchme; \??\C:\ComboFix\catchme.sys []
S3 CCDECODE;Dekodér Closed Caption; C:\WINDOWS\system32\DRIVERS\CCDECODE.sys [2008-04-13 17024]
S3 hidusb;Ovladač třídy standardu HID; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
S3 mouhid;Ovladač myši standardu HID; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-10-25 12160]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\WINDOWS\system32\drivers\MSTEE.sys [2008-04-13 5504]
S3 NABTSFEC;NABTS/FEC VBI Codec; C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys [2008-04-13 85248]
S3 NdisIP;Microsoft TV/Video Connection; C:\WINDOWS\system32\DRIVERS\NdisIP.sys [2008-04-13 10880]
S3 SLIP;BDA Slip De-Framer; C:\WINDOWS\system32\DRIVERS\SLIP.sys [2008-04-13 11136]
S3 SNPSTD3;USB PC Camera (SNPSTD3); C:\WINDOWS\system32\DRIVERS\snpstd3.sys [2007-04-06 10342784]
S3 streamip;BDA IPSink; C:\WINDOWS\system32\DRIVERS\StreamIP.sys [2008-04-13 15232]
S3 usbccgp;Obecný nadřazený ovladač Microsoft USB; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-13 32128]
S3 usbprint;Třída USB Printer; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-13 25856]
S3 usbscan;Ovladač skeneru USB; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-13 15104]
S3 WSTCODEC;Dálnopisný kodek světového standardu; C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS [2008-04-13 19200]
S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2008-05-19 77568]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2008-05-19 82944]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 ekrn;Eset Service; C:\Program Files\ESET\ESET Smart Security\ekrn.exe [2007-12-21 468224]
R2 ICQ Service;ICQ Service; C:\Program Files\ICQ6Toolbar\ICQ Service.exe [2010-01-03 246520]
R2 NVSvc;NVIDIA Display Driver Service; C:\WINDOWS\system32\nvsvc32.exe [2009-01-15 163908]
S3 EhttpSrv;Eset HTTP Server; C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe [2007-12-21 19200]
S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-14 14336]

-----------------EOF-----------------

cernohous13
VIP in memoriam
Posts: 8721
Registered: 09 Dec 2006 06:19
Location: Jablonec nad Nisou

Re: slow computer, desktop does not show.

#15 Post by cernohous13 »

We have to kill it with something - a few attempts
another CFScript

Code:

KillAll::

RenV::
C:\New Folder .exe
--------------------------------------------------------------------
Download "System Look" - http://jpshortstuff.247fixes.com/SystemLook.exe
Run it and paste into its window:

Code:

:regfind
New Folder .exe
Click Look and, once the scan finishes, paste the search result here
--------------------------------------------------------------------
Download OTM from one of these links and unpack it, preferably to the desktop.
http://oldtimer.geekstogo.com/OTM.exe
http://www.itxassociates.com/OT-Tools/OTM.exe

Run "OTM.exe"
Into the window under the yellow line paste the whole text in green from the "Script"

Click the red "Moveit!"
Paste the contents of the green window into your reply
When offered a restart, click "YES"
You will then find the log in C:\_OTM\MovedFiles\

OTM script

Code:

:Processes
explorer.exe

:Files
%windir%\system32\*.tmp.dll /s
%windir%\system32\SET*.tmp /s
%windir%\*.tmp /s
C:\New Folder .exe
C:\New Folder.exe
C:\Documents and Settings\uzivatel\Data aplikací\winsavesrc.txt
C:\Documents and Settings\uzivatel\Data aplikací\wimknrncds.txt
C:\WINDOWS\soms.txt
C:\New Folder

:Reg
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{EE5D279F-081B-4404-994D-C6B60AAEBA6D}"=-
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched,"=-
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\{1a3e09be-1e45-494b-9174-d7385b45bbf5}]

:Commands
[PURITY]
[RESETHOSTS]
[EMPTYTEMP]
[EMPTYFLASH]
[CLEARALLRESTOREPOINTS]
[REBOOT]
----------------------------------------------------------------------
Run C:\Program Files\trend micro\uzivatel.exe
click -> Do a system scan only
then tick the box in front of the line R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:50370
click Fix Checked -> OK
----------------------------------------------------------------------
new RSIT + CF + OTM + System Look logs
Recommendations:
While the cleanup is in progress, install or uninstall anything only when I tell you to.
Read my reply carefully and carry out the whole procedure exactly as written.
If anything is unclear, ask - I will explain.

-------------------------------------------------------------------------------------------------
> Forum support <

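The helper's reply above picks its targets by eye from the RSIT dump: an executable called "New Folder .exe" sitting next to a real "New Folder" directory, hidden .txt/.htm files dropped in the profile and in WINDOWS, a Run value named "SunJavaUpdateSched," (note the trailing comma), a GUID entry under SafeBoot\network, and a browser proxy pointing at 127.0.0.1:50370. The Python script below is an added example, not part of the thread or of RSIT, HijackThis, ComboFix or OTM; it re-implements those checks as detection logic over log lines so the same triage can be repeated on the next log. The sample lines are copied from the RSIT output above except the "updater" Run value, which is constructed so the temp-directory check fires. The list of known-good autostart names, the profile-directory fragments and the "hidden data file" extensions are assumptions for this example, not anything the tools define.

```python
"""Triage of RSIT / HijackThis log lines (added example, not from the thread)."""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample. Every line is copied from the RSIT log above except the
# "updater" Run value, which is made up so the temp-directory check fires.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"egui"=C:\Program Files\ESET\ESET Smart Security\egui.exe [2007-12-21 1443072]
"SunJavaUpdateSched,"=C:\Program Files\Java\jre-07\bin\jusched.exe [2010-11-10 64000]
"updater"=C:\Documents and Settings\uzivatel\Local Settings\Temp\updater.exe [2010-11-01 12345]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\{1a3e09be-1e45-494b-9174-d7385b45bbf5}]

======List of files/folders created in the last 1 months======

2010-11-19 21:55:37 ----A---- C:\New Folder .exe
2010-11-19 19:30:30 ----HD---- C:\New Folder
2010-11-18 16:23:50 ----A---- C:\WINDOWS\zip.exe
2010-11-18 16:25:36 ----RASH---- C:\boot.ini
2010-11-13 13:43:43 ----H---- C:\www.google.com.htm
2010-11-08 17:30:36 ----AH---- C:\Documents and Settings\uzivatel\Data aplikací\winsavesrc.txt
2010-10-24 19:45:53 ----AH---- C:\WINDOWS\soms.txt
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:50370
"""

FILE_RE = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d -+([A-Z]*)-+ (.+)$")
SECTION_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")
RUN_VALUE_RE = re.compile(r'^"([^"]+)"=(.+?)(?: \[[^\]]*\])?$')
PROXY_RE = re.compile(r"ProxyServer = (?:http=)?([\w.]+):(\d+)")
SAFEBOOT_GUID_RE = re.compile(r"\\safeboot\\(?:minimal|network)\\\{[0-9a-f-]{36}\}$", re.I)

# Assumptions for this example: autostart names that are legitimate in the log
# above, directory fragments where an autostart binary has no business living,
# and extensions that never carry the hidden attribute on a clean machine.
KNOWN_AUTOSTART = {"SunJavaUpdateSched", "egui", "ctfmon.exe", "Skype", "ICQ",
                   "RTHDCPL", "NvCplDaemon", "nwiz", "NvMediaCenter"}
PROFILE_DIRS = ("\\temp\\", "\\local settings\\", "\\locals~1\\",
                "\\application data\\", "\\data aplikací\\", "\\appdata\\")
HIDDEN_DATA_EXT = {"txt", "htm", "html"}


@dataclass(frozen=True)
class Finding:
    kind: str      # short tag, stable for tests and filtering
    evidence: str  # the path, key or line that triggered the finding
    note: str      # what a reviewer should do with it


def _check_run_value(name: str, path: str) -> List[Finding]:
    out = []
    stripped = name.rstrip(",.;: ")
    if stripped != name and stripped in KNOWN_AUTOSTART:
        out.append(Finding("autostart-name-typosquat", f'"{name}"={path}',
                           f'looks like "{stripped}" with trailing punctuation; '
                           "check the binary it points at before trusting it"))
    if any(frag in path.lower() for frag in PROFILE_DIRS):
        out.append(Finding("autostart-from-profile-dir", f'"{name}"={path}',
                           "autostart binary lives in a temp or profile directory"))
    return out


def triage(log_text: str) -> List[Finding]:
    lines = log_text.splitlines()
    # Pass 1: every directory in the file listings, so an executable named
    # "<existing folder> .exe" can be matched against its decoy.
    dirs = {m.group(2).lower() for m in map(FILE_RE.match, lines) if m and "D" in m.group(1)}
    findings: List[Finding] = []
    in_run_key = False
    for line in lines:
        sec = SECTION_RE.match(line)
        if sec:
            key = sec.group(1)
            in_run_key = key.lower().endswith("\\currentversion\\run")
            if SAFEBOOT_GUID_RE.search(key):
                findings.append(Finding("safeboot-entry", key,
                    "lets the named driver/service start in Safe Mode; identify "
                    "what the GUID refers to before deleting the key"))
            continue
        if line.startswith("======"):
            in_run_key = False  # left the registry dump, file listings follow
            continue
        if in_run_key:
            m = RUN_VALUE_RE.match(line)
            if m:
                findings.extend(_check_run_value(m.group(1), m.group(2)))
            continue
        m = FILE_RE.match(line)
        if m:
            attrs, path = m.group(1), m.group(2)
            parent, _, base = path.rpartition("\\")
            stem, _, ext = base.rpartition(".")
            is_dir = "D" in attrs
            if not is_dir and ext.lower() == "exe":
                sibling = f"{parent}\\{stem.rstrip()}".lower()
                if sibling in dirs:
                    findings.append(Finding("exe-mimics-folder", path,
                        f"a folder named {stem.rstrip()!r} exists beside it; "
                        "folder-icon lure, remove the .exe"))
                elif stem != stem.rstrip():
                    findings.append(Finding("exe-trailing-space", path,
                        "space before .exe hides the extension in Explorer"))
            if not is_dir and "H" in attrs and ext.lower() in HIDDEN_DATA_EXT:
                findings.append(Finding("hidden-data-file", path,
                    "hidden text/html file outside any program directory; inspect its contents"))
            continue
        pm = PROXY_RE.search(line)
        if pm and pm.group(1) in ("127.0.0.1", "localhost"):
            findings.append(Finding("loopback-proxy", line.strip(),
                f"browser traffic is routed through local port {pm.group(2)}; "
                "find the listening process before clearing the proxy"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:28} {f.evidence}\n{'':28} -> {f.note}")
```

The script reports eight findings for the sample, in log order: the typosquatted Java entry, the constructed temp-directory autostart, the SafeBoot GUID, "New Folder .exe" beside its decoy folder, the three hidden data files, and the loopback proxy. The proxy finding deliberately says "find the listening process": on XP, `netstat -ano` shows which PID owns port 50370, and killing the proxy setting without removing that process only gives the malware a reason to put it back.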