Zaheslovaný systém W. XP

Zpráva

mabor · #1 Příspěvek od **mabor** » 02 led 2011 18:41

Na synové PC došlo k tomu ,že se nešlo přihlásit do systému ani jako uživatel ani jako administrator po rozlousknutí hesla "predator" se systém ihned po najetí sám restartuje.

Díky za pomoc

Logfile of random's system information tool 1.08 (written by random/random)
Run by Administrator at 2011-01-02 18:33:15
Systém Microsoft Windows XP Professional Service Pack 3
System drive C: has 44 GB (55%) free of 81 GB
Total RAM: 1023 MB (81% free)

HijackThis download failed

======Scheduled tasks folder======

C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
Adobe PDF Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2010-06-19 75200]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}]
Groove GFS Browser Helper - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll [2009-02-12 2217848]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
Google Toolbar Helper - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll [2010-12-12 297648]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}]
Skype add-on for Internet Explorer - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll [2010-02-08 804136]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
Google Toolbar Notifier BHO - C:\Program Files\Google\GoogleToolbarNotifier\5.6.5805.1910\swg.dll [2010-10-23 843832]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c900b400-cdfe-11d3-976a-00e02913a9e0}]
WhIeHelperObj Class - C:\Program Files\webHancer\programs\whiehlpr.dll [2001-05-18 86016]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java(tm) Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2010-09-15 41760]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2010-09-15 79648]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{855F3B16-6D32-4FE6-8A56-BBB695989046} - ICQToolBar - C:\Program Files\ICQ6Toolbar\ICQToolBar.dll [2010-06-21 1018680]
{2318C2B1-4965-11d4-9B18-009027A5CD4F} - Google Toolbar - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll [2010-12-12 297648]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"DWPersistentQueuedReporting"=C:\Program Files\Common Files\Microsoft Shared\DW\DWTRIG20.EXE [2008-11-04 435096]
"SunJavaUpdateSched"=C:\Program Files\Common Files\Java\Java Update\jusched.exe [2010-05-14 248552]
"avast5"=C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe [2010-06-28 2837864]
"CmPCIaudio"=RunDll32 CMICNFG3.cpl,CMICtrlWnd []
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [2010-06-20 35760]
"Adobe ARM"=C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2010-09-21 932288]
"GrooveMonitor"=C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe [2008-10-25 31072]
"DivXUpdate"=C:\Program Files\DivX\DivX Update\DivXUpdate.exe [2010-08-20 1164584]
"webHancer Agent"=C:\Program Files\webHancer\Programs\whAgent.exe [2001-05-18 167936]
"PrnStatusMX"=C:\Program Files\Hewlett-Packard\PrnStatusMX\PrnStatusMX.exe [2007-08-29 1077248]
"ImagePath"=C:\windows\system_32.bat [2011-01-02 44]
"system_tray"=shutdown -r -f -t 0 []

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"=C:\WINDOWS\system32\ctfmon.exe [2008-04-14 15360]
"KB976002-v5"=advpack.dll,LaunchINFSection OPMWXPUP.inf,BrowserChoiceGoo []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
C:\WINDOWS\system32\Ati2evxx.dll [2008-01-12 122880]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\RailNotification]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2010-06-23 239496]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2010-06-23 133632]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"=C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [2010-06-23 304128]
"{B5A7F190-DDA6-4420-B3BA-52453494E6CD}"=C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll [2009-02-12 2217848]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=1

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Opera\opera.exe"="C:\Program Files\Opera\opera.exe:*:Enabled:Opera Internet Browser"
"C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE"="C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"C:\Program Files\Microsoft Office\Office12\GROOVE.EXE"="C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:*:Enabled:Microsoft Office Groove"
"C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE"="C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote"
"D:\D-link\DNS-323\setup\easy_search.exe"="D:\D-link\DNS-323\setup\easy_search.exe:*:Enabled:D-Link Easy Search Utility"
"C:\Program Files\ICQ7.2\ICQ.exe"="C:\Program Files\ICQ7.2\ICQ.exe:*:Enabled:ICQ7.2"
"C:\Program Files\ICQ7.2\aolload.exe"="C:\Program Files\ICQ7.2\aolload.exe:*:Enabled:aolload.exe"
"C:\Program Files\Skype\Plugin Manager\skypePM.exe"="C:\Program Files\Skype\Plugin Manager\skypePM.exe:*:Enabled:Skype Extras Manager"
"C:\Program Files\Metin2\metin2client.bin"="C:\Program Files\Metin2\metin2client.bin:*:Enabled:metin2client"
"C:\Documents and Settings\Maja\Local Settings\Temporary Internet Files\Content.IE5\YKTX7UOZ\SweetImSetup[1].exe"="C:\Documents and Settings\Maja\Local Settings\Temporary Internet Files\Content.IE5\YKTX7UOZ\SweetImSetup[1].exe:*:Enabled:SweetIM Installer"
"C:\Documents and Settings\Maja\Local Settings\Temp\SweetIMReinstall\SweetImSetup[1].exe"="C:\Documents and Settings\Maja\Local Settings\Temp\SweetIMReinstall\SweetImSetup[1].exe:*:Enabled:SweetIM Installer"
"C:\Program Files\Metin2\metin2.bin"="C:\Program Files\Metin2\metin2.bin:*:Enabled:metin2"
"C:\Program Files\Outbreak\Outbreak.exe"="C:\Program Files\Outbreak\Outbreak.exe:*:Disabled:Codename: Outbrake"
"C:\Program Files\Skype\Phone\Skype.exe"="C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\ICQ7.2\ICQ.exe"="C:\Program Files\ICQ7.2\ICQ.exe:*:Enabled:ICQ7.2"
"C:\Program Files\ICQ7.2\aolload.exe"="C:\Program Files\ICQ7.2\aolload.exe:*:Enabled:aolload.exe"

======List of files/folders created in the last 1 months======

2011-01-02 18:33:16 ----D---- C:\Program Files\trend micro
2011-01-02 18:33:15 ----D---- C:\rsit
2011-01-02 18:03:53 ----D---- C:\WINDOWS\pss
2011-01-02 17:30:08 ----ASH---- C:\Documents and Settings\Administrator\Data aplikací\desktop.ini
2011-01-02 17:30:05 ----SD---- C:\Documents and Settings\Administrator\Data aplikací\Microsoft
2011-01-02 17:30:04 ----D---- C:\Documents and Settings\Administrator\Data aplikací\Sun
2011-01-02 16:07:20 ----A---- C:\WINDOWS\ntbtlog.txt
2011-01-02 10:31:07 ----A---- C:\WINDOWS\system_32.bat
2010-12-30 15:55:10 ----D---- C:\Program Files\Mozilla Firefox
2010-12-26 19:59:08 ----D---- C:\Program Files\EA GAMES
2010-12-26 19:59:07 ----RA---- C:\WINDOWS\system32\vp6vfw.dll
2010-12-20 19:28:48 ----HDC---- C:\WINDOWS\$NtUninstallKB2296199$
2010-12-20 19:28:11 ----HDC---- C:\WINDOWS\$NtUninstallKB2443105$
2010-12-20 19:27:44 ----HDC---- C:\WINDOWS\$NtUninstallKB2440591$
2010-12-20 19:27:00 ----HDC---- C:\WINDOWS\$NtUninstallKB2443685$
2010-12-20 19:26:56 ----HDC---- C:\WINDOWS\$NtUninstallKB2436673$
2010-12-20 19:26:49 ----HDC---- C:\WINDOWS\$NtUninstallKB2467659$
2010-12-15 15:30:40 ----D---- C:\1802f71bee8ab86f9b
2010-12-15 15:30:32 ----HDC---- C:\WINDOWS\$NtUninstallKB2423089$
2010-12-03 15:08:08 ----D---- C:\Program Files\Common Files\Skype

======List of files/folders modified in the last 1 months======

2011-01-02 18:33:16 ----RD---- C:\Program Files
2011-01-02 18:32:39 ----HD---- C:\WINDOWS\inf
2011-01-02 18:32:37 ----D---- C:\WINDOWS\system32\CatRoot2
2011-01-02 18:03:53 ----D---- C:\WINDOWS
2011-01-02 17:57:43 ----A---- C:\WINDOWS\SchedLgU.Txt
2011-01-02 17:57:40 ----D---- C:\WINDOWS\Temp
2011-01-02 17:57:32 ----D---- C:\Documents and Settings\All Users\Data aplikací\Frag Games
2011-01-02 17:44:20 ----SHD---- C:\RECYCLER
2011-01-02 17:30:04 ----D---- C:\Documents and Settings
2011-01-02 11:32:24 ----D---- C:\WINDOWS\Prefetch
2011-01-01 20:09:08 ----D---- C:\WINDOWS\Microsoft.NET
2011-01-01 00:17:14 ----SHD---- C:\WINDOWS\Installer
2010-12-31 08:09:07 ----D---- C:\Program Files\Microsoft Silverlight
2010-12-26 21:44:14 ----D---- C:\WINDOWS\system32
2010-12-26 19:55:26 ----HD---- C:\Program Files\InstallShield Installation Information
2010-12-22 17:06:50 ----D---- C:\WINDOWS\system32\drivers
2010-12-22 17:06:32 ----D---- C:\Program Files\Metin2
2010-12-20 19:28:50 ----RSHDC---- C:\WINDOWS\system32\dllcache
2010-12-20 19:28:47 ----HD---- C:\WINDOWS\$hf_mig$
2010-12-20 19:28:44 ----D---- C:\Documents and Settings\All Users\Data aplikací\Microsoft Help
2010-12-20 19:28:14 ----A---- C:\WINDOWS\imsins.BAK
2010-12-20 19:28:06 ----D---- C:\Program Files\Internet Explorer
2010-12-20 19:27:56 ----D---- C:\WINDOWS\ie8updates
2010-12-15 15:30:42 ----A---- C:\WINDOWS\system32\MRT.exe
2010-12-15 15:30:34 ----D---- C:\Program Files\Outlook Express
2010-12-08 19:21:00 ----D---- C:\WINDOWS\system32\DirectX
2010-12-08 19:20:19 ----RSD---- C:\WINDOWS\assembly
2010-12-03 15:08:08 ----RD---- C:\Program Files\Skype
2010-12-03 15:08:08 ----D---- C:\Program Files\Common Files
2010-12-03 15:07:57 ----D---- C:\Documents and Settings\All Users\Data aplikací\Skype

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R0 PxHelp20;PxHelp20; C:\WINDOWS\System32\Drivers\PxHelp20.sys [2010-08-12 45648]
R0 sptd;sptd; C:\WINDOWS\System32\Drivers\sptd.sys [2010-11-25 685816]
R0 uagp35;Filtr Microsoft AGPv3.5; C:\WINDOWS\system32\DRIVERS\uagp35.sys [2008-04-13 44672]
R0 viaagp1;VIA AGP Filter; C:\WINDOWS\system32\DRIVERS\viaagp1.sys [2003-07-02 27904]
R3 USBSTOR;Ovladač velkokapacitního paměťového zařízení USB; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
R3 usbuhci;Ovladač Microsoft univerzálního hostitelského řadiče USB od společnosti Microsoft; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-14 20608]
R3 vulfnths;VIA USB Host Controller Lower Filter; C:\WINDOWS\System32\Drivers\vulfnth.sys [2003-08-04 6912]
R3 vulfntrs;VIA USB Roothub Lower Filter; C:\WINDOWS\System32\Drivers\vulfntr.sys [2003-08-04 11392]
S1 Aavmker4;avast! Asynchronous Virus Monitor; C:\WINDOWS\system32\drivers\Aavmker4.sys [2010-06-28 28880]
S1 AmdK7;Ovladač procesoru AMD K7; C:\WINDOWS\system32\DRIVERS\amdk7.sys [2010-06-23 41600]
S1 aswSP;aswSP; C:\WINDOWS\system32\drivers\aswSP.sys [2010-06-28 165456]
S1 aswTdi;avast! Network Shield Support; C:\WINDOWS\system32\drivers\aswTdi.sys [2010-06-28 46672]
S1 DumpDrv;Crash Dump Driver; C:\WINDOWS\system32\drivers\DumpDrv.sys [2010-06-23 9472]
S2 aswFsBlk;aswFsBlk; C:\WINDOWS\system32\drivers\aswFsBlk.sys [2010-06-28 17744]
S2 aswMon2;aswMon2; C:\WINDOWS\system32\drivers\aswMon2.sys [2010-06-28 100176]
S2 rspndr;Odpovídající zařízení zjišťování topologie linkové vrstvy; C:\WINDOWS\system32\DRIVERS\rspndr.sys [2010-06-23 62848]
S2 SetupNT;SetupNT; C:\WINDOWS\system32\SetupNT.sys [2000-10-25 3000]
S3 a61n5rgy;a61n5rgy; C:\WINDOWS\system32\drivers\a61n5rgy.sys []
S3 aswRdr;aswRdr; C:\WINDOWS\system32\drivers\aswRdr.sys [2010-06-28 23376]
S3 ati2mtag;ati2mtag; C:\WINDOWS\system32\DRIVERS\ati2mtag.sys [2008-01-12 2843136]
S3 CCDECODE;Dekodér Closed Caption; C:\WINDOWS\system32\DRIVERS\CCDECODE.sys [2008-04-13 17024]
S3 cmuda3;C-Media PCI Audio Interface; C:\WINDOWS\system32\drivers\cmudax3.sys [2010-08-20 1872320]
S3 EagleNT;EagleNT; \??\C:\WINDOWS\system32\drivers\EagleNT.sys []
S3 FETNDIS;VIA PCI 10/100Mb Fast Ethernet Adapter NT Driver; C:\WINDOWS\system32\DRIVERS\fetnd5.sys [2001-08-17 27165]
S3 ms_mpu401;Microsoft MPU-401 MIDI UART Driver; C:\WINDOWS\system32\drivers\msmpu401.sys [2001-08-17 2944]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\WINDOWS\system32\drivers\MSTEE.sys [2008-04-13 5504]
S3 NABTSFEC;NABTS/FEC VBI Codec; C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys [2008-04-13 85248]
S3 NdisIP;Microsoft TV/Video Connection; C:\WINDOWS\system32\DRIVERS\NdisIP.sys [2008-04-13 10880]
S3 SLIP;BDA Slip De-Framer; C:\WINDOWS\system32\DRIVERS\SLIP.sys [2008-04-13 11136]
S3 SoC PC-Camera Service;SoC PC-Camera; C:\WINDOWS\system32\DRIVERS\pfc027.sys [2004-06-17 136832]
S3 streamip;BDA IPSink; C:\WINDOWS\system32\DRIVERS\StreamIP.sys [2008-04-13 15232]
S3 WSTCODEC;Dálnopisný kodek světového standardu; C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS [2008-04-13 19200]
S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2010-06-23 77568]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2010-06-23 82944]
S4 exFat;exFat; C:\WINDOWS\system32\drivers\exFat.sys [2010-06-23 133632]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

S2 Ati HotKey Poller;Ati HotKey Poller; C:\WINDOWS\system32\Ati2evxx.exe [2008-01-12 512000]
S2 ATI Smart;ATI Smart; C:\WINDOWS\system32\ati2sgag.exe [2008-01-11 593920]
S2 avast! Antivirus;avast! Antivirus; C:\Program Files\Alwil Software\Avast5\AvastSvc.exe [2010-06-28 40384]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86; C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
S2 gupdate;Služba Google Update (gupdate); C:\Program Files\Google\Update\GoogleUpdate.exe [2010-08-26 135664]
S2 ICQ Service;ICQ Service; C:\Program Files\ICQ6Toolbar\ICQ Service.exe [2010-06-21 246584]
S2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2010-09-15 153376]
S2 StarWindServiceAE;StarWind AE Service; C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe [2007-05-28 275968]
S2 WSearch;Windows Search; C:\WINDOWS\system32\SearchIndexer.exe [2010-06-23 439808]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\aspnet_state.exe [2010-03-18 35160]
S3 avast! Mail Scanner;avast! Mail Scanner; C:\Program Files\Alwil Software\Avast5\AvastSvc.exe [2010-06-28 40384]
S3 avast! Web Scanner;avast! Web Scanner; C:\Program Files\Alwil Software\Avast5\AvastSvc.exe [2010-06-28 40384]
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; C:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe [2008-07-29 46104]
S3 gusvc;Google Software Updater; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2010-08-26 182768]
S3 idsvc;Windows CardSpace; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2008-07-29 881664]
S3 Microsoft Office Groove Audit Service;Microsoft Office Groove Audit Service; C:\Program Files\Microsoft Office\Office12\GrooveAuditService.exe [2008-10-25 65888]
S3 odserv;Microsoft Office Diagnostics Service; C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE [2008-11-04 441712]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2006-10-26 145184]
S3 WinRM;Windows Remote Management (WS-Management); C:\WINDOWS\system32\svchost.exe [2010-06-23 14848]
S3 WMPNetworkSvc;Služba Windows Media Player Network Sharing; C:\Program Files\Windows Media Player\WMPNetwk.exe [2010-06-23 913920]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0; C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\WPFFontCache_v0400.exe []
S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2010-06-23 14848]
S4 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2008-07-25 69632]
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe [2010-03-18 124240]

-----------------EOF-----------------

#2 Příspěvek od **Rudy** » 02 led 2011 19:31

Dejte log z ComboFix.

Stahnete a ulozte nejlepe na plochu ComboFix: http://download.bleepingcomputer.com/sUBs/ComboFix.exe

pote spustte aplikaci pod uctem s administratorskym opravnenim

hned po startu se zobrazi obrazovka s licencnimi podminkami, pokracujte kliknutim na tlacitko Ano.

v klidu si postavte na kafe (cela akce trva cca. 5-10 minut, nekdy i dele - dle toho, o jak rychly stroj se jedna a kolika soubory se skener bude muset prodirat), behem skenu se nepokousejte spoustet zadne jine aplikace ani nic jineho

behem skenovani nepropadejte panice, vas stroj muze byt restartovan (predevsim pri prvni aplikaci skeneru)

upozorneni: pokud pouzivate antispyware s rezidentnim stitem, prepnete jeho rezidentni stit do Install Mode, pripadne jej po dobu skenu uplne deaktivujte, protoze dochazi pri skenu a vymazu pripadneho malware k nezadoucim kolizim s rezidentem antispyware

mabor · #3 Příspěvek od **mabor** » 02 led 2011 20:17

Program jsem stahl a spustil ,ale jen v nouzovém režimu (normální režim se ihned restartuje).

Sken proběhnul napsal ,že maže "webhancer"

poté se restartoval a najel do normalního režimu a zase se ihned restartoval.

mabor · #4 Příspěvek od **mabor** » 02 led 2011 20:24

teď mi syn řekl že spustil soubor který mu přišel jako příloha e-meilu a menoval se

(Hack na lvl.exe) a potom po znovunajetí systému to vše začalo

mabor · #5 Příspěvek od **mabor** » 02 led 2011 20:55

ComboFix 11-01-02.02 - Administrator 02.01.2011 20:35:54.2.1 - x86 MINIMAL
Systém Microsoft Windows XP Professional 5.1.2600.3.1250.420.1029.18.1023.831 [GMT 1:00]
Spuštěný z: c:\documents and settings\Administrator\Plocha\ComboFix.exe
AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}

VAROVÁNÍ - NA TOMTO POČÍTAČI NENÍ NAINSTALOVÁNA KONZOLA PRO ZOTAVENÍ !!
.

((((((((((((((((((((((((((((((((((((((( Ostatní výmazy )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Předchozí spuštění -------
.
c:\program files\Webhancer\Programs\license.txt
c:\program files\Webhancer\Programs\readme.txt
c:\program files\Webhancer\Programs\sporder.dll
c:\program files\webhancer\Programs\wbhshare.dll
c:\program files\Webhancer\Programs\whAgent.exe
c:\program files\webhancer\Programs\whAgent.ini
c:\program files\webHancer\programs\whIEhlpr.dll
c:\program files\webhancer\Programs\whieshm.dll
c:\windows\webhdll.dll
c:\windows\whAgent.inf
c:\windows\whInstaller.exe
c:\windows\whInstaller.ini

.
((((((((((((((((((((((((( Soubory vytvořené od 2010-12-02 do 2011-01-02 )))))))))))))))))))))))))))))))
.

2011-01-02 17:33 . 2011-01-02 17:33 -------- d-----w- c:\program files\trend micro
2011-01-02 17:33 . 2011-01-02 17:33 -------- d-----w- C:\rsit
2011-01-02 16:30 . 2011-01-02 16:30 -------- d-----w- c:\documents and settings\Administrator
2011-01-02 09:31 . 2011-01-02 09:32 44 ----a-w- c:\windows\system_32.bat
2011-01-02 09:31 . 2011-01-02 09:32 160 ----a-w- c:\windows\y.reg
2011-01-02 09:31 . 2011-01-02 09:32 156 ----a-w- c:\windows\z.reg
2010-12-30 14:55 . 2010-12-30 14:55 -------- d-----w- c:\documents and settings\Maja\Local Settings\Data aplikací\Mozilla
2010-12-26 18:59 . 2010-12-26 18:59 -------- d-----w- c:\program files\EA GAMES
2010-12-26 18:59 . 2005-02-09 18:15 442368 ----a-r- c:\windows\system32\vp6vfw.dll
2010-12-15 14:30 . 2011-01-02 16:26 -------- d-----w- C:\1802f71bee8ab86f9b

.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-25 18:49 . 2010-11-25 18:49 98304 ----a-w- c:\windows\system32\CmdLineExt.dll
2010-11-25 18:19 . 2010-11-25 18:19 685816 ----a-w- c:\windows\system32\drivers\sptd.sys
2010-11-18 18:15 . 2010-08-20 18:43 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-06 00:24 . 2010-06-23 21:34 919552 ----a-w- c:\windows\system32\wininet.dll
2010-11-06 00:24 . 2010-06-23 21:33 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-11-06 00:24 . 2010-06-23 21:32 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2010-11-03 12:00 . 2010-06-23 21:32 385024 ----a-w- c:\windows\system32\html.iec
2010-11-02 15:17 . 2008-04-14 12:00 40960 ----a-w- c:\windows\system32\drivers\ndproxy.sys
2010-10-28 13:05 . 2010-06-23 21:32 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-10-26 14:04 . 2010-06-23 21:34 1862272 ----a-w- c:\windows\system32\win32k.sys
.

------- Sigcheck -------

[-] 2010-06-23 . 8F41FD1CC693054347C6FB7B0E618B07 . 1571840 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
.
(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"KB976002-v5"="advpack.dll" [2010-06-23 128512]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"system_tray"="shutdown -r -f -t 0" [X]
"DWPersistentQueuedReporting"="c:\program files\Common Files\Microsoft Shared\DW\DWTRIG20.EXE" [2008-11-03 435096]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-08-20 1164584]
"PrnStatusMX"="c:\program files\Hewlett-Packard\PrnStatusMX\PrnStatusMX.exe" [2007-08-29 1077248]
"ImagePath"="c:\windows\system_32.bat" [2011-01-02 44]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"KB976002-v5"="advpack.dll" [2010-06-23 128512]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2010-06-23 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"d:\\D-link\\DNS-323\\setup\\easy_search.exe"=
"c:\\Program Files\\ICQ7.2\\ICQ.exe"=
"c:\\Program Files\\ICQ7.2\\aolload.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Metin2\\metin2client.bin"=
"c:\\Program Files\\Metin2\\metin2.bin"=
"c:\\Program Files\\Outbreak\\Outbreak.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [25.11.2010 19:19 685816]
S1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [20.8.2010 20:36 165456]
S1 DumpDrv;Crash Dump Driver;c:\windows\system32\drivers\dumpdrv.sys [23.6.2010 22:37 9472]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [20.8.2010 20:36 17744]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [20.8.2010 19:31 130384]
S2 gupdate;Služba Google Update (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [26.8.2010 9:24 135664]
S2 ICQ Service;ICQ Service;c:\program files\ICQ6Toolbar\ICQ Service.exe [21.8.2010 9:36 246584]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [23.6.2010 22:34 14848]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPFFontCache_v0400.exe --> c:\windows\Microsoft.NET\Framework\v4.0.30319\WPFFontCache_v0400.exe [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
.
Obsah adresáře 'Naplánované úlohy'

2011-01-02 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-08-26 08:24]

2011-01-02 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-08-26 08:24]
.
.
------- Doplňkový sken -------
.
FF - ProfilePath - c:\documents and settings\Maja\Data aplikací\Mozilla\Firefox\Profiles\ltc4c2xw.default\
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.
- - - - NEPLATNÉ POLOŽKY ODSTRANĚNÉ Z REGISTRU - - - -

HKLM-Run-CmPCIaudio - CMICNFG3.cpl
Notify-RailNotification - (no file)
AddRemove-DivX Setup.divx.com - c:\documents and settings\All Users\Data aplikací\DivX\Setup\DivXSetup.exe
AddRemove-Microsoft .NET Framework 3.5 SP1 - c:\windows\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\setup.exe
AddRemove-Microsoft .NET Framework 4 Client Profile - c:\windows\Microsoft.NET\Framework\v4.0.30319\SetupCache\Client\Setup.exe
AddRemove-Microsoft .NET Framework 4 Extended - c:\windows\Microsoft.NET\Framework\v4.0.30319\SetupCache\Extended\Setup.exe
AddRemove-{0A0CADCF-78DA-33C4-A350-CD51849B9702}.KB2416472 - c:\windows\Microsoft.NET\Framework\v4.0.30319\SetupCache\Extended\setup.exe
AddRemove-{3C3901C5-3455-3E0A-A214-0B093A5070A6}.KB2473228 - c:\windows\Microsoft.NET\Framework\v4.0.30319\SetupCache\Client\setup.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-01-02 20:41
Windows 5.1.2600 Service Pack 3 NTFS

skenování skrytých procesů ...

skenování skrytých položek 'Po spuštění' ...

skenování skrytých souborů ...

c:\docume~1\ADMINI~1\LOCALS~1\Temp\Perflib_Perfdata_7a8.dat 16384 bytes

sken byl úspešně dokončen
skryté soubory: 1

**************************************************************************
.
--------------------- ZAMKNUTÉ KLÍČE V REGISTRU ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- Knihovny navázané na běžící procesy ---------------------

- - - - - - - > 'winlogon.exe'(284)
c:\windows\system32\Ati2evxx.dll
.
Celkový čas: 2011-01-02 20:43:42
ComboFix-quarantined-files.txt 2011-01-02 19:43

Před spuštěním: Volných bajtů: 49 000 689 664
Po spuštění: Volných bajtů: 48 958 779 392

- - End Of File - - D4337EDBAA0DFE031F3E5AB1CA3F84F0

#6 Příspěvek od **Rudy** » 02 led 2011 21:05

Ještě dočistíme. Otevřte poznámkový blok a zkpírujte do něj:

Collect::
c:\windows\system_32.bat
c:\windows\y.reg
c:\windows\z.reg

Uložte na plochu jako CFScript.txt. Pak jej myší přetáhněte nad ikonu ComboFix a pusťte. CF se spustí a vykoná příkazy ze skriptu.

Obrázek

mabor · #7 Příspěvek od **mabor** » 02 led 2011 21:24

ComboFix 11-01-02.02 - Administrator 02.01.2011 21:15:11.3.1 - x86 MINIMAL
Systém Microsoft Windows XP Professional 5.1.2600.3.1250.420.1029.18.1023.763 [GMT 1:00]
Spuštěný z: c:\documents and settings\Administrator\Plocha\ComboFix.exe
Použité ovládací přepínače :: c:\documents and settings\Administrator\Plocha\CFScript.txt
AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}

VAROVÁNÍ - NA TOMTO POČÍTAČI NENÍ NAINSTALOVÁNA KONZOLA PRO ZOTAVENÍ !!

file zipped: c:\windows\system_32.bat
file zipped: c:\windows\y.reg
file zipped: c:\windows\z.reg
.

((((((((((((((((((((((((((((((((((((((( Ostatní výmazy )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system_32.bat
c:\windows\y.reg
c:\windows\z.reg

.
((((((((((((((((((((((((( Soubory vytvořené od 2010-12-02 do 2011-01-02 )))))))))))))))))))))))))))))))
.

2011-01-02 17:33 . 2011-01-02 17:33 -------- d-----w- c:\program files\trend micro
2011-01-02 17:33 . 2011-01-02 17:33 -------- d-----w- C:\rsit
2011-01-02 16:30 . 2011-01-02 16:30 -------- d-----w- c:\documents and settings\Administrator
2010-12-30 14:55 . 2010-12-30 14:55 -------- d-----w- c:\documents and settings\Maja\Local Settings\Data aplikací\Mozilla
2010-12-26 18:59 . 2010-12-26 18:59 -------- d-----w- c:\program files\EA GAMES
2010-12-26 18:59 . 2005-02-09 18:15 442368 ----a-r- c:\windows\system32\vp6vfw.dll
2010-12-15 14:30 . 2011-01-02 16:26 -------- d-----w- C:\1802f71bee8ab86f9b

.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-25 18:49 . 2010-11-25 18:49 98304 ----a-w- c:\windows\system32\CmdLineExt.dll
2010-11-25 18:19 . 2010-11-25 18:19 685816 ----a-w- c:\windows\system32\drivers\sptd.sys
2010-11-18 18:15 . 2010-08-20 18:43 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-06 00:24 . 2010-06-23 21:34 919552 ----a-w- c:\windows\system32\wininet.dll
2010-11-06 00:24 . 2010-06-23 21:33 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-11-06 00:24 . 2010-06-23 21:32 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2010-11-03 12:00 . 2010-06-23 21:32 385024 ----a-w- c:\windows\system32\html.iec
2010-11-02 15:17 . 2008-04-14 12:00 40960 ----a-w- c:\windows\system32\drivers\ndproxy.sys
2010-10-28 13:05 . 2010-06-23 21:32 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-10-26 14:04 . 2010-06-23 21:34 1862272 ----a-w- c:\windows\system32\win32k.sys
.

------- Sigcheck -------

[-] 2010-06-23 . 8F41FD1CC693054347C6FB7B0E618B07 . 1571840 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
.
(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"KB976002-v5"="advpack.dll" [2010-06-23 128512]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"system_tray"="shutdown -r -f -t 0" [X]
"DWPersistentQueuedReporting"="c:\program files\Common Files\Microsoft Shared\DW\DWTRIG20.EXE" [2008-11-03 435096]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-08-20 1164584]
"PrnStatusMX"="c:\program files\Hewlett-Packard\PrnStatusMX\PrnStatusMX.exe" [2007-08-29 1077248]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"KB976002-v5"="advpack.dll" [2010-06-23 128512]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2010-06-23 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"d:\\D-link\\DNS-323\\setup\\easy_search.exe"=
"c:\\Program Files\\ICQ7.2\\ICQ.exe"=
"c:\\Program Files\\ICQ7.2\\aolload.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Metin2\\metin2client.bin"=
"c:\\Program Files\\Metin2\\metin2.bin"=
"c:\\Program Files\\Outbreak\\Outbreak.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [25.11.2010 19:19 685816]
S1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [20.8.2010 20:36 165456]
S1 DumpDrv;Crash Dump Driver;c:\windows\system32\drivers\dumpdrv.sys [23.6.2010 22:37 9472]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [20.8.2010 20:36 17744]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [20.8.2010 19:31 130384]
S2 gupdate;Služba Google Update (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [26.8.2010 9:24 135664]
S2 ICQ Service;ICQ Service;c:\program files\ICQ6Toolbar\ICQ Service.exe [21.8.2010 9:36 246584]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [23.6.2010 22:34 14848]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPFFontCache_v0400.exe --> c:\windows\Microsoft.NET\Framework\v4.0.30319\WPFFontCache_v0400.exe [?]

--- Ostatní služby/ovladače v paměti ---

*NewlyCreated* - CFCATCHME
*Deregistered* - CFcatchme

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
.
Obsah adresáře 'Naplánované úlohy'

2011-01-02 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-08-26 08:24]

2011-01-02 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-08-26 08:24]
.
.
------- Doplňkový sken -------
.
FF - ProfilePath - c:\documents and settings\Maja\Data aplikací\Mozilla\Firefox\Profiles\ltc4c2xw.default\
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.
- - - - NEPLATNÉ POLOŽKY ODSTRANĚNÉ Z REGISTRU - - - -

HKLM-Run-ImagePath - c:\windows\system_32.bat

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-01-02 21:19
Windows 5.1.2600 Service Pack 3 NTFS

skenování skrytých procesů ...

skenování skrytých položek 'Po spuštění' ...

skenování skrytých souborů ...

sken byl úspešně dokončen
skryté soubory: 0

**************************************************************************
.
--------------------- ZAMKNUTÉ KLÍČE V REGISTRU ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- Knihovny navázané na běžící procesy ---------------------

- - - - - - - > 'winlogon.exe'(284)
c:\windows\system32\Ati2evxx.dll
.
Celkový čas: 2011-01-02 21:21:16
ComboFix-quarantined-files.txt 2011-01-02 20:21
ComboFix2.txt 2011-01-02 19:43

Před spuštěním: Volných bajtů: 48 964 390 912
Po spuštění: Volných bajtů: 48 952 184 832

- - End Of File - - 17B3F30F58304AE7E49554B8DBA575B4

#8 Příspěvek od **Rudy** » 02 led 2011 22:17

Log již vypadá čistý. Nastala nějaká změna?

mabor · #9 Příspěvek od **mabor** » 03 led 2011 17:24

Pořád se systém po najetí ihned restartuje

ComboFix 11-01-02.04 - Administrator 03.01.2011 17:13:43.4.1 - x86 NETWORK
Systém Microsoft Windows XP Professional 5.1.2600.3.1250.420.1029.18.1023.812 [GMT 1:00]
Spuštěný z: c:\documents and settings\Administrator\Plocha\ComboFix.exe
AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((( Soubory vytvořené od 2010-12-03 do 2011-01-03 )))))))))))))))))))))))))))))))
.

2011-01-02 17:33 . 2011-01-02 17:33 -------- d-----w- c:\program files\trend micro
2011-01-02 17:33 . 2011-01-02 17:33 -------- d-----w- C:\rsit
2011-01-02 16:30 . 2011-01-02 16:30 -------- d-----w- c:\documents and settings\Administrator
2010-12-30 14:55 . 2010-12-30 14:55 -------- d-----w- c:\documents and settings\Maja\Local Settings\Data aplikací\Mozilla
2010-12-26 18:59 . 2010-12-26 18:59 -------- d-----w- c:\program files\EA GAMES
2010-12-26 18:59 . 2005-02-09 18:15 442368 ----a-r- c:\windows\system32\vp6vfw.dll
2010-12-15 14:30 . 2011-01-02 16:26 -------- d-----w- C:\1802f71bee8ab86f9b

.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-25 18:49 . 2010-11-25 18:49 98304 ----a-w- c:\windows\system32\CmdLineExt.dll
2010-11-25 18:19 . 2010-11-25 18:19 685816 ----a-w- c:\windows\system32\drivers\sptd.sys
2010-11-18 18:15 . 2010-08-20 18:43 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-06 00:24 . 2010-06-23 21:34 919552 ----a-w- c:\windows\system32\wininet.dll
2010-11-06 00:24 . 2010-06-23 21:33 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-11-06 00:24 . 2010-06-23 21:32 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2010-11-03 12:00 . 2010-06-23 21:32 385024 ----a-w- c:\windows\system32\html.iec
2010-11-02 15:17 . 2008-04-14 12:00 40960 ----a-w- c:\windows\system32\drivers\ndproxy.sys
2010-10-28 13:05 . 2010-06-23 21:32 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-10-26 14:04 . 2010-06-23 21:34 1862272 ----a-w- c:\windows\system32\win32k.sys
.

------- Sigcheck -------

[-] 2010-06-23 . 8F41FD1CC693054347C6FB7B0E618B07 . 1571840 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
.
(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"KB976002-v5"="advpack.dll" [2010-06-23 128512]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"system_tray"="shutdown -r -f -t 0" [X]
"DWPersistentQueuedReporting"="c:\program files\Common Files\Microsoft Shared\DW\DWTRIG20.EXE" [2008-11-03 435096]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-08-20 1164584]
"PrnStatusMX"="c:\program files\Hewlett-Packard\PrnStatusMX\PrnStatusMX.exe" [2007-08-29 1077248]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"KB976002-v5"="advpack.dll" [2010-06-23 128512]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2010-06-23 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"d:\\D-link\\DNS-323\\setup\\easy_search.exe"=
"c:\\Program Files\\ICQ7.2\\ICQ.exe"=
"c:\\Program Files\\ICQ7.2\\aolload.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Metin2\\metin2client.bin"=
"c:\\Program Files\\Metin2\\metin2.bin"=
"c:\\Program Files\\Outbreak\\Outbreak.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [25.11.2010 19:19 685816]
S1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [20.8.2010 20:36 165456]
S1 DumpDrv;Crash Dump Driver;c:\windows\system32\drivers\dumpdrv.sys [23.6.2010 22:37 9472]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [20.8.2010 20:36 17744]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [20.8.2010 19:31 130384]
S2 gupdate;Služba Google Update (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [26.8.2010 9:24 135664]
S2 ICQ Service;ICQ Service;c:\program files\ICQ6Toolbar\ICQ Service.exe [21.8.2010 9:36 246584]
S3 CFcatchme;CFcatchme;\??\c:\docume~1\ADMINI~1\LOCALS~1\Temp\CFcatchme.sys --> c:\docume~1\ADMINI~1\LOCALS~1\Temp\CFcatchme.sys [?]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [23.6.2010 22:34 14848]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPFFontCache_v0400.exe --> c:\windows\Microsoft.NET\Framework\v4.0.30319\WPFFontCache_v0400.exe [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
.
Obsah adresáře 'Naplánované úlohy'

2011-01-03 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-08-26 08:24]

2011-01-02 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-08-26 08:24]
.
.
------- Doplňkový sken -------
.
IE: E&xportovat do aplikace Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-01-03 17:16
Windows 5.1.2600 Service Pack 3 NTFS

skenování skrytých procesů ...

skenování skrytých položek 'Po spuštění' ...

skenování skrytých souborů ...

sken byl úspešně dokončen
skryté soubory: 0

**************************************************************************
.
--------------------- ZAMKNUTÉ KLÍČE V REGISTRU ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- Knihovny navázané na běžící procesy ---------------------

- - - - - - - > 'winlogon.exe'(632)
c:\windows\system32\Ati2evxx.dll
.
Celkový čas: 2011-01-03 17:18:17
ComboFix-quarantined-files.txt 2011-01-03 16:18
ComboFix2.txt 2011-01-02 20:21
ComboFix3.txt 2011-01-02 19:43

Před spuštěním: Volných bajtů: 48 891 752 448
Po spuštění: Volných bajtů: 48 879 284 224

WindowsXP-KB310994-SP2-Pro-BootDisk-CSY.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - F6649E9A17A5FC57F1C7875B218C2839

#10 Příspěvek od **Rudy** » 03 led 2011 17:52

Log vypadá čistý. Zkuste obnovu systému k daru, kdy korektně fungoval.

mabor · #11 Příspěvek od **mabor** » 03 led 2011 19:26

Děkuji moc již je vše v pořádku syn je opět spokojený

#12 Příspěvek od **Rudy** » 03 led 2011 20:31

Nemáte zač!

#13 Příspěvek od **Rudy** » 03 led 2011 20:47

Ještě maličkost by tam neměla být. Spusťte CF ještě jednou tímto skriptem:

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"system_tray"=-

Děkuji.

mabor · #14 Příspěvek od **mabor** » 04 led 2011 17:47

nejde mi již spustit combofix

#15 Příspěvek od **Rudy** » 04 led 2011 19:38

Zkuste stáhnout nový a spustit. Pokud nepůjde, použijte návod: http://www.viry.cz/forum/viewtopic.php?f=11&t=2791 a smázněte ručně.

VIRY.CZ

Zaheslovaný systém W. XP

Zaheslovaný systém W. XP

Re: Zaheslovaný systém W. XP

Re: Zaheslovaný systém W. XP

Re: Zaheslovaný systém W. XP

Re: Zaheslovaný systém W. XP

Re: Zaheslovaný systém W. XP

Re: Zaheslovaný systém W. XP

Re: Zaheslovaný systém W. XP

Re: Zaheslovaný systém W. XP

Re: Zaheslovaný systém W. XP

Re: Zaheslovaný systém W. XP

Re: Zaheslovaný systém W. XP

Re: Zaheslovaný systém W. XP

Re: Zaheslovaný systém W. XP

Re: Zaheslovaný systém W. XP