ComboFix log:
ComboFix 11-01-04.01 - Saga . 01. 2011 11:52:38.2.2 - x86 NETWORK
Microsoft Windows 7 Professional 6.1.7600.0.1250.421.1051.18.2046.1639 [GMT 1:00]
Running from: c:\users\Saga\Desktop\motyka.com.exe
AV: avast! Antivirus *Enabled/Updated* {C37D8F93-0602-E43C-40AA-47DAD597F308}
SP: avast! Antivirus *Enabled/Updated* {781C6E77-2038-EBB2-7A1A-7CA8AE10B9B5}
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\users\Saga\SoftonicDownloader16261.exe
c:\users\Saga\TeamViewer_Setup.exe
c:\users\Saga\TeamViewerQS.exe
c:\windows\system32\kb.dll
c:\windows\system32\oem9.inf
Infected copy of c:\windows\explorer.exe was found and disinfected
Restored copy from - c:\windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.20563_none_52283b2af41f3691\explorer.exe
Infected copy of c:\windows\System32\wininit.exe was found and disinfected
Restored copy from - c:\windows\winsxs\x86_microsoft-windows-wininit_31bf3856ad364e35_6.1.7600.16385_none_30c90ef265a43c13\wininit.exe
Infected copy of c:\windows\explorer.exe was found and disinfected
Restored copy from - c:\windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.20563_none_52283b2af41f3691\explorer.exe
.
((((((((((((((((((((((((( Files Created from 2010-12-06 to 2011-01-06 )))))))))))))))))))))))))))))))
.
2011-01-06 10:56 . 2011-01-06 10:59 -------- d-----w- c:\users\Saga\AppData\Local\temp
2011-01-06 10:56 . 2011-01-06 10:56 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-01-06 10:41 . 2011-01-06 10:51 -------- d-----w- C:\32788R22FWJFW
2011-01-05 21:28 . 2011-01-05 21:28 -------- d-----w- C:\_OTL
2010-12-22 19:30 . 2010-12-22 19:30 -------- d-----w- C:\rsit
2010-12-14 06:16 . 2010-11-10 04:33 6273872 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{1C0A2001-82AB-40AE-A99B-63432606EA37}\mpengine.dll
2010-12-13 20:08 . 2011-01-03 17:56 -------- d-----w- c:\programdata\Kaspersky Lab
2010-12-12 10:54 . 2010-12-12 10:54 -------- d-----w- c:\users\Saga\AppData\Roaming\Malwarebytes
2010-12-12 10:54 . 2010-12-20 17:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-12 10:54 . 2010-12-12 10:54 -------- d-----w- c:\programdata\Malwarebytes
2010-12-12 10:54 . 2011-01-02 21:03 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-12-12 10:54 . 2010-12-20 17:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-11 21:41 . 2010-12-22 19:30 -------- d-----w- c:\program files\trend micro
2010-12-11 21:31 . 2010-12-11 21:31 -------- d-----w- c:\users\Saga\Pavark
2010-12-11 20:13 . 2010-12-11 20:13 -------- d-----w- c:\program files\Sophos
2010-12-11 11:32 . 2010-12-11 11:32 -------- d-----w- c:\users\Saga\Bluetooth Software
2010-12-11 11:29 . 2010-12-11 11:29 -------- d-----w- c:\program files\WIDCOMM
2010-12-11 11:24 . 2010-12-11 11:24 -------- d-----w- c:\users\Saga\AppData\Roaming\Dell
2010-12-11 11:24 . 2010-12-11 11:24 -------- d-----w- c:\program files\Cisco
2010-12-11 11:21 . 2009-01-20 14:36 87328 ----a-w- c:\windows\system32\bcmwlcoi.dll
2010-12-11 11:21 . 2009-01-20 14:36 1207288 ----a-w- c:\windows\system32\drivers\BCMWL6.SYS
2010-12-11 11:21 . 2009-01-20 14:36 3489792 ----a-w- c:\windows\system32\bcmihvui.dll
2010-12-11 11:21 . 2009-01-20 14:36 3829760 ----a-w- c:\windows\system32\bcmihvsrv.dll
2010-12-11 11:21 . 2010-12-11 11:21 -------- d-----w- c:\program files\Dell
2010-12-11 11:21 . 2010-12-11 11:21 -------- d-----w- c:\users\Saga\AppData\Roaming\InstallShield
2010-12-11 07:58 . 2010-09-07 15:47 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-12-11 07:58 . 2010-09-07 15:52 165584 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-12-11 07:58 . 2010-09-07 15:47 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-12-11 07:58 . 2010-09-07 15:52 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-12-11 07:58 . 2010-09-07 15:47 50768 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2010-12-11 07:58 . 2010-09-07 16:12 38848 ----a-w- c:\windows\avastSS.scr
2010-12-11 07:58 . 2010-09-07 16:11 167592 ----a-w- c:\windows\system32\aswBoot.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2007-07-02 159744]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 31016]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2009-01-20 3563520]
"Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-12-20 963976]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
S1 aswSP;aswSP; [x]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
S2 AESTFilters;Andrea ST Filters Service;c:\windows\system32\aestsrv.exe [2007-09-20 73728]
S2 aswFsBlk;aswFsBlk; [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2010-09-07 50768]
S3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL3.SYS [2009-07-13 207360]
S3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV3.SYS [2009-07-13 980992]
S3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT3.SYS [2009-07-13 661504]
.
.
------- Supplementary Scan -------
.
uStart Page =
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\users\Saga\AppData\Roaming\Mozilla\Firefox\Profiles\egogpyjf.default\
FF - prefs.js: browser.search.selectedEngine -
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Skype extension for Firefox: {B13721C7-F507-4982-B2E5-502A71474FED} - c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: TVU Web Player: firefox@tvunetworks.com - %profile%\extensions\firefox@tvunetworks.com
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Greasemonkey: {e4a8a97b-f2ed-450b-b12d-ee082ba24781} - %profile%\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\WLANExt.exe
c:\windows\system32\conhost.exe
c:\windows\System32\WLTRYSVC.EXE
c:\windows\System32\bcmwltry.exe
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\windows\system32\taskhost.exe
c:\program files\CDBurnerXP\NMSAccessU.exe
c:\windows\system32\STacSV.exe
c:\windows\servicing\TrustedInstaller.exe
c:\windows\System32\rundll32.exe
c:\windows\system32\conhost.exe
c:\program files\Windows Media Player\wmpnetwk.exe
.
**************************************************************************
.
Completion time: 2011-01-06 12:02:10 - machine was rebooted
ComboFix-quarantined-files.txt 2011-01-06 11:02
Pre-Run: 8 615 686 144 bytes free
Post-Run: 8 487 161 856 bytes free
- - End Of File - - E16C1457504EF71C1FE77260D3F00DDD