
PC virus removal, computer speed-up, remote help via the neslape.cz service
virus Win32/Oficla.HD trojan??
Moderator: Moderators
Forum rules
If you want help, post a log from FRST [guide here] or RSIT [guide here]
Individual threads will be locked once resolved, as will those inactive for more than 14 days. See the rule on locking topics. Thank you for your understanding.
!NEW!
You can now use the remote help service, where an expert connects to your computer and gets further details of the problem from you by phone! More at www.neslape.cz
Re: virus Win32/Oficla.HD trojan??
One more question, in case it could be related: I have several accounts in Outlook, and my wife's account started having a problem where it occasionally downloads an indeterminate number (not always all) of mails from the freemail (tiscali) over and over, even though they have already been downloaded, so after receiving mail, out of nowhere 2 new mails and 32 old ones appear that look like new, and on the next download they get downloaded again... horrible
thanks in advance
- Caroprd111
- VIP
- Posts: 13492
- Registered: 22 Mar 2009 20:48
- Location: Třebíč
Re: virus Win32/Oficla.HD trojan??
We'll check it further.
Download and save, preferably to the desktop: http://download.bleepingcomputer.com/sUBs/ComboFix.exe

- Turn off all resident security programs: firewalls, antivirus, antispyware
- Plug in all the flash drives you use.
- Run the application under an account with Administrator rights; immediately after it starts, a page with the licence terms appears, continue by pressing the "Yes" button
- Then follow the instructions; during the scan do not launch other applications and do not click in the window that appears
- The scan should take about 5 - 10 minutes; when finished, ComboFix displays the log C:\ComboFix.txt, which you should post here.
- The computer may be restarted during the scan.
Re: virus Win32/Oficla.HD trojan??
ComboFix 10-06-10.04 - JW 11.06.2010 16:11:38.3.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1250.420.1029.18.446.197 [GMT 1:00]
Spuštěný z: c:\documents and settings\JW\Plocha\ComboFix.exe
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
VAROVÁNÍ - NA TOMTO POČÍTAČI NENÍ NAINSTALOVÁNA KONZOLA PRO ZOTAVENÍ !!
.
((((((((((((((((((((((((( Soubory vytvořené od 2010-05-11 do 2010-06-11 )))))))))))))))))))))))))))))))
.
2010-06-10 15:21 . 2010-06-10 15:21 -------- d-----w- C:\_OTL
2010-06-10 14:20 . 2010-05-06 20:33 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-06-10 14:20 . 2010-05-06 20:39 164048 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-06-10 14:20 . 2010-05-06 20:34 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-06-10 14:20 . 2010-05-06 20:39 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-06-10 14:20 . 2010-05-06 20:33 100432 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-06-10 14:20 . 2010-05-06 20:33 94800 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-06-10 14:20 . 2010-05-06 20:33 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-06-10 14:18 . 2010-05-06 20:59 38848 ----a-w- c:\windows\system32\avastSS.scr
2010-06-10 14:17 . 2010-05-06 20:59 165032 ----a-w- c:\windows\system32\aswBoot.exe
2010-06-10 14:16 . 2010-06-10 14:16 -------- d-----w- c:\program files\Alwil Software
2010-06-10 09:16 . 2010-06-10 09:16 -------- d-----w- c:\program files\CCleaner
2010-06-10 08:59 . 2010-06-10 08:59 -------- d-----w- c:\windows\system32\wbem\Repository
2010-06-10 08:57 . 2010-06-10 08:57 -------- d-----w- c:\windows\Motorola
2010-06-10 08:57 . 2010-06-10 08:57 -------- d-----w- c:\program files\SoftMaker Viewer
2010-06-09 14:08 . 2010-06-10 14:37 -------- d-----w- c:\program files\trend micro
2010-06-09 14:08 . 2010-06-09 14:09 -------- d-----w- C:\rsit
.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-10 14:29 . 2007-07-13 10:56 -------- d-----w- c:\program files\ESET
2010-06-10 11:15 . 2006-01-26 03:00 549418 ----a-w- c:\windows\system32\perfh005.dat
2010-06-10 11:15 . 2006-01-26 03:00 130830 ----a-w- c:\windows\system32\perfc005.dat
2010-06-10 09:04 . 2007-07-12 12:51 -------- d-----w- c:\program files\uTorrent
2010-06-10 08:57 . 2008-08-22 15:35 -------- d-----w- c:\program files\Microsoft ActiveSync
2010-06-10 08:57 . 2008-03-18 18:22 -------- d-----w- c:\program files\VideoReDoPlus
2010-06-09 13:40 . 2006-01-26 07:56 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-06-04 06:48 . 2009-03-17 12:52 -------- d-----w- c:\program files\Microsoft Silverlight
2010-05-09 11:53 . 2010-05-09 11:53 -------- d-----w- c:\program files\DAEMON Tools Lite
2010-05-09 11:53 . 2010-05-09 11:53 691696 ----a-w- c:\windows\system32\drivers\sptd.sys
2010-05-02 08:09 . 2006-01-26 03:00 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-20 05:32 . 2006-01-26 02:59 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-16 16:08 . 2006-01-26 03:00 668160 ----a-w- c:\windows\system32\wininet.dll
2010-04-16 16:08 . 2006-01-26 03:00 81920 ----a-w- c:\windows\system32\ieencode.dll
2008-10-25 11:09 . 2008-10-25 11:08 1851544 ----a-w- c:\program files\install_flash_player.exe
2008-09-14 20:32 . 2008-09-14 20:32 877 ----a-w- c:\program files\SolveigMM Video Splitter.lnk
2008-08-29 08:27 . 2008-08-29 08:27 405746 ----a-w- c:\program files\Diamond Tweak 0.5_English.cab
2008-08-22 15:37 . 2008-08-25 12:27 1161 ----a-w- c:\program files\Windows Mobile Resources.lnk
2008-06-17 17:00 . 2008-06-17 17:00 2391288 ----a-w- c:\program files\SVGView.exe
2008-04-30 09:37 . 2008-04-30 09:37 1793 ----a-w- c:\program files\Microsoft Flight Simulator 2004.lnk
2008-04-30 09:01 . 2008-04-30 09:01 1492 ----a-w- c:\program files\MagicISO.lnk
2008-03-18 18:22 . 2008-03-18 18:22 1544 ----a-w- c:\program files\VideoReDo Plus.lnk
2008-03-18 12:53 . 2008-03-18 12:50 11136896 ----a-w- c:\program files\VideoReDoPlus-2-5-6-512.exe
2008-03-15 11:37 . 2008-03-15 11:37 583 ----a-w- c:\program files\VideoCAM Look.lnk
2008-02-18 17:20 . 2008-02-18 17:20 154348 -c--a-w- c:\program files\ChessGenius_s60_3.sis
2007-12-21 14:35 . 2007-12-21 14:35 830 ----a-w- c:\program files\DVD Audio Ripper 4.lnk
2007-12-21 14:35 . 2007-12-21 14:34 4230820 ----a-w- c:\program files\dvd-audio-ripper.exe
2007-09-16 21:36 . 2007-09-16 21:36 1695 ----a-w- c:\program files\SUPER © Uninstall.lnk
2007-09-16 21:36 . 2007-09-16 21:36 1671 ----a-w- c:\program files\SUPER ©.lnk
2007-09-14 12:31 . 2007-09-14 12:29 9679815 ----a-w- c:\program files\vlc-0.8.6c-win32.exe
2007-08-20 08:21 . 2007-08-20 08:21 1888 ----a-w- c:\program files\3D Home Architect Home Design Deluxe 6.lnk
2007-08-09 14:01 . 2007-08-09 14:01 905 ----a-w- c:\program files\SmartMovie Converter.lnk
2007-08-08 20:55 . 2007-08-08 20:54 295160 ----a-w- c:\program files\fring91.sis
2007-07-31 09:43 . 2007-07-31 09:41 4526458 ----a-w- c:\program files\WinAVI_Video_Converter.exe
2007-07-30 14:53 . 2007-07-30 14:53 676 ----a-w- c:\program files\DVD Shrink 3.2.lnk
2007-07-22 10:40 . 2007-07-22 10:35 2383 ----a-w- c:\program files\Nokia PC Suite.lnk
2007-07-19 17:01 . 2007-07-19 17:01 582776 ----a-w- c:\program files\divx_311alpha.exe
2007-07-13 16:42 . 2007-07-13 16:41 762707 ----a-w- c:\program files\utorrent-setup.exe
2007-07-13 16:40 . 2007-07-13 16:40 122722 ----a-w- c:\program files\cestina_pro_irfanview.exe
2007-07-13 16:35 . 2007-07-13 16:35 1571 ----a-w- c:\program files\IrfanView Thumbnails.lnk
2007-07-13 16:34 . 2007-07-13 16:34 1156096 ----a-w- c:\program files\iview400.exe
2007-07-13 16:32 . 2007-07-13 16:32 1608 ----a-w- c:\program files\Mozilla Firefox.lnk
2007-07-13 16:32 . 2007-07-13 16:32 5822464 ----a-w- c:\program files\Firefox Setup 2.0.0.4.exe
2007-07-12 13:20 . 2007-07-12 13:20 10050902 ----a-w- c:\program files\Codecs6030_allin1.exe
2007-07-12 09:03 . 2007-07-12 09:03 1360 ----a-w- c:\program files\First Steps.lnk
2007-07-04 12:02 . 2007-09-16 21:32 28088805 ----a-w- c:\program files\SUPERsetup.exe
2007-05-28 17:29 . 2007-07-12 12:59 10609152 -c--a-w- c:\program files\abraclassic.exe
2003-02-26 19:55 . 2008-02-16 11:04 1254400 ----a-w- c:\program files\sachy.exe
2002-11-07 18:14 . 2008-02-16 11:04 25628 ----a-w- c:\program files\sachy.hlp
2006-05-03 09:06 . 2007-09-16 21:36 163328 --sha-r- c:\windows\system32\flvDX.dll
2007-02-21 10:47 . 2007-09-16 21:36 31232 --sha-r- c:\windows\system32\msfDX.dll
.
(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\JW\Local Settings\Data aplikací\Google\Update\GoogleUpdate.exe" [2009-03-21 133104]
"AbacastDistributedOnDemand:11"="c:\documents and settings\JW\Local Settings\Data aplikací\AbacastDistributedOnDemand\Node\11\AbacastDistributedOnDemand.exe" [2009-04-15 54712]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2010-04-01 357696]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-06-22 344064]
"SoundMan"="SOUNDMAN.EXE" [2005-08-01 77824]
"SMSERIAL"="sm56hlpr.exe" [2005-07-06 544768]
"PowerManager"="c:\program files\Power Manager\PM.exe" [2005-12-14 159744]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2006-01-12 155648]
"OdTray.exe"="c:\program files\Fujitsu Siemens Computers\Odyssey Client for Fujitsu Siemens Computers\OdTray.exe" [2005-05-18 1015871]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-07-14 98304]
"iRiver Updater"="\Updater.exe" [2004-07-01 212992]
"SNPSTD2"="c:\windows\vsnpstd2.exe" [2004-06-10 286720]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2007-10-25 652624]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2009-07-06 1848648]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-05-06 2815192]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OdysseyClient]
2007-07-12 09:05 106496 ----a-w- c:\windows\system32\odyEvent.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Documents and Settings\\JW\\Plocha\\aceftp3free.exe"=
"c:\\Program Files\\Messenger\\Msmsgs.exe"=
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\WINDOWS\\system32\\dpnsvr.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Sprite Software\\Sprite Backup\\spriteservice.exe"=
"c:\\Documents and Settings\\JW\\Local Settings\\Data aplikací\\AbacastDistributedOnDemand\\Node\\11\\AbacastDistributedOnDemand.exe"=
"c:\\Documents and Settings\\JW\\Local Settings\\Data aplikací\\Abacast\\Abaclient2.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
R0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2010-05-09 691696]
S1 aswSP;aswSP; [x]
S1 PVR101Disk;PVR101Disk; [x]
S2 Aladdin SQL Server;Aladdin SQL Server;c:\program files\Aladdin\Aladdin SQL Server\AladdinSQL.exe [2010-03-20 136192]
S2 aswFsBlk;aswFsBlk; [x]
S2 Plánovač automatické aktualizace LiveUpdate;Plánovač automatické aktualizace LiveUpdate;c:\program files\Symantec\LiveUpdate\ALUSchedulerSvc.exe [2006-08-03 100032]
S3 EKBfltr;ENE Keyboard Controller;c:\windows\system32\DRIVERS\EKBfltr.sys [2005-08-01 5504]
.
Obsah adresáře 'Naplánované úlohy'
.
.
------- Doplňkový sken -------
.
uStart Page = hxxp://google.cz/
IE: E&xportovat do aplikace Microsoft Office Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
Trusted Zone: microsoft.com \office
DPF: {5F509E42-537E-482B-B66C-145BC170054C} - hxxp://sberna.fotostar.cz/snadno-vlozit-fotografie/fs/FotoStarPhotoUploader.dll
DPF: {AE2B937E-EA7D-4A8D-888C-B68D7F72A3C4} - hxxp://asp.photoprintit.de/microsite/11466/defaults/activex/ips/IPSUploader4.cab
FF - ProfilePath - c:\documents and settings\JW\Data aplikací\Mozilla\Firefox\Profiles\yu6zca7o.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.idnes.cz/
FF - plugin: c:\program files\Canon\Easy-PhotoPrint EX\NPEZFFPI.DLL
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npOGAPlugin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npWebLaunch.dll
---- NASTAVENÍ FIREFOXU ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".cz");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.
- - - - NEPLATNÉ POLOŽKY ODSTRANĚNÉ Z REGISTRU - - - -
SafeBoot-Wdf01000.sys
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-11 16:27
Windows 5.1.2600 Service Pack 3 NTFS
skenování skrytých procesů ...
skenování skrytých položek 'Po spuštění' ...
skenování skrytých souborů ...
sken byl úspešně dokončen
skryté soubory: 0
**************************************************************************
.
--------------------- Knihovny navázané na běžící procesy ---------------------
- - - - - - - > 'winlogon.exe'(1256)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\odyEvent.dll
.
Celkový čas: 2010-06-11 16:38:39
ComboFix-quarantined-files.txt 2010-06-11 15:38
Před spuštěním: Volných bajtů: 11 683 979 264
Po spuštění: Volných bajtů: 11 652 550 656
Current=3 Default=3 Failed=2 LastKnownGood=4 Sets=1,2,3,4
- - End Of File - - 9BD19D70A3B70B7405F9ED4F6E4DC0BD
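The log above is what a helper reads when triaging: the autorun section (REGEDIT4 block), the firewall profile and the Security Center monitoring flags. The script below is an added example written for this thread, not ComboFix's own tooling; it parses lines in the format ComboFix prints and flags autorun entries that run from the user profile or from a bare/relative path, plus a switched-off firewall profile. The sample log inside it is a constructed subset of the lines posted above, and a flag is a cue for a hash/VirusTotal check, not a verdict (Google Update gets flagged as well).

```python
"""Triage helper for a ComboFix log (added example, not ComboFix's own code).

It reads the REGEDIT4 autorun section in the format ComboFix prints and flags
entries that deserve a closer look:
  * executables that live in the user profile (Documents and Settings /
    Local Settings / Application Data), a location writable without admin rights;
  * relative paths or bare file names, whose real location depends on the
    search path;
  * a disabled Windows Firewall profile or disabled Security Center monitoring.
A flag is a triage cue, not a verdict (Google Update is flagged too); the next
step for a flagged file is a hash/VirusTotal check, as in this thread.
"""
import re

# One ComboFix autorun line: "Name"="path" [yyyy-mm-dd size]
RUN_LINE = re.compile(
    r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)"\s*\[(?P<date>\d{4}-\d{2}-\d{2}) (?P<size>\d+)\]$'
)
# Path fragments (lower-case) that mean "inside a user profile" on Windows XP;
# "Data aplikací" is the Czech-localised "Application Data" seen in this log.
USER_PROFILE_MARKERS = (
    "\\documents and settings\\", "\\local settings\\",
    "\\data aplikací\\", "\\application data\\",
)

# Constructed subset of the ComboFix log posted in this thread.
SAMPLE_LOG = r"""
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\JW\Local Settings\Data aplikací\Google\Update\GoogleUpdate.exe" [2009-03-21 133104]
"AbacastDistributedOnDemand:11"="c:\documents and settings\JW\Local Settings\Data aplikací\AbacastDistributedOnDemand\Node\11\AbacastDistributedOnDemand.exe" [2009-04-15 54712]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2010-04-01 357696]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2005-08-01 77824]
"iRiver Updater"="\Updater.exe" [2004-07-01 212992]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-05-06 2815192]
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""


def parse_autoruns(log_text):
    """Return the autorun entries after the REGEDIT4 marker as dicts."""
    entries, current_key, in_block = [], None, False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line == "REGEDIT4":
            in_block = True
            continue
        if not in_block:
            continue
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]          # registry key the following lines belong to
            continue
        m = RUN_LINE.match(line)
        if m and current_key:
            entries.append({"key": current_key, "name": m["name"], "path": m["path"],
                            "date": m["date"], "size": int(m["size"])})
    return entries


def classify(entry):
    """Return the reasons an entry needs a closer look (empty list if none)."""
    p = entry["path"].lower()
    reasons = []
    if any(marker in p for marker in USER_PROFILE_MARKERS):
        reasons.append("runs from user profile")
    if not re.match(r"^[a-z]:\\", p):
        reasons.append("relative path or bare filename")
    return reasons


def firewall_findings(log_text):
    """Flag a disabled firewall profile and disabled Security Center monitoring."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith('"EnableFirewall"=') and re.search(r"=\s*0\b", line):
            findings.append("Windows Firewall standard profile is off (EnableFirewall=0)")
        if line.startswith('"DisableMonitoring"=dword:00000001'):
            findings.append("Security Center firewall monitoring disabled (DisableMonitoring=1)")
    return findings


def triage(log_text):
    """Return [(entry, reasons)] for every autorun entry with at least one reason."""
    return [(e, classify(e)) for e in parse_autoruns(log_text) if classify(e)]


if __name__ == "__main__":
    for entry, reasons in triage(SAMPLE_LOG):
        print(f"{entry['name']:32} {entry['path']}\n    -> {', '.join(reasons)}")
    for finding in firewall_findings(SAMPLE_LOG):
        print("!!", finding)
```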
- Caroprd111
- VIP
- Posts: 13492
- Registered: 22 Mar 2009 20:48
- Location: Třebíč
Re: virus Win32/Oficla.HD trojan??

c:\documents and settings\JW\Local Settings\Data aplikací\AbacastDistributedOnDemand\Node\11\AbacastDistributedOnDemand.exe
(Do not search for the file(s); just paste the path marked in bold. If you get the message "File has already been analysed", have it analysed again. Post the result of the analysis here as a link.)


Re: virus Win32/Oficla.HD trojan??
File AbacastDistributedOnDemand.exe received 2010.06.12 19:25:32 (UTC)
Current status: Finished
Result: 0/40 (0%)
Antivirus Version Last update Result
a-squared 5.0.0.26 2010.06.12 -
AhnLab-V3 2010.06.13.00 2010.06.12 -
AntiVir 8.2.2.6 2010.06.11 -
Antiy-AVL 2.0.3.7 2010.06.11 -
Authentium 5.2.0.5 2010.06.12 -
Avast 4.8.1351.0 2010.06.12 -
Avast5 5.0.332.0 2010.06.12 -
AVG 9.0.0.787 2010.06.11 -
BitDefender 7.2 2010.06.12 -
CAT-QuickHeal 10.00 2010.06.12 -
ClamAV 0.96.0.3-git 2010.06.12 -
Comodo 5077 2010.06.12 -
DrWeb 5.0.2.03300 2010.06.12 -
eSafe 7.0.17.0 2010.06.10 -
eTrust-Vet 36.1.7629 2010.06.11 -
F-Prot 4.6.0.103 2010.06.12 -
F-Secure 9.0.15370.0 2010.06.12 -
Fortinet 4.1.133.0 2010.06.12 -
GData 21 2010.06.12 -
Ikarus T3.1.1.84.0 2010.06.12 -
Jiangmin 13.0.900 2010.06.12 -
Kaspersky 7.0.0.125 2010.06.12 -
McAfee 5.400.0.1158 2010.06.12 -
McAfee-GW-Edition 2010.1 2010.06.12 -
Microsoft 1.5802 2010.06.12 -
NOD32 5192 2010.06.12 -
Norman 6.04.12 2010.06.12 -
nProtect 2010-06-12.01 2010.06.12 -
Panda 10.0.2.7 2010.06.12 -
PCTools 7.0.3.5 2010.06.12 -
Rising 22.51.05.02 2010.06.12 -
Sophos 4.54.0 2010.06.12 -
Sunbelt 6441 2010.06.12 -
Symantec 20101.1.0.89 2010.06.12 -
TheHacker 6.5.2.0.298 2010.06.12 -
TrendMicro 9.120.0.1004 2010.06.12 -
TrendMicro-HouseCall 9.120.0.1004 2010.06.12 -
VBA32 3.12.12.5 2010.06.11 -
ViRobot 2010.6.12.3882 2010.06.12 -
VirusBuster 5.0.27.0 2010.06.12 -
Additional information
File size: 54712 bytes
MD5...: ae7af97eceb36e7a92adaf4b674226ca
SHA1..: 524dc075d9164c183029f6cb18c71a20e9bb838f
SHA256: 888adbcb5f4cdab53840c23c07d8eee1b03581545911c0e31b0167a2aaa26012
ssdeep: 768:rA9S8GCA8GpTbw6XLOZ824SWCg+O1NMwseZn4L/R:rRp3C6Xi4pCgjNMwseZn4V
PEiD..: -
PEInfo: PE Structure information
( base data )
entrypointaddress.: 0x1b44
timedatestamp.....: 0x48e1773e (Tue Sep 30 00:47:58 2008)
machinetype.......: 0x14c (I386)
( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0xd82 0x1000 5.56 4979d81c87ebbe4fee4c27d83fbc36f6
.rdata 0x2000 0x64e 0x1000 2.17 fb34adb6c979b9558f138d2d058adddc
.data 0x3000 0x16c 0x1000 0.47 2d0be99aeb6c2fbfa23730c78d89739b
.rsrc 0x4000 0x7d98 0x8000 4.95 c9fdf9a9093cc1e33f500a95a7285e0b
( 2 imports )
> KERNEL32.dll: GetStartupInfoA, GetProcAddress, LoadLibraryA, GetModuleFileNameA, GetCommandLineA, Sleep, InterlockedExchange, GetModuleHandleA, FreeLibrary
> MSVCRT.dll: _snprintf, strrchr, _unlink, rename, __CxxFrameHandler, _except_handler3, __2@YAPAXI@Z, __0exception@@QAE@ABV0@@Z, strncpy, memmove, _exit, __1exception@@UAE@XZ, __1type_info@@UAE@XZ, free, _XcptFilter, exit, _acmdln, __getmainargs, _initterm, __setusermatherr, _adjust_fdiv, __p__commode, __p__fmode, __set_app_type, _controlfp, __0exception@@QAE@XZ, _CxxThrowException, _strdup
( 0 exports )
RDS...: NSRL Reference Data Set
-
pdfid.: -
trid..: Win64 Executable Generic (80.9%)
Win32 Executable Generic (8.0%)
Win32 Dynamic Link Library (generic) (7.1%)
Generic Win/DOS Executable (1.8%)
DOS Executable Generic (1.8%)
sigcheck:
publisher....: Abacast, Inc.
copyright....: Copyright (c) 2008 Abacast, Inc
product......: Abacast Distributed On-Demand
description..: Abacast Distributed On-Demand
original name: AbacastDistributedOnDemand.exe
internal name: AbacastDistributedOnDemand
file version.: 1, 9, 8, 0
comments.....: www.abacast.com
signers......: Abacast Inc.
Thawte Code Signing CA
Thawte Premium Server CA
signing date.: 7:35 PM 4/15/2009
verified.....: -
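An added example (my own code, not part of this thread and not VirusTotal's): a minimal PE header reader in Python that pulls the same fields VirusTotal's PEInfo block lists above (entry point, link timestamp, machine type, section table with entropy and per-section MD5) straight from the bytes, so a sample can be triaged offline before it is uploaded. The build_sample_pe() helper is a constructed stand-in, not the real file: its header values are copied from the report (machine 0x14c, timestamp 0x48e1773e, entry point 0x1b44, the four sections with their virtual addresses and sizes) but its section bodies are synthetic filler, so its section MD5s will not match the report. One caveat the report itself shows: the header's machine type 0x14c means a 32-bit I386 image, while the TrID guess above says "Win64 Executable"; TrID is a filetype heuristic and the PE header is what counts.

```python
"""Minimal PE header triage (added example; not code from this thread or from VirusTotal)."""
import hashlib
import math
import struct
from datetime import datetime, timezone

MACHINE_NAMES = {0x14C: "I386", 0x8664: "AMD64", 0x1C0: "ARM", 0xAA64: "ARM64"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for constant data, up to 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(blob: bytes) -> dict:
    """Read the COFF header, the entry point and the section table of a PE image."""
    if blob[:2] != b"MZ":
        raise ValueError("not a DOS/PE image (no MZ signature)")
    (e_lfanew,) = struct.unpack_from("<I", blob, 0x3C)
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    coff = e_lfanew + 4
    machine, nsections, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", blob, coff)
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", blob, opt)        # 0x10b = PE32, 0x20b = PE32+
    (entry,) = struct.unpack_from("<I", blob, opt + 16)   # AddressOfEntryPoint, same offset in both
    sections = []
    table = opt + opt_size
    for i in range(nsections):
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", blob, table + 40 * i)
        raw = blob[rawptr:rawptr + rawsize]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "viradd": vaddr, "virsiz": vsize, "rawdsiz": rawsize,
            "entropy": round(shannon_entropy(raw), 2),
            "md5": hashlib.md5(raw).hexdigest(),
        })
    return {
        "machine": machine,
        "machine_name": MACHINE_NAMES.get(machine, hex(machine)),
        "is_64bit": magic == 0x20B,
        "timestamp": timestamp,
        "timestamp_utc": datetime.fromtimestamp(timestamp, timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
        "entrypoint": entry,
        "sections": sections,
    }


def build_sample_pe() -> bytes:
    """Constructed stand-in, NOT the real file: header values copied from the VirusTotal
    PEInfo block, section bodies synthetic, so the section MD5s differ from the report."""
    sections = [  # name, virtual address, virtual size, raw size, body
        (b".text", 0x1000, 0xD82, 0x1000, bytes(range(256)) * 16),  # every byte value equally often
        (b".rdata", 0x2000, 0x64E, 0x1000, b"\0" * 0x1000),
        (b".data", 0x3000, 0x16C, 0x1000, b"\0" * 0x1000),
        (b".rsrc", 0x4000, 0x7D98, 0x8000, b"A" * 0x8000),
    ]
    e_lfanew, opt_size = 0x80, 224                      # 224-byte optional header = PE32
    raw_ptr = 0x400                                     # first section body, file-aligned
    dos = (b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0x48E1773E, 0, 0, opt_size, 0x0102)
    opt = struct.pack("<HBBIIII", 0x10B, 6, 0, 0x1000, 0x9000, 0, 0x1B44).ljust(opt_size, b"\0")
    headers, bodies, ptr = b"", b"", raw_ptr
    for name, vaddr, vsize, rawsize, body in sections:
        assert len(body) == rawsize
        headers += struct.pack("<8sIIIIIIHHI", name, vsize, vaddr, rawsize, ptr, 0, 0, 0, 0, 0x60000020)
        bodies += body
        ptr += rawsize
    image = (dos + b"PE\0\0" + coff + opt + headers).ljust(raw_ptr, b"\0")
    return image + bodies


if __name__ == "__main__":
    info = parse_pe(build_sample_pe())
    print(f"machine {info['machine_name']}  64-bit={info['is_64bit']}  "
          f"entry 0x{info['entrypoint']:x}  linked {info['timestamp_utc']} UTC")
    for s in info["sections"]:
        print(f"{s['name']:<8} 0x{s['viradd']:x} 0x{s['virsiz']:x} 0x{s['rawdsiz']:x} "
              f"{s['entropy']:.2f} {s['md5']}")
```

Run it against a real file with parse_pe(open(path, "rb").read()); the section entropies are the quickest tell for a packed or encrypted section, which is why the report lists them.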
- Caroprd111
Re: virus Win32/Oficla.HD trojan??
Caroprd111 writes: Do you have Norton Internet Worm Protection installed?
Re: virus Win32/Oficla.HD trojan??
I don't have Norton Internet Worm Protection, should I install it?
- Caroprd111
Re: virus Win32/Oficla.HD trojan??

- Open Notepad and copy the text from the white box into it.
Code:
SecCenter::
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
Driver::
aswSP
PVR101Disk
aswFsBlk
- Save the TXT file you created as CFScript.txt on the desktop
- Once saved, drag the script with the left mouse button onto the ComboFix icon and drop it there:
- After it runs, another log will pop up; paste it here
Re: virus Win32/Oficla.HD trojan??
Sorry then; when I turned off avast and the firewall before running Combo (which I was supposed to do, or not?), the firewall reported that Norton Internet Worm Protection is turned off... so I probably have it as part of the firewall (?)
Does that change anything? I interrupted Combo and am waiting, thanks
- Caroprd111
Re: virus Win32/Oficla.HD trojan??
What firewall do you use?
Next time, do not interfere with ComboFix while it is running.

Re: virus Win32/Oficla.HD trojan??
Windows Firewall, is that possible? Even though that Norton Worm Protection is there?
- Caroprd111
Re: virus Win32/Oficla.HD trojan??
ComboFix 10-06-10.04 - JW 12.06.2010 22:34:21.4.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1250.420.1029.18.446.209 [GMT 2:00]
Running from: c:\documents and settings\JW\Plocha\ComboFix.exe
Command switches used :: c:\documents and settings\JW\Plocha\CFScript.txt
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
WARNING - THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_ASWFSBLK
-------\Legacy_ASWSP
-------\Legacy_PVR101DISK
-------\Service_aswFsBlk
-------\Service_aswSP
-------\Service_PVR101Disk
((((((((((((((((((((((((( Files Created from 2010-05-12 to 2010-06-12 )))))))))))))))))))))))))))))))
.
2010-06-10 15:21 . 2010-06-10 15:21 -------- d-----w- C:\_OTL
2010-06-10 14:20 . 2010-05-06 20:33 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-06-10 14:20 . 2010-05-06 20:39 164048 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-06-10 14:20 . 2010-05-06 20:34 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-06-10 14:20 . 2010-05-06 20:39 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-06-10 14:20 . 2010-05-06 20:33 100432 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-06-10 14:20 . 2010-05-06 20:33 94800 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-06-10 14:20 . 2010-05-06 20:33 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-06-10 14:18 . 2010-05-06 20:59 38848 ----a-w- c:\windows\system32\avastSS.scr
2010-06-10 14:17 . 2010-05-06 20:59 165032 ----a-w- c:\windows\system32\aswBoot.exe
2010-06-10 14:16 . 2010-06-10 14:16 -------- d-----w- c:\program files\Alwil Software
2010-06-10 09:16 . 2010-06-10 09:16 -------- d-----w- c:\program files\CCleaner
2010-06-10 08:59 . 2010-06-10 08:59 -------- d-----w- c:\windows\system32\wbem\Repository
2010-06-10 08:57 . 2010-06-10 08:57 -------- d-----w- c:\windows\Motorola
2010-06-10 08:57 . 2010-06-10 08:57 -------- d-----w- c:\program files\SoftMaker Viewer
2010-06-09 14:08 . 2010-06-10 14:37 -------- d-----w- c:\program files\trend micro
2010-06-09 14:08 . 2010-06-09 14:09 -------- d-----w- C:\rsit
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-12 21:14 . 2010-03-20 15:29 -------- d-----w- c:\program files\Aladdin
2010-06-10 14:29 . 2007-07-13 10:56 -------- d-----w- c:\program files\ESET
2010-06-10 11:15 . 2006-01-26 03:00 549418 ----a-w- c:\windows\system32\perfh005.dat
2010-06-10 11:15 . 2006-01-26 03:00 130830 ----a-w- c:\windows\system32\perfc005.dat
2010-06-10 09:04 . 2007-07-12 12:51 -------- d-----w- c:\program files\uTorrent
2010-06-10 08:57 . 2008-08-22 15:35 -------- d-----w- c:\program files\Microsoft ActiveSync
2010-06-10 08:57 . 2008-03-18 18:22 -------- d-----w- c:\program files\VideoReDoPlus
2010-06-09 13:40 . 2006-01-26 07:56 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-06-04 06:48 . 2009-03-17 12:52 -------- d-----w- c:\program files\Microsoft Silverlight
2010-05-09 11:53 . 2010-05-09 11:53 691696 ----a-w- c:\windows\system32\drivers\sptd.sys
2010-05-02 08:09 . 2006-01-26 03:00 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-20 05:32 . 2006-01-26 02:59 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-16 16:08 . 2006-01-26 03:00 668160 ----a-w- c:\windows\system32\wininet.dll
2010-04-16 16:08 . 2006-01-26 03:00 81920 ----a-w- c:\windows\system32\ieencode.dll
2008-10-25 11:09 . 2008-10-25 11:08 1851544 ----a-w- c:\program files\install_flash_player.exe
2008-08-22 15:37 . 2008-08-25 12:27 1161 ----a-w- c:\program files\Windows Mobile Resources.lnk
2008-06-17 17:00 . 2008-06-17 17:00 2391288 ----a-w- c:\program files\SVGView.exe
2008-03-18 18:22 . 2008-03-18 18:22 1544 ----a-w- c:\program files\VideoReDo Plus.lnk
2008-03-18 12:53 . 2008-03-18 12:50 11136896 ----a-w- c:\program files\VideoReDoPlus-2-5-6-512.exe
2008-03-15 11:37 . 2008-03-15 11:37 583 ----a-w- c:\program files\VideoCAM Look.lnk
2008-02-18 17:20 . 2008-02-18 17:20 154348 -c--a-w- c:\program files\ChessGenius_s60_3.sis
2007-09-14 12:31 . 2007-09-14 12:29 9679815 ----a-w- c:\program files\vlc-0.8.6c-win32.exe
2007-08-08 20:55 . 2007-08-08 20:54 295160 ----a-w- c:\program files\fring91.sis
2007-07-31 09:43 . 2007-07-31 09:41 4526458 ----a-w- c:\program files\WinAVI_Video_Converter.exe
2007-07-19 17:01 . 2007-07-19 17:01 582776 ----a-w- c:\program files\divx_311alpha.exe
2007-07-13 16:42 . 2007-07-13 16:41 762707 ----a-w- c:\program files\utorrent-setup.exe
2007-07-13 16:40 . 2007-07-13 16:40 122722 ----a-w- c:\program files\cestina_pro_irfanview.exe
2007-07-13 16:35 . 2007-07-13 16:35 1571 ----a-w- c:\program files\IrfanView Thumbnails.lnk
2007-07-13 16:34 . 2007-07-13 16:34 1156096 ----a-w- c:\program files\iview400.exe
2007-07-13 16:32 . 2007-07-13 16:32 1608 ----a-w- c:\program files\Mozilla Firefox.lnk
2007-07-13 16:32 . 2007-07-13 16:32 5822464 ----a-w- c:\program files\Firefox Setup 2.0.0.4.exe
2007-07-12 13:20 . 2007-07-12 13:20 10050902 ----a-w- c:\program files\Codecs6030_allin1.exe
2007-07-12 09:03 . 2007-07-12 09:03 1360 ----a-w- c:\program files\First Steps.lnk
2007-07-04 12:02 . 2007-09-16 21:32 28088805 ----a-w- c:\program files\SUPERsetup.exe
2007-05-28 17:29 . 2007-07-12 12:59 10609152 -c--a-w- c:\program files\abraclassic.exe
2006-05-03 09:06 . 2007-09-16 21:36 163328 --sha-r- c:\windows\system32\flvDX.dll
2007-02-21 10:47 . 2007-09-16 21:36 31232 --sha-r- c:\windows\system32\msfDX.dll
.
(((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries and legitimate default entries are not shown.
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\JW\Local Settings\Data aplikací\Google\Update\GoogleUpdate.exe" [2009-03-21 133104]
"AbacastDistributedOnDemand:11"="c:\documents and settings\JW\Local Settings\Data aplikací\AbacastDistributedOnDemand\Node\11\AbacastDistributedOnDemand.exe" [2009-04-15 54712]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-06-22 344064]
"SoundMan"="SOUNDMAN.EXE" [2005-08-01 77824]
"SMSERIAL"="sm56hlpr.exe" [2005-07-06 544768]
"PowerManager"="c:\program files\Power Manager\PM.exe" [2005-12-14 159744]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2006-01-12 155648]
"OdTray.exe"="c:\program files\Fujitsu Siemens Computers\Odyssey Client for Fujitsu Siemens Computers\OdTray.exe" [2005-05-18 1015871]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-07-14 98304]
"iRiver Updater"="\Updater.exe" [2004-07-01 212992]
"SNPSTD2"="c:\windows\vsnpstd2.exe" [2004-06-10 286720]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2007-10-25 652624]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2009-07-06 1848648]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OdysseyClient]
2007-07-12 09:05 106496 ----a-w- c:\windows\system32\odyEvent.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Documents and Settings\\JW\\Plocha\\aceftp3free.exe"=
"c:\\Program Files\\Messenger\\Msmsgs.exe"=
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\WINDOWS\\system32\\dpnsvr.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Sprite Software\\Sprite Backup\\spriteservice.exe"=
"c:\\Documents and Settings\\JW\\Local Settings\\Data aplikací\\AbacastDistributedOnDemand\\Node\\11\\AbacastDistributedOnDemand.exe"=
"c:\\Documents and Settings\\JW\\Local Settings\\Data aplikací\\Abacast\\Abaclient2.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
R2 Aladdin SQL Server;Aladdin SQL Server;c:\program files\Aladdin\Aladdin SQL Server\AladdinSQL.exe [20.3.2010 17:29 136192]
R2 Plánovač automatické aktualizace LiveUpdate;Plánovač automatické aktualizace LiveUpdate;c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe [12.7.2007 13:13 100032]
R3 EKBfltr;ENE Keyboard Controller;c:\windows\system32\drivers\EKBfltr.sys [26.1.2006 5:03 5504]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [9.5.2010 13:53 691696]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.cz/
IE: E&xportovat do aplikace Microsoft Office Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
Trusted Zone: microsoft.com \office
DPF: {5F509E42-537E-482B-B66C-145BC170054C} - hxxp://sberna.fotostar.cz/snadno-vlozit-fotografie/fs/FotoStarPhotoUploader.dll
DPF: {AE2B937E-EA7D-4A8D-888C-B68D7F72A3C4} - hxxp://asp.photoprintit.de/microsite/11466/defaults/activex/ips/IPSUploader4.cab
FF - ProfilePath - c:\documents and settings\JW\Data aplikací\Mozilla\Firefox\Profiles\yu6zca7o.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.idnes.cz/
FF - plugin: c:\program files\Canon\Easy-PhotoPrint EX\NPEZFFPI.DLL
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npOGAPlugin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npWebLaunch.dll
---- FIREFOX SETTINGS ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".cz");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-12 22:46
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- Libraries loaded by running processes ---------------------
- - - - - - - > 'winlogon.exe'(1216)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\odyEvent.dll
- - - - - - - > 'explorer.exe'(2308)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other running processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Fujitsu Siemens Computers\Odyssey Client for Fujitsu Siemens Computers\odClientService.exe
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\wscntfy.exe
c:\windows\SOUNDMAN.EXE
c:\windows\sm56hlpr.exe
c:\windows\system32\rundll32.exe
C:\Updater.exe
c:\program files\Microsoft ActiveSync\wcescomm.exe
c:\progra~1\MI3AA1~1\rapimgr.exe
.
**************************************************************************
.
Completion time: 2010-06-12 22:51:35 - machine was rebooted
ComboFix-quarantined-files.txt 2010-06-12 20:51
ComboFix2.txt 2010-06-11 15:38
Pre-Run: 11 467 059 200 bytes free
Post-Run: 11 395 588 096 bytes free
Current=3 Default=3 Failed=2 LastKnownGood=4 Sets=1,2,3,4
- - End Of File - - EC48F072C34F42642C0D7A3CFF9FBEEA
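An added example (my own code, not from this thread and not from ComboFix): a small Python triage of the firewall policy block ComboFix prints under the registry loading points in the log above. It reads the standard-profile EnableFirewall flag, the Security Center monitoring flag for the Symantec firewall, the authorised-application list and the globally open ports, and flags exceptions for programs in user-writable locations (the XP profile under Documents and Settings, which includes the desktop, "Plocha", and Local Settings), since a binary there can be swapped without administrator rights and still passes the firewall. The sample lines are copied verbatim from the log above; the path heuristic in USER_WRITABLE is my assumption, not something the log states.

```python
"""Firewall-policy triage for a ComboFix log (added example; not code from this thread or ComboFix)."""
import re

# Copied verbatim from the ComboFix log above (the registry block under the loading points).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Documents and Settings\\JW\\Plocha\\aceftp3free.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\\Documents and Settings\\JW\\Local Settings\\Data aplikací\\AbacastDistributedOnDemand\\Node\\11\\AbacastDistributedOnDemand.exe"=
"c:\\Documents and Settings\\JW\\Local Settings\\Data aplikací\\Abacast\\Abaclient2.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"""

SECTION_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')
# Assumed heuristic: path fragments a standard (non-admin) user can write to on XP and later.
USER_WRITABLE = ("\\documents and settings\\", "\\users\\", "\\temp\\", "\\tmp\\")


def parse_firewall_policy(log_text: str) -> dict:
    """Walk the REGEDIT4-style block and pull out the firewall-relevant values."""
    pol = {"firewall_enabled": None, "symantec_monitoring_disabled": False,
           "authorized": [], "open_ports": []}
    section = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).lower()
            continue
        m = VALUE_RE.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2)
        if section.endswith("firewallpolicy\\standardprofile") and key == "EnableFirewall":
            pol["firewall_enabled"] = value.split()[0] != "0"          # "0 (0x0)" -> disabled
        elif section.endswith("monitoring\\symantecfirewall") and key == "DisableMonitoring":
            pol["symantec_monitoring_disabled"] = int(value.split(":")[-1], 16) == 1
        elif section.endswith("authorizedapplications\\list"):
            pol["authorized"].append(key.replace("\\\\", "\\"))        # ComboFix doubles backslashes
        elif section.endswith("globallyopenports\\list"):
            port, proto = key.split(":")
            pol["open_ports"].append((int(port), proto, value))
    return pol


def flag_user_writable(paths):
    """Firewall exceptions for binaries a non-admin could replace in place."""
    return [p for p in paths if any(tag in p.lower() for tag in USER_WRITABLE)]


def findings(log_text: str) -> list:
    """Human-readable list of what a reviewer should look at in this block."""
    pol = parse_firewall_policy(log_text)
    out = []
    if pol["firewall_enabled"] is False:
        out.append("Windows Firewall standard profile is disabled (EnableFirewall=0)")
    if pol["symantec_monitoring_disabled"]:
        out.append("Security Center no longer monitors the Symantec firewall (DisableMonitoring=1)")
    for p in flag_user_writable(pol["authorized"]):
        out.append(f"firewall exception for a program in a user-writable path: {p}")
    for port, proto, rule in pol["open_ports"]:
        out.append(f"globally open port {port}/{proto}: {rule}")
    return out


if __name__ == "__main__":
    for f in findings(SAMPLE_LOG):
        print("-", f)
```

Feed it the whole ComboFix log (findings(open(path, encoding="utf-8", errors="replace").read())); lines outside the registry block are ignored because they match neither pattern. On this log it reports the disabled standard profile, the silenced Symantec monitor, the three exceptions under the JW profile and the ActiveSync port.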
Microsoft Windows XP Home Edition 5.1.2600.3.1250.420.1029.18.446.209 [GMT 2:00]
Spuštěný z: c:\documents and settings\JW\Plocha\ComboFix.exe
Použité ovládací přepínače :: c:\documents and settings\JW\Plocha\CFScript.txt
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
VAROVÁNÍ - NA TOMTO POČÍTAČI NENÍ NAINSTALOVÁNA KONZOLA PRO ZOTAVENÍ !!
.
((((((((((((((((((((((((((((((((((((((( Ostatní výmazy )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((((( Ovladače/Služby )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_ASWFSBLK
-------\Legacy_ASWSP
-------\Legacy_PVR101DISK
-------\Service_aswFsBlk
-------\Service_aswSP
-------\Service_PVR101Disk
((((((((((((((((((((((((( Soubory vytvořené od 2010-05-12 do 2010-06-12 )))))))))))))))))))))))))))))))
.
2010-06-10 15:21 . 2010-06-10 15:21 -------- d-----w- C:\_OTL
2010-06-10 14:20 . 2010-05-06 20:33 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-06-10 14:20 . 2010-05-06 20:39 164048 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-06-10 14:20 . 2010-05-06 20:34 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-06-10 14:20 . 2010-05-06 20:39 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-06-10 14:20 . 2010-05-06 20:33 100432 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-06-10 14:20 . 2010-05-06 20:33 94800 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-06-10 14:20 . 2010-05-06 20:33 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-06-10 14:18 . 2010-05-06 20:59 38848 ----a-w- c:\windows\system32\avastSS.scr
2010-06-10 14:17 . 2010-05-06 20:59 165032 ----a-w- c:\windows\system32\aswBoot.exe
2010-06-10 14:16 . 2010-06-10 14:16 -------- d-----w- c:\program files\Alwil Software
2010-06-10 09:16 . 2010-06-10 09:16 -------- d-----w- c:\program files\CCleaner
2010-06-10 08:59 . 2010-06-10 08:59 -------- d-----w- c:\windows\system32\wbem\Repository
2010-06-10 08:57 . 2010-06-10 08:57 -------- d-----w- c:\windows\Motorola
2010-06-10 08:57 . 2010-06-10 08:57 -------- d-----w- c:\program files\SoftMaker Viewer
2010-06-09 14:08 . 2010-06-10 14:37 -------- d-----w- c:\program files\trend micro
2010-06-09 14:08 . 2010-06-09 14:09 -------- d-----w- C:\rsit
.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-12 21:14 . 2010-03-20 15:29 -------- d-----w- c:\program files\Aladdin
2010-06-10 14:29 . 2007-07-13 10:56 -------- d-----w- c:\program files\ESET
2010-06-10 11:15 . 2006-01-26 03:00 549418 ----a-w- c:\windows\system32\perfh005.dat
2010-06-10 11:15 . 2006-01-26 03:00 130830 ----a-w- c:\windows\system32\perfc005.dat
2010-06-10 09:04 . 2007-07-12 12:51 -------- d-----w- c:\program files\uTorrent
2010-06-10 08:57 . 2008-08-22 15:35 -------- d-----w- c:\program files\Microsoft ActiveSync
2010-06-10 08:57 . 2008-03-18 18:22 -------- d-----w- c:\program files\VideoReDoPlus
2010-06-09 13:40 . 2006-01-26 07:56 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-06-04 06:48 . 2009-03-17 12:52 -------- d-----w- c:\program files\Microsoft Silverlight
2010-05-09 11:53 . 2010-05-09 11:53 691696 ----a-w- c:\windows\system32\drivers\sptd.sys
2010-05-02 08:09 . 2006-01-26 03:00 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-20 05:32 . 2006-01-26 02:59 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-16 16:08 . 2006-01-26 03:00 668160 ----a-w- c:\windows\system32\wininet.dll
2010-04-16 16:08 . 2006-01-26 03:00 81920 ----a-w- c:\windows\system32\ieencode.dll
2008-10-25 11:09 . 2008-10-25 11:08 1851544 ----a-w- c:\program files\install_flash_player.exe
2008-08-22 15:37 . 2008-08-25 12:27 1161 ----a-w- c:\program files\Windows Mobile Resources.lnk
2008-06-17 17:00 . 2008-06-17 17:00 2391288 ----a-w- c:\program files\SVGView.exe
2008-03-18 18:22 . 2008-03-18 18:22 1544 ----a-w- c:\program files\VideoReDo Plus.lnk
2008-03-18 12:53 . 2008-03-18 12:50 11136896 ----a-w- c:\program files\VideoReDoPlus-2-5-6-512.exe
2008-03-15 11:37 . 2008-03-15 11:37 583 ----a-w- c:\program files\VideoCAM Look.lnk
2008-02-18 17:20 . 2008-02-18 17:20 154348 -c--a-w- c:\program files\ChessGenius_s60_3.sis
2007-09-14 12:31 . 2007-09-14 12:29 9679815 ----a-w- c:\program files\vlc-0.8.6c-win32.exe
2007-08-08 20:55 . 2007-08-08 20:54 295160 ----a-w- c:\program files\fring91.sis
2007-07-31 09:43 . 2007-07-31 09:41 4526458 ----a-w- c:\program files\WinAVI_Video_Converter.exe
2007-07-19 17:01 . 2007-07-19 17:01 582776 ----a-w- c:\program files\divx_311alpha.exe
2007-07-13 16:42 . 2007-07-13 16:41 762707 ----a-w- c:\program files\utorrent-setup.exe
2007-07-13 16:40 . 2007-07-13 16:40 122722 ----a-w- c:\program files\cestina_pro_irfanview.exe
2007-07-13 16:35 . 2007-07-13 16:35 1571 ----a-w- c:\program files\IrfanView Thumbnails.lnk
2007-07-13 16:34 . 2007-07-13 16:34 1156096 ----a-w- c:\program files\iview400.exe
2007-07-13 16:32 . 2007-07-13 16:32 1608 ----a-w- c:\program files\Mozilla Firefox.lnk
2007-07-13 16:32 . 2007-07-13 16:32 5822464 ----a-w- c:\program files\Firefox Setup 2.0.0.4.exe
2007-07-12 13:20 . 2007-07-12 13:20 10050902 ----a-w- c:\program files\Codecs6030_allin1.exe
2007-07-12 09:03 . 2007-07-12 09:03 1360 ----a-w- c:\program files\First Steps.lnk
2007-07-04 12:02 . 2007-09-16 21:32 28088805 ----a-w- c:\program files\SUPERsetup.exe
2007-05-28 17:29 . 2007-07-12 12:59 10609152 -c--a-w- c:\program files\abraclassic.exe
2006-05-03 09:06 . 2007-09-16 21:36 163328 --sha-r- c:\windows\system32\flvDX.dll
2007-02-21 10:47 . 2007-09-16 21:36 31232 --sha-r- c:\windows\system32\msfDX.dll
.
(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\JW\Local Settings\Data aplikací\Google\Update\GoogleUpdate.exe" [2009-03-21 133104]
"AbacastDistributedOnDemand:11"="c:\documents and settings\JW\Local Settings\Data aplikací\AbacastDistributedOnDemand\Node\11\AbacastDistributedOnDemand.exe" [2009-04-15 54712]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-06-22 344064]
"SoundMan"="SOUNDMAN.EXE" [2005-08-01 77824]
"SMSERIAL"="sm56hlpr.exe" [2005-07-06 544768]
"PowerManager"="c:\program files\Power Manager\PM.exe" [2005-12-14 159744]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2006-01-12 155648]
"OdTray.exe"="c:\program files\Fujitsu Siemens Computers\Odyssey Client for Fujitsu Siemens Computers\OdTray.exe" [2005-05-18 1015871]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-07-14 98304]
"iRiver Updater"="\Updater.exe" [2004-07-01 212992]
"SNPSTD2"="c:\windows\vsnpstd2.exe" [2004-06-10 286720]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2007-10-25 652624]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2009-07-06 1848648]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OdysseyClient]
2007-07-12 09:05 106496 ----a-w- c:\windows\system32\odyEvent.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Documents and Settings\\JW\\Plocha\\aceftp3free.exe"=
"c:\\Program Files\\Messenger\\Msmsgs.exe"=
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\WINDOWS\\system32\\dpnsvr.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Sprite Software\\Sprite Backup\\spriteservice.exe"=
"c:\\Documents and Settings\\JW\\Local Settings\\Data aplikací\\AbacastDistributedOnDemand\\Node\\11\\AbacastDistributedOnDemand.exe"=
"c:\\Documents and Settings\\JW\\Local Settings\\Data aplikací\\Abacast\\Abaclient2.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
R2 Aladdin SQL Server;Aladdin SQL Server;c:\program files\Aladdin\Aladdin SQL Server\AladdinSQL.exe [20.3.2010 17:29 136192]
R2 Plánovač automatické aktualizace LiveUpdate;Plánovač automatické aktualizace LiveUpdate;c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe [12.7.2007 13:13 100032]
R3 EKBfltr;ENE Keyboard Controller;c:\windows\system32\drivers\EKBfltr.sys [26.1.2006 5:03 5504]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [9.5.2010 13:53 691696]
.
.
------- Doplňkový sken -------
.
uStart Page = hxxp://google.cz/
IE: E&xportovat do aplikace Microsoft Office Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
Trusted Zone: microsoft.com \office
DPF: {5F509E42-537E-482B-B66C-145BC170054C} - hxxp://sberna.fotostar.cz/snadno-vlozit-fotografie/fs/FotoStarPhotoUploader.dll
DPF: {AE2B937E-EA7D-4A8D-888C-B68D7F72A3C4} - hxxp://asp.photoprintit.de/microsite/11466/defaults/activex/ips/IPSUploader4.cab
FF - ProfilePath - c:\documents and settings\JW\Data aplikací\Mozilla\Firefox\Profiles\yu6zca7o.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.idnes.cz/
FF - plugin: c:\program files\Canon\Easy-PhotoPrint EX\NPEZFFPI.DLL
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npOGAPlugin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npWebLaunch.dll
---- FIREFOX SETTINGS ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".cz");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-12 22:46
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- Libraries loaded into running processes ---------------------
- - - - - - - > 'winlogon.exe'(1216)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\odyEvent.dll
- - - - - - - > 'explorer.exe'(2308)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Fujitsu Siemens Computers\Odyssey Client for Fujitsu Siemens Computers\odClientService.exe
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\wscntfy.exe
c:\windows\SOUNDMAN.EXE
c:\windows\sm56hlpr.exe
c:\windows\system32\rundll32.exe
C:\Updater.exe
c:\program files\Microsoft ActiveSync\wcescomm.exe
c:\progra~1\MI3AA1~1\rapimgr.exe
.
**************************************************************************
.
Completion time: 2010-06-12 22:51:35 - the computer was restarted
ComboFix-quarantined-files.txt 2010-06-12 20:51
ComboFix2.txt 2010-06-11 15:38
Pre-Run: free bytes: 11 467 059 200
Post-Run: free bytes: 11 395 588 096
Current=3 Default=3 Failed=2 LastKnownGood=4 Sets=1,2,3,4
- - End Of File - - EC48F072C34F42642C0D7A3CFF9FBEEA
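Added example, not part of the forum post and not a feature of ComboFix: a small Python triage helper that reads the two parts of a log like the one above that a helper checks first, the Windows XP firewall exception lists (AuthorizedApplications and GloballyOpenPorts) and the "Other Running Processes" list, and flags executables that live outside the standard program directories plus firewall ports opened to any host. The sample log is constructed to mirror the lines above, with one extra constructed port line (3389:TCP, scope "*") added only to show the scope check; the registry key names, the English section header and the trusted-directory list are assumptions about ComboFix's format, not taken from this page. A flagged path is a location heuristic worth a second look, not a malware verdict.

```python
"""Triage helper for ComboFix-style log excerpts (added example, hypothetical code).

Parses:
  * firewall exception lines under the XP keys
    [HKLM\~\...\firewallpolicy\standardprofile\AuthorizedApplications\List] and
    [HKLM\~\...\firewallpolicy\standardprofile\GloballyOpenPorts\List]
  * the executable list under "Other Running Processes"
and flags entries that are outside the usual program directories, or ports
whose scope is "*" (reachable from any host). Heuristic only.
"""
import re

# Constructed sample, shaped after the log on the page. The 3389:TCP line is
# constructed as well and is NOT in the original log; it exists to show the
# any-host scope check firing.
SAMPLE_LOG = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Documents and Settings\\JW\\Local Settings\\Data aplikací\\Abacast\\Abaclient2.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"3389:TCP"= 3389:TCP:*:Enabled:Remote Desktop
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\windows\system32\rundll32.exe
C:\Updater.exe
c:\progra~1\MI3AA1~1\rapimgr.exe
.
**************************************************************************
"""

# Registry value name of an application exception: "<path to exe>"=
APP_LINE = re.compile(r'^"(?P<path>.+?\.exe)"=', re.IGNORECASE)
# Port exception: "<port>:<proto>"= <port>:<proto>:<scope>:<Enabled|Disabled>:<name>
PORT_LINE = re.compile(
    r'^"(?P<port>\d+:(?:TCP|UDP))"=\s*'
    r'\d+:(?:TCP|UDP):(?P<scope>[^:]*):(?P<state>Enabled|Disabled):(?P<name>.*)$'
)
APP_KEY = "AuthorizedApplications\\List"
PORT_KEY = "GloballyOpenPorts\\List"
PROC_HEADER = "Other Running Processes"

# Assumed "normal" locations; anything else (user profile, root of C:, temp) is flagged.
TRUSTED_PREFIXES = (
    "c:\\program files\\",
    "c:\\progra~1\\",
    "c:\\windows\\",
    "%windir%\\",
)


def normalize(path):
    """Collapse the doubled backslashes used in registry value names and lower-case."""
    return path.replace("\\\\", "\\").strip().lower()


def parse_log(text):
    """Return app exceptions, open ports and running processes found in the text."""
    result = {"app_exceptions": [], "open_ports": [], "processes": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("["):  # registry key header switches the section
            if line.endswith(APP_KEY + "]"):
                section = "apps"
            elif line.endswith(PORT_KEY + "]"):
                section = "ports"
            else:
                section = None
            continue
        if PROC_HEADER in line:
            section = "procs"
            continue
        if section == "apps":
            m = APP_LINE.match(line)
            if m:
                result["app_exceptions"].append(normalize(m.group("path")))
        elif section == "ports":
            m = PORT_LINE.match(line)
            if m:
                result["open_ports"].append({
                    "port": m.group("port"),
                    "scope": m.group("scope"),
                    "enabled": m.group("state") == "Enabled",
                    "name": m.group("name").strip(),
                })
        elif section == "procs":
            if line.startswith("*") or line.startswith("---"):
                section = None  # end of the process list
            elif ":\\" in line:
                result["processes"].append(normalize(line))
    return result


def flag_unusual_locations(paths):
    """Executables not under a trusted directory prefix."""
    return [p for p in paths if not p.startswith(TRUSTED_PREFIXES)]


def triage(text):
    """One-shot summary of what a helper would look at first."""
    parsed = parse_log(text)
    return {
        "exceptions_outside_program_dirs": flag_unusual_locations(parsed["app_exceptions"]),
        "processes_outside_program_dirs": flag_unusual_locations(parsed["processes"]),
        "ports_open_to_any_host": [
            p["port"] for p in parsed["open_ports"] if p["enabled"] and p["scope"] == "*"
        ],
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the constructed sample this reports the Abacast client in the user's profile and C:\Updater.exe as running outside program directories, and 3389:TCP as the only exception scoped to any host; the 26675:TCP ActiveSync entry is limited to the 169.254.2.0/24 link-local range and so is not flagged.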
Re: virus Win32/Oficla.HD trojan??
Combo asked me to connect to the internet and download something, which I didn't want to do with Avast and the firewall turned off. Is that OK, or should I have allowed it? Thanks
- Caroprd111