Page 2 of 4

Re: Win32:Bamital-AM ; Win32:Rootkit-gen [rtk] + Rsit log PO

Posted: 14 Nov 2010 18:15
by vyosek
:arrow: CF cleaned some things up, but let's see what comes next

:arrow: Boot into Safe Mode (restart the PC, keep pressing F8, choose Safe Mode with Networking)

:arrow: Download RKill http://download.bleepingcomputer.com/grinler/rkill.com :arrow: Run ComboFix (Beruska) - hopefully the log will get created for us this time

Re: Win32:Bamital-AM ; Win32:Rootkit-gen [rtk] + Rsit log PO

Posted: 14 Nov 2010 18:45
by Yurda
Here it is!! My sister is taking the notebook back, so I'll be ready for the next step a bit later, but I'll definitely show up here again today... on the normal PC the search engine still doesn't work for me :( so see you in a few hours and thanks ;)



ComboFix 10-11-13.01 - Zbyněk Juroš 14.11.2010 18:46:18.2.2 - x86 NETWORK
Spuštěný z: c:\documents and settings\Zbyněk Juroš\Plocha\Beruska.com.exe
.

((((((((((((((((((((((((((((((((((((((( Ostatní výmazy )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Zbyněk Juroš\Data aplikací\Desktopicon
c:\documents and settings\Zbyněk Juroš\Data aplikací\Desktopicon\eBay.ico
c:\documents and settings\Zbyněk Juroš\Data aplikací\Desktopicon\uninst.exe
c:\documents and settings\Zbyněk Juroš\Data aplikací\Microsoft\svchost.exe
.
---- Předchozí spuštění -------
.
c:\documents and settings\.finf\Administrator
c:\documents and settings\All Users\Dokumenty\Server\admin.txt
c:\recycler\S-1-5-21-0243336031-4052116379-881863308-0851
c:\recycler\S-1-5-21-1482476501-1644491937-682003330-1013
c:\windows\daemon.dll
c:\windows\system32\CTF
c:\windows\system32\CTF\klog.dat
c:\windows\system32\drivers\svchost.jxe
c:\windows\Sysvxd.exe
c:\windows\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job

-- Předchozí spuštění --

Nakažená kopie c:\windows\system32\winlogon.exe byla nalezena a vyléčena.
Obnovena kopie z - c:\windows\ServicePackFiles\i386\winlogon.exe

Nakažená kopie c:\windows\system32\winlogon.exe byla nalezena a vyléčena.
Obnovena kopie z - c:\windows\ServicePackFiles\i386\winlogon.exe

Nakažená kopie c:\windows\explorer.exe byla nalezena a vyléčena.
Obnovena kopie z - c:\windows\ServicePackFiles\i386\explorer.exe

--------

.
((((((((((((((((((((((((((((((((((((((( Ovladače/Služby )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_BNDMSS
-------\Legacy_SSHNAS
-------\Legacy_SVCHOST32
-------\Service_BNDMSS
-------\Service_SSHNAS
-------\Service_svchost32


((((((((((((((((((((((((( Soubory vytvořené od 2010-10-14 do 2010-11-14 )))))))))))))))))))))))))))))))
.

2010-11-14 15:25 . 2010-11-14 15:25 -------- d-----w- C:\rsit
2010-11-14 15:25 . 2010-11-14 15:25 -------- d-----w- c:\program files\trend micro
2010-11-14 11:38 . 2010-11-14 16:47 -------- d-----w- c:\documents and settings\Administrator.HOME-E6AC245C59
2010-11-13 22:16 . 2010-09-07 15:47 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-11-13 22:16 . 2010-09-07 15:52 165584 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-11-13 22:16 . 2010-09-07 15:53 340048 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2010-11-13 22:15 . 2010-09-07 15:47 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-11-13 22:15 . 2010-09-07 15:52 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-11-13 22:15 . 2010-09-07 15:47 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-11-13 22:15 . 2010-09-07 15:47 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-11-13 22:15 . 2010-09-07 15:46 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-11-13 22:15 . 2010-09-07 16:12 38848 ----a-w- c:\windows\avastSS.scr
2010-11-13 22:15 . 2010-09-07 16:11 167592 ----a-w- c:\windows\system32\aswBoot.exe
2010-11-13 16:29 . 2010-11-13 19:41 -------- d-----w- C:\50cfb7d96da3dae3d7
2010-11-13 15:38 . 2010-11-13 15:38 133120 ----a-w- c:\documents and settings\Zbyněk Juroš\Data aplikací\Microsoft\Windows\shell.exe
2010-11-13 15:37 . 2010-11-13 15:37 201 ----a-w- c:\documents and settings\Zbyněk Juroš\Data aplikací\sdghzxfg.bat
2010-11-04 21:27 . 2010-11-04 21:27 -------- d-----w- c:\documents and settings\Zbyněk Juroš\Local Settings\Data aplikací\AOL
2010-11-04 21:24 . 2010-11-05 12:27 -------- d-----w- c:\program files\ICQ6Toolbar
2010-11-04 21:24 . 2010-11-04 21:27 -------- d-----w- c:\documents and settings\All Users\Data aplikací\ICQ
2010-11-04 21:23 . 2010-11-07 00:01 -------- d-----w- c:\documents and settings\Zbyněk Juroš\Data aplikací\ICQ
2010-11-04 21:23 . 2010-11-04 21:27 -------- d-----w- c:\program files\ICQ6.5
2010-11-04 21:19 . 2010-11-04 21:19 -------- d-----w- c:\program files\ICQToolbar
2010-11-03 22:38 . 2010-11-03 22:38 -------- d-----w- c:\documents and settings\All Users\Data aplikací\Kaspersky Lab Setup Files
2010-11-03 13:32 . 2010-09-07 15:54 99792 ----a-w- c:\windows\system32\drivers\aswFW.sys
2010-11-03 13:32 . 2010-09-07 15:53 190416 ----a-w- c:\windows\system32\drivers\aswNdis2.sys
2010-11-03 13:31 . 2010-11-13 22:14 -------- d-----w- c:\documents and settings\All Users\Data aplikací\Alwil Software
2010-11-03 13:31 . 2010-11-03 13:31 -------- d-----w- c:\program files\Alwil Software
2010-11-03 01:05 . 2010-11-05 17:51 -------- d-----w- c:\documents and settings\Zbyněk Juroš\Local Settings\Data aplikací\AskToolbar
2010-11-03 01:04 . 2010-11-03 01:04 -------- d-----w- c:\program files\CCleaner
2010-10-25 22:21 . 2010-10-25 22:23 -------- d-----w- c:\program files\Common Files\Macromedia
2010-10-25 22:21 . 2010-10-25 22:22 -------- d-----w- c:\program files\Macromedia
2010-10-25 22:21 . 2010-10-25 22:21 180224 ------w- c:\program files\Common Files\InstallShield\Driver\10\Intel 32\iGdiCnv.dll
2010-10-25 22:21 . 2010-10-25 22:21 409600 ------w- c:\program files\Common Files\InstallShield\Driver\10\Intel 32\ISRT.dll
2010-10-25 22:21 . 2010-10-25 22:21 32768 ------w- c:\program files\Common Files\InstallShield\Driver\10\Intel 32\objpscnv.dll
2010-10-25 22:21 . 2010-10-25 22:21 266240 ------w- c:\program files\Common Files\InstallShield\Driver\10\Intel 32\IScrCnv.dll
2010-10-25 22:21 . 2010-10-25 22:21 172032 ------w- c:\program files\Common Files\InstallShield\Driver\10\Intel 32\IUserCnv.dll
2010-10-25 22:21 . 2010-10-25 22:21 761856 ------w- c:\program files\Common Files\InstallShield\Driver\10\Intel 32\IDriver.exe
2010-10-25 22:21 . 2010-10-25 22:21 540772 ------w- c:\program files\Common Files\InstallShield\Driver\10\Intel 32\_ISRES1033.dll
2010-10-25 22:19 . 2002-09-03 11:02 72192 ----a-w- c:\windows\unlite3.exe
2010-10-25 22:19 . 2010-10-25 22:19 -------- d-----w- c:\program files\Bradbury

.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-15 03:50 . 2010-05-19 20:47 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-09-15 01:29 . 2009-03-30 19:21 73728 ----a-w- c:\windows\system32\javacpl.cpl
.

(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2010-09-28 20:44 1400712 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-09-28 1400712]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-09-28 1400712]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\snxPluginsShell]
@="{F4B3B0AA-13D1-4a36-BDA2-2055B0F3D5DE}"
[HKEY_CLASSES_ROOT\CLSID\{F4B3B0AA-13D1-4a36-BDA2-2055B0F3D5DE}]
2010-09-07 16:14 152160 ----a-w- c:\program files\Alwil Software\Avast5\snxPlugins.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="c:\program files\steam\steam.exe" [2010-08-23 1242448]
"Registry Cleaner Scheduler"="c:\program files\CleanMyPC\Registry Cleaner\RCHelper.exe" [2009-11-28 1401096]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2003-05-29 790528]
"IMONTRAY"="c:\program files\Intel\Intel(R) Active Monitor\imontray.exe" [2003-01-10 32768]
"FastTVSync"="c:\program files\Common Files\InterVideo\FastTVSync\FastTVSync.exe" [2003-06-04 241664]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"WinFoxV2"="c:\windows\system32\WF2K.EXE" [2009-03-30 1490944]
"WinFast2KLoadDefault"="c:\windows\system32\wf2kcpl.dll" [2009-03-30 668672]
"SiSUSBRG"="c:\windows\SiSUSBrg.exe" [2002-07-12 106496]
"RivaTunerStartupDaemon"="c:\program files\RivaTuner v2.23\RivaTuner.exe" [2009-02-15 2777088]
"DAEMON Tools-1033"="c:\program files\D-Tools\daemon.exe" [2004-08-22 81920]
"vmware-tray"="c:\program files\VMware\VMware Workstation\vmware-tray.exe" [2008-10-28 96816]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-07-09 110696]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-07-09 13923432]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"SynchronousMachineGroupPolicy"= 0 (0x0)
"SynchronousUserGroupPolicy"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoStrCmpLogical"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMBalloonTip"= 1 (0x1)
"MemCheckBoxInRunDlg"= 0 (0x0)
"NoResolveTrack"= 0 (0x0)
"NoWelcomeScreen"= 1 (0x1)
"NoRecentDocsNetHood"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Opera\\opera.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\REALTEK\\RTL8187 Wireless LAN Utility\\RtWLan.exe"=
"c:\\Program Files\\VMware\\VMware Workstation\\vmware-authd.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Steam\\steamapps\\onndra\\counter-strike\\hl.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"7113:TCP"= 7113:TCP:rfnxjln
"1542:TCP"= 1542:TCP:Realtek WPS TCP Prot
"1542:UDP"= 1542:UDP:Realtek WPS UDP Prot
"53:UDP"= 53:UDP:Realtek AP UDP Prot

R0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2009-11-09 691696]
R1 aswSnx;aswSnx; [x]
R1 aswSP;aswSP; [x]
R2 ABBYY.Licensing.PDFTransformer.Classic.3.0;Aktivace aplikace ABBYY PDF Transformer 3.0 – Licenční služba;c:\program files\ABBYY PDF Transformer 3.0\NetworkLicenseServer.exe [2009-05-14 759048]
R2 aswFsBlk;aswFsBlk; [x]
R2 avast! Firewall;avast! Firewall;c:\program files\Alwil Software\Avast5\afwServ.exe [x]
R2 cdenable;cdenable;c:\windows\system32\Drivers\cdenable.sys [1999-06-10 6112]
R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [2009-03-19 731840]
R2 gupdate1c9f8e0db4527b8;Služba Google Update (gupdate1c9f8e0db4527b8);c:\program files\Google\Update\GoogleUpdate.exe [2009-06-29 133104]
R2 ICQ Service;ICQ Service;c:\program files\ICQ6Toolbar\ICQ Service.exe [2010-09-06 247096]
R2 vmci;VMware vmci;c:\windows\system32\Drivers\vmci.sys [2008-10-28 54960]
R3 GarenaPEngine;GarenaPEngine;c:\docume~1\ZBYNKJ~1\LOCALS~1\Temp\ECV7.tmp [x]
R3 npf;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2010-01-27 50704]
R3 RTLWUSB;Realtek RTL8187 Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\DRIVERS\RTL8187.sys [2008-06-27 332928]
R3 WFsys;WinFox Control I/O Driver;c:\windows\system32\DRIVERS\wfsys.sys [2002-04-22 13692]
S0 aswNdis2;avast! Firewall Core Firewall Service; [x]
S0 d347bus;d347bus;c:\windows\system32\DRIVERS\d347bus.sys [2004-08-22 155136]
S0 d347prt;d347prt;c:\windows\System32\Drivers\d347prt.sys [2004-08-22 5248]
S1 aswFW;avast! TDI Firewall driver; [x]


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
tifpz
.
Obsah adresáře 'Naplánované úlohy'

2009-09-09 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 10:34]

2010-11-13 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-29 17:41]

2010-11-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-29 17:41]

2010-11-14 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
- c:\program files\Ask.com\UpdateTask.exe [2010-09-28 20:44]
.
.
------- Doplňkový sken -------
.
uStart Page = hxxp://start.icq.com/
uDefault_Search_URL = hxxp://search.qip.ru
uInternet Settings,ProxyServer = http=127.0.0.1:50370
uSearchAssistant = hxxp://search.qip.ru/ie
uSearchURL,(Default) = Root: HKCU; Subkey: Software\Microsoft\Internet Explorer\SearchUrl; ValueType: string; ValueName: '; ValueData: '; Flags: createvalueifdoesntexist noerror; Tasks: AddSearchQip
IE: E&xportovat do aplikace Microsoft Excel - c:\progra~1\Microsoft Office\Office12\EXCEL.EXE/3000
IE: E&xportovat do aplikace Microsoft Office Excel - c:\progra~1\Microsoft Office\OFFICE11\EXCEL.EXE/3000
LSP: c:\program files\VMware\VMware Workstation\vsocklib.dll
TCP: {1B397110-D1A9-40F4-9A33-88F97738CF03} = 195.146.100.105,195.146.100.100
FF - ProfilePath - c:\documents and settings\Zbyněk Juroš\Data aplikací\Mozilla\Firefox\Profiles\vs6ulzrw.default\
FF - prefs.js: browser.search.selectedEngine - ICQ Search
FF - prefs.js: browser.startup.homepage - hxxp://start.icq.com/
FF - prefs.js: keyword.URL - hxxp://search.qip.ru/search?from=FF&query=
FF - plugin: c:\docume~1\ZBYNKJ~1\DATAAP~1\PowerChallenge\nppowerloader.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll

---- NASTAVENÍ FIREFOXU ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified
c:\program files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".cz");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - NEPLATNÉ POLOŽKY ODSTRANĚNÉ Z REGISTRU - - - -

HKCU-Run-nvdisplay - c:\documents and settings\Zbyněk Juroš\Data aplikací\csrss.exe
HKLM-Run-egui - c:\program files\ESET\ESET NOD32 Antivirus\egui.exe
ActiveSetup-{4FD0ADA0-A658-AACB-BFBA-3DEA7BBDBA2D} - c:\documents and settings\Zbyněk Juroš\Data aplikací\csrss.exe
AddRemove-eBay Icon - c:\documents and settings\Zbyněk Juroš\Data aplikací\Desktopicon\uninst.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-11-14 18:51
Windows 5.1.2600 Service Pack 3 NTFS

skenování skrytých procesů ...

skenování skrytých položek 'Po spuštění' ...

skenování skrytých souborů ...

sken byl úspešně dokončen
skryté soubory: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet006\Services\GarenaPEngine]
"ImagePath"="\??\c:\docume~1\ZBYNKJ~1\LOCALS~1\Temp\ECV7.tmp"
.
--------------------- Knihovny navázané na běžící procesy ---------------------

- - - - - - - > 'winlogon.exe'(1016)
c:\windows\SYSTEM32\RtlGina\RtlGina.DLL
.
Celkový čas: 2010-11-14 18:53:18
ComboFix-quarantined-files.txt 2010-11-14 17:53

Před spuštěním: 1 926 320 128
Po spuštění: 2 189 725 696

Current=6 Default=6 Failed=5 LastKnownGood=7 Sets=1,2,3,4,5,6,7
- - End Of File - - AC0EB1B5BE76FC42A9FFF240AC52D826

Re: Win32:Bamital-AM ; Win32:Rootkit-gen [rtk] + Rsit log PO

Posted: 14 Nov 2010 18:54
by vyosek
:arrow: This needs to be finished, because the pest is still there and is happily talking to the outside world, so it may be carrying things out of the notebook etc... I'll be here today until at least midnight, I reckon :wink:

:arrow: I recommend uninstalling c:\program files\CleanMyPC - there are better cleaners - we'll put one on after the cleaning is finished :wink:

:arrow: I see Avast and ESET there - remove one of them, otherwise they will collide - the uninstallers are here http://www.viry.cz/forum/viewtopic.php?f=29&t=42886

:arrow: If you haven't already, move ComboFix to the desktop
  • Open Notepad (Start - Run - notepad)
  • Copy the script below
  • Code:

    Folder::
    c:\program files\ICQ6Toolbar
    
    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{D4027C7F-154A-4066-A1AD-4243D8127440}"=-
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{D4027C7F-154A-4066-A1AD-4243D8127440}"=-
    [-HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
    [-HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
    [-HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
    [-HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Steam"=-
    "Registry Cleaner Scheduler"=-
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NeroFilterCheck"=-
    "RivaTunerStartupDaemon"=-
    "DAEMON Tools-1033"=-
    "SunJavaUpdateSched"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "FirewallOverride"=dword:00000000
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"=1
    "DisableNotifications"=0
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "7113:TCP"=-
    
    Driver::
    ICQ Service
    
    NetSvc::
    tifpz
    
    File::
    c:\windows\Tasks\AppleSoftwareUpdate.job
    c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
    
    DDS::
    uStart Page = hxxp://start.icq.com/
    uDefault_Search_URL = hxxp://search.qip.ru
    uSearchAssistant = hxxp://search.qip.ru/ie
    uSearchURL,(Default) = Root: HKCU; Subkey: Software\Microsoft\Internet Explorer\SearchUrl; ValueType: string; ValueName: '; ValueData: '; Flags: createvalueifdoesntexist noerror; Tasks: AddSearchQip
    
    Firefox::
    FF - ProfilePath - c:\documents and settings\Zbyněk Juroš\Data aplikací\Mozilla\Firefox\Profiles\vs6ulzrw.default\
    FF - prefs.js: browser.search.selectedEngine - ICQ Search
    FF - prefs.js: browser.startup.homepage - hxxp://start.icq.com/
    FF - prefs.js: keyword.URL - hxxp://search.qip.ru/search?from=FF&query=
  • Save the created TXT as CFScript.txt
  • Drag the created CFScript.txt onto ComboFix and run it (see the picture below)
    [image]
  • After the script is applied (and a possible restart), a log will pop up; paste its contents here
:arrow: It may happen that Windows does not boot after the script is applied; in that case restart the PC, keep pressing F8 and choose Last Known Good Configuration

Re: Win32:Bamital-AM ; Win32:Rootkit-gen [rtk] + Rsit log PO

Posted: 15 Nov 2010 00:22
by Yurda
Sorry for coming only now, my sister was studying for an important test... anyway, afterwards I also ran Avast and it found 2 Bamitals of some kind, Avast deleted them, and then I ran the scan 2 more times and it found nothing, so I hope I'm rid of it :) ! And one piece of good news: I found a proxy 127.0.0.1 50370 set in Opera, so I deleted it and the internet works a bit now, but not 100%, pages still act up, depending on which one loads; for example I couldn't get here to the forum... When I search via Google, for example, and then click on a link, it simply doesn't load, as if nothing happened, so I always work around it by right-clicking the "Archiv" (cached copy) next to the link, and that way I can get something running, but the whole thing needs to be fixed properly, which I hope we'll manage :)! And about that Avast and ESET I have there: with ESET there is a slight problem, I don't really have it there anymore; I uninstalled it some time ago, but it never went completely, the uninstall always sort of rolled back, so I simply deleted the directory, I wanted to get rid of it :) it wasn't exactly the best solution, but there was no other way, because some ESET uninstaller I found on the internet wouldn't run for me... And since I was without an antivirus and had problems because of that, a friend lent me his licence, but Avast didn't really solve much either... But as you said, I removed at least one of the antiviruses, I chose Avast, because ESET simply won't go... And here is my log from the script

Folder::
c:\program files\ICQ6Toolbar

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"=-
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"=-
[-HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[-HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[-HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[-HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"=-
"Registry Cleaner Scheduler"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"=-
"RivaTunerStartupDaemon"=-
"DAEMON Tools-1033"=-
"SunJavaUpdateSched"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000000
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"=1
"DisableNotifications"=0
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"7113:TCP"=-

Driver::
ICQ Service

NetSvc::
tifpz

File::
c:\windows\Tasks\AppleSoftwareUpdate.job
c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
c:\windows\Tasks\Scheduled Update for Ask Toolbar.job

DDS::
uStart Page = hxxp://start.icq.com/
uDefault_Search_URL = hxxp://search.qip.ru
uSearchAssistant = hxxp://search.qip.ru/ie
uSearchURL,(Default) = Root: HKCU; Subkey: Software\Microsoft\Internet Explorer\SearchUrl; ValueType: string; ValueName: '; ValueData: '; Flags: createvalueifdoesntexist noerror; Tasks: AddSearchQip

Firefox::
FF - ProfilePath - c:\documents and settings\Zbyněk Juroš\Data aplikací\Mozilla\Firefox\Profiles\vs6ulzrw.default\
FF - prefs.js: browser.search.selectedEngine - ICQ Search
FF - prefs.js: browser.startup.homepage - hxxp://start.icq.com/
FF - prefs.js: keyword.URL - hxxp://search.qip.ru/search?from=FF&query=

Re: Win32:Bamital-AM ; Win32:Rootkit-gen [rtk] + Rsit log PO

Posted: 15 Nov 2010 00:24
by Yurda
Anyway, thank you very much for helping me! I absolutely can't imagine what I would do without you!

Re: Win32:Bamital-AM ; Win32:Rootkit-gen [rtk] + Rsit log PO

Posted: 15 Nov 2010 00:56
by vyosek
:arrow: Uninstall that ESET using Rafazon http://www.james008.net/download/index.php?dlid=62 or, if that doesn't work, an alternative guide is here http://www.viry.cz/forum/viewtopic.php?p=889437#p889437

:arrow: What you gave me is not a log but a script...

Re: Win32:Bamital-AM ; Win32:Rootkit-gen [rtk] + Rsit log PO

Posted: 15 Nov 2010 01:36
by Yurda
Will the log be in Qoobox again? Because I looked for it there again in vain

Re: Win32:Bamital-AM ; Win32:Rootkit-gen [rtk] + Rsit log PO

Posted: 15 Nov 2010 05:05
by vyosek
No, it should be C:\Combofix2.txt... alternatively, repeat the procedure with the script again in Safe Mode...

Re: Win32:Bamital-AM ; Win32:Rootkit-gen [rtk] + Rsit log PO

Posted: 15 Nov 2010 07:37
by vyosek
Alternatively, have a look whether it is in Qoobox; just for illustration, it should start something like this - the important line is the one with the switches

ComboFix 10-11-13.01 - Jana 14.11.2010 18:08:02.3.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1250.420.1029.18.1023.450 [GMT 1:00]
Spuštěný z: d:\documents and settings\Jana\Plocha\ComboFix.exe
Použité ovládací přepínače :: d:\documents and settings\Jana\Plocha\CFScript.txt
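As an added example (not code from this thread, from ComboFix's authors, or from vyosek): a small Python triage that reads a ComboFix log in the format pasted above, flags the settings the helper's CFScript targets (Security Center override, firewall off, the oddly named open port, the extra NetSvcs entry, the localhost proxy, executables under the profile's application-data folders) and reports whether the log's switch line shows that a CFScript was actually applied. The log excerpt inside it is constructed for the example, and the random-name heuristic for port descriptions is my own assumption, not a ComboFix rule.

```python
import re
from dataclasses import dataclass

# Constructed excerpt (not a real log) in the ComboFix log format pasted in this thread.
SAMPLE_LOG = r"""
ComboFix 10-11-13.01 - User 14.11.2010 18:46:18.2.2 - x86 NETWORK
Spuštěný z: c:\documents and settings\User\Plocha\Beruska.com.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"7113:TCP"= 7113:TCP:rfnxjln
"1542:TCP"= 1542:TCP:Realtek WPS TCP Prot
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
tifpz
.
uInternet Settings,ProxyServer = http=127.0.0.1:50370
HKCU-Run-nvdisplay - c:\documents and settings\User\Data aplikací\csrss.exe
"""

SWITCH_LINE = "Použité ovládací přepínače ::"  # ComboFix prints this only when a CFScript was applied
NETSVCS_HEADER = "Svchost - NetSvcs"
SYSTEM_NAMES = {"csrss.exe", "svchost.exe", "winlogon.exe", "explorer.exe", "lsass.exe"}

SECTION_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<value>.*)$')
PORT_RE = re.compile(r"^\d+:(?:TCP|UDP):(?P<desc>.*)$")
PROXY_RE = re.compile(r"^uInternet Settings,ProxyServer\s*=\s*(?P<value>.*)$")
PROFILE_EXE_RE = re.compile(r'\\(?:data aplikací|application data|local settings)\\[^"\[\]]*?([^\\]+\.exe)', re.I)


@dataclass
class Finding:
    line: str    # the log line that triggered the finding
    reason: str  # why a defender should look at it


def _num(value):
    """Read both value styles ComboFix prints, '1 (0x1)' and 'dword:00000001', as an int."""
    m = re.match(r"^(?:dword:)?(?P<hex>[0-9a-fA-F]+)", value.strip())
    return int(m.group("hex"), 16) if m else None


def triage(log_text):
    """Return {'script_applied': bool, 'findings': [Finding, ...]} for one ComboFix log."""
    findings, section, in_netsvcs, script_applied = [], "", False, False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(SWITCH_LINE):
            script_applied = True
            continue
        if line.endswith(NETSVCS_HEADER):
            in_netsvcs = True
            continue
        if in_netsvcs:  # entries follow the header until the '.' separator
            if line == ".":
                in_netsvcs = False
            else:
                findings.append(Finding(line, "non-default NetSvcs group name (ComboFix hides the legitimate defaults)"))
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("key").lower()
            continue
        m = PROXY_RE.match(line)
        if m and "127.0.0.1" in m.group("value"):
            findings.append(Finding(line, "browser proxy on localhost: traffic is relayed through a local process"))
            continue
        m = PROFILE_EXE_RE.search(line)
        if m:
            name = m.group(1).lower()
            why = "executable under the user profile's application-data folders"
            if name in SYSTEM_NAMES:
                why += f"; '{name}' masquerades as a Windows system binary"
            findings.append(Finding(line, why))
            continue
        m = VALUE_RE.match(line)
        if not m:
            continue
        name, value = m.group("name"), m.group("value")
        if "security center" in section and name == "FirewallOverride" and _num(value) == 1:
            findings.append(Finding(line, "Security Center told to ignore the firewall state"))
        elif section.endswith("firewallpolicy\\standardprofile") and name == "EnableFirewall" and _num(value) == 0:
            findings.append(Finding(line, "Windows Firewall disabled"))
        elif "globallyopenports" in section:
            p = PORT_RE.match(value)
            # Assumed heuristic: vendor entries carry a readable description, random lowercase names do not
            if p and re.fullmatch(r"[a-z]{5,}", p.group("desc")):
                findings.append(Finding(line, "globally open port with a random-looking name"))
    return {"script_applied": script_applied, "findings": findings}
```

Running triage(SAMPLE_LOG) yields six findings and script_applied False; on a log whose header carries the switches line it reports True, which is the check vyosek asks for before trusting a post-script log.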

Re: Win32:Bamital-AM ; Win32:Rootkit-gen [rtk] + Rsit log PO

Posted: 15 Nov 2010 14:20
by Yurda
I'm here and I'm going to get to it! We have to get it done within 2 hours because then my sister goes off to the dorm :X

Re: Win32:Bamital-AM ; Win32:Rootkit-gen [rtk] + Rsit log PO

Posted: 15 Nov 2010 14:50
by Yurda
So I did the step at the very top again: I booted into Safe Mode (with Networking), ran rkill on top of that and then ran ComboFix again! And it looks good, because the internet mostly works on the computer now :) ! Here is the log:




ComboFix 10-11-14.01 - Zbyněk Juroš 15.11.2010 14:42:47.4.2 - x86 NETWORK
Spuštěný z: c:\documents and settings\Zbyněk Juroš\Plocha\Beruska.com.exe
.

((((((((((((((((((((((((((((((((((((((( Ostatní výmazy )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Předchozí spuštění -------
.
c:\program files\ICQ6Toolbar
c:\program files\ICQ6Toolbar\config.xml
c:\program files\ICQ6Toolbar\Icons.bmp
c:\program files\ICQ6Toolbar\ICQ Service.exe
c:\program files\ICQ6Toolbar\icq6Toolbar.ico
c:\program files\ICQ6Toolbar\ICQToolBar.dll
c:\program files\ICQ6Toolbar\ICQUnToolbar.exe
c:\program files\ICQ6Toolbar\logo_small.gif
c:\program files\ICQ6Toolbar\ServiceStarter.exe
c:\program files\ICQ6Toolbar\short.wav
c:\program files\ICQ6Toolbar\Version.txt
c:\program files\ICQ6Toolbar\voucher.bmp
c:\program files\ICQ6Toolbar\voucher2.bmp
c:\windows\Tasks\AppleSoftwareUpdate.job
c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
c:\windows\Tasks\Scheduled Update for Ask Toolbar.job

.
((((((((((((((((((((((((((((((((((((((( Ovladače/Služby )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ICQ_SERVICE
-------\Service_ICQ Service


((((((((((((((((((((((((( Soubory vytvořené od 2010-10-15 do 2010-11-15 )))))))))))))))))))))))))))))))
.

2010-11-14 15:25 . 2010-11-14 15:25 -------- d-----w- C:\rsit
2010-11-14 15:25 . 2010-11-14 15:25 -------- d-----w- c:\program files\trend micro
2010-11-14 11:38 . 2010-11-14 16:47 -------- d-----w- c:\documents and settings\Administrator.HOME-E6AC245C59
2010-11-13 16:29 . 2010-11-13 19:41 -------- d-----w- C:\50cfb7d96da3dae3d7
2010-11-13 15:38 . 2010-11-13 15:38 133120 ----a-w- c:\documents and settings\Zbyněk Juroš\Data aplikací\Microsoft\Windows\shell.exe
2010-11-13 15:37 . 2010-11-13 15:37 201 ----a-w- c:\documents and settings\Zbyněk Juroš\Data aplikací\sdghzxfg.bat
2010-11-04 21:27 . 2010-11-04 21:27 -------- d-----w- c:\documents and settings\Zbyněk Juroš\Local Settings\Data aplikací\AOL
2010-11-04 21:24 . 2010-11-04 21:27 -------- d-----w- c:\documents and settings\All Users\Data aplikací\ICQ
2010-11-04 21:23 . 2010-11-07 00:01 -------- d-----w- c:\documents and settings\Zbyněk Juroš\Data aplikací\ICQ
2010-11-04 21:23 . 2010-11-04 21:27 -------- d-----w- c:\program files\ICQ6.5
2010-11-04 21:19 . 2010-11-04 21:19 -------- d-----w- c:\program files\ICQToolbar
2010-11-03 22:38 . 2010-11-03 22:38 -------- d-----w- c:\documents and settings\All Users\Data aplikací\Kaspersky Lab Setup Files
2010-11-03 13:32 . 2010-09-07 15:54 99792 ----a-w- c:\windows\system32\drivers\aswFW.sys
2010-11-03 13:32 . 2010-09-07 15:53 190416 ----a-w- c:\windows\system32\drivers\aswNdis2.sys
2010-11-03 13:31 . 2010-11-13 22:14 -------- d-----w- c:\documents and settings\All Users\Data aplikací\Alwil Software
2010-11-03 13:31 . 2010-11-03 13:31 -------- d-----w- c:\program files\Alwil Software
2010-11-03 01:05 . 2010-11-05 17:51 -------- d-----w- c:\documents and settings\Zbyněk Juroš\Local Settings\Data aplikací\AskToolbar
2010-11-03 01:04 . 2010-11-03 01:04 -------- d-----w- c:\program files\CCleaner
2010-10-25 22:21 . 2010-10-25 22:23 -------- d-----w- c:\program files\Common Files\Macromedia
2010-10-25 22:21 . 2010-10-25 22:22 -------- d-----w- c:\program files\Macromedia
2010-10-25 22:21 . 2010-10-25 22:21 180224 ------w- c:\program files\Common Files\InstallShield\Driver\10\Intel 32\iGdiCnv.dll
2010-10-25 22:21 . 2010-10-25 22:21 409600 ------w- c:\program files\Common Files\InstallShield\Driver\10\Intel 32\ISRT.dll
2010-10-25 22:21 . 2010-10-25 22:21 32768 ------w- c:\program files\Common Files\InstallShield\Driver\10\Intel 32\objpscnv.dll
2010-10-25 22:21 . 2010-10-25 22:21 266240 ------w- c:\program files\Common Files\InstallShield\Driver\10\Intel 32\IScrCnv.dll
2010-10-25 22:21 . 2010-10-25 22:21 172032 ------w- c:\program files\Common Files\InstallShield\Driver\10\Intel 32\IUserCnv.dll
2010-10-25 22:21 . 2010-10-25 22:21 761856 ------w- c:\program files\Common Files\InstallShield\Driver\10\Intel 32\IDriver.exe
2010-10-25 22:21 . 2010-10-25 22:21 540772 ------w- c:\program files\Common Files\InstallShield\Driver\10\Intel 32\_ISRES1033.dll
2010-10-25 22:19 . 2002-09-03 11:02 72192 ----a-w- c:\windows\unlite3.exe
2010-10-25 22:19 . 2010-10-25 22:19 -------- d-----w- c:\program files\Bradbury

.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-15 03:50 . 2010-05-19 20:47 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-09-15 01:29 . 2009-03-30 19:21 73728 ----a-w- c:\windows\system32\javacpl.cpl
.

(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2003-05-29 790528]
"IMONTRAY"="c:\program files\Intel\Intel(R) Active Monitor\imontray.exe" [2003-01-10 32768]
"FastTVSync"="c:\program files\Common Files\InterVideo\FastTVSync\FastTVSync.exe" [2003-06-04 241664]
"WinFoxV2"="c:\windows\system32\WF2K.EXE" [2009-03-30 1490944]
"WinFast2KLoadDefault"="c:\windows\system32\wf2kcpl.dll" [2009-03-30 668672]
"SiSUSBRG"="c:\windows\SiSUSBrg.exe" [2002-07-12 106496]
"vmware-tray"="c:\program files\VMware\VMware Workstation\vmware-tray.exe" [2008-10-28 96816]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-07-09 110696]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-07-09 13923432]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"SynchronousMachineGroupPolicy"= 0 (0x0)
"SynchronousUserGroupPolicy"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoStrCmpLogical"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMBalloonTip"= 1 (0x1)
"MemCheckBoxInRunDlg"= 0 (0x0)
"NoResolveTrack"= 0 (0x0)
"NoWelcomeScreen"= 1 (0x1)
"NoRecentDocsNetHood"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Opera\\opera.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\REALTEK\\RTL8187 Wireless LAN Utility\\RtWLan.exe"=
"c:\\Program Files\\VMware\\VMware Workstation\\vmware-authd.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Steam\\steamapps\\onndra\\counter-strike\\hl.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1542:TCP"= 1542:TCP:Realtek WPS TCP Prot
"1542:UDP"= 1542:UDP:Realtek WPS UDP Prot
"53:UDP"= 53:UDP:Realtek AP UDP Prot

R0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2009-11-09 691696]
R2 ABBYY.Licensing.PDFTransformer.Classic.3.0;Aktivace aplikace ABBYY PDF Transformer 3.0 – Licenční služba;c:\program files\ABBYY PDF Transformer 3.0\NetworkLicenseServer.exe [2009-05-14 759048]
R2 avast! Firewall;avast! Firewall;c:\program files\Alwil Software\Avast5\afwServ.exe [x]
R2 cdenable;cdenable;c:\windows\system32\Drivers\cdenable.sys [1999-06-10 6112]
R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [2009-03-19 731840]
R2 gupdate1c9f8e0db4527b8;Služba Google Update (gupdate1c9f8e0db4527b8);c:\program files\Google\Update\GoogleUpdate.exe [2009-06-29 133104]
R2 vmci;VMware vmci;c:\windows\system32\Drivers\vmci.sys [2008-10-28 54960]
R3 GarenaPEngine;GarenaPEngine;c:\docume~1\ZBYNKJ~1\LOCALS~1\Temp\ECV7.tmp [x]
R3 npf;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2010-01-27 50704]
R3 RTLWUSB;Realtek RTL8187 Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\DRIVERS\RTL8187.sys [2008-06-27 332928]
R3 WFsys;WinFox Control I/O Driver;c:\windows\system32\DRIVERS\wfsys.sys [2002-04-22 13692]
S0 aswNdis2;avast! Firewall Core Firewall Service; [x]
S0 d347bus;d347bus;c:\windows\system32\DRIVERS\d347bus.sys [2004-08-22 155136]
S0 d347prt;d347prt;c:\windows\System32\Drivers\d347prt.sys [2004-08-22 5248]
S1 aswFW;avast! TDI Firewall driver; [x]


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
tifpz
.
.
------- Doplňkový sken -------
.
uInternet Settings,ProxyServer = http=127.0.0.1:50370
uSearchAssistant = hxxp://search.qip.ru/ie
uSearchURL,(Default) = Root: HKCU; Subkey: Software\Microsoft\Internet Explorer\SearchUrl; ValueType: string; ValueName: '; ValueData: '; Flags: createvalueifdoesntexist noerror; Tasks: AddSearchQip
IE: E&xportovat do aplikace Microsoft Excel - c:\progra~1\Microsoft Office\Office12\EXCEL.EXE/3000
IE: E&xportovat do aplikace Microsoft Office Excel - c:\progra~1\Microsoft Office\OFFICE11\EXCEL.EXE/3000
LSP: c:\program files\VMware\VMware Workstation\vsocklib.dll
TCP: {1B397110-D1A9-40F4-9A33-88F97738CF03} = 195.146.100.105,195.146.100.100
FF - ProfilePath - c:\documents and settings\Zbyněk Juroš\Data aplikací\Mozilla\Firefox\Profiles\vs6ulzrw.default\

---- NASTAVENÍ FIREFOXU ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified
c:\program files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".cz");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - NEPLATNÉ POLOŽKY ODSTRANĚNÉ Z REGISTRU - - - -

AddRemove-ICQToolbar - c:\program files\ICQ6Toolbar\ICQUnToolbar.exe



**************************************************************************
skenování skrytých procesů ...

skenování skrytých položek 'Po spuštění' ...

skenování skrytých souborů ...

sken byl úspešně dokončen
skryté soubory:

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet006\Services\GarenaPEngine]
"ImagePath"="\??\c:\docume~1\ZBYNKJ~1\LOCALS~1\Temp\ECV7.tmp"
.
--------------------- Knihovny navázané na běžící procesy ---------------------

- - - - - - - > 'winlogon.exe'(984)
c:\windows\SYSTEM32\RtlGina\RtlGina.DLL
.
Celkový čas: 2010-11-15 14:49:38
ComboFix-quarantined-files.txt 2010-11-15 13:49
ComboFix2.txt 2010-11-14 17:53

Před spuštěním: 2 039 672 832
Po spuštění: 2 022 682 624

Current=6 Default=6 Failed=5 LastKnownGood=7 Sets=1,2,3,4,5,6,7
- - End Of File - - B2AFE31C9F65DCA4947A2DE4CCA197A0

Re: Win32:Bamital-AM ; Win32:Rootkit-gen [rtk] + Rsit log PO

Posted: 15 Nov 2010 14:51
by Yurda
We don't have to make it within those 2 hours any more, we have loads of time ;) oh, and also I ran that rafazon and looked through the processes, and there's no ESET process there any more :)

Re: Win32:Bamital-AM ; Win32:Rootkit-gen [rtk] + Rsit log PO

Posted: 15 Nov 2010 17:23
by Yurda
Roughly what time will you be here, so that we're here at the same time? :) and the cleanup goes faster ;)

Re: Win32:Bamital-AM ; Win32:Rootkit-gen [rtk] + Rsit log PO

Posted: 15 Nov 2010 17:26
by vyosek
Just a moment, I'm already writing the next script...

Re: Win32:Bamital-AM ; Win32:Rootkit-gen [rtk] + Rsit log PO

Posted: 15 Nov 2010 17:30
by vyosek
:arrow: So log in to Safe Mode again

:arrow: If you haven't already, move ComboFix to the desktop
  • Open Notepad (Start - Run - notepad)
  • Copy the script below
  • Code:

    Collect::
    c:\documents and settings\Zbyněk Juroš\Data aplikací\Microsoft\Windows\shell.exe
    c:\documents and settings\Zbyněk Juroš\Data aplikací\sdghzxfg.bat
    
    Folder::
    c:\program files\ESET
    
    Driver::
    ekrn
    
    NetSvc::
    tifpz
    
    DDS::
    uInternet Settings,ProxyServer = http=127.0.0.1:50370
    uSearchAssistant = hxxp://search.qip.ru/ie
    uSearchURL,(Default) = Root: HKCU; Subkey: Software\Microsoft\Internet Explorer\SearchUrl; ValueType: string; ValueName: '; ValueData: '; Flags: createvalueifdoesntexist noerror; Tasks: AddSearchQip
  • Save the created TXT file as CFScript.txt
  • Drag the created CFScript.txt onto ComboFix and release it (see the image below)
    Image
  • After the script has run (and after a possible restart) a log will pop up; paste its contents here
:arrow: It may happen that Windows does not boot after the script is applied; in that case restart the PC, press F8 and choose Last Known Good Configuration
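The rules the helper applied by hand, as an added Python example that is not from the thread or from ComboFix: it scans a constructed excerpt of the log above for the indicators the script targets (a NetSvcs name, a proxy pointing at localhost, hijacked search settings, a service loaded from the user's Temp folder) and renders the hits in CFScript section layout. The `triage()` and `render_cfscript()` names and the rules themselves are my own; every hit is a candidate for the analyst to verify, not an automatic deletion (the helper left GarenaPEngine alone and removed ekrn for reasons these rules cannot see).

```python
import re

# Constructed excerpt of the ComboFix log posted in this thread; the real
# log is much longer, these are just the lines the rules below look at.
SAMPLE_LOG = r"""
R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [2009-03-19 731840]
R3 GarenaPEngine;GarenaPEngine;c:\docume~1\ZBYNKJ~1\LOCALS~1\Temp\ECV7.tmp [x]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
tifpz
.
uInternet Settings,ProxyServer = http=127.0.0.1:50370
uSearchAssistant = hxxp://search.qip.ru/ie
"""

# ComboFix service line: "<R|S><n> <name>;<description>;<path> [<date size>|x]"
SERVICE_RE = re.compile(r"^[RS][0-4] ([^;]+);[^;]*;(.*?)(?: \[.*\])?$")
# A service whose image lives in a Temp folder or is a .tmp file
TEMP_RE = re.compile(r"\\temp\\|\.tmp$", re.IGNORECASE)


def triage(log_text):
    """Return {CFScript section: [entries]} for the indicators found."""
    found = {"Driver::": [], "NetSvc::": [], "DDS::": []}
    in_netsvcs = False
    for line in log_text.splitlines():
        line = line.strip()
        if in_netsvcs:
            if line == "." or not line:          # "." closes the NetSvcs block
                in_netsvcs = False
            else:
                found["NetSvc::"].append(line)   # each name: verify, then decide
            continue
        if line.endswith("Svchost - NetSvcs"):
            in_netsvcs = True
            continue
        m = SERVICE_RE.match(line)
        if m and TEMP_RE.search(m.group(2)):
            found["Driver::"].append(m.group(1))  # service name, as Driver:: expects
        if line.startswith("uInternet Settings,ProxyServer") and "127.0.0.1" in line:
            found["DDS::"].append(line)           # local proxy intercepting browsing
        if line.startswith(("uSearchAssistant", "uSearchURL")) and "hxxp" in line:
            found["DDS::"].append(line)           # hijacked IE search settings
    return found


def render_cfscript(found):
    """Emit the non-empty sections in the layout used in the helper's script."""
    blocks = [f"{name}\n" + "\n".join(items) for name, items in found.items() if items]
    return "\n\n".join(blocks) + "\n"


if __name__ == "__main__":
    print(render_cfscript(triage(SAMPLE_LOG)))
```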