So I tried it a few more times and in the end it worked:
ComboFix 10-03-13.01 - jaro1 13.03.2010 19:41:32.1.1 - x86
Systém Microsoft Windows XP Professional 5.1.2600.3.1250.421.1033.18.511.116 [GMT 1:00]
Running from: c:\documents and settings\jaro1\My Documents\Preberanie\ComboFix.exe
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\eSellerateEngine.dll
.
((((((((((((((((((((((((( Files Created from 2010-02-13 to 2010-03-13 )))))))))))))))))))))))))))))))
.
2010-03-13 17:54 . 2010-03-13 17:54 -------- d-----w- c:\windows\system32\KB905474
2010-03-13 17:54 . 2009-03-10 21:26 1403264 ----a-w- c:\windows\system32\KB905474\wganotifypackageinner.exe
2010-03-13 17:54 . 2009-03-10 21:18 453512 ----a-w- c:\windows\system32\KB905474\wgasetup.exe
2010-03-13 16:48 . 2009-10-15 16:28 81920 -c----w- c:\windows\system32\dllcache\fontsub.dll
2010-03-13 16:48 . 2009-10-15 16:28 119808 -c----w- c:\windows\system32\dllcache\t2embed.dll
2010-03-13 16:48 . 2009-03-06 14:22 284160 -c----w- c:\windows\system32\dllcache\pdh.dll
2010-03-13 16:48 . 2009-02-09 12:10 729088 -c----w- c:\windows\system32\dllcache\lsasrv.dll
2010-03-13 16:48 . 2009-02-09 12:10 473600 -c----w- c:\windows\system32\dllcache\fastprox.dll
2010-03-13 16:48 . 2009-02-09 12:10 453120 -c----w- c:\windows\system32\dllcache\wmiprvsd.dll
2010-03-13 16:48 . 2009-02-09 12:10 401408 -c----w- c:\windows\system32\dllcache\rpcss.dll
2010-03-13 16:48 . 2009-02-06 11:11 110592 -c----w- c:\windows\system32\dllcache\services.exe
2010-03-13 16:48 . 2009-02-06 10:10 227840 -c----w- c:\windows\system32\dllcache\wmiprvse.exe
2010-03-13 16:48 . 2009-02-09 12:10 714752 -c----w- c:\windows\system32\dllcache\ntdll.dll
2010-03-13 16:48 . 2009-02-09 12:10 617472 -c----w- c:\windows\system32\dllcache\advapi32.dll
2010-03-13 16:48 . 2009-06-21 21:44 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
2010-03-13 16:47 . 2009-07-10 13:27 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll
2010-03-13 15:45 . 2010-03-13 15:45 -------- d-----w- c:\documents and settings\jaro1\Application Data\Malwarebytes
2010-03-13 15:44 . 2010-01-07 15:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-13 15:44 . 2010-03-13 15:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-03-13 15:44 . 2010-03-13 15:45 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-13 15:44 . 2010-01-07 15:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-13 14:59 . 2010-03-13 14:59 -------- d-----w- C:\_OTM
2010-03-13 10:33 . 2010-03-13 10:35 -------- d-----w- C:\rsit
2010-03-09 17:09 . 2010-02-11 18:38 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-03-09 17:09 . 2010-02-11 18:42 162512 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-03-09 17:09 . 2010-02-11 18:39 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-03-09 17:09 . 2010-02-11 18:42 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-03-09 17:09 . 2010-02-11 18:38 100432 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-03-09 17:09 . 2010-02-11 18:38 94800 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-03-09 17:09 . 2010-02-11 18:38 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-03-09 17:05 . 2010-02-11 18:53 38848 ----a-w- c:\windows\system32\avastSS.scr
2010-03-09 17:05 . 2010-02-11 18:53 153184 ----a-w- c:\windows\system32\aswBoot.exe
2010-03-09 17:04 . 2010-03-09 17:04 -------- d-----w- c:\program files\Alwil Software
2010-03-09 17:04 . 2010-03-09 17:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-03-07 20:20 . 2008-04-13 19:40 34688 -c--a-w- c:\windows\system32\dllcache\lbrtfdc.sys
2010-03-07 20:20 . 2008-04-13 19:40 34688 ----a-w- c:\windows\system32\drivers\lbrtfdc.sys
2010-03-02 16:38 . 2010-03-13 16:43 -------- d-----w- c:\program files\trend micro
2010-02-26 20:19 . 2010-02-28 11:11 -------- d-----w- c:\program files\Common Files\PC Tools
2010-02-26 11:50 . 2008-04-13 19:41 8576 ----a-w- c:\windows\system32\drivers\i2omgmt.sys
2010-02-26 11:50 . 2008-04-13 19:40 8192 -c--a-w- c:\windows\system32\dllcache\changer.sys
2010-02-26 11:50 . 2008-04-13 19:40 8192 ----a-w- c:\windows\system32\drivers\Changer.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-13 18:35 . 2007-03-09 15:39 39368 ----a-w- c:\documents and settings\jaro1\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-13 18:22 . 2010-03-13 18:22 -------- d-----w- c:\program files\MSBuild
2010-03-13 18:22 . 2010-03-13 18:22 -------- d-----w- c:\program files\Reference Assemblies
2010-03-11 22:10 . 2007-03-09 15:58 -------- d-----w- c:\program files\Eset
2010-03-11 21:43 . 2007-03-09 21:54 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-03-11 21:43 . 2007-03-09 21:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-03-11 21:38 . 2007-03-09 20:37 -------- d-----r- c:\program files\Skype
2010-03-11 21:38 . 2007-03-09 20:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2010-03-11 18:47 . 2008-02-28 19:14 -------- d-----w- c:\documents and settings\jaro1\Application Data\skypePM
2010-03-07 20:56 . 2007-03-25 13:41 -------- d-----w- c:\program files\Google
2010-03-07 20:20 . 2010-03-07 20:20 16 ----a-w- c:\documents and settings\jaro1\Application Data\rbuwzv.dat
2010-03-07 20:15 . 2007-09-20 16:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Bluetooth
2010-03-07 20:14 . 2007-03-09 15:45 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-03-07 20:09 . 2007-03-10 11:38 -------- d-----w- c:\program files\Codemasters
2010-03-07 20:07 . 2007-12-24 19:24 -------- d-----w- c:\program files\Common Files\muvee Technologies
2010-03-07 20:05 . 2007-09-19 21:59 61440 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{A982E6CC-9F0D-4948-9B18-BDFD55DE4A72}\Installations\CommonCustomActions\UninstPCSFEMsi.exe
2010-03-07 20:05 . 2007-09-19 21:59 8192 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{A982E6CC-9F0D-4948-9B18-BDFD55DE4A72}\Installations\CommonCustomActions\UninstCCD.exe
2010-03-07 20:05 . 2007-09-19 21:59 10240 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{A982E6CC-9F0D-4948-9B18-BDFD55DE4A72}\Installations\CommonCustomActions\UninstPCS.exe
2010-03-07 20:03 . 2007-03-19 08:50 -------- d-----w- c:\program files\Kyodai Mahjongg 2006
2010-03-07 20:00 . 2007-12-26 17:34 -------- d-----w- c:\program files\Activision
2010-03-07 19:55 . 2007-12-26 17:08 -------- d-----w- c:\program files\EA GAMES
2010-03-07 16:25 . 2010-02-26 11:48 12 ----a-w- c:\documents and settings\NetworkService\Application Data\rbuwzv.dat
2010-03-02 17:15 . 2009-07-05 13:26 -------- d-----w- c:\program files\Sierra
2010-02-28 10:34 . 2008-06-16 18:08 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-01-24 11:52 . 2008-08-13 14:22 138576 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2010-01-24 11:52 . 2008-08-13 14:22 215104 ----a-w- c:\windows\system32\PnkBstrB.exe
2009-12-31 16:50 . 2002-08-29 12:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-22 05:21 . 2002-08-29 12:00 667136 ----a-w- c:\windows\system32\wininet.dll
2009-12-22 05:20 . 2007-03-09 15:34 81920 ------w- c:\windows\system32\ieencode.dll
2009-12-20 14:59 . 2008-08-13 14:22 75064 ----a-w- c:\windows\system32\PnkBstrA.exe
2009-12-20 12:34 . 2007-05-19 19:16 230432 ----a-w- C:\StiImg.dat
2009-12-14 07:08 . 2002-08-29 12:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\lib\NMBgMonitor.exe" [2005-09-08 94208]
"BySoft FreeRAM"="c:\program files\BySoft FreeRAM\FreeRAM.exe" [2004-12-17 318976]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2005-11-11 90112]
"NVRaidService"="c:\windows\system32\nvraidservice.exe" [2004-06-11 83968]
"DAEMON Tools-1033"="c:\program files\D-Tools\daemon.exe" [2002-06-19 73728]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-04-27 61440]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-02-11 2756488]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\11davidko11\\counter-strike\\hl.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [9.3.2010 18:09 162512]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [9.3.2010 18:09 19024]
S0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [17.12.2007 19:21 716272]
S0 Stealth;Stealth;c:\windows\system32\Drivers\stealth.svs --> c:\windows\system32\Drivers\stealth.svs [?]
S3 PAC207;Trust WB-1400T Webcam;c:\windows\system32\DRIVERS\pfc027.sys --> c:\windows\system32\DRIVERS\pfc027.sys [?]
S3 s0017bus;Sony Ericsson Device 0017 driver (WDM);c:\windows\system32\drivers\s0017bus.sys [9.7.2009 20:26 86824]
S3 s0017mdfl;Sony Ericsson Device 0017 USB WMC Modem Filter;c:\windows\system32\drivers\s0017mdfl.sys [9.7.2009 20:26 15016]
S3 s0017mdm;Sony Ericsson Device 0017 USB WMC Modem Driver;c:\windows\system32\drivers\s0017mdm.sys [9.7.2009 20:26 114600]
S3 s0017mgmt;Sony Ericsson Device 0017 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s0017mgmt.sys [9.7.2009 20:26 108328]
S3 s0017nd5;Sony Ericsson Device 0017 USB Ethernet Emulation SEMC0017 (NDIS);c:\windows\system32\drivers\s0017nd5.sys [9.7.2009 20:26 26024]
S3 s0017obex;Sony Ericsson Device 0017 USB WMC OBEX Interface;c:\windows\system32\drivers\s0017obex.sys [9.7.2009 20:26 104616]
S3 s0017unic;Sony Ericsson Device 0017 USB Ethernet Emulation SEMC0017 (WDM);c:\windows\system32\drivers\s0017unic.sys [9.7.2009 20:26 109736]
.
Contents of the 'Scheduled Tasks' folder
2010-03-13 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2010-03-13 21:18]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xportovať do programu Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\jaro1\Application Data\Mozilla\Firefox\Profiles\ssky59f4.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: keyword.URL -
FF - plugin: c:\program files\Mozilla Firefox\plugins\npExentCtl.dll
FF - plugin: c:\program files\TV JOJ Media Player\np_JOJ_netscape_player.dll
---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".sk");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -
HKCU-Run-OM2_Monitor - c:\program files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe
HKCU-Run-EA Core - c:\program files\Electronic Arts\EADM\Core.exe
HKCU-Run-Sony Ericsson PC Suite - c:\program files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2010-03-13 19:47
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\atapi]
"ImagePath"="System32\Drivers\atapi.svs"
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Stealth]
"ImagePath"="System32\Drivers\stealth.svs"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-861567501-1035525444-839522115-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:2e,17,3c,6a,c6,ca,d5,bb,6c,b3,c7,62,3b,a9,17,4b,de,6e,9d,0d,8d,1a,f5,
fa,8f,16,3b,52,a7,18,28,b8,89,63,79,27,4e,e2,b0,dc,f7,9c,25,95,85,8c,51,6a,\
"??"=hex:0b,5f,ec,d9,c5,95,56,b1,3a,83,ec,13,e9,36,d3,9e
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(552)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2010-03-13 19:48:54
ComboFix-quarantined-files.txt 2010-03-13 18:48
Pre-Run: 144 270 852 096 bytes free
Post-Run: 15 adresárov, 144 228 687 872 voľných bajtov
Current=2 Default=2 Failed=4 LastKnownGood=5 Sets=1,2,3,4,5
- - End Of File - - C113FDE0146D5784BAB0B5885CF93329