Restartovani Pc

[motji]

Kamarád at si založí nový topic.At se tu logy nepletou, combofix u win7 jde.



Pokud nemáte, přesuňte Combofix na plochu
-otevřete si Poznámkový blok
-Do něj zkopírujte text z tohoto okénka

Kód: Vybrat vše

Rootkit::
c:\windows\system32\oqhre.dll

Driver::
oagkdsyd

Netsvc::
oagkdsyd

-uložte Vámi vytvořený TXT soubor jako CFScript.txt na plochu
-po uložení uchopte vámi vytvořený skript levým myšítkem a -přesuňte ho nad ikonu Combofixu, kde ho upustíte:




-po aplikaci na Vás vypadne další log,vložte ho sem

Upozornění : může se stát, že po aplikaci skriptu a restartu Windows nenaběhnou, v tom případě znovu restartujte a přitom mačkejte F8, pak zvolte Poslední známou funkční konfiguraci

[Y0G1]

ComboFix 11-06-04.02 - Martin 05.06.2011 0:45.18.1 - x86
Systém Microsoft Windows XP Professional 5.1.2600.3.1250.421.1033.18.1023.736 [GMT 2:00]
Running from: c:\documents and settings\Martin\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Martin\Desktop\CFScript.txt
FW: PC Tools Firewall Plus *Disabled* {ABBD5028-5A95-4B6D-996E-98D64AE88D52}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_OAGKDSYD
-------\Service_oagkdsyd
.
.
((((((((((((((((((((((((( Files Created from 2011-05-04 to 2011-06-04 )))))))))))))))))))))))))))))))
.
.
2011-06-04 06:45 . 2011-06-04 06:45 -------- d-----w- c:\windows\system32\oqhre.dll
2011-06-04 06:28 . 2011-06-04 06:29 -------- d-----w- c:\documents and settings\Martin\Application Data\GetRightToGo
2011-06-03 15:07 . 2011-06-03 15:07 -------- d-----w- c:\documents and settings\Martin\.system32
2011-05-29 12:36 . 2011-05-29 12:36 -------- d-----w- c:\documents and settings\Martin\Application Data\PCToolsFirewallPlus
2011-05-29 12:35 . 2009-11-23 11:54 88040 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2011-05-29 12:35 . 2009-11-09 09:20 207792 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2011-05-29 12:35 . 2010-01-07 10:40 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2011-05-29 12:34 . 2011-06-04 22:51 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2011-05-29 12:34 . 2011-05-29 12:35 -------- d-----w- c:\program files\Common Files\PC Tools
2011-05-29 12:34 . 2010-01-12 07:34 70664 ----a-w- c:\windows\system32\drivers\pctNdis-PacketFilter.sys
2011-05-29 12:34 . 2010-01-07 09:35 58816 ----a-w- c:\windows\system32\drivers\pctNdis.sys
2011-05-29 12:34 . 2010-01-07 09:35 32680 ----a-w- c:\windows\system32\drivers\pctNdis-DNS.sys
2011-05-29 12:34 . 2010-01-13 06:59 115216 ----a-w- c:\windows\system32\drivers\pctplfw.sys
2011-05-29 12:34 . 2011-05-29 12:36 -------- d-----w- c:\program files\PC Tools Firewall Plus
2011-05-29 12:28 . 2011-05-29 12:29 -------- d-----w- C:\UsbFix
2011-05-27 12:59 . 2011-05-27 20:23 17480 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2011-05-27 12:59 . 2011-05-27 12:59 -------- d-----w- c:\program files\Hitman Pro 3.5
2011-05-27 12:58 . 2011-05-27 12:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2011-05-25 14:22 . 2011-05-25 14:22 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-05-23 12:50 . 2004-05-17 06:00 33280 ----a-r- c:\windows\system32\drivers\NVENETFD.sys
2011-05-23 12:50 . 2004-05-17 05:49 198656 ----a-r- c:\windows\system32\fdco1.dll
2011-05-23 12:50 . 2004-05-10 00:53 32256 ----a-r- c:\windows\system32\nvconrm.dll
2011-05-23 12:50 . 2004-05-10 00:52 172032 ----a-w- c:\windows\system32\nvunrm.exe
2011-05-23 12:50 . 2004-05-17 06:00 12928 ----a-r- c:\windows\system32\drivers\nvnetbus.sys
2011-05-23 12:50 . 2004-05-17 06:00 56960 ----a-r- c:\windows\system32\drivers\nvnrm.sys
2011-05-23 12:50 . 2004-05-17 06:00 191232 ----a-r- c:\windows\system32\drivers\nvsnpu.sys
2011-05-23 12:50 . 2004-05-17 05:48 8192 ----a-r- c:\windows\system32\bdco1.dll
2011-05-23 12:18 . 2011-05-23 12:18 -------- d-----w- c:\program files\AMD
2011-05-23 12:18 . 2005-03-09 12:53 36352 ----a-w- c:\windows\system32\drivers\AmdK8.sys
2011-05-23 12:08 . 2011-05-23 12:08 -------- d-----w- c:\windows\system32\wbem\Repository
2011-05-18 09:05 . 2011-05-04 11:54 302080 ----a-w- C:\gmer.exe
2011-05-18 07:58 . 2011-05-18 07:58 -------- d-----w- C:\_OTM
2011-05-15 15:28 . 2011-05-15 15:28 -------- d-----w- c:\documents and settings\Martin\Application Data\IObit
2011-05-15 15:28 . 2011-05-15 15:28 -------- d-----w- c:\program files\IObit
2011-05-15 15:27 . 2011-05-15 15:27 -------- d-----w- c:\documents and settings\All Users\Uniblue
2011-05-15 15:26 . 2011-05-15 15:26 -------- d-----w- c:\documents and settings\All Users\Application Data\IObit
2011-05-14 06:49 . 2011-05-15 13:45 -------- d-----w- c:\documents and settings\All Users\Application Data\NVIDIA
2011-05-14 06:48 . 2011-04-08 05:14 944232 ----a-w- c:\windows\system32\nvdispco3220140.dll
2011-05-14 06:48 . 2011-04-08 05:14 855656 ----a-w- c:\windows\system32\nvgenco322060.dll
2011-05-12 12:40 . 2011-05-12 17:17 -------- d-----w- c:\documents and settings\Martin\Application Data\RIFT
2011-05-06 07:31 . 2008-04-14 03:41 33792 -c----w- c:\windows\system32\dllcache\custsat.dll
2011-05-06 07:30 . 2008-04-13 22:10 10240 ------w- c:\windows\system32\drivers\sffp_mmc.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-05-29 12:29 . 2011-05-29 12:29 30888 ----a-w- C:\UsbFix_Upload_Me_HELL-T2X5CI1VMH.zip
2011-05-28 14:04 . 2010-11-16 14:55 443448 ----a-w- c:\windows\system32\drivers\sptd.sys
2011-04-26 16:49 . 2011-04-08 19:46 137464 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2011-04-26 16:49 . 2011-04-08 19:51 214520 ----a-w- c:\windows\system32\PnkBstrB.xtr
2011-04-26 16:49 . 2011-04-08 19:45 214520 ----a-w- c:\windows\system32\PnkBstrB.exe
2011-04-26 15:55 . 2011-04-08 19:45 75064 ----a-w- c:\windows\system32\PnkBstrA.exe
2011-04-21 18:59 . 2011-04-08 19:46 22328 ----a-w- c:\documents and settings\Martin\Application Data\PnkBstrK.sys
2011-04-18 12:42 . 2011-04-18 12:39 2829 ----a-w- c:\windows\War3Unin.pif
2011-04-18 12:42 . 2011-04-18 12:39 139264 ----a-w- c:\windows\War3Unin.exe
.
.
((((((((((((((((((((((((((((( SnapShot@2011-05-17_16.33.31 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-11 22:02 . 2009-07-11 22:02 51008 c:\windows\WinSxS\x86_Microsoft.VC90.OpenMP_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_f0ccd4aa\vcomp90.dll
- 2009-07-11 23:02 . 2009-07-11 23:02 51008 c:\windows\WinSxS\x86_Microsoft.VC90.OpenMP_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_f0ccd4aa\vcomp90.dll
+ 2009-07-11 22:02 . 2009-07-11 22:02 59728 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90rus.dll
- 2009-07-11 23:02 . 2009-07-11 23:02 59728 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90rus.dll
+ 2009-07-11 22:02 . 2009-07-11 22:02 42832 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90kor.dll
- 2009-07-11 23:02 . 2009-07-11 23:02 42832 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90kor.dll
+ 2009-07-11 22:02 . 2009-07-11 22:02 43344 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90jpn.dll
- 2009-07-11 23:02 . 2009-07-11 23:02 43344 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90jpn.dll
- 2009-07-11 23:02 . 2009-07-11 23:02 61264 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90ita.dll
+ 2009-07-11 22:02 . 2009-07-11 22:02 61264 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90ita.dll
+ 2009-07-11 22:02 . 2009-07-11 22:02 36688 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90cht.dll
- 2009-07-11 23:02 . 2009-07-11 23:02 36688 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90cht.dll
+ 2009-07-11 22:02 . 2009-07-11 22:02 35648 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90chs.dll
- 2009-07-11 23:02 . 2009-07-11 23:02 35648 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90chs.dll
+ 2009-07-11 22:02 . 2009-07-11 22:02 62800 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90fra.dll
- 2009-07-11 23:02 . 2009-07-11 23:02 62800 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90fra.dll
+ 2009-07-11 22:02 . 2009-07-11 22:02 61760 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90esp.dll
- 2009-07-11 23:02 . 2009-07-11 23:02 61760 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90esp.dll
+ 2009-07-11 22:02 . 2009-07-11 22:02 61776 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90esn.dll
- 2009-07-11 23:02 . 2009-07-11 23:02 61776 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90esn.dll
+ 2009-07-11 22:02 . 2009-07-11 22:02 53568 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90enu.dll
- 2009-07-11 23:02 . 2009-07-11 23:02 53568 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90enu.dll
+ 2009-07-11 22:02 . 2009-07-11 22:02 63296 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90deu.dll
- 2009-07-11 23:02 . 2009-07-11 23:02 63296 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90deu.dll
+ 2009-07-11 22:05 . 2009-07-11 22:05 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfcm90u.dll
- 2009-07-11 23:05 . 2009-07-11 23:05 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfcm90u.dll
+ 2009-07-11 22:05 . 2009-07-11 22:05 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfcm90.dll
- 2009-07-11 23:05 . 2009-07-11 23:05 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfcm90.dll
+ 2011-06-04 15:27 . 2011-06-04 15:27 5120 c:\windows\Installer\{789289CA-F73A-4A16-A331-54D498CE069F}\Icon789289CA.exe
- 2011-04-28 18:38 . 2011-04-28 18:38 5120 c:\windows\Installer\{789289CA-F73A-4A16-A331-54D498CE069F}\Icon789289CA.exe
+ 2009-07-11 22:02 . 2009-07-11 22:02 653120 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e\msvcr90.dll
+ 2009-07-11 22:02 . 2009-07-11 22:02 569664 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e\msvcp90.dll
+ 2009-07-11 22:05 . 2009-07-11 22:05 225280 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e\msvcm90.dll
- 2009-07-11 23:02 . 2009-07-11 23:02 159032 c:\windows\WinSxS\x86_Microsoft.VC90.ATL_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_353599c2\atl90.dll
+ 2009-07-11 22:02 . 2009-07-11 22:02 159032 c:\windows\WinSxS\x86_Microsoft.VC90.ATL_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_353599c2\atl90.dll
+ 2011-05-25 14:22 . 2011-05-25 14:22 239776 c:\windows\system32\Macromed\Flash\FlashUtil10q_Plugin.exe
+ 2009-07-11 22:02 . 2009-07-11 22:02 3780424 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfc90u.dll
- 2009-07-11 23:02 . 2009-07-11 23:02 3780424 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfc90u.dll
+ 2009-07-11 22:02 . 2009-07-11 22:02 3765048 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfc90.dll
- 2009-07-11 23:02 . 2009-07-11 23:02 3765048 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfc90.dll
+ 2011-03-03 14:50 . 2011-05-23 12:08 1234520 c:\windows\system32\Restore\rstrlog.dat
+ 2010-11-15 17:39 . 2011-05-25 14:22 6271136 c:\windows\system32\Macromed\Flash\NPSWF32.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2011-01-07 13880424]
"00PCTFW"="c:\program files\PC Tools Firewall Plus\FirewallGUI.exe" [2010-01-12 3168216]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
c:\windows\system32\dumprep 0 -u [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-11-15 19:02 932288 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2011-01-30 15:45 35736 ----a-w- c:\programy\Reader 10.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 03:42 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2011-01-07 17:56 13880424 ----a-w- c:\windows\system32\nvcpl.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2011-01-07 17:56 111208 ----a-w- c:\windows\system32\nvmctray.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2010-11-04 06:51 1753192 ----a-w- c:\program files\NVIDIA Corporation\nView\nwiz.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
2005-05-17 10:48 77824 ----a-r- c:\windows\SOUNDMAN.EXE
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Programy\\Skype\\Phone\\Skype.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6756:TCP"= 6756:TCP:rvgbebls
.
R1 pctgntdi;pctgntdi;c:\windows\system32\drivers\pctgntdi.sys [29.5.2011 14:35 233136]
R2 PCTAppEvent;PCTAppEvent Driver;c:\windows\system32\drivers\PCTAppEvent.sys [29.5.2011 14:35 88040]
R3 PCTFW-PacketFilter;PCTools Firewall - Packet filter driver;c:\windows\system32\drivers\pctNdis-PacketFilter.sys [29.5.2011 14:34 70664]
R3 pctNDIS;PC Tools Driver;c:\windows\system32\drivers\pctNdis.sys [29.5.2011 14:34 58816]
S2 fudxls;Support Helper;c:\windows\system32\svchost.exe -k netsvcs [23.8.2001 14:00 14336]
S3 cpuz134;cpuz134;\??\c:\docume~1\Martin\LOCALS~1\Temp\cpuz134\cpuz134_x32.sys --> c:\docume~1\Martin\LOCALS~1\Temp\cpuz134\cpuz134_x32.sys [?]
S3 GGSAFERDriver;GGSAFER Driver;\??\c:\programy\Garena\safedrv.sys --> c:\programy\Garena\safedrv.sys [?]
S3 pctplfw;pctplfw;c:\windows\system32\drivers\pctplfw.sys [29.5.2011 14:34 115216]
S4 sptd;sptd;\SystemRoot\\SystemRoot\System32\Drivers\sptd.sys --> \SystemRoot\\SystemRoot\System32\Drivers\sptd.sys [?]
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
fudxls
.
.
------- Supplementary Scan -------
.
uSearchAssistant =
TCP: DhcpNameServer = 195.12.128.1 195.72.0.3
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Martin\Application Data\Mozilla\Firefox\Profiles\ghya889f.default\
FF - prefs.js: browser.search.selectedEngine - QIP Search
FF - prefs.js: browser.startup.homepage - hxxp://www.azet.sk/
FF - prefs.js: keyword.URL - hxxp://search.qip.ru/search?from=FF&query=
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-06-05 00:51
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\fudxls]
"ServiceDll"="c:\program files\Movie Maker\oqhre.dll"
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\nvsvc32.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\PnkBstrB.exe
c:\windows\System32\wdfmgr.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2011-06-05 00:54:06 - machine was rebooted
ComboFix-quarantined-files.txt 2011-06-04 22:54
ComboFix2.txt 2011-06-04 06:41
ComboFix3.txt 2011-06-02 18:01
ComboFix4.txt 2011-05-31 06:52
ComboFix5.txt 2011-06-04 22:44
.
Pre-Run: 70 376 345 600 bytes free
Post-Run: 12 adresárov, 70 362 898 432 voľných bajtov
.
- - End Of File - - 5741F2E12B98C0514EEE7DCC542AAF41

[motji]

Furt se to vrací , ten druhý pc je odpojený, jak jsme se domlouvali?
Udělejte znovu gmer .

[Y0G1]

jj bylo to odpojene ale ja nevim proc mu to tak trva udelat te topic ....

[motji]

Udělejte ten gmer a pak se uvidí.

[Y0G1]

Udělejte ten gmer a pak se uvidí.

jasny jdu na to

zajimala by mne jedna otazka je nejak mozny prenest vsechny ulozene stranky prihlasovacie udaje z mozili do google chrome?

[motji]

Nemám google chrome, ale zkuste si v mozille uložit záložky a potom v chrome je načíst.
Já tu budu ted asi do 10 hodin a pak až večer po 9.hodině.

[Y0G1]

GMER 1.0.15.15640 - http://www.gmer.net
Rootkit scan 2011-06-05 10:53:36
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-4 MAXTOR_6L080L4 rev.A93.0500
Running: gmer.exe; Driver: C:\DOCUME~1\Martin\LOCALS~1\Temp\pfedrfow.sys


---- Kernel code sections - GMER 1.0.15 ----

.text C:\WINDOWS\System32\DRIVERS\nv4_mini.sys section is writeable [0xF65083A0, 0x5FE082, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\System32\svchost.exe[1092] ntdll.dll!NtQueryInformationProcess 7C90D7E0 5 Bytes JMP 01FAADBD
.text C:\WINDOWS\System32\svchost.exe[1092] NETAPI32.dll!NetpwPathCanonicalize 5B86A3A9 5 Bytes JMP 01FAAD54
.text C:\WINDOWS\System32\svchost.exe[1176] ntdll.dll!NtQueryInformationProcess 7C90D7E0 5 Bytes JMP 00C0ADBD

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\svchost.exe (*** hidden *** ) [AUTO] fudxls <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\fudxls@DisplayName Support Helper
Reg HKLM\SYSTEM\CurrentControlSet\Services\fudxls@Type 32
Reg HKLM\SYSTEM\CurrentControlSet\Services\fudxls@Start 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\fudxls@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\fudxls@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\CurrentControlSet\Services\fudxls@ObjectName LocalSystem
Reg HKLM\SYSTEM\CurrentControlSet\Services\fudxls@Description Creates and maintains client network connections to remote servers. If this service is stopped, these connections will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
Reg HKLM\SYSTEM\CurrentControlSet\Services\fudxls\Parameters
Reg HKLM\SYSTEM\CurrentControlSet\Services\fudxls\Parameters@ServiceDll C:\Program Files\Movie Maker\oqhre.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Programy\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x79 0x10 0x3A 0x69 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x85 0xA8 0xD1 0x3D ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xA4 0xC8 0x20 0xBD ...
Reg HKLM\SYSTEM\ControlSet002\Services\fudxls@DisplayName Support Helper
Reg HKLM\SYSTEM\ControlSet002\Services\fudxls@Type 32
Reg HKLM\SYSTEM\ControlSet002\Services\fudxls@Start 2
Reg HKLM\SYSTEM\ControlSet002\Services\fudxls@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet002\Services\fudxls@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\ControlSet002\Services\fudxls@ObjectName LocalSystem
Reg HKLM\SYSTEM\ControlSet002\Services\fudxls@Description Creates and maintains client network connections to remote servers. If this service is stopped, these connections will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
Reg HKLM\SYSTEM\ControlSet002\Services\fudxls\Parameters (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\fudxls\Parameters@ServiceDll C:\Program Files\Movie Maker\oqhre.dll
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Programy\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x79 0x10 0x3A 0x69 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x85 0xA8 0xD1 0x3D ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xA4 0xC8 0x20 0xBD ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Programy\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x79 0x10 0x3A 0x69 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x85 0xA8 0xD1 0x3D ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xA4 0xC8 0x20 0xBD ...

---- EOF - GMER 1.0.15 ----

[motji]

Jeden z těch pc odpojte od netu a nechte trvale, ne že oba zase zapnete spolu.

Odpojte pc od netu, udělejte skript na combofix a pak znovu Fixdowndup.

Pokud nemáte, přesuňte Combofix na plochu
-otevřete si Poznámkový blok
-Do něj zkopírujte text z tohoto okénka

Kód: Vybrat vše

KillAll::

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6756:TCP"=-

Rootkit::
c:\program files\Movie Maker\oqhre.dll

Driver::
fudxls

Netsvc::
fudxls

DDS::
DhcpNameServer = 195.12.128.1 195.72.0.3

-uložte Vámi vytvořený TXT soubor jako CFScript.txt na plochu
-po uložení uchopte vámi vytvořený skript levým myšítkem a -přesuňte ho nad ikonu Combofixu, kde ho upustíte:




-po aplikaci na Vás vypadne další log,vložte ho sem

Upozornění : může se stát, že po aplikaci skriptu a restartu Windows nenaběhnou, v tom případě znovu restartujte a přitom mačkejte F8, pak zvolte Poslední známou funkční konfiguraci


Použijte AVPtool z mého podpisu, stahněte ho než uděláte skript na combofix a odpojíte se od internetu.

Tuto IP adresu znáte?
DhcpNameServer = 195.12.128.1 195.72.0.3

[Y0G1]

tu ipadresu neznam ten pc ma byt dokdy odpojen od internetu ja pak s vama nebudu v kontaktu a take ten avp tool sem se snazil stahnou nesla nacitat stranka nwm mozna kvuli rootovi?

[motji]

Upravila jsem skript, pokud by Vám po něm nešel internet, odpojte a připojte znovu kabel.
Do doby než provedete AVPtool, případně at je aspon kamarád odpojený, at to zase nechytnete znovu od něj. Jinak už nevím, jak se té potvory zbavit, odkud se pořád Vrací

[Y0G1]

ha taky jak rikam kamos nema nejmensi potize

[motji]

Ale já nevím, jestli to jde od kamoše, jeho pc jsem neviděla, jen předpokládám. Pokud se toho ani ted nezbavíme, tak to zformátujte, protože sotva to smažeme, je to zpět a zdroj prostě nikde nevidím

[Y0G1]

no ja mu poslu odkaz na ten combo fix at si to udela to by bylo asi nejlepsi ne?

[motji]

At si založí nový topic, napíše že je pro mě a počká až přijdu. Ale bud mějte připojené pc Vy nebo on, oba ne.