virus Security tool

[Weenie]

cakam:)
inak dik za tvoj cas trva to uz dost dlho...tiez si viem predstavit stravit den inak ako takto

takze ten virustotal mozem zrusit?

[stell]

no, security tool, nie je sranda, a mne to nevadi, nakolko je to moje hobby,
ok, uz mozes pouzit script, este mozno 1-hodinka a bude to ok,

[Weenie]

ComboFix 10-08-23.05 - tam . 08. 2010 17:19:37.3.2 - x86 NETWORK
Systém Microsoft Windows XP Professional 5.1.2600.3.1250.421.1029.18.991.557 [GMT 2:00]
Running from: c:\documents and settings\tam\Plocha\ComboFix.exe
Command switches used :: c:\documents and settings\tam\Plocha\CFScript.txt

file zipped: c:\windows\system32\tnd.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\tnd.dll

c:\windows\system32\spoolsv.exe . . . is infected!!

.
--------------- FCopy ---------------

c:\windows\$hf_mig$\KB956572\SP3QFE\services.exe --> c:\windows\system32\services.exe
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ICQ_SERVICE
-------\Service_ICQ Service


((((((((((((((((((((((((( Files Created from 2010-07-24 to 2010-08-24 )))))))))))))))))))))))))))))))
.

2010-08-24 13:14 . 2010-08-24 13:14 -------- d-----w- C:\_OTM
2010-08-24 11:55 . 2010-08-24 15:06 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-08-24 11:30 . 2010-04-29 13:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-08-24 11:30 . 2010-08-24 11:46 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-24 11:30 . 2010-04-29 13:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-08-24 10:14 . 2010-08-24 12:40 -------- d-----w- c:\program files\trend micro
2010-08-24 10:07 . 2010-08-24 10:07 -------- d-----w- c:\windows\RegLooks
2010-08-24 10:03 . 2010-08-24 13:05 -------- d-----w- C:\rsit
2010-08-23 22:41 . 2010-08-23 22:41 -------- d-----w- c:\program files\Magic Bullet Suite 2.1
2010-08-23 22:40 . 2010-08-23 22:44 -------- d-----w- c:\program files\Magic Bullet Looks
2010-08-23 21:42 . 2004-10-03 15:41 167936 ----a-w- c:\windows\system32\Engine3D.dll
2010-08-23 21:34 . 2005-11-20 18:42 3272704 ----a-w- c:\windows\system32\sapphire_ae.dll
2010-08-23 12:16 . 2010-08-23 12:16 -------- d-----w- C:\NVIDIA
2010-08-23 11:50 . 2010-08-23 11:50 -------- d-----w- c:\program files\Magic Bullet Mojo Vegas
2010-08-23 11:47 . 2010-08-23 11:47 59392 --sha-r- c:\windows\system32\kbdfi9.dll
2010-08-23 11:47 . 2010-08-23 11:47 50400 ----a-w- c:\windows\system32\uepzunjvwporzc.exe
2010-08-22 07:47 . 2010-08-22 07:47 -------- d-----w- c:\program files\Audacity1.2.6
2010-08-22 07:05 . 2010-08-22 07:05 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2010-08-20 09:02 . 2010-08-20 09:02 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-08-19 19:52 . 2010-08-19 19:52 -------- d-----w- c:\program files\Cycore FX 1.0.1
2010-08-07 18:31 . 2010-08-07 18:31 -------- d-----w- c:\program files\Digieffects
2010-08-03 10:53 . 2010-08-03 10:53 36868 ----a-w- c:\program files\uninst-Particular.exe
2010-08-03 10:53 . 2010-08-03 10:53 -------- d-----w- C:\Presets
2010-08-03 10:51 . 2010-08-03 10:51 36868 ----a-w- c:\program files\uninst-Lux.exe
2010-08-03 10:50 . 2010-08-03 10:50 -------- d-----w- c:\program files\Trapcode Form
2010-08-03 10:47 . 2010-08-03 10:49 36868 ----a-w- c:\program files\uninst-Echospace.exe
2010-08-03 10:45 . 2010-08-03 10:56 -------- d-----w- c:\program files\Trapcode

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-24 14:03 . 2008-05-24 13:25 -------- d-----w- c:\program files\Steam
2010-08-24 13:39 . 2001-10-25 12:00 4224 ----a-w- c:\windows\system32\drivers\rdpcdd.sys
2010-08-23 22:41 . 2010-08-23 22:41 3932 ----a-w- c:\program files\mbsuite21.log
2010-08-23 12:08 . 2009-11-24 20:14 -------- d-----w- c:\program files\BitComet
2010-08-21 15:22 . 2010-01-27 11:35 -------- d-----w- c:\program files\Counter-Strike 1.6
2010-08-16 12:18 . 2009-12-11 13:02 -------- d-----w- c:\program files\Absolute Poker
2010-08-15 07:54 . 2010-06-24 16:02 -------- d-----w- c:\program files\ICQ7.2
2010-08-03 10:56 . 2010-08-03 10:56 1999 ----a-w- c:\program files\trapcodeStarglow.log
2010-08-03 10:55 . 2010-08-03 10:55 1972 ----a-w- c:\program files\trapcodeShine.log
2010-08-03 10:50 . 2010-08-03 10:50 19549 ----a-w- c:\program files\trapcodeform.log
2010-08-03 10:45 . 2010-08-03 10:45 4556 ----a-w- c:\program files\trapcode3Dstroke.log
2010-07-22 16:58 . 2009-08-25 20:54 -------- d-----w- c:\program files\Boris FX, Inc
2010-07-22 16:57 . 2010-07-22 16:57 -------- d-----w- c:\program files\GenArts
2010-07-07 10:47 . 2009-12-20 13:30 -------- d-----w- c:\program files\Czech Soccer Manager 2002 FE
2010-07-06 16:51 . 2010-07-06 16:36 -------- d-----w- c:\program files\New Star Soccer 2
2010-07-06 16:36 . 2010-07-03 19:08 63473 ----a-w- c:\windows\system32\SpoonUninstall-New Star Soccer 2.dat
2010-07-06 16:36 . 2010-07-03 19:08 167936 ----a-w- c:\windows\system32\SpoonUninstall.exe
2010-07-06 16:27 . 2010-01-08 21:10 -------- d-----w- c:\program files\CamStudio
2010-07-05 21:21 . 2009-12-27 23:20 -------- d-----w- c:\program files\DivX
2010-07-02 20:16 . 2009-08-29 18:04 -------- d-----w- c:\program files\EslWire
2010-07-01 12:18 . 2010-07-01 12:14 -------- d-----w- c:\program files\LEGO Company
2010-06-17 09:25 . 2001-10-25 12:00 804456 ----a-w- c:\windows\system32\perfh005.dat
2010-06-17 09:25 . 2001-10-25 12:00 289656 ----a-w- c:\windows\system32\perfc005.dat
2010-06-16 11:56 . 2008-05-21 20:04 691696 ----a-w- c:\windows\system32\drivers\sptd.sys
2010-01-02 10:45 . 2010-01-02 10:34 91849619 ----a-w- c:\program files\rsk55ind.zip
2007-07-17 11:13 . 2007-07-12 09:51 61440 ----a-w- c:\program files\RGSGrowBounds.aex
2007-05-03 15:32 . 2007-05-03 15:32 434 ----a-w- c:\program files\setup_bs.exe
2005-06-13 11:46 . 2009-02-28 22:13 45 ----a-w- c:\program files\Setup.Ini
2001-09-25 20:05 . 2009-02-28 22:13 1707856 ----a-w- c:\program files\InstMsiA.Exe
2001-09-11 23:04 . 2009-02-28 22:13 1821008 ----a-w- c:\program files\InstMsiW.Exe
.

------- Sigcheck -------

[-] 2008-04-14 . 40E86B51C5C5079FB474E0CF195536C4 . 14848 . . [5.1.2600.5512] . . c:\windows\system32\lsass.exe

[-] 2009-02-09 . F05C88A421D6FECAF3BC7E4681D7A764 . 113152 . . [5.1.2600.5755] . . c:\windows\system32\services.exe
[7] 2009-02-09 . 3D107D45CCFDB266E91D84B52CD7F430 . 111104 . . [5.1.2600.5755] . . c:\windows\$hf_mig$\KB956572\SP3QFE\services.exe
[7] 2008-04-14 . F0D2AE69035092BF22DAD6B50FAB85C2 . 108544 . . [5.1.2600.5512] . . c:\windows\$NtUninstallKB956572$\services.exe

[-] 2008-04-14 . 567090A92EF6686F5BE2176B69E41DEC . 58880 . . [5.1.2600.5512] . . c:\windows\system32\spoolsv.exe

[-] 2008-04-14 . 3AC759C2CDA049E895B86BCC48BEA61B . 512000 . . [5.1.2600.5512] . . c:\windows\system32\winlogon.exe

[-] 2008-04-14 . FCAE1B20EFD0F6E662F87CE004B1F7CF . 17408 . . [5.1.2600.5512] . . c:\windows\system32\svchost.exe

[-] 2008-04-14 . C60DC1338C9A29C1DAF68BDF4638BC1F . 1036800 . . [6.00.2900.5512] . . c:\windows\explorer.exe

[-] 2008-05-07 . F587B0981034E79FF9C447C16CB66380 . 1571840 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="c:\program files\steam\steam.exe" [2010-08-24 1242448]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-11-16 139264]
"Octoshape Streaming Services"="c:\documents and settings\tam\Data aplikací\Octoshape\Octoshape Streaming Services\OctoshapeClient.exe" [2009-01-08 70936]
"Google Update"="c:\documents and settings\tam\Local Settings\Data aplikací\Google\Update\GoogleUpdate.exe" [2010-03-18 136176]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2010-04-01 357696]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2007-11-22 16858112]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-17 421888]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-05-26 202256]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-06-03 1144104]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-07-08 13762560]
"nwiz"="nwiz.exe" [2009-07-08 1657376]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-07-08 86016]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HLSW\\hlsw.exe"=
"c:\\Program Files\\Counter-Strike 1.6\\hltv.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Nero\\Nero 7\\Nero Home\\NeroHome.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\Steam\\steamapps\\phioneer\\dedicated server\\hltv.exe"=
"c:\\Program Files\\Valve\\hl.exe"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\SopCast\\SopCast.exe"=
"c:\\Program Files\\EslWire\\wire.exe"=
"c:\\Program Files\\Counter-Strike 1.6\\hl.exe"=
"c:\\Program Files\\Steam\\steamapps\\lukesin15\\counter-strike\\hl.exe"=
"c:\\Program Files\\Steam\\steam.exe"=
"c:\\Documents and Settings\\tam\\Data aplikací\\Octoshape\\Octoshape Streaming Services\\OctoshapeClient.exe"=
"c:\\Program Files\\BitComet\\BitComet.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Teamspeak2_RC2\\server_windows.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Documents and Settings\\tam\\Local Settings\\Data aplikací\\Google\\Chrome\\Application\\chrome.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\ICQ7.2\\ICQ.exe"=
"c:\\Program Files\\ICQ7.2\\aolload.exe"=
"c:\\Program Files\\Steam\\steamapps\\phioneer\\dedicated server\\hlds.exe"=
"c:\\Documents and Settings\\tam\\Plocha\\NOVE MOVIE\\genArts sapphire plugins\\GENARTS_SAPPHIRE\\rlm.exe"=
"c:\\Program Files\\GenArts\\rlm\\rlm.exe"=
"c:\\Program Files\\Adobe\\Adobe After Effects CS4\\Support Files\\AfterFX.exe"=
"c:\\WINDOWS\\system32\\winver.exe"=
"c:\\Program Files\\Steam\\steamapps\\phioneer\\counter-strike\\hl.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"12817:TCP"= 12817:TCP:BitComet 12817 TCP
"12817:UDP"= 12817:UDP:BitComet 12817 UDP
"14457:TCP"= 14457:TCP:BitComet 14457 TCP
"14457:UDP"= 14457:UDP:BitComet 14457 UDP

S0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [21. 5. 2008 22:04 691696]
S2 gupdate1c99694d879faee;Služba Google Update (gupdate1c99694d879faee);c:\program files\Google\Update\GoogleUpdate.exe [24. 2. 2009 17:30 133104]
S2 RLM-GenArts;RLM-GenArts;c:\program files\GenArts\rlm\rlm.exe [22. 7. 2010 19:00 1540096]
S3 Ndisprot;ArcNet NDIS Protocol Driver;c:\windows\system32\drivers\ndisprot.sys [25. 11. 2008 20:42 27904]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
vvdsvc REG_MULTI_SZ vvdsvc
.
Contents of the 'Scheduled Tasks' folder

2010-08-24 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-12-14 19:00]

2010-08-24 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-24 15:30]

2010-08-24 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-24 15:30]

2010-08-24 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-329068152-764733703-1177238915-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-24 20:09]

2010-08-24 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-329068152-764733703-1177238915-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-24 20:09]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xportovat do aplikace Microsoft Office Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Stáhnout odkaz s použitím BitCometu - c:\program files\BitComet\BitComet.exe/AddLink.htm
IE: Stáhnout všechna videa s použitím BitCometu - c:\program files\BitComet\BitComet.exe/AddVideo.htm
IE: Stáhnout všechny odkazy s použitím BitCometu - c:\program files\BitComet\BitComet.exe/AddAllLink.htm
DPF: {2827941E-F3B4-11D1-870D-00006E30EA7D} - hxxp://ebanka.tuke.sk/Ib/sk/objects/SigningProj.cab
DPF: {A4735C9C-6626-4386-9B93-2D9B79047AB8} - hxxp://televizia.joj.sk/fileadmin/joj_player/JOJ_Explorer_Player.cab
DPF: {AC414988-E5BB-4C2C-873B-EA53D2F3D23A} - hxxp://t.live.cctv.com/ieocx/CCTVUpdateInstall.dll
FF - ProfilePath - c:\documents and settings\tam\Data aplikací\Mozilla\Firefox\Profiles\p79xkhnr.default\
FF - prefs.js: browser.search.selectedEngine - ICQ Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.sk/
FF - prefs.js: keyword.URL - hxxp://search.icq.com/search/afe_results.php?ch_id=afex&tb_ver=2.0.0.4&q=
FF - component: c:\documents and settings\All Users\Data aplikací\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\components\nprpffbrowserrecordext.dll
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\TV JOJ Media Player\npplugin_netscape.dll
FF - plugin: c:\program files\Veetle\Player\npvlc.dll
FF - plugin: c:\program files\Veetle\plugins\npVeetle.dll
FF - plugin: c:\program files\Veetle\VLCBroadcast\npvbp.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".sk");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-24 17:25
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-329068152-764733703-1177238915-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:6d,4e,ec,71,67,9b,e6,a3,97,38,64,42,ea,66,3b,bb,27,7d,75,f5,12,32,38,
09,1d,e7,ce,e6,cf,f4,9c,f3,d3,87,c3,b7,3c,ec,71,9a,ca,c3,9e,35,36,37,b5,f9,\
"??"=hex:24,87,4a,ae,2e,96,d4,2c,9e,c5,0a,7e,0a,a2,54,3e

[HKEY_USERS\S-1-5-21-329068152-764733703-1177238915-1003\Software\SecuROM\License information*]
"datasecu"=hex:a8,54,bc,21,be,e4,ee,9c,b9,6e,d9,29,25,7a,20,c9,03,69,b0,e1,e0,
02,47,b9,00,b5,35,a8,40,7d,23,0d,d8,90,db,6f,04,42,40,66,84,04,3a,d5,3a,ad,\
"rkeysecu"=hex:c9,cf,ca,23,e6,27,fa,31,26,64,84,09,80,f6,2f,25
.
Completion time: 2010-08-24 17:29:59 - machine was rebooted
ComboFix-quarantined-files.txt 2010-08-24 15:29
ComboFix2.txt 2010-08-24 14:19

Pre-Run: Volných bajtů: 48 068 894 720
Post-Run: Volných bajtů: 48 058 208 256

- - End Of File - - 89AFA73D9BDF82E60233B7FBC9C5693F

[Weenie]

dufam ze som to dobre oskenoval to co si chcel...lebo ked som ten txt subor pretiahol na ten combofix tak sa akurat zacal aktualizovat a potom ked sa aktualizoval sa spustil sam odznova tak dufam ze dobre:)
inak stale som v nudzovom rezime je to v pohode?:)

[stell]

vsetko,ok
uz mozes do windows, este otestuj tieto subory:,Tu
http://virusscan.jotti.org/
c:\program files\GenArts\rlm\rlm.exe
c:\windows\system32\lsass.exe
c:\windows\system32\services.exe
c:\windows\system32\spoolsv.exe
c:\windows\system32\winlogon.exe
c:\windows\system32\svchost.exe
c:\windows\explorer.exe
c:\windows\system32\sfcfiles.dll

linky, vloz sem,

[Weenie]

rlm.exe - http://virusscan.jotti.org/sk/scanresul ... fbcd2183bc

lsass.exe - http://virusscan.jotti.org/sk/scanresul ... c414ccd4a9

services.exe - http://virusscan.jotti.org/sk/scanresul ... f9d2fd6ebe

spoolsv.exe - http://virusscan.jotti.org/sk/scanresul ... f64e4b2857

winlogon.exe - http://virusscan.jotti.org/sk/scanresul ... 244d7e88a9

svchost.exe - http://virusscan.jotti.org/sk/scanresul ... 83b1e8793c

explorer.exe - http://virusscan.jotti.org/sk/scanresul ... 42527a6c1d

sfcfiles.dll - http://virusscan.jotti.org/sk/scanresul ... 5875d20444

tyvole okrem toho prveho a sfcfiles.dll vsade samy trojan

[stell]

ok,ideme najst , nahradu,
Stahni OTListIt2>> OTL
Označ položku Pro všechny uživatele.
Označ položky Kontrola na havěť "LOP" a Kontrola na havěť "Purity"
do ona vlastne skenovani/oprava- vlož script
Klikn na tlačítko Prohledat
Po dokončení, sem vlož logy OTL.Txt

Kód: Vybrat vše

msconfig
safebootminimal
activex
drivers32
netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
lsass.exe
services.exe
spoolsv.exe
winlogon.exe
svchost.exe
explorer.exe
/md5stop
%systemroot%\*. /mp /s
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\system32\drivers\*.sys /lockedfiles
%systemroot%\System32\config\*.sav
%systemroot%\system32\drivers\*.sys /90

[Weenie]

je to prilis dlhe nezmesti sa mi to tu zase

tu to mas:

http://leteckaposta.cz/324602112

a este jeden txt mi to vygenerovalo...extras.txt aj to ti treba? ale to vyzera ze to ej to iste:)

[Weenie]

co mam s tym spustenim otl robit? mozem to zavriet?

[stell]

netreba, cakaj spravim navod.

[stell]

no nahrada , nie je, windows mas slovensky alebo cesky""??

Stiahnes>>AVANGER
podla navodu vloz script,log po restarte vloz sem:

Kód: Vybrat vše

Files to move:
C:\WINDOWS\$hf_mig$\KB956572\SP3QFE\services.exe|C:\WINDOWS\system32\services.exe

Files to delete:
C:\WINDOWS\system32\kbdfi9.dll

[Weenie]

windows mam po cesky...idem na ten avanger

[Weenie]

avenger log:

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Error: file "C:\WINDOWS\system32\services.exe" is whitelisted
File move operation "C:\WINDOWS\$hf_mig$\KB956572\SP3QFE\services.exe|C:\WINDOWS\system32\services.exe" failed!
Status: 0xc0000022 (STATUS_ACCESS_DENIED)

File "C:\WINDOWS\system32\kbdfi9.dll" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

[stell]

ok, cakaj, ceske sytemove subory mam.

[stell]

http://leteckaposta.cz/453189259
stiahni na plochu-otvor./7zip-zlozku -vymena-skopiruj alebo vloz na C:\-takze bude to takto c:\vymena
spust AVANGER podla navodu vloz script, log po restarte vloz sem.

Kód: Vybrat vše

Begin copying here:
Files to move:
C:\vymena\explorer.exe | C:\WINDOWS\explorer.exe
C:\vymena\lsass.exe | c:\windows\system32\lsass.exe
C:\vymena\services.exe | c:\windows\system32\services.exe
C:\vymena\spoolsv.exe | c:\windows\system32\spoolsv.exe
C:\vymena\winlogon.exe | c:\windows\system32\winlogon.exe
C:\vymena\svchost.exe | c:\windows\system32\svchost.exe