přepsani souboru na připonu ENCODED

[stell]

spust OTL-do okna zkopiruj zeleny text a klik RunFix
log po restarte vloz sem.
Potom otestuj na www.virustotal.com subory
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\dllcache\winlogon.exe
C:\WINDOWS\system32\winlogon.exe
link z testov vloz sem, ak vypise ze uz boli testovane, daj reanalyse.

Kód: Vybrat vše

:OTL
IE - HKLM\..\URLSearchHook: - Reg Error: Key error. File not found
IE - HKLM\..\URLSearchHook: {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQ6Toolbar\ICQToolBar.dll (ICQ)
IE - HKU\.DEFAULT\..\URLSearchHook: - Reg Error: Key error. File not found
IE - HKU\.DEFAULT\..\URLSearchHook: {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQ6Toolbar\ICQToolBar.dll (ICQ)
IE - HKU\.DEFAULT\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - Reg Error: Key error. File not found
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-18\..\URLSearchHook: - Reg Error: Key error. File not found
IE - HKU\S-1-5-18\..\URLSearchHook: {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQ6Toolbar\ICQToolBar.dll (ICQ)
IE - HKU\S-1-5-18\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - Reg Error: Key error. File not found
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-682003330-776561741-1606980848-1004\..\URLSearchHook: {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQ6Toolbar\ICQToolBar.dll (ICQ)
IE - HKU\S-1-5-21-682003330-776561741-1606980848-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
O3 - HKLM\..\Toolbar: (ICQToolBar) - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQ6Toolbar\ICQToolBar.dll (ICQ)
[2010.10.21 23:09:53 | 000,026,684 | ---- | M] () -- C:\WINDOWS\Řeka Sumida.bmp.ENCODED
[2010.10.21 23:09:53 | 000,026,586 | ---- | M] () -- C:\WINDOWS\Zelený kámen.bmp.ENCODED
[2010.10.21 23:09:53 | 000,017,066 | ---- | M] () -- C:\WINDOWS\Zrnko kávy.bmp.ENCODED
[2010.10.21 23:09:53 | 000,009,526 | ---- | M] () -- C:\WINDOWS\Zapotec.bmp.ENCODED
[2010.10.21 23:09:52 | 002,359,354 | ---- | M] () -- C:\WINDOWS\Windows XP XII.BMP.ENCODED
[2010.10.21 23:09:52 | 000,048,684 | -HS- | M] () -- C:\WINDOWS\winnt256.bmp.ENCODED
[2010.10.21 23:09:52 | 000,048,684 | -HS- | M] () -- C:\WINDOWS\winnt.bmp.ENCODED
[2010.10.21 23:09:27 | 000,016,734 | ---- | M] () -- C:\WINDOWS\Textura peří.bmp.ENCODED
[2010.10.21 23:09:19 | 000,240,124 | ---- | M] () -- C:\WINDOWS\System32\setup.bmp.ENCODED
[2010.10.21 23:04:53 | 000,017,366 | ---- | M] () -- C:\WINDOWS\Rododendron.bmp.ENCODED
[2010.10.21 23:04:52 | 000,065,958 | ---- | M] () -- C:\WINDOWS\Prérijní vítr.bmp.ENCODED
[2010.10.21 23:04:29 | 000,065,982 | ---- | M] () -- C:\WINDOWS\Mýdlové bubliny.bmp.ENCODED
[2010.10.21 23:04:29 | 000,065,836 | ---- | M] () -- C:\WINDOWS\Omítka Santa Fe.bmp.ENCODED
[2010.10.21 23:04:29 | 000,017,340 | ---- | M] () -- C:\WINDOWS\Na rybách.bmp.ENCODED
[2010.10.21 23:04:29 | 000,001,276 | ---- | M] () -- C:\WINDOWS\Modrá krajka 16.bmp.ENCODED
[2010.10.21 23:04:21 | 000,082,948 | ---- | M] () -- C:\WINDOWS\clock.avi.ENCODED
:Commands
[resethosts]
[emptytemp]
[clearallrestorepoints]
[start explorer]
[EMPTYFLASH]
[Reboot]

[JayDee]

Log z OTL po restartu:


All processes killed
========== OTL ==========
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\\ deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\\{855F3B16-6D32-4fe6-8A56-BBB695989046} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{855F3B16-6D32-4fe6-8A56-BBB695989046}\ deleted successfully.
C:\Program Files\ICQ6Toolbar\ICQToolBar.dll moved successfully.
Registry value HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\URLSearchHooks\\ deleted successfully.
Registry value HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\URLSearchHooks\\{855F3B16-6D32-4fe6-8A56-BBB695989046} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{855F3B16-6D32-4fe6-8A56-BBB695989046}\ not found.
File C:\Program Files\ICQ6Toolbar\ICQToolBar.dll not found.
Registry value HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\URLSearchHooks\\{A3BC75A2-1F87-4686-AA43-5347D756017C} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A3BC75A2-1F87-4686-AA43-5347D756017C}\ not found.
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyEnable|dword:0 /E : value set successfully!
Registry value HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\URLSearchHooks\\ not found.
Registry value HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\URLSearchHooks\\{855F3B16-6D32-4fe6-8A56-BBB695989046} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{855F3B16-6D32-4fe6-8A56-BBB695989046}\ not found.
File C:\Program Files\ICQ6Toolbar\ICQToolBar.dll not found.
Registry value HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\URLSearchHooks\\{A3BC75A2-1F87-4686-AA43-5347D756017C} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A3BC75A2-1F87-4686-AA43-5347D756017C}\ not found.
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyEnable|dword:0 /E : value set successfully!
Registry value HKEY_USERS\S-1-5-21-682003330-776561741-1606980848-1004\Software\Microsoft\Internet Explorer\URLSearchHooks\\{855F3B16-6D32-4fe6-8A56-BBB695989046} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{855F3B16-6D32-4fe6-8A56-BBB695989046}\ not found.
File C:\Program Files\ICQ6Toolbar\ICQToolBar.dll not found.
HKU\S-1-5-21-682003330-776561741-1606980848-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyEnable|dword:0 /E : value set successfully!
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\{855F3B16-6D32-4fe6-8A56-BBB695989046} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{855F3B16-6D32-4fe6-8A56-BBB695989046}\ not found.
File C:\Program Files\ICQ6Toolbar\ICQToolBar.dll not found.
C:\WINDOWS\Řeka Sumida.bmp.ENCODED moved successfully.
C:\WINDOWS\Zelený kámen.bmp.ENCODED moved successfully.
C:\WINDOWS\Zrnko kávy.bmp.ENCODED moved successfully.
C:\WINDOWS\Zapotec.bmp.ENCODED moved successfully.
C:\WINDOWS\Windows XP XII.BMP.ENCODED moved successfully.
C:\WINDOWS\winnt256.bmp.ENCODED moved successfully.
C:\WINDOWS\winnt.bmp.ENCODED moved successfully.
C:\WINDOWS\Textura peří.bmp.ENCODED moved successfully.
C:\WINDOWS\system32\setup.bmp.ENCODED moved successfully.
C:\WINDOWS\Rododendron.bmp.ENCODED moved successfully.
C:\WINDOWS\Prérijní vítr.bmp.ENCODED moved successfully.
C:\WINDOWS\Mýdlové bubliny.bmp.ENCODED moved successfully.
C:\WINDOWS\Omítka Santa Fe.bmp.ENCODED moved successfully.
C:\WINDOWS\Na rybách.bmp.ENCODED moved successfully.
C:\WINDOWS\Modrá krajka 16.bmp.ENCODED moved successfully.
C:\WINDOWS\clock.avi.ENCODED moved successfully.
========== COMMANDS ==========
C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

[EMPTYTEMP]

User: ACDC
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 111826 bytes
->Java cache emptied: 0 bytes
->Google Chrome cache emptied: 819568 bytes
->Opera cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32835 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 1,00 mb

Restore points cleared and new OTL Restore Point set!

[EMPTYFLASH]

User: ACDC
->Flash cache emptied: 0 bytes

User: Administrator

User: All Users

User: Default User

User: LocalService

User: NetworkService

Total Flash Files Cleaned = 0,00 mb


OTL by OldTimer - Version 3.2.17.1 log created on 10272010_163454

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...

[stell]

Dobre este otestuj tie subory
Tu mas nove .bmp
rozbal, otvor a zkopiruj ich do zlozky windows
http://leteckaposta.cz/200797668

[JayDee]

Linky z testování na virustotal.com

1

Kód: Vybrat vše

[url]http://www.virustotal.com/file-scan/report.html?id=049f340067b5cc40e20b3ae6a952745dd58ce0331075075c590eac8cf316ddd9-1288190929[/url]

2

Kód: Vybrat vše

[url]http://www.virustotal.com/file-scan/report.html?id=e9cd83ac12d271cf3fc78634f36a51ef8651ba8d7f1d915a0c923f1954515774-1288191547[/url]

3

Kód: Vybrat vše

[url]http://www.virustotal.com/file-scan/report.html?id=9b27fc06a05871bfe51c3ef68adbc56ecacb9017b2f50b52fd53a9851bcbf5d8-1288191401[/url]

[stell]

hm, parada
Mas inst CD?? nakolko musime nahradit infikovane systemove subory.

[JayDee]

Hotovo, soubory bmp nahrány do windows

[stell]

Mas inst CD?? nakolko musime nahradit infikovane systemove subory.

[JayDee]

hm, parada
Mas inst CD?? nakolko musime nahradit infikovane systemove subory.

Nejaky instal.CD mam, ale na tuhle verzi winXP zrejme ne....

[stell]

, aj ja mam na xp-prof, ale cakaj, uz som napisal kolegyni a ona ma
Microsoft Windows XP Home Edition
ak sa pripoji tak mi to posle a potom vymenime, ok,

[JayDee]

OK, počkám

[stell]

http://www.edisk.cz/stahni/40452/explor ... .54KB.html
stiahni na plochu>>rozbalit a systemove subory skopiruj na disk c:\
takze budu takto
c:\winlogon.exe
c:\explorer.exe

Pri tejto akcii je nutné mať ComboFix na ploche.

Vypni>FIREWALL>Antivir>Antispyware>vsetko rezidentne.

Otvor Notepad (Poznámkový blok) a zkopíruj do neho celý zeleny tex:

Kód: Vybrat vše

KILLALL::
FCOPY::
c:\winlogon.exe | c:\windows\system32\winlogon.exe
c:\explorer.exe | c:\windows\explorer.exe
c:\winlogon.exe | c:\windows\system32\dllcache\winlogon.exe

Potom klik na Subor -> Uložiť ako.. .. -> Ako je Názov souboru tak do toho riadku napiš:CFScript.txt
Typ súboru tak tam vyberies *všetky súbory
A ulož ho na plochu.> Pozor CFScript.txt>Neotvarat a nemoze byt ani>CFScript.txt.txt A Urobis Toto :


Po skonceni skenu vlož log čo ComboFix vytvorí

[JayDee]

Log z Combofixu:

ComboFix 10-10-26.03 - ACDC 27.10.2010 18:22:05.4.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1250.420.1029.18.1015.675 [GMT 2:00]
Spuštěný z: c:\documents and settings\ACDC\Plocha\ComboFix.exe
Použité ovládací přepínače :: c:\documents and settings\ACDC\Plocha\CFScript.txt
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
AV: COMODO Antivirus *On-access scanning disabled* (Updated) {043803A5-4F86-4ef7-AFC5-F6E02A79969B}
FW: COMODO Firewall *disabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
.

((((((((((((((((((((((((((((((((((((((( Ostatní výmazy )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\explorer.exe
C:\winlogon.exe

c:\windows\explorer.exe . . . je infikován!!

Nakažená kopie c:\windows\system32\winlogon.exe byla nalezena a vyléčena.
Obnovena kopie z - c:\system volume information\_restore{CC3AFB2F-7CED-4EB7-BF2B-B434EE538E07}\RP2\A0000353.exe

.
--------------- FCopy ---------------

c:\winlogon.exe --> c:\windows\system32\winlogon.exe
c:\explorer.exe --> c:\windows\explorer.exe
c:\winlogon.exe --> c:\windows\system32\dllcache\winlogon.exe
.
((((((((((((((((((((((((( Soubory vytvořené od 2010-09-27 do 2010-10-27 )))))))))))))))))))))))))))))))
.

2010-10-27 14:34 . 2010-10-27 14:34 -------- d-----w- C:\_OTL
2010-10-26 14:49 . 2010-10-26 14:49 -------- d-----w- c:\documents and settings\ACDC\Data aplikací\Malwarebytes
2010-10-26 14:49 . 2010-04-29 13:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-10-26 14:49 . 2010-10-26 14:49 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-10-26 14:49 . 2010-10-26 14:49 -------- d-----w- c:\documents and settings\All Users\Data aplikací\Malwarebytes
2010-10-26 14:49 . 2010-04-29 13:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-10-26 13:28 . 2010-10-26 13:28 -------- d-----w- C:\_OTM
2010-10-25 23:59 . 2010-10-25 23:59 -------- d-----w- c:\program files\trend micro
2010-10-25 23:59 . 2010-10-25 23:59 -------- d-----w- C:\rsit
2010-10-25 21:56 . 2010-09-07 14:47 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-10-25 21:56 . 2010-09-07 14:52 165584 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-10-25 21:56 . 2010-09-07 14:47 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-10-25 21:56 . 2010-09-07 14:52 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-10-25 21:56 . 2010-09-07 14:47 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-10-25 21:56 . 2010-09-07 14:47 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-10-25 21:56 . 2010-09-07 14:46 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-10-25 21:56 . 2010-09-07 15:12 38848 ----a-w- c:\windows\avastSS.scr
2010-10-25 21:56 . 2010-09-07 15:11 167592 ----a-w- c:\windows\system32\aswBoot.exe
2010-10-25 20:44 . 2010-10-25 20:44 -------- d-----w- c:\documents and settings\Administrator
2010-10-23 16:36 . 2010-10-23 16:36 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Data aplikací\Google
2010-10-23 16:32 . 2010-10-24 20:38 -------- d-----w- c:\documents and settings\ACDC\Local Settings\Data aplikací\Temp
2010-10-23 16:32 . 2010-10-23 16:32 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Data aplikací\Google
2010-10-23 16:28 . 2010-10-23 16:54 -------- d-----w- c:\documents and settings\ACDC\Local Settings\Data aplikací\Google
2010-10-23 16:28 . 2010-10-23 16:50 -------- d-----w- c:\program files\Google
2010-10-23 16:17 . 2010-10-25 21:55 -------- d-----w- c:\documents and settings\All Users\Data aplikací\Alwil Software
2010-10-21 19:27 . 2010-10-26 13:29 -------- d-sh--r- c:\documents and settings\ACDC\Data aplikací\L-77685-67895-5687
2010-10-20 11:15 . 2010-10-20 11:15 93184 --sh--r- c:\documents and settings\ACDC\Data aplikací\juzjf.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-10-27 12:47 . 2006-03-02 12:00 4224 ----a-w- c:\windows\system32\drivers\rdpcdd.sys
2010-08-17 13:17 . 2008-04-14 06:52 58880 ----a-w- c:\windows\system32\spoolsv.exe
.

------- Sigcheck -------

[-] 2009-08-17 . 6AD1ECEB3EDCFC6A48B4A6B9287FEE80 . 507904 . . [5.1.2600.5512] . . c:\windows\system32\winlogon.exe

[-] 2009-08-17 . 68F15AB3E766DBA1CAF5021BE96E1F6F . 1034240 . . [6.00.2900.5512] . . c:\windows\explorer.exe

[-] 2008-06-30 . 1E603EA2A3FDBAE9E5B88A8CB3C03124 . 1571840 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((( SnapShot@2010-10-27_11.45.53 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-10-27 16:32 . 2010-10-27 16:32 16384 c:\windows\temp\Perflib_Perfdata_a54.dat
.
(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-05-16 153136]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2010-09-02 13351304]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-01-23 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-01-23 126976]
"AGRSMMSG"="AGRSMMSG.exe" [2004-12-20 88358]
"EPM-DM"="c:\acer\epm\epm-dm.exe" [2005-02-22 180224]
"ePowerManagement"="c:\acer\ePM\ePM.exe" [2005-02-22 2889216]
"LManager"="c:\progra~1\LAUNCH~1\LManager.exe" [2007-01-11 516096]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2005-01-08 102491]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-01-08 692315]
"SoundMan"="SOUNDMAN.EXE" [2004-12-01 77824]
"COMODO SafeSurf"="c:\program files\COMODO\SafeSurf\cssurf.exe" [2010-02-07 278264]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2010-02-07 1797880]
"avast5"="c:\program files\Alwil Software\Avast5\avastUI.exe" [2010-09-07 2838912]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKLM\~\startupfolder\C:^Documents and Settings^ACDC^Nabídka Start^Programy^Po spuštění^vwxnnjzz.exe]
path=c:\documents and settings\ACDC\Nabídka Start\Programy\Po spuštění\vwxnnjzz.exe
backup=c:\windows\pss\vwxnnjzz.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\ICQ7.2\\ICQ.exe"=
"c:\\Program Files\\ICQ7.2\\aolload.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [25.10.2010 23:56 165584]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [7.2.2010 10:33 101776]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [7.2.2010 10:33 31504]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [25.10.2010 23:56 17744]
R2 ICQ Service;ICQ Service;c:\program files\ICQ6Toolbar\ICQ Service.exe [8.2.2010 18:58 246520]
S2 gupdate;Služba Google Update (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [23.10.2010 18:28 136176]
S3 adusbser;AnyDATA USB Device for Legacy Serial Communication;c:\windows\system32\DRIVERS\adusbser.sys --> c:\windows\system32\DRIVERS\adusbser.sys [?]
S3 Axtmvflt;Axesstel USB Filter Service;c:\windows\system32\drivers\Axtmvflt.sys [14.2.2010 20:40 3456]
S3 Axtmvmdm;Axesstel USB Modem;c:\windows\system32\drivers\Axtmvmdm.sys [22.3.2010 16:55 40064]
S3 Axtmvprt;Axesstel Diagnostic Port;c:\windows\system32\drivers\Axtmvprt.sys [22.3.2010 16:57 38784]
.
Obsah adresáře 'Naplánované úlohy'

2010-10-27 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-10-23 16:28]

2010-10-27 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-10-23 16:28]
.
.
------- Doplňkový sken -------
.
uStart Page = hxxp://www.seznam.cz/
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-10-27 18:33
Windows 5.1.2600 Service Pack 3 NTFS

skenování skrytých procesů ...

skenování skrytých položek 'Po spuštění' ...

skenování skrytých souborů ...

sken byl úspešně dokončen
skryté soubory: 0

**************************************************************************
.
--------------------- Knihovny navázané na běžící procesy ---------------------

- - - - - - - > 'explorer.exe'(2812)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Jiné spuštené procesy ------------------------
.
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\windows\system32\rundll32.exe
c:\windows\AGRSMMSG.exe
c:\windows\SOUNDMAN.EXE
c:\acer\eManager\anbmServ.exe
c:\program files\COMODO\COMODO Internet Security\cmdagent.exe
c:\program files\Skype\Plugin Manager\SkypePM.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Ahead\Lib\NMIndexingService.exe
c:\windows\system32\wbem\wmiapsrv.exe
c:\program files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
c:\windows\system32\igfxext.exe
.
**************************************************************************
.
Celkový čas: 2010-10-27 18:38:45 - počítač byl restartován
ComboFix-quarantined-files.txt 2010-10-27 16:38
ComboFix2.txt 2010-10-27 13:56
ComboFix3.txt 2010-10-27 13:13
ComboFix4.txt 2010-10-27 11:51

Před spuštěním: Volných bajtů: 25 726 820 352
Po spuštění: Volných bajtů: 25 753 518 080

- - End Of File - - B433691D5136D9982749890632617865

[stell]

daco si zmrvil, ako sa tam dostali do vymazu?/
C:\explorer.exe
C:\winlogon.exe

este raz a skontroluj ci na c:\mas systemove subory.

Pri tejto akcii je nutné mať ComboFix na ploche.

Vypni>FIREWALL>Antivir>Antispyware>vsetko rezidentne.

Otvor Notepad (Poznámkový blok) a zkopíruj do neho celý zeleny tex:

Kód: Vybrat vše

FCOPY::
c:\winlogon.exe | c:\windows\system32\winlogon.exe
c:\explorer.exe | c:\windows\explorer.exe
c:\winlogon.exe | c:\windows\system32\dllcache\winlogon.exe

Potom klik na Subor -> Uložiť ako.. .. -> Ako je Názov souboru tak do toho riadku napiš:CFScript.txt
Typ súboru tak tam vyberies *všetky súbory
A ulož ho na plochu.> Pozor CFScript.txt>Neotvarat a nemoze byt ani>CFScript.txt.txt A Urobis Toto :


Po skonceni skenu vlož log čo ComboFix vytvorí

[JayDee]

vsechno jsem delal jak bylo napsany, akorat po spuštění combofixu naskočilo "Založte originální CD se Service Packem 3", že je prý potřeba některé soubory obnovit. a CD s SP3 samozrejme nemam

[stell]

no co blbne combofix,
sprav to este raz, ale znova skopiruj systemove sybory na c:\musis to rozbalit a len systemove subory tam vloz.