VIRY.CZ

spust OTL-do okna zkopiruj zeleny text a klik RunFix
log po restarte vloz sem.
Potom otestuj na www.virustotal.com subory
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\dllcache\winlogon.exe
C:\WINDOWS\system32\winlogon.exe
link z testov vloz sem, ak vypise ze uz boli testovane, daj reanalyse.

Log z OTL po restartu:


All processes killed
========== OTL ==========
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\\ deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\\{855F3B16-6D32-4fe6-8A56-BBB695989046} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{855F3B16-6D32-4fe6-8A56-BBB695989046}\ deleted successfully.
C:\Program Files\ICQ6Toolbar\ICQToolBar.dll moved successfully.
Registry value HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\URLSearchHooks\\ deleted successfully.
Registry value HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\URLSearchHooks\\{855F3B16-6D32-4fe6-8A56-BBB695989046} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{855F3B16-6D32-4fe6-8A56-BBB695989046}\ not found.
File C:\Program Files\ICQ6Toolbar\ICQToolBar.dll not found.
Registry value HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\URLSearchHooks\\{A3BC75A2-1F87-4686-AA43-5347D756017C} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A3BC75A2-1F87-4686-AA43-5347D756017C}\ not found.
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyEnable|dword:0 /E : value set successfully!
Registry value HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\URLSearchHooks\\ not found.
Registry value HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\URLSearchHooks\\{855F3B16-6D32-4fe6-8A56-BBB695989046} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{855F3B16-6D32-4fe6-8A56-BBB695989046}\ not found.
File C:\Program Files\ICQ6Toolbar\ICQToolBar.dll not found.
Registry value HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\URLSearchHooks\\{A3BC75A2-1F87-4686-AA43-5347D756017C} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A3BC75A2-1F87-4686-AA43-5347D756017C}\ not found.
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyEnable|dword:0 /E : value set successfully!
Registry value HKEY_USERS\S-1-5-21-682003330-776561741-1606980848-1004\Software\Microsoft\Internet Explorer\URLSearchHooks\\{855F3B16-6D32-4fe6-8A56-BBB695989046} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{855F3B16-6D32-4fe6-8A56-BBB695989046}\ not found.
File C:\Program Files\ICQ6Toolbar\ICQToolBar.dll not found.
HKU\S-1-5-21-682003330-776561741-1606980848-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyEnable|dword:0 /E : value set successfully!
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\{855F3B16-6D32-4fe6-8A56-BBB695989046} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{855F3B16-6D32-4fe6-8A56-BBB695989046}\ not found.
File C:\Program Files\ICQ6Toolbar\ICQToolBar.dll not found.
C:\WINDOWS\Řeka Sumida.bmp.ENCODED moved successfully.
C:\WINDOWS\Zelený kámen.bmp.ENCODED moved successfully.
C:\WINDOWS\Zrnko kávy.bmp.ENCODED moved successfully.
C:\WINDOWS\Zapotec.bmp.ENCODED moved successfully.
C:\WINDOWS\Windows XP XII.BMP.ENCODED moved successfully.
C:\WINDOWS\winnt256.bmp.ENCODED moved successfully.
C:\WINDOWS\winnt.bmp.ENCODED moved successfully.
C:\WINDOWS\Textura peří.bmp.ENCODED moved successfully.
C:\WINDOWS\system32\setup.bmp.ENCODED moved successfully.
C:\WINDOWS\Rododendron.bmp.ENCODED moved successfully.
C:\WINDOWS\Prérijní vítr.bmp.ENCODED moved successfully.
C:\WINDOWS\Mýdlové bubliny.bmp.ENCODED moved successfully.
C:\WINDOWS\Omítka Santa Fe.bmp.ENCODED moved successfully.
C:\WINDOWS\Na rybách.bmp.ENCODED moved successfully.
C:\WINDOWS\Modrá krajka 16.bmp.ENCODED moved successfully.
C:\WINDOWS\clock.avi.ENCODED moved successfully.
========== COMMANDS ==========
C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

[EMPTYTEMP]

User: ACDC
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 111826 bytes
->Java cache emptied: 0 bytes
->Google Chrome cache emptied: 819568 bytes
->Opera cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32835 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 1,00 mb

Restore points cleared and new OTL Restore Point set!

[EMPTYFLASH]

User: ACDC
->Flash cache emptied: 0 bytes

User: Administrator

User: All Users

User: Default User

User: LocalService

User: NetworkService

Total Flash Files Cleaned = 0,00 mb


OTL by OldTimer - Version 3.2.17.1 log created on 10272010_163454

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...

Dobre este otestuj tie subory
Tu mas nove .bmp
rozbal, otvor a zkopiruj ich do zlozky windows
http://leteckaposta.cz/200797668

Linky z testování na virustotal.com

1 2 3

hm, parada
Mas inst CD?? nakolko musime nahradit infikovane systemove subory.

Hotovo, soubory bmp nahrány do windows

Mas inst CD?? nakolko musime nahradit infikovane systemove subory.

stell píše:hm, parada
Mas inst CD?? nakolko musime nahradit infikovane systemove subory.

Nejaky instal.CD mam, ale na tuhle verzi winXP zrejme ne....

, aj ja mam na xp-prof, ale cakaj, uz som napisal kolegyni a ona ma
Microsoft Windows XP Home Edition
ak sa pripoji tak mi to posle a potom vymenime, ok,

OK, počkám

http://www.edisk.cz/stahni/40452/explor ... .54KB.html
stiahni na plochu>>rozbalit a systemove subory skopiruj na disk c:\
takze budu takto
c:\winlogon.exe
c:\explorer.exe

Pri tejto akcii je nutné mať ComboFix na ploche.

Vypni>FIREWALL>Antivir>Antispyware>vsetko rezidentne.

Otvor Notepad (Poznámkový blok) a zkopíruj do neho celý zeleny tex: Potom klik na Subor -> Uložiť ako.. .. -> Ako je Názov souboru tak do toho riadku napiš:CFScript.txt
Typ súboru tak tam vyberies *všetky súbory
A ulož ho na plochu.> Pozor CFScript.txt>Neotvarat a nemoze byt ani>CFScript.txt.txt A Urobis Toto :


Po skonceni skenu vlož log čo ComboFix vytvorí

Log z Combofixu:

ComboFix 10-10-26.03 - ACDC 27.10.2010 18:22:05.4.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1250.420.1029.18.1015.675 [GMT 2:00]
Spuštěný z: c:\documents and settings\ACDC\Plocha\ComboFix.exe
Použité ovládací přepínače :: c:\documents and settings\ACDC\Plocha\CFScript.txt
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
AV: COMODO Antivirus *On-access scanning disabled* (Updated) {043803A5-4F86-4ef7-AFC5-F6E02A79969B}
FW: COMODO Firewall *disabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
.

((((((((((((((((((((((((((((((((((((((( Ostatní výmazy )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\explorer.exe
C:\winlogon.exe

c:\windows\explorer.exe . . . je infikován!!

Nakažená kopie c:\windows\system32\winlogon.exe byla nalezena a vyléčena.
Obnovena kopie z - c:\system volume information\_restore{CC3AFB2F-7CED-4EB7-BF2B-B434EE538E07}\RP2\A0000353.exe

.
--------------- FCopy ---------------

c:\winlogon.exe --> c:\windows\system32\winlogon.exe
c:\explorer.exe --> c:\windows\explorer.exe
c:\winlogon.exe --> c:\windows\system32\dllcache\winlogon.exe
.
((((((((((((((((((((((((( Soubory vytvořené od 2010-09-27 do 2010-10-27 )))))))))))))))))))))))))))))))
.

2010-10-27 14:34 . 2010-10-27 14:34 -------- d-----w- C:\_OTL
2010-10-26 14:49 . 2010-10-26 14:49 -------- d-----w- c:\documents and settings\ACDC\Data aplikací\Malwarebytes
2010-10-26 14:49 . 2010-04-29 13:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-10-26 14:49 . 2010-10-26 14:49 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-10-26 14:49 . 2010-10-26 14:49 -------- d-----w- c:\documents and settings\All Users\Data aplikací\Malwarebytes
2010-10-26 14:49 . 2010-04-29 13:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-10-26 13:28 . 2010-10-26 13:28 -------- d-----w- C:\_OTM
2010-10-25 23:59 . 2010-10-25 23:59 -------- d-----w- c:\program files\trend micro
2010-10-25 23:59 . 2010-10-25 23:59 -------- d-----w- C:\rsit
2010-10-25 21:56 . 2010-09-07 14:47 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-10-25 21:56 . 2010-09-07 14:52 165584 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-10-25 21:56 . 2010-09-07 14:47 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-10-25 21:56 . 2010-09-07 14:52 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-10-25 21:56 . 2010-09-07 14:47 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-10-25 21:56 . 2010-09-07 14:47 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-10-25 21:56 . 2010-09-07 14:46 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-10-25 21:56 . 2010-09-07 15:12 38848 ----a-w- c:\windows\avastSS.scr
2010-10-25 21:56 . 2010-09-07 15:11 167592 ----a-w- c:\windows\system32\aswBoot.exe
2010-10-25 20:44 . 2010-10-25 20:44 -------- d-----w- c:\documents and settings\Administrator
2010-10-23 16:36 . 2010-10-23 16:36 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Data aplikací\Google
2010-10-23 16:32 . 2010-10-24 20:38 -------- d-----w- c:\documents and settings\ACDC\Local Settings\Data aplikací\Temp
2010-10-23 16:32 . 2010-10-23 16:32 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Data aplikací\Google
2010-10-23 16:28 . 2010-10-23 16:54 -------- d-----w- c:\documents and settings\ACDC\Local Settings\Data aplikací\Google
2010-10-23 16:28 . 2010-10-23 16:50 -------- d-----w- c:\program files\Google
2010-10-23 16:17 . 2010-10-25 21:55 -------- d-----w- c:\documents and settings\All Users\Data aplikací\Alwil Software
2010-10-21 19:27 . 2010-10-26 13:29 -------- d-sh--r- c:\documents and settings\ACDC\Data aplikací\L-77685-67895-5687
2010-10-20 11:15 . 2010-10-20 11:15 93184 --sh--r- c:\documents and settings\ACDC\Data aplikací\juzjf.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-10-27 12:47 . 2006-03-02 12:00 4224 ----a-w- c:\windows\system32\drivers\rdpcdd.sys
2010-08-17 13:17 . 2008-04-14 06:52 58880 ----a-w- c:\windows\system32\spoolsv.exe
.

------- Sigcheck -------

[-] 2009-08-17 . 6AD1ECEB3EDCFC6A48B4A6B9287FEE80 . 507904 . . [5.1.2600.5512] . . c:\windows\system32\winlogon.exe

[-] 2009-08-17 . 68F15AB3E766DBA1CAF5021BE96E1F6F . 1034240 . . [6.00.2900.5512] . . c:\windows\explorer.exe

[-] 2008-06-30 . 1E603EA2A3FDBAE9E5B88A8CB3C03124 . 1571840 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((( SnapShot@2010-10-27_11.45.53 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-10-27 16:32 . 2010-10-27 16:32 16384 c:\windows\temp\Perflib_Perfdata_a54.dat
.
(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-05-16 153136]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2010-09-02 13351304]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-01-23 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-01-23 126976]
"AGRSMMSG"="AGRSMMSG.exe" [2004-12-20 88358]
"EPM-DM"="c:\acer\epm\epm-dm.exe" [2005-02-22 180224]
"ePowerManagement"="c:\acer\ePM\ePM.exe" [2005-02-22 2889216]
"LManager"="c:\progra~1\LAUNCH~1\LManager.exe" [2007-01-11 516096]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2005-01-08 102491]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-01-08 692315]
"SoundMan"="SOUNDMAN.EXE" [2004-12-01 77824]
"COMODO SafeSurf"="c:\program files\COMODO\SafeSurf\cssurf.exe" [2010-02-07 278264]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2010-02-07 1797880]
"avast5"="c:\program files\Alwil Software\Avast5\avastUI.exe" [2010-09-07 2838912]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKLM\~\startupfolder\C:^Documents and Settings^ACDC^Nabídka Start^Programy^Po spuštění^vwxnnjzz.exe]
path=c:\documents and settings\ACDC\Nabídka Start\Programy\Po spuštění\vwxnnjzz.exe
backup=c:\windows\pss\vwxnnjzz.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\ICQ7.2\\ICQ.exe"=
"c:\\Program Files\\ICQ7.2\\aolload.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [25.10.2010 23:56 165584]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [7.2.2010 10:33 101776]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [7.2.2010 10:33 31504]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [25.10.2010 23:56 17744]
R2 ICQ Service;ICQ Service;c:\program files\ICQ6Toolbar\ICQ Service.exe [8.2.2010 18:58 246520]
S2 gupdate;Služba Google Update (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [23.10.2010 18:28 136176]
S3 adusbser;AnyDATA USB Device for Legacy Serial Communication;c:\windows\system32\DRIVERS\adusbser.sys --> c:\windows\system32\DRIVERS\adusbser.sys [?]
S3 Axtmvflt;Axesstel USB Filter Service;c:\windows\system32\drivers\Axtmvflt.sys [14.2.2010 20:40 3456]
S3 Axtmvmdm;Axesstel USB Modem;c:\windows\system32\drivers\Axtmvmdm.sys [22.3.2010 16:55 40064]
S3 Axtmvprt;Axesstel Diagnostic Port;c:\windows\system32\drivers\Axtmvprt.sys [22.3.2010 16:57 38784]
.
Obsah adresáře 'Naplánované úlohy'

2010-10-27 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-10-23 16:28]

2010-10-27 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-10-23 16:28]
.
.
------- Doplňkový sken -------
.
uStart Page = hxxp://www.seznam.cz/
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-10-27 18:33
Windows 5.1.2600 Service Pack 3 NTFS

skenování skrytých procesů ...

skenování skrytých položek 'Po spuštění' ...

skenování skrytých souborů ...

sken byl úspešně dokončen
skryté soubory: 0

**************************************************************************
.
--------------------- Knihovny navázané na běžící procesy ---------------------

- - - - - - - > 'explorer.exe'(2812)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Jiné spuštené procesy ------------------------
.
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\windows\system32\rundll32.exe
c:\windows\AGRSMMSG.exe
c:\windows\SOUNDMAN.EXE
c:\acer\eManager\anbmServ.exe
c:\program files\COMODO\COMODO Internet Security\cmdagent.exe
c:\program files\Skype\Plugin Manager\SkypePM.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Ahead\Lib\NMIndexingService.exe
c:\windows\system32\wbem\wmiapsrv.exe
c:\program files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
c:\windows\system32\igfxext.exe
.
**************************************************************************
.
Celkový čas: 2010-10-27 18:38:45 - počítač byl restartován
ComboFix-quarantined-files.txt 2010-10-27 16:38
ComboFix2.txt 2010-10-27 13:56
ComboFix3.txt 2010-10-27 13:13
ComboFix4.txt 2010-10-27 11:51

Před spuštěním: Volných bajtů: 25 726 820 352
Po spuštění: Volných bajtů: 25 753 518 080

- - End Of File - - B433691D5136D9982749890632617865

daco si zmrvil, ako sa tam dostali do vymazu?/
C:\explorer.exe
C:\winlogon.exe

este raz a skontroluj ci na c:\mas systemove subory.

Pri tejto akcii je nutné mať ComboFix na ploche.

Vypni>FIREWALL>Antivir>Antispyware>vsetko rezidentne.

Otvor Notepad (Poznámkový blok) a zkopíruj do neho celý zeleny tex: Potom klik na Subor -> Uložiť ako.. .. -> Ako je Názov souboru tak do toho riadku napiš:CFScript.txt
Typ súboru tak tam vyberies *všetky súbory
A ulož ho na plochu.> Pozor CFScript.txt>Neotvarat a nemoze byt ani>CFScript.txt.txt A Urobis Toto :


Po skonceni skenu vlož log čo ComboFix vytvorí

vsechno jsem delal jak bylo napsany, akorat po spuštění combofixu naskočilo "Založte originální CD se Service Packem 3", že je prý potřeba některé soubory obnovit. a CD s SP3 samozrejme nemam

no co blbne combofix,
sprav to este raz, ale znova skopiruj systemove sybory na c:\musis to rozbalit a len systemove subory tam vloz.