VIRY.CZ

Dobrý den,

po několika týdnech jsem preventivně zkontroloval počítač a našel několik desítek kusů nemilé havěti. Po kontrole MWAVem jsem je promazal a pak pro jistotu ještě projel CF. O paranoje MWAV vím, ale pokud se jedná o 50 - 60 infikovaných souborů(souborů, ne věcí typu ".... nalezen v souborovém systému..."), myslím si že většina poplachů nebyla falešná, ale vkládám log z CF a za chvíli dodám RSIT.

ComboFix 10-05-07.07 - Administrator 08.05.2010 20:31:31.1.1 - x86
Systém Microsoft Windows XP Professional 5.1.2600.2.1250.420.1029.18.1023.536 [GMT 2:00]
Spuštěný z: L:\ComboFix.exe
AV: ESET NOD32 Antivirus 3.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: Sunbelt Personal Firewall *enabled* {2736EE90-D7F8-499E-AA60-E65D4C2FE069}
.

((((((((((((((((((((((((((((((((((((((( Ostatní výmazy )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\jestertb.dll
c:\windows\regedit.com
c:\windows\system32\taskmgr.com
c:\windows\system32\VB6KO.DLL
c:\windows\system32\winlogon.bak
c:\windows\system32\wl.exe

.
((((((((((((((((((((((((( Soubory vytvořené od 2010-04-08 do 2010-05-08 )))))))))))))))))))))))))))))))
.

2010-05-08 14:29 . 2010-05-08 18:13 -------- d-----w- C:\!KillBox
2010-05-08 14:03 . 2010-05-08 14:03 -------- d---a-w- c:\windows\rundll16.exe
2010-05-08 14:03 . 2010-05-08 14:03 -------- d---a-w- c:\windows\logo1_.exe
2010-04-30 18:14 . 1996-05-31 18:16 721168 ----a-w- c:\windows\system32\VB40032.DLL
2010-04-30 18:12 . 2000-07-21 07:14 274704 ----a-w- c:\windows\system32\ntwdblib.dll
2010-04-30 18:12 . 2000-07-21 07:23 1046288 ----a-w- c:\windows\system32\msjet35.dll
2010-04-30 18:09 . 2010-04-30 18:09 -------- d-----w- c:\program files\Common Files\Crystal Decisions
2010-04-30 16:02 . 2010-04-30 16:02 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-04-24 13:05 . 2010-04-24 13:11 -------- d-----w- c:\program files\ProfiCAD
2010-04-10 10:30 . 2006-10-26 17:56 33104 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\msonpppr.dll
2010-04-10 10:30 . 2008-11-10 09:41 32656 ----a-w- c:\windows\system32\msonpmon.dll
2010-04-10 10:28 . 2010-04-10 12:04 -------- d-----w- c:\program files\Microsoft Works
2010-04-10 10:22 . 2010-04-10 10:22 -------- d-----r- C:\MSOCache

.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-08 18:16 . 2008-07-15 15:03 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-05-08 14:52 . 2010-01-22 21:07 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-05-01 11:35 . 2008-07-29 13:06 -------- d-----w- c:\program files\Scorpions WinCheater
2010-04-30 16:02 . 2008-07-15 15:56 -------- d-----w- c:\program files\Java
2010-04-10 10:57 . 2008-07-16 09:30 -------- d-----w- c:\program files\MSBuild
2010-04-09 18:01 . 2009-08-01 18:41 -------- d-----w- c:\program files\Opera
2010-04-02 06:46 . 2008-11-14 23:17 22328 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2010-04-02 06:46 . 2008-10-15 17:43 107832 ----a-w- c:\windows\system32\PnkBstrB.exe
2010-04-02 06:45 . 2008-10-15 17:43 66872 ----a-w- c:\windows\system32\PnkBstrA.exe
2010-04-02 06:45 . 2008-11-14 23:50 682280 ----a-w- c:\windows\system32\pbsvc.exe
2010-03-28 11:07 . 2003-04-16 11:00 83630 ----a-w- c:\windows\system32\perfc005.dat
2010-03-28 11:07 . 2003-04-16 11:00 440310 ----a-w- c:\windows\system32\perfh005.dat
2010-03-27 18:21 . 2010-03-27 18:21 279712 ----a-w- c:\windows\system32\drivers\atksgt.sys
2010-03-27 18:21 . 2010-03-27 18:21 25888 ----a-w- c:\windows\system32\drivers\lirsgt.sys
2010-03-12 21:47 . 2010-03-12 21:47 -------- d-----w- c:\program files\Common Files\PCSuite
2010-03-12 21:47 . 2009-07-22 13:21 -------- d-----w- c:\program files\Common Files\Nokia
2010-03-12 21:47 . 2009-06-14 16:10 -------- d-----w- c:\program files\Nokia
2010-03-12 21:45 . 2010-03-12 21:45 -------- d-----w- c:\program files\PC Connectivity Solution
2010-03-12 15:17 . 2008-07-15 15:56 -------- d-----w- c:\program files\Common Files\Java
2010-03-10 06:17 . 2004-08-17 13:49 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-06 15:11 . 2008-12-26 19:13 1245 ----a-w- c:\windows\eReg.dat
2010-02-25 06:18 . 2004-08-17 13:49 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 12:31 . 2004-08-03 21:15 454016 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-16 19:34 . 2004-08-17 15:45 2060544 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-16 19:34 . 2004-08-17 13:45 2183552 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-12 10:03 . 2010-03-19 15:11 293376 ------w- c:\windows\system32\browserchoice.exe
2010-02-12 04:47 . 2004-08-17 13:49 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 12:01 . 2004-08-03 21:07 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
2004-10-01 13:00 . 2008-07-15 15:11 40960 ----a-w- c:\program files\Uninstall_CDS.exe
.

------- Sigcheck -------

[-] 2008-07-15 . 427E6DED3A2369D3432A683EB489EE14 . 502272 . . [5.1.2600.2180] . . c:\windows\system32\winlogon.exe
[-] 2008-04-14 . CDDB1F8E1AEA356F3AD106F2CF9B7FEA . 507904 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\1dab8d41b73a912c39f7d3fd77a4df39\winlogon.exe

[-] 2008-04-14 . 56A6034E7764E23D9114223EB3523925 . 1571840 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\1dab8d41b73a912c39f7d3fd77a4df39\sfcfiles.dll
[-] 2004-11-28 13:36 . AB3D62010AF342203FFA60C2D94DBC68 . 8704 . . [1] . . c:\windows\system32\sfcfiles.dll
.
(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-11-07 21633320]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-03-09 7561216]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-03 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 455168]
"nwiz"="nwiz.exe" [2006-03-09 1519616]
"NvMediaCenter"="NvMCTray.dll" [2006-03-09 86016]
"Kerio VPN Client"="c:\program files\Kerio\VPN Client\kvpncgui.exe" [2009-07-14 4986728]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-10-07 1461080]
"RTHDCPL"="RTHDCPL.EXE" [2006-05-18 16207872]
"SkyTel"="SkyTel.EXE" [2006-05-16 2879488]
"etMonitor"="c:\windows\etMon.exe" [2007-02-14 102400]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0\bin\jusched.exe" [2008-07-15 77824]

c:\documents and settings\Administrator\Nabˇdka Start\Programy\Po spuçtŘnˇ\
miranda.lnk - c:\miranda im\miranda32.exe [2010-4-30 697443]
RTHDCPL.EXE.lnk - c:\windows\RTHDCPL.EXE [2008-7-15 16207872]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-01-11 20:16 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ASUS SmartDoctor]
2006-03-24 08:38 1073152 ----a-w- c:\program files\ASUS\SmartDoctor\SmartDoctor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBJ]
2004-09-07 10:55 1871872 ------w- c:\program files\Ahead\Nero BackItUp\NBJ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 09:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 15:07 2260480 --sha-r- c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirtualCloneDrive]
2008-06-29 22:01 52168 ----a-w- c:\program files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"StarWindServiceAE"=2 (0x2)
"PnkBstrB"=3 (0x3)
"PnkBstrA"=2 (0x2)
"LightScribeService"=2 (0x2)
"Lavasoft Ad-Aware Service"=3 (0x3)
"JavaQuickStarterService"=2 (0x2)
"IDriverT"=3 (0x3)
"FLEXnet Licensing Service"=3 (0x3)
"KVPNCSvc"=2 (0x2)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"eset nod32"=c:\program files\ESET\ESET NOD32 Antivirus\egui.exe /w

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001
"Nová hodnota #1"=hex:

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"d:\\Hry\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"d:\\Hry\\S.T.A.L.K.E.R\\S.T.A.L.K.E.R. - Shadow of Chernobyl\\bin\\XR_3DA.exe"=
"d:\\Hry\\S.T.A.L.K.E.R\\S.T.A.L.K.E.R. - Shadow of Chernobyl\\bin\\dedicated\\XR_3DA.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009

R0 fsbts;fsbts;c:\windows\system32\drivers\fsbts.sys [3.4.2009 16:24 26624]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [1.7.2008 9:04 35168]
R1 SbFw;SbFw;c:\windows\system32\drivers\SbFw.sys [15.7.2008 17:34 269736]
R1 sbhips;Sunbelt HIPS Driver;c:\windows\system32\drivers\sbhips.sys [21.6.2008 4:54 66600]
R2 ekrn;Eset Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [7.10.2009 10:16 472280]
R2 SbPF.Launcher;SbPF.Launcher;c:\program files\Sunbelt Software\Personal Firewall\SbPFLnch.exe [1.7.2008 10:51 95528]
R2 SPF4;Sunbelt Personal Firewall 4;c:\program files\Sunbelt Software\Personal Firewall\SbPFSvc.exe [1.7.2008 10:51 1357096]
R3 SBFWIMCL;Sunbelt Software Firewall NDIS IM Filter Miniport;c:\windows\system32\drivers\SbFwIm.sys [15.7.2008 17:34 65576]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
S0 sptd;sptd;c:\windows\system32\Drivers\sptd.sys --> c:\windows\system32\Drivers\sptd.sys [?]
S2 KVPNCSvc;Kerio VPN Client Service;c:\program files\Kerio\VPN Client\kvpncsvc.exe [14.7.2009 18:18 968552]
S2 lmgrd;Flexlm;"c:\orcad\OrCAD_10.5\IntelliCAD 4\LicenseManager\lmgrd.exe" --> c:\orcad\OrCAD_10.5\IntelliCAD 4\LicenseManager\lmgrd.exe [?]
S3 atidgllk;atidgllk;c:\program files\ASUS\SmartDoctor\atidgllk.sys [20.10.2005 10:29 5376]
S3 cpuz130;cpuz130;\??\c:\docume~1\ADMINI~1\LOCALS~1\Temp\cpuz130\cpuz_x32.sys --> c:\docume~1\ADMINI~1\LOCALS~1\Temp\cpuz130\cpuz_x32.sys [?]
S3 DCamUSBET;USB 2.0 WebCam;c:\windows\system32\drivers\etDevice.sys [16.1.2009 15:06 475392]
S3 e5d9f345-0127-47d1-873b-c17cedfa0505;e5d9f345-0127-47d1-873b-c17cedfa0505;\??\e:\player\cds300.dll --> e:\player\cds300.dll [?]
S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [10.7.2009 16:11 8704]
S3 esihdrv;esihdrv;\??\c:\docume~1\ADMINI~1\LOCALS~1\Temp\esihdrv.sys --> c:\docume~1\ADMINI~1\LOCALS~1\Temp\esihdrv.sys [?]
S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [10.7.2009 16:11 3072]
S3 F-Secure Standalone Minifilter;F-Secure Standalone Minifilter;\??\c:\documents and settings\Administrator\Local Settings\Temp\{B0386FD8-F807-4277-B3D2-0C4999EDC625}\fsgk.sys --> c:\documents and settings\Administrator\Local Settings\Temp\{B0386FD8-F807-4277-B3D2-0C4999EDC625}\fsgk.sys [?]
S3 FiltUSBET;ET USB Device Lower Filter;c:\windows\system32\drivers\etFilter.sys [16.1.2009 15:06 200832]
S3 kvnet;Kerio Virtual Network Adapter;c:\windows\system32\drivers\kvnet.sys [23.3.2009 11:25 29696]
S3 kwflower;Kerio WinRoute Firewall Driver - Lower Layer;c:\windows\system32\DRIVERS\kwflower.sys --> c:\windows\system32\DRIVERS\kwflower.sys [?]
S3 ScanUSBET;ET USB Still Image Capture Device;c:\windows\system32\drivers\etScan.sys [16.1.2009 15:06 6656]
.
Obsah adresáře 'Naplánované úlohy'
.
.
------- Doplňkový sken -------
.
uStart Page = hxxp://www.garena.com/portal/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: E&xportovat do aplikace Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
IE: E&xportovat do aplikace Microsoft Office Excel - c:\progra~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
Trusted Zone: microsoft.com\*.windowsupdate
Trusted Zone: windowsupdate.com
FF - ProfilePath - c:\documents and settings\Administrator\Data aplikací\Mozilla\Firefox\Profiles\0zesmqsn.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.centrum.cz/
FF - prefs.js: keyword.URL - hxxp://toolbar.ask.com/toolbarv/askRedirect?o=101795&gct=&gc=1&q=
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- NASTAVENÍ FIREFOXU ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".cz");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - NEPLATNÉ POLOŽKY ODSTRANĚNÉ Z REGISTRU - - - -

MSConfigStartUp-Ad-Watch - c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
AddRemove-Nokia PC Suite - c:\documents and settings\All Users\Data aplikací\Installations\{19DC9559-9C20-4A46-A67D-7ECBA52A2788}\Nokia_PC_Suite_cze_web.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-08 20:39
Windows 5.1.2600 Service Pack 2 NTFS

skenování skrytých procesů ...

skenování skrytých položek 'Po spuštění' ...

skenování skrytých souborů ...

sken byl úspešně dokončen
skryté soubory: 0

**************************************************************************
.
--------------------- ZAMKNUTÉ KLÍČE V REGISTRU ---------------------

[HKEY_USERS\S-1-5-21-1844237615-220523388-725345543-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,2b,40,e4,43,c5,0c,8d,45,88,a2,95,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,2b,40,e4,43,c5,0c,8d,45,88,a2,95,\

[HKEY_USERS\S-1-5-21-1844237615-220523388-725345543-500\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-1844237615-220523388-725345543-500\Software\SecuROM\License information*]
"datasecu"=hex:ab,cf,8a,3d,7b,6e,5a,b6,c0,1f,0f,02,1c,fc,01,fc,6b,05,98,bd,dc,
d1,b2,7a,3c,bd,31,34,54,d1,56,77,42,dc,ba,a4,76,f5,b3,09,29,a7,cf,ab,60,de,\
"rkeysecu"=hex:e4,e8,67,39,04,4b,31,40,fd,7f,7c,e8,ad,b3,4d,6e
.
Celkový čas: 2010-05-08 20:42:37
ComboFix-quarantined-files.txt 2010-05-08 18:42

Před spuštěním: Volných bajtů: 18 553 630 720
Po spuštění: Volných bajtů: 19 067 707 392

WindowsXP-KB310994-SP2-Pro-BootDisk-CSY.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /usepmtimer

- - End Of File - - F009A98878C60C9DDCD65709D1041D11

přidávám log z RSIT pro úplnost, pokud bude třeba dodám ještě OTL nebo MWAV.

LOG:
Logfile of random's system information tool 1.07 (written by random/random)
Run by Administrator at 2010-05-08 21:03:23
Systém Microsoft Windows XP Professional Service Pack 2
System drive C: has 18 GB (45%) free of 40 GB
Total RAM: 1023 MB (39% free)

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 21:04:12, on 8.5.2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\WINDOWS\ATKKBService.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Sunbelt Software\Personal Firewall\SbPFLnch.exe
C:\Program Files\Sunbelt Software\Personal Firewall\SbPFSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Sunbelt Software\Personal Firewall\SbPFCl.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Administrator\Plocha\RSIT.exe
C:\Program Files\trend micro\Administrator.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.garena.com/portal/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
O2 - BHO: Podpora odkazu pro Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - (no file)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Kerio VPN Client] "C:\Program Files\Kerio\VPN Client\kvpncgui.exe" /tray
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [etMonitor] C:\WINDOWS\etMon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Startup: miranda.lnk = C:\Miranda IM\miranda32.exe
O4 - Startup: RTHDCPL.EXE.lnk = C:\WINDOWS\RTHDCPL.EXE
O8 - Extra context menu item: E&xportovat do aplikace Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: E&xportovat do aplikace Microsoft Office Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O15 - Trusted Zone: http://*.windowsupdate.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 6137025200
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Proces mezipaměti kategorií součástí - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Kerio VPN Client Service (KVPNCSvc) - Kerio Technologies Inc. - C:\Program Files\Kerio\VPN Client\kvpncsvc.exe
O23 - Service: Flexlm (lmgrd) - Unknown owner - C:\OrCAD\OrCAD_10.5\IntelliCAD 4\LicenseManager\lmgrd.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SbPF.Launcher - Sunbelt Software, Inc. - C:\Program Files\Sunbelt Software\Personal Firewall\SbPFLnch.exe
O23 - Service: Sunbelt Personal Firewall 4 (SPF4) - Sunbelt Software, Inc. - C:\Program Files\Sunbelt Software\Personal Firewall\SbPFSvc.exe
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/msohtml1/01/clip_image002.jpg

--
End of file - 6992 bytes

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
Podpora odkazu pro Adobe PDF Reader - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [2006-10-22 62080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
Spybot-S&D IE Protection - C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2009-01-26 1879896]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java(tm) Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2010-04-30 41760]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2010-04-30 79648]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"=C:\WINDOWS\system32\NvCpl.dll [2006-03-09 7561216]
"MSPY2002"=C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe [2004-08-03 59392]
"PHIME2002ASync"=C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE [2004-08-03 455168]
"PHIME2002A"=C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE [2004-08-03 455168]
"nwiz"=nwiz.exe /install []
"NvMediaCenter"=NvMCTray.dll,NvTaskbarInit []
"Kerio VPN Client"=C:\Program Files\Kerio\VPN Client\kvpncgui.exe [2009-07-14 4986728]
"egui"=C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe [2009-10-07 1461080]
"RTHDCPL"=C:\WINDOWS\RTHDCPL.EXE [2006-05-18 16207872]
"SkyTel"=C:\WINDOWS\SkyTel.EXE [2006-05-16 2879488]
"etMonitor"=C:\WINDOWS\etMon.exe [2007-02-14 102400]
"SunJavaUpdateSched"=C:\Program Files\Java\jre1.6.0\bin\jusched.exe [2008-07-15 77824]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Skype"=C:\Program Files\Skype\Phone\Skype.exe [2008-11-07 21633320]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe [2008-01-11 39792]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ASUS SmartDoctor]
C:\Program Files\ASUS\SmartDoctor\SmartDoctor.exe [2006-03-24 1073152]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBJ]
C:\Program Files\Ahead\Nero BackItUp\NBJ.exe [2004-09-07 1871872]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe [2001-07-09 155648]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirtualCloneDrive]
C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe [2008-06-30 52168]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3
"StarWindServiceAE"=2
"PnkBstrB"=3
"PnkBstrA"=2
"LightScribeService"=2
"Lavasoft Ad-Aware Service"=3
"JavaQuickStarterService"=2
"IDriverT"=3
"FLEXnet Licensing Service"=3
"KVPNCSvc"=2

C:\Documents and Settings\Administrator\Nabídka Start\Programy\Po spuštění
miranda.lnk - C:\Miranda IM\miranda32.exe
RTHDCPL.EXE.lnk - C:\WINDOWS\RTHDCPL.EXE

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2008-08-11 267304]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]
UPnPMonitor - {e57ce738-33e8-4c51-8354-bb4de9d215d1} - C:\WINDOWS\system32\upnpui.dll [2004-08-17 239616]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Lavasoft Ad-Aware Service]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Wdf01000.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\{1a3e09be-1e45-494b-9174-d7385b45bbf5}]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=323
"NoDriveAutoRun"=67108863
"NoDrives"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=
"NoDriveAutoRun"=
"NoDriveTypeAutoRun"=
"NoDrives"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\WINDOWS\system32\PnkBstrA.exe"="C:\WINDOWS\system32\PnkBstrA.exe:*:Enabled:PnkBstrA"
"C:\WINDOWS\system32\PnkBstrB.exe"="C:\WINDOWS\system32\PnkBstrB.exe:*:Enabled:PnkBstrB"
"C:\Program Files\Bonjour\mDNSResponder.exe"="C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour"
"D:\Hry\Call of Duty 4 - Modern Warfare\iw3mp.exe"="D:\Hry\Call of Duty 4 - Modern Warfare\iw3mp.exe:*:Enabled:Call of Duty(R) 4 - Modern Warfare(TM) "
"C:\Program Files\Opera\opera.exe"="C:\Program Files\Opera\opera.exe:*:Enabled:Opera Internet Browser"
"D:\Hry\S.T.A.L.K.E.R\S.T.A.L.K.E.R. - Shadow of Chernobyl\bin\XR_3DA.exe"="D:\Hry\S.T.A.L.K.E.R\S.T.A.L.K.E.R. - Shadow of Chernobyl\bin\XR_3DA.exe:*:Enabled:S.T.A.L.K.E.R. - Shadow of Chernobyl (CLI)"
"D:\Hry\S.T.A.L.K.E.R\S.T.A.L.K.E.R. - Shadow of Chernobyl\bin\dedicated\XR_3DA.exe"="D:\Hry\S.T.A.L.K.E.R\S.T.A.L.K.E.R. - Shadow of Chernobyl\bin\dedicated\XR_3DA.exe:*:Enabled:S.T.A.L.K.E.R. - Shadow of Chernobyl (SRV)"
"C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE"="C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE"="C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote"
"C:\Program Files\Skype\Phone\Skype.exe"="C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

======List of files/folders created in the last 1 months======

2010-05-08 21:03:23 ----D---- C:\rsit
2010-05-08 20:42:44 ----D---- C:\WINDOWS\temp
2010-05-08 20:42:40 ----A---- C:\ComboFix.txt
2010-05-08 20:30:33 ----A---- C:\Boot.bak
2010-05-08 20:30:27 ----RASHD---- C:\cmdcons
2010-05-08 20:27:28 ----A---- C:\WINDOWS\zip.exe
2010-05-08 20:27:28 ----A---- C:\WINDOWS\SWXCACLS.exe
2010-05-08 20:27:28 ----A---- C:\WINDOWS\SWSC.exe
2010-05-08 20:27:28 ----A---- C:\WINDOWS\SWREG.exe
2010-05-08 20:27:28 ----A---- C:\WINDOWS\sed.exe
2010-05-08 20:27:28 ----A---- C:\WINDOWS\PEV.exe
2010-05-08 20:27:28 ----A---- C:\WINDOWS\NIRCMD.exe
2010-05-08 20:27:28 ----A---- C:\WINDOWS\MBR.exe
2010-05-08 20:27:28 ----A---- C:\WINDOWS\grep.exe
2010-05-08 20:27:01 ----D---- C:\ComboFix
2010-05-08 20:25:54 ----D---- C:\Qoobox
2010-05-08 16:29:43 ----D---- C:\!KillBox
2010-05-08 16:03:08 ----AD---- C:\WINDOWS\rundll16.exe
2010-05-08 16:03:08 ----AD---- C:\WINDOWS\logo1_.exe
2010-04-30 20:14:28 ----A---- C:\WINDOWS\system32\VB40032.DLL
2010-04-30 20:12:14 ----A---- C:\WINDOWS\system32\ntwdblib.dll
2010-04-30 20:12:13 ----A---- C:\WINDOWS\system32\msjet35.dll
2010-04-30 20:09:54 ----D---- C:\Program Files\Common Files\Crystal Decisions
2010-04-30 19:34:34 ----A---- C:\WINDOWS\splash.INI
2010-04-30 18:02:51 ----A---- C:\WINDOWS\system32\javaws.exe
2010-04-30 18:02:51 ----A---- C:\WINDOWS\system32\deployJava1.dll
2010-04-30 18:02:50 ----A---- C:\WINDOWS\system32\javaw.exe
2010-04-30 18:02:50 ----A---- C:\WINDOWS\system32\java.exe
2010-04-24 15:05:54 ----D---- C:\Documents and Settings\Administrator\Data aplikací\ProfiCAD
2010-04-24 15:05:51 ----D---- C:\Program Files\ProfiCAD
2010-04-10 12:30:47 ----A---- C:\WINDOWS\system32\msonpmon.dll
2010-04-10 12:28:40 ----D---- C:\Program Files\Microsoft Works
2010-04-10 12:28:13 ----D---- C:\Program Files\Microsoft Visual Studio
2010-04-10 12:28:13 ----D---- C:\Program Files\Common Files\DESIGNER
2010-04-10 12:22:43 ----RD---- C:\MSOCache

======List of files/folders modified in the last 1 months======

2010-05-08 21:04:12 ----D---- C:\Program Files\Trend Micro
2010-05-08 20:42:44 ----D---- C:\WINDOWS
2010-05-08 20:41:27 ----SD---- C:\WINDOWS\Tasks
2010-05-08 20:40:09 ----D---- C:\WINDOWS\ERDNT
2010-05-08 20:39:28 ----A---- C:\WINDOWS\system.ini
2010-05-08 20:38:44 ----D---- C:\WINDOWS\system32
2010-05-08 20:35:34 ----D---- C:\WINDOWS\system32\drivers
2010-05-08 20:35:34 ----D---- C:\WINDOWS\AppPatch
2010-05-08 20:35:33 ----D---- C:\Program Files\Common Files
2010-05-08 20:31:09 ----D---- C:\WINDOWS\system32\CatRoot2
2010-05-08 20:30:33 ----RASH---- C:\boot.ini
2010-05-08 20:27:41 ----A---- C:\WINDOWS\SchedLgU.Txt
2010-05-08 20:27:23 ----SHD---- C:\System Volume Information
2010-05-08 20:27:23 ----D---- C:\WINDOWS\system32\Restore
2010-05-08 20:27:07 ----D---- C:\WINDOWS\Prefetch
2010-05-08 20:26:32 ----A---- C:\WINDOWS\NeroDigital.ini
2010-05-08 20:24:32 ----A---- C:\WINDOWS\wincmd.ini
2010-05-08 20:20:10 ----D---- C:\Program Files
2010-05-08 20:19:22 ----D---- C:\Ccleaner zalohy
2010-05-08 20:18:53 ----D---- C:\Documents and Settings\All Users\Data aplikací\Spybot - Search & Destroy
2010-05-08 20:16:25 ----HD---- C:\Program Files\InstallShield Installation Information
2010-05-08 20:16:24 ----SHD---- C:\WINDOWS\Installer
2010-05-08 19:54:06 ----D---- C:\totalcmd
2010-05-08 19:53:47 ----D---- C:\Program Files\WinRAR
2010-05-08 16:52:16 ----D---- C:\Program Files\Common Files\Wise Installation Wizard
2010-05-08 15:05:39 ----D---- C:\WINDOWS\system32\LogFiles
2010-05-08 14:53:10 ----D---- C:\Documents and Settings\Administrator\Data aplikací\Skype
2010-05-08 08:46:49 ----D---- C:\Documents and Settings\Administrator\Data aplikací\skypePM
2010-05-01 13:35:24 ----D---- C:\Program Files\Scorpions WinCheater
2010-05-01 11:58:04 ----SD---- C:\Documents and Settings\Administrator\Data aplikací\Microsoft
2010-05-01 11:57:53 ----DC---- C:\WINDOWS\system32\DRVSTORE
2010-04-30 22:44:27 ----A---- C:\WINDOWS\ODBC.INI
2010-04-30 18:02:22 ----D---- C:\Program Files\Java
2010-04-25 00:31:51 ----A---- C:\WINDOWS\win.ini
2010-04-24 08:28:20 ----HD---- C:\WINDOWS\inf
2010-04-24 08:28:20 ----D---- C:\WINDOWS\system32\DirectX
2010-04-17 23:20:33 ----D---- C:\Documents and Settings\All Users\Data aplikací\Microsoft Help
2010-04-15 18:31:13 ----D---- C:\WINDOWS\Debug
2010-04-15 12:47:40 ----D---- C:\WINDOWS\system32\DllCache
2010-04-15 12:47:30 ----HD---- C:\WINDOWS\$hf_mig$
2010-04-15 12:39:54 ----D---- C:\WINDOWS\ie8updates
2010-04-10 15:29:36 ----D---- C:\Documents and Settings\Administrator\Data aplikací\gtk-2.0
2010-04-10 14:04:39 ----RSD---- C:\WINDOWS\Fonts
2010-04-10 14:04:31 ----D---- C:\Program Files\Common Files\Microsoft Shared
2010-04-10 14:02:35 ----D---- C:\Program Files\Common Files\System
2010-04-10 12:57:00 ----D---- C:\Program Files\MSBuild
2010-04-10 12:33:32 ----D---- C:\WINDOWS\SHELLNEW
2010-04-10 12:30:41 ----D---- C:\WINDOWS\system32\config
2010-04-10 12:28:21 ----D---- C:\Program Files\Microsoft Office
2010-04-09 20:01:38 ----D---- C:\Program Files\Opera

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 AmdK8;Ovladač procesoru AMD; C:\WINDOWS\system32\DRIVERS\AmdK8.sys [2006-07-01 43008]
R1 Aspi32;Aspi32; C:\WINDOWS\System32\drivers\aspi32.sys [1999-09-10 25244]
R1 asuskbnt;Enhanced Display Driver Helper Service; C:\WINDOWS\system32\drivers\atkkbnt.sys [2005-10-18 11008]
R1 easdrv;easdrv; C:\WINDOWS\system32\DRIVERS\easdrv.sys [2009-10-07 54184]
R1 ElbyCDIO;ElbyCDIO Driver; C:\WINDOWS\System32\Drivers\ElbyCDIO.sys [2008-07-21 24392]
R1 epfwtdir;epfwtdir; C:\WINDOWS\system32\DRIVERS\epfwtdir.sys [2009-10-07 35168]
R1 SbFw;SbFw; C:\WINDOWS\system32\drivers\SbFw.sys [2008-06-21 269736]
R1 sbhips;Sunbelt HIPS Driver; C:\WINDOWS\system32\drivers\sbhips.sys [2008-06-21 66600]
R1 sdcplh;sdcplh; C:\WINDOWS\System32\drivers\sdcplh.sys [2005-11-09 55168]
R1 Tcpip6;Ovladač protokolu Microsoft IPv6; C:\WINDOWS\system32\DRIVERS\tcpip6.sys [2010-02-11 226880]
R2 atksgt;atksgt; C:\WINDOWS\system32\DRIVERS\atksgt.sys [2010-03-27 279712]
R2 eamon;EAMON; C:\WINDOWS\system32\DRIVERS\eamon.sys [2009-10-07 40824]
R2 EIO;EIO; \??\C:\WINDOWS\system32\drivers\EIO.sys []
R2 irda;Protokol IrDA; C:\WINDOWS\system32\DRIVERS\irda.sys [2004-08-04 87424]
R2 lirsgt;lirsgt; C:\WINDOWS\system32\DRIVERS\lirsgt.sys [2010-03-27 25888]
R2 NwlnkIpx;Transportní protokol kompatibilní s NWLink IPX/SPX/NetBIOS; C:\WINDOWS\system32\DRIVERS\nwlnkipx.sys [2004-08-03 88448]
R2 NwlnkNb;Služba NWLink pro rozhraní NetBIOS; C:\WINDOWS\system32\DRIVERS\nwlnknb.sys [2003-04-16 63232]
R2 NwlnkSpx;Protokol NWLink SPX/SPXII; C:\WINDOWS\system32\DRIVERS\nwlnkspx.sys [2003-04-16 55936]
R2 rspndr;Odpovídající zařízení zjišťování topologie linkové vrstvy; C:\WINDOWS\system32\DRIVERS\rspndr.sys [2006-11-08 62336]
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2005-01-07 138752]
R3 hidusb;Ovladač třídy standardu HID; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2003-04-16 9600]
R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\WINDOWS\system32\drivers\RtkHDAud.sys [2006-05-16 4275712]
R3 irsir;Microsoft Serial Infrared Driver; C:\WINDOWS\system32\DRIVERS\irsir.sys [2001-08-17 18688]
R3 mouhid;Ovladač myši standardu HID; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2003-04-16 12160]
R3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2006-03-09 3650368]
R3 NVENETFD;NVIDIA nForce Networking Controller Driver; C:\WINDOWS\system32\DRIVERS\NVENETFD.sys [2006-03-22 52736]
R3 nvnetbus;NVIDIA Network Bus Enumerator; C:\WINDOWS\system32\DRIVERS\nvnetbus.sys [2006-03-22 18944]
R3 Rasirda;WAN Miniport (IrDA); C:\WINDOWS\system32\DRIVERS\rasirda.sys [2001-08-17 19584]
R3 SBFWIMCL;Sunbelt Software Firewall NDIS IM Filter Miniport; C:\WINDOWS\system32\DRIVERS\sbfwim.sys [2008-06-21 65576]
R3 tunmp;Microsoft Tun Miniport Adapter Driver; C:\WINDOWS\system32\DRIVERS\tunmp.sys [2004-08-17 12416]
R3 usbehci;Ovladač miniportu rozšířeného radiče hostitele Microsoft USB 2.0; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2004-08-03 26624]
R3 usbhub;Rozbočovač umožnující USB2; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2004-08-03 57600]
R3 usbohci;Ovladač Miniport otevřeného hostitelského řadiče Microsoft USB; C:\WINDOWS\system32\DRIVERS\usbohci.sys [2004-08-03 17024]
R3 USBSTOR;Ovladač velkokapacitního paměťového zařízení USB; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-04 26496]
R3 VClone;VClone; C:\WINDOWS\system32\DRIVERS\VClone.sys [2008-09-24 29184]
S3 atidgllk;atidgllk; \??\C:\Program Files\ASUS\SmartDoctor\atidgllk.sys []
S3 catchme;catchme; \??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\catchme.sys []
S3 CCDECODE;Dekodér Closed Caption; C:\WINDOWS\system32\DRIVERS\CCDECODE.sys [2004-08-04 17024]
S3 cpuz130;cpuz130; \??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\cpuz130\cpuz_x32.sys []
S3 DCamUSBET;USB 2.0 WebCam; C:\WINDOWS\system32\DRIVERS\etDevice.sys [2007-10-12 475392]
S3 dtscsi;dtscsi; C:\WINDOWS\System32\Drivers\dtscsi.sys []
S3 e5d9f345-0127-47d1-873b-c17cedfa0505;e5d9f345-0127-47d1-873b-c17cedfa0505; \??\E:\Player\cds300.dll []
S3 ENTECH;ENTECH; \??\C:\WINDOWS\system32\DRIVERS\ENTECH.sys []
S3 epmntdrv;epmntdrv; \??\C:\WINDOWS\system32\epmntdrv.sys []
S3 esihdrv;esihdrv; \??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\esihdrv.sys []
S3 EuGdiDrv;EuGdiDrv; \??\C:\WINDOWS\system32\EuGdiDrv.sys []
S3 FiltUSBET;ET USB Device Lower Filter; C:\WINDOWS\system32\DRIVERS\etFilter.sys [2007-11-23 200832]
S3 F-Secure Standalone Minifilter;F-Secure Standalone Minifilter; \??\C:\Documents and Settings\Administrator\Local Settings\Temp\{B0386FD8-F807-4277-B3D2-0C4999EDC625}\fsgk.sys []
S3 GMSIPCI;GMSIPCI; \??\D:\INSTALL\GMSIPCI.SYS []
S3 kvnet;Kerio Virtual Network Adapter; C:\WINDOWS\system32\DRIVERS\kvnet.sys [2009-03-23 29696]
S3 kwflower;Kerio WinRoute Firewall Driver - Lower Layer; C:\WINDOWS\system32\DRIVERS\kwflower.sys []
S3 mbr;mbr; \??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\mbr.sys []
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\WINDOWS\system32\drivers\MSTEE.sys [2004-08-03 5504]
S3 NABTSFEC;NABTS/FEC VBI Codec; C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys [2004-08-04 85376]
S3 NdisIP;Microsoft TV/Video Connection; C:\WINDOWS\system32\DRIVERS\NdisIP.sys [2004-08-04 10880]
S3 nm;Ovladač programu Sledování sítě; C:\WINDOWS\system32\DRIVERS\NMnt.sys [2004-08-03 40320]
S3 nmwcd;Nokia USB Phone Parent; C:\WINDOWS\system32\drivers\ccdcmb.sys [2009-10-06 17664]
S3 nmwcdc;Nokia USB Generic; C:\WINDOWS\system32\drivers\ccdcmbo.sys [2009-10-06 22016]
S3 PCASp50;PCASp50 NDIS Protocol Driver; C:\WINDOWS\System32\Drivers\PCASp50.sys [2004-10-25 17664]
S3 pccsmcfd;PCCS Mode Change Filter Driver; C:\WINDOWS\system32\DRIVERS\pccsmcfd.sys [2008-08-26 18816]
S3 RushTopDevice;RushTopDevice; \??\C:\Program Files\MSI\Core Center\RushTop.sys []
S3 ScanUSBET;ET USB Still Image Capture Device; C:\WINDOWS\system32\DRIVERS\etScan.sys [2007-09-07 6656]
S3 SLIP;BDA Slip De-Framer; C:\WINDOWS\system32\DRIVERS\SLIP.sys [2004-08-04 11136]
S3 streamip;BDA IPSink; C:\WINDOWS\system32\DRIVERS\StreamIP.sys [2004-08-04 15360]
S3 upperdev;upperdev; C:\WINDOWS\system32\DRIVERS\usbser_lowerflt.sys [2009-10-06 7936]
S3 usbaudio;Ovladač zvukové karty USB (WDM); C:\WINDOWS\system32\drivers\usbaudio.sys [2004-08-04 59264]
S3 usbccgp;Obecný nadřazený ovladač Microsoft USB; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2004-08-04 31616]
S3 usbser;USB Modem Driver; C:\WINDOWS\system32\drivers\usbser.sys [2004-08-03 25600]
S3 UsbserFilt;UsbserFilt; C:\WINDOWS\system32\DRIVERS\usbser_lowerfltj.sys [2009-10-06 7936]
S3 Wdf01000;Kernel Mode Driver Frameworks service; C:\WINDOWS\System32\Drivers\wdf01000.sys [2008-03-27 503008]
S3 WSTCODEC;Dálnopisný kodek světového standardu; C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS [2004-08-04 19328]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2008-01-18 83328]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []
S4 WS2IFSL;Podpůrné prostředí zprostředkovatele služeb Windows Socket 2.0 bez podpory IFS; C:\WINDOWS\System32\drivers\ws2ifsl.sys [2003-04-16 12032]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 6to4;Pomocná služba protokolu IPv6; C:\WINDOWS\system32\svchost.exe [2004-08-17 14336]
R2 ATKKeyboardService;ATK Keyboard Service; C:\WINDOWS\ATKKBService.exe [2005-10-18 241152]
R2 ekrn;Eset Service; C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe [2009-10-07 472280]
R2 Irmon;Sledování infračerveného přenosu; C:\WINDOWS\system32\svchost.exe [2004-08-17 14336]
R2 NVSvc;NVIDIA Display Driver Service; C:\WINDOWS\system32\nvsvc32.exe [2006-03-09 143436]
R2 NwSapAgent;Agent SAP; C:\WINDOWS\system32\svchost.exe [2004-08-17 14336]
R2 SbPF.Launcher;SbPF.Launcher; C:\Program Files\Sunbelt Software\Personal Firewall\SbPFLnch.exe [2008-07-01 95528]
R2 SPF4;Sunbelt Personal Firewall 4; C:\Program Files\Sunbelt Software\Personal Firewall\SbPFSvc.exe [2008-07-01 1357096]
R2 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2004-08-17 14336]
S2 Bonjour Service;##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762##; C:\Program Files\Bonjour\mDNSResponder.exe [2006-02-28 229376]
S2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2010-04-30 153376]
S2 KVPNCSvc;Kerio VPN Client Service; C:\Program Files\Kerio\VPN Client\kvpncsvc.exe [2009-07-14 968552]
S2 lmgrd;Flexlm; C:\OrCAD\OrCAD_10.5\IntelliCAD 4\LicenseManager\lmgrd.exe []
S3 aspnet_state;Stavová služba ASP.NET; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2008-07-25 34312]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2008-07-25 69632]
S3 EhttpSrv;Eset HTTP Server; C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe [2009-10-07 20680]
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; C:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe [2008-07-29 46104]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe [2005-11-14 69632]
S3 idsvc;Služba Windows CardSpace; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2008-07-29 881664]
S3 odserv;Microsoft Office Diagnostics Service; C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE [2008-11-04 441712]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2006-10-26 145184]
S4 FLEXnet Licensing Service;FLEXnet Licensing Service; C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe [2008-12-19 654848]
S4 LightScribeService;LightScribeService Direct Disc Labeling Service; C:\Program Files\Common Files\LightScribe\LSSrvc.exe [2006-02-17 73728]
S4 NetTcpPortSharing;Služba sdílení portů Net.Tcp; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2008-07-29 132096]
S4 PnkBstrA;PnkBstrA; C:\WINDOWS\system32\PnkBstrA.exe [2010-04-02 66872]
S4 PnkBstrB;PnkBstrB; C:\WINDOWS\system32\PnkBstrB.exe [2010-04-02 107832]
S4 ServiceLayer;ServiceLayer; C:\Program Files\PC Connectivity Solution\ServiceLayer.exe [2009-10-27 657408]
S4 StarWindServiceAE;StarWind AE Service; C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe []
S4 WMPNetworkSvc;Služba Windows Media Player Network Sharing; C:\Program Files\Windows Media Player\WMPNetwk.exe [2007-01-05 913920]

-----------------EOF-----------------

//edit: zprávu napsal, ale log nevložil... XD

Dobrý večer

Log z Mwawu, než jste soubory smazal, by nebyl?

Dejte soubor otestovat na http://www.virustotal.com

c:\windows\system32\EuGdiDrv.sys
c:\windows\system32\epmntdrv.sys
e:\player\cds300.dll
c:\windows\system32\winlogon.exe
c:\windows\system32\sfcfiles.dll

-Na virustotalu dáte procházet, a do spodního okénka nakopírujete přímo cestu k souboru a dáte odeslat
-z prohlížeče zkopírujete adresu ke stránce s výsledky
-pokud se Vás zeptá, dejte soubor otestovat znovu, tak aby to byl soubor z Vašeho počítače

Od F-secure něco používáte?

dobrý večer/ráno,
myslím že na počítači nic od F-Secure neběží (běží tam předplacený nod32 ve verzi 3.0.695 na WinXP), ze pak pro kontrolu jednou za čas MWAV, občas MBAM, pravidelně nodovská "hloubková kontrola", pak občas ještě věci typu SPYBOT S&D. Mršky se nejspíš do počítače dostaly přes flash disk s infikovanými instalačkami.

Bohužel první kontrolu dělala jiná osoba a ta "promazala" i viry, které MWAV našel a pak došlo tuším k restartu. Teď právě probíhá druhá kontrola MWAVem a log sem potom hodím. Jo a málem bych zapoměl na nově dodaný CFix.

Výsledky z virustotalu za chvíli dodám, jen co se dostanu k infikovanému PC.

virustotal:

c:\windows\system32\EuGdiDrv.sys - http://www.virustotal.com/cs/analisis/b ... 1273356702

c:\windows\system32\epmntdrv.sys - http://www.virustotal.com/cs/analisis/6 ... 1273356902

e:\player\cds300.dll - toto umístění už neexistuje - pravděpodobně něco na flash disku

c:\windows\system32\winlogon.exe - http://www.virustotal.com/cs/analisis/b ... 1273357096

c:\windows\system32\sfcfiles.dll - http://www.virustotal.com/cs/analisis/b ... 1273357280

Celkový výsledek: čisto(alespoň se zdá podle virustotalu).

A tu flešku jste již vyčistili? Docela ráda bych věděla, co konkrétně na ní bylo za vir, když byli infikované instalačky. Můžete mi pak ukázat ten nový log z mwavu?

Pokud nemáte, přesuňte Combofix na plochu
-otevřete si Poznámkový blok
-Do něj zkopírujte text z tohoto okénka

Kód: Vybrat vše

Restore::
c:\windows\system32\sfcfiles.dll
c:\windows\system32\winlogon.exe

Driver::
esihdrv
GMSIPCI
F-Secure Standalone Minifilter
e5d9f345-0127-47d1-873b-c17cedfa0505

File::
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\esihdrv.sys 
D:\INSTALL\GMSIPCI.SYS
C:\Documents and Settings\Administrator\Local Settings\Temp\{B0386FD8-F807-4277-B3D2-0C4999EDC625}\fsgk.sys
E:\Player\cds300.dll 

Registry::
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"nwiz"=-
"NvMediaCenter"=-

Dirlook::
C:\Documents and Settings\Administrator\Local Settings\Temp\{B0386FD8-F807-4277-B3D2-0C4999EDC625}

DSS::
uStart Page = hxxp://www.garena.com/portal/

Firefox::
FF - ProfilePath - c:\documents and settings\Administrator\Data aplikací\Mozilla\Firefox\Profiles\0zesmqsn.default\
FF - prefs.js: keyword.URL - hxxp://toolbar.ask.com/toolbarv/askRedi ... t=&gc=1&q=

-uložte Vámi vytvořený TXT soubor jako CFScript.txt na plochu
-po uložení uchopte vámi vytvořený skript levým myšítkem a -přesuňte ho nad ikonu Combofixu, kde ho upustíte:

Obrázek

-po aplikaci na Vás vypadne další log,vložte ho sem

Upozornění : může se stát, že po aplikaci skriptu a restartu Windows nenaběhnou, v tom případě znovu restartujte a přitom mačkejte F8, pak zvolte Poslední známou funkční konfiguraci

VIRY.CZ

CF log- několik trojanů a spyware - konečná kontrola

CF log- několik trojanů a spyware - konečná kontrola

Re: CF log- několik trojanů a spyware - konečná kontrola

Re: CF log- několik trojanů a spyware - konečná kontrola

Re: CF log- několik trojanů a spyware - konečná kontrola

Re: CF log- několik trojanů a spyware - konečná kontrola

Re: CF log- několik trojanů a spyware - konečná kontrola