
PC disinfection, computer speed-up, remote help via the neslape.cz service
Bubnix - please help
Moderator: Moderators
Forum rules
If you want help, post a log from FRST [guide here] or RSIT [guide here]
Individual threads will be locked once resolved. Likewise those that have been inactive for more than 14 days. See the rule on locking topics. Thank you for your understanding.
!NEW!
You can now use the remote help service, where a specialist connects to your computer and gets further details about the problem from you by phone! More at www.neslape.cz
Bubnix - please help
Hello,
please help me, I'm really at a loss by now.
I've been fighting this virus for several hours now..
It started like this: this morning I turned on the PC and it worked normally, then updates showed up, so I downloaded and installed them, and then the hell began.. after the PC restarted, the quarantine started filling up with Bubnix files.. here is the ESET log so you can see the paths...
I tried System Restore to before the updates and also to a day back, with the same result.. what puzzles me is that after the updates a LastGood folder also appeared in the system, but now it's gone again.. after the system restore the updates were offered again, but only two of them..
OS: I have Win XP SP3
here is the ESET output: there is an awful lot of it, so I'll copy just a few lines; it's practically all in system32/drivers, except for one file in Program Files
12.8.2010 14:45:18 Real-time file system protection file C:\program files\aida32 - enterprise system information\aida32.sys a variant of Win32/Bubnix.AY trojan cleaned by deleting - quarantined PETR-F2340861BA\Petr Event occurred on a new file created by the application: C:\Program Files\Internet Explorer\iexplore.exe.
12.8.2010 14:45:57 Real-time file system protection file C:\WINDOWS\LastGood\TMP17.tmp a variant of Win32/Bubnix.AY trojan cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred on a file modified by the application: C:\WINDOWS\system32\winlogon.exe.
12.8.2010 16:31:45 Real-time file system protection file C:\WINDOWS\system32\drivers\OLD31.tmp Win32/Bubnix.AU trojan cleaned by deleting - quarantined PETR-F2340861BA\Petr Event occurred during an attempt to access the file by the application: C:\WINDOWS\system32\dumprep.exe.
12.8.2010 16:31:53 Startup scan file C:\Documents and Settings\Petr\Nabídka Start\Programy\Po spuštění\updpxe32.exe a variant of Win32/Kryptik.FWJ trojan cleaned by deleting (after the next restart) PETR-F2340861BA\Petr
I really can't think of anything else
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:53:00, on 12.8.2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.17055)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DAEMON Tools Pro\DTProAgent.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Documents and Settings\Petr\Dokumenty\stažené\hijackthis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.seznam.cz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
R3 - URLSearchHook: DeviceVM Url Search Hook - {0063BF63-BFFF-4B8F-9D26-4267DF7F17DD} - C:\WINDOWS\system32\dvmurl.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [GEST] m‘|\ü
O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\WINDOWS\RaidTool\xInsIDE.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools Pro Agent] "C:\Program Files\DAEMON Tools Pro\DTProAgent.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: updpxe32.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: E&xportovat do aplikace Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6.5\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6.5\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} (System Requirements Lab) - http://www.nvidia.com/content/DriverDow ... ab_nvd.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 1028688812
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: GEST Service for program management. (GEST Service) - Unknown owner - C:\Program Files\GIGABYTE\EnergySaver\GSvr.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
--
End of file - 8088 bytes
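The two logs in this post, as an added example that is not part of the original post and not code from ESET or HijackThis: a small triage script that reads HijackThis O4/O23 lines and ESET scan-result lines (in the English form used later in this thread) and flags entries that are either already detected by the AV or combine a machine-generated-looking filename with a risky load location (the per-user Startup folder, system32\drivers, or a Temp directory). The sample lines are copied from the thread; the name heuristic and the "suspicious" rule are assumptions of the example. The heuristic on its own mis-flags legitimate names such as ctfmon and PnkBstrA, which is exactly why a location signal or an AV detection is required before an entry is reported.

```python
"""Triage autostart entries from HijackThis and ESET log lines.

Added example, not code from the forum post or from ESET/HijackThis.  The
sample lines are copied from the thread; the heuristics are assumptions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample: lines copied from the OP's HijackThis log and from the
# (translated) ESET scan results posted later in the thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: updpxe32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\drivers\fivpdjq.sys - a variant of Win32/Bubnix.AY trojan - cleaned by deleting - quarantined [1]
C:\WINDOWS\system32\drivers\ofwxr.sys - a variant of Win32/Bubnix.AY trojan - cleaned by deleting - quarantined [1]
"""

RUN_RE = re.compile(r"^O4 - (?:HKLM|HKCU|HKUS\\[^\\]+)\\\.\.\\Run: \[[^\]]+\] (?P<cmd>.+)$")
STARTUP_RE = re.compile(r"^O4 - Startup: (?P<name>.+)$")
SERVICE_RE = re.compile(r"^O23 - Service: .+? - .+? - (?P<path>[A-Za-z]:\\.+)$")
# ESET scan-result line: "<path> - <detection> - <action> ..."
ESET_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) - (?P<det>.+?) - ")
VOWELS = set("aeiouy")


@dataclass
class Entry:
    source: str                  # which kind of log line produced the entry
    path: str                    # file path (bare filename for Startup-folder items)
    detection: str = ""          # AV detection name, if the line was a detection
    reasons: list[str] = field(default_factory=list)

    @property
    def filename(self) -> str:
        return self.path.replace("/", "\\").rsplit("\\", 1)[-1]

    @property
    def suspicious(self) -> bool:
        """Assumed rule: an AV hit is enough; otherwise a random-looking name
        counts only when paired with a risky load location."""
        r = set(self.reasons)
        if "av_detected" in r:
            return True
        return "random_name" in r and bool(r & {"user_startup", "drivers_dir", "temp_dir"})


def looks_random(stem: str) -> bool:
    """Crude 'generated name' heuristic: no vowels at all, or a run of four or
    more consonants.  It also fires on legitimate names (ctfmon, PnkBstrA), so
    it is never used alone."""
    letters = [c for c in stem.lower() if c.isalpha()]
    if len(letters) < 4:
        return False
    if not any(c in VOWELS for c in letters):
        return True
    run = 0
    for c in letters:
        run = 0 if c in VOWELS else run + 1
        if run >= 4:
            return True
    return False


def first_token(cmd: str) -> str:
    """Executable path from a Run-key command line (quoted or first word)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def location_signals(path: str) -> list[str]:
    p = path.lower().replace("/", "\\")
    out = []
    if "\\system32\\drivers\\" in p:
        out.append("drivers_dir")
    if "\\temp\\" in p:
        out.append("temp_dir")
    return out


def assess(entry: Entry) -> Entry:
    stem = entry.filename.rsplit(".", 1)[0]
    if looks_random(stem):
        entry.reasons.append("random_name")
    entry.reasons.extend(location_signals(entry.path))
    if entry.detection:
        entry.reasons.append("av_detected")
    return entry


def parse_entries(text: str) -> list[Entry]:
    entries: list[Entry] = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if m := RUN_RE.match(line):
            entries.append(Entry("O4 Run", first_token(m["cmd"])))
        elif m := STARTUP_RE.match(line):
            # HijackThis prints only the filename for per-user Startup items.
            entries.append(Entry("O4 Startup", m["name"].strip(), reasons=["user_startup"]))
        elif m := SERVICE_RE.match(line):
            entries.append(Entry("O23 Service", m["path"].strip()))
        elif m := ESET_RE.match(line):
            entries.append(Entry("ESET detection", m["path"].strip(), detection=m["det"].strip()))
    return [assess(e) for e in entries]


def triage(text: str) -> list[Entry]:
    """Entries worth a closer look, in log order."""
    return [e for e in parse_entries(text) if e.suspicious]


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f"{e.source:15} {e.path}  <- {', '.join(e.reasons)}")
```

On the sample, updpxe32.exe (Startup folder plus random-looking name) and the two detected drivers are reported; egui.exe, ctfmon.exe and PnkBstrA.exe are not, even though the last two trip the name heuristic, because they load from system32 and have no AV hit.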
- riffman
- VIP
- Posts: 3203
- Registered: 20 Oct 2004 07:00
- Location: České Budějovice
Re: Bubnix - please help
hi
download ComboFix and save it to your desktop
then run the application under an account with administrator rights (not under an account with limited rights)
on Windows Vista and Windows 7 run the application as administrator (right-click the application icon and choose "Run as administrator")
right after start a screen with the licence terms appears; continue by clicking Yes:

next you may get a warning about your antivirus's resident shield and a notice that the Recovery Console is not installed; don't install it for now.
calmly go and make yourself a coffee (the whole thing takes about 5-10 minutes, sometimes longer, depending on how fast the machine is and how many files the scanner has to wade through); during the scan don't try to launch any other applications or do anything else
don't panic during the scan, your machine may be restarted (especially on the first run of the scanner)
warning: if you use an antispyware with a resident shield, deactivate its resident shield, because during the scan and removal of any malware ComboFix collides undesirably with the antispyware's resident component
after the restart the application creates a log saved at C:/Combofix.txt (on repeated use the logs are named Combofix2.txt etc.); paste its contents here
Give us a chance to live
Give us a chance to die
Give us a chance to be free
Without fire from the sky
Give us a chance to love
Give us a chance to hate
Give us a chance, before you kill us all
Re: Bubnix - please help
thank you, I'm on it right away.. I've just scanned the system with ESET again.. and it found only this:
C:\Documents and Settings\Petr\Nabídka Start\Programy\Po spuštění\updpxe32.exe - a variant of Win32/Kryptik.FWJ trojan - cleaned by deleting (after the next restart) [1,2]
C:\WINDOWS\system32\drivers\fivpdjq.sys - a variant of Win32/Bubnix.AY trojan - cleaned by deleting - quarantined [1]
C:\WINDOWS\system32\drivers\ofwxr.sys - a variant of Win32/Bubnix.AY trojan - cleaned by deleting - quarantined [1]
I also downloaded the malicious software removal tool directly from Microsoft.. so I'll try that too.. or do you think it's better to try the scan first?
- riffman
Re: Bubnix - please help
try to follow my instructions

Re: Bubnix - please help
I am your devoted servant
here is the log, but it's all Greek to me..
ComboFix 10-08-11.05 - Petr 12.08.2010 17:32:49.1.8 - x86
Microsoft Windows XP Professional 5.1.2600.3.1250.420.1029.18.3326.2897 [GMT 2:00]
Running from: c:\documents and settings\Petr\Dokumenty\stažené\ComboFix.exe
AV: ESET Smart Security 4.2 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
AV: Lavasoft Ad-Watch Live! Anti-Virus *On-access scanning disabled* (Updated) {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
FW: ESET personal firewall *enabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}
* AV resident shield is enabled
WARNING - THE RECOVERY CONSOLE IS NOT INSTALLED ON THIS COMPUTER !!
.
((((((((((((((((((((((((( Files created from 2010-07-12 to 2010-08-12 )))))))))))))))))))))))))))))))
.
2010-08-12 15:32 . 2010-08-12 15:32 -------- d-----w- c:\windows\LastGood
2010-08-12 15:26 . 2010-08-12 15:26 390144 ----a-w- c:\windows\system32\CF26546.exe
2010-08-12 15:24 . 2010-08-12 15:24 390144 ----a-w- c:\windows\system32\CF26194.exe
2010-08-12 14:27 . 2010-08-12 14:27 -------- d-----w- c:\windows\system32\wbem\Repository
2010-08-12 14:07 . 2010-08-12 14:13 -------- d-----w- c:\documents and settings\Administrator\Šablony
2010-08-12 14:07 . 2010-08-12 14:13 -------- d-----w- c:\documents and settings\Administrator\Data aplikací
2010-08-12 14:07 . 2010-08-12 14:13 -------- d-s---w- c:\documents and settings\Administrator
2010-07-30 15:34 . 2010-07-30 15:34 -------- d-----w- c:\program files\VideoLAN
2010-07-14 09:39 . 2010-07-14 09:39 -------- d-----w- c:\program files\Ubisoft
2010-07-14 09:23 . 2010-07-14 09:23 -------- d-----w- C:\Ubisoft
2010-07-14 08:22 . 2010-06-14 14:31 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-12 15:28 . 2009-08-22 20:58 16608 ----a-w- c:\windows\gdrv.sys
2010-08-12 14:21 . 2009-08-22 21:44 -------- d-----w- c:\program files\AIDA32 - Enterprise System Information
2010-08-12 12:40 . 2006-03-02 12:00 83832 ----a-w- c:\windows\system32\perfc005.dat
2010-08-12 12:40 . 2006-03-02 12:00 440590 ----a-w- c:\windows\system32\perfh005.dat
2010-08-12 07:46 . 2009-08-24 21:27 137256 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2010-08-12 07:46 . 2009-08-24 21:26 218808 ----a-w- c:\windows\system32\PnkBstrB.exe
2010-07-14 09:39 . 2009-08-22 20:59 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-06-17 09:34 . 2009-08-24 19:35 -------- d-----w- c:\program files\ICQ6.5
2010-06-14 14:31 . 2009-08-22 20:48 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
.
(((((((((((((((((((((((((((((((((( Registry startup points )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries and legitimate default entries are not shown.
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools Pro Agent"="c:\program files\DAEMON Tools Pro\DTProAgent.exe" [2007-09-06 136136]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GEST"="m‘|\ü" [X]
"RTHDCPL"="RTHDCPL.EXE" [2008-07-23 16804864]
"SoundMan"="SOUNDMAN.EXE" [2008-06-18 77824]
"AlcWzrd"="ALCWZRD.EXE" [2008-06-19 2808832]
"JMB36X IDE Setup"="c:\windows\RaidTool\xInsIDE.exe" [2007-03-20 36864]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-09-21 55824]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-09-21 55824]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-01-11 13666408]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-01-11 110696]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2010-04-07 2145000]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2010-04-27 524632]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
c:\documents and settings\All Users\Nabídka Start\Programy\Po spuštění\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2009-8-22 113664]
Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2009-10-12 67128]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2009-10-12 784912]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2007-11-15 08:10 72208 ----a-w- c:\program files\Common Files\Logitech\Bluetooth\LBTWLgn.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\ICQ6.5\\ICQ.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.1.3.9947-to-3.2.0.10192-enGB-downloader.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.2.0.10192-to-3.2.0.10314-enGB-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.2.0.10314-to-3.2.2.10482-enGB-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.2.2.10482-to-3.2.2.10505-enGB-downloader.exe"=
"c:\\Program Files\\Electronic Arts\\Battlefield Bad Company 2\\BFBC2Updater.exe"=
"c:\\Program Files\\Electronic Arts\\Battlefield Bad Company 2\\BFBC2Game.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Ubisoft\\Ubisoft Game Launcher\\UbisoftGameLauncher.exe"=
"c:\\Ubisoft\\Silent Hunter 5\\sh5.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [27.4.2010 19:34 64160]
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [7.4.2010 21:07 114984]
R1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [16.2.2010 13:25 95024]
R2 ekrn;ESET Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [7.4.2010 21:07 810120]
S2 GEST Service;GEST Service for program management.;c:\program files\GIGABYTE\EnergySaver\GSvr.exe [22.8.2009 22:59 68136]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [17.10.2009 21:40 133104]
S3 AIDA32Driver;AIDA32Driver;c:\program files\AIDA32 - Enterprise System Information\aida32.sys [26.11.2003 3712]
S3 cpuz130;cpuz130;\??\c:\docume~1\Petr\LOCALS~1\Temp\cpuz130\cpuz_x32.sys --> c:\docume~1\Petr\LOCALS~1\Temp\cpuz130\cpuz_x32.sys [?]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [18.1.2009 23:34 1029456]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [24.8.2009 23:58 722416]
.
Contents of the 'Scheduled Tasks' folder
2010-08-12 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-10-17 19:40]
2010-08-12 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-10-17 19:40]
2010-08-12 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 13:07]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.seznam.cz/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
FF - ProfilePath - c:\documents and settings\Petr\Data aplikací\Mozilla\Firefox\Profiles\jadg00d2.default\
FF - prefs.js: browser.startup.homepage - About:Blank
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".cz");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.
- - - - ORPHANS REMOVED - - - -
HKLM-Run-nwiz - nwiz.exe
AddRemove-NVIDIA Display Control Panel - c:\program files\NVIDIA Corporation\Uninstall\nvuninst.exe
AddRemove-TNod - c:\program files\TNod User & Password Finder\uninst-TNod.exe
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-12 17:39
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-746137067-1275210071-725345543-1003\Software\SecuROM\License information*]
"datasecu"=hex:be,d3,42,2d,1a,7e,1f,f5,62,78,6a,df,b9,8a,d7,32,bf,b3,e3,fa,2e,
0e,bc,54,b4,d7,97,e7,24,74,0b,82,89,49,8a,5e,8f,2e,18,8c,9a,73,a7,ae,22,fb,\
"rkeysecu"=hex:9a,24,15,87,91,bd,0f,88,fc,73,46,16,fe,ae,16,6a
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(1068)
c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
c:\program files\common files\logitech\bluetooth\LBTServ.dll
.
Completion time: 2010-08-12 17:40:55
ComboFix-quarantined-files.txt 2010-08-12 15:40
Pre-Run: 99,973,632,000 bytes free
Post-Run: 103,146,536,960 bytes free
- - End Of File - - 33D423E326A8DA744410E8471824DF65

Re: Bubnix-prosím pomoc
Now, after a restart and a scan, it finds nothing. Should I try that Microsoft program? It asked me again to install the updates; I'm a bit scared... should I install them and risk the whole merry-go-round again?
- riffman
- VIP
- Posts: 3203
- Registered: 20 Oct 2004 07:00
- Location: České Budějovice
Re: Bubnix-prosím pomoc
http://downloads.malwareremoval.com/CKScanner.exe
Download and run it.
To start the scan, click "Search For Files". When it finishes, click "Save List to File" -> "OK". A log named ckfiles.txt will be saved on the desktop. Post its contents here.
Give us a chance to live
Give us a chance to die
Give us a chance to be free
Without fire from the sky
Give us a chance to love
Give us a chance to hate
Give us a chance, before you kill us all
Re: Bubnix-prosím pomoc
Is anything apparent from the previous scan?
Btw, what should I do with what ESET has in quarantine?
Thank you.
And one more question... what would you do about those updates?
- riffman
- VIP
- Posts: 3203
- Registered: 20 Oct 2004 07:00
- Location: České Budějovice
Re: Bubnix-prosím pomoc
No, nothing yet.
You can delete the quarantine.
Run CKScanner.
Re: Bubnix-prosím pomoc
CKScanner - Additional Security Risks - These are not necessarily bad
c:\documents and settings\petr\dokumenty\stažené\software\ad-awarepro\ad-aware8.0.3pro2009\crack\lavalicense.dll
c:\documents and settings\petr\dokumenty\stažené\software\ad-awarepro\ad-aware8.0.3pro2009\crack\read.txt
c:\documents and settings\petr\dokumenty\stažené\software\superdvd_creator98build2008611\superdvd creator 9.8 build 20080611\super dvd creator 9.8 build 20080611\keygen_core\core.nfo
c:\documents and settings\petr\dokumenty\stažené\software\superdvd_creator98build2008611\superdvd creator 9.8 build 20080611\super dvd creator 9.8 build 20080611\keygen_core\file_id.diz
c:\documents and settings\petr\dokumenty\stažené\software\superdvd_creator98build2008611\superdvd creator 9.8 build 20080611\super dvd creator 9.8 build 20080611\keygen_core\keygen.exe
c:\ubisoft\silent hunter 5\data\characters\animations\dcrack.gr2
c:\ubisoft\silent hunter 5\data\characters\animations\dcrack_mk9.gr2
scanner sequence 3.FA.11
----- EOF -----
- riffman
- VIP
- Posts: 3203
- Registered: 20 Oct 2004 07:00
- Location: České Budějovice
Re: Bubnix-prosím pomoc
If I catch you here with keygens and cracks one more time, I'll turn into the evil moderator.
Test c:\program files\AIDA32 - Enterprise System Information\aida32.sys on VIRUSTOTAL
(simple instructions: once the page loads, click the Browse button, find the path to the file mentioned above and click Send file; ignore any message that the file has already been analysed and run the scan again; give the scanners about ten minutes; post the result here, either by copying the text or by pasting the link once the scan finishes)
Re: Bubnix-prosím pomoc
Sorry.
I just ran the system through ESET again... it found this:
C:\System Volume Information\_restore{975866EF-B180-4416-BA15-0F2F3C8588F7}\RP27\A0020315.sys - a variant of Win32/Bubnix.AY trojan - cleaned by deleting - quarantined [1]
C:\System Volume Information\_restore{975866EF-B180-4416-BA15-0F2F3C8588F7}\RP28\A0021367.sys - Win32/Bubnix.AU trojan - cleaned by deleting - quarantined [1]
C:\System Volume Information\_restore{975866EF-B180-4416-BA15-0F2F3C8588F7}\RP28\A0021369.sys - a variant of Win32/Bubnix.AY trojan - cleaned by deleting - quarantined [1]
C:\System Volume Information\_restore{975866EF-B180-4416-BA15-0F2F3C8588F7}\RP28\A0022247.sys - a variant of Win32/Bubnix.AY trojan - cleaned by deleting - quarantined [1]
C:\System Volume Information\_restore{975866EF-B180-4416-BA15-0F2F3C8588F7}\RP28\A0022248.sys - a variant of Win32/Bubnix.AY trojan - cleaned by deleting - quarantined [1]
So I did what I read about: I turned System Restore off, restarted, and turned it back on... that should remove it. I tried running ESET over System Volume Information again and it found nothing. Now I'm going to run what you told me to.
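The detections in the post above all sit under C:\System Volume Information\_restore{...}\RPnn\, i.e. they are copies of the driver that System Restore archived in restore points RP27 and RP28 when the file was changed. Such copies are not loaded by the running system; they only come back if that restore point is applied, and turning System Restore off and on again (as the poster did) discards them, which is why the follow-up scan of that tree is clean. The check that matters for reinfection is whether any detection lands outside that tree. The following Python script is an added example, not code from the thread or from ESET: it parses on-demand scan lines of the format quoted above (here in their English form) and separates restore-point copies from live files. The five restore-point lines are the ones from the post; the sixth line, for the aida32.sys path, is constructed here so that the "live" branch is exercised. The names `parse_line`, `summarize`, `LINE_RE` and `RESTORE_RE` are the example's own.

```python
"""Added example (not from the forum thread or ESET): classify ESET on-demand
scan detections into restore-point copies and live files."""
import re
from collections import defaultdict

# Constructed input: five lines from the post plus one made-up live-path line
# (the last one) so that both branches of summarize() are exercised.
ESET_LOG = r"""
C:\System Volume Information\_restore{975866EF-B180-4416-BA15-0F2F3C8588F7}\RP27\A0020315.sys - a variant of Win32/Bubnix.AY trojan - cleaned by deleting - quarantined [1]
C:\System Volume Information\_restore{975866EF-B180-4416-BA15-0F2F3C8588F7}\RP28\A0021367.sys - Win32/Bubnix.AU trojan - cleaned by deleting - quarantined [1]
C:\System Volume Information\_restore{975866EF-B180-4416-BA15-0F2F3C8588F7}\RP28\A0021369.sys - a variant of Win32/Bubnix.AY trojan - cleaned by deleting - quarantined [1]
C:\System Volume Information\_restore{975866EF-B180-4416-BA15-0F2F3C8588F7}\RP28\A0022247.sys - a variant of Win32/Bubnix.AY trojan - cleaned by deleting - quarantined [1]
C:\System Volume Information\_restore{975866EF-B180-4416-BA15-0F2F3C8588F7}\RP28\A0022248.sys - a variant of Win32/Bubnix.AY trojan - cleaned by deleting - quarantined [1]
C:\Program Files\AIDA32 - Enterprise System Information\aida32.sys - a variant of Win32/Bubnix.AY trojan - cleaned by deleting - quarantined [1]
"""

# path - [a variant of ]THREAT KIND - ACTION - RESULT [n]
# The path may itself contain " - " (see the AIDA32 folder), so the path group
# is non-greedy and the rest of the pattern forces the split at the right place.
LINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?) - "
    r"(?P<qualifier>a variant of |probably a variant of )?"
    r"(?P<threat>\S+) (?P<kind>[A-Za-z ]+?) - "
    r"(?P<action>[^-]+?) - (?P<result>[^\[]+?)(?: \[(?P<note>\d+)\])?$"
)
# Restore-point snapshots live under System Volume Information\_restore{GUID}\RPnn\
RESTORE_RE = re.compile(
    r"\\System Volume Information\\_restore\{[^}]+\}\\(RP\d+)\\", re.IGNORECASE
)


def parse_line(line: str) -> dict:
    """Split one ESET detection line into its fields; raise on unknown format."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised ESET log line: {line!r}")
    rec = m.groupdict()
    rp = RESTORE_RE.search(rec["path"])
    rec["restore_point"] = rp.group(1).upper() if rp else None
    return rec


def summarize(log: str) -> dict:
    """Group detections by restore point; anything else is a live file."""
    records = [parse_line(l) for l in log.splitlines() if l.strip()]
    by_rp = defaultdict(set)
    live = []
    for r in records:
        if r["restore_point"]:
            by_rp[r["restore_point"]].add(r["threat"])
        else:
            live.append(r["path"])
    return {
        "records": len(records),
        "restore_points": {rp: sorted(v) for rp, v in sorted(by_rp.items())},
        "live": live,
    }


if __name__ == "__main__":
    s = summarize(ESET_LOG)
    print(f"{s['records']} detections")
    for rp, threats in s["restore_points"].items():
        print(f"  {rp}: {', '.join(threats)} (archived copy, gone once restore points are purged)")
    for path in s["live"]:
        print(f"  LIVE: {path} (driver present outside restore points: still being dropped)")
```

Run against a saved ESET scan log instead of the embedded sample by replacing ESET_LOG with the file's contents; the only thing that changes between ESET's localized outputs is the wording of the qualifier, action and result fields, so adjust the regex literals if the log is not in English.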
Re: Bubnix-prosím pomoc
http://www.virustotal.com/file-scan/rep ... 1281633240
0 VT Community user(s) with a total of 0 reputation credit(s) say(s) this sample is goodware. 0 VT Community user(s) with a total of 0 reputation credit(s) say(s) this sample is malware.
File name: C:\Program Files\AIDA32 - Enterprise System Information\aida32.sys
Submission date: 2010-08-12 17:14:00 (UTC)
Current status: finished
Result: 0/ 42 (0.0%)
VT Community: not reviewed
Safety score: -
Antivirus Version Last Update Result
AhnLab-V3 2010.08.12.00 2010.08.11 -
AntiVir 8.2.4.34 2010.08.12 -
Antiy-AVL 2.0.3.7 2010.08.11 -
Authentium 5.2.0.5 2010.08.12 -
Avast 4.8.1351.0 2010.08.12 -
Avast5 5.0.332.0 2010.08.12 -
AVG 9.0.0.851 2010.08.12 -
BitDefender 7.2 2010.08.12 -
CAT-QuickHeal 11.00 2010.08.12 -
ClamAV 0.96.0.3-git 2010.08.12 -
Comodo 5715 2010.08.12 -
DrWeb 5.0.2.03300 2010.08.12 -
Emsisoft 5.0.0.37 2010.08.12 -
eSafe 7.0.17.0 2010.08.12 -
eTrust-Vet 36.1.7785 2010.08.12 -
F-Prot 4.6.1.107 2010.08.12 -
F-Secure 9.0.15370.0 2010.08.12 -
Fortinet 4.1.143.0 2010.08.12 -
GData 21 2010.08.12 -
Ikarus T3.1.1.88.0 2010.08.12 -
Jiangmin 13.0.900 2010.08.12 -
Kaspersky 7.0.0.125 2010.08.12 -
McAfee 5.400.0.1158 2010.08.12 -
McAfee-GW-Edition 2010.1 2010.08.12 -
Microsoft 1.6004 2010.08.12 -
NOD32 5361 2010.08.12 -
Norman 6.05.11 2010.08.12 -
nProtect 2010-08-12.03 2010.08.12 -
Panda 10.0.2.7 2010.08.12 -
PCTools 7.0.3.5 2010.08.12 -
Prevx 3.0 2010.08.12 -
Rising 22.60.03.04 2010.08.12 -
Sophos 4.56.0 2010.08.12 -
Sunbelt 6723 2010.08.12 -
SUPERAntiSpyware 4.40.0.1006 2010.08.12 -
Symantec 20101.1.1.7 2010.08.12 -
TheHacker 6.5.2.1.344 2010.08.12 -
TrendMicro 9.120.0.1004 2010.08.12 -
TrendMicro-HouseCall 9.120.0.1004 2010.08.12 -
VBA32 3.12.14.0 2010.08.11 -
ViRobot 2010.8.9.3978 2010.08.12 -
VirusBuster 5.0.27.0 2010.08.12 -
Additional information
MD5 : 902c54e474d9c0f1d10d970193f895a9
SHA1 : c3ff538f25f389f1e141a66fdf4aed4313a3a515
SHA256: 7094914e4ecc344e95c4face890a7844cfd8e3e2b3f8beeee5697c44325ddba9
ssdeep: 48:IrNuaGP6Tl8zlwl15zOZOTYbpj6k/R9GzfOGHwawskatG/wHvaRrp:ZoTl8zlwl15qZOk1jjvGaGzi1
File size : 3712 bytes
First seen: 2010-04-27 09:27:17
Last seen : 2010-08-12 17:14:00
TrID:
Clipper DOS Executable (33.3%)
Generic Win/DOS Executable (33.0%)
DOS Executable Generic (33.0%)
VXD Driver (0.5%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.1%)
sigcheck:
publisher....: n/a
copyright....: n/a
product......: n/a
description..: n/a
original name: n/a
internal name: n/a
file version.: n/a
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned
PEInfo: PE structure information
[[ basic data ]]
entrypointaddress: 0xB64
timedatestamp....: 0x3FC34748 (Tue Nov 25 12:12:56 2003)
machinetype......: 0x14c (I386)
[[ 4 section(s) ]]
name, viradd, virsiz, rawdsiz, ntropy, md5
.text, 0x400, 0x7EA, 0x800, 6.27, 808beb446cb540f9c196fbe5a932ba26
.rdata, 0xC00, 0x91, 0x100, 2.85, abef85cacf1040b67e9a9a136c8d6af7
INIT, 0xD00, 0xFE, 0x100, 4.39, 9e0903aaeb9ed37bd9221d41ac00bc64
.reloc, 0xE00, 0x3E, 0x80, 2.05, 26dec42f29dba956999cfd96a12663d0
[[ 1 import(s) ]]
ntoskrnl.exe: IofCompleteRequest, MmUnmapIoSpace, MmMapIoSpace, IoDeleteDevice, IoDeleteSymbolicLink, RtlInitUnicodeString, IoCreateSymbolicLink, IoCreateDevice
0 VT Community user(s) with a total of 0 reputation credit(s) say(s) this sample is goodware. 0 VT Community user(s) with a total of 0 reputation credit(s) say(s) this sample is malware.
File name: C:\Program Files\AIDA32 - Enterprise System Information\aida32.sys
Submission date: 2010-08-12 17:14:00 (UTC)
Current status: queued queued analysing finished
Result: 0/ 42 (0.0%)
VT Community
not reviewed
Safety score: -
Compact Print results
Antivirus Version Last Update Result
AhnLab-V3 2010.08.12.00 2010.08.11 -
AntiVir 8.2.4.34 2010.08.12 -
Antiy-AVL 2.0.3.7 2010.08.11 -
Authentium 5.2.0.5 2010.08.12 -
Avast 4.8.1351.0 2010.08.12 -
Avast5 5.0.332.0 2010.08.12 -
AVG 9.0.0.851 2010.08.12 -
BitDefender 7.2 2010.08.12 -
CAT-QuickHeal 11.00 2010.08.12 -
ClamAV 0.96.0.3-git 2010.08.12 -
Comodo 5715 2010.08.12 -
DrWeb 5.0.2.03300 2010.08.12 -
Emsisoft 5.0.0.37 2010.08.12 -
eSafe 7.0.17.0 2010.08.12 -
eTrust-Vet 36.1.7785 2010.08.12 -
F-Prot 4.6.1.107 2010.08.12 -
F-Secure 9.0.15370.0 2010.08.12 -
Fortinet 4.1.143.0 2010.08.12 -
GData 21 2010.08.12 -
Ikarus T3.1.1.88.0 2010.08.12 -
Jiangmin 13.0.900 2010.08.12 -
Kaspersky 7.0.0.125 2010.08.12 -
McAfee 5.400.0.1158 2010.08.12 -
McAfee-GW-Edition 2010.1 2010.08.12 -
Microsoft 1.6004 2010.08.12 -
NOD32 5361 2010.08.12 -
Norman 6.05.11 2010.08.12 -
nProtect 2010-08-12.03 2010.08.12 -
Panda 10.0.2.7 2010.08.12 -
PCTools 7.0.3.5 2010.08.12 -
Prevx 3.0 2010.08.12 -
Rising 22.60.03.04 2010.08.12 -
Sophos 4.56.0 2010.08.12 -
Sunbelt 6723 2010.08.12 -
SUPERAntiSpyware 4.40.0.1006 2010.08.12 -
Symantec 20101.1.1.7 2010.08.12 -
TheHacker 6.5.2.1.344 2010.08.12 -
TrendMicro 9.120.0.1004 2010.08.12 -
TrendMicro-HouseCall 9.120.0.1004 2010.08.12 -
VBA32 3.12.14.0 2010.08.11 -
ViRobot 2010.8.9.3978 2010.08.12 -
VirusBuster 5.0.27.0 2010.08.12 -
Additional informationShow all
MD5 : 902c54e474d9c0f1d10d970193f895a9
SHA1 : c3ff538f25f389f1e141a66fdf4aed4313a3a515
SHA256: 7094914e4ecc344e95c4face890a7844cfd8e3e2b3f8beeee5697c44325ddba9
ssdeep: 48:IrNuaGP6Tl8zlwl15zOZOTYbpj6k/R9GzfOGHwawskatG/wHvaRrp:ZoTl8zlwl15qZOk1jj
vGaGzi1
File size : 3712 bytes
First seen: 2010-04-27 09:27:17
Last seen : 2010-08-12 17:14:00
TrID:
Clipper DOS Executable (33.3%)
Generic Win/DOS Executable (33.0%)
DOS Executable Generic (33.0%)
VXD Driver (0.5%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.1%)
sigcheck:
publisher....: n/a
copyright....: n/a
product......: n/a
description..: n/a
original name: n/a
internal name: n/a
file version.: n/a
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned
PEInfo: PE structure information
[[ basic data ]]
entrypointaddress: 0xB64
timedatestamp....: 0x3FC34748 (Tue Nov 25 12:12:56 2003)
machinetype......: 0x14c (I386)
[[ 4 section(s) ]]
name, viradd, virsiz, rawdsiz, ntropy, md5
.text, 0x400, 0x7EA, 0x800, 6.27, 808beb446cb540f9c196fbe5a932ba26
.rdata, 0xC00, 0x91, 0x100, 2.85, abef85cacf1040b67e9a9a136c8d6af7
INIT, 0xD00, 0xFE, 0x100, 4.39, 9e0903aaeb9ed37bd9221d41ac00bc64
.reloc, 0xE00, 0x3E, 0x80, 2.05, 26dec42f29dba956999cfd96a12663d0
[[ 1 import(s) ]]
ntoskrnl.exe: IofCompleteRequest, MmUnmapIoSpace, MmMapIoSpace, IoDeleteDevice, IoDeleteSymbolicLink, RtlInitUnicodeString, IoCreateSymbolicLink, IoCreateDevice
Re: Bubnix - please help
- riffman
- VIP
- Posts: 3203
- Joined: 20 Oct 2004 07:00
- Location: České Budějovice
- Contact user:
Re: Bubnix - please help
Fine, now I don't see anything there.
Give us a chance to live
Give us a chance to die
Give us a chance to be free
Without fire from the sky
Give us a chance to love
Give us a chance to hate
Give us a chance, before you kill us all