nákaza nejspis nejakym DOWNLOADER virem

[dzejsek]

mam takovej problem vcera, nevim jakse mi tam dostala nejaka havet kdyz nod32 zpravidla vsechno ohlásí, no nic, zaclo to takle ze si jentak hraju nejakou hru kdyz najednou miji "neco" minimalizuje a uprostred je bila obrazovka s jednim tlacitkem a nejde vypnout a ani zapnout spravce uloh, uz v ten moment mi doslo zesem nakazenej, bylo tam psano neco ve stylu zesem nakazenej virem a ze tim tlacitkem to obnovim boco, po restartu pc mitotam nabehlo hned znova a prace s pc byla znemoznena, tak sem se po par pokusech to nejak vypnout premohl a stiskl to tlacitku, vtu ranu tam bylo neco nainstalovano(cesta tam byla nekam k uzivatelskym uctum pokud si pamatuju, pokracovalotom nejak este do Microsoft Volume slozky, nevim nepamatujusi a nevyznam se vtom:D ), pc se restartoval, kdyz nabehl tak sem jen cumel nato cose deje behem 10 vterin pc sám mysi zapl mozilu skocila tam tahle stranka
http://www.chameleontom.com/api/install ... F7&lang=en (bacha je zavirovaná)
stihl sem neco precist o objednavce este nejaky veci tam nabehli a pc se vypl, kdyz semto znova zapl tak tak seten PC tvari jakobysenic nedelo akorat mitam cas odcasu(kazdou hodinu zhruba) i kdyz nic nedelam nod hlasi ze je zjisten pokus o infiltraci kerymu dycky zabranim(nejakej kryptikse tam chce dostat), tak co stim ted?
a mam pocit ze muj internet je trosku zabrzdenej ale jen malo


zdeje log

Logfile of random's system information tool 1.08 (written by random/random)
Run by DjJezek at 2010-08-23 11:04:42
Microsoft Windows 7 Home Premium
System drive C: has 54 GB (53%) free of 102 GB
Total RAM: 4095 MB (66% free)

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 11:04:48, on 23.8.2010
Platform: Windows 7 (WinNT 6.00.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16385)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\IObit\Advanced SystemCare 3\AWC.exe
C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe
C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe
C:\Program Files (x86)\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files (x86)\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files (x86)\ESET\nod32kui.exe
C:\Windows\SysWOW64\explorer.exe
C:\Program Files (x86)\Winamp\winampa.exe
C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files (x86)\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\totalcmd\TOTALCMD.EXE
C:\Program Files\trend micro\DjJezek.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.chameleonsearch.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Vuze Remote Toolbar - {ba14329e-9550-4989-b3f2-9732e92d17cc} - C:\Program Files (x86)\Vuze_Remote\tbVuze.dll
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~2\MICROS~3\Office12\GR469A~1.DLL
O2 - BHO: wit for ie - {75ED56AF-4DC9-4243-A30C-4EF4DD0CA28F} - C:\Program Files (x86)\ChameleonTom\wit4ie.dll
O2 - BHO: Vuze Remote Toolbar - {ba14329e-9550-4989-b3f2-9732e92d17cc} - C:\Program Files (x86)\Vuze_Remote\tbVuze.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Vuze Remote Toolbar - {ba14329e-9550-4989-b3f2-9732e92d17cc} - C:\Program Files (x86)\Vuze_Remote\tbVuze.dll
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files (x86)\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files (x86)\Winamp\winampa.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [LogMeIn Hamachi Ui] "C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe" --auto-start
O4 - HKLM\..\Run: [DivXUpdate] "C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [SwitchBoard] C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
O4 - HKLM\..\Run: [AdobeCS5ServiceManager] "C:\Program Files (x86)\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [ATICustomerCare] "C:\Program Files (x86)\ATI\ATICustomerCare\ATICustomerCare.exe"
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files (x86)\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [HKLM] C:\Users\DjJezek\AppData\Roaming\winlog\winlog.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe" -autorun
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files (x86)\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ISUSPM Startup] C:\PROGRA~2\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKCU\..\Run: [HKCU] C:\Users\DjJezek\AppData\Roaming\winlog\winlog.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O4 - Startup: msnmsngr.ink.lnk = DjJezek\AppData\Local\Temp\DokterWatson.exe
O4 - Startup: Výřezy obrazovky a spuštění aplikace OneNote 2007.lnk = C:\Program Files (x86)\Microsoft Office\Office12\ONENOTEM.EXE
O8 - Extra context menu item: E&xportovat do aplikace Microsoft Excel - res://C:\PROGRA~2\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: ChameleonTom - {14CD42DD-ABCD-3586-DCAB-40E3693E3737} - C:\Program Files (x86)\ChameleonTom\ct.htm
O9 - Extra 'Tools' menuitem: ChameleonTom - {14CD42DD-ABCD-3586-DCAB-40E3693E3737} - C:\Program Files (x86)\ChameleonTom\ct.htm
O9 - Extra button: Odeslat do aplikace OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: Od&eslat do aplikace OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files (x86)\ICQ6.5\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files (x86)\ICQ6.5\ICQ.exe
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~2\MICROS~3\Office12\GRA32A~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Windows DreamScene - {E31004D1-A431-41B8-826F-E902F9D95C81} - C:\Windows\SysWow64\DreamScene.dll
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: AMD External Events Utility - Unknown owner - C:\Windows\system32\atiesrxx.exe (file missing)
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
O23 - Service: LogMeIn Hamachi 2.0 Tunneling Engine (Hamachi2Svc) - LogMeIn Inc. - C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: NBService - Nero AG - C:\Program Files (x86)\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: nl_license_manager - Unknown owner - C:\Program Files (x86)\Next Limit\Licence Manager\nl_license_manager.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files (x86)\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files (x86)\Eset\nod32krn.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
O23 - Service: SwitchBoard - Adobe Systems Incorporated - C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

--
End of file - 10237 bytes

======Listing Processes======

\SystemRoot\System32\smss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
wininit.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsm.exe
winlogon.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
atieclxx
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
"taskhost.exe"
"C:\Windows\system32\Dwm.exe"
C:\Windows\Explorer.EXE
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
taskeng.exe {F7060D0F-CDE1-4B1B-9F2D-148A9E3AD9FC}
"C:\Program Files (x86)\IObit\Advanced SystemCare 3\AWC.exe" /startup
"C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe" -s
"C:\Program Files (x86)\Eset\nod32krn.exe"
C:\Windows\SysWOW64\PnkBstrA.exe
"C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe" --auto-start
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
"C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe"
"C:\Program Files\Windows Sidebar\sidebar.exe" /autoRun
"C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe" -autorun
"C:\Program Files (x86)\Common Files\Ahead\Lib\NMBgMonitor.exe"
"C:\Program Files (x86)\Common Files\Ahead\Lib\NMIndexingService.exe"
"C:\Program Files (x86)\Common Files\Ahead\Lib\NMIndexStoreSvr.exe" -Embedding
"C:\Program Files (x86)\ESET\nod32kui.exe" /WAITSERVICE
explorer.exe
"C:\Program Files (x86)\Winamp\winampa.exe"
"C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
"C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
"C:\Program Files (x86)\Common Files\InstallShield\UpdateService\issch.exe" -start
"C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM"
C:\Windows\system32\SearchIndexer.exe /Embedding
"C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe" 0
"C:\Program Files (x86)\Mozilla Firefox\firefox.exe"
"C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe" --channel=4760.b489120.1172980682 "C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll" 4760 plugin \\.\pipe\gecko-crash-server-pipe.4760
C:\Windows\System32\svchost.exe -k NetworkServiceAndNoImpersonation
C:\Windows\system32\sppsvc.exe
C:\Windows\System32\svchost.exe -k secsvcs
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
"C:\Program Files (x86)\Mozilla Firefox\firefox.exe"
"C:\totalcmd\TOTALCMD.EXE"
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\DjJezek\Desktop\TS ip.txt
"D:\Stazené soubory\RSITx64.exe"
C:\Windows\system32\wbem\wmiprvse.exe

======Scheduled tasks folder======

C:\Windows\tasks\AWC Startup.job
C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
C:\Windows\tasks\GoogleUpdateTaskMachineUA.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\wow6432node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
Adobe PDF Link Helper - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2009-12-21 75200]

[HKEY_LOCAL_MACHINE\SOFTWARE\wow6432node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}]
Groove GFS Browser Helper - C:\PROGRA~2\MICROS~3\Office12\GR469A~1.DLL [2006-10-27 2210608]

[HKEY_LOCAL_MACHINE\SOFTWARE\wow6432node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{75ED56AF-4DC9-4243-A30C-4EF4DD0CA28F}]
WitBHO Class - C:\Program Files (x86)\ChameleonTom\wit4ie.dll [2009-06-08 215552]

[HKEY_LOCAL_MACHINE\SOFTWARE\wow6432node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ba14329e-9550-4989-b3f2-9732e92d17cc}]
Vuze Remote Toolbar - C:\Program Files (x86)\Vuze_Remote\tbVuze.dll [2010-04-15 2515552]

[HKEY_LOCAL_MACHINE\SOFTWARE\wow6432node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java(tm) Plug-In 2 SSV Helper - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll [2010-02-18 41760]

[HKEY_LOCAL_MACHINE\SOFTWARE\wow6432node\Microsoft\Internet Explorer\Toolbar]
{ba14329e-9550-4989-b3f2-9732e92d17cc} - Vuze Remote Toolbar - C:\Program Files (x86)\Vuze_Remote\tbVuze.dll [2010-04-15 2515552]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"=C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [2009-05-24 7833120]
"Skytel"=C:\Program Files\Realtek\Audio\HDA\Skytel.exe [2009-05-24 1833504]
"AdobeAAMUpdater-1.0"=C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe [2010-03-06 500208]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"=C:\Program Files\Windows Sidebar\sidebar.exe [2009-07-14 1475072]
"DAEMON Tools Lite"=C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe [2009-10-30 369200]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"=C:\Program Files (x86)\Common Files\Ahead\Lib\NMBgMonitor.exe [2007-06-27 152872]
"ISUSPM Startup"=C:\PROGRA~2\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe [2004-06-16 221184]
"HKCU"=C:\Users\DjJezek\AppData\Roaming\winlog\winlog.exe [2006-06-15 354304]

[HKEY_LOCAL_MACHINE\Software\wow6432node\Microsoft\Windows\CurrentVersion\Run]
"nod32kui"=C:\Program Files (x86)\Eset\nod32kui.exe [2010-02-26 949376]
"WinampAgent"=C:\Program Files (x86)\Winamp\winampa.exe [2010-01-14 37888]
"GrooveMonitor"=C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe [2006-10-27 31016]
"LogMeIn Hamachi Ui"=C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe [2010-03-30 1820040]
"DivXUpdate"=C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe [2010-03-05 1135912]
"Adobe Reader Speed Launcher"=C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe [2009-12-22 35760]
"Adobe ARM"=C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2010-06-09 976832]
"SwitchBoard"=C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-02-19 517096]
"AdobeCS5ServiceManager"=C:\Program Files (x86)\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe [2010-02-22 406992]
"ATICustomerCare"=C:\Program Files (x86)\ATI\ATICustomerCare\ATICustomerCare.exe [2010-03-04 311296]
"ISUSScheduler"=C:\Program Files (x86)\Common Files\InstallShield\UpdateService\issch.exe [2004-06-16 81920]
"QuickTime Task"=C:\Program Files (x86)\QuickTime\QTTask.exe [2010-03-17 421888]
"StartCCC"=C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [2010-07-06 98304]
"HKLM"=C:\Users\DjJezek\AppData\Roaming\winlog\winlog.exe [2006-06-15 354304]

C:\Users\DjJezek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
msnmsngr.ink.lnk - C:\Users\DjJezek\AppData\Local\Temp\DokterWatson.exe
Výřezy obrazovky a spuštění aplikace OneNote 2007.lnk - C:\Program Files (x86)\Microsoft Office\Office12\ONENOTEM.EXE

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED}

[HKEY_LOCAL_MACHINE\SOFTWARE\wow6432node\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{B5A7F190-DDA6-4420-B3BA-52453494E6CD}"=C:\PROGRA~2\MICROS~3\Office12\GR469A~1.DLL [2006-10-27 2210608]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"=credssp.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\AFD]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Hamachi2Svc]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"ConsentPromptBehaviorAdmin"=5
"ConsentPromptBehaviorUser"=3
"EnableLUA"=0
"EnableUIADesktopToggle"=0
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoActiveDesktop"=1
"NoActiveDesktopChanges"=1
"ForceActiveDesktopOn"=0

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

======File associations======

.js - edit - C:\Windows\System32\Notepad.exe %1
.js - open - C:\Windows\System32\WScript.exe "%1" %*
.reg - open - "regedit.exe" "%1"

======List of files/folders created in the last 1 months======

2010-08-23 01:09:31 ----D---- C:\rsit
2010-08-23 01:09:31 ----D---- C:\Program Files\trend micro
2010-08-23 00:23:09 ----D---- C:\Program Files (x86)\ChameleonTom
2010-08-23 00:22:13 ----D---- C:\Windows\SYSWOW64\winlog
2010-08-08 18:53:31 ----D---- C:\ProgramData\ATI
2010-07-28 23:04:21 ----D---- C:\Users\DjJezek\AppData\Roaming\New Technology Studio
2010-07-25 08:26:37 ----D---- C:\Program Files (x86)\Next Limit
2010-07-24 01:53:55 ----D---- C:\ProgramData\Apple Computer
2010-07-24 01:49:16 ----D---- C:\Windows\SYSWOW64\madll
2010-07-24 01:49:13 ----D---- C:\Program Files (x86)\Abdio

======List of files/folders modified in the last 1 months======

2010-08-23 11:04:47 ----D---- C:\Windows\Temp
2010-08-23 10:37:27 ----D---- C:\Windows\System32
2010-08-23 10:37:27 ----D---- C:\Windows\inf
2010-08-23 10:37:27 ----A---- C:\Windows\system32\PerfStringBackup.INI
2010-08-23 01:19:55 ----D---- C:\Program Files (x86)\Teamspeak2_RC2
2010-08-23 01:09:31 ----RD---- C:\Program Files
2010-08-23 00:34:53 ----D---- C:\Program Files (x86)\ESET
2010-08-23 00:23:09 ----RD---- C:\Program Files (x86)
2010-08-23 00:22:13 ----D---- C:\Windows\SysWOW64
2010-08-23 00:14:22 ----D---- C:\Users\DjJezek\AppData\Roaming\Azureus
2010-08-22 20:05:42 ----SHD---- C:\System Volume Information
2010-08-22 15:23:22 ----D---- C:\Program Files (x86)\Garena
2010-08-21 22:41:55 ----A---- C:\Windows\SYSWOW64\PnkBstrB.exe
2010-08-20 18:58:42 ----HD---- C:\Program Files (x86)\InstallShield Installation Information
2010-08-14 19:51:00 ----D---- C:\Windows\Prefetch
2010-08-09 11:18:04 ----D---- C:\Windows
2010-08-08 18:53:31 ----HD---- C:\ProgramData
2010-08-08 18:53:30 ----SHD---- C:\Windows\Installer
2010-08-08 18:53:25 ----D---- C:\Program Files\ATI Technologies
2010-08-08 18:53:02 ----D---- C:\Windows\system32\catroot2
2010-08-08 18:53:02 ----D---- C:\Windows\system32\catroot
2010-08-08 18:52:47 ----D---- C:\Windows\system32\drivers
2010-08-08 18:52:42 ----D---- C:\Windows\system32\DriverStore
2010-08-05 21:05:31 ----D---- C:\Windows\system32\config
2010-08-05 14:38:44 ----D---- C:\Users\DjJezek\AppData\Roaming\ICQ
2010-07-27 18:44:48 ----RSD---- C:\Windows\assembly
2010-07-27 12:34:31 ----D---- C:\Users\DjJezek\AppData\Roaming\AIMP
2010-07-26 13:08:21 ----D---- C:\Program Files (x86)\Mozilla Firefox
2010-07-25 08:27:19 ----D---- C:\Windows\winsxs
2010-07-24 01:54:02 ----D---- C:\Program Files (x86)\QuickTime
2010-07-24 01:53:13 ----D---- C:\Program Files (x86)\Common Files

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R0 AtiPcie;AMD PCI Express (3GIO) Filter; C:\Windows\system32\DRIVERS\AtiPcie.sys [2009-05-06 16440]
R0 pciide;pciide; C:\Windows\system32\DRIVERS\pciide.sys [2009-07-14 12352]
R0 rdyboost;ReadyBoost; C:\Windows\System32\drivers\rdyboost.sys [2009-07-14 214096]
R0 sptd;sptd; C:\Windows\System32\Drivers\sptd.sys [2010-02-27 834544]
R2 AMON;AMON; C:\Windows\system32\drivers\amon.sys [2010-02-26 146704]
R3 amdkmdag;amdkmdag; C:\Windows\system32\DRIVERS\atikmdag.sys [2010-07-07 7195648]
R3 amdkmdap;amdkmdap; C:\Windows\system32\DRIVERS\atikmpag.sys [2010-07-07 265728]
R3 hamachi;Hamachi Network Interface; C:\Windows\system32\DRIVERS\hamachi.sys [2009-09-23 33856]
R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\Windows\system32\drivers\RTKVHD64.sys [2009-05-24 1762080]
R3 MTsensor;ATK0110 ACPI UTILITY; C:\Windows\system32\DRIVERS\ASACPI.sys [2009-05-14 15416]
R3 RTL8167;Realtek 8167 NT Driver; C:\Windows\system32\DRIVERS\Rt64win7.sys [2010-03-22 347680]
S2 atksgt;atksgt; C:\Windows\system32\DRIVERS\atksgt.sys [2010-06-09 303616]
S2 lirsgt;lirsgt; C:\Windows\system32\DRIVERS\lirsgt.sys [2010-06-09 35328]
S3 acuopoil;acuopoil; C:\Windows\system32\drivers\acuopoil.sys []
S3 atikmdag;atikmdag; C:\Windows\system32\DRIVERS\atikmdag.sys [2010-07-07 7195648]
S3 usbscan;Ovladač skeneru USB; C:\Windows\system32\DRIVERS\usbscan.sys [2009-07-14 41984]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 AMD External Events Utility;AMD External Events Utility; C:\Windows\system32\atiesrxx.exe [2010-07-07 203264]
R2 Hamachi2Svc;LogMeIn Hamachi 2.0 Tunneling Engine; C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe [2010-03-30 1823112]
R2 NOD32krn;NOD32 Kernel Service; C:\Program Files (x86)\Eset\nod32krn.exe [2010-02-26 552064]
R2 PnkBstrA;PnkBstrA; C:\Windows\syswow64\PnkBstrA.exe [2010-02-26 75064]
R3 NMIndexingService;NMIndexingService; C:\Program Files (x86)\Common Files\Ahead\Lib\NMIndexingService.exe [2007-06-27 279848]
S2 gupdate;Google Update Service (gupdate); C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2010-05-12 136176]
S3 Microsoft Office Groove Audit Service;Microsoft Office Groove Audit Service; C:\Program Files (x86)\Microsoft Office\Office12\GrooveAuditService.exe [2006-10-27 65824]
S3 NBService;NBService; C:\Program Files (x86)\Nero\Nero 7\Nero BackItUp\NBService.exe [2007-06-29 800040]
S3 nl_license_manager;nl_license_manager; C:\Program Files (x86)\Next Limit\Licence Manager\nl_license_manager.exe [2010-05-03 167424]
S3 odserv;Microsoft Office Diagnostics Service; C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE [2006-10-26 441136]
S3 ose;Office Source Engine; C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2006-10-26 145184]
S3 SwitchBoard;SwitchBoard; C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-02-19 517096]

-----------------EOF-----------------

[JaRon]

stiahni a uloz na plochu ComboFix

potom spust pod uctom s administratorskym opravnenim


akcia trva cca. 5-10 minut, niekedy i dlhsie -, Pocas scanu nespustaj ziadne ine aplikacie

Nie je dovod na paniku ak stroj bude restartovany
upozornenie: ak pouzivas antispyware s rezidentnim stitem, ten pred scanom vypni.

po restarte aplikacie vytvori log, ulozeny na C:\Combofix.txt (jeho obsah vloz sem)

[dzejsek]

pisemito zeje nekompatibilní s mím systemem ze pracuje jen na xp nebo 2000, mam windows 7 64bit

[JaRon]

skus spustit v Režime kompatibility s Windows XP

[dzejsek]

nefunguje:( na netu sem neco cetl zeto nefacha pod 64bit systemem, tohlemito hlasi at zkousim jakoukoliv kompatibilitu
http://img52.imageshack.us/f/nefacha.jpg/

[JaRon]

nechaj otestovat subor C:\Users\DjJezek\AppData\Roaming\winlog\winlog.exe na www.virustotal.com vysledky vloz

[dzejsek]

hmm zde vidis vysledek, bud sem neschopnej ja nebo semi to nedarí najít:D
http://img191.imageshack.us/f/zasenic.jpg/
btw asi pred 30minutama sem zase ztratil kontrolu nad pc a zase to najelo na tamtu stranku neco tam odeslalo, stahlo doplnek do mozili na nejakej chameleontom a prenastavilo mito domovskou stranku na nejakej vyhledavac chameleontoma, uz sem doplnek smazal ale jinak nod furt hlasi ty infiltrace kryptikem, teda spis pokusy

[JaRon]

skus tam spustit MBAM

[dzejsek]

zde vysledek



Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Verze databáze: 4465

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

23.8.2010 14:08:13
mbam-log-2010-08-23 (14-08-13).txt

Typ skenu: Úplný sken (C:\|)
Skenované objekty: 276768
Uplynulý čas: 28 minuta(y), 30 sekunda(y)

Infikované procesy v paměti: 0
Infikované moduly v paměti: 0
Infikované klíče registru: 2
Infikované hodnoty registru: 0
Infikované datové položky registru: 1
Infikované složky: 0
Infikované soubory: 8

Infikované procesy v paměti:
(Žádné škodlivé položky nebyly zjištěny)

Infikované moduly v paměti:
(Žádné škodlivé položky nebyly zjištěny)

Infikované klíče registru:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{hb3eh0a2-ms63-v852-d2h7-o46036mgqs88} (Generic.Bot.H) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\AppDataLow\HavingFunOnline (Adware.BHO.FL) -> No action taken.

Infikované hodnoty registru:
(Žádné škodlivé položky nebyly zjištěny)

Infikované datové položky registru:
HKEY_CLASSES_ROOT\regfile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: ("regedit.exe" "%1") Good: (regedit.exe "%1") -> No action taken.

Infikované složky:
(Žádné škodlivé položky nebyly zjištěny)

Infikované soubory:
C:\Users\DjJezek\AppData\Roaming\winlog\winlog.exe (Generic.Bot.H) -> No action taken.
C:\Users\DjJezek\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\793TE38Q\e4u-pfatch[1].exe (Trojan.Downloader) -> No action taken.
C:\Users\DjJezek\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HUE06QRX\e4u-pfatch[1].exe (Trojan.Downloader) -> No action taken.
C:\Users\DjJezek\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HUE06QRX\e4u-pfatch[2].exe (Trojan.Downloader) -> No action taken.
C:\Users\DjJezek\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\YS4GVMT1\e4u-pfatch[1].exe (Trojan.Downloader) -> No action taken.
C:\Users\DjJezek\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\YS4GVMT1\e4u-pfatch[2].exe (Trojan.Downloader) -> No action taken.
C:\Users\DjJezek\AppData\Local\Temp\e4u-pfatch.exe (Trojan.Downloader) -> No action taken.
C:\Users\DjJezek\AppData\Local\Temp\xxxyyyzzz.dat (Malware.Trace) -> No action taken.

[JaRon]

no fajn, vsetko najdene v MBAM nechaj odstranit - restart - zopakuj kontrolu - staci rychla

[dzejsek]

snad neni pravda... jen cose ten pc restartoval tak jak nabehl tak zase to same, stahlo to neco do mozili ten doplnek, zase vsude chameleontom a reklamy na strankach a novej sken nasel dalsi 4 infekce, jakmile provedu ten scan hned potom znova tak tam sou porad dalsi infekce:(


Malwarebytes' Anti-Malware 1.46
http://www.malwarebytes.org

Verze databáze: 4465

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

23.8.2010 14:23:14
mbam-log-2010-08-23 (14-23-14).txt

Typ skenu: Rychlý sken
Skenované objekty: 136921
Uplynulý čas: 3 minuta(y), 19 sekunda(y)

Infikované procesy v paměti: 0
Infikované moduly v paměti: 0
Infikované klíče registru: 1
Infikované hodnoty registru: 0
Infikované datové položky registru: 0
Infikované složky: 0
Infikované soubory: 3

Infikované procesy v paměti:
(Žádné škodlivé položky nebyly zjištěny)

Infikované moduly v paměti:
(Žádné škodlivé položky nebyly zjištěny)

Infikované klíče registru:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{hb3eh0a2-ms63-v852-d2h7-o46036mgqs88} (Generic.Bot.H) -> Quarantined and deleted successfully.

Infikované hodnoty registru:
(Žádné škodlivé položky nebyly zjištěny)

Infikované datové položky registru:
(Žádné škodlivé položky nebyly zjištěny)

Infikované složky:
(Žádné škodlivé položky nebyly zjištěny)

Infikované soubory:
C:\Users\DjJezek\AppData\Roaming\winlog\winlog.exe (Generic.Bot.H) -> Quarantined and deleted successfully.
C:\Users\DjJezek\AppData\Local\Temp\nsfC987.tmp\nswebgui.dll (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Users\DjJezek\AppData\Local\Temp\xxxyyyzzz.dat (Malware.Trace) -> Quarantined and deleted successfully.

[JaRon]

bude to chciet trochu trpezlivosti
odstran co nasiel MBAM - restart - chvilu nepouzivaj mozillu, ale MSIE + prescanuj PC s CureIT

[dzejsek]

ten CureIT nasel pouze zase ten winlog.exe a ten setam furt hned zase vytvari jakmile je smazan
zatim sme se ale uz nekam posunuly, uz asi 2 hodiny mi neskocil pokus o infiltraci tim kryptikem

[dzejsek]

ten CureIT nasel pouze zase ten winlog.exe a ten setam furt hned zase vytvari jakmile je smazan
zatim sme se ale uz nekam posunuly, uz asi 2 hodiny mi neskocil pokus o infiltraci tim kryptikem

tak beru zpet, jetotam porad, sakra pokazde kdyz odeberu chameleontom z mozili a este ho odinstaluju(je v program files este) tak pak po nejaky dobe zase ztratim kontrolu nad pc a sam semi zase stahne a nainstaluje, na netu sem se docetl zejeto "jakoby" doplnek k facebooku, byme zajimalo jaksemi dostal do pc kdyz facebook skoro nepouzivam

[motji]

Dobrý večer, záskok za kolegu


Stahněte OTL http://oldtimer.geekstogo.com/OTL.exe
-uložte ho na plochu a spustte soubor OTL.exe.
-do bílého okna dole skopírujte tento skript:

Kód: Vybrat vše

netsvcs
drivers32
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /s
c:\windows\*.* /U
%SYSTEMDRIVE%\*.exe
%ALLUSERSPROFILE%\Application Data\*.
%ALLUSERSPROFILE%\Application Data\*.exe /s
%APPDATA%\*.
%APPDATA%\*.exe /s
/md5start
eventlog.dll
scecli.dll
netlogon.dll
cngaudit.dll
sceclt.dll
ntelogon.dll
logevent.dll
iaStor.sys
nvstor.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
vaxscsi.sys
nvatabus.sys
viamraid.sys
nvata.sys
nvgts.sys
iastorv.sys
ViPrt.sys
eNetHook.dll
ahcix86.sys
KR10N.sys
nvstor32.sys
ahcix86s.sys
nvrd32.sys
symmpi.sys
adp3132.sys
mv61xx.sys
nvraid.sys
ndis.sys
winlogon.exe
explorer.exe
userinit.exe
lsass.exe
svchost.exe
smss.exe
hal.dll
ws2_32.dll
tcpip.sys
cryptsvc.dll
Changer.sys
JakNDis.sys
isapnp.sys
cdrom.sys
/md5stop
%systemroot%\*. /mp /s
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\system32\drivers\*.sys /lockedfiles
%systemroot%\System32\config\*.sav
%systemroot%\system32\*.dll /lockedfiles
reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\winlogon" /v GinaDLL /c
reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv" /v ImagePath /c
reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS" /v ImagePath /c
%systemroot%\system32\drivers\*.sys /3
%systemroot%\system32\*.* /3
CREATERESTOREPOINT 

- zaškrtněte okénko Pro všechny uživatele.
-označte okénka Kontrola na havěť "LOP" a Kontrola na havěť "Purity"
- Klikněte na tlačítko Prohledat
-po dokončení skenu se objeví logy OTL.Txt a Extras.txt, vložte je zde