VIRY.CZ

Pomáháme v boji s počítačovou havěti!
https://forum.viry.cz:443/

Backdoor:Win32/IRCot.gen!M - PROSIM O POMOC

https://forum.viry.cz:443/viewtopic.php?t=106137

Stránka 1 z 1

Backdoor:Win32/IRCot.gen!M - PROSIM O POMOC

Napsal: 31 říj 2010 19:53
od mistery
Dobrý večer - hneď na začiatku sa musím ospravedlniť za to že nie som moc počítačovo zdatný a preto Vás chcem poprosiť o trošku trpezlivosti v prípade že sa rozhodnete mi pomôcť... :) Som tu na fóre nový a nemám skúsenosti s odstraňovaním škodlivého softvéru, preto by som Vás chcel poprosiť o čo najpodrobnejší návod ak mi budete vedieť poradiť. Windows Defender mi pri každom spustení PC hlási že našiel Backdoor:Win32/IRCot.gen!M zakaždým ho dám zmazať ale pri ďalšom spustení PC to vyskočí znova. Našiel som tu podobný problém: http://www.viry.cz/forum/viewtopic.php?f=13&t=106096 a chcel som to riešiť podobne ale potom som si všimol že ten reg. od vyosek do OTM je "ušitý" priamo na karosove PC. Asi to nemôžem použiť alebo áno? Poradíte mi prosím ako mám postupovať? Spravil som si log v RSIT (uvádzam nižšie) chcel som spraviť aj ComboFix ale nie som si istý či všetko treba vypnúť :( Mám Norton internet security a v ňom viem vypnúť iba funkciu Auto-Protect - to je ta rezidentná ochrana ktorú treba vypnúť? Log v RSIT som robil až potom čo som dal W. Defenderom odstrániť tú hrozbu je to tak OK alebo to mám spustiť znovu? Ak sa dá prosím Vás o pomoc. Ďakujem.

Môj log. z RSIT:

Logfile of random's system information tool 1.08 (written by random/random)
Run by Miroslav at 2010-10-31 18:49:30
Microsoft® Windows Vista™ Home Premium Service Pack 2
System drive C: has 70 GB (21%) free of 335 GB
Total RAM: 3070 MB (44% free)

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 18:50:09, on 31. 10. 2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18975)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\hp\support\hpsysdrv.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Users\Miroslav\AppData\Roaming\Google\Google Talk\googletalk.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
c:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\hp\kbd\kbd.exe
C:\Windows\system32\conime.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Users\Miroslav\Desktop\Cistenie\RSIT.exe
C:\Program Files\trend micro\Miroslav.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE= ... on&pf=cndt
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.sk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE= ... on&pf=cndt
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE= ... on&pf=cndt
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=C:\Windows\system32\userinit.exe
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: WebTransBHO Class - {2DB66063-BB98-466A-AA0D-3E7ACF5ED853} - C:\ProgramData\LangSoft\WebIE.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.5805.1910\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: WebTranslator - {BFC32E1D-EE75-4A48-BC60-104E11EE2431} - C:\ProgramData\LangSoft\WebIE.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [hpsysdrv] c:\hp\support\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KbdStub.EXE
O4 - HKLM\..\Run: [StartCCC] "c:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [HP Software Update] c:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [amd_dc_opt] C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [googletalk] C:\Users\Miroslav\AppData\Roaming\Google\Google Talk\googletalk.exe /autostart
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [NVIDIA driver monitor] C:\Users\Public\nvsvc32.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O8 - Extra context menu item: E&xportovať do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: WebTran - {7E6A20FB-153F-402c-A84B-1A64E1955D3D} - C:\ProgramData\LangSoft\WebIE.dll
O9 - Extra button: Zdroje informácií - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {BFC32E1D-EE75-4A48-BC60-104E11EE2431} - (no file)
O9 - Extra button: (no name) - {CC963627-B1DC-40E0-B52A-CF21EE748449} - C:\ProgramData\LangSoft\WebIE.dll
O9 - Extra 'Tools' menuitem: &Nastavit překladač - {CC963627-B1DC-40E0-B52A-CF21EE748449} - C:\ProgramData\LangSoft\WebIE.dll
O9 - Extra button: (no name) - {CC963627-B1DC-40E0-B52A-CF21EE748450} - C:\ProgramData\LangSoft\WebIE.dll
O9 - Extra 'Tools' menuitem: &Slovník - {CC963627-B1DC-40E0-B52A-CF21EE748450} - C:\ProgramData\LangSoft\WebIE.dll
O9 - Extra button: (no name) - {CC963627-B1DC-40E0-B52A-CF21EE748451} - C:\ProgramData\LangSoft\WebIE.dll
O9 - Extra 'Tools' menuitem: Přeložit &označený text - {CC963627-B1DC-40E0-B52A-CF21EE748451} - C:\ProgramData\LangSoft\WebIE.dll
O9 - Extra button: (no name) - {CC963627-B1DC-40E0-B52A-CF21EE748452} - C:\ProgramData\LangSoft\WebIE.dll
O9 - Extra 'Tools' menuitem: Přeložit &stránku - {CC963627-B1DC-40E0-B52A-CF21EE748452} - C:\ProgramData\LangSoft\WebIE.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: Plánovač automatické aktualizace LiveUpdate (Automatic LiveUpdate Scheduler) - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Služba Google Update (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\Windows\system32\PnkBstrB.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
O23 - Service: @%SystemRoot%\System32\TuneUpDefragService.exe,-1 (TuneUp.Defrag) - TuneUp Software GmbH - C:\Windows\System32\TuneUpDefragService.exe

--
End of file - 10963 bytes

======Scheduled tasks folder======

C:\Windows\tasks\1-Click Maintenance.job
C:\Windows\tasks\AWC AutoSweep.job
C:\Windows\tasks\AWC Startup.job
C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
C:\Windows\tasks\Norton Internet Security - Prověřit tento počítač - Miroslav.job
C:\Windows\tasks\Norton Security Scan for Miroslav.job
C:\Windows\tasks\User_Feed_Synchronization-{87BD9793-18B8-406E-AF7F-A413740534DC}.job
C:\Windows\tasks\{22116563-108C-42c0-A7CE-60161B75E508}.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
Adobe PDF Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2010-09-22 75200]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{22BF413B-C6D2-4d91-82A9-A0F997BA588C}]
Skype add-on (mastermind) - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll [2008-09-23 1088296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2DB66063-BB98-466A-AA0D-3E7ACF5ED853}]
WebTransBHO Class - C:\ProgramData\LangSoft\WebIE.dll [2008-11-10 520192]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}]
C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll [2007-08-24 316784]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}]
Symantec Intrusion Prevention - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll [2008-12-13 116088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
Google Toolbar Helper - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll [2010-10-24 297648]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
Google Toolbar Notifier BHO - C:\Program Files\Google\GoogleToolbarNotifier\5.6.5805.1910\swg.dll [2010-10-24 843832]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java(tm) Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2010-08-04 41760]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{BFC32E1D-EE75-4A48-BC60-104E11EE2431} - WebTranslator - C:\ProgramData\LangSoft\WebIE.dll [2008-11-10 520192]
{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - Show Norton Toolbar - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll [2007-08-24 316784]
{2318C2B1-4965-11d4-9B18-009027A5CD4F} - Google Toolbar - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll [2010-10-24 297648]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"=C:\Program Files\Windows Defender\MSASCui.exe [2008-01-21 1008184]
"hpsysdrv"=c:\hp\support\hpsysdrv.exe [2007-04-18 65536]
"KBD"=C:\HP\KBD\KbdStub.EXE [2006-12-08 65536]
"StartCCC"=c:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [2008-01-21 61440]
"RtHDVCpl"=C:\Windows\RtHDVCpl.exe [2008-03-31 5369856]
"HP Software Update"=c:\Program Files\HP\HP Software Update\HPWuSchd2.exe [2007-05-08 54840]
"NeroFilterCheck"=C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe [2007-03-01 153136]
"ccApp"=C:\Program Files\Common Files\Symantec Shared\ccApp.exe [2008-10-17 51048]
"amd_dc_opt"=C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe [2008-07-22 77824]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [2010-09-23 35760]
"Adobe ARM"=C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2010-09-20 932288]
"SunJavaUpdateSched"=C:\Program Files\Common Files\Java\Java Update\jusched.exe [2010-05-14 248552]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"=C:\Program Files\Windows Sidebar\sidebar.exe [2009-04-11 1233920]
"ehTray.exe"=C:\Windows\ehome\ehTray.exe [2008-01-21 125952]
"swg"=C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [2009-02-16 39408]
"googletalk"=C:\Users\Miroslav\AppData\Roaming\Google\Google Talk\googletalk.exe [2007-01-01 3739648]
"AlcoholAutomount"=C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe [2007-08-01 222592]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"=C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe [2007-05-16 153136]
"Skype"=C:\Program Files\Skype\Phone\Skype.exe [2008-09-23 21755688]
"NVIDIA driver monitor"=C:\Users\Public\nvsvc32.exe [2010-10-15 62464]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfPf]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfRd]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfSvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfUsbccidDriver]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"EnableUIADesktopToggle"=0
"DisableTaskMgr"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"BindDirectlyToPropertySetStorage"=0
"NoActiveDesktopChanges"=0
"NoSetActiveDesktop"=0

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

======File associations======

.js - edit - C:\Windows\System32\Notepad.exe %1
.js - open - C:\Windows\System32\WScript.exe "%1" %*

======List of files/folders created in the last 1 months======

2010-10-31 18:49:33 ----D---- C:\Program Files\trend micro
2010-10-31 18:49:30 ----D---- C:\rsit
2010-10-27 10:38:23 ----A---- C:\Windows\system32\gameux.dll
2010-10-27 10:38:23 ----A---- C:\Windows\system32\Apphlpdm.dll
2010-10-27 10:38:22 ----A---- C:\Windows\system32\GameUXLegacyGDFs.dll
2010-10-17 17:26:25 ----D---- C:\Users\Miroslav\AppData\Roaming\Zoner
2010-10-14 13:06:44 ----A---- C:\Windows\system32\wmp.dll
2010-10-14 13:06:43 ----A---- C:\Windows\system32\wmploc.DLL
2010-10-14 13:06:28 ----A---- C:\Windows\system32\srvsvc.dll
2010-10-14 13:06:28 ----A---- C:\Windows\system32\netevent.dll
2010-10-14 13:06:28 ----A---- C:\Windows\system32\drivers\srvnet.sys
2010-10-14 13:06:28 ----A---- C:\Windows\system32\drivers\srv2.sys
2010-10-14 13:06:28 ----A---- C:\Windows\system32\drivers\srv.sys
2010-10-14 13:06:21 ----A---- C:\Windows\system32\schannel.dll
2010-10-14 13:06:20 ----A---- C:\Windows\system32\ole32.dll
2010-10-14 13:06:18 ----A---- C:\Windows\system32\t2embed.dll
2010-10-14 13:06:16 ----A---- C:\Windows\system32\mshtml.dll
2010-10-14 13:06:15 ----A---- C:\Windows\system32\urlmon.dll
2010-10-14 13:06:15 ----A---- C:\Windows\system32\msfeeds.dll
2010-10-14 13:06:15 ----A---- C:\Windows\system32\licmgr10.dll
2010-10-14 13:06:15 ----A---- C:\Windows\system32\ieframe.dll
2010-10-14 13:06:14 ----A---- C:\Windows\system32\wininet.dll
2010-10-14 13:06:14 ----A---- C:\Windows\system32\mstime.dll
2010-10-14 13:06:14 ----A---- C:\Windows\system32\mshtmled.dll
2010-10-14 13:06:14 ----A---- C:\Windows\system32\iertutil.dll
2010-10-14 13:06:13 ----A---- C:\Windows\system32\occache.dll
2010-10-14 13:06:13 ----A---- C:\Windows\system32\msfeedssync.exe
2010-10-14 13:06:13 ----A---- C:\Windows\system32\msfeedsbs.dll
2010-10-14 13:06:13 ----A---- C:\Windows\system32\jsproxy.dll
2010-10-14 13:06:13 ----A---- C:\Windows\system32\ieUnatt.exe
2010-10-14 13:06:13 ----A---- C:\Windows\system32\ieui.dll
2010-10-14 13:06:13 ----A---- C:\Windows\system32\iesysprep.dll
2010-10-14 13:06:13 ----A---- C:\Windows\system32\iesetup.dll
2010-10-14 13:06:13 ----A---- C:\Windows\system32\iernonce.dll
2010-10-14 13:06:13 ----A---- C:\Windows\system32\iepeers.dll
2010-10-14 13:06:13 ----A---- C:\Windows\system32\iedkcs32.dll
2010-10-14 13:06:13 ----A---- C:\Windows\system32\ie4uinit.exe
2010-10-14 13:06:12 ----A---- C:\Windows\system32\mfc40u.dll
2010-10-14 13:06:12 ----A---- C:\Windows\system32\mfc40.dll
2010-10-14 13:06:11 ----A---- C:\Windows\system32\win32k.sys
2010-10-14 13:06:09 ----A---- C:\Windows\system32\msshsq.dll
2010-10-14 13:06:08 ----A---- C:\Windows\system32\wmpmde.dll
2010-10-14 13:06:07 ----A---- C:\Windows\system32\comctl32.dll
2010-10-10 19:43:50 ----A---- C:\Windows\system32\javaws.exe
2010-10-10 19:43:50 ----A---- C:\Windows\system32\javaw.exe
2010-10-10 19:43:50 ----A---- C:\Windows\system32\java.exe
2010-10-10 10:06:46 ----D---- C:\Program Files\Adobe
2010-10-04 22:28:29 ----RA---- C:\Windows\system32\tmpD377.tmp
2010-10-04 20:07:33 ----D---- C:\Pcsx2

======List of files/folders modified in the last 1 months======

2010-10-31 18:49:59 ----D---- C:\Windows\Prefetch
2010-10-31 18:49:50 ----D---- C:\Windows\Temp
2010-10-31 18:49:33 ----D---- C:\Program Files
2010-10-31 18:48:19 ----D---- C:\Stiahnute
2010-10-31 18:36:04 ----D---- C:\Users\Miroslav\AppData\Roaming\Skype
2010-10-31 16:07:13 ----D---- C:\Users\Miroslav\AppData\Roaming\skypePM
2010-10-31 11:04:58 ----SHD---- C:\System Volume Information
2010-10-31 10:56:54 ----D---- C:\Filmy
2010-10-31 10:02:26 ----D---- C:\Windows\System32
2010-10-31 10:02:26 ----D---- C:\Windows\inf
2010-10-31 10:02:26 ----A---- C:\Windows\system32\PerfStringBackup.INI
2010-10-28 20:59:06 ----D---- C:\Program Files\Mozilla Firefox
2010-10-28 06:59:13 ----D---- C:\Windows\winsxs
2010-10-28 06:59:12 ----D---- C:\Windows\AppPatch
2010-10-27 10:37:53 ----D---- C:\Windows\system32\catroot2
2010-10-27 10:37:53 ----D---- C:\Windows\system32\catroot
2010-10-24 17:22:58 ----SHD---- C:\Windows\Installer
2010-10-23 20:59:29 ----D---- C:\Windows\system32\wbem
2010-10-23 20:59:29 ----D---- C:\Windows
2010-10-23 20:57:21 ----D---- C:\Program Files\Common Files\Skype
2010-10-23 20:57:17 ----D---- C:\Windows\Tasks
2010-10-23 20:57:17 ----D---- C:\Windows\system32\Tasks
2010-10-23 20:57:16 ----RSD---- C:\Windows\Media
2010-10-23 20:57:16 ----D---- C:\Windows\system32\spool
2010-10-23 20:57:16 ----D---- C:\Windows\system32\sk-SK
2010-10-23 20:57:16 ----D---- C:\Windows\system32\restore
2010-10-23 20:57:16 ----D---- C:\Windows\system32\migration
2010-10-23 20:57:16 ----D---- C:\Windows\system32\en-US
2010-10-23 20:57:16 ----D---- C:\Windows\system32\drivers
2010-10-23 20:57:16 ----D---- C:\Windows\system32\CodeIntegrity
2010-10-23 20:57:16 ----D---- C:\Windows\SMINST
2010-10-23 20:57:16 ----D---- C:\Windows\rescache
2010-10-23 20:57:14 ----SD---- C:\Windows\Downloaded Program Files
2010-10-23 20:57:14 ----RSD---- C:\Windows\Fonts
2010-10-23 20:57:14 ----RSD---- C:\Windows\assembly
2010-10-23 20:57:14 ----D---- C:\Users\Miroslav\AppData\Roaming\vlc
2010-10-23 20:57:13 ----RD---- C:\Users
2010-10-23 20:57:13 ----D---- C:\Program Files\Windows Media Player
2010-10-23 20:57:13 ----D---- C:\Program Files\OpenAL
2010-10-23 20:57:12 ----D---- C:\Windows\registration
2010-10-23 20:57:12 ----D---- C:\Program Files\Microsoft Works
2010-10-23 20:57:12 ----D---- C:\Program Files\Internet Explorer
2010-10-23 20:26:07 ----D---- C:\Program Files\Common Files\Java
2010-10-23 20:26:07 ----D---- C:\Program Files\Common Files\Adobe
2010-10-23 19:57:38 ----D---- C:\Downloads
2010-10-21 09:13:27 ----D---- C:\katka
2010-10-19 10:41:44 ----N---- C:\Windows\system32\MpSigStub.exe
2010-10-14 22:40:14 ----A---- C:\Windows\system32\mrt.exe
2010-10-10 19:43:48 ----D---- C:\Program Files\Java
2010-10-10 10:06:50 ----D---- C:\ProgramData\Adobe
2010-10-09 06:33:43 ----D---- C:\Windows\Microsoft.NET
2010-10-04 22:29:11 ----D---- C:\Program Files\Common Files\Wise Installation Wizard
2010-10-04 22:28:29 ----A---- C:\Windows\system32\wrap_oal.dll
2010-10-04 22:28:29 ----A---- C:\Windows\system32\OpenAL32.dll
2010-10-03 17:06:38 ----D---- C:\Users\Miroslav\AppData\Roaming\Vso
2010-10-02 20:20:09 ----D---- C:\Hry

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R0 nvstor32;nvstor32; C:\Windows\system32\drivers\nvstor32.sys [2008-01-25 140832]
R0 sptd;sptd; C:\Windows\System32\Drivers\sptd.sys [2008-12-23 717296]
R1 eeCtrl;Symantec Eraser Control driver; \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys [2010-05-26 371248]
R1 IDSvix86;Symantec Intrusion Prevention Driver; \??\C:\PROGRA~2\Symantec\DEFINI~1\SymcData\ipsdefs\20101028.001\IDSvix86.sys [2010-09-15 287792]
R1 SPBBCDrv;SPBBCDrv; \??\C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys [2008-09-05 447024]
R1 SRTSP;SRTSP; C:\Windows\System32\Drivers\SRTSP.SYS [2007-11-30 279088]
R1 SRTSPX;SRTSPX; C:\Windows\System32\Drivers\SRTSPX.SYS [2007-11-30 43696]
R1 StarOpen;StarOpen; C:\Windows\system32\drivers\StarOpen.sys [2009-02-10 5632]
R1 SymIM;Symantec Network Security Intermediate Filter Driver; C:\Windows\system32\DRIVERS\SymIMv.sys [2009-02-19 24112]
R1 SYMTDI;SYMTDI; C:\Windows\System32\Drivers\SYMTDI.SYS [2009-02-19 184496]
R2 atksgt;atksgt; C:\Windows\system32\DRIVERS\atksgt.sys [2008-12-27 278984]
R2 CO_Mon;CO_Mon; \??\C:\Windows\system32\drivers\CO_Mon.sys [2007-08-08 36056]
R2 lirsgt;lirsgt; C:\Windows\system32\DRIVERS\lirsgt.sys [2008-12-27 25416]
R3 AmdLLD;AMD Low Level Device Driver; C:\Windows\system32\DRIVERS\AmdLLD.sys [2007-06-29 34304]
R3 atikmdag;atikmdag; C:\Windows\system32\DRIVERS\atikmdag.sys [2008-02-26 3520512]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv; \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2010-05-26 102448]
R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\Windows\system32\drivers\RTKVHDA.sys [2008-03-31 2103512]
R3 NAVENG;NAVENG; \??\C:\PROGRA~2\Symantec\DEFINI~1\VirusDefs\20101031.002\NAVENG.SYS [2010-09-29 86064]
R3 NAVEX15;NAVEX15; \??\C:\PROGRA~2\Symantec\DEFINI~1\VirusDefs\20101031.002\NAVEX15.SYS [2010-09-29 1371184]
R3 NVENETFD;NVIDIA nForce Networking Controller Driver; C:\Windows\system32\DRIVERS\nvmfdx32.sys [2008-01-29 1042464]
R3 PCD5SRVC{BD6912E3-AC9D80E8-05040000};PCD5SRVC{BD6912E3-AC9D80E8-05040000} - PCDR Kernel Mode Service Helper Driver; \??\C:\PROGRA~1\PC-DOC~1\PCD5SRVC.pkms [2008-03-26 21280]
R3 pcouffin;VSO Software pcouffin; C:\Windows\System32\Drivers\pcouffin.sys [2008-11-20 47360]
R3 Ps2;PS2; C:\Windows\system32\DRIVERS\PS2.sys [2005-12-12 19072]
R3 SYMDNS;SYMDNS; C:\Windows\System32\Drivers\SYMDNS.SYS [2009-02-19 13616]
R3 SymEvent;SymEvent; \??\C:\Windows\system32\Drivers\SYMEVENT.SYS [2009-01-06 124464]
R3 SYMFW;SYMFW; C:\Windows\System32\Drivers\SYMFW.SYS [2009-02-19 96560]
R3 SYMNDISV;SYMNDISV; C:\Windows\System32\Drivers\SYMNDISV.SYS [2009-02-19 41008]
R3 SYMREDRV;SYMREDRV; C:\Windows\System32\Drivers\SYMREDRV.SYS [2009-02-19 22320]
R3 usbscan;USB Scanner Driver; C:\Windows\system32\DRIVERS\usbscan.sys [2008-01-21 35328]
R3 V0260VID;Live! Cam Vista IM; C:\Windows\system32\DRIVERS\V0260Vid.sys [2007-05-25 154560]
S3 afzig2he;afzig2he; C:\Windows\system32\drivers\afzig2he.sys []
S3 COH_Mon;COH_Mon; \??\C:\Windows\system32\Drivers\COH_Mon.sys [2008-07-30 23888]
S3 drmkaud;Microsoft Kernel DRM Audio Descrambler; C:\Windows\system32\drivers\drmkaud.sys [2008-01-21 5632]
S3 HdAudAddService;Ovladač funkce Microsoft 1.1 UAA pro službu zvuku High Definition Audio; C:\Windows\system32\drivers\HdAudio.sys [2006-11-02 235520]
S3 MSKSSRV;Server proxy služby datových proudů Microsoft; C:\Windows\system32\drivers\MSKSSRV.sys [2008-01-21 8192]
S3 MSPCLOCK;Server proxy hodin datových proudů Microsoft; C:\Windows\system32\drivers\MSPCLOCK.sys [2008-01-21 5888]
S3 MSPQM;Server proxy správce kvality datových proudů Microsoft; C:\Windows\system32\drivers\MSPQM.sys [2008-01-21 5504]
S3 MSTEE;Konvertor jímka-jímka typu T datových proudů Microsoft; C:\Windows\system32\drivers\MSTEE.sys [2008-01-21 6016]
S3 SRTSPL;SRTSPL; C:\Windows\System32\Drivers\SRTSPL.SYS [2007-11-30 317616]
S3 SymIMMP;SymIMMP; C:\Windows\system32\DRIVERS\SymIM.sys []
S3 WpdUsb;WpdUsb; C:\Windows\system32\DRIVERS\wpdusb.sys [2009-10-01 40448]
S3 WUDFRd;WUDFRd; C:\Windows\system32\DRIVERS\WUDFRd.sys [2008-01-21 83328]
S4 ErrDev;Microsoft Hardware Error Device Driver; C:\Windows\system32\drivers\errdev.sys [2008-01-21 6656]
S4 MegaSR;MegaSR; C:\Windows\system32\drivers\megasr.sys [2008-01-21 386616]
S4 nvrd32;NVIDIA nForce RAID Driver; C:\Windows\system32\drivers\nvrd32.sys [2008-01-25 132128]
S4 nvsmu;nvsmu; C:\Windows\system32\drivers\nvsmu.sys [2007-10-12 13312]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 Ati External Event Utility;Ati External Event Utility; C:\Windows\system32\Ati2evxx.exe [2008-02-25 655360]
R2 Automatic LiveUpdate Scheduler;Plánovač automatické aktualizace LiveUpdate; C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe [2007-08-31 243064]
R2 ccEvtMgr;Symantec Event Manager; C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe [2008-10-17 149352]
R2 ccSetMgr;Symantec Settings Manager; C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe [2008-10-17 149352]
R2 CLTNetCnService;Symantec Lic NetConnect service; C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe [2008-10-17 149352]
R2 HP Health Check Service;HP Health Check Service; c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe [2008-03-14 94208]
R2 LightScribeService;LightScribeService Direct Disc Labeling Service; c:\Program Files\Common Files\LightScribe\LSSrvc.exe [2008-03-17 73728]
R2 LiveUpdate Notice;LiveUpdate Notice; C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe [2008-10-17 149352]
R2 MDM;Machine Debug Manager; C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE [2003-06-19 322120]
R2 PnkBstrA;PnkBstrA; C:\Windows\system32\PnkBstrA.exe [2008-12-20 66872]
R2 PnkBstrB;PnkBstrB; C:\Windows\system32\PnkBstrB.exe [2008-12-20 107832]
R2 StarWindServiceAE;StarWind AE Service; C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe [2007-05-28 275968]
R2 UxTuneUp;@%SystemRoot%\System32\uxtuneup.dll,-4096; C:\Windows\System32\svchost.exe [2008-01-21 21504]
R3 NMIndexingService;NMIndexingService; C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe [2007-05-16 271920]
R3 Symantec Core LC;Symantec Core LC; C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe [2008-12-13 1251720]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86; C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
S2 gupdate;Služba Google Update (gupdate); C:\Program Files\Google\Update\GoogleUpdate.exe [2010-02-12 135664]
S3 comHost;COM Host; C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe [2007-08-22 55640]
S3 FontCache;@%systemroot%\system32\FntCache.dll,-100; C:\Windows\system32\svchost.exe [2008-01-21 21504]
S3 gusvc;Google Software Updater; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-04-30 182768]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [2005-04-04 69632]
S3 LiveUpdate;LiveUpdate; C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE [2007-08-23 3192184]
S3 NBService;NBService; C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe [2007-04-13 792112]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S3 TuneUp.Defrag;@%SystemRoot%\System32\TuneUpDefragService.exe,-1; C:\Windows\System32\TuneUpDefragService.exe [2008-12-21 306432]
S3 WPFFontCache_v0400;@C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe,-100; C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]

-----------------EOF-----------------

Ešte raz ďakujem za akúkoľvek pomoc.

Re: Backdoor:Win32/IRCot.gen!M - PROSIM O POMOC

Napsal: 31 říj 2010 19:56
od vyosek
Zdravim,pekny vecer preji a vitam Vas u nas na foru :welcome:

Vas log se studuje Obrázek a pracuje se na nem Obrázek.
Prosim o strpeni!Obrázek

Re: Backdoor:Win32/IRCot.gen!M - PROSIM O POMOC

Napsal: 31 říj 2010 20:00
od mistery
To je rýchlosť - klobúk dolu :D

Ďakujem za snahu a ochotu.

Re: Backdoor:Win32/IRCot.gen!M - PROSIM O POMOC

Napsal: 31 říj 2010 20:03
od vyosek
:arrow: Ja tenhle typ haveti rad :wub: :D Nemuzu si jej nechat ujit, jste uz muj dneska tusim treti s timhle typem haveti :lol:

:arrow: Je dobre ze jste ComboFix nepouzij, vize nize...Dale je treba ke kazdemu PC pristupovat individualne, nelze napsat obecny skript na mazani haveti :wink:

:arrow: Nebezpeci CFka
  • Je urcen primarne pro radce - jeho svevolnym pouzitim ztracite narok na podporu
  • Maze stopy po haveti, takze v logu z RSIT neni nic videt
  • Jeho log je treba dolustit, jelikoz neumi smazat vse - to ovsem tezko zvladnete pokud k tomu nejste vyskolen
  • CF muze mit bug = sunda Vam system, pokud nevite kam co uklada, jak co obnovit, mate system v kytkam a ceka Vas reinstal
  • CF taky bohuzel prozatim nekontroluje nektere dulezite knihovny (napr. hal.dll) - ty treba mazou nektere typy haveti (napr. angela) - smaze Vam po restartu hal.dll = nenajede Vam system a jste o radek vyse = reinstal
:arrow: Kliknete na Start a pote Spustit, pripadne pouzijte klavesou zkratku Win+R
  • Vyskoci na Vas okenko, do ktereho zkopirujte text nize

  • Kód: Vybrat vše

    services.msc
  • Kliknete na OK
  • Najdete sluzby nize
  • Služba Google Update
    Google Software Updater
    NBService
  • U kazde provedte toto
    • Klik na ni pravym mysidlem a zvolit Vlastnosti
    • Nyní klik na Zastavit
    • Typ spousteni nastavit na Zakazano
    • Potvrdte kliknutim na OK
:arrow: Spustte HJT a provedeme fixnuti polozek
  • HJT najdete zde C:\Program Files\trend micro\Miroslav.exe
  • Otevre se Vam okno, kliknete na Do a system scan only
  • V dalsim okne najdete radky které jsem Vam vypsal nize, vedle nich je ctverecek, do ktereho udelate zatrzitko
  • R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE= ... on&pf=cndt
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE= ... on&pf=cndt
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE= ... on&pf=cndt
  • Kliknete na Fix checked (vlevo dole)
  • HJT se Vas zepta zda opravdu ANO, s tim souhlasite a je hotovo Obrázek
:arrow: Stahnete OTM (viz muj podpis)
  • Pokud pouzivate Win Vista ci W7, kliknete na OTM pravym a dejte Run As Administrator ci Spustit jako spravce
  • Do leveho okna Paste Instructions for Items to be Moved (pod zlutou caru) vlozte obsah, ktery mate nize

  • Kód: Vybrat vše

    :reg
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{BFC32E1D-EE75-4A48-BC60-104E11EE2431}]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"HP Software Update"=-
"NeroFilterCheck"=-
"Adobe Reader Speed Launcher"=-
"Adobe ARM"=-
"SunJavaUpdateSched"=-
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"=-
"swg"=-
"googletalk"=-
"AlcoholAutomount"=-
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"=-
"Skype"=-
"NVIDIA driver monitor"=-

:files
C:\Users\Public\nvsvc32.exe
C:\Windows\tasks\User_Feed_Synchronization-{87BD9793-18B8-406E-AF7F-A413740534DC}.job
C:\Windows\tasks\{22116563-108C-42c0-A7CE-60161B75E508}.job
C:\Windows\tasks\AWC AutoSweep.job
C:\Windows\tasks\AWC Startup.job
C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
%windir%\system32\*.tmp.dll /s
%windir%\system32\SET*.tmp /s
%windir%\*.tmp /s

:commands
[RESETHOSTS]
[EMPTYTEMP]
[EMPTYFLASH]
  • Kliknete na cervene tlacitko MoveIt!
  • Budete vyzvani na restart, dejte Yes, log pote najdete C:\_OTM\MovedFiles, obsah sem vlozte

Re: Backdoor:Win32/IRCot.gen!M - PROSIM O POMOC

Napsal: 31 říj 2010 20:29
od mistery
Aby som niečo nepokazil: je možne že tie programy v prvom kroku čo ste mi napísal boli všetky vypnuté? (Služba Google Update, Google Software Updater, NBService - stopped) dal som len disabled... môže byť? je to tak ok?

Re: Backdoor:Win32/IRCot.gen!M - PROSIM O POMOC

Napsal: 31 říj 2010 20:31
od vyosek
:arrow: Je to mozne, udelal jste to spravne :wink:

:arrow: Kdyby byly nejake problemy ci nejasnosti, tak se ptat :turned:

Re: Backdoor:Win32/IRCot.gen!M - PROSIM O POMOC

Napsal: 31 říj 2010 20:55
od mistery
Tak myslím že som to zvládol úspešne :D

tu je log z OTM:

All processes killed
========== REGISTRY ==========
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{BFC32E1D-EE75-4A48-BC60-104E11EE2431}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BFC32E1D-EE75-4A48-BC60-104E11EE2431}\ deleted successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\HP Software Update deleted successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\NeroFilterCheck deleted successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\Adobe Reader Speed Launcher deleted successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\Adobe ARM deleted successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\SunJavaUpdateSched deleted successfully.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\ehTray.exe deleted successfully.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\swg deleted successfully.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\googletalk deleted successfully.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\AlcoholAutomount deleted successfully.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} deleted successfully.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\Skype deleted successfully.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\NVIDIA driver monitor deleted successfully.
========== FILES ==========
C:\Users\Public\nvsvc32.exe moved successfully.
C:\Windows\tasks\User_Feed_Synchronization-{87BD9793-18B8-406E-AF7F-A413740534DC}.job moved successfully.
C:\Windows\tasks\{22116563-108C-42c0-A7CE-60161B75E508}.job moved successfully.
C:\Windows\tasks\AWC AutoSweep.job moved successfully.
C:\Windows\tasks\AWC Startup.job moved successfully.
C:\Windows\tasks\GoogleUpdateTaskMachineCore.job moved successfully.
C:\Windows\tasks\GoogleUpdateTaskMachineUA.job moved successfully.
File/Folder C:\Windows\system32\*.tmp.dll not found.
File/Folder C:\Windows\system32\SET*.tmp not found.
C:\Windows\95FC26FB19FD4A96BBB1B1062E8648F5.TMP folder moved successfully.
C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP1322.tmp folder moved successfully.
C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP1323.tmp folder moved successfully.
C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP1EC6.tmp folder moved successfully.
C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2DF2.tmp folder moved successfully.
C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP3745.tmp folder moved successfully.
C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP5C42.tmp folder moved successfully.
C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP7722.tmp folder moved successfully.
C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP81A.tmp folder moved successfully.
C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPE752.tmp folder moved successfully.
C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPEEF0.tmp folder moved successfully.
C:\Windows\System32\tmpD356.tmp moved successfully.
C:\Windows\System32\tmpD377.tmp moved successfully.
C:\Windows\Temp\DWD49FB.tmp folder moved successfully.
C:\Windows\Temp\DWDBE5F.tmp folder moved successfully.
C:\Windows\Temp\DWDD355.tmp folder moved successfully.
File move failed. C:\Windows\Temp\JETCFCC.tmp scheduled to be moved on reboot.
========== COMMANDS ==========
C:\Windows\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Miroslav
->Temp folder emptied: 1140412 bytes
->Temporary Internet Files folder emptied: 10965257 bytes
->Java cache emptied: 52624593 bytes
->FireFox cache emptied: 102532335 bytes
->Flash cache emptied: 898 bytes

User: Public

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 3217549 bytes
%systemroot%\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 13603161 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 176,00 mb


OTM by OldTimer - Version 3.1.17.1 log created on 10312010_204119

Files moved on Reboot...
File C:\Windows\Temp\JETCFCC.tmp not found!

Registry entries deleted on Reboot...

Defender už prestal vyskakovať že našiel hrozbu.

Re: Backdoor:Win32/IRCot.gen!M - PROSIM O POMOC

Napsal: 31 říj 2010 20:59
od vyosek
:arrow: Ja si to nemyslim, ja to vim :wink:

:arrow: Defender je potichu, jelikoz hrozba uz si pekne stele v karantene pro OTM ale brzy poleti z PC uplne

:arrow: OTC http://oldtimer.geekstogo.com/OTC.exe
  • Stahnete a spustte
  • Kliknete na CleanUp a potvrdte YES
  • Program uklidi a restartuje PC

:arrow: TFC http://oldtimer.geekstogo.com/TFC.exe
  • Stahnete a spustte
  • Kliknete na Start a potvrdte OK
  • Program uklidi a restartuje pc
  • Po pouziti utilitu smazte
:arrow: Stahnete Ccleaner (viz muj podpis), pri instalaci dejte fajfku pryc u yahoo toolbaru
Panel čistič
  • Vse nechte jak je, jen dejte Analyzovat a pote Spustit CCleaner
Panel registry
  • dejte Hledej problémy
  • nasledne Opravit problémy - zalohu registru doporucuji udelat, opravte vsechny problemy
  • postup opakujte dokud nebude bez problemu - vetsinou cca 3x
Panel nástroje
  • Zde muzete odinstalovat nepotrebne programy
CCleaner doporucuji pouzivat cca jednou za 14 dni

:arrow: A muzem si placnout, jelikoz havet by v PC byt nemela :fr:

Re: Backdoor:Win32/IRCot.gen!M - PROSIM O POMOC

Napsal: 31 říj 2010 21:09
od mistery
Super - ďakujem. Som nadšený - s takou ochotou a profesionalitou sa človek nestretne na každom rohu.
Idem čistiť :D
Ešte raz ďakujem.

Re: Backdoor:Win32/IRCot.gen!M - PROSIM O POMOC

Napsal: 31 říj 2010 21:12
od vyosek
Nemate zac, rad jsem pomohl :). Dekuji za spolupraci Obrázek. Zase nekdy nashledanou Obrázek.
Všechny časy jsou v UTC+01:00
Stránka 1 z 1

Založeno na phpBB® Forum Software © phpBB Limited

Český překlad – phpBB.cz