překvapivě - FB vir

[Lena23]

Moje setra to taky neprokoukla, takže mám zavirovaný pc.. odrovnalo to antivirus, instalace nového končí vždy neúspěchem.. můžu prosit o radu..?

[vyosek]

Zdravim, pekny den preji a vitam vas u nas na foru

Sestru poslat ven za klukama, kdyz nevi roupama na co by klikla

Stahnete RogueKiller http://www.sur-la-toile.com/RogueKiller/RogueKiller.exe

• Ukoncete vsechny programy
• Pokud pouzivate Win Vista ci W7, kliknete na RogueKiller pravym a dejte Run As Administrator ci Spustit jako spravce
• Zvolte moznost 2 a potvrte enterem
• Utilita provede svou cinnost a da log - ten sem vlozte
• Nyni znovu, ale zvolte moznost 3 a pote jeste 4 - logy opet vlozte

[Lena23]

2

Bad processes: 5
[SUSP PATH] l1rezerv.exe -- c:\windows\l1rezerv.exe -> KILLED
[SVCHOST] svchost.exe -- c:\windows\update.tray-12-0\svchost.exe -> KILLED
[SVCHOST] svchost.exe -- c:\windows\update.tray-7-0\svchost.exe -> KILLED
[SVCHOST] svchost.exe -- c:\windows\update.tray-3-0\svchost.exe -> KILLED
[SVCHOST] svchost.exe -- c:\windows\update.tray-2-0\svchost.exe -> KILLED

Registry Entries: 14
[ROGUE ST] HKCU\[...]\Run : 62487094788723824994395355246397 (C:\Program Files\XP Antivirus\xpa.exe) -> DELETED
[SUSP PATH] HKLM\[...]\Run : l1rezerv.exe ("C:\WINDOWS\l1rezerv.exe") -> DELETED
[SUSP PATH] HKLM\[...]\Run : sysdriver32_.exe ("C:\WINDOWS\sysdriver32_.exe" rezerv) -> DELETED
[SUSP PATH] HKLM\[...]\Run : 7157519.exe ("C:\DOCUME~1\SLEZAK~1\LOCALS~1\Temp\7157519.exe") -> DELETED
[SUSP PATH] HKLM\[...]\Run : 8932295.exe ("C:\WINDOWS\TEMP\8932295.exe") -> DELETED
[SUSP PATH] HKLM\[...]\Run : 44963469-loader2.exe ("C:\WINDOWS\TEMP\44963469-loader2.exe") -> DELETED
[SUSP PATH] HKLM\[...]\Run : sysdriver32.exe ("C:\WINDOWS\sysdriver32.exe" rezerv) -> DELETED
[SUSP PATH] HKLM\[...]\Run : 9661291.exe ("C:\WINDOWS\TEMP\9661291.exe") -> DELETED
[BLACKLIST DLL] HKLM\[...]\RunOnce : Uninstall Adobe Download Manager ("C:\WINDOWS\system32\rundll32.exe" "C:\Program Files\NOS\bin\getPlus_Helper.dll",Uninstall /IE2883E8F-472F-4fb0-9522-AC9BF37916A7 /Get1noarp) -> DELETED
[HJ] HKLM\[...]\System : EnableLUA (0) -> REPLACED (1)
[HJ] HKLM\[...]\Security Center : AntiVirusDisableNotify (1) -> REPLACED (0)
[HJ] HKLM\[...]\Security Center : FirewallDisableNotify (1) -> REPLACED (0)
[HJ] HKLM\[...]\Security Center : UpdatesDisableNotify (1) -> REPLACED (0)
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

HOSTS File:


Finished : << RKreport[1].txt >>
RKreport[1].txt

[Lena23]

3
RogueKiller V5.2.8 [07/23/2011] by Tigzy
contact at http://www.sur-la-toile.com
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.sur-la-toile.com/discussion- ... ntees.html

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User: slezakovi [Admin rights]
Mode: HOSTSFix -- Date : 07/27/2011 00:31:21

Bad processes: 0

HOSTS File:


Resetted HOSTS:
127.0.0.1 localhost

Finished : << RKreport[2].txt >>
RKreport[1].txt ; RKreport[2].txt

[Lena23]

RogueKiller V5.2.8 [07/23/2011] by Tigzy
contact at http://www.sur-la-toile.com
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.sur-la-toile.com/discussion- ... ntees.html

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User: slezakovi [Admin rights]
Mode: ProxyFix -- Date : 07/27/2011 00:33:25

Bad processes: 0

Registry Entries: 0

Finished : << RKreport[3].txt >>
RKreport[1].txt ; RKreport[2].txt ; RKreport[3].txt

[vyosek]

vyborne Pujdem dale

PROSIM CTETE DUKLADNE NAVOD - TATO UTILITA MA VELKOU SCHOPNOST MAZAT A JE NUTNE JI APLIKOVAT JEN NA DOPORUCENI, JINAK VAM MUZE JIT SYSTEM DO KYTEK
Stahnete a ulozte na plochu Combofix http://download.bleepingcomputer.com/sUBs/ComboFix.exe

• Ihned po startu se zobrazi stranka s licencnim ujednanim, pokracujte kliknutim na Ano
• Pokud Vam CF nabidne instalaci Konzoly pro zotaveni, tak souhlaste
• Dale postupujte dle pokynu, behem scanu nechte PC naprosto v klidu - nespoustejte zadne aplikace a neklikejte do zobrazujiciho se okna
• Scan by mel trvat cca 10 min, ale pokud bude PC hodne zaneseno, muze se cas prodlouzit
• Po dokonceni skenu a pripadnem restartu CF zobrazi log, pripadne jej najdete zde C:\ComboFix.txt, jeho obsah sem vlozte
• Detailni postup vc. obrazku mate zde http://www.bleepingcomputer.com/combofi ... t-combofix

[Lena23]

ok, ale teda ten obrázek k tomu postupu mi nejde zobrazit...

[Lena23]

tak už jo..

[vyosek]

Oki, pockam na log z CFka

[Lena23]

jo a co znamená to CF?
jinak v tom návodu píšou, že mám vypnout 1)antiviry - jak je mám vypnout když ten virus je oddělal? myslím, že to ani nejde ne.. 2)antispywary - nic takovýho asi nemám.. 3) firewall - to nevím jak na to, je tam sice odkaz, ale je to v angličtině a je to na mě moc složitý..

[vyosek]

CF = ComboFix

Jelikoz je zabezpeceni poskozeno, je s nim tezka domluva - nechte to tak, pripadnou hlasku ComboFixu o jeho zapnuti ignorujte a odkliknete

[Lena23]

konzolu pro nastavení se nepodařilo naistalovat, takže jak říkal návod ji teď půjdu nainstalovat ručně.. a tady je ten log..

ComboFix 11-07-27.01 - slezakovi 27.07.2011 11:14:11.1.1 - x86
Systém Microsoft Windows XP Professional 5.1.2600.3.1250.420.1029.18.511.248 [GMT 2:00]
Spuštěný z: c:\documents and settings\slezakovi\Plocha\ComboFix.exe
.
VAROVÁNÍ - NA TOMTO POČÍTAČI NENÍ NAINSTALOVÁNA KONZOLA PRO ZOTAVENÍ !!
.
.
((((((((((((((((((((((((((((((((((((((( Ostatní výmazy )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\slezakovi\Local Settings\Temporary Internet Files\{5617ECA9-488D-4BA2-8562-9710B9AB78D2}
c:\documents and settings\slezakovi\Local Settings\Temporary Internet Files\{5617ECA9-488D-4BA2-8562-9710B9AB78D2}\bg.jpg
c:\documents and settings\slezakovi\Local Settings\Temporary Internet Files\{5617ECA9-488D-4BA2-8562-9710B9AB78D2}\CurrentVersion.xml
c:\documents and settings\slezakovi\Local Settings\Temporary Internet Files\{5617ECA9-488D-4BA2-8562-9710B9AB78D2}\Data\ProductInfo.mx
c:\documents and settings\slezakovi\Local Settings\Temporary Internet Files\{5617ECA9-488D-4BA2-8562-9710B9AB78D2}\icon.ico
c:\documents and settings\slezakovi\Local Settings\Temporary Internet Files\{5617ECA9-488D-4BA2-8562-9710B9AB78D2}\productinfo.dll
c:\documents and settings\slezakovi\Local Settings\Temporary Internet Files\{5617ECA9-488D-4BA2-8562-9710B9AB78D2}\Setup.exe
c:\documents and settings\slezakovi\Local Settings\Temporary Internet Files\{5617ECA9-488D-4BA2-8562-9710B9AB78D2}\stbup.exe
c:\documents and settings\slezakovi\Local Settings\Temporary Internet Files\{5617ECA9-488D-4BA2-8562-9710B9AB78D2}\tdf.dat
c:\documents and settings\slezakovi\WINDOWS
c:\program files\driver
c:\windows\update.1
c:\windows\update.1\svchost.exe
c:\windows\update.2
c:\windows\update.5.0
.
.
((((((((((((((((((((((((((((((((((((((( Ovladače/Služby )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_SRVBTCCLIENT
-------\Legacy_SRVIECHECK
-------\Legacy_SRVSYSDRIVER32
-------\Legacy_WXPDRIVERS
-------\Service_srvbtcclient
-------\Service_srviecheck
-------\Service_srvsysdriver32
-------\Service_wxpdrivers
.
.
((((((((((((((((((((((((( Soubory vytvořené od 2011-06-27 do 2011-07-27 )))))))))))))))))))))))))))))))
.
.
2011-07-26 20:44 . 2011-07-26 20:44 -------- d-----w- c:\documents and settings\slezakovi\Data aplikací\AVG10
2011-07-26 20:32 . 2011-07-26 20:34 -------- d-----w- c:\windows\system32\drivers\AVG
2011-07-26 20:23 . 2011-07-26 20:23 -------- d--h--w- c:\documents and settings\All Users\Data aplikací\Common Files
2011-07-26 20:15 . 2011-07-26 20:31 -------- d-----w- c:\documents and settings\All Users\Data aplikací\MFAData
2011-07-26 19:35 . 2011-07-26 19:35 -------- d--h--w- c:\windows\update.tray-3-0-lnk
2011-07-26 19:35 . 2011-07-26 19:35 -------- d--h--w- c:\windows\update.tray-2-0
2011-07-26 19:35 . 2011-07-26 19:35 -------- d--h--w- c:\windows\update.tray-2-0-lnk
2011-07-26 17:50 . 2011-07-26 17:50 -------- d--h--w- c:\windows\system32\GroupPolicy
2011-07-26 17:43 . 2011-07-26 17:43 -------- d-----w- c:\documents and settings\Administrator
2011-07-26 17:18 . 2011-07-26 17:18 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Data aplikací\ESET
2011-07-26 16:48 . 2011-07-26 16:48 114176 ----a-w- c:\windows\systemup.exe
2011-07-26 11:43 . 2011-07-04 11:36 441176 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-07-26 11:23 . 2011-07-26 11:23 -------- d-----w- c:\windows\ufa
2011-07-26 11:23 . 2011-07-26 11:23 -------- d-----w- c:\windows\rpcminer
2011-07-26 11:23 . 2011-07-26 11:23 -------- d-----w- c:\windows\phoenix
2011-07-26 11:21 . 2011-07-26 11:21 232960 ----a-w- c:\windows\l1rezerv.exe
2011-07-26 11:18 . 2011-07-26 11:23 246272 ----a-w- c:\windows\unrar.exe
2011-07-26 11:15 . 2011-07-26 19:37 -------- d-----w- c:\windows\av_ico
2011-07-26 11:14 . 2011-07-26 11:14 -------- d--h--w- c:\windows\update.tray-7-0
2011-07-26 11:14 . 2011-07-26 11:14 -------- d--h--w- c:\windows\update.tray-7-0-lnk
2011-07-26 11:14 . 2011-07-26 11:14 -------- d--h--w- c:\windows\update.tray-3-0
2011-07-26 11:03 . 2011-07-26 11:03 -------- d-----w- c:\documents and settings\LocalService\Nabídka Start
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-07-04 11:43 . 2010-12-14 08:01 40112 ----a-w- c:\windows\avastSS.scr
2011-07-04 11:43 . 2008-07-09 18:25 199304 ----a-w- c:\windows\system32\aswBoot.exe
2011-07-04 11:36 . 2008-07-09 18:26 309848 ----a-w- c:\windows\system32\drivers\aswSP.sys
2011-07-04 11:35 . 2008-07-09 18:26 43608 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2011-07-04 11:35 . 2008-07-09 18:26 102616 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2011-07-04 11:35 . 2008-07-09 18:26 96344 ----a-w- c:\windows\system32\drivers\aswmon.sys
2011-07-04 11:32 . 2008-07-09 18:26 25432 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2011-07-04 11:32 . 2008-07-09 18:26 30808 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2011-07-04 11:32 . 2008-07-09 18:26 19544 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2011-06-06 11:35 . 2004-08-18 12:00 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-05-02 15:32 . 2007-07-22 16:25 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-04-29 17:25 . 2004-08-18 12:00 151552 ----a-w- c:\windows\system32\schannel.dll
2011-04-29 16:19 . 2004-08-18 12:00 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2007-12-16 12:43 . 2007-12-16 12:42 1202152 ----a-w- c:\program files\toolbar.exe
2011-06-22 22:49 . 2011-03-28 21:15 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{EEE6C35D-6118-11DC-9C72-001320C79847}"= "c:\program files\SweetIM\Toolbars\Internet Explorer\mgHelper.dll" [2010-06-16 138552]
.
[HKEY_CLASSES_ROOT\clsid\{eee6c35d-6118-11dc-9c72-001320c79847}]
[HKEY_CLASSES_ROOT\SweetIM_URLSearchHook.ToolbarURLSearchHook.1]
[HKEY_CLASSES_ROOT\TypeLib\{EEE6C35F-6118-11DC-9C72-001320C79847}]
[HKEY_CLASSES_ROOT\SweetIM_URLSearchHook.ToolbarURLSearchHook]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EEE6C35C-6118-11DC-9C72-001320C79847}]
2010-06-16 10:35 1444664 ----a-w- c:\program files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{EEE6C35B-6118-11DC-9C72-001320C79847}"= "c:\program files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll" [2010-06-16 1444664]
.
[HKEY_CLASSES_ROOT\clsid\{eee6c35b-6118-11dc-9c72-001320c79847}]
[HKEY_CLASSES_ROOT\SWEETIE.IEToolbar.1]
[HKEY_CLASSES_ROOT\TypeLib\{EEE6C35E-6118-11DC-9C72-001320C79847}]
[HKEY_CLASSES_ROOT\SWEETIE.IEToolbar]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{EEE6C35B-6118-11DC-9C72-001320C79847}"= "c:\program files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll" [2010-06-16 1444664]
.
[HKEY_CLASSES_ROOT\clsid\{eee6c35b-6118-11dc-9c72-001320c79847}]
[HKEY_CLASSES_ROOT\SWEETIE.IEToolbar.1]
[HKEY_CLASSES_ROOT\TypeLib\{EEE6C35E-6118-11DC-9C72-001320C79847}]
[HKEY_CLASSES_ROOT\SWEETIE.IEToolbar]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-03-12 153136]
"OM2_Monitor"="c:\program files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe" [2007-02-08 95800]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-04-18 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Device Detector"="DevDetect.exe -autorun" [X]
"NVMixerTray"="c:\program files\NVIDIA Corporation\NvMixer\NVMixerTray.exe" [2004-12-20 131072]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-06-15 6803456]
"nwiz"="nwiz.exe" [2005-06-15 1519616]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2005-06-15 86016]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-09 153136]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"l1rezerv.exe"="c:\windows\l1rezerv.exe" [2011-07-26 232960]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableSecureUIAPaths"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG10\avgchsvx.exe /sync\0c:\progra~1\AVG\AVG10\avgrsx.exe /sync /restart
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001
"DisableThumbnailCache"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\BitComet\\BitComet.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Program Files\\QIP\\qip.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"c:\\Program Files\\QIP 2010\\qip.exe"=
"c:\\Program Files\\ICQ7.4\\ICQ.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\WINDOWS\\update.tray-7-0\\svchost.exe"=
"c:\\WINDOWS\\update.tray-3-0\\svchost.exe"=
"c:\\WINDOWS\\update.tray-7-0-lnk\\svchost.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"17669:TCP"= 17669:TCP:BitComet 17669 TCP
"17669:UDP"= 17669:UDP:BitComet 17669 UDP
"19993:TCP"= 19993:TCP:BitComet 19993 TCP
"19993:UDP"= 19993:UDP:BitComet 19993 UDP
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [22.2.2011 8:13 22992]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [16.3.2011 16:03 32592]
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [22.7.2007 20:00 682232]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [7.1.2011 6:41 248656]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [5.4.2011 0:59 297168]
R1 BIOS;BIOS;c:\windows\system32\drivers\BIOS.sys [22.7.2007 18:44 13696]
R2 ICQ Service;ICQ Service;c:\program files\ICQ6Toolbar\ICQ Service.exe [11.3.2009 20:30 247096]
R2 UltiDev Cassini Web Server for ASP.NET 2.0;UltiDev Cassini Web Server for ASP.NET 2.0;c:\program files\UltiDev\Cassini Web Server for ASP.NET 2.0\UltiDevCassinWebServer2a.exe [8.2.2007 1:06 49152]
R2 WF23880;WinFast TV2000/DV2000 WDM Video Capture.;c:\windows\system32\drivers\wf88vcap.sys [7.2.2010 23:15 208851]
R2 WF88XBAR;WinFast TV2000/DV2000 WDM Crossbar.;c:\windows\system32\drivers\WF88XBAR.sys [7.2.2010 23:15 10324]
R2 WFTUNE;WinFast TV2000/DV2000 WDM Tuner.;c:\windows\system32\drivers\wf88tune.sys [7.2.2010 23:15 34789]
R3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [12.7.2010 4:33 30432]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [14.4.2011 21:28 134480]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [10.2.2011 7:53 24144]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [10.2.2011 7:53 27216]
S2 avgfws;AVG Firewall;"c:\program files\AVG\AVG10\avgfws.exe" --> c:\program files\AVG\AVG10\avgfws.exe [?]
S2 AVGIDSAgent;AVGIDSAgent;"c:\program files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe" --> c:\program files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe [?]
S2 avgwd;AVG WatchDog;"c:\program files\AVG\AVG10\avgwdsvc.exe" --> c:\program files\AVG\AVG10\avgwdsvc.exe [?]
S2 gupdate1c9c01949cb8f84;Služba Google Update (gupdate1c9c01949cb8f84);c:\program files\Google\Update\GoogleUpdate.exe [18.4.2009 13:31 133104]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [12.7.2010 4:33 30432]
S3 gupdatem;Služba Google Update (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [18.4.2009 13:31 133104]
S3 se46bus;Sony Ericsson Device 070 driver (WDM);c:\windows\system32\drivers\se46bus.sys [27.12.2007 17:40 61536]
S3 se46mdfl;Sony Ericsson Device 070 USB WMC Modem Filter;c:\windows\system32\drivers\se46mdfl.sys [29.12.2007 18:00 9360]
S3 se46mdm;Sony Ericsson Device 070 USB WMC Modem Driver;c:\windows\system32\drivers\se46mdm.sys [29.12.2007 18:00 97088]
S3 se46mgmt;Sony Ericsson Device 070 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\se46mgmt.sys [12.1.2008 22:16 88624]
S3 se46nd5;Sony Ericsson Device 070 USB Ethernet Emulation SEMC46 (NDIS);c:\windows\system32\drivers\se46nd5.sys [16.1.2008 0:26 18704]
S3 se46obex;Sony Ericsson Device 070 USB WMC OBEX Interface;c:\windows\system32\drivers\se46obex.sys [12.1.2008 22:16 86432]
S3 se46unic;Sony Ericsson Device 070 USB Ethernet Emulation SEMC46 (WDM);c:\windows\system32\drivers\se46unic.sys [12.1.2008 22:16 90800]
S3 WFIOCTL;WFIOCTL;\??\c:\program files\WinFast\WFTVFM\WFIOCTL.SYS --> c:\program files\WinFast\WFTVFM\WFIOCTL.SYS [?]
.
Obsah adresáře 'Naplánované úlohy'
.
2011-07-27 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-04-18 11:29]
.
2011-07-27 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-18 11:31]
.
2011-07-26 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-18 11:31]
.
.
------- Doplňkový sken -------
.
uStart Page = hxxp://start.qip.ru/
uDefault_Search_URL = hxxp://search.qip.ru
mStart Page = hxxp://home.sweetim.com
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = iexplore
uSearchAssistant = hxxp://search.qip.ru/ie
uSearchURL,(Default) = Root: HKCU; Subkey: Software\Microsoft\Internet Explorer\SearchUrl; ValueType: string; ValueName: '; ValueData: '; Flags: createvalueifdoesntexist noerror; Tasks: AddSearchQip
IE: E&xportovat do aplikace Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Stáhnout všechny odkazy s použitím BitCometu - c:\program files\BitComet\BitComet.exe/AddAllLink.htm
IE: {{73C6DCFB-B606-47F3-BDFA-9A4FBF931E37} - c:\program files\ICQ7.4\ICQ.exe
TCP: DhcpNameServer = 192.168.8.1 192.168.20.1
FF - ProfilePath - c:\documents and settings\slezakovi\Data aplikací\Mozilla\Firefox\Profiles\q9vypscq.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.sweetim.com/search.asp?src=2&crg=1.54000&q=
FF - prefs.js: browser.search.selectedEngine - ICQ Search
FF - prefs.js: browser.startup.homepage - hxxp://www.seznam.cz/
FF - prefs.js: keyword.URL - hxxp://search.qip.ru/search?from=FF&query=
.
- - - - NEPLATNÉ POLOŽKY ODSTRANĚNÉ Z REGISTRU - - - -
.
ShellIconOverlayIdentifiers-{472083B0-C522-11CF-8763-00608CC02F24} - c:\program files\AVAST Software\Avast\ashShell.dll
HKLM-Run-OPSE reminder - c:\program files\ScanSoft\OmniPageSE2.0\EregEng\Ereg.exe
HKLM-Run-WinFast Schedule - c:\program files\WinFast\WFTVFM\WFWIZ.exe
HKLM-Run-egui - c:\program files\ESET\ESET NOD32 Antivirus\egui.exe
HKLM-Run-AVG_TRAY - c:\program files\AVG\AVG10\avgtray.exe
AddRemove-avast - c:\program files\AVAST Software\Avast\aswRunDll.exe
AddRemove-AVG - c:\program files\AVG\AVG10\avgmfapx.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-07-27 11:31
Windows 5.1.2600 Service Pack 3 NTFS
.
skenování skrytých procesů ...
.
skenování skrytých položek 'Po spuštění' ...
.
skenování skrytých souborů ...
.
sken byl úspešně dokončen
skryté soubory: 0
.
**************************************************************************
.
--------------------- ZAMKNUTÉ KLÍČE V REGISTRU ---------------------
.
[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\
.
--------------------- Knihovny navázané na běžící procesy ---------------------
.
- - - - - - - > 'explorer.exe'(2128)
c:\windows\system32\webcheck.dll
c:\windows\system32\msls31.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Jiné spuštené procesy ------------------------
.
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
c:\windows\system32\wbem\wmiapsrv.exe
c:\program files\Common Files\ACD Systems\EN\DevDetect.exe
c:\program files\Common Files\Ahead\Lib\NMIndexingService.exe
c:\program files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
.
**************************************************************************
.
Celkový čas: 2011-07-27 11:37:12 - počítač byl restartován
ComboFix-quarantined-files.txt 2011-07-27 09:36
.
Před spuštěním: 4 618 149 888
Po spuštění: 5 869 551 616
.
Current=4 Default=4 Failed=3 LastKnownGood=5 Sets=1,2,3,4,5
- - End Of File - - A8ADE89DB4D6351424A89316266A713D

[vyosek]

Rucne ji neinstalujte, nechte to tak...soubory nejsou infikovane, neni ji potreba...jeste vydrzte, napisu dalsi postup

[Lena23]

ok

[vyosek]

Prejmenujte ComboFix na pitomec.com at si uvedomite ze na blbiny se neklika

Pokud nemate, tak presunte Combofix na plochu

• Spustte poznamkovy blok (Start-spustit-notepad)
• Zkopirujte skript nize

• Kód: Vybrat vše

  KillAll::
  
  RegLock::
  [HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
  
  Firefox::
  FF - ProfilePath - c:\documents and settings\slezakovi\Data aplikací\Mozilla\Firefox\Profiles\q9vypscq.default\
  FF - prefs.js: browser.search.defaulturl - hxxp://search.sweetim.com/search.asp?sr ... 1.54000&q=
  FF - prefs.js: browser.search.selectedEngine - ICQ Search
  FF - prefs.js: keyword.URL - hxxp://search.qip.ru/search?from=FF&query=
  
  DDS::
  uStart Page = hxxp://start.qip.ru/
  uDefault_Search_URL = hxxp://search.qip.ru
  mStart Page = hxxp://home.sweetim.com
  mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/def ... earch.html
  uInternet Connection Wizard,ShellNext = iexplore
  uSearchAssistant = hxxp://search.qip.ru/ie
  uSearchURL,(Default) = Root: HKCU; Subkey: Software\Microsoft\Internet Explorer\SearchUrl; ValueType: string; ValueName: '; ValueData: '; Flags: createvalueifdoesntexist noerror; Tasks: AddSearchQip
  
  File::
  c:\windows\Tasks\Google Software Updater.job
  c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
  c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
  
  Collect::
  c:\windows\l1rezerv.exe
  c:\windows\systemup.exe
  c:\windows\unrar.exe
  
  Driver::
  ICQ Service
  gupdatem
  gupdate1c9c01949cb8f84
  
  Folder::
  c:\program files\ICQ6Toolbar
  c:\program files\SweetIM
  c:\windows\update.tray-3-0-lnk
  c:\windows\update.tray-2-0
  c:\windows\update.tray-2-0-lnk
  c:\windows\ufa
  c:\windows\rpcminer
  c:\windows\phoenix
  c:\windows\av_ico
  c:\windows\update.tray-7-0
  c:\windows\update.tray-7-0-lnk
  c:\windows\update.tray-3-0
  
  Registry::
  [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
  "c:\\WINDOWS\\update.tray-7-0\\svchost.exe"=-
  "c:\\WINDOWS\\update.tray-3-0\\svchost.exe"=-
  "c:\\WINDOWS\\update.tray-7-0-lnk\\svchost.exe"=-
  [HKEY_LOCAL_MACHINE\software\microsoft\security center]
  "FirewallOverride"=dword:00000000
  "DisableThumbnailCache"=dword:00000000
  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
  "NeroFilterCheck"=-
  "Adobe Reader Speed Launcher"=-
  "l1rezerv.exe"=-
  [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
  "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"=-
  "swg"=-
  [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
  "{EEE6C35D-6118-11DC-9C72-001320C79847}"=-
  [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EEE6C35C-6118-11DC-9C72-001320C79847}]
  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
  "{EEE6C35B-6118-11DC-9C72-001320C79847}"=-
  [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
  "{EEE6C35B-6118-11DC-9C72-001320C79847}"=-
  [-HKEY_CLASSES_ROOT\clsid\{eee6c35b-6118-11dc-9c72-001320c79847}]
  [-HKEY_CLASSES_ROOT\SWEETIE.IEToolbar.1]
  [-HKEY_CLASSES_ROOT\TypeLib\{EEE6C35E-6118-11DC-9C72-001320C79847}]
  [-HKEY_CLASSES_ROOT\SWEETIE.IEToolbar]
  
  FixCSet::
  
  AtJob::
  
  Reboot::

• Ulozte vytvoreny TXT jako CFScript.txt
• Pretahnete vytvoreny CFScript.txt nad Combofix a pustte (viz obrazek nize)
  
• Po aplikaci skriptu (a pripadnem restartu) na Vas vypadne log, jeho obsah sem vlozte

Muze se stat, ze po aplikaci skriptu nenabehnou windows, v tomto pripade restartuje PC a mackejte F8 a zvolte Posledni znamou konfiguraci