BV:AutoRun-S [Wrm]

[amanes]

Dobrý den, pravděpodobně přes flashdisk sem se nakazil virem BV:AutoRun-S [Wrm]. Teď ho mám na kartě do foťáku, možná i v druhém PC. Už jsem ho zkoušel několikrát sám odstranit, ale bez úspěchu, proto žádám o pomoc.

Zde je log z combofixu, díky Petr

ComboFix 12-07-16.01 - Irenka 16.07.2012 18:28:22.1.1 - x86
Systém Microsoft Windows XP Professional 5.1.2600.2.1250.420.1029.18.2431.1967 [GMT 2:00]
Spuštěný z: c:\documents and settings\Irenka\Dokumenty\Downloads\ComboFix.exe
AV: avast! antivirus 4.8.1368 [VPS 120716-0] *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
* Vytvořen nový Bod Obnovení
.
.
((((((((((((((((((((((((((((((((((((((( Ostatní výmazy )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Irenka\Data aplikací\ACD Systems\ACDSee\ImageDB.ddf
c:\windows\iun6002.exe
c:\windows\pkunzip.pif
c:\windows\pkzip.pif
.
.
((((((((((((((((((((((((( Soubory vytvořené od 2012-06-16 do 2012-07-16 )))))))))))))))))))))))))))))))
.
.
2012-07-10 15:21 . 2012-07-10 15:20 101 ----a-w- C:\autorun-remover.bat
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-05-22 16:52 . 2012-05-22 16:52 15781 ----a-w- c:\windows\system32\drivers\mdc8021x.sys
.
.
(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{00000000-6E41-4FD3-8538-502F5495E5FC}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2012-06-06 1519304]
.
[HKEY_CLASSES_ROOT\clsid\{00000000-6e41-4fd3-8538-502f5495e5fc}]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2012-06-06 19:33 1519304 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2012-06-06 1519304]
.
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2012-06-06 1519304]
.
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-04-27 7561216]
"nwiz"="nwiz.exe" [2006-04-27 1519616]
"NvMediaCenter"="NvMCTray.dll" [2006-04-27 86016]
"DAEMON Tools"="c:\program files\DAEMON Tools\daemon.exe" [2005-12-10 133016]
"ApnUpdater"="c:\program files\Ask.com\Updater\Updater.exe" [2012-06-06 1564872]
"SkyTel"="SkyTel.EXE" [2007-05-07 1826816]
"RTHDCPL"="RTHDCPL.EXE" [2007-05-10 16342528]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 31016]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-17 15360]
.
c:\documents and settings\All Users\Nabídka Start\Programy\Po spuštění\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2011-11-13 110592]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
2004-08-17 15:49 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Pinnacle\\Studio 12\\Programs\\RM.exe"=
"c:\\Program Files\\Pinnacle\\Studio 12\\Programs\\Studio.exe"=
"c:\\Program Files\\Pinnacle\\Studio 12\\Programs\\umi.exe"=
"c:\\Program Files\\StrongDC++\\StrongDC.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3069:TCP"= 3069:TCP:zyphvr
.
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [12.11.2011 21:39 642560]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [22.5.2012 19:25 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [22.5.2012 19:25 20560]
S2 psldmvf;Image Network;c:\windows\system32\svchost.exe -k netsvcs [17.8.2004 17:49 14336]
S3 azvrqge;azvrqge;\??\c:\windows\system32\01.tmp --> c:\windows\system32\01.tmp [?]
S3 bekbgvwx;bekbgvwx;\??\c:\windows\system32\01.tmp --> c:\windows\system32\01.tmp [?]
S3 bniiiokur;bniiiokur;\??\c:\windows\system32\02.tmp --> c:\windows\system32\02.tmp [?]
S3 brbcml;brbcml;\??\c:\windows\system32\01.tmp --> c:\windows\system32\01.tmp [?]
S3 bxjgy;bxjgy;\??\c:\windows\system32\01.tmp --> c:\windows\system32\01.tmp [?]
S3 cixboun;cixboun;\??\c:\windows\system32\01.tmp --> c:\windows\system32\01.tmp [?]
S3 ctcbwpwrv;ctcbwpwrv;\??\c:\windows\system32\01.tmp --> c:\windows\system32\01.tmp [?]
S3 eextwwqbm;eextwwqbm;\??\c:\windows\system32\01.tmp --> c:\windows\system32\01.tmp [?]
S3 eomjgbd;eomjgbd;\??\c:\windows\system32\01.tmp --> c:\windows\system32\01.tmp [?]
S3 etfshrhi;etfshrhi;\??\c:\windows\system32\01.tmp --> c:\windows\system32\01.tmp [?]
S3 fkjbu;fkjbu;\??\c:\windows\system32\01.tmp --> c:\windows\system32\01.tmp [?]
S3 gbaaxiw;gbaaxiw;\??\c:\windows\system32\01.tmp --> c:\windows\system32\01.tmp [?]
S3 gpwgwlq;gpwgwlq;\??\c:\windows\system32\01.tmp --> c:\windows\system32\01.tmp [?]
S3 gzzfaf;gzzfaf;\??\c:\windows\system32\01.tmp --> c:\windows\system32\01.tmp [?]
S3 hkobwuyv;hkobwuyv;\??\c:\windows\system32\02.tmp --> c:\windows\system32\02.tmp [?]
S3 iafus;iafus;\??\c:\windows\system32\01.tmp --> c:\windows\system32\01.tmp [?]
S3 iglknng;iglknng;\??\c:\windows\system32\01.tmp --> c:\windows\system32\01.tmp [?]
S3 ijjldafba;ijjldafba;\??\c:\windows\system32\01.tmp --> c:\windows\system32\01.tmp [?]
S3 iobccpr;iobccpr;\??\c:\windows\system32\01.tmp --> c:\windows\system32\01.tmp [?]
S3 joegemylz;joegemylz;\??\c:\windows\system32\01.tmp --> c:\windows\system32\01.tmp [?]
S3 kdtbnvjs;kdtbnvjs;\??\c:\windows\system32\01.tmp --> c:\windows\system32\01.tmp [?]
S3 kkvikbq;kkvikbq;\??\c:\windows\system32\01.tmp --> c:\windows\system32\01.tmp [?]
S3 kpfmgr;kpfmgr;\??\c:\windows\system32\01.tmp --> c:\windows\system32\01.tmp [?]
S3 lchee;lchee;\??\c:\windows\system32\01.tmp --> c:\windows\system32\01.tmp [?]
S3 lkvic;lkvic;\??\c:\windows\system32\01.tmp --> c:\windows\system32\01.tmp [?]
S3 mfleczaj;mfleczaj;\??\c:\windows\system32\01.tmp --> c:\windows\system32\01.tmp [?]
S3 mguizmfj;mguizmfj;\??\c:\windows\system32\01.tmp --> c:\windows\system32\01.tmp [?]
S3 nkacvp;nkacvp;\??\c:\windows\system32\01.tmp --> c:\windows\system32\01.tmp [?]
S3 nxaeiiucn;nxaeiiucn;\??\c:\windows\system32\01.tmp --> c:\windows\system32\01.tmp [?]
S3 onwwkkb;onwwkkb;\??\c:\windows\system32\01.tmp --> c:\windows\system32\01.tmp [?]
S3 oukvfbkm;oukvfbkm;\??\c:\windows\system32\01.tmp --> c:\windows\system32\01.tmp [?]
S3 ppypksi;ppypksi;\??\c:\windows\system32\01.tmp --> c:\windows\system32\01.tmp [?]
S3 psjamdabl;psjamdabl;\??\c:\windows\system32\01.tmp --> c:\windows\system32\01.tmp [?]
S3 pztufnit;pztufnit;\??\c:\windows\system32\01.tmp --> c:\windows\system32\01.tmp [?]
S3 qpypgx;qpypgx;\??\c:\windows\system32\01.tmp --> c:\windows\system32\01.tmp [?]
S3 rhirg;rhirg;\??\c:\windows\system32\01.tmp --> c:\windows\system32\01.tmp [?]
S3 rkforgmc;rkforgmc;\??\c:\windows\system32\01.tmp --> c:\windows\system32\01.tmp [?]
S3 rzsugxh;rzsugxh;\??\c:\windows\system32\01.tmp --> c:\windows\system32\01.tmp [?]
S3 soqlka;soqlka;\??\c:\windows\system32\01.tmp --> c:\windows\system32\01.tmp [?]
S3 stveyj;stveyj;\??\c:\windows\system32\01.tmp --> c:\windows\system32\01.tmp [?]
S3 szcmdow;szcmdow;\??\c:\windows\system32\01.tmp --> c:\windows\system32\01.tmp [?]
S3 szjxklw;szjxklw;\??\c:\windows\system32\01.tmp --> c:\windows\system32\01.tmp [?]
S3 thlsoxha;thlsoxha;\??\c:\windows\system32\01.tmp --> c:\windows\system32\01.tmp [?]
S3 tlhywlzq;tlhywlzq;\??\c:\windows\system32\01.tmp --> c:\windows\system32\01.tmp [?]
S3 tpsfvlfy;tpsfvlfy;\??\c:\windows\system32\01.tmp --> c:\windows\system32\01.tmp [?]
S3 umikpyub;umikpyub;\??\c:\windows\system32\01.tmp --> c:\windows\system32\01.tmp [?]
S3 unqayrnxp;unqayrnxp;\??\c:\windows\system32\01.tmp --> c:\windows\system32\01.tmp [?]
S3 vytegrhmp;vytegrhmp;\??\c:\windows\system32\01.tmp --> c:\windows\system32\01.tmp [?]
S3 waoiis;waoiis;\??\c:\windows\system32\01.tmp --> c:\windows\system32\01.tmp [?]
S3 xghbpu;xghbpu;\??\c:\windows\system32\01.tmp --> c:\windows\system32\01.tmp [?]
S3 xxuatzvvd;xxuatzvvd;\??\c:\windows\system32\01.tmp --> c:\windows\system32\01.tmp [?]
S3 xyrohqf;xyrohqf;\??\c:\windows\system32\01.tmp --> c:\windows\system32\01.tmp [?]
S3 xywjffehv;xywjffehv;\??\c:\windows\system32\01.tmp --> c:\windows\system32\01.tmp [?]
S3 ycjdac;ycjdac;\??\c:\windows\system32\01.tmp --> c:\windows\system32\01.tmp [?]
S3 ydkzvzuer;ydkzvzuer;\??\c:\windows\system32\01.tmp --> c:\windows\system32\01.tmp [?]
S3 zltkzxuhi;zltkzxuhi;\??\c:\windows\system32\01.tmp --> c:\windows\system32\01.tmp [?]
S3 zrmido;zrmido;\??\c:\windows\system32\01.tmp --> c:\windows\system32\01.tmp [?]
S3 zshwqq;zshwqq;\??\c:\windows\system32\01.tmp --> c:\windows\system32\01.tmp [?]
S3 zxdeq;zxdeq;\??\c:\windows\system32\01.tmp --> c:\windows\system32\01.tmp [?]
S3 zyeuuuyp;zyeuuuyp;\??\c:\windows\system32\01.tmp --> c:\windows\system32\01.tmp [?]
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
psldmvf
.
Obsah adresáře 'Naplánované úlohy'
.
2012-07-16 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
- c:\program files\Ask.com\UpdateTask.exe [2012-06-06 19:33]
.
.
------- Doplňkový sken -------
.
uStart Page = hxxp://www.ask.com?o=10148&l=dis&tb=STT
IE: E&xportovat do aplikace Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 10.109.255.109 10.109.255.254 192.168.1.254
.
- - - - NEPLATNÉ POLOŽKY ODSTRANĚNÉ Z REGISTRU - - - -
.
AddRemove-Cool's_Codec_pack_4.12 - c:\windows\iun6002.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-07-16 18:32
Windows 5.1.2600 Service Pack 2 NTFS
.
skenování skrytých procesů ...
.
skenování skrytých položek 'Po spuštění' ...
.
skenování skrytých souborů ...
.
sken byl úspešně dokončen
skryté soubory: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\azvrqge]
"ImagePath"="\??\c:\windows\system32\01.tmp"
.
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\bekbgvwx]
"ImagePath"="\??\c:\windows\system32\01.tmp"
.
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\bniiiokur]
"ImagePath"="\??\c:\windows\system32\02.tmp"
.
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\brbcml]
"ImagePath"="\??\c:\windows\system32\01.tmp"
.
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\bxjgy]
"ImagePath"="\??\c:\windows\system32\01.tmp"
.
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\cixboun]
"ImagePath"="\??\c:\windows\system32\01.tmp"
.
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\ctcbwpwrv]
"ImagePath"="\??\c:\windows\system32\01.tmp"
.
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\eextwwqbm]
"ImagePath"="\??\c:\windows\system32\01.tmp"
.
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\eomjgbd]
"ImagePath"="\??\c:\windows\system32\01.tmp"
.
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\etfshrhi]
"ImagePath"="\??\c:\windows\system32\01.tmp"
.
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\fkjbu]
"ImagePath"="\??\c:\windows\system32\01.tmp"
.
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\gbaaxiw]
"ImagePath"="\??\c:\windows\system32\01.tmp"
.
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\gpwgwlq]
"ImagePath"="\??\c:\windows\system32\01.tmp"
.
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\gzzfaf]
"ImagePath"="\??\c:\windows\system32\01.tmp"
.
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\hkobwuyv]
"ImagePath"="\??\c:\windows\system32\02.tmp"
.
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\iafus]
"ImagePath"="\??\c:\windows\system32\01.tmp"
.
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\iglknng]
"ImagePath"="\??\c:\windows\system32\01.tmp"
.
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\ijjldafba]
"ImagePath"="\??\c:\windows\system32\01.tmp"
.
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\iobccpr]
"ImagePath"="\??\c:\windows\system32\01.tmp"
.
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\joegemylz]
"ImagePath"="\??\c:\windows\system32\01.tmp"
.
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\kdtbnvjs]
"ImagePath"="\??\c:\windows\system32\01.tmp"
.
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\kkvikbq]
"ImagePath"="\??\c:\windows\system32\01.tmp"
.
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\kpfmgr]
"ImagePath"="\??\c:\windows\system32\01.tmp"
.
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\lchee]
"ImagePath"="\??\c:\windows\system32\01.tmp"
.
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\lkvic]
"ImagePath"="\??\c:\windows\system32\01.tmp"
.
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\mfleczaj]
"ImagePath"="\??\c:\windows\system32\01.tmp"
.
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\mguizmfj]
"ImagePath"="\??\c:\windows\system32\01.tmp"
.
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\nkacvp]
"ImagePath"="\??\c:\windows\system32\01.tmp"
.
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\nxaeiiucn]
"ImagePath"="\??\c:\windows\system32\01.tmp"
.
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\onwwkkb]
"ImagePath"="\??\c:\windows\system32\01.tmp"
.
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\oukvfbkm]
"ImagePath"="\??\c:\windows\system32\01.tmp"
.
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\ppypksi]
"ImagePath"="\??\c:\windows\system32\01.tmp"
.
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\psjamdabl]
"ImagePath"="\??\c:\windows\system32\01.tmp"
.
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\pztufnit]
"ImagePath"="\??\c:\windows\system32\01.tmp"
.
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\qpypgx]
"ImagePath"="\??\c:\windows\system32\01.tmp"
.
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\rhirg]
"ImagePath"="\??\c:\windows\system32\01.tmp"
.
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\rkforgmc]
"ImagePath"="\??\c:\windows\system32\01.tmp"
.
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\rzsugxh]
"ImagePath"="\??\c:\windows\system32\01.tmp"
.
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\soqlka]
"ImagePath"="\??\c:\windows\system32\01.tmp"
.
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\stveyj]
"ImagePath"="\??\c:\windows\system32\01.tmp"
.
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\szcmdow]
"ImagePath"="\??\c:\windows\system32\01.tmp"
.
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\szjxklw]
"ImagePath"="\??\c:\windows\system32\01.tmp"
.
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\thlsoxha]
"ImagePath"="\??\c:\windows\system32\01.tmp"
.
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\tlhywlzq]
"ImagePath"="\??\c:\windows\system32\01.tmp"
.
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\tpsfvlfy]
"ImagePath"="\??\c:\windows\system32\01.tmp"
.
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\umikpyub]
"ImagePath"="\??\c:\windows\system32\01.tmp"
.
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\unqayrnxp]
"ImagePath"="\??\c:\windows\system32\01.tmp"
.
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\vytegrhmp]
"ImagePath"="\??\c:\windows\system32\01.tmp"
.
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\waoiis]
"ImagePath"="\??\c:\windows\system32\01.tmp"
.
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\xghbpu]
"ImagePath"="\??\c:\windows\system32\01.tmp"
.
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\xxuatzvvd]
"ImagePath"="\??\c:\windows\system32\01.tmp"
.
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\xyrohqf]
"ImagePath"="\??\c:\windows\system32\01.tmp"
.
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\xywjffehv]
"ImagePath"="\??\c:\windows\system32\01.tmp"
.
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\ycjdac]
"ImagePath"="\??\c:\windows\system32\01.tmp"
.
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\ydkzvzuer]
"ImagePath"="\??\c:\windows\system32\01.tmp"
.
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\zltkzxuhi]
"ImagePath"="\??\c:\windows\system32\01.tmp"
.
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\zrmido]
"ImagePath"="\??\c:\windows\system32\01.tmp"
.
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\zshwqq]
"ImagePath"="\??\c:\windows\system32\01.tmp"
.
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\zxdeq]
"ImagePath"="\??\c:\windows\system32\01.tmp"
.
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\zyeuuuyp]
"ImagePath"="\??\c:\windows\system32\01.tmp"
.
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\psldmvf]
"ServiceDll"="c:\windows\system32\jcvjgwd.dll"
.
Celkový čas: 2012-07-16 18:33:22
ComboFix-quarantined-files.txt 2012-07-16 16:33
.
Před spuštěním: Volných bajtů: 22 516 736 000
Po spuštění: Volných bajtů: 23 717 511 168
.
WindowsXP-KB310994-SP2-Pro-BootDisk-CSY.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - C31979AE726C22C0E25D87F179093D14

[Rudy]

Zdravím!
Poprosím o log ComboFix.

Stahnete a ulozte nejlepe na plochu ComboFix: http://download.bleepingcomputer.com/sUBs/ComboFix.exe

pote spustte aplikaci pod uctem s administratorskym opravnenim

hned po startu se zobrazi obrazovka s licencnimi podminkami, pokracujte kliknutim na tlacitko Ano.

v klidu si postavte na kafe (cela akce trva cca. 5-10 minut, nekdy i dele - dle toho, o jak rychly stroj se

jedna a kolika soubory se skener bude muset prodirat), behem skenu se nepokousejte spoustet zadne jine

aplikace ani nic jineho

behem skenovani nepropadejte panice, vas stroj muze byt restartovan (predevsim pri prvni aplikaci skeneru)

upozorneni: pokud pouzivate antispyware s rezidentnim stitem, prepnete jeho rezidentni stit do Install Mode,

pripadne jej po dobu skenu uplne deaktivujte, protoze dochazi pri skenu a vymazu pripadneho malware k

nezadoucim kolizim s rezidentem antispyware

[amanes]

Log je vložen výše, nebo se mýlím? )

[Rudy]

Log je vložen výše, nebo se mýlím? )

Bývá zvykem dávat nejprve log RSIT a CF teprve na vyzvání rádce. Přesuňte ComboFix na plochu. Otevřte poznámkový blok a zkopírujte do něj:

KillAll::

Folder::
c:\program files\Ask.com

Collect::
c:\windows\system32\01.tmp
c:\windows\system32\02.tmp

Driver::
zyeuuuyp
zxdeq
zshwqq
zrmido
zltkzxuhi
ydkzvzuer
ycjdac
xywjffehv
xyrohqf
xxuatzvvd
xghbpu
waoiis
vytegrhmp
unqayrnxp
umikpyub
tpsfvlfy
tlhywlzq
thlsoxha
szjxklw
szcmdow
stveyj
soqlka
rzsugxh
rkforgmc
rhirg
qpypgx
pztufnit
psjamdabl
ppypksi
oukvfbkm
onwwkkb
nxaeiiucn
nkacvp
mguizmfj
mfleczaj
lkvic
lchee
kpfmgr
kkvikbq
kdtbnvjs
joegemylz
iobccpr
ijjldafba
iglknng
iafus
hkobwuyv
gzzfaf
gpwgwlq
gbaaxiw
fkjbu
etfshrhi
eomjgbd
eextwwqbm
ctcbwpwrv
cixboun
bxjgy
brbcml
bniiiokur
bekbgvwx
azvrqge
psldmvf

Registry::
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{00000000-6E41-4FD3-8538-502F5495E5FC}"=-
[-HKEY_CLASSES_ROOT\clsid\{00000000-6e41-4fd3-8538-502f5495e5fc}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"=-
[-HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[-HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[-HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[-HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ApnUpdater"=-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3069:TCP"=-

Reboot::

Uložte na plochu jako CFScript.txt. Pak jej myší přetáhněte nad ikonu ComboFix a pusťte. CF se spustí a vykoná příkazy ze skriptu.

[amanes]

ok, to sem nevěděl, tak se omlouvám a moc děkuji za pomoc, problém se zdá být vyřešen.

[Rudy]

Ještě poprosím o log CF po posledním skenu.

[amanes]

ajaj, já už ho smazal, mám ho tedy znovu vytvořit?

[Rudy]

Ono tam bylo dost fake driverů a rád bych věděl, jestli tam nějaký nezbyl. Takže vás poprosím.

[amanes]

Tak tady ještě ten log:


ComboFix 12-07-16.01 - Irenka 18.07.2012 18:05:50.3.1 - x86
Systém Microsoft Windows XP Professional 5.1.2600.2.1250.420.1029.18.2431.2049 [GMT 2:00]
Spuštěný z: c:\documents and settings\Irenka\Plocha\ComboFix.exe
AV: avast! antivirus 4.8.1368 [VPS 120718-0] *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
* Vytvořen nový Bod Obnovení
.
.
((((((((((((((((((((((((( Soubory vytvořené od 2012-06-18 do 2012-07-18 )))))))))))))))))))))))))))))))
.
.
2012-07-16 19:40 . 2012-07-17 18:51 -------- d-----w- c:\windows\SxsCaPendDel
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-07-17 11:45 . 2011-11-12 19:39 96256 ----a-w- c:\windows\system32\drivers\sptd4365.sys
2012-05-22 16:52 . 2012-05-22 16:52 15781 ------w- c:\windows\system32\drivers\mdc8021x.sys
.
.
((((((((((((((((((((((((((((( SnapShot@2012-07-16_16.32.12 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-07-18 15:29 . 2012-07-18 15:29 16384 c:\windows\Temp\Perflib_Perfdata_694.dat
- 2001-10-25 16:00 . 2012-07-16 10:14 59774 c:\windows\system32\perfc009.dat
+ 2001-10-25 16:00 . 2012-07-18 15:34 59774 c:\windows\system32\perfc009.dat
- 2001-10-25 16:00 . 2012-07-16 10:14 70304 c:\windows\system32\perfc005.dat
+ 2001-10-25 16:00 . 2012-07-18 15:34 70304 c:\windows\system32\perfc005.dat
+ 2001-10-25 16:00 . 2012-07-18 15:34 395534 c:\windows\system32\perfh009.dat
- 2001-10-25 16:00 . 2012-07-16 10:14 395534 c:\windows\system32\perfh009.dat
- 2001-10-25 16:00 . 2012-07-16 10:14 393430 c:\windows\system32\perfh005.dat
+ 2001-10-25 16:00 . 2012-07-18 15:34 393430 c:\windows\system32\perfh005.dat
.
(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-04-27 7561216]
"nwiz"="nwiz.exe" [2006-04-27 1519616]
"NvMediaCenter"="NvMCTray.dll" [2006-04-27 86016]
"DAEMON Tools"="c:\program files\DAEMON Tools\daemon.exe" [2005-12-10 133016]
"SkyTel"="SkyTel.EXE" [2007-05-07 1826816]
"RTHDCPL"="RTHDCPL.EXE" [2007-05-10 16342528]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 31016]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-17 15360]
.
c:\documents and settings\All Users\Nabídka Start\Programy\Po spuštění\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2011-11-13 110592]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
2004-08-17 15:49 15360 ------w- c:\windows\system32\ctfmon.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\StrongDC++\\StrongDC.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
.
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [12.11.2011 21:39 642560]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [22.5.2012 19:25 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [22.5.2012 19:25 20560]
.
.
------- Doplňkový sken -------
.
uStart Page = hxxp://www.ask.com?o=10148&l=dis&tb=STT
IE: E&xportovat do aplikace Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 10.109.255.109 10.109.255.254 192.168.1.254
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-07-18 18:09
Windows 5.1.2600 Service Pack 2 NTFS
.
skenování skrytých procesů ...
.
skenování skrytých položek 'Po spuštění' ...
.
skenování skrytých souborů ...
.
sken byl úspešně dokončen
skryté soubory: 0
.
**************************************************************************
.
Celkový čas: 2012-07-18 18:10:37
ComboFix-quarantined-files.txt 2012-07-18 16:10
ComboFix2.txt 2012-07-16 19:26
ComboFix3.txt 2012-07-16 16:33
.
Před spuštěním: Volných bajtů: 25 948 020 736
Po spuštění: Volných bajtů: 25 953 284 096
.
- - End Of File - - CEB433FD7A4104AB7395E46FF4DC37B7

[Rudy]

Ano, problém je vyřešen, vše bylo smazáno.

[amanes]

Supr, ještě jednou moc DĚKUJI!

[Rudy]

Rádo se stalo!