ComboFix 07-11-08.3 - David Sojka 2007-11-14 22:53:17.6 - NTFSx86
Systém Microsoft Windows XP Professional 5.1.2600.2.1250.1.1029.18.519 [GMT 1:00]
Running from: C:\Documents and Settings\David Sojka\Plocha\ComboFix.exe
Command switches used :: C:\Documents and Settings\David Sojka\Plocha\CFScript.txt
* Created a new restore point
FILE
C:\WINDOWS\system32\onystadi.dll
C:\WINDOWS\system32\temp_13.exe
.
Unable to gain System Privileges
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\All Users\Nabídka Start\Live Safety Center.lnk
C:\Documents and Settings\All Users\Nabídka Start\Online Security Guide.lnk
C:\Documents and Settings\David Sojka\Oblíbené položky\Online Security Guide.lnk
C:\Documents and Settings\David Sojka\Plocha\Live Safety Center.lnk
C:\Documents and Settings\David Sojka\Plocha\Online Security Guide.lnk
C:\WINDOWS\system32\onystadi.dll
C:\WINDOWS\system32\onystadi.dllbox
C:\WINDOWS\system32\temp_13.exe
.
((((((((((((((((((((((((( Files Created from 2007-10-14 to 2007-11-14 )))))))))))))))))))))))))))))))
.
2007-11-13 19:27 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-11-12 22:34 3,282 --a------ C:\WINDOWS\system32\tmp.reg
2007-11-12 21:49 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-12 21:36 <DIR> d-------- C:\WINDOWS\ERUNT
2007-11-07 21:52 1,152 --a------ C:\WINDOWS\system32\windrv.sys
2007-11-06 21:14 <DIR> d-------- C:\Program Files\Lavasoft
2007-11-06 20:20 89,088 --a------ C:\WINDOWS\system32\atl71.dll
2007-11-06 20:20 24,064 --a------ C:\WINDOWS\system32\msxml3a.dll
2007-11-06 17:18 145,984 --------- C:\WINDOWS\system32\onystadi.dll
2007-11-04 18:22 <DIR> d-------- C:\Program Files\Lighthouse Interactive
2007-10-31 19:34 <DIR> d-------- C:\Program Files\ABBYY FineReader 6.0 Sprint
2007-10-31 19:30 76,800 --a------ C:\WINDOWS\system32\E_FLBCDE.DLL
2007-10-31 19:30 62,976 --a------ C:\WINDOWS\system32\E_FD4BCDE.DLL
2007-10-31 19:30 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2007-10-31 19:30 25,856 --a--c--- C:\WINDOWS\system32\dllcache\usbprint.sys
2007-10-31 19:28 <DIR> d-------- C:\Program Files\epson
2007-10-31 19:28 67,072 --a------ C:\WINDOWS\system32\escwiad.dll
2007-10-27 19:57 3,727,720 --a------ C:\WINDOWS\system32\d3dx9_35.dll
2007-10-27 19:57 1,358,192 --a------ C:\WINDOWS\system32\D3DCompiler_35.dll
2007-10-27 19:57 444,776 --a------ C:\WINDOWS\system32\d3dx10_35.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-14 21:53 --------- d-----w C:\Program Files\ICQToolbar
2007-11-14 16:53 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-11-04 17:14 --------- d-----w C:\Program Files\Winamp
2007-11-04 06:59 --------- d-----w C:\Program Files\Common Files\Nero
2007-11-04 06:57 --------- d-----w C:\Program Files\Nero
2007-11-04 06:51 --------- d-----w C:\Program Files\Ahead
2007-11-03 14:20 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-01 05:09 --------- d-----w C:\Program Files\Orbitdownloader
2007-10-27 18:55 --------- d-----w C:\Program Files\Electronic Arts
2007-10-18 18:13 --------- d-----w C:\Program Files\Java
2007-10-14 06:42 --------- d-----w C:\Program Files\betway
2007-10-10 18:14 --------- d-----w C:\Program Files\Disc2Phone
2007-10-10 17:51 --------- d-----w C:\Program Files\Common Files\Teleca Shared
2007-10-10 17:51 --------- d-----w C:\Program Files\Common Files\Sony Ericsson Shared
2007-10-10 17:50 --------- d-----w C:\Program Files\Sony Ericsson
2007-09-24 08:05 132,904 ----a-w C:\WINDOWS\system32\drivers\imagesrv.sys
2007-09-24 08:05 11,304 ----a-w C:\WINDOWS\system32\drivers\imagedrv.sys
2007-09-20 08:59 972,072 ----a-w C:\WINDOWS\UNRecode.exe
2007-09-20 08:55 972,072 ----a-w C:\WINDOWS\UNNeroMediaHome.exe
2007-09-20 08:55 95,600 ----a-w C:\WINDOWS\system32\NeroCo.dll
2007-09-06 10:09 801,144 ----a-w C:\WINDOWS\system32\aswBoot.exe
2007-09-06 10:00 95,608 ----a-w C:\WINDOWS\system32\AVASTSS.scr
2007-08-21 19:12 3,009 ----a-w C:\naver.vbs
.
((((((((((((((((((((((((((((( snapshot@2007-11-12_21.56.00.18 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-11-14 21:58:19 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_62c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
2007-11-14 22:57 145984 --------- C:\WINDOWS\system32\onystadi.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{11A69AE4-FBED-4832-A2BF-45AF82825583}"= C:\WINDOWS\system32\onystadi.dll [2007-11-14 22:57 145984]
[HKEY_CLASSES_ROOT\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVMixerTray"="C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe" [2004-12-20 16:12]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-09-06 11:06]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 18:51]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 11:35]
"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-03-20 16:34]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 05:24]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-08-15 19:15]
"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2006-11-24 00:06]
"NeroFilterCheck"="C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 15:57]
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2007-09-20 09:51]
"SNM"="C:\Program Files\SpyNoMore\SNM.exe" []
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-17 14:49]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" []
"EPSON Stylus DX7400 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICDE.exe" [2007-04-12 07:00]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\onystadi]
onystadi.dll 2007-11-14 22:57 145984 C:\WINDOWS\system32\onystadi.dll
R2 Nero BackItUp Scheduler 3;Nero BackItUp Scheduler 3;C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
R3 PSched;Plánovač paketů technologie QoS;C:\WINDOWS\system32\DRIVERS\psched.sys
S3 SE2Bbus;Sony Ericsson Device 043 Driver driver (WDM);C:\WINDOWS\system32\DRIVERS\SE2Bbus.sys
S3 SE2Bmdfl;Sony Ericsson Device 043 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\SE2Bmdfl.sys
S3 SE2Bmdm;Sony Ericsson Device 043 USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\SE2Bmdm.sys
S3 SE2Bmgmt;Sony Ericsson Device 043 USB WMC Device Management Drivers (WDM);C:\WINDOWS\system32\DRIVERS\SE2Bmgmt.sys
S3 se2Bnd5;Sony Ericsson Device 043 USB Ethernet Emulation SEMC43 (NDIS);C:\WINDOWS\system32\DRIVERS\se2Bnd5.sys
S3 SE2Bobex;Sony Ericsson Device 043 USB WMC OBEX Interface;C:\WINDOWS\system32\DRIVERS\SE2Bobex.sys
S3 se2Bunic;Sony Ericsson Device 043 USB Ethernet Emulation SEMC43 (WDM);C:\WINDOWS\system32\DRIVERS\se2Bunic.sys
.
Contents of the 'Scheduled Tasks' folder
"2007-08-22 10:51:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************
catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-14 22:58:49
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
C:\WINDOWS\system32\onystadi.dllbox
scan completed successfully
hidden files: 1
**************************************************************************
.
Completion time: 2007-11-14 22:59:41 - machine was rebooted
C:\ComboFix2.txt ... 2007-11-14 20:46
C:\ComboFix3.txt ... 2007-11-14 18:00
.
--- E O F ---
davidsojka: problem with a trojan
fredik (Security team member):
Download Avenger and run it under an administrator account.
Choose the option Input script manually and click the magnifying-glass icon; an empty window pops up, into which copy this bold text:
Files to delete:
C:\WINDOWS\system32\onystadi.dll
C:\WINDOWS\system32\onystadi.dllbox
Registry keys to delete:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\onystadi
Registry values to delete:
HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar | {11A69AE4-FBED-4832-A2BF-45AF82825583}
Then click Done.
Then click the traffic-light icon.
A prompt will appear; click Yes. The PC will restart, and after the restart the Avenger report should pop up, so copy it here.
+
After using Avenger, delete the ComboFix you have on your desktop and download it again from the link. Then run it and paste here the log that is shown after it finishes.
davidsojka (newbie):
Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\ciesepf^
*******************
Script file located at: \??\C:\Documents and Settings\yqhsdsqh.txt
Script file opened successfully.
Script file read successfully
Backups directory opened successfully at C:\Avenger
*******************
Beginning to process script file:
File C:\WINDOWS\system32\onystadi.dll deleted successfully.
File C:\WINDOWS\system32\onystadi.dllbox deleted successfully.
Registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A} deleted successfully.
Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\onystadi deleted successfully.
Registry value HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar|{11A69AE4-FBED-4832-A2BF-45AF82825583} deleted successfully.
Completed script processing.
*******************
Finished! Terminate.
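The procedure in this exchange (take the persistence points ComboFix reported for onystadi.dll, turn them into an Avenger script, then read the Avenger log to confirm every requested deletion actually happened) can be automated and checked mechanically. The Python script below is an added example; it is not part of this thread nor of ComboFix or Avenger. The two log excerpts embedded in it are constructed from the logs posted above, and expanding ComboFix's abbreviated `HKEY_LOCAL_MACHINE\~\Browser Helper Objects` key to the full Explorer path is an assumption taken from the helper's script.

```python
"""Turn ComboFix 'Reg Loading Points' findings into an Avenger script and
check the Avenger log afterwards.  Added example, not part of the thread
or of the ComboFix/Avenger tools; the sample logs below are constructed
excerpts of the logs posted in this thread."""
import re

# Constructed excerpt of the 2007-11-14 ComboFix log (loading points + catchme).
COMBOFIX_LOG = r"""
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
2007-11-14 22:57 145984 --------- C:\WINDOWS\system32\onystadi.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{11A69AE4-FBED-4832-A2BF-45AF82825583}"= C:\WINDOWS\system32\onystadi.dll [2007-11-14 22:57 145984]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-09-06 11:06]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\onystadi]
onystadi.dll 2007-11-14 22:57 145984 C:\WINDOWS\system32\onystadi.dll
scanning hidden files ...
C:\WINDOWS\system32\onystadi.dllbox
hidden files: 1
"""

# Constructed excerpt of the Avenger log posted after the script ran.
AVENGER_LOG = r"""
File C:\WINDOWS\system32\onystadi.dll deleted successfully.
File C:\WINDOWS\system32\onystadi.dllbox deleted successfully.
Registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A} deleted successfully.
Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\onystadi deleted successfully.
Registry value HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar|{11A69AE4-FBED-4832-A2BF-45AF82825583} deleted successfully.
"""

# Assumption: ComboFix prints the BHO key abbreviated; Avenger needs the full path.
BHO_SHORT = r"HKEY_LOCAL_MACHINE\~\Browser Helper Objects"
BHO_FULL = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"

KEY_HDR = re.compile(r"^\[(HKEY_[^\]]+)\]$")
# Lines that belong to the preceding [key]: "name"=..., a dated entry, or Notify's "x.dll ..."
ENTRY = re.compile(r'^(?:"|\d{4}-\d{2}-\d{2} |\S+\.dll )')
VALUE = re.compile(r'^"([^"]+)"=')
WINPATH = re.compile(r'[A-Za-z]:\\[^\s\[\]"]+')
CLSID_KEY = re.compile(r"\\\{[0-9A-Fa-f-]+\}$")


def normalize_key(key):
    key = key.replace(BHO_SHORT, BHO_FULL)
    return re.sub(r"^HKEY_LOCAL_MACHINE", "HKLM", key, flags=re.I)


def find_persistence(log, needle):
    """Collect files, registry keys and registry values that reference `needle`.
    Matching is case-insensitive because NTFS paths and registry paths are."""
    files, keys, values = set(), set(), set()
    current_key, needle_l = None, needle.lower()
    for line in (l.strip() for l in log.splitlines()):
        m = KEY_HDR.match(line)
        if m:
            current_key = m.group(1)
            continue
        if needle_l not in line.lower():
            continue
        # Any Windows path on the line (including catchme's hidden file) is a file to delete.
        files.update(p for p in WINPATH.findall(line) if needle_l in p.lower())
        if current_key is None or not ENTRY.match(line):
            continue
        key = normalize_key(current_key)
        v = VALUE.match(line)
        if v:  # a named value under a shared key (Run, Toolbar): delete just the value
            values.add((key, v.group(1)))
        elif needle_l in key.lower() or CLSID_KEY.search(key):
            keys.add(key)  # key is named after the DLL (Notify) or is its own CLSID subkey (BHO)
    return files, keys, values


def build_avenger_script(files, keys, values):
    """Render the three Avenger sections in the order the helper used."""
    out = []
    if files:
        out += ["Files to delete:", *sorted(files), ""]
    if keys:
        out += ["Registry keys to delete:", *sorted(keys), ""]
    if values:
        out += ["Registry values to delete:", *(f"{k} | {v}" for k, v in sorted(values))]
    return "\n".join(out).rstrip()


DONE = re.compile(r"^(File|Registry key|Registry value) (.+?) deleted successfully\.$", re.M)


def verify(avenger_log, files, keys, values):
    """Return requested items that the Avenger log does not report as deleted."""
    done = {(kind, what.lower()) for kind, what in DONE.findall(avenger_log)}
    missing = [f for f in sorted(files) if ("File", f.lower()) not in done]
    missing += [k for k in sorted(keys) if ("Registry key", k.lower()) not in done]
    missing += [f"{k}|{v}" for k, v in sorted(values)
                if ("Registry value", f"{k}|{v}".lower()) not in done]
    return missing


if __name__ == "__main__":
    f, k, v = find_persistence(COMBOFIX_LOG, "onystadi")
    print(build_avenger_script(f, k, v))
    print("not removed:", verify(AVENGER_LOG, f, k, v) or "nothing")
```

Running it prints the same three Avenger sections the helper posted and an empty "not removed" list; delete one line from the Avenger log and that item is reported, which is the check worth doing before declaring the machine clean. Note that the `.dllbox` companion file appears only in the catchme hidden-files section, not among the loading points, so a script built from the loading points alone would miss it.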
davidsojka (newbie):
ComboFix 07-11-08.3 - David Sojka 2007-11-15 21:53:10.7 - NTFSx86
Systém Microsoft Windows XP Professional 5.1.2600.2.1250.1.1029.18.595 [GMT 1:00]
Running from: C:\Documents and Settings\David Sojka\Plocha\ComboFix.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\All Users\Nabídka Start\Live Safety Center.lnk
C:\Documents and Settings\All Users\Nabídka Start\Online Security Guide.lnk
C:\Documents and Settings\David Sojka\Oblíbené položky\Online Security Guide.lnk
C:\Documents and Settings\David Sojka\Plocha\Live Safety Center.lnk
C:\Documents and Settings\David Sojka\Plocha\Online Security Guide.lnk
.
((((((((((((((((((((((((( Files Created from 2007-10-15 to 2007-11-15 )))))))))))))))))))))))))))))))
.
2007-11-13 19:27 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-11-13 19:27 <DIR> d-------- C:\Documents and Settings\David Sojka\Data aplikací\SUPERAntiSpyware.com
2007-11-13 19:27 <DIR> d-------- C:\Documents and Settings\All Users\Data aplikací\SUPERAntiSpyware.com
2007-11-12 22:34 3,282 --a------ C:\WINDOWS\system32\tmp.reg
2007-11-12 21:49 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-12 21:36 <DIR> d-------- C:\WINDOWS\ERUNT
2007-11-07 21:52 1,152 --a------ C:\WINDOWS\system32\windrv.sys
2007-11-06 21:14 <DIR> d-------- C:\Program Files\Lavasoft
2007-11-06 21:14 <DIR> d-------- C:\Documents and Settings\David Sojka\Data aplikací\Lavasoft
2007-11-06 20:20 89,088 --a------ C:\WINDOWS\system32\atl71.dll
2007-11-06 20:20 24,064 --a------ C:\WINDOWS\system32\msxml3a.dll
2007-11-06 20:10 <DIR> d-------- C:\Documents and Settings\All Users\Data aplikací\Spybot - Search & Destroy
2007-11-04 18:22 <DIR> d-------- C:\Program Files\Lighthouse Interactive
2007-11-04 08:00 <DIR> d-------- C:\Documents and Settings\David Sojka\Data aplikací\Nero
2007-11-04 07:57 <DIR> d-------- C:\Documents and Settings\All Users\Data aplikací\Nero
2007-10-31 19:58 <DIR> d-------- C:\Documents and Settings\David Sojka\Data aplikací\EPSON
2007-10-31 19:35 <DIR> d-------- C:\Documents and Settings\All Users\Data aplikací\UDL
2007-10-31 19:34 <DIR> d-------- C:\Program Files\ABBYY FineReader 6.0 Sprint
2007-10-31 19:31 <DIR> d-------- C:\Documents and Settings\All Users\Data aplikací\EPSON
2007-10-31 19:30 76,800 --a------ C:\WINDOWS\system32\E_FLBCDE.DLL
2007-10-31 19:30 62,976 --a------ C:\WINDOWS\system32\E_FD4BCDE.DLL
2007-10-31 19:30 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2007-10-31 19:30 25,856 --a--c--- C:\WINDOWS\system32\dllcache\usbprint.sys
2007-10-31 19:28 <DIR> d-------- C:\Program Files\epson
2007-10-31 19:28 67,072 --a------ C:\WINDOWS\system32\escwiad.dll
2007-10-27 19:57 3,727,720 --a------ C:\WINDOWS\system32\d3dx9_35.dll
2007-10-27 19:57 1,358,192 --a------ C:\WINDOWS\system32\D3DCompiler_35.dll
2007-10-27 19:57 444,776 --a------ C:\WINDOWS\system32\d3dx10_35.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-15 20:47 --------- d-----w C:\Documents and Settings\David Sojka\Data aplikací\Orbit
2007-11-15 17:22 --------- d-----w C:\Program Files\ICQ6
2007-11-15 16:26 --------- d-----w C:\Program Files\ICQToolbar
2007-11-14 16:53 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-11-04 17:14 --------- d-----w C:\Program Files\Winamp
2007-11-04 06:59 --------- d-----w C:\Program Files\Common Files\Nero
2007-11-04 06:57 --------- d-----w C:\Program Files\Nero
2007-11-04 06:51 --------- d-----w C:\Program Files\Ahead
2007-11-03 14:20 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-01 05:09 --------- d-----w C:\Program Files\Orbitdownloader
2007-10-27 18:55 --------- d-----w C:\Program Files\Electronic Arts
2007-10-18 18:13 --------- d-----w C:\Program Files\Java
2007-10-14 06:42 --------- d-----w C:\Program Files\betway
2007-10-10 18:14 --------- d-----w C:\Program Files\Disc2Phone
2007-10-10 17:53 --------- d-----w C:\Documents and Settings\David Sojka\Data aplikací\Teleca
2007-10-10 17:53 --------- d-----w C:\Documents and Settings\David Sojka\Data aplikací\Sony Ericsson
2007-10-10 17:51 --------- d-----w C:\Program Files\Common Files\Teleca Shared
2007-10-10 17:51 --------- d-----w C:\Program Files\Common Files\Sony Ericsson Shared
2007-10-10 17:51 --------- d-----w C:\Documents and Settings\All Users\Data aplikací\Teleca
2007-10-10 17:51 --------- d-----w C:\Documents and Settings\All Users\Data aplikací\Sony Ericsson
2007-10-10 17:50 --------- d-----w C:\Program Files\Sony Ericsson
2007-09-24 08:05 132,904 ----a-w C:\WINDOWS\system32\drivers\imagesrv.sys
2007-09-24 08:05 11,304 ----a-w C:\WINDOWS\system32\drivers\imagedrv.sys
2007-09-20 10:12 --------- d-----w C:\Documents and Settings\David Sojka\Data aplikací\ICQ
2007-09-20 08:59 972,072 ----a-w C:\WINDOWS\UNRecode.exe
2007-09-20 08:55 972,072 ----a-w C:\WINDOWS\UNNeroMediaHome.exe
2007-09-20 08:55 95,600 ----a-w C:\WINDOWS\system32\NeroCo.dll
2007-09-06 10:09 801,144 ----a-w C:\WINDOWS\system32\aswBoot.exe
2007-09-06 10:00 95,608 ----a-w C:\WINDOWS\system32\AVASTSS.scr
2007-08-21 19:12 3,009 ----a-w C:\naver.vbs
.
((((((((((((((((((((((((((((( snapshot@2007-11-12_21.56.00.18 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-11-15 20:49:01 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_61c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVMixerTray"="C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe" [2004-12-20 16:12]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-09-06 11:06]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 18:51]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 11:35]
"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-03-20 16:34]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 05:24]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-08-15 19:15]
"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2006-11-24 00:06]
"NeroFilterCheck"="C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 15:57]
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2007-09-20 09:51]
"SNM"="C:\Program Files\SpyNoMore\SNM.exe" []
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-17 14:49]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" []
"EPSON Stylus DX7400 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICDE.exe" [2007-04-12 07:00]
C:\Documents and Settings\David Sojka\Nabídka Start\Programy\Po spuštění\
Intranet Chat.lnk - C:\Program Files\IChat\iChat.exe [2007-04-16 20:01:24]
C:\Documents and Settings\All Users\Nabídka Start\Programy\Po spuštění\
Orbit.lnk - C:\Program Files\Orbitdownloader\orbitdm.exe [2007-05-14 16:55:21]
R2 Nero BackItUp Scheduler 3;Nero BackItUp Scheduler 3;C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
R3 PSched;Plánovač paketů technologie QoS;C:\WINDOWS\system32\DRIVERS\psched.sys
S3 SE2Bbus;Sony Ericsson Device 043 Driver driver (WDM);C:\WINDOWS\system32\DRIVERS\SE2Bbus.sys
S3 SE2Bmdfl;Sony Ericsson Device 043 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\SE2Bmdfl.sys
S3 SE2Bmdm;Sony Ericsson Device 043 USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\SE2Bmdm.sys
S3 SE2Bmgmt;Sony Ericsson Device 043 USB WMC Device Management Drivers (WDM);C:\WINDOWS\system32\DRIVERS\SE2Bmgmt.sys
S3 se2Bnd5;Sony Ericsson Device 043 USB Ethernet Emulation SEMC43 (NDIS);C:\WINDOWS\system32\DRIVERS\se2Bnd5.sys
S3 SE2Bobex;Sony Ericsson Device 043 USB WMC OBEX Interface;C:\WINDOWS\system32\DRIVERS\SE2Bobex.sys
S3 se2Bunic;Sony Ericsson Device 043 USB Ethernet Emulation SEMC43 (WDM);C:\WINDOWS\system32\DRIVERS\se2Bunic.sys
.
Contents of the 'Scheduled Tasks' folder
"2007-08-22 10:51:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************
catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-15 21:55:21
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-11-15 21:55:58
C:\ComboFix2.txt ... 2007-11-14 22:59
C:\ComboFix3.txt ... 2007-11-14 20:46
.
--- E O F ---
fredik (Security team member):
Run HijackThis again and tick the boxes in front of these lines:
O4 - HKLM\..\Run: [SNM] C:\Program Files\SpyNoMore\SNM.exe /startup
O16 - DPF: {861FDA2A-2B57-4BDA-8B8B-305C9D5D8604} (_Multimedia Player) - http://stream.pussyharem.com/stream/mmp2.cab
After ticking them, click the Fix Checked button.
For better protection it would be good to install a firewall; you can pick one of those listed here or another one from the link: Overview of personal firewalls
Free firewalls:
Comodo - good quality, advanced, with many features, originally in English; a Czech version should come with version 3, which is due out shortly
Kerio - clear layout, more configuration options, heavier on system resources, in Czech
ZoneAlarm - simple, compatible, light on system resources, few configuration options, in English
Then post a new HJT log here.
davidsojka (newbie):
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:58:19, on 16.11.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Hry\Medal of Honor Airborne\UnrealEngine3\MOHAGame\pb\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Orbitdownloader\orbitdm.exe
C:\Program Files\IChat\iChat.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Orbitdownloader\orbitnet.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\Documents and Settings\David Sojka\Plocha\HiJackThis\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mojebanka.cz/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.seznam.cz/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: XTTBPos00 - {055FD26D-3A88-4e15-963D-DC8493744B1D} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.3.28.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKLM\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [EPSON Stylus DX7400 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICDE.EXE /FU "C:\WINDOWS\TEMP\E_S109.tmp" /EF "HKCU"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Intranet Chat.lnk = C:\Program Files\IChat\iChat.exe
O4 - Global Startup: Orbit.lnk = C:\Program Files\Orbitdownloader\orbitdm.exe
O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: Download all links using BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Download all videos using BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: Download link using &BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: E&xportovat do aplikace Microsoft Office Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Zdroje informací - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{2DA0545B-2FC5-452D-934D-3F0579A48124}: NameServer = 213.194.204.126,192.168.128.1
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: PunkBuster (PnkBstrA) - Unknown owner - C:\Hry\Medal of Honor Airborne\UnrealEngine3\MOHAGame\pb\PnkBstrA.exe
--
End of file - 9071 bytes
- fredik
- Security team member
- Master Level 7
- Posts: 4680
- Registered: July 06
- Status: Offline
Delete the Avenger directory, as I already wrote.
As for Avenger itself, you can delete it; when you use the command (in blue) that was mentioned here, it uninstalls ComboFix.
You can keep HJT if you would like to run a preventive check sometime in the future, for example, or if problems come up again, but you can just as well delete it; it is up to you.
You're welcome.
