pomoc s virem

[Prasek]

za 1) http://www.virustotal.com/cs/resultado. ... 59a81f55a0 mel by byt v poradku

za 3)

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\uhcwtwyo

*******************

Script file located at: \??\C:\WINDOWS\System32\xcmkiovv.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINDOWS\System32\scricon.exe deleted successfully.
File C:\WINDOWS\System32\wupdate.exe deleted successfully.


File C:\WINDOWS\System32\ii not found!
Deletion of file C:\WINDOWS\System32\ii failed!

Could not process line:
C:\WINDOWS\System32\ii
Status: 0xc0000034

File C:\WINDOWS\System32\ttvyb.bak2 deleted successfully.
File C:\WINDOWS\System32\ttvyb.bak1 deleted successfully.
File C:\WINDOWS\system32\crehcjid.dll deleted successfully.


File c:\windows\system32\awtqolk.dll not found!
Deletion of file c:\windows\system32\awtqolk.dll failed!

Could not process line:
c:\windows\system32\awtqolk.dll
Status: 0xc0000034

Registry value HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows|AppInit_DLLs replaced with dummy successfully.

Completed script processing.

*******************

Finished! Terminate.

[Reklama]

[Prasek]

a este tu mam ten log z ComboFix

ComboFix 07-11-19.4 - Skupina 2007-11-27 21:02:52.4 - NTFSx86

Running from: C:\Documents and Settings\Skupina\Plocha\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_DOMAINSERVICE
-------\LEGACY_RUNTIME
-------\DomainService


((((((((((((((((((((((((( Files Created from 2007-10-27 to 2007-11-27 )))))))))))))))))))))))))))))))
.

2007-11-27 20:25 0 -ra------ C:\WINDOWS\system32\TFTP2844
2007-11-27 19:19 <DIR> d-------- C:\Program Files\InfraRecorder
2007-11-27 18:53 0 -ra------ C:\WINDOWS\system32\TFTP3528
2007-11-27 18:17 0 -ra------ C:\WINDOWS\system32\TFTP1488
2007-11-27 16:56 0 -ra------ C:\WINDOWS\system32\TFTP3324
2007-11-27 14:14 0 -ra------ C:\WINDOWS\system32\TFTP3048
2007-11-27 13:59 0 -ra------ C:\WINDOWS\system32\TFTP2752
2007-11-26 21:45 0 -ra------ C:\WINDOWS\system32\TFTP2376
2007-11-26 20:09 544,768 --a------ C:\WINDOWS\system32\msnmanegrs.exe
2007-11-26 19:15 0 -ra------ C:\WINDOWS\system32\TFTP2104
2007-11-26 18:46 0 -ra------ C:\WINDOWS\system32\TFTP952
2007-11-26 18:46 0 -ra------ C:\WINDOWS\system32\TFTP3716
2007-11-26 17:26 0 -ra------ C:\WINDOWS\system32\TFTP55040
2007-11-25 12:03 0 -ra------ C:\WINDOWS\system32\TFTP3704
2007-11-25 11:28 <DIR> d-------- C:\Deckard
2007-11-24 22:41 <DIR> d-------- C:\Documents and Settings\Skupina\Phone Browser
2007-11-24 19:10 <DIR> d-------- C:\Program Files\SimpleCenter
2007-11-24 19:10 <DIR> d-------- C:\Program Files\Common Files\i4j_jres
2007-11-24 19:04 <DIR> d-------- C:\Program Files\DIFX
2007-11-24 19:03 <DIR> d-------- C:\Program Files\Common Files\Nokia
2007-11-24 19:01 <DIR> d-------- C:\WINDOWS\Downloaded Installations
2007-11-24 19:01 <DIR> d-------- C:\Program Files\Nokia
2007-11-24 19:01 <DIR> d-------- C:\Program Files\Common Files\PCSuite
2007-11-24 18:57 182,880 --a--c--- C:\WINDOWS\system32\dllcache\iuengine.dll
2007-11-22 12:55 1,156 --a------ C:\WINDOWS\mozver.dat
2007-11-21 18:33 <DIR> d-------- C:\Program Files\Hamachi
2007-11-21 18:33 17,480 --a------ C:\WINDOWS\system32\drivers\hamachi.sys
2007-11-21 15:58 <DIR> d-------- C:\WINDOWS\ERUNT
2007-11-20 22:58 0 --a------ C:\WINDOWS\nsreg.dat
2007-11-20 21:05 138,624 --a------ C:\WINDOWS\system32\drivers\sp_rsdrv2.sys
2007-11-20 20:53 <DIR> d-------- C:\Program Files\Spyware Terminator
2007-11-20 20:30 <DIR> d-------- C:\Program Files\7-Zip
2007-11-20 20:29 <DIR> d-------- C:\Program Files\Codec Pack - All In 1
2007-11-20 20:29 737,280 --a------ C:\WINDOWS\iun6002.exe
2007-11-20 20:26 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
2007-11-20 20:26 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll
2007-11-19 20:47 6,607 --ahs---- C:\WINDOWS\system32\ttvyb.ini
2007-11-19 19:33 16,768 --a------ C:\WINDOWS\system32\tcpip_patcher.sys
2007-11-19 19:22 <DIR> d--h----- C:\Program Files\InstallShield Installation Information
2007-11-19 19:22 1,474,560 --a------ C:\WINDOWS\adiras.exe
2007-11-19 19:22 143,360 --a------ C:\WINDOWS\autoclk.exe
2007-11-19 19:22 135,168 --a------ C:\WINDOWS\system32\unaddrv.exe
2007-11-19 19:22 46,167 --a------ C:\WINDOWS\system32\drivers\adildr.sys
2007-11-19 19:22 8,208 --a------ C:\WINDOWS\system32\drivers\adildr.cat
2007-11-19 19:22 23 --a------ C:\WINDOWS\system32\drivers\adidsl.cfg
2007-11-19 19:21 <DIR> d-------- C:\Program Files\SAGEM
2007-11-19 18:27 <DIR> d-------- C:\WINDOWS\nview
2007-11-19 18:26 <DIR> d-------- C:\Program Files\Common Files\InstallShield
2007-11-19 18:25 <DIR> d-------- C:\NVIDIA
2007-11-19 18:17 8 -r-hs---- C:\WINDOWS\system32\E7034D519E.dll
2007-11-19 18:00 1,230,336 --a------ C:\WINDOWS\system32\msvidctl.dll
2007-11-19 18:00 130,304 --a------ C:\WINDOWS\system32\drivers\ks.sys
2007-11-19 18:00 83,968 --a------ C:\WINDOWS\system32\drivers\nabtsfec.sys
2007-11-19 18:00 52,096 --a------ C:\WINDOWS\system32\drivers\msdv.sys
2007-11-19 18:00 48,512 --a------ C:\WINDOWS\system32\drivers\stream.sys
2007-11-19 18:00 15,104 --a------ C:\WINDOWS\system32\drivers\mpe.sys
2007-11-19 18:00 10,880 --a------ C:\WINDOWS\system32\drivers\slip.sys
2007-11-19 18:00 10,112 --a------ C:\WINDOWS\system32\drivers\ndisip.sys
2007-11-19 18:00 7,424 --a------ C:\WINDOWS\system32\drivers\mskssrv.sys
2007-11-19 18:00 5,504 --a------ C:\WINDOWS\system32\drivers\mstee.sys
2007-11-19 18:00 5,248 --a------ C:\WINDOWS\system32\drivers\mspclock.sys
2007-11-19 18:00 4,608 --a------ C:\WINDOWS\system32\drivers\mspqm.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-27 19:56 403,456 ----a-w C:\WINDOWS\system32\fuck.exe
2007-11-27 17:33 530,432 ----a-w C:\WINDOWS\system32\binlw.exe
2007-11-27 17:27 391,168 ----a-w C:\WINDOWS\system32\wbt.exe
2007-11-27 14:57 541,696 ----a-w C:\WINDOWS\system32\pinlw.exe
2007-11-25 19:36 451,584 ----a-w C:\WINDOWS\system32\fu1.exe
2007-11-24 23:03 83,964 ----a-w C:\WINDOWS\Web\wcxnjhhj.exe
2007-11-24 23:02 83,964 ----a-w C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\zejthvxk.exe
2007-11-24 23:02 83,964 ----a-w C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\tlrrsvlj.exe
2007-11-24 23:02 83,964 ----a-w C:\WINDOWS\PCHEALTH\HELPCTR\System\UpdateCtr\necxlsbh.exe
2007-11-24 23:02 83,964 ----a-w C:\WINDOWS\PCHEALTH\HELPCTR\System\UpdateCtr\hsxenjvk.exe
2007-11-24 23:02 83,964 ----a-w C:\WINDOWS\PCHEALTH\HELPCTR\System\UpdateCtr\hnshlbtv.exe
2007-11-24 23:02 83,964 ----a-w C:\WINDOWS\PCHEALTH\HELPCTR\System\UpdateCtr\ewznktww.exe
2007-11-24 23:02 83,964 ----a-w C:\WINDOWS\PCHEALTH\HELPCTR\System\UpdateCtr\ecrvhvjh.exe
2007-11-24 23:02 83,964 ----a-w C:\WINDOWS\PCHEALTH\HELPCTR\System\sysinfo\tehbbexs.exe
2007-11-24 23:02 83,964 ----a-w C:\WINDOWS\PCHEALTH\HELPCTR\System\sysinfo\qnkstrhn.exe
2007-11-24 23:02 83,964 ----a-w C:\WINDOWS\PCHEALTH\HELPCTR\System\sysinfo\hzenbhql.exe
2007-11-24 23:02 83,964 ----a-w C:\WINDOWS\PCHEALTH\HELPCTR\System\sysinfo\cszbbkjb.exe
2007-11-24 23:02 83,964 ----a-w C:\WINDOWS\PCHEALTH\HELPCTR\System\sysinfo\cjrhtnee.exe
2007-11-24 23:02 83,964 ----a-w C:\WINDOWS\PCHEALTH\HELPCTR\System\Remote Assistance\sljktqsl.exe
2007-11-24 23:02 83,964 ----a-w C:\WINDOWS\PCHEALTH\HELPCTR\System\Remote Assistance\Interaction\Server\vhzlshll.exe
2007-11-24 23:02 83,964 ----a-w C:\WINDOWS\PCHEALTH\HELPCTR\System\Remote Assistance\Interaction\Server\heclkcje.exe
2007-11-24 23:02 83,964 ----a-w C:\WINDOWS\PCHEALTH\HELPCTR\System\Remote Assistance\Interaction\Server\bbcrvske.exe
2007-11-24 23:02 83,964 ----a-w C:\WINDOWS\PCHEALTH\HELPCTR\System\Remote Assistance\Interaction\Common\slkweqkr.exe
2007-11-24 23:02 83,964 ----a-w C:\WINDOWS\PCHEALTH\HELPCTR\System\Remote Assistance\Interaction\Client\resrzjkr.exe
2007-11-24 23:02 83,964 ----a-w C:\WINDOWS\PCHEALTH\HELPCTR\System\Remote Assistance\Interaction\Client\kcqrjjel.exe
2007-11-24 23:02 83,964 ----a-w C:\WINDOWS\PCHEALTH\HELPCTR\System\Remote Assistance\Interaction\Client\hlnbkbjt.exe
2007-11-24 23:02 83,964 ----a-w C:\WINDOWS\PCHEALTH\HELPCTR\System\Remote Assistance\Interaction\Client\cqlwbrtn.exe
2007-11-24 23:02 83,964 ----a-w C:\WINDOWS\PCHEALTH\HELPCTR\System\Remote Assistance\Common\vtxbneqq.exe
2007-11-24 23:02 83,964 ----a-w C:\WINDOWS\PCHEALTH\HELPCTR\System\Remote Assistance\Common\jqnsbclx.exe
2007-11-24 23:02 83,964 ----a-w C:\WINDOWS\PCHEALTH\HELPCTR\System\panels\zeektjlr.exe
2007-11-24 23:02 83,964 ----a-w C:\WINDOWS\PCHEALTH\HELPCTR\System\panels\tjsnlncx.exe
2007-11-24 23:02 83,964 ----a-w C:\WINDOWS\PCHEALTH\HELPCTR\System\NetDiag\stleqtrb.exe
2007-11-24 23:02 83,964 ----a-w C:\WINDOWS\PCHEALTH\HELPCTR\System\NetDiag\bnkrcrqq.exe
2007-11-24 23:02 83,964 ----a-w C:\WINDOWS\PCHEALTH\HELPCTR\System\errors\xnejeese.exe
2007-11-24 23:02 83,964 ----a-w C:\WINDOWS\PCHEALTH\HELPCTR\System\ErrMsg\nvsbqtlx.exe
2007-11-24 23:02 83,964 ----a-w C:\WINDOWS\PCHEALTH\HELPCTR\System\DVDUpgrd\kvzexhbs.exe
2007-11-24 23:02 83,964 ----a-w C:\WINDOWS\PCHEALTH\HELPCTR\System\DFS\jlskvkjt.exe
2007-11-24 23:02 83,964 ----a-w C:\WINDOWS\PCHEALTH\HELPCTR\System\DFS\hhktjkel.exe
2007-11-24 23:02 83,964 ----a-w C:\WINDOWS\PCHEALTH\HELPCTR\System\CompatCtr\tcjqbtst.exe
2007-11-24 23:02 83,964 ----a-w C:\WINDOWS\PCHEALTH\HELPCTR\System\CompatCtr\nrbhslcz.exe
2007-11-24 23:02 83,964 ----a-w C:\WINDOWS\Help\Tours\WindowsMediaPlayer\Cnt\tjnbzhbh.exe
2007-11-24 23:02 83,964 ----a-w C:\WINDOWS\Help\Tours\WindowsMediaPlayer\Audio\lllknblj.exe
2007-11-24 23:02 83,964 ----a-w C:\WINDOWS\Help\jjlenkbt.exe
2007-11-24 23:02 83,964 ----a-w C:\WINDOWS\Help\jbnshhqj.exe
2007-11-24 23:02 83,964 ----a-w C:\WINDOWS\Help\hwexrtne.exe
2007-11-24 23:02 83,964 ----a-w C:\WINDOWS\Help\bzehxvnz.exe
2007-11-19 16:27 --------- d-----w C:\Program Files\microsoft frontpage
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\ctfmon.exe" [2001-10-25 13:00]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2001-08-02 07:14]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="RUNDLL32.exe" [2001-10-25 13:00 C:\WINDOWS\system32\rundll32.exe]
"nwiz"="nwiz.exe" [2006-10-22 12:22 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="RUNDLL32.exe" [2001-10-25 13:00 C:\WINDOWS\system32\rundll32.exe]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-11-20 20:25]
"SpywareTerminator"="C:\PROGRA~1\SPYWAR~1\SpywareTerminatorShield.exe" [2007-11-20 21:04]
"NSLauncher"="C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe" [2006-11-28 01:12]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2001-10-25 13:00]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-11-20 20:25]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ X]
X

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\crehcjid]
crehcjid.dll

R1 sp_rsdrv2;Spyware Terminator Driver 2;\??\C:\WINDOWS\System32\drivers\sp_rsdrv2.sys
R3 PSched;Plánovač paketů technologie QoS;C:\WINDOWS\System32\DRIVERS\psched.sys
S2 MSWindows;Network Windows Service;"C:\WINDOWS\System32\urdvxc.exe" /service

.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-27 21:10:50
Windows 5.1.2600 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-27 21:12:13 - machine was rebooted
.
--- E O F ---

[fredik]

1)
Otestuj postupně tyto soubory na VirusTotall a dej sem výsledky:
C:\WINDOWS\system32\msnmanegrs.exe
C:\WINDOWS\system32\fuck.exe
C:\WINDOWS\system32\binlw.exe
C:\WINDOWS\system32\wbt.exe

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

2)
Otevři si Poznámkový blok (Start -> Spustit... a napiš do okna Notepad a dej Ok)
Zkopíruj do něj následující text označený zeleně:

Kód: Vybrat vše

Driver::
MSWindows

File::
C:\WINDOWS\system32\TFTP2844
C:\WINDOWS\system32\TFTP3528
C:\WINDOWS\system32\TFTP1488
C:\WINDOWS\system32\TFTP3324
C:\WINDOWS\system32\TFTP3048
C:\WINDOWS\system32\TFTP2752
C:\WINDOWS\system32\TFTP2376
C:\WINDOWS\system32\TFTP2104
C:\WINDOWS\system32\TFTP952
C:\WINDOWS\system32\TFTP3716
C:\WINDOWS\system32\TFTP55040
C:\WINDOWS\system32\TFTP3704
C:\WINDOWS\system32\ttvyb.ini
C:\WINDOWS\Web\wcxnjhhj.exe
C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\zejthvxk.exe
C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\tlrrsvlj.exe
C:\WINDOWS\PCHEALTH\HELPCTR\System\UpdateCtr\necxlsbh.exe
C:\WINDOWS\PCHEALTH\HELPCTR\System\UpdateCtr\hsxenjvk.exe
C:\WINDOWS\PCHEALTH\HELPCTR\System\UpdateCtr\hnshlbtv.exe
C:\WINDOWS\PCHEALTH\HELPCTR\System\UpdateCtr\ewznktww.exe
C:\WINDOWS\PCHEALTH\HELPCTR\System\UpdateCtr\ecrvhvjh.exe
C:\WINDOWS\PCHEALTH\HELPCTR\System\sysinfo\tehbbexs.exe
C:\WINDOWS\PCHEALTH\HELPCTR\System\sysinfo\qnkstrhn.exe
C:\WINDOWS\PCHEALTH\HELPCTR\System\sysinfo\hzenbhql.exe
C:\WINDOWS\PCHEALTH\HELPCTR\System\sysinfo\cszbbkjb.exe
C:\WINDOWS\PCHEALTH\HELPCTR\System\sysinfo\cjrhtnee.exe
C:\WINDOWS\PCHEALTH\HELPCTR\System\Remote Assistance\sljktqsl.exe
C:\WINDOWS\PCHEALTH\HELPCTR\System\Remote Assistance\Interaction\Server\vhzlshll.exe
C:\WINDOWS\PCHEALTH\HELPCTR\System\Remote Assistance\Interaction\Server\heclkcje.exe
C:\WINDOWS\PCHEALTH\HELPCTR\System\Remote Assistance\Interaction\Server\bbcrvske.exe
C:\WINDOWS\PCHEALTH\HELPCTR\System\Remote Assistance\Interaction\Common\slkweqkr.exe
C:\WINDOWS\PCHEALTH\HELPCTR\System\Remote Assistance\Interaction\Client\resrzjkr.exe
C:\WINDOWS\PCHEALTH\HELPCTR\System\Remote Assistance\Interaction\Client\kcqrjjel.exe
C:\WINDOWS\PCHEALTH\HELPCTR\System\Remote Assistance\Interaction\Client\hlnbkbjt.exe
C:\WINDOWS\PCHEALTH\HELPCTR\System\Remote Assistance\Common\vtxbneqq.exe
C:\WINDOWS\PCHEALTH\HELPCTR\System\Remote Assistance\Common\jqnsbclx.exe C:\WINDOWS\PCHEALTH\HELPCTR\System\Remote Assistance\Interaction\Client\cqlwbrtn.exe
C:\WINDOWS\PCHEALTH\HELPCTR\System\panels\zeektjlr.exe
C:\WINDOWS\PCHEALTH\HELPCTR\System\panels\tjsnlncx.exe
C:\WINDOWS\PCHEALTH\HELPCTR\System\NetDiag\stleqtrb.exe
C:\WINDOWS\PCHEALTH\HELPCTR\System\NetDiag\bnkrcrqq.exe
C:\WINDOWS\PCHEALTH\HELPCTR\System\errors\xnejeese.exe
C:\WINDOWS\PCHEALTH\HELPCTR\System\ErrMsg\nvsbqtlx.exe
C:\WINDOWS\PCHEALTH\HELPCTR\System\DVDUpgrd\kvzexhbs.exe
C:\WINDOWS\PCHEALTH\HELPCTR\System\DFS\jlskvkjt.exe
C:\WINDOWS\PCHEALTH\HELPCTR\System\DFS\hhktjkel.exe
C:\WINDOWS\PCHEALTH\HELPCTR\System\CompatCtr\tcjqbtst.exe
C:\WINDOWS\PCHEALTH\HELPCTR\System\CompatCtr\nrbhslcz.exe
C:\WINDOWS\Help\Tours\WindowsMediaPlayer\Cnt\tjnbzhbh.exe
C:\WINDOWS\Help\Tours\WindowsMediaPlayer\Audio\lllknblj.exe
C:\WINDOWS\system32\pinlw.exe
C:\WINDOWS\system32\fu1.exe
C:\WINDOWS\System32\urdvxc.exe

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ X]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\crehcjid]

Zvol možnost Uložit soubor jako, pojmenuj soubor CFScript.txt a zvol Uložit jako typ: Všechny soubory.
Ulož soubor na plochu.
Ukonči všechna aktivní okna.

Uchop myší vytvořený skript CFScript.txt, přemísti ho nad stažený program ComboFix.exe a když se oba soubory překryjí, skript upusť

- Automaticky se spustí ComboFix
- Vlož sem log, který vyběhne v závěru čistícího procesu

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

V následujícím příspěvku sem vlož tyto logy/výsledky:
- výsledky z VirusTotal
- nový log z ComboFix, po použití skriptu

[Prasek]

takze za 1) kdyz tam vlozim tu cestu a pak dam odeslat tak mi to u vsech 4 mi to pise chybu:
0 bytes size received / Se ha recibido un archivo vacio

[Prasek]

a tady mam este ten log

ComboFix 07-11-19.4C - Skupina 2007-11-29 17:18:46.5 - NTFSx86
Systém Microsoft Windows XP Professional 5.1.2600.0.1250.1.1029.18.121 [GMT 1:00]
Running from: C:\Documents and Settings\Skupina\Plocha\ComboFix.exe
Command switches used :: C:\Documents and Settings\Skupina\Plocha\CFScript.txt
* Created a new restore point

FILE
C:\WINDOWS\Help\Tours\WindowsMediaPlayer\Audio\lllknblj.exe
C:\WINDOWS\Help\Tours\WindowsMediaPlayer\Cnt\tjnbzhbh.exe
C:\WINDOWS\PCHEALTH\HELPCTR\System\CompatCtr\nrbhslcz.exe
C:\WINDOWS\PCHEALTH\HELPCTR\System\CompatCtr\tcjqbtst.exe
C:\WINDOWS\PCHEALTH\HELPCTR\System\DFS\hhktjkel.exe
C:\WINDOWS\PCHEALTH\HELPCTR\System\DFS\jlskvkjt.exe
C:\WINDOWS\PCHEALTH\HELPCTR\System\DVDUpgrd\kvzexhbs.exe
C:\WINDOWS\PCHEALTH\HELPCTR\System\ErrMsg\nvsbqtlx.exe
C:\WINDOWS\PCHEALTH\HELPCTR\System\errors\xnejeese.exe
C:\WINDOWS\PCHEALTH\HELPCTR\System\NetDiag\bnkrcrqq.exe
C:\WINDOWS\PCHEALTH\HELPCTR\System\NetDiag\stleqtrb.exe
C:\WINDOWS\PCHEALTH\HELPCTR\System\panels\tjsnlncx.exe
C:\WINDOWS\PCHEALTH\HELPCTR\System\panels\zeektjlr.exe
C:\WINDOWS\PCHEALTH\HELPCTR\System\Remote Assistance\Common\jqnsbclx.exe C:\WINDOWS\PCHEALTH\HELPCTR\System\Remote Assistance\Interaction\Client\cqlwbrtn.exe
C:\WINDOWS\PCHEALTH\HELPCTR\System\Remote Assistance\Common\vtxbneqq.exe
C:\WINDOWS\PCHEALTH\HELPCTR\System\Remote Assistance\Interaction\Client\hlnbkbjt.exe
C:\WINDOWS\PCHEALTH\HELPCTR\System\Remote Assistance\Interaction\Client\kcqrjjel.exe
C:\WINDOWS\PCHEALTH\HELPCTR\System\Remote Assistance\Interaction\Client\resrzjkr.exe
C:\WINDOWS\PCHEALTH\HELPCTR\System\Remote Assistance\Interaction\Common\slkweqkr.exe
C:\WINDOWS\PCHEALTH\HELPCTR\System\Remote Assistance\Interaction\Server\bbcrvske.exe
C:\WINDOWS\PCHEALTH\HELPCTR\System\Remote Assistance\Interaction\Server\heclkcje.exe
C:\WINDOWS\PCHEALTH\HELPCTR\System\Remote Assistance\Interaction\Server\vhzlshll.exe
C:\WINDOWS\PCHEALTH\HELPCTR\System\Remote Assistance\sljktqsl.exe
C:\WINDOWS\PCHEALTH\HELPCTR\System\sysinfo\cjrhtnee.exe
C:\WINDOWS\PCHEALTH\HELPCTR\System\sysinfo\cszbbkjb.exe
C:\WINDOWS\PCHEALTH\HELPCTR\System\sysinfo\hzenbhql.exe
C:\WINDOWS\PCHEALTH\HELPCTR\System\sysinfo\qnkstrhn.exe
C:\WINDOWS\PCHEALTH\HELPCTR\System\sysinfo\tehbbexs.exe
C:\WINDOWS\PCHEALTH\HELPCTR\System\UpdateCtr\ecrvhvjh.exe
C:\WINDOWS\PCHEALTH\HELPCTR\System\UpdateCtr\ewznktww.exe
C:\WINDOWS\PCHEALTH\HELPCTR\System\UpdateCtr\hnshlbtv.exe
C:\WINDOWS\PCHEALTH\HELPCTR\System\UpdateCtr\hsxenjvk.exe
C:\WINDOWS\PCHEALTH\HELPCTR\System\UpdateCtr\necxlsbh.exe
C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\tlrrsvlj.exe
C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\zejthvxk.exe
C:\WINDOWS\system32\fu1.exe
C:\WINDOWS\system32\pinlw.exe
C:\WINDOWS\system32\TFTP1488
C:\WINDOWS\system32\TFTP2104
C:\WINDOWS\system32\TFTP2376
C:\WINDOWS\system32\TFTP2752
C:\WINDOWS\system32\TFTP2844
C:\WINDOWS\system32\TFTP3048
C:\WINDOWS\system32\TFTP3324
C:\WINDOWS\system32\TFTP3528
C:\WINDOWS\system32\TFTP3704
C:\WINDOWS\system32\TFTP3716
C:\WINDOWS\system32\TFTP55040
C:\WINDOWS\system32\TFTP952
C:\WINDOWS\system32\ttvyb.ini
C:\WINDOWS\System32\urdvxc.exe
C:\WINDOWS\Web\wcxnjhhj.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\Help\Tours\WindowsMediaPlayer\Audio\lllknblj.exe
C:\WINDOWS\Help\Tours\WindowsMediaPlayer\Cnt\tjnbzhbh.exe
C:\WINDOWS\PCHEALTH\HELPCTR\System\CompatCtr\nrbhslcz.exe
C:\WINDOWS\PCHEALTH\HELPCTR\System\CompatCtr\tcjqbtst.exe
C:\WINDOWS\PCHEALTH\HELPCTR\System\DFS\hhktjkel.exe
C:\WINDOWS\PCHEALTH\HELPCTR\System\DFS\jlskvkjt.exe
C:\WINDOWS\PCHEALTH\HELPCTR\System\DVDUpgrd\kvzexhbs.exe
C:\WINDOWS\PCHEALTH\HELPCTR\System\ErrMsg\nvsbqtlx.exe
C:\WINDOWS\PCHEALTH\HELPCTR\System\errors\xnejeese.exe
C:\WINDOWS\PCHEALTH\HELPCTR\System\NetDiag\bnkrcrqq.exe
C:\WINDOWS\PCHEALTH\HELPCTR\System\NetDiag\stleqtrb.exe
C:\WINDOWS\PCHEALTH\HELPCTR\System\panels\tjsnlncx.exe
C:\WINDOWS\PCHEALTH\HELPCTR\System\panels\zeektjlr.exe
C:\WINDOWS\PCHEALTH\HELPCTR\System\Remote Assistance\Common\vtxbneqq.exe
C:\WINDOWS\PCHEALTH\HELPCTR\System\Remote Assistance\Interaction\Client\hlnbkbjt.exe
C:\WINDOWS\PCHEALTH\HELPCTR\System\Remote Assistance\Interaction\Client\kcqrjjel.exe
C:\WINDOWS\PCHEALTH\HELPCTR\System\Remote Assistance\Interaction\Client\resrzjkr.exe
C:\WINDOWS\PCHEALTH\HELPCTR\System\Remote Assistance\Interaction\Common\slkweqkr.exe
C:\WINDOWS\PCHEALTH\HELPCTR\System\Remote Assistance\Interaction\Server\bbcrvske.exe
C:\WINDOWS\PCHEALTH\HELPCTR\System\Remote Assistance\Interaction\Server\heclkcje.exe
C:\WINDOWS\PCHEALTH\HELPCTR\System\Remote Assistance\Interaction\Server\vhzlshll.exe
C:\WINDOWS\PCHEALTH\HELPCTR\System\Remote Assistance\sljktqsl.exe
C:\WINDOWS\PCHEALTH\HELPCTR\System\sysinfo\cjrhtnee.exe
C:\WINDOWS\PCHEALTH\HELPCTR\System\sysinfo\cszbbkjb.exe
C:\WINDOWS\PCHEALTH\HELPCTR\System\sysinfo\hzenbhql.exe
C:\WINDOWS\PCHEALTH\HELPCTR\System\sysinfo\qnkstrhn.exe
C:\WINDOWS\PCHEALTH\HELPCTR\System\sysinfo\tehbbexs.exe
C:\WINDOWS\PCHEALTH\HELPCTR\System\UpdateCtr\ecrvhvjh.exe
C:\WINDOWS\PCHEALTH\HELPCTR\System\UpdateCtr\ewznktww.exe
C:\WINDOWS\PCHEALTH\HELPCTR\System\UpdateCtr\hnshlbtv.exe
C:\WINDOWS\PCHEALTH\HELPCTR\System\UpdateCtr\hsxenjvk.exe
C:\WINDOWS\PCHEALTH\HELPCTR\System\UpdateCtr\necxlsbh.exe
C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\tlrrsvlj.exe
C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\zejthvxk.exe
C:\WINDOWS\system32\.exe
C:\WINDOWS\system32\fu1.exe
C:\WINDOWS\system32\pinlw.exe
C:\WINDOWS\system32\TFTP1488
C:\WINDOWS\system32\TFTP2104
C:\WINDOWS\system32\TFTP2376
C:\WINDOWS\system32\TFTP2752
C:\WINDOWS\system32\TFTP2844
C:\WINDOWS\system32\TFTP3048
C:\WINDOWS\system32\TFTP3324
C:\WINDOWS\system32\TFTP3528
C:\WINDOWS\system32\TFTP3704
C:\WINDOWS\system32\TFTP3716
C:\WINDOWS\system32\TFTP55040
C:\WINDOWS\system32\TFTP952
C:\WINDOWS\system32\ttvyb.ini
C:\WINDOWS\system32\windows.exe
C:\WINDOWS\Web\wcxnjhhj.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_MSWINDOWS
-------\MSWindows


((((((((((((((((((((((((( Files Created from 2007-10-28 to 2007-11-29 )))))))))))))))))))))))))))))))
.

2007-11-28 22:35 82,820 -ra------ C:\WINDOWS\system32\TFTP592
2007-11-28 21:04 0 -ra------ C:\WINDOWS\system32\TFTP1252
2007-11-28 20:19 0 -ra------ C:\WINDOWS\system32\TFTP1568
2007-11-28 19:09 82,820 -ra------ C:\WINDOWS\system32\TFTP212
2007-11-28 18:54 0 -ra------ C:\WINDOWS\system32\TFTP1080
2007-11-28 17:21 82,820 -ra------ C:\WINDOWS\system32\TFTP1504
2007-11-28 16:03 0 -ra------ C:\WINDOWS\system32\TFTP1820
2007-11-27 21:45 0 -ra------ C:\WINDOWS\system32\TFTP624
2007-11-27 21:34 82,820 -ra------ C:\WINDOWS\system32\TFTP972
2007-11-27 21:31 17,408 -ra------ C:\WINDOWS\system32\TFTP1464
2007-11-27 21:20 82,820 --a------ C:\WINDOWS\system32\scricon.exe
2007-11-27 19:19 <DIR> d-------- C:\Program Files\InfraRecorder
2007-11-26 20:09 544,768 --a------ C:\WINDOWS\system32\msnmanegrs.exe
2007-11-25 11:28 <DIR> d-------- C:\Deckard
2007-11-24 22:41 <DIR> d-------- C:\Documents and Settings\Skupina\Phone Browser
2007-11-24 19:10 <DIR> d-------- C:\Program Files\SimpleCenter
2007-11-24 19:10 <DIR> d-------- C:\Program Files\Common Files\i4j_jres
2007-11-24 19:04 <DIR> d-------- C:\Program Files\DIFX
2007-11-24 19:03 <DIR> d-------- C:\Program Files\Common Files\Nokia
2007-11-24 19:01 <DIR> d-------- C:\WINDOWS\Downloaded Installations
2007-11-24 19:01 <DIR> d-------- C:\Program Files\Nokia
2007-11-24 19:01 <DIR> d-------- C:\Program Files\Common Files\PCSuite
2007-11-24 18:57 182,880 --a--c--- C:\WINDOWS\system32\dllcache\iuengine.dll
2007-11-22 12:55 1,156 --a------ C:\WINDOWS\mozver.dat
2007-11-21 18:33 <DIR> d-------- C:\Program Files\Hamachi
2007-11-21 18:33 17,480 --a------ C:\WINDOWS\system32\drivers\hamachi.sys
2007-11-21 15:58 <DIR> d-------- C:\WINDOWS\ERUNT
2007-11-20 22:58 0 --a------ C:\WINDOWS\nsreg.dat
2007-11-20 21:05 138,624 --a------ C:\WINDOWS\system32\drivers\sp_rsdrv2.sys
2007-11-20 20:53 <DIR> d-------- C:\Program Files\Spyware Terminator
2007-11-20 20:30 <DIR> d-------- C:\Program Files\7-Zip
2007-11-20 20:29 <DIR> d-------- C:\Program Files\Codec Pack - All In 1
2007-11-20 20:29 737,280 --a------ C:\WINDOWS\iun6002.exe
2007-11-20 20:26 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
2007-11-20 20:26 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll
2007-11-19 19:33 16,768 --a------ C:\WINDOWS\system32\tcpip_patcher.sys
2007-11-19 19:22 <DIR> d--h----- C:\Program Files\InstallShield Installation Information
2007-11-19 19:22 1,474,560 --a------ C:\WINDOWS\adiras.exe
2007-11-19 19:22 143,360 --a------ C:\WINDOWS\autoclk.exe
2007-11-19 19:22 135,168 --a------ C:\WINDOWS\system32\unaddrv.exe
2007-11-19 19:22 46,167 --a------ C:\WINDOWS\system32\drivers\adildr.sys
2007-11-19 19:22 8,208 --a------ C:\WINDOWS\system32\drivers\adildr.cat
2007-11-19 19:22 23 --a------ C:\WINDOWS\system32\drivers\adidsl.cfg
2007-11-19 19:21 <DIR> d-------- C:\Program Files\SAGEM
2007-11-19 18:27 <DIR> d-------- C:\WINDOWS\nview
2007-11-19 18:26 <DIR> d-------- C:\Program Files\Common Files\InstallShield
2007-11-19 18:25 <DIR> d-------- C:\NVIDIA
2007-11-19 18:17 8 -r-hs---- C:\WINDOWS\system32\E7034D519E.dll
2007-11-19 18:00 130,304 --a------ C:\WINDOWS\system32\drivers\ks.sys
2007-11-19 18:00 83,968 --a------ C:\WINDOWS\system32\drivers\nabtsfec.sys
2007-11-19 18:00 52,096 --a------ C:\WINDOWS\system32\drivers\msdv.sys
2007-11-19 18:00 48,512 --a------ C:\WINDOWS\system32\drivers\stream.sys
2007-11-19 18:00 15,104 --a------ C:\WINDOWS\system32\drivers\mpe.sys
2007-11-19 18:00 10,880 --a------ C:\WINDOWS\system32\drivers\slip.sys
2007-11-19 18:00 10,112 --a------ C:\WINDOWS\system32\drivers\ndisip.sys
2007-11-19 18:00 7,424 --a------ C:\WINDOWS\system32\drivers\mskssrv.sys
2007-11-19 18:00 5,504 --a------ C:\WINDOWS\system32\drivers\mstee.sys
2007-11-19 18:00 5,248 --a------ C:\WINDOWS\system32\drivers\mspclock.sys
2007-11-19 18:00 4,608 --a------ C:\WINDOWS\system32\drivers\mspqm.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-28 21:17 403,456 ----a-w C:\WINDOWS\system32\fuck.exe
2007-11-27 17:33 530,432 ----a-w C:\WINDOWS\system32\binlw.exe
2007-11-27 17:27 391,168 ----a-w C:\WINDOWS\system32\wbt.exe
2007-11-24 23:02 83,964 ----a-w C:\WINDOWS\PCHEALTH\HELPCTR\System\Remote Assistance\Interaction\Client\cqlwbrtn.exe
2007-11-24 23:02 83,964 ----a-w C:\WINDOWS\PCHEALTH\HELPCTR\System\Remote Assistance\Common\jqnsbclx.exe
2007-11-24 23:02 83,964 ----a-w C:\WINDOWS\Help\jjlenkbt.exe
2007-11-24 23:02 83,964 ----a-w C:\WINDOWS\Help\jbnshhqj.exe
2007-11-24 23:02 83,964 ----a-w C:\WINDOWS\Help\hwexrtne.exe
2007-11-24 23:02 83,964 ----a-w C:\WINDOWS\Help\bzehxvnz.exe
2007-11-19 16:27 --------- d-----w C:\Program Files\microsoft frontpage
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\ctfmon.exe" [2001-10-25 13:00]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2001-08-02 07:14]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="RUNDLL32.exe" [2001-10-25 13:00 C:\WINDOWS\system32\rundll32.exe]
"nwiz"="nwiz.exe" [2006-10-22 12:22 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="RUNDLL32.exe" [2001-10-25 13:00 C:\WINDOWS\system32\rundll32.exe]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-11-20 20:25]
"SpywareTerminator"="C:\PROGRA~1\SPYWAR~1\SpywareTerminatorShield.exe" [2007-11-20 21:04]
"NSLauncher"="C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe" [2006-11-28 01:12]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2001-10-25 13:00]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-11-20 20:25]

R1 sp_rsdrv2;Spyware Terminator Driver 2;\??\C:\WINDOWS\System32\drivers\sp_rsdrv2.sys
R3 PSched;Plánovač paketů technologie QoS;C:\WINDOWS\System32\DRIVERS\psched.sys

.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-29 17:29:57
Windows 5.1.2600 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-29 17:30:59 - machine was rebooted
C:\ComboFix2.txt ... 2007-11-27 21:12
.
--- E O F ---

[fredik]

Než budeme pokračovat, udělej prosím tě toto:

Stáhni si Suspicious File Packer
Rozbal ho a spusť ho (soubor sfp.exe)
Do okna které se ti zobrazí zkopíruj a vlož tento tučně označený text:
C:\WINDOWS\system32\msnmanegrs.exe
C:\WINDOWS\system32\fuck.exe
C:\WINDOWS\system32\binlw.exe
C:\WINDOWS\system32\wbt.exe
C:\WINDOWS\system32\scricon.exe
C:\WINDOWS\PCHEALTH\HELPCTR\System\Remote Assistance\Common\jqnsbclx.exe
C:\WINDOWS\Help\jjlenkbt.exe
C:\WINDOWS\Help\jbnshhqj.exe

pak klikni na tlačítko Continue
Program se ti přepne do druhého okna Step2: Create archive
Zavři program.
Na ploše se ti vytvoří soubor requested-files[2007-07-30_HH_MM].cab (místo 2007-07-30 budeš mít aktuální datum a kde HH - hodina a MM minuty)
Ten pak zkus vložit ke svému příspěvku jako přílohu.

Poznámka: Je možné že už dané soubory nebudeš mít na disku, takže se ti nemusí vytvořit archiv.

Pokud se ti daný soubor vytvoří zabal ho např. do zipu a vlož ho ke svému příspěvku jako přílohu. Pokud by nešel vložit ohledně velikost souboru, tak mi ho pošli viz. SZ

[Prasek]

tak tady ho mam

Dík

[fredik]

Vytvoř si nový CFScript a tentokrát vlož do něho toto:

Kód: Vybrat vše

File::
C:\WINDOWS\system32\TFTP592
C:\WINDOWS\system32\TFTP1252
C:\WINDOWS\system32\TFTP1568
C:\WINDOWS\system32\TFTP212
C:\WINDOWS\system32\TFTP1080
C:\WINDOWS\system32\TFTP1504
C:\WINDOWS\system32\TFTP1820
C:\WINDOWS\system32\TFTP624
C:\WINDOWS\system32\TFTP972
C:\WINDOWS\system32\TFTP1464
C:\WINDOWS\system32\scricon.exe
C:\WINDOWS\system32\msnmanegrs.exe
C:\WINDOWS\PCHEALTH\HELPCTR\System\Remote Assistance\Interaction\Client\cqlwbrtn.exe
C:\WINDOWS\PCHEALTH\HELPCTR\System\Remote Assistance\Common\jqnsbclx.exe
C:\WINDOWS\Help\jjlenkbt.exe
C:\WINDOWS\Help\jbnshhqj.exe
C:\WINDOWS\Help\hwexrtne.exe
C:\WINDOWS\Help\bzehxvnz.exe
C:\WINDOWS\system32\binlw.exe

FileLook::
C:\WINDOWS\system32\wbt.exe
C:\WINDOWS\system32\fuck.exe

Vlož sem pak log z Combofix, který se ti zobrazí + dej sem nový log z HJT.

Udělej a vlož sem pak ještě log z Mwav. Pokud by byl log z něho moc dlouhý a nevešel se sem, tak vynech v něm řádky, kde bude napsáno (odkazuje na neplatný objekt)

[Prasek]

takze log z Combofix

ComboFix 07-11-19.4C - Skupina 2007-12-01 20:34:58.5 - NTFSx86
Systém Microsoft Windows XP Professional 5.1.2600.0.1250.1.1029.18.61 [GMT 1:00]
Running from: C:\Documents and Settings\Skupina\Plocha\ComboFix.exe
Command switches used :: C:\Documents and Settings\Skupina\Plocha\CFScript.txt
* Created a new restore point

FILE
C:\WINDOWS\Help\bzehxvnz.exe
C:\WINDOWS\Help\hwexrtne.exe
C:\WINDOWS\Help\jbnshhqj.exe
C:\WINDOWS\Help\jjlenkbt.exe
C:\WINDOWS\PCHEALTH\HELPCTR\System\Remote Assistance\Common\jqnsbclx.exe
C:\WINDOWS\PCHEALTH\HELPCTR\System\Remote Assistance\Interaction\Client\cqlwbrtn.exe
C:\WINDOWS\system32\binlw.exe
C:\WINDOWS\system32\msnmanegrs.exe
C:\WINDOWS\system32\scricon.exe
C:\WINDOWS\system32\TFTP1080
C:\WINDOWS\system32\TFTP1252
C:\WINDOWS\system32\TFTP1464
C:\WINDOWS\system32\TFTP1504
C:\WINDOWS\system32\TFTP1568
C:\WINDOWS\system32\TFTP1820
C:\WINDOWS\system32\TFTP212
C:\WINDOWS\system32\TFTP592
C:\WINDOWS\system32\TFTP624
C:\WINDOWS\system32\TFTP972
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\Help\bzehxvnz.exe
C:\WINDOWS\Help\hwexrtne.exe
C:\WINDOWS\Help\jbnshhqj.exe
C:\WINDOWS\Help\jjlenkbt.exe
C:\WINDOWS\PCHEALTH\HELPCTR\System\Remote Assistance\Common\jqnsbclx.exe
C:\WINDOWS\PCHEALTH\HELPCTR\System\Remote Assistance\Interaction\Client\cqlwbrtn.exe
C:\WINDOWS\system32\.exe
C:\WINDOWS\system32\binlw.exe
C:\WINDOWS\system32\msnmanegrs.exe
C:\WINDOWS\system32\scricon.exe
C:\WINDOWS\system32\TFTP1080
C:\WINDOWS\system32\TFTP1252
C:\WINDOWS\system32\TFTP1464
C:\WINDOWS\system32\TFTP1504
C:\WINDOWS\system32\TFTP1568
C:\WINDOWS\system32\TFTP1820
C:\WINDOWS\system32\TFTP212
C:\WINDOWS\system32\TFTP592
C:\WINDOWS\system32\TFTP624
C:\WINDOWS\system32\TFTP972
C:\WINDOWS\system32\windows.exe

.
((((((((((((((((((((((((( Files Created from 2007-11-01 to 2007-12-01 )))))))))))))))))))))))))))))))
.

2007-12-01 18:39 0 -ra------ C:\WINDOWS\system32\TFTP3796
2007-12-01 17:31 0 -ra------ C:\WINDOWS\system32\TFTP2600
2007-12-01 16:45 0 -ra------ C:\WINDOWS\system32\TFTP1116
2007-12-01 16:35 58,820 -ra------ C:\WINDOWS\system32\scrcs.exe
2007-12-01 16:20 0 -ra------ C:\WINDOWS\system32\TFTP1964
2007-12-01 14:43 80,200 -ra------ C:\WINDOWS\system32\ssms.exe
2007-12-01 14:27 <DIR> d-------- C:\Documents and Settings\Administrator\Šablony
2007-12-01 14:27 <DIR> d-------- C:\Documents and Settings\Administrator\Data aplikací
2007-11-30 19:06 0 -ra------ C:\WINDOWS\system32\TFTP3676
2007-11-30 18:54 82,820 -ra------ C:\WINDOWS\system32\TFTP2272
2007-11-29 21:25 82,820 -ra------ C:\WINDOWS\system32\TFTP4220
2007-11-29 20:44 82,820 -ra------ C:\WINDOWS\system32\TFTP2624
2007-11-29 19:39 0 -ra------ C:\WINDOWS\system32\TFTP3340
2007-11-29 19:37 <DIR> d-------- C:\Program Files\ICQToolbar
2007-11-29 19:35 82,820 -ra------ C:\WINDOWS\system32\TFTP4068
2007-11-29 19:12 <DIR> d-------- C:\Program Files\ICQLite
2007-11-29 19:12 <DIR> d-------- C:\Documents and Settings\Skupina\Data aplikací\ICQLite
2007-11-29 19:02 0 -ra------ C:\WINDOWS\system32\TFTP2788
2007-11-29 18:53 0 -ra------ C:\WINDOWS\system32\TFTP2472
2007-11-29 18:10 0 -ra------ C:\WINDOWS\system32\TFTP1636
2007-11-29 17:43 25,088 -ra------ C:\WINDOWS\system32\TFTP1164
2007-11-27 19:21 <DIR> d-------- C:\Documents and Settings\Skupina\Data aplikací\InfraRecorder
2007-11-27 19:19 <DIR> d-------- C:\Program Files\InfraRecorder
2007-11-25 11:28 <DIR> d-------- C:\Deckard
2007-11-24 22:41 <DIR> d-------- C:\Documents and Settings\Skupina\Phone Browser
2007-11-24 19:10 <DIR> d-------- C:\Program Files\SimpleCenter
2007-11-24 19:10 <DIR> d-------- C:\Program Files\Common Files\i4j_jres
2007-11-24 19:04 <DIR> d-------- C:\Program Files\DIFX
2007-11-24 19:03 <DIR> d-------- C:\Program Files\Common Files\Nokia
2007-11-24 19:02 <DIR> d-------- C:\Documents and Settings\Skupina\Data aplikací\PC Suite
2007-11-24 19:02 <DIR> d-------- C:\Documents and Settings\All Users\Data aplikací\PC Suite
2007-11-24 19:01 <DIR> d-------- C:\WINDOWS\Downloaded Installations
2007-11-24 19:01 <DIR> d-------- C:\Program Files\Nokia
2007-11-24 19:01 <DIR> d-------- C:\Program Files\Common Files\PCSuite
2007-11-24 19:01 <DIR> d-------- C:\Documents and Settings\All Users\Data aplikací\Downloaded Installations
2007-11-24 18:57 182,880 --a--c--- C:\WINDOWS\system32\dllcache\iuengine.dll
2007-11-22 12:55 1,156 --a------ C:\WINDOWS\mozver.dat
2007-11-21 18:34 <DIR> d-------- C:\Documents and Settings\Skupina\Data aplikací\Hamachi
2007-11-21 18:33 <DIR> d-------- C:\Program Files\Hamachi
2007-11-21 18:33 17,480 --a------ C:\WINDOWS\system32\drivers\hamachi.sys
2007-11-21 15:58 <DIR> d-------- C:\WINDOWS\ERUNT
2007-11-20 22:58 0 --a------ C:\WINDOWS\nsreg.dat
2007-11-20 21:05 138,624 --a------ C:\WINDOWS\system32\drivers\sp_rsdrv2.sys
2007-11-20 20:53 <DIR> d-------- C:\Program Files\Spyware Terminator
2007-11-20 20:53 <DIR> d-------- C:\Documents and Settings\All Users\Data aplikací\Spyware Terminator
2007-11-20 20:30 <DIR> d-------- C:\Program Files\7-Zip
2007-11-20 20:29 <DIR> d-------- C:\Program Files\Codec Pack - All In 1
2007-11-20 20:29 737,280 --a------ C:\WINDOWS\iun6002.exe
2007-11-20 20:26 <DIR> d-------- C:\Documents and Settings\Skupina\Data aplikací\AVG7
2007-11-20 20:26 <DIR> d-------- C:\Documents and Settings\LocalService\Data aplikací\AVG7
2007-11-20 20:26 <DIR> d-------- C:\Documents and Settings\LocalService\Data aplikací\AVG7
2007-11-20 20:26 <DIR> d-------- C:\Documents and Settings\LocalService\Data aplikací\AVG7
2007-11-20 20:26 <DIR> d-------- C:\Documents and Settings\LocalService\Data aplikací\AVG7
2007-11-20 20:26 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
2007-11-20 20:26 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll
2007-11-20 20:25 <DIR> d-------- C:\Documents and Settings\All Users\Data aplikací\Grisoft
2007-11-20 20:25 <DIR> d-------- C:\Documents and Settings\All Users\Data aplikací\avg7
2007-11-19 20:47 6,607 --ahs---- C:\WINDOWS\system32\ttvyb.ini
2007-11-19 19:33 16,768 --a------ C:\WINDOWS\system32\tcpip_patcher.sys
2007-11-19 19:22 <DIR> d--h----- C:\Program Files\InstallShield Installation Information
2007-11-19 19:22 1,474,560 --a------ C:\WINDOWS\adiras.exe
2007-11-19 19:22 143,360 --a------ C:\WINDOWS\autoclk.exe
2007-11-19 19:22 135,168 --a------ C:\WINDOWS\system32\unaddrv.exe
2007-11-19 19:22 46,167 --a------ C:\WINDOWS\system32\drivers\adildr.sys
2007-11-19 19:22 8,208 --a------ C:\WINDOWS\system32\drivers\adildr.cat
2007-11-19 19:22 23 --a------ C:\WINDOWS\system32\drivers\adidsl.cfg
2007-11-19 19:21 <DIR> d-------- C:\Program Files\SAGEM
2007-11-19 18:27 <DIR> d-------- C:\WINDOWS\nview
2007-11-19 18:26 <DIR> d-------- C:\Program Files\Common Files\InstallShield
2007-11-19 18:25 <DIR> d-------- C:\NVIDIA
2007-11-19 18:22 <DIR> d-------- C:\Documents and Settings\All Users\Data aplikací\Trymedia
2007-11-19 18:17 <DIR> d-------- C:\Documents and Settings\All Users\Data aplikací\Protexis
2007-11-19 18:17 8 -r-hs---- C:\WINDOWS\system32\E7034D519E.dll
2007-11-19 18:00 130,304 --a------ C:\WINDOWS\system32\drivers\ks.sys
2007-11-19 18:00 83,968 --a------ C:\WINDOWS\system32\drivers\nabtsfec.sys
2007-11-19 18:00 52,096 --a------ C:\WINDOWS\system32\drivers\msdv.sys
2007-11-19 18:00 15,104 --a------ C:\WINDOWS\system32\drivers\mpe.sys
2007-11-19 18:00 10,880 --a------ C:\WINDOWS\system32\drivers\slip.sys
2007-11-19 18:00 10,112 --a------ C:\WINDOWS\system32\drivers\ndisip.sys
2007-11-19 18:00 7,424 --a------ C:\WINDOWS\system32\drivers\mskssrv.sys
2007-11-19 18:00 5,504 --a------ C:\WINDOWS\system32\drivers\mstee.sys
2007-11-19 18:00 5,248 --a------ C:\WINDOWS\system32\drivers\mspclock.sys
2007-11-19 18:00 4,608 --a------ C:\WINDOWS\system32\drivers\mspqm.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-01 19:30 403,456 ----a-w C:\WINDOWS\system32\fuck.exe
2007-12-01 18:40 391,168 ----a-w C:\WINDOWS\system32\wbt.exe
2007-11-28 18:29 542,720 ----a-w C:\WINDOWS\system32\pinlw.exe
2007-11-25 19:36 451,584 ----a-w C:\WINDOWS\system32\fu1.exe
2007-11-24 23:03 83,964 ----a-w C:\WINDOWS\Web\wcxnjhhj.exe
2007-11-24 23:02 83,964 ----a-w C:\WINDOWS\Help\Tours\WindowsMediaPlayer\Cnt\tjnbzhbh.exe
2007-11-24 23:02 83,964 ----a-w C:\WINDOWS\Help\Tours\WindowsMediaPlayer\Audio\lllknblj.exe
2007-11-19 16:27 --------- d-----w C:\Program Files\microsoft frontpage
.

((((((((((((((((((((((((((((( snapshot@2007-11-27_21.11.04.08 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-11-27 12:51:22 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2007-12-01 19:31:09 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2007-11-27 12:51:22 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2007-12-01 19:31:09 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2007-11-27 12:51:22 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2007-12-01 19:31:09 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2007-12-01 19:34:49 270,336 ----a-w C:\WINDOWS\system32\config\systemprofile\ntuser.dat
+ 2007-12-01 13:35:32 464,912 ----a-w C:\WINDOWS\system32\Restore\rstrlog.dat
+ 2007-12-01 15:36:14 58,820 --sh--r C:\WINDOWS\system32\wbem\scrcs.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\ctfmon.exe" [2001-10-25 13:00]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2001-08-02 07:14]
"WMI Standard Event Consumer - hosting"="C:\WINDOWS\System32\wbem\scrcs.exe" [2007-12-01 16:36]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"WMI Standard Event Consumer - hosting"="C:\WINDOWS\System32\wbem\scrcs.exe" [2007-12-01 16:36]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="RUNDLL32.exe" [2001-10-25 13:00 C:\WINDOWS\system32\rundll32.exe]
"nwiz"="nwiz.exe" [2006-10-22 12:22 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="RUNDLL32.exe" [2001-10-25 13:00 C:\WINDOWS\system32\rundll32.exe]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-11-20 20:25]
"SpywareTerminator"="C:\PROGRA~1\SPYWAR~1\SpywareTerminatorShield.exe" [2007-11-20 21:04]
"NSLauncher"="C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe" [2006-11-28 01:12]
"WMI Standard Event Consumer - hosting"="C:\WINDOWS\System32\wbem\scrcs.exe" [2007-12-01 16:36]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"WMI Standard Event Consumer - hosting"="C:\WINDOWS\System32\wbem\scrcs.exe" [2007-12-01 16:36]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2001-10-25 13:00]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-11-20 20:25]
"WMI Standard Event Consumer - hosting"="C:\WINDOWS\System32\wbem\scrcs.exe" [2007-12-01 16:36]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunServices]
"WMI Standard Event Consumer - hosting"="C:\WINDOWS\System32\wbem\scrcs.exe" [2007-12-01 16:36]

C:\Documents and Settings\All Users\Nabˇdka Start\Programy\Po spuçtŘnˇ\
DSLMON.lnk - C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe [2007-11-19 19:22:20]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 11:01:04]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ X]
X

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\crehcjid]
crehcjid.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"WMI Standard Event Consumer - hosting"= C:\WINDOWS\System32\wbem\scrcs.exe

R1 sp_rsdrv2;Spyware Terminator Driver 2;\??\C:\WINDOWS\System32\drivers\sp_rsdrv2.sys
R3 PSched;Plánovač paketů technologie QoS;C:\WINDOWS\System32\DRIVERS\psched.sys
S2 MSWindows;Network Windows Service;"C:\WINDOWS\System32\urdvxc.exe" /service

.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-01 21:42:49
Windows 5.1.2600 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-01 21:43:32
C:\ComboFix2.txt ... 2007-11-29 17:30
C:\ComboFix3.txt ... 2007-11-27 21:12
.
--- E O F ---

[Prasek]

+ log z Hijak This

Logfile of HijackThis v1.99.1
Scan saved at 21:48:12, on 1.12.2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\PROGRA~1\SPYWAR~1\SpywareTerminatorShield.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\wbem\scrcs.exe
C:\PROGRA~1\SPYWAR~1\sp_rsser.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Skupina\Plocha\anitiviry\HijakThis\Skupina.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.seznam.cz/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
O3 - Toolbar: &Rádio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SpywareTerminator] "C:\PROGRA~1\SPYWAR~1\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [NSLauncher] C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe /startup
O4 - HKLM\..\Run: [WMI Standard Event Consumer - hosting] C:\WINDOWS\System32\wbem\scrcs.exe
O4 - HKLM\..\RunServices: [WMI Standard Event Consumer - hosting] C:\WINDOWS\System32\wbem\scrcs.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [WMI Standard Event Consumer - hosting] C:\WINDOWS\System32\wbem\scrcs.exe
O4 - HKCU\..\RunServices: [WMI Standard Event Consumer - hosting] C:\WINDOWS\System32\wbem\scrcs.exe
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xportovat do aplikace Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O17 - HKLM\System\CCS\Services\Tcpip\..\{B4D07D05-593E-46E6-82B0-B33670CE2C3F}: NameServer = 194.228.41.65 194.228.41.113
O20 - Winlogon Notify: X - X (file missing)
O20 - Winlogon Notify: crehcjid - crehcjid.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Network Windows Service (MSWindows) - Unknown owner - C:\WINDOWS\System32\urdvxc.exe" /service (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\PROGRA~1\SPYWAR~1\sp_rsser.exe

[fredik]

Pro lepší zabezpečení by bylo dobré si doinstalovat firewall, můžeš si vybrat některý zde uvedený nebo některý jiný z odkazu: Přehled osobních firewallů
Firewally zdarma:
Comodo - kvalitní, pokročilý, s mnoha funkcemi, originálně v angličtině, čeština by měla být asi až od verze 3 která by se měl objevit v brzké době
Kerio - přehledný, větší možnosti nastavení, náročnější na systémové prostředky, v češtině
ZoneAlarm - jednoduchý, kompatibilní, nenáročný na systémové prostředky, málo možností nastavení, v angličtině

Vytvoř si nový CFScript a tentokrát vlož do něho toto:

Kód: Vybrat vše

Driver::
MSWindows

File::
C:\WINDOWS\system32\TFTP3796
C:\WINDOWS\system32\TFTP2600
C:\WINDOWS\system32\TFTP1116
C:\WINDOWS\system32\scrcs.exe
C:\WINDOWS\system32\TFTP1964
C:\WINDOWS\system32\ssms.exe
C:\WINDOWS\system32\TFTP3676
C:\WINDOWS\system32\TFTP2272
C:\WINDOWS\system32\TFTP4220
C:\WINDOWS\system32\TFTP2624
C:\WINDOWS\system32\TFTP3340
C:\WINDOWS\system32\TFTP4068
C:\WINDOWS\system32\TFTP2788
C:\WINDOWS\system32\TFTP2472
C:\WINDOWS\system32\TFTP1636
C:\WINDOWS\system32\TFTP1164
C:\WINDOWS\system32\ttvyb.ini
C:\WINDOWS\system32\fuck.exe
C:\WINDOWS\system32\wbt.exe
C:\WINDOWS\system32\pinlw.exe
C:\WINDOWS\system32\fu1.exe
C:\WINDOWS\System32\urdvxc.exe
C:\WINDOWS\Web\wcxnjhhj.exe
C:\WINDOWS\Help\Tours\WindowsMediaPlayer\Cnt\tjnbzhbh.exe
C:\WINDOWS\Help\Tours\WindowsMediaPlayer\Audio\lllknblj.exe
C:\WINDOWS\system32\wbem\scrcs.exe

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMI Standard Event Consumer - hosting"=-
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"WMI Standard Event Consumer - hosting"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMI Standard Event Consumer - hosting"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"WMI Standard Event Consumer - hosting"=
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"WMI Standard Event Consumer - hosting"=-
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunServices]
"WMI Standard Event Consumer - hosting"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ X]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\crehcjid]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"WMI Standard Event Consumer - hosting"=-

Vlož sem pak log z ComboFix.

Projeď pak pc tímto: Mwav a vlož sem log jak je napsáno.

Poznámka:
Používáš starší verzi HijackThis, stáhni si aktuální verzi zde a tu starou před použitím vymaž.

[Prasek]

ComboFix 07-11-19.4C - Skupina 2007-12-02 15:20:22.6 - NTFSx86
Systém Microsoft Windows XP Professional 5.1.2600.0.1250.1.1029.18.57 [GMT 1:00]
Running from: C:\Documents and Settings\Skupina\Plocha\ComboFix.exe
Command switches used :: C:\Documents and Settings\Skupina\Plocha\CFScript.txt
* Created a new restore point

FILE
C:\WINDOWS\Help\Tours\WindowsMediaPlayer\Audio\lllknblj.exe
C:\WINDOWS\Help\Tours\WindowsMediaPlayer\Cnt\tjnbzhbh.exe
C:\WINDOWS\system32\fu1.exe
C:\WINDOWS\system32\fuck.exe
C:\WINDOWS\system32\pinlw.exe
C:\WINDOWS\system32\scrcs.exe
C:\WINDOWS\system32\ssms.exe
C:\WINDOWS\system32\TFTP1116
C:\WINDOWS\system32\TFTP1164
C:\WINDOWS\system32\TFTP1636
C:\WINDOWS\system32\TFTP1964
C:\WINDOWS\system32\TFTP2272
C:\WINDOWS\system32\TFTP2472
C:\WINDOWS\system32\TFTP2600
C:\WINDOWS\system32\TFTP2624
C:\WINDOWS\system32\TFTP2788
C:\WINDOWS\system32\TFTP3340
C:\WINDOWS\system32\TFTP3676
C:\WINDOWS\system32\TFTP3796
C:\WINDOWS\system32\TFTP4068
C:\WINDOWS\system32\TFTP4220
C:\WINDOWS\system32\ttvyb.ini
C:\WINDOWS\System32\urdvxc.exe
C:\WINDOWS\system32\wbem\scrcs.exe
C:\WINDOWS\system32\wbt.exe
C:\WINDOWS\Web\wcxnjhhj.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\Help\Tours\WindowsMediaPlayer\Audio\lllknblj.exe
C:\WINDOWS\Help\Tours\WindowsMediaPlayer\Cnt\tjnbzhbh.exe
C:\WINDOWS\system32\.exe
C:\WINDOWS\system32\fuck.exe
C:\WINDOWS\system32\scrcs.exe
C:\WINDOWS\system32\TFTP1116
C:\WINDOWS\system32\TFTP1636
C:\WINDOWS\system32\TFTP1964
C:\WINDOWS\system32\TFTP2472
C:\WINDOWS\system32\TFTP2600
C:\WINDOWS\system32\TFTP2788
C:\WINDOWS\system32\TFTP3340
C:\WINDOWS\system32\TFTP3676
C:\WINDOWS\system32\TFTP3796
C:\WINDOWS\system32\ttvyb.ini
C:\WINDOWS\system32\wbem\scrcs.exe
C:\WINDOWS\Web\wcxnjhhj.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_MSWINDOWS
-------\MSWindows


((((((((((((((((((((((((( Files Created from 2007-11-02 to 2007-12-02 )))))))))))))))))))))))))))))))
.

2007-12-02 12:54 0 -ra------ C:\WINDOWS\system32\TFTP3308
2007-12-02 03:41 21,760 --a--c--- C:\WINDOWS\system32\dllcache\usbstor.sys
2007-12-01 14:27 <DIR> d-------- C:\Documents and Settings\Administrator\ćablony
2007-12-01 14:27 <DIR> d-------- C:\Documents and Settings\Administrator\Data aplikacˇ
2007-11-29 19:37 <DIR> d-------- C:\Program Files\ICQToolbar
2007-11-29 19:12 <DIR> d-------- C:\Program Files\ICQLite
2007-11-27 19:19 <DIR> d-------- C:\Program Files\InfraRecorder
2007-11-25 11:28 <DIR> d-------- C:\Deckard
2007-11-24 22:41 <DIR> d-------- C:\Documents and Settings\Skupina\Phone Browser
2007-11-24 19:10 <DIR> d-------- C:\Program Files\SimpleCenter
2007-11-24 19:10 <DIR> d-------- C:\Program Files\Common Files\i4j_jres
2007-11-24 19:04 <DIR> d-------- C:\Program Files\DIFX
2007-11-24 19:03 <DIR> d-------- C:\Program Files\Common Files\Nokia
2007-11-24 19:01 <DIR> d-------- C:\WINDOWS\Downloaded Installations
2007-11-24 19:01 <DIR> d-------- C:\Program Files\Nokia
2007-11-24 19:01 <DIR> d-------- C:\Program Files\Common Files\PCSuite
2007-11-24 18:57 182,880 --a--c--- C:\WINDOWS\system32\dllcache\iuengine.dll
2007-11-22 12:55 1,156 --a------ C:\WINDOWS\mozver.dat
2007-11-21 18:33 <DIR> d-------- C:\Program Files\Hamachi
2007-11-21 18:33 17,480 --a------ C:\WINDOWS\system32\drivers\hamachi.sys
2007-11-21 15:58 <DIR> d-------- C:\WINDOWS\ERUNT
2007-11-20 22:58 0 --a------ C:\WINDOWS\nsreg.dat
2007-11-20 21:05 138,624 --a------ C:\WINDOWS\system32\drivers\sp_rsdrv2.sys
2007-11-20 20:53 <DIR> d-------- C:\Program Files\Spyware Terminator
2007-11-20 20:30 <DIR> d-------- C:\Program Files\7-Zip
2007-11-20 20:29 <DIR> d-------- C:\Program Files\Codec Pack - All In 1
2007-11-20 20:29 737,280 --a------ C:\WINDOWS\iun6002.exe
2007-11-20 20:26 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
2007-11-20 20:26 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll
2007-11-19 19:33 16,768 --a------ C:\WINDOWS\system32\tcpip_patcher.sys
2007-11-19 19:22 <DIR> d--h----- C:\Program Files\InstallShield Installation Information
2007-11-19 19:22 1,474,560 --a------ C:\WINDOWS\adiras.exe
2007-11-19 19:22 143,360 --a------ C:\WINDOWS\autoclk.exe
2007-11-19 19:22 135,168 --a------ C:\WINDOWS\system32\unaddrv.exe
2007-11-19 19:22 46,167 --a------ C:\WINDOWS\system32\drivers\adildr.sys
2007-11-19 19:22 8,208 --a------ C:\WINDOWS\system32\drivers\adildr.cat
2007-11-19 19:22 23 --a------ C:\WINDOWS\system32\drivers\adidsl.cfg
2007-11-19 19:21 <DIR> d-------- C:\Program Files\SAGEM
2007-11-19 18:27 <DIR> d-------- C:\WINDOWS\nview
2007-11-19 18:26 <DIR> d-------- C:\Program Files\Common Files\InstallShield
2007-11-19 18:25 <DIR> d-------- C:\NVIDIA
2007-11-19 18:17 8 -r-hs---- C:\WINDOWS\system32\E7034D519E.dll
2007-11-19 18:00 130,304 --a------ C:\WINDOWS\system32\drivers\ks.sys
2007-11-19 18:00 83,968 --a------ C:\WINDOWS\system32\drivers\nabtsfec.sys
2007-11-19 18:00 52,096 --a------ C:\WINDOWS\system32\drivers\msdv.sys
2007-11-19 18:00 48,512 --a------ C:\WINDOWS\system32\drivers\stream.sys
2007-11-19 18:00 47,104 --a--c--- C:\WINDOWS\system32\dllcache\wstdecod.dll
2007-11-19 18:00 27,648 --a--c--- C:\WINDOWS\system32\dllcache\vbisurf.ax
2007-11-19 18:00 18,688 --a--c--- C:\WINDOWS\system32\dllcache\wstcodec.sys
2007-11-19 18:00 15,104 --a------ C:\WINDOWS\system32\drivers\mpe.sys
2007-11-19 18:00 10,880 --a------ C:\WINDOWS\system32\drivers\slip.sys
2007-11-19 18:00 10,112 --a------ C:\WINDOWS\system32\drivers\ndisip.sys
2007-11-19 18:00 7,424 --a------ C:\WINDOWS\system32\drivers\mskssrv.sys
2007-11-19 18:00 5,504 --a------ C:\WINDOWS\system32\drivers\mstee.sys
2007-11-19 18:00 5,248 --a------ C:\WINDOWS\system32\drivers\mspclock.sys
2007-11-19 18:00 4,608 --a------ C:\WINDOWS\system32\drivers\mspqm.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-19 16:27 --------- d-----w C:\Program Files\microsoft frontpage
.

((((((((((((((((((((((((((((( snapshot@2007-11-27_21.11.04.08 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-11-27 12:51:22 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2007-12-02 12:35:54 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2007-11-27 12:51:22 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2007-12-02 12:35:54 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2007-11-27 12:51:22 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2007-12-02 12:35:54 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2007-12-02 14:20:11 270,336 ----a-w C:\WINDOWS\system32\config\systemprofile\ntuser.dat
+ 2001-08-17 21:03:22 21,760 ----a-w C:\WINDOWS\system32\drivers\USBSTOR.SYS
+ 2007-12-01 13:35:32 464,912 ----a-w C:\WINDOWS\system32\Restore\rstrlog.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\ctfmon.exe" [2001-10-25 13:00]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2001-08-02 07:14]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"WMI Standard Event Consumer - hosting"="C:\WINDOWS\System32\wbem\scrcs.exe" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="RUNDLL32.exe" [2001-10-25 13:00 C:\WINDOWS\system32\rundll32.exe]
"nwiz"="nwiz.exe" [2006-10-22 12:22 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="RUNDLL32.exe" [2001-10-25 13:00 C:\WINDOWS\system32\rundll32.exe]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-11-20 20:25]
"SpywareTerminator"="C:\PROGRA~1\SPYWAR~1\SpywareTerminatorShield.exe" [2007-11-20 21:04]
"NSLauncher"="C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe" [2006-11-28 01:12]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"WMI Standard Event Consumer - hosting"="C:\WINDOWS\System32\wbem\scrcs.exe" []

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2001-10-25 13:00]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-11-20 20:25]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunServices]
"WMI Standard Event Consumer - hosting"="C:\WINDOWS\System32\wbem\scrcs.exe" []

R1 sp_rsdrv2;Spyware Terminator Driver 2;\??\C:\WINDOWS\System32\drivers\sp_rsdrv2.sys
R3 PSched;Plánovač paketů technologie QoS;C:\WINDOWS\System32\DRIVERS\psched.sys

.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-02 15:28:14
Windows 5.1.2600 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-02 15:29:42 - machine was rebooted
C:\ComboFix2.txt ... 2007-12-01 21:43
C:\ComboFix3.txt ... 2007-11-29 17:30
.
--- E O F ---