trojan

[Lucka Kolísková]

Mám problém: při zapnutí PC se mi v bublině napíše, že v počítači byl nalezen nějaký trojan - přesný název už si nepamatuji. Tady zasílám log z hijacku:

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 15:41:03, on 8.11.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
D:\Program Files\Eset\nod32kui.exe
D:\Program Files\DAEMON Tools\daemon.exe
C:\WINDOWS\mHotkey.exe
C:\Program Files\ICQLite\ICQLite.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
D:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
d:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\UAService7.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Admin\Plocha\HiJackThis_v2.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.icq.com/search/search_frame.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://google.icq.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.seznam.cz/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
O2 - BHO: XTTBPos00 - {055FD26D-3A88-4e15-963D-DC8493744B1D} - C:\Program Files\ICQToolbar\toolbaru.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: IEHlprObj Class - {ABCDECF0-4B15-11D1-ABED-709549C10000} - C:\WINDOWS\system32\vtr.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [nod32kui] "d:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [DAEMON Tools] "d:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [ICQ Lite] "C:\Program Files\ICQLite\ICQLite.exe" -minimize
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -trayboot
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = D:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: RAID Tool.lnk = C:\Program Files\VIA\RAID\raid_tool.exe
O8 - Extra context menu item: E&xportovat do aplikace Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: E&xportovat do aplikace Microsoft Office Excel - res://D:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Zdroje informací - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/s ... wflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5BAFBA6D-5878-4ADB-A111-3E4CD2297F9F}: NameServer = 62.240.161.226,213.192.21.70
O17 - HKLM\System\CS1\Services\Tcpip\..\{5BAFBA6D-5878-4ADB-A111-3E4CD2297F9F}: NameServer = 62.240.161.226,213.192.21.70
O17 - HKLM\System\CS2\Services\Tcpip\..\{5BAFBA6D-5878-4ADB-A111-3E4CD2297F9F}: NameServer = 62.240.161.226,213.192.21.70
O20 - AppInit_DLLs: systems.txt
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Proces mezipaměti kategorií součástí - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - d:\Program Files\Eset\nod32krn.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\system32\UAService7.exe

--
End of file - 6224 bytes


Děkuji předem za pomoc.
S pozdravem Lucka

[Reklama]

[fredik]

Vítej na fóru:

Stáhni si ComboFix (by sUBs) a ulož si ho na plochu.
Ukonči všechna aktivní okna a spusť ho.
- Po spuštění se zobrazí podmínky užití, potvrď je stiskem klávesy 1
- Dále postupuj dle pokynů, během aplikování ComboFixu neklikej do zobrazujícího se okna
- Po dokončení skenování by měl program vytvořit log - C:\ComboFix.txt - zkopíruj sem prosím celý jeho obsah

[Lucka Kolísková]

ahoj...
děkuji za rychlou odpověď

pred chvili mi toho trojana vyhledal i antivir a napsal toto: c:\windows\system32\vtr.dll - a variant of Win32/TrojanDownloader.Agent.NPQ trojan

tady je log z combofixu......

ComboFix 07-11-08.1 - Admin 2007-11-08 18:23:14.1 - NTFSx86
Running from: C:\Documents and Settings\Admin\Plocha\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Autorun.inf
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2007-10-08 to 2007-11-08 )))))))))))))))))))))))))))))))
.

2007-11-08 18:22 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-15 16:02 7,395 --a------ C:\syszubi.exe
2007-10-13 14:17 58,368 --a------ C:\systcgd.exe
2007-10-13 14:17 58,368 --a------ C:\syspvsh.exe
2007-10-13 14:17 58,368 --a------ C:\syshowq.exe
2007-10-13 14:17 58,368 --a------ C:\sysdsbz.exe
2007-10-13 14:16 7,395 --a------ C:\syswhwx.exe
2007-10-13 14:16 7,395 --a------ C:\sysvduw.exe
2007-10-13 14:16 7,395 --a------ C:\sysuyhc.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-06 19:00 --------- d-----w C:\Program Files\ICQToolbar
2007-11-03 11:08 --------- d-----w C:\Program Files\SimTractor 3.5
2007-10-07 18:52 --------- d-----w C:\Program Files\Mystical Mahjong
2007-09-08 19:03 215,620 ----a-w C:\WINDOWS\MP3Producer Uninstaller.exe
2007-08-17 13:16 55,808 ----a-w C:\WINDOWS\ALCFDRTM.EXE
2007-05-09 07:36 4,660,814 ----a-w C:\Program Files\Krtecek_1_9b7.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2003-03-27 09:34 C:\WINDOWS\SOUNDMAN.EXE]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-10-28 21:10]
"nod32kui"="d:\Program Files\Eset\nod32kui.exe" [2007-03-13 22:19]
"DAEMON Tools"="d:\Program Files\DAEMON Tools\daemon.exe" [2006-11-12 11:48]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50]
"CHotkey"="mHotkey.exe" [2002-10-09 11:56 C:\WINDOWS\mHotkey.exe]
"ICQ Lite"="C:\Program Files\ICQLite\ICQLite.exe" [2006-07-27 19:12]
"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2005-10-26 15:17]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-17 15:49]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-08-17 15:58]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runonce]
"ICQ Lite"=C:\Program Files\ICQLite\ICQLite.exe -trayboot

R0 viasraid;viasraid;C:\WINDOWS\system32\DRIVERS\viasraid.sys
R3 PSched;Plánovač paketů technologie QoS;C:\WINDOWS\system32\DRIVERS\psched.sys
S3 actvcomm;actvcomm;C:\WINDOWS\system32\drivers\actvcomm.sys
S3 k510bus;Sony Ericsson K510 Driver driver (WDM);C:\WINDOWS\system32\DRIVERS\k510bus.sys
S3 k510mdfl;Sony Ericsson K510 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\k510mdfl.sys
S3 k510mdm;Sony Ericsson K510 USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\k510mdm.sys
S3 k510mgmt;Sony Ericsson K510 USB WMC Device Management Drivers (WDM);C:\WINDOWS\system32\DRIVERS\k510mgmt.sys
S3 k510obex;Sony Ericsson K510 USB WMC OBEX Interface;C:\WINDOWS\system32\DRIVERS\k510obex.sys
S3 siusbmod;siusbmod;C:\WINDOWS\system32\DRIVERS\siusbmod.sys
S3 USBSTOR;Ovladač velkokapacitního paměťového zařízení USB;C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5335b5d8-fc87-11db-a657-000d6110856c}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled\ctfmon.exe
\Shell\Open(0)\command - Recycled\ctfmon.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{86475c5a-fa21-11db-a651-000d6110856c}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled\ctfmon.exe
\Shell\Open(0)\command - Recycled\ctfmon.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{908a35f2-d294-11db-a615-000d6110856c}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled\ctfmon.exe
\Shell\Open(0)\command - Recycled\ctfmon.exe

.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-08 18:27:34
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\run]
"CHotkey"="mHotkey.exe"
.
Completion time: 2007-11-08 18:29:12 - machine was rebooted
.
--- E O F ---

[fredik]

Otestuj některý z těchto souboru (jedno jaký) na VirusTotall a dej sem výsledek:
C:\syszubi.exe
C:\systcgd.exe
C:\syspvsh.exe
C:\syshowq.exe
C:\sysdsbz.exe
C:\syswhwx.exe
C:\sysvduw.exe
C:\sysuyhc.exe
pokud by to nešel vyhledat, tak tam zkopíruj celou cestu bez vyhledání a nech ho otestovat.

[Lucka Kolísková]

1 0 bytes size received / Se ha recibido un archivo vacio
2 0 bytes size received / Se ha recibido un archivo vacio
3 0 bytes size received / Se ha recibido un archivo vacio
4 0 bytes size received / Se ha recibido un archivo vacio
5 Antivirus Verze Poslední aktualizace Výsledek
AhnLab-V3 2007.11.9.1 2007.11.09 -
AntiVir 7.6.0.34 2007.11.09 TR/Small.RV
Authentium 4.93.8 2007.11.09 -
Avast 4.7.1074.0 2007.11.08 Win32:Small-IAD
AVG 7.5.0.503 2007.11.09 Generic8.GSP
BitDefender 7.2 2007.11.09 Trojan.Small.NDL
CAT-QuickHeal 9.00 2007.11.09 Trojan.Small.rv
ClamAV 0.91.2 2007.11.09 Trojan.Small-4245
DrWeb 4.44.0.09170 2007.11.09 Trojan.DownLoader.35886
eSafe 7.0.15.0 2007.11.08 -
eTrust-Vet 31.2.5282 2007.11.09 Win32/Chepvil!generic
Ewido 4.0 2007.11.09 Trojan.Small.rv
FileAdvisor 1 2007.11.09 -
Fortinet 3.11.0.0 2007.10.19 W32/Small.RV!tr
F-Prot 4.4.2.54 2007.11.09 W32/Trojan2.AEV
F-Secure 6.70.13030.0 2007.11.09 Trojan.Win32.Small.rv
Ikarus T3.1.1.12 2007.11.09 Trojan-Downloader.Win32.Small.evh
Kaspersky 7.0.0.125 2007.11.09 Trojan.Win32.Small.rv
McAfee 5159 2007.11.08 Downloader-BFK
Microsoft 1.3007 2007.11.09 Trojan:Win32/Small
NOD32v2 2649 2007.11.09 a variant of Win32/TrojanDownloader.Nurech.NCD
Norman 5.80.02 2007.11.08 W32/Wow.BYE
Panda 9.0.0.4 2007.11.09 Trj/Downloader.MDW
Prevx1 V2 2007.11.09 -
Rising 20.17.41.00 2007.11.09 Trojan.Win32.Small.rv
Sophos 4.23.0 2007.11.09 Mal/Generic-A
Sunbelt 2.2.907.0 2007.11.09 Trojan.Win32.Small.rv
Symantec 10 2007.11.09 -
TheHacker 6.2.9.122 2007.11.09 Trojan/Small.rv
VBA32 3.12.2.4 2007.11.08 Trojan.Win32.Small.rv
VirusBuster 4.3.26:9 2007.11.08 -
Webwasher-Gateway 6.0.1 2007.11.09 Trojan.Small.RV
Rozšiřující informace
File size: 7395 bytes
MD5: a121762fabb7de603f5f3e52821dc4b9
SHA1: 041cfa115d96c7f084be5022661f1f41080b8245

6 Antivirus Verze Poslední aktualizace Výsledek
AhnLab-V3 2007.11.9.1 2007.11.09 -
AntiVir 7.6.0.34 2007.11.09 TR/Small.RV
Authentium 4.93.8 2007.11.09 -
Avast 4.7.1074.0 2007.11.08 Win32:Small-IAD
AVG 7.5.0.503 2007.11.09 Generic8.GSP
BitDefender 7.2 2007.11.09 Trojan.Small.NDL
CAT-QuickHeal 9.00 2007.11.09 Trojan.Small.rv
ClamAV 0.91.2 2007.11.09 Trojan.Small-4245
DrWeb 4.44.0.09170 2007.11.09 Trojan.DownLoader.35886
eSafe 7.0.15.0 2007.11.08 -
eTrust-Vet 31.2.5282 2007.11.09 Win32/Chepvil!generic
Ewido 4.0 2007.11.09 Trojan.Small.rv
FileAdvisor 1 2007.11.09 -
Fortinet 3.11.0.0 2007.10.19 W32/Small.RV!tr
F-Prot 4.4.2.54 2007.11.09 W32/Trojan2.AEV
F-Secure 6.70.13030.0 2007.11.09 Trojan.Win32.Small.rv
Ikarus T3.1.1.12 2007.11.09 Trojan-Downloader.Win32.Small.evh
Kaspersky 7.0.0.125 2007.11.09 Trojan.Win32.Small.rv
McAfee 5159 2007.11.08 Downloader-BFK
Microsoft 1.3007 2007.11.09 Trojan:Win32/Small
NOD32v2 2649 2007.11.09 a variant of Win32/TrojanDownloader.Nurech.NCD
Norman 5.80.02 2007.11.08 W32/Wow.BYE
Panda 9.0.0.4 2007.11.09 Trj/Downloader.MDW
Prevx1 V2 2007.11.09 -
Rising 20.17.41.00 2007.11.09 Trojan.Win32.Small.rv
Sophos 4.23.0 2007.11.09 Mal/Generic-A
Sunbelt 2.2.907.0 2007.11.09 Trojan.Win32.Small.rv
Symantec 10 2007.11.09 -
TheHacker 6.2.9.122 2007.11.09 Trojan/Small.rv
VBA32 3.12.2.4 2007.11.08 Trojan.Win32.Small.rv
VirusBuster 4.3.26:9 2007.11.08 -
Webwasher-Gateway 6.0.1 2007.11.09 Trojan.Small.RV
Rozšiřující informace
File size: 7395 bytes
MD5: a121762fabb7de603f5f3e52821dc4b9
SHA1: 041cfa115d96c7f084be5022661f1f41080b8245

7 Antivirus Verze Poslední aktualizace Výsledek
AhnLab-V3 2007.11.9.1 2007.11.09 -
AntiVir 7.6.0.34 2007.11.09 TR/Small.RV
Authentium 4.93.8 2007.11.09 -
Avast 4.7.1074.0 2007.11.08 Win32:Small-IAD
AVG 7.5.0.503 2007.11.09 Generic8.GSP
BitDefender 7.2 2007.11.09 Trojan.Small.NDL
CAT-QuickHeal 9.00 2007.11.09 Trojan.Small.rv
ClamAV 0.91.2 2007.11.09 Trojan.Small-4245
DrWeb 4.44.0.09170 2007.11.09 Trojan.DownLoader.35886
eSafe 7.0.15.0 2007.11.08 -
eTrust-Vet 31.2.5282 2007.11.09 Win32/Chepvil!generic
Ewido 4.0 2007.11.09 Trojan.Small.rv
FileAdvisor 1 2007.11.09 -
Fortinet 3.11.0.0 2007.10.19 W32/Small.RV!tr
F-Prot 4.4.2.54 2007.11.09 W32/Trojan2.AEV
F-Secure 6.70.13030.0 2007.11.09 Trojan.Win32.Small.rv
Ikarus T3.1.1.12 2007.11.09 Trojan-Downloader.Win32.Small.evh
Kaspersky 7.0.0.125 2007.11.09 Trojan.Win32.Small.rv
McAfee 5159 2007.11.08 Downloader-BFK
Microsoft 1.3007 2007.11.09 Trojan:Win32/Small
NOD32v2 2649 2007.11.09 a variant of Win32/TrojanDownloader.Nurech.NCD
Norman 5.80.02 2007.11.08 W32/Wow.BYE
Panda 9.0.0.4 2007.11.09 Trj/Downloader.MDW
Rising 20.17.41.00 2007.11.09 Trojan.Win32.Small.rv
Sophos 4.23.0 2007.11.09 Mal/Generic-A
Sunbelt 2.2.907.0 2007.11.09 Trojan.Win32.Small.rv
Symantec 10 2007.11.09 -
TheHacker 6.2.9.122 2007.11.09 Trojan/Small.rv
VBA32 3.12.2.4 2007.11.08 Trojan.Win32.Small.rv
VirusBuster 4.3.26:9 2007.11.08 -
Webwasher-Gateway 6.0.1 2007.11.09 Trojan.Small.RV
Rozšiřující informace
File size: 7395 bytes
MD5: a121762fabb7de603f5f3e52821dc4b9
SHA1: 041cfa115d96c7f084be5022661f1f41080b8245


8 Antivirus Verze Poslední aktualizace Výsledek
AhnLab-V3 2007.11.9.1 2007.11.09 -
AntiVir 7.6.0.34 2007.11.09 TR/Small.RV
Authentium 4.93.8 2007.11.09 -
Avast 4.7.1074.0 2007.11.08 Win32:Small-IAD
AVG 7.5.0.503 2007.11.09 Generic8.GSP
BitDefender 7.2 2007.11.09 Trojan.Small.NDL
CAT-QuickHeal 9.00 2007.11.09 Trojan.Small.rv
ClamAV 0.91.2 2007.11.09 Trojan.Small-4245
DrWeb 4.44.0.09170 2007.11.09 Trojan.DownLoader.35886
eSafe 7.0.15.0 2007.11.08 -
eTrust-Vet 31.2.5282 2007.11.09 Win32/Chepvil!generic
Ewido 4.0 2007.11.09 Trojan.Small.rv
FileAdvisor 1 2007.11.09 -
Fortinet 3.11.0.0 2007.10.19 W32/Small.RV!tr
F-Prot 4.4.2.54 2007.11.09 W32/Trojan2.AEV
F-Secure 6.70.13030.0 2007.11.09 Trojan.Win32.Small.rv
Ikarus T3.1.1.12 2007.11.09 Trojan-Downloader.Win32.Small.evh
Kaspersky 7.0.0.125 2007.11.09 Trojan.Win32.Small.rv
McAfee 5159 2007.11.08 Downloader-BFK
Microsoft 1.3007 2007.11.09 Trojan:Win32/Small
NOD32v2 2649 2007.11.09 a variant of Win32/TrojanDownloader.Nurech.NCD
Norman 5.80.02 2007.11.08 W32/Wow.BYE
Panda 9.0.0.4 2007.11.09 Trj/Downloader.MDW
Prevx1 V2 2007.11.09 -
Rising 20.17.41.00 2007.11.09 Trojan.Win32.Small.rv
Sophos 4.23.0 2007.11.09 Mal/Generic-A
Sunbelt 2.2.907.0 2007.11.09 Trojan.Win32.Small.rv
Symantec 10 2007.11.09 -
TheHacker 6.2.9.122 2007.11.09 Trojan/Small.rv
VBA32 3.12.2.4 2007.11.08 Trojan.Win32.Small.rv
VirusBuster 4.3.26:9 2007.11.08 -
Webwasher-Gateway 6.0.1 2007.11.09 Trojan.Small.RV
Rozšiřující informace
File size: 7395 bytes
MD5: a121762fabb7de603f5f3e52821dc4b9
SHA1: 041cfa115d96c7f084be5022661f1f41080b8245

[fredik]

Otevři si Poznámkový blok (Start -> Spustit... a napiš do okna Notepad a dej Ok)
Zkopíruj do něj následující text označený zeleně:

Kód: Vybrat vše

File::
C:\syszubi.exe
C:\systcgd.exe
C:\syspvsh.exe
C:\syshowq.exe
C:\sysdsbz.exe
C:\syswhwx.exe
C:\sysvduw.exe
C:\sysuyhc.exe

Folder::
C:\Recycled
D:\Recycled

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5335b5d8-fc87-11db-a657-000d6110856c}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{86475c5a-fa21-11db-a651-000d6110856c}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{908a35f2-d294-11db-a615-000d6110856c}]

Zvol možnost Uložit soubor jako, pojmenuj soubor CFScript.txt a zvol Uložit jako typ: Všechny soubory.
Ulož soubor na plochu.
Ukonči všechna aktivní okna.

Uchop myší vytvořený skript CFScript.txt, přemísti ho nad stažený program ComboFix.exe a když se oba soubory překryjí, skript upusť

- Automaticky se spustí ComboFix
- Vlož sem log, který vyběhne v závěru čistícího procesu

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

Stáhni tento program: Flash Disinfector (by sUBs) a spusť ho.

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

Dej sem pak také nový log z HJT.

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

V následujícím příspěvku sem vlož tyto logy/výsledky:
- log z Combofix po použití skryptu
- nový log z HijackThis

[Lucka Kolísková]

Ahoj zasílám ....... Děkuji ......

log z combofixu po scriptu:

ComboFix 07-11-08.1 - Admin 2007-11-10 14:47:06.2 - NTFSx86
Systém Microsoft Windows XP Professional 5.1.2600.2.1250.1.1029.18.55 [GMT 1:00]
Running from: C:\Documents and Settings\Admin\Plocha\ComboFix.exe
Command switches used :: C:\Documents and Settings\Admin\Plocha\CFScript.txt
* Created a new restore point

FILE
C:\sysdsbz.exe
C:\syshowq.exe
C:\syspvsh.exe
C:\systcgd.exe
C:\sysuyhc.exe
C:\sysvduw.exe
C:\syswhwx.exe
C:\syszubi.exe
.

Unable to gain System Privileges

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Recycled
C:\Recycled\desktop.ini
C:\Recycled\INFO2
C:\sysdsbz.exe
C:\syshowq.exe
C:\syspvsh.exe
C:\systcgd.exe
C:\sysuyhc.exe
C:\sysvduw.exe
C:\syswhwx.exe
C:\syszubi.exe
D:\Recycled
D:\Recycled\ctfmon.exe
D:\Recycled\desktop.ini
D:\Recycled\INFO2

.
((((((((((((((((((((((((( Files Created from 2007-10-10 to 2007-11-10 )))))))))))))))))))))))))))))))
.

2007-11-09 21:06 929,155 --a------ C:\WINDOWS\CLAASAVE.EXE
2007-11-09 21:06 49,952 --a------ C:\WINDOWS\CLAAS.SCR
2007-11-08 18:22 51,200 --a------ C:\WINDOWS\NirCmd.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-09 17:47 --------- d-----w C:\Program Files\ICQToolbar
2007-11-03 11:08 --------- d-----w C:\Program Files\SimTractor 3.5
2007-10-07 18:52 --------- d-----w C:\Program Files\Mystical Mahjong
2007-09-08 19:03 215,620 ----a-w C:\WINDOWS\MP3Producer Uninstaller.exe
2007-08-17 13:16 55,808 ----a-w C:\WINDOWS\ALCFDRTM.EXE
2007-05-09 07:36 4,660,814 ----a-w C:\Program Files\Krtecek_1_9b7.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2003-03-27 09:34 C:\WINDOWS\SOUNDMAN.EXE]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-10-28 21:10]
"nod32kui"="d:\Program Files\Eset\nod32kui.exe" [2007-03-13 22:19]
"DAEMON Tools"="d:\Program Files\DAEMON Tools\daemon.exe" [2006-11-12 11:48]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50]
"CHotkey"="mHotkey.exe" [2002-10-09 11:56 C:\WINDOWS\mHotkey.exe]
"ICQ Lite"="C:\Program Files\ICQLite\ICQLite.exe" [2006-07-27 19:12]
"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2005-10-26 15:17]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-17 15:49]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-08-17 15:58]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runonce]
"ICQ Lite"=C:\Program Files\ICQLite\ICQLite.exe -trayboot

R0 viasraid;viasraid;C:\WINDOWS\system32\DRIVERS\viasraid.sys
R3 PSched;Plánovač paketů technologie QoS;C:\WINDOWS\system32\DRIVERS\psched.sys
S3 actvcomm;actvcomm;C:\WINDOWS\system32\drivers\actvcomm.sys
S3 k510bus;Sony Ericsson K510 Driver driver (WDM);C:\WINDOWS\system32\DRIVERS\k510bus.sys
S3 k510mdfl;Sony Ericsson K510 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\k510mdfl.sys
S3 k510mdm;Sony Ericsson K510 USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\k510mdm.sys
S3 k510mgmt;Sony Ericsson K510 USB WMC Device Management Drivers (WDM);C:\WINDOWS\system32\DRIVERS\k510mgmt.sys
S3 k510obex;Sony Ericsson K510 USB WMC OBEX Interface;C:\WINDOWS\system32\DRIVERS\k510obex.sys
S3 siusbmod;siusbmod;C:\WINDOWS\system32\DRIVERS\siusbmod.sys
S3 USBSTOR;Ovladač velkokapacitního paměťového zařízení USB;C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS

.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-10 14:56:12
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\run]
"CHotkey"="mHotkey.exe"
.
Completion time: 2007-11-10 14:57:41 - machine was rebooted
C:\ComboFix2.txt ... 2007-11-08 18:29
.
--- E O F ---


nový log z Hijacku:

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 15:03:46, on 10.11.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
d:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\UAService7.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
D:\Program Files\Eset\nod32kui.exe
D:\Program Files\DAEMON Tools\daemon.exe
C:\WINDOWS\mHotkey.exe
C:\Program Files\ICQLite\ICQLite.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
D:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Admin\Plocha\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.seznam.cz/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
O2 - BHO: XTTBPos00 - {055FD26D-3A88-4e15-963D-DC8493744B1D} - C:\Program Files\ICQToolbar\toolbaru.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [nod32kui] "d:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [DAEMON Tools] "d:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [ICQ Lite] "C:\Program Files\ICQLite\ICQLite.exe" -minimize
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -trayboot
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = D:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: RAID Tool.lnk = C:\Program Files\VIA\RAID\raid_tool.exe
O8 - Extra context menu item: E&xportovat do aplikace Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: E&xportovat do aplikace Microsoft Office Excel - res://D:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Zdroje informací - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/s ... wflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5BAFBA6D-5878-4ADB-A111-3E4CD2297F9F}: NameServer = 62.240.161.226,213.192.21.70
O17 - HKLM\System\CS1\Services\Tcpip\..\{5BAFBA6D-5878-4ADB-A111-3E4CD2297F9F}: NameServer = 62.240.161.226,213.192.21.70
O17 - HKLM\System\CS2\Services\Tcpip\..\{5BAFBA6D-5878-4ADB-A111-3E4CD2297F9F}: NameServer = 62.240.161.226,213.192.21.70
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Proces mezipaměti kategorií součástí - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - d:\Program Files\Eset\nod32krn.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\system32\UAService7.exe

--
End of file - 5893 bytes



Děkuji moc....S pozdravem Lucie

[fredik]

Otestuj ještě na VirusTotal tento soubor a dej sem výsledek:
C:\WINDOWS\CLAASAVE.EXE

[Lucka Kolísková]

zasílám soubor otestovaný totallem:

Antivirus Verze Poslední aktualizace Výsledek
AhnLab-V3 2007.11.10.0 2007.11.09 -
AntiVir 7.6.0.34 2007.11.09 -
Authentium 4.93.8 2007.11.10 -
Avast 4.7.1074.0 2007.11.10 -
AVG 7.5.0.503 2007.11.10 -
BitDefender 7.2 2007.11.10 -
CAT-QuickHeal 9.00 2007.11.10 -
ClamAV 0.91.2 2007.11.10 -
DrWeb 4.44.0.09170 2007.11.10 -
eSafe 7.0.15.0 2007.11.08 -
eTrust-Vet 31.2.5284 2007.11.09 -
Ewido 4.0 2007.11.10 -
FileAdvisor 1 2007.11.10 -
Fortinet 3.11.0.0 2007.10.19 -
F-Prot 4.4.2.54 2007.11.09 -
F-Secure 6.70.13030.0 2007.11.10 -
Ikarus T3.1.1.12 2007.11.10 -
Kaspersky 7.0.0.125 2007.11.10 -
McAfee 5160 2007.11.09 -
Microsoft 1.3007 2007.11.10 -
NOD32v2 2651 2007.11.10 -
Norman 5.80.02 2007.11.09 -
Panda 9.0.0.4 2007.11.10 -
Prevx1 V2 2007.11.10 -
Rising 20.17.52.00 2007.11.10 -
Sophos 4.23.0 2007.11.10 -
Sunbelt 2.2.907.0 2007.11.09 -
Symantec 10 2007.11.10 -
TheHacker 6.2.9.123 2007.11.10 -
VBA32 3.12.2.4 2007.11.08 -
VirusBuster 4.3.26:9 2007.11.10 -
Webwasher-Gateway 6.0.1 2007.11.10 -
Rozšiřující informace
File size: 929155 bytes
MD5: 414b974d15f336f233f52829135b6bfb
SHA1: 13dd8fa4be4c2284c57bcec7ce7ba98e80dc2a6a
packers: OptLink

Děkuji mnohokrát..........S pozdravem Lucie

[fredik]

Jdi přes Start -> Spustit... a napiš do okna tento příkaz označený modře ComboFix /u (mezi comobofix a /u musí být mezera) a dej Ok.

Pro lepší zabezpečení by bylo dobré si doinstalovat firewall, můžeš si vybrat některý zde uvedený nebo některý jiný z odkazu: Přehled osobních firewallů
Firewally zdarma:
Comodo - kvalitní, pokročilý, s mnoha funkcemi, originálně v angličtině, čeština by měla být asi až od verze 3 která by se měl objevit v brzké době
Kerio - přehledný, větší možnosti nastavení, náročnější na systémové prostředky, v češtině
ZoneAlarm - jednoduchý, kompatibilní, nenáročný na systémové prostředky, málo možností nastavení, v angličtině

Logy vypadají dobře, máš ještě problémy?

[Lucka Kolísková]

Děkuji moc za pomoc

[fredik]

Nemáš za co