PC-HELP.CZ

České diskuzní fórum o počítačích
https://pc-help.cnews.cz/

davidsojka: problém s trojanem

https://pc-help.cnews.cz/viewtopic.php?f=47&t=20418

Stránka 1 z 3

davidsojka: problém s trojanem

Napsal: 12 lis 2007 22:18
od davidsojka
Dobry den, prosim mam prozdu jestli mi pomuzete. Bohuzel jsem chytil taky toho trojana viz diskuze http://www.pc-help.cz/viewtopic.php?t=20216 . Zkousel jsem ho odstranit podle Vaseho navodu, ale nepodarilo se. zrejmne mi neco uniklo a vubec nevim co mam delat, prosim pomuzete mi? Dekuji david sojka

Napsal: 12 lis 2007 23:05
od fredik
Vítej na fóru

Vlož sem log z HijackThis

PS: příště si založ prosím tě vlastní téma, i kdyby se jednalo o stejný problém. Dík.

Napsal: 13 lis 2007 10:28
od nafik
mohl by ti pomoci i tenhle programek umi to dokonale vycistit .... http://www.pegasoft.cz/cz/Trojan-Remover-6.6.4.2499/ :idea:

Napsal: 13 lis 2007 20:42
od davidsojka
Omluvam se a dekuji za snahu mi pomoci, dekuji

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:40:48, on 13.11.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Hry\Medal of Honor Airborne\UnrealEngine3\MOHAGame\pb\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Down(1).exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Orbitdownloader\orbitdm.exe
C:\Program Files\IChat\iChat.exe
C:\Program Files\Orbitdownloader\orbitnet.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\David Sojka\Plocha\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mojebanka.cz/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.seznam.cz/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\onystadi.dll
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKLM\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [SNM] C:\Program Files\SpyNoMore\SNM.exe /startup
O4 - HKLM\..\Run: [5c9006a0] rundll32.exe "C:\WINDOWS\system32\kgogfyau.dll",b
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [EPSON Stylus DX7400 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICDE.EXE /FU "C:\WINDOWS\TEMP\E_S109.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Intranet Chat.lnk = C:\Program Files\IChat\iChat.exe
O4 - Global Startup: Orbit.lnk = C:\Program Files\Orbitdownloader\orbitdm.exe
O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: Download all links using BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Download all videos using BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: Download link using &BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: E&xportovat do aplikace Microsoft Office Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Zdroje informací - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {861FDA2A-2B57-4BDA-8B8B-305C9D5D8604} (_Multimedia Player) - http://stream.pussyharem.com/stream/mmp2.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2DA0545B-2FC5-452D-934D-3F0579A48124}: NameServer = 213.194.204.126,192.168.128.1
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: PunkBuster (PnkBstrA) - Unknown owner - C:\Hry\Medal of Honor Airborne\UnrealEngine3\MOHAGame\pb\PnkBstrA.exe
O23 - Service: Windows Accounts Driver (WindowsRemote) - Unknown owner - C:\WINDOWS\system32\Down(1).exe

--
End of file - 8876 bytes

Napsal: 13 lis 2007 21:54
od fredik
Stáhni si ComboFix (by sUBs) a ulož si ho na plochu.
Ukonči všechna aktivní okna a spusť ho.
- Po spuštění se zobrazí podmínky užití, potvrď je stiskem klávesy 1
- Dále postupuj dle pokynů, během aplikování ComboFixu neklikej do zobrazujícího se okna
- Po dokončení skenování by měl program vytvořit log - C:\ComboFix.txt - zkopíruj sem prosím celý jeho obsah

Napsal: 14 lis 2007 11:11
od davidsojka
Momentalne jsem v práci a u domácího PC budu az kolem 18h. dekuji za zajem, log napisi az po 18h. dekuji

Napsal: 14 lis 2007 18:01
od davidsojka
ComboFix 07-11-08.3 - David Sojka 2007-11-14 17:55:14.4 - NTFSx86
Systém Microsoft Windows XP Professional 5.1.2600.2.1250.1.1029.18.578 [GMT 1:00]
Running from: C:\Documents and Settings\David Sojka\Plocha\ComboFix.exe
.

Unable to gain System Privileges

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Nabídka Start\Live Safety Center.lnk
C:\Documents and Settings\All Users\Nabídka Start\Online Security Guide.lnk
C:\Documents and Settings\David Sojka\Oblíbené položky\Online Security Guide.lnk
C:\Documents and Settings\David Sojka\Plocha\Live Safety Center.lnk
C:\Documents and Settings\David Sojka\Plocha\Online Security Guide.lnk
C:\WINDOWS\system32\awtst.dll
C:\WINDOWS\system32\onystadi.dllbox
C:\WINDOWS\system32\tstwa.ini
C:\WINDOWS\system32\tstwa.ini2

.
((((((((((((((((((((((((( Files Created from 2007-10-14 to 2007-11-14 )))))))))))))))))))))))))))))))
.

2007-11-13 19:27 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-11-12 22:34 3,282 --a------ C:\WINDOWS\system32\tmp.reg
2007-11-12 21:49 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-12 21:36 <DIR> d-------- C:\WINDOWS\ERUNT
2007-11-12 21:21 89,664 --a------ C:\WINDOWS\system32\kgogfyau.dll
2007-11-12 21:18 81,472 --a------ C:\WINDOWS\system32\qmkdlmst.dll
2007-11-12 21:12 71,232 --a------ C:\WINDOWS\system32\gfkympml.exe
2007-11-11 17:42 79,936 --a------ C:\WINDOWS\system32\phpdmtqe.dll
2007-11-11 17:40 71,232 --a------ C:\WINDOWS\system32\axvpfjut.exe
2007-11-11 16:15 79,936 --a------ C:\WINDOWS\system32\krumxqwa.dll
2007-11-11 16:07 71,232 --a------ C:\WINDOWS\system32\ndbptevm.exe
2007-11-10 07:47 81,472 --a------ C:\WINDOWS\system32\iooudepe.dll
2007-11-10 07:42 71,232 --a------ C:\WINDOWS\system32\jtvupcqm.exe
2007-11-08 21:46 80,448 --a------ C:\WINDOWS\system32\mmlptxmm.dll
2007-11-08 21:46 71,232 --a------ C:\WINDOWS\system32\meymjpby.exe
2007-11-07 21:56 86,080 --a------ C:\WINDOWS\system32\cntmfpfe.dll
2007-11-07 21:53 79,936 --a------ C:\WINDOWS\system32\oswwnyyn.dll
2007-11-07 21:52 1,152 --a------ C:\WINDOWS\system32\windrv.sys
2007-11-07 21:47 71,232 --a------ C:\WINDOWS\system32\yvxvbfpj.exe
2007-11-06 21:14 <DIR> d-------- C:\Program Files\Lavasoft
2007-11-06 20:20 89,088 --a------ C:\WINDOWS\system32\atl71.dll
2007-11-06 20:20 24,064 --a------ C:\WINDOWS\system32\msxml3a.dll
2007-11-06 17:20 81,472 --a------ C:\WINDOWS\system32\wbflnily.dll
2007-11-06 17:20 71,232 --a------ C:\WINDOWS\system32\hjnghmqh.exe
2007-11-06 17:18 145,984 --a------ C:\WINDOWS\system32\onystadi.dll
2007-11-06 17:18 145,984 --a------ C:\WINDOWS\system32\ahrwpbnp.dll
2007-11-04 18:22 <DIR> d-------- C:\Program Files\Lighthouse Interactive
2007-11-04 07:55 32,256 --a------ C:\WINDOWS\system32\byxwwvt.dll
2007-10-31 19:34 <DIR> d-------- C:\Program Files\ABBYY FineReader 6.0 Sprint
2007-10-31 19:30 76,800 --a------ C:\WINDOWS\system32\E_FLBCDE.DLL
2007-10-31 19:30 62,976 --a------ C:\WINDOWS\system32\E_FD4BCDE.DLL
2007-10-31 19:30 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2007-10-31 19:30 25,856 --a--c--- C:\WINDOWS\system32\dllcache\usbprint.sys
2007-10-31 19:28 <DIR> d-------- C:\Program Files\epson
2007-10-31 19:28 67,072 --a------ C:\WINDOWS\system32\escwiad.dll
2007-10-27 19:57 3,727,720 --a------ C:\WINDOWS\system32\d3dx9_35.dll
2007-10-27 19:57 1,358,192 --a------ C:\WINDOWS\system32\D3DCompiler_35.dll
2007-10-27 19:57 444,776 --a------ C:\WINDOWS\system32\d3dx10_35.dll
2007-10-14 17:12 30,812 --a------ C:\WINDOWS\system32\temp_13.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-14 16:56 --------- d-----w C:\Program Files\ICQToolbar
2007-11-14 16:53 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-11-04 17:14 --------- d-----w C:\Program Files\Winamp
2007-11-04 06:59 --------- d-----w C:\Program Files\Common Files\Nero
2007-11-04 06:57 --------- d-----w C:\Program Files\Nero
2007-11-04 06:51 --------- d-----w C:\Program Files\Ahead
2007-11-03 14:20 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-01 05:09 --------- d-----w C:\Program Files\Orbitdownloader
2007-10-27 18:55 --------- d-----w C:\Program Files\Electronic Arts
2007-10-18 18:13 --------- d-----w C:\Program Files\Java
2007-10-14 06:42 --------- d-----w C:\Program Files\betway
2007-10-10 18:14 --------- d-----w C:\Program Files\Disc2Phone
2007-10-10 17:51 --------- d-----w C:\Program Files\Common Files\Teleca Shared
2007-10-10 17:51 --------- d-----w C:\Program Files\Common Files\Sony Ericsson Shared
2007-10-10 17:50 --------- d-----w C:\Program Files\Sony Ericsson
2007-09-24 08:05 132,904 ----a-w C:\WINDOWS\system32\drivers\imagesrv.sys
2007-09-24 08:05 11,304 ----a-w C:\WINDOWS\system32\drivers\imagedrv.sys
2007-09-21 19:15 19,323 ----a-w C:\WINDOWS\system32\Down(1).exe
2007-09-20 08:59 972,072 ----a-w C:\WINDOWS\UNRecode.exe
2007-09-20 08:55 972,072 ----a-w C:\WINDOWS\UNNeroMediaHome.exe
2007-09-20 08:55 95,600 ----a-w C:\WINDOWS\system32\NeroCo.dll
2007-09-06 10:09 801,144 ----a-w C:\WINDOWS\system32\aswBoot.exe
2007-09-06 10:00 95,608 ----a-w C:\WINDOWS\system32\AVASTSS.scr
2007-08-21 19:12 3,009 ----a-w C:\naver.vbs
.

((((((((((((((((((((((((((((( snapshot@2007-11-12_21.56.00.18 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-11-14 16:59:14 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_64c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1F5F0160-20D8-4C4F-AF4C-02AD925015CD}]
2007-11-04 07:55 32256 --a------ C:\WINDOWS\system32\byxwwvt.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
2007-11-06 17:18 145984 --a------ C:\WINDOWS\system32\onystadi.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{d527892b-6c89-4a71-be85-dd73c9007217}]
2007-11-12 21:18 81472 --a------ C:\WINDOWS\system32\qmkdlmst.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{11A69AE4-FBED-4832-A2BF-45AF82825583}"= C:\WINDOWS\system32\onystadi.dll [2007-11-06 17:18 145984]

[HKEY_CLASSES_ROOT\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVMixerTray"="C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe" [2004-12-20 16:12]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-09-06 11:06]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 18:51]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 11:35]
"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-03-20 16:34]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 05:24]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-08-15 19:15]
"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2006-11-24 00:06]
"NeroFilterCheck"="C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 15:57]
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2007-09-20 09:51]
"SNM"="C:\Program Files\SpyNoMore\SNM.exe" []
"5c9006a0"="C:\WINDOWS\system32\kgogfyau.dll" [2007-11-12 21:21]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-17 14:49]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" []
"EPSON Stylus DX7400 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICDE.exe" [2007-04-12 07:00]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{1F5F0160-20D8-4C4F-AF4C-02AD925015CD}"= C:\WINDOWS\system32\byxwwvt.dll [2007-11-04 07:55 32256]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\byxwwvt]
byxwwvt.dll 2007-11-04 07:55 32256 C:\WINDOWS\system32\byxwwvt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\onystadi]
onystadi.dll 2007-11-06 17:18 145984 C:\WINDOWS\system32\onystadi.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\awtst.dll

R2 Nero BackItUp Scheduler 3;Nero BackItUp Scheduler 3;C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
R2 WindowsRemote;Windows Accounts Driver;C:\WINDOWS\system32\Down(1).exe
R3 PSched;Plánovač paketů technologie QoS;C:\WINDOWS\system32\DRIVERS\psched.sys
S3 SE2Bbus;Sony Ericsson Device 043 Driver driver (WDM);C:\WINDOWS\system32\DRIVERS\SE2Bbus.sys
S3 SE2Bmdfl;Sony Ericsson Device 043 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\SE2Bmdfl.sys
S3 SE2Bmdm;Sony Ericsson Device 043 USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\SE2Bmdm.sys
S3 SE2Bmgmt;Sony Ericsson Device 043 USB WMC Device Management Drivers (WDM);C:\WINDOWS\system32\DRIVERS\SE2Bmgmt.sys
S3 se2Bnd5;Sony Ericsson Device 043 USB Ethernet Emulation SEMC43 (NDIS);C:\WINDOWS\system32\DRIVERS\se2Bnd5.sys
S3 SE2Bobex;Sony Ericsson Device 043 USB WMC OBEX Interface;C:\WINDOWS\system32\DRIVERS\SE2Bobex.sys
S3 se2Bunic;Sony Ericsson Device 043 USB Ethernet Emulation SEMC43 (WDM);C:\WINDOWS\system32\DRIVERS\se2Bunic.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-08-22 10:51:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-14 18:00:01
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-14 18:00:54 - machine was rebooted
C:\ComboFix2.txt ... 2007-11-12 22:05
C:\ComboFix3.txt ... 2007-11-12 21:56
.
--- E O F ---

Napsal: 14 lis 2007 20:25
od fredik
Otevři si Poznámkový blok (Start -> Spustit... a napiš do okna Notepad a dej Ok)
Zkopíruj do něj následující text označený zeleně:

Kód: Vybrat vše

Driver::
WindowsRemote

File::
C:\WINDOWS\system32\onystadi.dll
C:\WINDOWS\system32\byxwwvt.dll
C:\WINDOWS\system32\qmkdlmst.dll
C:\WINDOWS\system32\kgogfyau.dll
C:\WINDOWS\system32\kgogfyau.dll
C:\WINDOWS\system32\gfkympml.exe
C:\WINDOWS\system32\phpdmtqe.dll
C:\WINDOWS\system32\axvpfjut.exe
C:\WINDOWS\system32\krumxqwa.dll
C:\WINDOWS\system32\ndbptevm.exe
C:\WINDOWS\system32\iooudepe.dll
C:\WINDOWS\system32\jtvupcqm.exe
C:\WINDOWS\system32\mmlptxmm.dll
C:\WINDOWS\system32\meymjpby.exe
C:\WINDOWS\system32\cntmfpfe.dll
C:\WINDOWS\system32\oswwnyyn.dll
C:\WINDOWS\system32\yvxvbfpj.exe
C:\WINDOWS\system32\wbflnily.dll
C:\WINDOWS\system32\hjnghmqh.exe
C:\WINDOWS\system32\ahrwpbnp.dll
C:\WINDOWS\system32\Down(1).exe

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1F5F0160-20D8-4C4F-AF4C-02AD925015CD}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{d527892b-6c89-4a71-be85-dd73c9007217}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{11A69AE4-FBED-4832-A2BF-45AF82825583}"=-
[-HKEY_CLASSES_ROOT\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"5c9006a0"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{1F5F0160-20D8-4C4F-AF4C-02AD925015CD}"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\byxwwvt]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\onystadi]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00

Zvol možnost Uložit soubor jako, pojmenuj soubor CFScript.txt a zvol Uložit jako typ: Všechny soubory.
Ulož soubor na plochu.
Ukonči všechna aktivní okna.

Uchop myší vytvořený skript CFScript.txt, přemísti ho nad stažený program ComboFix.exe a když se oba soubory překryjí, skript upusť
Obrázek
- Automaticky se spustí ComboFix
- Vlož sem log, který vyběhne v závěru čistícího procesu

Dej sem po tom taky nový log z HJT

PS:
ještě jsem zapomněl, otestuj tento soubor na VirusTotall a vlož sem výsledek
C:\WINDOWS\system32\temp_13.exe

Napsal: 14 lis 2007 21:01
od davidsojka
Soubor temp_13.exe přijatý 2007.11.14 20:50:42 (CET)
Současný stav: Čekejte ... Ve frontě Čekání Testování Dokončeno NENALEZENO ZASTAVENO
Výsledek: 25/32 (78.13%)
Načítám informace ze serveru...
Váš soubor čeká ve frontě na pozici: 3.
Odhadovaný čas začátku mezi 44 a 63 sekundami.
Nezavírejte toto okno dokud nebude test dokončen.
Právě testující program byl je zastaven, probíhá čekání na program.
Za chvíli bude proveden další pokus o otestování souboru.
Pokud budete čekat déle než-li pět minut odešlete Váš soubor znovu.
Váš soubor je nyní testován pomocí VirusTotal,
výsledky budou zobrazeny po dokončení.
Formátované Formátované
Vytisknout výsledky Vytisknout výsledky
Váš soubor není platný, nebo neexistuje.
Služba je pozastavena v tuto chvíli, váš soubor čeká na otestování (pozice: ) po nespecifikovanou dobu.

Nyní čekejte na odezvu webu (automatické obnovení), nebo napište email do pole a klikněte na "vyžádat" a systém Vám zašle email s výsledky až bude test hotov.
Email:

Antivirus Verze Poslední aktualizace Výsledek
AhnLab-V3 2007.11.15.0 2007.11.14 Win-Trojan/Agent.65584
AntiVir 7.6.0.34 2007.11.14 TR/Delphi.Downloader.Gen
Authentium 4.93.8 2007.11.14 Possibly a new variant of W32/Downloader-Web-based!Maximus
Avast 4.7.1074.0 2007.11.13 Win32:AutoRun-FI
AVG 7.5.0.503 2007.11.14 Downloader.Agent.TRH
BitDefender 7.2 2007.11.14 Generic.Malware.SP!dldPk!g.EE38B44B
CAT-QuickHeal 9.00 2007.11.14 -
ClamAV 0.91.2 2007.11.14 Trojan.Delf-818
DrWeb 4.44.0.09170 2007.11.14 Win32.HLLW.Autoruner.303
eSafe 7.0.15.0 2007.11.14 suspicious Trojan/Worm
eTrust-Vet 31.2.5294 2007.11.14 Win32/Mocmex!generic
Ewido 4.0 2007.11.14 Heuristic.Win32.AVKiller
FileAdvisor 1 2007.11.14 -
Fortinet 3.11.0.0 2007.10.19 -
F-Prot 4.4.2.54 2007.11.14 W32/Downloader-Web-based!Maximus
F-Secure 6.70.13030.0 2007.11.14 Trojan-Downloader.Win32.Agent.dpi
Ikarus T3.1.1.12 2007.11.14 Worm.Win32.Delf.ce
Kaspersky 7.0.0.125 2007.11.14 Trojan-Downloader.Win32.Agent.dpi
McAfee 5163 2007.11.14 -
Microsoft 1.3007 2007.11.12 Worm:Win32/Emerleox.gen!A
NOD32v2 2658 2007.11.14 a variant of Win32/Delf.NDF
Norman 5.80.02 2007.11.14 -
Panda 9.0.0.4 2007.11.14 Trj/Maran.CG
Prevx1 V2 2007.11.14 Heuristic: Suspicious File With Covert Attributes
Rising 20.18.20.00 2007.11.14 Worm.Win32.AVKiller.e
Sophos 4.23.0 2007.11.14 W32/SillyFDC-AS
Sunbelt 2.2.907.0 2007.11.14 -
Symantec 10 2007.11.14 W32.SillyFDC
TheHacker 6.2.9.128 2007.11.14 -
VBA32 3.12.2.4 2007.11.11 Trojan-Downloader.Win32.Agent.dpi
VirusBuster 4.3.26:9 2007.11.14 Trojan.DL.Agent.WPC
Webwasher-Gateway 6.0.1 2007.11.14 Trojan.Delphi.Downloader.Gen
Rozšiřující informace
File size: 30812 bytes
MD5: 3358cf2b4352458a6a53eec372b47481
SHA1: 6e9a82705d09d5f87a58533efa33882fdaa13ce9
packers: UPX
packers: UPX
packers: UPX
packers: UPX
Prevx info: http://fileinfo.prevx.com/fileinfo.asp? ... 00ACA08041

Napsal: 14 lis 2007 21:01
od davidsojka
ComboFix 07-11-08.3 - David Sojka 2007-11-14 20:37:32.5 - NTFSx86
Systém Microsoft Windows XP Professional 5.1.2600.2.1250.1.1029.18.454 [GMT 1:00]
Running from: C:\Documents and Settings\David Sojka\Plocha\ComboFix.exe
Command switches used :: C:\Documents and Settings\David Sojka\Plocha\CFScript.txt
* Created a new restore point

FILE
C:\WINDOWS\system32\ahrwpbnp.dll
C:\WINDOWS\system32\axvpfjut.exe
C:\WINDOWS\system32\byxwwvt.dll
C:\WINDOWS\system32\cntmfpfe.dll
C:\WINDOWS\system32\Down(1).exe
C:\WINDOWS\system32\gfkympml.exe
C:\WINDOWS\system32\hjnghmqh.exe
C:\WINDOWS\system32\iooudepe.dll
C:\WINDOWS\system32\jtvupcqm.exe
C:\WINDOWS\system32\kgogfyau.dll
C:\WINDOWS\system32\krumxqwa.dll
C:\WINDOWS\system32\meymjpby.exe
C:\WINDOWS\system32\mmlptxmm.dll
C:\WINDOWS\system32\ndbptevm.exe
C:\WINDOWS\system32\onystadi.dll
C:\WINDOWS\system32\oswwnyyn.dll
C:\WINDOWS\system32\phpdmtqe.dll
C:\WINDOWS\system32\qmkdlmst.dll
C:\WINDOWS\system32\wbflnily.dll
C:\WINDOWS\system32\yvxvbfpj.exe
.

Unable to gain System Privileges

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Nabídka Start\Live Safety Center.lnk
C:\Documents and Settings\All Users\Nabídka Start\Online Security Guide.lnk
C:\Documents and Settings\David Sojka\Oblíbené položky\Online Security Guide.lnk
C:\Documents and Settings\David Sojka\Plocha\Live Safety Center.lnk
C:\Documents and Settings\David Sojka\Plocha\Online Security Guide.lnk
C:\WINDOWS\system32\ahrwpbnp.dll
C:\WINDOWS\system32\axvpfjut.exe
C:\WINDOWS\system32\byxwwvt.dll
C:\WINDOWS\system32\cntmfpfe.dll
C:\WINDOWS\system32\Down(1).exe
C:\WINDOWS\system32\ffhkj.ini
C:\WINDOWS\system32\ffhkj.ini2
C:\WINDOWS\system32\gfkympml.exe
C:\WINDOWS\system32\hjnghmqh.exe
C:\WINDOWS\system32\iooudepe.dll
C:\WINDOWS\system32\jkhff.dll
C:\WINDOWS\system32\jtvupcqm.exe
C:\WINDOWS\system32\kgogfyau.dll
C:\WINDOWS\system32\krumxqwa.dll
C:\WINDOWS\system32\meymjpby.exe
C:\WINDOWS\system32\mmlptxmm.dll
C:\WINDOWS\system32\ndbptevm.exe
C:\WINDOWS\system32\onystadi.dll
C:\WINDOWS\system32\onystadi.dllbox
C:\WINDOWS\system32\oswwnyyn.dll
C:\WINDOWS\system32\phpdmtqe.dll
C:\WINDOWS\system32\qmkdlmst.dll
C:\WINDOWS\system32\wbflnily.dll
C:\WINDOWS\system32\yvxvbfpj.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_WINDOWSREMOTE
-------\WindowsRemote


((((((((((((((((((((((((( Files Created from 2007-10-14 to 2007-11-14 )))))))))))))))))))))))))))))))
.

2007-11-13 19:27 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-11-12 22:34 3,282 --a------ C:\WINDOWS\system32\tmp.reg
2007-11-12 21:49 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-12 21:36 <DIR> d-------- C:\WINDOWS\ERUNT
2007-11-07 21:52 1,152 --a------ C:\WINDOWS\system32\windrv.sys
2007-11-06 21:14 <DIR> d-------- C:\Program Files\Lavasoft
2007-11-06 20:20 89,088 --a------ C:\WINDOWS\system32\atl71.dll
2007-11-06 20:20 24,064 --a------ C:\WINDOWS\system32\msxml3a.dll
2007-11-06 17:18 145,984 --------- C:\WINDOWS\system32\onystadi.dll
2007-11-04 18:22 <DIR> d-------- C:\Program Files\Lighthouse Interactive
2007-10-31 19:34 <DIR> d-------- C:\Program Files\ABBYY FineReader 6.0 Sprint
2007-10-31 19:30 76,800 --a------ C:\WINDOWS\system32\E_FLBCDE.DLL
2007-10-31 19:30 62,976 --a------ C:\WINDOWS\system32\E_FD4BCDE.DLL
2007-10-31 19:30 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2007-10-31 19:30 25,856 --a--c--- C:\WINDOWS\system32\dllcache\usbprint.sys
2007-10-31 19:28 <DIR> d-------- C:\Program Files\epson
2007-10-31 19:28 67,072 --a------ C:\WINDOWS\system32\escwiad.dll
2007-10-27 19:57 3,727,720 --a------ C:\WINDOWS\system32\d3dx9_35.dll
2007-10-27 19:57 1,358,192 --a------ C:\WINDOWS\system32\D3DCompiler_35.dll
2007-10-27 19:57 444,776 --a------ C:\WINDOWS\system32\d3dx10_35.dll
2007-10-14 17:12 30,812 --a------ C:\WINDOWS\system32\temp_13.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-14 17:03 --------- d-----w C:\Program Files\ICQToolbar
2007-11-14 16:53 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-11-04 17:14 --------- d-----w C:\Program Files\Winamp
2007-11-04 06:59 --------- d-----w C:\Program Files\Common Files\Nero
2007-11-04 06:57 --------- d-----w C:\Program Files\Nero
2007-11-04 06:51 --------- d-----w C:\Program Files\Ahead
2007-11-03 14:20 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-01 05:09 --------- d-----w C:\Program Files\Orbitdownloader
2007-10-27 18:55 --------- d-----w C:\Program Files\Electronic Arts
2007-10-18 18:13 --------- d-----w C:\Program Files\Java
2007-10-14 06:42 --------- d-----w C:\Program Files\betway
2007-10-10 18:14 --------- d-----w C:\Program Files\Disc2Phone
2007-10-10 17:51 --------- d-----w C:\Program Files\Common Files\Teleca Shared
2007-10-10 17:51 --------- d-----w C:\Program Files\Common Files\Sony Ericsson Shared
2007-10-10 17:50 --------- d-----w C:\Program Files\Sony Ericsson
2007-09-24 08:05 132,904 ----a-w C:\WINDOWS\system32\drivers\imagesrv.sys
2007-09-24 08:05 11,304 ----a-w C:\WINDOWS\system32\drivers\imagedrv.sys
2007-09-20 08:59 972,072 ----a-w C:\WINDOWS\UNRecode.exe
2007-09-20 08:55 972,072 ----a-w C:\WINDOWS\UNNeroMediaHome.exe
2007-09-20 08:55 95,600 ----a-w C:\WINDOWS\system32\NeroCo.dll
2007-09-06 10:09 801,144 ----a-w C:\WINDOWS\system32\aswBoot.exe
2007-09-06 10:00 95,608 ----a-w C:\WINDOWS\system32\AVASTSS.scr
2007-08-21 19:12 3,009 ----a-w C:\naver.vbs
.

((((((((((((((((((((((((((((( snapshot@2007-11-12_21.56.00.18 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-11-14 19:42:48 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_630.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
2007-11-14 20:41 145984 --------- C:\WINDOWS\system32\onystadi.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{11A69AE4-FBED-4832-A2BF-45AF82825583}"= C:\WINDOWS\system32\onystadi.dll [2007-11-14 20:41 145984]

[HKEY_CLASSES_ROOT\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVMixerTray"="C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe" [2004-12-20 16:12]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-09-06 11:06]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 18:51]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 11:35]
"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-03-20 16:34]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 05:24]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-08-15 19:15]
"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2006-11-24 00:06]
"NeroFilterCheck"="C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 15:57]
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2007-09-20 09:51]
"SNM"="C:\Program Files\SpyNoMore\SNM.exe" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-17 14:49]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" []
"EPSON Stylus DX7400 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICDE.exe" [2007-04-12 07:00]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\onystadi]
onystadi.dll 2007-11-14 20:41 145984 C:\WINDOWS\system32\onystadi.dll

R2 Nero BackItUp Scheduler 3;Nero BackItUp Scheduler 3;C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
R3 PSched;Plánovač paketů technologie QoS;C:\WINDOWS\system32\DRIVERS\psched.sys
S3 SE2Bbus;Sony Ericsson Device 043 Driver driver (WDM);C:\WINDOWS\system32\DRIVERS\SE2Bbus.sys
S3 SE2Bmdfl;Sony Ericsson Device 043 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\SE2Bmdfl.sys
S3 SE2Bmdm;Sony Ericsson Device 043 USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\SE2Bmdm.sys
S3 SE2Bmgmt;Sony Ericsson Device 043 USB WMC Device Management Drivers (WDM);C:\WINDOWS\system32\DRIVERS\SE2Bmgmt.sys
S3 se2Bnd5;Sony Ericsson Device 043 USB Ethernet Emulation SEMC43 (NDIS);C:\WINDOWS\system32\DRIVERS\se2Bnd5.sys
S3 SE2Bobex;Sony Ericsson Device 043 USB WMC OBEX Interface;C:\WINDOWS\system32\DRIVERS\SE2Bobex.sys
S3 se2Bunic;Sony Ericsson Device 043 USB Ethernet Emulation SEMC43 (WDM);C:\WINDOWS\system32\DRIVERS\se2Bunic.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-08-22 10:51:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-14 20:45:49
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-14 20:46:32 - machine was rebooted
C:\ComboFix2.txt ... 2007-11-14 18:00
C:\ComboFix3.txt ... 2007-11-12 22:05
.
--- E O F ---

Napsal: 14 lis 2007 21:02
od davidsojka
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:02:17, on 14.11.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Hry\Medal of Honor Airborne\UnrealEngine3\MOHAGame\pb\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Orbitdownloader\orbitdm.exe
C:\Program Files\IChat\iChat.exe
C:\Program Files\Orbitdownloader\orbitnet.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\David Sojka\Plocha\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mojebanka.cz/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.seznam.cz/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: XTTBPos00 - {055FD26D-3A88-4e15-963D-DC8493744B1D} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.3.28.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\onystadi.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\onystadi.dll
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKLM\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [SNM] C:\Program Files\SpyNoMore\SNM.exe /startup
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [EPSON Stylus DX7400 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICDE.EXE /FU "C:\WINDOWS\TEMP\E_S109.tmp" /EF "HKCU"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Intranet Chat.lnk = C:\Program Files\IChat\iChat.exe
O4 - Global Startup: Orbit.lnk = C:\Program Files\Orbitdownloader\orbitdm.exe
O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: Download all links using BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Download all videos using BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: Download link using &BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: E&xportovat do aplikace Microsoft Office Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Zdroje informací - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {861FDA2A-2B57-4BDA-8B8B-305C9D5D8604} (_Multimedia Player) - http://stream.pussyharem.com/stream/mmp2.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2DA0545B-2FC5-452D-934D-3F0579A48124}: NameServer = 213.194.204.126,192.168.128.1
O20 - Winlogon Notify: onystadi - C:\WINDOWS\SYSTEM32\onystadi.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: PunkBuster (PnkBstrA) - Unknown owner - C:\Hry\Medal of Honor Airborne\UnrealEngine3\MOHAGame\pb\PnkBstrA.exe

--
End of file - 9591 bytes

Napsal: 14 lis 2007 21:52
od fredik
Vytvoř si nový CFScript a tentokrát vlož do něho toto:

Kód: Vybrat vše

File::
C:\WINDOWS\system32\onystadi.dll
C:\WINDOWS\system32\temp_13.exe

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{11A69AE4-FBED-4832-A2BF-45AF82825583}"=-
[-HKEY_CLASSES_ROOT\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\onystadi]


Vlož sem pak log z Combofix, který se ti zobrazí.
Časové pásmo: UTC+02:00
Stránka 1 z 3
Powered by phpBB® Forum Software © phpBB Limited
https://www.phpbb.com/