Page 1 of 2

win32/Nuwar worm, please check my log (solved)

Posted: 20 Mar 2008 19:40
by Jagud
NOD32 antivirus keeps catching links to various www pages and reports the win32/Nuwar worm. I ran CCleaner, RegCleaner, Ad-Aware 2007 and Spybot-Search. After a restart the message appears again. Please check my HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 19:23:23, on 20.3.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\system32\drivers\spools.exe
C:\WINDOWS\system32\drivers\spools.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
C:\WINDOWS\system32\drivers\spools.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\ICQLite\ICQLite.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\GoQ - NetRadio\NetRadio.exe
C:\Program Files\GoQ - NetRadio\goq.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINCMD32\WINCMD32.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Install\HIJAC\HIJACK~1.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://search.bearshare.com/sidebar.html?src=ssb
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.icq.com/search/search_frame.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://google.icq.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.seznam.cz/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
O2 - BHO: (no name) - {185619B3-626B-4E9B-88E4-79B6AB386516} - C:\WINDOWS\system32\jkkjh.dll
O2 - BHO: (no name) - {3C287E30-797D-4D31-A616-30B79700243A} - (no file)
O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\system32\tuvwuuu.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
O3 - Toolbar: (no name) - {2F63DD45-30A0-422E-AF1E-01DD88BA9A5C} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
O4 - HKLM\..\Run: [autoload] C:\Documents and Settings\Ruzicka\Local Settings\Application Data\cftmon.exe
O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"
O4 - HKCU\..\Run: [IExplorerService] C:\WINDOWS\system32\WinSock.exe
O4 - HKCU\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
O4 - HKCU\..\Run: [autoload] C:\Documents and Settings\Ruzicka\Local Settings\Application Data\cftmon.exe
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -trayboot
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Program Files\ICQToolbar\toolbaru.dll/SEARCH.HTML
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.topsoftwarefeed.com/redirect.php (file missing)
O9 - Extra 'Tools' menuitem: IE Anti-Spyware - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.topsoftwarefeed.com/redirect.php (file missing)
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{94A9D11C-B81D-4D52-96B6-8B265A7D430F}: NameServer = 85.255.115.238,85.255.112.78
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.238 85.255.112.78
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.238 85.255.112.78
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: tuvwuuu - C:\WINDOWS\SYSTEM32\tuvwuuu.dll
O21 - SSODL: bokpkov - {2B071477-E216-492F-8B05-3C32871270B8} - C:\WINDOWS\bokpkov.dll
O21 - SSODL: altvxvm - {5E4FC87D-A59D-415D-9974-04B65F2B4A1D} - C:\WINDOWS\altvxvm.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Prohledávání počítačů Browsersrservice (Browsersrservice) - Unknown owner - C:\WINDOWS\system32\msdnc1.exe (file missing)
O23 - Service: CcEvtSvc - Unknown owner - C:\WINDOWS\System32\CcEvtSvc.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)

Thanks
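An added example, not part of the thread and not code from HijackThis or any of the tools mentioned here: a small Python triage script that parses the O4 (Run keys), O17 (NameServer) and O23 (service) lines of a HijackThis v1.99 log and reports the same patterns a helper reads off the log above by eye: an autostart .exe sitting in the drivers, Local Settings or Temp folders, the same binary registered in both the HKLM and HKCU Run keys, file names that imitate real Windows binaries (spools.exe next to spoolsv.exe, cftmon.exe next to ctfmon.exe), NameServer values that are not the expected resolvers, and service entries with no owner whose file is missing. The sample log is a constructed excerpt built from lines of the first log in this thread; the expected-resolver set (empty here, so every resolver is reported) and the list of system names are assumptions made for the demo.

```python
"""Triage a HijackThis v1.99 log for the indicator types seen in this thread.

Added example (not thread content, not HijackThis code). The SAMPLE_LOG is a
constructed excerpt of the first log posted above; ODD_DIRS and SYSTEM_NAMES
are assumed lists chosen for the demonstration.
"""
from __future__ import annotations

import ipaddress
import re

O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run(?:Once)?: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
O17_RE = re.compile(r"^O17 - (?P<key>.+?): NameServer = (?P<servers>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<desc>.+?) - (?P<owner>.+?) - (?P<path>.+)$")

# Directories in which a legitimate Run-key autostart .exe rarely lives (assumption).
ODD_DIRS = ("\\drivers\\", "\\local settings\\", "\\temp\\")
# Genuine Windows binary names that malware likes to imitate (assumed list).
SYSTEM_NAMES = ("ctfmon.exe", "spoolsv.exe", "svchost.exe", "lsass.exe",
                "winlogon.exe", "csrss.exe", "services.exe", "explorer.exe")

# Constructed excerpt: lines taken from the first HijackThis log in the thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
O4 - HKLM\..\Run: [autoload] C:\Documents and Settings\Ruzicka\Local Settings\Application Data\cftmon.exe
O4 - HKCU\..\Run: [IExplorerService] C:\WINDOWS\system32\WinSock.exe
O4 - HKCU\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.238 85.255.112.78
O23 - Service: CcEvtSvc - Unknown owner - C:\WINDOWS\System32\CcEvtSvc.exe (file missing)
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
"""


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance, used to spot look-alike file names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def image_path(cmd: str) -> str:
    """Return the executable that a Run-key command line launches."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                 # quoted path, possibly with arguments
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(.+?\.exe)(?:\s|$)", cmd, re.IGNORECASE)   # unquoted path, may contain spaces
    return m.group(1) if m else cmd.split()[0]


def triage(log_text: str, expected_dns: frozenset[str] = frozenset()) -> list[tuple[str, str]]:
    """Return (indicator, detail) pairs for the suspicious lines of a HijackThis log."""
    findings: list[tuple[str, str]] = []
    run_images: dict[str, set[str]] = {}    # lower-cased image path -> hives registering it
    for line in log_text.splitlines():
        if m := O4_RE.match(line):
            img = image_path(m["cmd"])
            low = img.lower()
            run_images.setdefault(low, set()).add(m["hive"])
            if any(d in low for d in ODD_DIRS):
                findings.append(("odd-autostart-location", img))
            base = low.rsplit("\\", 1)[-1]
            if base not in SYSTEM_NAMES:     # an exact system name is not a look-alike
                for real in SYSTEM_NAMES:
                    if edit_distance(base, real) <= 2:
                        findings.append(("system-name-lookalike", f"{img} ~ {real}"))
        elif m := O17_RE.match(line):
            # NameServer may be space- or comma-separated; report anything not on the allowlist
            for ns in re.split(r"[,\s]+", m["servers"].strip()):
                if ns and ns not in expected_dns:
                    try:
                        kind = "public" if ipaddress.ip_address(ns).is_global else "private"
                    except ValueError:
                        kind = "unparsable"
                    findings.append(("unexpected-nameserver", f"{ns} ({kind}) in {m['key']}"))
        elif m := O23_RE.match(line):
            if "(file missing)" in m["path"] and m["owner"] == "Unknown owner":
                findings.append(("orphaned-service", m["desc"]))
    # the same binary autostarted from both hives is a persistence pattern worth a second look
    for low, hives in run_images.items():
        if hives == {"HKLM", "HKCU"}:
            findings.append(("run-in-both-hives", low))
    return findings


if __name__ == "__main__":
    for tag, detail in triage(SAMPLE_LOG):
        print(f"{tag:25} {detail}")
```

Run against the excerpt, the script reports the two 85.255.x.x resolvers as unexpected public nameservers, spools.exe and cftmon.exe as odd-location autostarts that imitate spoolsv.exe and ctfmon.exe, spools.exe as registered in both hives, and CcEvtSvc as an ownerless service whose file is missing; pass the resolvers your ISP or DHCP server actually hands out as `expected_dns` so that legitimate O17 lines stay quiet.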

Re: win32/Nuwar worm, please check my log

Posted: 20 Mar 2008 19:45
by fredik
Download SDFix
- Run it; it extracts itself to the drive where Windows is installed (typically C:\SDFix)
- Then restart the PC into Safe Mode (choose Safe Mode, not Safe Mode with Networking)
- Open the folder where SDFix was extracted and run RunThis.bat; that starts the program.
* Then press Y and then Enter to begin the cleaning process.
* When the check finishes you will be prompted to press any key and the computer will restart.
* While the operating system boots, the program starts again and completes the cleaning process. When Finish appears, you will be prompted to press any key; that closes the program and your desktop icons appear
- Once the desktop icons have finished loading, the SDFix log opens on screen and is also saved in the SDFix folder as Report.txt
Then copy its contents here.

Use Fixwareout according to the guide and paste its log here.

In your next post, paste these logs/results:
- the SDFix log
- the Fixwareout log
- a new HJT log

Re: win32/Nuwar worm, please check my log

Posted: 20 Mar 2008 20:39
by Jagud
I followed the instructions; the win32/Nuwar message has not appeared so far. Here are the logs:

SDFix: Version 1.159
Run by Ruzicka on čt 20.03.2008 at 19:59
Microsoft Windows XP [Verze 5.1.2600]
Running From: C:\SDFix
Checking Services :
Name:
CcEvtSvc
ndisaluo

Path:
%SystemRoot%\System32\CcEvtSvc.exe -k netsvcs
\??\C:\WINDOWS\system32\Drivers\ndisaluo.sys

CcEvtSvc - Deleted
ndisaluo - Deleted

Restoring Windows Registry Values
Restoring Windows Default Hosts File
Restoring Default HomePage Value
Restoring Default Desktop Components Value

Rebooting

Checking Files :

Trojan Files Found:

C:\WINDOWS\system32\kdkqj.exe - Deleted
C:\96E.TMP - Deleted
C:\WINDOWS\system32\msdnc2.exe - Deleted
C:\DOCUME~1\Ruzicka\LOCALS~1\Temp\ac8zt2.dat - Deleted
C:\WINDOWS\altvxvm.dll - Deleted
C:\WINDOWS\bokpkov.dll - Deleted
C:\WINDOWS\fmsxwqs.exe - Deleted
C:\WINDOWS\rs.txt - Deleted
C:\WINDOWS\system32\users32.dat - Deleted
C:\WINDOWS\system32\drivers\spools.exe - Deleted

The below files have been patched by Trojan.Agent to load users32.dat and should be replaced:

C:\WINDOWS\system32\NeroCheck.exe
C:\Program Files\Eset\nod32kui.exe

Removing Temp Files

ADS Check :

Final Check :

catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-20 20:12:46
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...
scanning hidden services ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

Remaining Services :

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\ICQLite\\ICQLite.exe"="C:\\Program Files\\ICQLite\\ICQLite.exe:*:Enabled:ICQ Lite"
"C:\\Program Files\\BearShare Applications\\BearShare\\BearShare.exe"="C:\\Program Files\\BearShare Applications\\BearShare\\BearShare.exe:*:Enabled:BearShare"
"D:\\World of Warcraft\\BackgroundDownloader.exe"="D:\\World of Warcraft\\BackgroundDownloader.exe:*:Enabled:Blizzard Downloader"
"C:\\Program Files\\Gadu-Gadu\\GG.EXE"="C:\\Program Files\\Gadu-Gadu\\GG.EXE:*:Disabled:Gadu-Gadu - program główny"
"D:\\cs 1.6\\CS1.6\\hl.exe"="D:\\cs 1.6\\CS1.6\\hl.exe:*:Enabled:Half-Life Launcher"
"C:\\Vietcong2\\vc2ded.exe"="C:\\Vietcong2\\vc2ded.exe:*:Enabled:vc2ded"
"D:\\cs 1.6\\CS1.6\\hltv.exe"="D:\\cs 1.6\\CS1.6\\hltv.exe:*:Enabled:HLTV Launcher"
"D:\\quake 4\\Quake4Ded.exe"="D:\\quake 4\\Quake4Ded.exe:*:Enabled:Quake 4"
"C:\\Documents and Settings\\Ruzicka\\Local Settings\\Temp\\winlogon.exe"="C:\\Documents and Settings\\Ruzicka\\Local Settings\\Temp\\winlogon.exe:*:Enabled:winlogon"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype. Take a deep breath "
"C:\\WINDOWS\\system32\\WinSock.exe"="C:\\WINDOWS\\system32\\WinSock.exe:*:Enabled:WinSock"
"C:\\Documents and Settings\\Ruzicka\\Plocha\\winsock.exe"="C:\\Documents and Settings\\Ruzicka\\Plocha\\winsock.exe:*:Enabled:winsock"
"C:\\WINDOWS\\system32\\old.exe"="C:\\WINDOWS\\system32\\old.exe:*:Enabled:old"
"C:\\WINDOWS\\system32\\update.exe"="C:\\WINDOWS\\system32\\update.exe:*:Enabled:update"
"C:\\WINDOWS\\system32\\iexplor.exe"="C:\\WINDOWS\\system32\\iexplor.exe:*:Enabled:iexplor"
@=":*:Enabled:"
"C:\\Documents and Settings\\Ruzicka\\WinSock.exe"="C:\\Documents and Settings\\Ruzicka\\WinSock.exe:*:Enabled:WinSock"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files :

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Thu 28 Sep 2006 2,045 ...H. --- "C:\WINDOWS\system32\whlb32g.dll"
Tue 17 Aug 2004 1,667,584 ..SH. --- "C:\Program Files\Messenger\msmsgs.exe"
Tue 17 Aug 2004 60,416 A.SH. --- "C:\Program Files\Outlook Express\msimn.exe"
Sat 27 Mar 2004 40,448 A..H. --- "C:\System Volume Information\_restore{6765F50C-626C-48BD-9B9E-BD981AD8465F}\RP73\A0519577.DLL"
Sat 27 Mar 2004 40,448 A..H. --- "C:\System Volume Information\_restore{6765F50C-626C-48BD-9B9E-BD981AD8465F}\RP73\A0519519.dll"
Sat 27 Mar 2004 40,448 A..H. --- "C:\System Volume Information\_restore{6765F50C-626C-48BD-9B9E-BD981AD8465F}\RP74\A0520681.DLL"
Sat 27 Mar 2004 40,448 A..H. --- "C:\System Volume Information\_restore{6765F50C-626C-48BD-9B9E-BD981AD8465F}\RP74\A0521740.DLL"
Sat 27 Mar 2004 40,448 A..H. --- "C:\System Volume Information\_restore{6765F50C-626C-48BD-9B9E-BD981AD8465F}\RP75\A0524790.dll"
Sat 27 Mar 2004 40,448 A..H. --- "C:\System Volume Information\_restore{6765F50C-626C-48BD-9B9E-BD981AD8465F}\RP80\A0555304.DLL"

Finished!

*********************************************************************************************************************

Username "Ruzicka" - 20.03.2008 20:15:40 [Fixwareout edited 9/01/2007]
~~~~~ Prerun check

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
"nameserver"="85.255.115.238 85.255.112.78" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{94A9D11C-B81D-4D52-96B6-8B265A7D430F}
"nameserver"="85.255.115.238,85.255.112.78" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{9853E2F2-5676-420C-819F-C5CE8D0E4E4A}
"DhcpNameServer"="85.255.115.238,85.255.112.78" <Value cleared.

Mezipaměť překládání DNS byla úspěšně vyprázdněna.

System was rebooted successfully.

~~~~~ Postrun check
HKLM\SOFTWARE\~\Winlogon\ "System"=""
....
....
~~~~~ Misc files.
....
~~~~~ Checking for older varients.
....

~~~~~ Current runs (hklm hkcu "run" Keys Only)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"nod32kui"="\"C:\\Program Files\\Eset\\nod32kui.exe\" /WAITSERVICE"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTSyncU.exe"="\"C:\\Program Files\\Creative\\Sync Manager Unicode\\CTSyncU.exe\""
....
Hosts file was reset, If you use a custom hosts file please replace it...
~~~~~ End report ~~~~~

************************************************************************************************************************
Logfile of HijackThis v1.99.1
Scan saved at 20:21:51, on 20.3.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpSvc.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
C:\WINCMD32\WINCMD32.EXE
C:\Install\HIJAC\HIJACK~1.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://search.bearshare.com/sidebar.html?src=ssb
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.icq.com/search/search_frame.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://google.icq.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
O2 - BHO: (no name) - {3C287E30-797D-4D31-A616-30B79700243A} - (no file)
O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\system32\tuvwuuu.dll
O2 - BHO: (no name) - {CAF26351-BE57-46E3-9C62-9E894D42D700} - C:\WINDOWS\system32\jkkjh.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
O3 - Toolbar: (no name) - {2F63DD45-30A0-422E-AF1E-01DD88BA9A5C} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Program Files\ICQToolbar\toolbaru.dll/SEARCH.HTML
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: tuvwuuu - C:\WINDOWS\SYSTEM32\tuvwuuu.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Prohledávání počítačů Browsersrservice (Browsersrservice) - Unknown owner - C:\WINDOWS\system32\msdnc1.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)

Re: win32/Nuwar worm, please check my log

Posted: 20 Mar 2008 21:49
by fredik
Download ComboFix (by sUBs) and save it to your desktop.
Close all active windows and run it.
- After launch the terms of use are shown; confirm them by pressing Yes
- Then follow the instructions; while ComboFix is running, do not click into the window it shows
- When the scan finishes, the program should create a log, C:\ComboFix.txt; please paste its entire contents here

Re: win32/Nuwar worm, please check my log

Posted: 20 Mar 2008 22:16
by Jagud
ComboFix 08-03-20.1 - Ruzicka 2008-03-20 22:02:02.1 - FAT32x86
Systém Microsoft Windows XP Professional 5.1.2600.2.1250.1.1029.18.277 [GMT 1:00]
Running from: C:\Documents and Settings\Ruzicka\Plocha\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\DOCUME~1\ALLUSE~1\DATAAP~1\Microsoft\Network\Downloader\qmgr0.dat
C:\DOCUME~1\ALLUSE~1\DATAAP~1\Microsoft\Network\Downloader\qmgr1.dat
C:\Documents and Settings\Ruzicka\iexplorer.exe
C:\WINDOWS\msettings.ini
C:\WINDOWS\system32\drivers\npf.sys
C:\WINDOWS\system32\hjkkj.ini
C:\WINDOWS\system32\hjkkj.ini2
C:\WINDOWS\system32\jkkjh.dll
C:\WINDOWS\system32\packet.dll
C:\WINDOWS\system32\pthreadVC.dll
C:\WINDOWS\system32\tuvwuuu.dll
C:\WINDOWS\system32\wpcap.dll

----- BITS: Possible infected sites -----

hxxp://supertds.com
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NPF
-------\Service_NPF


((((((((((((((((((((((((( Files Created from 2008-02-20 to 2008-03-20 )))))))))))))))))))))))))))))))
.

2008-03-20 20:15 . 2008-03-20 20:15 <DIR> d-------- C:\fixwareout
2008-03-20 19:58 . 2004-08-17 15:49 577,024 --a------ C:\WINDOWS\system32\dllcache\user32.dll
2008-03-20 19:55 . 2008-03-20 19:55 <DIR> d-------- C:\WINDOWS\ERUNT
2008-03-20 19:46 . 2008-03-20 04:14 <DIR> d-------- C:\SDFix
2008-03-20 19:19 . 2008-03-20 19:19 <DIR> d--hs---- C:\FOUND.005
2008-03-20 19:06 . 2008-03-20 19:19 5,120 --a------ C:\WINDOWS\system32\ftpdll.dll
2008-03-20 19:06 . 2008-03-20 19:19 5,120 --a------ C:\Documents and Settings\Ruzicka\ftpdll.dll
2008-03-20 12:45 . 2008-03-20 12:45 391,448 --a------ C:\Documents and Settings\Ruzicka\wmvcodec2[1].03.exe
2008-03-20 12:44 . 2008-03-20 12:44 92,172 --a------ C:\Documents and Settings\Ruzicka\shlyapa.exe
2008-03-20 12:44 . 2008-03-20 12:44 325 --a------ C:\Documents and Settings\Ruzicka\lex.exe
2008-03-20 11:56 . 2008-03-20 11:56 155,648 --a------ C:\WINDOWS\system32\nerocheck.exe
2008-03-20 11:29 . 2008-03-20 11:29 <DIR> d--hs---- C:\FOUND.004
2008-03-14 00:05 . 2008-03-14 00:05 32 --a------ C:\DOCUME~1\ALLUSE~1\DATAAP~1\ezsid.dat
2008-03-14 00:03 . 2008-03-14 00:03 <DIR> d-------- C:\Program Files\Skype
2008-03-14 00:03 . 2008-03-14 00:03 <DIR> d-------- C:\Program Files\Common Files\Skype
2008-03-14 00:03 . 2008-03-14 00:03 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\DATAAP~1\Skype
2008-03-09 22:44 . 2008-03-09 22:44 <DIR> d-------- C:\Program Files\Lavasoft
2008-03-09 22:44 . 2008-03-09 22:44 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-03-09 22:44 . 2008-03-09 22:44 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\DATAAP~1\Lavasoft
2008-03-03 19:16 . 2008-03-03 19:16 502,368 --a------ C:\WINDOWS\system32\drivers\amon.sys
2008-03-03 19:16 . 2008-03-03 19:16 274,432 --a------ C:\WINDOWS\system32\imon.dll
2008-03-01 19:18 . 2008-03-01 19:18 <DIR> d--hs---- C:\FOUND.003
2008-02-22 22:07 . 2008-02-22 22:07 <DIR> d--hs---- C:\FOUND.002

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-04 14:45 0 ----a-w C:\z1.dat
2007-10-03 13:32 320 --sha-w C:\WINDOWS\system32\2339109842.dat
.
Files Infected - Win32.Agent.zb
C:\WINDOWS\system32\NeroCheck.exe
C:\Program Files\Eset\nod32kui.exe
.

------- Sigcheck -------

2004-08-03 23:14 359040 1745b00fc1141404b28f4b94f69a8871 C:\WINDOWS\system32\drivers\tcpip.sys
2001-10-25 12:00 327168 e7774698bb0d14b0710a9a31e209f9b6 C:\WINDOWS\$NtServicePackUninstall$\tcpip.sys
2004-08-03 23:14 359040 1745b00fc1141404b28f4b94f69a8871 C:\WINDOWS\ServicePackFiles\i386\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTSyncU.exe"="C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe" [2006-06-12 14:32 700416]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-02-24 07:32 5537792]
"nwiz"="nwiz.exe" [2005-02-24 07:32 1495040 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2005-02-24 07:32 86016]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2008-03-20 11:56 155648]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2008-03-20 11:56 921600]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-17 15:49 15360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{0E9D1F65-6417-48E3-AC6F-81DC5F99BE4E}"= C:\WINDOWS\system32\DoubleHook.dll [2005-10-27 16:04 683520]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="logonui.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tuvwuuu]
tuvwuuu.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
-ra------ 2008-02-01 17:22 21898024 C:\Program Files\Skype\Phone\Skype.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\ICQLite\\ICQLite.exe"=
"C:\\Program Files\\BearShare Applications\\BearShare\\BearShare.exe"=
"D:\\World of Warcraft\\BackgroundDownloader.exe"=
"C:\\Program Files\\Gadu-Gadu\\GG.EXE"=
"C:\\Vietcong2\\vc2ded.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

R3 PSched;Plánovač paketů technologie QoS;C:\WINDOWS\system32\DRIVERS\psched.sys [2004-08-03 23:04]
S2 Browsersrservice;Prohledávání počítačů Browsersrservice;C:\WINDOWS\system32\msdnc1.exe []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e42f368d-dc83-11db-ae5d-000e2e091e79}]
\shell\open\command - %SystemRoot%\Explorer.exe /idlist,%I,%L

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-20 22:07:36
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NPF]
"ImagePath"="system32\drivers\npf.sys"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\lsass.exe
-> C:\Program Files\Eset\pr_imon.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-03-20 22:09:36 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-20 21:09:34

Re: win32/Nuwar worm, please check my log

Posted: 21 Mar 2008 13:00
by Jagud
If the log is fine, many thanks. No messages appear any more and the computer is noticeably faster.

Re: win32/Nuwar worm, please check my log (solved!?)

Posted: 22 Mar 2008 08:28
by fredik
Open Notepad (Start -> Run..., type Notepad into the box and click OK)
Copy the following text (highlighted in green) into it:

Code:

Driver::
Browsersrservice
NPF

File::
C:\WINDOWS\system32\ftpdll.dll
C:\Documents and Settings\Ruzicka\ftpdll.dll
C:\WINDOWS\system32\DoubleHook.dll
C:\WINDOWS\system32\msdnc1.exe

Folder::
C:\FOUND.005
C:\FOUND.004
C:\FOUND.003
C:\FOUND.002

Registry::
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{0E9D1F65-6417-48E3-AC6F-81DC5F99BE4E}"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tuvwuuu]

Choose File -> Save As... and set these parameters:
File name: type CFScript.txt
Save as type: choose All Files
Save the file to the desktop.
Close all active windows.

Drag the CFScript.txt you created onto the downloaded ComboFix.exe with the mouse; when the two files overlap, drop the script
- ComboFix starts automatically
- Paste here the log that appears at the end of the cleaning process

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

Also test these files on VirusTotal (the guide currently has no images, but everything important is mentioned there):
C:\Documents and Settings\Ruzicka\shlyapa.exe
C:\Documents and Settings\Ruzicka\lex.exe
It is enough to copy the whole path there; then paste the results here.

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

Run a scan with Kaspersky Online Scanner and paste its log here! (it has to be run in IE)
- click the Accept button
- you will be prompted to install Kaspersky's ActiveX component; allow it
- the program downloads the database it needs
- after the download, click the option: [image]
Then click the button: Scan Settings
- you get to the Scan settings window; select the following options there:

Under: Scan using the following antivirus database:
    standard - detect viruses, worms, Trojans, rootkits
Under: Scan Options: - leave both options selected:
    Scan Archives - scan files inside archives
    Scan Mail Bases - scan e-mails/attachments inside mail base files
Then click the OK button

Now, under Please select a target to scan, choose the option:
[image]
- the system scan starts
- when it has finished, a list of what it found is shown
Click the Save Report As... button
- save it, for example, to the desktop with these parameters:
- File name: type Kavlog
- Save as type: choose Text file (*.txt)

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

In your next post, paste these logs/results:
- the ComboFix log after using the script
- the VirusTotal results
- the Kaspersky Online Scanner log
- a new HJT log

Re: win32/Nuwar worm, please check my log (solved!?)

Posted: 06 Apr 2008 15:25
by Jagud
Sorry for replying so late. I followed the last set of instructions. No virus reports appear. About twice a week the PC restarts itself or freezes; otherwise there is no unusual behaviour.

Attached:

- the ComboFix log after using the script
- the VirusTotal results
- the Kaspersky Online Scanner log
- a new HJT log


ComboFix 08-04-04.1 - Ruzicka 2008-04-05 21:58:12.2 - FAT32x86
Systém Microsoft Windows XP Professional 5.1.2600.2.1250.1.1029.18.291 [GMT 2:00]
Running from: C:\Documents and Settings\Ruzicka\Plocha\ComboFix.exe
Command switches used :: C:\Documents and Settings\Ruzicka\Plocha\CFScript.txt
* Created a new restore point
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\Documents and Settings\Ruzicka\ftpdll.dll
C:\WINDOWS\system32\DoubleHook.dll
C:\WINDOWS\system32\ftpdll.dll
C:\WINDOWS\system32\msdnc1.exe
.
TimedOut: progfile.dat

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\FOUND.002
C:\FOUND.002\FILE0000.CHK
C:\FOUND.003
C:\FOUND.003\FILE0000.CHK
C:\FOUND.003\FILE0001.CHK
C:\FOUND.003\FILE0002.CHK
C:\FOUND.003\FILE0003.CHK
C:\FOUND.004
C:\FOUND.004\FILE0000.CHK
C:\FOUND.004\FILE0001.CHK
C:\FOUND.004\FILE0002.CHK
C:\FOUND.004\FILE0003.CHK
C:\FOUND.004\FILE0004.CHK
C:\FOUND.004\FILE0005.CHK
C:\FOUND.004\FILE0006.CHK
C:\FOUND.004\FILE0007.CHK
C:\FOUND.004\FILE0008.CHK
C:\FOUND.004\FILE0009.CHK
C:\FOUND.004\FILE0010.CHK
C:\FOUND.004\FILE0011.CHK
C:\FOUND.004\FILE0012.CHK
C:\FOUND.004\FILE0013.CHK
C:\FOUND.004\FILE0014.CHK
C:\FOUND.004\FILE0015.CHK
C:\FOUND.004\FILE0016.CHK
C:\FOUND.004\FILE0017.CHK
C:\FOUND.004\FILE0018.CHK
C:\FOUND.004\FILE0019.CHK
C:\FOUND.004\FILE0020.CHK
C:\FOUND.004\FILE0021.CHK
C:\FOUND.004\FILE0022.CHK
C:\FOUND.004\FILE0023.CHK
C:\FOUND.004\FILE0024.CHK
C:\FOUND.004\FILE0025.CHK
C:\FOUND.004\FILE0026.CHK
C:\FOUND.004\FILE0027.CHK
C:\FOUND.004\FILE0028.CHK
C:\FOUND.004\FILE0029.CHK
C:\FOUND.004\FILE0030.CHK
C:\FOUND.004\FILE0031.CHK
C:\FOUND.004\FILE0032.CHK
C:\FOUND.004\FILE0033.CHK
C:\FOUND.004\FILE0034.CHK
C:\FOUND.004\FILE0035.CHK
C:\FOUND.004\FILE0036.CHK
C:\FOUND.004\FILE0037.CHK
C:\FOUND.004\FILE0038.CHK
C:\FOUND.004\FILE0039.CHK
C:\FOUND.004\FILE0040.CHK
C:\FOUND.004\FILE0041.CHK
C:\FOUND.004\FILE0042.CHK
C:\FOUND.004\FILE0043.CHK
C:\FOUND.004\FILE0044.CHK
C:\FOUND.004\FILE0045.CHK
C:\FOUND.004\FILE0046.CHK
C:\FOUND.004\FILE0047.CHK
C:\FOUND.004\FILE0048.CHK
C:\FOUND.004\FILE0049.CHK
C:\FOUND.004\FILE0050.CHK
C:\FOUND.004\FILE0051.CHK
C:\FOUND.004\FILE0052.CHK
C:\FOUND.004\FILE0053.CHK
C:\FOUND.004\FILE0054.CHK
C:\FOUND.004\FILE0055.CHK
C:\FOUND.004\FILE0056.CHK
C:\FOUND.004\FILE0057.CHK
C:\FOUND.004\FILE0058.CHK
C:\FOUND.004\FILE0059.CHK
C:\FOUND.004\FILE0060.CHK
C:\FOUND.004\FILE0061.CHK
C:\FOUND.004\FILE0062.CHK
C:\FOUND.004\FILE0063.CHK
C:\FOUND.004\FILE0064.CHK
C:\FOUND.004\FILE0065.CHK
C:\FOUND.004\FILE0066.CHK
C:\FOUND.004\FILE0067.CHK
C:\FOUND.004\FILE0068.CHK
C:\FOUND.004\FILE0069.CHK
C:\FOUND.004\FILE0070.CHK
C:\FOUND.004\FILE0071.CHK
C:\FOUND.004\FILE0072.CHK
C:\FOUND.004\FILE0073.CHK
C:\FOUND.004\FILE0074.CHK
C:\FOUND.004\FILE0075.CHK
C:\FOUND.004\FILE0076.CHK
C:\FOUND.004\FILE0077.CHK
C:\FOUND.004\FILE0078.CHK
C:\FOUND.004\FILE0079.CHK
C:\FOUND.004\FILE0080.CHK
C:\FOUND.004\FILE0081.CHK
C:\FOUND.004\FILE0082.CHK
C:\FOUND.004\FILE0083.CHK
C:\FOUND.004\FILE0084.CHK
C:\FOUND.004\FILE0085.CHK
C:\FOUND.004\FILE0086.CHK
C:\FOUND.004\FILE0087.CHK
C:\FOUND.004\FILE0088.CHK
C:\FOUND.004\FILE0089.CHK
C:\FOUND.004\FILE0090.CHK
C:\FOUND.004\FILE0091.CHK
C:\FOUND.004\FILE0092.CHK
C:\FOUND.004\FILE0093.CHK
C:\FOUND.004\FILE0094.CHK
C:\FOUND.004\FILE0095.CHK
C:\FOUND.004\FILE0096.CHK
C:\FOUND.004\FILE0097.CHK
C:\FOUND.004\FILE0098.CHK
C:\FOUND.004\FILE0099.CHK
C:\FOUND.004\FILE0100.CHK
C:\FOUND.004\FILE0101.CHK
C:\FOUND.004\FILE0102.CHK
C:\FOUND.004\FILE0103.CHK
C:\FOUND.004\FILE0104.CHK
C:\FOUND.004\FILE0105.CHK
C:\FOUND.004\FILE0106.CHK
C:\FOUND.004\FILE0107.CHK
C:\FOUND.004\FILE0108.CHK
C:\FOUND.004\FILE0109.CHK
C:\FOUND.004\FILE0110.CHK
C:\FOUND.004\FILE0111.CHK
C:\FOUND.004\FILE0112.CHK
C:\FOUND.004\FILE0113.CHK
C:\FOUND.004\FILE0114.CHK
C:\FOUND.004\FILE0115.CHK
C:\FOUND.004\FILE0116.CHK
C:\FOUND.004\FILE0117.CHK
C:\FOUND.004\FILE0118.CHK
C:\FOUND.004\FILE0119.CHK
C:\FOUND.004\FILE0120.CHK
C:\FOUND.004\FILE0121.CHK
C:\FOUND.004\FILE0122.CHK
C:\FOUND.004\FILE0123.CHK
C:\FOUND.004\FILE0124.CHK
C:\FOUND.004\FILE0125.CHK
C:\FOUND.004\FILE0126.CHK
C:\FOUND.004\FILE0127.CHK
C:\FOUND.004\FILE0128.CHK
C:\FOUND.004\FILE0129.CHK
C:\FOUND.004\FILE0130.CHK
C:\FOUND.004\FILE0131.CHK
C:\FOUND.004\FILE0132.CHK
C:\FOUND.004\FILE0133.CHK
C:\FOUND.004\FILE0134.CHK
C:\FOUND.004\FILE0135.CHK
C:\FOUND.004\FILE0136.CHK
C:\FOUND.004\FILE0137.CHK
C:\FOUND.004\FILE0138.CHK
C:\FOUND.004\FILE0139.CHK
C:\FOUND.004\FILE0140.CHK
C:\FOUND.004\FILE0141.CHK
C:\FOUND.004\FILE0142.CHK
C:\FOUND.004\FILE0143.CHK
C:\FOUND.004\FILE0144.CHK
C:\FOUND.004\FILE0145.CHK
C:\FOUND.004\FILE0146.CHK
C:\FOUND.004\FILE0147.CHK
C:\FOUND.004\FILE0148.CHK
C:\FOUND.004\FILE0149.CHK
C:\FOUND.004\FILE0150.CHK
C:\FOUND.004\FILE0151.CHK
C:\FOUND.004\FILE0152.CHK
C:\FOUND.004\FILE0153.CHK
C:\FOUND.004\FILE0154.CHK
C:\FOUND.004\FILE0155.CHK
C:\FOUND.004\FILE0156.CHK
C:\FOUND.004\FILE0157.CHK
C:\FOUND.004\FILE0158.CHK
C:\FOUND.004\FILE0159.CHK
C:\FOUND.004\FILE0160.CHK
C:\FOUND.004\FILE0161.CHK
C:\FOUND.004\FILE0162.CHK
C:\FOUND.004\FILE0163.CHK
C:\FOUND.004\FILE0164.CHK
C:\FOUND.004\FILE0165.CHK
C:\FOUND.004\FILE0166.CHK
C:\FOUND.004\FILE0167.CHK
C:\FOUND.004\FILE0168.CHK
C:\FOUND.004\FILE0169.CHK
C:\FOUND.004\FILE0170.CHK
C:\FOUND.004\FILE0171.CHK
C:\FOUND.004\FILE0172.CHK
C:\FOUND.004\FILE0173.CHK
C:\FOUND.004\FILE0174.CHK
C:\FOUND.004\FILE0175.CHK
C:\FOUND.004\FILE0176.CHK
C:\FOUND.004\FILE0177.CHK
C:\FOUND.004\FILE0178.CHK
C:\FOUND.005
C:\FOUND.005\FILE0000.CHK
C:\WINDOWS\file295.exe
C:\WINDOWS\system32\DoubleHook.dll

.
((((((((((((((((((((((((( Files Created from 2008-03-05 to 2008-04-05 )))))))))))))))))))))))))))))))
.

2008-04-05 09:00 . 2008-04-05 09:00 <DIR> d-------- C:\Program Files\Winamp Toolbar
2008-04-05 09:00 . 2008-04-05 09:00 <DIR> d-------- C:\Documents and Settings\All Users\Data aplikací\Winamp Toolbar
2008-04-05 08:59 . 2008-04-05 08:59 <DIR> d-------- C:\Program Files\Winamp Remote
2008-04-05 08:59 . 2008-04-05 08:59 <DIR> d-------- C:\Documents and Settings\All Users\Data aplikací\OrbNetworks
2008-04-03 21:55 . 2008-04-03 21:55 502,368 --a------ C:\WINDOWS\system32\drivers\amon.sys
2008-04-03 21:55 . 2008-04-03 21:55 274,432 --a------ C:\WINDOWS\system32\imon.dll
2008-04-03 12:39 . 2008-04-03 12:39 <DIR> d--hs---- C:\FOUND.007
2008-04-03 12:06 . 2008-04-03 12:06 <DIR> d--hs---- C:\FOUND.006
2008-04-02 22:39 . 2003-05-23 13:28 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
2008-04-02 22:39 . 2003-05-23 13:28 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll
2008-04-02 22:37 . 2008-04-02 22:37 <DIR> d-------- C:\Program Files\Max Payne 2
2008-04-02 22:37 . 2003-05-23 13:28 1,060,864 --a------ C:\WINDOWS\system32\mfc71.dll
2008-03-23 19:29 . 2008-03-23 19:29 <DIR> d-------- C:\Documents and Settings\Ruzicka\Data aplikací\CoolFlvMan
2008-03-23 19:26 . 2008-03-23 19:26 <DIR> d-------- C:\Videos
2008-03-23 19:25 . 2008-03-23 19:25 <DIR> d-------- C:\Documents and Settings\Ruzicka\Data aplikací\CoolYouTubeDownloader
2008-03-20 20:15 . 2008-03-20 20:15 <DIR> d-------- C:\fixwareout
2008-03-20 19:58 . 2004-08-17 15:49 577,024 --a------ C:\WINDOWS\system32\dllcache\user32.dll
2008-03-20 19:55 . 2008-03-20 19:55 <DIR> d-------- C:\WINDOWS\ERUNT
2008-03-20 19:46 . 2008-03-20 04:14 <DIR> d-------- C:\SDFix
2008-03-20 12:44 . 2008-03-20 12:44 92,172 --a------ C:\Documents and Settings\Ruzicka\shlyapa.exe
2008-03-20 12:44 . 2008-03-20 12:44 325 --a------ C:\Documents and Settings\Ruzicka\lex.exe
2008-03-20 11:56 . 2008-03-20 11:56 155,648 --a------ C:\WINDOWS\system32\nerocheck.exe
2008-03-14 00:05 . 2008-03-14 00:05 <DIR> d-------- C:\Documents and Settings\Ruzicka\Data aplikací\skypePM
2008-03-14 00:05 . 2008-03-14 00:05 32 --a------ C:\Documents and Settings\All Users\Data aplikací\ezsid.dat
2008-03-14 00:03 . 2008-03-14 00:03 <DIR> d-------- C:\Program Files\Skype
2008-03-14 00:03 . 2008-03-14 00:03 <DIR> d-------- C:\Program Files\Common Files\Skype
2008-03-14 00:03 . 2008-03-14 00:03 <DIR> d-------- C:\Documents and Settings\Ruzicka\Data aplikací\Skype
2008-03-14 00:03 . 2008-03-14 00:03 <DIR> d-------- C:\Documents and Settings\All Users\Data aplikací\Skype
2008-03-09 22:44 . 2008-03-09 22:44 <DIR> d-------- C:\Program Files\Lavasoft
2008-03-09 22:44 . 2008-03-09 22:44 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-03-09 22:44 . 2008-03-09 22:44 <DIR> d-------- C:\Documents and Settings\All Users\Data aplikací\Lavasoft

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-03 08:12 98,304 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2008-02-04 13:45 0 ----a-w C:\z1.dat
.
Files Infected - Win32.Agent.zb
C:\WINDOWS\system32\NeroCheck.exe
.

------- Sigcheck -------

2004-08-03 23:14 359040 1745b00fc1141404b28f4b94f69a8871 C:\WINDOWS\system32\drivers\tcpip.sys
2001-10-25 12:00 327168 e7774698bb0d14b0710a9a31e209f9b6 C:\WINDOWS\$NtServicePackUninstall$\tcpip.sys
2004-08-03 23:14 359040 1745b00fc1141404b28f4b94f69a8871 C:\WINDOWS\ServicePackFiles\i386\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{25CEE8EC-5730-41bc-8B58-22DDC8AB8C20}]
2008-03-20 00:36 1267040 --a------ C:\Program Files\Winamp Toolbar\winamptb.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{EBF2BA02-9094-4C5A-858B-BB198F3D8DE2}"= "C:\Program Files\Winamp Toolbar\winamptb.dll" [2008-03-20 00:36 1267040]

[HKEY_CLASSES_ROOT\clsid\{ebf2ba02-9094-4c5a-858b-bb198f3d8de2}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand.1]
[HKEY_CLASSES_ROOT\TypeLib\{538CD77C-BFDD-49b0-9562-77419CAB89D1}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{EBF2BA02-9094-4C5A-858B-BB198F3D8DE2}"= C:\Program Files\Winamp Toolbar\winamptb.dll [2008-03-20 00:36 1267040]

[HKEY_CLASSES_ROOT\clsid\{ebf2ba02-9094-4c5a-858b-bb198f3d8de2}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand.1]
[HKEY_CLASSES_ROOT\TypeLib\{538CD77C-BFDD-49b0-9562-77419CAB89D1}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Orb"="C:\Program Files\Winamp Remote\bin\OrbTray.exe" [2008-03-25 04:59 507904]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"ICQ Lite"="C:\Program Files\ICQLite\ICQLite.exe" [2006-07-27 19:12 3142236]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-02-24 07:32 5537792]
"nwiz"="nwiz.exe" [2005-02-24 07:32 1495040 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2005-02-24 07:32 86016]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2008-03-20 11:56 155648]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2008-04-03 21:55 921600]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-17 15:49 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTSyncU.exe]
--------- 2006-06-12 14:32 700416 C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
-ra------ 2008-02-01 17:22 21898024 C:\Program Files\Skype\Phone\Skype.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\ICQLite\\ICQLite.exe"=
"C:\\Program Files\\BearShare Applications\\BearShare\\BearShare.exe"=
"D:\\World of Warcraft\\BackgroundDownloader.exe"=
"C:\\Program Files\\Gadu-Gadu\\GG.EXE"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\\Program Files\\Winamp Remote\\bin\\Orb.exe"=
"C:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe"=
"C:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

R3 PSched;Plánovač paketů technologie QoS;C:\WINDOWS\system32\DRIVERS\psched.sys [2004-08-03 23:04]
S2 Browsersrservice;Prohledávání počítačů Browsersrservice;C:\WINDOWS\system32\msdnc1.exe []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e42f368d-dc83-11db-ae5d-000e2e091e79}]
\shell\open\command - %SystemRoot%\Explorer.exe /idlist,%I,%L

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-05 22:00:21
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\lsass.exe
-> C:\Program Files\Eset\pr_imon.dll
.
Completion time: 2008-04-05 22:00:37
ComboFix-quarantined-files.txt 2008-04-05 20:00:36
ComboFix3.txt 2008-03-20 20:09:38
ComboFix2.txt 2008-04-01 16:28:02
Directories: 21, Free bytes: 16,514,875,392
Directories: 27, Free bytes: 16,504,946,688


VIRUS TOTAL

File shlyapa.exe received 2008.04.05 22:04:59 (CET)


Result: 17/32 (53.13%)


Antivirus Version Last update Result
AhnLab-V3 2008.4.4.1 2008.04.04 -
AntiVir 7.6.0.81 2008.04.04 TR/Dldr.Zlob.jbe.37
Authentium 4.93.8 2008.04.05 -
Avast 4.7.1098.0 2008.04.04 Win32:Zlob-BVB
AVG 7.5.0.516 2008.04.05 Downloader.Zlob.12.I
BitDefender 7.2 2008.04.05 Trojan.Downloader.Zlob.ABPK
CAT-QuickHeal 9.50 2008.04.05 Win32.Trojan-Downloader.ZLob.jbe.3
ClamAV 0.92.1 2008.04.05 Trojan.Zlob-2149
DrWeb 4.44.0.09170 2008.04.05 -
eSafe 7.0.15.0 2008.04.01 Suspicious File
eTrust-Vet 31.3.5672 2008.04.04 -
Ewido 4.0 2008.04.05 -
F-Prot 4.4.2.54 2008.04.05 W32/Downldr2.BFFZ
F-Secure 6.70.13260.0 2008.04.05 -
FileAdvisor 1 2008.04.05 -
Fortinet 3.14.0.0 2008.04.05 W32/Tibs.NU!tr.dldr
Ikarus T3.1.1.20.0 2008.04.05 -
Kaspersky 7.0.0.125 2008.04.05 -
McAfee 5267 2008.04.04 Tibs-Packed
Microsoft 1.3408 2008.04.05 Trojan:Win32/Tibs.gen!G
NOD32v2 3004 2008.04.05 -
Norman 5.80.02 2008.04.04 W32/Zlob.BHIC
Panda 9.0.0.4 2008.04.05 -
Prevx1 V2 2008.04.05 -
Rising 20.38.60.00 2008.04.03 -
Sophos 4.28.0 2008.04.05 Mal/EncPk-DA
Sunbelt 3.0.1032.0 2008.04.05 -
Symantec 10 2008.04.05 -
TheHacker 6.2.92.265 2008.04.04 Trojan/Downloader.Zlob.jbe
VBA32 3.12.6.3 2008.03.25 MalwareScope.Worm.Nuwar-Glowa.1
VirusBuster 4.3.26:9 2008.04.05 Trojan.DL.Zlob.Gen!Pac.46
Webwasher-Gateway 6.6.2 2008.04.04 Trojan.Dldr.Zlob.jbe.37
Additional information
File size: 92172 bytes
MD5...: e57890343d2afca6ea33fbf64fe3e135
SHA1..: 3ca989d7ee69a711e93f20d65c068d2371c7b4d9
SHA256: b7d3478d71f9336a5c74c47036bc8ae553e0a4cf2753dbaeceddcb80df12888a
SHA512: 8cf6d0915699eb356f18ea6142936071634a1a95c48b6d8d7b53a210bd6de7dbe900fe226f15febcec958b20148473f80eed5b49c8eadba9c799fb5842fb8e82
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x402476
timedatestamp.....: 0x47dea8ca (Mon Mar 17 17:22:18 2008)
machinetype.......: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x166da 0x10400 8.00 79c8eff1961176ec46682fedf36f2e2e
.rdata 0x18000 0x6244 0x3400 7.99 6b5e52e29f17e76232333d6ee5c6619b
.data 0x1f000 0x4000 0x2000 5.33 91abb78e4ece5a0563512c69a247c61b

( 2 imports )
> user32.dll: MessageBoxA, MessageBoxExA, SetDlgItemTextA, GetDlgItemTextA
> wininet.dll: InternetSetCookieExA, FtpDeleteFileA, InternetSetOptionW

( 0 exports )


File lex.exe received 2008.04.05 22:09:29 (CET)


Result: 0/32 (0%)


Antivirus Version Last update Result
AhnLab-V3 2008.4.4.1 2008.04.04 -
AntiVir 7.6.0.81 2008.04.04 -
Authentium 4.93.8 2008.04.05 -
Avast 4.7.1098.0 2008.04.04 -
AVG 7.5.0.516 2008.04.05 -
BitDefender 7.2 2008.04.05 -
CAT-QuickHeal 9.50 2008.04.05 -
ClamAV 0.92.1 2008.04.05 -
DrWeb 4.44.0.09170 2008.04.05 -
eSafe 7.0.15.0 2008.04.01 -
eTrust-Vet 31.3.5672 2008.04.04 -
Ewido 4.0 2008.04.05 -
F-Prot 4.4.2.54 2008.04.05 -
F-Secure 6.70.13260.0 2008.04.05 -
FileAdvisor 1 2008.04.05 -
Fortinet 3.14.0.0 2008.04.05 -
Ikarus T3.1.1.20.0 2008.04.05 -
Kaspersky 7.0.0.125 2008.04.05 -
McAfee 5267 2008.04.04 -
Microsoft 1.3408 2008.04.05 -
NOD32v2 3004 2008.04.05 -
Norman 5.80.02 2008.04.04 -
Panda 9.0.0.4 2008.04.05 -
Prevx1 V2 2008.04.05 -
Rising 20.38.60.00 2008.04.03 -
Sophos 4.28.0 2008.04.05 -
Sunbelt 3.0.1032.0 2008.04.05 -
Symantec 10 2008.04.05 -
TheHacker 6.2.92.265 2008.04.04 -
VBA32 3.12.6.3 2008.03.25 -
VirusBuster 4.3.26:9 2008.04.05 -
Webwasher-Gateway 6.6.2 2008.04.04 -
Additional information
File size: 325 bytes
MD5...: bf2997a265dfa4888c6cd62c0591f509
SHA1..: 732c47bd8c70ea143a7937baee7d7240d98e1791
SHA256: dfc292a4e899fc1f917da4c0e6627d58c0992ac6feef16bff6b6843a92ead8b5
SHA512: c098f1b5512a8c2411f4631267e669a6e037bc5038efb165f05160a10c2f8adf2c6fb438e95e0db0e08f384a2348536eb77ccfcb3d5940c9a28dc06dde03bdc6
PEiD..: -

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Sunday, April 06, 2008 12:58:28 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 6/04/2008
Kaspersky Anti-Virus database records: 615914
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\

Scan Statistics:
Total number of scanned objects: 53000
Number of viruses found: 3
Number of infected objects: 4
Number of suspicious objects: 2
Duration of the scan process: 00:42:12

Infected Object Name / Virus Name / Last Action
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\Documents and Settings\All Users\Data aplikací\Spybot - Search & Destroy\Recovery\ZlobDownloadervdt.zip/uninst.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Data aplikací\Spybot - Search & Destroy\Recovery\ZlobDownloadervdt.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Data aplikací\OrbNetworks\Logs\OrbTrayIcon.log Object is locked skipped
C:\Documents and Settings\All Users\Data aplikací\OrbNetworks\Logs\OrbErrors.log Object is locked skipped
C:\Documents and Settings\All Users\Data aplikací\OrbNetworks\Logs\CabDirectory.log Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Data aplikací\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Data aplikací\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Data aplikací\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Data aplikací\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Ruzicka\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Ruzicka\NTUSER.DAT.LOG Object is locked skipped
C:\Documents and Settings\Ruzicka\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Ruzicka\Local Settings\History\History.IE5\MSHist012008040620080407\index.dat Object is locked skipped
C:\Documents and Settings\Ruzicka\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Ruzicka\Local Settings\Data aplikací\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Ruzicka\Local Settings\Data aplikací\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Ruzicka\Local Settings\Temp\~DF641B.tmp Object is locked skipped
C:\Documents and Settings\Ruzicka\Local Settings\Temp\~DF6424.tmp Object is locked skipped
C:\Documents and Settings\Ruzicka\Local Settings\Temp\~DF7F19.tmp Object is locked skipped
C:\Documents and Settings\Ruzicka\Cookies\index.dat Object is locked skipped
C:\Program Files\ESET\logs\virlog.dat Object is locked skipped
C:\Program Files\ESET\logs\warnlog.dat Object is locked skipped
C:\Program Files\ESET\cache\CACHE.NDB Object is locked skipped
C:\System Volume Information\_restore{6765F50C-626C-48BD-9B9E-BD981AD8465F}\RP88\change.log Object is locked skipped
C:\SDFix\backups_old\backups.zip/backups/msdnc2.exe Infected: Trojan-Downloader.Win32.Small.uaz skipped
C:\SDFix\backups_old\backups.zip ZIP: infected - 1 skipped
C:\SDFix\backups\backups.zip/backups/iasl.exe Infected: Trojan-Clicker.Win32.Delf.ug skipped
C:\SDFix\backups\backups.zip ZIP: infected - 1 skipped

Scan process completed.
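
The VirusTotal "PEInfo" block above deserves a closer look than the detection count: .text and .rdata at 8.00 and 7.99 bits per byte are as close to random as a section can get, which is why several engines name the file after its packer rather than its payload (McAfee "Tibs-Packed", Sophos "Mal/EncPk-DA"), and an import table of four user32 and three wininet functions is the thin stub a packer leaves visible, not what a downloader needs at runtime. The script below reproduces those measurements so the same reading can be applied to any sample. It is an added example for this page, not code from the thread or from VirusTotal. The 7.2 bits-per-byte "packed" threshold is an assumption, and the PE image it analyses is constructed inline (a uniform-byte .text standing in for a packed body, an all-zero .data), so the digests it prints will not and should not match the shlyapa.exe hashes, which are carried along only as the IOC set to compare against.

```python
"""Digests and per-section entropy for a PE file, the figures VirusTotal shows in
the report above (MD5/SHA1/SHA256, "ntrpy" per section, entrypoint location).
Added example for this thread; not code from the post or from VirusTotal.
"""
import hashlib
import math
import struct
from collections import Counter
from typing import Dict, List

# Digests VirusTotal reported for shlyapa.exe above, kept as the IOC set to match.
SHLYAPA_IOCS = {
    "md5": "e57890343d2afca6ea33fbf64fe3e135",
    "sha256": "b7d3478d71f9336a5c74c47036bc8ae553e0a4cf2753dbaeceddcb80df12888a",
}
PACKED_THRESHOLD = 7.2  # assumption: above this many bits/byte a section is compressed or encrypted

def shannon_entropy(buf: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for a uniform one."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())

def parse_pe(data: bytes) -> Dict[str, object]:
    """Minimal PE32 walk: DOS header -> PE signature -> COFF header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    machine, nsect, _ts, _sym, _nsym, opt_size, _flags = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0] if opt_size >= 20 else 0
    sections: List[Dict[str, object]] = []
    for i in range(nsect):
        name, vsize, vaddr, rawsize, rawptr, *_ = struct.unpack_from("<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vaddr": vaddr, "vsize": vsize, "rawptr": rawptr, "rawsize": rawsize})
    return {"machine": machine, "entry_rva": entry_rva, "sections": sections}

def analyze(data: bytes) -> Dict[str, object]:
    """Whole-file digests, per-section entropy, entrypoint section, IOC hits."""
    pe = parse_pe(data)
    sections = []
    entry_section = None
    for s in pe["sections"]:
        raw = data[s["rawptr"]:s["rawptr"] + s["rawsize"]]
        ent = shannon_entropy(raw)
        sections.append({"name": s["name"], "entropy": round(ent, 2),
                         "packed": ent >= PACKED_THRESHOLD})
        # an entrypoint outside the first code section is another packer tell
        if s["vaddr"] <= pe["entry_rva"] < s["vaddr"] + max(s["vsize"], s["rawsize"]):
            entry_section = s["name"]
    report: Dict[str, object] = {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "sections": sections, "entry_section": entry_section,
        "likely_packed": any(x["packed"] for x in sections),
    }
    report["ioc_hits"] = [k for k, v in SHLYAPA_IOCS.items() if report[k] == v]
    return report

def build_sample_pe() -> bytes:
    """Constructed PE32 image, not a real binary: a uniform-byte .text (stands in
    for a packed body, exactly 8.00 bits/byte) and an all-zero .data (0.00)."""
    text = bytes(range(256)) * 16
    data_sec = b"\0" * 4096
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                     # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0x47DEA8CA, 0, 0, 224, 0x010F)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                       # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1010)                     # AddressOfEntryPoint, inside .text
    struct.pack_into("<I", opt, 28, 0x400000)                   # ImageBase
    sect = struct.pack("<8sIIIIIIHHI", b".text", 0x1000, 0x1000, len(text), 0x200, 0, 0, 0, 0, 0x60000020)
    sect += struct.pack("<8sIIIIIIHHI", b".data", 0x1000, 0x2000, len(data_sec), 0x1200, 0, 0, 0, 0, 0xC0000040)
    header = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sect
    return header.ljust(0x200, b"\0") + text + data_sec

if __name__ == "__main__":
    rep = analyze(build_sample_pe())
    print("sha256", rep["sha256"])
    for s in rep["sections"]:
        print(f'{s["name"]:8} entropy={s["entropy"]:.2f} packed={s["packed"]}')
    print("entrypoint in", rep["entry_section"], "| IOC hits:", rep["ioc_hits"] or "none")
```

Run it against a file with `analyze(open(path, "rb").read())`; a section at 7.9 or above together with a handful of imports is the same picture the VirusTotal block paints for shlyapa.exe, and a non-empty `ioc_hits` means the exact sample from this thread.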

Re: win32/Nuwar worm, please check the log (solved!?)

Posted: 06 Apr 2008 18:16
by fredik
I see you've reinstalled NOD, so reinstall Nero as well.

Create a new CFScript and use it the same way as the previous one, except this time paste the following into it:
Note: do not use SELECT ALL to highlight the script

Driver::
Browsersrservice

File::
C:\Documents and Settings\Ruzicka\shlyapa.exe
C:\z1.dat

Then post the log that ComboFix produces after it runs here + a new HJT log
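
What the Driver:: line in that script is for, as an added example and not part of the thread: the HijackThis O23 line reports the Browsersrservice binary as "(file missing)" and the ComboFix line prints empty brackets where the file timestamp would be, yet the service is still registered with start type 2 (automatic), so the orphaned registration has to be removed separately from the file. The Python below parses both log formats, flags orphaned and vendorless services, and emits that Driver:: section. The sample lines are copied from the logs posted in this thread; the regexes and the triage rules are my own reading of the two formats, not anything from HijackThis or ComboFix, and it deliberately emits only Driver:: entries, since File:: deletions such as shlyapa.exe and z1.dat above need a human decision.

```python
"""Triage service/driver registrations from HijackThis and ComboFix logs and
emit the Driver:: section of a ComboFix CFScript for orphaned services.
Added example for this thread; not code from the thread or from either tool.
"""
import re
from typing import Dict, List

# Sample input: lines copied from the HijackThis and ComboFix logs posted above.
SAMPLE_LOG = r"""
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Prohledávání počítačů Browsersrservice (Browsersrservice) - Unknown owner - C:\WINDOWS\system32\msdnc1.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
R3 PSched;Plánovač paketů technologie QoS;C:\WINDOWS\system32\DRIVERS\psched.sys [2004-08-03 23:04]
S2 Browsersrservice;Prohledávání počítačů Browsersrservice;C:\WINDOWS\system32\msdnc1.exe []
"""

# HJT O23: display name, (service name), owner/company, path, optional "(file missing)".
HJT_O23 = re.compile(
    r"^O23 - Service: (?P<display>.+?) \((?P<name>[^()]+)\) - (?P<owner>.+?) - "
    r"(?P<path>.+?)(?P<missing> \(file missing\))?$"
)
# ComboFix service line: R = running / S = stopped, digit = start type, then
# name;display;path [file timestamp]; the brackets are empty when the file is gone.
CF_SVC = re.compile(
    r"^(?P<state>[RS])(?P<start>\d) (?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>.+?) \[(?P<stamp>[^\]]*)\]$"
)

Record = Dict[str, object]

def parse_services(log_text: str) -> List[Record]:
    """Pull service registrations out of mixed HJT / ComboFix log text."""
    records: List[Record] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = HJT_O23.match(line)
        if m:
            records.append({
                "source": "hjt", "name": m["name"], "display": m["display"],
                "owner": m["owner"], "path": m["path"],
                "missing": m["missing"] is not None,
                "autostart": None,                 # HJT does not print the start type
            })
            continue
        m = CF_SVC.match(line)
        if m:
            records.append({
                "source": "combofix", "name": m["name"], "display": m["display"],
                "owner": None, "path": m["path"],
                "missing": m["stamp"] == "",       # empty [] = ComboFix could not stat the file
                "autostart": m["start"] == "2",    # 2 = SERVICE_AUTO_START
            })
    return records

def triage(records: List[Record]) -> List[str]:
    """Human-readable findings; one rule per line so it is easy to extend."""
    findings: List[str] = []
    for r in records:
        tag = f"[{r['source']}] {r['name']}"
        if r["missing"]:
            findings.append(f"{tag}: binary {r['path']} is gone but the service is still registered")
        if r["owner"] == "Unknown owner":
            findings.append(f"{tag}: no company name in version info, review manually")
        if r["autostart"] and r["missing"]:
            findings.append(f"{tag}: automatic start of a missing binary, fails on every boot")
    return findings

def orphaned_services(records: List[Record]) -> List[str]:
    """Distinct names of services whose binary is missing, in first-seen order."""
    names: List[str] = []
    for r in records:
        if r["missing"] and r["name"] not in names:
            names.append(str(r["name"]))
    return names

def cfscript_for(records: List[Record]) -> str:
    """Driver:: section in the CFScript format used above; '' when nothing qualifies."""
    names = orphaned_services(records)
    return "Driver::\n" + "\n".join(names) + "\n" if names else ""

if __name__ == "__main__":
    recs = parse_services(SAMPLE_LOG)
    print("\n".join(triage(recs)))
    print(cfscript_for(recs), end="")
```

Feed it a whole HJT or ComboFix log and the output for this thread is exactly the `Driver::` / `Browsersrservice` pair fredik asked for; a service whose binary exists but shows "Unknown owner" is only reported, not scripted, because a missing company name alone is not grounds for removal.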

Re: win32/Nuwar worm, please check the log (solved!?)

Posted: 06 Apr 2008 21:58
by Jagud
I have to reinstall NOD every month; Nero I've thrown out for now. I've now attached the HijackThis logfile as well. Thanks

ComboFix 08-04-04.1 - Ruzicka 2008-04-06 21:47:57.4 - FAT32x86
System: Microsoft Windows XP Professional 5.1.2600.2.1250.1.1029.18.272 [GMT 2:00]
Running from: C:\Documents and Settings\Ruzicka\Plocha\ComboFix.exe
Command switches used :: C:\Documents and Settings\Ruzicka\Plocha\CFScript.txt
* Created a new restore point
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\Documents and Settings\Ruzicka\shlyapa.exe
C:\z1.dat
.

((((((((((((((((((((((((( Files Created from 2008-03-06 to 2008-04-06 )))))))))))))))))))))))))))))))
.

2008-04-05 22:16 . 2008-04-05 22:16 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-04-05 22:16 . 2008-04-05 22:16 <DIR> d-------- C:\Documents and Settings\All Users\Data aplikací\Kaspersky Lab
2008-04-05 09:00 . 2008-04-05 09:00 <DIR> d-------- C:\Program Files\Winamp Toolbar
2008-04-05 09:00 . 2008-04-05 09:00 <DIR> d-------- C:\Documents and Settings\All Users\Data aplikací\Winamp Toolbar
2008-04-05 08:59 . 2008-04-05 08:59 <DIR> d-------- C:\Program Files\Winamp Remote
2008-04-05 08:59 . 2008-04-05 08:59 <DIR> d-------- C:\Documents and Settings\All Users\Data aplikací\OrbNetworks
2008-04-03 21:55 . 2008-04-03 21:55 502,368 --a------ C:\WINDOWS\system32\drivers\amon.sys
2008-04-03 21:55 . 2008-04-03 21:55 274,432 --a------ C:\WINDOWS\system32\imon.dll
2008-04-03 12:39 . 2008-04-03 12:39 <DIR> d--hs---- C:\FOUND.007
2008-04-03 12:06 . 2008-04-03 12:06 <DIR> d--hs---- C:\FOUND.006
2008-04-02 22:39 . 2003-05-23 13:28 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
2008-04-02 22:39 . 2003-05-23 13:28 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll
2008-04-02 22:37 . 2008-04-02 22:37 <DIR> d-------- C:\Program Files\Max Payne 2
2008-04-02 22:37 . 2003-05-23 13:28 1,060,864 --a------ C:\WINDOWS\system32\mfc71.dll
2008-03-23 19:29 . 2008-03-23 19:29 <DIR> d-------- C:\Documents and Settings\Ruzicka\Data aplikací\CoolFlvMan
2008-03-23 19:26 . 2008-03-23 19:26 <DIR> d-------- C:\Videos
2008-03-23 19:25 . 2008-03-23 19:25 <DIR> d-------- C:\Documents and Settings\Ruzicka\Data aplikací\CoolYouTubeDownloader
2008-03-20 20:15 . 2008-03-20 20:15 <DIR> d-------- C:\fixwareout
2008-03-20 19:58 . 2004-08-17 15:49 577,024 --a------ C:\WINDOWS\system32\dllcache\user32.dll
2008-03-20 19:55 . 2008-03-20 19:55 <DIR> d-------- C:\WINDOWS\ERUNT
2008-03-20 19:46 . 2008-03-20 04:14 <DIR> d-------- C:\SDFix
2008-03-20 12:44 . 2008-03-20 12:44 325 --a------ C:\Documents and Settings\Ruzicka\lex.exe
2008-03-14 00:05 . 2008-03-14 00:05 <DIR> d-------- C:\Documents and Settings\Ruzicka\Data aplikací\skypePM
2008-03-14 00:05 . 2008-03-14 00:05 32 --a------ C:\Documents and Settings\All Users\Data aplikací\ezsid.dat
2008-03-14 00:03 . 2008-03-14 00:03 <DIR> d-------- C:\Program Files\Skype
2008-03-14 00:03 . 2008-03-14 00:03 <DIR> d-------- C:\Program Files\Common Files\Skype
2008-03-14 00:03 . 2008-03-14 00:03 <DIR> d-------- C:\Documents and Settings\Ruzicka\Data aplikací\Skype
2008-03-14 00:03 . 2008-03-14 00:03 <DIR> d-------- C:\Documents and Settings\All Users\Data aplikací\Skype
2008-03-09 22:44 . 2008-03-09 22:44 <DIR> d-------- C:\Program Files\Lavasoft
2008-03-09 22:44 . 2008-03-09 22:44 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-03-09 22:44 . 2008-03-09 22:44 <DIR> d-------- C:\Documents and Settings\All Users\Data aplikací\Lavasoft

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-03 08:12 98,304 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
.

------- Sigcheck -------

2004-08-03 23:14 359040 1745b00fc1141404b28f4b94f69a8871 C:\WINDOWS\system32\drivers\tcpip.sys
2001-10-25 12:00 327168 e7774698bb0d14b0710a9a31e209f9b6 C:\WINDOWS\$NtServicePackUninstall$\tcpip.sys
2004-08-03 23:14 359040 1745b00fc1141404b28f4b94f69a8871 C:\WINDOWS\ServicePackFiles\i386\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{25CEE8EC-5730-41bc-8B58-22DDC8AB8C20}]
2008-03-20 00:36 1267040 --a------ C:\Program Files\Winamp Toolbar\winamptb.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{EBF2BA02-9094-4C5A-858B-BB198F3D8DE2}"= "C:\Program Files\Winamp Toolbar\winamptb.dll" [2008-03-20 00:36 1267040]

[HKEY_CLASSES_ROOT\clsid\{ebf2ba02-9094-4c5a-858b-bb198f3d8de2}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand.1]
[HKEY_CLASSES_ROOT\TypeLib\{538CD77C-BFDD-49b0-9562-77419CAB89D1}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{EBF2BA02-9094-4C5A-858B-BB198F3D8DE2}"= C:\Program Files\Winamp Toolbar\winamptb.dll [2008-03-20 00:36 1267040]

[HKEY_CLASSES_ROOT\clsid\{ebf2ba02-9094-4c5a-858b-bb198f3d8de2}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand.1]
[HKEY_CLASSES_ROOT\TypeLib\{538CD77C-BFDD-49b0-9562-77419CAB89D1}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Orb"="C:\Program Files\Winamp Remote\bin\OrbTray.exe" [2008-03-25 04:59 507904]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"ICQ Lite"="C:\Program Files\ICQLite\ICQLite.exe" [2006-07-27 19:12 3142236]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-02-24 07:32 5537792]
"nwiz"="nwiz.exe" [2005-02-24 07:32 1495040 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2005-02-24 07:32 86016]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2008-04-03 21:55 921600]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-17 15:49 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTSyncU.exe]
--------- 2006-06-12 14:32 700416 C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
-ra------ 2008-02-01 17:22 21898024 C:\Program Files\Skype\Phone\Skype.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\ICQLite\\ICQLite.exe"=
"C:\\Program Files\\BearShare Applications\\BearShare\\BearShare.exe"=
"D:\\World of Warcraft\\BackgroundDownloader.exe"=
"C:\\Program Files\\Gadu-Gadu\\GG.EXE"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\\Program Files\\Winamp Remote\\bin\\Orb.exe"=
"C:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe"=
"C:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

R3 PSched;Plánovač paketů technologie QoS;C:\WINDOWS\system32\DRIVERS\psched.sys [2004-08-03 23:04]
S2 Browsersrservice;Prohledávání počítačů Browsersrservice;C:\WINDOWS\system32\msdnc1.exe []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e42f368d-dc83-11db-ae5d-000e2e091e79}]
\shell\open\command - %SystemRoot%\Explorer.exe /idlist,%I,%L

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-06 21:49:01
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\lsass.exe
-> C:\Program Files\Eset\pr_imon.dll
.
Completion time: 2008-04-06 21:49:17
ComboFix3.txt 2008-04-05 20:00:40
ComboFix-quarantined-files.txt 2008-04-06 19:49:16
ComboFix2.txt 2008-04-06 19:35:42
Directories: 21, Free bytes: 19,414,908,928
Directories: 27, Free bytes: 19,405,897,728


Logfile of HijackThis v1.99.1
Scan saved at 21:50:26, on 6.4.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Winamp Remote\bin\OrbTray.exe
C:\Program Files\ICQLite\ICQLite.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\WINCMD32\WINCMD32.EXE
C:\Install\HIJAC\HIJACK~1.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.seznam.cz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
R3 - URLSearchHook: Winamp Search Class - {57BCA5FA-5DBB-45a2-B558-1755C3F6253B} - C:\Program Files\Winamp Toolbar\winamptb.dll
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
O2 - BHO: Winamp Toolbar Loader - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - C:\Program Files\Winamp Toolbar\winamptb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
O3 - Toolbar: (no name) - {2F63DD45-30A0-422E-AF1E-01DD88BA9A5C} - (no file)
O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [Orb] "C:\Program Files\Winamp Remote\bin\OrbTray.exe" /background
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -trayboot
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Program Files\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: &Winamp Search - C:\Documents and Settings\All Users\Data aplikací\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/ka ... nicode.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Prohledávání počítačů Browsersrservice (Browsersrservice) - Unknown owner - C:\WINDOWS\system32\msdnc1.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)

Re: win32/Nuwar worm, please check my log (solved!?)

Posted: 07 Apr 2008 20:05
by fredik
Go to Start -> Run... and type the command marked in blue into the box: ComboFix /u, then click OK.
- there must be a space between ComboFix and /u

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

Go to Start -> Run... A window will open; into the empty field type/paste, one at a time, the commands marked in bold:
sc stop Browsersrservice
then either click the OK button or press Enter
then paste this command there
sc delete Browsersrservice
and again either click the OK button or press Enter
Restart the PC.

Then post a new HJT log here.
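An added example, not part of fredik's post or of the original thread: the same stop-and-delete step as a PowerShell script that first does the checks a practitioner would want before deleting a service that HijackThis listed as "Unknown owner ... (file missing)". The service name Browsersrservice and the expected path C:\WINDOWS\system32\msdnc1.exe come from the O23 line in the log above; that the script runs elevated on the infected machine, and the way it parses ImagePath, are assumptions. It generalises the post's two commands by reading the service's ImagePath from the registry, handling quoted paths with arguments (the rpcapd entry in the same log is an example of that shape) and environment variables, and refusing to delete a service whose binary is still on disk, since in that case the file needs to go to the AV first.

```powershell
# Added example (not from the original thread). Audits one service the way
# HijackThis does for its O23 lines, then removes it only if it is an orphan.
# Assumes an elevated PowerShell on the machine being cleaned.
param(
    [string]$ServiceName = 'Browsersrservice'   # name from the O23 line in the HJT log
)

# 1. Read the service configuration from the registry, the same source HJT
#    uses for the path it prints after the service name.
$key = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
if (-not (Test-Path -LiteralPath $key)) {
    Write-Host "No registry key for service '$ServiceName' - nothing to remove."
    return
}
$props     = Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue
$imagePath = [string]$props.ImagePath
$display   = [string]$props.DisplayName
Write-Host "DisplayName : $display"
Write-Host "ImagePath   : $imagePath"

# 2. Pull the executable out of ImagePath. It may be quoted, may carry
#    arguments (e.g. '...\rpcapd.exe" -d -f "...\rpcapd.ini' in the log) and
#    may use %SystemRoot% / %ProgramFiles%. Only .exe services are handled;
#    kernel drivers use relative .sys paths and are left for manual review.
if ($imagePath -notmatch '^\s*"?([^"]*?\.exe)"?') {
    Write-Warning "ImagePath is not a plain .exe path; inspect it manually."
    return
}
$exe          = [Environment]::ExpandEnvironmentVariables($Matches[1])
$binaryExists = Test-Path -LiteralPath $exe -PathType Leaf
Write-Host "Binary      : $exe (exists: $binaryExists)"

# 3. A service whose binary is still present is not an orphan: quarantine
#    or submit the file before touching the service entry.
if ($binaryExists) {
    Write-Warning "Binary still on disk; quarantine it with the AV before deleting the service."
    return
}

# 4. Mirror the post: 'sc stop' (failure is expected, the binary is gone so
#    nothing is running) followed by 'sc delete'.
& sc.exe stop   $ServiceName | Out-Null
& sc.exe delete $ServiceName

# 5. 'sc delete' only marks the key for deletion; it vanishes after the
#    reboot the post asks for, or at once if no handle is open on it.
if (Test-Path -LiteralPath $key) {
    Write-Host "Service marked for deletion; reboot, then re-run HijackThis and confirm the O23 line is gone."
} else {
    Write-Host "Service '$ServiceName' removed."
}
```

Run it as Administrator with no arguments to audit the service from the log, or pass -ServiceName for any other O23 entry marked "(file missing)". The "binary still exists" branch is the important caveat: deleting the service registration while the executable remains only hides the entry from HijackThis and leaves the file for the next autostart mechanism the malware installs.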

Re: win32/Nuwar worm, please check my log (solved!?)

Posted: 08 Apr 2008 12:25
by Jagud
I ran the commands described and am posting the log file:

Logfile of HijackThis v1.99.1
Scan saved at 12:20:57, on 8.4.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Winamp Remote\bin\OrbTray.exe
C:\WINCMD32\WINCMD32.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Install\HIJAC\HIJACK~1.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.seznam.cz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
R3 - URLSearchHook: Winamp Search Class - {57BCA5FA-5DBB-45a2-B558-1755C3F6253B} - C:\Program Files\Winamp Toolbar\winamptb.dll
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
O2 - BHO: Winamp Toolbar Loader - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - C:\Program Files\Winamp Toolbar\winamptb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
O3 - Toolbar: (no name) - {2F63DD45-30A0-422E-AF1E-01DD88BA9A5C} - (no file)
O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [Orb] "C:\Program Files\Winamp Remote\bin\OrbTray.exe" /background
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Program Files\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: &Winamp Search - C:\Documents and Settings\All Users\Data aplikací\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/ka ... nicode.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)