The problem is in the file C:\windows\system32\user32.dll - it is infected with the Win32:SysPatch virus and cannot be deleted or cleaned; the virus stays there even after using ComboFix and SDFix, and it is there in safe mode too...
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:48:53, on 30.12.2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Rockstar Games\Rockstar Games Social Club\1_1_3_0\RGSC.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.seznam.cz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
O2 - BHO: Podpora odkazu pro Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [RGSC] D:\Program Files\Rockstar Games\Rockstar Games Social Club\RGSCLauncher.exe /silent
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 0655328406
O17 - HKLM\System\CCS\Services\Tcpip\..\{84A634DD-D4C0-444C-A1F1-AC6610019E1B}: NameServer = 81.31.33.19,80.79.16.3
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
--
End of file - 3814 bytes
ComboFix 08-12-29.02 - Uzivatel 2008-12-30 17:20:20.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1250.1.1029.18.3071.2615 [GMT 1:00]
Run from: c:\documents and settings\Uzivatel\Plocha\ComboFix.exe
WARNING - THE RECOVERY CONSOLE IS NOT INSTALLED ON THIS COMPUTER !!
.
((((((((((((((((((((((((( Files created from 2008-11-28 to 2008-12-30 )))))))))))))))))))))))))))))))
.
2008-12-30 17:19 . 2008-12-30 17:19 5,120 --ahs---- c:\windows\system32\Thumbs.db
2008-12-29 17:26 . 2008-11-12 13:45 453,152 --a------ c:\windows\system32\NVUNINST.EXE
2008-12-29 17:26 . 2008-11-12 14:54 453,152 --a------ c:\windows\system32\nvudisp.exe
2008-12-29 17:26 . 2008-12-29 17:28 203,188 --a------ c:\windows\system32\nvapps.xml
2008-12-29 17:26 . 2008-11-12 14:54 18,537 --a------ c:\windows\system32\nvdisp.nvu
2008-12-29 16:44 . 2008-12-29 16:44 <DIR> d-------- c:\windows\system32\XPSViewer
2008-12-29 16:43 . 2008-12-29 16:43 <DIR> d-------- c:\program files\Reference Assemblies
2008-12-29 16:43 . 2006-06-29 13:07 14,048 --------- c:\windows\system32\spmsg2.dll
2008-12-29 16:33 . 2008-12-29 16:33 <DIR> dr-h----- c:\documents and settings\Uzivatel\Data aplikací\SecuROM
2008-12-29 16:31 . 2008-12-29 16:52 <DIR> d-------- c:\program files\Microsoft Games for Windows - LIVE
2008-12-29 14:23 . 2008-12-29 14:23 <DIR> d-------- c:\program files\CCleaner
2008-12-29 14:22 . 2008-12-29 14:22 <DIR> d-------- c:\program files\Trend Micro
2008-12-29 14:01 . 2008-12-29 14:01 <DIR> d-------- C:\totalcmd
2008-12-29 14:01 . 2008-12-29 14:40 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-12-29 14:01 . 2008-12-30 17:04 <DIR> d-------- c:\documents and settings\All Users\Data aplikací\Spybot - Search & Destroy
2008-12-29 14:01 . 2008-12-30 17:05 1,036 --a------ c:\windows\wincmd.ini
2008-12-29 14:01 . 2008-08-08 07:04 545 --a------ c:\windows\UC.PIF
2008-12-29 14:01 . 2008-08-08 07:04 545 --a------ c:\windows\RAR.PIF
2008-12-29 14:01 . 2008-08-08 07:04 545 --a------ c:\windows\PKZIP.PIF
2008-12-29 14:01 . 2008-08-08 07:04 545 --a------ c:\windows\PKUNZIP.PIF
2008-12-29 14:01 . 2008-08-08 07:04 545 --a------ c:\windows\NOCLOSE.PIF
2008-12-29 14:01 . 2008-08-08 07:04 545 --a------ c:\windows\LHA.PIF
2008-12-29 14:01 . 2008-08-08 07:04 545 --a------ c:\windows\ARJ.PIF
2008-12-29 13:57 . 2008-12-29 17:08 664 --a------ c:\windows\system32\d3d9caps.dat
2008-12-29 13:05 . 2008-12-29 13:05 <DIR> d-------- c:\documents and settings\All Users\Data aplikací\ESET
2008-12-29 12:55 . 2008-12-29 12:55 <DIR> d-------- c:\documents and settings\All Users\Data aplikací\IsolatedStorage
2008-12-28 16:36 . 2008-12-28 16:36 <DIR> d-------- c:\program files\Alwil Software
2008-12-28 16:32 . 2008-12-28 16:32 <DIR> d-------- c:\program files\Webteh
2008-12-28 12:29 . 2008-12-28 12:29 8,703 ---h----- c:\documents and settings\Uzivatel\.exe
2008-12-27 20:26 . 2008-12-27 20:26 65,024 --a------ c:\windows\system32\2rg3.es
2008-12-27 20:26 . 2008-12-27 20:26 64,512 --a------ c:\windows\system32\ef3p.ee
2008-12-27 20:26 . 2008-12-27 20:26 32,768 --a------ c:\windows\system32\zred.pa
2008-12-27 20:26 . 2008-12-27 20:26 32,768 --a------ c:\windows\system32\fks.as
2008-12-27 20:26 . 2008-12-27 20:26 24,576 --a------ c:\windows\system32\4rr.pa
2008-12-27 20:26 . 2008-12-27 20:26 21,504 --a------ c:\windows\system32\gr1.e
2008-12-26 13:56 . 2008-12-26 13:56 <DIR> d-------- c:\program files\MPMAN
2008-12-25 21:44 . 2008-12-25 21:44 <DIR> d-------- c:\windows\system32\xlive
2008-12-20 15:49 . 2008-12-20 15:49 <DIR> d-------- c:\documents and settings\Uzivatel\Data aplikací\DAEMON Tools Pro
2008-12-20 15:48 . 2008-12-20 15:48 <DIR> d-------- c:\program files\DAEMON Tools Lite
2008-12-20 15:48 . 2008-12-20 15:49 <DIR> d-------- c:\documents and settings\Uzivatel\Data aplikací\DAEMON Tools Lite
2008-12-20 15:48 . 2008-12-20 15:48 <DIR> d-------- c:\documents and settings\All Users\Data aplikací\DAEMON Tools Lite
2008-12-19 14:57 . 2008-12-19 14:58 <DIR> d-------- c:\program files\Hfs Evidence
2008-12-18 14:06 . 2008-12-18 14:06 <DIR> d-------- c:\program files\CENZURA
2008-12-07 16:24 . 2008-04-14 08:51 21,504 --a------ c:\windows\system32\hidserv.dll
2008-12-07 16:24 . 2008-04-14 08:51 21,504 --a--c--- c:\windows\system32\dllcache\hidserv.dll
2008-12-07 16:24 . 2008-04-14 07:59 14,592 --a------ c:\windows\system32\drivers\kbdhid.sys
2008-12-07 16:24 . 2008-04-14 07:59 14,592 --a--c--- c:\windows\system32\dllcache\kbdhid.sys
2008-12-02 13:49 . 2008-12-03 14:18 <DIR> d-------- c:\program files\sunmedia
2008-11-26 12:28 . 2008-12-19 17:30 <DIR> d-------- c:\program files\DivX
2008-11-26 12:28 . 2008-11-26 12:29 404 --a------ c:\windows\VFO.VST
2008-11-26 12:28 . 2008-11-26 12:28 41 --a------ c:\windows\system32\blue.SITENAME
2008-11-26 12:12 . 2008-11-26 12:30 <DIR> d-------- c:\program files\Steinberg
2008-11-26 12:12 . 2008-11-26 12:12 2,019 --a------ c:\windows\NewRecorder.reg
2008-11-26 12:11 . 2008-11-26 12:11 <DIR> d-------- c:\program files\Jasc Software Inc
2008-11-26 12:11 . 2008-11-26 12:11 <DIR> d-------- c:\documents and settings\All Users\Data aplikací\InstallShield
2008-11-26 12:05 . 2003-03-16 00:15 90,112 --a------ c:\windows\unvise32.exe
2008-11-26 11:58 . 2005-06-02 19:28 171,008 --a------ c:\windows\system32\drivers\MarvinBus.sys
2008-11-26 11:58 . 2004-07-02 17:28 89,088 --a------ c:\windows\system32\atl71.dll
2008-11-26 11:58 . 2004-07-02 17:28 84,992 --a------ c:\windows\system32\ATL70.DLL
2008-11-26 11:58 . 2008-11-26 12:33 1,182 --a------ c:\windows\VFO.INI
2008-11-26 11:55 . 2008-11-26 11:55 <DIR> d-------- c:\documents and settings\All Users\Data aplikací\Pinnacle Studio
2008-11-26 11:52 . 2008-11-26 20:44 <DIR> d-------- c:\program files\Pinnacle
2008-11-26 11:52 . 2008-11-26 12:29 <DIR> d-------- c:\documents and settings\All Users\Data aplikací\Pinnacle
2008-11-26 11:52 . 2005-02-09 12:59 14,165 --a------ c:\windows\system32\drivers\Pclepci.sys
2008-11-21 19:45 . 2008-11-21 19:46 <DIR> d-------- c:\program files\Agent Hugo - Hula Holiday
2008-11-20 15:46 . 2008-11-20 15:46 <DIR> d-------- c:\program files\AC3Filter
2008-11-20 15:46 . 2007-08-18 08:54 380,928 --a------ c:\windows\system32\ac3filter.acm
2008-11-13 09:55 . 2008-10-24 12:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-04 18:21 . 2008-11-04 18:21 <DIR> d-------- c:\program files\Centauri
.
(((((((((((((((((((((((((((((((((((((((( Find3M report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-30 15:06 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-29 17:50 66,872 ----a-w c:\windows\system32\PnkBstrA.exe
2008-12-29 16:06 --------- d-----w c:\program files\Norton Security Scan
2008-12-29 16:05 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-12-29 15:46 --------- d-----w c:\program files\MSBuild
2008-12-27 19:26 578,560 ----a-w c:\windows\system32\user32.DLL
2008-12-24 11:56 183,112 ----a-w c:\windows\system32\PnkBstrB.exe
2008-12-24 11:56 138,184 ----a-w c:\windows\system32\drivers\PnkBstrK.sys
2008-12-23 22:36 --------- d-----w c:\documents and settings\Uzivatel\Data aplikací\Skype
2008-12-23 17:25 --------- d-----w c:\documents and settings\Uzivatel\Data aplikací\skypePM
2008-12-20 14:49 --------- d-----w c:\documents and settings\Uzivatel\Data aplikací\DAEMON Tools
2008-12-10 21:14 --------- d-----w c:\documents and settings\All Users\Data aplikací\Microsoft Help
2008-11-26 11:11 --------- d-----w c:\program files\Common Files\InstallShield
2008-11-10 20:28 15,398 ----a-w c:\windows\system32\ealregsnapshot1.reg
2008-11-10 20:28 107,888 ----a-w c:\windows\system32\CmdLineExt.dll
2008-11-09 12:54 682,280 ----a-w c:\windows\system32\pbsvc.exe
2008-11-09 12:54 22,328 ----a-w c:\documents and settings\Uzivatel\Data aplikací\PnkBstrK.sys
2008-10-28 16:41 14,303,392 ----a-w c:\windows\system32\xlive.dll
2008-10-28 16:41 13,643,936 ----a-w c:\windows\system32\xlivefnt.dll
2008-10-23 12:42 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-10-16 20:33 826,368 ----a-w c:\windows\system32\wininet.dll
2008-10-16 13:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 13:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 13:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 13:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 13:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 13:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 13:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 13:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 13:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 13:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-10-03 10:04 247,326 ----a-w c:\windows\system32\strmdll.dll
2008-09-23 12:15 4,608 ----a-w c:\windows\system32\w95inf32.dll
2008-09-23 12:15 2,272 ----a-w c:\windows\system32\w95inf16.dll
2008-09-15 15:27 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-09-10 01:16 1,307,648 ----a-w c:\windows\system32\msxml6.dll
2008-09-09 13:16 86,016 ----a-w c:\windows\system32\OpenAL32.dll
2008-09-09 13:16 262,144 ----a-w c:\windows\system32\wrap_oal.dll
2008-09-09 12:49 315,392 ----a-w c:\windows\HideWin.exe
2008-09-09 12:41 737,280 ----a-w c:\windows\iun6002.exe
2008-09-04 17:17 1,106,944 ----a-w c:\windows\system32\msxml3.dll
.
c:\windows\system32\user32.dll ... is infected !!
578,560 2008-12-27 19:26:05 c:\windows\system32\user32.DLL
(((((((((((((((((((((((((((((((((( Registry startup points )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries and legitimate default entries are not shown.
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"RGSC"="d:\program files\Rockstar Games\Rockstar Games Social Club\RGSCLauncher.exe" [2008-12-29 306088]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-11-26 81000]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.divxa32"= msaud32_divx.acm
"msacm.ac3filter"= ac3filter.acm
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 21:16 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avast!]
--a------ 2008-11-26 18:18 81000 c:\progra~1\ALWILS~1\Avast4\ashDisp.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
--a------ 2008-04-14 07:52 15360 c:\windows\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
--a------ 2008-12-10 10:02 216520 c:\program files\DAEMON Tools Lite\daemon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LaunchList]
--a------ 2008-04-14 07:52 26112 c:\program files\Pinnacle\Studio 10\launchlist.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2008-04-14 07:52 1695232 c:\program files\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 10:50 155648 c:\windows\system32\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2008-11-12 14:54 13672448 c:\windows\system32\nvcpl.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2008-11-12 14:54 86016 c:\windows\system32\nvmctray.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RGSC]
--a------ 2008-12-29 16:47 306088 d:\program files\Rockstar Games\Rockstar Games Social Club\RGSCLauncher.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
-r------- 2005-05-03 11:43 69632 c:\windows\Alcmtr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2008-11-12 14:54 1630208 c:\windows\system32\nwiz.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
-r------- 2008-02-13 07:31 16857600 c:\windows\RTHDCPL.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"PnkBstrA"=2 (0x2)
"ose"=3 (0x3)
"odserv"=3 (0x3)
"NVSvc"=2 (0x2)
"Microsoft Office Groove Audit Service"=3 (0x3)
"IDriverT"=3 (0x3)
"ICQ Service"=2 (0x2)
"ekrn"=2 (0x2)
"EhttpSrv"=3 (0x3)
"aawservice"=2 (0x2)
"idsvc"=3 (0x3)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\ICQ6\\ICQ.exe"=
"d:\\Program Files\\EA Sports\\NHL08\\nhl2008.exe"=
"d:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"d:\\Program Files\\Atari\\Test Drive Unlimited\\TestDriveUnlimited.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"d:\\Program Files\\Ubisoft\\Tom Clancy's Rainbow Six Vegas 2\\Binaries\\R6Vegas2_Game.exe"=
"d:\\Program Files\\Ubisoft\\Tom Clancy's Rainbow Six Vegas 2\\Binaries\\R6Vegas2_Launcher.exe"=
"c:\\Documents and Settings\\Uzivatel\\Dokumenty\\strong dc\\StrongDC.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"d:\\Program Files\\Counter-Strike Source\\hl2.exe"=
"d:\\Program Files\\EA GAMES\\Need For Speed Underground\\Speed.exe"=
"d:\\Program Files\\Activision\\Call of Duty 2\\CoD2MP_s.exe"=
"d:\\Program Files\\Electronic Arts\\Medal of Honor Airborne\\UnrealEngine3\\Binaries\\MOHA.exe"=
"d:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaWmp.exe"=
"d:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaW.exe"=
"d:\\Program Files\\EA Sports\\NHL 09\\nhl2009.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"d:\\Program Files\\Empire Interactive\\FlatOut Ultimate Carnage\\Fouc.exe"=
"d:\\Program Files\\Rockstar Games\\Grand Theft Auto IV\\LaunchGTAIV.exe"=
"d:\\Program Files\\Rockstar Games\\Rockstar Games Social Club\\RGSCLauncher.exe"=
"d:\\Program Files\\Rockstar Games\\Grand Theft Auto IV\\GTAIV.exe"=
"d:\\Program Files\\EA GAMES\\Medal of Honor Pacific Assault(tm)\\mohpa.exe"=
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-12-29 111184]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2008-12-29 20560]
R3 PSched;QoS Packet Scheduler;c:\windows\system32\DRIVERS\psched.sys [2008-04-13 69120]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{32ac16c6-d5a8-11dd-9d9c-d13e46599287}]
\Shell\AutoRun\command - G:\setup.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4b02aead-d32e-11dd-9d8b-002185104351}]
\Shell\Auto\command - cmd /C launch.bat
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL cmd /C launch.bat
.
.
------- Supplementary scan -------
.
uStart Page = hxxp://www.seznam.cz/
TCP: {84A634DD-D4C0-444C-A1F1-AC6610019E1B} = 81.31.33.19,80.79.16.3
FF - ProfilePath - c:\documents and settings\Uzivatel\Data aplikací\Mozilla\Firefox\Profiles\4wr4ceht.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.seznam.cz/
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
ATTENTION: FIREFOX POLICES IS IN FORCE
c:\program files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".cz");
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-30 17:21:20
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-12-30 17:21:48
ComboFix-quarantined-files.txt 2008-12-30 16:21:44
ComboFix2.txt 2008-12-30 16:08:35
Pre-Run: 216,356,929,536 bytes free
Post-Run: 216,345,321,472 bytes free
242 --- E O F --- 2008-12-18 15:41:31
SDFix: Version 1.240
Run by Uzivatel on Tue 30.12.2008 at 17:30
Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix
Checking Services :
Infected user32.dll Found!
user32.dll File Locations:
"C:\WINDOWS\system32\user32.DLL" 578560 27.12.2008 20:26
"C:\WINDOWS\system32\dllcache\user32.dll" 578560 30.12.2008 17:29
[C:\WINDOWS\system32\user32.DLL] 69898947F36A8983F8C7FA14682B0AC3
[C:\WINDOWS\system32\dllcache\user32.dll] 69898947F36A8983F8C7FA14682B0AC3
[C:\WINDOWS\System32\fkgyonoom] E16E0990967374E76F3E40CACAFD3D53
Note: SDFix does not repair this file!
Restoring Default Security Values
Restoring Default Hosts File
Rebooting
Checking Files :
No Trojan Files Found
Removing Temp Files
ADS Check :
Final Check :
catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-30 17:35:17
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden services & system hive ...
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s1"=dword:2df9c43f
"s2"=dword:110480d0
"h0"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"h0"=dword:00000000
"khjeh"=hex:ba,1a,73,b3,45,ec,02,8e,3f,08,65,d6,b5,63,fb,12,62,c5,e4,a3,6b,..
"p0"="C:\Program Files\DAEMON Tools Lite\"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,a2,c4,6f,c2,bb,df,e1,2a,fe,cc,3b,d9,02,36,3a,0e,14,..
"khjeh"=hex:c6,11,5c,4d,d6,d9,87,1a,1b,07,7c,2a,f6,d7,20,ee,00,df,74,2c,db,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:af,dd,4e,a4,42,45,e1,d5,f2,71,e1,0f,8f,48,a7,2a,12,6d,f4,30,21,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"h0"=dword:00000000
"khjeh"=hex:ba,1a,73,b3,45,ec,02,8e,3f,08,65,d6,b5,63,fb,12,62,c5,e4,a3,6b,..
"p0"="C:\Program Files\DAEMON Tools Lite\"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,a2,c4,6f,c2,bb,df,e1,2a,fe,cc,3b,d9,02,36,3a,0e,14,..
"khjeh"=hex:c6,11,5c,4d,d6,d9,87,1a,1b,07,7c,2a,f6,d7,20,ee,00,df,74,2c,db,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:af,dd,4e,a4,42,45,e1,d5,f2,71,e1,0f,8f,48,a7,2a,12,6d,f4,30,21,..
scanning hidden registry entries ...
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Cursors\Schemes]
"Černé ukazatele"="C:\WINDOWS\cursors\arrow_r.cur,C:\WINDOWS\cursors\help_r.cur,C:\WINDOWS\cursors\wait_r.cur,C:\WINDOWS\cursors\busy_r.cur,C:\WINDOWS\cursors\cross_r.cur,C:\WINDOWS\cursors\beam_r.cur,C:\WINDOWS\cursors\pen_r.cur,C:\WINDOWS\cursors\no_r.cur,C:\WINDOWS\cursors\size4_r.cur,C:\WINDOWS\cursors\size3_r.cur,C:\WINDOWS\cursors\size2_r.cur,C:\WINDOWS\cursors\size1_r.cur,C:\WINDOWS\cursors\move_r.cur,C:\WINDOWS\cursors\up_r.cur"
"Černé ukazatele (velké)"="C:\WINDOWS\cursors\arrow_rm.cur,C:\WINDOWS\cursors\help_rm.cur,C:\WINDOWS\cursors\wait_rm.cur,C:\WINDOWS\cursors\busy_rm.cur,C:\WINDOWS\cursors\cross_rm.cur,C:\WINDOWS\cursors\beam_rm.cur,C:\WINDOWS\cursors\pen_rm.cur,C:\WINDOWS\cursors\no_rm.cur,C:\WINDOWS\cursors\size4_rm.cur,C:\WINDOWS\cursors\size3_rm.cur,C:\WINDOWS\cursors\size2_rm.cur,C:\WINDOWS\cursors\size1_rm.cur,C:\WINDOWS\cursors\move_rm.cur,C:\WINDOWS\cursors\up_rm.cur"
"Černé ukazatele (největší)"="C:\WINDOWS\cursors\arrow_rl.cur,C:\WINDOWS\cursors\help_rl.cur,C:\WINDOWS\cursors\wait_rl.cur,C:\WINDOWS\cursors\busy_rl.cur,C:\WINDOWS\cursors\cross_rl.cur,C:\WINDOWS\cursors\beam_rl.cur,C:\WINDOWS\cursors\pen_rl.cur,C:\WINDOWS\cursors\no_rl.cur,C:\WINDOWS\cursors\size4_rl.cur,C:\WINDOWS\cursors\size3_rl.cur,C:\WINDOWS\cursors\size2_rl.cur,C:\WINDOWS\cursors\size1_rl.cur,C:\WINDOWS\cursors\move_rl.cur,C:\WINDOWS\cursors\up_rl.cur"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher]
"TracesProcessed"=dword:00000163
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0
Remaining Services :
Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\ICQ6\\ICQ.exe"="C:\\Program Files\\ICQ6\\ICQ.exe:*:Enabled:ICQ6"
"D:\\Program Files\\EA Sports\\NHL08\\nhl2008.exe"="D:\\Program Files\\EA Sports\\NHL08\\nhl2008.exe:*:Enabled:nhl2008"
"D:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"="D:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe:*:Enabled:Call of Duty(R) 4 - Modern Warfare(TM)"
"D:\\Program Files\\Atari\\Test Drive Unlimited\\TestDriveUnlimited.exe"="D:\\Program Files\\Atari\\Test Drive Unlimited\\TestDriveUnlimited.exe:*:Enabled:Test Drive Unlimited"
"C:\\WINDOWS\\system32\\PnkBstrA.exe"="C:\\WINDOWS\\system32\\PnkBstrA.exe:*:Enabled:PnkBstrA"
"C:\\WINDOWS\\system32\\PnkBstrB.exe"="C:\\WINDOWS\\system32\\PnkBstrB.exe:*:Enabled:PnkBstrB"
"D:\\Program Files\\Ubisoft\\Tom Clancy's Rainbow Six Vegas 2\\Binaries\\R6Vegas2_Game.exe"="D:\\Program Files\\Ubisoft\\Tom Clancy's Rainbow Six Vegas 2\\Binaries\\R6Vegas2_Game.exe:*:Enabled:Tom Clancy's Rainbow Six Vegas 2"
"D:\\Program Files\\Ubisoft\\Tom Clancy's Rainbow Six Vegas 2\\Binaries\\R6Vegas2_Launcher.exe"="D:\\Program Files\\Ubisoft\\Tom Clancy's Rainbow Six Vegas 2\\Binaries\\R6Vegas2_Launcher.exe:*:Enabled:Tom Clancy's Rainbow Six Vegas 2 Update"
"C:\\Documents and Settings\\Uzivatel\\Dokumenty\\strong dc\\StrongDC.exe"="C:\\Documents and Settings\\Uzivatel\\Dokumenty\\strong dc\\StrongDC.exe:*:Enabled:StrongDC++"
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE:*:Enabled:Microsoft Office Groove"
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote"
"D:\\Program Files\\Counter-Strike Source\\hl2.exe"="D:\\Program Files\\Counter-Strike Source\\hl2.exe:*:Enabled:hl2"
"D:\\Program Files\\EA GAMES\\Need For Speed Underground\\Speed.exe"="D:\\Program Files\\EA GAMES\\Need For Speed Underground\\Speed.exe:*:Enabled:Speed"
"D:\\Program Files\\Activision\\Call of Duty 2\\CoD2MP_s.exe"="D:\\Program Files\\Activision\\Call of Duty 2\\CoD2MP_s.exe:*:Disabled:CoD2MP_s"
"D:\\Program Files\\Electronic Arts\\Medal of Honor Airborne\\UnrealEngine3\\Binaries\\MOHA.exe"="D:\\Program Files\\Electronic Arts\\Medal of Honor Airborne\\UnrealEngine3\\Binaries\\MOHA.exe:*:Enabled:Medal of Honor Airborne"
"D:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaWmp.exe"="D:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaWmp.exe:*:Enabled:Call of Duty(R) - World at War(TM)"
"D:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaW.exe"="D:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaW.exe:*:Enabled:Call of Duty(R) - World at War(TM)"
"D:\\Program Files\\EA Sports\\NHL 09\\nhl2009.exe"="D:\\Program Files\\EA Sports\\NHL 09\\nhl2009.exe:*:Enabled:nhl2009"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"
"D:\\Program Files\\Empire Interactive\\FlatOut Ultimate Carnage\\Fouc.exe"="D:\\Program Files\\Empire Interactive\\FlatOut Ultimate Carnage\\Fouc.exe:*:Enabled:FlatOut Ultimate Carnage"
"D:\\Program Files\\Rockstar Games\\Grand Theft Auto IV\\LaunchGTAIV.exe"="D:\\Program Files\\Rockstar Games\\Grand Theft Auto IV\\LaunchGTAIV.exe:*:Enabled:Grand Theft Auto IV"
"D:\\Program Files\\Rockstar Games\\Rockstar Games Social Club\\RGSCLauncher.exe"="D:\\Program Files\\Rockstar Games\\Rockstar Games Social Club\\RGSCLauncher.exe:*:Enabled:Rockstar Games Social Club"
"D:\\Program Files\\Rockstar Games\\Grand Theft Auto IV\\GTAIV.exe"="D:\\Program Files\\Rockstar Games\\Grand Theft Auto IV\\GTAIV.exe:*:Enabled:Grand Theft Auto IV"
"D:\\Program Files\\EA GAMES\\Medal of Honor Pacific Assault(tm)\\mohpa.exe"="D:\\Program Files\\EA GAMES\\Medal of Honor Pacific Assault(tm)\\mohpa.exe:*:Enabled:Medal of Honor Pacific Assault(tm)"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
Remaining Files :
Files with Hidden Attributes :
Wed 22 Oct 2008 949,072 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\advcheck.dll"
Mon 15 Sep 2008 1,562,960 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDHelper.dll"
Mon 7 Jul 2008 1,429,840 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 7 Jul 2008 4,891,472 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Tue 16 Sep 2008 1,833,296 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Wed 22 Oct 2008 962,896 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\Tools.dll"
Tue 9 Sep 2008 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Mon 29 Dec 2008 67,498,308 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\36a9ee1611bc403067208863e061dbe7\BIT5.tmp"
Mon 29 Dec 2008 1,767 ...HR --- "C:\Documents and Settings\Uzivatel\Data aplikací\SecuROM\UserData\securom_v7_01.bak"
Finished!
Cannot remove Win32:SysPatch
CPU Core 2 Duo 1.86 GHz, RAM 2x2 GB DDR3, HDD WD 250 GB + 1.5 TB, VGA Intel GMA 4500
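What the three logs above say when read together, as an added example that is not part of the original post and not code from ComboFix or SDFix: a small Python script that parses the ComboFix "files created" and Find3M lines and the SDFix MD5 block and correlates them. The sample lines are copied from the logs above; the regexes, the extension allowlist, the assumption that Find3M write times are UTC, and all function names are this example's own. Two things fall out. First, the Find3M write time of user32.DLL (19:26) is one hour behind the local SDFix time for the same file (20:26), consistent with the log's [GMT 1:00] header; once shifted, it lands in exactly the minute in which six random-named files with two-letter extensions (2rg3.es, ef3p.ee, zred.pa, fks.as, 4rr.pa, gr1.e) were dropped into system32. Second, system32\user32.DLL and dllcache\user32.dll carry the same MD5, so the Windows File Protection backup is itself the patched copy and sfc /scannow has nothing clean to restore from; replacing the file needs a known-good user32.dll of the same build (SP3 media or a clean machine) written from outside the running system, which is what the Recovery Console that the ComboFix header reports as missing would be used for.

```python
"""Correlate the ComboFix and SDFix output from the post above.
Added example, not part of the post or of either tool. Sample lines are copied
from the logs; regexes, extension allowlist and GMT handling are assumptions."""
import re
from datetime import datetime, timedelta

# Constructed sample: part of ComboFix's "files created" section (local time).
COMBOFIX_CREATED = r"""
2008-12-30 17:19 . 2008-12-30 17:19 5,120 --ahs---- c:\windows\system32\Thumbs.db
2008-12-29 16:44 . 2008-12-29 16:44 <DIR> d-------- c:\windows\system32\XPSViewer
2008-12-27 20:26 . 2008-12-27 20:26 65,024 --a------ c:\windows\system32\2rg3.es
2008-12-27 20:26 . 2008-12-27 20:26 64,512 --a------ c:\windows\system32\ef3p.ee
2008-12-27 20:26 . 2008-12-27 20:26 32,768 --a------ c:\windows\system32\zred.pa
2008-12-27 20:26 . 2008-12-27 20:26 32,768 --a------ c:\windows\system32\fks.as
2008-12-27 20:26 . 2008-12-27 20:26 24,576 --a------ c:\windows\system32\4rr.pa
2008-12-27 20:26 . 2008-12-27 20:26 21,504 --a------ c:\windows\system32\gr1.e
"""
# Constructed sample: ComboFix Find3M lines (last-write time, assumed UTC).
COMBOFIX_FIND3M = r"""
2008-12-29 17:50 66,872 ----a-w c:\windows\system32\PnkBstrA.exe
2008-12-27 19:26 578,560 ----a-w c:\windows\system32\user32.DLL
"""
# Constructed sample: the MD5 block from SDFix.
SDFIX_HASHES = r"""
[C:\WINDOWS\system32\user32.DLL] 69898947F36A8983F8C7FA14682B0AC3
[C:\WINDOWS\system32\dllcache\user32.dll] 69898947F36A8983F8C7FA14682B0AC3
[C:\WINDOWS\System32\fkgyonoom] E16E0990967374E76F3E40CACAFD3D53
"""

SYSTEM32 = "c:\\windows\\system32\\"
# Extensions expected directly in system32 (assumption); anything else is flagged.
NORMAL_EXT = {"dll", "exe", "sys", "ocx", "drv", "acm", "ax", "cpl", "scr", "tlb",
              "nls", "dat", "xml", "db", "ini", "log", "msc", "com", "mui", "cat", "inf"}
_CREATED = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d) \. \d{4}-\d\d-\d\d \d\d:\d\d"
                      r"\s+(<DIR>|[\d,]+)\s+(\S+)\s+(.+)$")
_FIND3M = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d)\s+(?:[\d,]+|-+)\s+(\S+)\s+(.+)$")
_MD5 = re.compile(r"^\[(.+?)\]\s+([0-9A-Fa-f]{32})$")


def parse_created(text):
    """(created_local, size or None for dirs, attrs, lowercased path) per line."""
    rows = []
    for line in text.strip().splitlines():
        m = _CREATED.match(line.strip())
        if m:
            size = None if m.group(2) == "<DIR>" else int(m.group(2).replace(",", ""))
            rows.append((datetime.strptime(m.group(1), "%Y-%m-%d %H:%M"),
                         size, m.group(3), m.group(4).lower()))
    return rows


def parse_find3m(text, gmt_offset_hours):
    """lowercased path -> last-write time shifted into the log's local time.
    The post shows user32.DLL at 19:26 here but 20:26 in SDFix, matching the
    "[GMT 1:00]" header, hence the offset."""
    written = {}
    for line in text.strip().splitlines():
        m = _FIND3M.match(line.strip())
        if m:
            utc = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M")
            written[m.group(3).lower()] = utc + timedelta(hours=gmt_offset_hours)
    return written


def parse_md5(text):
    """lowercased path -> upper-case MD5 from SDFix's '[path] HASH' lines."""
    return {m.group(1).lower(): m.group(2).upper()
            for m in map(_MD5.match, map(str.strip, text.strip().splitlines())) if m}


def odd_system32_files(rows):
    """Files directly in system32 whose extension is not on the allowlist;
    short random names with two-letter extensions are a dropper pattern."""
    hits = []
    for _created, size, _attrs, path in rows:
        name = path[len(SYSTEM32):]
        if size is None or not path.startswith(SYSTEM32) or "\\" in name:
            continue  # directory, other location, or a system32 subdirectory
        ext = name.rsplit(".", 1)[1] if "." in name else ""
        if ext not in NORMAL_EXT:
            hits.append(path)
    return hits


def created_same_minute(rows, when):
    """Files whose creation minute equals `when` (local time)."""
    return [p for created, size, _a, p in rows if size is not None and created == when]


def wfp_cache_mirrors_live(hashes, name="user32.dll"):
    """True when the system32 and dllcache copies share an MD5: the Windows File
    Protection backup is the patched file too, so sfc /scannow restores nothing."""
    live = hashes.get(SYSTEM32 + name)
    return live is not None and live == hashes.get(SYSTEM32 + "dllcache\\" + name)


def report():
    rows = parse_created(COMBOFIX_CREATED)
    patched_at = parse_find3m(COMBOFIX_FIND3M, 1)[SYSTEM32 + "user32.dll"]
    hashes = parse_md5(SDFIX_HASHES)
    return {"user32_patched_local": patched_at,
            "odd_system32_files": odd_system32_files(rows),
            "dropped_same_minute": created_same_minute(rows, patched_at),
            "dllcache_mirrors_patched_copy": wfp_cache_mirrors_live(hashes),
            "extra_hashed_files": sorted(p for p in hashes if not p.endswith("\\user32.dll"))}
```

Running report() on the embedded samples lists the six odd files, shows they were created in the same minute as the user32.dll modification, confirms the dllcache copy mirrors the patched one, and leaves C:\WINDOWS\System32\fkgyonoom as the one extra file SDFix hashed with a different MD5. The mountpoints2 entries in the ComboFix log (G:\setup.exe and cmd /C launch.bat as AutoRun commands) record removable media that has been autorun on this machine; that is a separate check the script does not cover.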