Kontrola logu Vyřešeno

[Nharko]

Dobry den.

Dnes jsem pres hijackthis v pocitaci nasel tuto polozku O4 - Startup: rncsys32.exe
Zkusil jsem to vygooglit a nasel jsem tento topic: viewtopic.php?f=70&t=42326&start=0 ... Asi to byla chyba, ale postupoval jsem presne podle pokynu az do prispevku uzivatele Damned postnuty v 13 Črc 2009 00:15.

Nevyznam se v logach Combofixu, tak prosim, jestli by se nekdo mohl podivat na me logy a poradit, jak mam pokracovat, nebo jestli je vubec potreba pokracovat... Predem dekuji...

aktualni log hijackthis

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:34:24, on 17.7.2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\MagicTune Premium\MagicTuneEngine.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\wincommander 5.00\WINCMD32.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: Download Using &BitSpirit - C:\Program Files\BitSpirit\bsurl.htm
O8 - Extra context menu item: E&xportovat do aplikace Microsoft Office Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Zdroje informací - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/200 ... oader5.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: MagicTuneEngine - Unknown owner - C:\Program Files\MagicTune Premium\MagicTuneEngine.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe

--
End of file - 5254 bytes



text ze souboru File.txt

Svazek v jednotce C je system.
S‚riov‚ źˇslo svazku je 90F1-DF9D.



combofix log

ComboFix 09-07-14.08 - ErROr 17.07.2009 12:13.1.1 - NTFSx86
Systém Microsoft Windows XP Professional 5.1.2600.2.1250.420.1029.18.1023.653 [GMT 2:00]
Spuštěný z: c:\documents and settings\ErROr.CP-55F156BD35C7\Plocha\ComboFix.exe
AV: ESET Smart Security 3.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET personal firewall *disabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}
* Vytvořen nový Bod Obnovení
.

((((((((((((((((((((((((((((((((((((((( Ostatní výmazy )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\recycler\S-1-5-21-1085031214-776561741-839522115-1003
c:\recycler\S-1-5-21-1085031214-776561741-839522115-1005
c:\windows\system32\_id.dat

.
((((((((((((((((((((((((((((((((((((((( Ovladače/Služby )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MSDIRECTX


((((((((((((((((((((((((( Soubory vytvořené od 2009-06-17 do 2009-07-17 )))))))))))))))))))))))))))))))
.

2009-07-17 09:54 . 2009-07-13 11:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-17 09:54 . 2009-07-17 09:54 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-17 09:54 . 2009-07-13 11:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-12 09:45 . 2009-07-12 09:45 -------- d-sh--w- c:\windows\ftpcache
2009-07-12 09:33 . 2009-07-12 09:33 -------- d-----w- C:\Prototype
2009-07-02 10:08 . 2009-03-09 13:27 453456 ----a-w- c:\windows\system32\d3dx10_41.dll
2009-07-02 10:08 . 2009-03-09 13:27 1846632 ----a-w- c:\windows\system32\D3DCompiler_41.dll
2009-07-02 10:08 . 2009-03-09 13:27 4178264 ----a-w- c:\windows\system32\D3DX9_41.dll
2009-07-02 10:08 . 2009-03-16 12:18 69448 ----a-w- c:\windows\system32\XAPOFX1_3.dll
2009-07-02 10:08 . 2009-03-16 12:18 517448 ----a-w- c:\windows\system32\XAudio2_4.dll
2009-07-02 10:08 . 2009-03-16 12:18 235352 ----a-w- c:\windows\system32\xactengine3_4.dll
2009-07-02 10:06 . 2009-07-02 10:06 -------- d-----w- c:\program files\Microsoft Games for Windows - LIVE
2009-06-22 19:01 . 2009-06-22 19:01 22328 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2009-06-22 19:01 . 2009-06-22 19:01 107832 ----a-w- c:\windows\system32\PnkBstrB.exe
2009-06-22 19:01 . 2009-06-22 19:01 66872 ----a-w- c:\windows\system32\PnkBstrA.exe
2009-06-22 19:00 . 2009-06-22 19:00 2337865 ----a-w- c:\windows\system32\pbsvc.exe
2009-06-22 15:34 . 2009-06-22 15:37 -------- d-----w- c:\program files\MediaCoder

.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-17 10:15 . 2009-01-19 19:55 24 ----a-w- c:\windows\system32\DVCStateBkp-{00000001-00000000-00000002-00001102-00000004-00521102}.dat
2009-07-17 10:15 . 2009-01-19 19:55 24 ----a-w- c:\windows\system32\DVCState-{00000001-00000000-00000002-00001102-00000004-00521102}.dat
2009-07-12 10:02 . 2007-11-13 16:12 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-07-08 10:08 . 2008-03-24 12:44 -------- d-----w- c:\program files\ICQ6
2009-06-21 18:13 . 2008-09-04 14:58 -------- d-----w- c:\program files\BSPlayer
2009-04-21 22:20 . 2009-04-21 22:20 14311680 ----a-w- c:\windows\system32\xlive.dll
2009-04-21 22:20 . 2009-04-21 22:20 13642496 ----a-w- c:\windows\system32\xlivefnt.dll
2009-01-14 15:18 . 2009-01-12 16:47 67688 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2009-01-14 15:18 . 2009-01-12 16:47 54368 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2009-01-14 15:18 . 2009-01-12 16:47 34944 ----a-w- c:\program files\mozilla firefox\components\myspell.dll
2009-01-14 15:18 . 2009-01-12 16:47 46712 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll
2009-01-14 15:18 . 2009-01-12 16:47 172136 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
.

(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-17 15360]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-12-29 687560]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2007-12-21 1443072]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2008-04-01 36352]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"Jet Detection"="c:\program files\Creative\SBAudigy\PROGRAM\ADGJDet.exe" [2001-11-29 28672]
"WINDVDPatch"="CTHELPER.EXE" - c:\windows\system32\CTHELPER.EXE [2002-07-02 24576]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-17 15360]

c:\documents and settings\ErROr.CP-55F156BD35C7\Nabˇdka Start\Programy\Po spuçtŘnˇ\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0OODBS

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\BitSpirit\\BitSpirit.exe"=
"c:\\Program Files\\ICQ6\\ICQ.exe"=
"c:\\Program Files\\Sony Ericsson\\Sony Ericsson Media Manager\\MediaManager.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"d:\\Games\\StreetFighterIV\\StreetFighterIV.exe"=
"d:\\Games\\Prototype\\prototypef.exe"=

R2 ekrn;Eset Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [21.12.2007 9:21 468224]
S3 CrystalSysInfo;CrystalSysInfo;c:\program files\MediaCoder\SysInfo.sys [25.9.2007 16:59 15152]
.
.
------- Doplňkový sken -------
.
IE: Download Using &BitSpirit - c:\program files\BitSpirit\bsurl.htm
IE: E&xportovat do aplikace Microsoft Office Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: ÓñČĚŘľ«ÁéĎÂÔŘ(&B)
FF - ProfilePath - c:\documents and settings\ErROr.CP-55F156BD35C7\Data aplikací\Mozilla\Firefox\Profiles\q6ojs1uu.default\
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
FF - component: c:\program files\Real\RealPlayer\browserrecord\components\nprpbrowserrecordplugin.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-17 12:17
Windows 5.1.2600 Service Pack 2 NTFS

skenování skrytých procesů ...

skenování skrytých položek 'Po spuštění' ...

skenování skrytých souborů ...

sken byl úspešně dokončen
skryté soubory: 0

**************************************************************************
.
--------------------- ZAMKNUTÉ KLÍČE V REGISTRU ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\System*]
"OODEFRAG10.00.00.01WORKSTATION"="D414DD62173654AB6812356A312A13ED3079932D7CFBBBFEB6B1A6F0C07FBD432F7AA32DC1F0E4DDA8CDA582541C5AFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CA6A0AC4980AC7933A2D97226D213B5555D575E7D6A3B9808A6A0AC4980AC7933A37AFD56F958C4F8F002F1DA546A0532A45885296B4FC6D275A7C20739B23547528AB4CB528188614CBFC8B9DB8634D595AEBB2893539E11143E2974E3036DD27A748ED38C405DA07A717967D7A5AE8701ADB5A4E2E9A02D86950F0FF15B782C6DE2A3BDD52B1F47EDDEC9B8688DCAEB985D7E1D0B24B97FE112EA9844B8FA00C0B8F42F614DCB78DD0860D7AD7600B9D475875F3E867B75FC4A9624BE0E4093CC8762A1E1A6076A441C4842D00AE73FF066248CB30A998F750CCE1A4C41B53AAF9A34E013A717EADE0271C9F9EAC5DAEA520D9CA89C6EE32BD3B5B556AC6CDF49EC938D33BAE656AFD2AF945AAB7B02860FDEDADB1D759C4158CF86CF9D1A8240AF109C82380622FD5B389C235512BBCAA81BE590E2D075A0FE87EF2DD59AB37D479B574670A754519EA82F0AE234A6835CA3300F37C43F75E3282BE60DEA1BACCB8CD9C9262188FAD17F6DCCC432703E9D427FA2553BE1AFD66543F7EA2D71BF0B1C95D990EDEE0BDD214FA6DE80DFCF91A4EF1BEEBED3035B5418E30F2686ED04EA4F485A2E49D8DFD21CDB0A364B4E1458EFCBA88225E8A86DDCAD0C403BACEBF99EE923A26F7DAAC273B311109E9534D4420D9CDAF41C2A8E9ADC6689073CAA317119FCB44D57437DC478B56E5C45B16F7EB9D6C0F79DFEF8AB8119B3F21CDDD80834EFECE10A62F8D8F7A95317BE06678DB3D8CF79B1FB5340A811161F91D520F71C76FB3FF9768BC7849668782B5ADBB0DA974BD5DFA725DBE93228BBA61699A9B57F330F512170FE7698F73BF38DD0F7197B16FE75BEDBD7DAD00A902858BBD9EBEE0B8AFEB746C1A73EF33049322F4CDA63B8F880AE4A5E1B37FBF6A688E1982C1B1E02B54312A4768DED3B1F8EC2668D1E625E579CA570C9A4655DF748484BE74EAAD76A813A12C5FC20D5AA9DBCD7A6F1E2DA90E006E00BC9CE47346913AA93C8140457E30B47FB79E48B670CB1011E97AEB109046AD6094D66C83A77C7442C3DE012FB11B2D584E23CFB95401A996D3D5F36E148B3CFEFC8FE0EA92ED1F62B52BBA0986146244D8CCADC38CCD02C9502B0537DA0A51A6FCA8DD468FB7E799524746335E23B6C49BF58F5957E97981A7B068504336C5B3D55AC6E200801D36FBFFC219AD6EDBB6FB750A3B9D2929083B2E05EE3DC9389915E99C2BC29ED6242A9ED36D6B29D733924C2D4F27CCA1ADBA56C034A2D0DF029CFB6CAEEEDC2D61CD900103D9F6ECA2729630F55E2AA913444F42CAD67AEB0458789952F"
.
--------------------- Knihovny navázané na běžící procesy ---------------------

- - - - - - - > 'winlogon.exe'(956)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(2424)
c:\windows\system32\msi.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Jiné spuštené procesy ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\windows\system32\CTSVCCDA.EXE
c:\program files\MagicTune Premium\MagicTuneEngine.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\PnkBstrB.exe
c:\windows\system32\MsPMSPSv.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Celkový čas: 2009-07-17 12:20 - počítač byl restartován
ComboFix-quarantined-files.txt 2009-07-17 10:20

Před spuštěním: 1 104 244 736
Po spuštění: 2 113 187 840

WindowsXP-KB310994-SP2-Pro-BootDisk-CSY.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

146

[Reklama]

[Damned]

Příště se nejdřív poraď.

Start-spustit-napiš: notepad .do něho vlož tento celý text:

Kód: Vybrat vše

dir \rncsys32.exe /a h /s > File.txt

uložit na plochu s názvem: find.bat (typ souboru- všechny soubory)
Najdi ho na ploše, poklepej na něj a počkej až se okno zavře a objeví se soubor.txt
Vlož sem potom celý text z tohoto souboru.

[Nharko]

Svazek v jednotce C je system.
Sériové číslo svazku je 90F1-DF9D.

[Damned]

Odinstaluj si BSPlayer, nezmám instalačku od Webtehu, co by neměla adware nebo malware.

Otevři si Poznámkový blok (Start -> Spustit... a napiš do okna Notepad a dej Ok).
Zkopíruj do něj následující celý text označený zeleně:

DirLook::
C:\Prototype

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"=dword:00000000




Zvol možnost Soubor -> Uložit jako... a nastav tyto parametry:
Název souboru: zde napiš: CFScript.txt
Uložit jako typ: tak tam vyber Všechny soubory
Ulož soubor na plochu.
Ukonči všechna aktivní okna.


Uchop myší vytvořený skript CFScript.txt, přemísti ho nad stažený program ComboFix.exe
a když se oba soubory překryjí, skript upusť.


- Automaticky se spustí ComboFix
- Vlož sem log, který vyběhne v závěru čistícího procesu + nový log z HJT a popiš chování počítače

[Nharko]

Pocitac bezi v pohode, mozna krome toho, ze na nekterejch internetovejch strankach se obcas sam od sebe pusti Acrobat Reader, i kdyz neotviram zadny pdfko, coz me trochu znepokojuje. Jinak si nejsem niceho vedom, chtel jsem se hlavne zbavit toho rncsys32.exe


ComboFix 09-07-14.08 - ErROr 17.07.2009 13:16.2.1 - NTFSx86
Systém Microsoft Windows XP Professional 5.1.2600.2.1250.420.1029.18.1023.662 [GMT 2:00]
Spuštěný z: c:\documents and settings\ErROr.CP-55F156BD35C7\Plocha\ComboFix.exe
Použité ovládací přepínače :: c:\documents and settings\ErROr.CP-55F156BD35C7\Plocha\CFScript.txt
AV: ESET Smart Security 3.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET personal firewall *disabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}
.

((((((((((((((((((((((((( Soubory vytvořené od 2009-06-17 do 2009-07-17 )))))))))))))))))))))))))))))))
.

2009-07-17 09:54 . 2009-07-13 11:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-17 09:54 . 2009-07-17 09:54 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-17 09:54 . 2009-07-13 11:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-12 09:45 . 2009-07-12 09:45 -------- d-sh--w- c:\windows\ftpcache
2009-07-12 09:33 . 2009-07-12 09:33 -------- d-----w- C:\Prototype
2009-07-02 10:08 . 2009-03-09 13:27 453456 ----a-w- c:\windows\system32\d3dx10_41.dll
2009-07-02 10:08 . 2009-03-09 13:27 1846632 ----a-w- c:\windows\system32\D3DCompiler_41.dll
2009-07-02 10:08 . 2009-03-09 13:27 4178264 ----a-w- c:\windows\system32\D3DX9_41.dll
2009-07-02 10:08 . 2009-03-16 12:18 69448 ----a-w- c:\windows\system32\XAPOFX1_3.dll
2009-07-02 10:08 . 2009-03-16 12:18 517448 ----a-w- c:\windows\system32\XAudio2_4.dll
2009-07-02 10:08 . 2009-03-16 12:18 235352 ----a-w- c:\windows\system32\xactengine3_4.dll
2009-07-02 10:06 . 2009-07-02 10:06 -------- d-----w- c:\program files\Microsoft Games for Windows - LIVE
2009-06-22 19:01 . 2009-06-22 19:01 22328 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2009-06-22 19:01 . 2009-06-22 19:01 107832 ----a-w- c:\windows\system32\PnkBstrB.exe
2009-06-22 19:01 . 2009-06-22 19:01 66872 ----a-w- c:\windows\system32\PnkBstrA.exe
2009-06-22 19:00 . 2009-06-22 19:00 2337865 ----a-w- c:\windows\system32\pbsvc.exe
2009-06-22 15:34 . 2009-06-22 15:37 -------- d-----w- c:\program files\MediaCoder

.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-17 10:15 . 2009-01-19 19:55 24 ----a-w- c:\windows\system32\DVCStateBkp-{00000001-00000000-00000002-00001102-00000004-00521102}.dat
2009-07-17 10:15 . 2009-01-19 19:55 24 ----a-w- c:\windows\system32\DVCState-{00000001-00000000-00000002-00001102-00000004-00521102}.dat
2009-07-12 10:02 . 2007-11-13 16:12 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-07-08 10:08 . 2008-03-24 12:44 -------- d-----w- c:\program files\ICQ6
2009-04-21 22:20 . 2009-04-21 22:20 14311680 ----a-w- c:\windows\system32\xlive.dll
2009-04-21 22:20 . 2009-04-21 22:20 13642496 ----a-w- c:\windows\system32\xlivefnt.dll
2009-01-14 15:18 . 2009-01-12 16:47 67688 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2009-01-14 15:18 . 2009-01-12 16:47 54368 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2009-01-14 15:18 . 2009-01-12 16:47 34944 ----a-w- c:\program files\mozilla firefox\components\myspell.dll
2009-01-14 15:18 . 2009-01-12 16:47 46712 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll
2009-01-14 15:18 . 2009-01-12 16:47 172136 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of C:\Prototype ----

2009-07-12 09:33 . 2009-06-09 19:06 7969767424 ----a-w- c:\prototype\rzr-prot.iso


(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-17 15360]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-12-29 687560]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2007-12-21 1443072]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2008-04-01 36352]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"Jet Detection"="c:\program files\Creative\SBAudigy\PROGRAM\ADGJDet.exe" [2001-11-29 28672]
"WINDVDPatch"="CTHELPER.EXE" - c:\windows\system32\CTHELPER.EXE [2002-07-02 24576]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-17 15360]

c:\documents and settings\ErROr.CP-55F156BD35C7\Nabˇdka Start\Programy\Po spuçtŘnˇ\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0OODBS

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\BitSpirit\\BitSpirit.exe"=
"c:\\Program Files\\ICQ6\\ICQ.exe"=
"c:\\Program Files\\Sony Ericsson\\Sony Ericsson Media Manager\\MediaManager.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"d:\\Games\\StreetFighterIV\\StreetFighterIV.exe"=
"d:\\Games\\Prototype\\prototypef.exe"=

R2 ekrn;Eset Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [21.12.2007 9:21 468224]
S3 CrystalSysInfo;CrystalSysInfo;c:\program files\MediaCoder\SysInfo.sys [25.9.2007 16:59 15152]
.
.
------- Doplňkový sken -------
.
IE: Download Using &BitSpirit - c:\program files\BitSpirit\bsurl.htm
IE: E&xportovat do aplikace Microsoft Office Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: ÓñČĚŘľ«ÁéĎÂÔŘ(&B)
FF - ProfilePath - c:\documents and settings\ErROr.CP-55F156BD35C7\Data aplikací\Mozilla\Firefox\Profiles\q6ojs1uu.default\
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
FF - component: c:\program files\Real\RealPlayer\browserrecord\components\nprpbrowserrecordplugin.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-17 13:19
Windows 5.1.2600 Service Pack 2 NTFS

skenování skrytých procesů ...

skenování skrytých položek 'Po spuštění' ...

skenování skrytých souborů ...

sken byl úspešně dokončen
skryté soubory: 0

**************************************************************************
.
--------------------- ZAMKNUTÉ KLÍČE V REGISTRU ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\System*]
"OODEFRAG10.00.00.01WORKSTATION"="D414DD62173654AB6812356A312A13ED3079932D7CFBBBFEB6B1A6F0C07FBD432F7AA32DC1F0E4DDA8CDA582541C5AFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CA6A0AC4980AC7933A2D97226D213B5555D575E7D6A3B9808A6A0AC4980AC7933A37AFD56F958C4F8F002F1DA546A0532A45885296B4FC6D275A7C20739B23547528AB4CB528188614CBFC8B9DB8634D595AEBB2893539E11143E2974E3036DD27A748ED38C405DA07A717967D7A5AE8701ADB5A4E2E9A02D86950F0FF15B782C6DE2A3BDD52B1F47EDDEC9B8688DCAEB985D7E1D0B24B97FE112EA9844B8FA00C0B8F42F614DCB78DD0860D7AD7600B9D475875F3E867B75FC4A9624BE0E4093CC8762A1E1A6076A441C4842D00AE73FF066248CB30A998F750CCE1A4C41B53AAF9A34E013A717EADE0271C9F9EAC5DAEA520D9CA89C6EE32BD3B5B556AC6CDF49EC938D33BAE656AFD2AF945AAB7B02860FDEDADB1D759C4158CF86CF9D1A8240AF109C82380622FD5B389C235512BBCAA81BE590E2D075A0FE87EF2DD59AB37D479B574670A754519EA82F0AE234A6835CA3300F37C43F75E3282BE60DEA1BACCB8CD9C9262188FAD17F6DCCC432703E9D427FA2553BE1AFD66543F7EA2D71BF0B1C95D990EDEE0BDD214FA6DE80DFCF91A4EF1BEEBED3035B5418E30F2686ED04EA4F485A2E49D8DFD21CDB0A364B4E1458EFCBA88225E8A86DDCAD0C403BACEBF99EE923A26F7DAAC273B311109E9534D4420D9CDAF41C2A8E9ADC6689073CAA317119FCB44D57437DC478B56E5C45B16F7EB9D6C0F79DFEF8AB8119B3F21CDDD80834EFECE10A62F8D8F7A95317BE06678DB3D8CF79B1FB5340A811161F91D520F71C76FB3FF9768BC7849668782B5ADBB0DA974BD5DFA725DBE93228BBA61699A9B57F330F512170FE7698F73BF38DD0F7197B16FE75BEDBD7DAD00A902858BBD9EBEE0B8AFEB746C1A73EF33049322F4CDA63B8F880AE4A5E1B37FBF6A688E1982C1B1E02B54312A4768DED3B1F8EC2668D1E625E579CA570C9A4655DF748484BE74EAAD76A813A12C5FC20D5AA9DBCD7A6F1E2DA90E006E00BC9CE47346913AA93C8140457E30B47FB79E48B670CB1011E97AEB109046AD6094D66C83A77C7442C3DE012FB11B2D584E23CFB95401A996D3D5F36E148B3CFEFC8FE0EA92ED1F62B52BBA0986146244D8CCADC38CCD02C9502B0537DA0A51A6FCA8DD468FB7E799524746335E23B6C49BF58F5957E97981A7B068504336C5B3D55AC6E200801D36FBFFC219AD6EDBB6FB750A3B9D2929083B2E05EE3DC9389915E99C2BC29ED6242A9ED36D6B29D733924C2D4F27CCA1ADBA56C034A2D0DF029CFB6CAEEEDC2D61CD900103D9F6ECA2729630F55E2AA913444F42CAD67AEB0458789952F"
.
--------------------- Knihovny navázané na běžící procesy ---------------------

- - - - - - - > 'winlogon.exe'(956)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3776)
c:\windows\system32\msi.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Celkový čas: 2009-07-17 13:21
ComboFix-quarantined-files.txt 2009-07-17 11:20
ComboFix2.txt 2009-07-17 10:20

Před spuštěním: 2 127 679 488
Po spuštění: 2 120 667 136

121







Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:22:26, on 17.7.2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\MagicTune Premium\MagicTuneEngine.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\wincommander 5.00\WINCMD32.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: Download Using &BitSpirit - C:\Program Files\BitSpirit\bsurl.htm
O8 - Extra context menu item: E&xportovat do aplikace Microsoft Office Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Zdroje informací - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/200 ... oader5.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: MagicTuneEngine - Unknown owner - C:\Program Files\MagicTune Premium\MagicTuneEngine.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe

--
End of file - 5221 bytes

[Damned]

Ty pdf můžou být chybou stránky.

Spusť HJT, vypni prohlížeče, odpoj se od internetu a fixni (zatrhnout políčko před hodnotou, zmáčknout
"Fix checked"):

O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

Odinstaluj ComboFix.
ComboFix se odinstaluje takto:
Start-Spustit a zadej ComboFix[mezera]/u

takže jestli nejsou problémy,tak vyčisti systém CCleanerem
a použij i T-Cleaner
smaže vše po Combu,SDFixu,Avengeru,MWAVu atd.-stáhneš->spustíš

(pozn.Pokud máš AVG, před stažením T-Cleaneru a po dobu čištění deaktivuj AVG, následně T-Cleaner smaž
a zapni si AVG.)


Stáhni si ATF Cleaner
Poklepej na ATF Cleaner.exe, klikni select all found, pak klik empty selected.
Pokud chceš zachovat svoje uložená hesla, klikni na No.
ATF-Cleaner je jednoduchý nástroj na odstranění historie z webového prohlížeče. Program dokáže odstranit cache,
cookies, historii a další stopy po surfování na Internetu. Mezi podporované prohlížeče patří Internet Explorer,
Firefox a Opera. Aplikace navíc umí odstranit dočasné soubory Windows, vysypat koš atd.

Označ topic za vyřešený (zelená fajfka) a měj se.