Připojení v tahu, hledám pachatele

[Chriss1]

Zdravim všechny!
už druhý den se mořím s odvirováním a čištěním registrů. Dospěl jsem tak daleko, že připojení k internetu stále nefunguje, zato se mi pokaždé spouští scandisk a cosi opravuje. Kaspersky mi stále hlásí podezření na rootkity u různých druhů běžných windows služeb, tak nevím opravdu už co s tím. Podobný problém jsem tu viděl řešit, ale raději se už zříkám další samostatné činnosti, neboť nevím co činím...zde jest log, předem moc díky za jakoukoli pomoc!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:34:05, on 5.9.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS.0\System32\smss.exe
C:\WINDOWS.0\system32\winlogon.exe
C:\WINDOWS.0\system32\services.exe
C:\WINDOWS.0\system32\lsass.exe
C:\WINDOWS.0\System32\Ati2evxx.exe
C:\WINDOWS.0\system32\svchost.exe
C:\WINDOWS.0\System32\svchost.exe
C:\Program Files\Sygate\SPF\Smc.exe
C:\WINDOWS.0\system32\svchost.exe
C:\WINDOWS.0\system32\spoolsv.exe
C:\WINDOWS.0\system32\Ati2evxx.exe
C:\WINDOWS.0\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\GENIUS~1\GNETMOUS.EXE
C:\WINDOWS.0\system32\WService.EXE
C:\Program Files\Elaborate Bytes\CloneCD\CloneCDTray.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\Nokia\Nokia PC Suite 6\Launch Application 2.exe
C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
D:\Program Files\ScanSoft\OmniPageSE\opware32.exe
G:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
C:\WINDOWS.0\system32\ctfmon.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Documents and Settings\chriss\Plocha\wclock30\wclock30.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
C:\PROGRA~1\ICQ\ICQ.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS.0\System32\svchost.exe
C:\PROGRA~1\TRISNA~1\SSI\SYSENF~1.EXE
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS.0\system32\wscntfy.exe
C:\WINDOWS.0\system32\taskmgr.exe
L:\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.icq.com/search/search_frame.php
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
F2 - REG:system.ini: UserInit=C:\WINDOWS.0\system32\userinit.exe,C:\WINDOWS.0\system32\hhw.exe,
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O2 - BHO: (no name) - {35980F6E-A137-4E50-953D-813BB8556899} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FLASHGET\jccatch.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - G:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: BzcDyszu Class - {BD16B902-013C-0168-5569-7FDA099A90FF} - C:\WINDOWS.0\DOWNLO~1\gcbhjzfg.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\FGIEBAR.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - G:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Crawler Toolbar - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O4 - HKLM\..\Run: [WService] WService.EXE
O4 - HKLM\..\Run: [AtiPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [mouseElf] C:\PROGRA~1\GENIUS~1\GNETMOUS.EXE
O4 - HKLM\..\Run: [Mirabilis ICQ] C:\PROGRA~1\ICQ\ICQNet.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\Elaborate Bytes\CloneCD\CloneCDTray.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\Launch Application 2.exe -onlytray
O4 - HKLM\..\Run: [DataLayer] C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
O4 - HKLM\..\Run: [Omnipage] D:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "G:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe
O4 - HKLM\..\Run: [kis] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe"
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS.0\system32\ctfmon.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [WorldClock] "C:\Documents and Settings\chriss\Plocha\wclock30\wclock30.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS.0\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS.0\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS.0\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS.0\System32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: RemoteScan Server.lnk = C:\Program Files\RemoteScan Server\RemoteScanServer.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Acrobat Synchronizer.lnk = G:\Program Files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Append to existing PDF - res://G:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://G:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://G:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://G:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://G:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://G:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://G:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://G:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Crawler Search - tbr:iemenu
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xportovat do aplikace Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Web Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\scieplugin.dll
O9 - Extra button: Chinese Navigation - {35980F6E-A137-4E50-953D-813BB8556899} - C:\WINDOWS.0\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Chinese Navigation - {35980F6E-A137-4E50-953D-813BB8556899} - C:\WINDOWS.0\System32\shdocvw.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\FLASHGET.EXE
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\FLASHGET.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows.0\system32\nwprovau.dll
O16 - DPF: {3717DF57-0396-463D-98B7-647C7DC6898A} - http://delivery.inet-traffic.com/intdel.exe
O16 - DPF: {4ADC518E-B607-11D4-B395-0001020F4519} (SigVer Class) - https://portal.ozp.cz/obj/Signer.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 0939995642
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Protocol: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O20 - Winlogon Notify: arm32reg - C:\WINDOWS.0\
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS.0\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS.0\system32\ati2sgag.exe (file missing)
O23 - Service: Kaspersky Internet Security 6.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Unknown owner - C:\Program Files\Bonjour\mDNSResponder.exe (file missing)
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\Smc.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: SysEnforce - Unknown owner - C:\PROGRA~1\TRISNA~1\SSI\SYSENF~1.EXE
O23 - Service: WinTab Service (WinTabService) - Unknown owner - C:\WINDOWS.0\System32\Drivers\WTSRV.EXE (file missing)
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/chriss/LOCALS~1/Temp/msohtml1/01/clip_image001.gif

--
End of file - 11903 bytes

[Reklama]

[sakiri]

Udělej scan MWAVem a vlož sem z něho log jak je popsáno v návodu.

A vlož sem také log z ComboFixu:
Stáhni si ComboFix, ulož ho na plochu zavři všechna spuštěná okna a spusť ho.
Postupuj dle pokynů během aplikování ComboFixu neklikej do zobrazujícího se okna může se stát totiž že to proces zastaví.
Po skončení se vytvoří log tak sem zkopíruj jeho obsah.
(Je možné že se počítač restartuje, bude to kvůli tomu že ComboFix našel infikované soubory aby je smazal tak se restartuje PC)
Pro spusťění ComboFixu je nutné mít práva administrátora.
Jinak je ComboFixův log umístěný na C:\ComboFix.txt

[Chriss1]

ComboFix 07-08-30.3 - "chriss" 2007-09-05 14:59:44.1 - FAT32x86 MINIMAL
Microsoft Windows XP Home Edition 5.1.2600.2.1250.1.1029.18.816 [GMT 2:00]


Unable to gain System Privileges

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))



Infected copy of C:\WINDOWS.0\system32\drivers\ndis.sys was found & disinfected
C:\WINDOWS.0\smsys.dat
C:\WINDOWS.0\system32\1_exception.nls
C:\WINDOWS.0\system32\cdn.dll
C:\WINDOWS.0\system32\cdncli.exe
C:\WINDOWS.0\system32\DefLib.sys
C:\WINDOWS.0\system32\drivers\runtime2.sys
Restored copy from - c:\WINDOWS.0\ServicePackFiles\i386\ndis.sys


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_ASC3550U
-------\LEGACY_FCI
-------\LEGACY_FWDRV.SYS
-------\LEGACY_RUNTIME
-------\LEGACY_RUNTIME2
-------\LEGACY_SYSLIBRARY
-------\FCI
-------\fwdrv.sys
-------\nm
-------\runtime
-------\SysLibrary


((((((((((((((((((((((((( Files Created from 2007-08-05 to 2007-09-05 )))))))))))))))))))))))))))))))


2007-09-05 15:05 182,912 --a------ C:\WINDOWS.0\system32\dllcache\ndis.sys
2007-09-05 14:39 51,200 --a------ C:\WINDOWS.0\nircmd.exe
2007-09-05 13:08 <DIR> d--hs---- C:\FOUND.013
2007-09-05 12:58 <DIR> d--hs---- C:\FOUND.012
2007-09-05 12:46 <DIR> d--hs---- C:\FOUND.011
2007-09-05 12:30 <DIR> d--hs---- C:\FOUND.010
2007-09-05 11:41 <DIR> d--hs---- C:\FOUND.009
2007-09-05 11:28 <DIR> d--hs---- C:\FOUND.008
2007-09-05 10:43 23 --ahs---- C:\WINDOWS.0\system32\bceebdcc9_r.dll
2007-09-05 10:43 <DIR> d-------- C:\Program Files\jv16 PowerTools 2007
2007-09-05 10:15 23 --ahs---- C:\WINDOWS.0\system32\bceebdcc9_g.dll
2007-09-05 10:15 <DIR> d-------- C:\Program Files\RegSupreme
2007-09-05 09:11 <DIR> d--hs---- C:\FOUND.007
2007-09-04 23:24 <DIR> d-------- C:\Program Files\ClearProg
2007-09-04 23:06 <DIR> d--hs---- C:\FOUND.006
2007-09-04 21:25 <DIR> d--hs---- C:\FOUND.005
2007-09-04 21:13 138,624 --a------ C:\WINDOWS.0\system32\drivers\sp_rsdrv2.sys
2007-09-04 21:09 <DIR> d-------- C:\Program Files\Spyware Terminator
2007-09-04 21:09 <DIR> d-------- C:\Program Files\Crawler
2007-09-04 21:09 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\DATAAP~1\Spyware Terminator
2007-09-04 17:25 3,968 --a------ C:\WINDOWS.0\system32\drivers\AvgArCln.sys
2007-09-04 10:26 <DIR> d--hs---- C:\FOUND.004
2007-09-04 08:23 <DIR> d--hs---- C:\FOUND.003
2007-09-03 23:11 159,744 --a------ C:\WINDOWS.0\system32\hasher.dll
2007-09-03 23:11 <DIR> d-------- C:\Program Files\Trisnap Technologies
2007-09-03 22:49 <DIR> d--hs---- C:\FOUND.002
2007-09-03 22:45 <DIR> d--hs---- C:\FOUND.001
2007-09-03 22:41 <DIR> d--hs---- C:\FOUND.000
2007-09-03 11:28 2,592 --ahs---- C:\WINDOWS.0\system32\drivers\fidbox2.dat
2007-09-03 11:28 1,659,424 --ahs---- C:\WINDOWS.0\system32\drivers\fidbox.dat
2007-09-03 11:28 <DIR> d-------- C:\Program Files\Kaspersky Lab
2007-09-03 11:28 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\DATAAP~1\Kaspersky Lab
2007-09-02 22:31 94,208 --a------ C:\WINDOWS.0\system32\MailSpectre.exe
2007-09-02 22:31 58,880 --a------ C:\WINDOWS.0\system32\fci.exe
2007-09-02 22:31 46,080 --a------ C:\WINDOWS.0\system32\hhw.exe
2007-09-02 22:31 18,944 --ah----- C:\WINDOWS.0\system32\drivers\protect.sys
2007-09-02 22:31 18,176 --a------ C:\WINDOWS.0\system32\drivers\smtpdrv.sys
2007-08-20 18:03 <DIR> d-------- C:\Program Files\Enigma Software Group
2007-08-07 09:50 <DIR> d-------- C:\Program Files\Phoner


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-09-05 14:54 32 --ahs---- C:\WINDOWS.0\system32\drivers\fidbox2.idx
2007-09-05 14:54 32 --ahs---- C:\WINDOWS.0\system32\drivers\fidbox.idx
2007-07-25 09:24 76560 --a------ C:\WINDOWS.0\system32\drivers\tmcomm.sys
2007-07-25 08:26 --------- d-------- C:\Program Files\HJT
2007-07-16 22:32 77312 --a------ C:\WINDOWS.0\ua2.dll
2007-07-13 08:56 --------- d-------- C:\Program Files\Skype
2007-07-13 08:56 --------- d-------- C:\Program Files\Common Files\Skype
2004-03-16 20:21 475 --a------ C:\Program Files\INSTALL.LOG
2004-03-11 13:27 40960 --a------ C:\Program Files\Uninstall_CDS.exe
2003-10-13 19:34 266 ---h----- C:\Program Files\desktop.ini
2003-10-13 19:34 11253 ---h----- C:\Program Files\folder.htt
2003-09-22 23:19 2095 --a------ C:\Program Files\uninstall.log
2000-08-09 14:26 3030 --a------ C:\Program Files\odbc.inf


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BD16B902-013C-0168-5569-7FDA099A90FF}]
2006-05-01 22:09 196608 --a------ C:\WINDOWS.0\DOWNLO~1\gcbhjzfg.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WService"="WService.EXE" [2002-01-30 08:23 C:\WINDOWS.0\system32\WService.exe]
"AtiPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-06-10 21:10]
"mouseElf"="C:\PROGRA~1\GENIUS~1\GNETMOUS.EXE" [2003-05-13 10:41]
"Mirabilis ICQ"="C:\PROGRA~1\ICQ\ICQNet.exe" [2003-10-14 17:36]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-09-05 08:19]
"SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [2004-08-13 19:05]
"CloneCDElbyCDFL"="C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" [2001-12-06 13:09]
"CloneCDTray"="C:\Program Files\Elaborate Bytes\CloneCD\CloneCDTray.exe" [2002-04-15 09:12]
"RemoteControl"="C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" [2003-12-08 17:35]
"PCSuiteTrayApplication"="C:\Program Files\Nokia\Nokia PC Suite 6\Launch Application 2.exe" [2004-11-25 12:59]
"DataLayer"="C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE" [2004-11-30 14:02]
"WorldClock"="" []
"Omnipage"="D:\Program Files\ScanSoft\OmniPageSE\opware32.exe" [2003-07-14 16:37]
"Acrobat Assistant 8.0"="G:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2006-10-22 23:24]
"SpyHunter"="C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe" [2007-04-26 19:03]
"kis"="C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe" [2006-03-24 18:09]
"SpywareTerminator"="C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe" [2007-09-04 21:11]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS.0\system32\ctfmon.exe" [2004-08-18 00:49]
"NBJ"="C:\Program Files\Ahead\Nero BackItUp\NBJ.exe" [2004-09-22 16:10]
"PcSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2004-11-24 12:29]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-07-02 17:10]
"WorldClock"="C:\Documents and Settings\chriss\Plocha\wclock30\wclock30.exe" [2006-10-29 14:46]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"=Narrator.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\arm32reg]

R0 protect;protect;C:\WINDOWS.0\system32\drivers\protect.sys
R1 smtpdrv;smtpdrv;C:\WINDOWS.0\system32\DRIVERS\smtpdrv.sys
R1 sp_rsdrv2;Spyware Terminator Driver 2;\??\C:\WINDOWS.0\system32\drivers\sp_rsdrv2.sys
R2 DgiVecp;Team MFP Comm Driver;C:\WINDOWS.0\system32\Drivers\DgiVecp.sys
R2 SpPortEx;Samsung Port Exclusion;C:\WINDOWS.0\system32\Drivers\SpPortEx.sys
R3 AVMWAN;NDIS WAN CAPI Treiber;C:\WINDOWS.0\system32\DRIVERS\avmwan.sys
R3 genmcmnUSB;USB Scroll Mouse Driver;C:\WINDOWS.0\system32\DRIVERS\gflmouhid.sys
R3 PSched;Plánovač paketů technologie QoS;C:\WINDOWS.0\system32\DRIVERS\psched.sys
S2 P1C1394;Phase One 1394 Camera Driver;C:\WINDOWS.0\system32\Drivers\p1c1394.sys
S2 Tablet2k;Serial Tablet Port Driver;"C:\WINDOWS.0\System32\Drivers\Tablet2k.sys"
S3 ati2mtaa;ati2mtaa;C:\WINDOWS.0\system32\DRIVERS\ati2mtaa.sys
S3 fxusbase;ISDN@2lines-Connector (WinXP/2000);C:\WINDOWS.0\system32\DRIVERS\fxusbase.sys
S3 MSIRCOMM;Microsoft IR Communications Driver;C:\WINDOWS.0\system32\DRIVERS\MSIRCOMM.sys
S3 NETFRITZ;AVM FRITZ!web PPP over ISDN;C:\WINDOWS.0\system32\DRIVERS\NETFRITZ.SYS
S3 ovt530;TM507A USB Camera;C:\WINDOWS.0\system32\Drivers\ov530vid.sys
S3 TClass2k;Tablet Class Driver;C:\WINDOWS.0\system32\DRIVERS\TClass2k.sys
S3 UCTblHid;HID Tablet Port Driver;C:\WINDOWS.0\system32\DRIVERS\UCTblHid.sys

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
Schedule


**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-05 15:10:46
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-09-05 15:15:05 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-09-05 15:14

--- E O F ---

na antiviru při restartu proběhly hlášky ohledně "catchme", regedit.exe se chtěl přejmenovávat na jpg ajiné, vše jsem zakázal, ale nevim...jak to dopadlo

[sakiri]

Při této akci je nutné mít ComboFix na ploše již by jsi ho tam měl mít stažený.

1. Spusť Notepad (Poznámkový blok) a vlož do něj celý text z toho bílého políčka:

Kód: Vybrat vše

Driver::
protect
smtpdrv

File:
C:\WINDOWS.0\system32\MailSpectre.exe
C:\WINDOWS.0\system32\fci.exe
C:\WINDOWS.0\system32\hhw.exe
C:\WINDOWS.0\system32\drivers\protect.sys
C:\WINDOWS.0\system32\drivers\smtpdrv.sys
C:\WINDOWS.0\DOWNLO~1\gcbhjzfg.dll

Folder:
C:\FOUND.013
C:\FOUND.012
C:\FOUND.011
C:\FOUND.010
C:\FOUND.009
C:\FOUND.008
C:\FOUND.007
C:\FOUND.006
C:\FOUND.005
C:\FOUND.004
C:\FOUND.003
C:\FOUND.002
C:\FOUND.001
C:\FOUND.000

Registry:
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BD16B902-013C-0168-5569-7FDA099A90FF}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\arm32reg]

Pak dej Soubor (File) -> Uložit jako (Save As) -> jak je Název souboru (File name) tak do toho řádku napiš: CFScript.txt
Typ souboru (Save as type) tak tam vyber *všechny soubory (*all files)
A ulož ho na plochu.

2. Uchop myší vytvořený skript CFScript.txt, přemísti ho nad stažený program ComboFix a když se oba soubory překryjí, skript upusť
- Automaticky se spustí ComboFix
- Po spuštění se zobrazí podmínky užití, potvrď je stiskem klávesy 1
- Postupuj dle pokynů, během aplikování ComboFixu neklikej do zobrazujícího se okna
- Po dokončení čistícího procesu a případném restartu počítače by se ti měl zobrazit log. Jinak umístěný C:\ComboFix.txt
- Tak sem zkopíruj celý jeho obsah.


Tyto dva soubory nechej otestovat na Virustotalu:
C:\WINDOWS.0\system32\bceebdcc9_r.dll
C:\WINDOWS.0\system32\bceebdcc9_g.dll

Zapni si - Zobrazovat skryté a systémové soubory.
A zkopíruj sem výsledky.

+ Nový log z HJT.

Jinak já jsem chtěl vyfiltrovaný log MWAV dle návodu co jsem ti dával.

[Chriss1]

Wed Sep 05 15:43:39 2007 => Soubor C:\WINDOWS.0\system32\DRIVERS\smtpdrv.sys je infikovaný virem Email-Worm.Win32.Agent.l !!
Wed Sep 05 15:45:06 2007 => Soubor C:\WINDOWS.0\system32\fci.exe je infikovaný virem Trojan.Win32.Obfuscated.hn !
Wed Sep 05 15:45:08 2007 => Soubor C:\WINDOWS.0\system32\hhw.exe//PE_Patch.UPX//UPX je infikovaný virem Email-Worm.Win32.Mydoom.bj !!
Wed Sep 05 15:45:54 2007 => Soubor C:\WINDOWS.0\system32\MailSpectre.exe je infikovaný virem Email-Worm.Win32.Agent.q
Wed Sep 05 15:43:49 2007 => System found infected with flashget Unclassified ({a5366673-e8ca-11d3-9cd9-0090271d075b})! Action taken: Nic nebylo provedeno.
Wed Sep 05 15:43:49 2007 => System found infected with killav.nbd Browser Hijacker ({e0e899ab-f487-11d5-8d29-0050ba6940e3})! Action taken: Nic nebylo provedeno.
Wed Sep 05 15:43:49 2007 => System found infected with killav.nbd Browser Hijacker ({e0e899ab-f487-11d5-8d29-0050ba6940e3})! Action taken: Nic nebylo provedeno.
Wed Sep 05 15:43:49 2007 => System found infected with flashget Unclassified ({a5366673-e8ca-11d3-9cd9-0090271d075b})! Action taken: Nic nebylo provedeno.
Wed Sep 05 15:43:53 2007 => Offending file found: C:\WINDOWS.0\system32\swsc.exe
Wed Sep 05 15:43:53 2007 => System found infected with trojan-downloader.bat.ftp.ab Trojan-Downloader (swsc.exe)! Action taken: Nic nebylo provedeno.

Wed Sep 05 15:43:53 2007 => Offending file found: C:\WINDOWS.0\system32\moveex.exe
Wed Sep 05 15:43:53 2007 => System found infected with trojan-downloader.bat.ftp.ab Trojan-Downloader (moveex.exe)! Action taken: Nic nebylo provedeno.

Wed Sep 05 15:43:53 2007 => Offending file found: C:\WINDOWS.0\system32\swreg.exe
Wed Sep 05 15:43:53 2007 => System found infected with trojan-downloader.bat.ftp.ab Trojan-Downloader (swreg.exe)! Action taken: Nic nebylo provedeno.

Wed Sep 05 15:43:58 2007 => Offending file found: C:\Documents and Settings\chriss\Data aplikací\install.dat
Wed Sep 05 15:43:58 2007 => System found infected with zlob Trojan-Downloader (install.dat)! Action taken: Nic nebylo provedeno.
Wed Sep 05 15:42:54 2007 => Invalid Entry DllName = appmgmts.dll (in key SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{c6dc5466-785a-11d2-84d0-00c04fb169f7}). Deleting Registry Key {c6dc5466-785a-11d2-84d0-00c04fb169f7}...


Wed Sep 05 15:47:39 2007 => Testovaných objektů: 30787
Wed Sep 05 15:47:39 2007 => Kritických objektů: 12
Wed Sep 05 15:47:39 2007 => Celkem vyléčených objektů: 0
Wed Sep 05 15:47:39 2007 => Celkem přejmenováno: 0
Wed Sep 05 15:47:39 2007 => Smazaných objektů: 0
Wed Sep 05 15:47:39 2007 => Celkem chyb: 167
Wed Sep 05 15:47:39 2007 => Uplynulý čas: 00:05:23
Wed Sep 05 15:47:39 2007 => Datum vydání databáze: 9/5/2007
Wed Sep 05 15:47:39 2007 => Verze virové databáze: 404109

[Chriss1]

No, až teď jsem to z toho logu vykopíroval, omlouvám se ale předtim jsem to odeslal špatně. Aktualizovat na novější databáze nemohu, protože mi nejde to připojení k netu. Tak a jdu si přečíst pořádně ty odpovědi. protože neco prislo, zatimco ja tohle pisu...

//OK, smažu tedy ten dlouhý nepovedený
//Karlos

[sakiri]

OK.

Nezapomeň udělat tu akci s tím ComboFixem.

[Chriss1]

jdu na to, kmitám mezi dvěma počítačema s flashdiskem tak to trvá....

[Chriss1]

Tak nevim, předtim, než combofix restartoval počítač začala rezidentní ochrana spyterminatoru vyhazovat hlášky, že se chtějí nějaké soubory přejmenovávat...sem si myslel, že je to reakce viru, tak jsem tuším první dva zakazal po dlouhem cekani, protože jsem si nebyl jistý jestli na to můžu vůbec kliknout...jdu zjistit co se stalo

[Chriss1]

ComboFix 07-08-30.3 - "chriss" 2007-09-05 16:52:30.2 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.2.1250.1.1029.18.500 [GMT 2:00]


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS.0\regedit.com
C:\WINDOWS.0\system32\taskmgr.com


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_PROTECT
-------\LEGACY_SMTPDRV
-------\protect
-------\smtpdrv


((((((((((((((((((((((((( Files Created from 2007-08-05 to 2007-09-05 )))))))))))))))))))))))))))))))


2007-09-05 15:43 <DIR> d-a------ C:\WINDOWS.0\zts2.exe
2007-09-05 15:43 <DIR> d-a------ C:\WINDOWS.0\system32\vcmgcd32.dll
2007-09-05 15:43 <DIR> d-a------ C:\WINDOWS.0\system32\iifgfgf.dll
2007-09-05 15:43 <DIR> d-a------ C:\WINDOWS.0\rundll16.exe
2007-09-05 15:43 <DIR> d-a------ C:\WINDOWS.0\rundl132.dll
2007-09-05 15:43 <DIR> d-a------ C:\WINDOWS.0\logo1_.exe
2007-09-05 15:39 147,968 --a------ C:\WINDOWS.0\R.COM
2007-09-05 15:39 137,216 --a------ C:\WINDOWS.0\system32\T.COM
2007-09-05 15:05 182,912 --a------ C:\WINDOWS.0\system32\dllcache\ndis.sys
2007-09-05 14:39 51,200 --a------ C:\WINDOWS.0\nircmd.exe
2007-09-05 13:08 <DIR> d--hs---- C:\FOUND.013
2007-09-05 12:58 <DIR> d--hs---- C:\FOUND.012
2007-09-05 12:46 <DIR> d--hs---- C:\FOUND.011
2007-09-05 12:30 <DIR> d--hs---- C:\FOUND.010
2007-09-05 11:41 <DIR> d--hs---- C:\FOUND.009
2007-09-05 11:28 <DIR> d--hs---- C:\FOUND.008
2007-09-05 10:43 23 --ahs---- C:\WINDOWS.0\system32\bceebdcc9_r.dll
2007-09-05 10:43 <DIR> d-------- C:\Program Files\jv16 PowerTools 2007
2007-09-05 10:15 23 --ahs---- C:\WINDOWS.0\system32\bceebdcc9_g.dll
2007-09-05 10:15 <DIR> d-------- C:\Program Files\RegSupreme
2007-09-05 09:11 <DIR> d--hs---- C:\FOUND.007
2007-09-04 23:24 <DIR> d-------- C:\Program Files\ClearProg
2007-09-04 23:06 <DIR> d--hs---- C:\FOUND.006
2007-09-04 21:25 <DIR> d--hs---- C:\FOUND.005
2007-09-04 21:13 138,624 --a------ C:\WINDOWS.0\system32\drivers\sp_rsdrv2.sys
2007-09-04 21:09 <DIR> d-------- C:\Program Files\Spyware Terminator
2007-09-04 21:09 <DIR> d-------- C:\Program Files\Crawler
2007-09-04 21:09 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\DATAAP~1\Spyware Terminator
2007-09-04 17:25 3,968 --a------ C:\WINDOWS.0\system32\drivers\AvgArCln.sys
2007-09-04 10:26 <DIR> d--hs---- C:\FOUND.004
2007-09-04 08:23 <DIR> d--hs---- C:\FOUND.003
2007-09-03 23:11 159,744 --a------ C:\WINDOWS.0\system32\hasher.dll
2007-09-03 23:11 <DIR> d-------- C:\Program Files\Trisnap Technologies
2007-09-03 22:49 <DIR> d--hs---- C:\FOUND.002
2007-09-03 22:45 <DIR> d--hs---- C:\FOUND.001
2007-09-03 22:41 <DIR> d--hs---- C:\FOUND.000
2007-09-03 11:28 82,464 --ahs---- C:\WINDOWS.0\system32\drivers\fidbox2.dat
2007-09-03 11:28 1,659,424 --ahs---- C:\WINDOWS.0\system32\drivers\fidbox.dat
2007-09-03 11:28 <DIR> d-------- C:\Program Files\Kaspersky Lab
2007-09-03 11:28 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\DATAAP~1\Kaspersky Lab
2007-09-02 22:31 94,208 --a------ C:\WINDOWS.0\system32\MailSpectre.exe
2007-09-02 22:31 58,880 --a------ C:\WINDOWS.0\system32\fci.exe
2007-09-02 22:31 46,080 --a------ C:\WINDOWS.0\system32\hhw.exe
2007-09-02 22:31 18,944 --ah----- C:\WINDOWS.0\system32\drivers\protect.sys
2007-09-02 22:31 18,176 --a------ C:\WINDOWS.0\system32\drivers\smtpdrv.sys
2007-08-20 18:03 <DIR> d-------- C:\Program Files\Enigma Software Group
2007-08-07 09:50 <DIR> d-------- C:\Program Files\Phoner


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-09-05 16:59 331136 --ahs---- C:\WINDOWS.0\system32\drivers\fidbox2.idx
2007-09-05 16:59 1244 --ahs---- C:\WINDOWS.0\system32\drivers\fidbox.idx
2007-07-25 09:24 76560 --a------ C:\WINDOWS.0\system32\drivers\tmcomm.sys
2007-07-25 08:26 --------- d-------- C:\Program Files\HJT
2007-07-16 22:32 77312 --a------ C:\WINDOWS.0\ua2.dll
2007-07-13 08:56 --------- d-------- C:\Program Files\Skype
2007-07-13 08:56 --------- d-------- C:\Program Files\Common Files\Skype
2004-03-16 20:21 475 --a------ C:\Program Files\INSTALL.LOG
2004-03-11 13:27 40960 --a------ C:\Program Files\Uninstall_CDS.exe
2003-10-13 19:34 266 ---h----- C:\Program Files\desktop.ini
2003-10-13 19:34 11253 ---h----- C:\Program Files\folder.htt
2003-09-22 23:19 2095 --a------ C:\Program Files\uninstall.log
2000-08-09 14:26 3030 --a------ C:\Program Files\odbc.inf


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BD16B902-013C-0168-5569-7FDA099A90FF}]
2006-05-01 22:09 196608 --a------ C:\WINDOWS.0\DOWNLO~1\gcbhjzfg.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WService"="WService.EXE" [2002-01-30 08:23 C:\WINDOWS.0\system32\WService.exe]
"AtiPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-06-10 21:10]
"mouseElf"="C:\PROGRA~1\GENIUS~1\GNETMOUS.EXE" [2003-05-13 10:41]
"Mirabilis ICQ"="C:\PROGRA~1\ICQ\ICQNet.exe" [2003-10-14 17:36]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-09-05 08:19]
"SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [2004-08-13 19:05]
"CloneCDElbyCDFL"="C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" [2001-12-06 13:09]
"CloneCDTray"="C:\Program Files\Elaborate Bytes\CloneCD\CloneCDTray.exe" [2002-04-15 09:12]
"RemoteControl"="C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" [2003-12-08 17:35]
"PCSuiteTrayApplication"="C:\Program Files\Nokia\Nokia PC Suite 6\Launch Application 2.exe" [2004-11-25 12:59]
"DataLayer"="C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE" [2004-11-30 14:02]
"WorldClock"="" []
"Omnipage"="D:\Program Files\ScanSoft\OmniPageSE\opware32.exe" [2003-07-14 16:37]
"Acrobat Assistant 8.0"="G:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2006-10-22 23:24]
"SpyHunter"="C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe" [2007-04-26 19:03]
"kis"="C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe" [2006-03-24 18:09]
"SpywareTerminator"="C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe" [2007-09-04 21:11]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS.0\system32\ctfmon.exe" [2004-08-18 00:49]
"NBJ"="C:\Program Files\Ahead\Nero BackItUp\NBJ.exe" [2004-09-22 16:10]
"PcSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2004-11-24 12:29]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-07-02 17:10]
"WorldClock"="C:\Documents and Settings\chriss\Plocha\wclock30\wclock30.exe" [2006-10-29 14:46]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"=Narrator.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\arm32reg]

R1 sp_rsdrv2;Spyware Terminator Driver 2;\??\C:\WINDOWS.0\system32\drivers\sp_rsdrv2.sys
R2 DgiVecp;Team MFP Comm Driver;C:\WINDOWS.0\system32\Drivers\DgiVecp.sys
R2 SpPortEx;Samsung Port Exclusion;C:\WINDOWS.0\system32\Drivers\SpPortEx.sys
R3 AVMWAN;NDIS WAN CAPI Treiber;C:\WINDOWS.0\system32\DRIVERS\avmwan.sys
R3 genmcmnUSB;USB Scroll Mouse Driver;C:\WINDOWS.0\system32\DRIVERS\gflmouhid.sys
R3 PSched;Plánovač paketů technologie QoS;C:\WINDOWS.0\system32\DRIVERS\psched.sys
S2 P1C1394;Phase One 1394 Camera Driver;C:\WINDOWS.0\system32\Drivers\p1c1394.sys
S2 Tablet2k;Serial Tablet Port Driver;"C:\WINDOWS.0\System32\Drivers\Tablet2k.sys"
S3 ati2mtaa;ati2mtaa;C:\WINDOWS.0\system32\DRIVERS\ati2mtaa.sys
S3 fxusbase;ISDN@2lines-Connector (WinXP/2000);C:\WINDOWS.0\system32\DRIVERS\fxusbase.sys
S3 MSIRCOMM;Microsoft IR Communications Driver;C:\WINDOWS.0\system32\DRIVERS\MSIRCOMM.sys
S3 NETFRITZ;AVM FRITZ!web PPP over ISDN;C:\WINDOWS.0\system32\DRIVERS\NETFRITZ.SYS
S3 ovt530;TM507A USB Camera;C:\WINDOWS.0\system32\Drivers\ov530vid.sys
S3 TClass2k;Tablet Class Driver;C:\WINDOWS.0\system32\DRIVERS\TClass2k.sys
S3 UCTblHid;HID Tablet Port Driver;C:\WINDOWS.0\system32\DRIVERS\UCTblHid.sys

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
Schedule


**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-05 17:06:29
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-09-05 17:12:50 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-09-05 17:12

--- E O F ---

[Chriss1]

Soubor bceebdcc9_g.dll přijatý 2007.09.05 17:25:36 (CET)
Současný stav: Čekejte ... Ve frontě Čekání Testování Dokončeno NENALEZENO ZASTAVENO


Výsledek: 0/32 (0%)

Soubor bceebdcc9_r.dll přijatý 2007.09.05 17:44:39 (CET)
Současný stav: Čekejte ... Ve frontě Čekání Testování Dokončeno NENALEZENO ZASTAVENO


Výsledek: 0/32 (0%)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:51:19, on 5.9.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS.0\System32\smss.exe
C:\WINDOWS.0\system32\winlogon.exe
C:\WINDOWS.0\system32\services.exe
C:\WINDOWS.0\system32\lsass.exe
C:\WINDOWS.0\System32\Ati2evxx.exe
C:\WINDOWS.0\system32\svchost.exe
C:\WINDOWS.0\System32\svchost.exe
C:\Program Files\Sygate\SPF\Smc.exe
C:\WINDOWS.0\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS.0\System32\svchost.exe
C:\PROGRA~1\TRISNA~1\SSI\SYSENF~1.EXE
C:\WINDOWS.0\system32\wscntfy.exe
C:\WINDOWS.0\system32\Ati2evxx.exe
C:\WINDOWS.0\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\GENIUS~1\GNETMOUS.EXE
C:\WINDOWS.0\system32\WService.EXE
C:\Program Files\Elaborate Bytes\CloneCD\CloneCDTray.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\Nokia\Nokia PC Suite 6\Launch Application 2.exe
D:\Program Files\ScanSoft\OmniPageSE\opware32.exe
G:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
C:\PROGRA~1\ICQ\ICQ.exe
C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\WINDOWS.0\system32\ctfmon.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Documents and Settings\chriss\Plocha\wclock30\wclock30.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
L:\HiJackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\Crawler\Toolbar\CToolbar.exe
C:\PROGRA~1\SPYWAR~1\STServer.Exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FLASHGET\jccatch.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - G:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: BzcDyszu Class - {BD16B902-013C-0168-5569-7FDA099A90FF} - C:\WINDOWS.0\DOWNLO~1\gcbhjzfg.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\FGIEBAR.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - G:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Crawler Toolbar - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O4 - HKLM\..\Run: [WService] WService.EXE
O4 - HKLM\..\Run: [AtiPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [mouseElf] C:\PROGRA~1\GENIUS~1\GNETMOUS.EXE
O4 - HKLM\..\Run: [Mirabilis ICQ] C:\PROGRA~1\ICQ\ICQNet.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\Elaborate Bytes\CloneCD\CloneCDTray.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\Launch Application 2.exe -onlytray
O4 - HKLM\..\Run: [DataLayer] C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
O4 - HKLM\..\Run: [Omnipage] D:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "G:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe
O4 - HKLM\..\Run: [kis] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe"
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS.0\system32\ctfmon.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [WorldClock] "C:\Documents and Settings\chriss\Plocha\wclock30\wclock30.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS.0\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS.0\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS.0\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS.0\System32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: RemoteScan Server.lnk = C:\Program Files\RemoteScan Server\RemoteScanServer.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk
O4 - Global Startup: Adobe Acrobat Synchronizer.lnk = G:\Program Files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe
O8 - Extra context menu item: Append to existing PDF - res://G:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://G:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://G:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://G:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://G:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://G:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://G:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://G:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Crawler Search - tbr:iemenu
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xportovat do aplikace Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Web Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\scieplugin.dll
O9 - Extra button: Chinese Navigation - {35980F6E-A137-4E50-953D-813BB8556899} - C:\WINDOWS.0\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Chinese Navigation - {35980F6E-A137-4E50-953D-813BB8556899} - C:\WINDOWS.0\System32\shdocvw.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\FLASHGET.EXE
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\FLASHGET.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows.0\system32\nwprovau.dll
O16 - DPF: {3717DF57-0396-463D-98B7-647C7DC6898A} - http://delivery.inet-traffic.com/intdel.exe
O16 - DPF: {4ADC518E-B607-11D4-B395-0001020F4519} (SigVer Class) - https://portal.ozp.cz/obj/Signer.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 0939995642
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Protocol: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O20 - Winlogon Notify: arm32reg - C:\WINDOWS.0\
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS.0\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS.0\system32\ati2sgag.exe (file missing)
O23 - Service: Kaspersky Internet Security 6.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Unknown owner - C:\Program Files\Bonjour\mDNSResponder.exe (file missing)
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\Smc.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: SysEnforce - Unknown owner - C:\PROGRA~1\TRISNA~1\SSI\SYSENF~1.EXE
O23 - Service: WinTab Service (WinTabService) - Unknown owner - C:\WINDOWS.0\System32\Drivers\WTSRV.EXE (file missing)
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/chriss/LOCALS~1/Temp/msohtml1/01/clip_image001.gif

--
End of file - 11649 bytes

[sakiri]

Udělej toto:

Stáhni si Avenger a spusť ho pod účtem administrátora.
Zaškrtni volbu - Input script manually a klikni na ikonku lupy vyskočí prázdné okno kam zkopíruj ten tučně označený text:
Files to delete:
C:\WINDOWS.0\system32\MailSpectre.exe
C:\WINDOWS.0\system32\fci.exe
C:\WINDOWS.0\system32\hhw.exe
C:\WINDOWS.0\system32\drivers\protect.sys
C:\WINDOWS.0\system32\drivers\smtpdrv.sys
C:\WINDOWS.0\DOWNLO~1\gcbhjzfg.dll

Folders to delete:
C:\FOUND.013
C:\FOUND.012
C:\FOUND.011
C:\FOUND.010
C:\FOUND.009
C:\FOUND.008
C:\FOUND.007
C:\FOUND.006
C:\FOUND.005
C:\FOUND.004
C:\FOUND.003
C:\FOUND.002
C:\FOUND.001
C:\FOUND.000

Registry keys to delete:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BD16B902-013C-0168-5569-7FDA099A90FF}
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\arm32reg

A klikni na Done.
Poté klikni na ikonku Semafory.

Vyskočí hláška kde odklikni Yes poté další hláška kde odklikni Yes.
PC se restartuje.Po restartu by ti měl "vyběhnout" log z Avengeru tak ho sem zkopíruj.

+ nový log z ComboFixu.

A odinstaluj Crawler Toolbar a FLASHGET.

Poté sem vlož také nový log z HJT.

Jinak při testování těch souborů jsi byl ve frontě musíš počkat až se na tebe dostane řada.