PC-HELP.CZ

České diskuzní fórum o počítačích
https://pc-help.cnews.cz/

virtumonde

https://pc-help.cnews.cz/viewtopic.php?f=70&t=28778

Stránka 1 z 1

virtumonde

Napsal: 30 čer 2008 19:48
od l.i.b.o.r
Dobrý den. mám problém s virtumonde. Spybot mi ho najde, smaže, ale on se znovu obnoví. Zatím jsem přišel jen na to, že mi blokuje nějaké stránky.. Třeba vyhledávače
muj log z HijackThis

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:00:31, on 30.6.2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\Borland\InterBase\bin\ibguard.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Borland\InterBase\bin\ibserver.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\DAEMON Tools\daemon.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\Program Files\QIP\qip.exe
C:\Program Files\totalcmd7\TOTALCMD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.servis24.cz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;*.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {89657FA2-DD86-4CFC-868C-8936AB239E1D} - C:\WINDOWS\system32\qoMefefg.dll (file missing)
O2 - BHO: (no name) - {ACED1C9F-2718-4512-9F69-F4E28C1F484F} - (no file)
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {C4A2E1E1-41A2-4514-8797-1D5CFAC75512} - C:\WINDOWS\system32\cbXRHbcb.dll (file missing)
O2 - BHO: (no name) - {E03C5BEE-09AB-4F2B-AC3B-0AAB99BDC9AE} - C:\WINDOWS\system32\rqRJAroO.dll (file missing)
O3 - Toolbar: StylerToolBar - {D2F8F919-690B-4EA2-9FA7-A203D1E04F75} - c:\Program Files\Styler\TB\StylerTB.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [C6501Sound] RunDll32 c6501.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [BMefb693dd] Rundll32.exe "C:\WINDOWS\system32\mtfgjumd.dll",s
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xportovat do aplikace Microsoft Office Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Zdroje informací - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 6506709406
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su2/CTL_V02002/ ... /CTPID.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: yaywuUlM - C:\WINDOWS\
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: InterBase Guardian (InterBaseGuardian) - Borland Software Corporation - C:\Program Files\Borland\InterBase\bin\ibguard.exe
O23 - Service: InterBase Server (InterBaseServer) - Borland Software Corporation - C:\Program Files\Borland\InterBase\bin\ibserver.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: DiRT Drivers Auto Removal (pr2ah4nc) (pr2ah4nc) - CODEMASTERS - C:\WINDOWS\system32\pr2ah4nc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe

--
End of file - 11641 bytes

a z SDFix:

SDFix: Version 1.199
Run by Administrator on po 30.06.2008 at 18:00

Microsoft Windows XP [Verze 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

No Trojan Files Found






Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-30 18:14:18
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s1"=dword:2645764b
"s2"=dword:9eb893a4
"h0"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Program Files\DAEMON Tools\"
"h0"=dword:00000000
"khjeh"=hex:5e,73,cb,e8,b3,90,eb,a2,bf,5c,d9,b0,bc,42,43,b8,f0,3b,21,e1,90,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,ff,57,68,a7,c4,b5,4d,72,93,b6,e2,35,c1,e6,f9,ef,61,..
"khjeh"=hex:e8,2b,86,5c,30,8e,d4,70,9d,b1,78,a3,1e,f7,f6,e8,c7,4e,c9,02,47,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:e4,57,b8,d2,b6,77,8d,eb,5f,51,5b,7c,e9,bb,18,31,bf,da,4c,4f,a5,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Program Files\DAEMON Tools\"
"h0"=dword:00000000
"khjeh"=hex:5e,73,cb,e8,b3,90,eb,a2,bf,5c,d9,b0,bc,42,43,b8,f0,3b,21,e1,90,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,ff,57,68,a7,c4,b5,4d,72,93,b6,e2,35,c1,e6,f9,ef,61,..
"khjeh"=hex:e8,2b,86,5c,30,8e,d4,70,9d,b1,78,a3,1e,f7,f6,e8,c7,4e,c9,02,47,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:84,9e,b9,cd,32,4c,51,6b,97,14,7b,0d,a6,65,36,32,68,81,87,ff,2e,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Program Files\DAEMON Tools\"
"h0"=dword:00000000
"khjeh"=hex:5e,73,cb,e8,b3,90,eb,a2,bf,5c,d9,b0,bc,42,43,b8,f0,3b,21,e1,90,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,ff,57,68,a7,c4,b5,4d,72,93,b6,e2,35,c1,e6,f9,ef,61,..
"khjeh"=hex:e8,2b,86,5c,30,8e,d4,70,9d,b1,78,a3,1e,f7,f6,e8,c7,4e,c9,02,47,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:e4,57,b8,d2,b6,77,8d,eb,5f,51,5b,7c,e9,bb,18,31,bf,da,4c,4f,a5,..

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Cursors\Schemes]
"\f\1e?r?n?é? ?u?k?a?z?a?t?e?l?e? ?"="C:\WINDOWS\cursors\arrow_r.cur,C:\WINDOWS\cursors\help_r.cur,C:\WINDOWS\cursors\wait_r.cur,C:\WINDOWS\cursors\busy_r.cur,C:\WINDOWS\cursors\cross_r.cur,C:\WINDOWS\cursors\beam_r.cur,C:\WINDOWS\cursors\pen_r.cur,C:\WINDOWS\cursors\no_r.cur,C:\WINDOWS\cursors\size4_r.cur,C:\WINDOWS\cursors\size3_r.cur,C:\WINDOWS\cursors\size2_r.cur,C:\WINDOWS\cursors\size1_r.cur,C:\WINDOWS\cursors\move_r.cur,C:\WINDOWS\cursors\up_r.cur"
"\f\1e?r?n?é? ?u?k?a?z?a?t?e?l?e? ?(?v?e?l?k?é?)?"="C:\WINDOWS\cursors\arrow_rm.cur,C:\WINDOWS\cursors\help_rm.cur,C:\WINDOWS\cursors\wait_rm.cur,C:\WINDOWS\cursors\busy_rm.cur,C:\WINDOWS\cursors\cross_rm.cur,C:\WINDOWS\cursors\beam_rm.cur,C:\WINDOWS\cursors\pen_rm.cur,C:\WINDOWS\cursors\no_rm.cur,C:\WINDOWS\cursors\size4_rm.cur,C:\WINDOWS\cursors\size3_rm.cur,C:\WINDOWS\cursors\size2_rm.cur,C:\WINDOWS\cursors\size1_rm.cur,C:\WINDOWS\cursors\move_rm.cur,C:\WINDOWS\cursors\up_rm.cur"
"\f\1e?r?n?é? ?u?k?a?z?a?t?e?l?e? ?(?n?e?j?v?\e\1t?a\1í?)?"="C:\WINDOWS\cursors\arrow_rl.cur,C:\WINDOWS\cursors\help_rl.cur,C:\WINDOWS\cursors\wait_rl.cur,C:\WINDOWS\cursors\busy_rl.cur,C:\WINDOWS\cursors\cross_rl.cur,C:\WINDOWS\cursors\beam_rl.cur,C:\WINDOWS\cursors\pen_rl.cur,C:\WINDOWS\cursors\no_rl.cur,C:\WINDOWS\cursors\size4_rl.cur,C:\WINDOWS\cursors\size3_rl.cur,C:\WINDOWS\cursors\size2_rl.cur,C:\WINDOWS\cursors\size1_rl.cur,C:\WINDOWS\cursors\move_rl.cur,C:\WINDOWS\cursors\up_rl.cur"

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\Program Files\\ICQLite\\ICQLite.exe"="C:\\Program Files\\ICQLite\\ICQLite.exe:*:Enabled:ICQ Lite"
"C:\\Program Files\\uTorrent\\utorrent.exe"="C:\\Program Files\\uTorrent\\utorrent.exe:*:Enabled:uTorrent"
"C:\\Program Files\\ventrilo\\Ventrilo.exe"="C:\\Program Files\\ventrilo\\Ventrilo.exe:*:Enabled:Ventrilo"
"C:\\Program Files\\Warcraft III\\Frozen Throne.exe"="C:\\Program Files\\Warcraft III\\Frozen Throne.exe:*:Enabled:Warcraft III - The Frozen Throne"
"C:\\Program Files\\totalcmd\\TOTALCMD.EXE"="C:\\Program Files\\totalcmd\\TOTALCMD.EXE:*:Enabled:Total Commander 32 bit international version, file manager replacement for Windows"
"C:\\WINDOWS\\system32\\dpvsetup.exe"="C:\\WINDOWS\\system32\\dpvsetup.exe:*:Disabled:Microsoft DirectPlay Voice Test"
"C:\\WINDOWS\\system32\\rundll32.exe"="C:\\WINDOWS\\system32\\rundll32.exe:*:Disabled:Run a DLL as an App"
"C:\\Program Files\\EA GAMES\\The Battle for Middle-earth (tm)\\game.dat"="C:\\Program Files\\EA GAMES\\The Battle for Middle-earth (tm)\\game.dat:*:Disabled:The Battle for Middle-earth (tm)"
"C:\\Program Files\\TrackMania Nations ESWC Special Edition\\TmNationsESWC.exe"="C:\\Program Files\\TrackMania Nations ESWC Special Edition\\TmNationsESWC.exe:*:Disabled:TmNationsESWC"
"C:\\WINDOWS\\system32\\sessmgr.exe"="C:\\WINDOWS\\system32\\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"="C:\\Program Files\\Mozilla Firefox\\firefox.exe:*:Enabled:Firefox"
"C:\\Program Files\\World of Warcraft\\Repair.exe"="C:\\Program Files\\World of Warcraft\\Repair.exe:*:Enabled:Blizzard Repair Utility"
"E:\\my\\QIP\\qip.exe"="E:\\my\\QIP\\qip.exe:*:Enabled:Quiet Internet Pager"
"C:\\Program Files\\Java\\jdk1.6.0_05\\jre\\bin\\java.exe"="C:\\Program Files\\Java\\jdk1.6.0_05\\jre\\bin\\java.exe:*:Enabled:Java(TM) Platform SE binary"
"C:\\Program Files\\Miranda IM\\miranda32.exe"="C:\\Program Files\\Miranda IM\\miranda32.exe:*:Enabled:Miranda IM"
"C:\\Program Files\\QIP\\qip.exe"="C:\\Program Files\\QIP\\qip.exe:*:Enabled:Quiet Internet Pager"
"C:\\Program Files\\Miranda IM\\MirandaPack\\MirandaPack\\miranda32.exe"="C:\\Program Files\\Miranda IM\\MirandaPack\\MirandaPack\\miranda32.exe:*:Enabled:Miranda IM"
"C:\\Program Files\\MirandaPack\\miranda32.exe"="C:\\Program Files\\MirandaPack\\miranda32.exe:*:Enabled:Miranda IM"
"C:\\Program Files\\Mir4nda-IM-0.7-Pack-v1.9.3\\miranda32.exe"="C:\\Program Files\\Mir4nda-IM-0.7-Pack-v1.9.3\\miranda32.exe:*:Enabled:Miranda IM"
"C:\\Program Files\\THQ\\MotoGP 2007\\motogp.exe"="C:\\Program Files\\THQ\\MotoGP 2007\\motogp.exe:*:Enabled:motogp"
"C:\\Program Files\\BearShare\\BearShare.exe"="C:\\Program Files\\BearShare\\BearShare.exe:*:Enabled:BearShare"
"C:\\Program Files\\SecondLife\\SLVoice.exe"="C:\\Program Files\\SecondLife\\SLVoice.exe:*:Enabled:SLVoice"
"C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe:*:Disabled:ActiveSync Application"
"C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"="C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe:*:Disabled:Connection Manager"
"C:\\Program Files\\Codemasters\\DiRT\\DiRT.exe"="C:\\Program Files\\Codemasters\\DiRT\\DiRT.exe:*:Disabled:DiRT Executable"
"C:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"="C:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe:*:Disabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\THQ\\S.T.A.L.K.E.R. - Shadow of Chernobyl\\bin\\XR_3DA.exe"="C:\\Program Files\\THQ\\S.T.A.L.K.E.R. - Shadow of Chernobyl\\bin\\XR_3DA.exe:*:Disabled:S.T.A.L.K.E.R. - Shadow of Chernobyl (CLI)"
"C:\\Program Files\\THQ\\S.T.A.L.K.E.R. - Shadow of Chernobyl\\bin\\dedicated\\XR_3DA.exe"="C:\\Program Files\\THQ\\S.T.A.L.K.E.R. - Shadow of Chernobyl\\bin\\dedicated\\XR_3DA.exe:*:Disabled:S.T.A.L.K.E.R. - Shadow of Chernobyl (SRV)"
"C:\\Program Files\\TVUPlayer\\TVUPlayer.exe"="C:\\Program Files\\TVUPlayer\\TVUPlayer.exe:*:Disabled:TVUPlayer Component"
"C:\\Program Files\\Sony Ericsson\\Update Service\\Update Service.exe"="C:\\Program Files\\Sony Ericsson\\Update Service\\Update Service.exe:*:Disabled:Update Service"
"C:\\Program Files\\VideoLAN\\VLC\\vlc.exe"="C:\\Program Files\\VideoLAN\\VLC\\vlc.exe:*:Disabled:VLC media player"
"C:\\Program Files\\Ubisoft\\Funatics\\The Settlers II - 10th Anniversary\\bin\\S2DNG.exe"="C:\\Program Files\\Ubisoft\\Funatics\\The Settlers II - 10th Anniversary\\bin\\S2DNG.exe:*:Disabled:S2DNG"
"C:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"="C:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe:*:Enabled:BlueSoleil"
"C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"="C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe:*:Enabled:Logitech Desktop Messenger"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"="C:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe:*:Enabled:Adobe Version Cue CS3 Server"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\totalcmd7\\TOTALCMD.EXE"="C:\\Program Files\\totalcmd7\\TOTALCMD.EXE:*:Enabled:Total Commander 32 bit international version, file manager replacement for Windows"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"="C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe:*:Enabled:Logitech Desktop Messenger"

Remaining Files :



Files with Hidden Attributes :

Fri 13 May 2005 217,073 A.SHR --- "C:\WINDOWS\meta4.exe"
Mon 7 Jan 2008 352 A..H. --- "C:\WINDOWS\nod32fixtemdono.reg"
Mon 28 Jan 2008 1,404,240 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 28 Jan 2008 5,146,448 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Mon 28 Jan 2008 2,097,488 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Thu 14 Jul 2005 27,648 A.SHR --- "C:\WINDOWS\system32\AVSredirect.dll"
Sun 26 Jun 2005 616,448 A.SHR --- "C:\WINDOWS\system32\cygwin1.dll"
Tue 21 Jun 2005 45,568 A.SHR --- "C:\WINDOWS\system32\cygz.dll"
Wed 3 May 2006 163,328 A.SHR --- "C:\WINDOWS\system32\flvDX.dll"
Sun 25 Jan 2004 70,656 A.SHR --- "C:\WINDOWS\system32\i420vfw.dll"
Wed 21 Feb 2007 31,232 A.SHR --- "C:\WINDOWS\system32\msfDX.dll"
Mon 28 Feb 2005 240,128 A.SHR --- "C:\WINDOWS\system32\x.264.exe"
Sun 25 Jan 2004 70,656 A.SHR --- "C:\WINDOWS\system32\yv12vfw.dll"
Wed 4 Apr 2007 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Sun 26 Jun 2005 616,448 ..SHR --- "C:\Program Files\eRightSoft\SUPER\cygwin1.dll"
Tue 21 Jun 2005 45,568 ..SHR --- "C:\Program Files\eRightSoft\SUPER\cygz.dll"
Wed 4 Jul 2007 72,704 ..SHR --- "C:\Program Files\eRightSoft\SUPER\Setup.exe"
Fri 27 Oct 2006 15,360 A.SHR --- "C:\Program Files\eRightSoft\SUPER\_Setup.dll"
Sat 10 Mar 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Tue 4 Jun 2002 84,992 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\14_43260.dll"
Tue 4 Jun 2002 44,032 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\28_83260.dll"
Tue 10 Dec 2002 73,766 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\atrc3260.dll"
Tue 10 Dec 2002 65,575 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\cook3260.dll"
Sun 9 Jun 2002 36,864 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\ddnt3260.dll"
Tue 4 Jun 2002 20,480 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\dnet3260.dll"
Tue 10 Dec 2002 102,437 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\drv13260.dll"
Tue 10 Dec 2002 176,165 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\drv23260.dll"
Tue 10 Dec 2002 208,935 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\drv33260.dll"
Tue 10 Dec 2002 217,127 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\drv43260.dll"
Sun 9 Jun 2002 40,448 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\dspr3260.dll"
Sun 4 Nov 2001 225,280 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\ivvideo.dll"
Tue 10 Apr 2001 225,280 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\qtmlClient.dll"
Fri 20 Feb 2004 232,960 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\raac.dll"
Sun 9 Jun 2002 525,824 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\rnco3260.dll"
Tue 10 Dec 2002 245,805 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\rnlt3260.dll"
Tue 10 Dec 2002 45,093 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\rv103260.dll"
Tue 10 Dec 2002 98,341 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\rv203260.dll"
Tue 10 Dec 2002 94,247 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\rv303260.dll"
Tue 10 Dec 2002 90,151 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\rv403260.dll"
Tue 10 Dec 2002 102,439 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\sipr3260.dll"
Sun 9 Jun 2002 49,152 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\tokr3260.dll"
Wed 16 Apr 2008 165,232 A..H. --- "C:\Documents and Settings\Admin\Data aplikacˇ\Microsoft\Virtual PC\VPCKeyboard.dll"
Sun 21 Oct 2007 888 ...HR --- "C:\Documents and Settings\Admin\Data aplikacˇ\SecuROM\UserData\securom_v7_01.bak"
Tue 10 Oct 2006 96,768 A..H. --- "C:\Documents and Settings\Admin\Dokumenty\LIBOREK\sarsko\~WRL0001.tmp"
Tue 10 Oct 2006 96,768 A..H. --- "C:\Documents and Settings\Admin\Dokumenty\LIBOREK\sarsko\~WRL0004.tmp"
Tue 10 Oct 2006 143,872 A..H. --- "C:\Documents and Settings\Admin\Dokumenty\LIBOREK\sarsko\~WRL0078.tmp"
Tue 10 Oct 2006 143,872 A..H. --- "C:\Documents and Settings\Admin\Dokumenty\LIBOREK\sarsko\~WRL0903.tmp"
Tue 10 Oct 2006 171,008 A..H. --- "C:\Documents and Settings\Admin\Dokumenty\LIBOREK\sarsko\~WRL1368.tmp"
Tue 10 Oct 2006 117,248 A..H. --- "C:\Documents and Settings\Admin\Dokumenty\LIBOREK\sarsko\~WRL2213.tmp"
Tue 10 Oct 2006 143,872 A..H. --- "C:\Documents and Settings\Admin\Dokumenty\LIBOREK\sarsko\~WRL2612.tmp"
Tue 10 Oct 2006 117,248 A..H. --- "C:\Documents and Settings\Admin\Dokumenty\LIBOREK\sarsko\~WRL3748.tmp"
Tue 20 Apr 2004 47,104 A..H. --- "C:\Documents and Settings\Admin\Dokumenty\MILENKA\Rizeni 4_3_2_1_\~WRL0001.tmp"
Tue 20 Apr 2004 37,888 A..H. --- "C:\Documents and Settings\Admin\Dokumenty\MILENKA\Rizeni 4_3_2_1_\~WRL0005.tmp"

Finished!

Re: virtumonde

Napsal: 30 čer 2008 20:37
od fredik
Vítej na fóru

Stáhni ComboFix (by sUBs) a ulož si ho na plochu.
Ukonči všechna aktivní okna a spusť ho.
- Po spuštění se zobrazí podmínky užití, potvrď je stiskem tlačítka Ano
- Dále postupuj dle pokynů, během aplikování ComboFixu neklikej do zobrazujícího se okna
- Po dokončení skenování by měl program vytvořit log - C:\ComboFix.txt - zkopíruj sem prosím celý jeho obsah

Re: virtumonde

Napsal: 30 čer 2008 21:30
od l.i.b.o.r
tak tady je lox z ComboFixu
ComboFix 08-06-20.4 - Admin 2008-06-30 20:43:05.1 - NTFSx86
Systém Microsoft Windows XP Professional 5.1.2600.3.1250.1.1029.18.1558 [GMT 2:00]
Running from: C:\Documents and Settings\Admin\Plocha\ComboFix.exe
* Created a new restore point
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
/wow section - STAGE 38
pv: No matching processes found
Nesprávná syntaxe příkazu


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\BMefb693dd.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\bcbHRXbc.ini
C:\WINDOWS\system32\bcbHRXbc.ini2
C:\WINDOWS\system32\Cfx32.lic
C:\WINDOWS\system32\cfx32.ocx
C:\WINDOWS\system32\gfefeMoq.ini
C:\WINDOWS\system32\gfefeMoq.ini2
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\OorAJRqr.ini
C:\WINDOWS\system32\OorAJRqr.ini2
C:\WINDOWS\system32\xefyyhyt.ini
C:\WINDOWS\system32\xjnmcbwb.ini
C:\WINDOWS\system32\ydshdfna.ini
C:\WINDOWS\system32\yhodtkqr.ini
C:\WINDOWS\winhelp.ini

.
((((((((((((((((((((((((( Files Created from 2008-05-28 to 2008-06-30 )))))))))))))))))))))))))))))))
.

2008-06-30 17:51 . 2008-06-30 17:51 <DIR> d-------- C:\WINDOWS\ERUNT
2008-06-30 17:47 . 2008-06-30 18:27 <DIR> d-------- C:\SDFix
2008-06-29 22:43 . 2008-06-29 22:43 <DIR> d-------- C:\VundoFix Backups
2008-06-29 22:43 . 2008-06-30 20:55 <DIR> d-------- C:\Documents and Settings\Administrator\Plocha
2008-06-29 22:43 . 2008-06-29 22:43 <DIR> d--h----- C:\Documents and Settings\Administrator\Okolnˇ tisk rny
2008-06-29 22:43 . 2008-06-29 22:43 <DIR> d--h----- C:\Documents and Settings\Administrator\Okolnˇ sˇś
2008-06-29 22:43 . 2008-06-29 22:43 <DIR> d-------- C:\Documents and Settings\Administrator\Oblˇben‚ polo§ky
2008-06-29 22:43 . 2008-06-29 22:43 <DIR> dr------- C:\Documents and Settings\Administrator\Nabˇdka Start
2008-06-29 22:43 . 2008-06-29 22:43 <DIR> d-------- C:\Documents and Settings\Administrator\Dokumenty
2008-06-29 21:49 . 2008-06-29 22:43 <DIR> d--h----- C:\Documents and Settings\Administrator\ćablony
2008-06-29 21:49 . 2008-06-29 22:43 <DIR> dr-h----- C:\Documents and Settings\Administrator\Data aplikacˇ
2008-06-29 21:49 . 2008-06-29 22:43 <DIR> d-------- C:\Documents and Settings\Administrator
2008-06-29 21:36 . 2008-06-29 21:36 933 --a------ C:\sp.lnk
2008-06-29 20:43 . 2008-06-29 22:43 <DIR> d-------- C:\Program Files\Spyware Terminator
2008-06-29 20:43 . 2008-06-29 20:43 141,312 --a------ C:\WINDOWS\system32\drivers\sp_rsdrv2.sys
2008-06-29 13:06 . 2008-06-29 13:06 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-27 22:45 . 2008-06-27 22:45 81,920 --a------ C:\WINDOWS\system32\tyhyyfex.dll
2008-06-27 22:42 . 2008-06-27 22:42 90,112 --a------ C:\WINDOWS\system32\mtfgjumd.dll
2008-06-27 21:06 . 2008-06-27 21:06 90,112 --a------ C:\WINDOWS\system32\ydjtrgjp.dll
2008-06-27 20:38 . 2008-06-29 09:36 326 --a------ C:\WINDOWS\wininit.ini
2008-06-27 20:07 . 2008-06-27 20:07 90,112 --a------ C:\WINDOWS\system32\norsaejc.dll
2008-06-26 17:27 . 2008-06-26 17:27 80,896 --a------ C:\WINDOWS\system32\rqktdohy.dll
2008-06-10 18:14 . 2008-06-10 18:14 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2008-06-09 17:46 . 2008-06-09 17:46 <DIR> d-------- C:\WINDOWS\system32\cs
2008-06-09 17:46 . 2008-06-09 17:46 <DIR> d-------- C:\WINDOWS\system32\bits
2008-06-09 17:46 . 2008-06-09 17:46 <DIR> d-------- C:\WINDOWS\l2schemas
2008-06-09 17:44 . 2008-06-09 17:44 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-06-09 17:35 . 2004-08-17 15:43 701,440 --------- C:\WINDOWS\system32\drivers\ati2mtag.sys
2008-06-04 20:41 . 2008-06-04 20:41 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2008-06-02 13:03 . 2008-06-02 13:03 <DIR> d-------- C:\Program Files\Common Files\Control Panels
2008-06-02 12:44 . 2007-02-20 16:04 2,463,976 --a------ C:\WINDOWS\system32\NPSWF32.dll
2008-06-02 12:44 . 2007-02-20 16:04 190,696 --a------ C:\WINDOWS\system32\NPSWF32_FlashUtil.exe
2008-06-02 12:38 . 2008-06-02 12:38 <DIR> d-------- C:\Program Files\Bonjour
2008-06-02 12:34 . 2008-06-02 12:34 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2008-06-01 11:05 . 2008-06-01 11:05 <DIR> d-------- C:\Program Files\OLYMPUS
2008-05-16 10:53 . 2006-11-24 16:45 1,888,256 --a------ C:\h2benchw.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-30 15:07 --------- d-----w C:\Program Files\%temp&
2008-06-29 10:39 --------- d-----w C:\Program Files\ICQLite
2008-06-27 12:09 --------- d-----w C:\Program Files\Warcraft III
2008-06-02 11:03 --------- d-----w C:\Program Files\Common Files\Adobe
2008-06-02 10:27 --------- d-----w C:\Program Files\Macromedia
2008-06-02 10:18 --------- d-----w C:\Program Files\SpeedFan
2008-06-02 10:10 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-01 09:06 --------- d-----w C:\Program Files\QuickTime
2008-05-14 12:35 --------- d-----w C:\Program Files\Yuuguu
2008-05-03 14:37 --------- d-----w C:\Program Files\Java
2008-04-14 03:22 69,632 ----a-w C:\WINDOWS\notepad.exe
2008-04-14 03:22 50,688 ----a-w C:\WINDOWS\twain_32.dll
2008-04-14 03:22 32,866 ------w C:\WINDOWS\slrundll.exe
2008-04-14 03:22 283,648 ----a-w C:\WINDOWS\winhlp32.exe
2008-04-14 03:22 147,968 ----a-w C:\WINDOWS\regedit.exe
2008-04-14 03:22 10,752 ----a-w C:\WINDOWS\hh.exe
2008-04-14 03:22 1,034,240 ----a-w C:\WINDOWS\explorer.exe
2008-04-14 03:21 451,072 ----a-w C:\WINDOWS\AppPatch\aclayers.dll
2008-04-14 03:21 39,424 ----a-w C:\WINDOWS\AppPatch\acadproc.dll
2008-04-14 03:21 245,248 ----a-w C:\WINDOWS\AppPatch\acspecfc.dll
2008-04-14 03:21 141,312 ----a-w C:\WINDOWS\AppPatch\aclua.dll
2008-04-14 03:21 116,224 ----a-w C:\WINDOWS\AppPatch\acxtrnal.dll
2008-04-14 03:21 1,852,928 ----a-w C:\WINDOWS\AppPatch\acgenral.dll
2006-12-23 15:04 2,258,996 ----a-w C:\Program Files\WC3Banlist.zip
2004-10-01 14:00 40,960 ----a-w C:\Program Files\Uninstall_CDS.exe
2005-05-13 16:12 217,073 --sha-r C:\WINDOWS\meta4.exe
2005-07-14 11:31 27,648 --sha-r C:\WINDOWS\system32\AVSredirect.dll
2005-06-26 14:32 616,448 --sha-r C:\WINDOWS\system32\cygwin1.dll
2005-06-21 21:37 45,568 --sha-r C:\WINDOWS\system32\cygz.dll
2006-05-03 09:06 163,328 --sha-r C:\WINDOWS\system32\flvDX.dll
2004-01-24 23:00 70,656 --sha-r C:\WINDOWS\system32\i420vfw.dll
2007-02-21 10:47 31,232 --sha-r C:\WINDOWS\system32\msfDX.dll
2005-02-28 12:16 240,128 --sha-r C:\WINDOWS\system32\x.264.exe
2004-01-24 23:00 70,656 --sha-r C:\WINDOWS\system32\yv12vfw.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{89657FA2-DD86-4CFC-868C-8936AB239E1D}]
C:\WINDOWS\system32\qoMefefg.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ACED1C9F-2718-4512-9F69-F4E28C1F484F}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C4A2E1E1-41A2-4514-8797-1D5CFAC75512}]
C:\WINDOWS\system32\cbXRHbcb.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E03C5BEE-09AB-4F2B-AC3B-0AAB99BDC9AE}]
C:\WINDOWS\system32\rqRJAroO.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 05:22 15360]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE" [2002-01-08 18:24 401496]
"LDM"="C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe" [2007-12-24 19:58 67128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="NvMCTray.dll" [2006-08-08 15:54 86016 C:\WINDOWS\system32\nvmctray.dll]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2006-09-14 22:09 157592]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe" [2001-10-22 20:01 196608]
"P17Helper"="P17.dll" [2005-05-03 20:38 64512 C:\WINDOWS\system32\P17.DLL]
"C6501Sound"="c6501.cpl,CMICtrlWnd" []
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-08-08 15:54 7630848]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-04-11 16:32 56080 C:\WINDOWS\KHALMNPR.Exe]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 02:00 90112]
"EM_EXEC"="C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE" [2002-07-01 10:50 28672]
"egui"="C:\Program Files\ESET\ESET Smart Security\egui.exe" [2007-12-21 09:21 1443072]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-01-11 19:54 623992]
"BMefb693dd"="C:\WINDOWS\system32\mtfgjumd.dll" [2008-06-27 22:42 90112]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2008-04-14 05:22 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\yaywuUlM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.I420"= i420vfw.dll
"vidc.yv12"= yv12vfw.dll
"MSACM.CEGSM"= mobilev.acm

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^Admin^Nabídka Start^Programy^Po spuštění^Styler.lnk]
path=C:\Documents and Settings\Admin\Nabídka Start\Programy\Po spuštění\Styler.lnk
backup=C:\WINDOWS\pss\Styler.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Nabídka Start^Programy^Po spuštění^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Nabídka Start\Programy\Po spuštění\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe_ID0EYTHM]
--a------ 2007-03-20 16:40 1884160 C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BMefb693dd]
--a------ 2008-06-27 22:42 90112 C:\WINDOWS\system32\mtfgjumd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ec85a041]
--a------ 2008-06-27 22:45 81920 C:\WINDOWS\system32\tyhyyfex.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
--------- 2005-07-08 17:25 1397760 C:\Program Files\Ahead\InCD\InCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LGODDFU]
--a------ 2008-02-07 20:32 249856 C:\Program Files\lg_fwupdate\fwupdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBJ]
--------- 2006-02-10 22:40 2048000 C:\Program Files\Ahead\Nero BackItUp\NBJ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 12:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2006-08-08 15:54 1519616 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OM2_Monitor]
--a------ 2008-02-22 14:29 95536 C:\Program Files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PowerBar]
--------- 2004-04-21 11:26 86016 C:\Program Files\CyberLink DVD Solution\Multimedia Launcher\PowerBar.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-09-01 15:57 282624 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--a------ 2004-11-02 21:24 32768 C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
-rahs---- 2008-01-28 12:43 2097488 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-02-22 04:25 144784 C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WatchDog]
--------- 2004-08-14 05:42 36864 C:\Program Files\mobile PhoneTools\WatchDog.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WhenUSave]
C:\Program Files\Save\Save.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\ICQLite\\ICQLite.exe"=
"C:\\Program Files\\uTorrent\\utorrent.exe"=
"C:\\Program Files\\ventrilo\\Ventrilo.exe"=
"C:\\Program Files\\Warcraft III\\Frozen Throne.exe"=
"C:\\Program Files\\totalcmd\\TOTALCMD.EXE"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\Java\\jdk1.6.0_05\\jre\\bin\\java.exe"=
"C:\\Program Files\\QIP\\qip.exe"=
"C:\\Program Files\\MirandaPack\\miranda32.exe"=
"C:\\Program Files\\Mir4nda-IM-0.7-Pack-v1.9.3\\miranda32.exe"=
"C:\\Program Files\\THQ\\MotoGP 2007\\motogp.exe"=
"C:\\Program Files\\BearShare\\BearShare.exe"=
"C:\\Program Files\\SecondLife\\SLVoice.exe"=
"C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe"=
"C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"=
"C:\\Program Files\\Codemasters\\DiRT\\DiRT.exe"=
"C:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Sony Ericsson\\Update Service\\Update Service.exe"=
"C:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"C:\\Program Files\\Ubisoft\\Funatics\\The Settlers II - 10th Anniversary\\bin\\S2DNG.exe"=
"C:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
"C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\totalcmd7\\TOTALCMD.EXE"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"38734:TCP"= 38734:TCP:port: 38734
"3587:TCP"= 3587:TCP:Skupiny sítě Peer-to-Peer
"3540:UDP"= 3540:UDP:Protokol PNRP (Peer Name Resolution Protocol)
"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R0 pe3ah4nc;DiRT Environment Driver (pe3ah4nc);C:\WINDOWS\system32\drivers\pe3ah4nc.sys [2007-05-18 21:53]
R0 ps6ah4nc;DiRT Synchronization Driver (ps6ah4nc);C:\WINDOWS\system32\drivers\ps6ah4nc.sys [2007-05-18 21:52]
R1 VBoxDrv;VirtualBox Service;C:\WINDOWS\system32\DRIVERS\VBoxDrv.sys [2007-10-18 09:55]
R1 VBoxUSBMon;VirtualBox USB Monitor Driver;C:\WINDOWS\system32\DRIVERS\VBoxUSBMon.sys [2007-10-18 09:55]
R3 PSched;Plánovač paketů technologie QoS;C:\WINDOWS\system32\DRIVERS\psched.sys [2008-04-13 20:56]
R3 stihp2k;stihp2k;C:\WINDOWS\system32\DRIVERS\stihp2k.sys [2001-06-05 23:25]
S2 pr2ah4nc;DiRT Drivers Auto Removal (pr2ah4nc);C:\WINDOWS\system32\pr2ah4nc.exe svc []
S3 c65013264;C-Media CM6501 Like Sound UDAX Interface;C:\WINDOWS\system32\drivers\c6501.sys [2006-09-05 18:04]
S3 cm102u32;C-Media CM6501 Like Sound Interface;C:\WINDOWS\system32\drivers\c6501.sys [2006-09-05 18:04]
S3 ggflt;SEMC USB Flash Driver Filter;C:\WINDOWS\system32\DRIVERS\ggflt.sys [2007-11-14 20:09]
S3 k310bus;Sony Ericsson K310 Driver driver (WDM);C:\WINDOWS\system32\DRIVERS\k310bus.sys [2006-03-10 14:03]
S3 k310mdfl;Sony Ericsson K310 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\k310mdfl.sys [2006-03-10 14:03]
S3 k310mdm;Sony Ericsson K310 USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\k310mdm.sys [2006-03-10 14:03]
S3 k310mgmt;Sony Ericsson K310 USB WMC Device Management Drivers (WDM);C:\WINDOWS\system32\DRIVERS\k310mgmt.sys [2006-03-10 14:03]
S3 k310obex;Sony Ericsson K310 USB WMC OBEX Interface;C:\WINDOWS\system32\DRIVERS\k310obex.sys [2006-03-10 14:03]
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys [2005-08-02 23:10]
S3 p2pgasvc;Ověřování v síti skupiny rovnocenných počítačů;C:\WINDOWS\system32\svchost.exe [2008-04-14 05:22]
S3 p2pimsvc;Správce identit sítě rovnocenných počítačů;C:\WINDOWS\system32\svchost.exe [2008-04-14 05:22]
S3 p2psvc;Síť rovnocenných počítačů;C:\WINDOWS\system32\svchost.exe [2008-04-14 05:22]
S3 PNRPSvc;Protokol PNRP;C:\WINDOWS\system32\svchost.exe [2008-04-14 05:22]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-30 20:55:19
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\Borland\InterBase\bin\ibguard.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\Program Files\Borland\InterBase\bin\ibserver.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.exe
C:\Program Files\Logitech\SetPoint\LULnchr.exe
C:\Program Files\Logitech\SetPoint\LogitechUpdate.exe
.
**************************************************************************
.
Completion time: 2008-06-30 21:28:41 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-30 19:27:59

Adresářů: 20, Volných bajtů: 59,690,024,960
Adres ý…: 21, Volněch bajt…: 61,835,255,808

285

Re: virtumonde

Napsal: 30 čer 2008 21:45
od Kosak
Zdravim,

pouzite Avenger s tymto skriptom:

Kód: Vybrat vše

Files to delete:
C:\WINDOWS\system32\tyhyyfex.dll
C:\WINDOWS\system32\mtfgjumd.dll
C:\WINDOWS\system32\ydjtrgjp.dll
C:\WINDOWS\system32\norsaejc.dll
C:\WINDOWS\system32\rqktdohy.dll
C:\WINDOWS\system32\x.264.exe

Folders to delete:
C:\Program Files\Save

Registry keys to delete:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{89657FA2-DD86-4CFC-868C-8936AB239E1D}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ACED1C9F-2718-4512-9F69-F4E28C1F484F}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C4A2E1E1-41A2-4514-8797-1D5CFAC75512}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E03C5BEE-09AB-4F2B-AC3B-0AAB99BDC9AE}
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\yaywuUlM
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BMefb693dd
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ec85a041
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WhenUSave

Registry values to delete:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | BMefb693dd



Skontrolujte, co je v tomto adresari:

Kód: Vybrat vše

C:\Program Files\%temp&

Re: virtumonde

Napsal: 30 čer 2008 22:15
od l.i.b.o.r
Ten skript nepomohl.
A v temp je jen jeden soubor bat.bat vytvořen v prosinci minulého roku. Ten vermunde mám od 26.června

Re: virtumonde

Napsal: 30 čer 2008 22:18
od Kosak
Posli log z Avengeru, nech vidim, co sa zmazalo a co nie.

Re: virtumonde

Napsal: 01 črc 2008 16:11
od l.i.b.o.r
Tak děkuju všem. nakonec jsme na problém přišli na jiném foru přes avenger.
Časové pásmo: UTC+02:00
Stránka 1 z 1
Powered by phpBB® Forum Software © phpBB Limited
https://www.phpbb.com/