Trojan.FakeAlert [Solved]


rtepp
newcomer
Posts: 11
Registered: February 09
Gender: Male

Trojan.FakeAlert

Post by rtepp » 03 Feb 2009 20:57

My system keeps reporting that I have Trojan.FakeAlert on the computer. I ran MBAW, then SDFix, and then MBAW again. I'm also attaching the current HijackThis log. Please check the logs.

First MBAW
Malwarebytes' Anti-Malware 1.33
Verze databáze: 1716
Windows 5.1.2600 Service Pack 3

3. 2. 2009 17:16:32
mbam-log-2009-02-03 (17-16-32).txt

Typ skenu: Rychlý sken
Objektu skenováno: 69882
Uplynulý cas: 4 minute(s), 41 second(s)

Infikované procesy pameti: 0
Infikované pametové moduly: 0
Infikované klíce registru: 1
Infikované hodnoty registru: 0
Infikované položky dat registru: 0
Infikované složky: 0
Infikované soubory: 0

Infikované procesy pameti:
(Žádné zákerné položky nebyly zjišteny)

Infikované pametové moduly:
(Žádné zákerné položky nebyly zjišteny)

Infikované klíce registru:
HKEY_CLASSES_ROOT\CLSID\{0b014b81-4e12-46f9-806f-55867af8fd3c} (Trojan.FakeAlert) -> Delete on reboot.

Infikované hodnoty registru:
(Žádné zákerné položky nebyly zjišteny)

Infikované položky dat registru:
(Žádné zákerné položky nebyly zjišteny)

Infikované složky:
(Žádné zákerné položky nebyly zjišteny)

Infikované soubory:
(Žádné zákerné položky nebyly zjišteny)



SDFix log

System Report
*************

Run on Út 03. 02. 2009 at 17:31

Microsoft Windows XP [Verze 5.1.2600]

Current user is an administrator

Running Processes:

\SystemRoot\System32\smss.exe [160]
\??\C:\WINDOWS\system32\csrss.exe [208]
\??\C:\WINDOWS\system32\winlogon.exe [232]
C:\WINDOWS\system32\services.exe [276]
C:\WINDOWS\system32\lsass.exe [288]
C:\WINDOWS\system32\svchost.exe [448]
C:\WINDOWS\system32\svchost.exe [512]
C:\WINDOWS\system32\svchost.exe [580]
C:\WINDOWS\Explorer.EXE [868]


Drivers - Running:

ACPI
atapi
Beep
Cdfs
Cdrom
Disk
dmio
dmload
Fdc
FltMgr
Ftdisk
i8042prt
Imapi
isapnp
Kbdclass
KSecDD
Mouclass
MountMgr
Msfs
mssmbios
Mup
NDIS
Npfs
Ntfs
Null
PartMgr
PCI
PxHelp20
rdpdr
redbook
sfdrv01
sfhlp02
sfvfs02
snapman
sr
swenum
TermDD
Update
usbehci
usbhub
USBSTOR
usbuhci
VgaSave
viaagp
viaagp1
ViaIde
VolSnap
WudfPf


Drivers - Stopped:

Aavmker4
Abiosdsk
abp480n5
ACPIEC
adpu160m
aec
AFD
Aha154x
aic78u2
aic78xx
ALCXWDM
AliIde
amsint
asc
asc3350p
asc3550
aswFsBlk
aswMon2
aswRdr
aswSP
aswTdi
AsyncMac
Atdisk
ati2mtaa
ati2mtag
Atmarpc
audstub
cbidf2k
cd20xrnt
Cdaudio
Changer
CmdIde
Cpqarray
dac960nt
dmboot
DMusic
dpti2o
drmkaud
Fastfat
Fips
Flpydisk
gameenum
gel90xne
GMSIPCI
Gpc
HidUsb
hpn
HSFHWBS2
HSF_DP
HSF_DPV
HTTP
i2omgmt
i2omp
InCDFs
InCDPass
InCDRm
ini910u
IntelIde
intelppm
Ip6Fw
IpFilterDriver
IpInIp
IpNat
IPSec
IRENUM
iteio
kmixer
lbrtfdc
mdmxsdk
mnmdd
Modem
MODEMCSA
mraid35x
MREMP50
MREMP50a64
MREMPR5
MRENDIS5
MRESP50
MRESP50a64
MRxDAV
MRxSmb
MSKSSRV
MSPCLOCK
MSPQM
NdisTapi
Ndisuio
NdisWan
NDProxy
NetBIOS
NetBT
NwlnkFlt
NwlnkFwd
Parport
ParVdm
PCIDump
PCIIde
Pcmcia
PDCOMP
PDFRAME
PDRELI
PDRFRAME
perc2
perc2hib
PptpMiniport
PSched
Ptilink
ql1080
Ql10wnt
ql12160
ql1240
ql1280
RasAcd
Rasl2tp
RasPppoe
Raspti
Rdbss
RDPCDD
RDPWD
rtl8139
rtport
SANDRA
SASDIFSV
SASENUM
SASKUTIL
Secdrv
serenum
Serial
sermouse
Sfloppy
Simbad
Sparrow
splitter
Srv
StreamDispatcher
swmidi
symc810
symc8xx
sym_hi
sym_u3
sysaudio
Tcpip
TDPIPE
TDTCP
TosIde
Udfs
ultra
usbccgp
usbprint
usbscan
USB_RNDIS
Wanarp
WDICA
wdmaud
winachsf
WpdUsb
WS2IFSL
WudfRd


Services - Running:

CryptSvc
DcomLaunch
dmserver
Eventlog
helpsvc
PlugPlay
RpcSs
srservice
winmgmt


Services - Stopped:

Alerter
ALG
AppMgmt
aspnet_state
aswUpdSv
Ati
ATI
AudioSrv
avast!
avast!
avast!
BITS
Browser
CiSvc
ClipSrv
clr_optimization_v2.0.50727_32
COMSysApp
Dhcp
dmadmin
Dnscache
Dot3svc
EapHost
ERSvc
EventSystem
FastUserSwitchingCompatibility
FontCache3.0.0.0
HidServ
hkmsvc
HTTPFilter
IDriverT
idsvc
ImapiService
lanmanserver
lanmanworkstation
LmHosts
McciCMService
Messenger
mnmsrvc
MSDTC
MSIServer
napagent
NetDDE
NetDDEdsdm
Netlogon
Netman
NetTcpPortSharing
Nla
NtLmSsp
NtmsSvc
ose
PolicyAgent
ProtectedStorage
RasAuto
RasMan
RDSessMgr
RemoteAccess
RemoteRegistry
RpcLocator
RSVP
SamSs
SandraAgentSrv
SCardSvr
Schedule
seclogon
SENS
SharedAccess
ShellHWDetection
Spooler
SSDPSRV
stisvc
SwPrv
SysmonLog
TapiSrv
TermService
Themes
TlntSvr
TrkWks
upnphost
UPS
VSS
W32Time
WebClient
WmdmPmSN
Wmi
WmiApSrv
WMPNetworkSvc
wscsvc
wuauserv
WudfSvc
WZCSVC
xmlprov


Files Created/Modified - 60 Days:


C:\

3 Feb 2009 17.31.02 0 A.SHR "C:\IO.SYS"
3 Feb 2009 17.31.02 0 A.SHR "C:\MSDOS.SYS"
3 Feb 2009 17.28.48 402 653 184 A.SH. "C:\pagefile.sys"


C:\WINDOWS\

3 Feb 2009 17.29.12 2 048 A.S.. "C:\WINDOWS\bootstat.dat"
7 Dec 2008 16.11.52 2 560 A.... "C:\WINDOWS\_MSRSTRT.EXE"
1 Feb 2009 19.58.14 512 176 A.... "C:\WINDOWS\system32\FNTCACHE.DAT"
10 Jan 2009 2.35.28 20 853 704 A.... "C:\WINDOWS\system32\MRT.exe"
13 Dec 2008 7.39.10 3 593 216 A.... "C:\WINDOWS\system32\mshtml.dll"
1 Feb 2009 19.34.30 83 004 A.... "C:\WINDOWS\system32\perfc005.dat"
1 Feb 2009 19.34.30 71 474 A.... "C:\WINDOWS\system32\perfc009.dat"
1 Feb 2009 19.34.30 437 718 A.... "C:\WINDOWS\system32\perfh005.dat"
1 Feb 2009 19.34.30 441 260 A.... "C:\WINDOWS\system32\perfh009.dat"
3 Feb 2009 17.27.42 6 A..H. "C:\WINDOWS\Tasks\SA.DAT"
2 Feb 2009 18.00.22 6 588 A.... "C:\WINDOWS\Temp\14l7hVpd.dat"
3 Feb 2009 17.31.04 794 A.... "C:\WINDOWS\Temp\scs4.tmp"
13 Dec 2008 7.39.10 3 593 216 A.... "C:\WINDOWS\system32\dllcache\mshtml.dll"
11 Dec 2008 11.57.10 333 952 ..... "C:\WINDOWS\system32\dllcache\srv.sys"
14 Jan 2009 16.11.28 15 504 A.... "C:\WINDOWS\system32\drivers\mbam.sys"
14 Jan 2009 16.11.32 38 496 A.... "C:\WINDOWS\system32\drivers\mbamswissarmy.sys"
11 Dec 2008 11.57.10 333 952 A.... "C:\WINDOWS\system32\drivers\srv.sys"
1 Feb 2009 19.33.50 8 192 A.... "C:\WINDOWS\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e\IEExecRemote.dll"
1 Feb 2009 19.33.58 258 048 A.... "C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790\System.EnterpriseServices.dll"
1 Feb 2009 19.33.58 113 664 A.... "C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790\System.EnterpriseServices.Wrapper.dll"
24 Dec 2008 20.22.44 82 432 A.... "C:\WINDOWS\WinSxS\x86_Microsoft.MSXML2R_6bd6b9abf345378f_4.1.0.0_x-ww_29c3ad6a\msxml4r.dll"
5 Dec 2008 20.12.12 5 931 008 A.... "C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\System.ServiceModel.dll"
5 Dec 2008 19.35.22 1 736 528 A.... "C:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\wpfgfx_v0300.dll"


C:\Program Files\

14 Jan 2009 16.11.28 380 048 A.... "C:\Program Files\Malwarebytes' Anti-Malware\mbam-dor.exe"
14 Jan 2009 16.11.26 73 360 A.... "C:\Program Files\Malwarebytes' Anti-Malware\mbam.dll"
14 Jan 2009 16.11.26 1 273 488 A.... "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe"
14 Jan 2009 16.11.28 73 360 A.... "C:\Program Files\Malwarebytes' Anti-Malware\mbamext.dll"
14 Jan 2009 16.11.30 399 504 A.... "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe"
14 Jan 2009 16.11.30 170 640 A.... "C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe"
14 Jan 2009 16.11.30 44 688 A.... "C:\Program Files\Malwarebytes' Anti-Malware\ssubtmr6.dll"
2 Feb 2009 19.17.02 9 056 A.... "C:\Program Files\Malwarebytes' Anti-Malware\unins000.dat"
2 Feb 2009 19.16.30 688 784 A.... "C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
14 Jan 2009 16.11.32 77 968 A.... "C:\Program Files\Malwarebytes' Anti-Malware\zlib.dll"
15 Jan 2009 16.17.36 1 830 128 A.... "C:\Program Files\SUPERAntiSpyware\b3a83c21-b090-4e30-9001-f97bbbea91ba.exe"
15 Jan 2009 16.17.40 8 944 A.... "C:\Program Files\SUPERAntiSpyware\sasdifsv.sys"
15 Jan 2009 16.17.42 7 408 A...R "C:\Program Files\SUPERAntiSpyware\SASENUM.SYS"
15 Jan 2009 16.17.38 55 024 A.... "C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS"
22 Dec 2008 11.05.34 356 352 A.... "C:\Program Files\SUPERAntiSpyware\SASWINLO.dll"
15 Jan 2009 16.17.34 158 960 A.... "C:\Program Files\SUPERAntiSpyware\SSUpdate.exe"
15 Jan 2009 16.17.36 1 830 128 A.... "C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe"
24 Dec 2008 18.23.20 121 344 A.... "C:\Program Files\Spybot - Search & Destroy\Plugins\TCPIPAddress.dll"
17 Dec 2008 18.17.38 93 074 A.... "C:\Program Files\Spybot - Search & Destroy\Updates\includes.pups.zip"
14 Jan 2009 18.17.40 7 878 A.... "C:\Program Files\Spybot - Search & Destroy\Updates\includes.security.zip"
21 Jan 2009 18.18.54 515 011 A.... "C:\Program Files\Spybot - Search & Destroy\Updates\includes.trojans.zip"
28 Jan 2009 18.18.00 182 586 A.... "C:\Program Files\Spybot - Search & Destroy\Updates\includes.spybots.zip"
28 Jan 2009 18.20.16 1 699 844 A.... "C:\Program Files\Spybot - Search & Destroy\Updates\includes.zip"
7 Jan 2009 18.16.44 123 967 A.... "C:\Program Files\Spybot - Search & Destroy\Updates\includes.dialer.zip"
10 Dec 2008 18.16.56 76 923 A.... "C:\Program Files\Spybot - Search & Destroy\Updates\includes.keyloggers.zip"
28 Jan 2009 18.18.30 597 983 A.... "C:\Program Files\Spybot - Search & Destroy\Updates\supplemental.zip"
31 Jan 2009 17.31.50 133 124 A.... "C:\Program Files\WinSpeedUp\Backups\Vymazané záznamy registru z 01-31-2009.reg"
2 Feb 2009 21.15.00 67 676 A.... "C:\Program Files\Alwil Software\Avast4\DATA\iNews.htm"
27 Dec 2008 12.01.06 159 792 A.... "C:\Program Files\Alwil Software\Avast4\Setup\setiface.dll"
5 Dec 2008 19.30.50 5 283 840 A.... "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\PresentationFramework.dll"
5 Dec 2008 20.12.12 5 931 008 A.... "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\System.ServiceModel.dll"
5 Dec 2008 20.55.30 442 368 A.... "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Data.Services.dll"
5 Dec 2008 20.55.30 1 277 952 A.... "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Web.Extensions.dll"
5 Dec 2008 20.55.30 139 264 A.... "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Web.Entity.dll"
5 Dec 2008 20.55.30 229 376 A.... "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Web.DynamicData.dll"
5 Dec 2008 20.55.30 294 912 A.... "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Data.Services.Client.dll"


Files with hidden attributes:

Wed 22 Oct 2008 949,072 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\advcheck.dll"
Mon 15 Sep 2008 1,562,960 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDHelper.dll"
Mon 28 Jan 2008 1,404,240 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 28 Jan 2008 5,146,448 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Tue 16 Sep 2008 1,833,296 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Wed 22 Oct 2008 962,896 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\Tools.dll"


Program Folders:

C:\Program Files\

Adobe
ahead
Alwil Software
ATI Technologies
ATI_install
AvRack
Axis Communications
CCleaner
CDex_150
Codec Pack - All In 1
Common Files
ComPlus Applications
CONEXANT
directx
DivX
EA GAMES
ESET
Hewlett-Packard
hp deskjet 656c series
InstallShield Installation Information
Internet Explorer
Java
Kodak
Malwarebytes' Anti-Malware
Messenger
microsoft frontpage
Microsoft Office
Microsoft.NET
Movie Maker
MSBuild
MSN Gaming Zone
MSXML 4.0
MSXML 6.0
Nero
NetMeeting
Online Services
Outlook Express
QuickTime
Reference Assemblies
SCi
SIMSMAZLICCI
SiSoftware
Spybot - Search & Destroy
SUPERAntiSpyware
TC PowerPack
TO2SAM
TO2SSM
totalcmd
Trend Micro
Ubisoft
Uninstall Information
VIA Technologies, INC
Windows Media Components
Windows Media Connect 2
Windows Media Player
Windows NT
WindowsUpdate
WinSpeedUp
WinZip
WizCom Entertainment
xerox
Xvid CZ
Zoner

C:\Program Files\Common Files\

Acronis
Adobe
Ahead
Autodesk Shared
DESIGNER
DirectX
GraphBoard 2.50
InstallShield
Java
Microsoft Shared
Motive
MSSoap
ODBC
Services
SpeechEngines
SWF Studio
System
Wise Installation Wizard


Add/Remove Programs:





Second MBAW
Malwarebytes' Anti-Malware 1.33
Verze databáze: 1716
Windows 5.1.2600 Service Pack 3

3. 2. 2009 18:10:31
mbam-log-2009-02-03 (18-09-59).txt

Typ skenu: Úplný sken (C:\|D:\|)
Objektu skenováno: 19214
Uplynulý cas: 4 minute(s), 32 second(s)

Infikované procesy pameti: 0
Infikované pametové moduly: 0
Infikované klíce registru: 1
Infikované hodnoty registru: 0
Infikované položky dat registru: 0
Infikované složky: 0
Infikované soubory: 0

Infikované procesy pameti:
(Žádné zákerné položky nebyly zjišteny)

Infikované pametové moduly:
(Žádné zákerné položky nebyly zjišteny)

Infikované klíce registru:
HKEY_CLASSES_ROOT\CLSID\{0b014b81-4e12-46f9-806f-55867af8fd3c} (Trojan.FakeAlert) -> No action taken.

Infikované hodnoty registru:
(Žádné zákerné položky nebyly zjišteny)

Infikované položky dat registru:
(Žádné zákerné položky nebyly zjišteny)

Infikované složky:
(Žádné zákerné položky nebyly zjišteny)

Infikované soubory:
(Žádné zákerné položky nebyly zjišteny)



And finally HijackThis

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:51:48, on 3. 2. 2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\TC PowerPack\totalcmd.exe
c:\Install\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.icq.com/search/search_frame.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://google.icq.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.seznam.cz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
R3 - URLSearchHook: (no name) - {855F3B16-6D32-4fe6-8A56-BBB695989046} - (no file)
O2 - BHO: Podpora odkazu pro Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2DB66063-BB98-466A-AA0D-3E7ACF5ED853} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O2 - BHO: (no name) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - (no file)
O2 - BHO: (no name) - {B930BA63-9E5A-11D3-A288-0000E80E2EDE} - (no file)
O2 - BHO: (no name) - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - (no file)
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O8 - Extra context menu item: E&xportovat do aplikace Microsoft Office Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Přeložit - {230D1201-7607-4CF6-A11F-9E4BF0A333E0} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {2C73F784-D2DE-4422-B070-2E3332FE5744} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Internetový překladač... - {2C73F784-D2DE-4422-B070-2E3332FE5744} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Zdroje informací - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {745395C8-D0E1-4227-8586-624CA9A10A8D} (AxisMediaControl Class) - http://www.gfp.cz:88/activex/AMC.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: SiSoftware Deployment Agent Service (SandraAgentSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2009\RpcAgentSrv.exe

--
End of file - 6394 bytes




Many thanks, I really don't feel like reinstalling the whole computer.

jaro3
Security team member
Guru Level 15
Posts: 43294
Registered: June 07
Location: South Bohemia
Gender: Male

Re: Trojan.FakeAlert

Post by jaro3 » 03 Feb 2009 21:58

You had that infected key deleted and it appeared again? Did you restart the PC?
When working with HJT, ComboFix, MbAM, SDFix and similar programs, close all other applications and browsers!
Do not send logs by private message. During my absence, memphisto, Žbeky and Orcus stand in for me.
If you are satisfied, you can support our forum: Forum support

rtepp
newcomer
Posts: 11
Registered: February 09
Gender: Male

Re: Trojan.FakeAlert

Post by rtepp » 04 Feb 2009 08:26

Well, with the first MBAW I had it deleted and rebooted, which is probably why the log says "Delete on reboot". Then I ran SDFix, which also removed something. What surprised me, though, is that the second MBAW found the same trojan in the same key as the first time. I haven't deleted anything there yet.
P.S. isn't the SpybotSD resident protection affecting this??
What about this in HijackThis:
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

and what about this, according to some info here it also looks suspicious to me

jaro3
Security team member
Guru Level 15
Posts: 43294
Registered: June 07
Location: South Bohemia
Gender: Male

Re: Trojan.FakeAlert

Post by jaro3 » 04 Feb 2009 09:50

That's fine.
Disable Avast's resident protection.
Disable Spybot's resident protection:
- start Spybot - Search & Destroy
- in the top menu choose: Mode => Advanced mode
- a warning window appears; choose Yes
- the program window switches to the advanced view; there choose: Tools => Resident
- uncheck the box, if it is checked, next to: Resident "TeaTimer" (Protection ...)
- close the program
Restart the PC.
Then download ResetTeaTimer.bat (see Note)
and save it to disk.
- run it and press any key when prompted
- after it finishes and prompts you, press any key again and the program closes.
Note:
- if you use Opera, right-click the link and choose Save link target as...
- if you use Firefox, right-click the link and choose Save link as...

Download ComboFix (by sUBs)
and save it to the desktop.
Close all active windows and run it.
- After it starts, the terms of use are displayed; confirm them by pressing the Yes button
- Then follow the instructions; while ComboFix is running, do not click in the window it displays
- After the scan finishes the program should create a log - C:\ComboFix.txt - please paste its entire contents here

rtepp
newcomer
Posts: 11
Registered: February 09
Gender: Male

Re: Trojan.FakeAlert

Post by rtepp » 05 Feb 2009 19:23

Hi.
So I did everything exactly as described, and the ComboFix log is here:

ComboFix 09-02-04.04 - Rodina 2009-02-05 19:12:31.1 - NTFSx86
Systém Microsoft Windows XP Professional 5.1.2600.3.1250.1.1029.18.1023.668 [GMT 1:00]
Spuštěný z: c:\documents and settings\Rodina\Plocha\ComboFix.exe
AV: avast! antivirus 4.8.1296 [VPS 090202-0] *On-access scanning disabled* (Updated)
* Vytvořen nový Bod Obnovení

VAROVÁNÍ - NA TOMTO POČÍTAČI NENÍ NAINSTALOVÁNA KONZOLA PRO ZOTAVENÍ !!
.

((((((((((((((((((((((((((((((((((((((( Ostatní výmazy )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\kacka\Local Settings\Temporary Internet Files\MAILTRAN.INI
c:\documents and settings\kacka\Local Settings\Temporary Internet Files\TRNCOM.INI

.
((((((((((((((((((((((((( Soubory vytvořené od 2009-01-05 do 2009-02-05 )))))))))))))))))))))))))))))))
.

2009-02-03 17:41 . 2009-02-03 17:41 578,560 --a--c--- c:\windows\system32\dllcache\user32.dll
2009-02-03 17:39 . 2009-02-03 17:39 <DIR> d-------- c:\windows\ERUNT
2009-02-03 17:22 . 2009-02-03 17:57 <DIR> d-------- C:\SDFix
2009-02-02 19:17 . 2009-02-02 19:17 <DIR> d-------- c:\documents and settings\Rodina\Data aplikací\Malwarebytes
2009-02-02 19:16 . 2009-02-02 19:17 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-02-02 19:16 . 2009-02-02 19:16 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Data aplikací\Malwarebytes
2009-02-02 19:16 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-02 19:16 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-02-02 17:27 . 2009-02-02 17:27 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Data aplikací\SUPERAntiSpyware.com
2009-02-02 17:26 . 2009-02-03 17:20 <DIR> d-------- c:\program files\SUPERAntiSpyware
2009-02-02 17:26 . 2009-02-02 17:26 <DIR> d-------- c:\documents and settings\Rodina\Data aplikací\SUPERAntiSpyware.com
2009-02-01 19:24 . 2009-02-01 19:24 210 --a------ c:\windows\system32\spupdsvc.inf
2009-02-01 19:22 . 2009-02-01 19:58 <DIR> d-------- c:\windows\SxsCaPendDel
2009-01-24 20:41 . 2009-01-24 20:42 <DIR> d-------- c:\documents and settings\Rodina\Data aplikací\ICQ
2009-01-24 12:00 . 2009-01-24 12:00 <DIR> dr------- c:\documents and settings\NetworkService.NT AUTHORITY\Oblíbené položky
2009-01-18 21:24 . 2009-01-24 21:30 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Data aplikací\TrackMania
2009-01-16 22:52 . 2009-01-16 22:52 54,156 --ah----- c:\windows\QTFont.qfn
2009-01-16 22:52 . 2009-01-16 22:52 1,409 --a------ c:\windows\QTFont.for

.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-02 16:26 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-02-01 17:35 --------- d-----w c:\documents and settings\All Users.WINDOWS\Data aplikací\Spybot - Search & Destroy
2009-02-01 07:42 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-01-31 16:31 --------- d-----w c:\program files\WinSpeedUp
2009-01-31 16:28 --------- d-----w c:\documents and settings\Rodina\Data aplikací\Skype
2009-01-25 16:29 --------- d-----w c:\program files\ESET
2008-12-25 20:54 --------- d-----w c:\program files\EA GAMES
2008-12-24 19:05 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2008-12-07 15:11 2,560 ----a-w c:\windows\_MSRSTRT.EXE
2008-11-24 20:17 120 ----a-w C:\drmHeader.bin
2008-10-05 14:32 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008100520081006\index.dat
.

(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-09-25 90112]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-11-26 81000]
"SoundMan"="SOUNDMAN.EXE" [2002-03-21 c:\windows\SOUNDMAN.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 11:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.I420"= i263_32.drv
"msacm.l3acm"= l3codecp.acm
"vidc.xvid"= xvid.dll
"msacm.g723"= g723.acm
"vidc.I263"= I263_32.drv
"msacm.l3codec"= l3codecp.acm

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 10:50 155648 c:\windows\system32\NeroCheck.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\dpnsvr.exe"=
"c:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite 2009\\RpcAgentSrv.exe"=
"c:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite 2009\\WNt500x86\\RpcSandraSrv.exe"=
"d:\\hry\\Program Files\\ICQ6\\ICQ.exe"=
"d:\\eMule\\emule.exe"=
"d:\\hry\\Program Files\\Skype\\Phone\\Skype.exe"=
"d:\\Program Files\\TrackMania Nations ESWC\\TmNationsESWC.exe"=
"d:\\Program Files\\track mania 2\\TmNationsForever\\TmForever.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-10-21 111184]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2009-01-15 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2009-01-15 55024]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-10-21 20560]
R3 PSched;Plánovač paketů technologie QoS;c:\windows\system32\drivers\psched.sys [2004-08-03 69120]
S3 gel90xne;gel90xne;\??\c:\docume~1\Rodina\LOCALS~1\Temp\gel90xne.sys --> c:\docume~1\Rodina\LOCALS~1\Temp\gel90xne.sys [?]
S3 iteio;iteio;\??\c:\windows\system32\drivers\iteio.sys --> c:\windows\system32\drivers\iteio.sys [?]
S3 SandraAgentSrv;SiSoftware Deployment Agent Service;c:\program files\SiSoftware\SiSoftware Sandra Lite 2009\RpcAgentSrv.exe [2008-10-04 98488]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-01-15 7408]
.
Obsah adresáře 'Naplánované úlohy'

2009-01-31 c:\windows\Tasks\At1.job
- c:\windows\system32\SB7K7u61.exe []

2009-02-01 c:\windows\Tasks\At10.job
- c:\windows\system32\SB7K7u61.exe []

2009-02-01 c:\windows\Tasks\At11.job
- c:\windows\system32\SB7K7u61.exe []

2009-02-01 c:\windows\Tasks\At12.job
- c:\windows\system32\SB7K7u61.exe []

2009-02-01 c:\windows\Tasks\At13.job
- c:\windows\system32\SB7K7u61.exe []

2009-02-01 c:\windows\Tasks\At14.job
- c:\windows\system32\SB7K7u61.exe []

2009-02-01 c:\windows\Tasks\At15.job
- c:\windows\system32\SB7K7u61.exe []

2009-02-01 c:\windows\Tasks\At16.job
- c:\windows\system32\SB7K7u61.exe []

2009-02-01 c:\windows\Tasks\At17.job
- c:\windows\system32\SB7K7u61.exe []

2009-02-02 c:\windows\Tasks\At18.job
- c:\windows\system32\SB7K7u61.exe []

2009-02-03 c:\windows\Tasks\At19.job
- c:\windows\system32\SB7K7u61.exe []

2009-01-23 c:\windows\Tasks\At2.job
- c:\windows\system32\SB7K7u61.exe []

2009-02-03 c:\windows\Tasks\At20.job
- c:\windows\system32\SB7K7u61.exe []

2009-02-03 c:\windows\Tasks\At21.job
- c:\windows\system32\SB7K7u61.exe []

2009-02-03 c:\windows\Tasks\At22.job
- c:\windows\system32\SB7K7u61.exe []

2009-02-02 c:\windows\Tasks\At23.job
- c:\windows\system32\SB7K7u61.exe []

2009-01-31 c:\windows\Tasks\At24.job
- c:\windows\system32\SB7K7u61.exe []

2009-01-31 c:\windows\Tasks\At25.job
- c:\windows\system32\SB7K7u61.exe []

2009-01-24 c:\windows\Tasks\At26.job
- c:\windows\system32\SB7K7u61.exe []

2009-01-24 c:\windows\Tasks\At27.job
- c:\windows\system32\SB7K7u61.exe []

2009-01-24 c:\windows\Tasks\At28.job
- c:\windows\system32\SB7K7u61.exe []

2009-01-24 c:\windows\Tasks\At29.job
- c:\windows\system32\SB7K7u61.exe []

2009-01-23 c:\windows\Tasks\At3.job
- c:\windows\system32\SB7K7u61.exe []

2009-01-24 c:\windows\Tasks\At30.job
- c:\windows\system32\SB7K7u61.exe []

2009-01-24 c:\windows\Tasks\At31.job
- c:\windows\system32\SB7K7u61.exe []

2009-01-24 c:\windows\Tasks\At32.job
- c:\windows\system32\SB7K7u61.exe []

2009-01-24 c:\windows\Tasks\At33.job
- c:\windows\system32\SB7K7u61.exe []

2009-02-01 c:\windows\Tasks\At34.job
- c:\windows\system32\SB7K7u61.exe []

2009-02-01 c:\windows\Tasks\At35.job
- c:\windows\system32\SB7K7u61.exe []

2009-02-01 c:\windows\Tasks\At36.job
- c:\windows\system32\SB7K7u61.exe []

2009-02-01 c:\windows\Tasks\At37.job
- c:\windows\system32\SB7K7u61.exe []

2009-02-01 c:\windows\Tasks\At38.job
- c:\windows\system32\SB7K7u61.exe []

2009-02-01 c:\windows\Tasks\At39.job
- c:\windows\system32\SB7K7u61.exe []

2009-01-23 c:\windows\Tasks\At4.job
- c:\windows\system32\SB7K7u61.exe []

2009-02-01 c:\windows\Tasks\At40.job
- c:\windows\system32\SB7K7u61.exe []

2009-02-01 c:\windows\Tasks\At41.job
- c:\windows\system32\SB7K7u61.exe []

2009-02-02 c:\windows\Tasks\At42.job
- c:\windows\system32\SB7K7u61.exe []

2009-02-03 c:\windows\Tasks\At43.job
- c:\windows\system32\SB7K7u61.exe []

2009-02-03 c:\windows\Tasks\At44.job
- c:\windows\system32\SB7K7u61.exe []

2009-02-03 c:\windows\Tasks\At45.job
- c:\windows\system32\SB7K7u61.exe []

2009-02-03 c:\windows\Tasks\At46.job
- c:\windows\system32\SB7K7u61.exe []

2009-02-02 c:\windows\Tasks\At47.job
- c:\windows\system32\SB7K7u61.exe []

2009-01-31 c:\windows\Tasks\At48.job
- c:\windows\system32\SB7K7u61.exe []

2009-01-31 c:\windows\Tasks\At49.job
- c:\windows\system32\SB7K7u61.exe []

2009-01-23 c:\windows\Tasks\At5.job
- c:\windows\system32\SB7K7u61.exe []

2009-01-24 c:\windows\Tasks\At50.job
- c:\windows\system32\SB7K7u61.exe []

2009-01-24 c:\windows\Tasks\At51.job
- c:\windows\system32\SB7K7u61.exe []

2009-01-24 c:\windows\Tasks\At52.job
- c:\windows\system32\SB7K7u61.exe []

2009-01-24 c:\windows\Tasks\At53.job
- c:\windows\system32\SB7K7u61.exe []

2009-01-24 c:\windows\Tasks\At54.job
- c:\windows\system32\SB7K7u61.exe []

2009-01-24 c:\windows\Tasks\At55.job
- c:\windows\system32\SB7K7u61.exe []

2009-01-24 c:\windows\Tasks\At56.job
- c:\windows\system32\SB7K7u61.exe []

2009-01-24 c:\windows\Tasks\At57.job
- c:\windows\system32\SB7K7u61.exe []

2009-02-01 c:\windows\Tasks\At58.job
- c:\windows\system32\SB7K7u61.exe []

2009-02-01 c:\windows\Tasks\At59.job
- c:\windows\system32\SB7K7u61.exe []

2009-01-23 c:\windows\Tasks\At6.job
- c:\windows\system32\SB7K7u61.exe []

2009-02-01 c:\windows\Tasks\At60.job
- c:\windows\system32\SB7K7u61.exe []

2009-02-01 c:\windows\Tasks\At61.job
- c:\windows\system32\SB7K7u61.exe []

2009-02-01 c:\windows\Tasks\At62.job
- c:\windows\system32\SB7K7u61.exe []

2009-02-01 c:\windows\Tasks\At63.job
- c:\windows\system32\SB7K7u61.exe []

2009-02-01 c:\windows\Tasks\At64.job
- c:\windows\system32\SB7K7u61.exe []

2009-02-01 c:\windows\Tasks\At65.job
- c:\windows\system32\SB7K7u61.exe []

2009-02-02 c:\windows\Tasks\At66.job
- c:\windows\system32\SB7K7u61.exe []

2009-02-03 c:\windows\Tasks\At67.job
- c:\windows\system32\SB7K7u61.exe []

2009-02-03 c:\windows\Tasks\At68.job
- c:\windows\system32\SB7K7u61.exe []

2009-02-03 c:\windows\Tasks\At69.job
- c:\windows\system32\SB7K7u61.exe []

2009-01-23 c:\windows\Tasks\At7.job
- c:\windows\system32\SB7K7u61.exe []

2009-02-03 c:\windows\Tasks\At70.job
- c:\windows\system32\SB7K7u61.exe []

2009-02-02 c:\windows\Tasks\At71.job
- c:\windows\system32\SB7K7u61.exe []

2009-01-31 c:\windows\Tasks\At72.job
- c:\windows\system32\SB7K7u61.exe []

2009-01-23 c:\windows\Tasks\At8.job
- c:\windows\system32\SB7K7u61.exe []

2009-01-23 c:\windows\Tasks\At9.job
- c:\windows\system32\SB7K7u61.exe []

2009-02-05 c:\windows\Tasks\EasyShare Registration RunOnce Task.job
- c:\docume~1\ALLUSE~1.WIN\DATAAP~1\Kodak\EasyShareSetup\$REGIS~1\Registration_7.4.20.2.sxt _RegistrationOfferSilence@16 []
.
- - - - INVALID ENTRIES REMOVED FROM THE REGISTRY - - - -

MSConfigStartUp-Skype - c:\program files\Skype\Phone\Skype.exe
MSConfigStartUp-swg - c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.seznam.cz/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: E&xportovat do aplikace Microsoft Office Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: {{230D1201-7607-4CF6-A11F-9E4BF0A333E0} - {0DB13731-CEFD-43CF-A8FD-B61DCBC4D5B8} -
IE: {{2C73F784-D2DE-4422-B070-2E3332FE5744} - {0320AC26-52C8-4316-B2C4-24BB6FA73C9A} -
DPF: {745395C8-D0E1-4227-8586-624CA9A10A8D} - hxxp://www.gfp.cz:88/activex/AMC.cab
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-05 19:15:10
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\AMUST\Registry Cleaner\pos*whor_xpos**]
"wX"=dword:01c72b4d
"whY"=dword:03a419f0

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{0B014B81-4E12-46F9-806F-55867AF8FD3C}\InprocServer32]
@DACL=(02 0000)
@="c:\\WINDOWS\\system32\\winsystems.dll"
"ThreadingModel"="Apartment"
.
--------------------- DLLs loaded by running processes ---------------------

- - - - - - - > 'winlogon.exe'(536)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-02-05 19:18:45
ComboFix-quarantined-files.txt 2009-02-05 18:18:32

Pre-run: 6 918 867 968
Post-run: 6,935,839,744

289 --- E O F --- 2009-01-14 19:50:55

jaro3
Security team member
Guru Level 15
Posts: 43294
Registered: June 07
Location: South Bohemia
Gender: Male

Re: Trojan.FakeAlert

Post by jaro3 » 05 Feb 2009 19:57

Start -> Run -> type cmd.exe -> click OK; in the DOS window paste this with the mouse:
sc stop gel90xne
sc delete gel90xne
sc stop SB7K7u61
sc delete SB7K7u61
exit

Restart the PC.
****************************************************************************************************************************************
Open Notepad (Start -> Run... type Notepad into the box and click OK).
Copy the whole text marked in green into it:
Note: do not use SELECT ALL to mark the script

Code:

File::
c:\windows\SxsCaPendDel
c:\docume~1\Rodina\LOCALS~1\Temp\gel90xne.sys
c:\windows\system32\SB7K7u61.exe

Folder::
C:\SDFix
c:\windows\SxsCaPendDel

Driver::
gel90xne


Choose File -> Save As... and set these parameters:
File name: type CFScript.txt here
Save as type: select All Files there
Save the file to the desktop.
Close all open windows.

Drag the created CFScript.txt script with the mouse onto the downloaded ComboFix.exe and drop it when the two files overlap.
- ComboFix will start automatically
- Paste here the log that appears at the end of the cleaning process + a new HJT log
When working with HJT, ComboFix, MbAM, SDFix etc., close all other applications and browsers!
Do not send logs in private messages. During my absence memphisto, Žbeky and Orcus stand in for me.
If you are satisfied, you can support our forum: Forum support

rtepp
newbie
Posts: 11
Registered: February 09
Gender: Male

Re: Trojan.FakeAlert

Post by rtepp » 05 Feb 2009 20:30

So, done as follows:

The command prompt printed this:
C:\>sc stop gel90xne
[SC] ControlService FAILED 1062:
Slu

C:\>sc delete gel90.xne
[SC] OpenService FAILED 1060:
Zadaná slu

C:\>sc stop SB7K7u61
[SC] OpenService FAILED 1060:
Zadaná slu

C:\>sc delete SB7K7u61
[SC] OpenService FAILED 1060:
Zadaná slu
C:\>

Then I'm not sure whether I restarted

Here is the ComboFix log
ComboFix 09-02-04.04 - Rodina 2009-02-05 20:11:45.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1250.1.1029.18.1023.675 [GMT 1:00]
Running from: c:\documents and settings\Rodina\Plocha\ComboFix.exe
Command switches used :: c:\documents and settings\Rodina\Plocha\CFScript.txt
AV: avast! antivirus 4.8.1296 [VPS 090202-0] *On-access scanning disabled* (Updated)
* Created a new restore point

WARNING - THE RECOVERY CONSOLE IS NOT INSTALLED ON THIS COMPUTER !!

FILE ::
c:\docume~1\Rodina\LOCALS~1\Temp\gel90xne.sys
c:\windows\SxsCaPendDel
c:\windows\system32\SB7K7u61.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\SDFix
c:\sdfix\Add_DBFix_RunOnce_key.inf
c:\sdfix\apps\assosfix.reg
c:\sdfix\apps\Cghtme.exe
c:\sdfix\apps\cliptext.exe
c:\sdfix\apps\DBFix.inf
c:\sdfix\apps\download.exe
c:\sdfix\apps\dummy.sys
c:\sdfix\apps\Enable_Command_Prompt.inf
c:\sdfix\apps\Enable_Command_Prompt.reg
c:\sdfix\apps\ERDNT.E_E
c:\sdfix\apps\ERDNTDOS.LOC
c:\sdfix\apps\ERDNTWIN.LOC
c:\sdfix\apps\ERUNT.EXE
c:\sdfix\apps\ERUNT.LOC
c:\sdfix\apps\fix.reg
c:\sdfix\apps\FixBeep.reg
c:\sdfix\apps\FixBH.reg
c:\sdfix\apps\FixComponents.reg
c:\sdfix\apps\FIXCU.reg
c:\sdfix\apps\FIXLM.reg
c:\sdfix\apps\FixPath.exe
c:\sdfix\apps\FixRedir.reg
c:\sdfix\apps\FixSchedule.reg
c:\sdfix\apps\FixWebCheck.reg
c:\sdfix\apps\fixXP.reg
c:\sdfix\apps\FixXPsp2.reg
c:\sdfix\apps\grep.exe
c:\sdfix\apps\HaxdFix.reg
c:\sdfix\apps\HPFix.reg
c:\sdfix\apps\HPFix2.reg
c:\sdfix\apps\HPFix3.reg
c:\sdfix\apps\HPFix4.reg
c:\sdfix\apps\HPFix5.reg
c:\sdfix\apps\HPFix6.reg
c:\sdfix\apps\HPFix7.reg
c:\sdfix\apps\HPFix8.reg
c:\sdfix\apps\HPFix9.reg
c:\sdfix\apps\Installed.txt
c:\sdfix\apps\isadmin.exe
c:\sdfix\apps\leg2.txt
c:\sdfix\apps\legacy.txt
c:\sdfix\apps\legacybk.txt
c:\sdfix\apps\locate.com
c:\sdfix\apps\LS.exe
c:\sdfix\apps\MD5File.exe
c:\sdfix\apps\moveex.exe
c:\sdfix\apps\MyGcpvFix.reg
c:\sdfix\apps\MyGkFix2.reg
c:\sdfix\apps\Process.exe
c:\sdfix\apps\procs.exe
c:\sdfix\apps\psservice.exe
c:\sdfix\apps\Rem.txt
c:\sdfix\apps\Rem2.txt
c:\sdfix\apps\Replace\regedit.exe
c:\sdfix\apps\Replace\w2k\AUTOEXEC.NT
c:\sdfix\apps\Replace\w2k\beep.sys
c:\sdfix\apps\Replace\w2k\command.com
c:\sdfix\apps\Replace\w2k\command.PIF
c:\sdfix\apps\Replace\w2k\CONFIG.NT
c:\sdfix\apps\Replace\w2k\null.sys
c:\sdfix\apps\Replace\xp\AUTOEXEC.NT
c:\sdfix\apps\Replace\xp\beep.sys
c:\sdfix\apps\Replace\xp\command.com
c:\sdfix\apps\Replace\xp\command.PIF
c:\sdfix\apps\Replace\xp\CONFIG.NT
c:\sdfix\apps\Replace\xp\null.sys
c:\sdfix\apps\Reset_AppInit_DLLs.reg
c:\sdfix\apps\RestartIt!.exe
c:\sdfix\apps\Restore_SafeBoot_Windows2000.reg
c:\sdfix\apps\Restore_SafeBoot_WindowsXP.reg
c:\sdfix\apps\Restore_SafeBoot_WindowsXP_SP2.reg
c:\sdfix\apps\Restore_SafeBoot_WindowsXP_SP3.reg
c:\sdfix\apps\Restore_SecurityCenter.reg
c:\sdfix\apps\Restore_SharedAccess.reg
c:\sdfix\apps\sc.exe
c:\sdfix\apps\sed.exe
c:\sdfix\apps\SF.exe
c:\sdfix\apps\shutdown.exe
c:\sdfix\apps\srv2.txt
c:\sdfix\apps\srv2bk.txt
c:\sdfix\apps\svc.txt
c:\sdfix\apps\svcbk.txt
c:\sdfix\apps\Swreg.exe
c:\sdfix\apps\swsc.exe
c:\sdfix\apps\UnRAR.exe
c:\sdfix\apps\unzip.exe
c:\sdfix\apps\vfind.exe
c:\sdfix\apps\WINMSG.EXE
c:\sdfix\apps\winsec.reg
c:\sdfix\apps\zip.exe
c:\sdfix\backups\backupreg.zip
c:\sdfix\backups\backups.zip
c:\sdfix\backups\catchme.log
c:\sdfix\backups\HOSTS
c:\sdfix\catchme.exe
c:\sdfix\DBFix.bat
c:\sdfix\dummy.sys
c:\sdfix\Report.txt
c:\sdfix\RunThis.bat
c:\sdfix\SDFIX_ReadMe_Online.url
c:\sdfix\SystemReport.txt
c:\sdfix\W2K_VirusAlert_Repair.inf
c:\sdfix\XP_VirusAlert_Repair.inf
c:\windows\SxsCaPendDel

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_GEL90XNE
-------\Service_gel90xne


((((((((((((((((((((((((( Files Created from 2009-01-05 to 2009-02-05 )))))))))))))))))))))))))))))))
.

2009-02-03 17:41 . 2009-02-03 17:41 578,560 --a--c--- c:\windows\system32\dllcache\user32.dll
2009-02-03 17:39 . 2009-02-03 17:39 <DIR> d-------- c:\windows\ERUNT
2009-02-02 19:17 . 2009-02-02 19:17 <DIR> d-------- c:\documents and settings\Rodina\Data aplikací\Malwarebytes
2009-02-02 19:16 . 2009-02-02 19:17 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-02-02 19:16 . 2009-02-02 19:16 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Data aplikací\Malwarebytes
2009-02-02 19:16 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-02 19:16 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-02-02 17:27 . 2009-02-02 17:27 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Data aplikací\SUPERAntiSpyware.com
2009-02-02 17:26 . 2009-02-03 17:20 <DIR> d-------- c:\program files\SUPERAntiSpyware
2009-02-02 17:26 . 2009-02-02 17:26 <DIR> d-------- c:\documents and settings\Rodina\Data aplikací\SUPERAntiSpyware.com
2009-02-01 19:24 . 2009-02-01 19:24 210 --a------ c:\windows\system32\spupdsvc.inf
2009-01-24 20:41 . 2009-01-24 20:42 <DIR> d-------- c:\documents and settings\Rodina\Data aplikací\ICQ
2009-01-24 12:00 . 2009-01-24 12:00 <DIR> dr------- c:\documents and settings\NetworkService.NT AUTHORITY\Oblíbené položky
2009-01-18 21:24 . 2009-01-24 21:30 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Data aplikací\TrackMania
2009-01-16 22:52 . 2009-01-16 22:52 54,156 --ah----- c:\windows\QTFont.qfn
2009-01-16 22:52 . 2009-01-16 22:52 1,409 --a------ c:\windows\QTFont.for

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-02 16:26 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-02-01 17:35 --------- d-----w c:\documents and settings\All Users.WINDOWS\Data aplikací\Spybot - Search & Destroy
2009-02-01 07:42 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-01-31 16:31 --------- d-----w c:\program files\WinSpeedUp
2009-01-31 16:28 --------- d-----w c:\documents and settings\Rodina\Data aplikací\Skype
2009-01-25 16:29 --------- d-----w c:\program files\ESET
2008-12-25 20:54 --------- d-----w c:\program files\EA GAMES
2008-12-24 19:05 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2008-12-07 15:11 2,560 ----a-w c:\windows\_MSRSTRT.EXE
2008-11-24 20:17 120 ----a-w C:\drmHeader.bin
2008-10-05 14:32 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008100520081006\index.dat
.

((((((((((((((((((((((((((((( SnapShot@2009-02-05_19.15.49,60 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-10-20 19:02:28 163,328 ----a-w c:\windows\ERDNT\subs\ERDNT.EXE
+ 2009-02-05 19:15:09 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_4d4.dat
.
(((((((((((((((((((((((((((((((((( Registry Loading Points )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries and legitimate default entries are not shown.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-09-25 90112]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-11-26 81000]
"SoundMan"="SOUNDMAN.EXE" [2002-03-21 c:\windows\SOUNDMAN.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 11:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.I420"= i263_32.drv
"msacm.l3acm"= l3codecp.acm
"vidc.xvid"= xvid.dll
"msacm.g723"= g723.acm
"vidc.I263"= I263_32.drv
"msacm.l3codec"= l3codecp.acm

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 10:50 155648 c:\windows\system32\NeroCheck.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\dpnsvr.exe"=
"c:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite 2009\\RpcAgentSrv.exe"=
"c:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite 2009\\WNt500x86\\RpcSandraSrv.exe"=
"d:\\hry\\Program Files\\ICQ6\\ICQ.exe"=
"d:\\eMule\\emule.exe"=
"d:\\hry\\Program Files\\Skype\\Phone\\Skype.exe"=
"d:\\Program Files\\TrackMania Nations ESWC\\TmNationsESWC.exe"=
"d:\\Program Files\\track mania 2\\TmNationsForever\\TmForever.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-10-21 111184]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2009-01-15 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2009-01-15 55024]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-10-21 20560]
R3 PSched;Plánovač paketů technologie QoS;c:\windows\system32\drivers\psched.sys [2004-08-03 69120]
S3 iteio;iteio;\??\c:\windows\system32\drivers\iteio.sys --> c:\windows\system32\drivers\iteio.sys [?]
S3 SandraAgentSrv;SiSoftware Deployment Agent Service;c:\program files\SiSoftware\SiSoftware Sandra Lite 2009\RpcAgentSrv.exe [2008-10-04 98488]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-01-15 7408]
.
Contents of the 'Scheduled Tasks' folder

2009-01-31 c:\windows\Tasks\At1.job
- c:\windows\system32\SB7K7u61.exe []

2009-02-01 c:\windows\Tasks\At10.job
- c:\windows\system32\SB7K7u61.exe []

2009-02-01 c:\windows\Tasks\At11.job
- c:\windows\system32\SB7K7u61.exe []

2009-02-01 c:\windows\Tasks\At12.job
- c:\windows\system32\SB7K7u61.exe []

2009-02-01 c:\windows\Tasks\At13.job
- c:\windows\system32\SB7K7u61.exe []

2009-02-01 c:\windows\Tasks\At14.job
- c:\windows\system32\SB7K7u61.exe []

2009-02-01 c:\windows\Tasks\At15.job
- c:\windows\system32\SB7K7u61.exe []

2009-02-01 c:\windows\Tasks\At16.job
- c:\windows\system32\SB7K7u61.exe []

2009-02-01 c:\windows\Tasks\At17.job
- c:\windows\system32\SB7K7u61.exe []

2009-02-02 c:\windows\Tasks\At18.job
- c:\windows\system32\SB7K7u61.exe []

2009-02-03 c:\windows\Tasks\At19.job
- c:\windows\system32\SB7K7u61.exe []

2009-01-23 c:\windows\Tasks\At2.job
- c:\windows\system32\SB7K7u61.exe []

2009-02-03 c:\windows\Tasks\At20.job
- c:\windows\system32\SB7K7u61.exe []

2009-02-05 c:\windows\Tasks\At21.job
- c:\windows\system32\SB7K7u61.exe []

2009-02-03 c:\windows\Tasks\At22.job
- c:\windows\system32\SB7K7u61.exe []

2009-02-02 c:\windows\Tasks\At23.job
- c:\windows\system32\SB7K7u61.exe []

2009-01-31 c:\windows\Tasks\At24.job
- c:\windows\system32\SB7K7u61.exe []

2009-01-31 c:\windows\Tasks\At25.job
- c:\windows\system32\SB7K7u61.exe []

2009-01-24 c:\windows\Tasks\At26.job
- c:\windows\system32\SB7K7u61.exe []

2009-01-24 c:\windows\Tasks\At27.job
- c:\windows\system32\SB7K7u61.exe []

2009-01-24 c:\windows\Tasks\At28.job
- c:\windows\system32\SB7K7u61.exe []

2009-01-24 c:\windows\Tasks\At29.job
- c:\windows\system32\SB7K7u61.exe []

2009-01-23 c:\windows\Tasks\At3.job
- c:\windows\system32\SB7K7u61.exe []

2009-01-24 c:\windows\Tasks\At30.job
- c:\windows\system32\SB7K7u61.exe []

2009-01-24 c:\windows\Tasks\At31.job
- c:\windows\system32\SB7K7u61.exe []

2009-01-24 c:\windows\Tasks\At32.job
- c:\windows\system32\SB7K7u61.exe []

2009-01-24 c:\windows\Tasks\At33.job
- c:\windows\system32\SB7K7u61.exe []

2009-02-01 c:\windows\Tasks\At34.job
- c:\windows\system32\SB7K7u61.exe []

2009-02-01 c:\windows\Tasks\At35.job
- c:\windows\system32\SB7K7u61.exe []

2009-02-01 c:\windows\Tasks\At36.job
- c:\windows\system32\SB7K7u61.exe []

2009-02-01 c:\windows\Tasks\At37.job
- c:\windows\system32\SB7K7u61.exe []

2009-02-01 c:\windows\Tasks\At38.job
- c:\windows\system32\SB7K7u61.exe []

2009-02-01 c:\windows\Tasks\At39.job
- c:\windows\system32\SB7K7u61.exe []

2009-01-23 c:\windows\Tasks\At4.job
- c:\windows\system32\SB7K7u61.exe []

2009-02-01 c:\windows\Tasks\At40.job
- c:\windows\system32\SB7K7u61.exe []

2009-02-01 c:\windows\Tasks\At41.job
- c:\windows\system32\SB7K7u61.exe []

2009-02-02 c:\windows\Tasks\At42.job
- c:\windows\system32\SB7K7u61.exe []

2009-02-03 c:\windows\Tasks\At43.job
- c:\windows\system32\SB7K7u61.exe []

2009-02-03 c:\windows\Tasks\At44.job
- c:\windows\system32\SB7K7u61.exe []

2009-02-05 c:\windows\Tasks\At45.job
- c:\windows\system32\SB7K7u61.exe []

2009-02-03 c:\windows\Tasks\At46.job
- c:\windows\system32\SB7K7u61.exe []

2009-02-02 c:\windows\Tasks\At47.job
- c:\windows\system32\SB7K7u61.exe []

2009-01-31 c:\windows\Tasks\At48.job
- c:\windows\system32\SB7K7u61.exe []

2009-01-31 c:\windows\Tasks\At49.job
- c:\windows\system32\SB7K7u61.exe []

2009-01-23 c:\windows\Tasks\At5.job
- c:\windows\system32\SB7K7u61.exe []

2009-01-24 c:\windows\Tasks\At50.job
- c:\windows\system32\SB7K7u61.exe []

2009-01-24 c:\windows\Tasks\At51.job
- c:\windows\system32\SB7K7u61.exe []

2009-01-24 c:\windows\Tasks\At52.job
- c:\windows\system32\SB7K7u61.exe []

2009-01-24 c:\windows\Tasks\At53.job
- c:\windows\system32\SB7K7u61.exe []

2009-01-24 c:\windows\Tasks\At54.job
- c:\windows\system32\SB7K7u61.exe []

2009-01-24 c:\windows\Tasks\At55.job
- c:\windows\system32\SB7K7u61.exe []

2009-01-24 c:\windows\Tasks\At56.job
- c:\windows\system32\SB7K7u61.exe []

2009-01-24 c:\windows\Tasks\At57.job
- c:\windows\system32\SB7K7u61.exe []

2009-02-01 c:\windows\Tasks\At58.job
- c:\windows\system32\SB7K7u61.exe []

2009-02-01 c:\windows\Tasks\At59.job
- c:\windows\system32\SB7K7u61.exe []

2009-01-23 c:\windows\Tasks\At6.job
- c:\windows\system32\SB7K7u61.exe []

2009-02-01 c:\windows\Tasks\At60.job
- c:\windows\system32\SB7K7u61.exe []

2009-02-01 c:\windows\Tasks\At61.job
- c:\windows\system32\SB7K7u61.exe []

2009-02-01 c:\windows\Tasks\At62.job
- c:\windows\system32\SB7K7u61.exe []

2009-02-01 c:\windows\Tasks\At63.job
- c:\windows\system32\SB7K7u61.exe []

2009-02-01 c:\windows\Tasks\At64.job
- c:\windows\system32\SB7K7u61.exe []

2009-02-01 c:\windows\Tasks\At65.job
- c:\windows\system32\SB7K7u61.exe []

2009-02-02 c:\windows\Tasks\At66.job
- c:\windows\system32\SB7K7u61.exe []

2009-02-03 c:\windows\Tasks\At67.job
- c:\windows\system32\SB7K7u61.exe []

2009-02-03 c:\windows\Tasks\At68.job
- c:\windows\system32\SB7K7u61.exe []

2009-02-05 c:\windows\Tasks\At69.job
- c:\windows\system32\SB7K7u61.exe []

2009-01-23 c:\windows\Tasks\At7.job
- c:\windows\system32\SB7K7u61.exe []

2009-02-03 c:\windows\Tasks\At70.job
- c:\windows\system32\SB7K7u61.exe []

2009-02-02 c:\windows\Tasks\At71.job
- c:\windows\system32\SB7K7u61.exe []

2009-01-31 c:\windows\Tasks\At72.job
- c:\windows\system32\SB7K7u61.exe []

2009-01-23 c:\windows\Tasks\At8.job
- c:\windows\system32\SB7K7u61.exe []

2009-01-23 c:\windows\Tasks\At9.job
- c:\windows\system32\SB7K7u61.exe []

2009-02-05 c:\windows\Tasks\EasyShare Registration RunOnce Task.job
- c:\docume~1\ALLUSE~1.WIN\DATAAP~1\Kodak\EasyShareSetup\$REGIS~1\Registration_7.4.20.2.sxt _RegistrationOfferSilence@16 []
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.seznam.cz/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: E&xportovat do aplikace Microsoft Office Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: {{230D1201-7607-4CF6-A11F-9E4BF0A333E0} - {0DB13731-CEFD-43CF-A8FD-B61DCBC4D5B8} -
IE: {{2C73F784-D2DE-4422-B070-2E3332FE5744} - {0320AC26-52C8-4316-B2C4-24BB6FA73C9A} -
DPF: {745395C8-D0E1-4227-8586-624CA9A10A8D} - hxxp://www.gfp.cz:88/activex/AMC.cab
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-05 20:16:04
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\AMUST\Registry Cleaner\pos*whor_xpos**]
"wX"=dword:01c72b4d
"whY"=dword:03a419f0

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{0B014B81-4E12-46F9-806F-55867AF8FD3C}\InprocServer32]
@DACL=(02 0000)
@="c:\\WINDOWS\\system32\\winsystems.dll"
"ThreadingModel"="Apartment"
.
--------------------- DLLs loaded by running processes ---------------------

- - - - - - - > 'winlogon.exe'(540)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Common Files\Motive\McciCMService.exe
c:\program files\ATI Technologies\ATI.ACE\CLI.exe
c:\program files\ATI Technologies\ATI.ACE\CLI.exe
c:\program files\ATI Technologies\ATI.ACE\CLI.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-02-05 20:20:15 - the computer was rebooted
ComboFix-quarantined-files.txt 2009-02-05 19:20:12
ComboFix2.txt 2009-02-05 18:18:48

Pre-run: 6 911 480 832
Post-run: 6,818,658,304

415 --- E O F --- 2009-01-14 19:50:55


And here is the current HJT
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:24:55, on 5. 2. 2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\TC PowerPack\totalcmd.exe
c:\Install\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.seznam.cz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
R3 - URLSearchHook: (no name) - {855F3B16-6D32-4fe6-8A56-BBB695989046} - (no file)
O2 - BHO: Podpora odkazu pro Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2DB66063-BB98-466A-AA0D-3E7ACF5ED853} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O2 - BHO: (no name) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - (no file)
O2 - BHO: (no name) - {B930BA63-9E5A-11D3-A288-0000E80E2EDE} - (no file)
O2 - BHO: (no name) - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - (no file)
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O8 - Extra context menu item: E&xportovat do aplikace Microsoft Office Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Přeložit - {230D1201-7607-4CF6-A11F-9E4BF0A333E0} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {2C73F784-D2DE-4422-B070-2E3332FE5744} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Internetový překladač... - {2C73F784-D2DE-4422-B070-2E3332FE5744} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Zdroje informací - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {745395C8-D0E1-4227-8586-624CA9A10A8D} (AxisMediaControl Class) - http://www.gfp.cz:88/activex/AMC.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: SiSoftware Deployment Agent Service (SandraAgentSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2009\RpcAgentSrv.exe

--
End of file - 5855 bytes

jaro3
Security team member
Guru Level 15
Posts: 43294
Registered: June 07
Location: South Bohemia
Gender: Male

Re: Trojan.FakeAlert

Post by jaro3 » 05 Feb 2009 20:49

It's gone from the services, so probably OK; otherwise you copy the whole thing and paste it with the mouse at the blinking cursor.
One more script in CF:

Code:

File::
c:\windows\Tasks\At1.job
c:\windows\Tasks\At10.job
c:\windows\Tasks\At11.job
c:\windows\Tasks\At12.job
c:\windows\Tasks\At13.job
c:\windows\Tasks\At14.job
c:\windows\Tasks\At15.job
c:\windows\Tasks\At16.job
c:\windows\Tasks\At17.job
c:\windows\Tasks\At18.job
c:\windows\Tasks\At19.job
c:\windows\Tasks\At2.job
c:\windows\Tasks\At20.job
c:\windows\Tasks\At21.job
c:\windows\Tasks\At22.job
c:\windows\Tasks\At23.job
c:\windows\Tasks\At24.job
c:\windows\Tasks\At25.job
c:\windows\Tasks\At26.job
c:\windows\Tasks\At27.job
c:\windows\Tasks\At28.job
c:\windows\Tasks\At29.job
c:\windows\Tasks\At3.job
c:\windows\Tasks\At30.job
c:\windows\Tasks\At31.job
c:\windows\Tasks\At32.job
c:\windows\Tasks\At33.job
c:\windows\Tasks\At34.job
c:\windows\Tasks\At35.job
c:\windows\Tasks\At36.job
c:\windows\Tasks\At37.job
c:\windows\Tasks\At38.job
c:\windows\Tasks\At39.job
c:\windows\Tasks\At4.job
c:\windows\Tasks\At40.job
c:\windows\Tasks\At41.job
c:\windows\Tasks\At42.job
c:\windows\Tasks\At43.job
c:\windows\Tasks\At44.job
c:\windows\Tasks\At45.job
c:\windows\Tasks\At46.job
c:\windows\Tasks\At47.job
c:\windows\Tasks\At48.job
c:\windows\Tasks\At49.job
c:\windows\Tasks\At5.job
c:\windows\Tasks\At50.job
c:\windows\Tasks\At51.job
c:\windows\Tasks\At52.job
c:\windows\Tasks\At53.job
c:\windows\Tasks\At54.job
c:\windows\Tasks\At55.job
c:\windows\Tasks\At56.job
c:\windows\Tasks\At57.job
c:\windows\Tasks\At58.job
c:\windows\Tasks\At59.job
c:\windows\Tasks\At6.job
c:\windows\Tasks\At60.job
c:\windows\Tasks\At61.job
c:\windows\Tasks\At62.job
c:\windows\Tasks\At63.job
c:\windows\Tasks\At64.job
c:\windows\Tasks\At65.job
c:\windows\Tasks\At66.job
c:\windows\Tasks\At67.job
c:\windows\Tasks\At68.job
c:\windows\Tasks\At69.job
c:\windows\Tasks\At7.job
c:\windows\Tasks\At70.job
c:\windows\Tasks\At71.job
c:\windows\Tasks\At72.job
c:\windows\Tasks\At8.job
c:\windows\Tasks\At9.job
c:\windows\system32\SB7K7u61.exe

Same procedure as last time; hopefully that will be everything...
Again the log from CF and HJT.
When working with HJT, ComboFix, MBAM, SDFix etc., close all other applications and browsers!
Do not send logs by private message. During my absence, memphisto, Žbeky and Orcus stand in for me.
If you are satisfied, you can support our forum: Forum support

rtepp
newbie
Posts: 11
Registered: February 09
Gender: Male
Status:
Offline

Re: Trojan.FakeAlert

Post by rtepp » 05 Feb 2009 21:04

Done as ordered, and here are the logs

ComboFix
ComboFix 09-02-04.04 - Rodina 2009-02-05 20:53:42.3 - NTFSx86
Systém Microsoft Windows XP Professional 5.1.2600.3.1250.1.1029.18.1023.662 [GMT 1:00]
Spuštěný z: c:\documents and settings\Rodina\Plocha\ComboFix.exe
Použité ovládací přepínače :: c:\documents and settings\Rodina\Plocha\CFScript.txt
AV: avast! antivirus 4.8.1296 [VPS 090202-0] *On-access scanning disabled* (Updated)
* Vytvořen nový Bod Obnovení

VAROVÁNÍ - NA TOMTO POČÍTAČI NENÍ NAINSTALOVÁNA KONZOLA PRO ZOTAVENÍ !!

FILE ::
c:\windows\Tasks\At1.job
c:\windows\Tasks\At10.job
c:\windows\Tasks\At11.job
c:\windows\Tasks\At12.job
c:\windows\Tasks\At13.job
c:\windows\Tasks\At14.job
c:\windows\Tasks\At15.job
c:\windows\Tasks\At16.job
c:\windows\Tasks\At17.job
c:\windows\Tasks\At18.job
c:\windows\Tasks\At19.job
c:\windows\Tasks\At2.job
c:\windows\Tasks\At20.job
c:\windows\Tasks\At21.job
c:\windows\Tasks\At22.job
c:\windows\Tasks\At23.job
c:\windows\Tasks\At24.job
c:\windows\Tasks\At25.job
c:\windows\Tasks\At26.job
c:\windows\Tasks\At27.job
c:\windows\Tasks\At28.job
c:\windows\Tasks\At29.job
c:\windows\Tasks\At3.job
c:\windows\Tasks\At30.job
c:\windows\Tasks\At31.job
c:\windows\Tasks\At32.job
c:\windows\Tasks\At33.job
c:\windows\Tasks\At34.job
c:\windows\Tasks\At35.job
c:\windows\Tasks\At36.job
c:\windows\Tasks\At37.job
c:\windows\Tasks\At38.job
c:\windows\Tasks\At39.job
c:\windows\Tasks\At4.job
c:\windows\Tasks\At40.job
c:\windows\Tasks\At41.job
c:\windows\Tasks\At42.job
c:\windows\Tasks\At43.job
c:\windows\Tasks\At44.job
c:\windows\Tasks\At45.job
c:\windows\Tasks\At46.job
c:\windows\Tasks\At47.job
c:\windows\Tasks\At48.job
c:\windows\Tasks\At49.job
c:\windows\Tasks\At5.job
c:\windows\Tasks\At50.job
c:\windows\Tasks\At51.job
c:\windows\Tasks\At52.job
c:\windows\Tasks\At53.job
c:\windows\Tasks\At54.job
c:\windows\Tasks\At55.job
c:\windows\Tasks\At56.job
c:\windows\Tasks\At57.job
c:\windows\Tasks\At58.job
c:\windows\Tasks\At59.job
c:\windows\Tasks\At6.job
c:\windows\Tasks\At60.job
c:\windows\Tasks\At61.job
c:\windows\Tasks\At62.job
c:\windows\Tasks\At63.job
c:\windows\Tasks\At64.job
c:\windows\Tasks\At65.job
c:\windows\Tasks\At66.job
c:\windows\Tasks\At67.job
c:\windows\Tasks\At68.job
c:\windows\Tasks\At69.job
c:\windows\Tasks\At7.job
c:\windows\Tasks\At70.job
c:\windows\Tasks\At71.job
c:\windows\Tasks\At72.job
c:\windows\Tasks\At8.job
c:\windows\Tasks\At9.job
.

((((((((((((((((((((((((((((((((((((((( Ostatní výmazy )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Tasks\At1.job
c:\windows\Tasks\At10.job
c:\windows\Tasks\At11.job
c:\windows\Tasks\At12.job
c:\windows\Tasks\At13.job
c:\windows\Tasks\At14.job
c:\windows\Tasks\At15.job
c:\windows\Tasks\At16.job
c:\windows\Tasks\At17.job
c:\windows\Tasks\At18.job
c:\windows\Tasks\At19.job
c:\windows\Tasks\At2.job
c:\windows\Tasks\At20.job
c:\windows\Tasks\At21.job
c:\windows\Tasks\At22.job
c:\windows\Tasks\At23.job
c:\windows\Tasks\At24.job
c:\windows\Tasks\At25.job
c:\windows\Tasks\At26.job
c:\windows\Tasks\At27.job
c:\windows\Tasks\At28.job
c:\windows\Tasks\At29.job
c:\windows\Tasks\At3.job
c:\windows\Tasks\At30.job
c:\windows\Tasks\At31.job
c:\windows\Tasks\At32.job
c:\windows\Tasks\At33.job
c:\windows\Tasks\At34.job
c:\windows\Tasks\At35.job
c:\windows\Tasks\At36.job
c:\windows\Tasks\At37.job
c:\windows\Tasks\At38.job
c:\windows\Tasks\At39.job
c:\windows\Tasks\At4.job
c:\windows\Tasks\At40.job
c:\windows\Tasks\At41.job
c:\windows\Tasks\At42.job
c:\windows\Tasks\At43.job
c:\windows\Tasks\At44.job
c:\windows\Tasks\At45.job
c:\windows\Tasks\At46.job
c:\windows\Tasks\At47.job
c:\windows\Tasks\At48.job
c:\windows\Tasks\At49.job
c:\windows\Tasks\At5.job
c:\windows\Tasks\At50.job
c:\windows\Tasks\At51.job
c:\windows\Tasks\At52.job
c:\windows\Tasks\At53.job
c:\windows\Tasks\At54.job
c:\windows\Tasks\At55.job
c:\windows\Tasks\At56.job
c:\windows\Tasks\At57.job
c:\windows\Tasks\At58.job
c:\windows\Tasks\At59.job
c:\windows\Tasks\At6.job
c:\windows\Tasks\At60.job
c:\windows\Tasks\At61.job
c:\windows\Tasks\At62.job
c:\windows\Tasks\At63.job
c:\windows\Tasks\At64.job
c:\windows\Tasks\At65.job
c:\windows\Tasks\At66.job
c:\windows\Tasks\At67.job
c:\windows\Tasks\At68.job
c:\windows\Tasks\At69.job
c:\windows\Tasks\At7.job
c:\windows\Tasks\At70.job
c:\windows\Tasks\At71.job
c:\windows\Tasks\At72.job
c:\windows\Tasks\At8.job
c:\windows\Tasks\At9.job

.
((((((((((((((((((((((((( Soubory vytvořené od 2009-01-05 do 2009-02-05 )))))))))))))))))))))))))))))))
.

2009-02-03 17:41 . 2009-02-03 17:41 578,560 --a--c--- c:\windows\system32\dllcache\user32.dll
2009-02-03 17:39 . 2009-02-03 17:39 <DIR> d-------- c:\windows\ERUNT
2009-02-02 19:17 . 2009-02-02 19:17 <DIR> d-------- c:\documents and settings\Rodina\Data aplikací\Malwarebytes
2009-02-02 19:16 . 2009-02-02 19:17 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-02-02 19:16 . 2009-02-02 19:16 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Data aplikací\Malwarebytes
2009-02-02 19:16 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-02 19:16 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-02-02 17:27 . 2009-02-02 17:27 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Data aplikací\SUPERAntiSpyware.com
2009-02-02 17:26 . 2009-02-03 17:20 <DIR> d-------- c:\program files\SUPERAntiSpyware
2009-02-02 17:26 . 2009-02-02 17:26 <DIR> d-------- c:\documents and settings\Rodina\Data aplikací\SUPERAntiSpyware.com
2009-02-01 19:24 . 2009-02-01 19:24 210 --a------ c:\windows\system32\spupdsvc.inf
2009-01-24 20:41 . 2009-01-24 20:42 <DIR> d-------- c:\documents and settings\Rodina\Data aplikací\ICQ
2009-01-24 12:00 . 2009-01-24 12:00 <DIR> dr------- c:\documents and settings\NetworkService.NT AUTHORITY\Oblíbené položky
2009-01-18 21:24 . 2009-01-24 21:30 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Data aplikací\TrackMania
2009-01-16 22:52 . 2009-01-16 22:52 54,156 --ah----- c:\windows\QTFont.qfn
2009-01-16 22:52 . 2009-01-16 22:52 1,409 --a------ c:\windows\QTFont.for

.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-02 16:26 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-02-01 17:35 --------- d-----w c:\documents and settings\All Users.WINDOWS\Data aplikací\Spybot - Search & Destroy
2009-02-01 07:42 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-01-31 16:31 --------- d-----w c:\program files\WinSpeedUp
2009-01-31 16:28 --------- d-----w c:\documents and settings\Rodina\Data aplikací\Skype
2009-01-25 16:29 --------- d-----w c:\program files\ESET
2008-12-25 20:54 --------- d-----w c:\program files\EA GAMES
2008-12-24 19:05 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2008-12-07 15:11 2,560 ----a-w c:\windows\_MSRSTRT.EXE
2008-11-24 20:17 120 ----a-w C:\drmHeader.bin
2008-10-05 14:32 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008100520081006\index.dat
.

((((((((((((((((((((((((((((( SnapShot@2009-02-05_19.15.49,60 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-10-20 19:02:28 163,328 ----a-w c:\windows\ERDNT\subs\ERDNT.EXE
+ 2009-02-05 19:15:09 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_4d4.dat
.
(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-09-25 90112]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-11-26 81000]
"SoundMan"="SOUNDMAN.EXE" [2002-03-21 c:\windows\SOUNDMAN.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 11:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.I420"= i263_32.drv
"msacm.l3acm"= l3codecp.acm
"vidc.xvid"= xvid.dll
"msacm.g723"= g723.acm
"vidc.I263"= I263_32.drv
"msacm.l3codec"= l3codecp.acm

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 10:50 155648 c:\windows\system32\NeroCheck.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\dpnsvr.exe"=
"c:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite 2009\\RpcAgentSrv.exe"=
"c:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite 2009\\WNt500x86\\RpcSandraSrv.exe"=
"d:\\hry\\Program Files\\ICQ6\\ICQ.exe"=
"d:\\eMule\\emule.exe"=
"d:\\hry\\Program Files\\Skype\\Phone\\Skype.exe"=
"d:\\Program Files\\TrackMania Nations ESWC\\TmNationsESWC.exe"=
"d:\\Program Files\\track mania 2\\TmNationsForever\\TmForever.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R3 iteio;iteio; [x]
R3 SandraAgentSrv;SiSoftware Deployment Agent Service;c:\program files\SiSoftware\SiSoftware Sandra Lite 2009\RpcAgentSrv.exe [2008-09-08 98488]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-01-15 7408]
S1 aswSP;avast! Self Protection; [x]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2009-01-15 8944]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2009-01-15 55024]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2008-11-26 20560]
S3 PSched;Plánovač paketů technologie QoS;c:\windows\system32\DRIVERS\psched.sys [2008-04-13 69120]


--- Ostatní služby/ovladače v paměti ---

*Deregistered* - ALG
*Deregistered* - aswUpdSv
*Deregistered* - Ati HotKey Poller
*Deregistered* - ATI Smart
*Deregistered* - AudioSrv
*Deregistered* - avast! Antivirus
*Deregistered* - avast! Mail Scanner
*Deregistered* - avast! Web Scanner
*Deregistered* - Browser
*Deregistered* - CryptSvc
*Deregistered* - DcomLaunch
*Deregistered* - Dhcp
*Deregistered* - dmserver
*Deregistered* - Dnscache
*Deregistered* - ERSvc
*Deregistered* - EventSystem
*Deregistered* - FastUserSwitchingCompatibility
*Deregistered* - Gpc
*Deregistered* - helpsvc
*Deregistered* - HTTP
*Deregistered* - ImapiService
*Deregistered* - IpNat
*Deregistered* - IPSec
*Deregistered* - KSecDD
*Deregistered* - lanmanserver
*Deregistered* - lanmanworkstation
*Deregistered* - LmHosts
*Deregistered* - McciCMService
*Deregistered* - mnmdd
*Deregistered* - MountMgr
*Deregistered* - MRxDAV
*Deregistered* - MRxSmb
*Deregistered* - Msfs
*Deregistered* - mssmbios
*Deregistered* - Mup
*Deregistered* - NDIS
*Deregistered* - NdisTapi
*Deregistered* - Ndisuio
*Deregistered* - NdisWan
*Deregistered* - NDProxy
*Deregistered* - NetBIOS
*Deregistered* - NetBT
*Deregistered* - Netman
*Deregistered* - Nla
*Deregistered* - Npfs
*Deregistered* - Ntfs
*Deregistered* - Null
*Deregistered* - PartMgr
*Deregistered* - ParVdm
*Deregistered* - PolicyAgent
*Deregistered* - PptpMiniport
*Deregistered* - ProtectedStorage
*Deregistered* - PSched
*Deregistered* - RasAcd
*Deregistered* - Rasl2tp
*Deregistered* - RasPppoe
*Deregistered* - Raspti
*Deregistered* - Rdbss
*Deregistered* - RDPCDD
*Deregistered* - rdpdr
*Deregistered* - RemoteRegistry
*Deregistered* - RpcSs
*Deregistered* - SamSs
*Deregistered* - SASDIFSV
*Deregistered* - SASKUTIL
*Deregistered* - Secdrv
*Deregistered* - seclogon
*Deregistered* - SENS
*Deregistered* - sfdrv01
*Deregistered* - sfhlp02
*Deregistered* - sfvfs02
*Deregistered* - SharedAccess
*Deregistered* - ShellHWDetection
*Deregistered* - Schedule
*Deregistered* - Spooler
*Deregistered* - sr
*Deregistered* - srservice
*Deregistered* - Srv
*Deregistered* - SSDPSRV
*Deregistered* - stisvc
*Deregistered* - StreamDispatcher
*Deregistered* - swenum
*Deregistered* - Tcpip
*Deregistered* - TermDD
*Deregistered* - TermService
*Deregistered* - Themes
*Deregistered* - TrkWks
*Deregistered* - Update
*Deregistered* - VgaSave
*Deregistered* - viaagp
*Deregistered* - VolSnap
*Deregistered* - W32Time
*Deregistered* - Wanarp
*Deregistered* - WebClient
*Deregistered* - winmgmt
*Deregistered* - WmiApSrv
*Deregistered* - wscsvc
*Deregistered* - wuauserv
*Deregistered* - WudfPf
*Deregistered* - WudfSvc
*Deregistered* - WZCSVC
.
Obsah adresáře 'Naplánované úlohy'

2009-02-05 c:\windows\Tasks\EasyShare Registration RunOnce Task.job
- c:\docume~1\ALLUSE~1.WIN\DATAAP~1\Kodak\EasyShareSetup\$REGIS~1\Registration_7.4.20.2.sxt _RegistrationOfferSilence@16 []
.
.
------- Doplňkový sken -------
.
uStart Page = hxxp://www.seznam.cz/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: E&xportovat do aplikace Microsoft Office Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: {{230D1201-7607-4CF6-A11F-9E4BF0A333E0} - {0DB13731-CEFD-43CF-A8FD-B61DCBC4D5B8} -
IE: {{2C73F784-D2DE-4422-B070-2E3332FE5744} - {0320AC26-52C8-4316-B2C4-24BB6FA73C9A} -
DPF: {745395C8-D0E1-4227-8586-624CA9A10A8D} - hxxp://www.gfp.cz:88/activex/AMC.cab
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-05 20:55:50
Windows 5.1.2600 Service Pack 3 NTFS

skenování skrytých procesů ...

skenování skrytých položek 'Po spuštění' ...

skenování skrytých souborů ...

sken byl úspešně dokončen
skryté soubory: 0

**************************************************************************
.
--------------------- ZAMKNUTÉ KLÍČE V REGISTRU ---------------------

[HKEY_LOCAL_MACHINE\software\AMUST\Registry Cleaner\pos*whor_xpos**]
"wX"=dword:01c72b4d
"whY"=dword:03a419f0

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{0B014B81-4E12-46F9-806F-55867AF8FD3C}\InprocServer32]
@DACL=(02 0000)
@="c:\\WINDOWS\\system32\\winsystems.dll"
"ThreadingModel"="Apartment"
.
--------------------- Knihovny navázané na běžící procesy ---------------------

- - - - - - - > 'winlogon.exe'(540)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\Ati2evxx.dll
.
Celkový čas: 2009-02-05 20:58:32
ComboFix-quarantined-files.txt 2009-02-05 19:58:29
ComboFix2.txt 2009-02-05 19:20:17
ComboFix3.txt 2009-02-05 18:18:48

Před spuštěním: 6 794 937 856
Po spuštění: 6,780,208,640

392 --- E O F --- 2009-01-14 19:50:55



And the HJT
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:00:58, on 5. 2. 2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\TC PowerPack\totalcmd.exe
C:\WINDOWS\explorer.exe
c:\Install\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.seznam.cz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
R3 - URLSearchHook: (no name) - {855F3B16-6D32-4fe6-8A56-BBB695989046} - (no file)
O2 - BHO: Podpora odkazu pro Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2DB66063-BB98-466A-AA0D-3E7ACF5ED853} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O2 - BHO: (no name) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - (no file)
O2 - BHO: (no name) - {B930BA63-9E5A-11D3-A288-0000E80E2EDE} - (no file)
O2 - BHO: (no name) - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - (no file)
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O8 - Extra context menu item: E&xportovat do aplikace Microsoft Office Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Přeložit - {230D1201-7607-4CF6-A11F-9E4BF0A333E0} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {2C73F784-D2DE-4422-B070-2E3332FE5744} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Internetový překladač... - {2C73F784-D2DE-4422-B070-2E3332FE5744} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Zdroje informací - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {745395C8-D0E1-4227-8586-624CA9A10A8D} (AxisMediaControl Class) - http://www.gfp.cz:88/activex/AMC.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: SiSoftware Deployment Agent Service (SandraAgentSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2009\RpcAgentSrv.exe

--
End of file - 5830 bytes

jaro3
Security team member
Guru Level 15
Posts: 43294
Registered: June 07
Location: South Bohemia
Gender: Male
Status:
Offline

Re: Trojan.FakeAlert

Post by jaro3 » 05 Feb 2009 21:18

Sorry, one more ...

Code:

Registry::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{0B014B81-4E12-46F9-806F-55867AF8FD3C}\InprocServer32]
@=-

Now that really is everything.

rtepp
newbie
Posts: 11
Registered: February 09
Gender: Male
Status:
Offline

Re: Trojan.FakeAlert

Post by rtepp » 05 Feb 2009 21:32

Great, thanks.
Below are the logs again. And one more request for advice: there was only Avast on it, and now I have added Spybot. Is that a suitable combination, or would you recommend something better???


ComboFix 09-02-04.04 - Rodina 2009-02-05 21:24:08.4 - NTFSx86
Systém Microsoft Windows XP Professional 5.1.2600.3.1250.1.1029.18.1023.665 [GMT 1:00]
Spuštěný z: c:\documents and settings\Rodina\Plocha\ComboFix.exe
Použité ovládací přepínače :: c:\documents and settings\Rodina\Plocha\CFScript.txt
AV: avast! antivirus 4.8.1296 [VPS 090202-0] *On-access scanning disabled* (Updated)
* Vytvořen nový Bod Obnovení

VAROVÁNÍ - NA TOMTO POČÍTAČI NENÍ NAINSTALOVÁNA KONZOLA PRO ZOTAVENÍ !!
.

((((((((((((((((((((((((( Soubory vytvořené od 2009-01-05 do 2009-02-05 )))))))))))))))))))))))))))))))
.

2009-02-03 17:41 . 2009-02-03 17:41 578,560 --a--c--- c:\windows\system32\dllcache\user32.dll
2009-02-03 17:39 . 2009-02-03 17:39 <DIR> d-------- c:\windows\ERUNT
2009-02-02 19:17 . 2009-02-02 19:17 <DIR> d-------- c:\documents and settings\Rodina\Data aplikací\Malwarebytes
2009-02-02 19:16 . 2009-02-02 19:17 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-02-02 19:16 . 2009-02-02 19:16 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Data aplikací\Malwarebytes
2009-02-02 19:16 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-02 19:16 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-02-02 17:27 . 2009-02-02 17:27 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Data aplikací\SUPERAntiSpyware.com
2009-02-02 17:26 . 2009-02-03 17:20 <DIR> d-------- c:\program files\SUPERAntiSpyware
2009-02-02 17:26 . 2009-02-02 17:26 <DIR> d-------- c:\documents and settings\Rodina\Data aplikací\SUPERAntiSpyware.com
2009-02-01 19:24 . 2009-02-01 19:24 210 --a------ c:\windows\system32\spupdsvc.inf
2009-01-24 20:41 . 2009-01-24 20:42 <DIR> d-------- c:\documents and settings\Rodina\Data aplikací\ICQ
2009-01-24 12:00 . 2009-01-24 12:00 <DIR> dr------- c:\documents and settings\NetworkService.NT AUTHORITY\Oblíbené položky
2009-01-18 21:24 . 2009-01-24 21:30 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Data aplikací\TrackMania
2009-01-16 22:52 . 2009-01-16 22:52 54,156 --ah----- c:\windows\QTFont.qfn
2009-01-16 22:52 . 2009-01-16 22:52 1,409 --a------ c:\windows\QTFont.for

.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-02 16:26 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-02-01 17:35 --------- d-----w c:\documents and settings\All Users.WINDOWS\Data aplikací\Spybot - Search & Destroy
2009-02-01 07:42 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-01-31 16:31 --------- d-----w c:\program files\WinSpeedUp
2009-01-31 16:28 --------- d-----w c:\documents and settings\Rodina\Data aplikací\Skype
2009-01-25 16:29 --------- d-----w c:\program files\ESET
2008-12-25 20:54 --------- d-----w c:\program files\EA GAMES
2008-12-24 19:05 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2008-12-07 15:11 2,560 ----a-w c:\windows\_MSRSTRT.EXE
2008-11-24 20:17 120 ----a-w C:\drmHeader.bin
2008-10-05 14:32 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008100520081006\index.dat
.

((((((((((((((((((((((((((((( SnapShot@2009-02-05_19.15.49,60 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-10-20 19:02:28 163,328 ----a-w c:\windows\ERDNT\subs\ERDNT.EXE
+ 2009-02-05 19:15:09 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_4d4.dat
.
(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-09-25 90112]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-11-26 81000]
"SoundMan"="SOUNDMAN.EXE" [2002-03-21 c:\windows\SOUNDMAN.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 11:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.I420"= i263_32.drv
"msacm.l3acm"= l3codecp.acm
"vidc.xvid"= xvid.dll
"msacm.g723"= g723.acm
"vidc.I263"= I263_32.drv
"msacm.l3codec"= l3codecp.acm

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 10:50 155648 c:\windows\system32\NeroCheck.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\dpnsvr.exe"=
"c:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite 2009\\RpcAgentSrv.exe"=
"c:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite 2009\\WNt500x86\\RpcSandraSrv.exe"=
"d:\\hry\\Program Files\\ICQ6\\ICQ.exe"=
"d:\\eMule\\emule.exe"=
"d:\\hry\\Program Files\\Skype\\Phone\\Skype.exe"=
"d:\\Program Files\\TrackMania Nations ESWC\\TmNationsESWC.exe"=
"d:\\Program Files\\track mania 2\\TmNationsForever\\TmForever.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-10-21 111184]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2009-01-15 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2009-01-15 55024]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-10-21 20560]
R3 PSched;Plánovač paketů technologie QoS;c:\windows\system32\drivers\psched.sys [2004-08-03 69120]
S3 iteio;iteio;\??\c:\windows\system32\drivers\iteio.sys --> c:\windows\system32\drivers\iteio.sys [?]
S3 SandraAgentSrv;SiSoftware Deployment Agent Service;c:\program files\SiSoftware\SiSoftware Sandra Lite 2009\RpcAgentSrv.exe [2008-10-04 98488]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-01-15 7408]
.
Obsah adresáře 'Naplánované úlohy'

2009-02-05 c:\windows\Tasks\EasyShare Registration RunOnce Task.job
- c:\docume~1\ALLUSE~1.WIN\DATAAP~1\Kodak\EasyShareSetup\$REGIS~1\Registration_7.4.20.2.sxt _RegistrationOfferSilence@16 []
.
.
------- Doplňkový sken -------
.
uStart Page = hxxp://www.seznam.cz/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: E&xportovat do aplikace Microsoft Office Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: {{230D1201-7607-4CF6-A11F-9E4BF0A333E0} - {0DB13731-CEFD-43CF-A8FD-B61DCBC4D5B8} -
IE: {{2C73F784-D2DE-4422-B070-2E3332FE5744} - {0320AC26-52C8-4316-B2C4-24BB6FA73C9A} -
DPF: {745395C8-D0E1-4227-8586-624CA9A10A8D} - hxxp://www.gfp.cz:88/activex/AMC.cab
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-05 21:25:42
Windows 5.1.2600 Service Pack 3 NTFS

skenování skrytých procesů ...

skenování skrytých položek 'Po spuštění' ...

skenování skrytých souborů ...

sken byl úspešně dokončen
skryté soubory: 0

**************************************************************************
.
--------------------- ZAMKNUTÉ KLÍČE V REGISTRU ---------------------

[HKEY_LOCAL_MACHINE\software\AMUST\Registry Cleaner\pos*whor_xpos**]
"wX"=dword:01c72b4d
"whY"=dword:03a419f0

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{0B014B81-4E12-46F9-806F-55867AF8FD3C}\InprocServer32]
@DACL=(02 0000)
@="c:\\WINDOWS\\system32\\winsystems.dll"
"ThreadingModel"="Apartment"
.
--------------------- Knihovny navázané na běžící procesy ---------------------

- - - - - - - > 'winlogon.exe'(540)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\Ati2evxx.dll
.
Celkový čas: 2009-02-05 21:28:27
ComboFix-quarantined-files.txt 2009-02-05 20:28:24
ComboFix2.txt 2009-02-05 19:20:17
ComboFix3.txt 2009-02-05 18:18:48

Před spuštěním: 6 760 106 496
Po spuštění: 6,745,409,536

142 --- E O F --- 2009-01-14 19:50:55


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:29:37, on 5. 2. 2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\TC PowerPack\totalcmd.exe
C:\WINDOWS\explorer.exe
c:\Install\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.seznam.cz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
R3 - URLSearchHook: (no name) - {855F3B16-6D32-4fe6-8A56-BBB695989046} - (no file)
O2 - BHO: Podpora odkazu pro Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2DB66063-BB98-466A-AA0D-3E7ACF5ED853} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O2 - BHO: (no name) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - (no file)
O2 - BHO: (no name) - {B930BA63-9E5A-11D3-A288-0000E80E2EDE} - (no file)
O2 - BHO: (no name) - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - (no file)
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O8 - Extra context menu item: E&xportovat do aplikace Microsoft Office Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Přeložit - {230D1201-7607-4CF6-A11F-9E4BF0A333E0} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {2C73F784-D2DE-4422-B070-2E3332FE5744} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Internetový překladač... - {2C73F784-D2DE-4422-B070-2E3332FE5744} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Zdroje informací - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {745395C8-D0E1-4227-8586-624CA9A10A8D} (AxisMediaControl Class) - http://www.gfp.cz:88/activex/AMC.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: SiSoftware Deployment Agent Service (SandraAgentSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2009\RpcAgentSrv.exe

--
End of file - 5830 bytes

jaro3
Security team member
Guru Level 15
Posts: 43294
Registered: June 07
Location: South Bohemia
Gender: Male
Status: Offline

Re: Trojan.FakeAlert

Post by jaro3 » 05 Feb 2009 21:37

The key is locked, it shouldn't be a problem. Avast and Spybot are, I think, a good combination.
Close the other applications and browsers, disconnect from the net and fix in HJT:

Code:

O2 - BHO: (no name) - {2DB66063-BB98-466A-AA0D-3E7ACF5ED853} - (no file)
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O2 - BHO: (no name) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - (no file)
O2 - BHO: (no name) - {B930BA63-9E5A-11D3-A288-0000E80E2EDE} - (no file)
O2 - BHO: (no name) - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - (no file)

ComboFix is uninstalled like this:
Start - Run and enter ComboFix[space]/u

So if there are no problems, clean the system with CCleaner
and also use T-Cleaner
it deletes everything left behind by Combo, SDFix, Avenger, MWAV etc. - download > run

Download ATF Cleaner
Double-click ATF Cleaner.exe, click select all found, then click empty selected.
If you want to keep your saved passwords, click No.

Update Java:
Java SE Runtime Environment 6u11
Choose the OS (I assume Windows), tick agree-continue
Choose:
Windows Offline Installation
jre-6u11-windows-i586-p.exe
Remove the other Javas in Add/Remove Programs.
All of them.
When working with HJT, ComboFix, MbAM, SDFix and similar programs, close all other applications and browsers!
Do not send logs by private message. During my absence memphisto, Žbeky and Orcus stand in for me.
If you are satisfied, you can support our forum: Forum support
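As an added example (not part of jaro3's post or of HijackThis itself), a small Python parser for the O2 (Browser Helper Object) lines of a HijackThis log that lists the orphaned "(no file)" entries the post tells the user to fix; the sample lines are constructed from the log above, and the function names are the example's own.

```python
import re
from typing import List, NamedTuple

# Constructed sample: a few HijackThis-style lines modelled on the log in this thread.
SAMPLE_LOG = r"""
O2 - BHO: Podpora odkazu pro Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2DB66063-BB98-466A-AA0D-3E7ACF5ED853} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
"""


class Bho(NamedTuple):
    name: str   # display name HJT read from the registry, or "(no name)"
    clsid: str  # CLSID under HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
    path: str   # DLL path from InprocServer32, or "(no file)" when the DLL is missing


# An O2 line has the form: "O2 - BHO: <name> - {CLSID} - <path>"
# A CLSID inside braces is 36 characters: 32 hex digits plus 4 hyphens.
O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$"
)


def parse_bhos(log_text: str) -> List[Bho]:
    """Parse every O2 line of a HijackThis log into a Bho record.

    Lines of other sections (O4, O9, O23, ...) are ignored.  CLSIDs are
    upper-cased so they compare equal regardless of how HJT printed them.
    """
    entries = []
    for line in log_text.splitlines():
        m = O2_RE.match(line.strip())
        if m:
            entries.append(Bho(m["name"], m["clsid"].upper(), m["path"]))
    return entries


def orphaned_bhos(log_text: str) -> List[str]:
    """Return the CLSIDs of BHOs whose DLL no longer exists.

    Such "(no file)" entries are leftovers of a removed add-on or of a
    cleaned-up infection; they load nothing, but fixing them in HJT keeps
    the registry tidy, which is what the helper recommends above.
    """
    return [b.clsid for b in parse_bhos(log_text) if b.path == "(no file)"]
```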

