Prosim o kontrolu logu kvoli viru...

nanuk1 · Příspěvekod **nanuk1** » 06 led 2008 20:55

Ahoj.
Naslo mi virus Win32 Trojan Agent Dropper DGO. Nod32 ho vie liecit, ale nachadza sa aj v suboroch, ktore bezia na pozadi. Aj aktie procesy ukoncim a vyliecim tie subory, tak po restarte sa virus objavi znovu na tych suboroch (a naslednych procesoch). A neviem prist na to, aky proces ich obnovuje.
Objavuje sa hlavne v subore ctfmon.exe v c:\windows\system32.
Prikladam log:

Logfile of HijackThis v1.99.1
Scan saved at 9:14:13, on 6. 1. 2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\BlueSoleil-bluetooth\BTNtService.exe
C:\Program Files\NOD32\ekrn.exe
C:\PROGRAMY\totalcmd\TOTALCMD.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\NOD32\egui.exe
C:\Program Files\Avant Browser\avant.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\PROGRAMY\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.sk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [egui] "C:\Program Files\NOD32\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [b0daede1] rundll32.exe "C:\WINDOWS\system32\bkbbggfa.dll",b
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -trayboot
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xportovat do aplikace Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Stiahnuť položku pomocou FlashGetu - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Stiahnuť všetky položky pomocou FlashGetu - C:\Program Files\FlashGet\jc_all.htm
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 8797787762
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\BlueSoleil-bluetooth\BTNtService.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\NOD32\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\NOD32\ekrn.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe

Diky za rady.

Reklama

Příspěvekod **fredik** » 07 led 2008 05:17

Vítej na fóru

Stáhni si ComboFix (by sUBs) a ulož si ho na plochu.
Ukonči všechna aktivní okna a spusť ho.
- Po spuštění se zobrazí podmínky užití, potvrď je stiskem klávesy 1
- Dále postupuj dle pokynů, během aplikování ComboFixu neklikej do zobrazujícího se okna
- Po dokončení skenování by měl program vytvořit log - C:\ComboFix.txt - zkopíruj sem prosím celý jeho obsah

nanuk1 · Příspěvekod **nanuk1** » 09 led 2008 21:04

ComboFix 08-01-04.1 - Adminko 2008-01-09 15:05:56.1 - NTFSx86
Running from: C:\Documents and Settings\Administrator\Plocha\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\PerfInfo
C:\WINDOWS\ppqvmpqr
C:\WINDOWS\ppqvmpqr\1.png
C:\WINDOWS\ppqvmpqr\2.png
C:\WINDOWS\ppqvmpqr\3.png
C:\WINDOWS\ppqvmpqr\4.png
C:\WINDOWS\ppqvmpqr\5.png
C:\WINDOWS\ppqvmpqr\6.png
C:\WINDOWS\ppqvmpqr\bottom-rc.gif
C:\WINDOWS\ppqvmpqr\content.png
C:\WINDOWS\ppqvmpqr\download.gif
C:\WINDOWS\ppqvmpqr\frame-bottom-left.gif
C:\WINDOWS\ppqvmpqr\frame-h1bg.gif
C:\WINDOWS\ppqvmpqr\head.png
C:\WINDOWS\ppqvmpqr\indexuc.html
C:\WINDOWS\ppqvmpqr\indexud.html
C:\WINDOWS\ppqvmpqr\main.css
C:\WINDOWS\ppqvmpqr\net.png
C:\WINDOWS\ppqvmpqr\pc-mag.gif
C:\WINDOWS\ppqvmpqr\pc.gif
C:\WINDOWS\ppqvmpqr\poloska1.png
C:\WINDOWS\ppqvmpqr\poloska2.png
C:\WINDOWS\ppqvmpqr\poloska3.png
C:\WINDOWS\ppqvmpqr\promouc1.html
C:\WINDOWS\ppqvmpqr\promouc2.html
C:\WINDOWS\ppqvmpqr\promouc3.html
C:\WINDOWS\ppqvmpqr\promouc4.html
C:\WINDOWS\ppqvmpqr\promouc5.html
C:\WINDOWS\ppqvmpqr\promoud1.html
C:\WINDOWS\ppqvmpqr\promoud2.html
C:\WINDOWS\ppqvmpqr\promoud3.html
C:\WINDOWS\ppqvmpqr\promoud4.html
C:\WINDOWS\ppqvmpqr\promoud5.html
C:\WINDOWS\ppqvmpqr\reg.png
C:\WINDOWS\ppqvmpqr\repair.png
C:\WINDOWS\ppqvmpqr\scr-1.png
C:\WINDOWS\ppqvmpqr\scr-2.png
C:\WINDOWS\ppqvmpqr\styles.css
C:\WINDOWS\ppqvmpqr\top-rc.gif
C:\WINDOWS\ppqvmpqr\vline.gif
C:\WINDOWS\system32\byxyaxy.dll
C:\WINDOWS\system32\ctfmon.exe.tmp
C:\WINDOWS\system32\fcccdda.dll
C:\WINDOWS\system32\ndaTqsVqrX.dll
C:\WINDOWS\system32\opnlmlk.dll
C:\WINDOWS\system32\pfwqrpmr.dll
C:\WINDOWS\system32\ssttt.dll
C:\WINDOWS\system32\tttss.ini
C:\WINDOWS\system32\tttss.ini2

.
((((((((((((((((((((((((( Files Created from 2007-12-09 to 2008-01-09 )))))))))))))))))))))))))))))))
.

2008-01-09 14:56 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-08 16:24 . 2008-01-08 16:24 <DIR> d-------- C:\Program Files\Lavasoft
2008-01-06 15:53 . 2006-12-19 16:53 24,072 --a------ C:\WINDOWS\system32\uxtuneup.dll
2008-01-06 15:50 . 2008-01-06 15:56 <DIR> d-------- C:\Program Files\TuneUp Utilities 2007
2008-01-06 15:46 . 2008-01-06 15:46 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-12-30 07:52 . 2007-12-30 07:52 138,752 --a------ C:\WINDOWS\system32\drivers\sp_rsdrv2.sys
2007-12-30 07:49 . 2007-12-31 13:36 <DIR> d-------- C:\Program Files\Spyware Terminator
2007-12-29 22:34 . 2008-01-06 14:37 1,044,220 --ahs---- C:\WINDOWS\system32\afggbbkb.ini
2007-12-29 19:28 . 2007-12-29 19:53 <DIR> d-------- C:\Program Files\BSplayer
2007-12-29 19:16 . 2007-09-04 17:56 164,352 --a------ C:\WINDOWS\system32\unrar.dll
2007-12-29 15:27 . 2007-12-29 15:27 <DIR> d-------- C:\Program Files\WhereIsIt
2007-12-29 15:17 . 2007-12-29 15:17 <DIR> d-------- C:\Program Files\DAEMON Tools
2007-12-29 15:17 . 2007-12-29 15:17 223,128 --a------ C:\WINDOWS\system32\drivers\dtscsi.sys
2007-12-29 15:13 . 2008-01-06 14:32 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-12-29 15:13 . 2007-12-30 07:14 1,409 --a------ C:\WINDOWS\QTFont.for
2007-12-29 15:10 . 2007-12-29 15:10 642,560 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2007-12-29 15:10 . 2007-12-29 15:10 96,256 --a------ C:\WINDOWS\system32\drivers\sptd9069.sys
2007-12-29 15:09 . 2008-01-06 14:32 <DIR> d-------- C:\Program Files\iTunes
2007-12-29 15:09 . 2007-12-29 15:09 <DIR> d-------- C:\Program Files\iPod
2007-12-29 15:02 . 2007-12-29 15:02 <DIR> d-------- C:\Program Files\Apple Software Update
2007-12-29 15:00 . 2007-12-29 15:01 <DIR> d-------- C:\Program Files\FlashGet
2007-12-29 14:59 . 2007-12-29 14:59 <DIR> d-------- C:\Program Files\Common Files\Apple
2007-12-29 14:52 . 2007-12-29 14:54 <DIR> d-------- C:\Program Files\XnView
2007-12-29 14:43 . 2001-10-19 15:40 1,683,792 --a------ C:\WINDOWS\system32\wmvcore2.dll
2007-12-29 14:43 . 2001-10-19 15:40 665,424 --a------ C:\WINDOWS\system32\wmv8dmoe.dll
2007-12-29 14:43 . 2002-10-09 13:21 566,272 --a------ C:\WINDOWS\system32\wmvdmoe.dll
2007-12-29 14:43 . 2001-10-19 15:40 438,608 --a------ C:\WINDOWS\system32\wmv8dmod.dll
2007-12-29 14:43 . 2001-10-19 03:05 285,184 --a------ C:\WINDOWS\system32\wmidx2.ocx
2007-12-29 14:43 . 2007-12-29 14:43 156,910 --a------ C:\WINDOWS\WMSysPr8.prx
2007-12-29 14:41 . 2007-12-29 14:45 <DIR> d-------- C:\Program Files\Vegas 4.0
2007-12-29 14:39 . 2007-12-29 14:39 <DIR> d-------- C:\Program Files\PowerDVD
2007-12-29 14:39 . 2007-12-29 14:39 <DIR> d-------- C:\Program Files\CyberLink
2007-12-29 14:36 . 2003-03-29 16:45 89,184 --a------ C:\WINDOWS\system32\drivers\imagedrv.sys
2007-12-29 14:36 . 2003-07-29 17:09 57,344 --a------ C:\WINDOWS\system32\ImageDrive.cpl
2007-12-29 14:35 . 2007-12-29 14:35 <DIR> d-------- C:\Program Files\nero
2007-12-29 14:35 . 2007-12-29 14:35 <DIR> d-------- C:\Program Files\Common Files\Ahead
2007-12-29 14:35 . 2001-07-06 14:41 569,344 --a------ C:\WINDOWS\system32\imagr5.dll
2007-12-29 14:35 . 2001-07-06 12:44 544,768 --a------ C:\WINDOWS\system32\imagx5.dll
2007-12-29 14:35 . 2001-07-06 18:24 283,920 --a------ C:\WINDOWS\system32\ImagXpr5.dll
2007-12-29 14:35 . 2001-07-09 11:50 155,648 --a------ C:\WINDOWS\system32\NeroCheck.exe
2007-12-29 14:35 . 2001-06-26 08:15 38,912 --a------ C:\WINDOWS\system32\picn20.dll
2007-12-29 14:33 . 1999-12-17 11:13 86,016 --a------ C:\WINDOWS\unvise32.exe
2007-12-29 14:31 . 2007-12-29 19:15 <DIR> d-------- C:\Program Files\codecs
2007-12-29 10:02 . 2007-12-29 14:41 1 --a------ C:\WINDOWS\system32\ssttt.exe
2007-12-29 09:34 . 2007-12-29 16:37 <DIR> d-------- C:\WINDOWS\system32\cs-cz
2007-12-29 08:56 . 2006-08-21 10:14 128,896 -----c--- C:\WINDOWS\system32\dllcache\fltmgr.sys
2007-12-29 08:56 . 2006-08-21 10:14 23,040 -----c--- C:\WINDOWS\system32\dllcache\fltmc.exe
2007-12-29 08:56 . 2006-08-21 13:27 16,896 -----c--- C:\WINDOWS\system32\dllcache\fltlib.dll
2007-12-28 23:42 . 2007-12-28 23:42 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-12-28 22:41 . 2007-07-09 14:11 584,192 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2007-12-28 20:22 . 2007-03-22 13:38 215,144 -ra------ C:\WINDOWS\pw32a.dll
2007-12-28 15:59 . 2007-12-28 16:08 <DIR> d-------- C:\WINDOWS\system32\URTTemp
2007-12-28 13:28 . 2008-01-09 14:27 15,360 --a------ C:\WINDOWS\system32\ctfmon .exe
2007-12-28 13:01 . 2007-12-28 13:03 <DIR> d-------- C:\Program Files\manli-honestech TVR 2.5
2007-12-28 13:01 . 2001-05-11 12:18 420,240 --a------ C:\WINDOWS\system32\mpg4c32.dll
2007-12-28 13:00 . 2007-12-28 22:14 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2007-12-28 12:59 . 2007-12-28 12:59 <DIR> d-------- C:\WINDOWS\MyInstall
2007-12-28 12:58 . 2005-09-09 19:56 <DIR> d-------- C:\Program Files\Support
2007-12-28 12:58 . 2007-12-28 12:59 <DIR> d-------- C:\Program Files\Driver Validation
2007-12-28 12:55 . 2007-01-24 04:00 716,160 --a------ C:\WINDOWS\system32\drivers\3xHybrid.sys
2007-12-28 12:55 . 2005-12-13 07:28 3,072 --a------ C:\WINDOWS\system32\34CoInstaller.dll
2007-12-28 11:49 . 2007-12-28 11:49 390 --a------ C:\WINDOWS\ODBC.INI
2007-12-28 11:47 . 2007-12-28 11:47 <DIR> d-------- C:\WINDOWS\ShellNew
2007-12-28 11:39 . 2008-01-09 05:02 95 --a------ C:\WINDOWS\winamp.ini
2007-12-28 11:38 . 2007-12-29 19:01 <DIR> d-------- C:\Program Files\Winamp
2007-12-28 11:38 . 2004-08-17 15:49 23,552 --a------ C:\WINDOWS\system32\SETB1.tmp
2007-12-28 11:38 . 2004-08-17 15:49 4,096 --a------ C:\WINDOWS\system32\SETA4.tmp
2007-12-28 11:34 . 2004-08-17 15:49 23,552 --a------ C:\WINDOWS\system32\SET33.tmp
2007-12-28 11:25 . 2007-12-28 11:27 39 --a------ C:\WINDOWS\TVRMT.INI
2007-12-28 11:13 . 2007-12-29 19:43 <DIR> d-------- C:\Program Files\ICQLite
2007-12-28 11:08 . 2007-12-29 15:01 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2007-12-28 11:07 . 2007-12-28 11:07 <DIR> d-------- C:\Program Files\Sony Ericsson
2007-12-28 11:07 . 2007-12-28 11:08 <DIR> d-------- C:\Program Files\Common Files\Teleca Shared
2007-12-28 11:07 . 2007-12-28 11:08 <DIR> d-------- C:\Program Files\Common Files\Sony Ericsson Shared
2007-12-28 10:54 . 2007-12-28 10:54 1,744 --a------ C:\WINDOWS\system32\d3d9caps.dat
2007-12-28 10:52 . 2008-01-09 14:27 <DIR> d-------- C:\Program Files\NOD32
2007-12-28 10:47 . 2007-12-28 10:47 <DIR> d---s---- C:\WINDOWS\system32\Microsoft
2007-12-28 10:32 . 2007-12-29 14:44 316,640 --a------ C:\WINDOWS\WMSysPr9.prx
2007-12-28 10:27 . 2007-12-28 10:35 <DIR> d-------- C:\Program Files\Avant Browser
2007-12-28 10:25 . 2007-12-28 10:25 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2007-12-28 10:22 . 2004-07-17 11:40 19,528 --a------ C:\WINDOWS\002355_.tmp
2007-12-28 10:20 . 2006-09-06 17:42 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2007-12-28 10:17 . 2007-12-28 10:30 <DIR> d-------- C:\WINDOWS\EHome
2007-12-28 10:09 . 2005-05-26 15:34 2,297,552 --a------ C:\WINDOWS\system32\d3dx9_26.dll
2007-12-28 09:47 . 2004-08-03 22:59 36,352 --a------ C:\WINDOWS\system32\drivers\disk.sys
2007-12-28 09:47 . 2004-08-03 22:59 36,352 --a--c--- C:\WINDOWS\system32\dllcache\disk.sys
2007-12-28 09:45 . 2004-08-03 23:08 26,496 --a--c--- C:\WINDOWS\system32\dllcache\usbstor.sys
2007-12-28 00:23 . 2007-12-28 00:23 <DIR> d--hs---- C:\Documents and Settings\Administrator\UserData
2007-12-28 00:17 . 2007-12-28 00:18 <DIR> d-------- C:\Program Files\Skype
2007-12-28 00:17 . 2007-12-28 00:17 <DIR> d-------- C:\Program Files\Common Files\Skype
2007-12-28 00:07 . 2007-12-28 11:06 <DIR> d-------- C:\WINDOWS\Downloaded Installations
2007-12-28 00:00 . 2004-08-17 15:49 294,912 --a------ C:\WINDOWS\system32\msh263.drv
2007-12-28 00:00 . 2004-08-17 15:49 54,272 --a------ C:\WINDOWS\system32\vfwwdm32.dll
2007-12-28 00:00 . 2004-08-17 15:49 54,272 --a--c--- C:\WINDOWS\system32\dllcache\vfwwdm32.dll
2007-12-28 00:00 . 2004-08-17 15:49 47,616 --a------ C:\WINDOWS\system32\iyuv_32.dll
2007-12-28 00:00 . 2004-08-17 15:49 47,616 --a--c--- C:\WINDOWS\system32\dllcache\iyuv_32.dll
2007-12-28 00:00 . 2002-07-05 06:38 14,624 -ra------ C:\WINDOWS\system32\drivers\PhTVTune.sys
2007-12-28 00:00 . 2001-09-17 10:28 8,192 --a------ C:\WINDOWS\system32\tsbyuv.dll
2007-12-27 23:56 . 2008-01-09 15:50 16,376 --a------ C:\WINDOWS\system32\BMXStateBkp-{00000000-00000000-00000011-00001102-00000002-100A1102}.rfx
2007-12-27 23:56 . 2008-01-09 15:50 16,376 --a------ C:\WINDOWS\system32\BMXState-{00000000-00000000-00000011-00001102-00000002-100A1102}.rfx

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-06 13:53 159,232 ----a-w C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\MSConfig .exe
2008-01-06 13:43 159,232 ----a-w C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\msconfig.exe
2007-12-07 17:28 7,680 ----a-w C:\WINDOWS\system32\ff_vfw.dll
2007-12-04 01:33 682,496 ----a-w C:\WINDOWS\system32\divx.dll
2007-11-29 22:30 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2007-11-29 22:28 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-10-29 22:44 1,290,240 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-25 09:00 230,912 ----a-w C:\WINDOWS\system32\wmasf.dll
.

Kód: Vybrat vše

<pre>
----a-w            58,992 2007-12-28 12:28:09  C:\Program Files\Common Files\Symantec Shared\ccApp .exe
----a-w           267,064 2008-01-06 13:32:37  C:\Program Files\iTunes\iTunesHelper .exe
----a-w         1,443,072 2008-01-09 13:27:34  C:\Program Files\NOD32\egui .exe
----a-w           286,720 2007-12-29 14:16:54  C:\Program Files\QuickTime\QTTask .exe
----a-w         2,834,432 2007-12-31 12:28:58  C:\Program Files\Spyware Terminator\SpywareTerminatorShield .exe
----a-w           159,232 2008-01-06 13:53:40  C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\MSConfig .exe
----a-w            15,360 2008-01-09 13:27:30  C:\WINDOWS\system32\ctfmon .exe
</pre>

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-17 15:49 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"egui"="C:\Program Files\NOD32\egui.exe" [2008-01-09 15:52 1443072]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winrpo32]
winrpo32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Nabídka Start^Programy^Po spuštění^ManliTV Remote.lnk]
path=C:\Documents and Settings\All Users\Nabídka Start\Programy\Po spuštění\ManliTV Remote.lnk
backup=C:\WINDOWS\pss\ManliTV Remote.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Nabídka Start^Programy^Po spuštění^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Nabídka Start\Programy\Po spuštění\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Nabídka Start^Programy^Po spuštění^TVR Scheduler.lnk]
path=C:\Documents and Settings\All Users\Nabídka Start\Programy\Po spuštění\TVR Scheduler.lnk
backup=C:\WINDOWS\pss\TVR Scheduler.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdVantage]
C:\Program Files\AdVantage\AdVantage.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\b0daede1]
rundll32.exe C:\WINDOWS\system32\bkbbggfa.dll,b

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2004-08-17 15:49 15360 --a------ C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper]
CTHELPER.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
C:\Program Files\DAEMON Tools\daemon.exe -lang 1033

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2008-01-08 17:57 267064 --a------ C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
2001-07-09 11:50 155648 --a------ C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\QTTask .exe -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe /startoptions

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpywareTerminator]
C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TV Card Remote Control Device Monitor]
C:\WINDOWS\3xHybridRMT.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\zehmfoji]
rundll32.exe C:\Program Files\uzudghmp\epalivol.dll,Init

R0 sonyhcb;Sony Digital Imaging Base;C:\WINDOWS\system32\DRIVERS\sonyhcb.sys [2001-11-05 09:23]
R1 epfwtdir;epfwtdir;C:\WINDOWS\system32\DRIVERS\epfwtdir.sys [2007-12-21 08:21]
R1 sp_rsdrv2;Spyware Terminator Driver 2;C:\WINDOWS\system32\drivers\sp_rsdrv2.sys [2007-12-30 07:52]
R3 3xHybrid;SAA7130 TV Card Service;C:\WINDOWS\system32\DRIVERS\3xHybrid.sys [2007-01-24 04:00]
R3 PSched;Plánovač paketů technologie QoS;C:\WINDOWS\system32\DRIVERS\psched.sys [2004-08-03 23:04]
S2 713xTVCard;SAA7130 TV Card;C:\WINDOWS\system32\DRIVERS\SAA713x.sys [2005-03-15 12:00]
S3 Cap7134;ManliTV Capture;C:\WINDOWS\system32\DRIVERS\Cap7134.sys [2002-07-05 06:38]
S3 PhTVTune;ManliTV TVTuner;C:\WINDOWS\system32\DRIVERS\PhTVTune.sys [2002-07-05 06:38]
S3 sonyhcs;Sony Digital Imaging Video;C:\WINDOWS\system32\DRIVERS\sonyhcs.sys [2001-11-05 09:23]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

.
Contents of the 'Scheduled Tasks' folder
"2008-01-06 14:55:03 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2007\SystemOptimizer.exe
"2008-01-09 14:34:15 C:\WINDOWS\Tasks\At1.job"
- C:\WINDOWS\system32\cmd.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-09 15:52:35
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-09 15:55:55 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-09 14:55:37
.
2007-12-29 15:45:21 --- E O F ---

Příspěvekod **fredik** » 09 led 2008 21:42

Otevři si Poznámkový blok (Start -> Spustit... a napiš do okna Notepad a dej Ok)
Zkopíruj do něj následující text označený zeleně:

Kód: Vybrat vše

File::
C:\WINDOWS\system32\afggbbkb.ini
C:\WINDOWS\system32\ssttt.exe
C:\WINDOWS\Tasks\At1.job

Folder::
C:\Program Files\uzudghmp

RenV::
C:\Program Files\Common Files\Symantec Shared\ccApp .exe
C:\Program Files\iTunes\iTunesHelper .exe
C:\Program Files\NOD32\egui .exe
C:\Program Files\QuickTime\QTTask .exe
C:\Program Files\Spyware Terminator\SpywareTerminatorShield .exe
C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\MSConfig .exe
C:\WINDOWS\system32\ctfmon .exe 

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winrpo32]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\b0daede1]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\zehmfoji]

Zvol možnost Soubor -> Uložit jako... a nastav tyto parametry:
Název souboru: zde napiš: CFScript.txt
Uložit jako typ: tak tam vyber Všechny soubory
Ulož soubor na plochu.
Ukonči všechna aktivní okna.

Uchop myší vytvořený skript CFScript.txt, přemísti ho nad stažený program ComboFix.exe a když se oba soubory překryjí, skript upusť
Obrázek

- Automaticky se spustí ComboFix
- Vlož sem log, který vyběhne v závěru čistícího procesu + nový log z HJT (Používáš starší verzi HijackThis, stáhni si aktuální verzi zde a tu starou před použitím vymaž.)

nanuk1 · Příspěvekod **nanuk1** » 09 led 2008 23:04

ComboFix 08-01-04.1 - Adminko 2008-01-09 22:21:26.2 - NTFSx86
Systém Microsoft Windows XP Professional 5.1.2600.2.1250.1.1029.18.83 [GMT 1:00]
Running from: C:\Documents and Settings\Administrator\Plocha\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Plocha\CFScript.txt
* Created a new restore point

FILE
C:\WINDOWS\system32\afggbbkb.ini
C:\WINDOWS\system32\ssttt.exe
C:\WINDOWS\Tasks\At1.job
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\afggbbkb.ini
C:\WINDOWS\system32\ssttt.exe
C:\WINDOWS\Tasks\At1.job

.
((((((((((((((((((((((((( Files Created from 2007-12-09 to 2008-01-09 )))))))))))))))))))))))))))))))
.

2008-01-09 20:12 . 2008-01-09 20:12 <DIR> d-------- C:\WINDOWS\LastGood
2008-01-09 20:12 . 2008-01-09 20:12 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-01-09 14:56 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-08 16:27 . 2008-01-08 16:27 <DIR> d-------- C:\Documents and Settings\Administrator\Data aplikací\Lavasoft
2008-01-08 16:24 . 2008-01-08 16:24 <DIR> d-------- C:\Program Files\Lavasoft
2008-01-06 15:53 . 2006-12-19 16:53 24,072 --a------ C:\WINDOWS\system32\uxtuneup.dll
2008-01-06 15:51 . 2008-01-06 15:51 <DIR> d-------- C:\Documents and Settings\Administrator\Data aplikací\TuneUp Software
2008-01-06 15:50 . 2008-01-06 15:56 <DIR> d-------- C:\Program Files\TuneUp Utilities 2007
2008-01-06 15:47 . 2008-01-06 15:47 <DIR> d-------- C:\Documents and Settings\All Users\Data aplikací\TuneUp Software
2008-01-06 15:46 . 2008-01-06 15:46 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-12-30 07:52 . 2007-12-30 07:52 138,752 --a------ C:\WINDOWS\system32\drivers\sp_rsdrv2.sys
2007-12-30 07:50 . 2007-12-30 09:07 <DIR> d-------- C:\Documents and Settings\All Users\Data aplikací\Spyware Terminator
2007-12-30 07:49 . 2007-12-31 13:36 <DIR> d-------- C:\Program Files\Spyware Terminator
2007-12-29 19:28 . 2007-12-29 19:53 <DIR> d-------- C:\Program Files\BSplayer
2007-12-29 19:17 . 2007-12-29 19:18 <DIR> d-------- C:\Documents and Settings\Administrator\Data aplikací\Media Player Classic
2007-12-29 19:16 . 2007-09-04 17:56 164,352 --a------ C:\WINDOWS\system32\unrar.dll
2007-12-29 15:33 . 2007-12-29 15:33 <DIR> d-------- C:\Documents and Settings\Administrator\Data aplikací\Ahead
2007-12-29 15:27 . 2007-12-29 15:27 <DIR> d-------- C:\Program Files\WhereIsIt
2007-12-29 15:17 . 2007-12-29 15:17 <DIR> d-------- C:\Program Files\DAEMON Tools
2007-12-29 15:17 . 2007-12-29 15:17 223,128 --a------ C:\WINDOWS\system32\drivers\dtscsi.sys
2007-12-29 15:13 . 2008-01-06 14:32 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-12-29 15:13 . 2007-12-30 07:14 1,409 --a------ C:\WINDOWS\QTFont.for
2007-12-29 15:12 . 2007-12-29 15:12 <DIR> d-------- C:\Documents and Settings\Administrator\Data aplikací\Apple Computer
2007-12-29 15:10 . 2007-12-29 15:10 642,560 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2007-12-29 15:10 . 2007-12-29 15:10 96,256 --a------ C:\WINDOWS\system32\drivers\sptd9069.sys
2007-12-29 15:09 . 2008-01-09 22:21 <DIR> d-------- C:\Program Files\iTunes
2007-12-29 15:09 . 2007-12-29 15:09 <DIR> d-------- C:\Program Files\iPod
2007-12-29 15:04 . 2007-12-29 15:09 <DIR> d-------- C:\Documents and Settings\All Users\Data aplikací\Apple Computer
2007-12-29 15:02 . 2007-12-29 15:02 <DIR> d-------- C:\Program Files\Apple Software Update
2007-12-29 15:00 . 2007-12-29 15:01 <DIR> d-------- C:\Program Files\FlashGet
2007-12-29 14:59 . 2007-12-29 14:59 <DIR> d-------- C:\Program Files\Common Files\Apple
2007-12-29 14:59 . 2007-12-29 14:59 <DIR> d-------- C:\Documents and Settings\All Users\Data aplikací\Apple
2007-12-29 14:54 . 2007-12-29 14:54 <DIR> d-------- C:\Documents and Settings\Administrator\Data aplikací\XnView
2007-12-29 14:52 . 2007-12-29 14:54 <DIR> d-------- C:\Program Files\XnView
2007-12-29 14:51 . 2007-12-29 17:15 <DIR> d-------- C:\Documents and Settings\All Users\Data aplikací\Spybot - Search & Destroy
2007-12-29 14:43 . 2001-10-19 15:40 1,683,792 --a------ C:\WINDOWS\system32\wmvcore2.dll
2007-12-29 14:43 . 2001-10-19 15:40 665,424 --a------ C:\WINDOWS\system32\wmv8dmoe.dll
2007-12-29 14:43 . 2002-10-09 13:21 566,272 --a------ C:\WINDOWS\system32\wmvdmoe.dll
2007-12-29 14:43 . 2001-10-19 15:40 438,608 --a------ C:\WINDOWS\system32\wmv8dmod.dll
2007-12-29 14:43 . 2001-10-19 03:05 285,184 --a------ C:\WINDOWS\system32\wmidx2.ocx
2007-12-29 14:43 . 2007-12-29 14:43 156,910 --a------ C:\WINDOWS\WMSysPr8.prx
2007-12-29 14:41 . 2007-12-29 14:45 <DIR> d-------- C:\Program Files\Vegas 4.0
2007-12-29 14:39 . 2007-12-29 14:39 <DIR> d-------- C:\Program Files\PowerDVD
2007-12-29 14:39 . 2007-12-29 14:39 <DIR> d-------- C:\Program Files\CyberLink
2007-12-29 14:39 . 2007-12-29 14:39 <DIR> d-------- C:\Documents and Settings\All Users\Data aplikací\CyberLink
2007-12-29 14:36 . 2003-03-29 16:45 89,184 --a------ C:\WINDOWS\system32\drivers\imagedrv.sys
2007-12-29 14:36 . 2003-07-29 17:09 57,344 --a------ C:\WINDOWS\system32\ImageDrive.cpl
2007-12-29 14:35 . 2007-12-29 14:35 <DIR> d-------- C:\Program Files\nero
2007-12-29 14:35 . 2007-12-29 14:35 <DIR> d-------- C:\Program Files\Common Files\Ahead
2007-12-29 14:35 . 2001-07-06 14:41 569,344 --a------ C:\WINDOWS\system32\imagr5.dll
2007-12-29 14:35 . 2001-07-06 12:44 544,768 --a------ C:\WINDOWS\system32\imagx5.dll
2007-12-29 14:35 . 2001-07-06 18:24 283,920 --a------ C:\WINDOWS\system32\ImagXpr5.dll
2007-12-29 14:35 . 2001-07-09 11:50 155,648 --a------ C:\WINDOWS\system32\NeroCheck.exe
2007-12-29 14:35 . 2001-06-26 08:15 38,912 --a------ C:\WINDOWS\system32\picn20.dll
2007-12-29 14:33 . 1999-12-17 11:13 86,016 --a------ C:\WINDOWS\unvise32.exe
2007-12-29 14:31 . 2007-12-29 19:15 <DIR> d-------- C:\Program Files\codecs
2007-12-29 09:34 . 2007-12-29 16:37 <DIR> d-------- C:\WINDOWS\system32\cs-cz
2007-12-29 08:56 . 2006-08-21 10:14 128,896 -----c--- C:\WINDOWS\system32\dllcache\fltmgr.sys
2007-12-29 08:56 . 2006-08-21 10:14 23,040 -----c--- C:\WINDOWS\system32\dllcache\fltmc.exe
2007-12-29 08:56 . 2006-08-21 13:27 16,896 -----c--- C:\WINDOWS\system32\dllcache\fltlib.dll
2007-12-28 23:42 . 2007-12-28 23:42 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-12-28 22:41 . 2007-07-09 14:11 584,192 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2007-12-28 20:22 . 2007-03-22 13:38 215,144 -ra------ C:\WINDOWS\pw32a.dll
2007-12-28 15:59 . 2007-12-28 16:08 <DIR> d-------- C:\WINDOWS\system32\URTTemp
2007-12-28 13:28 . 2008-01-09 14:27 15,360 --a------ C:\WINDOWS\system32\ctfmon .exe
2007-12-28 13:01 . 2007-12-28 13:03 <DIR> d-------- C:\Program Files\manli-honestech TVR 2.5
2007-12-28 13:01 . 2007-12-28 13:30 <DIR> d-------- C:\Documents and Settings\Administrator\Data aplikací\Symantec
2007-12-28 13:01 . 2001-05-11 12:18 420,240 --a------ C:\WINDOWS\system32\mpg4c32.dll
2007-12-28 13:00 . 2008-01-09 22:21 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2007-12-28 13:00 . 2007-12-28 21:18 <DIR> d-------- C:\Documents and Settings\All Users\Data aplikací\Symantec
2007-12-28 12:59 . 2007-12-28 12:59 <DIR> d-------- C:\WINDOWS\MyInstall
2007-12-28 12:59 . 2007-12-28 12:59 <DIR> d-------- C:\Documents and Settings\Administrator\Data aplikací\InstallShield
2007-12-28 12:58 . 2005-09-09 19:56 <DIR> d-------- C:\Program Files\Support
2007-12-28 12:58 . 2007-12-28 12:59 <DIR> d-------- C:\Program Files\Driver Validation
2007-12-28 12:55 . 2007-01-24 04:00 716,160 --a------ C:\WINDOWS\system32\drivers\3xHybrid.sys
2007-12-28 12:55 . 2005-12-13 07:28 3,072 --a------ C:\WINDOWS\system32\34CoInstaller.dll
2007-12-28 11:49 . 2007-12-28 11:49 390 --a------ C:\WINDOWS\ODBC.INI
2007-12-28 11:47 . 2007-12-28 11:47 <DIR> d-------- C:\WINDOWS\ShellNew
2007-12-28 11:39 . 2008-01-09 21:54 95 --a------ C:\WINDOWS\winamp.ini
2007-12-28 11:38 . 2007-12-29 19:01 <DIR> d-------- C:\Program Files\Winamp
2007-12-28 11:38 . 2004-08-17 15:49 23,552 --a------ C:\WINDOWS\system32\SETB1.tmp
2007-12-28 11:38 . 2004-08-17 15:49 4,096 --a------ C:\WINDOWS\system32\SETA4.tmp
2007-12-28 11:34 . 2004-08-17 15:49 23,552 --a------ C:\WINDOWS\system32\SET33.tmp
2007-12-28 11:25 . 2007-12-28 11:27 39 --a------ C:\WINDOWS\TVRMT.INI
2007-12-28 11:22 . 2007-12-28 11:22 <DIR> d-------- C:\Documents and Settings\Administrator\Data aplikací\Teleca
2007-12-28 11:19 . 2007-12-28 11:19 <DIR> d-------- C:\Documents and Settings\Administrator\Data aplikací\Sony Ericsson
2007-12-28 11:13 . 2007-12-29 19:43 <DIR> d-------- C:\Program Files\ICQLite
2007-12-28 11:13 . 2007-12-28 11:16 <DIR> d-------- C:\Documents and Settings\Administrator\Data aplikací\ICQLite
2007-12-28 11:08 . 2007-12-29 15:01 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2007-12-28 11:08 . 2007-12-28 11:08 <DIR> d-------- C:\Documents and Settings\All Users\Data aplikací\Sony Ericsson
2007-12-28 11:07 . 2007-12-28 11:07 <DIR> d-------- C:\Program Files\Sony Ericsson
2007-12-28 11:07 . 2007-12-28 11:08 <DIR> d-------- C:\Program Files\Common Files\Teleca Shared
2007-12-28 11:07 . 2007-12-28 11:08 <DIR> d-------- C:\Program Files\Common Files\Sony Ericsson Shared
2007-12-28 11:07 . 2007-12-28 11:08 <DIR> d-------- C:\Documents and Settings\All Users\Data aplikací\Teleca
2007-12-28 10:54 . 2008-01-09 16:58 1,744 --a------ C:\WINDOWS\system32\d3d9caps.dat
2007-12-28 10:52 . 2008-01-09 14:27 <DIR> d-------- C:\Program Files\NOD32
2007-12-28 10:52 . 2007-12-28 10:52 <DIR> d-------- C:\Documents and Settings\All Users\Data aplikací\ESET
2007-12-28 10:47 . 2007-12-28 10:47 <DIR> d---s---- C:\WINDOWS\system32\Microsoft
2007-12-28 10:36 . 2007-12-28 10:36 <DIR> d-------- C:\Documents and Settings\Administrator\Data aplikací\Avant Profiles
2007-12-28 10:32 . 2007-12-29 14:44 316,640 --a------ C:\WINDOWS\WMSysPr9.prx

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-06 13:53 159,232 ----a-w C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\MSConfig .exe
2008-01-06 13:43 159,232 ----a-w C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\msconfig.exe
2007-12-07 17:28 7,680 ----a-w C:\WINDOWS\system32\ff_vfw.dll
2007-12-04 01:33 682,496 ----a-w C:\WINDOWS\system32\divx.dll
2007-11-29 22:30 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2007-11-29 22:28 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-10-29 22:44 1,290,240 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-25 09:00 230,912 ----a-w C:\WINDOWS\system32\wmasf.dll
.

Kód: Vybrat vše

<pre>
----a-w           267,064 2008-01-06 13:32:37  C:\Program Files\iTunes\iTunesHelper .exe
----a-w         1,443,072 2008-01-09 13:27:34  C:\Program Files\NOD32\egui .exe
----a-w           286,720 2007-12-29 14:16:54  C:\Program Files\QuickTime\QTTask .exe
----a-w         2,834,432 2007-12-31 12:28:58  C:\Program Files\Spyware Terminator\SpywareTerminatorShield .exe
----a-w           159,232 2008-01-06 13:53:40  C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\MSConfig .exe
----a-w            15,360 2008-01-09 13:27:30  C:\WINDOWS\system32\ctfmon .exe
</pre>

((((((((((((((((((((((((((((( snapshot@2008-01-09_15.55.03.36 )))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-17 15:49 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"egui"="C:\Program Files\NOD32\egui.exe" [2008-01-09 15:52 1443072]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Nabídka Start^Programy^Po spuštění^ManliTV Remote.lnk]
path=C:\Documents and Settings\All Users\Nabídka Start\Programy\Po spuštění\ManliTV Remote.lnk
backup=C:\WINDOWS\pss\ManliTV Remote.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Nabídka Start^Programy^Po spuštění^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Nabídka Start\Programy\Po spuštění\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Nabídka Start^Programy^Po spuštění^TVR Scheduler.lnk]
path=C:\Documents and Settings\All Users\Nabídka Start\Programy\Po spuštění\TVR Scheduler.lnk
backup=C:\WINDOWS\pss\TVR Scheduler.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdVantage]
C:\Program Files\AdVantage\AdVantage.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2004-08-17 15:49 15360 --a------ C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper]
CTHELPER.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
C:\Program Files\DAEMON Tools\daemon.exe -lang 1033

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
2001-07-09 11:50 155648 --a------ C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\QTTask .exe -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe /startoptions

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpywareTerminator]
C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TV Card Remote Control Device Monitor]
C:\WINDOWS\3xHybridRMT.exe

R0 sonyhcb;Sony Digital Imaging Base;C:\WINDOWS\system32\DRIVERS\sonyhcb.sys [2001-11-05 09:23]
R1 epfwtdir;epfwtdir;C:\WINDOWS\system32\DRIVERS\epfwtdir.sys [2007-12-21 08:21]
R1 sp_rsdrv2;Spyware Terminator Driver 2;C:\WINDOWS\system32\drivers\sp_rsdrv2.sys [2007-12-30 07:52]
R2 UxTuneUp;TuneUp Design Expansion;C:\WINDOWS\System32\svchost.exe [2004-08-17 15:49]
R3 3xHybrid;SAA7130 TV Card Service;C:\WINDOWS\system32\DRIVERS\3xHybrid.sys [2007-01-24 04:00]
R3 PSched;Plánovač paketů technologie QoS;C:\WINDOWS\system32\DRIVERS\psched.sys [2004-08-03 23:04]
S2 713xTVCard;SAA7130 TV Card;C:\WINDOWS\system32\DRIVERS\SAA713x.sys [2005-03-15 12:00]
S3 Cap7134;ManliTV Capture;C:\WINDOWS\system32\DRIVERS\Cap7134.sys [2002-07-05 06:38]
S3 PhTVTune;ManliTV TVTuner;C:\WINDOWS\system32\DRIVERS\PhTVTune.sys [2002-07-05 06:38]
S3 sonyhcs;Sony Digital Imaging Video;C:\WINDOWS\system32\DRIVERS\sonyhcs.sys [2001-11-05 09:23]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

.
Contents of the 'Scheduled Tasks' folder
"2008-01-06 14:55:03 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2007\SystemOptimizer.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-09 22:24:23
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-09 22:25:29
ComboFix-quarantined-files.txt 2008-01-09 21:25:04
ComboFix2.txt 2008-01-09 14:55:55
.
2007-12-29 15:45:21 --- E O F ---

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:28:25, on 9. 1. 2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NOD32\egui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\BlueSoleil-bluetooth\BTNtService.exe
C:\Program Files\NOD32\ekrn.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\PROGRAMY\HijackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.sk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\Jccatch.dll
O4 - HKLM\..\Run: [egui] "C:\Program Files\NOD32\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O8 - Extra context menu item: E&xportovat do aplikace Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Stiahnuť položku pomocou FlashGetu - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Stiahnuť všetky položky pomocou FlashGetu - C:\Program Files\FlashGet\jc_all.htm
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 8797787762
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\BlueSoleil-bluetooth\BTNtService.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\NOD32\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\NOD32\ekrn.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe

--
End of file - 4414 bytes

Příspěvekod **fredik** » 11 led 2008 17:24

Vytvoř si nový CFScript a tentokrát vlož do něho toto:

Kód: Vybrat vše

RenV::
C:\Program Files\iTunes\iTunesHelper .exe
C:\Program Files\NOD32\egui .exe
C:\Program Files\QuickTime\QTTask .exe
C:\Program Files\Spyware Terminator\SpywareTerminatorShield .exe
C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\MSConfig .exe
C:\WINDOWS\system32\ctfmon .exe

Vlož sem pak log, který se ti zobrazí po proběhnutí programu

nanuk1 · Příspěvekod **nanuk1** » 12 led 2008 13:38

Myslim, ze tych par riadkov bolo aj v predchadzajucom skripte. To su subory, ktore ten virus uz niekedy tiez napadol....
Mas uz aspon tusenie co ten virus stale obnovuje?
Diky
posielam log:

ComboFix 08-01-04.1 - Adminko 2008-01-12 8:38:36.3 - NTFSx86
Systém Microsoft Windows XP Professional 5.1.2600.2.1250.1.1029.18.77 [GMT 1:00]
Running from: C:\Documents and Settings\Administrator\Plocha\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Plocha\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2007-12-12 to 2008-01-12 )))))))))))))))))))))))))))))))
.

2008-01-09 20:12 . 2008-01-09 20:12 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-01-09 14:56 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-08 16:27 . 2008-01-08 16:27 <DIR> d-------- C:\Documents and Settings\Administrator\Data aplikací\Lavasoft
2008-01-08 16:24 . 2008-01-08 16:24 <DIR> d-------- C:\Program Files\Lavasoft
2008-01-06 15:53 . 2006-12-19 16:53 24,072 --a------ C:\WINDOWS\system32\uxtuneup.dll
2008-01-06 15:51 . 2008-01-06 15:51 <DIR> d-------- C:\Documents and Settings\Administrator\Data aplikací\TuneUp Software
2008-01-06 15:50 . 2008-01-06 15:56 <DIR> d-------- C:\Program Files\TuneUp Utilities 2007
2008-01-06 15:47 . 2008-01-06 15:47 <DIR> d-------- C:\Documents and Settings\All Users\Data aplikací\TuneUp Software
2008-01-06 15:46 . 2008-01-06 15:46 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-12-30 07:52 . 2007-12-30 07:52 138,752 --a------ C:\WINDOWS\system32\drivers\sp_rsdrv2.sys
2007-12-30 07:50 . 2007-12-30 09:07 <DIR> d-------- C:\Documents and Settings\All Users\Data aplikací\Spyware Terminator
2007-12-30 07:49 . 2007-12-31 13:36 <DIR> d-------- C:\Program Files\Spyware Terminator
2007-12-29 19:28 . 2007-12-29 19:53 <DIR> d-------- C:\Program Files\BSplayer
2007-12-29 19:17 . 2007-12-29 19:18 <DIR> d-------- C:\Documents and Settings\Administrator\Data aplikací\Media Player Classic
2007-12-29 19:16 . 2007-09-04 17:56 164,352 --a------ C:\WINDOWS\system32\unrar.dll
2007-12-29 15:33 . 2007-12-29 15:33 <DIR> d-------- C:\Documents and Settings\Administrator\Data aplikací\Ahead
2007-12-29 15:27 . 2007-12-29 15:27 <DIR> d-------- C:\Program Files\WhereIsIt
2007-12-29 15:17 . 2007-12-29 15:17 <DIR> d-------- C:\Program Files\DAEMON Tools
2007-12-29 15:17 . 2007-12-29 15:17 223,128 --a------ C:\WINDOWS\system32\drivers\dtscsi.sys
2007-12-29 15:13 . 2008-01-06 14:32 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-12-29 15:13 . 2007-12-30 07:14 1,409 --a------ C:\WINDOWS\QTFont.for
2007-12-29 15:12 . 2007-12-29 15:12 <DIR> d-------- C:\Documents and Settings\Administrator\Data aplikací\Apple Computer
2007-12-29 15:10 . 2007-12-29 15:10 642,560 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2007-12-29 15:10 . 2007-12-29 15:10 96,256 --a------ C:\WINDOWS\system32\drivers\sptd9069.sys
2007-12-29 15:09 . 2008-01-12 08:38 <DIR> d-------- C:\Program Files\iTunes
2007-12-29 15:09 . 2007-12-29 15:09 <DIR> d-------- C:\Program Files\iPod
2007-12-29 15:04 . 2007-12-29 15:09 <DIR> d-------- C:\Documents and Settings\All Users\Data aplikací\Apple Computer
2007-12-29 15:02 . 2007-12-29 15:02 <DIR> d-------- C:\Program Files\Apple Software Update
2007-12-29 15:00 . 2007-12-29 15:01 <DIR> d-------- C:\Program Files\FlashGet
2007-12-29 14:59 . 2007-12-29 14:59 <DIR> d-------- C:\Program Files\Common Files\Apple
2007-12-29 14:59 . 2007-12-29 14:59 <DIR> d-------- C:\Documents and Settings\All Users\Data aplikací\Apple
2007-12-29 14:54 . 2007-12-29 14:54 <DIR> d-------- C:\Documents and Settings\Administrator\Data aplikací\XnView
2007-12-29 14:52 . 2007-12-29 14:54 <DIR> d-------- C:\Program Files\XnView
2007-12-29 14:51 . 2007-12-29 17:15 <DIR> d-------- C:\Documents and Settings\All Users\Data aplikací\Spybot - Search & Destroy
2007-12-29 14:43 . 2001-10-19 15:40 1,683,792 --a------ C:\WINDOWS\system32\wmvcore2.dll
2007-12-29 14:43 . 2001-10-19 15:40 665,424 --a------ C:\WINDOWS\system32\wmv8dmoe.dll
2007-12-29 14:43 . 2002-10-09 13:21 566,272 --a------ C:\WINDOWS\system32\wmvdmoe.dll
2007-12-29 14:43 . 2001-10-19 15:40 438,608 --a------ C:\WINDOWS\system32\wmv8dmod.dll
2007-12-29 14:43 . 2001-10-19 03:05 285,184 --a------ C:\WINDOWS\system32\wmidx2.ocx
2007-12-29 14:43 . 2007-12-29 14:43 156,910 --a------ C:\WINDOWS\WMSysPr8.prx
2007-12-29 14:41 . 2007-12-29 14:45 <DIR> d-------- C:\Program Files\Vegas 4.0
2007-12-29 14:39 . 2007-12-29 14:39 <DIR> d-------- C:\Program Files\PowerDVD
2007-12-29 14:39 . 2007-12-29 14:39 <DIR> d-------- C:\Program Files\CyberLink
2007-12-29 14:39 . 2007-12-29 14:39 <DIR> d-------- C:\Documents and Settings\All Users\Data aplikací\CyberLink
2007-12-29 14:36 . 2003-03-29 16:45 89,184 --a------ C:\WINDOWS\system32\drivers\imagedrv.sys
2007-12-29 14:36 . 2003-07-29 17:09 57,344 --a------ C:\WINDOWS\system32\ImageDrive.cpl
2007-12-29 14:35 . 2007-12-29 14:35 <DIR> d-------- C:\Program Files\nero
2007-12-29 14:35 . 2007-12-29 14:35 <DIR> d-------- C:\Program Files\Common Files\Ahead
2007-12-29 14:35 . 2001-07-06 14:41 569,344 --a------ C:\WINDOWS\system32\imagr5.dll
2007-12-29 14:35 . 2001-07-06 12:44 544,768 --a------ C:\WINDOWS\system32\imagx5.dll
2007-12-29 14:35 . 2001-07-06 18:24 283,920 --a------ C:\WINDOWS\system32\ImagXpr5.dll
2007-12-29 14:35 . 2001-07-09 11:50 155,648 --a------ C:\WINDOWS\system32\NeroCheck.exe
2007-12-29 14:35 . 2001-06-26 08:15 38,912 --a------ C:\WINDOWS\system32\picn20.dll
2007-12-29 14:33 . 1999-12-17 11:13 86,016 --a------ C:\WINDOWS\unvise32.exe
2007-12-29 14:31 . 2007-12-29 19:15 <DIR> d-------- C:\Program Files\codecs
2007-12-29 09:34 . 2007-12-29 16:37 <DIR> d-------- C:\WINDOWS\system32\cs-cz
2007-12-29 08:56 . 2006-08-21 10:14 128,896 -----c--- C:\WINDOWS\system32\dllcache\fltmgr.sys
2007-12-29 08:56 . 2006-08-21 10:14 23,040 -----c--- C:\WINDOWS\system32\dllcache\fltmc.exe
2007-12-29 08:56 . 2006-08-21 13:27 16,896 -----c--- C:\WINDOWS\system32\dllcache\fltlib.dll
2007-12-28 23:42 . 2007-12-28 23:42 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-12-28 22:41 . 2007-07-09 14:11 584,192 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2007-12-28 20:22 . 2007-03-22 13:38 215,144 -ra------ C:\WINDOWS\pw32a.dll
2007-12-28 15:59 . 2007-12-28 16:08 <DIR> d-------- C:\WINDOWS\system32\URTTemp
2007-12-28 13:28 . 2008-01-09 14:27 15,360 --a------ C:\WINDOWS\system32\ctfmon .exe
2007-12-28 13:01 . 2007-12-28 13:03 <DIR> d-------- C:\Program Files\manli-honestech TVR 2.5
2007-12-28 13:01 . 2007-12-28 13:30 <DIR> d-------- C:\Documents and Settings\Administrator\Data aplikací\Symantec
2007-12-28 13:01 . 2001-05-11 12:18 420,240 --a------ C:\WINDOWS\system32\mpg4c32.dll
2007-12-28 13:00 . 2008-01-09 22:21 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2007-12-28 13:00 . 2007-12-28 21:18 <DIR> d-------- C:\Documents and Settings\All Users\Data aplikací\Symantec
2007-12-28 12:59 . 2007-12-28 12:59 <DIR> d-------- C:\WINDOWS\MyInstall
2007-12-28 12:59 . 2007-12-28 12:59 <DIR> d-------- C:\Documents and Settings\Administrator\Data aplikací\InstallShield
2007-12-28 12:58 . 2005-09-09 19:56 <DIR> d-------- C:\Program Files\Support
2007-12-28 12:58 . 2007-12-28 12:59 <DIR> d-------- C:\Program Files\Driver Validation
2007-12-28 12:55 . 2007-01-24 04:00 716,160 --a------ C:\WINDOWS\system32\drivers\3xHybrid.sys
2007-12-28 12:55 . 2005-12-13 07:28 3,072 --a------ C:\WINDOWS\system32\34CoInstaller.dll
2007-12-28 11:49 . 2007-12-28 11:49 390 --a------ C:\WINDOWS\ODBC.INI
2007-12-28 11:47 . 2007-12-28 11:47 <DIR> d-------- C:\WINDOWS\ShellNew
2007-12-28 11:39 . 2008-01-11 19:59 95 --a------ C:\WINDOWS\winamp.ini
2007-12-28 11:38 . 2007-12-29 19:01 <DIR> d-------- C:\Program Files\Winamp
2007-12-28 11:38 . 2004-08-17 15:49 23,552 --a------ C:\WINDOWS\system32\SETB1.tmp
2007-12-28 11:38 . 2004-08-17 15:49 4,096 --a------ C:\WINDOWS\system32\SETA4.tmp
2007-12-28 11:34 . 2004-08-17 15:49 23,552 --a------ C:\WINDOWS\system32\SET33.tmp
2007-12-28 11:25 . 2007-12-28 11:27 39 --a------ C:\WINDOWS\TVRMT.INI
2007-12-28 11:22 . 2007-12-28 11:22 <DIR> d-------- C:\Documents and Settings\Administrator\Data aplikací\Teleca
2007-12-28 11:19 . 2007-12-28 11:19 <DIR> d-------- C:\Documents and Settings\Administrator\Data aplikací\Sony Ericsson
2007-12-28 11:13 . 2007-12-29 19:43 <DIR> d-------- C:\Program Files\ICQLite
2007-12-28 11:13 . 2007-12-28 11:16 <DIR> d-------- C:\Documents and Settings\Administrator\Data aplikací\ICQLite
2007-12-28 11:08 . 2007-12-29 15:01 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2007-12-28 11:08 . 2007-12-28 11:08 <DIR> d-------- C:\Documents and Settings\All Users\Data aplikací\Sony Ericsson
2007-12-28 11:07 . 2007-12-28 11:07 <DIR> d-------- C:\Program Files\Sony Ericsson
2007-12-28 11:07 . 2007-12-28 11:08 <DIR> d-------- C:\Program Files\Common Files\Teleca Shared
2007-12-28 11:07 . 2007-12-28 11:08 <DIR> d-------- C:\Program Files\Common Files\Sony Ericsson Shared
2007-12-28 11:07 . 2007-12-28 11:08 <DIR> d-------- C:\Documents and Settings\All Users\Data aplikací\Teleca
2007-12-28 10:54 . 2008-01-09 16:58 1,744 --a------ C:\WINDOWS\system32\d3d9caps.dat
2007-12-28 10:52 . 2008-01-12 08:38 <DIR> d-------- C:\Program Files\NOD32
2007-12-28 10:52 . 2007-12-28 10:52 <DIR> d-------- C:\Documents and Settings\All Users\Data aplikací\ESET
2007-12-28 10:47 . 2007-12-28 10:47 <DIR> d---s---- C:\WINDOWS\system32\Microsoft
2007-12-28 10:36 . 2007-12-28 10:36 <DIR> d-------- C:\Documents and Settings\Administrator\Data aplikací\Avant Profiles
2007-12-28 10:32 . 2007-12-29 14:44 316,640 --a------ C:\WINDOWS\WMSysPr9.prx
2007-12-28 10:27 . 2007-12-28 10:35 <DIR> d-------- C:\Program Files\Avant Browser

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-06 13:53 159,232 ----a-w C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\MSConfig .exe
2008-01-06 13:43 159,232 ----a-w C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\msconfig.exe
2007-12-07 17:28 7,680 ----a-w C:\WINDOWS\system32\ff_vfw.dll
2007-12-04 01:33 682,496 ----a-w C:\WINDOWS\system32\divx.dll
2007-11-29 22:30 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2007-11-29 22:28 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-07 09:29 720,896 ----a-w C:\WINDOWS\system32\lsasrv.dll
2007-10-29 22:44 1,290,240 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-25 09:00 230,912 ----a-w C:\WINDOWS\system32\wmasf.dll
.

Kód: Vybrat vše

<pre>
----a-w         1,443,072 2008-01-09 13:27:34  C:\Program Files\NOD32\egui .exe
----a-w           286,720 2007-12-29 14:16:54  C:\Program Files\QuickTime\QTTask .exe
----a-w         2,834,432 2007-12-31 12:28:58  C:\Program Files\Spyware Terminator\SpywareTerminatorShield .exe
----a-w           159,232 2008-01-06 13:53:40  C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\MSConfig .exe
----a-w            15,360 2008-01-09 13:27:30  C:\WINDOWS\system32\ctfmon .exe
</pre>

((((((((((((((((((((((((((((( snapshot@2008-01-09_15.55.03.36 )))))))))))))))))))))))))))))))))))))))))
.
- 2006-08-17 12:29:57 720,896 -c----w C:\WINDOWS\system32\dllcache\lsasrv.dll
+ 2007-11-07 09:29:19 720,896 -c----w C:\WINDOWS\system32\dllcache\lsasrv.dll
- 2006-04-20 11:51:50 359,808 -c----w C:\WINDOWS\system32\dllcache\tcpip.sys
+ 2007-10-30 17:20:55 360,064 -c----w C:\WINDOWS\system32\dllcache\tcpip.sys
- 2006-04-20 11:51:50 359,808 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
+ 2007-10-30 17:20:55 360,064 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
- 2007-12-02 14:00:06 18,684,536 ----a-w C:\WINDOWS\system32\MRT.exe
+ 2008-01-02 18:21:36 17,642,616 ----a-w C:\WINDOWS\system32\MRT.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-17 15:49 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"egui"="C:\Program Files\NOD32\egui.exe" [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Nabídka Start^Programy^Po spuštění^ManliTV Remote.lnk]
path=C:\Documents and Settings\All Users\Nabídka Start\Programy\Po spuštění\ManliTV Remote.lnk
backup=C:\WINDOWS\pss\ManliTV Remote.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Nabídka Start^Programy^Po spuštění^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Nabídka Start\Programy\Po spuštění\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Nabídka Start^Programy^Po spuštění^TVR Scheduler.lnk]
path=C:\Documents and Settings\All Users\Nabídka Start\Programy\Po spuštění\TVR Scheduler.lnk
backup=C:\WINDOWS\pss\TVR Scheduler.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdVantage]
C:\Program Files\AdVantage\AdVantage.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2004-08-17 15:49 15360 --a------ C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper]
CTHELPER.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
C:\Program Files\DAEMON Tools\daemon.exe -lang 1033

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2008-01-06 14:32 267064 --a------ C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
2001-07-09 11:50 155648 --a------ C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\QTTask .exe -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe /startoptions

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpywareTerminator]
C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TV Card Remote Control Device Monitor]
C:\WINDOWS\3xHybridRMT.exe

R0 sonyhcb;Sony Digital Imaging Base;C:\WINDOWS\system32\DRIVERS\sonyhcb.sys [2001-11-05 09:23]
R1 epfwtdir;epfwtdir;C:\WINDOWS\system32\DRIVERS\epfwtdir.sys [2007-12-21 08:21]
R1 sp_rsdrv2;Spyware Terminator Driver 2;C:\WINDOWS\system32\drivers\sp_rsdrv2.sys [2007-12-30 07:52]
R2 UxTuneUp;TuneUp Design Expansion;C:\WINDOWS\System32\svchost.exe [2004-08-17 15:49]
R3 3xHybrid;SAA7130 TV Card Service;C:\WINDOWS\system32\DRIVERS\3xHybrid.sys [2007-01-24 04:00]
R3 PSched;Plánovač paketů technologie QoS;C:\WINDOWS\system32\DRIVERS\psched.sys [2004-08-03 23:04]
S2 713xTVCard;SAA7130 TV Card;C:\WINDOWS\system32\DRIVERS\SAA713x.sys [2005-03-15 12:00]
S3 Cap7134;ManliTV Capture;C:\WINDOWS\system32\DRIVERS\Cap7134.sys [2002-07-05 06:38]
S3 PhTVTune;ManliTV TVTuner;C:\WINDOWS\system32\DRIVERS\PhTVTune.sys [2002-07-05 06:38]
S3 sonyhcs;Sony Digital Imaging Video;C:\WINDOWS\system32\DRIVERS\sonyhcs.sys [2001-11-05 09:23]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

.
Contents of the 'Scheduled Tasks' folder
"2008-01-11 18:23:44 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2007\SystemOptimizer.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-12 08:41:23
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-12 8:42:30
ComboFix-quarantined-files.txt 2008-01-12 07:42:12
ComboFix2.txt 2008-01-09 21:25:30
ComboFix3.txt 2008-01-09 14:55:55
.
2008-01-09 22:14:47 --- E O F ---

Příspěvekod **fredik** » 12 led 2008 15:43

Co jsi tam měl ti modifikovalo pár programů co se spouští po startu Win. Uvidíme víc z výpisu, případně pak bude potřeba dané programy pro jejich správný chod přeinstalovat.

Otevři si Poznámkový blok (Start -> Spustit... a napiš do okna Notepad a dej Ok)
Zkopíruj do něj následující text označený zeleně:

Kód: Vybrat vše

set lvyp=C:\dir.txt
if exist %lvyp% del %lvyp%

cd\
echo ------------- VypAdr ------------- >> %lvyp%
dir /s /a /-p /o:gen "C:\Program Files\NOD32" >> %lvyp%
echo ------------- VypAdr ------------- >> %lvyp%
dir /s /a /-p /o:gen "C:\Program Files\QuickTime" >> %lvyp%
echo ------------- VypAdr ------------- >> %lvyp%
dir /s /a /-p /o:gen "C:\Program Files\Spyware Terminator" >> %lvyp%
echo ------------- VypAdr ------------- >> %lvyp%
dir /s /a /-p /o:gen "C:\WINDOWS\PCHEALTH\HELPCTR\Binaries" >> %lvyp%
echo ------------- VypSou ------------- >> %lvyp%
dir c:\ctfmon??.exe /a h /s >> %lvyp%
start notepad %lvyp%

Zvol možnost Soubor -> Uložit jako... a nastav tyto parametry:
Název souboru: zde napiš: vyp.bat
Uložit jako typ: tak tam vyber Všechny soubory
Ulož soubor na plochu a spusť ho.
Zobrazí se ti log tak ho sem vlož a dej sem zároveň s ním i nový log z HJT.

PS: ComboFix co máš na ploše smaž a stáhni si ho zatím znovu z odkazu co je tu uvedený. Zatím s ním nic nedělej.

nanuk1 · Příspěvekod **nanuk1** » 16 led 2008 11:33

Ahoj.

Tak pak se mi dosralo jeste vic veci, tak jsem se rozhodl to cele preinstalovat.... Coz par hodin stracenych, ale zato zatim slape jak hodinky

.
Diky za pomoc :thumbsup:

Dusan

Prosim o kontrolu logu kvoli viru...

Prosim o kontrolu logu kvoli viru...

Kdo je online