Log check

A place for your HiJackThis logs and logs from other programs…

Moderators: Mods_senior, Security team

Jar jar binks
newcomer
Posts: 22
Registered: February 08
Gender: Not specified
Status:
Offline

Log check

Post by Jar jar binks » 22 Mar 2008 17:16

Hello. Could someone check my logs and help me remove the viruses? Avast mainly reports amvo.exe and autorun inf. Thanks for any advice.

mwav:
Soubor C:\WINDOWS\system32\amvo.exe je infikovaný virem Trojan-PSW.Win32.OnLineGames.upg !! Provedené akce: Nic nebylo provedeno.
Objekt "savenow Adware" nalezen v souborovém systému! Provedené akce: Nic nebylo provedeno.
Objekt "remacc.multiwebsurv Generic Malware" nalezen v souborovém systému! Provedené akce: Nic nebylo provedeno.
Objekt "Possible Fujacks-type Worm" nalezen v souborovém systému! Provedené akce: Nic nebylo provedeno.
Objekt "Possible Fujacks-type Worm" nalezen v souborovém systému! Provedené akce: Nic nebylo provedeno.
Soubor C:\WINDOWS\system32\amvo.exe je infikovaný virem Trojan-PSW.Win32.OnLineGames.upg !! Provedené akce: Nic nebylo provedeno.
Soubor C:\AUTORUN.INF je infikovaný virem Fujack !! Provedené akce: No Action Taken.

HiJackThis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:17:01, on 22.3.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Avast4\aswUpdSv.exe
C:\Program Files\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\D-Tools\daemon.exe
C:\PROGRA~1\Avast4\ashDisp.exe
C:\Program Files\ASUSTeK\ASUSDVD\PDVDServ.exe
C:\WINDOWS\ATK0100\HControl.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ASUS\Wireless Console 2\wcourier.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Avast4\ashMaiSv.exe
C:\Program Files\Seznam\Postak\Postak.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Avast4\ashWebSv.exe
C:\WINDOWS\ATK0100\ATKOSD.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.icq.com/search/search_frame.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://google.icq.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.seznam.cz/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
O2 - BHO: Podpora odkazu pro Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\ASUSTeK\ASUSDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [HControl] C:\WINDOWS\ATK0100\HControl.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Zástupce stránky vlastností sběrnice High Definition Audio] HDAShCut.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Wireless Console 2] C:\Program Files\ASUS\Wireless Console 2\wcourier.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [SMail] "C:\Program Files\Seznam\Postak\Postak.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [amva] C:\WINDOWS\system32\amvo.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: WinMySQLadmin.lnk = C:\mysql\mysql-4.0.20a-win-noinstall\bin\winmysqladmin.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Picture Package Menu.lnk = ?
O4 - Global Startup: Picture Package VCD Maker.lnk = ?
O8 - Extra context menu item: E&xportovat do aplikace Microsoft Office Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Zdroje informací - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Avast4\ashWebSv.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

--
End of file - 5991 bytes

paul27
Level 4.5
Posts: 1700
Registered: June 07
Gender: Male
Status:
Offline

Re: Log check

Post by paul27 » 22 Mar 2008 17:23

Hello.

MWAV thinks the same as Avast. Fix these in HijackThis:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [amva] C:\WINDOWS\system32\amvo.exe

+ find and delete these files; if they cannot be deleted, write back and we will try to remove them another way:
C:\WINDOWS\system32\amvo.exe
C:\AUTORUN.INF

Let us know whether Avast still reports anything.

Jar jar binks

Re: Log check

Post by Jar jar binks » 22 Mar 2008 20:20

Not so far... shouldn't I also send the HiJackThis output?? Or something like that?

paul27

Re: Log check

Post by paul27 » 22 Mar 2008 20:21

Yes, you can.

Jar jar binks

Re: Log check

Post by Jar jar binks » 22 Mar 2008 20:24

But, for example, I can't open the local disk from My Computer... I have to get to it another way... couldn't that still be the virus in autorun.inf??

paul27

Re: Log check

Post by paul27 » 22 Mar 2008 20:39

That is possible. Try scanning with CureIt: http://www.freedrweb.com/cureit/ it puts up a fairly even fight against this virus and, unlike MWAV, it can also delete. First try to find it and delete it manually, or through a file manager such as TotalCommander.

fredik
Security team member
Master Level 7
Posts: 4680
Registered: July 06
Gender: Male
Status:
Offline

Re: Log check

Post by fredik » 22 Mar 2008 21:16

Post the log from CF here:
Download ComboFix (by sUBs) and save it to the desktop.
Close all active windows and run it.
- After launch, the terms of use are displayed; confirm them by pressing the Yes (Ano) button
- Then follow the instructions; while ComboFix is running, do not click in the window that appears
- When the scan finishes, the program should create a log - C:\ComboFix.txt - please copy its entire contents here
It may take a while to get a response, because the "HJT Team" are very busy. Please, be patient, these people are volunteers. They will help you out, as soon as possible.
If you have a problem, do not send me private messages (SZ/PM) with logs; post them in the forum. These private messages cannot be answered.

Jar jar binks

Re: Log check

Post by Jar jar binks » 22 Mar 2008 21:58

ComboFix 08-03-22.1 - Vlastimil Vondra 2008-03-22 21:45:52.1 - NTFSx86
Running from: C:\Documents and Settings\Vlastimil Vondra\Plocha\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\regedit.com
C:\WINDOWS\system32\taskmgr.com

.
((((((((((((((((((((((((( Files Created from 2008-02-22 to 2008-03-22 )))))))))))))))))))))))))))))))
.

2008-03-20 21:18 . 2008-03-20 21:18 <DIR> d-------- C:\Program Files\Attribute Changer
2008-03-20 19:25 . 2008-03-22 17:12 50 --a------ C:\23990098.$$$
2008-03-20 19:17 . 2008-03-20 19:17 <DIR> d-a------ C:\WINDOWS\zts2.exe
2008-03-20 19:17 . 2008-03-20 19:17 <DIR> d-a------ C:\WINDOWS\system32\vcmgcd32.dll
2008-03-20 19:17 . 2008-03-20 19:17 <DIR> d-a------ C:\WINDOWS\system32\iifgfgf.dll
2008-03-20 19:17 . 2008-03-20 19:17 <DIR> d-a------ C:\WINDOWS\rundll16.exe
2008-03-20 19:17 . 2008-03-20 19:17 <DIR> d-a------ C:\WINDOWS\rundl132.dll
2008-03-20 19:17 . 2008-03-20 19:17 <DIR> d-a------ C:\WINDOWS\logo1_.exe
2008-03-20 19:11 . 2008-03-22 16:56 50 --a------ C:\WINDOWS\Lic.xxx
2008-03-20 19:10 . 2004-08-17 15:49 147,968 --a------ C:\WINDOWS\R.COM
2008-03-20 19:10 . 2004-08-17 15:49 137,216 --a------ C:\WINDOWS\system32\T.COM
2008-03-20 19:08 . 2008-03-20 19:08 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-19 09:57 . 2008-03-19 09:57 <DIR> d-------- C:\Program Files\Common Files\XDATA
2008-03-19 09:53 . 2008-03-22 21:26 <DIR> d-------- C:\DTM2004
2008-03-13 06:52 . 2008-03-13 06:51 100,791 -r-hs---- C:\v.cmd
2008-03-07 06:56 . 2008-03-07 06:56 106,068 -r-hs---- C:\xpbkh.com
2008-03-06 13:02 . 2008-03-06 13:02 <DIR> d-------- C:\Program Files\Canon
2008-03-06 13:02 . 2007-01-10 16:00 135,168 --a------ C:\WINDOWS\system32\CNAB4EMU.DLL
2008-03-06 13:02 . 2007-01-10 16:00 65,536 --a------ C:\WINDOWS\system32\CNAB4SMK.DLL
2008-03-06 13:02 . 2007-01-11 13:26 63,112 --a------ C:\WINDOWS\system32\CNAB4RPK.EXE
2008-03-06 13:02 . 2007-01-10 16:00 28,672 --a------ C:\WINDOWS\system32\CNAB4PTU.DLL
2008-03-06 13:02 . 2007-01-10 16:00 28,672 --a------ C:\WINDOWS\system32\CNAB4LMK.DLL
2008-03-01 14:53 . 2008-03-01 14:55 <DIR> d-------- C:\Program Files\RegCleaner
2008-03-01 14:42 . 2008-03-01 14:42 <DIR> d-------- C:\Program Files\CCleaner
2008-02-22 11:57 . 2008-02-22 11:57 3,245,056 --a------ C:\pojištovna.doc

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-22 20:44 --------- d-----w C:\Program Files\BitLord
2008-03-22 20:43 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-22 20:42 --------- d-----w C:\Program Files\Sony Corporation
2008-03-01 14:56 --------- d-----w C:\Program Files\Windows Media Connect 2
2007-08-22 04:46 16 ----a-w C:\Documents and Settings\Vlastimil Vondra\pELE41.dll
2007-06-10 12:44 560 ----a-w C:\Documents and Settings\Vlastimil Vondra\Data aplikací\ViewerApp.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-17 15:49 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools-1033"="C:\Program Files\D-Tools\daemon.exe" [2002-01-20 10:00 35252]
"avast!"="C:\PROGRA~1\Avast4\ashDisp.exe" [2007-12-04 14:00 79224]
"RemoteControl"="C:\Program Files\ASUSTeK\ASUSDVD\PDVDServ.exe" [2004-11-02 20:24 32768]
"HControl"="C:\WINDOWS\ATK0100\HControl.exe" [2005-08-29 04:30 102400]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-07-19 04:09 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-07-19 04:06 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-07-19 04:10 114688]
"Zástupce stránky vlastností sběrnice High Definition Audio"="HDAShCut.exe" [2005-01-07 17:07 61952 C:\WINDOWS\system32\HdAShCut.exe]
"SoundMan"="SOUNDMAN.EXE" [2005-08-18 07:38 86016 C:\WINDOWS\SOUNDMAN.EXE]
"AlcWzrd"="ALCWZRD.EXE" [2005-07-26 09:54 2806784 C:\WINDOWS\ALCWZRD.EXE]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-08-19 03:07 737369]
"Wireless Console 2"="C:\Program Files\ASUS\Wireless Console 2\wcourier.exe" [2005-08-23 13:45 987136]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 12:03 36975]
"SMail"="C:\Program Files\Seznam\Postak\Postak.exe" [2006-05-18 14:36 450560]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-17 15:49 15360]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\ICQLite\\ICQLite.exe"=
"C:\\totalcmd\\TOTALCMD.EXE"=

R0 Daemon;Daemon;C:\WINDOWS\system32\DRIVERS\daemon.sys [2002-01-19 02:44]
R3 ASNDIS5;ASNDIS5 Protocol Driver;C:\WINDOWS\system32\ASNDIS5.SYS [2002-09-09 19:54]
R3 PSched;Plánovač paketů technologie QoS;C:\WINDOWS\system32\DRIVERS\psched.sys [2004-08-03 23:04]
S3 OMCdrv;OMCdrv;C:\WINDOWS\System32\Drivers\OMCdrv.sys [2006-08-03 12:07]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7e359cb6-cde4-11da-9665-0015f251b2a3}]
\Shell\AutoRun\command - F:\ekugb3.bat
\Shell\explore\Command - F:\ekugb3.bat
\Shell\open\Command - F:\ekugb3.bat

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b36a1e06-c61b-11da-965e-0015f251b2a3}]
\Shell\AutoRun\command - F:\xo8wr9.exe
\Shell\explore\Command - F:\xo8wr9.exe
\Shell\open\Command - F:\xo8wr9.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e9d83e86-742a-11da-b108-806d6172696f}]
\Shell\AutoRun\command - 3o.exe
\Shell\explore\Command - 3o.exe
\Shell\open\Command - 3o.exe

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-22 21:49:00
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-03-22 21:50:37
ComboFix-quarantined-files.txt 2008-03-22 20:50:21
.
2008-03-13 12:34:36 --- E O F ---

fredik

Re: Log check

Post by fredik » 22 Mar 2008 22:38

#Step 1:
Download this program: Flash Disinfector (by sUBs) and save it to disk

#Step 2:
Open Notepad (Start -> Run... (Spustit...), type Notepad into the window and click OK)
Copy the following text, marked in green, into it:

Code:

File::
C:\v.cmd
C:\xpbkh.com
F:\ekugb3.bat
F:\xo8wr9.exe

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7e359cb6-cde4-11da-9665-0015f251b2a3}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b36a1e06-c61b-11da-965e-0015f251b2a3}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e9d83e86-742a-11da-b108-806d6172696f}]

Choose File -> Save As... (Soubor -> Uložit jako...) and set these parameters:
File name (Název souboru): type: CFScript.txt
Save as type (Uložit jako typ): select All Files (Všechny soubory)
Save the file to the desktop.
Close all active windows.

Grab the CFScript.txt script you created with the mouse, move it over the downloaded ComboFix.exe program and, when the two files overlap, drop the script
- ComboFix starts automatically
- Post the log that appears at the end of the cleaning process here

#Step 3:
After ComboFix has finished, do this:
- Connect the flash drive/USB stick to the computer (the device that is mapped as disk F)
- Run Flash Disinfector
- Wait for the program to finish.

#Step 4:
Run a scan and post the log from Kaspersky Online Scanner here! (it must be run in IE)
- click the Accept button
- you will be prompted to install an ActiveX component from Kaspersky; allow it
- the program downloads the database it needs
- after the download, click the option: [image]
Then click the button: Scan Settings
- this takes you to the Scan settings window; select the following options there:

Under the item: Scan using the following antivirus database:
    standard - detect viruses, worms, Trojans, rootkits
Under the item: Scan Options: - leave both options selected:
    Scan Archives - scan files inside archives
    Scan Mail Bases - scan e-mails/attachments inside mail base files
Then click the OK button

Now, under the item Please select a target to scan, choose the option:
[image]
- the system scan starts
- when it finishes, a list of what it found is displayed
Click the Save Report As... button
- save it, for example, to the desktop and choose these parameters:
- File name (Název souboru): type: Kavlog
- Save as type (Uložit jako typ): select: Text file (*.txt)

After the scan finishes, disconnect the flash drive

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

In your next post, paste these logs/results here:
- the ComboFix log
- the Kaspersky log
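
An added example, not part of fredik's post and not ComboFix's own code: a Python script that reads the MountPoints2 blocks of a ComboFix log and drafts, for manual review, a script in the File::/Registry:: layout used in the post above. The flagging rule (the drive's open or explore verb pointing at an executable or script) is an assumption made here, and the last block of the sample input is constructed.

```python
import ntpath
import re

# Sample input. The first three blocks are the MountPoints2 entries from the
# ComboFix log posted in this thread; the last block is CONSTRUCTED here as a
# benign contrast case (its GUID and path are made up).
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7e359cb6-cde4-11da-9665-0015f251b2a3}]
\Shell\AutoRun\command - F:\ekugb3.bat
\Shell\explore\Command - F:\ekugb3.bat
\Shell\open\Command - F:\ekugb3.bat

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b36a1e06-c61b-11da-965e-0015f251b2a3}]
\Shell\AutoRun\command - F:\xo8wr9.exe
\Shell\explore\Command - F:\xo8wr9.exe
\Shell\open\Command - F:\xo8wr9.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e9d83e86-742a-11da-b108-806d6172696f}]
\Shell\AutoRun\command - 3o.exe
\Shell\explore\Command - 3o.exe
\Shell\open\Command - 3o.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{00000000-0000-0000-0000-000000000001}]
\Shell\AutoRun\command - E:\setup.exe
"""

KEY_RE = re.compile(r"^\[(HKEY_[^\]]*\\mountpoints2\\\{[0-9a-f-]+\})\]$", re.I)
VERB_RE = re.compile(r"^\\Shell\\([^\\]+)\\command - (.+)$", re.I)
# Assumption: extensions treated as "runs code" for triage purposes.
EXEC_EXT = {".exe", ".bat", ".com", ".cmd", ".scr", ".pif", ".vbs"}


def parse_mountpoints2(log_text):
    """Return one dict per MountPoints2 key: {'key': ..., 'verbs': {verb: target}}."""
    entries, current = [], None
    for line in log_text.splitlines():
        line = line.strip()
        key = KEY_RE.match(line)
        if key:
            current = {"key": key.group(1), "verbs": {}}
            entries.append(current)
            continue
        if line.startswith("["):  # a different registry key: stop collecting
            current = None
            continue
        verb = VERB_RE.match(line)
        if verb and current is not None:
            current["verbs"][verb.group(1).lower()] = verb.group(2).strip()
    return entries


def hijacks_drive_open(entry):
    """Heuristic (assumption): opening or exploring the drive would run a program."""
    for verb in ("open", "explore"):
        target = entry["verbs"].get(verb, "")
        if ntpath.splitext(target)[1].lower() in EXEC_EXT:
            return True
    return False


def build_cfscript(entries):
    """Draft a File::/Registry:: script for the flagged entries.

    Targets without a full path cannot go under File:: and are returned
    separately so a human can locate them.
    """
    flagged = [e for e in entries if hijacks_drive_open(e)]
    files, unresolved = [], []
    for entry in flagged:
        for target in entry["verbs"].values():
            bucket = files if ntpath.isabs(target) else unresolved
            if target not in bucket:
                bucket.append(target)
    lines = ["File::", *files, "", "Registry::"]
    lines += ["[-%s]" % e["key"] for e in flagged]
    return "\n".join(lines) + "\n", unresolved


if __name__ == "__main__":
    script, unresolved = build_cfscript(parse_mountpoints2(SAMPLE_LOG))
    print(script)
    print("Targets without a full path (locate manually):", unresolved)
```

Pointing the open and explore verbs at the dropped file is consistent with the symptom reported earlier in the thread, where the local disk would not open from My Computer.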

Jar jar binks

Re: Log check

Post by Jar jar binks » 23 Mar 2008 01:13

ComboFix 08-03-22.1 - Vlastimil Vondra 2008-03-22 23:50:43.2 - NTFSx86
Running from: C:\Documents and Settings\Vlastimil Vondra\Plocha\ComboFix.exe
Command switches used :: C:\Documents and Settings\Vlastimil Vondra\Plocha\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\v.cmd
C:\xpbkh.com
F:\ekugb3.bat
F:\xo8wr9.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\v.cmd
C:\xpbkh.com

.
((((((((((((((((((((((((( Files Created from 2008-02-22 to 2008-03-22 )))))))))))))))))))))))))))))))
.

2008-03-20 21:18 . 2008-03-20 21:18 <DIR> d-------- C:\Program Files\Attribute Changer
2008-03-20 19:25 . 2008-03-22 17:12 50 --a------ C:\23990098.$$$
2008-03-20 19:17 . 2008-03-20 19:17 <DIR> d-a------ C:\WINDOWS\zts2.exe
2008-03-20 19:17 . 2008-03-20 19:17 <DIR> d-a------ C:\WINDOWS\system32\vcmgcd32.dll
2008-03-20 19:17 . 2008-03-20 19:17 <DIR> d-a------ C:\WINDOWS\system32\iifgfgf.dll
2008-03-20 19:17 . 2008-03-20 19:17 <DIR> d-a------ C:\WINDOWS\rundll16.exe
2008-03-20 19:17 . 2008-03-20 19:17 <DIR> d-a------ C:\WINDOWS\rundl132.dll
2008-03-20 19:17 . 2008-03-20 19:17 <DIR> d-a------ C:\WINDOWS\logo1_.exe
2008-03-20 19:11 . 2008-03-22 16:56 50 --a------ C:\WINDOWS\Lic.xxx
2008-03-20 19:10 . 2004-08-17 15:49 147,968 --a------ C:\WINDOWS\R.COM
2008-03-20 19:10 . 2004-08-17 15:49 137,216 --a------ C:\WINDOWS\system32\T.COM
2008-03-20 19:08 . 2008-03-20 19:08 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-19 09:57 . 2008-03-19 09:57 <DIR> d-------- C:\Program Files\Common Files\XDATA
2008-03-19 09:53 . 2008-03-22 21:26 <DIR> d-------- C:\DTM2004
2008-03-06 13:02 . 2008-03-06 13:02 <DIR> d-------- C:\Program Files\Canon
2008-03-06 13:02 . 2007-01-10 16:00 135,168 --a------ C:\WINDOWS\system32\CNAB4EMU.DLL
2008-03-06 13:02 . 2007-01-10 16:00 65,536 --a------ C:\WINDOWS\system32\CNAB4SMK.DLL
2008-03-06 13:02 . 2007-01-11 13:26 63,112 --a------ C:\WINDOWS\system32\CNAB4RPK.EXE
2008-03-06 13:02 . 2007-01-10 16:00 28,672 --a------ C:\WINDOWS\system32\CNAB4PTU.DLL
2008-03-06 13:02 . 2007-01-10 16:00 28,672 --a------ C:\WINDOWS\system32\CNAB4LMK.DLL
2008-03-01 14:53 . 2008-03-01 14:55 <DIR> d-------- C:\Program Files\RegCleaner
2008-03-01 14:42 . 2008-03-01 14:42 <DIR> d-------- C:\Program Files\CCleaner
2008-02-22 11:57 . 2008-02-22 11:57 3,245,056 --a------ C:\pojištovna.doc

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-22 21:34 16 ----a-w C:\Documents and Settings\Vlastimil Vondra\pELE41.dll
2008-03-22 20:44 --------- d-----w C:\Program Files\BitLord
2008-03-22 20:43 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-01 14:56 --------- d-----w C:\Program Files\Windows Media Connect 2
2007-06-10 12:44 560 ----a-w C:\Documents and Settings\Vlastimil Vondra\Data aplikací\ViewerApp.dat
.

((((((((((((((((((((((((((((( snapshot@2008-03-22_21.50.06,51 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-03-22 20:55:45 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_704.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-17 15:49 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools-1033"="C:\Program Files\D-Tools\daemon.exe" [2002-01-20 10:00 35252]
"avast!"="C:\PROGRA~1\Avast4\ashDisp.exe" [2007-12-04 14:00 79224]
"RemoteControl"="C:\Program Files\ASUSTeK\ASUSDVD\PDVDServ.exe" [2004-11-02 20:24 32768]
"HControl"="C:\WINDOWS\ATK0100\HControl.exe" [2005-08-29 04:30 102400]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-07-19 04:09 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-07-19 04:06 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-07-19 04:10 114688]
"Zástupce stránky vlastností sběrnice High Definition Audio"="HDAShCut.exe" [2005-01-07 17:07 61952 C:\WINDOWS\system32\HdAShCut.exe]
"SoundMan"="SOUNDMAN.EXE" [2005-08-18 07:38 86016 C:\WINDOWS\SOUNDMAN.EXE]
"AlcWzrd"="ALCWZRD.EXE" [2005-07-26 09:54 2806784 C:\WINDOWS\ALCWZRD.EXE]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-08-19 03:07 737369]
"Wireless Console 2"="C:\Program Files\ASUS\Wireless Console 2\wcourier.exe" [2005-08-23 13:45 987136]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 12:03 36975]
"SMail"="C:\Program Files\Seznam\Postak\Postak.exe" [2006-05-18 14:36 450560]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-17 15:49 15360]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\ICQLite\\ICQLite.exe"=
"C:\\totalcmd\\TOTALCMD.EXE"=

R0 Daemon;Daemon;C:\WINDOWS\system32\DRIVERS\daemon.sys [2002-01-19 02:44]
R3 ASNDIS5;ASNDIS5 Protocol Driver;C:\WINDOWS\system32\ASNDIS5.SYS [2002-09-09 19:54]
R3 PSched;Plánovač paketů technologie QoS;C:\WINDOWS\system32\DRIVERS\psched.sys [2004-08-03 23:04]
S3 OMCdrv;OMCdrv;C:\WINDOWS\System32\Drivers\OMCdrv.sys [2006-08-03 12:07]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{49673d04-7bec-11db-970a-0015f251b2a3}]
\Shell\AutoRun\command - G:\xpbkh.com
\Shell\explore\Command - G:\xpbkh.com
\Shell\open\Command - G:\xpbkh.com

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-22 23:54:33
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-03-22 23:56:14
ComboFix-quarantined-files.txt 2008-03-22 22:55:57
ComboFix2.txt 2008-03-22 20:50:38
.
2008-03-13 12:34:36 --- E O F ---



-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Sunday, March 23, 2008 1:13:37 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 22/03/2008
Kaspersky Anti-Virus database records: 591493
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
G:\

Scan Statistics:
Total number of scanned objects: 43256
Number of viruses found: 5
Number of infected objects: 47
Number of suspicious objects: 0
Duration of the scan process: 00:58:07

Infected Object Name / Virus Name / Last Action
C:\autorun.inf\lpt3.This folder was created by Flash_Disinfector Object is locked skipped
C:\Documents and Settings\All Users\Data aplikací\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Data aplikací\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Data aplikací\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Data aplikací\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\temp\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\temp\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Data aplikací\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Data aplikací\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Vlastimil Vondra\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Vlastimil Vondra\Data aplikací\Mozilla\Firefox\Profiles\g2zry763.default\cert8.db Object is locked skipped
C:\Documents and Settings\Vlastimil Vondra\Data aplikací\Mozilla\Firefox\Profiles\g2zry763.default\formhistory.dat Object is locked skipped
C:\Documents and Settings\Vlastimil Vondra\Data aplikací\Mozilla\Firefox\Profiles\g2zry763.default\history.dat Object is locked skipped
C:\Documents and Settings\Vlastimil Vondra\Data aplikací\Mozilla\Firefox\Profiles\g2zry763.default\key3.db Object is locked skipped
C:\Documents and Settings\Vlastimil Vondra\Data aplikací\Mozilla\Firefox\Profiles\g2zry763.default\parent.lock Object is locked skipped
C:\Documents and Settings\Vlastimil Vondra\Data aplikací\Mozilla\Firefox\Profiles\g2zry763.default\search.sqlite Object is locked skipped
C:\Documents and Settings\Vlastimil Vondra\Data aplikací\Mozilla\Firefox\Profiles\g2zry763.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\Vlastimil Vondra\Local Settings\Data aplikací\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Vlastimil Vondra\Local Settings\Data aplikací\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Vlastimil Vondra\Local Settings\Data aplikací\Mozilla\Firefox\Profiles\g2zry763.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Vlastimil Vondra\Local Settings\Data aplikací\Mozilla\Firefox\Profiles\g2zry763.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Vlastimil Vondra\Local Settings\Data aplikací\Mozilla\Firefox\Profiles\g2zry763.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Vlastimil Vondra\Local Settings\Data aplikací\Mozilla\Firefox\Profiles\g2zry763.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Vlastimil Vondra\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Vlastimil Vondra\Local Settings\History\History.IE5\MSHist012008032320080324\index.dat Object is locked skipped
C:\Documents and Settings\Vlastimil Vondra\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Vlastimil Vondra\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Vlastimil Vondra\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Avast4\DATA\aswResp.dat Object is locked skipped
C:\Program Files\Avast4\DATA\Avast4.db Object is locked skipped
C:\Program Files\Avast4\DATA\log\AshWebSv.ws Object is locked skipped
C:\Program Files\Avast4\DATA\log\aswMaiSv.log Object is locked skipped
C:\Program Files\Avast4\DATA\log\nshield.log Object is locked skipped
C:\Program Files\Avast4\DATA\report\Rezidentní ochrana.txt Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{A44B40BB-4833-4FD4-AC47-91D19DD6205D}\RP349\A0037562.dll Infected: Trojan-PSW.Win32.OnLineGames.ski skipped
C:\System Volume Information\_restore{A44B40BB-4833-4FD4-AC47-91D19DD6205D}\RP349\A0037563.bat Infected: Trojan-PSW.Win32.OnLineGames.ski skipped
C:\System Volume Information\_restore{A44B40BB-4833-4FD4-AC47-91D19DD6205D}\RP349\A0037564.inf Infected: Trojan-PSW.Win32.OnLineGames.ski skipped
C:\System Volume Information\_restore{A44B40BB-4833-4FD4-AC47-91D19DD6205D}\RP350\A0037579.bat Infected: Trojan-PSW.Win32.OnLineGames.ski skipped
C:\System Volume Information\_restore{A44B40BB-4833-4FD4-AC47-91D19DD6205D}\RP350\A0037580.inf Infected: Trojan-PSW.Win32.OnLineGames.ski skipped
C:\System Volume Information\_restore{A44B40BB-4833-4FD4-AC47-91D19DD6205D}\RP351\A0037581.bat Infected: Trojan-PSW.Win32.OnLineGames.ski skipped
C:\System Volume Information\_restore{A44B40BB-4833-4FD4-AC47-91D19DD6205D}\RP351\A0037582.inf Infected: Trojan-PSW.Win32.OnLineGames.ski skipped
C:\System Volume Information\_restore{A44B40BB-4833-4FD4-AC47-91D19DD6205D}\RP351\A0037648.dll Infected: Trojan-PSW.Win32.OnLineGames.ski skipped
C:\System Volume Information\_restore{A44B40BB-4833-4FD4-AC47-91D19DD6205D}\RP351\A0037649.bat Infected: Trojan-PSW.Win32.OnLineGames.ski skipped
C:\System Volume Information\_restore{A44B40BB-4833-4FD4-AC47-91D19DD6205D}\RP351\A0037650.inf Infected: Trojan-PSW.Win32.OnLineGames.ski skipped
C:\System Volume Information\_restore{A44B40BB-4833-4FD4-AC47-91D19DD6205D}\RP351\A0037677.dll Infected: Trojan-PSW.Win32.OnLineGames.ski skipped
C:\System Volume Information\_restore{A44B40BB-4833-4FD4-AC47-91D19DD6205D}\RP351\A0037678.bat Infected: Trojan-PSW.Win32.OnLineGames.ski skipped
C:\System Volume Information\_restore{A44B40BB-4833-4FD4-AC47-91D19DD6205D}\RP351\A0037679.inf Infected: Trojan-PSW.Win32.OnLineGames.ski skipped
C:\System Volume Information\_restore{A44B40BB-4833-4FD4-AC47-91D19DD6205D}\RP352\A0037680.bat Infected: Trojan-PSW.Win32.OnLineGames.ski skipped
C:\System Volume Information\_restore{A44B40BB-4833-4FD4-AC47-91D19DD6205D}\RP352\A0037681.inf Infected: Trojan-PSW.Win32.OnLineGames.ski skipped
C:\System Volume Information\_restore{A44B40BB-4833-4FD4-AC47-91D19DD6205D}\RP353\A0037708.bat Infected: Trojan-PSW.Win32.OnLineGames.ski skipped
C:\System Volume Information\_restore{A44B40BB-4833-4FD4-AC47-91D19DD6205D}\RP353\A0037709.inf Infected: Trojan-PSW.Win32.OnLineGames.ski skipped
C:\System Volume Information\_restore{A44B40BB-4833-4FD4-AC47-91D19DD6205D}\RP354\A0037724.bat Infected: Trojan-PSW.Win32.OnLineGames.ski skipped
C:\System Volume Information\_restore{A44B40BB-4833-4FD4-AC47-91D19DD6205D}\RP354\A0037725.inf Infected: Trojan-PSW.Win32.OnLineGames.ski skipped
C:\System Volume Information\_restore{A44B40BB-4833-4FD4-AC47-91D19DD6205D}\RP354\A0037762.dll Infected: Trojan-PSW.Win32.OnLineGames.ski skipped
C:\System Volume Information\_restore{A44B40BB-4833-4FD4-AC47-91D19DD6205D}\RP354\A0037763.bat Infected: Trojan-PSW.Win32.OnLineGames.ski skipped
C:\System Volume Information\_restore{A44B40BB-4833-4FD4-AC47-91D19DD6205D}\RP354\A0037764.inf Infected: Trojan-PSW.Win32.OnLineGames.ski skipped
C:\System Volume Information\_restore{A44B40BB-4833-4FD4-AC47-91D19DD6205D}\RP354\A0037765.exe Infected: Trojan-PSW.Win32.OnLineGames.ski skipped
C:\System Volume Information\_restore{A44B40BB-4833-4FD4-AC47-91D19DD6205D}\RP355\A0037768.com Infected: Worm.Win32.AutoRun.cxk skipped
C:\System Volume Information\_restore{A44B40BB-4833-4FD4-AC47-91D19DD6205D}\RP355\A0037769.inf Infected: Worm.Win32.AutoRun.cxk skipped
C:\System Volume Information\_restore{A44B40BB-4833-4FD4-AC47-91D19DD6205D}\RP355\A0037807.dll Infected: Worm.Win32.AutoRun.cxk skipped
C:\System Volume Information\_restore{A44B40BB-4833-4FD4-AC47-91D19DD6205D}\RP355\A0037809.com Infected: Worm.Win32.AutoRun.cxk skipped
C:\System Volume Information\_restore{A44B40BB-4833-4FD4-AC47-91D19DD6205D}\RP355\A0037810.inf Infected: Worm.Win32.AutoRun.cxk skipped
C:\System Volume Information\_restore{A44B40BB-4833-4FD4-AC47-91D19DD6205D}\RP355\A0037821.exe Infected: Worm.Win32.AutoRun.cxk skipped
C:\System Volume Information\_restore{A44B40BB-4833-4FD4-AC47-91D19DD6205D}\RP356\A0037825.cmd Infected: Trojan-PSW.Win32.OnLineGames.uaw skipped
C:\System Volume Information\_restore{A44B40BB-4833-4FD4-AC47-91D19DD6205D}\RP357\A0037841.cmd Infected: Trojan-PSW.Win32.OnLineGames.uaw skipped
C:\System Volume Information\_restore{A44B40BB-4833-4FD4-AC47-91D19DD6205D}\RP357\A0037854.dll Infected: Trojan-PSW.Win32.OnLineGames.uaw skipped
C:\System Volume Information\_restore{A44B40BB-4833-4FD4-AC47-91D19DD6205D}\RP357\A0037855.cmd Infected: Trojan-PSW.Win32.OnLineGames.uaw skipped
C:\System Volume Information\_restore{A44B40BB-4833-4FD4-AC47-91D19DD6205D}\RP357\A0037857.exe Infected: Trojan-PSW.Win32.OnLineGames.uaw skipped
C:\System Volume Information\_restore{A44B40BB-4833-4FD4-AC47-91D19DD6205D}\RP357\A0037881.exe Infected: Trojan-PSW.Win32.OnLineGames.uej skipped
C:\System Volume Information\_restore{A44B40BB-4833-4FD4-AC47-91D19DD6205D}\RP357\A0037884.exe Infected: Trojan-PSW.Win32.OnLineGames.uej skipped
C:\System Volume Information\_restore{A44B40BB-4833-4FD4-AC47-91D19DD6205D}\RP357\A0037885.dll Infected: Trojan-PSW.Win32.OnLineGames.uej skipped
C:\System Volume Information\_restore{A44B40BB-4833-4FD4-AC47-91D19DD6205D}\RP358\A0037886.exe Infected: Trojan-PSW.Win32.OnLineGames.upg skipped
C:\System Volume Information\_restore{A44B40BB-4833-4FD4-AC47-91D19DD6205D}\RP359\A0037905.exe Infected: Trojan-PSW.Win32.OnLineGames.upg skipped
C:\System Volume Information\_restore{A44B40BB-4833-4FD4-AC47-91D19DD6205D}\RP360\A0037950.dll Infected: Trojan-PSW.Win32.OnLineGames.upg skipped
C:\System Volume Information\_restore{A44B40BB-4833-4FD4-AC47-91D19DD6205D}\RP360\A0037971.bat Infected: Trojan-PSW.Win32.OnLineGames.ski skipped
C:\System Volume Information\_restore{A44B40BB-4833-4FD4-AC47-91D19DD6205D}\RP360\A0037972.exe Infected: Trojan-PSW.Win32.OnLineGames.uej skipped
C:\System Volume Information\_restore{A44B40BB-4833-4FD4-AC47-91D19DD6205D}\RP361\A0037977.exe Infected: Trojan-PSW.Win32.OnLineGames.upg skipped
C:\System Volume Information\_restore{A44B40BB-4833-4FD4-AC47-91D19DD6205D}\RP364\A0038329.cmd Infected: Trojan-PSW.Win32.OnLineGames.uaw skipped
C:\System Volume Information\_restore{A44B40BB-4833-4FD4-AC47-91D19DD6205D}\RP364\A0038330.com Infected: Worm.Win32.AutoRun.cxk skipped
C:\System Volume Information\_restore{A44B40BB-4833-4FD4-AC47-91D19DD6205D}\RP364\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{A3DF8492-D04E-4812-A181-9C53D6443E2C}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\Antivirus.Evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_708.dat Object is locked skipped
C:\WINDOWS\Temp\_avast4_\Webshlock.txt Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
G:\xpbkh.com Infected: Worm.Win32.AutoRun.cxk skipped
G:\autorun.inf Infected: Worm.Win32.AutoRun.cxk skipped

Scan process completed.

fredik
Security team member
Master Level 7
Posts: 4680
Registered: July 06
Gender: Male
Status:
Offline

Re: log check

Post by fredik » 23 Mar 2008 07:16

Connect the flash drive that maps as drive G to the PC.

Create a new CFScript and this time paste the following into it.

Code:

File::
G:\xpbkh.com
G:\autorun.inf

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{49673d04-7bec-11db-970a-0015f251b2a3}]

Apply it using the procedure already described and post the resulting log here.

After ComboFix has finished, run Flash Disinfector again.

Then post a new HJT log and the ComboFix log here.
It may take a while to get a response, because the "HJT Team" are very busy. Please, be patient, these people are volunteers. They will help you out, as soon as possible.
If you have a problem, do not send me private messages (PMs) with logs; post them in the forum instead. It is not possible to reply to these PMs.

Jar jar binks
newbie
Posts: 22
Registered: February 08
Gender: Not specified
Status:
Offline

Re: log check

Post by Jar jar binks » 23 Mar 2008 10:44

ComboFix 08-03-22.1 - Vlastimil Vondra 2008-03-23 10:37:41.4 - NTFSx86
Running from: C:\Documents and Settings\Vlastimil Vondra\Plocha\ComboFix.exe
Command switches used :: C:\Documents and Settings\Vlastimil Vondra\Plocha\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
G:\autorun.inf
G:\xpbkh.com
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
G:\autorun.inf
G:\xpbkh.com

.
((((((((((((((((((((((((( Files Created from 2008-02-23 to 2008-03-23 )))))))))))))))))))))))))))))))
.

2008-03-23 00:03 . 2008-03-23 00:03 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-03-23 00:03 . 2008-03-23 00:03 <DIR> d-------- C:\Documents and Settings\All Users\Data aplikací\Kaspersky Lab
2008-03-20 21:18 . 2008-03-20 21:18 <DIR> d-------- C:\Program Files\Attribute Changer
2008-03-20 19:25 . 2008-03-22 17:12 50 --a------ C:\23990098.$$$
2008-03-20 19:17 . 2008-03-20 19:17 <DIR> d-a------ C:\WINDOWS\zts2.exe
2008-03-20 19:17 . 2008-03-20 19:17 <DIR> d-a------ C:\WINDOWS\system32\vcmgcd32.dll
2008-03-20 19:17 . 2008-03-20 19:17 <DIR> d-a------ C:\WINDOWS\system32\iifgfgf.dll
2008-03-20 19:17 . 2008-03-20 19:17 <DIR> d-a------ C:\WINDOWS\rundll16.exe
2008-03-20 19:17 . 2008-03-20 19:17 <DIR> d-a------ C:\WINDOWS\rundl132.dll
2008-03-20 19:17 . 2008-03-20 19:17 <DIR> d-a------ C:\WINDOWS\logo1_.exe
2008-03-20 19:11 . 2008-03-22 16:56 50 --a------ C:\WINDOWS\Lic.xxx
2008-03-20 19:10 . 2004-08-17 15:49 147,968 --a------ C:\WINDOWS\R.COM
2008-03-20 19:10 . 2004-08-17 15:49 137,216 --a------ C:\WINDOWS\system32\T.COM
2008-03-20 19:08 . 2008-03-20 19:08 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-19 09:57 . 2008-03-19 09:57 <DIR> d-------- C:\Program Files\Common Files\XDATA
2008-03-19 09:53 . 2008-03-22 21:26 <DIR> d-------- C:\DTM2004
2008-03-06 13:02 . 2008-03-06 13:02 <DIR> d-------- C:\Program Files\Canon
2008-03-06 13:02 . 2007-01-10 16:00 135,168 --a------ C:\WINDOWS\system32\CNAB4EMU.DLL
2008-03-06 13:02 . 2007-01-10 16:00 65,536 --a------ C:\WINDOWS\system32\CNAB4SMK.DLL
2008-03-06 13:02 . 2007-01-11 13:26 63,112 --a------ C:\WINDOWS\system32\CNAB4RPK.EXE
2008-03-06 13:02 . 2007-01-10 16:00 28,672 --a------ C:\WINDOWS\system32\CNAB4PTU.DLL
2008-03-06 13:02 . 2007-01-10 16:00 28,672 --a------ C:\WINDOWS\system32\CNAB4LMK.DLL
2008-03-01 14:53 . 2008-03-01 14:55 <DIR> d-------- C:\Program Files\RegCleaner
2008-03-01 14:42 . 2008-03-01 14:42 <DIR> d-------- C:\Program Files\CCleaner

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-22 21:34 16 ----a-w C:\Documents and Settings\Vlastimil Vondra\pELE41.dll
2008-03-22 20:44 --------- d-----w C:\Program Files\BitLord
2008-03-22 20:43 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-01 14:56 --------- d-----w C:\Program Files\Windows Media Connect 2
2007-06-10 12:44 560 ----a-w C:\Documents and Settings\Vlastimil Vondra\Data aplikací\ViewerApp.dat
.

((((((((((((((((((((((((((((( snapshot@2008-03-22_21.50.06,51 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-05-24 11:27:16 213,048 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
+ 2007-08-29 14:47:20 94,208 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
+ 2007-08-29 14:49:54 950,272 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
+ 2008-03-23 09:29:38 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_704.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-17 15:49 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools-1033"="C:\Program Files\D-Tools\daemon.exe" [2002-01-20 10:00 35252]
"avast!"="C:\PROGRA~1\Avast4\ashDisp.exe" [2007-12-04 14:00 79224]
"RemoteControl"="C:\Program Files\ASUSTeK\ASUSDVD\PDVDServ.exe" [2004-11-02 20:24 32768]
"HControl"="C:\WINDOWS\ATK0100\HControl.exe" [2005-08-29 04:30 102400]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-07-19 04:09 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-07-19 04:06 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-07-19 04:10 114688]
"Zástupce stránky vlastností sběrnice High Definition Audio"="HDAShCut.exe" [2005-01-07 17:07 61952 C:\WINDOWS\system32\HdAShCut.exe]
"SoundMan"="SOUNDMAN.EXE" [2005-08-18 07:38 86016 C:\WINDOWS\SOUNDMAN.EXE]
"AlcWzrd"="ALCWZRD.EXE" [2005-07-26 09:54 2806784 C:\WINDOWS\ALCWZRD.EXE]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-08-19 03:07 737369]
"Wireless Console 2"="C:\Program Files\ASUS\Wireless Console 2\wcourier.exe" [2005-08-23 13:45 987136]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 12:03 36975]
"SMail"="C:\Program Files\Seznam\Postak\Postak.exe" [2006-05-18 14:36 450560]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-17 15:49 15360]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\ICQLite\\ICQLite.exe"=
"C:\\totalcmd\\TOTALCMD.EXE"=

R0 Daemon;Daemon;C:\WINDOWS\system32\DRIVERS\daemon.sys [2002-01-19 02:44]
R3 ASNDIS5;ASNDIS5 Protocol Driver;C:\WINDOWS\system32\ASNDIS5.SYS [2002-09-09 19:54]
R3 PSched;Plánovač paketů technologie QoS;C:\WINDOWS\system32\DRIVERS\psched.sys [2004-08-03 23:04]
S3 OMCdrv;OMCdrv;C:\WINDOWS\System32\Drivers\OMCdrv.sys [2006-08-03 12:07]

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-23 10:40:37
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-03-23 10:41:55
ComboFix-quarantined-files.txt 2008-03-23 09:41:39
ComboFix2.txt 2008-03-22 22:56:15
ComboFix3.txt 2008-03-22 20:50:38
.
2008-03-13 12:34:36 --- E O F ---


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:45:14, on 23.3.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Avast4\aswUpdSv.exe
C:\Program Files\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Avast4\ashMaiSv.exe
C:\Program Files\Avast4\ashWebSv.exe
C:\Program Files\D-Tools\daemon.exe
C:\PROGRA~1\Avast4\ashDisp.exe
C:\Program Files\ASUSTeK\ASUSDVD\PDVDServ.exe
C:\WINDOWS\ATK0100\HControl.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ASUS\Wireless Console 2\wcourier.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Seznam\Postak\Postak.exe
C:\WINDOWS\ATK0100\ATKOSD.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.seznam.cz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
O2 - BHO: Podpora odkazu pro Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\ASUSTeK\ASUSDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [HControl] C:\WINDOWS\ATK0100\HControl.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Zástupce stránky vlastností sběrnice High Definition Audio] HDAShCut.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Wireless Console 2] C:\Program Files\ASUS\Wireless Console 2\wcourier.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [SMail] "C:\Program Files\Seznam\Postak\Postak.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: WinMySQLadmin.lnk = C:\mysql\mysql-4.0.20a-win-noinstall\bin\winmysqladmin.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O8 - Extra context menu item: E&xportovat do aplikace Microsoft Office Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Zdroje informací - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/ka ... nicode.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Avast4\ashWebSv.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

--
End of file - 5777 bytes

