Win32/PSW.OnLineGames.NMY

[Quadman4852]

Zdravim, mam dost vazny problem, od vcera mi uakzuje stale dokolecka varovanie od Eset smart security:

! ESET Smart Security
Objekt:
C:\autorun.inf
Infiltrácia:
Win32/PSW.OnLineGames.NMY trójsky kôň
Info:
vyliečený zmazaním u uložený do karantény

Neviem ako sa ho zbavit, ked varovanie zmizne, znovu sa objavi, a v karantene mam tento autorun vo vsetkych diskoch, preto som skusil HijackThis a chcem sa spytat ci mam vsetko spravne, ked ano, poprosil by som o pomoc.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:34, on 2008-08-12
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\FixCamera.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.icq.com/search/search_frame.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.zoznam.sk/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: CHelper Class - {99A7C4DD-B2E6-4CA0-BB6E-737A61364155} - C:\PROGRA~1\EUROTR~3\e2003i.dll
O2 - BHO: TGTSoft Explorer Toolbar Changer - {C333CF63-767F-4831-94AC-E683D962C63C} - C:\Program Files\TGTSoft\StyleXP\TGT_BHO.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb06.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TXP] c:\program files\topthemesxp\txp.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [symreg] C:\WINDOWS\system32\symreg.exe
O4 - HKLM\..\Run: [FixCamera] C:\WINDOWS\FixCamera.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "H:\Adobe Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [BitTorrent] "D:\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Network Drive Manager] H:\Filmy\Suncross.Network.Drive.Manager.v2.2.0.WinAll.Cracked-CRD\NetworkDriveManager.exe
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [Mediaware Task Manager 3.5] "C:\Program Files\Mediaware Task Manager 3.5\TaskManager.exe" /m
O4 - HKCU\..\Run: [amva] C:\WINDOWS\system32\amvo.exe
O4 - HKCU\..\Run: [kamsoft] C:\WINDOWS\system32\ckvo.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xportovať do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Eurotran - {572BF76C-9EFF-4e1e-93DE-72EF1E91B3DF} - C:\PROGRA~1\EUROTR~3\e2003i.dll
O9 - Extra 'Tools' menuitem: Eurotran - {572BF76C-9EFF-4e1e-93DE-72EF1E91B3DF} - C:\PROGRA~1\EUROTR~3\e2003i.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {C49134CC-B5EF-458C-A442-E8DFE7B4645F} (YYGInstantPlay Control) - http://www.yoyogames.com/downloads/activex/YoYo.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe

--
End of file - 6180 bytes

[Reklama]

[fredik]

Vítej na fóru

Otestuj tento soubor na VirusTotal
H:\Filmy\Suncross.Network.Drive.Manager.v2.2.0.WinAll.Cracked-CRD\NetworkDriveManager.exe
stačí jen zkopírovat na té stránce do toho prázdného okénka celou cestu a dát odeslat. Pak sem vlož výsledek pokud něco najde.

Stáhni si ComboFix (by sUBs) a ulož si ho na plochu.
Ukonči všechna aktivní okna a spusť ho.
- Po spuštění se zobrazí podmínky užití, potvrď je stiskem tlačítka Ano
- Dále postupuj dle pokynů, během aplikování ComboFixu neklikej do zobrazujícího se okna
- Po dokončení skenování by měl program vytvořit log - C:\ComboFix.txt - zkopíruj sem prosím celý jeho obsah

PS: příště prosím tě nevkládej logy do Code blbě se to čte.

[Quadman4852]

mno ked som dal uploadnut obrazok, napisalo mI:

0 bytes size received / Se ha recibido un archivo vacio

[fredik]

Ok tak pak sem dej ten log z CF.

[Quadman4852]

ComboFix 08-08-11.01 - Ricky 2008-08-12 21:31:04.2 - NTFSx86
Systém Microsoft Windows XP Professional 5.1.2600.2.1250.420.1029.18.1420 [GMT 2:00]
Running from: C:\Documents and Settings\Ricky\Plocha\Stiahnuté\ComboFix.exe
* Created a new restore point
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Autorun.inf
C:\Documents and Settings\Ricky\Data aplikací\inst.exe
C:\Documents and Settings\Ricky\Data aplikací\macromedia\Flash Player\#SharedObjects\U5NF2UQY\interclick.com
C:\Documents and Settings\Ricky\Data aplikací\macromedia\Flash Player\#SharedObjects\U5NF2UQY\interclick.com\ud.sol
C:\Documents and Settings\Ricky\Data aplikací\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\Ricky\Data aplikací\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\WINDOWS\system32\amvo.exe
C:\WINDOWS\system32\amvo0.dll
C:\WINDOWS\system32\amvo1.dll
C:\WINDOWS\system32\ckvo.exe
C:\WINDOWS\system32\ckvo1.dll
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\system32\tmp52.tmp
C:\x0.cmd
D:\Autorun.inf
D:\x0.cmd
G:\x0.cmd
H:\x0.cmd

.
((((((((((((((((((((((((( Files Created from 2008-07-12 to 2008-08-12 )))))))))))))))))))))))))))))))
.

2008-08-12 21:26 . 2008-08-12 21:26 <DIR> d-------- C:\WINDOWS\LastGood
2008-08-12 12:06 . 2008-08-12 12:06 90,258 -r-hs---- C:\bpu.exe
2008-08-11 20:16 . 2008-08-11 20:16 32 --a------ C:\WINDOWS\CD_Start.INI
2008-08-10 18:53 . 2008-08-11 12:41 90,295 -r-hs---- C:\r2nl.com
2008-08-07 21:56 . 2008-08-08 15:09 <DIR> d-------- C:\Documents and Settings\Ricky\Data aplikací\SPORE Creature Creator
2008-08-07 21:56 . 2008-08-08 15:09 <DIR> d-------- C:\Documents and Settings\Ricky\Data aplikací\SPORE Creature Creator
2008-08-07 21:56 . 2008-08-08 15:09 <DIR> d-------- C:\Documents and Settings\Ricky\Data aplikací\SPORE Creature Creator
2008-08-07 21:53 . 2008-08-07 21:53 <DIR> dr-h----- C:\Documents and Settings\Ricky\Data aplikací\SecuROM
2008-08-07 21:53 . 2008-08-07 21:53 <DIR> dr-h----- C:\Documents and Settings\Ricky\Data aplikací\SecuROM
2008-08-07 21:53 . 2008-08-07 21:53 <DIR> dr-h----- C:\Documents and Settings\Ricky\Data aplikací\SecuROM
2008-08-06 23:36 . 2008-08-06 23:36 <DIR> d-------- C:\Program Files\Zoner
2008-08-03 21:04 . 2004-10-12 16:40 2,255,360 --a------ C:\WINDOWS\system32\libavcodec.dll
2008-08-03 21:04 . 2004-10-12 16:46 1,761,280 --a------ C:\WINDOWS\system32\ffdshow.ax
2008-08-03 21:04 . 2004-10-05 18:16 395,776 --a------ C:\WINDOWS\system32\libmplayer.dll
2008-08-03 21:04 . 2004-10-12 16:42 262,144 --a------ C:\WINDOWS\system32\TomsMoComp_ff.dll
2008-08-03 21:04 . 2003-04-03 02:17 172,032 --a------ C:\WINDOWS\system32\ac3filter.ax
2008-08-03 21:04 . 2004-10-04 03:50 112,640 --a------ C:\WINDOWS\system32\libmpeg2_ff.dll
2008-08-03 21:03 . 2008-08-03 21:05 <DIR> d-------- C:\Program Files\avi-dvd-pro
2008-08-02 01:28 . 2008-08-02 01:28 <DIR> d-------- C:\Documents and Settings\Ricky\Data aplikací\vlc
2008-08-02 01:28 . 2008-08-02 01:28 <DIR> d-------- C:\Documents and Settings\Ricky\Data aplikací\vlc
2008-08-02 01:28 . 2008-08-02 01:28 <DIR> d-------- C:\Documents and Settings\Ricky\Data aplikací\vlc
2008-07-31 14:17 . 2001-08-10 23:36 15,667,200 -ra------ C:\WINDOWS\UnWSetup.exe
2008-07-27 23:08 . 2003-02-19 15:06 438,272 --a------ C:\WINDOWS\system32\cmcs21.ocx
2008-07-27 23:08 . 2003-02-19 15:07 303,104 --a------ C:\WINDOWS\system32\cmcs21.dll
2008-07-27 23:08 . 2004-02-08 19:55 180,132 --a------ C:\WINDOWS\system32\GDIPlus.tlb
2008-07-26 02:53 . 2008-07-26 02:53 <DIR> d-------- C:\Documents and Settings\All Users\Data aplikací\Trymedia
2008-07-26 00:19 . 2008-07-31 22:21 <DIR> d-------- C:\Program Files\SpeedFan
2008-07-26 00:19 . 2008-07-26 00:19 45 --a------ C:\WINDOWS\system32\initdebug.nfo
2008-07-24 14:02 . 2003-02-28 18:26 172,304 --a------ C:\WINDOWS\system32\jview.exe
2008-07-24 14:02 . 2003-02-28 18:26 171,792 --a------ C:\WINDOWS\system32\wjview.exe
2008-07-24 14:02 . 2003-02-28 18:26 139,536 --a------ C:\WINDOWS\system32\javaee.dll
2008-07-24 14:02 . 2003-02-28 18:26 49,424 --a------ C:\WINDOWS\system32\clspack.exe
2008-07-23 23:51 . 2008-07-23 23:51 69,632 --a------ C:\WINDOWS\system32\MSDATLST.oca
2008-07-23 23:51 . 2008-07-23 23:51 69,120 --a------ C:\WINDOWS\system32\DBLIST32.oca
2008-07-23 23:51 . 2008-07-23 23:51 65,536 --a------ C:\WINDOWS\system32\MSDATGRD.oca
2008-07-23 23:51 . 2008-07-23 23:51 62,464 --a------ C:\WINDOWS\system32\DBGRID32.oca
2008-07-23 23:51 . 2008-07-23 23:51 44,032 --a------ C:\WINDOWS\system32\MSDATREP.oca
2008-07-23 23:51 . 2008-07-23 23:51 35,840 --a------ C:\WINDOWS\system32\MSADODC.oca
2008-07-23 23:51 . 2008-07-23 23:51 35,840 --a------ C:\WINDOWS\system32\COMDLG32.oca
2008-07-23 23:51 . 2008-07-23 23:51 27,648 --a------ C:\WINDOWS\system32\MSCAL.oca
2008-07-23 23:51 . 2008-07-23 23:51 25,600 --a------ C:\WINDOWS\system32\MSCOMM32.oca
2008-07-23 23:50 . 2008-07-23 23:50 1,363,456 --a------ C:\WINDOWS\system32\mshtml.oca
2008-07-23 23:48 . 2008-07-23 23:48 230,912 --a------ C:\WINDOWS\system32\wmp.oca
2008-07-23 23:46 . 2008-07-23 23:46 123,392 --a------ C:\WINDOWS\system32\INKED.oca
2008-07-23 23:46 . 2008-07-23 23:46 64,000 --a------ C:\WINDOWS\system32\RICHTX32.oca
2008-07-23 23:46 . 2008-07-23 23:46 63,488 --a------ C:\WINDOWS\system32\shdocvw.oca
2008-07-23 23:46 . 2008-07-23 23:46 63,488 --a------ C:\WINDOWS\system32\MCI32.oca
2008-07-23 23:46 . 2008-07-23 23:46 48,640 --a------ C:\WINDOWS\system32\MSMASK32.oca
2008-07-23 23:46 . 2008-07-23 23:46 43,008 --a------ C:\WINDOWS\system32\MSMAPI32.oca
2008-07-23 23:46 . 2008-07-23 23:46 18,944 --a------ C:\WINDOWS\system32\PICCLP32.oca
2008-07-23 23:17 . 2008-07-23 23:39 43,008 --a------ C:\WINDOWS\system32\TABCTL32.oca
2008-07-23 23:16 . 2008-07-23 23:16 99,840 --a------ C:\WINDOWS\system32\actskin4.oca
2008-07-23 23:16 . 2008-07-23 23:16 81,408 --a------ C:\WINDOWS\system32\VSFLEX3.oca
2008-07-23 23:16 . 2008-07-23 23:16 22,016 --a------ C:\WINDOWS\system32\asctrls.oca
2008-07-23 23:15 . 2008-07-23 23:15 129,024 --a------ C:\WINDOWS\system32\msvidctl.oca
2008-07-23 19:51 . 2008-07-23 19:51 <DIR> d-------- C:\Program Files\Web Publish
2008-07-23 19:37 . 2003-02-28 18:26 46,352 --a------ C:\WINDOWS\setdebug.exe
2008-07-23 19:29 . 1998-04-24 20:55 5 --a------ C:\WINDOWS\VS98ENT.MIF
2008-07-22 16:37 . 2008-07-22 16:44 <DIR> d-------- C:\Documents and Settings\Ricky\Data aplikací\MilkShape 3D 1.x.x
2008-07-22 16:37 . 2008-07-22 16:44 <DIR> d-------- C:\Documents and Settings\Ricky\Data aplikací\MilkShape 3D 1.x.x
2008-07-22 16:37 . 2008-07-22 16:44 <DIR> d-------- C:\Documents and Settings\Ricky\Data aplikací\MilkShape 3D 1.x.x
2008-07-14 06:44 . 2008-07-15 20:25 <DIR> d-------- C:\Program Files\Common Files\Blizzard Entertainment

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-12 19:34 --------- d-----w C:\Documents and Settings\Ricky\Data aplikací\Skype
2008-08-12 19:34 --------- d-----w C:\Documents and Settings\Ricky\Data aplikací\Skype
2008-08-12 19:34 --------- d-----w C:\Documents and Settings\Ricky\Data aplikací\Skype
2008-08-12 14:01 --------- d-----w C:\Documents and Settings\Ricky\Data aplikací\skypePM
2008-08-12 14:01 --------- d-----w C:\Documents and Settings\Ricky\Data aplikací\skypePM
2008-08-12 14:01 --------- d-----w C:\Documents and Settings\Ricky\Data aplikací\skypePM
2008-08-11 19:15 --------- d-----w C:\Documents and Settings\Ricky\Data aplikací\uTorrent
2008-08-11 19:15 --------- d-----w C:\Documents and Settings\Ricky\Data aplikací\uTorrent
2008-08-11 19:15 --------- d-----w C:\Documents and Settings\Ricky\Data aplikací\uTorrent
2008-08-10 18:01 --------- d-----w C:\Program Files\StyleXP 3.19
2008-08-07 20:17 --------- d---a-w C:\Documents and Settings\All Users\Data aplikací\TEMP
2008-08-07 19:53 107,888 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2008-08-07 19:52 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-07 16:48 --------- d-----w C:\Program Files\Macromedia
2008-08-06 21:36 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-08-01 23:12 --------- d-----w C:\Program Files\VideoLAN
2008-07-31 15:00 --------- d-----w C:\Program Files\Pracháč
2008-07-25 16:52 --------- d-----w C:\Program Files\VSO
2008-07-25 16:52 --------- d-----w C:\Documents and Settings\Ricky\Data aplikací\Dev-Cpp
2008-07-25 16:52 --------- d-----w C:\Documents and Settings\Ricky\Data aplikací\Dev-Cpp
2008-07-25 16:52 --------- d-----w C:\Documents and Settings\Ricky\Data aplikací\Dev-Cpp
2008-07-25 16:50 47,360 ----a-w C:\Documents and Settings\Ricky\Data aplikací\pcouffin.sys
2008-07-25 16:50 47,360 ----a-w C:\Documents and Settings\Ricky\Data aplikací\pcouffin.sys
2008-07-25 16:50 47,360 ----a-w C:\Documents and Settings\Ricky\Data aplikací\pcouffin.sys
2008-07-25 16:50 --------- d-----w C:\Documents and Settings\Ricky\Data aplikací\Vso
2008-07-25 16:50 --------- d-----w C:\Documents and Settings\Ricky\Data aplikací\Vso
2008-07-25 16:50 --------- d-----w C:\Documents and Settings\Ricky\Data aplikací\Vso
2008-07-25 16:46 --------- d-----w C:\Program Files\Bonjour
2008-07-24 13:48 --------- d-----w C:\Program Files\Opera
2008-07-24 12:02 155,995 ----a-w C:\WINDOWS\java\Packages\AZRFV1ZX.ZIP
2008-07-23 22:12 --------- d-----w C:\Program Files\Common Files\Skype
2008-07-23 21:51 --------- d-----w C:\Program Files\TV JOJ Media Player
2008-07-23 21:51 --------- d-----w C:\Documents and Settings\Ricky\Data aplikací\TV JOJ Media Player
2008-07-23 21:51 --------- d-----w C:\Documents and Settings\Ricky\Data aplikací\TV JOJ Media Player
2008-07-23 21:51 --------- d-----w C:\Documents and Settings\Ricky\Data aplikací\TV JOJ Media Player
2008-07-22 21:04 --------- d-----w C:\Program Files\Common Files\Adobe
2008-07-16 12:58 --------- d-----w C:\Documents and Settings\Ricky\Data aplikací\Hamachi
2008-07-16 12:58 --------- d-----w C:\Documents and Settings\Ricky\Data aplikací\Hamachi
2008-07-16 12:58 --------- d-----w C:\Documents and Settings\Ricky\Data aplikací\Hamachi
2008-07-15 13:06 --------- d-----w C:\Documents and Settings\Ricky\Data aplikací\FileZilla
2008-07-15 13:06 --------- d-----w C:\Documents and Settings\Ricky\Data aplikací\FileZilla
2008-07-15 13:06 --------- d-----w C:\Documents and Settings\Ricky\Data aplikací\FileZilla
2008-06-26 09:41 --------- d-----w C:\Documents and Settings\Ricky\Data aplikací\ICQ
2008-06-26 09:41 --------- d-----w C:\Documents and Settings\Ricky\Data aplikací\ICQ
2008-06-26 09:41 --------- d-----w C:\Documents and Settings\Ricky\Data aplikací\ICQ
2008-06-20 17:42 247,296 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-14 18:00 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-14 12:26 --------- d-----w C:\Program Files\Total Commander
2008-06-11 19:50 22,328 ----a-w C:\Documents and Settings\Ricky\Data aplikací\PnkBstrK.sys
2008-06-11 19:50 22,328 ----a-w C:\Documents and Settings\Ricky\Data aplikací\PnkBstrK.sys
2008-06-11 19:50 22,328 ----a-w C:\Documents and Settings\Ricky\Data aplikací\PnkBstrK.sys
2008-06-11 19:50 107,832 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
2008-06-11 19:49 2,506,752 ----a-w C:\WINDOWS\system32\pbsvc.exe
2008-06-11 19:33 66,872 ----a-w C:\WINDOWS\system32\PnkBstrA.exe
2008-06-01 19:40 796,672 ----a-w C:\WINDOWS\GPInstall.exe
2008-05-30 17:51 86,016 ----a-w C:\WINDOWS\system32\OpenAL32.dll
2008-05-30 17:51 262,144 ----a-w C:\WINDOWS\system32\wrap_oal.dll
2007-12-12 13:44 32 ----a-w C:\Documents and Settings\All Users\Data aplikací\ezsid.dat
2007-08-21 19:50 12 ----a-w C:\Documents and Settings\Ricky\USERDATA.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2007-08-29 17:09 171464]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 18:24 1694208]
"STYLEXP"="C:\Program Files\TGTSoft\StyleXP\StyleXP.exe" [2006-05-24 20:31 1372160]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb06.exe" [2002-06-04 21:57 188416]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-08-11 22:43 7630848]
"FixCamera"="C:\WINDOWS\FixCamera.exe" [2007-02-10 15:40 20480]
"egui"="C:\Program Files\ESET\ESET Smart Security\egui.exe" [2008-06-10 18:52 1447168]
"Adobe Reader Speed Launcher"="H:\Adobe Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 02:38 34672]
"SoundMan"="SOUNDMAN.EXE" [2006-05-31 01:24 577536 C:\WINDOWS\soundman.exe]
"nwiz"="nwiz.exe" [2006-08-11 22:43 1519616 C:\WINDOWS\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2006-03-02 14:00 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="C:\\Program Files\\TGTSoft\\StyleXP\\Logon\\CurrentLogon.EXE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= ctwdm32.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Total Commander\\TOTALCMD.EXE"=
"C:\\WINDOWS\\system32\\dplaysvr.exe"=
"C:\\Program Files\\ICQ6\\ICQ.exe"=
"H:\\S.T.A.L.K.E.R. - Shadow of Chernobyl\\bin\\XR_3DA.exe"=
"H:\\S.T.A.L.K.E.R. - Shadow of Chernobyl\\bin\\dedicated\\XR_3DA.exe"=
"H:\\uTorrent\\utorrent.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"H:\\Frontlines-Fuel of War\\Binaries\\FFOW.exe"=
"C:\\WINDOWS\\system32\\PnkBstrA.exe"=
"C:\\WINDOWS\\system32\\PnkBstrB.exe"=
"C:\\Documents and Settings\\Ricky\\Dokumenty\\WadAuthor\\Skultag\\skulltag.exe"=
"C:\\Documents and Settings\\Ricky\\Dokumenty\\WadAuthor\\Skultag\\IdeSE.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"22394:TCP"= 22394:TCP:BitComet 22394 TCP
"22394:UDP"= 22394:UDP:BitComet 22394 UDP
"12964:TCP"= 12964:TCP:BitComet 12964 TCP
"12964:UDP"= 12964:UDP:BitComet 12964 UDP
"27387:TCP"= 27387:TCP:BitComet 27387 TCP
"27387:UDP"= 27387:UDP:BitComet 27387 UDP
"10112:TCP"= 10112:TCP:BitComet 10112 TCP
"10112:UDP"= 10112:UDP:BitComet 10112 UDP
"23128:TCP"= 23128:TCP:BitComet 23128 TCP
"23128:UDP"= 23128:UDP:BitComet 23128 UDP
"24884:TCP"= 24884:TCP:BitComet 24884 TCP
"24884:UDP"= 24884:UDP:BitComet 24884 UDP

R0 hotcore2;hotcore2;C:\WINDOWS\system32\drivers\hotcore2.sys [2006-11-13 19:58]
R1 bbcap;bbcap;C:\WINDOWS\system32\DRIVERS\bbcap.sys [2008-04-13 20:56]
R1 kbfilter;Keyboard Filter Driver;C:\WINDOWS\system32\drivers\kbfilter.sys [2002-07-11 13:00]
R1 UsbFltr;WayTechUSBFilterDriver;C:\WINDOWS\system32\drivers\UsbFltr.sys [2003-12-29 19:27]
R3 PSched;Plánovač paketů technologie QoS;C:\WINDOWS\system32\DRIVERS\psched.sys [2006-03-02 14:00]
S2 PSTRIP;PSTRIP;C:\WINDOWS\system32\DRIVERS\PSTRIP.SYS []
S3 BioNT_BS;BioNT_BS;C:\Program Files\Paragon Software\Hard Disk Manager\bluescrn\BioNT_bs.sys [2006-11-13 19:58]
S3 gHidPnp;USB Device Enhanced Function Driver;C:\WINDOWS\system32\Drivers\gHidPnp.Sys []
S3 gMouPS2;PS2 Scroll Mouse Device;C:\WINDOWS\system32\DRIVERS\gMouPS2.sys []
S3 gMouUsb;USB Mouse Device Drv;C:\WINDOWS\system32\DRIVERS\gMouUsb.sys []
S3 NtApm;Ovladač rozhraní služby NT Apm/Legacy;C:\WINDOWS\system32\DRIVERS\NtApm.sys [2006-03-02 14:00]
S3 SCREAMINGBDRIVER;Screaming Bee Audio;C:\WINDOWS\system32\drivers\screamingbdriver.sys [2005-11-21 01:08]
S3 TVICHW32;TVICHW32;C:\WINDOWS\system32\DRIVERS\TVICHW32.SYS []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\m.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e4d556ce-3447-11dc-bc71-001617bf9399}]
\Shell\AutoRun\command - F:\Install.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e56a38c5-1d76-11dc-bc42-001617bf9399}]
\Shell\AutoRun\command - v.exe
\Shell\explore\Command - v.exe
\Shell\open\Command - v.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f2924940-323a-11dc-bc6c-001617bf9399}]
\Shell\AutoRun\command - F:\Install.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f78c6402-19e1-11dc-bc36-001617bf9399}]
\Shell\AutoRun\command - J:\w0o.com
\Shell\explore\Command - J:\w0o.com
\Shell\open\Command - J:\w0o.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f78c6403-19e1-11dc-bc36-001617bf9399}]
\Shell\AutoRun\command - v.exe
\Shell\explore\Command - v.exe
\Shell\open\Command - v.exe

*Newly Created Service* - CATCHME
*Newly Created Service* - PROCEXP90
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-BitTorrent - D:\BitTorrent\bittorrent.exe
HKCU-Run-Network Drive Manager - H:\Filmy\Suncross.Network.Drive.Manager.v2.2.0.WinAll.Cracked-CRD\NetworkDriveManager.exe
HKCU-Run-Mediaware Task Manager 3.5 - C:\Program Files\Mediaware Task Manager 3.5\TaskManager.exe
HKCU-Run-kamsoft - C:\WINDOWS\system32\ckvo.exe
HKCU-Run-OEXPRESS - (no file)
HKLM-Run-TXP - c:\program files\topthemesxp\txp.exe
HKLM-Run-WinampAgent - C:\Program Files\Winamp\winampa.exe
HKLM-Run-symreg - C:\WINDOWS\system32\symreg.exe


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Ricky\Data aplikací\Mozilla\Firefox\Profiles\nwq8inpg.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.sk/


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-12 21:34:42
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-08-12 21:36:17
ComboFix-quarantined-files.txt 2008-08-12 19:35:31

Pre-Run: 4,720,390,144
Post-Run: 8,787,304,448

276 --- E O F --- 2008-07-25 16:56:23

Ale uz mi nezobrazuje nic vsetko je v pohode. Inak ten trojan mi sposoboval ze mi zlozky diskov z Tohto pocitaca otvralo samostatne. Hned ako sa mi odstranil ten trojan, otvara sa v pohode, velmi dakujem vam aj ComboFixu.

[fredik]

Pokud jsi měl k tomuto Pc připojenou flešku/USB klíčenku/Mp3 přehrávač, tak ji připoj k Pc a proveď postup s Flash Disinfectorem.

Stáhni tento program: Flash Disinfector (by sUBs)
- Spusť Flash Disinfector a počkej až tě program bude informovat o ukončení své činnosti.
- po té můžeš výměnné zařízení odpojit.

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

Otevři si Poznámkový blok (Start -> Spustit... a napiš do okna Notepad a dej Ok)
Zkopíruj do něj následující celý text označený zeleně:
Poznámka: Nepoužij k označení skriptu funkci VYBRAT VŠE

Kód: Vybrat vše

File::
C:\bpu.exe
C:\r2nl.com

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e56a38c5-1d76-11dc-bc42-001617bf9399}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f78c6402-19e1-11dc-bc36-001617bf9399}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f78c6403-19e1-11dc-bc36-001617bf9399}]

Zvol možnost Soubor -> Uložit jako... a nastav tyto parametry:
Název souboru: zde napiš: CFScript.txt
Uložit jako typ: tak tam vyber Všechny soubory
Ulož soubor na plochu.
Ukonči všechna aktivní okna.

Uchop myší vytvořený skript CFScript.txt, přemísti ho nad stažený program ComboFix.exe a když se oba soubory překryjí, skript upusť

- Automaticky se spustí ComboFix
- Vlož sem log, který vyběhne v závěru čistícího procesu + nový log z HJT.

Pošli pak ještě pro jistotu log z Mwav

[Quadman4852]

A vazne je to treba robit, ked mi uz nic nerobi? Eset Smart Security mi nic nehlasi a ide mi vsetko tak ako ma :/

[fredik]

Jde o to, že worm co jsi tam měl se šíří přes již zmíněná výměnná zařízení. Ještě to úplně v pořádku není.

[Quadman4852]

aha, no ok, ja som k tomu nemal nic pripojene (pokial sa nejedna o predlzovaci USB kabel).

[fredik]

Prodlužovací kabel ne.