mwav log-poradte co smáznout Vyřešeno

[lugr]

poslední dobou se můj systém chová divne ,mezi otevrenými procesy jsem objevil podezřelý soubor na který můj avast nereaguje ale po projetí teho souboru na netu jsem zjistil že nektré antiviry ho označili za vir či cosi podobného jedná se o soubor C:\DOCUME~1\grebi\grebi.exe

zajímavé je že má stejný název jako uživatel pod kterým se přihlašuji -grebi
pravdepodobne je to nejaký trojan který potom natahuje další smejd do počítače-možná ,nevím

tady je log s MWAV skenu už trochu pročištený poradte co mám smáznout díky moc, za pomoc
(jo ješte neco:mám Os- win xp, antivir avast)


Fri Dec 05 16:24:22 2008 => File C:\DOCUME~1\grebi\grebi.exe infected by "Backdoor.Win32.Small.gtw" Virus!

Action Taken: No Action Taken.






Fri Dec 05 16:24:27 2008 => System found infected with yahoospymon Spyware/Adware

({4340df8e-d7a3-4675-be74-80077b2b3e81})! Action taken: No Action Taken.
Fri Dec 05 16:24:29 2008 => Offending Key found: HKLM\Software\Microsoft\Windows\CurrentVersion\Internet

Settings\p3p\history\gator.com !!!
Fri Dec 05 16:24:29 2008 => Object "gain.gator Spyware/Adware" found in File System! Action Taken: No

Action Taken.

Fri Dec 05 16:24:29 2008 => Offending Key found: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet

Settings\p3p\history\gator.com !!!
Fri Dec 05 16:24:29 2008 => Object "gain.gator Spyware/Adware" found in File System! Action Taken: No

Action Taken.

Fri Dec 05 16:24:30 2008 => Offending Folder found: C:\Documents and Settings\grebi\Data

aplikací\icq\bart\1024
Fri Dec 05 16:24:30 2008 => Object "smitfraud Browser Hijacker" found in File System! Action Taken: No

Action Taken.

Fri Dec 05 16:24:34 2008 => Offending file found: C:\WINNT\system32\win.com
Fri Dec 05 16:24:34 2008 => System found infected with combo Spyware/Adware (C:\WINNT\system32\win.com)!

Action taken: No Action Taken.

Fri Dec 05 16:24:38 2008 => Offending file found: C:\WINNT\system32\win.com
Fri Dec 05 16:24:38 2008 => System found infected with combo Spyware/Adware (C:\WINNT\system32\win.com)!

Action taken: No Action Taken.

Fri Dec 05 16:24:39 2008 => Offending file found: C:\WINNT\system32\win.com
Fri Dec 05 16:24:39 2008 => System found infected with combo Spyware/Adware (C:\WINNT\system32\win.com)!

Action taken: No Action Taken.

Fri Dec 05 16:24:40 2008 => Offending Registry Entry found: hkcu\software\mirabilis
Fri Dec 05 16:24:40 2008 => System found infected with personalantispy Corrupted Adware/Spyware

(hkcu\software\mirabilis)! Action taken: No Action Taken.

Fri Dec 05 16:24:40 2008 => Offending Registry Entry found: hkcu\software\avs
Fri Dec 05 16:24:40 2008 => System found infected with antivirus sentry Corrupted Adware/Spyware

(hkcu\software\avs)! Action taken: No Action Taken.

Fri Dec 05 16:24:43 2008 => Checking MountPoints2 Registry Key...
Fri Dec 05 16:24:43 2008 => Checking CLSID Reference Entries...
Fri Dec 05 16:24:43 2008 => Entry "HKCR\AcroExch.Document.7" refers to invalid object

"{B801CA65-A1FC-11D0-85AD-444553540000}". Action Taken: No Action Taken.

Fri Dec 05 16:24:43 2008 => Entry "HKCR\AcroExch.XDPDoc" refers to invalid object

"{B801CA65-A1FC-11D0-85AD-444553540000}". Action Taken: No Action Taken.

Fri Dec 05 16:24:44 2008 => Entry "HKCR\MSInfo.Document" refers to invalid object

"{45ac8c63-23e2-11d1-a696-00c04fd58bc3}". Action Taken: No Action Taken.

Fri Dec 05 16:24:44 2008 => Checking Module Usage Entries...
Fri Dec 05 16:24:44 2008 => Checking User Trusted External App Entries...
Fri Dec 05 16:24:44 2008 => Entry "HKCU\Software\Netscape\Netscape Navigator\User Trusted External

Applications" refers to invalid object ""E:\data\cdw32.exe"". Action Taken: No Action Taken.

Fri Dec 05 16:24:44 2008 => Checking Shared DLL Entries...
Fri Dec 05 16:24:47 2008 => Checking Installer Entries...
Fri Dec 05 16:24:47 2008 => Checking Shared Tools Entries...
Fri Dec 05 16:24:47 2008 => Checking File Extension Entries...
Fri Dec 05 16:24:47 2008 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts"

refers to invalid object ".pf". Action Taken: No Action Taken.

Fri Dec 05 16:24:47 2008 => Checking Application Cache Entries...
Fri Dec 05 16:24:47 2008 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache"

refers to invalid object "{7B63B2922B174135AFC0E1377DD81EC2}". Action Taken: No Action Taken.



Fri Dec 05 16:26:14 2008 => ***** Checking for specific ITW Viruses *****
Fri Dec 05 16:26:14 2008 => Checking for Welchia Virus...
Fri Dec 05 16:26:14 2008 => Checking for LovGate Virus...
Fri Dec 05 16:26:14 2008 => Checking for CodeRed Virus...
Fri Dec 05 16:26:14 2008 => Checking for OpaServ Virus...
Fri Dec 05 16:26:14 2008 => Checking for Sobig.e Virus...
Fri Dec 05 16:26:14 2008 => Checking for Winupie Virus...
Fri Dec 05 16:26:14 2008 => Checking for Swen Virus...
Fri Dec 05 16:26:14 2008 => Checking for JS.Fortnight Virus...
Fri Dec 05 16:26:14 2008 => Checking for Novarg Virus...
Fri Dec 05 16:26:14 2008 => Checking for Pagabot Virus...
Fri Dec 05 16:26:14 2008 => Checking for Parite.b Virus...
Fri Dec 05 16:26:14 2008 => Checking for Parite.a Virus...
Fri Dec 05 16:26:14 2008 => Checking for Adware.SeekSeek Virus...

Fri Dec 05 16:26:14 2008 => ***** Scanning complete. *****

Fri Dec 05 16:26:14 2008 => Total Objects Scanned: 64776
Fri Dec 05 16:26:14 2008 => Total Critical Objects: 10
Fri Dec 05 16:26:14 2008 => Total Disinfected Objects: 0
Fri Dec 05 16:26:14 2008 => Total Objects Renamed: 0
Fri Dec 05 16:26:14 2008 => Total Deleted Objects: 0
Fri Dec 05 16:26:14 2008 => Total Errors: 15
Fri Dec 05 16:26:14 2008 => Time Elapsed: 00:02:17
Fri Dec 05 16:26:14 2008 => Virus Database Date: 12/5/2008
Fri Dec 05 16:26:14 2008 => Virus Database Count: 1438362

Fri Dec 05 16:26:14 2008 => Scan Completed.

[Reklama]

[jaro3]

Stáhni si Malwarebytes' Anti-Malware
Nainstaluj a spusť ho
- na konci instalace se ujisti že máš zvoleny/zatrhnuty obě možnosti:
Update Malwarebytes' Anti-Malware (Aktualizace Malwarebytes' Anti-Malware) a Launch Malwarebytes' Anti-Malware (Spustit aplikaci Malwarebytes' Anti-Malware), pokud jo tak klikni na tlačítko Finish
- pokud bude nalezena aktualizace, tak se stáhne a nainstaluje
- program se po té spustí a nech vybranou možnost Perform Quick Scan (Provést rychlý sken) a klikni na tlačítko Scan (Skenovat)
- po proběhnutí programu se ti objeví hláška tak klikni na OK a pak na tlačítko Show Results
- pak zvol možnost Save Logfile a ulož si log na plochu
- po té klikni na tlačítko Exit, objeví se ti hláška tak zvol Ano
(zatím nic nemaž!).
Vlož sem pak obsah toho logu.

[lugr]

tady je ten log

Malwarebytes' Anti-Malware 1.31
Verze databáze: 1474
Windows 5.1.2600 Service Pack 2

8.12.2008 12:45:14
mbam-log-2008-12-08 (12-45-02).txt

Typ skenu: Rychlý sken
Objektu skenováno: 52599
Uplynulý cas: 2 minute(s), 55 second(s)

Infikované procesy pameti: 0
Infikované pametové moduly: 0
Infikované klíce registru: 1
Infikované hodnoty registru: 0
Infikované položky dat registru: 0
Infikované složky: 0
Infikované soubory: 4

Infikované procesy pameti:
(Žádné zákerné položky nebyly zjišteny)

Infikované pametové moduly:
(Žádné zákerné položky nebyly zjišteny)

Infikované klíce registru:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WinCtrl32 (Trojan.Agent) -> No action taken.

Infikované hodnoty registru:
(Žádné zákerné položky nebyly zjišteny)

Infikované položky dat registru:
(Žádné zákerné položky nebyly zjišteny)

Infikované složky:
(Žádné zákerné položky nebyly zjišteny)

Infikované soubory:
C:\WINNT\rundll16.exe (Fake.Dropped.Malware) -> No action taken.
C:\WINNT\system32\vcmgcd32.dll (Trojan.Agent) -> No action taken.
C:\WINNT\logo1_.exe (Worm.Viking) -> No action taken.
C:\WINNT\system32\systems.txt (Trojan.FakeAlert) -> No action taken.

[jaro3]

. Takže spusť znovu MbAM a dej Scan
- po proběhnutí programu se ti objeví hláška tak klikni na OK a pak na tlačítko Show Results
- ujistit se že máš zatrhnuté všechny vypsané nálezy a klikni na tlačítko Remove Selected
- když skončí odstraňování tak se ti zobrazí log, tak ho sem dej.
- pak zvol v programu OK a pak program ukonči přes Exit

Můžeš sem pak vložit log + nový log z HJT.

[lugr]

tady je ten log

Malwarebytes' Anti-Malware 1.31
Verze databáze: 1474
Windows 5.1.2600 Service Pack 2

8.12.2008 14:05:03
mbam-log-2008-12-08 (14-05-03).txt

Typ skenu: Rychlý sken
Objektu skenováno: 52746
Uplynulý cas: 2 minute(s), 46 second(s)

Infikované procesy pameti: 0
Infikované pametové moduly: 0
Infikované klíce registru: 1
Infikované hodnoty registru: 0
Infikované položky dat registru: 0
Infikované složky: 0
Infikované soubory: 4

Infikované procesy pameti:
(Žádné zákerné položky nebyly zjišteny)

Infikované pametové moduly:
(Žádné zákerné položky nebyly zjišteny)

Infikované klíce registru:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WinCtrl32 (Trojan.Agent) -> Quarantined and deleted successfully.

Infikované hodnoty registru:
(Žádné zákerné položky nebyly zjišteny)

Infikované položky dat registru:
(Žádné zákerné položky nebyly zjišteny)

Infikované složky:
(Žádné zákerné položky nebyly zjišteny)

Infikované soubory:
C:\WINNT\rundll16.exe (Fake.Dropped.Malware) -> Delete on reboot.
C:\WINNT\system32\vcmgcd32.dll (Trojan.Agent) -> Delete on reboot.
C:\WINNT\logo1_.exe (Worm.Viking) -> Delete on reboot.
C:\WINNT\system32\systems.txt (Trojan.FakeAlert) -> Delete on reboot.


tady je lok z hijaku:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:11:31, on 8.12.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\WinFast\WFDTV\WFWIZ.exe
C:\Program Files\WinFast\WFDTV\DTVSchdl.exe
C:\Program Files\Labtec\Mouse\V3.0\moffice.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Labtec\Mouse\V3.0\MOUSE32A.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\System32\svchost.exe
D:\luboš\Hijackthis\HijackThis.exe
C:\Documents and Settings\grebi\grebi.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.seznam.cz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [JMB36X Configure] C:\WINNT\System32\JMRaidTool.exe boot
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [WinFast Schedule] C:\Program Files\WinFast\WFDTV\WFWIZ.exe
O4 - HKLM\..\Run: [amd_dc_opt] "C:\Program Files\AMD\amd_dc_opt\amd_dc_opt.exe"
O4 - HKLM\..\Run: [WinFastDTV] C:\Program Files\WinFast\WFDTV\DTVSchdl.exe
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Labtec\Mouse\V3.0\moffice.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [grebi] C:\Documents and Settings\grebi\grebi.exe /i
O4 - HKUS\S-1-5-19\..\Run: [internat.exe] internat.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [internat.exe] internat.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [internat.exe] internat.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [internat.exe] internat.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 6192133406
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1FB91352-197D-4C9D-AAA2-443CEFF416C1}: NameServer = 217.112.162.34 217.112.160.1
O20 - Winlogon Notify: WinCtrl32 - WinCtrl32.dll (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 7145 bytes



ale obávám se že problém neni furt vyřešen po přihlášení na net mi zase antivir avas zachytil dva viry(dal jsem je smáznout)
tady je co mi našel:

8.12.2008 14:09:21 grebi 1028 Virus "Win32:Rootkit-gen [Rtk]" byl nalezen v souboru "C:\WINNT\System32\WinCtrl32.dll".
8.12.2008 14:09:34 grebi 1028 Virus "Win32:Agent-VGV [Wrm]" byl nalezen v souboru "C:\WINNT\System32\drivers\Winqw52.sys".

myslím že problém bude i jeden z bežících procesu
tento se mi nezdá:

C:\Documents and Settings\grebi\grebi.exe

je divné že má název stejný jak mé uživatelské jméno

ps : log jsem proved po restartu

[jaro3]

Zastav v procesech:grebi.exe
a následně smaž:
C:\Documents and Settings\grebi\grebi.exe

Stáhni si SDFix
- Spusť ho a rozbalí se ti na disk kde je nainstalovaný Windows (typicky to je C:\SDfix)
- Pak restartuj PC do nouzového režimu (zvol možnost: Stav nouze, ne Stav nouze s práci v síti)
- Otevři adresář kde je vybalený SDFix a spusť soubor RunThis.bat tím spustíš program.
* Pak stiskni klávesu Y a pak Enter pro zahájení čistícího procesu.
* Pro dokončení kontroly budeš vyzván ke stisknutí libovolné klávesy a počítač se restartuje.
* Při nabíhání operačního systému se program spustí znovu a dokončí čistící proces. Až se objeví Finish, budeš muset po vyzvání stisknout libovolnou klávesu, tim se ukončí program a zobrazí se ti ikony na ploše
- Když se skončí načítání ikon na ploše, otevře se ti na obrazovce log z SDFix a zároveň ho uloží do adresáře kde je rozbalený SDFix jako soubor Report.txt
Pak sem zkopíruj jeho obsah + nový log z HJT+ mrkni se jestli ti pod Startem nechybí nějaké ikony, zobrazují se ti disky pod Tento počítač....

[lugr]

tak tady je ten log


SDFix: Version 1.240
Run by grebi on Łt 09.12.2008 at 14:07

Microsoft Windows XP [Verze 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

No Trojan Files Found






Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-09 14:11:08
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s1"=dword:2df9c43f
"s2"=dword:110480d0
"h0"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Program Files\DAEMON Tools Lite\"
"h0"=dword:00000000
"khjeh"=hex:7e,9c,02,e7,45,22,ff,bb,27,db,1e,f0,26,1f,95,7c,37,f9,7c,96,dd,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,e3,15,32,ef,e9,3b,68,9b,57,ab,5e,93,15,21,bc,9c,45,..
"khjeh"=hex:e5,df,4e,c3,4b,7c,27,76,5f,a9,b5,a1,43,d1,e0,1f,ff,8e,5a,05,10,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:59,db,8d,f0,47,1a,51,ae,94,c7,db,c9,25,d7,27,21,8a,31,94,8f,d2,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Program Files\DAEMON Tools Lite\"
"h0"=dword:00000000
"khjeh"=hex:7e,9c,02,e7,45,22,ff,bb,27,db,1e,f0,26,1f,95,7c,37,f9,7c,96,dd,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,e3,15,32,ef,e9,3b,68,9b,57,ab,5e,93,15,21,bc,9c,45,..
"khjeh"=hex:e5,df,4e,c3,4b,7c,27,76,5f,a9,b5,a1,43,d1,e0,1f,ff,8e,5a,05,10,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:59,db,8d,f0,47,1a,51,ae,94,c7,db,c9,25,d7,27,21,8a,31,94,8f,d2,..

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Cursors\Schemes]
"\f\1e?r?n?á? ?o?k?n?a? ?"="C:\WINNT\cursors\arrow_r.cur,C:\WINNT\cursors\help_r.cur,C:\WINNT\cursors\wait_r.cur,C:\WINNT\cursors\busy_r.cur,C:\WINNT\cursors\cross_r.cur,C:\WINNT\cursors\beam_r.cur,C:\WINNT\cursors\pen_r.cur,C:\WINNT\cursors\no_r.cur,C:\WINNT\cursors\size4_r.cur,C:\WINNT\cursors\size3_r.cur,C:\WINNT\cursors\size2_r.cur,C:\WINNT\cursors\size1_r.cur,C:\WINNT\cursors\move_r.cur,C:\WINNT\cursors\up_r.cur"
"\f\1e?r?n?á? ?o?k?n?a? ?(?v?e?l?k?é?)?"="C:\WINNT\cursors\arrow_rm.cur,C:\WINNT\cursors\help_rm.cur,C:\WINNT\cursors\wait_rm.cur,C:\WINNT\cursors\busy_rm.cur,C:\WINNT\cursors\cross_rm.cur,C:\WINNT\cursors\beam_rm.cur,C:\WINNT\cursors\pen_rm.cur,C:\WINNT\cursors\no_rm.cur,C:\WINNT\cursors\size4_rm.cur,C:\WINNT\cursors\size3_rm.cur,C:\WINNT\cursors\size2_rm.cur,C:\WINNT\cursors\size1_rm.cur,C:\WINNT\cursors\move_rm.cur,C:\WINNT\cursors\up_rm.cur"
"\f\1e?r?n?á? ?o?k?n?a? ?(?n?e?j?v?\e\1t?a\1í?)?"="C:\WINNT\cursors\arrow_rl.cur,C:\WINNT\cursors\help_rl.cur,C:\WINNT\cursors\wait_rl.cur,C:\WINNT\cursors\busy_rl.cur,C:\WINNT\cursors\cross_rl.cur,C:\WINNT\cursors\beam_rl.cur,C:\WINNT\cursors\pen_rl.cur,C:\WINNT\cursors\no_rl.cur,C:\WINNT\cursors\size4_rl.cur,C:\WINNT\cursors\size3_rl.cur,C:\WINNT\cursors\size2_rl.cur,C:\WINNT\cursors\size1_rl.cur,C:\WINNT\cursors\move_rl.cur,C:\WINNT\cursors\up_rl.cur"
"\f\1e?r?n?é? ?u?k?a?z?a?t?e?l?e? ?"="C:\WINNT\cursors\arrow_r.cur,C:\WINNT\cursors\help_r.cur,C:\WINNT\cursors\wait_r.cur,C:\WINNT\cursors\busy_r.cur,C:\WINNT\cursors\cross_r.cur,C:\WINNT\cursors\beam_r.cur,C:\WINNT\cursors\pen_r.cur,C:\WINNT\cursors\no_r.cur,C:\WINNT\cursors\size4_r.cur,C:\WINNT\cursors\size3_r.cur,C:\WINNT\cursors\size2_r.cur,C:\WINNT\cursors\size1_r.cur,C:\WINNT\cursors\move_r.cur,C:\WINNT\cursors\up_r.cur"
"\f\1e?r?n?é? ?u?k?a?z?a?t?e?l?e? ?(?v?e?l?k?é?)?"="C:\WINNT\cursors\arrow_rm.cur,C:\WINNT\cursors\help_rm.cur,C:\WINNT\cursors\wait_rm.cur,C:\WINNT\cursors\busy_rm.cur,C:\WINNT\cursors\cross_rm.cur,C:\WINNT\cursors\beam_rm.cur,C:\WINNT\cursors\pen_rm.cur,C:\WINNT\cursors\no_rm.cur,C:\WINNT\cursors\size4_rm.cur,C:\WINNT\cursors\size3_rm.cur,C:\WINNT\cursors\size2_rm.cur,C:\WINNT\cursors\size1_rm.cur,C:\WINNT\cursors\move_rm.cur,C:\WINNT\cursors\up_rm.cur"
"\f\1e?r?n?é? ?u?k?a?z?a?t?e?l?e? ?(?n?e?j?v?\e\1t?a\1í?)?"="C:\WINNT\cursors\arrow_rl.cur,C:\WINNT\cursors\help_rl.cur,C:\WINNT\cursors\wait_rl.cur,C:\WINNT\cursors\busy_rl.cur,C:\WINNT\cursors\cross_rl.cur,C:\WINNT\cursors\beam_rl.cur,C:\WINNT\cursors\pen_rl.cur,C:\WINNT\cursors\no_rl.cur,C:\WINNT\cursors\size4_rl.cur,C:\WINNT\cursors\size3_rl.cur,C:\WINNT\cursors\size2_rl.cur,C:\WINNT\cursors\size1_rl.cur,C:\WINNT\cursors\move_rl.cur,C:\WINNT\cursors\up_rl.cur"

scanning hidden files ...

C:\WINNT\0.log 0 bytes

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 1


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\ICQ6\\ICQ.exe"="C:\\Program Files\\ICQ6\\ICQ.exe:*:Enabled:ICQ6"
"C:\\WINNT\\Explorer.EXE"="C:\\WINNT\\Explorer.EXE:*:Enabled:ENABLE"
"C:\\WINNT\\system32\\userinit.exe"="C:\\WINNT\\system32\\userinit.exe:*:Enabled:ENABLE"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files :



Files with Hidden Attributes :

Wed 13 Oct 2004 1,694,208 ...H. --- "C:\Program Files\Messenger\msmsgs.exe"
Tue 17 Aug 2004 60,416 A.SH. --- "C:\Program Files\Outlook Express\msimn.exe"
Wed 22 Oct 2008 949,072 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\advcheck.dll"
Mon 15 Sep 2008 1,562,960 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDHelper.dll"
Thu 14 Aug 2008 1,429,840 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Wed 30 Jul 2008 4,891,984 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Tue 16 Sep 2008 1,833,296 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Wed 22 Oct 2008 962,896 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\Tools.dll"

Finished!



a tuto ten z hijaku:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:28:37, on 9.12.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\WinFast\WFDTV\WFWIZ.exe
C:\Program Files\WinFast\WFDTV\DTVSchdl.exe
C:\Program Files\Labtec\Mouse\V3.0\moffice.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Labtec\Mouse\V3.0\MOUSE32A.EXE
C:\WINNT\system32\spoolsv.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINNT\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
D:\luboš\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.seznam.cz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [JMB36X Configure] C:\WINNT\System32\JMRaidTool.exe boot
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [WinFast Schedule] C:\Program Files\WinFast\WFDTV\WFWIZ.exe
O4 - HKLM\..\Run: [amd_dc_opt] "C:\Program Files\AMD\amd_dc_opt\amd_dc_opt.exe"
O4 - HKLM\..\Run: [WinFastDTV] C:\Program Files\WinFast\WFDTV\DTVSchdl.exe
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Labtec\Mouse\V3.0\moffice.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [grebi] C:\Documents and Settings\grebi\grebi.exe /i
O4 - HKUS\S-1-5-19\..\Run: [internat.exe] internat.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [internat.exe] internat.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [internat.exe] internat.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [internat.exe] internat.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 6192133406
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1FB91352-197D-4C9D-AAA2-443CEFF416C1}: NameServer = 217.112.162.34 217.112.160.1
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 7006 bytes

[jaro3]

Toto otestuj na Virustotal
C:\Documents and Settings\grebi\grebi.exe /i
C:\Documents and Settings\grebi\grebi.exe
Vlož sem výsledky.

Vypni rez. ochranu u antiviru.
Stáhni si ComboFix (by sUBs)

a ulož si ho na plochu.
Ukonči všechna aktivní okna a spusť ho.
- Po spuštění se zobrazí podmínky užití, potvrď je stiskem tlačítka Ano
- Dále postupuj dle pokynů, během aplikování ComboFixu neklikej do zobrazujícího se okna
- Po dokončení skenování by měl program vytvořit log - C:\ComboFix.txt - zkopíruj sem prosím celý jeho obsah

[lugr]

takže soubor
C:\Documents and Settings\grebi\grebi.exe
už v počítači nemám smazaljsem ho jak si psal dříve(skartoval pomocí spybotu-nešel ukončit v bežících procesech)

tento soubor C:\Documents and Settings\grebi\grebi.exe /i
v počítači ani nemám
asi jsi myslel tento klíč (či coto je) v registru

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"grebi"=c:\documents and settings\grebi\grebi.exe /i

ináč jsem to projel tím ComboFix a toto mi vypadlo:
PS.: vypadá to nadějně zatím žádná hláška od antiviru

ComboFix 08-12-07.04 - grebi 2008-12-09 16:07:31.1 - NTFSx86
Systém Microsoft Windows XP Professional 5.1.2600.2.1250.1.1029.18.1604 [GMT 1:00]
Spuštěný z: c:\documents and settings\grebi\Plocha\ComboFix.exe
* Vytvořen nový Bod Obnovení

VAROVÁNÍ - NA TOMTO POČÍTAČI NENÍ NAINSTALOVÁNA KONZOLA PRO ZOTAVENÍ !!
.

((((((((((((((((((((((((((((((((((((((( Ostatní výmazy )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\winnt\regedit.com
c:\winnt\system32\Dvbpws.dll
c:\winnt\system32\taskmgr.com
c:\winnt\Web\default.htt

.
((((((((((((((((((((((((((((((((((((((( Ovladače/Služby )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_IAS


((((((((((((((((((((((((( Soubory vytvořené od 2008-11-09 do 2008-12-09 )))))))))))))))))))))))))))))))
.

2008-12-09 14:05 . 2008-12-09 14:05 <DIR> d-------- c:\winnt\ERUNT
2008-12-09 14:00 . 2008-12-09 14:12 <DIR> d-------- C:\SDFix
2008-12-08 12:39 . 2008-12-08 12:39 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-08 12:39 . 2008-12-08 12:39 <DIR> d-------- c:\documents and settings\grebi\Data aplikací\Malwarebytes
2008-12-08 12:39 . 2008-12-08 12:39 <DIR> d-------- c:\documents and settings\All Users\Data aplikací\Malwarebytes
2008-12-08 12:39 . 2008-12-03 19:59 38,496 --a------ c:\winnt\system32\drivers\mbamswissarmy.sys
2008-12-08 12:39 . 2008-12-03 19:59 15,504 --a------ c:\winnt\system32\drivers\mbam.sys
2008-12-05 16:26 . 2008-12-05 16:26 0 --a------ C:\23990098.$$$
2008-12-02 21:21 . 2008-12-02 21:21 <DIR> d-------- c:\program files\oZone3D
2008-12-02 17:39 . 2008-12-02 17:39 <DIR> d-------- c:\winnt\system32\xlive
2008-12-01 22:00 . 2001-09-19 06:47 765,952 -ra------ c:\winnt\system\crlds3d.dll
2008-12-01 22:00 . 2006-03-17 11:18 392,960 -ra------ c:\winnt\system32\drivers\senfilt.sys
2008-12-01 22:00 . 2006-09-08 03:08 247,296 -ra------ c:\winnt\system32\drivers\ADIHdAud.sys
2008-12-01 22:00 . 2006-08-29 14:21 94,080 -ra------ c:\winnt\system32\drivers\aeaudio.sys
2008-12-01 22:00 . 2006-02-06 08:54 24,064 -ra------ c:\winnt\system32\PostProc.dll
2008-12-01 21:57 . 2008-12-01 21:58 23,701 --a------ c:\winnt\Ascd_tmp.ini
2008-11-24 15:04 . 2008-12-04 20:36 <DIR> d-------- c:\program files\Java
2008-11-24 15:04 . 2008-11-10 03:39 73,728 --a------ c:\winnt\system32\javacpl.cpl
2008-11-24 15:02 . 2008-11-10 05:43 410,984 --a------ c:\winnt\system32\deploytk.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-01 21:00 --------- d-----w c:\program files\Analog Devices
2008-12-01 20:44 --------- d-----w c:\program files\přehrávače
2008-11-26 20:16 --------- d-----w c:\documents and settings\grebi\Data aplikací\DivX
2008-11-07 18:08 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-07 18:08 --------- d-----w c:\documents and settings\All Users\Data aplikací\Fallout3
2008-11-07 18:06 --------- d-----w c:\program files\MSBuild
2008-11-07 18:03 --------- d-----w c:\program files\Reference Assemblies
2008-11-07 17:49 --------- d-----w c:\program files\DAEMON Tools Lite
2008-11-07 17:45 717,296 ----a-w c:\winnt\system32\drivers\sptd.sys
2008-11-07 17:45 --------- d-----w c:\documents and settings\grebi\Data aplikací\DAEMON Tools
2008-11-07 16:33 --------- d-----w c:\program files\GetRight
2008-11-06 04:52 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-11-04 19:43 --------- d-----w c:\program files\7-Zip
2008-10-28 15:38 --------- d-----w c:\documents and settings\grebi\Data aplikací\XnView
2008-10-21 16:08 --------- d-----w c:\program files\ICQ6
2008-08-17 09:54 20,500 ----a-w c:\documents and settings\grebi\FMCodec.dat
2007-10-26 15:01 271 --sh--w c:\program files\desktop.ini
2007-10-26 15:01 22,034 ---h--w c:\program files\folder.htt
.

(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\winnt\system32\ctfmon.exe" [2004-08-17 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\winnt\system32\dumprep 0 -u" [X]
"JMB36X Configure"="c:\winnt\System32\JMRaidTool.exe" [2006-08-14 352256]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-11-26 81000]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"WinFast Schedule"="c:\program files\WinFast\WFDTV\WFWIZ.exe" [2007-10-01 413696]
"amd_dc_opt"="c:\program files\AMD\amd_dc_opt\amd_dc_opt.exe" [2006-06-28 106496]
"WinFastDTV"="c:\program files\WinFast\WFDTV\DTVSchdl.exe" [2007-10-09 90112]
"FLMOFFICE4DMOUSE"="c:\program files\Labtec\Mouse\V3.0\moffice.exe" [2008-09-11 958464]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2006-09-26 872448]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-10 136600]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"internat.exe"="internat.exe" [2003-07-25 c:\winnt\system32\internat.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="c:\program files\Internet Explorer\Connection Wizard\icwconn1.exe" [2004-08-17 215552]
"tscuninstall"="c:\winnt\system32\tscupgrd.exe" [2004-08-17 44544]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= mmdrv.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winci17.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wincj28.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winfl52.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winnt74.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winou62.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winpv27.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winqw52.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winye16.sys]
@="Driver"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"grebi"=c:\documents and settings\grebi\grebi.exe /i

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"NeroFilterCheck"=c:\program files\Common Files\Ahead\Lib\NeroCheck.exe
"Launch Ai Booster"="c:\program files\ASUS\AI Booster\OverClk.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\ICQ6\\ICQ.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R1 aswSP;avast! Self Protection;c:\winnt\system32\drivers\aswSP.sys [2008-04-04 111184]
R1 wfcxacap;WinFast TV PCI Audio Capture Driver;c:\winnt\system32\DRIVERS\wfcxacap.sys [2007-09-19 9856]
R2 aswFsBlk;aswFsBlk;c:\winnt\system32\DRIVERS\aswFsBlk.sys [2008-04-04 20560]
R2 nxsIO32;NextSensor Kernel I/O Driver;\??\c:\winnt\System32\DRIVERS\nxsIO32.sys [2008-01-25 2208]
R2 wfcxatun;WinFast TV Analog Tuner Driver;c:\winnt\system32\drivers\wfcxatun.sys [2007-09-19 31744]
R2 WFCXVCAP;WinFast TV Video Capture Driver;c:\winnt\system32\drivers\wfcxvcap.sys [2007-09-19 167040]
R3 AmdTools;AMD Special Tools Driver;c:\winnt\system32\DRIVERS\AmdTools.sys [2008-03-07 31744]
R3 wfcxdtun;WinFast DTV BDA Tuner/Demod Driver;c:\winnt\system32\drivers\wfcxdtun.sys [2007-09-19 21248]
R3 wfcxtcap;WinFast DTV BDA Transport Stream Capture Driver;c:\winnt\system32\drivers\wfcxtcap.sys [2007-09-19 15872]
R3 wfcxxbar;WinFast TV Crossbar Driver;c:\winnt\system32\drivers\wfcxxbar.sys [2007-09-19 10496]
R3 WFIOCTL;WFIOCTL;\??\c:\program files\WinFast\WFDTV\WFIOCTL.SYS [2008-01-29 9446]
S0 Winci17;Winci17;c:\winnt\system32\Drivers\Winci17.sys []
S0 Wincj28;Wincj28;c:\winnt\system32\Drivers\Wincj28.sys []
S0 Winfl52;Winfl52;c:\winnt\system32\Drivers\Winfl52.sys []
S0 Winnt74;Winnt74;c:\winnt\system32\Drivers\Winnt74.sys []
S0 Winou62;Winou62;c:\winnt\system32\Drivers\Winou62.sys []
S0 Winpv27;Winpv27;c:\winnt\system32\Drivers\Winpv27.sys []
S0 Winqw52;Winqw52;c:\winnt\system32\Drivers\Winqw52.sys []
S0 Winye16;Winye16;c:\winnt\system32\Drivers\Winye16.sys []
S2 nicsk32;nicsk32;\??\c:\winnt\system32\drivers\nicsk32.sys []
S3 ALSysIO;ALSysIO;\??\c:\docume~1\grebi\LOCALS~1\Temp\ALSysIO.sys []
S3 atidgllk;atidgllk;\??\c:\documents and settings\grebi\Plocha\Downloads\Nová složka\Nová složka\atidgllk.sys []
S3 usbhub20;Podpora kořenového rozbočovač rozbočovače sběrnice USB 2.0;c:\winnt\system32\DRIVERS\usbhub20.sys [2007-10-26 49776]
.
- - - - NEPLATNÉ POLOŽKY ODSTRANĚNÉ Z REGISTRU - - - -

HKCU-Run-grebi - c:\documents and settings\grebi\grebi.exe
SafeBoot-sglfb.sys
SafeBoot-tga.sys


.
------- Doplňkový sken -------
.
uStart Page = hxxp://www.seznam.cz/
IE: Download with GetRight - c:\program files\GetRight\GRdownload.htm
IE: Open with GetRight Browser - c:\program files\GetRight\GRbrowse.htm

O16 -: DirectAnimation Java Classes - file://c:\winnt\Java\classes\dajava.cab
c:\winnt\Downloaded Program Files\DirectAnimation Java Classes.osd

O16 -: Microsoft XML Parser for Java - file://c:\winnt\Java\classes\xmldso.cab
c:\winnt\Downloaded Program Files\Microsoft XML Parser for Java.osd
FireFox -: Profile - c:\documents and settings\grebi\Data aplikací\Mozilla\Firefox\Profiles\p0p9lccu.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - www.seznam.cz
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-09 16:10:05
Windows 5.1.2600 Service Pack 2 NTFS

skenování skrytých procesů ...

skenování skrytých položek 'Po spuštění' ...

skenování skrytých souborů ...

sken byl úspešně dokončen
skryté soubory: 0

**************************************************************************
.
--------------------- Knihovny navázané na běžící procesy ---------------------

- - - - - - - > 'winlogon.exe'(480)
c:\winnt\system32\Ati2evxx.dll
.
------------------------ Jiné spuštené procesy ------------------------
.
c:\winnt\system32\ati2evxx.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\winnt\system32\ati2evxx.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\Labtec\Mouse\V3.0\mouse32a.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
c:\winnt\system32\wdfmgr.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
.
**************************************************************************
.
Celkový čas: 2008-12-09 16:11:47 - počítač byl restartován
ComboFix-quarantined-files.txt 2008-12-09 15:11:45

Před spuštěním: Volných bajtů: 11 734 167 552
Po spuštění: Volných bajtů: 11,675,684,864

193

[jaro3]

Ještě tam něco je, script dodám během večera , musím odjet...

[jaro3]

Najdi a smaž:
C:\SDFix

Otevři si Poznámkový blok (Start -> Spustit... a napiš do okna Notepad a dej Ok.
Zkopíruj do něj následující celý text označený zeleně:
Poznámka: Nepoužij k označení skriptu funkci VYBRAT VŠE

Kód: Vybrat vše

File::
c:\winnt\system32\Drivers\Winci17.sys
c:\winnt\system32\Drivers\Wincj28.sys
c:\winnt\system32\Drivers\Winfl52.sys
c:\winnt\system32\Drivers\Winnt74.sys
c:\winnt\system32\Drivers\Winou62.sys
c:\winnt\system32\Drivers\Winpv27.sys
c:\winnt\system32\Drivers\Winqw52.sys
c:\winnt\system32\Drivers\Winye16.sys

Registry::
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winci17.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wincj28.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winfl52.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winnt74.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winou62.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winpv27.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winqw52.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winye16.sys]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"grebi"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000000
"FirewallOverride"=dword:00000000

Driver::
Winci17
Wincj28
Winfl52
Winnt74
Winou62
Winpv27
Winqw52
Winye16


Zvol možnost Soubor -> Uložit jako... a nastav tyto parametry:
Název souboru: zde napiš: CFScript.txt
Uložit jako typ: tak tam vyber Všechny soubory
Ulož soubor na plochu.
Ukonči všechna aktivní okna.

Uchop myší vytvořený skript CFScript.txt, přemísti ho nad stažený program ComboFix.exe a když se oba soubory překryjí, skript upusť.
- Automaticky se spustí ComboFix
- Vlož sem log, který vyběhne v závěru čistícího procesu + nový log z HJT

Toto otestuj na Virustotal
c:\program files\desktop.ini
c:\program files\folder.htt
c:\winnt\system32\drivers\nicsk32.sys
vlož sem pak výsledky.
Zítra se podívám.

[lugr]

ComboFix 08-12-07.04 - grebi 2008-12-09 20:23:27.2 - NTFSx86
Systém Microsoft Windows XP Professional 5.1.2600.2.1250.1.1029.18.1598 [GMT 1:00]
Spuštěný z: c:\documents and settings\grebi\Plocha\ComboFix.exe
Použité ovládací přepínače :: c:\documents and settings\grebi\Plocha\CFScript.txt
* Vytvořen nový Bod Obnovení

FILE ::
c:\winnt\system32\Drivers\Winci17.sys
c:\winnt\system32\Drivers\Wincj28.sys
c:\winnt\system32\Drivers\Winfl52.sys
c:\winnt\system32\Drivers\Winnt74.sys
c:\winnt\system32\Drivers\Winou62.sys
c:\winnt\system32\Drivers\Winpv27.sys
c:\winnt\system32\Drivers\Winqw52.sys
c:\winnt\system32\Drivers\Winye16.sys
.

((((((((((((((((((((((((((((((((((((((( Ostatní výmazy )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\winnt\system32\Dvbpws.dll

.
((((((((((((((((((((((((((((((((((((((( Ovladače/Služby )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_Winci17
-------\Service_Wincj28
-------\Service_Winfl52
-------\Service_Winnt74
-------\Service_Winou62
-------\Service_Winpv27
-------\Service_Winqw52
-------\Service_Winye16


((((((((((((((((((((((((( Soubory vytvořené od 2008-11-09 do 2008-12-09 )))))))))))))))))))))))))))))))
.

2008-12-09 14:05 . 2008-12-09 14:05 <DIR> d-------- c:\winnt\ERUNT
2008-12-09 14:00 . 2008-12-09 14:12 <DIR> d-------- C:\SDFix
2008-12-08 12:39 . 2008-12-08 12:39 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-08 12:39 . 2008-12-08 12:39 <DIR> d-------- c:\documents and settings\grebi\Data aplikací\Malwarebytes
2008-12-08 12:39 . 2008-12-08 12:39 <DIR> d-------- c:\documents and settings\All Users\Data aplikací\Malwarebytes
2008-12-08 12:39 . 2008-12-03 19:59 38,496 --a------ c:\winnt\system32\drivers\mbamswissarmy.sys
2008-12-08 12:39 . 2008-12-03 19:59 15,504 --a------ c:\winnt\system32\drivers\mbam.sys
2008-12-05 16:26 . 2008-12-05 16:26 0 --a------ C:\23990098.$$$
2008-12-02 21:21 . 2008-12-02 21:21 <DIR> d-------- c:\program files\oZone3D
2008-12-02 17:39 . 2008-12-02 17:39 <DIR> d-------- c:\winnt\system32\xlive
2008-12-01 22:00 . 2001-09-19 06:47 765,952 -ra------ c:\winnt\system\crlds3d.dll
2008-12-01 22:00 . 2006-03-17 11:18 392,960 -ra------ c:\winnt\system32\drivers\senfilt.sys
2008-12-01 22:00 . 2006-09-08 03:08 247,296 -ra------ c:\winnt\system32\drivers\ADIHdAud.sys
2008-12-01 22:00 . 2006-08-29 14:21 94,080 -ra------ c:\winnt\system32\drivers\aeaudio.sys
2008-12-01 22:00 . 2006-02-06 08:54 24,064 -ra------ c:\winnt\system32\PostProc.dll
2008-12-01 21:57 . 2008-12-01 21:58 23,701 --a------ c:\winnt\Ascd_tmp.ini
2008-11-24 15:04 . 2008-12-04 20:36 <DIR> d-------- c:\program files\Java
2008-11-24 15:04 . 2008-11-10 03:39 73,728 --a------ c:\winnt\system32\javacpl.cpl
2008-11-24 15:02 . 2008-11-10 05:43 410,984 --a------ c:\winnt\system32\deploytk.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-01 21:00 --------- d-----w c:\program files\Analog Devices
2008-12-01 20:44 --------- d-----w c:\program files\přehrávače
2008-11-26 20:16 --------- d-----w c:\documents and settings\grebi\Data aplikací\DivX
2008-11-07 18:08 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-07 18:08 --------- d-----w c:\documents and settings\All Users\Data aplikací\Fallout3
2008-11-07 18:06 --------- d-----w c:\program files\MSBuild
2008-11-07 18:03 --------- d-----w c:\program files\Reference Assemblies
2008-11-07 17:49 --------- d-----w c:\program files\DAEMON Tools Lite
2008-11-07 17:45 717,296 ----a-w c:\winnt\system32\drivers\sptd.sys
2008-11-07 17:45 --------- d-----w c:\documents and settings\grebi\Data aplikací\DAEMON Tools
2008-11-07 16:33 --------- d-----w c:\program files\GetRight
2008-11-06 04:52 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-11-04 19:43 --------- d-----w c:\program files\7-Zip
2008-10-28 15:38 --------- d-----w c:\documents and settings\grebi\Data aplikací\XnView
2008-10-21 16:08 --------- d-----w c:\program files\ICQ6
2008-08-17 09:54 20,500 ----a-w c:\documents and settings\grebi\FMCodec.dat
2007-10-26 15:01 271 --sh--w c:\program files\desktop.ini
2007-10-26 15:01 22,034 ---h--w c:\program files\folder.htt
.

((((((((((((((((((((((((((((( snapshot@2008-12-09_16.11.21.51 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-04-16 15:54:40 60,928 ----a-w c:\winnt\system32\lalmapib.dll
- 2008-12-09 15:09:58 16,384 ----atw c:\winnt\Temp\Perflib_Perfdata_404.dat
+ 2008-12-09 19:25:48 16,384 ----atw c:\winnt\Temp\Perflib_Perfdata_404.dat
.
(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\winnt\system32\ctfmon.exe" [2004-08-17 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\winnt\system32\dumprep 0 -u" [X]
"JMB36X Configure"="c:\winnt\System32\JMRaidTool.exe" [2006-08-14 352256]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-11-26 81000]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"WinFast Schedule"="c:\program files\WinFast\WFDTV\WFWIZ.exe" [2007-10-01 413696]
"amd_dc_opt"="c:\program files\AMD\amd_dc_opt\amd_dc_opt.exe" [2006-06-28 106496]
"WinFastDTV"="c:\program files\WinFast\WFDTV\DTVSchdl.exe" [2007-10-09 90112]
"FLMOFFICE4DMOUSE"="c:\program files\Labtec\Mouse\V3.0\moffice.exe" [2008-09-11 958464]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2006-09-26 872448]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-10 136600]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"internat.exe"="internat.exe" [2003-07-25 c:\winnt\system32\internat.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="c:\program files\Internet Explorer\Connection Wizard\icwconn1.exe" [2004-08-17 215552]
"tscuninstall"="c:\winnt\system32\tscupgrd.exe" [2004-08-17 44544]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= mmdrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"NeroFilterCheck"=c:\program files\Common Files\Ahead\Lib\NeroCheck.exe
"Launch Ai Booster"="c:\program files\ASUS\AI Booster\OverClk.exe"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\ICQ6\\ICQ.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3999:TCP"= 3999:TCP:WWW

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R1 aswSP;avast! Self Protection;c:\winnt\system32\drivers\aswSP.sys [2008-04-04 111184]
R1 wfcxacap;WinFast TV PCI Audio Capture Driver;c:\winnt\system32\DRIVERS\wfcxacap.sys [2007-09-19 9856]
R2 aswFsBlk;aswFsBlk;c:\winnt\system32\DRIVERS\aswFsBlk.sys [2008-04-04 20560]
R2 nxsIO32;NextSensor Kernel I/O Driver;\??\c:\winnt\System32\DRIVERS\nxsIO32.sys [2008-01-25 2208]
R2 wfcxatun;WinFast TV Analog Tuner Driver;c:\winnt\system32\drivers\wfcxatun.sys [2007-09-19 31744]
R2 WFCXVCAP;WinFast TV Video Capture Driver;c:\winnt\system32\drivers\wfcxvcap.sys [2007-09-19 167040]
R3 AmdTools;AMD Special Tools Driver;c:\winnt\system32\DRIVERS\AmdTools.sys [2008-03-07 31744]
R3 wfcxdtun;WinFast DTV BDA Tuner/Demod Driver;c:\winnt\system32\drivers\wfcxdtun.sys [2007-09-19 21248]
R3 wfcxtcap;WinFast DTV BDA Transport Stream Capture Driver;c:\winnt\system32\drivers\wfcxtcap.sys [2007-09-19 15872]
R3 wfcxxbar;WinFast TV Crossbar Driver;c:\winnt\system32\drivers\wfcxxbar.sys [2007-09-19 10496]
R3 WFIOCTL;WFIOCTL;\??\c:\program files\WinFast\WFDTV\WFIOCTL.SYS [2008-01-29 9446]
S2 nicsk32;nicsk32;\??\c:\winnt\system32\drivers\nicsk32.sys []
S2 vwussqyqv;vwussqyqv;c:\winnt\system32\svchost.exe -k netsvcs [2001-10-25 14336]
S3 ALSysIO;ALSysIO;\??\c:\docume~1\grebi\LOCALS~1\Temp\ALSysIO.sys []
S3 atidgllk;atidgllk;\??\c:\documents and settings\grebi\Plocha\Downloads\Nová složka\Nová složka\atidgllk.sys []
S3 usbhub20;Podpora kořenového rozbočovač rozbočovače sběrnice USB 2.0;c:\winnt\system32\DRIVERS\usbhub20.sys [2007-10-26 49776]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
vwussqyqv
.
.
------- Doplňkový sken -------
.
uStart Page = hxxp://www.seznam.cz/
IE: Download with GetRight - c:\program files\GetRight\GRdownload.htm
IE: Open with GetRight Browser - c:\program files\GetRight\GRbrowse.htm

O16 -: DirectAnimation Java Classes - file://c:\winnt\Java\classes\dajava.cab
c:\winnt\Downloaded Program Files\DirectAnimation Java Classes.osd

O16 -: Microsoft XML Parser for Java - file://c:\winnt\Java\classes\xmldso.cab
c:\winnt\Downloaded Program Files\Microsoft XML Parser for Java.osd
FireFox -: Profile - c:\documents and settings\grebi\Data aplikací\Mozilla\Firefox\Profiles\p0p9lccu.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - www.seznam.cz
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-09 20:25:54
Windows 5.1.2600 Service Pack 2 NTFS

skenování skrytých procesů ...

skenování skrytých položek 'Po spuštění' ...

skenování skrytých souborů ...

sken byl úspešně dokončen
skryté soubory: 0

**************************************************************************
.
--------------------- Knihovny navázané na běžící procesy ---------------------

- - - - - - - > 'winlogon.exe'(480)
c:\winnt\system32\Ati2evxx.dll
.
------------------------ Jiné spuštené procesy ------------------------
.
c:\winnt\system32\ati2evxx.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\winnt\system32\ati2evxx.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\Labtec\Mouse\V3.0\mouse32a.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
c:\winnt\system32\wdfmgr.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\winnt\system32\wscntfy.exe
.
**************************************************************************
.
Celkový čas: 2008-12-09 20:27:34 - počítač byl restartován
ComboFix-quarantined-files.txt 2008-12-09 19:27:32
ComboFix2.txt 2008-12-09 15:11:48

Před spuštěním: Volných bajtů: 11 709 325 312
Po spuštění: Volných bajtů: 11,710,066,688

WindowsXP-KB310994-SP2-Pro-BootDisk-CSY.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINNT
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINNT="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn /usepmtimer

193


tady je log z hijaku:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:24:19, on 9.12.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\WinFast\WFDTV\WFWIZ.exe
C:\Program Files\WinFast\WFDTV\DTVSchdl.exe
C:\Program Files\Labtec\Mouse\V3.0\moffice.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Labtec\Mouse\V3.0\MOUSE32A.EXE
C:\WINNT\system32\spoolsv.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINNT\system32\wuauclt.exe
D:\luboš\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.seznam.cz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [JMB36X Configure] C:\WINNT\System32\JMRaidTool.exe boot
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [WinFast Schedule] C:\Program Files\WinFast\WFDTV\WFWIZ.exe
O4 - HKLM\..\Run: [amd_dc_opt] "C:\Program Files\AMD\amd_dc_opt\amd_dc_opt.exe"
O4 - HKLM\..\Run: [WinFastDTV] C:\Program Files\WinFast\WFDTV\DTVSchdl.exe
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Labtec\Mouse\V3.0\moffice.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINNT\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [internat.exe] internat.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [internat.exe] internat.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 6192133406
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1FB91352-197D-4C9D-AAA2-443CEFF416C1}: NameServer = 217.112.162.34 217.112.160.1
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 6425 bytes


a prověřil jsem ty ostatní soubory a vyšli ztoho dobře -žádný vir
jen u toho posledního souboru nevim (c:\winnt\system32\drivers\nicsk32.sys)
asi ho ani nemám v kompu
pozadání umístení po chvíli vypadlo ztěch stránek tato hlážka:


0 bytes size received / Se ha recibido un archivo vacio