Rebooting...
Normal Mode:
Checking Files:
Folder C:\DOCUME~1\Kuba\LOCALS~1\Temp\ICD1.tmp - Removed
ADS Check:
Final Check:
Remaining Services:
------------------
Rootkit huy32 maybe active, Use a Rootkit scanner!
Rootkit PE386 maybe active, Use a Rootkit scanner!
Rootkit lzx32 maybe active, Use a Rootkit scanner!
Rootkit msguard maybe active, Use a Rootkit scanner!
Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\ICQLite\\ICQLite.exe"="C:\\Program Files\\ICQLite\\ICQLite.exe:*:Enabled:ICQ Lite"
"E:\\cod2\\CoD2MP_s.exe"="E:\\cod2\\CoD2MP_s.exe:*:Enabled:CoD2MP_s"
"E:\\HLSW\\hlsw.exe"="E:\\HLSW\\hlsw.exe:*:Enabled:HLSW"
"C:\\Program Files\\DC++\\DCPlusPlus.exe"="C:\\Program Files\\DC++\\DCPlusPlus.exe:*:Enabled:DC++"
"C:\\Program Files\\BearShare Applications\\BearShare\\BearShare.exe"="C:\\Program Files\\BearShare Applications\\BearShare\\BearShare.exe:*:Enabled:BearShare"
"E:\\Xfire\\Xfire.exe"="E:\\Xfire\\Xfire.exe:*:Enabled:Xfire"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"
"C:\\Program Files\\RadLight Company\\RadLight 4.0\\rlkernel.exe"="C:\\Program Files\\RadLight Company\\RadLight 4.0\\rlkernel.exe:*:Enabled:Kernel Executable"
"E:\\Enemy Territory\\ETDED.exe"="E:\\Enemy Territory\\ETDED.exe:*:Enabled:ETDED"
"E:\\Wolfenstein - Enemy Territory\\ETDED.exe"="E:\\Wolfenstein - Enemy Territory\\ETDED.exe:*:Enabled:ETDED"
"E:\\Wolfenstein - Enemy Territory\\ET.exe"="E:\\Wolfenstein - Enemy Territory\\ET.exe:*:Enabled:ET"
"C:\\WINDOWS\\system32\\dd.exe"="C:\\WINDOWS\\system32\\dd.exe:*:Enabled:enable"
"C:\\WINDOWS\\system32\\sm.exe"="C:\\WINDOWS\\system32\\sm.exe:*:Enabled:enable"
"C:\\WINDOWS\\system32\\lnwin.exe"="C:\\WINDOWS\\system32\\lnwin.exe:*:Enabled:enable"
"C:\\WINDOWS\\system32\\adirss.exe"="C:\\WINDOWS\\system32\\adirss.exe:*:Enabled:enable"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
Remaining Files:
---------------
C:\WINDOWS\system32\rsvp32_2.dll Found - LSP!
Checking For Files with Hidden Attributes :
Finished
Logfile of HijackThis v1.99.1
Scan saved at 12:05:47, on 17.3.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\TraMet\TraMet.exe
C:\Program Files\PCI Audio Applications\Bin\EchoCtrl.exe
C:\WINDOWS\Mixer.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\Program Files\Internet Explorer\iexplore.exe
E:\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.icq.com/search/search_frame.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://google.icq.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.seznam.cz/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot\SDHelper.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [TraMet] C:\Program Files\TraMet\TraMet.exe
O4 - HKLM\..\Run: [C-Media Echo Control] C:\Program Files\PCI Audio Applications\Bin\EchoCtrl.exe
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [DAEMON Tools] "E:\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WhenUSave] "C:\Program Files\Save\Save.exe"
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Program Files\ICQToolbar\toolbaru.dll/SEARCH.HTML
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/s ... wflash.cab
O20 - Winlogon Notify: WgaLogon - WgaLogon.dll (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: O&O Defrag 2000 (OOD2000) - O&O Software GmbH - C:\WINDOWS\system32\OOD2000.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
ADIRKA - log for checking
- fredik (Security team member)
Download this program:
http://www.uploads.ejvindh.net/rustbfix.exe
Run it; if the program finds the virus, it removes it and then creates the file C:\rustbfis\pelog.txt, and there should also be a C:\avenger.txt, so paste the contents of both here.
It will probably want a restart, which may take a while, and it may need to restart once more, but that should happen automatically.
- Damned (article author)
In HJT fix these:
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [WhenUSave] "C:\Program Files\Save\Save.exe"
O20 - Winlogon Notify: WgaLogon - WgaLogon.dll (file missing)
Look in Add/Remove Programs and uninstall When_Usave if you find it there. If not, delete the folder C:\Program Files\Save\ in Safe Mode.
Nothing is impossible, which is why, where reason fails us, we do not hesitate to use a hammer.
If you want to know what is new, look in old books.
Damned's Czech localizations - translations of PC maintenance programs
HiJackThis 2 + guide, FCleaner + Czech localization, Wise Registry Cleaner
- fredik (Security team member)
To Damned: Don't you think it's pointless to post that here when I already know about it, and there are bigger problems to solve than these minor things?
You just run the file you downloaded normally: rustbfix.exe
Last edited by fredik on 17 Mar 2007 12:41, edited 1 time in total.
************************* Rustock.b-fix -- By ejvindh *************************
so 17.03.2007 12:38:06,68
No Rustock.b-rootkits found
******************************* End of Logfile ********************************
Rustock.b-ADS attached to the System32-folder:
No streams found.
Looking for Rustock.b-files in the System32-folder:
No Rustock.b-files found in system32
******************* Post-run Status of system *******************
Rustock.b-driver on the system: NONE!
Rustock.b-ADS attached to the System32-folder:
No System32-ADS found.
Looking for Rustock.b-files in the System32-folder:
No Rustock.b-files found in system32
******************************* End of Logfile ********************************
And is that avenger a standalone program or something like that?
- fredik (Security team member)
Download and run ComboFix - http://download.bleepingcomputer.com/sUBs/ComboFix.exe
- Follow the instructions; while ComboFix is running, do not click in the window that appears
- After the scan finishes, the program should create a log; please copy its entire contents here.
Well, it looks like the rootkit wasn't there, so we'll see.
For now leave it where it is.
This popped up; the same thing is in C:/combofix/combofix.txt
"Kuba" - 07-03-17 12:59:56 Service Pack 2
ComboFix 07-03-15.2 - Running from: "E:\"
(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
C:\WINDOWS\system32\pfxzmtaim.dll
C:\WINDOWS\system32\pfxzmtforum.dll
C:\WINDOWS\system32\pfxzmtgtal.dll
C:\WINDOWS\system32\pfxzmticq.dll
C:\WINDOWS\system32\pfxzmtwbmail.dll
C:\WINDOWS\system32\pfxzmtymsg.dll
C:\WINDOWS\system32\rsvp32_2.dll
C:\WINDOWS\system32\drivers\npf.sys
((((((((((((((((((((((((((((((( Files Created from 2007-02-17 to 2007-03-17 ))))))))))))))))))))))))))))))))))
2007-03-16 20:32 11 --a------ C:\WINDOWS\system32\uiqzmticq.dll
2007-03-16 19:08 8,704 --a------ C:\WINDOWS\system32\sporder.dll
2007-03-16 19:08 58,501 --a------ C:\WINDOWS\via.exe
2007-03-08 14:45 <DIR> d-------- C:\Program Files\QIP
2007-02-25 16:21 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2007-02-25 16:11 <DIR> d-------- C:\Program Files\Native Instruments
2007-02-22 13:56 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-02-21 14:49 <DIR> d-------- C:\WINDOWS\system32\URTTEMP
2007-02-21 14:45 <DIR> d-------- C:\Program Files\Sony Ericsson
2007-02-21 14:45 <DIR> d-------- C:\Program Files\Common Files\Teleca Shared
2007-02-21 14:43 94,064 --a------ C:\WINDOWS\system32\drivers\k510mdm.sys
2007-02-21 14:43 85,408 --a------ C:\WINDOWS\system32\drivers\k510mgmt.sys
2007-02-21 14:43 83,344 --a------ C:\WINDOWS\system32\drivers\k510obex.sys
2007-02-21 14:43 8,336 --a------ C:\WINDOWS\system32\drivers\k510mdfl.sys
2007-02-21 14:43 6,176 --a------ C:\WINDOWS\system32\drivers\k510cmnt.sys
2007-02-21 14:43 6,176 --a------ C:\WINDOWS\system32\drivers\k510cm.sys
2007-02-21 14:43 58,288 --a------ C:\WINDOWS\system32\drivers\k510bus.sys
2007-02-21 14:43 5,808 --a------ C:\WINDOWS\system32\drivers\k510whnt.sys
2007-02-21 14:43 5,808 --a------ C:\WINDOWS\system32\drivers\k510wh.sys
2007-02-21 14:43 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2007-02-21 14:42 <DIR> d-------- C:\WINDOWS\Downloaded Installations
(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-03-16 19:36 -------- d-------- C:\Program Files\save
2007-03-16 19:36 -------- d-------- C:\Program Files\save
2007-03-10 11:49 -------- d-------- C:\Program Files\quicktime
2007-03-10 11:49 -------- d-------- C:\Program Files\quicktime
2007-03-07 18:47 -------- d-------- C:\Program Files\icqlite
2007-03-07 18:47 -------- d-------- C:\Program Files\icqlite
2007-02-23 20:25 -------- d-------- C:\Program Files\lineageii
2007-02-23 20:25 -------- d-------- C:\Program Files\lineageii
2007-02-21 14:50 73506 --a------ C:\WINDOWS\system32\perfc005.dat
2007-02-21 14:50 398250 --a------ C:\WINDOWS\system32\perfh005.dat
2007-02-02 21:16 -------- d--h----- C:\Program Files\installshield installation information
2007-02-02 21:16 -------- d--h----- C:\Program Files\installshield installation information
2007-01-25 17:00 -------- d-------- C:\Program Files\finepixviewer
2007-01-25 17:00 -------- d-------- C:\Program Files\finepixviewer
2007-01-24 18:36 -------- d-------- C:\Program Files\microsoft games
2007-01-24 18:36 -------- d-------- C:\Program Files\microsoft games
2007-01-15 18:32 689280 --a------ C:\WINDOWS\system32\aswboot.exe
2007-01-15 18:23 90112 --a------ C:\WINDOWS\system32\avastss.scr
2007-01-15 17:52 98304 --a------ C:\WINDOWS\system32\cmdlineext.dll
(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\ctfmon.exe"
"WhenUSave"="\"C:\\Program Files\\Save\\Save.exe\""
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NVMCTRAY.DLL,NvTaskbarInit"
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runonce]
"ICQ Lite"="C:\\Program Files\\ICQLite\\ICQLite.exe -trayboot"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"NeroFilterCheck"="C:\\Program Files\\Common Files\\Ahead\\Lib\\NeroCheck.exe"
"TraMet"="C:\\Program Files\\TraMet\\TraMet.exe"
"C-Media Echo Control"="C:\\Program Files\\PCI Audio Applications\\Bin\\EchoCtrl.exe"
"C-Media Mixer"="Mixer.exe /startup"
"DAEMON Tools"="\"E:\\DAEMON Tools\\daemon.exe\" -lang 1033"
"REGSHAVE"="C:\\Program Files\\REGSHAVE\\REGSHAVE.EXE /AUTORUN"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"avast!"="C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe"
"Sony Ericsson PC Suite"="\"C:\\Program Files\\Sony Ericsson\\Mobile2\\Application Launcher\\Application Launcher.exe\" /startoptions"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ICQ Lite]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ICQLite"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\ICQLite\\ICQLite.exe\" -minimize"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Skype"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Skype\\Phone\\Skype.exe\" /nosplash /minimized"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
*newlycreated* - HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\LEGACY_NPKCRYPT
********************************************************************
catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net
scanning hidden processes ...
scanning hidden services ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0
********************************************************************
Completion time: 07-03-17 13:02:51