
Win32: Trojan-gen + VBS: Malware-gen

Virus and antivirus issues, PC security, firewalls, spyware, log checking, passwords, web browsers


belmondo
Newcomer
Posts: 1
Registered: Tue Sep 02, 2008 08:39

Win32: Trojan-gen + VBS: Malware-gen

Post by belmondo »

Hello,
unfortunately my kids infected our XP/SP2 machine from the web with spyware or a virus, Win32:Trojan-gen and VBS:Malware-gen. After a restart a big message appears on the desktop saying that the spyware Adware Virtumonde and Privacy Remover.M64 has been detected. The AVAST antivirus finds some files with the virus Win32:Trojan-gen or VBS:Malware-gen and removes them (in a scan scheduled right at restart), but once the restart completes and all processes have started, it finds and reports them again. Following your forum I produced an HJT log. I would appreciate your advice:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:26:13, on 1.9.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\lphcrosj0et63.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.exe
C:\oracle\ora92\bin\omtsreco.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.BIN
C:\oracle\ora92\BIN\TNSLSNR.exe
c:\oracle\ora92\bin\ORACLE.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Salamander\salamand.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
R3 - URLSearchHook: ChrisTV Add-on Toolbar - {1192a62b-4dbc-4d1f-b54e-d820a1be76be} - C:\Program Files\ChrisTV_Add-on\tbChr1.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: ChrisTV Add-on Toolbar - {1192a62b-4dbc-4d1f-b54e-d820a1be76be} - C:\Program Files\ChrisTV_Add-on\tbChr1.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll (file missing)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll (file missing)
O3 - Toolbar: ChrisTV Add-on Toolbar - {1192a62b-4dbc-4d1f-b54e-d820a1be76be} - C:\Program Files\ChrisTV_Add-on\tbChr1.dll
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [lphcrosj0et63] C:\WINDOWS\system32\lphcrosj0et63.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: OpenOffice.org 2.3.lnk = C:\Program Files\OpenOffice.org 2.3\program\quickstart.exe
O4 - Global Startup: Exif Launcher 2.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xportovat do aplikace Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\system32\bgsvcgen.exe
O23 - Service: F-Secure Installer restarter (FSIHS) - Unknown owner - C:\DOCUME~1\Admin\LOCALS~1\Temp\Installer\00000001\bootstrap\fsihs.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: OracleMTSRecoveryService - Oracle Corporation - C:\oracle\ora92\bin\omtsreco.exe
O23 - Service: OracleOraHome92Agent - Oracle Corporation - C:\oracle\ora92\bin\agntsrvc.exe
O23 - Service: OracleOraHome92ClientCache - Unknown owner - C:\oracle\ora92\BIN\ONRSD.EXE
O23 - Service: OracleOraHome92HTTPServer - Unknown owner - C:\oracle\ora92\Apache\Apache\apache.exe
O23 - Service: OracleOraHome92PagingServer - Unknown owner - C:\oracle\ora92/bin/pagntsrv.exe
O23 - Service: OracleOraHome92SNMPPeerEncapsulator - Unknown owner - C:\oracle\ora92\BIN\ENCSVC.EXE
O23 - Service: OracleOraHome92SNMPPeerMasterAgent - Unknown owner - C:\oracle\ora92\BIN\AGNTSVC.EXE
O23 - Service: OracleOraHome92TNSListener - Unknown owner - C:\oracle\ora92\BIN\TNSLSNR.exe
O23 - Service: OracleServiceXPS1 - Oracle Corporation - c:\oracle\ora92\bin\ORACLE.EXE
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe (file missing)

--
End of file - 7532 bytes

Ryan
Honorary member
Posts: 316
Registered: Sat Apr 21, 2007 11:05
Location: wherever there is net access :-) / Bohemian-Moravian Highlands

Re: Win32: Trojan-gen + VBS: Malware-gen

Post by Ryan »

Terminate and delete:

C:\WINDOWS\system32\lphcrosj0et63.exe

Fix in HijackThis:

O4 - HKLM\..\Run: [lphcrosj0et63] C:\WINDOWS\system32\lphcrosj0et63.exe
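
As an added example (not part of this thread), the following Python script parses HijackThis lines of the O2/O4/O23 kind posted above, extracts the hive, value name and executable path from each, derives the O4 line to fix in HijackThis from a given file path (Ryan's second step from his first), and lists entries whose file HijackThis reports as missing. The sample lines are copied from the log in this thread; the function names and the `Entry` type are my own.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample: a handful of lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll (file missing)
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [lphcrosj0et63] C:\WINDOWS\system32\lphcrosj0et63.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
"""


@dataclass
class Entry:
    section: str        # "O2", "O4" or "O23"
    hive: str           # registry hive for O4 lines ("HKLM", "HKCU", "HKUS\\S-1-5-18", ...), "" otherwise
    name: str           # Run value name, BHO name or service display name
    path: str           # executable/DLL path with quotes and arguments stripped
    file_missing: bool  # HijackThis appended "(file missing)"
    raw: str            # the original log line exactly as HijackThis printed it


# O4 - <hive>\..\Run: [<name>] <command>
_O4 = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
# O2 - BHO: <name> - {CLSID} - <dll>
_O2 = re.compile(r"^O2 - BHO: (?P<name>.+?) - \{[0-9A-Fa-f-]+\} - (?P<cmd>.*)$")
# O23 - Service: <name> - <owner> - <exe>
_O23 = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<cmd>.*)$")
_PATTERNS = (("O4", _O4), ("O2", _O2), ("O23", _O23))
# First token ending in a program-file extension; used for unquoted paths that may contain spaces.
_EXT = re.compile(r"^(?P<path>.*?\.(?:exe|dll|com|bat|cmd|scr|pif))(?:\s|$)", re.IGNORECASE)
MISSING = "(file missing)"


def _split_command(cmd: str) -> Tuple[str, bool]:
    """Separate the executable path from arguments and from the '(file missing)' marker."""
    missing = cmd.endswith(MISSING)
    if missing:
        cmd = cmd[: -len(MISSING)].strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        path = cmd[1:end] if end > 0 else cmd[1:]
    else:
        m = _EXT.match(cmd)
        path = m.group("path") if m else cmd.split(" ", 1)[0]
    return path, missing


def parse_hjt(text: str) -> List[Entry]:
    """Parse O2, O4 and O23 lines; every other HijackThis line is ignored."""
    entries: List[Entry] = []
    for line in text.splitlines():
        line = line.strip()
        for section, pattern in _PATTERNS:
            m = pattern.match(line)
            if m:
                path, missing = _split_command(m.group("cmd"))
                hive = m.group("hive") if section == "O4" else ""
                entries.append(Entry(section, hive, m.group("name"), path, missing, line))
                break
    return entries


def _norm(path: str) -> str:
    return path.replace("/", "\\").lower()


def find_by_path(entries: List[Entry], path: str) -> List[Entry]:
    """All entries whose executable path equals `path` (case-insensitive, as NTFS is)."""
    return [e for e in entries if _norm(e.path) == _norm(path)]


def missing_files(entries: List[Entry]) -> List[Entry]:
    """Entries that point at a file HijackThis could not find on disk (orphaned startup items)."""
    return [e for e in entries if e.file_missing]


def fix_lines(entries: List[Entry], path: str) -> List[str]:
    """The O4 lines that must be fixed in HijackThis so that `path` is no longer started at logon."""
    return [e.raw for e in find_by_path(entries, path) if e.section == "O4"]


if __name__ == "__main__":
    parsed = parse_hjt(SAMPLE_LOG)
    suspect = r"C:\WINDOWS\system32\lphcrosj0et63.exe"
    print("Autorun lines to fix for", suspect)
    for raw in fix_lines(parsed, suspect):
        print("  ", raw)
    print("Entries whose file is missing:")
    for e in missing_files(parsed):
        print("  ", e.section, e.name, "->", e.path)
```

Running the script against the full log posted above rather than the sample gives the same single O4 hit for the path Ryan names; the "file missing" list (Google toolbar BHOs, the F-Secure, Google Updater and RichVideo services) is harmless leftovers from uninstalled software, which is why the reply does not ask for them to be fixed.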

Anonymous2
User
Posts: 2203
Registered: Sat Feb 09, 2008 19:23

Re: Win32: Trojan-gen + VBS: Malware-gen

Post by Anonymous2 »

Thank you, it helped.

Ryan
Honorary member
Posts: 316
Registered: Sat Apr 21, 2007 11:05
Location: wherever there is net access :-) / Bohemian-Moravian Highlands

Re: Win32: Trojan-gen + VBS: Malware-gen

Post by Ryan »

You're welcome, have a nice day.

Kuba

Re: Win32: Trojan-gen + VBS: Malware-gen

Post by Kuba »

I have this and don't know what to do next. Can someone please advise me?

ComboFix 09-02-12.03 - Petr Hradil 2009-02-14 10:01:43.1 - NTFSx86
Systém Microsoft Windows XP Professional 5.1.2600.2.1250.1.1029.18.1023.636 [GMT 1:00]
Spuštěný z: c:\documents and settings\Petr Hradil\Plocha\ComboFix.exe
AV: avast! antivirus 4.8.1335 [VPS 090213-0] *On-access scanning disabled* (Updated)
.

((((((((((((((((((((((((((((((((((((((( Ostatní výmazy )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Petr Hradil\Data aplikací\inst.exe
c:\documents and settings\Petr Hradil\Local Settings\Temporary Internet Files\SLOVA.WAV
c:\windows\services.exe

.
((((((((((((((((((((((((((((((((((((((( Ovladače/Služby )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_TCPSR
-------\Service_tcpsr


((((((((((((((((((((((((( Soubory vytvořené od 2009-01-14 do 2009-02-14 )))))))))))))))))))))))))))))))
.

2009-02-13 17:24 . 2009-02-13 17:24 <DIR> d-------- c:\documents and settings\kuba\Data aplikací\Teleca
2009-02-13 17:23 . 2009-02-13 17:23 <DIR> d-------- c:\documents and settings\kuba\Data aplikací\Sony Ericsson
2009-02-13 17:23 . 2009-02-13 17:23 <DIR> d-------- c:\documents and settings\kuba\Data aplikací\ATI
2009-02-13 17:22 . 2009-02-14 08:42 <DIR> d-------- c:\documents and settings\kuba\Plocha
2009-02-13 17:22 . 2008-04-29 09:11 <DIR> d--h----- c:\documents and settings\kuba\Okolní tiskárny
2009-02-13 17:22 . 2008-04-29 09:11 <DIR> d--h----- c:\documents and settings\kuba\Okolní síť
2009-02-13 17:22 . 2009-02-13 17:23 <DIR> dr------- c:\documents and settings\kuba\Oblíbené položky
2009-02-13 17:22 . 2008-04-29 07:28 <DIR> d--h----- c:\documents and settings\kuba\Šablony
2009-02-13 17:22 . 2008-04-29 09:11 <DIR> dr------- c:\documents and settings\kuba\Nabídka Start
2009-02-13 17:22 . 2009-02-13 17:23 <DIR> dr------- c:\documents and settings\kuba\Dokumenty
2009-02-13 17:22 . 2009-02-13 17:24 <DIR> dr-h----- c:\documents and settings\kuba\Data aplikací
2009-02-13 17:22 . 2009-02-13 19:27 <DIR> d-------- c:\documents and settings\kuba
2009-02-13 16:27 . 2009-02-13 16:27 1,872 --ahs---- c:\windows\system32\msvpx86.aqmgu
2009-02-13 16:27 . 2009-02-13 16:27 275 --a------ c:\windows\{27018D57-D152-44EF-BCE0-5E3B3445EABE}_WiseFW.ini
2009-02-13 16:26 . 2009-02-13 16:26 43,520 --a------ c:\windows\system32\msvkx86.aqmgu
2009-02-13 16:26 . 2009-02-13 16:26 9,600 --a------ c:\windows\system32\msvdx86.tmp
2009-02-13 16:26 . 2009-02-13 16:26 9,600 --a------ c:\windows\system32\drivers\msvdx86.aqmgu
2009-02-13 16:26 . 2009-02-13 16:26 1,024 --a------ c:\windows\system32\msvtx86.aqmgu
2009-02-08 17:17 . 2009-02-08 17:17 <DIR> d-------- c:\program files\Stardock
2009-02-08 17:17 . 2008-04-26 16:14 42,672 --a------ c:\windows\system32\wbsys.dll
2009-02-08 16:58 . 2009-02-08 16:58 <DIR> d-------- c:\program files\UZC Trial
2009-01-31 16:27 . 2009-02-06 16:51 <DIR> d-------- c:\windows\system32\Adobe
2009-01-30 15:51 . 2009-01-30 15:51 <DIR> d-------- c:\documents and settings\Petr Hradil\Data aplikací\Capcom

.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-14 09:05 --------- d-----w c:\program files\SpeedFan
2009-02-14 07:06 --------- d-----w c:\program files\NCSoft
2009-02-13 15:32 --------- d-----w c:\documents and settings\Petr Hradil\Data aplikací\uTorrent
2009-02-13 10:30 --------- d--h--w c:\program files\InstallShield Installation Information
2009-02-09 09:00 --------- d-----w c:\program files\Avast4
2009-02-08 18:06 --------- d-----w c:\documents and settings\All Users\Data aplikací\Microsoft Help
2009-02-08 18:03 --------- d-----w c:\documents and settings\Petr Hradil\Data aplikací\Skype
2009-02-08 17:25 --------- d-----w c:\documents and settings\Petr Hradil\Data aplikací\skypePM
2009-02-03 14:13 --------- d-----w c:\program files\Garena
2009-01-25 16:37 --------- d-----w c:\documents and settings\Petr Hradil\Data aplikací\XnView
2009-01-12 21:00 --------- d-----w c:\program files\Xilisoft
2009-01-08 15:16 --------- d-----w c:\documents and settings\Petr Hradil\Data aplikací\ICQ
2009-01-05 16:40 --------- d-----w c:\program files\Metin2_TESTER
2009-01-04 14:19 --------- d-----w c:\documents and settings\Petr Hradil\Data aplikací\Teleca
2009-01-01 20:01 --------- d-----w c:\program files\MP4Tool
2009-01-01 19:57 --------- d-----w c:\program files\TRANSLAT
2008-12-31 14:28 --------- d-----w c:\documents and settings\Petr Hradil\Data aplikací\Sony Ericsson
2008-12-31 14:24 --------- d-----w c:\program files\Common Files\Teleca Shared
2008-12-31 14:24 --------- d-----w c:\program files\Common Files\Sony Ericsson Shared
2008-12-31 14:24 --------- d-----w c:\documents and settings\All Users\Data aplikací\Teleca
2008-12-31 14:24 --------- d-----w c:\documents and settings\All Users\Data aplikací\Sony Ericsson
2008-12-31 14:22 --------- d-----w c:\program files\Sony Ericsson
2008-12-27 14:33 --------- d-----w c:\program files\Common Files\InstallShield
2008-12-27 14:31 --------- d-----w c:\documents and settings\All Users\Data aplikací\UDL
2008-12-27 14:30 --------- d-----w c:\program files\epson
2008-12-27 14:29 --------- d-----w c:\program files\ABBYY FineReader 6.0 Sprint
2008-12-27 14:18 --------- d-----w c:\documents and settings\All Users\Data aplikací\EPSON
2008-12-19 19:04 --------- d-----w c:\program files\Zylom Games
2008-12-19 18:55 --------- d-----w c:\program files\WarRock
2008-12-19 18:54 --------- d-----w c:\program files\VDJ5
2008-08-30 17:08 2,248,704 ----a-w c:\program files\game.exe
2008-05-12 14:23 32 ----a-w c:\documents and settings\All Users\Data aplikací\ezsid.dat
2008-05-12 08:04 47,360 ----a-w c:\documents and settings\Petr Hradil\Data aplikací\pcouffin.sys
2008-11-22 17:11 67,696 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2008-11-22 17:11 54,376 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2008-11-22 17:11 34,952 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2008-11-22 17:11 46,720 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2008-11-22 17:11 172,144 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
.

(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SMSToolBar"="c:\program files\Mojelogo\SMS ToolBar\smstbar.exe" [2007-11-06 1076560]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-17 15360]
"EPSON Stylus DX7400 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATICDE.EXE" [2007-04-12 182272]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="c:\progra~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"VirtualCloneDrive"="c:\program files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" [2006-04-29 94208]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"Sony Ericsson PC Suite"="c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2006-11-24 487424]
"SoundMan"="SOUNDMAN.EXE" [2006-11-17 c:\windows\soundman.exe]
"Tweak UI"="TWEAKUI.CPL" [2000-01-01 c:\windows\system32\TWEAKUI.CPL]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-17 15360]

c:\documents and settings\Petr Hradil\Nabídka Start\Programy\Po spuštění\
SpeedFan.lnk - c:\program files\SpeedFan\speedfan.exe [2008-04-22 3287552]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
2008-07-22 16:42 210168 c:\program files\Stardock\Object Desktop\WindowBlinds\WbSrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wbsys.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.divxa32"= divxa32.acm
"VIDC.FFDS"= ffdshow.ax
"msacm.ac3filter"= ac3filter.acm

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ati5tvxx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ati7waxx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\CyberLink\\PowerDVD\\PowerDVD.exe"=
"c:\\Program Files\\ICQ6\\ICQ.exe"=
"c:\\Program Files\\Garena\\Garena.exe"=
"c:\\Program Files\\NCsoft\\Exteel (US)\\System\\Exteel.exe"=
"c:\\Program Files\\Metin2_TESTER\\metin2.bin"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 sfdrv01a;StarForce Protection Environment Driver (version 1.x.a);c:\windows\system32\drivers\sfdrv01a.sys [2006-07-05 63352]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-04-29 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-04-29 20560]
R2 ICQ Service;ICQ Service;c:\program files\ICQ6Toolbar\ICQ Service.exe [2008-10-12 222456]
R2 msvdx86;msvdx86;c:\windows\system32\drivers\msvdx86.aqmgu [2009-02-13 9600]
R3 PSched;Plánovač paketů technologie QoS;c:\windows\system32\drivers\psched.sys [2004-08-04 69120]
S0 ati5tvxx;ati5tvxx;c:\windows\system32\Drivers\ati5tvxx.sys --> c:\windows\system32\Drivers\ati5tvxx.sys [?]
S0 ati7waxx;ati7waxx;c:\windows\system32\Drivers\ati7waxx.sys --> c:\windows\system32\Drivers\ati7waxx.sys [?]
S3 se46bus;Sony Ericsson Device 070 driver (WDM);c:\windows\system32\drivers\se46bus.sys [2008-12-31 61536]
S3 se46mdfl;Sony Ericsson Device 070 USB WMC Modem Filter;c:\windows\system32\drivers\se46mdfl.sys [2008-12-31 9360]
S3 se46mdm;Sony Ericsson Device 070 USB WMC Modem Driver;c:\windows\system32\drivers\se46mdm.sys [2008-12-31 97088]
S3 se46mgmt;Sony Ericsson Device 070 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\se46mgmt.sys [2009-01-01 88624]
S3 se46nd5;Sony Ericsson Device 070 USB Ethernet Emulation SEMC46 (NDIS);c:\windows\system32\drivers\se46nd5.sys [2009-01-01 18704]
S3 se46obex;Sony Ericsson Device 070 USB WMC OBEX Interface;c:\windows\system32\drivers\se46obex.sys [2009-01-01 86432]
S3 se46unic;Sony Ericsson Device 070 USB Ethernet Emulation SEMC46 (WDM);c:\windows\system32\drivers\se46unic.sys [2009-01-01 90800]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Obsah adresáře 'Naplánované úlohy'

2009-02-13 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2008\OneClick.exe [2008-04-16 08:59]
.
- - - - NEPLATNÉ POLOŽKY ODSTRANĚNÉ Z REGISTRU - - - -

HKCU-Run-rs32net - c:\windows\System32\rs32net.exe
SafeBoot-ati4twxx.sys


.
------- Doplňkový sken -------
.
uStart Page = hxxp://www.seznam.cz/
uInternet Connection Wizard,ShellNext = hxxp://www.seznam.cz/
IE: E&xportovat do aplikace Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Petr Hradil\Data aplikací\Mozilla\Firefox\Profiles\5c5nhkyz.default\
FF - prefs.js: browser.search.selectedEngine - ICQ Search
FF - prefs.js: browser.startup.homepage - hxxp://www.atlas.cz/?from=icqhp
FF - prefs.js: keyword.URL - hxxp://search.icq.com/search/afe_results.php?ch_id=afex&q=
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-14 10:05:36
Windows 5.1.2600 Service Pack 2 NTFS

skenování skrytých procesů ...

skenování skrytých položek 'Po spuštění' ...

skenování skrytých souborů ...

sken byl úspešně dokončen
skryté soubory: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\msvdx86]
"ImagePath"="system32\DRIVERS\msvdx86.aqmgu"
.
--------------------- Knihovny navázané na běžící procesy ---------------------

- - - - - - - > 'winlogon.exe'(764)
c:\windows\system32\Ati2evxx.dll
c:\program files\Stardock\Object Desktop\WindowBlinds\WBSrv.dll
.
------------------------ Jiné spuštené procesy ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Avast4\aswUpdSv.exe
c:\program files\Avast4\ashServ.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\Nero\Nero8\Nero BackItUp\NBService.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
c:\program files\CDBurnerXP\NMSAccessU.exe
c:\program files\CyberLink\Shared files\RichVideo.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Avast4\ashMaiSv.exe
c:\program files\Avast4\ashWebSv.exe
c:\program files\Common Files\Teleca Shared\Generic.exe
c:\program files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
.
**************************************************************************
.
Celkový čas: 2009-02-14 10:11:12 - počítač byl restartován [Petr Hradil]
ComboFix-quarantined-files.txt 2009-02-14 09:11:09

Před spuštěním: Volných bajtů: 36,140,417,024
Po spuštění: Volných bajtů: 36,392,665,088

208 --- E O F --- 2008-05-12 07:43:08

Ryan
Honorary member
Posts: 316
Registered: Sat Apr 21, 2007 11:05
Location: wherever there is net access :-) / Bohemian-Moravian Highlands

Re: Win32: Trojan-gen + VBS: Malware-gen

Post by Ryan »

Kuba, please start your own topic so we don't make a mess here. Thanks.

Anonymous2
User
Posts: 2203
Registered: Sat Feb 09, 2008 19:23

Re: Win32: Trojan-gen + VBS: Malware-gen

Post by Anonymous2 »

Hello. I know this has come up here several times already, but I still can't figure it out. I have a problem with Win32:Trojan-gen (other); it is in the folder C:\WINDOWS\Temp\VRT1.tmp. I moved it to the Virus Chest, but every time I turn on or restart the PC it keeps popping up that there is a virus there. So I looked at the forums and tried that ComboFix and then also, I think it was called MB free asrtro, and it checked the PC and reported that it found no virus, but I still have it. I would really appreciate some advice. Here I am posting the output generated by ComboFix; I no longer have the one from the other tool.


ComboFix 09-02-18.01 - xxxx 2009-02-20 9:55:34.1 - NTFSx86
Systém Microsoft Windows XP Professional 5.1.2600.3.1250.1.1029.18.511.159 [GMT 1:00]
Spuštěný z: c:\documents and settings\xxxx\Plocha\ComboFix.exe
AV: avast! antivirus 4.8.1335 [VPS 090219-0] *On-access scanning enabled* (Updated)
* Vytvořen nový Bod Obnovení
.

((((((((((((((((((((((((((((((((((((((( Ostatní výmazy )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\xxxx\Data aplikací\inst.exe
c:\windows\system32\d3d8caps.dat
c:\windows\system32\Pncrt.dll

. . . je infikován!!

Nakažená kopie byla nalezena a vyléčena.
Obnovena kopie z -


Nakažená kopie byla nalezena a vyléčena.
Obnovena kopie z -


.
((((((((((((((((((((((((( Soubory vytvořené od 2009-01-20 do 2009-02-20 )))))))))))))))))))))))))))))))
.

2009-02-13 15:03 . 2009-02-19 15:12 <DIR> d-------- c:\program files\Call of Duty
2009-02-13 15:00 . 2009-02-17 13:53 766 --a------ c:\windows\CoD.INI
2009-02-11 12:57 . 2009-02-11 12:57 287 --a------ c:\windows\game.ini
2009-02-11 12:36 . 2009-02-11 12:36 <DIR> d-------- c:\program files\Activision
2009-02-11 12:33 . 2009-02-11 12:33 <DIR> d--hs---- c:\windows\ftpcache
2009-02-08 15:43 . 2009-02-08 15:43 <DIR> d-------- c:\documents and settings\xxxx\Data aplikací\Leadertech
2009-02-08 15:32 . 2009-02-08 15:32 0 --a------ c:\windows\PowerReg.dat
2009-02-04 12:34 . 2009-02-04 12:34 <DIR> d-------- C:\Word ciklista a životopis
2009-02-03 23:41 . 2009-02-03 23:41 3,932,214 --a------ c:\windows\BricoPack Wallpaper.bmp
2009-02-03 23:41 . 2009-02-03 23:41 64,778 --a------ c:\windows\BricoPackUninst.cmd
2009-02-03 23:33 . 2009-02-03 23:41 6,112 --a------ c:\windows\BricoPackFoldersDelete.cmd
2009-02-03 23:31 . 2009-02-03 23:31 <DIR> d-------- c:\windows\BricoPacks
2009-02-03 20:03 . 2008-04-14 08:52 219,648 --a--c--- c:\windows\system32\dllcache\uxtheme.dll
2009-02-03 19:55 . 2009-02-03 19:56 <DIR> d-------- c:\program files\VisualTaskTips
2009-01-25 20:48 . 2009-01-25 20:48 <DIR> d-------- c:\documents and settings\All Users\Data aplikací\vsosdk
2009-01-25 16:44 . 2009-01-25 16:44 <DIR> d-------- c:\program files\VSO
2009-01-25 16:44 . 2006-05-20 16:16 1,184,984 --a------ c:\windows\system32\wvc1dmod.dll
2009-01-25 16:44 . 2006-05-11 19:21 626,688 --a------ c:\windows\system32\vp7vfw.dll
2009-01-25 16:44 . 2006-09-29 12:24 217,127 --a------ c:\windows\system32\drv43260.dll
2009-01-25 16:44 . 2006-09-29 12:25 208,935 --a------ c:\windows\system32\drv33260.dll
2009-01-25 16:44 . 2006-09-29 12:26 176,165 --a------ c:\windows\system32\drv23260.dll
2009-01-25 16:44 . 2002-12-10 02:20 102,439 --a------ c:\windows\system32\sipr3260.dll
2009-01-25 16:44 . 2007-03-18 20:37 65,602 --a------ c:\windows\system32\cook3260.dll
2009-01-25 16:28 . 2009-02-12 17:58 <DIR> d-------- c:\documents and settings\xxxx\Data aplikací\Vso
2009-01-25 16:28 . 2009-01-25 16:44 47,360 --a------ c:\windows\system32\drivers\pcouffin.sys
2009-01-25 16:28 . 2009-01-25 16:44 47,360 --a------ c:\documents and settings\xxxx\Data aplikací\pcouffin.sys
2009-01-25 16:26 . 2009-01-25 16:26 <DIR> d-------- c:\program files\Common Files\Download Manager
2009-01-23 10:00 . 1996-09-30 19:46 41,472 --------- c:\windows\UniFISH.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-19 13:22 188,848 ----a-w c:\windows\system32\PnkBstrB.exe
2009-02-19 13:22 138,064 ----a-w c:\windows\system32\drivers\PnkBstrK.sys
2009-02-13 14:31 --------- d--h--w c:\program files\InstallShield Installation Information
2009-02-13 12:16 70,968 ----a-w c:\windows\system32\PnkBstrA.exe
2009-02-10 11:07 --------- d-----w c:\program files\Czech Soccer Manager 2002 FE
2009-02-04 18:48 --------- d-----w c:\documents and settings\All Users\Data aplikací\Apple Computer
2009-02-03 22:41 219,648 ----a-w c:\windows\system32\uxtheme.dll
2009-01-18 17:04 --------- d-----w c:\documents and settings\xxxx\Data aplikací\ICQ
2009-01-16 15:21 --------- d-----w c:\documents and settings\xxxx\Data aplikací\Allstar
2009-01-15 20:08 --------- d-----w c:\documents and settings\xxxx\Data aplikací\Skype
2009-01-15 20:04 --------- d-----w c:\documents and settings\xxxx\Data aplikací\skypePM
2009-01-13 23:46 757,760 ----a-w c:\windows\iun6002.exe
2009-01-11 13:01 --------- d-----w c:\program files\DNA
2009-01-11 11:38 --------- d-----w c:\program files\GamePark
2009-01-03 17:56 --------- d-----w c:\program files\FDRLab
2009-01-03 17:51 --------- d-----w c:\documents and settings\xxxx\Data aplikací\Orbit
2008-12-28 08:17 --------- d-----w c:\program files\Seznam
2008-12-26 15:18 --------- d-----w c:\documents and settings\All Users\Data aplikací\NFS Underground
2008-12-20 23:03 826,368 ----a-w c:\windows\system32\wininet.dll
2008-12-20 11:05 --------- d-----w c:\documents and settings\xxxx\Data aplikací\Microsoft Games
2008-12-16 16:46 22,328 ----a-w c:\documents and settings\xxxx\Data aplikací\PnkBstrK.sys
2008-12-07 10:44 98,304 ----a-w c:\windows\system32\CmdLineExt.dll
.

------- Sigcheck -------

2002-09-20 19:05 13312 8708be15ac5f27386b5d5fe7a1ebaf26 c:\windows\$NtServicePackUninstall$\ctfmon.exe
2008-04-14 08:52 15360 a756b8f0f7bafba6dfe39f7d169f2519 c:\windows\ServicePackFiles\i386\ctfmon.exe
2008-04-14 08:52 32256 364c3e519c19027a13451a234d2218f2 c:\windows\system32\ctfmon.exe

2001-10-25 15:00 51200 fbd651b9cf8f5297f86961843d6f1bab c:\windows\$NtServicePackUninstall$\spoolsv.exe
2008-04-14 08:52 57856 cb1090bca0e7b40d0b5b4e4d66531809 c:\windows\ServicePackFiles\i386\spoolsv.exe
2008-04-14 08:52 74752 a50c61c49a8fc065da2c6e1a7d2c615e c:\windows\system32\spoolsv.exe

2002-09-20 19:05 140288 fa4b5c09c730f2fee754e69264ea198d c:\windows\$NtServicePackUninstall$\wuauclt.exe
2008-10-16 14:09 66584 2275f45e257d46e6500558b2930cb9a4 c:\windows\ServicePackFiles\i386\wuauclt.exe
2008-10-16 14:09 66584 2275f45e257d46e6500558b2930cb9a4 c:\windows\system32\wuauclt.exe
2008-10-16 14:09 51224 e654b78d2f1d791b30d0ed9a8195ec22 c:\windows\system32\dllcache\wuauclt.exe

2002-09-20 19:05 39424 ef8f9b98b1513f789858b2eabdab86f8 c:\windows\$NtServicePackUninstall$\userinit.exe
2008-04-14 08:52 43008 472411942115a266dda871fa6af84b78 c:\windows\ServicePackFiles\i386\userinit.exe
2008-04-14 08:52 43520 8d9fc2f4caa44d77331cb3d22fda207e c:\windows\system32\userinit.exe
.
(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 32256]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-11-16 159744]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2005-12-07 47104]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2006-04-13 69632]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 176128]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"SMail"="c:\program files\Seznam\Postak\Postak.exe" [2008-02-21 474416]
"SoundMan"="SOUNDMAN.EXE" [2006-01-11 c:\windows\soundman.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 32256]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\explorer.exe,"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\ICQ6\\ICQ.exe"=
"c:\\Program Files\\Call of Duty\\CoDMP.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Call of Duty\\CoDUOMP.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Activision\\Call of Duty 2\\CoD2MP_s.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-11-16 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-11-16 20560]
R2 ICQ Service;ICQ Service;c:\program files\ICQ6Toolbar\ICQ Service.exe [2008-11-16 222456]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
R3 PSched;Plánovač paketů technologie QoS;c:\windows\system32\drivers\psched.sys [2002-08-29 69120]
S3 atirage;atirage;c:\windows\system32\drivers\atiragem.sys [2008-11-16 70528]
.
Obsah adresáře 'Naplánované úlohy'

2009-02-20 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 19:20]
.
- - - - NEPLATNÉ POLOŽKY ODSTRANĚNÉ Z REGISTRU - - - -

URLSearchHooks-{EEE6C35D-6118-11DC-9C72-001320C79847} - c:\program files\SweetIM\Toolbars\Internet Explorer\mgHelper.dll
BHO-{EEE6C35C-6118-11DC-9C72-001320C79847} - c:\program files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll
Toolbar-{EEE6C35B-6118-11DC-9C72-001320C79847} - c:\program files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll
WebBrowser-{EEE6C35B-6118-11DC-9C72-001320C79847} - c:\program files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll


.
------- Doplňkový sken -------
.
uStart Page = hxxp://search.orbitdownloader.com
mStart Page = hxxp://home.sweetim.com
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xportovat do aplikace Microsoft Office Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.
.
------- Asociace souborů -------
.
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-20 10:06:21
Windows 5.1.2600 Service Pack 3 NTFS

detected NTDLL code modification:
ZwOpenFile

skenování skrytých procesů ...

skenování skrytých položek 'Po spuštění' ...

skenování skrytých souborů ...


c:\windows\TEMP\TMP00000004CC44B45501D947F1 524288 bytes executable

sken byl úspešně dokončen
skryté soubory: 1

**************************************************************************
.
--------------------- Knihovny navázané na běžící procesy ---------------------

- - - - - - - > 'winlogon.exe'(544)
c:\windows\system32\Ati2evxx.dll
.
------------------------ Jiné spuštené procesy ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\PnkBstrB.exe
c:\program files\CyberLink\Shared files\RichVideo.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\windows\Temp\VRT2.tmp
c:\program files\Internet Explorer\iexplore.exe
.
**************************************************************************
.
Celkový čas: 2009-02-20 10:11:50 - počítač byl restartován
ComboFix-quarantined-files.txt 2009-02-20 09:11:32

Před spuštěním: 9 957 130 240
Po spuštění: Volných bajtů: 10,166,292,480

WindowsXP-KB310994-SP2-Pro-BootDisk-CSY.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

196 --- E O F --- 2009-02-20 07:31:17
Anonymous2
User
Posts: 2203
Registered: Sat Feb 09, 2008 19:23

Re: Win32: Trojan-gen + VBS: Malware-gen

Post by Anonymous2 »

Hello, I have win32 malware gen on my PC and have no idea what to do with it, please advise :))
Thank you

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 0:19:57, on 3.10.2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
C:\Program Files\LogMeIn Hamachi\hamachi-2.exe
C:\Program Files\ICQ6Toolbar\ICQ Service.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosOBEX.exe
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\Program Files\Microsoft Private Folder 1.0\PrfldSvc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosBtProc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ICQ6.5\ICQ.exe
C:\Program Files\World of Warcraft\WoW.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.seznam.cz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
R3 - URLSearchHook: UrlSearchHook Class - {00000000-6E41-4FD3-8538-502F5495E5FC} - C:\Program Files\Ask.com\GenericAskToolbar.dll
R3 - URLSearchHook: (no name) - - (no file)
R3 - URLSearchHook: ICQToolBar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQ6Toolbar\ICQToolBar.dll
O2 - BHO: QuickStores-Toolbar - {10EDB994-47F8-43F7-AE96-F2EA63E9F90F} - mscoree.dll (file missing)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Ask Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: Ukazatel S-Rank - {EA837F48-5AD1-443E-AE34-FFE03CBF3099} - C:\Program Files\Seznam.cz\core.2.dll
O3 - Toolbar: DAEMON Tools Toolbar - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files\DAEMON Tools Toolbar\DTToolbar.dll
O3 - Toolbar: &Crawler lišta - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O3 - Toolbar: ICQToolBar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQ6Toolbar\ICQToolBar.dll
O3 - Toolbar: Ask Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O3 - Toolbar: QuickStores-Toolbar - {10EDB994-47F8-43F7-AE96-F2EA63E9F90F} - mscoree.dll (file missing)
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [SMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [LogMeIn Hamachi Ui] "C:\Program Files\LogMeIn Hamachi\hamachi-2-ui.exe" --auto-start
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [SpywareTerminator] "C:\PROGRA~1\SPYWAR~1\SpywareTerminatorShield.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
O4 - HKCU\..\Run: [SpywareTerminatorUpdate] "C:\Program Files\Spyware Terminator\SpywareTerminatorUpdate.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Bluetooth Manager.lnk = ?
O8 - Extra context menu item: Crawler Search - tbr:iemenu
O8 - Extra context menu item: E&xportovat do aplikace Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Odeslat do aplikace OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: Od&eslat do aplikace OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6.5\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6.5\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} (Oberon Flash Game Host) - http://icq.oberon-media.com/Gameshell/G ... meHost.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{FD523AF4-F5A5-4D9E-A39A-48E36562B432}: NameServer = 182.168.1.1
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Protocol: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Seagate Service (FreeAgentGoNext Service) - Seagate Technology LLC - C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
O23 - Service: Google Update Service (gupdate1c986dda26e7694) (gupdate1c986dda26e7694) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LogMeIn Hamachi 2.0 Tunneling Engine (Hamachi2Svc) - LogMeIn Inc. - C:\Program Files\LogMeIn Hamachi\hamachi-2.exe
O23 - Service: ICQ Service - Unknown owner - C:\Program Files\ICQ6Toolbar\ICQ Service.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: Private Folder Service (prfldsvc) - Unknown owner - C:\Program Files\Microsoft Private Folder 1.0\PrfldSvc.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe

--
End of file - 13138 bytes
Ryan
Honorary member
Posts: 316
Registered: Sat Apr 21, 2007 11:05
Location: wherever there is internet access :-) / Českomoravská Vysočina

Re: Win32: Trojan-gen + VBS: Malware-gen

Post by Ryan »

Hello,

download this: http://www.forospyware.com/sUBs/ComboFix.exe and run it over the PC with the antivirus switched off. When it finishes, the program spits out a log similar to the one from HijackThis. Post it here and we will see what comes next.
Anonymous2
User
Posts: 2203
Registered: Sat Feb 09, 2008 19:23

Re: Win32: Trojan-gen + VBS: Malware-gen

Post by Anonymous2 »

Hello, thanks for the advice :) here is the report :)) yesterday I quarantined some malware using the ADAWARE program :))
ComboFix 10-10-02.02 - Robert 03.10.2010 12:53:22.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1250.420.1029.18.3071.2204 [GMT 2:00]
Spuštěný z: c:\documents and settings\Robert\Plocha\ComboFix.exe
AV: avast! antivirus 4.8.1368 [VPS 101002-2] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Ostatní výmazy )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Robert\Local Settings\Temporary Internet Files\{5617ECA9-488D-4BA2-8562-9710B9AB78D2}
c:\documents and settings\Robert\Local Settings\Temporary Internet Files\{5617ECA9-488D-4BA2-8562-9710B9AB78D2}\bg.jpg
c:\documents and settings\Robert\Local Settings\Temporary Internet Files\{5617ECA9-488D-4BA2-8562-9710B9AB78D2}\CurrentVersion.xml
c:\documents and settings\Robert\Local Settings\Temporary Internet Files\{5617ECA9-488D-4BA2-8562-9710B9AB78D2}\Data\ProductInfo.mx
c:\documents and settings\Robert\Local Settings\Temporary Internet Files\{5617ECA9-488D-4BA2-8562-9710B9AB78D2}\icon.ico
c:\documents and settings\Robert\Local Settings\Temporary Internet Files\{5617ECA9-488D-4BA2-8562-9710B9AB78D2}\productinfo.dll
c:\documents and settings\Robert\Local Settings\Temporary Internet Files\{5617ECA9-488D-4BA2-8562-9710B9AB78D2}\Setup.exe
C:\Thumbs.db
c:\windows\system32\vbzlib1.dll

.
((((((((((((((((((((((((( Soubory vytvořené od 2010-09-03 do 2010-10-03 )))))))))))))))))))))))))))))))
.

2010-10-03 10:41 . 2010-10-03 10:41 390144 ----a-w- c:\windows\system32\CF27814.exe
2010-09-16 16:26 . 2010-09-16 16:26 -------- d-----w- c:\program files\Common Files\Skype
2010-09-16 16:26 . 2010-09-16 16:26 -------- d-----r- c:\program files\Skype
2010-09-10 16:38 . 2010-09-10 16:38 503808 ----a-w- c:\documents and settings\Robert\Data aplikací\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-5ea49810-n\msvcp71.dll
2010-09-10 16:38 . 2010-09-10 16:38 499712 ----a-w- c:\documents and settings\Robert\Data aplikací\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-5ea49810-n\jmc.dll
2010-09-10 16:38 . 2010-09-10 16:38 348160 ----a-w- c:\documents and settings\Robert\Data aplikací\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-5ea49810-n\msvcr71.dll
2010-09-10 16:38 . 2010-09-10 16:38 61440 ----a-w- c:\documents and settings\Robert\Data aplikací\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-5a2c67ea-n\decora-sse.dll
2010-09-10 16:38 . 2010-09-10 16:38 12800 ----a-w- c:\documents and settings\Robert\Data aplikací\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-5a2c67ea-n\decora-d3d.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-10-02 22:02 . 2009-11-09 11:37 -------- d-----w- c:\program files\Spyware Terminator
2010-10-02 08:36 . 2008-04-14 12:00 84030 ----a-w- c:\windows\system32\perfc005.dat
2010-10-02 08:36 . 2008-04-14 12:00 440828 ----a-w- c:\windows\system32\perfh005.dat
2010-09-30 17:23 . 2009-01-30 18:09 -------- d-----w- c:\program files\Microsoft Silverlight
2010-09-30 13:31 . 2010-08-01 20:33 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-09-24 05:08 . 2009-02-04 15:20 -------- d-----w- c:\program files\Google
2010-09-23 18:42 . 2009-12-23 18:54 -------- d-----w- c:\program files\World of Warcraft
2010-08-17 13:17 . 2008-04-14 12:00 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-06 12:18 . 2009-02-14 16:17 -------- d-----w- c:\program files\Microsoft Games
2010-08-05 18:56 . 2008-12-25 14:08 138592 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2010-08-05 18:56 . 2008-12-25 14:08 219128 ----a-w- c:\windows\system32\PnkBstrB.exe
2010-07-31 10:24 . 2010-07-31 10:24 27632 ----a-w- c:\windows\system32\drivers\seehcri.sys
2010-07-31 10:23 . 2010-07-31 10:23 25512 ----a-w- c:\windows\system32\drivers\ggsemc.sys
2010-07-31 10:23 . 2010-07-31 10:23 13224 ----a-w- c:\windows\system32\drivers\ggflt.sys
2010-07-31 10:23 . 2010-07-31 10:23 1112288 ----a-w- c:\windows\system32\WdfCoInstaller01007.dll
2010-07-22 15:46 . 2008-04-14 12:00 590848 ----a-w- c:\windows\system32\rpcrt4.dll
2010-07-22 06:19 . 2008-05-05 05:25 5632 ----a-w- c:\windows\system32\xpsp4res.dll
2010-07-17 03:00 . 2010-07-31 10:10 423656 ----a-w- c:\windows\system32\deployJava1.dll
.

(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{00000000-6E41-4FD3-8538-502F5495E5FC}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-05-26 1385864]

[HKEY_CLASSES_ROOT\clsid\{00000000-6e41-4fd3-8538-502f5495e5fc}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2010-05-26 13:23 1385864 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-05-26 1385864]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-05-26 1385864]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" [2008-02-28 1828136]
"SpywareTerminatorUpdate"="c:\program files\Spyware Terminator\SpywareTerminatorUpdate.exe" [2009-11-09 3055616]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2007-03-08 16125952]
"SkyTel"="SkyTel.EXE" [2006-05-16 2879488]
"SMSERIAL"="c:\program files\Motorola\SMSERIAL\sm56hlpr.exe" [2007-01-29 638976]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-05-25 786521]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-04-29 8429568]
"nwiz"="nwiz.exe" [2007-04-29 1626112]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-04-29 81920]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-02-21 819200]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-02-21 970752]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"LogMeIn Hamachi Ui"="c:\program files\LogMeIn Hamachi\hamachi-2-ui.exe" [2010-03-30 1820040]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"SpywareTerminator"="c:\program files\Spyware Terminator\SpywareTerminatorShield.exe" [2009-11-09 2172416]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Nabídka Start\Programy\Po spuštění\
Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng1.exe [2006-5-24 49152]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="c:\windows\system32\logonuiX.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
2001-12-20 22:34 24576 ----a-w- c:\program files\Stardock\Object Desktop\ThemeManager\fastload.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\wbsys.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"LightScribe Control Panel"=c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
"StudentDOG"=c:\program files\Student DOG\StudentDOG.exe -h
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" /background
"STYLEXP"=c:\program files\TGTSoft\StyleXP\StyleXP.exe -Hide
"SpybotSD TeaTimer"=c:\program files\Spybot - Search & Destroy\TeaTimer.exe
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" -autorun
"SpywareTerminatorUpdate"="c:\program files\Spyware Terminator\SpywareTerminatorUpdate.exe"
"Skype"="c:\program files\Skype\\Phone\Skype.exe" /nosplash /minimized

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Launch LGDCore"="c:\program files\Common Files\Logitech\G-series Software\LGDCore.exe" /SHOWHIDE
"SpywareTerminator"="c:\program files\Spyware Terminator\SpywareTerminatorShield.exe"
"MaxMenuMgr"="c:\program files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\Crysis.exe"=
"c:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\CrysisDedicatedServer.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\EA GAMES\\The Battle for Middle-earth (tm)\\game.dat"=
"c:\\Program Files\\EA Sports\\NHL 09\\nhl2009.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires III\\age3.exe"=
"c:\\Program Files\\World of Warcraft\\Launcher.exe"=
"c:\\Program Files\\TrackMania Sunrise2\\TmSunrise.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.1.3.9947-to-3.2.0.10192-enGB-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.2.0.10192-to-3.2.0.10314-enGB-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.2.0.10314-to-3.2.2.10482-enGB-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.2.2.10482-to-3.2.2.10505-enGB-downloader.exe"=
"c:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Documents and Settings\\Robert\\Plocha\\Parbisss\\Warcraft III\\Warcraft III.exe"=
"c:\\Program Files\\CAPCOM\\RESIDENT EVIL 5\\RE5DX9.EXE"=
"c:\\Program Files\\CAPCOM\\RESIDENT EVIL 5\\RE5DX10.EXE"=
"c:\\Program Files\\Opera\\opera.exe"=
"c:\\Program Files\\ICQ6.5\\ICQ.exe"=
"c:\\Program Files\\EA Sports\\FIFA 10\\FIFA10.exe"=
"c:\\Program Files\\Hasbro Interactive\\RollerCoaster Tycoon\\rct.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8170:TCP"= 8170:TCP:BitComet 8170 TCP
"8170:UDP"= 8170:UDP:BitComet 8170 UDP
"21741:TCP"= 21741:TCP:BitComet 21741 TCP
"21741:UDP"= 21741:UDP:BitComet 21741 UDP
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [1.10.2009 16:05 64160]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [24.12.2008 20:18 114768]
R1 sp_rsdrv2;Spyware Terminator Driver 2;c:\windows\system32\drivers\sp_rsdrv2.sys [9.11.2009 13:37 142592]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [24.12.2008 20:18 20560]
R2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [27.3.2009 15:54 165160]
R2 Hamachi2Svc;LogMeIn Hamachi 2.0 Tunneling Engine;c:\program files\LogMeIn Hamachi\hamachi-2.exe [30.3.2010 11:16 1107336]
R2 ICQ Service;ICQ Service;c:\program files\ICQ6Toolbar\ICQ Service.exe [23.1.2010 20:06 222968]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [3.7.2009 16:49 1029456]
R2 Prvflder;Prvflder;c:\windows\system32\drivers\prvflder.sys [21.4.2006 8:22 70912]
R3 seehcri;Sony Ericsson seehcri Device Driver;c:\windows\system32\drivers\seehcri.sys [31.7.2010 12:24 27632]
R3 SynMini;Syntek USB2.0 2M WebCam;c:\windows\system32\drivers\SynMini.sys [27.11.2006 11:53 1208064]
R3 SynScan;Syntek USB2.0 2M WebCam Still Image;c:\windows\system32\drivers\SynScan.sys [5.10.2006 3:54 8064]
S2 gupdate1c986dda26e7694;Google Update Service (gupdate1c986dda26e7694);c:\program files\Google\Update\GoogleUpdate.exe [4.2.2009 17:31 133104]
S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys [31.7.2010 12:23 13224]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [24.12.2008 21:34 691696]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2008-02-26 13:06 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Obsah adresáře 'Naplánované úlohy'

2010-10-03 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2008\OneClickStarter.exe [2008-06-20 08:09]

2010-09-30 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-07-03 14:08]

2010-10-03 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-02-04 13:03]

2010-10-03 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-04 15:31]

2010-10-03 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-04 15:31]

2010-10-03 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
- c:\program files\Ask.com\UpdateTask.exe [2010-05-26 13:23]

2010-10-03 c:\windows\Tasks\User_Feed_Synchronization-{93652C6F-65F2-484E-892B-398593C7E881}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 03:31]
.
.
------- Doplňkový sken -------
.
IE: Crawler Search - tbr:iemenu
IE: E&xportovat do aplikace Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: {FD523AF4-F5A5-4D9E-A39A-48E36562B432} = 182.168.1.1
Handler: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - c:\progra~1\Crawler\Toolbar\ctbr.dll
FF - ProfilePath - c:\documents and settings\Robert\Data aplikací\Mozilla\Firefox\Profiles\3vyfuzax.default\
FF - prefs.js: browser.search.selectedEngine - Ask.com
FF - prefs.js: browser.startup.homepage - About:Blank
FF - prefs.js: keyword.URL - hxxp://websearch.ask.com/redirect?client=ff&src=kw&tb=FF&o=14594&locale=en_EU&apn_uid=83677BFC-4209-416F-BA22-5DF08489ECA2&apn_ptnrs=FV&apn_sauid=E3D1BAF0-7719-46E5-9554-7348DB2330A7&apn_dtid=&q=
FF - component: c:\program files\Crawler\Toolbar\firefox\components\xcomm.dll
FF - component: c:\program files\Crawler\Toolbar\firefox\components\xshared.dll
FF - component: c:\program files\Crawler\Toolbar\firefox\components\xsupport.dll
FF - component: c:\program files\Crawler\Toolbar\firefox\components\xwsg.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- NASTAVENÍ FIREFOXU ----
c:\program files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".cz");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-10-03 12:59
Windows 5.1.2600 Service Pack 3 NTFS

skenování skrytých procesů ...

skenování skrytých položek 'Po spuštění' ...

skenování skrytých souborů ...

sken byl úspešně dokončen
skryté soubory: 0

**************************************************************************
.
--------------------- ZAMKNUTÉ KLÍČE V REGISTRU ---------------------

[HKEY_USERS\S-1-5-21-842925246-583907252-1801674531-1004\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-842925246-583907252-1801674531-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID]
@Denied: (Full) (LocalSystem)

[HKEY_USERS\S-1-5-21-842925246-583907252-1801674531-1004\Software\SecuROM\License information*]
"datasecu"=hex:65,ce,d0,96,0b,12,ae,ad,48,e6,de,7d,6e,b1,9c,70,4b,6b,e1,4f,51,
95,ab,5d,af,5b,4d,c7,8d,53,c5,76,59,0d,15,dc,ad,38,c2,a6,6e,4f,31,36,13,62,\
"rkeysecu"=hex:01,f8,75,05,ad,60,34,1f,9d,10,df,30,73,b5,ba,7d

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- Knihovny navázané na běžící procesy ---------------------

- - - - - - - > 'winlogon.exe'(1328)
c:\program files\Stardock\Object Desktop\ThemeManager\fastload.dll
.
Celkový čas: 2010-10-03 13:01:39
ComboFix-quarantined-files.txt 2010-10-03 11:01

Před spuštěním: Volných bajtů: 109 801 885 696
Po spuštění: Volných bajtů: 110 832 549 888

WindowsXP-KB310994-SP2-Home-BootDisk-CSY.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - 7E354124FCD98B033A3B3C1D5D201A13
Ryan
Honorary member
Posts: 316
Registered: Sat Apr 21, 2007 11:05
Location: wherever there is internet access :-) / Českomoravská Vysočina

Re: Win32: Trojan-gen + VBS: Malware-gen

Post by Ryan »

also delete this:

c:\windows\system32\CF27814.exe

and it will be OK
Ryan
Honorary member
Posts: 316
Registered: Sat Apr 21, 2007 11:05
Location: wherever there is internet access :-) / Českomoravská Vysočina

Re: Win32: Trojan-gen + VBS: Malware-gen

Post by Ryan »

Then also clean the registry with CCleaner...