Stále se objevující vir Win32/Rootkit.Agent.DP

[Kardif]

Stále se nemohu zbavit virů, které při spuštění systému hlásí nod32 !!!

Hned po startu nahlásí nod32 tyto viry:

C:\WINDOWS\system32\drivers\ip6fw.sys Win32/Rootkit.Agent.DP trojský kůň
C:\WINDOWS\System32\drivers\runtime.sys Win32/Rootkit.Agent.NDF trojský kůň
C:\DOCUME~1\xxxx\LOCALS~1\Temp\46156.exe Win32/Wigon.Z trojský kůň

Výpis z hijacku:

Kód: Vybrat vše

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:49:38, on 12.11.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Nero\Nero 7\InCD\InCD.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.seznam.cz/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\PCHEALTH\HELPCTR\System\panels\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WebTransBHO Class - {2DB66063-BB98-466A-AA0D-3E7ACF5ED853} - C:\WINDOWS\WebIE.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O3 - Toolbar: WebTranslator - {BFC32E1D-EE75-4A48-BC60-104E11EE2431} - C:\WINDOWS\WebIE.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Nero\Nero 7\InCD\InCD.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xportovat do aplikace Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: WebTran - {7E6A20FB-153F-402c-A84B-1A64E1955D3D} - C:\WINDOWS\WebIE.dll
O9 - Extra button: Zdroje informací - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {BFC32E1D-EE75-4A48-BC60-104E11EE2431} - (no file)
O9 - Extra button: (no name) - {CC963627-B1DC-40E0-B52A-CF21EE748449} - C:\WINDOWS\WebIE.dll
O9 - Extra 'Tools' menuitem: &Nastavit překladač - {CC963627-B1DC-40E0-B52A-CF21EE748449} - C:\WINDOWS\WebIE.dll
O9 - Extra button: (no name) - {CC963627-B1DC-40E0-B52A-CF21EE748450} - C:\WINDOWS\WebIE.dll
O9 - Extra 'Tools' menuitem: &Slovník - {CC963627-B1DC-40E0-B52A-CF21EE748450} - C:\WINDOWS\WebIE.dll
O9 - Extra button: (no name) - {CC963627-B1DC-40E0-B52A-CF21EE748451} - C:\WINDOWS\WebIE.dll
O9 - Extra 'Tools' menuitem: Přeložit &označený text - {CC963627-B1DC-40E0-B52A-CF21EE748451} - C:\WINDOWS\WebIE.dll
O9 - Extra button: (no name) - {CC963627-B1DC-40E0-B52A-CF21EE748452} - C:\WINDOWS\WebIE.dll
O9 - Extra 'Tools' menuitem: Přeložit &stránku - {CC963627-B1DC-40E0-B52A-CF21EE748452} - C:\WINDOWS\WebIE.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset  - C:\Program Files\Eset\nod32krn.exe

-- 
End of file - 5053 bytes 

Nevím už co s tím poraďte prosím

Kdyžtak napište podrobnější návod jak se toho zbavit nejsem v tom tak zběhlej

[BUBINO]

Klidek

Vypnite NODa aby vas neznervoznoval .

Urobte log z ComboFix
Stiahnite si ComboFix http://download.bleepingcomputer.com/sUBs/ComboFix.exe
Restartuje pocitac do nudzoveho rezimu.
Behom skenu bude vas pocitac restartovany.
Po restartu vytvori log, uložený v C:/Combofix.txt .
Jeho obsah vlozte sem.

[Kardif]

Výpis z combofixu:

Kód: Vybrat vše

ComboFix 07-11-08.1 - pepa 2007-11-12 22:24:01.3 - NTFSx86 MINIMAL
Running from: C:\Documents and Settings\pepa\Plocha\ComboFix.exe
.

	Unable to gain System Privileges

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\drivers\runtime2.sys

.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_RUNTIME
-------\LEGACY_RUNTIME2
-------\runtime


(((((((((((((((((((((((((   Files Created from 2007-10-12 to 2007-11-12  )))))))))))))))))))))))))))))))
.

2007-11-12 22:05	<DIR>	d--h-----	C:\Documents and Settings\Administrator\ćablony
2007-11-12 22:05	<DIR>	d--------	C:\Documents and Settings\Administrator\Plocha
2007-11-12 22:05	<DIR>	d--h-----	C:\Documents and Settings\Administrator\Okolnˇ tisk rny
2007-11-12 22:05	<DIR>	d--h-----	C:\Documents and Settings\Administrator\Okolnˇ sˇś
2007-11-12 22:05	<DIR>	d--------	C:\Documents and Settings\Administrator\Oblˇben‚ polo§ky
2007-11-12 22:05	<DIR>	dr-------	C:\Documents and Settings\Administrator\Nabˇdka Start
2007-11-12 22:05	<DIR>	d--------	C:\Documents and Settings\Administrator\Dokumenty
2007-11-12 22:05	<DIR>	dr-h-----	C:\Documents and Settings\Administrator\Data aplikacˇ
2007-11-12 21:54	51,200	--a------	C:\WINDOWS\NirCmd.exe
2007-11-11 12:17	<DIR>	d--------	C:\Program Files\Trend Micro
2007-11-10 13:41	<DIR>	d--------	C:\Documents and Settings\pepa\WINDOWS
2007-11-04 22:48	<DIR>	d--------	C:\Program Files\Common Files\DirectX
2007-11-04 22:35	1,060,864	--a------	C:\WINDOWS\system32\mfc71.dll
2007-11-04 01:06	32,768	-ra------	C:\WINDOWS\system32\XSIChooser.exe
2007-11-03 11:17	<DIR>	d--------	C:\Program Files\Windows Media Connect 2
2007-11-03 11:16	<DIR>	d--------	C:\WINDOWS\system32\LogFiles
2007-11-03 11:16	<DIR>	d--------	C:\WINDOWS\system32\drivers\UMDF
2007-10-28 19:54	<DIR>	d--------	C:\Program Files\Hamachi
2007-10-28 19:54	25,544	--a------	C:\WINDOWS\system32\drivers\hamachi.sys
2007-10-23 13:50	<DIR>	d--h-----	C:\WINDOWS\$hf_mig$

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-12 20:43	---------	d--h--w	C:\Program Files\InstallShield Installation Information
2007-11-12 19:56	---------	d-----w	C:\Program Files\Common Files\InstallShield
2007-11-11 16:47	---------	d-----w	C:\Program Files\TRANSLAT
2007-11-11 13:37	---------	d-----w	C:\Program Files\GamePark
2007-11-06 18:37	29,056	----a-w	C:\WINDOWS\system32\drivers\ip6fw.Vsys
2007-10-23 22:12	---------	d-----w	C:\Program Files\DAEMON Tools
2007-10-11 16:55	---------	d-----w	C:\Program Files\DVD Shrink
2007-09-28 15:30	---------	d-----w	C:\Program Files\Microsoft.NET
2007-09-25 20:41	---------	d-----w	C:\Program Files\Common Files\Ahead
2007-09-25 20:39	---------	d-----w	C:\Program Files\Nero
2007-09-25 19:56	---------	d-----w	C:\Program Files\Registry Medic
2007-09-23 20:39	---------	d-----w	C:\Program Files\CyberLink
2007-09-23 19:12	---------	d-----w	C:\Program Files\K-Lite Codec Pack
2007-09-23 18:51	737,280	----a-w	C:\WINDOWS\iun6002.exe
2007-09-22 20:25	---------	d-----w	C:\Program Files\Common Files\Adobe
2007-09-15 14:08	---------	d-----w	C:\Program Files\ATI Technologies
2007-09-15 01:25	---------	d-----w	C:\Program Files\Common Files\Thraex Software
2007-09-13 17:34	491,520	----a-w	C:\WINDOWS\WebIE.dll
2007-09-13 17:34	294,912	----a-w	C:\WINDOWS\TrnWord.dll
2007-09-13 17:32	516,096	----a-w	C:\WINDOWS\UN32.EXE
2007-09-12 19:11	12,528	----a-w	C:\WINDOWS\system32\drivers\secdrv.sys
2007-09-12 18:52	---------	d-----w	C:\Program Files\totalcmd
2007-09-12 15:14	---------	d-----w	C:\Program Files\BitLord
2007-09-12 15:01	223,128	----a-w	C:\WINDOWS\system32\drivers\dtscsi.sys
2007-09-12 15:00	96,256	----a-w	C:\WINDOWS\system32\drivers\sptd8781.sys
2007-09-12 15:00	642,560	----a-w	C:\WINDOWS\system32\drivers\sptd.sys
2007-09-11 18:36	60,416	----a-w	C:\WINDOWS\ALCFDRTM.EXE
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2003-08-15 08:34 C:\WINDOWS\SOUNDMAN.EXE]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 03:00]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2007-09-11 21:08]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 19:24]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 14:40]
"InCD"="C:\Program Files\Nero\Nero 7\InCD\InCD.exe" [2006-11-10 15:19]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-17 14:49]

R3 PSched;Plánovač paketů technologie QoS;C:\WINDOWS\system32\DRIVERS\psched.sys

.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-12 22:28:24
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully 
hidden files: 0 

**************************************************************************
.
Completion time: 2007-11-12 22:29:06 - machine was rebooted 
.
	--- E O F ---

[BUBINO]

Urobte toto :


V hijacThis fixnete toto :
O9 - Extra button: (no name) - {BFC32E1D-EE75-4A48-BC60-104E11EE2431} - (no file)

Najdite to v ponuke , oznacte a kliknite na FIXCHCECKED.
Nainstalujte firewall !

Stiahnite si nastroj Avenger odtialto : http://www.viry.cz/forum/viewtopic.php?t=19832

Podľa navodu sa dopracujte ku tomu bielemu okne ako v navode .
Do neho skopirujte cely nasledujuci text dole v bielom policku .

Files to delete:
C:\WINDOWS\system32\drivers\ip6fw.Vsys
C:\WINDOWS\iun6002.exe
C:\WINDOWS\UN32.EXE
C:\DOCUME~1\xxxx\LOCALS~1\Temp\46156.exe

Pkracujte DONE --> SEMAFOR --> OK a pocitac se restartuje . Po vstupu do win sa vam ukaze log ktore skopirujte sem . Okrem toho je aj v c:\avenger.txt

Urobte nove logy z ComboFix a HijackThis .

Je mozne , ze vam bude nod hlasit viry v obnove systemu (VOLUME INFORMATION) Ak ano , tak vypnite obnovu systemu .


[/quote]

[BUBINO]

Ospravedlnujem sa ale zabudol som este na nieco . Som to ale vol

Toto dodatocne skontrolujte na virustotal.com .
Uploadnite a odoslite . Pockajte kym zacne skenovanie. :
C:\WINDOWS\system32\mfc71.dll
C:\WINDOWS\system32\XSIChooser.exe

vysledky hodte sem .

[Kardif]

Výsledky z virustotal:

Soubor mfc71.dll přijatý 2007.11.13 16:31:41 (CET)
Současný stav: Dokončeno
Výsledek: 0/32 (0%)

Soubor XSIChooser.exe přijatý 2007.11.13 16:49:49 (CET)
Současný stav: Dokončeno
Výsledek: 0/32 (0%)

Evidentně jsou v pohodě co mám udělat nyní ? Mám provést ten předchozí postup ?

[BUBINO]

Ano , ten co som napisal hore .

[Kardif]

Tak dík už je to v pořádku nod viry nehlásí

[BUBINO]

Ak chcete mat istotu tak tu mozte dat tie logy ktore vam vyhodil avenger a urobit novy combo fix log.

[Kardif]

Tady je nový log z combo fixu:

Kód: Vybrat vše

ComboFix 07-11-08.1 - pepa 2007-11-14 16:28:28.5 - NTFSx86 
Systém Microsoft Windows XP Professional  5.1.2600.2.1250.1.1029.18.703 [GMT 1:00]
Running from: C:\Documents and Settings\pepa\Plocha\ComboFix.exe
.

(((((((((((((((((((((((((   Files Created from 2007-10-14 to 2007-11-14  )))))))))))))))))))))))))))))))
.

2007-11-12 22:05	<DIR>	d--------	C:\Documents and Settings\Administrator\Plocha
2007-11-12 22:05	<DIR>	d--h-----	C:\Documents and Settings\Administrator\Okolní tiskárny
2007-11-12 22:05	<DIR>	d--h-----	C:\Documents and Settings\Administrator\Okolní síť
2007-11-12 22:05	<DIR>	d--------	C:\Documents and Settings\Administrator\Oblíbené položky
2007-11-12 22:05	<DIR>	d--h-----	C:\Documents and Settings\Administrator\Šablony
2007-11-12 22:05	<DIR>	dr-------	C:\Documents and Settings\Administrator\Nabídka Start
2007-11-12 22:05	<DIR>	d--------	C:\Documents and Settings\Administrator\Dokumenty
2007-11-12 22:05	<DIR>	dr-h-----	C:\Documents and Settings\Administrator\Data aplikací
2007-11-12 21:54	51,200	--a------	C:\WINDOWS\NirCmd.exe
2007-11-11 12:17	<DIR>	d--------	C:\Program Files\Trend Micro
2007-11-10 13:41	<DIR>	d--------	C:\Documents and Settings\pepa\WINDOWS
2007-11-04 22:48	<DIR>	d--------	C:\Program Files\Common Files\DirectX
2007-11-04 22:35	1,060,864	--a------	C:\WINDOWS\system32\mfc71.dll
2007-11-04 01:06	32,768	-ra------	C:\WINDOWS\system32\XSIChooser.exe
2007-11-03 11:17	<DIR>	d--------	C:\Program Files\Windows Media Connect 2
2007-11-03 11:16	<DIR>	d--------	C:\WINDOWS\system32\LogFiles
2007-11-03 11:16	<DIR>	d--------	C:\WINDOWS\system32\drivers\UMDF
2007-10-28 19:55	<DIR>	d--------	C:\Documents and Settings\pepa\Data aplikací\Hamachi
2007-10-28 19:54	<DIR>	d--------	C:\Program Files\Hamachi
2007-10-28 19:54	25,544	--a------	C:\WINDOWS\system32\drivers\hamachi.sys
2007-10-23 13:50	<DIR>	d--h-----	C:\WINDOWS\$hf_mig$
2007-10-17 20:18	<DIR>	d-a------	C:\Documents and Settings\All Users\Data aplikací\TEMP
2007-10-14 10:37	<DIR>	d--------	C:\Documents and Settings\All Users\Data aplikací\Spybot - Search & Destroy

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-12 20:43	---------	d--h--w	C:\Program Files\InstallShield Installation Information
2007-11-12 19:56	---------	d-----w	C:\Program Files\Common Files\InstallShield
2007-11-11 16:47	---------	d-----w	C:\Program Files\TRANSLAT
2007-11-11 13:37	---------	d-----w	C:\Program Files\GamePark
2007-11-08 19:02	---------	d-----w	C:\Documents and Settings\All Users\Data aplikací\DVD Shrink
2007-10-23 22:12	---------	d-----w	C:\Program Files\DAEMON Tools
2007-10-11 16:55	---------	d-----w	C:\Program Files\DVD Shrink
2007-10-07 20:47	21,840	----a-w	C:\Documents and Settings\pepa\Data aplikací\GDIPFONTCACHEV1.DAT
2007-09-28 15:30	---------	d-----w	C:\Program Files\Microsoft.NET
2007-09-25 20:48	---------	d-----w	C:\Documents and Settings\pepa\Data aplikací\Ahead
2007-09-25 20:41	---------	d-----w	C:\Program Files\Common Files\Ahead
2007-09-25 20:39	---------	d-----w	C:\Program Files\Nero
2007-09-25 20:39	---------	d-----w	C:\Documents and Settings\All Users\Data aplikací\Nero
2007-09-25 19:56	---------	d-----w	C:\Program Files\Registry Medic
2007-09-23 20:43	---------	d-----w	C:\Documents and Settings\pepa\Data aplikací\CyberLink
2007-09-23 20:40	---------	d-----w	C:\Documents and Settings\All Users\Data aplikací\CyberLink
2007-09-23 20:39	---------	d-----w	C:\Program Files\CyberLink
2007-09-23 19:12	---------	d-----w	C:\Program Files\K-Lite Codec Pack
2007-09-23 18:01	---------	d-----w	C:\Documents and Settings\pepa\Data aplikací\Media Player Classic
2007-09-22 20:26	---------	d-----w	C:\Documents and Settings\pepa\Data aplikací\AdobeUM
2007-09-22 20:25	---------	d-----w	C:\Program Files\Common Files\Adobe
2007-09-15 14:08	---------	d-----w	C:\Program Files\ATI Technologies
2007-09-15 01:25	---------	d-----w	C:\Program Files\Common Files\Thraex Software
2007-09-14 23:36	---------	d-----w	C:\Documents and Settings\pepa\Data aplikací\ATI
2007-09-13 17:34	491,520	----a-w	C:\WINDOWS\WebIE.dll
2007-09-13 17:34	294,912	----a-w	C:\WINDOWS\TrnWord.dll
2007-09-12 19:08	34,308	----a-w	C:\WINDOWS\system32\Chip.dll
2007-09-11 20:08	298,104	----a-w	C:\WINDOWS\system32\imon.dll
2007-09-11 18:36	60,416	----a-w	C:\WINDOWS\ALCFDRTM.EXE
2007-09-11 09:17	81,920	----a-w	C:\WINDOWS\system32\frapsvid.dll
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2003-08-15 08:34 C:\WINDOWS\SOUNDMAN.EXE]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 03:00]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2007-09-11 21:08]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 19:24]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 14:40]
"InCD"="C:\Program Files\Nero\Nero 7\InCD\InCD.exe" [2006-11-10 15:19]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-17 14:49]

C:\Documents and Settings\All Users\Nabˇdka Start\Programy\Po spuçtŘnˇ\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-24 06:05:26]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 10:01:04]

R3 PSched;Plánovač paketů technologie QoS;C:\WINDOWS\system32\DRIVERS\psched.sys
R3 usbccgp;Obecný nadřazený ovladač Microsoft USB;C:\WINDOWS\system32\DRIVERS\usbccgp.sys
R3 usbohci;Ovladač Miniport otevřeného hostitelského řadiče Microsoft USB;C:\WINDOWS\system32\DRIVERS\usbohci.sys
R3 USBSTOR;Ovladač velkokapacitního paměťového zařízení USB;C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
S3 usbscan;Ovladač skeneru USB;C:\WINDOWS\system32\DRIVERS\usbscan.sys

.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-14 16:29:23
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully 
hidden files: 0 

**************************************************************************
.
Completion time: 2007-11-14 16:29:50
.
	--- E O F ---

Doufám že už je vše v pohodě nod už žádný problém nehlásí

[Kardif]

A ještě z Avangeru:

Kód: Vybrat vše

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\lqlcbept

*******************

Script file located at: \??\C:\WINDOWS\system32\tkptspib.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:



File C:\WINDOWS\system32\drivers\ip6fw.Vsys not found!
Deletion of file C:\WINDOWS\system32\drivers\ip6fw.Vsys failed!

Could not process line:
C:\WINDOWS\system32\drivers\ip6fw.Vsys
Status: 0xc0000034



File C:\WINDOWS\iun6002.exe not found!
Deletion of file C:\WINDOWS\iun6002.exe failed!

Could not process line:
C:\WINDOWS\iun6002.exe
Status: 0xc0000034



File C:\WINDOWS\UN32.EXE not found!
Deletion of file C:\WINDOWS\UN32.EXE failed!

Could not process line:
C:\WINDOWS\UN32.EXE
Status: 0xc0000034


Completed script processing.

*******************

Finished!  Terminate.

[BUBINO]

Este moment.

Zapnite avenger ako v predchadzajucej operacii a do bieleho okna skopirujte toto:

Files to delete:
C:\WINDOWS\system32\Chip.dll

Folders to delete:
C:\Documents and Settings\pepa\WINDOWS

Toto prosim otestuje na virustotal.com :
:\Documents and Settings\pepa\Data aplikací\GDIPFONTCACHEV1.DAT

Potom tu dajte vysledky z virustotal , log z avengeru a log z combofix.A logy vkladajte prosim normalne .Zle sa mi to potom cita.

[Kardif]

Takže výsledek z avengeru:

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\quwhjkxg

*******************

Script file located at: \??\C:\WINDOWS\system32\wxuivtcq.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINDOWS\system32\Chip.dll deleted successfully.
Folder C:\Documents and Settings\pepa\WINDOWS deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

Výsledek z virustotal:

Soubor GDIPFONTCACHEV1.DAT přijatý 2007.11.14 20:17:35 (CET)
Současný stav: Dokončeno
Výsledek: 0/32 (0%)

A výsledek z combofixu:

ComboFix 07-11-08.1 - pepa 2007-11-14 20:32:17.6 - NTFSx86
Systém Microsoft Windows XP Professional 5.1.2600.2.1250.1.1029.18.673 [GMT 1:00]
Running from: C:\Documents and Settings\pepa\Plocha\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2007-10-14 to 2007-11-14 )))))))))))))))))))))))))))))))
.

2007-11-12 22:05 <DIR> d-------- C:\Documents and Settings\Administrator\Plocha
2007-11-12 22:05 <DIR> d--h----- C:\Documents and Settings\Administrator\Okolní tiskárny
2007-11-12 22:05 <DIR> d--h----- C:\Documents and Settings\Administrator\Okolní síť
2007-11-12 22:05 <DIR> d-------- C:\Documents and Settings\Administrator\Oblíbené položky
2007-11-12 22:05 <DIR> d--h----- C:\Documents and Settings\Administrator\Šablony
2007-11-12 22:05 <DIR> dr------- C:\Documents and Settings\Administrator\Nabídka Start
2007-11-12 22:05 <DIR> d-------- C:\Documents and Settings\Administrator\Dokumenty
2007-11-12 22:05 <DIR> dr-h----- C:\Documents and Settings\Administrator\Data aplikací
2007-11-12 21:54 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-11 12:17 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-04 22:48 <DIR> d-------- C:\Program Files\Common Files\DirectX
2007-11-04 22:35 1,060,864 --a------ C:\WINDOWS\system32\mfc71.dll
2007-11-04 01:06 32,768 -ra------ C:\WINDOWS\system32\XSIChooser.exe
2007-11-03 11:17 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2007-11-03 11:16 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2007-11-03 11:16 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2007-10-28 19:55 <DIR> d-------- C:\Documents and Settings\pepa\Data aplikací\Hamachi
2007-10-28 19:54 <DIR> d-------- C:\Program Files\Hamachi
2007-10-28 19:54 25,544 --a------ C:\WINDOWS\system32\drivers\hamachi.sys
2007-10-23 13:50 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2007-10-17 20:18 <DIR> d-a------ C:\Documents and Settings\All Users\Data aplikací\TEMP
2007-10-14 10:37 <DIR> d-------- C:\Documents and Settings\All Users\Data aplikací\Spybot - Search & Destroy

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-12 20:43 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-12 19:56 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-11-11 16:47 --------- d-----w C:\Program Files\TRANSLAT
2007-11-11 13:37 --------- d-----w C:\Program Files\GamePark
2007-11-08 19:02 --------- d-----w C:\Documents and Settings\All Users\Data aplikací\DVD Shrink
2007-10-23 22:12 --------- d-----w C:\Program Files\DAEMON Tools
2007-10-11 16:55 --------- d-----w C:\Program Files\DVD Shrink
2007-10-07 20:47 21,840 ----a-w C:\Documents and Settings\pepa\Data aplikací\GDIPFONTCACHEV1.DAT
2007-09-28 15:30 --------- d-----w C:\Program Files\Microsoft.NET
2007-09-25 20:48 --------- d-----w C:\Documents and Settings\pepa\Data aplikací\Ahead
2007-09-25 20:41 --------- d-----w C:\Program Files\Common Files\Ahead
2007-09-25 20:39 --------- d-----w C:\Program Files\Nero
2007-09-25 20:39 --------- d-----w C:\Documents and Settings\All Users\Data aplikací\Nero
2007-09-25 19:56 --------- d-----w C:\Program Files\Registry Medic
2007-09-23 20:43 --------- d-----w C:\Documents and Settings\pepa\Data aplikací\CyberLink
2007-09-23 20:40 --------- d-----w C:\Documents and Settings\All Users\Data aplikací\CyberLink
2007-09-23 20:39 --------- d-----w C:\Program Files\CyberLink
2007-09-23 19:12 --------- d-----w C:\Program Files\K-Lite Codec Pack
2007-09-23 18:01 --------- d-----w C:\Documents and Settings\pepa\Data aplikací\Media Player Classic
2007-09-22 20:26 --------- d-----w C:\Documents and Settings\pepa\Data aplikací\AdobeUM
2007-09-22 20:25 --------- d-----w C:\Program Files\Common Files\Adobe
2007-09-15 14:08 --------- d-----w C:\Program Files\ATI Technologies
2007-09-15 01:25 --------- d-----w C:\Program Files\Common Files\Thraex Software
2007-09-14 23:36 --------- d-----w C:\Documents and Settings\pepa\Data aplikací\ATI
2007-09-13 17:34 491,520 ----a-w C:\WINDOWS\WebIE.dll
2007-09-13 17:34 294,912 ----a-w C:\WINDOWS\TrnWord.dll
2007-09-11 20:08 298,104 ----a-w C:\WINDOWS\system32\imon.dll
2007-09-11 18:36 60,416 ----a-w C:\WINDOWS\ALCFDRTM.EXE
2007-09-11 09:17 81,920 ----a-w C:\WINDOWS\system32\frapsvid.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2003-08-15 08:34 C:\WINDOWS\SOUNDMAN.EXE]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 03:00]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2007-09-11 21:08]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 19:24]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 14:40]
"InCD"="C:\Program Files\Nero\Nero 7\InCD\InCD.exe" [2006-11-10 15:19]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-17 14:49]

C:\Documents and Settings\All Users\Nabˇdka Start\Programy\Po spuçtŘnˇ\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-24 06:05:26]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 10:01:04]

R3 PSched;Plánovač paketů technologie QoS;C:\WINDOWS\system32\DRIVERS\psched.sys
R3 usbccgp;Obecný nadřazený ovladač Microsoft USB;C:\WINDOWS\system32\DRIVERS\usbccgp.sys
R3 usbohci;Ovladač Miniport otevřeného hostitelského řadiče Microsoft USB;C:\WINDOWS\system32\DRIVERS\usbohci.sys
R3 USBSTOR;Ovladač velkokapacitního paměťového zařízení USB;C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
S3 usbscan;Ovladač skeneru USB;C:\WINDOWS\system32\DRIVERS\usbscan.sys

.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-14 20:33:06
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-14 20:33:32
.
--- E O F ---

[BUBINO]

Log je cisty . Ako sa citi vas pocitac?

[Kardif]

Spokojeně si chrochtá díky.

[BUBINO]

Nemate zaco ! Rado sa stalo V pripade problemov napiste.