Asking for help with AVG

Viruses and antivirus software, PC security - firewall, spyware, etc.
Radkoff
Beginner
Registered: 4 Jan 2005
Location: Moravské Budějovice

Asking for help with AVG

Post by Radkoff »

I held out against it for a long time, but in the end I installed an antivirus. A legal, full Chip version 7.5 + firewall. What I'm posting here will probably be some triviality caused by my not knowing anything about antivirus software.
Every scan reports 4 infected files (see picture). One on each drive, and they can't be cleaned. And by coincidence, since then (since I installed AVG) I can't open the drives directly by clicking on them; I get "access denied". I can only open them with right-click / Open. There is also a hidden file on each drive (it's circled).
What's going on? How do I get out of this?
Image
BUBINO
Beginner
Registered: 12 Jun 2007
Location: I have one

Re: Asking for help with AVG

Post by BUBINO »

Hello!

Make a log with HijackThis.
Download the program: http://www.trendsecure.com/portal/en-US ... hijackthis , install it, run it and click "DO A SYSTEM SCAN AND SAVE A LOGFILE". After the scan it will show you a log in Notepad; copy the whole of it here. Make sure it is complete.


Also post a log from ComboFix here:
Download ComboFix http://download.bleepingcomputer.com/sUBs/ComboFix.exe
Restart the computer into Safe Mode.
During the scan your computer will be restarted.
After the restart it creates a log, saved at C:/Combofix.txt .
Paste its contents here.
Radkoff
Beginner
Registered: 4 Jan 2005
Location: Moravské Budějovice

Post by Radkoff »

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:00:09, on 20.11.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\ASUS\AASP\1.00.01\aaCenter.exe
C:\Program Files\ASUS\Ai Suite\AiNap\AiNap.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Rainlendar\Rainlendar.exe
C:\Program Files\OpenOffice.org 2.1\program\soffice.exe
C:\Program Files\OpenOffice.org 2.1\program\soffice.BIN
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Opera\Opera.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.seznam.cz/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [AsusServiceProvider] C:\Program Files\ASUS\AASP\1.00.01\aaCenter.exe
O4 - HKLM\..\Run: [Ai Nap] "C:\Program Files\ASUS\Ai Suite\AiNap\AiNap.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SW20] C:\WINDOWS\system32\sw20.exe
O4 - HKLM\..\Run: [SW24] C:\WINDOWS\system32\sw24.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: OpenOffice.org 2.1.lnk = C:\Program Files\OpenOffice.org 2.1\program\quickstart.exe
O4 - Startup: Rainlendar.lnk = C:\Program Files\Rainlendar\Rainlendar.exe
O4 - Startup: Thoosje Sidebar .lnk = C:\Program Files\Thoosje Sidebar V2.0\Thoosje Sidebar .exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/Shar ... vSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1B960333-DC32-41F5-A911-6CC067A5017C}: NameServer = 192.168.0.1
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: AVG Firewall (AVGFwSrv) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\system32\bgsvcgen.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
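The helpers in this thread read HijackThis logs by eye. As an added example (not part of the thread, and not HijackThis code), here is a small parser for the O4 autostart lines of the log above that turns each line into a record and flags the ones worth a second look: an executable with no directory (resolved through the search path), something running from a Recycled or Temp folder, a core Windows binary name such as ctfmon.exe sitting outside the Windows directory, or rundll32 loading a DLL from an unusual place. The sample lines are copied from the log posted above plus one constructed suspicious line (marked in the code), modelled on the Recycled\ctfmon.exe path that the ComboFix output later in this thread shows; the flagging rules and all names in the block are the example's own.

```python
"""Parse HijackThis 'O4' autostart lines and flag the entries a malware-removal
helper would look at first.

Added example: not part of the forum thread and not HijackThis code.  Sample
lines are copied from the posted log, plus one constructed suspicious line
(marked).  The flagging rules are this example's own heuristics."""
import re
from dataclasses import dataclass
from typing import List, Optional

# O4 - HKLM\..\Run: [Name] command                 (optionally "(User 'x')")
RUN_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU|HKUS\\[^\\]+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] "
    r"(?P<command>.*?)(?: \(User '(?P<user>[^']*)'\))?$"
)
# O4 - Startup: Shortcut.lnk = C:\path\target.exe
STARTUP_RE = re.compile(
    r"^O4 - (?P<hive>Startup|Global Startup): (?P<name>.+?) = (?P<command>.*)$"
)
EXT_RE = re.compile(r"\.(exe|com|scr|pif|bat|cmd)\b", re.IGNORECASE)
# Core Windows binaries whose names malware likes to borrow (example's own list).
WINDOWS_BINARIES = {"ctfmon.exe", "svchost.exe", "explorer.exe", "winlogon.exe",
                    "lsass.exe", "csrss.exe", "smss.exe", "services.exe"}

SAMPLE_LINES = [
    # Copied from the HijackThis log posted above:
    r'O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray',
    r'O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup',
    r'O4 - HKLM\..\Run: [nwiz] nwiz.exe /install',
    r"O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')",
    r'O4 - Startup: Rainlendar.lnk = C:\Program Files\Rainlendar\Rainlendar.exe',
    # Constructed for this example (not in the posted log): a look-alike
    # ctfmon.exe started from a Recycled folder, the pattern ComboFix later found.
    r'O4 - HKCU\..\Run: [ctfmon] C:\Recycled\ctfmon.exe',
]


@dataclass
class Autostart:
    hive: str
    name: str
    executable: str
    arguments: str
    user: Optional[str]
    flags: List[str]


def split_command(command: str):
    """Split a Run value into (executable, arguments).  Quoted paths are taken
    verbatim; otherwise the string is cut after the first executable extension,
    which copes with unquoted paths that contain spaces."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        if end != -1:
            return command[1:end], command[end + 1:].strip()
    m = EXT_RE.search(command)
    if m:
        return command[:m.end()], command[m.end():].strip()
    return command, ""


def assess(executable: str, arguments: str) -> List[str]:
    """Human-readable reasons why an autostart deserves a closer look."""
    flags = []
    low = executable.lower()
    name = low.rsplit("\\", 1)[-1]
    if name == "rundll32.exe":
        # The real payload is the DLL that rundll32 loads, so judge that instead.
        dll = arguments.split(",", 1)[0].strip().strip('"').lower()
        if "\\windows\\" not in dll and "\\program files\\" not in dll:
            flags.append(f"rundll32 loads {dll!r} from an unusual location")
    elif "\\" not in low and not low.startswith("%"):
        flags.append("no directory: resolved through the search path")
    for marker in ("\\recycled\\", "\\recycler\\", "\\temp\\"):
        if marker in low:
            flags.append(f"runs from a {marker.strip(chr(92))} folder")
    if name in WINDOWS_BINARIES and "\\windows\\" not in low:
        flags.append(f"{name} outside the Windows directory")
    return flags


def parse_o4(lines) -> List[Autostart]:
    """Turn O4 lines into Autostart records; lines of other types are ignored."""
    records = []
    for line in lines:
        m = RUN_RE.match(line.rstrip()) or STARTUP_RE.match(line.rstrip())
        if not m:
            continue
        g = m.groupdict()
        exe, args = split_command(g["command"])
        records.append(Autostart(g["hive"], g["name"], exe, args,
                                 g.get("user"), assess(exe, args)))
    return records


def suspicious(records: List[Autostart]) -> List[Autostart]:
    """Only the records that picked up at least one flag."""
    return [r for r in records if r.flags]


if __name__ == "__main__":
    for r in suspicious(parse_o4(SAMPLE_LINES)):
        print(f"{r.hive:<14} [{r.name}] {r.executable}  <- " + "; ".join(r.flags))
```

Run against the six sample lines it reports only `nwiz` (bare filename, a legitimate NVIDIA entry that still deserves a glance) and the constructed `ctfmon` entry; everything under C:\WINDOWS or C:\Program Files passes. The heuristics are deliberately simple: the point is to make the "where does this actually run from" question mechanical before a human decides what is junk and what is malware.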
likc
Beginner
Registered: 30 Jun 2006

Post by likc »

For example Spyware Doctor should cure it. It can be downloaded from Google Pack. http://pack.google.com/intl/en/pack_ins ... w&ciNum=11
I wouldn't download the rest. It's junk, but that's up to you.
Or alternatively this http://www.sunbelt-software.com/Home-Ho ... /Download/ but it's over 50MB :-/
rary
Beginner
Registered: 20 Jun 2006

Post by rary »

I'm afraid ComboFix and then Flash Disinfector will have to be used, otherwise you won't get rid of that filth.

So post the ComboFix log here, as BUBINO wrote.
BUBINO
Beginner
Registered: 12 Jun 2007
Location: I have one

Post by BUBINO »

As an antivirus use NOD or Kaspersky, and as an antispyware use that Spyware Doctor, not the other way round!

Post the ComboFix log here.
BUBINO
Beginner
Registered: 12 Jun 2007
Location: I have one

Post by BUBINO »

Yes, I know. Combo is currently not working.

Apply SDFix and MWAV:
SDFIX:
http://www.viry.cz/forum/viewtopic.php?t=40395
Copy the log that pops up after the scan here.

If it resets your internet connection, use this utility:
http://www.spyware.cz/go.php?p=spyware&t=aplikace&id=22
If the connection still doesn't work, set the LAN and IP correctly.

MWAV:
http://www.viry.cz/forum/viewtopic.php?t=4097
Turn off System Restore and apply it. After the scan, post the log from the lower window here, not the upper one!
rary
Beginner
Registered: 20 Jun 2006

Post by rary »

Do what BUBINO advised + use Deckard's System Scanner (formerly Comboscan):
Download Deckard's System Scanner and save it to the desktop.
Run it, accept the licence terms and follow the instructions.
When it finishes, two logs are shown, main.txt and extra.txt; copy only the contents of main.txt here.
Otherwise the log is saved in - C:\Deckard\System Scanner\
Radkoff
Beginner
Registered: 4 Jan 2005
Location: Moravské Budějovice

Post by Radkoff »

I changed the date and it worked:

ComboFix 07-11-08.1 - Radek 2006-11-20 17:56:13.1 - NTFSx86
Systém Microsoft Windows XP Professional 5.1.2600.2.1250.1.1029.18.1505 [GMT 1:00]
Running from: C:\Documents and Settings\Radek\Plocha\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Autorun.inf
C:\Documents and Settings\Milada\Plocha\internet.lnk
C:\WINDOWS\Fonts\serife.fon
C:\WINDOWS\system32\winsys.exe
E:\Autorun.inf
F:\Autorun.inf
G:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2007-10-08 to 2007-11-08 )))))))))))))))))))))))))))))))
.

2007-11-20 17:33 <DIR> d-------- C:\Documents and Settings\Administrator\Plocha
2007-11-20 17:33 <DIR> d--h----- C:\Documents and Settings\Administrator\Okolní tiskárny
2007-11-20 17:33 <DIR> d--h----- C:\Documents and Settings\Administrator\Okolní síť
2007-11-20 17:33 <DIR> d-------- C:\Documents and Settings\Administrator\Oblíbené položky
2007-11-20 17:33 <DIR> d--h----- C:\Documents and Settings\Administrator\Šablony
2007-11-20 17:33 <DIR> dr------- C:\Documents and Settings\Administrator\Nabídka Start
2007-11-20 17:33 <DIR> d-------- C:\Documents and Settings\Administrator\Dokumenty
2007-11-20 17:33 <DIR> dr-h----- C:\Documents and Settings\Administrator\Data aplikací
2007-11-20 01:02 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-20 00:59 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-19 01:06 <DIR> d-------- C:\Documents and Settings\All Users\Data aplikací\Spybot - Search & Destroy
2007-11-19 00:42 <DIR> d--h----- C:\WINDOWS\PIF
2007-11-19 00:36 <DIR> d-------- C:\Documents and Settings\LocalService\Data aplikací\AVG7
2007-11-19 00:32 <DIR> d-------- C:\Documents and Settings\Radek\Data aplikací\AVG7
2007-11-19 00:32 <DIR> d-------- C:\Documents and Settings\All Users\Data aplikací\Grisoft
2007-11-19 00:32 <DIR> d-------- C:\Documents and Settings\All Users\Data aplikací\avg7
2007-11-19 00:32 110,592 --a------ C:\WINDOWS\system32\avgfwafu.dll
2007-11-18 01:04 28,672 --a------ C:\WINDOWS\system32\drivers\CO_Mon.sys
2007-11-08 18:40 127,034 -r------- C:\WINDOWS\bwUnin-8.1.1.50-8876480SL.exe
2007-11-01 17:16 <DIR> d-------- C:\Documents and Settings\Milada\Data aplikací\Skype
2007-11-01 17:12 <DIR> d-------- C:\Documents and Settings\All Users\Data aplikací\LightScribe
2007-11-01 17:10 <DIR> d-------- C:\Documents and Settings\Radek\Data aplikací\Ahead
2007-11-01 17:10 <DIR> d-------- C:\Documents and Settings\All Users\Data aplikací\Ahead
2007-11-01 17:08 <DIR> d-------- C:\Program Files\Nero
2007-11-01 17:08 <DIR> d-------- C:\Program Files\Common Files\Ahead
2007-11-01 17:08 <DIR> d-------- C:\Documents and Settings\All Users\Data aplikací\Nero
2007-10-28 17:14 <DIR> d-------- C:\Program Files\Zoner
2007-10-26 18:43 <DIR> d-------- C:\Program Files\MSXML 6.0
2007-10-26 18:41 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-10-25 18:40 <DIR> d-------- C:\Documents and Settings\Radek\Data aplikací\Skype
2007-10-25 18:39 <DIR> d-------- C:\Program Files\Skype
2007-10-25 18:39 <DIR> d-------- C:\Program Files\Common Files\Skype
2007-10-25 18:39 <DIR> d-------- C:\Documents and Settings\All Users\Data aplikací\Skype
2007-10-25 18:29 <DIR> d-------- C:\Program Files\Opera
2007-10-25 17:56 <DIR> d-------- C:\Documents and Settings\Milada\Data aplikací\Mikrotik
2007-10-25 17:45 <DIR> d-------- C:\Documents and Settings\Radek\Data aplikací\Mikrotik
2007-10-25 17:24 <DIR> d-------- C:\Program Files\Marvell

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-20 16:39 --------- d-----w C:\Documents and Settings\Radek\Data aplikací\OpenOffice.org2
2007-11-19 20:03 --------- d-----w C:\Documents and Settings\Radek\Data aplikací\Rainlendar
2007-11-18 23:58 --------- d-----w C:\Program Files\DaemonTools_WhenUSave_Installer
2007-11-18 23:58 --------- d-----w C:\Program Files\DAEMON Tools
2007-11-01 16:12 --------- d-----w C:\Program Files\Common Files\LightScribe
2007-11-01 16:04 --------- d-----w C:\Program Files\Ahead
2007-10-28 16:16 --------- d-----w C:\Documents and Settings\Radek\Data aplikací\Zoner
2007-10-06 11:09 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-08-21 06:18 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2006-05-18 07:22]
"SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" [2006-05-18 14:26]
"AsusServiceProvider"="C:\Program Files\ASUS\AASP\1.00.01\aaCenter.exe" [2006-06-30 15:57]
"Ai Nap"="C:\Program Files\ASUS\Ai Suite\AiNap\AiNap.exe" [2006-07-10 15:49]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 12:22]
"nwiz"="nwiz.exe" [2006-10-22 12:22 C:\WINDOWS\system32\nwiz.exe]
"SW20"="C:\WINDOWS\system32\sw20.exe" [2006-02-22 07:46]
"SW24"="C:\WINDOWS\system32\sw24.exe" [2006-02-22 07:46]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-10-22 12:22]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2006-11-12 11:48]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-08-05 11:56]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 15:57]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-11-19 01:03]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2006-03-02 13:00]
"LDM"="C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe" [2007-11-08 18:40]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 17:24]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-01 10:21]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46]

C:\Documents and Settings\Radek\Nabídka Start\Programy\Po spuštění\
OpenOffice.org 2.1.lnk - C:\Program Files\OpenOffice.org 2.1\program\quickstart.exe [2006-12-01 23:32:46]
Rainlendar.lnk - C:\Program Files\Rainlendar\Rainlendar.exe [2006-01-21 13:31:46]

C:\Documents and Settings\All Users\Nabídka Start\Programy\Po spuštění\
Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2007-11-08 18:40:37]
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2007-03-23 17:58:53]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Nabídka Start^Programy^Po spuštění^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Nabídka Start\Programy\Po spuštění\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DaemonTools_WhenUSave_Installer]
C:\Program Files\DaemonTools_WhenUSave_Installer\DaemonTools_WhenUSave_Installer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OM_Monitor]
C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe

R0 hotcore2;hotcore2;C:\WINDOWS\system32\drivers\hotcore2.sys
R3 PSched;Plánovač paketů technologie QoS;C:\WINDOWS\system32\DRIVERS\psched.sys
S3 SetupNTGLM7X;SetupNTGLM7X;\??\D:\NTGLM7X.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4d62f831-d953-11db-ad17-ca1f5d3dd6e0}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled\ctfmon.exe
\Shell\Open(0)\command - Recycled\ctfmon.exe

*Newly Created Service* - CATCHME

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"C:\Program Files\Common Files\LightScribe\LSRunOnce.exe"
.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-08 17:56:46
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-08 17:56:58
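The most telling part of the ComboFix log above is the MountPoints2 key. Explorer caches the shell verbs that a drive's autorun.inf declares under HKCU\...\Explorer\MountPoints2\{volume id}, and double-clicking the drive runs the cached Open command. Here both cached verbs point at Recycled\ctfmon.exe, a path relative to the drive root, and ComboFix also removed Autorun.inf from C:, E:, F: and G:, which is consistent with the "access denied" on double-click described in the first post once the antivirus blocks the file. As an added example (not part of the thread, and not ComboFix code), here is a triage script that pulls exactly those two facts out of a ComboFix log: the drive letters whose Autorun.inf was deleted and every MountPoints2 key whose verbs run something relative, something in a Recycle Bin folder, or a Windows-binary look-alike outside the Windows directory. SAMPLE_LOG is a constructed excerpt built from the entries visible above plus one constructed clean key; the scoring rules and all names in the block are the example's own.

```python
"""Triage the 'Reg Loading Points' section of a ComboFix log for drive-root
autorun hijacks.

Added example: not part of the forum thread and not ComboFix code.  SAMPLE_LOG
is a constructed excerpt built from entries visible in the posted log plus one
constructed clean key; the scoring rules are this example's own."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

SAMPLE_LOG = r"""
((((((((((( Other Deletions )))))))))))
.

C:\Autorun.inf
C:\WINDOWS\system32\winsys.exe
E:\Autorun.inf
F:\Autorun.inf
G:\Autorun.inf

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-11-19 01:03]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4d62f831-d953-11db-ad17-ca1f5d3dd6e0}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled\ctfmon.exe
\Shell\Open(0)\command - Recycled\ctfmon.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{constructed-clean-key}]
\Shell\AutoRun\command - D:\setup.exe
"""

KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")
VERB_RE = re.compile(r"^\\Shell\\([^\\]+)\\command\s+-\s+(.*)$")
DRIVE_AUTORUN_RE = re.compile(r"^([A-Za-z]):\\Autorun\.inf$", re.IGNORECASE)
EXE_RE = re.compile(r"\.(exe|com|bat|cmd|scr|pif|vbs)$", re.IGNORECASE)
ABSOLUTE_RE = re.compile(r"^([a-z]:\\|\\\\|%)")   # drive, UNC or env-var prefix
# Core Windows binaries whose names malware likes to borrow (example's own list).
WINDOWS_BINARIES = {"ctfmon.exe", "svchost.exe", "explorer.exe", "winlogon.exe", "lsass.exe"}


@dataclass
class MountPoint:
    key: str
    verbs: Dict[str, str] = field(default_factory=dict)   # verb -> command
    reasons: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def assess_command(cmd: str) -> List[str]:
    """Reasons why a cached shell verb for a drive looks like an autorun worm."""
    reasons = []
    for token in cmd.split():
        if not EXE_RE.search(token):
            continue
        low = token.lower()
        if not ABSOLUTE_RE.match(low):
            reasons.append(f"{token!r} is relative, so it resolves against the drive root")
        if "recycled\\" in low or "recycler\\" in low:
            reasons.append(f"{token!r} lives in a Recycle Bin folder")
        name = low.rsplit("\\", 1)[-1]
        if name in WINDOWS_BINARIES and "\\windows\\" not in low:
            reasons.append(f"{name} outside the Windows directory")
    return reasons


def parse_combofix(text: str) -> Tuple[List[str], List[MountPoint]]:
    """Return (drive letters whose Autorun.inf ComboFix deleted, MountPoints2 keys)."""
    drives, points, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = DRIVE_AUTORUN_RE.match(line)
        if m:
            drives.append(m.group(1).upper())
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            current = MountPoint(key) if "\\mountpoints2\\" in key.lower() else None
            if current:
                points.append(current)
            continue
        m = VERB_RE.match(line)
        if m and current is not None:
            verb, cmd = m.group(1), m.group(2).strip()
            current.verbs[verb] = cmd
            current.reasons.extend(f"{verb}: {r}" for r in assess_command(cmd))
    return drives, points


def report(text: str) -> List[str]:
    """One line per finding, suitable for pasting back into a thread like this."""
    drives, points = parse_combofix(text)
    out = [f"Autorun.inf removed from drive root(s): {', '.join(drives) or 'none'}"]
    for p in points:
        if p.suspicious:
            out.append(f"Hijacked drive shell verbs under {p.key.rsplit(chr(92), 1)[-1]}")
            out.extend("  - " + r for r in p.reasons)
    return out


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

The constructed clean key (an absolute D:\setup.exe, the shape a CD-ROM autorun usually has) produces no reasons, while the key copied from the thread produces three per verb; the volume GUID in MountPoints2 is not mapped to a drive letter by ComboFix, so the script reports the deleted Autorun.inf drives and the hijacked keys side by side rather than pretending to join them.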
Radkoff
Beginner
Registered: 4 Jan 2005
Location: Moravské Budějovice

Post by Radkoff »

hey, do those logs actually tell you anything? they don't tell me anything :-D
or is the only important thing there that "hidden files: 0"?


btw. I'm also using Spybot
rary
Beginner
Registered: 20 Jun 2006

Post by rary »

Download Avenger and run it.
Tick the option Input script manually and click the magnifying-glass icon.
Into the empty window that appears, copy this text:
Folders to delete:
C:\Program Files\DaemonTools_WhenUSave_Installer

Registry keys to delete:
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DaemonTools_WhenUSave_Installer
HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4d62f831-d953-11db-ad17-ca1f5d3dd6e0}


Then click Done, then the traffic-light icon.
Confirm the two prompts and the PC will restart; after the restart paste here the log that is displayed.

And now a question: is that F: drive a flash drive?
Radkoff
Beginner
Registered: 4 Jan 2005
Location: Moravské Budějovice

Post by Radkoff »

rary wrote:
And now a question: is that F: drive a flash drive?
f: is a partition on the hard drive (4 partitions - c, e, f, g)
rary
Beginner
Registered: 20 Jun 2006

Post by rary »

Oh right, I didn't notice on that screenshot that it's a disk, sorry.

Do that Avenger step and paste its log here + paste a fresh ComboFix log here and we'll continue removing that vermin.
Radkoff
Beginner
Registered: 4 Jan 2005
Location: Moravské Budějovice

Post by Radkoff »

scan from MWAV:

Object "spyware.imfmonitor Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "spyware.imfmonitor Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "spyware.imfmonitor Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "spyware.imfmonitor Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "spyware.imfmonitor Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "spyware.imfmonitor Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "spyware.imfmonitor Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "spyware.imfmonitor Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "spyware.imfmonitor Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "spyware.imfmonitor Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "spyware.imfmonitor Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "spyware.imfmonitor Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "spyware.imfmonitor Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "spyware.imfmonitor Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "spyware.imfmonitor Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "mss Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "trojan-downloader.bat.ftp.ab Trojan-Downloader" found in File System! Action Taken: No Action Taken.
Object "trojan-downloader.bat.ftp.ab Trojan-Downloader" found in File System! Action Taken: No Action Taken.
Object "savenow Adware" found in File System! Action Taken: No Action Taken.
Object "Possible Fujacks-type Worm" found in File System! Action Taken: No Action Taken.
Object "Possible Fujacks-type Worm" found in File System! Action Taken: No Action Taken.
Entry "HKCR\NMUIEngine.NMUIResourceLoaderHarddisk" refers to invalid object "{03DC5606-EA66-4f02-AB52-2065524B03821}". Action Taken: No Action Taken.
Entry "HKCR\SPhoneParser.FoundSkypeNumber" refers to invalid object "{E40A96CC-4A5B-47F4-9957-87CDED1DFF45}". Action Taken: No Action Taken.
Entry "HKCR\SPhoneParser.FoundSkypeNumber.1" refers to invalid object "{E40A96CC-4A5B-47F4-9957-87CDED1DFF45}". Action Taken: No Action Taken.
Entry "HKCR\WholeSecurity.CATEEAx" refers to invalid object "{3ba494b1-d507-4c11-9bda-d47e1a65dfcf}". Action Taken: No Action Taken.
Entry "HKCR\WholeSecurity.CATEEAx.1" refers to invalid object "{3ba494b1-d507-4c11-9bda-d47e1a65dfcf}". Action Taken: No Action Taken.
Entry "HKCU\Software\Netscape\Netscape Navigator\User Trusted External Applications" refers to invalid object "C:\Program Files\Logitech\Desktop Messenger\8876480\7.2.0.137-8876480SL\Program\PrvCnt.exe". Action Taken: No Action Taken.
Entry "HKCU\Software\Netscape\Netscape Navigator\User Trusted External Applications" refers to invalid object "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmjblaunch.exe". Action Taken: No Action Taken.
Entry "HKCU\Software\Netscape\Netscape Navigator\User Trusted External Applications" refers to invalid object "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmfwlaunch.exe". Action Taken: No Action Taken.
Entry "HKCU\Software\Netscape\Netscape Navigator\User Trusted External Applications" refers to invalid object "C:\Program Files\Logitech\Desktop Messenger\8876480\8.1.1.50-8876480SL\Program\PrvCnt.exe". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "C:\Program Files\OLYMPUS\OLYMPUS Master\Superimpose\Frame\Default\". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "C:\Program Files\OLYMPUS\OLYMPUS Master\Superimpose\Title\Default\". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "C:\Program Files\OLYMPUS\OLYMPUS Master\Superimpose\Frame\Extension\". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "C:\Program Files\OLYMPUS\OLYMPUS Master\Superimpose\Title\Extension\". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "F:\Binaries\". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "C:\Documents and Settings\All Users\Data aplikací\SmartSound Software Inc\Encoding\". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "C:\Documents and Settings\All Users\Data aplikací\SmartSound Software Inc\Sound Files\". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".bak". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".cfg". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".ess". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".mds". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".tao". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "Combined Community Codec Pack_is1". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "NeroMultiInstaller!UninstallKey". Action Taken: No Action Taken.
Radkoff
Beginner
Registered: 4 Jan 2005
Location: Moravské Budějovice

Post by Radkoff »

I'll also run SDFix


SDFix: Version 1.115

Run by Administrator on Út 20.11.2007 at 19:06

Microsoft Windows XP [Verze 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

Trojan Files Found:

C:\WINDOWS\regedit.com - Deleted




Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

catchme 0.3.1262.1 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-20 19:09:56
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s1"=dword:7ad5a1d1
"s2"=dword:198fb4be
"h0"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Program Files\DAEMON Tools\"
"h0"=dword:00000000
"khjeh"=hex:af,d7,a0,4f,21,0b,3f,62,ea,d0,c6,33,7f,1b,50,a8,f7,9c,54,1c,55,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,4f,f8,4e,f7,34,13,3c,60,a3,d1,cb,e2,b1,0f,a2,5b,91,..
"khjeh"=hex:55,ba,20,ea,55,f5,46,2a,19,fc,a7,68,7d,6d,4b,59,ca,48,8a,86,bc,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:64,62,03,00,08,3f,18,00,40,21,26,00,e0,ff,ff,ff,76,6b,03,00,1e,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Program Files\DAEMON Tools\"
"h0"=dword:00000000
"khjeh"=hex:af,d7,a0,4f,21,0b,3f,62,ea,d0,c6,33,7f,1b,50,a8,f7,9c,54,1c,55,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,4f,f8,4e,f7,34,13,3c,60,a3,d1,cb,e2,b1,0f,a2,5b,91,..
"khjeh"=hex:55,ba,20,ea,55,f5,46,2a,19,fc,a7,68,7d,6d,4b,59,ca,48,8a,86,bc,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:64,62,03,00,30,d4,24,00,00,00,64,00,68,62,69,6e,00,d0,24,00,00,..

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Cursors\Schemes]
"\f\1e?r?n?\xe9? ?u?k?a?z?a?t?e?l?e? ?"="C:\WINDOWS\cursors\arrow_r.cur,C:\WINDOWS\cursors\help_r.cur,C:\WINDOWS\cursors\wait_r.cur,C:\WINDOWS\cursors\busy_r.cur,C:\WINDOWS\cursors\cross_r.cur,C:\WINDOWS\cursors\beam_r.cur,C:\WINDOWS\cursors\pen_r.cur,C:\WINDOWS\cursors\no_r.cur,C:\WINDOWS\cursors\size4_r.cur,C:\WINDOWS\cursors\size3_r.cur,C:\WINDOWS\cursors\size2_r.cur,C:\WINDOWS\cursors\size1_r.cur,C:\WINDOWS\cursors\move_r.cur,C:\WINDOWS\cursors\up_r.cur"
"\f\1e?r?n?\xe9? ?u?k?a?z?a?t?e?l?e? ?(?v?e?l?k?\xe9?)?"="C:\WINDOWS\cursors\arrow_rm.cur,C:\WINDOWS\cursors\help_rm.cur,C:\WINDOWS\cursors\wait_rm.cur,C:\WINDOWS\cursors\busy_rm.cur,C:\WINDOWS\cursors\cross_rm.cur,C:\WINDOWS\cursors\beam_rm.cur,C:\WINDOWS\cursors\pen_rm.cur,C:\WINDOWS\cursors\no_rm.cur,C:\WINDOWS\cursors\size4_rm.cur,C:\WINDOWS\cursors\size3_rm.cur,C:\WINDOWS\cursors\size2_rm.cur,C:\WINDOWS\cursors\size1_rm.cur,C:\WINDOWS\cursors\move_rm.cur,C:\WINDOWS\cursors\up_rm.cur"
"\f\1e?r?n?\xe9? ?u?k?a?z?a?t?e?l?e? ?(?n?e?j?v?\e\1t?a\1\xed?)?"="C:\WINDOWS\cursors\arrow_rl.cur,C:\WINDOWS\cursors\help_rl.cur,C:\WINDOWS\cursors\wait_rl.cur,C:\WINDOWS\cursors\busy_rl.cur,C:\WINDOWS\cursors\cross_rl.cur,C:\WINDOWS\cursors\beam_rl.cur,C:\WINDOWS\cursors\pen_rl.cur,C:\WINDOWS\cursors\no_rl.cur,C:\WINDOWS\cursors\size4_rl.cur,C:\WINDOWS\cursors\size3_rl.cur,C:\WINDOWS\cursors\size2_rl.cur,C:\WINDOWS\cursors\size1_rl.cur,C:\WINDOWS\cursors\move_rl.cur,C:\WINDOWS\cursors\up_rl.cur"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\Nero 7 Essentials\`\1t]
"Order"=hex:08,00,00,00,02,00,00,00,b0,00,00,00,01,00,00,00,01,00,00,00,a4,..

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

Remaining Files:
---------------

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes:

Wed 16 May 2007 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Sun 29 Jul 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Fri 16 Nov 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\6e75856c6efd762fe9068b5aa0da3bd6\BIT1.tmp"
Fri 7 Sep 2007 165,232 A..H. --- "C:\Documents and Settings\Radek\Data aplikací\Microsoft\Virtual PC\VPCKeyboard.dll"
Wed 16 May 2007 4,348 ...H. --- "C:\Documents and Settings\Radek\Dokumenty\Hudba\Zálohování licence\drmv1key.bak"
Wed 16 May 2007 20 A..H. --- "C:\Documents and Settings\Radek\Dokumenty\Hudba\Zálohování licence\drmv1lic.bak"
Wed 16 May 2007 312 ...H. --- "C:\Documents and Settings\Radek\Dokumenty\Hudba\Zálohování licence\drmv2key.bak"
Wed 16 May 2007 1,536 A..H. --- "C:\Documents and Settings\Radek\Dokumenty\Hudba\Zálohování licence\drmv2lic.bak"

Finished!
Radkoff
Beginner
Registered: 04 Jan 2005
Location: Moravské Budějovice

Post by Radkoff »

Syntax error in line --- does not appear to be a valid registry path. Line will be ignored.
Error code: 0
Line: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4d62f831-d953-11db-ad17-ca1f5d3dd6e0}


//////////////////////////////////////////


Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\rqissmrx

*******************

Script file located at: \??\C:\WINDOWS\tirocklf.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Folder C:\Program Files\DaemonTools_WhenUSave_Installer deleted successfully.
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DaemonTools_WhenUSave_Installer deleted successfully.

Completed script processing.


It threw an error on me, but that is actually stated on the first line.
BUBINO
Beginner
Registered: 12 Jun 2007
Location: I have one

Post by BUBINO »

Delete the whole of C:\SDFIX by hand.
Scrub the computer with this program: CCLEANER : http://www.viry.cz/forum/viewtopic.php? ... d837707a0b

You have leftovers from cleaned infections plus invalid keys. CCleaner will remove those. Otherwise the logs are OK. How is the computer behaving?
Radkoff
Beginner
Registered: 04 Jan 2005
Location: Moravské Budějovice

Post by Radkoff »

ComboFix 07-11-08.1 - Radek 2006-11-20 19:55:29.2 - NTFSx86
Systém Microsoft Windows XP Professional 5.1.2600.2.1250.1.1029.18.1539 [GMT 1:00]
Running from: C:\Documents and Settings\Radek\Plocha\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\taskmgr.com

.
((((((((((((((((((((((((( Files Created from 2007-10-08 to 2007-11-08 )))))))))))))))))))))))))))))))
.

2007-11-20 19:06 <DIR> d-------- C:\WINDOWS\ERUNT
2007-11-20 18:56 <DIR> d-a------ C:\WINDOWS\zts2.exe
2007-11-20 18:56 <DIR> d-a------ C:\WINDOWS\system32\vcmgcd32.dll
2007-11-20 18:56 <DIR> d-a------ C:\WINDOWS\system32\systems.txt
2007-11-20 18:56 <DIR> d-a------ C:\WINDOWS\system32\iifgfgf.dll
2007-11-20 18:56 <DIR> d-a------ C:\WINDOWS\rundll16.exe
2007-11-20 18:56 <DIR> d-a------ C:\WINDOWS\rundl132.dll
2007-11-20 18:56 <DIR> d-a------ C:\WINDOWS\logo1_.exe
2007-11-20 18:54 147,968 --a------ C:\WINDOWS\R.COM
2007-11-20 18:54 137,216 --a------ C:\WINDOWS\system32\T.COM
2007-11-20 17:33 <DIR> d-------- C:\Documents and Settings\Administrator\Plocha
2007-11-20 17:33 <DIR> d--h----- C:\Documents and Settings\Administrator\Okolní tiskárny
2007-11-20 17:33 <DIR> d--h----- C:\Documents and Settings\Administrator\Okolní síť
2007-11-20 17:33 <DIR> d-------- C:\Documents and Settings\Administrator\Oblíbené položky
2007-11-20 17:33 <DIR> d--h----- C:\Documents and Settings\Administrator\Šablony
2007-11-20 17:33 <DIR> dr------- C:\Documents and Settings\Administrator\Nabídka Start
2007-11-20 17:33 <DIR> d-------- C:\Documents and Settings\Administrator\Dokumenty
2007-11-20 17:33 <DIR> dr-h----- C:\Documents and Settings\Administrator\Data aplikací
2007-11-20 01:02 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-20 00:59 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-19 01:06 <DIR> d-------- C:\Documents and Settings\All Users\Data aplikací\Spybot - Search & Destroy
2007-11-19 00:42 <DIR> d-------- C:\WINDOWS\PIF
2007-11-19 00:36 <DIR> d-------- C:\Documents and Settings\LocalService\Data aplikací\AVG7
2007-11-19 00:32 <DIR> d-------- C:\Documents and Settings\Radek\Data aplikací\AVG7
2007-11-19 00:32 <DIR> d-------- C:\Documents and Settings\All Users\Data aplikací\Grisoft
2007-11-19 00:32 <DIR> d-------- C:\Documents and Settings\All Users\Data aplikací\avg7
2007-11-19 00:32 110,592 --a------ C:\WINDOWS\system32\avgfwafu.dll
2007-11-18 01:04 28,672 --a------ C:\WINDOWS\system32\drivers\CO_Mon.sys
2007-11-08 18:40 127,034 -r------- C:\WINDOWS\bwUnin-8.1.1.50-8876480SL.exe
2007-11-01 17:16 <DIR> d-------- C:\Documents and Settings\Milada\Data aplikací\Skype
2007-11-01 17:12 <DIR> d-------- C:\Documents and Settings\All Users\Data aplikací\LightScribe
2007-11-01 17:10 <DIR> d-------- C:\Documents and Settings\Radek\Data aplikací\Ahead
2007-11-01 17:10 <DIR> d-------- C:\Documents and Settings\All Users\Data aplikací\Ahead
2007-11-01 17:08 <DIR> d-------- C:\Program Files\Nero
2007-11-01 17:08 <DIR> d-------- C:\Program Files\Common Files\Ahead
2007-11-01 17:08 <DIR> d-------- C:\Documents and Settings\All Users\Data aplikací\Nero
2007-10-28 17:14 <DIR> d-------- C:\Program Files\Zoner
2007-10-26 18:43 <DIR> d-------- C:\Program Files\MSXML 6.0
2007-10-26 18:41 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-10-25 18:40 <DIR> d-------- C:\Documents and Settings\Radek\Data aplikací\Skype
2007-10-25 18:39 <DIR> d-------- C:\Program Files\Skype
2007-10-25 18:39 <DIR> d-------- C:\Program Files\Common Files\Skype
2007-10-25 18:39 <DIR> d-------- C:\Documents and Settings\All Users\Data aplikací\Skype
2007-10-25 18:29 <DIR> d-------- C:\Program Files\Opera
2007-10-25 17:56 <DIR> d-------- C:\Documents and Settings\Milada\Data aplikací\Mikrotik
2007-10-25 17:45 <DIR> d-------- C:\Documents and Settings\Radek\Data aplikací\Mikrotik
2007-10-25 17:24 <DIR> d-------- C:\Program Files\Marvell

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-20 18:46 --------- d-----w C:\Documents and Settings\Radek\Data aplikací\OpenOffice.org2
2007-11-19 20:03 --------- d-----w C:\Documents and Settings\Radek\Data aplikací\Rainlendar
2007-11-18 23:58 --------- d-----w C:\Program Files\DAEMON Tools
2007-11-01 16:12 --------- d-----w C:\Program Files\Common Files\LightScribe
2007-11-01 16:04 --------- d-----w C:\Program Files\Ahead
2007-10-28 16:16 --------- d-----w C:\Documents and Settings\Radek\Data aplikací\Zoner
2007-10-06 11:09 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-08-21 06:18 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2006-05-18 07:22]
"SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" [2006-05-18 14:26]
"AsusServiceProvider"="C:\Program Files\ASUS\AASP\1.00.01\aaCenter.exe" [2006-06-30 15:57]
"Ai Nap"="C:\Program Files\ASUS\Ai Suite\AiNap\AiNap.exe" [2006-07-10 15:49]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 12:22]
"nwiz"="nwiz.exe" [2006-10-22 12:22 C:\WINDOWS\system32\nwiz.exe]
"SW20"="C:\WINDOWS\system32\sw20.exe" [2006-02-22 07:46]
"SW24"="C:\WINDOWS\system32\sw24.exe" [2006-02-22 07:46]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-10-22 12:22]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2006-11-12 11:48]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-08-05 11:56]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 15:57]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-11-19 01:03]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2006-03-02 13:00]
"LDM"="C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe" [2007-11-08 18:40]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 17:24]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-01 10:21]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46]

C:\Documents and Settings\Radek\Nabídka Start\Programy\Po spuštění\
OpenOffice.org 2.1.lnk - C:\Program Files\OpenOffice.org 2.1\program\quickstart.exe [2006-12-01 23:32:46]
Rainlendar.lnk - C:\Program Files\Rainlendar\Rainlendar.exe [2006-01-21 13:31:46]

C:\Documents and Settings\All Users\Nabídka Start\Programy\Po spuštění\
Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2007-11-08 18:40:37]
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2007-03-23 17:58:53]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Nabídka Start^Programy^Po spuštění^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Nabídka Start\Programy\Po spuštění\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OM_Monitor]
C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe

R0 hotcore2;hotcore2;C:\WINDOWS\system32\drivers\hotcore2.sys
R3 PSched;Plánovač paketů technologie QoS;C:\WINDOWS\system32\DRIVERS\psched.sys
S3 SetupNTGLM7X;SetupNTGLM7X;\??\D:\NTGLM7X.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4d62f831-d953-11db-ad17-ca1f5d3dd6e0}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled\ctfmon.exe
\Shell\Open(0)\command - Recycled\ctfmon.exe


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"C:\Program Files\Common Files\LightScribe\LSRunOnce.exe"
.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-08 19:56:04
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-08 19:56:16
C:\ComboFix2.txt ... 2007-11-08 17:56
.
--- E O F ---
Radkoff
Beginner
Registered: 04 Jan 2005
Location: Moravské Budějovice

Post by Radkoff »

Radkoff wrote:Syntax error in line --- does not appear to be a valid registry path. Line will be ignored.
Error code: 0
Line: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4d62f831-d953-11db-ad17-ca1f5d3dd6e0}
And what about the error that Avenger threw?
BUBINO
Beginner
Registered: 12 Jun 2007
Location: I have one

Post by BUBINO »

But we are catching those viruses. Put this into Avenger:
Files to delete:
C:\WINDOWS\zts2.exe
C:\WINDOWS\system32\vcmgcd32.dll
C:\WINDOWS\system32\systems.txt
C:\WINDOWS\system32\iifgfgf.dll
C:\WINDOWS\rundll16.exe
C:\WINDOWS\rundl132.dll
C:\WINDOWS\logo1_.exe
C:\WINDOWS\R.COM
C:\WINDOWS\system32\T.COM
DONE --> traffic-light button --> OK.
After the restart paste the log here.


Open Notepad and copy this into it:
Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4d62f831-d953-11db-ad17-ca1f5d3dd6e0}]

[image]


- save it under the name CFScript so that it has the txt extension and, as in the picture below, drag it onto ComboFix - ComboFix will start automatically - then paste its log here, plus the Avenger log
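Added example (my own triage code, not part of this thread and not from ComboFix, Avenger or AVG): the two findings the helper acted on above can be pulled out of a ComboFix log mechanically. The MountPoints2 key holds per-volume shell verbs; here both the AutoRun verb and the Open(0) verb run Recycled\ctfmon.exe relative to the drive root, which is the classic pattern behind the "double-click on a drive fails, right-click/Open works" symptom reported at the start of the thread once the payload has been removed. The second check looks for file names that only differ from a real Windows binary by a digit-for-letter swap (rundl132.dll for rundll32.dll) or by a .com sitting on a known .exe name (taskmgr.com, which cmd's default PATHEXT order resolves before taskmgr.exe). The log excerpt is constructed from the lines posted above, not a verbatim copy, and the list of "known" binaries is an assumption kept deliberately short.

```python
import re

# Constructed sample modelled on the ComboFix sections pasted in the thread.
SAMPLE_LOG = r"""
((( Other Deletions )))
C:\WINDOWS\system32\taskmgr.com

((( Files Created from 2007-10-08 to 2007-11-08 )))
2007-11-20 18:56 <DIR> d-a------ C:\WINDOWS\zts2.exe
2007-11-20 18:56 <DIR> d-a------ C:\WINDOWS\system32\iifgfgf.dll
2007-11-20 18:56 <DIR> d-a------ C:\WINDOWS\rundll16.exe
2007-11-20 18:56 <DIR> d-a------ C:\WINDOWS\rundl132.dll
2007-11-20 18:56 <DIR> d-a------ C:\WINDOWS\logo1_.exe
2007-11-20 18:54 147,968 --a------ C:\WINDOWS\R.COM
2007-11-20 18:54 137,216 --a------ C:\WINDOWS\system32\T.COM
2007-11-20 01:02 51,200 --a------ C:\WINDOWS\NirCmd.exe

((( Reg Loading Points )))
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-11-19 01:03]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4d62f831-d953-11db-ad17-ca1f5d3dd6e0}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled\ctfmon.exe
\Shell\Open(0)\command - Recycled\ctfmon.exe
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VERB_RE = re.compile(r"^\\Shell\\(?P<verb>[^\\]+)\\command\s+-\s+(?P<cmd>.+)$", re.I)
# "<date> <time> <size-or-DIR> <attrs> <path>" lines of the Files Created section
FILE_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+\S+\s+\S+\s+(?P<path>[A-Za-z]:\\.+)$")

# Assumed short list of Windows binaries whose names worms like to imitate.
KNOWN_SYSTEM_BINARIES = {"rundll32.exe", "ctfmon.exe", "svchost.exe",
                         "lsass.exe", "taskmgr.exe", "explorer.exe"}
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o"})


def suspicious_command(cmd):
    """Reason string if a MountPoints2 shell verb looks like an autorun hijack, else None."""
    low = cmd.lower()
    words = low.split()
    target = words[-1] if words else ""
    if "recycled\\" in low or "recycler\\" in low:
        return "launches payload from the drive's recycle-bin folder"
    # A target without a drive letter or %VAR% is resolved against the drive root.
    if not re.match(r"^[a-z]:\\", target) and not target.startswith("%"):
        return "relative path resolved against the drive root"
    return None


def mountpoint_hijacks(log_text):
    """Return (volume_guid, verb, command, reason) for suspicious MountPoints2 verbs."""
    hits, current_key = [], None
    for line in log_text.splitlines():
        m = KEY_RE.match(line)
        if m:
            current_key = m.group("key")
            continue
        if current_key is None or "mountpoints2" not in current_key.lower():
            continue
        m = VERB_RE.match(line)
        if not m:
            continue
        cmd = m.group("cmd").strip()
        reason = suspicious_command(cmd)
        if reason:
            hits.append((current_key.rsplit("\\", 1)[-1], m.group("verb"), cmd, reason))
    return hits


def normalise_name(name):
    """Lower-case a file name and fold digit look-alikes: rundl132.dll -> rundll32.dll."""
    return name.lower().translate(HOMOGLYPHS)


def lookalike_files(log_text):
    """Return (path, impersonated_binary) for files shadowing a known Windows binary name."""
    hits = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = FILE_RE.match(line)
        if m:
            path = m.group("path")
        elif re.match(r"^[A-Za-z]:\\", line):
            path = line  # bare path line, as in the Other Deletions section
        else:
            continue
        base = path.rsplit("\\", 1)[-1].lower()
        stem = normalise_name(base).rsplit(".", 1)[0]
        for known in KNOWN_SYSTEM_BINARIES:
            if stem == known.rsplit(".", 1)[0] and base != known:
                hits.append((path, known))
    return hits


if __name__ == "__main__":
    for guid, verb, cmd, reason in mountpoint_hijacks(SAMPLE_LOG):
        print(f"{guid} {verb}: {cmd!r} ({reason})")
    for path, known in lookalike_files(SAMPLE_LOG):
        print(f"{path} looks like {known}")
```

Both checks are heuristics for reading a log, not a replacement for the tools used in the thread; in particular the name list should be extended for real triage, and a MountPoints2 verb pointing at a legitimate absolute path is deliberately left alone.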