Trojan

Virus and antivirus issues, PC security - firewall, spyware, etc.
Pavel777
Newbie
Registered: 18 Dec 2007

Trojan

Post by Pavel777 »

Hi folks, can anyone help me? I've been trying for two days to drive the vermin out of my PC, and something always stays behind. I made a log. I've been deleting all those "file missing" entries in various ways, but after a while on the net they move back in. :sad: Thanks, Pavel

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 0:35:34, on 18.12.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Cobian Backup 8\cbService.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\VirusScan\VsTskMgr.exe
C:\Program Files\Corporate SMTP Server\SMTPListener.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\tlntsvr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe
C:\VirusScan\SHSTAT.EXE
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\rundll32.exe
C:\Microsoft ActiveSync\WCESCOMM.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\VSTASCAN\vsaccess.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosOBEX.exe
C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
C:\WINDOWS\system32\wininet.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosBtProc.exe
C:\WINDOWS\system32\wuauclt.exe
c:\autoekpe.exe
c:\autodbnz.exe
C:\WINDOWS\system32\w32sys3.exe
C:\WINDOWS\system32\wininet.exe
C:\WINDOWS\system32\makehm.exe
C:\WINDOWS\system32\svchost.exe
E:\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.cz/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ldr.exe,C:\WINDOWS\system32\makehm.exe,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: QUICKfind BHO Object - {C08DF07A-3E49-4E25-9AB0-D3882835F153} - C:\PROGRA~1\IDM\QUICKF~1\PlugIns\IEHelp.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [TomcatStartup 2.5] C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe
O4 - HKLM\..\Run: [StatusClient 2.6] C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [ShStatEXE] "C:\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-484763869-682003330-950239820-1014\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'postgres')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O4 - Startup: UMAX VistaAccess.lnk = C:\VSTASCAN\vsaccess.exe
O4 - Global Startup: Bluetooth Manager.lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xportovat do aplikace Microsoft Office Excel - res://C:\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Vytvořit mobilní oblíbenou položku - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Vytvořit mobilní oblíbenou položku… - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: Zdroje informací - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {50E43D86-A74D-11D0-98CE-004005249458} (AnimatedGif Control) - https://www.mojebanka.cz/jars/confwiz/MVSGif.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://ca.com/cz/securityadvisor/virusinfo/webscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C0618B53-5D11-4FC0-A455-965F82A8D0D5}: NameServer = 192.168.2.1
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\WINDOWS\system32\svcht2k.dll
O21 - SSODL: SysRun - {D7FFD784-5276-42D1-887B-00267870A4C7} - C:\WINDOWS\system32\svshost.dll
O23 - Service: Cobian Backup 8 služba (CobBMService) - Luis Cobian - C:\Program Files\Cobian Backup 8\cbService.exe
O23 - Service: CVWTF - Unknown owner - C:\DOCUME~1\PAVELH~1\LOCALS~1\Temp\CVWTF.exe (file missing)
O23 - Service: FCI - Unknown owner - C:\WINDOWS\system32\svchost.exe:ext.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Správa služby IIS (IISADMIN) - Unknown owner - C:\WINDOWS\system32\inetsrv\inetinfo.exe (file missing)
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\VirusScan\VsTskMgr.exe
O23 - Service: Microsoft security update service (msupdate) - Unknown owner - c:\windows\system32\mssrv32.exe
O23 - Service: Neurotechnologija - Unknown owner - C:\Program Files\Neurotechnologija\VeriFinger 5.0 Standard SDK Trial\bin\Win32_x86\Activation\pg.exe (file missing)
O23 - Service: PGBTIP - Unknown owner - C:\DOCUME~1\PAVELH~1\LOCALS~1\Temp\PGBTIP.exe (file missing)
O23 - Service: PostgreSQL Database Server 8.2 (pgsql-8.2) - PostgreSQL Global Development Group - C:\Program Files\PostgreSQL\8.2\bin\pg_ctl.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: SMTP Server Service (SMTPMainService) - Unknown owner - C:\Program Files\Corporate SMTP Server\SMTPListener.exe
O23 - Service: Simple Mail Transport Protocol (SMTP) (SMTPSVC) - Unknown owner - C:\WINDOWS\system32\inetsrv\inetinfo.exe (file missing)
O23 - Service: Publikování na webu (W3SVC) - Unknown owner - C:\WINDOWS\system32\inetsrv\inetinfo.exe (file missing)

--
End of file - 9085 bytes
rary
Beginner
Registered: 20 Jun 2006

Post by rary »

Run ComboFix:
Download ComboFix, save it to the desktop and run it. Follow the on-screen instructions; while ComboFix is running, do not click into the window it shows, because that may stop the process.
The computer may restart; that means malicious files were found and a restart is needed for ComboFix to delete them.
When it finishes, a log is created; copy its contents here.

Note: administrator rights are required to run ComboFix.
BUBINO
Beginner
Registered: 12 Jun 2007
Location: I have one

Post by BUBINO »

Just to add to rary. First do the following.

First use this guide: http://www.viry.cz/forum/viewtopic.php?t=47137

Start --> Run --> type services.msc
A list of processes will come up. Find exactly the processes marked in green, double-click them and set them to Disabled, or turn them off. From the menu choose Stop / Disable:
SMTP Server Service (SMTPMainService)
PGBTIP
Neurotechnologija
Microsoft security update service (msupdate)
Service: CVWTF


Fix these items in the program (for the selected items, click the box on the left to tick them, then click FIX CHECKED in the bottom panel; that deletes them):

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ldr.exe,C:\WINDOWS\system32\makehm.exe,
O20 - AppInit_DLLs: C:\WINDOWS\system32\svcht2k.dll
O21 - SSODL: SysRun - {D7FFD784-5276-42D1-887B-00267870A4C7} - C:\WINDOWS\system32\svshost.dll


Download Avenger from the link here: http://www.viry.cz/forum/viewtopic.php?t=19832
Follow the guide until you get to the white box, and type the following into it:

Drivers to unload:
Microsoft security update service
SMTP Server Service

Files to delete:
C:\WINDOWS\system32\svshost.dll
c:\windows\system32\mssrv32.exe
C:\WINDOWS\system32\svcht2k.dll
C:\Program Files\Corporate SMTP Server\SMTPListener.exe
C:\WINDOWS\system32\wininet.exe
c:\autoekpe.exe
c:\autodbnz.exe
C:\WINDOWS\system32\w32sys3.exe
C:\WINDOWS\system32\makehm.exe
C:\WINDOWS\system32\ldr.exe

Folders to delete:
C:\Program Files\Corporate SMTP Server
DONE --> traffic light --> OK
The computer will restart and a log will pop up; copy it here. It is also in c:\avenger.txt. Then make a new HijackThis log.
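The checks BUBINO walks through above (the extra executables chained into UserInit, the AppInit_DLLs and SSODL entries, and the "Unknown owner" services) can be turned into a repeatable triage pass over a HijackThis log. This is an added example, not code from the thread or from HijackThis; the heuristics and the short list of core Windows binary names are assumptions made for illustration, and the sample lines are copied from the first log in this thread.

```python
"""Heuristic triage of a HijackThis 2.x log (added example; not code from the
original posts or from HijackThis). Findings are leads for a human to review,
not verdicts: a legitimate tool can trip any one of these rules."""
import re
from dataclasses import dataclass

# Core Windows binaries that malware imitates with one-letter changes.
# Assumption: this short list is enough for illustration.
CORE_STEMS = {"svchost", "winlogon", "lsass", "services", "smss", "csrss", "explorer"}

@dataclass
class Finding:
    section: str   # "process", "F2", "O20", "O21" or "O23"
    reason: str
    line: str

def within_one_edit(a: str, b: str) -> bool:
    """True if a and b differ by at most one substitution, insertion or deletion."""
    if abs(len(a) - len(b)) > 1:
        return False
    if len(a) > len(b):
        a, b = b, a                      # make a the shorter (or equal) string
    i = j = 0
    used_edit = False
    while i < len(a):
        if a[i] == b[j]:
            i += 1
            j += 1
            continue
        if used_edit:
            return False
        used_edit = True
        if len(a) == len(b):
            i += 1                       # substitution consumes a char on both sides
        j += 1                           # an insertion in b consumes only b's char
    return True

def path_reasons(path: str):
    """Generic red flags for any executable path, whichever section it came from."""
    low = path.lower().replace(" (file missing)", "")
    if re.fullmatch(r"[a-z]:\\[^\\]+", low):
        yield "runs from a drive root"
    if "\\temp\\" in low:
        yield "lives in a Temp directory"
    if re.search(r"\.(exe|dll):[^\\]+$", low):
        yield "binary is an NTFS alternate data stream"
    stem = low.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    if stem not in CORE_STEMS and any(within_one_edit(stem, c) for c in CORE_STEMS):
        yield "name is one edit away from a core Windows binary"

def triage(log_text: str) -> list[Finding]:
    findings: list[Finding] = []
    def add(section: str, line: str, path: str, *extra: str) -> None:
        for why in (*extra, *path_reasons(path)):
            findings.append(Finding(section, why, line))
    for raw in log_text.splitlines():
        line = raw.strip()
        if re.match(r"[A-Za-z]:\\", line):                 # "Running processes" entry
            add("process", line, line)
        elif line.startswith("F2 - REG:system.ini: UserInit="):
            for entry in line.split("=", 1)[1].split(","):
                entry = entry.strip()
                if entry and not entry.lower().endswith("\\userinit.exe"):
                    add("F2", entry, entry, "extra executable chained into UserInit")
        elif line.startswith("O20 - AppInit_DLLs:"):
            add("O20", line, line.split(":", 1)[1].strip(),
                "DLL loaded into every process that uses user32 via AppInit_DLLs")
        elif line.startswith("O21 - SSODL:"):
            add("O21", line, line.rsplit(" - ", 1)[-1],
                "shell service object loaded by Explorer at logon")
        elif line.startswith("O23 - Service:"):
            m = re.match(r"O23 - Service: (.+?) - (.+?) - (.+)$", line)
            if not m:
                continue
            owner, path = m.group(2), m.group(3).replace(" (file missing)", "")
            extra = []
            if owner.lower() == "unknown owner" and re.search(r"\\system32\\[^\\]+$", path.lower()):
                extra.append("unknown-owner service loose in system32")
            add("O23", line, path, *extra)
    return findings

# Constructed sample: lines copied from the first HijackThis log in this thread.
SAMPLE_LOG = r"""
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
c:\autoekpe.exe
C:\WINDOWS\system32\w32sys3.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ldr.exe,C:\WINDOWS\system32\makehm.exe,
O20 - AppInit_DLLs: C:\WINDOWS\system32\svcht2k.dll
O21 - SSODL: SysRun - {D7FFD784-5276-42D1-887B-00267870A4C7} - C:\WINDOWS\system32\svshost.dll
O23 - Service: Cobian Backup 8 služba (CobBMService) - Luis Cobian - C:\Program Files\Cobian Backup 8\cbService.exe
O23 - Service: CVWTF - Unknown owner - C:\DOCUME~1\PAVELH~1\LOCALS~1\Temp\CVWTF.exe (file missing)
O23 - Service: FCI - Unknown owner - C:\WINDOWS\system32\svchost.exe:ext.exe
O23 - Service: Microsoft security update service (msupdate) - Unknown owner - c:\windows\system32\mssrv32.exe
O23 - Service: Správa služby IIS (IISADMIN) - Unknown owner - C:\WINDOWS\system32\inetsrv\inetinfo.exe (file missing)
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}: {f.line}")
```

On the sample the script flags the root-level process, both UserInit add-ons, the AppInit DLL, the SSODL lookalike and the three suspect services, while the IIS entries with "file missing" are left alone because they sit in a subfolder of system32.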
Pavel777
Newbie
Registered: 18 Dec 2007

Post by Pavel777 »

Thanks a lot, you helped me a great deal. I'm posting a log for checking. Hopefully it's fine now. The only thing I still find odd is that in Local Settings\Temp, right after startup, there are always about twenty files jar_cachhexxxxx.tmp, which can now be deleted, but after a restart they're there again. I don't have them on another PC. Also toolbox_healerxxxxx.log keeps being created there. I'm afraid some nasty thing is still left in there and will move it all back in again. Windows Update keeps offering the updates over and over, and after the download it shows "The following updates were not installed" and the list contains everything that was downloaded... :sad:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:30:53, on 18.12.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Cobian Backup 8\cbService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Microsoft ActiveSync\WCESCOMM.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\VSTASCAN\vsaccess.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\MyAccount\Plocha\HiJackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: QUICKfind BHO Object - {C08DF07A-3E49-4E25-9AB0-D3882835F153} - C:\PROGRA~1\IDM\QUICKF~1\PlugIns\IEHelp.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [TomcatStartup 2.5] C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe
O4 - HKLM\..\Run: [StatusClient 2.6] C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O4 - Startup: UMAX VistaAccess.lnk = C:\VSTASCAN\vsaccess.exe
O4 - Global Startup: Bluetooth Manager.lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xportovat do aplikace Microsoft Office Excel - res://C:\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Vytvořit mobilní oblíbenou položku - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Vytvořit mobilní oblíbenou položku… - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: Zdroje informací - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {50E43D86-A74D-11D0-98CE-004005249458} (AnimatedGif Control) - https://www.mojebanka.cz/jars/confwiz/MVSGif.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://ca.com/cz/securityadvisor/virusinfo/webscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C0618B53-5D11-4FC0-A455-965F82A8D0D5}: NameServer = 192.168.2.1
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Cobian Backup 8 služba (CobBMService) - Luis Cobian - C:\Program Files\Cobian Backup 8\cbService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Správa služby IIS (IISADMIN) - Unknown owner - C:\WINDOWS\system32\inetsrv\inetinfo.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Simple Mail Transport Protocol (SMTP) (SMTPSVC) - Unknown owner - C:\WINDOWS\system32\inetsrv\inetinfo.exe (file missing)
O23 - Service: Publikování na webu (W3SVC) - Unknown owner - C:\WINDOWS\system32\inetsrv\inetinfo.exe (file missing)
BUBINO
Beginner
Registered: 12 Jun 2007
Location: I have one

Post by BUBINO »

You did the first step nicely! :)

Test this on virustotal.com:
C:\VSTASCAN\vsaccess.exe
You can do the whole folder as well. I want to be sure. Upload it, submit it, and post the results that come up here.

You did not post the Avenger log here, which would help me as a companion check of whether everything got deleted as it should have.

In Avenger, as before, enter this:
Folders to delete:
C:\DOCUME~1\PAVELH~1\LOCALS~1\Temp
Make a ComboFix log as rary wrote above.
Pavel777
Newbie
Registered: 18 Dec 2007

Post by Pavel777 »

Still something wrong :? Avenger deleted what I gave it. I couldn't find the log any more, but it should be OK. It said it didn't find the registry entries for removing the services, but I removed those manually afterwards. It deleted the files without any problem. Worse is that when I now click the link to my website in the About dialog of my own program (the click calls the standard ShellExecute(NULL, _T("open"), url, NULL,NULL, showcmd); inside the program), the page is displayed, but at the same time Avast reports that an infection was detected, and when I have the file moved to the chest, I can see the Java sources of that filth in it. Avast says it is getting it from the address "http:// 00a0-f0d5-a44e-33s6.cnc-inc.cn/r7e/1/" (I put a space after the // here...). Yet in my source code I definitely do not call that nonsense anywhere. At least Avast catches it. Before that, it spread itself here. But what do I do about it? I'll gladly provide the source of this pest that I have here, but I'd rather not post it here. It looks to me as if someone overwrote ShellExecute so that it also calls somewhere else at the same time. Does anyone have any idea whether something like that is possible??? And should I delete the whole Temp after startup? Worse is that some swine will probably dump it back there after the next start.... Pavel PS: I also have the address where my problems started - http://www .ts-bohemia.cz/
BUBINO
Beginner
Registered: 12 Jun 2007
Location: I have one

Post by BUBINO »

Do what I wrote in my previous post. Put what is in the white box into Avenger and make a ComboFix log.
Pavel777
Newbie
Registered: 18 Dec 2007

Post by Pavel777 »

OK, VirusTotal said OK - http://www.virustotal.com/cs/resultado. ... c2bd226c30 the file is known, it belongs to the scanner.

Avenger wrote:
Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\ccxfbhrx

*******************

Script file located at: \??\C:\WINDOWS\tsxnddhk.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Folder C:\DOCUME~1\PAVELH~1\LOCALS~1\Temp deleted successfully.

Completed script processing.

*******************

Finished! Terminate.
But after startup, Temp looked like before.

ComboFix wrote:
ComboFix 07-12-18.1 - MyAccount 2007-12-18 22:56:32.2 - NTFSx86
Systém Microsoft Windows XP Professional 5.1.2600.2.1250.1.1029.18.632 [GMT 1:00]
Running from: C:\Documents and Settings\MyAccount\Plocha\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2007-11-18 to 2007-12-18 )))))))))))))))))))))))))))))))
.

2007-12-18 12:13 . 2007-12-18 12:13 <DIR> d-------- C:\Program Files\Alwil Software
2007-12-18 12:13 . 2007-12-04 14:04 837,496 --a------ C:\WINDOWS\system32\aswBoot.exe
2007-12-18 12:13 . 2004-01-09 10:13 380,928 --a------ C:\WINDOWS\system32\actskin4.ocx
2007-12-18 12:13 . 2007-12-04 13:54 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
2007-12-18 12:13 . 2007-12-04 15:55 94,544 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-12-18 12:13 . 2007-12-04 15:56 93,264 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2007-12-18 12:13 . 2007-12-04 15:51 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2007-12-18 12:13 . 2007-12-04 15:49 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2007-12-18 12:13 . 2007-12-04 15:53 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2007-12-18 12:09 . 2007-12-18 12:09 <DIR> d-------- C:\Documents and Settings\MyAccount\Data aplikací\PrevxCSI
2007-12-18 12:09 . 2007-12-18 12:09 <DIR> d-------- C:\Documents and Settings\MyAccount\Data aplikací\PrevxCSI
2007-12-18 12:09 . 2007-12-18 12:09 <DIR> d-------- C:\Documents and Settings\MyAccount\Data aplikací\PrevxCSI
2007-12-18 12:09 . 2007-12-18 12:09 <DIR> d-------- C:\Documents and Settings\All Users\Data aplikací\Prevx
2007-12-18 11:18 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-12-18 11:18 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-12-18 11:18 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-12-18 00:32 . 2007-12-18 00:32 19,388 --a------ C:\WINDOWS\system32\w32sys1.exe
2007-12-17 22:48 . 2007-12-17 22:48 507,164 --a------ C:\WINDOWS\system32\w32sys15.exe
2007-12-17 22:48 . 2007-12-17 22:48 19,388 --a------ C:\WINDOWS\system32\w32sys0.exe
2007-12-17 22:39 . 2007-12-18 01:09 4,608 --a------ C:\WINDOWS\system32\drivers\ntoss.sys
2007-12-17 22:39 . 2007-12-18 01:09 2,464 --a------ C:\WINDOWS\system32\drivers\ntosnh.sys
2007-12-17 19:59 . 2004-08-17 15:49 153,088 --a------ C:\WINDOWS\system32\irftp.exe
2007-12-17 19:59 . 2004-08-17 15:49 153,088 --a--c--- C:\WINDOWS\system32\dllcache\irftp.exe
2007-12-17 19:59 . 2004-08-17 15:49 26,624 --a------ C:\WINDOWS\system32\irmon.dll
2007-12-17 19:59 . 2004-08-17 15:49 26,624 --a--c--- C:\WINDOWS\system32\dllcache\irmon.dll
2007-12-17 19:59 . 2004-08-17 15:49 8,192 --a------ C:\WINDOWS\system32\wshirda.dll
2007-12-17 19:59 . 2004-08-17 15:49 8,192 --a--c--- C:\WINDOWS\system32\dllcache\wshirda.dll
2007-12-17 09:54 . 2005-04-05 07:23 139,264 -ra------ C:\WINDOWS\system32\igfxres.dll
2007-12-17 09:47 . 2007-12-17 09:47 749 -rah----- C:\WINDOWS\WindowsShell.Manifest
2007-12-17 09:47 . 2007-12-17 09:47 749 -rah----- C:\WINDOWS\system32\wuaucpl.cpl.manifest
2007-12-17 09:47 . 2007-12-17 09:47 749 -rah----- C:\WINDOWS\system32\sapi.cpl.manifest
2007-12-17 09:47 . 2007-12-17 09:47 749 -rah----- C:\WINDOWS\system32\nwc.cpl.manifest
2007-12-17 09:47 . 2007-12-17 09:47 749 -rah----- C:\WINDOWS\system32\ncpa.cpl.manifest
2007-12-17 09:47 . 2007-12-17 09:47 488 -rah----- C:\WINDOWS\system32\logonui.exe.manifest
2007-12-17 09:37 . 2004-08-18 13:00 24,661 --a------ C:\WINDOWS\system32\spxcoins.dll
2007-12-17 09:37 . 2004-08-18 13:00 14,043 -ra------ C:\WINDOWS\SET53.tmp
2007-12-17 09:37 . 2004-08-18 13:00 13,312 --a------ C:\WINDOWS\system32\irclass.dll
2007-12-17 09:36 . 2004-08-18 13:00 1,086,058 -ra------ C:\WINDOWS\SET47.tmp
2007-12-17 09:36 . 2004-08-18 13:00 1,014,483 -ra------ C:\WINDOWS\SET44.tmp
2007-12-16 23:39 . 2007-12-16 23:39 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2007-12-16 22:38 . 2007-12-16 22:38 <DIR> d-------- C:\Program Files\InCode Solutions
2007-12-16 20:37 . 2004-08-18 13:00 21,896 --a------ C:\WINDOWS\system32\drivers\tdtcp.sys
2007-12-16 20:37 . 2004-08-18 13:00 12,040 --a------ C:\WINDOWS\system32\drivers\tdpipe.sys
2007-12-16 20:30 . 2004-08-18 13:00 1,896,102 --a--c--- C:\WINDOWS\system32\dllcache\NT5.CAT
2007-12-16 20:30 . 2004-08-18 13:00 1,086,058 -ra------ C:\WINDOWS\SET46.tmp
2007-12-16 20:30 . 2004-08-18 13:00 1,014,483 -ra------ C:\WINDOWS\SET43.tmp
2007-12-16 20:30 . 2004-08-18 13:00 621,080 --a--c--- C:\WINDOWS\system32\dllcache\NT5INF.CAT
2007-12-16 20:30 . 2004-08-18 13:00 14,043 -ra------ C:\WINDOWS\SET52.tmp
2007-12-16 19:40 . 2007-12-16 19:40 38,400 -r-h----- C:\WINDOWS\system32\svch5f2.exe
2007-12-16 16:33 . 2004-08-18 13:00 1,086,058 -ra------ C:\WINDOWS\SET45.tmp
2007-12-16 16:33 . 2004-08-18 13:00 1,014,483 -ra------ C:\WINDOWS\SET42.tmp
2007-12-16 16:33 . 2004-08-18 13:00 14,043 -ra------ C:\WINDOWS\SET51.tmp
2007-12-16 09:31 . 2007-12-16 09:31 <DIR> dr------- C:\Documents and Settings\LocalService\Oblíbené položky
2007-12-15 23:33 . 2007-12-17 23:14 <DIR> dr------- C:\Documents and Settings\LocalService\Dokumenty
2007-12-15 22:12 . 2007-12-15 22:12 <DIR> d-------- C:\WINDOWS\msapps
2007-12-15 21:46 . 2007-12-15 21:46 38,400 -r-h----- C:\WINDOWS\system32\svch0.exe
2007-12-09 14:08 . 2007-12-09 14:08 <DIR> d-------- C:\Program Files\Neurotechnologija
2007-12-08 16:30 . 2007-12-08 16:30 <DIR> d-------- C:\Program Files\MicrosoftDigitalPersona
2007-12-08 16:19 . 2007-12-16 09:45 <DIR> d-------- C:\WINDOWS\DPDrv
2007-12-08 14:41 . 2007-12-15 13:52 2,238 --a------ C:\WINDOWS\SecFloader.icon
2007-12-06 23:05 . 2007-12-06 23:05 <DIR> d-------- C:\Program Files\Application Verifier
2007-12-06 22:24 . 2007-12-06 22:24 <DIR> d-------- C:\Program Files\Microsoft Application Compatibility Toolkit 5
2007-12-02 16:47 . 2007-12-04 20:15 <DIR> d-------- C:\_Klasf
2007-12-01 14:29 . 2007-12-15 20:28 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-12-01 14:29 . 2007-12-01 14:29 1,409 --a------ C:\WINDOWS\QTFont.for

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-18 19:46 76 ----a-w C:\Program Files\wpciiugo.txt
2007-12-18 11:12 --------- d-----w C:\Program Files\Network Associates
2007-12-17 23:33 14,336 ----a-w C:\WINDOWS\system32\svchost.exe
2007-12-16 08:45 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-12-12 14:09 --------- d-----w C:\Documents and Settings\MyAccount\Data aplikací\Skype
2007-12-12 14:09 --------- d-----w C:\Documents and Settings\MyAccount\Data aplikací\Skype
2007-12-12 14:09 --------- d-----w C:\Documents and Settings\MyAccount\Data aplikací\Skype
2007-12-11 10:09 --------- d-----w C:\Program Files\JPH Software
2007-11-23 19:08 --------- d-----w C:\Program Files\ABBYY FineReader 7.0 Professional Edition
2007-11-21 15:08 --------- d-----w C:\Documents and Settings\MyAccount\Data aplikací\Hamachi
2007-11-21 15:08 --------- d-----w C:\Documents and Settings\MyAccount\Data aplikací\Hamachi
2007-11-21 15:08 --------- d-----w C:\Documents and Settings\MyAccount\Data aplikací\Hamachi
2007-11-18 09:31 --------- d-----w C:\Program Files\Totalcmd
2007-11-11 11:22 25,280 ----a-w C:\WINDOWS\system32\drivers\hamachi.sys
2007-11-09 09:02 --------- d-----w C:\Program Files\AlfaMini-stopky
2007-11-05 15:38 172,088 ----a-w C:\WINDOWS\system32\vfLuaPriv2.dll
2007-11-02 20:29 10,340 ----a-w C:\Program Files\uninstal.log
2007-11-02 20:29 --------- d-----w C:\Program Files\Encore 4.5.3
2007-11-02 20:28 --------- d-----w C:\Program Files\Example Files
2007-11-02 19:55 --------- d-----w C:\Program Files\GVOX
2007-10-19 12:43 --------- d-----w C:\Program Files\BrigSoft
2006-06-29 09:29 6,766 ----a-w C:\Program Files\Sudoku z časopisu4.sud
2006-06-27 12:07 6,398 ----a-w C:\Program Files\Sudoku z časopisu3.sud
2006-06-27 12:01 6,829 ----a-w C:\Program Files\Sudoku z časopisu2.sud
2006-06-27 11:49 6,838 ----a-w C:\Program Files\Sudoku z časopisu.sud
2006-01-31 17:39 40,960 ----a-w C:\Program Files\LphViewer.exe
2002-12-11 13:17 13,366,265 --s-a-w C:\Program Files\Encore Manual.pdf
.

((((((((((((((((((((((((((((( snapshot@2007-12-18_19.52.30.50 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-12-18 21:52:44 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_590.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"H/PC Connection Agent"="C:\Microsoft ActiveSync\WCESCOMM.EXE" [2005-01-19 15:07]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-18 13:00]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TomcatStartup 2.5"="C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe" [2004-05-20 17:40]
"StatusClient 2.6"="C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe" [2004-02-27 18:29]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2005-04-05 07:23]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-04-05 07:22]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe" [2001-11-29 20:39]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-04-05 07:19]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-18 13:00 C:\WINDOWS\system32\bthprops.cpl]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 14:00]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-18 13:00]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"tscuninstall"="C:\WINDOWS\system32\tscupgrd.exe" [2004-08-18 13:00]

C:\Documents and Settings\MyAccount\Nabídka Start\Programy\Po spuštění\
UMAX VistaAccess.lnk - C:\VSTASCAN\vsaccess.exe [2005-11-30 21:41:40]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\{ApplicationVerifierGlobalSettings}]
ReminderDebugger=0 (0x0)

R3 CLEDX;Team H2O CLEDX service;C:\WINDOWS\system32\DRIVERS\cledx.sys [2005-05-09 19:08]
R3 NeroCd2k;NeroCd2k;C:\WINDOWS\system32\drivers\NeroCd2k.sys [2001-04-16 11:54]
R3 PSched;Plánovač paketů technologie QoS;C:\WINDOWS\system32\DRIVERS\psched.sys [2004-08-18 13:00]
S0 iwsmrlwj;iwsmrlwj;C:\WINDOWS\system32\drivers\upmtsrai.sys []
S2 SMTPSVC;Simple Mail Transport Protocol (SMTP);C:\WINDOWS\system32\inetsrv\inetinfo.exe []
S3 FILEMON;FILEMON;D:\Tools\System\FileMon\FILEM.SYS [2000-01-30 16:45]
S3 genmcmn;Scroll Mouse Driver;C:\WINDOWS\system32\DRIVERS\gmfiltr.sys []
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys [2007-01-25 18:31]
S3 ntosnh.sys;ntosnh.sys;C:\WINDOWS\system32\drivers\ntosnh.sys [2007-12-18 01:09]
S3 ntoss.sys;ntoss.sys;C:\WINDOWS\system32\drivers\ntoss.sys [2007-12-18 01:09]
S3 pgsql-8.2;PostgreSQL Database Server 8.2;"C:\Program Files\PostgreSQL\8.2\bin\pg_ctl.exe" runservice -N "pgsql-8.2" -D "C:\Program Files\PostgreSQL\8.2\data\" []
S3 REGMON;REGMON;C:\WINDOWS\system32\drivers\REGSYS.SYS []
S4 msvsmon80;Visual Studio 2005 Remote Debugger;"C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe" /service msvsmon80 []
S4 Neurotechnologija;Neurotechnologija;"C:\Program Files\Neurotechnologija\VeriFinger 5.0 Standard SDK Trial\bin\Win32_x86\Activation\pg.exe" []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4fc3fc7a-52de-11da-bfd7-90f5d427fb52}]
\Shell\AutoRun\command - E:\nvda\nvda.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{852a0537-52e1-11da-a0b3-806d6172696f}]
\Shell\AutoRun\command - X:\SETUP.EXE /AUTORUN
\Shell\configure\command - X:\SETUP.EXE
\Shell\install\command - X:\SETUP.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f7326f3c-61c6-11dc-be70-0013d4b70910}]
\Shell\AutoRun\command - E:\nvda.exe

.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-18 22:59:16
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\MySql]
"ImagePath"="C:/mysql/bin/mysqld-nt.exe"
.
Completion time: 2007-12-18 22:59:48
C:\ComboFix2.txt ... 2007-12-18 19:52
.
2007-12-18 20:53:32 --- E O F ---
rary
Beginner
Registered: 20 Jun 2006

Post by rary »

Run Avenger again and paste the following script into it:

Files to delete:
C:\WINDOWS\system32\drivers\ntoss.sys
C:\WINDOWS\system32\drivers\ntosnh.sys
C:\WINDOWS\system32\svch5f2.exe
C:\WINDOWS\system32\svch0.exe

Drivers to delete:
ntosnh.sys
ntoss.sys


Your computer will restart twice; after the second restart, paste here the log that appears, plus a new ComboFix log.

Have these files checked on VirusTotal:
C:\WINDOWS\system32\w32sys1.exe
C:\WINDOWS\system32\w32sys15.exe
C:\WINDOWS\system32\w32sys0.exe
C:\WINDOWS\SecFloader.icon
C:\WINDOWS\system32\drivers\upmtsrai.sys
C:\WINDOWS\system32\drivers\REGSYS.SYS

And copy the results here.
BUBINO
Beginner
Registered: 12 Jun 2007
Location: I have one

Post by BUBINO »

RARRY, you have significant errors in there! :roll: :roll: :roll:
BUBINO
Beginner
Registered: 12 Jun 2007
Location: I have one

Post by BUBINO »

You have quite a lot of junk in there.

Copy the following into Avenger:
Drivers to unload:
iwsmrlwj
ntosnh.sys
ntoss.sys

Files to delete:
C:\WINDOWS\system32\drivers\upmtsrai.sys
C:\WINDOWS\system32\drivers\ntosnh.sys
C:\WINDOWS\system32\drivers\ntoss.sy
C:\Program Files\LphViewer.exe
C:\Program Files\wpciiugo.txt
C:\WINDOWS\QTFont.for
C:\WINDOWS\QTFont.qfn
C:\WINDOWS\SecFloader.icon
C:\WINDOWS\system32\svch0.exe
C:\WINDOWS\system32\svch5f2.exe
C:\WINDOWS\SET51.tmp
C:\WINDOWS\SET42.tmp
C:\WINDOWS\SET45.tmp
C:\WINDOWS\SET52.tmp
C:\WINDOWS\SET43.tmp
C:\WINDOWS\SET46.tmp
C:\WINDOWS\SET44.tmp
C:\WINDOWS\SET47.tmp
C:\WINDOWS\system32\w32sys1.exe
C:\WINDOWS\system32\w32sys15.exe
C:\WINDOWS\system32\w32sys0.exe

Folders to delete:
C:\WINDOWS\msapps
DONE --> traffic light --> OK
After the restart, post here the log that pops up. It is also in c:\avenger.txt.
Then make a new ComboFix log.


Test on virustotal.com:
C:\WINDOWS\system32\drivers\npf.sys
Post the results here.


I would ask you to check this folder and its contents:
C:\_Klasf

I assume you recognize these:
C:\Program Files\Sudoku z časopisu4.sud
C:\Program Files\Sudoku z časopisu3.sud
C:\Program Files\Sudoku z časopisu2.sud
C:\Program Files\Sudoku z časopisu.sud
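The way a helper picks out the driver entries worth removing from the "Reg Loading Points" section of a ComboFix log can be made explicit. The script below is an added example, not part of this thread and not a ComboFix feature: it parses a constructed excerpt of the service lines shown in the log above (same format: start type, service name, display name, image path, bracketed file timestamp) and flags entries on simple, objective criteria: no recorded file timestamp, a file timestamp close to the scan time, a display name that merely repeats a service name unrelated to the file name, or a service registered under the bare file name. The scan time is taken from the catchme header in the same log; the seven-day window is an assumption.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed excerpt modelled on the service lines in the ComboFix log above.
SAMPLE_SERVICES = r"""
R3 PSched;Plánovač paketů technologie QoS;C:\WINDOWS\system32\DRIVERS\psched.sys [2004-08-18 13:00]
S0 iwsmrlwj;iwsmrlwj;C:\WINDOWS\system32\drivers\upmtsrai.sys []
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys [2007-01-25 18:31]
S3 ntosnh.sys;ntosnh.sys;C:\WINDOWS\system32\drivers\ntosnh.sys [2007-12-18 01:09]
S3 ntoss.sys;ntoss.sys;C:\WINDOWS\system32\drivers\ntoss.sys [2007-12-18 01:09]
S3 pgsql-8.2;PostgreSQL Database Server 8.2;"C:\Program Files\PostgreSQL\8.2\bin\pg_ctl.exe" runservice -N "pgsql-8.2" -D "C:\Program Files\PostgreSQL\8.2\data\" []
"""

# Time of the "Rootkit scan" line in the same log; used as the reference point for "recent".
SCAN_TIME = datetime(2007, 12, 18, 22, 59)

# <start type> <service name>;<display name>;<command line> [<file timestamp or empty>]
_LINE = re.compile(
    r"^(?P<start>[RS]\d) (?P<name>[^;]+);(?P<display>[^;]*);(?P<cmd>.*) \[(?P<ts>[^\]]*)\]$"
)


@dataclass
class Finding:
    name: str
    image: str
    reasons: list = field(default_factory=list)


def _image_path(cmd: str) -> str:
    """Drop arguments: for a quoted command line keep only the quoted executable."""
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    return cmd


def triage_services(text: str, scan_time: datetime, recent_days: int = 7) -> list:
    """Return the services that trip at least one triage rule, with the reasons."""
    findings = []
    for raw in text.splitlines():
        m = _LINE.match(raw.strip())
        if not m:
            continue
        name, display, ts = m["name"], m["display"], m["ts"]
        image = _image_path(m["cmd"])
        base = image.rsplit("\\", 1)[-1]          # e.g. upmtsrai.sys
        stem = base.rsplit(".", 1)[0]             # e.g. upmtsrai
        reasons = []
        if not ts:
            reasons.append("no file timestamp recorded (file missing/hidden, or a command line with arguments)")
        else:
            when = datetime.strptime(ts, "%Y-%m-%d %H:%M")
            if timedelta(0) <= scan_time - when <= timedelta(days=recent_days):
                reasons.append(f"file timestamp within {recent_days} days of the scan")
        if display == name and name.lower() not in (stem.lower(), base.lower()):
            reasons.append("display name only repeats the service name, which does not match the file name")
        if name.lower() == base.lower():
            reasons.append("service registered under the bare file name")
        if reasons:
            findings.append(Finding(name, image, reasons))
    return findings


def triage_sample() -> list:
    """Run the triage over the constructed excerpt with the log's own scan time."""
    return triage_services(SAMPLE_SERVICES, SCAN_TIME)


if __name__ == "__main__":
    for f in triage_sample():
        print(f"{f.name}: {f.image}")
        for r in f.reasons:
            print(f"    - {r}")
```

On the excerpt this flags iwsmrlwj (no timestamp, display name unrelated to upmtsrai.sys), ntosnh.sys and ntoss.sys (created the day of the scan, registered under the bare file name) and also pgsql-8.2, which only trips the "no timestamp" rule because ComboFix records none for quoted command lines with arguments. The output is a triage list for a person to check against known software, not a verdict.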
Pavel777
Newbie
Registered: 18 Dec 2007

Post by Pavel777 »

Thanks, I'm on it, but if anyone is around - a few things are bugging me. When I just opened the site http://www.jphsw.cz from another PC (hopefully clean so far), VirusScan popped up with trojans. I maintain that site and there is nothing on it - just a few PHP and JS files. Could someone carefully take a look at those pages for me? Couldn't the ISP's server be infected?
BUBINO
Beginner
Registered: 12 Jun 2007
Location: I have one

Post by BUBINO »

Does that computer have URL checking for websites? Spybot has something like that. Also, what browser is it? Didn't you download some online PC-checking shell from the internet, something like VirusScan? C:\Documents and Settings\All Users\Data aplikací\Prevx
I would uninstall this completely, install an antivirus such as NOD, avast etc., update it and wait. Nothing is reported here for me.
Pavel777
Newbie
Registered: 18 Dec 2007

Post by Pavel777 »

I'm completely lost now. That _Klasf is my software tests - I removed it, it's clean. By URL checking, do you mean on my PC here? I had VirusScan and it found nothing. Now I have Avast - it seems to watch more. I browse with IE6 and 7. Prevx means nothing to me. Unless it's from the plethora of tests I've been doing here over the last 3 days. There are more of those set3.tmp... files now, so I'll extend it to them too..
BUBINO
Beginner
Registered: 12 Jun 2007
Location: I have one

Post by BUBINO »

I need you to post here the log from what I wrote above. Delete that, it's a pile of viruses. Then we'll continue. You have to hold on.
Pavel777
Newbie
Registered: 18 Dec 2007

Post by Pavel777 »

I'm working on it, but it's tough. Doesn't Avenger bail out when it can't find a file? It immediately didn't find one - upmtsrai.sys. I feel like it's living a life of its own under my hands.
BUBINO
Beginner
Registered: 12 Jun 2007
Location: I have one

Post by BUBINO »

Leave all that as it is, just post a new log here from the computer we are dealing with :-)
Pavel777
Newbie
Registered: 18 Dec 2007

Post by Pavel777 »

So Avenger wrote:
Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\dveverkb

*******************

Script file located at: \??\C:\WINDOWS\kewukbml.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Driver iwsmrlwj unloaded successfully.
Driver ntosnh.sys unloaded successfully.
Driver ntoss.sys unloaded successfully.


File C:\WINDOWS\system32\drivers\upmtsrai.sys not found!
Deletion of file C:\WINDOWS\system32\drivers\upmtsrai.sys failed!

Could not process line:
C:\WINDOWS\system32\drivers\upmtsrai.sys
Status: 0xc0000034

File C:\WINDOWS\system32\drivers\ntosnh.sys deleted successfully.


File C:\WINDOWS\system32\drivers\ntoss.sy not found!
Deletion of file C:\WINDOWS\system32\drivers\ntoss.sy failed!

Could not process line:
C:\WINDOWS\system32\drivers\ntoss.sy
Status: 0xc0000034

File C:\Program Files\LphViewer.exe deleted successfully.


File C:\Program Files\wpciiugo.txt not found!
Deletion of file C:\Program Files\wpciiugo.txt failed!

Could not process line:
C:\Program Files\wpciiugo.txt
Status: 0xc0000034

File C:\WINDOWS\QTFont.for deleted successfully.
File C:\WINDOWS\QTFont.qfn deleted successfully.
File C:\WINDOWS\SecFloader.icon deleted successfully.
File C:\WINDOWS\system32\svch0.exe deleted successfully.
File C:\WINDOWS\system32\svch5f2.exe deleted successfully.
File c:\Windows\SET3.tmp deleted successfully.
File c:\Windows\SET4.tmp deleted successfully.
File c:\Windows\SET42.tmp deleted successfully.
File c:\Windows\SET43.tmp deleted successfully.
File c:\Windows\SET44.tmp deleted successfully.
File c:\Windows\SET45.tmp deleted successfully.
File c:\Windows\SET46.tmp deleted successfully.
File c:\Windows\SET47.tmp deleted successfully.
File c:\Windows\SET51.tmp deleted successfully.
File c:\Windows\SET52.tmp deleted successfully.
File c:\Windows\SET53.tmp deleted successfully.
File c:\Windows\SET8.tmp deleted successfully.
File c:\Windows\SETC8.tmp deleted successfully.
File c:\Windows\SETCB.tmp deleted successfully.
File c:\Windows\SETD7.tmp deleted successfully.
File C:\WINDOWS\system32\w32sys1.exe deleted successfully.
File C:\WINDOWS\system32\w32sys15.exe deleted successfully.
File C:\WINDOWS\system32\w32sys0.exe deleted successfully.
Folder C:\WINDOWS\msapps deleted successfully.

Completed script processing.

*******************

Finished! Terminate.


and ComboFix:

ComboFix 07-12-18.1 - Pavel Holec 2007-12-19 20:56:25.3 - NTFSx86
Systém Microsoft Windows XP Professional 5.1.2600.2.1250.1.1029.18.604 [GMT 1:00]
Running from: C:\Documents and Settings\Pavel Holec\Plocha\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2007-11-19 to 2007-12-19 )))))))))))))))))))))))))))))))
.

2007-12-18 12:13 . 2007-12-18 12:13 <DIR> d-------- C:\Program Files\Alwil Software
2007-12-18 12:13 . 2007-12-04 14:04 837,496 --a------ C:\WINDOWS\system32\aswBoot.exe
2007-12-18 12:13 . 2004-01-09 10:13 380,928 --a------ C:\WINDOWS\system32\actskin4.ocx
2007-12-18 12:13 . 2007-12-04 13:54 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
2007-12-18 12:13 . 2007-12-04 15:55 94,544 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-12-18 12:13 . 2007-12-04 15:56 93,264 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2007-12-18 12:13 . 2007-12-04 15:51 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2007-12-18 12:13 . 2007-12-04 15:49 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2007-12-18 12:13 . 2007-12-04 15:53 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2007-12-18 12:09 . 2007-12-18 12:09 <DIR> d-------- C:\Documents and Settings\Pavel Holec\Data aplikací\PrevxCSI
2007-12-18 12:09 . 2007-12-18 12:09 <DIR> d-------- C:\Documents and Settings\All Users\Data aplikací\Prevx
2007-12-18 11:18 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-12-18 11:18 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-12-18 11:18 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-12-17 22:39 . 2007-12-18 01:09 4,608 --a------ C:\WINDOWS\system32\drivers\ntoss.sys
2007-12-17 19:59 . 2004-08-17 15:49 153,088 --a------ C:\WINDOWS\system32\irftp.exe
2007-12-17 19:59 . 2004-08-17 15:49 153,088 --a--c--- C:\WINDOWS\system32\dllcache\irftp.exe
2007-12-17 19:59 . 2004-08-17 15:49 26,624 --a------ C:\WINDOWS\system32\irmon.dll
2007-12-17 19:59 . 2004-08-17 15:49 26,624 --a--c--- C:\WINDOWS\system32\dllcache\irmon.dll
2007-12-17 19:59 . 2004-08-17 15:49 8,192 --a------ C:\WINDOWS\system32\wshirda.dll
2007-12-17 19:59 . 2004-08-17 15:49 8,192 --a--c--- C:\WINDOWS\system32\dllcache\wshirda.dll
2007-12-17 09:54 . 2005-04-05 07:23 139,264 -ra------ C:\WINDOWS\system32\igfxres.dll
2007-12-17 09:47 . 2007-12-17 09:47 749 -rah----- C:\WINDOWS\WindowsShell.Manifest
2007-12-17 09:47 . 2007-12-17 09:47 749 -rah----- C:\WINDOWS\system32\wuaucpl.cpl.manifest
2007-12-17 09:47 . 2007-12-17 09:47 749 -rah----- C:\WINDOWS\system32\sapi.cpl.manifest
2007-12-17 09:47 . 2007-12-17 09:47 749 -rah----- C:\WINDOWS\system32\nwc.cpl.manifest
2007-12-17 09:47 . 2007-12-17 09:47 749 -rah----- C:\WINDOWS\system32\ncpa.cpl.manifest
2007-12-17 09:47 . 2007-12-17 09:47 488 -rah----- C:\WINDOWS\system32\logonui.exe.manifest
2007-12-17 09:37 . 2004-08-18 13:00 24,661 --a------ C:\WINDOWS\system32\spxcoins.dll
2007-12-17 09:37 . 2004-08-18 13:00 13,312 --a------ C:\WINDOWS\system32\irclass.dll
2007-12-16 23:39 . 2007-12-16 23:39 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2007-12-16 22:38 . 2007-12-16 22:38 <DIR> d-------- C:\Program Files\InCode Solutions
2007-12-16 20:37 . 2004-08-18 13:00 21,896 --a------ C:\WINDOWS\system32\drivers\tdtcp.sys
2007-12-16 20:37 . 2004-08-18 13:00 12,040 --a------ C:\WINDOWS\system32\drivers\tdpipe.sys
2007-12-16 20:30 . 2004-08-18 13:00 1,896,102 --a--c--- C:\WINDOWS\system32\dllcache\NT5.CAT
2007-12-16 20:30 . 2004-08-18 13:00 621,080 --a--c--- C:\WINDOWS\system32\dllcache\NT5INF.CAT
2007-12-16 09:31 . 2007-12-16 09:31 <DIR> dr------- C:\Documents and Settings\LocalService\Oblíbené položky
2007-12-15 23:33 . 2007-12-17 23:14 <DIR> dr------- C:\Documents and Settings\LocalService\Dokumenty
2007-12-09 14:08 . 2007-12-09 14:08 <DIR> d-------- C:\Program Files\Neurotechnologija
2007-12-08 16:30 . 2007-12-08 16:30 <DIR> d-------- C:\Program Files\MicrosoftDigitalPersona
2007-12-08 16:19 . 2007-12-16 09:45 <DIR> d-------- C:\WINDOWS\DPDrv
2007-12-06 23:05 . 2007-12-06 23:05 <DIR> d-------- C:\Program Files\Application Verifier
2007-12-06 22:24 . 2007-12-06 22:24 <DIR> d-------- C:\Program Files\Microsoft Application Compatibility Toolkit 5

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-19 19:17 --------- d-----w C:\Program Files\Sudoku
2007-12-18 11:12 --------- d-----w C:\Program Files\Network Associates
2007-12-17 23:33 14,336 ----a-w C:\WINDOWS\system32\svchost.exe
2007-12-16 08:45 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-12-12 14:09 --------- d-----w C:\Documents and Settings\Pavel Holec\Data aplikací\Skype
2007-12-11 10:09 --------- d-----w C:\Program Files\JPH Software
2007-11-23 19:08 --------- d-----w C:\Program Files\ABBYY FineReader 7.0 Professional Edition
2007-11-21 15:08 --------- d-----w C:\Documents and Settings\Pavel Holec\Data aplikací\Hamachi
2007-11-18 09:31 --------- d-----w C:\Program Files\Totalcmd
2007-11-11 11:22 25,280 ----a-w C:\WINDOWS\system32\drivers\hamachi.sys
2007-11-09 09:02 --------- d-----w C:\Program Files\AlfaMini-stopky
2007-11-05 15:38 172,088 ----a-w C:\WINDOWS\system32\vfLuaPriv2.dll
2007-11-02 20:29 10,340 ----a-w C:\Program Files\uninstal.log
2007-11-02 20:29 --------- d-----w C:\Program Files\Encore 4.5.3
2007-11-02 20:28 --------- d-----w C:\Program Files\Example Files
2007-11-02 19:55 --------- d-----w C:\Program Files\GVOX
2007-10-19 12:43 --------- d-----w C:\Program Files\BrigSoft
2002-12-11 13:17 13,366,265 ----a-w C:\Program Files\Encore Manual.pdf
.

((((((((((((((((((((((((((((( snapshot@2007-12-18_19.52.30.50 )))))))))))))))))))))))))))))))))))))))))
.
+ 2004-08-03 21:58:46 15,104 -c--a-w C:\WINDOWS\system32\dllcache\usbscan.sys
+ 2001-10-24 11:25:04 216,576 ----a-w C:\WINDOWS\system32\ReinstallBackups\0015\DriverFiles\i386\um34scan.dll
+ 2004-08-03 21:58:46 15,104 ----a-w C:\WINDOWS\system32\ReinstallBackups\0015\DriverFiles\i386\usbscan.sys
+ 2007-12-19 19:55:07 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_588.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"H/PC Connection Agent"="C:\Microsoft ActiveSync\WCESCOMM.EXE" [2005-01-19 15:07]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-18 13:00]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TomcatStartup 2.5"="C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe" [2004-05-20 17:40]
"StatusClient 2.6"="C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe" [2004-02-27 18:29]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2005-04-05 07:23]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-04-05 07:22]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe" [2001-11-29 20:39]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-04-05 07:19]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-18 13:00 C:\WINDOWS\system32\bthprops.cpl]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 14:00]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-18 13:00]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"tscuninstall"="C:\WINDOWS\system32\tscupgrd.exe" [2004-08-18 13:00]

C:\Documents and Settings\Pavel Holec\Nabídka Start\Programy\Po spuštění\
UMAX VistaAccess.lnk - C:\VSTASCAN\vsaccess.exe [2005-11-30 21:41:40]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\{ApplicationVerifierGlobalSettings}]
ReminderDebugger=0 (0x0)

R3 CLEDX;Team H2O CLEDX service;C:\WINDOWS\system32\DRIVERS\cledx.sys [2005-05-09 19:08]
R3 NeroCd2k;NeroCd2k;C:\WINDOWS\system32\drivers\NeroCd2k.sys [2001-04-16 11:54]
R3 PSched;Plánovač paketů technologie QoS;C:\WINDOWS\system32\DRIVERS\psched.sys [2004-08-18 13:00]
S2 SMTPSVC;Simple Mail Transport Protocol (SMTP);C:\WINDOWS\system32\inetsrv\inetinfo.exe []
S3 FILEMON;FILEMON;D:\Tools\System\FileMon\FILEM.SYS [2000-01-30 16:45]
S3 genmcmn;Scroll Mouse Driver;C:\WINDOWS\system32\DRIVERS\gmfiltr.sys []
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys [2007-01-25 18:31]
S3 pgsql-8.2;PostgreSQL Database Server 8.2;"C:\Program Files\PostgreSQL\8.2\bin\pg_ctl.exe" runservice -N "pgsql-8.2" -D "C:\Program Files\PostgreSQL\8.2\data\" []
S3 REGMON;REGMON;C:\WINDOWS\system32\drivers\REGSYS.SYS []
S4 msvsmon80;Visual Studio 2005 Remote Debugger;"C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe" /service msvsmon80 []
S4 Neurotechnologija;Neurotechnologija;"C:\Program Files\Neurotechnologija\VeriFinger 5.0 Standard SDK Trial\bin\Win32_x86\Activation\pg.exe" []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4fc3fc7a-52de-11da-bfd7-90f5d427fb52}]
\Shell\AutoRun\command - E:\nvda\nvda.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{852a0537-52e1-11da-a0b3-806d6172696f}]
\Shell\AutoRun\command - X:\SETUP.EXE /AUTORUN
\Shell\configure\command - X:\SETUP.EXE
\Shell\install\command - X:\SETUP.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f7326f3c-61c6-11dc-be70-0013d4b70910}]
\Shell\AutoRun\command - E:\nvda.exe

.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-19 20:58:34
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\MySql]
"ImagePath"="C:/mysql/bin/mysqld-nt.exe"
.
Completion time: 2007-12-19 20:59:04
C:\ComboFix2.txt ... 2007-12-18 22:59
C:\ComboFix3.txt ... 2007-12-18 19:52
.
2007-12-19 11:01:54 --- E O F ---


Then I also tested
C:\WINDOWS\system32\drivers\npf.sys
on virustotal.com and it said File has already been analysed:
MD5:
Date:
Results:
Permalink:
So I don't get it....
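The Avenger log above answers the question asked earlier in the thread: a script line whose file is missing is reported with NTSTATUS 0xc0000034 and processing continues with the next line. The following Python script is an added example, not part of the thread and not part of the Avenger tool: it parses a constructed excerpt of that log (SAMPLE_AVENGER_LOG is built from lines posted above) and summarises which targets were unloaded or deleted and which lines failed with which status, so a helper can spot at a glance a line that needs re-checking, such as the typo "ntoss.sy" for "ntoss.sys". Of the NTSTATUS names in the table, only 0xc0000034 appears on this page; the other two are well-known Windows values added here.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed excerpt in the format of the Avenger log posted above (a subset of its lines).
SAMPLE_AVENGER_LOG = r"""
Beginning to process script file:

Driver iwsmrlwj unloaded successfully.
Driver ntosnh.sys unloaded successfully.

File C:\WINDOWS\system32\drivers\upmtsrai.sys not found!
Deletion of file C:\WINDOWS\system32\drivers\upmtsrai.sys failed!

Could not process line:
C:\WINDOWS\system32\drivers\upmtsrai.sys
Status: 0xc0000034

File C:\WINDOWS\system32\drivers\ntosnh.sys deleted successfully.

File C:\WINDOWS\system32\drivers\ntoss.sy not found!
Deletion of file C:\WINDOWS\system32\drivers\ntoss.sy failed!

Could not process line:
C:\WINDOWS\system32\drivers\ntoss.sy
Status: 0xc0000034

File C:\WINDOWS\system32\svch0.exe deleted successfully.
Folder C:\WINDOWS\msapps deleted successfully.

Completed script processing.
"""

# Well-known NTSTATUS values; 0xc0000034 is the one the thread's log shows.
NTSTATUS_NAMES = {
    0xC0000034: "STATUS_OBJECT_NAME_NOT_FOUND",
    0xC0000022: "STATUS_ACCESS_DENIED",
    0xC0000043: "STATUS_SHARING_VIOLATION",
}

_SUCCESS = re.compile(r"^(Driver|File|Folder) (.+?) (unloaded|deleted) successfully\.$")
_FAILED = re.compile(r"^Deletion of (file|folder) (.+?) failed!$")
_STATUS = re.compile(r"^Status: (0x[0-9a-fA-F]+)$")


@dataclass
class Outcome:
    kind: str                    # "Driver", "File" or "Folder"
    target: str                  # driver name or path as printed in the log
    ok: bool
    status: Optional[int] = None  # NTSTATUS of a failed line, once seen

    @property
    def status_name(self) -> str:
        if self.status is None:
            return ""
        return NTSTATUS_NAMES.get(self.status, "UNKNOWN_NTSTATUS")


def parse_avenger_log(text: str) -> list:
    """Turn the per-line messages of an Avenger log into Outcome records."""
    outcomes = []
    pending = None  # the most recent failure still waiting for its "Status:" line
    for raw in text.splitlines():
        line = raw.strip()
        m = _SUCCESS.match(line)
        if m:
            outcomes.append(Outcome(m.group(1), m.group(2), True))
            continue
        m = _FAILED.match(line)
        if m:
            pending = Outcome(m.group(1).capitalize(), m.group(2), False)
            outcomes.append(pending)
            continue
        m = _STATUS.match(line)
        if m and pending is not None:
            pending.status = int(m.group(1), 16)
            pending = None
    return outcomes


def summarize(outcomes: list) -> dict:
    """Counts of successful actions plus the failed targets with their status names."""
    summary = {"unloaded": 0, "deleted": 0, "failed": []}
    for o in outcomes:
        if not o.ok:
            summary["failed"].append((o.target, o.status_name))
        elif o.kind == "Driver":
            summary["unloaded"] += 1
        else:
            summary["deleted"] += 1
    return summary


def analyse_sample() -> dict:
    return summarize(parse_avenger_log(SAMPLE_AVENGER_LOG))


if __name__ == "__main__":
    s = analyse_sample()
    print(f"drivers unloaded: {s['unloaded']}, files/folders deleted: {s['deleted']}")
    for target, status in s["failed"]:
        print(f"FAILED {target} ({status})")
```

A failed line with STATUS_OBJECT_NAME_NOT_FOUND means either the file was already gone (as with upmtsrai.sys here, after the driver that used it was unloaded) or the script line did not name an existing path (ntoss.sy), which is why the helper's next script repeats ntoss.sys with the correct name.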
BUBINO
Beginner
Registered: 12 Jun 2007
Location: I have one

Post by BUBINO »

Copy this into Avenger as well:
Drivers to unload:
Neurotechnologija

Files to delete:
C:\WINDOWS\system32\drivers\ntoss.sys
C:\WINDOWS\system32\SrchSTS.exe
C:\WINDOWS\system32\Process.exe
C:\Program Files\Neurotechnologija\VeriFinger 5.0 Standard SDK Trial\bin\Win32_x86\Activation\pg.exe

Folders to delete:
C:\Program Files\Neurotechnologija
C:\Documents and Settings\Pavel Holec\Data aplikací\PrevxCSI
C:\Documents and Settings\All Users\Data aplikací\Prevx
Test these on virustotal.com and post the results here:
C:\WINDOWS\system32\vfLuaPriv2.dll
C:\WINDOWS\system32\drivers\npf.sys
When the table pops up, click the right-hand button. There are two.

Scrub the computer with CCleaner:
http://www.viry.cz/forum/viewtopic.php?t=7478

Install the latest updates into avast.

Report whether the problems have gone.
Pavel777
Newbie
Registered: 18 Dec 2007

Post by Pavel777 »

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\hkqrclcd

*******************

Script file located at: \??\C:\Program Files\dpddwkmn.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Driver Neurotechnologija unloaded successfully.
File C:\WINDOWS\system32\drivers\ntoss.sys deleted successfully.
File C:\WINDOWS\system32\SrchSTS.exe deleted successfully.
File C:\WINDOWS\system32\Process.exe deleted successfully.


File C:\Program Files\Neurotechnologija\VeriFinger 5.0 Standard SDK Trial\bin\Win32_x86\Activation\pg.exe not found!
Deletion of file C:\Program Files\Neurotechnologija\VeriFinger 5.0 Standard SDK Trial\bin\Win32_x86\Activation\pg.exe failed!

Could not process line:
C:\Program Files\Neurotechnologija\VeriFinger 5.0 Standard SDK Trial\bin\Win32_x86\Activation\pg.exe
Status: 0xc0000034

Folder C:\Documents and Settings\Pavel Holec\Data aplikací\PrevxCSI deleted successfully.
Folder C:\Documents and Settings\All Users\Data aplikací\Prevx deleted successfully.

Completed script processing.

*******************

Finished! Terminate.


ComboFix 07-12-18.1 - Pavel Holec 2007-12-19 21:46:34.4 - NTFSx86
Systém Microsoft Windows XP Professional 5.1.2600.2.1250.1.1029.18.604 [GMT 1:00]
Running from: C:\Documents and Settings\Pavel Holec\Plocha\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2007-11-19 to 2007-12-19 )))))))))))))))))))))))))))))))
.

2007-12-18 12:13 . 2007-12-18 12:13 <DIR> d-------- C:\Program Files\Alwil Software
2007-12-18 12:13 . 2007-12-04 14:04 837,496 --a------ C:\WINDOWS\system32\aswBoot.exe
2007-12-18 12:13 . 2004-01-09 10:13 380,928 --a------ C:\WINDOWS\system32\actskin4.ocx
2007-12-18 12:13 . 2007-12-04 13:54 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
2007-12-18 12:13 . 2007-12-04 15:55 94,544 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-12-18 12:13 . 2007-12-04 15:56 93,264 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2007-12-18 12:13 . 2007-12-04 15:51 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2007-12-18 12:13 . 2007-12-04 15:49 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2007-12-18 12:13 . 2007-12-04 15:53 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2007-12-18 11:18 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-12-17 19:59 . 2004-08-17 15:49 153,088 --a------ C:\WINDOWS\system32\irftp.exe
2007-12-17 19:59 . 2004-08-17 15:49 153,088 --a--c--- C:\WINDOWS\system32\dllcache\irftp.exe
2007-12-17 19:59 . 2004-08-17 15:49 26,624 --a------ C:\WINDOWS\system32\irmon.dll
2007-12-17 19:59 . 2004-08-17 15:49 26,624 --a--c--- C:\WINDOWS\system32\dllcache\irmon.dll
2007-12-17 19:59 . 2004-08-17 15:49 8,192 --a------ C:\WINDOWS\system32\wshirda.dll
2007-12-17 19:59 . 2004-08-17 15:49 8,192 --a--c--- C:\WINDOWS\system32\dllcache\wshirda.dll
2007-12-17 09:54 . 2005-04-05 07:23 139,264 -ra------ C:\WINDOWS\system32\igfxres.dll
2007-12-17 09:47 . 2007-12-17 09:47 749 -rah----- C:\WINDOWS\WindowsShell.Manifest
2007-12-17 09:47 . 2007-12-17 09:47 749 -rah----- C:\WINDOWS\system32\wuaucpl.cpl.manifest
2007-12-17 09:47 . 2007-12-17 09:47 749 -rah----- C:\WINDOWS\system32\sapi.cpl.manifest
2007-12-17 09:47 . 2007-12-17 09:47 749 -rah----- C:\WINDOWS\system32\nwc.cpl.manifest
2007-12-17 09:47 . 2007-12-17 09:47 749 -rah----- C:\WINDOWS\system32\ncpa.cpl.manifest
2007-12-17 09:47 . 2007-12-17 09:47 488 -rah----- C:\WINDOWS\system32\logonui.exe.manifest
2007-12-17 09:37 . 2004-08-18 13:00 24,661 --a------ C:\WINDOWS\system32\spxcoins.dll
2007-12-17 09:37 . 2004-08-18 13:00 13,312 --a------ C:\WINDOWS\system32\irclass.dll
2007-12-16 23:39 . 2007-12-16 23:39 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2007-12-16 22:38 . 2007-12-16 22:38 <DIR> d-------- C:\Program Files\InCode Solutions
2007-12-16 20:37 . 2004-08-18 13:00 21,896 --a------ C:\WINDOWS\system32\drivers\tdtcp.sys
2007-12-16 20:37 . 2004-08-18 13:00 12,040 --a------ C:\WINDOWS\system32\drivers\tdpipe.sys
2007-12-16 20:30 . 2004-08-18 13:00 1,896,102 --a--c--- C:\WINDOWS\system32\dllcache\NT5.CAT
2007-12-16 20:30 . 2004-08-18 13:00 621,080 --a--c--- C:\WINDOWS\system32\dllcache\NT5INF.CAT
2007-12-16 09:31 . 2007-12-16 09:31 <DIR> dr------- C:\Documents and Settings\LocalService\Oblíbené položky
2007-12-15 23:33 . 2007-12-17 23:14 <DIR> dr------- C:\Documents and Settings\LocalService\Dokumenty
2007-12-09 14:08 . 2007-12-09 14:08 <DIR> d-------- C:\Program Files\Neurotechnologija
2007-12-08 16:30 . 2007-12-08 16:30 <DIR> d-------- C:\Program Files\MicrosoftDigitalPersona
2007-12-08 16:19 . 2007-12-16 09:45 <DIR> d-------- C:\WINDOWS\DPDrv
2007-12-06 23:05 . 2007-12-06 23:05 <DIR> d-------- C:\Program Files\Application Verifier
2007-12-06 22:24 . 2007-12-06 22:24 <DIR> d-------- C:\Program Files\Microsoft Application Compatibility Toolkit 5

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-19 19:17 --------- d-----w C:\Program Files\Sudoku
2007-12-18 11:12 --------- d-----w C:\Program Files\Network Associates
2007-12-17 23:33 14,336 ----a-w C:\WINDOWS\system32\svchost.exe
2007-12-16 08:45 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-12-12 14:09 --------- d-----w C:\Documents and Settings\Pavel Holec\Data aplikací\Skype
2007-12-11 10:09 --------- d-----w C:\Program Files\JPH Software
2007-11-23 19:08 --------- d-----w C:\Program Files\ABBYY FineReader 7.0 Professional Edition
2007-11-21 15:08 --------- d-----w C:\Documents and Settings\Pavel Holec\Data aplikací\Hamachi
2007-11-18 09:31 --------- d-----w C:\Program Files\Totalcmd
2007-11-11 11:22 25,280 ----a-w C:\WINDOWS\system32\drivers\hamachi.sys
2007-11-09 09:02 --------- d-----w C:\Program Files\AlfaMini-stopky
2007-11-05 15:38 172,088 ----a-w C:\WINDOWS\system32\vfLuaPriv2.dll
2007-11-02 20:29 10,340 ----a-w C:\Program Files\uninstal.log
2007-11-02 20:29 --------- d-----w C:\Program Files\Encore 4.5.3
2007-11-02 20:28 --------- d-----w C:\Program Files\Example Files
2007-11-02 19:55 --------- d-----w C:\Program Files\GVOX
2007-10-19 12:43 --------- d-----w C:\Program Files\BrigSoft
2002-12-11 13:17 13,366,265 ----a-w C:\Program Files\Encore Manual.pdf
.

((((((((((((((((((((((((((((( snapshot@2007-12-18_19.52.30.50 )))))))))))))))))))))))))))))))))))))))))
.
+ 2004-08-03 21:58:46 15,104 -c--a-w C:\WINDOWS\system32\dllcache\usbscan.sys
+ 2001-10-24 11:25:04 216,576 ----a-w C:\WINDOWS\system32\ReinstallBackups\0015\DriverFiles\i386\um34scan.dll
+ 2004-08-03 21:58:46 15,104 ----a-w C:\WINDOWS\system32\ReinstallBackups\0015\DriverFiles\i386\usbscan.sys
+ 2007-12-19 20:45:46 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_52c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"H/PC Connection Agent"="C:\Microsoft ActiveSync\WCESCOMM.EXE" [2005-01-19 15:07]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-18 13:00]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TomcatStartup 2.5"="C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe" [2004-05-20 17:40]
"StatusClient 2.6"="C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe" [2004-02-27 18:29]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2005-04-05 07:23]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-04-05 07:22]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe" [2001-11-29 20:39]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-04-05 07:19]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-18 13:00 C:\WINDOWS\system32\bthprops.cpl]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 14:00]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-18 13:00]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"tscuninstall"="C:\WINDOWS\system32\tscupgrd.exe" [2004-08-18 13:00]

C:\Documents and Settings\Pavel Holec\Nabídka Start\Programy\Po spuštění\
UMAX VistaAccess.lnk - C:\VSTASCAN\vsaccess.exe [2005-11-30 21:41:40]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\{ApplicationVerifierGlobalSettings}]
ReminderDebugger=0 (0x0)

R3 CLEDX;Team H2O CLEDX service;C:\WINDOWS\system32\DRIVERS\cledx.sys [2005-05-09 19:08]
R3 NeroCd2k;NeroCd2k;C:\WINDOWS\system32\drivers\NeroCd2k.sys [2001-04-16 11:54]
R3 PSched;Plánovač paketů technologie QoS;C:\WINDOWS\system32\DRIVERS\psched.sys [2004-08-18 13:00]
S2 SMTPSVC;Simple Mail Transport Protocol (SMTP);C:\WINDOWS\system32\inetsrv\inetinfo.exe []
S3 FILEMON;FILEMON;D:\Tools\System\FileMon\FILEM.SYS [2000-01-30 16:45]
S3 genmcmn;Scroll Mouse Driver;C:\WINDOWS\system32\DRIVERS\gmfiltr.sys []
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys [2007-01-25 18:31]
S3 pgsql-8.2;PostgreSQL Database Server 8.2;"C:\Program Files\PostgreSQL\8.2\bin\pg_ctl.exe" runservice -N "pgsql-8.2" -D "C:\Program Files\PostgreSQL\8.2\data\" []
S3 REGMON;REGMON;C:\WINDOWS\system32\drivers\REGSYS.SYS []
S4 msvsmon80;Visual Studio 2005 Remote Debugger;"C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe" /service msvsmon80 []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4fc3fc7a-52de-11da-bfd7-90f5d427fb52}]
\Shell\AutoRun\command - E:\nvda\nvda.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{852a0537-52e1-11da-a0b3-806d6172696f}]
\Shell\AutoRun\command - X:\SETUP.EXE /AUTORUN
\Shell\configure\command - X:\SETUP.EXE
\Shell\install\command - X:\SETUP.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f7326f3c-61c6-11dc-be70-0013d4b70910}]
\Shell\AutoRun\command - E:\nvda.exe

.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-19 21:49:05
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\MySql]
"ImagePath"="C:/mysql/bin/mysqld-nt.exe"
.
Completion time: 2007-12-19 21:49:37
C:\ComboFix2.txt ... 2007-12-19 20:59
C:\ComboFix3.txt ... 2007-12-18 22:59
.
2007-12-19 11:01:54 --- E O F ---