Where do you want that log from... from HijackThis or ComboFix?
Please check my log...
Moderators: Mods_senior, Security team
Forum rules
Guide to using HijackThis || Guide to cleaning your computer with CCleaner || FAQ: Antivirus
Re: Please check my log...
Now I'm a bit confused...
Where do you want that log from... from HijackThis or ComboFix?
- Baron Prášil
- Master Level 7

- Posts: 4882
- Registered: 09 Jun 2006 18:47
Re: Please check my log...
I needed you to do this. Since it didn't work for you the first time, I wanted you to use T-Cleaner and start clean:
Baron Prášil wrote:
Open Notepad (Start -> Run... type Notepad in the box and click OK)
Copy the following text marked in green into it:
File::
C:\WINDOWS\system32\qpdlafvy.dll
C:\WINDOWS\system32\saonsmxh.ini
C:\WINDOWS\system32\rtppytii.dll
C:\WINDOWS\system32\tyrmmmma.dll
C:\WINDOWS\system32\xfnwqdcr.dll
C:\WINDOWS\system32\qejibtpq.dll
C:\WINDOWS\system32\jaskvywk.ini
C:\WINDOWS\system32\xidvlklc.ini
C:\WINDOWS\system32\dsrfkwhn.ini
C:\WINDOWS\system32\ckfwkbug.ini
C:\WINDOWS\system32\ycvkjalp.ini
C:\WINDOWS\system32\vlnwiyhg.ini
C:\WINDOWS\system32\lnpgeqib.ini
C:\WINDOWS\system32\ajypmtqw.ini
C:\WINDOWS\system32\hxmsnoas.dll
C:\WINDOWS\system32\ufcfdfsq.dll
Folder::
c:\z_Drivers
Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"alpha"=-
"beta"=-
"gamma"=-
"SystemDriverLoad"=-
"SystemDriver"=-
"ADriver"=-
"CDriver"=-
"DDriver"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"d0ddf406"=-
"BMd3eec79a"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cbxuvsp]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"usnjsvc"=-
Choose File -> Save As... and set these parameters:
File name: type CFScript.txt here
Save as type: choose All files
Save the file to the desktop.
Close all active windows.
Drag the created CFScript.txt script with the mouse over the downloaded ComboFix.exe and, when the two files overlap, drop the script
- ComboFix will start automatically
- Paste here the log that appears at the end of the cleaning process + a new HijackThis log + info on how the computer behaves
Download ComboFix again - don't run the scan, but follow that cleaning guide.
So hopefully it's clear now. You have junk on there and we want to delete it with ComboFix.
Re: Please check my log...
Here is (hopefully correct this time) the ComboFix log:
ComboFix 08-04-11.8 - Tomáš 2008-04-12 18:31:36.4 - NTFSx86
Systém Microsoft Windows XP Professional 5.1.2600.2.1250.1.1029.18.282 [GMT 2:00]
Running from: C:\Documents and Settings\Tomáš\Plocha\ComboFix(2).exe
Command switches used :: C:\Documents and Settings\Tom ç\Plocha\CFScript.txt
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((( Files Created from 2008-03-12 to 2008-04-12 )))))))))))))))))))))))))))))))
.
2008-04-12 15:52 . 2008-04-12 15:52 241 --a------ C:\Documents and Settings\Tomáš\SR.vbs
2008-04-12 15:52 . 2008-04-12 15:52 241 --a------ C:\Documents and Settings\Tomáš\SR.vbs
2008-04-12 12:11 . 2008-04-12 12:11 <DIR> d-------- C:\WINDOWS\ERUNT
2008-04-12 10:22 . 2008-04-12 10:22 <DIR> d-------- C:\Program Files\Macromedia
2008-04-12 10:22 . 2008-04-12 10:22 <DIR> d-------- C:\Program Files\Common Files\Macromedia
2008-04-11 21:51 . 2008-04-11 21:51 3,648 --a------ C:\WINDOWS\system32\qpdlafvy.dll
2008-04-11 21:05 . 2008-04-11 21:05 0 --a------ C:\WINDOWS\BMd3eec79a.xml
2008-04-10 21:07 . 2008-04-11 21:51 594 ---hs---- C:\WINDOWS\system32\saonsmxh.ini
2008-04-10 21:04 . 2008-04-10 21:04 3,648 --a------ C:\WINDOWS\system32\rtppytii.dll
2008-04-09 21:03 . 2008-04-09 21:03 3,648 --a------ C:\WINDOWS\system32\tyrmmmma.dll
2008-04-09 20:03 . 2008-04-09 20:03 <DIR> d-------- C:\z_Drivers
2008-04-09 18:56 . 2008-04-09 18:56 3,648 --a------ C:\WINDOWS\system32\xfnwqdcr.dll
2008-04-08 17:04 . 2008-04-08 17:04 3,648 --a------ C:\WINDOWS\system32\qejibtpq.dll
2008-04-07 16:57 . 2008-03-29 19:31 75,856 --a------ C:\WINDOWS\system32\drivers\aswSP.sys
2008-04-07 16:57 . 2008-03-29 19:35 20,560 --a------ C:\WINDOWS\system32\drivers\aswFsBlk.sys
2008-03-30 15:45 . 2008-03-30 15:45 6 --a------ C:\tw0001.dat
2008-03-30 15:34 . 2008-04-07 16:51 <DIR> d-------- C:\Program Files\Bonjour
2008-03-30 15:09 . 2008-03-30 15:09 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2008-03-30 14:32 . 2008-04-10 20:28 <DIR> d-------- C:\Program Files\PowerISO
2008-03-30 14:11 . 2008-04-07 16:52 <DIR> d-------- C:\Program Files\free-downloads.net
2008-03-30 14:11 . 2008-03-30 14:11 <DIR> d-------- C:\Program Files\Alcohol Soft
2008-03-29 14:19 . 2008-03-29 14:25 416 --a------ C:\WINDOWS\wcx_ftp.ini
2008-03-26 17:13 . 2008-03-26 17:13 1,854 --ahs---- C:\WINDOWS\system32\jaskvywk.ini
2008-03-25 14:17 . 2008-03-26 17:11 1,794 --ahs---- C:\WINDOWS\system32\xidvlklc.ini
2008-03-24 11:35 . 2008-03-25 14:11 1,554 --ahs---- C:\WINDOWS\system32\dsrfkwhn.ini
2008-03-23 11:28 . 2008-03-24 11:28 1,194 --ahs---- C:\WINDOWS\system32\ckfwkbug.ini
2008-03-22 11:17 . 2008-03-23 11:25 1,074 --ahs---- C:\WINDOWS\system32\ycvkjalp.ini
2008-03-20 22:51 . 2008-03-22 11:14 774 --ahs---- C:\WINDOWS\system32\vlnwiyhg.ini
2008-03-20 15:24 . 2008-03-20 15:30 <DIR> d-------- C:\Program Files\The KMPlayer
2008-03-20 09:25 . 2008-03-20 09:25 294 --ahs---- C:\WINDOWS\system32\lnpgeqib.ini
2008-03-18 17:39 . 2008-03-18 17:39 294 --ahs---- C:\WINDOWS\system32\ajypmtqw.ini
2008-03-16 21:29 . 2008-03-16 21:30 <DIR> d-------- C:\EasyBoot
2008-03-16 20:40 . 2008-03-16 20:41 <DIR> d-------- C:\REATOGO-240
2008-03-16 19:59 . 2006-08-21 13:16 <DIR> d-------- C:\Program Files\REATOGO-240
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-12 10:09 2,075 ----a-w C:\WINDOWS\system32\drivers\fwdrv.err
2008-04-11 20:00 --------- d-----w C:\Documents and Settings\Tomáš\Data aplikací\OpenOffice.org2
2008-04-11 19:00 --------- d-----w C:\Program Files\FlashGet
2008-04-09 17:44 --------- d-----w C:\Program Files\Kool Musik
2008-03-30 13:34 --------- d-----w C:\Program Files\Common Files\Adobe
2008-03-29 22:54 --------- d-----w C:\Documents and Settings\Tomáš\Data aplikací\U3
2008-03-29 17:45 1,146,232 ----a-w C:\WINDOWS\system32\aswBoot.exe
2008-03-29 17:35 94,544 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
2008-03-29 17:29 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
2008-03-29 17:27 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
2008-03-29 17:26 26,944 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
2008-03-29 17:23 95,608 -c--a-w C:\WINDOWS\system32\AvastSS.scr
2008-03-28 15:16 --------- d-----w C:\Program Files\PSPad editor
2008-03-12 19:41 --------- d-----w C:\Program Files\RocketDock
2008-03-04 17:45 --------- d-----w C:\Program Files\Samurize
2008-03-01 12:04 --------- d-----w C:\Program Files\Burn4Free
2008-03-01 11:39 --------- d-----w C:\Program Files\Nokia
2008-03-01 11:35 --------- d-----w C:\Program Files\PVD15
2008-02-29 14:35 --------- d-----w C:\Program Files\Memory Max
2008-02-28 19:57 --------- d-----w C:\Documents and Settings\Tomáš\Data aplikací\ExportTool
2008-02-27 18:53 --------- d-----w C:\Program Files\iTunes
2008-02-24 19:44 --------- d-----w C:\Documents and Settings\Tomáš\Data aplikací\Bret Taylor
2008-02-24 19:37 --------- d-----w C:\Program Files\MoRUN.net
2008-02-24 16:57 --------- d-----w C:\Documents and Settings\All Users\Data aplikací\nView_Profiles
2008-02-24 16:09 --------- d-----w C:\Program Files\RadarSync
2008-02-24 14:03 --------- d-----w C:\Documents and Settings\All Users\Data aplikací\Spybot - Search & Destroy
2008-02-24 12:47 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-02-13 16:00 --------- d-----w C:\Program Files\DivX
2008-02-07 14:41 73,216 ----a-w C:\WINDOWS\ST6UNST.EXE
2008-02-07 14:41 249,856 ------w C:\WINDOWS\Setup1.exe
.
------- Sigcheck -------
2004-08-03 23:14 359040 9f4b36614a0fc234525ba224957de55c C:\WINDOWS\system32\dllcache\tcpip.sys
2004-08-03 23:14 359040 6a603809f598332dbedd535bdbce313e C:\WINDOWS\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((( snapshot@2008-04-12_16.37.25.73 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-04-12 16:19:55 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_634.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0BBDE44C-079B-4E03-B1F5-45A16691F551}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2AE66C8E-D2EB-4256-A5F9-F02DD25C07AA}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3E238016-2886-4A24-9EEE-DF90C74C61CB}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{588C7B62-DB2A-4ECC-BE87-0ECDC553054E}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7590549B-B0F1-4929-8BBD-E02B56C5622C}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{81219520-EA09-4E31-9F0B-55A1EB62374E}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8A9143AE-26B7-4F79-8F6F-DFB085727DFD}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8C909D5C-1FDE-4724-B4EA-D424EDDEAC0C}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{96292847-2CCA-4667-9D03-9158EB618D42}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C7E419CB-E54C-4563-BF49-F4A11E64DD4E}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DFB13717-B443-4AD1-AD64-F08D761889A9}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E5032733-F294-4A28-B7C8-DFF90B4A5BD8}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 12:43 2097488]
"RocketDock"="C:\Program Files\RocketDock\RocketDock.exe" [2007-09-02 14:58 495616]
"SystemDriverLoad"="" []
"alpha"="c:\z_Drivers\svchost.exe" [2008-04-09 20:03 198144]
"beta"="c:\z_Drivers\svchost.exe" [2008-04-09 20:03 198144]
"gamma"="c:\z_Drivers\svchost.exe" [2008-04-09 20:03 198144]
"SystemDriver"="" []
"ADriver"="" []
"CDriver"="c:\z_Drivers\svchost.exe" [2008-04-09 20:03 198144]
"DDriver"="c:\z_Drivers\svchost.exe" [2008-04-09 20:03 198144]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 02:41 8523776]
"PWRISOVM.EXE"="C:\Program Files\PowerISO\PWRISOVM.EXE" [2008-01-20 09:05 217088]
"d0ddf406"="C:\WINDOWS\system32\hxmsnoas.dll" [ ]
"BMd3eec79a"="C:\WINDOWS\system32\ufcfdfsq.dll" [ ]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-17 15:49 15360]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cbxuvsp]
cbxuvsp.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Flashget]
--a------ 2007-09-25 10:10 2007088 C:\PROGRA~1\FlashGet\flashget.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"usnjsvc"=3 (0x3)
"ServiceLayer"=3 (0x3)
"MySQL"=2 (0x2)
"iPod Service"=3 (0x3)
"BlueSoleil Hid Service"=2 (0x2)
"Apache2"=2 (0x2)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
"C:\\Program Files\\ICQLite\\ICQLite.exe"=
"C:\\Program Files\\FlashGet\\flashget.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"13388:TCP"= 13388:TCP:BitComet 13388 TCP
"13388:UDP"= 13388:UDP:BitComet 13388 UDP
R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-03-29 19:31]
R1 fwdrv;Firewall Driver;C:\WINDOWS\system32\drivers\fwdrv.sys [2007-04-26 10:21]
R1 khips;Kerio HIPS Driver;C:\WINDOWS\system32\drivers\khips.sys [2007-04-26 10:21]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-03-29 19:35]
R2 SPF4;Sunbelt Personal Firewall 4;"C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe" [2007-04-26 10:21]
R3 PSched;Plánovač paketů technologie QoS;C:\WINDOWS\system32\DRIVERS\psched.sys [2004-08-03 23:04]
S3 mxInsMon;mxInsMon;C:\PROGRA~1\ALADDI~1\INTERN~1\mxInsMon.sys [2007-09-29 17:53]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\LaunchU3.exe -a
*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-04-11 18:52:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************
catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-12 18:39:35
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\MySQL]
"ImagePath"="\"C:\dev\prog\mysql50\bin\mysqld-nt\" --defaults-file=\"C:\dev\prog\mysql50\my.ini\" MySQL"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\explorer.exe
-> C:\Program Files\RocketDock\RocketDock.dll
.
- Baron Prášil
- Master Level 7

- Posts: 4882
- Registered: 09 Jun 2006 18:47
Re: Please check my log...
We'll go step by step.
1.)
Use T-Cleaner (it deletes everything left behind by ComboFix, SDFix, Avenger, MWAV etc.) - download > run
2.)
Turn off Spybot's shields
3.)
Download ComboFix again
and save it to the desktop
4.)
Open Notepad NOTEPAD.EXE (Start -> Run... type Notepad in the box and click OK)
Copy the following text marked in green into it:
File::
C:\WINDOWS\system32\qpdlafvy.dll
C:\WINDOWS\system32\saonsmxh.ini
C:\WINDOWS\system32\rtppytii.dll
C:\WINDOWS\system32\tyrmmmma.dll
C:\WINDOWS\system32\xfnwqdcr.dll
C:\WINDOWS\system32\qejibtpq.dll
C:\WINDOWS\system32\jaskvywk.ini
C:\WINDOWS\system32\xidvlklc.ini
C:\WINDOWS\system32\dsrfkwhn.ini
C:\WINDOWS\system32\ckfwkbug.ini
C:\WINDOWS\system32\ycvkjalp.ini
C:\WINDOWS\system32\vlnwiyhg.ini
C:\WINDOWS\system32\lnpgeqib.ini
C:\WINDOWS\system32\ajypmtqw.ini
C:\WINDOWS\system32\hxmsnoas.dll
C:\WINDOWS\system32\ufcfdfsq.dll
Folder::
c:\z_Drivers
Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"alpha"=-
"beta"=-
"gamma"=-
"SystemDriverLoad"=-
"SystemDriver"=-
"ADriver"=-
"CDriver"=-
"DDriver"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"d0ddf406"=-
"BMd3eec79a"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cbxuvsp]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"usnjsvc"=-
Choose File -> Save As... and set these parameters:
File name: type CFScript.txt here
Save as type: choose All files
Save the file to the desktop.
Close all active windows.
Drag the created CFScript.txt script with the mouse over the downloaded ComboFix.exe and, when the two files overlap, drop the script

- ComboFix will start automatically
5.) Paste here the log that appears at the end of the cleaning process + a new HijackThis log + info on how the computer behaves
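As an added example (not from this thread and not part of ComboFix itself): a Python script that parses lines in the ComboFix log format posted above, applies the kind of heuristics the helper evidently used, and emits a removal script in the File::/Folder::/Registry:: CFScript format. The sample log lines are constructed from the posted log; the heuristics (eight random lowercase letters as a DLL/INI name directly in system32 that is hidden+system or tiny, a Run value pointing at svchost.exe outside system32 or at such a DLL, an empty leftover Run value) are assumptions of this example, not rules from the page.

```python
import re
from collections import OrderedDict

# Constructed sample in ComboFix log format; lines taken from the
# "Files Created" and "Reg Loading Points" sections of the posted log.
SAMPLE_LOG = r"""
2008-04-11 21:51 . 2008-04-11 21:51 3,648 --a------ C:\WINDOWS\system32\qpdlafvy.dll
2008-04-10 21:07 . 2008-04-11 21:51 594 ---hs---- C:\WINDOWS\system32\saonsmxh.ini
2008-04-09 20:03 . 2008-04-09 20:03 <DIR> d-------- C:\z_Drivers
2008-04-07 16:57 . 2008-03-29 19:31 75,856 --a------ C:\WINDOWS\system32\drivers\aswSP.sys
2008-03-26 17:13 . 2008-03-26 17:13 1,854 --ahs---- C:\WINDOWS\system32\jaskvywk.ini
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RocketDock"="C:\Program Files\RocketDock\RocketDock.exe" [2007-09-02 14:58 495616]
"alpha"="c:\z_Drivers\svchost.exe" [2008-04-09 20:03 198144]
"SystemDriverLoad"="" []
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 02:41 8523776]
"d0ddf406"="C:\WINDOWS\system32\hxmsnoas.dll" [ ]
"""

# "created . modified size attributes path" as ComboFix prints it
FILE_LINE = re.compile(
    r'^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2} '
    r'(?P<size><DIR>|[\d,]+) (?P<attrs>[-a-z]{9}) (?P<path>.+)$')
KEY_LINE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
VALUE_LINE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>[^"]*)" \[.*\]$')

RANDOM_STEM = re.compile(r'^[a-z]{8}$')  # heuristic: eight lowercase letters, no digits
SMALL = 4096                              # bytes; the flagged DLLs above were 3,648


def _split(path):
    """Return (stem, lowercase extension) of the last path component."""
    name = path.rsplit('\\', 1)[-1]
    stem, _, ext = name.rpartition('.')
    return (stem, ext.lower()) if stem else (name, '')


def _in_system32(path):
    """True only for files directly in \\WINDOWS\\system32, not in a subfolder."""
    parent = path.lower().rpartition('\\')[0]
    return parent.endswith('\\windows\\system32')


def suspicious_file(path, size, attrs):
    """Random-named DLL/INI directly in system32 that is hidden+system or tiny."""
    stem, ext = _split(path)
    if ext not in ('dll', 'ini') or not _in_system32(path):
        return False
    if not RANDOM_STEM.match(stem):
        return False
    hidden_system = 'h' in attrs and 's' in attrs
    return hidden_system or size <= SMALL


def suspicious_run(data):
    """Return (file_to_delete, folder_to_delete) for a bad Run value, else None."""
    if data == '':
        return (None, None)                      # empty leftover value
    parent, _, fname = data.rpartition('\\')
    if fname.lower() == 'svchost.exe' and not parent.lower().endswith('\\windows\\system32'):
        return (None, parent)                    # svchost.exe outside system32
    stem, ext = _split(data)
    if ext == 'dll' and _in_system32(data) and RANDOM_STEM.match(stem):
        return (data, None)                      # random-named DLL loaded at logon
    return None


def analyze(log_text):
    """Walk the log once; collect files, folders and Run values to remove."""
    files, folders, registry = [], [], OrderedDict()
    current_key = None
    for line in log_text.splitlines():
        m = FILE_LINE.match(line)
        if m:
            if m['size'] != '<DIR>':
                size = int(m['size'].replace(',', ''))
                if suspicious_file(m['path'], size, m['attrs']):
                    files.append(m['path'])
            continue
        m = KEY_LINE.match(line)
        if m:
            current_key = m['key']
            continue
        m = VALUE_LINE.match(line)
        if m and current_key and current_key.endswith('\\Run'):
            hit = suspicious_run(m['data'])
            if hit is not None:
                registry.setdefault(current_key, []).append(m['name'])
                if hit[0] and hit[0] not in files:
                    files.append(hit[0])
                if hit[1] and hit[1] not in folders:
                    folders.append(hit[1])
    return {'files': files, 'folders': folders, 'registry': registry}


def render_cfscript(findings):
    """Emit the File::/Folder::/Registry:: sections; "name"=- deletes a value."""
    out = []
    if findings['files']:
        out.append('File::')
        out.extend(findings['files'])
    if findings['folders']:
        out.append('Folder::')
        out.extend(findings['folders'])
    if findings['registry']:
        out.append('Registry::')
        for key, names in findings['registry'].items():
            out.append('[%s]' % key)
            out.extend('"%s"=-' % n for n in names)
    return '\n'.join(out) + '\n'


if __name__ == '__main__':
    print(render_cfscript(analyze(SAMPLE_LOG)))
```

A script produced this way is a starting point for the helper to review line by line, as was done in this thread, not something to drop onto ComboFix unread.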
Re: Please check my log...
When I ran ComboFix with that text file, this popped up... see attachment... I don't know what to choose, yes/no?
- Baron Prášil
- Master Level 7

- Posts: 4882
- Registered: 09 Jun 2006 18:47
Re: Please check my log...
The computer is behaving strangely... I made the log (hopefully correctly), but in safe mode, because in Windows applications take about 5 minutes to start, no exaggeration, and if I'm lucky it freezes right after startup + it reports some missing libraries...
log:
ComboFix 08-04-12.7 - Tomáš 2008-04-13 17:59:02.6 - NTFSx86 MINIMAL
Systém Microsoft Windows XP Professional 5.1.2600.2.1250.1.1029.18.354 [GMT 2:00]
Running from: C:\Documents and Settings\Tomáš\Plocha\ComboFix.exe
Command switches used :: C:\Documents and Settings\Tom ç\Plocha\CFScript.txt
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((( Files Created from 2008-03-13 to 2008-04-13 )))))))))))))))))))))))))))))))
.
2008-04-13 13:13 . 2008-04-13 13:13 <DIR> d-------- C:\Program Files\SaveSnap
2008-04-12 15:52 . 2008-04-13 11:47 241 --a------ C:\Documents and Settings\Tomáš\SR.vbs
2008-04-12 15:52 . 2008-04-13 11:47 241 --a------ C:\Documents and Settings\Tomáš\SR.vbs
2008-04-12 12:11 . 2008-04-12 12:11 <DIR> d-------- C:\WINDOWS\ERUNT
2008-04-12 10:22 . 2008-04-12 10:22 <DIR> d-------- C:\Program Files\Macromedia
2008-04-12 10:22 . 2008-04-12 10:22 <DIR> d-------- C:\Program Files\Common Files\Macromedia
2008-04-11 21:51 . 2008-04-11 21:51 3,648 --a------ C:\WINDOWS\system32\qpdlafvy.dll
2008-04-11 21:05 . 2008-04-11 21:05 0 --a------ C:\WINDOWS\BMd3eec79a.xml
2008-04-10 21:07 . 2008-04-11 21:51 594 ---hs---- C:\WINDOWS\system32\saonsmxh.ini
2008-04-10 21:04 . 2008-04-10 21:04 3,648 --a------ C:\WINDOWS\system32\rtppytii.dll
2008-04-09 21:03 . 2008-04-09 21:03 3,648 --a------ C:\WINDOWS\system32\tyrmmmma.dll
2008-04-09 20:03 . 2008-04-09 20:03 <DIR> d-------- C:\z_Drivers
2008-04-09 18:56 . 2008-04-09 18:56 3,648 --a------ C:\WINDOWS\system32\xfnwqdcr.dll
2008-04-08 17:04 . 2008-04-08 17:04 3,648 --a------ C:\WINDOWS\system32\qejibtpq.dll
2008-04-07 16:57 . 2008-03-29 19:31 75,856 --a------ C:\WINDOWS\system32\drivers\aswSP.sys
2008-04-07 16:57 . 2008-03-29 19:35 20,560 --a------ C:\WINDOWS\system32\drivers\aswFsBlk.sys
2008-03-30 15:45 . 2008-03-30 15:45 6 --a------ C:\tw0001.dat
2008-03-30 15:34 . 2008-04-07 16:51 <DIR> d-------- C:\Program Files\Bonjour
2008-03-30 15:09 . 2008-03-30 15:09 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2008-03-30 14:32 . 2008-04-10 20:28 <DIR> d-------- C:\Program Files\PowerISO
2008-03-30 14:11 . 2008-04-07 16:52 <DIR> d-------- C:\Program Files\free-downloads.net
2008-03-30 14:11 . 2008-03-30 14:11 <DIR> d-------- C:\Program Files\Alcohol Soft
2008-03-29 14:19 . 2008-03-29 14:25 416 --a------ C:\WINDOWS\wcx_ftp.ini
2008-03-26 17:13 . 2008-03-26 17:13 1,854 --ahs---- C:\WINDOWS\system32\jaskvywk.ini
2008-03-25 14:17 . 2008-03-26 17:11 1,794 --ahs---- C:\WINDOWS\system32\xidvlklc.ini
2008-03-24 11:35 . 2008-03-25 14:11 1,554 --ahs---- C:\WINDOWS\system32\dsrfkwhn.ini
2008-03-23 11:28 . 2008-03-24 11:28 1,194 --ahs---- C:\WINDOWS\system32\ckfwkbug.ini
2008-03-22 11:17 . 2008-03-23 11:25 1,074 --ahs---- C:\WINDOWS\system32\ycvkjalp.ini
2008-03-20 22:51 . 2008-03-22 11:14 774 --ahs---- C:\WINDOWS\system32\vlnwiyhg.ini
2008-03-20 15:24 . 2008-03-20 15:30 <DIR> d-------- C:\Program Files\The KMPlayer
2008-03-20 09:25 . 2008-03-20 09:25 294 --ahs---- C:\WINDOWS\system32\lnpgeqib.ini
2008-03-18 17:39 . 2008-03-18 17:39 294 --ahs---- C:\WINDOWS\system32\ajypmtqw.ini
2008-03-16 21:29 . 2008-03-16 21:30 <DIR> d-------- C:\EasyBoot
2008-03-16 20:40 . 2008-03-16 20:41 <DIR> d-------- C:\REATOGO-240
2008-03-16 19:59 . 2006-08-21 13:16 <DIR> d-------- C:\Program Files\REATOGO-240
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-13 15:53 2,240 ----a-w C:\WINDOWS\system32\drivers\fwdrv.err
2008-04-13 11:24 --------- d-----w C:\Documents and Settings\Tomáš\Data aplikací\OpenOffice.org2
2008-04-11 19:00 --------- d-----w C:\Program Files\FlashGet
2008-04-09 17:44 --------- d-----w C:\Program Files\Kool Musik
2008-03-30 13:34 --------- d-----w C:\Program Files\Common Files\Adobe
2008-03-29 22:54 --------- d-----w C:\Documents and Settings\Tomáš\Data aplikací\U3
2008-03-29 17:45 1,146,232 ----a-w C:\WINDOWS\system32\aswBoot.exe
2008-03-29 17:35 94,544 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
2008-03-29 17:29 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
2008-03-29 17:27 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
2008-03-29 17:26 26,944 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
2008-03-29 17:23 95,608 -c--a-w C:\WINDOWS\system32\AvastSS.scr
2008-03-28 15:16 --------- d-----w C:\Program Files\PSPad editor
2008-03-12 19:41 --------- d-----w C:\Program Files\RocketDock
2008-03-04 17:45 --------- d-----w C:\Program Files\Samurize
2008-03-01 12:04 --------- d-----w C:\Program Files\Burn4Free
2008-03-01 11:39 --------- d-----w C:\Program Files\Nokia
2008-03-01 11:35 --------- d-----w C:\Program Files\PVD15
2008-02-29 14:35 --------- d-----w C:\Program Files\Memory Max
2008-02-28 19:57 --------- d-----w C:\Documents and Settings\Tomáš\Data aplikací\ExportTool
2008-02-27 18:53 --------- d-----w C:\Program Files\iTunes
2008-02-24 19:44 --------- d-----w C:\Documents and Settings\Tomáš\Data aplikací\Bret Taylor
2008-02-24 19:37 --------- d-----w C:\Program Files\MoRUN.net
2008-02-24 16:57 --------- d-----w C:\Documents and Settings\All Users\Data aplikací\nView_Profiles
2008-02-24 16:09 --------- d-----w C:\Program Files\RadarSync
2008-02-24 14:03 --------- d-----w C:\Documents and Settings\All Users\Data aplikací\Spybot - Search & Destroy
2008-02-24 12:47 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-02-13 16:00 --------- d-----w C:\Program Files\DivX
2008-02-07 14:41 73,216 ----a-w C:\WINDOWS\ST6UNST.EXE
2008-02-07 14:41 249,856 ------w C:\WINDOWS\Setup1.exe
.
------- Sigcheck -------
2004-08-03 23:14 359040 9f4b36614a0fc234525ba224957de55c C:\WINDOWS\system32\dllcache\tcpip.sys
2004-08-03 23:14 359040 6a603809f598332dbedd535bdbce313e C:\WINDOWS\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0BBDE44C-079B-4E03-B1F5-45A16691F551}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2AE66C8E-D2EB-4256-A5F9-F02DD25C07AA}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3E238016-2886-4A24-9EEE-DF90C74C61CB}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{588C7B62-DB2A-4ECC-BE87-0ECDC553054E}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7590549B-B0F1-4929-8BBD-E02B56C5622C}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{81219520-EA09-4E31-9F0B-55A1EB62374E}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8A9143AE-26B7-4F79-8F6F-DFB085727DFD}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8C909D5C-1FDE-4724-B4EA-D424EDDEAC0C}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{96292847-2CCA-4667-9D03-9158EB618D42}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C7E419CB-E54C-4563-BF49-F4A11E64DD4E}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DFB13717-B443-4AD1-AD64-F08D761889A9}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E5032733-F294-4A28-B7C8-DFF90B4A5BD8}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 12:43 2097488]
"RocketDock"="C:\Program Files\RocketDock\RocketDock.exe" [2007-09-02 14:58 495616]
"SystemDriverLoad"="" []
"alpha"="c:\z_Drivers\svchost.exe" [2008-04-09 20:03 198144]
"beta"="c:\z_Drivers\svchost.exe" [2008-04-09 20:03 198144]
"gamma"="c:\z_Drivers\svchost.exe" [2008-04-09 20:03 198144]
"SystemDriver"="" []
"ADriver"="" []
"CDriver"="c:\z_Drivers\svchost.exe" [2008-04-09 20:03 198144]
"DDriver"="c:\z_Drivers\svchost.exe" [2008-04-09 20:03 198144]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 02:41 8523776]
"PWRISOVM.EXE"="C:\Program Files\PowerISO\PWRISOVM.EXE" [2008-01-20 09:05 217088]
"d0ddf406"="C:\WINDOWS\system32\hxmsnoas.dll" [ ]
"BMd3eec79a"="C:\WINDOWS\system32\ufcfdfsq.dll" [ ]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-17 15:49 15360]
C:\Documents and Settings\Tomáš\Nabídka Start\Programy\Po spuštění\
Client Default.lnk - C:\Program Files\Samurize\Client.exe [2007-04-02 21:43:04 2032128]
SaveSnap.lnk - C:\Program Files\SaveSnap\SaveSnap.exe [2008-04-13 13:13:29 1264128]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cbxuvsp]
cbxuvsp.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Flashget]
--a------ 2007-09-25 10:10 2007088 C:\PROGRA~1\FlashGet\flashget.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"usnjsvc"=3 (0x3)
"ServiceLayer"=3 (0x3)
"MySQL"=2 (0x2)
"iPod Service"=3 (0x3)
"BlueSoleil Hid Service"=2 (0x2)
"Apache2"=2 (0x2)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
"C:\\Program Files\\ICQLite\\ICQLite.exe"=
"C:\\Program Files\\FlashGet\\flashget.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"13388:TCP"= 13388:TCP:BitComet 13388 TCP
"13388:UDP"= 13388:UDP:BitComet 13388 UDP
R1 fwdrv;Firewall Driver;C:\WINDOWS\system32\drivers\fwdrv.sys [2007-04-26 10:21]
S1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-03-29 19:31]
S1 khips;Kerio HIPS Driver;C:\WINDOWS\system32\drivers\khips.sys [2007-04-26 10:21]
S2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-03-29 19:35]
S2 SPF4;Sunbelt Personal Firewall 4;"C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe" [2007-04-26 10:21]
S3 mxInsMon;mxInsMon;C:\PROGRA~1\ALADDI~1\INTERN~1\mxInsMon.sys [2007-09-29 17:53]
S3 PSched;Plánovač paketů technologie QoS;C:\WINDOWS\system32\DRIVERS\psched.sys [2004-08-03 23:04]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\LaunchU3.exe -a
*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-04-11 18:52:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************
catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-13 18:01:12
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\MySQL]
"ImagePath"="\"C:\dev\prog\mysql50\bin\mysqld-nt\" --defaults-file=\"C:\dev\prog\mysql50\my.ini\" MySQL"
.
Completion time: 2008-04-13 18:02:21
ComboFix-quarantined-files.txt 2008-04-13 16:02:06
Adresářů: 25, Volných bajtů: 54,889,238,528
Adresářů: 28, Volných bajtů: 54,881,792,000
Re: Please check my log...
So now I have another problem with the computer... my desktop won't come up... even when I start it through Task Manager it doesn't load... Task Manager says explorer is running, but it doesn't show up at all, I have to launch every application through Task Manager - New Task... wouldn't it be better to reinstall the whole computer, since my antivirus and firewall have dropped out too...
- Baron Prášil
- Master Level 7
- Posts: 4882
- Registered: 09 Jun 2006 18:47
Re: Please check my log...
Look, that is more for you to judge, whether a system reinstall isn't the better option. I can't guarantee you anything, all the more so because I have never seen ComboFix behave this non-standardly before.
So we'll try deleting it with Avenger http://www.spyware.cz/go.php?p=spyware&t=aplikace&id=35
and copy this script into the Avenger window:
Files to delete:
C:\WINDOWS\system32\qpdlafvy.dll
C:\WINDOWS\system32\saonsmxh.ini
C:\WINDOWS\system32\rtppytii.dll
C:\WINDOWS\system32\tyrmmmma.dll
C:\WINDOWS\system32\xfnwqdcr.dll
C:\WINDOWS\system32\qejibtpq.dll
C:\WINDOWS\system32\jaskvywk.ini
C:\WINDOWS\system32\xidvlklc.ini
C:\WINDOWS\system32\dsrfkwhn.ini
C:\WINDOWS\system32\ckfwkbug.ini
C:\WINDOWS\system32\ycvkjalp.ini
C:\WINDOWS\system32\vlnwiyhg.ini
C:\WINDOWS\system32\lnpgeqib.ini
C:\WINDOWS\system32\ajypmtqw.ini
C:\WINDOWS\system32\hxmsnoas.dll
C:\WINDOWS\system32\ufcfdfsq.dll
Folders to delete:
c:\z_Drivers
Registry values to delete:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | d0ddf406
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | BMd3eec79a
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services | usnjsvc
Registry keys to delete:
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cbxuvsp
After the Avenger run, post its log and a new HijackThis log.
Re: Please check my log...
That doesn't work either... it reports:
Invalid registry syntax in command
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | alpha
.
.
.
it reports this for every line that starts with HKEY_CURRENT_USER\SOFTWARE\
- Baron Prášil
- Master Level 7
- Posts: 4882
- Registered: 09 Jun 2006 18:47
Re: Please check my log...
Of course it doesn't work - it's two days since I wrote the same thing to someone here.
I've redone the script, use it again.
Re: Please check my log...
After the third restart the desktop came up, along with this log:
//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////
Platform: Windows XP (build 2600, Service Pack 2)
Sun Apr 13 19:12:39 2008
19:12:28: Error: Invalid registry syntax in command:
"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|alpha"
Only registry keys under the HKEY_LOCAL_MACHINE hive are accessible to this program.
Skipping line. (Registry value deletion mode)
19:12:34: Error: Invalid registry syntax in command:
"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|beta"
Only registry keys under the HKEY_LOCAL_MACHINE hive are accessible to this program.
Skipping line. (Registry value deletion mode)
19:12:36: Error: Invalid registry syntax in command:
"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|gamma"
Only registry keys under the HKEY_LOCAL_MACHINE hive are accessible to this program.
Skipping line. (Registry value deletion mode)
19:12:37: Error: Invalid registry syntax in command:
"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|SystemDriverLoad"
Only registry keys under the HKEY_LOCAL_MACHINE hive are accessible to this program.
Skipping line. (Registry value deletion mode)
19:12:37: Error: Invalid registry syntax in command:
"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|SystemDriver"
Only registry keys under the HKEY_LOCAL_MACHINE hive are accessible to this program.
Skipping line. (Registry value deletion mode)
19:12:37: Error: Invalid registry syntax in command:
"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|ADriver"
Only registry keys under the HKEY_LOCAL_MACHINE hive are accessible to this program.
Skipping line. (Registry value deletion mode)
19:12:38: Error: Invalid registry syntax in command:
"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|CDriver"
Only registry keys under the HKEY_LOCAL_MACHINE hive are accessible to this program.
Skipping line. (Registry value deletion mode)
19:12:38: Error: Invalid registry syntax in command:
"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|DDriver"
Only registry keys under the HKEY_LOCAL_MACHINE hive are accessible to this program.
Skipping line. (Registry value deletion mode)
19:12:39: Error: Execution aborted by user!
//////////////////////////////////////////
//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////
Platform: Windows XP (build 2600, Service Pack 2)
Sun Apr 13 19:14:38 2008
19:14:34: Error: Invalid registry syntax in command:
"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|alpha"
Only registry keys under the HKEY_LOCAL_MACHINE hive are accessible to this program.
Skipping line. (Registry value deletion mode)
19:14:35: Error: Invalid registry syntax in command:
"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|beta"
Only registry keys under the HKEY_LOCAL_MACHINE hive are accessible to this program.
Skipping line. (Registry value deletion mode)
19:14:36: Error: Invalid registry syntax in command:
"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|gamma"
Only registry keys under the HKEY_LOCAL_MACHINE hive are accessible to this program.
Skipping line. (Registry value deletion mode)
19:14:38: Error: Execution aborted by user!
//////////////////////////////////////////
Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com
Platform: Windows XP
*******************
Script file opened successfully.
Script file read successfully.
Backups directory opened successfully at C:\Avenger
*******************
Beginning to process script file:
Rootkit scan active.
No rootkits found!
File "C:\WINDOWS\system32\qpdlafvy.dll" deleted successfully.
File "C:\WINDOWS\system32\saonsmxh.ini" deleted successfully.
File "C:\WINDOWS\system32\rtppytii.dll" deleted successfully.
File "C:\WINDOWS\system32\tyrmmmma.dll" deleted successfully.
File "C:\WINDOWS\system32\xfnwqdcr.dll" deleted successfully.
File "C:\WINDOWS\system32\qejibtpq.dll" deleted successfully.
File "C:\WINDOWS\system32\jaskvywk.ini" deleted successfully.
File "C:\WINDOWS\system32\xidvlklc.ini" deleted successfully.
File "C:\WINDOWS\system32\dsrfkwhn.ini" deleted successfully.
File "C:\WINDOWS\system32\ckfwkbug.ini" deleted successfully.
File "C:\WINDOWS\system32\ycvkjalp.ini" deleted successfully.
File "C:\WINDOWS\system32\vlnwiyhg.ini" deleted successfully.
File "C:\WINDOWS\system32\lnpgeqib.ini" deleted successfully.
File "C:\WINDOWS\system32\ajypmtqw.ini" deleted successfully.
Error: file "C:\WINDOWS\system32\hxmsnoas.dll" not found!
Deletion of file "C:\WINDOWS\system32\hxmsnoas.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: file "C:\WINDOWS\system32\ufcfdfsq.dll" not found!
Deletion of file "C:\WINDOWS\system32\ufcfdfsq.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Folder "c:\z_Drivers" deleted successfully.
Registry value "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|d0ddf406" deleted successfully.
Registry value "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|BMd3eec79a" deleted successfully.
Registry value "HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services|usnjsvc" deleted successfully.
Registry key "HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cbxuvsp" deleted successfully.
Completed script processing.
*******************
Finished! Terminate.
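A pre-flight validator for the Avenger script format, as an added example that is not code from the thread or from The Avenger itself: it parses the four section headers used in the script above and applies the rule stated in the pre-processor log ("Only registry keys under the HKEY_LOCAL_MACHINE hive are accessible"), so the HKEY_CURRENT_USER lines that the log shows being skipped are flagged before the script is run. The section names come from the thread; the sample script is constructed from a few of the thread's own lines; the header-typo and `|` checks are the example's own assumptions about what is worth catching.

```python
"""Validate an Avenger removal script before running it.

Added example, not code from the thread or from The Avenger tool.
Section headers are the four used in the thread; the HKLM-only rule is
the one the pre-processor log reports when it skips HKCU lines.
"""

SECTION_HEADERS = {
    "files to delete:": "files",
    "folders to delete:": "folders",
    "registry values to delete:": "reg_values",
    "registry keys to delete:": "reg_keys",
}

# Only this hive is accepted by the tool (per the log's error message).
ACCESSIBLE_HIVES = {"HKEY_LOCAL_MACHINE", "HKLM"}

# Constructed sample built from lines in the thread; the HKCU value line
# is the kind the pre-processor rejected in the run above.
SAMPLE_SCRIPT = """\
Files to delete:
C:\\WINDOWS\\system32\\qpdlafvy.dll
C:\\WINDOWS\\system32\\hxmsnoas.dll
Folders to delete:
c:\\z_Drivers
Registry values to delete:
HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run | alpha
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run | d0ddf406
Registry keys to delete:
HKEY_LOCAL_MACHINE\\software\\microsoft\\windows nt\\currentversion\\winlogon\\notify\\cbxuvsp
"""


def parse_script(text):
    """Return {section: [entries]} for the four known sections.

    An entry before any header, or a header that looks like a section
    but is not one of the four, raises ValueError so a typo cannot
    silently swallow the entries that follow it.
    """
    sections = {name: [] for name in SECTION_HEADERS.values()}
    current = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        key = line.lower()
        if key in SECTION_HEADERS:
            current = SECTION_HEADERS[key]
            continue
        if key.endswith(":") and " to delete" in key:
            raise ValueError(f"line {lineno}: unknown section header {line!r}")
        if current is None:
            raise ValueError(f"line {lineno}: entry before any section header")
        sections[current].append(line)
    return sections


def split_value_entry(entry):
    """Split 'KEY | value' into (key, value); exactly one '|' is required."""
    parts = [p.strip() for p in entry.split("|")]
    if len(parts) != 2 or not parts[0] or not parts[1]:
        raise ValueError(f"bad registry value entry: {entry!r}")
    return parts[0], parts[1]


def hive_of(reg_path):
    """First path component of a registry path, upper-cased for comparison."""
    return reg_path.split("\\", 1)[0].upper()


def check_registry_entries(sections):
    """Split registry lines into those the tool processes and those it skips."""
    ok, skipped = [], []
    for entry in sections["reg_values"]:
        key, value = split_value_entry(entry)
        target = ok if hive_of(key) in ACCESSIBLE_HIVES else skipped
        target.append(("value", key, value))
    for key in sections["reg_keys"]:
        target = ok if hive_of(key) in ACCESSIBLE_HIVES else skipped
        target.append(("key", key, None))
    return ok, skipped


def validate(text):
    """Parse the script and return the parsed sections plus the hive check."""
    sections = parse_script(text)
    ok, skipped = check_registry_entries(sections)
    return {"sections": sections, "ok": ok, "skipped": skipped}


if __name__ == "__main__":
    report = validate(SAMPLE_SCRIPT)
    for kind, key, value in report["skipped"]:
        # Same condition the pre-processor reports as "Invalid registry syntax".
        suffix = f" | {value}" if value else ""
        print(f"SKIPPED ({kind}, hive not accessible): {key}{suffix}")
    for kind, key, value in report["ok"]:
        suffix = f" | {value}" if value else ""
        print(f"ok ({kind}): {key}{suffix}")
```

Lines reported as skipped need a different route (the HKCU Run values in this thread were handled via the CFScript for ComboFix earlier in the thread), so the validator tells you up front which part of the cleanup a given Avenger run will not perform.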
Registry key "HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cbxuvsp" deleted successfully.
Completed script processing.
*******************
Finished! Terminate.

