Combofix Log - prosím pomoc

M4rekX · Napísal **M4rekX**: 18.08.2009 17:40 | Combofix Log - prosím pomoc

Noo takže u Priateľky v kompe bolo mrte sajrajtu z Michalea Jacksona, nejake víry a dalsie viry atd atd.. počítač puštal same okienka, nešlo sa dvojklikom dostat na disky a nešla spustit napr ani opera heh ale niečo som prečistil Spybot Search and Destroy, CCleanerom, HijackThis a Combofixom (ten automaticky niečo zmazal)
a tu je log potreboval by som help či je to v poriadku alebo ešte niečo zmazať ak hej tak čo mam napisat do toho .txt suboru lebo som z toho lolec

Citácia:

ComboFix 09-08-10.06 - Owner 18.08.2009 17:21.1.1 - NTFSx86
Systém Microsoft Windows XP Home Edition 5.1.2600.3.1250.421.1033.18.511.227 [GMT 2:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\autorun.inf
c:\docume~1\Owner\LOCALS~1\Temp\install_flash_player.exe
c:\windows\regedit.com
c:\windows\system32\1175900.exe
c:\windows\system32\156422.exe
c:\windows\system32\2847802.exe
c:\windows\system32\503013.exe
c:\windows\system32\993000.exe
c:\windows\system32\taskmgr.com
D:\autorun.inf

.
((((((((((((((((((((((((( Files Created from 2009-07-18 to 2009-08-18 )))))))))))))))))))))))))))))))
.

2009-08-18 14:40 . 2009-08-18 15:28 4196384 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-08-18 14:40 . 2008-07-08 12:54 148496 ----a-w- c:\windows\system32\drivers\76465394.sys
2009-08-12 13:26 . 2009-08-12 13:26 459130 ----a-w- c:\documents and settings\All Users\Application Data\Avira\AntiVir Desktop\TEMP\AVCENTER_4a899c5e\fuse\ivdf_fusebundle_nt_en\aescript.dll
2009-08-11 12:40 . 2009-08-11 12:40 356725 ----a-w- c:\documents and settings\All Users\Application Data\Avira\AntiVir Desktop\TEMP\AVCENTER_4a899c5e\fuse\ivdf_fusebundle_nt_en\aegen.dll
2009-08-07 13:57 . 2009-08-07 13:57 1917302 ----a-w- c:\documents and settings\All Users\Application Data\Avira\AntiVir Desktop\TEMP\AVCENTER_4a899c5e\fuse\ivdf_fusebundle_nt_en\aeheur.dll
2009-07-22 15:43 . 2009-07-22 15:43 233846 ----a-w- c:\documents and settings\All Users\Application Data\Avira\AntiVir Desktop\TEMP\AVCENTER_4a899c5e\fuse\ivdf_fusebundle_nt_en\aehelp.dll
2009-07-22 15:43 . 2009-07-22 15:43 127348 ----a-w- c:\documents and settings\All Users\Application Data\Avira\AntiVir Desktop\TEMP\AVCENTER_4a899c5e\fuse\ivdf_fusebundle_nt_en\aescn.dll
2009-07-22 15:43 . 2009-07-22 15:43 184694 ----a-w- c:\documents and settings\All Users\Application Data\Avira\AntiVir Desktop\TEMP\AVCENTER_4a899c5e\fuse\ivdf_fusebundle_nt_en\aecore.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-18 15:27 . 2009-08-18 14:40 49664 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-08-18 15:17 . 2005-05-31 15:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-18 14:50 . 2008-06-16 18:08 -------- d-----w- c:\program files\ICQToolbar0855
2009-08-18 14:37 . 2005-05-31 13:39 -------- d-----w- c:\program files\Yahoo!
2009-08-17 18:38 . 2009-07-05 13:44 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-08-15 16:54 . 2008-08-09 10:14 -------- d-----w- c:\documents and settings\Owner\Application Data\U3
2009-08-10 17:21 . 2007-01-22 15:58 -------- d-----w- c:\documents and settings\Owner\Application Data\Skype
2009-08-08 08:51 . 2009-08-18 15:20 75776 --sh--r- C:\vshost.exe
2009-07-14 16:08 . 2009-07-14 16:08 430452 ----a-w- c:\documents and settings\All Users\Application Data\Avira\AntiVir Desktop\TEMP\AVCENTER_4a899c5e\fuse\ivdf_fusebundle_nt_en\aerdl.dll
2009-07-05 13:48 . 2009-07-05 13:44 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2009-07-05 13:44 . 2009-07-05 13:44 -------- d-----w- c:\program files\Avira
2009-07-05 13:44 . 2009-07-05 13:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2009-07-04 17:46 . 2009-07-04 17:46 -------- d-----w- c:\program files\Opera
2009-06-22 15:44 . 2009-06-22 15:15 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-06-22 15:14 . 2009-06-22 15:14 -------- d-----w- c:\program files\Oberon Media
2009-06-22 15:14 . 2009-06-22 15:14 -------- d-----w- c:\program files\Gamenext
2009-06-22 15:14 . 2009-06-22 15:14 -------- d-----w- c:\program files\Common Files\Oberon Media
2009-06-17 13:32 . 2009-06-17 13:32 196987 ----a-w- c:\documents and settings\All Users\Application Data\Avira\AntiVir Desktop\TEMP\AVCENTER_4a899c5e\fuse\ivdf_fusebundle_nt_en\aeoffice.dll
2009-05-27 16:10 . 2009-05-27 16:10 401783 ----a-w- c:\documents and settings\All Users\Application Data\Avira\AntiVir Desktop\TEMP\AVCENTER_4a899c5e\fuse\ivdf_fusebundle_nt_en\aepack.dll
2006-06-05 17:59 . 2005-06-23 16:04 2969 -c--a-w- c:\program files\NettGain Client setup.log
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2007-01-12 25367592]
"H/PC Connection Agent"="d:\progra~1\MICROS~1\wcescomm.exe" [2005-11-15 1200128]
"Google Update"="c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-07-05 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvMixerTray"="c:\program files\NVIDIA Corporation\NvMixer\NvMixerTray.exe" [2004-03-03 131072]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2005-04-01 5562368]
"NvMediaCenter"="c:\windows\System32\NvMcTray.dll" [2005-04-01 86016]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 32768]
"Sony Ericsson PC Suite"="c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2005-10-26 159744]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2005-04-01 1495040]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\Owner\Start Menu\Programs\Startup\
is-N8C7M.lnk - d:\program files\Virus Removal Tool\is-N8C7M\startup.exe [2009-8-18 65536]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NettGain Client.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\NettGain Client.lnk
backup=c:\windows\pss\NettGain Client.lnkCommon Startup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Orange Slovensko\\NettGain Client\\NettGain1100_C.exe"=
"d:\program files\Microsoft ActiveSync\rapimgr.exe"= d:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"d:\program files\Microsoft ActiveSync\wcescomm.exe"= d:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"d:\program files\Microsoft ActiveSync\WCESMgr.exe"= d:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Common Files\\Microsoft Shared\\VS7Debug\\mdm.exe"=
"c:\\Program Files\\QIP\\qip.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\Orb.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe"=
"c:\\Program Files\\ICQ6\\ICQ.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\CNAB4RPK.EXE"=
"c:\\Program Files\\Opera\\opera.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R1 is-N8C7Mdrv;is-N8C7Mdrv;c:\windows\system32\drivers\76465394.sys [18.8.2009 16:40 148496]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [5.7.2009 15:44 108289]
R2 ICQ Service;ICQ Service;c:\program files\ICQ6Toolbar\ICQ Service.exe [10.6.2008 20:30 220920]
S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [29.5.2008 19:49 29744]
.
Contents of the 'Scheduled Tasks' folder

2009-08-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1454471165-1801674531-682003330-1003Core.job
- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-07-05 13:29]
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{EEE6C35B-6118-11DC-9C72-001320C79847} - c:\program files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll

.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.sk/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: &Winamp Search - c:\documents and settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
IE: Add to AMV Convert Tool... - c:\program files\MP3 Player Utilities 3.70\AMVConverter\grab.html
IE: E&xportovať do programu Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: MediaManager tool grab multimedia file - c:\program files\MP3 Player Utilities 3.70\MediaManager\grab.html
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-18 17:28
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\windows\system32\rundll32.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\program files\Common Files\Teleca Shared\CapabilityManager.exe
d:\progra~1\MICROS~1\rapimgr.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Skype\Plugin Manager\skypePM.exe
c:\program files\Common Files\Teleca Shared\Generic.exe
c:\program files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
c:\windows\system32\CNAB4RPK.EXE
.
**************************************************************************
.
Completion time: 2009-08-18 17:32 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-18 15:32

Pre-Run: 1 410 260 992 bytes free
Post-Run: 1 330 311 168 voľných bajtov

149 --- E O F --- 2009-06-17 09:09

Dalej v Documents and Setings / Owner / Local Setings / Temp su tieto dva súbory:
vshost.exe a svchost32.exe
a ten vshost je aj v D:/
a avira mi stale pípa že tam je vír ale ked dam hocičo (Deny Acces,Move To Quarantine,Delete) tak mi tu tabulku výstražnu zobrazí znovu

neviem čo mam s tym robiť pls help...

Ešte mám v plane použiť AVZ Tool (Kaspersky Antivir Remove či čo to je )
Vopred Dík za help... M4rekX

pitimir · Napísal **pitimir**: 18.08.2009 18:23 | Combofix Log - prosím pomoc

Presun ikonu CF na plochu, vypni vsetky otvorene aplikacie, ako aj rezidenty antiviru, antispywaru a firewall a otvor poznamkovy blok. Donho skopiruj:

Kód:

KillAll::
File::
c:\windows\system32\drivers\76465394.sys 
C:\vshost.exe 
c:\documents and settings\Owner\Start Menu\Programs\Startup\
is-N8C7M.lnk
d:\program files\Virus Removal Tool\is-N8C7M\startup.exe

Rootkit::
c:\windows\system32\drivers\76465394.sys 

Driver::
76465394
is-N8C7Mdrv
ICQ Service

Folder::
c:\program files\ICQToolbar0855 
c:\program files\ICQ6Toolbar

DDS::
IE: &Winamp Search - c:\documents and settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html 
IE: Add to AMV Convert Tool... - c:\program files\MP3 Player Utilities 3.70\AMVConverter\grab.html 
IE: MediaManager tool grab multimedia file - c:\program files\MP3 Player Utilities 3.70\MediaManager\grab.html 

Uloz na plochu ako CFScript.txt a mysou pretiahni nad ikonou CF.

Combofix Log - prosím pomoc

Program script spracuje a spravi novy log.

Pozor: Ak po aplikacii skriptu nenabehne Windows, restartuj PC, stlac F8 a zvol Poslednu znamu funkcnu konfiguraciu.

A potom pouzi ten AVPTool, navod nan je tu. Vloz sem len tu spravnu cast logu.

M4rekX · Napísal autor témy **M4rekX**: 18.08.2009 19:50 | Combofix Log - prosím pomoc

Ten AVP Tool mi nejde kua, a to som stiahol poslednu verziu zo stránky :oops:

A pripájam Combofix log co vyplulo po tom CFScripte

Citácia:

ComboFix 09-08-10.06 - Owner 18.08.2009 19:10.2.1 - NTFSx86
Systém Microsoft Windows XP Home Edition 5.1.2600.3.1250.421.1033.18.511.157 [GMT 2:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
"c:\documents and settings\Owner\Start Menu\Programs\Startup\"
"C:\vshost.exe"
"c:\windows\system32\drivers\76465394.sys"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\ICQ6Toolbar
c:\program files\ICQ6Toolbar\Icons.bmp
c:\program files\ICQ6Toolbar\ICQ Service.exe
c:\program files\ICQ6Toolbar\icq6Toolbar.ico
c:\program files\ICQ6Toolbar\ICQToolBar.dll
c:\program files\ICQ6Toolbar\ICQUnToolbar.exe
c:\program files\ICQ6Toolbar\logo_small.gif
c:\program files\ICQ6Toolbar\ServiceStarter.exe
c:\program files\ICQ6Toolbar\short.wav
c:\program files\ICQ6Toolbar\Version.txt
c:\program files\ICQToolbar0855
c:\program files\ICQToolbar0855\about.html
c:\program files\ICQToolbar0855\basis.xml
c:\program files\ICQToolbar0855\Dlg_Res.xml
c:\program files\ICQToolbar0855\download.html
c:\program files\ICQToolbar0855\Games.xml
c:\program files\ICQToolbar0855\games_button.xml
c:\program files\ICQToolbar0855\icons.bmp
c:\program files\ICQToolbar0855\loading.html
c:\program files\ICQToolbar0855\logo_small.gif
c:\program files\ICQToolbar0855\newversion.txt
c:\program files\ICQToolbar0855\tb_buttons.xml
c:\program files\ICQToolbar0855\tb_games.xml
c:\program files\ICQToolbar0855\tb_options.xml
c:\program files\ICQToolbar0855\toolbaru.crc
c:\program files\ICQToolbar0855\version.txt
c:\program files\MP3 Player Utilities 3.70\AMVConverter\grab.html
c:\program files\MP3 Player Utilities 3.70\MediaManager\grab.html
c:\windows\system32\drivers\76465394.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ICQ_SERVICE
-------\Legacy_IS-N8C7MDRV
-------\Service_ICQ Service
-------\Service_is-N8C7Mdrv

((((((((((((((((((((((((( Files Created from 2009-07-18 to 2009-08-18 )))))))))))))))))))))))))))))))
.

2009-08-18 14:40 . 2009-08-18 17:15 7514144 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-08-12 13:26 . 2009-08-12 13:26 459130 ----a-w- c:\documents and settings\All Users\Application Data\Avira\AntiVir Desktop\TEMP\AVCENTER_4a899c5e\fuse\ivdf_fusebundle_nt_en\aescript.dll
2009-08-11 12:40 . 2009-08-11 12:40 356725 ----a-w- c:\documents and settings\All Users\Application Data\Avira\AntiVir Desktop\TEMP\AVCENTER_4a899c5e\fuse\ivdf_fusebundle_nt_en\aegen.dll
2009-08-07 13:57 . 2009-08-07 13:57 1917302 ----a-w- c:\documents and settings\All Users\Application Data\Avira\AntiVir Desktop\TEMP\AVCENTER_4a899c5e\fuse\ivdf_fusebundle_nt_en\aeheur.dll
2009-07-22 15:43 . 2009-07-22 15:43 233846 ----a-w- c:\documents and settings\All Users\Application Data\Avira\AntiVir Desktop\TEMP\AVCENTER_4a899c5e\fuse\ivdf_fusebundle_nt_en\aehelp.dll
2009-07-22 15:43 . 2009-07-22 15:43 127348 ----a-w- c:\documents and settings\All Users\Application Data\Avira\AntiVir Desktop\TEMP\AVCENTER_4a899c5e\fuse\ivdf_fusebundle_nt_en\aescn.dll
2009-07-22 15:43 . 2009-07-22 15:43 184694 ----a-w- c:\documents and settings\All Users\Application Data\Avira\AntiVir Desktop\TEMP\AVCENTER_4a899c5e\fuse\ivdf_fusebundle_nt_en\aecore.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-18 17:15 . 2009-08-18 14:40 90176 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-08-18 15:17 . 2005-05-31 15:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-18 14:37 . 2005-05-31 13:39 -------- d-----w- c:\program files\Yahoo!
2009-08-17 18:38 . 2009-07-05 13:44 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-08-15 16:54 . 2008-08-09 10:14 -------- d-----w- c:\documents and settings\Owner\Application Data\U3
2009-08-10 17:21 . 2007-01-22 15:58 -------- d-----w- c:\documents and settings\Owner\Application Data\Skype
2009-07-14 16:08 . 2009-07-14 16:08 430452 ----a-w- c:\documents and settings\All Users\Application Data\Avira\AntiVir Desktop\TEMP\AVCENTER_4a899c5e\fuse\ivdf_fusebundle_nt_en\aerdl.dll
2009-07-05 13:48 . 2009-07-05 13:44 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2009-07-05 13:44 . 2009-07-05 13:44 -------- d-----w- c:\program files\Avira
2009-07-05 13:44 . 2009-07-05 13:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2009-07-04 17:46 . 2009-07-04 17:46 -------- d-----w- c:\program files\Opera
2009-06-22 15:44 . 2009-06-22 15:15 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-06-22 15:14 . 2009-06-22 15:14 -------- d-----w- c:\program files\Oberon Media
2009-06-22 15:14 . 2009-06-22 15:14 -------- d-----w- c:\program files\Gamenext
2009-06-22 15:14 . 2009-06-22 15:14 -------- d-----w- c:\program files\Common Files\Oberon Media
2009-06-17 13:32 . 2009-06-17 13:32 196987 ----a-w- c:\documents and settings\All Users\Application Data\Avira\AntiVir Desktop\TEMP\AVCENTER_4a899c5e\fuse\ivdf_fusebundle_nt_en\aeoffice.dll
2009-05-27 16:10 . 2009-05-27 16:10 401783 ----a-w- c:\documents and settings\All Users\Application Data\Avira\AntiVir Desktop\TEMP\AVCENTER_4a899c5e\fuse\ivdf_fusebundle_nt_en\aepack.dll
2006-06-05 17:59 . 2005-06-23 16:04 2969 -c--a-w- c:\program files\NettGain Client setup.log
.

((((((((((((((((((((((((((((( SnapShot@2009-08-18_15.28.26 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-08-18 17:16 . 2009-08-18 17:16 16384 c:\windows\temp\Perflib_Perfdata_18c.dat
- 2009-08-18 15:26 . 2009-08-18 15:26 40960 c:\windows\ERDNT\subs\Users\00000006\UsrClass.dat
+ 2009-08-18 17:14 . 2009-08-18 17:14 40960 c:\windows\ERDNT\subs\Users\00000006\UsrClass.dat
- 2009-08-18 15:26 . 2009-08-18 15:26 8192 c:\windows\ERDNT\subs\Users\00000004\UsrClass.dat
+ 2009-08-18 17:14 . 2009-08-18 17:14 8192 c:\windows\ERDNT\subs\Users\00000004\UsrClass.dat
+ 2009-08-18 17:14 . 2009-08-18 17:14 8192 c:\windows\ERDNT\subs\Users\00000002\UsrClass.dat
- 2009-08-18 15:26 . 2009-08-18 15:26 8192 c:\windows\ERDNT\subs\Users\00000002\UsrClass.dat
+ 2009-08-18 17:14 . 2009-08-18 17:14 233472 c:\windows\ERDNT\subs\Users\00000003\NTUSER.DAT
- 2009-08-18 15:26 . 2009-08-18 15:26 233472 c:\windows\ERDNT\subs\Users\00000003\NTUSER.DAT
+ 2009-08-18 17:14 . 2009-08-18 17:14 233472 c:\windows\ERDNT\subs\Users\00000001\NTUSER.DAT
- 2009-08-18 15:26 . 2009-08-18 15:26 233472 c:\windows\ERDNT\subs\Users\00000001\NTUSER.DAT
- 2009-08-18 15:26 . 2009-08-18 15:26 8925184 c:\windows\ERDNT\subs\Users\00000005\NTUSER.DAT
+ 2009-08-18 17:14 . 2009-08-18 17:14 8925184 c:\windows\ERDNT\subs\Users\00000005\NTUSER.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2007-01-12 25367592]
"H/PC Connection Agent"="d:\progra~1\MICROS~1\wcescomm.exe" [2005-11-15 1200128]
"Google Update"="c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-07-05 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvMixerTray"="c:\program files\NVIDIA Corporation\NvMixer\NvMixerTray.exe" [2004-03-03 131072]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2005-04-01 5562368]
"NvMediaCenter"="c:\windows\System32\NvMcTray.dll" [2005-04-01 86016]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 32768]
"Sony Ericsson PC Suite"="c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2005-10-26 159744]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2005-04-01 1495040]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\Owner\Start Menu\Programs\Startup\
is-N8C7M.lnk - d:\program files\Virus Removal Tool\is-N8C7M\startup.exe [2009-8-18 65536]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NettGain Client.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\NettGain Client.lnk
backup=c:\windows\pss\NettGain Client.lnkCommon Startup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Orange Slovensko\\NettGain Client\\NettGain1100_C.exe"=
"d:\program files\Microsoft ActiveSync\rapimgr.exe"= d:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"d:\program files\Microsoft ActiveSync\wcescomm.exe"= d:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"d:\program files\Microsoft ActiveSync\WCESMgr.exe"= d:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Common Files\\Microsoft Shared\\VS7Debug\\mdm.exe"=
"c:\\Program Files\\QIP\\qip.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\Orb.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe"=
"c:\\Program Files\\ICQ6\\ICQ.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\CNAB4RPK.EXE"=
"c:\\Program Files\\Opera\\opera.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [5.7.2009 15:44 108289]
S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [29.5.2008 19:49 29744]
.
Contents of the 'Scheduled Tasks' folder

2009-08-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1454471165-1801674531-682003330-1003Core.job
- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-07-05 13:29]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.sk/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: E&xportovať do programu Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-18 19:16
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\rundll32.exe
c:\program files\Common Files\Teleca Shared\CapabilityManager.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
d:\progra~1\MICROS~1\rapimgr.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Common Files\Teleca Shared\Generic.exe
c:\program files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
c:\program files\Skype\Plugin Manager\skypePM.exe
c:\windows\system32\CNAB4RPK.EXE
.
**************************************************************************
.
Completion time: 2009-08-18 19:20 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-18 17:19
ComboFix2.txt 2009-08-18 15:32

Pre-Run: 1 343 791 104 bytes free
Post-Run: 1 295 286 272 voľných bajtov

186 --- E O F --- 2009-06-17 09:09

// presunute. ac.milan

pitimir · Napísal **pitimir**: 19.08.2009 10:12 | Combofix Log - prosím pomoc

Stiahni OTM. Do laveho policka skopiruj:

Kód:

:processes
explorer.exe

:files
c:\documents and settings\Owner\Start Menu\Programs\Startup\is-N8C7M.lnk
d:\program files\Virus Removal Tool

:commands
[start explorer]
[emptytemp]
[reboot]

Klik na "Move It". Nasledne sa ti objavi v okne "Result" pokec, ktory sem cely skopiruj.

P.S.: Keby program ziadal restart, potvr ho. Nasledujuci log najdes v "C:\_OTM\MovedFiles\".

M4rekX · Napísal autor témy **M4rekX**: 19.08.2009 16:58 | Combofix Log - prosím pomoc

Tu je log:

Citácia:

All processes killed
========== PROCESSES ==========
No active process named explorer.exe was found!
========== FILES ==========
File/Folder c:\documents and settings\Owner\Start Menu\Programs\Startup\is-N8C7M.lnk not found.
File/Folder d:\program files\Virus Removal Tool not found.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: LocalService
->Temp folder emptied: 0 bytes
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
->Temporary Internet Files folder emptied: 32902 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: Owner
->Temp folder emptied: 3857 bytes
->Temporary Internet Files folder emptied: 26213580 bytes
->Google Chrome cache emptied: 10152899 bytes
->Opera cache emptied: 28594522 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 1138887 bytes
%systemroot%\System32 .tmp files removed: 7703569 bytes
Windows Temp folder emptied: 16639 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 70,44 mb

OTM by OldTimer - Version 3.0.0.6 log created on 08192009_164932

Files moved on Reboot...

Registry entries deleted on Reboot...

pitimir · Napísal **pitimir**: 20.08.2009 9:49 | Combofix Log - prosím pomoc

Stiahni MbAM. Uloz na plochu, otvor "mbam-setup.exe" a nainstaluj. Updatuj. Potom spravis kompletny scan - co program najde, zmaz. Nasledny log vloz sem.

M4rekX · Napísal autor témy **M4rekX**: 21.08.2009 9:39 | Combofix Log - prosím pomoc

Niekde som čital že je to nebezpečné, nemože sa s tym niečo pokašlat ?
Inak zatial počítač vypadá že je v poriadku už. Zatial nič nezvyčajné nerobí.
A zaujímalo by ma prečo mi nejde AVP Tool...

pitimir · Napísal **pitimir**: 21.08.2009 15:14 | Combofix Log - prosím pomoc

Preco by to malo byt nebezpecne?

Combofix Log - prosím pomoc

Combofix Log - prosím pomoc

Podobné témy

prosim o kontrolu combofix

Prosím o pomoc s "printer.exe"+log z Hijacku

Prosim vas kuknete mi log?

Prosim o kontrolu Hijack log

Prosím o kontrolu HJT log, reštarty mi robí pc

Pomoc. bordel z facebooku (+ log)

ComboFix otazka..

pomoc pomoc prosim nefunguje internet

Combofix, virus na win32/drivers/wrvkgg.sys

Prosim Prosim POMOC

PROSIM POMOC

Pomoc prosím

Prosim POMOC!

Prosím pomoc

Prosím POMOC SURNE!

prosim o pomoc