[ Posts: 23 ]

Registered: 28.05.08
Last login: 30.05.08
Posts: 13
Topics: 1 | 1
Location: Košice
Posted: 28.05.2008 10:19 | WIN32/Alman.NAD

Hi, so I've been struggling for two days with the above-mentioned "friend" (WIN32/Alman.NOD). I also found some things on forums, but even following those guides I can't get rid of it. It has already called in its "buddies" WIN32/PSW.OnLineGames.MUG and WIN32/TrojanDownloader.Murto.NN for help. NOD does find them every time, I have them deleted, but they are back again. Since Alman infects absolutely every .exe file, I want to ask whether it's even possible, before completely reinstalling Windows, to make a backup of the installers, since those are all .exe files too. I've somehow already given up on the idea of just moving them off the PC. I hope you can help me somehow. :cry: So have a nice day and, above all, few "friends"


Registered: 28.07.07
Posts: 3208
Topics: 41 | 41
Location: Brno
Posted: 28.05.2008 10:27 | WIN32/Alman.NAD

Please post a log from HijackThis and ComboFix:
guide: http://www.pcforum.sk/cistime-napadnuty ... 27265.html


_________________
PC: CPU: Intel i7 5820k @ 4.2 Ghz Cooler: NZXT Kraken x41 MB: ASUS X99-A GPU: ASUS Stryx 970 GTX 4GB RAM: 32 GB Kingston 2133 DDR4 SSD: Kingston Hyperx 240 GB HDD1: Seagate Barracuda 7200.14 3TB HDD2: Seagate Barracuda 7200 1TB PSU: Corsair RM 850 Case: NZXT Phantom 410 white LCD: DELL P2416D @ 75Hz AUDIO: Yamaha RN500 Speakers: DALI Zensor 5 Phone: Galaxy S8+
NB: Lenovo Y500

Registered: 28.05.08
Last login: 30.05.08
Posts: 13
Topics: 1 | 1
Location: Košice
Posted by topic author: 28.05.2008 10:32 | WIN32/Alman.NAD

I'll send it, I'll send everything, but only in the evening, I'm at work at the moment. Otherwise, with HijackThis I deleted everything that the virus creates according to the guide, then I ran NOD over it and everything was fine. But about 20 minutes later it was all back. Are you willing to help me in the evening? Around nine?


Registered: 28.07.07
Posts: 3208
Topics: 41 | 41
Location: Brno
Posted: 28.05.2008 10:37 | WIN32/Alman.NAD

I'll be at work then :) I'll only get back at 02:00, but there will be other people here and they'll surely help.... mainly don't forget those logs :)



Registered: 28.05.08
Last login: 30.05.08
Posts: 13
Topics: 1 | 1
Location: Košice
Posted by topic author: 28.05.2008 10:41 | WIN32/Alman.NAD

aaaaah, us working people :(( OK, thanks, and I hope work goes well for you


Registered: 28.05.08
Last login: 30.05.08
Posts: 13
Topics: 1 | 1
Location: Košice
Posted by topic author: 28.05.2008 20:10 | WIN32/Alman.NAD

So here I'm sending it, thanks for the help :)))

Logfile of HijackThis v1.99.1
Scan saved at 20:11:02, on 28. 5. 2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\MagicRotation\MagicPvt.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\rundll32.exe
C:\totalcmd\TOTALCMD.EXE
c:\Program Files\HijackThis\HijackThis.exe

O2 - BHO: ThunderAdvise - {97421D0D-E07F-40DF-8F07-99597B9585AD} - C:\WINDOWS\Downloaded Program Files\ThunderAdvise.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [MagicRotation] C:\Program Files\MagicRotation\MagicPvt.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [FinePrint Dispatcher v5] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe" /source=HKLM
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04g\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ICQ Lite] "C:\Program Files\ICQLite\ICQLite.exe" -minimize
O4 - HKLM\..\Run: [FineReader7NewsReaderPro] "C:\Program Files\ABBYY FineReader 7.0 Professional Edition\AbbyyNewsReader.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ICQ] "C:\Program Files\ICQ6\ICQ.exe" silent
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -trayboot
O21 - SSODL: JavaView - {DA191DE0-AA86-D04E-4B87-2A3D4928BE99} - C:\WINDOWS\AppPatch\Jview.dll
O21 - SSODL: ThunderAdvise - {97421D0D-E07F-40DF-8F07-99597B9585AD} - C:\WINDOWS\Downloaded Program Files\ThunderAdvise.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe


Registered: 02.09.07
Last login: 20.11.17
Posts: 6419
Topics: 298 | 298
Location: Žilina
Age: 24
Posted: 28.05.2008 20:24 | WIN32/Alman.NAD

Fix:

O2 - BHO: ThunderAdvise - {97421D0D-E07F-40DF-8F07-99597B9585AD} - C:\WINDOWS\Downloaded Program Files\ThunderAdvise.dll
O21 - SSODL: JavaView - {DA191DE0-AA86-D04E-4B87-2A3D4928BE99} - C:\WINDOWS\AppPatch\Jview.dll
O21 - SSODL: ThunderAdvise - {97421D0D-E07F-40DF-8F07-99597B9585AD} - C:\WINDOWS\Downloaded Program Files\ThunderAdvise.dll

ALSO, YOU HAVE 2 ANTIVIRUSES, WHAT FOR?? UNINSTALL AVAST, KEEP NOD


_________________
NTB: Dell Vostro 5470 - Core i5-4200U, GT 740M, 8GB DDR3-1600, Crucial MX100 256GB, 14" 1366x768
Audio: KRK RoKit 5 G2 White, Lexicon Alpha, M-Audio Axiom 25 MKII, AKG Y55
Phone: Samsung Galaxy S8
Ride: Alfa Romeo 159 SW 1.9JTDm 110kW - DPF/EGR/SWIRL OFF, BOSE SOUND

Registered: 28.07.07
Posts: 3208
Topics: 41 | 41
Location: Brno
Posted: 29.05.2008 3:08 | WIN32/Alman.NAD

We also need the ComboFix log, so we can throw out that yellow junk :)

guide: http://www.pcforum.sk/cistime-napadnuty ... 27265.html



Registered: 28.05.08
Last login: 30.05.08
Posts: 13
Topics: 1 | 1
Location: Košice
Posted by topic author: 29.05.2008 9:49 | WIN32/Alman.NAD

OK, thanks, I'm again only free in the evening, I'm at work all day, so we probably won't meet again :DDD As for the two antiviruses, I have them because I was already desperate, and I know your guide by heart even at midnight :D


Registered: 28.05.08
Last login: 30.05.08
Posts: 13
Topics: 1 | 1
Location: Košice
Posted by topic author: 30.05.2008 11:48 | WIN32/Alman.NAD

here is the log from ComboFix:

ComboFix 08-05-29.1 - Viki a Tanicka 2008-05-30 11:47:41.1 - NTFSx86
Systém Microsoft Windows XP Professional 5.1.2600.2.1250.1.1029.18.487 [GMT 2:00]
Running from: D:\matus\ComboFix.exe
* Created a new restore point
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-04-28 to 2008-05-30 )))))))))))))))))))))))))))))))
.

2008-05-28 20:39 . 2008-05-28 22:55 <DIR> d-------- C:\!KillBox
2008-05-27 15:35 . 2008-05-27 15:35 <DIR> d-------- C:\Program Files\Alwil Software
2008-05-27 12:54 . 2008-05-27 12:57 <DIR> d-------- C:\Program Files\a-squared HiJackFree
2008-05-26 11:44 . 2008-05-30 08:23 186 --a------ C:\MicroSoft.vbs
2008-05-26 11:44 . 2008-05-30 08:23 30 --a------ C:\MicroSoft.bat
2008-05-23 06:53 . 2008-05-23 06:53 <DIR> d-------- C:\Documents and Settings\Viki a Tanicka\Data aplikací\PDFCreator
2008-05-23 06:40 . 2008-05-23 06:47 <DIR> d-------- C:\Program Files\PDFCreator
2008-05-15 19:19 . 2008-05-17 18:51 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-05-15 19:19 . 2008-05-15 19:19 1,409 --a------ C:\WINDOWS\QTFont.for
2008-05-14 13:40 . 2008-05-14 13:40 <DIR> d-------- C:\Documents and Settings\Viki a Tanicka\Data aplikací\ABBYY
2008-05-14 13:34 . 2008-05-14 13:35 <DIR> d-------- C:\Program Files\ABBYY FineReader 7.0 Professional Edition
2008-05-14 13:34 . 2008-05-14 13:34 <DIR> d-------- C:\Documents and Settings\All Users\Data aplikací\ABBYY
2008-05-13 12:55 . 2008-05-13 12:55 <DIR> d-------- C:\Program Files\NIVEAklub
2008-04-25 13:09 . 2008-05-14 16:26 19 --a------ C:\Documents and Settings\Viki a Tanicka\Data aplikací\mdbu.bin
2008-04-25 13:08 . 2008-04-25 13:08 <DIR> d-------- C:\Program Files\HappyFoto
2008-04-19 15:52 . 2008-04-19 16:17 <DIR> d-------- C:\Program Files\ICQ6
2008-04-19 15:51 . 2008-04-19 15:51 <DIR> d-------- C:\Documents and Settings\Viki a Tanicka\Data aplikací\InstallShield

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-30 06:22 9,216 ----a-w C:\WINDOWS\AppPatch\AcXtrnel.dll
2008-05-30 06:22 13,824 ----a-w C:\WINDOWS\AppPatch\Jview.dll
2008-05-26 19:30 --------- d-----w C:\Documents and Settings\Viki a Tanicka\Data aplikací\skypePM
2008-05-26 19:30 --------- d-----w C:\Documents and Settings\Viki a Tanicka\Data aplikací\Skype
2008-05-26 09:49 --------- d-----w C:\Program Files\ESET
2008-05-21 18:34 --------- d-----w C:\Program Files\Common Files\Adobe
2008-05-20 13:32 --------- d-----w C:\Documents and Settings\Viki a Tanicka\Data aplikací\uTorrent
2008-05-20 08:50 --------- d-----w C:\Program Files\uTorrent
2008-05-15 06:24 --------- d-----w C:\Documents and Settings\Viki a Tanicka\Data aplikací\ICQ
2008-05-10 09:47 --------- d-----w C:\Program Files\rc10
2008-05-08 10:06 --------- d-----w C:\Program Files\ICQLite
2008-04-19 13:53 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-19 13:53 --------- d-----w C:\Program Files\Opera
2008-04-19 13:50 --------- d-----w C:\Program Files\QIP
2008-03-29 16:37 108,144 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2008-03-29 16:37 --------- d--h--r C:\Documents and Settings\Viki a Tanicka\Data aplikací\SecuROM
2008-02-07 09:52 168,592 ----a-w C:\WINDOWS\FotoFusion Uninstaller.exe
2008-02-06 21:05 271,429 ----a-w C:\WINDOWS\FotoFusionV4 Uninstaller.exe
2008-02-01 21:48 32 ----a-w C:\Documents and Settings\All Users\Data aplikací\ezsid.dat
2008-02-01 20:18 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2008-02-01 19:40 274,432 ----a-w C:\WINDOWS\system32\imon.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{97421D0D-E07F-40DF-8F07-99597B9585AD}]
2008-05-30 09:12 45056 --a------ C:\WINDOWS\Downloaded Program Files\ThunderAdvise.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-17 15:49 15360]
"DAEMON Tools Lite"="C:\Program Files\DAEMON Tools Lite\daemon.exe" [2007-12-29 14:05 486856]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-11-16 20:04 139264]
"ICQ"="C:\Program Files\ICQ6\ICQ.exe" [2008-04-01 12:40 172280]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"ICQ Lite"="C:\Program Files\ICQLite\ICQLite.exe" [2006-07-11 12:06 3144800]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2006-05-01 04:07 843776]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 06:22 7700480]
"nwiz"="nwiz.exe" [2006-10-22 06:22 1622016 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-10-22 06:22 86016]
"MagicRotation"="C:\Program Files\MagicRotation\MagicPvt.exe" [2005-12-26 18:23 1089536]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2008-02-01 21:40 921600]
"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-03-20 18:34 213936]
"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 11:22 155648]
"PaperPort PTD"="C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe" [2004-04-14 15:46 57393]
"IndexSearch"="C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe" [2004-04-14 16:04 40960]
"CloneCDTray"="C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" [2006-09-28 21:21 57344]
"FinePrint Dispatcher v5"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe" [2007-11-07 12:41 507904]
"SetDefPrt"="C:\Program Files\Brother\Brmfl04g\BrStDvPt.exe" [2004-11-11 18:14 49152]
"ControlCenter2.0"="C:\Program Files\Brother\ControlCenter2\brctrcen.exe" [2005-01-07 18:30 864256]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 16:40 155648]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 13:06 40048]
"ICQ Lite"="C:\Program Files\ICQLite\ICQLite.exe" [2006-07-11 12:06 3144800]
"FineReader7NewsReaderPro"="C:\Program Files\ABBYY FineReader 7.0 Professional Edition\AbbyyNewsReader.exe" [2003-12-10 00:19 278528]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-05-16 01:19 79224]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-17 15:49 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"JavaView"= {DA191DE0-AA86-D04E-4B87-2A3D4928BE99} - C:\WINDOWS\AppPatch\Jview.dll [2008-05-30 08:22 13824]
"ThunderAdvise"= {97421D0D-E07F-40DF-8F07-99597B9585AD} - C:\WINDOWS\Downloaded Program Files\ThunderAdvise.dll [2008-05-30 09:12 45056]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.YV12"= yv12vfw.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\ICQ6\\ICQ.exe"=
"C:\\Program Files\\rc10\\StrongDC.exe"=
"C:\\Program Files\\InterVideo\\DVD8\\WinDVD.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\QIP\\qip.exe"=
"C:\\Program Files\\ICQLite\\ICQLite.exe"=
"D:\\instalacky\\qipinfium9000full_slovak\\infium.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-05-16 01:20]
R1 magicpvt;magicpvt;C:\WINDOWS\system32\drivers\magicpvt.sys [2005-11-14 04:26]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-05-16 01:16]
R3 BrScnUsb;Brother USB Still Image driver;C:\WINDOWS\system32\Drivers\BrScnUsb.sys [2004-10-15 13:50]
R3 PSched;Plánovač paketů technologie QoS;C:\WINDOWS\system32\DRIVERS\psched.sys [2004-08-03 23:04]

*Newly Created Service* - 3983671ERRORCONTROL
*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-05-14 05:46:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-30 11:49:43
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\lsass.exe
-> C:\Program Files\Eset\pr_imon.dll
.
Completion time: 2008-05-30 11:50:13
ComboFix-quarantined-files.txt 2008-05-30 09:50:05

Adresářů: 9, Volných bajtů: 72,343,740,416
Adresářů: 12, Volných bajtů: 74,083,340,288

133


Registered: 28.05.08
Last login: 30.05.08
Posts: 13
Topics: 1 | 1
Location: Košice
Posted by topic author: 30.05.2008 11:51 | WIN32/Alman.NAD

and here is the log from HijackThis ... those three processes are back in full force :)

Logfile of HijackThis v1.99.1
Scan saved at 11:54:39, on 30. 5. 2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\MagicRotation\MagicPvt.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\Program Files\ICQLite\ICQLite.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\ICQ6\ICQ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Winamp\winamp.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Opera\Opera.exe
C:\WINDOWS\system32\rundll32.exe
C:\totalcmd\TOTALCMD.EXE
c:\Program Files\HijackThis\HijackThis.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe

O2 - BHO: ThunderAdvise - {97421D0D-E07F-40DF-8F07-99597B9585AD} - C:\WINDOWS\Downloaded Program Files\ThunderAdvise.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [MagicRotation] C:\Program Files\MagicRotation\MagicPvt.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [FinePrint Dispatcher v5] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe" /source=HKLM
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04g\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ICQ Lite] "C:\Program Files\ICQLite\ICQLite.exe" -minimize
O4 - HKLM\..\Run: [FineReader7NewsReaderPro] "C:\Program Files\ABBYY FineReader 7.0 Professional Edition\AbbyyNewsReader.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ICQ] "C:\Program Files\ICQ6\ICQ.exe" silent
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -trayboot
O21 - SSODL: JavaView - {DA191DE0-AA86-D04E-4B87-2A3D4928BE99} - C:\WINDOWS\AppPatch\Jview.dll
O21 - SSODL: ThunderAdvise - {97421D0D-E07F-40DF-8F07-99597B9585AD} - C:\WINDOWS\Downloaded Program Files\ThunderAdvise.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe


Registered: 28.07.07
Posts: 3208
Topics: 41 | 41
Location: Brno
Posted: 30.05.2008 12:13 | WIN32/Alman.NAD

first switch off your antivirus :)

Look at the Combofix section and RUNNING THE SCRIPT: http://www.pcforum.sk/cistime-napadnuty ... 27265.html
follow the guide and paste this into the script:

Code:
File::
C:\MicroSoft.vbs
C:\MicroSoft.bat
C:\WINDOWS\QTFont.qfn
C:\WINDOWS\QTFont.for
C:\WINDOWS\AppPatch\AcXtrnel.dll
C:\WINDOWS\AppPatch\Jview.dll
C:\WINDOWS\Downloaded Program Files\ThunderAdvise.dll

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{97421D0D-E07F-40DF-8F07-99597B9585AD}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"JavaView"=-
"ThunderAdvise"=-


paste the new log here

then fix this in the HJT log:
O2 - BHO: ThunderAdvise - {97421D0D-E07F-40DF-8F07-99597B9585AD} - C:\WINDOWS\Downloaded Program Files\ThunderAdvise.dll
O21 - SSODL: JavaView - {DA191DE0-AA86-D04E-4B87-2A3D4928BE99} - C:\WINDOWS\AppPatch\Jview.dll
O21 - SSODL: ThunderAdvise - {97421D0D-E07F-40DF-8F07-99597B9585AD} - C:\WINDOWS\Downloaded Program Files\ThunderAdvise.dll


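The two helper posts above (the "Fix:" list of O2/O21 entries and the CFScript with its File::/Registry:: sections) follow one pattern: read the O2/O21 lines from the HijackThis log and the "Files Created" lines from the ComboFix log, decide which entries look out of place, and write a script that removes those files and registry entries. The Python below is an added example that does this triage mechanically; it is not code from the thread, from HijackThis, from ComboFix or from pcforum.sk. It parses lines in both log formats (the sample lines are copied from the logs posted in this thread), flags entries under two directories the logs show being abused (C:\WINDOWS\AppPatch and C:\WINDOWS\Downloaded Program Files) plus files dropped directly under the drive root, and drafts the File::/Registry:: block. The directory list, the drive-root rule and every function name are assumptions made for this example; the two registry paths are the standard BHO and SSODL locations behind the O2 and O21 lines.

```python
# Triage helper for HijackThis / ComboFix logs. Added example for this thread;
# not HijackThis, ComboFix or pcforum.sk code. The directory list, the
# drive-root rule and all function names are assumptions made for the example.
import re
from dataclasses import dataclass

# Locations the thread's logs show being abused; treat anything under them as
# review-worthy (assumption for this example, not an exhaustive list).
SUSPECT_DIRS = (r"c:\windows\downloaded program files", r"c:\windows\apppatch")

# Standard registry locations behind HijackThis O2 (BHO) and O21 (SSODL) lines.
BHO_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
SSODL_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad"

# "O2 - BHO: name - {CLSID} - path" and "O21 - SSODL: name - {CLSID} - path"
HJT_LINE = re.compile(
    r"^O(?P<kind>2|21) - (?:BHO|SSODL): (?P<name>.+?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
# "created . modified size attrs path" lines from ComboFix's 'Files Created' section
CF_LINE = re.compile(
    r"^\d{4}-\d\d-\d\d \d\d:\d\d \. \d{4}-\d\d-\d\d \d\d:\d\d\s+"
    r"(?P<size><DIR>|[\d,]+)\s+(?P<attr>\S+)\s+(?P<path>.+)$")


@dataclass(frozen=True)
class Finding:
    source: str  # "hjt" or "combofix"
    kind: str    # "O2", "O21" or "file"
    name: str    # BHO/SSODL display name, "" for a plain file
    clsid: str   # CLSID for O2/O21, "" otherwise
    path: str
    reason: str


def _suspect_path(path: str) -> str:
    """Return why a path deserves review, or "" if it looks ordinary."""
    low = path.strip().lower()
    for d in SUSPECT_DIRS:
        if low.startswith(d + "\\"):
            return "located under " + d
    if re.match(r"^[a-z]:\\[^\\]+$", low):  # e.g. C:\MicroSoft.vbs
        return "file directly under the drive root"
    return ""


def parse_hjt(lines):
    """Flag O2/O21 entries whose DLL lives in a review-worthy location. Both
    load a DLL into Explorer/IE at logon, which is why they were fixed first."""
    out = []
    for line in lines:
        m = HJT_LINE.match(line.strip())
        if m and (why := _suspect_path(m["path"])):
            out.append(Finding("hjt", "O" + m["kind"], m["name"], m["clsid"].upper(), m["path"].strip(), why))
    return out


def parse_combofix_created(lines):
    """Flag files (directories skipped) from ComboFix's 'Files Created' list."""
    out = []
    for line in lines:
        m = CF_LINE.match(line.strip())
        if m and m["size"] != "<DIR>" and (why := _suspect_path(m["path"])):
            out.append(Finding("combofix", "file", "", "", m["path"].strip(), why))
    return out


def build_cfscript(findings):
    """Draft a CFScript in the File::/Registry:: syntax used in the thread:
    flagged paths, the BHO CLSID keys, and the SSODL value names."""
    files = sorted({f.path for f in findings})
    bho = sorted({f.clsid for f in findings if f.kind == "O2"})
    ssodl = sorted({f.name for f in findings if f.kind == "O21"})
    out = ["File::", *files, ""]
    if bho or ssodl:
        out.append("Registry::")
        out += [f"[-{BHO_KEY}\\{{{c}}}]" for c in bho]
        if ssodl:
            out.append(f"[{SSODL_KEY}]")
            out += [f'"{n}"=-' for n in ssodl]
    return "\n".join(out)


# Sample lines copied from the logs posted in this thread (constructed input).
SAMPLE_HJT = [
    r"O2 - BHO: ThunderAdvise - {97421D0D-E07F-40DF-8F07-99597B9585AD} - C:\WINDOWS\Downloaded Program Files\ThunderAdvise.dll",
    r'O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE',
    r"O21 - SSODL: JavaView - {DA191DE0-AA86-D04E-4B87-2A3D4928BE99} - C:\WINDOWS\AppPatch\Jview.dll",
    r"O21 - SSODL: ThunderAdvise - {97421D0D-E07F-40DF-8F07-99597B9585AD} - C:\WINDOWS\Downloaded Program Files\ThunderAdvise.dll",
]
SAMPLE_CF = [
    r"2008-05-28 20:39 . 2008-05-28 22:55 <DIR> d-------- C:\!KillBox",
    r"2008-05-26 11:44 . 2008-05-30 08:23 186 --a------ C:\MicroSoft.vbs",
    r"2008-05-26 11:44 . 2008-05-30 08:23 30 --a------ C:\MicroSoft.bat",
    r"2008-05-15 19:19 . 2008-05-17 18:51 54,156 --ah----- C:\WINDOWS\QTFont.qfn",
    r"2008-04-25 13:09 . 2008-05-14 16:26 19 --a------ C:\Documents and Settings\Viki a Tanicka\Data aplikací\mdbu.bin",
]

if __name__ == "__main__":
    found = parse_hjt(SAMPLE_HJT) + parse_combofix_created(SAMPLE_CF)
    for f in found:
        print(f"{f.source:8} {f.kind:4} {f.path}  ({f.reason})")
    print(build_cfscript(found))
```

A flagged entry is a candidate for review, not a verdict: with these rules QTFont.qfn is not flagged even though the helper's script removed it, and the O4 nod32kui line passes untouched. The draft script is meant to be compared against the full log by a person before it is used, which is also why the SSODL section lists the two value names rather than deleting the whole ShellServiceObjectDelayLoad key.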

Registered: 28.05.08
Last login: 30.05.08
Posts: 13
Topics: 1 | 1
Location: Košice
Posted by topic author: 30.05.2008 12:28 | WIN32/Alman.NAD

ComboFix log after running the script ...

ComboFix 08-05-29.1 - Viki a Tanicka 2008-05-30 12:28:24.2 - NTFSx86
Systém Microsoft Windows XP Professional 5.1.2600.2.1250.1.1029.18.507 [GMT 2:00]
Running from: D:\matus\ComboFix.exe
Command switches used :: C:\Documents and Settings\Viki a Tanicka\Plocha\CFScript.txt
* Created a new restore point
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-04-28 to 2008-05-30 )))))))))))))))))))))))))))))))
.

2008-05-28 20:39 . 2008-05-30 12:20 <DIR> d-------- C:\!KillBox
2008-05-27 15:35 . 2008-05-27 15:35 <DIR> d-------- C:\Program Files\Alwil Software
2008-05-27 12:54 . 2008-05-27 12:57 <DIR> d-------- C:\Program Files\a-squared HiJackFree
2008-05-26 11:44 . 2008-05-30 08:23 186 --a------ C:\MicroSoft.vbs
2008-05-26 11:44 . 2008-05-30 08:23 30 --a------ C:\MicroSoft.bat
2008-05-23 06:53 . 2008-05-23 06:53 <DIR> d-------- C:\Documents and Settings\Viki a Tanicka\Data aplikací\PDFCreator
2008-05-23 06:40 . 2008-05-23 06:47 <DIR> d-------- C:\Program Files\PDFCreator
2008-05-15 19:19 . 2008-05-17 18:51 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-05-15 19:19 . 2008-05-15 19:19 1,409 --a------ C:\WINDOWS\QTFont.for
2008-05-14 13:40 . 2008-05-14 13:40 <DIR> d-------- C:\Documents and Settings\Viki a Tanicka\Data aplikací\ABBYY
2008-05-14 13:34 . 2008-05-14 13:35 <DIR> d-------- C:\Program Files\ABBYY FineReader 7.0 Professional Edition
2008-05-14 13:34 . 2008-05-14 13:34 <DIR> d-------- C:\Documents and Settings\All Users\Data aplikací\ABBYY
2008-05-13 12:55 . 2008-05-13 12:55 <DIR> d-------- C:\Program Files\NIVEAklub
2008-04-25 13:09 . 2008-05-14 16:26 19 --a------ C:\Documents and Settings\Viki a Tanicka\Data aplikací\mdbu.bin
2008-04-25 13:08 . 2008-04-25 13:08 <DIR> d-------- C:\Program Files\HappyFoto
2008-04-19 15:52 . 2008-04-19 16:17 <DIR> d-------- C:\Program Files\ICQ6
2008-04-19 15:51 . 2008-04-19 15:51 <DIR> d-------- C:\Documents and Settings\Viki a Tanicka\Data aplikací\InstallShield

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-30 10:11 9,216 ----a-w C:\WINDOWS\AppPatch\AcXtrnel.dll
2008-05-26 19:30 --------- d-----w C:\Documents and Settings\Viki a Tanicka\Data aplikací\skypePM
2008-05-26 19:30 --------- d-----w C:\Documents and Settings\Viki a Tanicka\Data aplikací\Skype
2008-05-26 09:49 --------- d-----w C:\Program Files\ESET
2008-05-21 18:34 --------- d-----w C:\Program Files\Common Files\Adobe
2008-05-20 13:32 --------- d-----w C:\Documents and Settings\Viki a Tanicka\Data aplikací\uTorrent
2008-05-20 08:50 --------- d-----w C:\Program Files\uTorrent
2008-05-15 06:24 --------- d-----w C:\Documents and Settings\Viki a Tanicka\Data aplikací\ICQ
2008-05-10 09:47 --------- d-----w C:\Program Files\rc10
2008-05-08 10:06 --------- d-----w C:\Program Files\ICQLite
2008-04-19 13:53 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-19 13:53 --------- d-----w C:\Program Files\Opera
2008-04-19 13:50 --------- d-----w C:\Program Files\QIP
2008-03-29 16:37 108,144 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2008-03-29 16:37 --------- d--h--r C:\Documents and Settings\Viki a Tanicka\Data aplikací\SecuROM
2008-02-07 09:52 168,592 ----a-w C:\WINDOWS\FotoFusion Uninstaller.exe
2008-02-06 21:05 271,429 ----a-w C:\WINDOWS\FotoFusionV4 Uninstaller.exe
2008-02-01 21:48 32 ----a-w C:\Documents and Settings\All Users\Data aplikací\ezsid.dat
2008-02-01 20:18 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2008-02-01 19:40 274,432 ----a-w C:\WINDOWS\system32\imon.dll
.

((((((((((((((((((((((((((((( snapshot@2008-05-30_11.49.58,59 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-30 06:06:23 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-30 10:22:05 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2008-05-29 21:57:27 1,925 ----a-w C:\WINDOWS\system32\imon1.dat
+ 2008-05-30 10:21:17 2,863 ----a-w C:\WINDOWS\system32\imon1.dat
- 2008-05-30 06:06:43 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_5d8.dat
+ 2008-05-30 10:22:21 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_5d8.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-17 15:49 15360]
"DAEMON Tools Lite"="C:\Program Files\DAEMON Tools Lite\daemon.exe" [2007-12-29 14:05 486856]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-11-16 20:04 139264]
"ICQ"="C:\Program Files\ICQ6\ICQ.exe" [2008-04-01 12:40 172280]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"ICQ Lite"="C:\Program Files\ICQLite\ICQLite.exe" [2006-07-11 12:06 3144800]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2006-05-01 04:07 843776]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 06:22 7700480]
"nwiz"="nwiz.exe" [2006-10-22 06:22 1622016 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-10-22 06:22 86016]
"MagicRotation"="C:\Program Files\MagicRotation\MagicPvt.exe" [2005-12-26 18:23 1089536]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2008-02-01 21:40 921600]
"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-03-20 18:34 213936]
"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 11:22 155648]
"PaperPort PTD"="C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe" [2004-04-14 15:46 57393]
"IndexSearch"="C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe" [2004-04-14 16:04 40960]
"CloneCDTray"="C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" [2006-09-28 21:21 57344]
"FinePrint Dispatcher v5"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe" [2007-11-07 12:41 507904]
"SetDefPrt"="C:\Program Files\Brother\Brmfl04g\BrStDvPt.exe" [2004-11-11 18:14 49152]
"ControlCenter2.0"="C:\Program Files\Brother\ControlCenter2\brctrcen.exe" [2005-01-07 18:30 864256]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 16:40 155648]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 13:06 40048]
"ICQ Lite"="C:\Program Files\ICQLite\ICQLite.exe" [2006-07-11 12:06 3144800]
"FineReader7NewsReaderPro"="C:\Program Files\ABBYY FineReader 7.0 Professional Edition\AbbyyNewsReader.exe" [2003-12-10 00:19 278528]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-05-16 01:19 79224]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-17 15:49 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.YV12"= yv12vfw.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\ICQ6\\ICQ.exe"=
"C:\\Program Files\\rc10\\StrongDC.exe"=
"C:\\Program Files\\InterVideo\\DVD8\\WinDVD.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\QIP\\qip.exe"=
"C:\\Program Files\\ICQLite\\ICQLite.exe"=
"D:\\instalacky\\qipinfium9000full_slovak\\infium.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-05-16 01:20]
R1 magicpvt;magicpvt;C:\WINDOWS\system32\drivers\magicpvt.sys [2005-11-14 04:26]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-05-16 01:16]
R3 BrScnUsb;Brother USB Still Image driver;C:\WINDOWS\system32\Drivers\BrScnUsb.sys [2004-10-15 13:50]
R3 PSched;Plánovač paketů technologie QoS;C:\WINDOWS\system32\DRIVERS\psched.sys [2004-08-03 23:04]

.
Contents of the 'Scheduled Tasks' folder
"2008-05-14 05:46:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-30 12:30:00
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\lsass.exe
-> C:\Program Files\Eset\pr_imon.dll
.
Completion time: 2008-05-30 12:30:32
ComboFix-quarantined-files.txt 2008-05-30 10:30:22
ComboFix2.txt 2008-05-30 09:50:14

Adresářů: 9, Volných bajtů: 75,778,506,752
Adresářů: 11, Volných bajtů: 75,769,786,368



Fixed in HijackThis and at the same time deleted with KillBox as well (those three processes) ... don't know if it was necessary :) but it's done


Registered: 28.07.07
Posts: 3208
Topics: 41 | 41
Location: Brno
Posted: 30.05.2008 12:34 | WIN32/Alman.NAD

So once again :) a little mistake crept in :) do the same thing and it will be ok :)

Code:
File::
C:\MicroSoft.vbs
C:\MicroSoft.bat
C:\WINDOWS\QTFont.qfn
C:\WINDOWS\QTFont.for
C:\WINDOWS\AppPatch\AcXtrnel.dll
C:\WINDOWS\AppPatch\Jview.dll
C:\WINDOWS\Downloaded Program Files\ThunderAdvise.dll

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{97421D0D-E07F-40DF-8F07-99597B9585AD}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"JavaView"=-
"ThunderAdvise"=-


Registered: 28.05.08
Logged in: 30.05.08
Posts: 13
Topics: 1 | 1
Location: Košice
Posted by topic author: 30.05.2008 12:37 | WIN32/Alman.NAD

ComboFix 08-05-29.1 - Viki a Tanicka 2008-05-30 12:38:34.3 - NTFSx86
Systém Microsoft Windows XP Professional 5.1.2600.2.1250.1.1029.18.511 [GMT 2:00]
Running from: D:\matus\ComboFix.exe
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-04-28 to 2008-05-30 )))))))))))))))))))))))))))))))
.

2008-05-28 20:39 . 2008-05-30 12:20 <DIR> d-------- C:\!KillBox
2008-05-27 15:35 . 2008-05-27 15:35 <DIR> d-------- C:\Program Files\Alwil Software
2008-05-27 12:54 . 2008-05-27 12:57 <DIR> d-------- C:\Program Files\a-squared HiJackFree
2008-05-26 11:44 . 2008-05-30 08:23 186 --a------ C:\MicroSoft.vbs
2008-05-26 11:44 . 2008-05-30 08:23 30 --a------ C:\MicroSoft.bat
2008-05-23 06:53 . 2008-05-23 06:53 <DIR> d-------- C:\Documents and Settings\Viki a Tanicka\Data aplikací\PDFCreator
2008-05-23 06:40 . 2008-05-23 06:47 <DIR> d-------- C:\Program Files\PDFCreator
2008-05-15 19:19 . 2008-05-17 18:51 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-05-15 19:19 . 2008-05-15 19:19 1,409 --a------ C:\WINDOWS\QTFont.for
2008-05-14 13:40 . 2008-05-14 13:40 <DIR> d-------- C:\Documents and Settings\Viki a Tanicka\Data aplikací\ABBYY
2008-05-14 13:34 . 2008-05-14 13:35 <DIR> d-------- C:\Program Files\ABBYY FineReader 7.0 Professional Edition
2008-05-14 13:34 . 2008-05-14 13:34 <DIR> d-------- C:\Documents and Settings\All Users\Data aplikací\ABBYY
2008-05-13 12:55 . 2008-05-13 12:55 <DIR> d-------- C:\Program Files\NIVEAklub
2008-04-25 13:09 . 2008-05-14 16:26 19 --a------ C:\Documents and Settings\Viki a Tanicka\Data aplikací\mdbu.bin
2008-04-25 13:08 . 2008-04-25 13:08 <DIR> d-------- C:\Program Files\HappyFoto
2008-04-19 15:52 . 2008-04-19 16:17 <DIR> d-------- C:\Program Files\ICQ6
2008-04-19 15:51 . 2008-04-19 15:51 <DIR> d-------- C:\Documents and Settings\Viki a Tanicka\Data aplikací\InstallShield

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-30 10:11 9,216 ----a-w C:\WINDOWS\AppPatch\AcXtrnel.dll
2008-05-26 19:30 --------- d-----w C:\Documents and Settings\Viki a Tanicka\Data aplikací\skypePM
2008-05-26 19:30 --------- d-----w C:\Documents and Settings\Viki a Tanicka\Data aplikací\Skype
2008-05-26 09:49 --------- d-----w C:\Program Files\ESET
2008-05-21 18:34 --------- d-----w C:\Program Files\Common Files\Adobe
2008-05-20 13:32 --------- d-----w C:\Documents and Settings\Viki a Tanicka\Data aplikací\uTorrent
2008-05-20 08:50 --------- d-----w C:\Program Files\uTorrent
2008-05-15 06:24 --------- d-----w C:\Documents and Settings\Viki a Tanicka\Data aplikací\ICQ
2008-05-10 09:47 --------- d-----w C:\Program Files\rc10
2008-05-08 10:06 --------- d-----w C:\Program Files\ICQLite
2008-04-19 13:53 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-19 13:53 --------- d-----w C:\Program Files\Opera
2008-04-19 13:50 --------- d-----w C:\Program Files\QIP
2008-03-29 16:37 108,144 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2008-03-29 16:37 --------- d--h--r C:\Documents and Settings\Viki a Tanicka\Data aplikací\SecuROM
2008-02-07 09:52 168,592 ----a-w C:\WINDOWS\FotoFusion Uninstaller.exe
2008-02-06 21:05 271,429 ----a-w C:\WINDOWS\FotoFusionV4 Uninstaller.exe
2008-02-01 21:48 32 ----a-w C:\Documents and Settings\All Users\Data aplikací\ezsid.dat
2008-02-01 20:18 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2008-02-01 19:40 274,432 ----a-w C:\WINDOWS\system32\imon.dll
.

((((((((((((((((((((((((((((( snapshot@2008-05-30_11.49.58,59 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-30 06:06:23 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-30 10:34:09 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2008-05-29 21:57:27 1,925 ----a-w C:\WINDOWS\system32\imon1.dat
+ 2008-05-30 10:21:17 2,863 ----a-w C:\WINDOWS\system32\imon1.dat
+ 2008-05-30 10:34:25 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_5d4.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-17 15:49 15360]
"DAEMON Tools Lite"="C:\Program Files\DAEMON Tools Lite\daemon.exe" [2007-12-29 14:05 486856]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-11-16 20:04 139264]
"ICQ"="C:\Program Files\ICQ6\ICQ.exe" [2008-04-01 12:40 172280]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"ICQ Lite"="C:\Program Files\ICQLite\ICQLite.exe" [2006-07-11 12:06 3144800]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2006-05-01 04:07 843776]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 06:22 7700480]
"nwiz"="nwiz.exe" [2006-10-22 06:22 1622016 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-10-22 06:22 86016]
"MagicRotation"="C:\Program Files\MagicRotation\MagicPvt.exe" [2005-12-26 18:23 1089536]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2008-02-01 21:40 921600]
"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-03-20 18:34 213936]
"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 11:22 155648]
"PaperPort PTD"="C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe" [2004-04-14 15:46 57393]
"IndexSearch"="C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe" [2004-04-14 16:04 40960]
"CloneCDTray"="C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" [2006-09-28 21:21 57344]
"FinePrint Dispatcher v5"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe" [2007-11-07 12:41 507904]
"SetDefPrt"="C:\Program Files\Brother\Brmfl04g\BrStDvPt.exe" [2004-11-11 18:14 49152]
"ControlCenter2.0"="C:\Program Files\Brother\ControlCenter2\brctrcen.exe" [2005-01-07 18:30 864256]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 16:40 155648]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 13:06 40048]
"ICQ Lite"="C:\Program Files\ICQLite\ICQLite.exe" [2006-07-11 12:06 3144800]
"FineReader7NewsReaderPro"="C:\Program Files\ABBYY FineReader 7.0 Professional Edition\AbbyyNewsReader.exe" [2003-12-10 00:19 278528]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-05-16 01:19 79224]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-17 15:49 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.YV12"= yv12vfw.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\ICQ6\\ICQ.exe"=
"C:\\Program Files\\rc10\\StrongDC.exe"=
"C:\\Program Files\\InterVideo\\DVD8\\WinDVD.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\QIP\\qip.exe"=
"C:\\Program Files\\ICQLite\\ICQLite.exe"=
"D:\\instalacky\\qipinfium9000full_slovak\\infium.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-05-16 01:20]
R1 magicpvt;magicpvt;C:\WINDOWS\system32\drivers\magicpvt.sys [2005-11-14 04:26]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-05-16 01:16]
R3 BrScnUsb;Brother USB Still Image driver;C:\WINDOWS\system32\Drivers\BrScnUsb.sys [2004-10-15 13:50]
R3 PSched;Plánovač paketů technologie QoS;C:\WINDOWS\system32\DRIVERS\psched.sys [2004-08-03 23:04]

.
Contents of the 'Scheduled Tasks' folder
"2008-05-14 05:46:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-30 12:40:16
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\lsass.exe
-> C:\Program Files\Eset\pr_imon.dll
.
Completion time: 2008-05-30 12:40:47
ComboFix-quarantined-files.txt 2008-05-30 10:40:39
ComboFix2.txt 2008-05-30 10:30:33
ComboFix3.txt 2008-05-30 09:50:14

Adresářů: 9, Volných bajtů: 75,776,208,896
Adresářů: 11, Volných bajtů: 75,767,455,744

ComboFix log
That was fixed in HijackThis and then also deleted in KillBox


Registered: 28.07.07
Posts: 3208
Topics: 41 | 41
Location: Brno
Posted: 30.05.2008 12:40 | WIN32/Alman.NAD

yaJohny writes:
So once again :) a little mistake crept in :) do the same thing and it will be ok :)

Code:
File::
C:\MicroSoft.vbs
C:\MicroSoft.bat
C:\WINDOWS\QTFont.qfn
C:\WINDOWS\QTFont.for
C:\WINDOWS\AppPatch\AcXtrnel.dll
C:\WINDOWS\AppPatch\Jview.dll
C:\WINDOWS\Downloaded Program Files\ThunderAdvise.dll

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{97421D0D-E07F-40DF-8F07-99597B9585AD}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"JavaView"=-
"ThunderAdvise"=-


But you have to do it with this script that is above :) i.e. the same procedure with the script, but into the script you paste what is above me... but before that, turn off your antivirus..


Registered: 28.05.08
Logged in: 30.05.08
Posts: 13
Topics: 1 | 1
Location: Košice
Posted by topic author: 30.05.2008 12:46 | WIN32/Alman.NAD

This is the log after that second script ... there was a small typo in the previous one :/

ComboFix 08-05-29.1 - Viki a Tanicka 2008-05-30 12:45:06.4 - NTFSx86
Systém Microsoft Windows XP Professional 5.1.2600.2.1250.1.1029.18.494 [GMT 2:00]
Running from: D:\matus\ComboFix.exe
Command switches used :: C:\Documents and Settings\Viki a Tanicka\Plocha\CFScript.txt
* Created a new restore point
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\MicroSoft.bat
C:\MicroSoft.vbs
C:\WINDOWS\AppPatch\AcXtrnel.dll
C:\WINDOWS\AppPatch\Jview.dll
C:\WINDOWS\Downloaded Program Files\ThunderAdvise.dll
C:\WINDOWS\QTFont.for
C:\WINDOWS\QTFont.qfn
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\MicroSoft.bat
C:\MicroSoft.vbs
C:\WINDOWS\AppPatch\AcXtrnel.dll
C:\WINDOWS\QTFont.for
C:\WINDOWS\QTFont.qfn

.
((((((((((((((((((((((((( Files Created from 2008-04-28 to 2008-05-30 )))))))))))))))))))))))))))))))
.

2008-05-28 20:39 . 2008-05-30 12:20 <DIR> d-------- C:\!KillBox
2008-05-27 15:35 . 2008-05-27 15:35 <DIR> d-------- C:\Program Files\Alwil Software
2008-05-27 12:54 . 2008-05-27 12:57 <DIR> d-------- C:\Program Files\a-squared HiJackFree
2008-05-23 06:53 . 2008-05-23 06:53 <DIR> d-------- C:\Documents and Settings\Viki a Tanicka\Data aplikací\PDFCreator
2008-05-23 06:40 . 2008-05-23 06:47 <DIR> d-------- C:\Program Files\PDFCreator
2008-05-14 13:40 . 2008-05-14 13:40 <DIR> d-------- C:\Documents and Settings\Viki a Tanicka\Data aplikací\ABBYY
2008-05-14 13:34 . 2008-05-14 13:35 <DIR> d-------- C:\Program Files\ABBYY FineReader 7.0 Professional Edition
2008-05-14 13:34 . 2008-05-14 13:34 <DIR> d-------- C:\Documents and Settings\All Users\Data aplikací\ABBYY
2008-05-13 12:55 . 2008-05-13 12:55 <DIR> d-------- C:\Program Files\NIVEAklub
2008-04-25 13:09 . 2008-05-14 16:26 19 --a------ C:\Documents and Settings\Viki a Tanicka\Data aplikací\mdbu.bin
2008-04-25 13:08 . 2008-04-25 13:08 <DIR> d-------- C:\Program Files\HappyFoto
2008-04-19 15:52 . 2008-04-19 16:17 <DIR> d-------- C:\Program Files\ICQ6
2008-04-19 15:51 . 2008-04-19 15:51 <DIR> d-------- C:\Documents and Settings\Viki a Tanicka\Data aplikací\InstallShield

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-26 19:30 --------- d-----w C:\Documents and Settings\Viki a Tanicka\Data aplikací\skypePM
2008-05-26 19:30 --------- d-----w C:\Documents and Settings\Viki a Tanicka\Data aplikací\Skype
2008-05-26 09:49 --------- d-----w C:\Program Files\ESET
2008-05-21 18:34 --------- d-----w C:\Program Files\Common Files\Adobe
2008-05-20 13:32 --------- d-----w C:\Documents and Settings\Viki a Tanicka\Data aplikací\uTorrent
2008-05-20 08:50 --------- d-----w C:\Program Files\uTorrent
2008-05-15 06:24 --------- d-----w C:\Documents and Settings\Viki a Tanicka\Data aplikací\ICQ
2008-05-10 09:47 --------- d-----w C:\Program Files\rc10
2008-05-08 10:06 --------- d-----w C:\Program Files\ICQLite
2008-04-19 13:53 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-19 13:53 --------- d-----w C:\Program Files\Opera
2008-04-19 13:50 --------- d-----w C:\Program Files\QIP
2008-03-29 16:37 108,144 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2008-03-29 16:37 --------- d--h--r C:\Documents and Settings\Viki a Tanicka\Data aplikací\SecuROM
2008-02-07 09:52 168,592 ----a-w C:\WINDOWS\FotoFusion Uninstaller.exe
2008-02-06 21:05 271,429 ----a-w C:\WINDOWS\FotoFusionV4 Uninstaller.exe
2008-02-01 21:48 32 ----a-w C:\Documents and Settings\All Users\Data aplikací\ezsid.dat
2008-02-01 20:18 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2008-02-01 19:40 274,432 ----a-w C:\WINDOWS\system32\imon.dll
.

((((((((((((((((((((((((((((( snapshot@2008-05-30_11.49.58,59 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-30 06:06:23 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-30 10:34:09 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2008-05-29 21:57:27 1,925 ----a-w C:\WINDOWS\system32\imon1.dat
+ 2008-05-30 10:21:17 2,863 ----a-w C:\WINDOWS\system32\imon1.dat
+ 2008-05-30 10:34:25 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_5d4.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-17 15:49 15360]
"DAEMON Tools Lite"="C:\Program Files\DAEMON Tools Lite\daemon.exe" [2007-12-29 14:05 486856]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-11-16 20:04 139264]
"ICQ"="C:\Program Files\ICQ6\ICQ.exe" [2008-04-01 12:40 172280]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"ICQ Lite"="C:\Program Files\ICQLite\ICQLite.exe" [2006-07-11 12:06 3144800]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2006-05-01 04:07 843776]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 06:22 7700480]
"nwiz"="nwiz.exe" [2006-10-22 06:22 1622016 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-10-22 06:22 86016]
"MagicRotation"="C:\Program Files\MagicRotation\MagicPvt.exe" [2005-12-26 18:23 1089536]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2008-02-01 21:40 921600]
"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-03-20 18:34 213936]
"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 11:22 155648]
"PaperPort PTD"="C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe" [2004-04-14 15:46 57393]
"IndexSearch"="C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe" [2004-04-14 16:04 40960]
"CloneCDTray"="C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" [2006-09-28 21:21 57344]
"FinePrint Dispatcher v5"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe" [2007-11-07 12:41 507904]
"SetDefPrt"="C:\Program Files\Brother\Brmfl04g\BrStDvPt.exe" [2004-11-11 18:14 49152]
"ControlCenter2.0"="C:\Program Files\Brother\ControlCenter2\brctrcen.exe" [2005-01-07 18:30 864256]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 16:40 155648]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 13:06 40048]
"ICQ Lite"="C:\Program Files\ICQLite\ICQLite.exe" [2006-07-11 12:06 3144800]
"FineReader7NewsReaderPro"="C:\Program Files\ABBYY FineReader 7.0 Professional Edition\AbbyyNewsReader.exe" [2003-12-10 00:19 278528]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-05-16 01:19 79224]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-17 15:49 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.YV12"= yv12vfw.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\ICQ6\\ICQ.exe"=
"C:\\Program Files\\rc10\\StrongDC.exe"=
"C:\\Program Files\\InterVideo\\DVD8\\WinDVD.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\QIP\\qip.exe"=
"C:\\Program Files\\ICQLite\\ICQLite.exe"=
"D:\\instalacky\\qipinfium9000full_slovak\\infium.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-05-16 01:20]
R1 magicpvt;magicpvt;C:\WINDOWS\system32\drivers\magicpvt.sys [2005-11-14 04:26]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-05-16 01:16]
R3 BrScnUsb;Brother USB Still Image driver;C:\WINDOWS\system32\Drivers\BrScnUsb.sys [2004-10-15 13:50]
R3 PSched;Plánovač paketů technologie QoS;C:\WINDOWS\system32\DRIVERS\psched.sys [2004-08-03 23:04]

.
Contents of the 'Scheduled Tasks' folder
"2008-05-14 05:46:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-30 12:46:14
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\lsass.exe
-> C:\Program Files\Eset\pr_imon.dll
.
Completion time: 2008-05-30 12:46:41
ComboFix-quarantined-files.txt 2008-05-30 10:46:32
ComboFix2.txt 2008-05-30 10:40:49
ComboFix3.txt 2008-05-30 10:30:33
ComboFix4.txt 2008-05-30 09:50:14

Adresářů: 9, Volných bajtů: 75,753,979,904
Adresářů: 11, Volných bajtů: 75,746,234,368



In HijackThis there is nothing left from that trio ... except that afterwards NOD still reports some Eicar test file that it doesn't like


Registered: 28.07.07
Posts: 3208
Topics: 41 | 41
Location: Brno
Posted: 30.05.2008 12:50 | WIN32/Alman.NAD

You no longer have the trojan; now just rescan the PC with NOD, clean the Temp directory, go over the system with CCleaner.... and some antispyware,,, regular maintenance is important :)

//By the way, you didn't even have to delete it in KillBox, ComboFix would have handled it :) but at least you learned something new :)


Registered: 28.05.08
Logged in: 30.05.08
Posts: 13
Topics: 1 | 1
Location: Košice
Posted by topic author: 30.05.2008 13:25 | WIN32/Alman.NAD

So this buddy is still here on an uninvited visit: WIN32/TrojanDownloader.Murto.NN


Registered: 28.05.08
Logged in: 30.05.08
Posts: 13
Topics: 1 | 1
Location: Košice
Posted by topic author: 30.05.2008 13:31 | WIN32/Alman.NAD

WIN32/TrojanDownloader.Murlo.NN, pardon ;)


Registered: 28.07.07
Posts: 3208
Topics: 41 | 41
Location: Brno
Posted: 30.05.2008 15:19 | WIN32/Alman.NAD

Follow the guide:
http://www.viry.cz/forum/viewtopic.php?t=16475


Registered: 28.05.08
Logged in: 30.05.08
Posts: 13
Topics: 1 | 1
Location: Košice
Posted by topic author: 30.05.2008 17:43 | WIN32/Alman.NAD

WIN32/TrojanDownloader.Murlo.NN, the fellow somehow seems to like it here ... he is still here ...
SmitFraud was run exactly according to the guide, but it didn't help; a scan with NOD still finds it


Registered: 28.07.07
Posts: 3208
Topics: 41 | 41
Location: Brno
Posted: 31.05.2008 0:25 | WIN32/Alman.NAD

But where does it find it? Post the infiltration report


© 2005 - 2017 PCforum, edited by JanoF