PC disinfection, computer speed-up, remote assistance via the neslape.cz service

ComboFix found a rootkit

Have a problem with a virus? Post your FRST or RSIT log here.

Moderator: Moderators

Forum rules
If you want help, post a log from FRST [guide here] or RSIT [guide here]

Individual threads will be locked once resolved, as will those inactive for more than 14 days. See the Rule on locking topics. Thank you for your understanding.

kubikma
Guest
Posts: 10
Registered: 02 Jan 2010 10:22

#1 Post by kubikma »

Please check this. ComboFix found a rootkit but I don't know whether it removed it. I'm also attaching the ComboFix log.

ComboFix 09-12-31.A1 - Eva 02.01.2010 9:33.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1250.420.1029.18.495.129 [GMT 1:00]
Running from: c:\documents and settings\Eva\Plocha\ComboFix.exe
AV: avast! antivirus 4.8.1368 [VPS 091231-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((( Files Created From 2009-12-02 to 2010-01-02 )))))))))))))))))))))))))))))))
.

2010-01-02 07:13 . 2009-11-21 16:03 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2010-01-01 19:58 . 2010-01-01 19:58 -------- d-----w- c:\program files\LooksBuilderSE
2010-01-01 19:44 . 2005-09-23 21:18 171520 ----a-w- c:\windows\system32\drivers\MarvinBus.sys
2010-01-01 19:43 . 2010-01-01 19:44 -------- dc----w- c:\windows\system32\DRVSTORE
2010-01-01 19:43 . 2010-01-01 19:43 -------- d-----w- c:\program files\Common Files\Pinnacle
2010-01-01 19:42 . 2010-01-01 20:07 -------- d-----w- c:\documents and settings\All Users\Data aplikac
2010-01-01 19:33 . 2010-01-01 19:33 -------- d-----w- c:\program files\Common Files\Pegasus Imaging
2010-01-01 19:33 . 2010-01-01 19:33 -------- d-----w- c:\program files\Common Files\Yahoo!
2010-01-01 16:56 . 2010-01-01 16:56 142592 ----a-w- c:\windows\system32\drivers\sp_rsdrv2.sys
2010-01-01 16:56 . 2010-01-01 19:22 -------- d-----w- c:\program files\Spyware Terminator
2010-01-01 15:55 . 2010-01-01 18:32 691696 ----a-w- c:\windows\system32\drivers\sptd.sys
2010-01-01 15:55 . 2010-01-01 15:56 -------- d-----w- c:\program files\DAEMON Tools Lite
2010-01-01 12:09 . 2006-06-29 12:07 14048 ------w- c:\windows\system32\spmsg2.dll
2010-01-01 12:05 . 2010-01-01 12:08 -------- d-----w- c:\windows\system32\XPSViewer
2010-01-01 12:05 . 2010-01-01 12:05 -------- d-----w- c:\program files\MSBuild
2010-01-01 12:05 . 2010-01-01 12:05 -------- d-----w- c:\program files\Reference Assemblies
2010-01-01 12:04 . 2008-07-06 12:06 89088 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\filterpipelineprintproc.dll
2010-01-01 12:03 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2010-01-01 12:03 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2010-01-01 12:03 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2010-01-01 12:03 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2010-01-01 12:03 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2010-01-01 12:03 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2010-01-01 12:03 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2010-01-01 12:03 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\Spool\prtprocs\w32x86\printfilterpipelinesvc.exe
2009-12-27 06:42 . 2004-03-29 16:23 90112 ----a-w- c:\windows\unvise32.exe
2009-12-27 06:40 . 2002-01-05 01:38 54784 ----a-w- c:\windows\system32\MSVCI70.DLL
2009-12-27 06:40 . 2002-01-05 00:18 84992 ----a-w- c:\windows\system32\ATL70.DLL
2009-12-27 06:37 . 2010-01-01 19:57 -------- d-----w- c:\program files\Pinnacle
2009-12-27 06:36 . 2002-03-19 08:29 14165 ------w- c:\windows\system32\drivers\Pclepci.sys
2009-12-26 17:29 . 2009-12-26 17:29 -------- d-----w- c:\program files\Ashampoo

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-02 08:47 . 2010-01-02 08:45 524288 ---ha-w- c:\documents and settings\Administrator\NTUSER.DAT
2010-01-02 07:21 . 2001-10-25 14:00 83940 ----a-w- c:\windows\system32\perfc005.dat
2010-01-02 07:21 . 2001-10-25 14:00 441324 ----a-w- c:\windows\system32\perfh005.dat
2010-01-02 06:25 . 2009-11-17 09:42 -------- d-----w- c:\program files\Foxit Software
2010-01-01 19:01 . 2005-12-28 11:18 -------- d-----w- c:\program files\Zoner
2010-01-01 18:57 . 2005-12-27 18:22 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-01-01 15:45 . 2005-12-27 12:55 -------- d-----w- c:\program files\ESET
2009-12-29 14:40 . 2005-12-27 13:08 -------- d-----w- c:\program files\Ahead
2009-12-29 14:36 . 2009-10-27 19:50 -------- d-----w- c:\program files\VMPTH3
2009-12-29 14:35 . 2006-12-15 19:47 -------- d-----w- c:\program files\IDOS
2009-12-24 21:14 . 2006-02-15 18:10 -------- d-----w- c:\program files\CyberLink
2009-12-23 18:17 . 2006-04-16 19:09 -------- d-----w- c:\program files\Mv2Player
2009-11-24 23:54 . 2007-03-16 18:21 1280480 ----a-w- c:\windows\system32\aswBoot.exe
2009-11-24 23:51 . 2007-03-16 18:21 93424 ----a-w- c:\windows\system32\drivers\aswmon.sys
2009-11-24 23:50 . 2007-03-16 18:21 94160 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2009-11-24 23:50 . 2008-04-14 06:39 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-11-24 23:50 . 2008-04-14 06:39 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2009-11-24 23:49 . 2007-03-16 18:21 48560 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-11-24 23:48 . 2007-03-16 18:21 23120 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-11-24 23:47 . 2007-03-16 18:21 27408 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2009-11-24 23:47 . 2007-03-16 18:21 97480 ----a-w- c:\windows\system32\AVASTSS.scr
2009-11-21 16:03 . 2004-08-17 13:49 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-11-03 10:03 . 2005-12-27 18:02 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-11-03 10:03 . 2005-12-27 18:02 2740 ----a-w- c:\windows\pchealth\helpctr\PackageStore\SkuStore.bin
2009-10-29 07:43 . 2004-08-17 13:49 916480 ------w- c:\windows\system32\wininet.dll
2009-10-21 05:40 . 2004-08-17 13:49 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:40 . 2004-08-17 13:49 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2004-08-03 21:00 265728 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-13 10:34 . 2004-08-17 13:49 271360 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:40 . 2004-08-17 13:49 150016 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:40 . 2004-08-17 13:49 79872 ----a-w- c:\windows\system32\raschap.dll
2007-08-05 17:08 . 2007-08-04 16:05 48 --sha-w- c:\windows\SAED26C4E.tmp
.

(((((((((((((((((((((((((((((((((( Registry Loading Points )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries and legitimate default entries are not shown.
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-07-19 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-07-19 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-07-19 114688]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-08-19 737369]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]
"Control Center"="c:\program files\ASUS\WLAN Card Utilities\Center.exe" [2005-06-15 1623040]
"USBToolTip"="c:\progra~1\Pinnacle\SHARED~1\Programs\USBTip\USBTip.exe" [2007-02-20 199752]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Nabídka Start\Programy\Po spuštění\AutorunsDisabled
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-4 258048]
Rychlé spuštění aplikace HP Image Zone.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2004-11-4 53248]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Control Center]
2005-06-15 14:50 1623040 ----a-w- c:\program files\ASUS\WLAN Card Utilities\Center.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Wireless Console 2]
2005-08-23 12:45 987136 ----a-w- c:\program files\ASUS\Wireless Console 2\wcourier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ASWLSVC"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\ICQ6.5\\ICQ.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Spyware Terminator\\SpywareTerminatorUpdate.exe"=
"c:\\Program Files\\Pinnacle\\Studio 14\\Programs\\RM.exe"=
"c:\\Program Files\\Pinnacle\\Studio 14\\Programs\\Studio.exe"=
"c:\\Program Files\\Pinnacle\\Studio 14\\Programs\\umi.exe"=

R0 d347bus;d347bus;c:\windows\system32\drivers\d347bus.sys [27.12.2005 21:20 155136]
R0 d347prt;d347prt;c:\windows\system32\drivers\d347prt.sys [27.12.2005 21:20 5248]
S1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [14.4.2008 7:39 114768]
S1 sp_rsdrv2;Spyware Terminator Driver 2;c:\windows\system32\drivers\sp_rsdrv2.sys [1.1.2010 17:56 142592]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [14.4.2008 7:39 20560]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [1.1.2010 16:55 691696]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - PARPORT
.
Contents of the 'Scheduled Tasks' folder

2009-12-27 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2006-10-10 15:13]

2010-01-02 c:\windows\Tasks\HPpromotions journeysoftware.job
- c:\program files\hp\digital imaging\bin\hp promotions\journeysoftware\HPpromo.exe [2005-04-22 15:36]
.
- - - - ORPHANED ENTRIES REMOVED FROM THE REGISTRY - - - -

HKLM-Run-ASUS Probe - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-02 09:46
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x861B9C30]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf77bcf28
\Driver\ACPI -> ACPI.sys @ 0xf76e9cb8
\Driver\atapi -> 0x861b9c30
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a05a9
ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a05a9
ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
Warning: possible MBR rootkit infection !
user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1408)
c:\windows\system32\msi.dll
.
Completion time: 2010-01-02 09:54:06 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-02 08:54
ComboFix2.txt 2010-01-01 16:43

Pre-Run: 24,351,174,656 bytes free
Post-Run: 24,386,244,608 bytes free

- - End Of File - - 51CF1405EE03532E78F327591D987F16




Logfile of random's system information tool 1.06 (written by random/random)
Run by Eva at 2010-01-02 10:18:42
Microsoft Windows XP Professional Service Pack 3
System drive C: has 23 GB (41%) free of 57 GB
Total RAM: 495 MB (42% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:19:12, on 2.1.2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\ASUS\WLAN Card Utilities\Center.exe
C:\PROGRA~1\Pinnacle\SHARED~1\Programs\USBTip\USBTip.exe
C:\WINDOWS\system32\spoolsv.exe
c:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\setup\avast.setup
C:\Program Files\Opera\opera.exe
C:\Documents and Settings\Eva\Local Settings\Data aplikací\Opera\Opera\profile\cache4\temporary_download\RSIT.exe
C:\Program Files\trend micro\Eva.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.seznam.cz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=192.168.63.26:3128
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
R3 - URLSearchHook: OLE (Part 1 of 5) - - (no file)
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Control Center] C:\Program Files\ASUS\WLAN Card Utilities\Center.exe
O4 - HKLM\..\Run: [USBToolTip] C:\PROGRA~1\Pinnacle\SHARED~1\Programs\USBTip\USBTip.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: AutorunsDisabled
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Program Files\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: E&xportovat do aplikace Microsoft Office Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Zdroje informací - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe (file missing)
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6.5\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6.5\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftup ... 5685194721
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 5685186659
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe

--
End of file - 5704 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\HPpromotions journeysoftware.job

======Registry dump======

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"=C:\WINDOWS\system32\igfxtray.exe [2005-07-19 94208]
"igfxhkcmd"=C:\WINDOWS\system32\hkcmd.exe [2005-07-19 77824]
"igfxpers"=C:\WINDOWS\system32\igfxpers.exe [2005-07-19 114688]
"SynTPEnh"=C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2005-08-19 737369]
"avast!"=C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe [2009-11-25 81000]
"Control Center"=C:\Program Files\ASUS\WLAN Card Utilities\Center.exe [2005-06-15 1623040]
"USBToolTip"=C:\PROGRA~1\Pinnacle\SHARED~1\Programs\USBTip\USBTip.exe [2007-02-20 199752]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Control Center]
C:\Program Files\ASUS\WLAN Card Utilities\Center.exe [2005-06-15 1623040]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Wireless Console 2]
C:\Program Files\ASUS\Wireless Console 2\wcourier.exe [2005-08-23 987136]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ASWLSVC"=2

C:\Documents and Settings\All Users\Nabídka Start\Programy\Po spuštění
AutorunsDisabled

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\WINDOWS\system32\igfxdev.dll [2005-07-19 135168]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2009-03-10 265096]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
UPnPMonitor - {e57ce738-33e8-4c51-8354-bb4de9d215d1} - C:\WINDOWS\system32\upnpui.dll [2008-04-14 239616]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=323
"NoDriveAutoRun"=67108863
"NoDrives"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=
"NoDriveAutoRun"=
"NoDriveTypeAutoRun"=
"NoDrives"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\ICQ6.5\ICQ.exe"="C:\Program Files\ICQ6.5\ICQ.exe:*:Enabled:ICQ6"
"C:\Program Files\Opera\opera.exe"="C:\Program Files\Opera\opera.exe:*:Enabled:Opera Internet Browser"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Skype\Phone\Skype.exe"="C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype"
"C:\Program Files\Spyware Terminator\SpywareTerminatorUpdate.exe"="C:\Program Files\Spyware Terminator\SpywareTerminatorUpdate.exe:*:Enabled:Crawler Spyware Terminator"
"C:\Program Files\Pinnacle\Studio 14\Programs\RM.exe"="C:\Program Files\Pinnacle\Studio 14\Programs\RM.exe:*:Enabled:Render Manager"
"C:\Program Files\Pinnacle\Studio 14\Programs\Studio.exe"="C:\Program Files\Pinnacle\Studio 14\Programs\Studio.exe:*:Enabled:Studio"
"C:\Program Files\Pinnacle\Studio 14\Programs\umi.exe"="C:\Program Files\Pinnacle\Studio 14\Programs\umi.exe:*:Enabled:umi"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

======List of files/folders created in the last 1 months======

2010-01-02 10:18:47 ----D---- C:\Program Files\trend micro
2010-01-02 10:18:42 ----D---- C:\rsit
2010-01-02 09:54:09 ----D---- C:\WINDOWS\temp
2010-01-02 09:54:07 ----A---- C:\ComboFix.txt
2010-01-02 09:44:37 ----A---- C:\WINDOWS\ntbtlog.txt
2010-01-02 08:23:02 ----HDC---- C:\WINDOWS\$NtUninstallKB955759$
2010-01-02 08:14:50 ----HDC---- C:\WINDOWS\$NtUninstallKB961118$
2010-01-01 20:58:25 ----D---- C:\Program Files\LooksBuilderSE
2010-01-01 20:43:58 ----DC---- C:\WINDOWS\system32\DRVSTORE
2010-01-01 20:43:47 ----D---- C:\Program Files\Common Files\Pinnacle
2010-01-01 20:42:39 ----D---- C:\Documents and Settings\All Users\Data aplikací\Pinnacle Studio Ultimate Collection
2010-01-01 20:33:40 ----D---- C:\Program Files\Common Files\Pegasus Imaging
2010-01-01 20:33:37 ----D---- C:\Program Files\Common Files\Yahoo!
2010-01-01 20:33:37 ----D---- C:\Documents and Settings\All Users\Data aplikací\Studio 14
2010-01-01 20:33:37 ----D---- C:\Documents and Settings\All Users\Data aplikací\Pinnacle Studio Plus
2010-01-01 20:16:07 ----HDC---- C:\WINDOWS\$NtUninstallKB942288-v3$
2010-01-01 17:56:50 ----D---- C:\Documents and Settings\Eva\Data aplikací\Spyware Terminator
2010-01-01 17:56:30 ----D---- C:\Documents and Settings\All Users\Data aplikací\Spyware Terminator
2010-01-01 17:56:24 ----D---- C:\Program Files\Spyware Terminator
2010-01-01 17:06:04 ----A---- C:\Boot.bak
2010-01-01 17:05:51 ----RASHD---- C:\cmdcons
2010-01-01 17:04:48 ----A---- C:\WINDOWS\NIRCMD.exe
2010-01-01 17:04:48 ----A---- C:\WINDOWS\MBR.exe
2010-01-01 17:04:47 ----A---- C:\WINDOWS\zip.exe
2010-01-01 17:04:47 ----A---- C:\WINDOWS\SWXCACLS.exe
2010-01-01 17:04:47 ----A---- C:\WINDOWS\SWSC.exe
2010-01-01 17:04:47 ----A---- C:\WINDOWS\SWREG.exe
2010-01-01 17:04:47 ----A---- C:\WINDOWS\sed.exe
2010-01-01 17:04:47 ----A---- C:\WINDOWS\PEV.exe
2010-01-01 17:04:47 ----A---- C:\WINDOWS\grep.exe
2010-01-01 17:04:39 ----D---- C:\WINDOWS\ERDNT
2010-01-01 17:04:28 ----D---- C:\Qoobox
2010-01-01 16:55:34 ----D---- C:\Program Files\DAEMON Tools Lite
2010-01-01 16:54:57 ----D---- C:\Documents and Settings\Eva\Data aplikací\DAEMON Tools Lite
2010-01-01 16:54:52 ----D---- C:\Documents and Settings\All Users\Data aplikací\DAEMON Tools Lite
2010-01-01 13:09:18 ----N---- C:\WINDOWS\system32\spmsg2.dll
2010-01-01 13:09:08 ----HDC---- C:\WINDOWS\$NtUninstallXPSEPSCLP$
2010-01-01 13:05:26 ----D---- C:\WINDOWS\system32\XPSViewer
2010-01-01 13:05:20 ----D---- C:\Program Files\MSBuild
2010-01-01 13:05:18 ----D---- C:\WINDOWS\system32\en-US
2010-01-01 13:05:07 ----D---- C:\Program Files\Reference Assemblies
2010-01-01 13:03:19 ----N---- C:\WINDOWS\system32\xpssvcs.dll
2010-01-01 13:03:19 ----N---- C:\WINDOWS\system32\xpsshhdr.dll
2010-01-01 13:03:19 ----N---- C:\WINDOWS\system32\prntvpt.dll
2009-12-27 07:42:15 ----A---- C:\WINDOWS\unvise32.exe
2009-12-27 07:40:04 ----A---- C:\WINDOWS\system32\MSVCI70.DLL
2009-12-27 07:40:02 ----A---- C:\WINDOWS\system32\ATL70.DLL
2009-12-27 07:37:18 ----D---- C:\Documents and Settings\All Users\Data aplikací\Pinnacle
2009-12-27 07:37:13 ----D---- C:\Program Files\Pinnacle
2009-12-26 18:38:33 ----D---- C:\Documents and Settings\Eva\Data aplikací\Ashampoo
2009-12-26 18:30:44 ----D---- C:\Documents and Settings\All Users\Data aplikací\ashampoo
2009-12-26 18:29:49 ----D---- C:\Documents and Settings\All Users\Data aplikací\page
2009-12-26 18:29:47 ----D---- C:\Program Files\Ashampoo
2009-12-24 21:17:16 ----D---- C:\Documents and Settings\All Users\Data aplikací\CyberLink
2009-12-24 21:07:37 ----D---- C:\Documents and Settings\All Users\Data aplikací\Temp
2009-12-10 09:46:47 ----HDC---- C:\WINDOWS\$NtUninstallKB970430$
2009-12-10 09:44:11 ----HDC---- C:\WINDOWS\$NtUninstallKB974318$
2009-12-10 09:38:07 ----HDC---- C:\WINDOWS\$NtUninstallKB973904$
2009-12-10 09:37:56 ----HDC---- C:\WINDOWS\$NtUninstallKB974392$
2009-12-10 09:37:34 ----HDC---- C:\WINDOWS\$NtUninstallKB971737$

======List of files/folders modified in the last 1 months======

2010-01-02 10:19:11 ----A---- C:\ASWL2K.ini
2010-01-02 10:18:47 ----RD---- C:\Program Files
2010-01-02 09:54:45 ----D---- C:\WINDOWS\system32\drivers
2010-01-02 09:54:09 ----D---- C:\WINDOWS
2010-01-02 09:51:43 ----D---- C:\WINDOWS\system32\CatRoot2
2010-01-02 09:46:25 ----A---- C:\WINDOWS\system.ini
2010-01-02 09:45:30 ----D---- C:\Documents and Settings
2010-01-02 09:40:10 ----D---- C:\WINDOWS\system32
2010-01-02 09:40:10 ----D---- C:\WINDOWS\AppPatch
2010-01-02 09:39:59 ----D---- C:\Program Files\Common Files
2010-01-02 09:37:05 ----D---- C:\WINDOWS\Microsoft.NET
2010-01-02 09:33:26 ----RSHDC---- C:\WINDOWS\system32\dllcache
2010-01-02 09:32:43 ----A---- C:\WINDOWS\SchedLgU.Txt
2010-01-02 09:27:11 ----D---- C:\WINDOWS\system32\config
2010-01-02 08:45:44 ----D---- C:\Config.Msi
2010-01-02 08:35:08 ----D---- C:\MyWorks
2010-01-02 08:28:47 ----RSD---- C:\WINDOWS\assembly
2010-01-02 08:23:17 ----HD---- C:\WINDOWS\inf
2010-01-02 08:22:53 ----HD---- C:\WINDOWS\$hf_mig$
2010-01-02 08:22:39 ----SHD---- C:\WINDOWS\Installer
2010-01-02 08:21:59 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2010-01-02 08:21:23 ----D---- C:\WINDOWS\WinSxS
2010-01-02 08:15:46 ----A---- C:\WINDOWS\imsins.BAK
2010-01-02 08:15:35 ----D---- C:\WINDOWS\system32\CatRoot
2010-01-02 07:55:16 ----D---- C:\WINDOWS\Prefetch
2010-01-02 07:25:52 ----D---- C:\Program Files\Foxit Software
2010-01-01 20:44:14 ----SD---- C:\Documents and Settings\Eva\Data aplikací\Microsoft
2010-01-01 20:40:30 ----RSD---- C:\WINDOWS\Fonts
2010-01-01 20:16:43 ----D---- C:\WINDOWS\system32\mui
2010-01-01 20:02:56 ----D---- C:\Documents and Settings\Eva\Data aplikací\Zoner
2010-01-01 20:01:05 ----D---- C:\Program Files\Zoner
2010-01-01 19:57:31 ----HD---- C:\Program Files\InstallShield Installation Information
2010-01-01 17:06:04 ----RASH---- C:\boot.ini
2010-01-01 16:45:55 ----D---- C:\Program Files\ESET
2010-01-01 13:08:44 ----D---- C:\WINDOWS\system32\cs-cz
2010-01-01 13:04:20 ----D---- C:\WINDOWS\system32\spool
2009-12-29 15:48:33 ----D---- C:\Program Files\Mozilla Firefox
2009-12-29 15:40:26 ----D---- C:\Program Files\Ahead
2009-12-29 15:36:39 ----D---- C:\Program Files\VMPTH3
2009-12-29 15:35:34 ----D---- C:\Program Files\IDOS
2009-12-26 09:51:59 ----A---- C:\WINDOWS\cdplayer.ini
2009-12-24 22:14:14 ----D---- C:\Program Files\CyberLink
2009-12-24 22:00:15 ----D---- C:\Program Files\Windows Media Player
2009-12-24 22:00:10 ----D---- C:\WINDOWS\Help
2009-12-24 21:13:01 ----D---- C:\Documents and Settings\Eva\Data aplikací\CyberLink
2009-12-23 19:17:42 ----D---- C:\Program Files\Mv2Player
2009-12-23 19:11:55 ----D---- C:\Documents and Settings\Eva\Data aplikací\Audacity
2009-12-10 09:38:57 ----D---- C:\Program Files\Internet Explorer
2009-12-10 09:38:30 ----D---- C:\WINDOWS\ie8updates
2009-12-03 14:30:33 ----D---- C:\Documents and Settings\Eva\Data aplikací\Skype

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 Aavmker4;avast! Asynchronous Virus Monitor; C:\WINDOWS\system32\drivers\Aavmker4.sys [2009-11-25 27408]
R1 aswSP;avast! Self Protection; C:\WINDOWS\system32\drivers\aswSP.sys [2009-11-25 114768]
R1 aswTdi;avast! Network Shield Support; C:\WINDOWS\system32\drivers\aswTdi.sys [2009-11-25 48560]
R1 intelppm;Řadič procesoru Intel; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-14 40192]
R1 sp_rsdrv2;Spyware Terminator Driver 2; \??\C:\WINDOWS\system32\drivers\sp_rsdrv2.sys []
R1 WS2IFSL;Podpůrné prostředí zprostředkovatele služeb Windows Socket 2.0 bez podpory IFS; C:\WINDOWS\System32\drivers\ws2ifsl.sys [2001-10-25 12032]
R2 aswFsBlk;aswFsBlk; C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2009-11-25 20560]
R2 aswMon2;avast! Standard Shield Support; C:\WINDOWS\system32\drivers\aswMon2.sys [2009-11-25 94160]
R2 MDC8021X;AEGIS Protocol (IEEE 802.1x) v2.3.1.9; C:\WINDOWS\system32\DRIVERS\mdc8021x.sys [2005-12-27 15781]
R2 mdmxsdk;mdmxsdk; C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys [2005-02-16 13059]
R3 ASNDIS5;ASNDIS5 Protocol Driver; \??\C:\WINDOWS\system32\ASNDIS5.SYS []
R3 aswRdr;aswRdr; C:\WINDOWS\system32\drivers\aswRdr.sys [2009-11-25 23120]
R3 BCM43XX;ASUS 802.11 ovladač síťového adaptéru; C:\WINDOWS\system32\DRIVERS\bcmwl5.sys [2005-02-11 371712]
R3 CmBatt;Microsoft ACPI Control Method Battery Driver; C:\WINDOWS\system32\DRIVERS\CmBatt.sys [2008-04-13 13952]
R3 HDAudBus;Ovladač Microsoft UAA pro sběrnici High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2008-04-13 144384]
R3 hidusb;Ovladač třídy standardu HID; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
R3 HSF_DP;HSF_DP; C:\WINDOWS\system32\DRIVERS\HSF_DP.sys [2005-02-16 1036928]
R3 HSFHWAZL;HSFHWAZL; C:\WINDOWS\system32\DRIVERS\HSFHWAZL.sys [2005-02-16 163328]
R3 ialm;ialm; C:\WINDOWS\system32\DRIVERS\ialmnt5.sys [2005-07-19 1049180]
R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\WINDOWS\system32\drivers\RtkHDAud.sys [2005-08-18 3856896]
R3 MarvinBus;Pinnacle Marvin Bus; C:\WINDOWS\system32\DRIVERS\MarvinBus.sys [2005-09-23 171520]
R3 mouhid;Ovladač myši standardu HID; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-10-25 12160]
R3 MTsensor;ATK0100 ACPI UTILITY; C:\WINDOWS\system32\DRIVERS\ATKACPI.sys [2005-02-17 5632]
R3 pfc;Padus ASPI Shell; C:\WINDOWS\system32\drivers\pfc.sys [2003-09-19 21248]
R3 RTL8023xp;Realtek RTL8139/810x/8169/8110 all in one NDIS XP Driver; C:\WINDOWS\system32\DRIVERS\Rtlnicxp.sys [2005-02-16 70144]
R3 SynTP;Synaptics TouchPad Driver; C:\WINDOWS\system32\DRIVERS\SynTP.sys [2005-08-19 190912]
R3 usbehci;Ovladač miniportu rozšířeného radiče hostitele Microsoft USB 2.0; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;Rozbočovač umožnující USB2; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbuhci;Ovladač Microsoft univerzálního hostitelského řadiče USB od společnosti Microsoft; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-13 20608]
R3 winachsf;winachsf; C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys [2005-02-16 702592]
S3 Arp1394;Protokol 1394 ARP Client; C:\WINDOWS\system32\DRIVERS\arp1394.sys [2008-04-13 60800]
S3 aslm75;aslm75; \??\C:\WINDOWS\system32\drivers\aslm75.sys []
S3 catchme;catchme; \??\C:\ComboFix\catchme.sys []
S3 HdAudAddService;Ovladač funkcí Microsoft UAA pro služby sběrnice High Definition Audio; C:\WINDOWS\system32\drivers\HdAudio.sys [2005-01-07 145920]
S3 HPZid412;IEEE-1284.4 Driver HPZid412; C:\WINDOWS\system32\DRIVERS\HPZid412.sys [2004-12-14 51120]
S3 HPZipr12;Print Class Driver for IEEE-1284.4 HPZipr12; C:\WINDOWS\system32\DRIVERS\HPZipr12.sys [2004-12-14 16496]
S3 HPZius12;USB to IEEE-1284.4 Translation Driver HPZius12; C:\WINDOWS\system32\DRIVERS\HPZius12.sys [2004-12-14 21744]
S3 NIC1394;1394 Net Driver; C:\WINDOWS\system32\DRIVERS\nic1394.sys [2008-04-13 61824]
S3 rtl8139;Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver; C:\WINDOWS\system32\DRIVERS\RTL8139.SYS [2004-08-03 20992]
S3 sdbus;sdbus; C:\WINDOWS\system32\DRIVERS\sdbus.sys [2008-04-13 79232]
S3 usbccgp;Obecný nadřazený ovladač Microsoft USB; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-13 32128]
S3 usbprint;Třída USB Printer; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-13 25856]
S3 usbscan;Ovladač skeneru USB; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-13 15104]
S3 USBSTOR;Ovladač velkokapacitního paměťového zařízení USB; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
S4 sptd;sptd; C:\WINDOWS\System32\Drivers\sptd.sys [2010-01-01 691696]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 aswUpdSv;avast! iAVS4 Control Service; C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe [2009-11-25 18752]
R2 avast! Antivirus;avast! Antivirus; C:\Program Files\Alwil Software\Avast4\ashServ.exe [2009-11-25 138680]
R2 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; c:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2008-07-25 69632]
R2 LightScribeService;LightScribeService Direct Disc Labeling Service; C:\Program Files\Common Files\LightScribe\LSSrvc.exe [2005-06-20 53248]
R2 MDM;Machine Debug Manager; C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE [2003-06-19 322120]
R2 Pml Driver HPZ12;Pml Driver HPZ12; C:\WINDOWS\system32\HPZipm12.exe [2004-09-29 69632]
R2 sp_rssrv;Spyware Terminator Realtime Shield Service; C:\Program Files\Spyware Terminator\sp_rsser.exe [2010-01-01 488960]
R2 UMWdf;Windows User Mode Driver Framework; C:\WINDOWS\system32\wdfmgr.exe [2005-01-28 38912]
R3 avast! Mail Scanner;avast! Mail Scanner; C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe [2009-11-25 254040]
R3 avast! Web Scanner;avast! Web Scanner; C:\Program Files\Alwil Software\Avast4\ashWebSv.exe [2009-11-25 352920]
S3 aspnet_state;Stavová služba ASP.NET; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2008-07-25 34312]
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe [2008-07-29 46104]
S3 idsvc;Windows CardSpace; c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2008-07-29 881664]
S3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe []
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S4 ASWLSVC;ASWLSVC; C:\WINDOWS\system32\ASWLSVC.exe [2004-05-06 496640]
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2008-07-29 132096]

-----------------EOF-----------------

motji
VIP
Posts: 23301
Registered: 23 Oct 2008 08:02
Location: Haná

Re: ComboFix found a rootkit

#2 Post by motji »

Good morning :)

I see ComboFix has already been run for the third time. I don't see a rootkit anywhere in this log; did it still report one? If so, post the previous logs here, i.e. combofix1.txt and combofix.txt.

And read the warning in my signature :)

Do you use Daemon or Alcohol or some similar virtual drive?
Do not use COMBOFIX without a helper's recommendation; it can damage the system!
Always back up important data before disinfecting the computer :!:
Want to support our forum? Information here

I'm mostly reachable at night, between 21:00 and 23:00
If you have any questions, you can write to me at Motji(at)forum.viry.cz.

kubikma
Visitor
Posts: 10
Registered: 02 Jan 2010 10:22

Re: ComboFix found a rootkit

#3 Post by kubikma »

Hello, yes, it was run several times, but only to check whether it would report the rootkit again, and every time it starts it says it has to reboot because of the rootkit. Unfortunately there are no other logs on C:, only the one I posted. Daemon is installed; ComboFix also had some problems because of it.

kubikma
Visitor
Posts: 10
Registered: 02 Jan 2010 10:22

Re: ComboFix found a rootkit

#4 Post by kubikma »

I'll add that this PC is not mine and my sister-in-law had a problem with files of several GB being created on C:, supposedly some video and then photos she didn't recognise at all; unfortunately she deleted all of it and I don't know the details.

motji
VIP
Posts: 23301
Registered: 23 Oct 2008 08:02
Location: Haná

Re: ComboFix found a rootkit

#5 Post by motji »

And doesn't it say where it found it?

:arrow: uninstall all virtual drives (Daemon or Alcohol)

:arrow: Download SPTD http://www.duplexsecure.com/en/downloads
- choose the version for your operating system: SPTD for Windows (32 bit) or (64 bit)
- save it to the desktop and run it
- choose the Uninstall option
- restart the PC
- run GMER


:arrow: Download GMER http://www.viry.cz/forum/viewtopic.php?f=29&t=62878
- unpack and run it
- a scan will run; when it finishes a window with results opens, click Save to save the log, which you then post here

- Following the guide in the link, run the second scan and post that log here too.

:arrow: download MBR
http://www2.gmer.net/mbr/mbr.exe
- save it to the desktop


:arrow: Start - Run
copy into the box

Code:

"%userprofile%\plocha\mbr" -t
OK

:arrow: a log named mbr.log will be created; post it here


Did you mean that some unknown videos were being created on her disk? Doesn't she have torrents?

kubikma
Visitor
Posts: 10
Registered: 02 Jan 2010 10:22

Re: ComboFix found a rootkit

#6 Post by kubikma »

I found out that the video was saved to c:you like heaven, I just don't know whether it was "you" or "just". Several videos were created in that folder; of those he opened, one was a film in English and then some advertising spots or something. The photos appeared in Documents in the Pictures folder. When SPTD was run, no Uninstall option was shown, only Install, but I know for sure I installed it.
Here is the log output:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit quick scan 2010-01-02 11:35:50
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\Eva\LOCALS~1\Temp\fwlyrfow.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

---- EOF - GMER 1.0.15 ----



GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-01-02 13:47:20
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\Eva\LOCALS~1\Temp\fwlyrfow.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xAA7146B8]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xAA714574]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xAA714A52]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xAA71414C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xAA71464E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xAA71408C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xAA7140F0]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xAA71476E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xAA71472E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xAA7148AE]

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS\system32\services.exe[752] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 003D0002
IAT C:\WINDOWS\system32\services.exe[752] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 003D0000

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xCD 0xAF 0x11 0x82 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xAD 0xE6 0xAD 0xE0 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x30 0x3F 0xEE 0x7F ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xCD 0xAF 0x11 0x82 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xAD 0xE6 0xAD 0xE0 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x30 0x3F 0xEE 0x7F ...
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDlls@C:\Documents and Settings\All Users\Dokumenty\Pinnacle\Content\MotionTitles\-Looks\Standard\01 \x2013 Soft Shadow Looks.ixLook 1
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@cd042efbbd7f7af1647644e76e06692b 0x2E 0xE8 0xE1 0x00 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@bca643cdc5c2726b20d2ecedcc62c59b 0x71 0x3B 0x04 0x66 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@2c81e34222e8052573023a60d06dd016 0x25 0xDA 0xEC 0x7E ...
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@2582ae41fb52324423be06337561aa48 0x86 0x8C 0x21 0x01 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@caaeda5fd7a9ed7697d9686d4b818472 0xCD 0x44 0xCD 0xB9 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@a4a1bcf2cc2b8bc3716b74b2b4522f5d 0xDF 0x20 0x58 0x62 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@4d370831d2c43cd13623e232fed27b7b 0xFB 0xA7 0x78 0xE6 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@1d68fe701cdea33e477eb204b76f993d 0x01 0x3A 0x48 0xFC ...
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@1fac81b91d8e3c5aa4b0a51804d844a3 0xF6 0x0F 0x4E 0x58 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@f5f62a6129303efb32fbe080bb27835b 0x37 0xA4 0xAA 0xC3 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@fd4e2e1a3940b94dceb5a6a021f2e3c6 0xF8 0x31 0x0F 0xA9 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@8a8aec57dd6508a385616fbc86791ec2 0xFA 0xEA 0x66 0x7F ...

---- EOF - GMER 1.0.15 ----



Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
kernel: MBR read successfully
user & kernel MBR OK
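As an added example for reading the GMER logs posted above (this is not code from the thread, from GMER, or from viry.cz), the script below parses the SSDT, IAT and AttachedDevice lines of a GMER log into records and flags the hooks an analyst should look at first: kernel hooks that GMER attributed to no vendor or to a vendor outside a trusted allowlist, and user-mode IAT hooks whose target is a bare address rather than a named module. The `TRUSTED_VENDORS` allowlist is an assumption for the demo, and the embedded sample log is constructed: its avast! lines mirror the real entries above, while the `xyz.sys` line is an invented, unattributed hook added so the flagging path is exercised.

```python
"""Triage helper for GMER rootkit-scan logs.

Added example for the thread above, not GMER's code and not a viry.cz tool.
It parses the SSDT, IAT and AttachedDevice lines of a GMER log into records
and flags every hook whose owner the analyst has not already vouched for.
The vendor allowlist and the sample log are constructed for the demo.
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional

# Assumed allowlist: vendors whose hooks are expected on this machine. Both
# appear in the log posted in the thread (avast! and the Synaptics touchpad).
TRUSTED_VENDORS = {"ALWIL Software", "Synaptics, Inc."}

SECTION_RE = re.compile(r"^---- (?P<name>.+?) - GMER ")
SSDT_RE = re.compile(
    r"^SSDT\s+(?P<module>\S+)(?:\s+\((?P<desc>[^)]*)\))?"
    r"\s+(?P<func>Zw\w+)\s+\[(?P<addr>0x[0-9A-Fa-f]+)\]"
)
IAT_RE = re.compile(
    r"^IAT\s+(?P<process>.+?)\[(?P<pid>\d+)\]\s+@\s+(?P<image>.+?)"
    r"\s+\[(?P<import>[^\]]+)\]\s+(?P<target>\S+)$"
)
DEVICE_RE = re.compile(
    r"^AttachedDevice\s+(?P<driver>\S+)\s+(?P<device>\S+)\s+(?P<module>\S+)"
    r"(?:\s+\((?P<desc>[^)]*)\))?"
)

# Constructed sample in the shape of the posted log. The aswSP/aswMon2 lines
# mirror real entries; the xyz.sys line is an invented, unattributed hook.
SAMPLE_LOG = r"""
---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xAA7146B8]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xAA71408C]
SSDT \SystemRoot\System32\Drivers\xyz.sys ZwQueryDirectoryFile [0xF7A1B2C3]

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS\system32\services.exe[752] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 003D0000

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)

---- EOF - GMER 1.0.15 ----
"""


def vendor_of(desc: Optional[str]) -> Optional[str]:
    """GMER writes the description as '<product>/<vendor>'; return the vendor."""
    if not desc or "/" not in desc:
        return None
    return desc.rsplit("/", 1)[1].strip()


def parse_gmer(text: str) -> Dict[str, List[dict]]:
    """Group SSDT, IAT and AttachedDevice records by the GMER section they are in."""
    records: Dict[str, List[dict]] = defaultdict(list)
    section = "unknown"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        head = SECTION_RE.match(line)
        if head:
            section = head.group("name")
            continue
        for kind, rx in (("SSDT", SSDT_RE), ("IAT", IAT_RE), ("AttachedDevice", DEVICE_RE)):
            m = rx.match(line)
            if m:
                rec = {"kind": kind, **m.groupdict()}
                rec["vendor"] = vendor_of(rec.get("desc"))
                records[section].append(rec)
                break
    return dict(records)


def suspicious_hooks(records: Dict[str, List[dict]]) -> List[dict]:
    """Hooks to review first.

    SSDT and filter-driver entries are flagged when GMER attributed them to no
    vendor or to a vendor outside the allowlist. User-mode IAT entries are
    flagged when the target is a bare address: GMER names the module when it
    can map the target to a loaded image, so a bare address means the hook
    points at code not backed by an identifiable file.
    """
    flagged = []
    for recs in records.values():
        for r in recs:
            if r["kind"] in ("SSDT", "AttachedDevice") and r["vendor"] not in TRUSTED_VENDORS:
                flagged.append(r)
            elif r["kind"] == "IAT" and re.fullmatch(r"[0-9A-Fa-f]{8}", r["target"]):
                flagged.append(r)
    return flagged


def describe(r: dict) -> str:
    """One-line summary of a flagged record for the analyst."""
    if r["kind"] == "IAT":
        return f"IAT {r['process']} pid {r['pid']}: {r['import']} -> {r['target']}"
    what = r.get("func") or r.get("device")
    return f"{r['kind']} {r['module']} ({r['vendor'] or 'no vendor'}): {what}"


if __name__ == "__main__":
    parsed = parse_gmer(SAMPLE_LOG)
    for name, recs in parsed.items():
        print(f"[{name}] {len(recs)} record(s)")
    for rec in suspicious_hooks(parsed):
        print("REVIEW:", describe(rec))
```

Run against the full log posted above, every SSDT entry resolves to aswSP.SYS with vendor ALWIL Software, so nothing in the kernel section is flagged; the two IAT entries in services.exe point at bare addresses and are the lines a helper would want identified before declaring the machine clean.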

motji
VIP
Posts: 23301
Registered: 23 Oct 2008 08:02
Location: Haná

Re: ComboFix found a rootkit

#7 Post by motji »

Doesn't she use torrents? Couldn't someone from the family have downloaded and saved it? After all, a film doesn't download in 5 minutes.

kubikma
Visitor
Posts: 10
Registered: 02 Jan 2010 10:22

Re: ComboFix found a rootkit

#8 Post by kubikma »

They don't use any torrents; the only thing was that they downloaded 1 file from ulozto, but definitely not films and not into a folder like that, and they didn't have any other download program either. It's possible someone broke in; otherwise I'm out of ideas. Torrents can be downloaded through Opera, but they would have had to create the folder and certainly wouldn't have named it in English, and in the end they don't even know what torrents are. Who knows how long it was downloading. I think they only noticed when the disk was full and then started looking into what was going on :D

motji
VIP
Posts: 23301
Registered: 23 Oct 2008 08:02
Location: Haná

Re: ComboFix found a rootkit

#9 Post by motji »

Interesting, but I don't see anything anywhere, unless it was some hacker :hmm:
Couldn't the children have downloaded it?

:arrow: Uninstall ComboFix via
Start >> Run, copy into the box:

ComboFix /Uninstall

press Enter
- That uninstalls ComboFix and deletes the files and folders related to it.



:arrow: Download T-Cleaner
http://sweb.cz/Marinus/T-Cleaner.exe

- Run it; to confirm the choice press the A key, then Enter
- delete the little program after use. Note: antiviruses may falsely flag it as a virus


:arrow: Download TFC and use it
TFC (http://oldtimer.geekstogo.com/TFC.exe)


:arrow: Download CCleaner, see my signature
- install it and clean temporary files, and the registry too

:arrow: Post a new log from RSIT and tell me how the computer is behaving; is everything OK now?


:arrow: Download MBAM from my signature
- Install it, run a full scan

DO NOT DELETE ANYTHING :!:
- MBAM sometimes has false detections, so we will delete only after checking the log.
- Copy the log here.

kubikma
Visitor
Posts: 10
Registered: 02 Jan 2010 10:22

Re: ComboFix found a rootkit

#10 Post by kubikma »

Their child is 9 months old, but who knows whether it secretly goes on the PC at this age already :D My other sister-in-law's youngster used to set his alarm clock for 1 a.m., so who knows about this one :D. Now seriously, I'll try what you write and then I won't bother you any more; we'll wait and see what it does. Nothing downloaded for me personally, but it's true that I'm on a different IP and a different internet provider. If nothing sent him the new IP, the attacks should stop, if I'm not mistaken.

motji
VIP
Posts: 23301
Registered: 23 Oct 2008 08:02
Location: Haná

Re: ComboFix found a rootkit

#11 Post by motji »

Well, I don't know how old their children are :D .
I'll still look at the RSIT log. So far I haven't seen a firewall anywhere; it would be good to install one :!: and configure it properly.

kubikma
Visitor
Posts: 10
Registered: 02 Jan 2010 10:22

Re: ComboFix found a rootkit

#12 Post by kubikma »

Of course you can't know that, I just wanted to lighten things up a bit. Here is log 1.

Logfile of random's system information tool 1.06 (written by random/random)
Run by Eva at 2010-01-02 23:24:26
Systém Microsoft Windows XP Professional Service Pack 3
System drive C: has 28 GB (48%) free of 57 GB
Total RAM: 495 MB (25% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:24:40, on 2.1.2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Eva\Local Settings\Temporary Internet Files\Content.IE5\73X9V37F\RSIT[1].exe
C:\Program Files\trend micro\Eva.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.seznam.cz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=192.168.63.26:3128
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
R3 - URLSearchHook: OLE (Part 1 of 5) - - (no file)
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Control Center] C:\Program Files\ASUS\WLAN Card Utilities\Center.exe
O4 - HKLM\..\Run: [USBToolTip] C:\PROGRA~1\Pinnacle\SHARED~1\Programs\USBTip\USBTip.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: AutorunsDisabled
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Program Files\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: E&xportovat do aplikace Microsoft Office Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Zdroje informací - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe (file missing)
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6.5\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6.5\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftup ... 5685194721
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 5685186659
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe

--
End of file - 5305 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\HPpromotions journeysoftware.job

======Registry dump======

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"=C:\WINDOWS\system32\igfxtray.exe [2005-07-19 94208]
"igfxhkcmd"=C:\WINDOWS\system32\hkcmd.exe [2005-07-19 77824]
"igfxpers"=C:\WINDOWS\system32\igfxpers.exe [2005-07-19 114688]
"SynTPEnh"=C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2005-08-19 737369]
"avast!"=C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe [2009-11-25 81000]
"Control Center"=C:\Program Files\ASUS\WLAN Card Utilities\Center.exe [2005-06-15 1623040]
"USBToolTip"=C:\PROGRA~1\Pinnacle\SHARED~1\Programs\USBTip\USBTip.exe [2007-02-20 199752]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Control Center]
C:\Program Files\ASUS\WLAN Card Utilities\Center.exe [2005-06-15 1623040]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Wireless Console 2]
C:\Program Files\ASUS\Wireless Console 2\wcourier.exe [2005-08-23 987136]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ASWLSVC"=2

C:\Documents and Settings\All Users\Nabídka Start\Programy\Po spuštění
AutorunsDisabled

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\WINDOWS\system32\igfxdev.dll [2005-07-19 135168]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2009-03-10 265096]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
UPnPMonitor - {e57ce738-33e8-4c51-8354-bb4de9d215d1} - C:\WINDOWS\system32\upnpui.dll [2008-04-14 239616]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=323
"NoDriveAutoRun"=67108863
"NoDrives"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=
"NoDriveAutoRun"=
"NoDriveTypeAutoRun"=
"NoDrives"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\ICQ6.5\ICQ.exe"="C:\Program Files\ICQ6.5\ICQ.exe:*:Enabled:ICQ6"
"C:\Program Files\Opera\opera.exe"="C:\Program Files\Opera\opera.exe:*:Enabled:Opera Internet Browser"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Skype\Phone\Skype.exe"="C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype"
"C:\Program Files\Spyware Terminator\SpywareTerminatorUpdate.exe"="C:\Program Files\Spyware Terminator\SpywareTerminatorUpdate.exe:*:Enabled:Crawler Spyware Terminator"
"C:\Program Files\Pinnacle\Studio 14\Programs\RM.exe"="C:\Program Files\Pinnacle\Studio 14\Programs\RM.exe:*:Enabled:Render Manager"
"C:\Program Files\Pinnacle\Studio 14\Programs\Studio.exe"="C:\Program Files\Pinnacle\Studio 14\Programs\Studio.exe:*:Enabled:Studio"
"C:\Program Files\Pinnacle\Studio 14\Programs\umi.exe"="C:\Program Files\Pinnacle\Studio 14\Programs\umi.exe:*:Enabled:umi"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

======List of files/folders created in the last 1 months======

2010-01-02 23:24:26 ----D---- C:\rsit
2010-01-02 23:21:03 ----D---- C:\Program Files\CCleaner
2010-01-02 23:18:20 ----SHD---- C:\RECYCLER
2010-01-02 10:18:47 ----D---- C:\Program Files\trend micro
2010-01-02 09:54:09 ----D---- C:\WINDOWS\temp
2010-01-02 08:23:02 ----HDC---- C:\WINDOWS\$NtUninstallKB955759$
2010-01-02 08:14:50 ----HDC---- C:\WINDOWS\$NtUninstallKB961118$
2010-01-01 20:58:25 ----D---- C:\Program Files\LooksBuilderSE
2010-01-01 20:43:58 ----DC---- C:\WINDOWS\system32\DRVSTORE
2010-01-01 20:43:47 ----D---- C:\Program Files\Common Files\Pinnacle
2010-01-01 20:42:39 ----D---- C:\Documents and Settings\All Users\Data aplikací\Pinnacle Studio Ultimate Collection
2010-01-01 20:33:40 ----D---- C:\Program Files\Common Files\Pegasus Imaging
2010-01-01 20:33:37 ----D---- C:\Program Files\Common Files\Yahoo!
2010-01-01 20:33:37 ----D---- C:\Documents and Settings\All Users\Data aplikací\Studio 14
2010-01-01 20:33:37 ----D---- C:\Documents and Settings\All Users\Data aplikací\Pinnacle Studio Plus
2010-01-01 20:16:07 ----HDC---- C:\WINDOWS\$NtUninstallKB942288-v3$
2010-01-01 17:56:50 ----D---- C:\Documents and Settings\Eva\Data aplikací\Spyware Terminator
2010-01-01 17:56:30 ----D---- C:\Documents and Settings\All Users\Data aplikací\Spyware Terminator
2010-01-01 17:56:24 ----D---- C:\Program Files\Spyware Terminator
2010-01-01 17:06:04 ----A---- C:\Boot.bak
2010-01-01 17:05:51 ----RASHD---- C:\cmdcons
2010-01-01 16:55:34 ----D---- C:\Program Files\DAEMON Tools Lite
2010-01-01 16:54:57 ----D---- C:\Documents and Settings\Eva\Data aplikací\DAEMON Tools Lite
2010-01-01 16:54:52 ----D---- C:\Documents and Settings\All Users\Data aplikací\DAEMON Tools Lite
2010-01-01 13:09:18 ----N---- C:\WINDOWS\system32\spmsg2.dll
2010-01-01 13:09:08 ----HDC---- C:\WINDOWS\$NtUninstallXPSEPSCLP$
2010-01-01 13:05:26 ----D---- C:\WINDOWS\system32\XPSViewer
2010-01-01 13:05:20 ----D---- C:\Program Files\MSBuild
2010-01-01 13:05:18 ----D---- C:\WINDOWS\system32\en-US
2010-01-01 13:05:07 ----D---- C:\Program Files\Reference Assemblies
2010-01-01 13:03:19 ----N---- C:\WINDOWS\system32\xpssvcs.dll
2010-01-01 13:03:19 ----N---- C:\WINDOWS\system32\xpsshhdr.dll
2010-01-01 13:03:19 ----N---- C:\WINDOWS\system32\prntvpt.dll
2009-12-27 07:42:15 ----A---- C:\WINDOWS\unvise32.exe
2009-12-27 07:40:04 ----A---- C:\WINDOWS\system32\MSVCI70.DLL
2009-12-27 07:40:02 ----A---- C:\WINDOWS\system32\ATL70.DLL
2009-12-27 07:37:18 ----D---- C:\Documents and Settings\All Users\Data aplikací\Pinnacle
2009-12-27 07:37:13 ----D---- C:\Program Files\Pinnacle
2009-12-26 18:38:33 ----D---- C:\Documents and Settings\Eva\Data aplikací\Ashampoo
2009-12-26 18:30:44 ----D---- C:\Documents and Settings\All Users\Data aplikací\ashampoo
2009-12-26 18:29:49 ----D---- C:\Documents and Settings\All Users\Data aplikací\page
2009-12-26 18:29:47 ----D---- C:\Program Files\Ashampoo
2009-12-24 21:17:16 ----D---- C:\Documents and Settings\All Users\Data aplikací\CyberLink
2009-12-24 21:07:37 ----D---- C:\Documents and Settings\All Users\Data aplikací\Temp
2009-12-10 09:46:47 ----HDC---- C:\WINDOWS\$NtUninstallKB970430$
2009-12-10 09:44:11 ----HDC---- C:\WINDOWS\$NtUninstallKB974318$
2009-12-10 09:38:07 ----HDC---- C:\WINDOWS\$NtUninstallKB973904$
2009-12-10 09:37:56 ----HDC---- C:\WINDOWS\$NtUninstallKB974392$
2009-12-10 09:37:34 ----HDC---- C:\WINDOWS\$NtUninstallKB971737$

======List of files/folders modified in the last 1 months======

2010-01-02 23:24:37 ----D---- C:\WINDOWS\Prefetch
2010-01-02 23:21:31 ----D---- C:\WINDOWS\Debug
2010-01-02 23:21:31 ----D---- C:\WINDOWS
2010-01-02 23:21:03 ----RD---- C:\Program Files
2010-01-02 23:18:19 ----D---- C:\WINDOWS\system32
2010-01-02 23:15:27 ----A---- C:\ASWL2K.ini
2010-01-02 23:12:29 ----SHD---- C:\System Volume Information
2010-01-02 23:12:29 ----D---- C:\WINDOWS\system32\Restore
2010-01-02 22:30:13 ----N---- C:\WINDOWS\SchedLgU.Txt
2010-01-02 22:30:02 ----D---- C:\WINDOWS\system32\CatRoot2
2010-01-02 11:24:17 ----SHD---- C:\WINDOWS\Installer
2010-01-02 11:24:07 ----D---- C:\Config.Msi
2010-01-02 11:24:05 ----HD---- C:\WINDOWS\inf
2010-01-02 11:24:05 ----D---- C:\WINDOWS\system32\drivers
2010-01-02 11:15:28 ----D---- C:\WINDOWS\Microsoft.NET
2010-01-02 11:15:23 ----RSD---- C:\WINDOWS\assembly
2010-01-02 09:46:25 ----A---- C:\WINDOWS\system.ini
2010-01-02 09:45:30 ----D---- C:\Documents and Settings
2010-01-02 09:40:10 ----D---- C:\WINDOWS\AppPatch
2010-01-02 09:39:59 ----D---- C:\Program Files\Common Files
2010-01-02 09:33:26 ----RSHDC---- C:\WINDOWS\system32\dllcache
2010-01-02 09:27:11 ----D---- C:\WINDOWS\system32\config
2010-01-02 08:35:08 ----D---- C:\MyWorks
2010-01-02 08:22:53 ----HD---- C:\WINDOWS\$hf_mig$
2010-01-02 08:21:59 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2010-01-02 08:21:23 ----D---- C:\WINDOWS\WinSxS
2010-01-02 08:15:35 ----D---- C:\WINDOWS\system32\CatRoot
2010-01-02 07:25:52 ----D---- C:\Program Files\Foxit Software
2010-01-01 20:44:14 ----SD---- C:\Documents and Settings\Eva\Data aplikací\Microsoft
2010-01-01 20:40:30 ----RSD---- C:\WINDOWS\Fonts
2010-01-01 20:16:43 ----D---- C:\WINDOWS\system32\mui
2010-01-01 20:02:56 ----D---- C:\Documents and Settings\Eva\Data aplikací\Zoner
2010-01-01 20:01:05 ----D---- C:\Program Files\Zoner
2010-01-01 19:57:31 ----HD---- C:\Program Files\InstallShield Installation Information
2010-01-01 17:06:04 ----RASH---- C:\boot.ini
2010-01-01 16:45:55 ----D---- C:\Program Files\ESET
2010-01-01 13:08:44 ----D---- C:\WINDOWS\system32\cs-cz
2010-01-01 13:04:20 ----D---- C:\WINDOWS\system32\spool
2009-12-29 15:48:33 ----D---- C:\Program Files\Mozilla Firefox
2009-12-29 15:40:26 ----D---- C:\Program Files\Ahead
2009-12-29 15:36:39 ----D---- C:\Program Files\VMPTH3
2009-12-29 15:35:34 ----D---- C:\Program Files\IDOS
2009-12-26 09:51:59 ----A---- C:\WINDOWS\cdplayer.ini
2009-12-24 22:14:14 ----D---- C:\Program Files\CyberLink
2009-12-24 22:00:15 ----D---- C:\Program Files\Windows Media Player
2009-12-24 22:00:10 ----D---- C:\WINDOWS\Help
2009-12-24 21:13:01 ----D---- C:\Documents and Settings\Eva\Data aplikací\CyberLink
2009-12-23 19:17:42 ----D---- C:\Program Files\Mv2Player
2009-12-23 19:11:55 ----D---- C:\Documents and Settings\Eva\Data aplikací\Audacity
2009-12-10 09:38:57 ----D---- C:\Program Files\Internet Explorer
2009-12-10 09:38:30 ----D---- C:\WINDOWS\ie8updates
2009-12-03 14:30:33 ----D---- C:\Documents and Settings\Eva\Data aplikací\Skype

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 Aavmker4;avast! Asynchronous Virus Monitor; C:\WINDOWS\system32\drivers\Aavmker4.sys [2009-11-25 27408]
R1 aswSP;avast! Self Protection; C:\WINDOWS\system32\drivers\aswSP.sys [2009-11-25 114768]
R1 aswTdi;avast! Network Shield Support; C:\WINDOWS\system32\drivers\aswTdi.sys [2009-11-25 48560]
R1 intelppm;Řadič procesoru Intel; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-14 40192]
R1 sp_rsdrv2;Spyware Terminator Driver 2; \??\C:\WINDOWS\system32\drivers\sp_rsdrv2.sys []
R1 WS2IFSL;Podpůrné prostředí zprostředkovatele služeb Windows Socket 2.0 bez podpory IFS; C:\WINDOWS\System32\drivers\ws2ifsl.sys [2001-10-25 12032]
R2 aswFsBlk;aswFsBlk; C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2009-11-25 20560]
R2 aswMon2;avast! Standard Shield Support; C:\WINDOWS\system32\drivers\aswMon2.sys [2009-11-25 94160]
R2 MDC8021X;AEGIS Protocol (IEEE 802.1x) v2.3.1.9; C:\WINDOWS\system32\DRIVERS\mdc8021x.sys [2005-12-27 15781]
R2 mdmxsdk;mdmxsdk; C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys [2005-02-16 13059]
R3 ASNDIS5;ASNDIS5 Protocol Driver; \??\C:\WINDOWS\system32\ASNDIS5.SYS []
R3 aswRdr;aswRdr; C:\WINDOWS\system32\drivers\aswRdr.sys [2009-11-25 23120]
R3 BCM43XX;ASUS 802.11 ovladač síťového adaptéru; C:\WINDOWS\system32\DRIVERS\bcmwl5.sys [2005-02-11 371712]
R3 CmBatt;Microsoft ACPI Control Method Battery Driver; C:\WINDOWS\system32\DRIVERS\CmBatt.sys [2008-04-13 13952]
R3 HDAudBus;Ovladač Microsoft UAA pro sběrnici High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2008-04-13 144384]
R3 hidusb;Ovladač třídy standardu HID; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
R3 HSF_DP;HSF_DP; C:\WINDOWS\system32\DRIVERS\HSF_DP.sys [2005-02-16 1036928]
R3 HSFHWAZL;HSFHWAZL; C:\WINDOWS\system32\DRIVERS\HSFHWAZL.sys [2005-02-16 163328]
R3 ialm;ialm; C:\WINDOWS\system32\DRIVERS\ialmnt5.sys [2005-07-19 1049180]
R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\WINDOWS\system32\drivers\RtkHDAud.sys [2005-08-18 3856896]
R3 MarvinBus;Pinnacle Marvin Bus; C:\WINDOWS\system32\DRIVERS\MarvinBus.sys [2005-09-23 171520]
R3 mouhid;Ovladač myši standardu HID; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-10-25 12160]
R3 MTsensor;ATK0100 ACPI UTILITY; C:\WINDOWS\system32\DRIVERS\ATKACPI.sys [2005-02-17 5632]
R3 pfc;Padus ASPI Shell; C:\WINDOWS\system32\drivers\pfc.sys [2003-09-19 21248]
R3 RTL8023xp;Realtek RTL8139/810x/8169/8110 all in one NDIS XP Driver; C:\WINDOWS\system32\DRIVERS\Rtlnicxp.sys [2005-02-16 70144]
R3 SynTP;Synaptics TouchPad Driver; C:\WINDOWS\system32\DRIVERS\SynTP.sys [2005-08-19 190912]
R3 usbehci;Ovladač miniportu rozšířeného radiče hostitele Microsoft USB 2.0; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;Rozbočovač umožnující USB2; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbuhci;Ovladač Microsoft univerzálního hostitelského řadiče USB od společnosti Microsoft; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-13 20608]
R3 winachsf;winachsf; C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys [2005-02-16 702592]
S3 Arp1394;Protokol 1394 ARP Client; C:\WINDOWS\system32\DRIVERS\arp1394.sys [2008-04-13 60800]
S3 aslm75;aslm75; \??\C:\WINDOWS\system32\drivers\aslm75.sys []
S3 HdAudAddService;Ovladač funkcí Microsoft UAA pro služby sběrnice High Definition Audio; C:\WINDOWS\system32\drivers\HdAudio.sys [2005-01-07 145920]
S3 HPZid412;IEEE-1284.4 Driver HPZid412; C:\WINDOWS\system32\DRIVERS\HPZid412.sys [2004-12-14 51120]
S3 HPZipr12;Print Class Driver for IEEE-1284.4 HPZipr12; C:\WINDOWS\system32\DRIVERS\HPZipr12.sys [2004-12-14 16496]
S3 HPZius12;USB to IEEE-1284.4 Translation Driver HPZius12; C:\WINDOWS\system32\DRIVERS\HPZius12.sys [2004-12-14 21744]
S3 NIC1394;1394 Net Driver; C:\WINDOWS\system32\DRIVERS\nic1394.sys [2008-04-13 61824]
S3 rtl8139;Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver; C:\WINDOWS\system32\DRIVERS\RTL8139.SYS [2004-08-03 20992]
S3 sdbus;sdbus; C:\WINDOWS\system32\DRIVERS\sdbus.sys [2008-04-13 79232]
S3 usbccgp;Obecný nadřazený ovladač Microsoft USB; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-13 32128]
S3 usbprint;Třída USB Printer; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-13 25856]
S3 usbscan;Ovladač skeneru USB; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-13 15104]
S3 USBSTOR;Ovladač velkokapacitního paměťového zařízení USB; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
S4 sptd;sptd; C:\WINDOWS\System32\Drivers\sptd.sys [2010-01-01 691696]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 aswUpdSv;avast! iAVS4 Control Service; C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe [2009-11-25 18752]
R2 avast! Antivirus;avast! Antivirus; C:\Program Files\Alwil Software\Avast4\ashServ.exe [2009-11-25 138680]
R2 MDM;Machine Debug Manager; C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE [2003-06-19 322120]
R2 UMWdf;Windows User Mode Driver Framework; C:\WINDOWS\system32\wdfmgr.exe [2005-01-28 38912]
R3 avast! Mail Scanner;avast! Mail Scanner; C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe [2009-11-25 254040]
R3 avast! Web Scanner;avast! Web Scanner; C:\Program Files\Alwil Software\Avast4\ashWebSv.exe [2009-11-25 352920]
S2 LightScribeService;LightScribeService Direct Disc Labeling Service; C:\Program Files\Common Files\LightScribe\LSSrvc.exe [2005-06-20 53248]
S2 Pml Driver HPZ12;Pml Driver HPZ12; C:\WINDOWS\system32\HPZipm12.exe [2004-09-29 69632]
S2 sp_rssrv;Spyware Terminator Realtime Shield Service; C:\Program Files\Spyware Terminator\sp_rsser.exe [2010-01-01 488960]
S3 aspnet_state;Stavová služba ASP.NET; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2008-07-25 34312]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; c:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2008-07-25 69632]
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe [2008-07-29 46104]
S3 idsvc;Windows CardSpace; c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2008-07-29 881664]
S3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe []
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S4 ASWLSVC;ASWLSVC; C:\WINDOWS\system32\ASWLSVC.exe [2004-05-06 496640]
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2008-07-29 132096]

-----------------EOF-----------------

motji
VIP
Posts: 23301
Registered: 23 Oct 2008 08:02
Location: Haná

Re: ComboFix found a rootkit

#13 Post by motji »

Though what do we know :D

:arrow: do you recognise this proxy server?
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=192.168.63.26:3128

:arrow: RSIT must be downloaded onto the PC

:arrow: run the renamed HJT C:\Program Files\trend micro\Eva.exe

-Click on "Do a system scan only"
-at the line
R3 - URLSearchHook: OLE (Part 1 of 5) - - (no file)

tick the checkbox and press Fix checked
-restart the PC

:arrow: do you recognise this
C:\Documents and Settings\All Users\Nabídka Start\Programy\Po spuštění
AutorunsDisabled


:arrow: install a firewall; setup guides can be found here
http://www.viry.cz/forum/viewforum.php?f=41
Among the simplest is ZoneAlarm, but it is in English.
Do not use COMBOFIX without an adviser's recommendation; it can damage the system!
Always back up your important data before disinfecting the computer :!:
Want to support our forum? Information here

I am mostly reachable at night, between 21:00 and 23:00.
If you have any questions, you can write to me at Motji(at)forum.viry.cz.
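The adviser above asks the poster to look at two things in his logs: the ProxyServer value HJT reports and the entries in RSIT's driver/service lists. As an added example (not code from this thread, and not part of RSIT or HijackThis), the following Python script parses lines in those two formats and lists items for manual review: a ProxyServer host that is neither loopback nor on an allowlist you pass in, and driver/service entries whose trailing [date size] field is empty. That an empty field means RSIT could not read the file's metadata is this example's assumption, not something the thread states, and a finding is only a prompt to look, not a verdict. The sample lines are copied from the logs posted above.

```python
"""Triage of RSIT driver/service lines and HijackThis R1 proxy lines.

Added example, not code from the thread above nor from RSIT or HijackThis.
It surfaces the two things the adviser asked the poster to check: a
ProxyServer value pointing at a host that is neither loopback nor on an
allowlist, and driver/service entries whose trailing [date size] field is
empty (assumed to mean RSIT could not read the file's metadata).
Findings are items for manual review, not verdicts.
"""
import re
from dataclasses import dataclass
from ipaddress import ip_address

# RSIT entry: "<R|S><start type> <name>;<description>; <path> [<date> <size>]"
_RSIT_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>[0-4]) (?P<name>[^;]+);(?P<desc>[^;]*); "
    r"(?P<path>.+?) \[(?P<meta>[^\]]*)\]$"
)
# HJT entry: "R1 - HKCU\...\Internet Settings,ProxyServer = <value>"
_PROXY_RE = re.compile(
    r"^R1 - HK(?:CU|LM)\\.*Internet Settings,ProxyServer = (?P<value>.+)$"
)

# Constructed sample: lines copied from the logs posted in this thread.
SAMPLE_LOG = r"""R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=192.168.63.26:3128
R1 Aavmker4;avast! Asynchronous Virus Monitor; C:\WINDOWS\system32\drivers\Aavmker4.sys [2009-11-25 27408]
R1 sp_rsdrv2;Spyware Terminator Driver 2; \??\C:\WINDOWS\system32\drivers\sp_rsdrv2.sys []
R3 ASNDIS5;ASNDIS5 Protocol Driver; \??\C:\WINDOWS\system32\ASNDIS5.SYS []
S3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe []
"""


@dataclass(frozen=True)
class Finding:
    kind: str    # "proxy" or "missing-file-metadata"
    detail: str  # what to look at


def parse_rsit_entry(line):
    """Return the fields of one RSIT driver/service line, or None if it is not one."""
    m = _RSIT_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    # RSIT keeps the NT object-manager prefix for some entries; drop it.
    entry["path"] = entry["path"].removeprefix("\\??\\")
    return entry


def parse_proxy_value(value):
    """Split 'http=host:port;https=host:port' or plain 'host:port' into (proto, host, port)."""
    proxies = []
    for item in value.split(";"):
        item = item.strip()
        if not item:
            continue
        proto, _, hostport = item.rpartition("=")
        host, _, port = hostport.partition(":")
        proxies.append((proto or "all", host, port))
    return proxies


def _is_loopback(host):
    if host.lower() == "localhost":
        return True
    try:
        return ip_address(host).is_loopback
    except ValueError:
        return False


def triage(lines, expected_proxies=frozenset()):
    """Walk RSIT/HJT log lines and return the Findings that merit a manual look."""
    findings = []
    for line in lines:
        pm = _PROXY_RE.match(line.strip())
        if pm:
            for proto, host, port in parse_proxy_value(pm["value"]):
                if _is_loopback(host) or f"{host}:{port}" in expected_proxies:
                    continue
                findings.append(Finding("proxy", f"{proto} proxy {host}:{port} is not on the allowlist"))
            continue
        entry = parse_rsit_entry(line)
        if entry and not entry["meta"].strip():
            findings.append(Finding(
                "missing-file-metadata",
                f"{entry['name']} ({entry['state']}{entry['start']}) -> {entry['path']}",
            ))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG.splitlines()):
        print(f"[{finding.kind}] {finding.detail}")
```

Run it as-is to see the four review items from the sample (the proxy plus three entries with an empty bracket); pass `expected_proxies={"192.168.63.26:3128"}` to `triage` if that proxy turns out to be legitimate and the proxy finding disappears. The parser accepts both the `proto=host:port;...` form and a bare `host:port`, which is how the value can appear in either log.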

kubikma
Visitor
Posts: 10
Registered: 02 Jan 2010 10:22

Re: ComboFix found a rootkit

#14 Post by kubikma »

:arrow: do you recognise this proxy server?
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=192.168.63.26:3128

I'd say I never set up a proxy at their place, and the IP means nothing to me.

:arrow: do you recognise this
C:\Documents and Settings\All Users\Nabídka Start\Programy\Po spuštění
AutorunsDisabled


I would attribute the AutorunsDisabled folder to the autoruns.exe program, in which I disabled, but did not delete, some programs that run at system startup. I think it is just tucked away there in case I want to restore them again.

motji
VIP
Posts: 23301
Registered: 23 Oct 2008 08:02
Location: Haná

Re: ComboFix found a rootkit

#15 Post by motji »

If you do not use that proxy server, fix it in HJT. HJT makes backups, so it can be reverted :)
