TSR.BOOT virus

[rey_619]

Dobry den, prosim o pomoc pri odstraneni TSR.BOOT virusu z MBR sekoru 1. fyzickeho disku
prikladam log z combofixu


ComboFix 12-03-12.03 - Lenka 13.03.2012 8:38.1.1 - x86
Systém Microsoft Windows XP Professional 5.1.2600.2.1250.421.1033.18.759.473 [GMT 1:00]
Running from: c:\documents and settings\Lenka\My Documents\Downloads\ComboFix.exe
AV: ESET Smart Security 5.0 *Enabled/Updated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET personal firewall *Enabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}
* Resident AV is active
.
.
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\Lenka\WINDOWS
c:\windows\$NtUninstallKB57786$
c:\windows\$NtUninstallKB57786$\2491191896
c:\windows\$NtUninstallKB57786$\2502658926\@
c:\windows\$NtUninstallKB57786$\2502658926\L\nyovwhwr
c:\windows\$NtUninstallKB57786$\2502658926\loader.tlb
c:\windows\$NtUninstallKB57786$\2502658926\U\@00000001
c:\windows\$NtUninstallKB57786$\2502658926\U\@000000c0
c:\windows\$NtUninstallKB57786$\2502658926\U\@000000cb
c:\windows\$NtUninstallKB57786$\2502658926\U\@000000cf
c:\windows\$NtUninstallKB57786$\2502658926\U\@80000000
c:\windows\$NtUninstallKB57786$\2502658926\U\@800000c0
c:\windows\$NtUninstallKB57786$\2502658926\U\@800000cb
c:\windows\$NtUninstallKB57786$\2502658926\U\@800000cf
c:\windows\{2521BB91-29B1-4d7e-9137-AC9875D77735}
c:\windows\pkunzip.pif
c:\windows\pkzip.pif
c:\windows\system32\
c:\windows\system32\CF22014.exe
c:\windows\system32\CF31620.exe
c:\windows\system32\dllcache\wmpvis.dll
c:\windows\system32\msssc.dll
c:\windows\system32\regobj.dll
c:\windows\winhelp.ini
c:\windows\wiNHost_app.dll
.
.
((((((((((((((((((((((((( Files Created from 2012-02-13 to 2012-03-13 )))))))))))))))))))))))))))))))
.
.
2012-03-12 21:35 . 2012-03-12 21:35 -------- d-----w- c:\documents and settings\Lenka\Doctor Web
2012-03-12 21:34 . 2012-03-12 21:34 -------- d-----w- c:\program files\Common Files\Doctor Web
2012-03-12 21:33 . 2012-03-13 06:25 -------- d-----w- c:\program files\DrWeb
2012-03-12 21:33 . 2012-03-12 21:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Doctor Web
2012-03-12 21:25 . 2012-03-12 21:25 -------- d-----w- c:\documents and settings\Lenka\Local Settings\Application Data\Downloaded Installations
2012-03-05 21:52 . 2012-03-05 21:52 -------- d-----w- c:\documents and settings\LocalService\Application Data\TuneUp Software
2012-03-05 20:29 . 2012-03-05 20:36 -------- d-----w- c:\documents and settings\All Users\Application Data\TuneUp Software
2012-03-05 20:28 . 2012-03-05 20:28 -------- d-sh--w- c:\documents and settings\All Users\Application Data\{24036256-BFDB-4CD3-BE8A-A3D6160F2E16}
2012-03-05 19:58 . 2012-03-05 21:02 -------- d-----w- c:\documents and settings\Lenka\Application Data\LangSoft
2012-03-05 19:58 . 2012-03-05 19:58 -------- d-----w- c:\documents and settings\All Users\Application Data\LangSoft
2012-02-27 21:31 . 2012-02-27 21:31 -------- d-----w- c:\documents and settings\All Users\Application Data\DriverGenius
2012-02-27 21:05 . 2012-02-27 21:07 -------- d-----w- c:\documents and settings\Lenka\dwhelper
2012-02-26 21:52 . 2008-03-21 12:57 14640 ------w- c:\windows\system32\spmsgXP_2k3.dll
2012-02-26 21:01 . 2012-02-26 21:01 1112288 ----a-w- c:\windows\system32\WdfCoInstaller01007.dll
2012-02-26 21:01 . 2012-02-26 21:01 25512 ----a-w- c:\windows\system32\drivers\ggsemc.sys
2012-02-26 21:01 . 2012-02-26 21:01 13224 ----a-w- c:\windows\system32\drivers\ggflt.sys
2012-02-26 20:51 . 2009-09-02 19:34 581192 ----a-w- c:\windows\system32\WinUSBCoInstaller.dll
2012-02-26 20:49 . 2012-02-29 17:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Sony Ericsson
2012-02-26 20:49 . 2012-02-29 17:21 -------- d-----w- c:\program files\Sony Ericsson
2012-02-26 20:39 . 2012-02-26 20:40 -------- d-----w- c:\windows\system32\drivers\UMDF
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-03-05 20:49 . 2011-12-20 12:16 48 ----a-w- c:\windows\rafazon.bat
2011-12-14 14:26 . 2011-12-05 17:33 232512 ----a-w- c:\windows\system32\drivers\dtsoftbus01.sys
2008-03-09 06:25 . 2009-01-21 14:55 236 -c-ha-w- c:\program files\Common Files\dx.reg
2011-12-20 23:41 . 2011-09-21 17:17 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2006-05-03 11:06 163328 --sha-r- c:\windows\system32\flvDX.dll
2007-02-21 12:47 31232 --sha-r- c:\windows\system32\msfDX.dll
2008-03-16 14:30 216064 --sha-r- c:\windows\system32\nbDX.dll
2010-01-06 23:00 107520 --sha-r- c:\windows\system32\TAKDSDecoder.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2003-10-02 118784]
"DrvLsnr"="c:\program files\Analog Devices\SoundMAX\DrvLsnr.exe" [2002-05-28 69632]
"OrderReminder"="c:\program files\Hewlett-Packard\OrderReminder\OrderReminder.exe" [2006-01-30 98304]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-03-12 108544]
"GrooveMonitor"="d:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 31016]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2011-09-22 3080264]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2004-03-12 14336]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2011-06-09 11:06 254696 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"OEXPRESS"=
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\TC PowerPack\\TOTALCMD.EXE"=
"c:\\Program Files\\QIP Infium\\infium.exe"=
"c:\\Program Files\\messenger\\msmsgs.exe"=
"c:\\totalcmd\\TOTALCMD.EXE"=
"d:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"d:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\ICQ6\\ICQ.exe"=
"d:\\Program Files\\Microsoft Office\\Office12\\outlook.exe"=
"d:\\Program Files\\Microsoft Office\\Office12\\groove.exe"=
"d:\\Program Files\\Microsoft Office\\Office12\\onenote.exe"=
"c:\\Program Files\\Common Files\\SafeNet Sentinel\\Sentinel Protection Server\\WinNT\\spnsrvnt.exe"=
"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
"c:\\Program Files\\Sony Ericsson\\Update Engine\\Sony Ericsson Update Engine.exe"=
"c:\\Documents and Settings\\Lenka\\Desktop\\Ace_Translator_v6.5_CRACK_CW\\AceTrans.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"24269:TCP"= 24269:TCP:BitComet 24269 TCP
"24269:UDP"= 24269:UDP:BitComet 24269 UDP
.
R0 sptd;sptd;\SystemRoot\\SystemRoot\System32\Drivers\sptd.sys --> \SystemRoot\\SystemRoot\System32\Drivers\sptd.sys [?]
R0 tffsport;M-Systems DiskOnChip 2000;c:\windows\system32\drivers\tffsport.sys [14.3.2009 19:36 149376]
R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\drivers\dtsoftbus01.sys [5.12.2011 18:33 232512]
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [4.8.2011 9:20 118104]
R2 ekrn;ESET Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [22.9.2011 12:03 974944]
R2 nlsX86cc;NLS Service;c:\windows\system32\NLSSRV32.EXE [2.11.2011 8:24 68896]
S0 SpiderG3;DrWeb file system scanner;c:\windows\system32\drivers\spiderg3.sys --> c:\windows\system32\drivers\spiderg3.sys [?]
S2 .EsetTrialReset;Eset Trial Reset;c:\windows\system32\regedt32.exe [31.3.2003 13:00 3584]
S2 ArcGIS License Manager;ArcGIS License Manager;c:\progra~1\ESRI\License\arcgis9x\lmgrd.exe [1.5.2010 14:53 467968]
S2 gupdate1c98f838f1c3cd0;Služba Google Update (gupdate1c98f838f1c3cd0);c:\program files\Google\Update\GoogleUpdate.exe [15.2.2009 16:39 133104]
S3 BCM44X2;BCM 10/100 Ethernet Network Adapter Driver;c:\windows\system32\drivers\BCM4E5.SYS [30.10.2008 12:42 26568]
S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys [26.2.2012 22:01 13224]
S3 gupdatem;Služba Google Update (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [15.2.2009 16:39 133104]
S3 Sony Ericsson PCCompanion;Sony Ericsson PCCompanion;c:\program files\Sony Ericsson\Sony Ericsson PC Companion\PCCService.exe [26.2.2012 21:49 155344]
.
Contents of the 'Scheduled Tasks' folder
.
2012-03-13 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-15 15:39]
.
2012-03-13 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-15 15:39]
.
2012-03-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-583907252-1993962763-839522115-1003Core.job
- c:\documents and settings\Lenka\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-09-29 17:54]
.
2012-03-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-583907252-1993962763-839522115-1003UA.job
- c:\documents and settings\Lenka\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-09-29 17:54]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = plimus.com,www.plimus.com,regnow.com,www.regnow.com,
IE: E&xportovat do aplikace Microsoft Excel - d:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
IE: E&xportovať do programu Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: {{7E6A20FB-153F-402c-A84B-1A64E1955D3D} -
IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
IE: {{CC963627-B1DC-40E0-B52A-CF21EE748449} -
IE: {{CC963627-B1DC-40E0-B52A-CF21EE748450} -
IE: {{CC963627-B1DC-40E0-B52A-CF21EE748451} -
IE: {{CC963627-B1DC-40E0-B52A-CF21EE748452} -
TCP: DhcpNameServer = 147.175.8.20 147.175.8.3
FF - ProfilePath - c:\documents and settings\Lenka\Application Data\Mozilla\Firefox\Profiles\9js0714v.default\
FF - prefs.js: browser.startup.homepage - hxxp://google.sk/
FF - prefs.js: network.proxy.gopher -
FF - prefs.js: network.proxy.gopher_port - 0
FF - prefs.js: network.proxy.type - 0
FF - user.js: network.proxy.type - 0
FF - user.js: network.proxy.http -
FF - user.js: network.proxy.http_port - 0
FF - user.js: network.proxy.ssl -
FF - user.js: network.proxy.ssl_port - 0
FF - user.js: network.proxy.ftp -
FF - user.js: network.proxy.ftp_port - 0
FF - user.js: network.proxy.gopher -
FF - user.js: network.proxy.gopher_port - 0
FF - user.js: network.proxy.socks_version - 5
FF - user.js: network.proxy.socks -
FF - user.js: network.proxy.socks_port - 0
.
- - - - ORPHANS REMOVED - - - -
.
AddRemove-Battle Los Angeles - f:\program files\Konami\Battle Los Angeles\Uninstall.exe
AddRemove-PC Translator - c:\docume~1\Lenka\LOCALS~1\Temp\UN32.EXE
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-03-13 08:45
Windows 5.1.2600 Service Pack 2, v.2096 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(896)
c:\windows\system32\ODBC32.dll
.
- - - - - - - > 'lsass.exe'(952)
c:\windows\system32\dssenh.dll
.
- - - - - - - > 'explorer.exe'(1936)
c:\windows\system32\msi.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
d:\program files\Microsoft Office\Office12\1029\GrooveIntlResource.dll
c:\windows\system32\ODBC32.dll
c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll
.
------------------------ Other Running Processes ------------------------
.
d:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\windows\system32\rundll32.exe
c:\\?\c:\windows\system32\WBEM\WMIADAP.EXE
.
**************************************************************************
.
Completion time: 2012-03-13 08:49:34 - machine was rebooted
ComboFix-quarantined-files.txt 2012-03-13 07:49
.
Pre-Run: 1 481 879 552 bytes free
Post-Run: 1 658 134 528 voľných bajtov
.
- - End Of File - - B081540F7F1D7895802CD0C4CBA69290

[vyosek]

Zdravim

CF se nespousti bez doporuceni radce, nota bene na takovouhle havet, uz nemusel OS nabehnout

Neni divu ze to mate zaliskane kdyz pouzivane nelegalni bezpecnostni SW (ESET). Pravidla fora ale hovori jasne, takze udelame s tim neco?

[rey_619]

ospravedlnujem sa a dakujem za upozornenie. eset je uz vyrieseny a legalny. CF som pouzil, lebo rovnaky problem s tymto virusom sa riesil cez CF, tak som to hned nahodil, nech usetrim cas a myslel som, ze je to len neskodny diagnosticky program.
a k tomu virusu, takze ja mam ozajstny virus v MBR? myslel som, ze to je len poplach ako som sa niekde docital

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: ST340014A rev.3.06 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK

mam este hodit nejaky log? dakujem za kazdu radu

este som trochu patral a zistil som, ze Eset mi vyhadzuje TSR.BOOT virus, iba ak mam pripojeny flash disk, cize teoreticky tam by sa mal nachadzat, ale je zaujimave, ze ked dam scanovat flash disk, tak nic nenajde. info o viruse vyhodi, iba ked scanujem C:/
chcel som este otestovat aj externy HDD, ale ked ho pripojim PC komplet zamrzne
este poznamka: pred nejakym mesiacom som sa snazil vytvorit z flash disku bootovaci disk cez nejaky program, potreboval som to pri instalacii winXP

[vyosek]

eset je uz vyrieseny a legalny.

Pod timto si mam predstavit co?

Proc poustite mbr kdyz mu zrejme vubec nerzumite jelikoz byl spusten bez potrebnych parametru a kroku pred jeho aplikaci

[rey_619]

v poriadku sam uz radsej nebudem nic podnikat a cakam na vase rady
pure fix som odinstaloval aj cely eset a znovu som nainstaloval korektnu trial verziu

[vyosek]

A to jste si neprecetl licencni podminky, ze nesmite vyuzivat opakovane trial licence za ucelem vyhnuti se poplatku

[rey_619]

tak to som naozaj necital mozete mi odporucit nejaky free? okrem avastu s nim nemam dobre skusenosti

[vyosek]

Ale spokojene jste ty licencni podminky odsouhlasil

Z free reseni jeste pak Avira ci MSE

Pak poprosim o novy log z RSIT

[rey_619]

opät sa mi potvrdilo, ze ziaden virus nie je tak nebezpecny ako samotny windows.
chcel som nainstalovat MSE, ale pytalo si to este nejaky doplnok a ked som ho nainstaloval a restartoval PC, tak windows nenabehne. ked sa chcem prihlasit, tak vyhadzuje tuto hlasku. v nedelu idem nanovo instalovat windows, alebo da sa to este nejako zachranit?

[vyosek]

Zeptam se takto, windows jsou legalni

Zkuste jeste mackat pri restartu F8 a zvolit Posledni znama funkcni konfigurace

[rey_619]

windows je asi to jedine, co mam legalne
to som hned skusal a nepomohlo. nainstalujem windows a bude pokoj, aj tak potrebujem miesto na C:/
mate zatial nejaku teoriu, ako je mozne, ze mi eset pri kontrole usb kluca nenajde ten virus, ale ked dam skenovat cely pc, tak pri kontrole oddielu C ho hlasi? ked nie je pripojeny usb kluc, tak nehlasi ziadny virus
som zvedavy ako sa to bude spravat po novej instalacii windowsu

[vyosek]

To, co tam mate - mel jste za havet, je peknej previt...ma skvele techniky kamuflaze, umi se maskovat, predhazovat ciste soubory na test atd...

Kolegove na zahranicnich forech doporucuji na tohle jedine reinstal...ja u nas resil zatim 4 pripady, uspespesnost 50% - ovsem to je relevatni - PC se chova v poradku, ale havet tam muze klidne byt...zatim se presne nevi co vse nabori a do ceho vseho rype v OS - a ze je toho pozehnane...

[rey_619]

a keby ta potvora bola na usb kluci da sa nejako odstranit? lebo zevraj sformatovanie kluca nepomoze

Neni divu ze to mate zaliskane kdyz pouzivane nelegalni bezpecnostni SW (ESET).

takze cracknuty antivir neochrani tak ako legalny?

[vyosek]

a keby ta potvora bola na usb kluci da sa nejako odstranit? lebo zevraj sformatovanie kluca nepomoze

Na toto jste prisel kde?

takze cracknuty antivir neochrani tak ako legalny?

Ano, nikdy nevite co crack s av udela - muze zahasovat treba do jeho cinnosti, aby neco nedetekoval - ale je tu i strana licencnich podminek, porusovani autorskeho zakona = pachani trestneho cinu

[rey_619]

http://forum.zive.sk/viewtopic.php?f=927&t=1045628
tu sa pise, ze format disku nemeni mbr a tam by sa mal ten tsr.boot nachadzat