Win32/Mebroot.K

[Ghost8]

Mám taky problém s tímhle šikulou . MBR sice ukazuje cistej log, ale NOD se muze zblaznit a mám šíleně pomalej komp. Pomůže mi někdo?

[JanH.]

Zalozte nove tema(tady to nedavejte) a tam dejte log z Hjt(+ popis stav a atd.) a pokud neusnu u kompu pokusim se poradit.

[Consolero]

A nepomohl ti ten program z meho odkazu ? Me to vyresilo a NOD je v pohode, PC je ted rychle jak ma bejt...
Pak pisni jak jsi dopadl.

[Consolero]

Chtel jsem se tady zeptat jeste.
Ten NOD uz mi sice nic nehlasi, ale nevim zda je tento vypis s GMER v poradku ? Nejak mi ted totiz spatne vypaluje mechanika a to na8x rychlosti zacne padat buder aniz bych neco pracoval, mechanika je 2 mesice stara a zacalo to az po tom viru Tak ted vubec nevim zda je to vyleceno nebo je to stale na disku
Nejprve mi to ukazovalo VIR v pameti v NODu a pak to vletelo na ten disk, ted uz tedy NOD neukazeje nikde VIR, ale PC se zase chova divne

GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2008-08-27 16:29:38
Windows 5.1.2600 Service Pack 3


---- Disk sectors - GMER 1.0.14 ----

Disk \Device\Harddisk0\DR0 sector 61: malicious code @ sector 0x2e937cc1 size 0x1ac
Disk \Device\Harddisk0\DR0 sector 62: copy of MBR

---- System - GMER 1.0.14 ----

SSDT spzr.sys ZwEnumerateKey [0xB9EC6CA2]
SSDT spzr.sys ZwEnumerateValueKey [0xB9EC7030]

---- Devices - GMER 1.0.14 ----

Device \FileSystem\Ntfs \Ntfs 89E511F8

AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET)
AttachedDevice \Driver\Tcpip \Device\Tcp epfwtdir.sys

---- EOF - GMER 1.0.14 ----

[JanH.]

to je cely log?


2.

stáhněte MBR - http://www2.gmer.net/mbr/mbr.exe ulož ho na plochu>spust > vytvoří se log mbr.log, vložte ho celý sem.

[Consolero]

Zdravim, potreboval bych radu a prohlednou me logy, je to jeste mozne na tomto Win32/Mebroot.K vlakne ?
Dekuji.

[vokounek]

Prosim, je nekde popsano, co Win32/Mebroot.K dela?

[vokounek]

zdravim, tak bych take potreboval poradit co s timto svabem Win32/Mebroot.K.
snad jsem ho odstranil http://free.drweb.com/, ale kdyz spustim mbr, vysledek je na sledujici
Stealth MBR rootkit detector 0.2.4 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
malicious code @ sector 0x2546841 size 0x1ac !
copy of MBR has been found in sector 62 !

TAK PROSIM, co s tim... dekuji za pomoc

Nasledne jsem to jeste nechal projet SDFixem
SDFix: Version 1.220
Run by Administrator on Łt 02.09.2008 at 09:17

Microsoft Windows XP [Verze 5.1.2600]
Running From: C:\SDFix

Checking Services :

Name :
{DEF85C80-216A-43ab-AF70-1665EDBE2780}

Path :
\??\C:\WINDOWS\TEMP\16AD.tmp

{DEF85C80-216A-43ab-AF70-1665EDBE2780} - Deleted



Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

No Trojan Files Found


Note - Files associated with the MBR Rootkit have been found on this system, to check the PC use the MBR Rootkit Detector by Gmer




Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-02 09:22:38
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s0"=dword:1a2b2e9a
"s1"=dword:2238ca7b
"s2"=dword:0789e7fa
"h0"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"p0"="C:\Program Files\\Alcohol 120\"
"h0"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"p0"="C:\Program Files\\Alcohol 120\"
"h0"=dword:00000000

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Cursors\Schemes]
"\f\1e?r?n?é? ?u?k?a?z?a?t?e?l?e? ?"="C:\WINDOWS\cursors\arrow_r.cur,C:\WINDOWS\cursors\help_r.cur,C:\WINDOWS\cursors\wait_r.cur,C:\WINDOWS\cursors\busy_r.cur,C:\WINDOWS\cursors\cross_r.cur,C:\WINDOWS\cursors\beam_r.cur,C:\WINDOWS\cursors\pen_r.cur,C:\WINDOWS\cursors\no_r.cur,C:\WINDOWS\cursors\size4_r.cur,C:\WINDOWS\cursors\size3_r.cur,C:\WINDOWS\cursors\size2_r.cur,C:\WINDOWS\cursors\size1_r.cur,C:\WINDOWS\cursors\move_r.cur,C:\WINDOWS\cursors\up_r.cur"
"\f\1e?r?n?é? ?u?k?a?z?a?t?e?l?e? ?(?v?e?l?k?é?)?"="C:\WINDOWS\cursors\arrow_rm.cur,C:\WINDOWS\cursors\help_rm.cur,C:\WINDOWS\cursors\wait_rm.cur,C:\WINDOWS\cursors\busy_rm.cur,C:\WINDOWS\cursors\cross_rm.cur,C:\WINDOWS\cursors\beam_rm.cur,C:\WINDOWS\cursors\pen_rm.cur,C:\WINDOWS\cursors\no_rm.cur,C:\WINDOWS\cursors\size4_rm.cur,C:\WINDOWS\cursors\size3_rm.cur,C:\WINDOWS\cursors\size2_rm.cur,C:\WINDOWS\cursors\size1_rm.cur,C:\WINDOWS\cursors\move_rm.cur,C:\WINDOWS\cursors\up_rm.cur"
"\f\1e?r?n?é? ?u?k?a?z?a?t?e?l?e? ?(?n?e?j?v?\e\1t?a\1í?)?"="C:\WINDOWS\cursors\arrow_rl.cur,C:\WINDOWS\cursors\help_rl.cur,C:\WINDOWS\cursors\wait_rl.cur,C:\WINDOWS\cursors\busy_rl.cur,C:\WINDOWS\cursors\cross_rl.cur,C:\WINDOWS\cursors\beam_rl.cur,C:\WINDOWS\cursors\pen_rl.cur,C:\WINDOWS\cursors\no_rl.cur,C:\WINDOWS\cursors\size4_rl.cur,C:\WINDOWS\cursors\size3_rl.cur,C:\WINDOWS\cursors\size2_rl.cur,C:\WINDOWS\cursors\size1_rl.cur,C:\WINDOWS\cursors\move_rl.cur,C:\WINDOWS\cursors\up_rl.cur"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{43B11277-31C7-2F46-8F79-E08879C94332}]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{83090E01-12EE-9B41-914D-27EB6237801F}]

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

Remaining Files :



Files with Hidden Attributes :

Mon 28 Jan 2008 1,404,240 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 28 Jan 2008 5,146,448 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Mon 28 Jan 2008 2,097,488 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Sat 21 Jun 2003 377,344 A..H. --- "C:\Program Files\IsoBuster\Help\AHlp.exe"

Finished!

[JanH.]

hm...to vas asi presmeruju na jineho radce ten mbrje zas nejaky divny zatim:


stahnete a ulozte nejlepe na plochu ComboFix

pote spustte aplikaci pod uctem s administratorskym opravnenim

hned po startu se zobrazi obrazovka s licencnimi podminkami, pokracujte kliknutim na tlacitko Ano:



v klidu si postavte na kafe (cela akce trva cca. 5-10 minut, nekdy i dele - dle toho, o jak rychly stroj se jedna a kolika soubory se skener bude muset prodirat), behem skenu se nepokousejte spoustet zadne jine aplikace ani nic jineho

behem skenovani nepropadejte panice, vas stroj muze byt restartovan (predevsim pri prvni aplikaci skeneru)

upozorneni: pokud pouzivate antispyware s rezidentnim stitem, prepnete jeho rezidentni stit do Install Mode, pripadne jej po dobu skenu uplne deaktivujte, protoze dochazi pri skenu a vymazu pripadneho malware k nezadoucim kolizim s rezidentem antispyware


po restartu aplikace vytvori log, ulozeny na C:/Combofix.txt (pri opakovanem pouziti jsou logy oznaceny Combofix2.txt atd.), jeho obsah vlozte sem

[vokounek]

ComboFix 08-09-01.01 - borec 2008-09-02 11:09:32.1 - NTFSx86
Systém Microsoft Windows XP Professional 5.1.2600.1.1250.1.1029.18.240 [GMT 2:00]
Spusteny z: H:\ComboFix.exe
* Vytvoren novy Bod Obnoveni
* Resident AV is active


VAROVANI - NA TOMTO POCITACI NENI NAINSTALOVANA KONZOLA PRO ZOTAVENI !!
.

((((((((((((((((((((((((((((((((((((((( Ostatni vymazy )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\borec\Cookies\borec@2o7[1].txt
C:\Documents and Settings\borec\Cookies\borec@ehg-ittoolbox.hitbox[2].txt
C:\Documents and Settings\borec\Data aplikací\inst.exe
C:\WINDOWS\regedit.com
C:\WINDOWS\system32\dao350.dll
C:\WINDOWS\system32\rtl60.bpl
C:\WINDOWS\system32\taskmgr.com

.
((((((((((((((((((((((((( Soubory vytvorene od 2008-08-02 do 2008-09-02 )))))))))))))))))))))))))))))))
.

2008-09-02 09:55 . 2008-09-02 09:55 <DIR> d-a------ C:\WINDOWS\zts2.exe
2008-09-02 09:55 . 2008-09-02 09:55 <DIR> d-a------ C:\WINDOWS\system32\vcmgcd32.dll
2008-09-02 09:55 . 2008-09-02 09:55 <DIR> d-a------ C:\WINDOWS\system32\iifgfgf.dll
2008-09-02 09:55 . 2008-09-02 09:55 <DIR> d-a------ C:\WINDOWS\rundll16.exe
2008-09-02 09:55 . 2008-09-02 09:55 <DIR> d-a------ C:\WINDOWS\rundl132.dll
2008-09-02 09:55 . 2008-09-02 09:55 <DIR> d-a------ C:\WINDOWS\logo1_.exe
2008-09-02 09:53 . 2002-09-20 20:05 135,680 --a------ C:\WINDOWS\R.COM
2008-09-02 09:53 . 2002-09-20 20:05 130,048 --a------ C:\WINDOWS\system32\T.COM
2008-09-02 09:53 . 2008-09-02 09:53 27 --a------ C:\WINDOWS\Lic.xxx
2008-09-02 09:52 . 2008-09-02 09:52 <DIR> d-------- C:\Documents and Settings\All Users\Data aplikací\MicroWorld
2008-09-02 09:49 . 2008-09-02 09:08 1,419,780 --a------ C:\Temp\SDFix.exe
2008-09-02 09:14 . 2008-09-02 09:14 <DIR> d-------- C:\WINDOWS\ERUNT
2008-09-02 09:07 . 2008-09-02 09:32 <DIR> d-------- C:\SDFix
2008-09-02 07:31 . 2008-09-02 10:06 250 --a------ C:\WINDOWS\gmer.ini
2008-09-02 07:02 . 2008-09-02 07:02 <DIR> d-------- C:\Documents and Settings\borec\DoctorWeb
2008-08-27 07:43 . 2002-09-20 18:03 202,496 --a--c--- C:\WINDOWS\system32\dllcache\ati2dvag.dll
2008-08-27 07:43 . 2002-09-20 18:03 202,496 --a------ C:\WINDOWS\system32\ati2dvag.dll
2008-08-27 07:42 . 2008-08-27 07:42 10 --a------ C:\WINDOWS\WININIT.INI
2008-08-17 13:22 . 2002-09-20 17:15 450,176 --a------ C:\WINDOWS\system32\drivers\ati2mtag.sys
2008-08-17 13:22 . 2002-09-20 17:15 450,176 --a--c--- C:\WINDOWS\system32\dllcache\ati2mtag.sys
2008-08-17 09:03 . 2002-09-20 18:04 3,494,303 --------- C:\WINDOWS\system32\nv4_disp.dll
2008-08-17 09:03 . 2002-08-28 23:16 891,711 --------- C:\WINDOWS\system32\drivers\nv4_mini.sys
2008-08-17 09:03 . 2002-08-28 23:16 891,711 -----c--- C:\WINDOWS\system32\dllcache\nv4_mini.sys
2008-08-17 08:46 . 2008-08-17 09:12 88,566 --------- C:\WINDOWS\system32\nvapps.xml
2008-08-17 08:45 . 2006-10-22 12:22 208,896 --------- C:\WINDOWS\system32\nvudisp.exe
2008-08-17 08:25 . 2008-08-17 08:25 <DIR> d-------- C:\Documents and Settings\All Users\Data aplikací\MumboJumbo
2008-08-17 07:16 . 2008-08-17 07:16 <DIR> d-------- C:\Documents and Settings\borec\Data aplikací\Ashampoo
2008-08-17 07:16 . 2008-08-17 07:16 <DIR> d-------- C:\Documents and Settings\All Users\Data aplikací\ashampoo
2008-08-17 07:15 . 2008-08-17 07:16 <DIR> d-------- C:\Program Files\Ashampoo Burning Studio 7
2008-08-14 15:43 . 2008-08-14 15:43 <DIR> d-------- C:\Program Files\PCNetSoftware
2008-08-05 13:46 . 2008-08-05 13:46 <DIR> d-------- C:\Program Files\DVD Shrink
2008-08-05 13:46 . 2008-08-05 16:47 <DIR> d-------- C:\Documents and Settings\All Users\Data aplikací\DVD Shrink
2008-08-05 13:44 . 2008-09-02 10:15 <DIR> d-------- C:\Documents and Settings\borec\Data aplikací\Vso
2008-08-05 13:44 . 2008-08-05 13:44 47,360 --a------ C:\WINDOWS\system32\drivers\pcouffin.sys
2008-08-05 13:44 . 2008-09-02 10:15 47,360 --a------ C:\Documents and Settings\borec\Data aplikací\pcouffin.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M vypis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-02 08:16 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-27 05:42 --------- d-----w C:\Program Files\AoA DVD Copy
2008-08-26 15:13 --------- d-----w C:\Program Files\Photoshop
2008-08-13 09:55 --------- d-----w C:\Program Files\Miranda
2008-08-05 12:30 --------- d-----w C:\Documents and Settings\borec\Data aplikací\Ahead
2008-08-05 08:49 --------- d-----w C:\Program Files\Putty
2008-07-30 11:33 462 ----a-w C:\udiv39_UDIV_TEST_AD.bat
2008-07-30 11:33 454 ----a-w C:\udiv39_UDIV_TELE_AD.bat
2008-07-21 13:23 1,468 ----a-w C:\udiv37_UDIV_TEST_AD.bat
2008-07-21 13:23 1,444 ----a-w C:\udiv37_UDIV_TELE_AD.bat
2008-07-16 13:42 --------- d-----w C:\Documents and Settings\All Users\Data aplikací\Hewlett-Packard
2008-07-16 13:24 --------- d-----w C:\Program Files\HP
2008-07-12 15:17 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-07-12 15:12 --------- d-----w C:\Program Files\IsoBuster
2008-07-08 09:05 --------- d-----w C:\Program Files\Cyklotrasy
2008-02-10 08:35 784 ----a-w C:\Documents and Settings\borec\Data aplikací\mpauth.dat
.

(((((((((((((((((((((((((((((((((( Spousteci body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznamka* prazdne zaznamy & legitimni vychozi udaje nejsou zobrazeny.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\ctfmon.exe" [2002-09-20 20:05 13312]
"MirandaIM"="c:\Program Files\Miranda\miranda32.exe" [2006-07-28 10:11 471633]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-27 19:03 152872]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"egui"="C:\Program Files\Smart Security\egui.exe" [2007-11-14 15:05 1410304]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2002-09-20 20:05 13312]

C:\Documents and Settings\borec\Nabˇdka Start\Programy\Po spuçtŘnˇ\
Outlook Express.lnk - C:\Program Files\Outlook Express\msimn.exe [2004-06-07 16:13:22 56832]
Vyroci.lnk - C:\Program Files\Vyroci\Vyroci.exe [2007-10-06 11:22:58 99328]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.I420"= C:\WINDOWS\System32\i263_32.drv
"vidc.DIV3"= DivXc32.dll
"vidc.DIV4"= DivXc32f.dll
"msacm.divxa32"= DivXa32.acm
"vidc.DIVX"= divxdec.ax
"VIDC.HFYU"= huffyuv.dll
"vidc.i263"= C:\WINDOWS\System32\i263_32.drv
"msacm.imc"= C:\WINDOWS\System32\imc32.acm

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Nabídka Start^Programy^Po spuštění^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Nabídka Start\Programy\Po spuštění\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Nabídka Start^Programy^Po spuštění^msn_0803_upd041807.exe]
path=C:\Documents and Settings\All Users\Nabídka Start\Programy\Po spuštění\msn_0803_upd041807.exe
backup=C:\WINDOWS\pss\msn_0803_upd041807.exeCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^borec^Nabídka Start^Programy^Po spuštění^HDDlife.lnk]
path=C:\Documents and Settings\borec\Nabídka Start\Programy\Po spuštění\HDDlife.lnk
backup=C:\WINDOWS\pss\HDDlife.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^borec^Nabídka Start^Programy^Po spuštění^msn_0803_upd041807.exe]
path=C:\Documents and Settings\borec\Nabídka Start\Programy\Po spuštění\msn_0803_upd041807.exe
backup=C:\WINDOWS\pss\msn_0803_upd041807.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PC Dynamics SdwMon32]
--a------ 2002-03-02 20:34 73728 C:\PROGRA~1\SAFEHO~1\SdwMon32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SafeHouseSystemTray]
--a------ 2002-03-02 20:52 155648 C:\PROGRA~1\SAFEHO~1\SdwTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"NVSvc"=2 (0x2)

R1 SafDskNT;SafDskNT;C:\WINDOWS\System32\drivers\SafDskNT.sys [2002-03-02 20:34]
R2 HWiNFO32;HWiNFO32 Kernel Driver;C:\Program Files\HWiNFO32\HWiNFO32.SYS [2004-01-24 15:47]
R2 OkiPar;OkiPar;C:\WINDOWS\System32\DRIVERS\OKIPAR.SYS [2001-10-02 11:54]
R3 PSched;Plánovač paketů technologie QoS;C:\WINDOWS\System32\DRIVERS\psched.sys [2002-08-29 03:35]
S3 gtcdcmdm;GTRAN USB CDC Driver (PID 3196);C:\WINDOWS\System32\DRIVERS\gtusbmdm_gpc6400.sys [2004-06-11 17:44]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

*Newly Created Service* - PROCEXP90
.
- - - - NEPLATNE POLOZKY ODSTRANENE Z REGISTRU - - - -

Notify-AtiExtEvent - (no file)
MSConfigStartUp-BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} - C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe
MSConfigStartUp-NeroFilterCheck - C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe


.
------- Doplnkovy sken -------
.
FireFox -: Profile - C:\Documents and Settings\borec\Data aplikací\Mozilla\Firefox\Profiles\27atr7r7.default\
FF -: plugin - C:\Program Files\Acrobat\Reader\browser\nppdf32.dll
FF -: plugin - C:\Program Files\Java\jre1.5.0_12\bin\NPJava11.dll
FF -: plugin - C:\Program Files\Java\jre1.5.0_12\bin\NPJava12.dll
FF -: plugin - C:\Program Files\Java\jre1.5.0_12\bin\NPJava13.dll
FF -: plugin - C:\Program Files\Java\jre1.5.0_12\bin\NPJava14.dll
FF -: plugin - C:\Program Files\Java\jre1.5.0_12\bin\NPJava32.dll
FF -: plugin - C:\Program Files\Java\jre1.5.0_12\bin\NPJPI150_12.dll
FF -: plugin - C:\Program Files\Java\jre1.5.0_12\bin\NPOJI610.dll
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-02 11:12:44
Windows 5.1.2600 Service Pack 1 NTFS

skenovani skrytych procesu ...

skenovani skrytych polozek 'Po spusteni' ...

skenovani skrytych souboru ...

sken byl uspesne dokoncen
skryte soubory: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\PSSdk21]
"ImagePath"="\??\C:\WINDOWS\System32\Drivers\HNPsSdk.drv"
.
Celkovy cas: 2008-09-02 11:14:46
ComboFix-quarantined-files.txt 2008-09-02 09:14:35

Pre-Run: 1,493,372,928
Post-Run: 1,631,219,712

160

[JanH.]

toto otestujte na www.virustotal.com
C:\WINDOWS\System32\Drivers\HNPsSdk.drv

to sis tvoril sam?
C:\udiv39_UDIV_TEST_AD.bat

[vokounek]

Uz jsem neco odinstaloval a dany soubor tam jiz neni.
Ten batak je muj..

Tak co ted?

[JanH.]

otevrete si Poznamkovy blok

do nej zkopirujte skript z nasledujiciho okna:

Kód: Vybrat vše

Registry::
[-HKLM\~\startupfolder\C:^Documents and Settings^All Users^Nabídka Start^Programy^Po spuštění^msn_0803_upd041807.exe]
[-HKLM\~\startupfolder\C:^Documents and Settings^borec^Nabídka Start^Programy^Po spuštění^HDDlife.lnk]
[-HKLM\~\startupfolder\C:^Documents and Settings^borec^Nabídka Start^Programy^Po spuštění^msn_0803_upd041807.exe]

File::
C:\Documents and Settings\borec\Nabídka Start\Programy\Po spuštění\msn_0803_upd041807.exe
C:\WINDOWS\pss\msn_0803_upd041807.exe

ulozte vami vytvoreny textovy soubor jako CFScript.txt na plochu

po ulozeni uchopte vami vytvoreny skript levym tlacitkem mysi a presunte jej nad ikonu Combofixu, nad niz skript upustte:




mas cd(instalacni?)

[vokounek]

ComboFix 08-09-01.01 - borec 2008-09-02 13:28:50.2 - NTFSx86
Systém Microsoft Windows XP Professional 5.1.2600.1.1250.1.1029.18.242 [GMT 2:00]
Spusteny z: C:\Documents and Settings\borec\Plocha\ComboFix.exe
Command switches used :: C:\Documents and Settings\borec\Plocha\CFScript.txt
* Vytvoren novy Bod Obnoveni
* Resident AV is active


VAROVANI - NA TOMTO POCITACI NENI NAINSTALOVANA KONZOLA PRO ZOTAVENI !!

FILE ::
C:\Documents and Settings\borec\Nabídka Start\Programy\Po spuštění\msn_0803_upd041807.exe
C:\WINDOWS\pss\msn_0803_upd041807.exe
.

((((((((((((((((((((((((( Soubory vytvorene od 2008-08-02 do 2008-09-02 )))))))))))))))))))))))))))))))
.

2008-09-02 11:39 . 2008-09-02 11:40 <DIR> d-------- C:\Temp\cis
2008-09-02 11:25 . 2008-09-02 11:25 139 --a------ C:\WINDOWS\msicpl.ini
2008-09-02 11:22 . 2008-09-02 11:22 <DIR> d-------- C:\WINDOWS\nview
2008-09-02 11:22 . 2003-01-14 12:04 237,568 -ra------ C:\WINDOWS\system32\msicpl.dll
2008-09-02 11:22 . 2002-08-29 06:37 69,632 -ra------ C:\WINDOWS\system32\nvclock.dll
2008-09-02 11:22 . 2002-04-16 03:41 45,056 -ra------ C:\WINDOWS\system32\memtest.dll
2008-09-02 11:22 . 2002-08-28 13:16 37,880 -ra------ C:\WINDOWS\system32\drivers\vgauti.sys
2008-09-02 11:22 . 2002-08-28 13:12 37,880 -ra------ C:\WINDOWS\system32\drivers\msicpl.sys
2008-09-02 11:22 . 2002-07-05 23:32 24,576 -ra------ C:\WINDOWS\system32\msiuins.exe
2008-09-02 09:55 . 2008-09-02 09:55 <DIR> d-a------ C:\WINDOWS\zts2.exe
2008-09-02 09:55 . 2008-09-02 09:55 <DIR> d-a------ C:\WINDOWS\system32\vcmgcd32.dll
2008-09-02 09:55 . 2008-09-02 09:55 <DIR> d-a------ C:\WINDOWS\system32\iifgfgf.dll
2008-09-02 09:55 . 2008-09-02 09:55 <DIR> d-a------ C:\WINDOWS\rundll16.exe
2008-09-02 09:55 . 2008-09-02 09:55 <DIR> d-a------ C:\WINDOWS\rundl132.dll
2008-09-02 09:55 . 2008-09-02 09:55 <DIR> d-a------ C:\WINDOWS\logo1_.exe
2008-09-02 09:53 . 2002-09-20 20:05 135,680 --a------ C:\WINDOWS\R.COM
2008-09-02 09:53 . 2002-09-20 20:05 130,048 --a------ C:\WINDOWS\system32\T.COM
2008-09-02 09:53 . 2008-09-02 09:53 27 --a------ C:\WINDOWS\Lic.xxx
2008-09-02 09:52 . 2008-09-02 09:52 <DIR> d-------- C:\Documents and Settings\All Users\Data aplikací\MicroWorld
2008-09-02 09:49 . 2008-09-02 09:08 1,419,780 --a------ C:\Temp\SDFix.exe
2008-09-02 09:14 . 2008-09-02 09:14 <DIR> d-------- C:\WINDOWS\ERUNT
2008-09-02 09:07 . 2008-09-02 09:32 <DIR> d-------- C:\SDFix
2008-09-02 07:31 . 2008-09-02 10:06 250 --a------ C:\WINDOWS\gmer.ini
2008-09-02 07:02 . 2008-09-02 07:02 <DIR> d-------- C:\Documents and Settings\borec\DoctorWeb
2008-08-27 07:43 . 2002-09-20 18:03 202,496 --a--c--- C:\WINDOWS\system32\dllcache\ati2dvag.dll
2008-08-27 07:43 . 2002-09-20 18:03 202,496 --a------ C:\WINDOWS\system32\ati2dvag.dll
2008-08-27 07:42 . 2008-08-27 07:42 10 --a------ C:\WINDOWS\WININIT.INI
2008-08-17 13:22 . 2002-09-20 17:15 450,176 --a------ C:\WINDOWS\system32\drivers\ati2mtag.sys
2008-08-17 13:22 . 2002-09-20 17:15 450,176 --a--c--- C:\WINDOWS\system32\dllcache\ati2mtag.sys
2008-08-17 08:25 . 2008-08-17 08:25 <DIR> d-------- C:\Documents and Settings\All Users\Data aplikací\MumboJumbo
2008-08-17 07:16 . 2008-08-17 07:16 <DIR> d-------- C:\Documents and Settings\borec\Data aplikací\Ashampoo
2008-08-17 07:16 . 2008-08-17 07:16 <DIR> d-------- C:\Documents and Settings\All Users\Data aplikací\ashampoo
2008-08-17 07:15 . 2008-08-17 07:16 <DIR> d-------- C:\Program Files\Ashampoo Burning Studio 7
2008-08-14 15:43 . 2008-08-14 15:43 <DIR> d-------- C:\Program Files\PCNetSoftware
2008-08-05 13:46 . 2008-08-05 13:46 <DIR> d-------- C:\Program Files\DVD Shrink
2008-08-05 13:46 . 2008-08-05 16:47 <DIR> d-------- C:\Documents and Settings\All Users\Data aplikací\DVD Shrink
2008-08-05 13:44 . 2008-09-02 10:15 <DIR> d-------- C:\Documents and Settings\borec\Data aplikací\Vso
2008-08-05 13:44 . 2008-08-05 13:44 47,360 --a------ C:\WINDOWS\system32\drivers\pcouffin.sys
2008-08-05 13:44 . 2008-09-02 10:15 47,360 --a------ C:\Documents and Settings\borec\Data aplikací\pcouffin.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M vypis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-02 08:16 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-27 05:42 --------- d-----w C:\Program Files\AoA DVD Copy
2008-08-26 15:13 --------- d-----w C:\Program Files\Photoshop
2008-08-13 09:55 --------- d-----w C:\Program Files\Miranda
2008-08-05 12:30 --------- d-----w C:\Documents and Settings\borec\Data aplikací\Ahead
2008-08-05 08:49 --------- d-----w C:\Program Files\Putty
2008-07-30 11:33 462 ----a-w C:\udiv39_UDIV_TEST_AD.bat
2008-07-30 11:33 454 ----a-w C:\udiv39_UDIV_TELE_AD.bat
2008-07-21 13:23 1,468 ----a-w C:\udiv37_UDIV_TEST_AD.bat
2008-07-21 13:23 1,444 ----a-w C:\udiv37_UDIV_TELE_AD.bat
2008-07-16 13:42 --------- d-----w C:\Documents and Settings\All Users\Data aplikací\Hewlett-Packard
2008-07-16 13:24 --------- d-----w C:\Program Files\HP
2008-07-12 15:17 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-07-12 15:12 --------- d-----w C:\Program Files\IsoBuster
2008-07-08 09:05 --------- d-----w C:\Program Files\Cyklotrasy
2008-02-10 08:35 784 ----a-w C:\Documents and Settings\borec\Data aplikací\mpauth.dat
.

((((((((((((((((((((((((((((( snapshot@2008-09-02_11.14.18.54 )))))))))))))))))))))))))))))))))))))))))
.
+ 2002-11-08 12:22:00 1,306,624 ----a-w C:\WINDOWS\system32\dmcpl.exe
- 2002-08-28 21:16:30 891,711 ------w C:\WINDOWS\system32\drivers\nv4_mini.sys
+ 2002-11-08 12:22:00 1,177,594 ----a-w C:\WINDOWS\system32\drivers\nv4_mini.sys
- 2006-10-22 10:22:00 425,984 ------w C:\WINDOWS\system32\keystone.exe
+ 2002-11-08 12:22:00 262,229 ----a-w C:\WINDOWS\system32\keystone.exe
- 2002-09-20 16:04:36 3,494,303 ------w C:\WINDOWS\system32\nv4_disp.dll
+ 2002-11-08 12:22:00 2,684,138 ----a-w C:\WINDOWS\system32\nv4_disp.dll
- 2006-10-22 10:22:00 7,700,480 ------w C:\WINDOWS\system32\nvcpl.dll
+ 2002-11-08 12:22:00 4,243,456 ----a-w C:\WINDOWS\system32\nvcpl.dll
- 2006-10-22 10:22:00 1,470,464 ------w C:\WINDOWS\system32\nview.dll
+ 2002-11-08 12:22:00 770,117 ----a-w C:\WINDOWS\system32\nview.dll
+ 2002-11-08 12:22:00 372,736 ----a-w C:\WINDOWS\system32\nviewimg.dll
+ 2002-11-08 12:22:00 118,784 ----a-w C:\WINDOWS\system32\nvinstnt.dll
- 2006-10-22 10:22:00 86,016 ------w C:\WINDOWS\system32\nvmctray.dll
+ 2002-11-08 12:22:00 49,152 ----a-w C:\WINDOWS\system32\nvmctray.dll
- 2006-10-22 10:22:00 5,644,288 ------w C:\WINDOWS\system32\nvoglnt.dll
+ 2002-11-12 15:16:26 3,514,368 ----a-w C:\WINDOWS\system32\nvoglnt.dll
- 2006-10-22 10:22:00 323,584 ------w C:\WINDOWS\system32\nvrsar.dll
+ 2002-11-08 12:22:00 311,296 ----a-w C:\WINDOWS\system32\nvrsar.dll
- 2006-10-22 10:22:00 241,664 ------w C:\WINDOWS\system32\nvrscs.dll
+ 2002-11-08 12:22:00 241,664 ----a-w C:\WINDOWS\system32\nvrscs.dll
- 2006-10-22 10:22:00 245,760 ------w C:\WINDOWS\system32\nvrsda.dll
+ 2002-11-08 12:22:00 249,856 ----a-w C:\WINDOWS\system32\nvrsda.dll
- 2006-10-22 10:22:00 270,336 ------w C:\WINDOWS\system32\nvrsde.dll
+ 2002-11-08 12:22:00 258,048 ----a-w C:\WINDOWS\system32\nvrsde.dll
- 2006-10-22 10:22:00 274,432 ------w C:\WINDOWS\system32\nvrsel.dll
+ 2002-11-08 12:22:00 241,664 ----a-w C:\WINDOWS\system32\nvrsel.dll
- 2006-10-22 10:22:00 241,664 ------w C:\WINDOWS\system32\nvrseng.dll
+ 2002-11-08 12:22:00 258,048 ----a-w C:\WINDOWS\system32\nvrseng.dll
- 2006-10-22 10:22:00 274,432 ------w C:\WINDOWS\system32\nvrses.dll
+ 2002-11-08 12:22:00 245,760 ----a-w C:\WINDOWS\system32\nvrses.dll
- 2006-10-22 10:22:00 241,664 ------w C:\WINDOWS\system32\nvrsfi.dll
+ 2002-11-08 12:22:00 241,664 ----a-w C:\WINDOWS\system32\nvrsfi.dll
- 2006-10-22 10:22:00 278,528 ------w C:\WINDOWS\system32\nvrsfr.dll
+ 2002-11-08 12:22:00 258,048 ----a-w C:\WINDOWS\system32\nvrsfr.dll
- 2006-10-22 10:22:00 323,584 ------w C:\WINDOWS\system32\nvrshe.dll
+ 2002-11-08 12:22:00 299,008 ----a-w C:\WINDOWS\system32\nvrshe.dll
- 2006-10-22 10:22:00 253,952 ------w C:\WINDOWS\system32\nvrshu.dll
+ 2002-11-08 12:22:00 233,472 ----a-w C:\WINDOWS\system32\nvrshu.dll
- 2006-10-22 10:22:00 274,432 ------w C:\WINDOWS\system32\nvrsit.dll
+ 2002-11-08 12:22:00 258,048 ----a-w C:\WINDOWS\system32\nvrsit.dll
- 2006-10-22 10:22:00 262,144 ------w C:\WINDOWS\system32\nvrsja.dll
+ 2002-11-08 12:22:00 3,477,504 ----a-w C:\WINDOWS\system32\nvrsja.dll
- 2006-10-22 10:22:00 258,048 ------w C:\WINDOWS\system32\nvrsko.dll
+ 2002-11-08 12:22:00 221,184 ----a-w C:\WINDOWS\system32\nvrsko.dll
- 2006-10-22 10:22:00 266,240 ------w C:\WINDOWS\system32\nvrsnl.dll
+ 2002-11-08 12:22:00 253,952 ----a-w C:\WINDOWS\system32\nvrsnl.dll
- 2006-10-22 10:22:00 249,856 ------w C:\WINDOWS\system32\nvrsno.dll
+ 2002-11-08 12:22:00 245,760 ----a-w C:\WINDOWS\system32\nvrsno.dll
- 2006-10-22 10:22:00 249,856 ------w C:\WINDOWS\system32\nvrspl.dll
+ 2002-11-08 12:22:00 233,472 ----a-w C:\WINDOWS\system32\nvrspl.dll
- 2006-10-22 10:22:00 266,240 ------w C:\WINDOWS\system32\nvrspt.dll
+ 2002-11-08 12:22:00 237,568 ----a-w C:\WINDOWS\system32\nvrspt.dll
- 2006-10-22 10:22:00 262,144 ------w C:\WINDOWS\system32\nvrsptb.dll
+ 2002-11-08 12:22:00 253,952 ----a-w C:\WINDOWS\system32\nvrsptb.dll
- 2006-10-22 10:22:00 262,144 ------w C:\WINDOWS\system32\nvrsru.dll
+ 2002-11-08 12:22:00 253,952 ----a-w C:\WINDOWS\system32\nvrsru.dll
- 2006-10-22 10:22:00 249,856 ------w C:\WINDOWS\system32\nvrssk.dll
+ 2002-11-08 12:22:00 237,568 ----a-w C:\WINDOWS\system32\nvrssk.dll
- 2006-10-22 10:22:00 249,856 ------w C:\WINDOWS\system32\nvrssl.dll
+ 2002-11-08 12:22:00 241,664 ----a-w C:\WINDOWS\system32\nvrssl.dll
- 2006-10-22 10:22:00 245,760 ------w C:\WINDOWS\system32\nvrssv.dll
+ 2002-11-08 12:22:00 249,856 ----a-w C:\WINDOWS\system32\nvrssv.dll
- 2006-10-22 10:22:00 249,856 ------w C:\WINDOWS\system32\nvrstr.dll
+ 2002-11-08 12:22:00 249,856 ----a-w C:\WINDOWS\system32\nvrstr.dll
- 2006-10-22 10:22:00 221,184 ------w C:\WINDOWS\system32\nvrszhc.dll
+ 2002-11-08 12:22:00 212,992 ----a-w C:\WINDOWS\system32\nvrszhc.dll
- 2006-10-22 10:22:00 118,784 ------w C:\WINDOWS\system32\nvrszht.dll
+ 2002-11-08 12:22:00 212,992 ----a-w C:\WINDOWS\system32\nvrszht.dll
- 2006-10-22 10:22:00 466,944 ------w C:\WINDOWS\system32\nvshell.dll
+ 2002-11-08 12:22:00 454,727 ----a-w C:\WINDOWS\system32\nvshell.dll
- 2006-10-22 10:22:00 159,810 ------w C:\WINDOWS\system32\nvsvc32.exe
+ 2002-11-08 12:22:00 65,536 ----a-w C:\WINDOWS\system32\nvsvc32.exe
- 2006-10-22 10:22:00 282,624 ------w C:\WINDOWS\system32\nvwrsar.dll
+ 2002-11-08 12:22:00 139,264 ----a-w C:\WINDOWS\system32\nvwrsar.dll
- 2006-10-22 10:22:00 286,720 ------w C:\WINDOWS\system32\nvwrscs.dll
+ 2002-11-08 12:22:00 151,552 ----a-w C:\WINDOWS\system32\nvwrscs.dll
- 2006-10-22 10:22:00 294,912 ------w C:\WINDOWS\system32\nvwrsda.dll
+ 2002-11-08 12:22:00 155,648 ----a-w C:\WINDOWS\system32\nvwrsda.dll
- 2006-10-22 10:22:00 311,296 ------w C:\WINDOWS\system32\nvwrsde.dll
+ 2002-11-08 12:22:00 167,936 ----a-w C:\WINDOWS\system32\nvwrsde.dll
- 2006-10-22 10:22:00 335,872 ------w C:\WINDOWS\system32\nvwrsel.dll
+ 2002-11-08 12:22:00 176,128 ----a-w C:\WINDOWS\system32\nvwrsel.dll
- 2006-10-22 10:22:00 286,720 ------w C:\WINDOWS\system32\nvwrseng.dll
+ 2002-11-08 12:22:00 143,360 ----a-w C:\WINDOWS\system32\nvwrseng.dll
- 2006-10-22 10:22:00 335,872 ------w C:\WINDOWS\system32\nvwrses.dll
+ 2002-11-08 12:22:00 167,936 ----a-w C:\WINDOWS\system32\nvwrses.dll
- 2006-10-22 10:22:00 303,104 ------w C:\WINDOWS\system32\nvwrsfi.dll
+ 2002-11-08 12:22:00 159,744 ----a-w C:\WINDOWS\system32\nvwrsfi.dll
- 2006-10-22 10:22:00 327,680 ------w C:\WINDOWS\system32\nvwrsfr.dll
+ 2002-11-08 12:22:00 163,840 ----a-w C:\WINDOWS\system32\nvwrsfr.dll
- 2006-10-22 10:22:00 278,528 ------w C:\WINDOWS\system32\nvwrshe.dll
+ 2002-11-08 12:22:00 135,168 ----a-w C:\WINDOWS\system32\nvwrshe.dll
- 2006-10-22 10:22:00 315,392 ------w C:\WINDOWS\system32\nvwrshu.dll
+ 2002-11-08 12:22:00 163,840 ----a-w C:\WINDOWS\system32\nvwrshu.dll
- 2006-10-22 10:22:00 323,584 ------w C:\WINDOWS\system32\nvwrsit.dll
+ 2002-11-08 12:22:00 167,936 ----a-w C:\WINDOWS\system32\nvwrsit.dll
- 2006-10-22 10:22:00 212,992 ------w C:\WINDOWS\system32\nvwrsja.dll
+ 2002-11-08 12:22:00 106,496 ----a-w C:\WINDOWS\system32\nvwrsja.dll
- 2006-10-22 10:22:00 196,608 ------w C:\WINDOWS\system32\nvwrsko.dll
+ 2002-11-08 12:22:00 98,304 ----a-w C:\WINDOWS\system32\nvwrsko.dll
- 2006-10-22 10:22:00 319,488 ------w C:\WINDOWS\system32\nvwrsnl.dll
+ 2002-11-08 12:22:00 163,840 ----a-w C:\WINDOWS\system32\nvwrsnl.dll
- 2006-10-22 10:22:00 299,008 ------w C:\WINDOWS\system32\nvwrsno.dll
+ 2002-11-08 12:22:00 151,552 ----a-w C:\WINDOWS\system32\nvwrsno.dll
- 2006-10-22 10:22:00 294,912 ------w C:\WINDOWS\system32\nvwrspl.dll
+ 2002-11-08 12:22:00 159,744 ----a-w C:\WINDOWS\system32\nvwrspl.dll
- 2006-10-22 10:22:00 323,584 ------w C:\WINDOWS\system32\nvwrspt.dll
+ 2002-11-08 12:22:00 167,936 ----a-w C:\WINDOWS\system32\nvwrspt.dll
- 2006-10-22 10:22:00 319,488 ------w C:\WINDOWS\system32\nvwrsptb.dll
+ 2002-11-08 12:22:00 167,936 ----a-w C:\WINDOWS\system32\nvwrsptb.dll
- 2006-10-22 10:22:00 315,392 ------w C:\WINDOWS\system32\nvwrsru.dll
+ 2002-11-08 12:22:00 172,032 ----a-w C:\WINDOWS\system32\nvwrsru.dll
- 2006-10-22 10:22:00 299,008 ------w C:\WINDOWS\system32\nvwrssk.dll
+ 2002-11-08 12:22:00 163,840 ----a-w C:\WINDOWS\system32\nvwrssk.dll
- 2006-10-22 10:22:00 303,104 ------w C:\WINDOWS\system32\nvwrssl.dll
+ 2002-11-08 12:22:00 151,552 ----a-w C:\WINDOWS\system32\nvwrssl.dll
- 2006-10-22 10:22:00 294,912 ------w C:\WINDOWS\system32\nvwrssv.dll
+ 2002-11-08 12:22:00 155,648 ----a-w C:\WINDOWS\system32\nvwrssv.dll
- 2006-10-22 10:22:00 303,104 ------w C:\WINDOWS\system32\nvwrstr.dll
+ 2002-11-08 12:22:00 159,744 ----a-w C:\WINDOWS\system32\nvwrstr.dll
- 2006-10-22 10:22:00 163,840 ------w C:\WINDOWS\system32\nvwrszhc.dll
+ 2002-11-08 12:22:00 81,920 ----a-w C:\WINDOWS\system32\nvwrszhc.dll
- 2006-10-22 10:22:00 167,936 ------w C:\WINDOWS\system32\nvwrszht.dll
+ 2002-11-08 12:22:00 81,920 ----a-w C:\WINDOWS\system32\nvwrszht.dll
- 2006-10-22 10:22:00 1,622,016 ------w C:\WINDOWS\system32\nwiz.exe
+ 2002-11-08 12:22:00 315,392 ----a-w C:\WINDOWS\system32\nwiz.exe
.
-- Snapshot reset to current date --
.
(((((((((((((((((((((((((((((((((( Spousteci body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznamka* prazdne zaznamy & legitimni vychozi udaje nejsou zobrazeny.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\ctfmon.exe" [2002-09-20 20:05 13312]
"MirandaIM"="c:\Program Files\Miranda\miranda32.exe" [2006-07-28 10:11 471633]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-27 19:03 152872]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"egui"="C:\Program Files\Smart Security\egui.exe" [2007-11-14 15:05 1410304]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2002-11-08 14:22 4243456]
"nwiz"="nwiz.exe" [2002-11-08 14:22 315392 C:\WINDOWS\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2002-09-20 20:05 13312]

C:\Documents and Settings\borec\Nabˇdka Start\Programy\Po spuçtŘnˇ\
Outlook Express.lnk - C:\Program Files\Outlook Express\msimn.exe [2004-06-07 16:13:22 56832]
Vyroci.lnk - C:\Program Files\Vyroci\Vyroci.exe [2007-10-06 11:22:58 99328]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.I420"= C:\WINDOWS\System32\i263_32.drv
"vidc.DIV3"= DivXc32.dll
"vidc.DIV4"= DivXc32f.dll
"msacm.divxa32"= DivXa32.acm
"vidc.DIVX"= divxdec.ax
"VIDC.HFYU"= huffyuv.dll
"vidc.i263"= C:\WINDOWS\System32\i263_32.drv
"msacm.imc"= C:\WINDOWS\System32\imc32.acm

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Nabídka Start^Programy^Po spuštění^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Nabídka Start\Programy\Po spuštění\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^borec^Nabídka Start^Programy^Po spuštění^HDDlife.lnk]
path=C:\Documents and Settings\borec\Nabídka Start\Programy\Po spuštění\HDDlife.lnk
backup=C:\WINDOWS\pss\HDDlife.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^borec^Nabídka Start^Programy^Po spuštění^msn_0803_upd041807.exe]
path=C:\Documents and Settings\borec\Nabídka Start\Programy\Po spuštění\msn_0803_upd041807.exe
backup=C:\WINDOWS\pss\msn_0803_upd041807.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PC Dynamics SdwMon32]
--a------ 2002-03-02 20:34 73728 C:\PROGRA~1\SAFEHO~1\SdwMon32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SafeHouseSystemTray]
--a------ 2002-03-02 20:52 155648 C:\PROGRA~1\SAFEHO~1\SdwTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"NVSvc"=2 (0x2)

R1 SafDskNT;SafDskNT;C:\WINDOWS\System32\drivers\SafDskNT.sys [2002-03-02 20:34]
R2 HWiNFO32;HWiNFO32 Kernel Driver;C:\Program Files\HWiNFO32\HWiNFO32.SYS [2004-01-24 15:47]
R2 OkiPar;OkiPar;C:\WINDOWS\System32\DRIVERS\OKIPAR.SYS [2001-10-02 11:54]
R3 PSched;Plánovač paketů technologie QoS;C:\WINDOWS\System32\DRIVERS\psched.sys [2002-08-29 03:35]
S3 gtcdcmdm;GTRAN USB CDC Driver (PID 3196);C:\WINDOWS\System32\DRIVERS\gtusbmdm_gpc6400.sys [2004-06-11 17:44]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

*Newly Created Service* - NVSVC
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-02 13:31:23
Windows 5.1.2600 Service Pack 1 NTFS

skenovani skrytych procesu ...

skenovani skrytych polozek 'Po spusteni' ...

skenovani skrytych souboru ...

sken byl uspesne dokoncen
skryte soubory: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\PSSdk21]
"ImagePath"="\??\C:\WINDOWS\System32\Drivers\HNPsSdk.drv"
.
Celkovy cas: 2008-09-02 13:35:10
ComboFix-quarantined-files.txt 2008-09-02 11:35:00
ComboFix2.txt 2008-09-02 09:14:47

Pre-Run: 1,534,541,824
Post-Run: 1,532,506,112

273

[JanH.]

Otevřete si Poznámkový blok a zkopírujte do něj text (z bílého políčka):

Kód: Vybrat vše

REGEDIT4

[-HKLM\~\startupfolder\C:^Documents and Settings^borec^Nabídka Start^Programy^Po spuštění^msn_0803_upd041807.exe]

Nyní uložte jako (typ: všechny soubory) kde za název souboru zadáte "smazani.reg" bez uvozovek, klik na uložit, pak na soubor standardně 2X kliknete a potvrďte dialogové okno.


a ted se vrhnem na ten mbr...

dej instlacni cd do mechaniky restart pc dej bootvat pres nej vyber opravit a tam napis do konzole fixmbr

nebo-> fixmbr \Device\HardDisk0


restart pc a novy log z Mbr


tohle tam je stale:
C:\WINDOWS\System32\Drivers\HNPsSdk.drv

tak to otestuj na virustotalu