Win32/Mebroot.K

[Vasekpasek]

Ok, takže log 1:
GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2009-01-02 17:10:35
Windows 5.1.2600 Service Pack 2


---- Disk sectors - GMER 1.0.14 ----

Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior; MBR rootkit code detected <-- ROOTKIT !!!
Disk \Device\Harddisk0\DR0 sector 10: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 32: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 33: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 60: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 61: rootkit-like behavior; malicious code @ sector 0xdf8f900 size 0x1fd
Disk \Device\Harddisk0\DR0 sector 62: rootkit-like behavior; copy of MBR

---- System - GMER 1.0.14 ----

SSDT Vax347b.sys (Plug and Play BIOS Extension/ ) ZwEnumerateKey [0xF73614FE]
SSDT Vax347b.sys (Plug and Play BIOS Extension/ ) ZwEnumerateValueKey [0xF736CD50]

---- Devices - GMER 1.0.14 ----

Device \FileSystem\Ntfs \Ntfs 84A51A38

AttachedDevice \FileSystem\Ntfs \Ntfs amon.sys (Amon monitor/Eset )
AttachedDevice \Driver\Tcpip \Device\Ip nltdi.sys (NetLimiter Driver/Locktime Software)
AttachedDevice \Driver\Tcpip \Device\Tcp nltdi.sys (NetLimiter Driver/Locktime Software)
AttachedDevice \Driver\Tcpip \Device\Udp nltdi.sys (NetLimiter Driver/Locktime Software)
AttachedDevice \Driver\Tcpip \Device\RawIp nltdi.sys (NetLimiter Driver/Locktime Software)

---- Modules - GMER 1.0.14 ----

Module _________ F72C3000-F72DB000 (98304 bytes)

---- Threads - GMER 1.0.14 ----

Thread 4:284 831978D0
Thread 4:288 83184BE0
Thread 4:292 831CCDF0
Thread 4:296 83165110
Thread 4:1072 831978D0
Thread 4:1156 83184BE0
Thread 4:1192 831CCDF0
Thread 4:1212 83165110

---- EOF - GMER 1.0.14 ----


Log 2:
GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2009-01-02 17:51:06
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.14 ----

SSDT Vax347b.sys (Plug and Play BIOS Extension/ ) ZwClose [0xF736CC58]
SSDT Vax347b.sys (Plug and Play BIOS Extension/ ) ZwCreateKey [0xF736CC10]
SSDT Vax347b.sys (Plug and Play BIOS Extension/ ) ZwCreatePagingFile [0xF7360C70]
SSDT Vax347b.sys (Plug and Play BIOS Extension/ ) ZwEnumerateKey [0xF73614FE]
SSDT Vax347b.sys (Plug and Play BIOS Extension/ ) ZwEnumerateValueKey [0xF736CD50]
SSDT Vax347b.sys (Plug and Play BIOS Extension/ ) ZwOpenKey [0xF736CBD4]
SSDT Vax347b.sys (Plug and Play BIOS Extension/ ) ZwQueryKey [0xF736151E]
SSDT Vax347b.sys (Plug and Play BIOS Extension/ ) ZwQueryValueKey [0xF736CCA6]
SSDT Vax347b.sys (Plug and Play BIOS Extension/ ) ZwSetSystemPowerState [0xF736C4F0]

---- Kernel code sections - GMER 1.0.14 ----

PAGE CLASSPNP.SYS!ClassInitialize + F4 F74CE4B2 4 Bytes [ 56, 87, 15, 83 ]
PAGE CLASSPNP.SYS!ClassInitialize + FF F74CE4BD 4 Bytes [ AC, 41, 15, 83 ]
PAGE CLASSPNP.SYS!ClassInitialize + 10A F74CE4C8 4 Bytes [ 68, 87, 15, 83 ]
PAGE CLASSPNP.SYS!ClassInitialize + 111 F74CE4CF 4 Bytes [ 5C, 87, 15, 83 ]
PAGE CLASSPNP.SYS!ClassInitialize + 118 F74CE4D6 4 Bytes [ 62, 87, 15, 83 ]
PAGE ...

---- User code sections - GMER 1.0.14 ----

.text C:\Program Files\Mozilla Firefox\firefox.exe[1272] ADVAPI32.dll!CryptDestroyKey 77DDA544 7 Bytes JMP 00CE2B93
.text C:\Program Files\Mozilla Firefox\firefox.exe[1272] ADVAPI32.dll!CryptDecrypt 77DDA7B1 7 Bytes JMP 00CE2B50
.text C:\Program Files\Mozilla Firefox\firefox.exe[1272] ADVAPI32.dll!CryptEncrypt 77DE1558 7 Bytes JMP 00CE2B14
.text C:\Program Files\Mozilla Firefox\firefox.exe[1272] WS2_32.dll!send 71A9428A 5 Bytes JMP 00CE2985
.text C:\Program Files\Mozilla Firefox\firefox.exe[1272] WS2_32.dll!WSARecv 71A94318 5 Bytes JMP 00CE2A77
.text C:\Program Files\Mozilla Firefox\firefox.exe[1272] WS2_32.dll!recv 71A9615A 5 Bytes JMP 00CE29BD
.text C:\Program Files\Mozilla Firefox\firefox.exe[1272] WS2_32.dll!WSASend 71A96233 5 Bytes JMP 00CE29F5
.text C:\Program Files\Mozilla Firefox\firefox.exe[1272] WS2_32.dll!closesocket 71A99639 5 Bytes JMP 00CE2AF9
.text C:\WINDOWS\Explorer.EXE[1692] ADVAPI32.dll!CryptDestroyKey 77DDA544 7 Bytes JMP 00FE2B93
.text C:\WINDOWS\Explorer.EXE[1692] ADVAPI32.dll!CryptDecrypt 77DDA7B1 7 Bytes JMP 00FE2B50
.text C:\WINDOWS\Explorer.EXE[1692] ADVAPI32.dll!CryptEncrypt 77DE1558 7 Bytes JMP 00FE2B14
.text C:\WINDOWS\Explorer.EXE[1692] WS2_32.dll!send 71A9428A 5 Bytes JMP 00FE2985
.text C:\WINDOWS\Explorer.EXE[1692] WS2_32.dll!WSARecv 71A94318 5 Bytes JMP 00FE2A77
.text C:\WINDOWS\Explorer.EXE[1692] WS2_32.dll!recv 71A9615A 5 Bytes JMP 00FE29BD
.text C:\WINDOWS\Explorer.EXE[1692] WS2_32.dll!WSASend 71A96233 5 Bytes JMP 00FE29F5
.text C:\WINDOWS\Explorer.EXE[1692] WS2_32.dll!closesocket 71A99639 5 Bytes JMP 00FE2AF9
.text C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe[3928] kernel32.dll!SetUnhandledExceptionFilter 7C84467D 5 Bytes JMP 0056DBBD C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe (Windows Live Messenger/Microsoft Corporation)
.text C:\Program Files\totalcmd\TOTALCMD.EXE[4424] advapi32.dll!CryptDestroyKey 77DDA544 7 Bytes JMP 01082B93
.text C:\Program Files\totalcmd\TOTALCMD.EXE[4424] advapi32.dll!CryptDecrypt 77DDA7B1 7 Bytes JMP 01082B50
.text C:\Program Files\totalcmd\TOTALCMD.EXE[4424] advapi32.dll!CryptEncrypt 77DE1558 7 Bytes JMP 01082B14
.text C:\Program Files\totalcmd\TOTALCMD.EXE[4424] WS2_32.dll!send 71A9428A 5 Bytes JMP 01082985
.text C:\Program Files\totalcmd\TOTALCMD.EXE[4424] WS2_32.dll!WSARecv 71A94318 5 Bytes JMP 01082A77
.text C:\Program Files\totalcmd\TOTALCMD.EXE[4424] WS2_32.dll!recv 71A9615A 5 Bytes JMP 010829BD
.text C:\Program Files\totalcmd\TOTALCMD.EXE[4424] WS2_32.dll!WSASend 71A96233 5 Bytes JMP 010829F5
.text C:\Program Files\totalcmd\TOTALCMD.EXE[4424] WS2_32.dll!closesocket 71A99639 5 Bytes JMP 01082AF9

---- Kernel IAT/EAT - GMER 1.0.14 ----

IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisCloseAdapter] [F7189500] xpacket.sys (Filseclab Personal Firewall Kernel Module/Filseclab Corporation)
IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisOpenAdapter] [F71898C0] xpacket.sys (Filseclab Personal Firewall Kernel Module/Filseclab Corporation)
IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisDeregisterProtocol] [F7189890] xpacket.sys (Filseclab Personal Firewall Kernel Module/Filseclab Corporation)
IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisRegisterProtocol] [F7189636] xpacket.sys (Filseclab Personal Firewall Kernel Module/Filseclab Corporation)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisRegisterProtocol] [F7189636] xpacket.sys (Filseclab Personal Firewall Kernel Module/Filseclab Corporation)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisOpenAdapter] [F71898C0] xpacket.sys (Filseclab Personal Firewall Kernel Module/Filseclab Corporation)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisCloseAdapter] [F7189500] xpacket.sys (Filseclab Personal Firewall Kernel Module/Filseclab Corporation)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisDeregisterProtocol] [F7189890] xpacket.sys (Filseclab Personal Firewall Kernel Module/Filseclab Corporation)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisDeregisterProtocol] [F7189890] xpacket.sys (Filseclab Personal Firewall Kernel Module/Filseclab Corporation)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisRegisterProtocol] [F7189636] xpacket.sys (Filseclab Personal Firewall Kernel Module/Filseclab Corporation)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisOpenAdapter] [F71898C0] xpacket.sys (Filseclab Personal Firewall Kernel Module/Filseclab Corporation)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisCloseAdapter] [F7189500] xpacket.sys (Filseclab Personal Firewall Kernel Module/Filseclab Corporation)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisRegisterProtocol] [F7189636] xpacket.sys (Filseclab Personal Firewall Kernel Module/Filseclab Corporation)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisCloseAdapter] [F7189500] xpacket.sys (Filseclab Personal Firewall Kernel Module/Filseclab Corporation)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisOpenAdapter] [F71898C0] xpacket.sys (Filseclab Personal Firewall Kernel Module/Filseclab Corporation)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisDeregisterProtocol] [F7189890] xpacket.sys (Filseclab Personal Firewall Kernel Module/Filseclab Corporation)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter] [F7189500] xpacket.sys (Filseclab Personal Firewall Kernel Module/Filseclab Corporation)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [F71898C0] xpacket.sys (Filseclab Personal Firewall Kernel Module/Filseclab Corporation)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] [F7189636] xpacket.sys (Filseclab Personal Firewall Kernel Module/Filseclab Corporation)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol] [F7189890] xpacket.sys (Filseclab Personal Firewall Kernel Module/Filseclab Corporation)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] [F7189636] xpacket.sys (Filseclab Personal Firewall Kernel Module/Filseclab Corporation)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter] [F71898C0] xpacket.sys (Filseclab Personal Firewall Kernel Module/Filseclab Corporation)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisCloseAdapter] [F7189500] xpacket.sys (Filseclab Personal Firewall Kernel Module/Filseclab Corporation)
IAT \SystemRoot\system32\DRIVERS\nwlnkipx.sys[NDIS.SYS!NdisDeregisterProtocol] [F7189890] xpacket.sys (Filseclab Personal Firewall Kernel Module/Filseclab Corporation)
IAT \SystemRoot\system32\DRIVERS\nwlnkipx.sys[NDIS.SYS!NdisCloseAdapter] [F7189500] xpacket.sys (Filseclab Personal Firewall Kernel Module/Filseclab Corporation)
IAT \SystemRoot\system32\DRIVERS\nwlnkipx.sys[NDIS.SYS!NdisOpenAdapter] [F71898C0] xpacket.sys (Filseclab Personal Firewall Kernel Module/Filseclab Corporation)
IAT \SystemRoot\system32\DRIVERS\nwlnkipx.sys[NDIS.SYS!NdisRegisterProtocol] [F7189636] xpacket.sys (Filseclab Personal Firewall Kernel Module/Filseclab Corporation)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisRegisterProtocol] [F7189636] xpacket.sys (Filseclab Personal Firewall Kernel Module/Filseclab Corporation)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisDeregisterProtocol] [F7189890] xpacket.sys (Filseclab Personal Firewall Kernel Module/Filseclab Corporation)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisCloseAdapter] [F7189500] xpacket.sys (Filseclab Personal Firewall Kernel Module/Filseclab Corporation)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisOpenAdapter] [F71898C0] xpacket.sys (Filseclab Personal Firewall Kernel Module/Filseclab Corporation)

---- Devices - GMER 1.0.14 ----

Device \FileSystem\Ntfs \Ntfs 84A51A38

AttachedDevice \FileSystem\Ntfs \Ntfs amon.sys (Amon monitor/Eset )

Device \FileSystem\InCDfs \InCDFsDisk 84A28BC8

AttachedDevice \Driver\Tcpip \Device\Ip nltdi.sys (NetLimiter Driver/Locktime Software)
AttachedDevice \Driver\Tcpip \Device\Tcp nltdi.sys (NetLimiter Driver/Locktime Software)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 hotcore3.sys (A part of Paragon System Utilities/Paragon Software Group)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 hotcore3.sys (A part of Paragon System Utilities/Paragon Software Group)

Device \FileSystem\Rdbss \Device\FsWrap 848DCFB0
Device \Driver\Cdrom \Device\CdRom1 84790E98

AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 hotcore3.sys (A part of Paragon System Utilities/Paragon Software Group)

Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 8489D390
Device \Driver\atapi \Device\Ide\IdePort0 8489D390
Device \Driver\atapi \Device\Ide\IdePort1 8489D390
Device \Driver\atapi \Device\Ide\IdePort2 8489D390
Device \Driver\atapi \Device\Ide\IdePort3 8489D390
Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-e 8489D390

AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume4 hotcore3.sys (A part of Paragon System Utilities/Paragon Software Group)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume5 hotcore3.sys (A part of Paragon System Utilities/Paragon Software Group)

Device \FileSystem\InCDfs \Device\InCDfsComm 84A28BC8
Device \FileSystem\Srv \Device\LanmanServer 847B0830

AttachedDevice \Driver\Tcpip \Device\Udp nltdi.sys (NetLimiter Driver/Locktime Software)

Device \Driver\Disk \Device\Harddisk0\DR0 83158756

AttachedDevice \Driver\Tcpip \Device\RawIp nltdi.sys (NetLimiter Driver/Locktime Software)

Device \Driver\Disk \Device\Harddisk1\DR3 83158756
Device \Driver\Disk \Device\Harddisk1\DP(1)0-0+4 83158756
Device \Driver\Disk \Device\Harddisk2\DR5 83158756
Device \Driver\Disk \Device\Harddisk3\DR8 83158756
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 84A2ABC8
Device \FileSystem\MRxSmb \Device\LanmanRedirector 84A2ABC8
Device \FileSystem\Npfs \Device\NamedPipe 84A0C770
Device \FileSystem\Msfs \Device\Mailslot 84AB6D40
Device \Driver\Vax347s \Device\Scsi\Vax347s1 84A5CD98
Device \Driver\Vax347s \Device\Scsi\Vax347s1Port4Path0Target0Lun0 84A5CD98
Device \FileSystem\InCDfs \GLOBAL??\BsUDF 84A28BC8
Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer 84B0E558
Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer 84B0E558
Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer 84B0E558
Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer 84B0E558
Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer 84B0E558
Device \FileSystem\Cdfs \Cdfs 847747F8

---- Modules - GMER 1.0.14 ----

Module _________ F72C3000-F72DB000 (98304 bytes)

---- Threads - GMER 1.0.14 ----

Thread 4:284 831978D0
Thread 4:288 83184BE0
Thread 4:292 831CCDF0
Thread 4:296 83165110
Thread 4:1072 831978D0
Thread 4:1156 83184BE0
Thread 4:1192 831CCDF0
Thread 4:1212 83165110

---- Registry - GMER 1.0.14 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\Vax347s\Config\jdgg40
Reg HKLM\SYSTEM\CurrentControlSet\Services\Vax347s\Config\jdgg40@ujdew 0x20 0x02 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\Vax347s\Config\jdgg40@ljej40 0xDD 0xE9 0x31 0xF6 ...
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E9F81423-211E-46B6-9AE0-38568BC5CF6F}@DisplayName Alcohol 120%
Reg HKLM\SOFTWARE\Classes\Installer\Products\32418F9EE1126B64A90E8365B85CFCF6@ProductName Alcohol 120%

---- Disk sectors - GMER 1.0.14 ----

Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior; MBR rootkit code detected <-- ROOTKIT !!!
Disk \Device\Harddisk0\DR0 sector 10: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 32: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 33: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 60: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 61: rootkit-like behavior; malicious code @ sector 0xdf8f900 size 0x1fd
Disk \Device\Harddisk0\DR0 sector 62: rootkit-like behavior; copy of MBR

---- EOF - GMER 1.0.14 ----

Jak si to tak prohlížím, moc se mi to nelíbí...

[stell]

ani mne,

stáhněte MBR - http://www2.gmer.net/mbr/mbr.exe ulož ho na plochu>spust > vytvoří se log mbr.log, vložte ho celý sem.

[Vasekpasek]

Aha a ještě ke všemu jsem slepej... Takže ten požadovaný log je tady:
Stealth MBR rootkit detector 0.2.4 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
MBR rootkit code detected !
malicious code @ sector 0xdf8f900 size 0x1fd !
copy of MBR has been found in sector 62 !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.

[stell]

klik-start-klik-spustit vloz prikaz
"%userprofile%\plocha\mbr" -f stlac[enter]
restart a spust znova mbr.exe novy log vloz sem.

[Vasekpasek]

Stealth MBR rootkit detector 0.2.4 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK

Že by?

[stell]

este pockas kus
Stiahnes z mojho podpisu WEBCUREIT-spravis len EXPRES SKEN ak to budes mat napisat.

[Vasekpasek]

No, cosi to našlo a napsalo
http://img218.imageshack.us/my.php?image=antivirgz2.jpg
Asi to mám potvrdit že?

[stell]

ok,potvrd presne potom sme sli mas infikovanu aj pamat,mozno ze pc pojde do modrej smrti tak sa nezlakni,po restarte pokracujes SDFIX v nudzovom rezime

Pouzijeme SDFIX v Nudzovom rezime>Stiahnes ho stadial:>
>http://downloads.andymanchesta.com/Remo ... /SDFix.exe

Po stazeni je treba spustit exe soubor, v otevrenem okne vyberte umisteni adresare, kam si aplikace nakopiruje potrebne soubory (doporucuji defaultni C:/SDFix)

Restartujte pocitac do nouzoveho rezimu (pri restartu mackejte klavesu F8, pote zvolte z nabidky Stav nouze; pote chvili vyckejte, otevre se vam potvrzovaci okno s nabidkou spusteni zvlastniho diagnostickeho rezimu, ktere potvrdte OK), otevrete vyse zmineny adresar a spustte aplikaci RunThis.bat

po stisku klavesy Y a Enter se spusti samotny sken, netrvajici dele nez pet minut, behem nejz si muzete vychutnat krasne graficke ztvarneni prubehu skenu

pred zacatkem skenu SDFix zazalohuje registry a hosts soubory, v prubehu skenu pak hleda smejdy dle vyse zmineneho seznamu, maze soubory v Tempech a hleda soubory se skrytymi atributy

po ukonceni skenu vas SDFix vyzve ke stisku jakekoli klavesy k potvrzeni restartu

po restartu do jiz klasickeho rezimu se znovu zobrazi okno prikazoveho radku s informaci o dokonceni skenu a vytvareni logu, ktery se po automatickem zavreni okna prikazoveho radku otevre, k dispozici je pak ve vami zvolenem adresari, kde se nachazi SDFix; nese nazev Report.txt; jeho obsah vloz sem.

[Vasekpasek]

Tak ten předchozí napsal, že infekce byla vyléčena (ani to nechtělo restartovat, musel jsem ručně, bluescreen naštěstí nenastal - ale potýkal jsem se s ním v minulosti a nechápal jsem, proč). Výpis z Report.txt:


SDFix: Version 1.240
Run by Vasekpasek on pá 02.01.2009 at 18:47

Microsoft Windows XP [Verze 5.1.2600]
Running From: C:\SDFix

Checking Services :

Name :
{DEF85C80-216A-43ab-AF70-1665EDBE2780}

Path :
\??\C:\WINDOWS\TEMP\F038.tmp

{DEF85C80-216A-43ab-AF70-1665EDBE2780} - Deleted



Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\WINDOWS\Temp\bca4e2da.$$$ - Deleted
C:\WINDOWS\Temp\ed47fa.$ - Deleted
C:\WINDOWS\Temp\fa56d7ec.$$$ - Deleted

Note - Files associated with the MBR Rootkit have been found on this system, to check the PC use the MBR Rootkit Detector by Gmer




Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-02 18:54:45
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Vax347s\Config\jdgg40]
"ujdew"=hex:20,02,00,00,06,ca,88,93,22,24,f8,25,c2,1a,0d,fb,74,ec,a9,ec,c1,..
"ljej40"=hex:38,25,13,07,7d,46,1b,8f,6d,b0,be,98,52,91,64,f8,d2,6b,6f,14,65,..

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Cursors\Schemes]
"\f\1e?r?n?é? ?u?k?a?z?a?t?e?l?e? ?"="C:\WINDOWS\cursors\arrow_r.cur,C:\WINDOWS\cursors\help_r.cur,C:\WINDOWS\cursors\wait_r.cur,C:\WINDOWS\cursors\busy_r.cur,C:\WINDOWS\cursors\cross_r.cur,C:\WINDOWS\cursors\beam_r.cur,C:\WINDOWS\cursors\pen_r.cur,C:\WINDOWS\cursors\no_r.cur,C:\WINDOWS\cursors\size4_r.cur,C:\WINDOWS\cursors\size3_r.cur,C:\WINDOWS\cursors\size2_r.cur,C:\WINDOWS\cursors\size1_r.cur,C:\WINDOWS\cursors\move_r.cur,C:\WINDOWS\cursors\up_r.cur"
"\f\1e?r?n?é? ?u?k?a?z?a?t?e?l?e? ?(?v?e?l?k?é?)?"="C:\WINDOWS\cursors\arrow_rm.cur,C:\WINDOWS\cursors\help_rm.cur,C:\WINDOWS\cursors\wait_rm.cur,C:\WINDOWS\cursors\busy_rm.cur,C:\WINDOWS\cursors\cross_rm.cur,C:\WINDOWS\cursors\beam_rm.cur,C:\WINDOWS\cursors\pen_rm.cur,C:\WINDOWS\cursors\no_rm.cur,C:\WINDOWS\cursors\size4_rm.cur,C:\WINDOWS\cursors\size3_rm.cur,C:\WINDOWS\cursors\size2_rm.cur,C:\WINDOWS\cursors\size1_rm.cur,C:\WINDOWS\cursors\move_rm.cur,C:\WINDOWS\cursors\up_rm.cur"
"\f\1e?r?n?é? ?u?k?a?z?a?t?e?l?e? ?(?n?e?j?v?\e\1t?a\1í?)?"="C:\WINDOWS\cursors\arrow_rl.cur,C:\WINDOWS\cursors\help_rl.cur,C:\WINDOWS\cursors\wait_rl.cur,C:\WINDOWS\cursors\busy_rl.cur,C:\WINDOWS\cursors\cross_rl.cur,C:\WINDOWS\cursors\beam_rl.cur,C:\WINDOWS\cursors\pen_rl.cur,C:\WINDOWS\cursors\no_rl.cur,C:\WINDOWS\cursors\size4_rl.cur,C:\WINDOWS\cursors\size3_rl.cur,C:\WINDOWS\cursors\size2_rl.cur,C:\WINDOWS\cursors\size1_rl.cur,C:\WINDOWS\cursors\move_rl.cur,C:\WINDOWS\cursors\up_rl.cur"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E9F81423-211E-46B6-9AE0-38568BC5CF6F}]
"DisplayName"="Alcohol 120%"

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\Program Files\\Azureus\\Azureus.exe"="C:\\Program Files\\Azureus\\Azureus.exe:*:Enabled:Azureus"
"D:\\Použ. programy\\Miranda - Vasekpasek\\miranda32.exe"="D:\\Použ. programy\\Miranda - Vasekpasek\\miranda32.exe:*:Enabled:Miranda IM"
"D:\\Hry\\Warcraft III\\Warcraft III.exe"="D:\\Hry\\Warcraft III\\Warcraft III.exe:*:Enabled:Warcraft III"
"D:\\Použ. programy\\DC Strong\\sdc205\\StrongDC.exe"="D:\\Použ. programy\\DC Strong\\sdc205\\StrongDC.exe:*:Enabled:StrongDC++"
"D:\\Použ. programy\\Miranda 0.7\\miranda32.exe"="D:\\Použ. programy\\Miranda 0.7\\miranda32.exe:*:Enabled:Miranda IM"
"D:\\Hry\\Warcraft III\\War3.exe"="D:\\Hry\\Warcraft III\\War3.exe:*:Enabled:Warcraft III"
"C:\\Program Files\\Hamachi\\hamachi.exe"="C:\\Program Files\\Hamachi\\hamachi.exe:*:Enabled:Hamachi Client"
"D:\\Použ. programy\\Miranda 0.6\\miranda32.exe"="D:\\Použ. programy\\Miranda 0.6\\miranda32.exe:*:Enabled:Miranda IM"
"C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:µTorrent"
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"="C:\\Program Files\\Mozilla Firefox\\firefox.exe:*:Enabled:Firefox"
"C:\\Program Files\\InterVideo\\DVD6\\WinDVD.exe"="C:\\Program Files\\InterVideo\\DVD6\\WinDVD.exe:*:Enabled:WinDVD"
"C:\\Program Files\\totalcmd\\TOTALCMD.EXE"="C:\\Program Files\\totalcmd\\TOTALCMD.EXE:*:Enabled:Total Commander 32 bit international version, file manager replacement for Windows"
"C:\\Program Files\\ICQLite\\ICQLite.exe"="C:\\Program Files\\ICQLite\\ICQLite.exe:*:Enabled:ICQ Lite"
"C:\\Program Files\\CesarFTP\\Server.exe"="C:\\Program Files\\CesarFTP\\Server.exe:*:Enabled:Server"
"C:\\Documents and Settings\\Vasekpasek\\Plocha\\Miranda pack\\Mir4nda-IM-0.7.1-Pack-v2.0\\miranda32.exe"="C:\\Documents and Settings\\Vasekpasek\\Plocha\\Miranda pack\\Mir4nda-IM-0.7.1-Pack-v2.0\\miranda32.exe:*:Enabled:Miranda IM"
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"="C:\\Program Files\\Google\\Google Talk\\googletalk.exe:*:Enabled:Google Talk"
"C:\\Documents and Settings\\Vasekpasek\\Plocha\\bulanci.exe"="C:\\Documents and Settings\\Vasekpasek\\Plocha\\bulanci.exe:*:Enabled:bulanci"
"D:\\Hry\\AoE\\Age of Empires II\\age2_x1\\age2_x1.exe"="D:\\Hry\\AoE\\Age of Empires II\\age2_x1\\age2_x1.exe:*:Enabled:Age of Empires II Expansion"
"C:\\WINDOWS\\system32\\dplaysvr.exe"="C:\\WINDOWS\\system32\\dplaysvr.exe:*:Enabled:Microsoft DirectPlay Helper"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\FreeCall.com\\FreeCall\\FreeCall.exe"="C:\\Program Files\\FreeCall.com\\FreeCall\\FreeCall.exe:*:Enabled:FreeCall"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"F:\\uTorrent\\0_utorrent.exe"="F:\\uTorrent\\0_utorrent.exe:*:Enabled:µTorrent"
"C:\\Program Files\\Ubisoft\\Funatics\\The Settlers II - 10th Anniversary\\bin\\S2DNG.exe"="C:\\Program Files\\Ubisoft\\Funatics\\The Settlers II - 10th Anniversary\\bin\\S2DNG.exe:*:Enabled:S2DNG"
"C:\\Program Files\\IEPro\\MiniDM.exe"="C:\\Program Files\\IEPro\\MiniDM.exe:*:Enabled:MiniDM"
"D:\\Hry\\Dune 2000\\Dune 2000\\DUNE2000.DAT"="D:\\Hry\\Dune 2000\\Dune 2000\\DUNE2000.DAT:*:Enabled:Dune2000"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"D:\\Downloads\\Miranda 0.6\\miranda32.exe"="D:\\Downloads\\Miranda 0.6\\miranda32.exe:*:Enabled:Miranda IM"
"D:\\Hry\\TTD\\OpenTTD - RC\\openttd.exe"="D:\\Hry\\TTD\\OpenTTD - RC\\openttd.exe:*:Enabled:OpenTTD"
"C:\\Program Files\\BPFTP Server\\G6FTPSrv.exe"="C:\\Program Files\\BPFTP Server\\G6FTPSrv.exe:*:Enabled:BPFTP Server for Internet."
"C:\\Program Files\\RealVNC\\VNC4\\winvnc4.exe"="C:\\Program Files\\RealVNC\\VNC4\\winvnc4.exe:*:Enabled:winvnc4"
"D:\\Miranda Lucka\\MirandaPack\\miranda32.exe"="D:\\Miranda Lucka\\MirandaPack\\miranda32.exe:*:Enabled:Miranda IM"
"\\\\Athlon\\D\\Použ. programy\\Miranda Lucka\\miranda32.exe"="\\\\Athlon\\D\\Použ. programy\\Miranda Lucka\\miranda32.exe:*:Enabled:miranda32.exe"
"C:\\Program Files\\mIRC\\mirc.exe"="C:\\Program Files\\mIRC\\mirc.exe:*:Enabled:mIRC"
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote"
"D:\\Hry\\AoE_New\\age2_x1.exe"="D:\\Hry\\AoE_New\\age2_x1.exe:*:Enabled:Age of Empires II Expansion"
"D:\\Hry\\AoE_New\\empires2.exe"="D:\\Hry\\AoE_New\\empires2.exe:*:Enabled:Age of Empires II"
"D:\\Hry\\AoE_New\\age2_x1\\age2_x1.exe"="D:\\Hry\\AoE_New\\age2_x1\\age2_x1.exe:*:Enabled:Age of Empires II Expansion"
"C:\\Documents and Settings\\Vasekpasek\\Plocha\\winbox.exe"="C:\\Documents and Settings\\Vasekpasek\\Plocha\\winbox.exe:*:Enabled:winbox"
"D:\\Použ. programy\\Miranda qlucka\\MirandaPack\\miranda32.exe"="D:\\Použ. programy\\Miranda qlucka\\MirandaPack\\miranda32.exe:*:Enabled:Miranda IM"
"D:\\Miranda Lucka\\Miranda Lucka\\miranda32.exe"="D:\\Miranda Lucka\\Miranda Lucka\\miranda32.exe:*:Enabled:Miranda IM"
"C:\\Program Files\\Java\\jre1.6.0_05\\bin\\javaw.exe"="C:\\Program Files\\Java\\jre1.6.0_05\\bin\\javaw.exe:*:Enabled:Java(TM) Platform SE binary"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Sun 21 Sep 2008 107,008 ...H. --- "C:\Documents and Settings\Vasekpasek\Data aplikacˇ\Microsoft\Word\~WRL0005.tmp"
Tue 11 Nov 2008 451,584 ...H. --- "C:\Documents and Settings\Vasekpasek\Data aplikacˇ\Microsoft\Word\~WRL0614.tmp"
Mon 5 Nov 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\ea42314f860f5702c15b0ee4cecc20d9\download\BIT29.tmp"

Finished!

[stell]

ok
pokracujes combofixom-suhlasit instalacio RECOVERY KONZOLE

PROSIM CITAJTE POZORNE NAVODY!!!,

Stáhněte na plochu, ukončete všechna aktivní okna a spusťte ComboFix -
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Suhlasit instalacio Konzoly pre zotavenie (Recovery console)


- ComboFix je třeba spustit pod účtem s právy administrátora.
- Po spuštění se zobrazí podmínky užití, potvrďte je stiskem tlačítka Ano;

A este raz >ANO<


- Dále postupujte dle pokynů, během aplikování ComboFixu neklikejte do zobrazujícího se okna

- Po dokončení skenování, trvajícího maximálně 10-15 minut, by měl program vytvořit log - C:\ComboFix.txt, zkopírujte celý jeho obsah do svého threadu na forum


- Před použitím ComboFixu je treba vypnout všechny rezidentní bezpečnostní programy - antiviry, firewally, antispywary. Mohou zasahovat do činnosti ComboFixu, což může způsobit, že nebude fungovat korektně.
V případě detekce antiviru u ComboFixu se jedná o falešný poplach.

[Vasekpasek]

Tu je log
ComboFix 09-01-01.02 - Vasekpasek 2009-01-02 19:16:00.3 - NTFSx86
Systém Microsoft Windows XP Professional 5.1.2600.2.1250.1.1029.18.895.233 [GMT 1:00]
Spuštěný z: c:\documents and settings\Vasekpasek\Plocha\ComboFix.exe
* Vytvořen nový Bod Obnovení
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Ostatní výmazy )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\skinboxer43.dll

.
((((((((((((((((((((((((( Soubory vytvořené od 2008-12-02 do 2009-01-02 )))))))))))))))))))))))))))))))
.

2009-01-02 18:54 . <DIR> c:\documents and settings\Vasekpasek\Data aplikací\WinRAR
2009-01-02 18:43 . 2009-01-02 18:43 <DIR> d-------- c:\windows\ERUNT
2009-01-02 18:36 . 2009-01-02 18:59 <DIR> d-------- C:\SDFix
2009-01-02 18:35 . 2009-01-02 18:36 1,529,241 --a------ C:\SDFix.exe
2009-01-02 18:21 . 2009-01-02 18:21 <DIR> d-------- c:\documents and settings\Vasekpasek\DoctorWeb
2009-01-02 17:06 . 2009-01-02 17:09 250 --a------ c:\windows\gmer.ini
2008-12-31 00:27 . 2008-08-25 16:48 40,496 --a------ c:\windows\system32\drivers\hotcore3.sys
2008-12-31 00:23 . 2008-12-31 00:23 <DIR> d-------- c:\program files\Paragon Software
2008-12-17 01:19 . 2008-12-17 01:19 <DIR> d-------- c:\program files\Classic Menu for Office
2008-12-12 23:32 . 2008-12-12 23:32 <DIR> d-------- c:\windows\system32\LogFiles

.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-02 18:13 --------- d-----w c:\program files\Net Activity Diagram
2009-01-02 17:59 22,528 ----a-w c:\windows\system32\drivers\nhcDriver.sys
2009-01-02 17:08 --------- d-----w c:\documents and settings\Vasekpasek\Data aplikací\Azureus
2009-01-02 16:00 --------- d-----w c:\program files\LogMeIn
2008-12-26 09:46 --------- d-----w c:\program files\Mozilla Thunderbird
2008-12-25 20:11 --------- d-----w c:\program files\Common Files\Adobe
2008-12-25 20:08 --------- d-----w c:\documents and settings\Vasekpasek\Data aplikací\Adobe
2008-12-23 02:33 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-23 02:16 --------- d-----w c:\program files\Wolfram Research
2008-12-13 20:43 --------- d-----w c:\documents and settings\Vasekpasek\Data aplikací\Vso
2008-11-29 00:45 --------- d-----w c:\documents and settings\Vasekpasek\Data aplikací\dvdcss
2008-11-29 00:36 --------- d-----w c:\documents and settings\Vasekpasek\Data aplikací\vlc
2008-11-29 00:33 --------- d-----w c:\program files\VideoLAN
2008-11-26 15:16 --------- d-----w c:\documents and settings\Vasekpasek\Data aplikací\MetaProducts
2008-11-17 12:00 --------- d-----w c:\program files\MirandaPack
2008-11-15 23:19 --------- d-----w c:\documents and settings\Vasekpasek\Data aplikací\uTorrent
2008-11-08 14:19 18,688 ----a-w c:\windows\system32\drivers\nadim.sys
2008-11-06 23:18 --------- d-----w c:\program files\USB Disk Win98 Driver
2008-11-03 06:21 --------- d-----w c:\documents and settings\Vasekpasek\Data aplikací\MegauploadToolbar
2008-10-16 18:35 87,352 ----a-w c:\windows\system32\LMIinit.dll
2008-10-16 18:35 83,288 ----a-w c:\windows\system32\LMIRfsClientNP.dll
2008-10-16 18:35 28,984 ----a-w c:\windows\system32\LMIport.dll
2008-10-16 18:35 23,736 ----a-w c:\windows\system32\lmimirr.dll
2008-10-16 18:35 10,040 ----a-w c:\windows\system32\lmimirr2.dll
2008-10-16 13:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 13:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 13:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 13:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 13:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 13:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 13:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 13:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 13:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 13:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-10-02 04:33 92 ----a-w C:\mswexpvp.sys
2007-12-18 01:32 1,438 ----a-w c:\documents and settings\Vasekpasek\Data aplikací\mdb.bin
2007-11-05 19:34 47,360 ----a-w c:\documents and settings\Vasekpasek\Data aplikací\pcouffin.sys
2007-12-23 19:06 8,784 ----a-w c:\program files\mozilla firefox\plugins\ractrlkeyhook.dll
2007-12-23 19:06 245,408 ----a-w c:\program files\mozilla firefox\plugins\unicows.dll
.

(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-17 15360]
"FreeCall"="c:\program files\freecall.com\freecall\freecall.exe" [2008-09-13 9109296]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-27 152872]
"feedreader.exe"="c:\program files\FeedReader30\feedreader.exe" [2008-02-29 2021888]
"Net Activity Diagram"="c:\program files\Net Activity Diagram\nad.exe" [2008-12-27 1139288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-06-25 8433664]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-06-25 81920]
"SMSERIAL"="c:\program files\Motorola\SMSERIAL\sm56hlpr.exe" [2006-11-22 630784]
"nod32kui"="c:\program files\Eset\nod32kui.exe" [2007-11-01 949376]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 144784]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2007-09-12 63048]
"XFILTER"="c:\program files\Filseclab\xfilter\xfilter.exe" [2005-07-27 897284]
"WinampAgent"="c:\program files\Winamp\Winampa.exe" [2002-03-20 10752]
"ATKHOTKEY"="c:\program files\ATK Hotkey\Hcontrol.exe" [2007-07-12 225280]
"ATKMEDIA"="c:\program files\ASUS\ATK Media\DMEDIA.EXE" [2006-11-02 61440]
"NotebookHardwareControl"="c:\program files\Notebook Hardware Control\nhc.exe" [2007-05-04 2629632]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"Sony Ericsson PC Suite"="c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2005-10-26 159744]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"SecurDisc"="c:\program files\Nero\Nero 7\InCD\NBHGui.exe" [2007-06-25 1629480]
"InCD"="c:\program files\Nero\Nero 7\InCD\InCD.exe" [2007-06-25 1057064]
"pdfFactory Pro Dispatcher v3"="c:\windows\System32\spool\DRIVERS\W32X86\3\fppdis3a.exe" [2007-04-20 503808]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"USB Storage Toolbox"="c:\windows\UMStor\Res.EXE" [2005-09-14 65536]
"RTHDCPL"="RTHDCPL.EXE" [2007-08-20 c:\windows\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [2007-08-03 c:\windows\SkyTel.exe]
"nwiz"="nwiz.exe" [2007-06-25 c:\windows\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-17 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2008-10-16 19:35 87352 c:\windows\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0lsdelete

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Azureus\\Azureus.exe"=
"d:\\Hry\\Warcraft III\\Warcraft III.exe"=
"d:\\Hry\\Warcraft III\\War3.exe"=
"c:\\Program Files\\Hamachi\\hamachi.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\InterVideo\\DVD6\\WinDVD.exe"=
"c:\\Program Files\\totalcmd\\TOTALCMD.EXE"=
"c:\\Program Files\\ICQLite\\ICQLite.exe"=
"c:\\Program Files\\CesarFTP\\Server.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"d:\\Hry\\AoE\\Age of Empires II\\age2_x1\\age2_x1.exe"=
"c:\\WINDOWS\\system32\\dplaysvr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\FreeCall.com\\FreeCall\\FreeCall.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Ubisoft\\Funatics\\The Settlers II - 10th Anniversary\\bin\\S2DNG.exe"=
"c:\\Program Files\\IEPro\\MiniDM.exe"=
"d:\\Hry\\Dune 2000\\Dune 2000\\DUNE2000.DAT"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"d:\\Hry\\TTD\\OpenTTD - RC\\openttd.exe"=
"c:\\Program Files\\BPFTP Server\\G6FTPSrv.exe"=
"c:\\Program Files\\RealVNC\\VNC4\\winvnc4.exe"=
"\\\\Athlon\\D\\Použ. programy\\Miranda Lucka\\miranda32.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"d:\\Hry\\AoE_New\\age2_x1.exe"=
"d:\\Hry\\AoE_New\\empires2.exe"=
"d:\\Hry\\AoE_New\\age2_x1\\age2_x1.exe"=
"c:\\Documents and Settings\\Vasekpasek\\Plocha\\winbox.exe"=
"d:\\Miranda Lucka\\Miranda Lucka\\miranda32.exe"=
"c:\\Program Files\\Java\\jre1.6.0_05\\bin\\javaw.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"12001:UDP"= 12001:UDP:SMART WebServer Handshake Multicast Port

R0 hotcore3;Hotcore helper;c:\windows\system32\DRIVERS\hotcore3.sys [2008-12-31 40496]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-07-30 28544]
R0 XPacket;Filseclab Packet Filter;c:\windows\system32\xpacket.sys [2007-11-08 124752]
R1 nltdi;nltdi;\??\c:\windows\system32\drivers\nltdi.sys [2007-04-23 81688]
R1 nod32drv;nod32drv;c:\windows\system32\drivers\nod32drv.sys [2007-11-01 15424]
R2 LMIInfo;LogMeIn Kernel Information Provider;\??\c:\program files\LogMeIn\x86\RaInfo.sys [2007-09-12 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;\??\c:\windows\system32\drivers\LMIRfsDriver.sys [2007-11-01 47640]
R2 Nadim;NAD Proto Driver;c:\windows\system32\DRIVERS\nadim.sys [2008-11-26 18688]
R2 SMART Web Server;SMART Web Server;c:\program files\SMART Technologies Inc\SMART Board Software\WebServer.exe [2007-04-19 759312]
R2 StkSSrv;Syntek AVStream USB2.0 WebCam Service;c:\windows\System32\StkCSrv.exe [2007-11-01 24576]
R3 ASNDIS5;ASNDIS5 Protocol Driver;\??\c:\progra~1\ATKHOT~1\ASNDIS5.SYS [2007-11-16 16269]
R3 PSched;Plánovač paketů technologie QoS;c:\windows\system32\DRIVERS\psched.sys [2004-08-03 69120]
R3 StkCMini;Syntek AVStream USB2.0 1.3M WebCam;c:\windows\system32\Drivers\StkCMini.sys [2007-11-01 1260672]
S3 w300mgmt;Sony Ericsson W300 USB WMC Device Management Drivers (WDM);c:\windows\system32\DRIVERS\w300mgmt.sys [2008-04-19 87824]
S3 w300obex;Sony Ericsson W300 USB WMC OBEX Interface;c:\windows\system32\DRIVERS\w300obex.sys [2008-04-19 85696]
S4 LMIRfsClientNP;LMIRfsClientNP; []
.
.
------- Doplňkový sken -------
.
uStart Page = about:blank
uInternet Connection Wizard,ShellNext = hxxp://www.mozilla-world.org/cs/products/thunderbird/support
IE: E&xportovat do aplikace Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: E&xportovat do aplikace Microsoft Office Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Save Flash - c:\program files\UnH Solutions\Flash Saving Plugin\FlashSButton.dll/210
IE: {{7E6A20FB-153F-402c-A84B-1A64E1955D3D} - {7E6A20FB-153F-402c-A84B-1A64E1955D3D} - c:\windows\WebIE.dll
IE: {{CC963627-B1DC-40E0-B52A-CF21EE748449} - {CC963627-B1DC-40E0-B52A-CF21EE748450} - c:\windows\WebIE.dll
IE: {{CC963627-B1DC-40E0-B52A-CF21EE748450} - {CC963627-B1DC-40E0-B52A-CF21EE748450} - c:\windows\WebIE.dll
IE: {{CC963627-B1DC-40E0-B52A-CF21EE748451} - {CC963627-B1DC-40E0-B52A-CF21EE748451} - c:\windows\WebIE.dll
IE: {{CC963627-B1DC-40E0-B52A-CF21EE748452} - {CC963627-B1DC-40E0-B52A-CF21EE748452} - c:\windows\WebIE.dll
LSP: c:\windows\system32\imon.dll
LSP: c:\program files\Filseclab\xfilter\XFILTER.DLL
FF - ProfilePath -

ATTENTION: FIREFOX POLICES IS IN FORCE
c:\program files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".cz");
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-02 19:18:04
Windows 5.1.2600 Service Pack 2 NTFS

skenování skrytých procesů ...

skenování skrytých položek 'Po spuštění' ...

skenování skrytých souborů ...

sken byl úspešně dokončen
skryté soubory: 0

**************************************************************************
.
--------------------- Knihovny navázané na běžící procesy ---------------------

- - - - - - - > 'winlogon.exe'(800)
c:\windows\system32\LMIinit.dll
c:\windows\system32\LMIRfsClientNP.dll

- - - - - - - > 'lsass.exe'(860)
c:\windows\system32\imon.dll
c:\program files\Filseclab\xfilter\XFILTER.DLL
.
Celkový čas: 2009-01-02 19:18:59
ComboFix-quarantined-files.txt 2009-01-02 18:18:44
ComboFix2.txt 2007-11-08 19:51:18

P°ed spuÜtýnÝm: 5˙194˙797˙056
Po spuÜtýnÝ: 5,728,714,752

WindowsXP-KB310994-SP2-Pro-BootDisk-CSY.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

209 --- E O F --- 2008-10-24 20:40:55

[stell]

otestujte na VIRUSTOTALu
C:\mswexpvp.sys
(navod prosty: po nacteni stranky kliknete na tlacitko Prochazet , najdete cestu k vyse zminenemu souboru a kliknete na tlacitko Odeslat soubor; dejte skenerum nejakych deset minut; vysledek sem vlozte)

potom start -spustit-vloz prikaz
diskmgmt.msc ok
sprav screenshot a vloz sem

[Vasekpasek]

Otestování dopadlo asi dobře, všude je výsledek proškrtnutý:

Antivirus Verze Poslední aktualizace Výsledek
a-squared 4.0.0.73 2009.01.02 -
AhnLab-V3 2008.12.31.0 2009.01.02 -
AntiVir 7.9.0.45 2009.01.02 -
Authentium 5.1.0.4 2009.01.02 -
Avast 4.8.1281.0 2009.01.02 -
AVG 8.0.0.199 2009.01.02 -
BitDefender 7.2 2009.01.02 -
CAT-QuickHeal 10.00 2009.01.02 -
ClamAV 0.94.1 2009.01.02 -
Comodo 866 2009.01.02 -
DrWeb 4.44.0.09170 2009.01.02 -
eTrust-Vet 31.6.6287 2009.01.01 -
Ewido 4.0 2008.12.31 -
F-Prot 4.4.4.56 2009.01.02 -
F-Secure 8.0.14470.0 2009.01.02 -
Fortinet 3.117.0.0 2009.01.02 -
GData 19 2009.01.02 -
Ikarus T3.1.1.45.0 2009.01.02 -
K7AntiVirus 7.10.572 2009.01.02 -
Kaspersky 7.0.0.125 2009.01.02 -
McAfee 5481 2009.01.02 -
McAfee+Artemis 5482 2009.01.02 -
Microsoft 1.4205 2009.01.02 -
NOD32 3732 2009.01.02 -
Norman 5.80.02 2009.01.02 -
Panda 9.0.0.4 2009.01.02 -
PCTools 4.4.2.0 2009.01.02 -
Prevx1 V2 2009.01.02 -
Rising 21.10.22.00 2008.12.31 -
SecureWeb-Gateway 6.7.6 2009.01.02 -
Sophos 4.37.0 2009.01.02 -
Sunbelt 3.2.1809.2 2008.12.22 -
Symantec 10 2009.01.02 -
TheHacker 6.3.1.4.204 2009.01.02 -
TrendMicro 8.700.0.1004 2009.01.02 -
VBA32 3.12.8.10 2009.01.01 -
ViRobot 2008.12.30.1540 2008.12.31 -
VirusBuster 4.5.11.0 2009.01.01 -
Rozšiřující informace
File size: 92 bytes
MD5...: b3bf9f30614059ac9bbbbe326d61e516
SHA1..: a053c19160f3f7e25887757252361d0f0bb9e84d
SHA256: 8a4b5e9e960c0cba4a02eb3f320d3876bce12b29decc19be127ff722b8db4cc9
SHA512: 168ea275d022371b2a322fd6816f23fad04e3c0d94b04bad40cb673e818d51ca
6dd9d306463e451f16d9d525600fd695e66b5a42a3605ea4cc8249f16abfebae
ssdeep: 3:mElfEsLZtz2gBqkn2/qObDMdV:mEfP9Bfn2CEgn
PEiD..: -
TrID..: File type identification
Unknown!
PEInfo: -

Ještě screen:
http://img227.imageshack.us/my.php?image=diskylh4.jpg
Koukám, že E:\ mám nějak divně rozdělený, to jsem si ani nikdy nevšiml

[stell]

Disk F:\je vylieceny,ok
Podla hlasky NOD a aj na E:\mas MEBROOT k,ale toto bude problem,
lebo podla diskmg je to logicka jednotka
takto otestuj estec raz NODOM a vloz sem presnu hlasku.

[Vasekpasek]

No, předtím házel hlášku o infiltraci, tu teď nehází, ale píše cosi o mbr sectoru 3. fyzického disku, což bude asi problém
http://img227.imageshack.us/my.php?image=nodkq4.jpg
Předtím jsem scanoval NODem 3 (protože jsem měl systém spuštěn z toho druhého disku), kdežto na tomhle mám jen 2.7