zase ROOTKIT

Zpráva

brankar · #16 Příspěvek od **brankar** » 21 lis 2009 18:29

TADY JE LOG Z OTMoveIt3

All processes killed
========== PROCESSES ==========
No active process named explorer.exe was found!
Error: Unable to interpret <:file> in the current context!
Error: Unable to interpret <c:\windows\system32\wmllyzdn.dll> in the current context!
Error: Unable to interpret <c:\windows\system32\svtomugm.dll> in the current context!
Error: Unable to interpret <c:\windows\system32\fpextqfzyboo.dll> in the current context!
========== REGISTRY ==========
Registry key HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1D36201E-9190-4A6B-A776-27C381A5B96D}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1D36201E-9190-4A6B-A776-27C381A5B96D}\ not found.
Registry key HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{815F6964-C399-DA2E-2188-4E353655EFDD}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{815F6964-C399-DA2E-2188-4E353655EFDD}\ not found.
Registry key HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C0873976-C5D1-498B-B0C9-6B47624109FB}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C0873976-C5D1-498B-B0C9-6B47624109FB}\ not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\jafeypukewazc not found.
========== REGISTRY ==========
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Opera cache emptied: 0 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: user
->Temp folder emptied: 246 bytes
->Temporary Internet Files folder emptied: 300446 bytes
->Java cache emptied: 0 bytes
->Opera cache emptied: 1872924 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
Windows Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 2,14 mb

C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

OTM by OldTimer - Version 3.1.2.0 log created on 11212009_182516

Files moved on Reboot...

Registry entries deleted on Reboot...

brankar · #17 Příspěvek od **brankar** » 21 lis 2009 18:41

lomitka vyřešena

brankar · #18 Příspěvek od **brankar** » 21 lis 2009 18:55

při zadaní cd erdnt\hiv-backup <nebo> cd erdnt\subs vypsalo že tato cesta neexistuje

brankar · #19 Příspěvek od **brankar** » 21 lis 2009 19:25

AHOJ TAK JSEM TO RISKNUL A SKUSIL VYPNUTÍ PC VŠE NABĚHLO BEZ POTÍŽÍ

ALE NĚJAKY TEN ŠMEJD TAM URČITĚ POŘÁD BUDE

#20 Příspěvek od **earl** » 22 lis 2009 01:50

VŠE NABĚHLO BEZ POTÍŽÍ

uff...

ALE NĚJAKY TEN ŠMEJD TAM URČITĚ POŘÁD BUDE

je tam rootkit,behem dne ho zrusime.

brankar · #21 Příspěvek od **brankar** » 22 lis 2009 07:40

JOJOJO ZATÍM

#22 Příspěvek od **earl** » 22 lis 2009 13:15

Stahnete MBR ulozte ho na plochu-spustte - vytvori se log mbr.log, vlozte ho cely sem.

brankar · #23 Příspěvek od **brankar** » 22 lis 2009 13:30

tady jsem udělal ještě jednou scan combo fix, comodo začalohlásit Malware@49967178 msgasst84.dll

ComboFix 09-11-21.03 - user 22.11.2009 12:58.30.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1250.420.1029.18.511.259 [GMT 1:00]
Spuštěný z: c:\documents and settings\user\Dokumenty\kikikikikikikikikikikiiá\ComboFix.exe
AV: AVG *On-access scanning disabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: COMODO Antivirus *On-access scanning disabled* (Updated) {043803A5-4F86-4ef7-AFC5-F6E02A79969B}
.

((((((((((((((((((((((((((((((((((((((( Ostatní výmazy )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\user\Data aplikací\Messenger\Drivers\Aud32\msgasst84.dll
c:\program files\Smart-Ads-Solutions
c:\program files\Smart-Ads-Solutions\SmartAds\1.0.27.0\uninstall.exe
c:\windows\system32\dixsjflj.dll

c:\windows\System32\Drivers\vax347s.sys . . . je infikován!!

.
((((((((((((((((((((((((( Soubory vytvořené od 2009-10-22 do 2009-11-22 )))))))))))))))))))))))))))))))
.

2009-11-22 07:24 . 2009-11-22 07:24 -------- d-sh--w- c:\documents and settings\user\IECompatCache
2009-11-22 06:54 . 2009-11-22 06:54 211893 ----a-w- c:\windows\system32\drivers\IsDrv122.sys
2009-11-21 16:31 . 2009-11-21 16:31 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2009-11-20 12:00 . 2009-11-20 12:00 -------- d-----w- c:\program files\ezLife
2009-11-19 12:31 . 2009-11-19 12:31 -------- d-----w- c:\program files\EMCO
2009-11-17 16:39 . 2009-11-21 14:51 -------- d-----w- c:\program files\Bus Simulator
2009-11-16 08:42 . 2009-11-16 08:42 286720 ----a-w- c:\windows\system32\wmllyzdn.dll
2009-11-14 11:02 . 2009-11-14 11:02 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2009-11-14 10:59 . 2009-11-20 11:07 -------- d-sh--w- c:\documents and settings\user\PrivacIE
2009-11-14 10:57 . 2009-11-14 10:57 -------- d-sh--w- c:\documents and settings\user\IETldCache
2009-11-14 10:47 . 2009-10-02 04:44 92160 -c----w- c:\windows\system32\dllcache\iecompat.dll
2009-11-14 10:45 . 2009-11-14 10:49 -------- d-----w- c:\windows\ie8updates
2009-11-14 10:40 . 2009-08-29 07:58 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-11-14 10:40 . 2009-08-29 07:58 594432 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2009-11-14 10:40 . 2009-08-29 07:58 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2009-11-14 10:40 . 2009-08-29 07:58 1985536 -c----w- c:\windows\system32\dllcache\iertutil.dll
2009-11-14 10:40 . 2009-08-29 07:58 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-11-14 10:40 . 2009-08-29 07:58 11069440 -c----w- c:\windows\system32\dllcache\ieframe.dll
2009-11-14 10:37 . 2009-11-14 10:40 -------- dc-h--w- c:\windows\ie8
2009-11-14 09:07 . 2009-11-14 09:07 -------- d-----w- c:\windows\system32\XPSViewer
2009-11-14 09:07 . 2009-11-14 09:07 -------- d-----w- c:\program files\MSBuild
2009-11-14 09:07 . 2009-11-14 09:07 -------- d-----w- c:\program files\Reference Assemblies
2009-11-14 09:06 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-11-14 09:06 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2009-11-14 09:06 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2009-11-14 09:06 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2009-11-14 09:06 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-11-14 09:06 . 2009-11-14 09:07 -------- d-----w- C:\f3cc40b8cb9f581d2518b62b
2009-11-14 09:06 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2009-11-14 09:06 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2009-11-12 14:43 . 2009-11-12 14:45 -------- d-----w- c:\program files\Euro Truck Simulator
2009-11-05 13:42 . 2000-08-19 18:29 268048 ----a-w- c:\windows\system32\dxtmeta2.dll
2009-11-04 16:22 . 2009-11-04 16:23 -------- d-----w- c:\program files\Landwirtschafts-Simulator 2009
2009-10-28 13:45 . 2009-10-28 13:45 -------- d-----w- c:\windows\system32\wbem\Repository
2009-10-26 16:26 . 2004-04-30 08:33 5248 ------w- c:\windows\system32\drivers\vax347s.sys
2009-10-26 12:45 . 2009-10-26 12:45 -------- d-----w- c:\program files\Microsoft Games
2009-10-25 11:12 . 2009-09-10 13:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-25 11:12 . 2009-11-10 19:23 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-25 11:12 . 2009-09-10 13:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-24 11:52 . 2009-10-24 12:00 -------- d--h--w- c:\program files\Zero G Registry
2009-10-24 11:51 . 2009-10-24 11:51 -------- d--h--w- c:\documents and settings\user\InstallAnywhere

.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-21 13:05 . 2009-10-03 14:02 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-11-21 12:30 . 2008-10-17 21:52 -------- d-----w- c:\program files\Java
2009-11-18 20:04 . 2009-09-30 12:41 397312 ----a-w- c:\windows\system32\fpextqfzyboo.dll
2009-11-18 09:41 . 2009-04-21 08:57 171552 ----a-w- c:\windows\system32\guard32.dll
2009-11-18 09:41 . 2009-04-21 08:57 87104 ----a-w- c:\windows\system32\drivers\inspect.sys
2009-11-18 09:41 . 2009-04-21 08:57 25160 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
2009-11-18 09:41 . 2009-04-21 08:57 132808 ----a-w- c:\windows\system32\drivers\cmdguard.sys
2009-11-17 15:06 . 2008-10-17 21:33 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-11-14 09:39 . 2006-03-02 12:00 91866 ----a-w- c:\windows\system32\perfc005.dat
2009-11-14 09:39 . 2006-03-02 12:00 469558 ----a-w- c:\windows\system32\perfh005.dat
2009-11-12 13:07 . 2009-07-12 08:52 -------- d-----w- c:\program files\Fifa Master
2009-11-12 12:31 . 2008-10-26 06:54 -------- d-----w- c:\program files\EA Sports
2009-11-09 13:15 . 2009-10-10 16:24 -------- d-----w- c:\program files\Electronic Arts
2009-10-31 15:19 . 2008-12-22 17:42 -------- d-----w- c:\program files\Sports Interactive
2009-10-23 04:21 . 2009-10-17 05:23 -------- d-----w- c:\program files\Ares
2009-10-22 10:29 . 2009-10-22 10:21 3773087 ----a-w- c:\windows\REGBK05.ZIP
2009-10-21 14:35 . 2009-10-21 14:35 -------- d-----w- c:\program files\2K Sports
2009-10-17 10:40 . 2009-10-16 12:48 -------- d-----w- c:\program files\Freeware PDF Unlocker
2009-10-16 14:12 . 2009-10-16 14:12 -------- d-----w- c:\program files\Intelore
2009-10-14 08:30 . 2009-10-14 08:30 -------- d-----w- c:\program files\7-Zip
2009-10-11 16:36 . 2009-05-18 11:09 1474832 ----a-w- c:\windows\system32\drivers\sfi.dat
2009-10-10 17:15 . 2009-10-10 17:15 721904 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-10-10 04:54 . 2009-10-10 04:53 5073806 ----a-w- c:\windows\REGBK04.ZIP
2009-10-03 15:27 . 2009-10-03 15:27 552 ----a-w- c:\windows\system32\d3d8caps.dat
2009-10-02 20:41 . 2009-10-02 20:39 5067769 ----a-w- c:\windows\REGBK03.ZIP
2009-10-02 19:49 . 2009-05-07 08:35 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-09-21 09:59 . 2009-09-21 09:58 5076455 ----a-w- c:\windows\REGBK02.ZIP
2009-09-11 14:19 . 2008-04-14 12:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:05 . 2008-04-14 12:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-09-04 15:44 . 2009-10-20 16:35 515416 ----a-w- c:\windows\system32\XAudio2_5.dll
2009-09-04 15:44 . 2009-10-20 16:35 238936 ----a-w- c:\windows\system32\xactengine3_5.dll
2009-09-04 15:44 . 2009-04-13 17:44 69464 ----a-w- c:\windows\system32\XAPOFX1_3.dll
2009-09-04 15:29 . 2009-10-20 16:35 235344 ----a-w- c:\windows\system32\d3dx11_42.dll
2009-09-04 15:29 . 2009-10-20 16:35 453456 ----a-w- c:\windows\system32\d3dx10_42.dll
2009-09-04 15:29 . 2009-10-20 16:35 5501792 ----a-w- c:\windows\system32\d3dcsx_42.dll
2009-09-04 15:29 . 2009-10-20 16:35 1974616 ----a-w- c:\windows\system32\D3DCompiler_42.dll
2009-09-04 15:29 . 2009-10-20 16:35 1892184 ----a-w- c:\windows\system32\D3DX9_42.dll
2009-08-29 07:58 . 2008-04-14 12:00 916480 ------w- c:\windows\system32\wininet.dll
2009-08-26 08:02 . 2008-04-14 12:00 247326 ----a-w- c:\windows\system32\strmdll.dll
.

(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxSys"="c:\documents and settings\user\Data aplikací\Messenger\Drivers\IgfxSys.dll" [2009-07-27 186368]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-02-03 61440]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2009-11-18 1800464]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-27 136600]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\SOUNDMAN.EXE [2004-08-30 69632]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 09:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\guard32.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^user^Nabídka Start^Programy^Po spuštění^FIFA 10 Registration.lnk]
backup=c:\windows\pss\FIFA 10 Registration.lnkStartup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Opera\\Opera.exe"=
"c:\\Program Files\\2K Sports\\NBA 2K10\\nba2k10.exe"=
"c:\\Documents and Settings\\user\\Dokumenty\\košikova nba\\nba2k10.exe"=
"c:\\Program Files\\Ares\\Ares.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Sports Interactive\\Football Manager 2010\\fm.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [27.1.2009 10:14 64160]
R0 vax347b;vax347b;c:\windows\system32\drivers\vax347b.sys [30.11.2008 8:18 159616]
R0 vax347s;vax347s;c:\windows\system32\drivers\vax347s.sys [26.10.2009 17:26 5248]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [21.4.2009 9:57 132808]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [17.2.2009 10:43 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [17.2.2009 10:43 55024]
S3 BZKKPQN;BZKKPQN;c:\docume~1\user\LOCALS~1\Temp\BZKKPQN.exe --> c:\docume~1\user\LOCALS~1\Temp\BZKKPQN.exe [?]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [17.2.2009 10:43 7408]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [10.10.2009 18:15 721904]
.
.
------- Doplňkový sken -------
.
uDefault_Search_URL = hxxp://www.google.com
uStart Page = hxxp://www.seznam.cz/
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xportovat do aplikace Microsoft Office Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: {7E1B775D-FB9F-4945-8B6B-60D8BA4F52C7} = 10.1.1.1
.
- - - - NEPLATNÉ POLOŽKY ODSTRANĚNÉ Z REGISTRU - - - -

BHO-{18D71A5D-B28D-4210-8BD0-A7722F9A6DA9} - c:\windows\system32\dixsjflj.dll
BHO-{815F6964-C399-DA2E-2188-4E353655EFDD} - (no file)
BHO-{C0873976-C5D1-498B-B0C9-6B47624109FB} - (no file)
AddRemove-Smart-Ads-Solutions - c:\program files\Smart-Ads-Solutions\SmartAds\1.0.27.0\uninstall.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-22 13:12
Windows 5.1.2600 Service Pack 3 NTFS

skenování skrytých procesů ...

skenování skrytých položek 'Po spuštění' ...

skenování skrytých souborů ...

sken byl úspešně dokončen
skryté soubory: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x82812800]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf84e3f28
\Driver\ACPI -> ACPI.sys @ 0xf842fcb8
\Driver\atapi -> 0x82812800
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a05a9
ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a05a9
ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
NDIS: Realtek RTL8139 Family PCI Fast Ethernet NIC -> SendCompleteHandler -> NDIS.sys @ 0xf82dcbd4
PacketIndicateHandler -> NDIS.sys @ 0xf82caa0d
SendHandler -> NDIS.sys @ 0xf82deb40
Warning: possible MBR rootkit infection !
user & kernel MBR OK

**************************************************************************
.
--------------------- ZAMKNUTÉ KLÍČE V REGISTRU ---------------------

[HKEY_USERS\S-1-5-21-1409082233-1580818891-839522115-1004\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-1409082233-1580818891-839522115-1004\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:b7,4a,67,15,5b,a9,6a,5b,cd,e9,29,0d,e8,6d,03,26,ab,ed,d4,03,b1,05,91,
9e,12,18,64,cd,52,6a,9b,30,35,dd,39,6d,c6,2c,07,28,e0,cc,4d,3d,fe,d3,a7,b4,\
"??"=hex:8a,95,0c,91,36,dd,90,2c,2c,e3,05,7a,7a,8f,80,cc

[HKEY_USERS\S-1-5-21-1409082233-1580818891-839522115-1004\Software\SecuROM\License information*]
"datasecu"=hex:fc,f7,b4,e1,1a,0b,8d,1a,2e,05,40,9a,99,2b,d2,8c,d8,5f,96,56,75,
10,34,70,af,7e,01,cb,a4,bb,cf,55,2f,90,0b,28,85,40,55,ae,54,8b,2f,81,7b,89,\
"rkeysecu"=hex:c4,98,f8,f2,a3,e0,a8,86,3b,5f,9f,89,b6,9f,0a,07
.
--------------------- Knihovny navázané na běžící procesy ---------------------

- - - - - - - > 'winlogon.exe'(760)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\Ati2evxx.dll
.
Celkový čas: 2009-11-22 13:17
ComboFix-quarantined-files.txt 2009-11-22 12:17

Před spuštěním: Volných bajtů: 65 647 153 152
Po spuštění: Volných bajtů: 65 604 919 296

Current=1 Default=1 Failed=0 LastKnownGood=6 Sets=1,2,3,4,5,6
- - End Of File - - 40E8753C7588CE3EACA90D6B9E8AE4F9

JDU SKUSIT TEN MBR UŽ JSEM TO SKOUŠEL VČERA ALE NEŠEL SPUSTIT NO UVIDÍME

TAK TEN MBR OPRAVDU NEJDE SPUSTIT JENOM PROBLIKNE

NEPOMOHLO BYTO V NOUZAKU

brankar · #24 Příspěvek od **brankar** » 22 lis 2009 14:08

SKUSIL JSEM TO MBR V NOUZÁKU A NIC
PIŠE dEVIACE-OPENED
SUCCESS -FULLY
USER:MBR READ SUCCESSFULY
KERNEL:MBR READ SUCCESSFULY
USEA KERNEL MBR OK

#25 Příspěvek od **earl** » 22 lis 2009 16:48

Mate Comodo Internet Security - AVG odinstalujte.

Odinstalujte Alcohol120 - po vycisteni pc ho nainstalujete zpet.

Stahnete SPTD ,verzi dle sveho operacniho systemu.

SPTD for Windows (32 bit) nebo (64bit) a ulozte na plochu

spustte,zvolte moznost Uninstall,restartujte PC.

pokud jste tak jeste neucinil(a), presunte Combofix na plochu

otevrete si Poznamkovy blok

do nej zkopirujte skript z nasledujiciho okna:

Kód: Vybrat vše

KillAll::
Collect::
c:\windows\system32\drivers\IsDrv122.sys
c:\windows\system32\wmllyzdn.dll
c:\windows\system32\fpextqfzyboo.dll
c:\documents and settings\user\Data aplikací\Messenger\Drivers\IgfxSys.dll
Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxSys"=-
FCopy::
c:\windows\ServicePackFiles\i386\atapi.sys | c:\windows\system32\drivers\atapi.sys
c:\windows\ServicePackFiles\i386\atapi.sys | c:\windows\system32\dllcache\atapi.sys

ulozte vami vytvoreny textovy soubor jako CFScript.txt na plochu

po ulozeni uchopte vami vytvoreny skript levym tlacitkem mysi a presunte jej nad ikonu Combofixu, nad niz skript upustte:

Obrázek

po aplikaci by na vas mel vyskocit dalsi log, vlozte jej sem

Upozorneni: je mozne, ze po aplikaci skriptu a restartu nenabehnou Windows, v takovem pripade znovu restartujte, po restartu mackejte F8 a zvolte Posledni znamou fukncni konfiguraci

brankar · #26 Příspěvek od **brankar** » 22 lis 2009 17:59

zdravim avg nemam asi poněm zustal nejaky odpad .alcohol 120 to samé

#27 Příspěvek od **earl** » 22 lis 2009 18:00

Tim lip,udelejte zbyvajici kroky.

brankar · #28 Příspěvek od **brankar** » 22 lis 2009 18:07

SPTD ,jsem spustil ale chce to jenom instal unistal je šedivy

#29 Příspěvek od **earl** » 22 lis 2009 18:08

Ok,tzn. ze v systemu uz neni.

Provedte ten skript pro ComboFix.

brankar · #30 Příspěvek od **brankar** » 22 lis 2009 18:32

začina to bejt na posrani combo fix ten skript prilmul ale hned se zapnula opera s bílim pozadi
a ve vyhledavači
file://localhost/C:/Documents%20and%20Settings/user/Plocha/CFScript.txt

VIRY.CZ

zase ROOTKIT

Re: zase ROTKIT

Re: zase ROTKIT

Re: zase ROTKIT

Re: zase ROTKIT

Re: zase ROTKIT

Re: zase ROOTKIT

Re: zase ROOTKIT

Re: zase ROOTKIT

Re: zase ROOTKIT

Re: zase ROOTKIT

Re: zase ROOTKIT

Re: zase ROOTKIT

Re: zase ROOTKIT

Re: zase ROOTKIT

Re: zase ROOTKIT