Problem s virem Win32/Mebroot.mbr, prosim o kontrolu logu

Zpráva

Garrique · #1 Příspěvek od **Garrique** » 12 led 2010 15:48

Zdravim a prosim o pomoc. V jednom pc mam problem se prihlasit do banky, vzdy vyskoci nevyzadane okno s pokusem o instalaci ActiveX. Pri pokusu o kontrolu pomoci Malwarebyte a SDFix vzdy v konkretnim miste doslo k restartu PC. Pri kontrole HDD v jinem pc mi Eset Smart Security zahlasil vir v MBR sektor 3. fyzickeho disku - Win32/Mebroot.mbr a zaroven zahlasil chybu pri leceni. Vratil jsem hdd zpet, zkusil provest pomoci instalacniho cd prikazy fixboot a fixmbr. Vse fungovalo, ovsem jen do restartu, po restartu tam potvora byla znovu. Nasledne jsem postupoval podle tohoto odkazu http://www.viry.cz/forum/viewtopic.php?f=13&t=65918 , ale dal se mi nedari. Prikladam log z mbr i z RSIT

Predem diky za pomoc

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
copy of MBR has been found in sector 0x012A14C00
malicious code @ sector 0x012A14C03 !
PE file found in sector at 0x012A14C19 !

Logfile of random's system information tool 1.06 (written by random/random)
Run by krogler at 2010-01-12 15:17:17
Systém Microsoft Windows XP Professional Service Pack 3
System drive C: has 141 GB (93%) free of 153 GB
Total RAM: 1015 MB (75% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:32:17, on 12.1.2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16945)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\ctfmon.exe
I:\Kregler mbr\RSIT.exe
C:\Program Files\trend micro\krogler.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.seznam.cz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Program Files\Outlook Express\msimn.exe"
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
O2 - BHO: Podpora odkazu pro Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O8 - Extra context menu item: E&xportovat do aplikace Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 6349163687
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe

--
End of file - 4923 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\MP Scheduled Scan.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
Podpora odkazu pro Adobe PDF Reader - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [2006-10-22 62080]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"=C:\WINDOWS\system32\igfxtray.exe [2007-01-13 131072]
"HotKeysCmds"=C:\WINDOWS\system32\hkcmd.exe [2007-01-13 163840]
"Persistence"=C:\WINDOWS\system32\igfxpers.exe [2007-01-13 135168]
"RemoteControl"=C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe [2006-11-23 56928]
"LanguageShortcut"=C:\Program Files\CyberLink\PowerDVD\Language\Language.exe [2006-12-05 54832]
"NeroFilterCheck"=C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe [2006-01-12 155648]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe [2008-01-11 39792]
"egui"=C:\Program Files\ESET\ESET Smart Security\egui.exe [2009-09-01 1461080]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"=C:\WINDOWS\system32\ctfmon.exe [2008-04-14 15360]
"MSMSGS"=C:\Program Files\Messenger\msmsgs.exe [2004-10-13 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\WINDOWS\system32\igfxdev.dll [2007-01-13 204800]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2009-03-10 265096]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"=C:\PROGRA~1\WINDOW~4\MpShHook.dll [2006-11-03 83224]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WinDefend]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"DisableCAD"=0

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE"="C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"C:\Program Files\SAP\FrontEnd\SAPgui\saplogon.exe"="C:\Program Files\SAP\FrontEnd\SAPgui\saplogon.exe:*:Enabled:SAP Logon for Windows"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\SAP\FrontEnd\SAPgui\saplogon.exe"="C:\Program Files\SAP\FrontEnd\SAPgui\saplogon.exe:*:Enabled:SAP Logon for Windows"

======List of files/folders created in the last 1 months======

2010-01-12 15:17:18 ----D---- C:\Program Files\trend micro
2010-01-12 15:17:17 ----D---- C:\rsit
2010-01-12 14:50:32 ----A---- C:\WINDOWS\mbr.exe
2010-01-12 11:54:28 ----D---- C:\WINDOWS\LastGood
2010-01-12 11:33:16 ----HDC---- C:\WINDOWS\$NtUninstallKB970430$
2010-01-12 11:33:02 ----HDC---- C:\WINDOWS\$NtUninstallKB971737$
2010-01-12 09:55:44 ----N---- C:\WINDOWS\system32\prntvpt.dll
2010-01-12 09:55:43 ----N---- C:\WINDOWS\system32\xpssvcs.dll
2010-01-12 09:55:43 ----N---- C:\WINDOWS\system32\xpsshhdr.dll
2010-01-12 09:55:43 ----D---- C:\ad9dd7aa86203356719e7afc5193
2010-01-12 09:51:23 ----D---- C:\0cedd632fda66675aafad257e2
2010-01-12 09:51:18 ----D---- C:\fec98f9cf93501b8b2ec0af62491af
2010-01-08 12:11:00 ----HDC---- C:\WINDOWS\$NtUninstallKB951376-v2$
2010-01-08 12:10:51 ----HDC---- C:\WINDOWS\$NtUninstallKB952954$
2010-01-08 12:10:41 ----HDC---- C:\WINDOWS\$NtUninstallKB959426$
2010-01-08 12:10:31 ----HDC---- C:\WINDOWS\$NtUninstallKB956803$
2010-01-08 12:10:13 ----HDC---- C:\WINDOWS\$NtUninstallKB958869$
2010-01-08 12:10:05 ----HDC---- C:\WINDOWS\$NtUninstallKB976098-v2$
2010-01-08 12:09:58 ----HDC---- C:\WINDOWS\$NtUninstallKB974318$
2010-01-08 12:09:47 ----HDC---- C:\WINDOWS\$NtUninstallKB951978$
2010-01-08 12:09:38 ----HDC---- C:\WINDOWS\$NtUninstallKB969059$
2010-01-08 12:09:30 ----HDC---- C:\WINDOWS\$NtUninstallKB968816_WM9$
2010-01-08 12:09:23 ----HDC---- C:\WINDOWS\$NtUninstallKB961371-v2$
2010-01-08 12:09:13 ----HDC---- C:\WINDOWS\$NtUninstallKB950974$
2010-01-08 12:08:49 ----HDC---- C:\WINDOWS\$NtUninstallKB954155_WM9$
2010-01-08 12:08:42 ----HDC---- C:\WINDOWS\$NtUninstallKB960225$
2010-01-08 12:08:34 ----HDC---- C:\WINDOWS\$NtUninstallKB956744$
2010-01-08 12:08:25 ----HDC---- C:\WINDOWS\$NtUninstallKB974112$
2010-01-08 12:08:11 ----HDC---- C:\WINDOWS\$NtUninstallKB956572$
2010-01-08 12:08:00 ----HDC---- C:\WINDOWS\$NtUninstallKB956844$
2010-01-08 12:07:51 ----HDC---- C:\WINDOWS\$NtUninstallKB961501$
2010-01-08 12:07:42 ----HDC---- C:\WINDOWS\$NtUninstallKB971633$
2010-01-08 12:07:25 ----HDC---- C:\WINDOWS\$NtUninstallKB975025$
2010-01-08 12:07:13 ----HDC---- C:\WINDOWS\$NtUninstallKB952004$
2010-01-08 12:07:04 ----HDC---- C:\WINDOWS\$NtUninstallKB974571$
2010-01-08 12:06:50 ----HDC---- C:\WINDOWS\$NtUninstallKB976325$
2010-01-08 12:06:34 ----HDC---- C:\WINDOWS\$NtUninstallKB941569$
2010-01-08 12:05:53 ----HDC---- C:\WINDOWS\$NtUninstallKB973687$
2010-01-08 12:05:43 ----HDC---- C:\WINDOWS\$NtUninstallKB950762$
2010-01-08 12:05:33 ----HDC---- C:\WINDOWS\$NtUninstallKB957097$
2010-01-08 12:05:23 ----HDC---- C:\WINDOWS\$NtUninstallKB958687$
2010-01-08 12:05:14 ----HDC---- C:\WINDOWS\$NtUninstallKB952287$
2010-01-08 12:04:56 ----HDC---- C:\WINDOWS\$NtUninstallKB973904$
2010-01-08 12:04:45 ----HDC---- C:\WINDOWS\$NtUninstallKB967715$
2010-01-08 12:04:35 ----HDC---- C:\WINDOWS\$NtUninstallKB973540_WM9$
2010-01-08 12:04:26 ----HDC---- C:\WINDOWS\$NtUninstallKB951066$
2010-01-08 12:04:17 ----HDC---- C:\WINDOWS\$NtUninstallKB974392$
2010-01-08 12:04:10 ----HDC---- C:\WINDOWS\$NtUninstallKB954459$
2010-01-08 12:03:52 ----HDC---- C:\WINDOWS\$NtUninstallKB951748$
2010-01-08 12:03:43 ----HDC---- C:\WINDOWS\$NtUninstallKB970238$
2010-01-08 12:03:33 ----HDC---- C:\WINDOWS\$NtUninstallKB971486$
2010-01-08 12:03:23 ----HDC---- C:\WINDOWS\$NtUninstallKB960803$
2010-01-08 12:03:06 ----HDC---- C:\WINDOWS\$NtUninstallKB973525$
2010-01-08 12:02:58 ----HDC---- C:\WINDOWS\$NtUninstallKB958644$
2010-01-08 12:02:49 ----HDC---- C:\WINDOWS\$NtUninstallKB955069$
2010-01-08 12:02:37 ----HDC---- C:\WINDOWS\$NtUninstallKB956802$
2010-01-08 12:02:12 ----HDC---- C:\WINDOWS\$NtUninstallKB923561$
2010-01-08 12:02:02 ----HDC---- C:\WINDOWS\$NtUninstallKB971961$
2010-01-08 12:01:55 ----HDC---- C:\WINDOWS\$NtUninstallKB975467$
2010-01-08 12:01:46 ----HDC---- C:\WINDOWS\$NtUninstallKB968389$
2010-01-08 12:01:32 ----HDC---- C:\WINDOWS\$NtUninstallKB969947$
2010-01-08 11:04:11 ----RA---- C:\WINDOWS\system32\igfxres.dll
2010-01-08 10:59:49 ----D---- C:\WINDOWS\Prefetch
2010-01-08 10:53:19 ----RAH---- C:\WINDOWS\system32\logonui.exe.manifest
2010-01-08 10:52:50 ----A---- C:\WINDOWS\system32\bitsprx4.dll
2010-01-08 10:51:15 ----A---- C:\WINDOWS\system32\tsgqec.dll
2010-01-08 10:51:15 ----A---- C:\WINDOWS\system32\rhttpaa.dll
2010-01-08 10:51:15 ----A---- C:\WINDOWS\system32\aaclient.dll
2010-01-08 10:44:05 ----RA---- C:\WINDOWS\SETA2.tmp
2010-01-08 10:44:02 ----RA---- C:\WINDOWS\SET96.tmp
2010-01-08 10:44:01 ----RA---- C:\WINDOWS\SET93.tmp
2010-01-07 17:14:49 ----RA---- C:\WINDOWS\SETA1.tmp
2010-01-07 17:14:46 ----RA---- C:\WINDOWS\SET95.tmp
2010-01-07 17:14:44 ----RA---- C:\WINDOWS\SET92.tmp
2010-01-07 15:00:13 ----D---- C:\WINDOWS\system32\cs
2010-01-07 15:00:13 ----D---- C:\WINDOWS\L2Schemas
2010-01-07 14:44:16 ----RA---- C:\WINDOWS\SETA0.tmp
2010-01-07 14:44:13 ----RA---- C:\WINDOWS\SET94.tmp
2010-01-07 14:44:11 ----RA---- C:\WINDOWS\SET91.tmp
2010-01-07 14:22:31 ----A---- C:\WINDOWS\pnplog.txt
2010-01-07 14:10:45 ----A---- C:\WINDOWS\system32\spxcoins.dll
2010-01-07 14:10:45 ----A---- C:\WINDOWS\system32\irclass.dll
2010-01-07 14:10:29 ----RA---- C:\WINDOWS\SETEA.tmp
2010-01-07 14:10:25 ----RA---- C:\WINDOWS\SETDE.tmp
2010-01-07 14:10:23 ----RA---- C:\WINDOWS\SETDD.tmp
2010-01-07 12:46:01 ----D---- C:\WINDOWS\ERUNT
2010-01-07 12:45:26 ----D---- C:\SDFix
2010-01-07 12:40:10 ----D---- C:\Program Files\ToniArts
2010-01-07 12:19:32 ----D---- C:\WINDOWS\system32\appmgmt
2010-01-07 11:45:56 ----D---- C:\Documents and Settings\All Users\Data aplikací\NVIDIA Corporation
2010-01-07 11:39:47 ----A---- C:\WINDOWS\system32\nv4_disp.dll
2010-01-07 11:39:44 ----D---- C:\NVIDIA
2010-01-07 11:30:18 ----D---- C:\Instal
2010-01-07 10:05:58 ----D---- C:\Documents and Settings\krogler\Data aplikací\Mozilla
2010-01-07 10:05:03 ----D---- C:\Program Files\Mozilla Firefox
2010-01-06 12:58:58 ----D---- C:\Program Files\Spybot - Search & Destroy
2010-01-06 12:58:58 ----D---- C:\Documents and Settings\All Users\Data aplikací\Spybot - Search & Destroy
2010-01-06 12:21:48 ----D---- C:\Documents and Settings\krogler\Data aplikací\Malwarebytes
2010-01-06 12:21:43 ----D---- C:\Documents and Settings\All Users\Data aplikací\Malwarebytes
2010-01-06 12:21:42 ----D---- C:\Program Files\Malwarebytes' Anti-Malware

======List of files/folders modified in the last 1 months======

2010-01-12 15:17:18 ----RD---- C:\Program Files
2010-01-12 14:55:24 ----SD---- C:\WINDOWS\Tasks
2010-01-12 14:53:50 ----A---- C:\WINDOWS\ntbtlog.txt
2010-01-12 14:50:32 ----D---- C:\WINDOWS
2010-01-12 14:42:47 ----D---- C:\WINDOWS\Temp
2010-01-12 14:40:07 ----SHD---- C:\WINDOWS\CSC
2010-01-12 14:33:53 ----HD---- C:\WINDOWS\inf
2010-01-12 14:33:52 ----D---- C:\WINDOWS\system32\CatRoot2
2010-01-12 11:54:39 ----A---- C:\WINDOWS\SchedLgU.Txt
2010-01-12 11:54:34 ----D---- C:\WINDOWS\system32\CatRoot
2010-01-12 11:54:33 ----D---- C:\WINDOWS\system32
2010-01-12 11:43:56 ----RSHDC---- C:\WINDOWS\system32\dllcache
2010-01-12 11:43:56 ----D---- C:\WINDOWS\Help
2010-01-12 11:43:56 ----D---- C:\Program Files\Internet Explorer
2010-01-12 11:42:36 ----D---- C:\WINDOWS\system32\cs-cz
2010-01-12 11:42:16 ----HD---- C:\WINDOWS\$hf_mig$
2010-01-12 11:42:02 ----A---- C:\WINDOWS\imsins.BAK
2010-01-12 11:41:45 ----D---- C:\WINDOWS\Microsoft.NET
2010-01-12 11:41:34 ----HDC---- C:\WINDOWS\ie7
2010-01-12 11:36:58 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2010-01-12 11:33:19 ----D---- C:\WINDOWS\system32\drivers
2010-01-12 11:32:39 ----RSD---- C:\WINDOWS\assembly
2010-01-12 10:38:00 ----SHD---- C:\System Volume Information
2010-01-12 09:56:33 ----D---- C:\WINDOWS\system32\XPSViewer
2010-01-12 09:56:33 ----D---- C:\Config.Msi
2010-01-12 09:56:24 ----RSD---- C:\WINDOWS\Fonts
2010-01-12 09:56:17 ----SHD---- C:\WINDOWS\Installer
2010-01-12 09:55:56 ----D---- C:\WINDOWS\system32\spool
2010-01-12 09:54:32 ----D---- C:\WINDOWS\WinSxS
2010-01-12 09:53:43 ----D---- C:\WINDOWS\system32\mui
2010-01-08 13:56:45 ----D---- C:\WINDOWS\system32\wbem
2010-01-08 13:56:43 ----D---- C:\WINDOWS\AppPatch
2010-01-08 12:10:22 ----HDC---- C:\WINDOWS\$NtUninstallKB960859$
2010-01-08 12:09:05 ----HDC---- C:\WINDOWS\$NtUninstallKB971657$
2010-01-08 12:08:57 ----HDC---- C:\WINDOWS\$NtUninstallKB971557$
2010-01-08 12:07:34 ----HDC---- C:\WINDOWS\$NtUninstallKB973869$
2010-01-08 12:06:42 ----HDC---- C:\WINDOWS\$NtUninstallKB973507$
2010-01-08 12:05:07 ----D---- C:\Program Files\Outlook Express
2010-01-08 12:05:06 ----HDC---- C:\WINDOWS\$NtUninstallKB973354$
2010-01-08 12:03:15 ----HDC---- C:\WINDOWS\$NtUninstallKB973815$
2010-01-08 11:03:46 ----A---- C:\WINDOWS\OEWABLog.txt
2010-01-08 11:03:16 ----D---- C:\WINDOWS\Registration
2010-01-08 11:02:31 ----A---- C:\WINDOWS\setuplog.txt
2010-01-08 11:01:53 ----D---- C:\WINDOWS\SoftwareDistribution
2010-01-08 11:00:56 ----D---- C:\WINDOWS\system32\Restore
2010-01-08 10:59:14 ----D---- C:\WINDOWS\system32\config
2010-01-08 10:54:31 ----D---- C:\WINDOWS\security
2010-01-08 10:54:12 ----A---- C:\WINDOWS\ODBCINST.INI
2010-01-08 10:53:49 ----D---- C:\WINDOWS\system32\ias
2010-01-08 10:53:21 ----RD---- C:\WINDOWS\Web
2010-01-08 10:53:13 ----RAH---- C:\WINDOWS\system32\cdplayer.exe.manifest
2010-01-08 10:53:02 ----A---- C:\WINDOWS\win.ini
2010-01-08 10:52:55 ----D---- C:\WINDOWS\srchasst
2010-01-08 10:52:53 ----D---- C:\Program Files\Windows Media Player
2010-01-08 10:52:49 ----D---- C:\Program Files\Movie Maker
2010-01-08 10:52:47 ----D---- C:\WINDOWS\system32\oobe
2010-01-08 10:52:41 ----D---- C:\Program Files\NetMeeting
2010-01-08 10:52:38 ----D---- C:\Program Files\Common Files\System
2010-01-08 10:51:44 ----D---- C:\WINDOWS\system32\Com
2010-01-08 10:51:17 ----D---- C:\Program Files\Windows NT
2010-01-08 10:50:28 ----SH---- C:\boot.ini
2010-01-08 10:44:22 ----A---- C:\WINDOWS\system.ini
2010-01-08 10:44:08 ----ASH---- C:\Documents and Settings\All Users\Data aplikací\desktop.ini
2010-01-07 15:07:29 ----D---- C:\WINDOWS\system32\Setup
2010-01-07 15:07:17 ----D---- C:\WINDOWS\system32\usmt
2010-01-07 15:07:02 ----D---- C:\WINDOWS\ehome
2010-01-07 15:07:01 ----D---- C:\WINDOWS\ime
2010-01-07 15:06:59 ----D---- C:\WINDOWS\Media
2010-01-07 15:06:58 ----D---- C:\WINDOWS\network diagnostic
2010-01-07 15:06:43 ----D---- C:\WINDOWS\PeerNet
2010-01-07 15:06:26 ----D---- C:\WINDOWS\system32\npp
2010-01-07 15:06:16 ----D---- C:\WINDOWS\msagent
2010-01-07 15:02:42 ----D---- C:\WINDOWS\system32\1029
2010-01-07 15:02:27 ----D---- C:\WINDOWS\twain_32
2010-01-07 15:01:40 ----D---- C:\WINDOWS\system32\icsxml
2010-01-07 15:01:08 ----D---- C:\WINDOWS\system32\1033
2010-01-07 15:00:13 ----D---- C:\WINDOWS\Driver Cache
2010-01-07 14:10:45 ----D---- C:\WINDOWS\system
2010-01-07 12:40:10 ----HD---- C:\Program Files\InstallShield Installation Information
2010-01-07 12:38:43 ----SD---- C:\Documents and Settings\krogler\Data aplikací\Microsoft
2010-01-07 11:45:58 ----D---- C:\Program Files\Common Files
2009-12-16 11:29:33 ----D---- C:\Documents and Settings\All Users\Data aplikací\Microsoft Help
2009-12-16 11:28:26 ----D---- C:\Program Files\Common Files\Microsoft Shared
2009-12-16 11:27:48 ----D---- C:\Program Files\Microsoft Works

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 epfwtdi;epfwtdi; C:\WINDOWS\system32\DRIVERS\epfwtdi.sys [2009-09-01 55256]
R3 Epfwndis;Eset Personal Firewall; C:\WINDOWS\system32\DRIVERS\Epfwndis.sys [2009-09-01 32072]
R3 HDAudBus;Ovladač Microsoft UAA pro sběrnici High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2008-04-13 144384]
R3 RTLE8023xp;Realtek 10/100/1000 PCI-E NIC Family NDIS XP Driver; C:\WINDOWS\system32\DRIVERS\Rtenicxp.sys [2007-04-14 94592]
R3 usbehci;Ovladač miniportu rozšířeného radiče hostitele Microsoft USB 2.0; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;Rozbočovač umožnující USB2; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 USBSTOR;Ovladač velkokapacitního paměťového zařízení USB; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
R3 usbuhci;Ovladač Microsoft univerzálního hostitelského řadiče USB od společnosti Microsoft; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-13 20608]
S1 easdrv;easdrv; C:\WINDOWS\system32\DRIVERS\easdrv.sys [2009-09-01 54184]
S1 intelppm;Řadič procesoru Intel; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-14 40192]
S2 eamon;EAMON; C:\WINDOWS\system32\DRIVERS\eamon.sys [2009-09-01 40824]
S2 epfw;epfw; C:\WINDOWS\system32\DRIVERS\epfw.sys [2009-09-01 73760]
S3 catchme;catchme; \??\C:\DOCUME~1\krogler\LOCALS~1\Temp\catchme.sys []
S3 GMSIPCI;GMSIPCI; \??\D:\INSTALL\GMSIPCI.SYS []
S3 HidUsb;Ovladač třídy standardu HID; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
S3 ialm;ialm; C:\WINDOWS\system32\DRIVERS\igxpmp32.sys [2007-01-13 5672032]
S3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\WINDOWS\system32\drivers\RtkHDAud.sys [2007-06-22 4432384]
S3 mbr;mbr; \??\C:\DOCUME~1\krogler\LOCALS~1\Temp\mbr.sys []
S3 mouhid;Ovladač myši standardu HID; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2004-08-18 12160]
S3 NTACCESS;NTACCESS; \??\D:\NTACCESS.sys []
S3 SetupNTGLM7X;SetupNTGLM7X; \??\D:\NTGLM7X.sys []
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []
S4 sr;Ovladač filtru Obnovy systému; C:\WINDOWS\system32\DRIVERS\sr.sys [2008-04-14 73344]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 WinDefend;Windows Defender; C:\Program Files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
S2 ekrn;Eset Service; C:\Program Files\ESET\ESET Smart Security\ekrn.exe [2009-09-01 472280]
S2 LightScribeService;LightScribeService Direct Disc Labeling Service; C:\Program Files\Common Files\LightScribe\LSSrvc.exe [2006-10-19 61440]
S2 RichVideo;Cyberlink RichVideo Service(CRVS); C:\Program Files\CyberLink\Shared Files\RichVideo.exe [2005-08-07 167936]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2008-07-25 34312]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2008-07-25 69632]
S3 EhttpSrv;Eset HTTP Server; C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe [2009-09-01 20680]
S3 NBService;NBService; C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe [2007-01-05 774144]
S3 NMIndexingService;NMIndexingService; C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe [2006-12-23 262144]
S3 odserv;Microsoft Office Diagnostics Service; C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE [2008-11-04 441712]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2006-10-26 145184]
S3 UMWdf;Windows User Mode Driver Framework; C:\WINDOWS\system32\wdfmgr.exe [2004-08-11 38912]

-----------------EOF-----------------

pitimir · #2 Příspěvek od **pitimir** » 12 led 2010 18:51

Ahoj, to heslo bude potom treba zmenit...

Stiahni ComboFix, najlepsie na plochu. Vypni vsetky otvorene aplikacie, ako aj rezidenty antiviru, antispywaru a firewall. Spust program cez ucet s administratorskymi pravami a postupuj podla instrukcii. Cely sken bude trvat cca 10 minut. Pocas neho moze byt PC restartovane. Log, ktory ComboFix vytvori, najdes na adrese "C:\ComboFix.txt".
Ten vloz sem.

Pozor: Kym ComboFix nevytvori log, na nic neklikat, nic nestlacat !!

Garrique · #3 Příspěvek od **Garrique** » 13 led 2010 09:53

Ano, se zmenou hesla pocitam automaticky....
zde je log z Combofixu, spoustel jsem ho v normalnim rezimu

ComboFix 10-01-12.04 - krogler 13.01.2010 9:41.1.2 - x86
Systém Microsoft Windows XP Professional 5.1.2600.3.1250.420.1029.18.1015.567 [GMT 1:00]
Spuštěný z: c:\documents and settings\krogler\Plocha\ComboFix.exe
AV: ESET Smart Security 3.0 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET personal firewall *enabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}
* Rezidentní štít AV je zapnutý

.

((((((((((((((((((((((((( Soubory vytvořené od 2009-12-13 do 2010-01-13 )))))))))))))))))))))))))))))))
.

2010-01-13 08:11 . 2010-01-13 08:13 -------- d-----w- C:\0b72a6ce1d5574f55cea34ef
2010-01-12 14:17 . 2010-01-12 14:32 -------- d-----w- c:\program files\trend micro
2010-01-12 14:17 . 2010-01-12 14:32 -------- d-----w- C:\rsit
2010-01-12 10:42 . 2009-10-29 07:45 52224 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2010-01-12 10:42 . 2009-10-29 07:45 459264 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2010-01-12 10:42 . 2009-10-28 14:36 13824 -c----w- c:\windows\system32\dllcache\ieudinit.exe
2010-01-12 10:42 . 2009-10-29 07:45 6067200 -c----w- c:\windows\system32\dllcache\ieframe.dll
2010-01-12 10:42 . 2009-10-29 07:45 268288 -c----w- c:\windows\system32\dllcache\iertutil.dll
2010-01-12 10:42 . 2009-10-29 07:45 63488 -c----w- c:\windows\system32\dllcache\icardie.dll
2010-01-12 10:42 . 2009-10-29 07:45 380928 -c----w- c:\windows\system32\dllcache\ieapfltr.dll
2010-01-12 10:42 . 2009-06-29 08:33 2452872 -c----w- c:\windows\system32\dllcache\ieapfltr.dat
2010-01-12 08:55 . 2008-07-06 12:06 89088 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\filterpipelineprintproc.dll
2010-01-12 08:55 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2010-01-12 08:55 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2010-01-12 08:55 . 2010-01-12 08:56 -------- d-----w- C:\ad9dd7aa86203356719e7afc5193
2010-01-12 08:55 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2010-01-12 08:55 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2010-01-12 08:55 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2010-01-12 08:55 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2010-01-12 08:55 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2010-01-12 08:55 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\Spool\prtprocs\w32x86\printfilterpipelinesvc.exe
2010-01-12 08:51 . 2010-01-12 08:51 -------- d-----w- C:\0cedd632fda66675aafad257e2
2010-01-12 08:51 . 2010-01-12 08:51 -------- d-----w- C:\fec98f9cf93501b8b2ec0af62491af
2010-01-08 10:57 . 2008-06-14 17:35 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
2010-01-08 10:51 . 2008-10-24 11:21 455296 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2010-01-08 10:49 . 2009-08-04 17:29 2147328 -c----w- c:\windows\system32\dllcache\ntkrnlmp.exe
2010-01-08 10:49 . 2009-08-04 17:29 2025984 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe
2010-01-08 10:49 . 2009-08-04 17:29 2068224 -c----w- c:\windows\system32\dllcache\ntkrnlpa.exe
2010-01-08 10:04 . 2007-01-13 01:49 176128 ----a-r- c:\windows\system32\igfxres.dll
2010-01-08 09:56 . 2008-04-14 12:00 8704 -c--a-w- c:\windows\system32\dllcache\snmptrap.exe
2010-01-08 09:55 . 2008-04-14 12:00 9216 -c--a-w- c:\windows\system32\dllcache\kbdnecat.dll
2010-01-08 09:54 . 2008-04-14 12:00 7168 -c--a-w- c:\windows\system32\dllcache\wamregps.dll
2010-01-08 09:52 . 2008-04-14 12:00 16384 -c--a-w- c:\windows\system32\dllcache\isignup.exe
2010-01-08 09:52 . 2008-04-14 12:00 7168 -c--a-w- c:\windows\system32\dllcache\bitsprx4.dll
2010-01-08 09:52 . 2008-04-14 12:00 7168 ----a-w- c:\windows\system32\bitsprx4.dll
2010-01-08 09:51 . 2008-04-14 12:00 53248 -c--a-w- c:\windows\system32\dllcache\tsgqec.dll
2010-01-08 09:51 . 2008-04-14 12:00 53248 ----a-w- c:\windows\system32\tsgqec.dll
2010-01-08 09:51 . 2008-04-14 12:00 290304 -c--a-w- c:\windows\system32\dllcache\rhttpaa.dll
2010-01-08 09:51 . 2008-04-14 12:00 290304 ----a-w- c:\windows\system32\rhttpaa.dll
2010-01-08 09:51 . 2008-04-14 12:00 136192 -c--a-w- c:\windows\system32\dllcache\aaclient.dll
2010-01-08 09:51 . 2008-04-14 12:00 136192 ----a-w- c:\windows\system32\aaclient.dll
2010-01-07 14:00 . 2010-01-07 14:07 -------- d-----w- c:\windows\L2Schemas
2010-01-07 14:00 . 2010-01-07 14:06 -------- d-----w- c:\windows\system32\cs
2010-01-07 13:10 . 2004-08-18 12:00 24661 -c--a-w- c:\windows\system32\dllcache\spxcoins.dll
2010-01-07 13:10 . 2004-08-18 12:00 24661 ----a-w- c:\windows\system32\spxcoins.dll
2010-01-07 13:10 . 2004-08-18 12:00 13312 -c--a-w- c:\windows\system32\dllcache\irclass.dll
2010-01-07 13:10 . 2004-08-18 12:00 13312 ----a-w- c:\windows\system32\irclass.dll
2010-01-07 11:46 . 2010-01-07 11:46 -------- d-----w- c:\windows\ERUNT
2010-01-07 11:45 . 2010-01-12 13:42 -------- d-----w- C:\SDFix
2010-01-07 11:40 . 2010-01-07 11:40 -------- d-----w- c:\program files\ToniArts
2010-01-07 10:39 . 2004-08-03 21:29 1897408 ----a-w- c:\windows\system32\drivers\nv4_mini.sys
2010-01-07 10:39 . 2008-04-14 07:51 4274816 ----a-w- c:\windows\system32\nv4_disp.dll
2010-01-07 10:39 . 2010-01-07 10:39 -------- d-----w- C:\NVIDIA
2010-01-07 10:30 . 2010-01-07 10:30 -------- d-----w- C:\Instal
2010-01-07 09:06 . 2010-01-07 09:06 0 ----a-w- c:\windows\nsreg.dat
2010-01-06 11:58 . 2010-01-12 08:54 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-01-06 11:21 . 2010-01-07 15:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-06 11:21 . 2010-01-07 15:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-06 11:21 . 2010-01-12 15:27 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-13 08:17 . 2007-08-02 12:00 496148 ----a-w- c:\windows\system32\perfh005.dat
2010-01-13 08:17 . 2007-08-02 12:00 102520 ----a-w- c:\windows\system32\perfc005.dat
2010-01-08 09:51 . 2007-11-29 14:08 22916 ----a-w- c:\windows\system32\emptyregdb.dat
2010-01-07 11:40 . 2007-11-29 15:06 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-12-16 10:27 . 2007-11-30 09:28 -------- d-----w- c:\program files\Microsoft Works
2009-11-02 19:42 . 2009-10-05 06:40 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-10-29 07:45 . 2008-04-14 06:52 832512 ----a-w- c:\windows\system32\wininet.dll
2009-10-29 07:45 . 2008-04-14 06:51 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-10-29 07:45 . 2008-04-14 06:51 17408 ----a-w- c:\windows\system32\corpol.dll
2009-10-21 05:40 . 2008-04-14 06:52 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:40 . 2008-04-14 06:51 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2008-04-13 22:23 265728 ----a-w- c:\windows\system32\drivers\http.sys
2007-12-11 07:55 . 2008-10-16 11:19 3125248 ----a-w- c:\program files\Common Files\sapxlhelper.dll
2007-12-11 07:55 . 2008-10-16 11:19 192512 ----a-w- c:\program files\Common Files\sapconsr3.dll
2007-12-11 07:55 . 2008-10-16 11:19 626688 ----a-w- c:\program files\Common Files\sapconsaccess.dll
2007-12-11 07:55 . 2008-10-16 11:19 1229312 ----a-w- c:\program files\Common Files\SAPActiveXL_nosig.xlt
2007-12-11 07:55 . 2008-10-16 11:19 40960 ----a-w- c:\program files\Common Files\DigitalSignature.ocx
2007-12-11 07:55 . 2008-10-16 11:19 1167872 ----a-w- c:\program files\Common Files\SAPActiveXL.xlt
.

(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-01-13 131072]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-01-13 163840]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-01-13 135168]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2006-11-23 56928]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2006-12-05 54832]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2009-09-01 1461080]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2007-08-02 44544]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\SAP\\FrontEnd\\SAPgui\\saplogon.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:Remote Desktop
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"5177:TCP"= 5177:TCP:Services
"5193:TCP"= 5193:TCP:Services
"2479:TCP"= 2479:TCP:Services
"4114:TCP"= 4114:TCP:Services
"3246:TCP"= 3246:TCP:Services

R2 ekrn;Eset Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [1.9.2009 9:58 472280]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [3.11.2006 18:19 13592]
S3 SetupNTGLM7X;SetupNTGLM7X;\??\d:\ntglm7x.sys --> d:\NTGLM7X.sys [?]

--- Ostatní služby/ovladače v paměti ---

*NewlyCreated* - FONTCACHE3.0.0.0
.
Obsah adresáře 'Naplánované úlohy'

2010-01-13 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 17:20]
.
.
------- Doplňkový sken -------
.
uStart Page = hxxp://www.seznam.cz/
uInternet Connection Wizard,ShellNext = "c:\program files\Outlook Express\msimn.exe"
IE: E&xportovat do aplikace Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\krogler\Data aplikací\Mozilla\Firefox\Profiles\1dmk9wsu.default\

---- NASTAVENÍ FIREFOXU ----
c:\program files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".cz");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-13 09:46
Windows 5.1.2600 Service Pack 3 NTFS

skenování skrytých procesů ...

skenování skrytých položek 'Po spuštění' ...

skenování skrytých souborů ...

sken byl úspešně dokončen
skryté soubory: 0

**************************************************************************
.
Celkový čas: 2010-01-13 09:47:54
ComboFix-quarantined-files.txt 2010-01-13 08:47

Před spuštěním: Volných bajtů: 148 105 920 512
Po spuštění: Volných bajtů: 148 168 355 840

WindowsXP-KB310994-SP2-Pro-BootDisk-CSY.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 0DA977BB74D5A28C068BB954E187095E

pitimir · #4 Příspěvek od **pitimir** » 13 led 2010 14:57

Rootkit tam uz nie je, zostali ta uz len nejake zvysky.

Pouzi:
- Mebroot Fixtool
- EMebRemover

Daj vediet, co najdu.

Garrique · #5 Příspěvek od **Garrique** » 13 led 2010 15:22

ani jeden z tech nastroju nic nenasel, ovsem problem trva.

Garrique · #6 Příspěvek od **Garrique** » 13 led 2010 16:05

jinak pro doplneni - od rana jsem zkusil jsem odinstalovat resp. reinstalovat Eset SS, vymazal jsem vsechny mozny temp soubory, historii IE, cookies, odstranil jsem body obnoveni - stale nic. Ted mi tu bezi online scaner Eset a nasel Win32/PrcView aplikaci...

pitimir · #7 Příspěvek od **pitimir** » 13 led 2010 19:27

Garrique píše:...ovsem problem trva...

Popis to lepsie, prosim. Nod uz nema co hlasit, Mebroot tam nie (len neskodne zbytky).

Garrique · #8 Příspěvek od **Garrique** » 14 led 2010 09:57

pri pokusu o prihlaseni do banky (www.rb.cz) po kliknuti na vstup na ucet vyskoci hlaska o tom, ze byla zablokovana instalace prvku ActiveX. Kdyz na okno kliknu a necham prvek instalovat, objevi se dalsi hlaska, ze Win zablokoval tento sw, protoze se nepodarilo overit vydavatele. Nazev sw - error404.html
Pokud se ted majitel prihlasi do uctu, objevi se dalsi chybova hlaska primo od banky
Proste se potrebuju zbavit toho ActiveX prvku

Jo podobne to probiha i v Mozille, vyzaduje instalaci nejakeho pluginu

pitimir · #9 Příspěvek od **pitimir** » 14 led 2010 13:07

V tom pripade to treba nainstalovat

Podla mna ide o prvok, ktory vyzaduje banka (-> bez neho ta dalej nepusti). Co tak instalacia cez FireFox a celkove pouzivanie alternativneho browsera?

Garrique · #10 Příspěvek od **Garrique** » 14 led 2010 14:11

to pitimir: ty nectes, pisu ze to nainstalovat nejde

Nakonec jsem to vyresil cistou instalaci. Ozvali se mi i z banky a podle info, co mi sdelili byla pravdepodobne nakopnuta Java, kterou jsem tam opravdu nikde nevidel. Takze mozna uzivatel cistil - tohle neznam, nepouzivam, tudiz nepotrebuju a odinstalil ji. Bohuzel nejak se zapomel priznat

Kazdopadne Mebroot tam byl, vyhnat se ho povedlo a banka byl jiny samostatny problem.

Vsem diky, problem povazuju za uzavreny

pitimir · #11 Příspěvek od **pitimir** » 14 led 2010 18:28

No pochopil som to, ze to neslo len v IE...kazdopadne zaujimava podstata problemu

1) Docistime to:

Odinstaluj Combofix:
Start -> Spustit -> (napis) combofix /uninstall

Pouzi T-Cleaner (ak by ho antivirus hlasil ako smejda, nic sa netreba bat, ide len o paranoju AV programu).

Precisti PC CCleanerom (vratane registrov).

Pouzi TFC (spust program a klikni na "Start". Pozor, PC moze byt restartovane).

2) Vloz log z HJT.

V pripade nezrovnalosti sa >>tu<< nachadza navod.

VIRY.CZ

Problem s virem Win32/Mebroot.mbr, prosim o kontrolu logu

Problem s virem Win32/Mebroot.mbr, prosim o kontrolu logu

Re: Problem s virem Win32/Mebroot.mbr, prosim o kontrolu logu

Re: Problem s virem Win32/Mebroot.mbr, prosim o kontrolu logu

Re: Problem s virem Win32/Mebroot.mbr, prosim o kontrolu logu

Re: Problem s virem Win32/Mebroot.mbr, prosim o kontrolu logu

Re: Problem s virem Win32/Mebroot.mbr, prosim o kontrolu logu

Re: Problem s virem Win32/Mebroot.mbr, prosim o kontrolu logu

Re: Problem s virem Win32/Mebroot.mbr, prosim o kontrolu logu

Re: Problem s virem Win32/Mebroot.mbr, prosim o kontrolu logu

Re: Problem s virem Win32/Mebroot.mbr, prosim o kontrolu logu

Re: Problem s virem Win32/Mebroot.mbr, prosim o kontrolu logu