Začervený PC

Zpráva

Macas · #1 Příspěvek od **Macas** » 20 led 2010 22:05

Dobrý večer. Mám zavirovaný PC. Žádám Vás o pomoc. Posílám logy z GMER, GMER 2 a ComboFix. Log z OTL.txt je tak strašně dlouhý, že mi ho jaksi nechce fórum přijmout. Obsahuje asi 130 000 znaků.

GMER log po spuštění programu:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit quick scan 2010-01-20 21:38:03
Windows 5.1.2600 Service Pack 2
Running: gmer.exe; Driver: C:\DOCUME~1\Macasovi\LOCALS~1\Temp\kxtdypow.sys

---- System - GMER 1.0.15 ----

Code \??\C:\DOCUME~1\Macasovi\LOCALS~1\Temp\catchme.sys pIofCallDriver

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET)
AttachedDevice \Driver\Tcpip \Device\Tcp epfwtdir.sys (ESET Antivirus Network Redirector/ESET)

---- Threads - GMER 1.0.15 ----

Thread System [4:360] 81541930

---- EOF - GMER 1.0.15 ----

GMER log:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-01-20 21:51:45
Windows 5.1.2600 Service Pack 2
Running: gmer.exe; Driver: C:\DOCUME~1\Macasovi\LOCALS~1\Temp\kxtdypow.sys

---- System - GMER 1.0.15 ----

SSDT 815438A0 ZwAssignProcessToJobObject
SSDT 81542CB0 ZwOpenProcess
SSDT 815430D0 ZwOpenThread
SSDT 815436D0 ZwSuspendProcess
SSDT 815434F0 ZwSuspendThread
SSDT 81542EE0 ZwTerminateProcess
SSDT 81543310 ZwTerminateThread

Code \??\C:\DOCUME~1\Macasovi\LOCALS~1\Temp\catchme.sys pIofCallDriver

---- Kernel code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xF94E7360, 0x1DE5ED, 0xE8000020]
? C:\DOCUME~1\Macasovi\LOCALS~1\Temp\catchme.sys Systém nemůže nalézt uvedený soubor. !
? C:\WINDOWS\system32\Drivers\PROCEXP113.SYS Systém nemůže nalézt uvedený soubor. !

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[2004] kernel32.dll!SetUnhandledExceptionFilter 7C810386 4 Bytes [C2, 04, 00, 00]
.text C:\Documents and Settings\Macasovi\Local Settings\Data aplikací\Google\Chrome\Application\chrome.exe[2516] ntdll.dll!NtCreateFile + 6 7C90D688 4 Bytes [28, 00, 15, 00]
.text C:\Documents and Settings\Macasovi\Local Settings\Data aplikací\Google\Chrome\Application\chrome.exe[2516] ntdll.dll!NtCreateFile + B 7C90D68D 1 Byte [E2]
.text C:\Documents and Settings\Macasovi\Local Settings\Data aplikací\Google\Chrome\Application\chrome.exe[2516] ntdll.dll!NtOpenFile + 6 7C90DD03 4 Bytes [68, 00, 15, 00]
.text C:\Documents and Settings\Macasovi\Local Settings\Data aplikací\Google\Chrome\Application\chrome.exe[2516] ntdll.dll!NtOpenFile + B 7C90DD08 1 Byte [E2]
.text C:\Documents and Settings\Macasovi\Local Settings\Data aplikací\Google\Chrome\Application\chrome.exe[2516] ntdll.dll!NtOpenProcess + 6 7C90DD81 4 Bytes [A8, 01, 15, 00]
.text C:\Documents and Settings\Macasovi\Local Settings\Data aplikací\Google\Chrome\Application\chrome.exe[2516] ntdll.dll!NtOpenProcess + B 7C90DD86 1 Byte [E2]
.text C:\Documents and Settings\Macasovi\Local Settings\Data aplikací\Google\Chrome\Application\chrome.exe[2516] ntdll.dll!NtOpenProcessToken + 6 7C90DD96 4 Bytes CALL 7B90F29C
.text C:\Documents and Settings\Macasovi\Local Settings\Data aplikací\Google\Chrome\Application\chrome.exe[2516] ntdll.dll!NtOpenProcessToken + B 7C90DD9B 1 Byte [E2]
.text C:\Documents and Settings\Macasovi\Local Settings\Data aplikací\Google\Chrome\Application\chrome.exe[2516] ntdll.dll!NtOpenProcessTokenEx + 6 7C90DDAB 4 Bytes [A8, 02, 15, 00]
.text C:\Documents and Settings\Macasovi\Local Settings\Data aplikací\Google\Chrome\Application\chrome.exe[2516] ntdll.dll!NtOpenProcessTokenEx + B 7C90DDB0 1 Byte [E2]
.text C:\Documents and Settings\Macasovi\Local Settings\Data aplikací\Google\Chrome\Application\chrome.exe[2516] ntdll.dll!NtOpenThread + 6 7C90DDFF 4 Bytes [68, 01, 15, 00]
.text C:\Documents and Settings\Macasovi\Local Settings\Data aplikací\Google\Chrome\Application\chrome.exe[2516] ntdll.dll!NtOpenThread + B 7C90DE04 1 Byte [E2]
.text C:\Documents and Settings\Macasovi\Local Settings\Data aplikací\Google\Chrome\Application\chrome.exe[2516] ntdll.dll!NtOpenThreadToken + 6 7C90DE14 4 Bytes [68, 02, 15, 00]
.text C:\Documents and Settings\Macasovi\Local Settings\Data aplikací\Google\Chrome\Application\chrome.exe[2516] ntdll.dll!NtOpenThreadToken + B 7C90DE19 1 Byte [E2]
.text C:\Documents and Settings\Macasovi\Local Settings\Data aplikací\Google\Chrome\Application\chrome.exe[2516] ntdll.dll!NtOpenThreadTokenEx + 6 7C90DE29 4 Bytes CALL 7B90F330
.text C:\Documents and Settings\Macasovi\Local Settings\Data aplikací\Google\Chrome\Application\chrome.exe[2516] ntdll.dll!NtOpenThreadTokenEx + B 7C90DE2E 1 Byte [E2]
.text C:\Documents and Settings\Macasovi\Local Settings\Data aplikací\Google\Chrome\Application\chrome.exe[2516] ntdll.dll!NtQueryAttributesFile + 6 7C90DEE6 4 Bytes [A8, 00, 15, 00]
.text C:\Documents and Settings\Macasovi\Local Settings\Data aplikací\Google\Chrome\Application\chrome.exe[2516] ntdll.dll!NtQueryAttributesFile + B 7C90DEEB 1 Byte [E2]
.text C:\Documents and Settings\Macasovi\Local Settings\Data aplikací\Google\Chrome\Application\chrome.exe[2516] ntdll.dll!NtQueryFullAttributesFile + 6 7C90DFB8 4 Bytes CALL 7B90F4BD
.text C:\Documents and Settings\Macasovi\Local Settings\Data aplikací\Google\Chrome\Application\chrome.exe[2516] ntdll.dll!NtQueryFullAttributesFile + B 7C90DFBD 1 Byte [E2]
.text C:\Documents and Settings\Macasovi\Local Settings\Data aplikací\Google\Chrome\Application\chrome.exe[2516] ntdll.dll!NtSetInformationFile + 6 7C90E5DF 4 Bytes [28, 01, 15, 00]
.text C:\Documents and Settings\Macasovi\Local Settings\Data aplikací\Google\Chrome\Application\chrome.exe[2516] ntdll.dll!NtSetInformationFile + B 7C90E5E4 1 Byte [E2]
.text C:\Documents and Settings\Macasovi\Local Settings\Data aplikací\Google\Chrome\Application\chrome.exe[2516] ntdll.dll!NtSetInformationThread + 6 7C90E648 4 Bytes [28, 02, 15, 00]
.text C:\Documents and Settings\Macasovi\Local Settings\Data aplikací\Google\Chrome\Application\chrome.exe[2516] ntdll.dll!NtSetInformationThread + B 7C90E64D 1 Byte [E2]
.text C:\Documents and Settings\Macasovi\Local Settings\Data aplikací\Google\Chrome\Application\chrome.exe[2780] ntdll.dll!NtCreateFile + 6 7C90D688 4 Bytes [28, 00, 15, 00]
.text C:\Documents and Settings\Macasovi\Local Settings\Data aplikací\Google\Chrome\Application\chrome.exe[2780] ntdll.dll!NtCreateFile + B 7C90D68D 1 Byte [E2]
.text C:\Documents and Settings\Macasovi\Local Settings\Data aplikací\Google\Chrome\Application\chrome.exe[2780] ntdll.dll!NtOpenFile + 6 7C90DD03 4 Bytes [68, 00, 15, 00]
.text C:\Documents and Settings\Macasovi\Local Settings\Data aplikací\Google\Chrome\Application\chrome.exe[2780] ntdll.dll!NtOpenFile + B 7C90DD08 1 Byte [E2]
.text C:\Documents and Settings\Macasovi\Local Settings\Data aplikací\Google\Chrome\Application\chrome.exe[2780] ntdll.dll!NtOpenProcess + 6 7C90DD81 4 Bytes [A8, 01, 15, 00]
.text C:\Documents and Settings\Macasovi\Local Settings\Data aplikací\Google\Chrome\Application\chrome.exe[2780] ntdll.dll!NtOpenProcess + B 7C90DD86 1 Byte [E2]
.text C:\Documents and Settings\Macasovi\Local Settings\Data aplikací\Google\Chrome\Application\chrome.exe[2780] ntdll.dll!NtOpenProcessToken + 6 7C90DD96 4 Bytes CALL 7B90F29C
.text C:\Documents and Settings\Macasovi\Local Settings\Data aplikací\Google\Chrome\Application\chrome.exe[2780] ntdll.dll!NtOpenProcessToken + B 7C90DD9B 1 Byte [E2]
.text C:\Documents and Settings\Macasovi\Local Settings\Data aplikací\Google\Chrome\Application\chrome.exe[2780] ntdll.dll!NtOpenProcessTokenEx + 6 7C90DDAB 4 Bytes [A8, 02, 15, 00]
.text C:\Documents and Settings\Macasovi\Local Settings\Data aplikací\Google\Chrome\Application\chrome.exe[2780] ntdll.dll!NtOpenProcessTokenEx + B 7C90DDB0 1 Byte [E2]
.text C:\Documents and Settings\Macasovi\Local Settings\Data aplikací\Google\Chrome\Application\chrome.exe[2780] ntdll.dll!NtOpenThread + 6 7C90DDFF 4 Bytes [68, 01, 15, 00]
.text C:\Documents and Settings\Macasovi\Local Settings\Data aplikací\Google\Chrome\Application\chrome.exe[2780] ntdll.dll!NtOpenThread + B 7C90DE04 1 Byte [E2]
.text C:\Documents and Settings\Macasovi\Local Settings\Data aplikací\Google\Chrome\Application\chrome.exe[2780] ntdll.dll!NtOpenThreadToken + 6 7C90DE14 4 Bytes [68, 02, 15, 00]
.text C:\Documents and Settings\Macasovi\Local Settings\Data aplikací\Google\Chrome\Application\chrome.exe[2780] ntdll.dll!NtOpenThreadToken + B 7C90DE19 1 Byte [E2]
.text C:\Documents and Settings\Macasovi\Local Settings\Data aplikací\Google\Chrome\Application\chrome.exe[2780] ntdll.dll!NtOpenThreadTokenEx + 6 7C90DE29 4 Bytes CALL 7B90F330
.text C:\Documents and Settings\Macasovi\Local Settings\Data aplikací\Google\Chrome\Application\chrome.exe[2780] ntdll.dll!NtOpenThreadTokenEx + B 7C90DE2E 1 Byte [E2]
.text C:\Documents and Settings\Macasovi\Local Settings\Data aplikací\Google\Chrome\Application\chrome.exe[2780] ntdll.dll!NtQueryAttributesFile + 6 7C90DEE6 4 Bytes [A8, 00, 15, 00]
.text C:\Documents and Settings\Macasovi\Local Settings\Data aplikací\Google\Chrome\Application\chrome.exe[2780] ntdll.dll!NtQueryAttributesFile + B 7C90DEEB 1 Byte [E2]
.text C:\Documents and Settings\Macasovi\Local Settings\Data aplikací\Google\Chrome\Application\chrome.exe[2780] ntdll.dll!NtQueryFullAttributesFile + 6 7C90DFB8 4 Bytes CALL 7B90F4BD
.text C:\Documents and Settings\Macasovi\Local Settings\Data aplikací\Google\Chrome\Application\chrome.exe[2780] ntdll.dll!NtQueryFullAttributesFile + B 7C90DFBD 1 Byte [E2]
.text C:\Documents and Settings\Macasovi\Local Settings\Data aplikací\Google\Chrome\Application\chrome.exe[2780] ntdll.dll!NtSetInformationFile + 6 7C90E5DF 4 Bytes [28, 01, 15, 00]
.text C:\Documents and Settings\Macasovi\Local Settings\Data aplikací\Google\Chrome\Application\chrome.exe[2780] ntdll.dll!NtSetInformationFile + B 7C90E5E4 1 Byte [E2]
.text C:\Documents and Settings\Macasovi\Local Settings\Data aplikací\Google\Chrome\Application\chrome.exe[2780] ntdll.dll!NtSetInformationThread + 6 7C90E648 4 Bytes [28, 02, 15, 00]
.text C:\Documents and Settings\Macasovi\Local Settings\Data aplikací\Google\Chrome\Application\chrome.exe[2780] ntdll.dll!NtSetInformationThread + B 7C90E64D 1 Byte [E2]

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET)
AttachedDevice \Driver\Tcpip \Device\Tcp epfwtdir.sys (ESET Antivirus Network Redirector/ESET)

---- Threads - GMER 1.0.15 ----

Thread System [4:360] 81541930

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Pro\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x6C 0xC7 0x18 0xB2 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x23 0x1B 0x75 0xBA ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x7D 0xDE 0xE4 0xB5 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Pro\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x6C 0xC7 0x18 0xB2 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x23 0x1B 0x75 0xBA ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x7D 0xDE 0xE4 0xB5 ...
Reg HKLM\SYSTEM\ControlSet002\Services\vqzjwltr@DisplayName Config Support
Reg HKLM\SYSTEM\ControlSet002\Services\vqzjwltr@Type 32
Reg HKLM\SYSTEM\ControlSet002\Services\vqzjwltr@Start 2
Reg HKLM\SYSTEM\ControlSet002\Services\vqzjwltr@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet002\Services\vqzjwltr@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\ControlSet002\Services\vqzjwltr@ObjectName LocalSystem
Reg HKLM\SYSTEM\ControlSet002\Services\vqzjwltr@Description Poskytuje mapova? koncov?ch bod? a r?zn? dal?? slu?by RPC.
Reg HKLM\SYSTEM\ControlSet002\Services\vqzjwltr\Parameters (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\vqzjwltr\Parameters@ServiceDll C:\WINDOWS\system32\uphql.dll

---- EOF - GMER 1.0.15 ----

ComboFix log:

ComboFix 10-01-19.08 - Macasovi 20.01.2010 21:15:19.1.1 - x86
Systém Microsoft Windows XP Professional 5.1.2600.2.1250.420.1029.18.255.100 [GMT 1:00]
Spuštěný z: c:\documents and settings\Macasovi\Plocha\ComboFix.exe
AV: ESET NOD32 Antivirus 4.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
* Rezidentní štít AV je zapnutý

.

((((((((((((((((((((((((((((((((((((((( Ostatní výmazy )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\Macasovi\LOCALS~1\Temp\install_flash_player.exe
c:\windows\logfile32.txt
c:\windows\system32\ieuinit.inf

.
((((((((((((((((((((((((( Soubory vytvořené od 2009-12-20 do 2010-01-20 )))))))))))))))))))))))))))))))
.

2010-01-20 19:13 . 2010-01-20 19:36 16896 ----a-w- C:\sdsd.exe
2010-01-20 19:12 . 2005-02-25 03:34 22752 ----a-w- c:\windows\system32\spupdsvc.exe
2010-01-20 19:12 . 2010-01-20 19:12 -------- d--h--w- c:\windows\$hf_mig$
2010-01-20 19:05 . 2010-01-20 19:04 75264 --sh--r- c:\windows\win7.exe
2010-01-20 19:04 . 2010-01-20 19:04 75264 ----a-w- c:\windows\system32\55.scr
2010-01-20 18:56 . 2010-01-20 18:56 306432 ----a-w- c:\windows\system32\TuneUpDefragService.exe
2010-01-20 18:56 . 2007-12-20 09:41 29440 ----a-w- c:\windows\system32\uxtuneup.dll
2010-01-20 18:56 . 2010-01-20 18:56 -------- d-----w- c:\program files\TuneUp Utilities 2008
2010-01-20 18:54 . 2010-01-20 18:54 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-01-20 18:19 . 2010-01-20 18:19 34563 ----a-w- c:\windows\system32\71.scr
2010-01-19 16:15 . 2001-08-17 20:56 7552 ----a-w- c:\windows\system32\drivers\SONYPVU1.SYS
2010-01-19 15:39 . 2006-05-03 21:53 174592 ----a-w- c:\windows\system32\framedyn.dll
2010-01-19 15:39 . 2003-02-21 17:42 348160 ----a-w- c:\windows\system32\msvcr71.dll
2010-01-19 15:38 . 2010-01-19 15:39 -------- d-----w- c:\windows\system32\Samsung_USB_Drivers
2010-01-19 15:38 . 2006-07-24 15:05 5632 ----a-w- c:\windows\system32\drivers\StarOpen.sys
2010-01-19 15:37 . 2010-01-19 15:37 -------- d-----w- c:\program files\Samsung
2010-01-18 17:06 . 2010-01-19 10:50 -------- d-----w- c:\windows\nview
2010-01-18 17:06 . 2005-08-02 15:35 176128 ----a-w- c:\windows\system32\nvudisp.exe
2010-01-18 17:05 . 2010-01-18 17:05 -------- d-----w- C:\NVIDIA
2010-01-18 16:47 . 2010-01-18 16:47 -------- d-----w- c:\program files\ESET
2010-01-18 16:41 . 2003-06-18 16:31 18944 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\mdippr.dll
2010-01-18 16:41 . 2003-06-18 16:31 17920 ----a-w- c:\windows\system32\mdimon.dll
2010-01-18 16:40 . 2010-01-18 16:40 -------- d-----w- c:\program files\Microsoft ActiveSync
2010-01-18 16:39 . 2010-01-18 16:40 -------- d-----w- c:\windows\SHELLNEW
2010-01-18 16:30 . 2010-01-18 16:36 -------- d-----w- c:\program files\DAEMON Tools Pro
2010-01-18 16:28 . 2010-01-18 16:28 685816 ----a-w- c:\windows\system32\drivers\sptd.sys
2010-01-18 13:45 . 2010-01-18 13:45 -------- d-----w- c:\program files\ICQ6Toolbar
2010-01-18 13:45 . 2010-01-19 15:37 -------- d--h--w- c:\program files\InstallShield Installation Information

.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-18 17:05 . 2010-01-17 13:40 -------- d-----w- c:\program files\Common Files\InstallShield
2010-01-17 19:07 . 2010-01-17 13:25 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2010-01-17 19:07 . 2010-01-17 13:25 2426 ----a-w- c:\windows\pchealth\helpctr\PackageStore\SkuStore.bin
2010-01-17 19:04 . 2010-01-17 13:25 8972 ----a-w- c:\windows\pchealth\helpctr\Config\Cntstore.bin
2010-01-17 13:55 . 2010-01-17 13:55 -------- d-----w- c:\program files\uTorrent
2010-01-17 13:46 . 2010-01-17 13:46 -------- d-----w- c:\program files\VIA Technologies, INC
2010-01-17 13:38 . 2001-10-25 14:00 46016 ----a-w- c:\windows\system32\perfc005.dat
2010-01-17 13:38 . 2001-10-25 14:00 309716 ----a-w- c:\windows\system32\perfh005.dat
2010-01-17 13:28 . 2010-01-17 13:28 -------- d-----w- c:\program files\microsoft frontpage
2010-01-17 13:20 . 2010-01-17 13:20 21812 ----a-w- c:\windows\system32\emptyregdb.dat
.

(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-09-11 2054360]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-08-02 7110656]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-17 15360]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\WINDOWS\\System32\\55.scr"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3580:TCP"= 3580:TCP:dyxyad

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [11.9.2009 7:23 108792]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [11.9.2009 7:26 96408]
R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [11.9.2009 7:24 735960]
S0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [18.1.2010 17:28 685816]
S2 vqzjwltr;Config Support;c:\windows\system32\svchost.exe -k netsvcs [17.8.2004 14:49 14336]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
vqzjwltr
.
Obsah adresáře 'Naplánované úlohy'

2010-01-20 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2008\OneClick.exe [2007-12-21 14:17]
.
.
------- Doplňkový sken -------
.
uStart Page = hxxp://www.seznam.cz/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
.
- - - - NEPLATNÉ POLOŽKY ODSTRANĚNÉ Z REGISTRU - - - -

WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-20 21:19
Windows 5.1.2600 Service Pack 2 NTFS

skenování skrytých procesů ...

skenování skrytých položek 'Po spuštění' ...

skenování skrytých souborů ...

sken byl úspešně dokončen
skryté soubory: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\vqzjwltr]
"ServiceDll"="c:\windows\system32\uphql.dll"
.
Celkový čas: 2010-01-20 21:21:58
ComboFix-quarantined-files.txt 2010-01-20 20:21

Před spuštěním: 881 205 248
Po spuštění: 862 154 752

WindowsXP-KB310994-SP2-Pro-BootDisk-CSY.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - EC4EF2AACF08AFEB8D506B3D2645A124

Děkuji mnohokrát!

#2 Příspěvek od **Rudy** » 20 led 2010 22:28

Otevřte poznámkový blok a zkopírujte do něj:

Driver::
vqzjwltr

Uložte na plochu jako CFScript.txt. Pak jej myší přetáhněte nad ikonu Combofix a pusťte. CF se spustí a vykoná příkaz ze skriptu.

Obrázek

Tento soubor: c:\windows\win7.exe otevsatujte online na www.virustotal.com .

Macas · #3 Příspěvek od **Macas** » 12 úno 2010 18:30

win7.exe to smazalo pres combofix, report jsem nejakou zahadou smazal.

Pripadalo mi, ze to neprobehlo s tim pretazenym scriptem, tak jsem delal novy scan, kde uz se ale nic nesmazalo, neupravilo... tady je log:

ComboFix 10-02-11.04 - Macasovi 12.02.2010 18:20:26.4.1 - x86
Systém Microsoft Windows XP Professional 5.1.2600.2.1250.420.1029.18.255.93 [GMT 1:00]
Spuštěný z: c:\documents and settings\Macasovi\Plocha\ComboFix.exe
Použité ovládací přepínače :: c:\documents and settings\Macasovi\Plocha\CFScript.txt
AV: ESET NOD32 Antivirus 4.0 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
* Rezidentní štít AV je zapnutý

.

((((((((((((((((((((((((( Soubory vytvořené od 2010-01-12 do 2010-02-12 )))))))))))))))))))))))))))))))
.

2010-02-12 16:41 . 2010-02-12 16:41 -------- d-----w- c:\program files\CCleaner
2010-01-31 10:38 . 2010-01-31 10:38 -------- d-----w- c:\documents and settings\Macasovi\AppData
2010-01-28 18:39 . 2010-01-28 18:39 -------- d-----w- C:\suntemp
2010-01-25 12:35 . 2010-02-12 16:34 -------- d-----w- c:\windows\system32\CatRoot_bak
2010-01-25 12:29 . 2009-12-09 10:28 2138112 -c----w- c:\windows\system32\dllcache\ntkrnlmp.exe
2010-01-25 12:29 . 2009-12-09 10:28 2059904 -c----w- c:\windows\system32\dllcache\ntkrnlpa.exe
2010-01-25 12:29 . 2009-12-09 10:28 2182528 -c----w- c:\windows\system32\dllcache\ntoskrnl.exe
2010-01-25 12:29 . 2009-12-09 10:28 2017792 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe
2010-01-24 21:16 . 2010-01-24 21:16 -------- d-----w- c:\windows\system32\KB905474
2010-01-24 21:16 . 2009-03-10 21:26 1435008 ----a-w- c:\windows\system32\KB905474\wganotifypackageinner.exe
2010-01-24 21:16 . 2009-03-10 21:18 454024 ----a-w- c:\windows\system32\KB905474\wgasetup.exe
2010-01-24 21:09 . 2010-01-24 21:09 -------- d-----w- c:\windows\ServicePackFiles
2010-01-24 15:39 . 2008-06-14 18:00 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
2010-01-24 15:39 . 2008-06-14 18:00 272128 ------w- c:\windows\system32\drivers\bthport.sys
2010-01-24 15:34 . 2009-12-04 14:41 453760 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2010-01-21 17:29 . 2010-01-21 17:28 172544 ----a-w- c:\windows\system32\quouvebif.exe
2010-01-21 17:28 . 2010-01-21 17:28 172544 ----a-w- c:\windows\system32\syhyzonnequ.exe
2010-01-21 17:13 . 2010-01-21 17:13 -------- d-----w- c:\program files\Common Files\Adobe
2010-01-20 19:12 . 2008-07-09 07:36 26488 ----a-w- c:\windows\system32\spupdsvc.exe
2010-01-20 19:12 . 2010-02-10 19:29 -------- d--h--w- c:\windows\$hf_mig$
2010-01-19 16:15 . 2001-08-17 20:56 7552 ----a-w- c:\windows\system32\drivers\SONYPVU1.SYS
2010-01-19 15:39 . 2006-05-03 21:53 174592 ----a-w- c:\windows\system32\framedyn.dll
2010-01-19 15:39 . 2003-02-21 17:42 348160 ----a-w- c:\windows\system32\msvcr71.dll
2010-01-19 15:38 . 2010-01-19 15:39 -------- d-----w- c:\windows\system32\Samsung_USB_Drivers
2010-01-19 15:38 . 2006-07-24 15:05 5632 ----a-w- c:\windows\system32\drivers\StarOpen.sys
2010-01-18 17:06 . 2010-01-19 10:50 -------- d-----w- c:\windows\nview
2010-01-18 17:06 . 2005-08-02 15:35 176128 ----a-w- c:\windows\system32\nvudisp.exe
2010-01-18 17:05 . 2010-01-18 17:05 -------- d-----w- C:\NVIDIA
2010-01-18 16:47 . 2010-01-18 16:47 -------- d-----w- c:\program files\ESET
2010-01-18 16:41 . 2003-06-18 16:31 18944 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\mdippr.dll
2010-01-18 16:41 . 2003-06-18 16:31 17920 ----a-w- c:\windows\system32\mdimon.dll
2010-01-18 16:40 . 2010-01-18 16:40 -------- d-----w- c:\program files\Microsoft ActiveSync
2010-01-18 16:39 . 2010-01-18 16:40 -------- d-----w- c:\windows\SHELLNEW
2010-01-18 16:30 . 2010-02-12 16:27 -------- d-----w- c:\program files\DAEMON Tools Pro
2010-01-18 16:28 . 2010-01-18 16:28 685816 ----a-w- c:\windows\system32\drivers\sptd.sys
2010-01-18 13:45 . 2010-01-18 13:45 -------- d-----w- c:\program files\ICQ6Toolbar
2010-01-18 13:45 . 2010-01-21 19:16 -------- d--h--w- c:\program files\InstallShield Installation Information

.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-05 08:52 . 2001-10-25 14:00 46016 ----a-w- c:\windows\system32\perfc005.dat
2010-02-05 08:52 . 2001-10-25 14:00 309716 ----a-w- c:\windows\system32\perfh005.dat
2010-01-18 17:05 . 2010-01-17 13:40 -------- d-----w- c:\program files\Common Files\InstallShield
2010-01-17 19:07 . 2010-01-17 13:25 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2010-01-17 19:07 . 2010-01-17 13:25 2426 ----a-w- c:\windows\pchealth\helpctr\PackageStore\SkuStore.bin
2010-01-17 19:04 . 2010-01-17 13:25 8972 ----a-w- c:\windows\pchealth\helpctr\Config\Cntstore.bin
2010-01-17 13:55 . 2010-01-17 13:55 -------- d-----w- c:\program files\uTorrent
2010-01-17 13:46 . 2010-01-17 13:46 -------- d-----w- c:\program files\VIA Technologies, INC
2010-01-17 13:28 . 2010-01-17 13:28 -------- d-----w- c:\program files\microsoft frontpage
2010-01-17 13:20 . 2010-01-17 13:20 21812 ----a-w- c:\windows\system32\emptyregdb.dat
2009-12-31 16:14 . 2004-08-03 21:14 352640 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-22 05:42 . 2004-08-17 13:49 663040 ------w- c:\windows\system32\wininet.dll
2009-12-22 05:42 . 2004-08-17 13:49 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-12-17 08:00 . 2010-01-17 13:19 343552 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:37 . 2004-08-17 13:49 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-09 10:28 . 2004-08-17 15:45 2059904 ------w- c:\windows\system32\ntkrnlpa.exe
2009-12-09 10:28 . 2004-08-17 13:45 2182528 ------w- c:\windows\system32\ntoskrnl.exe
2009-12-04 14:41 . 2004-08-03 21:15 453760 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2009-11-27 17:35 . 2004-08-17 15:49 17920 ----a-w- c:\windows\system32\msyuv.dll
2009-11-27 17:35 . 2004-08-17 13:49 1293824 ----a-w- c:\windows\system32\quartz.dll
2009-11-27 16:40 . 2004-08-17 15:49 48128 ----a-w- c:\windows\system32\iyuv_32.dll
2009-11-27 16:40 . 2004-08-17 13:49 11264 ----a-w- c:\windows\system32\msrle32.dll
2009-11-27 16:40 . 2004-08-17 13:49 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-11-27 16:40 . 2001-10-25 14:00 28672 ----a-w- c:\windows\system32\msvidc32.dll
2009-11-27 16:40 . 2001-10-24 12:25 8704 ----a-w- c:\windows\system32\tsbyuv.dll
2009-11-21 16:46 . 2004-08-17 13:49 470528 ----a-w- c:\windows\AppPatch\aclayers.dll
.

(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-08-02 7110656]
"quoci"="c:\windows\system32\syhyzonnequ.exe" [2010-01-21 172544]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-17 15360]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2003-07-14 34880]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3580:TCP"= 3580:TCP:dyxyad

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [11.9.2009 7:23 108792]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [11.9.2009 7:26 96408]
R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [11.9.2009 7:24 735960]
S0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [18.1.2010 17:28 685816]
S2 tx5ivdefue901;Blue Coat K9 Web Protection;c:\windows\system32\quouvebif.exe [21.1.2010 18:29 172544]
.
Obsah adresáře 'Naplánované úlohy'

2010-02-12 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2010-01-24 21:18]
.
.
------- Doplňkový sken -------
.
uStart Page = hxxp://www.seznam.cz/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-12 18:24
Windows 5.1.2600 Service Pack 2 NTFS

skenování skrytých procesů ...

skenování skrytých položek 'Po spuštění' ...

skenování skrytých souborů ...

sken byl úspešně dokončen
skryté soubory: 0

**************************************************************************
.
Celkový čas: 2010-02-12 18:28:00
ComboFix-quarantined-files.txt 2010-02-12 17:27
ComboFix2.txt 2010-02-12 17:12
ComboFix3.txt 2010-01-20 20:21

Před spuštěním: 173 023 232
Po spuštění: 145 592 320

- - End Of File - - B91A4D43CACD81001207FC74D7107AC5

Macas · #4 Příspěvek od **Macas** » 12 úno 2010 18:30

pocitac se uz tvari dost dobre, tak vam dekuji. Na shledanou.

#5 Příspěvek od **Rudy** » 12 úno 2010 19:30

Nejásejte předčasně, ještě musíme dočistit. Otevřte poznámkový blok a zkopírujte do něj:

Collect::
c:\windows\system32\quouvebif.exe
c:\windows\system32\syhyzonnequ.exe

Driver::
tx5ivdefue901

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"quoci"=-
[-HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

Uložte na plochu jako CFScript.txt. Pak jej myší přetáhněte nad ikonu ComboFix a pusťte. CF se spustí a vykoná příkazy ze skriptu.

Obrázek

VIRY.CZ

Začervený PC

Začervený PC

Re: Začervený PC

Re: Začervený PC

Re: Začervený PC

Re: Začervený PC