Prosím o kontrolu logu.

[Caroprd111]

Ano

[Yanina]

Ide sa na to, ak sa nebudem ozývať, som v......na psychiatrii.

[Caroprd111]

[Yanina]

Tu som, idem na ten sken.

[Yanina]

Celkom tomu nerozumiem, stiahla som, spustila, vyšlo toto:
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
PE file found in sector at 0x0DF8F900 !

[Caroprd111]

Stáhněte Gmer http://www.viry.cz/forum/viewtopic.php?f=29&t=62878
- Rozbalte a spusťte.
- Proběhne sken, po skončení se otevře okno s výsledky, klikněte na Save a tím si uložíte log, který sem vložíte.

- Podle návodu v odkazu provedete druhý sken a log sem také vložíte.

[Yanina]

Ano, pracuje sa na tom.Som vam ešte nepovedala, že približne v tom čase, ako za ten net začal kaziť, mi hlási v Správe počítače, systém...."Upozornenie...TCPIP udalosť 4226..len včera som to objavila.

[Caroprd111]

OK, počkám na ten Gmer.

[Yanina]

Tu je:
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-02-13 20:34:07
Windows 5.1.2600 Service Pack 3
Running: zoq0qq29.exe; Driver: c:\Temp\kwrdapob.sys


---- System - GMER 1.0.15 ----

SSDT 82053A70 ZwAssignProcessToJobObject
SSDT 820545F0 ZwDebugActiveProcess
SSDT 82054020 ZwDuplicateObject
SSDT 820531B0 ZwOpenProcess
SSDT 820534B0 ZwOpenThread
SSDT 82053EB0 ZwProtectVirtualMemory
SSDT 82053D50 ZwSetContextThread
SSDT 82053BD0 ZwSetInformationThread
SSDT 82050A90 ZwSetSecurityObject
SSDT 82053910 ZwSuspendProcess
SSDT 820537B0 ZwSuspendThread
SSDT 82053340 ZwTerminateProcess
SSDT 82053640 ZwTerminateThread
SSDT 82054440 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

init C:\WINDOWS\system32\drivers\ALCXSENS.SYS entry point in "init" section [0xF7493900]
? c:\Temp\mbr.sys Systém nemůže nalézt uvedený soubor. !

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[1796] kernel32.dll!SetUnhandledExceptionFilter 7C8449FD 4 Bytes [C2, 04, 00, 00]
.text C:\Program Files\Mozilla Firefox\firefox.exe[3160] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 004013F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET)
AttachedDevice \Driver\Tcpip \Device\Tcp epfwtdir.sys (ESET Antivirus Network Redirector/ESET)
AttachedDevice \FileSystem\Fastfat \Fat eamon.sys (Amon monitor/ESET)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x28 0x5C 0x43 0xC9 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x84 0x6A 0xC9 0x1A ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x6F 0xA3 0x91 0xC0 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@cd042efbbd7f7af1647644e76e06692b 0xC8 0x28 0x51 0xAF ...
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@bca643cdc5c2726b20d2ecedcc62c59b 0x71 0x3B 0x04 0x66 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@2c81e34222e8052573023a60d06dd016 0x25 0xDA 0xEC 0x7E ...
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@2582ae41fb52324423be06337561aa48 0x3E 0x1E 0x9E 0xE0 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@caaeda5fd7a9ed7697d9686d4b818472 0xF5 0x1D 0x4D 0x73 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@a4a1bcf2cc2b8bc3716b74b2b4522f5d 0xB0 0x18 0xED 0xA7 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@4d370831d2c43cd13623e232fed27b7b 0xFB 0xA7 0x78 0xE6 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@1d68fe701cdea33e477eb204b76f993d 0x83 0x6C 0x56 0x8B ...
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@1fac81b91d8e3c5aa4b0a51804d844a3 0xF6 0x0F 0x4E 0x58 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@f5f62a6129303efb32fbe080bb27835b 0x37 0xA4 0xAA 0xC3 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@fd4e2e1a3940b94dceb5a6a021f2e3c6 0x2A 0xB7 0xCC 0xB5 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@8a8aec57dd6508a385616fbc86791ec2 0xFA 0xEA 0x66 0x7F ...

---- Files - GMER 1.0.15 ----

File C:\1.txt 332 bytes
File C:\Temp\41E.tmp 1429504 bytes

---- EOF - GMER 1.0.15 ----

[Caroprd111]

Jak to vypadá s PC

[Yanina]

Pravdupovediac rovnako zlé..Ja som si pootvárala jedného času porty na firewalle, na sopcasty, tvants apodobne...nebude to tým?:...rozzzz...bité

[Caroprd111]

Odinstalujte ComboFix přes:
Start >> Spustit, zkopírujte do okénka:

ComboFix /Uninstall

stiskněte Enter


Stáhněte T-Cleaner
http://sweb.cz/Marinus/T-Cleaner.exe

- Spusťte, pro potvrzení volby mačkejte klávesu A, Enter
- Po použití program vymažte. Pozor,antiviry ho mohou falešně označit za vir.


Stáhněte OTC http://oldtimer.geekstogo.com/OTC.exe
- Spusťte.
- Klikněte na "CleanUp!". Potvrďte hlášky stiskem "Yes" (Bude následovat restart)


Stáhněte Ccleaner http://viry.cz/forum/viewtopic.php?t=7478
- Nainstalujte a v průběhu instalace odškrtněte, že chcete instalovat yahoo toolbar.

Záložka Čistič
- Dejte analyzovat, po dokončení dejte Spustit Ccleaner.

Záložka Registry
- Klikněte na Hledej problémy, po dokončení klikněte na Opravit problémy, zálohu dělat nemusíte, potom dejte Opravit všechny problémy.
OK Zavřít


Stáhněte a uložte, nejlépe na plochu http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Vypněte všechny rezidentní bezpečnostní programy - firewally, antiviry, antispywary

Spusťte aplikaci pod účtem s oprávněním Administrátora (Správce), ihned po startu se zobrází stránka s licenčnímy podmínkami, pokračujte stisknutím tlačítka "Ano"

Dále postupujte dle pokynů, během scanu nespouštějte jiné aplikace a neklikejte do zobrazujícího se okna

Scan by měl trvat okolo 5 - 10 minut, po dokončení Combofix zobrazí log C:\ComboFix.txt , který sem vložte.

Během skenování může být počítač restartován.

[Yanina]

Dobrý den, postupovala som podľa vašeho návodu, log je tu.Žiadna zmena, internet je stále zlý.Včer, ked som chcela navšíviť jednu stránku,mi napísalo, že am tam google nepustí, lebo posielam nejaké automatické dopyty. http://www.google.com/support/websearch ... swer=86640 Za ten možno aj týžden, čo vás tu trápim, sme nič zásadné neobjavili.Čo myslíte, kde može byť problém?Už som si zo zúfalstva stiahla aj toto, ked mi hlásilo chybu Tcpip 4226 http://www.lvllord.de/?url=tools Skúšala som núdzový režim so sieťou, stále rovnako zle, žiadna zmena.
ComboFix 10-02-12.01 - Gretka 14.02.2010 16:43:58.5.1 - x86
Systém Microsoft Windows XP Professional 5.1.2600.3.1250.421.1029.18.511.211 [GMT 1:00]
Running from: c:\documents and settings\Gretka\Plocha\ComboFix.exe
AV: ESET NOD32 Antivirus 4.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
.

((((((((((((((((((((((((( Files Created from 2010-01-14 to 2010-02-14 )))))))))))))))))))))))))))))))
.

2010-02-14 15:50 . 2010-02-14 15:50 53248 ----a-w- c:\temp\catchme.dll
2010-02-14 15:44 . 2010-02-14 15:44 -------- d-----w- c:\temp\WPDNSE
2010-02-14 15:22 . 2010-02-14 15:22 16384 ----atw- c:\temp\Perflib_Perfdata_157c.dat
2010-02-14 15:22 . 2010-02-14 15:22 16384 ----atw- c:\temp\Perflib_Perfdata_1570.dat
2010-02-14 15:20 . 2010-02-14 15:20 16384 ----atw- c:\temp\Perflib_Perfdata_174.dat
2010-02-14 14:51 . 2010-02-14 14:51 -------- d-----w- c:\windows\ie8updates
2010-02-14 14:49 . 2010-02-14 14:49 -------- d-sh--w- c:\documents and settings\Default User\IETldCache
2010-02-14 14:45 . 2010-02-14 14:45 361600 -c--a-w- c:\windows\system32\dllcache\TCPIP.SYS
2010-02-14 12:55 . 2009-12-21 19:08 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2010-02-14 12:55 . 2009-12-21 19:08 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2010-02-14 12:53 . 2009-11-21 16:03 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2010-02-14 12:50 . 2009-10-15 16:32 81920 -c----w- c:\windows\system32\dllcache\fontsub.dll
2010-02-14 12:50 . 2009-10-15 16:32 119808 -c----w- c:\windows\system32\dllcache\t2embed.dll
2010-02-14 12:48 . 2009-02-06 10:10 227840 -c----w- c:\windows\system32\dllcache\wmiprvse.exe
2010-02-14 12:48 . 2009-03-06 14:23 284160 -c----w- c:\windows\system32\dllcache\pdh.dll
2010-02-14 12:48 . 2009-02-09 11:25 111104 -c----w- c:\windows\system32\dllcache\services.exe
2010-02-14 12:48 . 2009-02-09 10:56 401408 -c----w- c:\windows\system32\dllcache\rpcss.dll
2010-02-14 12:48 . 2009-02-09 10:56 473600 -c----w- c:\windows\system32\dllcache\fastprox.dll
2010-02-14 12:48 . 2009-02-09 10:56 684032 -c----w- c:\windows\system32\dllcache\advapi32.dll
2010-02-14 12:48 . 2009-02-09 10:56 728064 -c----w- c:\windows\system32\dllcache\lsasrv.dll
2010-02-14 12:48 . 2009-02-09 10:56 453120 -c----w- c:\windows\system32\dllcache\wmiprvsd.dll
2010-02-14 12:47 . 2009-02-09 10:56 709632 -c----w- c:\windows\system32\dllcache\ntdll.dll
2010-02-14 12:47 . 2009-06-21 21:48 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
2010-02-14 12:43 . 2009-07-10 13:28 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll
2010-02-14 12:37 . 2008-04-21 21:15 216576 -c----w- c:\windows\system32\dllcache\wordpad.exe
2010-02-13 14:52 . 2010-02-13 14:53 -------- d-----w- c:\program files\Ultimate Process Manager
2010-02-13 00:39 . 2010-02-13 00:39 -------- d-----w- c:\program files\Languages
2010-02-13 00:39 . 2010-02-13 00:39 -------- d-----w- c:\program files\Helps
2010-02-12 22:46 . 2010-02-12 22:46 -------- d-----w- c:\program files\VS Revo Group
2010-02-11 22:23 . 2010-02-11 22:23 -------- d---a-w- c:\windows\VDLL.DLL
2010-02-11 22:23 . 2010-02-11 22:23 -------- d---a-w- c:\windows\RUNDL132.EXE
2010-02-11 22:23 . 2010-02-11 22:23 -------- d---a-w- c:\windows\logo_1.exe
2010-02-11 22:21 . 2010-02-11 22:21 34048 ----a-w- c:\windows\system32\eEmpty.exe
2010-02-11 15:14 . 2010-02-11 15:14 21840 ----a-w- c:\windows\system32\SIntfNT.dll
2010-02-11 15:14 . 2010-02-11 15:14 17212 ----a-w- c:\windows\system32\SIntf32.dll
2010-02-10 00:56 . 2010-01-07 15:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-10 00:56 . 2010-01-07 15:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-10 00:56 . 2010-02-10 00:56 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-30 12:27 . 2010-01-30 12:27 -------- d-----w- c:\windows\system32\TVUAx
2010-01-27 21:41 . 2010-01-28 17:42 -------- d-----w- c:\program files\SopCast
2010-01-27 19:29 . 2010-01-27 19:30 -------- dc-h--w- c:\windows\ie8
2010-01-20 20:59 . 2010-01-20 21:18 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-01-20 20:58 . 2010-01-20 20:59 -------- d-----w- c:\program files\Quick Hit
2010-01-20 20:55 . 2010-01-20 21:00 -------- d--h--w- c:\program files\Zero G Registry
2010-01-20 20:55 . 2010-01-20 20:55 -------- d-----w- c:\program files\Quick Hit Football
2010-01-20 20:55 . 2010-01-20 20:55 -------- d--h--w- c:\documents and settings\Gretka\InstallAnywhere

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-14 15:24 . 2003-04-16 12:00 90526 ----a-w- c:\windows\system32\perfc005.dat
2010-02-14 15:24 . 2003-04-16 12:00 452932 ----a-w- c:\windows\system32\perfh005.dat
2010-02-14 15:19 . 2008-09-03 05:23 -------- d-----w- c:\program files\Microsoft Silverlight
2010-02-14 14:45 . 2010-02-14 14:45 361600 ----a-w- c:\windows\system32\drivers\TCPIP.SYS.ORIGINAL
2010-02-14 14:45 . 2003-04-16 12:00 361600 ----a-w- c:\windows\system32\drivers\TCPIP.SYS
2010-02-13 17:55 . 2006-01-10 07:55 -------- d-----w- c:\program files\Common Files\Adobe
2010-02-13 00:34 . 2006-01-10 07:59 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-02-12 22:37 . 2006-01-10 08:11 -------- d-----w- c:\program files\Java
2010-02-11 19:00 . 2008-01-08 08:01 -------- d-----w- c:\program files\Opera
2010-02-09 22:04 . 2006-01-10 07:58 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-01-27 22:05 . 2006-01-10 08:11 -------- d-----w- c:\program files\Common Files\Java
2010-01-27 17:57 . 2006-01-11 07:53 -------- d-----w- c:\program files\ESET
2010-01-17 19:42 . 2006-01-10 08:08 -------- d-----w- c:\program files\Advanced Disk Catalog
2010-01-14 20:18 . 2010-01-14 20:18 1124 ----a-w- c:\windows\system32\ezdigsgn.dat
2010-01-14 18:55 . 2010-01-14 18:55 -------- d-----w- c:\program files\Common Files\Skype
2010-01-14 18:55 . 2006-09-23 15:18 -------- d-----r- c:\program files\Skype
2010-01-13 21:14 . 2006-01-12 21:49 -------- d-----w- c:\program files\Common Files\Ahead
2010-01-13 21:14 . 2006-01-10 07:55 -------- d-----w- c:\program files\Ahead
2010-01-09 21:56 . 2010-01-05 17:17 -------- d-----w- c:\program files\Sandboxie
2009-12-31 16:50 . 2003-04-16 12:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-22 13:26 . 2006-01-10 08:06 -------- d-----w- c:\program files\Winamp
2009-12-21 19:08 . 2003-04-16 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2009-12-17 16:14 . 2008-12-04 16:48 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-12-04 18:22 . 2003-04-16 12:00 455424 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2009-11-21 16:03 . 2003-04-16 12:00 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2004-03-11 12:27 . 2008-01-12 11:31 40960 ----a-w- c:\program files\Uninstall_CDS.exe
.

------- Sigcheck -------

[-] 2010-02-14 . E248A8391D7388A0A3679D1FB33E003D . 361600 . . [5.1.2600.5625] . . c:\windows\system32\drivers\TCPIP.SYS
[-] 2010-02-14 . E248A8391D7388A0A3679D1FB33E003D . 361600 . . [5.1.2600.5625] . . c:\windows\system32\dllcache\TCPIP.SYS
[7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys
[7] 2008-06-20 . 2A5554FC5B1E04E131230E3CE035C3F9 . 360320 . . [5.1.2600.3394] . . c:\windows\$NtServicePackUninstall$\tcpip.sys
[7] 2008-06-20 . 744E57C99232201AE98C49168B918F48 . 360960 . . [5.1.2600.3394] . . c:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys
[7] 2008-04-13 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\$NtUninstallKB951748$\tcpip.sys
[7] 2008-04-13 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\TCPIP.SYS
[-] 2007-10-30 . 90CAFF4B094573449A0872A0F919B178 . 360064 . . [5.1.2600.3244] . . c:\windows\$NtUninstallKB951748_0$\tcpip.sys
[-] 2007-10-30 . 64798ECFA43D78C7178375FCDD16D8C8 . 360832 . . [5.1.2600.3244] . . c:\windows\$hf_mig$\KB941644\SP2QFE\tcpip.sys
[-] 2006-04-20 . B2220C618B42A2212A59D91EBD6FC4B4 . 360576 . . [5.1.2600.2892] . . c:\windows\$hf_mig$\KB917953\SP2QFE\tcpip.sys
[-] 2006-04-20 . B4E29943B4B04BD5E7381546848E6669 . 359808 . . [5.1.2600.2892] . . c:\windows\$NtUninstallKB941644$\tcpip.sys
[-] 2006-01-13 . 5562CC0A47B2AEF06D3417B733F3C195 . 360448 . . [5.1.2600.2827] . . c:\windows\$hf_mig$\KB913446\SP2QFE\tcpip.sys
[-] 2006-01-13 . 583E063FDC888CA30D05C2724B0D7EF4 . 359808 . . [5.1.2600.2827] . . c:\windows\$NtUninstallKB917953$\tcpip.sys
[-] 2005-05-25 . 63FDFEA54EB53DE2D863EE454937CE1E . 359936 . . [5.1.2600.2685] . . c:\windows\$hf_mig$\KB893066\SP2QFE\tcpip.sys
[-] 2005-05-25 . 88763A98A4C26C409741B4AA162720C9 . 359808 . . [5.1.2600.2685] . . c:\windows\$NtUninstallKB913446$\tcpip.sys
[7] 2004-08-03 . 9F4B36614A0FC234525BA224957DE55C . 359040 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB893066$\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OEXPRESS"="c:\documents and settings\All Users\Data aplikací\LangSoft\OETRN.EXE" [2009-04-05 26624]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-11-22 39408]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2007-01-05 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2004-06-18 67584]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2005-08-12 45056]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2004-04-17 196608]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-05-16 86960]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2008-04-17 98616]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]
"Google Quick Search Box"="c:\program files\Google\Quick Search Box\GoogleQuickSearchBox.exe" [2009-11-22 122880]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-11-16 2054360]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\Gretka\Nabˇdka Start\Programy\Po spuçtŘnˇ\
Věýezy obrazovky a spuçtŘnˇ aplikace OneNote 2007.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-7 101440]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\NVIDIA\\NetworkAccessManager\\Apache Group\\Apache2\\bin\\Apache.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\AvRack\\rtlrack.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\SopCast\\SopCast.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3902:TCP"= 3902:TCP:*:Disabled:SopClient
"3902:UDP"= 3902:UDP:*:Disabled:sopcast.exe
"3903:TCP"= 3903:TCP:*:Disabled:sop

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [16.11.2009 9:03 108792]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [16.11.2009 9:06 96408]
R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [16.11.2009 9:04 735960]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
S3 cpuz132;cpuz132;\??\c:\temp\cpuz132\cpuz132_x32.sys --> c:\temp\cpuz132\cpuz132_x32.sys [?]
S3 GXRNFLIM;GXRNFLIM;c:\temp\GXRNFLIM.exe --> c:\temp\GXRNFLIM.exe [?]
S3 HFVG;HFVG;c:\temp\HFVG.exe --> c:\temp\HFVG.exe [?]
S3 speccy;speccy;\??\c:\temp\82afd58c-20e4-4efd-b2e1-67d640601971 --> c:\temp\82afd58c-20e4-4efd-b2e1-67d640601971 [?]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [13.5.2006 17:50 717296]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.sk/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &ICQ Toolbar Search - c:\program files\ICQToolbar\toolbaru.dll/SEARCH.HTML
IE: E&xportovat do aplikace Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: E&xportovat do aplikace Microsoft Office Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
IE: Pobierz z &BitSpirit - c:\program files\BitSpirit\bsurl.htm
IE: {{7e6a20fb-153f-402c-a84b-1a64e1955d3d} - {7E6A20FB-153F-402c-A84B-1A64E1955D3D} - c:\documents and settings\All Users\Data aplikací\LangSoft\WebIE.dll
IE: {{cc963627-b1dc-40e0-b52a-cf21ee748449} - {CC963627-B1DC-40E0-B52A-CF21EE748449} - c:\documents and settings\All Users\Data aplikací\LangSoft\WebIE.dll
IE: {{cc963627-b1dc-40e0-b52a-cf21ee748450} - {CC963627-B1DC-40E0-B52A-CF21EE748450} - c:\documents and settings\All Users\Data aplikací\LangSoft\WebIE.dll
IE: {{cc963627-b1dc-40e0-b52a-cf21ee748451} - {CC963627-B1DC-40E0-B52A-CF21EE748451} - c:\documents and settings\All Users\Data aplikací\LangSoft\WebIE.dll
IE: {{cc963627-b1dc-40e0-b52a-cf21ee748452} - {CC963627-B1DC-40E0-B52A-CF21EE748452} - c:\documents and settings\All Users\Data aplikací\LangSoft\WebIE.dll
FF - ProfilePath - c:\documents and settings\Gretka\Data aplikací\Mozilla\Firefox\Profiles\3tvabsnb.default\
FF - component: c:\documents and settings\Gretka\Data aplikací\Mozilla\Firefox\Profiles\3tvabsnb.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\DictionaryCompressionFF.dll
FF - component: c:\documents and settings\Gretka\Data aplikací\Mozilla\Firefox\Profiles\3tvabsnb.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll
FF - plugin: c:\program files\TV JOJ Media Player\npplugin_netscape.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".sk");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-14 16:50
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\speccy]
"ImagePath"="\??\c:\temp\82afd58c-20e4-4efd-b2e1-67d640601971"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-117609710-1960408961-725345543-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-117609710-1960408961-725345543-1003\Software\Policies\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (S-1-5-21-117609710-1960408961-725345543-1003)
@Allowed: (Read) (S-1-5-21-117609710-1960408961-725345543-1003)
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(460)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(4620)
c:\documents and settings\All Users\Data aplikací\LangSoft\TrnOEH.dll
c:\program files\Google\Quick Search Box\bin\1.2.1151.245\qsb.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-02-14 16:54:19
ComboFix-quarantined-files.txt 2010-02-14 15:54

Pre-Run: Volných bajtů: 33 034 235 904
Post-Run: Volných bajtů: 33 021 718 528

- - End Of File - - 530F25EAA10DCE47C2AE47976E53E349

[Caroprd111]

Tohle otestujte na http://www.virustotal.com/cs/
c:\windows\system32\drivers\TCPIP.SYS

(Soubor nehledejte, jenom vložíte tučně označenou cestu, v případě hlášky "Soubor již byl testován" dejte otestovat znovu. Výsledek analýzy sem vložte.)


Pokud nemáte, přesuňte Combofix na plochu
- otevřete si Poznámkový blok a zkopírujte do něj text z bílého okénka.

Kód: Vybrat vše

Driver::
GXRNFLIM
HFVG
speccy

File::
c:\temp\GXRNFLIM.exe 
c:\temp\HFVG.exe 
c:\temp\82afd58c-20e4-4efd-b2e1-67d640601971 

Registry::
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\speccy]

- uložte Vámi vytvořený TXT soubor jako CFScript.txt na plochu
- po uložení uchopte vámi vytvořený skript levým myšítkem a přesuňte ho nad ikonu Combofixu, kde ho upustíte:


- po aplikaci na Vás vypadne další log,vložte ho sem

Může se stát, že po aplikaci skriptu a restartu Windows nenaběhnou, v tom případě znovu restartujte a přitom mačkejte F8, pak zvolte Poslední známou funkční konfiguraci


Tyto porty máte otevřené záměrně
"3902:TCP"= 3902:TCP:*:Disabled:SopClient
"3902:UDP"= 3902:UDP:*:Disabled:sopcast.exe
"3903:TCP"= 3903:TCP:*:Disabled:sop

[Yanina]

Ano, tie porty som si pootvárala, ked mi nešlapal sopcast, včera som sa ich snažila zatvoriť, ale neviem či sa mi to podarilo.Na virustotal sa nedostanem, skúsim ešte neskor.Idem na ten Combofix.