After running CF in safe mode (in normal mode it got stuck), it looks like this:
ComboFix 10-03-25.06 - uživatel 26.03.2010 7:37.2.2 - x86 MINIMAL
Spuštěný z: c:\documents and settings\uživatel\Plocha\uzdkutd.exe
AV: avast! antivirus 4.8.1335 [VPS 100324-1] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
* Vytvořen nový Bod Obnovení
VAROVÁNÍ - NA TOMTO POČÍTAČI NENÍ NAINSTALOVÁNA KONZOLA PRO ZOTAVENÍ !!
.
((((((((((((((((((((((((((((((((((((((( Ostatní výmazy )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\program files\Internet Explorer\js.mui
c:\program files\Internet Explorer\wmpscfgs.exe
c:\windows\system32\app_dll.dll
c:\windows\system32\ctfmon .exe
c:\windows\system32\regedit .exe
c:\windows\system32\regedit.exe
c:\windows\system32\wuaucldt .exe
c:\windows\system32\drivers\cdrom.sys chyběl.
Obnovena kopie z - c:\system volume information\_restore{1E7926F4-7146-4A52-B8F8-8369E8A9935D}\RP2\A0009313.sys
.
((((((((((((((((((((((((( Soubory vytvořené od 2010-02-26 do 2010-03-26 )))))))))))))))))))))))))))))))
.
2010-03-26 06:45 . 2004-08-03 21:59 49536 ----a-w- c:\windows\system32\drivers\cdrom.sys
2010-03-24 07:50 . 2010-03-24 07:50 86016 ----a-w- c:\windows\system32\lgqafo.exe
2010-03-23 18:29 . 2010-03-23 18:29 47616 ----a-w- c:\windows\system32\hqnl.exe
2010-03-23 17:30 . 2010-03-23 17:30 -------- d-----r- c:\documents and settings\LocalService\Oblíbené položky
2010-03-19 11:19 . 2010-03-26 06:51 860672 ----a-w- c:\windows\system32\drivers\jevxh.sys
2010-03-18 16:22 . 2004-08-03 22:00 8192 -c--a-w- c:\windows\system32\dllcache\changer.sys
2010-03-18 16:22 . 2004-08-03 22:00 8192 ----a-w- c:\windows\system32\drivers\changer.sys
2010-03-12 15:17 . 2010-03-12 15:17 -------- d-----w- c:\program files\Conduit
2010-03-12 15:17 . 2010-03-12 15:51 -------- d-----w- c:\program files\BS_Player
2010-03-12 15:14 . 2010-03-14 10:22 -------- d-----w- C:\BS player
2010-03-12 14:56 . 2010-03-12 15:26 -------- d-----w- C:\kamera JVC
2010-03-11 12:46 . 2010-03-11 12:46 -------- d-----w- c:\program files\Digital Photo Navigator 1.5
.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-24 07:55 . 2008-03-03 12:01 -------- d-----w- c:\program files\Winamp
2010-03-23 20:29 . 2008-03-03 12:03 -------- d-----w- c:\program files\Google
2010-03-22 09:00 . 2008-12-04 13:18 -------- d-----w- c:\program files\Spyware Doctor
2010-03-11 12:46 . 2008-02-29 07:26 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-02-16 17:35 . 2010-02-16 17:35 -------- d-----w- c:\program files\Windows Media Connect 2
2010-01-31 15:41 . 2008-05-16 12:09 -------- d-----w- c:\program files\ICQLite
2010-01-31 15:16 . 2008-12-26 14:07 -------- d-----w- c:\program files\Yahoo!
2010-01-14 19:51 . 2008-08-12 19:29 796672 ----a-w- c:\windows\GPInstall.exe
2009-12-31 16:14 . 2006-03-02 12:00 352640 ----a-w- c:\windows\system32\drivers\srv.sys
.
c:\program files\CyberLink\PowerDVD8\Language\language .exe
c:\program files\Google\GoogleToolbarNotifier\googletoolbarnotifier .exe
c:\program files\Spyware Doctor\pctstray .exe
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{fed66dc5-1b74-4a04-8f5c-15c5ace2b9a5}"= "c:\program files\BS_Player\tbBS_1.dll" [2010-03-12 2349080]
[HKEY_CLASSES_ROOT\clsid\{fed66dc5-1b74-4a04-8f5c-15c5ace2b9a5}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{fed66dc5-1b74-4a04-8f5c-15c5ace2b9a5}]
2010-03-12 15:51 2349080 ----a-w- c:\program files\BS_Player\tbBS_1.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{fed66dc5-1b74-4a04-8f5c-15c5ace2b9a5}"= "c:\program files\BS_Player\tbBS_1.dll" [2010-03-12 2349080]
[HKEY_CLASSES_ROOT\clsid\{fed66dc5-1b74-4a04-8f5c-15c5ace2b9a5}]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{FED66DC5-1B74-4A04-8F5C-15C5ACE2B9A5}"= "c:\program files\BS_Player\tbBS_1.dll" [2010-03-12 2349080]
[HKEY_CLASSES_ROOT\clsid\{fed66dc5-1b74-4a04-8f5c-15c5ace2b9a5}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-03-23 39408]
"syncman"="c:\documents and settings\uživatel\wuaucldt.exe" [2010-03-24 29764]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"syncman"="c:\windows\system32\wuaucldt.exe" [N/A]
"Adobe_Reader"="c:\program files\internet explorer\wmpscfgs.exe" [N/A]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2006-03-02 15360]
c:\documents and settings\uživatel\Nabídka Start\Programy\Po spuštění\
OpenOffice.org 2.2.lnk - c:\program files\OpenOffice.org 2.2\program\quickstart.exe [2007-6-8 393216]
c:\documents and settings\All Users\Nabídka Start\Programy\Po spuštění\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-24 29696]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager\appcertdlls]
AppSecDll REG_SZ c:\windows\system32\config\systemprofile\Local Settings\Data aplikací\Windows Server\ljpdea.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Calculator CZ\\Deutscher Ring Calculator CZ.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD8\\PowerDVD8.exe"=
"c:\\Documents and Settings\\uživatel\\Plocha\\Quake3Arena\\Quake3Arena\\Quake III Arena\\quake3.exe"=
"c:\\Documents and Settings\\uživatel\\Plocha\\UO\\AndariaClient.exe"=
"c:\\Cibis\\CibisWebStandalone\\programs\\jdk1.5.0_11\\bin\\java.exe"=
"c:\\Program Files\\Kooperativa\\KalkZiv\\Kalk_Ziv.exe"=
R1 aswSP;avast! Self Protection; [x]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2009-02-05 20560]
R2 FirebirdGuardianDefaultInstance;Firebird Guardian - DefaultInstance;c:\program files\Firebird\bin\fbguard.exe [2007-01-31 65536]
R2 gupdate;Služba Google Update (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-03-24 135664]
R3 FirebirdServerDefaultInstance;Firebird Server - DefaultInstance;c:\program files\Firebird\bin\fbserver.exe [2007-01-31 1527893]
R3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2008-06-13 356920]
R3 Stmatm;ATM/ADSL miniport;c:\windows\system32\DRIVERS\stmatm.sys [2003-08-12 60255]
R3 TaurusUsb;ADSL Modem USB Service;c:\windows\system32\DRIVERS\torususb.sys [2003-12-23 549421]
--- Ostatní služby/ovladače v paměti ---
*NewlyCreated* - PXHELP20
*Deregistered* - AtapiDrv
*Deregistered* - jevxh
.
Obsah adresáře 'Naplánované úlohy'
2010-03-26 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-24 07:54]
2010-03-24 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-24 07:54]
.
.
------- Doplňkový sken -------
.
uStart Page = hxxp://www.seznam.cz/
uInternet Connection Wizard,ShellNext = iexplore
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
.
- - - - NEPLATNÉ POLOŽKY ODSTRANĚNÉ Z REGISTRU - - - -
SafeBoot-AtapiDrv.sys
**************************************************************************
disk not found C:\
please note that you need administrator rights to perform deep scan
skenování skrytých procesů ...
skenování skrytých položek 'Po spuštění' ...
skenování skrytých souborů ...
sken byl úspešně dokončen
skryté soubory:
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\jevxh]
.
--------------------- Knihovny navázané na běžící procesy ---------------------
- - - - - - - > 'winlogon.exe'(268)
c:\documents and settings\LocalService\Local Settings\Data aplikací\Windows Server\ljpdea.dll
c:\windows\system32\Ati2evxx.dll
.
Celkový čas: 2010-03-26 07:56:41
ComboFix-quarantined-files.txt 2010-03-26 06:56
Před spuštěním: Volných bajtů: 16 469 487 616
Po spuštění: Volných bajtů: 17 121 865 728
- - End Of File - - 225439D0C2156BCDCA61FB3ED5BE1B19
Then I ran GMER, log1:
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit quick scan 2010-03-26 08:26:07
Windows 5.1.2600 Service Pack 2
Running: br7ozth4.exe; Driver: C:\DOCUME~1\UIVATE~1\LOCALS~1\Temp\kxpoyfow.sys
---- System - GMER 1.0.15 ----
SSDT \SystemRoot\system32\drivers\AtapiDrv.sys ZwQueryDirectoryFile [0xBAA1A57A]
---- Devices - GMER 1.0.15 ----
Device \FileSystem\Ntfs \Ntfs 8A5FE838
AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
---- Processes - GMER 1.0.15 ----
Process hidden process (*** hidden *** ) 30080
Process hidden process (*** hidden *** ) 35376
Process hidden process (*** hidden *** ) 57156
---- EOF - GMER 1.0.15 ----
log2 (does not finish because of Windows error messages):
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-03-26 08:26:51
Windows 5.1.2600 Service Pack 2
Running: br7ozth4.exe; Driver: C:\DOCUME~1\UIVATE~1\LOCALS~1\Temp\kxpoyfow.sys
---- System - GMER 1.0.15 ----
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xAEE386B8]
SSDT \SystemRoot\system32\drivers\AtapiDrv.sys ZwCreateFile [0xBAA1A48F]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xAEE38574]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xAEE38A52]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xAEE3814C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xAEE3864E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xAEE3808C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xAEE380F0]
SSDT \SystemRoot\system32\drivers\AtapiDrv.sys ZwQueryDirectoryFile [0xBAA1A57A]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xAEE3876E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xAEE3872E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xAEE388AE]
---- Kernel code sections - GMER 1.0.15 ----
? C:\WINDOWS\system32\drivers\jevxh.sys Zařízení připojené k systému nefunguje. !
.text AtapiDrv.sys BAA19000 134 Bytes [55, 8B, EC, 51, 51, 83, 65, ...]
.text AtapiDrv.sys BAA19087 111 Bytes [00, 00, 00, 75, 2F, 8B, 45, ...]
.text AtapiDrv.sys BAA190F7 547 Bytes [8B, 45, FC, 8B, 4D, 0C, 8D, ...]
.text AtapiDrv.sys BAA1931B 107 Bytes [EC, 51, 83, 65, FC, 00, 83, ...]
.text AtapiDrv.sys BAA19387 371 Bytes [08, 8B, 45, 0C, 48, 89, 45, ...]
.text ...
? C:\WINDOWS\system32\drivers\AtapiDrv.sys Svazek tohoto souboru byl zvnějšku změněn, tudíž otevřený soubor není nadále platný.
---- Devices - GMER 1.0.15 ----
Device \FileSystem\Ntfs \Ntfs 8A5FE838
AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
---- Processes - GMER 1.0.15 ----
Process hidden process (*** hidden *** ) 30080
Process hidden process (*** hidden *** ) 35376
Process hidden process (*** hidden *** ) 57156
---- EOF - GMER 1.0.15 ----