PC virus removal, computer speed-up and remote help through the neslape.cz service

Log check - problem with rootkit gyqdeaip.sys

Have a problem with a virus? Post your FRST or RSIT log here.


Forum rules
If you want help, post a log from FRST [guide here] or RSIT [guide here]

Individual threads will be locked once resolved, as will those inactive for more than 14 days. See the Rule on locking topics. Thank you for your understanding.

!NEWS!
You can now use the remote help service, where a specialist connects to your computer and gets further details about the problem from you by phone! More at www.neslape.cz
merlp
Visitor
Posts: 9
Registered: 29 Apr 2010 16:17

Log check - problem with rootkit gyqdeaip.sys

#1 Post by merlp »

Hello, please check my ComboFix log.

Malwarebytes found a rootkit gyqdeaip.sys that can't be removed; please help me with this pest.
Thanks in advance.

ComboFix 10-04-28.08 - merlp 29.04.2010 16:43:21.1.2 - x86
Microsoft Windows 7 Ultimate 6.1.7600.0.1250.420.1029.18.2046.1306 [GMT 2:00]
Spuštěný z: d:\!!!!!!!!! martinova slozka !!!!!!!!!!!!!!\PROGRAMY !!\!! ničitel Trojáků a virů\ComboFix.exe
* Rezidentní štít AV je zapnutý

.

((((((((((((((((((((((((((((((((((((((( Ostatní výmazy )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\recycler\S-1-5-21-220523388-1644491937-839522115-1003
c:\users\merlp\AppData\Local\Microsoft\Windows\Temporary Internet Files\-hyFBlFlU3b-hl
c:\users\merlp\AppData\Local\Microsoft\Windows\Temporary Internet Files\8aU4koGz_RXxcf
c:\users\merlp\AppData\Local\Microsoft\Windows\Temporary Internet Files\AJ1w9EC5_
c:\windows\system32\%appdata%
c:\windows\system32\dumphive.exe
c:\windows\system32\Process.exe
c:\windows\system32\SrchSTS.exe
c:\windows\system32\tmp.reg
c:\windows\system32\VCCLSID.exe
c:\windows\system32\WS2Fix.exe

.
((((((((((((((((((((((((( Soubory vytvořené od 2010-03-28 do 2010-04-29 )))))))))))))))))))))))))))))))
.

2010-04-29 14:31 . 2009-12-11 07:38 1037312 ----a-w- c:\windows\system32\lsasrv.dll
2010-04-29 14:31 . 2009-12-11 07:44 133720 ----a-w- c:\windows\system32\drivers\ksecpkg.sys
2010-04-27 13:59 . 2010-04-27 13:59 -------- d-----w- c:\program files\Imagenomic
2010-04-27 13:01 . 2010-04-27 13:01 -------- d-----w- c:\windows\MSSecurityNS
2010-04-27 13:01 . 2010-04-27 13:01 -------- d-----w- c:\windows\MSSecurityNi
2010-04-23 19:18 . 2010-04-23 19:18 -------- d-----w- c:\users\merlp\AppData\Roaming\Malwarebytes
2010-04-23 19:16 . 2010-03-29 22:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-23 19:16 . 2010-04-23 19:16 -------- d-----w- c:\programdata\Malwarebytes
2010-04-23 19:16 . 2010-03-29 22:45 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-23 19:16 . 2010-04-23 19:17 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-23 18:53 . 2010-01-10 17:40 118784 ----a-w- c:\windows\system32\MSSTDFMT.DLL
2010-04-23 12:34 . 2010-04-23 12:34 -------- d-----w- c:\windows\Sun
2010-04-23 12:32 . 2010-04-23 12:38 -------- d-----w- c:\program files\Common Files\Java
2010-04-23 12:32 . 2010-04-23 12:32 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-04-23 12:32 . 2010-04-23 12:39 -------- d-----w- c:\program files\Java
2010-04-21 18:40 . 1998-06-17 22:00 102912 ----a-w- c:\windows\system32\Vb6stkit.dll
2010-04-21 18:40 . 1997-02-24 15:44 70656 ----a-w- c:\windows\system32\vspell32.dll
2010-04-21 18:40 . 1998-11-22 12:23 84992 ----a-w- c:\windows\system32\Ledit32.dll
2010-04-21 18:40 . 2008-09-12 12:55 1245184 ----a-w- c:\windows\system32\ChilkatCert.dll
2010-04-21 18:40 . 2008-09-12 12:50 1105920 ----a-w- c:\windows\system32\ChilkatFtp2.dll
2010-04-21 14:42 . 2010-04-21 14:42 -------- d-----w- c:\program files\Advanced Port Scanner
2010-04-20 16:01 . 2010-04-20 16:02 -------- d-----w- c:\programdata\Sticky Notes TB Hider
2010-04-20 16:01 . 2010-04-20 16:01 -------- d-----w- c:\program files\StickyNotes
2010-04-20 15:37 . 2010-04-20 15:37 53319 ----a-w- c:\programdata\TEMP\{8C20787A-7402-4FA7-BF25-6E5750930FDC}\PostBuild.exe
2010-04-20 15:04 . 2010-04-20 15:04 -------- d-----w- c:\users\merlp\AppData\Local\PowerDVDCox
2010-04-20 15:04 . 2010-04-20 15:04 -------- d-----w- c:\users\merlp\AppData\Local\PowerDVDCinema
2010-04-20 15:04 . 2010-04-20 15:04 -------- d-----w- c:\users\Public\CyberLink
2010-04-20 15:04 . 2010-04-20 15:04 -------- d-----w- c:\programdata\CyberLink
2010-04-20 15:02 . 2010-04-20 15:12 53319 ----a-w- c:\programdata\TEMP\{2B55AF83-017A-4C81-9324-D9D3255642A6}\PostBuild.exe
2010-04-20 14:59 . 2010-04-20 15:13 -------- d-----w- c:\program files\InstallShield Installation Information
2010-04-20 14:59 . 2010-04-20 14:59 -------- d-----w- c:\program files\Common Files\CyberLink
2010-04-20 14:58 . 2010-04-20 14:58 -------- d-----w- c:\program files\CyberLink
2010-04-20 14:58 . 2010-04-20 15:12 505128 ----a-w- c:\windows\system32\msvcp71.dll
2010-04-20 14:58 . 2010-04-20 15:12 353576 ----a-w- c:\windows\system32\msvcr71.dll
2010-04-20 14:58 . 2010-04-20 15:12 29480 ----a-w- c:\windows\system32\msxml3a.dll
2010-04-20 14:58 . 2010-04-20 14:57 53319 ----a-w- c:\programdata\TEMP\{A8516AC9-AAF1-47F9-9766-03E2D4CDBCF8}\PostBuild.exe
2010-04-19 11:13 . 2010-04-19 11:13 -------- d-----w- c:\users\merlp\AppData\Local\PunkBuster
2010-04-19 11:12 . 2010-04-21 12:30 139128 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2010-04-19 11:12 . 2010-04-19 11:12 138056 ----a-w- c:\users\merlp\AppData\Roaming\PnkBstrK.sys
2010-04-19 11:11 . 2010-04-21 12:30 215128 ----a-w- c:\windows\system32\PnkBstrB.exe
2010-04-19 11:11 . 2010-04-19 11:11 75064 ----a-w- c:\windows\system32\PnkBstrA.exe
2010-04-19 11:11 . 2010-04-19 11:11 2434856 ----a-w- c:\windows\system32\pbsvc_bc2.exe
2010-04-19 10:37 . 2010-04-19 10:37 691696 ----a-w- c:\windows\system32\drivers\sptd.sys
2010-04-19 10:00 . 2010-04-19 11:55 -------- d-----w- c:\program files\DAEMON Tools Lite
2010-04-16 19:35 . 2010-04-16 19:35 -------- d-----w- C:\Local Publish
2010-04-16 19:25 . 2010-04-16 19:24 737280 ----a-w- c:\windows\iun6002.exe
2010-04-16 19:24 . 2010-04-19 11:55 -------- d-----w- c:\program files\WYSIWYG Web Builder 6
2010-04-16 18:11 . 2010-04-19 11:55 -------- d-----w- c:\users\merlp\AppData\Local\Totalidea_Software
2010-04-16 18:10 . 2010-04-19 11:55 -------- d-----w- c:\windows\Tweak-7
2010-04-16 18:10 . 2010-04-19 11:55 -------- d-----w- c:\program files\Tweak-7
2010-04-16 18:08 . 2010-04-19 11:55 -------- d-----w- c:\program files\Změna MAC adresy
2010-04-13 19:08 . 2010-04-19 11:47 -------- d-----w- c:\users\merlp\AppData\Roaming\Tweak-7
2010-04-13 18:54 . 2009-12-29 06:55 172032 ----a-w- c:\windows\system32\wintrust.dll
2010-04-13 18:54 . 2010-01-09 06:52 132608 ----a-w- c:\windows\system32\cabview.dll
2010-04-13 18:29 . 2010-02-27 12:07 3899280 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-04-13 18:29 . 2010-03-08 21:33 427520 ----a-w- c:\windows\system32\vbscript.dll
2010-04-13 18:29 . 2010-02-27 12:07 3954568 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-04-13 18:29 . 2010-02-27 07:32 221696 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-04-13 18:29 . 2010-02-27 07:32 123392 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-04-13 18:29 . 2010-02-27 07:32 95744 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2010-04-13 17:34 . 2010-04-13 17:34 -------- d-----w- c:\programdata\Adobe Systems
2010-04-13 17:28 . 2010-04-13 17:28 -------- d-----w- c:\program files\Common Files\Adobe Systems Shared
2010-04-13 13:29 . 2010-04-13 13:29 -------- d-----w- c:\program files\Xvid
2010-04-13 13:28 . 2010-04-13 13:28 -------- d-----w- c:\program files\VDGPRS Client NetMeter
2010-04-13 13:28 . 2010-04-13 13:28 -------- d-----w- c:\program files\VDGPRS NetMeter
2010-04-13 13:28 . 2001-08-31 10:00 24626 ----a-w- c:\windows\system32\ScrrnIT.dll
2010-04-13 13:28 . 2010-04-13 13:28 -------- d-----w- c:\program files\VDGPRS Client Manager
2010-04-13 13:27 . 2010-04-13 13:29 -------- d-----w- c:\program files\VDGPRS CLIENT 2°
2010-04-10 15:48 . 2010-04-10 15:48 714752 ----a-w- c:\windows\is-MADLI.exe
2010-04-10 15:48 . 2009-08-24 19:08 28160 ----a-w- c:\windows\system32\DfSdkBt.exe
2010-04-10 15:46 . 2009-01-09 09:46 39776 ----a-w- c:\windows\system32\DfSdkBt64.exe
2010-04-10 15:46 . 2010-04-24 06:18 -------- d-----w- c:\program files\Ashampoo WinOptimizer 6
2010-04-10 15:44 . 2010-04-10 15:44 -------- d-----w- c:\program files\Common Files\Hewlett-Packard
2010-04-10 15:44 . 2010-04-20 18:34 -------- d-----w- c:\program files\Hewlett-Packard
2010-04-10 08:31 . 2010-04-10 08:31 -------- d-----w- c:\program files\Common Files\Borland Shared
2010-04-10 08:31 . 2010-04-10 08:31 -------- d-----w- C:\Avaris
2010-04-10 08:31 . 1999-03-23 07:12 299520 ----a-w- c:\windows\uninst.exe
2010-04-10 08:29 . 2010-04-10 08:29 -------- d-----w- c:\users\merlp\AppData\Roaming\TrueCrypt
2010-04-09 16:21 . 2010-04-09 16:21 -------- d-----w- c:\program files\ESET
2010-04-09 16:18 . 2010-04-13 17:28 -------- d-----w- c:\program files\Common Files\Adobe
2010-04-09 15:51 . 2009-12-13 09:30 641536 ----a-w- c:\windows\system32\CPFilters.dll
2010-04-09 15:51 . 2009-12-13 09:30 465408 ----a-w- c:\windows\system32\psisdecd.dll
2010-04-09 15:51 . 2009-12-13 09:29 417792 ----a-w- c:\windows\system32\msdri.dll
2010-04-09 15:51 . 2010-01-18 23:29 85504 ----a-w- c:\windows\system32\secproc_ssp_isv.dll
2010-04-09 15:51 . 2010-01-18 23:29 365568 ----a-w- c:\windows\system32\secproc_isv.dll
2010-04-09 15:51 . 2010-01-18 23:29 369152 ----a-w- c:\windows\system32\secproc.dll
2010-04-09 15:51 . 2010-01-18 23:28 324608 ----a-w- c:\windows\system32\RMActivate_isv.exe
2010-04-09 15:51 . 2010-01-18 23:28 320512 ----a-w- c:\windows\system32\RMActivate.exe
2010-04-09 15:51 . 2010-01-18 23:29 85504 ----a-w- c:\windows\system32\secproc_ssp.dll
2010-04-09 15:51 . 2010-01-18 23:28 277504 ----a-w- c:\windows\system32\RMActivate_ssp_isv.exe
2010-04-09 15:51 . 2010-01-18 23:28 280064 ----a-w- c:\windows\system32\RMActivate_ssp.exe
2010-04-09 15:02 . 2010-04-19 14:22 -------- d-----w- c:\program files\Classic Menu for Office
2010-04-09 15:01 . 2010-04-09 15:01 -------- d-----w- c:\program files\MSECache
2010-04-09 15:00 . 2010-04-09 15:00 -------- d-----w- c:\windows\PCHEALTH
2010-04-09 15:00 . 2010-04-09 15:00 -------- d-----w- c:\program files\Microsoft.NET
2010-04-09 14:59 . 2010-04-09 14:59 -------- d-----w- c:\users\merlp\AppData\Local\Microsoft Help
2010-04-09 14:59 . 2010-04-09 15:01 -------- d-----w- c:\programdata\Microsoft Help
2010-04-09 14:57 . 2010-04-09 14:57 -------- d-----r- C:\MSOCache
2010-04-09 14:36 . 2010-04-09 14:36 4 ----a-w- c:\program files\1522086.dat
2010-04-09 14:22 . 2010-04-09 14:22 -------- d-----w- c:\users\merlp\AppData\Roaming\Nero
2010-04-09 14:09 . 2010-04-09 14:09 -------- d-----w- c:\programdata\Nero
2010-04-09 14:09 . 2010-04-09 14:09 -------- d-----w- c:\program files\Common Files\Nero
2010-04-09 14:09 . 2010-04-09 14:09 -------- d-----w- c:\program files\Nero
2010-04-09 13:51 . 2010-04-09 13:51 53248 ----a-w- c:\users\merlp\AppData\Roaming\Thinstall\Microsoft Office Enterprise 2007\300000005700002h\WINWORD.EXE
2010-04-09 13:44 . 2010-04-20 14:52 -------- d-----w- c:\program files\AusLogics Registry Defrag
2010-04-09 13:43 . 2010-04-09 13:43 -------- d-----w- c:\program files\PoiEdit2007
2010-04-09 13:43 . 2010-04-09 13:43 -------- d-----w- c:\program files\TomTom HOME 2
2010-04-09 13:42 . 2010-04-09 13:42 -------- d-----w- c:\program files\Regino v5.0
2010-04-09 13:42 . 2010-04-09 13:42 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-04-09 13:41 . 2010-04-09 13:41 -------- d-----w- c:\program files\ConvertX
2010-04-09 13:41 . 2010-04-09 13:41 -------- d-----w- c:\program files\DVD Shrink
2010-04-09 13:40 . 2010-04-09 13:40 -------- d-----w- c:\program files\MP3Gain
2010-04-09 12:56 . 2010-04-09 13:51 -------- d-----w- c:\users\merlp\AppData\Roaming\Thinstall
2010-04-09 12:56 . 2010-04-09 12:56 -------- d-----w- c:\users\merlp\AppData\Local\Thinstall
2010-04-09 12:50 . 2010-04-09 12:50 4 ----a-w- c:\program files\513648.dat
2010-04-09 12:49 . 2009-09-10 05:52 257024 ----a-w- c:\windows\system32\msv1_0.dll
2010-04-09 12:48 . 2010-02-11 07:10 293376 ----a-w- c:\windows\system32\browserchoice.exe
2010-04-09 12:45 . 2010-02-02 07:45 2048 ----a-w- c:\windows\system32\tzres.dll
2010-04-09 12:45 . 2009-08-29 06:57 34816 ----a-w- c:\windows\system32\msasn1.dll
2010-04-08 18:46 . 2010-04-29 15:28 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2010-04-08 18:44 . 2009-08-16 15:08 178176 ----a-w- c:\windows\system32\unrar.dll
2010-04-08 18:44 . 2008-04-27 08:35 180224 ----a-w- c:\windows\system32\xvidvfw.dll
2010-04-08 18:44 . 2008-04-27 08:33 765952 ----a-w- c:\windows\system32\xvidcore.dll
2010-04-08 18:44 . 2004-01-25 16:18 217088 ----a-w- c:\windows\system32\yv12vfw.dll
2010-04-08 18:44 . 2009-06-02 16:11 85504 ----a-w- c:\windows\system32\ff_vfw.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-29 14:47 . 2009-07-14 08:44 622422 ----a-w- c:\windows\system32\perfh005.dat
2010-04-29 14:47 . 2009-07-14 08:44 118604 ----a-w- c:\windows\system32\perfc005.dat
2010-04-19 11:55 . 2010-04-16 18:08 -------- d-----w- c:\program files\Změna MAC adresy
2010-04-08 18:37 . 2010-04-08 18:37 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_09_00.Wdf
2010-04-08 17:05 . 2010-04-08 17:05 -------- d-----w- c:\users\merlp\AppData\Roaming\Leadertech
2010-04-08 17:05 . 2010-04-08 17:05 -------- d-----w- c:\users\merlp\AppData\Roaming\Imagenomic
2010-04-08 17:05 . 2010-04-08 17:05 -------- d-----w- c:\users\merlp\AppData\Roaming\DAEMON Tools Lite
2010-04-08 17:05 . 2010-04-08 17:05 -------- d-----w- c:\users\merlp\AppData\Roaming\DAEMON Tools
2010-04-08 17:05 . 2010-04-08 17:05 -------- d-----w- c:\users\merlp\AppData\Roaming\CyberLink
2010-04-08 17:05 . 2010-04-08 17:05 -------- d-----w- c:\users\merlp\AppData\Roaming\CD-LabelPrint
2010-04-08 17:05 . 2010-04-08 17:05 -------- d-----w- c:\users\merlp\AppData\Roaming\Auslogics
2010-04-08 17:05 . 2010-04-08 17:05 -------- d-----w- c:\users\merlp\AppData\Roaming\atitray
2010-04-08 17:05 . 2010-04-08 17:05 -------- d-----w- c:\users\merlp\AppData\Roaming\ATI
2010-04-08 17:05 . 2010-04-08 17:05 -------- d-----w- c:\users\merlp\AppData\Roaming\Ahead
2010-04-08 17:05 . 2010-04-08 17:05 -------- d-----w- c:\users\merlp\AppData\Roaming\AdobeUM
2010-04-08 16:31 . 2010-04-08 16:31 -------- d-sh--we c:\programdata\Plocha
2010-04-08 16:31 . 2010-04-08 16:31 -------- d-sh--we c:\programdata\Oblíbené položky
2010-04-08 16:31 . 2010-04-08 16:31 -------- d-sh--we c:\programdata\Šablony
2010-04-08 16:31 . 2010-04-08 16:31 -------- d-sh--we c:\programdata\Nabídka Start
2010-04-08 16:31 . 2010-04-08 16:31 -------- d-sh--we c:\programdata\Dokumenty
2010-04-08 16:31 . 2010-04-08 16:31 -------- d-sh--we c:\programdata\Data aplikací
2010-03-26 13:48 . 2010-03-26 13:48 91816 ----a-w- c:\windows\system32\Tweak7SystemService.exe
2010-03-04 11:42 . 2010-03-04 11:42 277536 ----a-w- c:\windows\system32\drivers\Rt86win7.sys
2010-03-03 04:22 . 2010-03-03 04:22 5340160 ----a-w- c:\windows\system32\drivers\atipmdag.sys
2010-03-03 04:22 . 2010-03-03 04:22 5340160 ----a-w- c:\windows\system32\drivers\atikmdag.sys
2010-03-03 04:16 . 2010-03-03 04:16 143360 ----a-w- c:\windows\system32\atiapfxx.exe
2010-03-03 04:16 . 2010-03-03 04:16 446464 ----a-w- c:\windows\system32\aticfx32.dll
2010-03-03 04:13 . 2010-03-03 04:13 446464 ----a-w- c:\windows\system32\ATIDEMGX.dll
2010-03-03 04:12 . 2010-03-03 04:12 372736 ----a-w- c:\windows\system32\atieclxx.exe
2010-03-03 04:11 . 2010-03-03 04:11 172032 ----a-w- c:\windows\system32\atiesrxx.exe
2010-03-03 04:10 . 2010-03-03 04:10 159744 ----a-w- c:\windows\system32\atitmmxx.dll
2010-03-03 04:10 . 2010-03-03 04:10 356352 ----a-w- c:\windows\system32\atipdlxx.dll
2010-03-03 04:09 . 2010-03-03 04:09 274432 ----a-w- c:\windows\system32\Oemdspif.dll
2010-03-03 04:09 . 2010-03-03 04:09 11776 ----a-w- c:\windows\system32\atimuixx.dll
2010-03-03 04:09 . 2010-03-03 04:09 43520 ----a-w- c:\windows\system32\ati2edxx.dll
2010-03-03 04:06 . 2010-03-03 04:06 3131392 ----a-w- c:\windows\system32\atidxx32.dll
2010-03-03 03:46 . 2010-03-03 03:46 3703808 ----a-w- c:\windows\system32\atiumdag.dll
2010-03-03 03:45 . 2010-03-03 03:45 14226944 ----a-w- c:\windows\system32\atioglxx.dll
2010-03-03 03:24 . 2010-03-03 03:24 2993152 ----a-w- c:\windows\system32\atiumdva.dll
2010-03-03 03:23 . 2010-03-03 03:23 50176 ----a-w- c:\windows\system32\coinst.dll
2010-03-03 03:20 . 2010-03-03 03:20 53248 ----a-w- c:\windows\system32\aticalrt.dll
2010-03-03 03:20 . 2010-03-03 03:20 53248 ----a-w- c:\windows\system32\aticalcl.dll
2010-03-03 03:18 . 2010-03-03 03:18 3657728 ----a-w- c:\windows\system32\aticaldd.dll
2010-03-03 03:08 . 2010-03-03 03:08 52224 ----a-w- c:\windows\system32\atimpc32.dll
2010-03-03 03:08 . 2010-03-03 03:08 52224 ----a-w- c:\windows\system32\amdpcom32.dll
2010-03-03 03:08 . 2010-03-03 03:08 237568 ----a-w- c:\windows\system32\atiadlxx.dll
2010-03-03 03:07 . 2010-03-03 03:07 12800 ----a-w- c:\windows\system32\atiglpxx.dll
2010-03-03 03:07 . 2010-03-03 03:07 15360 ----a-w- c:\windows\system32\atigktxx.dll
2010-03-03 03:07 . 2010-03-03 03:07 152064 ----a-w- c:\windows\system32\drivers\atikmpag.sys
2010-03-03 03:06 . 2010-03-03 03:06 27648 ----a-w- c:\windows\system32\atiuxpag.dll
2010-03-03 03:06 . 2010-03-03 03:06 20480 ----a-w- c:\windows\system32\atiu9pag.dll
2010-03-03 03:05 . 2010-03-03 03:05 53248 ----a-w- c:\windows\system32\drivers\ati2erec.dll
2010-02-25 19:55 . 2010-02-25 19:55 201875 ----a-w- c:\windows\system32\atiicdxx.dat
2010-02-23 16:15 . 2010-02-23 16:15 1105 ----a-w- c:\windows\system32\atipblag.dat
2010-02-23 07:56 . 2010-04-09 12:47 977920 ----a-w- c:\windows\system32\wininet.dll
2010-02-08 17:46 . 2010-02-22 16:51 1695264 ----a-w- c:\windows\system32\RtkPgExt.dll
2010-02-08 17:46 . 2010-02-22 16:51 57376 ----a-w- c:\windows\system32\RtkCoInst.dll
2010-02-08 17:46 . 2010-02-22 16:51 371232 ----a-w- c:\windows\system32\RtkApoApi.dll
2010-02-08 17:46 . 2010-02-22 16:51 2624544 ----a-w- c:\windows\system32\RtkAPO.dll
2010-02-08 17:17 . 2010-02-22 16:51 3019232 ----a-w- c:\windows\system32\drivers\RTKVHDA.sys
2010-02-03 10:24 . 2009-12-03 08:27 94208 ----a-w- c:\windows\system32\RTNUninst32.dll
2009-06-10 21:26 . 2009-07-14 02:04 9633792 --sha-r- c:\windows\Fonts\StaticCache.dat
2009-07-14 01:14 . 2009-07-13 23:42 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe
.

c:\program files\Adobe\Reader 9.0\Reader\reader_sl .exe
c:\program files\ATI\ATICustomerCare\aticustomercare .exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\clistart .exe
c:\program files\Common Files\Nero\Lib\nerocheck .exe
c:\program files\Nero\Nero8\Nero BackItUp\nbkeyscan .exe
c:\program files\Realtek\Audio\HDA\rthdvcpl .exe
(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-07-14 1173504]
"RESTART_STICKY_NOTES"="c:\windows\System32\StikyNot.exe" [2009-07-14 354304]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2010-02-08 8505888]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2009-05-14 2029640]

c:\users\merlp\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Sticky Notes Taskbar Hider.lnk - c:\program files\StickyNotes\SNTBHider.exe [2010-4-20 638976]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
"EnableLUA"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)
"NoFileAssociate"= 0 (0x0)

R1 zflxsbdwi9;zflxsbdwi9.sys;c:\windows\system32\drivers\zflxsbdwi9.sys [x]
R3 DfSdkS;Defragmentation-Service;c:\program files\Ashampoo WinOptimizer 6\Dfsdks.exe [2009-08-24 406016]
S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2010-04-19 691696]
S1 ehdrv;ehdrv;c:\windows\system32\DRIVERS\ehdrv.sys [2009-05-14 107256]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2010-03-03 172032]
S2 ekrn;ESET Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [2009-05-14 731840]
S2 epfwwfp;epfwwfp;c:\windows\system32\DRIVERS\epfwwfp.sys [2009-05-14 38240]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2010-03-29 303952]
S2 Tweak7SystemService;Tweak7SystemService;c:\windows\system32\Tweak7SystemService.exe [2010-03-26 91816]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atipmdag.sys [2010-03-03 5340160]
S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [2010-03-03 152064]
S3 kxwdmdrv;kX WDM Driver Service;c:\windows\system32\drivers\kx.sys [2008-04-05 568320]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-03-29 20824]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2010-03-04 277536]


--- Ostatní služby/ovladače v paměti ---

*Deregistered* - gyqdeaip
.
Obsah adresáře 'Naplánované úlohy'

2010-04-20 c:\windows\Tasks\PDVD9Serv.EXE_20100420_170148_0336.job
- c:\program files\CyberLink\PowerDVD9\PDVD9Serv.exe [2009-02-16 07:55]

2010-04-20 c:\windows\Tasks\PDVD9Serv.EXE_20100420_171404_0721.job
- c:\program files\CyberLink\PowerDVD9\PDVD9Serv.exe [2009-02-16 07:55]
.
.
------- Doplňkový sken -------
.
uStart Page = hxxp://www.daemon-search.com/startpage
mWindow Title = Microsoft Internet Explorer
IE: E&xportovat do aplikace Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
.

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys halmacpi.dll >>UNKNOWN [0x850721F8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
IoDeviceObjectType -> DumpProcedure -> 0xd46a624f
SecurityProcedure -> 0x850c26f0
QueryNameProcedure -> 0x850c2880
user & kernel MBR OK

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\services\gyqdeaip]

.
--------------------- ZAMKNUTÉ KLÍČE V REGISTRU ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Jiné spuštené procesy ------------------------
.
c:\windows\system32\atieclxx.exe
c:\program files\Nero\Nero8\Nero BackItUp\NBService.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\conhost.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\DAEMON Tools Lite\DTShellHlp.exe
c:\windows\system32\sppsvc.exe
.
**************************************************************************
.
Celkový čas: 2010-04-29 16:52:28 - počítač byl restartován
ComboFix-quarantined-files.txt 2010-04-29 14:52

Před spuštěním: Volných bajtů: 15 736 967 168
Po spuštění: Volných bajtů: 15 647 850 496

- - End Of File - - C961E9109096A39EAA50D87AB229455E
Last edited by merlp on 29 Apr 2010 17:30, edited 2 times in total.

merlp
Visitor
Posts: 9
Registered: 29 Apr 2010 16:17

Re: Log check - problem with rootkit gyqdeaip.sys

#2 Post by merlp »

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit quick scan 2010-04-29 18:21:54
Windows 6.1.7600
Running: gmer.exe; Driver: C:\Users\merlp\AppData\Local\Temp\pglcypod.sys


---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 85FD6618
Device \FileSystem\Ntfs \Ntfs 850741F8

AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET)

---- EOF - GMER 1.0.15 ----

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-04-29 18:28:45
Windows 6.1.7600
Running: gmer.exe; Driver: C:\Users\merlp\AppData\Local\Temp\pglcypod.sys


---- System - GMER 1.0.15 ----

INT 0x1F \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 8303BAF8
INT 0x37 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 8303B104
INT 0xC1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 8303B3F4
INT 0xD1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 830242D8
INT 0xD2 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 83023898
INT 0xDF \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 8303B1DC
INT 0xE1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 8303B958
INT 0xE3 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 8303B6F8
INT 0xFD \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 8303BF2C
INT 0xFE \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 8303C1A8

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwSaveKeyEx + 13AD 82C54599 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82C78F52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
? System32\Drivers\sppv.sys Systém nemůže nalézt uvedenou cestu. !
? System32\Drivers\gyqdeaip.sys Zařízení připojené k systému nefunguje. !
.text C:\Windows\system32\DRIVERS\atipmdag.sys section is writeable [0x8F602000, 0x2ECEB2, 0xE8000020]
.text USBPORT.SYS!DllUnload 8EBD9CA0 5 Bytes JMP 8634F1D8
.text aujtarfm.SYS 8EDA9000 12 Bytes [44, 68, 02, 83, EE, 66, 02, ...] {INC ESP; PUSH 0x66ee8302; ADD AL, [EBX-0x7cfdb860]}
.text aujtarfm.SYS 8EDA900D 9 Bytes [47, 02, 83, 48, 6B, 02, 83, ...] {INC EDI; ADD AL, [EBX-0x7cfd94b8]; ADD [EAX], AL}
.text aujtarfm.SYS 8EDA9017 170 Bytes [00, DE, C7, F8, 88, E6, C5, ...]
.text aujtarfm.SYS 8EDA90C3 8 Bytes [00, 00, 00, 00, 00, 00, 00, ...] {ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL}
.text aujtarfm.SYS 8EDA90CE 4 Bytes [00, 00, 00, 00] {ADD [EAX], AL; ADD [EAX], AL}
.text ...
.text peauth.sys 96099C9D 28 Bytes [DE, 91, 3F, 60, CB, 83, A3, ...]
.text peauth.sys 96099CC1 28 Bytes [DE, 91, 3F, 60, CB, 83, A3, ...]

---- User code sections - GMER 1.0.15 ----

? C:\Windows\System32\svchost.exe[624] image checksum mismatch; time/date stamp mismatch;
.text C:\Program Files\Mozilla Firefox\firefox.exe[1520] ntdll.dll!LdrLoadDll 7709F585 5 Bytes JMP 013A13F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)
.text C:\Program Files\ESET\ESET Smart Security\ekrn.exe[1592] kernel32.dll!SetUnhandledExceptionFilter 76E53162 4 Bytes [C2, 04, 00, 00]

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [88E90042] \SystemRoot\System32\Drivers\sppv.sys
IAT \SystemRoot\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [88E906D6] \SystemRoot\System32\Drivers\sppv.sys
IAT \SystemRoot\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [88E90800] \SystemRoot\System32\Drivers\sppv.sys
IAT \SystemRoot\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [88E9013E] \SystemRoot\System32\Drivers\sppv.sys
IAT \SystemRoot\System32\Drivers\aujtarfm.SYS[ataport.SYS!AtaPortNotification] 00147880
IAT \SystemRoot\System32\Drivers\aujtarfm.SYS[ataport.SYS!AtaPortQuerySystemTime] 78800C75
IAT \SystemRoot\System32\Drivers\aujtarfm.SYS[ataport.SYS!AtaPortReadPortUchar] 06750015
IAT \SystemRoot\System32\Drivers\aujtarfm.SYS[ataport.SYS!AtaPortStallExecution] C25DC033
IAT \SystemRoot\System32\Drivers\aujtarfm.SYS[ataport.SYS!AtaPortWritePortUchar] 458B0008
IAT \SystemRoot\System32\Drivers\aujtarfm.SYS[ataport.SYS!AtaPortWritePortUlong] 6A006A08
IAT \SystemRoot\System32\Drivers\aujtarfm.SYS[ataport.SYS!AtaPortGetPhysicalAddress] 50056A24
IAT \SystemRoot\System32\Drivers\aujtarfm.SYS[ataport.SYS!AtaPortConvertPhysicalAddressToUlong] 005AB7E8
IAT \SystemRoot\System32\Drivers\aujtarfm.SYS[ataport.SYS!AtaPortGetScatterGatherList] 0001B800
IAT \SystemRoot\System32\Drivers\aujtarfm.SYS[ataport.SYS!AtaPortGetParentBusType] C25D0000
IAT \SystemRoot\System32\Drivers\aujtarfm.SYS[ataport.SYS!AtaPortRequestCallback] CCCC0008
IAT \SystemRoot\System32\Drivers\aujtarfm.SYS[ataport.SYS!AtaPortWritePortBufferUshort] CCCCCCCC
IAT \SystemRoot\System32\Drivers\aujtarfm.SYS[ataport.SYS!AtaPortGetUnCachedExtension] CCCCCCCC
IAT \SystemRoot\System32\Drivers\aujtarfm.SYS[ataport.SYS!AtaPortCompleteRequest] CCCCCCCC
IAT \SystemRoot\System32\Drivers\aujtarfm.SYS[ataport.SYS!AtaPortCopyMemory] 53EC8B55
IAT \SystemRoot\System32\Drivers\aujtarfm.SYS[ataport.SYS!AtaPortEtwTraceLog] 800C5D8B
IAT \SystemRoot\System32\Drivers\aujtarfm.SYS[ataport.SYS!AtaPortCompleteAllActiveRequests] 7500117B
IAT \SystemRoot\System32\Drivers\aujtarfm.SYS[ataport.SYS!AtaPortReleaseRequestSenseIrb] 127B806A
IAT \SystemRoot\System32\Drivers\aujtarfm.SYS[ataport.SYS!AtaPortBuildRequestSenseIrb] 80647500
IAT \SystemRoot\System32\Drivers\aujtarfm.SYS[ataport.SYS!AtaPortReadPortBufferUshort] 7500137B
IAT \SystemRoot\System32\Drivers\aujtarfm.SYS[ataport.SYS!AtaPortInitialize] 157B805E
IAT \SystemRoot\System32\Drivers\aujtarfm.SYS[ataport.SYS!AtaPortGetDeviceBase] 56587500
IAT \SystemRoot\System32\Drivers\aujtarfm.SYS[ataport.SYS!AtaPortDeviceStateChange] 8008758B

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Windows\System32\svchost.exe[624] @ C:\Windows\System32\svchost.exe [msvcrt.dll!__wgetmainargs] 51EC8B55
IAT C:\Windows\System32\svchost.exe[624] @ C:\Windows\System32\svchost.exe [msvcrt.dll!_exit] 1845DB51
IAT C:\Windows\System32\svchost.exe[624] @ C:\Windows\System32\svchost.exe [msvcrt.dll!_XcptFilter] F855DD56
IAT C:\Windows\System32\svchost.exe[624] @ C:\Windows\System32\svchost.exe [msvcrt.dll!exit] E8084DDC
IAT C:\Windows\System32\svchost.exe[624] @ C:\Windows\System32\svchost.exe [msvcrt.dll!_initterm] 000004D2
IAT C:\Windows\System32\svchost.exe[624] @ C:\Windows\System32\svchost.exe [msvcrt.dll!_amsg_exit] FF184589
IAT C:\Windows\System32\svchost.exe[624] @ C:\Windows\System32\svchost.exe [msvcrt.dll!__setusermatherr] 40516015
IAT C:\Windows\System32\svchost.exe[624] @ C:\Windows\System32\svchost.exe [msvcrt.dll!memcpy] F845DD00
IAT C:\Windows\System32\svchost.exe[624] @ C:\Windows\System32\svchost.exe [msvcrt.dll!_controlfp] 8B104DDC
IAT C:\Windows\System32\svchost.exe[624] @ C:\Windows\System32\svchost.exe [msvcrt.dll!_except_handler4_common] 1865DAF0
IAT C:\Windows\System32\svchost.exe[624] @ C:\Windows\System32\svchost.exe [msvcrt.dll!?terminate@@YAXXZ] 0004B9E8
IAT C:\Windows\System32\svchost.exe[624] @ C:\Windows\System32\svchost.exe [msvcrt.dll!__set_app_type] 8BC88B00
IAT C:\Windows\System32\svchost.exe[624] @ C:\Windows\System32\svchost.exe [msvcrt.dll!__p__fmode] F74199C6
IAT C:\Windows\System32\svchost.exe[624] @ C:\Windows\System32\svchost.exe [msvcrt.dll!__p__commode] C28B5EF9
IAT C:\Windows\System32\svchost.exe[624] @ C:\Windows\System32\svchost.exe [msvcrt.dll!_cexit] C9184503
IAT C:\Windows\System32\svchost.exe[624] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!LocalAlloc] 40516015
IAT C:\Windows\System32\svchost.exe[624] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!CloseHandle] 244C8B00
IAT C:\Windows\System32\svchost.exe[624] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!DelayLoadFailureHook] 748D9908
IAT C:\Windows\System32\svchost.exe[624] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!GetProcAddress] FEF70109
IAT C:\Windows\System32\svchost.exe[624] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!GetLastError] 2BC28B5E
IAT C:\Windows\System32\svchost.exe[624] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!FreeLibrary] 244403C1
IAT C:\Windows\System32\svchost.exe[624] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!InterlockedCompareExchange] 15FFC308
IAT C:\Windows\System32\svchost.exe[624] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!LoadLibraryExA] [00405160] C:\Windows\System32\svchost.exe (Host Process for Windows Services/Microsoft Corporation)
IAT C:\Windows\System32\svchost.exe[624] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!InterlockedExchange] 04244C8B
IAT C:\Windows\System32\svchost.exe[624] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!Sleep] F9F74199
IAT C:\Windows\System32\svchost.exe[624] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!SetUnhandledExceptionFilter] FFC3C28B
IAT C:\Windows\System32\svchost.exe[624] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!GetModuleHandleA] 40516015
IAT C:\Windows\System32\svchost.exe[624] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!QueryPerformanceCounter] 646A9900
IAT C:\Windows\System32\svchost.exe[624] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!GetTickCount] 33F9F759
IAT C:\Windows\System32\svchost.exe[624] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!GetSystemTimeAsFileTime] 24543BC0
IAT C:\Windows\System32\svchost.exe[624] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!UnhandledExceptionFilter] C09C0F04
IAT C:\Windows\System32\svchost.exe[624] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!DeactivateActCtx] EC8B55C3
IAT C:\Windows\System32\svchost.exe[624] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!LoadLibraryExW] 0204EC81
IAT C:\Windows\System32\svchost.exe[624] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!ActivateActCtx] 68560000
IAT C:\Windows\System32\svchost.exe[624] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!lstrcmpW] 515815FF
IAT C:\Windows\System32\svchost.exe[624] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!RegCloseKey] 00FFB8F0
IAT C:\Windows\System32\svchost.exe[624] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!RegOpenKeyExW] 8D500000
IAT C:\Windows\System32\svchost.exe[624] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!HeapSetInformation] FFFEFC8D
IAT C:\Windows\System32\svchost.exe[624] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!lstrcmpiW] C93351FF
IAT C:\Windows\System32\svchost.exe[624] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!lstrlenW] 558D5151
IAT C:\Windows\System32\svchost.exe[624] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!LCMapStringW] 8D5052FC
IAT C:\Windows\System32\svchost.exe[624] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!RegQueryValueExW] FFFDFC85
IAT C:\Windows\System32\svchost.exe[624] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!ReleaseActCtx] FF5150FF
IAT C:\Windows\System32\svchost.exe[624] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!CreateActCtxW] 40504415
IAT C:\Windows\System32\svchost.exe[624] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!ExpandEnvironmentStringsW] 56216A00
IAT C:\Windows\System32\svchost.exe[624] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!GetCommandLineW] FFFC75FF
IAT C:\Windows\System32\svchost.exe[624] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!ExitProcess] 40515C15
IAT C:\Windows\System32\svchost.exe[624] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!SetProcessAffinityUpdateMode] 0CC48300
IAT C:\Windows\System32\svchost.exe[624] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!RegDisablePredefinedCacheEx] C01BD8F7
IAT C:\Windows\System32\svchost.exe[624] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!GetProcessHeap] EC8B55C3
IAT C:\Windows\System32\svchost.exe[624] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!SetErrorMode] 458B5151
IAT C:\Windows\System32\svchost.exe[624] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!RegisterWaitForSingleObjectEx] 33565308
IAT C:\Windows\System32\svchost.exe[624] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!LocalFree] 57C88BF6
IAT C:\Windows\System32\svchost.exe[624] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!HeapFree] 33FC7589
IAT C:\Windows\System32\svchost.exe[624] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!WideCharToMultiByte] 01518DFF
IAT C:\Windows\System32\svchost.exe[624] @ C:\Windows\System32\svchost.exe [ntdll.dll!RtlAllocateHeap] 802974CA
IAT C:\Windows\System32\svchost.exe[624] @ C:\Windows\System32\svchost.exe [ntdll.dll!RtlLengthRequiredSid] [7420063C] C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16385_none_421189da2b7fabfc\comctl32.dll (User Experience Controls Library/Microsoft Corporation)
IAT C:\Windows\System32\svchost.exe[624] @ C:\Windows\System32\svchost.exe [ntdll.dll!RtlSubAuthoritySid] [75FF850A] C:\Windows\system32\SHELL32.dll (Windows Shell Common Dll/Microsoft Corporation)
IAT C:\Windows\System32\svchost.exe[624] @ C:\Windows\System32\svchost.exe [ntdll.dll!RtlInitializeSid] 45FF470C
IAT C:\Windows\System32\svchost.exe[624] @ C:\Windows\System32\svchost.exe [ntdll.dll!RtlCopySid] 8506EBFC
IAT C:\Windows\System32\svchost.exe[624] @ C:\Windows\System32\svchost.exe [ntdll.dll!RtlSubAuthorityCountSid] 330274FF
IAT C:\Windows\System32\svchost.exe[624] @ C:\Windows\System32\svchost.exe [ntdll.dll!RtlInitializeCriticalSection] 46C88BFF
IAT C:\Windows\System32\svchost.exe[624] @ C:\Windows\System32\svchost.exe [ntdll.dll!RtlSetProcessIsCritical] 8A01518D
IAT C:\Windows\System32\svchost.exe[624] @ C:\Windows\System32\svchost.exe [ntdll.dll!RtlImageNtHeader] DB844119
IAT C:\Windows\System32\svchost.exe[624] @ C:\Windows\System32\svchost.exe [ntdll.dll!RtlUnhandledExceptionFilter] CA2BF975
IAT C:\Windows\System32\svchost.exe[624] @ C:\Windows\System32\svchost.exe [ntdll.dll!EtwEventWrite] D772F13B
IAT C:\Windows\System32\svchost.exe[624] @ C:\Windows\System32\svchost.exe [ntdll.dll!EtwEventEnabled] 5FFC458B
IAT C:\Windows\System32\svchost.exe[624] @ C:\Windows\System32\svchost.exe [ntdll.dll!EtwEventRegister] C3C95B5E
IAT C:\Windows\System32\svchost.exe[624] @ C:\Windows\System32\svchost.exe [ntdll.dll!RtlFreeHeap] 83EC8B55
IAT C:\Windows\System32\svchost.exe[624] @ C:\Windows\System32\svchost.exe [RPCRT4.dll!RpcMgmtSetServerStackSize] FF0A7500
IAT C:\Windows\System32\svchost.exe[624] @ C:\Windows\System32\svchost.exe [RPCRT4.dll!I_RpcMapWin32Status] 45C7F845
IAT C:\Windows\System32\svchost.exe[624] @ C:\Windows\System32\svchost.exe [RPCRT4.dll!RpcServerUnregisterIf] 000001FC
IAT C:\Windows\System32\svchost.exe[624] @ C:\Windows\System32\svchost.exe [RPCRT4.dll!RpcMgmtWaitServerListen] 0C4D8B00
IAT C:\Windows\System32\svchost.exe[624] @ C:\Windows\System32\svchost.exe [RPCRT4.dll!RpcMgmtStopServerListening] F84D3941
IAT C:\Windows\System32\svchost.exe[624] @ C:\Windows\System32\svchost.exe [RPCRT4.dll!RpcServerUnregisterIfEx] 016A3275
IAT C:\Windows\System32\svchost.exe[624] @ C:\Windows\System32\svchost.exe [RPCRT4.dll!RpcServerRegisterIf] 15FF5750
IAT C:\Windows\System32\svchost.exe[624] @ C:\Windows\System32\svchost.exe [RPCRT4.dll!RpcServerUseProtseqEpW] [00405154] C:\Windows\System32\svchost.exe (Host Process for Windows Services/Microsoft Corporation)
IAT C:\Windows\System32\svchost.exe[624] @ C:\Windows\System32\svchost.exe [RPCRT4.dll!RpcServerListen] EB0CC483

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 85FD6618
Device \FileSystem\Ntfs \Ntfs 850741F8

AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET)

Device \Driver\volmgr \Device\VolMgrControl 850701F8
Device \Driver\usbuhci \Device\USBPDO-0 863571F8
Device \Driver\sptd \Device\3658771455 sppv.sys
Device \Driver\usbuhci \Device\USBPDO-1 863571F8
Device \Driver\usbuhci \Device\USBPDO-2 863571F8
Device \Driver\usbehci \Device\USBPDO-3 86316500
Device \Driver\usbuhci \Device\USBPDO-4 863571F8
Device \Driver\usbuhci \Device\USBPDO-5 863571F8
Device \Driver\usbuhci \Device\USBPDO-6 863571F8
Device \Driver\volmgr \Device\HarddiskVolume1 850701F8

AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

Device \Driver\PCI_PNP9454 \Device\00000058 sppv.sys
Device \Driver\usbehci \Device\USBPDO-7 86316500
Device \Driver\volmgr \Device\HarddiskVolume2 850701F8

AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

Device \Driver\cdrom \Device\CdRom0 86A4B1F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{5B38E1CD-B78B-430B-8B49-2A42EE929CA4} 85FE73B0
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-0 850721F8
Device \Driver\atapi \Device\Ide\IdePort0 850721F8
Device \Driver\atapi \Device\Ide\IdePort1 850721F8
Device \Driver\atapi \Device\Ide\IdePort2 850721F8
Device \Driver\atapi \Device\Ide\IdePort3 850721F8
Device \Driver\atapi \Device\Ide\IdePort4 850721F8
Device \Driver\atapi \Device\Ide\IdePort5 850721F8
Device \Driver\NetBT \Device\NetBt_Wins_Export 85FE73B0
Device \Driver\ACPI_HAL \Device\0000004f halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)
Device \Driver\usbuhci \Device\USBFDO-0 863571F8
Device \Driver\usbuhci \Device\USBFDO-1 863571F8
Device \Driver\usbuhci \Device\USBFDO-2 863571F8
Device \Driver\usbehci \Device\USBFDO-3 86316500
Device \Driver\usbuhci \Device\USBFDO-4 863571F8
Device \Driver\usbuhci \Device\USBFDO-5 863571F8
Device \Driver\usbuhci \Device\USBFDO-6 863571F8
Device \Driver\usbehci \Device\USBFDO-7 86316500
Device \Driver\aujtarfm \Device\Scsi\aujtarfm1Port6Path0Target0Lun0 86407500
Device \Driver\aujtarfm \Device\Scsi\aujtarfm1 86407500

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\gyqdeaip@Type 1
Reg HKLM\SYSTEM\CurrentControlSet\services\gyqdeaip@Start 0
Reg HKLM\SYSTEM\CurrentControlSet\services\gyqdeaip@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\services\gyqdeaip@Group Boot Bus Extender
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xFD 0x96 0x29 0xF9 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xAC 0xE7 0x33 0x28 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xF6 0x65 0x09 0x59 ...
Reg HKLM\SYSTEM\ControlSet002\services\gyqdeaip@Type 1
Reg HKLM\SYSTEM\ControlSet002\services\gyqdeaip@Start 0
Reg HKLM\SYSTEM\ControlSet002\services\gyqdeaip@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet002\services\gyqdeaip@Group Boot Bus Extender
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xFD 0x96 0x29 0xF9 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xAC 0xE7 0x33 0x28 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xF6 0x65 0x09 0x59 ...
Reg HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted@C:\PROGRA~1\VDGPRS CLIENT 2°\vcredist_x86.exe 1
Reg HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted@C:\PROGRA~1\VDGPRS CLIENT 2°\XviD-1.1.3-27042008.exe 1

---- EOF - GMER 1.0.15 ----

merlp
Visitor
Posts: 9
Registered: 29 Apr 2010 16:17

Re: Log check - problem with the rootkit gyqdeaip.sys

#3 Post by merlp »

Here I'm sending both logs, OTL.Txt didn't fit in the post
Attachments
OTL.rar
OTL.Txt
(13.94 KiB) Downloaded 47 times
Extras.rar
Extras.Txt
(6.77 KiB) Downloaded 58 times

merlp
Visitor
Posts: 9
Registered: 29 Apr 2010 16:17

Re: Log check - problem with the rootkit gyqdeaip.sys

#4 Post by merlp »

ComboFix 10-04-29.01 - merlp 29.04.2010 19:30:43.2.2 - x86
Microsoft Windows 7 Ultimate 6.1.7600.0.1250.420.1029.18.2046.1519 [GMT 2:00]
Spuštěný z: c:\users\merlp\Desktop\ComboFix.exe
Použité ovládací přepínače :: c:\users\merlp\Desktop\CFScript.txt
* Rezidentní štít AV je zapnutý


file zipped: c:\windows\System32\drivers\gyqdeaip.sys
.

((((((((((((((((((((((((((((((((((((((( Ostatní výmazy )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\%appdata%
c:\windows\System32\drivers\gyqdeaip.sys

.
((((((((((((((((((((((((((((((((((((((( Ovladače/Služby )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_GYQDEAIP
-------\Legacy_ZFLXSBDWI9
-------\Service_gyqdeaip
-------\Service_zflxsbdwi9


((((((((((((((((((((((((( Soubory vytvořené od 2010-03-28 do 2010-04-29 )))))))))))))))))))))))))))))))
.

2010-04-29 17:35 . 2010-04-29 17:36 -------- d-----w- c:\users\merlp\AppData\Local\temp
2010-04-29 17:35 . 2010-04-29 17:35 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-04-29 17:35 . 2010-04-29 17:35 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-04-29 15:48 . 2010-04-29 15:48 -------- d-----w- c:\program files\trend micro
2010-04-29 15:48 . 2010-04-29 15:48 -------- d-----w- C:\rsit
2010-04-29 14:31 . 2009-12-11 07:38 1037312 ----a-w- c:\windows\system32\lsasrv.dll
2010-04-29 14:31 . 2009-12-11 07:44 133720 ----a-w- c:\windows\system32\drivers\ksecpkg.sys
2010-04-27 13:59 . 2010-04-27 13:59 -------- d-----w- c:\program files\Imagenomic
2010-04-27 13:01 . 2010-04-27 13:01 -------- d-----w- c:\windows\MSSecurityNS
2010-04-27 13:01 . 2010-04-27 13:01 -------- d-----w- c:\windows\MSSecurityNi
2010-04-23 19:18 . 2010-04-23 19:18 -------- d-----w- c:\users\merlp\AppData\Roaming\Malwarebytes
2010-04-23 19:16 . 2010-03-29 22:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-23 19:16 . 2010-04-23 19:16 -------- d-----w- c:\programdata\Malwarebytes
2010-04-23 19:16 . 2010-03-29 22:45 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-23 19:16 . 2010-04-23 19:17 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-23 18:53 . 2010-01-10 17:40 118784 ----a-w- c:\windows\system32\MSSTDFMT.DLL
2010-04-23 12:34 . 2010-04-23 12:34 -------- d-----w- c:\windows\Sun
2010-04-23 12:32 . 2010-04-23 12:38 -------- d-----w- c:\program files\Common Files\Java
2010-04-23 12:32 . 2010-04-23 12:32 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-04-23 12:32 . 2010-04-23 12:39 -------- d-----w- c:\program files\Java
2010-04-21 18:40 . 1998-06-17 22:00 102912 ----a-w- c:\windows\system32\Vb6stkit.dll
2010-04-21 18:40 . 1997-02-24 15:44 70656 ----a-w- c:\windows\system32\vspell32.dll
2010-04-21 18:40 . 1998-11-22 12:23 84992 ----a-w- c:\windows\system32\Ledit32.dll
2010-04-21 18:40 . 2008-09-12 12:55 1245184 ----a-w- c:\windows\system32\ChilkatCert.dll
2010-04-21 18:40 . 2008-09-12 12:50 1105920 ----a-w- c:\windows\system32\ChilkatFtp2.dll
2010-04-21 14:42 . 2010-04-21 14:42 -------- d-----w- c:\program files\Advanced Port Scanner
2010-04-20 16:01 . 2010-04-20 16:02 -------- d-----w- c:\programdata\Sticky Notes TB Hider
2010-04-20 16:01 . 2010-04-20 16:01 -------- d-----w- c:\program files\StickyNotes
2010-04-20 15:37 . 2010-04-20 15:37 53319 ----a-w- c:\programdata\TEMP\{8C20787A-7402-4FA7-BF25-6E5750930FDC}\PostBuild.exe
2010-04-20 15:04 . 2010-04-20 15:04 -------- d-----w- c:\users\merlp\AppData\Local\PowerDVDCox
2010-04-20 15:04 . 2010-04-20 15:04 -------- d-----w- c:\users\merlp\AppData\Local\PowerDVDCinema
2010-04-20 15:04 . 2010-04-20 15:04 -------- d-----w- c:\users\Public\CyberLink
2010-04-20 15:04 . 2010-04-20 15:04 -------- d-----w- c:\programdata\CyberLink
2010-04-20 15:02 . 2010-04-20 15:12 53319 ----a-w- c:\programdata\TEMP\{2B55AF83-017A-4C81-9324-D9D3255642A6}\PostBuild.exe
2010-04-20 14:59 . 2010-04-20 15:13 -------- d-----w- c:\program files\InstallShield Installation Information
2010-04-20 14:59 . 2010-04-20 14:59 -------- d-----w- c:\program files\Common Files\CyberLink
2010-04-20 14:58 . 2010-04-20 14:58 -------- d-----w- c:\program files\CyberLink
2010-04-20 14:58 . 2010-04-20 15:12 505128 ----a-w- c:\windows\system32\msvcp71.dll
2010-04-20 14:58 . 2010-04-20 15:12 353576 ----a-w- c:\windows\system32\msvcr71.dll
2010-04-20 14:58 . 2010-04-20 15:12 29480 ----a-w- c:\windows\system32\msxml3a.dll
2010-04-20 14:58 . 2010-04-20 14:57 53319 ----a-w- c:\programdata\TEMP\{A8516AC9-AAF1-47F9-9766-03E2D4CDBCF8}\PostBuild.exe
2010-04-19 11:13 . 2010-04-19 11:13 -------- d-----w- c:\users\merlp\AppData\Local\PunkBuster
2010-04-19 11:12 . 2010-04-21 12:30 139128 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2010-04-19 11:12 . 2010-04-19 11:12 138056 ----a-w- c:\users\merlp\AppData\Roaming\PnkBstrK.sys
2010-04-19 11:11 . 2010-04-21 12:30 215128 ----a-w- c:\windows\system32\PnkBstrB.exe
2010-04-19 11:11 . 2010-04-19 11:11 75064 ----a-w- c:\windows\system32\PnkBstrA.exe
2010-04-19 11:11 . 2010-04-19 11:11 2434856 ----a-w- c:\windows\system32\pbsvc_bc2.exe
2010-04-19 10:37 . 2010-04-19 10:37 691696 ----a-w- c:\windows\system32\drivers\sptd.sys
2010-04-19 10:00 . 2010-04-19 11:55 -------- d-----w- c:\program files\DAEMON Tools Lite
2010-04-16 19:35 . 2010-04-16 19:35 -------- d-----w- C:\Local Publish
2010-04-16 19:25 . 2010-04-16 19:24 737280 ----a-w- c:\windows\iun6002.exe
2010-04-16 19:24 . 2010-04-19 11:55 -------- d-----w- c:\program files\WYSIWYG Web Builder 6
2010-04-16 18:11 . 2010-04-19 11:55 -------- d-----w- c:\users\merlp\AppData\Local\Totalidea_Software
2010-04-16 18:10 . 2010-04-19 11:55 -------- d-----w- c:\windows\Tweak-7
2010-04-16 18:10 . 2010-04-19 11:55 -------- d-----w- c:\program files\Tweak-7
2010-04-16 18:08 . 2010-04-19 11:55 -------- d-----w- c:\program files\Změna MAC adresy
2010-04-13 19:08 . 2010-04-19 11:47 -------- d-----w- c:\users\merlp\AppData\Roaming\Tweak-7
2010-04-13 18:54 . 2009-12-29 06:55 172032 ----a-w- c:\windows\system32\wintrust.dll
2010-04-13 18:54 . 2010-01-09 06:52 132608 ----a-w- c:\windows\system32\cabview.dll
2010-04-13 18:29 . 2010-02-27 12:07 3899280 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-04-13 18:29 . 2010-03-08 21:33 427520 ----a-w- c:\windows\system32\vbscript.dll
2010-04-13 18:29 . 2010-02-27 12:07 3954568 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-04-13 18:29 . 2010-02-27 07:32 221696 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-04-13 18:29 . 2010-02-27 07:32 123392 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-04-13 18:29 . 2010-02-27 07:32 95744 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2010-04-13 17:34 . 2010-04-13 17:34 -------- d-----w- c:\programdata\Adobe Systems
2010-04-13 17:28 . 2010-04-13 17:28 -------- d-----w- c:\program files\Common Files\Adobe Systems Shared
2010-04-13 13:29 . 2010-04-13 13:29 -------- d-----w- c:\program files\Xvid
2010-04-13 13:28 . 2010-04-13 13:28 -------- d-----w- c:\program files\VDGPRS Client NetMeter
2010-04-13 13:28 . 2010-04-13 13:28 -------- d-----w- c:\program files\VDGPRS NetMeter
2010-04-13 13:28 . 2001-08-31 10:00 24626 ----a-w- c:\windows\system32\ScrrnIT.dll
2010-04-13 13:28 . 2010-04-13 13:28 -------- d-----w- c:\program files\VDGPRS Client Manager
2010-04-13 13:27 . 2010-04-13 13:29 -------- d-----w- c:\program files\VDGPRS CLIENT 2°
2010-04-10 15:48 . 2010-04-10 15:48 714752 ----a-w- c:\windows\is-MADLI.exe
2010-04-10 15:48 . 2009-08-24 19:08 28160 ----a-w- c:\windows\system32\DfSdkBt.exe
2010-04-10 15:46 . 2009-01-09 09:46 39776 ----a-w- c:\windows\system32\DfSdkBt64.exe
2010-04-10 15:46 . 2010-04-24 06:18 -------- d-----w- c:\program files\Ashampoo WinOptimizer 6
2010-04-10 15:44 . 2010-04-10 15:44 -------- d-----w- c:\program files\Common Files\Hewlett-Packard
2010-04-10 15:44 . 2010-04-20 18:34 -------- d-----w- c:\program files\Hewlett-Packard
2010-04-10 08:31 . 2010-04-10 08:31 -------- d-----w- c:\program files\Common Files\Borland Shared
2010-04-10 08:31 . 2010-04-10 08:31 -------- d-----w- C:\Avaris
2010-04-10 08:31 . 1999-03-23 07:12 299520 ----a-w- c:\windows\uninst.exe
2010-04-10 08:29 . 2010-04-10 08:29 -------- d-----w- c:\users\merlp\AppData\Roaming\TrueCrypt
2010-04-09 16:21 . 2010-04-09 16:21 -------- d-----w- c:\program files\ESET
2010-04-09 16:18 . 2010-04-13 17:28 -------- d-----w- c:\program files\Common Files\Adobe
2010-04-09 15:51 . 2009-12-13 09:30 641536 ----a-w- c:\windows\system32\CPFilters.dll
2010-04-09 15:51 . 2009-12-13 09:30 465408 ----a-w- c:\windows\system32\psisdecd.dll
2010-04-09 15:51 . 2009-12-13 09:29 417792 ----a-w- c:\windows\system32\msdri.dll
2010-04-09 15:51 . 2010-01-18 23:29 85504 ----a-w- c:\windows\system32\secproc_ssp_isv.dll
2010-04-09 15:51 . 2010-01-18 23:29 365568 ----a-w- c:\windows\system32\secproc_isv.dll
2010-04-09 15:51 . 2010-01-18 23:29 369152 ----a-w- c:\windows\system32\secproc.dll
2010-04-09 15:51 . 2010-01-18 23:28 324608 ----a-w- c:\windows\system32\RMActivate_isv.exe
2010-04-09 15:51 . 2010-01-18 23:28 320512 ----a-w- c:\windows\system32\RMActivate.exe
2010-04-09 15:51 . 2010-01-18 23:29 85504 ----a-w- c:\windows\system32\secproc_ssp.dll
2010-04-09 15:51 . 2010-01-18 23:28 277504 ----a-w- c:\windows\system32\RMActivate_ssp_isv.exe
2010-04-09 15:51 . 2010-01-18 23:28 280064 ----a-w- c:\windows\system32\RMActivate_ssp.exe
2010-04-09 15:02 . 2010-04-19 14:22 -------- d-----w- c:\program files\Classic Menu for Office
2010-04-09 15:01 . 2010-04-09 15:01 -------- d-----w- c:\program files\MSECache
2010-04-09 15:00 . 2010-04-09 15:00 -------- d-----w- c:\windows\PCHEALTH
2010-04-09 15:00 . 2010-04-09 15:00 -------- d-----w- c:\program files\Microsoft.NET
2010-04-09 14:59 . 2010-04-09 14:59 -------- d-----w- c:\users\merlp\AppData\Local\Microsoft Help
2010-04-09 14:59 . 2010-04-09 15:01 -------- d-----w- c:\programdata\Microsoft Help
2010-04-09 14:57 . 2010-04-09 14:57 -------- d-----r- C:\MSOCache
2010-04-09 14:36 . 2010-04-09 14:36 4 ----a-w- c:\program files\1522086.dat
2010-04-09 14:22 . 2010-04-09 14:22 -------- d-----w- c:\users\merlp\AppData\Roaming\Nero
2010-04-09 14:09 . 2010-04-09 14:09 -------- d-----w- c:\programdata\Nero
2010-04-09 14:09 . 2010-04-09 14:09 -------- d-----w- c:\program files\Common Files\Nero
2010-04-09 14:09 . 2010-04-09 14:09 -------- d-----w- c:\program files\Nero
2010-04-09 13:51 . 2010-04-09 13:51 53248 ----a-w- c:\users\merlp\AppData\Roaming\Thinstall\Microsoft Office Enterprise 2007\300000005700002h\WINWORD.EXE
2010-04-09 13:44 . 2010-04-20 14:52 -------- d-----w- c:\program files\AusLogics Registry Defrag
2010-04-09 13:43 . 2010-04-09 13:43 -------- d-----w- c:\program files\PoiEdit2007
2010-04-09 13:43 . 2010-04-09 13:43 -------- d-----w- c:\program files\TomTom HOME 2
2010-04-09 13:42 . 2010-04-09 13:42 -------- d-----w- c:\program files\Regino v5.0
2010-04-09 13:42 . 2010-04-09 13:42 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-04-09 13:41 . 2010-04-09 13:41 -------- d-----w- c:\program files\ConvertX
2010-04-09 13:41 . 2010-04-09 13:41 -------- d-----w- c:\program files\DVD Shrink
2010-04-09 13:40 . 2010-04-09 13:40 -------- d-----w- c:\program files\MP3Gain
2010-04-09 12:56 . 2010-04-09 13:51 -------- d-----w- c:\users\merlp\AppData\Roaming\Thinstall
2010-04-09 12:56 . 2010-04-09 12:56 -------- d-----w- c:\users\merlp\AppData\Local\Thinstall
2010-04-09 12:50 . 2010-04-09 12:50 4 ----a-w- c:\program files\513648.dat
2010-04-09 12:49 . 2009-09-10 05:52 257024 ----a-w- c:\windows\system32\msv1_0.dll
2010-04-09 12:48 . 2010-02-11 07:10 293376 ----a-w- c:\windows\system32\browserchoice.exe
2010-04-09 12:45 . 2010-02-02 07:45 2048 ----a-w- c:\windows\system32\tzres.dll
2010-04-09 12:45 . 2009-08-29 06:57 34816 ----a-w- c:\windows\system32\msasn1.dll
2010-04-08 18:46 . 2010-04-29 15:28 -------- d-----w- c:\programdata\Spybot - Search & Destroy

.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-29 17:34 . 2009-07-14 08:44 622422 ----a-w- c:\windows\system32\perfh005.dat
2010-04-29 17:34 . 2009-07-14 08:44 118604 ----a-w- c:\windows\system32\perfc005.dat
2010-04-19 11:55 . 2010-04-16 18:08 -------- d-----w- c:\program files\Změna MAC adresy
2010-04-08 18:37 . 2010-04-08 18:37 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_09_00.Wdf
2010-04-08 17:05 . 2010-04-08 17:05 -------- d-----w- c:\users\merlp\AppData\Roaming\Leadertech
2010-04-08 17:05 . 2010-04-08 17:05 -------- d-----w- c:\users\merlp\AppData\Roaming\Imagenomic
2010-04-08 17:05 . 2010-04-08 17:05 -------- d-----w- c:\users\merlp\AppData\Roaming\DAEMON Tools Lite
2010-04-08 17:05 . 2010-04-08 17:05 -------- d-----w- c:\users\merlp\AppData\Roaming\DAEMON Tools
2010-04-08 17:05 . 2010-04-08 17:05 -------- d-----w- c:\users\merlp\AppData\Roaming\CyberLink
2010-04-08 17:05 . 2010-04-08 17:05 -------- d-----w- c:\users\merlp\AppData\Roaming\CD-LabelPrint
2010-04-08 17:05 . 2010-04-08 17:05 -------- d-----w- c:\users\merlp\AppData\Roaming\Auslogics
2010-04-08 17:05 . 2010-04-08 17:05 -------- d-----w- c:\users\merlp\AppData\Roaming\atitray
2010-04-08 17:05 . 2010-04-08 17:05 -------- d-----w- c:\users\merlp\AppData\Roaming\ATI
2010-04-08 17:05 . 2010-04-08 17:05 -------- d-----w- c:\users\merlp\AppData\Roaming\Ahead
2010-04-08 17:05 . 2010-04-08 17:05 -------- d-----w- c:\users\merlp\AppData\Roaming\AdobeUM
2010-04-08 16:31 . 2010-04-08 16:31 -------- d-sh--we c:\programdata\Plocha
2010-04-08 16:31 . 2010-04-08 16:31 -------- d-sh--we c:\programdata\Oblíbené položky
2010-04-08 16:31 . 2010-04-08 16:31 -------- d-sh--we c:\programdata\Šablony
2010-04-08 16:31 . 2010-04-08 16:31 -------- d-sh--we c:\programdata\Nabídka Start
2010-04-08 16:31 . 2010-04-08 16:31 -------- d-sh--we c:\programdata\Dokumenty
2010-04-08 16:31 . 2010-04-08 16:31 -------- d-sh--we c:\programdata\Data aplikací
2010-03-26 13:48 . 2010-03-26 13:48 91816 ----a-w- c:\windows\system32\Tweak7SystemService.exe
2010-03-04 11:42 . 2010-03-04 11:42 277536 ----a-w- c:\windows\system32\drivers\Rt86win7.sys
2010-03-03 04:22 . 2010-03-03 04:22 5340160 ----a-w- c:\windows\system32\drivers\atipmdag.sys
2010-03-03 04:22 . 2010-03-03 04:22 5340160 ----a-w- c:\windows\system32\drivers\atikmdag.sys
2010-03-03 04:16 . 2010-03-03 04:16 143360 ----a-w- c:\windows\system32\atiapfxx.exe
2010-03-03 04:16 . 2010-03-03 04:16 446464 ----a-w- c:\windows\system32\aticfx32.dll
2010-03-03 04:13 . 2010-03-03 04:13 446464 ----a-w- c:\windows\system32\ATIDEMGX.dll
2010-03-03 04:12 . 2010-03-03 04:12 372736 ----a-w- c:\windows\system32\atieclxx.exe
2010-03-03 04:11 . 2010-03-03 04:11 172032 ----a-w- c:\windows\system32\atiesrxx.exe
2010-03-03 04:10 . 2010-03-03 04:10 159744 ----a-w- c:\windows\system32\atitmmxx.dll
2010-03-03 04:10 . 2010-03-03 04:10 356352 ----a-w- c:\windows\system32\atipdlxx.dll
2010-03-03 04:09 . 2010-03-03 04:09 274432 ----a-w- c:\windows\system32\Oemdspif.dll
2010-03-03 04:09 . 2010-03-03 04:09 11776 ----a-w- c:\windows\system32\atimuixx.dll
2010-03-03 04:09 . 2010-03-03 04:09 43520 ----a-w- c:\windows\system32\ati2edxx.dll
2010-03-03 04:06 . 2010-03-03 04:06 3131392 ----a-w- c:\windows\system32\atidxx32.dll
2010-03-03 03:46 . 2010-03-03 03:46 3703808 ----a-w- c:\windows\system32\atiumdag.dll
2010-03-03 03:45 . 2010-03-03 03:45 14226944 ----a-w- c:\windows\system32\atioglxx.dll
2010-03-03 03:24 . 2010-03-03 03:24 2993152 ----a-w- c:\windows\system32\atiumdva.dll
2010-03-03 03:23 . 2010-03-03 03:23 50176 ----a-w- c:\windows\system32\coinst.dll
2010-03-03 03:20 . 2010-03-03 03:20 53248 ----a-w- c:\windows\system32\aticalrt.dll
2010-03-03 03:20 . 2010-03-03 03:20 53248 ----a-w- c:\windows\system32\aticalcl.dll
2010-03-03 03:18 . 2010-03-03 03:18 3657728 ----a-w- c:\windows\system32\aticaldd.dll
2010-03-03 03:08 . 2010-03-03 03:08 52224 ----a-w- c:\windows\system32\atimpc32.dll
2010-03-03 03:08 . 2010-03-03 03:08 52224 ----a-w- c:\windows\system32\amdpcom32.dll
2010-03-03 03:08 . 2010-03-03 03:08 237568 ----a-w- c:\windows\system32\atiadlxx.dll
2010-03-03 03:07 . 2010-03-03 03:07 12800 ----a-w- c:\windows\system32\atiglpxx.dll
2010-03-03 03:07 . 2010-03-03 03:07 15360 ----a-w- c:\windows\system32\atigktxx.dll
2010-03-03 03:07 . 2010-03-03 03:07 152064 ----a-w- c:\windows\system32\drivers\atikmpag.sys
2010-03-03 03:06 . 2010-03-03 03:06 27648 ----a-w- c:\windows\system32\atiuxpag.dll
2010-03-03 03:06 . 2010-03-03 03:06 20480 ----a-w- c:\windows\system32\atiu9pag.dll
2010-03-03 03:05 . 2010-03-03 03:05 53248 ----a-w- c:\windows\system32\drivers\ati2erec.dll
2010-02-25 19:55 . 2010-02-25 19:55 201875 ----a-w- c:\windows\system32\atiicdxx.dat
2010-02-23 16:15 . 2010-02-23 16:15 1105 ----a-w- c:\windows\system32\atipblag.dat
2010-02-23 07:56 . 2010-04-09 12:47 977920 ----a-w- c:\windows\system32\wininet.dll
2010-02-08 17:46 . 2010-02-22 16:51 1695264 ----a-w- c:\windows\system32\RtkPgExt.dll
2010-02-08 17:46 . 2010-02-22 16:51 57376 ----a-w- c:\windows\system32\RtkCoInst.dll
2010-02-08 17:46 . 2010-02-22 16:51 371232 ----a-w- c:\windows\system32\RtkApoApi.dll
2010-02-08 17:46 . 2010-02-22 16:51 2624544 ----a-w- c:\windows\system32\RtkAPO.dll
2010-02-08 17:17 . 2010-02-22 16:51 3019232 ----a-w- c:\windows\system32\drivers\RTKVHDA.sys
2010-02-03 10:24 . 2009-12-03 08:27 94208 ----a-w- c:\windows\system32\RTNUninst32.dll
2009-06-10 21:26 . 2009-07-14 02:04 9633792 --sha-r- c:\windows\Fonts\StaticCache.dat
2009-07-14 01:14 . 2009-07-13 23:42 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe
.

(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-07-14 1173504]
"RESTART_STICKY_NOTES"="c:\windows\System32\StikyNot.exe" [2009-07-14 354304]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2010-02-08 8505888]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2009-05-14 2029640]

c:\users\merlp\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Sticky Notes Taskbar Hider.lnk - c:\program files\StickyNotes\SNTBHider.exe [2010-4-20 638976]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
"EnableLUA"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)
"NoFileAssociate"= 0 (0x0)

R3 DfSdkS;Defragmentation-Service;c:\program files\Ashampoo WinOptimizer 6\Dfsdks.exe [2009-08-24 406016]
S1 ehdrv;ehdrv;c:\windows\system32\DRIVERS\ehdrv.sys [2009-05-14 107256]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2010-03-03 172032]
S2 ekrn;ESET Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [2009-05-14 731840]
S2 epfwwfp;epfwwfp;c:\windows\system32\DRIVERS\epfwwfp.sys [2009-05-14 38240]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atipmdag.sys [2010-03-03 5340160]
S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [2010-03-03 152064]

.
Contents of the 'Scheduled Tasks' directory

2010-04-20 c:\windows\Tasks\PDVD9Serv.EXE_20100420_170148_0336.job
- c:\program files\CyberLink\PowerDVD9\PDVD9Serv.exe [2009-02-16 07:55]

2010-04-20 c:\windows\Tasks\PDVD9Serv.EXE_20100420_171404_0721.job
- c:\program files\CyberLink\PowerDVD9\PDVD9Serv.exe [2009-02-16 07:55]
.
.
------- Supplementary scan -------
.
uStart Page = hxxp://www.daemon-search.com/startpage
mWindow Title = Microsoft Internet Explorer
IE: E&xportovat do aplikace Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
.

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys halmacpi.dll >>UNKNOWN [0x84C761F8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
IoDeviceObjectType -> DumpProcedure -> 0xd46a624f
SecurityProcedure -> 0x84cc26f0
QueryNameProcedure -> 0x84cc2880
user & kernel MBR OK

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other running processes ------------------------
.
c:\windows\system32\atieclxx.exe
c:\program files\Nero\Nero8\Nero BackItUp\NBService.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\Tweak7SystemService.exe
c:\windows\system32\conhost.exe
c:\program files\DAEMON Tools Lite\DTShellHlp.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\servicing\TrustedInstaller.exe
c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe
c:\windows\system32\sppsvc.exe
.
**************************************************************************
.
Completion time: 2010-04-29 19:38:46 - machine was rebooted
ComboFix-quarantined-files.txt 2010-04-29 17:38
ComboFix2.txt 2010-04-29 14:52

Pre-Run: 15,614,812,160 bytes free
Post-Run: 15,359,746,048 bytes free

- - End Of File - - 692A0FFCAD4F95953F9BE55091339B87
Upload completed successfully



----
I sent the zip file and the file finally disappeared...

warm and sincere THANKS for the help

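The policy block in the ComboFix output above shows `EnableLUA` = 0 and `PromptOnSecureDesktop` = 0 on a Windows 7 machine, which means UAC was switched off entirely; that is easy to miss among the driver lines and worth flagging on any log a helper reviews. The script below is an added example for this thread, not ComboFix's own code and not from the original post. It parses the 'Registry startup points' section, reports UAC policy values that are off their defaults, and lists the Run entries and service/driver lines. The sample input is a constructed subset of the log above; the table of Windows 7 defaults and the reading of service lines as R/S (running/stopped) plus an SCM start-type digit are the editor's assumptions.

```python
"""Triage the 'Registry startup points' section of a ComboFix log.

Added example for this thread; it is not part of ComboFix or of the
original post. SAMPLE is a constructed subset of the log posted above.
UAC_DEFAULTS holds the Windows 7 defaults for the two UAC policy values
that appear in that log (editor's assumption, not something ComboFix
prints); the R/S + digit reading of service lines (R = running,
S = stopped, digit = SCM start type) is likewise the editor's reading.
"""
import re
from typing import Dict, List, Tuple

SAMPLE = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2010-02-08 8505888]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2009-05-14 2029640]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
"EnableLUA"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)
"NoFileAssociate"= 0 (0x0)

R3 DfSdkS;Defragmentation-Service;c:\program files\Ashampoo WinOptimizer 6\Dfsdks.exe [2009-08-24 406016]
S1 ehdrv;ehdrv;c:\windows\system32\DRIVERS\ehdrv.sys [2009-05-14 107256]
S2 ekrn;ESET Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [2009-05-14 731840]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atipmdag.sys [2010-03-03 5340160]
"""

# Windows 7 defaults (editor's assumption). EnableLUA = 0 turns UAC off.
UAC_DEFAULTS = {"EnableLUA": 1, "PromptOnSecureDesktop": 1}
START_TYPE = {"0": "boot", "1": "system", "2": "auto", "3": "demand", "4": "disabled"}
POLICY_SYSTEM = r"hkey_local_machine\software\microsoft\windows\currentversion\policies\system"

_KEY_RE = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]$")
_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=\s*(?P<data>.+?)\s*(?:\[[^\]]*\])?$')
_DWORD_RE = re.compile(r"^(?P<dec>\d+)\s+\(0x[0-9A-Fa-f]+\)$")
_SVC_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>[0-4])\s+(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<image>.+?)\s+\[(?P<stamp>[^\]]*)\]$"
)


def parse_section(text: str) -> Tuple[Dict[str, Dict[str, str]], Dict[str, dict]]:
    """Split the section into {registry key: {value name: data}} and
    {service name: attributes}. Keys are lower-cased because ComboFix
    mixes the case of HKLM paths between blocks."""
    keys: Dict[str, Dict[str, str]] = {}
    services: Dict[str, dict] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _KEY_RE.match(line)
        if m:
            current = m.group("key").lower()
            keys.setdefault(current, {})
            continue
        m = _SVC_RE.match(line)
        if m:
            services[m.group("name")] = {
                "running": m.group("state") == "R",
                "start": START_TYPE[m.group("start")],
                "display": m.group("display"),
                "image": m.group("image"),
                "stamp": m.group("stamp"),
            }
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            # Run entries quote the image path; policy DWORDs look like '0 (0x0)'.
            keys[current][m.group("name")] = m.group("data").strip('"')
    return keys, services


def uac_findings(keys: Dict[str, Dict[str, str]]) -> List[Tuple[str, int, int]]:
    """(value, actual, default) for each UAC policy value that is not at its
    default. With EnableLUA = 0 every process of an administrator account
    already runs with the full token, so no elevation prompt ever appears."""
    system = keys.get(POLICY_SYSTEM, {})
    findings = []
    for name, default in UAC_DEFAULTS.items():
        if name in system:
            m = _DWORD_RE.match(system[name])
            actual = int(m.group("dec")) if m else -1
            if actual != default:
                findings.append((name, actual, default))
    return findings


def triage(text: str) -> dict:
    """One report: weakened UAC values, Run entries (name, path), services."""
    keys, services = parse_section(text)
    run = [(n, p) for k, vals in keys.items() if k.endswith(r"\currentversion\run")
           for n, p in vals.items()]
    return {"uac_weakened": uac_findings(keys), "run_entries": run, "services": services}


if __name__ == "__main__":
    report = triage(SAMPLE)
    for name, actual, default in report["uac_weakened"]:
        print(f"UAC: {name} = {actual} (default {default})")
    for name, path in report["run_entries"]:
        print(f"Run: {name} -> {path}")
    for name, svc in report["services"].items():
        print(f"Service: {name} start={svc['start']} running={svc['running']} image={svc['image']}")
```

Run against the full section of a log, the `uac_weakened` list is the first thing to read back to the poster: a machine with UAC off gives any dropper that lands in an admin session kernel-driver installation rights without a prompt, which is exactly how a randomly named `.sys` ends up loaded.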
merlp
Visitor
Posts: 9
Registered: 29 Apr 2010 16:17

Re: Log check - problem with rootkit gyqdeaip.sys

#5 Post by merlp »

defogger_disable by jpshortstuff (23.02.10.1)
Log created at 20:04 on 29/04/2010 (merlp)

Checking for autostart values...
HKCU\~\Run values retrieved.
HKLM\~\Run values retrieved.

Checking for services/drivers...
SPTD -> Already disabled


-=E.O.F=-


-----------------

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-04-29 20:11:49
Windows 6.1.7600
Running: gmer.exe; Driver: C:\Users\merlp\AppData\Local\Temp\pglcypod.sys


---- System - GMER 1.0.15 ----

INT 0x1F \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 83039AF8
INT 0x37 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 83039104
INT 0xC1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 830393F4
INT 0xD1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 83021634
INT 0xD2 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 83021898
INT 0xDF \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 830391DC
INT 0xE1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 83039958
INT 0xE3 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 830396F8
INT 0xFD \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 83039F2C
INT 0xFE \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 8303A1A8

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwSaveKeyEx + 13AD 82C52599 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82C76F52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text C:\Windows\system32\DRIVERS\atipmdag.sys section is writeable [0x8E83E000, 0x2ECEB2, 0xE8000020]
.text peauth.sys 96470C9D 28 Bytes [04, 1D, 6C, C6, CC, 8D, BF, ...]
.text peauth.sys 96470CC1 28 Bytes [04, 1D, 6C, C6, CC, 8D, BF, ...]
PAGE spsys.sys!?SPRevision@@3PADA + 4F90 A383C000 290 Bytes [8B, FF, 55, 8B, EC, 33, C0, ...]
PAGE spsys.sys!?SPRevision@@3PADA + 50B3 A383C123 629 Bytes [75, 83, A3, FE, 05, 34, 75, ...]
PAGE spsys.sys!?SPRevision@@3PADA + 5329 A383C399 101 Bytes [6A, 28, 59, A5, 5E, C6, 03, ...]
PAGE spsys.sys!?SPRevision@@3PADA + 538F A383C3FF 148 Bytes [18, 5D, C2, 14, 00, 8B, FF, ...]
PAGE spsys.sys!?SPRevision@@3PADA + 543B A383C4AB 2228 Bytes [8B, FF, 55, 8B, EC, FF, 75, ...]
PAGE ...
.text autochk.exe 004511D1 2 Bytes [C8, 04]
.text autochk.exe 004511D5 33 Bytes [8D, 8D, B4, FE, FF, FF, E8, ...]
.text autochk.exe 004511F9 15 Bytes [8B, 8D, A0, FD, FF, FF, E8, ...]
.text autochk.exe 0045120A 39 Bytes [8B, 8D, 40, FE, FF, FF, 81, ...]
.text autochk.exe 00451232 33 Bytes [8D, 8D, A4, FE, FF, FF, E8, ...]
.text ...

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\ESET\ESET Smart Security\ekrn.exe[1548] kernel32.dll!SetUnhandledExceptionFilter 754A3162 4 Bytes [C2, 04, 00, 00]
.text C:\Program Files\Mozilla Firefox\firefox.exe[3588] ntdll.dll!LdrLoadDll 76F2F585 5 Bytes JMP 013713F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)

Device \Driver\ACPI_HAL \Device\0000004d halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\fastfat \Fat eamon.sys (Amon monitor/ESET)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xFD 0x96 0x29 0xF9 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xFD 0x96 0x29 0xF9 ...
Reg HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted@C:\PROGRA~1\VDGPRS CLIENT 2\xb0\vcredist_x86.exe 1
Reg HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted@C:\PROGRA~1\VDGPRS CLIENT 2\xb0\XviD-1.1.3-27042008.exe 1

---- EOF - GMER 1.0.15 ----




----------------


Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK

----

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys halmacpi.dll ataport.SYS pciide.sys PCIIDEX.SYS atapi.sys
kernel: MBR read successfully
user & kernel MBR OK

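In the ComboFix run above, Gmer's MBR detector reported `user & kernel MBR OK` yet also printed `>>UNKNOWN [0x84C761F8]<<` in the disk read path and three hooked object-type procedures; the stand-alone runs in this post show the normal ataport/pciide/atapi chain and no hooks. Those are independent findings: a matching MBR only says the sector read from user mode equals the one read from kernel mode, and says nothing about unnamed code sitting in the disk stack. The script below is an added example for this thread, not Gmer's code and not from the posts: it parses both outputs, rates each run, and diffs them so a cleanup can be confirmed rather than eyeballed. Both samples are the detector output as posted, trimmed to the lines the parser reads; the interpretation of the `>>UNKNOWN [...]<<` token is the editor's.

```python
"""Compare two runs of Gmer's 'Stealth MBR rootkit/Mebroot/Sinowal detector'.

Added example for this thread; it is not part of Gmer or of the original
posts. BEFORE and AFTER are the detector's output as posted above (from the
ComboFix log, then from the later stand-alone run), trimmed to the lines
the parser needs. Reading '>>UNKNOWN [addr]<<' as an unnamed module in the
disk read call chain is the editor's interpretation; the tool only prints
the token.
"""
import re
from typing import Dict, List, Tuple

BEFORE = """\
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys halmacpi.dll >>UNKNOWN [0x84C761F8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
IoDeviceObjectType -> DumpProcedure -> 0xd46a624f
SecurityProcedure -> 0x84cc26f0
QueryNameProcedure -> 0x84cc2880
user & kernel MBR OK
"""

AFTER = """\
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys halmacpi.dll ataport.SYS pciide.sys PCIIDEX.SYS atapi.sys
kernel: MBR read successfully
user & kernel MBR OK
"""

_UNKNOWN_RE = re.compile(r">>UNKNOWN \[(0x[0-9A-Fa-f]+)\]<<")
_HOOK_RE = re.compile(r"^(?P<path>.+?)\s*->\s*(?P<addr>0x[0-9A-Fa-f]+)$")


def parse_mbr_report(text: str) -> dict:
    """Pull the three things worth checking out of one detector run:
    the modules in the disk read path, any unnamed code in that path,
    and the hooks listed under 'detected MBR rootkit hooks:'.
    'user & kernel MBR OK' is kept separately: it only says the sector
    read from user mode matched the one read from kernel mode."""
    modules: List[str] = []
    unknown: List[str] = []
    hooks: List[Tuple[str, str]] = []
    mbr_ok = False
    in_hooks = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("called modules:"):
            rest = line[len("called modules:"):]
            unknown = _UNKNOWN_RE.findall(rest)
            modules = _UNKNOWN_RE.sub(" ", rest).split()
        elif line == "detected MBR rootkit hooks:":
            in_hooks = True
        elif line == "user & kernel MBR OK":
            mbr_ok = True
            in_hooks = False
        elif in_hooks:
            m = _HOOK_RE.match(line)
            if m:
                hooks.append((m.group("path"), m.group("addr")))
    return {"modules": modules, "unknown": unknown, "hooks": hooks, "mbr_ok": mbr_ok}


def verdict(report: dict) -> Tuple[str, List[str]]:
    """'suspect' with reasons, or 'clean'. A matching MBR does not clear a
    machine whose disk stack contains code the detector cannot name."""
    reasons = []
    if report["unknown"]:
        reasons.append("unnamed module in disk read path: " + ", ".join(report["unknown"]))
    if report["hooks"]:
        reasons.append("%d hooked object-type procedure(s)" % len(report["hooks"]))
    if not report["mbr_ok"]:
        reasons.append("user-mode and kernel-mode MBR reads differ or failed")
    return ("suspect" if reasons else "clean", reasons)


def diff_runs(before: str, after: str) -> Dict[str, list]:
    """What changed between two runs: confirms that a cleanup removed the
    unnamed module and hooks and restored the normal driver chain."""
    b, a = parse_mbr_report(before), parse_mbr_report(after)
    return {
        "removed_unknown": [u for u in b["unknown"] if u not in a["unknown"]],
        "removed_hooks": [h for h in b["hooks"] if h not in a["hooks"]],
        "added_modules": [m for m in a["modules"] if m not in b["modules"]],
    }


if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        state, reasons = verdict(parse_mbr_report(text))
        print(label, state, "; ".join(reasons))
    print(diff_runs(BEFORE, AFTER))
```

The `added_modules` list from `diff_runs` is the practical confirmation here: once the unnamed module is gone, the read path continues past halmacpi.dll into the real port and miniport drivers (ataport.SYS, pciide.sys, PCIIDEX.SYS, atapi.sys), which is what a plain IDE/ATA stack on this machine is expected to show.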
merlp
Visitor
Posts: 9
Registered: 29 Apr 2010 16:17

Re: Log check - problem with rootkit gyqdeaip.sys

#6 Post by merlp »

Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 4049

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

29.4.2010 20:41:15
mbam-log-2010-04-29 (20-41-15).txt

Scan type: Full scan (C:\|)
Objects scanned: 173732
Time elapsed: 22 minute(s), 40 second(s)

Memory processes infected: 0
Memory modules infected: 0
Registry keys infected: 0
Registry values infected: 0
Registry data items infected: 0
Folders infected: 0
Files infected: 0

Memory processes infected:
(No malicious items detected)

Memory modules infected:
(No malicious items detected)

Registry keys infected:
(No malicious items detected)

Registry values infected:
(No malicious items detected)

Registry data items infected:
(No malicious items detected)

Folders infected:
(No malicious items detected)

Files infected:
(No malicious items detected)


---
clean as a lily... Thanks again very much for the help!

merlp
Visitor
Posts: 9
Registered: 29 Apr 2010 16:17

Re: Log check - problem with rootkit gyqdeaip.sys

#7 Post by merlp »

everything done and everything looks OK...
below, for completeness, I'm attaching the log from RSIT

thanks, M.
Attachments
log.rar
(6.97 KiB) Downloaded 52 times

merlp
Visitor
Posts: 9
Registered: 29 Apr 2010 16:17

Re: Log check - problem with rootkit gyqdeaip.sys

#8 Post by merlp »

yep, it worked now, but it didn't fit, so I'm attaching it as an attachment
Attachments
log.rar
(11.97 KiB) Downloaded 28 times

merlp
Visitor
Posts: 9
Registered: 29 Apr 2010 16:17

Re: Log check - problem with rootkit gyqdeaip.sys

#9 Post by merlp »

from my side hopefully for a long time as well :-)
thank you, it's nice to know there are helpful experts here who will help when needed...

have a nice weekend :)
