
PC disinfection, computer speed-up, remote assistance via the neslape.cz service
Please check my log, thank you
Forum rules
If you want help, post a log from FRST [guide here] or RSIT [guide here]
Individual threads will be locked once resolved, as will those that have been inactive for more than 14 days. See the Rule on locking topics. Thank you for your understanding.
!NEWS!
You can now use the remote assistance service, where a specialist connects to your computer and obtains further details about the problem from you by phone! More at www.neslape.cz
Please check my log, thank you
About two days ago my PC was infected with a rootkit. My little brother got it onto the PC while playing online games (supposedly some image appeared to him, and then something kept showing up in red in the bottom corner).
By mistake I ran ComboFix instead of RSIT, so please forgive me. I had run CF a few times about a week ago.
Here is the LOG:
ComboFix 10-07-13.08 - Andy 14.07.2010 12:10:55.3.1 - FAT32x86
Systém Microsoft Windows XP Professional 5.1.2600.3.1250.420.1029.18.767.548 [GMT 2:00]
Spuštěný z: c:\documents and settings\Andy\Dokumenty\ComboFix.exe
AV: ESET Smart Security 4.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET personal firewall *enabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}
* Vytvořen nový Bod Obnovení
* Rezidentní štít AV je zapnutý
.
((((((((((((((((((((((((((((((((((((((( Ostatní výmazy )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\ktd32.atm
c:\windows\system\sservice.exe
c:\windows\system32\fservice.exe
.
((((((((((((((((((((((((( Soubory vytvořené od 2010-06-14 do 2010-07-14 )))))))))))))))))))))))))))))))
.
2010-07-09 12:01 . 2010-07-09 12:01 -------- d-----w- c:\program files\ICQ6Toolbar
2010-07-09 08:56 . 2010-07-09 08:56 -------- d-----w- C:\FOUND.001
2010-07-08 12:12 . 2010-07-08 12:12 -------- d-----w- c:\program files\Common Files\reFX
2010-07-08 12:10 . 2009-10-24 19:15 1332224 ----a-w- c:\windows\system32\SYNSOEMU.DLL
2010-07-07 17:05 . 2010-07-07 17:05 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-07-07 11:00 . 2010-07-07 11:01 -------- d-----w- c:\program files\Samsung
2010-07-02 12:49 . 2010-07-02 12:49 348160 ----a-w- c:\windows\system32\msvcr71.dll
2010-07-02 12:49 . 2010-07-02 12:49 1700352 ----a-w- c:\windows\system32\gdiplus.dll
2010-07-02 12:49 . 2010-07-02 12:49 1060864 ----a-w- c:\windows\system32\mfc71.dll
2010-07-02 12:49 . 1999-12-17 08:13 86016 ----a-w- c:\windows\unvise32.exe
2010-07-02 12:45 . 2010-07-02 12:45 -------- d-----w- c:\program files\Common Files\Digidesign
2010-07-02 12:08 . 2006-06-20 08:56 225280 ----a-w- c:\windows\system32\rewire.dll
2010-07-02 12:07 . 2010-07-02 12:07 -------- d-----w- c:\program files\Image-Line
2010-07-02 12:07 . 2010-07-02 12:07 -------- d-----w- c:\program files\Outsim
2010-07-02 09:44 . 2010-07-02 09:44 632064 ----a-w- c:\windows\system32\msvcr80.dll
2010-07-02 09:44 . 2010-07-02 09:44 554240 ----a-w- c:\windows\system32\msvcp80.dll
2010-07-02 09:44 . 2010-07-02 09:44 34048 ----a-w- c:\windows\system32\eEmpty.exe
2010-07-02 09:44 . 2008-04-14 03:22 137216 ----a-w- c:\windows\system32\T.COM
2010-07-02 09:44 . 2008-04-14 03:22 147968 ----a-w- c:\windows\R.COM
2010-07-02 09:44 . 2010-07-02 09:44 -------- d-----w- c:\program files\Common Files\MicroWorld
2010-07-02 08:52 . 2008-04-14 03:22 221184 ----a-w- c:\windows\system32\wmpns.dll
2010-07-02 08:52 . 2010-07-02 08:52 -------- d-----w- c:\program files\Windows Media Connect 2
2010-07-02 08:50 . 2010-07-02 08:50 -------- d-----w- c:\windows\system32\drivers\UMDF
2010-07-02 08:36 . 2010-07-02 08:36 -------- d-----w- c:\program files\Common Files\Java
2010-07-02 08:36 . 2010-07-02 08:36 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-07-02 08:36 . 2010-07-02 08:36 -------- d-----w- c:\program files\Java
2010-06-30 11:50 . 2010-06-30 11:50 -------- d-----w- C:\FOUND.000
2010-06-29 20:03 . 2001-10-19 12:40 1683792 ----a-w- c:\windows\system32\wmvcore2.dll
2010-06-29 20:03 . 2001-10-19 12:40 438608 ----a-w- c:\windows\system32\wmv8dmod.dll
2010-06-29 20:03 . 2001-10-19 12:40 665424 ----a-w- c:\windows\system32\wmv8dmoe.dll
2010-06-29 20:03 . 2001-10-19 12:39 572752 ----a-w- c:\windows\system32\wmvdmoe.dll
2010-06-29 13:21 . 2010-04-29 13:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-29 13:21 . 2010-04-29 13:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-29 13:03 . 2010-06-29 13:03 -------- d-----w- c:\program files\Google
2010-06-28 20:52 . 2008-04-13 18:45 32128 ----a-w- c:\windows\system32\drivers\usbccgp.sys
2010-06-28 20:52 . 2008-04-13 18:45 32128 ----a-w- c:\windows\system32\dllcache\usbccgp.sys
2010-06-28 20:51 . 2007-07-11 09:05 101120 ----a-w- c:\windows\system32\drivers\ewusbmdm.sys
2010-06-28 20:51 . 2007-07-11 09:02 24448 ----a-w- c:\windows\system32\drivers\ewdcsc.sys
2010-06-28 20:51 . 2010-06-28 20:51 -------- d-----w- c:\program files\Huawei technologies
2010-06-28 20:47 . 2008-04-13 18:45 17152 ----a-w- c:\windows\system32\drivers\usbohci.sys
2010-06-28 20:47 . 2008-04-13 18:45 17152 ----a-w- c:\windows\system32\dllcache\usbohci.sys
2010-06-28 10:56 . 2010-06-28 10:56 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2010-06-27 17:25 . 2010-06-27 17:25 -------- d-----w- c:\windows\system32\NtmsData
2010-06-27 17:24 . 2010-06-27 17:24 -------- d-----w- c:\program files\Common Files\Skype
2010-06-27 17:24 . 2010-06-27 17:24 -------- d-----r- c:\program files\Skype
2010-06-20 19:17 . 2001-10-24 09:54 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys
2010-06-20 19:17 . 2001-10-24 09:54 12160 ----a-w- c:\windows\system32\dllcache\mouhid.sys
2010-06-20 19:17 . 2008-04-13 18:45 10368 ----a-w- c:\windows\system32\drivers\hidusb.sys
2010-06-20 18:43 . 2010-06-20 18:43 -------- d-----w- c:\windows\ServicePackFiles
2010-06-20 18:32 . 2008-06-14 17:35 272128 ------w- c:\windows\system32\drivers\bthport.sys
2010-06-20 18:32 . 2008-06-14 17:35 272128 ------w- c:\windows\system32\dllcache\bthport.sys
2010-06-20 18:32 . 2009-12-31 16:50 353792 ------w- c:\windows\system32\dllcache\srv.sys
2010-06-20 18:31 . 2010-02-24 13:11 455680 ------w- c:\windows\system32\dllcache\mrxsmb.sys
2010-06-20 18:31 . 2009-11-21 16:03 471552 ------w- c:\windows\system32\dllcache\aclayers.dll
2010-06-20 18:27 . 2008-05-08 14:02 203136 ------w- c:\windows\system32\dllcache\rmcast.sys
2010-06-20 18:27 . 2010-02-12 10:03 293376 ------w- c:\windows\system32\browserchoice.exe
2010-06-20 18:24 . 2008-10-15 16:38 337408 ------w- c:\windows\system32\dllcache\netapi32.dll
2010-06-20 18:23 . 2008-04-21 21:15 216576 ------w- c:\windows\system32\dllcache\wordpad.exe
2010-06-20 18:12 . 2007-07-27 08:41 26488 ----a-w- c:\windows\system32\spupdsvc.exe
2010-06-20 17:56 . 2006-07-13 10:33 674560 ----a-r- c:\windows\system32\drivers\w70n51.sys
2010-06-20 17:56 . 2005-02-25 09:34 995328 ----a-r- c:\windows\system32\W20MLRes.dll
2010-06-20 17:56 . 2005-02-25 09:33 430147 ----a-r- c:\windows\system32\W20NCPA.dll
2010-06-20 17:56 . 2003-11-03 05:55 32768 ----a-r- c:\windows\system32\w70n5msg.dll
2010-06-20 17:25 . 2010-06-20 17:25 -------- d--h--w- c:\documents and settings\Andy\WLANProfiles
2010-06-20 17:25 . 2010-06-20 17:25 14037 ----a-w- c:\windows\system32\drivers\mdc8021x.sys
2010-06-20 17:25 . 2010-06-20 17:25 -------- d-----w- c:\windows\system32\LogFiles
2010-06-20 17:17 . 2010-06-20 17:17 -------- d-----w- c:\windows\nview
2010-06-20 17:17 . 2010-06-20 17:17 -------- d-----w- c:\program files\Common Files\InstallShield
2010-06-20 17:16 . 2009-03-16 21:19 58208 ----a-w- c:\windows\system32\wsimd.sys
2010-06-20 17:16 . 2009-03-16 21:19 58208 ----a-w- c:\windows\system32\drivers\wsimd.sys
2010-06-20 17:16 . 2010-06-20 17:16 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-06-20 17:16 . 2010-06-20 17:16 -------- d-----w- c:\program files\Atheros
2010-06-20 16:54 . 2010-06-20 16:54 -------- d-----w- c:\windows\system32\DRVSTORE
2010-06-20 16:04 . 2010-06-20 16:04 -------- d-s---w- c:\windows\system32\Microsoft
2010-06-20 16:04 . 2010-06-20 16:04 -------- d-sh--w- c:\documents and settings\LocalService
2010-06-20 16:04 . 2010-06-20 16:04 -------- d-----w- c:\documents and settings\LocalService\Data aplikací
2010-06-20 16:04 . 2010-06-20 16:04 -------- d-----w- c:\documents and settings\NetworkService\Data aplikací
2010-06-20 16:04 . 2010-06-20 16:04 -------- d-sh--w- c:\documents and settings\NetworkService
2010-06-20 16:02 . 2001-10-24 10:25 12288 ----a-w- c:\windows\system32\dllcache\EXCH_smtpctrs.dll
2010-06-20 16:01 . 2006-03-02 12:00 92416 ----a-w- c:\windows\system32\dllcache\mga.sys
2010-06-20 16:00 . 2006-03-02 12:00 6656 ----a-w- c:\windows\system32\dllcache\iissync.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-12 12:31 . 2010-06-20 15:18 90112 ----a-w- c:\windows\DUMP4c70.tmp
2010-07-12 12:28 . 2010-06-20 15:18 90112 ----a-w- c:\windows\DUMP2c6e.tmp
2010-07-12 12:26 . 2010-06-20 15:18 90112 ----a-w- c:\windows\DUMP2cbe.tmp
2010-07-12 12:23 . 2010-06-20 15:18 90112 ----a-w- c:\windows\DUMP2d18.tmp
2010-07-12 12:21 . 2010-06-20 15:18 90112 ----a-w- c:\windows\DUMP2e1d.tmp
2010-07-12 07:00 . 2010-06-20 15:18 90112 ----a-w- c:\windows\DUMP2dff.tmp
2010-07-12 06:59 . 2010-06-20 15:18 90112 ----a-w- c:\windows\DUMP5398.tmp
2010-07-10 08:51 . 2010-06-20 15:18 90112 ----a-w- c:\windows\DUMP2e95.tmp
2010-07-07 10:58 . 2010-06-20 15:18 90112 ----a-w- c:\windows\DUMP4f73.tmp
2010-07-06 19:30 . 2010-06-20 15:18 90112 ----a-w- c:\windows\DUMP5b61.tmp
2010-07-06 19:24 . 2010-06-20 15:18 90112 ----a-w- c:\windows\DUMP5013.tmp
2010-07-06 19:18 . 2010-06-20 15:18 90112 ----a-w- c:\windows\DUMP4c20.tmp
2010-07-06 17:42 . 2010-06-20 15:18 90112 ----a-w- c:\windows\DUMP4f9b.tmp
2010-07-06 17:41 . 2010-06-20 15:18 90112 ----a-w- c:\windows\DUMP599e.tmp
2010-07-05 10:08 . 2010-06-20 15:18 90112 ----a-w- c:\windows\DUMPbda5.tmp
2010-07-05 10:03 . 2010-06-20 15:18 90112 ----a-w- c:\windows\DUMP4ea0.tmp
2010-07-05 10:02 . 2010-06-20 15:18 90112 ----a-w- c:\windows\DUMP59c7.tmp
2010-07-05 09:58 . 2010-06-20 15:18 90112 ----a-w- c:\windows\DUMP5352.tmp
2010-07-04 09:39 . 2010-06-20 15:18 90112 ----a-w- c:\windows\DUMP4746.tmp
2010-06-30 16:42 . 2010-06-20 15:18 90112 ----a-w- c:\windows\DUMP262c.tmp
2010-06-20 18:28 . 2010-06-20 18:28 -------- d-----w- c:\program files\ESET
2010-06-20 15:58 . 2010-06-20 15:58 -------- d-----w- c:\program files\microsoft frontpage
2010-06-20 15:54 . 2010-06-20 15:54 21812 ----a-w- c:\windows\system32\emptyregdb.dat
2010-06-20 11:25 . 2010-06-20 11:25 -------- d-----w- c:\program files\Opera
2010-06-20 11:18 . 2010-06-20 15:18 90112 ----a-w- c:\windows\DUMP5cd4.tmp
2010-06-19 19:06 . 2010-06-19 19:06 -------- d-----w- c:\program files\Common Files\Adobe
2010-06-19 17:59 . 2006-03-02 10:00 46394 ----a-w- c:\windows\system32\perfc005.dat
2010-06-19 17:59 . 2006-03-02 10:00 310228 ----a-w- c:\windows\system32\perfh005.dat
2010-06-19 17:25 . 2010-06-20 15:57 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2010-06-19 17:25 . 2010-06-20 15:57 2740 ----a-w- c:\windows\pchealth\helpctr\PackageStore\SkuStore.bin
2010-06-19 17:23 . 2010-06-20 15:57 8972 ----a-w- c:\windows\pchealth\helpctr\Config\Cntstore.bin
2010-06-18 18:24 . 2010-06-18 18:24 0 ----a-w- c:\windows\nsreg.dat
2010-06-18 13:06 . 2010-06-18 13:07 809872 ----a-w- c:\windows\system32\drivers\LTSM.sys
2010-06-18 12:59 . 2010-06-18 13:00 230416 ----a-w- c:\windows\system32\drivers\stac97.sys
2010-06-18 12:58 . 2010-06-18 12:58 35704 ----a-w- c:\windows\system32\NicInst.dll
2010-06-18 12:58 . 2010-06-18 12:58 28536 ----a-w- c:\windows\system32\NicCo.dll
2010-06-18 12:58 . 2010-06-18 12:58 154496 ----a-w- c:\windows\system32\Prounstl.exe
2010-06-18 12:58 . 2010-06-18 12:58 43880 ----a-w- c:\windows\system32\e100bmsg.dll
2010-06-18 12:58 . 2010-06-18 12:58 165760 ----a-w- c:\windows\system32\drivers\e100b325.sys
2010-05-02 08:09 . 2006-03-02 10:00 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-20 05:32 . 2006-03-02 10:00 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-16 16:08 . 2006-03-02 10:00 668160 ----a-w- c:\windows\system32\wininet.dll
2010-04-16 16:08 . 2006-03-02 10:00 81920 ----a-w- c:\windows\system32\ieencode.dll
.
((((((((((((((((((((((((((((( SnapShot@2010-07-08_16.35.33 )))))))))))))))))))))))))))))))))))))))))
.
+ 2003-10-15 14:03 . 2003-10-15 14:03 73728 c:\windows\system32\TFNF5.exe
.
(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2010-05-13 26192168]
"SUPERAntiSpyware"="e:\superantispyware\SUPERAntiSpyware.exe" [2010-06-07 2403568]
"NVIEW"="nview.dll" [2004-04-15 856135]
"ICQ"="e:\program files\ICQ7.2\ICQ.exe" [2010-07-09 133368]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-04-15 4866048]
"nwiz"="nwiz.exe" [2004-04-15 323584]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2010-06-20 2347008]
"PRONoMgr.exe"="c:\program files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe" [2003-12-10 86016]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2009-04-09 2029640]
"TFNF5"="TFNF5.exe" [2003-10-15 73728]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "e:\superantispyware\SASSEH.DLL" [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- e:\superantispyware\SASWINLO.DLL
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]
2003-12-16 06:32 110592 ----a-w- c:\windows\system32\LgNotify.dll
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Opera\\OPERA.EXE"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
R0 d347bus;d347bus;c:\windows\system32\drivers\d347bus.sys [19.6.2010 21:33 155136]
R0 d347prt;d347prt;c:\windows\system32\drivers\d347prt.sys [19.6.2010 21:33 5248]
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [9.4.2009 15:18 107256]
R1 SASDIFSV;SASDIFSV;e:\superantispyware\sasdifsv.sys [17.2.2010 20:25 12872]
R1 SASKUTIL;SASKUTIL;e:\superantispyware\SASKUTIL.SYS [10.5.2010 20:41 67656]
R2 ekrn;ESET Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [9.4.2009 15:19 731840]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [29.6.2010 15:03 136176]
.
Obsah adresáře 'Naplánované úlohy'
2010-07-14 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-06-29 13:03]
2010-07-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-06-29 13:03]
.
.
------- Doplňkový sken -------
.
uStart Page = hxxp://www.google.sk/
IE: {{72EFBFE4-C74F-4187-AEFD-73EA3BE968D6} - e:\program files\ICQ7.2\ICQ.exe
FF - ProfilePath - c:\documents and settings\Andy\Data aplikací\Mozilla\Firefox\Profiles\7bseb0j0.default\
FF - prefs.js: browser.search.selectedEngine - ICQ Search
FF - prefs.js: browser.startup.homepage - hxxp://start.icq.com/
FF - prefs.js: keyword.URL - hxxp://search.icq.com/search/afe_results.php?ch_id=afex&tb_ver=2.0.0.4&q=
FF - component: c:\program files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}\components\SkypeFfComponent.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
---- NASTAVENÍ FIREFOXU ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".cz");
.
- - - - NEPLATNÉ POLOŽKY ODSTRANĚNÉ Z REGISTRU - - - -
HKLM-Run-SunJavaUpdateSched - c:\program files\Common Files\Java\Java Update\jusched.exe
ActiveSetup-{5Y99AE78-58TT-11dW-BE53-Y67078979Y} - c:\windows\system\sservice.exe
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-14 12:15
Windows 5.1.2600 Service Pack 3 FAT NTAPI
skenování skrytých procesů ...
skenování skrytých položek 'Po spuštění' ...
skenování skrytých souborů ...
sken byl úspešně dokončen
skryté soubory: 0
**************************************************************************
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x83801008]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf7644f28
\Driver\ACPI -> ACPI.sys @ 0xf7571cb8
\Driver\atapi -> 0x83801008
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0615
ParseProcedure -> ntoskrnl.exe @ 0x8056c3ac
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0615
ParseProcedure -> ntoskrnl.exe @ 0x8056c3ac
NDIS: Intel(R) PRO/Wireless LAN 2100 3B Mini PCI Adapter -> SendCompleteHandler -> NDIS.sys @ 0xf7442bb0
PacketIndicateHandler -> NDIS.sys @ 0xf7431a0d
SendHandler -> NDIS.sys @ 0xf7445b40
Warning: possible MBR rootkit infection !
user & kernel MBR OK
**************************************************************************
.
--------------------- ZAMKNUTÉ KLÍČE V REGISTRU ---------------------
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- Knihovny navázané na běžící procesy ---------------------
- - - - - - - > 'winlogon.exe'(1764)
e:\superantispyware\SASWINLO.DLL
c:\windows\system32\LgNotify.dll
.
Celkový čas: 2010-07-14 12:16:56
ComboFix-quarantined-files.txt 2010-07-14 10:16
ComboFix2.txt 2010-07-12 17:49
ComboFix3.txt 2010-07-08 16:36
Před spuštěním: 8 176 304 128
Po spuštění: 8 172 191 744
WindowsXP-KB310994-SP2-Pro-BootDisk-CSY.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
- - End Of File - - 49427D86346B749C3A54B509F6268766
I am also adding scans from VirusTotal:
atapi.sys
http://www.virustotal.com/analisis/b4df ... 1279079963
classpnp.sys
http://www.virustotal.com/analisis/f6da ... 1278211798
ACPI.sys
http://www.virustotal.com/analisis/de37 ... 1269874410
ndis.sys
http://www.virustotal.com/analisis/fe0d ... 1278905434
ntoskrnl.exe
http://www.virustotal.com/analisis/891a ... 1274769531
I submitted these files for checking because in the CF log I saw something about a possible rootkit infection and wanted to verify it.
Thank you
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2010-05-13 26192168]
"SUPERAntiSpyware"="e:\superantispyware\SUPERAntiSpyware.exe" [2010-06-07 2403568]
"NVIEW"="nview.dll" [2004-04-15 856135]
"ICQ"="e:\program files\ICQ7.2\ICQ.exe" [2010-07-09 133368]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-04-15 4866048]
"nwiz"="nwiz.exe" [2004-04-15 323584]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2010-06-20 2347008]
"PRONoMgr.exe"="c:\program files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe" [2003-12-10 86016]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2009-04-09 2029640]
"TFNF5"="TFNF5.exe" [2003-10-15 73728]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "e:\superantispyware\SASSEH.DLL" [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- e:\superantispyware\SASWINLO.DLL
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]
2003-12-16 06:32 110592 ----a-w- c:\windows\system32\LgNotify.dll
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Opera\\OPERA.EXE"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
R0 d347bus;d347bus;c:\windows\system32\drivers\d347bus.sys [19.6.2010 21:33 155136]
R0 d347prt;d347prt;c:\windows\system32\drivers\d347prt.sys [19.6.2010 21:33 5248]
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [9.4.2009 15:18 107256]
R1 SASDIFSV;SASDIFSV;e:\superantispyware\sasdifsv.sys [17.2.2010 20:25 12872]
R1 SASKUTIL;SASKUTIL;e:\superantispyware\SASKUTIL.SYS [10.5.2010 20:41 67656]
R2 ekrn;ESET Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [9.4.2009 15:19 731840]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [29.6.2010 15:03 136176]
.
Obsah adresáře 'Naplánované úlohy'
2010-07-14 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-06-29 13:03]
2010-07-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-06-29 13:03]
.
.
------- Doplňkový sken -------
.
uStart Page = hxxp://www.google.sk/
IE: {{72EFBFE4-C74F-4187-AEFD-73EA3BE968D6} - e:\program files\ICQ7.2\ICQ.exe
FF - ProfilePath - c:\documents and settings\Andy\Data aplikací\Mozilla\Firefox\Profiles\7bseb0j0.default\
FF - prefs.js: browser.search.selectedEngine - ICQ Search
FF - prefs.js: browser.startup.homepage - hxxp://start.icq.com/
FF - prefs.js: keyword.URL - hxxp://search.icq.com/search/afe_results.php?ch_id=afex&tb_ver=2.0.0.4&q=
FF - component: c:\program files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}\components\SkypeFfComponent.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
---- NASTAVENÍ FIREFOXU ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".cz");
.
- - - - NEPLATNÉ POLOŽKY ODSTRANĚNÉ Z REGISTRU - - - -
HKLM-Run-SunJavaUpdateSched - c:\program files\Common Files\Java\Java Update\jusched.exe
ActiveSetup-{5Y99AE78-58TT-11dW-BE53-Y67078979Y} - c:\windows\system\sservice.exe
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-14 12:15
Windows 5.1.2600 Service Pack 3 FAT NTAPI
skenování skrytých procesů ...
skenování skrytých položek 'Po spuštění' ...
skenování skrytých souborů ...
sken byl úspešně dokončen
skryté soubory: 0
**************************************************************************
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x83801008]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf7644f28
\Driver\ACPI -> ACPI.sys @ 0xf7571cb8
\Driver\atapi -> 0x83801008
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0615
ParseProcedure -> ntoskrnl.exe @ 0x8056c3ac
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0615
ParseProcedure -> ntoskrnl.exe @ 0x8056c3ac
NDIS: Intel(R) PRO/Wireless LAN 2100 3B Mini PCI Adapter -> SendCompleteHandler -> NDIS.sys @ 0xf7442bb0
PacketIndicateHandler -> NDIS.sys @ 0xf7431a0d
SendHandler -> NDIS.sys @ 0xf7445b40
Warning: possible MBR rootkit infection !
user & kernel MBR OK
**************************************************************************
.
--------------------- ZAMKNUTÉ KLÍČE V REGISTRU ---------------------
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- Knihovny navázané na běžící procesy ---------------------
- - - - - - - > 'winlogon.exe'(1764)
e:\superantispyware\SASWINLO.DLL
c:\windows\system32\LgNotify.dll
.
Celkový čas: 2010-07-14 12:16:56
ComboFix-quarantined-files.txt 2010-07-14 10:16
ComboFix2.txt 2010-07-12 17:49
ComboFix3.txt 2010-07-08 16:36
Před spuštěním: 8 176 304 128
Po spuštění: 8 172 191 744
WindowsXP-KB310994-SP2-Pro-BootDisk-CSY.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
- - End Of File - - 49427D86346B749C3A54B509F6268766
I'm also adding scans from VirusTotal:
atapi.sys
http://www.virustotal.com/analisis/b4df ... 1279079963
classpnp.sys
http://www.virustotal.com/analisis/f6da ... 1278211798
ACPI.sys
http://www.virustotal.com/analisis/de37 ... 1269874410
ndis.sys
http://www.virustotal.com/analisis/fe0d ... 1278905434
ntoskrnl.exe
http://www.virustotal.com/analisis/891a ... 1274769531
I submitted these files for checking because I saw something about a possible rootkit infection in the CF log and wanted to verify it.
Thank you
- 1danab
- Newbie
- Posts: 1412
- Registered: 21 Oct 2007 13:04
- Location: České Budějovice
Re: Please check my log, thank you
Hello

download TDSSKiller, extract it into the folder C:\WINDOWS\system32\drivers and run it
on Windows Vista and Windows 7 run the application as administrator (right-click the application icon and choose "Run as administrator")
the following window will appear:
a scan will run; at its end, if an infection is found, the following window will appear:
If you see the message "Close all programs and choose Y to restart or N to continue" on the last line, press the Y key and your machine will be restarted
after the restart run ComboFix again and post the log here
-
- Exemplary visitor
- Posts: 208
- Registered: 07 Jun 2010 17:54
- Location: SK
Re: Please check my log, thank you
TDSSKiller is OK, I'm attaching a screenshot..... I'll run CF too.

- Attachments
-
- tdsskiller.JPG (29.17 KiB) Viewed 2091 times
-
- Exemplary visitor
- Posts: 208
- Registered: 07 Jun 2010 17:54
- Location: SK
Re: Please check my log, thank you
So. CF told me it had detected the presence of a rootkit and that it needs a restart. So I restarted the PC, and it deleted nothing.
Strange. Here is the LOG:
ComboFix 10-07-13.08 - Andy 14.07.2010 20:21:56.4.1 - FAT32x86
Systém Microsoft Windows XP Professional 5.1.2600.3.1250.420.1029.18.767.544 [GMT 2:00]
Spuštěný z: c:\documents and settings\Andy\Plocha\ComboFix.exe
AV: ESET Smart Security 4.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET personal firewall *enabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}
* Rezidentní štít AV je zapnutý
.
((((((((((((((((((((((((( Soubory vytvořené od 2010-06-14 do 2010-07-14 )))))))))))))))))))))))))))))))
.
2010-07-14 18:10 . 2010-06-30 15:25 1013584 ----a-w- c:\windows\system32\drivers\TDSSKiller.exe
2010-07-09 12:01 . 2010-07-09 12:01 -------- d-----w- c:\program files\ICQ6Toolbar
2010-07-09 08:56 . 2010-07-09 08:56 -------- d-----w- C:\FOUND.001
2010-07-08 12:12 . 2010-07-08 12:12 -------- d-----w- c:\program files\Common Files\reFX
2010-07-08 12:10 . 2009-10-24 19:15 1332224 ----a-w- c:\windows\system32\SYNSOEMU.DLL
2010-07-07 17:05 . 2010-07-07 17:05 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-07-07 11:00 . 2010-07-07 11:01 -------- d-----w- c:\program files\Samsung
2010-07-02 12:49 . 2010-07-02 12:49 348160 ----a-w- c:\windows\system32\msvcr71.dll
2010-07-02 12:49 . 2010-07-02 12:49 1700352 ----a-w- c:\windows\system32\gdiplus.dll
2010-07-02 12:49 . 2010-07-02 12:49 1060864 ----a-w- c:\windows\system32\mfc71.dll
2010-07-02 12:49 . 1999-12-17 08:13 86016 ----a-w- c:\windows\unvise32.exe
2010-07-02 12:45 . 2010-07-02 12:45 -------- d-----w- c:\program files\Common Files\Digidesign
2010-07-02 12:08 . 2006-06-20 08:56 225280 ----a-w- c:\windows\system32\rewire.dll
2010-07-02 12:07 . 2010-07-02 12:07 -------- d-----w- c:\program files\Image-Line
2010-07-02 12:07 . 2010-07-02 12:07 -------- d-----w- c:\program files\Outsim
2010-07-02 09:44 . 2010-07-02 09:44 632064 ----a-w- c:\windows\system32\msvcr80.dll
2010-07-02 09:44 . 2010-07-02 09:44 554240 ----a-w- c:\windows\system32\msvcp80.dll
2010-07-02 09:44 . 2010-07-02 09:44 34048 ----a-w- c:\windows\system32\eEmpty.exe
2010-07-02 09:44 . 2008-04-14 03:22 137216 ----a-w- c:\windows\system32\T.COM
2010-07-02 09:44 . 2008-04-14 03:22 147968 ----a-w- c:\windows\R.COM
2010-07-02 09:44 . 2010-07-02 09:44 -------- d-----w- c:\program files\Common Files\MicroWorld
2010-07-02 08:52 . 2008-04-14 03:22 221184 ----a-w- c:\windows\system32\wmpns.dll
2010-07-02 08:52 . 2010-07-02 08:52 -------- d-----w- c:\program files\Windows Media Connect 2
2010-07-02 08:50 . 2010-07-02 08:50 -------- d-----w- c:\windows\system32\drivers\UMDF
2010-07-02 08:36 . 2010-07-02 08:36 -------- d-----w- c:\program files\Common Files\Java
2010-07-02 08:36 . 2010-07-02 08:36 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-07-02 08:36 . 2010-07-02 08:36 -------- d-----w- c:\program files\Java
2010-06-30 11:50 . 2010-06-30 11:50 -------- d-----w- C:\FOUND.000
2010-06-29 20:03 . 2001-10-19 12:40 1683792 ----a-w- c:\windows\system32\wmvcore2.dll
2010-06-29 20:03 . 2001-10-19 12:40 438608 ----a-w- c:\windows\system32\wmv8dmod.dll
2010-06-29 20:03 . 2001-10-19 12:40 665424 ----a-w- c:\windows\system32\wmv8dmoe.dll
2010-06-29 20:03 . 2001-10-19 12:39 572752 ----a-w- c:\windows\system32\wmvdmoe.dll
2010-06-29 13:21 . 2010-04-29 13:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-29 13:21 . 2010-04-29 13:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-29 13:03 . 2010-06-29 13:03 -------- d-----w- c:\program files\Google
2010-06-28 20:52 . 2008-04-13 18:45 32128 ----a-w- c:\windows\system32\drivers\usbccgp.sys
2010-06-28 20:52 . 2008-04-13 18:45 32128 ----a-w- c:\windows\system32\dllcache\usbccgp.sys
2010-06-28 20:51 . 2007-07-11 09:05 101120 ----a-w- c:\windows\system32\drivers\ewusbmdm.sys
2010-06-28 20:51 . 2007-07-11 09:02 24448 ----a-w- c:\windows\system32\drivers\ewdcsc.sys
2010-06-28 20:51 . 2010-06-28 20:51 -------- d-----w- c:\program files\Huawei technologies
2010-06-28 20:47 . 2008-04-13 18:45 17152 ----a-w- c:\windows\system32\drivers\usbohci.sys
2010-06-28 20:47 . 2008-04-13 18:45 17152 ----a-w- c:\windows\system32\dllcache\usbohci.sys
2010-06-28 10:56 . 2010-06-28 10:56 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2010-06-27 17:25 . 2010-06-27 17:25 -------- d-----w- c:\windows\system32\NtmsData
2010-06-27 17:24 . 2010-06-27 17:24 -------- d-----w- c:\program files\Common Files\Skype
2010-06-27 17:24 . 2010-06-27 17:24 -------- d-----r- c:\program files\Skype
2010-06-20 19:17 . 2001-10-24 09:54 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys
2010-06-20 19:17 . 2001-10-24 09:54 12160 ----a-w- c:\windows\system32\dllcache\mouhid.sys
2010-06-20 19:17 . 2008-04-13 18:45 10368 ----a-w- c:\windows\system32\drivers\hidusb.sys
2010-06-20 18:43 . 2010-06-20 18:43 -------- d-----w- c:\windows\ServicePackFiles
2010-06-20 18:32 . 2008-06-14 17:35 272128 ------w- c:\windows\system32\drivers\bthport.sys
2010-06-20 18:32 . 2008-06-14 17:35 272128 ------w- c:\windows\system32\dllcache\bthport.sys
2010-06-20 18:32 . 2009-12-31 16:50 353792 ------w- c:\windows\system32\dllcache\srv.sys
2010-06-20 18:31 . 2010-02-24 13:11 455680 ------w- c:\windows\system32\dllcache\mrxsmb.sys
2010-06-20 18:31 . 2009-11-21 16:03 471552 ------w- c:\windows\system32\dllcache\aclayers.dll
2010-06-20 18:27 . 2008-05-08 14:02 203136 ------w- c:\windows\system32\dllcache\rmcast.sys
2010-06-20 18:27 . 2010-02-12 10:03 293376 ------w- c:\windows\system32\browserchoice.exe
2010-06-20 18:24 . 2008-10-15 16:38 337408 ------w- c:\windows\system32\dllcache\netapi32.dll
2010-06-20 18:23 . 2008-04-21 21:15 216576 ------w- c:\windows\system32\dllcache\wordpad.exe
2010-06-20 18:12 . 2007-07-27 08:41 26488 ----a-w- c:\windows\system32\spupdsvc.exe
2010-06-20 17:56 . 2006-07-13 10:33 674560 ----a-r- c:\windows\system32\drivers\w70n51.sys
2010-06-20 17:56 . 2005-02-25 09:34 995328 ----a-r- c:\windows\system32\W20MLRes.dll
2010-06-20 17:56 . 2005-02-25 09:33 430147 ----a-r- c:\windows\system32\W20NCPA.dll
2010-06-20 17:56 . 2003-11-03 05:55 32768 ----a-r- c:\windows\system32\w70n5msg.dll
2010-06-20 17:25 . 2010-06-20 17:25 -------- d--h--w- c:\documents and settings\Andy\WLANProfiles
2010-06-20 17:25 . 2010-06-20 17:25 14037 ----a-w- c:\windows\system32\drivers\mdc8021x.sys
2010-06-20 17:25 . 2010-06-20 17:25 -------- d-----w- c:\windows\system32\LogFiles
2010-06-20 17:17 . 2010-06-20 17:17 -------- d-----w- c:\windows\nview
2010-06-20 17:17 . 2010-06-20 17:17 -------- d-----w- c:\program files\Common Files\InstallShield
2010-06-20 17:16 . 2009-03-16 21:19 58208 ----a-w- c:\windows\system32\wsimd.sys
2010-06-20 17:16 . 2009-03-16 21:19 58208 ----a-w- c:\windows\system32\drivers\wsimd.sys
2010-06-20 17:16 . 2010-06-20 17:16 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-06-20 17:16 . 2010-06-20 17:16 -------- d-----w- c:\program files\Atheros
2010-06-20 16:54 . 2010-06-20 16:54 -------- d-----w- c:\windows\system32\DRVSTORE
2010-06-20 16:04 . 2010-06-20 16:04 -------- d-s---w- c:\windows\system32\Microsoft
2010-06-20 16:04 . 2010-06-20 16:04 -------- d-sh--w- c:\documents and settings\LocalService
2010-06-20 16:04 . 2010-06-20 16:04 -------- d-----w- c:\documents and settings\LocalService\Data aplikací
2010-06-20 16:04 . 2010-06-20 16:04 -------- d-----w- c:\documents and settings\NetworkService\Data aplikací
2010-06-20 16:04 . 2010-06-20 16:04 -------- d-sh--w- c:\documents and settings\NetworkService
2010-06-20 16:02 . 2001-10-24 10:25 12288 ----a-w- c:\windows\system32\dllcache\EXCH_smtpctrs.dll
2010-06-20 16:01 . 2006-03-02 12:00 92416 ----a-w- c:\windows\system32\dllcache\mga.sys
2010-06-20 16:00 . 2006-03-02 12:00 6656 ----a-w- c:\windows\system32\dllcache\iissync.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-12 12:31 . 2010-06-20 15:18 90112 ----a-w- c:\windows\DUMP4c70.tmp
2010-07-12 12:28 . 2010-06-20 15:18 90112 ----a-w- c:\windows\DUMP2c6e.tmp
2010-07-12 12:26 . 2010-06-20 15:18 90112 ----a-w- c:\windows\DUMP2cbe.tmp
2010-07-12 12:23 . 2010-06-20 15:18 90112 ----a-w- c:\windows\DUMP2d18.tmp
2010-07-12 12:21 . 2010-06-20 15:18 90112 ----a-w- c:\windows\DUMP2e1d.tmp
2010-07-12 07:00 . 2010-06-20 15:18 90112 ----a-w- c:\windows\DUMP2dff.tmp
2010-07-12 06:59 . 2010-06-20 15:18 90112 ----a-w- c:\windows\DUMP5398.tmp
2010-07-10 08:51 . 2010-06-20 15:18 90112 ----a-w- c:\windows\DUMP2e95.tmp
2010-07-07 10:58 . 2010-06-20 15:18 90112 ----a-w- c:\windows\DUMP4f73.tmp
2010-07-06 19:30 . 2010-06-20 15:18 90112 ----a-w- c:\windows\DUMP5b61.tmp
2010-07-06 19:24 . 2010-06-20 15:18 90112 ----a-w- c:\windows\DUMP5013.tmp
2010-07-06 19:18 . 2010-06-20 15:18 90112 ----a-w- c:\windows\DUMP4c20.tmp
2010-07-06 17:42 . 2010-06-20 15:18 90112 ----a-w- c:\windows\DUMP4f9b.tmp
2010-07-06 17:41 . 2010-06-20 15:18 90112 ----a-w- c:\windows\DUMP599e.tmp
2010-07-05 10:08 . 2010-06-20 15:18 90112 ----a-w- c:\windows\DUMPbda5.tmp
2010-07-05 10:03 . 2010-06-20 15:18 90112 ----a-w- c:\windows\DUMP4ea0.tmp
2010-07-05 10:02 . 2010-06-20 15:18 90112 ----a-w- c:\windows\DUMP59c7.tmp
2010-07-05 09:58 . 2010-06-20 15:18 90112 ----a-w- c:\windows\DUMP5352.tmp
2010-07-04 09:39 . 2010-06-20 15:18 90112 ----a-w- c:\windows\DUMP4746.tmp
2010-06-30 16:42 . 2010-06-20 15:18 90112 ----a-w- c:\windows\DUMP262c.tmp
2010-06-20 18:28 . 2010-06-20 18:28 -------- d-----w- c:\program files\ESET
2010-06-20 15:58 . 2010-06-20 15:58 -------- d-----w- c:\program files\microsoft frontpage
2010-06-20 15:54 . 2010-06-20 15:54 21812 ----a-w- c:\windows\system32\emptyregdb.dat
2010-06-20 11:25 . 2010-06-20 11:25 -------- d-----w- c:\program files\Opera
2010-06-20 11:18 . 2010-06-20 15:18 90112 ----a-w- c:\windows\DUMP5cd4.tmp
2010-06-19 19:06 . 2010-06-19 19:06 -------- d-----w- c:\program files\Common Files\Adobe
2010-06-19 17:59 . 2006-03-02 10:00 46394 ----a-w- c:\windows\system32\perfc005.dat
2010-06-19 17:59 . 2006-03-02 10:00 310228 ----a-w- c:\windows\system32\perfh005.dat
2010-06-19 17:25 . 2010-06-20 15:57 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2010-06-19 17:25 . 2010-06-20 15:57 2740 ----a-w- c:\windows\pchealth\helpctr\PackageStore\SkuStore.bin
2010-06-19 17:23 . 2010-06-20 15:57 8972 ----a-w- c:\windows\pchealth\helpctr\Config\Cntstore.bin
2010-06-18 18:24 . 2010-06-18 18:24 0 ----a-w- c:\windows\nsreg.dat
2010-06-18 13:06 . 2010-06-18 13:07 809872 ----a-w- c:\windows\system32\drivers\LTSM.sys
2010-06-18 12:59 . 2010-06-18 13:00 230416 ----a-w- c:\windows\system32\drivers\stac97.sys
2010-06-18 12:58 . 2010-06-18 12:58 35704 ----a-w- c:\windows\system32\NicInst.dll
2010-06-18 12:58 . 2010-06-18 12:58 28536 ----a-w- c:\windows\system32\NicCo.dll
2010-06-18 12:58 . 2010-06-18 12:58 154496 ----a-w- c:\windows\system32\Prounstl.exe
2010-06-18 12:58 . 2010-06-18 12:58 43880 ----a-w- c:\windows\system32\e100bmsg.dll
2010-06-18 12:58 . 2010-06-18 12:58 165760 ----a-w- c:\windows\system32\drivers\e100b325.sys
2010-05-17 14:15 . 2010-07-14 18:11 2258 ----a-w- c:\windows\system32\drivers\eula.txt
2010-05-02 08:09 . 2006-03-02 10:00 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-20 05:32 . 2006-03-02 10:00 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-16 16:08 . 2006-03-02 10:00 668160 ----a-w- c:\windows\system32\wininet.dll
2010-04-16 16:08 . 2006-03-02 10:00 81920 ----a-w- c:\windows\system32\ieencode.dll
.
((((((((((((((((((((((((((((( SnapShot@2010-07-08_16.35.33 )))))))))))))))))))))))))))))))))))))))))
.
+ 2003-10-15 14:03 . 2003-10-15 14:03 73728 c:\windows\system32\TFNF5.exe
.
(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2010-05-13 26192168]
"SUPERAntiSpyware"="e:\superantispyware\SUPERAntiSpyware.exe" [2010-06-07 2403568]
"NVIEW"="nview.dll" [2004-04-15 856135]
"ICQ"="e:\program files\ICQ7.2\ICQ.exe" [2010-07-09 133368]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-04-15 4866048]
"nwiz"="nwiz.exe" [2004-04-15 323584]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2010-06-20 2347008]
"PRONoMgr.exe"="c:\program files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe" [2003-12-10 86016]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2009-04-09 2029640]
"TFNF5"="TFNF5.exe" [2003-10-15 73728]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "e:\superantispyware\SASSEH.DLL" [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- e:\superantispyware\SASWINLO.DLL
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]
2003-12-16 06:32 110592 ----a-w- c:\windows\system32\LgNotify.dll
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Opera\\OPERA.EXE"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
R0 d347bus;d347bus;c:\windows\system32\drivers\d347bus.sys [19.6.2010 21:33 155136]
R0 d347prt;d347prt;c:\windows\system32\drivers\d347prt.sys [19.6.2010 21:33 5248]
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [9.4.2009 15:18 107256]
R1 SASDIFSV;SASDIFSV;e:\superantispyware\sasdifsv.sys [17.2.2010 20:25 12872]
R1 SASKUTIL;SASKUTIL;e:\superantispyware\SASKUTIL.SYS [10.5.2010 20:41 67656]
R2 ekrn;ESET Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [9.4.2009 15:19 731840]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [29.6.2010 15:03 136176]
.
Obsah adresáře 'Naplánované úlohy'
2010-07-14 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-06-29 13:03]
2010-07-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-06-29 13:03]
.
.
------- Doplňkový sken -------
.
uStart Page = hxxp://www.google.sk/
IE: {{72EFBFE4-C74F-4187-AEFD-73EA3BE968D6} - e:\program files\ICQ7.2\ICQ.exe
FF - ProfilePath - c:\documents and settings\Andy\Data aplikací\Mozilla\Firefox\Profiles\7bseb0j0.default\
FF - prefs.js: browser.search.selectedEngine - ICQ Search
FF - prefs.js: browser.startup.homepage - hxxp://start.icq.com/
FF - prefs.js: keyword.URL - hxxp://search.icq.com/search/afe_results.php?ch_id=afex&tb_ver=2.0.0.4&q=
FF - component: c:\program files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}\components\SkypeFfComponent.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
---- NASTAVENÍ FIREFOXU ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".cz");
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-14 20:26
Windows 5.1.2600 Service Pack 3 FAT NTAPI
skenování skrytých procesů ...
skenování skrytých položek 'Po spuštění' ...
skenování skrytých souborů ...
sken byl úspešně dokončen
skryté soubory: 0
**************************************************************************
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x836AF3B0]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf7644f28
\Driver\ACPI -> ACPI.sys @ 0xf7571cb8
\Driver\atapi -> 0x836af3b0
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0615
ParseProcedure -> ntoskrnl.exe @ 0x8056c3ac
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0615
ParseProcedure -> ntoskrnl.exe @ 0x8056c3ac
NDIS: Intel(R) PRO/Wireless LAN 2100 3B Mini PCI Adapter -> SendCompleteHandler -> NDIS.sys @ 0xf7442bb0
PacketIndicateHandler -> NDIS.sys @ 0xf744fa21
SendHandler -> NDIS.sys @ 0xf742d87b
Warning: possible MBR rootkit infection !
user & kernel MBR OK
**************************************************************************
.
--------------------- ZAMKNUTÉ KLÍČE V REGISTRU ---------------------
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- Knihovny navázané na běžící procesy ---------------------
- - - - - - - > 'winlogon.exe'(1736)
e:\superantispyware\SASWINLO.DLL
c:\windows\system32\LgNotify.dll
- - - - - - - > 'explorer.exe'(840)
c:\windows\system32\nView.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Celkový čas: 2010-07-14 20:29:16
ComboFix-quarantined-files.txt 2010-07-14 18:29
ComboFix2.txt 2010-07-14 10:16
ComboFix3.txt 2010-07-12 17:49
ComboFix4.txt 2010-07-08 16:36
Před spuštěním: 8 246 296 576
Po spuštění: 8 266 268 672
- - End Of File - - D9DE09BBAD689E409C30D4BFB4C27389
- 1danab
- Newbie
- Posts: 1412
- Registered: 21 Oct 2007 13:04
- Location: České Budějovice
Re: Please check my log, thank you
http://www.esagelab.com/files/bootkit_remover.rar
download it, extract it to the desktop, run it
after it starts, right-click in the window, choose the Select All option, CTRL+C, and CTRL+V here into your reply (that way you'll slap the log in here for me)
-
- Model visitor
- Posts: 208
- Registered: 07 Jun 2010 17:54
- Location: SK
Re: Please check my log, thank you
Here you go:
Bootkit Remover version 1.0.0.1
(c) 2009 eSage Lab
www.esagelab.com
\\.\C: -> \\.\PhysicalDrive0
MD5: ee7fe9f24bc949ea3a78cf7064fbe50b
\\.\D: -> \\.\PhysicalDrive0
\\.\E: -> \\.\PhysicalDrive0
Size Device Name MBR Status
--------------------------------------------
93 GB \\.\PhysicalDrive0 Unknown boot code
Unknown boot code has been found on some of your physical disks.
To inspect the boot code manually, dump the master boot sector:
remover.exe dump <device_name> [output_file]
To disinfect the master boot sector, use the following command:
remover.exe fix <device_name>
Press any key to quit...
- 1danab
- Newbie
- Posts: 1412
- Registered: 21 Oct 2007 13:04
- Location: České Budějovice
Re: Please check my log, thank you
Start/Run and copy the following text into the box:
confirm, restart, and do a new scan with Bootkit Remover as in the previous case
"c:\documents and settings\Andy\Plocha\remover.exe" fix \\.\PhysicalDrive0

-
- Model visitor
- Posts: 208
- Registered: 07 Jun 2010 17:54
- Location: SK
Re: Please check my log, thank you
Should I restart the PC?? o_O
-
- Model visitor
- Posts: 208
- Registered: 07 Jun 2010 17:54
- Location: SK
Re: Please check my log, thank you
OK, I'm on it.

-
- Model visitor
- Posts: 208
- Registered: 07 Jun 2010 17:54
- Location: SK
Re: Please check my log, thank you
Here is the LOG after running that script and restarting:
Bootkit Remover version 1.0.0.1
(c) 2009 eSage Lab
www.esagelab.com
\\.\C: -> \\.\PhysicalDrive0
MD5: 6def5ffcbcdbdb4082f1015625e597bd
\\.\D: -> \\.\PhysicalDrive0
\\.\E: -> \\.\PhysicalDrive0
Size Device Name MBR Status
--------------------------------------------
93 GB \\.\PhysicalDrive0 OK (DOS/Win32 Boot code found)
Press any key to quit...
And after the restart the PC told me that there were some New Changes in the System or something and that I should restart, but I didn't restart. I also noticed that about 7 seconds after logging in, a tiny grey square appeared in the top left corner for about 2 seconds.
- 1danab
- Newbie
- Posts: 1412
- Registered: 21 Oct 2007 13:04
- Location: České Budějovice
Re: Please check my log, thank you
restart the PC again and then run ComboFix again... paste the log here

-
- Model visitor
- Posts: 208
- Registered: 07 Jun 2010 17:54
- Location: SK
Re: Please check my log, thank you
CF again said that it detected the presence of a rootkit. Here is the LOG:
ComboFix 10-07-13.08 - Andy 14.07.2010 21:33:53.5.1 - FAT32x86
Systém Microsoft Windows XP Professional 5.1.2600.3.1250.420.1029.18.767.542 [GMT 2:00]
Spuštěný z: c:\documents and settings\Andy\Plocha\ComboFix.exe
AV: ESET Smart Security 4.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET personal firewall *enabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}
* Rezidentní štít AV je zapnutý
.
((((((((((((((((((((((((( Soubory vytvořené od 2010-06-14 do 2010-07-14 )))))))))))))))))))))))))))))))
.
2010-07-14 18:10 . 2010-06-30 15:25 1013584 ----a-w- c:\windows\system32\drivers\TDSSKiller.exe
2010-07-09 12:01 . 2010-07-09 12:01 -------- d-----w- c:\program files\ICQ6Toolbar
2010-07-09 08:56 . 2010-07-09 08:56 -------- d-----w- C:\FOUND.001
2010-07-08 12:12 . 2010-07-08 12:12 -------- d-----w- c:\program files\Common Files\reFX
2010-07-08 12:10 . 2009-10-24 19:15 1332224 ----a-w- c:\windows\system32\SYNSOEMU.DLL
2010-07-07 17:05 . 2010-07-07 17:05 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-07-07 11:00 . 2010-07-07 11:01 -------- d-----w- c:\program files\Samsung
2010-07-02 12:49 . 2010-07-02 12:49 348160 ----a-w- c:\windows\system32\msvcr71.dll
2010-07-02 12:49 . 2010-07-02 12:49 1700352 ----a-w- c:\windows\system32\gdiplus.dll
2010-07-02 12:49 . 2010-07-02 12:49 1060864 ----a-w- c:\windows\system32\mfc71.dll
2010-07-02 12:49 . 1999-12-17 08:13 86016 ----a-w- c:\windows\unvise32.exe
2010-07-02 12:45 . 2010-07-02 12:45 -------- d-----w- c:\program files\Common Files\Digidesign
2010-07-02 12:08 . 2006-06-20 08:56 225280 ----a-w- c:\windows\system32\rewire.dll
2010-07-02 12:07 . 2010-07-02 12:07 -------- d-----w- c:\program files\Image-Line
2010-07-02 12:07 . 2010-07-02 12:07 -------- d-----w- c:\program files\Outsim
2010-07-02 09:44 . 2010-07-02 09:44 632064 ----a-w- c:\windows\system32\msvcr80.dll
2010-07-02 09:44 . 2010-07-02 09:44 554240 ----a-w- c:\windows\system32\msvcp80.dll
2010-07-02 09:44 . 2010-07-02 09:44 34048 ----a-w- c:\windows\system32\eEmpty.exe
2010-07-02 09:44 . 2008-04-14 03:22 137216 ----a-w- c:\windows\system32\T.COM
2010-07-02 09:44 . 2008-04-14 03:22 147968 ----a-w- c:\windows\R.COM
2010-07-02 09:44 . 2010-07-02 09:44 -------- d-----w- c:\program files\Common Files\MicroWorld
2010-07-02 08:52 . 2008-04-14 03:22 221184 ----a-w- c:\windows\system32\wmpns.dll
2010-07-02 08:52 . 2010-07-02 08:52 -------- d-----w- c:\program files\Windows Media Connect 2
2010-07-02 08:50 . 2010-07-02 08:50 -------- d-----w- c:\windows\system32\drivers\UMDF
2010-07-02 08:36 . 2010-07-02 08:36 -------- d-----w- c:\program files\Common Files\Java
2010-07-02 08:36 . 2010-07-02 08:36 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-07-02 08:36 . 2010-07-02 08:36 -------- d-----w- c:\program files\Java
2010-06-30 11:50 . 2010-06-30 11:50 -------- d-----w- C:\FOUND.000
2010-06-29 20:03 . 2001-10-19 12:40 1683792 ----a-w- c:\windows\system32\wmvcore2.dll
2010-06-29 20:03 . 2001-10-19 12:40 438608 ----a-w- c:\windows\system32\wmv8dmod.dll
2010-06-29 20:03 . 2001-10-19 12:40 665424 ----a-w- c:\windows\system32\wmv8dmoe.dll
2010-06-29 20:03 . 2001-10-19 12:39 572752 ----a-w- c:\windows\system32\wmvdmoe.dll
2010-06-29 13:21 . 2010-04-29 13:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-29 13:21 . 2010-04-29 13:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-29 13:03 . 2010-06-29 13:03 -------- d-----w- c:\program files\Google
2010-06-28 20:52 . 2008-04-13 18:45 32128 ----a-w- c:\windows\system32\drivers\usbccgp.sys
2010-06-28 20:52 . 2008-04-13 18:45 32128 ----a-w- c:\windows\system32\dllcache\usbccgp.sys
2010-06-28 20:51 . 2007-07-11 09:05 101120 ----a-w- c:\windows\system32\drivers\ewusbmdm.sys
2010-06-28 20:51 . 2007-07-11 09:02 24448 ----a-w- c:\windows\system32\drivers\ewdcsc.sys
2010-06-28 20:51 . 2010-06-28 20:51 -------- d-----w- c:\program files\Huawei technologies
2010-06-28 20:47 . 2008-04-13 18:45 17152 ----a-w- c:\windows\system32\drivers\usbohci.sys
2010-06-28 20:47 . 2008-04-13 18:45 17152 ----a-w- c:\windows\system32\dllcache\usbohci.sys
2010-06-28 10:56 . 2010-06-28 10:56 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2010-06-27 17:25 . 2010-06-27 17:25 -------- d-----w- c:\windows\system32\NtmsData
2010-06-27 17:24 . 2010-06-27 17:24 -------- d-----w- c:\program files\Common Files\Skype
2010-06-27 17:24 . 2010-06-27 17:24 -------- d-----r- c:\program files\Skype
2010-06-20 19:17 . 2001-10-24 09:54 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys
2010-06-20 19:17 . 2001-10-24 09:54 12160 ----a-w- c:\windows\system32\dllcache\mouhid.sys
2010-06-20 19:17 . 2008-04-13 18:45 10368 ----a-w- c:\windows\system32\drivers\hidusb.sys
2010-06-20 18:43 . 2010-06-20 18:43 -------- d-----w- c:\windows\ServicePackFiles
2010-06-20 18:32 . 2008-06-14 17:35 272128 ------w- c:\windows\system32\drivers\bthport.sys
2010-06-20 18:32 . 2008-06-14 17:35 272128 ------w- c:\windows\system32\dllcache\bthport.sys
2010-06-20 18:32 . 2009-12-31 16:50 353792 ------w- c:\windows\system32\dllcache\srv.sys
2010-06-20 18:31 . 2010-02-24 13:11 455680 ------w- c:\windows\system32\dllcache\mrxsmb.sys
2010-06-20 18:31 . 2009-11-21 16:03 471552 ------w- c:\windows\system32\dllcache\aclayers.dll
2010-06-20 18:27 . 2008-05-08 14:02 203136 ------w- c:\windows\system32\dllcache\rmcast.sys
2010-06-20 18:27 . 2010-02-12 10:03 293376 ------w- c:\windows\system32\browserchoice.exe
2010-06-20 18:24 . 2008-10-15 16:38 337408 ------w- c:\windows\system32\dllcache\netapi32.dll
2010-06-20 18:23 . 2008-04-21 21:15 216576 ------w- c:\windows\system32\dllcache\wordpad.exe
2010-06-20 18:12 . 2007-07-27 08:41 26488 ----a-w- c:\windows\system32\spupdsvc.exe
2010-06-20 17:56 . 2006-07-13 10:33 674560 ----a-r- c:\windows\system32\drivers\w70n51.sys
2010-06-20 17:56 . 2005-02-25 09:34 995328 ----a-r- c:\windows\system32\W20MLRes.dll
2010-06-20 17:56 . 2005-02-25 09:33 430147 ----a-r- c:\windows\system32\W20NCPA.dll
2010-06-20 17:56 . 2003-11-03 05:55 32768 ----a-r- c:\windows\system32\w70n5msg.dll
2010-06-20 17:25 . 2010-06-20 17:25 -------- d--h--w- c:\documents and settings\Andy\WLANProfiles
2010-06-20 17:25 . 2010-06-20 17:25 14037 ----a-w- c:\windows\system32\drivers\mdc8021x.sys
2010-06-20 17:25 . 2010-06-20 17:25 -------- d-----w- c:\windows\system32\LogFiles
2010-06-20 17:17 . 2010-06-20 17:17 -------- d-----w- c:\windows\nview
2010-06-20 17:17 . 2010-06-20 17:17 -------- d-----w- c:\program files\Common Files\InstallShield
2010-06-20 17:16 . 2009-03-16 21:19 58208 ----a-w- c:\windows\system32\wsimd.sys
2010-06-20 17:16 . 2009-03-16 21:19 58208 ----a-w- c:\windows\system32\drivers\wsimd.sys
2010-06-20 17:16 . 2010-06-20 17:16 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-06-20 17:16 . 2010-06-20 17:16 -------- d-----w- c:\program files\Atheros
2010-06-20 16:54 . 2010-06-20 16:54 -------- d-----w- c:\windows\system32\DRVSTORE
2010-06-20 16:04 . 2010-06-20 16:04 -------- d-s---w- c:\windows\system32\Microsoft
2010-06-20 16:04 . 2010-06-20 16:04 -------- d-sh--w- c:\documents and settings\LocalService
2010-06-20 16:04 . 2010-06-20 16:04 -------- d-----w- c:\documents and settings\LocalService\Data aplikací
2010-06-20 16:04 . 2010-06-20 16:04 -------- d-----w- c:\documents and settings\NetworkService\Data aplikací
2010-06-20 16:04 . 2010-06-20 16:04 -------- d-sh--w- c:\documents and settings\NetworkService
2010-06-20 16:02 . 2001-10-24 10:25 12288 ----a-w- c:\windows\system32\dllcache\EXCH_smtpctrs.dll
2010-06-20 16:01 . 2006-03-02 12:00 92416 ----a-w- c:\windows\system32\dllcache\mga.sys
2010-06-20 16:00 . 2006-03-02 12:00 6656 ----a-w- c:\windows\system32\dllcache\iissync.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-12 12:31 . 2010-06-20 15:18 90112 ----a-w- c:\windows\DUMP4c70.tmp
2010-07-12 12:28 . 2010-06-20 15:18 90112 ----a-w- c:\windows\DUMP2c6e.tmp
2010-07-12 12:26 . 2010-06-20 15:18 90112 ----a-w- c:\windows\DUMP2cbe.tmp
2010-07-12 12:23 . 2010-06-20 15:18 90112 ----a-w- c:\windows\DUMP2d18.tmp
2010-07-12 12:21 . 2010-06-20 15:18 90112 ----a-w- c:\windows\DUMP2e1d.tmp
2010-07-12 07:00 . 2010-06-20 15:18 90112 ----a-w- c:\windows\DUMP2dff.tmp
2010-07-12 06:59 . 2010-06-20 15:18 90112 ----a-w- c:\windows\DUMP5398.tmp
2010-07-10 08:51 . 2010-06-20 15:18 90112 ----a-w- c:\windows\DUMP2e95.tmp
2010-07-07 10:58 . 2010-06-20 15:18 90112 ----a-w- c:\windows\DUMP4f73.tmp
2010-07-06 19:30 . 2010-06-20 15:18 90112 ----a-w- c:\windows\DUMP5b61.tmp
2010-07-06 19:24 . 2010-06-20 15:18 90112 ----a-w- c:\windows\DUMP5013.tmp
2010-07-06 19:18 . 2010-06-20 15:18 90112 ----a-w- c:\windows\DUMP4c20.tmp
2010-07-06 17:42 . 2010-06-20 15:18 90112 ----a-w- c:\windows\DUMP4f9b.tmp
2010-07-06 17:41 . 2010-06-20 15:18 90112 ----a-w- c:\windows\DUMP599e.tmp
2010-07-05 10:08 . 2010-06-20 15:18 90112 ----a-w- c:\windows\DUMPbda5.tmp
2010-07-05 10:03 . 2010-06-20 15:18 90112 ----a-w- c:\windows\DUMP4ea0.tmp
2010-07-05 10:02 . 2010-06-20 15:18 90112 ----a-w- c:\windows\DUMP59c7.tmp
2010-07-05 09:58 . 2010-06-20 15:18 90112 ----a-w- c:\windows\DUMP5352.tmp
2010-07-04 09:39 . 2010-06-20 15:18 90112 ----a-w- c:\windows\DUMP4746.tmp
2010-06-30 16:42 . 2010-06-20 15:18 90112 ----a-w- c:\windows\DUMP262c.tmp
2010-06-20 18:28 . 2010-06-20 18:28 -------- d-----w- c:\program files\ESET
2010-06-20 15:58 . 2010-06-20 15:58 -------- d-----w- c:\program files\microsoft frontpage
2010-06-20 15:54 . 2010-06-20 15:54 21812 ----a-w- c:\windows\system32\emptyregdb.dat
2010-06-20 11:25 . 2010-06-20 11:25 -------- d-----w- c:\program files\Opera
2010-06-20 11:18 . 2010-06-20 15:18 90112 ----a-w- c:\windows\DUMP5cd4.tmp
2010-06-19 19:06 . 2010-06-19 19:06 -------- d-----w- c:\program files\Common Files\Adobe
2010-06-19 17:59 . 2006-03-02 10:00 46394 ----a-w- c:\windows\system32\perfc005.dat
2010-06-19 17:59 . 2006-03-02 10:00 310228 ----a-w- c:\windows\system32\perfh005.dat
2010-06-19 17:25 . 2010-06-20 15:57 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2010-06-19 17:25 . 2010-06-20 15:57 2740 ----a-w- c:\windows\pchealth\helpctr\PackageStore\SkuStore.bin
2010-06-19 17:23 . 2010-06-20 15:57 8972 ----a-w- c:\windows\pchealth\helpctr\Config\Cntstore.bin
2010-06-18 18:24 . 2010-06-18 18:24 0 ----a-w- c:\windows\nsreg.dat
2010-06-18 13:06 . 2010-06-18 13:07 809872 ----a-w- c:\windows\system32\drivers\LTSM.sys
2010-06-18 12:59 . 2010-06-18 13:00 230416 ----a-w- c:\windows\system32\drivers\stac97.sys
2010-06-18 12:58 . 2010-06-18 12:58 35704 ----a-w- c:\windows\system32\NicInst.dll
2010-06-18 12:58 . 2010-06-18 12:58 28536 ----a-w- c:\windows\system32\NicCo.dll
2010-06-18 12:58 . 2010-06-18 12:58 154496 ----a-w- c:\windows\system32\Prounstl.exe
2010-06-18 12:58 . 2010-06-18 12:58 43880 ----a-w- c:\windows\system32\e100bmsg.dll
2010-06-18 12:58 . 2010-06-18 12:58 165760 ----a-w- c:\windows\system32\drivers\e100b325.sys
2010-05-17 14:15 . 2010-07-14 18:11 2258 ----a-w- c:\windows\system32\drivers\eula.txt
2010-05-02 08:09 . 2006-03-02 10:00 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-20 05:32 . 2006-03-02 10:00 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-16 16:08 . 2006-03-02 10:00 668160 ----a-w- c:\windows\system32\wininet.dll
2010-04-16 16:08 . 2006-03-02 10:00 81920 ----a-w- c:\windows\system32\ieencode.dll
.
((((((((((((((((((((((((((((( SnapShot@2010-07-08_16.35.33 )))))))))))))))))))))))))))))))))))))))))
.
+ 2003-10-15 14:03 . 2003-10-15 14:03 73728 c:\windows\system32\TFNF5.exe
.
(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2010-05-13 26192168]
"SUPERAntiSpyware"="e:\superantispyware\SUPERAntiSpyware.exe" [2010-06-07 2403568]
"NVIEW"="nview.dll" [2004-04-15 856135]
"ICQ"="e:\program files\ICQ7.2\ICQ.exe" [2010-07-09 133368]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-04-15 4866048]
"nwiz"="nwiz.exe" [2004-04-15 323584]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2010-06-20 2347008]
"PRONoMgr.exe"="c:\program files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe" [2003-12-10 86016]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2009-04-09 2029640]
"TFNF5"="TFNF5.exe" [2003-10-15 73728]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "e:\superantispyware\SASSEH.DLL" [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- e:\superantispyware\SASWINLO.DLL
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]
2003-12-16 06:32 110592 ----a-w- c:\windows\system32\LgNotify.dll
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Opera\\OPERA.EXE"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
R0 d347bus;d347bus;c:\windows\system32\drivers\d347bus.sys [19.6.2010 21:33 155136]
R0 d347prt;d347prt;c:\windows\system32\drivers\d347prt.sys [19.6.2010 21:33 5248]
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [9.4.2009 15:18 107256]
R1 SASDIFSV;SASDIFSV;e:\superantispyware\sasdifsv.sys [17.2.2010 20:25 12872]
R1 SASKUTIL;SASKUTIL;e:\superantispyware\SASKUTIL.SYS [10.5.2010 20:41 67656]
R2 ekrn;ESET Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [9.4.2009 15:19 731840]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [29.6.2010 15:03 136176]
.
Obsah adresáře 'Naplánované úlohy'
2010-07-14 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-06-29 13:03]
2010-07-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-06-29 13:03]
.
.
------- Doplňkový sken -------
.
uStart Page = hxxp://www.google.sk/
IE: {{72EFBFE4-C74F-4187-AEFD-73EA3BE968D6} - e:\program files\ICQ7.2\ICQ.exe
FF - ProfilePath - c:\documents and settings\Andy\Data aplikací\Mozilla\Firefox\Profiles\7bseb0j0.default\
FF - prefs.js: browser.search.selectedEngine - ICQ Search
FF - prefs.js: browser.startup.homepage - hxxp://start.icq.com/
FF - prefs.js: keyword.URL - hxxp://search.icq.com/search/afe_results.php?ch_id=afex&tb_ver=2.0.0.4&q=
FF - component: c:\program files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}\components\SkypeFfComponent.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
---- NASTAVENÍ FIREFOXU ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".cz");
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-14 21:38
Windows 5.1.2600 Service Pack 3 FAT NTAPI
skenování skrytých procesů ...
skenování skrytých položek 'Po spuštění' ...
skenování skrytých souborů ...
sken byl úspešně dokončen
skryté soubory: 0
**************************************************************************
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x837D8758]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf7644f28
\Driver\ACPI -> ACPI.sys @ 0xf7571cb8
\Driver\atapi -> 0x837d8758
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0615
ParseProcedure -> ntoskrnl.exe @ 0x8056c3ac
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0615
ParseProcedure -> ntoskrnl.exe @ 0x8056c3ac
NDIS: Intel(R) PRO/Wireless LAN 2100 3B Mini PCI Adapter -> SendCompleteHandler -> NDIS.sys @ 0xf7442bb0
PacketIndicateHandler -> NDIS.sys @ 0xf7431a0d
SendHandler -> NDIS.sys @ 0xf7445b40
Warning: possible MBR rootkit infection !
user & kernel MBR OK
**************************************************************************
.
--------------------- ZAMKNUTÉ KLÍČE V REGISTRU ---------------------
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- Knihovny navázané na běžící procesy ---------------------
- - - - - - - > 'winlogon.exe'(1736)
e:\superantispyware\SASWINLO.DLL
c:\windows\system32\LgNotify.dll
- - - - - - - > 'explorer.exe'(3056)
c:\windows\system32\nView.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Celkový čas: 2010-07-14 21:40:53
ComboFix-quarantined-files.txt 2010-07-14 19:40
ComboFix2.txt 2010-07-14 18:29
ComboFix3.txt 2010-07-14 10:16
ComboFix4.txt 2010-07-12 17:49
ComboFix5.txt 2010-07-14 19:27
Před spuštěním: 8 281 407 488
Po spuštění: 8 266 645 504
- - End Of File - - 799FEE6465765B81AAC8F893B0A19A2C
ComboFix 10-07-13.08 - Andy 14.07.2010 21:33:53.5.1 - FAT32x86
Systém Microsoft Windows XP Professional 5.1.2600.3.1250.420.1029.18.767.542 [GMT 2:00]
Spuštěný z: c:\documents and settings\Andy\Plocha\ComboFix.exe
AV: ESET Smart Security 4.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET personal firewall *enabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}
* Rezidentní štít AV je zapnutý
.
((((((((((((((((((((((((( Soubory vytvořené od 2010-06-14 do 2010-07-14 )))))))))))))))))))))))))))))))
.
2010-07-14 18:10 . 2010-06-30 15:25 1013584 ----a-w- c:\windows\system32\drivers\TDSSKiller.exe
2010-07-09 12:01 . 2010-07-09 12:01 -------- d-----w- c:\program files\ICQ6Toolbar
2010-07-09 08:56 . 2010-07-09 08:56 -------- d-----w- C:\FOUND.001
2010-07-08 12:12 . 2010-07-08 12:12 -------- d-----w- c:\program files\Common Files\reFX
2010-07-08 12:10 . 2009-10-24 19:15 1332224 ----a-w- c:\windows\system32\SYNSOEMU.DLL
2010-07-07 17:05 . 2010-07-07 17:05 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-07-07 11:00 . 2010-07-07 11:01 -------- d-----w- c:\program files\Samsung
2010-07-02 12:49 . 2010-07-02 12:49 348160 ----a-w- c:\windows\system32\msvcr71.dll
2010-07-02 12:49 . 2010-07-02 12:49 1700352 ----a-w- c:\windows\system32\gdiplus.dll
2010-07-02 12:49 . 2010-07-02 12:49 1060864 ----a-w- c:\windows\system32\mfc71.dll
2010-07-02 12:49 . 1999-12-17 08:13 86016 ----a-w- c:\windows\unvise32.exe
2010-07-02 12:45 . 2010-07-02 12:45 -------- d-----w- c:\program files\Common Files\Digidesign
2010-07-02 12:08 . 2006-06-20 08:56 225280 ----a-w- c:\windows\system32\rewire.dll
2010-07-02 12:07 . 2010-07-02 12:07 -------- d-----w- c:\program files\Image-Line
2010-07-02 12:07 . 2010-07-02 12:07 -------- d-----w- c:\program files\Outsim
2010-07-02 09:44 . 2010-07-02 09:44 632064 ----a-w- c:\windows\system32\msvcr80.dll
2010-07-02 09:44 . 2010-07-02 09:44 554240 ----a-w- c:\windows\system32\msvcp80.dll
2010-07-02 09:44 . 2010-07-02 09:44 34048 ----a-w- c:\windows\system32\eEmpty.exe
2010-07-02 09:44 . 2008-04-14 03:22 137216 ----a-w- c:\windows\system32\T.COM
2010-07-02 09:44 . 2008-04-14 03:22 147968 ----a-w- c:\windows\R.COM
2010-07-02 09:44 . 2010-07-02 09:44 -------- d-----w- c:\program files\Common Files\MicroWorld
2010-07-02 08:52 . 2008-04-14 03:22 221184 ----a-w- c:\windows\system32\wmpns.dll
2010-07-02 08:52 . 2010-07-02 08:52 -------- d-----w- c:\program files\Windows Media Connect 2
2010-07-02 08:50 . 2010-07-02 08:50 -------- d-----w- c:\windows\system32\drivers\UMDF
2010-07-02 08:36 . 2010-07-02 08:36 -------- d-----w- c:\program files\Common Files\Java
2010-07-02 08:36 . 2010-07-02 08:36 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-07-02 08:36 . 2010-07-02 08:36 -------- d-----w- c:\program files\Java
2010-06-30 11:50 . 2010-06-30 11:50 -------- d-----w- C:\FOUND.000
2010-06-29 20:03 . 2001-10-19 12:40 1683792 ----a-w- c:\windows\system32\wmvcore2.dll
2010-06-29 20:03 . 2001-10-19 12:40 438608 ----a-w- c:\windows\system32\wmv8dmod.dll
2010-06-29 20:03 . 2001-10-19 12:40 665424 ----a-w- c:\windows\system32\wmv8dmoe.dll
2010-06-29 20:03 . 2001-10-19 12:39 572752 ----a-w- c:\windows\system32\wmvdmoe.dll
2010-06-29 13:21 . 2010-04-29 13:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-29 13:21 . 2010-04-29 13:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-29 13:03 . 2010-06-29 13:03 -------- d-----w- c:\program files\Google
2010-06-28 20:52 . 2008-04-13 18:45 32128 ----a-w- c:\windows\system32\drivers\usbccgp.sys
2010-06-28 20:52 . 2008-04-13 18:45 32128 ----a-w- c:\windows\system32\dllcache\usbccgp.sys
2010-06-28 20:51 . 2007-07-11 09:05 101120 ----a-w- c:\windows\system32\drivers\ewusbmdm.sys
2010-06-28 20:51 . 2007-07-11 09:02 24448 ----a-w- c:\windows\system32\drivers\ewdcsc.sys
2010-06-28 20:51 . 2010-06-28 20:51 -------- d-----w- c:\program files\Huawei technologies
2010-06-28 20:47 . 2008-04-13 18:45 17152 ----a-w- c:\windows\system32\drivers\usbohci.sys
2010-06-28 20:47 . 2008-04-13 18:45 17152 ----a-w- c:\windows\system32\dllcache\usbohci.sys
2010-06-28 10:56 . 2010-06-28 10:56 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2010-06-27 17:25 . 2010-06-27 17:25 -------- d-----w- c:\windows\system32\NtmsData
2010-06-27 17:24 . 2010-06-27 17:24 -------- d-----w- c:\program files\Common Files\Skype
2010-06-27 17:24 . 2010-06-27 17:24 -------- d-----r- c:\program files\Skype
2010-06-20 19:17 . 2001-10-24 09:54 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys
2010-06-20 19:17 . 2001-10-24 09:54 12160 ----a-w- c:\windows\system32\dllcache\mouhid.sys
2010-06-20 19:17 . 2008-04-13 18:45 10368 ----a-w- c:\windows\system32\drivers\hidusb.sys
2010-06-20 18:43 . 2010-06-20 18:43 -------- d-----w- c:\windows\ServicePackFiles
2010-06-20 18:32 . 2008-06-14 17:35 272128 ------w- c:\windows\system32\drivers\bthport.sys
2010-06-20 18:32 . 2008-06-14 17:35 272128 ------w- c:\windows\system32\dllcache\bthport.sys
2010-06-20 18:32 . 2009-12-31 16:50 353792 ------w- c:\windows\system32\dllcache\srv.sys
2010-06-20 18:31 . 2010-02-24 13:11 455680 ------w- c:\windows\system32\dllcache\mrxsmb.sys
2010-06-20 18:31 . 2009-11-21 16:03 471552 ------w- c:\windows\system32\dllcache\aclayers.dll
2010-06-20 18:27 . 2008-05-08 14:02 203136 ------w- c:\windows\system32\dllcache\rmcast.sys
2010-06-20 18:27 . 2010-02-12 10:03 293376 ------w- c:\windows\system32\browserchoice.exe
2010-06-20 18:24 . 2008-10-15 16:38 337408 ------w- c:\windows\system32\dllcache\netapi32.dll
2010-06-20 18:23 . 2008-04-21 21:15 216576 ------w- c:\windows\system32\dllcache\wordpad.exe
2010-06-20 18:12 . 2007-07-27 08:41 26488 ----a-w- c:\windows\system32\spupdsvc.exe
2010-06-20 17:56 . 2006-07-13 10:33 674560 ----a-r- c:\windows\system32\drivers\w70n51.sys
2010-06-20 17:56 . 2005-02-25 09:34 995328 ----a-r- c:\windows\system32\W20MLRes.dll
- 1danab
- Newbie
- Posts: 1412
- Registered: 21 Oct 2007 13:04
- Location: České Budějovice
Re: Please check my log, thank you
Do you have the installation CD?
-
- Model visitor
- Posts: 208
- Registered: 07 Jun 2010 17:54
- Location: SK
Re: Please check my log, thank you
Um, you mean an installation disc for Windows XP? (I have a Windows XP SP2 installation disc)