Prosím o kontrolu logu

[vyosek]

Ale uz jsem mrsku odkryli vice, je pekne zazrana

Zkuste nyni aplikovat gmer - nejlepe v nouzovem rezimu...

[nasua]

Opět zklamu - test doběhl, ale log nevytvořen - opět zamrzl komp

Potěšující je, že dle starého logu bylo napsáno něco o tom sektoru a v novém to již nebylo

[vyosek]

JJ log z mbr se zmenil...nejaka mrska nam tam hackuje atapi.sys

Virtualni mechaniky jsou pryc ze Programek StarForce nahodou nemate

Stahnete SytemLook (viz muj podpis) a ulozte jej na plochu

• Do okna vlozte skript nize

• Kód: Vybrat vše

  :filefind
  atapi.sys

• Kliknete na Look
• Tlacitko Look se zmeni na Scanning a zsedne
• Pockejte pokud se tlacitko Scanning opet nezmeni na Look - tak poznate ze SystemLook dokoncil svou praci
• Vyskoci na Vas log s nazvem SystemLook (pripadne bude ulozen na plose), jeho obsah mi sem vlozte

[nasua]

Virt. mechaniky nemám, StarForce nemám také...

Zde log :

SystemLook 04.09.10 by jpshortstuff
Log created at 13:50 on 24/10/2010 by noskin
Administrator - Elevation successful

========== filefind ==========

Searching for "atapi.sys"
C:\WINDOWS\ERDNT\cache\atapi.sys --a---- 96512 bytes [16:33 18/10/2010] [22:10 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\system32\drivers\atapi.sys --a---- 96512 bytes [22:10 13/04/2008] [22:10 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\system32\ReinstallBackups\0071\DriverFiles\i386\atapi.sys --a---- 96512 bytes [18:59 28/01/2010] [22:10 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674

-= EOF =-

[vyosek]

Zkuste provest gmer, ale log neukladejte - jakmile se objevi nejaky cerveny radek ve skenu, tak udelejte screen a vlozte jej sem

Gmer dela dva logy, jeden ihned po spusteni a druhy po kliknuti na sken - ani ten prvni log neulozite

[nasua]

on je problém, pokud dělam scan v nouzovém režimu, pak položka save as je schována - nelze na ní liknout ( rozlišení ), napadá mne udělat to v klasickém režimu .... Lze to ?

[vyosek]

Lze, ale pokud se seka v nouzaku, tak v normalnim se bdue sekat na tuty...

Jeste je tam talcitko copy - to zkopiruje log do schranky, takze jej pak sem zkuste vlozit takhle...

[nasua]

Zde je první log v klasickém režimu :

Bez problému šel uložit :

GMER 1.0.15.15477 - http://www.gmer.net
Rootkit quick scan 2010-10-24 16:05:52
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\noskin\LOCALS~1\Temp\pgrdqpoc.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwEnumerateKey [0xAB95C768]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwEnumerateValueKey [0xAB95C9BE]

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObInsertObject
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObMakeTemporaryObject

---- Devices - GMER 1.0.15 ----

Device \Driver\atapi \Device\Ide\IdePort0 [F7978B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 [F7978B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort1 [F7978B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/AVAST Software)
Device \FileSystem\Ntfs \Ntfs 8A7CB1F8

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\Ip cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\Tcp cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\Udp cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\RawIp cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)

---- EOF - GMER 1.0.15 ----

[vyosek]

Zkuste tedy jestli se povede i druhy log udelat

[nasua]

Takže zase PC zamrzl - ale žádný červený řádek ve skenu nebyl - to vím jistě ....

[vyosek]

Pokud nemate, tak presunte Combofix na plochu

• Spustte poznamkovy blok (Start-spustit-notepad)
• Zkopirujte skript nize

• Kód: Vybrat vše

  Restore::
  C:\WINDOWS\system32\drivers\atapi.sys

• Ulozte vytvoreny TXT jako CFScript.txt
• Pretahnete vytvoreny CFScript.txt nad Combofix a pustte (viz obrazek nize)
  
• Po aplikaci skriptu (a pripadnem restartu) na Vas vypadne log, jeho obsah sem vlozte

Muze se stat, ze po aplikaci skriptu nenabehnou windows, v tomto pripade restartuje PC a mackejte F8 a zvolte Posledni znamou konfiguraci

[nasua]

Nový log :

ComboFix 10-10-23.02 - noskin 24.10.2010 21:19:11.3.2 - x86
Systém Microsoft Windows XP Professional 5.1.2600.3.1250.420.1029.18.2046.1533 [GMT 2:00]
Spuštěný z: c:\documents and settings\noskin\Plocha\ComboFix.exe
Použité ovládací přepínače :: c:\documents and settings\noskin\Plocha\CFScript.txt
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: COMODO Firewall *enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
.

((((((((((((((((((((((((((((((((((((((( Ostatní výmazy )))))))))))))))))))))))))))))))))))))))))))))))))
.

Nakažená kopie c:\windows\system32\drivers\atapi.sys byla nalezena a vyléčena.
Obnovena kopie z - c:\windows\ERDNT\cache\atapi.sys

.
((((((((((((((((((((((((( Soubory vytvořené od 2010-09-24 do 2010-10-24 )))))))))))))))))))))))))))))))
.

2010-10-22 20:30 . 2010-10-22 20:30 -------- d-----w- c:\program files\LSoft Technologies
2010-10-20 14:22 . 2009-04-01 19:47 1683968 ----a-w- C:\HxD.exe
2010-10-19 20:07 . 2010-10-19 20:07 -------- d-sh--w- c:\documents and settings\All Users.WINDOWS\Data aplikací\DSS
2010-10-19 20:06 . 2010-10-19 13:07 2601752 ----a-w- c:\windows\system32\pbsvc_moh.exe
2010-10-19 14:54 . 2010-10-19 14:54 -------- d-----w- c:\documents and settings\Administrator.NOSKINS.000\Local Settings\Data aplikací\ATI
2010-10-19 14:54 . 2010-10-19 14:54 -------- d-----w- c:\documents and settings\Administrator.NOSKINS.000\Data aplikací\ATI
2010-10-19 14:40 . 2010-10-19 14:40 -------- d-----w- c:\documents and settings\Administrator.NOSKINS.000\Local Settings\Data aplikací\Electronic Arts
2010-10-19 14:34 . 2010-10-19 14:34 -------- d-----w- c:\documents and settings\Administrator.NOSKINS.000\Local Settings\Data aplikací\Opera
2010-10-19 11:35 . 2010-10-19 11:35 -------- d-----w- c:\documents and settings\noskin\Local Settings\Data aplikací\Electronic Arts
2010-10-18 20:32 . 2010-10-18 20:32 -------- d-----w- c:\documents and settings\LocalService.NT AUTHORITY.000\Plocha
2010-10-18 19:30 . 2010-10-18 19:30 -------- d-----w- C:\_OTL
2010-10-18 14:12 . 2010-10-18 14:12 -------- d-----w- C:\_OTM
2010-10-14 20:03 . 2008-04-14 06:52 221184 ----a-w- c:\windows\system32\wmpns.dll
2010-10-14 18:17 . 2001-11-05 08:50 69632 ----a-w- c:\windows\AMCap.exe
2010-10-14 18:01 . 2010-10-14 18:01 -------- d-----w- c:\documents and settings\LocalService.NT AUTHORITY.000\Local Settings\Data aplikací\AskToolbar
2010-10-14 18:01 . 2010-10-14 18:01 -------- d-----r- c:\documents and settings\LocalService.NT AUTHORITY.000\Oblíbené položky
2010-10-14 14:51 . 2010-10-19 15:29 -------- d-----w- c:\program files\All2WAV Recorder
2010-10-14 14:51 . 2002-01-05 09:37 344064 ----a-w- c:\windows\system32\msvcr70.dll
2010-10-14 09:45 . 2010-10-24 18:39 -------- d-----w- c:\documents and settings\noskin\Data aplikací\skypePM
2010-10-14 09:43 . 2010-10-24 19:26 -------- d-----w- c:\documents and settings\noskin\Data aplikací\Skype
2010-10-14 09:42 . 2010-10-14 09:42 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Data aplikací\Skype
2010-10-12 17:26 . 2010-10-14 19:22 -------- d-----w- c:\documents and settings\noskin\Data aplikací\U3
2010-10-11 17:59 . 2010-10-11 17:59 -------- d-----w- c:\documents and settings\noskin\Local Settings\Data aplikací\id Software
2010-09-26 11:09 . 2010-09-26 11:09 -------- d-----w- c:\documents and settings\noskin\Data aplikací\Downloaded Installations
2010-09-26 10:37 . 2010-09-26 10:37 75776 ----a-w- c:\windows\cadkasdeinst01e.exe
2010-09-26 10:37 . 2010-09-26 10:48 -------- d-----w- c:\program files\PDF Editor 3
2010-09-25 16:59 . 2010-10-20 19:10 -------- d-----r- c:\documents and settings\Administrator.NOSKINS.000\Dokumenty
2010-09-25 16:59 . 2010-09-25 16:59 -------- d-----w- c:\documents and settings\Administrator.NOSKINS.000\Data aplikací\OpenOffice.org
2010-09-25 16:57 . 2010-09-25 16:57 -------- d-----r- c:\documents and settings\Administrator.NOSKINS.000\Oblíbené položky
2010-09-25 16:57 . 2010-10-20 18:48 -------- d-----w- c:\documents and settings\Administrator.NOSKINS.000\Plocha

.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-10-24 09:15 . 2009-12-25 21:21 218496 ----a-w- c:\windows\system32\PnkBstrB.xtr
2010-10-24 09:15 . 2009-12-25 20:31 218496 ----a-w- c:\windows\system32\PnkBstrB.exe
2010-10-24 08:42 . 2009-12-25 20:31 139832 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2010-10-22 20:31 . 2010-01-11 08:56 691696 ----a-w- c:\windows\system32\drivers\sptd.sys
2010-10-19 20:06 . 2009-12-25 20:31 138056 ----a-w- c:\documents and settings\noskin\Data aplikací\PnkBstrK.sys
2010-10-18 14:23 . 2010-03-03 18:54 285480 ----a-w- c:\windows\system32\guard32.dll
2010-10-18 14:23 . 2010-03-03 18:54 91560 ----a-w- c:\windows\system32\drivers\inspect.sys
2010-10-18 14:23 . 2010-03-03 18:54 25240 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
2010-10-18 14:23 . 2010-03-03 18:54 239240 ----a-w- c:\windows\system32\drivers\cmdGuard.sys
2010-10-18 14:23 . 2010-03-03 18:54 15592 ----a-w- c:\windows\system32\drivers\cmderd.sys
2010-09-18 10:23 . 2007-04-03 06:44 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53 . 2008-04-14 06:51 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53 . 2008-04-14 06:51 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-18 06:53 . 2001-10-25 12:00 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-10 05:52 . 2008-08-08 15:43 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-10 05:52 . 2008-08-08 15:43 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-10 05:52 . 2008-08-08 15:43 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-09-07 15:12 . 2010-06-29 18:30 38848 ----a-w- c:\windows\avastSS.scr
2010-09-07 15:11 . 2010-03-09 12:28 167592 ----a-w- c:\windows\system32\aswBoot.exe
2010-09-07 14:52 . 2010-03-09 12:28 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-09-07 14:52 . 2010-03-09 12:28 165584 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-09-07 14:47 . 2010-03-09 12:28 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-09-07 14:47 . 2010-03-09 12:28 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-09-07 14:47 . 2010-03-09 12:28 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-09-07 14:47 . 2010-03-09 12:28 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-09-07 14:46 . 2010-03-09 12:28 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-09-01 11:52 . 2008-04-14 06:37 285824 ----a-w- c:\windows\system32\atmfd.dll
2010-09-01 07:57 . 2008-04-14 05:45 1852800 ----a-w- c:\windows\system32\win32k.sys
2010-08-27 08:03 . 2008-04-14 06:52 119808 ----a-w- c:\windows\system32\t2embed.dll
2010-08-27 05:54 . 2008-04-14 06:52 99840 ----a-w- c:\windows\system32\srvsvc.dll
2010-08-27 01:43 . 2008-05-05 06:25 5632 ----a-w- c:\windows\system32\xpsp4res.dll
2010-08-26 13:39 . 2008-04-13 22:45 357248 ----a-w- c:\windows\system32\drivers\srv.sys
2010-08-23 16:12 . 2008-04-14 06:51 617472 ----a-w- c:\windows\system32\comctl32.dll
2010-08-17 13:17 . 2008-04-14 06:52 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-16 08:45 . 2008-04-14 06:51 590848 ----a-w- c:\windows\system32\rpcrt4.dll
.

------- Sigcheck -------

[-] 2008-08-08 . 1E603EA2A3FDBAE9E5B88A8CB3C03124 . 1571840 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((( SnapShot@2010-10-18_16.32.39 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-10-24 19:26 . 2010-10-24 19:26 16384 c:\windows\temp\Perflib_Perfdata_d3c.dat
+ 2010-10-21 17:51 . 2010-10-21 18:27 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2009-12-25 20:07 . 2010-06-05 19:49 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-12-25 20:07 . 2010-10-21 18:27 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2010-06-16 21:25 . 2010-10-21 17:50 30759 c:\windows\system32\config\systemprofile\Local Settings\Data aplikací\ATI\ACE\Manifest.Bin
- 2010-06-16 21:25 . 2010-06-05 19:37 30759 c:\windows\system32\config\systemprofile\Local Settings\Data aplikací\ATI\ACE\Manifest.Bin
- 2009-12-25 20:07 . 2010-06-05 19:49 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2010-10-21 17:51 . 2010-10-21 18:27 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2010-10-19 20:04 . 2010-10-19 20:04 12800 c:\windows\assembly\GAC\Microsoft.DirectX.Diagnostics\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.Diagnostics.dll
- 2010-09-17 14:05 . 2010-09-17 14:05 12800 c:\windows\assembly\GAC\Microsoft.DirectX.Diagnostics\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.Diagnostics.dll
+ 2010-10-19 20:04 . 2010-10-19 20:04 53248 c:\windows\assembly\GAC\Microsoft.DirectX.AudioVideoPlayback\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.AudioVideoPlayback.dll
- 2010-09-17 14:05 . 2010-09-17 14:05 53248 c:\windows\assembly\GAC\Microsoft.DirectX.AudioVideoPlayback\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.AudioVideoPlayback.dll
- 2010-09-17 14:05 . 2010-09-17 14:05 223232 c:\windows\assembly\GAC\Microsoft.DirectX\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.dll
+ 2010-10-19 20:04 . 2010-10-19 20:04 223232 c:\windows\assembly\GAC\Microsoft.DirectX\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.dll
- 2010-09-17 14:05 . 2010-09-17 14:05 178176 c:\windows\assembly\GAC\Microsoft.DirectX.DirectSound\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectSound.dll
+ 2010-10-19 20:04 . 2010-10-19 20:04 178176 c:\windows\assembly\GAC\Microsoft.DirectX.DirectSound\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectSound.dll
- 2010-09-17 14:05 . 2010-09-17 14:05 364544 c:\windows\assembly\GAC\Microsoft.DirectX.DirectPlay\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectPlay.dll
+ 2010-10-19 20:04 . 2010-10-19 20:04 364544 c:\windows\assembly\GAC\Microsoft.DirectX.DirectPlay\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectPlay.dll
- 2010-09-17 14:05 . 2010-09-17 14:05 159232 c:\windows\assembly\GAC\Microsoft.DirectX.DirectInput\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectInput.dll
+ 2010-10-19 20:04 . 2010-10-19 20:04 159232 c:\windows\assembly\GAC\Microsoft.DirectX.DirectInput\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectInput.dll
+ 2010-10-19 20:04 . 2010-10-19 20:04 145920 c:\windows\assembly\GAC\Microsoft.DirectX.DirectDraw\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectDraw.dll
- 2010-09-17 14:05 . 2010-09-17 14:05 145920 c:\windows\assembly\GAC\Microsoft.DirectX.DirectDraw\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectDraw.dll
- 2010-09-17 14:05 . 2010-09-17 14:05 578560 c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2911.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2010-10-19 20:04 . 2010-10-19 20:04 578560 c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2911.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2010-10-19 20:04 . 2010-10-19 20:04 578560 c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2910.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
- 2010-09-17 14:05 . 2010-09-17 14:05 578560 c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2910.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2010-10-19 20:04 . 2010-10-19 20:04 577536 c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2909.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
- 2010-09-17 14:05 . 2010-09-17 14:05 577536 c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2909.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2010-10-19 20:04 . 2010-10-19 20:04 577536 c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2908.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
- 2010-09-17 14:05 . 2010-09-17 14:05 577536 c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2908.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2010-10-19 20:04 . 2010-10-19 20:04 577024 c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2907.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
- 2010-09-17 14:05 . 2010-09-17 14:05 577024 c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2907.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
- 2010-09-17 14:05 . 2010-09-17 14:05 576000 c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2906.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2010-10-19 20:04 . 2010-10-19 20:04 576000 c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2906.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
- 2010-09-17 14:05 . 2010-09-17 14:05 567296 c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2905.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2010-10-19 20:04 . 2010-10-19 20:04 567296 c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2905.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
- 2010-09-17 14:05 . 2010-09-17 14:05 563712 c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2904.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2010-10-19 20:04 . 2010-10-19 20:04 563712 c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2904.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
- 2010-09-17 14:05 . 2010-09-17 14:05 473600 c:\windows\assembly\GAC\Microsoft.DirectX.Direct3D\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.Direct3D.dll
+ 2010-10-19 20:04 . 2010-10-19 20:04 473600 c:\windows\assembly\GAC\Microsoft.DirectX.Direct3D\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.Direct3D.dll
- 2010-09-17 14:05 . 2010-09-17 14:05 2846720 c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2903.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2010-10-19 20:04 . 2010-10-19 20:04 2846720 c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2903.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
- 2010-09-17 14:05 . 2010-09-17 14:05 2676224 c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2010-10-19 20:04 . 2010-10-19 20:04 2676224 c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2010-10-19 20:05 . 2010-10-19 20:05 35863040 c:\windows\Installer\365d4.msi
+ 2010-10-19 20:05 . 2010-10-19 20:05 33709056 c:\windows\Installer\{415030B8-3E8B-462A-8C03-41D95AA3AB3B}\moh.exe
.
(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2010-09-02 13351304]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"P17Helper"="P17.dll" [2005-05-03 64512]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2010-10-18 2500552]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-10 417792]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_2"="shell32" [X]
"DefaultP17MIDI"="MIDIDEF.EXE" [2002-12-03 49152]
"DefaultP17"="P17Def.Exe" [2005-05-03 20480]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\CLPSLS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^noskin^Nabídka Start^Programy^Po spuštění^GIGABYTE Gamer HUD.lnk]
path=c:\documents and settings\noskin\Nabídka Start\Programy\Po spuštění\GIGABYTE Gamer HUD.lnk
backup=c:\windows\pss\GIGABYTE Gamer HUD.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\amd_dc_opt]
2008-07-22 11:53 77824 ----a-w- c:\program files\AMD\Dual-Core Optimizer\amd_dc_opt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent]
2008-04-14 06:52 110592 ----a-w- c:\windows\system32\bthprops.cpl

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"CTFMON.EXE"=c:\windows\system32\ctfmon.exe
"Google Update"="c:\documents and settings\noskin\Local Settings\Data aplikací\Google\Update\GoogleUpdate.exe" /c

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe"
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
"SoundMAXPnP"=c:\program files\Analog Devices\Core\smax4pnp.exe
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
"Monitor"=c:\windows\PixArt\PAC207\Monitor.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Opera 10 Beta\\opera.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"c:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaW.exe"=
"c:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaWmp.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\zero gear\\ZeroGear.bat"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Xfire\\Xfire.exe"=
"c:\\Program Files\\Spyware Terminator\\SpywareTerminatorUpdate.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"e:\\_hry\\BF2\\GAME\\BFBC2Updater.exe"=
"c:\\Program Files\\ICQ7.1\\ICQ.exe"=
"c:\\Program Files\\ICQ7.1\\aolload.exe"=
"e:\\_hry\\silent hunter\\sh5.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"57180:TCP"= 57180:TCP:Pando Media Booster
"57180:UDP"= 57180:UDP:Pando Media Booster

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [9.3.2010 14:28 165584]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdGuard.sys [3.3.2010 20:54 239240]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [3.3.2010 20:54 25240]
R1 sp_rsdrv2;Spyware Terminator Driver 2;c:\windows\system32\drivers\sp_rsdrv2.sys [9.3.2010 16:59 142592]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [9.3.2010 14:28 17744]
R2 CLPSLS;COMODO livePCsupport Service;c:\program files\COMODO\COMODO livePCsupport\CLPSLS.exe [12.2.2010 20:23 148744]
R2 USBDLM;USBDLM;c:\program files\USBDLM\USBDLM.exe [13.12.2009 20:31 226816]
R3 PAC207;Webcam 1200;c:\windows\system32\drivers\PFC027.SYS [14.4.2009 17:57 611584]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [11.1.2010 10:56 691696]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Obsah adresáře 'Naplánované úlohy'

2010-10-24 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2009\OneClickStarter.exe [2009-11-16 14:43]

2010-10-24 c:\windows\Tasks\GlaryInitialize.job
- c:\program files\Glary Utilities\initialize.exe [2010-04-28 11:03]
.
.
------- Doplňkový sken -------
.
uStart Page = www.gooogle.com
uInternet Settings,ProxyOverride = *.local
IE: Download all by FlashGet3 - c:\documents and settings\noskin\Data aplikací\FlashGetBHO\GetAllUrl.htm
IE: Download by FlashGet3 - c:\documents and settings\noskin\Data aplikací\FlashGetBHO\GetUrl.htm
IE: E&xportovat do aplikace Microsoft Office Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Stahnou vse FlashGet3 - c:\documents and settings\noskin\Data aplikací\FlashGetBHO\GetAllUrl.htm
IE: Stahnout FlashGet3 - c:\documents and settings\noskin\Data aplikací\FlashGetBHO\GetUrl.htm
IE: {{71BFC818-0CED-42D6-9C87-5142918957EE} - c:\program files\ICQ7.1\ICQ.exe
FF - ProfilePath - c:\documents and settings\noskin\Data aplikací\Mozilla\Firefox\Profiles\iuz01vun.default\
FF - plugin: c:\program files\Opera\program\plugins\nppdf32.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- NASTAVENÍ FIREFOXU ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".cz");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-10-24 21:26
Windows 5.1.2600 Service Pack 3 NTFS

detected NTDLL code modification:
ZwClose, ZwOpenFile

skenování skrytých procesů ...

skenování skrytých položek 'Po spuštění' ...

skenování skrytých souborů ...

sken byl úspešně dokončen
skryté soubory: 0

**************************************************************************
.
--------------------- ZAMKNUTÉ KLÍČE V REGISTRU ---------------------

[HKEY_USERS\S-1-5-21-1390067357-1958367476-1801674531-1003\Software\SecuROM\License information*]
"datasecu"=hex:58,88,30,2a,59,0c,25,b3,74,06,a3,1f,ff,4a,bf,e5,35,2a,00,52,7d,
7f,88,e1,b9,2d,39,1c,13,41,75,a6,ce,36,9e,ea,38,be,6b,47,11,b9,5c,da,0f,c8,\
"rkeysecu"=hex:04,42,9b,89,45,2a,1b,9c,89,22,2d,b8,7e,a8,a5,71
.
--------------------- Knihovny navázané na běžící procesy ---------------------

- - - - - - - > 'winlogon.exe'(724)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\atiadlxx.dll

- - - - - - - > 'lsass.exe'(780)
c:\windows\system32\MPR.dll
c:\windows\system32\guard32.dll

- - - - - - - > 'explorer.exe'(2840)
c:\windows\system32\guard32.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\MPR.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\wpdshserviceobj.dll
c:\program files\Nokia\Nokia PC Suite 7\PhoneBrowser.dll
c:\program files\Nokia\Nokia PC Suite 7\NGSCM.DLL
c:\program files\Nokia\Nokia PC Suite 7\Lang\PhoneBrowser_cze.nlr
c:\program files\Nokia\Nokia PC Suite 7\Resource\PhoneBrowser_Nokia.ngr
c:\windows\system32\portabledevicetypes.dll
c:\windows\system32\portabledeviceapi.dll
.
------------------------ Jiné spuštené procesy ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\Rundll32.exe
c:\windows\system32\HPZipm12.exe
c:\windows\system32\PnkBstrA.exe
c:\program files\Spyware Terminator\sp_rsser.exe
c:\windows\System32\TUProgSt.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Celkový čas: 2010-10-24 21:31:18 - počítač byl restartován
ComboFix-quarantined-files.txt 2010-10-24 19:31
ComboFix2.txt 2010-10-18 17:12
ComboFix3.txt 2010-10-18 16:34

Před spuštěním: 2 155 425 792
Po spuštění: 2 165 084 160

- - End Of File - - 9F217192C61FF78AE2CD3F3A2A7BD6FF

[vyosek]

Kliknete na Start a pote Spustit, pripadne pouzijte klavesou zkratku Win+R

• Vyskoci na Vas okenko, do ktereho zkopirujte text nize

• Kód: Vybrat vše

  "%userprofile%\plocha\mbr" -t

• Kliknete na OK
• Na plose se Vam vytvori log s nazvem mbr.txt, jeho obsah mi sem vlozte

[nasua]

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll nvata.sys
kernel: MBR read successfully
user & kernel MBR OK

[vyosek]

Jak se chova PC