PC disinfection, computer speed-up, remote help via the neslape.cz service

Please check my log as a precaution, thank you :)

Do you currently have no problem with your PC and just want to make sure everything is fine?
Post a log from FRST or RSIT.


Forum rules
If you want help, post a log from FRST [guide here] or RSIT [guide here]

Individual threads will be locked once resolved, as will those that stay inactive for more than 14 days. See the Rule on locking topics. Thank you for your understanding.

!NEW!
You can now use the remote help service, where a specialist connects to your computer and gets further details about the problem from you by phone! More at www.neslape.cz
G0nzales
Visitor
Posts: 23
Registered: 17 Nov 2006 08:10

Please check my log as a precaution, thank you :)

#1 Post by G0nzales »

Logfile of random's system information tool 1.08 (written by random/random)
Run by radka at 2010-11-04 20:52:43
Systém Microsoft Windows XP Professional Service Pack 2
System drive C: has 531 MB (3%) free of 20 GB
Total RAM: 639 MB (35% free)

HijackThis download failed

======Scheduled tasks folder======

C:\WINDOWS\tasks\20090222_190400_radka.job
C:\WINDOWS\tasks\Norton Security Scan for radka.job
C:\WINDOWS\tasks\{7B02EF0B-A410-4938-8480-9BA26420A627}.job
C:\WINDOWS\tasks\{BB65B0FB-5712-401b-B616-E69AC55E2757}.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
Adobe PDF Reader Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [2008-06-11 61816]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{100EB1FD-D03E-47FD-81F3-EE91287F9465}]
ShoppingReport - C:\Program Files\ShoppingReport\Bin\2.5.0\ShoppingReport.dll [2008-02-06 1173024]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
Adobe PDF Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2008-06-11 75128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
SSVHelper Class - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll [2008-06-10 509328]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
Google Toolbar Helper - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}]
Skype add-on for Internet Explorer - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll [2010-02-08 804136]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
Google Toolbar Notifier BHO - C:\Program Files\Google\GoogleToolbarNotifier\5.6.5612.1312\swg.dll [2010-09-29 842296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B922D405-6D13-4A2B-AE89-08A030DA4402}]
pdfforge Toolbar - C:\Program Files\pdfforge Toolbar\IE\1.1.2\pdfforgeToolbarIE.dll [2010-01-08 700416]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C84D72FE-E17D-4195-BB24-76C02E2E7C4E}]
Google Dictionary Compression sdch - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll [2009-04-25 470512]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E312764E-7706-43F1-8DAB-FCDD2B1E416D}]
C:\Program Files\pdfforge Toolbar\SearchSettings.dll [2010-01-08 1109504]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{2318C2B1-4965-11d4-9B18-009027A5CD4F} - Google Toolbar - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll []
{B922D405-6D13-4A2B-AE89-08A030DA4402} - pdfforge Toolbar - C:\Program Files\pdfforge Toolbar\IE\1.1.2\pdfforgeToolbarIE.dll [2010-01-08 700416]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SiSUSBRG"=C:\WINDOWS\SiSUSBrg.exe [2002-04-26 102400]
"Cmaudio"=RunDll32 cmicnfg.dll,CMICtrlWnd []
"B'sCLiP"=C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe [2003-05-22 1310720]
"avast!"=C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe [2008-07-19 78008]
"TkBellExe"=C:\Program Files\Common Files\Real\Update_OB\realsched.exe [2008-03-22 180269]
"SunJavaUpdateSched"=C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe [2008-06-10 144784]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [2008-06-12 34672]
"AGRSMMSG"=C:\WINDOWS\AGRSMMSG.exe [2002-09-25 87751]
"NBKeyScan"=C:\Program Files\Nero\Nero 7\Nero BackItUp\NBKeyScan.exe [2008-02-21 1647912]
"FixCamera"=C:\WINDOWS\FixCamera.exe [2007-02-10 20480]
"snpstd3"=C:\WINDOWS\vsnpstd3.exe [2006-09-19 827392]
"tsnpstd3"=C:\WINDOWS\tsnpstd3.exe [2007-03-10 270336]
"SearchSettings"=C:\Program Files\pdfforge Toolbar\SearchSettings.exe [2010-01-08 974848]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"=C:\WINDOWS\system32\ctfmon.exe [2004-08-17 15360]
"MSMSGS"=C:\Program Files\Messenger\msmsgs.exe [2004-08-17 1667584]
"swg"=C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [2008-07-28 68856]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"=C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe [2007-06-27 152872]
"PopRock"=C:\DOCUME~1\radka\LOCALS~1\Temp\b.exe [2009-10-29 157184]
"Skype"=C:\Program Files\Skype\Phone\Skype.exe [2010-05-13 26192168]

C:\Documents and Settings\All Users\Nabídka Start\Programy\Po spuštění
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
InterVideo WinCinema Manager.lnk - C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE
RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\winhuh32]
C:\WINDOWS\system32\winhuh32.dll [2009-05-22 39936]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
UPnPMonitor - {e57ce738-33e8-4c51-8354-bb4de9d215d1} - C:\WINDOWS\system32\upnpui.dll [2004-08-17 239616]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-08-24 133120]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\aawservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\UploadMgr]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Corel\Graphics10\Register\NAVBrowser.exe"="C:\Program Files\Corel\Graphics10\Register\NAVBrowser.exe:*:Enabled:NAVBrowser"
"C:\Program Files\3DO\Heroes 3 Complete\HEROES3.EXE"="C:\Program Files\3DO\Heroes 3 Complete\HEROES3.EXE:*:Enabled:Heroes of Might and Magic® III"
"C:\Program Files\games\Warcraft III\Warcraft III.exe"="C:\Program Files\games\Warcraft III\Warcraft III.exe:*:Enabled:Warcraft III"
"C:\Diablo\diablo.exe"="C:\Diablo\diablo.exe:*:Enabled:Diablo"
"C:\Program Files\Skype\Plugin Manager\skypePM.exe"="C:\Program Files\Skype\Plugin Manager\skypePM.exe:*:Enabled:Skype Extras Manager"
"C:\Program Files\Skype\Phone\Skype.exe"="C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

======List of files/folders created in the last 1 months======

2010-11-04 20:52:45 ----D---- C:\Program Files\trend micro
2010-11-04 20:52:43 ----D---- C:\rsit

======List of files/folders modified in the last 1 months======

2010-11-04 20:52:45 ----RD---- C:\Program Files
2010-11-04 20:49:00 ----A---- C:\WINDOWS\SchedLgU.Txt
2010-11-04 20:48:47 ----SD---- C:\WINDOWS\Tasks
2010-11-04 20:47:23 ----D---- C:\WINDOWS\Prefetch
2010-11-04 20:40:38 ----D---- C:\WINDOWS\Temp
2010-11-04 20:38:54 ----D---- C:\Program Files\Mozilla Firefox
2010-11-04 20:33:14 ----D---- C:\Documents and Settings\radka\Data aplikací\Skype
2010-11-04 20:29:40 ----D---- C:\WINDOWS\system32\CatRoot2
2010-11-04 20:29:34 ----D---- C:\WINDOWS\system32
2010-11-04 16:33:34 ----D---- C:\Documents and Settings\radka\Data aplikací\skypePM
2010-11-04 12:19:50 ----D---- C:\Documents and Settings\radka\Data aplikací\ShoppingReport
2010-11-01 22:02:20 ----SHD---- C:\WINDOWS\Installer
2010-10-31 20:03:08 ----D---- C:\WINDOWS
2010-10-31 11:31:41 ----A---- C:\WINDOWS\IE4 Error Log.txt
2010-10-31 10:36:29 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2010-10-31 10:33:26 ----D---- C:\WINDOWS\Minidump
2010-10-24 10:28:55 ----A---- C:\WINDOWS\DUMP72bc.tmp
2010-10-19 17:26:24 ----SHD---- C:\Config.Msi

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R0 BsStor;B.H.A Storage Helper Driver; C:\WINDOWS\system32\drivers\BsStor.sys [2002-06-06 9344]
R0 PxHelp20;PxHelp20; C:\WINDOWS\System32\DRIVERS\PxHelp20.sys [2005-03-22 17168]
R0 sfdrv01;StarForce Protection Environment Driver (version 1.x); C:\WINDOWS\System32\drivers\sfdrv01.sys [2005-08-10 50688]
R0 sfhlp02;StarForce Protection Helper Driver (version 2.x); C:\WINDOWS\System32\drivers\sfhlp02.sys [2005-05-16 6656]
R0 sfvfs02;StarForce Protection VFS Driver (version 2.x); C:\WINDOWS\System32\drivers\sfvfs02.sys [2005-09-29 66048]
R0 sisagp;SiS AGP Filter; C:\WINDOWS\System32\DRIVERS\sisagp.sys [2002-05-22 27392]
R1 Aavmker4;avast! Asynchronous Virus Monitor; C:\WINDOWS\system32\drivers\Aavmker4.sys [2008-07-19 26944]
R1 aswSP;avast! Self Protection; C:\WINDOWS\system32\drivers\aswSP.sys [2008-07-19 78416]
R1 aswTdi;avast! Network Shield Support; C:\WINDOWS\system32\drivers\aswTdi.sys [2008-07-19 42912]
R1 cdrbsvsd;cdrbsvsd; C:\WINDOWS\system32\drivers\cdrbsvsd.sys [2003-04-28 10940]
R1 meiudf;meiudf; C:\WINDOWS\System32\Drivers\meiudf.sys [2003-01-31 90416]
R1 prodrv04;Star Force copy protection driver v4; C:\WINDOWS\System32\drivers\prodrv04.sys [2006-01-04 114496]
R2 AegisP;AEGIS Protocol (IEEE 802.1x) v3.4.3.0; C:\WINDOWS\system32\DRIVERS\AegisP.sys [2007-03-10 20747]
R2 aswFsBlk;aswFsBlk; C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-07-19 20560]
R2 aswMon2;avast! Standard Shield Support; C:\WINDOWS\system32\drivers\aswMon2.sys [2008-07-19 94416]
R2 BsUDF;B.H.A UDF Filesystem; C:\WINDOWS\system32\drivers\BsUDF.sys [2003-05-20 389888]
R2 lirsgt;lirsgt; C:\WINDOWS\system32\DRIVERS\lirsgt.sys [2007-11-29 18048]
R3 AgereSoftModem;Microcom InPorte Home; C:\WINDOWS\system32\DRIVERS\AGRSM.sys [2002-09-25 1141248]
R3 cmuda;C-Media WDM Audio Interface; C:\WINDOWS\system32\drivers\cmuda.sys [2002-05-29 412623]
R3 GearAspiWDM;GEARAspiWDM; C:\WINDOWS\system32\drivers\GEARAspiWDM.sys [2002-06-28 9344]
R3 MODEMCSA;Unimodem Streaming Filter Device; C:\WINDOWS\system32\drivers\MODEMCSA.sys [2001-08-17 16128]
R3 ms_mpu401;Microsoft MPU-401 MIDI UART Driver; C:\WINDOWS\system32\drivers\msmpu401.sys [2001-08-17 2944]
R3 nv;nv; C:\WINDOWS\System32\DRIVERS\nv4_mini.sys [2004-08-03 1897408]
R3 Pcouffin;Low level access layer for CD devices; C:\WINDOWS\System32\Drivers\Pcouffin.sys [2006-05-19 47360]
R3 pfc;Padus ASPI Shell; C:\WINDOWS\system32\drivers\pfc.sys [2003-02-06 9856]
R3 ROOTMODEM;Microsoft Legacy Modem Driver; C:\WINDOWS\System32\Drivers\RootMdm.sys [2001-10-25 5888]
R3 SISNIC;SiS PCI Fast Ethernet Adapter Driver; C:\WINDOWS\System32\DRIVERS\sisnic.sys [2004-08-03 32768]
R3 USBSTOR;Ovladač velkokapacitního paměťového zařízení USB; C:\WINDOWS\System32\DRIVERS\USBSTOR.SYS [2004-08-03 26496]
S3 AdfuUd;USB 2.0 (FS) ADFU Device; C:\WINDOWS\System32\Drivers\AdfuUd.sys []
S3 aswRdr;aswRdr; C:\WINDOWS\system32\drivers\aswRdr.sys [2008-07-19 23152]
S3 CCDECODE;Dekodér Closed Caption; C:\WINDOWS\system32\DRIVERS\CCDECODE.sys [2004-08-03 17024]
S3 HidUsb;Ovladač třídy standardu HID; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2001-08-17 9600]
S3 mouhid;Ovladač myši standardu HID; C:\WINDOWS\System32\DRIVERS\mouhid.sys [2001-10-24 12160]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\WINDOWS\system32\drivers\MSTEE.sys [2004-08-03 5504]
S3 NABTSFEC;NABTS/FEC VBI Codec; C:\WINDOWS\System32\DRIVERS\NABTSFEC.sys [2004-08-03 85376]
S3 NdisIP;Microsoft TV/Video Connection; C:\WINDOWS\System32\DRIVERS\NdisIP.sys [2004-08-03 10880]
S3 RT73;Belkin USB Network Adapter; C:\WINDOWS\system32\DRIVERS\rt73.sys [2005-08-02 232192]
S3 sermouse;Ovladač sériové myši; C:\WINDOWS\System32\DRIVERS\sermouse.sys [2001-10-24 17664]
S3 SLIP;BDA Slip De-Framer; C:\WINDOWS\System32\DRIVERS\SLIP.sys [2004-08-03 11136]
S3 SNPSTD3;USB PC Camera (SNPSTD3); C:\WINDOWS\system32\DRIVERS\snpstd3.sys [2007-03-26 10252544]
S3 streamip;BDA IPSink; C:\WINDOWS\System32\DRIVERS\StreamIP.sys [2004-08-03 15360]
S3 WSTCODEC;Dálnopisný kodek světového standardu; C:\WINDOWS\System32\DRIVERS\WSTCODEC.SYS [2004-08-03 19328]
S3 zuzqcya;zuzqcya; \??\C:\WINDOWS\system32\01591.tmp []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 aawservice;Lavasoft Ad-Aware Service; C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe [2008-10-31 611664]
R2 Application Updater;Application Updater; C:\Program Files\Application Updater\ApplicationUpdater.exe [2010-01-08 380928]
R2 aswUpdSv;avast! iAVS4 Control Service; C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe [2008-07-19 16056]
R2 avast! Antivirus;avast! Antivirus; C:\Program Files\Alwil Software\Avast4\ashServ.exe [2008-07-19 147640]
R2 Belkin Wireless USB Network Adapter Service;Belkin Wireless USB Network Adapter; C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe [2004-03-29 49152]
R2 DVD-RAM_Service;DVD-RAM_Service; C:\WINDOWS\system32\DVDRAMSV.exe [2003-05-23 106496]
R2 GEARSecurity;GEARSecurity; C:\WINDOWS\system32\gearsec.exe [2002-09-02 49152]
R2 UleadBurningHelper;Ulead Burning Helper; C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe [2003-11-12 49152]
R3 NMIndexingService;NMIndexingService; C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe [2007-06-27 279848]
S2 alwzh;Monitor Driver; C:\WINDOWS\system32\svchost.exe [2004-08-17 14336]
S2 hdudbxewv;System Windows; C:\WINDOWS\system32\svchost.exe [2004-08-17 14336]
S2 kusmacwg;Server Update; C:\WINDOWS\system32\svchost.exe [2004-08-17 14336]
S2 lhkiqqk;Boot Config; C:\WINDOWS\system32\svchost.exe [2004-08-17 14336]
S2 mlfkcuvp;bophp; C:\WINDOWS\system32\svchost.exe [2004-08-17 14336]
S2 qbkpb;Driver Update; C:\WINDOWS\system32\svchost.exe [2004-08-17 14336]
S2 sznwjb;Universal Center; C:\WINDOWS\system32\svchost.exe [2004-08-17 14336]
S2 tqouw;Config Universal; C:\WINDOWS\system32\svchost.exe [2004-08-17 14336]
S2 waoadxc;Image Windows; C:\WINDOWS\system32\svchost.exe [2004-08-17 14336]
S2 xyitu;Universal Support; C:\WINDOWS\system32\svchost.exe [2004-08-17 14336]
S2 ymhjpgh;Network Update; C:\WINDOWS\system32\svchost.exe [2004-08-17 14336]
S2 zbmdfpqf;Time Update; C:\WINDOWS\system32\svchost.exe [2004-08-17 14336]
S2 zolix;Driver Microsoft; C:\WINDOWS\system32\svchost.exe [2004-08-17 14336]
S3 avast! Mail Scanner;avast! Mail Scanner; C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe [2008-07-19 250040]
S3 avast! Web Scanner;avast! Web Scanner; C:\Program Files\Alwil Software\Avast4\ashWebSv.exe [2008-07-23 348344]
S3 gusvc;Google Software Updater; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-04-28 182768]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [2005-04-04 69632]
S3 NBService;NBService; C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe [2008-02-21 800040]

-----------------EOF-----------------

vyosek
VIP
Posts: 56373
Registered: 07 Nov 2006 15:24
Location: Šalingrad - Brno

Re: Please check my log as a precaution, thank you :)

#2 Post by vyosek »

Hello and have a nice day :)

This is not just a preventive check, there is a fine crop of vermin in there

PLEASE READ THE INSTRUCTIONS CAREFULLY - THIS UTILITY HAS A GREAT CAPACITY TO DELETE AND MUST ONLY BE USED WHEN RECOMMENDED, OTHERWISE YOUR SYSTEM MAY GO DOWN THE DRAIN
Download ComboFix and save it to the desktop http://download.bleepingcomputer.com/sUBs/ComboFix.exe
  • Turn off all resident security programs - firewalls, antivirus, antispyware, etc.
  • Plug all USB keys (flash drives, external disks, etc.) into the PC
  • If you have Win XP, run it under the Administrator account
  • If you have Win Vista or Win 7, right-click ComboFix and choose Run As Administrator
  • Right after it starts, a page with the license agreement appears; continue by clicking Yes
  • If CF offers to install the Recovery Console, agree
  • Then follow the instructions; during the scan leave the PC completely alone - do not start any applications and do not click into the window that appears
  • The scan should take about 10 minutes, but if the PC is heavily infected it may take longer
  • After the scan finishes and a possible restart, CF displays a log; otherwise you will find it at C:\ComboFix.txt. Paste its contents here
  • Detailed instructions including pictures are here http://www.bleepingcomputer.com/combofi ... t-combofix
"He who has wine and does not drink, who has grapes and does not eat them, who has a wife and does not kiss her, who shuns fun, take a whip and a stick to him, that is not a man, that is an ox."
Member since 1 February 2011.
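
The helper's verdict rests on patterns that are visible in the RSIT log from post #1: thirteen services with random names whose image is the generic C:\WINDOWS\system32\svchost.exe, a driver (zuzqcya) registered to a .tmp file under a raw \??\ path, and a Run entry (PopRock) starting from the user's Temp folder. The script below is an added example, not part of the thread, RSIT or ComboFix: it scores such lines with simple triage heuristics. The sample lines are copied from that log plus one constructed legitimate svchost line (wuauserv); the allowlist, the weights and the threshold are illustrative assumptions.

```python
"""Triage heuristics for the service, driver and Run-key lines in an RSIT log.
Added example for this thread (not part of RSIT, ComboFix or the forum's tooling):
the sample lines come from the log in post #1 plus one constructed clean line;
the allowlist and the weights are illustrative assumptions."""
import re
from dataclasses import dataclass

# RSIT service/driver line:  S2 name;Display Name; C:\path\image.exe [YYYY-MM-DD size]
SVC_RE = re.compile(r"^[RS]\d\s+(?P<name>[^;]+);[^;]*;\s*(?P<image>.*?)\s*(?:\[(?P<meta>[^\]]*)\])?$")
# RSIT Run-key line:  "Name"=C:\path\image.exe [YYYY-MM-DD size]
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<image>.*?)\s*(?:\[(?P<meta>[^\]]*)\])?$')
# Assumption: partial allowlist of Windows XP services that legitimately run inside
# svchost.exe; any other service whose image is svchost.exe was registered by something else.
SVCHOST_HOSTED = {
    "appmgmt", "audiosrv", "bits", "browser", "cryptsvc", "dhcp", "dmserver", "ersvc",
    "eventsystem", "helpsvc", "lanmanserver", "lanmanworkstation", "netman", "nla",
    "rasauto", "rasman", "remoteaccess", "schedule", "seclogon", "sens", "sharedaccess",
    "shellhwdetection", "srservice", "tapisrv", "themes", "trkwks", "w32time", "winmgmt",
    "wscsvc", "wuauserv", "wzcsvc", "xmlprov",
}
VOWELS = set("aeiou")


@dataclass
class Finding:
    kind: str
    name: str
    score: int
    reasons: list


def looks_random(name: str) -> bool:
    """Weak signal: all-letter name with a long consonant run or very few vowels."""
    n = name.lower()
    if not n.isalpha() or len(n) < 5:
        return False
    longest = run = 0
    for ch in n:
        run = 0 if ch in VOWELS else run + 1
        longest = max(longest, run)
    return longest >= 4 or sum(ch in VOWELS for ch in n) / len(n) <= 0.25


def image_basename(cmd: str) -> str:
    """Executable file name in a command line, ignoring arguments such as '-k netsvcs'."""
    m = re.search(r'([^\\/\s"]+\.(?:exe|sys|dll))', cmd, re.I)
    return m.group(1).lower() if m else ""


def score_service(line: str):
    """Score one 'List of services' / 'List of drivers' line; None if the line is not one."""
    m = SVC_RE.match(line)
    if not m:
        return None
    name, image, meta = m["name"], m["image"], m["meta"] or ""
    reasons = []
    if image_basename(image) == "svchost.exe" and name.lower() not in SVCHOST_HOSTED:
        reasons.append(("svchost.exe-hosted service not on the Windows allowlist", 2))
    if re.search(r"\.tmp$|^\\\?\?\\", image, re.I):
        reasons.append(("image is a .tmp file or a raw \\??\\ device path", 2))
    if looks_random(name):
        reasons.append(("random-looking service name", 1))
    if not meta:  # RSIT prints [] when it could not stat the image file
        reasons.append(("no timestamp/size: image missing or unreadable", 1))
    return Finding("service", name, sum(w for _, w in reasons), [r for r, _ in reasons])


def score_run(line: str):
    """Score one Run-key line; None if the line is not one."""
    m = RUN_RE.match(line)
    if not m:
        return None
    name, image, meta = m["name"], m["image"], m["meta"] or ""
    reasons = []
    if re.search(r"\\temp\\", image, re.I):
        reasons.append(("autostart launched from a Temp directory", 2))
    if not meta:
        reasons.append(("no timestamp/size: image missing or unreadable", 1))
    return Finding("run", name, sum(w for _, w in reasons), [r for r, _ in reasons])


def triage(lines, threshold: int = 2):
    """Findings at or above threshold, strongest first; a single weak signal drops out."""
    found = []
    for line in lines:
        f = score_service(line) or score_run(line)
        if f and f.score >= threshold:
            found.append(f)
    return sorted(found, key=lambda f: -f.score)


# Sample input: lines copied from the RSIT log in post #1, plus one constructed
# legitimate svchost-hosted Windows service (wuauserv) for contrast.
SAMPLE_LINES = [
    r"R2 aawservice;Lavasoft Ad-Aware Service; C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe [2008-10-31 611664]",
    r"S2 alwzh;Monitor Driver; C:\WINDOWS\system32\svchost.exe [2004-08-17 14336]",
    r"S2 zolix;Driver Microsoft; C:\WINDOWS\system32\svchost.exe [2004-08-17 14336]",
    r"S2 tqouw;Config Universal; C:\WINDOWS\system32\svchost.exe [2004-08-17 14336]",
    r"S3 zuzqcya;zuzqcya; \??\C:\WINDOWS\system32\01591.tmp []",
    r'"PopRock"=C:\DOCUME~1\radka\LOCALS~1\Temp\b.exe [2009-10-29 157184]',
    r'"Skype"=C:\Program Files\Skype\Phone\Skype.exe [2010-05-13 26192168]',
    r'"Cmaudio"=RunDll32 cmicnfg.dll,CMICtrlWnd []',
    r"R2 wuauserv;Automatic Updates; C:\WINDOWS\system32\svchost.exe -k netsvcs [2004-08-17 14336]",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f"{f.score} {f.kind:7} {f.name:12} {'; '.join(f.reasons)}")
```

Run as a script it flags zuzqcya, alwzh, zolix, tqouw and PopRock; zolix and tqouw show why the allowlist rule matters, since the name heuristic alone is silent on them, while Cmaudio's lone empty-metadata signal stays below the threshold.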

G0nzales
Visitor
Posts: 23
Registered: 17 Nov 2006 08:10

Re: Please check my log as a precaution, thank you :)

#3 Post by G0nzales »

Good evening, thank you very much for your help and your time... I apologize that it took so long, here is the log from ComboFix:

ComboFix 10-11-03.04 - radka 05.11.2010 0:39.1.1 - x86
Systém Microsoft Windows XP Professional 5.1.2600.2.1250.420.1029.18.639.245 [GMT 1:00]
Spuštěný z: c:\documents and settings\radka\Plocha\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
.

((((((((((((((((((((((((((((((((((((((( Ostatní výmazy )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\radka\Data aplikací\Desktopicon
c:\documents and settings\radka\Data aplikací\Desktopicon\eBayShortcuts.exe
c:\program files\pdfforge Toolbar\IE\1.1.2\pdFForgetoolbarie.dll
c:\program files\pdfforge Toolbar\SeARchsettings.dll
c:\program files\ShoppingReport
c:\program files\ShoppingReport\Uninst.exe
C:\Thumbs.db
c:\windows\system32\fonts
c:\windows\system32\fonts\ACADEMY_.PFB
c:\windows\system32\fonts\ACADEMY_.PFM
c:\windows\system32\fonts\ACADEMY_.TTF
c:\windows\system32\lccim.dll
c:\windows\system32\msxml71.dll
c:\windows\system32\Thumbs.db

.
((((((((((((((((((((((((((((((((((((((( Ovladače/Služby )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ALWZH
-------\Legacy_HDUDBXEWV
-------\Legacy_KUSMACWG
-------\Legacy_LHKIQQK
-------\Legacy_MLFKCUVP
-------\Legacy_QBKPB
-------\Legacy_SZNWJB
-------\Legacy_TQOUW
-------\Legacy_WAOADXC
-------\Legacy_XYITU
-------\Legacy_YMHJPGH
-------\Legacy_ZBMDFPQF
-------\Legacy_ZOLIX
-------\Service_alwzh
-------\Service_hdudbxewv
-------\Service_kusmacwg
-------\Service_lhkiqqk
-------\Service_mlfkcuvp
-------\Service_qbkpb
-------\Service_sznwjb
-------\Service_tqouw
-------\Service_waoadxc
-------\Service_xyitu
-------\Service_ymhjpgh
-------\Service_zbmdfpqf
-------\Service_zolix
-------\Legacy_agsnhvm
-------\Legacy_ciuis
-------\Legacy_djppqwbp
-------\Legacy_epmkotx
-------\Legacy_gfoognwx
-------\Legacy_gkgjek
-------\Legacy_gxcorwrgl
-------\Legacy_hapxtt
-------\Legacy_icwzjf
-------\Legacy_inciex
-------\Legacy_iujggp
-------\Legacy_krdstnxxi
-------\Legacy_mixirbush
-------\Legacy_mjkwjaa
-------\Legacy_ndnjw
-------\Legacy_ntrkhwjcf
-------\Legacy_pbuekkkcd
-------\Legacy_ppecg
-------\Legacy_qalat
-------\Legacy_rjjnrt
-------\Legacy_rpgpwjb
-------\Legacy_rserfjk
-------\Legacy_tqrryvrk
-------\Legacy_ufnaxpm
-------\Legacy_ufstrqqp
-------\Legacy_uirwouzux
-------\Legacy_vagttxse
-------\Legacy_wkahh
-------\Legacy_xhzbly
-------\Legacy_zbbxczlqj
-------\Legacy_zwofj
-------\Service_agsnhvm
-------\Service_ciuis
-------\Service_djppqwbp
-------\Service_epmkotx
-------\Service_gfoognwx
-------\Service_gkgjek
-------\Service_gxcorwrgl
-------\Service_hapxtt
-------\Service_icwzjf
-------\Service_inciex
-------\Service_iujggp
-------\Service_krdstnxxi
-------\Service_mixirbush
-------\Service_mjkwjaa
-------\Service_ndnjw
-------\Service_ntrkhwjcf
-------\Service_pbuekkkcd
-------\Service_ppecg
-------\Service_qalat
-------\Service_rjjnrt
-------\Service_rpgpwjb
-------\Service_rserfjk
-------\Service_tqrryvrk
-------\Service_ufnaxpm
-------\Service_ufstrqqp
-------\Service_uirwouzux
-------\Service_vagttxse
-------\Service_wkahh
-------\Service_xhzbly
-------\Service_zbbxczlqj
-------\Service_zwofj


((((((((((((((((((((((((( Soubory vytvořené od 2010-10-04 do 2010-11-04 )))))))))))))))))))))))))))))))
.

2010-11-04 22:17 . 2010-11-04 22:17 -------- d-----w- c:\documents and settings\radka\Data aplikací\Avira
2010-11-04 21:29 . 2010-11-04 21:32 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-11-04 20:21 . 2010-08-02 15:10 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-11-04 20:21 . 2010-08-02 15:10 126856 ----a-w- c:\windows\system32\drivers\avipbb.sys
2010-11-04 20:21 . 2010-06-17 14:27 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2010-11-04 20:21 . 2010-06-17 14:27 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2010-11-04 20:21 . 2010-11-04 20:21 -------- d-----w- c:\program files\Avira
2010-11-04 20:21 . 2010-11-04 20:21 -------- d-----w- c:\documents and settings\All Users\Data aplikací\Avira
2010-11-04 19:52 . 2010-11-04 19:52 -------- d-----w- c:\program files\trend micro
2010-11-04 19:52 . 2010-11-04 19:52 -------- d-----w- C:\rsit

.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-10-24 09:28 . 2005-12-21 18:23 90112 ----a-w- c:\windows\DUMP72bc.tmp
2010-09-05 19:46 . 2010-09-05 19:46 1409 ----a-w- c:\windows\QTFont.for
2009-04-12 11:15 . 2009-04-12 11:15 32638800 ----a-w- c:\program files\setupcze.exe
2008-07-27 13:04 . 2008-07-27 13:04 1336031 ----a-w- c:\program files\wrar371cz.exe
2008-07-26 10:50 . 2008-07-26 10:50 13801120 ----a-w- c:\program files\jre-6u1-windows-i586-p.exe
2008-03-22 11:46 . 2008-03-22 16:29 13526432 ----a-w- c:\program files\RealPlayer10-5GOLD_rs.exe
2008-03-12 12:10 . 2008-03-12 12:12 70867 ----a-w- c:\program files\AlienWin2000-XP.exe
2008-03-12 12:03 . 2008-03-12 12:12 5901965 ----a-w- c:\program files\Setup_Moorhuhn-X-XS_V11.exe
2008-03-12 12:02 . 2008-03-12 12:12 4453696 ----a-w- c:\program files\moorhuhn3.exe
2008-02-29 08:04 . 2008-02-29 08:10 860391 ----a-w- c:\program files\7z457.exe
2007-04-24 08:45 . 2007-04-24 09:09 1390518 ----a-w- c:\program files\cdex_140b8_deu.exe
2006-04-13 11:56 . 2006-04-14 15:23 6545442 ----a-w- c:\program files\ezcddax9.exe
2001-06-14 21:18 . 2005-03-22 17:47 710656 ----a-w- c:\program files\MDVDP.exe
.

(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-07-28 68856]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-27 152872]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2010-05-13 26192168]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SiSUSBRG"="c:\windows\SiSUSBrg.exe" [2002-04-26 102400]
"B'sCLiP"="c:\progra~1\B'SCLI~1\Win2K\BSCLIP.exe" [2003-05-22 1310720]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-03-22 180269]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"AGRSMMSG"="AGRSMMSG.exe" [2002-09-25 87751]
"NBKeyScan"="c:\program files\Nero\Nero 7\Nero BackItUp\NBKeyScan.exe" [2008-02-21 1647912]
"FixCamera"="c:\windows\FixCamera.exe" [2007-02-10 20480]
"snpstd3"="c:\windows\vsnpstd3.exe" [2006-09-19 827392]
"tsnpstd3"="c:\windows\tsnpstd3.exe" [2007-03-10 270336]
"SearchSettings"="c:\program files\pdfforge Toolbar\SearchSettings.exe" [2010-01-08 974848]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-08-02 281768]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2004-08-17 15360]

c:\documents and settings\All Users\Nabídka Start\Programy\Po spuštění\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-4-5 113664]
InterVideo WinCinema Manager.lnk - c:\program files\InterVideo\Common\Bin\WinCinemaMgr.exe [2005-3-22 114688]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]
RAMASST.lnk - c:\windows\system32\RAMASST.exe [2005-3-22 155648]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Corel\\Graphics10\\Register\\NAVBrowser.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"2892:UDP"= 2892:UDP:Windows Media Format SDK (iexplore.exe)
"2893:UDP"= 2893:UDP:Windows Media Format SDK (iexplore.exe)
"2896:UDP"= 2896:UDP:Windows Media Format SDK (iexplore.exe)
"6550:TCP"= 6550:TCP:pgcmwm

R0 BsStor;B.H.A Storage Helper Driver;c:\windows\system32\drivers\BsStor.sys [22.3.2005 18:28 9344]
R1 prodrv04;Star Force copy protection driver v4;c:\windows\system32\drivers\prodrv04.sys [4.1.2006 21:50 114496]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [4.11.2010 21:21 135336]
R2 Application Updater;Application Updater;c:\program files\Application Updater\ApplicationUpdater.exe [8.1.2010 0:51 380928]
R2 BsUDF;B.H.A UDF Filesystem;c:\windows\system32\drivers\BsUDF.sys [22.3.2005 18:28 389888]
S2 agsnhvm;Task Server;c:\windows\system32\svchost.exe -k netsvcs [25.10.2001 13:00 14336]
S2 ciuis;Support Monitor;c:\windows\system32\svchost.exe -k netsvcs [25.10.2001 13:00 14336]
S2 djppqwbp;Server Time;c:\windows\system32\svchost.exe -k netsvcs [25.10.2001 13:00 14336]
S2 epmkotx;Driver Support;c:\windows\system32\svchost.exe -k netsvcs [25.10.2001 13:00 14336]
S2 gfoognwx;Monitor Driver;c:\windows\system32\svchost.exe -k netsvcs [25.10.2001 13:00 14336]
S2 gkgjek;Universal Shell;c:\windows\system32\svchost.exe -k netsvcs [25.10.2001 13:00 14336]
S2 gxcorwrgl;Shell Update;c:\windows\system32\svchost.exe -k netsvcs [25.10.2001 13:00 14336]
S2 hapxtt;Support Microsoft;c:\windows\system32\svchost.exe -k netsvcs [25.10.2001 13:00 14336]
S2 icwzjf;Security Image;c:\windows\system32\svchost.exe -k netsvcs [25.10.2001 13:00 14336]
S2 inciex;Boot Task;c:\windows\system32\svchost.exe -k netsvcs [25.10.2001 13:00 14336]
S2 iujggp;Microsoft Driver;c:\windows\system32\svchost.exe -k netsvcs [25.10.2001 13:00 14336]
S2 krdstnxxi;dhfvaesnx;c:\windows\system32\svchost.exe -k netsvcs [25.10.2001 13:00 14336]
S2 mixirbush;Image Installer;c:\windows\system32\svchost.exe -k netsvcs [25.10.2001 13:00 14336]
S2 mjkwjaa;zsgrks;c:\windows\system32\svchost.exe -k netsvcs [25.10.2001 13:00 14336]
S2 ndnjw;vnozpwx;c:\windows\system32\svchost.exe -k netsvcs [25.10.2001 13:00 14336]
S2 ntrkhwjcf;Microsoft Helper;c:\windows\system32\svchost.exe -k netsvcs [25.10.2001 13:00 14336]
S2 pbuekkkcd;System Manager;c:\windows\system32\svchost.exe -k netsvcs [25.10.2001 13:00 14336]
S2 ppecg;Support Shell;c:\windows\system32\svchost.exe -k netsvcs [25.10.2001 13:00 14336]
S2 qalat;Universal Image;c:\windows\system32\svchost.exe -k netsvcs [25.10.2001 13:00 14336]
S2 rjjnrt;Task Config;c:\windows\system32\svchost.exe -k netsvcs [25.10.2001 13:00 14336]
S2 rpgpwjb;oyhksxw;c:\windows\system32\svchost.exe -k netsvcs [25.10.2001 13:00 14336]
S2 rserfjk;Windows Security;c:\windows\system32\svchost.exe -k netsvcs [25.10.2001 13:00 14336]
S2 tqrryvrk;Support Network;c:\windows\system32\svchost.exe -k netsvcs [25.10.2001 13:00 14336]
S2 ufnaxpm;Config Network;c:\windows\system32\svchost.exe -k netsvcs [25.10.2001 13:00 14336]
S2 ufstrqqp;Microsoft Shell;c:\windows\system32\svchost.exe -k netsvcs [25.10.2001 13:00 14336]
S2 uirwouzux;bddrcrd;c:\windows\system32\svchost.exe -k netsvcs [25.10.2001 13:00 14336]
S2 vagttxse;Manager System;c:\windows\system32\svchost.exe -k netsvcs [25.10.2001 13:00 14336]
S2 wkahh;Security Microsoft;c:\windows\system32\svchost.exe -k netsvcs [25.10.2001 13:00 14336]
S2 xhzbly;Monitor Security;c:\windows\system32\svchost.exe -k netsvcs [25.10.2001 13:00 14336]
S2 zbbxczlqj;Config Microsoft;c:\windows\system32\svchost.exe -k netsvcs [25.10.2001 13:00 14336]
S2 zwofj;Boot Driver;c:\windows\system32\svchost.exe -k netsvcs [25.10.2001 13:00 14336]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
wkahh
agsnhvm
mjkwjaa
inciex
ntrkhwjcf
krdstnxxi
ufnaxpm
rjjnrt
epmkotx
mixirbush
hapxtt
ciuis
ndnjw
djppqwbp
tqrryvrk
icwzjf
gfoognwx
qalat
pbuekkkcd
vagttxse
ppecg
ufstrqqp
gkgjek
rpgpwjb
zbbxczlqj
iujggp
uirwouzux
zwofj
gxcorwrgl
rserfjk
.
Obsah adresáře 'Naplánované úlohy'

2009-02-22 c:\windows\Tasks\20090222_190400_radka.job
- c:\program files\Nero\Nero 7\Nero BackItUp\BackItUp.exe [2008-02-21 14:41]

2010-11-04 c:\windows\Tasks\Norton Security Scan for radka.job
- c:\program files\Norton Security Scan\Nss.exe [2008-09-19 19:20]
.
.
------- Doplňkový sken -------
.
uStart Page = hxxp://www.kb.cz/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
Trusted Zone: mojebanka.cz\etrading
Trusted Zone: mojebanka.cz\www
Trusted Zone: mojebanka.cz.
Trusted Zone: mojebanka.cz\etrading
Trusted Zone: mojebanka.cz\www
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\radka\Data aplikací\Mozilla\Firefox\Profiles\9s8ngse5.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.centrum.cz/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=greentree_ff1&ei=utf-8&type=302398&p=
FF - component: c:\program files\pdfforge Toolbar\FF\components\pdfforgeToolbarFF.dll
FF - component: c:\program files\pdfforge Toolbar\SSFF\components\SearchSettingsFF.dll

---- NASTAVENÍ FIREFOXU ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified
c:\program files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".cz");
.
- - - - NEPLATNÉ POLOŽKY ODSTRANĚNÉ Z REGISTRU - - - -

URLSearchHooks-{E312764E-7706-43F1-8DAB-FCDD2B1E416D} - (no file)
HKLM-Run-Cmaudio - cmicnfg.dll
Notify-winhuh32 - (no file)
AddRemove-DVDXCopy - c:\program files\321Studios\DVDXCopy\Uninst.exe
AddRemove-Totalcmd - c:\totalcmd\tcuninst.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-11-05 00:57
Windows 5.1.2600 Service Pack 2 NTFS

skenování skrytých procesů ...

skenování skrytých položek 'Po spuštění' ...

skenování skrytých souborů ...

sken byl úspešně dokončen
skryté soubory: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\agsnhvm]
"ServiceDll"="c:\windows\system32\lccim.dll"
--

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\ciuis]
"ServiceDll"="c:\windows\system32\lccim.dll"
--

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\djppqwbp]
"ServiceDll"="c:\windows\system32\lccim.dll"
--

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\epmkotx]
"ServiceDll"="c:\windows\system32\lccim.dll"
--

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\gfoognwx]
"ServiceDll"="c:\windows\system32\lccim.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\gkgjek]
"ServiceDll"="c:\windows\system32\lccim.dll"
--

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\gxcorwrgl]
"ServiceDll"="c:\windows\system32\lccim.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\hapxtt]
"ServiceDll"="c:\windows\system32\lccim.dll"
--

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\icwzjf]
"ServiceDll"="c:\windows\system32\lccim.dll"
--

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\inciex]
"ServiceDll"="c:\windows\system32\lccim.dll"
--

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\iujggp]
"ServiceDll"="c:\windows\system32\lccim.dll"
--

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\krdstnxxi]
"ServiceDll"="c:\windows\system32\lccim.dll"
--

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\mixirbush]
"ServiceDll"="c:\windows\system32\lccim.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\mjkwjaa]
"ServiceDll"="c:\windows\system32\lccim.dll"
--

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\ndnjw]
"ServiceDll"="c:\windows\system32\lccim.dll"
--

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\ntrkhwjcf]
"ServiceDll"="c:\windows\system32\lccim.dll"
--

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\pbuekkkcd]
"ServiceDll"="c:\windows\system32\lccim.dll"
--

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\ppecg]
"ServiceDll"="c:\windows\system32\lccim.dll"
--

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\qalat]
"ServiceDll"="c:\windows\system32\lccim.dll"
--

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\rjjnrt]
"ServiceDll"="c:\windows\system32\lccim.dll"
--

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\rpgpwjb]
"ServiceDll"="c:\windows\system32\lccim.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\rserfjk]
"ServiceDll"="c:\windows\system32\lccim.dll"
--

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\tqrryvrk]
"ServiceDll"="c:\windows\system32\lccim.dll"
--

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\ufnaxpm]
"ServiceDll"="c:\windows\system32\lccim.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\ufstrqqp]
"ServiceDll"="c:\windows\system32\lccim.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\uirwouzux]
"ServiceDll"="c:\windows\system32\lccim.dll"
--

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\vagttxse]
"ServiceDll"="c:\windows\system32\lccim.dll"
--

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\wkahh]
"ServiceDll"="c:\windows\system32\lccim.dll"
--

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\xhzbly]
"ServiceDll"="c:\windows\system32\lccim.dll"
--

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\zbbxczlqj]
"ServiceDll"="c:\windows\system32\lccim.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\zwofj]
"ServiceDll"="c:\windows\system32\lccim.dll"
.
--------------------- Knihovny navázané na běžící procesy ---------------------

- - - - - - - > 'explorer.exe'(4032)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Jiné spuštené procesy ------------------------
.
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Belkin\Belkin Wireless Network Utility\WLService.exe
c:\program files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
c:\windows\system32\DVDRAMSV.exe
c:\program files\Avira\AntiVir Desktop\avshadow.exe
c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
c:\windows\system32\RunDll32.exe
c:\windows\AGRSMMSG.exe
c:\windows\system32\wscntfy.exe
c:\program files\Common Files\Ahead\Lib\NMIndexingService.exe
c:\program files\Skype\Plugin Manager\skypePM.exe
c:\program files\Java\jre1.6.0_07\bin\jucheck.exe
.
**************************************************************************
.
Celkový čas: 2010-11-05 01:01:30 - počítač byl restartován
ComboFix-quarantined-files.txt 2010-11-05 00:01

Před spuštěním: 5 674 868 736
Po spuštění: 5 772 763 136

WindowsXP-KB310994-SP2-Pro-BootDisk-CSY.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

- - End Of File - - 1BA5B272A9E8F983102B72C04D2C2EA2
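The pattern the helper acts on in the next post is visible in the ComboFix sections above: thirty-odd svchost services with throwaway names, all registered in NetSvcs and all pointing their ServiceDll at the same file, c:\windows\system32\lccim.dll. The check below is an added example (my own code, not part of the thread, of ComboFix or of any other tool named here): it parses those two report sections and groups services by DLL, so a cluster like this stands out without reading the registry dump by hand. The input is a constructed excerpt in ComboFix's format using names from the log above plus one constructed benign entry (BITS/qmgr.dll); the function names are the example's own.

```python
"""Flag clusters of svchost-hosted services that share one ServiceDll.

Added example, not code from the thread or from ComboFix. It reads the two
ComboFix report sections seen above: the 'Svchost - NetSvcs' name list and
the [..\Services\<name>] blocks carrying a "ServiceDll" value.
"""
import re
from collections import defaultdict

# Constructed excerpt in ComboFix's report format. The service names and the
# DLL path are taken from the log above; the BITS/qmgr.dll block is a
# constructed benign entry so the legitimate case is visible in the output.
SAMPLE_LOG = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
wkahh
agsnhvm
zwofj
.
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\agsnhvm]
"ServiceDll"="c:\windows\system32\lccim.dll"
--

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\wkahh]
"ServiceDll"="c:\windows\system32\lccim.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\zwofj]
"ServiceDll"="c:\windows\system32\lccim.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\BITS]
"ServiceDll"="c:\windows\system32\qmgr.dll"
"""

SERVICE_KEY_RE = re.compile(
    r'^\[HKEY_LOCAL_MACHINE\\System\\ControlSet\d+\\Services\\([^\]]+)\]$', re.I)
SERVICE_DLL_RE = re.compile(r'^"ServiceDll"="([^"]+)"$', re.I)


def parse_netsvcs(text):
    """Names listed under the 'Svchost - NetSvcs' header, up to the next blank or '.' line."""
    names, collecting = [], False
    for line in text.splitlines():
        line = line.strip()
        if line.endswith('Svchost - NetSvcs'):
            collecting = True
            continue
        if collecting:
            if line in ('', '.'):
                break
            names.append(line)
    return names


def parse_service_dlls(text):
    """Map service name -> lower-cased ServiceDll path from the registry blocks."""
    result, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        key = SERVICE_KEY_RE.match(line)
        if key:
            current = key.group(1)
            continue
        dll = SERVICE_DLL_RE.match(line)
        if dll and current:
            result[current] = dll.group(1).lower()
            current = None
    return result


def find_service_clusters(text, min_size=3):
    """DLLs referenced by at least min_size services -> sorted service names.

    No legitimate Windows DLL hosts dozens of distinct svchost services, so a
    large cluster is a strong signal regardless of how the names look.
    """
    by_dll = defaultdict(list)
    for svc, dll in parse_service_dlls(text).items():
        by_dll[dll].append(svc)
    return {dll: sorted(names) for dll, names in by_dll.items() if len(names) >= min_size}


def report(text, min_size=3):
    """One line per suspicious cluster, noting how many members are wired into NetSvcs."""
    netsvcs = {n.lower() for n in parse_netsvcs(text)}
    lines = []
    for dll, names in find_service_clusters(text, min_size).items():
        wired = sum(1 for n in names if n.lower() in netsvcs)
        lines.append(f'{dll}: {len(names)} services ({wired} registered in NetSvcs): {", ".join(names)}')
    return lines


if __name__ == '__main__':
    for line in report(SAMPLE_LOG):
        print(line)
```

Run against the full ComboFix text the cluster on lccim.dll comes out with all 31 names, while single-service DLLs such as the constructed qmgr.dll entry are never reported; the NetSvcs count matters because a service that is in the list gets loaded into the shared netsvcs svchost at boot.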

vyosek
VIP
Posts: 56373
Registered: 07 Nov 2006 15:24
Location: Šalingrad - Brno

Re: Please check my log as a precaution, thank you :)

#4 Post by vyosek »

:arrow: Good grief, what a harvest. Where can one buy this, please?

:arrow: That's not a family, that's a small town of rootkits. CF deleted a pile of items and we're now going to delete another heap.

:arrow: In the next step ComboFix will send samples of the vermin to sUBs, the author of ComboFix, to his server for further development of CF, so don't be alarmed that something is being uploaded from your PC.

:arrow: If you haven't already, move ComboFix to the desktop
  • Open Notepad (Start - Run - notepad)
  • Copy the script below
  • Code:

    Collect::
    c:\windows\system32\lccim.dll
    c:\program files\7z457.exe
    c:\program files\ezcddax9.exe
    
    Driver::
    agsnhvm
    ciuis
    djppqwbp
    epmkotx
    gfoognwx
    gkgjek
    gxcorwrgl
    hapxtt
    icwzjf
    inciex
    iujggp
    krdstnxxi
    mixirbush
    mjkwjaa
    ndnjw
    ntrkhwjcf
    pbuekkkcd
    ppecg
    qalat
    rjjnrt
    rpgpwjb
    rserfjk
    tqrryvrk
    ufnaxpm
    ufstrqqp
    uirwouzux
    vagttxse
    wkahh
    xhzbly
    zbbxczlqj
    zwofj
    
    Registry::
    [-HKEY_LOCAL_MACHINE\System\ControlSet003\Services\agsnhvm]
    [-HKEY_LOCAL_MACHINE\System\ControlSet003\Services\ciuis]
    [-HKEY_LOCAL_MACHINE\System\ControlSet003\Services\djppqwbp]
    [-HKEY_LOCAL_MACHINE\System\ControlSet003\Services\gfoognwx]
    [-HKEY_LOCAL_MACHINE\System\ControlSet003\Services\gkgjek]
    [-HKEY_LOCAL_MACHINE\System\ControlSet003\Services\gxcorwrgl]
    [-HKEY_LOCAL_MACHINE\System\ControlSet003\Services\hapxtt]
    [-HKEY_LOCAL_MACHINE\System\ControlSet003\Services\icwzjf]
    [-HKEY_LOCAL_MACHINE\System\ControlSet003\Services\inciex]
    [-HKEY_LOCAL_MACHINE\System\ControlSet003\Services\iujggp]
    [-HKEY_LOCAL_MACHINE\System\ControlSet003\Services\krdstnxxi]
    [-HKEY_LOCAL_MACHINE\System\ControlSet003\Services\mixirbush]
    [-HKEY_LOCAL_MACHINE\System\ControlSet003\Services\mjkwjaa]
    [-HKEY_LOCAL_MACHINE\System\ControlSet003\Services\ndnjw]
    [-HKEY_LOCAL_MACHINE\System\ControlSet003\Services\ntrkhwjcf]
    [-HKEY_LOCAL_MACHINE\System\ControlSet003\Services\pbuekkkcd]
    [-HKEY_LOCAL_MACHINE\System\ControlSet003\Services\ppecg]
    [-HKEY_LOCAL_MACHINE\System\ControlSet003\Services\qalat]
    [-HKEY_LOCAL_MACHINE\System\ControlSet003\Services\rjjnrt]
    [-HKEY_LOCAL_MACHINE\System\ControlSet003\Services\rpgpwjb]
    [-HKEY_LOCAL_MACHINE\System\ControlSet003\Services\rserfjk]
    [-HKEY_LOCAL_MACHINE\System\ControlSet003\Services\tqrryvrk]
    [-HKEY_LOCAL_MACHINE\System\ControlSet003\Services\ufnaxpm]
    [-HKEY_LOCAL_MACHINE\System\ControlSet003\Services\ufstrqqp]
    [-HKEY_LOCAL_MACHINE\System\ControlSet003\Services\uirwouzux]
    [-HKEY_LOCAL_MACHINE\System\ControlSet003\Services\vagttxse]
    [-HKEY_LOCAL_MACHINE\System\ControlSet003\Services\wkahh]
    [-HKEY_LOCAL_MACHINE\System\ControlSet003\Services\xhzbly]
    [-HKEY_LOCAL_MACHINE\System\ControlSet003\Services\zbbxczlqj]
    [-HKEY_LOCAL_MACHINE\System\ControlSet003\Services\zwofj]
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg"=-
    "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"=-
    "Skype"=-
    "SpybotSD TeaTimer"=-
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "TkBellExe"=-
    "SunJavaUpdateSched"=-
    "Adobe Reader Speed Launcher"=-
    "NBKeyScan"=-
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "2892:UDP"=-
    "2893:UDP"=-
    "2896:UDP"=-
    "6550:TCP"=-
    
    NetSvc::
    wkahh
    agsnhvm
    mjkwjaa
    inciex
    ntrkhwjcf
    krdstnxxi
    ufnaxpm
    rjjnrt
    epmkotx
    mixirbush
    hapxtt
    ciuis
    ndnjw
    djppqwbp
    tqrryvrk
    icwzjf
    gfoognwx
    qalat
    pbuekkkcd
    vagttxse
    ppecg
    ufstrqqp
    gkgjek
    rpgpwjb
    zbbxczlqj
    iujggp
    uirwouzux
    zwofj
    gxcorwrgl
    rserfjk
    
    File::
    c:\windows\Tasks\20090222_190400_radka.job
    c:\windows\Tasks\Norton Security Scan for radka.job
    c:\windows\DUMP72bc.tmp
    
    DDS::
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    
    Firefox::
    FF - ProfilePath - c:\documents and settings\radka\Data aplikací\Mozilla\Firefox\Profiles\9s8ngse5.default\
    FF - prefs.js: browser.search.selectedEngine - Yahoo
    FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=green ... =302398&p=
  • Save the created TXT as CFScript.txt
  • Drag the created CFScript.txt onto ComboFix and release it (see the picture below)
    [image]
  • After the script is applied (and after a possible restart) a log will pop up; paste its contents here
:arrow: It may happen that Windows does not boot after the script is applied; in that case restart the PC, press F8 and choose Last Known Good Configuration
"He who has wine and does not drink, who has grapes and does not eat them, who has a wife and does not kiss her, who shuns merriment, take a whip and a stick to him; that is not a man, that is an ox."

G0nzales
Visitor
Posts: 23
Registered: 17 Nov 2006 08:10

Re: Please check my log as a precaution, thank you :)

#5 Post by G0nzales »

I'd just like to point out that this isn't my PC; a friend invited me over saying her PC was infected and she needed help with it. When I saw that she didn't even have Service Pack 3, no firewall and no working antivirus program, I laughed a lot and it was immediately clear to me that it would be full of all kinds of vermin... my friend is already asleep, so I'd like to surprise her in the morning with a working and clean PC, which is why I thank you once again for the help... here is the log from CF:

ComboFix 10-11-03.04 - radka 05.11.2010 1:35.2.1 - x86
Systém Microsoft Windows XP Professional 5.1.2600.2.1250.420.1029.18.639.331 [GMT 1:00]
Spuštěný z: c:\documents and settings\radka\Plocha\ComboFix.exe
Použité ovládací přepínače :: c:\documents and settings\radka\Plocha\CFScript.txt
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

FILE ::
"c:\windows\DUMP72bc.tmp"
"c:\windows\Tasks\20090222_190400_radka.job"
"c:\windows\Tasks\Norton Security Scan for radka.job"

file zipped: c:\program files\7z457.exe
file zipped: c:\program files\ezcddax9.exe
.

((((((((((((((((((((((((((((((((((((((( Ostatní výmazy )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\7z457.exe
c:\program files\ezcddax9.exe
c:\windows\DUMP72bc.tmp
c:\windows\Tasks\20090222_190400_radka.job
c:\windows\Tasks\Norton Security Scan for radka.job

.
((((((((((((((((((((((((((((((((((((((( Ovladače/Služby )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_agsnhvm
-------\Service_ciuis
-------\Service_djppqwbp
-------\Service_epmkotx
-------\Service_gfoognwx
-------\Service_gkgjek
-------\Service_gxcorwrgl
-------\Service_hapxtt
-------\Service_icwzjf
-------\Service_inciex
-------\Service_iujggp
-------\Service_krdstnxxi
-------\Service_mixirbush
-------\Service_mjkwjaa
-------\Service_ndnjw
-------\Service_ntrkhwjcf
-------\Service_pbuekkkcd
-------\Service_ppecg
-------\Service_qalat
-------\Service_rjjnrt
-------\Service_rpgpwjb
-------\Service_rserfjk
-------\Service_tqrryvrk
-------\Service_ufnaxpm
-------\Service_ufstrqqp
-------\Service_uirwouzux
-------\Service_vagttxse
-------\Service_wkahh
-------\Service_xhzbly
-------\Service_zbbxczlqj
-------\Service_zwofj


((((((((((((((((((((((((( Soubory vytvořené od 2010-10-05 do 2010-11-05 )))))))))))))))))))))))))))))))
.

2010-11-04 22:17 . 2010-11-04 22:17 -------- d-----w- c:\documents and settings\radka\Data aplikací\Avira
2010-11-04 21:29 . 2010-11-04 21:32 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-11-04 20:21 . 2010-08-02 15:10 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-11-04 20:21 . 2010-08-02 15:10 126856 ----a-w- c:\windows\system32\drivers\avipbb.sys
2010-11-04 20:21 . 2010-06-17 14:27 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2010-11-04 20:21 . 2010-06-17 14:27 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2010-11-04 20:21 . 2010-11-04 20:21 -------- d-----w- c:\program files\Avira
2010-11-04 20:21 . 2010-11-04 20:21 -------- d-----w- c:\documents and settings\All Users\Data aplikací\Avira
2010-11-04 19:52 . 2010-11-04 19:52 -------- d-----w- c:\program files\trend micro
2010-11-04 19:52 . 2010-11-04 19:52 -------- d-----w- C:\rsit

.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-05 19:46 . 2010-09-05 19:46 1409 ----a-w- c:\windows\QTFont.for
2009-04-12 11:15 . 2009-04-12 11:15 32638800 ----a-w- c:\program files\setupcze.exe
2008-07-27 13:04 . 2008-07-27 13:04 1336031 ----a-w- c:\program files\wrar371cz.exe
2008-07-26 10:50 . 2008-07-26 10:50 13801120 ----a-w- c:\program files\jre-6u1-windows-i586-p.exe
2008-03-22 11:46 . 2008-03-22 16:29 13526432 ----a-w- c:\program files\RealPlayer10-5GOLD_rs.exe
2008-03-12 12:10 . 2008-03-12 12:12 70867 ----a-w- c:\program files\AlienWin2000-XP.exe
2008-03-12 12:03 . 2008-03-12 12:12 5901965 ----a-w- c:\program files\Setup_Moorhuhn-X-XS_V11.exe
2008-03-12 12:02 . 2008-03-12 12:12 4453696 ----a-w- c:\program files\moorhuhn3.exe
2007-04-24 08:45 . 2007-04-24 09:09 1390518 ----a-w- c:\program files\cdex_140b8_deu.exe
2001-06-14 21:18 . 2005-03-22 17:47 710656 ----a-w- c:\program files\MDVDP.exe
.

(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SiSUSBRG"="c:\windows\SiSUSBrg.exe" [2002-04-26 102400]
"B'sCLiP"="c:\progra~1\B'SCLI~1\Win2K\BSCLIP.exe" [2003-05-22 1310720]
"AGRSMMSG"="AGRSMMSG.exe" [2002-09-25 87751]
"FixCamera"="c:\windows\FixCamera.exe" [2007-02-10 20480]
"snpstd3"="c:\windows\vsnpstd3.exe" [2006-09-19 827392]
"tsnpstd3"="c:\windows\tsnpstd3.exe" [2007-03-10 270336]
"SearchSettings"="c:\program files\pdfforge Toolbar\SearchSettings.exe" [2010-01-08 974848]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-08-02 281768]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2004-08-17 15360]

c:\documents and settings\All Users\Nabídka Start\Programy\Po spuštění\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-4-5 113664]
InterVideo WinCinema Manager.lnk - c:\program files\InterVideo\Common\Bin\WinCinemaMgr.exe [2005-3-22 114688]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]
RAMASST.lnk - c:\windows\system32\RAMASST.exe [2005-3-22 155648]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Corel\\Graphics10\\Register\\NAVBrowser.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 BsStor;B.H.A Storage Helper Driver;c:\windows\system32\drivers\BsStor.sys [22.3.2005 18:28 9344]
R1 prodrv04;Star Force copy protection driver v4;c:\windows\system32\drivers\prodrv04.sys [4.1.2006 21:50 114496]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [4.11.2010 21:21 135336]
R2 Application Updater;Application Updater;c:\program files\Application Updater\ApplicationUpdater.exe [8.1.2010 0:51 380928]
R2 BsUDF;B.H.A UDF Filesystem;c:\windows\system32\drivers\BsUDF.sys [22.3.2005 18:28 389888]
.
.
------- Doplňkový sken -------
.
uStart Page = hxxp://www.kb.cz/
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
Trusted Zone: mojebanka.cz\etrading
Trusted Zone: mojebanka.cz\www
Trusted Zone: mojebanka.cz.
Trusted Zone: mojebanka.cz\etrading
Trusted Zone: mojebanka.cz\www
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\radka\Data aplikací\Mozilla\Firefox\Profiles\9s8ngse5.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.centrum.cz/
FF - component: c:\program files\pdfforge Toolbar\FF\components\pdfforgeToolbarFF.dll
FF - component: c:\program files\pdfforge Toolbar\SSFF\components\SearchSettingsFF.dll

---- NASTAVENÍ FIREFOXU ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified
c:\program files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".cz");
.
- - - - NEPLATNÉ POLOŽKY ODSTRANĚNÉ Z REGISTRU - - - -

URLSearchHooks-{E312764E-7706-43F1-8DAB-FCDD2B1E416D} - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-11-05 01:51
Windows 5.1.2600 Service Pack 2 NTFS

skenování skrytých procesů ...

skenování skrytých položek 'Po spuštění' ...

skenování skrytých souborů ...

sken byl úspešně dokončen
skryté soubory: 0

**************************************************************************
.
--------------------- Knihovny navázané na běžící procesy ---------------------

- - - - - - - > 'explorer.exe'(1836)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Jiné spuštené procesy ------------------------
.
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Belkin\Belkin Wireless Network Utility\WLService.exe
c:\program files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
c:\windows\system32\DVDRAMSV.exe
c:\program files\Avira\AntiVir Desktop\avshadow.exe
c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
c:\windows\AGRSMMSG.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Celkový čas: 2010-11-05 01:54:42 - počítač byl restartován
ComboFix-quarantined-files.txt 2010-11-05 00:54
ComboFix2.txt 2010-11-05 00:01

Před spuštěním: 5 817 044 992
Po spuštění: 5 792 161 792

- - End Of File - - 60C67B9AEFB4B95FAA4C48D2A44246ED

vyosek
VIP
Posts: 56373
Registered: 07 Nov 2006 15:24
Location: Šalingrad - Brno

Re: Please check my log as a precaution, thank you :)

#6 Post by vyosek »

:arrow: The log already looks clean, but we'll do a detailed rootkit scan, since there were more than enough of them

:arrow: Download SPTD http://www.duplexsecure.com/en/downloads
  • On that page choose the version matching your operating system (32-bit (x86) or 64-bit (x64))
  • Save it to the desktop and run it
  • Choose the Uninstall option and restart the PC - if it can't be clicked (the button will be greyed out), skip this step
:arrow: Download Defogger http://www.jpshortstuff.247fixes.com/Defogger.exe
  • Save it to the desktop and run it
  • Click Disable and restart the PC - if it can't be clicked (the button will be greyed out), skip this step
:arrow: Download MBR to the desktop http://www2.gmer.net/mbr/mbr.exe

:arrow: Click Start and then Run, or use the Win+R keyboard shortcut
  • A small window will pop up; copy the text below into it
  • Code:

    "%userprofile%\plocha\mbr" -t
  • Click OK
  • A log named mbr.txt will be created on the desktop; paste its contents here for me
:arrow: Post the logs from GMER - see my signature

G0nzales
Visitor
Posts: 23
Registered: 17 Nov 2006 08:10

Re: Please check my log as a precaution, thank you :)

#7 Post by G0nzales »

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.1 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD400BB-00DEA0 rev.05.03E05 -> \Device\Ide\IdeDeviceP0T0L0-3

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x833D31F8]<<
1 nt!IofCallDriver[0x804E3D45] -> \Device\Harddisk0\DR0[0x833AD7A8]
3 CLASSPNP[0xF89B005B] -> nt!IofCallDriver[0x804E3D45] -> \Device\00000062[0x8337BF18]
5 ACPI[0xF87FB620] -> nt!IofCallDriver[0x804E3D45] -> \Device\Ide\IdeDeviceP0T0L0-3[0x8337A940]
\Driver\atapi[0x8337DF38] -> IRP_MJ_CREATE -> 0x833D31F8
kernel: MBR read successfully
detected hooks:
\Driver\atapi -> 0x833d31f8
user & kernel MBR OK
Warning: possible MBR rootkit infection !


GMER 1.0.15.15507 - http://www.gmer.net
Rootkit quick scan 2010-11-05 07:56:57
Windows 5.1.2600 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 WDC_WD400BB-00DEA0 05.03E05
Running: gmer.exe; Driver: C:\DOCUME~1\radka\LOCALS~1\Temp\fgtiqpog.sys


---- System - GMER 1.0.15 ----

SSDT sptd.sys ZwEnumerateKey [0xF88AAFFE]
SSDT sptd.sys ZwEnumerateValueKey [0xF88AB38C]

---- Devices - GMER 1.0.15 ----

Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 833D31F8
Device \Driver\atapi \Device\Ide\IdePort0 833D31F8
Device \Driver\atapi \Device\Ide\IdePort1 833D31F8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e 833D31F8
Device 833D21F8
Device Ntfs.sys (NT File System Driver/Microsoft Corporation)
Device 82E40430
Device Fastfat.SYS (Fast FAT File System Driver/Microsoft Corporation)

AttachedDevice fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----


Unfortunately I didn't manage to get the log from the main scan, I have to run for the tram; I'll add it in the afternoon once the scan finishes.

vyosek
VIP
Posts: 56373
Registered: 07 Nov 2006 15:24
Location: Šalingrad - Brno

Re: Please check my log as a precaution, thank you :)

#8 Post by vyosek »

:arrow: OK, if it freezes on you, do it in Safe Mode...

:arrow: Isn't StarForce still on the PC? Because it looks like vermin in the MBR sector, but it could be caused by StarForce

G0nzales
Visitor
Posts: 23
Registered: 17 Nov 2006 08:10

Re: Please check my log as a precaution, thank you :)

#9 Post by G0nzales »

here is the log from the main GMER scan


GMER 1.0.15.15507 - http://www.gmer.net
Rootkit scan 2010-11-05 17:16:40
Windows 5.1.2600 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 WDC_WD400BB-00DEA0 05.03E05
Running: gmer.exe; Driver: C:\DOCUME~1\radka\LOCALS~1\Temp\fgtiqpog.sys


---- System - GMER 1.0.15 ----

SSDT F8FF4EEE ZwCreateKey
SSDT F8FF4EE4 ZwCreateThread
SSDT F8FF4EF3 ZwDeleteKey
SSDT F8FF4EFD ZwDeleteValueKey
SSDT sptd.sys ZwEnumerateKey [0xF88AAFFE]
SSDT sptd.sys ZwEnumerateValueKey [0xF88AB38C]
SSDT F8FF4F02 ZwLoadKey
SSDT sptd.sys ZwOpenKey [0xF8876A30]
SSDT F8FF4ED0 ZwOpenProcess
SSDT F8FF4ED5 ZwOpenThread
SSDT sptd.sys ZwQueryKey [0xF88AB464]
SSDT sptd.sys ZwQueryValueKey [0xF88AB2E4]
SSDT F8FF4F0C ZwReplaceKey
SSDT F8FF4F07 ZwRestoreKey
SSDT F8FF4EF8 ZwSetValueKey

INT 0x3B ? 82FC8CC8
INT 0x3B ? 82FC8CC8
INT 0x3B ? 82FC8CC8
INT 0x3E ? 833D3CC8
INT 0x3F ? 833D3CC8

---- Kernel code sections - GMER 1.0.15 ----

.text sptd.sys F883C000 28 Bytes [96, 1D, 6F, 80, E0, D0, 6E, ...]
.text sptd.sys F883C01D 3 Bytes [D0, 6E, 80] {SHR BYTE [ESI-0x80], 0x1}
.text sptd.sys F883C024 4 Bytes [0E, EE, 82, F8]
.text sptd.sys F883C02C 73 Bytes [0E, 24, 57, 80, 3E, 68, 59, ...]
.text sptd.sys F883C076 350 Bytes [58, 80, 50, D7, 57, 80, F6, ...]
.text ...
.sptd2 C:\WINDOWS\system32\drivers\sptd.sys entry point in ".sptd2" section [0xF8933D38]
? C:\WINDOWS\system32\drivers\sptd.sys Proces nemá přístup k souboru, neboť jej právě využívá jiný proces.
.text USBPORT.SYS!DllUnload F7B8962C 5 Bytes JMP 82FC81D8
.text C:\WINDOWS\system32\DRIVERS\lirsgt.sys section is writeable [0xF8D4F300, 0x1B7E, 0xE8000020]

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \WINDOWS\System32\Drivers\SCSIPORT.SYS[ntoskrnl.exe!DbgBreakPoint] 833A6308
IAT \WINDOWS\System32\DRIVERS\PCIIDEX.SYS[HAL.dll!WRITE_PORT_ULONG] [F883D574] sptd.sys
IAT \WINDOWS\System32\DRIVERS\PCIIDEX.SYS[HAL.dll!READ_PORT_UCHAR] [F883D0C0] sptd.sys
IAT \WINDOWS\System32\DRIVERS\PCIIDEX.SYS[HAL.dll!WRITE_PORT_UCHAR] [F883DFE0] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F883D0C0] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [F883D362] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [F883D2A4] sptd.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [F883E1BC] sptd.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [F883DFE0] sptd.sys
IAT \SystemRoot\System32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [F8852312] sptd.sys
IAT \SystemRoot\System32\DRIVERS\USBPORT.SYS[ntoskrnl.exe!DbgBreakPoint] 82FC8308

---- Devices - GMER 1.0.15 ----

Device 833D21F8
Device Ntfs.sys (NT File System Driver/Microsoft Corporation)
Device 82E40430
Device Fastfat.SYS (Fast FAT File System Driver/Microsoft Corporation)
Device 831F51F8
Device BsUDF.SYS (UDF File System Driver (WindowsXP)/B.H.A Co.,Ltd.)
Device Udfs.SYS (UDF File System Driver/Microsoft Corporation)
Device \Driver\usbohci \Device\USBPDO-0 832761F8
Device \Driver\usbehci \Device\USBPDO-1 82FB11F8
Device \Driver\usbohci \Device\USBPDO-2 832761F8
Device \Driver\prodrv04 \Device\ProDrv04 82C984A0
Device \Driver\usbohci \Device\USBPDO-3 832761F8
Device \Driver\Cdrom \Device\CdRom0 82FE4430
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 833D31F8
Device \Driver\atapi \Device\Ide\IdePort0 833D31F8
Device \Driver\atapi \Device\Ide\IdePort1 833D31F8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e 833D31F8
Device \Driver\NetBT \Device\NetBt_Wins_Export 830871F8
Device \Driver\NetBT \Device\NetbiosSmb 830871F8
Device ACPI.sys (ACPI Driver for NT/Microsoft Corporation)
Device \Driver\NetBT \Device\NetBT_Tcpip_{001FA87F-4DD4-406E-B2FB-EAB0EFD5A6B5} 830871F8
Device \Driver\usbohci \Device\USBFDO-0 832761F8
Device \Driver\usbohci \Device\USBFDO-1 832761F8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 82EA11F8
Device \Driver\usbohci \Device\USBFDO-2 832761F8
Device \Driver\usbehci \Device\USBFDO-3 82FB11F8
Device \FileSystem\Cdfs \Cdfs 82F4C1F8
Device \FileSystem\Cdfs \Cdfs BsUDF.SYS (UDF File System Driver (WindowsXP)/B.H.A Co.,Ltd.)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792

---- EOF - GMER 1.0.15 ----

vyosek
VIP
Posts: 56373
Registered: 07 Nov 2006 15:24
Location: Šalingrad - Brno

Re: Please check my log as a precaution, thank you :)

#10 Post by vyosek »

:arrow: Download SystemLook (see my signature) and save it to the desktop
  • Paste the script below into the window
  • Code:

    :filefind
    atapi.sys
  • Click Look
  • The Look button will change to Scanning and turn grey
  • Wait until the Scanning button changes back to Look - that's how you'll know SystemLook has finished its work
  • A log named SystemLook will pop up (or it will be saved on the desktop); paste its contents here for me

G0nzales
Visitor
Posts: 23
Registered: 17 Nov 2006 08:10

Re: Please check my log as a precaution, thank you :)

#11 Post by G0nzales »

Log from SystemLook:

SystemLook 04.09.10 by jpshortstuff
Log created at 20:02 on 05/11/2010 by radka
Administrator - Elevation successful

========== filefind ==========

Searching for "atapi.sys "
C:\WINDOWS\$NtServicePackUninstall$\atapi.sys -----c- 86912 bytes [16:25 22/03/2005] [23:27 28/08/2002] 95B858761A00E1D4F81F79A0DA019ACA
C:\WINDOWS\ERDNT\cache\atapi.sys --a---- 95360 bytes [23:59 04/11/2010] [21:59 03/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
C:\WINDOWS\ServicePackFiles\i386\atapi.sys ------- 95360 bytes [16:35 22/03/2005] [21:59 03/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
C:\WINDOWS\system32\drivers\atapi.sys --a---- 95360 bytes [23:27 28/08/2002] [21:59 03/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51

-= EOF =-
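mbr.exe reported a hook in \Driver\atapi, which is why the helper asked for every copy of atapi.sys on the disk. The check below is an added example (my own code, not from the thread, from SystemLook or from GMER): it parses SystemLook's filefind lines and compares the live driver in system32\drivers against the reference copies Windows keeps. In the log above the live file has the same size and MD5 as the ServicePackFiles\i386 and ERDNT\cache copies, while the $NtServicePackUninstall$ copy is a smaller, older build, so a mismatch there is expected rather than evidence of tampering. The caveat a defender needs: a kernel-level hook on the disk driver can return the original bytes to any file-system read, so identical hashes only show what the file system presents, not that the hook warning was a false alarm. The input is a constructed excerpt in SystemLook's format with the values from the log above; function names are the example's own.

```python
"""Compare copies of a driver reported by SystemLook's ':filefind' output.

Added example, not part of the thread, of SystemLook or of GMER. It assumes
the one-line-per-file format seen above:
<path> <7 attribute flags> <size> bytes [created] [modified] <MD5>
"""
import re
from collections import defaultdict

# Constructed excerpt in SystemLook 'filefind' format; sizes, timestamps and
# hashes are the ones shown in the thread's log.
SAMPLE_LOG = r"""
========== filefind ==========

Searching for "atapi.sys "
C:\WINDOWS\$NtServicePackUninstall$\atapi.sys -----c- 86912 bytes [16:25 22/03/2005] [23:27 28/08/2002] 95B858761A00E1D4F81F79A0DA019ACA
C:\WINDOWS\ERDNT\cache\atapi.sys --a---- 95360 bytes [23:59 04/11/2010] [21:59 03/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
C:\WINDOWS\ServicePackFiles\i386\atapi.sys ------- 95360 bytes [16:35 22/03/2005] [21:59 03/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
C:\WINDOWS\system32\drivers\atapi.sys --a---- 95360 bytes [23:27 28/08/2002] [21:59 03/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51

-= EOF =-
"""

LINE_RE = re.compile(
    r'^(?P<path>[A-Za-z]:\\.+?)\s+(?P<attrs>[-a-zA-Z]{7})\s+(?P<size>\d+) bytes'
    r'\s+\[(?P<created>[^\]]+)\]\s+\[(?P<modified>[^\]]+)\]\s+(?P<md5>[0-9A-Fa-f]{32})$')


def parse_filefind(text):
    """One dict per file line SystemLook reported (header and EOF lines are skipped)."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d['size'] = int(d['size'])
            d['md5'] = d['md5'].upper()
            entries.append(d)
    return entries


def compare_live_copy(entries, live_suffix=r'\system32\drivers\atapi.sys'):
    """Return (live_md5, {reference_path: (same_hash, size)}).

    The live driver is the entry whose path ends with live_suffix; every other
    entry is a reference copy compared against it by MD5.
    """
    live = next(e for e in entries if e['path'].lower().endswith(live_suffix.lower()))
    comparison = {}
    for e in entries:
        if e is live:
            continue
        comparison[e['path']] = (e['md5'] == live['md5'], e['size'])
    return live['md5'], comparison


def hash_groups(entries):
    """MD5 -> list of paths carrying that hash; one group means all copies agree."""
    groups = defaultdict(list)
    for e in entries:
        groups[e['md5']].append(e['path'])
    return dict(groups)


if __name__ == '__main__':
    found = parse_filefind(SAMPLE_LOG)
    live_md5, result = compare_live_copy(found)
    print('live MD5:', live_md5)
    for path, (same, size) in result.items():
        print(f'{"match   " if same else "MISMATCH"} {size:>6} bytes  {path}')
```

A mismatch against a reference copy of the same size and build date would be the interesting case; a mismatch against a copy of a different size, as with the pre-service-pack file here, only says the two are different versions.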

vyosek
VIP
Posts: 56373
Registered: 07 Nov 2006 15:24
Location: Šalingrad - Brno

Re: Please check my log as a precaution, thank you :)

#12 Post by vyosek »

:arrow: If you haven't already, move ComboFix to the desktop
  • Open Notepad (Start - Run - notepad)
  • Copy the script below
  • Code:

    FCopy::
    C:\WINDOWS\$NtServicePackUninstall$\atapi.sys | C:\WINDOWS\system32\drivers\atapi.sys
    
    MBR::
  • Save the created TXT as CFScript.txt
  • Drag the created CFScript.txt onto ComboFix and release it (see the picture below)
    [image]
  • After the script is applied (and after a possible restart) a log will pop up; paste its contents here
:arrow: It may happen that Windows does not boot after the script is applied; in that case restart the PC, press F8 and choose Last Known Good Configuration

:arrow: Click Start and then Run, or use the Win+R keyboard shortcut
  • A small window will pop up; copy the text below into it
  • Code:

    "%userprofile%\plocha\mbr" -t
  • Click OK
  • A log named mbr.txt will be created on the desktop; paste its contents here for me
