V C-čku som našiel zaujmavú zložku (meno nepametám), zaujímalo ma čo to je a tak som googlil. Na rozných forách som sa dozvedel, že to je rootkit a tiež, že to vymaže Combofix. Pri zapnuti Combofixu mi naskočilo, že sa našiel Rootkit a system sa musí reštartovať. Niečo potom vymazal a zložka tam už nie je. Podľa toho čo som tu čital, combofix nie je sranda a tak by som bol rad, kebyže sa mi pozriete na log.
Predom ďakujem
ComboFix 11-04-29.04 - Patrik 30.04.2011 21:37:38.2.1 - x86
Systém Microsoft Windows XP Professional 5.1.2600.3.1250.420.1029.18.1022.750 [GMT 2:00]
Spuštěný z: c:\documents and settings\Patrik\Plocha\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
.
((((((((((((((((((((((((((((((((((((((( Ostatní výmazy )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Patrik\WINDOWS
.
.
((((((((((((((((((((((((( Soubory vytvořené od 2011-03-28 do 2011-04-30 )))))))))))))))))))))))))))))))
.
.
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-07 02:08 . 2011-03-07 02:08 93552 ----a-w- c:\windows\system32\ElbyCDIO.dll
2011-03-07 00:52 . 2011-03-07 00:52 134512 ----a-w- c:\windows\system32\ElbyVCD.dll
.
.
(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-04-18 17:25 122512 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-09-29 344064]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2004-09-29 28672]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-04-18 3460784]
"SoundMan"="SOUNDMAN.EXE" [2004-07-01 67584]
"OODefragTray"="c:\program files\OO Software\Defrag\oodtray.exe" [2011-01-25 2781000]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"VirtualCloneDrive"="c:\program files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" [2011-03-07 89456]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2004-09-29 28672]
.
c:\documents and settings\All Users\Nabˇdka Start\Programy\Po spuçtŘnˇ\
ATI CATALYST System Tray.lnk - c:\program files\ATI Technologies\ATI.ACE\CLI.exe [2004-9-29 28672]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0OODBS
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OODefragTray]
2011-01-25 09:41 2781000 ----a-w- c:\program files\OO Software\Defrag\oodtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
2011-04-26 10:09 1242448 ----a-w- c:\program files\Valve\Steam\Steam.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2011-04-20 15:57 2423752 ----a-w- c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wuauserv"=2 (0x2)
"wscsvc"=2 (0x2)
"SysmonLog"=3 (0x3)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\ufko20\\counter-strike\\hl.exe"=
.
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [26.4.2011 12:02 441176]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [26.4.2011 12:02 307288]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [17.2.2010 20:25 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [10.5.2010 20:41 67656]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [26.4.2011 12:02 19544]
R2 OODefragAgent;O&O Defrag Agent;c:\program files\OO Software\Defrag\oodag.exe [25.1.2011 11:41 2398536]
R2 organiserservice;organiser database;c:\progra~1\VIVIDW~1\ORGANI~1.EXE -zglaxservice organiserservice --> c:\progra~1\VIVIDW~1\ORGANI~1.EXE -zglaxservice organiserservice [?]
R3 ip100xp;ASUS NX1001 Network Adapter NT Driver;c:\windows\system32\drivers\ipfnd51.sys [26.4.2011 11:51 26752]
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-30 21:44
Windows 5.1.2600 Service Pack 3 NTFS
.
skenování skrytých procesů ...
.
skenování skrytých položek 'Po spuštění' ...
.
skenování skrytých souborů ...
.
sken byl úspešně dokončen
skryté soubory: 0
.
**************************************************************************
.
--------------------- ZAMKNUTÉ KLÍČE V REGISTRU ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10p_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10p_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\System*]
"OODEFRAG14.00.00.01PROFESSIONAL"="732E8735BEE85E81B22DB1230860E66525AB26A72E22F74F3A723C329FCB0EBE8E59E7E2797118705EE7E48F8F9F677F8B3E761572AF38E539D0AB73976EBCC06C793B417B10C2E9C64DF06C6CF16A5D4AD12449CFB15F78B3EE47738692B5FA5944FC80D72EC3642A4346FBF2FE999B3197BA3C79AC03E5A969D480A2B718B1A6664D63E4EA60AA4D20FE17B9A187A894356CFBE7571C64A1523FFC6392E57DABFD6CC03C964559F33056AAFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74C5D575E7D6A3B98088EDD5E5BE2F6E667FEBC9E127BECC74C8EDD5E5BE2F6E6673F00C8469888E850816F307106D9091AF42C1C928758F7428052C0FBF4933731A150ACEF22BCB793579635FCD3BF03D72521612246B277869DC86E4BC3920F5804E765974A4EC0B076513872C322E2D6B48FFAFC4B48A98AE3019E4483713460F535CA4CFE13A07991A73B6734043DFB173C355D8467BDE7289D866755EB8A37CDD89D7432D615CF9DD7264588DC49BD0323405367D6834C83F5BE08DCB69B6024A57E485AD781AAD553C34BA69AE32BF2713140E94FEFF9CF96464E457617F056A575D46F4AEB9737404409799A8CE1270A00DB09FD9B442EBDFB3637C5CD130515EAF97054003384773A65EF34E697A20388B0C403C39583DF280EE5B2B58696632F6E5E928CB1C3071E9A7C2C3B932C288C9D1F744A6B78A472FA863EE81C343674B8BE11045BBFAE4A3596C07434CF773055A0D9B157F6E66874D0DE253A49E550B69CD4FE0A8666FD193721A367DAA27ADDD4B2A47D3136FBC67F7F4CDB877F3D9904D5B5ADE8575E79DEF17CB26291D8924B6D70971A578111D67D640FE5C29964067D0949FD5DF0E18E49562E3DDD1C24977004F26A3F33C6992B17F59A2428723B2B7B74200B222FCDB62D0685567791529575F09D9B30B08FCEB24726CC8FEEB9B1335A6D274014A636A1FA9BFD05B496287E07F44C76E90821A9CC4797595AA2D8FBBAC7288015A83FF760218A403603697B3E74E36D6250D010648397740B14D9C4E8D5BE790EE637169F7D660817BB10EB33E329DDDCC0012181A41033A837E61F4A024A252A767B0A345E31A3A86A43F6984F9875732E463B29B7F94D2F339FC3DBF8E1E4ECF15C02AE303CB99137A0E3B206E1C68F78AA5FF60D80DA71369D8C2D2D4E7B2C791D5332A60FD6CD55B8A05B1EE7C4737EADB2973A05DA92726AF8E0D58C108F2FF57579B9E26B2A76123D7FEDC2CAB0A440814F1A1DB10C9D862B2EEC4F2E183993034EA4A74CCAD1A46E21133E942FD448B7724710A3A9F0636ADFAFF94515C294BD92E47FB1A7A3DD8ED36DD8C52CFB9FE66CA3D9DA0E2AE8A156A1A829ADFA0F09B9BE41B709AC9E194220C66236099547BB552CE7AC"
.
--------------------- Knihovny navázané na běžící procesy ---------------------
.
- - - - - - - > 'winlogon.exe'(640)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\Ati2evxx.dll
.
Celkový čas: 2011-04-30 21:46:50
ComboFix-quarantined-files.txt 2011-04-30 19:46
.
Před spuštěním: Volných bajtů: 91 134 025 728
Po spuštění: Volných bajtů: 91 102 744 576
.
- - End Of File - - 60A0A2EF2570022C7AC8799BD7EF3DB4
Přispějete na provoz fóra?