VIRY.CZ

Pomáháme v boji s počítačovou havěti!
https://forum.viry.cz:443/

MSE hlasi vir - Security Tool

https://forum.viry.cz:443/viewtopic.php?t=100037

Stránka 2 z 3

Re: MSE hlasi vir - Security Tool

Napsal: 14 dub 2010 18:57
od pupupaj
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x82425AC8]<<
kernel: MBR read successfully
user & kernel MBR OK

Re: MSE hlasi vir - Security Tool

Napsal: 14 dub 2010 19:29
od pupupaj
Diky!

Provedla jsem. Ted mi to jeste hlasi, ze MS Security Essential ma zapnuty rezidencni stitek a ze ho mam vypnout, nebo budou nepredvidane vysledky ci poskozeni pC. Mam to ignorovat?

Re: MSE hlasi vir - Security Tool

Napsal: 14 dub 2010 21:15
od pupupaj
ComboFix 10-04-12.06 - Marquise 2010-04-14 21:49:29.4.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1250.1.1029.18.502.169 [GMT 2:00]
Spuštěný z: c:\documents and settings\Marquise\Plocha\abraka.com
Použité ovládací přepínače :: c:\docume~1\Marquise\Plocha\CFScript.txt
AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
FW: Outpost Firewall Pro *disabled* {8A20CA2A-9E02-4A64-923B-0A38208EB7FD}

FILE ::
"c:\windows\system32\youm_3.dll"
.

((((((((((((((((((((((((((((((((((((((( Ostatní výmazy )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\youm_3.dll

Nakažená kopie c:\windows\system32\drivers\atapi.sys byla nalezena a vyléčena.
Obnovena kopie z - c:\windows\erdnt\cache\atapi.sys

.
((((((((((((((((((((((((( Soubory vytvořené od 2010-03-14 do 2010-04-14 )))))))))))))))))))))))))))))))
.

2010-04-14 17:44 . 2010-04-14 17:44 77312 ----a-w- C:\mbr.exe
2010-04-13 14:33 . 2010-04-13 14:33 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache

.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-14 19:14 . 2006-12-17 18:47 16128 ----a-w- c:\windows\system32\drivers\APPDRV.SYS
2010-04-14 10:56 . 2010-01-19 21:09 -------- d-----w- c:\program files\Conduit
2010-04-13 15:05 . 2004-09-16 16:58 460202 ----a-w- c:\windows\system32\perfh005.dat
2010-04-13 15:05 . 2004-09-16 16:58 91760 ----a-w- c:\windows\system32\perfc005.dat
2010-03-10 19:06 . 2009-11-26 21:59 -------- d-----w- c:\program files\Microsoft Security Essentials
2010-02-25 06:18 . 2004-09-16 16:58 916480 ------w- c:\windows\system32\wininet.dll
2010-02-24 09:16 . 2009-11-26 22:01 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-12 10:03 . 2010-03-05 19:43 293376 ------w- c:\windows\system32\browserchoice.exe
2007-08-05 13:27 . 2007-08-05 13:27 262 ----a-w- c:\program files\xrmxgsuh.txt
.

(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-12-13 98304]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-12-13 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-12-13 118784]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2006-11-01 1392640]
"DAEMON Tools"="c:\program files\DAEMON Tools\daemon.exe" [2005-11-08 128920]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 282624]
"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-02-21 1093208]
"tbhSystray"="c:\program files\tbh\base\bin\tbhSystray.exe" [2010-04-14 492840]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Nabídka Start^Programy^Po spuštění^Windows Search.lnk]
path=c:\documents and settings\All Users\Nabídka Start\Programy\Po spuštění\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell QuickSet]
2006-08-03 18:51 1032192 ----a-w- c:\program files\Dell\QuickSet\quickset.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 03:22 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2007-04-29 22:39 5674352 ----a-w- c:\program files\MSN Messenger\MsnMsgr.Exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ModemOnHold"=c:\program files\NetWaiting\netWaiting.exe
"MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" /background
"Skype"="c:\program files\Skype\Phone\Skype.exe" /nosplash /minimized

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe"
"Lexmark X1100 Series"="c:\program files\Lexmark X1100 Series\lxbkbmgr.exe"
"NeroFilterCheck"=c:\windows\system32\NeroCheck.exe
"PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe"
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe"
"SunJavaUpdateSched"=c:\program files\Java\jre1.5.0_06\bin\jusched.exe
"SynTPEnh"=c:\program files\Synaptics\SynTP\SynTPEnh.exe
"WinampAgent"=c:\program files\Winamp\winampa.exe
"ISUSPM Startup"=c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" -start

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\MSN Messenger\\MsnMsgr.Exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Software\\strongDC\\StrongDC.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\tbh\\base\\bin\\tbhDaemon.exe"=
"c:\\Program Files\\tbh\\monitor\\bin\\tbhMonitor.exe"=
"c:\\Program Files\\BitLord2\\BitLord.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5191:TCP"= 5191:TCP:The Browser Highlighter XCOM

R2 tbhMonitor.exe;The Browser Highlighter Monitor;c:\program files\tbh\monitor\bin\tbhMonitor.exe [2009-10-22 70952]
S1 drlmidxb;drlmidxb;\??\c:\windows\system32\drivers\drlmidxb.sys --> c:\windows\system32\drivers\drlmidxb.sys [?]
S1 iiflfanv;iiflfanv;\??\c:\windows\system32\drivers\iiflfanv.sys --> c:\windows\system32\drivers\iiflfanv.sys [?]
S1 qamhdntz;qamhdntz;\??\c:\windows\system32\drivers\qamhdntz.sys --> c:\windows\system32\drivers\qamhdntz.sys [?]
S1 rjkodvpz;rjkodvpz;\??\c:\windows\system32\drivers\rjkodvpz.sys --> c:\windows\system32\drivers\rjkodvpz.sys [?]
S1 vamsenlp;vamsenlp;\??\c:\windows\system32\drivers\vamsenlp.sys --> c:\windows\system32\drivers\vamsenlp.sys [?]
S1 zpldxcuu;zpldxcuu;\??\c:\windows\system32\drivers\zpldxcuu.sys --> c:\windows\system32\drivers\zpldxcuu.sys [?]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [2006-12-30 664064]
.
Obsah adresáře 'Naplánované úlohy'

2010-04-14 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Essentials\MpCmdRun.exe [2009-12-09 17:02]
.
.
------- Doplňkový sken -------
.
uInternet Connection Wizard,ShellNext = hxxp://www1.euro.dell.com/content/default.aspx?c=cz&l=cs&s=bsd
uSearchAssistant = hxxp://search.qip.ru/ie
uSearchURL,(Default) = hxxp://search.qip.ru/search?query=%s&from=IE
IE: E&xportovat do aplikace Microsoft Office Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: {DEB21AD3-FDA4-42F6-B57D-EE696A675EE8} - hxxp://asp08.photoprintit.de/microsite/4860/defaults/activex/IPSUploader.cab
FF - ProfilePath - c:\documents and settings\Marquise\Data aplikací\Mozilla\Firefox\Profiles\ax69x9om.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.seznam.cz/
FF - prefs.js: keyword.URL - hxxp://search.qip.ru/search?from=FF&query=
FF - component: c:\documents and settings\Marquise\Data aplikací\Mozilla\Firefox\Profiles\ax69x9om.default\extensions\browserhighlighter@ebay.com\components\Shim.dll
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPOJI610.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- NASTAVENÍ FIREFOXU ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".cz");
.
- - - - NEPLATNÉ POLOŽKY ODSTRANĚNÉ Z REGISTRU - - - -

BHO-{7c5c0f58-e061-457d-9033-77307f5ed00c} - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-14 21:56
Windows 5.1.2600 Service Pack 3 NTFS

skenování skrytých procesů ...

skenování skrytých položek 'Po spuštění' ...

skenování skrytých souborů ...

sken byl úspešně dokončen
skryté soubory: 0

**************************************************************************
.
--------------------- Knihovny navázané na běžící procesy ---------------------

- - - - - - - > 'winlogon.exe'(840)
c:\windows\System32\BCMLogon.dll

- - - - - - - > 'explorer.exe'(2092)
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Jiné spuštené procesy ------------------------
.
c:\program files\Microsoft Security Essentials\MsMpEng.exe
c:\windows\System32\WLTRYSVC.EXE
c:\windows\System32\bcmwltry.exe
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\windows\system32\DRIVERS\CDANTSRV.EXE
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\windows\system32\SearchIndexer.exe
c:\program files\tbh\base\bin\tbhDaemon.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\system32\igfxsrvc.exe
c:\windows\stsystra.exe
.
**************************************************************************
.
Celkový čas: 2010-04-14 22:04:43 - počítač byl restartován
ComboFix-quarantined-files.txt 2010-04-14 20:04
ComboFix2.txt 2010-04-13 15:11

Před spuštěním: 3,694,206,976
Po spuštění: 3,663,507,456

- - End Of File - - EFA8951AF9E417C8F704328ED86492F3

Re: MSE hlasi vir - Security Tool

Napsal: 14 dub 2010 21:18
od pupupaj
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit quick scan 2010-04-14 22:17:40
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\Marquise\LOCALS~1\Temp\uxtdapod.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

---- EOF - GMER 1.0.15 ----

Re: MSE hlasi vir - Security Tool

Napsal: 15 dub 2010 08:51
od pupupaj
Dobre ranko!

Jak se dari?

Takze...tady je ten novy log mbr:

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x82425AC8]<<
kernel: MBR read successfully
user & kernel MBR OK



A jdu zkusit jeste jednou ten gmer scan dle tech puvodnich instrukci:-)

L.

Re: MSE hlasi vir - Security Tool

Napsal: 15 dub 2010 10:16
od pupupaj
Tady je vysledek rozsahlleho scanu. (Neni to malo? Tentokrat to trvalo podezrele kratkou dobu...necelou hodinu...)

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-04-15 11:04:00
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\Marquise\LOCALS~1\Temp\uxtdapod.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

Device \FileSystem\Fastfat \Fat A9044D20

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x23 0xA3 0x36 0xBF ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x59 0xBB 0x6E 0xD3 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x90 0xDC 0x86 0x0A ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x23 0xA3 0x36 0xBF ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x59 0xBB 0x6E 0xD3 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x90 0xDC 0x86 0x0A ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x23 0xA3 0x36 0xBF ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x59 0xBB 0x6E 0xD3 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x90 0xDC 0x86 0x0A ...

---- EOF - GMER 1.0.15 ----

Re: MSE hlasi vir - Security Tool

Napsal: 15 dub 2010 11:27
od pupupaj
Deamon Tool ani Alcohol nemuzu odistalovat, nebot je nemuzu v seznamu CCleaner najit.

Stahla jsem SPTD, spustila, ale nabidlo mi to pouze moznost Install. (Na Unistall nemuzu kliknout.)

Tady je log :

defogger_disable by jpshortstuff (23.02.10.1)
Log created at 12:24 on 15/04/2010 (Marquise)

Checking for autostart values...
HKCU\~\Run values retrieved.
HKLM\~\Run values retrieved.
HKLM:DAEMON Tools -> Removed

Checking for services/drivers...
SPTD -> Already disabled


-=E.O.F=-


A ted jdu jeste jednou na Combofix.

Re: MSE hlasi vir - Security Tool

Napsal: 15 dub 2010 12:06
od pupupaj
Tady je novy log z CF.
(Pokud mam neco delat s tim SPTD, dej vedet pls:-))

ComboFix 10-04-12.06 - Marquise 2010-04-15 12:55:46.5.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1250.1.1029.18.502.74 [GMT 2:00]
Spuštěný z: c:\documents and settings\Marquise\Plocha\abraka.com
AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
FW: Outpost Firewall Pro *disabled* {8A20CA2A-9E02-4A64-923B-0A38208EB7FD}
.

((((((((((((((((((((((((( Soubory vytvořené od 2010-03-15 do 2010-04-15 )))))))))))))))))))))))))))))))
.

2010-04-14 17:44 . 2010-04-14 17:44 77312 ----a-w- C:\mbr.exe
2010-04-13 14:33 . 2010-04-13 14:33 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache

.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-14 19:14 . 2006-12-17 18:47 16128 ----a-w- c:\windows\system32\drivers\APPDRV.SYS
2010-04-14 10:56 . 2010-01-19 21:09 -------- d-----w- c:\program files\Conduit
2010-04-13 15:05 . 2004-09-16 16:58 460202 ----a-w- c:\windows\system32\perfh005.dat
2010-04-13 15:05 . 2004-09-16 16:58 91760 ----a-w- c:\windows\system32\perfc005.dat
2010-03-10 19:06 . 2009-11-26 21:59 -------- d-----w- c:\program files\Microsoft Security Essentials
2010-03-10 06:17 . 2004-09-16 16:58 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-02-25 06:18 . 2004-09-16 16:58 916480 ------w- c:\windows\system32\wininet.dll
2010-02-24 13:11 . 2006-12-17 18:22 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-24 08:16 . 2009-11-26 22:01 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-16 19:08 . 2004-09-16 16:58 2148352 ------w- c:\windows\system32\ntoskrnl.exe
2010-02-16 19:08 . 2004-08-17 15:45 2026496 ------w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 10:03 . 2010-03-05 19:43 293376 ------w- c:\windows\system32\browserchoice.exe
2010-02-12 04:35 . 2004-09-16 16:58 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 12:02 . 2004-09-16 16:58 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
2007-08-05 13:27 . 2007-08-05 13:27 262 ----a-w- c:\program files\xrmxgsuh.txt
.

(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-12-13 98304]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-12-13 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-12-13 118784]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2006-11-01 1392640]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 282624]
"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-02-21 1093208]
"tbhSystray"="c:\program files\tbh\base\bin\tbhSystray.exe" [2010-04-15 492840]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Nabídka Start^Programy^Po spuštění^Windows Search.lnk]
path=c:\documents and settings\All Users\Nabídka Start\Programy\Po spuštění\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell QuickSet]
2006-08-03 18:51 1032192 ----a-w- c:\program files\Dell\QuickSet\quickset.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 03:22 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2007-04-29 22:39 5674352 ----a-w- c:\program files\MSN Messenger\MsnMsgr.Exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ModemOnHold"=c:\program files\NetWaiting\netWaiting.exe
"MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" /background
"Skype"="c:\program files\Skype\Phone\Skype.exe" /nosplash /minimized

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe"
"Lexmark X1100 Series"="c:\program files\Lexmark X1100 Series\lxbkbmgr.exe"
"NeroFilterCheck"=c:\windows\system32\NeroCheck.exe
"PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe"
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe"
"SunJavaUpdateSched"=c:\program files\Java\jre1.5.0_06\bin\jusched.exe
"SynTPEnh"=c:\program files\Synaptics\SynTP\SynTPEnh.exe
"WinampAgent"=c:\program files\Winamp\winampa.exe
"ISUSPM Startup"=c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" -start

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\MSN Messenger\\MsnMsgr.Exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Software\\strongDC\\StrongDC.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\tbh\\base\\bin\\tbhDaemon.exe"=
"c:\\Program Files\\tbh\\monitor\\bin\\tbhMonitor.exe"=
"c:\\Program Files\\BitLord2\\BitLord.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5191:TCP"= 5191:TCP:The Browser Highlighter XCOM

R2 tbhMonitor.exe;The Browser Highlighter Monitor;c:\program files\tbh\monitor\bin\tbhMonitor.exe [2009-10-22 70952]
S1 drlmidxb;drlmidxb;\??\c:\windows\system32\drivers\drlmidxb.sys --> c:\windows\system32\drivers\drlmidxb.sys [?]
S1 iiflfanv;iiflfanv;\??\c:\windows\system32\drivers\iiflfanv.sys --> c:\windows\system32\drivers\iiflfanv.sys [?]
S1 qamhdntz;qamhdntz;\??\c:\windows\system32\drivers\qamhdntz.sys --> c:\windows\system32\drivers\qamhdntz.sys [?]
S1 rjkodvpz;rjkodvpz;\??\c:\windows\system32\drivers\rjkodvpz.sys --> c:\windows\system32\drivers\rjkodvpz.sys [?]
S1 vamsenlp;vamsenlp;\??\c:\windows\system32\drivers\vamsenlp.sys --> c:\windows\system32\drivers\vamsenlp.sys [?]
S1 zpldxcuu;zpldxcuu;\??\c:\windows\system32\drivers\zpldxcuu.sys --> c:\windows\system32\drivers\zpldxcuu.sys [?]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [2006-12-30 664064]
.
Obsah adresáře 'Naplánované úlohy'

2010-04-15 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Essentials\MpCmdRun.exe [2009-12-09 17:02]
.
.
------- Doplňkový sken -------
.
uInternet Connection Wizard,ShellNext = hxxp://www1.euro.dell.com/content/default.aspx?c=cz&l=cs&s=bsd
uSearchAssistant = hxxp://search.qip.ru/ie
uSearchURL,(Default) = hxxp://search.qip.ru/search?query=%s&from=IE
IE: E&xportovat do aplikace Microsoft Office Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: {DEB21AD3-FDA4-42F6-B57D-EE696A675EE8} - hxxp://asp08.photoprintit.de/microsite/4860/defaults/activex/IPSUploader.cab
FF - ProfilePath - c:\documents and settings\Marquise\Data aplikací\Mozilla\Firefox\Profiles\ax69x9om.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.seznam.cz/
FF - prefs.js: keyword.URL - hxxp://search.qip.ru/search?from=FF&query=
FF - component: c:\documents and settings\Marquise\Data aplikací\Mozilla\Firefox\Profiles\ax69x9om.default\extensions\browserhighlighter@ebay.com\components\Shim.dll
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPOJI610.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- NASTAVENÍ FIREFOXU ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".cz");
.
.
------- Asociace souborů -------
.
.scr=AutoCADScriptFile
.

**************************************************************************
skenování skrytých procesů ...

skenování skrytých položek 'Po spuštění' ...

skenování skrytých souborů ...

sken byl úspešně dokončen
skryté soubory:

**************************************************************************
.
--------------------- Knihovny navázané na běžící procesy ---------------------

- - - - - - - > 'winlogon.exe'(840)
c:\windows\System32\BCMLogon.dll

- - - - - - - > 'explorer.exe'(2944)
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Celkový čas: 2010-04-15 13:02:45
ComboFix-quarantined-files.txt 2010-04-15 11:02
ComboFix2.txt 2010-04-14 20:04
ComboFix3.txt 2010-04-13 15:11

Před spuštěním: 3,338,571,776
Po spuštění: 3,364,040,704

- - End Of File - - 753413790CF8B73A00BFEE3DA8075FC7

Re: MSE hlasi vir - Security Tool

Napsal: 15 dub 2010 13:01
od JaRon
pokial sa objavi kolega, aby si nebola len tak volnepohodena, otestuj na www.virustotal.com nasledovne subory:
c:\windows\system32\drivers\drlmidxb.sys
c:\windows\system32\drivers\iiflfanv.sys
c:\windows\system32\drivers\qamhdntz.sys
c:\windows\system32\drivers\rjkodvpz.sys
c:\windows\system32\drivers\vamsenlp.sys
c:\windows\system32\drivers\zpldxcuu.sys

Re: MSE hlasi vir - Security Tool

Napsal: 15 dub 2010 13:38
od pupupaj
Hlasi mi to, ze ani jeden ze souboru, ktere jsem zadala k otestovani, nebyl nalezen...?

Re: MSE hlasi vir - Security Tool

Napsal: 15 dub 2010 13:44
od JaRon
pouzi postup k CFSCript ako minule, novy obsah:

Kód: Vybrat vše

Driver::
drlmidxb
iiflfanv
qamhdntz
rjkodvpz
vamsenlp
zpldxcuu

Re: MSE hlasi vir - Security Tool

Napsal: 15 dub 2010 13:53
od pupupaj
A jeste abych nezapomnela, tady je mbr:

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK

Re: MSE hlasi vir - Security Tool

Napsal: 15 dub 2010 13:55
od pupupaj
A druhy mbr:

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
kernel: MBR read successfully
user & kernel MBR OK

Re: MSE hlasi vir - Security Tool

Napsal: 15 dub 2010 14:15
od pupupaj
A tady je novy log z CF:

ComboFix 10-04-12.06 - Marquise 2010-04-15 15:01:08.6.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1250.1.1029.18.502.229 [GMT 2:00]
Spuštěný z: c:\documents and settings\Marquise\Plocha\abraka.com
Použité ovládací přepínače :: c:\docume~1\Marquise\Plocha\CFScript.txt
AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
FW: Outpost Firewall Pro *disabled* {8A20CA2A-9E02-4A64-923B-0A38208EB7FD}
.

((((((((((((((((((((((((((((((((((((((( Ostatní výmazy )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Ovladače/Služby )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_drlmidxb
-------\Service_iiflfanv
-------\Service_qamhdntz
-------\Service_rjkodvpz
-------\Service_vamsenlp
-------\Service_zpldxcuu


((((((((((((((((((((((((( Soubory vytvořené od 2010-03-15 do 2010-04-15 )))))))))))))))))))))))))))))))
.

2010-04-15 10:54 . 2010-04-15 11:02 -------- d-----w- C:\abraka
2010-04-14 17:44 . 2010-04-14 17:44 77312 ----a-w- C:\mbr.exe
2010-04-13 14:33 . 2010-04-13 14:33 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache

.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-14 19:14 . 2006-12-17 18:47 16128 ----a-w- c:\windows\system32\drivers\APPDRV.SYS
2010-04-14 10:56 . 2010-01-19 21:09 -------- d-----w- c:\program files\Conduit
2010-04-13 15:05 . 2004-09-16 16:58 460202 ----a-w- c:\windows\system32\perfh005.dat
2010-04-13 15:05 . 2004-09-16 16:58 91760 ----a-w- c:\windows\system32\perfc005.dat
2010-03-10 19:06 . 2009-11-26 21:59 -------- d-----w- c:\program files\Microsoft Security Essentials
2010-03-10 06:17 . 2004-09-16 16:58 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-02-25 06:18 . 2004-09-16 16:58 916480 ------w- c:\windows\system32\wininet.dll
2010-02-24 13:11 . 2006-12-17 18:22 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-24 08:16 . 2009-11-26 22:01 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-16 19:08 . 2004-09-16 16:58 2148352 ------w- c:\windows\system32\ntoskrnl.exe
2010-02-16 19:08 . 2004-08-17 15:45 2026496 ------w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 10:03 . 2010-03-05 19:43 293376 ------w- c:\windows\system32\browserchoice.exe
2010-02-12 04:35 . 2004-09-16 16:58 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 12:02 . 2004-09-16 16:58 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
2007-08-05 13:27 . 2007-08-05 13:27 262 ----a-w- c:\program files\xrmxgsuh.txt
.

(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-12-13 98304]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-12-13 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-12-13 118784]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2006-11-01 1392640]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 282624]
"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-02-21 1093208]
"tbhSystray"="c:\program files\tbh\base\bin\tbhSystray.exe" [2010-04-15 492840]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Nabídka Start^Programy^Po spuštění^Windows Search.lnk]
path=c:\documents and settings\All Users\Nabídka Start\Programy\Po spuštění\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell QuickSet]
2006-08-03 18:51 1032192 ----a-w- c:\program files\Dell\QuickSet\quickset.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 03:22 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2007-04-29 22:39 5674352 ----a-w- c:\program files\MSN Messenger\MsnMsgr.Exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ModemOnHold"=c:\program files\NetWaiting\netWaiting.exe
"MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" /background
"Skype"="c:\program files\Skype\Phone\Skype.exe" /nosplash /minimized

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe"
"Lexmark X1100 Series"="c:\program files\Lexmark X1100 Series\lxbkbmgr.exe"
"NeroFilterCheck"=c:\windows\system32\NeroCheck.exe
"PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe"
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe"
"SunJavaUpdateSched"=c:\program files\Java\jre1.5.0_06\bin\jusched.exe
"SynTPEnh"=c:\program files\Synaptics\SynTP\SynTPEnh.exe
"WinampAgent"=c:\program files\Winamp\winampa.exe
"ISUSPM Startup"=c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" -start

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\MSN Messenger\\MsnMsgr.Exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Software\\strongDC\\StrongDC.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\tbh\\base\\bin\\tbhDaemon.exe"=
"c:\\Program Files\\tbh\\monitor\\bin\\tbhMonitor.exe"=
"c:\\Program Files\\BitLord2\\BitLord.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5191:TCP"= 5191:TCP:The Browser Highlighter XCOM

R2 tbhMonitor.exe;The Browser Highlighter Monitor;c:\program files\tbh\monitor\bin\tbhMonitor.exe [2009-10-22 70952]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [2006-12-30 664064]
.
Obsah adresáře 'Naplánované úlohy'

2010-04-15 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Essentials\MpCmdRun.exe [2009-12-09 17:02]
.
.
------- Doplňkový sken -------
.
uInternet Connection Wizard,ShellNext = hxxp://www1.euro.dell.com/content/default.aspx?c=cz&l=cs&s=bsd
uSearchAssistant = hxxp://search.qip.ru/ie
uSearchURL,(Default) = hxxp://search.qip.ru/search?query=%s&from=IE
IE: E&xportovat do aplikace Microsoft Office Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: {DEB21AD3-FDA4-42F6-B57D-EE696A675EE8} - hxxp://asp08.photoprintit.de/microsite/4860/defaults/activex/IPSUploader.cab
FF - ProfilePath - c:\documents and settings\Marquise\Data aplikací\Mozilla\Firefox\Profiles\ax69x9om.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.seznam.cz/
FF - prefs.js: keyword.URL - hxxp://search.qip.ru/search?from=FF&query=
FF - component: c:\documents and settings\Marquise\Data aplikací\Mozilla\Firefox\Profiles\ax69x9om.default\extensions\browserhighlighter@ebay.com\components\Shim.dll
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPOJI610.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- NASTAVENÍ FIREFOXU ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".cz");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-15 15:08
Windows 5.1.2600 Service Pack 3 NTFS

skenování skrytých procesů ...

skenování skrytých položek 'Po spuštění' ...

skenování skrytých souborů ...

sken byl úspešně dokončen
skryté soubory: 0

**************************************************************************
.
--------------------- Knihovny navázané na běžící procesy ---------------------

- - - - - - - > 'winlogon.exe'(848)
c:\windows\System32\BCMLogon.dll

- - - - - - - > 'explorer.exe'(2912)
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Jiné spuštené procesy ------------------------
.
c:\program files\Microsoft Security Essentials\MsMpEng.exe
c:\windows\System32\WLTRYSVC.EXE
c:\windows\System32\bcmwltry.exe
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\windows\system32\DRIVERS\CDANTSRV.EXE
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\windows\system32\SearchIndexer.exe
c:\program files\tbh\base\bin\tbhDaemon.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\system32\igfxsrvc.exe
c:\windows\stsystra.exe
.
**************************************************************************
.
Celkový čas: 2010-04-15 15:12:52 - počítač byl restartován
ComboFix-quarantined-files.txt 2010-04-15 13:12
ComboFix2.txt 2010-04-15 11:02
ComboFix3.txt 2010-04-14 20:04
ComboFix4.txt 2010-04-13 15:11

Před spuštěním: 3,363,835,904
Po spuštění: 3,336,028,160

- - End Of File - - AD57675AFE401BDD563FAC8E5FADF7EF

Re: MSE hlasi vir - Security Tool

Napsal: 15 dub 2010 15:21
od pupupaj
Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Verze databáze: 3991

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

2010-04-15 16:20:20
mbam-log-2010-04-15 (16-20-20).txt

Typ skenu: Rychlý sken
Skenované objekty: 111441
Uplynulý čas: 7 minuta(y), 39 sekunda(y)

Infikované procesy v paměti: 0
Infikované moduly v paměti: 0
Infikované klíče registru: 0
Infikované hodnoty registru: 0
Infikované datové položky registru: 1
Infikované složky: 0
Infikované soubory: 2

Infikované procesy v paměti:
(Žádné škodlivé položky nebyly zjištěny)

Infikované moduly v paměti:
(Žádné škodlivé položky nebyly zjištěny)

Infikované klíče registru:
(Žádné škodlivé položky nebyly zjištěny)

Infikované hodnoty registru:
(Žádné škodlivé položky nebyly zjištěny)

Infikované datové položky registru:
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\Marquise\Local Settings\Data aplikací\ave.exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode) Good: (firefox.exe -safe-mode) -> No action taken.

Infikované složky:
(Žádné škodlivé položky nebyly zjištěny)

Infikované soubory:
C:\WINDOWS\dllcfg04.exe (Malware.Packer) -> No action taken.
C:\Documents and Settings\Marquise\Nabídka Start\Programy\Security Tool.LNK (Rogue.SecurityTool) -> No action taken.
Všechny časy jsou v UTC+01:00
Stránka 2 z 3

Založeno na phpBB® Forum Software © phpBB Limited

Český překlad – phpBB.cz