vytižení CPU

[vyosek]

PROSIM CTETE DUKLADNE NAVOD - TATO UTILITA MA VELKOU SCHOPNOST MAZAT A JE NUTNE JI APLIKOVAT JEN NA DOPORUCENI, JINAK VAM MUZE JIT SYSTEM DO KYTEK
Stahnete a ulozte na plochu Combofix http://download.bleepingcomputer.com/sUBs/ComboFix.exe

• Vypnete vsechny rezidentni bezpecnostní programy - firewally, antiviry, antispywary apod.
• Vložte do PC vsechny USB klice (flash disky, ext.disky apod.)
• Pokud mate Win XP spustte pod uctem Spravce\Administratora
• Pokud mate Win Vista ci Win 7, kliknete na Combofix pravym a dejte Run As Administrator ci Spustit jako spravce
• Ihned po startu se zobrazi stranka s licencnim ujednanim, pokracujte kliknutim na Ano
• Pokud Vam CF nabidne instalaci Konzoly pro zotaveni, tak souhlaste
• Dale postupujte dle pokynu, behem scanu nechte PC naprosto v klidu - nespoustejte zadne aplikace a neklikejte do zobrazujiciho se okna
• Scan by mel trvat cca 10 min, ale pokud bude PC hodne zaneseno, muze se cas prodlouzit
• Po dokonceni skenu a pripadnem restartu CF zobrazi log, pripadne jej najdete zde C:\ComboFix.txt, jeho obsah sem vlozte

[jamet]

ComboFix 10-09-01.04 - hallkiller 02.09.2010 19:44:40.1.1 - x86
Microsoft Windows 7 Ultimate 6.1.7600.0.1250.420.1029.18.3067.2214 [GMT 2:00]
Spuštěný z: c:\users\hallkiller\Desktop\ComboFix.exe
* Rezidentní štít AV je zapnutý

.

((((((((((((((((((((((((((((((((((((((( Ostatní výmazy )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\FlashGet Network
c:\program files\FlashGet Network\FlashGet universal\fgoption.ini
c:\program files\FlashGet Network\FlashGet universal\P2PCfg.ini
c:\program files\FlashGet Network\FlashGet universal\p2spmgr.ini
c:\program files\FlashGet Network\FlashGet universal\p4spmgr.ini
c:\program files\FlashGet Network\FlashGet universal\Profiles\config.dat
c:\program files\FlashGet Network\FlashGet universal\Profiles\tasks.dat
c:\programdata\page
c:\programdata\page\page.ico
c:\programdata\page\page.URL
c:\users\hallkiller\AppData\Roaming\BITS
c:\users\hallkiller\AppData\Roaming\BITS\BITS.ini
c:\users\hallkiller\AppData\Roaming\BITS\DHTTable.dat
c:\users\hallkiller\AppData\Roaming\BITS\ProxyList.ini
c:\users\hallkiller\AppData\Roaming\BITS\Torrent\20091230223213.torrent
c:\users\hallkiller\AppData\Roaming\BITS\Torrent\20091230223213.torrent.bits
c:\users\hallkiller\AppData\Roaming\BITS\Torrent\20091230223213.torrent.filelist
c:\users\hallkiller\AppData\Roaming\BITS\Torrent\20091230223213.torrent.hybridlist
c:\users\hallkiller\AppData\Roaming\BITS\Torrent\20100130223430.torrent
c:\users\hallkiller\AppData\Roaming\BITS\Torrent\20100130223430.torrent.bits
c:\users\hallkiller\AppData\Roaming\BITS\Torrent\20100130223430.torrent.filelist
c:\users\hallkiller\AppData\Roaming\BITS\Torrent\20100130223430.torrent.hybridlist
c:\users\hallkiller\AppData\Roaming\BITS\UPnP.ini
c:\users\hallkiller\AppData\Roaming\Microsoft\Windows\Recent\EXTRA CENY - Pouta s kožíškem.url
c:\windows\system32\system.sys

.
((((((((((((((((((((((((( Soubory vytvořené od 2010-08-02 do 2010-09-02 )))))))))))))))))))))))))))))))
.

2010-09-02 18:00 . 2010-09-02 18:01 -------- d-----w- c:\users\hallkiller\AppData\Local\temp
2010-09-02 18:00 . 2010-09-02 18:00 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-09-01 19:01 . 2010-09-01 19:29 -------- d-----w- c:\program files\VS Revo Group
2010-09-01 18:59 . 2010-09-01 18:59 -------- d-----w- c:\users\hallkiller\AppData\Roaming\DVDVideoSoftIEHelpers
2010-09-01 18:45 . 2010-09-01 18:59 -------- d-----w- c:\program files\Common Files\DVDVideoSoft
2010-09-01 18:45 . 2010-09-01 18:58 -------- d-----w- c:\program files\DVDVideoSoft
2010-09-01 15:31 . 2010-09-01 15:31 -------- d-----w- C:\_OTM
2010-08-31 18:21 . 2010-09-01 07:19 -------- d-----w- c:\program files\trend micro
2010-08-31 18:21 . 2010-08-31 19:24 -------- d-----w- C:\rsit
2010-08-29 21:32 . 2010-08-29 21:32 -------- d-----w- c:\users\hallkiller\AppData\Local\2K Games
2010-08-28 20:36 . 2010-08-29 09:09 -------- d-----w- c:\program files\Garena
2010-08-12 17:22 . 2010-08-12 18:28 -------- d-----w- c:\program files\StepMania
2010-08-12 05:39 . 2010-08-12 06:12 -------- d-----w- c:\programdata\Blizzard Entertainment
2010-08-12 05:39 . 2010-08-12 05:55 -------- d-----w- c:\program files\Common Files\Blizzard Entertainment
2010-08-11 18:09 . 2010-08-11 18:12 -------- d-----w- c:\program files\Valve
2010-08-10 09:46 . 2010-08-10 12:06 -------- d-----w- c:\users\hallkiller\AppData\Roaming\WindSolutions
2010-08-10 09:46 . 2010-08-10 12:06 -------- d-----w- c:\programdata\WindSolutions

.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-01 15:17 . 2010-04-07 14:58 -------- d-----w- c:\programdata\Lavasoft
2010-09-01 07:59 . 2009-11-03 18:38 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-09-01 04:10 . 2009-07-14 02:37 -------- d-----w- c:\program files\Windows Mail
2010-09-01 04:10 . 2009-11-03 18:34 -------- d-----w- c:\users\hallkiller\AppData\Roaming\vlc
2010-09-01 04:10 . 2009-11-03 18:38 -------- d-----w- c:\program files\AGEIA Technologies
2010-09-01 04:08 . 2010-06-24 11:15 -------- d-----w- c:\program files\NVIDIA Corporation
2010-08-29 21:08 . 2009-11-12 14:26 -------- d-----w- c:\users\hallkiller\AppData\Roaming\uTorrent
2010-08-29 11:02 . 2009-11-03 19:00 -------- d-----w- c:\program files\Java
2010-08-22 20:00 . 2009-11-03 19:15 -------- d-----w- c:\users\hallkiller\AppData\Roaming\dvdcss
2010-08-15 08:34 . 2009-11-12 14:36 -------- d-----w- c:\program files\uTorrent
2010-08-12 06:33 . 2010-08-12 06:33 47364 ----a-w- c:\programdata\Blizzard Entertainment\Battle.net\Cache\Download\Scan.dll
2010-08-10 15:18 . 2010-08-02 17:57 -------- d-----w- c:\program files\Uniblue
2010-08-10 12:06 . 2010-08-10 12:06 3156136 ----a-w- c:\users\hallkiller\AppData\Roaming\WindSolutions\CopyTransControlCenter\Applications\iCloner.exe
2010-08-10 09:51 . 2010-08-10 09:51 6437560 ----a-w- c:\users\hallkiller\AppData\Roaming\WindSolutions\CopyTransControlCenter\Applications\CopyTransManager.exe
2010-08-10 09:47 . 2010-08-10 09:47 5443752 ----a-w- c:\users\hallkiller\AppData\Roaming\WindSolutions\CopyTransControlCenter\Applications\CopyTrans.exe
2010-08-10 09:46 . 2010-08-10 09:46 2671840 ----a-w- c:\users\hallkiller\AppData\Roaming\WindSolutions\CopyTransControlCenter\Applications\CopyTransControlCenter.exe
2010-08-09 19:40 . 2010-01-13 14:17 -------- d-----w- c:\programdata\Codemasters
2010-08-02 18:50 . 2010-08-02 17:39 -------- d-----w- c:\users\hallkiller\AppData\Roaming\Uniblue
2010-08-02 17:29 . 2009-11-06 15:46 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-08-01 11:20 . 2010-01-10 17:23 -------- d-----w- c:\program files\Microsoft Silverlight
2010-07-24 14:13 . 2010-07-24 14:13 -------- d-----w- c:\users\hallkiller\AppData\Roaming\Xilisoft
2010-07-24 14:13 . 2010-07-24 14:13 -------- d-----w- c:\program files\Xilisoft
2010-07-24 14:09 . 2010-07-24 14:09 -------- d-----w- c:\users\hallkiller\AppData\Roaming\TuneAid
2010-07-23 18:58 . 2010-07-23 18:58 -------- d-----w- c:\program files\iTunes
2010-07-23 18:58 . 2010-07-23 18:58 -------- d-----w- c:\program files\iPod
2010-07-23 18:58 . 2009-11-03 18:55 -------- d-----w- c:\program files\Common Files\Apple
2010-07-23 18:53 . 2010-07-23 18:53 -------- d-----w- c:\program files\QuickTime
2010-07-23 18:52 . 2010-07-23 18:52 -------- d-----w- c:\program files\Bonjour
2010-07-21 14:30 . 2010-07-21 14:30 73000 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 9.2.1.5\SetupAdmin.exe
2010-07-17 03:00 . 2010-05-11 19:23 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-10 11:46 . 2010-07-07 14:39 -------- d-----r- c:\program files\Skype
2010-07-07 16:39 . 2010-07-07 14:40 -------- d-----w- c:\users\hallkiller\AppData\Roaming\Skype
2010-07-07 14:41 . 2010-07-07 14:41 56 ---ha-w- c:\programdata\ezsidmv.dat
2010-07-07 14:41 . 2010-07-07 14:41 -------- d-----w- c:\users\hallkiller\AppData\Roaming\skypePM
2010-07-07 14:39 . 2010-07-07 14:39 -------- d-----w- c:\program files\Common Files\Skype
2010-07-07 14:39 . 2010-07-07 14:39 -------- d-----w- c:\programdata\Skype
2010-07-07 13:09 . 2010-07-01 07:06 -------- d-----w- c:\users\hallkiller\AppData\Roaming\GetRightToGo
2010-06-06 09:43 . 2010-06-06 09:43 81920 ----a-w- c:\users\hallkiller\AppData\Roaming\ezpinst.exe
2010-06-06 09:43 . 2010-06-06 09:43 81920 ----a-w- c:\users\hallkiller\AppData\Roaming\ezpinst.exe
2010-06-06 09:43 . 2010-06-06 09:43 47360 ----a-w- c:\windows\system32\drivers\pcouffin.sys
2010-06-06 09:43 . 2010-06-06 09:43 47360 ----a-w- c:\users\hallkiller\AppData\Roaming\pcouffin.sys
2010-06-06 09:43 . 2010-06-06 09:43 47360 ----a-w- c:\users\hallkiller\AppData\Roaming\pcouffin.sys
2009-06-10 21:26 . 2009-07-14 02:04 9633792 --sha-r- c:\windows\Fonts\StaticCache.dat
2009-07-14 01:14 . 2009-07-13 23:42 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe
.

(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-07-14 1173504]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2009-09-11 2054360]
"PLFSetI"="c:\windows\PLFSetI.exe" [2007-10-23 200704]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-06-18 1537320]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"WrtMon.exe"="c:\windows\system32\spool\drivers\w32x86\3\WrtMon.exe" [2006-09-20 20480]
"DefragTaskBar"="c:\program files\Ashampoo\Ashampoo Magical Defrag 2\bin\defragTaskBar.exe" [2008-10-09 173408]
"Startup Protector"="c:\program files\Startup Protector\StartupProtector.exe" [2007-07-22 1921024]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer"=wdmaud.drv
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ePower_DMC]
2008-09-23 07:40 413696 ----a-w- c:\program files\Acer\Empowering Technology\ePower\ePower_DMC.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2006-10-26 23:47 31016 ----a-w- d:\programy\office 2007\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MultiScreen]
2009-08-11 11:57 303104 ----a-w- c:\program files\MultiScreen\MultiScreen.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2009-08-19 14:24 13793824 ----a-w- c:\windows\System32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpwareSE4]
2007-06-13 09:39 73728 ----a-w- c:\program files\ScanSoft\OmniPageSE4\OpWareSE4.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue RegistryBooster 2]
2007-08-16 07:02 99608 ----a-w- c:\program files\Uniblue\RegistryBooster 2\StartRegistryBooster.exe

R3 DAUpdaterSvc;Dragon Age: Prameny - aktualizace obsahu;d:\hry\Dragon Age\bin_ship\DAUpdaterSvc.Service.exe [2009-12-15 25832]
R3 GGSAFERDriver;GGSAFER Driver;c:\program files\Garena\plugins\UI\safedrv.sys [x]
R3 JMCR;JMCR;c:\windows\system32\DRIVERS\jmcr.sys [2009-11-12 84240]
R3 netw5v32;Intel(R) Wireless WiFi Link 5000 Series – ovladač adaptéru pro 32bitový systém Windows Vista;c:\windows\system32\DRIVERS\netw5v32.sys [2009-07-13 4231168]
R3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [2009-07-13 14336]
R4 sptd;sptd;c:\windows\system32\Drivers\sptd.sys [2009-11-04 691696]
S1 ehdrv;ehdrv;c:\windows\system32\DRIVERS\ehdrv.sys [2009-09-11 108792]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
S2 ekrn;ESET Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [2009-09-11 735960]
S2 epfwwfp;epfwwfp;c:\windows\system32\DRIVERS\epfwwfp.sys [2009-09-11 38240]
S2 ETService;Empowering Technology Service;c:\program files\Acer\Empowering Technology\Service\ETService.exe [2008-08-19 24576]
S3 ATSwpWDF;AuthenTec TruePrint USB WBF WDF Driver;c:\windows\system32\Drivers\ATSwpWDF.sys [2009-12-03 625224]
S3 Ltn_stk7070P;PCTV LITEON TT1260 based TV tuner device;c:\windows\system32\DRIVERS\Ltn_stk7070P.sys [2009-05-22 542976]
S3 NETw5s32;Ovladač adaptéru Intel(R) Wireless WiFi Link pro systém Windows 7 32 Bit;c:\windows\system32\DRIVERS\NETw5s32.sys [2009-09-15 6114816]
S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2009-05-11 64544]
S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x86.sys [2009-09-28 315392]


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Obsah adresáře 'Naplánované úlohy'

2010-06-07 c:\windows\Tasks\AWC AutoSweep.job
- d:\programy\Advanced SystemCare 3\AutoSweep.exe [2010-06-06 13:35]

2010-06-07 c:\windows\Tasks\AWC Startup.job
- d:\programy\Advanced SystemCare 3\AWC.exe [2010-06-06 12:45]
.
.
------- Doplňkový sken -------
.
uStart Page = www.google.cz
uInternet Settings,ProxyOverride = *.local
IE: E&xportovat do aplikace Microsoft Excel - d:\programy\OFFICE~1\Office12\EXCEL.EXE/3000
IE: Free YouTube to Mp3 Converter - c:\users\hallkiller\AppData\Roaming\DVDVideoSoftIEHelpers\youtubetomp3.htm
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
FF - ProfilePath - c:\users\hallkiller\AppData\Roaming\Mozilla\Firefox\Profiles\wnv849ln.default\
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\users\hallkiller\AppData\Local\Google\Update\1.2.183.29\npGoogleOneClick8.dll

---- NASTAVENÍ FIREFOXU ----
c:\program files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".cz");
.
- - - - NEPLATNÉ POLOŽKY ODSTRANĚNÉ Z REGISTRU - - - -

WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)


.
--------------------- ZAMKNUTÉ KLÍČE V REGISTRU ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Celkový čas: 2010-09-02 20:10:52
ComboFix-quarantined-files.txt 2010-09-02 18:10

Před spuštěním: Volných bajtů: 77 192 359 936
Po spuštění: Volných bajtů: 77 123 723 264

- - End Of File - - 26293FD22C84D0699DEDA4AA1ED678F9

[vyosek]

Nastala nejaka zmena

[jamet]

bohužel ne

[vyosek]

Stahnete Malwarebytes' Anti-Malware (zkracene MBAM) (viz muj podpis)

• Provedte aktualizaci - treti zalozka
• Provedte uplny sken - nic nemazte
• MBAM miva obcas falesne detekce, proto vlozte log do prispevku a pockejte na posouzeni

[jamet]

tady to je


Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Verze databáze: 4534

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

3.9.2010 19:03:35
mbam-log-2010-09-03 (19-03-35).txt

Typ skenu: Úplný sken (C:\|D:\|)
Skenované objekty: 570331
Uplynulý čas: 3 hodina(y), 40 minuta(y), 50 sekunda(y)

Infikované procesy v paměti: 0
Infikované moduly v paměti: 0
Infikované klíče registru: 0
Infikované hodnoty registru: 0
Infikované datové položky registru: 0
Infikované složky: 0
Infikované soubory: 2

Infikované procesy v paměti:
(Žádné škodlivé položky nebyly zjištěny)

Infikované moduly v paměti:
(Žádné škodlivé položky nebyly zjištěny)

Infikované klíče registru:
(Žádné škodlivé položky nebyly zjištěny)

Infikované hodnoty registru:
(Žádné škodlivé položky nebyly zjištěny)

Infikované datové položky registru:
(Žádné škodlivé položky nebyly zjištěny)

Infikované složky:
(Žádné škodlivé položky nebyly zjištěny)

Infikované soubory:
D:\hry\Dragon Age\Keygen.exe (Trojan.Downloader) -> No action taken.
D:\hry\Dragon Age\bin_ship\Keygen.exe (Trojan.Downloader) -> No action taken.

[vyosek]

Vse smazat

No nic, standartni havet tam neni, jdem na rootkity...
Odinstalujte vsechny emulatory virtualnich jednotek (Deamon Tools, Alcohol 120%)

Stahnete SPTD http://www.duplexsecure.com/en/downloads

• Vyberte z uvedene stranky verzi dle sveho operacniho systemu (32(x86)bit ci 64(x64)bit)
• Ulozte na plochu a spustte
• Zvolte moznost Uninstall a restartujte PC - pokud nepujde kliknout (tlacitko bude sede), krok preskocte

Stahnete Defogger http://www.jpshortstuff.247fixes.com/Defogger.exe

• Ulozte na plochu a spustte
• Kliknete na Disable a restartujte PC - pokud nepujde kliknout (tlacitko bude sede), krok preskocte

Stahnete MBR na plochu http://www2.gmer.net/mbr/mbr.exe

Kliknete na Start a pote Spustit, pripadne pouzijte klavesou zkratku Win+R

• Vyskoci na Vas okenko, do ktereho zkopirujte text nize

• Kód: Vybrat vše

  "%userprofile%\plocha\mbr" -t

• Kliknete na OK
• Na plose se Vam vytvori log s nazvem mbr.txt, jeho obsah mi sem vlozte

Dejte logy z Gmeru - viz muj podpis

[jamet]

ahoj, tak jsem použil SPDT a Defoger a zdá se mi to ještě horší bojím se už použít MBR , a to se to po smazaní pomocí Anti Malvare o hodně zlepšilo, použiji tedy ten MBR a vložím tu logy

[vyosek]

SPTD ani Deffoger by nemeli vliv na rychlost PC, pouze odinstaluji ovladac co pouzivaji virtzualni mechaniky, aby nezkresloval log z mbr. Mbr je pouze skener, stejne jako gmer

[jamet]

ahoj,
lod z MBR jsem tou cestou kterou jsi mi napsal nenašel, vyskočilo upozornění, že dané umístění již není k dispozici, ale přímo na plochu se mi uložil tenhle minilog:

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK

[jamet]

pro lepší přehlednost přikládám logy z GMERu zde:


GMER 1.0.15.15281 - http://www.gmer.net
Rootkit quick scan 2010-09-05 15:41:17
Windows 6.1.7600
Running: gmer.exe; Driver: C:\Users\HALLKI~1\AppData\Local\Temp\uxlyiuod.sys


---- System - GMER 1.0.15 ----

Code 891CCC4C ZwTraceEvent
Code 891CCC4B NtTraceEvent

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET)
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\fastfat \Fat eamon.sys (Amon monitor/ESET)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----






a nyní ten větší


GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-09-06 16:53:47
Windows 6.1.7600
Running: gmer.exe; Driver: C:\Users\HALLKI~1\AppData\Local\Temp\uxlyiuod.sys


---- System - GMER 1.0.15 ----

INT 0x1F \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 83C41AF8
INT 0x37 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 83C41104
INT 0xC1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 83C413F4
INT 0xD1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 83C29634
INT 0xD2 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 83C29898
INT 0xDF \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 83C411DC
INT 0xE1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 83C41958
INT 0xE3 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 83C416F8
INT 0xFD \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 83C41F2C
INT 0xFE \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 83C421A8

Code 896A0C4C ZwTraceEvent
Code 896A0C4B NtTraceEvent

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!NtTraceEvent 83849E34 5 Bytes JMP 896A0C50
.text ntkrnlpa.exe!ZwSaveKeyEx + 13AD 8385A599 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 8387EF52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
PAGE ntkrnlpa.exe!ZwAlpcSendWaitReceivePort + 2 83A8C0E5 5 Bytes JMP 896A0E30
PAGE ntkrnlpa.exe!NtRequestWaitReplyPort + 2 83A8DB0D 5 Bytes JMP 896A0D90
PAGE ntkrnlpa.exe!NtRequestPort + 2 83AA1D73 5 Bytes JMP 896A0CF0
.text win32k.sys!XFORMOBJ_iGetXform + 331A 9B124C57 5 Bytes JMP 896A0610
.text win32k.sys!EngAllocMem + 7E47 9B135142 5 Bytes JMP 896A0750
.text win32k.sys!PATHOBJ_bEnum + 7A2F 9B14782E 5 Bytes JMP 896A06B0
.text win32k.sys!PATHOBJ_bEnum + 8714 9B148513 5 Bytes JMP 896A0930
.text win32k.sys!EngCreateSemaphore + CB9F 9B16638F 5 Bytes JMP 896A09D0
.text win32k.sys!EngCreateSemaphore + CEDB 9B1666CB 5 Bytes JMP 896A0570
.text win32k.sys!EngCopyBits + 1F22 9B1689B4 3 Bytes JMP 896A04D0
.text win32k.sys!EngCopyBits + 1F26 9B1689B8 1 Byte [EE]
.text win32k.sys!EngBitBlt + 23D2 9B17179D 2 Bytes JMP 896A0430
.text win32k.sys!EngBitBlt + 23D5 9B1717A0 2 Bytes [52, EE] {PUSH EDX; OUT DX, AL }
.text win32k.sys!EngLpkInstalled + 6119 9B187842 5 Bytes JMP 896A0A70
.text win32k.sys!PATHOBJ_vGetBounds + EB7 9B205C81 5 Bytes JMP 896A0890
.text win32k.sys!EngCTGetCurrentGamma + 1C7A 9B209C9C 5 Bytes JMP 896A07F0
.text win32k.sys!CLIPOBJ_cEnumStart + 6CE0 9B2155A5 5 Bytes JMP 896A0B10
.text win32k.sys!CLIPOBJ_cEnumStart + 71E8 9B215AAD 5 Bytes JMP 896A0BB0
.text peauth.sys A4612C9D 28 Bytes [84, 92, F1, EB, 96, 39, 9C, ...]
.text peauth.sys A4612CC1 28 Bytes [84, 92, F1, EB, 96, 39, 9C, ...]
PAGE peauth.sys A4618B9B 1 Byte [49]
PAGE peauth.sys A4618B9B 9 Bytes [49, E4, 87, A3, B3, A5, BB, ...] {DEC ECX; IN AL, 0x87; MOV [0xcfbba5b3], EAX; INC EDX}
PAGE peauth.sys A4618BA9 1 Byte [AC]
PAGE ...

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\ESET\ESET Smart Security\ekrn.exe[400] kernel32.dll!SetUnhandledExceptionFilter 762F3142 4 Bytes [C2, 04, 00, 00]

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Windows\Explorer.EXE[1928] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [73C62494] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1928] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [73C45624] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1928] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [73C456E2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1928] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [73C6250F] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1928] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [73C58573] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1928] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [73C54D27] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1928] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [73C550CE] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1928] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [73C551A3] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1928] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromHBITMAP] [73C566D0] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1928] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [73C582CA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1928] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [73C58819] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1928] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [73C5907A] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1928] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [73C5E21D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1928] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [73C54C59] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET)

Device \Driver\ACPI_HAL \Device\000000cf halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\fastfat \Fat eamon.sys (Amon monitor/ESET)

---- Threads - GMER 1.0.15 ----

Thread System [4:3584] A4729F2E

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\001fe2f626d4
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\001fe2f626d4@f81edf01ad02 0x2F 0x77 0x62 0xF1 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\001fe2f626d4@001d28c9f74c 0x99 0xA3 0x17 0xAF ...
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\001fe2f626d4@60d0a984eccc 0x03 0x57 0xFB 0xD1 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\LanmanServer\Linkage@Bind ????????Microsoft???????????? ???????m?????m?m???????m??6to4mp.ndi?E65???????????e??IO???????????2??\D???????????h??sy??6to4mp.ndi?l?l??6to4mp.ndi?sp_??? ?????????????????????1????????????????????????el??ip??? ?????????????????????-?????????????????f??? ?????????????????????1??L????????? ????????v??? ?????????????????????1????????????&????????????????????8??? ?????????????????????1??????????????????????z??????}??De???????????9??6-??? ?????????????????????-??????????????????????sD46??6.1.7600.16385?E4E???????&??? ??????????????x???? ?????????????????????-?????????????????f??? ?????????????????????1??L????????? ???????AB??????????????????????? ?????????????????????1????????????&????????????????????.??????????? ?????????????????????1????????????????????????????? ?????????????????????1????????z???????????? ???????????????????g?1????????.???????????? ???????0???????????????????????????????????????????????s??????????????????????????????????? ?????????????????????1????????????????????? ?????????????????????1???????
Reg HKLM\SYSTEM\CurrentControlSet\services\LanmanServer\Linkage@Route ?????B??? ?????????????????????1??????*?8??? ???????? ??????????? ?????????????????????1????????????&????????????????????"??? ?????????????????????1??????*?8??? ???????????????????????????????de??????I????3??????????{3cbadd38-3049-5c8e-9d4c-6c6c19aef2fa}?4?7???????????????????????????}??"T??????????????????? ???????.?????.0????????????d???d???????????????????????????"??{F???????????7??2E??2E??????????*6to4mp?-F????:??????-??25??{e9d59a36-d468-5a09-b5d5-36cd803c1a5b}?Tcp??????????????????????????????????????????????? ??????????????????????????????`????????e??{90386914-D935-47FB-881F-8467C2BD145F}??01??\Device\{90386914-D935-47FB-881F-8467C2BD145F}??91??? ??????????????????????????????<??????i??????<??????E??????Microsoft 6to4 Adapter Driver???? ??????????????????????????????"??? ???????????? ???????D?????17-??? "?????????????????ndis5_ip6_tunnel????????????? ??????????????????????????????????????????? ??????????????????????????????????????????????????????????????????S??ov? adresa????????????????t???? ????????
Reg HKLM\SYSTEM\CurrentControlSet\services\LanmanServer\Linkage@Export ????ve??????Net?p???6-21-2006????????????????????????????????????????????????p???????l???&????????????????:??????????e??Net??????????5????????????:??????????????????????????????????????????????????o???????s???????|???????????????????|???e??Net???????????????????????????????????????????????X?????????????? ???????????????????n?-??????0???????????????s?? ??????????????????????????? ?????????????????????-?????????????????f??????????????? ?????????????????????1??L????????? ??????:????????????????????????? ?????????????????????1????????????&???????????????????? ??? ?????????????????????1????????????????????? ?????????????????????1????????????????????????????????????????????????????????????????????????????????????????? ?????????????????????1????????????&???????????????????????input.inf???? ?????????????????????1????????????????????? ?????????????????????1????????????????????????????????????????????????????????????????????HID_Inst????????????????????input.inf:Standard.NTx86:HID_Inst:6.1.7600.16385::generic_hid_devic
Reg HKLM\SYSTEM\CurrentControlSet\services\LanmanWorkstation\Linkage@Bind ????????????*6to4mp?????? ???????????????????s?1??????*?:??? ???????????????5-??????????*6to4mp??C??? ?????????????????????1????????????&???????????????????????????????????@???? ????????????8?????????? ??P?ipojen? k m?stn? s?ti* 64?"????????????T????????????6P?ipojen? k m?stn? s?ti* 64??????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????4Microsoft 6to4 Adapter #28????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
Reg HKLM\SYSTEM\CurrentControlSet\services\LanmanWorkstation\Linkage@Route ????????? ???????@????????????????????$?N?6????????????????????????????????? ????2?????s-4???????????-??9F??9F???????????????????????????????????????6???????????????????e??????????????? ???????Z?????????????1????????????&???????????????????????? ?????????????????????1??????*?8??? ??????_{8???????????B??????????dB??????A????A????????????8??????5??1}??P?ipojen? k m?stn? s?ti* 65?0-??????????? ?????????????????????1????????????&???????????????????????????????? ?????????????????????1??????????????????????N??????T????D" "??Microsoft???? ?????????????????????1????????????????????? ?????????????????????1?????????????????????????????????????????????????????????????7??AA??2E??? ?????????????????????1??????????????????????,?????????????????? ?????????????????????1????????.???????????{533c5b84-ec70-11d2-9505-00c04f79deaf}????????:??????B???B??????????? ?????????????????????1????????????????????? ?????????????????????1????????????????????????????????????????????????????????4.0.424.0???????????? ?????????????????????1???
Reg HKLM\SYSTEM\CurrentControlSet\services\LanmanWorkstation\Linkage@Export ????;E??tunnel??????tunnel???7???????????5??????-C????$??????1???????4??????????????? ?????????????????????:????????????????pN??? ???????_?????3B1??? ???????????????????~?:????????????,???????????????????????C7??????????????????????????????? ???????5?????????????1??L????????? ??????OEM??? ?????????????????????1????????????&????????????????????R??? ?????????????????????1??L????????? ????????????????????s??????ol???????????????????i?????sOO??? ?????????????????????1????????????&???????????????????????? ?????????????????????-?????????????????????????????!?????sC:??????????????????? ???????:?????????????-??"???*?????????????????????????????????????????? ??????????????????UMB\UMBUS????????????????????~??????????? ??????????????s?????N????????????D????{00000000-0000-0000-ffff-ffffffffffff}???????????????????????????????????0????????N???????????D?????{36fc9e60-c465-11cf-8056-444553540000}?????????????????g????????? ???????????????? ??????????? ?J??????????????????????????s?????????????#?????????????????????????3???
Reg HKLM\SYSTEM\CurrentControlSet\services\NetBIOS\Linkage@Export ????????? ???????Z?????????????1????????????&???????????????????????? ?????????????????????1??????*?<??? ????????????????????e??????????P?ipojen? k m?stn? s?ti* 1194???? ???????Z?????????????1????????????&????????????????????-??? ?????????????????????1??????*?4??? ???????????????????? ??????????????????????????????????P?ipojen? k m?stn? s?ti 4????????????_???????????????????-???????????????????r???????????????????r???????????????????o???????????????????????????????????????_???????????????????????????????????????P???????????????????s???????????????????|???????????????????p???????????????????n???????????????????T???????????????????n???????????????????n???????????????????&???????????????????o???????????????????P???????????????????P???????????????????n???????????????????????????????????????_???????????????????????????????????????w???????????????????????????????????????n???????????????????n???????????????????????????????????}???????????????h???????????????????????????????????????????????????????????????????????3?
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 120\
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x9C 0x9B 0x30 0xA7 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x65 0x5D 0x13 0x8E ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x83 0x62 0xCA 0xE9 ...
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\001fe2f626d4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\001fe2f626d4@f81edf01ad02 0x2F 0x77 0x62 0xF1 ...
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\001fe2f626d4@001d28c9f74c 0x99 0xA3 0x17 0xAF ...
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\001fe2f626d4@60d0a984eccc 0x03 0x57 0xFB 0xD1 ...
Reg HKLM\SYSTEM\ControlSet002\services\LanmanServer\Linkage@Bind ???p?p???????????????p??? ???????o??????????????????????R?K??????????????????????????????????????????p?p?p??system32\drivers\HTTP.sys????????????????????????????????????????????p??RpcSs????????????p???-??25??@%systemroot%\system32\drivers\hwpolicy.sys,-101????????p????? ??o?????????t????? ??????????????????@%SystemRoot%\system32\drivers\http.sys,-1????????<??p????????h??????????p???0??e2???????????????????????v?v?u???????????????p????????????????????????p????????????????????????g???????????????????????????????????g??????R??p?????????e?????????????????????????p??? ???????p???????????p??????????????????????????????4?? ?????????? ????\???????????????????? ??????????????????????????? ??????? ????????p?????o???o???p????????? ???????o??????????????????????T?0??????????????p??????p????p??System32\drivers\hwpolicy.sys???system32\DRIVERS\i8042prt.sys?8042prt.sys?????<??p????????h???????<??p????????h????????p?????????????5????????m??????????????}?}?}??? ???????o??????????????????????P?2??????????o?o?p?p?p?p?p??Keyboar
Reg HKLM\SYSTEM\ControlSet002\services\LanmanServer\Linkage@Route ???p?????????????5????????m??????????????}?}?}??? ???????o??????????????????????P?2??????????o?o?p?p?p?p?p??Keyboard Port???system32\DRIVERS\intelppm.sys?ntelppm.sys???Ovlada? procesoru Intel?????system32\DRIVERS\ipfltdrv.sys???????@??????g?????p???????v???p???????v???????s???????????p?????p?????p????0??p?????????e?????????????????v??????????????t???????????????t??????????????g????.NT??????????z???{??? ???????o?????p?????p??????????Z?3???????????????????????????????????????????????T??p????????h?????\SystemRoot\system32\DRIVERS\BrFiltLo.sys?????Z??p?????????e????Brother USB Mass-Storage Lower Filter Driver?????????p??????p???extended base????p?p?p?p?p?p?p????T??p???????????d??brmfcsto.inf_x86_neutral_39ae61431a44cded???? ???????p???????????p??????????,??? ?????????????,??p???????????s??/GR=OFF /TO=10 /OW=30???? ???????o???????????p??????????Z?4?????????????????????t?????????????????????????????????????????T??p????????h????????p???p??????Z??p?????????e???????p?????p??????????????\SystemRoot\system32\DRIVERS\Br
Reg HKLM\SYSTEM\ControlSet002\services\LanmanServer\Linkage@Export ???p?p?????????????g?????? ??k??????p????????????v???????{???????????????????????v???????????????????z???z???????t??????????????????????????????t????????????v???????v???????????????????????????p???????e???????v???u???|???????v??? ???????o?????p????????????????:?=??????T??? ???????p???????????o????&???(????? ???????????? ???????p?????p???????????????????????????B????? ???????p?????p?????????????????????????s??? ???????p???????????p?,???????????? ????????????????????????????p???p??? ???????p???????????p?,???????????? ???????????????????????????RpcSs???????? ???????p???????????p?,???????????? ????????????????????????????????????????????p??? ???????p???????????p?,???????????? ???????????????????????????? ???????p???????????p?,???????????? ??????????????????????????????p???p???p???p???p???p????????? ???????p???????????p?,???????????? ???????????? ???????o?????p?????p????????$???>??????v????P??p?????????e????@%SystemRoot%\System32\bthserv.dll,-101???????????????????????????Z??p????????h?????%SystemRoot%\system32\s
Reg HKLM\SYSTEM\ControlSet002\services\LanmanWorkstation\Linkage@Bind ???k?p?????????????????s??????X??????????m??Fs_Rec??????{4d36e966-e325-11ce-bfc1-08002be10318}??????{4d36e966-e325-11ce-bfc1-08002be10318}\0000?????CompositeBus????????????????????eset_epfwndismp??????????k???????e??????????????????DETECTEDInternal\ACPI_HAL?DETECTED\ACPI_HAL?????? ~?????????????????????????? ???????1??????????????pi????F??k?????g?????????f???????e???????????????4???k?k?k???????????3??????? ??{00000000-0000-0000-FFFF-FFFFFFFFFFFF}???????k?l?o??????????? ??????????????????Psched?4?4???????k???????????????k???0??02??RDPENCDD?4??? x???????????????????N??k????????D???????N??k????????D??????????????????????????????????4???????????D???_??????????????ms??NDIS?????????k???????????????????????P??\0??Base?????????e??????s???????????????????{4d36e972-e325-11ce-bfc1-08002be10318}??????eset_epfwndismp?????NDIS?;???k??? "??k???????????????k??tcpipreg???????????????g????@oem17.inf,%ndis5desc%;Sony Ericsson Device 117 USB Ethernet Emulation (NDIS 5)?"????????????????????????????5??89?????????????????????????
Reg HKLM\SYSTEM\ControlSet002\services\LanmanWorkstation\Linkage@Route ???l?p????N????????????????n?5??{00000000-0000-0000-0000-000000000000}???????????l???????????l?l?l????X??l???&???&???????????????????????????????????.???????????????l???1???????????????n??or??????????????????{4d36e972-e325-11ce-bfc1-08002be10318}\0002?? ????N??l?????????D?????l?l?l?????o?|??????????6.1.7600.16385??6.????(??l???????????????????n???????????????1???1???l?????l?&???l???l???????????????????????????????????????????????l??? ???????k?????l?????k?-??????????A?????????D?????N??l???4???????h??? ???????l???????????l?-????????P????????/??umbus.inf????????????????????????i????N??????????????????????????m??????????HIDClass????LegacyDriver???????|?????????l??????????????11??-9???????????????????????????????????????????????m?m?????k?l?l?l?l???l???????}???????l??????????????????? ???????k?????l?????k?-??????????B? ???????D?????N??l????????D?????? ???????l???????????l?-????????^????????????l?l?l?l?l?l?l?????????????????????l?&???????l??? ???4????????????????????N???????????D?????? L????????????????????????????
Reg HKLM\SYSTEM\ControlSet002\services\LanmanWorkstation\Linkage@Export ???p?p???????v??????????????t???????????????????LDDM Graphics Subsystem??????????????c???????S????P??s?????????e????File system??????????|???o???????y???????????\??ea??????????????????FSFilter Bottom???????2??z????????h?????????????acpi.inf?????????????????????zp??p???p??? ???????o?????????????,????????8?c??????????????????1??t-???????????????????????????|???????????-?g14??????????????t??????????????g?????????o???q??5??????????????g?????????|???????????????o???0???2??????????????????????????s_????????????????????<??o????????h?????????????????????????????????????????????????????? ???????o?????o????????????????6?g??????????????????m??tc??system32\DRIVERS\Epfwndis.sys???Eset Personal Firewall???????????????????????????????}???????????????????????????????a??in?????????????g??????N??u?????????e?????????k??????p????????????????????v?|.i??????? ???????o???????????o??????????V??? ???????????? R??o??????????????C:\ProgramData\ESET\ESET Smart Security\????? V??o??????????????C:\Program Files\ESET\ESET Smart Security\?
Reg HKLM\SYSTEM\ControlSet002\services\NetBIOS\Linkage@Export ??????????????????????B??????s????h??????????????r???m???l?m??????????N??????????????????????????????????????????o??tk???o?p????????.NT?????????????????????text????????????????????? ???????q??????????????????????N?k???????????N??????-??????????{CF3F502E-B40D-4071-996F-00981EDF938E}??????? ???????q???????????o?,?????? ?B?t?????????????? ???????????2???????_????????B??????8??????????%SystemRoot%\System32\appmgr.dll?_??? ???????q???????????o??????????h?????????????????????????????????h??????-??????%SystemRoot%\System32\winevt\Logs\Media Center.evtx??????????????s????n32\??? ?q???q???q???q???????q???q???q???q???s????????? ???????????????????q???????? ?@?????????t?????%SystemRoot%\ehome\ehepgres.dll?08??????????? ???????????????????????????? ?>????????r????>??????\??????????%SystemRoot%\ehome\ehRecvr.exe?20???????????????????????? ???????????????????????????? ?>????????d????>?????????????????%SystemRoot%\ehome\ehSched.exe?YS_????@?????????????????? ???????????????????????????? ?@?????????????@??????I??????????%Sy
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 120\
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x9C 0x9B 0x30 0xA7 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x65 0x5D 0x13 0x8E ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x83 0x62 0xCA 0xE9 ...
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{D39E6332-4321-4B36-9D29-42FFF3E2C40F}
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{D39E6332-4321-4B36-9D29-42FFF3E2C40F}
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{D39E6332-4321-4B36-9D29-42FFF3E2C40F}@Path \Microsoft\Windows Defender\MP Scheduled Scan
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{D39E6332-4321-4B36-9D29-42FFF3E2C40F}@Triggers 0x15 0x00 0x00 0x00 ...
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{D39E6332-4321-4B36-9D29-42FFF3E2C40F}@DynamicInfo 0x03 0x00 0x00 0x00 ...
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows Defender\MP Scheduled Scan@Id {D39E6332-4321-4B36-9D29-42FFF3E2C40F}

---- EOF - GMER 1.0.15 ----


snad ti to řekne více než mě a Díky

[vyosek]

Ma chyba, W7 nemaji plochu ale desktop, takze postup zopakovat, log bude podobny, jen malinko neco navic

MBR nespoustet dvojklikem, smaznout ten log mbr.txt co vytvoril

Kliknete na Start a pote Spustit, pripadne pouzijte klavesou zkratku Win+R

• Vyskoci na Vas okenko, do ktereho zkopirujte text nize

• Kód: Vybrat vše

  "%userprofile%\Desktop\mbr" -t

• Kliknete na OK
• Na plose se Vam vytvori log s nazvem mbr.txt, jeho obsah mi sem vlozte

Log z gmeru vypada zajimave, maly moment...

[jamet]

tady je,


Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: error reading MBR
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ataport.SYS halmacpi.dll PCIIDEX.SYS msahci.sys dxgkrnl.sys nvlddmkm.sys dxgmms1.sys USBPORT.SYS usbehci.sys ndis.sys NETw5s32.sys usbuhci.sys hidusb.sys HIDCLASS.SYS HIDPARSE.SYS mouhid.sys mouclass.sys usbccgp.sys usbhub.sys yk62x86.sys netbt.sys tdx.sys tcpip.sys NETIO.SYS epfwwfp.sys ipnat.sys pacer.sys Epfwndis.sys epfw.sys >>UNKNOWN [0x8A2E11A0]<<
kernel: MBR read successfully



jinak mám ještě jeden problém, od doby co jsem dělal scan s GMERem mi čas od času když pustím internet spadne celý systém ( objeví se modré okno s textem který nestihnu přečíst a spadne )

[vyosek]

Takze si dame opacko jeste jedno mbr - jsem otravnej, ja vim

Klik na mbr pravym - zvolit vlastnosti - zalozka kompatibilita - zaskrtnout Spustit jako spravce. Smaznout log mbr.txt a znovu spustit mbr pres Start-spustit (znate to )

Myslite modrou obrazovku, znamou jako modra smrt? Zkuste se podivat do slozky C:\Windows\Minidump jestli tam neni nejaky soubor s priponou dmp, pokud ano, tak jej zabalte (ci vsechny pokud jich bude vice) a uploadnete na LP http://leteckaposta.cz/ - poprosim kolegu at na to koukne...

Jinak log z gmeru je OK

[jamet]

ahoj tak složku minidump nemám

a tady je log z MBR, ale je čím dál menší ať to spouštím jak to spouštím


Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ataport.SYS halmacpi.dll PCIIDEX.SYS msahci.sys
kernel: MBR read successfully
user & kernel MBR OK