Re: Zaseknutí PC po startu AVAST Free + win32: rootkit-gen [
Napsal: 19 kvě 2011 21:14
No par cracku a nejak havet nam to naslo, jak se chova PC nyni 
VIRY.CZ
Pomáháme v boji s počítačovou havěti!
https://forum.viry.cz:443/
Zaseknutí PC po startu AVAST Free + win32: rootkit-gen [Rtk]
Stránka 2 z 2
Re: Zaseknutí PC po startu AVAST Free + win32: rootkit-gen [
Napsal: 19 kvě 2011 21:27
bohužel se nezlepšilo nic
Re: Zaseknutí PC po startu AVAST Free + win32: rootkit-gen [
Napsal: 20 kvě 2011 07:29
Stahnete SPTD http://www.duplexsecure.com/en/downloads
- Vyberte z uvedene stranky verzi dle sveho operacniho systemu (32(x86)bit ci 64(x64)bit)
- Ulozte na plochu a spustte
- Zvolte moznost Uninstall a restartujte PC - pokud nepujde kliknout (tlacitko bude sede), krok preskocte
Stahnete Defogger http://www.jpshortstuff.247fixes.com/Defogger.exe
- Ulozte na plochu a spustte
- Kliknete na Disable a restartujte PC - pokud nepujde kliknout (tlacitko bude sede), krok preskocte
Stahnete MBR na plochu http://www2.gmer.net/mbr/mbr.exe ale nespoustejte Kliknete na Start a pote Spustit, pripadne pouzijte klavesou zkratku Win+R
- Vyskoci na Vas okenko, do ktereho zkopirujte text nize
Kód: Vybrat vše
"%userprofile%\plocha\mbr" -t -s- Kliknete na OK
- Na plose se Vam vytvori log s nazvem mbr.txt, jeho obsah mi sem vlozte
Dejte logy z Gmeru - viz muj podpisRe: Zaseknutí PC po startu AVAST Free + win32: rootkit-gen [
Napsal: 20 kvě 2011 09:15
Děkuji, dostanu se k tomu až po víkendu a pak pošlu log.
Re: Zaseknutí PC po startu AVAST Free + win32: rootkit-gen [
Napsal: 20 kvě 2011 10:14
Dobra tedy 
Re: Zaseknutí PC po startu AVAST Free + win32: rootkit-gen [
Napsal: 22 kvě 2011 19:11
log z MBR
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: ST316082 rev.3.42 -> Harddisk0\DR0 -> \Device\Scsi\viasraid1Port2Path0Target0Lun0
device: opened successfully
user: MBR read successfully
Disk trace:
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys SCSIPORT.SYS hal.dll viasraid.sys
C:\WINDOWS\system32\drivers\viasraid.sys VIA Technologies inc,.ltd Raid controller 6420 driver
1 nt!IofCallDriver[0x804E37C5] -> \Device\Harddisk0\DR0[0x82374030]
3 CLASSPNP[0xF857805B] -> nt!IofCallDriver[0x804E37C5] -> \Device\Scsi\viasraid1Port2Path0Target0Lun0[0x82391030]
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
user & kernel MBR OK
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: ST316082 rev.3.42 -> Harddisk0\DR0 -> \Device\Scsi\viasraid1Port2Path0Target0Lun0
device: opened successfully
user: MBR read successfully
Disk trace:
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys SCSIPORT.SYS hal.dll viasraid.sys
C:\WINDOWS\system32\drivers\viasraid.sys VIA Technologies inc,.ltd Raid controller 6420 driver
1 nt!IofCallDriver[0x804E37C5] -> \Device\Harddisk0\DR0[0x82374030]
3 CLASSPNP[0xF857805B] -> nt!IofCallDriver[0x804E37C5] -> \Device\Scsi\viasraid1Port2Path0Target0Lun0[0x82391030]
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
user & kernel MBR OK
Re: Zaseknutí PC po startu AVAST Free + win32: rootkit-gen [
Napsal: 22 kvě 2011 19:13
Tohle je OK, ted poprosim o gmer
Re: Zaseknutí PC po startu AVAST Free + win32: rootkit-gen [
Napsal: 22 kvě 2011 19:22
GMER 1.0.15.15627 - http://www.gmer.net
Rootkit scan 2011-05-22 20:21:52
Windows 5.1.2600 Service Pack 2 Harddisk0\DR0 -> \Device\Scsi\viasraid1Port2Path0Target0Lun0 ST316082 rev.3.42
Running: gmer.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\pxtdipog.sys
---- Kernel code sections - GMER 1.0.15 ----
? C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\mbr.sys Systém nemůže nalézt uvedený soubor. !
---- User code sections - GMER 1.0.15 ----
.text C:\Program Files\Mozilla Firefox\firefox.exe[176] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 00401410 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[820] USER32.dll!SetWindowLongA 77D3D61D 5 Bytes JMP 10698DD9 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[820] USER32.dll!SetWindowLongW 77D3D63B 5 Bytes JMP 10698D6B C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[820] USER32.dll!GetWindowInfo 77D3E78C 5 Bytes JMP 104C7187 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[820] USER32.dll!TrackPopupMenu 77D84EDE 5 Bytes JMP 104C7781 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
---- Devices - GMER 1.0.15 ----
AttachedDevice \Driver\Tcpip \Device\Tcp aswRdr.SYS (avast! TDI RDR Driver/AVAST Software)
---- Services - GMER 1.0.15 ----
Service C:\WINDOWS\system32\svchost.exe (*** hidden *** ) [AUTO] sdvpvmm <-- ROOTKIT !!!
---- Registry - GMER 1.0.15 ----
Reg HKLM\SYSTEM\CurrentControlSet\Services\sdvpvmm@DisplayName Config Network
Reg HKLM\SYSTEM\CurrentControlSet\Services\sdvpvmm@Type 32
Reg HKLM\SYSTEM\CurrentControlSet\Services\sdvpvmm@Start 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\sdvpvmm@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sdvpvmm@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\CurrentControlSet\Services\sdvpvmm@ObjectName LocalSystem
Reg HKLM\SYSTEM\CurrentControlSet\Services\sdvpvmm@Description Spravuje propojen? mezi soubory v syst?mu NTFS v r?mci po??ta?e i mezi po??ta?i v dom?n? s?t?.
Reg HKLM\SYSTEM\CurrentControlSet\Services\sdvpvmm\Parameters
Reg HKLM\SYSTEM\CurrentControlSet\Services\sdvpvmm\Parameters@ServiceDll C:\WINDOWS\system32\rqtbu.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 120\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x60 0x4C 0xE9 0x3D ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0xD8 0xB3 0x31 0xE2 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x7F 0xBC 0x0C 0xEF ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 120\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x60 0x4C 0xE9 0x3D ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0xD8 0xB3 0x31 0xE2 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x7F 0xBC 0x0C 0xEF ...
---- EOF - GMER 1.0.15 ----
Rootkit scan 2011-05-22 20:21:52
Windows 5.1.2600 Service Pack 2 Harddisk0\DR0 -> \Device\Scsi\viasraid1Port2Path0Target0Lun0 ST316082 rev.3.42
Running: gmer.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\pxtdipog.sys
---- Kernel code sections - GMER 1.0.15 ----
? C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\mbr.sys Systém nemůže nalézt uvedený soubor. !
---- User code sections - GMER 1.0.15 ----
.text C:\Program Files\Mozilla Firefox\firefox.exe[176] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 00401410 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[820] USER32.dll!SetWindowLongA 77D3D61D 5 Bytes JMP 10698DD9 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[820] USER32.dll!SetWindowLongW 77D3D63B 5 Bytes JMP 10698D6B C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[820] USER32.dll!GetWindowInfo 77D3E78C 5 Bytes JMP 104C7187 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[820] USER32.dll!TrackPopupMenu 77D84EDE 5 Bytes JMP 104C7781 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
---- Devices - GMER 1.0.15 ----
AttachedDevice \Driver\Tcpip \Device\Tcp aswRdr.SYS (avast! TDI RDR Driver/AVAST Software)
---- Services - GMER 1.0.15 ----
Service C:\WINDOWS\system32\svchost.exe (*** hidden *** ) [AUTO] sdvpvmm <-- ROOTKIT !!!
---- Registry - GMER 1.0.15 ----
Reg HKLM\SYSTEM\CurrentControlSet\Services\sdvpvmm@DisplayName Config Network
Reg HKLM\SYSTEM\CurrentControlSet\Services\sdvpvmm@Type 32
Reg HKLM\SYSTEM\CurrentControlSet\Services\sdvpvmm@Start 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\sdvpvmm@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sdvpvmm@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\CurrentControlSet\Services\sdvpvmm@ObjectName LocalSystem
Reg HKLM\SYSTEM\CurrentControlSet\Services\sdvpvmm@Description Spravuje propojen? mezi soubory v syst?mu NTFS v r?mci po??ta?e i mezi po??ta?i v dom?n? s?t?.
Reg HKLM\SYSTEM\CurrentControlSet\Services\sdvpvmm\Parameters
Reg HKLM\SYSTEM\CurrentControlSet\Services\sdvpvmm\Parameters@ServiceDll C:\WINDOWS\system32\rqtbu.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 120\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x60 0x4C 0xE9 0x3D ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0xD8 0xB3 0x31 0xE2 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x7F 0xBC 0x0C 0xEF ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 120\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x60 0x4C 0xE9 0x3D ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0xD8 0xB3 0x31 0xE2 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x7F 0xBC 0x0C 0xEF ...
---- EOF - GMER 1.0.15 ----
Re: Zaseknutí PC po startu AVAST Free + win32: rootkit-gen [
Napsal: 22 kvě 2011 19:24
Stahnete Avenger (viz muj podpis)
- Pokud pouzivate Win Vista ci W7, kliknete na Avenger pravym a dejte Run As Administrator ci Spustit jako spravce
- Po spusteni Vas program upozorni, ze vse co delate, delate na vlastni riziko - Dejte OK
- Po potvrzeni uz na Vas koukne hlavni okno, kam vlozite skript, ktery mate nize
-
Kód: Vybrat vše
Drivers to delete: sdvpvmm - Do ctverecku u Scan for rootkits a Automatically disable any rootkits found dejte fajecku
- Nyni uz kliknete na Execute a potvrdte Yes v nasledujicim okne - timto potvrdite spusteni skriptu
- Na otazku Reboot now odpovezte opet OK - timto se PC restartuje
- Po restartu by se mel otevrit poznamkovy blok s logem a jeho obsah vlozte sem. Pokud se tak nestane, naleznete pozadovany dokument v C:\avenger.txt
Re: Zaseknutí PC po startu AVAST Free + win32: rootkit-gen [
Napsal: 22 kvě 2011 19:34
Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com
Platform: Windows XP
*******************
Script file opened successfully.
Script file read successfully.
Backups directory opened successfully at C:\Avenger
*******************
Beginning to process script file:
Rootkit scan active.
No rootkits found!
Driver "sdvpvmm" deleted successfully.
Completed script processing.
*******************
Finished! Terminate.
http://swandog46.geekstogo.com
Platform: Windows XP
*******************
Script file opened successfully.
Script file read successfully.
Backups directory opened successfully at C:\Avenger
*******************
Beginning to process script file:
Rootkit scan active.
No rootkits found!
Driver "sdvpvmm" deleted successfully.
Completed script processing.
*******************
Finished! Terminate.
Re: Zaseknutí PC po startu AVAST Free + win32: rootkit-gen [
Napsal: 22 kvě 2011 20:47
Nastala nejaka zmena v chovani PC
Re: Zaseknutí PC po startu AVAST Free + win32: rootkit-gen [
Napsal: 22 kvě 2011 21:19
pořád špatný 
Re: Zaseknutí PC po startu AVAST Free + win32: rootkit-gen [
Napsal: 23 kvě 2011 06:40
Mohl byste prosim problem trochu vice popsat - kdy se zasekava apod...
Re: Zaseknutí PC po startu AVAST Free + win32: rootkit-gen [
Napsal: 23 kvě 2011 09:59
Po naběhnutí do Win počítač nereaguje... u ikonky Avastu v oznamovaci oblasti je žlutý vykřičník, kurzorem myši se dá pohybovat, klávesnice také není zaseknutá (reagují LED). Pokud se ale něco pokusím spustit, nestane se tak. Na kurzoru myši se objeví přesýpací hodiny a požadovaná akce se neprovede, ale kurzorem myší lze dále pohybovat po ploše.
Dříve jsem to několikrát vyřešil tak, že jsem odinstaloval Avast a znovu ho nainstaloval a počítač šel někdy 3 dny, někdy týden úplně normálně a poté se to opět objevilo. Bohužel nedokážu spustit ani správce úloh, abych se podíval na vytížení procesoru, ale mám pocit, že při snaze o spuštění rezidentní ochrany Avastu dojde k vytížení procesoru na 100% a dál už na nic nereaguje.
Dříve jsem to několikrát vyřešil tak, že jsem odinstaloval Avast a znovu ho nainstaloval a počítač šel někdy 3 dny, někdy týden úplně normálně a poté se to opět objevilo. Bohužel nedokážu spustit ani správce úloh, abych se podíval na vytížení procesoru, ale mám pocit, že při snaze o spuštění rezidentní ochrany Avastu dojde k vytížení procesoru na 100% a dál už na nic nereaguje.
Re: Zaseknutí PC po startu AVAST Free + win32: rootkit-gen [
Napsal: 23 kvě 2011 12:39
Zkuste tedy Avast odinstalovat a nainstalovat treba MSE od microsoftu