Re: Fake antivirus "Personal Shield Pro"
Posted: 26 Jul 2011 18:07
So here is the new log from CF:
ComboFix 11-07-26.02 - Administrator 26.07.2011 18:56:05.5.1 - FAT32x86 NETWORK
Microsoft Windows XP Home Edition 5.1.2600.3.1250.420.1029.18.502.260 [GMT 2:00]
Running from: c:\documents and settings\Administrator\Plocha\ComboFix.exe
AV: Eset NOD32 antivirus system 2.51 *Enabled/Updated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\dna69\Local Settings\temp\RtkBtMnt.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-06-26 to 2011-07-26 )))))))))))))))))))))))))))))))
.
.
2011-07-26 07:25 . 2011-07-26 07:25 -------- d-----w- c:\program files\trend micro
2011-07-26 07:25 . 2011-07-26 07:25 -------- d-----w- C:\rsit
2011-07-26 06:32 . 2011-07-26 06:32 -------- d-----w- C:\Kaspersky Rescue Disk 10.0
2011-07-25 15:26 . 2011-07-25 15:26 -------- d-----w- c:\documents and settings\Administrator
2011-07-25 11:42 . 2011-07-25 11:42 -------- d-----w- c:\documents and settings\All Users\Data aplikací\mD02300CkNbF02300
2011-07-23 17:32 . 2011-07-23 17:32 1409 ----a-w- c:\windows\QTFont.for
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-07-03 16:42 . 2011-05-27 06:51 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-06-06 11:35 . 2007-04-04 16:35 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-05-02 15:32 . 2004-08-18 18:00 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-04-29 17:25 . 2004-08-18 18:00 151552 ----a-w- c:\windows\system32\schannel.dll
2011-04-29 16:19 . 2004-08-18 18:00 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
.
.
((((((((((((((((((((((((((((( SnapShot@2011-07-25_20.06.35 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-12-30 22:11 . 2011-07-26 13:36 5536 c:\windows\system32\d3d9caps.dat
- 2009-12-30 22:11 . 2009-12-30 22:54 5536 c:\windows\system32\d3d9caps.dat
.
(((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LaunchApp"="Alaunch" [X]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"RTHDCPL"="RTHDCPL.EXE" [2006-06-28 16248320]
"SkyTel"="SkyTel.EXE" [2006-05-16 2879488]
"AzMixerSel"="c:\program files\Realtek\InstallShield\AzMixerSel.exe" [2005-12-21 53248]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-03 761946]
"ntiMUI"="c:\program files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe" [2006-05-15 45056]
"ADMTray.exe"="c:\acer\Empowering Technology\admtray.exe" [2005-10-24 2462208]
"eDataSecurity Loader"="c:\acer\Empowering Technology\eDataSecurity\eDSloader.exe" [2005-12-27 69632]
"PCMService"="c:\program files\Acer\Acer Arcade\PCMService.exe" [2006-08-09 151552]
"ePower_DMC"="c:\acer\Empowering Technology\ePower\ePower_DMC.exe" [2006-08-10 352256]
"Acer ePower Management"="c:\acer\Empowering Technology\ePower\Acer ePower Management.exe" [2006-05-22 3080704]
"eRecoveryService"="c:\acer\Empowering Technology\eRecovery\Monitor.exe" [2006-01-24 397312]
"CloneCDTray"="c:\program files\CloneCD\CloneCDTray.exe" [2006-09-28 57344]
"nod32kui"="c:\program files\Eset\nod32kui.exe" [2007-06-26 921600]
"PCSuiteTrayApplication"="c:\program files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2007-03-23 227328]
"VirtualCloneDrive"="c:\program files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" [2009-05-26 85160]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-15 135168]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-15 159744]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-15 131072]
"UpdateReminder"="c:\program files\Eset\UpdateReminder.exe" [2011-07-19 462848]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-03-28 413696]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"Nokia.PCSync"="c:\program files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-03-27 1744896]
.
c:\documents and settings\dna69\Nabídka Start\Programy\Po spuštění\
Opera.lnk - c:\program files\Opera\Opera.exe [2007-10-15 79360]
UltimateZip Quick Start.lnk - c:\program files\UltimateZip\uzqkst.exe [2005-2-26 303616]
.
c:\documents and settings\All Users\Nabídka Start\Programy\Po spuštění\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
2004-08-18 18:00 208952 ----a-w- c:\windows\ime\imjp8_1\imjpmig.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LManager]
2006-07-20 20:15 593920 ----a-w- c:\progra~1\LAUNCH~1\LManager.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]
2004-08-18 18:00 59392 ----a-w- c:\windows\system32\IME\PINTLGNT\IMSCINST.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
2004-08-18 18:00 455168 ----a-w- c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
2004-08-18 18:00 455168 ----a-w- c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2008-03-28 21:37 413696 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Acer\\Acer Arcade\\PCMService.exe"=
"d:\\Condition Zero\\czero.exe"=
"c:\\Program Files\\totalcmd\\TOTALCMD.EXE"=
"c:\\Program Files\\QIP\\qip.exe"=
"c:\\Program Files\\QIP Infium\\INFIUM.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Java\\jre1.6.0_07\\BIN\\javaw.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
.
S2 Application Updater;Application Updater;"c:\program files\Application Updater\ApplicationUpdater.exe" --> c:\program files\Application Updater\ApplicationUpdater.exe [?]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://global.acer.com
uInternet Connection Wizard,ShellNext = hxxp://global.acer.com/
LSP: c:\windows\system32\imon.dll
Trusted Zone: mojebanka.cz\*
TCP: DhcpNameServer = 10.107.52.1 10.107.4.100
TCP: Interfaces\{8617164D-C891-448E-9395-C136971A7643}: NameServer = 10.107.52.1,10.107.4.100
DPF: {888078C6-70B2-4F88-8EE7-1F50DDEA6120} - hxxps://as.photoprintit.de/ips-opdata/activex/ImageUploader6.cab
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-07-26 19:03
Windows 5.1.2600 Service Pack 3 FAT NTAPI
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Completion time: 2011-07-26 19:04:40
ComboFix-quarantined-files.txt 2011-07-26 17:04
ComboFix2.txt 2011-07-26 08:34
ComboFix3.txt 2011-07-25 20:08
.
Pre-Run: 18,756,927,488 bytes free
Post-Run: 18,759,221,248 bytes free
.
- - End Of File - - C12D9D654A2AF5712DBA3E86989DBF94
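When reading a log like the one above, the lines worth a second look are the autostart entries ComboFix could not resolve to a file on disk (tagged [X] or [?] instead of a date and size, such as the "LaunchApp" Run value and the "Application Updater" service) and freshly created directories with machine-generated-looking names under Application Data, which is where rogue antivirus families typically drop their files. The script below is an added example for triaging a ComboFix-style log; it is not part of the original post and not ComboFix's own code. The sample lines are copied from the log above; the "looks generated" heuristic (alphanumeric only, letters and digits interleaved, high character entropy) and its thresholds are assumptions of this example, not anything ComboFix itself does, and a hit is a prompt to inspect the directory, not a verdict.

```python
"""Triage helper for ComboFix-style logs: flags autostart entries ComboFix
could not resolve and newly created directories whose names look generated.

Added example, not part of the original forum post or of ComboFix. The
randomness heuristic and its thresholds are assumptions of this script.
"""
import math
import re
from collections import Counter

# Constructed sample input: lines copied from the log posted above.
SAMPLE_LOG = r"""
2011-07-26 07:25 . 2011-07-26 07:25 -------- d-----w- c:\program files\trend micro
2011-07-25 11:42 . 2011-07-25 11:42 -------- d-----w- c:\documents and settings\All Users\Data aplikací\mD02300CkNbF02300
2011-07-23 17:32 . 2011-07-23 17:32 1409 ----a-w- c:\windows\QTFont.for
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LaunchApp"="Alaunch" [X]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"nod32kui"="c:\program files\Eset\nod32kui.exe" [2007-06-26 921600]
S2 Application Updater;Application Updater;"c:\program files\Application Updater\ApplicationUpdater.exe" --> c:\program files\Application Updater\ApplicationUpdater.exe [?]
"""

# A Run value ends in "[YYYY-MM-DD size]" when the file was found, "[X]" otherwise.
RUN_VALUE = re.compile(r'^"(?P<name>[^"]+)"="(?P<target>[^"]*)"\s+\[(?P<tag>[^\]]*)\]\s*$')
# Service/driver lines: start type, name, description, path ... [tag]; "[?]" means unresolved.
SERVICE = re.compile(r'^(?P<start>[RS]\d)\s+(?P<name>[^;]+);.*\[(?P<tag>[^\]]*)\]\s*$')
# "Files Created" entries for directories (attribute field starts with "d").
NEW_DIR = re.compile(r'^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. .*? d-----w- (?P<path>.+)$')


def shannon_entropy(s: str) -> float:
    """Bits per character of the string's own symbol distribution."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_generated(name: str) -> bool:
    """Heuristic (assumption of this example): a leaf name is suspicious when it
    is purely alphanumeric, switches between letters and digits at least twice,
    and has at least 2.5 bits of entropy per character."""
    if not re.fullmatch(r"[A-Za-z0-9]{8,}", name):
        return False
    transitions = sum(1 for a, b in zip(name, name[1:]) if a.isdigit() != b.isdigit())
    return transitions >= 2 and shannon_entropy(name) >= 2.5


def triage(log_text: str) -> dict:
    """Return the log entries a responder should look at first."""
    findings = {"orphaned_run": [], "unverified_services": [], "generated_dirs": []}
    for line in log_text.splitlines():
        line = line.strip()
        m = RUN_VALUE.match(line)
        if m:
            if m["tag"] == "X":  # autostart value whose target file is missing
                findings["orphaned_run"].append(m["name"])
            continue
        m = SERVICE.match(line)
        if m and m["tag"] == "?":  # service ComboFix could not resolve
            findings["unverified_services"].append(m["name"].strip())
            continue
        m = NEW_DIR.match(line)
        if m:
            leaf = m["path"].rstrip("\\").rsplit("\\", 1)[-1]
            if looks_generated(leaf):
                findings["generated_dirs"].append(m["path"])
    return findings


if __name__ == "__main__":
    for category, items in triage(SAMPLE_LOG).items():
        print(category)
        for item in items:
            print("   ", item)
```

Run it against the full log text instead of SAMPLE_LOG to get the same three buckets for the whole post; entries in the "Reg Loading Points" section that carry a date and size are deliberately left alone, since those files were present and the question of whether they are legitimate is a different check (signature, hash, known-good vendor path).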