Odvirování PC, zrychlení počítače, vzdálená pomoc prostřednictvím služby neslape.cz

Win32/Mebroot.K

Máte problém s virem? Vložte sem log z FRST nebo RSIT.

Moderátor: Moderátoři

Pravidla fóra
Pokud chcete pomoc, vložte log z FRST [návod zde] nebo RSIT [návod zde]

Jednotlivé thready budou po vyřešení uzamčeny. Stejně tak ty, které budou nečinné déle než 14 dní. Vizte Pravidlo o zamykání témat. Děkujeme za pochopení.

!NOVINKA!
Nově lze využívat služby vzdálené pomoci, kdy se k vašemu počítači připojí odborník a bližší informace o problému si od vás získá telefonicky! Více na www.neslape.cz
Zamčeno
Zpráva
Autor
Simicek
Návštěvník
Návštěvník
Příspěvky: 177
Registrován: 23 črc 2008 19:09

Re: Win32/Mebroot.K

#151 Příspěvek od Simicek »

a ten prvý
C:\DOCUME~1\DIABLO~1\LOCALS~1\Temp\ldiskl.sys


0 bytes size received / Se ha recibido un archivo vacio

Uživatelský avatar
stell
VIP
VIP
Příspěvky: 5175
Registrován: 09 pro 2007 09:27
Bydliště: SK-REVUCA
Kontaktovat uživatele:

Re: Win32/Mebroot.K

#152 Příspěvek od stell »

Pri tejto akcii je nutné mať ComboFix na ploche.

Vypni>FIREWALL>Antivir>Antispyware>vsetko rezidentne.

Otvor Notepad (Poznámkový blok) a zkopíruj do neho celý zeleny tex:

Kód: Vybrat vše

KILLALL::

Rootkit::
C:\DOCUME~1\DIABLO~1\LOCALS~1\Temp\ldiskl.sys
Driver::
ldiskl
Folder::
C:\SDFix
DirLook::
C:\Crack
Potom klik na Subor -> Uložiť ako.. .. -> Ako je Názov souboru tak do toho riadku napiš:CFScript.txt
Typ súboru tak tam vyberies *všetky súbory
A ulož ho na plochu.> Pozor CFScript.txt>Neotvarat a nemoze byt ani>CFScript.txt.txt A Urobis Toto :
Obrázek

Po skonceni skenu vlož log čo ComboFix vytvorí+novy HiJackThis.log
Dôležité informácie.
NEŠLAPE Vám počítač?
Je zavirovaný? Šlape pomalu? Nefunguje program? Problém s instalací?
Využíjte služby vzdálené pomoci!
Obrázek
e-mail: stell(zavináč)forum.viry.cz
Thanks! Vďaka!

Obrázek

Simicek
Návštěvník
Návštěvník
Příspěvky: 177
Registrován: 23 črc 2008 19:09

Re: Win32/Mebroot.K

#153 Příspěvek od Simicek »

Combofix


PUSHD "C:\327882R2FWJFW\"

IF NOT EXIST C:\WINDOWS\system32\cmd.exe GOTO Not_NT

VER | FIND.exe "Microsoft Windows [Version 5.2.3790]" 1>nul

IF NOT ERRORLEVEL 1 GOTO Not_NT

VER | FIND.exe "Windows XP" 1>nul

PV -o"%i\t%l" | SED "/\t.*\\nircmd\.inf$/!d; s///; s/./@pv -kfi &/" 1>temp00.bat

CALL temp00.bat

DEL temp00.bat 2>nul

=============================================

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Diablo Hit ADSL\Data aplikacˇ
CFLDR=327882R2FWJFW
CLASSPATH=.;C:\Program Files\Java\j2re1.4.2_06\lib\ext\QTJava.zip
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=DC037625
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Diablo Hit ADSL
KMD=CF23112.exe
LOGONSERVER=\\DC037625
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\327882R2FWJFW;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\Program Files\PC Connectivity Solution;C:\GTK\2.0\bin;C:\Program Files\Microsoft SQL Server\80\Tools\Binn;C:\Program Files\Common Files\Ulead Systems\MPEG;C:\PROGRA~1\COMMON~1\MGISHA~1\Video;C:\PROGRA~1\COMMON~1\MGISHA~1\SHARED~1\Bin;C:\Program Files\QuickTime\QTSystem;C:\Program Files\Pinnacle\Shared Files;C:\Program Files\Pinnacle\Shared Files\Filter
PATHEXT=.cfexe;.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 4 Stepping 1, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0401
ProgramFiles=C:\Program Files
PROMPT=$
QTJAVA=C:\Program Files\Java\j2re1.4.2_06\lib\ext\QTJava.zip
SERINUMB=DC037625
SESSIONNAME=Console
sfxname=C:\Documents and Settings\Diablo Hit ADSL\Plocha\ComboFix.exe
SYSTEM=C:\WINDOWS\system32
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\DIABLO~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\DIABLO~1\LOCALS~1\Temp
USERDOMAIN=DC037625
USERNAME=Diablo Hit ADSL
USERPROFILE=C:\Documents and Settings\Diablo Hit ADSL
WBSET=Reset
windir=C:\WINDOWS

=============================================


IF NOT DEFINED sfxname GOTO END

IF /I "C:\327882R2FWJFW" NEQ "C:\327882R2FWJFW" GOTO Abort

IF EXIST "C:\DOCUME~1\DIABLO~1\LOCALS~1\Temp\327882R2FWJFW327882R2FWJFW.log" DEL "C:\DOCUME~1\DIABLO~1\LOCALS~1\Temp\327882R2FWJFW327882R2FWJFW.log"
SteelWerX Extended Configuration Access Control Lists
Written by Bobbi Flekman 2006 (C)

Volume: C:\ does not support Access Control Lists


COPY /y "C:\WINDOWS\system32\cmd.exe" "C:\WINDOWS\system32\CF23112.exe"
1 zkopˇrovaněch soubor…

(
SET "FileName=ComboFix"
SET "FilePath=C:\Documents and Settings\Diablo Hit ADSL\Plocha\"
)

SET FileName 1>FileName 2>nul

GREP -isqx "FileName=[-[:alnum:]@.]*" FileName || (
Nircmd infobox "You cannot rename ComboFix as ComboFix~n~nPlease use another name, preferbaly made up of alphanumeric characters" ""
GOTO END
)

DIR /ad/b C:\* | Findstr -IVX ComboFix 1>dirname00

Findstr -LIXC:"ComboFix" dirname00 1>nul && call :NameChk

IF EXIST dirname0? del /Q dirname0?

IF EXIST "\ComboFix" DIR /AD "\ComboFix" 1>nul && (
RD /s/q "\ComboFix"
IF EXIST "\ComboFix" (
PV -kf *.cfexe
RD /s/q "\ComboFix"
)
IF EXIST "\ComboFix" (
HANDLE "C:\ComboFix" | SED -r "/pid:/!d; s/.*: (.*): .*/\1/" 1>temp00
FOR /F "TOKENS=1,2" %g in (temp00) DO @ECHO.y | HANDLE -p %g -c %h
DEL /q temp00
RD /s/q "\ComboFix"
)
)
Killing '*.cfexe'

Handle v3.11
Copyright (C) 1997-2005 Mark Russinovich
Sysinternals - www.sysinternals.com

798: File C:\ComboFix
Close handle 798 in CF8633.exe (PID 3108)? (y/n)
Handle closed.

IF EXIST "\ComboFix" RD /s/q "\ComboFix"

IF EXIST "\ComboFix" GOTO :eof

Simicek
Návštěvník
Návštěvník
Příspěvky: 177
Registrován: 23 črc 2008 19:09

Re: Win32/Mebroot.K

#154 Příspěvek od Simicek »

A tady je HJT

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:47:06, on 7.8.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.17184)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\PAStiSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\UAService7.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Conexant\AccessRunner ADSL\CnxDslTb.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\Nokia PC Suite 6\LaunchApplication.exe
C:\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\CF8633.exe
C:\WINDOWS\explorer.exe
C:\Mozilla Firefox\firefox.exe
C:\QIP\qip.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Media Player Classic\mplayerc.exe
C:\Documents and Settings\Diablo Hit ADSL\Plocha\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 62.177.100.36:80
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CnxDslTaskBar] "C:\Program Files\Conexant\AccessRunner ADSL\CnxDslTb.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [SBCSTray] C:\CounterSpy\SBCSTray.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Steam] "c:\steam\steam.exe" -silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [OM2_Monitor] "C:\Program Files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: Download all links using BitComet - res://C:\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Download link using &BitComet - res://C:\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: E&xportovat do aplikace Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\ICQ6ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\ICQ6ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.comfor.cz
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {4E218431-2F07-40BD-A9D3-035324C1F13F} (DyynoX Class) - http://webserver.dyyno.com/DyynoClient/DyynoCAB.CAB
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://files.ea.com/downloads/rtpatch/v2/EARTPX.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{122A31A9-9348-496C-A5C6-0236389914D8}: NameServer = 212.20.96.34 195.250.128.234
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: MSSQL$SONY_MEDIAMGR - Unknown owner - C:\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe (file missing)
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PCLEPCI - Pinnacle Systems GmbH - C:\WINDOWS\system32\drivers\pclepci.sys
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\CounterSpy\SBCSSvc.exe
O23 - Service: SbPF.Launcher - Unknown owner - C:\Sunbelt Software\Personal Firewall\SbPFLnch.exe (file missing)
O23 - Service: ServiceLayer - Unknown owner - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe (file missing)
O23 - Service: SQLAgent$SONY_MEDIAMGR - Unknown owner - C:\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlagent.EXE (file missing)
O23 - Service: STI Simulator - Unknown owner - C:\WINDOWS\System32\PAStiSvc.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\system32\UAService7.exe

--
End of file - 9297 bytes

Uživatelský avatar
stell
VIP
VIP
Příspěvky: 5175
Registrován: 09 pro 2007 09:27
Bydliště: SK-REVUCA
Kontaktovat uživatele:

Re: Win32/Mebroot.K

#155 Příspěvek od stell »

Vies mi opisat ze co si robil s combofixom ze takyto log ti dalo??
Dôležité informácie.
NEŠLAPE Vám počítač?
Je zavirovaný? Šlape pomalu? Nefunguje program? Problém s instalací?
Využíjte služby vzdálené pomoci!
Obrázek
e-mail: stell(zavináč)forum.viry.cz
Thanks! Vďaka!

Obrázek

Simicek
Návštěvník
Návštěvník
Příspěvky: 177
Registrován: 23 črc 2008 19:09

Re: Win32/Mebroot.K

#156 Příspěvek od Simicek »

mě se nic neobjevilo to bylo v pruzkumníku

Uživatelský avatar
stell
VIP
VIP
Příspěvky: 5175
Registrován: 09 pro 2007 09:27
Bydliště: SK-REVUCA
Kontaktovat uživatele:

Re: Win32/Mebroot.K

#157 Příspěvek od stell »

Precital si ze co som napisal?,takze este raz a po lopate:
Stlac>START>Klik>spustit >napis NOTEPAD klik ok
Do notepad skopiruj zeleny text:

Kód: Vybrat vše

KILLALL::

Rootkit::
C:\DOCUME~1\DIABLO~1\LOCALS~1\Temp\ldiskl.sys
Driver::
ldiskl
Folder::
C:\SDFix
DirLook::
C:\Crack
Potom klik v NOTEPAD>NA Subor -> Uložiť ako.. .. -> Ako je Názov souboru tak do toho riadku napiš:CFScript.txt
Typ súboru tak tam vyberies *všetky súbory
A ulož ho na plochu.> Pozor CFScript.txt>Neotvarat a nemoze byt ani>CFScript.txt.txt A Urobis Toto :
Obrázek

Po skonceni skenu vlož log čo ComboFix vytvorí+novy HiJackThis.log
Dôležité informácie.
NEŠLAPE Vám počítač?
Je zavirovaný? Šlape pomalu? Nefunguje program? Problém s instalací?
Využíjte služby vzdálené pomoci!
Obrázek
e-mail: stell(zavináč)forum.viry.cz
Thanks! Vďaka!

Obrázek

Simicek
Návštěvník
Návštěvník
Příspěvky: 177
Registrován: 23 črc 2008 19:09

Re: Win32/Mebroot.K

#158 Příspěvek od Simicek »

nic mě nevyskočilo

Simicek
Návštěvník
Návštěvník
Příspěvky: 177
Registrován: 23 črc 2008 19:09

Re: Win32/Mebroot.K

#159 Příspěvek od Simicek »

Udělal jsem to podle toho co ten příkaz je správně???

Uživatelský avatar
stell
VIP
VIP
Příspěvky: 5175
Registrován: 09 pro 2007 09:27
Bydliště: SK-REVUCA
Kontaktovat uživatele:

Re: Win32/Mebroot.K

#160 Příspěvek od stell »

Za 4 minuty ani nemohlo.
Takto mas na ploche CFScript.txt co si vytvoril podla navodu??
Dôležité informácie.
NEŠLAPE Vám počítač?
Je zavirovaný? Šlape pomalu? Nefunguje program? Problém s instalací?
Využíjte služby vzdálené pomoci!
Obrázek
e-mail: stell(zavináč)forum.viry.cz
Thanks! Vďaka!

Obrázek

Simicek
Návštěvník
Návštěvník
Příspěvky: 177
Registrován: 23 črc 2008 19:09

Re: Win32/Mebroot.K

#161 Příspěvek od Simicek »

nic mě nevyskočilo

Uživatelský avatar
stell
VIP
VIP
Příspěvky: 5175
Registrován: 09 pro 2007 09:27
Bydliště: SK-REVUCA
Kontaktovat uživatele:

Re: Win32/Mebroot.K

#162 Příspěvek od stell »

Kde som ti pisal ze daco ti ma vyskocit??Pisal som ti aby si vytvoril CFScript.txt podla navodu.Takze precitaj posledny navod >sprav CFScript.txt ako som napisal>uloz ho na plochu ak to budes mat tak napis.OK
Dôležité informácie.
NEŠLAPE Vám počítač?
Je zavirovaný? Šlape pomalu? Nefunguje program? Problém s instalací?
Využíjte služby vzdálené pomoci!
Obrázek
e-mail: stell(zavináč)forum.viry.cz
Thanks! Vďaka!

Obrázek

Simicek
Návštěvník
Návštěvník
Příspěvky: 177
Registrován: 23 črc 2008 19:09

Re: Win32/Mebroot.K

#163 Příspěvek od Simicek »

ComboFIX
ComboFix 08-08-07.01 - Diablo Hit ADSL 2008-08-08 8:06:48.2 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.2.1250.1.1029.18.250 [GMT 2:00]
Running from: C:\Documents and Settings\Diablo Hit ADSL\Plocha\ComboFix.exe
Command switches used :: C:\Documents and Settings\Diablo Hit ADSL\Plocha\CFScript.txt
* Created a new restore point
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\DOCUME~1\DIABLO~1\LOCALS~1\Temp\ldiskl.sys
C:\SDFix
C:\SDFix\apps\assosfix.reg
C:\SDFix\apps\cliptext.exe
C:\SDFix\apps\download.exe
C:\SDFix\apps\dummy.sys
C:\SDFix\apps\Enable_Command_Prompt.reg
C:\SDFix\apps\ERDNT.E_E
C:\SDFix\apps\ERDNTDOS.LOC
C:\SDFix\apps\ERDNTWIN.LOC
C:\SDFix\apps\ERUNT.EXE
C:\SDFix\apps\ERUNT.LOC
C:\SDFix\apps\fix.reg
C:\SDFix\apps\FixBH.reg
C:\SDFix\apps\FixComponents.reg
C:\SDFix\apps\FIXCU.reg
C:\SDFix\apps\FIXLM.reg
C:\SDFix\apps\FixPath.exe
C:\SDFix\apps\FixRedir.reg
C:\SDFix\apps\FixSchedule.reg
C:\SDFix\apps\FixWebCheck.reg
C:\SDFix\apps\fixXP.reg
C:\SDFix\apps\FixXPsp2.reg
C:\SDFix\apps\grep.exe
C:\SDFix\apps\HaxdFix.reg
C:\SDFix\apps\HPFix.reg
C:\SDFix\apps\HPFix2.reg
C:\SDFix\apps\HPFix3.reg
C:\SDFix\apps\HPFix4.reg
C:\SDFix\apps\HPFix5.reg
C:\SDFix\apps\HPFix6.reg
C:\SDFix\apps\HPFix7.reg
C:\SDFix\apps\HPFix8.reg
C:\SDFix\apps\HPFix9.reg
C:\SDFix\apps\isadmin.exe
C:\SDFix\apps\leg2.txt
C:\SDFix\apps\legacy.txt
C:\SDFix\apps\legacybk.txt
C:\SDFix\apps\locate.com
C:\SDFix\apps\LS.exe
C:\SDFix\apps\MD5File.exe
C:\SDFix\apps\moveex.exe
C:\SDFix\apps\MyGcpvFix.reg
C:\SDFix\apps\MyGkFix2.reg
C:\SDFix\apps\Process.exe
C:\SDFix\apps\procs.exe
C:\SDFix\apps\psservice.exe
C:\SDFix\apps\Rem.txt
C:\SDFix\apps\Rem2.txt
C:\SDFix\apps\Replace\regedit.exe
C:\SDFix\apps\Replace\W2K.exe
C:\SDFix\apps\Replace\w2k\beep.sys
C:\SDFix\apps\Replace\w2k\null.sys
C:\SDFix\apps\Replace\XP.exe
C:\SDFix\apps\Replace\xp\beep.sys
C:\SDFix\apps\Replace\xp\null.sys
C:\SDFix\apps\Reset_AppInit_DLLs.reg
C:\SDFix\apps\RestartIt!.exe
C:\SDFix\apps\Restore_SecurityCenter.reg
C:\SDFix\apps\Restore_SharedAccess.reg
C:\SDFix\apps\sc.exe
C:\SDFix\apps\sed.exe
C:\SDFix\apps\SF.exe
C:\SDFix\apps\shutdown.exe
C:\SDFix\apps\srv2.txt
C:\SDFix\apps\srv2bk.txt
C:\SDFix\apps\svc.txt
C:\SDFix\apps\svcbk.txt
C:\SDFix\apps\swreg.exe
C:\SDFix\apps\swsc.exe
C:\SDFix\apps\unzip.exe
C:\SDFix\apps\vfind.exe
C:\SDFix\apps\WINMSG.EXE
C:\SDFix\apps\winsec.reg
C:\SDFix\apps\zip.exe
C:\SDFix\backups\backupreg.zip
C:\SDFix\backups\backups.zip
C:\SDFix\backups\HOSTS
C:\SDFix\catchme.exe
C:\SDFix\dummy.sys
C:\SDFix\Report.txt
C:\SDFix\RunThis.bat
C:\SDFix\SDFIX_ReadMe_Online.url
C:\SDFix\sinowaltest1.txt
C:\SDFix\W2K_VirusAlert_Repair.inf
C:\SDFix\XP_VirusAlert_Repair.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_LDISKL
-------\Service_ldiskl


((((((((((((((((((((((((( Files Created from 2008-07-08 to 2008-08-08 )))))))))))))))))))))))))))))))
.

2008-08-07 20:20 . 2008-08-07 20:20 <DIR> d-------- C:\Documents and Settings\Diablo Hit ADSL\DoctorWeb
2008-08-07 20:14 . 2008-08-07 20:16 11,070,632 --a------ C:\cureit.exe
2008-08-07 20:12 . 2008-08-07 20:12 <DIR> d-------- C:\jirka flash
2008-08-07 19:47 . 2008-08-07 20:21 100,000,000 --a------ C:\pkmCZ_S01E03.part1.rar
2008-08-07 18:42 . 2008-08-07 18:42 <DIR> d-------- C:\Pokemon
2008-08-07 09:16 . 2008-08-07 09:16 <DIR> d-------- C:\WINDOWS\ERUNT
2008-08-07 07:09 . 2007-06-08 21:27 <DIR> d-a------ C:\Crack
2008-08-04 08:26 . 2008-08-04 08:30 9,730,075 --a------ C:\vlc-0.8.6f-win32.exe
2008-08-04 08:25 . 2008-08-04 08:30 12,724,973 --a------ C:\klmcodec410.exe
2008-08-03 19:05 . 2008-08-03 19:06 15,544 --a------ C:\WINDOWS\system32\drivers\sbhr.sys
2008-08-03 19:03 . 2008-08-03 19:03 <DIR> d-------- C:\Sunbelt CounterSpy v2.5.1042
2008-08-03 19:01 . 2008-08-03 19:01 <DIR> d-------- C:\CounterSpy
2008-08-03 18:31 . 2008-08-03 19:00 73,491,568 --a------ C:\_Countspy2.5.1042.rar
2008-07-30 08:59 . 2008-07-30 09:00 <DIR> d-------- C:\GameBoy Advence
2008-07-30 08:58 . 2008-07-30 08:58 <DIR> d-------- C:\GameBoy
2008-07-28 21:02 . 2008-07-28 21:02 <DIR> d-------- C:\backups
2008-07-27 18:00 . 2008-07-27 18:00 355,333 --a------ C:\Recount-r79128.zip
2008-07-26 23:38 . 2008-07-26 23:37 502,368 --a------ C:\WINDOWS\system32\drivers\amon.sys
2008-07-26 23:38 . 2008-07-26 23:37 270,336 --a------ C:\WINDOWS\system32\imon.dll
2008-07-24 21:59 . 2008-07-24 22:01 1,325 --a------ C:\WINDOWS\mozver.dat
2008-07-23 21:30 . 2008-07-23 21:30 401,720 --a------ C:\HijackThis.exe
2008-07-22 22:56 . 2008-07-22 23:10 77,896,616 --a------ C:\counterspy.exe
2008-07-10 19:59 . 2008-08-08 07:51 20,986 --a------ C:\WINDOWS\system32\drivers\fwdrv.err
2008-07-10 19:46 . 2008-07-10 19:46 <DIR> d-------- C:\Program Files\Sunbelt Software
2008-07-10 19:36 . 2008-07-10 19:38 7,421,312 --a------ C:\Kerio_Personal_FireWall_4.3.268.zip
2008-07-10 19:31 . 2008-06-21 04:54 269,736 -ra------ C:\WINDOWS\system32\drivers\SbFw.sys
2008-07-10 19:31 . 2008-06-21 04:54 65,576 --a------ C:\WINDOWS\system32\drivers\SbFwIm.sys
2008-07-09 22:46 . 2008-07-09 22:46 <DIR> d--h----- C:\WINDOWS\ie8

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-02 20:41 301,726 ----a-w C:\wowrm104cz.zip
2008-07-01 20:11 2,047,416 ----a-w C:\qip8070.exe
2008-07-01 18:18 1,647,004 ----a-w C:\qip2005pack.exe
2008-06-28 13:53 --------- d-----w C:\Program Files\NOD32 FiX
2008-06-20 17:42 247,296 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 17:42 247,296 ----a-w C:\WINDOWS\system32\dllcache\mswsock.dll
2008-06-20 17:42 148,992 ----a-w C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\dllcache\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\dllcache\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\dllcache\tcpip6.sys
2008-06-14 18:00 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-14 18:00 272,128 ------w C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-02 14:28 19,854,392 ----a-w C:\Norman_Malware_Cleaner.exe
2008-05-30 23:22 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
2008-05-30 23:22 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
2008-05-30 23:22 815,104 ----a-w C:\WINDOWS\system32\divx_xx0a.dll
2008-05-30 23:22 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
2008-05-30 23:22 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
2008-05-30 23:22 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
2008-05-30 23:22 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
2008-05-30 23:22 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
2008-05-30 23:22 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
2008-05-30 23:22 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
2008-05-22 22:22 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
2008-05-22 22:22 129,784 ------w C:\WINDOWS\system32\pxafs.dll
2008-05-22 22:22 120,056 ------w C:\WINDOWS\system32\pxcpyi64.exe
2008-05-22 22:22 118,520 ------w C:\WINDOWS\system32\pxinsi64.exe
2008-05-22 22:20 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2008-05-22 22:20 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2008-05-22 22:19 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
2008-05-22 22:19 161,096 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2008-05-22 22:18 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\dllcache\rmcast.sys
2007-03-28 18:05 33 ----a-w C:\Program Files\Common Files\LanTingSys.txt
2005-01-03 18:11 15,386 ----a-w C:\Documents and Settings\Diablo Hit ADSL\BestTimes.dat
2005-10-26 07:49 1,682 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
2005-10-26 07:49 56 --sh--r C:\WINDOWS\system32\32CE239226.sys
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of C:\Crack ----

2006-07-21 20:15 492 --a------ C:\Crack\notes.txt
2006-07-21 20:15 43008 --a------ C:\Crack\SKPF43268CRK.exe
2004-12-31 11:42 5106 --a------ C:\Crack\keygen.nfo


((((((((((((((((((((((((((((( snapshot@2008-08-07_20.43.51.95 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-10-20 18:02:28 163,328 ----a-w C:\WINDOWS\erdnt\subs\ERDNT.EXE
- 2008-08-07 09:28:42 5,120 ----a-r C:\WINDOWS\Installer\{789289CA-F73A-4A16-A331-54D498CE069F}\Icon789289CA.exe
+ 2008-08-07 19:04:46 5,120 ----a-r C:\WINDOWS\Installer\{789289CA-F73A-4A16-A331-54D498CE069F}\Icon789289CA.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 17:24 1694208]
"Steam"="c:\steam\steam.exe" [2008-03-28 15:20 1271032]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-18 14:00 15360]
"OM2_Monitor"="C:\Program Files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe" [2007-09-11 18:43 95536]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-03-09 15:29 7561216]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"CnxDslTaskBar"="C:\Program Files\Conexant\AccessRunner ADSL\CnxDslTb.exe" [2004-04-29 08:00 462848]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe" [2004-09-28 20:26 32881]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-03-09 15:29 86016]
"PCSuiteTrayApplication"="C:\Nokia PC Suite 6\LaunchApplication.exe" [2007-03-23 13:20 227328]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-01-10 15:27 385024]
"iTunesHelper"="C:\iTunes\iTunesHelper.exe" [2008-01-15 03:22 267048]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2008-07-26 23:36 917504]
"SBCSTray"="C:\CounterSpy\SBCSTray.exe" [2007-11-28 12:57 698864]
"nwiz"="nwiz.exe" [2006-03-09 15:29 1519616 C:\WINDOWS\system32\nwiz.exe]
"SoundMan"="SOUNDMAN.EXE" [2003-11-13 18:23 62464 C:\WINDOWS\SOUNDMAN.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-18 14:00 15360]
"Nokia.PCSync"="C:\Nokia PC Suite 6\PcSync2.exe" [2007-03-27 15:58 1744896]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.dvsd"= dvc.dll
"VIDC.XFR1"= xfcodec.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Nabídka Start^Programy^Po spuštění^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Nabídka Start\Programy\Po spuštění\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Diablo Hit ADSL^Nabídka Start^Programy^Po spuštění^PowerReg Scheduler V3.exe]
path=C:\Documents and Settings\Diablo Hit ADSL\Nabídka Start\Programy\Po spuštění\PowerReg Scheduler V3.exe
backup=C:\WINDOWS\pss\PowerReg Scheduler V3.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-01-15 03:22 267048 C:\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 17:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-01-10 15:27 385024 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--a------ 2003-10-31 19:42 32768 C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 SBHR;SBHR;C:\WINDOWS\system32\drivers\sbhr.sys [2008-08-03 19:06]
R1 fwdrv;Firewall Driver;C:\WINDOWS\system32\drivers\fwdrv.sys [2006-07-18 12:02]
R1 khips;Kerio HIPS Driver;C:\WINDOWS\system32\drivers\khips.sys [2006-07-18 12:02]
R1 SbFw;SbFw;C:\WINDOWS\system32\drivers\SbFw.sys [2008-06-21 04:54]
R2 athsgt;athsgt;C:\WINDOWS\system32\DRIVERS\athsgt.sys [2006-05-03 15:21]
R2 limsgt;limsgt;C:\WINDOWS\system32\DRIVERS\limsgt.sys [2006-05-03 15:21]
R3 CnxEtP;Conexant AccessRunner USB ADSL WAN Adapter Filter Driver;C:\WINDOWS\system32\DRIVERS\CnxEtP.sys [2004-04-28 18:47]
R3 CnxEtU;Conexant AccessRunner USB ADSL Interface Device Driver;C:\WINDOWS\system32\DRIVERS\CnxEtU.sys [2004-04-28 18:48]
R3 CnxTgN;Conexant AccessRunner USB ADSL WAN Adapter Driver;C:\WINDOWS\system32\DRIVERS\CnxTgN.sys [2004-04-29 07:51]
R3 PSched;Plánovač paketů technologie QoS;C:\WINDOWS\system32\DRIVERS\psched.sys [2004-08-18 14:00]
R3 SBAPIFS;SBAPIFS;C:\WINDOWS\system32\drivers\sbapifs.sys []
R3 SBFWIMCL;Sunbelt Software Firewall NDIS IM Filter Miniport;C:\WINDOWS\system32\DRIVERS\sbfwim.sys [2008-06-21 04:54]
S1 SpyEmrg;Spy Emergency Driver;C:\WINDOWS\system32\Drivers\spyemrg.sys []
S2 SbPF.Launcher;SbPF.Launcher;C:\Sunbelt Software\Personal Firewall\SbPFLnch.exe []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\CDSTART.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{523c05c4-9c28-11dc-9242-000a4819c49a}]
\Shell\AutoRun\command - I:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bd9dcf83-479e-11d9-92c8-806d6172696f}]
\shell\play\Command - "C:\Program Files\Windows Media Player\wmplayer.exe" /prefetch:3 /device:AudioCD "%L"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e594840a-935a-11da-86e0-000a4819c49a}]
\Shell\AutoRun\command - E:\Autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f923aa49-84e4-11da-8675-000a4819c49a}]
\Shell\AutoRun\command - E:\Autorun.exe

*Newly Created Service* - SBAPIFS
.
Contents of the 'Scheduled Tasks' folder

2008-08-04 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-08 08:19:49
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\lsass.exe
-> C:\Program Files\Eset\pr_imon.dll
.
------------------------ Other Running Processes ------------------------
.
C:\PROGRAM FILES\COMMON FILES\APPLE\MOBILE DEVICE SUPPORT\BIN\APPLEMOBILEDEVICESERVICE.EXE
C:\PROGRAM FILES\SYMANTEC\LIVEUPDATE\ALUSCHEDULERSVC.EXE
C:\PROGRAM FILES\GRISOFT\AVG ANTI-SPYWARE 7.5\GUARD.EXE
C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
C:\PROGRAM FILES\SUNBELT SOFTWARE\PERSONAL FIREWALL\KPF4SS.EXE
C:\PROGRAM FILES\ESET\NOD32KRN.EXE
C:\WINDOWS\SYSTEM32\PASTISVC.EXE
C:\PROGRAM FILES\SUNBELT SOFTWARE\PERSONAL FIREWALL\KPF4GUI.EXE
C:\WINDOWS\SYSTEM32\UASERVICE7.EXE
C:\PROGRAM FILES\SUNBELT SOFTWARE\PERSONAL FIREWALL\KPF4GUI.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\imapi.exe
.
**************************************************************************
.
Completion time: 2008-08-08 8:25:14 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-08 06:24:58
ComboFix2.txt 2008-08-07 18:45:32

Pre-Run: Volných bajtů: 38,462,750,720
Post-Run: Volněch bajt…: 38,384,336,896

310 --- E O F --- 2008-07-09 21:23:55

Simicek
Návštěvník
Návštěvník
Příspěvky: 177
Registrován: 23 črc 2008 19:09

Re: Win32/Mebroot.K

#164 Příspěvek od Simicek »

TADY JE HJT
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:26:30, on 8.8.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.17184)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\PAStiSvc.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\UAService7.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Conexant\AccessRunner ADSL\CnxDslTb.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\Nokia PC Suite 6\LaunchApplication.exe
C:\iTunes\iTunesHelper.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Diablo Hit ADSL\Plocha\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CnxDslTaskBar] "C:\Program Files\Conexant\AccessRunner ADSL\CnxDslTb.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [SBCSTray] C:\CounterSpy\SBCSTray.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Steam] "c:\steam\steam.exe" -silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [OM2_Monitor] "C:\Program Files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: Download all links using BitComet - res://C:\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Download link using &BitComet - res://C:\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: E&xportovat do aplikace Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\ICQ6ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\ICQ6ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.comfor.cz
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {4E218431-2F07-40BD-A9D3-035324C1F13F} (DyynoX Class) - http://webserver.dyyno.com/DyynoClient/DyynoCAB.CAB
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://files.ea.com/downloads/rtpatch/v2/EARTPX.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{122A31A9-9348-496C-A5C6-0236389914D8}: NameServer = 212.20.96.34 195.250.128.234
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: MSSQL$SONY_MEDIAMGR - Unknown owner - C:\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe (file missing)
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PCLEPCI - Pinnacle Systems GmbH - C:\WINDOWS\system32\drivers\pclepci.sys
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\CounterSpy\SBCSSvc.exe
O23 - Service: SbPF.Launcher - Unknown owner - C:\Sunbelt Software\Personal Firewall\SbPFLnch.exe (file missing)
O23 - Service: ServiceLayer - Unknown owner - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe (file missing)
O23 - Service: SQLAgent$SONY_MEDIAMGR - Unknown owner - C:\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlagent.EXE (file missing)
O23 - Service: STI Simulator - Unknown owner - C:\WINDOWS\System32\PAStiSvc.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\system32\UAService7.exe

--
End of file - 9163 bytes

Uživatelský avatar
stell
VIP
VIP
Příspěvky: 5175
Registrován: 09 pro 2007 09:27
Bydliště: SK-REVUCA
Kontaktovat uživatele:

Re: Win32/Mebroot.K

#165 Příspěvek od stell »

Zmaz>C:\Crack

ok;
Start>spustit vloz tam combofix /u ok
Odinstaluj všechny verze Javy přes Start - Nastavení - Ovládací panely - Přidat nebo odebrat programy
- Poté stáhni a nainstaluj nejnovější verzi - Java Runtime Environment (JRE) 6 Update 6 - http://java.sun.com/javase/downloads/index.jsp
Stáhni, nainstaluj a spusť program CCleaner - http://www.ccleaner.com/download/downloadpage.aspx?f=2
- Klikni na Cleaner -> záložku Windows a stiskni Analyzovat a poté Spustit Cleaner
- Klikni na záložku Aplikace a stiskni Analyzovat a poté Spustit Cleaner
- Klikni na Registry, stiskni Hledej problémy, po dokončení skenování klikni na Opravit vybrané problémy,
-zvol Ano pro vytvoření zálohy, ulož nabídnutý soubor a klikni na Opravit všechny problémy,stale mackat gombik kym na pravej strane v okne CCleaner nebude cisto
A teraz spust WEB CUREIT KOMPLET scen,Po skonceni zmen vsetky hesla co pouzivas a skoncili sme.
Dôležité informácie.
NEŠLAPE Vám počítač?
Je zavirovaný? Šlape pomalu? Nefunguje program? Problém s instalací?
Využíjte služby vzdálené pomoci!
Obrázek
e-mail: stell(zavináč)forum.viry.cz
Thanks! Vďaka!

Obrázek

Zamčeno