
PC disinfection, computer speed-up, remote assistance via the neslape.cz service
Win32/Mebroot.K
Moderator: Moderators
Forum rules
If you want help, post a log from FRST [guide here] or RSIT [guide here]
Individual threads will be locked once resolved, as will those inactive for more than 14 days. See the Rule on locking topics. Thank you for your understanding.
!NEWS!
You can now use the remote assistance service, where an expert connects to your computer and obtains further details about the problem from you by phone! More at www.neslape.cz
-
- Visitor
- Posts: 26
- Registered: 31 Jul 2005 16:16
- Location: Poděbrady
- Contact user:
Re: Win32/Mebroot.K
I ran it and this log was saved to the desktop
Stealth MBR rootkit detector 0.2.4 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
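The three lines "user: MBR read successfully", "kernel: MBR read successfully" and "user & kernel MBR OK" describe a cross-view check: the first sector of the disk is read through two independent paths and the copies are compared. An MBR bootkit that intercepts disk reads to hand back the original sector hides from a single read but shows up as a disagreement between the two views. The following Python is an added illustration of that comparison logic written for this page; it is not GMER's code and makes no claim about how the tool obtains its two reads. It works on constructed 512-byte sectors built inline (the boot-code bytes, partition layout and the hypothetical "modified" sector are all sample data).

```python
import hashlib
import struct

# Layout of a classic MBR sector: 446 bytes of boot code, four 16-byte
# partition entries, and the 0x55AA boot signature in the last two bytes.
SECTOR_SIZE = 512
PART_TABLE_OFFSET = 446
BOOT_SIG_OFFSET = 510


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Construct a sample 512-byte MBR (not from any real disk) with the given
    boot code and a single bootable NTFS partition starting at LBA 63."""
    sector = bytearray(SECTOR_SIZE)
    sector[:len(boot_code)] = boot_code
    # status 0x80 = bootable, CHS fields zeroed, type 0x07 = NTFS,
    # first LBA 63, 2,000,000 sectors long.
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00\x00\x00", 0x07,
                        b"\x00\x00\x00", 63, 2_000_000)
    sector[PART_TABLE_OFFSET:PART_TABLE_OFFSET + 16] = entry
    sector[BOOT_SIG_OFFSET:] = b"\x55\xAA"
    return bytes(sector)


def parse_mbr(sector: bytes) -> dict:
    """Split one MBR read into a boot-code hash, the signature check and the partition table."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly 512 bytes")
    partitions = []
    for i in range(4):
        offset = PART_TABLE_OFFSET + 16 * i
        status, ptype, lba_start, count = struct.unpack_from("<B3xB3xII", sector, offset)
        if ptype != 0:  # type 0 marks an unused slot
            partitions.append({"index": i, "bootable": status == 0x80,
                               "type": ptype, "lba_start": lba_start, "sectors": count})
    return {
        "signature_ok": sector[BOOT_SIG_OFFSET:] == b"\x55\xAA",
        "bootcode_sha256": hashlib.sha256(sector[:PART_TABLE_OFFSET]).hexdigest(),
        "partitions": partitions,
    }


def compare_views(user_view: bytes, kernel_view: bytes) -> list:
    """Cross-view check: the same sector obtained through two independent read
    paths must agree. A disk-level hook that hands clean data back on one path
    but not the other shows up here as a mismatch."""
    findings = []
    u, k = parse_mbr(user_view), parse_mbr(kernel_view)
    if not (u["signature_ok"] and k["signature_ok"]):
        findings.append("missing 0x55AA boot signature")
    if u["bootcode_sha256"] != k["bootcode_sha256"]:
        findings.append("boot code differs between user and kernel reads")
    if u["partitions"] != k["partitions"]:
        findings.append("partition table differs between user and kernel reads")
    return findings


def report(user_view: bytes, kernel_view: bytes) -> str:
    """One-line verdict in the spirit of the scanner output quoted above."""
    findings = compare_views(user_view, kernel_view)
    if not findings:
        return "user & kernel MBR OK"
    return "user & kernel MBR DIFFER: " + "; ".join(findings)


if __name__ == "__main__":
    # Constructed data: a normal MBR, and the same disk as it would look if the
    # stored boot code had been replaced while the partition table was left alone.
    clean = build_sample_mbr(b"\x33\xc0\x8e\xd0\xbc\x00\x7c")
    modified = build_sample_mbr(b"\xeb\xfe\x90\x90")
    print(report(clean, clean))      # both paths agree
    print(report(clean, modified))   # the two reads disagree
```

The partition table is compared as parsed values rather than raw bytes so that the verdict says which part of the sector changed; an infected MBR typically keeps the partition table intact and only swaps the boot code, which is exactly the case the second call exercises.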
- stell
- VIP in memoriam
- Posts: 5175
- Registered: 09 Dec 2007 09:27
- Location: SK-REVUCA
- Contact user:
Re: Win32/Mebroot.K
hm, interesting
We'll use SDFix in Safe Mode > download it from here: >
>http://downloads.andymanchesta.com/Remo ... /SDFix.exe
After downloading, run the exe file; in the window that opens, choose the directory where the application will copy the files it needs (I recommend the default C:/SDFix)
Restart the computer into Safe Mode (press F8 during the restart, then choose Safe Mode from the menu; then wait a moment, a confirmation window will open offering to start a special diagnostic mode, confirm it with OK), open the directory mentioned above and run the application RunThis.bat
after pressing Y and Enter the scan itself starts, taking no longer than five minutes, during which you can enjoy the beautiful graphical rendering of the scan's progress
before the scan starts, SDFix backs up the registry and the hosts file; during the scan it then looks for junk according to the list mentioned above, deletes files in the Temp folders and looks for files with hidden attributes
after the scan finishes, SDFix prompts you to press any key to confirm a restart
after restarting into normal mode, a command prompt window appears again with information that the scan has finished and the log is being created; the log opens after the command prompt window closes automatically, and it is then available in the directory you chose where SDFix resides; it is named Report.txt; paste its contents here.
-
- Visitor
- Posts: 26
- Registered: 31 Jul 2005 16:16
- Location: Poděbrady
- Contact user:
Re: Win32/Mebroot.K
so here is the log
SDFix: Version 1.240
Run by Krejźˇk on p 21.11.2008 at 14:12
Microsoft Windows XP [Verze 5.1.2600]
Running From: E:\SDFix
Checking Services :
Restoring Default Security Values
Restoring Default Hosts File
Rebooting
Checking Files :
No Trojan Files Found
Removing Temp Files
ADS Check :
Final Check :
catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-21 14:24:47
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden services & system hive ...
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s1"=dword:2df9c43f
"s2"=dword:110480d0
"h0"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="E:\Program Files\DAEMON Tools Lite\"
"h0"=dword:00000000
"khjeh"=hex:06,0d,d8,2a,3b,3f,e8,b5,a0,5d,2d,03,5b,9e,45,77,5d,41,b6,01,b4,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,79,d3,1d,1d,17,b6,91,6c,d1,79,2b,bf,07,34,c8,01,4f,..
"khjeh"=hex:c4,e5,13,62,35,b9,f1,41,6d,b0,5a,02,8b,ad,f3,c5,83,52,eb,e6,19,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:43,3b,3f,f0,dd,55,2c,7f,40,88,60,74,dc,cc,96,19,94,31,a7,47,07,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="E:\Program Files\DAEMON Tools Lite\"
"h0"=dword:00000000
"khjeh"=hex:06,0d,d8,2a,3b,3f,e8,b5,a0,5d,2d,03,5b,9e,45,77,5d,41,b6,01,b4,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,79,d3,1d,1d,17,b6,91,6c,d1,79,2b,bf,07,34,c8,01,4f,..
"khjeh"=hex:c4,e5,13,62,35,b9,f1,41,6d,b0,5a,02,8b,ad,f3,c5,83,52,eb,e6,19,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:43,3b,3f,f0,dd,55,2c,7f,40,88,60,74,dc,cc,96,19,94,31,a7,47,07,..
scanning hidden registry entries ...
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Cursors\Schemes]
"\f\1e?r?n?é? ?u?k?a?z?a?t?e?l?e? ?"="E:\WINDOWS\cursors\arrow_r.cur,E:\WINDOWS\cursors\help_r.cur,E:\WINDOWS\cursors\wait_r.cur,E:\WINDOWS\cursors\busy_r.cur,E:\WINDOWS\cursors\cross_r.cur,E:\WINDOWS\cursors\beam_r.cur,E:\WINDOWS\cursors\pen_r.cur,E:\WINDOWS\cursors\no_r.cur,E:\WINDOWS\cursors\size4_r.cur,E:\WINDOWS\cursors\size3_r.cur,E:\WINDOWS\cursors\size2_r.cur,E:\WINDOWS\cursors\size1_r.cur,E:\WINDOWS\cursors\move_r.cur,E:\WINDOWS\cursors\up_r.cur"
"\f\1e?r?n?é? ?u?k?a?z?a?t?e?l?e? ?(?v?e?l?k?é?)?"="E:\WINDOWS\cursors\arrow_rm.cur,E:\WINDOWS\cursors\help_rm.cur,E:\WINDOWS\cursors\wait_rm.cur,E:\WINDOWS\cursors\busy_rm.cur,E:\WINDOWS\cursors\cross_rm.cur,E:\WINDOWS\cursors\beam_rm.cur,E:\WINDOWS\cursors\pen_rm.cur,E:\WINDOWS\cursors\no_rm.cur,E:\WINDOWS\cursors\size4_rm.cur,E:\WINDOWS\cursors\size3_rm.cur,E:\WINDOWS\cursors\size2_rm.cur,E:\WINDOWS\cursors\size1_rm.cur,E:\WINDOWS\cursors\move_rm.cur,E:\WINDOWS\cursors\up_rm.cur"
"\f\1e?r?n?é? ?u?k?a?z?a?t?e?l?e? ?(?n?e?j?v?\e\1t?a\1í?)?"="E:\WINDOWS\cursors\arrow_rl.cur,E:\WINDOWS\cursors\help_rl.cur,E:\WINDOWS\cursors\wait_rl.cur,E:\WINDOWS\cursors\busy_rl.cur,E:\WINDOWS\cursors\cross_rl.cur,E:\WINDOWS\cursors\beam_rl.cur,E:\WINDOWS\cursors\pen_rl.cur,E:\WINDOWS\cursors\no_rl.cur,E:\WINDOWS\cursors\size4_rl.cur,E:\WINDOWS\cursors\size3_rl.cur,E:\WINDOWS\cursors\size2_rl.cur,E:\WINDOWS\cursors\size1_rl.cur,E:\WINDOWS\cursors\move_rl.cur,E:\WINDOWS\cursors\up_rl.cur"
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0
Remaining Services :
Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"E:\\Program Files\\Miranda IM\\miranda32.exe"="E:\\Program Files\\Miranda IM\\miranda32.exe:*:Enabled:Miranda IM"
"C:\\Miranda IM\\miranda32.exe"="C:\\Miranda IM\\miranda32.exe:*:Enabled:Miranda IM"
"E:\\Program Files\\SopCast\\SopCast.exe"="E:\\Program Files\\SopCast\\SopCast.exe:*:Enabled:SopCast"
"E:\\Program Files\\SopCast\\adv\\SopAdver.exe"="E:\\Program Files\\SopCast\\adv\\SopAdver.exe:*:Enabled:SopCast Adver"
"E:\\Program Files\\Orb Networks\\Orb\\bin\\Orb.exe"="E:\\Program Files\\Orb Networks\\Orb\\bin\\Orb.exe:*:Enabled:Orb"
"E:\\Program Files\\Orb Networks\\Orb\\bin\\OrbTray.exe"="E:\\Program Files\\Orb Networks\\Orb\\bin\\OrbTray.exe:*:Enabled:OrbTray"
"E:\\Program Files\\Orb Networks\\Orb\\bin\\OrbStreamerClient.exe"="E:\\Program Files\\Orb Networks\\Orb\\bin\\OrbStreamerClient.exe:*:Enabled:Orb Stream Client"
"E:\\Program Files\\Bonjour\\mDNSResponder.exe"="E:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"E:\\Program Files\\iTunes\\iTunes.exe"="E:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
Remaining Files :
Files with Hidden Attributes :
Mon 3 Mar 2008 5,702 A..H. --- E:\WINDOWS\NOD32R~1.REG
Mon 22 Jul 2002 418,816 ...HR --- E:\WINDOWS\SYSTEM32\TOOLS\ALL.EXE
Fri 19 Jul 2002 390,144 ...HR --- E:\WINDOWS\SYSTEM32\TOOLS\CHANGE.EXE
Fri 19 Jul 2002 574,464 ...HR --- E:\WINDOWS\SYSTEM32\TOOLS\CHECKP~1.EXE
Tue 20 Aug 2002 430,592 ...HR --- E:\WINDOWS\SYSTEM32\TOOLS\COUNTER.EXE
Tue 23 Jul 2002 390,656 ...HR --- E:\WINDOWS\SYSTEM32\TOOLS\DELFOL~1.EXE
Fri 22 Nov 2002 399,872 ...HR --- E:\WINDOWS\SYSTEM32\TOOLS\DIRECT~1.EXE
Fri 19 Jul 2002 388,096 ...HR --- E:\WINDOWS\SYSTEM32\TOOLS\REGCLEAN.EXE
Fri 19 Jul 2002 388,608 ...HR --- E:\WINDOWS\SYSTEM32\TOOLS\REGEXE.EXE
Mon 2 Dec 2002 431,616 ...HR --- E:\WINDOWS\SYSTEM32\TOOLS\RESTART.EXE
Fri 19 Jul 2002 388,096 ...HR --- E:\WINDOWS\SYSTEM32\TOOLS\RUNREG~1.EXE
Tue 15 Apr 2008 165,888 A..H. --- E:\KREJCIK\BRESSON\ZAKAZK~1\KOTLE-~1\OKP-KO~1\OKP-25~1\VP4288~1\~WRL0002.TMP
Thu 28 Aug 2008 165,376 A..H. --- E:\KREJCIK\BRESSON\ZAKAZK~1\KOTLE-~1\OKP-KO~1\OKP-25~1\VP4288~1\~WRL0004.TMP
Thu 28 Aug 2008 165,888 A..H. --- E:\KREJCIK\BRESSON\ZAKAZK~1\KOTLE-~1\OKP-KO~1\OKP-25~1\VP4288~1\~WRL0292.TMP
Thu 28 Aug 2008 165,888 A..H. --- E:\KREJCIK\BRESSON\ZAKAZK~1\KOTLE-~1\OKP-KO~1\OKP-25~1\VP4288~1\~WRL1743.TMP
Thu 28 Aug 2008 165,376 A..H. --- E:\KREJCIK\BRESSON\ZAKAZK~1\KOTLE-~1\OKP-KO~1\OKP-25~1\VP4288~1\~WRL3422.TMP
Finished!
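A Report.txt like the one above is triaged by hand on this forum: the catchme counters say whether anything was actively hidden, and the "Files with Hidden Attributes" list is skimmed for executables that have no business being hidden under the Windows directory. The Python below is an added example written for this page, not SDFix's or the forum's code, that turns those two sections into structured records and sorts the hidden files into review buckets. It assumes the line format seen in the posted log, reads the attribute column as attrib-style flags (H for hidden, R for read-only, an assumption), and the triage rules (Word's ~WRL*.TMP autosave files as low priority, hidden executables under \WINDOWS\ as worth reviewing) are my own heuristics; the embedded report is a constructed excerpt in the shape of the one posted.

```python
import re
from datetime import datetime

# Constructed excerpt in the shape of the SDFix Report.txt posted above.
SAMPLE_REPORT = r"""
Final Check :
catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0
Remaining Files :
Files with Hidden Attributes :
Mon 3 Mar 2008 5,702 A..H. --- E:\WINDOWS\NOD32R~1.REG
Mon 22 Jul 2002 418,816 ...HR --- E:\WINDOWS\SYSTEM32\TOOLS\ALL.EXE
Thu 28 Aug 2008 165,376 A..H. --- E:\KREJCIK\BRESSON\ZAKAZK~1\~WRL0004.TMP
Finished!
"""

# "Mon 22 Jul 2002 418,816 ...HR --- E:\path": weekday, day, month, year,
# size with thousands separators, a five-character attribute column, and the path.
HIDDEN_LINE = re.compile(
    r"^(?P<dow>[A-Za-z]{3}) (?P<day>\d{1,2}) (?P<mon>[A-Za-z]{3}) (?P<year>\d{4}) "
    r"(?P<size>[\d,]+) (?P<attrs>[A-Z.]{5}) --- (?P<path>.+)$")
# catchme summary counters: "hidden processes: 0" and friends.
COUNT_LINE = re.compile(r"^hidden (?P<what>processes|services|files): (?P<n>\d+)$")
EXEC_EXT = (".EXE", ".DLL", ".SYS", ".COM", ".SCR", ".PIF")


def parse_sdfix_report(text: str) -> dict:
    """Extract the catchme counters and the hidden-attribute file records."""
    counts, files = {}, []
    for line in text.splitlines():
        line = line.strip()
        m = COUNT_LINE.match(line)
        if m:
            counts[m["what"]] = int(m["n"])
            continue
        m = HIDDEN_LINE.match(line)
        if m:
            files.append({
                "modified": datetime.strptime(
                    f"{m['day']} {m['mon']} {m['year']}", "%d %b %Y").date(),
                "size": int(m["size"].replace(",", "")),
                "hidden": "H" in m["attrs"],      # assumption: attrib-style H flag
                "readonly": "R" in m["attrs"],    # assumption: attrib-style R flag
                "path": m["path"],
            })
    return {"hidden_counts": counts, "hidden_files": files}


def triage(record: dict) -> str:
    """Heuristic bucket for one hidden file: 'low', 'review' or 'info'."""
    path = record["path"].upper()
    name = path.rsplit("\\", 1)[-1]
    if name.startswith("~WRL") and name.endswith(".TMP"):
        return "low"       # Word autosave scratch file; hidden by design
    if path.endswith(EXEC_EXT) and "\\WINDOWS\\" in path:
        return "review"    # hidden executable under the OS directory: verify origin
    return "info"


def summarize(text: str) -> dict:
    """Counters, a stealth verdict, and the hidden files grouped by bucket."""
    parsed = parse_sdfix_report(text)
    buckets = {"review": [], "info": [], "low": []}
    for rec in parsed["hidden_files"]:
        buckets[triage(rec)].append(rec["path"])
    return {
        "counts": parsed["hidden_counts"],
        "stealth_detected": any(n > 0 for n in parsed["hidden_counts"].values()),
        **buckets,
    }


if __name__ == "__main__":
    result = summarize(SAMPLE_REPORT)
    print("catchme counters:", result["counts"], "stealth:", result["stealth_detected"])
    for bucket in ("review", "info", "low"):
        for path in result[bucket]:
            print(f"[{bucket:6}] {path}")
```

On the sample, the counters are all zero (nothing was actively hidden from the scanner, consistent with the "user & kernel MBR OK" result earlier in the thread), the system-directory executable lands in "review", and the Word temp file is demoted to "low". A "review" entry is a prompt to check the file's origin and hash, not a verdict by itself; old, read-only tool executables like the ones in the posted log are common on hand-tuned XP installs.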
- stell
- VIP in memoriam
- Posts: 5175
- Registered: 09 Dec 2007 09:27
- Location: SK-REVUCA
- Contact user:
Re: Win32/Mebroot.K
well, so far I don't see a trace of MEBROOT.K
PLEASE READ THE INSTRUCTIONS CAREFULLY!!!,
Download to the desktop, close all active windows and run ComboFix -
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
If ComboFix checks for an update > click > yes <
Agree to installing the Recovery Console
- ComboFix must be run under an account with administrator rights.
- After launch, the terms of use are displayed; confirm them by pressing Yes;
And once more > YES <
- Then follow the instructions; while ComboFix is running, do not click into the window that appears
- After the scan completes, which takes at most 10-15 minutes, the program should create a log - C:\ComboFix.txt; copy its entire contents into your thread on the forum
- Before using ComboFix it is necessary to disable all resident security programs - antivirus, firewalls, antispyware. They can interfere with ComboFix's operation, which can cause it not to work correctly.
If an antivirus detects ComboFix, it is a false alarm.
-
- Visitor
- Posts: 26
- Registered: 31 Jul 2005 16:16
- Location: Poděbrady
- Contact user:
Re: Win32/Mebroot.K
okay, will do; I'll just note that before this I ran Dr.Web CureIt and it "deleted" it
by the way, I found a guide here! http://www.eset.sk/buxus/generate_page. ... e_id=20688
-
- Visitor
- Posts: 26
- Registered: 31 Jul 2005 16:16
- Location: Poděbrady
- Contact user:
Re: Win32/Mebroot.K
so here is the requested log
ComboFix 08-11-20.02 - Krejčík 2008-11-21 14:54:09.1 - NTFSx86
Systém Microsoft Windows XP Professional 5.1.2600.3.1250.1.1029.18.826 [GMT 1:00]
Spuštěný z: e:\documents and settings\Krejčík\Plocha\ComboFix.exe
* Vytvořen nový Bod Obnovení
* Resident AV is active
.
((((((((((((((((((((((((((((((((((((((( Ostatní výmazy )))))))))))))))))))))))))))))))))))))))))))))))))
.
e:\documents and settings\Krejčík\Local Settings\Temporary Internet Files\REG.EXE
e:\documents and settings\Krejčík\Local Settings\Temporary Internet Files\UN32.EXE
e:\documents and settings\Krejčík\Local Settings\Temporary Internet Files\UN32.INI
.
((((((((((((((((((((((((( Soubory vytvořené od 2008-10-21 do 2008-11-21 )))))))))))))))))))))))))))))))
.
2008-11-21 14:11 . 2008-11-21 14:11 578,560 --a--c--- e:\windows\system32\dllcache\user32.dll
2008-11-21 14:10 . 2008-11-21 14:10 <DIR> d-------- e:\windows\ERUNT
2008-11-21 14:05 . 2008-11-21 14:28 <DIR> d-------- E:\SDFix
2008-11-20 20:29 . 2008-11-20 20:29 <DIR> d-------- e:\documents and settings\Krejčík\DoctorWeb
2008-11-20 20:29 . 2008-11-20 20:29 <DIR> d-------- e:\documents and settings\Krejčík\DoctorWeb
2008-11-14 15:41 . 2008-11-14 16:00 <DIR> d-------- e:\documents and settings\Krejčík\Data aplikací\DiskAid
2008-11-14 15:41 . 2008-11-14 16:00 <DIR> d-------- e:\documents and settings\Krejčík\Data aplikací\DiskAid
2008-11-14 15:41 . 2008-11-14 16:00 <DIR> d-------- e:\documents and settings\Krejčík\Data aplikací\DiskAid
2008-11-12 11:39 . 2008-09-04 18:17 1,106,944 -----c--- e:\windows\system32\dllcache\msxml3.dll
2008-11-12 11:39 . 2008-10-24 12:21 455,296 -----c--- e:\windows\system32\dllcache\mrxsmb.sys
2008-11-11 19:19 . 2008-11-11 19:19 <DIR> d-------- e:\program files\iTunes
2008-11-11 19:19 . 2008-11-11 19:19 <DIR> d-------- e:\program files\iPod
2008-11-11 19:19 . 2008-11-11 19:19 <DIR> d-------- e:\documents and settings\All Users\Data aplikací\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-11-11 19:19 . 2008-04-17 13:12 107,368 --a------ e:\windows\system32\GEARAspi.dll
2008-11-11 19:19 . 2008-04-17 13:12 15,464 --a------ e:\windows\system32\drivers\GEARAspiWDM.sys
2008-11-11 13:48 . 2008-11-11 13:48 <DIR> d-------- e:\program files\Bonjour
2008-11-11 13:47 . 2008-11-11 13:48 <DIR> d-------- e:\program files\QuickTime
2008-11-11 13:45 . 2008-11-11 13:45 <DIR> d-------- e:\program files\Apple Software Update
2008-11-08 20:13 . 2008-11-08 20:13 <DIR> d-------- e:\program files\DVDVideoSoft
2008-11-08 20:11 . 2008-11-08 20:13 7,974,075 --a------ e:\temp\FreeVideoToiPodConverter.exe
2008-11-08 20:10 . 2008-11-08 20:11 <DIR> d-------- E:\Temp
2008-11-08 19:10 . 2008-11-08 20:40 <DIR> d-------- e:\program files\ChrisTV PVR
2008-11-08 19:10 . 2007-02-07 11:01 22 --a------ e:\windows\system32\wnpa32.sys
2008-11-08 18:59 . 2008-11-08 19:01 <DIR> d-------- e:\program files\ChrisTV Online
2008-11-08 12:27 . 2008-08-08 07:04 545 --a------ e:\windows\UC.PIF
2008-11-08 12:27 . 2008-08-08 07:04 545 --a------ e:\windows\RAR.PIF
2008-11-08 12:27 . 2008-08-08 07:04 545 --a------ e:\windows\PKZIP.PIF
2008-11-08 12:27 . 2008-08-08 07:04 545 --a------ e:\windows\PKUNZIP.PIF
2008-11-08 12:27 . 2008-08-08 07:04 545 --a------ e:\windows\NOCLOSE.PIF
2008-11-08 12:27 . 2008-08-08 07:04 545 --a------ e:\windows\LHA.PIF
2008-11-08 12:27 . 2008-08-08 07:04 545 --a------ e:\windows\ARJ.PIF
2008-11-08 12:27 . 2008-11-08 12:28 542 --a------ e:\windows\wincmd.ini
2008-11-07 13:09 . 2008-11-07 13:09 <DIR> d-------- e:\program files\Cenega Czech
2008-11-05 20:05 . 2008-11-05 21:14 <DIR> d-------- e:\program files\Autodesk
2008-11-05 20:05 . 2008-11-05 20:05 <DIR> d-------- e:\documents and settings\All Users\Data aplikací\Autodesk, Inc
2008-11-05 19:56 . 2008-11-18 18:28 <DIR> d-------- e:\documents and settings\Krejčík\Data aplikací\Autodesk
2008-11-05 19:56 . 2008-11-18 18:28 <DIR> d-------- e:\documents and settings\Krejčík\Data aplikací\Autodesk
2008-11-05 19:56 . 2008-11-18 18:28 <DIR> d-------- e:\documents and settings\Krejčík\Data aplikací\Autodesk
2008-11-05 19:55 . 2008-11-05 19:57 <DIR> d-------- e:\program files\DWG TrueView 2009
2008-11-05 19:55 . 2008-11-05 21:14 <DIR> d-------- e:\documents and settings\All Users\Data aplikací\Autodesk
2008-11-02 00:18 . 2008-11-02 09:11 664 --a------ e:\windows\system32\d3d9caps.dat
2008-11-01 23:34 . 2008-11-05 20:54 <DIR> d-------- e:\program files\Common Files\Autodesk Shared
2008-11-01 23:34 . 2008-11-05 19:59 <DIR> d-------- e:\program files\AOEMView 2009
2008-11-01 19:24 . 2008-11-01 19:24 <DIR> d-------- e:\program files\Google
2008-11-01 11:59 . 2008-11-09 13:02 <DIR> d-------- e:\program files\SopCast
2008-10-31 19:16 . 2008-10-31 19:25 <DIR> d-------- e:\program files\Orb Networks
2008-10-29 18:33 . 2008-10-29 18:38 <DIR> d-------- e:\windows\NV26322572.TMP
2008-10-29 13:44 . 2008-10-29 13:44 <DIR> d-------- e:\program files\Trend Micro
2008-10-28 11:02 . 2008-10-28 11:02 <DIR> d-------- e:\windows\system32\LogFiles
2008-10-24 21:13 . 2008-11-20 14:15 69 --a------ e:\windows\NeroDigital.ini
2008-10-24 14:03 . 2008-10-24 14:03 <DIR> d-------- e:\documents and settings\Krejčík\Data aplikací\SolidWorksNewsReader
2008-10-24 14:03 . 2008-10-24 14:03 <DIR> d-------- e:\documents and settings\Krejčík\Data aplikací\SolidWorksNewsReader
2008-10-24 14:03 . 2008-10-24 14:03 <DIR> d-------- e:\documents and settings\Krejčík\Data aplikací\SolidWorksNewsReader
2008-10-24 14:02 . 2008-11-18 19:36 <DIR> d-------- e:\documents and settings\Krejčík\Data aplikací\SolidWorks
2008-10-24 14:02 . 2008-11-18 19:36 <DIR> d-------- e:\documents and settings\Krejčík\Data aplikací\SolidWorks
2008-10-24 14:02 . 2008-11-18 19:36 <DIR> d-------- e:\documents and settings\Krejčík\Data aplikací\SolidWorks
2008-10-24 14:00 . 2008-10-24 14:00 0 --a------ e:\windows\eDrawingOfficeAutomator.INI
2008-10-24 13:59 . 2008-10-24 13:59 <DIR> d-------- e:\documents and settings\Krejčík\Data aplikací\DWGeditor
2008-10-24 13:59 . 2008-10-24 13:59 <DIR> d-------- e:\documents and settings\Krejčík\Data aplikací\DWGeditor
2008-10-24 13:59 . 2008-10-24 13:59 <DIR> d-------- e:\documents and settings\Krejčík\Data aplikací\DWGeditor
2008-10-24 13:57 . 2008-10-24 13:58 <DIR> d-------- e:\program files\SolidWorks Installation Manager
2008-10-24 13:57 . 2004-11-05 10:08 670,208 --a------ e:\windows\system32\drivers\hardlock.sys
2008-10-24 13:56 . 2008-10-24 13:56 23 --ah----- e:\windows\yacht.xws
2008-10-24 13:55 . 2008-10-24 13:59 <DIR> d-------- e:\program files\Common Files\eDrawings2007
2008-10-24 13:52 . 2008-10-24 13:52 <DIR> d-------- e:\windows\system32\GroupPolicy
2008-10-24 13:50 . 2008-10-24 14:00 <DIR> d-------- e:\program files\Common Files\SolidWorks Shared
2008-10-24 13:49 . 2008-10-24 14:02 <DIR> d-------- e:\program files\SolidWorks
2008-10-24 13:49 . 2008-10-24 13:49 <DIR> d-------- e:\program files\Common Files\Solidworks Data
2008-10-24 13:44 . 2008-10-24 13:44 42 --a------ e:\windows\trailer.xws
2008-10-24 11:56 . 2008-10-15 17:38 337,408 -----c--- e:\windows\system32\dllcache\netapi32.dll
2008-10-23 16:12 . 2008-10-23 16:12 107,888 --a------ e:\windows\system32\CmdLineExt.dll
2008-10-23 16:11 . 2008-10-23 16:11 <DIR> d-------- e:\documents and settings\Krejčík\Data aplikací\Leadertech
2008-10-23 16:11 . 2008-10-23 16:11 <DIR> d-------- e:\documents and settings\Krejčík\Data aplikací\Leadertech
2008-10-23 16:11 . 2008-10-23 16:11 <DIR> d-------- e:\documents and settings\Krejčík\Data aplikací\Leadertech
2008-10-23 15:54 . 2008-10-23 16:13 <DIR> d-------- e:\program files\EA Sports
2008-10-23 15:54 . 2008-03-05 14:56 3,786,760 --a------ e:\windows\system32\D3DX9_37.dll
2008-10-23 15:54 . 2007-05-16 15:45 3,497,832 --a------ e:\windows\system32\d3dx9_34.dll
2008-10-23 15:54 . 2007-03-12 15:42 3,495,784 --a------ e:\windows\system32\d3dx9_33.dll
2008-10-23 15:54 . 2006-11-29 12:06 3,426,072 --a------ e:\windows\system32\d3dx9_32.dll
2008-10-23 15:54 . 2006-09-28 15:05 2,414,360 --a------ e:\windows\system32\d3dx9_31.dll
2008-10-23 15:54 . 2007-04-04 17:53 81,768 --a------ e:\windows\system32\xinput1_3.dll
2008-10-23 15:51 . 2008-10-23 15:51 <DIR> d-------- e:\program files\DAEMON Tools Toolbar
2008-10-23 15:49 . 2008-10-23 15:51 <DIR> d-------- e:\program files\DAEMON Tools Lite
2008-10-23 15:47 . 2008-10-23 15:47 <DIR> d-------- e:\documents and settings\Krejčík\Data aplikací\DAEMON Tools
2008-10-23 15:47 . 2008-10-23 15:47 <DIR> d-------- e:\documents and settings\Krejčík\Data aplikací\DAEMON Tools
2008-10-23 15:47 . 2008-10-23 15:47 <DIR> d-------- e:\documents and settings\Krejčík\Data aplikací\DAEMON Tools
2008-10-23 15:47 . 2008-10-23 15:47 717,296 --a------ e:\windows\system32\drivers\sptd.sys
2008-10-23 15:30 . 2008-10-04 11:22 4,713,709,568 --a------ E:\FIFA09CZ.iso
.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-21 13:54 --------- d-----w e:\program files\ESET
2008-11-21 13:50 --------- d-----w e:\program files\lg_fwupdate
2008-11-11 12:47 --------- d-----w e:\program files\Common Files\Apple
2008-11-08 19:40 --------- d-----w e:\program files\ChrisTV PVR
2008-11-08 19:14 --------- d-----w e:\program files\Common Files\DVDVideoSoft
2008-10-24 11:21 455,296 ----a-w e:\windows\system32\drivers\mrxsmb.sys
2008-10-19 18:15 --------- d-----w e:\program files\MediaCoder iPhone Edition
2008-10-18 09:41 --------- d-----w e:\program files\MSXML 4.0
2008-10-18 08:32 --------- d-----w e:\program files\Microsoft SQL Server
2008-10-18 08:29 --------- d-----w e:\program files\Microsoft.NET
2008-10-18 08:27 --------- d-----w e:\program files\MSXML 6.0
2008-10-18 07:26 --------- d-----w e:\program files\Microsoft WSE
2008-10-18 07:03 --------- d-----w e:\program files\MSBuild
2008-10-18 06:58 --------- d-----w e:\program files\Reference Assemblies
2008-10-17 15:35 --------- d-----w e:\documents and settings\Krejčík\Data aplikací\IrfanView
2008-10-17 15:35 --------- d-----w e:\documents and settings\Krejčík\Data aplikací\IrfanView
2008-10-17 15:35 --------- d-----w e:\documents and settings\Krejčík\Data aplikací\IrfanView
2008-10-16 13:28 --------- d-----w e:\program files\Any Video Converter
2008-10-16 13:28 --------- d-----w e:\documents and settings\Krejčík\Data aplikací\Any Video Converter
2008-10-16 13:28 --------- d-----w e:\documents and settings\Krejčík\Data aplikací\Any Video Converter
2008-10-16 13:28 --------- d-----w e:\documents and settings\Krejčík\Data aplikací\Any Video Converter
2008-10-16 13:13 202,776 ----a-w e:\windows\system32\wuweb.dll
2008-10-16 13:13 1,809,944 ----a-w e:\windows\system32\wuaueng.dll
2008-10-16 13:12 561,688 ----a-w e:\windows\system32\wuapi.dll
2008-10-16 13:12 323,608 ----a-w e:\windows\system32\wucltui.dll
2008-10-16 13:09 92,696 ----a-w e:\windows\system32\cdm.dll
2008-10-16 13:09 51,224 ----a-w e:\windows\system32\wuauclt.exe
2008-10-16 13:09 43,544 ----a-w e:\windows\system32\wups2.dll
2008-10-16 13:08 34,328 ----a-w e:\windows\system32\wups.dll
2008-10-16 12:57 --------- d-----w e:\documents and settings\Krejčík\Data aplikací\gtk-2.0
2008-10-16 12:57 --------- d-----w e:\documents and settings\Krejčík\Data aplikací\gtk-2.0
2008-10-16 12:57 --------- d-----w e:\documents and settings\Krejčík\Data aplikací\gtk-2.0
2008-10-16 12:51 --------- d-----w e:\documents and settings\Krejčík\Data aplikací\avidemux
2008-10-16 12:51 --------- d-----w e:\documents and settings\Krejčík\Data aplikací\avidemux
2008-10-16 12:51 --------- d-----w e:\documents and settings\Krejčík\Data aplikací\avidemux
2008-10-16 09:38 --------- d-----w e:\documents and settings\Krejčík\Data aplikací\Ahead
2008-10-16 09:38 --------- d-----w e:\documents and settings\Krejčík\Data aplikací\Ahead
2008-10-16 09:38 --------- d-----w e:\documents and settings\Krejčík\Data aplikací\Ahead
2008-10-16 09:32 --------- d-----w e:\program files\Common Files\Ahead
2008-10-16 09:30 --------- d-----w e:\program files\Nero
2008-10-16 09:30 --------- d-----w e:\documents and settings\All Users\Data aplikací\Nero
2008-10-16 09:01 --------- d--h--w e:\program files\InstallShield Installation Information
2008-10-15 18:17 --------- d-----w e:\program files\Xvid CZ
2008-10-15 18:16 729,088 ----a-w e:\windows\iun6002.exe
2008-10-15 18:16 --------- d-----w e:\program files\Codec Pack - VobSub
2008-10-14 19:59 264,097 ----a-w e:\windows\PDFCreator_Toolbar_Uninstaller_9822.exe
2008-10-14 19:59 --------- d-----w e:\program files\PDFCreator Toolbar
2008-10-14 19:59 --------- d-----w e:\program files\PDFCreator
2008-10-13 18:49 --------- d-----w e:\program files\Plato Video Converter
2008-10-13 16:59 --------- d-----w e:\documents and settings\All Users\Data aplikací\NVIDIA
2008-10-12 19:03 512,096 ----a-w e:\windows\system32\drivers\amon.sys
2008-10-12 19:03 298,104 ----a-w e:\windows\system32\imon.dll
2008-10-12 19:03 15,424 ----a-w e:\windows\system32\drivers\nod32drv.sys
2008-10-12 11:31 --------- d-----w e:\program files\Miranda IM
2008-10-11 18:24 --------- d-----w e:\program files\Common Files\Ulead Systems
2008-10-11 18:23 --------- d-----w e:\program files\WinFast
2008-10-11 18:23 --------- d-----w e:\documents and settings\All Users\Data aplikací\Ulead Systems
2008-10-11 13:43 --------- d-----w e:\program files\OneClick iPhone Video Converter
2008-10-11 13:09 --------- d-----w e:\documents and settings\Krejčík\Data aplikací\vlc
2008-10-11 13:09 --------- d-----w e:\documents and settings\Krejčík\Data aplikací\vlc
2008-10-11 13:09 --------- d-----w e:\documents and settings\Krejčík\Data aplikací\vlc
2008-10-11 13:08 --------- d-----w e:\program files\VideoLAN
2008-10-11 13:05 --------- d-----w e:\documents and settings\Krejčík\Data aplikací\BSplayer PRO
2008-10-11 13:05 --------- d-----w e:\documents and settings\Krejčík\Data aplikací\BSplayer PRO
2008-10-11 13:05 --------- d-----w e:\documents and settings\Krejčík\Data aplikací\BSplayer PRO
2008-10-11 13:04 --------- d-----w e:\program files\Webteh
2008-10-11 13:00 --------- d-----w e:\program files\DVD X Studios
2008-10-11 13:00 --------- d-----w e:\documents and settings\All Users\Data aplikací\DVD X Studios
2008-10-11 09:41 --------- d-----w e:\program files\AllerCalc
2008-10-11 07:49 --------- d-----w e:\program files\Lavasoft
2008-10-11 07:49 --------- d-----w e:\documents and settings\Krejčík\Data aplikací\Lavasoft
2008-10-11 07:49 --------- d-----w e:\documents and settings\Krejčík\Data aplikací\Lavasoft
2008-10-11 07:49 --------- d-----w e:\documents and settings\Krejčík\Data aplikací\Lavasoft
2008-10-10 21:32 --------- d-----w e:\documents and settings\Krejčík\Data aplikací\Apple Computer
2008-10-10 21:32 --------- d-----w e:\documents and settings\Krejčík\Data aplikací\Apple Computer
2008-10-10 21:32 --------- d-----w e:\documents and settings\Krejčík\Data aplikací\Apple Computer
2008-10-10 21:21 --------- d-----w e:\documents and settings\All Users\Data aplikací\Apple Computer
2008-10-10 21:19 --------- d-----w e:\documents and settings\All Users\Data aplikací\Apple
2008-10-10 20:57 --------- d-----w e:\program files\Common Files\Adobe
2008-10-10 20:53 --------- d-----w e:\program files\Verlag Dashöfer s.r.o
2008-10-10 20:41 --------- d-----w e:\program files\Common Files\Borland Shared
2008-10-10 20:35 --------- d-----w e:\documents and settings\Krejčík\Data aplikací\DIMAGE
2008-10-10 20:35 --------- d-----w e:\documents and settings\Krejčík\Data aplikací\DIMAGE
2008-10-10 20:35 --------- d-----w e:\documents and settings\Krejčík\Data aplikací\DIMAGE
2008-10-10 20:34 --------- d-----w e:\program files\DiMAGE Viewer
2008-10-10 20:34 --------- d-----w e:\program files\Common Files\InstallShield
2008-10-10 19:46 --------- d-----w e:\program files\microsoft frontpage
2008-10-10 19:33 --------- d-----w e:\documents and settings\Krejčík\Data aplikací\Microsoft Web Folders
2008-10-10 19:33 --------- d-----w e:\documents and settings\Krejčík\Data aplikací\Microsoft Web Folders
2008-10-10 19:33 --------- d-----w e:\documents and settings\Krejčík\Data aplikací\Microsoft Web Folders
2008-10-10 19:22 --------- d-----w e:\program files\VIA Technologies, INC
2008-10-10 19:12 --------- d-----w e:\documents and settings\All Users\Data aplikací\ESET
2008-10-10 19:07 --------- d-----w e:\program files\IrfanView
2008-10-10 18:44 --------- d-----w e:\program files\My Company Name
2008-09-30 15:43 1,286,152 ----a-w e:\windows\system32\msxml4.dll
2008-09-15 15:27 1,846,400 ----a-w e:\windows\system32\win32k.sys
2008-09-10 01:16 1,307,648 ------w e:\windows\system32\msxml6.dll
2008-09-04 17:17 1,106,944 ----a-w e:\windows\system32\msxml3.dll
2008-08-29 09:18 87,336 ----a-w e:\windows\system32\dns-sd.exe
2008-08-29 08:53 61,440 ----a-w e:\windows\system32\dnssd.dll
.
(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="e:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"AllerCalc"="e:\program files\AllerCalc\AllerCalc.exe" [2000-08-22 560408]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="e:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-01-15 147456]
"DAEMON Tools Lite"="e:\program files\DAEMON Tools Lite\daemon.exe" [2008-07-24 490952]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="e:\windows\system32\NvCpl.dll" [2008-09-17 13574144]
"Adobe Reader Speed Launcher"="e:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"WinFast Schedule"="e:\program files\WinFast\WFTVFM\WFWIZ.exe" [2004-08-02 176128]
"nod32kui"="e:\program files\Eset\nod32kui.exe" [2008-10-12 949376]
"LGODDFU"="e:\program files\lg_fwupdate\fwupdate.exe" [2005-04-12 229376]
"NeroFilterCheck"="e:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"NvMediaCenter"="e:\windows\system32\NvMcTray.dll" [2008-09-17 86016]
"AppleSyncNotifier"="e:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-03 111936]
"QuickTime Task"="e:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"iTunesHelper"="e:\program files\iTunes\iTunesHelper.exe" [2008-09-10 289576]
"nwiz"="nwiz.exe" [2008-09-17 e:\windows\system32\nwiz.exe]
"emMON"="emMON.exe" [2006-05-30 e:\windows\emMON.exe]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="e:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
e:\documents and settings\All Users\Nabídka Start\Programy\Po spuštění\
Microsoft Office.lnk - e:\program files\Microsoft Office\Office\OSA9.EXE [1999-02-18 65588]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.xvid"= xvid.dll
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"e:\\Program Files\\Miranda IM\\miranda32.exe"=
"e:\\Program Files\\SopCast\\SopCast.exe"=
"e:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"e:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"e:\\Program Files\\iTunes\\iTunes.exe"=
R2 MSSQL$AUTODESKVAULT;SQL Server (AUTODESKVAULT);"e:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sAUTODESKVAULT [2008-01-22 29178224]
R3 PSched;Plánovač paketů technologie QoS;e:\windows\system32\DRIVERS\psched.sys [2004-08-04 69120]
R3 WFIOCTL;WFIOCTL;\??\e:\program files\WinFast\WFTVFM\WFIOCTL.SYS [2008-10-11 9510]
S3 USB28xxBGA;USB 2820 Device;e:\windows\system32\DRIVERS\emBDA.sys [2006-09-12 292864]
S3 USB28xxOEM;USB 28xx OEM Filter;e:\windows\system32\DRIVERS\emOEM.sys [2006-08-21 7168]
*Newly Created Service* - PROCEXP90
.
.
------- Doplňkový sken -------
.
FireFox -: Profile - e:\documents and settings\Krejčík\Data aplikací\Mozilla\Firefox\Profiles\qllv7dg0.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.seznam.cz/
FF -: plugin - e:\program files\iTunes\Mozilla Plugins\npitunes.dll
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-21 14:55:45
Windows 5.1.2600 Service Pack 3 NTFS
skenování skrytých procesů ...
skenování skrytých položek 'Po spuštění' ...
skenování skrytých souborů ...
e:\docume~1\KREJK~1\LOCALS~1\Temp\RGI596.tmp
sken byl úspešně dokončen
skryté soubory: 1
**************************************************************************
.
--------------------- Knihovny navázané na běžící procesy ---------------------
PROCES: e:\windows\system32\lsass.exe
-> e:\program files\Eset\pr_imon.dll
.
Celkový čas: 2008-11-21 14:57:01
ComboFix-quarantined-files.txt 2008-11-21 13:56:33
Před spuštěním: Volných bajtů: 101 993 218 048
Po spuštění: Volných bajtů: 101,983,457,280
WindowsXP-KB310994-SP2-Pro-BootDisk-CSY.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
e:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
284 --- E O F --- 2008-11-12 21:01:55
- stell
- VIP in memoriam
- Posts: 5175
- Registered: 09 Dec 2007 09:27
- Residence: SK-REVUCA
Re: Win32/Mebroot.K
OK, ComboFix deleted something and the log is clean. As it stands, I know you ran CureIt, but in my opinion you did not have Mebroot there, because CureIt, as far as I know, does not repair the MBR, and I did not find anything in the SDFix log that would confirm you had Mebroot. What made you conclude that you have Mebroot.K there?
The log is clean, you can uninstall ComboFix, and in my opinion it is OK.
-
- Visitor
- Posts: 26
- Registered: 31 Jul 2005 16:16
- Residence: Poděbrady
Re: Win32/Mebroot.K
Silly me, I was downloading a game demo from a gaming server; near the end of the download NOD told me it was infected with this virus, but I clicked OK, because NOD occasionally reported something and it was a false alarm... And today I read on the net that this virus harms PCs that have 2 disks... I have 2 disks and, of course, the second one does not load at all.
- stell
- VIP in memoriam
- Posts: 5175
- Registered: 09 Dec 2007 09:27
- Residence: SK-REVUCA
Re: Win32/Mebroot.K
OK, it may be that you caught something, but not on the system disk. What you read is true, but you do not have it. Also use G_MER >> guide
http://www.viry.cz/forum/viewtopic.php?f=29&t=62878
-
- Visitor
- Posts: 26
- Registered: 31 Jul 2005 16:16
- Residence: Poděbrady
Re: Win32/Mebroot.K
So here is the first log
GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2008-11-21 15:22:43
Windows 5.1.2600 Service Pack 3
---- System - GMER 1.0.14 ----
SSDT spoh.sys ZwEnumerateKey [0xF74F5CA2]
SSDT spoh.sys ZwEnumerateValueKey [0xF74F6030]
---- Devices - GMER 1.0.14 ----
Device \FileSystem\Ntfs \Ntfs 8979A1F8
AttachedDevice \FileSystem\Ntfs \Ntfs amon.sys (Amon monitor/Eset )
Device \FileSystem\Fastfat \Fat 89560388
AttachedDevice \FileSystem\Fastfat \Fat amon.sys (Amon monitor/Eset )
---- EOF - GMER 1.0.14 ----
And here is the second log
GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2008-11-21 15:42:55
Windows 5.1.2600 Service Pack 3
---- System - GMER 1.0.14 ----
SSDT spoh.sys ZwCreateKey [0xF74D70E0]
SSDT spoh.sys ZwEnumerateKey [0xF74F5CA2]
SSDT spoh.sys ZwEnumerateValueKey [0xF74F6030]
SSDT spoh.sys ZwOpenKey [0xF74D70C0]
SSDT spoh.sys ZwQueryKey [0xF74F6108]
SSDT spoh.sys ZwQueryValueKey [0xF74F5F88]
SSDT spoh.sys ZwSetValueKey [0xF74F619A]
INT 0x33 ? 893E8BF8
INT 0x35 ? 893E8BF8
INT 0x3A ? 893E8BF8
INT 0x3B ? 893E8BF8
INT 0x3E ? 8979BBF8
INT 0x3F ? 8979BBF8
---- Kernel code sections - GMER 1.0.14 ----
? spoh.sys Systém nemůže nalézt uvedený soubor. !
.text USBPORT.SYS!DllUnload B95698AC 5 Bytes JMP 893E81D8
.text aqznm1id.SYS B94D3386 35 Bytes [ 00, 00, 00, 00, 00, 00, 20, ... ]
.text aqznm1id.SYS B94D33AA 24 Bytes [ 00, 00, 00, 00, 00, 00, 00, ... ]
.text aqznm1id.SYS B94D33C4 3 Bytes [ 00, 70, 02 ]
.text aqznm1id.SYS B94D33C9 1 Byte [ 2E ]
.text aqznm1id.SYS B94D33CB 9 Bytes [ 00, 00, 5A, 02, 00, 00, 00, ... ]
.text ...
---- Kernel IAT/EAT - GMER 1.0.14 ----
IAT \WINDOWS\System32\Drivers\SCSIPORT.SYS[ntoskrnl.exe!DbgBreakPoint] 897302D8
IAT pci.sys[ntoskrnl.exe!IoDetachDevice] [F7508C4C] spoh.sys
IAT pci.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [F7508CA0] spoh.sys
IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F74D8040] spoh.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [F74D813C] spoh.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [F74D80BE] spoh.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [F74D87FC] spoh.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [F74D86D2] spoh.sys
IAT \SystemRoot\system32\DRIVERS\USBPORT.SYS[ntoskrnl.exe!DbgBreakPoint] 893E82D8
IAT \SystemRoot\System32\Drivers\aqznm1id.SYS[ntoskrnl.exe!RtlInitUnicodeString] F44D8B48
IAT \SystemRoot\System32\Drivers\aqznm1id.SYS[ntoskrnl.exe!swprintf] C1815753
IAT \SystemRoot\System32\Drivers\aqznm1id.SYS[ntoskrnl.exe!KeSetEvent] 00002590
IAT \SystemRoot\System32\Drivers\aqznm1id.SYS[ntoskrnl.exe!IoCreateSymbolicLink] 467C8D51
IAT \SystemRoot\System32\Drivers\aqznm1id.SYS[ntoskrnl.exe!IoGetConfigurationInformation] 76F6E84A
IAT \SystemRoot\System32\Drivers\aqznm1id.SYS[ntoskrnl.exe!IoDeleteSymbolicLink] D88BFFFF
IAT \SystemRoot\System32\Drivers\aqznm1id.SYS[ntoskrnl.exe!MmFreeMappingAddress] 8504C483
IAT \SystemRoot\System32\Drivers\aqznm1id.SYS[ntoskrnl.exe!IoFreeErrorLogEntry] 5F0A75DB
IAT \SystemRoot\System32\Drivers\aqznm1id.SYS[ntoskrnl.exe!IoDisconnectInterrupt] 5B08438D
IAT \SystemRoot\System32\Drivers\aqznm1id.SYS[ntoskrnl.exe!MmUnmapIoSpace] 5DE58B5E
IAT \SystemRoot\System32\Drivers\aqznm1id.SYS[ntoskrnl.exe!ObReferenceObjectByPointer] 259068C3
IAT \SystemRoot\System32\Drivers\aqznm1id.SYS[ntoskrnl.exe!IofCompleteRequest] 006A0000
IAT \SystemRoot\System32\Drivers\aqznm1id.SYS[ntoskrnl.exe!RtlCompareUnicodeString] 88F0E853
IAT \SystemRoot\System32\Drivers\aqznm1id.SYS[ntoskrnl.exe!IofCallDriver] 558DFFFF
IAT \SystemRoot\System32\Drivers\aqznm1id.SYS[ntoskrnl.exe!MmAllocateMappingAddress] 90838DF8
IAT \SystemRoot\System32\Drivers\aqznm1id.SYS[ntoskrnl.exe!IoAllocateErrorLogEntry] 52000025
IAT \SystemRoot\System32\Drivers\aqznm1id.SYS[ntoskrnl.exe!IoConnectInterrupt] 03895750
IAT \SystemRoot\System32\Drivers\aqznm1id.SYS[ntoskrnl.exe!IoDetachDevice] FFF363E8
IAT \SystemRoot\System32\Drivers\aqznm1id.SYS[ntoskrnl.exe!KeWaitForSingleObject] 0C458AFF
IAT \SystemRoot\System32\Drivers\aqznm1id.SYS[ntoskrnl.exe!KeInitializeEvent] 8B104D8B
IAT \SystemRoot\System32\Drivers\aqznm1id.SYS[ntoskrnl.exe!KeCancelTimer] 43881855
IAT \SystemRoot\System32\Drivers\aqznm1id.SYS[ntoskrnl.exe!RtlAnsiStringToUnicodeString] 1C458B08
IAT \SystemRoot\System32\Drivers\aqznm1id.SYS[ntoskrnl.exe!RtlInitAnsiString] 0F544389
IAT \SystemRoot\System32\Drivers\aqznm1id.SYS[ntoskrnl.exe!IoBuildDeviceIoControlRequest] 89FF45B6
IAT \SystemRoot\System32\Drivers\aqznm1id.SYS[ntoskrnl.exe!IoQueueWorkItem] 4D8B0C4B
IAT \SystemRoot\System32\Drivers\aqznm1id.SYS[ntoskrnl.exe!MmMapIoSpace] 50538920
IAT \SystemRoot\System32\Drivers\aqznm1id.SYS[ntoskrnl.exe!IoInvalidateDeviceRelations] 8924558B
IAT \SystemRoot\System32\Drivers\aqznm1id.SYS[ntoskrnl.exe!IoReportDetectedDevice] 5389584B
IAT \SystemRoot\System32\Drivers\aqznm1id.SYS[ntoskrnl.exe!IoReportResourceForDetection] 0A43885C
IAT \SystemRoot\System32\Drivers\aqznm1id.SYS[ntoskrnl.exe!RtlxAnsiStringToUnicodeSize] 0646B60F
IAT \SystemRoot\System32\Drivers\aqznm1id.SYS[ntoskrnl.exe!NlsMbCodePageTag] A818C483
IAT \SystemRoot\System32\Drivers\aqznm1id.SYS[ntoskrnl.exe!PoRequestPowerIrp] 8D7F743F
IAT \SystemRoot\System32\Drivers\aqznm1id.SYS[ntoskrnl.exe!KeInsertByKeyDeviceQueue] 001A8C8B
IAT \SystemRoot\System32\Drivers\aqznm1id.SYS[ntoskrnl.exe!PoRegisterDeviceForIdleDetection] E0835100
IAT \SystemRoot\System32\Drivers\aqznm1id.SYS[ntoskrnl.exe!sprintf] 7E8D503F
IAT \SystemRoot\System32\Drivers\aqznm1id.SYS[ntoskrnl.exe!MmMapLockedPagesSpecifyCache] B9E85728
IAT \SystemRoot\System32\Drivers\aqznm1id.SYS[ntoskrnl.exe!ObfDereferenceObject] 0F0000D1
IAT \SystemRoot\System32\Drivers\aqznm1id.SYS[ntoskrnl.exe!IoGetAttachedDeviceReference] 8D0646B6
IAT \SystemRoot\System32\Drivers\aqznm1id.SYS[ntoskrnl.exe!IoInvalidateDeviceState] 001B8093
IAT \SystemRoot\System32\Drivers\aqznm1id.SYS[ntoskrnl.exe!ZwClose] E0835200
IAT \SystemRoot\System32\Drivers\aqznm1id.SYS[ntoskrnl.exe!ObReferenceObjectByHandle] E857503F
IAT \SystemRoot\System32\Drivers\aqznm1id.SYS[ntoskrnl.exe!ZwCreateDirectoryObject] 0000EBB4
IAT \SystemRoot\System32\Drivers\aqznm1id.SYS[ntoskrnl.exe!IoBuildSynchronousFsdRequest] 026B938D
IAT \SystemRoot\System32\Drivers\aqznm1id.SYS[ntoskrnl.exe!PoStartNextPowerIrp] C6830000
IAT \SystemRoot\System32\Drivers\aqznm1id.SYS[ntoskrnl.exe!IoCreateDevice] 0008B908
IAT \SystemRoot\System32\Drivers\aqznm1id.SYS[ntoskrnl.exe!RtlCopyUnicodeString] FA8B0000
IAT \SystemRoot\System32\Drivers\aqznm1id.SYS[ntoskrnl.exe!IoAllocateDriverObjectExtension] 758BA5F3
IAT \SystemRoot\System32\Drivers\aqznm1id.SYS[ntoskrnl.exe!RtlQueryRegistryValues] 064E8A08
IAT \SystemRoot\System32\Drivers\aqznm1id.SYS[ntoskrnl.exe!ZwOpenKey] 883FE180
IAT \SystemRoot\System32\Drivers\aqznm1id.SYS[ntoskrnl.exe!RtlFreeUnicodeString] 0002688B
IAT \SystemRoot\System32\Drivers\aqznm1id.SYS[ntoskrnl.exe!IoStartTimer] 06468A00
IAT \SystemRoot\System32\Drivers\aqznm1id.SYS[ntoskrnl.exe!KeInitializeTimer] 8306E8C0
IAT \SystemRoot\System32\Drivers\aqznm1id.SYS[ntoskrnl.exe!IoInitializeTimer] 023C18C4
IAT \SystemRoot\System32\Drivers\aqznm1id.SYS[ntoskrnl.exe!KeInitializeDpc] 02698388
IAT \SystemRoot\System32\Drivers\aqznm1id.SYS[ntoskrnl.exe!KeInitializeSpinLock] 19750000
IAT \SystemRoot\System32\Drivers\aqznm1id.SYS[ntoskrnl.exe!IoInitializeIrp] 028C838D
IAT \SystemRoot\System32\Drivers\aqznm1id.SYS[ntoskrnl.exe!ZwCreateKey] 52500000
IAT \SystemRoot\System32\Drivers\aqznm1id.SYS[ntoskrnl.exe!RtlAppendUnicodeStringToString] 00C143E8
IAT \SystemRoot\System32\Drivers\aqznm1id.SYS[ntoskrnl.exe!RtlIntegerToUnicodeString] 08C48300
IAT \SystemRoot\System32\Drivers\aqznm1id.SYS[ntoskrnl.exe!ZwSetValueKey] 0575C085
IAT \SystemRoot\System32\Drivers\aqznm1id.SYS[ntoskrnl.exe!KeInsertQueueDpc] EB08708D
IAT \SystemRoot\System32\Drivers\aqznm1id.SYS[ntoskrnl.exe!KefAcquireSpinLockAtDpcLevel] 074E8A54
IAT \SystemRoot\System32\Drivers\aqznm1id.SYS[ntoskrnl.exe!IoStartPacket] 026A8B88
IAT \SystemRoot\System32\Drivers\aqznm1id.SYS[ntoskrnl.exe!KefReleaseSpinLockFromDpcLevel] 83660000
IAT \SystemRoot\System32\Drivers\aqznm1id.SYS[ntoskrnl.exe!IoBuildAsynchronousFsdRequest] 7601487E
IAT \SystemRoot\System32\Drivers\aqznm1id.SYS[ntoskrnl.exe!IoFreeMdl] 4AC68305
IAT \SystemRoot\System32\Drivers\aqznm1id.SYS[ntoskrnl.exe!MmUnlockPages] F63302EB
IAT \SystemRoot\System32\Drivers\aqznm1id.SYS[ntoskrnl.exe!IoWriteErrorLogEntry] 5614558B
IAT \SystemRoot\System32\Drivers\aqznm1id.SYS[ntoskrnl.exe!KeRemoveByKeyDeviceQueue] 75E85352
IAT \SystemRoot\System32\Drivers\aqznm1id.SYS[ntoskrnl.exe!MmMapLockedPagesWithReservedMapping] 8BFFFFF4
IAT \SystemRoot\System32\Drivers\aqznm1id.SYS[ntoskrnl.exe!MmUnmapReservedMapping] 0CC483F0
IAT \SystemRoot\System32\Drivers\aqznm1id.SYS[ntoskrnl.exe!KeSynchronizeExecution] 2075F685
IAT \SystemRoot\System32\Drivers\aqznm1id.SYS[ntoskrnl.exe!IoStartNextPacket] 050C7D80
IAT \SystemRoot\System32\Drivers\aqznm1id.SYS[ntoskrnl.exe!KeBugCheckEx] 0092850F
IAT \SystemRoot\System32\Drivers\aqznm1id.SYS[ntoskrnl.exe!KeRemoveDeviceQueue] 458B0000
IAT \SystemRoot\System32\Drivers\aqznm1id.SYS[ntoskrnl.exe!KeSetTimer] E85350F8
IAT \SystemRoot\System32\Drivers\aqznm1id.SYS[ntoskrnl.exe!_allmul] FFFFF848
IAT \SystemRoot\System32\Drivers\aqznm1id.SYS[ntoskrnl.exe!MmProbeAndLockPages] 8408C483
IAT \SystemRoot\System32\Drivers\aqznm1id.SYS[ntoskrnl.exe!_except_handler3] BE7875C0
IAT \SystemRoot\System32\Drivers\aqznm1id.SYS[ntoskrnl.exe!PoSetPowerState] 00000008
IAT \SystemRoot\System32\Drivers\aqznm1id.SYS[ntoskrnl.exe!IoOpenDeviceRegistryKey] F346E853
IAT \SystemRoot\System32\Drivers\aqznm1id.SYS[ntoskrnl.exe!RtlWriteRegistryValue] C483FFFF
IAT \SystemRoot\System32\Drivers\aqznm1id.SYS[ntoskrnl.exe!RtlDeleteRegistryValue] 00F46804
IAT \SystemRoot\System32\Drivers\aqznm1id.SYS[ntoskrnl.exe!_aulldiv] 838D0000
IAT \SystemRoot\System32\Drivers\aqznm1id.SYS[ntoskrnl.exe!strstr] 00001A8C
IAT \SystemRoot\System32\Drivers\aqznm1id.SYS[ntoskrnl.exe!_strupr] E850006A
IAT \SystemRoot\System32\Drivers\aqznm1id.SYS[ntoskrnl.exe!KeQuerySystemTime] FFFF87CA
IAT \SystemRoot\System32\Drivers\aqznm1id.SYS[ntoskrnl.exe!IoWMIRegistrationControl] 0000F468
IAT \SystemRoot\System32\Drivers\aqznm1id.SYS[ntoskrnl.exe!KeTickCount] 808B8D00
IAT \SystemRoot\System32\Drivers\aqznm1id.SYS[ntoskrnl.exe!IoAttachDeviceToDeviceStack] 6A00001B
IAT \SystemRoot\System32\Drivers\aqznm1id.SYS[ntoskrnl.exe!IoDeleteDevice] B7E85100
IAT \SystemRoot\System32\Drivers\aqznm1id.SYS[ntoskrnl.exe!ExAllocatePoolWithTag] 33FFFF87
IAT \SystemRoot\System32\Drivers\aqznm1id.SYS[ntoskrnl.exe!IoAllocateWorkItem] 6B8389C0
IAT \SystemRoot\System32\Drivers\aqznm1id.SYS[ntoskrnl.exe!IoAllocateIrp] 89000002
IAT \SystemRoot\System32\Drivers\aqznm1id.SYS[ntoskrnl.exe!IoAllocateMdl] 00026F83
IAT \SystemRoot\System32\Drivers\aqznm1id.SYS[ntoskrnl.exe!MmBuildMdlForNonPagedPool] 73838900
IAT \SystemRoot\System32\Drivers\aqznm1id.SYS[ntoskrnl.exe!MmLockPagableDataSection] 89000002
IAT \SystemRoot\System32\Drivers\aqznm1id.SYS[ntoskrnl.exe!IoGetDriverObjectExtension] 00027783
IAT \SystemRoot\System32\Drivers\aqznm1id.SYS[ntoskrnl.exe!MmUnlockPagableImageSection] 7B838900
IAT \SystemRoot\System32\Drivers\aqznm1id.SYS[ntoskrnl.exe!ExFreePoolWithTag] 89000002
IAT \SystemRoot\System32\Drivers\aqznm1id.SYS[ntoskrnl.exe!IoFreeIrp] 00027F83
IAT \SystemRoot\System32\Drivers\aqznm1id.SYS[ntoskrnl.exe!IoFreeWorkItem] 83838900
IAT \SystemRoot\System32\Drivers\aqznm1id.SYS[ntoskrnl.exe!InitSafeBootMode] 53000002
IAT \SystemRoot\System32\Drivers\aqznm1id.SYS[ntoskrnl.exe!RtlCompareMemory] 02878389
IAT \SystemRoot\System32\Drivers\aqznm1id.SYS[ntoskrnl.exe!PoCallDriver] 7FE80000
IAT \SystemRoot\System32\Drivers\aqznm1id.SYS[ntoskrnl.exe!memmove] 83FFFF68
IAT \SystemRoot\System32\Drivers\aqznm1id.SYS[ntoskrnl.exe!MmHighestUserAddress] 8B5F1CC4
IAT \SystemRoot\System32\Drivers\aqznm1id.SYS[HAL.dll!KfAcquireSpinLock] C0840CEC
IAT \SystemRoot\System32\Drivers\aqznm1id.SYS[HAL.dll!READ_PORT_UCHAR] 053C0D74
IAT \SystemRoot\System32\Drivers\aqznm1id.SYS[HAL.dll!KeGetCurrentIrql] 57B80974
IAT \SystemRoot\System32\Drivers\aqznm1id.SYS[HAL.dll!KfRaiseIrql] 8B000000
IAT \SystemRoot\System32\Drivers\aqznm1id.SYS[HAL.dll!KfLowerIrql] 56C35DE5
IAT \SystemRoot\System32\Drivers\aqznm1id.SYS[HAL.dll!HalGetInterruptVector] 8D08758B
IAT \SystemRoot\System32\Drivers\aqznm1id.SYS[HAL.dll!HalTranslateBusAddress] 8D51FC4D
IAT \SystemRoot\System32\Drivers\aqznm1id.SYS[HAL.dll!KeStallExecutionProcessor] 8D52FD55
IAT \SystemRoot\System32\Drivers\aqznm1id.SYS[HAL.dll!KfReleaseSpinLock] 8D51FE4D
IAT \SystemRoot\System32\Drivers\aqznm1id.SYS[HAL.dll!READ_PORT_BUFFER_USHORT] 8D52FF55
IAT \SystemRoot\System32\Drivers\aqznm1id.SYS[HAL.dll!READ_PORT_USHORT] 8D51F84D
IAT \SystemRoot\System32\Drivers\aqznm1id.SYS[HAL.dll!WRITE_PORT_BUFFER_USHORT] 5052F455
IAT \SystemRoot\System32\Drivers\aqznm1id.SYS[HAL.dll!WRITE_PORT_UCHAR] EACAE856
IAT \SystemRoot\System32\Drivers\aqznm1id.SYS[WMILIB.SYS!WmiSystemControl] 0FC08520
IAT \SystemRoot\System32\Drivers\aqznm1id.SYS[WMILIB.SYS!WmiCompleteRequest] 0001B185
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [F74E8048] spoh.sys
---- Devices - GMER 1.0.14 ----
Device \FileSystem\Ntfs \Ntfs 8979A1F8
AttachedDevice \FileSystem\Ntfs \Ntfs amon.sys (Amon monitor/Eset )
Device \FileSystem\Fastfat \FatCdrom 89560388
Device \Driver\usbuhci \Device\USBPDO-0 893E61F8
Device \Driver\dmio \Device\DmControl\DmIoDaemon 8972E1F8
Device \Driver\dmio \Device\DmControl\DmConfig 8972E1F8
Device \Driver\dmio \Device\DmControl\DmPnP 8972E1F8
Device \Driver\dmio \Device\DmControl\DmInfo 8972E1F8
Device \Driver\PCI_PNP6384 \Device\00000045 spoh.sys
Device \Driver\PCI_PNP6384 \Device\00000045 spoh.sys
Device \Driver\usbuhci \Device\USBPDO-1 893E61F8
Device \Driver\usbuhci \Device\USBPDO-2 893E61F8
Device \Driver\usbehci \Device\USBPDO-3 893C41F8
Device \Driver\sptd \Device\1714007392 spoh.sys
Device \Driver\Ftdisk \Device\HarddiskVolume1 8979C1F8
Device \Driver\Cdrom \Device\CdRom0 893B81F8
Device \Driver\Cdrom \Device\CdRom1 893B81F8
Device \Driver\NetBT \Device\NetBt_Wins_Export 8939F478
Device \Driver\NetBT \Device\NetbiosSmb 8939F478
Device \Driver\NetBT \Device\NetBT_Tcpip_{F6083025-DD26-43AA-BD39-937C281E91D6} 8939F478
Device \Driver\usbuhci \Device\USBFDO-0 893E61F8
Device \Driver\usbuhci \Device\USBFDO-1 893E61F8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 8953D500
Device \Driver\usbuhci \Device\USBFDO-2 893E61F8
Device \FileSystem\MRxSmb \Device\LanmanRedirector 8953D500
Device \Driver\usbehci \Device\USBFDO-3 893C41F8
Device \Driver\Ftdisk \Device\FtControl 8979C1F8
Device \Driver\aqznm1id \Device\Scsi\aqznm1id1Port2Path0Target0Lun0 893B01F8
Device \Driver\aqznm1id \Device\Scsi\aqznm1id1 893B01F8
Device \FileSystem\Fastfat \Fat 89560388
AttachedDevice \FileSystem\Fastfat \Fat amon.sys (Amon monitor/Eset )
Device \FileSystem\Cdfs \Cdfs 89392500
---- Registry - GMER 1.0.14 ----
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 E:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x06 0x0D 0xD8 0x2A ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xC4 0xE5 0x13 0x62 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x43 0x3B 0x3F 0xF0 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 E:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x06 0x0D 0xD8 0x2A ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xC4 0xE5 0x13 0x62 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x43 0x3B 0x3F 0xF0 ...
---- EOF - GMER 1.0.14 ----
- stell
- VIP in memoriam
- Posts: 5175
- Registered: 09 Dec 2007 09:27
- Location: SK-REVUCA
Re: Win32/Mebroot.K
ok, it is only the Daemon driver making a mess there, but the situation is as follows: I have already met a similar problem, and CureIt had been used there too. You probably really did have Mebroot in the MBR on ATA disk no. 2; since you used CureIt without thinking, it could have got onto the non-system disk and damaged the MBR on disk no. 2, because CureIt is not a program for removing MEBROOT from the MBR of a disk.
We can try to zreparovat the MBR of the ATA disk; check whether you can see it in My Computer (Tento počítač).
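The post above concerns a second disk whose MBR may have been overwritten by an MBR rootkit and then damaged further by a scanner. Before attempting any repair, it helps to look at the first sector of that disk offline (for example from a raw dump of its first 512 bytes) and see whether it is still a structurally valid MBR. The following Python script is an added example written for this thread, not a tool from the forum or from GMER; it checks the 0x55AA boot signature, decodes the four partition entries and flags inconsistent entries, and fingerprints the boot-code area so it can be compared against a known-good MBR or against another disk. All sample sectors in it are constructed in the script itself; `check_image` assumes a file path to a dump of the disk's first sector.

```python
"""Offline sanity check of a 512-byte MBR sector (added example; sample data is constructed)."""
import hashlib
import struct

SECTOR_SIZE = 512
PARTITION_TABLE_OFFSET = 446
PARTITION_ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xAA"  # bytes 510-511 of a valid MBR
# Partition entry: status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sectors(4)
ENTRY_FORMAT = "<B3xB3xII"


def parse_partition_table(sector: bytes) -> list:
    """Decode the four 16-byte partition entries of an MBR sector into dicts."""
    entries = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + i * PARTITION_ENTRY_SIZE
        status, ptype, start_lba, sectors = struct.unpack_from(ENTRY_FORMAT, sector, off)
        entries.append({"status": status, "type": ptype,
                        "start_lba": start_lba, "sectors": sectors})
    return entries


def assess_mbr(sector: bytes) -> list:
    """Return a list of findings; an empty list means the sector looks like a sane MBR."""
    findings = []
    if len(sector) != SECTOR_SIZE:
        return ["sector is %d bytes, expected %d" % (len(sector), SECTOR_SIZE)]
    if sector[510:512] != BOOT_SIGNATURE:
        findings.append("boot signature 55 AA missing at offset 510")
    entries = parse_partition_table(sector)
    if not any(e["type"] != 0 for e in entries):
        findings.append("partition table is empty")
    active = 0
    ranges = []
    for idx, e in enumerate(entries):
        if e["status"] not in (0x00, 0x80):
            findings.append("entry %d: invalid status byte 0x%02X" % (idx, e["status"]))
        if e["status"] == 0x80:
            active += 1
        if e["type"] == 0:
            continue  # unused slot
        if e["start_lba"] == 0 or e["sectors"] == 0:
            findings.append("entry %d: zero start LBA or length" % idx)
            continue
        ranges.append((idx, e["start_lba"], e["start_lba"] + e["sectors"]))
    if active > 1:
        findings.append("more than one entry flagged active")
    ranges.sort(key=lambda r: r[1])
    for (a, _, a_end), (b, b_start, _) in zip(ranges, ranges[1:]):
        if b_start < a_end:
            findings.append("entries %d and %d overlap" % (a, b))
    return findings


def boot_code_fingerprint(sector: bytes) -> str:
    """SHA-256 of the 446-byte boot-code area. MBR rootkits replace this code, so the
    value can be compared with a known-good MBR of the same Windows version or with
    the other disk; the partition table is deliberately excluded from the hash."""
    return hashlib.sha256(sector[:PARTITION_TABLE_OFFSET]).hexdigest()


def build_sample_mbr(partitions, with_signature=True, boot_code=b"") -> bytes:
    """Construct a synthetic MBR sector for testing (constructed data, not from a real disk).
    partitions: iterable of (status, type, start_lba, sectors) tuples, at most four."""
    buf = bytearray(SECTOR_SIZE)
    code = boot_code[:PARTITION_TABLE_OFFSET]
    buf[:len(code)] = code
    for i, (status, ptype, start_lba, sectors) in enumerate(list(partitions)[:4]):
        off = PARTITION_TABLE_OFFSET + i * PARTITION_ENTRY_SIZE
        struct.pack_into(ENTRY_FORMAT, buf, off, status, ptype, start_lba, sectors)
    if with_signature:
        buf[510:512] = BOOT_SIGNATURE
    return bytes(buf)


def check_image(path: str) -> list:
    """Assess the first sector of a raw disk dump stored at `path` (hypothetical path)."""
    with open(path, "rb") as fh:
        return assess_mbr(fh.read(SECTOR_SIZE))


if __name__ == "__main__":
    # Constructed examples: one healthy MBR and one whose first sector was wiped.
    healthy = build_sample_mbr([(0x80, 0x07, 63, 1_000_000)])
    wiped = bytes(SECTOR_SIZE)
    print("healthy:", assess_mbr(healthy) or "no findings")
    print("wiped:  ", assess_mbr(wiped))
    print("boot-code fingerprint:", boot_code_fingerprint(healthy))
```

A disk whose first sector reports a missing boot signature and an empty partition table, as the wiped sample does, will not appear with a usable volume in My Computer; the data behind it is usually still on the platters, so the partition table should be rebuilt from a backup or from a partition-recovery tool rather than the disk being reformatted. Reading the raw sector from a live Windows disk requires administrator rights; the script itself only works on a file.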
-
- Visitor
- Posts: 26
- Registered: 31 Jul 2005 16:16
- Location: Poděbrady
Re: Win32/Mebroot.K
If you mean the second disk, then I can't see it...
And please, what does "zreparovat" mean?
- stell
- VIP in memoriam
- Posts: 5175
- Registered: 09 Dec 2007 09:27
- Location: SK-REVUCA
Re: Win32/Mebroot.K
zreparovat = repair.
Now write exactly how you had it: did you have only one Windows on E:\, or also a second Windows on the ATA disk, or was that disk only for DATA?
Last edited by stell on 21 Nov 2008 16:09, edited 1 time in total.
-
- Visitor
- Posts: 26
- Registered: 31 Jul 2005 16:16
- Location: Poděbrady
Re: Win32/Mebroot.K
So I have:
fixed disk E: where I have Windows + documents
removable disk C: where I had films, music, data... which now doesn't work
- stell
- VIP in memoriam
- Posts: 5175
- Registered: 09 Dec 2007 09:27
- Location: SK-REVUCA
Re: Win32/Mebroot.K
ok, Start > Run, enter the command diskmgmt.msc, OK.
Check whether you can see the ATA disk there; if so, post a screenshot.