Re: AVG found several viruses on my PC
Posted: 23 Apr 2010 16:32
Today I did what you told me, the script... my PC restarted... because of some rootkits, nothing special about that, but when it finished, all my files started throwing some error that said
"File path"
"Attempt to use an invalid operation on a registry key that is marked for deletion"
so I tried to restart the PC, but it wouldn't... I had to do a "hard restart" (hold the power button for about 10 sec), then I started the PC, pressed F8 and chose Last Known Good Configuration...
I'm attaching the ComboFix log that I saved...
ComboFix 10-04-21.01 - Boris 23.04.2010 16:42:12.2.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1250.420.1029.18.2047.1355 [GMT 2:00]
Running from: c:\users\Boris\Documents\Downloads\ComboFix.exe
Command switches used :: c:\users\Boris\Desktop\CFScript.txt
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\program files\AskTBar
c:\program files\AskTBar\SrchAstt\2.bin\A5SRCHAS.DLL
Infected copy of c:\windows\system32\drivers\atapi.sys was found and disinfected.
Restored copy from - c:\combofix\HarddiskVolumeShadowCopy9_!Windows!System32!drivers!atapi.sys
.
((((((((((((((((((((((((( Files Created from 2010-03-23 to 2010-04-23 )))))))))))))))))))))))))))))))
.
2010-04-23 15:06 . 2010-04-23 15:10 -------- d-----w- c:\users\Boris\AppData\Local\temp
2010-04-23 15:06 . 2010-04-23 15:06 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-04-23 15:06 . 2010-04-23 15:06 -------- d-----w- c:\users\Hanulka\AppData\Local\temp
2010-04-23 15:06 . 2010-04-23 15:06 -------- d-----w- c:\users\Guest\AppData\Local\temp
2010-04-23 15:06 . 2010-04-23 15:06 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-04-21 19:44 . 2010-02-12 10:32 293376 ----a-w- c:\windows\system32\browserchoice.exe
2010-04-14 11:45 . 2009-12-23 11:33 172032 ----a-w- c:\windows\system32\wintrust.dll
2010-04-14 11:45 . 2010-02-23 11:10 212992 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-04-14 11:45 . 2010-02-23 11:10 79360 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2010-04-14 11:45 . 2010-02-23 11:10 106496 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-04-14 11:45 . 2010-03-05 14:01 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-04-14 11:44 . 2010-02-18 14:07 3548040 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-04-14 11:44 . 2010-02-18 14:07 3600776 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-04-14 11:44 . 2010-02-18 14:07 904576 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-04-14 11:44 . 2010-02-18 11:28 25088 ----a-w- c:\windows\system32\drivers\tunnel.sys
2010-04-14 11:44 . 2010-02-18 13:30 200704 ----a-w- c:\windows\system32\iphlpsvc.dll
2010-04-14 11:43 . 2010-01-13 17:34 98304 ----a-w- c:\windows\system32\cabview.dll
2010-04-05 20:57 . 2010-04-05 20:57 93056 ----a-w- C:\uflcyuog.sys
2010-04-04 16:22 . 2010-04-04 16:22 -------- d-----w- c:\users\Guest\AppData\Local\Apps
2010-04-04 16:20 . 2010-04-04 16:20 -------- d-----w- c:\users\Guest\AppData\Roaming\DivX
2010-04-04 16:20 . 2010-04-04 16:20 -------- d-----w- c:\users\Guest\AppData\Roaming\Malwarebytes
2010-04-04 16:19 . 2010-04-04 16:19 100432 ----a-w- c:\users\Guest\AppData\Local\GDIPFONTCACHEV1.DAT
2010-04-03 05:39 . 2010-04-03 05:39 -------- d-----w- c:\windows\Sun
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-23 14:35 . 2007-01-08 21:09 606912 ----a-w- c:\windows\system32\perfh005.dat
2010-04-23 14:35 . 2007-01-08 21:09 119398 ----a-w- c:\windows\system32\perfc005.dat
2010-04-22 12:11 . 2007-11-05 19:08 -------- d-----w- c:\users\Boris\AppData\Roaming\OpenOffice.org2
2010-04-21 19:30 . 2010-01-14 19:17 -------- d-----w- c:\program files\trend micro
2010-04-21 10:57 . 2010-04-21 10:57 242696 ----a-w- c:\programdata\avg9\update\backup\avgtdix.sys
2010-04-21 10:56 . 2010-01-05 21:13 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-04-21 10:54 . 2010-04-21 10:54 1689952 ----a-w- c:\programdata\avg9\update\backup\avgupd.dll
2010-04-15 14:29 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-04-13 17:36 . 2007-07-18 09:38 -------- d-----w- c:\users\Boris\AppData\Roaming\ICQ
2010-04-08 13:03 . 2010-04-08 13:03 4255072 ----a-w- c:\programdata\avg9\update\backup\avgcorex.dll
2010-04-07 21:08 . 2007-07-18 20:11 -------- d-----w- c:\users\Boris\AppData\Roaming\Skype
2010-04-07 17:28 . 2010-01-10 09:05 -------- d-----w- c:\users\Boris\AppData\Roaming\skypePM
2010-04-04 14:07 . 2010-01-05 21:13 -------- d-----w- c:\programdata\avg9
2010-04-03 09:03 . 2007-10-28 19:05 7244 ----a-w- c:\users\Boris\AppData\Local\d3d9caps.dat
2010-04-02 07:50 . 2010-04-02 07:50 4076824 ----a-w- c:\programdata\avg9\update\backup\avgui.exe
2010-04-02 07:50 . 2010-04-02 07:50 2059544 ----a-w- c:\programdata\avg9\update\backup\avgtray.exe
2010-04-02 07:50 . 2010-04-02 07:50 1598744 ----a-w- c:\programdata\avg9\update\backup\avgssie.dll
2010-04-02 07:50 . 2010-04-02 07:50 1515224 ----a-w- c:\programdata\avg9\update\backup\avgwd.dll
2010-04-02 07:50 . 2010-04-02 07:50 1274136 ----a-w- c:\programdata\avg9\update\backup\avgfrw.exe
2010-04-02 07:50 . 2010-04-02 07:50 598296 ----a-w- c:\programdata\avg9\update\backup\avgsrmx.dll
2010-04-02 07:50 . 2010-04-02 07:50 313112 ----a-w- c:\programdata\avg9\update\backup\avglogx.dll
2010-04-02 07:50 . 2010-04-02 07:50 1086744 ----a-w- c:\programdata\avg9\update\backup\avgchsvx.exe
2010-04-02 07:50 . 2010-04-02 07:50 556824 ----a-w- c:\programdata\avg9\update\backup\avgchjwx.dll
2010-04-02 07:50 . 2010-04-02 07:50 459544 ----a-w- c:\programdata\avg9\update\backup\avgcclix.dll
2010-04-02 07:50 . 2010-04-02 07:50 341272 ----a-w- c:\programdata\avg9\update\backup\avgxch32.dll
2010-04-02 07:50 . 2010-04-02 07:50 301336 ----a-w- c:\programdata\avg9\update\backup\avgchclx.dll
2010-04-02 07:49 . 2010-04-02 07:49 1035032 ----a-w- c:\programdata\avg9\update\backup\avgupd.exe
2010-03-13 07:11 . 2010-03-13 07:11 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-03-13 07:11 . 2010-01-05 21:13 29512 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-03-13 07:09 . 2010-01-05 21:13 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-02-24 13:15 . 2007-07-13 11:52 100432 ----a-w- c:\users\Boris\AppData\Local\GDIPFONTCACHEV1.DAT
2010-02-23 06:39 . 2010-03-31 14:08 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-23 06:33 . 2010-03-31 14:08 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-02-23 06:33 . 2010-03-31 14:08 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-02-23 04:55 . 2010-03-31 14:08 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-02-20 23:06 . 2010-03-11 22:00 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-02-20 23:05 . 2010-03-11 22:00 30720 ----a-w- c:\windows\system32\httpapi.dll
2010-02-20 20:53 . 2010-03-11 22:00 411648 ----a-w- c:\windows\system32\drivers\http.sys
2010-01-25 12:00 . 2010-02-23 20:58 471552 ----a-w- c:\windows\system32\secproc_isv.dll
2010-01-25 12:00 . 2010-02-23 20:57 152576 ----a-w- c:\windows\system32\secproc_ssp_isv.dll
2010-01-25 12:00 . 2010-02-23 20:57 152064 ----a-w- c:\windows\system32\secproc_ssp.dll
2010-01-25 12:00 . 2010-02-23 20:58 471552 ----a-w- c:\windows\system32\secproc.dll
2010-01-25 11:58 . 2010-02-23 20:57 332288 ----a-w- c:\windows\system32\msdrm.dll
2010-01-25 08:21 . 2010-02-23 20:57 526336 ----a-w- c:\windows\system32\RMActivate_isv.exe
2010-01-25 08:21 . 2010-02-23 20:57 346624 ----a-w- c:\windows\system32\RMActivate_ssp_isv.exe
2010-01-25 08:21 . 2010-02-23 20:57 347136 ----a-w- c:\windows\system32\RMActivate_ssp.exe
2010-01-25 08:21 . 2010-02-23 20:57 518144 ----a-w- c:\windows\system32\RMActivate.exe
2006-05-08 03:36 . 2007-09-03 10:23 6195970 ----a-w- c:\program files\XP Codec Pack 1.3.4.exe
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\opera\program\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\opera\program\plugins\ssldivx.dll
2004-12-02 05:18 . 2007-04-13 10:17 222390 --sha-r- c:\windows\ConfigSetRoot\IO.SYS
.
(((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries and legitimate default entries are not shown.
REGEDIT4
c:\users\Hanulka\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OpenOffice.org 2.2.lnk - c:\program files\OpenOffice.org 2.2\program\quickstart.exe [2007-6-8 393216]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\avgrsstx.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer1"=wdmaud.drv
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
[HKLM\~\startupfolder\C:^Users^Boris^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^CurseClientStartup.ccip]
path=c:\users\Boris\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CurseClientStartup.ccip
backup=c:\windows\pss\CurseClientStartup.ccip.Startup
backupExtension=.Startup
[HKLM\~\startupfolder\C:^Users^Boris^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Jabbim.lnk]
path=c:\users\Boris\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Jabbim.lnk
backup=c:\windows\pss\Jabbim.lnk.Startup
backupExtension=.Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-01-11 20:16 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ASUSGamerOSD]
2007-07-23 10:48 380928 ----a-w- c:\program files\ASUS\GamerOSD\GamerOSD.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray.exe]
2008-01-19 07:33 125952 ----a-w- c:\windows\ehome\ehtray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2010-02-07 15:38 135664 ----atw- c:\users\Boris\AppData\Local\Google\Update\GoogleUpdate.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2008-02-11 18:13 166424 ----a-w- c:\windows\System32\hkcmd.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPUsageTracking]
2007-11-02 13:52 36864 ----a-w- c:\program files\HP\HP UT\bin\hppusg.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2008-02-11 18:13 141848 ----a-w- c:\windows\System32\igfxtray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ioCentre]
2007-05-31 18:16 61440 ----a-w- c:\genius\ioCentre\gTaskBar.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2004-06-16 04:03 221184 ----a-w- c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2004-06-16 04:03 81920 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechCommunicationsManager]
2007-07-25 14:02 563984 ----a-w- c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechQuickCamRibbon]
2007-07-25 14:06 2027792 ----a-w- c:\program files\Logitech\QuickCam\Quickcam.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (reboot)]
2010-01-07 15:07 1394000 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbam.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2008-09-17 21:55 13580832 ----a-w- c:\windows\System32\nvcpl.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2008-09-17 21:55 92704 ----a-w- c:\windows\System32\nvmctray.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2008-02-11 18:13 133656 ----a-w- c:\windows\System32\igfxpers.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RtHDVCpl]
2007-06-13 11:11 4489216 ----a-w- c:\windows\RtHDVCpl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sidebar]
2009-04-11 06:28 1233920 ----a-w- c:\program files\Windows Sidebar\sidebar.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skytel]
2007-05-28 18:39 1826816 ----a-w- c:\windows\SkyTel.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-05-01 07:47 148888 ----a-w- c:\program files\Java\jre6\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
2007-05-14 22:22 35328 ----a-w- c:\program files\Winamp\winampa.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2008-01-19 07:38 1008184 ----a-w- c:\program files\Windows Defender\MSASCui.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
2008-01-19 07:33 202240 ----a-w- c:\program files\Windows Media Player\wmpnscfg.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):a4,c1,05,92,28,3a,ca,01
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-3038224116-2228616904-308158760-1000]
"EnableNotificationsRef"=dword:00000001
R2 BT848;WinFast TV2000 XP WDM Video Capture;c:\windows\system32\drivers\wf2kvcap.sys [2004-10-04 75925]
R3 gMouPS2;PS2 Scroll Mouse Device;c:\windows\system32\DRIVERS\gMouPS2.sys [2006-07-12 17408]
R3 K320bus;Sony Ericsson K320 driver (WDM);c:\windows\system32\DRIVERS\K320bus.sys [2006-08-18 61504]
R3 K320mdfl;Sony Ericsson K320 USB WMC Modem Filter;c:\windows\system32\DRIVERS\K320mdfl.sys [2006-08-18 9328]
R3 K320mdm;Sony Ericsson K320 USB WMC Modem Driver;c:\windows\system32\DRIVERS\K320mdm.sys [2006-08-18 97056]
R3 K320mgmt;Sony Ericsson K320 USB WMC Device Management Drivers (WDM);c:\windows\system32\DRIVERS\K320mgmt.sys [2006-08-18 88560]
R3 K320obex;Sony Ericsson K320 USB WMC OBEX Interface;c:\windows\system32\DRIVERS\K320obex.sys [2006-08-18 86368]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2010-01-07 38224]
R3 Ph3xIB32;Philips 713x Inbox PCI TV Card;c:\windows\system32\DRIVERS\Ph3xIB32.sys [2006-11-02 1083520]
R4 sptd;sptd;c:\windows\system32\Drivers\sptd.sys [x]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2010-03-13 216200]
S1 AvgTdiX;AVG Free Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2010-04-21 242896]
S1 epfwtdir;epfwtdir;c:\windows\system32\DRIVERS\epfwtdir.sys [2008-02-20 33800]
S2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [2010-03-13 308064]
S3 3xHybrid;3xHybrid service;c:\windows\system32\DRIVERS\3xHybrid.sys [2007-04-20 674048]
S3 Atc002;NDIS Miniport Driver for Attansic L2 Fast Ethernet Controller;c:\windows\system32\DRIVERS\L260x86.sys [2006-12-13 25600]
S3 gHidPnp;USB Device Enhanced Function Driver;c:\windows\system32\Drivers\gHidPnp.Sys [2007-07-19 16384]
S3 gMouUsb;USB Mouse Device Drv;c:\windows\system32\DRIVERS\gMouUsb.sys [2007-07-20 9856]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder
2010-04-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3038224116-2228616904-308158760-1000Core.job
- c:\users\Boris\AppData\Local\Google\Update\GoogleUpdate.exe [2010-02-07 15:38]
2010-04-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3038224116-2228616904-308158760-1000UA.job
- c:\users\Boris\AppData\Local\Google\Update\GoogleUpdate.exe [2010-02-07 15:38]
2010-04-23 c:\windows\Tasks\User_Feed_Synchronization-{1CB939E2-DFCB-4177-9C92-76757785239D}.job
- c:\windows\system32\msfeedssync.exe [2010-03-31 04:54]
2010-04-23 c:\windows\Tasks\User_Feed_Synchronization-{1E0B1D22-D565-4A9E-9DC2-120B0F690ABE}.job
- c:\windows\system32\msfeedssync.exe [2010-03-31 04:54]
2010-04-23 c:\windows\Tasks\User_Feed_Synchronization-{6C33CF46-6887-4FC2-A862-CE0598A2CBEF}.job
- c:\windows\system32\msfeedssync.exe [2010-03-31 04:54]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://wow.spojka.org/
uDefault_Search_URL = hxxp://search.qip.ru
mStart Page = hxxp://www.yahoo.com
uSearchAssistant = hxxp://search.qip.ru/ie
uSearchURL,(Default) = Root: HKCU; Subkey: Software\Microsoft\Internet Explorer\SearchUrl; ValueType: string; ValueName: '; ValueData: '; Flags: createvalueifdoesntexist noerror; Tasks: AddSearchQip
IE: Download with Star Downloader - c:\program files\Star Downloader\sdie.htm
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-23 17:10
Windows 6.0.6002 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll >>UNKNOWN [0x861B4230]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0x88cb3d24
\Driver\ACPI -> acpi.sys @ 0x8364bd68
\Driver\atapi -> 0x861b4230
IoDeviceObjectType ->\Device\Harddisk0\DR0 ->Warning: possible MBR rootkit infection !
user & kernel MBR OK
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'Explorer.exe'(9008)
c:\program files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvvsvc.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\windows\system32\rundll32.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\program files\CDBurnerXP\NMSAccessU.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\PnkBstrB.exe
c:\windows\system32\WUDFHost.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\windows\system32\conime.exe
c:\windows\ehome\ehsched.exe
c:\windows\ehome\ehRecvr.exe
c:\windows\servicing\TrustedInstaller.exe
.
**************************************************************************
.
Completion time: 2010-04-23 17:18:48 - machine was rebooted
ComboFix-quarantined-files.txt 2010-04-23 15:18
ComboFix2.txt 2010-04-04 16:13
Pre-Run: 94,601,224,192 bytes free
Post-Run: 94,572,990,464 bytes free
- - End Of File - - F4FA6094B28353E6A4A8C2A423775AAD
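The log is read by eye in the thread, but three things in it are exactly what an automated triage pass should catch: ComboFix's own message that atapi.sys was infected and replaced from a shadow copy, a .sys with a random-looking name sitting directly in the drive root, and the Gmer section where the hook on \Driver\atapi resolves to a bare kernel address that Gmer lists as an UNKNOWN module. The Python below is an added example, not code from the original post, from ComboFix or from Gmer: it runs those heuristics over lines copied from this log (embedded as a constructed sample so it runs offline). The rule names, the severities and the allowlist of .sys files Windows legitimately keeps in a volume root are this example's own assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the ComboFix / Gmer log in the post above
# (ComboFix messages in English as translated on this page), embedded so that the
# example runs offline instead of reading a real log from disk.
SAMPLE_LOG = """\
Infected copy of c:\\windows\\system32\\drivers\\atapi.sys was found and disinfected.
Restored copy from - c:\\combofix\\HarddiskVolumeShadowCopy9_!Windows!System32!drivers!atapi.sys
2010-04-05 20:57 . 2010-04-05 20:57 93056 ----a-w- C:\\uflcyuog.sys
2010-04-14 11:44 . 2010-02-18 14:07 904576 ----a-w- c:\\windows\\system32\\drivers\\tcpip.sys
2004-12-02 05:18 . 2007-04-13 10:17 222390 --sha-r- c:\\windows\\ConfigSetRoot\\IO.SYS
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll >>UNKNOWN [0x861B4230]<<
\\Driver\\Disk -> CLASSPNP.SYS @ 0x88cb3d24
\\Driver\\ACPI -> acpi.sys @ 0x8364bd68
\\Driver\\atapi -> 0x861b4230
IoDeviceObjectType ->\\Device\\Harddisk0\\DR0 ->Warning: possible MBR rootkit infection !
user & kernel MBR OK
"""


@dataclass(frozen=True)
class Finding:
    severity: str  # "high" or "medium" (this example's own scale)
    rule: str      # short rule name (this example's own names)
    line: str      # the log line that triggered the rule


# .sys files Windows itself keeps directly in a volume root. Anything else there is
# unusual enough to review. Assumption of this example, not a ComboFix rule.
ROOT_SYS_ALLOWLIST = {"hiberfil.sys", "pagefile.sys", "config.sys", "io.sys", "msdos.sys"}

# ComboFix file listing: "<date> <time> . <date> <time> <size-or-dashes> <attrs> <path>"
FILE_LINE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2} \S+ \S+ (?P<path>.+)$"
)
# A .sys directly under a drive letter, e.g. C:\uflcyuog.sys (no further backslash).
ROOT_SYS = re.compile(r"[A-Za-z]:\\(?P<name>[^\\]+\.sys)", re.IGNORECASE)
# Gmer hook line whose target is a bare address: no module could be attributed to it.
BARE_HOOK = re.compile(r"^\\Driver\\\S+ -> 0x[0-9a-fA-F]+$")
# Gmer's "called modules" chain containing a module it could not identify.
UNKNOWN_MODULE = re.compile(r">>UNKNOWN \[0x[0-9a-fA-F]+\]<<")
# ComboFix's own disinfection message (English wording as on this page).
INFECTED = re.compile(r"^Infected copy of \S+ was found", re.IGNORECASE)
MBR_WARNING = re.compile(r"possible MBR rootkit infection", re.IGNORECASE)


def triage(log_text: str) -> list[Finding]:
    """Run the heuristics over every line and return findings in log order."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        file_match = FILE_LINE.match(line)
        if file_match:
            root_match = ROOT_SYS.fullmatch(file_match.group("path"))
            if root_match and root_match.group("name").lower() not in ROOT_SYS_ALLOWLIST:
                findings.append(Finding("high", "driver-in-volume-root", line))
            continue  # a file listing line matches no other rule
        if INFECTED.match(line):
            findings.append(Finding("high", "combofix-disinfected-system-driver", line))
        elif UNKNOWN_MODULE.search(line):
            findings.append(Finding("high", "unknown-module-in-disk-stack", line))
        elif BARE_HOOK.match(line):
            findings.append(Finding("high", "driver-hook-to-unattributed-address", line))
        elif MBR_WARNING.search(line):
            findings.append(Finding("medium", "gmer-mbr-warning", line))
    return findings


def severity_counts(findings: list[Finding]) -> dict[str, int]:
    """Count findings per severity, e.g. {"high": 4, "medium": 1} for SAMPLE_LOG."""
    counts: dict[str, int] = {}
    for finding in findings:
        counts[finding.severity] = counts.get(finding.severity, 0) + 1
    return counts


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"[{f.severity:6}] {f.rule}: {f.line}")
    print(severity_counts(results))
```

Each rule is deliberately narrow, so a hit is a lead rather than a verdict: a hook on \Driver\atapi pointing at an address no module claims is consistent with a disk-driver infection, and ComboFix restoring atapi.sys from a shadow copy says the file on disk had been patched, which is why the "possible MBR rootkit infection" warning stands even though both MBR reads came back OK. A responder would follow up by comparing the restored atapi.sys against a known-good copy and by asking what dropped the root-level driver in the first place.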
"Cesta k souboru"
"Pokus pouzit neplatnou operaci klice registu, ktery je oznacen pro odstraneni"
S1 AvgTdiX;AVG Free Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2010-04-21 242896]
S1 epfwtdir;epfwtdir;c:\windows\system32\DRIVERS\epfwtdir.sys [2008-02-20 33800]
S2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [2010-03-13 308064]
S3 3xHybrid;3xHybrid service;c:\windows\system32\DRIVERS\3xHybrid.sys [2007-04-20 674048]
S3 Atc002;NDIS Miniport Driver for Attansic L2 Fast Ethernet Controller;c:\windows\system32\DRIVERS\L260x86.sys [2006-12-13 25600]
S3 gHidPnp;USB Device Enhanced Function Driver;c:\windows\system32\Drivers\gHidPnp.Sys [2007-07-19 16384]
S3 gMouUsb;USB Mouse Device Drv;c:\windows\system32\DRIVERS\gMouUsb.sys [2007-07-20 9856]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder
2010-04-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3038224116-2228616904-308158760-1000Core.job
- c:\users\Boris\AppData\Local\Google\Update\GoogleUpdate.exe [2010-02-07 15:38]
2010-04-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3038224116-2228616904-308158760-1000UA.job
- c:\users\Boris\AppData\Local\Google\Update\GoogleUpdate.exe [2010-02-07 15:38]
2010-04-23 c:\windows\Tasks\User_Feed_Synchronization-{1CB939E2-DFCB-4177-9C92-76757785239D}.job
- c:\windows\system32\msfeedssync.exe [2010-03-31 04:54]
2010-04-23 c:\windows\Tasks\User_Feed_Synchronization-{1E0B1D22-D565-4A9E-9DC2-120B0F690ABE}.job
- c:\windows\system32\msfeedssync.exe [2010-03-31 04:54]
2010-04-23 c:\windows\Tasks\User_Feed_Synchronization-{6C33CF46-6887-4FC2-A862-CE0598A2CBEF}.job
- c:\windows\system32\msfeedssync.exe [2010-03-31 04:54]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://wow.spojka.org/
uDefault_Search_URL = hxxp://search.qip.ru
mStart Page = hxxp://www.yahoo.com
uSearchAssistant = hxxp://search.qip.ru/ie
uSearchURL,(Default) = Root: HKCU; Subkey: Software\Microsoft\Internet Explorer\SearchUrl; ValueType: string; ValueName: '; ValueData: '; Flags: createvalueifdoesntexist noerror; Tasks: AddSearchQip
IE: Download with Star Downloader - c:\program files\Star Downloader\sdie.htm
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-23 17:10
Windows 6.0.6002 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll >>UNKNOWN [0x861B4230]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0x88cb3d24
\Driver\ACPI -> acpi.sys @ 0x8364bd68
\Driver\atapi -> 0x861b4230
IoDeviceObjectType ->\Device\Harddisk0\DR0 ->Warning: possible MBR rootkit infection !
user & kernel MBR OK
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs loaded by running processes ---------------------
- - - - - - - > 'Explorer.exe'(9008)
c:\program files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll
.
------------------------ Other running processes ------------------------
.
c:\windows\system32\nvvsvc.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\windows\system32\rundll32.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\program files\CDBurnerXP\NMSAccessU.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\PnkBstrB.exe
c:\windows\system32\WUDFHost.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\windows\system32\conime.exe
c:\windows\ehome\ehsched.exe
c:\windows\ehome\ehRecvr.exe
c:\windows\servicing\TrustedInstaller.exe
.
**************************************************************************
.
Completion time: 2010-04-23 17:18:48 - machine was rebooted
ComboFix-quarantined-files.txt 2010-04-23 15:18
ComboFix2.txt 2010-04-04 16:13
Pre-Run: 94,601,224,192 bytes free
Post-Run: 94,572,990,464 bytes free
- - End Of File - - F4FA6094B28353E6A4A8C2A423775AAD
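The interesting part of the log above is the GMER "Stealth MBR rootkit detector" block: the disk I/O call chain ends in `>>UNKNOWN [0x861B4230]<<`, and `\Driver\atapi` dispatches to that same address with no module name behind it, while the hooks on `\Driver\Disk` and `\Driver\ACPI` resolve to named system modules. When triaging many such logs it helps to pull those facts out mechanically instead of eyeballing them. The script below is an added example written for this thread; it is not part of ComboFix or GMER and not the poster's code. The sample input is a constructed excerpt modelled on the posted log (same addresses and driver lines), and the reading of ComboFix's `[x]` marker as "file could not be read at scan time" is my interpretation, not something the log states.

```python
"""Triage helper for GMER MBR-detector output and ComboFix driver lines.

Added example for this thread; not ComboFix/GMER code.  Flags:
  * \\Driver\\X entries whose dispatch target is a bare address (no module),
    and whether that address is the UNKNOWN module from the call chain;
  * service/driver lines ComboFix could not read ([x] instead of date/size);
  * GMER's explicit "possible MBR rootkit infection" warning.
"""
import re
from dataclasses import dataclass

# Constructed excerpt modelled on the posted log (not the full log).
SAMPLE_LOG = r"""
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2010-01-07 38224]
R4 sptd;sptd;c:\windows\system32\Drivers\sptd.sys [x]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2010-03-13 216200]
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll >>UNKNOWN [0x861B4230]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0x88cb3d24
\Driver\ACPI -> acpi.sys @ 0x8364bd68
\Driver\atapi -> 0x861b4230
IoDeviceObjectType ->\Device\Harddisk0\DR0 ->Warning: possible MBR rootkit infection !
user & kernel MBR OK
"""

UNKNOWN_RE = re.compile(r">>UNKNOWN \[(0x[0-9A-Fa-f]+)\]<<")
# "\Driver\atapi -> 0x861b4230"  or  "\Driver\Disk -> CLASSPNP.SYS @ 0x88cb3d24"
HOOK_RE = re.compile(r"^\\Driver\\(\S+) -> (?:(\S+) @ )?(0x[0-9A-Fa-f]+)\s*$", re.M)
# "R4 sptd;sptd;c:\...\sptd.sys [x]"  or  "... [2010-01-07 38224]"
SVC_RE = re.compile(r"^([RS]\d) ([^;]+);([^;]*);(.+?) \[(x|\d{4}-\d\d-\d\d \d+)\]\s*$", re.M)


@dataclass(frozen=True)
class Finding:
    kind: str      # dispatch_hook | unreadable_driver | gmer_warning
    subject: str   # driver / device name
    detail: str


def parse_unknown_addresses(log: str) -> set:
    """Addresses GMER could not map to any loaded module in the call chain."""
    return {int(a, 16) for a in UNKNOWN_RE.findall(log)}


def parse_driver_hooks(log: str) -> dict:
    """Map driver name -> (module name or None, dispatch address as int)."""
    return {name: (mod or None, int(addr, 16)) for name, mod, addr in HOOK_RE.findall(log)}


def parse_services(log: str) -> list:
    """(state, name, description, path, stamp) tuples; stamp is 'x' if unreadable."""
    return SVC_RE.findall(log)


def triage(log: str) -> list:
    findings = []
    unknown = parse_unknown_addresses(log)
    for drv, (mod, addr) in parse_driver_hooks(log).items():
        if mod is not None:
            continue  # dispatch lands in a named module: normal layering
        why = ("dispatch address is the UNKNOWN module from the disk I/O call chain"
               if addr in unknown else "dispatch address not attributable to a loaded module")
        findings.append(Finding("dispatch_hook", drv, f"{drv} -> {addr:#x}: {why}"))
    for state, name, _desc, path, stamp in parse_services(log):
        if stamp == "x":  # assumption: [x] means ComboFix could not read the file
            findings.append(Finding("unreadable_driver", name,
                                    f"{path} registered as {state} but unreadable at scan time"))
    if "possible MBR rootkit infection" in log:
        findings.append(Finding("gmer_warning", r"\Device\Harddisk0\DR0",
                                "GMER flagged the boot disk device object"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.kind}] {f.subject}: {f.detail}")
```

On the posted log this reports one dispatch hook (`atapi`, pointing at the UNKNOWN address), the unreadable `sptd.sys` entry, and the GMER warning; `Disk` and `ACPI` are not reported because their dispatch targets resolve to `CLASSPNP.SYS` and `acpi.sys`. Anything it reports still needs a human to decide whether it is a security product, a known self-protecting driver, or the infection being cleaned up.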