Win32/Mebroot.K

[Speed99]

ano zachranit a format,ale CUREIT ti detectoval aj na H:\ takze ak to nie je systemovy disk tiez komplet format aj MBR.

To som pouzil iba obrazovku z ineho predchadzajuceho topicu, nakolko som sa sem dostal az po odstraneni virusu z bootu. Mne ten isty virus pisalo na jednotke K.

Spravil som uz aj vypis z SdFix - u po lieceni. poslem ?

[stell]

ok,Sdfix ti odstranuje ukradnute data+ovladac,ale treba ti spustit z systemoveho disku G-Mer
http://www.viry.cz/forum/viewtopic.php?f=29&t=62878
potom log c-1-2-vloz sem.

[Speed99]

Tu to je

Log 1

GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2009-01-20 11:17:36
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.14 ----

SSDT sptd.sys ZwEnumerateKey [0xBA6C3FB2]
SSDT sptd.sys ZwEnumerateValueKey [0xBA6C4340]

---- Devices - GMER 1.0.14 ----

Device \FileSystem\Ntfs \Ntfs 89E4D1E8

AttachedDevice \FileSystem\Ntfs \Ntfs amon.sys (Amon monitor/Eset )

---- EOF - GMER 1.0.14 ----

Log2

GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2009-01-20 11:21:14
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.14 ----

SSDT sptd.sys ZwCreateKey [0xBA6BE0D0]
SSDT sptd.sys ZwEnumerateKey [0xBA6C3FB2]
SSDT sptd.sys ZwEnumerateValueKey [0xBA6C4340]
SSDT sptd.sys ZwOpenKey [0xBA6BE0B0]
SSDT sptd.sys ZwQueryKey [0xBA6C4418]
SSDT sptd.sys ZwQueryValueKey [0xBA6C4298]
SSDT sptd.sys ZwSetValueKey [0xBA6C44AA]

---- Kernel code sections - GMER 1.0.14 ----

? C:\WINDOWS\system32\drivers\sptd.sys Proces nemá přístup k souboru, neboť jej právě využívá jiný proces.
.text USBPORT.SYS!DllUnload B9DD362C 5 Bytes JMP 89B9C470
? System32\Drivers\ab5itqke.SYS Systém nemůže nalézt uvedenou cestu. !
? C:\DOCUME~1\COMPANY\LOCALS~1\Temp\catchme.sys Systém nemůže nalézt uvedený soubor. !

---- Kernel IAT/EAT - GMER 1.0.14 ----

IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [BA6BEAD4] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [BA6BEC1A] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [BA6BEB9C] sptd.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [BA6BF748] sptd.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [BA6BF61E] sptd.sys
IAT \SystemRoot\System32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [BA6D429A] sptd.sys

---- Devices - GMER 1.0.14 ----

Device \FileSystem\Ntfs \Ntfs 89E4D1E8

AttachedDevice \FileSystem\Ntfs \Ntfs amon.sys (Amon monitor/Eset )

Device \Driver\NetBT \Device\NetBT_Tcpip_{BF31AF66-1530-40AF-8CA5-FEE185E1884B} 89A83790
Device \Driver\NetBT \Device\NetBT_Tcpip_{7F5C6010-B9C5-43AC-AD48-5BAACDAC7CAC} 89A83790
Device \Driver\usbuhci \Device\USBPDO-0 89B9A1E8
Device \Driver\dmio \Device\DmControl\DmIoDaemon 89DD81E8
Device \Driver\dmio \Device\DmControl\DmConfig 89DD81E8
Device \Driver\dmio \Device\DmControl\DmPnP 89DD81E8
Device \Driver\dmio \Device\DmControl\DmInfo 89DD81E8
Device \Driver\usbuhci \Device\USBPDO-1 89B9A1E8
Device \Driver\usbuhci \Device\USBPDO-2 89B9A1E8
Device \Driver\usbehci \Device\USBPDO-3 89B661E8
Device \Driver\usbehci \Device\USBPDO-4 89B661E8
Device \Driver\usbuhci \Device\USBPDO-5 89B9A1E8
Device \Driver\PCI_NTPNP7002 \Device\00000049 sptd.sys
Device \Driver\usbuhci \Device\USBPDO-6 89B9A1E8
Device \Driver\Ftdisk \Device\HarddiskVolume1 89E4F1E8
Device \Driver\usbuhci \Device\USBPDO-7 89B9A1E8
Device \Driver\Ftdisk \Device\HarddiskVolume2 89E4F1E8
Device \Driver\Cdrom \Device\CdRom0 89B452B0
Device \Driver\Ftdisk \Device\HarddiskVolume3 89E4F1E8
Device \Driver\Cdrom \Device\CdRom1 89B452B0
Device \Driver\atapi \Device\Ide\IdePort0 89E4E1E8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 89E4E1E8
Device \Driver\atapi \Device\Ide\IdePort1 89E4E1E8
Device \Driver\atapi \Device\Ide\IdePort2 89E4E1E8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c 89E4E1E8
Device \Driver\atapi \Device\Ide\IdePort3 89E4E1E8
Device \Driver\atapi \Device\Ide\IdePort4 89E4E1E8
Device \Driver\atapi \Device\Ide\IdePort5 89E4E1E8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-18 89E4E1E8
Device \Driver\atapi \Device\Ide\IdeDeviceP3T0L0-2d 89E4E1E8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-20 89E4E1E8
Device \Driver\Cdrom \Device\CdRom2 89B452B0
Device \Driver\NetBT \Device\NetBt_Wins_Export 89A83790
Device \Driver\NetBT \Device\NetbiosSmb 89A83790
Device \Driver\usbuhci \Device\USBFDO-0 89B9A1E8
Device \Driver\usbuhci \Device\USBFDO-1 89B9A1E8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 89BE7438
Device \Driver\usbuhci \Device\USBFDO-2 89B9A1E8
Device \FileSystem\MRxSmb \Device\LanmanRedirector 89BE7438
Device \Driver\usbehci \Device\USBFDO-3 89B661E8
Device \Driver\usbuhci \Device\USBFDO-4 89B9A1E8
Device \Driver\Ftdisk \Device\FtControl 89E4F1E8
Device \Driver\usbuhci \Device\USBFDO-5 89B9A1E8
Device \Driver\usbuhci \Device\USBFDO-6 89B9A1E8
Device \Driver\usbehci \Device\USBFDO-7 89B661E8
Device \Driver\ab5itqke \Device\Scsi\ab5itqke1Port6Path0Target0Lun0 89A6A1E8
Device \Driver\ab5itqke \Device\Scsi\ab5itqke1 89A6A1E8
Device \FileSystem\Cdfs \Cdfs 89A1A790

---- Registry - GMER 1.0.14 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x34 0x65 0x2C 0xF3 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xB4 0x9D 0x38 0x5C ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x69 0x84 0x5B 0x54 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x34 0x65 0x2C 0xF3 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xB4 0x9D 0x38 0x5C ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x69 0x84 0x5B 0x54 ...

---- EOF - GMER 1.0.14 ----

[stell]

logy nedavaj do code zle sa to lusti,systemovy disk je ok,

[Speed99]

upravene....

Teraz mi bezi ten GetDataBack je tam toho 250 GB z neho dufam pojdu zalohovat data.

Potom staci uz iba format K a malo by to byt OK ?

[stell]

ano ale komplet format najlepsie na konzole pre zotavenie nakolko tam nemas priradene pismenko
nastuduj pikaz pre konzolu Diskpart

[Speed99]

Dik moc za radu.... uz som to preformatoval a nahral... trvalo to asi 8 hodin

[stell]

hlavne ze to mas ok,este zmen vsetky hesla.
nemas zaco.

[Sikec]

Dobrý den.

Dnes jsem úplnou náhodou uviděl hlášku v NOD (mám jej zapnutej, ale nijak jej aktivně nepoužívám - blbec) o přítomnosti tohoto trojanu na mém fyzickém disku. Potřeboval bych pomoci s jeho odstraněním. Chápu, že to bude znít směšně, ale jsem rád, že jsem se zaregistroval. Jinak jsou mé znaloti práce s Pc mizivé. Vygoogloval jsem tohle vlákno, celého přečetl a provedl registraci. Nijak moudrý s toho nejsem a moc věcem nerozumím. umisťování různých logů a zadávání příkazů neovládám, ale s pomocí zvládnu. Potřeboval bych vedení někoho trpělivého. Například mě zajímá, jestli můžu ještě vypálit nějaká dvd s filmy a jiným materiálem, který bych nechtěl pozbýt. Taky mě zajímá, jestli mám toho trojana na USB flash disku. Jak na to přijít a jak zálohovat data bez rizika přenosu nákazy? Denně používám heslované přístupy do databází a IB. Potřeboval bych to mít z krku co nejdřív. moc děkuji za Vaši pomoc.

[Sikec]

Tady je první Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:02:16, on 8.2.2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Program Files\Seznam Bezpecny Internet\SBIAntiDialer.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.icq.com/search/search_frame.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://google.icq.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customi ... earch.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
R3 - URLSearchHook: (no name) - {855F3B16-6D32-4fe6-8A56-BBB695989046} - (no file)
O2 - BHO: Podpora odkazu pro Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Seznam Bezpečný Internet - {B71B15CE-3093-459C-B764-AEB2486F2273} - C:\Program Files\Seznam Bezpecny Internet\SBI.dll
O3 - Toolbar: WebTranslator - {BFC32E1D-EE75-4A48-BC60-104E11EE2431} - C:\Program Files\Pc Translator\WEBIE.DLL
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\cs-cz\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG.exe -off
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SeznamAntidialer] C:\Program Files\Seznam Bezpecny Internet\SBIAntiDialer.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Program Files\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: &Přelož do češtiny - res://C:\Program Files\Seznam Bezpecny Internet\SBI.dll/5034
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredi ... xpt119YYCZ
O8 - Extra context menu item: E&xportovat do aplikace Microsoft Excel - res://G:\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: E&xportovat do aplikace Microsoft Office Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Hledej v &Seznamu - res://C:\Program Files\Seznam Bezpecny Internet\SBI.dll/5033
O8 - Extra context menu item: Hledej v Seznam &Fulltextu - res://C:\Program Files\Seznam Bezpecny Internet\SBI.dll/5035
O9 - Extra button: WebTran - {7E6A20FB-153F-402c-A84B-1A64E1955D3D} - C:\Program Files\Pc Translator\WEBIE.DLL
O9 - Extra button: (no name) - {BFC32E1D-EE75-4A48-BC60-104E11EE2431} - (no file)
O9 - Extra button: (no name) - {CC963627-B1DC-40E0-B52A-CF21EE748450} - C:\Program Files\Pc Translator\WEBIE.DLL
O9 - Extra 'Tools' menuitem: &Nastavit překladač - {CC963627-B1DC-40E0-B52A-CF21EE748450} - C:\Program Files\Pc Translator\WEBIE.DLL
O9 - Extra button: (no name) - {CC963627-B1DC-40E0-B52A-CF21EE748451} - C:\Program Files\Pc Translator\WEBIE.DLL
O9 - Extra 'Tools' menuitem: Přeložit &označený text - {CC963627-B1DC-40E0-B52A-CF21EE748451} - C:\Program Files\Pc Translator\WEBIE.DLL
O9 - Extra button: (no name) - {CC963627-B1DC-40E0-B52A-CF21EE748452} - C:\Program Files\Pc Translator\WEBIE.DLL
O9 - Extra 'Tools' menuitem: Přeložit &stránku - {CC963627-B1DC-40E0-B52A-CF21EE748452} - C:\Program Files\Pc Translator\WEBIE.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6.5\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6.5\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O16 - DPF: {030735DF-13FE-4560-8B57-CE341E8EAAA2} (MaGIS 3D Web Control) - mk:@MSITStore:D:\html\instal.chm::/Install/Mg3D.cab
O16 - DPF: {0D62A517-E7C6-4E1F-A577-07D4AC549A48} (Progetto1.int_ver32) - http://advnt01.com/dialer/ce_ver32b.CAB
O16 - DPF: {1F831FA2-42FC-11D4-95A6-0080AD30DCE1} (InstaFred) - file://C:\Program Files\AutoCAD 2002 Cz\InstFred.ocx
O16 - DPF: {2A0B9B82-D5C8-4D3D-8338-AD55B23662B1} (F5 Networks CacheCleaner) - https://gate.rsts.cz/vdesk/cachecleaner ... ,0404,2205
O16 - DPF: {3190CE26-0B6E-4133-A7D3-87D29CB92120} (SBIInetInstall Control) - http://www.bezpecnyinternet.cz/SBI.cab
O16 - DPF: {37B7C7C6-BCD8-11D7-BD5C-00C026104E7F} - http://jav.webreport.cz/sdp/dload/10051_13_CZ_dload.exe
O16 - DPF: {45B69029-F3AB-4204-92DE-D5140C3E8E74} (F5 Networks Auto Update) - https://gate.rsts.cz/vdesk/terminal/Ins ... ,0404,2212
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.mail.live.com/mail/w1/resou ... NPUpld.cab
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (Ovládací prvek AcDcToday) - file://C:\Program Files\AutoCAD 2002 Cz\AcDcToday.ocx
O16 - DPF: {A1426AC5-8CE5-4A00-B71E-011D35709AC6} - http://advnt01.com/dialer/ce_ver34.CAB
O16 - DPF: {AE563723-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://C:\Program Files\AutoCAD 2002 Cz\InstBanr.ocx
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - https://download.macromedia.com/pub/sho ... wflash.cab
O16 - DPF: {DDF44FD9-749F-4761-89BB-E8A59339E459} - http://akamai.downloadv3.com/binaries/L ... _EN_XP.cab
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (Prvek AcPreview) - file://C:\Program Files\AutoCAD 2002 Cz\AcPreview.ocx
O16 - DPF: {F72BC3F0-6C20-4793-9DDA-258589D8A907} - http://akamai.downloadv3.com/binaries/I ... _EN_XP.cab
O16 - DPF: {FB48C7B0-EB66-4BE6-A1C5-9DDF3C37249A} (MCSendMessageHandler Class) - http://xtraz.icq.com/xtraz/activex/MISBH.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{728ADE8D-21E8-455B-AF73-D04191D13B19}: NameServer = 10.3.3.1,212.24.128.8
O17 - HKLM\System\CCS\Services\Tcpip\..\{7AA50CCE-3EAD-456C-B0CD-22C3CD3010C6}: NameServer = 194.228.2.1,194.228.41.113
O17 - HKLM\System\CCS\Services\Tcpip\..\{F823DDD0-C493-4146-817D-37F9B756BC26}: NameServer = 194.228.2.1,194.228.41.113
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Unknown owner - C:\Program Files\Eset\nod32krn.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 11480 bytes

[stell]

zdravim
treba stale otvorit novy topic nakolko ja nemusim byt online a takto tvoj problem zapadne prachom.
No ale ked uz si tu tak pomozem ti.
1:Odinstaluj program
C:\Program Files\Seznam Bezpecny Internet\SBIAntiDialer.exe
nepoznam a google tiaz malo o nom vie.

stáhněte MBR - http://www2.gmer.net/mbr/mbr.exe ulož ho na plochu>spust > vytvoří se log mbr.log, vložte ho celý sem.

[Sikec]

Velmi se omlouvám za porušení pravidel. Jsem účastníkem auto poradny a tam nenávidí všechny, kterří zakládají nová vlákna se stejným problémem.

Odinstalování jsem provedl a log vkládám zde:

Stealth MBR rootkit detector 0.2.4 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
MBR rootkit code detected !
malicious code @ sector 0xdf937c1 size 0x194 !
copy of MBR has been found in sector 62 !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.

[stell]

takze mas tam Mebroot a a musis absolvovat celu liecebnu proceduru nakolko tvoje doverne data,hesla...vsetko je ukradnute..
klik-start-klik spustit vloz prikaz
"%userprofile%\plocha\mbr" -f [enter]
restart spust mbr.exe a vloz sem novy log.

[Sikec]

Tady je další log:

Stealth MBR rootkit detector 0.2.4 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK

[stell]

ok,nasleduje WEBCUREIT-navod v podpise-spravis len Expres sken
potom SDFIX v nudzovom rezime-log vloz sem

Pouzijeme SDFIX v Nudzovom rezime>Stiahnes ho stadial:>
>http://downloads.andymanchesta.com/Remo ... /SDFix.exe

Po stazeni je treba spustit exe soubor, v otevrenem okne vyberte umisteni adresare, kam si aplikace nakopiruje potrebne soubory (doporucuji defaultni C:/SDFix)

Restartujte pocitac do nouzoveho rezimu (pri restartu mackejte klavesu F8, pote zvolte z nabidky Stav nouze; pote chvili vyckejte, otevre se vam potvrzovaci okno s nabidkou spusteni zvlastniho diagnostickeho rezimu, ktere potvrdte OK), otevrete vyse zmineny adresar a spustte aplikaci RunThis.bat

po stisku klavesy Y a Enter se spusti samotny sken, netrvajici dele nez pet minut, behem nejz si muzete vychutnat krasne graficke ztvarneni prubehu skenu

pred zacatkem skenu SDFix zazalohuje registry a hosts soubory, v prubehu skenu pak hleda smejdy dle vyse zmineneho seznamu, maze soubory v Tempech a hleda soubory se skrytymi atributy

po ukonceni skenu vas SDFix vyzve ke stisku jakekoli klavesy k potvrzeni restartu

po restartu do jiz klasickeho rezimu se znovu zobrazi okno prikazoveho radku s informaci o dokonceni skenu a vytvareni logu, ktery se po automatickem zavreni okna prikazoveho radku otevre, k dispozici je pak ve vami zvolenem adresari, kde se nachazi SDFix; nese nazev Report.txt; jeho obsah vloz sem.