Re: MBAM opakovane hlasi Hijack.WindowsUpdates
Napsal: 19 lis 2010 19:44
Prostudujte a pripadne tam mate i odkaz na detailni postup vc. obrazku
ComboFix 10-11-18.05 - Administrator . 11. 2010 20:54:11.1.1 - x86
Systém Microsoft Windows XP Professional 5.1.2600.2.1250.421.1033.18.511.308 [GMT 1:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
SP: Spy Emergency *enabled* (Updated) {82117492-906E-4b02-A33A-84D42A2DD907}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\All Users\Application Data\hpe2E1.dll
c:\documents and settings\All Users\Application Data\hpe494.dll
c:\documents and settings\All Users\Application Data\hpeEA.dll
.
((((((((((((((((((((((((( Files Created from 2010-10-19 to 2010-11-19 )))))))))))))))))))))))))))))))
.
2010-11-19 19:26 . 2010-11-19 19:26 -------- d-----w- c:\documents and settings\Administrator\Application Data\DivX
2010-11-19 19:26 . 2010-11-19 19:26 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2010-11-19 19:21 . 2010-11-19 19:24 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Temp
2010-11-19 19:18 . 2010-11-19 19:18 -------- d-----w- c:\documents and settings\Administrator\Application Data\Ulead Systems
2010-11-19 19:18 . 2010-11-19 19:42 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\ApplicationHistory
2010-11-19 19:17 . 2010-11-19 19:27 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Google
2010-11-19 16:44 . 2010-11-19 16:45 -------- d-----w- c:\program files\trend micro
2010-11-19 16:44 . 2010-11-19 16:45 -------- d-----w- C:\rsit
2010-11-19 16:35 . 2010-09-07 15:52 165584 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-11-19 16:35 . 2010-09-07 15:47 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-11-19 16:35 . 2010-09-07 15:47 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-11-19 16:35 . 2010-09-07 15:52 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-11-19 16:35 . 2010-09-07 15:47 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-11-19 16:35 . 2010-09-07 15:47 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-11-19 16:35 . 2010-09-07 15:46 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-11-19 16:34 . 2010-09-07 16:12 38848 ----a-w- c:\windows\avastSS.scr
2010-11-19 16:34 . 2010-09-07 16:11 167592 ----a-w- c:\windows\system32\aswBoot.exe
2010-11-19 16:34 . 2010-11-19 16:34 -------- d-----w- c:\program files\Alwil Software
2010-11-19 16:34 . 2010-11-19 16:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-11-19 15:42 . 2010-11-19 15:51 48 ----a-w- c:\windows\rafazon.bat
2010-11-19 15:42 . 2010-02-02 13:33 40 ----a-w- C:\james.bat
2010-11-19 15:42 . 2010-11-19 15:51 -------- d---a-w- C:\rafazon
2010-11-02 10:45 . 2010-11-02 10:45 -------- d-----w- c:\program files\Common Files\Java
2010-11-02 10:44 . 2010-09-15 03:50 472808 ----a-w- c:\windows\system32\deployJava1.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-07 21:36 . 2010-09-20 13:18 86016 ----a-w- c:\windows\DUMP2da7.tmp
2010-11-07 21:34 . 2010-09-20 13:18 86016 ----a-w- c:\windows\DUMP2fab.tmp
2010-11-07 21:33 . 2010-09-20 13:18 86016 ----a-w- c:\windows\DUMP566d.tmp
2010-11-07 21:31 . 2010-09-20 13:18 86016 ----a-w- c:\windows\DUMP53ad.tmp
2010-11-07 21:30 . 2010-09-20 13:18 86016 ----a-w- c:\windows\DUMP50a0.tmp
2010-09-15 01:29 . 2009-11-25 08:32 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-09-14 19:25 . 2010-09-14 19:25 1409 ----a-w- c:\windows\QTFont.for
2001-07-22 19:29 . 2008-02-26 20:31 351744 ----a-w- c:\program files\Salamander.exe
1998-06-17 12:42 . 2010-01-26 08:17 602624 ----a-w- c:\program files\w95sstv.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast5"="c:\program files\Alwil Software\Avast5\avastUI.exe" [2010-09-07 2838912]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-03 15360]
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bitmeter2.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Bitmeter2.lnk
backup=c:\windows\pss\Bitmeter2.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BlueSoleil.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\BlueSoleil.lnk
backup=c:\windows\pss\BlueSoleil.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp psc 1000 series.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\hp psc 1000 series.lnk
backup=c:\windows\pss\hp psc 1000 series.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hpoddt01.exe.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\hpoddt01.exe.lnk
backup=c:\windows\pss\hpoddt01.exe.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Topcom Wireless LAN Utility.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Topcom Wireless LAN Utility.lnk
backup=c:\windows\pss\Topcom Wireless LAN Utility.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
2004-08-03 22:56 15360 ----a-w- c:\windows\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
2010-09-16 20:04 1164584 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
2007-01-01 21:22 3739648 ----a-w- c:\program files\Google\Google Talk\googletalk.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
2007-09-20 08:51 1836328 ----a-w- c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
2001-07-09 10:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2007-03-01 14:57 153136 ----a-w- c:\program files\Common Files\Nero\Lib\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2000-06-26 15:22 905216 ----a-r- c:\windows\system32\nvcpl.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2007-10-19 19:16 286720 ----a-w- c:\program files\QuickTime\QTTask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\REGSHAVE]
2002-02-04 21:32 53248 ------w- c:\program files\REGSHAVE\REGSHAVE.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2009-10-09 12:11 25623336 ----a-r- c:\program files\Skype\Phone\Skype.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\snpstd3]
2007-05-10 11:18 835584 ----a-w- c:\windows\vsnpstd3.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
2004-06-18 08:31 67584 ----a-w- c:\windows\SOUNDMAN.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpyEmergency]
2009-10-19 11:40 1948216 ----a-w- c:\program files\NETGATE\Spy Emergency\SpyEmergency.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-05-14 10:44 248552 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tsnpstd3]
2007-04-21 07:32 270336 ----a-w- c:\windows\tsnpstd3.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UVS10 Preload]
2006-08-09 13:27 36864 ------w- c:\program files\Ulead Systems\Ulead VideoStudio SE DVD\uvPL.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wscsvc"=2 (0x2)
"wuauserv"=2 (0x2)
"SpyEmrgSrv"=2 (0x2)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
"c:\\Program Files\\Sony Ericsson\\Sony Ericsson PC Suite\\SEPCSuite.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Sony Ericsson\\Sony Ericsson Media Manager\\MediaManager.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [19. 11. 2010 17:35 165584]
R1 SpyEmrg;Spy Emergency Driver;c:\windows\system32\drivers\spyemrg.sys [14. 11. 2009 13:15 12344]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [19. 11. 2010 17:35 17744]
R2 OkiPar;OkiPar;c:\windows\system32\drivers\OkiPar.Sys [2. 10. 2001 10:54 40192]
R3 seehcri;Sony Ericsson seehcri Device Driver;c:\windows\system32\drivers\seehcri.sys [25. 9. 2009 16:10 27632]
S1 456f9f9e;456f9f9e;c:\windows\system32\drivers\456f9f9e.sys [4. 4. 2009 19:21 0]
S2 gupdate;Služba Google Update (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [19. 11. 2010 20:20 135664]
S2 OMSI download service;Sony Ericsson OMSI download service;c:\program files\Sony Ericsson\Sony Ericsson PC Suite\SupServ.exe [7. 10. 2010 7:13 90112]
S2 xwoarh;xwoarh;\??\c:\windows\system32\Drivers\xwoarh.sys --> c:\windows\system32\Drivers\xwoarh.sys [?]
S3 FlarionDTM;Flarion DTM Network Interface;c:\windows\system32\drivers\FlrnDTM.sys [4. 12. 2008 18:33 24706]
S3 KS-959;Kingsun KS-959 USB Infrared Adapter;c:\windows\system32\drivers\KS-959.sys [27. 2. 2010 13:17 19034]
S3 s0017bus;Sony Ericsson Device 0017 driver (WDM);c:\windows\system32\drivers\s0017bus.sys [31. 7. 2009 18:24 86824]
S3 s0017mdfl;Sony Ericsson Device 0017 USB WMC Modem Filter;c:\windows\system32\drivers\s0017mdfl.sys [31. 7. 2009 18:24 15016]
S3 s0017mdm;Sony Ericsson Device 0017 USB WMC Modem Driver;c:\windows\system32\drivers\s0017mdm.sys [31. 7. 2009 18:24 114600]
S3 s0017mgmt;Sony Ericsson Device 0017 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s0017mgmt.sys [31. 7. 2009 18:24 108328]
S3 s0017nd5;Sony Ericsson Device 0017 USB Ethernet Emulation SEMC0017 (NDIS);c:\windows\system32\drivers\s0017nd5.sys [31. 7. 2009 18:24 26024]
S3 s0017obex;Sony Ericsson Device 0017 USB WMC OBEX Interface;c:\windows\system32\drivers\s0017obex.sys [31. 7. 2009 18:24 104616]
S3 s0017unic;Sony Ericsson Device 0017 USB Ethernet Emulation SEMC0017 (WDM);c:\windows\system32\drivers\s0017unic.sys [31. 7. 2009 18:24 109736]
S3 s3017bus;Sony Ericsson Device 3017 driver (WDM);c:\windows\system32\drivers\s3017bus.sys [4. 12. 2008 22:31 83880]
S3 s3017mdfl;Sony Ericsson Device 3017 USB WMC Modem Filter;c:\windows\system32\drivers\s3017mdfl.sys [4. 12. 2008 22:34 15016]
S3 s3017mdm;Sony Ericsson Device 3017 USB WMC Modem Driver;c:\windows\system32\drivers\s3017mdm.sys [4. 12. 2008 22:34 110632]
S3 s3017mgmt;Sony Ericsson Device 3017 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s3017mgmt.sys [4. 12. 2008 22:38 104616]
S3 s3017nd5;Sony Ericsson Device 3017 USB Ethernet Emulation SEMC3017 (NDIS);c:\windows\system32\drivers\s3017nd5.sys [4. 12. 2008 22:45 25512]
S3 s3017obex;Sony Ericsson Device 3017 USB WMC OBEX Interface;c:\windows\system32\drivers\s3017obex.sys [4. 12. 2008 22:37 100648]
S3 s3017unic;Sony Ericsson Device 3017 USB Ethernet Emulation SEMC3017 (WDM);c:\windows\system32\drivers\s3017unic.sys [4. 12. 2008 22:40 110120]
S3 se26nd3;Sony Ericsson Device 038 USB Ethernet Emulation SEMC38 (NDIS);c:\windows\system32\drivers\se26nd3.sys [14. 11. 2009 13:52 18208]
S3 SpyEmrgAccess;Spy Emergency OnAccess Driver;c:\windows\system32\drivers\spyemrg_access.sys [14. 11. 2009 13:15 18232]
S3 SpyEmrgGuard;Spy Emergency Real-Time Shield Driver;c:\windows\system32\drivers\spyemrg_guard.sys [14. 11. 2009 13:15 14392]
S4 SpyEmrgSrv;Spy Emergency Engine Service;c:\program files\NETGATE\Spy Emergency\SpyEmergencySrv.exe [14. 11. 2009 13:15 1817144]
--- Other Services/Drivers In Memory ---
*NewlyCreated* - GUPDATE
.
Contents of the 'Scheduled Tasks' folder
2010-11-15 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 13:57]
2010-06-14 c:\windows\Tasks\FRU Task 2003-04-06 08:52ewlett-Packard2003-04-06 08:52p psc 1200 series5E771253C1676EBED677BF361FDFC537825E15B8268390001.job
- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-05 23:52]
2010-11-19 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-11-19 19:20]
2010-11-19 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-11-19 19:20]
.
.
------- Supplementary Scan -------
.
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
TCP: {DE0F6CE3-562F-4790-A186-468AE3F02BA4} = 194.154.230.80,195.91.78.80
.
- - - - ORPHANS REMOVED - - - -
SafeBoot-xwoarh
MSConfigStartUp-Adobe Photo Downloader - c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
MSConfigStartUp-FixCamera - c:\windows\FixCamera.exe
MSConfigStartUp-NvMediaCenter - c:\windows\system32\NvMcTray.dll
MSConfigStartUp-nwiz - nwiz.exe
AddRemove-Totalcmd - c:\totalcmd\tcuninst.exe
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-11-19 21:00
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(604)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2010-11-19 21:03:19
ComboFix-quarantined-files.txt 2010-11-19 20:03
Pre-Run: 3 516 194 816 bytes free
Post-Run: 3 552 362 496 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
- - End Of File - - 12E9663C06909CBA42C346BCF48CFA23
Stahnete SytemLook (viz muj podpis) a ulozte jej na plochu
