win32/Mebroot.K Trojan

[Brucoun]

druhy log byl Extras.txt:

OTListIt Extras logfile created on: 15.5.2009 22:27:53 - Run 1
OTListIt2 by OldTimer - Version 2.0.15.8 Folder = C:\Documents and Settings\Owner\Plocha
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000405 | Country: Česká republika | Language: CSY | Date Format: d.M.yyyy

2,00 Gb Total Physical Memory | 1,44 Gb Available Physical Memory | 71,98% Memory free
3,85 Gb Paging File | 3,43 Gb Available in Paging File | 89,02% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 232,88 Gb Total Space | 145,35 Gb Free Space | 62,41% Space Free | Partition Type: NTFS
Drive D: | 642,16 Mb Total Space | 0,00 Mb Free Space | 0,00% Space Free | Partition Type: CDFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: DENDANEW
Current User Name: Owner
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Output = Standard
File Age = 7 Days
Company Name Whitelist: On

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\IEXPLORE.EXE (Microsoft Corporation)
.url [@ = InternetShortcut] -- rundll32.exe ieframe.dll,OpenURL %l

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

[HKEY_USERS\S-1-5-21-1417001333-630328440-725345543-1003\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 1
"FirewallOverride" = 0
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002
"3724:TCP" = 3724:TCP:*:Enabled:Blizzard Downloader: 3724

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
[2008.04.13 20:53:32 | 00,558,080 | ---- | M] (Microsoft Corporation) -- %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
File not found -- C:\Program Files\Grisoft\AVG7\avginet.exe:*:Enabled:avginet.exe
File not found -- C:\Program Files\Grisoft\AVG7\avgamsvr.exe:*:Enabled:avgamsvr.exe
File not found -- C:\Program Files\Grisoft\AVG7\avgcc.exe:*:Enabled:avgcc.exe
[2007.09.26 12:35:38 | 01,848,616 | ---- | M] (Nero AG) -- C:\Program Files\Common Files\Ahead\Nero Web\SetupX.exe:*:Enabled:Nero ProductSetup
File not found -- C:\Documents and Settings\Owner\Local Settings\Temp\Nero Web\SetupXu.exe:*:Enabled:Nero ProductSetup
[2008.04.13 20:53:32 | 00,558,080 | ---- | M] (Microsoft Corporation) -- %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000
File not found -- C:\Program Files\FarStone\VirtualDrive\MGR.exe:*:Enabled:VirtualDrive MGR
[2009.02.28 16:44:09 | 00,075,064 | ---- | M] () -- C:\WINDOWS\system32\PnkBstrA.exe:*:Enabled:PnkBstrA
[2009.05.10 18:40:12 | 00,189,072 | ---- | M] () -- C:\WINDOWS\system32\PnkBstrB.exe:*:Enabled:PnkBstrB
[2003.12.24 11:34:26 | 00,221,184 | ---- | M] (Micro-Star International Co.,Ltd.) -- C:\Program Files\MSI\i-Speeder\i-Speeder.exe:*:Enabled:i-Speeder
[2008.05.31 20:25:11 | 00,219,952 | ---- | M] () -- C:\Program Files\uTorrent\uTorrent.exe:*:Enabled:µTorrent
[2008.09.01 17:08:21 | 00,173,304 | ---- | M] (ICQ, Inc.) -- C:\Program Files\ICQ6\ICQ.exe:*:Enabled:ICQ6
[1999.09.21 17:46:58 | 00,938,496 | R--- | M] (Microsoft Corporation) -- C:\Hry\Age of Empires II\empires2.exe:*:Enabled:Age of Empires II
[2000.08.08 16:12:40 | 02,695,213 | R--- | M] (Microsoft Corporation) -- C:\Hry\Age of Empires II\age2_x1\age2_x1.exe:*:Enabled:Age of Empires II Expansion
File not found -- C:\Hry\World of Warcraft\WoW-2.4.0-enGB-downloader.exe:*:Enabled:Blizzard Downloader
[2002.01.12 04:57:56 | 01,519,616 | R--- | M] (Electronic Arts Inc.) -- C:\Hry\EA GAMES\MOHAA\MOHAA.exe:*:Enabled:Medal of Honor Allied Assault
[2003.08.08 20:30:00 | 01,527,808 | ---- | M] (Activision Inc) -- C:\Program Files\LucasArts\Star Wars Jedi Knight Jedi Academy\GameData\jamp.exe:*:Enabled:Jedi Academy MultiPlayer
[2003.09.02 21:39:44 | 07,106,560 | ---- | M] (Ensemble Studios) -- C:\Hry\Age of Mythology\aomx.exe:*:Enabled:Age of Mythology - The Titans Expansion
[2008.06.20 15:43:00 | 03,330,048 | ---- | M] () -- C:\Program Files\Activision\Call of Duty 4 - Modern Warfare\iw3mp.exe:*:Enabled:Call of Duty(R) 4 - Modern Warfare(TM)
[2008.06.23 16:51:14 | 04,197,376 | ---- | M] (QIP) -- C:\Program Files\QIP Infium\infium.exe:*:Enabled:QIP Infium
File not found -- C:\Hry\GameSpy Arcade\Aphex.exe:*:Enabled:GameSpy Arcade
File not found -- C:\Documents and Settings\Owner\Local Settings\Temp\Blizzard Launcher Temporary - 9bd93398\Launcher.exe:*:Enabled:Blizzard Launcher
File not found -- C:\Documents and Settings\Owner\Local Settings\Temp\Blizzard Launcher Temporary - b540c5a8\Launcher.exe:*:Enabled:Blizzard Launcher
File not found -- C:\Documents and Settings\Owner\Local Settings\Temp\Blizzard Launcher Temporary - 0cc53210\Launcher.exe:*:Enabled:Blizzard Launcher
[2009.04.23 06:13:43 | 02,172,400 | ---- | M] (Blizzard Entertainment) -- C:\Program Files\WoW\BackgroundDownloader.exe:*:Enabled:Blizzard Downloader
[2009.04.23 06:13:43 | 03,798,624 | ---- | M] (Blizzard Entertainment) -- C:\Program Files\WoW\Launcher.exe:*:Enabled:Blizzard Launcher

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00CD72B3-E2DF-4DFC-BCC1-5CC4F564518D}" = Symantec Client Security
"{01501EBA-EC35-4F9F-8889-3BE346E5DA13}" = MSXML4 Parser
"{055EE59D-217B-43A7-ABFF-507B966405D8}" = ATI Catalyst Control Center
"{0D994CC5-819F-4657-84DD-397B8FE1EA80}" = Star Wars Jedi Knight Jedi Academy
"{0DEA94ED-915A-4834-A87E-388D012C8E02}" = Medal of Honor Allied Assault
"{0F33250B-7C59-5A14-6ED5-FCC251A962D0}" = Skins
"{14378007-ACD5-2482-33A1-F79289A452E7}" = Catalyst Control Center Graphics Full Existing
"{1E1CB0CC-50E9-2618-5D7C-03BE0A27E118}" = Catalyst Control Center Core Implementation
"{2447500B-22D7-47BD-9B13-1A927F43A267}" = Empire Earth
"{29C22873-B939-4EF9-B6E3-1EFE7FA391D1}" = ASUS nVidia Driver
"{350C9405-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{38A0BB97-772D-422E-BCCA-4BA2A5D81F42}" = ACDSee 6.0 PowerPack
"{3CAF8B75-2F1F-4B87-9071-5B838C408DBB}" = LEGO Star Wars
"{3EA9D975-BFDC-4E8E-B88B-0446FBC8CA66}" = ATI HydraVision
"{491DD792-AD81-429C-9EB4-86DD3D22E333}" = Windows Communication Foundation
"{4CA9EA31-65E6-00E2-3DBB-19AF01D51C8D}" = Catalyst Control Center Graphics Light
"{56C049BE-79E9-4502-BEA7-9754A3E60F9B}" = neroxml
"{5EF19AD3-1873-9072-D526-E8F4E6A9EE59}" = Catalyst Control Center Graphics Full New
"{60DE4033-9503-48D1-A483-7846BD217CA9}" = ICQ6
"{68C83D63-C661-C444-7E60-E0328D842ECB}" = ccc-core-preinstall
"{6EF72FC6-842E-4FE6-BF88-BFBF03C9DA74}" = Windows Workflow Foundation CS Language Pack
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{72D07FDD-94B7-A4EE-8C28-888C55D33831}" = ccc-core-static
"{789289CA-F73A-4A16-A331-54D498CE069F}" = Ventrilo
"{7D1B85BD-AA07-48B8-808D-67A4067FC6BD}" = Windows Workflow Foundation
"{7F947BFE-C2DF-4779-9909-5BEE746BD0C4}" = Microsoft .NET Framework 2.0 Language Pack - CSY
"{7FFC95A3-A514-E94D-72A1-B0FF80656519}" = CCC Help English
"{8423B39C-AC5F-45F3-AC90-204F891CBF3A}" = Heroes of Might and Magic® II
"{8A15B7D9-908A-4EF9-BA84-5AEDE61743EE}" = Call of Duty(R) 4 - Modern Warfare(TM) 1.6 Patch
"{8A232EC3-38F5-4827-910F-AD1F3BF7878F}" = ATI Parental Control & Encoder
"{931C37FC-594D-43A9-B10F-A2F2B1F03498}" = Call of Duty(R) 4 - Modern Warfare(TM) 1.7 Patch
"{97FA9DC8-B4AF-84EE-DA97-B13FE28381BA}" = ccc-utility
"{99D328E0-51DE-465E-9307-B85CA9511029}" = Nero 7 Essentials
"{9DE9E293-5D7B-4312-88C2-BDFAEC5310AE}" = Microsoft .NET Framework 3.0
"{A49F249F-0C91-497F-86DF-B2585E8E76B7}" = Microsoft Visual C++ 2005 Redistributable
"{A87B11AC-4344-4E5D-8B12-8F471A87DAD9}" = LightScribe 1.4.136.1
"{AAB6D0F8-02B3-4E89-B24C-0BB153C21445}" = Windows Presentation Foundation Language Pack (CSY)
"{AC76BA86-7AD7-1029-7B44-A81200000003}" = Adobe Reader 8 - Czech
"{B508B3F1-A24A-32C0-B310-85786919EF28}" = Microsoft .NET Framework 2.0 Service Pack 1
"{B6C1833E-6C94-4529-AE2F-E36E247314FA}" = ATI Catalyst Control Center
"{BAF78226-3200-4DB4-BE33-4D922A799840}" = Windows Presentation Foundation
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{D8979435-753B-40AE-9318-5E712C160A71}" = Windows Communication Foundation Language Pack - CSY
"{E48469CC-635E-4FD5-A122-1497C286D217}" = Call of Duty(R) 4 - Modern Warfare(TM)
"{F73920B1-FD39-6893-4E9B-748311B666AF}" = Catalyst Control Center Graphics Previews Common
"{FB08F381-6533-4108-B7DD-039E11FBC27E}" = Realtek AC'97 Audio
"{FB09515C-8E3E-4E0F-A1F2-032F38DEC185}" = Microsoft .NET Framework 3.0 Czech Language Pack
"{FF77941A-2BFA-4A18-BE2E-69B9498E4D55}" = User Profile Hive Cleanup Service
"3FA1705966809259F916AF817C59B4F389F4572C" = Balíček ovladače systému Windows - Advanced Micro Devices (AmdK8) Processor (05/27/2006 1.3.2.0)
"Adobe Flash Player ActiveX" = Adobe Flash Player ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Photoshop 7.0 CE" = Adobe Photoshop 7.0 CE
"Age of Empires 2.0" = Microsoft Age of Empires II
"Age of Empires II: The Conquerors Expansion 1.0" = Microsoft Age of Empires II: The Conquerors Expansion
"Age of Mythology 1.0" = Age of Mythology
"Age of Mythology Expansion Pack 1.0" = Age of Mythology - The Titans Expansion
"All ATI Software" = ATI - Software Uninstall Utility
"America" = America
"ATI Display Driver" = ATI Display Driver
"CCleaner" = CCleaner (remove only)
"Cool's_Codec_pack_4.12" = Codec Pack - All In 1 6.0.3.0
"Corel Uninstaller" = Corel Uninstaller
"CutePDF Writer Installation" = CutePDF Writer 2.2
"DVD Shrink_is1" = DVD Shrink 3.2
"EAX Unified" = EAX Unified
"GameParkClient_is1" = GamePark
"Hamachi" = Hamachi 1.0.2.5
"Heroes of Might and Magic III Complete" = Heroes of Might and Magic III Complete
"HxD Hex Editor_is1" = HxD Hex Editor version 1.7.7.0
"Icewind Dale" = Icewind Dale
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"InfoView" = InfoView
"InstallShield_{8423B39C-AC5F-45F3-AC90-204F891CBF3A}" = Heroes of Might and Magic® II
"InstallShield_{8A15B7D9-908A-4EF9-BA84-5AEDE61743EE}" = Call of Duty(R) 4 - Modern Warfare(TM) 1.6 Patch
"InstallShield_{931C37FC-594D-43A9-B10F-A2F2B1F03498}" = Call of Duty(R) 4 - Modern Warfare(TM) 1.7 Patch
"InstallShield_{E48469CC-635E-4FD5-A122-1497C286D217}" = Call of Duty(R) 4 - Modern Warfare(TM)
"i-Speeder" = i-Speeder
"IWDCZ" = Icewind Dale(TM) - Čeština
"IZArc 3.4.1.6_is1" = IZArc 3.4.1.6
"Lexicon 3.0" = Lingea Lexicon 2000
"LiveUpdate" = LiveUpdate 2.0 (Symantec Corporation)
"Mafia Game" = Mafia Game
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 2.0 Language Pack - CSY" = Microsoft .NET Framework 2.0 Language Pack - CSY
"Microsoft .NET Framework 3.0" = Microsoft .NET Framework 3.0
"Microsoft .NET Framework 3.0 Czech Language Pack" = Microsoft .NET Framework 3.0 Czech Language Pack
"MobMap_is1" = MobMap 1.30
"Mozilla Firefox (3.0.10)" = Mozilla Firefox (3.0.10)
"MSI Live Update 3" = MSI Live Update 3
"MV2Player" = MV2Player (remove only)
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"NVIDIA Drivers" = NVIDIA Drivers
"Qip Infium packverze: 9010 RC2 s IRC protokolem" = Qip Infium pack verze: 9010 RC2 s IRC protokolem
"Red Alert 2" = Command & Conquer Red Alert 2
"WIC" = Windows Imaging Component
"Windows Media Format Runtime" = Windows Media Format Runtime
"Windows XP Service Pack" = Windows XP Service Pack 3
"World of Warcraft" = World of Warcraft
"XpsEPSC" = XML Paper Specification Shared Components Pack 1.0
"XPSEPSCLP" = XML Paper Specification Shared Components Language Pack 1.0

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"uTorrent" = µTorrent

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-1417001333-630328440-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"uTorrent" = µTorrent

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 3.5.2009 15:19:08 | Computer Name = DENDANEW | Source = MsiInstaller | ID = 11706
Description = Produkt: Heroes of Might and Magic® II - Chyba 1706. Instalační balíček
pro produkt Heroes of Might and Magic® II nebyl nalezen. Spusťte instalaci znovu
pomocí platného instalačního balíčku Heroes of Might and Magic II.msi.

Error - 3.5.2009 15:26:18 | Computer Name = DENDANEW | Source = Symantec AntiVirus | ID = 16711685
Description = Nalezena hrozba!Hrozba: Trojan.Mebroot v souboru: C:\Documents and
Settings\All Users\Nabídka Start\Programy\Po spuštění\uninstall.exe dle: Auto-Protect
prověření. Akce: Čisté se nezdařil : Karanténa se nezdařil : Odstranit úspěšné
: Přístup odepřen. Popis akce: Soubor byl úspěšně odstraněn.

Error - 3.5.2009 15:52:04 | Computer Name = DENDANEW | Source = Symantec AntiVirus | ID = 16711685
Description = Nalezena hrozba!Hrozba: Trojan.Mebroot v souboru: C:\Documents and
Settings\All Users\Nabídka Start\Programy\Po spuštění\uninstall.exe dle: Auto-Protect
prověření. Akce: Čisté se nezdařil : Karanténa se nezdařil : Odstranit úspěšné
: Přístup odepřen. Popis akce: Soubor byl úspěšně odstraněn.

Error - 3.5.2009 16:01:16 | Computer Name = DENDANEW | Source = Symantec AntiVirus | ID = 16711685
Description = Nalezena hrozba!Hrozba: Trojan.Mebroot v souboru: C:\Documents and
Settings\Owner\DoctorWeb\Quarantine\uninstall.exe dle: Auto-Protect prověření.
Akce: Čisté se nezdařil : Karanténa se nezdařil : Odstranit úspěšné : Přístup odepřen.
Popis akce: Soubor byl úspěšně odstraněn.

Error - 3.5.2009 16:03:49 | Computer Name = DENDANEW | Source = Symantec AntiVirus | ID = 16711685
Description = Nalezena hrozba!Hrozba: Trojan.Mebroot v souboru: C:\Documents and
Settings\All Users\Nabídka Start\Programy\Po spuštění\uninstall.exe dle: Auto-Protect
prověření. Akce: Čisté se nezdařil : Karanténa se nezdařil : Odstranit úspěšné
: Přístup odepřen. Popis akce: Soubor byl úspěšně odstraněn.

Error - 3.5.2009 18:42:40 | Computer Name = DENDANEW | Source = Symantec AntiVirus | ID = 16711685
Description = Nalezena hrozba!Hrozba: Trojan.Mebroot v souboru: C:\System Volume
Information\_restore{5F2022F1-E429-4A32-A393-D4B0771E0C30}\RP273\A0094871.exe dle:
Auto-Protect prověření. Akce: Čisté se nezdařil : Karanténa se nezdařil : Odstranit
úspěšné : Přístup odepřen. Popis akce: Soubor byl úspěšně odstraněn.

Error - 3.5.2009 19:20:03 | Computer Name = DENDANEW | Source = Symantec AntiVirus | ID = 16711685
Description = Nalezena hrozba!Hrozba: Trojan.Mebroot v souboru: C:\System Volume
Information\_restore{5F2022F1-E429-4A32-A393-D4B0771E0C30}\RP273\A0095956.exe dle:
Auto-Protect prověření. Akce: Čisté se nezdařil : Karanténa se nezdařil : Odstranit
úspěšné : Přístup odepřen. Popis akce: Soubor byl úspěšně odstraněn.

Error - 13.5.2009 17:42:49 | Computer Name = DENDANEW | Source = Symantec AntiVirus | ID = 16711685
Description = Nalezena hrozba!Hrozba: Trojan Horse v souboru: C:\WINDOWS\system32\B0800F21.exe
dle: Auto-Protect prověření. Akce: Karanténa úspěšné : Přístup odepřen. Popis
akce: Soubor byl úspěšně izolován v karanténě.

Error - 13.5.2009 17:51:58 | Computer Name = DENDANEW | Source = Symantec AntiVirus | ID = 16711685
Description = Nalezena hrozba!Hrozba: Trojan Horse v souboru: C:\WINDOWS\system32\84B9B207.exe
dle: Auto-Protect prověření. Akce: Karanténa úspěšné : Přístup odepřen. Popis
akce: Soubor byl úspěšně izolován v karanténě.

Error - 13.5.2009 17:52:17 | Computer Name = DENDANEW | Source = Symantec AntiVirus | ID = 16711685
Description = Nalezena hrozba!Hrozba: Trojan Horse v souboru: C:\WINDOWS\system32\47A4C808.exe
dle: Auto-Protect prověření. Akce: Karanténa úspěšné : Přístup odepřen. Popis
akce: Soubor byl úspěšně izolován v karanténě.

[ System Events ]
Error - 12.5.2009 11:07:42 | Computer Name = DENDANEW | Source = DCOM | ID = 10005
Description = Služba DCOM zjistila chybu %1084 při pokusu o spuštění služby EventSystem
s argumenty za účelem spuštění serveru: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 12.5.2009 11:07:44 | Computer Name = DENDANEW | Source = DCOM | ID = 10005
Description = Služba DCOM zjistila chybu %1084 při pokusu o spuštění služby EventSystem
s argumenty za účelem spuštění serveru: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 12.5.2009 11:08:04 | Computer Name = DENDANEW | Source = DCOM | ID = 10005
Description = Služba DCOM zjistila chybu %1084 při pokusu o spuštění služby EventSystem
s argumenty za účelem spuštění serveru: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 12.5.2009 14:35:13 | Computer Name = DENDANEW | Source = DCOM | ID = 10005
Description = Služba DCOM zjistila chybu %1084 při pokusu o spuštění služby EventSystem
s argumenty za účelem spuštění serveru: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 13.5.2009 14:28:38 | Computer Name = DENDANEW | Source = MRxSmb | ID = 8003
Description = Hlavní prohledávač přijal oznámení serveru od počítače MILDA, který
se považuje za hlavní prohledávač domény pro přenos NetBT_Tcpip_{14217C79-DF98-4835-881.
Hlavní
prohledávač bude ukončen nebo bude vyvolána volba.

Error - 13.5.2009 16:52:47 | Computer Name = DENDANEW | Source = MRxSmb | ID = 8003
Description = Hlavní prohledávač přijal oznámení serveru od počítače MILDA, který
se považuje za hlavní prohledávač domény pro přenos NetBT_Tcpip_{14217C79-DF98-4835-881.
Hlavní
prohledávač bude ukončen nebo bude vyvolána volba.

Error - 13.5.2009 17:42:49 | Computer Name = DENDANEW | Source = Service Control Manager | ID = 7000
Description = Služba B0800F21 neuspěla při spuštění v důsledku následující chyby:
%%2

Error - 13.5.2009 17:51:59 | Computer Name = DENDANEW | Source = Service Control Manager | ID = 7000
Description = Služba 84B9B207 neuspěla při spuštění v důsledku následující chyby:
%%2

Error - 13.5.2009 17:52:17 | Computer Name = DENDANEW | Source = Service Control Manager | ID = 7000
Description = Služba 47A4C808 neuspěla při spuštění v důsledku následující chyby:
%%2

Error - 13.5.2009 17:52:51 | Computer Name = DENDANEW | Source = MRxSmb | ID = 8003
Description = Hlavní prohledávač přijal oznámení serveru od počítače MILDA, který
se považuje za hlavní prohledávač domény pro přenos NetBT_Tcpip_{14217C79-DF98-4835-881.
Hlavní
prohledávač bude ukončen nebo bude vyvolána volba.


< End of report >

[Brucoun]

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.6 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
PE file found in sector at 0x01D1C06C0 !

[earl]

Posledni kroky:

Pouzijte CureIt a provedte uplny sken dle navodu viz muj podpis.

Udelejte kompletni scan pomoci AvpTool,postupujte presne dle navodu, pri vyberu jaka akce nechte lecit,obsah logu vlozte sem.

CTETE POZORNE NAVOD,TENTO SOFT NETOLERUJE CHYBY V POSTUPU APLIKOVANI!

Klidne si nasledujici radky vytisknete,at vite,co se bude na obrazovce odehravat.

Budte prihlasen na pc s administratorskymi pravy.

stahnete a ulozte nejlepe na plochu ComboFix

v pripade,ze nepujde stranka nacist-stahnete odtud download , popr. nepujde ComboFix spustit - prejmenujte jej na grinder.com a postupujte dale dle instrukci.

hned po startu se zobrazi obrazovka s licencnimi podminkami, pokracujte kliknutim na tlacitko Ano:



Souhlasit s instalaci Recovery console(Konzola pro zotaveni)-nutno funkcni internet

v klidu si postavte na kafe (cela akce trva cca. 5-10 minut, nekdy i dele - dle toho, o jak rychly stroj se jedna a kolika soubory se skener bude muset prodirat), behem skenu se nepokousejte spoustet zadne jine aplikace ani nic jineho

behem skenovani nepropadejte panice, vas stroj muze byt restartovan (predevsim pri prvni aplikaci skeneru)

upozorneni: upozorneni: Vypnete rezidentni stit u antiviru a antispywaru a zakazte docasne firewall-ComboFix by nemusel fungovat korektne-pokud budete mit stity vypnute a Combofix zahlasi,ze nejsou,pokracujte dal a potvrdte.

po restartu aplikace vytvori log, ulozeny na C:/Combofix.txt (pri opakovanem pouziti jsou logy oznaceny Combofix2.txt atd.), jeho obsah vlozte sem

[Brucoun]

Zdravim... vikend jsem byl mimo PC .. tak to dodelam dnes odpolko .. uz jsem sice stihnul prvni dva kroky a oboje v poradku AvpTool nasel vir pouze v karantene .. log jsem samozrejme vlozim .. dal jsem se nedostal. )))

[earl]

Ok.

[Brucoun]

Tak log z Kasperky :

Scan
----
Scanned: 228943
Detected: 24
Untreated: 0
Start time: 16.5.2009 16:49:27
Duration: 01:00:58
Finish time: 16.5.2009 17:50:25


Detected
--------
Status Object
------ ------
deleted: Trojan program Backdoor.Win32.Sinowal.dkc File: C:\Documents and Settings\Owner\DoctorWeb\Quarantine\02AC0000.VBN//CryptZ
deleted: Trojan program Backdoor.Win32.Sinowal.dkc File: C:\Documents and Settings\Owner\DoctorWeb\Quarantine\03940000.VBN//CryptZ
deleted: Trojan program Backdoor.Win32.Sinowal.dkc File: C:\Documents and Settings\Owner\DoctorWeb\Quarantine\03940001.VBN//CryptZ
deleted: Trojan program Backdoor.Win32.Sinowal.dkc File: C:\Documents and Settings\Owner\DoctorWeb\Quarantine\04740000.VBN//CryptZ
deleted: Trojan program Backdoor.Win32.Sinowal.dkc File: C:\Documents and Settings\Owner\DoctorWeb\Quarantine\04740001.VBN//CryptZ
deleted: Trojan program Backdoor.Win32.Sinowal.dkc File: C:\Documents and Settings\Owner\DoctorWeb\Quarantine\04A80000.VBN//CryptZ
deleted: Trojan program Backdoor.Win32.Sinowal.dkc File: C:\Documents and Settings\Owner\DoctorWeb\Quarantine\04A80001.VBN//CryptZ
deleted: Trojan program Backdoor.Win32.Sinowal.dkc File: C:\Documents and Settings\Owner\DoctorWeb\Quarantine\04B00000.VBN//CryptZ
deleted: Trojan program Backdoor.Win32.Sinowal.dkc File: C:\Documents and Settings\Owner\DoctorWeb\Quarantine\04C00000.VBN//CryptZ
deleted: Trojan program Backdoor.Win32.Sinowal.dkc File: C:\Documents and Settings\Owner\DoctorWeb\Quarantine\05540000.VBN//CryptZ
deleted: Trojan program Backdoor.Win32.Sinowal.dkc File: C:\Documents and Settings\Owner\DoctorWeb\Quarantine\062C0000.VBN//CryptZ
deleted: Trojan program Backdoor.Win32.Sinowal.dkc File: C:\Documents and Settings\Owner\DoctorWeb\Quarantine\06600000.VBN//CryptZ
deleted: Trojan program Backdoor.Win32.Sinowal.dkc File: C:\Documents and Settings\Owner\DoctorWeb\Quarantine\07000000.VBN//CryptZ
deleted: Trojan program Backdoor.Win32.Sinowal.dkc File: C:\Documents and Settings\Owner\DoctorWeb\Quarantine\07000001.VBN//CryptZ
deleted: Trojan program Backdoor.Win32.Sinowal.dkc File: C:\Documents and Settings\Owner\DoctorWeb\Quarantine\08C80000.VBN//CryptZ
deleted: Trojan program Backdoor.Win32.Sinowal.dkc File: C:\Documents and Settings\Owner\DoctorWeb\Quarantine\0A200000.VBN//CryptZ
deleted: Trojan program Backdoor.Win32.Sinowal.dkc File: C:\Documents and Settings\Owner\DoctorWeb\Quarantine\0BB40000.VBN//CryptZ
deleted: Trojan program Backdoor.Win32.Sinowal.dkc File: C:\Documents and Settings\Owner\DoctorWeb\Quarantine\0BB40001.VBN//CryptZ
deleted: Trojan program Backdoor.Win32.Sinowal.dkc File: C:\Documents and Settings\Owner\DoctorWeb\Quarantine\0D740000.VBN//CryptZ
deleted: Trojan program Backdoor.Win32.Sinowal.dkc File: C:\Documents and Settings\Owner\DoctorWeb\Quarantine\0DB80000.VBN//CryptZ
deleted: Trojan program Backdoor.Win32.Sinowal.dkc File: C:\Documents and Settings\Owner\DoctorWeb\Quarantine\0DB80001.VBN//CryptZ
deleted: Trojan program Backdoor.Win32.Sinowal.dkc File: C:\Documents and Settings\Owner\DoctorWeb\Quarantine\0DB80002.VBN//CryptZ
deleted: Trojan program Backdoor.Win32.Sinowal.dkc File: C:\Documents and Settings\Owner\DoctorWeb\Quarantine\0DB80003.VBN//CryptZ
deleted: Trojan program Backdoor.Win32.Sinowal.dkc File: C:\Documents and Settings\Owner\DoctorWeb\Quarantine\0E540000.VBN//CryptZ


Events
------
Time Name Status Reason
---- ---- ------ ------


Statistics
----------
Object Scanned Detected Untreated Deleted Moved to Quarantine Archives Packed files Password protected Corrupted
------ ------- -------- --------- ------- ------------------- -------- ------------ ------------------ ---------


Settings
--------
Parameter Value
--------- -----
Security Level Recommended
Action Disinfect, delete if disinfection fails
Run mode Manually
File types Scan all files
Scan only new and changed files No
Scan archives All
Scan embedded OLE objects All
Skip if object is larger than No
Skip if scan takes longer than No
Parse email formats No
Scan password-protected archives No
Enable iChecker technology No
Enable iSwift technology No
Show detected threats on "Detected" tab Yes
Rootkits search Yes
Deep rootkits search No
Use heuristic analyzer Yes


Quarantine
----------
Status Object Size Added
------ ------ ---- -----


Backup
------
Status Object Size
------ ------ ----

[Brucoun]

ComboFix 09-05-15.08 - Owner 18.05.2009 20:57.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1250.420.1029.18.2047.1452 [GMT 2:00]
Spuštěný z: c:\documents and settings\Owner\Plocha\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Ostatní výmazy )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\evysh7us.dll

.
((((((((((((((((((((((((( Soubory vytvořené od 2009-04-18 do 2009-05-18 )))))))))))))))))))))))))))))))
.

2009-05-16 14:46 . 2009-05-18 05:27 4964384 --sha-w c:\windows\system32\drivers\fidbox.dat
2009-05-16 14:46 . 2008-07-08 12:54 148496 ----a-w c:\windows\system32\drivers\73560174.sys
2009-05-15 20:11 . 2009-05-15 20:11 -------- d-----w c:\program files\CCleaner
2009-05-13 21:36 . 2009-05-13 21:40 -------- d-----w c:\program files\Common Files\AVSMedia
2009-05-13 21:36 . 2008-06-19 08:53 24576 ----a-w c:\windows\system32\msxml3a.dll
2009-05-13 21:36 . 2009-05-13 21:40 -------- d-----w c:\program files\AVS4YOU
2009-05-13 18:28 . 2009-05-13 18:28 -------- d-----w c:\program files\UPM
2009-05-07 11:31 . 2009-05-07 11:31 -------- d-----w c:\program files\HxD
2009-05-03 20:00 . 2009-05-03 20:01 -------- d-----w c:\documents and settings\Owner\DoctorWeb
2009-05-03 19:43 . 2009-05-03 21:25 -------- d-----w c:\program files\TrojanHunter 5.1
2009-05-03 17:26 . 2009-05-03 17:26 -------- d--h--w c:\windows\PIF

.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-18 18:51 . 2008-12-20 14:20 -------- d-----w c:\program files\Common Files\Symantec Shared
2009-05-18 05:27 . 2009-05-16 14:46 28316 --sha-w c:\windows\system32\drivers\fidbox.idx
2009-05-17 16:51 . 2008-05-18 17:24 189072 ----a-w c:\windows\system32\PnkBstrB.exe
2009-05-17 16:50 . 2008-05-18 17:25 138920 ----a-w c:\windows\system32\drivers\PnkBstrK.sys
2009-05-17 09:32 . 2008-09-25 21:22 -------- d-----w c:\program files\GamePark
2009-05-16 15:52 . 2008-05-17 18:11 -------- d-----w c:\program files\WoW
2009-05-08 07:05 . 2008-12-23 21:50 -------- d-----w c:\program files\AxBx
2009-04-26 10:32 . 2008-07-14 16:19 -------- d-----w c:\program files\QIP Infium
2009-04-15 17:47 . 2006-03-02 12:00 82746 ----a-w c:\windows\system32\perfc005.dat
2009-04-15 17:47 . 2006-03-02 12:00 437518 ----a-w c:\windows\system32\perfh005.dat
2009-03-06 14:23 . 2006-03-02 12:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-03 00:14 . 2006-03-02 12:00 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-28 14:44 . 2008-05-18 17:24 75064 ----a-w c:\windows\system32\PnkBstrA.exe
2009-02-20 17:13 . 2006-03-02 12:00 78336 ----a-w c:\windows\system32\ieencode.dll
.

(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2008-01-22 152872]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-04-01 486856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 61440]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2005-08-12 45056]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-06-16 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-06-16 81920]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2004-05-12 66656]
"vptray"="c:\progra~1\SYMANT~1\SYMANT~2\VPTray.exe" [2004-05-12 124128]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\soundman.exe [2006-11-17 577536]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\Owner\Nabˇdka Start\Programy\Po spuçtŘnˇ\
is-BPRHM.lnk - c:\documents and settings\Owner\Plocha\Virus Removal Tool\is-BPRHM\startup.exe [2009-5-16 65536]

c:\documents and settings\All Users\Nabˇdka Start\Programy\Po spuçtŘnˇ\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-5-17 113664]
Corel MEDIA FOLDERS INDEXER 8.LNK - c:\corel\Graphics8\Programs\MFIndexer.exe [2009-4-11 83456]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\Ahead\\Nero Web\\SetupX.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\MSI\\i-Speeder\\i-Speeder.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\ICQ6\\ICQ.exe"=
"c:\\Hry\\Age of Empires II\\empires2.exe"=
"c:\\Hry\\Age of Empires II\\age2_x1\\age2_x1.exe"=
"c:\\Hry\\EA GAMES\\MOHAA\\MOHAA.exe"=
"c:\\Program Files\\LucasArts\\Star Wars Jedi Knight Jedi Academy\\GameData\\jamp.exe"=
"c:\\Hry\\Age of Mythology\\aomx.exe"=
"c:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"c:\\Program Files\\QIP Infium\\infium.exe"=
"c:\\Program Files\\WoW\\BackgroundDownloader.exe"=
"c:\\Program Files\\WoW\\Launcher.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

R1 is-BPRHMdrv;is-BPRHMdrv;c:\windows\system32\drivers\73560174.sys [16.5.2009 16:46 148496]
R3 PSched;Plánovač paketů technologie QoS;c:\windows\system32\drivers\psched.sys [2.3.2006 14:00 69120]
S3 {DEF85C80-216A-43ab-AF70-1665EDBE2780};{DEF85C80-216A-43ab-AF70-1665EDBE2780};\??\c:\windows\TEMP\6.tmp --> c:\windows\TEMP\6.tmp [?]
S3 47A4C808;47A4C808;c:\windows\system32\47A4C808.exe --> c:\windows\system32\47A4C808.exe [?]
S3 84B9B207;84B9B207;c:\windows\system32\84B9B207.exe --> c:\windows\system32\84B9B207.exe [?]
S3 B0800F21;B0800F21;c:\windows\system32\B0800F21.exe --> c:\windows\system32\B0800F21.exe [?]
S3 SavRoam;SAVRoam;c:\program files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe [12.5.2004 18:00 173288]
S4 cdawdm;CDAWDM;c:\windows\system32\DRIVERS\CDAWDM.sys --> c:\windows\system32\DRIVERS\CDAWDM.sys [?]

--- Ostatní služby/ovladače v paměti ---

*Deregistered* - uphcleanhlp
.
Obsah adresáře 'Naplánované úlohy'

2008-12-20 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2008-12-20 10:17]
.
.
------- Doplňkový sken -------
.
uStart Page = hxxp://www.google.cz/
TCP: {14217C79-DF98-4835-8813-19C59AF3B74E} = 212.158.128.2,212.158.128.3
FF - ProfilePath - c:\documents and settings\Owner\Data aplikací\Mozilla\Firefox\Profiles\4h6rsqhy.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.cz

---- NASTAVENÍ FIREFOXU ----
c:\program files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".cz");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-18 20:59
Windows 5.1.2600 Service Pack 3 NTFS

skenování skrytých procesů ...

skenování skrytých položek 'Po spuštění' ...

skenování skrytých souborů ...

sken byl úspešně dokončen
skryté soubory: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{DEF85C80-216A-43ab-AF70-1665EDBE2780}]
"ImagePath"="\??\c:\windows\TEMP\6.tmp"
.
--------------------- Knihovny navázané na běžící procesy ---------------------

- - - - - - - > 'winlogon.exe'(772)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(828)
c:\windows\system32\mswsock.dll
.
Celkový čas: 2009-05-18 21:01
ComboFix-quarantined-files.txt 2009-05-18 19:00

Před spuštěním: Volných bajtů: 155 934 789 632
Po spuštění: Volných bajtů: 155 953 721 344

WindowsXP-KB310994-SP2-Home-BootDisk-CSY.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect /usepmtimer

142 --- E O F --- 2009-05-13 22:00

[earl]

Osobne bych odinstaloval Trojan Hunter a nahradil ho napr. Spyware Terminatorem nebo Spybotem SaD.

pokud jste tak jeste neucinil, presunte Combofix na plochu

otevrete si Poznamkovy blok

do nej zkopirujte skript z nasledujiciho okna:

Kód: Vybrat vše

KillAll::
Extra::
File::
c:\documents and settings\Owner\Plocha\Virus Removal Tool\is-BPRHM\startup.exe
c:\windows\system32\drivers\73560174.sys
c:\windows\TEMP\6.tmp
c:\windows\system32\47A4C808.exe
c:\windows\system32\84B9B207.exe
c:\windows\system32\B0800F21.exe 
c:\windows\system32\DRIVERS\CDAWDM.sys
Driver::
is-BPRHMdrv
cdawdm
47A4C808
84B9B207
B0800F21
Registry::
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{DEF85C80-216A-43ab-AF70-1665EDBE2780}]

ulozte vami vytvoreny textovy soubor jako CFScript.txt na plochu

po ulozeni uchopte vami vytvoreny skript levym tlacitkem mysi a presunte jej nad ikonu Combofixu, nad niz skript upustte:



po aplikaci by na vas mel vyskocit dalsi log, vlozte jej sem

Upozorneni: je mozne, ze po aplikaci skriptu a restartu nenabehnou Windows, v takovem pripade znovu restartujte, po restartu mackejte F8 a zvolte Posledni znamou fukncni konfiguraci

[Brucoun]

ComboFix 09-05-15.08 - Owner 19.05.2009 17:52.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1250.420.1029.18.2047.1392 [GMT 2:00]
Spuštěný z: c:\documents and settings\Owner\Plocha\ComboFix.exe
Použité ovládací přepínače :: c:\documents and settings\Owner\Plocha\CFScript.txt

FILE ::
c:\documents and settings\Owner\Plocha\Virus Removal Tool\is-BPRHM\startup.exe
c:\windows\system32\47A4C808.exe
c:\windows\system32\84B9B207.exe
c:\windows\system32\B0800F21.exe
c:\windows\system32\drivers\73560174.sys
c:\windows\system32\DRIVERS\CDAWDM.sys
c:\windows\TEMP\6.tmp
.

((((((((((((((((((((((((((((((((((((((( Ostatní výmazy )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Owner\Plocha\Virus Removal Tool\is-BPRHM\startup.exe
c:\windows\system32\drivers\73560174.sys

.
((((((((((((((((((((((((((((((((((((((( Ovladače/Služby )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_47A4C808
-------\Legacy_84B9B207
-------\Legacy_B0800F21
-------\Legacy_IS-BPRHMDRV
-------\Service_47A4C808
-------\Service_84B9B207
-------\Service_B0800F21
-------\Service_cdawdm
-------\Service_is-BPRHMdrv


((((((((((((((((((((((((( Soubory vytvořené od 2009-04-19 do 2009-05-19 )))))))))))))))))))))))))))))))
.

2009-05-16 14:46 . 2009-05-19 15:55 7811104 --sha-w c:\windows\system32\drivers\fidbox.dat
2009-05-15 20:11 . 2009-05-15 20:11 -------- d-----w c:\program files\CCleaner
2009-05-13 21:36 . 2009-05-13 21:40 -------- d-----w c:\program files\Common Files\AVSMedia
2009-05-13 21:36 . 2008-06-19 08:53 24576 ----a-w c:\windows\system32\msxml3a.dll
2009-05-13 21:36 . 2009-05-13 21:40 -------- d-----w c:\program files\AVS4YOU
2009-05-13 18:28 . 2009-05-13 18:28 -------- d-----w c:\program files\UPM
2009-05-07 11:31 . 2009-05-07 11:31 -------- d-----w c:\program files\HxD
2009-05-03 20:00 . 2009-05-03 20:01 -------- d-----w c:\documents and settings\Owner\DoctorWeb
2009-05-03 19:43 . 2009-05-03 21:25 -------- d-----w c:\program files\TrojanHunter 5.1
2009-05-03 17:26 . 2009-05-03 17:26 -------- d--h--w c:\windows\PIF

.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-19 15:56 . 2008-12-20 14:20 -------- d-----w c:\program files\Common Files\Symantec Shared
2009-05-19 15:55 . 2009-05-16 14:46 92612 --sha-w c:\windows\system32\drivers\fidbox.idx
2009-05-19 15:41 . 2008-05-18 17:24 189072 ----a-w c:\windows\system32\PnkBstrB.exe
2009-05-19 15:07 . 2008-05-18 17:25 138920 ----a-w c:\windows\system32\drivers\PnkBstrK.sys
2009-05-17 09:32 . 2008-09-25 21:22 -------- d-----w c:\program files\GamePark
2009-05-16 15:52 . 2008-05-17 18:11 -------- d-----w c:\program files\WoW
2009-05-08 07:05 . 2008-12-23 21:50 -------- d-----w c:\program files\AxBx
2009-04-26 10:32 . 2008-07-14 16:19 -------- d-----w c:\program files\QIP Infium
2009-04-15 17:47 . 2006-03-02 12:00 82746 ----a-w c:\windows\system32\perfc005.dat
2009-04-15 17:47 . 2006-03-02 12:00 437518 ----a-w c:\windows\system32\perfh005.dat
2009-03-06 14:23 . 2006-03-02 12:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-03 00:14 . 2006-03-02 12:00 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-28 14:44 . 2008-05-18 17:24 75064 ----a-w c:\windows\system32\PnkBstrA.exe
2009-02-20 17:13 . 2006-03-02 12:00 78336 ----a-w c:\windows\system32\ieencode.dll
.

(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2008-01-22 152872]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-04-01 486856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 61440]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2005-08-12 45056]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-06-16 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-06-16 81920]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2004-05-12 66656]
"vptray"="c:\progra~1\SYMANT~1\SYMANT~2\VPTray.exe" [2004-05-12 124128]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\soundman.exe [2006-11-17 577536]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Nabˇdka Start\Programy\Po spuçtŘnˇ\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-5-17 113664]
Corel MEDIA FOLDERS INDEXER 8.LNK - c:\corel\Graphics8\Programs\MFIndexer.exe [2009-4-11 83456]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\Ahead\\Nero Web\\SetupX.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\MSI\\i-Speeder\\i-Speeder.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\ICQ6\\ICQ.exe"=
"c:\\Hry\\Age of Empires II\\empires2.exe"=
"c:\\Hry\\Age of Empires II\\age2_x1\\age2_x1.exe"=
"c:\\Hry\\EA GAMES\\MOHAA\\MOHAA.exe"=
"c:\\Program Files\\LucasArts\\Star Wars Jedi Knight Jedi Academy\\GameData\\jamp.exe"=
"c:\\Hry\\Age of Mythology\\aomx.exe"=
"c:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"c:\\Program Files\\QIP Infium\\infium.exe"=
"c:\\Program Files\\WoW\\BackgroundDownloader.exe"=
"c:\\Program Files\\WoW\\Launcher.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

R3 PSched;Plánovač paketů technologie QoS;c:\windows\system32\drivers\psched.sys [2.3.2006 14:00 69120]
S3 SavRoam;SAVRoam;c:\program files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe [12.5.2004 18:00 173288]

--- Ostatní služby/ovladače v paměti ---

*Deregistered* - uphcleanhlp
.
Obsah adresáře 'Naplánované úlohy'

2008-12-20 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2008-12-20 10:17]
.
.
------- Doplňkový sken -------
.
uStart Page = hxxp://www.google.cz/
TCP: {14217C79-DF98-4835-8813-19C59AF3B74E} = 212.158.128.2,212.158.128.3
FF - ProfilePath - c:\documents and settings\Owner\Data aplikací\Mozilla\Firefox\Profiles\4h6rsqhy.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.cz

---- NASTAVENÍ FIREFOXU ----
c:\program files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".cz");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-19 17:56
Windows 5.1.2600 Service Pack 3 NTFS

skenování skrytých procesů ...

skenování skrytých položek 'Po spuštění' ...

skenování skrytých souborů ...

sken byl úspešně dokončen
skryté soubory: 0

**************************************************************************
.
--------------------- Knihovny navázané na běžící procesy ---------------------

- - - - - - - > 'winlogon.exe'(768)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(824)
c:\windows\system32\mswsock.dll

- - - - - - - > 'explorer.exe'(4420)
c:\windows\system32\mswsock.dll
.
------------------------ Jiné spuštené procesy ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Common Files\Symantec Shared\ccProxy.exe
c:\program files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\PnkBstrB.exe
c:\program files\Common Files\Symantec Shared\SNDSrvc.exe
c:\program files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
c:\program files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
c:\windows\system32\wdfmgr.exe
c:\program files\UPHClean\uphclean.exe
c:\program files\Common Files\Ahead\Lib\NMIndexingService.exe
c:\program files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
c:\windows\system32\imapi.exe
.
**************************************************************************
.
Celkový čas: 2009-05-19 17:59 - počítač byl restartován
ComboFix-quarantined-files.txt 2009-05-19 15:59
ComboFix2.txt 2009-05-18 19:01

Před spuštěním: Volných bajtů: 155 958 521 856
Po spuštění: Volných bajtů: 155 893 735 424

172 --- E O F --- 2009-05-13 22:00

[Brucoun]

Jinak TrojanHunter jiz byl odinstalovan .. jen po nem zbyly adresare a nejaky log ... mel jsem ho jen na zkousku jestli neco nenajde ... a nic nenasel )

[earl]

OK,jeste docistime:

Start - spustit - napiste combofix /u - a klepnout na OK



Pouzijte T-Cleaner na vycisteni pc po docasnych souborech pri odvirovani.Postupujte dle instrukci na obrazovce.Pri detekci antivirem se jedna o falesny poplach.

Vycistete pc Ccleanerem.Stahujte zde.Vzdy nejprve Analyzovat a pak Spustit Cleaner.2x po sobe.
Windows-odskrtnout historii a historii automatickeho vyplnovani formularu.
Aplikace-u prohlizecu internetu odskrtnout Historii internetu.
Registry-nechat vse zaskrtle,Hledej problemy,Opravit vybrane problemy(nechat ho udelat zalohu-ta je ulozena v Dokumentech).Taktez 2x-3x po sobe.

A je to ok.Pokud se objevi nejake potize,jsme tu.

[Brucoun]

jasne super .. vecir provedu .. Moc diky .. ikdyz jsem pak ztratil nit co je spatny a co ne )) ale tím nebudu zatezovat ... mam jen projistotu pustit jeste MBR ??? co to tam hodi?? .... (po vycistení .. ) ???

[earl]

Spustte MBR,vlozte log a muzeme to pak uzavrit.

[Brucoun]

tak po vycisteni :

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.6 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
PE file found in sector at 0x01D1C06C0 !

hmm nevim ten posledni radek tam asi byt nema co ???? aaaaaaaaaaaaaa

[earl]

MBR Rootkit (Mebroot/Sinowal) uklada nektere ze svych dat do jinych sektoru (predevsim na konci disku).Utilita mbr.exe zobrazuje tyto sektory.Vzhledem k tomu,ze MBR jiz infikovany neni,tak kod ukryty v poslednich sektorech disku je neskodny.

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK toto musi byt v teto podobe,aby byl mbr ok.
PE file found in sector at 0x01D1C06C0 ! toto jsou data,ulozena rootkitem v jinych sektorech,nyni uz jsou bez ucinku.

Takze dle meho nazoru mate pc v poradku.